Win2003 server security hardening settings - further improving server security
This article collects bits of my experience in server maintenance; part of it consists of configuration adjustments I made in response to intrusion methods! Most of the content is available on the Internet. Some people may think it is plagiarism. It doesn't matter; as long as it is helpful to everyone, it is OK. If you have different opinions on this article, you are very welcome to communicate with me!
Another thing I want to say is that this article focuses on reinforcing server security settings, and the discussion assumes that certain basic security settings are already in place. I also list the basic topics by title at the end of this article, but there are so many good articles on them on the Internet that I don't want to bother writing them again! So, after reading this, please don't say that I left out settings such as disk permissions!
1. Modify the administrator account name and guest account name
This step is mainly to prevent intruders from immediately brute-forcing the default system user name or guest account. After the change, don't forget to change the password to a strong one.
Control Panel - Administrative Tools - Local Security Policy - Local Policy - Security Options
At the bottom of the right column, as shown in the figure:
2. Modify the remote desktop connection port
Run Regedt32 and go to this item:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Find the "PortNumber" value and you will see the data 00000D3D, which is the hexadecimal representation of 3389. Modify this port number using a hexadecimal value and save the new value.
Tip: Don't get a headache when you see hexadecimal. Decimal is also supported when modifying the key value.
3. Disable uncommon services
Disabling unnecessary services can not only reduce the resource usage of the server and reduce the burden, but also enhance security. The services that can be disabled are listed below:
Application Experience Lookup Service
Automatic Updates
BITS
Computer Browser
DHCP Client
Error Reporting Service
Help and Support
Network Location Awareness
Print Spooler
Remote Registry
Secondary Logon
Server
Smartcard
TCP/IP NetBIOS Helper
Workstation
Windows Audio
Windows Time
Wireless Configuration
4. Set group policy and strengthen system security policy
Set the account lockout threshold to 5 invalid logins and the lockout time to 30 minutes;
Remove the Everyone group from "Access this computer from the network";
Under User Rights Assignment, remove Power Users and Backup Operators from "Access this computer from the network";
Enable the message text for interactive logon;
Enable the policy that disallows anonymous access to SAM accounts and shares;
Enable the policy that disallows storing credentials or Passport for network authentication;
Enable the policy that does not store LANMAN hashes on the next password change;
Enable clearing the virtual memory page file;
Deny IIS anonymous users the right to log on locally;
Enable "Interactive logon: Do not display last user name";
Remove DFS$ and COMCFG from the file shares that allow anonymous login;
Disable Active Desktop.
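One way to check the account renames from section 1 and several of the section 4 policies on a finished server is to audit the text that `secedit /export /cfg <file>` writes. This is an added example, not part of the original article; the function names and the sample export are constructed for illustration, and only a subset of the listed policies is checked.

```python
import configparser

# Built-in groups (as *SID) that section 4 removes from SeNetworkLogonRight.
UNWANTED = {"*S-1-1-0": "Everyone", "*S-1-5-32-547": "Power Users",
            "*S-1-5-32-551": "Backup Operators"}
NOLMHASH = r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"

def parse_inf(text):
    """Parse secedit INF text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: {k: v.strip('"') for k, v in cp[s].items()}
            for s in cp.sections()}

def audit_policy(inf):
    """Return findings against the settings listed in sections 1 and 4."""
    access = inf.get("System Access", {})
    findings = []
    for key, default in (("NewAdministratorName", "Administrator"),
                         ("NewGuestName", "Guest")):
        if access.get(key, default).lower() == default.lower():
            findings.append(f"{default} account not renamed")
    for key, want in (("LockoutBadCount", "5"), ("LockoutDuration", "30")):
        if access.get(key) != want:
            findings.append(f"{key} is {access.get(key)}, expected {want}")
    rights = inf.get("Privilege Rights", {}).get("SeNetworkLogonRight", "")
    holders = {h.strip() for h in rights.split(",")}
    findings += [f"{name} holds SeNetworkLogonRight"
                 for sid, name in UNWANTED.items() if sid in holders]
    if inf.get("Registry Values", {}).get(NOLMHASH) != "4,1":
        findings.append("NoLMHash is not enabled")
    return findings

# Constructed sample in `secedit /export` format; real exports are UTF-16.
SAMPLE = r'''[System Access]
LockoutBadCount = 5
LockoutDuration = 15
NewAdministratorName = "srvadm01"
NewGuestName = "Guest"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-551
'''

if __name__ == "__main__":
    print("\n".join(audit_policy(parse_inf(SAMPLE))))
```

An empty result means every checked setting matches the list above; read a real export with `open(path, encoding="utf-16")` before parsing.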
5. Strengthen TCP protocol stack
Windows Registry Editor Version 5.00

; dword data is written in hexadecimal
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"EnablePMTUDiscovery"=dword:00000000
"NoNameReleaseOnDemand"=dword:00000001
"EnableDeadGWDetect"=dword:00000000
"KeepAliveTime"=dword:00300000
"PerformRouterDiscovery"=dword:00000000
"TcpMaxConnectResponseRetransmissions"=dword:00000003
"TcpMaxHalfOpen"=dword:00000100
"TcpMaxHalfOpenRetried"=dword:00000080
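To confirm that the values from sections 2 and 5 actually landed in the registry, an exported .reg file can be decoded and compared with the fragment above. This is an added example, not part of the original article; the function names and the sample export are constructed, and the baseline is copied from the page's own values.

```python
import re

# Baseline copied from the section 5 fragment; dword data is hexadecimal.
BASELINE = {
    "SynAttackProtect": 0x1, "EnablePMTUDiscovery": 0x0,
    "NoNameReleaseOnDemand": 0x1, "EnableDeadGWDetect": 0x0,
    "KeepAliveTime": 0x300000, "PerformRouterDiscovery": 0x0,
    "TcpMaxConnectResponseRetransmissions": 0x3,
    "TcpMaxHalfOpen": 0x100, "TcpMaxHalfOpenRetried": 0x80,
}
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RDP = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
       r"\Terminal Server\WinStations\RDP-Tcp")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_dwords(text):
    """Return {key path (lower-cased): {value name: int}} for every dword."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := DWORD.match(line)):
            current[m[1]] = int(m[2], 16)
    return keys

def audit(values, baseline=BASELINE):
    """Return (name, expected, found) for each missing or different value."""
    return [(n, want, values.get(n)) for n, want in baseline.items()
            if values.get(n) != want]

# Constructed sample in .reg export format (not from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"KeepAliveTime"=dword:000493e0
"TcpMaxHalfOpen"=dword:00000100

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
'''

if __name__ == "__main__":
    keys = parse_reg_dwords(SAMPLE)
    print("RDP port:", keys[RDP.lower()]["PortNumber"])
    for name, want, found in audit(keys[TCPIP.lower()]):
        print(f"{name}: expected {want}, found {found}")
```

Because dword data is hexadecimal, the fragment's KeepAliveTime of 00300000 decodes to 3,145,728 milliseconds (about 52 minutes) and TcpMaxHalfOpen of 00000100 to 256, which is what the audit compares against.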
Open Windows component installation, find Application Server, open its details, and check ASP.NET. The necessary components of IIS will be selected automatically. If your server needs to run ASP scripts, you also need to open Internet Information Services (IIS) - World Wide Web Service and check Active Server Pages. After completing the installation, create a separate directory on another logical partition to store the WEB site programs and data.
Multiple websites may run on one WEB server, and they may be unrelated to each other. Therefore, to isolate them and improve security, establish an anonymous WEB user group, create an anonymous access account for each site, add these anonymous accounts to that group, and deny this group the local logon right in the local computer policy.
Finally optimize the IIS6 application pool settings:
Disable the idle timeout of the default application pool;
Disable fast fail protection;
Limit shutdown time from
7. Delete unneeded MSSQL components and the procedures that call the registry and the SHELL
Delete the SQL procedures that have security issues. The list is fairly comprehensive. Everything is for safety! This removes the dangerous ability to call the shell, the registry, and COM components.
use master
-- Shell access
EXEC sp_dropextendedproc 'xp_cmdshell'
-- OLE Automation (COM) procedures
EXEC sp_dropextendedproc 'Sp_OACreate'
EXEC sp_dropextendedproc 'Sp_OADestroy'
-- Registry procedures
EXEC sp_dropextendedproc 'Xp_regaddmultistring'
EXEC sp_dropextendedproc 'Xp_regdeletekey'
EXEC sp_dropextendedproc 'Xp_regdeletevalue'
EXEC sp_dropextendedproc 'Xp_regenumvalues'
EXEC sp_dropextendedproc 'Xp_regread'
EXEC sp_dropextendedproc 'Xp_regremovemultistring'
EXEC sp_dropextendedproc 'Xp_regwrite'
-- Web task procedure
drop procedure sp_makewebtask
Copy all of the above into "SQL Query Analyzer".
Click the menu "Query" - "Execute", and the SQL procedures with security issues will be deleted (the above comes from 7i24's technical support for genuine users).
Change the default empty SA password. Do not use the SA account for database connections. Set up a separate account for each database, and only give it public and db_owner permissions.
Do not put the database in the default location.
SQL should not be installed under the Program Files directory.
The latest SQL2000 patch is SP4.
8. Anti-ping processing
For anti-ping processing, I suggest that everyone use software such as a firewall, which can greatly reduce the possibility of the server being attacked. Why do I say this? The main reason is that most intruders now use software to scan for live hosts in a network segment. Generally, judging whether a host is alive depends on whether the ping succeeds or not!
9. Prohibit (change) common DOS commands
Find cmd.exe, cmd32.exe, net.exe, net1.exe, ipconfig.exe, tftp.exe, ftp.exe, user.exe, reg.exe, regedit.exe, regedt32.exe, and regsvr32.exe under %windir%/system32. These files are commonly used by hackers. In "Properties" → "Security", define the users that may access them in the ACLs, for example giving access rights only to the administrator. If we need to prevent some overflow attacks and the illegal use of these files after a successful overflow, then we only need to deny access to the system user in the ACLs.
10. Modify the default port of Serv-U (there are similar video tutorials and articles on the Internet, which are quite good)
11. Close uncommon ports (available everywhere)
In TCP/IP Properties - Advanced - Filter, just open some commonly used ports! For example: 80 3389 1433, etc., according to everyone’s needs!
12. Disk (website directory), user, IIS permission settings (covered everywhere)
There are many such articles and videos, but what I want to say here is that many of the articles and videos on websites now grant the basic disk permissions to the Administrators group. I personally recommend that everyone grant them to the Administrator account instead, so as to prevent intruders from fully controlling the machine after a successful privilege escalation! After doing this, even if an intrusion succeeds, the intruder will only have a little browsing permission!