First, customize your own Win2000 Server
1. Version selection
Win2000 comes in a variety of language versions. For us, the choice is between the English and the Simplified Chinese version. I strongly recommend the English version if language is not an obstacle. Microsoft's products are known for bugs and patches; the Chinese version has far more bugs than the English version, and its patches are generally at least half a month late (that is, after Microsoft announces a vulnerability, your machine will generally be unprotected for half a month).
2. Customization of components
Win2000 installs some common components by default, but this default installation is extremely dangerous. (Mitnick said that he can get into any server with a default installation. I would not dare to say that, but if your host is a default installation of Win2000 Server, I can tell you that you are dead.) You should know exactly which services you need and install only those, following the security principle: least services + least permissions = maximum security. The minimum component selection for a typical web server is: only IIS's COM Files, IIS Snap-in and WWW Server components. If you really need to install other components, do so carefully, especially with these dangerous services: Indexing Service, FrontPage 2000 Server Extensions and Internet Service Manager (HTML).
3. Management application selection
It is very important to choose good remote management software; this is not only a security requirement but also a practical one. Win2000 Terminal Service is remote control software based on RDP (Remote Desktop Protocol). It is fast, easy to operate, and well suited to routine operations. However, Terminal Service also has its shortcomings. Because it uses a virtual desktop, and because of Microsoft's sloppy programming, the server often behaves in exasperating ways when you use Terminal Service to install software or restart it. For example, restarting a Microsoft-certified server (Compaq, IBM, etc.) through Terminal Service may shut it down outright. So, to be safe, I suggest you also install another remote control program as a backup that complements Terminal Service; pcAnywhere is a good choice.
Second, properly install Win2000 Server
1. Partition and logical disk layout
Some people, to save effort, create only one logical disk and install all software on C. This is very bad. It is recommended to create at least two partitions, a system partition and an application partition, because Microsoft's IIS often has source-disclosure and overflow vulnerabilities; if the system and IIS are on the same drive, these can leak system files or even let an intruder gain admin remotely. The recommended secure configuration is three logical drives: the first, larger than 2G, holds the system and important log files, the second holds IIS, and the third holds FTP, so that a security vulnerability in either IIS or FTP will not directly affect the system directory and system files. IIS and FTP are the services exposed to the outside, so they are more prone to problems. IIS and FTP are kept apart mainly to prevent an intruder from uploading a program and running it from IIS. (This may cause trouble for the developers and editors, but never mind; you are the administrator, after all.)
2. Selection of installation sequence
Don't think that the order is unimportant as long as everything ends up installed. Wrong! There are several points of order to watch during installation:
First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the ADMIN$ share but does not protect it with the password you just entered. This lasts until you restart. During this time, anyone can get into your machine through ADMIN$. In addition, as soon as the installation completes, all services start automatically, and at that point the server is full of vulnerabilities and very easy to get into. So do not connect the host to the network until Win2000 Server is fully installed and configured.
Second, the installation of patches: patches should be installed after all applications are installed, because a patch often replaces or modifies system files; if the patch is installed first, it may not take effect. For example, the IIS HotFix has to be installed again every time the IIS configuration is changed.
Third, securely configure Win2000 Server
Even if Win2000 Server is installed correctly, it still has a lot of vulnerabilities and needs further careful configuration.
1. Ports
A port is the logical interface between the computer and the external network, and it is also the computer's first barrier. Whether the ports are configured correctly directly affects the security of the host. In general, it is safest to open only the ports you need. To configure this, enable TCP/IP filtering under the NIC properties - TCP/IP - Advanced - Options - TCP/IP filtering. Win2000 port filtering has one bad feature, however: you can only specify which ports to open, not which ports to close, which is painful for users who need to open a large number of ports.
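Because the filter is permit-only, it helps to compare what is actually listening with the intended permit list before enabling it. The following Python example is added here and is not part of the original article; the `netstat -an` sample output and the permitted set (FTP, HTTP and Terminal Service on their standard ports) are constructed assumptions.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from the article).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:80        192.168.0.77:1045      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed permit list for the web/FTP server the article describes:
# FTP (21), HTTP (80), Terminal Service / RDP (3389).
PERMITTED_TCP = {21, 80, 3389}

# Matches only TCP rows in LISTENING state; captures address and port.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports that have a listener."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            ports.add(int(match.group(2)))
    return ports


def audit(netstat_text, permitted):
    """Compare listeners with the permit-only list.

    Returns (unexpected, unused):
      unexpected - ports listening but not permitted (service to disable)
      unused     - ports permitted but with no listener (drop from the list)
    """
    listening = listening_tcp_ports(netstat_text)
    return sorted(listening - permitted), sorted(permitted - listening)


if __name__ == "__main__":
    unexpected, unused = audit(SAMPLE_NETSTAT, PERMITTED_TCP)
    print("listening but not permitted:", unexpected)
    print("permitted but not listening:", unused)
```

Ports reported as listening but not permitted point to services that are still running behind the filter and should be disabled rather than only filtered.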
2. IIS
IIS is one of the Microsoft components with the most vulnerabilities. On average a new vulnerability appears every two or three months, and Microsoft's default IIS installation leaves a great deal to be desired. Therefore, the configuration of IIS is our focus. Now follow along with me:
First, completely delete the INETPUB directory on the C disk, create an inetpub on the D disk (if you are not comfortable with the default directory name you can use another one, as long as you remember it), and point the main directory in the IIS manager to the inetpub on the D disk; Second, delete the default Scripts and other virtual directories created by the IIS installation (the source of sin, forget http://www.target.com/scripts/..