Master's network server security configuration skills

Operating systems are updated quickly, but Windows 2003 still has many loyal users. This article shares network server security configuration techniques for Windows 2003 to meet the needs of those users.

System: Windows 2003

Services: IIS, SERV-U, IMAIL, SQL SERVER 2000, PHP, MySQL

1. Windows Local Security Policy port restrictions

A. For our example, the following inbound ports need to be opened:

External -> Local 80

External -> Local 20

External -> Local 21

External -> Local: the port range used by PASV mode FTP

External -> Local 25

External -> Local 110

External -> Local 3389

Then open the SQL Server and MySQL ports according to the specific situation:

External -> Local 1433

External -> Local 3306

B. Next, open the ports that need to be opened from inside to outside.

Depending on the actual situation, if you do not need mail service, do not open the following two rules:

Local -> External 53 TCP, UDP

Local -> External 25

Depending on the situation, if you do not need to browse web pages from the server, try not to open the following port:

Local -> External 80

C. This is the key to the security rules: everything except what is explicitly permitted is blocked.

External -> Local: all protocols blocked
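The following is an added example, not part of the original article: a small Python model of the rule set in section 1 (explicit permit rules plus the catch-all block), useful for checking what a given policy would permit before it is applied. The PASV port range and the default-block behaviour for outbound traffic are assumptions, since the article leaves both unspecified.

```python
# Added example (not from the original article): a model of the article's
# "permit listed ports, block everything else" port policy, used to check
# which connections the rule set would permit before applying it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str      # "in" (external -> local) or "out" (local -> external)
    proto: str          # "tcp", "udp" or "any"
    ports: range        # port(s) the rule covers


def build_policy(mail_service=True, browse_from_server=False,
                 sql_server=False, mysql=False,
                 pasv_ports=range(50000, 50101)):
    """Permit rules from sections 1A and 1B. Anything not permitted falls
    through to rule 1C (block). Assumptions: the PASV range is invented
    (the article does not give one), and outbound traffic not listed in
    1B is treated as blocked, which is what 1B's wording implies."""
    inbound = [80, 20, 21, 25, 110, 3389]
    if sql_server:
        inbound.append(1433)
    if mysql:
        inbound.append(3306)
    rules = [Rule("in", "tcp", range(p, p + 1)) for p in inbound]
    rules.append(Rule("in", "tcp", pasv_ports))
    if mail_service:
        rules += [Rule("out", "tcp", range(53, 54)),
                  Rule("out", "udp", range(53, 54)),
                  Rule("out", "tcp", range(25, 26))]
    if browse_from_server:
        rules.append(Rule("out", "tcp", range(80, 81)))
    return rules


def evaluate(rules, direction, proto, port):
    """Return 'permit' if any explicit rule covers the connection, else
    'block'. A specific permit wins over the catch-all block regardless of
    order, mirroring IPSec's most-specific-filter matching."""
    for r in rules:
        if r.direction == direction and r.proto in (proto, "any") and port in r.ports:
            return "permit"
    return "block"


if __name__ == "__main__":
    policy = build_policy(mail_service=False, sql_server=True)
    for d, proto, port in [("in", "tcp", 80), ("in", "tcp", 445),
                           ("in", "tcp", 1433), ("in", "tcp", 50042),
                           ("out", "udp", 53), ("out", "tcp", 80)]:
        print(f"{d:3} {proto} {port:5} -> {evaluate(policy, d, proto, port)}")
```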

2. User accounts

A. Rename the administrator account; in this example it is renamed to root.

B. For every user account except the administrator account (root), clear "Enable remote control" on the Remote Control tab and "Allow logon to terminal server" on the Terminal Services Profile tab of the user's properties.

C. Rename the guest account to "administrator" and change its password.

D. Disable all other users except root, IUSR, IWAM and the ASP.NET user, including SQL DEBUG, TERMINAL USER and so on.

3. Directory permissions

Change the permissions on all drive letters so that only the following remain:

Administrators group: Full Control

SYSTEM: Full Control

All subdirectories and files on the C drive inherit these two permissions (the Administrators group and SYSTEM) from the C drive root.

Then make the following changes:

C:\Program Files\Common Files: add Everyone with the default three permissions, Read & Execute, List Folder Contents and Read

C:\WINDOWS\: add Everyone with the default three permissions, Read & Execute, List Folder Contents and Read

C:\WINDOWS\Temp: add Everyone with Modify, Read & Execute, List Folder Contents, Read and Write

Now a webshell cannot write files into the system directory. You can of course use stricter permissions and set them on individual directories under WINDOWS, but that is more complicated and the gain is not obvious.

4. IIS

Under IIS 6, the file types listed under application extensions map to ISAPI handlers, and the dangerous script types such as IDQ and PRINTER have already been removed.

Under IIS 5 we need to remove all mappings except ASP and ASA.

Install URLScan and add the following to [DenyExtensions]:

.cer
.cdx
.mdb
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer

Now an intruder cannot download the .mdb database. This method is more thorough than the common practice of adding special characters to the file header, because even with special characters in the header the file can still be reconstructed by encoding.
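As an added example (not code from the original article or from URLScan itself), the following Python checker applies the [DenyExtensions] list above to request paths the way an operator wants it applied: after percent-decoding and case-folding, so that "site%2Emdb" or "SITE.MDB" cannot slip past the list. The urlscan.ini fragment is constructed from the article's list; the stripping of trailing dots and spaces is an assumption explained in the code.

```python
# Added example (not from the original article): apply a urlscan.ini
# [DenyExtensions] list to request paths after decoding and case-folding.
import configparser
from urllib.parse import unquote, urlsplit

# Constructed urlscan.ini fragment using the article's [DenyExtensions] list.
URLSCAN_INI = """
[DenyExtensions]
.cer
.cdx
.mdb
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
"""


def load_deny_extensions(ini_text):
    """Parse [DenyExtensions]; URLScan lists bare keys with no values."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(ini_text)
    return {ext.lower() for ext in cp["DenyExtensions"]}


def request_extension(url):
    """Extension of the last path segment after percent-decoding.
    Assumption: trailing dots and spaces are stripped, because NTFS ignores
    them when opening 'site.mdb.', so the file served is still the database."""
    path = unquote(urlsplit(url).path)
    last = path.rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = last.rfind(".")
    return last[dot:] if dot >= 0 else ""


def is_denied(url, denied):
    return request_extension(url) in denied


if __name__ == "__main__":
    denied = load_deny_extensions(URLSCAN_INI)
    for u in ["/data/site.mdb", "/data/site%2Emdb", "/forum/SITE.MDB.",
              "/default.asp", "/data.mdb/index.asp", "/x/cmd.bat?dl=1"]:
        print(f"{u:25} -> {'DENY' if is_denied(u, denied) else 'allow'}")
```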

5. WEB Directory Permissions

The safer approach is to create a Windows for each client. The user then binds the anonymous user executed by IIS to the user in the IIS response site item and binds the directory he points to, and changes the permissions to administrators. All permissions

system All permissions

Separately established users (or IUSER) Select Advanced -> Open other permissions except for full control, traversing folders/running programs, and taking ownership.

If there are not many sites on the server and there are forums We can remove the execution permission of this user from the upload directory of each forum. Only the read and write permissions enable the intruder to run the webshell even if it bypasses the forum file type detection.

6. MS SQL Server 2000

Log in to Query Analyzer with the system account and run the following script against the master database:

exec sp_dropextendedproc 'xp_cmdshell'
exec sp_dropextendedproc 'xp_dirtree'
exec sp_dropextendedproc 'xp_enumgroups'
exec sp_dropextendedproc 'xp_fixeddrives'
exec sp_dropextendedproc 'xp_loginconfig'
exec sp_dropextendedproc 'xp_enumerrorlogs'
exec sp_dropextendedproc 'xp_getfiledetails'
exec sp_dropextendedproc 'sp_OACreate'
exec sp_dropextendedproc 'sp_OADestroy'
exec sp_dropextendedproc 'sp_OAGetErrorInfo'
exec sp_dropextendedproc 'sp_OAGetProperty'
exec sp_dropextendedproc 'sp_OAMethod'
exec sp_dropextendedproc 'sp_OASetProperty'
exec sp_dropextendedproc 'sp_OAStop'
exec sp_dropextendedproc 'xp_regaddmultistring'
exec sp_dropextendedproc 'xp_regdeletekey'
exec sp_dropextendedproc 'xp_regdeletevalue'
exec sp_dropextendedproc 'xp_regenumvalues'
exec sp_dropextendedproc 'xp_regread'
exec sp_dropextendedproc 'xp_regremovemultistring'
exec sp_dropextendedproc 'xp_regwrite'
drop procedure sp_makewebtask
go

This removes all of the dangerous extended stored procedures.

7. Modify the permissions of CMD.EXE and NET.EXE

Change the permissions of these two files so that only a specific administrator can access them. In this example we make the following changes:

cmd.exe: root user, Full Control (no other users)

net.exe: root user, Full Control, and take ownership

This prevents unauthorized use of these tools.

You can also use the comlog program provided in the example: rename cmd.exe to _cmd.exe and then replace it with the comlog file, which records every command-line instruction executed.

8. Backup

Use ntbackup to back up the system state, and use reg.exe to back up key system data, for example:

reg export HKLM\SOFTWARE\ODBC e:\backup\system\odbc.reg /y

This backs up the system's ODBC settings.

9. Antivirus

In McAfee we can also add rules that block the creation and modification of .EXE, .DLL and similar files in the Windows directory. We add the web directory to the anti-virus program's scan targets, scan it once a day, and enable real-time monitoring.

10. Turning off unneeded services

We generally turn off the following services:

Computer Browser
Help and Support
Messenger
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper

If the server is not used as a domain controller, we can also disable Workstation.

11. Removing dangerous components

If the server does not need FSO, run regsvr32 /u c:\windows\system32\scrrun.dll to unregister the component. Then use regedit to rename or delete the following keys under HKEY_CLASSES_ROOT:

WScript.Network
WScript.Network.1
WScript.Shell
WScript.Shell.1
Shell.Application
Shell.Application.1

Each of these keys contains a CLSID subkey whose string value (for example {72C24DD5-D70A-438B-8A42-98424B88AFB8}) names a key under HKEY_CLASSES_ROOT\CLSID. Delete all of the CLSID keys named by those strings as well.

12. Auditing

Local Security Policy -> Local Policies -> Audit Policy

Enable the following:

Audit policy change: Success, Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure

The network server is an important part of the system, and its security configuration is what allows it to serve the Internet safely. Although the steps are cumbersome, these operations are necessary and cannot be skipped.
