[Security] Windows 2000 server security setup

xiaoxiao2021-03-06  61

Win2K Server: if you installed from a purchased CD, note that the accounts the default installation creates should be closed after setup; any account you did not close, permanently disable under Control Panel → Administrative Tools. Upgrade to SP4 now, which should close the known backdoor vulnerabilities; make sure a password is required at startup; and ideally let Win2K's automatic update feature handle updates unattended.

If SQL Server is installed on your system, you must block port 3389.

Running a server today is different from before: installing a firewall is now mandatory. If you can, also install LockDown, which is effective at stopping hacker Trojan programs.

Blocking ports: use the Windows 2000 IP Security Policy to close ports and build a complete line of defense

Most intrusions come in through open ports, so your server should open only the ports it needs. Which ports do you need? The following are the common ones:

Port 80 is the web (HTTP) service; 21 is FTP; 25 is the e-mail SMTP service; 110 is the e-mail POP3 service.

Others, such as SQL Server's port 1433, you can look up online. Ports you do not need should be closed! You can close them with the Windows 2000 security policy: with its IP security policies you can prevent intruders' attacks. Open "Administrative Tools → Local Security Policy", right-click "IP Security Policies", select "Create IP Security Policy", click [Next], enter a name for the security policy, click [Next] through to Finish, and the security policy is created.

Then right-click "IP Security Policies" again and open "Manage IP filter lists and filter actions"; this is where you define which ports to block. Here we take closing ICMP and port 139 as the example.

Closing ICMP: if hacker software has no forced-scan option, it cannot scan your machine, and ping will not reach it either. The steps are: click [Add], enter "Close ICMP" as the name, click [Add] on the right, then [Next]. For the source address select "Any IP address", click [Next]. For the destination address select "My IP address", click [Next]. For the protocol select "ICMP", click [Next]. Finish and close the property window; the ICMP filter is now defined.

Next, port 139: again click "Add" in the IP filter list, set the name to "Close 139", click "Add" on the right, click [Next]. For the source address select "Any IP address", click [Next]. For the destination address select "My IP address", click [Next]. For the protocol select "TCP", click [Next]. In the IP protocol port settings choose "From any port" and "To this port", enter 139 as the port, click [Next]. That completes the port 139 filter; other ports are set up the same way.

Then switch to managing filter actions: click "Add", click [Next], enter "Reject" as the name, click [Next], select "Block", click [Next].

Then close the property page, right-click the new IP security policy "Security" and open its properties. Under rules click "Add", click [Next]. Select "This rule does not specify a tunnel", click [Next]. For the network type select "All network connections", click [Next]. In the IP filter list select "Close ICMP", click [Next]. In the filter action select "Reject", click [Next]. This adds the "Close ICMP" filter to the IP security policy named "Security". In the same way you add the other filters, such as "Close 139". The last thing to do is assign the policy; it only takes effect after assignment: right-click "Security", select "All Tasks" in the menu, then "Assign". That completes the IP security settings; set up a policy appropriate to your own situation.

Windows 2000 services: security and recommendations

Alerter service. Description: notifies selected users and computers of administrative alerts; it works together with the Messenger service, which receives and routes what Alerter sends. Executable: %systemroot%\system32\services.exe. Risk: potentially exposed to social-engineering attacks. Recommendation: restrict Alerter's alerts so that only administrators receive them.

Application Management service. Description: provides software installation services such as assign, publish and remove for applications deployed through Active Directory Group Policy. Executable: Winnt\System32\services.exe. Risk: none. Recommendation: if you do not deploy applications through Group Policy, it is best to disable it.

Boot Information Negotiation Layer service. Description: works with Remote Installation Services (RIS); unless you install operating systems via RIS, do not run it. Executable: Winnt\System32\services.exe. Risk: none.

Computer Browser service. Description: maintains the list of computers on the network and supplies it to programs that request it. Executable: Winnt\System32\services.exe. Risk: exposes information about the network. Recommendation: disable.

Indexing Service. Description: indexes the documents and document properties on disk and stores the information in a catalog so they can be searched later. Executable: Winnt\System32\services.exe. Risk: it is the root of many security weaknesses on IIS web servers. Recommendation: disable unless specifically needed.

ClipBook service. Description: supports the ClipBook Viewer program, which lets ClipBook pages be viewed by ClipBook on a remote computer; users can connect and paste text and graphics over the network. Executable: Winnt\System32\clipsrv.exe. Risk: potential unauthorized remote access to ClipBook pages. Recommendation: disable.

Distributed File System service. Description: allows a single logical disk to be built from file shares distributed across different locations on the network. Executable: Winnt\System32\dfssvc.exe. Risk: none known. Recommendation: disable (this produces a disk error in the log, which can be ignored).

DHCP Client service. Description: manages network configuration by registering and updating IP addresses and DNS names. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: assign servers a static IP address.

Logical Disk Manager Administrative Service. Description: used to manage logical disks. Executable: Winnt\System32\dmadmin.exe. Risk: none known. Recommendation: set the startup type to Manual.

Logical Disk Manager service. Description: the Logical Disk Manager watchdog service, responsible for managing dynamic disks. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: needed for the system to run; keep the default Automatic startup.

DNS Server service. Description: answers DNS name queries. Executable: Winnt\System32\dns.exe. Risk: none known. Recommendation: use this service with caution, because it is the root cause of many security weaknesses.

DNS Client service. Description: caches DNS query results. An intrusion detection system can use it to speed up its DNS lookups. Executable: Winnt\System32\services.exe. Risk: none known, but an attacker who can read your cache can see which websites you have visited (the command-line form is `ipconfig /displaydns`). Recommendation: can be stopped or left running.

Event Log service. Description: records event messages from the system and from running programs. Although its functionality is limited and it has a few small problems, the service can be used for intrusion detection and system monitoring. Executable: Winnt\system32\services.exe. Risk: none known. Recommendation: this service should be started, especially on standalone servers.

COM+ Event System service. Description: provides automatic event distribution to subscribing COM components. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: if no installed program needs it, you can disable both COM+ Event System and System Event Notification.

Fax Service. Description: manages sending and receiving of faxes. Executable: Winnt\System32\faxsvc.exe. Risk: none known. Recommendation: not recommended on servers unless the server is specifically designated as a fax server.

Single Instance Storage Groveler service. Description: used with Remote Installation Services; scans a single-instance-storage volume for duplicate files and points the duplicates at one data store to save disk space. Risk: none known. Recommendation: stop it unless you use Remote Installation Services.

Internet Authentication Service. Description: authenticates dial-up and VPN users. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: obviously, except on dial-up and VPN servers, the service should be disabled.

IIS Admin Service. Description: allows the IIS services to be managed through the Internet Services Manager MMC snap-in. Executable: Winnt\System32\inetsrv\inetinfo.exe. Risk: none known. Recommendation: required if the server runs Internet services. If it runs no Internet services, uninstall Internet Information Server from Control Panel, which also uninstalls the IIS Admin service.

Intersite Messaging service. Description: used by Active Directory replication between sites. Executable: Winnt\System32\ismserv.exe. Risk: none known. Recommendation: not recommended except on Active Directory servers.

Kerberos Key Distribution Center service. Description: a domain service providing the Kerberos authentication service and the ticket-granting service (TGT). Executable: Winnt\System32\lsass.exe. Risk: none known. Recommendation: it works with Active Directory on domain controllers and cannot be stopped there; apart from domain controllers, it should not run on other computers.

Server service. Description: provides RPC support and file, print and named-pipe sharing. It is implemented as a file system driver that handles I/O requests. Executable: Winnt\System32\services.exe. Risk: without proper user protection, it exposes system files and printer resources. Recommendation: unless you intend to share files or printers on a Windows network, you do not need to run it. (Note: for Windows 2000 this is a high-risk service. Every 2000 user knows about the default shares; they are a problem of this service. If you do not disable it, the default shares open automatically, and important information such as the Winnt folder, whose importance to 2000 everyone knows, is exposed. Unless your passwords are secure, these shares will be your machine's fatal weakness!)

Workstation service. Description: provides network connections and communications; it works as a file system driver and lets users access resources on Windows networks. Executable: Winnt\System32\services.exe. Risk: some standalone servers, such as web servers, should not participate in a Windows network. Recommendation: run this service only on the internal network and on firewall-protected workstations and servers; on servers that can be reached from the Internet it should be disabled.

TCP/IP Print Server service. Description: lets remote UNIX users use printers managed by a Windows 2000 server over TCP/IP. Executable: Winnt\System32\tcpsvcs.exe. Risk: has some security weaknesses and opens a listening port. Recommendation: because of those weaknesses and the port it exposes to the Internet, do not use the service unless the network is isolated from the Internet.

License Logging Service. Description: manages site license agreement information. Executable: Winnt\System32\llssrv.exe. Risk: none known. Recommendation: should not be used except on domain controllers.

TCP/IP NetBIOS Helper service. Description: allows NetBIOS communication over TCP/IP networks. Executable: Winnt\System32\services.exe. Risk: exposes the system's NetBIOS security weaknesses, such as NTLM authentication. Recommendation: disable unless you need compatibility with older versions of Windows.

Messenger service. Description: sends and receives messages from administrators or from the Alerter service. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: not needed; it should be disabled.

NetMeeting Remote Desktop Sharing service. Description: lets you access your Windows desktop remotely using NetMeeting. Executable: Winnt\System32\mnmsrvc.exe. Risk: a potentially unsafe service. Recommendation: disable it, because it can create security weaknesses; use Terminal Services instead for remote desktop access.

Distributed Transaction Coordinator service. Description: Microsoft's Distributed Transaction Coordinator (MS DTC) provides transaction coordination using the OLE Transactions protocol and can coordinate transactions across two or more databases, message queues, file systems and other transaction-protected resource managers. Executable: Winnt\System32\msdtc.exe. Risk: none known. Recommendation: no need to disable it.

FTP Publishing Service. Description: the File Transfer Protocol is not a secure protocol; without proper protection the FTP Publishing service brings many security risks. Executable: Winnt\System32\inetsrv\inetinfo.exe. Risk: Microsoft's FTP server has no known risks, but FTP in general is a known insecure service. Recommendation: disable it unless you need to provide file sharing via FTP; if you need it, protect and monitor it carefully.

Windows Installer service. Description: manages software installation and modification; useful for installing and repairing applications. Executable: Winnt\System32\msiexec.exe /V. Risk: none known. Recommendation: keep.

Network DDE service. Description: provides data stream transport and security for Dynamic Data Exchange (DDE) over the network. Executable: Winnt\System32\netdde.exe. Risk: DDE requests arriving over the network. Recommendation: for most applications, Network DDE should be set to manual start.

Network DDE DSDM service. Description: maintains the shared DDE conversation database; when a Network DDE share is accessed, the shared session is looked up and the security check decides whether the request is allowed. Executable: Winnt\System32\netdde.exe. Risk: none known. Recommendation: this service should be set to manual start.

Net Logon service. Description: supports pass-through authentication for computers in a domain. Executable: Winnt\System32\lsass.exe. Risk: can be used to carry out password brute-force attacks. Recommendation: should not be used on standalone servers that are not part of a domain.

Network Connections service. Description: manages the objects in the Network and Dial-up Connections folder, where you see LAN and remote connections. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: since the service starts itself when needed, you can set it to manual.

Network News Transport Protocol (NNTP) service. Description: provides a news server service, such as Usenet. Executable: Winnt\System32\inetsrv\inetinfo.exe. Risk: none known. Recommendation: an NNTP server should be installed in a DMZ network and treated like other network services such as FTP, mail and web. Configuring NNTP servers on private networks is not recommended; any server on an internal network should uninstall or disable NNTP.

File Replication Service. Description: the File Replication Service (FRS) replicates files, system policies and logon scripts across the domain; it can also replicate data for the Distributed File System (DFS). Executable: Winnt\System32\ntfrs.exe. Risk: none known. Recommendation: it keeps the contents of file directories synchronized between multiple servers.

NTLM Security Support Provider service. Description: provides security for RPC (Remote Procedure Call) programs that use a transport other than named pipes. The service only appears after Client for Microsoft Networks is installed. Executable: winnt\system32\lsass.exe. Risk: none known. Recommendation: it is only needed if Client for Microsoft Networks is installed; otherwise there is no need to depend on it.

Removable Storage service. Description: manages removable media, drives and libraries. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: start the service when you need it.

Plug and Play service. Description: manages device installation and configuration and notifies programs of device changes. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: the system can start without this service, but startup takes longer and some services (such as RAS) cannot run, so it is best to let it start.

IPSEC Policy Agent service. Description: manages IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers. Executable: Winnt\System32\lsass.exe. Risk: none known. Recommendation: keep this service.

Protected Storage service. Description: provides protected storage for sensitive data such as private keys, preventing access by unauthorized services, processes or users. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: no question here; the system requires it.

Remote Access Auto Connection Manager service. Description: automatically dials a network connection when a user requests access to a remote network address. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: only needed if you use dial-up network connections; otherwise it is unnecessary.

Remote Access Connection Manager service. Description: manages dial-up network connections. Executable: winnt\system32\svchost.exe -k netsvcs. Risk: none known. Recommendation: only servers that must support Routing and Remote Access Service (RAS) need to run it, so you can disable it.

Routing and Remote Access service. Description: provides routing services in LAN and WAN environments and serves as a remote access point. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: if misconfigured, the service lets unauthorized users access the network. Recommendation: if this service cannot be turned off, make sure it is configured well.

Remote Registry Service. Description: lets authorized administrators operate on registry entries on remote hosts; some features, such as remote performance monitoring, require it. Executable: Winnt\System32\regsvc.exe. Risk: without proper configuration it potentially exposes the registry. Recommendation: the risk is obvious, so disable it unless there is a specific need.

Remote Procedure Call (RPC) Locator service. Description: lets RPC applications register their availability and lets clients find compatible RPC servers. Executable: Winnt\System32\svchost -k rpcss. Risk: none known. Recommendation: this service should only run on domain controllers.

Remote Procedure Call (RPC) service. Description: provides calls to remote computers and is used for remote computer management. Executable: Winnt\System32\svchost -k rpcss. Risk: exposes system information. Recommendation: although it exposes information, there is no way around it; who is going to stop it?

QoS Admission Control Service. Description: provides bandwidth management control to guarantee access to network services. Executable: Winnt\System32\rsvp.exe -r. Risk: none known. Recommendation: if you use the Windows QoS feature, enable it and do not disable it.

Security Accounts Manager service. Description: the Security Accounts Manager (SAM) stores the security information of local user accounts for authentication. Executable: Winnt\System32\lsass.exe. Risk: although there are ways to obtain SAM data, the SAM service itself does not create a security risk. Recommendation: this service must be running.

Task Scheduler service. Description: runs programs at specified times. On NT4 only administrators could schedule tasks, and the tasks ran as SYSTEM; on 2000 any user can schedule a task, which runs only in that user's own environment. Executable: Winnt\System32\mstask.exe. Risk: intruders can use it to launch a Trojan server on your machine. Recommendation: disable unless you need to schedule tasks.

RunAs service. Description: lets a process start under alternate user credentials; it is a countermeasure to Trojan horse programs. With RunAs you can run a process with administrator privileges while logged on as a non-privileged user. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: this service should be started.

System Event Notification service. Description: tracks system events. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: it records Windows logon, network and power events; enabling it is recommended.

Internet Connection Sharing service. Description: shares one computer's connection with other computers. Executable: Winnt\System32\svchost.exe -k netsvcs. Risk: none known. Recommendation: this service should be disabled, because it lets users use an unauthorized connection to bypass the proxy and monitoring services of the corporate network.

Simple TCP/IP Services. Description: runs the basic TCP/IP services and opens TCP ports 7, 9, 13, 17 and 19. Executable: Winnt\System32\tcpsvcs.exe. Risk: several insecure services running on those TCP ports. Recommendation: although there is danger, it is still left running.

Simple Mail Transport Protocol (SMTP) service. Description: provides outbound Internet mail service. Executable: Winnt\System32\inetsrv\inetinfo.exe. Risk: allows e-mail spoofing and relaying. Recommendation: the service is useful, but access to it should be limited to the local host or the local network.

SNMP Service. Description: an agent that monitors network device activity and reports the monitoring information to a network console workstation. Executable: Winnt\System32\snmp.exe. Risk: by default it uses "public" as its community string, and it exposes sensitive information about the Windows 2000 server. Recommendation: not advisable on the Internet.

SNMP Trap Service. Description: receives SNMP trap messages from other SNMP agents. Executable: Winnt\System32\snmptrap.exe. Risk: none known. Recommendation: use it only on the internal network, nowhere else.

Print Spooler service. Description: spools print jobs so that applications do not have to wait while printing files. Executable: Winnt\System32\spoolsv.exe. Risk: none known. Recommendation: disable unless you need to handle a print queue.

Performance Logs and Alerts service. Description: handles performance logs and alerts, useful for system and network monitoring. Executable: Winnt\System32\smlogsvc.exe. Risk: none known. Recommendation: enabled, of course.

Telephony service. Description: provides telephony and IP-based voice connections. Executable: Winnt\System32\svchost.exe -k tapisrv. Risk: none known. Recommendation: disable the service unless you intend to use this feature on the LAN.

Terminal Services. Description: remote desktop access over TCP/IP. Executable: Winnt\System32\termsrv.exe. Risk: potential unauthorized access to remote desktops and brute-force attacks. Recommendation: strictly restrict access to the service by IP address, and monitor it closely.

Terminal Services Licensing service. Description: manages client license agreements when Terminal Services runs in application server mode. Executable: Winnt\System32\lserver.exe. Risk: none known. Recommendation: required when running Terminal Services in Application Server mode.

Trivial FTP Daemon service. Description: implements the Trivial FTP Internet standard. Executable: Winnt\System32\tftpd.exe. Risk: potential unauthorized file access. Recommendation: should only be used on trusted local networks.

Telnet service. Description: lets a remote user log on to the system and run console programs from the command line. Executable: Winnt\System32\tlntsvr.exe. Risk: passwords are transmitted in clear text, and if NTLM authentication is enabled the NTLM password can still be recovered. Recommendation: disable.

Utility Manager service. Description: starts and configures accessibility tools. Executable: Winnt\System32\utilman.exe. Risk: none known. Recommendation: disable it unless you need the accessibility tools.

Windows Time service. Description: sets the system time from a network time server. Executable: Winnt\System32\services.exe. Risk: none known. Recommendation: if you are not running a Windows 2000 network, disable it.

World Wide Web Publishing Service. Description: provides anonymous web site access for the Internet. Executable: Winnt\System32\inetsrv\inetinfo.exe. Risk: various risks, including file access, remote command execution and denial of service. Recommendation: it is a must; its security can only be maintained with other tools.

Windows Management Instrumentation service. Description: provides system management information; essentially a Web-Based Enterprise Management-compatible tool for collecting and correlating management data from various sources. Executable: Winnt\System32\wbem\winmgmt.exe. Risk: potential exposure of sensitive information. Recommendation: WMI is a useful tool, but it can also be used to collect information. Unless you particularly do not want to use the service, start it.

Windows Internet Name Service. Description: Microsoft's name service for NetBIOS networks. Executable: Winnt\System32\wins.exe. Risk: potential exposure of sensitive system information. Recommendation: a pure Windows 2000 network does not rely on WINS; disable it, or use it only locally.

Closing port 139:
1. Start → Programs → Administrative Tools → Local Security Policy; right-click "IP Security Policies, on Local Machine".
2. Click "Manage IP filter lists and filter actions", then "Add" under "Manage IP filter lists".
3. The "IP Filter List" window pops up.
4. Enter a name and description, such as "Disable 139", click Add; the IP Filter Wizard opens, click Next.
5. In the "Specify IP source address" window select "Any IP Address", click Next.
6. In "IP traffic destination" select "My IP Address", click Next.
7. In "Select protocol type" select TCP, click Next.
8. In the wizard's "Set IP protocol port", choose "From any port" and, in the second box, "To this port", enter 139, click Next.
9. Click "Finish", then "Close", back to "Manage IP filter lists and filter actions".
10. Select "Manage filter actions" and click "Add".
11. The Filter Action Wizard appears; click Next, enter "Disable 139 port connections" as the name, click Next, select "Block", then click Next.
12. Click "Finish" and "Close".
Port 445 is done the same way as port 139 above; just note that when adding its filter action you must not reuse the same "Block" filter action, otherwise the rule has no effect.

After completing both, return to "IP Security Policies, on Local Machine" and right-click "IP Security Policies":
1. In the IP Security Policy Wizard click "Next", enter "Disable 139,445 port connections" as the name, click Next, then Finish.
2. Click "Add" under the rules; the Security Rule Wizard appears. Click Next all the way to "IP Filter List", select "Disable 139" (the list we created earlier), click Next; in "Filter Action" select "Disable 139", click Next, and finally "Finish" and "OK".
3. The port 445 filter list and action are added through "Add" the same way: click Next to "IP Filter List", select "Disable 445", click Next; in "Filter Action" select "Disable 445", click "Close", and return to the "Properties" window.
Finally, all that remains is to assign the policy just configured.
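The filter lists, filter actions, rules and assignment that the two GUI procedures above build (block ICMP, TCP 139 and TCP 445 inbound to this host, then assign the policy) can also be scripted with the `netsh ipsec static` context. This is an added example, not code from the original post; it assumes Windows XP SP2 / Server 2003 or later, where `netsh ipsec` exists (Windows 2000 itself only offers the MMC snap-in and the resource-kit ipsecpol.exe), and an elevated PowerShell prompt. Names are kept free of spaces so PowerShell passes them to netsh unchanged.

```powershell
# Added example: script the IPsec policy the GUI steps build.
# Assumes an elevated prompt on Windows XP SP2 / Server 2003 or later.
# Read-only verification at the end; the policy is only enforced once assigned.

$policy = 'Security'

# 1. One filter list per thing we block (the wizard's "IP filter list").
#    srcaddr=any / dstaddr=me mirrors "Any IP address" -> "My IP address";
#    srcport=0 means "from any port"; mirrored=yes matches the reply direction
#    too, which is the wizard's default.
netsh ipsec static add filterlist name=CloseICMP
netsh ipsec static add filter filterlist=CloseICMP srcaddr=any dstaddr=me protocol=ICMP mirrored=yes

netsh ipsec static add filterlist name=Close139
netsh ipsec static add filter filterlist=Close139 srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes

netsh ipsec static add filterlist name=Close445
netsh ipsec static add filter filterlist=Close445 srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

# 2. The "Reject" filter action (the wizard's "Block").
netsh ipsec static add filteraction name=Reject action=block

# 3. The policy, with one rule per filter list: no tunnel, all connection types.
netsh ipsec static add policy name=$policy
foreach ($list in 'CloseICMP', 'Close139', 'Close445') {
    netsh ipsec static add rule name="Rule$list" policy=$policy filterlist=$list filteraction=Reject conntype=all
}

# 4. Nothing takes effect until the policy is assigned (the GUI's All Tasks -> Assign).
netsh ipsec static set policy name=$policy assign=y

# Verify what is now assigned on this machine.
netsh ipsec static show policy name=$policy level=verbose
```

After assignment, a ping from another host should time out and a TCP connect to 139/445 should fail, while the rules for ports you deliberately left open (80, 21, 25, 110) are unaffected because no filter list matches them.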

Port 135: if port 135 is open, add a rule on your firewall rejecting all UDP packets whose destination port is 135 and whose source port is 7, 19 or 135; this protects internal systems from attacks from outside. Most firewalls or packet filters already have many stricter rules that cover this filtering rule, but note: some NT applications rely on UDP port 135 for legitimate communication, using the open port 135 to talk to NT's RPC service. If that is the case for you, apply the rule above with an exception for those source systems, so that communication from them is ignored by the firewall, or by the intrusion detection system, to keep those applications' connections working. Ports 17, 19, 7 and 9 are opened by the default service configuration (Simple TCP/IP Services) and can be closed there; alternatively, download a tool called Configure Port Blocker, which can directly remove unnecessary ports. For port 80, use a safe and effective method of verifying the user's identity (anonymous logon is not recommended); in IIS, redirect the HTTP 404 "Object Not Found" error page to a custom HTM file via URL.

IIS server:
1. Change the default IIS path: completely delete the Inetpub directory on the C drive, create a new directory elsewhere, and set it as the home directory in IIS Manager.
2. Open the IIS server, go to the "Home Directory" page, find "Configuration", and delete the unnecessary application mappings, leaving only those we use (in IIS Manager: right-click the host → Properties → WWW Service → Edit → Home Directory → Configuration → Application Mappings). On the "App Debugging" tab of that window, change script error messages to "Send text error message to client" and write whatever error text you like. When exiting, let the virtual sites inherit the settings.
3. Delete the default virtual directories, such as MSADC and Scripts. Under C:\WinNT\System32, set new permissions on ftp.exe, cmd.exe and tftp.exe that deny access to the system user "IUSR_ComputerName".

Other:
1. Turn off the Guest account: disable it and do not allow it to log on at any time. Best give it a super-complicated password of more than 20 characters made of digits, upper-case letters and special symbols, typed in Notepad and then copied from there.
2. Delete users that serve no purpose.
3. Rename the Administrator account; this account seems to tempt people to try cracking it again and again. Or use a long password.
4. Change the permissions on shared files to "Authenticated Users".
5. Enable the audit policy to record events such as user password attempts, account policy changes and unauthorized file access.
6. Enable password policies.
7. Do not let the system display the last logged-on user name: under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set the REG_SZ value DontDisplayLastUserName to 1.
8. Prohibit null sessions: by default anyone can connect to the server over a null session and guess passwords. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, change RestrictAnonymous to 1.
9. If the server does not play games, turn off DirectDraw: HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI\Timeout (REG_DWORD) = 0.
10. Prohibit dump file generation: this file can give others sensitive information, such as application passwords, because it records memory at the time of a crash or blue screen. Control Panel → System Properties → Advanced → Startup and Recovery, change "Write debugging information" to None.

Terminal Services settings

1. Step one: change the server-side port of Terminal Services. Open the registry and find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp and its value PortNumber. Its data is 0xD3D, which is hexadecimal for 3389, the default port of RDP (Remote Desktop Protocol). This value is used when a new RDP service is configured; to change an RDP service that has already been established, go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations. Under it there are one or more subkeys such as RDP-Tcp (depending on how many RDP services have been set up); change PortNumber there as well.

2. Step two: change the client. Create a new client connection: open Client Connection Manager, create a connection shortcut in the usual way, select it and choose "Export" from the File menu (Menu → File → Export). This produces a .cns file, which is the configuration file of the Terminal Services client. Open it with a text editor such as Notepad, find "Server Port=3389", change it to the port you want, then choose Import (Menu → File → Import); the client shortcut now uses the port you need. Note that the Terminal Services Client (MSI version) downloaded from Microsoft's home page cannot change the port; only the client produced by the "make disk" function of the Windows 2000 Server version of Terminal Services can, and that feature is found in Terminal Services Client Creator under Administrative Tools.

As for logging, Terminal Services does in fact have a logging function. Open Terminal Services Configuration in Administrative Tools, click "Connections", right-click the RDP service you want to configure (for example RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced" in the lower left corner and look at the "Auditing" tab there. Add the Everyone group, which represents all users, and audit success for "Connect", "Disconnect" and "Logoff", and both success and failure for "Logon"; that is enough, since too much auditing is not good. These audit entries are written to the security log, which you can view with Administrative Tools → Event Viewer. Now it is clear who logged on, but the log does not record the client's IP address (you can only see the IP of users currently online); it records the computer name instead.

So we create a batch file called tslog.bat to record the IP address of whoever logs on. Its content is:

time /t >> tslog.log
netstat -n -p tcp | find ":3389" >> tslog.log
start explorer

To explain this file: the first line records the time the user logged on. time /t makes the command return the system time directly (without /t the system would wait for you to enter a new time), and the append operator >> writes that time into tslog.log. The second line records the user's IP address: netstat displays the current network connections, -n shows IP addresses and ports instead of domain names, and -p tcp restricts the output to the TCP protocol. We then use the pipe symbol "|" to hand the output of this command to the find command, which picks out the lines containing ":3389" (these hold the client's IP; if you have changed the port of Terminal Services, this value must be changed accordingly), and finally we redirect that result into the log file tslog.log as well. The records in tslog.log therefore look like this:

22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED

How do we run it? Terminal Services lets us customise the program that starts for each user. In Terminal Services Configuration we override the user's logon script settings and specify tslog.bat as the program to run when the user logs on, so every user has to execute this script. Because the default startup program (the equivalent of the shell environment) is Explorer, I add a line starting Explorer at the end of tslog.bat; without that line the user would have no way to reach the desktop. Of course, if you only want to give users a specific shell, for example cmd.exe or word.exe, you can replace start explorer with any shell you like. The script could work in other ways too; for example, writing a script that sends each logged-on user's IP to your own mailbox is a very good approach.

Under normal circumstances an ordinary user does not have permission to view the Terminal Services settings, so he will not know that you are auditing the IP of his logon; just put tslog.bat and tslog.log in a fairly hidden directory and that is enough. Still, this is only a simple Terminal Services logging trick, without much in the way of security measures or permission mechanisms.
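Reading the log back is the other half of the job. The following Python script is an added example and not part of the original article: it parses the tslog.log format the batch file above produces (a time /t stamp followed by the netstat lines that find let through) and lists the remote addresses connected to the terminal port. Because every run of the batch file re-lists all sessions that are still established, a helper keeps only the endpoints that are new since the previous stamp, which are the ones belonging to the logon that triggered the script. The sample log text, the function names and the default port of 3389 are assumptions made for this example.

```python
import re

# Constructed sample of a tslog.log written by the batch file above
# (a "time /t" stamp, then the "netstat -n -p tcp | find ":3389"" lines).
# Sample data for the example, not a real capture.
SAMPLE_TSLOG = """\
22:40
  TCP    192.168.12.28:3389     192.168.10.123:4903    ESTABLISHED
22:54
  TCP    192.168.12.28:3389     192.168.10.123:4903    ESTABLISHED
  TCP    192.168.12.28:3389     192.168.12.29:1039     ESTABLISHED
"""

# "time /t" prints hours and minutes, e.g. "22:40" (some locales add AM/PM)
TIME_RE = re.compile(r"^\s*(\d{1,2}:\d{2}(?:\s*[AP]M)?)\s*$", re.IGNORECASE)
# netstat -n columns: proto, local address:port, remote address:port, state
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_tslog(text, rdp_port=3389):
    """Return (time, remote_ip, remote_port, state) tuples for every
    netstat line whose local port is rdp_port. Lines for other ports are
    ignored, so a log written after the terminal port was changed still
    parses correctly when the new port is passed in."""
    sessions = []
    stamp = None
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # blank lines or anything else find let through
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if int(local_port) != rdp_port:
            continue
        sessions.append((stamp, remote_ip, int(remote_port), state))
    return sessions


def new_logons(sessions):
    """Each run of the batch file lists all sessions still established, so a
    client already connected at the previous stamp shows up again. Keep only
    the endpoints absent from the preceding stamp: those are the connections
    belonging to the logon that triggered the script."""
    previous, current, stamp, result = set(), set(), None, []
    for t, ip, port, _state in sessions:
        if t != stamp:
            previous, current, stamp = current, set(), t
        endpoint = (ip, port)
        current.add(endpoint)
        if endpoint not in previous:
            result.append((t, ip))
    return result


def logons_by_ip(sessions):
    """Count logons per client IP; an address that keeps reconnecting
    stands out immediately."""
    counts = {}
    for _t, ip in new_logons(sessions):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for t, ip in new_logons(parse_tslog(SAMPLE_TSLOG)):
        print(t, ip)
```

Two logons in the same minute share a time /t stamp and would be merged into one group; if that matters, record the time with a seconds-resolution command instead and the parser needs no other change.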

Modify the registry to improve Win2000's anti-DDoS capability

First, a correct understanding of DoS and DDoS

I believe nobody is unfamiliar with these two terms: Denial of Service, and Distributed Denial of Service.

So-called denial of service means that after a particular attack occurs, the attacked object can no longer provide its service in time; for example, the website service (HTTP service) no longer serves web pages, or the mail server (SMTP, POP3) can no longer send and receive. Basically, a denial-of-service attack typically uses a large number of network packets to choke the network and the host, so that normal users cannot obtain the host's prompt service. Distributed denial of service, simply put, uses packets from a wide range of sources to consume the available system resources and network bandwidth, so that the network service is paralysed.

Perhaps because of excessive media attention, DoS attacks, and DDoS attacks in particular, seem to have become popular overnight; network administrators big and small, as soon as their server has a fault, excitedly announce "I was DDoSed!", their faces seeming to show extreme glory and pride. In fact, around us, true DDoS attacks are not that common, since the resources needed to launch one are considerable; yet real attacks have never stopped, and most of them are ordinary denial-of-service attacks. How to protect against attacks of this ordinary level has become the biggest headache for many network administrators, so I asked around everywhere, and the answer was usually the same: "buy our hardware firewall". Hardware firewalls, including products dedicated to resisting denial-of-service attacks, are indeed good, but they are basically very expensive; the effect is good, but from the perspective of investment and return, some of that spending can be avoided.

In fact, the operating system itself offers many functions, and many of them are simply waiting for us to explore them slowly. Here I will give a simple introduction to how to modify the registry to enhance the system's anti-DoS capability in the Win2000 environment.

Details (comment lines in a .reg file start with a semicolon):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; Turn off dead-gateway detection. When the server has several gateways configured, the system tries to switch to the second gateway when the network is congested; turning this off optimises the network.
"EnableDeadGWDetect"=dword:00000000

; Do not respond to ICMP redirect packets. Such packets can be used for attacks, so the system should refuse to accept ICMP redirects.
"EnableICMPRedirect"=dword:00000000

; Do not release the NetBIOS name on demand. When an attacker sends a name-release request for the server's NetBIOS name, this keeps the server from responding. Note: the system must have SP2 or later installed.
"NoNameReleaseOnDemand"=dword:00000001

; Send keep-alive verification packets. This option determines how long TCP waits before checking whether the current connection is still alive; without this value the system checks for idle TCP connections every 2 hours. The time set here is 5 minutes (300000 ms).
"KeepAliveTime"=dword:000493E0

; Disable path MTU discovery. When this value is 1 the maximum packet size that can be transmitted is detected automatically, which can improve transmission efficiency; for reliability or security reasons set it to 0, meaning a fixed MTU of 576 bytes is used.
"EnablePMTUDiscovery"=dword:00000000

; Enable SYN attack protection. The default 0 means protection is off; 1 and 2 turn SYN attack protection on, and 2 gives the higher protection level. Whether an attack is judged to be under way, and the protection triggered, depends on the thresholds set by TcpMaxHalfOpen and TcpMaxHalfOpenRetried below. Note that NT 4.0 must use 1: setting 2 there can cause the system to restart when certain special packets arrive.
"SynAttackProtect"=dword:00000002

; Number of half-open connections allowed at the same time. A half-open connection is an incomplete TCP session; the netstat command shows them in the SYN_RCVD state. Microsoft's recommended values are 100 for Server and 500 for Advanced Server; it is advisable to set it a little lower.
"TcpMaxHalfOpen"=dword:00000064

; Trigger point for judging whether an attack is under way. Microsoft's recommended values are 80 for Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050

; Number of SYN-ACK retransmissions to wait for. The default 3 makes the whole process take 45 seconds; 2 takes 21 seconds; 1 takes 9 seconds; the minimum is 0, meaning no waiting, which takes 3 seconds. Adjust according to the scale of the attack; Microsoft Site Security recommends 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001

; Number of times TCP retransmits a single data segment. The default 5 makes the process take over 240 seconds; Microsoft Site Security recommends 3.
"TcpMaxDataRetransmissions"=dword:00000003

; Threshold for SYN attack protection. When the available backlog drops to 0, this parameter controls whether SYN attack protection is switched on; the Microsoft site recommends 5.
"TcpMaxPortsExhausted"=dword:00000005

; Disable IP source routing. The default 1 means source-routed packets are not forwarded; 0 means all of them are forwarded; 2 means all incoming source-routed packets are dropped. Microsoft site security recommends 2.
"DisableIPSourceRouting"=dword:00000002

; Limit the longest time a connection stays in the TIME_WAIT state. The default is 240 seconds, the minimum 30 and the maximum 300; 30 seconds is recommended.
"TcpTimedWaitDelay"=dword:0000001E

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
; Increment by which NetBT grows its connection backlog. The default is 3, the range 1-20; the larger the value, the greater the performance gain. Each connection block consumes 87 bytes.
"BacklogIncrement"=dword:00000003

; Maximum number of NetBT connection blocks. The range is 1-40000, here set to 1000; the larger the value, the more connections are allowed.
"MaxConnBackLog"=dword:000003E8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
; Enable the dynamic backlog. For systems that are busy or vulnerable to SYN attacks it is recommended to set this to 1, which allows the dynamic backlog.
"EnableDynamicBacklog"=dword:00000001

; Minimum dynamic backlog: the minimum number of free connections on a listening endpoint; when the number of free connections falls below this, more are allocated automatically. The default is 0; 20 is recommended for systems that are busy or prone to SYN attacks.
"MinimumDynamicBacklog"=dword:00000014

; Maximum dynamic backlog: the maximum number of "quasi" (half-open) connections, governed mainly by memory size; in theory every 32 MB of RAM can add 5000. Here it is set to 2000 (the hex data below, 0x2E20, is 11808 decimal, so verify it against the figure you intend before importing).
"MaximumDynamicBacklog"=dword:00002E20

; Increment of free connections. The default 5 defines how many free connections are added each time; for systems that are busy or prone to SYN attacks, 10 is recommended.
"DynamicBackLogGrowthDelta"=dword:0000000A

The following section must be adjusted manually according to the actual situation (the two values without data are left commented out so that the file still imports):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; Enable security filters on the network interface.
"EnableSecurityFilters"=dword:00000001

; Number of TCP connections open at the same time; control it according to circumstances.
; "TcpNumConnections"=

; This parameter controls the size limit of the TCP header table. On machines with a large amount of RAM, raising this setting improves response performance during a SYN attack.
; "TcpMaxSendFree"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{your own NIC interface GUID}]
; Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can lead to attacks, so turn router discovery off.
"PerformRouterDiscovery"=dword:00000000
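Applying a .reg file is only half the job; the other half is verifying that the values described in this article (the Lsa and Winlogon values from the "Other settings" list and the TCP/IP parameters in the file above) actually ended up in the registry. The following Python script is an added example, not from the original article: it parses the text of a registry export (regedit's format, with [key] sections, "name"=dword:hex lines, quoted strings and ; comments), decodes the dwords, and reports every expected value that is missing or differs from the recommendation. A missing value is reported too, because a value that was never set leaves the weaker default in force. The export text is constructed sample data, the expectation table holds the values this article recommends, and the function names are my own.

```python
import re

# Values this article recommends, keyed by registry path (the hex dwords of
# the .reg file above written as decimal). REG_SZ values are strings.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": {
        "SynAttackProtect": 2,
        "EnableICMPRedirect": 0,
        "DisableIPSourceRouting": 2,
        "TcpMaxHalfOpen": 100,
        "TcpMaxHalfOpenRetried": 80,
        "TcpMaxConnectResponseRetransmissions": 1,
        "TcpTimedWaitDelay": 30,
        "KeepAliveTime": 300000,  # 0x493E0 ms = 5 minutes
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters": {
        "EnableDynamicBacklog": 1,
        "MinimumDynamicBacklog": 20,
        "DynamicBackLogGrowthDelta": 10,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa": {
        "RestrictAnonymous": 1,
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "DontDisplayLastUserName": "1",
    },
}

# Constructed sample export, not a real machine's registry: one value is
# still at the weak default, one is absent, and one was never hardened.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; comment lines are legal in .reg files and must be skipped
"SynAttackProtect"=dword:00000000
"EnableICMPRedirect"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"TcpMaxConnectResponseRetransmissions"=dword:00000001
"TcpTimedWaitDelay"=dword:0000001e
"KeepAliveTime"=dword:000493e0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:00000014

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}. Registry names
    are case-insensitive, so both are lower-cased. dword data becomes an
    int, quoted data a str, anything else (hex:, hex(2): ...) is kept raw."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2).strip()
            if data.lower().startswith("dword:"):
                reg[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                reg[current][name] = data[1:-1]
            else:
                reg[current][name] = data
    return reg


def audit(reg, expected=EXPECTED):
    """Return (key, value_name, found, wanted) for every expected value that
    is absent (found is None) or differs from the recommendation."""
    findings = []
    for key, values in expected.items():
        present = reg.get(key.lower(), {})
        for name, want in values.items():
            got = present.get(name.lower())
            if got != want:
                findings.append((key, name, got, want))
    return findings
```

On a real machine export the keys with regedit (or reg export) and read the file with encoding="utf-16", since Version 5.00 exports are Unicode; the parser deliberately ignores binary and multi-line hex data, so a hardening value stored as anything other than a dword or a string would be reported as differing and should then be checked by hand.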

Please credit the original address when reprinting: https://www.9cbs.com/read-88567.html
