Win2003 IIS SQL server security reinforcement

xiaoxiao2021-03-06  14

IIS Web Server Security Reinforcement Steps:

Install and configure Windows Server 2003.

1. Move /system32/cmd.exe to another directory or rename it.

2. Keep the number of system accounts to a minimum; change the names and descriptions of the default accounts (such as Administrator) and use passwords that are as complex as possible.

3. Deny access to this computer from the network for: anonymous logon; the built-in Administrator account; SUPPORT_388945a0; Guest; and every service account that does not belong to the operating system.

4. It is recommended to give ordinary users only Read permission and to give Full Control only to Administrators and SYSTEM. This may stop some normal scripts from running, or stop some operations that need to write from completing; in that case change the permissions on the specific folders or files involved. Test the change on a test machine first, then apply it carefully.

5. NTFS file permission settings (note that permissions set on a file take precedence over permissions set on its folder):

Recommended NTFS permissions for each file type are Everyone (Execute), Administrators (Full Control), System (Full Control), applied to: CGI files (.exe, .dll, .cmd, .pl); script files (.asp); include files (.inc, .shtm, .shtml); static content (.txt, .gif, .jpg, .htm, .html).

6. Disable the C$, D$ and similar default shares: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, AutoShareServer, REG_DWORD, 0x0.

7. Disable the ADMIN$ default share (the AutoShareServer value in item 6 removes it together with the drive shares).

8. Restrict the IPC$ default share: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, RestrictAnonymous, REG_DWORD. 0x0 is the default; 0x1 prevents anonymous users from enumerating the local user list; 0x2 prevents anonymous users from connecting to the IPC$ share at all. Note: 2 is not recommended, because some services may then fail to start, SQL Server for example.

9. Give users only the privileges they need; the principle of least privilege is an important guarantee of security.

10. Enable appropriate auditing under Local Security Policy -> Audit Policy. The recommended settings are:
   Audit account management: Success, Failure
   Audit logon events: Success, Failure
   Audit object access: Failure
   Audit policy change: Success, Failure
   Audit privilege use: Failure
   Audit system events: Success, Failure
   Audit directory service access: Failure
   Audit account logon events: Success, Failure
   Auditing too few items means that when you need to look something up there is no record of it; auditing too many items not only consumes system resources but buries the entries you actually need, which defeats the purpose of auditing.
   Under Account Policies -> Password Policy set: password must meet complexity requirements: enabled; minimum password length: 6 characters; enforce password history: 5 passwords remembered; maximum password age: 30 days.
   Under Account Policies -> Account Lockout Policy set: account lockout threshold: 3 invalid logon attempts; account lockout duration: 20 minutes; reset account lockout counter after: 20 minutes.

11. In Terminal Services Configuration -> Permissions -> Advanced -> Auditing, it is generally enough to log logon and logoff events.

12. Unbind NetBIOS from TCP/IP: Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable. On Windows 2000: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.

13. Enable TCP/IP filtering in the network connection properties and open only the necessary ports (such as 80).

14. Disable null-session connections on port 139 by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, RestrictAnonymous = 1.

15. Change the time-to-live (TTL) of outgoing packets: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, DefaultTTL, REG_DWORD, 0-0xFF (0-255 decimal; default 128).

16. Protect against SYN flood attacks: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, SynAttackProtect, REG_DWORD, 0x2 (default 0x0).

17. Disable ICMP router advertisement (router discovery) packets: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>, PerformRouterDiscovery, REG_DWORD, 0x0 (default 0x2).

18. Protect against ICMP redirect attacks: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, EnableICMPRedirect, REG_DWORD, 0x0 (default 0x1).

19. Disable the IGMP protocol: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, IGMPLevel, REG_DWORD, 0x0 (default 0x2).

20. Set the ARP cache aging time: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, ArpCacheLife, REG_DWORD, 0-0xFFFFFFFF (seconds; default 120) and ArpCacheMinReferencedLife, REG_DWORD, 0-0xFFFFFFFF (seconds; default 600).

21. Disable dead-gateway detection: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, EnableDeadGWDetect, REG_DWORD, 0x0 (default 0x1).

22. Disable IP routing (forwarding between interfaces): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, IPEnableRouter, REG_DWORD, 0x0 (default 0x0).
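The registry values in items 6, 8 and 14 to 22 are easy to set once and then silently lose to a later rebuild or a well-meant "tuning" change, so it is worth re-checking them on a schedule. The following Python script is an added example, not part of the original article or of any Microsoft tool: it reads the text that `reg export` writes (the "Windows Registry Editor Version 5.00" format), collects the DWORD values, and reports every value that differs from the baseline above. An absent value is reported as a finding too, because the system default then applies. The key and value names are the ones in the checklist; the export text at the bottom is constructed sample data with one wrong value and one missing value planted in it.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Expected DWORD values, taken from the checklist items above.
BASELINE = {
    (LANMAN, "AutoShareServer"): 0,     # item 6: no C$/D$/ADMIN$ default shares
    (LSA, "RestrictAnonymous"): 1,      # items 8 and 14: no anonymous enumeration
    (TCPIP, "SynAttackProtect"): 2,     # item 16
    (TCPIP, "EnableICMPRedirect"): 0,   # item 18
    (TCPIP, "IGMPLevel"): 0,            # item 19
    (TCPIP, "EnableDeadGWDetect"): 0,   # item 21
    (TCPIP, "IPEnableRouter"): 0,       # item 22
}

# One "Name"=dword:XXXXXXXX line as written by reg export.
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {(key_path, value_name): int} for every DWORD in a .reg export.

    Only DWORD values are collected; string and binary values are ignored
    because everything in the baseline is a REG_DWORD.
    """
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = DWORD_LINE.match(line)
        if current_key is not None and match:
            values[(current_key, match.group(1))] = int(match.group(2), 16)
    return values


def audit(text):
    """Compare an export against BASELINE.

    Returns a list of (key_path, value_name, expected, actual); actual is
    None when the value is not present in the export at all.
    """
    # Registry key and value names are case-insensitive, so compare lower-cased.
    present = {(k.lower(), n.lower()): v
               for (k, n), v in parse_reg_export(text).items()}
    findings = []
    for (key, name), expected in BASELINE.items():
        actual = present.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings


# Constructed sample export (not from a real server). EnableICMPRedirect is
# still at its default of 1 and AutoShareServer was never set.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:00000080
"SynAttackProtect"=dword:00000002
"EnableICMPRedirect"=dword:00000001
"IGMPLevel"=dword:00000000
"EnableDeadGWDetect"=dword:00000000
"IPEnableRouter"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"""

if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE_EXPORT):
        state = "missing (system default applies)" if actual is None else f"is {actual}"
        print(f"{key}\\{name}: expected {expected}, {state}")
```

On a real server, export the three keys with `reg export` to a file, copy the file to the machine doing the review, and pass its contents to `audit()`; the script never touches the live registry, so it can run from any workstation.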

Install and configure IIS services:

1. Install only the necessary IIS components (disable the FTP and SMTP services if they are not needed).

2. Enable only the necessary services and Web Service Extensions. Recommended configuration:

   Background Intelligent Transfer Service (BITS) server extensions: Enable. BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. If Windows Update or Automatic Updates is used to apply service packs and hotfixes automatically on the IIS server, this component is required.
   Common Files: Enable. IIS requires these files; always enable them on the IIS server.
   File Transfer Protocol (FTP) Service: Disable. Allows the IIS server to provide FTP services. A dedicated IIS server does not require this service.
   FrontPage 2002 Server Extensions: Disable. Provides FrontPage support for administering and publishing Web sites. If no FrontPage-extended Web sites are used, disable this component on a dedicated IIS server.
   Internet Information Services Manager: Enable. The administrative interface for IIS.
   Internet Printing: Disable. Provides Web-based printer management and allows printers to be shared over HTTP. A dedicated IIS server does not require this component.
   NNTP Service: Disable. Distributes, queries, retrieves and posts Usenet news articles on the Internet. A dedicated IIS server does not require this component.
   SMTP Service: Disable. Supports the transfer of e-mail. A dedicated IIS server does not require this component.
   World Wide Web Service: Enable. Provides Web services for static and dynamic content. A dedicated IIS server requires this component.

   Subcomponents of the World Wide Web Service:

   Active Server Pages: Enable. Provides ASP support. If no Web site or application on the IIS server uses ASP, disable this component here or through Web Service Extensions.
   Internet Data Connector: Disable. Provides dynamic content support through files with the .idc extension. If no Web site or application on the IIS server contains .idc files, disable this component here or through Web Service Extensions.
   Remote Administration (HTML): Disable. Provides an HTML interface for administering IIS. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not require this feature.
   Remote Desktop Web Connection: Disable. Includes the Microsoft ActiveX controls and sample pages for hosting Terminal Services client connections. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not require this component.
   Server-Side Includes: Disable. Provides support for .shtm, .shtml and .stm files. If no Web site or application running on the IIS server uses files with these extensions, disable this component.
   WebDAV Publishing: Disable. WebDAV extends the HTTP/1.1 protocol to let clients publish, lock and manage resources on the Web. Disable this component on a dedicated IIS server, here or through Web Service Extensions.
   World Wide Web Service: Enable. Provides Web services for static and dynamic content. A dedicated IIS server requires this component.

3. Keep the IIS directories and data off the system disk, on a separate partition of their own.

4. In IIS Manager remove every application mapping that is not needed (keep only the necessary ones, such as .asp).

5. Redirect the HTTP 404 "Object Not Found" error page to a custom .htm file by URL in IIS.

6. Web site permission settings (recommended):

   Web site permissions: Read: allow; Write: do not allow; Script source access: do not allow; Directory browsing: recommended off; Log visits: recommended off; Index this resource: recommended off; Execute permissions: recommended "Scripts only".

7. Use the W3C Extended log file format and record the client IP address, user name, server port, method, URI stem, HTTP status and user agent; review the log every day. Do not keep the log in the default directory: change the log path, and set the permissions on the log directory so that only Administrators and SYSTEM have Full Control.

8. Application security: 1) Encapsulate user names and passwords as far as possible and keep as few of them as possible in ASP files; the database account whose user name and password appear there should have the minimum privileges it needs. 2) ASP pages that require authentication should track the file name of the previous page, so that only a session arriving from that page can read this one. 3) Prevent the .inc include files of ASP pages from being exposed. 4) Prevent backup files such as some.asp.bak, which editors like UltraEdit generate, from being exposed.

Security updates: all required service packs and hotfixes are applied manually on a schedule.

Antivirus protection: NAV 8.1 or later with its virus firewall is recommended (configured to update itself once a week).

Firewall protection: the latest version of the BlackICE Server Protection firewall is recommended (simple to configure).

Monitoring: install the MOM agent or a similar monitoring solution as required.

Data backup: back up the Web data on a schedule, so that the most recent state can be restored after a problem occurs.

IPSec filters for blocking ports: Internet Protocol Security (IPSec) filters are an effective way to reach the security level a server requires. This guide recommends using them in the high-security environment it defines, to further reduce the attack surface of the server. For more information on using IPSec filters, see the module "Additional Member Server Hardening Procedures".

The following table lists all IPSec filters that can be created on an IIS server in the high-security environment defined in this guide:

   Service            Protocol  Source port  Destination port  Source address  Destination address  Action  Mirror
   Terminal Services  TCP       All          3389              All             Me                   Allow   Yes
   HTTP Server        TCP       All          80                All             Me                   Allow   Yes
   HTTPS Server       TCP       All          443               All             Me                   Allow   Yes

When implementing the rules listed above, they should be mirrored. This ensures that any network traffic entering the server can also return to its source.
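Item 7 asks for a daily review of the W3C extended log and item 8 warns about .inc and .bak files being exposed. The following Python script is an added example, not tooling from the article: it parses an IIS W3C extended log using the log's own #Fields directive (so it works with whatever field selection the site has enabled, as long as c-ip, cs-uri-stem and sc-status are among them), counts status codes and requests per client, and lists every request for a file with an .inc or .bak extension, including the ones that succeeded, which is the case that indicates a leak. The log text at the bottom is constructed sample data; the field names are the standard W3C names IIS writes.

```python
from collections import Counter

# Extensions that item 8 says must never be served (include files and editor backups).
SENSITIVE_SUFFIXES = (".inc", ".bak")


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    IIS replaces spaces inside a field with '+', so splitting on single spaces
    is safe. Lines whose field count does not match the directive are skipped
    rather than mis-aligned.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def review_log(text):
    """Summarise a log the way a daily review would: status codes, requests and
    404s per client, and every request that touched a sensitive extension."""
    status_counts = Counter()
    requests_per_client = Counter()
    not_found_per_client = Counter()
    sensitive = []
    for rec in parse_w3c_log(text):
        status_counts[rec["sc-status"]] += 1
        requests_per_client[rec["c-ip"]] += 1
        if rec["sc-status"] == "404":
            not_found_per_client[rec["c-ip"]] += 1
        if rec["cs-uri-stem"].lower().endswith(SENSITIVE_SUFFIXES):
            sensitive.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return {
        "status": dict(status_counts),
        "clients": dict(requests_per_client),
        "not_found": dict(not_found_per_client),
        "sensitive": sensitive,
    }


# Constructed sample log (not a real capture). One client fetches a database
# include file successfully and then probes for an editor backup of a page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-01-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2004-01-01 00:00:01 10.0.0.5 - 80 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-01-01 00:00:02 10.0.0.5 - 80 GET /index.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-01-01 00:00:03 10.0.0.9 - 80 GET /include/conn.inc 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-01-01 00:00:04 10.0.0.9 - 80 GET /index.asp.bak 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-01-01 00:00:05 10.0.0.9 - 80 GET /admin/login.asp 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2004-01-01 00:00:06 10.0.0.9 - 80 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

if __name__ == "__main__":
    summary = review_log(SAMPLE_LOG)
    print("status codes:", summary["status"])
    print("requests per client:", summary["clients"])
    print("404s per client:", summary["not_found"])
    for ip, uri, status in summary["sensitive"]:
        print(f"sensitive request from {ip}: {uri} -> {status}")
```

A 200 in the sensitive list means the file was actually served and its contents (typically a connection string) should be treated as disclosed; a 404 there means the request was refused but still shows someone guessing at backup names, which is worth correlating with the same client's other 404s.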


SQL server security reinforcement

Step and description:

MDAC upgrade: install the latest MDAC (http://www.microsoft.com/data/download.htm).

Password policy: SQL Server does not allow the sa login to be renamed, and this super user cannot be deleted, so the account is always present. Protect it as strongly as possible: give it a very strong password, and preferably do not use the sa account in database applications at all; instead create a new login with sa-equivalent authority for administering the database. Make a habit of changing passwords regularly. The database administrator should also check regularly for logins that do not meet the password requirements, for example with the following SQL statement:

   USE master
   SELECT name, password FROM syslogins WHERE password IS NULL

Database login logging: in the instance properties choose Security and set the audit level to All, so that both failed and successful logins are recorded; all account login events are then logged in detail in both the SQL Server log and the operating system log.

Managing extended stored procedures: xp_cmdshell is the quickest way from the database into the operating system and is a large back door from the database to the operating system. Remove it with the following SQL statement:

   USE master
   EXEC sp_dropextendedproc 'xp_cmdshell'

If this stored procedure is needed later, restore it with:

   EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

OLE automation stored procedures (removing them makes some Enterprise Manager features unusable): remove all of sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty and sp_OAStop.

Unnecessary registry access stored procedures: these can even read the operating system administrator's password. Remove xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regremovemultistring and xp_regwrite.

TCP/IP port probing: in the instance properties open the network configuration and the properties of the TCP/IP protocol, select "Hide SQL Server instance", and change the port from the default 1433. Reject UDP traffic to port 1434 with an IPSec filter, so that the SQL Server is hidden as far as possible.

Network connections: the operating system's own IPSec can protect IP traffic. Restrict connections so that only your own IP addresses can reach the port and reject port connections from any other IP.

Attachment: recommended list of services to disable on Windows 2003.

Please credit the original source when reposting: https://www.9cbs.com/read-49350.html
