Windows Server 2003 Server Security Settings

1. Installation of Windows Server 2003

1. At least two partitions are required to install the system and the partition format is NTFS format

2. Install the 2003 system when disconnected from the network.

3. Install IIS install only the necessary IIS components (disable unnecessary services such as FTP and SMTP). By default the IIS service is not installed. Select 'Application Server' in Add/Remove Win Components then click 'Details' double-click Internet Information Services (iis) and check the following options:

Internet Information Service Manager;

Public files;

Background Intelligent Transfer Service (BITS) server extension;

World Wide Web Service .

If you use FrontPage extended Web site then check: FrontPage 2002 Server Extensions

4. Install MSSQL and other required software and then update.

5. Use the MBSA (Microsoft Baseline Security Analyzer) tool provided by Microsoft to analyze the security configuration of the computer and identify missing patches and updates. Download link: see the link at the end of the page

2. Setting and managing accounts

1. It’s better to create less system administrator accounts. Change the default administrator account name (Administrator ) And description. The password should preferably be a combination of numbers uppercase and lowercase letters and numbers and the length should be no less than 14 digits.

2 create a new trap account named Administrator set the minimum permissions for it and then enter a combination of passwords with no less than 20 characters

3 Disable the Guest account and change the name and description and then enter a complex password. Of course there is also a DelGuest tool. Maybe you can also use it to delete the Guest account but I haven't tried it.

4. Enter gpedit.msc while running open the Group Policy Editor select Computer Configuration-Windows Settings-Security Settings-Account Policy-Account Lockout Policy and set the account to \u0026ldquo; three times Login is invalid' 'lock time is 30 minutes' 'reset lock count to 30 minutes'.

5. Set 'Do not display the last user name' in the security settings-local policy-security options to enable

6. In the security settings-local In the policy-user rights assignment only the Internet guest account and the IIS process account will be reserved in 'Access this computer from the network'. If you use Asp.net keep your Aspnet account.

7. Create a User account and run the system. If you want to run a privileged command use the Runas command.

3. Network service security management

1. Prohibit default sharing such as C$ D$ ADMIN$

Open the registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters create a new Dword value in the right window set the name to AutoShareServer and set the value to 0

2 release NetBios and TCP/IP protocol binding

Right-click Network Neighborhood-Properties-Right-click Local Area Connection-Properties-Double-click Internet Protocol-Advanced-Wins-Disable NETBIOS on TCP/IP

3. No need to close The following are the recommended options

Computer Browser: Maintain network computer updates disable it

Distributed File System: Manage shared files in the local area network do not need to disable

Distributed linktracking client: Used to update the connection information in the local area network do not need to be disabled

Error reporting service: Disable sending error reports

Microsoft Serch: Provide fast word search no Need to be disabled

NTLMSecuritysupportprovide: for telnet service and Microsoft Serch do not need to be disabled

PrintSpooler: If there is no printer you can disable

Remote Registry: Prohibit remote modification of the registry

Remote Desktop Help Session Manager: Prohibit remote assistance

Four open the corresponding audit policy

Enter gpedit in the run .msc Enter open the Group Policy Editor select Computer Configuration-Windows Settings-Security Settings-Audit Policy. When creating audit items you need to pay attention to that if there are too many audited items the more events will be generated then you have to The more difficult it is to find serious incidents. Of course too little review will affect your discovery of serious incidents. You need to choose between the two according to the situation.

The recommended items to be reviewed are:

Login event success and failure

Account login event success and failure

System Event success and failure

Success and failure of policy change

Object access failure

Directory service access failure

Privilege use failure

br/>
5. Other security-related settings

1. Hide important files/directories

You can modify the registry to completely hide: \u0026ldquo;HKEY_LOCAL_MACHINE\\SOFTWARE\\ Microsoft\\Windows\\ Current-Version\\Explorer\\Advanced\\Folder\\Hi-dden\\SHOWALL\u0026rdquo; right-click on \u0026ldquo;CheckedValue\u0026rdquo; select Modify change the value from 1 to 0

2 start The system comes with the Internet connection firewall and check the Web server in the setting service options.

