Home Operation and Maintenance Safety Windows server security settings summary

Windows server security settings summary

Feb 02, 2021 am 11:50 AM
windows Safety server

Windows server security settings summary

Windows Server is the core of Microsoft Windows Server System (WSS), the server operating system of Windows.

Each Windows server corresponds to its home (workstation) edition (except 2003 R2).

1), Basic system security settings

1. Installation instructions: Format all systems with NTFS, reinstall the system (using the original win2003), install anti-virus software (Mcafee), and replace the anti-virus software with Update, install sp2 patches, install IIS (only install necessary components), install SQL2000, install .net2.0, and turn on the firewall. And apply the latest patches to the server.

2), close unnecessary services

Computer Browser: Maintain network computer updates, disable

Distributed File System: LAN management shared files, no need to disable

Distributed linktracking client: used to update connection information on the LAN, does not need to be disabled

Error reporting service: prohibits sending error reports

Microsoft Serch: provides fast word search, does not need to be disabled

NTLMSecuritysupportprovide: Used for telnet service and Microsoft Serch, no need to disable

PrintSpooler: If there is no printer, it can be disabled

Remote Registry: Remote modification of the registry is prohibited

Remote Desktop Help Session Manager: Disable remote assistance for other services to be verified

3), set up and manage accounts

1. Disable the Guest account and change the name and description, and then enter a complex Password

2. It is best to create fewer system administrator accounts and change the default administrator account name (Administrator) and description. The password is best to use a combination of numbers plus uppercase and lowercase letters plus numbers. The length It is best not to be less than 10 characters

3. Create a new trap account named Administrator, set the minimum permissions for it, and then enter a combination of passwords preferably not less than 20 characters

4. Computer Configuration-Windows Settings-Security Settings-Account Policy-Account Lockout Policy, set the account to "The invalid time for three logins is 30 minutes

5. In Security Settings-Local Policy-Security Options, set Set "Do not show the last user name" to enabled

6. In Security Settings-Local Policy-User Rights Assignment, in "Access this computer from the network" only keep the Internet guest account and start the IIS process account. ,Aspnet account

7. Create a User account and run the system. If you want to run privileged commands, use the Runas command.

4), Open the corresponding audit policy

Audit policy Change: Success

Audit Login Events: Success, Failure

Audit Object Access: Failure

Audit Object Tracking: Success, Failure

Audit Directory Service Access :Failure

Audit privilege usage:Failure

Audit system events:success,failure

Audit account login events:success,failure

Audit account management: Success, failure

5), other security related settings

1. Prohibit default shares such as C$, D$, ADMIN$

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters, on the right Create a new Dword value in the window, set the name to AutoShareServer and set the value to 0

2. Unbind NetBios from the TCP/IP protocol

right-click Network Neighborhood-Properties-right-click Local Area Connection- Properties-double-click Internet Protocol-Advanced-Wins-Disable NETBIOS on TCP/IP

3. Hide important files/directories

You can modify the registry to achieve complete hiding: "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrent-VersionExplorerAdvancedFol derHi- ddenSHOWALL", right-click "CheckedValue", select modify, change the value from 1 to 0

4. Prevent SYN flood attacks

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters Create a new DWORD value named SynAttackProtect with a value of 2

5. Disable response to ICMP route advertisement messages

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfacesinterface Create a new DWORD value named PerformRouterDiscovery with a value of 0

6. Prevent attacks from ICMP redirect messages

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters Set the EnableICMPRedirects value to 0

7. The IGMP protocol is not supported

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters Create a new DWORD value named IGMPLevel with a value of 0

8. Disable DCOM : Enter Dcomcnfg.exe during operation. Press Enter and click "Component Services" under "Console Root Node". Open the Computers subfolder.

For local computers, right-click "My Computer" and select "Properties". Select the Default Properties tab. Clear the Enable Distributed COM on this computer check box.

9. The default port of the terminal service is 3389. You can consider changing it to another port.

The modification method is: Server side: Open the registry, find a subkey similar to RDP-TCP at "HKLM\SYSTEM\Current ControlSet\Control\Terminal Server\Win Stations", and modify the PortNumber value. Client: Follow the normal steps to create a client connection. Select this connection and select Export in the "File" menu. A file with the suffix .cns will be generated at the specified location. Open the file and modify the "Server Port" value to the value corresponding to the PortNumber on the server side. Then import the file (Method: Menu→File→Import), so that the client modifies the port.

