Win2000 + IIS 5.0 security configuration specification

xiaoxiao2021-03-06  114

First, Windows 2000 security configuration

■ Make sure all disk partitions are NTFS partitions.
■ Install the operating system, the web home directory and the logs on separate partitions.
■ Don't install unneeded protocols, such as IPX/SPX or NetBIOS.
■ Do not install any other operating system.
■ Install the Service Pack.
■ Install hotfixes. The following patches generally need to be installed:
  * Q260347_W2K_sp2_x86_cn (IISCrosssite)
  * Q262694_W2K_SP2_x86_CN (resetBrowseForm)
  * Q269049_W2K_SP2_x86_CN (shellpath)
  * Q269862_W2K_SP2_x86_CN (unicode)
  * Q270676_W2K_SP2_x86_CN (shurufa)
  * Q272743_W2K_SP2_x86_CN (NTLM)
  * Q277873_W2K_sp2_x86_CN (filerequest)
  * Q278499_W2K_sp2_x86_CN (indexserv)
  * Q280322_W2K_sp2_x86_CN (MalweBform)
  * Q285851_W2K_SP3_X86_W2K_SP3_X86_CN (NetDDE)
  For details, see the Microsoft website: http://www.microsoft.com/windows2000/downloads
■ Turn off all unnecessary services:
  * Alerter (disable)
  * ClipBook Server (disable)
  * Computer Browser (disable)
  * DHCP Client (disable)
  * Directory Replicator (disable)
  * FTP publishing service (disable)
  * License Logging Service (disable)
  * Messenger (disable)
  * Netlogon (disable)
  * Network DDE (disable)
  * Network DDE DSDM (disable)
  * Network Monitor (disable)
  * Plug and Play (disable after all hardware configuration)
  * Remote Access Server (disable)
  * Remote Procedure Call (RPC) Locator (disable)
  * Schedule (disable)
  * Simple Services (disable)
  * Spooler (disable)
  * TCP/IP NetBIOS Helper (disable)
  * Telephone Service (disable)
  Services that can optionally be disabled:
  * SNMP service (optional)
  * SNMP trap (optional)
  * UPS (optional)
  Services to set to automatic start:
  * EventLog (required)
  * NT LM Security Provider (required)
  * RPC Service (required)
  * Workstation (leave service on: will be disabled later in the document)
  * MSDTC (required)
  * Protected Storage (required)
■ Delete the OS/2 and POSIX subsystems. Delete the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
  Delete the following key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
  Delete the following keys:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2
  Delete the following directory:
  c:\winnt\system32\os2
■ Account and password policy:
  1) Make sure the Guest account is disabled
  2) Rename the Administrator account to a name that is harder to guess
  3) Password uniqueness: remember the last 6 passwords
  4) Minimum password age: 2
  5) Maximum password age: 42
  6) Minimum password length: 8
  7) Password complexity (passfilt.dll): Enabled
  8) User must log on to change the password: Enabled
  9) Account lockout threshold (failed logons): 6
  10) Interval before a locked account is re-enabled: 720 minutes
■ Protect files and directories: restrict the access permissions on C:\Winnt, C:\Winnt\Config, C:\Winnt\System32, C:\Winnt\System, etc.
■ Modify the following registry entries:
  1) Remove the Shutdown button from the logon dialog box: in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set the REG_SZ value ShutdownWithoutLogon to 0
  2) Disable caching of logon information: in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set the REG_SZ value CachedLogonsCount to 0
  3) Hide the last logged-on user name: in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set the REG_SZ value DontDisplayLastUserName to 1
  4) Restrict anonymous access through the LSA: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, set the REG_DWORD value RestrictAnonymous to 1
  5) Remove all network shares: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters, set the REG_DWORD value AutoShareServer to 0
■ Enable TCP/IP filtering:
  * Allow only TCP ports 80 and 443 (443 if you use SSL)
  * Allow no UDP ports
  * Allow only IP protocol 6 (TCP)
■ Move some important files and apply access control: create a directory that only system administrators can access, and move the following files from the System32 directory into it: xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe
■ Install anti-virus software: Norton 2000
■ You can download the hisecweb.inf security template and use it for configuration: http://download.microsoft.com/downl...us/hisecweb.exe
  This template configures basic Windows 2000 system security policy.
  1) Copy the template to the %Windir%\Security\Templates directory.
  2) Open the Security Templates tool to view these settings.
  3) Open the Security Configuration and Analysis tool and load the template.
  4) Right-click the Security Configuration and Analysis tool, then select "Analyze Computer Now" from the context menu.
  5) Wait for the operation to finish.
  6) Review the results and update the template if necessary.
  7) Right-click the Security Configuration and Analysis tool, then select "Configure Computer Now" from the context menu.

Second, IIS security configuration

■ Stop and delete the default sites:
  * Default FTP Site
  * Default Web Site
  * Administration Web Site
■ Create your own site on a partition other than the system partition, such as D:\wwwroot.
■ Create an E:\logfiles directory; the site's log files will be placed in this directory when the site is created. Make sure that the access control permissions on this directory are: Administrators (Full Control), System (Full Control)
■ Delete the following IIS directories:
  * Iishelp: C:\Winnt\Help\Iishelp
  * Iisadmin: C:\System32\InetSRV\Iisadmin
  * Msadc: C:\Program Files\Common Files\System\MSADC
  * Delete C:\INETPUB
■ Delete unnecessary IIS mappings and extensions: IIS is pre-configured to support common file name extensions such as .asp and .shtm. When IIS receives a request for one of these file types, the call is handled by a DLL.

If you do not use some of these extensions or features, you should delete their mappings. The steps are as follows:
  1) Open Internet Services Manager.
  2) Right-click your computer name and select Properties.
  3) Click Edit, select the Home Directory tab, then click Configure.
  4) Select the extensions ".htw", ".htr", ".idc", ".ida", ".idq" and ".printer", and click Delete.
  5) If you don't use Server Side Includes, also delete ".shtm", ".stm" and ".shtml".
■ Disable parent paths: the "Parent Path" option allows you to use ".." in calls to functions such as MapPath. By default, this option is enabled and should be disabled. The steps to disable it are as follows:
  1) Right-click the root of the Web site and select Properties from the context menu.
  2) Click the Home Directory tab.
  3) Click Configure.
  4) Click the Application Options tab.
  5) Deselect the Enable Parent Path check box.
■ Set access control permissions on the virtual directories. The files used by the site are grouped by file type:
  * CGI (.exe, .dll, .cmd, .pl): Everyone (X), Administrators (Full Control), System (Full Control)
  * Script files (.asp): Everyone (X), Administrators (Full Control), System (Full Control)
  * Include files (.inc, .shtm, .shtml): Everyone (X), Administrators (Full Control), System (Full Control)
  * Static content (.txt, .gif, .jpg, .html): Everyone (R), Administrators (Full Control), System (Full Control)
  When you create a Web site, there is no need to set access control permissions on each file. Instead, create a new directory for each file type and set access control permissions on each directory, so that the permissions are passed down to each file. For example, the directory structure can take the following form:
  * D:\wwwroot\myserver\static (.html)
  * D:\wwwroot\myserver\include (.inc)
  * D:\wwwroot\myserver\script (.asp)
  * D:\wwwroot\myserver\executable (.dll)
  * D:\wwwroot\myserver\images (.gif, .jpeg)
■ Enable logging: logging is extremely important for determining whether the server has been attacked. You should use the W3C extended logging format. The steps are as follows:
  1) Open Internet Services Manager.
  2) Right-click the site, then select Properties from the context menu.
  3) Click the Web Site tab.
  4) Select the Enable Logging check box.
  5) Select "W3C Extended Log File Format" from the "Active log format" drop-down list.
  6) Click Properties.
  7) Click the Extended Properties tab, then set the following properties:
     * Client IP Address
     * User Name
     * Method
     * URI Resource
     * HTTP Status
     * Win32 Status
     * User Agent
     * Server IP Address
     * Server Port
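
Added example (not part of the original checklist): a small Python triage script that reads a W3C extended log containing the properties selected above and flags requests for the extensions this checklist unmaps, or with a ".." segment in the URI. The field names are the standard W3C extended names for those properties; the function names and the sample log lines are constructed for illustration.

```python
# Added example: triage of an IIS W3C extended log (all sample data is constructed).
UNMAPPED_EXTS = (".htw", ".htr", ".idc", ".ida", ".idq", ".printer")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
192.0.2.10 - 198.51.100.5 80 GET /static/index.html 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)
192.0.2.77 - 198.51.100.5 80 GET /default.ida 404 2 -
192.0.2.77 - 198.51.100.5 80 GET /script/../include/conn.inc 404 3 -
192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 0 Mozilla/4.0+(compatible;+MSIE+5.5)
192.0.2.91 - 198.51.100.5 80 GET /test.printer 200 0 -
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the directive may reappear mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or corrupt records
                yield dict(zip(fields, values))

def suspicious(entry):
    """Return reason strings for a request; an empty list means not flagged."""
    stem = entry.get("cs-uri-stem", "").lower()
    reasons = []
    if stem.endswith(UNMAPPED_EXTS):
        reasons.append("request for an extension that should be unmapped")
    if ".." in stem.replace("\\", "/").split("/"):
        reasons.append("parent-path segment in URI")
    # A 2xx status on a flagged request means the server actually served it.
    if reasons and entry.get("sc-status", "").startswith("2"):
        reasons.append("served with status " + entry["sc-status"])
    return reasons

def triage(text):
    """Return (client IP, URI, reasons) for every flagged request."""
    return [(e.get("c-ip"), e.get("cs-uri-stem"), r)
            for e in parse_w3c(text) if (r := suspicious(e))]

if __name__ == "__main__":
    for ip, uri, why in triage(SAMPLE_LOG):
        print(ip, uri, "; ".join(why))
```

A flagged request that was served with a 2xx status suggests the corresponding mapping is still present on the server and is worth checking first.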

When reposting, please cite the original address: https://www.9cbs.com/read-126952.html
