Windows Server 2003 is currently the most mature network server platform and a big improvement over Windows 2000, but its default security configuration is not necessarily suited to our needs, so we have to configure Win2003 fully according to the actual situation. Frankly, security configuration is a relatively difficult piece of network technology: if permissions are too strict, many programs cannot run; if they are too loose, the server is easy for hackers to break into. For a network administrator this is a real headache, so I have combined my years of network security management experience and summarized the following methods for improving the security of our servers.
First trick: choose the file system format correctly and install from a stable operating system disk
To improve security, the server's file system must be formatted as NTFS (New Technology File System). Its security is far higher than that of FAT16 or FAT32, its space utilization is much better, and it lets us configure file security, disk quotas, EFS file encryption and so on. If a partition has already been formatted as FAT32, you can convert it to NTFS with "convert <drive>: /fs:ntfs /v". For the Windows 2003 Server installation, the Windows 2003 Enterprise edition from the Netan League (http://cqhk.14023.com/soft/yyrj/bigsoft/200504/502.asp) can be upgraded; it is a fully cracked version that can be updated online directly. When installing, install only the components we must use, then apply the latest patches and upgrade online to the latest version, so that the operating system itself has no vulnerabilities.
Second trick: set disk security correctly, as follows (these are the security settings for virtual hosting, taking ASP programs as the example):
1. System disk permission settings
C: partition:
C:\
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (subfolders and files only)
  SYSTEM: Full control (this folder, subfolders and files)
  IIS_WPG: Create files / Write data (this folder only)
  IIS_WPG (this folder, subfolders and files):
    Traverse folder / Execute file
    List folder / Read data
    Read attributes
    Create folders / Append data
    Read permissions
C:\Documents and Settings
  Administrators: Full control (this folder, subfolders and files)
  Power Users (this folder, subfolders and files):
    Read & execute
    List folder contents
    Read
  SYSTEM: Full control (this folder, subfolders and files)
C:\Program Files
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (subfolders and files only)
  IIS_WPG (this folder, subfolders and files):
    Read & execute
    List folder contents
    Read
  Power Users (this folder, subfolders and files):
    Modify
  SYSTEM: Full control (this folder, subfolders and files)
  Terminal Server User (this folder, subfolders and files):
    Modify
2. Website and virtual host permission settings (here the websites live on drive E)
Note: we assume that all websites are under the E:\wwwsite directory, that a Guests-group user is created for each virtual host (user names vhost1 ... vhostN), and that a Webuser group is created with all the vhost users added to it, which makes management easier.
E:\
  Administrators: Full control (this folder, subfolders and files)
E:\wwwsite
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  Service: Full control (this folder, subfolders and files)
E:\wwwsite\vhost1
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  vhost1: Full control (this folder, subfolders and files)
3. Data backup disk
The data backup disk should be set so that only one specific user has full control over it.
For example, if drive F is the data backup disk, we grant permissions on it to one administrator only.
4. Permission settings elsewhere
Find the following files on drive C and set their security so that only a specific administrator has full control over them; these files should be accessible only to administrators:
Net.exe
Net1.exe
cmd.exe
TFTP.exe
NetStat.exe
Regedit.exe
at.exe
Attrib.exe
Cacls.exe
Format.com
5. Delete the C:\Inetpub directory, remove the unnecessary IIS script mappings, create a trap account, and change the account description.
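The per-host folder layout in item 2 and the tool lockdown in item 4 can be applied as one script instead of clicking through the Security tab for every object. The following is an added example written for this page, not a script from the original article. It assumes PowerShell 2.0 or later on the server, an administrator session, local accounts named vhost1 and vhost2 that already exist, the web root E:\wwwsite, and that the listed tools sit in %SystemRoot%\system32 (regedit.exe in %SystemRoot%). The article's "Service" entry on E:\wwwsite is not included because the page does not say which principal it refers to; the C: partition entries (CREATOR OWNER, IIS_WPG, Power Users) are also out of scope here.

```powershell
# Added example (not the article's own script): isolate each virtual host's folder
# and restrict the listed system tools to Administrators and SYSTEM.
$Rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-FullControlRule([string]$Identity, [bool]$IsFolder) {
    # A rule on a file must use InheritanceFlags.None or the ACL rejects it.
    $flags = if ($IsFolder) { $Inherit } else { [System.Security.AccessControl.InheritanceFlags]::None }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $flags, $Propagate, $Allow
}

# Replace the DACL of $Path with exactly $Identities (full control, "this folder,
# subfolders and files"), cutting inheritance so Users/Everyone rights granted on the
# parent do not leak down into web content or onto the tool binaries.
function Set-ExclusiveFullControl([string]$Path, [string[]]$Identities) {
    $isFolder = (Get-Item -Path $Path).PSIsContainer
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited entries
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null          # clear the explicit entries too
    }
    foreach ($id in $Identities) { $acl.AddAccessRule((New-FullControlRule $id $isFolder)) }
    Set-Acl -Path $Path -AclObject $acl
}

# Item 2: E:\wwwsite and one folder per virtual host account (assumed: vhost1, vhost2).
$webRoot = 'E:\wwwsite'
if (-not (Test-Path $webRoot)) { New-Item -ItemType Directory -Path $webRoot | Out-Null }
Set-ExclusiveFullControl $webRoot @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
foreach ($n in 1..2) {
    $dir = Join-Path $webRoot "vhost$n"
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-ExclusiveFullControl $dir @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$env:COMPUTERNAME\vhost$n")
}

# Item 4: the tools the article says only administrators should be able to reach.
$tools = 'net.exe','net1.exe','cmd.exe','tftp.exe','netstat.exe','regedit.exe','at.exe','attrib.exe','cacls.exe','format.com'
foreach ($t in $tools) {
    $p = Join-Path $env:SystemRoot "system32\$t"
    if ($t -eq 'regedit.exe') { $p = Join-Path $env:SystemRoot $t }   # regedit lives in %SystemRoot%
    if (Test-Path $p) {
        Set-ExclusiveFullControl $p @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
        "$p restricted to Administrators and SYSTEM"
    }
}
```

Check the result with "cacls E:\wwwsite\vhost1" (run it before the cacls binary itself is restricted, or run it as an administrator afterwards): only the three principals should appear, and none of the entries should be marked as inherited.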
Third trick: disable unnecessary services to improve security and system efficiency
Computer Browser: maintains an up-to-date list of computers on the network and supplies this list to programs that request it
Task Scheduler: allows programs to run at a specified time
Routing and Remote Access: provides routing services to businesses in LAN and WAN environments
Removable Storage: manages removable media, drives and libraries
Remote Registry Service: allows remote registry operations
Print Spooler: loads files into memory for later printing; a server that needs a printer must not disable this
IPsec Policy Agent: manages IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers
Distributed Link Tracking Client: sends notifications when files move between NTFS volumes in a network domain
COM+ Event System: provides automatic event distribution to subscribing COM components
Alerter: notifies selected users and computers of administrative alerts
Error Reporting Service: collects, stores and reports abnormal application behaviour to Microsoft
Messenger: transmits NET SEND and Alerter service messages between clients and servers
Telnet: allows remote users to log on to this computer and run programs
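As an added example (not from the original article), the list above can be applied with a script that records each service's previous start mode before stopping and disabling it, so the change can be undone if a program turns out to depend on one of them. It assumes PowerShell 2.0 or later and an administrator session; it uses WMI rather than Get-Service because PowerShell 2.0's Get-Service does not expose the start mode. The short service names next to each display name are the ones Windows Server 2003 uses.

```powershell
# Added example: disable the services listed in the article, logging the prior state.
# Trim $ServicesToDisable to the server's role: keep Spooler if it prints, keep
# Schedule if scheduled backups run here, keep EventSystem if COM+ applications need it.
$ServicesToDisable = @(
    'Browser',        # Computer Browser
    'Schedule',       # Task Scheduler
    'RemoteAccess',   # Routing and Remote Access
    'NtmsSvc',        # Removable Storage
    'RemoteRegistry', # Remote Registry Service
    'Spooler',        # Print Spooler
    'PolicyAgent',    # IPSEC Services (IPsec Policy Agent)
    'TrkWks',         # Distributed Link Tracking Client
    'EventSystem',    # COM+ Event System
    'Alerter',        # Alerter
    'ERSvc',          # Error Reporting Service
    'Messenger',      # Messenger
    'TlntSvr'         # Telnet
)

function Disable-ListedService([string[]]$Names) {
    $report = @()
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { $report += "$name : not installed"; continue }
        $before = "$($svc.StartMode)/$($svc.State)"          # e.g. Auto/Running
        if ($svc.State -eq 'Running') { $svc.StopService() | Out-Null }
        $rc = ($svc.ChangeStartMode('Disabled')).ReturnValue  # 0 = success
        $report += "$name : was $before, ChangeStartMode returned $rc"
    }
    $report
}

# Keep the log so "was Auto/Running" lines tell you what to restore later.
Disable-ListedService $ServicesToDisable | Tee-Object -FilePath (Join-Path $env:SystemRoot 'service-hardening.log')
```

To reverse a single entry, call ChangeStartMode('Automatic') or ChangeStartMode('Manual') on the same WMI object according to the "was" value in the log, then StartService().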
Fourth trick: modify the registry to make the system stronger
1. Hide important files and directories. You can modify the registry to hide them completely: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click "CheckedValue", choose Modify, and change the value from 1 to 0.
2. Turn on the system's built-in Internet Connection Firewall, and tick Web Server in the Services options of its settings.
3. Guard against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named SynAttackProtect with value 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300000
PerformRouterDiscovery REG_DWORD 0
EnableICMPRedirects REG_DWORD 0
4. Do not respond to ICMP router advertisement packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
Create a new DWORD value named PerformRouterDiscovery with value 0
5. Guard against ICMP redirect attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set EnableICMPRedirects to 0
6. Disable support for the IGMP protocol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with value 0
7. Change the Terminal Services port
Run regedit and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp. On the right you will see PortNumber; switch it to decimal and change it to the port number you want, such as 7126, as long as it does not conflict with another port.
Then open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and do the same, setting PortNumber to the same value as above.
8. Forbid IPC null sessions:
A cracker can use the NET USE command to set up a null session and then run NET VIEW, NBTSTAT and the like over it; these all depend on the null session, so it should be forbidden. Open the registry, find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous and change the value to "1".
9. Change the TTL value
A cracker can roughly judge your operating system from the TTL value returned by ping, for example:
TTL = 107 (WinNT);
TTL = 108 (Win2000);
TTL = 127 or 128 (Win9x);
TTL = 240 or 241 (Linux);
TTL = 252 (Solaris);
TTL = 240 (IRIX);
In fact you can change it yourself: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default 128). Change it to an unexpected number such as 258; at least it keeps the newbies guessing for half a day, and they may well give up on the intrusion.
10. Remove the default shares
Someone asked me why every drive on their machine was shared: they removed the shares, and after a reboot the shares were back. These are the default shares that Win2K creates, and you must cancel them by modifying the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters: AutoShareServer, type REG_DWORD, change the value to 0.
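Items 3 to 11 of this trick are all REG_DWORD values, which makes them easy to audit as a set rather than one regedit visit at a time. The following is an added example for this page, not a script from the original article: it compares every value the article recommends (the Tcpip\Parameters entries, the per-interface PerformRouterDiscovery from item 4, RestrictAnonymous from items 8 and 11, and AutoShareServer from item 10) with what the server actually has, lists the drift, and applies the recommended values only when asked to. It assumes PowerShell 2.0 or later and an administrator session. DefaultTTL is deliberately left out because, as the article itself notes, the valid range is 0-255, and the Terminal Services PortNumber values are not touched because the port is your own choice.

```powershell
# Added example (not from the article): audit the registry hardening values of the
# Fourth trick and optionally set them. Run without -Apply first to see the drift.
$Tcpip        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each entry: key path, value name, recommended REG_DWORD value (as given in the article).
$Recommended = @(
    @($Tcpip, 'SynAttackProtect',       2),
    @($Tcpip, 'EnablePMTUDiscovery',    0),
    @($Tcpip, 'NoNameReleaseOnDemand',  1),
    @($Tcpip, 'EnableDeadGWDetect',     0),
    @($Tcpip, 'KeepAliveTime',          300000),   # milliseconds, i.e. 5 minutes
    @($Tcpip, 'PerformRouterDiscovery', 0),
    @($Tcpip, 'EnableICMPRedirects',    0),
    @($Tcpip, 'IGMPLevel',              0),
    @($Lsa,          'RestrictAnonymous', 1),
    @($LanmanServer, 'AutoShareServer',   0)
)
# Item 4 sets PerformRouterDiscovery under every interface subkey as well.
foreach ($iface in Get-ChildItem -Path "$Tcpip\Interfaces") {
    $Recommended += ,@($iface.PSPath, 'PerformRouterDiscovery', 0)
}

function Get-DwordValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist yet.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-HardeningValues([switch]$Apply) {
    $drift = @()
    foreach ($entry in $Recommended) {
        $key, $name, $want = $entry
        $have = Get-DwordValue $key $name
        if ($have -eq $want) { continue }
        $shown = if ($have -eq $null) { '<missing>' } else { $have }
        $drift += ('{0}\{1}: have {2}, want {3}' -f $key, $name, $shown, $want)
        if ($Apply) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
        }
    }
    $drift
}

$report = @(Test-HardeningValues)      # add -Apply to write the recommended values
if ($report.Count -eq 0) { 'All recommended values are in place.' } else { $report }
```

The Tcpip parameters are read by the TCP/IP driver at start, so after an -Apply run the server still has to be rebooted before a second audit reflects the live stack; the registry comparison itself is immediate.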
11. Forbid the establishment of null sessions
By default any user can enumerate accounts over a null session and then guess passwords. We can forbid null sessions by modifying the registry:
change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to "1".
Fifth trick: other security measures
1. Disable NetBIOS over TCP/IP
Network Neighborhood -> Properties -> Local Area Connection -> Properties -> Internet Protocol (TCP/IP) -> Properties -> Advanced -> WINS tab -> NetBIOS setting -> Disable NetBIOS over TCP/IP. This way a cracker cannot read your NetBIOS information and network card MAC address with the nbtstat command.
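The same setting can be applied to every adapter at once through WMI instead of the dialog path above. This is an added example for this page, not from the original article; it assumes PowerShell 2.0 or later and an administrator session, and relies on the Win32_NetworkAdapterConfiguration.SetTcpipNetbios method, whose argument is 0 for "use DHCP setting", 1 for enable and 2 for disable.

```powershell
# Added example: disable NetBIOS over TCP/IP on all IP-enabled adapters via WMI.
function Disable-NetbiosOverTcpip {
    $results = @()
    foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
        $before = $nic.TcpipNetbiosOptions              # current setting, same 0/1/2 encoding
        $rc = ($nic.SetTcpipNetbios(2)).ReturnValue     # 0 = done, 1 = done but reboot required
        $results += ('{0}: TcpipNetbiosOptions was {1}, SetTcpipNetbios returned {2}' -f $nic.Description, $before, $rc)
    }
    $results
}

Disable-NetbiosOverTcpip
```

Afterwards "nbtstat -n" should list no registered names for the adapter, and "netstat -an" should no longer show the NetBIOS listeners on UDP 137/138 and TCP 139. Remember that file sharing between Windows hosts then relies on SMB over TCP 445 only.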
2. Account security
First, disable all accounts except your own, heh. Then rename Administrator. I also create an account named "Administrator"; with what permissions? The lowest possible. Then I open Notepad, type a long string of garbage, copy it and paste it in as the "password", heh; let them come and crack that! And when they finally break it, they find a low-privilege account. Wouldn't that make you crash?
Create two administrator accounts
Although this seems to contradict the above, it is actually in keeping with it. Create an account with ordinary permissions for day-to-day work, and another account in the Administrators group that is used only when needed. Administrators can use the "runas" command to perform the work that requires privileges, which makes administration easier.
3. Change the content of C:\Windows\help\iishelp\common\404b.htm so that the error page automatically redirects to the home page.
4. Security log
I once ran into this situation: a host had been broken into and the system administrator asked me to trace the culprit. I logged in to have a look: the security log was empty. Damn, remember: a default Win2000 installation does not turn on any security auditing! So go to Local Security Policy -> Audit Policy and enable the corresponding audits. The recommended audits are:
Audit account management: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: success, failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: success, failure
The drawback of auditing is that if what you want to see was never recorded there is nothing you can do, while too many audit items not only consume system resources but leave you with no way to read through it all, which defeats the purpose of auditing.
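The audit settings above can be applied from a security template with secedit, which is the same mechanism the Local Security Policy console uses underneath and is repeatable across several servers. The following is an added example for this page, not from the original article. It assumes PowerShell 2.0 or later and an administrator session; the [Event Audit] keys are the standard template names, encoded as 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure. The second category in the article's list lost its name in the source and is taken here to be logon events, which is an assumption.

```powershell
# Added example (not from the article): apply the recommended audit policy via a
# security template and read back the effective policy to confirm it.
$AuditTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountManage=3
AuditLogonEvents=3
AuditObjectAccess=2
AuditPolicyChange=3
AuditPrivilegeUse=2
AuditSystemEvents=3
AuditDSAccess=2
AuditAccountLogon=3
'@
# AuditLogonEvents=3 is the assumed reading of the unnamed category in the article.

$infPath = Join-Path $env:TEMP 'audit-policy.inf'
$dbPath  = Join-Path $env:TEMP 'audit-policy.sdb'
$logPath = Join-Path $env:TEMP 'audit-policy.log'
Set-Content -Path $infPath -Value $AuditTemplate -Encoding Unicode   # matches the [Unicode] header

function Set-RecommendedAuditPolicy {
    # /areas SECURITYPOLICY limits the run to local policy (audit, account, options).
    & secedit /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /log $logPath /quiet
    "secedit exit code: $LASTEXITCODE (details in $logPath)"
}

function Get-EffectiveAuditPolicy {
    # Export what is now in force and keep only the [Event Audit] lines.
    $out = Join-Path $env:TEMP 'audit-current.inf'
    & secedit /export /cfg $out /areas SECURITYPOLICY /quiet | Out-Null
    Get-Content -Path $out | Where-Object { $_ -match '^Audit\w+\s*=' }
}

Set-RecommendedAuditPolicy
Get-EffectiveAuditPolicy
```

Object access auditing (AuditObjectAccess) only produces events for objects that also carry a SACL, so enabling the category alone fills nothing; add auditing entries on the specific folders you care about, such as the web root, or the category stays silent.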
5. Run anti-virus software
I have seen people who never install anti-virus software; in fact it is very important. Good anti-virus software not only kills the well-known viruses but also a large number of Trojans and backdoor programs, so the famous Trojans the "hackers" use become useless. Don't forget to update the virus database. We recommend McAfee anti-virus software and the BlackICE firewall.
6. SQL Server database security and Serv-U FTP server security configuration: change the default ports and manage your passwords well.
7. Set up IP filtering and use BlackICE to block the ports commonly used by Trojans.
Generally block the following ports:
135 138 139 443 445 4000 4899 7626
8. Local security policy and group policy settings. If you make a mistake while configuring the local security policy, you can restore it to its default values:
Open the %SystemRoot%\security folder, create an "OldSecurity" subdirectory, and move all the .log files under %SystemRoot%\security into this new subfolder.
Find the "secedit.sdb" security database in %SystemRoot%\security\Database and rename it, for example to "secedit.old". Start the "Security Configuration and Analysis" MMC snap-in: Start -> Run -> "mmc" to start the management console, then "Add/Remove Snap-in" and add the "Security Configuration and Analysis" snap-in.
Right-click Security Configuration and Analysis -> "Open Database", browse to the "C:\WinNT\Security\Database" folder, enter the file name "secedit.sdb" and click "Open".
When the system prompts for a template, select "Setup Security.inf" and click "Open".
If the system reports that the database was rejected, ignore it.
You will find a new security database in the "C:\WinNT\Security\Database" subfolder and a regenerated log file under the "C:\WinNT\Security" subfolder. The security database has been rebuilt successfully.
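The same reset can be done without the console by driving secedit directly, which is handy when the MMC itself is unavailable on a damaged box. This is an added example for this page, not from the original article. It assumes PowerShell 2.0 or later, an administrator session, and a Windows Server 2003 install where the default template is "%SystemRoot%\security\templates\setup security.inf" (the article's paths say C:\WinNT; the script uses %SystemRoot% so it also works when Windows is in C:\WINDOWS).

```powershell
# Added example: rebuild the local security database from the default template,
# following the same steps as the console procedure above.
$secDir   = Join-Path $env:SystemRoot 'security'
$dbDir    = Join-Path $secDir 'Database'
$db       = Join-Path $dbDir 'secedit.sdb'
$template = Join-Path $secDir 'templates\setup security.inf'
$oldDir   = Join-Path $secDir 'OldSecurity'

function Reset-LocalSecurityDatabase {
    if (-not (Test-Path $template)) { throw "Default template not found: $template" }
    if (-not (Test-Path $oldDir)) { New-Item -ItemType Directory -Path $oldDir | Out-Null }

    # Step 1: park the existing log files in OldSecurity.
    Get-ChildItem -Path $secDir -Filter '*.log' | Move-Item -Destination $oldDir -Force

    # Step 2: keep the old database under a new name so nothing is lost.
    if (Test-Path $db) { Move-Item -Path $db -Destination (Join-Path $dbDir 'secedit.old') -Force }

    # Step 3: create a fresh database from "setup security.inf" and apply it.
    # On the command line there is no "database rejected" prompt to dismiss.
    & secedit /configure /db $db /cfg $template /log (Join-Path $secDir 'reset.log') /quiet
    "secedit exit code: $LASTEXITCODE"

    # Step 4: the checks the article describes: a new secedit.sdb and a fresh log.
    "New database present: $(Test-Path $db)"
    Get-ChildItem -Path $secDir -Filter '*.log' | ForEach-Object { "Log: $($_.Name) ($($_.Length) bytes)" }
}

Reset-LocalSecurityDatabase
```

Applying the default template resets every area it covers (account policy, audit policy, user rights, registry and file ACLs), not only the setting that went wrong, so any hardening from the earlier tricks must be reapplied afterwards; that is also why the old database is kept as secedit.old rather than deleted.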