Windows server security settings summary
Feb 02, 2021 11:50 AM


Windows Server is Microsoft's server operating system and the core of the Windows Server System (WSS) product family.

Each Windows Server release corresponds to a client (workstation) edition of Windows, with the exception of Windows Server 2003 R2.

1), Basic system security settings

1. Installation: format all partitions with NTFS, reinstall the system from original Windows Server 2003 media, install anti-virus software (McAfee) and update its virus definitions, install Service Pack 2, install IIS with only the necessary components, install SQL Server 2000 and .NET 2.0, enable the Windows Firewall, and apply the latest patches to the server.

2), Disable unnecessary services

Computer Browser: maintains the list of computers on the network; disable

Distributed File System: manages shared files across the LAN; disable if not needed

Distributed Link Tracking Client: updates link information on the LAN; disable if not needed

Error Reporting Service: disable, so that error reports are not sent

Microsoft Search: provides fast full-text search; disable if not needed

NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed

Print Spooler: can be disabled if there is no printer

Remote Registry: disable, so the registry cannot be modified remotely

Remote Desktop Help Session Manager: disable (Remote Assistance); other services remain to be verified
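The list above as a script, added here as an example (it is not part of the original article). It assumes Windows PowerShell 5.1 run as Administrator; the short service names are assumed to correspond to the display names in the list and should be confirmed with Get-Service before the script is run on a production host.

```powershell
# Added example: stop and disable the services listed above, then report the result.
# Assumes Windows PowerShell 5.1 as Administrator. Short service names are assumed;
# confirm with Get-Service on the target host.
$ServicesToDisable = @(
    @{ Name = 'Browser';        Display = 'Computer Browser' },
    @{ Name = 'Dfs';            Display = 'Distributed File System' },
    @{ Name = 'TrkWks';         Display = 'Distributed Link Tracking Client' },
    @{ Name = 'ERSvc';          Display = 'Error Reporting Service' },
    @{ Name = 'MSSearch';       Display = 'Microsoft Search' },
    @{ Name = 'NtLmSsp';        Display = 'NTLM Security Support Provider' },
    @{ Name = 'Spooler';        Display = 'Print Spooler' },          # keep if a printer is attached
    @{ Name = 'RemoteRegistry'; Display = 'Remote Registry' },
    @{ Name = 'RDSessMgr';      Display = 'Remote Desktop Help Session Manager' }
)

function Disable-UnneededService {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$Name' is not installed on this host; skipping."
        return $null
    }
    # Stop the running instance first, then change the start type so it stays down after reboot.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    Set-Service -Name $Name -StartupType Disabled
    Get-Service -Name $Name
}

$results = foreach ($s in $ServicesToDisable) {
    $after = Disable-UnneededService -Name $s.Name
    if ($after) {
        [pscustomobject]@{
            Service   = $s.Display
            Status    = $after.Status
            StartType = $after.StartType    # StartType property exists from PowerShell 5.0
        }
    }
}
$results | Format-Table -AutoSize

# Verification: anything whose start type is not 'Disabled' needs a second look.
$notDisabled = $results | Where-Object { $_.StartType -ne 'Disabled' }
if ($notDisabled) { Write-Warning "Still enabled: $($notDisabled.Service -join ', ')" }
```

Run it once, review the table, and keep the output with the change record; a service that a later installer re-enables will show up the next time the script is run.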

3), Set up and manage accounts

1. Disable the Guest account, rename it, change its description, and give it a complex password.

2. Keep as few administrator accounts as possible, and rename the built-in Administrator account and change its description. The password should mix digits with upper- and lower-case letters and should be at least 10 characters long.

3. Create a decoy account named Administrator, give it the fewest possible rights, and set a password of at least 20 characters.

4. Under Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy, set the account to lock for 30 minutes after three invalid logon attempts.

5. Under Security Settings → Local Policies → Security Options, set "Interactive logon: Do not display last user name" to Enabled.

6. Under Security Settings → Local Policies → User Rights Assignment, in "Access this computer from the network" keep only the Internet guest account (IUSR_<host>), the IIS process account (IWAM_<host>) and the ASPNET account.

7. Create an ordinary user account for day-to-day work, and use the Runas command when a privileged command is needed.
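Steps 1 to 5 above as a repeatable script, added here as an example (it is not part of the original article). It assumes Windows PowerShell 5.1 on Windows Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module) run as Administrator; the new administrator name 'SrvOps' and the decoy account details are assumptions. The built-in accounts are located by their well-known RIDs (500 and 501) rather than by name, so the script still works after an earlier rename.

```powershell
# Added example: account hardening steps 1-5. Assumes Windows PowerShell 5.1 on
# Windows Server 2016+ as Administrator. 'SrvOps' and the decoy details are assumed.
function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*_-+='
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    # Rejection sampling keeps every character equally likely (no modulo bias).
    $limit = $chars.Length * [math]::Floor(256 / $chars.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$RealAdminName = 'SrvOps'   # assumed new name for the built-in Administrator

# 1. Guest (RID 501): disable, give it an unguessable password, rename and re-describe.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
Disable-LocalUser -Name $guest.Name
Set-LocalUser -Name $guest.Name -Description 'Disabled' `
    -Password (ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force)
if ($guest.Name -ne 'Visitor_Disabled') { Rename-LocalUser -Name $guest.Name -NewName 'Visitor_Disabled' }

# 2. Rename the built-in Administrator (RID 500).
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin.Name -ne $RealAdminName) { Rename-LocalUser -Name $admin.Name -NewName $RealAdminName }

# 3. Decoy 'Administrator': a plain account, member of no group, with a 32-character password.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name 'Administrator' -Description 'Built-in account for administering the computer' `
        -Password (ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force) | Out-Null
}

# 4. Lockout policy: three invalid attempts lock the account for 30 minutes.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 5. 'Interactive logon: Do not display last user name' = Enabled.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $pol -Name DontDisplayLastUserName -Value 1 -Type DWord

# Check: RID 500 must no longer be called Administrator and the decoy must not be an admin.
$rid500  = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$admins  = (Get-LocalGroupMember -Group 'Administrators').Name
[pscustomobject]@{
    RealAdmin      = $rid500.Name
    DecoyIsAdmin   = $admins -contains "$env:COMPUTERNAME\Administrator"
    LastUserHidden = (Get-ItemProperty -Path $pol).DontDisplayLastUserName -eq 1
}
```

Step 6 (the "Access this computer from the network" right) has no cmdlet; it is set with a security template and secedit, or through Group Policy, and is left to the GUI procedure above.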

4), Enable the corresponding audit policy

Audit policy change: Success

Audit logon events: Success, Failure

Audit object access: Failure

Audit process tracking: Success, Failure

Audit directory service access: Failure

Audit privilege use: Failure

Audit system events: Success, Failure

Audit account logon events: Success, Failure

Audit account management: Success, Failure
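The table above applied with auditpol.exe and then read back, added here as an example (not part of the original article). It assumes Windows Server 2008 or later, where auditpol.exe ships with the system (on Windows Server 2003 the same settings are made in Local Security Policy); the category names are the English auditpol names of the nine legacy categories, with "Detailed Tracking" being the auditpol name for process tracking.

```powershell
# Added example: apply the audit policy table with auditpol.exe and verify it.
# Assumes Windows Server 2008+ as Administrator; auditpol category names are the
# English ones. 'Detailed Tracking' is the process-tracking category.
$AuditSettings = @(
    @{ Category = 'Policy Change';      Success = $true;  Failure = $false },
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  },
    @{ Category = 'Object Access';      Success = $false; Failure = $true  },
    @{ Category = 'Detailed Tracking';  Success = $true;  Failure = $true  },
    @{ Category = 'DS Access';          Success = $false; Failure = $true  },
    @{ Category = 'Privilege Use';      Success = $false; Failure = $true  },
    @{ Category = 'System';             Success = $true;  Failure = $true  },
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  },
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  }
)

function Set-AuditCategory {
    param([string]$Category, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    $out = & auditpol.exe /set /category:"$Category" /success:$s /failure:$f 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Category': $out" }
}

function Get-AuditCategorySetting {
    # Parse the CSV report (/r) so the result can be compared programmatically.
    # One row per subcategory; 'Inclusion Setting' is 'Success and Failure',
    # 'Success', 'Failure' or 'No Auditing'. The category counts as enabled for
    # success/failure only if every subcategory reports it.
    param([string]$Category)
    $rows = & auditpol.exe /get /category:"$Category" /r | ConvertFrom-Csv
    [pscustomobject]@{
        Category = $Category
        Success  = -not ($rows | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' })
        Failure  = -not ($rows | Where-Object { $_.'Inclusion Setting' -notmatch 'Failure' })
    }
}

foreach ($a in $AuditSettings) { Set-AuditCategory @a }

# Verification: compare what the system reports against what was requested.
foreach ($a in $AuditSettings) {
    $now = Get-AuditCategorySetting -Category $a.Category
    $ok  = ($now.Success -eq $a.Success) -and ($now.Failure -eq $a.Failure)
    '{0,-20} success={1,-5} failure={2,-5} {3}' -f $a.Category, $now.Success, $now.Failure,
        $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

Two practical notes: once subcategory settings are used, the policy "Audit: Force audit policy subcategory settings to override audit policy category settings" decides whether the legacy category settings or these win, so set it deliberately; and process tracking (Detailed Tracking) with Success enabled records every process start, which is valuable for investigations but needs a larger security log than the 512 KB default.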

5), Other security-related settings

1. Disable the default administrative shares C$, D$ and ADMIN$

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, create a new DWORD value in the right-hand pane named AutoShareServer and set it to 0. The shares disappear after the Server service restarts; note that some remote management tools rely on ADMIN$.

2. Unbind NetBIOS from TCP/IP

Right-click Network Neighborhood → Properties, right-click Local Area Connection → Properties, double-click Internet Protocol → Advanced → WINS → Disable NetBIOS over TCP/IP. This closes TCP 137/138/139 on that interface; SMB is still reachable on TCP 445.

3. Hide important files/directories

The registry can be modified so that hidden files cannot be shown at all through Explorer: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, select Modify, and change the value from 1 to 0. This only affects what Explorer displays (dir /a and any script still see the files), so it is obscurity, not a control; protect sensitive files with NTFS permissions.

4. Mitigate SYN flood attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a new DWORD value named SynAttackProtect with a value of 2. This and the following three values apply to the Windows 2000/2003 TCP/IP stack; later Windows versions have SYN flood protection on by default and ignore this value.

5. Disable responses to ICMP router advertisement messages

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID>, create a new DWORD value named PerformRouterDiscovery with a value of 0 (repeat for each interface).

6. Prevent attacks using ICMP redirect messages

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, set the DWORD value EnableICMPRedirect to 0 (the value name has no trailing "s").

7. Disable IGMP support

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a new DWORD value named IGMPLevel with a value of 0.

8. Disable DCOM: choose Run, enter Dcomcnfg.exe and press Enter. Under Console Root, click Component Services, then open the Computers folder.

For the local computer, right-click My Computer and select Properties. Select the Default Properties tab and clear the "Enable Distributed COM on this computer" check box. (The equivalent registry value is the string EnableDCOM = N under HKEY_LOCAL_MACHINE\SOFTTWARE\Microsoft\Ole.) Check first that no installed application depends on DCOM.

9. The default Terminal Services (RDP) port is 3389; consider changing it to another port.

Server side: open the registry, find the subkey named RDP-Tcp under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations, and modify the PortNumber value (it takes effect after the Terminal Services service restarts). Client side (the old Terminal Services Client): create a client connection as usual, select it, choose Export from the File menu, which produces a .cns file at the chosen location; open the file and change the "Server Port" value to match the server's PortNumber, then import the file (File → Import). With the later mstsc client, simply connect to server:port. Moving the port hides the service from casual scans only; also restrict the source addresses that may reach it.
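Items 1 to 9 of this section as idempotent registry writes with a read-back check, added here as an example (not part of the original article). It assumes Windows PowerShell 5.1 run as Administrator; the RDP port 33890 is an assumption. The Explorer "hidden files" trick (item 3) is deliberately left out because it is not a security control.

```powershell
# Added example: registry settings for items 1, 2, 4-9 of this section.
# Assumes Windows PowerShell 5.1 as Administrator; RDP port 33890 is assumed.
function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPort = 33890   # assumed

# 1. No automatic administrative shares (C$, D$, ADMIN$) once the Server service restarts.
Set-RegValue $srv AutoShareServer 0

# 2. NetBIOS over TCP/IP off on every interface (2 = disable; same as the WINS tab setting).
Get-ChildItem $nbt | ForEach-Object { Set-RegValue $_.PSPath NetbiosOptions 2 }

# 4-7. Legacy TCP/IP hardening (Windows 2000/2003 stack): SYN-flood protection,
#      no router discovery, no ICMP redirects, no IGMP.
Set-RegValue $tcp SynAttackProtect   2
Set-RegValue $tcp EnableICMPRedirect 0
Set-RegValue $tcp IGMPLevel          0
Get-ChildItem "$tcp\Interfaces" | ForEach-Object { Set-RegValue $_.PSPath PerformRouterDiscovery 0 }

# 8. Disable DCOM machine-wide (same as clearing 'Enable Distributed COM' in dcomcnfg).
Set-RegValue $ole EnableDCOM 'N' -Type String

# 9. Move RDP off 3389 (effective after the Terminal Services service restarts).
Set-RegValue $rdp PortNumber $RdpPort

# Check: read everything back and flag anything that did not stick.
$checks = @(
    @{ Path = $srv; Name = 'AutoShareServer';    Want = 0 },
    @{ Path = $tcp; Name = 'SynAttackProtect';   Want = 2 },
    @{ Path = $tcp; Name = 'EnableICMPRedirect'; Want = 0 },
    @{ Path = $tcp; Name = 'IGMPLevel';          Want = 0 },
    @{ Path = $ole; Name = 'EnableDCOM';         Want = 'N' },
    @{ Path = $rdp; Name = 'PortNumber';         Want = $RdpPort }
)
foreach ($c in $checks) {
    $have = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    '{0,-20} want={1,-6} have={2,-6} {3}' -f $c.Name, $c.Want, $have,
        $(if ("$have" -eq "$($c.Want)") { 'OK' } else { 'MISMATCH' })
}
```

Reboot, or restart the Server and Terminal Services services, for items 1 and 9 to take effect, and make sure a firewall rule for the new RDP port exists before the old one closes behind you.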

6), Configure the IIS service

1. Do not use the default Web site. If you must use it, keep the IIS content directory on a partition other than the system disk.

2. Delete the Inetpub directory that IIS creates by default on the system partition.

3. Delete the sample and administrative virtual directories on the system disk, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.

4. Remove unnecessary IIS extension (application) mappings. Right-click Default Web Site → Properties → Home Directory → Configuration to open the application mappings window, and remove the mappings the site does not use, chiefly .shtml, .shtm and .stm.

5. To change the IIS log path, right-click Default Web Site → Properties → Web Site tab, and under Enable Logging click Properties.

6. On Windows 2000 (IIS 5), use the IIS Lockdown tool to protect IIS. IIS 6.0 on Windows Server 2003 already builds in its protections and does not need it.

7. Use UrlScan

UrlScan is an ISAPI filter that analyses incoming HTTP requests and rejects any suspicious ones. The latest version is 2.5; on Windows 2000 Server, version 1.0 or 2.0 must be installed first. If there are no special requirements, the default UrlScan configuration is fine. If an ASP.NET application on the server needs to be debugged, open UrlScan.ini in the %WINDIR%\System32\Inetsrv\URLscan folder, make sure UseAllowVerbs=1 is set in the [Options] section, and add the DEBUG verb to the [AllowVerbs] section (entries are case-sensitive). If the site serves classic .asp pages, remove the .asp entry from [DenyExtensions]. If the site uses non-ASCII URLs, set AllowHighBitCharacters=1 in [Options]. Changes to UrlScan.ini take effect only after IIS is restarted (Run → iisreset). If problems appear after configuration, UrlScan can be removed through Add/Remove Programs.

8. Use the WIS (Web Injection Scanner) tool to scan the whole website for SQL injection vulnerabilities.
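The UrlScan.ini changes from item 7 made by script rather than by hand, added here as an example (not part of the original article). It assumes UrlScan 2.5 under IIS 6 at the default path below; the ini is parsed into sections so comments and ordering survive, a backup is kept, and IIS is restarted so the filter rereads the file.

```powershell
# Added example: edit UrlScan.ini safely. Assumes UrlScan 2.5 on IIS 6 at the
# default path; run as Administrator. Section and key names are UrlScan's own.
$IniPath = Join-Path $env:WINDIR 'System32\inetsrv\urlscan\UrlScan.ini'

function Read-IniSections {
    # Returns an ordered map: section name -> list of raw lines (comments kept).
    # The '' key holds lines that appear before the first section header.
    param([string]$Path)
    $sections = [ordered]@{ '' = [System.Collections.Generic.List[string]]::new() }
    $current = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[([^\]]+)\]\s*$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) {
                $sections[$current] = [System.Collections.Generic.List[string]]::new()
            }
        } else {
            $sections[$current].Add($line)
        }
    }
    $sections
}

function Write-IniSections {
    param($Sections, [string]$Path)
    $out = foreach ($name in $Sections.Keys) {
        if ($name -ne '') { "[$name]" }
        $Sections[$name]
    }
    Set-Content -Path $Path -Value $out -Encoding Ascii
}

function Set-IniOption {
    # key=value in [Options]: replace an existing key (case-insensitive) or append it.
    param($Sections, [string]$Key, [string]$Value)
    $list = $Sections['Options']
    for ($i = 0; $i -lt $list.Count; $i++) {
        if ($list[$i] -match "^\s*$([regex]::Escape($Key))\s*=") { $list[$i] = "$Key=$Value"; return }
    }
    $list.Add("$Key=$Value")
}

function Add-IniEntry {
    # Bare list entries (verbs, extensions): add only if not already present.
    param($Sections, [string]$Section, [string]$Entry)
    $list = $Sections[$Section]
    if (-not ($list | Where-Object { $_.Trim() -ieq $Entry })) { $list.Add($Entry) }
}

function Remove-IniEntry {
    param($Sections, [string]$Section, [string]$Entry)
    $list = $Sections[$Section]
    for ($i = $list.Count - 1; $i -ge 0; $i--) {
        if ($list[$i].Trim() -ieq $Entry) { $list.RemoveAt($i) }
    }
}

Copy-Item -Path $IniPath -Destination "$IniPath.bak" -Force   # rollback copy
$ini = Read-IniSections -Path $IniPath

Set-IniOption   $ini 'UseAllowVerbs' '1'            # verbs are an allow-list...
Add-IniEntry    $ini 'AllowVerbs' 'DEBUG'           # ...so DEBUG must be listed for ASP.NET debugging
Remove-IniEntry $ini 'DenyExtensions' '.asp'        # only if the site really serves classic ASP
Set-IniOption   $ini 'AllowHighBitCharacters' '1'   # needed for non-ASCII URLs

Write-IniSections -Sections $ini -Path $IniPath
iisreset | Out-Null   # UrlScan reads its ini only when IIS starts
```

Allowing DEBUG and high-bit characters both widen what the filter accepts; remove the DEBUG verb again once debugging is finished.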

7), Configure SQL Server

1. Have no more than two members of the sysadmin (System Administrators) role.

2. Do not use the sa account for applications, and give it an extremely complex password.

3. Delete dangerous extended stored procedures. Syntax:

use master
exec sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell is the most direct route from SQL Server into the operating system and should be removed first. Also delete the extended stored procedures that access the registry:

xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues

and the OLE Automation procedures:

sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop

This procedure is for SQL Server 2000. On SQL Server 2005 and later, disable these features with sp_configure ('xp_cmdshell', 'Ole Automation Procedures') and deny EXECUTE on the procedures to public instead of dropping them, because dropping system objects can break service pack installation.

4. Hide the SQL Server instance and change the default port 1433

Right-click the instance and select Properties → General → Network Configuration, open the TCP/IP protocol properties, tick "Hide server" and change the default port 1433. In SQL Server 2000, "Hide server" itself changes the listening port to 2433, and both measures only defeat casual scans: the listener is still reachable by anyone who finds the port, so restrict it with the firewall as well.
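The SQL Server items above as a T-SQL script run through sqlcmd.exe, added here as an example (not part of the original article). It assumes SQL Server 2005 or later, where the features are disabled with sp_configure rather than dropped (on SQL Server 2000 use sp_dropextendedproc as shown in the text), a default local instance reached with Windows authentication, and sqlcmd.exe on the path; all three are assumptions.

```powershell
# Added example: SQL Server hardening via sqlcmd.exe. Assumes SQL Server 2005+,
# the default local instance ('.'), Windows authentication, and sqlcmd.exe on PATH.
$Instance = '.'

$Harden = @'
USE master;
-- Disable OS command execution and OLE Automation at the server level.
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;      RECONFIGURE;

-- Registry and OLE procedures: deny EXECUTE to public so only sysadmin can reach them.
DENY EXECUTE ON xp_regaddmultistring TO public;
DENY EXECUTE ON xp_regdeletekey      TO public;
DENY EXECUTE ON xp_regdeletevalue    TO public;
DENY EXECUTE ON xp_regenumvalues     TO public;
DENY EXECUTE ON sp_OACreate          TO public;
DENY EXECUTE ON sp_OADestroy         TO public;
DENY EXECUTE ON sp_OAGetErrorInfo    TO public;
DENY EXECUTE ON sp_OAGetProperty     TO public;
DENY EXECUTE ON sp_OAMethod          TO public;
DENY EXECUTE ON sp_OASetProperty     TO public;
DENY EXECUTE ON sp_OAStop            TO public;

-- Applications get their own least-privilege login; sa itself is disabled.
ALTER LOGIN sa DISABLE;
'@

$Verify = @'
SET NOCOUNT ON;
-- Both values must read 0.
SELECT name, CAST(value_in_use AS int) AS in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
-- sa must be disabled.
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'sa';
-- Item 1: no more than two sysadmin members.
SELECT COUNT(*) AS sysadmins
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';
'@

function Invoke-SqlScript {
    # -E: Windows auth; -b: non-zero exit code on the first error.
    param([string]$Sql)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $tmp -Value $Sql
        & sqlcmd.exe -S $Instance -E -b -i $tmp
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd reported an error (exit code $LASTEXITCODE)" }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

Invoke-SqlScript -Sql $Harden
Invoke-SqlScript -Sql $Verify
```

Disabling sa assumes no application still connects as sa; run the verification first against a copy of the instance, as the note at the end of the article advises.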

8), Change where the system logs are stored

The application, security and system logs (and the DNS server log) are stored by default under %systemroot%\system32\config with a default maximum size of 512 KB; the administrator should change this default size and, preferably, the location.

Default log locations:

Security log: %systemroot%\system32\config\SecEvent.EVT
System log: %systemroot%\system32\config\SysEvent.EVT
Application log: %systemroot%\system32\config\AppEvent.EVT
IIS FTP log: %systemroot%\system32\logfiles\msftpsvc1\ (one file per day by default)
IIS WWW log: %systemroot%\system32\logfiles\w3svc1\ (one file per day by default)
Task Scheduler log: %systemroot%\schedlgu.txt

Where the locations are configured in the registry:

Application, security, system and DNS server logs: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
Task Scheduler log: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

SQL Server: delete or rename xplog70.dll (the DLL that implements xp_cmdshell).

Registry settings for the default shares (AutoShareWks applies to the Professional edition, AutoShareServer to the Server edition; 0 disables the shares):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

Disable the administrative shares admin$, c$, d$ and restrict anonymous access:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"restrictanonymous"=dword:00000001

0x1: anonymous users cannot enumerate the local user list. 0x2: anonymous users cannot connect to the local IPC$ share at all (this may prevent SQL Server from starting).

9), Local security policy

1. Open only the ports and protocols that the server's services need. Method: Network Neighborhood → Properties → Local Area Connection → Properties → Internet Protocol → Properties → Advanced → Options → TCP/IP Filtering → Properties, then add only the required TCP ports, UDP ports and IP protocols, according to the services the host provides.

Common TCP service ports: 80 (Web), 21 (FTP), 25 (SMTP), 23 (Telnet), 110 (POP3). Common UDP ports: 53 (DNS), 161 (SNMP). 8000 and 4000 are used by OICQ (the server receives on 8000, the client sends on 4000).

Ports to block unless a service on this host needs them: TCP 21 (or move FTP to a non-default port), 23 (Telnet), 53 (DNS), 135, 136, 137, 138, 139, 443 (unless the site serves HTTPS), 445, 1028, 1433 (SQL Server) and 3389 (RDP, or move it); the proxy ports TCP 1080, 3128, 6588 and 8080; TCP 25 (SMTP), 161 (SNMP) and 67 (BOOTP); UDP 1434 (the SQL Server resolution service, which must never be exposed). Block all ICMP, which also blocks ping. These are the most commonly scanned ports; block everything else as well, keeping 80 open because it is what the Web service uses.

TCP/IP Filtering is a crude per-port switch with no direction or source-address control; the Windows Firewall is the better place to implement this list, and it also lets management ports such as RDP and 1433 be limited to the administrators' subnet.
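The port list above expressed as an allow-list host firewall for a web server, added here as an example (not part of the original article). It assumes Windows Server 2012 or later (the NetSecurity module) run as Administrator; the rule name prefix, the moved RDP port 33890 and the administrators' subnet 10.0.0.0/24 are assumptions.

```powershell
# Added example: default-deny inbound firewall with explicit allows for the web server.
# Assumes Windows Server 2012+ as Administrator. 'Hardening' prefix, RDP port 33890
# and the 10.0.0.0/24 admin subnet are assumed.
$Prefix   = 'Hardening'
$RdpPort  = 33890
$AdminNet = '10.0.0.0/24'

# Default-deny inbound on every profile; outbound is left open (tighten separately).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Remove rules from an earlier run so the script is repeatable.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$AllowRules = @(
    @{ Name = 'HTTP';  Protocol = 'TCP'; Port = 80;       Remote = 'Any' },
    @{ Name = 'HTTPS'; Protocol = 'TCP'; Port = 443;      Remote = 'Any' },
    @{ Name = 'RDP';   Protocol = 'TCP'; Port = $RdpPort; Remote = $AdminNet },  # moved off 3389
    @{ Name = 'SQL';   Protocol = 'TCP'; Port = 1433;     Remote = $AdminNet }   # never Internet-facing
)
foreach ($r in $AllowRules) {
    New-NetFirewallRule -DisplayName "$Prefix-$($r.Name)" -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Any | Out-Null
}

# Explicit blocks for the commonly scanned ports. Redundant under default-deny, but
# block rules win over allow rules, so they hold even if someone later adds a broad allow.
$BlockTcp = 21,23,53,135,136,137,138,139,445,1028,3389,1080,3128,6588,8080,25,161
$BlockUdp = 1434,53,161,67
New-NetFirewallRule -DisplayName "$Prefix-Block-TCP" -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort $BlockTcp -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$Prefix-Block-UDP" -Direction Inbound -Action Block `
    -Protocol UDP -LocalPort $BlockUdp -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$Prefix-Block-ICMPv4" -Direction Inbound -Action Block `
    -Protocol ICMPv4 -IcmpType Any -Profile Any | Out-Null

# Check: list every enabled inbound allow with its ports and sources for review
# against the list of services the host is supposed to provide.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; Port = $pf.LocalPort; From = $af.RemoteAddress }
} | Format-Table -AutoSize
```

Apply it from a console session or with the new RDP rule already in place, since the default-deny takes effect immediately; the final listing will also show Windows' own built-in allow rules, which should be reviewed and disabled where not needed.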

2. Prevent null sessions. By default any user can connect to the server through a null session (an SMB session with an empty user name and password), enumerate accounts and then guess passwords. Null sessions use TCP 139 (and 445). Over a null session files can be copied to the remote server and a scheduled task created to execute them, so this is a real weakness. Null sessions can be prevented in two ways:

(1) In the registry, set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous to 1.

(2) In the Windows 2000 local security policy, under Local Security Policy → Local Policies → Security Options, set "Additional restrictions for anonymous connections" (RestrictAnonymous) to "Do not allow enumeration of SAM accounts and shares".

By default Windows 2000 lets any user obtain the system's complete account and share lists through a null session. This was intended to make sharing resources and files easy for LAN users, but it equally lets any remote user obtain the user list by the same method and then brute-force passwords, endangering the whole network. Many people only know to set the registry value Local_Machine\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 to forbid null-user connections. In fact the Windows 2000 local security policy (for a domain controller, the domain controller security policy and domain security policy) contains the RestrictAnonymous option with three values: "0", the default, imposes no restriction, so a remote user can learn all accounts, group information, shared directories and network transport lists (NetServerTransportEnum) on the machine; "1" allows only non-null users to access SAM account and share information; "2" is supported only on Windows 2000 and, if used, resources can no longer be shared at all. The recommended value is therefore "1". Windows Server 2003 and later replace value 2 with the separate RestrictAnonymousSAM and EveryoneIncludesAnonymous settings.
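The anonymous-access restrictions set and then tested with a real null session attempt, added here as an example (not part of the original article). It assumes Windows PowerShell 5.1 run as Administrator on Windows Server 2003 or later, where RestrictAnonymousSAM and EveryoneIncludesAnonymous exist. The check maps IPC$ with empty credentials and then tries to list shares over that session, which is exactly what an attacker's enumeration does; it is most meaningful run from a separate workstation against the server rather than against 127.0.0.1.

```powershell
# Added example: restrict anonymous (null session) access and verify it.
# Assumes Windows PowerShell 5.1 as Administrator, Windows Server 2003+.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $Lsa -Name RestrictAnonymous         -Value 1 -Type DWord  # no share/transport enumeration
Set-ItemProperty -Path $Lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord  # no SAM account enumeration
Set-ItemProperty -Path $Lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord  # Anonymous is not 'Everyone'

function Test-AnonymousShareEnumeration {
    # Returns $true if an empty-credential session could list the server's shares.
    # If the current user already has a session to $Server, net use fails with
    # error 1219 (conflicting credentials); disconnect it first.
    param([string]$Server = '127.0.0.1')   # assumed; run from another host for a real test
    $null = & net.exe use "\\$Server\IPC$" '""' /user:'""' 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }        # the null session itself was refused
    $null = & net.exe view "\\$Server" 2>&1           # share enumeration over that null session
    $enumerated = ($LASTEXITCODE -eq 0)
    & net.exe use "\\$Server\IPC$" /delete /y 2>&1 | Out-Null
    $enumerated
}

$lsa = Get-ItemProperty -Path $Lsa
[pscustomobject]@{
    RestrictAnonymous         = $lsa.RestrictAnonymous
    RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
    EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
    AnonymousEnumeration      = Test-AnonymousShareEnumeration
}
```

With RestrictAnonymous=1 the null session may still connect to IPC$ but the share listing is denied, which is what the AnonymousEnumeration column reports; the registry values take effect without a reboot, though an existing session must be dropped to see the change.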

10), Prevent ASP trojans

1. ASP trojans based on the FileSystemObject component

cacls %systemroot%\system32\scrrun.dll /e /d guests    (deny the Guests group access; the IIS anonymous account IUSR_<host> is a member of Guests by default)
regsvr32 scrrun.dll /u /s    (or unregister the component entirely)

2. ASP trojans based on the Shell.Application component

cacls %systemroot%\system32\shell32.dll /e /d guests    (deny the Guests group access)
regsvr32 shell32.dll /u /s    (unregisters the component; note that shell32.dll also backs Windows Explorer, so unregistering it breaks the shell and many applications, which makes the ACL approach the only practical one of the two)

3. Set the permissions of image upload folders so that nothing in them can execute: in IIS, set the folder's Execute permissions to None, so an uploaded file with a script extension is served as data rather than run.

4. If the site contains no ASP pages, disable ASP (remove the .asp application mapping).

11), Prevent SQL injection

1. Use parameterized statements wherever possible.

2. Where parameterized SQL cannot be used (for example for an identifier such as a column or table name), validate the input against a strict allow-list rather than trying to filter out dangerous characters.

3. Configure the website not to display detailed error information, and always redirect to a generic error page when an error occurs; error text is what error-based injection relies on.

4. Do not connect to the database as the sa user.

5. Create a new database user with only the public role (plus the specific permissions the application needs) and connect as that user.

6. [Roles] Remove the public role's SELECT permission on the sysobjects and syscolumns objects, so an injected query cannot map the schema.
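Items 1 and 2 above side by side: the string-built query that injection exploits, the parameterized equivalent, and an allow-list check for the case where a parameter cannot be used. This is an added example (not part of the original article) using System.Data.SqlClient from Windows PowerShell 5.1; the table and column names are assumptions, and no connection is opened, so it runs offline and only shows what would reach the server in each case.

```powershell
# Added example: unsafe vs parameterized query. Assumes Windows PowerShell 5.1;
# 'Users' table and 'UserName' column are assumed. No database connection is opened.
Add-Type -AssemblyName System.Data

# Constructed attacker input: closes the string literal, adds an always-true
# condition, and comments out whatever follows.
$AttackerInput = "admin' OR 1=1 --"

function Get-UnsafeQuery {
    # Vulnerable: the input is spliced into the SQL text and parsed as SQL.
    param([string]$UserName)
    "SELECT Id, UserName FROM Users WHERE UserName = '$UserName'"
}

function New-SafeCommand {
    # Hardened: the SQL text is fixed; the input travels as a typed parameter value
    # that the server never parses as SQL.
    param([string]$UserName)
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = 'SELECT Id, UserName FROM Users WHERE UserName = @UserName'
    $p = $cmd.Parameters.Add('@UserName', [System.Data.SqlDbType]::NVarChar, 64)
    $p.Value = $UserName
    $cmd
}

function Test-UserNameAllowList {
    # Item 2: where a parameter cannot be used (an ORDER BY column, a table name),
    # accept only what matches an allow-list instead of stripping 'bad' characters.
    param([string]$UserName)
    $UserName -match '^[A-Za-z0-9_.-]{1,64}$'
}

"Unsafe text sent to the server:`n  " + (Get-UnsafeQuery -UserName $AttackerInput)
$safe = New-SafeCommand -UserName $AttackerInput
"Parameterized text sent to the server:`n  " + $safe.CommandText
"Parameter value (data, never parsed as SQL): " + $safe.Parameters['@UserName'].Value
"Allow-list check on the attacker input: " + (Test-UserNameAllowList -UserName $AttackerInput)

# To execute for real: $safe.Connection = New-Object System.Data.SqlClient.SqlConnection $connString
#                      $safe.Connection.Open(); $reader = $safe.ExecuteReader()
```

The same split applies to classic ASP with ADO: build an ADODB.Command with CommandText containing "?" placeholders and append Parameters, rather than concatenating request values into the SQL string.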

Note:

Finally, it must be stressed that the settings above may affect some application services, for example by making it impossible to connect to the remote server.

It is therefore strongly recommended to apply them first on a local machine or a virtual machine (VMware Workstation), confirm that everything still works, and only then apply them on the server.


Statement
This article is reproduced from 博客园. If there is any infringement, please contact admin@php.cn for deletion.