Windows Server 2003 is Microsoft's newest server operating system. Compared with Windows 2000 and XP it has been improved in every respect, above all in security, and the overall impression is good. But nothing is perfect, and Windows Server 2003 is no exception: it still has system vulnerabilities and plenty of security hazards. Whether you use the machine to play music, surf the web, run games or write documents, you cannot avoid new viruses, so how to make Windows Server 2003 more secure has become a real concern for its users.
First, cancel the IE security prompt dialog
In the face of hacker attacks, Microsoft has been working hard to reduce the security risks in its products, as everyone can see, and its new Windows Server 2003 operating system has been hardened in many ways. For example, when you browse with the IE that ships with Windows Server 2003, a security prompt box pops up asking whether the site you are visiting should be added to your trusted sites. If you do not trust it, you can only click the "Close" button; if you want to browse the site, you must click the "Add" button to put the page on the list of trusted sites. Having to go through this step on every visit is too cumbersome. In fact, we can stop IE from performing this security check on every website with the following method (bear in mind that the prompt is a hardening feature of the server edition, so lowering the level trades that protection for convenience):
1. When the system shows the security prompt page, tick the check box on that page (the one offered when the site's content is blocked);
2. In the browser window, click the "Tools" menu and choose the "Internet Options" command from the drop-down menu;
3. In the options dialog that opens, you can lower the default security level from High to Medium;
4. To do so, on the "Security" tab drag the security slider to the "Medium" position;
5. After the setting is done, click the "OK" button, and the browser's automatic security prompt page is cancelled.
Once IE's default security level has been changed, IE no longer checks the security of every website you visit, and the annoyance is gone!
Second, re-enable ASP scripts
Mention ASP (Active Server Pages) and people think of Windows: with its powerful features and easy learning curve it is aimed at the large number of Web developers. However, to minimise hidden security risks, Windows Server 2003 does not support ASP scripts in its default state, so the system will not run any ASP code in a website. But many web service functions today are implemented through ASP scripts, so what should you do? In fact, we can re-enable ASP script support without giving up system security. The specific method is:
1. From the system's Start menu, click Administrative Tools / "Internet Information Services (IIS) Manager" (Figure 1).
Figure 1
2. In the Internet Information Services window, select the "Web Service Extensions" node in the left-hand pane;
3. Next, in the right-hand pane of that node, double-click the "Active Server Pages" entry and click the "Allow" button in the task bar. IIS 6 in the system will now run ASP scripts again (as shown in Figure 2).
Figure 2
The question users care most about is probably whether their existing ASP components can still be used. I can tell you: once IIS 6 in the system supports ASP scripts again, everything is very simple!
Third, remove the default shares
Users of Windows Server 2003 run into a problem: the shared folders the system creates by default when it is installed. Even though the user has not set up any sharing, Windows automatically shares every disk, with a share name consisting of the drive letter followed by a $ sign (the share names are C$, D$, IPC$ and ADMIN$). This means that as long as an attacker knows the system's administrator password, they can open any folder on the machine through "\\computer name\share name". Given this, does all the careful security configuration a user does still count for anything? Is the system still safe? For this reason, we must treat the default shares of Windows Server 2003 as a security hazard and remove them from the system right away.
1. Delete the Windows Server 2003 default shares
First, write a batch file with the following content:
@echo off
rem Delete the administrative drive shares and the ADMIN$ (Windows directory) share
net share C$ /delete
net share D$ /delete
net share E$ /delete
net share F$ /delete
net share ADMIN$ /delete
Users can modify the contents of the above file according to their own needs. Save it as Delshare.bat in the System32\GroupPolicy\User\Scripts\Logon directory under the folder where the system is installed. Then choose Start → Run and type gpedit.msc.
This opens the Group Policy Editor. Click User Configuration → Windows Settings → Scripts (Logon/Logoff) → Logon (Figure 3).
Figure 3
In the "Logon Properties" window, click Add; in the "Add a Script" dialog box, enter DELSHARE.BAT in the "Script Name" field and click the "OK" button (as in Figure 4).
Figure 4
Restart the computer and all of the hidden shares are cancelled automatically, reducing this system security hazard to a minimum.
2. Disable IPC connections
IPC$ (Internet Process Connection) is the resource share for "named pipes", which opens a named pipe for inter-process communication. By supplying a trusted user name and password, the two connecting parties can establish a secure channel and exchange encrypted data over it, thereby gaining access to the remote computer. It is a feature specific to Windows NT/2000/XP/2003, but it has the characteristic that only one connection is allowed between two IP addresses at the same time. Along with the IPC$ feature, NT/2000/XP/2003 provides the default shares: all logical drives (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$) are shared.
Microsoft's original intention with all of this was to make administrators' lives easier, but it also, intentionally or not, gave IPC intruders a convenient way in and so lowered the system's security. Establishing an IPC connection requires no hacker tools at all; you simply type the corresponding command at the command line, with one precondition: you need to know the user name and password of the remote host. Open CMD and enter the following command to connect: NET USE \\IP\IPC$ "password" /user:"username".
We can disable IPC connections by modifying the registry. Open the Registry Editor, find the RestrictAnonymous value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and use it to disable the IPC connection (Figure 5).
Figure 5
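The logon script above only removes the shares once someone logs on, and the Server service recreates them at every boot. The batch file below is an added example, not code from the original article: it deletes the drive shares and ADMIN$, stops them being recreated at boot through the LanmanServer AutoShareServer value (the server-edition counterpart of AutoShareWks), sets the RestrictAnonymous value named above, and then reads the result back. It assumes it is run from an administrator's command prompt on Windows Server 2003.

```batch
@echo off
rem Added example (not from the original article): remove the default
rem administrative shares and keep them from coming back after a reboot.
rem Run from an administrator's command prompt on Windows Server 2003.

rem 1. Delete the drive shares that exist right now (C$ .. Z$ where present).
rem    "net share X$" without /delete only succeeds if the share exists.
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    net share %%d$ >nul 2>&1 && net share %%d$ /delete
)

rem 2. Delete the ADMIN$ share (the Windows directory).
net share ADMIN$ /delete >nul 2>&1

rem 3. Stop the Server service recreating the shares at the next boot.
rem    AutoShareServer=0 under LanmanServer\Parameters does this on server
rem    editions such as Windows Server 2003 (workstations use AutoShareWks).
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ^
    /v AutoShareServer /t REG_DWORD /d 0 /f

rem 4. Restrict anonymous (null-session) use of IPC$ by setting the
rem    RestrictAnonymous value named in the section above to 1.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" ^
    /v RestrictAnonymous /t REG_DWORD /d 1 /f

rem 5. Verify: the listing below should no longer contain C$ or ADMIN$.
rem    IPC$ is left alone; the section above handles it via RestrictAnonymous.
echo.
echo Shares remaining:
net share
echo.
echo RestrictAnonymous now:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous
```

Because the logon script only runs for an interactive logon, the AutoShareServer value is what actually keeps the shares away on a server that sits at the logon screen.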
Fourth, empty the remotely accessible registry paths
As everyone knows, the Windows 2003 operating system provides remote access to the registry. Only by setting the remotely accessible registry paths to empty can we stop a hacker from using a scanner to read the computer's system information and other data through the remote registry (Figure 6).
Figure 6
Open the Group Policy Editor, expand "Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options", find "Network access: Remotely accessible registry paths" in the window, then open it and set the remotely accessible registry paths and sub-paths to empty (Figure 7).
Figure 7
Fifth, close unnecessary ports
For a personal user, the ports open by default are not really needed, and closing them does no harm. Port 139 is the port used by the NetBIOS protocol. When the TCP/IP protocol is installed, NetBIOS is installed in the system as well by default. An open port 139 means the hard disk may be shared on the network, and hackers on the Internet can also learn everything on your computer through NetBIOS! In earlier Windows versions, port 139 could be closed simply by not installing File and Printer Sharing for Microsoft Networks, but in Windows Server 2003 that alone does not do it. To close port 139 completely, the specific steps are as follows:
Right-click My Network Places, choose "Properties" to enter "Network and Dial-up Connections", right-click "Local Area Connection" and choose "Properties" to open the Local Area Connection Properties page (Figure 8),
Figure 8
Then clear the check mark next to "File and Printer Sharing for Microsoft Networks" (Figure 9),
Figure 9
Next, select "Internet Protocol (TCP/IP)", click "Properties" → "Advanced" → "WINS", select "Disable NetBIOS over TCP/IP", and the job is done (Figure 10)!
Figure 10
For personal users, you can also set unneeded services to "Disabled" in their service properties, so that the service does not start again next time and leave its port open. If IIS is also installed on your computer, it is best to set up port filtering as well. The steps are as follows: open the network adapter's properties, double-click "Internet Protocol (TCP/IP)", click the "Advanced" button to enter the Advanced TCP/IP Settings window, select the "Options" tab and the "TCP/IP filtering" item, click the "Properties" button to reach the "TCP/IP Filtering" window, tick "Enable TCP/IP Filtering (All adapters)", and then configure it according to your needs. If the machine is only meant for web use, opening TCP port 80 alone is enough, so select "Permit Only" above "TCP Ports", click the Add button, enter 80 and click "OK" (Figure 11).
Figure 11
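As an added example that is not part of the original article, the batch file below shows the command-line counterpart of the WINS-tab setting above: it lists the TCP ports the server is currently listening on, then sets NetbiosOptions=2 ("Disable NetBIOS over TCP/IP") on every interface under the NetBT service key, so that port 139 stops listening after the next reboot. It assumes an administrator's command prompt on Windows Server 2003.

```batch
@echo off
rem Added example, not from the original article: show which TCP ports the
rem server is listening on, then disable NetBIOS over TCP/IP on every
rem network interface (the registry equivalent of the WINS-tab setting
rem above) so that port 139 stops listening after the next reboot.

setlocal
set "NETBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"

echo Listening TCP ports before the change:
netstat -an -p tcp | findstr /i "LISTENING"

rem Each interface has a Tcpip_{GUID} subkey under the Interfaces key.
rem NetbiosOptions: 0 = use the DHCP setting, 1 = enable, 2 = disable.
for /f "tokens=*" %%k in ('reg query "%NETBT%" ^| findstr /i "Tcpip_"') do (
    echo Disabling NetBIOS on %%k
    reg add "%%k" /v NetbiosOptions /t REG_DWORD /d 2 /f >nul
)

echo.
echo NetbiosOptions per interface (2 = disabled):
reg query "%NETBT%" /s /v NetbiosOptions

echo.
echo Reboot, then confirm that 139 is gone with:
echo   netstat -an -p tcp ^| findstr ":139 "
endlocal
```

The change takes effect for new interfaces as well, which the per-adapter WINS tab does not; port 445 (direct SMB hosting) is unaffected by this setting and needs the File and Printer Sharing step above.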
Sixth, prevent unauthorised applications from running
Windows Server 2003 is a server operating system. To stop users who log on to the server from starting applications that cause unnecessary trouble for its normal operation, we must restrict which applications different users may run, according to their access rights.
In fact, this can be achieved with the Group Policy Editor; the specific steps are as follows:
To open the Group Policy Editor, click "Start → Run" in turn, type the "GPEDIT.MSC" command in the "Run" dialog box and press Enter, and the Group Policy Editor window opens. Then navigate to "Group Policy Console → User Configuration → Administrative Templates → System",
open "Run only allowed Windows applications" and enable this policy (Figure 12).
Figure 12
Then click "List of allowed applications" below it to bring up the "Show Contents" dialog box, and click the Add button to add the applications that are allowed (Figure 13).
Figure 13
From then on, only the programs in the "List of allowed applications" of Figure 13 can be run.
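The policy above is stored as the RestrictRun values under the user's Policies\Explorer key and is enforced by Explorer for that user at logon. The batch file below is an added example, not code from the original article: it writes the same values for the current user with a constructed sample list of allowed programs and reads the result back. It assumes it is run by the account to be restricted; that account is itself locked to the list at its next logon, so keep the tools you need (for example regedit.exe or mmc.exe) on it.

```batch
@echo off
rem Added example, not from the original article: the registry values that
rem the "Run only allowed Windows applications" policy above writes, set
rem directly for the current user, plus a read-back to check the result.
rem The list of allowed programs is a constructed sample; adjust it.

setlocal
set "POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

rem Turning the policy on: RestrictRun=1 under Policies\Explorer.
reg add "%POL%" /v RestrictRun /t REG_DWORD /d 1 /f >nul

rem The allowed list lives in the RestrictRun subkey as string values
rem named 1, 2, 3, ... whose data is the executable file name (no path).
rem Start from an empty list so stale entries do not remain.
reg delete "%POL%\RestrictRun" /f >nul 2>&1
set N=0
for %%p in (notepad.exe mmc.exe regedit.exe) do (
    set /a N+=1
    rem "call" re-expands %%N%% so the value name is the current counter.
    call reg add "%POL%\RestrictRun" /v %%N%% /t REG_SZ /d "%%p" /f >nul
)

echo Policy state (RestrictRun should read 0x1):
reg query "%POL%" /v RestrictRun
echo.
echo Allowed applications:
reg query "%POL%\RestrictRun"
echo.
echo Log off and on again for Explorer to apply the list.
endlocal
```

Setting RestrictRun to 0 (or deleting the value) with the same reg commands turns the restriction off again.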