1. Move %systemroot%\System32\cmd.exe to another directory and rename it;
2. Minimize the number of system accounts, rename the default accounts (such as Administrator) and change their descriptions, and make the passwords as complex as possible;
3. Deny access to this computer from the network for: anonymous logon, the built-in Administrator account, Support_388945a0, Guest, and all non-operating-system service accounts.
4. It is recommended to give general users only Read permission and to give Full Control only to Administrators and System, but doing so may stop some normal scripts from executing or prevent operations that need write access from completing. In that case change the permissions on the folders where those files are located. Test on a test machine before making changes, then change them carefully.
5. NTFS file permission settings (note that file permissions take priority over folder permissions):
File type:
    CGI files (.exe, .dll, .cmd, .pl)
    Script files (.asp)
    Include files (.inc, .shtm, .shtml)
    Static content (.txt, .gif, .jpg, .htm, .html)
Recommended NTFS permissions:
    Everyone (Execute)
    Administrators (Full Control)
    System (Full Control)
6. Disable the default shares such as C$ and D$
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer REG_DWORD 0x0
7. Disable the ADMIN$ default share
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks REG_DWORD 0x0
8. Restrict the IPC$ default share
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous REG_DWORD 0x0 (default)
0x1 Anonymous users cannot enumerate the list of local users
0x2 Anonymous users cannot connect to the local IPC$ share
Note: 2 is not recommended, because it may cause some of your services, such as SQL Server, to fail to start.
9. Give users only the permissions they really need; the principle of least privilege is an important guarantee of security.
10. Enable the corresponding audits in Local Security Policy - Audit Policy. The recommended audit settings are:
Account management: success, failure
Logon events: success, failure
Object access: failure
Policy change: success, failure
Privilege use: failure
System events: success, failure
Directory service access: failure
Account logon events: success, failure
Auditing too few items has the drawback that when you need to look something up there is no record of it; auditing too many items not only consumes system resources but also leaves you no time to review the logs, which defeats the purpose of auditing. Related settings:
Set in Account Policies - Password Policy:
Password must meet complexity requirements: enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
Set in Account Policies - Account Lockout Policy:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
11. In Terminal Services Configuration, under Permissions - Advanced, configure security auditing; generally it is enough to record logon and logoff events.
12. Unbind NetBIOS from TCP/IP
Control Panel - Network - Bindings - NetBIOS Interface - Disable. On 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP
13. Enable TCP/IP filtering in the network connection's protocol properties and open only the necessary ports (such as 80)
14. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1 in the registry to prohibit null-session connections on port 139
15. Modify the packet Time To Live (TTL) value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default value 128)
16. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect REG_DWORD 0x2 (default value is 0x0)
17. Do not respond to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery REG_DWORD 0x0 (default value is 0x2)
18. Protect against ICMP redirect message attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirects REG_DWORD 0x0 (default value is 0x1)
19. Disable IGMP support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IGMPLevel REG_DWORD 0x0 (default value is 0x2)
20. Set the ARP cache aging time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife REG_DWORD 0-0xFFFFFFFF (number of seconds, default value is 120 seconds)
ArpCacheMinReferencedLife REG_DWORD 0-0xFFFFFFFF (number of seconds, default value is 600)
21. Disable dead gateway detection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect REG_DWORD 0x0 (default value is 0x1)
22. Disable IP routing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter REG_DWORD 0x0 (default value is 0x0)
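The registry values in items 6 through 22 are easy to set and easy to lose to a later reinstall or a configuration tool, so a read-only audit of them is worth keeping. The following PowerShell script is an added example, not part of the original checklist; it assumes it runs locally as an administrator and compares each fixed-value item above with the hardened value (DefaultTTL and the ARP timers have no single recommended value and are left out).

```powershell
# Added example (not part of the original checklist): read-only audit of the
# registry hardening values recommended in items 6-22. Assumes an elevated
# local PowerShell session; nothing is written to the registry.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$checks = @(
    @{ Path = $lanman; Name = 'AutoShareServer';  Want = 0 },   # item 6
    @{ Path = $lanman; Name = 'AutoShareWks';     Want = 0 },   # item 7
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Want = 1 }, # items 8/14
    @{ Path = $tcpip;  Name = 'SynAttackProtect';    Want = 2 }, # item 16
    @{ Path = $tcpip;  Name = 'EnableICMPRedirects'; Want = 0 }, # item 18
    @{ Path = $tcpip;  Name = 'IGMPLevel';           Want = 0 }, # item 19
    @{ Path = $tcpip;  Name = 'EnableDeadGWDetect';  Want = 0 }, # item 21
    @{ Path = $tcpip;  Name = 'IPEnableRouter';      Want = 0 }  # item 22
)

function Test-HardeningValue {
    param([hashtable]$Check)
    # A missing value is reported as $null: the Windows default then applies,
    # which for most of these items is the weaker setting.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $item) { $actual = $item.($Check.Name) }
    $status = 'REVIEW'
    if ($actual -eq $Check.Want) { $status = 'OK' }
    New-Object PSObject -Property @{
        Key      = "$($Check.Path)\$($Check.Name)"
        Expected = $Check.Want
        Actual   = $actual
        Status   = $status
    } | Select-Object Key, Expected, Actual, Status
}

$checks | ForEach-Object { Test-HardeningValue -Check $_ } | Format-Table -AutoSize

# Item 17: PerformRouterDiscovery lives under each interface's own subkey,
# so it is checked once per interface rather than once per machine.
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    Test-HardeningValue -Check @{ Path = $_.PSPath; Name = 'PerformRouterDiscovery'; Want = 0 }
} | Format-Table -AutoSize
```

Rows marked REVIEW with an empty Actual column mean the value has never been created, which is the normal state on a fresh install.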
Install and configure the IIS service:
1. Install only the necessary IIS components (disable unnecessary services such as FTP and SMTP).
2. Enable only the necessary services and Web Service Extensions. Recommended configuration:
Component name in UI | Setting | Setting logic
Background Intelligent Transfer Service (BITS) server extension | Enable | BITS is the background file-transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes automatically on the IIS server, you must have this component.
Common files | Enable | IIS needs these files, so you must enable them on the IIS server.
File Transfer Protocol (FTP) service | Disable | Allows the IIS server to provide FTP service. A dedicated IIS server does not require this service.
FrontPage 2002 Server Extensions | Disable | Provides FrontPage support for managing and publishing Web sites. If you do not use FrontPage-extended Web sites, disable this component on the dedicated IIS server.
Internet Information Services Manager | Enable | The IIS management interface.
Internet Printing | Disable | Provides Web-based printer management, allowing printer sharing via HTTP. This component is not required for dedicated IIS servers.
NNTP service | Disable | Distributes, queries, retrieves and posts Usenet news articles on the Internet. This component is not required for dedicated IIS servers.
SMTP service | Disable | Supports e-mail transmission. This component is not required for dedicated IIS servers.
World Wide Web Service | Enable | Provides clients with Web services, both static and dynamic content. The dedicated IIS server requires this component.
World Wide Web Service subcomponents
Component name in UI | Installation option | Setting logic
Active Server Pages | Enable | Provides ASP support. If the Web sites and applications on the IIS server do not use ASP, disable this component, or disable it through Web Service Extensions.
Internet Data Connector | Disable | Provides dynamic content support through files with the .idc extension. If the Web sites and applications on the IIS server do not include .idc files, disable this component, or disable it through Web Service Extensions.
Remote Administration (HTML) | Disable | Provides an HTML interface for IIS management. Using IIS Manager instead makes management easier and reduces the attack surface of the IIS server. The dedicated IIS server does not need this feature.
Remote Desktop Web Connection | Disable | Includes Microsoft ActiveX controls and sample pages for managing Terminal Services client connections. Using IIS Manager instead makes management easier and reduces the attack surface of the IIS server. This component is not required for dedicated IIS servers.
Server Side Includes | Disable | Provides support for .shtm, .shtml and .stm files. If the Web sites and applications running on the IIS server do not use these include-file extensions, disable this component.
WebDAV | Disable | WebDAV extends the HTTP/1.1 protocol, allowing clients to publish, lock and manage resources on the Web. Disable this component on the dedicated IIS server, or disable it through Web Service Extensions.
World Wide Web Service | Enable | Provides clients with Web services, both static and dynamic content. The dedicated IIS server needs this component.
3. Separate the IIS directory data from the system disk and store it on a dedicated disk.
4. In IIS Manager delete all unused application mappings and retain only the necessary ones (such as .asp).
5. In IIS, set the 404 Object Not Found error page to redirect via URL to a customized HTM file.
6. Web site permission settings (recommended)
Web site permissions:
Read | Allow
Write | Not allowed
Script source access | Not allowed
Directory browsing | Recommended off
Log visits | Recommended off
Index this resource | Recommended off
Execute permissions | Recommended setting: 'Scripts only'
7. It is recommended to use the W3C extended log file format, logging daily the client IP address, user name, server port, method, URI stem, status and user agent, and to review the logs every day. (It is better not to use the default directory; change the log path and set the log directory's access permissions at the same time, so that only Administrators and System have Full Control.)
8. Program security:
1) Programs involving user names and passwords are best encapsulated on the server side and should appear in ASP files as little as possible; the user name and password used for the database connection should be given minimum permissions;
2) An ASP page that requires verification can check the file name of the previous page, so that only a session coming from the previous page can read this page.
3) Prevent leakage of the ASP home page's .inc files;
4) Prevent leakage of .asp.bak files generated by editors such as UE.
Security Update
Apply all required service packs and regularly apply patches manually.
Install and configure anti-virus protection
NAV 8.1 or above is recommended (configured to update automatically at least once a week).
Install and configure firewall protection
The latest version of the BlackICE Server Protection firewall is recommended (simple to configure and practical).
Monitoring solution
Install and configure MOM agents or a similar monitoring solution as required.
Strengthen data backups
Back up Web data regularly to ensure it can be restored to the latest state after a problem occurs.
Consider implementing IPSec filters
Use IPSec filters to block ports
Internet Protocol Security (IPSec) filters provide an effective way to raise the server's security level. This guide recommends using this option in the high-security environment defined in the guide, to further reduce the attack surface of the server.
For more information about using IPSec filters, refer to the other member-server hardening procedures in this module.
The following table lists all the IPSec filters that can be created on the IIS server in the high-security environment defined in this guide.
Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirror
Terminal Services | TCP | All | 3389 | All | ME | Allow | Yes
HTTP Server | TCP | All | 80 | All | ME | Allow | Yes
HTTPS Server | TCP | All | 443 | All | ME | Allow | Yes
The rules listed in the table above should be mirrored when implemented. This ensures that any network traffic entering the server can also be returned to its source.
SQL Server Security Hardening
Steps
Instructions
MDAC Upgrade
Install the latest MDAC (: //.microsoft.com/data/download.htm)
Password Policy
Because SQL Server can neither rename the sa login nor delete this super user, we must protect this account as strongly as possible, including using a very strong password; it is best not to use the sa account in database applications at all. Create a new super user with the same permissions as sa to manage the database. Also make a habit of changing the password regularly. The database administrator should regularly check whether there are accounts that do not meet the password requirements, for example with the following SQL statement:
use master
select name, password from syslogins where password is null
Database log records
Audit the 'failure and success' of database login events: select Security in the instance properties and set the audit level to All, so that all account logins are recorded in detail in both the SQL Server log and the operating system log.
Manage extended stored procedures
xp_cmdshell is the quickest way into the operating system and is a big backdoor left by the database into the operating system. Please remove it with this SQL statement:
use master
sp_dropextendedproc 'xp_cmdshell'
If you need this stored procedure again, restore it with this statement:
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
OLE Automation stored procedures (removing them will make some features in Enterprise Manager unavailable); these procedures include the following (there is no need to remove them all):
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
Remove unnecessary registry access stored procedures; the registry stored procedures can even read the operating system administrator's password. They are as follows:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regremovemultistring xp_regwrite
Protection against TCP/IP port scanning
In the instance properties, select the properties of the TCP/IP protocol and choose to hide the SQL Server instance.
Building on the configuration in the previous step, change the original default port 1433.
In IPSec filtering, reject UDP traffic on port 1434, which hides your SQL Server as much as possible.
IP restrictions on network connections
The operating system's own IPSec can secure IP packets. Restrict IP connections so that only your own IP addresses can access the port, and deny port connections made from other IPs.
Attachment: recommended list of services to disable on Windows Server 2003
Name | Service name | Recommended setting
Automatic Updates | wuauserv | Disable
Background Intelligent Transfer Service | BITS | Disable
Computer Browser | Browser | Disable
DHCP Client | Dhcp | Disable
NTLM Security Support Provider | NtLmSsp | Disable
Network Location Awareness | NLA | Disable
Performance Logs and Alerts | SysmonLog | Disable
Remote Administration Service | SrvcSurg | Disable
Remote Registry Service | RemoteRegistry | Disable
Server | lanmanserver | Disable
TCP/IP NetBIOS Helper Service | LmHosts | Disable
Terminal Services | TermService | Disable
Windows Installer | MSIServer | Disable
Windows Management Instrumentation Driver Extensions | Wmi | Disable
WMI Performance Adapter | WMIApSrv | Disable
Error Reporting | ErrRep | Disable
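Before applying the list above it helps to see how each service is currently configured, since some entries conflict with earlier items: disabling lanmanserver removes all file sharing, and disabling TermService removes the Remote Desktop access that item 11 and the IPSec table assume. The following PowerShell script is an added example, not part of the original checklist; it assumes an elevated local session and only reports, using the Win32_Service class because it exposes the start mode on older hosts.

```powershell
# Added example (not part of the original checklist): report start mode and
# state of every service in the attachment's disable list. Read-only; assumes
# an elevated local PowerShell session on the server being reviewed.
$recommendedDisabled = @(
    'wuauserv', 'BITS', 'Browser', 'Dhcp', 'NtLmSsp', 'NLA', 'SysmonLog', 'SrvcSurg',
    'RemoteRegistry', 'lanmanserver', 'LmHosts', 'TermService', 'MSIServer',
    'Wmi', 'WMIApSrv', 'ErrRep'
)

function Get-ServiceHardeningState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Win32_Service.StartMode is Auto, Manual or Disabled; a service that is
        # not installed at all (e.g. SrvcSurg on some editions) comes back as $null.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            New-Object PSObject -Property @{
                Name = $name; DisplayName = '(not installed)'
                StartMode = $null; State = $null; Status = 'ABSENT'
            } | Select-Object Name, DisplayName, StartMode, State, Status
            continue
        }
        $status = 'REVIEW'
        if ($svc.StartMode -eq 'Disabled') { $status = 'OK' }
        New-Object PSObject -Property @{
            Name = $svc.Name; DisplayName = $svc.DisplayName
            StartMode = $svc.StartMode; State = $svc.State; Status = $status
        } | Select-Object Name, DisplayName, StartMode, State, Status
    }
}

Get-ServiceHardeningState -Names $recommendedDisabled | Format-Table -AutoSize
```

A REVIEW row with State 'Running' is the case to look at first: the service is not only enabled but in use, so check what depends on it before changing its start mode.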