6) Configure IIS service

1. Do not use the default Web site. If you use it, separate the IIS directory from the system disk.

2. Delete the Inetpub directory created by IIS by default (on the disk where the system is installed).

3. Delete the virtual directories under the system disk, such as: _vti_bin, IISSamples, Scripts, IIShelp, IISAdmin, IIShelp, MSADC.

4. Delete unnecessary IIS extension mappings. Right-click "Default Web Site→Properties→Home Directory→Configuration", open the application window, and remove unnecessary application mappings. Mainly .shtml, .shtm, .stm  

5. To change the path of the IIS log, right-click "Default Web Site→Properties-Website-Click Properties under Enable Logging

6. If you are using 2000, you can use iislockdown to protect IIS. The version of IE6.0 running in 2003 does not need it.

7. Use UrlScan

UrlScan is an ISAPI filter, which Incoming HTTP packets are analyzed and any suspicious traffic can be rejected. The latest version is 2.5. If it is 2000Server, you need to install version 1.0 or 2.0 first. If there are no special requirements, just use the UrlScan default configuration. But if You run an ASP.NET program on the server, and to debug it you need to open the URLScan.ini file in the %WINDIR%System32InetsrvURLscan, folder, and then add the debug verb in the UserAllowVerbs section. Note that this section is case-sensitive. If you If your web page is an .asp web page, you need to delete the .asp related content in DenyExtensions. If your web page uses non-ASCII code, you need to set the value of AllowHighBitCharacters to 1 in the Option section. After making changes to the URLScan.ini file , you need to restart the IIS service to take effect, enter iisreset during the quick method operation. If you have any problems after configuration, you can delete UrlScan through Add/Remove Programs.

8. Use WIS (Web Injection Scanner) tool Conduct SQL Injection vulnerability scan on the entire website.

7), Configure Sql server

1. It is best not to have more than two System Administrators roles

3. Do not use Sa Account, configure a super complex password for it

4. Delete the following extended stored procedure format:  

use master  sp_dropextendedproc 'Extended stored procedure name'   

xp_cmdshell: It is the best shortcut to enter the operating system, delete the stored procedures that access the registry,

delete

Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue Xp_regenumvalues Delete

Sp_OACreate Sp_OADestroy  Sp_OAGetErrorInfo  Sp_OAGetProperty Sp_OAMethod Sp_OASetProperty Sp_OAStop

5. Hide SQL Server and change the default 1433 port

Right-click the instance and select Properties-General-Network Configuration and select TCP /IP protocol properties, select to hide the SQL Server instance, and change the default port 1433.

8), modify the system log saving address. The default location is application log, security log, system log, DNS log. The default location is: %systemroot%\system32\config. The default file size is 512KB. The administrator will change this. Default size.

Security log file: %systemroot%\system32\config\SecEvent.EVT System log file: %systemroot%\system32\config\SysEvent.EVT Application log file: %systemroot%\system32\config\AppEvent .EVT Internet Information Service FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log per day by default. Default location of Internet Information Service WWW log: %systemroot%\system32\logfiles\w3svc1\, one log per day by default Scheduler( Task plan) Service log default location: %systemroot%\schedlgu.txt Application log, security log, system log, DNS server log, these LOG files are in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog Schedluler( Task plan) service log in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent SQL Delete or rename xplog70.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] "AutoShareServer"=dword:00000000 "AutoShareWks"=dword: 00000000 // AutoShareWks for pro version // AutoShareServer for server version // 0

Disable management of default shares such as admin$, c$, d$ [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA] "restrictanonymous"=dword:00000001 //0x1 Anonymous users cannot enumerate the local user list //0x2 Anonymous users cannot connect to the local IPC$ share (maybe the sql server cannot be started

