Ten steps to create a secure personal web server

  
Windows Server 2003 is considerably more secure out of the box than Windows 2000, but is a default installation really safe to expose as a server? This article walks through the settings needed to turn a fresh Windows Server 2003 installation into a reasonably secure personal web server.

I. Windows Server 2003 installation

1. Create at least two partitions, all formatted NTFS, so that the system and the web content live on separate volumes.

2. Install the operating system with the network disconnected, so that an unpatched system is never exposed.

3. Install IIS with only the components you need (leave out anything you will not use, such as the FTP and SMTP services). IIS is not installed by default: in Add/Remove Windows Components select "Application Server", click "Details", double-click "Internet Information Services (IIS)" and check only the following:

Internet Information Services Manager;

Common Files;

Background Intelligent Transfer Service (BITS) Server Extensions;

World Wide Web Service.

If the site uses FrontPage extensions, also check "FrontPage 2002 Server Extensions".

4. Install MS SQL Server and any other required software, then connect to the network and apply all service packs and updates.

5. Run Microsoft Baseline Security Analyzer (MBSA), available from Microsoft, to analyse the computer's security configuration and list missing patches and updates.

II. Set up and manage accounts

1. Keep the number of administrator accounts to a minimum. Rename the built-in Administrator account and change its description. Use a password that mixes digits, upper- and lower-case letters and symbols (shifted keys), at least 14 characters long.

2. Create a decoy account named Administrator with the lowest possible privileges and a random password of at least 20 characters, so that attackers who target the well-known name waste their effort on an account that can do nothing. Note that the real administrator account keeps RID 500 and can still be found by SID; the decoy raises the cost of guessing, it does not hide the account.

3. Disable the Guest account, change its name and description, and give it a complex password. There is also a DelGuest tool that can delete the Guest account, but I have not tried it.

4. Run gpedit.msc to open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy. Set "Account lockout threshold" to 3 invalid logon attempts, "Account lockout duration" to 30 minutes and "Reset account lockout counter after" to 30 minutes.

5. Under Security Settings - Local Policies - Security Options, enable "Interactive logon: Do not display last user name".

6. Under Security Settings - Local Policies - User Rights Assignment, in "Access this computer from the network" keep only the Internet guest account (IUSR_machinename) and the IIS process account (IWAM_machinename). If you use ASP.NET, keep the ASPNET account as well.

7. Create an ordinary user account for day-to-day work on the system, and use the runas command when you need to run a privileged command.
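Items 1 to 3 of this section done as a script. This is an added example by the editor, not code from the original article; it assumes PowerShell 2.0 (available for Windows Server 2003 SP2) running in an administrator session, and the new account names, the description text and the password alphabet are the editor's own choices.

```powershell
# Added example (not from the original article): rename the built-in administrator,
# create a low-privilege decoy named Administrator, rename and disable Guest.
# Assumes PowerShell 2.0 on Windows Server 2003 in an administrator session.
$NewAdminName = 'SrvAdmin'        # assumed name for the real administrator account
$NewGuestName = 'SrvVisitor'      # assumed name for the disabled Guest account

# Random password from a CSPRNG. Rejection sampling avoids modulo bias, and the loop
# repeats until upper, lower, digit and symbol characters are all present.
function New-RandomPassword([int]$Length) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+'
    $n = $alphabet.Length
    $limit = 256 - (256 % $n)                 # bytes >= $limit would favour low indexes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
        }
        $pw = $sb.ToString()
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

# Find the built-in accounts by well-known RID (500 = Administrator, 501 = Guest) rather
# than by name, so the script still works if they were renamed earlier.
function Get-LocalAccountByRid([int]$Rid) {
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-$Rid'"
}

$admin = Get-LocalAccountByRid 500
$guest = Get-LocalAccountByRid 501

# 1. Rename the real administrator, set a description and a 20-character random password.
if ($admin.Name -ne $NewAdminName) {
    $r = $admin.Rename($NewAdminName)
    if ($r.ReturnValue -ne 0) { throw "Rename of administrator failed: $($r.ReturnValue)" }
}
$adminAdsi = [ADSI]"WinNT://./$NewAdminName,user"
$adminAdsi.Put('Description', 'Server maintenance')
$adminPassword = New-RandomPassword 20
$adminAdsi.SetPassword($adminPassword)
$adminAdsi.SetInfo()

# 2. Decoy "Administrator": Guests only, 24-character random password nobody keeps.
#    Create fails if an account with this name still exists, hence the rename first.
$computer = [ADSI]'WinNT://.'
$decoy = $computer.Create('user', 'Administrator')
$decoy.SetPassword((New-RandomPassword 24))
$decoy.SetInfo()
$decoy.Put('Description', 'Built-in account for administering the computer/domain')
$decoy.SetInfo()
$decoyPath = 'WinNT://./Administrator,user'
([ADSI]'WinNT://./Guests,group').Add($decoyPath)
try { ([ADSI]'WinNT://./Users,group').Remove($decoyPath) } catch { }   # may not be a member

# 3. Guest: rename, new description, complex password, then disable it.
if ($guest.Name -ne $NewGuestName) {
    $r = $guest.Rename($NewGuestName)
    if ($r.ReturnValue -ne 0) { throw "Rename of Guest failed: $($r.ReturnValue)" }
}
$guestAdsi = [ADSI]"WinNT://./$NewGuestName,user"
$guestAdsi.SetPassword((New-RandomPassword 24))
$guestAdsi.Put('Description', 'Disabled')
$guestAdsi.InvokeSet('AccountDisabled', $true)
$guestAdsi.SetInfo()

"Real administrator is now '$NewAdminName'. Record this password in a safe place: $adminPassword"
```

The real administrator's password is printed once so it can be recorded; the decoy and Guest passwords are deliberately thrown away. The script does not stop an attacker who enumerates accounts by SID, which is why the lockout policy in item 4 matters as much as the rename.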


III. Network service security management

1. Disable the default administrative shares (C$, D$, ADMIN$ and so on).

Open the registry editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, create a new DWORD value named AutoShareServer in the right-hand pane and set it to 0. The shares are no longer created when the Server service restarts; IPC$ is not affected by this value.

2. Unbind NetBIOS from TCP/IP.

Right-click Network Neighborhood - Properties, right-click Local Area Connection - Properties, double-click Internet Protocol (TCP/IP) - Advanced - WINS tab - "Disable NetBIOS over TCP/IP". This closes ports 137-139, which a web server does not need.

3. Turn off unneeded services. Suggested candidates:

Computer Browser: maintains the list of computers on the network; not needed, disable.

Distributed File System: manages shared files across the LAN; not needed, disable.

Distributed Link Tracking Client: tracks linked files across the LAN; not needed, disable.

Error Reporting Service: sends error reports to Microsoft; disable.

Microsoft Search (installed with SQL Server): full-text indexing; not needed, can be disabled.

NTLM Security Support Provider: used by the Telnet service and Microsoft Search; not needed, disable (test first, some RPC-based applications use it).

Print Spooler: disable if there is no printer.

Remote Registry: allows remote modification of the registry; disable.

Remote Desktop Help Session Manager: provides Remote Assistance; disable.
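The three items of this section as one script, added by the editor and not part of the original article. It assumes PowerShell 2.0 in an administrator session on Windows Server 2003; the service short names are the standard ones for that release (MSSEARCH exists only when SQL Server is installed, which is why missing services are skipped rather than treated as errors).

```powershell
# Added example (not from the original article): administrative shares, NetBIOS over
# TCP/IP and unneeded services. Assumes PowerShell 2.0, administrator session, Server 2003.

# 1. Stop the Server service from recreating C$, D$, ADMIN$ and remove the current ones.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
# Type 2147483648 = administrative disk share; IPC$ has type 2147483651 and stays.
Get-WmiObject Win32_Share -Filter 'Type=2147483648' |
    ForEach-Object { "Removing share $($_.Name)"; [void]$_.Delete() }

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter
#    (SetTcpipNetbios: 0 = via DHCP, 1 = enable, 2 = disable).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object {
        $r = $_.SetTcpipNetbios(2)
        "$($_.Description): SetTcpipNetbios returned $($r.ReturnValue)"   # 0 = ok, 1 = reboot needed
    }

# 3. Services the article recommends disabling, keyed by short name.
$servicesToDisable = @{
    'Browser'        = 'Computer Browser'
    'Dfs'            = 'Distributed File System'
    'TrkWks'         = 'Distributed Link Tracking Client'
    'ERSvc'          = 'Error Reporting Service'
    'MSSEARCH'       = 'Microsoft Search'
    'NtLmSsp'        = 'NTLM Security Support Provider'
    'Spooler'        = 'Print Spooler'
    'RemoteRegistry' = 'Remote Registry'
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
}
foreach ($name in $servicesToDisable.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { "$($servicesToDisable[$name]) ($name) is not installed, skipping"; continue }
    Set-Service -Name $name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    "$($servicesToDisable[$name]) ($name): disabled and stopped"
}

# Verify: nothing on the list may still be set to Automatic or Manual start.
Get-WmiObject Win32_Service -Filter "StartMode<>'Disabled'" |
    Where-Object { $servicesToDisable.ContainsKey($_.Name) } |
    ForEach-Object { "WARNING: $($_.Name) still has StartMode $($_.StartMode)" }
```

Run it from the console, not over a NetBIOS-dependent session: once SetTcpipNetbios returns, file-sharing by name on the LAN stops working, which is the intended effect on a web server.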


IV. Enable an appropriate audit policy

Run gpedit.msc, open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. When choosing what to audit, keep in mind that the more categories you enable the more events are generated and the harder it becomes to find the serious ones; audit too little and you will miss serious events altogether. Strike the balance that fits your situation.

Recommended settings:

Audit logon events: success, failure

Audit account logon events: success, failure

Audit system events: success, failure

Audit policy change: success, failure

Audit object access: failure

Audit directory service access: failure

Audit privilege use: failure
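The audit settings above, together with the account lockout policy and the "do not display last user name" option from the account section, applied through one security template so they are repeatable and can be verified. This is an added example by the editor, not part of the original article. It assumes PowerShell 2.0 in an administrator session (secedit.exe is part of Windows); the working directory and file names are assumptions, and the MinimumPasswordLength/PasswordComplexity entries are the editor's addition, matching the 14-character recommendation in the account section.

```powershell
# Added example (not from the original article): apply and verify lockout, logon-screen
# and audit policy with a secedit template. Assumes PowerShell 2.0, administrator session.
$workDir  = Join-Path $env:SystemRoot 'security\hardening'   # assumed working directory
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$template = Join-Path $workDir 'webserver.inf'
$database = Join-Path $workDir 'webserver.sdb'
$exported = Join-Path $workDir 'current.inf'

# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
# Registry Values entry format: path=type,value (4 = REG_DWORD).
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 3
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@
Set-Content -Path $template -Value $inf -Encoding Unicode   # templates are UTF-16

# Apply only the SECURITYPOLICY area (account policy, audit policy, security options).
& secedit.exe /configure /db $database /cfg $template /areas SECURITYPOLICY /overwrite /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# Verify: export the effective policy and compare every key we set.
& secedit.exe /export /cfg $exported /areas SECURITYPOLICY /quiet
$keyValue = '^(\w+|MACHINE\\[^=]+)\s*=\s*(.+)$'
$wanted = @{}
foreach ($line in ($inf -split "`r?`n")) {
    if ($line -match $keyValue) { $wanted[$matches[1]] = $matches[2].Trim() }
}
$effective = @{}
foreach ($line in (Get-Content $exported)) {
    if ($line -match $keyValue) { $effective[$matches[1]] = $matches[2].Trim() }
}
$mismatches = 0
foreach ($key in $wanted.Keys) {
    if ('Unicode', 'signature', 'Revision' -contains $key) { continue }   # header lines
    if ($effective[$key] -ne $wanted[$key]) {
        "MISMATCH $key : wanted $($wanted[$key]), effective $($effective[$key])"
        $mismatches++
    }
}
if ($mismatches -eq 0) { 'All policy values verified.' }
```

Because the template is a file, the same policy can be re-applied after a rebuild and the export step doubles as a drift check: run only the verify half from a scheduled task and act on any MISMATCH line.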

V. Other security-related settings

1. Hide important files and directories

Hidden files can be kept invisible even when a user selects "Show hidden files" by editing the registry: go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, choose Modify and change the value from 1 to 0. This only changes what Explorer displays; it is not an access control, so do not rely on it in place of NTFS permissions.

2. Enable the built-in firewall (Internet Connection Firewall; Windows Firewall from Service Pack 1 on) and tick "Web Server (HTTP)" on the Services tab (Exceptions tab on SP1) so that only port 80 is reachable from outside.

3. Protection against SYN flood attacks

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new DWORD value named SynAttackProtect with value 2. (2 was the strongest setting on Windows 2000; Windows Server 2003 documents only the values 0 and 1, and SP1 enables the protection by default.)

4. Disable responses to ICMP router advertisements

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface

Create a new DWORD value named PerformRouterDiscovery with value 0 under each interface key.

5. Prevent ICMP redirect attacks

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the DWORD value EnableICMPRedirect to 0 (the documented value name is singular; a value named "EnableICMPRedirects" is ignored).

6. Turn off IGMP (multicast) support

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new DWORD value named IGMPLevel with value 0.

7. Disable DCOM:

Run Dcomcnfg.exe, expand "Component Services" under "Console Root" and open the "Computers" folder.

For the local computer, right-click "My Computer", select "Properties" and open the "Default Properties" tab.

Clear the "Enable Distributed COM on this computer" checkbox. Test the server afterwards: remote WMI, COM+ applications and some MMC snap-ins stop working without DCOM.

Note: for items 3-6 I used the Windows 2000 Server settings; I have not tested whether they work on 2003, but one thing is certain: in the time I have used them I have not discovered any other side effects.
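Items 2 to 7 of this section as an idempotent script, added by the editor and not part of the original article. It assumes PowerShell 2.0 in an administrator session on Windows Server 2003 SP1 or later (the "netsh firewall" context needs SP1). The DCOM change is behind a switch that defaults to off, because remote WMI, COM+ applications and some MMC snap-ins stop working without DCOM; the helper function name is the editor's.

```powershell
# Added example (not from the original article): TCP/IP hardening values, optional DCOM
# switch-off and the built-in firewall. Assumes PowerShell 2.0, Server 2003 SP1+, admin session.
param([switch]$DisableDcom)

# Create-or-update a registry value and report what changed (hypothetical helper).
function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $null) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type | Out-Null
        "$Path\$Name created = $Value"
    } elseif ($current -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        "$Path\$Name changed $current -> $Value"
    } else {
        "$Path\$Name already $Value"
    }
}

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Item 3: SYN flood protection. The article uses 2 (the Windows 2000 value); Windows
# Server 2003 documents 0 and 1 only, so 1 is used here.
Set-RegValue $tcpip 'SynAttackProtect' 1

# Item 5: ignore ICMP redirects (documented name is singular).
Set-RegValue $tcpip 'EnableICMPRedirect' 0

# Item 6: no multicast / IGMP.
Set-RegValue $tcpip 'IGMPLevel' 0

# Item 4: PerformRouterDiscovery lives under each interface key, not under Parameters.
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    Set-RegValue $_.PSPath 'PerformRouterDiscovery' 0
}

# Item 7 (optional): same effect as clearing "Enable Distributed COM on this computer".
if ($DisableDcom) {
    Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N' 'String'
}

# Item 2: switch the firewall on and open only HTTP (add port 443 if the site uses TLS).
& netsh.exe firewall set opmode mode=ENABLE exceptions=ENABLE
& netsh.exe firewall set portopening protocol=TCP port=80 name=HTTP mode=ENABLE scope=ALL
& netsh.exe firewall show state

'The TCP/IP and DCOM values take effect after a reboot.'
```

Running the script a second time prints "already" for every value, which is a cheap way to confirm that nothing has reset them, for example after a service pack.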

VI. Configure the IIS service:

1. Do not use the default web site, and keep the directory that IIS serves on a partition other than the system partition.

2. Delete the Inetpub directory that IIS creates by default on the system partition.

3. Delete the virtual directories on the system partition, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.

4. Remove unneeded IIS extension (application) mappings.

Right-click "Default Web Site" → Properties → Home Directory → Configuration to open the application mappings window and remove the mappings you do not use, mainly .shtml, .shtm and .stm (server-side includes).

5. Change the IIS log path

Right-click "Default Web Site" → Properties → Web Site tab, tick "Enable logging" and click Properties to set the log directory, preferably on a non-system partition with restricted NTFS permissions.

6. If you are running Windows 2000, use IISLockdown to protect IIS; IIS 6.0 on Windows Server 2003 does not need it.

7. Use UrlScan

UrlScan is an ISAPI filter that analyses incoming HTTP requests and rejects anything suspicious. The current version is 2.5; on Windows 2000 Server you must install version 1.0 or 2.0 first. It is available from Microsoft.

If you have no special requirements, the default UrlScan configuration can be used as is.

But if you run ASP.NET on the server and want to debug it, you need to open %WINDIR%\System32\Inetsrv\URLscan
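A UrlScan 2.5 configuration for a plain web server and the script that installs it. This is an added example by the editor, not the article's or Microsoft's own file: it denies the server-side-include extensions whose mappings are removed in item 4 (defence in depth, in case a mapping comes back), plus the usual executable and sample extensions, and keeps the list of allowed verbs to GET, HEAD and POST. The DEBUG verb that remote ASP.NET debugging needs is deliberately not in the list; it is a fact of UrlScan's verb filtering, not something the article states. It assumes UrlScan 2.5 is installed in the directory named above and that PowerShell 2.0 is used; the content-length limit is the editor's choice.

```powershell
# Added example (not from the original article): hardened UrlScan.ini plus installation.
# Assumes UrlScan 2.5 under %WINDIR%\System32\Inetsrv\URLscan and PowerShell 2.0.
$urlscanDir = Join-Path $env:SystemRoot 'System32\Inetsrv\URLscan'
$iniPath    = Join-Path $urlscanDir 'UrlScan.ini'

$ini = @'
[options]
; only verbs listed in [AllowVerbs] are accepted
UseAllowVerbs=1
; deny-list mode: every extension except those in [DenyExtensions] is served
UseAllowExtensions=0
; decode %xx once before matching and reject URLs that change when decoded again
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
; blocks "page.asp/../x" style path tricks
AllowDotInPath=0
; do not advertise "Server: Microsoft-IIS/6.0"
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1
AllowLateScanning=0
RejectResponseUrl=
UseFastPathReject=0
; empty = UrlScan directory; point this at the non-system partition like the IIS logs
LoggingDirectory=
[AllowVerbs]
GET
HEAD
POST
; add DEBUG here only while remotely debugging ASP.NET, then remove it again
[DenyVerbs]
[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
[DenyExtensions]
; server-side includes (mappings removed in item 4)
.shtml
.shtm
.stm
; executables, legacy ISAPI extensions and files that should never be served
.asa
.bat
.cmd
.com
.exe
.htw
.ida
.idc
.idq
.htr
.printer
.ini
.log
.pol
.dat
[DenyUrlSequences]
..
./
\
:
%
&
[RequestLimits]
; 2 MB is plenty for a personal site; raise it if the site accepts uploads
MaxAllowedContentLength=2000000
MaxUrl=260
MaxQueryString=2048
'@

# Keep the shipped file, write the new one, then restart IIS so the filter rereads it.
if (Test-Path $iniPath) { Copy-Item $iniPath "$iniPath.bak" -Force }
Set-Content -Path $iniPath -Value $ini
& iisreset.exe /restart
```

After the restart, request a denied extension (for example /test.shtm) and confirm that the 404 and the rejected URL appear in the UrlScan log; if a legitimate page is blocked, the log names the rule that rejected it.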
