Windows Server 2003 security configuration: extreme hardening techniques

  

There is a lot of material online about hardening the Windows Server 2003 system, but on close reading much of it is incomplete, some of it is unreasonable, and it leaves serious security risks. So today I decided to do a careful, extreme ("BT") security configuration of a 2003 server, so that more of my fellow network administrators can rest easy.

The components we need to support are: ASP, ASPX, CGI, PHP, FSO, JMAIL, MySQL, SMTP, POP3, FTP, terminal services on 3389, the Remote Desktop Web Connection management service, and so on. The premise is that the system is already installed, together with IIS (including the FTP server), the mail server and the rest; those individual setup steps will not be repeated here, and we concentrate on the main security configuration.

The routine items are not covered: installing the system securely, setting up and managing accounts, turning off redundant services, audit policy, changing the terminal services management port, and configuring MS-SQL (removing dangerous stored procedures and connecting with a least-privileged public account), and so on.

First, the system's NTFS disk permission settings. You may have seen these many times, but on a 2003 server there are details to watch, and I have not seen many articles cover them completely.

The C drive is given to Administrators and SYSTEM only, with no other permissions; the other disks can be set the same way. The SYSTEM permission given here is not strictly required; it is only needed because some third-party applications run as a service, and that account must be added or the service will not start.


The Windows directory should keep its default permissions for Users, otherwise applications such as ASP and ASPX will not run. In the past a friend set permissions separately on directories such as Instsrv and temp; in fact there is no need for that.


In addition, c:/Documents and Settings/ is very important here. The directories under it do not inherit the settings above, so if you only set the C drive to Administrators, Everyone still has full control in All Users/Application Data. An intruder can jump to this directory, write scripts or other files there, and then combine that with other weaknesses to escalate privileges: serv-u's local overflow, a missing system patch, a weak database, even social engineering, and any number of other methods. As a certain expert once said, "Just give me a webshell and I can get the system", and that is indeed possible. On systems used as web/FTP servers the recommendation is to lock these directories down. The directories on the other disks are set the same way, each disk granting only Administrators permission.


In addition, the following files are set so that only Administrators may access them: net.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe.
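The NTFS policy of the preceding paragraphs (drive root to Administrators and SYSTEM, Users kept on the Windows directory, Everyone removed from All Users\Application Data, the listed tools restricted to Administrators) as an added PowerShell example; this is not code from the original article. It assumes PowerShell is installed on the Server 2003 host, the script runs as a local administrator, and the account names are the English built-in names. Keeping SYSTEM on the locked tools is an assumption of this example (the text says Administrators only) so that services and scheduled tasks that spawn cmd.exe keep working.

```powershell
# Added example, not from the original article. Applies the NTFS settings above with
# Get-Acl/Set-Acl. Review every path before running; a wrong ACL on a system folder
# is hard to undo.

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$DirInherit  = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$NoInherit   = [System.Security.AccessControl.InheritanceFlags]::None
$NoPropagate = [System.Security.AccessControl.PropagationFlags]::None
$Full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadEx      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$Admins = "BUILTIN\Administrators"
$System = "NT AUTHORITY\SYSTEM"
$Users  = "BUILTIN\Users"

# Build an Allow ACE; files get no inheritance flags (Windows rejects them on files).
function New-AllowRule([string]$Identity, $Right, [bool]$IsDirectory) {
    $inherit = $NoInherit
    if ($IsDirectory) { $inherit = $DirInherit }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Right, $inherit, $NoPropagate, $Allow
}

# Replace the ACL on $Path with exactly the given identities. Inheritance from the
# parent is cut, so nothing above can re-grant access to this object.
function Set-ExclusiveAcl([string]$Path, [string[]]$Identities, $Right) {
    $isDir = (Get-Item $Path).PSIsContainer
    $acl   = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($id in $Identities) { $acl.AddAccessRule((New-AllowRule $id $Right $isDir)) }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Drive root: Administrators and SYSTEM only. As the text notes, add the account of
#    any third-party service that needs the drive, otherwise that service will not start.
Set-ExclusiveAcl "$env:SystemDrive\" @($Admins, $System) $Full

# 2. %SystemRoot% keeps the default Users entry (read and execute), or ASP/ASPX will not run.
$win = Get-Acl $env:SystemRoot
$win.AddAccessRule((New-AllowRule $Users $ReadEx $true))
Set-Acl -Path $env:SystemRoot -AclObject $win

# 3. All Users\Application Data: remove the Everyone entry the text warns about and leave
#    Users with read and execute only, so a webshell cannot drop files here. Nothing here
#    recurses, so subfolders that carry their own explicit entries (for example
#    Microsoft\Crypto, which IIS relies on) keep them.
$appData = Join-Path $env:ALLUSERSPROFILE "Application Data"
$acl = Get-Acl $appData
$acl.SetAccessRuleProtection($true, $true)               # copy inherited ACEs, then edit them
$acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount("Everyone")))
$acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Users)))
$acl.AddAccessRule((New-AllowRule $Users $ReadEx $true))
Set-Acl -Path $appData -AclObject $acl

# 4. The administrative tools named in the text: Administrators (plus SYSTEM, see lead-in).
#    regedit.exe lives in %SystemRoot%, the others in system32.
$LockedTools = "net.exe", "cmd.exe", "tftp.exe", "netstat.exe", "regedit.exe", "at.exe", "attrib.exe", "cacls.exe"
foreach ($tool in $LockedTools) {
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot "system32"))) {
        $p = Join-Path $dir $tool
        if (Test-Path $p) { Set-ExclusiveAcl $p @($Admins, $System) $Full }
    }
}
```

Run it once from an elevated console and then check a few objects with `Get-Acl | Format-List` (or cacls) before putting the server into service; step 1 in particular removes Users' read access from every folder under the root that still inherits, which is exactly what the text prescribes but will surface any application that relied on it.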

Disable unnecessary services. They may never be exploited by an attacker, but by the rules and standards of security, what is not needed should not be open; that is one hidden danger fewer.

In "Network Connections", delete the unnecessary protocols and services. Only the basic Internet Protocol (TCP/IP) is installed here, plus the QoS Packet Scheduler because of bandwidth traffic control. In the advanced TCP/IP settings, under "NetBIOS", select "Disable NetBIOS over TCP/IP". In the advanced options, enable "Internet Connection Firewall", the firewall that ships with Windows 2003; the 2000 system has no such function. Although it is a simple firewall, it can shield ports, which already achieves what an IPSec policy would.


Here we open ports according to the services required. On the 2003 system it is not recommended to use the port-filtering function in TCP/IP filtering. Take an FTP server as an example: if only port 21 is opened, then because of the special nature of the FTP protocol, in both PORT mode and PASV mode a high port must be opened dynamically for each data transfer. With TCP/IP filtering in place, the common result is that after the connection is made the directory listing and the data transfer fail. The Windows connection firewall added in the 2003 system solves this well, so the network card's TCP/IP filtering function is not recommended.
SERV-U FTP server settings:
In general, I do not recommend Serv-U as an FTP server, mainly because vulnerabilities in it appear too frequently. That is partly because it is simple to operate, powerful and extremely popular, so many people study it, and the more people look, the more bugs are found; other FTP server software is not necessarily any safer.
Of course there is FTP software with Serv-U's features but better security, such as Ability FTP Server, whose setup is also very simple. But we still have to cater to popular taste, so let us talk about Serv-U's security settings.
First, 6.0 changed the password function of the local LocalAdministrator compared with the previous 5.x versions. In 5.x you could use an editor such as UltraEdit-32 to modify the Serv-U program body and change the password and port; 6.0 fixed this hidden danger, which everyone found convenient. However, a Serv-U whose password has been modified carries the same security risk. Two months ago I got hold of a new exploit that uses local sniffing to obtain the Serv-U management password; it is being sold online. But this sniffing method also requires, after a webshell has been obtained, "execute" permission in a directory, and it needs the administrator to log in again and run the Serv-U administrator. So if we administrators avoid the factors above, it can be protected against.

Additional points to set under Serv-U's general security settings:
Select "Block FTP_bounce attack and FXP". What is FXP? Normally, when the FTP protocol is used to transfer files, the client first sends a "PORT" command to the FTP server containing the user's IP address and the port number that will be used for data transfer; on receiving it, the server establishes a connection to the user with the address information the command supplies. In most cases this causes no problem, but when the client is a malicious user, it can put a specific address in the PORT command so that the FTP server connects to a machine other than the client. Even if this malicious user has no right to access that machine directly, if the FTP server has access to it, the malicious user can still use the FTP server as an intermediary and finally reach the target server. This is FXP, also known as a cross-server attack. Once the option is selected, this is prevented.
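The check behind a "block FTP bounce / FXP" option, written out as an added PowerShell example; it is not code from the original article or from Serv-U. A PORT command is accepted only when the address it names is the client's own address and the port is not a privileged one. The client address and PORT lines are constructed sample data.

```powershell
# Added example, not from the original article or Serv-U. Validates an FTP PORT command
# the way a bounce-aware server does before opening an active-mode data connection.

function Test-FtpPortCommand([string]$Command, [string]$ClientAddress) {
    # Syntax: PORT h1,h2,h3,h4,p1,p2  -> host h1.h2.h3.h4, port p1*256+p2
    if ($Command -notmatch '^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$') {
        return $false                          # malformed: refuse rather than guess
    }
    $fields = @()
    for ($i = 1; $i -le 6; $i++) {
        $v = [int]$matches[$i]
        if ($v -gt 255) { return $false }      # every field is one byte
        $fields += $v
    }
    $target = [string]::Join(".", [string[]]$fields[0..3])
    $port   = $fields[4] * 256 + $fields[5]
    if ($target -ne $ClientAddress) { return $false }   # bounce/FXP: data channel to a third host
    if ($port -lt 1024) { return $false }               # never connect to a privileged port
    return $true
}

# Constructed inputs: one legitimate active-mode request from the client's own address,
# then requests the check refuses (a third-party host on a privileged port, a privileged
# port on the client itself, and an octet out of range).
$client = "192.168.1.20"
Test-FtpPortCommand "PORT 192,168,1,20,4,1"  $client
Test-FtpPortCommand "PORT 10,0,0,5,0,25"     $client
Test-FtpPortCommand "PORT 192,168,1,20,0,80" $client
Test-FtpPortCommand "PORT 192,168,1,300,4,1" $client
```

The same comparison applies to PASV: a server that only ever opens data connections to, or accepts them from, the control connection's peer address cannot be used as a relay, which is what the Serv-U checkbox enforces.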


Also select "Block anti time-out schemes". Second, in the "Advanced" tab, check whether the "Enable security" options are selected, and if not, select them.


Security for IIS:

Delete the c:/inetpub directory and delete the unnecessary IIS mappings.

First of all, use a separate IIS user for each web site. For example, a new account named www.315safe.com is created here with Guests permissions.


In the site's properties, under "Directory Security", "Authentication and access control", set anonymous access to "Use the following Windows user account" with the user name and password of this www.315safe.com user. For the web directory of this site, the default is to give only this IIS user read and write permissions (more extreme settings are introduced later).


In "Application configuration" we give the necessary script execution permissions: ASP, ASPX, PHP.

ASP and ASPX have mapping support by default; for PHP a new mapping must be added. Then set ASP and ASPX to Allowed under Web Service Extensions. For PHP and CGI support a new web service extension must be created: enter php under Extension name, add C:/php/sapi/php4isapi.dll under Required files, check "Set extension status to Allowed", and click OK. IIS now supports PHP; the same applies to CGI.


To support ASPX, the web root directory must be given the default permissions for Users, in order to make ASPX


In the application configuration, set debugging to send custom text to the client; then, on sites with an ASP injection vulnerability, the program returns no error feedback, which avoids a certain class of attacks.


Under the custom HTTP errors option, errors such as 404 and 500 should be defined. But sometimes, to debug a program, I need to know where it fails, so in some places it is recommended to define only 404.


Because of its different operating mechanism, IIS 6.0 has the concept of application pools. It is generally recommended that about ten sites share one pool. For ordinary sites the pool can use the default settings, and it can recycle the worker process every morning.


Create a new site with the default wizard. In the application settings note the following: the execute permissions are the default "Scripts only", and the application pool uses a separate pool named 315safe.


The application pool named 315safe can be tuned under memory recycling: maximum virtual memory 1000M, maximum used memory 256M. This setting hardly limits the site's performance at all.


The application pool's "Identity" option selects the pool's security account; the default is the Network Service account. Leave it alone: running with minimum permissions carries less hidden danger. In some directories of a site, such as this "uploadfile" directory, there is no need to run ASP programs or other scripts, so remove script execution for that directory: under "Application settings", "Execute permissions", change the default "Scripts only" to "None", so only static pages can be served there. Likewise, most directories that need not run ASP, such as the database directory and the image directory, can be treated the same way. This is mainly to guard against bugs in the site's own scripts, such as the popular upfile vulnerability, and gives a certain degree of control over such holes.


By default we generally give the IIS user read and write permissions on each site's web directory, as shown in the figure:


But to make SQL injection and upload vulnerabilities lose their effect entirely, we can set the policy manually in detail.
1. Give the IIS user read permission only on the web root, as shown in the figure:


Then give write permission to uploadfiles or whichever other directories must receive uploaded files, and in IIS give those directories no script execution permission, so that even if the site program has a hole, the intruder cannot plant a working ASP trojan in the directory. Oh, but preventing attacks is not that simple; there is a lot more work to do. With an MS-SQL database this is fine, but with an Access database the directory holding the database, or the database file itself, must also have write permission, and there is no need to rename the database file to .asp: everyone knows the consequence of that. Once your database path is exposed, the database itself is a big trojan, which is terrible. In fact the .mdb suffix alone is entirely adequate: give this directory no script permission in IIS, then set a mapping rule in IIS, as shown in the figure:


Use any DLL to handle the .mdb extension mapping, as long as it is not asp.dll, so that others cannot download the database even if they obtain its path. This can be called the ultimate solution for preventing database downloads.
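The IIS 6 side of the settings above (the dedicated 315safe pool with its memory recycling, the per-site anonymous account, "Scripts only" on the root, "None" on the upload and database directories, and the .mdb mapping) as an added PowerShell example against the metabase ADSI provider; this is not code from the original article or from IIS. It assumes PowerShell is installed on the Server 2003 host and runs as an administrator, that the site is W3SVC/1 (list `[ADSI]"IIS://localhost/W3SVC"` to find the real ID), that the local account www.315safe.com in Guests already exists as the text describes, that the upload and database folders are physical subfolders named "uploadfile" and "database" (assumed names), and that `$NonAspDll` is a placeholder for whichever non-ASP DLL you choose. The recycle time "05:00" is an assumption for the text's "every morning". The NTFS permissions for the IIS user are set separately and are not part of this block.

```powershell
# Added example, not from the original article or IIS. Applies the IIS 6 site and
# application-pool settings above through the metabase ADSI provider.

$SiteId    = 1
$SitePath  = "IIS://localhost/W3SVC/$SiteId"
$PoolName  = "315safe"
$IisUser   = "www.315safe.com"
$IisPass   = Read-Host "Password for $IisUser"
$NonAspDll = "C:\PATH\TO\NonAspHandler.dll"        # placeholder: any DLL except asp.dll

# Metabase AccessFlags bits (IIS 6): Read = 1, Write = 2, Execute = 4, Script = 512.
$AccessRead = 1; $AccessScript = 512

# Bind to a metabase node, creating it with the given schema class when it is missing.
function Get-OrCreateNode([string]$ParentPath, [string]$Name, [string]$Class) {
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("$ParentPath/$Name")) {
        $parent = [ADSI]$ParentPath
        $node = $parent.Create($Class, $Name)
        $node.SetInfo()
    }
    return [ADSI]"$ParentPath/$Name"
}

# 1. The dedicated pool: Network Service identity (the least-privileged default), memory
#    recycling at 1000 MB virtual / 256 MB used, and a daily recycle in the morning.
$pool = Get-OrCreateNode "IIS://localhost/W3SVC/AppPools" $PoolName "IIsApplicationPool"
$pool.Put("AppPoolIdentityType", 2)                 # 2 = NetworkService
$pool.Put("PeriodicRestartMemory", 1000 * 1024)     # KB of virtual memory
$pool.Put("PeriodicRestartPrivateMemory", 256 * 1024)  # KB of used (private) memory
$pool.Put("PeriodicRestartSchedule", [string[]]@("05:00"))  # assumed time
$pool.SetInfo()

# 2. The site root: anonymous requests run as the site's own Guests-level account, in the
#    pool above, with read access and "Scripts only" (no write bit on the root).
$root = [ADSI]"$SitePath/ROOT"
$root.Put("AnonymousUserName", $IisUser)
$root.Put("AnonymousUserPass", $IisPass)
$root.Put("AppPoolId", $PoolName)
$root.Put("AccessFlags", ($AccessRead -bor $AccessScript))
$root.SetInfo()

# 3. uploadfile: NTFS write is granted separately; here the Script bit is dropped, so an
#    uploaded .asp is refused by IIS (403) instead of being executed.
$upload = Get-OrCreateNode "$SitePath/ROOT" "uploadfile" "IIsWebDirectory"
$upload.Put("AccessFlags", $AccessRead)
$upload.SetInfo()

# 4. database: no script execution, and .mdb mapped to a non-ASP DLL. Because a mapped
#    extension in a directory without script permission is refused rather than served,
#    the file can neither run as ASP nor be downloaded if its path leaks.
$dbdir = Get-OrCreateNode "$SitePath/ROOT" "database" "IIsWebDirectory"
$dbdir.Put("AccessFlags", $AccessRead)
# ScriptMaps entries are "ext,dll,flags,verbs"; flags 5 = script engine + file must exist.
$maps = @($dbdir.ScriptMaps) | Where-Object { $_ -notlike ".mdb,*" }
$maps = @($maps) + ".mdb,$NonAspDll,5,GET,HEAD,POST,TRACE"
$dbdir.Put("ScriptMaps", [string[]]$maps)
$dbdir.SetInfo()
```

After running it, request a known .mdb path through the site and confirm the response is a 403 rather than the file; if the database node still returns the file, the directory's execute permission is not "None" or the mapping was written to a different node than the one the files live under.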

Copyright © Windows knowledge All Rights Reserved