9), local security policy

1. Only open the ports and protocols required by the service. The specific method is: open "Network Neighborhood → Properties → Local Area Connection → Properties → Internet Protocol → Properties → Advanced → Options → TCP/IP Filtering → Properties" and add the required TCP, UDP ports and IP protocols. Open ports according to services. Commonly used TCP ports are: port 80 for Web service; port 21 for FTP service; port 25 for SMTP; port 23 for Telnet service; port 110 for POP3. Commonly used UDP ports are: port 53 - DNS domain name resolution service; port 161 - snmp simple network management protocol. 8000 and 4000 are used for OICQ, the server uses 8000 to receive information, and the client uses 4000 to send information. Blocked TCP ports: 21 (FTP, change FTP port) 23 (TELNET), 53 (DNS), 135, 136, 137, 138, 139, 443, 445, 1028, 1433, 3389 Blockable TCP ports: 1080, 3128, 6588, 8080 (the above are proxy ports). 25 ( SMTP), 161 (SNMP), 67 (boot). Block UDP port: 1434 (needless to say this). Block all ICMP, that is, block PING. The above are the most commonly scanned ports. Others are also blocked. Of course, because 80 is for WEB use

2. It is forbidden to establish an empty connection. By default, any user can connect to the server through an empty connection, enumerate accounts and guess passwords. The port used for empty connections is 139. Through empty connections, files can be copied to the remote server and a task is scheduled to be executed. This is a vulnerability. You can prohibit the establishment of empty connections through the following two methods:

(1) Modify the value of Local_Machine\System\CurrentControlSet\Control\LSA-RestrictAnonymous in the registry to 1.

(2) Modify the local security policy of Windows 2000. Set RestrictAnonymous (additional restrictions on anonymous connections) in "Local Security Policy → Local Policy → Options" to "Do not allow enumeration of SAM accounts and shares". First of all, the default installation of Windows 2000 allows any user to obtain all accounts and sharing lists of the system through an empty connection. This was originally intended to facilitate LAN users to share resources and files. However, at the same time, any remote user can also obtain yours through the same method. User list, and may use brute force methods to crack user passwords and cause damage to the entire network. Many people only know to change the registry Local_Machine\System\CurrentControlSet\Control\LSA-RestrictAnonymous = 1 to prohibit null user connections. In fact, in the local security policy of Windows 2000 (if it is a domain server, it is in the domain server security and domain security policy ) There is the RestrictAnonymous option, which has three values: "0" is the system default value without any restrictions. Remote users can know all accounts, group information, shared directories, network transmission lists (NetServerTransportEnum), etc. on your machine. ; The value "1" only allows non-NULL users to access SAM account information and shared information; the value "2" is only supported by Windows 2000. It should be noted that if this value is used, resources can no longer be shared. Therefore, it is recommended to set the value to "1".

10), prevent asp Trojans

1, asp Trojans based on FileSystemObject component

cacls %systemroot%\system32\scrrun.dll /e /d guests //Prohibited guests use regsvr32 scrrun.dll /u /s //Delete

2. Asp Trojan based on shell.application component

cacls %systemroot%\system32\shell32.dll /e /d guests //Prohibit guests from using regsvr32 shell32.dll /u /s //Delete

3. Set the permissions of the picture folder to not allow it to run.

4. If asp does not exist in the website, disable asp

11) to prevent SQL injection

1. Try to use parameterized statements

2. Unable to use parameterized SQL usage filtering.

3. The website is set to not display detailed error information, and will always jump to the error page when an error occurs.

4. Do not use the sa user to connect to the database

5. Create a new database user with public permissions and use this user to access the database. 6. [Role] Remove the role public’s select access to sysobjects and syscolumns objects. permissions.

Note:

Finally, it is emphasized that the above settings may affect some application services, such as leading to the inability to connect to the remote server.

Therefore, it is strongly recommended that the above settings be first Make the settings on the local machine or virtual machine (VMware Workstation), make sure everything is fine, and then do it on the server

Related recommendations:Website Security

The above is the detailed content of Windows server security settings summary. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
1 months ago By 尊渡假赌尊渡假赌尊渡假赌
Two Point Museum: All Exhibits And Where To Find Them
1 months ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

How to update the latest version of Bybit Exchange? Will there be any impact if it is not updated? How to update the latest version of Bybit Exchange? Will there be any impact if it is not updated? Feb 21, 2025 pm 10:54 PM

