Nowadays many people think that Microsoft's products are riddled with vulnerabilities and that the security of Microsoft's systems is very poor. In fact every operating system has many vulnerabilities; Microsoft's products are simply the ones used by the most people, and most of those users are not very skilled and never apply any security settings, which is what creates the impression. If an NT/2000 server is properly hardened, its security is certainly no worse than that of a *NIX system.
1. Basics: the NT/2000 system itself, its custom installation and related settings

NT (2000) accounts for a large share of all web sites, mainly because it is easy to use and easy to manage: a company does not have to invest a large amount of money in server administration, which is an advantage over *NIX systems. You do not need a very professional administrator and do not have to pay a high salary (of course, *NIX administrators will not be out of work: because of its open source and a speed that Windows cannot match, almost all large servers now run *NIX). For small and medium-sized companies, however, Windows is enough. NT's security problems have always been criticized, which gives some NT-based sites the feeling of walking on thin ice, so here I offer a security solution as a contribution to China's network security profession. (Note: this plan is mainly aimed at securing web sites built on NT/2000 servers and is not suitable for servers on a LAN.)

First, customize your own NT/2000 Server

1. Version selection: Win2000 comes in many language versions; for us the choice is English or Simplified Chinese, and I strongly recommend the English version if language is not an obstacle for you. Microsoft's products are known for "bug & patch": the Chinese version has far more bugs than the English version, and its patches generally arrive at least half a month later (that is, after Microsoft announces a vulnerability, your machine stays unprotected for another half month).

2. Component customization: Win2000 installs a default set of components, but this default installation is extremely dangerous. You should know exactly which services you need and install only those; according to the security principle, least services + least privilege = maximum security. The minimum component selection for a typical web server is: only the Com Files, IIS Snap-in and WWW Server components of IIS.
If you really need to install other components, be careful, especially with Indexing Service, FrontPage 2000 Server Extensions and Internet Service Manager (HTML): these are dangerous services.

Second, correctly install NT/2000 Server

(1) Whether NT or 2000, the hard disk partitions should be NTFS; NTFS lets you set different access rights on folders, which enhances security.

(2) It is recommended to install onto an NTFS partition in one step rather than installing onto a FAT partition and converting it to NTFS afterwards, because with SP5 and SP6 installed the conversion can fail and even crash the system.

(3) There is one potential danger in installing on an NTFS partition: most anti-virus software cannot scan and clean viruses on an NTFS partition after booting from a floppy disk, so once a malicious virus gets into the system and the system no longer boots normally, the consequences are serious. Anti-virus work should therefore be done well.
(4) Partitions and logical drives: some friends, to save hard disk space, create only one logical drive and install all software on C:. This is very bad. It is recommended to create at least two partitions, a system partition and an application partition, because Microsoft's IIS frequently has source-disclosure and overflow vulnerabilities; if the system and IIS sit on the same drive, such a vulnerability can lead to the leakage of system files or even to the intruder obtaining admin rights remotely. The recommended secure configuration is three logical drives: the first, larger than 2G, holds the system and the important log files; the second holds IIS; the third holds FTP. Then whichever of IIS or FTP has a security vulnerability, it will not directly affect the system directory and system files. IIS and FTP are both services, and services are the most prone to problems. Separating IIS from FTP mainly prevents an intruder from uploading through FTP and then running the upload through IIS.

(5) Installation order: there are several points of order to watch during a Win2000 installation. First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the ADMIN$ share but does not protect it with the password you just entered; this situation lasts until you restart, and during that time anyone can enter your machine through ADMIN$. At the same time, as soon as installation finishes, all kinds of services start automatically while the server is still full of vulnerabilities, so it is very easy to break into. Therefore do not connect the host to the network before Win2000 Server is fully installed and configured. Second, installing patches: patches should be installed after all applications are installed, because a patch often replaces or modifies system files; if the patch is installed first, it may end up having no effect. For example, the IIS HotFix has to be reinstalled after every change to IIS.
Third, securely configure NT/2000 Server

Even when Win2000 Server is installed correctly there are still many vulnerabilities, so further detailed configuration is needed.

1. Ports: a port is a logical interface between the computer and the external network and is also the computer's first barrier; whether ports are configured correctly directly affects the security of the host. In general, opening only the ports you need to use is safer. The way to configure this is to enable TCP/IP filtering under the NIC properties - TCP/IP - Advanced - Options - TCP/IP Filtering. Win2000's port filtering has one unfortunate characteristic, however: you can only specify which ports to open, not which ports to close, which is painful for users who need to open a large number of ports.

2. IIS: IIS is the Microsoft component with the most vulnerabilities; on average a new vulnerability appears every two or three months, and Microsoft's default IIS installation is really poor. IIS configuration is therefore our focus. Now everyone follow me. First, delete the INETPUB directory on the C: drive completely and create an inetpub directory on the D: drive (if you are not comfortable with the default directory name, you can change it), then point the home directory to D:\inetpub in IIS Manager. Second, delete the Scripts and other default virtual directories created when IIS was installed. If you need any, build them yourself slowly, granting exactly the permissions that are needed.
(Pay special attention to write and execute-program permissions: they must not be granted without an absolute need.) Third, application configuration: in IIS Manager delete every useless mapping and keep only ASP, ASA and whatever other file types you really need, for example STML (used for server-side includes). In reality 90% of hosts need only the first two mappings, and nearly every one of the remaining mappings has a sad story behind it: htw, htr, idq, ida... Want to know those stories? Go and check the earlier vulnerability lists. In IIS Manager right-click the host -> Properties -> edit the WWW Service -> Home Directory -> Configuration -> Application Mappings, then start deleting them one by one (there is no "delete all", heh). Then, on the App Debugging tab of the same window, change the script error message to "send text" (unless you want the user to learn your program, network or database structure from the ASP error). What should the error text say? Whatever you like; see for yourself. Click OK, and do not forget to let the virtual sites inherit the properties you have set. After installing a new Service Pack the IIS application mappings should be checked again (note: after a new Service Pack is installed some application mappings reappear, creating security vulnerabilities, and this is easy to overlook). To deal with the ever-increasing number of CGI vulnerability scanners there is a small trick: redirect the HTTP 404 Object Not Found error page to a custom HTM file via a URL, which makes most CGI vulnerability scanners fail. The reason is actually very simple. Most CGI scanners are written for convenience.
They check only whether the HTTP code returned says that the page exists. The famous IDQ vulnerability, for example, is usually verified by requesting 1.idq: if HTTP 200 is returned the host is considered vulnerable, and if HTTP 404 is returned it is not. If you redirect the HTTP 404 error message to an http404.htm file via a URL, every scan returns HTTP 200, and 90% of CGI scanners will conclude that you have every vulnerability. The result is that your real vulnerabilities are hidden among the false ones and the intruder has nowhere to start. From another angle, though, I still think that doing the security settings properly matters more than tricks like this. Finally, to be on the safe side, use the IIS backup feature to back up all settings so that you can restore the IIS security configuration at any time. Also, if you are afraid that IIS load will push the server to full load, you can enable the CPU limit under Performance, for example a maximum of 70% CPU usage for IIS.

3. Account policy:

(1) Keep as few accounts as possible and log in as little as possible. Explanation: every account is one more point that can be broken into.

(2) Besides Administrator, add one more account belonging to the Administrators group. Explanation: on one hand it is a backup account; on the other, once a hacker breaks into one account and changes its password, we still have a chance to get back in and regain control in the short term.
(3) The rights of all accounts must be strictly controlled; do not casually give an account special permissions.

(4) Rename Administrator to an inconspicuous name. Other general accounts should also follow this principle. Explanation: this adds one more obstacle to a hacker's attack.

(5) Disable the Guest account, rename it to a complex name, give it a password, and remove it from the Guests group. Explanation: some hacker tools use the Guest account to escalate from a general user to the Administrators group.

(6) Give all user accounts complex passwords (external accounts excepted), at least 8 characters long and containing letters, numbers and special characters at the same time. Do not use familiar words (such as Microsoft), familiar keyboard sequences (such as qwert) or familiar numbers (such as 2000): such passwords are broken in a few minutes, and the recommended scheme is much safer.

(7) Passwords must be changed regularly (at least every two weeks), and it is best to keep them in your head and not write them down anywhere. In addition, if the log shows that an account is being attacked, that account must be changed immediately (both the username and the password).

(8) Set a lockout count in the account properties, for example lock the account after more than 5 failed login attempts. This prevents large-scale login attempts and also alerts the administrator to that account.

4. Security log: the default Win2000 installation does not enable any security auditing!
So go to Local Security Policy -> Audit Policy and enable the appropriate audits. The recommended audit settings are:

Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Success, Failure

The drawback of too few audit items is that when you want to look there is no record; too many audit items not only consume system resources but leave you unable to read them at all, which defeats the purpose of auditing. Under Account Policies -> Password Policy set: password complexity requirements enabled; minimum password length 6; enforce password history 5; maximum password age 30 days. Under Account Policies -> Account Lockout Policy set: account lockout threshold 3 invalid logons; lockout duration 20 minutes; reset lockout counter after 20 minutes. The Terminal Services security log is off by default; you can configure security auditing in Terminal Services Configuration - Permissions, and generally it is enough to audit logon and logoff events.

5. Directory and file permissions: to control users' permissions on the server, access to directories and files must also be set very carefully. NT access permissions are divided into Read, Write, Read & Execute, Modify, List Folder Contents and Full Control. By default most folders are completely open to all users (the Everyone group), so you need to reset permissions according to the needs of the application.
When setting permissions, remember the following principles:

1> Permissions accumulate: if a user belongs to two groups, he has all the permissions allowed by both groups.
2> Deny permissions take precedence over allow permissions (the deny policy is applied first): if a user belongs to a group that is denied access to a resource, he cannot access that resource regardless of any other permission settings. So use Deny very carefully; any improper Deny can stop the system from functioning normally.
3> File permissions take precedence over folder permissions.
4> Controlling permissions through user groups is one of the good habits every mature system administrator must have.
5> Give users only the permissions they truly need; the principle of least privilege is an important guarantee of security.

6. Install only one operating system. Explanation: several operating systems give a hacker the chance to use an attack that restarts the machine into another operating system that has no security settings (or one he is familiar with) and then do damage.

7. Install as a stand-alone server: choose workgroup member, not domain member. Explanation: a primary domain controller (PDC) is a way to manage multiple networked machines in a LAN; for a web server it carries a security hazard, because a hacker may exploit a domain-related vulnerability to attack the server.

8. Put the operating system files and the web data (including other applications) on separate partitions, and preferably do not use the default directory when installing, for example change \Winnt to another directory. Explanation: a hacker may gain control of the operating system through a web site vulnerability, causing greater damage.
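As an added illustration of the three rules above (permissions accumulate across groups, Deny is applied first, and a file's own permissions beat its folder's), here is a small Python model of how effective rights are resolved. It is example code written for this page, not from the original article; the user names, group memberships and ACLs are constructed.

```python
from dataclasses import dataclass

# The six NTFS rights named in the article; "full" stands for Full Control.
RIGHTS = frozenset({"read", "write", "execute", "modify", "list", "full"})


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which rights, and allow or deny."""
    principal: str
    rights: frozenset
    deny: bool = False


def effective_rights(principals, acl):
    """Resolve one ACL for a user plus all of the user's groups.

    Rule 1>: allows from every matching entry accumulate.
    Rule 2>: any matching Deny removes those rights whatever else allows them.
    """
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal not in principals:
            continue
        rights = set(RIGHTS) if "full" in ace.rights else set(ace.rights)
        (denied if ace.deny else allowed).update(rights)
    return allowed - denied


def resolve(user, groups, path, acls):
    """Find the ACL that governs `path` and resolve it for `user`.

    Rule 3>: an ACL set directly on the file wins over the folder's ACL, so the
    most specific path that has its own ACL is used. This models only the rules
    the article states, not the full NTFS inheritance algorithm.
    """
    principals = {user, "Everyone", *groups.get(user, ())}
    parts = path.split("\\")
    for depth in range(len(parts), 0, -1):
        candidate = "\\".join(parts[:depth])
        if candidate in acls:
            return effective_rights(principals, acls[candidate])
    return set()


# Constructed sample data: group memberships and ACLs on a few paths.
GROUPS = {
    "webuser": {"Users", "WebUsers"},
    "alice": {"Administrators"},
}

ACLS = {
    # The default the article warns about: Everyone has Full Control.
    "D:\\inetpub": [Ace("Everyone", frozenset({"full"}))],
    # A hardened tree: Administrators and SYSTEM only, ordinary users read/execute.
    "D:\\hardened": [
        Ace("Administrators", frozenset({"full"})),
        Ace("SYSTEM", frozenset({"full"})),
        Ace("Users", frozenset({"read", "execute"})),
    ],
    # An upload folder: web users may write, but are explicitly denied execute
    # so nothing placed there can be run even though Users allows execute.
    "D:\\hardened\\upload": [
        Ace("Users", frozenset({"read", "execute"})),
        Ace("WebUsers", frozenset({"write"})),
        Ace("WebUsers", frozenset({"execute"}), deny=True),
    ],
    # A file-level ACL that is tighter than its folder's.
    "D:\\hardened\\upload\\readme.txt": [Ace("Users", frozenset({"read"}))],
}


if __name__ == "__main__":
    for user, path in [
        ("webuser", "D:\\inetpub\\default.asp"),
        ("webuser", "D:\\hardened\\upload\\shell.asp"),
        ("webuser", "D:\\hardened\\upload\\readme.txt"),
        ("alice", "D:\\hardened\\site.asp"),
    ]:
        print(user, path, sorted(resolve(user, GROUPS, path, ACLS)))
```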
At the same time, if you use IIS, delete all useless mappings in its settings, do not install the Indexing Service, and preferably do not install remote site administration or the server extensions either. Then delete the WWW directory under the default path, the whole thing, without any mercy, and create a folder on another hard disk to store your web site; and remember to enable the W3C log, remember that (although I suggest using Apache 1.3.24). The system installation must follow the principle of least services: do not select useless services, so that the system is installed with the minimum set. One more service is one more risk, heh, so do not install useless components!

9. About patches: (1) Under NT, if a patch has been installed and you then install a new Windows program from the NT CD, you must reinstall the patch; this is not necessary under 2000. Vulnerabilities in an old patch version pose a threat to the system, and this is something some administrators neglect. (2) Installing NT SP5 or SP6 carries a potential threat: once the system crashes and NT has to be reinstalled, the installer will not recognize the NTFS partitions, because Microsoft improved NTFS in these two patches. The NTFS partitions can only be recognized through the Windows 2000 installation process, which causes a lot of trouble, so it is recommended to back up your data. (3) Before installing a Service Pack, install it on a test machine first to avoid a crash caused by some exception, and make a data backup as well.
Try not to install software that has nothing to do with the web site service.

Method (disabling NetBIOS): NT: Control Panel - Network - Bindings - NetBIOS Interface - Disable. 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP.

11. Delete all network shares, remove File and Printer Sharing from the network connection and leave only the TCP/IP protocol: NT and 2000 have many network shares by default, which are useful for network management and communication on a LAN but are an equally large security hazard on a web server. (Uninstall "File and Printer Sharing for Microsoft Networks": this option is displayed when you view the properties of any connection in Network and Dial-up Connections. Click the "Uninstall" button to delete the component; just clearing the "File and Printer Sharing for Microsoft Networks" checkbox will not work.) Method: (1) NT: Administrative Tools - Server Manager - Shared Directories - Stop Sharing; 2000: Control Panel - Administrative Tools - Computer Management - Shared Folders - Stop Sharing. But these two methods are too troublesome: the shares still exist after every restart and the administrator has to delete them by hand each time. (2) Modify the registry: run regedit and add a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters: name AutoShareServer, type REG_DWORD, value 0.

12.
Reset the NTFS security permissions. Explanation: by default all files under NTFS give Everyone Full Control, which lets a hacker add, delete and execute files at will. It is recommended to give ordinary users only Read, and to give Full Control only to Administrators and SYSTEM. This may stop some normal scripts from executing or some operations that need write access from working; in that case change the permissions on the folders containing those files. It is recommended to test on a test machine before making the change, and then change things carefully.

Data backup: many administrators do poorly here; either the backup is incomplete or it is not timely. Data backups need careful planning: develop a strategy, put it through testing, and keep adjusting the backup plan as the web site is updated.

Uninstall IPX/SPX: it is an obsolete protocol with no use on a web site, but it is used by some hacker tools.
Do not enable IP forwarding (NT): by default NT's IP forwarding function is disabled; take care not to enable it, otherwise the machine acts as a router and can be used by hackers to attack other servers.

It is also a frequent target of hacker attacks; to prevent vulnerabilities of the previous version from being carried over into the upgraded version, it is recommended to uninstall it and then install the latest version. Note: it is best to test before installing the latest version, because some data access methods may no longer be supported by the new version; in that case the vulnerability can be handled by modifying the registry, see the vulnerability test document.

Prohibit anonymous access to the FTP service; this greatly improves security. Explanation: if anonymous access to the FTP service is allowed, the anonymous account can be used to obtain more information and so harm the system.

Enable logging (preferably not in the default directory: it is recommended to change the log path and to set access permissions on the logs so that only Administrators and SYSTEM have Full Control). Explanation: as an important measure, logging lets you discover signs of attack, take precautions, and keep evidence of the attack.

Give the directory holding .asp files Script permission only, not Execute permission. Explanation: directory access must be set carefully, otherwise it will be exploited by hackers.

Most web sites' ASP programs currently have security vulnerabilities of this kind, but if you pay attention when writing them you can still avoid them. It is best to encapsulate the username and password so that they appear as little as possible in the ASP files, and the account used for the database connection should have the minimum permissions. So minimize the number of times the username and password appear in the ASP files; they can be written in one place, in a comparatively hidden include file.
Where a database connection is involved, give the account only permission to execute stored procedures; do not directly give the user permission to modify, insert or delete records. ASP pages should verify where the request came from by tracking the file name of the previous page, so that only a session coming from the previous page can read this page.
For the specific vulnerabilities, see the published documents.

Prevent the leakage of ASP home page .inc files: while an ASP home page is still being debugged before completion, it can be picked up as a search object by a search engine; if someone then uses the search engine to look for the page, they obtain the location of the file, can see the details of the database location and structure in the browser, and the complete source code is revealed. Solution: programmers should debug completely before publishing the page, and security specialists need to fix the ASP include files so that users cannot see them. First, encrypt the contents of the .inc file; second, use .asp files instead of .inc files, since an .inc file lets the user view its source code directly from the browser. Do not give .inc files the system default name or a name with a special meaning, which is easily guessed; use irregular English letters. Note that some ASP editors automatically back up ASP files, and those backups can be downloaded: with such editing tools, when you create or modify an ASP file the editor automatically creates a backup file. UltraEdit, for example, backs up to a .bak file: if you create or modify some.asp, the editor automatically generates some.asp.bak, and if you do not delete this .bak file, an attacker can download some.asp.bak and so obtain the source of some.asp. In ASP programs that handle input boxes, such as message boards and BBS, it is best to block HTML, JavaScript and VBScript statements; if there is no special requirement, restrict input to letters and numbers only and block special characters. At the same time, limit the length of the input. Moreover, do the validity check not only on the client but also in the server-side program.
Explanation: input boxes are a target that hackers exploit; by entering scripting languages they can damage users' clients, and if the input box involves a database query, they use specially crafted query input to obtain more database data, even whole tables. The input box must therefore be filtered. If the check is only done on the client, though, it can still be bypassed, so it must be checked again on the server side.

Prevent the Access MDB database from being downloaded: when you use Access as the back-end database, if someone knows or guesses the path and name of the Access database on the server, he can download that Access database file, which is very dangerous. Solution: (1) Give your database file a complex, unconventional name and put it several directories deep. "Unconventional" means, for example, that if a database stores information about books, do not name it book.mdb; give it a weird name such as d34ksfslf.mdb, and put it in a directory several levels deep such as ./kdslf/i44/studi/, so that a hacker who wants to get your Access database file by guessing has a hard time. (2) Do not write the database name in the program.
Some people like to write the DSN in the program, for example:

DBPath = Server.MapPath("cmddb.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath

If your source program gets into someone's hands, your Access database is laid bare. It is therefore recommended to set up a data source in ODBC and then write in the program:

conn.Open "shujiyuan"

Use Access to encode and encrypt the database file. First select Tools -> Security -> Encrypt/Decrypt Database, select the database (for example employer.mdb), click OK, and in the "Save Database As" window that appears save it as employer1.mdb. employer.mdb is then encoded and saved as employer1.mdb. The purpose of encoding is to prevent others from viewing the contents of the database file with other tools. Next encrypt the database: open the encoded employer1.mdb, choosing "Exclusive" mode when opening. Then select Tools -> Security -> Set Database Password and enter the password. Now even if someone gets hold of employer1.mdb, without the password he cannot see its contents.

13. SQL Server security: update patches promptly. Explanation: many SQL Server vulnerabilities are fixed by patches. It is recommended to test on a test machine before installing a patch and to back up the target server's data in advance. Unfortunately, some people pay attention only to writing SQL statements and are unfamiliar with administering the SQL Server database, which easily leads to the sa password being left empty; this is a serious threat to database security, and a small number of sites currently have this hidden danger. Strictly control the permissions of database users: do not casually give users direct query, update, insert or delete permissions; let them access data through views, and grant only permission to execute stored procedures. Develop a complete database backup and recovery strategy.
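To catch the .inc, .bak and .mdb exposures discussed above before a site is published, here is an added Python check (not from the original article) that walks a web root for those files and for ASP source that hard-codes an Access path with the dbq= driver string instead of an ODBC DSN. The sample web root it builds in a temporary directory is constructed.

```python
import shutil
import tempfile
from pathlib import Path

# Files the article says should never sit in a published web root, and why.
RISKY_SUFFIXES = {
    ".bak": "editor backup exposes ASP source",
    ".inc": "include file is served as plain text",
    ".mdb": "Access database can be downloaded",
}

# Script types whose text is checked for a hard-coded Access path.
SOURCE_SUFFIXES = {".asp", ".asa"}


def scan_webroot(root):
    """Walk the web root and return sorted (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()        # Some.asp.BAK is still a backup
        if suffix in RISKY_SUFFIXES:
            findings.append((rel, RISKY_SUFFIXES[suffix]))
        elif suffix in SOURCE_SUFFIXES:
            text = path.read_text(errors="ignore").lower()
            # "dbq=" together with ".mdb" is the driver-string pattern shown
            # above; a DSN name such as conn.Open "shujiyuan" is not flagged.
            if "dbq=" in text and ".mdb" in text:
                findings.append((rel, "hard-coded Access database path in source"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    samples = {
        "default.asp": 'conn.Open "shujiyuan"',                 # DSN only: fine
        "conn.asp": ('DBPath = Server.MapPath("db/book.mdb")\n'
                     'conn.Open "driver={Microsoft Access Driver (*.mdb)};'
                     'dbq=" & DBPath'),                          # hard-coded path
        "some.asp": '<% Response.Write "hello" %>',
        "Some.asp.bak": '<% Response.Write "hello" %>',          # editor backup
        "conn.inc": '<% Const DSN = "shujiyuan" %>',             # include file
        "db/book.mdb": "binary placeholder",                     # downloadable
        "img/logo.gif": "binary placeholder",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def remove_sample_webroot(root):
    """Delete the constructed sample web root."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for rel, reason in scan_webroot(sample):
            print(f"{rel}: {reason}")
    finally:
        remove_sample_webroot(sample)
```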
14. pcAnywhere security: pcAnywhere is currently the most popular remote control tool for NT and 2000, and it needs security attention too. It is recommended to use a separate username and password, preferably with encryption. Do not use the same username and password as the NT administrator, and do not use NT-integrated authentication.
At the same time, use the strong encryption mode under Security Options and refuse low encryption levels; encrypt the username and password, and limit the number of connection attempts. Another important point is to set a high-strength password under Protect Item, and restrict every setting so that the Host end cannot be viewed: even to look at the host's settings the password must be entered! Otherwise, once it is broken into, there is no security left. And if you use a separate password, then even if pcAnywhere is broken, NT still has its own password barrier. Install newer versions promptly.

2. Intermediate: IIS security and performance tuning

In fact, security and the application are often in conflict, so you need to find a balance; after all, the server exists to serve users, not to sit there hardened against hackers. If a security principle hinders the use of the system, it is not a good principle. Network security is systems engineering: it spans not only space but also time. Many friends (including some system administrators) believe that a host that has been securely configured is safe. In fact this is a misunderstanding: we can only say that a host is safe within a certain network structure at a certain moment. As the network structure changes, new vulnerabilities are discovered and administrators or users make changes, the host's security situation changes constantly; only security awareness together with a security system achieves real security.

Eight ways to improve the performance of an IIS 5.0 web server

The following are eight ways to improve the performance of an IIS 5.0 web site server:
1. HTTP keep-alives can improve execution efficiency by 15 to 20%.
2. Not enabling logging can improve execution efficiency by 5 to 8%.
3. Using an "isolated" process loses 20% of execution efficiency.
4.
Increase the number of files cached in memory to improve Active Server Pages efficiency.
5. Do not use CGI programs.
6. Increase the number of CPUs in the IIS 5.0 computer.
7. Do not enable ASP debugging.
8. Use HTTP compression for static web pages, which reduces the amount transferred by about 20%.

Brief descriptions follow.

1. HTTP keep-alives: when HTTP keep-alives are enabled, the connection between IIS and the browser is not dropped after each request but kept until the browser closes, which improves execution efficiency. Because in the Keep-Alive state a new connection does not have to be re-established for every client request, the server's efficiency improves. This feature is the default in HTTP/1.1, and HTTP/1.0 with a Keep-Alive header provides the same function. Enabling HTTP keep-alives improves execution efficiency by 15 to 20%. How to enable them? In Internet Services Manager, select the whole IIS computer or the web site, and on the Home Directory page of Properties check the "HTTP Keep-Alives Enabled" option.

2. Do not enable logging: not enabling logging improves execution efficiency by 5 to 8%. How to disable logging? In Internet Services Manager, select the whole IIS computer or the web site, and on the Web Site page of Properties clear the "Enable Logging" option.
3. Set a non-isolated process: using an "isolated" process loses 20% of execution efficiency. "Isolated" means that the Application Protection option on the Home Directory or Virtual Directory page is set to High (Isolated). So set Application Protection to Low (IIS Process). How to set a non-isolated process? In Internet Services Manager, select the whole IIS computer, the web site, or the starting directory of the application, and on the Home Directory or Virtual Directory page of Properties set the Application Protection option to Low (IIS Process).

4. Adjust the cache: IIS 5.0 keeps static web page information in a memory cache, whereas IIS 4.0 keeps it in files. Adjusting the number of files the cache holds improves execution efficiency. After an ASP script file has been executed it is kept in a memory cache to improve performance, so increasing the number of files kept in memory improves Active Server Pages efficiency. You can set the number of cached script files for the whole IIS computer, for an "isolated" web site or for an "isolated" application. How to set the script cache? In Internet Services Manager select the whole IIS computer, an "isolated" web site or an "isolated" application; on the Home Directory or Virtual Directory page of Properties press the Configuration button, and you can set the Script Engine Cache. How to set the number of cached files? In Internet Services Manager select the whole IIS computer or the starting directory of the web site, press the Settings button on the Server Extensions page of Properties, and you can set the number of cached files.

5.
Do not use CGI programs: CGI programs perform poorly because a process must be created and destroyed for each request. Roughly, execution efficiency compares as follows: static web page: 100; ISAPI: 50; ASP: 10; CGI: 1. In other words, ASP may be 10 times faster than CGI, so not using CGI programs improves IIS execution efficiency. In terms of flexibility: ASP > CGI > ISAPI > static web page.
In terms of security: ISAPI (isolated) = CGI > ASP (in-process) = ISAPI (in-process) = static pages. (CGI and isolated ISAPI run in a separate process, so a fault or compromise is contained; in-process code runs inside the IIS process itself, as noted above.)

6. Increasing the number of CPUs in an IIS 5.0 computer. According to Microsoft's test reports, adding CPUs to an IIS 4.0 computer does not improve execution efficiency, whereas IIS 5.0 scales almost linearly: a two-CPU IIS 5.0 computer performs almost twice as well as a single-CPU one, and a four-CPU computer almost four times as well.

7. ASP debugging. Leave ASP debugging disabled to improve execution efficiency. In [Internet Services Manager] select the web site or the application's start directory, right-click and choose [Properties]; on the [Home Directory], [Virtual Directory] or [Directory] page click [Configuration], open the [App Debugging] page, and make sure [Enable ASP server-side script debugging] and [Enable ASP client-side script debugging] are unchecked. The same page chooses what an ASP error sends to the browser: pick the plain text message rather than detailed ASP error messages, so that script paths and line numbers are not handed to whoever triggers the error.

8. HTTP compression for static pages. Compressing static pages with HTTP compression reduces the amount transferred by roughly 20%. HTTP compression is enabled or disabled for the entire IIS server, and a client using IE 5.0 or later negotiates it when connecting to an IIS 5.0 server that has it enabled. To enable it, in [Internet Services Manager] open the server's [Properties], select [WWW Service] under [Master Properties],
then click [Edit]. On the [Service] page check [Compress static files] and leave [Compress application files] unchecked. Dynamically generated content (application files) can be compressed too, but it costs extra CPU time; if % Processor Time is already at 80% or more, it is recommended not to compress at all, or to compress only static files.

The above are the settings for IIS as a web server that get the most out of it. Personally, though, if nothing stands in the way, I would use Apache, and specifically Apache 1.3.24, because recent tests showed an overflow vulnerability in versions before 1.3.23; nothing to be afraid of, such vulnerabilities are rare. Personally I also never regard ASP as secure; PHP is good, with good security and plenty of power and well worth it, though it too has had its share of holes.

2. IIS security tools and their use

First, IIS Lock Tool: quickly setting IIS security attributes. The tool owes its release to Code Red: it was Code Red's large-scale spread that made Microsoft design and release this tool to help administrators secure IIS.
(1) Features of IIS Lock Tool
1. Its basic function is to help administrators secure IIS.
2. It can be used on IIS 4 and IIS 5.
3. Even if the system has not had all patches applied in time, it effectively blocks the known vulnerabilities of IIS 4 and IIS 5.
4. It helps administrators remove services the site does not need, so that IIS runs with the fewest services that still satisfy the site.
5. It has two modes: Express and Advanced. Express mode applies the security settings directly; it is only suitable for sites consisting solely of static .htm and .html pages, because ASP no longer runs after it has been applied. Advanced mode lets the administrator choose each property, and when set properly it does not impair any function the site needs.
(2) Using IIS Lock Tool
1. Download and installation. IIS Lock Tool is downloaded from the Microsoft web site at http://www.microsoft.com/downloads/...releaseId=32362. Installation is straightforward; note that after installation the program appears neither in the [Programs] menu nor in [Administrative Tools], so it has to be started from its installation directory.
2. Using the software. In the walkthrough below each step is explained together with the recommended setting and the reason for it, so that the meaning of each setting is understood and the result stays consistent with the security settings made earlier, rather than leaving the system broken once the tool finishes.
When the program runs, the first screen (Figure 1) introduces IIS Lock Tool and the points to keep in mind: 1) choose the minimum set of services the site needs and remove the rest; 2) after the settings are applied, test the site thoroughly to confirm the settings suit it. Click [Next] to reach the mode selection screen (Figure 2), which explains the difference between the two modes. Express Lockdown turns off IIS's advanced service features, including dynamic pages (ASP); we repeat that it is only suitable for sites that serve static pages, and within that limit it is the safer choice. Advanced Lockdown lets the installer customise each property while keeping the advanced features running. Express mode needs no further explanation: click [Next] and the settings are applied.
Choose [Advanced Lockdown] and click [Next] to reach the script mapping screen (Figure 3). It lets the administrator set each script map; here is how each should be treated.
1) Disable support for Active Server Pages (ASP). Selecting this makes IIS stop serving ASP. Choose it according to the site: most sites need to run ASP programs.
2) Disable support for Index Server Web Interface (.idq, .htw, .ida). Selecting this removes the Index Server web interface, that is, the .idq, .htw and .ida mappings. Index Server is the content indexing engine included with IIS 4; it can be called through ADO to search the site and gives you a good site search engine. If the site does not use Index Server for searching, cancel the feature: it reduces the load on the system, and it shuts out viruses and attackers that use Index Server vulnerabilities, since flaws in the Index Server ISAPI can let an attacker take control of the web server or reveal the physical location of web files on the server (via .ida and .idq; the Code Red request shown in the URLScan section below targets exactly this .ida mapping). We therefore generally recommend ticking this item, which cancels the Index Server interface.
3) Disable support for Server Side Includes (.shtml, .shtm, .stm). First, what server side includes are: SSI directives are placed in an HTML file as comments and evaluated by the server. They are powerful: a single SSI command can update content across the whole site, display the time and date dynamically, and even execute shell commands and CGI scripts.
In general this feature is not used, so it is recommended to cancel it and remove a potential IIS vulnerability.
4) Disable support for Internet Data Connector (.idc). This cancels the Internet Database Connector, which lets HTML pages connect to a back-end database to produce dynamic pages.
Note that sites on IIS 4 and IIS 5 no longer use IDC (ASP with ADO replaced it), so it is recommended to cancel it.
5) Disable support for Internet Printing (.printer). This feature is generally not used and should be cancelled; doing so avoids the .printer ISAPI remote buffer overflow, which lets an attacker break into an IIS server remotely and execute arbitrary commands as SYSTEM.
6) Disable support for .htr scripting (.htr). This cancels the .htr mapping; by constructing a special URL request through .htr, an attacker can obtain the source of some files (including ASP), so cancelling this mapping is recommended.
Having understood these settings, we decide according to the site. Apart from ASP, everything can be cancelled: leave the first item unticked and tick all the others, then click [Next] to reach the next screen (Figure 4), which lets the administrator remove some of the files IIS installs by default.
1) Remove sample web files. Recommended: these files are not needed on the server, and some of them let an attacker read web page source (including ASP).
2) Remove the Scripts virtual directory. Recommended.
3) Remove the MSADC virtual directory (Remote Data Services). Recommended.
4) Disable Distributed Authoring and Versioning (WebDAV). WebDAV mainly lets administrators write and modify pages remotely and is generally not used; removing it is recommended, and it avoids an IIS 5 WebDAV vulnerability that can stop the server.
5) Set file permissions to prevent the IIS anonymous user from executing system utilities (such as cmd.exe, tftp.exe). Recommended: Code Red and Nimda used exactly these utilities through the anonymous account.
6) Set file permissions to prevent the IIS anonymous user from writing to content directories. This needs no explanation; recommended.
After setting these options, click [Next]; the next screen (Figure 5) asks you to confirm the settings. Choose [Yes] and the tool starts applying them (Figure 6), showing the detailed IIS settings it makes. When it finishes, restarting IIS is recommended.
Second, URLScan: filtering illegal URL requests. Looking carefully at IIS vulnerabilities, we can almost conclude that every attack that exploits them does so by constructing a special URL to request from the site. Generally the following kinds of URL are exploitable:
1. Unusually long URLs, such as the Code Red attack request:
GET /default.idaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u00%u00=a 200
2. URLs containing special characters or strings: for example, appending ::$DATA to a page URL reveals the page's (ASP) source.
3. URLs containing the name of an executable, most commonly cmd.exe.
Since these attacks are all carried out through special URLs, Microsoft provides a security tool that filters illegal URLs, which keeps such requests out before they reach the vulnerable code. The tool has the following features:
1. Basic function: filtering illegal URL requests.
2.
Rule setting: rules define which URL requests are legal, so a request policy tailored to the site can be built; when a new vulnerability appears, the rules can be changed to defend against it.
3. It ships with a configuration based on known exploitation techniques, which helps the administrator write the rules.
(1) Download and installation. URLScan can be downloaded from Microsoft's web site at http://download.microsoft.com/downl...- US / urlscan.exe. It installs like ordinary software, except that the installation path cannot be chosen; after installation the following files are found under System32\inetsrv\urlscan: urlscan.dll, the ISAPI filter itself; urlscan.inf, the installation information file; urlscan.txt, the documentation; and urlscan.ini, the configuration file. All URLScan configuration is done in this one file.
(2) Configuration. The software is configured entirely through urlscan.ini; some basics must be known before editing it.
1. Structure of the URLScan configuration file. The file must obey the following rules: (1) it must be named urlscan.ini; (2) it must be in the same directory as urlscan.dll; (3) it must be a standard INI file, made of sections, keys and values; (4) after the file is changed, IIS must be restarted for the configuration to take effect. The file consists of the following sections:
[Options], the main settings section;
[AllowVerbs], where the HTTP verbs to treat as legal are listed; whether it is used depends on [Options];
[DenyVerbs], where the verbs to treat as illegal are listed; whether it is used depends on [Options];
[DenyHeaders], where request headers to reject are listed;
[AllowExtensions], where the file extensions to treat as legal are listed; whether it is used depends on [Options];
[DenyExtensions], where the file extensions to treat as illegal are listed; whether it is used depends on [Options].
2. Configuration.
(1) The [Options] section. Because its settings decide how the other sections are applied, this section matters most.
The main keys in this section are:
UseAllowVerbs: use allow-list mode for HTTP verbs. If 1, every request whose verb is not listed in [AllowVerbs] is rejected; if 0, every request whose verb is not listed in [DenyVerbs] is allowed. Default 1.
UseAllowExtensions: use allow-list mode for file extensions. If 1, every extension not listed in [AllowExtensions] is rejected; if 0, every extension not listed in [DenyExtensions] is allowed. Default 0.
EnableLogging: if 1, URLScan writes a urlscan.log in its own directory recording everything it filters.
AllowLateScanning: whether other ISAPI filters may run before URLScan. Default 0 (not allowed), so URLScan sees the URL first.
AlternateServerName: if this key is present and RemoveServerHeader is 0, IIS sends the string given here as the "Server" response header instead of its own.
NormalizeUrlBeforeScan: if 1, URLScan scans the URL after IIS has decoded and normalised it; only administrators very familiar with URL parsing should set this to 0. Default 1.
VerifyNormalization: if 1, URLScan checks that normalising the URL a second time gives the same result, which catches double-encoding tricks. Default 1. It relates to NormalizeUrlBeforeScan.
AllowHighBitCharacters: if 1, any byte value is allowed in the URL; if 0, URLs containing non-ASCII characters are rejected. Default 1.
AllowDotInPath: if 0, any request whose path contains a dot other than in the final extension (for example /dir.name/file.htm) is rejected; if 1 such requests are allowed. Because the check runs before IIS has parsed the URL, it is not precise. Default 0.
RemoveServerHeader: if 1, the "Server" header is removed from all responses. Default 0.
(2) The [AllowVerbs] section. If UseAllowVerbs is 1, every verb listed here is allowed and all others rejected. Usually: GET, HEAD, POST.
(3) The [DenyVerbs] section. If UseAllowVerbs is 0, every verb listed here is rejected. Usually the WebDAV verbs: PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK.
(4) The [AllowExtensions] section. Every extension listed here is allowed to be requested. Usually: .htm, .html, .txt, .jpg, .jpeg, .gif; if the site offers file downloads add .rar and .zip, and if it runs ASP (as most do, see the IIS Lock Tool section above) .asp must be listed as well, or every ASP request is rejected once UseAllowExtensions is 1.
(5) The [DenyExtensions] section. Every extension listed here is rejected; entries are added according to the vulnerabilities that have been discovered.
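As an added example (not the article's own file), here is a complete urlscan.ini assembled from the sections just described, for a site that serves static pages and ASP. It goes beyond the text in two places, both marked in the comments: [DenyUrlSequences], the URLScan section that catches the ::$DATA and "..\" style requests listed at the start of this part, and [RequestLimits], available in URLScan 2.5 and later, which caps request length so that an oversized URL like Code Red's is rejected before IIS maps it to any extension.

```ini
; Added example, not the article's own file. A urlscan.ini built from the
; settings discussed above, for a site serving static pages plus ASP.
; Save it as urlscan.ini next to urlscan.dll (System32\inetsrv\urlscan) and
; restart IIS (iisreset) so the filter reloads it.
; Lines starting with ";" are comments; URLScan reads one key or entry per line.

[Options]
; Allow-list mode for verbs and extensions: anything not listed is rejected.
UseAllowVerbs=1
UseAllowExtensions=1
; Scan the decoded URL, and reject URLs that change when decoded a second time
; (double encoding, e.g. %255c for "\").
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; No non-ASCII bytes in URLs, and dots only in the final extension.
AllowHighBitCharacters=0
AllowDotInPath=0
; Drop the Server: header entirely. AlternateServerName is only consulted when
; RemoveServerHeader=0, so it is left commented out here.
RemoveServerHeader=1
;AlternateServerName=Apache
; URLScan runs before any other filter and logs every rejection to urlscan.log
; in its own directory.
AllowLateScanning=0
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
; Not consulted while UseAllowVerbs=1; kept so a switch to deny mode stays safe.
; These are the WebDAV verbs.
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

[DenyHeaders]
; Request headers used by WebDAV clients.
Translate:
If:
Lock-Token:

[AllowExtensions]
; The special entry "." allows URLs with no extension, such as "/" for the
; default document.
.
.htm
.html
.txt
.jpg
.jpeg
.gif
; Remove .asp on a static-only site; add .zip / .rar only if downloads are offered.
.asp

[DenyExtensions]
; Not consulted while UseAllowExtensions=1; kept for deny mode. Executables,
; batch files, logs, .asa, and the script maps IIS Lock Tool removed above.
.asa
.exe
.bat
.cmd
.com
.log
.shtml
.shtm
.stm
.printer
.htr
.idc
.ida
.idq
.htw

[DenyUrlSequences]
; Not covered in the article: substrings rejected anywhere in the URL.
; ".." and "./" stop directory traversal, "\" stops backslash variants,
; ":" stops alternate data streams such as ::$DATA, "%" catches encoded
; characters that survive normalization, "&" stops chained requests.
..
./
\
:
%
&

[RequestLimits]
; Not covered in the article; URLScan 2.5 or later. A 260-byte limit rejects
; the Code Red style request shown above before IIS maps it to an extension.
MaxUrl=260
MaxQueryString=2048
MaxAllowedContentLength=30000000
```

After loading it, request a few URLs the site must serve (the default document, an ASP page with a query string, an image) and a few it must not (/scripts/..%255c../winnt/system32/cmd.exe, /default.asp::$DATA) and confirm from urlscan.log that only the second group is rejected; a legitimate URL turning up in the log usually means a missing [AllowExtensions] entry.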
Typical entries for [DenyExtensions] are .asa, executables (.exe, .com, .bat, .cmd), log files (.log) and rarely used extensions such as .shtml and .printer.

Third, summary. Used together, the two tools above give IIS genuine protection. IIS Lock Tool is simple to use but is, comparatively, only passive defence; URLScan is harder to configure and is recommended for administrators who know IIS well, but it is far more powerful. When using URLScan, do not be over-ambitious in the first configuration; what matters is to keep track of new vulnerabilities and update the URLScan configuration accordingly.

3. Advanced security settings for NT/2000

1. Disable null sessions and stop anonymous users listing account names. A default Windows 2000 installation lets any user obtain the full list of accounts and shares through a null session (an anonymous connection). This was meant to make file sharing convenient on a LAN, but a remote user can also obtain your user list and brute-force the passwords. Many people know that null sessions over port 139 can be restricted by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1. The same option exists in the Windows 2000 Local Security Policy (on a domain controller, in the domain controller security policy and the domain security policy) as "Additional restrictions for anonymous connections", with three values:
0: None. Rely on default permissions.
1: Do not allow enumeration of SAM accounts and shares.
2: No access without explicit anonymous permissions.
0 is the system default and imposes no restriction: a remote user can learn all the accounts on the machine, group information, shared directories and the network transport list (NetServerTransportEnum and the like), which is very dangerous for a server. 1 allows only authenticated (non-null) users to read SAM account and share information.
2 is new in Windows 2000 and must be used with care: with it, your shares will probably stop working altogether, so 1 is the better setting. With this, intruders have no easy way to obtain our user list and our accounts are safer. One caveat: on Windows 2000, RestrictAnonymous = 1 still lets a null session translate SIDs to names, so tools that walk the SID space can still recover account names; only 2 closes that, with the side effects described.

2. Hide the name of the last user who logged on. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set DontDisplayLastUserName to 1 and the logon dialog no longer fills in the last user name automatically. The same setting is available in the Windows 2000 Local Security Policy. On Windows NT 4.0, add the value DontDisplayLastUserName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set it to 1.
2. Preventing DoS attacks. Changing the following values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters helps defend against DoS attacks of a certain intensity:
SynAttackProtect REG_DWORD 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300000
PerformRouterDiscovery REG_DWORD 0
EnableICMPRedirect REG_DWORD 0
(EnablePMTUDiscovery = 0 makes the stack use a 576-byte MTU for hosts off the local subnet instead of discovering the path MTU, which removes one fragmentation-based attack surface at some cost in throughput.)

3. Turning off ICMP (ping) in Windows 2000, and ICMP attacks. ICMP is the Internet Control Message Protocol, used to carry error and control information; the well-known ping and tracert tools are built on its Echo Request messages (request: ICMP Echo, type 8, code 0; reply: ICMP Echo Reply, type 0).
ICMP is connectionless: as soon as the sender has built an ICMP packet and handed it to a router, the packet finds its way to the destination address like a letter in the post. That makes ICMP very flexible, but it also brings a fatal defect: it is easy to forge, just like the sender's address on an envelope. Anyone can forge an ICMP packet and send it; using raw sockets (SOCK_RAW) a program can rewrite the ICMP header and the IP header directly, so the source address is faked and the destination has no way to trace it (an attacker who cannot be caught is hardly going to hold back). On this principle a lot of ICMP-based attack software exists: ICMP storms that exploit the network's architecture, oversized packets that choke the network, ICMP fragment attacks that consume server CPU, and even ICMP used as the covert channel for a Trojan that opens no TCP or UDP port at all (see "Unveiling the Trojan's Mystery", part three). Since ICMP is this dangerous, why not turn it off?

We all know Windows 2000 has TCP/IP filtering in the network properties; let us first see whether ICMP can be turned off there. Right-click [My Network Places] on the desktop -> [Properties] -> right-click the network card to configure -> [Properties] -> [TCP/IP] -> [Advanced] -> [Options] -> [TCP/IP Filtering]. There are three filters: TCP ports, UDP ports and IP protocols. Enable TCP/IP filtering and configure them one by one. First the TCP ports: click [Permit Only] and add the ports that must be open; in general a web server needs only 80 (WWW), an FTP server 20 (FTP data) and 21 (FTP control), a mail server 25 (SMTP) and 110 (POP3), and so on.
Then UDP. Like ICMP, UDP is connectionless and therefore easy to forge, so unless it is required (for example to provide DNS, which runs over UDP) choose [Permit Only] with an empty list to avoid flood and fragment attacks. The rightmost box defines the IP protocol filter: choose [Permit Only] and add 6 (6 is the TCP protocol number in the IP header, IPPROTO_TCP = 6). In principle permitting only TCP should mean that neither UDP nor ICMP passes, but unfortunately this IP protocol filter takes a narrow view of "IP protocol": architecturally ICMP and IGMP are carried inside IP, but in the seven-layer model they sit at the same layer as IP, so Microsoft's IP protocol filter here does not cover ICMP. Even with "permit only TCP" set, ICMP packets still get through. If we need to filter ICMP we must look elsewhere. Right next to TCP/IP filtering there is another option, IP Security (IPSec), and that is where our ICMP filtering idea ends up. Open [Local Security Policy], select [IP Security Policies on Local Machine], and define your own IP security policy there.
An IPSec rule consists of two parts: a filter list and a filter action. The filter list decides which packets the rule notices; the filter action decides whether matching packets are permitted or blocked. To build a new rule you create your own filter list and filter action. Right-click [IP Security Policies on Local Machine] and choose [Manage IP filter lists and filter actions]. On the filter list tab add a new list named ICMP_Any_In with one filter: source address Any IP Address, destination address My IP Address, protocol type ICMP. Switch to the filter actions tab and add an action named Deny whose type is Block. We now have a filter list that matches all inbound ICMP packets and an action that discards them. Note the Mirrored option in the address settings: if it is selected a symmetrical filter is created, so that when you match any IP -> my IP you also match my IP -> any IP; choose or drop it as you need. Then right-click [IP Security Policies on Local Machine], choose [Create IP Security Policy], name it ICMP Filter, and through the Add Filter Rule wizard assign the ICMP_Any_In filter list and the Deny action to it. Exit the wizard, right-click ICMP Filter and choose [Assign]: from now on ICMP packets from any address are discarded. Although IPSec can filter ICMP, it is clumsy, and an IPSec filter matches a whole protocol, so if you only want to drop specific ICMP types while keeping the common ones (destination unreachable, host unreachable, and in particular the "fragmentation needed" message that path MTU discovery depends on, without which connections to hosts behind a smaller MTU stall), an IPSec policy is not up to the job. For that kind of fine-grained filtering we can use another powerful tool, Routing and Remote Access.
Routing and Remote Access manages the routing table, configures VPNs, controls remote access and performs IP packet filtering. It is not enabled by default, so first enable it: open [Administrative Tools] -> [Routing and Remote Access], right-click the server (add this computer first if it is not listed) and choose [Configure and Enable Routing and Remote Access]. The wizard asks what kind of server to set up; if you do not need a VPN server choose [Manually configured server]. After configuration the [IP Routing] node appears. Under [General] select the network card to configure (with several cards you can turn ICMP off on just one), open the card's properties, click [Input Filters] and add the filter: from any, to any, protocol ICMP, type 8, code 0, action drop (type 8 code 0 is the ICMP_ECHO packet used by ping; to filter all ICMP packets set type and code to 255). The attentive reader will have noticed a [Fragmentation checking] option below the input and output filters; it deals with IP fragment attacks, which are beyond the scope of this article and which I will continue to discuss in the coming articles on denial of service attacks.
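As an added example (not part of the original article), the same inbound ICMP filter expressed for the Windows Firewall on later versions (Windows 8 / Server 2012 or newer, which ship the NetSecurity module), since the IPSec snap-in and RRAS walkthrough above are Windows 2000 specific. It blocks echo requests only and leaves the two ICMP message types that TCP relies on explicitly allowed, which is exactly the selective filtering the article says the IPSec policy cannot do. The rule names are my own; nothing here comes from Microsoft's defaults.

```powershell
# Added example, not part of the original article: the Windows Firewall
# equivalent (Windows 8 / Server 2012 or later, NetSecurity module) of the IPSec
# and RRAS ICMP filters described above. It drops inbound ICMPv4 echo requests
# (type 8, what ping sends) and explicitly keeps the two ICMP messages TCP relies
# on: destination unreachable (type 3, including code 4 "fragmentation needed",
# which path MTU discovery needs) and time exceeded (type 11). Run from an
# elevated PowerShell prompt. The rule names are my own choice.

$RulePrefix = 'Article-ICMP'

function Set-IcmpEchoFilter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not $PSCmdlet.ShouldProcess('Windows Firewall', "replace $RulePrefix-* rules")) { return }

    # Remove earlier copies so the function can be re-run without duplicating rules
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Keep the ICMP error messages that established TCP connections depend on.
    # Windows' built-in Core Networking rules normally allow these already; the
    # explicit rules make the intent visible and survive if those defaults are removed.
    New-NetFirewallRule -DisplayName "$RulePrefix-Allow-DestUnreachable" -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 3 -Action Allow -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$RulePrefix-Allow-TimeExceeded" -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 11 -Action Allow -Profile Any | Out-Null

    # Drop echo requests from any address. Block rules take precedence over allow
    # rules, so this is kept to type 8 only; no request means no reply to worry about.
    New-NetFirewallRule -DisplayName "$RulePrefix-Block-EchoRequest" -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Block -Profile Any -RemoteAddress Any | Out-Null
}

function Get-IcmpFilterState {
    # Lists the rules this script manages together with the ICMP type each one matches
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            IcmpType  = $port.IcmpType
            Enabled   = $_.Enabled
        }
    }
}

Set-IcmpEchoFilter -WhatIf          # dry run: shows which rules would be replaced
# Set-IcmpEchoFilter                # apply
# Get-IcmpFilterState | Format-Table -AutoSize
```

After applying it, ping from another host should time out while an existing TCP connection to the server keeps working even across a link with a smaller MTU; if you also want to hide the server from traceroute, note that traceroute relies on the type 11 replies the server sends, not receives, so an outbound rule would be needed and it would also stop your own diagnostics.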
Windows 2000 Routing and Remote Access is a very powerful toolset.

4. Change some Windows default values, for example the TTL of outgoing packets. Different systems use different default TTLs, and an experienced attacker can tell the operating system from the TTL in replies (Windows 2000 defaults to 128); change it to whatever you like. The value is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL, REG_DWORD, 0-0xFF (0-255 decimal, default 128). It specifies the default time-to-live written into IP packets; TTL is the maximum time a packet may survive in the network before reaching its target, in practice the number of routers a packet may pass before being discarded, and it is sometimes used to detect the remote host's operating system. Note that this hides only one fingerprint: other stack characteristics still identify the system, so treat it as a nuisance for casual scanners rather than protection.

5. Ignore ICMP redirect packets. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect, REG_DWORD, 0x0 (default 0x1). This parameter controls whether Windows 2000 alters its routing table in response to ICMP redirect messages sent by network devices such as routers; redirects are sometimes used for mischief, since a forged redirect can steer the server's traffic through an attacker's host. The Windows 2000 default of 1 means redirects are honoured.

6. Ignore ICMP router advertisement messages. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>\PerformRouterDiscovery, REG_DWORD, 0x0 (default 0x2). ICMP router discovery can be abused to disrupt other hosts' connectivity, eavesdrop on their traffic and use the machine in traffic attacks, with serious consequences; it has already caused network anomalies on campus networks, so it is recommended to turn off responses to router advertisements. The Windows 2000 default of 2 means router discovery is performed when the DHCP server sends the router discovery option.

7.
Preventing SYN flood attacks. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect, REG_DWORD, 0x2 (default 0x0). SYN attack protection reduces the number of SYN-ACK retransmissions, so that the resources allocated for a half-open connection are held for less time, and delays creating the route cache entry until the connection is established. With SynAttackProtect = 2, the connection indication to AFD (the Winsock driver) is also delayed until the three-way handshake completes. Note that the protection only engages once TcpMaxHalfOpen and TcpMaxHalfOpenRetried have been exceeded.

8. Disable the default C$, D$ administrative shares on Windows 2000 Server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer, REG_DWORD, 0x0.

9. The same on Windows 2000 Professional: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks, REG_DWORD, 0x0. (AutoShareServer applies to the Server editions and AutoShareWks to Professional; each one disables all the automatic administrative shares, C$, D$ and ADMIN$ alike, after the Server service is restarted. IPC$ is not affected.)

10. Restricting the IPC$ default share: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous, REG_DWORD, default 0x0; 0x1: anonymous users cannot enumerate the machine's user list; 0x2: anonymous users cannot connect to the IPC$ share at all. 2 is not recommended, because some of your services may then fail to start,
such as SQL Server.

11. IGMP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IGMPLevel, REG_DWORD, 0x0 (default 0x2). Recall the Windows 9x bug where IGMP packets could blue-screen another machine; this registry change works around it. Windows 2000 does not have the bug, but IGMP (multicast group membership) is unnecessary on a web server, so it can be turned off; once set to 0, the annoying 224.0.0.0 multicast route no longer appears.

12. ARP cache ageing. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpCacheLife, REG_DWORD, 0-0xFFFFFFFF (seconds, default 120), and ArpCacheMinReferencedLife, REG_DWORD, 0-0xFFFFFFFF (seconds, default 600). If ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, both referenced and unreferenced ARP cache entries expire after ArpCacheLife seconds. If ArpCacheLife is less than ArpCacheMinReferencedLife, unreferenced entries expire after ArpCacheLife seconds and referenced entries after ArpCacheMinReferencedLife seconds. An entry is referenced each time an outgoing packet is sent to its IP address.
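As an added example (not the article's script), the registry settings from items 1 and 2 of these advanced settings and from items 4 through 11 above, gathered into one PowerShell script that audits the current values and applies the recommended ones. Assumptions: Windows PowerShell 3.0 or later, an elevated prompt, and the article's values; DefaultTTL=64 is an arbitrary pick, since the article only says to change it from 128. RestrictAnonymous is set to 1, not 2, for the reasons given in item 1, and the Windows 2000 era values (IGMPLevel, DontDisplayLastUserName under Winlogon) are written exactly as the article gives them; later versions simply ignore them.

```powershell
# Added example, not the article's own script. Audits and applies the registry
# hardening from items 1-2 and 4-11 of this section. Assumptions: Windows
# PowerShell 3.0+, run from an elevated prompt, the article's values. DefaultTTL=64
# is an arbitrary choice (the article only says "change it from 128"); IGMPLevel and
# DontDisplayLastUserName under Winlogon are Windows 2000 era and are ignored later.

$Tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$Settings = @(
    @{ Path=$Lsa;      Name='RestrictAnonymous';       Type='DWord';  Value=1 }       # 1, not 2: 2 breaks shares and services such as SQL Server
    @{ Path=$Winlogon; Name='DontDisplayLastUserName'; Type='String'; Value='1' }     # REG_SZ on NT4/2000
    @{ Path=$Tcpip;    Name='SynAttackProtect';        Type='DWord';  Value=2 }
    @{ Path=$Tcpip;    Name='EnablePMTUDiscovery';     Type='DWord';  Value=0 }
    @{ Path=$Tcpip;    Name='NoNameReleaseOnDemand';   Type='DWord';  Value=1 }
    @{ Path=$Tcpip;    Name='EnableDeadGWDetect';      Type='DWord';  Value=0 }
    @{ Path=$Tcpip;    Name='KeepAliveTime';           Type='DWord';  Value=300000 }
    @{ Path=$Tcpip;    Name='EnableICMPRedirect';      Type='DWord';  Value=0 }
    @{ Path=$Tcpip;    Name='DefaultTTL';              Type='DWord';  Value=64 }      # arbitrary non-default, see lead-in
    @{ Path=$Tcpip;    Name='IGMPLevel';               Type='DWord';  Value=0 }
    @{ Path=$Lanman;   Name='AutoShareServer';         Type='DWord';  Value=0 }
    @{ Path=$Lanman;   Name='AutoShareWks';            Type='DWord';  Value=0 }
)

# PerformRouterDiscovery lives under each interface key, so add one entry per interface
foreach ($iface in Get-ChildItem "$Tcpip\Interfaces") {
    $Settings += @{ Path=$iface.PSPath; Name='PerformRouterDiscovery'; Type='DWord'; Value=0 }
}

function Get-HardeningState {
    # Reports every setting with its current value; changes nothing
    foreach ($s in $Settings) {
        $current = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($s.Name) }
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($null -ne $current) -and ("$current" -eq "$($s.Value)")
        }
    }
}

function Set-Hardening {
    # Writes the recommended values; -WhatIf lists the changes without making them
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value)")) {
            # Set-ItemProperty creates the value if it is missing; -Type fixes REG_DWORD vs REG_SZ
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        }
    }
}

Get-HardeningState | Format-Table Name, Expected, Current, Compliant -AutoSize
Set-Hardening -WhatIf      # dry run
# Set-Hardening            # apply, then reboot: Tcpip and LanmanServer values are read at service start
```

Run Get-HardeningState first and keep its output as the record of what changed. The Tcpip and LanmanServer parameters are read when the services start, so reboot (or at least restart the Server service for the share settings) before checking with net share that the administrative shares are gone and with route print that the 224.0.0.0 route has disappeared; then rerun Get-HardeningState to confirm every row reports Compliant.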