This article covers only a Windows NT 4.0 system running IIS 4.0. If other applications (such as Cold Fusion) run on the server, you must make sure they still work after these changes. The procedure below should be carried out on a freshly installed system to avoid unpredictable results. Note also that it should not be applied to a server on an internal network (such as a file server), because it disables several default NT services that such servers commonly rely on.
First, installation
1. Format all partitions as NTFS.
For the server type, select Stand-Alone Server; do not choose PDC.
Join a workgroup, not a domain.
2. Install IE 4.0 SP2; do not install Active Desktop.
3. Install the latest service pack (SP6a).
Install the latest hotfixes:
Q241041 Enabling NetBT to Open IP Ports Exclusively
Q243404 Winobj.exe May Let You View Securable Objects Created/Opened by Jet500.dll
Q243405 Device Drivers Create Their Corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN Device Characteristics
Q244599 Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6a; Windows NT Appears to Hang When You Log Off After Installing Service Pack 6
Q188806 NTFS Alternate Data Stream Name of a File May Return Source
Q252463 Security Update, April 13, 2000
Q267559 Security Update, July 17, 2000
Q269862 Security Update, August 15, 2000
Q271652 Security Update, September 8, 2000
4. Install the Option Pack:
Choose a custom installation and install only the following components:
Internet Information Server (IIS)
  Internet Service Manager
  [_] World Wide Web Server
[_] Microsoft Data Access Components 1.5
  Data Sources
    [_] MDAC: ADO, ODBC and OLE DB
  [_] Remote Data Service 1.5
    RDS Core Files
[_] Microsoft Management Console
[_] NT Option Pack Common Files
[_] Transaction Server
  [_] Transaction Server Core Components
Install the WWW root on a partition other than the one holding the operating system.
When installing Transaction Server, select Default/Local Administration.
5. Install the latest MDAC (2.6 RTM as of 10/30/00).
Second, configuring NT
1. Set permissions:
Using the User Manager, set the following permissions on the root of every partition:
* Administrators :: Full Control
* SYSTEM :: Full Control
2. Set a password-protected screen saver: open Display in the Control Panel,
select the Screen Saver tab and choose a screen saver,
check Password protected, then click OK.
3. Configure services:
Disable the following services:
Alerter (Disable)
ClipBook Server (Disable)
Computer Browser (Disable)
DHCP Client (Disable)
Directory Replicator (Disable)
FTP Publishing Service (Disable)
License Logging Service (Disable)
Messenger (Disable)
Net Logon (Disable)
Network DDE (Disable)
Network DDE DSDM (Disable)
Network Monitor (Disable)
Plug and Play (Disable after all hardware has been configured)
Remote Access Server (Disable)
Remote Procedure Call (RPC) Locator (Disable)
Schedule (Disable)
Server (Disable)
Simple Services (Disable)
Spooler (Disable)
TCP/IP NetBIOS Helper (Disable)
Telephony Service (Disable)
Disable the following services unless they are needed:
SNMP Service (Optional)
SNMP Trap (Optional)
UPS (Optional)
Leave the following services set to start:
EventLog (Required)
NT LM Security Support Provider (Required)
RPC Service (Required)
WWW (Required)
Workstation (Leave on for now; it is disabled later in this document)
MSDTC (Required)
Protected Storage (Required)
4. If SNMP is installed, change the community name.
5. Delete the IIS sample directories:
IIS samples        D:\InetPub\iissamples
Admin scripts      D:\InetPub\scripts
Admin samples      %SystemRoot%\System32\inetsrv\adminsamples
IISADMPWD          %SystemRoot%\System32\inetsrv\iisadmpwd
IISADMIN           %SystemRoot%\System32\inetsrv\iisadmin
Data access        C:\Program Files\Common Files\System\MSADC\Samples
6. Remove the following virtual directories in the ISM (Internet Service Manager):
IISSAMPLES
SCRIPTS
IISADMIN
IISHELP
IISADMPWD
7. Remove unnecessary IIS extension mappings:
In the ISM:
Select the computer name, right-click it and choose Properties,
then click Edit (for the WWW Service master properties),
then select the Home Directory tab and click Configuration.
Select the extensions ".hta", ".htr" and ".idc" and click Remove.
If you do not use Server Side Includes, also remove ".shtm", ".stm" and ".shtml".
8. Disable the default WWW site.
9. Enable lockout of the Administrator account:
Use the passprop tool from the NT Resource Kit and run the following command:
passprop /adminlockout /complex
10. Open only the required ports:
Open Network in the Control Panel, select the Protocols tab, select TCP/IP Protocol and click Properties.
Click Advanced.
Check "Enable Security" and click "Configure".
Set every column to "Permit Only" and allow only the following:
TCP Ports    UDP Ports    IP Protocols
80  HTTP     161 SNMP     6
443 SSL      162 SNMP     8
22  SSH
11. Install only the TCP/IP protocol:
Open Network in the Control Panel, select the Protocols tab, and remove every protocol other than TCP/IP.
12. Disable NetBIOS:
Open Network in the Control Panel, select the Bindings tab, select NetBIOS Interface, then click Disable.
13. Move important executables and restrict access to them:
Create a directory that only the system administrator can access, for example:
D:\admin
Move the following files from the System32 directory into the directory you created above:
xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe, atsvc.exe, qbasic.exe, runonce.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe
Third, running the bastion.inf hardening script
Download the latest bastion.inf archive (bastionf.zip), extract it, and run the following command:
secedit /configure /cfg bastion.inf /db %TEMP%\secedit.sdb /verbose /log %TEMP%\seclog.txt
This security template makes the following changes to the system:
1. Password policy:
Enforce password history: remember the last 6 passwords
Minimum password age: 2 (days)
Maximum password age: 42 (days)
Minimum password length: 10
Password complexity (passfilt.dll): enabled
Users must log on to change password: enabled
Account lockout threshold: 5 failed logon attempts
Lockout duration: 720 minutes
2. Audit policy:
Audit the following events:
User and Group Management: success, failure
Logon and Logoff: success, failure
File and Object Access: failure
Security Policy Changes: success, failure
Use of User Rights: failure
System Events: success, failure
3. User rights assignment:
Access this computer from the network: No one
Add workstations to domain: No one
Back up files and directories: Administrators
Change the system time: Administrators
Force shutdown from a remote system: No one
Load and unload device drivers: Administrators
Log on locally: Administrators
Manage auditing and security log: Administrators
Restore files and directories: Administrators
Shut down the system: Administrators
Take ownership of files or other objects: Administrators
Bypass traverse checking (advanced right): Everyone
Log on as a service (advanced right): No one
Lock pages in memory: No one
Replace a process level token: No one
Generate security audits: No one
Create a pagefile: Administrators
Profile system performance: No one
Create a token object: No one
Debug programs: No one
Increase scheduling priority: Administrators
Increase quotas: Administrators
Profile single process: Administrators
Modify firmware environment values: Administrators
Generate system strategy: Administrators
Log on as a batch job: No one
4. Event Viewer settings:
The Application, System and Security logs are each set to a maximum size of 100 MB.
Log overwrite behaviour: overwrite events older than 30 days.
Anonymous users may not view the logs.
5. Registry values:
Key                                                                                   Type        Value
Machine\Software\Microsoft\DataFactory\HandlerInfo\HandlerRequired                    REG_DWORD   1
Machine\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation      REG_DWORD   1
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms          REG_SZ      1
Machine\System\CurrentControlSet\Control\Lsa\AuditBaseObjects                         REG_DWORD   1
Machine\System\CurrentControlSet\Control\Lsa\SubmitControl                            REG_DWORD   0
Machine\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers   REG_DWORD   1
Machine\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword      REG_DWORD   0
Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\Autodisconnect      REG_DWORD   15
Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks        REG_DWORD   0
Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer     REG_DWORD   0
Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableForcedLogoff  REG_DWORD   1
Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature   REG_DWORD   1
Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature    REG_DWORD   1
Machine\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature     REG_DWORD   1
Machine\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature      REG_DWORD   1
Machine\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal       REG_DWORD   1
Machine\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel       REG_DWORD   1
Machine\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel       REG_DWORD   1
Machine\System\CurrentControlSet\Control\Lsa\RestrictAnonymous                        REG_DWORD   1
Machine\System\CurrentControlSet\Control\Session Manager\ProtectionMode               REG_DWORD   1
Machine\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel                     REG_DWORD   2
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText         REG_SZ      This is a private system. Unauthorized use is prohibited.
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption      REG_SZ      CISD
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName REG_SZ      1
Machine\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail                         REG_DWORD   1
Machine\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown   REG_DWORD   1
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount       REG_SZ      0
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies        REG_SZ      1
Machine\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing                    REG_BINARY  1
Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon    REG_SZ      1
6. File system and registry access control:
See bastion.inf.
7. Administrator account:
bastion.inf renames the Administrator account to root.
You can change this name to suit your needs; in any case, use a strong password.
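As an added check that is not part of bastion.inf or this article, the script below compares a REGEDIT4 export of a host (regedit can save one) against a subset of the registry values listed above, reporting every value that differs or was never set; the baseline paths are the page's own, the sample export is constructed.

```python
# Added check: compare a REGEDIT4 export against the bastion.inf registry values
# above. BASELINE is a hand-picked subset of that table; SAMPLE_REG is constructed.
BASELINE = {  # key path -> {value name: expected}; REG_DWORD as int, REG_SZ as str
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa": {
        "RestrictAnonymous": 1, "CrashOnAuditFail": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters": {
        "AutoShareServer": 0, "AutoShareWks": 0},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters": {
        "EnablePlainTextPassword": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "CachedLogonsCount": "0"},
}

def parse_reg(text):
    """{key path: {name: value}}, lower-cased; dword -> int, "str" -> str, rest skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            if raw.startswith("dword:"):
                keys[current][name.lower()] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name.lower()] = raw[1:-1]
    return keys

def audit(reg_text, baseline=BASELINE):
    """(key, name, expected, actual) per baseline value that differs or is absent (None)."""
    keys, findings = parse_reg(reg_text), []
    for key, wanted in baseline.items():
        present = keys.get(key.lower(), {})
        for name, expected in wanted.items():
            actual = present.get(name.lower())
            if actual != expected:  # None: unhardened OS default still in effect
                findings.append((key, name, expected, actual))
    return findings

# Constructed export of a partially hardened host: CrashOnAuditFail 0, AutoShareWks unset, Rdr key absent.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"CrashOnAuditFail"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
"""
```

Running audit(SAMPLE_REG) on the constructed export reports three findings: CrashOnAuditFail is 0 instead of 1, AutoShareWks is unset, and EnablePlainTextPassword is unset because the Rdr key is missing.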
Fourth, optional registry settings
1. Remove the OS/2 and POSIX subsystems:
Delete the following key and all of its subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
Delete the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
Delete the following values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2
Delete the following directory:
C:\WinNT\System32\OS2
2. Remove the RDS vulnerability:
Delete the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
3. Remove unnecessary network services:
In Control Panel > Network > Services, remove: NetBIOS Interface, Computer Browser, Server, Workstation.
Keep: RPC Configuration.
Fifth, protecting permissions
1. Protect the Internet Guest account:
In the User Manager, rename the Internet Guest account to an inconspicuous name and give it a strong password.
Disable the Guest account.
Remove the renamed Internet Guest account from the "Guests" group.
Set the renamed Internet Guest account to "No Access" on all volumes. For IIS to keep working, the renamed Internet Guest account must then be given Read permission on the following directories:
Default path         Environment variable / meaning
C:\                  %SystemDrive%
C:\WinNT             %SystemRoot%
D:\InetPub\wwwroot   your IIS root directory
Note: when setting the permissions on the directories above, do not apply them to subdirectories!
2. Lock down the "Users" group:
Set the NT built-in group "Users" to "No Access" on all volumes. New users are automatically added to the "Users" group, so by default a new user cannot access any volume.