Reposted from:
http://www.12986.com/n3765c48.aspx
1. Transfer
2. Keep the number of system accounts as small as possible; rename the default accounts (such as Administrator), change their descriptions, and make the passwords as complex as possible.
3. Deny access to this computer from the network for: Anonymous Logon; the built-in Administrator account; SUPPORT_388945a0; Guest; and all service accounts that do not belong to the operating system.
4. It is recommended to give ordinary users read permission only and to give full control only to Administrators and SYSTEM. This may stop some normal scripts from executing, or some operations that need write access from completing; in that case change the permissions on the affected files or folders. Test the changes on a test machine first, then apply them carefully.
5. NTFS file permission settings (note that permissions on a file take precedence over permissions on its folder):
  File types: CGI files (.exe, .dll, .cmd, .pl); script files (.asp); include files (.inc, .shtm, .shtml); static content (.txt, .gif, .jpg, .htm, .html)
  Recommended NTFS permissions: Everyone; Administrators (full control); SYSTEM (full control)
6. Disable the default C$ and D$ shares:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  AutoShareServer, REG_DWORD, 0x0
7. Disable the default ADMIN$ share:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  AutoShareWks, REG_DWORD, 0x0
8. Restrict anonymous access to the IPC$ share:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  RestrictAnonymous, REG_DWORD:
    0x0 default
    0x1 anonymous users cannot enumerate the list of local users
    0x2 anonymous users cannot connect to this machine's IPC$ share
  Note: 0x2 is not recommended, because it may prevent some of your services, such as SQL Server, from starting.
9. Give users only the privileges they need; the principle of least privilege is an important safeguard for security.
10. Enable appropriate auditing under Local Security Policy -> Audit Policy. The recommended audit settings are:
  Audit account management: success, failure
  Success, failure
  Audit object access: failure
  Audit policy change: success, failure
  Audit privilege use: failure
  Audit system events: success, failure
  Audit directory service access: failure
  Audit account logon events: success, failure
The drawback of auditing is that if you audit too little there is no record when you need to look one up, while auditing too many events not only consumes system resources but produces so much output that you never look at it, which defeats the purpose of auditing. Related settings:
Under Account Policies -> Password Policy:
  Password must meet complexity requirements: enabled
  Minimum password length: 6 characters
  Enforce password history: 5 passwords remembered
  Maximum password age: 30 days
Under Account Policies -> Account Lockout Policy:
  Account lockout threshold: 3 invalid logon attempts
  Account lockout duration: 20 minutes
  Reset account lockout counter after: 20 minutes
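The password and lockout settings above can be verified instead of eyeballed. The following added example (not part of the original checklist) exports the local security policy with secedit, parses its [System Access] section, and reports any value that falls short of the checklist's recommendation; the temporary file path and the check thresholds are this example's own choices.

```powershell
# Added example: audit the local account policy against the checklist's values.
# Assumes an administrator session; $cfg is a temporary file chosen here.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse "Name = Value" lines from the [System Access] section of the exported INF.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}

# Checklist recommendations. secedit stores ages in days and lockout times in minutes;
# MaximumPasswordAge = -1 means "never expires", which the range test rejects.
$want = @(
    @{ Key = 'PasswordComplexity';    Test = { param($v) [int]$v -eq 1 };                      Text = 'complexity enabled' },
    @{ Key = 'MinimumPasswordLength'; Test = { param($v) [int]$v -ge 6 };                      Text = 'minimum length 6' },
    @{ Key = 'PasswordHistorySize';   Test = { param($v) [int]$v -ge 5 };                      Text = 'history 5 passwords' },
    @{ Key = 'MaximumPasswordAge';    Test = { param($v) [int]$v -ge 1 -and [int]$v -le 30 }; Text = 'maximum age 30 days' },
    @{ Key = 'LockoutBadCount';       Test = { param($v) [int]$v -ge 1 -and [int]$v -le 3 };  Text = 'lockout after 3 failures' },
    @{ Key = 'LockoutDuration';       Test = { param($v) [int]$v -ge 20 };                     Text = 'lockout duration 20 minutes' },
    @{ Key = 'ResetLockoutCount';     Test = { param($v) [int]$v -ge 20 };                     Text = 'reset counter after 20 minutes' }
)
foreach ($w in $want) {
    $v = $policy[$w.Key]
    # LockoutDuration and ResetLockoutCount are only exported when a lockout threshold is set.
    if ($null -eq $v)            { "MISSING: $($w.Key) (recommended: $($w.Text))" }
    elseif (-not (& $w.Test $v)) { "FINDING: $($w.Key) = $v (recommended: $($w.Text))" }
    else                         { "OK:      $($w.Key) = $v" }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```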
11. In Terminal Services Configuration - Permissions - Advanced - Auditing, it is generally sufficient to log logon and logoff events.
12. Unbind NetBIOS from TCP/IP:
  Control Panel - Network - Bindings - NetBIOS Interface - Disable. On Windows 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP.
13. Enable TCP/IP filtering in the network connection properties and open only the necessary ports (such as 80).
14. Disable null sessions on port 139 by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1.
15. Modify the packet time-to-live (TTL) value:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  DefaultTTL, REG_DWORD, 0-0xFF (0-255 decimal, default 128)
16. Protect against SYN flood attacks:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  SynAttackProtect, REG_DWORD, 0x2 (default is 0x0)
17. Do not respond to ICMP router advertisement packets:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
  PerformRouterDiscovery, REG_DWORD, 0x0 (default is 0x2)
18. Protect against ICMP redirect attacks:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  EnableICMPRedirect, REG_DWORD, 0x0 (default is 0x1)
19. Disable IGMP:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  IGMPLevel, REG_DWORD, 0x0 (default is 0x2)
20. Set the ARP cache aging time:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  ArpCacheLife, REG_DWORD, 0-0xFFFFFFFF (seconds, default is 120)
  ArpCacheMinReferencedLife, REG_DWORD, 0-0xFFFFFFFF (seconds, default is 600)
21. Disable dead gateway detection:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  EnableDeadGWDetect, REG_DWORD, 0x0 (default is 0x1)
22. Disable IP routing:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  IPEnableRouter, REG_DWORD, 0x0 (default is 0x0)
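The registry items in 6-8 and 15-22 drift easily, so it is worth checking them rather than setting them once. The following added example (not part of the original checklist) reads each value and reports whether it matches the recommended setting, treating an absent value as "OS default applies"; TTL and the ARP timers are left out because the checklist gives ranges, not a single value, for them.

```powershell
# Added example: report drift from the checklist's registry recommendations.
# Assumes an administrator session on the Windows host being audited.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name, key, recommended data. RestrictAnonymous is 1, not 2, per the checklist's note.
$checks = @(
    @('AutoShareServer',    $lanman, 0), @('AutoShareWks',       $lanman, 0),
    @('RestrictAnonymous',  $lsa,    1),
    @('SynAttackProtect',   $tcpip,  2), @('EnableICMPRedirect', $tcpip,  0),
    @('IGMPLevel',          $tcpip,  0), @('EnableDeadGWDetect', $tcpip,  0),
    @('IPEnableRouter',     $tcpip,  0)
)
# PerformRouterDiscovery lives under each interface key, so add one check per interface.
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $checks += ,@('PerformRouterDiscovery', $iface.PSPath, 0)
}

function Test-RegValue([string]$Name, [string]$Path, [int]$Want) {
    # Get-ItemProperty with -Name errors when the value is absent; that error is suppressed.
    $cur = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $cur)     { "UNSET:   $Path\$Name (OS default applies; recommended $Want)" }
    elseif ($cur -ne $Want) { "FINDING: $Path\$Name = $cur, recommended $Want" }
    else                    { "OK:      $Path\$Name = $cur" }
}
foreach ($c in $checks) { Test-RegValue $c[0] $c[1] $c[2] }
```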
Install and configure IIS services:
1. Install only the necessary IIS components (disable the FTP and SMTP services if they are not needed).
2. Enable only the necessary services and Web Service Extensions. Recommended configuration:
Component name in the UI | Setting | Rationale
Background Intelligent Transfer Service (BITS) server extension | Enable | BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes automatically on the IIS server, this component is required.
Common Files | Enable | IIS requires these files; be sure to enable them on the IIS server.
File Transfer Protocol (FTP) Service | Disable | Allows the IIS server to provide FTP services. A dedicated IIS server does not require this service.
FrontPage 2002 Server Extensions | Disable | Provides FrontPage support for administering and publishing Web sites. If no Web site uses the FrontPage extensions, disable this component on a dedicated IIS server.
Internet Information Services Manager | Enable | The IIS administrative interface.
Internet Printing | Disable | Provides Web-based printer management and allows printers to be shared over HTTP. Dedicated IIS servers do not require this component.
NNTP Service | Disable | Distributes, queries, retrieves and posts Usenet news articles on the Internet. Dedicated IIS servers do not require this component.
SMTP Service | Disable | Supports the transfer of e-mail. Dedicated IIS servers do not require this component.
World Wide Web Service | Enable | Provides Web services and static and dynamic content to clients. A dedicated IIS server requires this component.
World Wide Web Service subcomponents:
Component name in the UI | Installation option | Rationale
Active Server Pages | Enable | Provides ASP support. If none of the Web sites or applications on the IIS server use ASP, disable this component, or disable it through Web Service Extensions.
Internet Data Connector | Disable | Provides dynamic content support through files with the .idc extension. If none of the Web sites or applications on the IIS server include .idc files, disable this component, or disable it through Web Service Extensions.
Remote Administration (HTML) | Disable | Provides an HTML interface for administering IIS. Use IIS Manager instead; it makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not require this feature.
Remote Desktop Web Connection | Disable | Includes the Microsoft ActiveX control and sample pages for connecting to the Terminal Services client. Use IIS Manager instead; it makes administration easier and reduces the attack surface of the IIS server. Dedicated IIS servers do not require this component.
Server Side Includes | Disable | Supports .shtm, .shtml and .stm files. If none of the Web sites or applications running on the IIS server use these extensions, disable this component.
WebDAV | Disable | WebDAV extends the HTTP/1.1 protocol and allows clients to publish, lock and manage resources on the Web. Disable this component on a dedicated IIS server, or disable it through Web Service Extensions.
World Wide Web Service | Enable | Provides Web services and static and dynamic content to clients. A dedicated IIS server requires this component.
3. Keep the IIS directories and data separate from the system disk, on a dedicated partition.
4. In IIS Manager, remove all application mappings that are not needed (keep .asp and the like).
5. In IIS, redirect the HTTP 404 (object not found) error to a custom .htm file via URL.
6. Web site permission settings (recommended):
Web site permission | Recommended setting
Read | Allow
Write | Not allowed
Script source access | Not allowed
Directory browsing | Recommended: off
Log visits | Recommended: off
Index this resource | Recommended: off
Execute permissions | Recommended: "Scripts only"
7. It is recommended to use the W3C Extended Log File Format, to record the client IP address, user name, server port, method, URI stem, HTTP status and user agent, and to review the logs every day. (Preferably do not use the default log directory: change the log path, and set permissions on the log directory so that only Administrators and SYSTEM have Full Control.)
8. Program security:
1) Encapsulate user names and passwords wherever possible so that they appear in as few ASP files as possible; database connections that involve a user name and password should be kept to a minimum.
2) An ASP page that requires authentication can check the file name of the page it was reached from, so that only a session coming from that previous page can read this page.
3) Prevent the leakage of the .inc files included by ASP pages.
4) Prevent the leakage of backup files such as some.asp.bak generated by UltraEdit (UE) and other editors.
Security updates
Apply all required service packs and update patches regularly.
Installation and configuration of antivirus protection
NAV 8.1 or later is recommended as the virus firewall (configured to update automatically at least once a week).
Install and configure firewall protection
The latest version of the BlackICE Server Protection firewall is recommended (simple to configure and fairly practical).
Monitoring solution
Install and configure the MOM agent or a similar monitoring solution as required.
Strengthen data backup
Back up the Web data regularly, so that you can return to the most recent state after a problem.
Consider implementing IPSec filtering
Block ports with IPSec filters
Internet Protocol Security (IPSec) filters provide an effective way to raise the security level a server requires. This guide recommends using this option in the high security environment defined in the guide, to further reduce the attack surface of the server.
For more information on using IPSec filters, see the "Other Member Server Hardening Procedures" module.
The following table lists all the IPSec filters that can be created on an IIS server in the high security environment defined in this guide.
Service | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored
Terminal Services | TCP | Any | 3389 | Any | ME | Allow | Yes
HTTP Server | TCP | Any | 80 | Any | ME | Allow | Yes
HTTPS Server | TCP | Any | 443 | Any | ME | Allow | Yes
When implementing the rules listed above, they should be mirrored. This ensures that any network traffic that enters the server can also return to its source.
SQL Server security hardening (step, followed by its description):
MDAC upgrade: Install the latest MDAC (http://www.microsoft.com/data/download.htm).
Password policy: Since SQL Server does not allow the sa user name to be changed, this superuser cannot be deleted, so it must be protected as strongly as possible. This of course includes using a very strong password, and preferably not using the sa account in database applications at all: create a new superuser with sa-equivalent rights to manage the database. Also get into the habit of changing the password regularly. Database administrators should regularly check for accounts that do not meet the password requirements, for example with the following SQL statements:
  use master
  select name, password from syslogins where password is null
Database logging: Audit database login events for both failure and success: in the instance properties, select "Security" and set the audit level to All, so that all account login events are recorded in detail in both the database log and the operating system log.
Manage extended stored procedures: xp_cmdshell is the best shortcut into the operating system and a large back door into it; remove it with the following SQL statements:
  use master
  sp_dropextendedproc 'xp_cmdshell'
If you need this stored procedure later, restore it with:
  sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
The OLE Automation stored procedures (removing them can break certain features in Enterprise Manager) are the following and do not need to be removed:
  sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
  sp_OAMethod sp_OASetProperty sp_OAStop
Remove the registry-access stored procedures that are not needed; these procedures can even read the operating system administrator's password. They are:
  xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
  xp_regread xp_regremovemultistring xp_regwrite
Protection against TCP/IP port probing: In the instance properties, select the TCP/IP protocol properties and select "Hide SQL Server instance". In the same place, change the default port 1433 to another port. Rejecting UDP traffic to port 1434 in the IPSec filter hides your SQL Server as much as possible.
IP restriction on network connections: Use the operating system's built-in IPSec to secure IP packets: restrict connections by IP address so that only your IP can access the server, and reject port connections from other IPs.
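The SQL Server steps above (null-password logins, dropped extended procedures, audit level, hidden instance and non-default port) can be checked from one script. The following added example (not part of the original checklist) does so for a local default instance; it assumes Windows authentication, the System.Data.SqlClient provider, and the SQL Server 2000 registry layout for a default instance (the AuditLevel, TcpPort and TcpHideFlag value names are assumed from that version).

```powershell
# Added example: run the checklist's SQL Server checks and print findings.
# Assumes Windows authentication to the local default instance ('.') and
# the SQL Server 2000 registry layout; adjust $cs and $key for other setups.
function Invoke-SqlTable([string]$ConnStr, [string]$Sql) {
    $cn = New-Object System.Data.SqlClient.SqlConnection $ConnStr
    $da = New-Object System.Data.SqlClient.SqlDataAdapter $Sql, $cn
    $dt = New-Object System.Data.DataTable
    [void]$da.Fill($dt)          # Fill opens and closes the connection itself
    $cn.Dispose()
    return ,$dt
}
$cs = 'Server=.;Database=master;Integrated Security=SSPI'

# Password policy: logins with no password at all (the checklist's own query).
$rows = Invoke-SqlTable $cs 'select name from syslogins where password is null'
foreach ($r in $rows.Rows) { "FINDING: login '$($r.name)' has a NULL password" }

# Extended procedures the checklist says to drop; xtype 'X' marks extended procedures.
$drop = "'xp_cmdshell','xp_regaddmultistring','xp_regdeletekey','xp_regdeletevalue'," +
        "'xp_regenumvalues','xp_regread','xp_regremovemultistring','xp_regwrite'"
$rows = Invoke-SqlTable $cs "select name from sysobjects where xtype = 'X' and name in ($drop)"
foreach ($r in $rows.Rows) { "FINDING: extended procedure '$($r.name)' is still registered" }

# Audit level: 3 = both failure and success ("All" in the Security tab).
$key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer'
$audit = (Get-ItemProperty $key -ErrorAction SilentlyContinue).AuditLevel
if ($audit -ne 3) { "FINDING: AuditLevel is '$audit', expected 3 (failure and success)" }

# TCP/IP settings: hidden instance and a port other than the default 1433.
$tcp = Get-ItemProperty "$key\SuperSocketNetLib\Tcp" -ErrorAction SilentlyContinue
if ($tcp.TcpPort -eq '1433') { 'FINDING: instance still listens on the default port 1433' }
if ($tcp.TcpHideFlag -ne 1)  { "FINDING: 'Hide SQL Server instance' is not set" }
```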
Appendix: services recommended to be disabled on Windows Server 2003
Name | Service name | Recommended setting
Automatic Updates | wuauserv | Disable
Background Intelligent Transfer Service | BITS | Disable
Computer Browser | Browser | Disable
DHCP Client | Dhcp | Disable
NTLM Security Support Provider | NtLmSsp | Disable
Network Location Awareness | NLA | Disable
Performance Logs and Alerts | SysmonLog | Disable
Remote Administration Service | SrvcSurg | Disable
Remote Registry Service | RemoteRegistry | Disable
Server | LanmanServer | Disable
TCP/IP NetBIOS Helper Service | LmHosts | Disable
Terminal Services | TermService | Disable
Windows Installer | MSIServer | Disable
Windows Management Instrumentation Driver Extensions | Wmi | Disable
WMI Performance Adapter | WmiApSrv | Disable
Error Reporting Service | ERSvc | Disable
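The following added example (not part of the original checklist) verifies the list above by reading each service's start mode through WMI, which also works on Windows Server 2003; the short service names are those the table gives, with ERSvc used for Error Reporting.

```powershell
# Added example: report any service from the checklist that is not set to Disabled.
# Assumes an administrator session on the host being audited.
$shouldBeDisabled = @(
    'wuauserv', 'BITS', 'Browser', 'Dhcp', 'NtLmSsp', 'NLA', 'SysmonLog',
    'SrvcSurg', 'RemoteRegistry', 'LanmanServer', 'LmHosts', 'TermService',
    'MSIServer', 'Wmi', 'WmiApSrv', 'ERSvc'
)

function Get-ServiceDrift([string[]]$Names) {
    foreach ($n in $Names) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and the current State.
        $svc = Get-WmiObject Win32_Service -Filter "Name='$n'"
        if ($null -eq $svc) { "ABSENT:  $n (not installed on this host)"; continue }
        if ($svc.StartMode -ne 'Disabled') {
            "FINDING: $n ($($svc.DisplayName)) start mode is $($svc.StartMode), state $($svc.State)"
        } else {
            "OK:      $n is disabled"
        }
    }
}
Get-ServiceDrift $shouldBeDisabled
```

Note that disabling Server (LanmanServer) and Terminal Services conflicts with the Terminal Services allow rule and item 11 earlier in this checklist; keep those two enabled if you rely on remote administration.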