Solutions for establishing secure Web sites based on NT/2000
Created: 2002-04-01
Article type: compilation
Submitted by: Warnray (warnray_at_msn.com)
Web sites built on NT (2000) make up a large share of all Web sites, but NT security problems have always been prominent, which leaves many NT-based sites feeling exposed. Microsoft offers no clear, firm solution: it publishes patches and a wide range of documents describing NT security, which mostly leaves people confused. As a result, some administrators take no measures at all, some are kept busy applying patch after patch, and some assume a firewall will take care of everything. This state of affairs directly leads to a large number of NT sites being insecure: only a small minority of NT sites are well protected, and most are weak. To address this, Rising set out to collect and organize the main NT vulnerabilities and, looking at the overall picture, to work out a solution for building a secure site with NT, so that users can use NT (2000) to host a Web site safely.
Solution (note: this programme targets the security of NT/2000 servers that host a public Web site; it is not intended for servers inside a LAN):
1. Installation:
Whether NT or 2000, format all hard disk partitions as NTFS.
Description:
(1) NTFS offers finer-grained access control than FAT: different access rights can be set on different folders, which strengthens security.
(2) Install onto NTFS partitions in one step. Do not install onto FAT and convert to NTFS afterwards: with SP5 or SP6 installed the conversion can fail, or even crash the system.
(3) NTFS carries one potential risk: most anti-virus boot floppies cannot scan or clean NTFS partitions, so if a destructive virus gets into the system and the system no longer boots normally, the consequences are severe. Keep anti-virus protection in place.
Install only one operating system.
Description: a second (or third) operating system gives an attacker an opening: after forcing a restart into the other system, which has no security settings (or which the attacker knows well), the damage is done from there.
Install as a stand-alone server: choose workgroup member, not a domain controller or domain member.
Description: a Primary Domain Controller (PDC) is a way of managing many networked machines on a LAN. On a Web server, domain membership only gives an attacker a domain-based route into the server.
Explanation: an attacker who gains execution on the operating system through a Web site vulnerability could then use domain privileges to do far greater damage.
Install the latest operating system service pack: currently SP6 for NT and SP2 for 2000. On NT, once the service pack is installed, any Windows component later added from the NT CD requires the service pack to be reinstalled; this is not needed on 2000.
Description:
(1) The latest service pack fixes major system vulnerabilities. A LAN server may get away with an older level, but a public site must run the latest one, otherwise an attacker can use vulnerabilities of the older level against the system. This is a point some administrators neglect.
(2) Installing NT SP5 or SP6 carries a potential risk: if the system crashes and NT has to be reinstalled from the original media, the fresh install will not recognise the NTFS partitions, because Microsoft changed NTFS in those two service packs. The partitions can then only be read through a Windows 2000 setup process, which causes a lot of trouble; keep a data backup.
(3) Install a service pack on a test machine first, so that an unexpected failure does not take the production machine down, and make a data backup beforehand.
Do not install software unrelated to the Web site service.
2. NT settings:
Account policy:
(1) Keep the number of accounts as small as possible and log in with them as rarely as possible.
(2) Besides Administrator, create one more account that belongs to the Administrators group, as a spare: if an attacker breaks into one account and changes its password, you still have a way to regain control quickly.
(3) Control every account's rights strictly; do not hand out special privileges lightly.
(4) Rename Administrator to a name that is hard to guess. Ordinary accounts should follow the same principle.
Description: this puts one more obstacle in the attacker's way.
(5) Disable the Guest account, rename it to a complex name, give it a strong password, and remove it from the Guests group; never add it to the Administrators group.
(6) Give every user account (external accounts included) a complex password of at least 8 characters that contains letters, digits and special characters together. Avoid familiar words (such as Microsoft), keyboard sequences (such as qwerty) and familiar numbers (such as 2000): such passwords are cracked in minutes, whereas a password built as recommended is far safer.
(7) Change passwords regularly (at least every two weeks), memorise them and write them down nowhere. If the audit log shows an account being attacked, change that account immediately (both user name and password).
(8) Set the lockout threshold in the account policy, for example lock the account after more than 5 failed logon attempts. This blocks large-scale logon attempts and alerts the administrator that the account is under attack.
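The password rules in item (6) can be enforced before an account is created. The checker below is an added example and not part of the original article; the lists of familiar words and numbers are assumptions for illustration (extend them with terms specific to your site), and a run of four adjacent keyboard keys is taken as the definition of a keyboard sequence.

```python
"""Password-policy checker for the rules above: at least 8 characters; letters, digits and
special characters all present; no familiar words, keyboard sequences or familiar numbers.
Added example, not from the original article.  Word and number lists are assumptions."""
import re

MIN_LENGTH = 8
FAMILIAR_WORDS = ("microsoft", "windows", "password", "admin", "server")  # assumed list
FAMILIAR_NUMBERS = ("2000", "1999", "8888")                              # assumed list
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
RUN_LENGTH = 4  # four adjacent keys, forwards or backwards, count as a keyboard sequence


def keyboard_run(password):
    """Return the first keyboard sequence found in the password, or None."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - RUN_LENGTH + 1):
            segment = row[i:i + RUN_LENGTH]
            if segment in low or segment[::-1] in low:
                return segment
    return None


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    low = password.lower()
    for word in FAMILIAR_WORDS:
        if word in low:
            problems.append("contains familiar word '%s'" % word)
    for number in FAMILIAR_NUMBERS:
        if number in password:
            problems.append("contains familiar number '%s'" % number)
    run = keyboard_run(password)
    if run:
        problems.append("contains keyboard sequence '%s'" % run)
    return problems


if __name__ == "__main__":
    for candidate in ("Microsoft2000", "qwerty12", "Tq7#vLp2!x"):
        print(candidate, "->", check_password(candidate) or "OK")
```

A password that passes every check is not automatically strong; the checker only rejects the classes of weak password named above, so it belongs in front of a real length and randomness requirement, not in place of one.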
Unbind NetBIOS from TCP/IP.
Description: NetBIOS is indispensable on a LAN, but on a Web server it is the first target of attackers' scanning tools. Method: NT: Control Panel - Network - Bindings - NetBIOS Interface - Disable. 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP.
Remove all network shares.
Description: NT and 2000 create many network shares by default. They are useful for management and communication on a LAN, but on a Web server they are a serious hazard. (Uninstall "File and Printer Sharing for Microsoft Networks": it is listed in the properties of any connection under Network and Dial-up Connections; click "Uninstall" to remove the component. Merely clearing its checkbox is not enough.)
Method:
(1) NT: Administrative Tools - Server Manager - Shared Directories - Stop Sharing;
2000: Control Panel - Administrative Tools - Computer Management - Shared Folders - Stop Sharing.
Both methods are tedious, though, because the shares come back and must be stopped again after every restart.
(2) Modify the registry: run regedit and add the following value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:
Name: AutoShareServer
Type: REG_DWORD
Value: 0
After the server restarts, the disk partition shares are gone, but the IPC$ share still exists and has to be deleted after every restart (for example with "net share IPC$ /delete").
Reset the NTFS security permissions.
Description: by default Everyone has Full Control. Remove that and give Full Control only to Administrators and SYSTEM. This may stop some legitimate scripts from running, or prevent operations that need write access, in which case the permissions on those specific folders must be adjusted. Test the changes on a test machine first, then apply them carefully.
Set the boot menu wait time to 0 seconds: Control Panel - System - Startup/Shutdown, and change the default "30" shown in the list to "0" (or set the Timeout value in boot.ini to 0).
Open only the ports you need and close all the others.
A list of common ports follows (DNS normally also needs UDP 53):
Port   Protocol    Application
21     TCP         FTP
25     TCP         SMTP
53     TCP         DNS
80     TCP         HTTP server
1433   TCP         SQL Server
5631   TCP         pcAnywhere
5632   UDP         pcAnywhere
66     (non-port)  IP protocol
8      (non-port)  IP protocol
Strengthen log auditing.
Description: auditing is an essential part of security. By default the security log records nothing. Account auditing is enabled under User Manager for Domains - Policies - Audit; file auditing on NTFS volumes is enabled from the file or folder properties in Explorer. Audit only the events you really care about: selecting everything produces so many records that analysis becomes impractical, and it wastes system resources.
Strengthen data backups.
Description: the usual failure is not that no backup exists but that it is incomplete or not timely. Backups need careful planning: develop a strategy, rehearse it on the test system, and keep adjusting the plan as the Web site changes.
Keep only the TCP/IP protocol; remove NetBEUI and IPX/SPX. The Web site only needs TCP/IP.
Stop unneeded services and keep only those the Web site and the server actually require. Be aware that some services are necessary to the operating system itself: check the help documentation before stopping one, and test on the test server first.
Hide the last logged-on user name by editing the registry. Windows NT 4.0: add DontDisplayLastUserName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set it to 1. On Windows 2000 the value already exists; just change it to 1.
Do not use IP forwarding (NT): Control Panel - Network - Protocols - TCP/IP Protocol - Properties, and leave the Enable IP Forwarding box empty.
IP forwarding is disabled by default; take care not to enable it, otherwise the server acts as a router and an attacker can use it to attack other servers.
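The three registry settings above (AutoShareServer, DontDisplayLastUserName, and IP forwarding, whose value is IPEnableRouter under Tcpip\Parameters) can be verified offline from a regedit export instead of by clicking through the tools on every server. The audit below is an added example, not from the original article; it parses the .reg text format that regedit writes and reports which expected values are missing or wrong. Both exports it checks are constructed samples.

```python
"""Offline audit of a regedit export against the hardening values described above.
Added example, not from the original article.  The sample exports are constructed."""
import re

# (key, value name, expected data).  Key paths are the documented locations.
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", 0),                   # no automatic C$/D$/ADMIN$ shares
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName", "1"),         # hide last logged-on user name (REG_SZ)
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "IPEnableRouter", 0),                    # IP forwarding off
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Return {(key.lower(), name.lower()): data} for dword and string values."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            values[(key, name.lower())] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            values[(key, name.lower())] = data[1:-1]
        # other value types (hex:, expandable strings) are not needed for this audit
    return values


def audit_registry_export(text):
    """Return a list of findings; an empty list means every expected value is set."""
    values = parse_reg_export(text)
    findings = []
    for key, name, expected in EXPECTED:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append("%s\\%s is missing (expected %r)" % (key, name, expected))
        elif actual != expected:
            findings.append("%s\\%s is %r, expected %r" % (key, name, actual, expected))
    return findings


# Constructed sample: export from a hardened server.
SAMPLE_HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IPEnableRouter"=dword:00000000
"""

# Constructed sample: defaults left in place (shares on, last user shown, routing value absent).
SAMPLE_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"""

if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(label, "->", audit_registry_export(sample) or ["OK"])
```

Run it against the output of "regedit /e" taken from each server; a missing value is reported as a finding too, because the default behaviour applies whenever the value is absent.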
Install the latest MDAC version (http://www.microsoft.com/data/download.htm).
Note: test before installing the latest version, because some data access methods may no longer be supported in the new version; in that case the vulnerability can instead be closed by modifying the registry, see the vulnerability test document.
3. IIS settings (covering IIS 4.0 and IIS 5.0):
Install only the services you must have from the Option Pack; do not install Index Server, FrontPage Server Extensions, the sample Web site and similar features (NT). Windows 2000 is set up similarly.
Stop the default FTP site, the default Web site and the administration Web site, and create new WWW and FTP services in a new directory.
Description: the default site and the administration Web site contain many security vulnerabilities that give attackers easy opportunities (see the attached security document for specifics), so they must be disabled. Create the new site in a new directory, not under inetpub\wwwroot, preferably on a different partition.
Remove unnecessary IIS extension (application) mappings: .idc, .htr, .stm, .ida, .htw, .shtml, .shtm and so on should all be removed.
Description: these application mappings carry many security hazards. Method (NT and 2000): Web Site - Properties - Home Directory - Configuration - App Mappings.
After installing a new service pack, re-check and reset the IIS application mappings.
Description: a new service pack can bring some of the application mappings back, reopening the vulnerabilities. This is a point administrators easily overlook.
Set up the IP address deny list to further restrict who can reach the site.
Do not allow anonymous access to the FTP service.
Description: if anonymous FTP access is allowed, the anonymous account is very likely to be used to obtain more information and harm the system.
Use the W3C Extended log file format and record the client IP address, user name, server port, method, URI stem, HTTP status and user agent; review the log every day. (Do not use the default log directory: move the log path, and set permissions on it so that only Administrators and SYSTEM have Full Control.)
Explanation: this is an important measure. It lets you discover signs of attack, take preventive action, and keep evidence if the site is attacked.
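Reviewing the log every day is easier with a script that reads the W3C Extended format and flags the things this document says to watch for: requests for the extension mappings removed above, attempts to fetch .inc, .bak and .mdb files (see the ASP section), and clients that collect many error responses, which is what scanning and guessing look like in a log. The script below is an added example, not from the original article; the log it reads is constructed, with the field set recommended above, and the threshold of five error responses per client is an assumption.

```python
"""Daily review of a W3C Extended log.  Added example, not from the original article.
Flags requests for removed extension mappings, source/database download attempts, and
clients with many error responses.  The sample log is constructed."""
from collections import Counter

REMOVED_MAPPINGS = {"idc", "htr", "stm", "ida", "htw", "shtml", "shtm"}
SOURCE_LEAK_EXTS = {"inc", "bak", "mdb"}
ERROR_THRESHOLD = 5  # assumed: five or more error responses to one client in a day


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: header
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; a fuller reviewer would count these as well
        yield dict(zip(fields, parts))


def _extension(uri_stem):
    name = uri_stem.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def review_log(text, error_threshold=ERROR_THRESHOLD):
    """Return a list of (client_ip, reason) findings for the log text."""
    findings = []
    errors = Counter()
    for rec in parse_w3c_log(text):
        ip, uri, status = rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]
        ext = _extension(uri)
        if ext in REMOVED_MAPPINGS:
            findings.append((ip, "request for removed mapping .%s: %s" % (ext, uri)))
        if ext in SOURCE_LEAK_EXTS:
            findings.append((ip, "source/database download attempt: %s" % uri))
        if status.isdigit() and int(status) >= 400:
            errors[ip] += 1
    for ip, count in errors.items():
        if count >= error_threshold:
            findings.append((ip, "%d error responses (scanning or guessing?)" % count))
    return findings


# Constructed sample log (W3C Extended writes spaces inside a field as '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-04-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2002-04-01 08:01:02 10.0.0.5 - 80 GET /default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2002-04-01 08:01:03 10.0.0.5 - 80 GET /images/logo.gif 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2002-04-01 08:02:10 10.0.0.9 - 80 GET /test.idc 404 -
2002-04-01 08:02:11 10.0.0.9 - 80 GET /test.htr 404 -
2002-04-01 08:02:12 10.0.0.9 - 80 GET /index.ida 404 -
2002-04-01 08:02:13 10.0.0.9 - 80 GET /conn.inc 403 -
2002-04-01 08:02:14 10.0.0.9 - 80 GET /default.asp.bak 404 -
2002-04-01 08:02:15 10.0.0.9 - 80 GET /data/book.mdb 404 -
2002-04-01 08:03:00 10.0.0.7 - 80 GET /conn.inc 200 Mozilla/4.0+(compatible;+MSIE+5.5)
"""

if __name__ == "__main__":
    for ip, reason in review_log(SAMPLE_LOG):
        print(ip, reason)
```

Note the last sample line: a request for conn.inc that returned 200 means the include file was actually served, which is the leak the ASP section warns about; a 404 for the same name only shows that someone was looking.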
Set access permissions on the Web site directories carefully. In general, do not grant Write or Directory Browsing permissions. Give directories containing .asp files Script permission only, never Execute.
Description: directory permissions must be set carefully, otherwise an attacker will take advantage of them.
4. ASP programming security:
Security is not only the administrator's job; programmers must also pay attention to certain security details and develop good habits, otherwise they hand attackers an opening. At present the ASP code on most sites has such vulnerabilities, but with care when writing they can be avoided.
Code involving user names and passwords is best encapsulated on the server side and should appear in ASP files as little as possible; database connection credentials in particular should be kept to a minimum.
Description: credentials that appear in many places are more likely to leak, so keep the number of occurrences in ASP files to a minimum and put them in a single, well-hidden include file. For database connections, give the account only the right to execute stored procedures; do not give it direct permission to modify, insert or delete records.
ASP pages that require authentication should track the file name of the previous page, and only a session arriving from that page may read them.
For specific vulnerabilities see the public draft.
Prevent the ASP page and .inc file leak.
Some ASP pages are published before debugging is finished. If a search engine indexes them, anyone who finds those pages through the search engine learns the location of the include files, and the location and structure of the database, even the complete source code, can then be viewed in a browser.
Solution: programmers should debug pages fully before publishing them, and the security staff should protect the ASP include files so that users cannot read them. First, encrypt the contents of the .inc file; second, use .asp files instead of .inc files, so that a user cannot view the file's source directly in a browser. Do not give .inc files default or meaningful names that are easy to guess; use arbitrary letters instead.
Beware that some ASP editors automatically back up ASP files, and the backups can be downloaded.
Some editors create a backup file whenever an ASP file is created or modified. UltraEdit, for example, creates a .bak file, so creating or editing some.asp produces some.asp.bak. If the .bak file is not deleted, an attacker can download some.asp.bak directly and so obtain the source of some.asp.
In ASP programs that handle message boards, BBS forums and the like, filter out HTML, JavaScript and VBScript. If there is no special requirement, restrict input to letters and digits, block special characters, and limit the input length. Validate not only on the client but also in the server-side code.
Description: input fields are a favourite target of attackers: they can harm other users' browsers by entering script, and if a field feeds a database query they can use crafted query input to extract more data, even entire tables. Input must therefore be filtered. A check done only on the client can still be bypassed, so it must be repeated on the server.
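Both halves of that advice, the server-side allow-list check and the database query it protects, are shown below as an added example that is not from the original article. It is written in Python against an in-memory SQLite table (a constructed sample of two users); an ASP page would express the same two patterns in VBScript, with the parameterised form using ADO Command parameters, but the logic is identical. lookup_unsafe() deliberately shows the concatenation pattern that crafted query input exploits, and lookup_safe() the corrected form; the 20-character limit is an assumption.

```python
"""Server-side input checking and the query it protects.  Added example, not from the
original article.  The user table is constructed in memory."""
import re
import sqlite3

ALLOWED = re.compile(r"[A-Za-z0-9]+")  # letters and digits only, as the text recommends
MAX_LENGTH = 20                        # assumed limit for a user-name field


def validate_input(value, max_length=MAX_LENGTH):
    """Allow-list check: True only for non-empty alphanumeric input within the length limit."""
    return len(value) <= max_length and ALLOWED.fullmatch(value) is not None


def make_db():
    """Constructed sample table: two registered users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The vulnerable pattern: user input pasted straight into the SQL text.
    Input such as  ' OR '1'='1  turns the WHERE clause into one that matches every row."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The corrected pattern: allow-list check first, then input passed as a parameter."""
    if not validate_input(name):
        return []  # rejected before the database is touched
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("unsafe query with crafted input returns:", lookup_unsafe(db, crafted))
    print("server-side check plus parameters return:", lookup_safe(db, crafted))
    print("<script> passes the allow-list?", validate_input("<script>alert(1)</script>"))
```

The allow-list alone already rejects the crafted input, but the parameterised query is what makes the code safe for fields that must accept punctuation, so the two belong together rather than as alternatives.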
Prevent the Access MDB database from being downloaded.
When Access is used as the back-end database, anyone who knows or guesses the path and name of the Access database file on the server can download the file, which is very dangerous.
Solution:
(1) Give the database file a complex, unconventional name and put it several directories deep. "Unconventional" means, for example, that a database holding information about books should not be called book.mdb but something odd such as D34ksfslf.mdb, placed in a nested directory such as ./kdslf/i44/studi/; an attacker then cannot obtain the Access file by guessing.
(2) Do not write the database name into the program. Some people like to build the connection string in code, for example:
DBPATH = Server.MapPath("cmddb.mdb")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPATH
This exposes the file name in the source. Define the data source in ODBC instead and write only:
Conn.Open "shujiyuan"
(3) Use Access to encode and encrypt the database file. First choose Tools -> Security -> Encode/Decode Database, select the database (for example employer.mdb), confirm, and in the "Encode Database As" window save it as employer1.mdb. employer.mdb is encoded and saved as employer1.mdb.
Note that this step does not set a password on the database; it only encodes the file, so that other tools cannot be used to read its contents.
Next, encrypt the database with a password: open the encoded employer1.mdb in Exclusive mode, choose Tools -> Security -> Set Database Password, and enter a password. Now even someone who obtains employer1.mdb cannot read it without the password.
5. SQL Server security:
SQL Server is the most widely used database system on the NT platform, and its security deserves attention too. The database usually holds the most valuable information, and the consequences of its theft are unimaginable.
Apply patches promptly.
Description: as with NT, many SQL Server vulnerabilities are fixed by patches. Test a patch on the test machine before installing it, and back up the target server's data first.
Give sa a complex password.
Description: sa has every permission over SQL Server. Unfortunately some administrators are unfamiliar with databases and leave database setup to the programmers, who care only about writing SQL statements and not about administering SQL Server, so the sa password is often left blank. This is a serious threat to database security, and quite a few sites currently have it.
Control database users' permissions strictly: do not grant direct select, update, insert or delete permissions on tables lightly; give users access through views, and only the permission to execute stored procedures.
Description: a user with direct rights on the tables is a standing danger.
Develop a complete database backup and recovery strategy.
6. pcAnywhere security:
pcAnywhere is currently the most popular remote control tool for NT and 2000, and it also needs attention to security.
Use a separate user name and password, preferably with encryption. Do not reuse the NT administrator's user name and password, and do not use NT-integrated authentication.
Description: with NT-integrated authentication, once pcAnywhere is broken there is no barrier left. With a separate password, even if pcAnywhere is broken, the NT password still stands in the way.
Install newer versions promptly.