The way to update ByBit exchanges varies by platform and device: Mobile: Check for updates and install in the app store. Desktop Client: Check for updates in the Help menu and install automatically. Web page: You need to manually access the official website for updates. Failure to update the exchange can lead to security vulnerabilities, functional limitations, compatibility issues and reduced transaction execution efficiency.

deepseek web version entrance deepseek official website entrance deepseek web version entrance deepseek official website entrance Feb 19, 2025 pm 04:54 PM

DeepSeek is a powerful intelligent search and analysis tool that provides two access methods: web version and official website. The web version is convenient and efficient, and can be used without installation; the official website provides comprehensive product information, download resources and support services. Whether individuals or corporate users, they can easily obtain and analyze massive data through DeepSeek to improve work efficiency, assist decision-making and promote innovation.

Pi Node Teaching: What is a Pi Node? How to install and set up Pi Node? Pi Node Teaching: What is a Pi Node? How to install and set up Pi Node? Mar 05, 2025 pm 05:57 PM

Detailed explanation and installation guide for PiNetwork nodes This article will introduce the PiNetwork ecosystem in detail - Pi nodes, a key role in the PiNetwork ecosystem, and provide complete steps for installation and configuration. After the launch of the PiNetwork blockchain test network, Pi nodes have become an important part of many pioneers actively participating in the testing, preparing for the upcoming main network release. If you don’t know PiNetwork yet, please refer to what is Picoin? What is the price for listing? Pi usage, mining and security analysis. What is PiNetwork? The PiNetwork project started in 2019 and owns its exclusive cryptocurrency Pi Coin. The project aims to create a one that everyone can participate

How to install deepseek How to install deepseek Feb 19, 2025 pm 05:48 PM

There are many ways to install DeepSeek, including: compile from source (for experienced developers) using precompiled packages (for Windows users) using Docker containers (for most convenient, no need to worry about compatibility) No matter which method you choose, Please read the official documents carefully and prepare them fully to avoid unnecessary trouble.

Coinsuper exchange software channel official website entrance Coinsuper exchange software channel official website entrance Feb 21, 2025 pm 10:39 PM

The official website entrance of the Coinsuper Exchange: https://www.coinsuper.com. The client download channels are: Windows client, macOS client, and mobile (iOS/Android). Registration requires an email, mobile phone number and password, and you need to complete real-name authentication before you can trade. The platform provides a variety of digital asset transactions, including Bitcoin, Ethereum, etc., with the transaction fee rate of 0.1% for both orders and acceptors. Security safeguards include cold wallet storage, dual-factor verification, anti-money laundering and anti-terrorism financing measures, and with security public

Ouyi okx installation package is directly included Ouyi okx installation package is directly included Feb 21, 2025 pm 08:00 PM

Ouyi OKX, the world's leading digital asset exchange, has now launched an official installation package to provide a safe and convenient trading experience. The OKX installation package of Ouyi does not need to be accessed through a browser. It can directly install independent applications on the device, creating a stable and efficient trading platform for users. The installation process is simple and easy to understand. Users only need to download the latest version of the installation package and follow the prompts to complete the installation step by step.

BITGet official website installation (2025 beginner's guide) BITGet official website installation (2025 beginner's guide) Feb 21, 2025 pm 08:42 PM

BITGet is a cryptocurrency exchange that provides a variety of trading services including spot trading, contract trading and derivatives. Founded in 2018, the exchange is headquartered in Singapore and is committed to providing users with a safe and reliable trading platform. BITGet offers a variety of trading pairs, including BTC/USDT, ETH/USDT and XRP/USDT. Additionally, the exchange has a reputation for security and liquidity and offers a variety of features such as premium order types, leveraged trading and 24/7 customer support.

Get the gate.io installation package for free Get the gate.io installation package for free Feb 21, 2025 pm 08:21 PM

Gate.io is a popular cryptocurrency exchange that users can use by downloading its installation package and installing it on their devices. The steps to obtain the installation package are as follows: Visit the official website of Gate.io, click "Download", select the corresponding operating system (Windows, Mac or Linux), and download the installation package to your computer. It is recommended to temporarily disable antivirus software or firewall during installation to ensure smooth installation. After completion, the user needs to create a Gate.io account to start using it.

See all articles