Windows Server 2003 security settings

  

There is a lot of material online about the security configuration of Windows Server 2003, but on careful analysis much of it is not comprehensive, some of it is not reasonable, and it leaves serious security risks. Today I decided to carefully work through an extremely strict security configuration of a 2003 server, so that more fellow network administrators can rest easy.
The components we need to support are as follows: ASP, ASPX, CGI, PHP, FSO, JMAIL, MySQL, SMTP, POP3, FTP, Terminal Services on port 3389, the Remote Desktop Web Connection management service, and so on. The system is already installed, along with IIS, including the FTP server, the mail server and so on. Their specific configuration methods are not repeated here; we focus on the security configuration.
The routine measures include installing the system securely, setting up and managing accounts, shutting down redundant services, audit policies, changing the terminal management port, and, for MS-SQL, deleting dangerous stored procedures and connecting with the least-privileged public account, and so on.
First of all, the NTFS disk permission settings of the system. You may have seen plenty about these already, but the 2003 server has some details that need attention, and many of the articles I have read do not cover them completely.
The C: drive is given permissions only for Administrators and SYSTEM; no other permissions are granted. Other disks can be set the same way. The SYSTEM permission given here is not strictly required; it is granted only because some third-party applications start as services and need this user, otherwise they will not start.

The Windows directory needs the default permissions for Users added, otherwise ASP, ASPX and other applications will not run. In the past, some administrators set permissions separately on directories such as Instsrv and temp. In fact, this is not necessary.

C:\Documents and Settings\ is also quite important: the directories under it do not inherit the settings made above. If you only set the C: drive permissions to Administrators, the All Users\Application Data directory still gives Everyone full control. An intruder can therefore jump to this directory, write scripts or files there, and combine this with other vulnerabilities to escalate privileges: for example Serv-U's local overflow, missing system patches, database weaknesses, or even social engineering and N other methods. Someone once said: "Just give me a webshell, I can get system", which is indeed possible. On systems that run a web/FTP server, the recommendation is to lock these directories down. The directories on each of the other disks are set the same way, and each disk gives permission only to Administrators.

In addition, set the following files so that only Administrators can access them: net.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe.
Disable unnecessary services. Attackers may not be able to exploit them, but by security rules and standards, anything that is not needed should not be left running; this removes one more hidden risk.
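An added example, not part of the original article: a Python check that reads the text printed by `cacls <path>` and reports every principal beyond those the article allows on that path. The sample listings are constructed, the names `parse_cacls` and `audit` are hypothetical, and the code assumes the one-ACE-per-line cacls layout and skips multi-line special-access entries.

```python
import re

# Principals the article keeps on locked-down drives and directories.
ADMINS_AND_SYSTEM = {"builtin\\administrators", "nt authority\\system"}
# Stricter set for net.exe, cmd.exe and the other listed tools.
ADMINS_ONLY = {"builtin\\administrators"}

# One ACE as cacls prints it: PRINCIPAL:(OI)(CI)F, inheritance flags optional.
ACE_RE = re.compile(r"^([^:()]+):((?:\([A-Z]{2}\))*)([FCWRN])$")

def parse_cacls(path, output):
    """Return [(principal, flags, right)] from the cacls listing of one path."""
    aces = []
    for line in output.splitlines():
        # The first line starts with the path itself; the rest are indented.
        if line.lower().startswith(path.lower()):
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if m:  # special-access entries span several lines and are skipped here
            aces.append(m.groups())
    return aces

def audit(path, output, allowed):
    """Report every principal outside `allowed` that holds any right but N (none)."""
    return [f"{path}: {who} {flags}{right}"
            for who, flags, right in parse_cacls(path, output)
            if who.lower() not in allowed and right != "N"]

# Constructed sample listings (not captured from a real server).
APPDATA = r"C:\Documents and Settings\All Users\Application Data"
APPDATA_OUT = APPDATA + r""" Everyone:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
"""
CMD = r"C:\WINDOWS\system32\cmd.exe"
CMD_OUT = CMD + r""" BUILTIN\Users:R
    BUILTIN\Administrators:F
"""

if __name__ == "__main__":
    results = audit(APPDATA, APPDATA_OUT, ADMINS_AND_SYSTEM)
    results += audit(CMD, CMD_OUT, ADMINS_ONLY)
    for finding in results:
        print(finding)
```

An empty list from `audit` means the path carries only the principals allowed for it.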