1. Installation of Windows Server 2003
1. Create at least two partitions for the installation, all formatted as NTFS.
2. Install the 2003 system while disconnected from the network.
3. Install IIS with only the components you need (leave unnecessary services such as FTP and SMTP uninstalled). IIS is not installed by default: select 'Application Server' in Add/Remove Windows Components, click 'Details', double-click Internet Information Services (IIS) and check the following options:
Internet Information Services Manager;
Common Files;
Background Intelligent Transfer Service (BITS) server extension;
World Wide Web Service.
If the site uses FrontPage Server Extensions, also check FrontPage 2002 Server Extensions.
4. Install MSSQL and other required software and then update.
5. Use the MBSA (Microsoft Baseline Security Analyzer) tool provided by Microsoft to analyze the security configuration of the computer and identify missing patches and updates. Download link: see the link at the end of the page
2. Setting and managing accounts
1. Create as few system administrator accounts as possible. Rename the default administrator account (Administrator) and change its description. The password should mix digits with uppercase and lowercase letters and be no shorter than 14 characters.
2. Create a decoy account named Administrator, give it the minimum permissions, and set a password of no fewer than 20 characters.
3. Disable the Guest account, change its name and description, and set a complex password. There is also a DelGuest tool; maybe you can use it to delete the Guest account, but I haven't tried it.
4. Run gpedit.msc to open the Group Policy Editor, select Computer Configuration-Windows Settings-Security Settings-Account Policies-Account Lockout Policy, and set 'Account lockout threshold' to 3 invalid logon attempts, 'Account lockout duration' to 30 minutes and 'Reset account lockout counter after' to 30 minutes.
5. Under Security Settings-Local Policies-Security Options, enable 'Do not display last user name in logon screen'.
6. Under Security Settings-Local Policies-User Rights Assignment, keep only the Internet guest account and the IIS process account in 'Access this computer from the network'. If you use ASP.NET, keep the ASPNET account as well.
7. Create a normal user account and work from it; when you need to run a privileged command, use the Runas command.
3. Network service security management
1. Disable the default administrative shares (C$, D$, ADMIN$).
Open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, create a new DWORD value in the right pane named AutoShareServer and set it to 0.
2. Remove the NetBIOS binding from TCP/IP.
Right-click Network Neighborhood-Properties, right-click Local Area Connection-Properties, double-click Internet Protocol (TCP/IP)-Advanced-WINS and select 'Disable NetBIOS over TCP/IP'.
3. Disable services that are not needed. The recommended choices are:
Computer Browser: maintains the list of computers on the network; disable it.
Distributed File System: manages shared files in the local network; no need to disable.
Distributed Link Tracking Client: updates link information in the local network; no need to disable.
Error Reporting Service: disable it (it sends error reports).
Microsoft Search: provides fast full-text search; no need to disable.
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; no need to disable.
Print Spooler: if there is no printer, you can disable it.
Remote Registry: disable it to prohibit remote modification of the registry.
Remote Desktop Help Session Manager: disable it to prohibit Remote Assistance.
4. Enable the appropriate audit policy
Run gpedit.msc to open the Group Policy Editor and select Computer Configuration-Windows Settings-Security Settings-Audit Policy. When choosing audit items, bear in mind that the more items you audit, the more events are generated and the harder it becomes to find the serious ones; audit too little, however, and you may miss serious incidents. Strike a balance according to your situation.
The recommended items to audit are:
Logon events: success and failure
Account logon events: success and failure
System events: success and failure
Policy change: success and failure
Object access: failure
Directory service access: failure
Privilege use: failure
5. Other security-related settings
1. Hide important files/directories
You can hide them completely by editing the registry: open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, select Modify and change the value from 1 to 0.
2. Enable the built-in Internet Connection Firewall and, in its Services settings, check the Web Server option.
3. Protect against SYN flood attacks
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
create a new DWORD value named SynAttackProtect and set it to 2.
4. Do not respond to ICMP router advertisement messages
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
create a new DWORD value named PerformRouterDiscovery and set it to 0.
5. Prevent ICMP redirect attacks
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set EnableICMPRedirect to 0.
6. Disable IGMP (multicast) support
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
create a new DWORD value named IGMPLevel and set it to 0.
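The registry items in section 3.1 and in items 3 to 6 of this section can be audited, and if wanted applied, from a script rather than edited by hand. The following is an added example, not from the original article; it assumes PowerShell 3 or later run as an administrator, uses the article's values, and uses the name EnableICMPRedirect that Microsoft documents for the ICMP redirect setting.

```powershell
# Added example, not from the original article: audit (and with -Apply, set) the
# registry values the article recommends. Assumes PowerShell 3+ running elevated.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$desired = @(
    # Section 3.1: no automatic C$, D$, ADMIN$ shares
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';
       Name = 'AutoShareServer'; Value = 0 },
    # Section 5, items 3-6: the article's values (2 comes from its Windows 2000 settings)
    @{ Path = $tcpip; Name = 'SynAttackProtect';   Value = 2 },
    # Microsoft documents this name in the singular; the article writes "EnableICMPRedirects"
    @{ Path = $tcpip; Name = 'EnableICMPRedirect'; Value = 0 },
    @{ Path = $tcpip; Name = 'IGMPLevel';          Value = 0 }
)
# PerformRouterDiscovery lives under each Interfaces\<GUID> key, so add one entry per interface
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $desired += @{ Path = $iface.PSPath; Name = 'PerformRouterDiscovery'; Value = 0 }
}

function Test-HardeningValue {
    param([hashtable]$Setting, [switch]$Apply)
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.($Setting.Name) } else { $null }   # $null = value missing
    $ok = ($null -ne $current) -and ($current -eq $Setting.Value)
    if (-not $ok -and $Apply) {
        # -Force creates a missing DWORD or overwrites a wrong one in place
        New-ItemProperty -Path $Setting.Path -Name $Setting.Name -PropertyType DWord `
            -Value $Setting.Value -Force | Out-Null
        $current = $Setting.Value; $ok = $true
    }
    [pscustomobject]@{ Key = $Setting.Path; Name = $Setting.Name;
                       Expected = $Setting.Value; Current = $current; Compliant = $ok }
}

# Audit run; add -Apply to the call to enforce. Tcpip values take effect after a reboot.
$report = foreach ($s in $desired) { Test-HardeningValue -Setting $s }
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) value(s) differ from the recommended setting." }
```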
7. Disable DCOM:
Run Dcomcnfg.exe and press Enter. Under 'Console Root', click 'Component Services' and open the 'Computers' folder.
For the local computer, right-click 'My Computer' and select 'Properties', then select the 'Default Properties' tab.
Clear the 'Enable Distributed COM on this computer' check box.
Note: I used Windows 2000 Server settings for items 3-6 and have not tested whether they work on 2003. One thing is certain, though: I have used them for some time and found no side effects.
6. Configure the IIS service:
1. Do not use the default Web site. If you do use it, move the IIS directory off the system disk.
2. Delete the Inetpub directory that IIS creates by default (on the system disk).
3. Delete the virtual directories under the system disk, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.
4. Remove unnecessary IIS extension mappings.
Right-click Default Web Site-Properties-Home Directory-Configuration to open the application mappings window and remove the mappings you do not need, mainly .shtml, .shtm and .stm.
5. Change the IIS log path
Right-click Default Web Site-Properties-Web Site, check Enable logging and click Properties.
6. If you are using 2000, you can use IISLockdown to protect IIS. It is not needed for IIS 6.0 on 2003.
7. Use UrlScan
UrlScan is an ISAPI filter that inspects incoming HTTP requests and can reject suspicious ones. The latest version is 2.5; on 2000 Server you need to install version 1.0 or 2.0 first. For the download address, see the link on the page.
If there are no special requirements, the default UrlScan configuration can be used.
But if you run ASP.NET applications on the server and want to debug them, open UrlScan.ini in the %WINDIR%\System32\Inetsrv\URLscan folder and add the DEBUG verb to the [AllowVerbs] section (the list in effect when UseAllowVerbs=1). Note that this section is case sensitive.
If your site uses .asp pages, remove the .asp-related entries from [DenyExtensions].
If your pages use non-ASCII characters, set AllowHighBitCharacters=1 in the [Options] section.
After changing UrlScan.ini, restart IIS for the change to take effect; the quick way is to run iisreset.
If you have problems after configuring it, you can remove UrlScan via Add/Remove Programs.
8. Use the WIS (Web Injection Scanner) tool to scan the entire site for SQL injection vulnerabilities.
Download link: [://.fanvb.net/websample/othersample.aspx] (VB.NET enthusiast site)
7. Configure SQL Server
1. Preferably no more than two logins hold the System Administrators role.
2. If SQL Server runs on this machine, it is best to set the authentication mode to Windows authentication.
3. Do not use the sa account; give it a very complex password.
4. Delete the following extended stored procedures. The syntax, shown here for xp_cmdshell, is:
    USE master
    GO
    EXEC sp_dropextendedproc 'xp_cmdshell'
    GO
xp_cmdshell: the easiest way into the operating system; delete it.
Registry access procedures; delete them: xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regwrite, xp_regremovemultistring.
OLE Automation procedures; no need to delete: sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop.
5. Hide the SQL Server instance and change the default port 1433
Right-click the instance, select Properties-General-Network Configuration, select the TCP/IP protocol properties, select 'Hide SQL Server instance' and change the default port from 1433.
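Items 1 to 4 of this section can be checked from a script before anything is changed. The following is an added example, not from the original article; it assumes Windows authentication to the local default instance and the SQL Server 2000-era system tables master..syslogins and master..sysobjects.

```powershell
# Added example, not from the original article: check one SQL Server instance against
# the article's items 1 (sysadmin count), 2/3 (authentication mode, sa) and 4 (extended
# stored procedures). Assumes Windows authentication to the local default instance and
# the SQL Server 2000-era catalog tables (master..syslogins, master..sysobjects).
$dangerous = @('xp_cmdshell', 'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue',
               'xp_regenumvalues', 'xp_regread', 'xp_regwrite', 'xp_regremovemultistring')

function Get-FirstColumn([System.Data.SqlClient.SqlConnection]$Conn, [string]$Sql) {
    $cmd = $Conn.CreateCommand(); $cmd.CommandText = $Sql
    $reader = $cmd.ExecuteReader(); $rows = @()
    while ($reader.Read()) { $rows += $reader.GetValue(0) }
    $reader.Close()
    return ,$rows        # the leading comma keeps a single row from unrolling
}

$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Database=master;Integrated Security=SSPI'
$conn.Open()
try {
    $admins  = Get-FirstColumn $conn "SELECT name FROM master..syslogins WHERE sysadmin = 1"
    $winOnly = Get-FirstColumn $conn "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
    $inList  = ($dangerous | ForEach-Object { "'$_'" }) -join ','
    $present = Get-FirstColumn $conn "SELECT name FROM master..sysobjects WHERE xtype = 'X' AND name IN ($inList)"

    $findings = @()
    if ($admins.Count -gt 2) { $findings += "sysadmin has $($admins.Count) members: $($admins -join ', ')" }
    if ($winOnly[0] -ne 1)   { $findings += "mixed-mode authentication is enabled (sa can log in with a password)" }
    foreach ($p in $present) { $findings += "extended stored procedure still present: $p" }

    # Removal is the article's sp_dropextendedproc step; uncomment to enforce it.
    # foreach ($p in $present) {
    #     $cmd = $conn.CreateCommand(); $cmd.CommandText = "EXEC master..sp_dropextendedproc '$p'"
    #     [void]$cmd.ExecuteNonQuery()
    # }
} finally { $conn.Close() }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```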
8. If you are only a server and do not perform other operations
Windows Server 2003 Server Security Settings
Author:fsadmin