Windows Server Security Solution
Windows Server holds a sizeable share of the server market, yet Microsoft has offered no comprehensive answer to the security problems that keep being raised about it; it simply releases patches one after another, leaving Windows Server administrators on edge all day long.
After long exploration and refinement, we have gathered the scattered security documents found around the network and summed them up into one set of solutions, as follows.
Solution:
First, system installation
1. Disk partition format
1) A Windows Server that is to be used as a network server must have its hard disk partitioned as NTFS. NTFS is far more secure than FAT: on an NTFS partition, users can set different permissions on different folders, which improves the security of the server.
2) Pay attention to how the hard disk is partitioned. All partitions should be NTFS; do not leave any partition in FAT format, since that is liable to cause system faults and even crashes.
3) Because of the nature of the NTFS format, a user cannot boot from a floppy disk to run a virus scan against the partition, so users must be reminded to keep the system's own anti-virus protection in good order.
2. Operating system installation
1) Install only one operating system. A second system on the same machine gives a malicious person another way onto the box and adds to the server's security risk.
2) During installation, do not place the system files in the default directory (Winnt); choose a new directory instead. Do not put the web directory on the same partition as the system, so that someone exploiting a vulnerability through the web server cannot reach system files and folders.
3) After installing the operating system, be sure to apply every necessary patch until no further update remains.
4) Install as little software unrelated to the web service as possible.
Second, system settings
1. Account settings
1) Keep as few active accounts as possible and remove those not in use; more accounts mean more security hazards.
2) Keep two administrative accounts, so that if one password is forgotten, or is changed by an intruder, the other is available as a standby.
3) Tighten account management and do not hand out special privileges lightly.
4) Rename the administrative account rather than keeping the default name, which is easy to guess. Try to follow the same principle for non-administrative accounts.
5) Disable the Guest account, rename it to something complex, give it a password, and then remove it from the Guests group.
6) Password rules: every account (other than system accounts) should have a password of at least 8 characters, mixing special symbols, digits and upper- and lower-case letters. Avoid dictionary words.
7) Change account passwords regularly. Passwords are best kept in your head; do not write them down anywhere else.
8) Set a limit on failed logon attempts per account to stop continuous logon attempts and to raise the administrator's awareness of them.
2. Network settings
1) Keep only the TCP/IP protocol and remove all the others.
2) NetBIOS is a frequent target of scanning by online attackers, so disable it here.
How to do it: Network Connections -> Local Area Connection properties -> Internet Protocol (TCP/IP) -> Advanced -> WINS tab -> Disable NetBIOS over TCP/IP -> OK.
3) Allow only the ports that are actually needed,
for example:
21 TCP FTP
25 TCP SMTP
53 TCP/UDP DNS (DNS runs mainly over UDP; TCP 53 is needed only for zone transfers and large responses)
80 TCP HTTP
1433 TCP SQL Server
3389 TCP Terminal Services
5631 TCP pcAnywhere
These are some common ports. Of them, 1433, 3389 and 5631 are database and remote-administration ports and should never be reachable from the whole Internet; restrict them to management addresses. Special reminder: installing the Blunt Domain virtual host management system requires opening port 19888.
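The following script is an added example and not part of the original article; it carries out items 2) and 3) above on a current Windows Server from an elevated PowerShell prompt (the original text targets Windows 2000, where these steps were done by hand). It assumes the NetTCPIP and NetSecurity modules are present and that the allow-list is the port table above plus the 19888 the article mentions.

```powershell
# Added example; not part of the original article. Assumes a current Windows Server
# (NetTCPIP and NetSecurity modules) and an elevated PowerShell prompt.

# TCP ports the article allows, plus 19888 for the hosting panel it mentions.
# 53/UDP is opened separately below because DNS is mostly UDP.
$AllowedTcp = 21, 25, 53, 80, 1433, 3389, 5631, 19888

# 2) Disable NetBIOS over TCP/IP on every interface; this is what the WINS-tab
#    click path sets. NetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled.
function Disable-NetBiosOverTcp {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        $now = (Get-ItemProperty -Path $iface.PSPath).NetbiosOptions
        '{0}: NetbiosOptions={1}' -f $iface.PSChildName, $now
    }
}

# 3) Enforce the allow-list with the host firewall: create the allow rules first
#    (so an RDP session on 3389 survives), then make inbound block the default.
#    Re-runnable: existing rules with the same names are replaced.
function Set-InboundAllowList {
    param([int[]]$TcpPorts = $AllowedTcp)
    foreach ($name in 'Hardening: allowed TCP services', 'Hardening: DNS over UDP') {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    }
    New-NetFirewallRule -DisplayName 'Hardening: allowed TCP services' -Direction Inbound `
        -Protocol TCP -LocalPort $TcpPorts -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Hardening: DNS over UDP' -Direction Inbound `
        -Protocol UDP -LocalPort 53 -Action Allow | Out-Null
    Set-NetFirewallProfile -All -DefaultInboundAction Block -Enabled True
}

# Report every TCP listener outside the allow-list with its owning process, so
# an unexpected port is noticed and decided on rather than silently firewalled.
function Get-UnexpectedListeners {
    param([int[]]$Allowed = $AllowedTcp)
    Get-NetTCPConnection -State Listen |
        Where-Object { $Allowed -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Address = $_.LocalAddress
                Port    = $_.LocalPort
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Pid     = $_.OwningProcess
            }
        } | Sort-Object Port, Address -Unique
}

Disable-NetBiosOverTcp
Set-InboundAllowList
Get-UnexpectedListeners | Format-Table -AutoSize
```

The listener report is the part worth reading before anything else: a process bound to a port that is not in the table is either a service that should be removed (see item 6 below) or a port the allow-list is missing. For 1433, 3389 and 5631, add `-RemoteAddress` with the management subnet to the allow rule rather than opening them to any source.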
3. Delete unnecessary shares to improve security
How to do it: run regedit.
(1) Add a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Name: AutoShareServer
Type: REG_DWORD
Value: 0
This stops the Server service from recreating the administrative shares (C$, D$, ADMIN$) at start-up; shares that already exist disappear once the service is restarted.
(2) Add a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Name: RestrictAnonymous
Type: REG_DWORD
Value: 1
A value of 0 is the default and restricts nothing; 1 prevents anonymous (null-session) users from enumerating accounts and shares. Windows 2000 also accepts 2, which refuses anonymous access altogether but can break domain trusts and network browsing.
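The same two registry changes, done from PowerShell with a read-back check, as an added example that is not part of the original article. It assumes a current Windows Server (PowerShell 5 or later and the SmbShare module) and an elevated prompt; the `Set-RegDword` helper is written for this example.

```powershell
# Added example; not part of the original article. Assumes a current Windows
# Server (PowerShell 5+, SmbShare module) and an elevated prompt.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force creates the value or overwrites it, so re-running is harmless.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "$Path\$Name reads back as $actual, expected $Value" }
    '{0}\{1} = {2}' -f $Path, $Name, $actual
}

# (1) Stop the Server service from recreating C$, D$ and ADMIN$ at start-up.
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
             -Name 'AutoShareServer' -Value 0

# (2) Restrict anonymous (null-session) access. 0 is the permissive default;
#     1 blocks enumeration of accounts and shares over a null session.
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
             -Name 'RestrictAnonymous' -Value 1

# Administrative shares that already exist survive until the Server service
# restarts, so restart it (this drops current SMB sessions) and list what remains.
Restart-Service -Name LanmanServer -Force
Get-SmbShare | Select-Object Name, Path, Special | Format-Table -AutoSize
```

Run it from a console session or over RDP rather than over an SMB-based remote shell, since the restart cuts SMB sessions. On current Windows the companion values `RestrictAnonymousSAM` and `EveryoneIncludesAnonymous` in the same `Lsa` key govern the rest of the anonymous-access behaviour and are worth checking alongside this one.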
4. Modify the permissions
On Windows 2000 Server the default NTFS permission on a partition is Everyone: Full Control, which is a definite security hazard. We recommend granting Full Control on every NTFS partition only to Administrators and SYSTEM; directories with special permission requirements (for example the web root, which IUSR must be able to read) can then be set individually. Test this on the system partition before relying on it, since services and installed applications may need read access to specific paths.
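As an added example (not from the original article), the following PowerShell first shows whatever Everyone currently holds on a partition and then resets the partition root to Administrators and SYSTEM with Full Control using `icacls`, which exists on every current Windows Server. It assumes an elevated prompt and that `D:\` is a data or web partition; the drive letter is an assumption and should be changed to the partition being hardened.

```powershell
# Added example; not part of the original article. Assumes an elevated prompt on
# a current Windows Server. D:\ is an assumed data/web partition, not the system drive.

function Get-EveryoneAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Read-only look at the ACEs granted to Everyone before they are removed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Set-AdminOnlyAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Step 1: stop inheriting from the parent and drop the inherited entries.
    icacls $Path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:r failed on $Path" }
    # Step 2: remove the broad explicit grants (names absent from the ACL are ignored).
    icacls $Path /remove:g 'Everyone' 'BUILTIN\Users' 'NT AUTHORITY\Authenticated Users' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove failed on $Path" }
    # Step 3: Full Control for Administrators and SYSTEM, inherited by subfolders
    #         (CI) and files (OI). /grant:r replaces any earlier explicit grant.
    icacls $Path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $Path" }
    # Show the resulting DACL.
    icacls $Path
}

$Target = 'D:\'
Get-EveryoneAccess -Path $Target | Format-Table -AutoSize
Set-AdminOnlyAcl -Path $Target
```

Inheritable entries set on the root propagate downward, but explicit ACEs already present on subfolders are untouched; `icacls D:\ /reset /t` would clear those too, at the cost of also clearing any deliberate per-directory grants such as the web root's IUSR read permission, so run that only where no exceptions exist.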
5. Modify some computer settings
How to do it: Control Panel -> System -> Advanced -> Startup and Recovery -> untick "Display list of operating systems" -> untick "Send an administrative alert" -> set "Write debugging information" to none -> OK.
6. Disable unnecessary services
Where to do it: Control Panel -> Administrative Tools -> Services
Services to stop, for example: Alerter, Computer Browser, Distributed File System, Intersite Messaging, Kerberos Key Distribution Center, Remote Registry Service, Routing and Remote Access, and so on. Intersite Messaging and the Kerberos Key Distribution Center are required on a domain controller; stop them only on a stand-alone or member server.
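The list above, stopped and set to Disabled from PowerShell, as an added example that is not part of the original article. It assumes a current Windows Server and an elevated prompt; the short service names are the ones behind the display names listed above (Alerter no longer ships on current Windows and is skipped if absent), and the domain-role check is this example's own guard against running it on a domain controller.

```powershell
# Added example; not part of the original article. Assumes a current Windows
# Server and an elevated prompt.

# Short service names behind the display names in the article's list.
$ServicesToDisable = @(
    'Alerter',         # Alerter (absent on current Windows; skipped if missing)
    'Browser',         # Computer Browser
    'Dfs',             # Distributed File System
    'IsmServ',         # Intersite Messaging
    'Kdc',             # Kerberos Key Distribution Center
    'RemoteRegistry',  # Remote Registry
    'RemoteAccess'     # Routing and Remote Access
)

function Disable-UnneededServices {
    param([string[]]$Names = $ServicesToDisable)

    # Win32_ComputerSystem.DomainRole 4 or 5 means this host is a domain
    # controller, where Kdc and IsmServ are required. Refuse rather than break it.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw "Domain controller detected (DomainRole=$role); do not run this list here."
    }

    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { '{0}: not installed, skipped' -f $name; continue }
        # -Force also stops dependent services instead of failing on them.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
        Set-Service -Name $name -StartupType Disabled
        $after = Get-Service -Name $name
        '{0}: status={1}, startup={2}' -f $name, $after.Status, $after.StartType
    }
}

Disable-UnneededServices
```

Setting the start-up type to Disabled, not merely stopping the service, is the part that matters: a stopped service with Automatic start-up is back after the next reboot. Stopping `RemoteAccess` on a box that is itself used as a VPN endpoint will cut that path, so confirm the server's role before running the list unchanged.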
7. Security log
A default Windows 2000 installation enables no security auditing at all!
So go to Local Security Policy -> Audit Policy and enable the relevant audits; the recommended settings are:
Audit account management: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: success, failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: success, failure
The drawback of auditing is one of balance: audit too little and the record you need will not exist when you look for it; audit too much and the entries not only consume system resources but bury the events that matter, so that you cannot see them at all and the audit loses its meaning. Related settings:
In Account Policies -> Password Policy, set:
Password must meet complexity requirements: enabled
Minimum password length: 6 characters (8 or more is better, in line with the account rules above)
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
In Account Policies -> Account Lockout Policy, set:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
Likewise, the Terminal Services security log is not enabled by default; configure auditing in Terminal Services Configuration -> Permissions -> Advanced -> Auditing.
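The audit, password and lockout settings of section 7 applied from the command line, as an added example that is not part of the original article. It assumes a current Windows Server with `auditpol`, `net accounts` and `secedit` available, an elevated prompt, and that the server is stand-alone: on a domain-joined server the domain Group Policy overrides these local values. The temporary `.inf` and `.sdb` file names are this example's own.

```powershell
# Added example; not part of the original article. Assumes a current Windows
# Server, an elevated prompt, and local (not domain) policy in effect.

# 7. Audit policy by category, matching the recommendation above.
$Audit = [ordered]@{
    'Account Management' = @{ success = 'enable';  failure = 'enable' }
    'Logon/Logoff'       = @{ success = 'enable';  failure = 'enable' }
    'Object Access'      = @{ success = 'disable'; failure = 'enable' }
    'Policy Change'      = @{ success = 'enable';  failure = 'enable' }
    'Privilege Use'      = @{ success = 'disable'; failure = 'enable' }
    'System'             = @{ success = 'enable';  failure = 'enable' }
    'DS Access'          = @{ success = 'disable'; failure = 'enable' }
    'Account Logon'      = @{ success = 'enable';  failure = 'enable' }
}
foreach ($category in $Audit.Keys) {
    $s = $Audit[$category].success
    $f = $Audit[$category].failure
    auditpol /set "/category:$category" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$category'" }
}
auditpol /get /category:*

# Password and lockout policy. net accounts covers everything except complexity.
net accounts /minpwlen:6 /maxpwage:30 /uniquepw:5 `
             /lockoutthreshold:3 /lockoutduration:20 /lockoutwindow:20
if ($LASTEXITCODE -ne 0) { throw 'net accounts failed' }

# Password complexity is a security-template setting, so push it with secedit.
# Single-quoted here-string: the $CHICAGO$ signature must not be expanded.
$inf = Join-Path $env:TEMP 'pwcomplex.inf'    # assumed temporary file names
$db  = Join-Path $env:TEMP 'pwcomplex.sdb'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw 'secedit failed; see %windir%\security\logs\scesrv.log' }

# Read back the account policy that is now in force.
net accounts
```

The `auditpol` categories map one-to-one onto the nine headings in Local Security Policy; the current `Get`-style output it prints is the check that the policy actually took. The `net accounts` values correspond to the five password and lockout settings listed above; `lockoutwindow` is the "reset account lockout counter after" value.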
8. IIS settings
Install only the Internet Services Manager, the common files and the World Wide Web service.
Remove as many unnecessary application mappings in IIS as you can; for most users, leaving only .asp and .asa is enough.
Where a web directory needs IUSR read and write permission at the NTFS level, still grant only Read permission in IIS itself.
Make good use of IIS's IP address and domain name restrictions (deny lists).
Improve logging so that problems can be found and monitoring strengthened.
9. FTP settings
Anonymous access to FTP must be disabled.
Be careful when granting privileges to FTP users.