How to build a secure web server

zhaozj  2021-02-16

First, let me introduce a new security baseline analysis tool from Microsoft, the Microsoft Baseline Security Analyzer (MBSA). The first time I used it I could only describe it in one word: brilliant. Rather than talk about it, let me show you what it looks like. Download it from http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi, install it and run it. Figure 1 shows the result:

Figure 1

Figure 1 is the result of scanning my own machine. I had no idea so many patches were missing from it. What to do? Click "Result details" in Figure 1: each finding has a detailed description and a URL from which to download the patch, so you know exactly what to fix. Isn't that convenient? Especially for those who have to look after a web site.

The next two tools require Microsoft Systems Management Server (SMS) and the SMS SUS Feature Pack (Software Update Services, the patch download and update kit) to be installed first. They let you use the SMS SUS Feature Pack to roll out security patches without disrupting normal business, and keep your systems current.

Finally, there are other tools, such as QChain, Adtest, IIS Lockdown and URLScan, which I will not describe here.

These tools only help us find problems quickly; solving them is still up to us. So below I offer some personal views on how to build a secure web server, and I welcome corrections.

1. Disable NetBIOS and SMB

Description:

Both protocols should be disabled on web servers and Domain Name System (DNS) servers. NetBOS uses the following ports: UDP/137 (NetBIOS Name Service), UDP/138 (NetBIOS Datagram Service) and TCP/139 (NetBIOS Session Service). SMB uses TCP/139 (SMB over NetBIOS) and TCP/445 (SMB directly over TCP).

Solution:

Disable SMB: in the network connection's properties, uninstall "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks". Do this only on a stand-alone server: a domain member needs SMB to reach the domain controllers' SYSVOL share for Group Policy.

Disable NetBIOS: in Device Manager, select "Show hidden devices" from the View menu, expand "Non-Plug and Play Drivers", right-click "NetBios over Tcpip", open its Properties, change the "Startup type" to "Manual" (or "Disabled"), and then click Stop. Alternatively, select "Disable NetBIOS over TCP/IP" on the WINS tab of each adapter's advanced TCP/IP settings.
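The same hardening done from the command line, followed by the check a practitioner wants afterwards: that nothing is still bound to the NetBIOS and SMB ports. This is an added example, not code from the original article; it assumes an elevated PowerShell session on a current Windows Server (Windows Server 2012 or later, for the CIM and NetTCPIP cmdlets), and, like the GUI steps above, it is meant for a stand-alone web server, not a domain member.

```powershell
# Added example (not from the original article): disable NetBIOS over TCP/IP on every
# IP-enabled adapter, stop and disable the SMB server/client services, then verify that
# no socket is left on UDP 137/138 and TCP 139/445. Assumes an elevated session on
# Windows Server 2012 or later; stand-alone servers only (domain members need SMB/445).
#Requires -RunAsAdministrator

function Disable-NetbiosOverTcpip {
    # Win32_NetworkAdapterConfiguration.SetTcpipNetbios(2) is the WINS-tab setting
    # "Disable NetBIOS over TCP/IP" applied per adapter.
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required; anything else failed.
        [pscustomobject]@{ Adapter = $nic.Description; ReturnValue = $r.ReturnValue }
    }
}

function Disable-SmbServices {
    # "File and Printer Sharing" is the Server service (the TCP/445 and TCP/139 listener);
    # "Client for Microsoft Networks" is the Workstation service (outbound SMB).
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        Set-Service -Name $svc -StartupType Disabled
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    }
}

function Test-NetbiosSmbListeners {
    # Returns the local sockets still bound to the NetBIOS/SMB ports. An empty result means
    # the hardening took effect: the 445 listener is owned by the kernel (PID 4) and goes
    # away once the Server service is stopped.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
           Where-Object { $_.LocalPort -in @(139, 445) } |
           ForEach-Object { "TCP/$($_.LocalPort) on $($_.LocalAddress) (PID $($_.OwningProcess))" }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $_.LocalPort -in @(137, 138) } |
           ForEach-Object { "UDP/$($_.LocalPort) on $($_.LocalAddress) (PID $($_.OwningProcess))" }
    @($tcp) + @($udp)
}

function Test-SmbReachable {
    # External check, run from another host: $true if the server still accepts TCP/139 or 445.
    param([Parameter(Mandatory)][string]$ServerAddress)
    foreach ($port in 139, 445) {
        $probe = Test-NetConnection -ComputerName $ServerAddress -Port $port -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) { return $true }
    }
    return $false
}

Disable-NetbiosOverTcpip
Disable-SmbServices
$left = Test-NetbiosSmbListeners
if ($left.Count -eq 0) { 'No NetBIOS/SMB listeners remain.' } else { $left }
```

Run Test-SmbReachable from a second machine after the local check passes; a host firewall or an intermediate device can hide an open port from the outside, so the local listener check and the remote probe answer different questions.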

2. Protect your server using the IPsec Security Policy

1: Set the audit policy

Open an MMC console, add the "Local Computer Policy" snap-in, expand it, then expand "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Audit Policy", as shown in Figure 2:

Figure 2

Select an audit event in the right-hand list, double-click it, and in its Properties dialog choose whether to audit successes, failures or both.

2: Configure IP Security Monitor

Run "ipsecmon" (on Windows Server 2003, open an MMC console and add the "IP Security Monitor" snap-in) and set the automatic refresh interval in its Properties dialog to whatever suits you.

3: Use the local computer's built-in IP security policies. As in Figure 2, select "IP Security Policies on Local Computer". You will see three policies: "Server (Request Security)", "Client (Respond Only)" and "Secure Server (Require Security)". Right-click "Secure Server (Require Security)" and choose "Assign". Then run "cmd" and ping the IP address of the machine to which you assigned the policy, as shown in Figure 3:

Figure 3

You can see that the security policy we assigned is in effect for this IP: the first reply is "Negotiating IP Security". Open IP Security Monitor and you can see more details, such as bytes received and sent. Now run "cmd" again and ping the other IP, as shown in Figure 4:

Figure 4

You can see four successful replies between the two IPs. Now open "Computer Management" (or add the "Computer Management" snap-in to the MMC console), expand "System Tools" -> "Event Viewer" -> "Security", and double-click the "Success Audit" events to see a detailed record of the exchange that just took place between the two IPs.

4: Define the secure server policy for your machine

The built-in policy assigned above may leave your secure server unable to talk to clients or to the DNS servers, because "Secure Server (Require Security)" insists on negotiating with every peer and verifying its identity before any communication is allowed. So you must tailor the secure server policy to your own security needs and network layout.

5: Allow machines without an IP security policy to talk to your secure server (this only applies to other machines in the same domain)

In this case assign the "Server (Request Security)" policy instead of "Secure Server (Require Security)": it requests IPsec from every peer but falls back to unsecured communication with peers that do not respond.

6: Create a custom IP security policy

Everything so far has used the computer's built-in IP security policies. They establish effective, secure communication between computers in the same domain (they authenticate with Kerberos), but if the peers are in different domains, or your server must accept anonymous external clients, these policies will restrict your communication. So you should create an IP security policy that fits all of your clients. Keep in mind that a rule which negotiates security for all traffic will also block anonymous web visitors: on a public web server, add a more specific rule that permits the ports they use (TCP 80 and 443) in the clear.

1. Right-click "IP Security Policies on Local Computer" and select "Create IP Security Policy", as shown in Figure 5:

Figure 5

Click "Next", enter a name for the custom IP security policy, click "Next", clear "Activate the default response rule", click "Next", leave "Edit properties" selected (the default) and click "Finish". In the policy's Properties dialog, make sure "Use Add Wizard" is selected and click "Add" to create an IP security rule, as shown in Figure 6:

Figure 6

Click "Next" and select "This rule does not specify a tunnel"; click "Next" and select "All network connections"; click "Next".

In the IP filter list, click "Add" to create an IP filter. In the dialog that opens, confirm "Use Add Wizard" is selected and click "Add". In the filter wizard click "Next", select "Mirrored", click "Next", choose "My IP Address" as the source, click "Next", choose "Any IP Address" as the destination, click "Next", select the protocol type "Any", click "Next", make sure "Edit properties" is cleared and click "Finish". Close the IP filter list dialog, return to the rule wizard, select the filter list you just created, and click "Next".

Confirm "Use Add Wizard" is selected and click "Add" to create a filter action. In the filter action wizard click "Next", enter a name for the action, click "Next", select "Negotiate security", click "Next", select "Do not communicate with computers that do not support IPsec", click "Next", select "Integrity only", click "Next", make sure "Edit properties" is cleared and click "Finish". Back in the filter action dialog, select the action you just created and click "Next".

2. Configure the IKE authentication method, which establishes trust between the computers.

IKE on Windows 2000 offers three ways to establish trust between computers: Kerberos V5, CA certificates, and pre-shared keys. In this article I use a pre-shared key, for testing purposes only; a company should use certificate authentication, not least because the pre-shared key is stored in the policy in clear text. As shown in Figure 7, select "Use this string to protect the key exchange (preshared key)":

Figure 7

Click "Next", confirm "Edit properties" is not selected, and click "Finish". The custom IPsec policy is complete.

3. Test the policy on your network before relying on it.

In the right-hand list of "IP Security Policies on Local Computer", select the policy you just created and assign it to your server. Then run "cmd" and ping another computer that has the same policy and pre-shared key assigned: the first reply is "Negotiating IP Security"; ping it again and you will receive four successful replies. That shows IPsec is working on your network. As before, you can use IP Security Monitor to see the negotiated security associations.

7: Use CA certificate authentication

As mentioned above, certificate authentication is one of the IKE negotiation methods. Here I use a test CA certificate to show how to apply it to your web server.

1. Get a certificate

Nowadays many CA web sites sell server certificates, but the prices are fairly high. To explain how a CA certificate is used, I found a free test certificate: you can get one from https://testca.netca.net/apply_srv/srv_root.ASP. A test certificate is for testing only; nobody else will trust its issuer.

2. Install the certificate

Open Internet Information Services (IIS) Manager, open the Properties of the site you want to install it on, select "Directory Security" and click "Server Certificate" to install the certificate. This places it in the local computer's Personal certificate store, which is where IKE looks for machine certificates.

3. Set up your server certificate

Add the "Certificates" snap-in (for the computer account) to the MMC console, expand "Personal" -> "Certificates" and double-click the server certificate you installed. If you see the message "You have a private key that corresponds to this certificate" together with the name of the issuing certification authority, the certificate is usable; otherwise re-apply for the certificate and install it again. Then expand "Trusted Root Certification Authorities" -> "Certificates", find the authority that issued your certificate, and install every certificate in its chain in the same way.

Go back to "IP Security Policies on Local Computer", double-click the policy you created in the right-hand list, select the IP security rule that uses the filter list you created and click "Edit". Switch to the "Authentication Methods" tab of the Edit Rule Properties dialog, select the authentication method, click "Edit", select "Use a certificate from this certification authority (CA)", click "Browse", choose the CA certificate in the dialog that appears and click "OK". Click "OK" to return to the Edit Rule Properties dialog, "OK" again to return to the IP Security Policy Properties dialog, and "OK" once more. Your IP security policy now negotiates with certificate authentication.

Note that you should add every root certification authority that issues certificates to your peers, both to the trusted root store and to the rule's authentication methods, or negotiations with those peers will fail.
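The wizard steps of section 6 and the certificate switch of section 7, expressed as commands. This is an added example and not code from the original article: it uses the legacy "netsh ipsec static" context (shipped since Windows Server 2003 and still present on current Windows; Windows 2000 used ipsecpol.exe instead), run from an elevated PowerShell session. The policy, filter list, action and rule names and the test key are invented for the example, the CA distinguished name is a placeholder you must replace with your own issuer's subject, and it also adds the permit rule for TCP 80/443 that a public web server needs so anonymous clients are not blocked by the negotiate rule.

```powershell
# Added example, not from the original article. Builds the custom policy of section 6 with
# netsh ipsec static (Windows Server 2003 or later), adds a clear-text exemption for the
# public web ports, assigns the policy, and shows how section 7 swaps the test pre-shared
# key for certificate authentication. All names below are invented for this example.
#Requires -RunAsAdministrator

$Policy     = 'WebServerCustomPolicy'
$AllList    = 'AllTrafficToMe'
$WebList    = 'PublicWebPorts'
$TestPsk    = 'changeme-test-only'   # kept in clear text inside the policy: test use only

# 1. Policy shell with the default response rule cleared, not yet assigned.
netsh ipsec static add policy name=$Policy description=NegotiateIPsecWithAllPeers activatedefaultrule=no assign=no

# 2. Filter list: "My IP Address" <-> "Any IP Address", any protocol, mirrored.
netsh ipsec static add filterlist name=$AllList
netsh ipsec static add filter filterlist=$AllList srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

# 3. Filter action: "Negotiate security", "Integrity only" (ESP with SHA1, no encryption),
#    and "Do not communicate with computers that do not support IPsec" (soft=no).
netsh ipsec static add filteraction name=NegotiateIntegrity action=negotiate qmsecmethods='ESP[None,SHA1]' inpass=no soft=no

# 4. Rule tying list and action together, authenticated with the pre-shared key (section 6).
netsh ipsec static add rule name=NegotiateWithEveryone policy=$Policy filterlist=$AllList filteraction=NegotiateIntegrity kerberos=no psk=$TestPsk

# 5. Exemption for anonymous web clients. A more specific filter takes precedence over the
#    Me<->Any filter, so inbound TCP 80 and 443 are permitted in the clear.
netsh ipsec static add filterlist name=$WebList
netsh ipsec static add filter filterlist=$WebList srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist=$WebList srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443 mirrored=yes
netsh ipsec static add filteraction name=PermitClear action=permit
netsh ipsec static add rule name=PermitPublicWeb policy=$Policy filterlist=$WebList filteraction=PermitClear

# 6. Assign and verify (section 6, step 3): the first ping to a peer sharing the policy and
#    key answers "Negotiating IP Security", the second gets four replies.
netsh ipsec static set policy name=$Policy assign=yes
netsh ipsec static show policy name=$Policy level=verbose
netsh ipsec dynamic show mmsas      # main-mode SAs, the same data IP Security Monitor shows

# 7. Section 7: replace the pre-shared key with certificate authentication by recreating the
#    rule with rootca= instead of psk=. The DN is a placeholder (assumption): use the subject
#    of the root CA that issued your machine certificate, and check "netsh ipsec static add
#    rule /?" on your build for the exact rootca syntax before running these two lines.
# netsh ipsec static delete rule name=NegotiateWithEveryone policy=$Policy
# netsh --% ipsec static add rule name=NegotiateWithEveryone policy=WebServerCustomPolicy filterlist=AllTrafficToMe filteraction=NegotiateIntegrity kerberos=no rootca="CN=Example Test Root CA,O=Example"
```

The arguments are deliberately free of spaces so PowerShell hands them to netsh unquoted; the one value that needs spaces (the CA subject) uses the `--%` stop-parsing token, which is why that line spells the policy name out instead of using the variable. Run the last two lines only after the machine certificate and its root are installed as described in section 7, otherwise the server has no way to authenticate and every negotiation fails.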

8: Use CRL checking in IKE

Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley. In the right-hand pane find (or create, as a DWORD) the StrongCrlCheck value. Set to 1, it makes certificate-based IKE negotiation fail only when the CRL check shows the peer's certificate has been revoked; set to 2, it makes the negotiation fail whenever the CRL check itself fails (for example, the CRL cannot be retrieved); a value of 0 disables the check. On Windows 2000, use "net stop policyagent" followed by "net start policyagent" to restart the service so the change takes effect.

9: Enable IKE logging

Open the Registry Editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley, find the EnableLogging value in the right-hand pane and set it to 1, then restart the Policy Agent service. You will then find Oakley.log in the Debug directory under the system directory (%SystemRoot%\Debug\Oakley.log).
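Sections 8 and 9 as a script, with the read-back and service restart the settings need. This is an added example, not code from the original article; it assumes an elevated PowerShell session, and the log-tail helper assumes logging has been on long enough for the file to exist. The function and parameter names are this example's own.

```powershell
# Added example, not from the original article: write the Oakley registry values from
# sections 8 and 9, restart the Policy Agent so IKE picks them up, and show the log.
# StrongCrlCheck: 0 = no CRL check, 1 = fail IKE only if the peer certificate is revoked,
# 2 = fail IKE on any CRL error (e.g. an unreachable CRL distribution point).
#Requires -RunAsAdministrator

$OakleyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'

function Set-IkeOakleySetting {
    param(
        [ValidateRange(0, 2)][int]$StrongCrlCheck = 2,
        [ValidateSet(0, 1)][int]$EnableLogging = 1
    )
    # The Oakley key is absent on a fresh install; create it before writing values.
    if (-not (Test-Path $OakleyKey)) { New-Item -Path $OakleyKey -Force | Out-Null }
    New-ItemProperty -Path $OakleyKey -Name StrongCrlCheck -PropertyType DWord -Value $StrongCrlCheck -Force | Out-Null
    New-ItemProperty -Path $OakleyKey -Name EnableLogging  -PropertyType DWord -Value $EnableLogging  -Force | Out-Null
    # Same effect as "net stop policyagent" followed by "net start policyagent".
    Restart-Service -Name PolicyAgent -Force
    # Read back what is now in the registry so the change is confirmed, not assumed.
    Get-ItemProperty -Path $OakleyKey | Select-Object StrongCrlCheck, EnableLogging
}

function Get-IkeLogTail {
    # Oakley.log is written to %SystemRoot%\Debug; show the most recent negotiation lines.
    # (The registry value is the Windows 2000 switch; Windows Server 2003 exposes the same
    # logging through "netsh ipsec dynamic set config ikelogging 1".)
    param([int]$Lines = 40)
    $log = Join-Path $env:SystemRoot 'Debug\Oakley.log'
    if (Test-Path $log) { Get-Content -Path $log -Tail $Lines }
    else { "No $log yet; trigger a negotiation (ping an IPsec peer) and run this again." }
}

Set-IkeOakleySetting -StrongCrlCheck 2 -EnableLogging 1
Get-IkeLogTail
```

Turn logging off again (EnableLogging 0) once you have finished troubleshooting: the log grows with every negotiation and records peer addresses and certificate details.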

(to be continued)

Please credit the original article when reposting: https://www.9cbs.com/read-25636.html
