Windows server security settings summary

Windows Server is the core of Microsoft Windows Server System (WSS), the server operating system of Windows.

Each Windows server corresponds to its home (workstation) edition (except 2003 R2).

1), Basic system security settings

1. Installation instructions: Format all systems with NTFS, reinstall the system (using the original win2003), install anti-virus software (Mcafee), and replace the anti-virus software with Update, install sp2 patches, install IIS (only install necessary components), install SQL2000, install .net2.0, and turn on the firewall. And apply the latest patches to the server.

2), close unnecessary services

Computer Browser: Maintain network computer updates, disable

Distributed File System: LAN management shared files, no need to disable

Distributed linktracking client: used to update connection information on the LAN, does not need to be disabled

Error reporting service: prohibits sending error reports

Microsoft Serch: provides fast word search, does not need to be disabled

NTLMSecuritysupportprovide: Used for telnet service and Microsoft Serch, no need to disable

PrintSpooler: If there is no printer, it can be disabled

Remote Registry: Remote modification of the registry is prohibited

Remote Desktop Help Session Manager: Disable remote assistance for other services to be verified

3), set up and manage accounts

1. Disable the Guest account and change the name and description, and then enter a complex Password

2. It is best to create fewer system administrator accounts and change the default administrator account name (Administrator) and description. The password is best to use a combination of numbers plus uppercase and lowercase letters plus numbers. The length It is best not to be less than 10 characters

3. Create a new trap account named Administrator, set the minimum permissions for it, and then enter a combination of passwords preferably not less than 20 characters

4. Computer Configuration-Windows Settings-Security Settings-Account Policy-Account Lockout Policy, set the account to "The invalid time for three logins is 30 minutes

5. In Security Settings-Local Policy-Security Options, set Set "Do not show the last user name" to enabled

6. In Security Settings-Local Policy-User Rights Assignment, in "Access this computer from the network" only keep the Internet guest account and start the IIS process account. ,Aspnet account

7. Create a User account and run the system. If you want to run privileged commands, use the Runas command.

4), Open the corresponding audit policy

Audit policy Change: Success

Audit Login Events: Success, Failure

Audit Object Access: Failure

Audit Object Tracking: Success, Failure

Audit Directory Service Access :Failure

Audit privilege usage:Failure

Audit system events:success,failure

Audit account login events:success,failure

Audit account management: Success, failure

5), other security related settings

1. Prohibit default shares such as C$, D$, ADMIN$

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters, on the right Create a new Dword value in the window, set the name to AutoShareServer and set the value to 0

2. Unbind NetBios from the TCP/IP protocol

right-click Network Neighborhood-Properties-right-click Local Area Connection- Properties-double-click Internet Protocol-Advanced-Wins-Disable NETBIOS on TCP/IP

3. Hide important files/directories

You can modify the registry to achieve complete hiding: "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrent-VersionExplorerAdvancedFol derHi- ddenSHOWALL", right-click "CheckedValue", select modify, change the value from 1 to 0

4. Prevent SYN flood attacks

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters Create a new DWORD value named SynAttackProtect with a value of 2

5. Disable response to ICMP route advertisement messages

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfacesinterface Create a new DWORD value named PerformRouterDiscovery with a value of 0

6. Prevent attacks from ICMP redirect messages

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters Set the EnableICMPRedirects value to 0

7. The IGMP protocol is not supported

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters Create a new DWORD value named IGMPLevel with a value of 0

8. Disable DCOM : Enter Dcomcnfg.exe during operation. Press Enter and click "Component Services" under "Console Root Node". Open the Computers subfolder.

For local computers, right-click "My Computer" and select "Properties". Select the Default Properties tab. Clear the Enable Distributed COM on this computer check box.

9. The default port of the terminal service is 3389. You can consider changing it to another port.

The modification method is: Server side: Open the registry, find a subkey similar to RDP-TCP at "HKLM\SYSTEM\Current ControlSet\Control\Terminal Server\Win Stations", and modify the PortNumber value. Client: Follow the normal steps to create a client connection. Select this connection and select Export in the "File" menu. A file with the suffix .cns will be generated at the specified location. Open the file and modify the "Server Port" value to the value corresponding to the PortNumber on the server side. Then import the file (Method: Menu→File→Import), so that the client modifies the port.

