

Common Security Strategies for WIN2003 Server

Author: fsadmin


Strategy 1: Turn off unnecessary services in Windows 2003
  · Computer Browser: maintains the latest list of computers on the network and provides this list
  · Task Scheduler: allows programs to run at a specified time
  · Routing and Remote Access: provides routing services for enterprises in LAN and WAN environments
  · Removable Storage: manages removable media, drives and libraries
  · Remote Registry: allows remote registry operations
  · Print Spooler: loads files into memory for later printing
  · IPSEC Policy Agent: manages IP security policies and starts the ISAKMP/Oakley (IKE) and IP security drivers
  · Distributed Link Tracking Client: sends notifications when files move between NTFS volumes in a network domain
  · COM+ Event System: provides automatic distribution of events to subscribing COM components
  · Alerter: notifies selected users and computers of administrative alerts
  · Error Reporting Service: collects, stores and reports application faults to Microsoft
  · Messenger: transmits net send and Alerter service messages between clients and servers
  · Telnet: allows remote users to log in to this computer and run programs
Strategy 2: Disk permission settings
  Give the C drive only Administrators and SYSTEM permissions and grant nothing to anyone else; the other disks can be set the same way. The SYSTEM permission is not strictly required, but some third-party applications start as services under this account and will not start without it.
  The default permissions for Users should be added back on the Windows directory, otherwise applications such as ASP and ASPX cannot run.
Strategy 3: Prohibit empty (null session) connections to the Windows system
  Find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa in the registry and change the DWORD value RestrictAnonymous to 1.
Strategy 4: Close unnecessary ports
  Local Area Connection → Properties → Internet Protocol (TCP/IP) → Advanced → Options → TCP/IP filtering → Properties; tick the box, then add only the ports you require (for example 3389, 21, 1433, 3306, 80).
  Changing the Remote Desktop port
  Start → Run → enter regedit
  Find 3389 under the following two keys:
  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp: change PortNumber=3389 to your own port number
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp: change PortNumber=3389 to your own port number
  Modify 3389 to the number you want (in decimal), then click Hexadecimal (the system converts it automatically) and finally confirm.
  The port is now changed in the registry, but the host must be restarted for the change to take effect; without a restart port 3389 remains in use. After the restart, connect using the new port.
  Disable NetBIOS over TCP/IP
  Local Area Connection → Properties → Internet Protocol (TCP/IP) → Advanced → WINS → Disable NetBIOS over TCP/IP
Strategy 5: Close the default shares used by null sessions
First write a batch file with the following content:
  @echo off
  rem remove the default administrative shares; adjust the drive letters to your server
  net share c$ /delete
  net share d$ /delete
  net share e$ /delete
  net share f$ /delete
  net share admin$ /delete
The contents above can be modified as needed. Save the file as delshare.bat and place it in the system32\GroupPolicy\User\Scripts\Logon directory under the folder where the system is installed. Then enter gpedit.msc in Start → Run and press Enter to open the Group Policy Editor. Click User Configuration → Windows Settings → Scripts (Logon/Logoff) → Logon.
In the 'Logon Properties' window that appears, click 'Add'; the 'Add a Script' dialog appears. Enter delshare.bat in the 'Script Name' field and click 'OK'.
After the computer is restarted, the system automatically removes all of its hidden shared folders, so this hidden danger is reduced to a minimum.
Strategy Five: IIS security settings
  1. Do not use the default web site. If you do use it, separate the IIS directory from the system disk.
  2. Delete the inetpub directory that IIS creates by default (on the disk where the system is installed).
  3. Delete the virtual directories under the system disk, such as: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.
  4. Delete unnecessary IIS extension mappings.
  Right-click 'Default Web Site' → Properties → Home Directory → Configuration to open the application mappings window, and remove the unnecessary application mappings, mainly .shtml, .shtm and .stm.
  5. Change the path of the IIS log
  Right-click 'Default Web Site' → Properties → Web Site → click Properties under Enable logging.
Strategy 6: Registry-related security settings
  1. Hide important files/directories
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  Right-click "CheckedValue", select Modify and change the value from 1 to 0.
  2. Prevent SYN flood attacks
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Create a new DWORD value named SynAttackProtect with a value of 2.
  3. Prohibit responding to ICMP router advertisement messages
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
  Create a new DWORD value named PerformRouterDiscovery with a value of 0.
  4. Prevent attacks using ICMP redirect packets
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Set the value of EnableICMPRedirect to 0.
  5. Do not support the IGMP protocol
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Create a new DWORD value named IGMPLevel with a value of 0.
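As an added audit example (not part of the original article), the following PowerShell script reads back the registry values from Strategies 3, 4 and 6 and reports which ones already match the article's recommended settings; it assumes an elevated PowerShell session on the server and uses only the key paths and value names the article gives.

```powershell
# Added audit script (not from the article). Reads the registry values that
# Strategies 3, 4 and 6 tell you to set and reports whether each matches.
# Run in an elevated PowerShell session on the Windows Server 2003 host.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Path = $tcpip; Name = 'SynAttackProtect';   Expected = 2 },
    @{ Path = $tcpip; Name = 'EnableICMPRedirect'; Expected = 0 },
    @{ Path = $tcpip; Name = 'IGMPLevel';          Expected = 0 }
)
# PerformRouterDiscovery is set per interface, so add one check per adapter key.
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $checks += @{ Path = $iface.PSPath; Name = 'PerformRouterDiscovery'; Expected = 0 }
}

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    $state = if ($actual -eq $null) { 'MISSING (Windows default applies)' }
             elseif ($actual -eq $c.Expected) { 'OK' }
             else { "MISMATCH (found $actual)" }
    '{0,-24} expected {1}  {2}' -f $c.Name, $c.Expected, $state
}

# Strategy 4: the two RDP PortNumber values must agree, otherwise the listener
# and the default connection settings diverge after the reboot.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-RegValue "$ts\WinStations\RDP-Tcp" 'PortNumber'
$wds = Get-RegValue "$ts\Wds\rdpwd\Tds\tcp"   'PortNumber'
$rdpState = if ($rdp -eq 3389)     { 'still the default 3389' }
            elseif ($rdp -eq $wds) { 'changed and consistent' }
            else                   { 'INCONSISTENT between the two keys' }
"RDP PortNumber: RDP-Tcp=$rdp Wds\rdpwd\Tds\tcp=$wds -> $rdpState"
```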
Strategy Seven: Component security settings
  a. Uninstall the wscript.shell and shell.application components. Save the following commands as a .bat file and run it (for Windows 2000 and 2003 systems).
  Windows 2000 (.bat):
   regsvr32 /u c:\winnt\system32\wshom.ocx
   del c:\winnt\system32\wshom.ocx
   rem shell32.dll is also the library behind Windows Explorer and the desktop shell
   regsvr32 /u c:\winnt\system32\shell32.dll
   del c:\winnt\system32\shell32.dll
  Windows 2003 (.bat):
   regsvr32 /u c:\windows\system32\wshom.ocx
   del c:\windows\system32\wshom.ocx
   rem shell32.dll is also the library behind Windows Explorer and the desktop shell
   regsvr32 /u c:\windows\system32\shell32.dll
   del c:\windows\system32\shell32.dll
  b. Rename insecure components. Please note that both the name and the CLSID of the component must be changed, and changed thoroughly; don't copy the example below, make your own change.
Open the Registry Editor with [Start → Run → regedit → Enter], then use [Edit → Find → enter shell.application → Find Next].
Two registry entries are found this way:
{13709620-c279-11ce-a49e-444553540000} and shell.application.
Step 1: To be on the safe side, export these two registry keys and save them as .reg files (for example xxxx.reg).
Step 2: For example, we want to make the following change:
  13709620-c279-11ce-a49e-444553540000 renamed to 13709620-c279-11ce-a49e-444553540001
  shell.application renamed to shell.application_nohack
Step 3: Replace the content of the exported .reg file according to the correspondence above, then import the modified .reg file into the registry (just double-click it). After importing the renamed keys, don't forget to delete the original two items. Note that a CLSID can only contain the ten digits 0-9 and the six letters a-f.
  In fact, you only need to export the corresponding registry key as a backup and then change the key name directly.
  A good example of the change (I suggest you make your own change; it should succeed in one go):
  Windows Registry Editor Version 5.00

  [HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}]
  @="Shell Automation Service"

  [HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\InprocServer32]
  @="C:\\WINNT\\system32\\shell32.dll"
  "ThreadingModel"="Apartment"

  [HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\ProgID]
  @="Shell.Application_nohack.1"

  [HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\TypeLib]
  @="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

  [HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\Version]
  @="1.1"

  [HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540001}\VersionIndependentProgID]
  @="Shell.Application_nohack"

  [HKEY_CLASSES_ROOT\Shell.Application_nohack]
  @="Shell Automation Service"

  [HKEY_CLASSES_ROOT\Shell.Application_nohack\CLSID]
  @="{13709620-c279-11ce-a49e-444553540001}"

  [HKEY_CLASSES_ROOT\Shell.Application_nohack\CurVer]
  @="Shell.Application_nohack.1"
  Comment:
  The wscript.shell and shell.application components are important links in script intrusions and are important for elevating permissions. Uninstalling these two components, or changing their registry key names, greatly improves the script security of a virtual host. Generally speaking, ASP and PHP scripts then cannot elevate permissions; together with the settings for system services, hard disk access permissions, port filtering and local security policy, the security of the virtual host is greatly improved and the possibility of hacker intrusion is very low. After unregistering the shell component, the possibility of an intruder running a privilege-escalation tool is very small, but other scripting languages such as Perl also have shell capabilities; just in case, it is better to set those up as well. The following is another setting that is similar with minor differences.
  c. Prohibit the use of the FileSystemObject component.
  FileSystemObject can perform routine operations on files. You can rename this component in the registry to prevent this type of Trojan.
  HKEY_CLASSES_ROOT\Scripting.FileSystemObject
  Rename it to another name, for example filesystemobject_changename.
  When you call it later, use the new name and the component works normally.
  Also change the CLSID value, that is, the value of the item
  HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID
  You can also delete it to prevent this type of Trojan.
  Windows 2000, unregister the component with: regsvr32 /u c:\winnt\system32\scrrun.dll
  Windows 2003, unregister the component with: regsvr32 /u c:\windows\system32\scrrun.dll
  How to prevent Guest users from using scrrun.dll to call this component?
  Use this command: cacls c:\winnt\system32\scrrun.dll /e /d guests
  d. Prohibit the use of the wscript.shell component.
  wscript.shell can call the system kernel to run basic DOS commands.
  You can rename this component in the registry to prevent this type of Trojan.
  HKEY_CLASSES_ROOT\Wscript.Shell and HKEY_CLASSES_ROOT\Wscript.Shell.1
  Rename them to other names, for example wscript.shell_changename and wscript.shell.1_changename.
  When you call it later, use the new name and the component works normally.
  Also change the CLSID value, that is, the value of the items
  HKEY_CLASSES_ROOT\Wscript.Shell\CLSID
  HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID
  You can also delete it to prevent the harm of such Trojans.
  e. Prohibit the use of the shell.application component.
  shell.application can call the system kernel to run basic DOS commands.
  You can rename this component in the registry to prevent this type of Trojan.
  HKEY_CLASSES_ROOT\Shell.Application and
  HKEY_CLASSES_ROOT\Shell.Application.1
  Rename them to other names, for example shell.application_changename and shell.application.1_changename.
  When you call it later, use the new name and the component works normally.
  Also change the CLSID value, that is, the value of the items
  HKEY_CLASSES_ROOT\Shell.Application\CLSID
  HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
  You can also delete it to prevent the harm of such Trojans.
  Prohibit Guest users from using shell32.dll so that this component cannot be called:
  Windows 2000, use the command: cacls c:\winnt\system32\shell32.dll /e /d guests
  Windows 2003, use the command: cacls c:\windows\system32\shell32.dll /e /d guests
  Note: all of these operations take effect only after the web service is restarted.
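As an added check (not from the article), this PowerShell script reports whether the ProgIDs from Strategy 7 still resolve, whether the article's original Shell.Application CLSID key still exists, and whether the cacls commands above actually left a Deny entry for Guests on shell32.dll, scrrun.dll and wshom.ocx; it assumes an English Windows installation where the group is named Guests.

```powershell
# Added audit script (not from the article). Checks whether the ProgIDs that
# Strategy 7 tells you to rename still resolve, whether the article's original
# Shell.Application CLSID key still exists, and whether the cacls commands left
# a Deny entry for Guests on the DLLs. Assumes an English install (group "Guests").
$progIds = 'Shell.Application', 'Shell.Application.1',
           'WScript.Shell', 'WScript.Shell.1', 'Scripting.FileSystemObject'

foreach ($p in $progIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$p"
    if (Test-Path $key) {
        # The CLSID subkey's default value ties the ProgID to its implementation.
        $clsid = (Get-ItemProperty "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
        "$p : still registered (CLSID $clsid)"
    } else {
        "$p : not registered (renamed or removed)"
    }
}

# CLSID quoted by the article for Shell.Application; if it is still present the
# rename in Strategy 7 was not completed (the original key must be deleted).
$origClsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540000}'
"Original Shell.Application CLSID key present: $(Test-Path $origClsid)"

# cacls <file> /e /d guests adds a Deny ACE for Guests; confirm it is on disk.
$system32 = Join-Path $env:SystemRoot 'system32'
foreach ($dll in 'shell32.dll', 'scrrun.dll', 'wshom.ocx') {
    $file = Join-Path $system32 $dll
    if (-not (Test-Path $file)) { "$dll : file absent (removed by Strategy 7a?)"; continue }
    $denied = (Get-Acl $file).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*\Guests'
    }
    if ($denied) { "$dll : Deny ACE for Guests present" }
    else         { "$dll : no Deny ACE for Guests" }
}
```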
  f
