
Win2003 system security detailed settings




Set the disk permissions correctly, as follows (we use the security settings of a virtual machine running ASP programs as the example). Key points:

1. System disk permission settings

C: partition:

Administrators: all (this folder, subfolders and files)

CREATOR OWNER: all (subfolders and files only)

SYSTEM: all (this folder, subfolders and files)

IIS_WPG: create files/write data (this folder only)

IIS_WPG (this folder, subfolders and files):

traverse folders/run files

list folders/read data

read attributes

create folders/add data

read permissions

C:\Documents and Settings

Administrators: all (this folder, subfolders and files)

Power Users (this folder, subfolders and files):

read and run

list folder contents

SYSTEM: all (this folder, subfolders and files)

C:\Program Files

Administrators: all (this folder, subfolders and files)

CREATOR OWNER: all (subfolders and files only)

IIS_WPG (this folder, subfolders and files):

read and run

list folder contents

Power Users (this folder, subfolders and files):

modify permissions

SYSTEM: all (this folder, subfolders and files)

TERMINAL SERVER USER (this folder, subfolders and files):

modify permissions

2. Website and virtual machine permission settings (for example, the website is on the E: drive)

Note: We assume that all websites are under the site directory on the E: drive, that a guest user is created for each virtual machine with the user names vhost1...vhostn, and that a webuser group is created with all vhost users added to it for easy management.


Administrators: all (this folder, subfolders and files)


Administrators: all (this folder, subfolders and files)

SYSTEM: all (this folder, subfolders and files)

SERVICE: all (this folder, subfolders and files)


Administrators: all (this folder, subfolders and files)

SYSTEM: all (this folder, subfolders and files)

vhost1: all (this folder, subfolders and files)

3. Data backup disk

It is better to give only one specific user full control of the data backup disk.

For example, if the F: drive is the data backup disk, we designate only one administrator to have full control of it.

4. Permission settings in other places

Find these files on the C: drive and set their security so that only specific administrators have full control.

The following files should be accessible only to administrators:

tftp.exe

5. Delete the C:\inetpub directory, delete unnecessary IIS mappings, create a trap account, and change the description.

Third trick: Disable unnecessary services to improve security and system efficiency

Computer Browser: maintains an up-to-date list of computers on the network and provides this list

Task Scheduler: allows programs to run at a specified time

Routing and Remote Access: provides routing services for enterprises in LAN and WAN environments

Removable Storage: manages removable media, drives and libraries

Remote Registry Service: allows remote registry operations

Print Spooler: loads files into memory for later printing. If you need to use a printer, do not disable this one.

IPSEC Policy Agent: manages IP security policies and starts the ISAKMP/Oakley (IKE) and IP security drivers

Distributed Link Tracking Client: sends notifications when files are moved between NTFS volumes in a network domain

COM+ Event System: provides automatic distribution of events to subscribing COM components

Alerter: notifies selected users and computers of administrative alerts

Error Reporting Service: collects, stores and reports abnormal applications to Microsoft

Messenger: transmits NET SEND and Alerter service messages between clients and servers

Telnet: allows remote users to log in to this computer and run programs

Fourth trick: Modify the registry to make the system stronger

1. Hide important files/directories. You can modify the registry to hide them completely: under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", right-click "CheckedValue", select Modify, and change the value from 1 to 0.

2. Enable the Internet Connection Firewall that comes with the system, and check Web Server in the service options of its settings.

3. Prevent SYN flood attacks


Create a new DWORD value named SynAttackProtect with a value of 2

EnablePMTUDiscovery REG_DWORD 0

NoNameReleaseOnDemand REG_DWORD 1

EnableDeadGWDetect REG_DWORD 0

KeepAliveTime REG_DWORD 300000

PerformRouterDiscovery REG_DWORD 0

EnableICMPRedirects REG_DWORD 0

4. Prohibit responding to ICMP router advertisement messages

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface

Create a new DWORD value named PerformRouterDiscovery with a value of 0

5. Prevent ICMP redirect message attacks


Set the EnableICMPRedirects value to 0

6. Disable IGMP protocol support

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new DWORD value named IGMPLevel with a value of 0
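
An added example (not part of the original article): a Python audit that parses a regedit text export and reports which of the TCP/IP values from items 3 to 6 are missing or different. It assumes the values whose key path the page does not show sit under Tcpip\Parameters (the path given in item 6), and that the export has already been decoded to text; the sample export and its interface GUID are constructed.

```python
import re

ROOT = r"hkey_local_machine\system\currentcontrolset\services\tcpip\parameters"
# Items 3, 5 and 6, assumed to sit under Tcpip\Parameters (NoNameReleaseOnDemand, a NetBT value, is left out).
GLOBAL = {"SynAttackProtect": 2, "EnablePMTUDiscovery": 0, "EnableDeadGWDetect": 0,
          "KeepAliveTime": 300000, "EnableICMPRedirects": 0, "IGMPLevel": 0}
PER_INTERFACE = {"PerformRouterDiscovery": 0}  # item 4: every Tcpip\Parameters\Interfaces subkey

def parse_reg(text):
    """Parse regedit v5 export text into {key_lower: {name_lower: int}}, DWORD values only."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:  # key and value names are case-insensitive in the registry
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def check(key, values, baseline):
    """Return [(key, name, expected, found_or_None)] for missing or different values."""
    return [(key, n, want, values.get(n.lower()))
            for n, want in baseline.items() if values.get(n.lower()) != want]

def audit(text):
    keys = parse_reg(text)
    findings = check(ROOT, keys.get(ROOT, {}), GLOBAL)  # an absent key reports every value
    for key, values in sorted(keys.items()):
        if key.startswith(ROOT + "\\interfaces\\"):
            findings += check(key, values, PER_INTERFACE)
    return findings

# Constructed sample export (not from a real server); the interface GUID is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnablePMTUDiscovery"=dword:00000001
"KeepAliveTime"=dword:000493e0
"EnableICMPRedirects"=dword:00000000
"Hostname"="web01"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}]
"PerformRouterDiscovery"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, want, got in audit(SAMPLE):
        print(f"{key}\\{name}: expected {want}, found {'missing' if got is None else got}")
```
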

7. Modify the terminal service port

1. Run regedit and find [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]. You will see PortNumber on the right. In decimal mode, change it to the port number you want, such as 7126, as long as it does not conflict with anything else.

2. The second place is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. The method is the same as above; remember to set the same port number as above.

8. Prohibit IPC null connections:

A cracker can use the net use command to establish a null connection and then break in, and net view and nbtstat are also based on null connections. Simply prohibit null connections: open the registry, find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA, value RestrictAnonymous, and change this value to "1".

9. Change the TTL value

A cracker can roughly guess your operating system from the TTL value returned by ping, for example:

TTL=107 (WINNT);

TTL=127 or 128 (win9x);

TTL=240 or 241 (linux);

In fact you can change it yourself: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default value 128). Change it to an inexplicable number such as 258; at the very least it will leave novices confused for a long time, even if they do not necessarily give up the intrusion.

10. Delete the default shares

Someone asked me why all the disks are shared as soon as the machine boots, and why the shares come back after a reboot even after they have been removed. These are the default shares that 2K sets up for administration, and they must be cancelled by modifying the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters: AutoShareServer, type REG_DWORD, change the value to 0.

11. Prohibit the establishment of null connections

By default, any user can connect to the server through a null connection to enumerate accounts and guess passwords. We can prohibit null connections by modifying the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA, value RestrictAnonymous: change it to "1".

Fifth trick: other security measures

1. Disable NetBIOS over TCP/IP

Network Neighborhood - Properties - Local Area Connection - Properties - Internet Protocol (TCP/IP) Properties - Advanced - WINS tab - NetBIOS settings - Disable NetBIOS over TCP/IP. This way a cracker cannot use the nbtstat command to read your NetBIOS information and the MAC address of the network card.

2. Account Security

First of all, disable all accounts except your own, haha. Then rename Administrator. I also created another account named Administrator, but it is one that has no permissions at all. Then I opened Notepad, typed at random, and copied and pasted the result in as its password. Let them try to crack that password.