6) Configure IIS service

1. Do not use the default Web site. If you use it, separate the IIS directory from the system disk.

2. Delete the Inetpub directory created by IIS by default (on the disk where the system is installed).

3. Delete the virtual directories under the system disk, such as: _vti_bin, IISSamples, Scripts, IIShelp, IISAdmin, IIShelp, MSADC.

4. Delete unnecessary IIS extension mappings. Right-click "Default Web Site→Properties→Home Directory→Configuration", open the application window, and remove unnecessary application mappings. Mainly .shtml, .shtm, .stm 　

5. To change the path of the IIS log, right-click "Default Web Site→Properties-Website-Click Properties under Enable Logging

6. If you are using 2000, you can use iislockdown to protect IIS. The version of IE6.0 running in 2003 does not need it.

7. Use UrlScan

UrlScan is an ISAPI filter, which Incoming HTTP packets are analyzed and any suspicious traffic can be rejected. The latest version is 2.5. If it is 2000Server, you need to install version 1.0 or 2.0 first. If there are no special requirements, just use the UrlScan default configuration. But if You run an ASP.NET program on the server, and to debug it you need to open the URLScan.ini file in the %WINDIR%System32InetsrvURLscan, folder, and then add the debug verb in the UserAllowVerbs section. Note that this section is case-sensitive. If you If your web page is an .asp web page, you need to delete the .asp related content in DenyExtensions. If your web page uses non-ASCII code, you need to set the value of AllowHighBitCharacters to 1 in the Option section. After making changes to the URLScan.ini file , you need to restart the IIS service to take effect, enter iisreset during the quick method operation. If you have any problems after configuration, you can delete UrlScan through Add/Remove Programs.

8. Use WIS (Web Injection Scanner) tool Conduct SQL Injection vulnerability scan on the entire website.

7), Configure Sql server

1. It is best not to have more than two System Administrators roles

3. Do not use Sa Account, configure a super complex password for it

4. Delete the following extended stored procedure format: 　

use master 　sp_dropextendedproc 'Extended stored procedure name' 　　

xp_cmdshell: It is the best shortcut to enter the operating system, delete the stored procedures that access the registry,

delete

Xp_regaddmultistring　Xp_regdeletekey　Xp_regdeletevalue　Xp_regenumvalues　Delete

Sp_OACreate　Sp_OADestroy　　Sp_OAGetErrorInfo　　Sp_OAGetProperty　Sp_OAMethod　Sp_OASetProperty　Sp_OAStop

5. Hide SQL Server and change the default 1433 port

Right-click the instance and select Properties-General-Network Configuration and select TCP /IP protocol properties, select to hide the SQL Server instance, and change the default port 1433.

8), modify the system log saving address. The default location is application log, security log, system log, DNS log. The default location is: %systemroot%\system32\config. The default file size is 512KB. The administrator will change this. Default size.

Security log file: %systemroot%\system32\config\SecEvent.EVT System log file: %systemroot%\system32\config\SysEvent.EVT Application log file: %systemroot%\system32\config\AppEvent .EVT Internet Information Service FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log per day by default. Default location of Internet Information Service WWW log: %systemroot%\system32\logfiles\w3svc1\, one log per day by default Scheduler( Task plan) Service log default location: %systemroot%\schedlgu.txt Application log, security log, system log, DNS server log, these LOG files are in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog Schedluler( Task plan) service log in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent SQL Delete or rename xplog70.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] "AutoShareServer"=dword:00000000 "AutoShareWks"=dword: 00000000 // AutoShareWks for pro version // AutoShareServer for server version // 0

Disable management of default shares such as admin$, c$, d$ [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA] "restrictanonymous"=dword:00000001 //0x1 Anonymous users cannot enumerate the local user list //0x2 Anonymous users cannot connect to the local IPC$ share (maybe the sql server cannot be started

