1. Transfer systemrootSystem32cmd.exe to another directory and change its name;
2. Minimize the number of system accounts and change the default account name (such as Administrator) And description the password is as complex as possible;
3. Deny access to the computer through the network (anonymous login; built-in administrator account; Support_388945a0; Guest; all non-operating system service accounts)
4 . It is recommended to give general users only read permissions and only give administrators and system full control permissions but doing so may make some normal scripts unable to execute or some operations that need to be written cannot be completed. You need to change the permissions of the folder where these files are located. It is recommended to test on the test machine before making changes and then change them carefully.
5. NTFS file permissions settings (note that the priority of file permissions is higher than that of folders):
CGI file (.exe .Dll .cmd .pl)
Script files (.asp)
Include files (.inc .shtm .shtml)
static Content (.txt .gif .jpg .htm .html)
Recommended NTFS permissions
Administrators (full control )
System (full control)
6. Prohibit default sharing such as C$ D$
AutoShareServer REG_DWORD 0x0
7. Prohibit ADMIN$ default sharing
AutoShareWks REG_DWORD 0x0
8. Restrict IPC $Default sharing
restrictanonymous REG_DWORD 0x0 default
0x1 Anonymous users cannot enumerate the list of local users
0x2 Anonymous users Unable to connect to the local IPC$ share
Note: It is not recommended to use 2 otherwise it may cause some of your services to fail to start such as SQL Server
9. Only give users what they really need Permissions the principle of minimizing permissions is an important guarantee for security
10. Open the corresponding audit in the local security policy-audit policy. The recommended audit is:
Account management failed successfully
Successful login event failed
Object access failed
Successful policy change failed
Privilege use failed
System Event failed successfully
Directory service access failed
Success and failure of account login events
The disadvantage of fewer audit items is that if you want to see and find that there is no record it is nothing; too many audit items will not only take up system resources but also make you have no time to go Look this loses the meaning of review. Related to it:
Set in Account Policy-Password Policy:
Password complexity requirement is enabled
The minimum password length is 6 digitsP>
Mandatory password history 5 times
The maximum retention period is 30 days
Set in the account policy-account lock policy:
Account lock 3 wrong logins
Lock time 20 minutes
Reset lock count 20 minutes
11. In Terminal Service Configration (remote service configuration)-permissions-advanced To configure security audit generally speaking it is enough to record login and logout events.
12. Unbind NetBios and TCP/IP protocol
Control panel-network-binding-NetBios interface-disable 2000: control panel- Network and dial-up connection-local network-properties-TCP/IP-properties-advanced-WINS-disable NETBIOS on TCP/IP
13. Enable in the network connection protocol TCP/IP filtering only open the necessary ports (such as 80)
14. By changing the registry Local_MachineSystemCurrentControlSetControlLSA-RestrictAnonymous = 1 to prohibit 139 empty connections
15. Modify the data packet Time to live (TTL) value
DefaultTTL REG_DWORD 0-0xff (0-255 decimal default value 128)
16. Prevent SYN flood attacks< /P>
SynAttackProtect REG_DWORD 0x2 (default value is 0x0)
17. It is forbidden to respond to ICMP routing notification messages
PerformRouterDiscovery REG_DWORD 0x0 (default value is 0x2)
18. Prevent ICMP redirect message attacks
EnableICMPRedirects REG_DWORD 0x0 (default Value is 0x1)
19. IGMP protocol is not supported
IGMPLevel REG_DWORD 0x0 (default value is 0x2)
20. Set arp cache aging time settings
ArpCacheLife REG_DWORD 0-0xFFFFFFFF (number of seconds default value is 120 seconds)
ArpCacheMinReferencedLife REG_DWORD 0-0xFFFFFFFF (number of seconds default value is 600)
21. Dead gateway monitoring technology is prohibited
EnableDeadGWDetect REG_DWORD 0x0 (default value is ox1)
22. Routing function is not supported
IPEnableRouter REG_DWORD 0x0 (default value is 0x0)
Install and configure IIS service:
1. Install only necessary IIS components. (Disable unnecessary services such as FTP and SMTP)
2. Only enable necessary services and Web Service extensions recommended configuration:
Component name in UI< P> Setting
Background Intelligent Transfer Service (BITS) server extension
BITS is Windows updates and 'automatic Update the background file transfer mechanism used. If you use Windows updates or 'automatic updates' to automatically apply service packs and hot fixes in the IIS server you must have this component.
IIS needs these files so you must enable them in the IIS server.
File Transfer Protocol (FTP) service
Allow IIS server to provide FTP service. The dedicated IIS server does not require this service.
FrontPage 2002 Server Extensions
Provide FrontPage support for managing and publishing Web sites. If you do not use FrontPage extended Web sites please disable this component in the dedicated IIS server.
Internet Information Service Manager
IIS management interface.
Provides Web-based printer management allowing printer sharing via . This component is not required for dedicated IIS servers.
Distribute query retrieve and post Usenet news articles on the Internet. This component is not required for dedicated IIS servers.
Support email transmission. This component is not required for dedicated IIS servers.
World Wide Web Services
Provide clients with Web services static and dynamic content. The dedicated IIS server requires this component.
World Wide Web Service Subcomponent
Component name in UI
Active Server Page
Provide ASP support. If the Web sites and applications in the IIS server do not use ASP please disable this component; or use Web service extensions to disable it.
Internet Data Connector
Provide dynamic content support through files with the extension .idc. If the Web site and application in the IIS server do not include the .idc extension file please disable the component; or use the Web service extension to disable it.
