Windows Server 2003 security is stronger than Windows 2000, but is it really safe to use Windows Server 2003 as a server? How do you build a secure personal web server? Here is a brief introduction.
First, installing Windows Server 2003
1. The installation needs at least two partitions, and the partitions must use the NTFS format.
2. Install the 2003 system with the network disconnected.
3. Install IIS with only the necessary IIS components (disable services such as FTP and SMTP). By default the IIS service is not installed: in Add/Remove Windows Components select "Application Server", click "Details", double-click Internet Information Services (IIS), and check the following options:
Internet Information Services Manager;
Common Files;
Background Intelligent Transfer Service (BITS) server extension;
World Wide Web Service.
If you use FrontPage-extended web sites, also check: FrontPage 2002 Server Extensions.
4. Install MSSQL and the other required software, then run Windows Update.
5. Use Microsoft's MBSA (Microsoft Baseline Security Analyzer) tool to analyze the computer's security configuration and identify missing patches and updates. Download address: see the link at the end of the page.
Second, setting up and managing accounts
1. Create a new system administrator account, and change the name and description of the default administrator account (Administrator). The password should combine upper- and lowercase letters with digits and should be no shorter than 14 characters.
2. Create a decoy account named Administrator, give it the lowest possible permissions, and set a password of more than 20 characters of mixed types.
3. Disable the Guest account, change its name and description, and set a complex password. There is also a DELGUEST tool now that may let you delete the Guest account, but I have not tried it.
4. Enter gpedit.msc in Run to open the Group Policy Editor, select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, and set the account lockout threshold to "3 invalid logon attempts", the lockout duration to "30 minutes", and the reset lockout counter to "30 minutes".
5. In Security Settings - Local Policies - Security Options, set "Interactive logon: Do not display last user name" to Enabled.
6. In Security Settings - Local Policies - User Rights Assignment, keep all IIS process accounts and the Internet Guest account in their user rights assignments. If you use ASP.NET, the ASPNET account must be kept as well.
7. Create an ordinary user account and run the system under it; when you need to run a privileged command, use the runas command.
Third, network service security management
1. Disable the C$, D$, ADMIN$ and other default shares
Open the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, create a new DWORD value named AutoShareServer, and set its value to 0.
2. Unbind NetBIOS from the TCP/IP protocol
Right-click My Network Places - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol (TCP/IP) - Advanced - WINS - Disable NetBIOS over TCP/IP.
3. Stop unneeded services; the following are the suggested ones:
Computer Browser: maintains the list of computers on the network; disable
Distributed File System: manages LAN shared files; not needed, disable
Distributed Link Tracking Client: updates link information on the LAN; not needed, disable
Error Reporting Service: disable to stop sending error reports
Microsoft Search: provides fast full-text search; not needed, disable
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; not needed, disable
Print Spooler: if there is no printer, disable
Remote Registry: disable to prevent remote modification of the registry
Remote Desktop Help Session Manager: disable to prevent remote assistance
Fourth, enable the appropriate audit policy
Enter gpedit.msc in Run to open the Group Policy Editor and select Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. When choosing audit items, note that the more items are audited, the more events are generated, and a serious event then becomes harder to find among them; you need to choose based on your situation.
Recommended items to audit are:
Success, failure
Audit account logon events: success, failure
Audit system events: success, failure
Audit policy change: success, failure
Audit object access: failure
Audit directory service access: failure
Audit privilege use: failure
Fifth, other security-related settings
1. Hide important files/directories
You can modify the registry to hide them completely: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click "CheckedValue", select Modify, and change the value from 1 to 0.
2. Enable the system's built-in Internet Connection Firewall and check Web Server in the Services options of its settings.
3. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value named SynAttackProtect, value 2
4. Do not respond to ICMP router advertisement packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
New DWORD value named PerformRouterDiscovery, value 0
5. Prevent ICMP redirect attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the EnableICMPRedirect value to 0
6. Do not support the IGMP protocol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value named IGMPLevel, value 0
7. Disable DCOM:
Enter dcomcnfg.exe in Run, click Component Services under "Console Root", and open the Computers subfolder.
For the local computer, right-click My Computer and select Properties. Select the Default Properties tab.
Clear the "Enable Distributed COM on this computer" checkbox.
Note: for items 3-6 I use the Server 2000 settings and have not tested whether they work on 2003. But one thing is certain: I have not found them to affect anything else.
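The registry items from sections Third.1 and Fifth.1, 3-6 above are easy to get wrong by hand, so here is an added audit script (not from the original article) that reports which of those values are missing and, with -Apply, sets them. It assumes an elevated PowerShell 2.0 or later prompt on the server itself; the per-interface key for PerformRouterDiscovery is enumerated because the article only shows a placeholder path.

```powershell
# Added example, not from the page: audit (and with -Apply, set) the registry
# values recommended in sections Third.1 and Fifth.1, 3-6.
# Assumes an elevated PowerShell 2.0+ prompt on the server being hardened.
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$desired = @(
    # Third.1: disable the C$, D$, ADMIN$ default shares
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer'; Value = 0 },
    # Fifth.1: keep files marked hidden out of Explorer even with "Show hidden files"
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Value = 0 },
    @{ Path = $tcpip; Name = 'SynAttackProtect';   Value = 2 },   # Fifth.3 SYN flood protection
    @{ Path = $tcpip; Name = 'EnableICMPRedirect'; Value = 0 },   # Fifth.5 ignore ICMP redirects
    @{ Path = $tcpip; Name = 'IGMPLevel';          Value = 0 }    # Fifth.6 no IGMP
)
# Fifth.4 is set per network interface, so add one entry per adapter key
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $desired += @{ Path = $iface.PSPath; Name = 'PerformRouterDiscovery'; Value = 0 }
}

function Test-RegValue($Path, $Name, $Expected) {
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.$Name -eq $Expected)
}

foreach ($d in $desired) {
    $ok = Test-RegValue $d.Path $d.Name $d.Value
    $label = "$($d.Path.Split('\')[-1])\$($d.Name)=$($d.Value)"
    if ($ok) { "OK       $label"; continue }
    if (-not $Apply) { "MISSING  $label (rerun with -Apply to set)"; continue }
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    # -Force overwrites an existing value that holds the wrong data
    New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
    "APPLIED  $label (Tcpip values take effect after a reboot)"
}
```

Run it once without -Apply to see the current state, and keep that output as a record so the change can be undone per item if a service misbehaves.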
Sixth, configure the IIS service:
1. Do not use the default web site; if you do use it, at least move the IIS directory off the system disk.
2. Delete the Inetpub directory that IIS creates by default (on the system installation disk).
3. Delete the virtual directories under the system, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.
4. Delete unnecessary IIS extension mappings.
Right-click the Default Web Site → Properties → Home Directory → Configuration to open the Application Configuration window and remove the unnecessary application mappings, mainly .shtml, .shtm and .stm.
5. Change the IIS log path
Right-click the Default Web Site → Properties → Web Site → under Enable Logging click Properties.
6. If you are using 2000 you can use IISLockdown to protect IIS; the IIS 6.0 version running on 2003 does not need it.
7. Use URLScan
URLScan is an ISAPI filter that analyzes incoming HTTP requests and rejects any suspicious traffic. The latest version is 2.5; on 2000 Server you need to install version 1.0 or 2.0. For the download address see the end of the page.
If there are no special requirements you can use the URLScan default configuration.
But if you run ASP.NET programs on the server and need to debug them, open the URLSCAN.INI file in the %WINDIR%\system32\inetsrv\urlscan folder and add the DEBUG verb to the [AllowVerbs] section; note that this section is case sensitive.
If your pages are .asp pages, delete the .asp-related entries in the [DenyExtensions] section.
If your pages use a non-ASCII encoding, set AllowHighBitCharacters=1 in the [Options] section.
After changing the URLSCAN.INI file you must restart the IIS service for the changes to take effect: enter iisreset in Run.
If you have problems after configuring it, you can remove URLScan through Add/Remove Programs.
8. Use the WIS (Web Injection Scanner) tool to scan for SQL injection vulnerabilities.
Download address: http://www.fanvb.net/websample/othersample.aspx (VB.NET enthusiasts)
Seventh, configure SQL Server
1. The sysadmin role should have no more than two members.
2. If possible, configure authentication as Windows login (Windows Authentication).
3. Do not use the sa account, and set a very complex password for it.
4. Delete the following extended stored procedures. The format is:
    USE master
    EXEC sp_dropextendedproc 'extended stored procedure name'
xp_cmdshell: the most convenient shortcut into the operating system; delete it.
Stored procedures that access the registry; delete them:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regwrite xp_regremovemultistring
OLE automation stored procedures; not needed, delete them:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
5. Hide SQL Server and change the default port 1433
Right-click the instance - select Properties - General - Network Configuration - Properties, select the TCP/IP protocol, check Hide SQL Server instance and change the default port 1433.
Eighth, if the machine is only a web server and does nothing else, use IPSec
1. Administrative Tools - Local Security Policy - right-click IP Security Policies - Manage IP filter lists and filter actions - on the Manage IP Filter Lists tab click Add - set the name to Web Filter - click Add - enter Web Server in Description - set the source address to Any IP Address - set the destination address to My IP Address - set the protocol type to TCP - set the IP protocol port from Any port to This port: 80 - click Finish - click OK.
2. On the Manage IP Filter Lists tab click Add - set the name to All Inbound Filters - click Add - enter All inbound filtering in Description - set the source address to Any IP Address - set the destination address to My IP Address - set the protocol type to Any - click Next - Finish - click OK.
3. On the Manage Filter Actions tab click Add - Next - enter Block as the name - Next - select Block - Next - Finish - close the Manage IP filter lists and filter actions window.
4. Right-click IP Security Policies - Create IP Security Policy - Next - enter Packet Filter as the name - Next - uncheck Activate the default response rule - Next - Finish.
5. In the IP Security Policy Properties window that opens click Add - Next - This rule does not specify a tunnel - Next - All network connections - Next - in the IP Filter List select the new Web Filter - Next - in Filter Action select Permit - Next - Finish; then click Add again and repeat the steps, this time selecting the All Inbound Filters list in the IP Filter List and Block in Filter Action - Next - Finish - OK.
6. In the right pane of IP Security Policies, right-click the new Packet Filter policy and click Assign. No restart is needed; IPSec takes effect immediately.
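The six GUI steps above can be reproduced from the command line with the netsh ipsec static context that ships with Windows Server 2003. This is an added example, not from the original article; the filter list, action and policy names mirror the ones used in the steps, and it assumes an elevated prompt on the server.

```powershell
# Added example, not from the page: the Packet Filter IPSec policy from
# section Eighth built with netsh ipsec static (Windows Server 2003).
# Filter lists and the Block action must exist before the rules that use them.

# Step 1: "Web Filter" = TCP from any address/port to this host, port 80
netsh ipsec static add filterlist name="Web Filter" description="Web Server"
netsh ipsec static add filter filterlist="Web Filter" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="Web Server"

# Step 2: "All Inbound Filters" = any protocol from any address to this host
netsh ipsec static add filterlist name="All Inbound Filters" description="All inbound filtering"
netsh ipsec static add filter filterlist="All Inbound Filters" srcaddr=any dstaddr=me protocol=any mirrored=yes

# Step 3: a filter action named Block (Permit already exists by default)
netsh ipsec static add filteraction name=Block action=block

# Step 4: the policy, without the default response rule
netsh ipsec static add policy name="Packet Filter" activatedefaultrule=no

# Step 5: two rules; IPSec applies the more specific filter (port 80) first,
# so HTTP is permitted and everything else to this host is blocked
netsh ipsec static add rule name="Allow HTTP" policy="Packet Filter" filterlist="Web Filter" filteraction=Permit
netsh ipsec static add rule name="Block the rest" policy="Packet Filter" filterlist="All Inbound Filters" filteraction=Block

# Before step 6: the mirrored catch-all also blocks the server's own outbound
# traffic and any remote administration (for example RDP on 3389), so add a
# permit filter for every port you still rely on before assigning the policy.

# Step 6: assign the policy (takes effect without a restart) and show it
netsh ipsec static set policy name="Packet Filter" assign=y
netsh ipsec static show policy name="Packet Filter"
```

To back the change out, `netsh ipsec static set policy name="Packet Filter" assign=n` unassigns it immediately.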
Ninth, suggestions
If you follow this article, it is recommended to test the server after every single change, so that if a problem appears you can undo that change immediately. If many items are changed at once it is difficult to judge which one caused the problem.
Tenth, record the currently running programs and open ports
1. Record the processes currently running on the server and save the list, so that later it is easy to see whether an unknown program has appeared.
2. Record the currently open ports, graphically or otherwise, and save the list so that unknown ports can be spotted. Of course, if you can account for every process, the port record can be omitted.
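A baseline is only useful if it can be compared later, so here is an added script (not from the original article) that writes the process names and listening ports to a file and, on a later run, reports everything that has appeared since. It assumes PowerShell 2.0 or later; Get-NetTCPConnection does not exist on Server 2003, so the output of netstat -ano is parsed instead.

```powershell
# Added example, not from the page: snapshot running processes and listening
# ports (section Tenth), then diff a later snapshot against the saved one.
# Usage:  .\Baseline.ps1 -Save baseline.txt       (right after hardening)
#         .\Baseline.ps1 -Compare baseline.txt    (later, to spot changes)
param([string]$Save, [string]$Compare)

function Get-Snapshot {
    # process names only; PIDs change across reboots and would add noise
    $procs = Get-Process | ForEach-Object { "PROC`t$($_.Name)" }
    # netstat -ano rows look like:
    #   TCP    0.0.0.0:80     0.0.0.0:0    LISTENING    1234
    #   UDP    0.0.0.0:445    *:*                       4
    $ports = netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            $owner = (Get-Process -Id $f[4] -ErrorAction SilentlyContinue).Name
            "PORT`tTCP`t$($f[1])`t$owner"
        } elseif ($f[0] -eq 'UDP') {
            $owner = (Get-Process -Id $f[3] -ErrorAction SilentlyContinue).Name
            "PORT`tUDP`t$($f[1])`t$owner"
        }
    }
    @($procs) + @($ports) | Sort-Object -Unique
}

function Compare-Snapshot([string[]]$Old, [string[]]$New) {
    # entries present now but absent from the baseline are the ones to investigate
    Compare-Object -ReferenceObject $Old -DifferenceObject $New |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

if ($Save) {
    Get-Snapshot | Set-Content $Save
    "baseline written to $Save"
}
if ($Compare) {
    $added = Compare-Snapshot (Get-Content $Compare) (Get-Snapshot)
    if ($added) { "NEW since baseline:"; $added }
    else { "no new processes or listening ports" }
}
```

Keep the baseline file somewhere the web server's accounts cannot write to, so an unexpected process cannot simply add itself to the list.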