9), local security policy

1. Only open the ports and protocols required by the service. The specific method is: open "Network Neighborhood → Properties → Local Area Connection → Properties → Internet Protocol → Properties → Advanced → Options → TCP/IP Filtering → Properties" and add the required TCP, UDP ports and IP protocols. Open ports according to services. Commonly used TCP ports are: port 80 for Web service; port 21 for FTP service; port 25 for SMTP; port 23 for Telnet service; port 110 for POP3. Commonly used UDP ports are: port 53 - DNS domain name resolution service; port 161 - snmp simple network management protocol. 8000 and 4000 are used for OICQ, the server uses 8000 to receive information, and the client uses 4000 to send information. Blocked TCP ports: 21 (FTP, change FTP port) 23 (TELNET), 53 (DNS), 135, 136, 137, 138, 139, 443, 445, 1028, 1433, 3389 Blockable TCP ports: 1080, 3128, 6588, 8080 (the above are proxy ports). 25 ( SMTP), 161 (SNMP), 67 (boot). Block UDP port: 1434 (needless to say this). Block all ICMP, that is, block PING. The above are the most commonly scanned ports. Others are also blocked. Of course, because 80 is for WEB use

2. It is forbidden to establish an empty connection. By default, any user can connect to the server through an empty connection, enumerate accounts and guess passwords. The port used for empty connections is 139. Through empty connections, files can be copied to the remote server and a task is scheduled to be executed. This is a vulnerability. You can prohibit the establishment of empty connections through the following two methods:

(1) Modify the value of Local_Machine\System\CurrentControlSet\Control\LSA-RestrictAnonymous in the registry to 1.

(2) Modify the local security policy of Windows 2000. Set RestrictAnonymous (additional restrictions on anonymous connections) in "Local Security Policy → Local Policy → Options" to "Do not allow enumeration of SAM accounts and shares". First of all, the default installation of Windows 2000 allows any user to obtain all accounts and sharing lists of the system through an empty connection. This was originally intended to facilitate LAN users to share resources and files. However, at the same time, any remote user can also obtain yours through the same method. User list, and may use brute force methods to crack user passwords and cause damage to the entire network. Many people only know to change the registry Local_Machine\System\CurrentControlSet\Control\LSA-RestrictAnonymous = 1 to prohibit null user connections. In fact, in the local security policy of Windows 2000 (if it is a domain server, it is in the domain server security and domain security policy ) There is the RestrictAnonymous option, which has three values: "0" is the system default value without any restrictions. Remote users can know all accounts, group information, shared directories, network transmission lists (NetServerTransportEnum), etc. on your machine. ; The value "1" only allows non-NULL users to access SAM account information and shared information; the value "2" is only supported by Windows 2000. It should be noted that if this value is used, resources can no longer be shared. Therefore, it is recommended to set the value to "1".

10), prevent asp Trojans

1, asp Trojans based on FileSystemObject component

cacls %systemroot%\system32\scrrun.dll /e /d guests //Prohibited guests use regsvr32 scrrun.dll /u /s //Delete

2． Asp Trojan based on shell.application component

cacls %systemroot%\system32\shell32.dll /e /d guests //Prohibit guests from using regsvr32 shell32.dll /u /s //Delete

3. Set the permissions of the picture folder to not allow it to run.

4. If asp does not exist in the website, disable asp

11) to prevent SQL injection

1. Try to use parameterized statements

2. Unable to use parameterized SQL usage filtering.

3. The website is set to not display detailed error information, and will always jump to the error page when an error occurs.

4. Do not use the sa user to connect to the database

5. Create a new database user with public permissions and use this user to access the database. 6. [Role] Remove the role public’s select access to sysobjects and syscolumns objects. permissions.

Note:

Finally, it is emphasized that the above settings may affect some application services, such as leading to the inability to connect to the remote server.

Therefore, it is strongly recommended that the above settings be first Make the settings on the local machine or virtual machine (VMware Workstation), make sure everything is fine, and then do it on the server

Related recommendations:Website Security

The above is the detailed content of Windows server security settings summary. For more information, please follow other related articles on the PHP Chinese website!