Strengthening the security of NT and IIS (authoritative translation, recommended to 9CBS and all Microsoft server users!!!)

zhaozj 2021-02-08

This article has only been tested on NT Server 4.0 running IIS 4.0. If other applications (such as Cold Fusion) run on the server, you must make sure they keep working. The procedure described below should be carried out on a freshly installed system to avoid unpredictable results. Also note that this procedure should not be used on an internal network server (such as a file server), because it removes some commonly used NT default services.

First, installation

1. Format all partitions as NTFS

Install as a stand-alone server; do not choose PDC

Join a workgroup, not a domain

2. Install IE 4.0 SP2; do not install Active Desktop

3. Install the latest service pack: SP6a

Install the latest hotfixes:

Q241041 Enabling NetBT to Open IP Ports Exclusively

Q243404 Winobj.exe May Let You View Securable Objects Created/Opened by Jet500.dll

Q243405 Device Drivers Create Their Corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN Device Characteristics

Q244599 Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6a; Windows NT Appears to Hang When You Log Off After Installing Service Pack 6

Q188806 NTFS Alternate Data Stream Name of a File May Return Source

Q252463 Security Update, April 13, 2000

Q267559 Security Update, July 17, 2000

Q269862 Security Update, August 15, 2000

Q271652 Security Update, September 8, 2000

4. Install the NT Option Pack:

Choose a custom installation:

Install only the following components:

Internet Information Server (IIS)

Internet Service Manager

[_] World Wide Web Server

[_] Microsoft Data Access Components 1.5

Data Sources

[_] MDAC: ADO, ODBC, and OLE DB

[_] Remote Data Service 1.5

RDS Core Files

[_] Microsoft Management Console

[_] NT Option Pack Common Files

[_] Transaction Server

[_] Transaction Server Core Components

Install the WWW root on a partition other than the operating system's

When installing Transaction Server, select Default / Local Administration

5. Install the latest MDAC (2.6 RTM as of 10/30/00)

Second, configure NT

1. Set permissions:

Using the User Manager, set the following on the root of all partitions:

* Administrators :: Full Control

* SYSTEM :: Full Control

2. Set a screen saver: in the Control Panel, select Display

Select a screen saver

Select Password protected and click OK

3. Configure services:

Disable the following services:

Alerter (Disable)

ClipBook Server (Disable)

Computer Browser (Disable)

DHCP Client (Disable)

Directory Replicator (Disable)

FTP Publishing Service (Disable)

License Logging Service (Disable)

Messenger (Disable)

Net Logon (Disable)

Network DDE (Disable)

Network DDE DSDM (Disable)

Network Monitor (Disable)

Plug and Play (Disable after all hardware has been configured)

Remote Access Server (Disable)

Remote Procedure Call (RPC) Locator (Disable)

Schedule (Disable)

Server (Disable)

Simple TCP/IP Services (Disable)

Spooler (Disable)

TCP/IP NetBIOS Helper (Disable)

Telephony Service (Disable)

Disable the following services if they are not needed:

SNMP Service (Optional)

SNMP Trap (Optional)

UPS (Optional)

Leave the following services set to start:

EventLog (Required)

NT LM Security Support Provider (Required)

RPC Service (Required)

WWW (Required)

Workstation (leave on; it is disabled later in this document)

MSDTC (Required)

Protected Storage (Required)

4. If SNMP is installed, change the community name

5. Delete the IIS sample directories:

IIS samples: D:\Inetpub\iissamples

Admin scripts: D:\Inetpub\scripts

Admin samples: %SystemRoot%\System32\inetsrv\adminsamples

IISADMPWD: %SystemRoot%\System32\inetsrv\iisadmpwd

IISADMIN: %SystemRoot%\System32\inetsrv\iisadmin

Data Access: C:\Program Files\Common Files\System\MSADC\Samples

6. Remove the following virtual directories in the ISM (Internet Service Manager):

IISSAMPLES

Scripts

IISADMIN

IISHELP

IISADMPWD

7. Delete unnecessary IIS extension mappings:

In the ISM:

Select the computer name, right-click, and select Properties

Then select Edit

Then select Home Directory and click Configuration

Select the extensions ".hta", ".htr" and ".idc" and click Remove

If you don't use Server Side Includes, also delete ".shtm", ".stm" and ".shtml"

8. Disable the default WWW site

9. Lock out the Administrator account

Use the passprop tool from the NT Resource Kit to run the following command:

passprop /adminlockout /complex

10. Open only the following ports:

In the Control Panel select Network, click Protocols, select TCP/IP Protocol and click Properties

Click Advanced

Select "Enable Security" and click "Configure"

Set every filter to permit only the following:

TCP ports: 80 (HTTP), 443 (SSL), 22 (SSH)

UDP ports: 161 (SNMP), 162 (SNMP)

IP protocols: 6, 8

11. Install only the TCP/IP protocol

In the Control Panel select Network, click Protocols, and remove all protocols other than TCP/IP.

12. Disable NetBIOS:

In the Control Panel select Network, click Bindings, select NetBIOS Interface, then click Disable

13. Move important files and add access control:

Create a directory that only the system administrator can access, for example:

D:\admin

Move the following files from the System32 directory to the directory you created above:

xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe, atsvc.exe, qbasic.exe, runonce.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe

Third, run the bastion.inf hardening script

Download the latest bastionf.zip and, after unpacking it, run the following command:

secedit /configure /cfg bastion.inf /db %TEMP%\secedit.sdb /verbose /log %TEMP%\seclog.txt

This security policy template makes the following changes to the system:

1. Password policy:

Password uniqueness: remember the last 6 passwords

Minimum password age: 2 days

Maximum password age: 42 days

Minimum password length: 10 characters

Password complexity (passfilt.dll): enabled

Users must log on to change password: enabled

Account lockout threshold: 5 failed logon attempts

Lockout duration: 720 minutes

2. Audit policy:

Audit the following events:

User and group management: success, failure

Logon and logoff: success, failure

File and object access: failure

Security policy changes: success, failure

Use of user rights: failure

System events: success, failure

3. User rights assignment:

Access this computer from the network: no one

Add workstations to domain: no one

Back up files and directories: Administrators

Change the system time: Administrators

Force shutdown from a remote system: no one

Load and unload device drivers: Administrators

Log on locally: Administrators

Manage auditing and security log: Administrators

Restore files and directories: Administrators

Shut down the system: Administrators

Take ownership of files or other objects: Administrators

Bypass traverse checking (advanced right): Everyone

Log on as a service (advanced right): no one

Lock pages in memory: no one

Replace a process level token: no one

Generate security audits: no one

Create a pagefile: Administrators

Profile system performance: no one

Create a token object: no one

Debug programs: no one

Increase scheduling priority: Administrators

Increase quotas: Administrators

Profile single process: Administrators

Modify firmware environment values: Administrators

Generate system policy: Administrators

Log on as a batch job: no one

4. Event Viewer settings:

The Application, System and Security logs are each sized at 100 MB

Event log wrapping: overwrite events older than 30 days

Anonymous users may not view the logs

5. Registry values

Key   Type   Value

MACHINE\Software\Microsoft\DataFactory\HandlerInfo\HandlerRequired   REG_DWORD   1

MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation   REG_DWORD   1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms   REG_SZ   1

MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects   REG_DWORD   1

MACHINE\System\CurrentControlSet\Control\Lsa\SU   (entry cut off in the source; no type or value given)

MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrinterDrivers   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword   REG_DWORD   0

MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoDisconnect   REG_DWORD   15

MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks   REG_DWORD   0

MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer   REG_DWORD   0

MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableForcedLogoff   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel   REG_DWORD   1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel   REG_DWORD   1

MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous   REG_DWORD   1

MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode   REG_DWORD   1

MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel   REG_DWORD   2

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText   REG_SZ   This is a private system. Unauthorized use is prohibited.

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption   REG_SZ   CISD

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName   REG_SZ   1

MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail   REG_DWORD   1

MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown   REG_DWORD   1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount   REG_SZ   0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies   REG_SZ   1

MACHINE\Software\Microsoft\Windows NT\Current...BmitControl   REG_DWORD   0   (key name garbled in the source)

MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing   REG_BINARY   1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon   REG_SZ   1
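To make the table above checkable rather than just readable, here is an added example (not part of bastion.inf or the original article) that renders entries in the secedit [Registry Values] template format and audits a template's text against them. The baseline is a subset of the table above, with value names spelled as in the real registry, and the "current" template text is constructed.

```python
import re

# secedit .inf type codes (SCE template format): REG_SZ=1, REG_EXPAND_SZ=2,
# REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7.
TYPE_CODES = {"REG_SZ": 1, "REG_EXPAND_SZ": 2, "REG_BINARY": 3,
              "REG_DWORD": 4, "REG_MULTI_SZ": 7}

# Subset of the hardening table, as (key, type, value); names as in the real registry.
BASELINE = [
    (r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous", "REG_DWORD", "1"),
    (r"MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel", "REG_DWORD", "2"),
    (r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer", "REG_DWORD", "0"),
    (r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount", "REG_SZ", "0"),
    (r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption", "REG_SZ", "CISD"),
]

# Constructed sample of a "current" template: one value weakened, one entry missing, rest compliant.
CURRENT_INF = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
machine\system\currentcontrolset\control\lsa\LMCompatibilityLevel=4,2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=1,"CISD"
"""

def inf_line(key, reg_type, value):
    """Render one entry as secedit expects: key=<typecode>,<value>; strings are quoted."""
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        value = '"%s"' % value
    return "%s=%d,%s" % (key, TYPE_CODES[reg_type], value)

def parse_section(text):
    """Parse key=code,value lines of [Registry Values] into a dict keyed by
    lower-cased path (registry paths are case-insensitive)."""
    found, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        m = re.match(r"(.+?)=(\d+),(.*)$", line)
        if in_section and m:
            found[m.group(1).lower()] = (int(m.group(2)), m.group(3).strip().strip('"'))
    return found

def audit(current_text, entries=BASELINE):
    """Return (key, found, expected) for baseline entries that are missing
    (found is None) or differ in type or value from the baseline."""
    current = parse_section(current_text)
    return [(key, current.get(key.lower()), value) for key, reg_type, value in entries
            if current.get(key.lower()) != (TYPE_CODES[reg_type], value)]
```

Feeding `audit()` the [Registry Values] section of a template taken from a machine under review lists exactly the settings that still need attention.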

6. File system and registry access control:

See bastion.inf

7. Administrator account:

bastion.inf renames the Administrator account to root;

you can change this name according to your needs, and use a strong password.

Fourth, optional registry settings

1. Delete the OS/2 and POSIX subsystems:

Delete everything under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT

Delete the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath

Delete the following values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2

Delete the following directory:

C:\WinNT\System32\OS2

2. Remove the RDS vulnerability:

Delete the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

3. Delete unnecessary services from the Network services:

Delete: NetBIOS Interface, Computer Browser, Server, Workstation

Keep: RPC Configuration

Fifth, protect permissions

1. Protect the Internet Guest user account:

In the User Manager, rename the Internet Guest account to a hard-to-guess name and give it a strong password.

Disable the Guest account.

Remove the renamed Internet Guest account from the "Guests" group.

Set the renamed Internet Guest account to "No Access" on all volumes. To keep IIS working, the renamed Internet Guest account must then be given Read permission on the following directories:

Default path          Environment variable

C:\                   %SystemDrive%

C:\Winnt              %SystemRoot%

D:\inetpub\wwwroot    your IIS root directory

Note: when setting the permissions on the directories above, do not apply them to subdirectories!

2. Lock down the "Users" group:

Set the access of the NT built-in group "Users" to "No Access" on all volumes. Because new users automatically join the "Users" group, a new user will by default not have access to any volume.

Please cite the original source when reposting: https://www.9cbs.com/read-2119.html