Remote Management (HTML)
Provide an HTML interface for IIS management. Switching to IIS Manager makes management easier and reduces the attack surface of the IIS server. The dedicated IIS server does not need this feature.
Remote Desktop Web Connection
Includes Microsoft ActiveX? controls and sample pages for managing terminal services client connections. Switching to IIS Manager makes management easier and reduces the attack surface of the IIS server. This component is not required for dedicated IIS servers.
The server side includes
Provide support for .shtm .shtml and .stm files. If the Web sites and applications running in the IIS server do not use the above-mentioned extended include files please disable this component.
WebDAV extends the /1.1 protocol allowing clients to publish lock and manage resources on the Web. Dedicated IIS server to disable this component; or use Web service extension to disable this component.
World Wide Web Services
Provide clients with Web services static and dynamic content. The dedicated IIS server needs this component
3. Separate the IIS directory data from the system disk and store it in a dedicated disk space.
4. Delete any unused mappings other than necessary in the IIS manager (retain the necessary mappings such as asp)
5. Set 404 Object Not in IIS The Found error page is redirected to a customized HTM file via URL
6. Web site permission setting (recommended)
Web site permissions:
Authorized permissions :
Script Source Access
It is recommended to close
It is recommended to close
It is recommended to close
It is recommended to select 'Script only'
7. It is recommended to use the W3C extended log file format to record customer IP every day Address user name server port method URI root status user agent and logs are reviewed every day. (It is better not to use the default directory it is recommended to change a log path and set the log access permissions at the same time only allow the administrator and system to be Full Control).
8. Program security:
1) Programs involving user names and passwords are best encapsulated on the server side and appear in ASP files as little as possible and involve the connection to the database. The user name and password should be given minimum permissions;
2) The ASP page that needs to be verified can track the file name of the previous page. Only the session transferred from the previous page can read this page.
3) Prevent the leakage of ASP homepage .inc file;
4) Prevent the leakage of some.asp.bak file generated by editors such as UE.
Apply all required service packs and regular manual update patches.
Install and configure anti-virus protection
Recommend NAV 8.1 or above virus firewall (configured to be automatically upgraded at least once a week).
Install and configure firewall protection
Recommend the latest version of BlackICE Server Protection firewall (simple configuration more practical)
Install and configure MOM agents or similar monitoring solutions as required.
Strengthen data backup
Web data is backed up regularly to ensure that it can be restored to the latest state after a problem occurs.
Consider implementing IPSec filters
Use IPSec filters to block ports
Internet Protocol Security (IPSec) filters can enhance the security required by the server Levels provide effective methods. This guide recommends using this option in the high-security environment defined in the guide to further reduce the attack surface of the server.
For more information about using IPSec filters please refer to the module's other member server hardening process.
The following table lists all the IPSec filters that can be created on the IIS server under the advanced security environment defined in this guide.
When implementing the rules listed in the table above they should be mirrored. This ensures that any network communication that enters the server can also be returned to the source server.
SQL Server Security Hardening
Install the latest MDAC (: //.microsoft.com/data/download.htm)
Since SQL Server cannot change the sa user name nor delete the super user we must The strongest protection for this account of course including the use of a very strong password it is best not to use the sa account in database applications. Create a new super user with the same permissions as sa to manage the database. At the same time develop a good habit of regularly changing the password. The database administrator should regularly check whether there are accounts that do not meet the password requirements. For example use the following SQL statement:
select name Password from syslogins where password is null
Database log records
Check the 'failure and success' of database login events select 'security' in the instance properties and select the audit level as all so that in the database system and operating system logs all account logins are recorded in detail event.
Manage extended stored procedures
xp_cmdshell is the best shortcut to enter the operating system and is a big backdoor left by the database to the operating system. Please remove it. Use this SQL statement:
If you need this stored procedure please use this statement to recover it.
OLE automatic stored procedures (will cause some features in the manager to be unavailable) these procedures include the following (no need to Remove all:
Sp_OAcreate Sp_OADestroy Sp_OAGetErrorInfo Sp_OAGetProperty
Sp_OAMethod Sp_OASetProperty Sp_OAStop
Remove unnecessary registry access stored procedures registry stored procedures can even be read The password of the operating system administrator is as follows:
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue Xp_regenumvalues ??
Xp_regread Xp_regremovemultistring Xp_regwrite
Anti-TCP/IP port detection
Select the properties of the TCP/IP protocol in the instance properties. Choose to hide the SQL Server instance.
Please change the original default port 1433 based on the configuration in the previous step.
In IPSec filtering rejects UDP communication on port 1434 which can hide your SQL Server as much as possible.
IP restrictions on network connections
IP data can be realized by using the operating system's own IPSec The security of the package. Please restrict the IP connection to ensure that only your own IP can access and deny port connections made by other IPs.
Attachment: Win2003 system recommends to disable the service list
Background Intelligent Transfer Service
DHCP Client Dhcp
NTLM Security Support Provider NtLmSsp
Network Location Awareness
Performance Logs and Alerts SysmonLog
Remote Administration Service SrvcSurg
Remote Registry Service RemoteRegistry
TCP/IP NetBIOS Helper Service LmHosts
DHCP Client Dhcp
NTLM Security Support Provider NtLmSsp
Windows Installer MSIServer
Windows Management Instrumentation Driver Extensions Wmi
WMI Performance Adapter WMIApSrv
Disable?Tips and tricks for speeding up Windows 7