Windows 2003 VPS security settings tutorial

  
        

This is a summary of the security settings for a VPS, 11 items in total. Read them carefully and prevent problems before they happen!

First, disable the default shares.

Method 1: Create a file in Notepad, fill in the following commands, save it as *.bat and add it to the Startup items:

    net share c$ /del
    net share d$ /del
    net share e$ /del
    net share f$ /del
    net share ipc$ /del
    net share admin$ /del

Method 2: Modify the registry. (Note that you must back up the registry before modifying it. Backup method: in Run > regedit, select File > "Export", give the file a name and export it. If the registry modification fails, find the exported registry file and double-click it to run it.)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a new "DWORD Value" with the value name "AutoShareServer" and the value data "0".

Second, Remote Desktop connection configuration.

Start > Programs > Administrative Tools > Terminal Services Configuration > Connections, right-click the "RDP-tcp" connection > Properties > Permissions. Delete the other users and keep only system, then add administrator (not administrators). Give these two users (system and administrator) "Full Control" permissions, so that even if other administrator accounts are created on the server, they cannot use Terminal Services.

Third, serv_u security settings (be sure to set the management password, otherwise it can be used for privilege escalation).

Open serv_u, click "local service", then click "Set/Change Password" on the right. If no password has been set, leave "Old password" blank, fill in the new password and click "OK".

Fourth, close ports 139 and 445.

1. Control Panel > Network > Local Area Connection > Properties (uncheck "network file and printer sharing" here) > TCP/IP protocol Properties > Advanced > WINS > NetBIOS setting: disable NetBIOS. This closes port 139.

2. Close port 445. (Note that you must back up the registry before modifying it. Backup method: in Run > regedit, select File > "Export", give the file a name and export it. If the registry modification fails, find the exported registry file and double-click it to run it.)

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters

Create a new "DWORD value" with the value name "SMBDeviceEnabled" and leave the data at the default value "0".

Fifth, delete the unsafe components WScript.Shell and Shell.application. These two components are commonly used by ASP Trojans and other malicious programs.

Method: enter the following commands in "Run", one at a time:

    1. regsvr32 /u wshom.ocx    (uninstalls the WScript.Shell component)
    2. regsvr32 /u shell32.dll    (uninstalls the Shell.application component)
    3. regsvr32 /u %windir%\system32\Wshext.dll

Sixth, set IIS permissions. Create a separate user for each website. (The following shows the permission settings for one site only. If there are multiple sites on the VPS, give each of the other sites its own Internet guest user in the same way.)

1. First, right-click "My Computer" > Manage > Local Users and Groups. On the right, right-click and choose "New User", create a new user, and set a password. Figure:

For example, in this test the user test is added as the access user for a website.

2. Set the permissions of the site folder. Open Internet Information Services Manager, find the site, right-click it and select "Permissions". Figure:

After selecting "Permissions", the dialog appears as shown below:

Delete the other users and keep only the super administrator account administrator (you can name it yourself; note that this is not the administrators group), the system user (system), and the Internet guest user added for access to the website. Click "Add" to add the user you just created in the system (such as test). Then give the user (test) the Read & Execute, List Folder Contents, Read and Write permissions. Give the super administrator (administrator) "Full Control" and the system user (system) "Full Control". Then select the user (test) and click "Advanced"; the dialog appears as shown below.

Select "Replace permission entries on all child objects with entries shown here that apply to child objects" and click "Apply". Wait for the folder permissions to be propagated, then click "OK".

3. Set the access user. Right-click the site > Properties > Directory Security > Edit, and set the user you just added (such as test) as the anonymous access user. The password is the same as the password set when adding the user.

4. Set site access rights.

Right-click the site you want to set up > Properties > Home Directory. Under the local path, select only "Read", "Log visits" and "Index this resource"; leave the others unselected. For Execute Permissions, select "Scripts only". Do not choose "Scripts and Executables". As shown:


The other settings are the same as the general settings of an IIS site and are not covered here.

Note: For ASP.NET programs, you need to set the account permissions of the IIS_WPG group and the permissions for the upload directory. Be sure to set the execute permission of the upload directory to "None" and grant write permission on the folder, so that even if ASP, PHP or other script programs or exe programs are uploaded, they will not be executed when requested from a user's browser. For purely static websites (all html), change (Scripts only) to (None).

Some programs may require everyone to have full control. Instead, you can give the site access user (such as the test user) full control over the folder; you do not need to add everyone with full control.

Seventh, database security settings.

You must set a database password. In addition, for SQL databases it is recommended to remove the extended stored procedure xp_cmdshell. xp_cmdshell is the best shortcut into the operating system, a large back door that the database leaves into the operating system. Please remove it. Use this SQL statement:

    use master
    exec sp_dropextendedproc 'xp_cmdshell'

If you need this stored procedure again, use these statements to restore it.

Step 1:

    EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
    declare @o int

Step 2:

    EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Eighth, prevent Access databases from being downloaded.

In IIS Properties > Home Directory > Configuration > Mappings > Application Extensions, add an application mapping for .mdb files. Note that the DLL selected here must not be asp.dll; choose a dll file that is not used in the existing mappings.

Ninth, use the firewall to limit ports. Open only the ports you need. For VPS users, you need to open the website service port 80 and the remote login port 3389. If you run FTP service software such as serv_u, you also need to open port 21.
For details on opening ports, refer to the following:

1. Right-click Network Neighborhood and select "Properties" > Local Area Connection > Properties > Advanced > Settings. Check "Enable".

2. Click "Exceptions" > "Add Port". Add external ports as needed. Note that the box in front of each added port must be selected.

3. After adding the ports, click "OK" > "OK".

Tenth, prevent listing of user groups and system processes.

If an ASP trojan is uploaded, the user list may be exploited by hackers, so we should hide it. The method is: [Start > Programs > Administrative Tools > Services], find Workstation, stop it and disable it.

Eleventh, install anti-virus software.

Although anti-virus software sometimes cannot solve the problem, it avoids many problems and can kill some Trojans. It is recommended to install anti-virus software that uses less memory. In addition, it is effective to upgrade the software frequently.
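As an added example (not part of the original tutorial), the following Python check reads saved `netstat -an` output and a regedit export and reports where a host deviates from the first, fourth and ninth settings above: TCP listeners outside ports 21, 80 and 3389, and AutoShareServer or SMBDeviceEnabled not set to 0. The sample inputs are constructed and the function names are this example's own.

```python
import re
ALLOWED_PORTS = {21, 80, 3389}   # section Nine: FTP (serv_u), HTTP, RDP
MUST_BE_CLOSED = {139, 445}      # section Four
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
REQUIRED_ZERO = ((SERVICES + r"\LanmanServer\Parameters", "AutoShareServer"),
                 (SERVICES + r"\NetBT\Parameters", "SMBDeviceEnabled"))
# Constructed sample inputs (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        203.0.113.5:50211      ESTABLISHED
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"""

def listening_tcp_ports(netstat_text):
    """TCP ports in LISTENING state from `netstat -an` output."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(f[1].rsplit(":", 1)[1]) for f in rows
            if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING"}

def reg_dword(reg_text, key, name):
    """DWORD `name` under `key` in a regedit export, or None if it is absent."""
    section = None
    pattern = re.compile(r'"%s"=dword:([0-9a-f]{8})' % re.escape(name), re.I)
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == key.lower() and pattern.fullmatch(line):
            return int(pattern.fullmatch(line).group(1), 16)
    return None

def audit(netstat_text, reg_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for port in sorted(listening_tcp_ports(netstat_text) - ALLOWED_PORTS):
        why = "should be closed" if port in MUST_BE_CLOSED else "confirm the firewall blocks it"
        findings.append("TCP %d listening: %s" % (port, why))
    for key, name in REQUIRED_ZERO:
        if reg_dword(reg_text, key, name) != 0:   # an absent value is treated as not hardened
            findings.append("%s is not set to 0" % name)
    return findings
```

Calling `audit(SAMPLE_NETSTAT, SAMPLE_REG)` on the constructed inputs reports ports 135 and 445 and the missing SMBDeviceEnabled value; a listener that is not in the allowed list is only acceptable if the firewall from the ninth setting blocks it.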