3. Prevent SYN flood attack

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters

New DWORD value named SynAttackProtect value It is 2

4. It is forbidden to respond to ICMP routing announcement messages

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\interface

Create a new DWORD value named PerformRouterDiscovery and the value is 0

5. Prevent ICMP redirect message attacks

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters

Set the EnableICMPRedirects value to 0

6. IGMP protocol is not supported

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters

Create a new DWORD value named IGMPLevel and the value is 0.

7. Disable DCOM:

Enter Dcomcnfg.exe while running. Press Enter and click 'Component Services' under 'Console Root Node'. Open the \u0026ldquo;Computer\u0026rdquo; subfolder.

For the local computer please right-click 'My Computer' and select 'Properties'. Select the \u0026ldquo;Default Properties\u0026rdquo; tab.

Clear the \u0026ldquo;Enable Distributed COM on this computer\u0026rdquo; check box.

Note: I used Server2000 settings for items 3-6 and I have not tested whether it works for 2003. But one thing is certain that I have spent a period of time and found no other side effects.

Six. Configure IIS service:

1. Do not use the default Web site. If you use it separate the IIS directory from the system disk.

2 delete the Inetpub directory created by IIS by default (on the disk of the installation system).

3. Delete the virtual directories under the system disk such as: _vti_bin IISSamples Scripts IIShelp IISAdmin IIShelp MSADC.

4. Delete unnecessary IIS extension mapping.

Right-click \u0026ldquo;Default Web Site\u0026rarr;Properties\u0026rarr;Home Directory\u0026rarr;Configuration\u0026rdquo; open the application window and remove unnecessary application mapping. Mainly .shtml .shtm .stm

5. Change the path of IIS log

Right-click \u0026ldquo;Default Web Site\u0026rarr; Properties-Website-Enable Log Record the click properties

6. If you are using 2000 you can use iislockdown to protect IIS. It is not required for the version of IE6.0 running in 2003.

7. Use UrlScan

UrlScan is an ISAPI filter that analyzes incoming packets and can reject any suspicious traffic. The latest version is 2.5. If it is 2000Server you need to install version 1.0 or 2.0 first. For the download address see the link on the page.

If there is no special requirement the default configuration of UrlScan can be used.

But if you are running ASP.NET programs on the server and you want to debug you need to open URLScan in the %WINDIR%\\System32\\Inetsrv\\URLscan

folder. ini file and then add the debug predicate in the UserAllowVerbs section. Note that this section is case sensitive.

If your webpage is an .asp webpage you need to delete the .asp related content in DenyExtensions.

If your page uses a non-ASCII code you will need to value Option section AllowHighBitCharacters set to 1

After the changes made to the file URLScan.ini You need to restart the IIS service to take effect. Enter iisreset when the quick method is running.

If you have any problems after configuration you can delete UrlScan by adding/removing programs.

8. Use WIS (Web Injection Scanner) tool to scan the entire website for SQL Injection vulnerability.

Download link: [://.fanvb.net/ websample/othersample.aspx]VB.NET enthusiast[/url]

Seven configure the Sql server

1. It is best not to have more than two System Administrators roles

2 if you are on this machine it is best to configure the authentication to Win login

3 do not use the Sa account configure a super complex password for it

4. Delete the following extended stored procedure format:

use master

sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell: Yes to enter The best shortcut for the operating system delete

Access the stored procedure of the registry delete

Xp_regaddmultistringXp_regdeletekeyXp_regdeletevalueXp_regenumvalues ??

Xp_regread　 Xp_regwrite　 Xp_regremovemultistring
/>OLE automatic stored procedure no need to delete

Sp_OACreateSp_OADestroySp_OAGetErrorInfoSp_OAGetProperty

Sp_OAMethodSp_OASetPropertySp_OAStop

5. Hide 3 server port change the default 143 server/>
Right-click the instance select Properties-General-Network Configuration select TCP/IP protocol properties select Hide SQL Server instance and change the original default port 1433.

8. If you are only a server and do not perform other operations