NT/2000 Server Ultimate Security Settings and Performance Optimization Guide [Repost]

xiaoxiao2021-03-06  45

Nowadays many people think Microsoft's products have far too many vulnerabilities. Having worked through the security configuration of all kinds of systems, I have gathered some experience that I want to share with you. In truth every system has plenty of vulnerabilities; Microsoft's products are simply the most widely used, and their users on the whole are not very skilled and do not make the various security settings, which is why the security of NT/2000 servers on the Internet today is so poor. If an NT/2000 server is properly hardened, its security is by no means worse than a *NIX system. Follow what I say below and I can guarantee you 95% or more security; 100% I dare not promise, and of course you also have to apply all of Microsoft's patches, big and small. Ha, who is throwing banana peels at me? Stand up! Enough nonsense, on to the topic.

1. Basics: custom installation of the NT/2000 system itself and related settings

Web sites built on NT (2000) make up a large share of all web sites, mainly because of their ease of use and management: a company does not have to spend a lot of money on server administration. This is an advantage over *NIX systems, since there is no need to hire a professional administrator at a high salary. Of course *NIX administrators will not be out of work, because its open-source nature is something Windows cannot match, and almost all large servers run *NIX. For small and medium-sized companies, though, Windows is enough. But NT's security problems have always been criticized, leaving some NT-based web sites feeling as if they stand on thin ice. Here I offer a security solution as my contribution to China's network security industry. (Note: this program targets NT/2000 servers used to host a web site and is not suitable for servers on a local area network.)

I. Customize your own NT/2000 Server

1. Version selection: Win2000 comes in many languages. For us the choice is between English and Simplified Chinese, and I strongly recommend the English version as long as language is not an obstacle for you. Keep in mind that Microsoft's products are famous for bugs and patches: the Chinese version has far more bugs than the English one, and its patches generally arrive at least half a month later (that is, after Microsoft announces a vulnerability, your machine stays unprotected for another half month).

2. Component customization: Win2000 installs a default set of components, and it is precisely this default installation that is extremely dangerous. You should know exactly which services you need and install only those. The security principle is: minimum services + minimum permissions = maximum security. The minimum component selection for a typical web server is: from IIS only the Common Files, IIS Snap-in and WWW Server components. If you really need other components, install them with care, especially Indexing Service, FrontPage 2000 Server Extensions and Internet Service Manager (HTML), which are dangerous services.

II. Correctly install NT/2000 Server

Whether NT or 2000, the hard disk partitions should be NTFS.

Description:
(1) NTFS gives finer access control than FAT partitions: you can set different access rights on folders, which strengthens security.
(2) It is best to install onto NTFS partitions in one go rather than installing onto a FAT partition and converting to NTFS afterwards; the conversion may fail once SP5 or SP6 is installed, and can even crash the system.
(3) NTFS partitions carry one potential danger: most anti-virus software cannot clean viruses on an NTFS partition after booting from a floppy disk, so once a malicious virus gets into the system and the system no longer starts normally, the consequences are serious. Do your anti-virus work well.
(4) Some friends, to save disk space, create only one logical drive and install all software on C:. This is very bad. Create at least two partitions: a system partition and an application partition. Microsoft's IIS frequently has source-disclosure or overflow vulnerabilities; if the system and IIS sit on the same drive, a vulnerability can leak system files or even let an intruder remotely obtain admin rights. The recommended secure configuration is three logical drives: the first, larger than 2 GB, holds the system and important log files; the second holds IIS; the third holds FTP. Then a security vulnerability in IIS or FTP does not directly affect the system directory and system files. Keep in mind that IIS and FTP are services users interact with, and they are more prone to problems. Separating IIS and FTP mainly prevents an intruder from uploading a program through FTP and running it through IIS.
(5) Installation sequence: a few ordering questions arise when installing Win2000. First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the Admin$ share but does not protect it with the password you just entered, and this lasts until the next restart; during that window anyone can enter your machine through Admin$. At the same time, as soon as a service is installed it runs automatically, and at that point the server is full of vulnerabilities and very easy to break into. So do not connect the host to the network until Win2000 Server is fully installed and configured. Second, installing patches: patches should be installed after all applications, because a patch often replaces or modifies system files; if the patch is installed first, a later application may undo its effect. For example, the IIS hotfix must be reinstalled after every change to IIS.

III. Security configuration of NT/2000 Server

Even when Win2000 Server is installed correctly there are still many vulnerabilities, and further configuration is necessary.

1. Ports: a port is the logical interface between the computer and the outside network, and it is also the computer's first barrier; correct port configuration directly affects the host's security. In general, opening only the ports you need is safe. The method is to enable TCP/IP filtering in the NIC properties: TCP/IP -> Advanced -> Options -> TCP/IP filtering. Win2000's port filtering has one bad feature: you can only specify which ports to open, not which ports to close, which is painful for users who need a large number of open ports.

2. IIS: IIS is the Microsoft component with the most vulnerabilities; on average a new one appears every two or three months, and the default IIS installation is really nothing to be proud of. IIS configuration is therefore our focus. Everyone follow along: First, delete the Inetpub directory on the C: drive completely, create an inetpub on the D: drive (if you are uneasy about the default directory name, use one you can remember) and point the home directory in the IIS manager at D:\inetpub. Second, delete the default Scripts and other virtual directories created by the IIS installation. If you need permissions, build them up slowly, granting only what is needed (pay special attention to write and execute permissions: do not grant them unless absolutely necessary). Third, application configuration: delete every useless mapping in IIS Manager, keeping only .asp, .asa and the other file types you really use, for example .stm (server-side include). In fact 90% of hosts need only the first two mappings; nearly every other mapping has a miserable story behind it: .htw, .htr, .idq, .ida ... Want to know these stories? Go and check the past vulnerability lists. In IIS Manager right-click the host -> Properties -> Edit WWW Service -> Home Directory -> Configuration -> Application Mappings, and start deleting (delete every one you do not need, heh).
Then, in the App Debugging tab of the same window, change the script error message to "send text error message" (unless you want the ASP error to tell users your program / network / database structure). What should the error text say? Whatever you like; use your imagination. Click OK and do not forget to let the virtual sites inherit the properties you set. After installing a new Service Pack, the IIS application mappings should be reset. (Note: after a new Service Pack is installed some application mappings reappear, creating security vulnerabilities. This is a point administrators easily overlook.)

To deal with the ever-growing number of CGI vulnerability scanners, there is a small trick in IIS: redirect the HTTP 404 Object Not Found error page via URL to a custom .htm file. This makes most CGI vulnerability scanners fail. The reason is simple: most CGI scanners are written for convenience and decide whether a page exists by checking the returned HTTP code. For example, the famous IDQ vulnerability is usually tested by requesting 1.idq; if HTTP 200 comes back the scanner assumes the vulnerability exists, and if HTTP 404 comes back it assumes it does not. If you redirect the HTTP 404 error to http404.htm via URL, every probe returns HTTP 200, and 90% of CGI scanners will report that you have every vulnerability. The result is that your real vulnerabilities are buried and the intruder has nowhere to start. From my point of view, though, doing the security settings properly matters far more than tricks like this.

Finally, to be safe, use IIS's backup feature to back up all settings so that you can restore the secure IIS configuration at any time. Also, if you are afraid a high IIS load will saturate the server, you can enable the CPU limit under Performance, for example limiting IIS to a maximum of 70% CPU usage.

3. Account policy:
(1) Keep accounts as few as possible and use them for logging in as little as possible; every extra account is one more that can be broken.
(2) Besides Administrator, add one more account belonging to the administrators group as a spare; then if a hacker breaks one account and changes its password, we still have a chance to regain control.
(3) Strictly control the rights of all accounts; do not casually give an account special permissions.
(4) Rename Administrator to a name that is not easy to guess. Other ordinary accounts should follow the same principle. Description: this adds an obstacle to hacker attacks.
(5) Disable the Guest account, rename it to a complex name, give it a password, and remove it from the Guests group. Description: otherwise a hacker may elevate this account from an ordinary user into the administrators group.
(6) Give every user account a complex password (external accounts excepted): at least 8 characters long, containing letters, numbers and special characters. Do not use familiar words (such as Microsoft), familiar keyboard sequences (such as qwert) or familiar numbers (such as 2000). Description: the password is the focus of hacker attacks; once it is broken the system has no security at all, and this is often neglected by many net admins. In our tests a 5-character password made only of letters is broken within minutes, whereas the scheme recommended here is far safer.
(7) Passwords must be changed regularly (at least every two weeks), and it is best to keep them only in your head, not written down anywhere.
Furthermore, if an account is found in the audit logs to be under attack, change it immediately (both username and password).
(8) Set a lockout threshold in the account properties, for example lock the account after a certain number of failed logins. This prevents large-scale login attempts and also alerts administrators to the account under attack.

4. Security log:

Win2000's default installation does not enable any security auditing! So go to Local Security Policy -> Audit Policy and enable the appropriate audits. The recommended audit settings are:

Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Success, Failure

The drawback of auditing is that if the wrong items are chosen, the event you want to see has no record; and too many audit items not only consume system resources but bury what you are looking for, which defeats the purpose of auditing. In Account Policies -> Password Policy set: password must meet complexity requirements: enabled; minimum password length: 6 characters; enforce password history: 5; maximum password age: 30 days. In Account Policies -> Account Lockout Policy set: account lockout threshold: 3 invalid logon attempts; account lockout duration: 20 minutes; reset account lockout counter after: 20 minutes. Terminal Services does not log security events by default; you can configure security auditing in Terminal Services Configuration (remote service configuration) -> Permissions, and for ordinary logins, auditing logon and logoff events is enough.

5. Directory and file permissions:
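The account-policy rules from sections 3 and 4 above are easy to state and easy to get subtly wrong, so here is an added Python example (not code from the original article) that implements both: the password-complexity rule of item 3 (6) (at least 8 characters mixing letters, digits and special characters; no familiar words, keyboard sequences or familiar numbers) and the lockout policy of section 4 (lock after 3 failed logons, 20-minute lockout, counter reset after 20 minutes). The page names only "Microsoft" and "2000" as examples; the rest of the word, keyboard-run and number lists are assumptions, as are the account names.

```python
"""Account-policy checks from this guide, as an added Python example (not
the article's own code). Thresholds follow the page: 8+ character passwords
mixing letters/digits/specials with no familiar words, keyboard runs or
numbers; lockout after 3 failures for 20 minutes, counter reset after 20
minutes. The word/run/number lists beyond 'Microsoft' and '2000' are assumed."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The page names "Microsoft" and "2000"; the remaining entries are constructed.
FAMILIAR_WORDS = ("microsoft", "password", "admin", "server")
KEYBOARD_RUNS = ("qwert", "asdfg", "zxcvb", "12345")
FAMILIAR_NUMBERS = ("2000", "1234")
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_password_complexity(password: str, min_length: int = 8) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("contains no special characters")
    lowered = password.lower()
    for word in FAMILIAR_WORDS:
        if word in lowered:
            problems.append(f"contains familiar word '{word}'")
    for run in KEYBOARD_RUNS:
        if run in lowered:
            problems.append(f"contains keyboard sequence '{run}'")
    for number in FAMILIAR_NUMBERS:
        if number in password:
            problems.append(f"contains familiar number '{number}'")
    return problems


class AccountLockoutPolicy:
    """Tracks failed logons per account and enforces the lockout thresholds."""

    def __init__(self, threshold: int = 3,
                 lockout_duration: timedelta = timedelta(minutes=20),
                 reset_counter_after: timedelta = timedelta(minutes=20)) -> None:
        self.threshold = threshold
        self.lockout_duration = lockout_duration
        self.reset_counter_after = reset_counter_after
        # account -> (failure count, time of last failure)
        self._failures: Dict[str, Tuple[int, Optional[datetime]]] = {}
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]  # lockout duration has elapsed
            return False
        return True

    def record_failure(self, account: str, now: datetime) -> bool:
        """Record a failed logon; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        count, last = self._failures.get(account, (0, None))
        if last is not None and now - last >= self.reset_counter_after:
            count = 0  # "reset account lockout counter after" has elapsed
        count += 1
        self._failures[account] = (count, now)
        if count >= self.threshold:
            self._locked_until[account] = now + self.lockout_duration
            self._failures.pop(account, None)
            return True
        return False

    def record_success(self, account: str, now: datetime) -> bool:
        """A correct password is still refused while the lockout is in force."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True


if __name__ == "__main__":
    print(check_password_complexity("Microsoft2000"))
    policy = AccountLockoutPolicy()
    t0 = datetime(2001, 5, 1, 9, 0, 0)
    for i in range(3):
        print("locked:", policy.record_failure("webadmin", t0 + timedelta(seconds=i)))
```

Note that the lockout is evaluated lazily from timestamps rather than with a timer, so the same code works when replaying logon events from a security log as well as in a live check.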

To control what users can do on the server, the access rights of directories and files must also be set very carefully. NT access rights are: read, write, execute, modify, list folder contents and full control. By default most folders are fully open to all users (the Everyone group), and you need to reset permissions according to the application's needs. When controlling permissions, remember the following principles:
1> Permissions accumulate: if a user belongs to two groups, he has all the permissions allowed by both groups.
2> Deny permissions take precedence over allow permissions (the deny rule is applied first): if a user belongs to a group that is denied access to a resource, he cannot access that resource regardless of any other permission settings. So use Deny very carefully; any improper denial can stop the system working properly.
3> File permissions take precedence over folder permissions.
4> Using user groups to control permissions is one of the good habits every mature system administrator must have.
5> Give users only the privileges they need; the principle of least privilege is an important guarantee of security.

6. Install only one operating system. Description: installing two or more operating systems gives a hacker the chance to restart the machine into the other operating system, which has no security settings (or which he is familiar with), and cause damage.

7. Install as a stand-alone server: choose workgroup member, not a domain. Description: a primary domain controller (PDC) is a way of managing many networked machines on a LAN; on a web site server it is a security hazard that gives a hacker the chance to attack the site server through domain vulnerabilities.

8.
Put operating system files on a different partition from web data and other applications, and when installing, do not use the system default directory; for example change \winnt to another directory. Description: a hacker may obtain execute permission on operating system files and thereby cause greater damage. At the same time, if you use IIS, delete all useless mappings in its settings, do not install Indexing Service, and it is best not to install the remote site management and Server Extensions; then delete the WWW content under the default path completely, without mercy, and create a folder on another hard disk to hold your web site. And be sure to enable W3C logging, remember! (Though I would suggest Apache 1.3.24.)

During system installation you must follow the principle of minimum services: do not select useless services, and aim for a minimal installation. More services mean more risk, so do not install useless components!

9. About patches: under NT, if a patch has been installed and you later install a new Windows component from the NT CD, you must reinstall the patch; under 2000 this is not necessary.
(1) The latest patch means the system has a major vulnerability that must be fixed. A server on a local network may not need the very latest patch, but a web site must install it; otherwise hackers may use vulnerabilities in older patch versions to threaten the system. This is something some administrators neglect.
(2) Installing NT SP5 and SP6 carries a potential threat: if the system crashes and you reinstall NT, the system will not recognize the NTFS partitions, because Microsoft improved NTFS in these two patches. NTFS can then only be recognized through the Windows 2000 installation process, which causes a lot of trouble; so do your data backups.
(3) Test a service pack on a test machine before installing it, to avoid crashing the machine through an unexpected cause, and back up data beforehand.
Do not install software unrelated to the web site service. Description: other application software may have well-known security vulnerabilities.

10. Unbind NetBIOS from the TCP/IP protocol

Description: NetBIOS is an indispensable function on a LAN, but it has become the preferred target of hacker scanning tools. Method: NT: Control Panel - Network - Bindings - NetBIOS Interface - Disable. 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP.

11. Delete all network shared resources; remove File and Printer Sharing from the network connection, leaving only the TCP/IP protocol

Description: NT and 2000 have many shared resources by default, which is useful for management and communication on a LAN but a big security hazard on a web server. (Uninstall "File and Printer Sharing for Microsoft Networks". When you view the properties of any connection in Network and Dial-up Connections this option is displayed; click the "Uninstall" button to remove the component. Merely clearing the "File and Printer Sharing for Microsoft Networks" checkbox will not do.) Method:
(1) NT: Administrative Tools - Server Manager - Shared Directories - Stop Sharing. 2000: Control Panel - Administrative Tools - Computer Management - Shared Folders - Stop Sharing. But these two methods are too troublesome: every time the server restarts, the administrator has to stop the shares again.
(2) Modify the registry: run regedit and, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, add the value Name: AutoShareServer, Type: REG_DWORD, Value: 0. Then restart your server; the disk partition shares are gone, but the IPC$ share still exists and must be deleted manually after each restart.

12. Change the NTFS security permissions. Description: by default all files under NTFS are full control for everyone, which lets a hacker add, delete and execute files as he pleases. You need to change the permissions on these files and folders. Test on a test machine before making the changes, and then make them carefully.

13. Strengthen data backup. Description: this is very important. The core of a web site is its data, and losing it is unimaginable; this is also often what a hacker is truly after. Regrettably, many net admins do poorly here: either the backup is incomplete or it is not timely.
Data backups need careful planning: develop a strategy, verify it in testing, and keep adjusting the backup plan as the web site is updated.

14. Keep only the TCP/IP protocol; delete NetBEUI and IPX/SPX. Description: NetBEUI and IPX/SPX are obsolete protocols with no use on a web site, but they can be used by some hacker tools.

15. Do not use the IP forwarding feature: Control Panel -> Network -> Protocols -> TCP/IP Protocol -> Properties; leave this box unchecked. (NT) Description: by default NT's IP forwarding is disabled, but make sure it is not enabled, otherwise the machine will route packets and can be used by a hacker to attack other servers.

16. Install the latest MDAC (http://www.microsoft.com/data/download.htm). Description: MDAC is the data access component through which programs usually access databases, but it is also a hacker target. To prevent vulnerabilities of the previous version being carried into the upgraded version, it is recommended to uninstall the old version before installing the latest one.

Note: test before installing the latest version, because some data access methods may no longer be supported in the new version; in that case the vulnerability can be closed by modifying the registry, see the vulnerability test document.

17. Set up an IP deny list. Description: for the WWW service you can deny addresses that attack the site; for the FTP service in particular, if you only use it to upload files, you can allow only the company's IP addresses to access FTP, which greatly improves security.

18. Prohibit anonymous access to the FTP service. Description: if anonymous access to FTP is allowed, the anonymous account is likely to be used to obtain more information, resulting in harm to the system.

19. Use the W3C extended log file format, recording client IP address, user name, server port, method, URI stem, HTTP status and user agent, and review the log every day. (Do not use the default directory; change the log path, and set the log's access rights so that only Administrators and SYSTEM have full control.) Description: this is an important measure: you can discover signs of an attack and take precautions, and the log serves as evidence of an attack.

20. Restrict access to the web site directory: in general do not give directories write permission or directory browsing permission. Give directories holding .asp files only Script permission, never Execute permission. Description: directory access must be handled cautiously, otherwise it will be exploited.
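Item 19 says to review the W3C extended log every day but does not say what to look for. The following is an added Python example (not code from the original article) of such a review: it parses the `#Fields:` directive so the columns follow whatever the server was configured to log, then flags any request for one of the legacy mappings the IIS section says to remove (.htw, .htr, .idq, .ida) and any client that probes many distinct paths while collecting mostly 404s, which is the footprint of the CGI vulnerability scanners described earlier. The log lines are constructed sample data and the thresholds are assumptions.

```python
"""Daily W3C extended log review, as an added Python example (not the
article's own code). The sample log below is constructed; the two
thresholds in find_scanners() are assumptions for the example."""
from collections import defaultdict
from typing import Dict, List

# Extensions the IIS section says to unmap; any request for them deserves a look.
DANGEROUS_EXTENSIONS = (".htw", ".htr", ".idq", ".ida")

# Constructed sample in IIS W3C extended format (spaces in values are logged as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-01 00:00:01 192.0.2.10 - 80 GET /index.asp - 200 Mozilla/4.0
2001-05-01 00:00:02 192.0.2.10 - 80 GET /images/logo.gif - 200 Mozilla/4.0
2001-05-01 00:01:10 198.51.100.7 - 80 GET /1.idq - 404 -
2001-05-01 00:01:11 198.51.100.7 - 80 GET /a.ida - 404 -
2001-05-01 00:01:12 198.51.100.7 - 80 GET /b.htr - 404 -
2001-05-01 00:01:13 198.51.100.7 - 80 GET /cgi-bin/x - 404 -
2001-05-01 00:01:14 198.51.100.7 - 80 GET /scripts/y - 404 -
2001-05-01 00:01:15 198.51.100.7 - 80 GET /z.htw - 404 -
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per entry, keyed by the names from the #Fields directive."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # a new directive can change the layout
            continue
        if not fields:
            raise ValueError("log entry seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated line rather than misalign the columns
        entries.append(dict(zip(fields, values)))
    return entries


def flag_dangerous_mappings(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries whose path ends in an extension that should no longer be mapped."""
    return [e for e in entries if e["cs-uri-stem"].lower().endswith(DANGEROUS_EXTENSIONS)]


def find_scanners(entries: List[Dict[str, str]], min_paths: int = 5,
                  min_404_ratio: float = 0.8) -> List[str]:
    """Client IPs that requested many distinct paths and mostly got 404s."""
    paths: Dict[str, set] = defaultdict(set)
    total: Dict[str, int] = defaultdict(int)
    not_found: Dict[str, int] = defaultdict(int)
    for e in entries:
        ip = e["c-ip"]
        paths[ip].add(e["cs-uri-stem"])
        total[ip] += 1
        if e["sc-status"] == "404":
            not_found[ip] += 1
    return sorted(ip for ip in total
                  if len(paths[ip]) >= min_paths and not_found[ip] / total[ip] >= min_404_ratio)


if __name__ == "__main__":
    log_entries = parse_w3c_log(SAMPLE_LOG)
    for hit in flag_dangerous_mappings(log_entries):
        print("legacy mapping requested:", hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
    print("probable scanners:", find_scanners(log_entries))
```

One caveat worth noting: if the 404-to-200 redirect trick from the IIS section is in use, every probe is logged with status 200 and the 404-ratio heuristic stops working; the extension check still works because it keys on the path, which is why both are kept.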

21. ASP programming security: security is not only the net admin's job; programmers must also pay attention to certain security details, otherwise they hand hackers an opening. At present the ASP programs on most web sites have such security vulnerabilities, but with care in coding they can still be avoided.

Programs involving usernames and passwords are best packaged on the server side and should appear in ASP files as little as possible; the username and password used to connect to the database should be given minimal permissions. Description: usernames and passwords are the things hackers are most interested in, and if they are seen in some way the consequences are serious. So minimize the number of times they appear in ASP files. A username and password that would otherwise appear many times can be written in one place in a relatively hidden include file. If a database connection is involved, give it only permission to execute stored procedures; do not directly give the user permission to modify, insert or delete records.

An ASP page that requires validation can be tracked by the file name of the previous page, so that only a session that arrives from the previous page can read this page. Description: most current ASP validation programs just add a judgement statement at the top of the page, but that is not enough: a hacker may bypass the validation by entering the page directly, so the previous page must be tracked. For specific vulnerabilities see the published documents.

Prevent leaking of ASP home page .inc files. When an ASP home page is put on the site before debugging is finished, it can be indexed as a search object; if someone uses a search engine to look for these pages at that time, they will get the location of the file and be able to see details of the database location and structure in the browser, revealing the complete source code.
Solution: programmers should debug completely before releasing pages; security experts need to secure the ASP include files so that users cannot see them. First, encrypt the contents of the .inc file; second, use .asp files instead of .inc files so that the user cannot view the file's source code directly from the browser. Do not give .inc files names that are system defaults or have special meaning, which are easy for users to guess; use irregular English letters.

Note that some ASP editors automatically back up ASP files, and those backups can be downloaded. When creating or modifying an ASP file, some editing tools automatically create a backup file; for example UltraEdit backs up a .bak file: if you create or modify some.asp, the editor automatically generates some.asp.bak, and if you do not delete this .bak file an attacker can download some.asp.bak and so obtain the source of some.asp.

In ASP programs that handle input boxes, such as message boards and BBS, it is best to block HTML, JavaScript and VBScript statements. If there is no special requirement, restrict input to letters and numbers only, blocking special characters, and limit the length of the input. Moreover, the legality check must be done not only on the client but also in the server-side program. Description: the input box is a target hackers exploit: by entering scripting languages they can harm the user's client; if the input box feeds a data query, they use special query input to get more database data, even entire tables. So input boxes must be filtered. But if the check is done only on the client, it can still be bypassed, so it must be checked again on the server side.
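Two of the ASP points above, the "track the previous page" check and server-side filtering of input boxes, are shown here as an added Python example (not the article's own code, which would be classic ASP). validate_input() applies the page's advice: whitelist letters and digits unless a field genuinely needs more, cap the length, and reject HTML, JavaScript and VBScript fragments even when the client already checked. authorize_page() serves a protected page only to a session that arrived from the page the flow says must come before it. The page names, field names and session layout are assumptions.

```python
"""Server-side input filtering and previous-page tracking, as an added
Python example (not the article's own code). Page names, field values and
the session layout below are assumed for the example."""
import html
import re
from typing import Dict, Tuple

ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")
# Tag openers, script URL schemes and inline event handlers: none of these
# belong in a message-board post, so the server refuses them outright.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|vbscript:|\bon\w+\s*=", re.IGNORECASE)


def validate_input(value: str, max_len: int, alnum_only: bool = True) -> Tuple[bool, str]:
    """Return (accepted, safe_value). A rejected value is never echoed back raw."""
    if len(value) > max_len:
        return False, ""
    if alnum_only:
        # Strict whitelist for fields such as usernames, as the page recommends.
        return (True, value) if ALNUM_ONLY.fullmatch(value) else (False, "")
    # Free-text field: refuse markup/script, HTML-encode what remains for display.
    if SCRIPT_MARKERS.search(value):
        return False, ""
    return True, html.escape(value, quote=True)


# Which page a session must have come from immediately before each protected page.
PAGE_FLOW: Dict[str, str] = {
    "admin.asp": "login.asp",
    "editpost.asp": "viewpost.asp",
}


def authorize_page(session: Dict[str, str], requested: str) -> bool:
    """Allow a protected page only if the session really arrived from its predecessor."""
    required_previous = PAGE_FLOW.get(requested)
    if required_previous is None:
        return True  # not a protected page
    if session.get("authenticated") != "yes":
        return False  # the usual header check still applies
    # The extra check the page asks for: direct entry has no (or the wrong) previous page.
    return session.get("previous_page") == required_previous


def serve(session: Dict[str, str], requested: str) -> bool:
    """Decide the request, then record this page as the predecessor of the next one."""
    allowed = authorize_page(session, requested)
    session["previous_page"] = requested
    return allowed


if __name__ == "__main__":
    print(validate_input("user01", 16))
    print(validate_input("Tom & Jerry <b>hi</b>", 64, alnum_only=False))
    s = {"authenticated": "yes"}
    print(serve(s, "admin.asp"), serve(s, "login.asp"), serve(s, "admin.asp"))
```

The previous-page value is held in server-side session state, not in a form field or the Referer header, because anything the client supplies can be forged; the flow table is the one place that has to be kept in step with the site's page structure.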

22. Prevent the Access MDB database from being downloaded. When you use Access as the back-end database, if someone knows or guesses the server path and the database name, he can download the Access database file, which is very dangerous. Solution:
(1) Give your database file a complex, unconventional name and put it several directories deep. "Unconventional" means, for example, that a database holding information about books should not be called book.mdb but something odd such as d34ksfslf.mdb, placed several levels down such as ./kdslf/i44/studi/; then a hacker cannot get your Access database file by guessing.
(2) Do not write the database name in the program. Some people like to write the DSN in the program, such as:

dbpath = server.mappath("cmddb.mdb")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath

If someone obtains the source, the name of your Access database is exposed. It is therefore recommended to set up a data source in ODBC and write in the program: conn.open "shujiyuan"
(3) Use Access to encode and encrypt the database file. First, Tools -> Security -> Encode/Decode Database, select the database (for example employer.mdb) and confirm; in the "Encode Database As" window that follows, save it as employer1.mdb. employer.mdb is then encoded into employer1.mdb. Encoding alone, however, does not stop someone who obtains the file from opening it in Access to view the content of the database file. Next we encrypt the database: open the encoded employer1.mdb in Exclusive mode, then choose Tools -> Security -> Set Database Password and enter a password. Then even if someone gets the employer1.mdb file, without the password he cannot see what is in employer1.mdb.

23. SQL Server security: SQL Server is the database system most used on the NT platform, but its security must also be attended to. The database usually holds the most valuable information, and the consequences of data theft are unimaginable.

Update patches promptly. Description: as with NT, many SQL Server vulnerabilities are fixed by patches. Test on a test machine before installing a patch, and back up the target server's data.

Give SA a complex password. Description: SA has every permission over SQL Server database operations. Unfortunately some net admins are not familiar with databases, and the work of setting up the database is done by programmers who only care about writing the SQL statements themselves and are not familiar with SQL Server administration, which easily leaves the SA password empty. This is a serious threat to database security, and at present quite a few sites are in this state.

Strictly control the permissions of database users: do not casually give users direct query, change, insert or delete permissions; let users access views and execute stored procedures only. Description: if a user has direct operation permissions, the data can be destroyed.

Develop a complete database backup and recovery strategy.

24. pcAnywhere security: pcAnywhere is currently the most popular NT and 2000 remote control tool, and its security also needs attention. Use a separate username and password, preferably with the encrypted method. Do not use the same username and password as the NT administrator, and do not use the NT-integrated password.
At the same time, use strong encryption in the Security Options, reject lower encryption levels, encrypt the username and password during authentication, and limit the number of connection attempts. Another important point is to set a high-strength password under Protect Item, and restrict the settings so that the Host end cannot be viewed: even to view the host's settings a password must be entered! Description: the pcAnywhere password is the first gateway of remote control; if it is the same as the NT password, once it is broken there is no security left. With a separate password, even if pcAnywhere is broken, NT still has its own password barrier. Upgrade to newer versions promptly.

2. Intermediate: IIS security and performance tuning

In fact security and applications often conflict, so you need to find a balance: after all the server exists to be used, not to be an open target for hackers, and if a security principle hinders the system's application then it is not a good principle. Network security is a systems engineering problem that spans both space and time. Many friends (including some system administrators) believe a host that has had its security configured is safe. This is a misunderstanding: we can only say a host is safe in a given situation. As the network structure changes, new vulnerabilities are discovered and administrators/users operate the system, the host's security situation changes all the time; only continuous security awareness and a security system achieve real safety.

Eight methods of increasing the performance of an IIS 5.0 site server

The following are eight ways to improve the performance of an IIS 5.0 web server:
1. Enabling HTTP keep-alive can improve execution efficiency by 15-20%.
2. Not enabling logging improves execution efficiency by 5-8%.
3. Using [isolated] handlers loses 20% of execution efficiency.
4. Increase the number of files cached in memory to improve Active Server Pages performance.
5. Do not use CGI programs.
6. Add CPUs to the IIS 5.0 machine.
7. Do not enable ASP debugging.
8. Use HTTP compression for static web pages, which reduces the transfer volume by 20%.
Brief introductions follow.

1. Enable HTTP keep-alive. When HTTP keep-alive is enabled, the connection between IIS and the browser is not torn down after each request but kept until the browser closes it, which improves execution efficiency. Because of the "Keep-Alive" state, a new connection does not have to be established for every client request, so the server's efficiency improves. This feature is on by default in HTTP/1.1, and HTTP/1.0 with a Keep-Alive header can provide the same function.

2. Enable HTTP's persistence can improve 15 to 20% of execution efficiency. How to enable HTTP's persistent effect? The steps are as follows: In the [Internet Service Administrator], select the entire IIS computer, or the web station, on the [Main Directory] page of [Content], check [HTTP's continuous action] option.

3. Do not enable records that do not enable records can improve 5 to 8% of the execution efficiency. How to set up not enable record? The steps are as follows: In the [Internet Service Administrator], choose the entire IIS computer, or the web station, on the [Profile] page of [Content], does not check the [Enable Record] option. Setting a non-stand-alone handler uses [independent] handler to lose 20% of execution efficiency, the so-called independent "system refers to the [Main Directory], [Virtual Directory] page Application Protection Options to [High" (Independent)]. So [Application Protection] is set to [Low (IIS Processor)] How to set non-"independent" processing programs when [low (IIS handler)]? The steps are as follows: In the [Internet Service Administrator], choose the entire IIS computer, web station, or start directory of the application. In [Content] [Main Directory], [Virtual Directory] page, set the Application Protection Option to [Low (IIS Processor)].

4. Adjusting Cache Memory IIS 5.0 Temubaistically stores the static web page information in a cache memory; IIS 4.0 temporarily stores the static web information in the file. Adjusting Cache memory saves files can improve execution efficiency. After the ASP instruction file is executed, it will be temporarily stored in a cache memory to improve the performance performance. Increase the number of saved files to the memory, improve the effectiveness of Active Server Pages. You can set all the number of quick-optic memory files performed throughout the IIS computer, "Independence" Web Station, or "Independ" application. How to set up a cache function? The steps are as follows: Select the entire IIS computer, "Independence" Web Station, or "Independ" application in [Internet Service Administrator]. When [Contents] [Main Catalog], [Virtual Directory] page, press [Set] button, you can set [Instruction Board Commission Memory]. How to set the number of cache memory files? The steps are as follows: In the [Internet Service Administrator], choose the entire IIS computer, or the start directory of the web station. Press the [Setting] button in [Server Expansion "page in [Content]. You can set the number of cache memory files. 5. Do not use the CGI program to use the CGI program, because the processor must constrain and destroy, there is poor execution efficiency. In general, the execution efficiency is compared: Static web page (static): 100 isapi: 50 ASP: 10 CGI: 1 In other words, the ASP may be 10 times faster than CGI, so do not use the CGI program to improve IIS execution efficiency. In terms of flexibility: ASP> CGI> ISAPI> Static web page (static). In terms of safety (security): ASP (independent) = ISAPI (independent) = CGI> ASP (non-independent) = ISAPI (non-independent) = static web page (static)

6, increasing the number of IIS 5.0 computer CPUs According to Microsoft's test report, increasing the number of IIS 4.0 computers CPUs, do not improve how much; but increase the number of IIS 5.0 computer CPUs, execution efficiency will be almost proportionally, in other words, The IIS5.0 computer execution efficiency of two CPUs is almost twice that of a CPU computer. The four CPU IIS 5.0 computer execution efficiency is almost a four-fold IIS 5.0 of a CPU computer. IIS 5.0 will be temporarily stored for quick-sink (Cache) Memory; IIS 4.0 temporarily stores static web information in the file. Adjusting Cache memory saves files can improve execution efficiency.

7. Enabling an ASP URF function Do not enable ASP detection to improve execution efficiency. How do you do not enable ASP detection? The steps are as follows: In [Internet Service Administrator], select the web platform, or the start directory of the application, press the right click to select [Content], press [Main Directory], [Directory] or [Directory] page, press [ Settings] button, select [Application Device] page, do not check [Enable ASP Server Device Instruction Data], [Enable ASP User Directive Default] option. 8, static web pages use HTTP compressed static web pages with HTTP compression, approximately 20% of the transfer amount. HTTP compression is enabled or off, which is set for the entire IIS server. The user ends uses IE 5.0 browser to connect to the HTTP compressed IIS5.0 web server, with HTTP compression. How do I enable HTTP compression? The steps are as follows: To enable HTTP compression, the method is in [Internet Service Administrator], select [Content] below [Content], and select [WWW service] below [Main content]. Then press the [Edit] button, on the [Service] page, select [Compressed Static Archive] to compress static files, do not select [Compressed Application Profile]. Dynamically generated content files (compressed application files) can also be compressed, but it is recommended not to compress an additional CPU processing time. If the% processor Time is 80%, it is recommended not to compress

The above are the parameter settings and performance tuning for using IIS as a web server, which get the most out of IIS. Personally, though, I think there is nothing against using Apache instead, which has fewer vulnerabilities; I recommend Apache 1.3.24, because recent tests showed that Apache 1.3.23 has an overflow vulnerability (don't be afraid, this vulnerability is very minor). I also personally recommend not relying on ASP if you want peace of mind about security; JSP is better: good security, powerful, and absolutely worth it, since PHP also has plenty of holes.

Attachment: IIS security tools and their instructions

First, IIS Lock Tool: quickly set IIS security properties

The IIS Lock Tool owes its existence to Code Red: because Code Red spread so widely, Microsoft designed and released this tool to help administrators secure IIS.

(1) The IIS Lock Tool has the following features and functions

1. Its most basic function is to help the administrator configure IIS security;

2. The tool can be used on IIS4 and IIS5;

3. Even if the system has not had all patches installed in time, it can still effectively block known vulnerabilities in IIS4 and IIS5;

4. It helps the administrator remove the services this web site does not need, so that IIS runs the smallest set of services the site requires;

5. It has two modes: express mode and advanced mode. Express mode configures IIS security directly, but is only suitable for sites that use only static HTML and HTM pages, because ASP can no longer run after it completes; advanced mode lets the administrator set each property individually, and when set properly has no impact on any IIS function.

(2) Using the IIS Lock Tool

1. Downloading and installing the software

The IIS Lock Tool can be downloaded from Microsoft's web site at http://www.microsoft.com/downloads/release.asp?ReleaseID=32362. Installation is simple; note that after installation the program appears neither in the system's [Programs] menu nor in [Administrative Tools], so the installer has to look for it in the installation directory.

2. Using the software

In the following walkthrough we explain the meaning of each step and the recommended setting. The reason for describing it in detail is so that you understand what the settings mean and how they interact with the security settings we made earlier, so that the system does not break after the tool has finished.

Run the software; the following interface appears first (Figure 1):

Figure 1

The interface above describes the basics of the IIS Lock Tool and the points to note: 1) it keeps only the minimum services this site needs and removes the rest; 2) after the configuration is complete, it is recommended to test the site thoroughly to confirm that the settings suit it.

Click the [Next] button and the following interface appears (Figure 2):

Figure 2

In the interface above you choose whether to run the software in express mode or advanced mode; the software describes the difference between the two:

Express mode: this mode turns off some of IIS's advanced service properties, including dynamic pages (ASP); so, to repeat, express mode is only suitable for sites serving static pages. Of course, this mode is also the relatively safest.

Advanced mode: this mode lets the installer customise each property while keeping the advanced features running.

We do not need to describe the express mode settings; clicking [Next] simply applies them. Let us choose [Advanced Lockdown] and click [Next]; the following interface appears (Figure 3):

Figure 3

The interface above helps the administrator configure the various script mappings; here is how to set each one:

1) Disable support for Active Server Pages (ASP). Selecting this makes IIS stop supporting ASP; decide according to the site's needs, since sites generally need to run ASP programs;

2) Disable support for Index Server Web Interface (.idq, .htw, .ida). Selecting this disables the indexing service, i.e. .idq, .htw and .ida files are no longer supported. Let us first look at what the indexing service is before deciding. Index Server is the content indexing engine included with IIS4; you can call it through ADO to search your site, and it gives you a very good site search engine. If your site does not use Index Server to search the site, you can cancel it; the benefits are: 1) less system load; 2) effective protection against worms and attackers that exploit Index Server vulnerabilities, since those vulnerabilities can let an attacker control the web server and also expose the physical location of web files on the server (via .ida, .idq). So we generally recommend ticking this item, i.e. disabling the indexing service;

3) Disable support for server side includes (.shtml, .shtm, .stm). Let us first see what server side includes are: SSI lets an HTML file call commands or pointers through comment-style directives. SSI is powerful: a simple SSI command can update content across the whole site, display the time and date dynamically, and execute complex features such as shell and CGI scripts. In general we do not use this feature, so it is recommended to disable it and remove a potential IIS vulnerability; 4) Disable support for Internet Data Connector (.idc). Let us first see what the Internet Database Connector does: it lets HTML pages connect to a back-end database to produce dynamic pages. Note that IIS4 and IIS5 basically no longer use IDC, so it is recommended to tick this item and cancel IDC;

5) Disable support for Internet printing (.printer). We generally never use this feature, so disabling it is recommended; doing so avoids the .printer remote buffer overflow vulnerability, which allows an attacker to remotely break into the IIS server and execute any command as the system administrator;

6) Disable support for .htr scripting (.htr). Cancel the HTR mapping: an attacker can construct a special URL request via HTR that may expose part of the site's file source code (including ASP). It is recommended to tick this item and cancel the mapping;

Having understood the settings above, we can decide according to the site. Apart from ASP, which is needed, a typical site can cancel everything else: leave the first item unticked, tick all the others, and press the [Next] button; the following interface appears (Figure 4).

Figure 4

The interface above lets the administrator choose which of the files installed by IIS's default installation to keep; let us see how to choose:

1) Remove Sample Web Files. Delete the sample web files; deletion is recommended, because we do not need to read these files on the server, and they may let an attacker read page source code (including ASP);

2) Remove the Scripts Virtual Directory. Delete the scripts virtual directory; deletion is recommended;

3) Remove the MSADC Virtual Directory. Delete the MSADC virtual directory; deletion is recommended;

4) Disable Distributed Authoring and Versioning (WebDAV). Remove WebDAV; WebDAV mainly lets administrators write and modify pages remotely. Normally deletion is recommended; the benefit is avoiding the IIS5 WebDAV vulnerability, which can bring the server to a halt.

5) Set File Permissions to Prevent the IIS Anonymous User from Executing System Utilities (such as cmd.exe, tftp.exe). Prevent the anonymous user from running executables such as cmd.exe and tftp.exe; selecting this is recommended, because Code Red and Nimda use these utilities. 6) Set File Permissions to Prevent the IIS Anonymous User from Writing to Content Directories. Prevent the anonymous user from having write permission on the content directories; this needs no explanation and is recommended;

After setting the options above, press the [Next] button and the following interface appears (Figure 5):

Figure 5

It asks you to confirm the settings above; select [Yes], and the following interface (Figure 6) shows the settings being applied to the system:

Figure 6

In the interface above we can see the detailed IIS settings being made. After it completes, restarting IIS is recommended.

Second, URLScan: filtering illegal URL requests

Looking carefully at IIS's vulnerabilities, we can draw this conclusion: every attack that exploits them works by constructing a special URL to access the site. In general, URLs that can exploit a vulnerability fall into the following types:

1. Unusually long URLs, such as the URL Code Red uses to attack a site:

GET /default.idaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200;

2. URLs with special characters or strings, for example appending ::$DATA after the URL reveals the (ASP) page's source code;

3. URLs containing an executable file name, most commonly cmd.exe;

Since these attacks all rely on special URLs, Microsoft provides a security tool dedicated to filtering illegal URLs, which keeps the attacker at the door. The tool has the following features and functions:

1. Basic function: filter illegal URL requests;

2. Rules decide which URL requests are legal; this lets you write a URL request rule set specific to this site, and when a new vulnerability appears you can change the rules to defend against it;

3. The program ships with a set of URL request rules that already covers known exploits, which helps the administrator write rules;

(1) Downloading and installing the software

URLScan can be downloaded from Microsoft's web site, as follows:

http://download/iis50/utility/1.0/nt45xp/en-us/urlscan.exe . Installation is like any other software, except that the installation path cannot be chosen. After installation we find the following files in the System32\inetsrv\urlscan directory:

urlscan.dll: the dynamic link library (the ISAPI filter itself); urlscan.inf: installation information file; urlscan.txt: software documentation; urlscan.ini: the configuration file. Everything URLScan does is configured through this one file.

(2) Configuring the software

The software is configured through the urlscan.ini file. Before configuring this file we need some basic knowledge.

1. Format of the URLScan configuration file

The URLScan configuration file must follow these rules:

(1) The file name must be urlscan.ini;

(2) The configuration file must be in the same directory as urlscan.dll;

(3) The configuration file must use the standard INI structure, made up of sections, strings and values;

(4) After the configuration file is modified, IIS must be restarted for the configuration to take effect;

(5) The configuration file consists of the following sections:

[Options]: the main settings section;
[AllowVerbs]: the request methods (verbs) treated as legal; this setting is tied to the Options section;
[DenyVerbs]: the request methods treated as illegal; tied to the Options section;
[DenyHeaders]: the request headers treated as illegal;
[AllowExtensions]: the file extensions treated as legal; tied to the Options section;
[DenyExtensions]: the file extensions treated as illegal; tied to the Options section.

2. Specific configuration

(1) Configuring the Options section. Because the Options settings directly affect how the other sections are applied, this section is particularly important. It consists mainly of the following properties:

UseAllowVerbs: check URL requests in allow mode. If set to 1, every request whose verb is not listed in [AllowVerbs] is denied; if set to 0, every request whose verb is not listed in [DenyVerbs] is considered legal. Default is 1;

UseAllowExtensions: check file extensions in allow mode. If set to 1, every file extension not listed in [AllowExtensions] is treated as an illegal request; if set to 0, every extension not listed in [DenyExtensions] is treated as a legal request. Default is 0;

EnableLogging: whether to write a log file. If 1, every filtered request is recorded in urlscan.log in the same directory;

AllowLateScanning: allow other URL filters to run before URLScan. The system default is 0, not allowed;

AlternateServerName: replacement server name. If this entry exists and RemoveServerHeader is set to 0, IIS sends the name set here instead of the default Server header.

NormalizeUrlBeforeScan: normalize (decode) the URL before checking it. If 1, URLScan checks the URL after IIS has decoded it; note that only an administrator very familiar with URL parsing should set this to 0. Default is 1;

VerifyNormalization: if set to 1, URLScan verifies the URL normalization. Default is 1; this entry works together with NormalizeUrlBeforeScan;

AllowHighBitCharacters: if set to 1, any byte is allowed in the URL; if 0, a URL containing non-ASCII characters is rejected. Default is 1;

AllowDotInPath: if set to 1, all URL requests containing more than one "." are rejected. Because URLScan checks the URL before IIS parses it, the accuracy of this check cannot be guaranteed; default is 0;

RemoveServerHeader: if set to 1, the Server header is removed from all responses; default is 0;

(2) Configuring the [AllowVerbs] section

If UseAllowVerbs is set to 1, only the requests listed in this section are allowed; the following are generally listed:

GET, HEAD, POST

(3) Configuring the [DenyVerbs] section

If UseAllowVerbs is set to 0, every request listed in this section is rejected; the following are generally listed:

PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK

(4) Configuring the [AllowExtensions] section

All extensions listed in this section are allowed to be requested; the following are generally listed:

.txt, .jpg, .jpeg, .gif; if you provide file downloads, add .rar and .zip

(5) Configuring the [DenyExtensions] section

All files whose extension is listed in this section are rejected. As vulnerabilities are discovered we can add to this section; generally: .asa, executables, batch files, log files, and rarely used extensions such as .shtml, .printer, and so on.
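To make the [Options], [AllowVerbs], [DenyVerbs], [AllowExtensions] and [DenyExtensions] semantics concrete, here is an added example (it is not Microsoft's URLScan code, and the urlscan.ini text and the sample requests are constructed for this illustration). It parses an ini file laid out as described above and classifies the three kinds of attack URL listed at the start of this section the way the documented options say URLScan would. It follows the shipped urlscan.ini semantics, in which AllowDotInPath=0 is the restrictive value that rejects a path with more than one dot; [DenyHeaders] is omitted.

```python
"""Model of URLScan's urlscan.ini request filtering (added example, not the
Microsoft tool).  The ini text and the requests below are constructed; the
[DenyHeaders] section is not modelled."""
import configparser
from urllib.parse import unquote

# Constructed urlscan.ini: allow mode for verbs, deny mode for extensions.
URLSCAN_INI = """\
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

[AllowExtensions]
.htm
.txt
.jpg
.gif

[DenyExtensions]
.asa
.exe
.bat
.log
.shtml
.printer
.ida
.idq
.htr
"""


def load_config(text):
    """Parse urlscan.ini text into (options dict, {section: set of entries}).
    configparser lower-cases keys, which gives the case-insensitive matching
    IIS uses for verbs and extensions."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    options = {name: int(value) for name, value in cp["Options"].items()}
    lists = {section: set(cp[section].keys())
             for section in ("AllowVerbs", "DenyVerbs",
                             "AllowExtensions", "DenyExtensions")}
    return options, lists


def _extension(path):
    """Extension of the last path segment, lower-cased ('' if none)."""
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return last[dot:].lower() if dot != -1 else ""


def check_request(method, raw_url, options, lists):
    """Return (allowed, reason) for one request: verb, normalization,
    high-bit characters, dots in path, then extension."""
    verb = method.lower()
    if options["useallowverbs"]:
        if verb not in lists["AllowVerbs"]:
            return False, f"verb {method} not in [AllowVerbs]"
    elif verb in lists["DenyVerbs"]:
        return False, f"verb {method} in [DenyVerbs]"

    url = raw_url
    if options["normalizeurlbeforescan"]:
        url = unquote(raw_url)           # decode %xx once, as IIS would
        # VerifyNormalization: a URL that decodes differently a second time
        # was double-encoded to hide what it really requests.
        if options["verifynormalization"] and unquote(url) != url:
            return False, "URL changes on second decode (double encoding)"

    if not options["allowhighbitcharacters"] and any(ord(c) > 127 for c in url):
        return False, "high-bit character in URL"

    path = url.split("?", 1)[0]          # the query string is not part of the path
    if not options["allowdotinpath"] and path.count(".") > 1:
        return False, "more than one '.' in path (AllowDotInPath=0)"

    ext = _extension(path)
    if options["useallowextensions"]:
        # Allow mode: a directory request (no extension) is passed on,
        # anything else must be listed explicitly.
        if ext and ext not in lists["AllowExtensions"]:
            return False, f"extension {ext} not in [AllowExtensions]"
    elif ext in lists["DenyExtensions"]:
        return False, f"extension {ext} in [DenyExtensions]"
    return True, "ok"


# Constructed sample requests: the URL types listed in the text (over-long .ida
# request, special encoding, executable name) plus ordinary page requests.
SAMPLE_REQUESTS = [
    ("GET", "/index.htm"),
    ("HEAD", "/images/logo.gif"),
    ("PROPFIND", "/"),
    ("GET", "/default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801"),
    ("GET", "/scripts/cmd.exe"),
    ("GET", "/docs/%2541.htm"),
    ("GET", "/a.b/page.htm"),
]


def scan_requests(requests=SAMPLE_REQUESTS, ini_text=URLSCAN_INI):
    """Classify each request; returns [(method, url, allowed, reason), ...]."""
    options, lists = load_config(ini_text)
    return [(m, u, *check_request(m, u, options, lists)) for m, u in requests]


if __name__ == "__main__":
    for method, url, allowed, reason in scan_requests():
        print("ALLOW" if allowed else "DENY ", method, url[:40], reason)
```

Switching UseAllowVerbs to 0 in the ini text shows the other mode: PUT is then refused only because it appears in [DenyVerbs], while any verb missing from both lists passes, which is why the allow mode is the safer default.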

Third, summary

The two tools above are powerful and genuinely protect IIS. The IIS Lock Tool is simple but, relatively speaking, only a passive defence; URLScan is harder to configure and is recommended for administrators very familiar with IIS, but it is more powerful. When using URLScan, do not treat it as set-and-forget: you need to keep track of new vulnerabilities and update the URLScan configuration file accordingly.

3. Advanced: NT/2000 advanced security settings

1. Disable null sessions, preventing anonymous users from obtaining the user name list

Win2000's default installation allows any user to obtain the system's complete account and share list through a null session. This was originally intended to make file sharing on a LAN easier, but it also lets a remote user obtain your user list and then brute-force the passwords. Many people know that null connections over port 139 can be disabled by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1. In fact the same setting also exists in the Win2000 Local Security Policy (on a domain controller it is in the domain controller security policy and the domain security policy) as "Additional restrictions for anonymous connections" (RestrictAnonymous). The option has three values:

0: None. Rely on default permissions.
1: Do not allow enumeration of SAM accounts and shares.
2: No access without explicit anonymous permissions.

0 is the system default and imposes no restriction: a remote user can learn all the accounts on your machine, the group information, the shared directories, the network transport list (NetServerTransportEnum) and so on. This setting is very dangerous for a server. 1 allows only non-null (authenticated) users to access SAM account information and share information. 2 is new in Win2000 and needs care: if you use it, your shares will probably all stop working, so I recommend setting it to 1. Now the intruder has no way to get our user list, and our accounts are safer.

2. Disable display of the last logged-on user name. Set the string value DontDisplayLastUserName ("Don't Display Last User Name") under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 1, so the system no longer shows the user name of the last console logon. In Win2000 this option also exists in the Local Security Policy. On Windows NT 4.0, modify the registry: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon add DontDisplayLastUserName and set it to 1.

2. Preventing DoS:

Changing the following values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters helps defend against DoS attacks of a certain intensity:

SynAttackProtect REG_DWORD 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300000
PerformRouterDiscovery REG_DWORD 0
EnableICMPRedirects REG_DWORD 0

How to turn off ICMP (ping) in Win2000

3. ICMP attacks. ICMP stands for Internet Control Message Protocol; it carries error and control messages and is the basis of well-known tools such as ping and tracert, which use the ICMP Echo Request packet (request: ICMP ECHO, type 8 code 0; reply: ICMP ECHO REPLY, type 0). ICMP is connectionless, which makes it very flexible but also gives it a fatal flaw: it is easy to forge (like the sender's address on an envelope). Anyone can fabricate an ICMP message and send it; a forger can use SOCK_RAW programming to rewrite the ICMP header and IP header directly, so the source address is faked and cannot be traced at the destination (an attacker who need not fear being caught is hardly going to hold back). On this principle many ICMP-based attack tools exist: some exploit weaknesses in the network architecture to create ICMP storms, some use very large packets to clog the network, some use ICMP fragment attacks to consume server CPU, and some even use ICMP as the channel for a trojan that needs no TCP/UDP port at all (see part three of "Unveiling the Mystery of Trojans"). Since ICMP is this dangerous, why not turn it off?

We all know Win2000 ships with TCP/IP filtering in the network properties; let us first see whether it can turn off ICMP. Right-click [My Network Places] on the desktop -> [Properties] -> right-click the network card you want to configure -> [Properties] -> [TCP/IP] -> [Advanced] -> [Options] -> [TCP/IP Filtering]. There are three filters here: TCP ports, UDP ports and IP protocols. First enable TCP/IP filtering, then configure each one. For TCP ports, click [Permit Only] and add the ports you need open: in general a web server only needs 80 (WWW), an FTP server needs 20 (FTP data) and 21 (FTP control), and a mail server may need 25 (SMTP) and 110 (POP3), and so on. Then UDP: UDP, like ICMP, is connectionless and therefore easy to spoof, so unless it is necessary (for example to provide DNS, which runs over UDP) select [Permit Only] with nothing listed, to avoid flood or fragment attacks. The rightmost box defines the IP protocol filter; we choose to permit only TCP by adding 6 (6 is TCP's IP protocol number, IPPROTO_TCP = 6). In theory, permitting only TCP should mean neither UDP nor ICMP gets through. Unfortunately this IP protocol filter is a narrow one: although in the architecture ICMP and IGMP are carried inside IP, in the seven-layer model ICMP/IGMP sit at the same layer as IP, so Microsoft's IP protocol filter here does not cover ICMP. Even if you set "permit only TCP", ICMP packets still pass. So if we need to filter ICMP we must find another way. Right next to TCP/IP filtering there is another option, IP Security (IPSec), and that is where our idea of filtering ICMP lands.

Open Local Security Policy and select IP Security Policies; here we can define our own IP security policy. An IPSec filter consists of two parts: a filter list, which decides which packets the filter pays attention to, and a filter action, which makes the filter "permit" or "block" them. To create a new IPSec filter you must create both your own filter list and your own filter action: right-click [IP Security Policies on Local Machine], choose [Manage IP filter lists and filter actions], and in the IP filter list tab create a new filter rule, ICMP_Any_In: source address Any IP Address, destination address My IP Address, protocol type ICMP. Switch to the Manage Filter Actions tab and add an action named Deny whose behaviour is "Block". We now have a filter list that matches all incoming ICMP packets and an action that discards them. Note that there is a "Mirrored" option in the address settings: if mirrored is selected, a symmetric filter is also created, so that when you match any IP -> my IP, because of mirroring you also match my IP -> any IP; select or clear mirroring as you need. Next, right-click [IP Security Policies on Local Machine], choose [Create IP Security Policy], and create a policy named ICMP Filter. Using the Add Filter Rule wizard, assign the ICMP_Any_In filter list we just defined to ICMP Filter, then under filter action select the Deny action we just defined. Close the wizard, right-click ICMP Filter and assign it; now every ICMP packet arriving from any address will be discarded.
Although ICMP packets can be filtered with IPSec, it is rather cumbersome, and if you only want to filter specific ICMP packets while keeping some common ones (such as Host Unreachable and Network Unreachable), an IPSec policy is not up to the job. For these more complex filtering operations we can use another powerful tool: Routing and Remote Access. Routing and Remote Access is the tool for managing the routing table, configuring VPN, controlling remote access and filtering IP packets. It is not enabled by default, so first enable it: open [Administrative Tools] -> [Routing and Remote Access], right-click the server (add this computer first if it is not listed) and choose [Configure and Enable Routing and Remote Access]. The wizard then asks what kind of server you want; in general, if you do not need to configure a VPN server, choose [Manually configured server]. After configuration completes, an [IP Routing] item appears; under [General] select the network card you want to configure (if you have several cards you can turn off ICMP on just one), click [Input Filters] in the card's properties, and add a filter rule "from: Any, to: Any, protocol: ICMP, type: 8, code: 0, drop" (type 8 code 0 is the ICMP Echo packet used by ping; to filter all ICMP packets, set both type and code to 255).

Careful readers will have noticed that the input and output filters also have a "fragment check" feature; it is used to deal with IP fragment attacks, which is beyond the scope of this article and which I will come back to in a later piece. Win2000 Routing and Remote Access is a very powerful toolset.

4. Change some of the Windows system's default values (for example, in the packets it sends). Different systems use different values, and an experienced person can judge which operating system the other side runs from the TTL value (Windows 2000 defaults to 128). I changed mine; see if you can still tell.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

DefaultTTL REG_DWORD 0-0xFF (0-255 decimal; default 128)

Description: specifies the default time-to-live (TTL) value set in outgoing IP packets. The TTL determines the maximum time a packet may survive in the network before reaching its destination; in practice it defines the number of routers an IP packet may pass through before being discarded. This value is sometimes used to detect the remote host's operating system.

5. Prevent ICMP redirection packets HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SERVICES / TCPIP / Parameters

EnableICMPREDirects reg_dword 0x0 (default is 0x1)

Description: This parameter controls whether Windows 2000 changes its routing table to respond to its ICMP redirection message sent to it, sometimes it is used to do bad things. The default value of 1 inwin2000 is 1, indicating response ICMP redirection Packet.

6. Prohibit Response ICMP Routing Notice Packet HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SYSTEM / TCPIP / Parameters / Interfaces / InterfacePerForMRouterDiscovery Reg_dword 0x0 (default is 0x2)

Note: The ICMP Routing Announcement function can cause the network connection exception of others. The data is eavesdropped, and the computer is used for traffic attacks. This problem has led to a large area of ​​the campus network, and the network is abnormal. Therefore It is recommended to turn off the response ICMP routing packet. The default value is 2 in thewin2000, indicating that when the DHCP is sent router discovery option.

7. Prevent SYN flood attacks HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

SynAttackProtect REG_DWORD 0x2 (default is 0x0)

Note: SYN attack protection reduces the number of SYN-ACK retransmissions, which shortens the time resources stay allocated to a half-open connection, and delays allocation of route cache entries until the connection is established. With SynAttackProtect = 2, the connection indication to AFD is also delayed until the three-way handshake completes. Note that the protection mechanism only takes action once the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds are exceeded.

8. Disable the default C$, D$ and similar shares HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

AutoShareServer REG_DWORD 0x0

9. Disable the default ADMIN$ share HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

AutoShareWks REG_DWORD 0x0

10. Restrict the default IPC$ share HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

RestrictAnonymous REG_DWORD 0x0 default; 0x1 anonymous users cannot enumerate the local user list; 0x2 anonymous users cannot connect to the local IPC$ share. Description: 2 is not recommended, otherwise some of your services may fail to start, for example SQL Server.

11. Do not support the IGMP protocol HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IGMPLevel REG_DWORD 0x0 (default is 0x2)

Description: Remember the bug under Win9x where IGMP was used to blue-screen other people's machines; modifying the registry fixes that bug. Windows 2000 does not have that bug, but IGMP is not necessary either, so it can be removed. After changing the value to 0, route print will no longer show the annoying 224.0.0.0 entry.

12. Set the ARP cache aging time HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

ArpCacheLife REG_DWORD 0-0xFFFFFFFF (seconds, default is 120 seconds)
ArpCacheMinReferencedLife REG_DWORD 0-0xFFFFFFFF (seconds, default is 600)

Note: If ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, both referenced and unreferenced ARP cache entries expire in ArpCacheLife seconds. If ArpCacheLife is less than ArpCacheMinReferencedLife, unreferenced entries expire in ArpCacheLife seconds and referenced entries expire in ArpCacheMinReferencedLife seconds. An entry in the ARP cache is referenced each time an outbound packet is sent to its IP address.
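The aging rule in item 12, as an added example that is not part of the original article: a small Python simulation of an ARP cache that applies the ArpCacheLife / ArpCacheMinReferencedLife rule to referenced and unreferenced entries. The cache class, the sample addresses and the assumption that an entry's lifetime counts from the moment it was learned are mine for the purpose of the simulation, not something the article or Windows documents.

```python
from dataclasses import dataclass

# Windows 2000 defaults as given in item 12 of the article.
DEFAULT_ARP_CACHE_LIFE = 120
DEFAULT_ARP_CACHE_MIN_REFERENCED_LIFE = 600


@dataclass
class ArpEntry:
    ip: str
    mac: str
    learned_at: float         # simulated clock (seconds) when the mapping was learned
    referenced: bool = False  # True once an outbound packet to ip has used the entry


def entry_lifetime(referenced, arp_cache_life=DEFAULT_ARP_CACHE_LIFE,
                   arp_cache_min_referenced_life=DEFAULT_ARP_CACHE_MIN_REFERENCED_LIFE):
    """Lifetime in seconds an entry gets under the rule in item 12."""
    if arp_cache_life >= arp_cache_min_referenced_life:
        # Referenced or not, every entry ages out after ArpCacheLife seconds.
        return arp_cache_life
    return arp_cache_min_referenced_life if referenced else arp_cache_life


class ArpCache:
    """Toy ARP cache. Lifetimes are measured from the time the entry was learned,
    which is an assumption made for this simulation, not a statement from the page."""

    def __init__(self, arp_cache_life=DEFAULT_ARP_CACHE_LIFE,
                 arp_cache_min_referenced_life=DEFAULT_ARP_CACHE_MIN_REFERENCED_LIFE):
        self.life = arp_cache_life
        self.min_ref = arp_cache_min_referenced_life
        self.entries = {}

    def learn(self, ip, mac, now):
        self.entries[ip] = ArpEntry(ip, mac, now)

    def send_to(self, ip, now):
        """An outbound packet to ip references the entry, if one is still live."""
        entry = self.entries.get(ip)
        if entry is not None and not self._expired(entry, now):
            entry.referenced = True
            return True
        return False

    def _expired(self, entry, now):
        return now - entry.learned_at >= entry_lifetime(entry.referenced, self.life, self.min_ref)

    def purge(self, now):
        """Drop expired entries and return their IPs, sorted."""
        gone = sorted(ip for ip, e in self.entries.items() if self._expired(e, now))
        for ip in gone:
            del self.entries[ip]
        return gone


def simulate(arp_cache_life, arp_cache_min_referenced_life):
    """Learn two entries at t=0, reference one of them at t=10, and report the
    simulated time at which each entry is purged."""
    cache = ArpCache(arp_cache_life, arp_cache_min_referenced_life)
    # Constructed sample addresses from the documentation range 192.0.2.0/24.
    cache.learn("192.0.2.10", "00-11-22-33-44-55", now=0)
    cache.learn("192.0.2.20", "00-11-22-33-44-66", now=0)
    cache.send_to("192.0.2.20", now=10)   # only .20 becomes a referenced entry
    expired_at = {}
    for t in range(0, 1000, 10):
        for ip in cache.purge(t):
            expired_at[ip] = t
    return expired_at


if __name__ == "__main__":
    print("defaults 120/600:", simulate(120, 600))
    print("life >= min_ref  :", simulate(900, 600))
```

With the defaults the unreferenced entry is gone after 120 seconds while the referenced one survives for 600; raising ArpCacheLife to 900 (above ArpCacheMinReferencedLife) makes both expire at 900, which is the first branch of the rule.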

13. Disable dead gateway detection HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

EnableDeadGWDetect REG_DWORD 0x0 (default is 0x1)

Description: If you have configured several gateways, your machine will automatically switch to a backup gateway when it has trouble with multiple connections. Sometimes that is not a good idea, so it is recommended to disable dead gateway detection.

14. Do not support the routing function HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IPEnableRouter REG_DWORD 0x0 (default is 0x0)

Description: Setting the value to 0x1 turns the Windows 2000 machine into a router, which brings unnecessary problems.

15. Raise the maximum ephemeral port when using NAT HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

MaxUserPort REG_DWORD 5000-65534 (default 0x1388, decimal 5000)

Note: When an application requests an available user port from the system, this parameter controls the highest port number that may be used. Normally ephemeral ports are allocated from the range 1024-5000. When the parameter is set outside the valid range, the closest valid value (5000 or 65534) is used. It is recommended to enlarge the value when using NAT.

16. Modify the MAC address HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\

Find the subkey whose right-hand pane identifies it as the network adapter class, such as {4D36E972-E325-11CE-BFC1-08002BE10318}.

Expand it and look at the 0000, 0001, 0002 ... branches; the one whose "DriverDesc" value names your NIC, for example "Intel(R) 82559 Fast Ethernet LAN on Motherboard", is the right one. In its right-hand pane create a string value named "NetworkAddress" whose content is the MAC value you want, such as "004040404040", then restart the computer and check with ipconfig /all.

17. Prevent the password hashes from being dumped remotely: just stop the Remote Registry Service in the Services console.
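An added example, not from the original article: a Python script that reads a regedit export (REGEDIT4 format, as regedit on NT/2000 writes it) and reports which of the values recommended in items 5 and 7 through 15 are missing or not set to the hardened value, including the MaxUserPort range rule from item 15. The sample export and the baseline table are constructed for illustration; the registry paths and value names are the ones listed in the items above. Export the keys on the server with regedit and run the script against the file on any machine with Python.

```python
import re
import sys

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Hardened values from items 5 and 7 to 14 of the article. Item 6 lives under a
# per-interface subkey and item 15 (MaxUserPort) is range-checked separately.
BASELINE = {
    (TCPIP, "EnableICMPRedirect"): 0,
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "IGMPLevel"): 0,
    (TCPIP, "EnableDeadGWDetect"): 0,
    (TCPIP, "IPEnableRouter"): 0,
    (LANMAN, "AutoShareServer"): 0,
    (LANMAN, "AutoShareWks"): 0,
    (LSA, "RestrictAnonymous"): 1,
}

# Constructed sample export (not from a real server). It deliberately mixes
# hardened, default and out-of-range values so the audit has something to report.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:00000080
"EnableICMPRedirect"=dword:00000000
"SynAttackProtect"=dword:00000002
"IGMPLevel"=dword:00000002
"EnableDeadGWDetect"=dword:00000001
"IPEnableRouter"=dword:00000000
"MaxUserPort"=dword:00012c00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg(text):
    """Collect REG_DWORD values from a regedit export as {(key, name): int}.
    Keys and names are lowercased because the registry is case-insensitive."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _DWORD.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def effective_max_user_port(value):
    """Item 15: a value outside 5000-65534 is replaced by the closest valid value."""
    return min(max(value, 5000), 65534)


def audit(text):
    """Return one finding string per baseline value that is missing or not hardened."""
    found = parse_reg(text)
    findings = []
    for (key, name), want in BASELINE.items():
        got = found.get((key.lower(), name.lower()))
        if got is None:
            findings.append(f"{name}: not set, the Windows default applies")
        elif got != want:
            findings.append(f"{name}: is {got:#x}, recommended {want:#x}")
    port = found.get((TCPIP.lower(), "maxuserport"))
    if port is not None and effective_max_user_port(port) != port:
        findings.append(f"MaxUserPort: {port} is outside 5000-65534, "
                        f"the system will use {effective_max_user_port(port)}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Regedit 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI.
        data = open(sys.argv[1], "rb").read()
        text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")
    else:
        text = SAMPLE_REG
    for finding in audit(text) or ["all baseline values are hardened"]:
        print(finding)
```

Run without arguments it audits the built-in sample and reports four findings: IGMPLevel and EnableDeadGWDetect still at their defaults, AutoShareWks not set, and a MaxUserPort of 76800 that Windows would silently replace with 65534. A RestrictAnonymous of 2 is also flagged, since the article recommends 1 to keep services such as SQL Server starting.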

The above is some of my knowledge and opinions on Windows platform server security settings. If you have new information or views, please write and tell me.

Please credit the original address when reposting: https://www.9cbs.com/read-86824.html
