IIS Web Server Security Hardening Steps

Install and configure Windows Server 2003

1. Move cmd.exe out of the System32 directory (System32\cmd.exe) to another directory, or rename it.
2. Keep system accounts to a minimum; rename the default accounts (such as Administrator), change their descriptions and use complex passwords.
3. Set "Deny access to this computer from the network" for: anonymous logon; the built-in Administrator account; the Support account; all non-operating-system service accounts.
4. It is recommended to give ordinary users only Read permission and to give Full Control only to Administrators and SYSTEM. This can stop some normal scripts from running, or prevent operations that need write access from completing; in that case change the permissions on the affected folders. Test the change on a test machine first, then apply it carefully.
5. NTFS file permissions (note that a file's permissions take priority over those of its folder):
   File type                                        Recommended NTFS permissions
   CGI files (.exe, .dll, .cmd, .pl)                Everyone; Administrators (Full Control); System (Full Control)
   Script files (.asp)                              Everyone; Administrators (Full Control); System (Full Control)
   Include files (.inc, .shtm, .shtml)              Everyone; Administrators (Full Control); System (Full Control)
   Static content (.txt, .gif, .jpg, .htm, .html)   Everyone; Administrators (Full Control); System (Full Control)
6. Disable the default C$ and D$ administrative shares:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
   AutoShareServer, REG_DWORD, 0x0
7. Disable the default ADMIN$ share:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
   AutoShareWks, REG_DWORD, 0x0
8. Restrict the default IPC$ share:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   RestrictAnonymous, REG_DWORD (default 0x0)
   0x1: anonymous users cannot enumerate the list; 0x2: anonymous users cannot connect to the local IPC$ share.
   Note: the value 2 is not recommended, because it may prevent some of your services, such as SQL Server, from starting.
9. Grant users only the privileges they really need; the principle of least privilege is an important guarantee of security.
10. Enable the corresponding auditing in Local Security Policy -> Audit Policy. Recommended audit settings:
    Audit account management          Success, Failure
    Audit logon events                Success, Failure
    Audit object access               Failure
    Audit policy change               Success, Failure
    Audit privilege use               Failure
    Audit system events               Success, Failure
    Audit directory service access    Failure
    Audit account logon events        Success, Failure
    The drawback of auditing too few items is that when you want to look something up there is no record, which is a minor matter; auditing too many items not only consumes system resources but also leaves you unable to review them, which defeats the purpose of auditing.
    In Account Policy -> Password Policy set: password must meet complexity requirements: enabled; minimum password length: 6 characters; enforce password history: 5 passwords remembered; maximum password age: 30 days.
    In Account Policy -> Account Lockout Policy set: account lockout threshold: 3 invalid logon attempts; account lockout duration: 20 minutes; reset account lockout counter after: 20 minutes.
11. In Terminal Services Configuration -> Permissions -> Advanced -> Auditing, auditing logon and logoff is generally sufficient.
12. Unbind NetBIOS from TCP/IP. Windows NT: Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable. Windows 2000: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.
13. Enable TCP/IP filtering on the network connection and open only the necessary ports (such as 80).
14. Set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1 to block null-session connections on port 139.
15. Change the time-to-live (TTL) value of outgoing packets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DefaultTTL, REG_DWORD, 0-0xff (0-255 decimal; the default is 128)
16. Protect against SYN flood attacks:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect, REG_DWORD, 0x2 (default 0x0)
17. Do not respond to ICMP router advertisement messages:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
    PerformRouterDiscovery, REG_DWORD, 0x0 (default 0x2)
18. Prevent ICMP redirect attacks:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    EnableICMPRedirect, REG_DWORD, 0x0 (default 0x1)
19. Disable IGMP support:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    IGMPLevel, REG_DWORD, 0x0 (default 0x2)
20. Set the ARP cache aging time:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    ArpCacheLife, REG_DWORD, 0-0xFFFFFFFF (seconds; the default is 120)
    ArpCacheMinReferencedLife, REG_DWORD, 0-0xFFFFFFFF (seconds; the default is 600)
21. Disable dead gateway detection:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    EnableDeadGWDetect, REG_DWORD, 0x0 (default 0x1)
22. Disable IP routing:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    IPEnableRouter, REG_DWORD, 0x0 (default 0x0)

Install and configure IIS services

1. Install only the necessary IIS components (disable the FTP and SMTP services if they are not needed).
2. Enable only the necessary services and Web Service Extensions. Recommended configuration:
   Component, recommended setting, and rationale:
   - Background Intelligent Transfer Service (BITS) Server Extension: Enable. BITS is the background file-transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server automatically, this component is required.
   - Common Files: Enable. IIS requires these files; be sure to enable them on the IIS server.
   - File Transfer Protocol (FTP) Service: Disable. Lets the IIS server provide FTP services. A dedicated IIS server does not need it.
   - FrontPage 2002 Server Extensions: Disable. Provides FrontPage support for administering and publishing Web sites. If no Web site uses the FrontPage extensions, disable this component on a dedicated IIS server.
   - Internet Information Services Manager: Enable. The administrative interface for IIS.
   - Internet Printing: Disable. Provides Web-based printer management and lets printers be shared over HTTP. A dedicated IIS server does not need it.
   - NNTP Service: Disable. Distributes, queries, retrieves and posts Usenet news articles on the Internet. A dedicated IIS server does not need it.
   - SMTP Service: Disable. Supports the transport of e-mail. A dedicated IIS server does not need it.
   - World Wide Web Service: Enable. Provides Web services for static and dynamic content. A dedicated IIS server requires it.
   Sub-components of the World Wide Web Service, recommended setting, and rationale:
   - Active Server Pages: Enable. Provides ASP support. If no Web site or application on the IIS server uses ASP, disable this component, or disable it through Web Service Extensions.
   - Internet Data Connector: Disable. Provides dynamic-content support through files with the .idc extension. If no Web site or application on the IIS server includes .idc files, disable this component, or disable it through Web Service Extensions.
   - Remote Administration (HTML): Disable. The HTML interface for administering IIS. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not need it.
   - Remote Desktop Web Connection: Disable. Includes the Microsoft ActiveX control and sample pages for hosting Terminal Services client connections. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not need it.
   - Server Side Includes: Disable. Provides support for .shtm, .shtml and .stm files. If no Web site or application on the IIS server uses files with these extensions, disable this component.
   - WebDAV: Disable. WebDAV extends the HTTP/1.1 protocol so that clients can publish, lock and manage resources on the Web. Disable this component on a dedicated IIS server, or disable it through Web Service Extensions.
   - World Wide Web Service: Enable. Provides Web services for static and dynamic content. A dedicated IIS server requires it.
3. Keep the IIS directories and data off the system disk, on a partition of their own.
4. In IIS Manager, remove every application mapping that is not needed (keep the necessary ones, such as .asp).
5. In IIS, redirect the HTTP 404 Object Not Found error page by URL to a custom .htm file.
6. Web site permission settings (recommended):
   Web site permission        Recommendation
   Read                       Allow
   Write                      Do not allow
   Script source access       Do not allow
   Directory browsing         Recommended off
   Log visits                 Recommended off
   Index this resource        Recommended off
   Execute permissions        Select "Scripts only"
7. Use the W3C Extended log file format with a new log file every day, recording the client IP address, user name, server port, method, URI stem, HTTP status and user agent, and review the logs daily. (Preferably do not use the default log directory: move the log path elsewhere and set its access control so that only Administrators and SYSTEM have Full Control.)
8. Application security:
   1) Wrap user names and passwords so that they appear in ASP files as little as possible, and keep the places where the database user name and password are used to a minimum.
   2) For ASP pages that require authentication, track the file name of the previous page so that only a session arriving from that previous page can read this page.
   3) Prevent leaks of the .inc files included by ASP pages.
   4) Prevent leaks of the some.asp.bak files generated by UE and other editors.

Security updates: apply all needed service packs and update patches regularly.
Install and configure antivirus protection: NAV 8.1 or later is recommended (configured to update automatically at least once a week).
Install and configure firewall protection: the latest version of the BlackICE Server Protection firewall is recommended (a simple monitoring solution).
Install and configure the MOM agent or a similar monitoring solution as required.
Strengthen data backup: back up Web data regularly so that the most recent state can be restored after a problem.
Consider implementing IPSec filters. Blocking ports with Internet Protocol Security (IPSec) filters provides an effective way to raise the server's security to the required level. This guide recommends using this option in the high-security environment it defines, to further reduce the attack surface of the server. For more information on using IPSec filters, see the module Other Member Server Hardening Procedures. The following table lists all the IPSec filters that can be created on an IIS server in the high-security environment defined in this guide.
   Service             Protocol   Source port   Destination port   Source address   Destination address   Action   Mirror
   Terminal Services   TCP        All           3389               All              Me                    Allow    Yes
   HTTP Server         TCP        All           80                 All              Me                    Allow    Yes
   HTTPS Server        TCP        All           443                All              Me                    Allow    Yes
When implementing the rules listed in the table, mirror processing should be applied. This ensures that any network traffic entering the server can also return to its source.
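As an added example (not part of the original guide), the following Python script checks a `reg export` of the keys from steps 6-8 and 14-22 of the system hardening list above against the recommended values, so deviations can be reported per server. The sample export is constructed, the key and value names are the real ones from those steps, and RestrictAnonymous is compared against the value 1 that step 14 sets.

```python
import re
# Recommended DWORD settings from the checklist: (key below HKLM, value name) -> value
TCPIP = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LANMAN = r"SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
RECOMMENDED = {
    (LANMAN, "AutoShareServer"): 0x0, (LANMAN, "AutoShareWks"): 0x0,
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): 0x1,
    (TCPIP, "SynAttackProtect"): 0x2, (TCPIP, "EnableICMPRedirect"): 0x0,
    (TCPIP, "IGMPLevel"): 0x0, (TCPIP, "EnableDeadGWDetect"): 0x0,
    (TCPIP, "IPEnableRouter"): 0x0,
}
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Map lower-cased key path -> {lower-cased value name: int} for DWORDs in a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:                      # "[HKEY_LOCAL_MACHINE\...]" starts a new key
            current = keys.setdefault(key.group(1).lower(), {})
        elif current is not None:    # '"Name"=dword:00000002' inside the current key
            val = DWORD_RE.match(line)
            if val:
                current[val.group(1).lower()] = int(val.group(2), 16)
    return keys

def audit(text):
    """Return (value name, problem) pairs; an empty list means every recommended value matches."""
    keys, findings = parse_reg_export(text), []
    for (key, name), want in RECOMMENDED.items():
        values = keys.get(key.lower())
        if values is None:
            findings.append((name, "key not present in export"))
        elif name.lower() not in values:
            findings.append((name, "not set, so the Windows default applies"))
        elif values[name.lower()] != want:
            findings.append((name, "is 0x%x, recommended 0x%x" % (values[name.lower()], want)))
    return findings

# Constructed sample export (not from a real server): ICMP redirects on, SynAttackProtect unset, lanmanserver key absent
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000001
"IGMPLevel"=dword:00000000
"EnableDeadGWDetect"=dword:00000000
"IPEnableRouter"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""
```

Export the three keys on the server with `reg export` (one file each, or concatenated) and pass the file contents to `audit()`; per-interface values such as PerformRouterDiscovery are not covered because their key path depends on the interface GUID.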
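Also as an added example, not from the original guide: a reviewer for logs written in the W3C Extended field layout recommended in step 7 of the IIS list. It flags the .inc and .asp.bak requests that step 8 warns about, requests naming cmd.exe (step 1 of the system list), and clients that produce many 404 responses. The log lines are constructed, and the 404 threshold is an assumed value to be tuned per site.

```python
import collections

# Extensions the guide says must never be served: include files and editor backups (step 8)
SENSITIVE_SUFFIXES = (".inc", ".bak")

def parse_w3c(text):
    """Yield one dict per request line of a W3C Extended log, keyed by its #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))  # IIS writes '+' for spaces, so split() is safe

def review(text, not_found_threshold=5):
    """Flag source/backup-file and cmd.exe requests, and clients with many 404 responses."""
    not_found, findings = collections.Counter(), []
    for rec in parse_w3c(text):
        client, uri = rec.get("c-ip", "?"), rec.get("cs-uri-stem", "").lower()
        if rec.get("sc-status") == "404":
            not_found[client] += 1
        if uri.endswith(SENSITIVE_SUFFIXES):
            findings.append((client, "request for source or backup file " + uri))
        if "cmd.exe" in uri:
            findings.append((client, "request referencing cmd.exe " + uri))
    for client, n in not_found.items():
        if n >= not_found_threshold:               # assumed threshold, tune per site
            findings.append((client, "%d responses with status 404" % n))
    return findings

# Constructed sample log (not a real capture) using the field layout recommended in step 7
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2004-01-01 10:00:01 192.0.2.10 - 80 GET /default.asp 200 Mozilla/4.0
2004-01-01 10:00:02 192.0.2.10 - 80 GET /images/logo.gif 200 Mozilla/4.0
2004-01-01 10:00:05 198.51.100.7 - 80 GET /login.asp.bak 404 scanner/1.0
2004-01-01 10:00:06 198.51.100.7 - 80 GET /include/db.inc 200 scanner/1.0
2004-01-01 10:00:07 198.51.100.7 - 80 GET /scripts/x.asp 404 scanner/1.0
2004-01-01 10:00:08 198.51.100.7 - 80 GET /scripts/y.asp 404 scanner/1.0
2004-01-01 10:00:09 198.51.100.7 - 80 GET /scripts/z.asp 404 scanner/1.0
2004-01-01 10:00:10 198.51.100.7 - 80 GET /scripts/w.asp 404 scanner/1.0
2004-01-01 10:00:11 198.51.100.7 - 80 GET /scripts/cmd.exe 404 scanner/1.0
"""
```

A 200 status on a .inc request, as in the sample, means the include file was actually served and the NTFS and mapping settings above need rechecking.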
SQL Server security hardening

Step: MDAC upgrade
Install the latest MDAC (http://www.microsoft.com/data/download.htm).

Step: Password policy
Because SQL Server cannot rename the sa login and this superuser cannot be deleted, the account has to stay. Protect it as strongly as possible, which of course includes a very strong password, and preferably do not use the sa account in database applications at all: create a new superuser with sa-equivalent rights to manage the database. At the same time, get into the habit of changing passwords regularly. The database administrator should regularly check for accounts that do not meet the password requirements, for example with the following SQL statement:
    USE master
    SELECT name, password FROM syslogins WHERE password IS NULL

Step: Database logon logging
Log "Failed and successful" logins: in the instance properties select "Security" and set the audit level to All, so that every account logon event is recorded in detail in both the database log and the operating system log.

Step: Manage extended stored procedures
xp_cmdshell is the shortest route into the operating system and a large back door from the database to the operating system. Remove it with this SQL statement:
    USE master
    GO
    EXEC sp_dropextendedproc 'xp_cmdshell'
If you need this stored procedure later, restore it with:
    EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
OLE automation stored procedures (removing them stops some features of Enterprise Manager from working). These procedures are as follows, and none of them is needed, so remove them:
    sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop
Remove the unnecessary registry-access stored procedures; the registry procedures can even read an operating system administrator's password. They are:
    xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite

Step: Guard against TCP/IP port probing
In the instance properties, select the TCP/IP protocol in the network configuration and choose "Hide SQL Server instance". On top of the previous step, change the default port 1433. Rejecting UDP traffic to port 1434 in the IPSec filters hides your SQL Server as far as possible.

Step: Network connections
The operating system's own IPSec can secure IP packets. Restrict IP connections so that only your own IP addresses can access the server, and reject port connections from other IPs.

Attachment: recommended list of services to disable on Windows 2003