Win2000 Server is currently one of the more popular server operating systems, but configuring this Microsoft operating system securely is not easy. This article is a preliminary discussion of the security configuration of Win2000 Server.
First, customize your own Win2000 Server
1. Version selection: Win2000 comes in a variety of language versions. For us the choice is between the English and the Simplified Chinese version, and I strongly recommend the English version as long as language is not an obstacle for you. Microsoft's products are known for Bug & Patch: the Chinese version has far more bugs than the English version, and its patches generally arrive at least half a month later (that is, after Microsoft announces a vulnerability, your machine generally stays unprotected for another half month).
2. Customization of components: Win2000 installs a set of components by default, and it is exactly this default installation that is extremely dangerous. (Mitnick said he could get into any server with a default installation. I would not dare say that, but if your host is a default installation of Win2000 Server, I can tell you that you are dead.) You should know exactly which services you need and install only the services you really need. The security principle is: least services + minimum permissions = maximum security. The minimum component selection for a typical web server is: only IIS's Com Files, IIS Snap-In and WWW Server components. If you really do need other components, install them with care, especially Indexing Service, FrontPage 2000 Server Extensions and Internet Service Manager (HTML), which are dangerous services.
3. Management application selection
Choosing good remote management software is very important, both for security and for day-to-day use. Win2000 Terminal Service is remote control software based on RDP (Remote Desktop Protocol). It is fast and easy to operate, and well suited to routine work. However, Terminal Service also has its shortcomings. Because it uses a virtual desktop, and because of Microsoft's careless programming, using Terminal Service to install software or restart the server often produces exasperating results. For example, using Terminal Service to restart a Microsoft-certified server (Compaq, IBM, etc.) may shut it down outright. So, to be safe, I suggest you also install a second remote control program as a backup that complements Terminal Service; pcAnywhere is a good choice.
Second, properly install Win2000 Server
1. Allocation of partitions and logical disks: to save effort, some people create a single logical disk and install all software on C. This is a very bad idea. Create at least two partitions, a system partition and an application partition, because Microsoft's IIS frequently has source-disclosure and overflow vulnerabilities; if the system and IIS are on the same drive, such a vulnerability can leak system files or even let an intruder obtain admin access remotely. The recommended secure configuration is three logical drives: the first, larger than 2 GB, for the system and important log files; the second for IIS; the third for FTP. That way, whether IIS or FTP has a security vulnerability, it will not directly affect the system directory and system files. Remember that IIS and FTP are externally facing services and are more prone to problems. IIS and FTP are kept apart mainly to prevent an intruder from uploading a program and then running it through IIS. (This may annoy the developers and editors, but never mind; you are the administrator, after all.)
2. Selection of installation sequence: do not think "What does the order matter? As long as everything gets installed, it can be installed any way." Wrong! There are several points of ordering in a Win2000 installation that you must pay attention to:
First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the ADMIN$ share but does not protect it with the password you have just entered. This situation lasts until the next restart, and during that time anyone can enter your machine through ADMIN$. In addition, as soon as installation completes the various services start automatically, and at that point the server is full of vulnerabilities and very easy to break into. Therefore, do not connect the host to the network until Win2000 Server is fully installed and configured.
Second, installation of patches: patches should be installed after all applications have been installed, because a patch often replaces or modifies system files. If the patch is installed first and applications afterwards, the patch may no longer have its intended effect. For example, the IIS HotFix has to be installed again every time the IIS configuration is changed (how perverse is that?).
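The drive layout recommended in step 1 of this section can be checked on an installed server. The following VBScript is an added example, not part of the original article; it assumes the IIS ADSI provider (IIS://localhost) is installed and that the script is run by an administrator. It reports every WWW or FTP virtual directory whose path is on the system drive, and every drive that holds both WWW and FTP content.

```vbscript
' Added example (not from the original article): audit the three-drive layout.
' Run as administrator: cscript //nologo audit-layout.vbs  (file name is hypothetical)
Option Explicit
Dim shell, sysDrive, webDrives, ftpDrives, d, problems
Set shell = CreateObject("WScript.Shell")
sysDrive = UCase(shell.ExpandEnvironmentStrings("%SystemDrive%"))  ' e.g. "C:"
Set webDrives = CreateObject("Scripting.Dictionary")
Set ftpDrives = CreateObject("Scripting.Dictionary")
problems = 0

CollectDrives "W3SVC", "IIsWebServer", webDrives      ' WWW sites
CollectDrives "MSFTPSVC", "IIsFtpServer", ftpDrives   ' FTP sites
For Each d In webDrives.Keys
    If ftpDrives.Exists(d) Then Report "IIS and FTP content share drive " & d
Next
If problems = 0 Then WScript.Echo "OK: system, IIS and FTP content are on separate drives"
WScript.Quit problems                                 ' exit code = number of findings

Sub Report(msg)
    problems = problems + 1
    WScript.Echo "FAIL: " & msg
End Sub

' Record the content drive of every site under one service (skipped if not installed).
Sub CollectDrives(svcName, siteClass, drives)
    Dim svc, site
    On Error Resume Next
    Set svc = GetObject("IIS://localhost/" & svcName)
    If Err.Number <> 0 Then Exit Sub
    On Error GoTo 0
    For Each site In svc
        If site.Class = siteClass Then
            WalkDir GetObject(site.ADsPath & "/ROOT"), svcName & "/" & site.Name, drives
        End If
    Next
End Sub

' Check one virtual directory, then recurse into the virtual directories directly below it.
Sub WalkDir(node, label, drives)
    Dim child, drv
    If Right(node.Class, 10) <> "VirtualDir" Then Exit Sub   ' only these carry a Path
    drv = UCase(Left(node.Path, 2))
    If drv = sysDrive Then
        Report label & " -> " & node.Path & " is on the system drive " & sysDrive
    ElseIf Mid(drv, 2, 1) = ":" Then
        drives(drv) = True                                   ' UNC or empty paths are ignored
    End If
    For Each child In node
        WalkDir child, label & "/" & child.Name, drives
    Next
End Sub
```

The exit code is the number of findings, so the script can be run again after each configuration change.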
Third, securely configure Win2000 Server
Even when Win2000 Server has been installed correctly, the system still has many vulnerabilities and needs further careful configuration.
1. Port: a port is the logical interface between the computer and the external network, and it is also the computer's first line of defense. Whether the ports are configured correctly directly affects the security of the host.
2. IIS: IIS has the most vulnerabilities of any Microsoft component; on average a new one appears every two or three months, and Microsoft's default IIS installation is nothing to be proud of. IIS configuration is therefore our focus. Now follow along with me:
First, completely delete the Inetpub directory on drive C and create an Inetpub on drive D (if you are not comfortable with the default directory name you can change it, but remember what you chose), then point the home directory in the IIS manager to D:\Inetpub. Second, delete all of the default virtual directories created by the IIS installation, such as Scripts (the source of all evil; have you forgotten http://www.target.com/scripts/..