

Harden the security of WIN2003 IIS SQL server Computer Knowledge



1. Move %systemroot%\System32\cmd.exe to another directory and rename it;

2. Keep the number of system accounts to a minimum, rename the default accounts (such as Administrator) and change their descriptions, and make their passwords as complex as possible;

3. Deny access to this computer from the network for: anonymous logon; the built-in Administrator account; Support_388945a0; Guest; all non-operating-system service accounts.

4. It is recommended to give ordinary users read permission only and to give Administrators and System full control. Doing so may stop some legitimate scripts from running or prevent operations that need to write; in that case change the permissions on the folder that holds those files. Test the changes on a test machine first and then apply them carefully.

5. NTFS file permission settings (note that file permissions take priority over folder permissions):

File types:

CGI files (.exe .dll .cmd .pl)
Script files (.asp)
Include files (.inc .shtm .shtml)
Static content (.txt .gif .jpg .htm .html)

Recommended NTFS permissions:

Everyone (execute)
Administrators (full control)
System (full control)

6. Disable the default shares such as C$ and D$:

AutoShareServer REG_DWORD 0x0

7. Disable the ADMIN$ default share:

AutoShareWks REG_DWORD 0x0

8. Restrict the IPC$ default share:

restrictanonymous REG_DWORD 0x0 (default)

0x1 Anonymous users cannot enumerate the list of local users

0x2 Anonymous users cannot connect to the local IPC$ share

Note: the value 2 is not recommended, because it can stop some of your services, such as SQL Server, from starting.

9. Give users only the permissions they really need; the principle of least privilege is an important guarantee of security.

10. Enable the corresponding auditing under Local Security Policy - Audit Policy. The recommended audit settings are:

Audit account management: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: success, failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: success, failure

The drawback of too few audit items is that when you need to look something up there is no record of it; too many audit items not only consume system resources but also leave you no time to review them, which defeats the purpose of auditing. Related to this:

Under Account Policies - Password Policy set:

Password must meet complexity requirements: enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days

Under Account Policies - Account Lockout Policy set:

Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes

11. In Terminal Services Configuration, under Permissions - Advanced, configure security auditing; generally it is enough to record logon and logoff events.

12. Unbind NetBIOS from TCP/IP

Control Panel - Network - Bindings - NetBIOS Interface - Disable. On 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP

13. Enable TCP/IP filtering in the network connection's protocol properties and open only the necessary ports (such as 80).

14. Set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1 to prevent null-session connections on port 139.

15. Modify the packet Time To Live (TTL) value:

DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default 128)

16. Protect against SYN flood attacks:

SynAttackProtect REG_DWORD 0x2 (default 0x0)

17. Do not respond to ICMP router advertisement messages:

PerformRouterDiscovery REG_DWORD 0x0 (default 0x2)

18. Protect against ICMP redirect message attacks:

EnableICMPRedirects REG_DWORD 0x0 (default 0x1)

19. Disable IGMP protocol support:

IGMPLevel REG_DWORD 0x0 (default 0x2)

20. Set the ARP cache aging time:

ArpCacheLife REG_DWORD 0-0xFFFFFFFF (seconds, default 120)

ArpCacheMinReferencedLife REG_DWORD 0-0xFFFFFFFF (seconds, default 600)

21. Disable dead gateway detection:

EnableDeadGWDetect REG_DWORD 0x0 (default 0x1)

22. Disable IP routing:

IPEnableRouter REG_DWORD 0x0 (default 0x0)
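The registry values in items 6-8 and 14-22 are easy to set and easy to lose again after a reinstall or a careless change, so a check against the baseline is worth keeping. The Python script below is an added example, not code from the original article: it parses saved `reg query` output, reports every value that is missing or differs from the recommended setting, and renders the deviations as a .reg file. The article lists only the value names; the key paths used here (LanmanServer\Parameters, Control\Lsa and Tcpip\Parameters) are taken from Microsoft's registry documentation for these values, and the `reg query` output used as input is constructed for the example.

```python
r"""Check a Windows Server 2003 host against the registry hardening values
recommended in items 6-8 and 14-22 above.

Added example; it is not part of the original article. The article gives only
the value names, so the key paths below come from Microsoft's registry
documentation for these values. The `reg query` output used as input is
constructed for this example; on a real host capture it with, for example,
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" > tcpip.txt
"""
import re

LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Fixed recommended DWORD values from the article (value names spelled as the
# article spells them). Range-type items such as DefaultTTL are not included.
BASELINE = {
    (LANMAN, "AutoShareServer"): 0x0,
    (LANMAN, "AutoShareWks"): 0x0,
    (LSA, "RestrictAnonymous"): 0x1,
    (TCPIP, "SynAttackProtect"): 0x2,
    (TCPIP, "PerformRouterDiscovery"): 0x0,
    (TCPIP, "EnableICMPRedirects"): 0x0,
    (TCPIP, "IGMPLevel"): 0x0,
    (TCPIP, "EnableDeadGWDetect"): 0x0,
    (TCPIP, "IPEnableRouter"): 0x0,
}

VALUE_LINE = re.compile(r"(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)$")


def parse_reg_query(text):
    """Map (key, name) -> int for every REG_DWORD in `reg query` output.

    Keys and names are lower-cased because the registry is case-insensitive.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            key = line.lower()
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 0)
    return values


def audit(values, baseline=BASELINE):
    """Return one finding per baseline value that is missing or differs.

    A missing value is reported with found=None: most of these DWORDs do not
    exist until an administrator creates them, so the default applies.
    """
    findings = []
    for (key, name), expected in baseline.items():
        found = values.get((key.lower(), name.lower()))
        if found == expected:
            continue
        note = ""
        if name == "RestrictAnonymous" and found == 2:
            # Item 8's caveat: 2 is stricter than recommended and can stop
            # services such as SQL Server from starting.
            note = "stricter than recommended; may break services such as SQL Server"
        findings.append({"key": key, "name": name, "found": found,
                         "expected": expected, "note": note})
    return findings


def reg_file(findings):
    """Render the findings as a .reg file that sets each value to the baseline."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append((f["name"], f["expected"]))
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        for name, expected in items:
            lines.append(f'"{name}"=dword:{expected:08x}')
        lines.append("")
    return "\n".join(lines)


# Constructed sample of what `reg query` prints on Windows Server 2003.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    AutoShareServer    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect    REG_DWORD    0x0
    EnableDeadGWDetect    REG_DWORD    0x0
    IPEnableRouter    REG_DWORD    0x0
    IGMPLevel    REG_DWORD    0x0
"""


if __name__ == "__main__":
    deviations = audit(parse_reg_query(SAMPLE_REG_QUERY))
    for f in deviations:
        print(f"{f['name']}: found={f['found']} expected={f['expected']:#x} {f['note']}")
    print(reg_file(deviations))
```

Run against the sample, the audit reports five deviations (AutoShareWks, PerformRouterDiscovery and EnableICMPRedirects are absent, SynAttackProtect is still 0, and RestrictAnonymous is 2 with the item 8 warning attached); the generated .reg text can be reviewed and imported with regedit once the warning has been considered.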

Install and configure the IIS service:

1. Install only the necessary IIS components (disable unnecessary services such as FTP and SMTP).

2. Enable only the necessary services and Web Service Extensions. Recommended configuration:

Component name in UI - Setting logic

Background Intelligent Transfer Service (BITS) server extension: BITS is the background file-transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server automatically, this component is required.

Common Files: IIS needs these files, so they must be enabled on the IIS server.

File Transfer Protocol (FTP) Service: lets the IIS server provide FTP service. A dedicated IIS server does not need this service.

FrontPage 2002 Server Extensions: provide FrontPage support for managing and publishing Web sites. If you do not use FrontPage-extended Web sites, disable this component on a dedicated IIS server.

Internet Information Services Manager: the IIS management interface.

Internet Printing: provides Web-based printer management and lets printers be shared over HTTP. A dedicated IIS server does not need this component.

NNTP Service: distributes, queries, retrieves and posts Usenet news articles on the Internet. A dedicated IIS server does not need this component.

SMTP Service: supports e-mail transmission. A dedicated IIS server does not need this component.

World Wide Web Service: provides static and dynamic Web content to clients. A dedicated IIS server requires this component.

World Wide Web Service subcomponents

Component name in UI - Setting logic

Active Server Pages: provides ASP support. If the Web sites and applications on the IIS server do not use ASP, disable this component, or disable it through Web Service Extensions.

Internet Data Connector: provides dynamic content through files with the .idc extension. If the Web sites and applications on the IIS server include no .idc files, disable this component, or disable it through Web Service Extensions.

Remote Administration (HTML): provides an HTML interface for managing IIS. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not need this feature.

Remote Desktop Web Connection: includes Microsoft ActiveX controls and sample pages for managing Terminal Services client connections. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. A dedicated IIS server does not need this component.

Server-Side Includes: provides support for .shtm, .shtml and .stm files. If the Web sites and applications running on the IIS server do not use include files with these extensions, disable this component.

WebDAV Publishing: WebDAV extends the HTTP/1.1 protocol so that clients can publish, lock and manage resources on the Web. Disable this component on a dedicated IIS server, or disable it through Web Service Extensions.

World Wide Web Service: provides static and dynamic Web content to clients. A dedicated IIS server needs this component.

3. Keep the IIS content directories off the system disk and store them on a dedicated disk.

4. In IIS Manager delete all application mappings that are not needed (keep the necessary ones, such as .asp).

5. In IIS, redirect the 404 (Object Not Found) error page to a customized HTM file via URL.

6. Web site permission settings (recommended)

Web site permissions (authorized permissions):

Write: not allowed
Script source access: not allowed
Directory browsing: recommended off
Log visits: recommended off
Index this resource: recommended off
Execute permissions: 'Scripts only' recommended

7. It is recommended to use the W3C extended log file format with a new log file each day, recording client IP address, user name, server port, method, URI stem, status and user agent, and to review the logs every day. (Preferably do not use the default log directory: change the log path and at the same time set the permissions on the logs so that only Administrators and System have Full Control.)

8. Program security:

1) Code that handles user names, passwords and database connections should be encapsulated on the server side and appear in ASP files as little as possible; the database user name and password should be granted minimum permissions;

2) An ASP page that requires authentication can check the file name of the page that referred to it, so that only a session coming from the previous page can read it.

3) Prevent leakage of the .inc files included by ASP pages;

4) Prevent leakage of the .asp.bak files generated by editors such as UltraEdit (UE).
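Item 7 asks for a daily log review and item 8 names two files that must never be served (.inc includes and editor .bak copies). The script below is an added example, not code from the original article, that turns both into a concrete check: it parses an IIS W3C extended log by its #Fields header, so the fields item 7 recommends (client IP, user name, server port, method, URI stem, status, user agent) are found whatever order they were logged in, then reports clients with a burst of failed requests and every request for a .inc or .bak file together with its status. The log lines and the threshold are constructed for the example.

```python
"""Daily review of an IIS W3C extended log, covering item 7 (log review) and
the .inc / .asp.bak leakage points in item 8.

Added example; it is not the article's code. The log uses the fields item 7
recommends; the #Fields header is parsed, so any column order works. The log
lines below are constructed for this example.
"""
from collections import Counter
from urllib.parse import unquote

# Extensions that should never be served: .inc source includes and the .bak
# copies that editors such as UltraEdit leave behind (item 8).
SENSITIVE_SUFFIXES = (".inc", ".bak")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2005-03-01 00:00:12 10.0.0.5 - 80 GET /index.asp 200 Mozilla/4.0
2005-03-01 00:00:15 10.0.0.5 - 80 GET /images/logo.gif 200 Mozilla/4.0
2005-03-01 00:01:03 192.0.2.44 - 80 GET /admin.asp 404 Mozilla/4.0
2005-03-01 00:01:04 192.0.2.44 - 80 GET /login.asp.bak 404 Mozilla/4.0
2005-03-01 00:01:05 192.0.2.44 - 80 GET /conn%2Einc 200 Mozilla/4.0
2005-03-01 00:01:06 192.0.2.44 - 80 GET /db.asp 500 Mozilla/4.0
2005-03-01 00:02:10 10.0.0.7 jsmith 80 POST /upload.asp 200 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields.

    IIS writes '-' for an empty field and '+' for spaces inside a value, so a
    request line always has exactly one space-separated token per field.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def review(text, max_failures=3):
    """Summarise one day's log.

    Returns the request count, the authenticated user names seen, clients
    with at least max_failures 4xx/5xx responses, and every request for a
    sensitive file with its status (a 200 means the file was actually served).
    """
    entries = list(parse_w3c(text))
    failures = Counter()
    users = Counter()
    sensitive = []
    for e in entries:
        status_text = e.get("sc-status", "0")
        status = int(status_text) if status_text.isdigit() else 0
        if status >= 400:
            failures[e["c-ip"]] += 1
        if e.get("cs-username", "-") != "-":
            users[e["cs-username"]] += 1
        # Decode percent-encoding first so /conn%2Einc is seen as /conn.inc.
        stem = unquote(e.get("cs-uri-stem", "")).lower()
        if stem.endswith(SENSITIVE_SUFFIXES):
            sensitive.append((e["c-ip"], stem, status))
    noisy = {ip: n for ip, n in failures.items() if n >= max_failures}
    return {"requests": len(entries), "users": dict(users),
            "noisy_clients": noisy, "sensitive_hits": sensitive}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for ip, n in result["noisy_clients"].items():
        print(f"{ip}: {n} failed requests")
    for ip, stem, status in result["sensitive_hits"]:
        print(f"{ip} requested {stem} -> {status}")
```

On the sample, the client 192.0.2.44 is reported for three failed requests, and two sensitive requests are listed: /login.asp.bak returned 404 (the file was not there), while /conn.inc returned 200, which is exactly the leakage item 8 warns about and the one line that needs action.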

Security Update

Apply all required service packs and regular manual update patches.

Install and configure anti-virus protection

Recommended: NAV 8.1 or later antivirus (configured to update itself automatically at least once a week).

Install and configure firewall protection

Recommended: the latest version of the BlackICE Server Protection firewall (simple to configure and practical).

Monitoring solution

Install and configure MOM agents or similar monitoring solutions as required.

Strengthen data backup

Web data is backed up regularly to ensure that it can be restored to the latest state after a problem occurs.

Consider implementing IPSec filters

Use IPSec filters to block ports

Internet Protocol Security (IPSec) filters are an effective way to raise the security level of a server. This guide recommends using this option in the high-security environment it defines, to further reduce the attack surface of the server.

For more information about using IPSec filters, refer to the member server hardening module of the guide.

The following table lists all the IPSec filters that can be created on the IIS server under the advanced security environment defined in this guide.

IPSec filter table (columns: Service, Source Port, Destination Port, Source Address, Target Address); of its rows only the service names Terminal Services and S Server are recoverable.

When implementing the rules listed in the table above they should be mirrored, so that any network traffic entering the server can also return to its source.

SQL Server Security Hardening

MDAC Upgrade

Install the latest MDAC.

Password Policy

Since the sa login cannot be renamed or deleted in SQL Server, this account must be protected as strongly as possible, which of course includes a very strong password, and it is best not to use sa in database applications at all. Create a new login with the same permissions as sa to administer the database, and get into the habit of changing its password regularly. The database administrator should also check regularly for logins that do not meet the password requirements, for example with the following SQL statement:

use master

select name, password from syslogins where password is null

Database logging

Record both failed and successful database logon events: in the instance properties select 'Security' and set the audit level to 'All', so that every account logon is recorded in detail in the SQL Server log and in the operating system log.

Manage extended stored procedures

xp_cmdshell is the shortest path from the database into the operating system and is a large backdoor the database leaves open to the operating system. Remove it with this SQL statement:

use master

sp_dropextendedproc 'xp_cmdshell'

If you need this stored procedure again, restore it with the corresponding statement.

Remove the OLE Automation stored procedures (this will make some features in Enterprise Manager unavailable). They are listed below; it is not necessary to remove all of them:

sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty

sp_OAMethod sp_OASetProperty sp_OAStop

Remove unnecessary registry access stored procedures; these procedures can even read the operating system administrator's password from the registry. They are:

xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues

xp_regread xp_regremovemultistring xp_regwrite

Protection against TCP/IP port scanning

In the instance properties, open the properties of the TCP/IP protocol and choose to hide the SQL Server instance.

In the same configuration, change the default port 1433 to a different port.

Use an IPSec filter to block UDP traffic on port 1434; this hides your SQL Server as far as possible.

IP restrictions on network connections

The operating system's own IPSec can secure IP traffic. Restrict connections so that only your own IP addresses can access the server, and deny port connections from all other IPs.

Attachment: services recommended to be disabled on Win2003

Service name (short name), recommended setting: Disabled

Automatic Updates
Background Intelligent Transfer Service
Computer Browser
DHCP Client (Dhcp)
NTLM Security Support Provider (NtLmSsp)
Network Location Awareness
Performance Logs and Alerts (SysmonLog)
Remote Administration Service (SrvcSurg)
Remote Registry Service (RemoteRegistry)
Server (lanmanserver)
TCP/IP NetBIOS Helper Service (LmHosts)
Terminal Services
Windows Installer (MSIServer)
Windows Management Instrumentation Driver Extensions (Wmi)
WMI Performance Adapter (WMIApSrv)
Error Reporting
