How to make Windows 2003 system more secure

  

Windows Server 2003 is Microsoft's latest server operating system. Compared with Windows 2000/XP, every aspect of it has been enhanced, security in particular, and the overall impression is good. But no gold is pure and nothing is perfect; Windows Server 2003 is no exception, with system vulnerabilities and many security risks. Whether you use your computer to listen to music, surf the Internet, play games or write documents, you will inevitably be threatened by the steady stream of new viruses. How to make Windows Server 2003 more secure has become a concern for users.

First, cancel the IE security prompt dialog box

In the face of malicious programs from hacker groups, Microsoft has worked hard to reduce the security risks of its products, as everyone can see. Its next-generation Windows Server 2003 operating system has been strengthened in terms of security. For example, when you browse a web page with the Internet Explorer (IE) browser, a security prompt pops up every time, "helpfully" asking whether you want to add the site you are visiting to the list of trusted sites. If you want to browse the site, you must click the Add button to add the page to the list of trusted sites. Going through these steps for every web page you visit is really cumbersome. In fact, we can use the following method to stop IE from checking each website:

1. When the system shows the security prompt page, clear the "Continue to prompt when website content is blocked" option with the mouse;

2. In the browser window, click the "Tools" menu and choose "Internet Options" from the drop-down menu;

3. In the options dialog that appears, you can lower the security level from the system default of High to Medium;

4. To do so, just drag the security slider on the "Security" tab to the "Medium" position;

5. After completing the settings, click "OK"; the browser's automatic security prompt is now turned off.

After modifying IE's default security level, IE will no longer check each website's security when you go online, and the annoyance is gone! Keep in mind that this relaxes the Internet Explorer Enhanced Security Configuration that Windows Server 2003 ships with, so the browser on the server is then as exposed as the one on a desktop.

Second, re-enable ASP scripts

Mention ASP (Active Server Pages) and everyone thinks of Windows; it is popular with the majority of web developers for its powerful features and ease of learning. However, to minimise security risks, Windows Server 2003 does not support ASP scripts in its default state: the system does nothing with the ASP code in a website. Yet many web services today are implemented with ASP scripts, so what should you do? In fact, we can fully support ASP scripts while keeping the system secure. The specific method is:

1. From the Start menu, click "Administrative Tools" → "Internet Information Services (IIS) Manager";

2. In the IIS Manager window that follows, select the "Web Service Extensions" node in the left pane;

3. In the right pane, select the "Active Server Pages" entry and click the "Allow" button in the task bar; IIS 6 can then serve ASP scripts again.

The question users care most about is whether their original ASP components can still be used. I can tell you that after this modification IIS 6 supports ASP scripts again, and the whole operation is very simple!
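Allowing one extension is easy to do and easy to forget about; what an administrator really wants is an overview of everything IIS 6 is currently allowed to execute. The following PowerShell script is an added example, not code from the original article: it reads the WebSvcExtRestrictionList metabase property through the IIS ADSI provider and reports each Web Service Extension as Allowed or Prohibited, warning about anything other than ASP that is enabled. It assumes IIS 6 is installed locally and that it runs as an administrator.

```powershell
# Added example, not from the original article: audit which IIS 6 Web Service
# Extensions are Allowed, reading the metabase through the IIS ADSI provider.
# Assumes IIS 6 is installed locally and the script runs as an administrator.
$w3svc = [ADSI]"IIS://localhost/W3SVC"

# Each entry of WebSvcExtRestrictionList has the form
#   "access,path,deletable,groupId,description"
# where access 1 = Allowed and 0 = Prohibited.
$results = @()
foreach ($entry in $w3svc.WebSvcExtRestrictionList) {
    $fields = $entry.ToString().Split(",")
    $access = $fields[0]
    $path   = $fields[1]
    # The catch-all entries ("*.dll", "*.exe") may carry no description field
    $desc   = if ($fields.Length -ge 5) { $fields[4] } else { $path }
    $results += New-Object PSObject -Property @{
        Extension = $desc
        Path      = $path
        Status    = if ($access -eq "1") { "Allowed" } else { "Prohibited" }
    }
}

$results | Sort-Object Status, Extension | Format-Table Status, Extension, Path -AutoSize

# On a server that only hosts ASP pages, nothing but "Active Server Pages"
# should be Allowed; the catch-all unknown ISAPI/CGI entries must stay Prohibited.
$results | Where-Object { $_.Status -eq "Allowed" -and $_.Extension -ne "Active Server Pages" } |
    ForEach-Object { Write-Warning ("Allowed extension worth reviewing: " + $_.Extension) }
```

Run it after the GUI steps above to confirm that only the extension you intended changed state; any unexpected Allowed entry is a wider attack surface than the article's "re-enable ASP" step was meant to open.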
Third, remove the hidden danger of default shares

Users of Windows Server 2003 run into a problem: the system creates default shares when it is installed. Although the user has not set up any sharing, Windows automatically shares every drive letter. The share name is the drive letter followed by a $ sign (the share names are C$, D$ and so on, plus IPC$ and ADMIN$). In other words, as long as an attacker knows the system's administrator password, he can open any folder on the system through a path of the form \\workstation name\share name, so the security defences the user carefully set up become mere decoration. Is that safe? Not at all! For this reason we should remove the default-share vulnerability from Windows Server 2003 at once.

1. Delete the default shares of Windows Server 2003

First write a batch file with the following content:

@echo off
REM Remove the administrative drive shares; net share needs administrative rights
net share C$ /delete
net share D$ /delete
net share E$ /delete
net share F$ /delete
REM Remove the share of the system directory (winnt or windows)
net share ADMIN$ /delete

The contents of the file can be adjusted to your needs. Save it as delshare.bat and put it in the system32\GroupPolicy\User\Scripts\Logon directory under the Windows folder. Then choose Start → Run, type gpedit.msc and press Enter to open the Group Policy Editor. Go to User Configuration → Windows Settings → Scripts (Logon/Logoff) → Logon. Click "Add" in the "Logon Properties" window; in the "Add a Script" dialog, enter delshare.bat in the "Script Name" field and click "OK". After restarting the computer, all hidden shares are cancelled automatically, reducing the system's security risk to a minimum. Note that net share can only remove a share when the script runs with administrative rights, and that the Server service recreates these shares every time it starts, which is why the removal is tied to logon rather than done once.

2. Disable IPC$ connections

IPC$ (Inter-Process Communication) is a shared "named pipe" resource: a named pipe opened for inter-process communication. By supplying a trusted user name and password, two computers can establish a secure channel over it and exchange encrypted data, thereby gaining access to the remote computer. It is a feature specific to Windows NT/2000/XP/2003, with the peculiarity that only one connection can exist between two IP addresses at the same time. NT/2000/XP/2003 provides the IPC$ function and also opens the default shares when the system is first installed, that is, all logical drive shares (C$, D$, E$ ...) and the share of the system directory winnt or windows (ADMIN$). Microsoft's original intention was to make the administrator's work easier, but, whether intended or not, it also provides convenient conditions for IPC intruders and lowers the system's security. No hacking tool is needed to establish an IPC connection; just type the appropriate command at the command line, with the precondition that you know the user name and password of the remote host. After opening CMD, the following command makes the connection: net use \\ip\ipc$ "password" /user:"username". We can restrict IPC connections by editing the registry: open the Registry Editor, locate the RestrictAnonymous value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set it to 1 to disable the IPC connection.

Fourth, clear the remotely accessible registry paths

Note that the Windows Server 2003 operating system allows remote access to the registry. Only by setting the remotely accessible registry paths to empty can you effectively prevent hackers from using a scanner to read the computer's system information through the remote registry.
Open the Group Policy Editor, expand "Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options", find "Network access: Remotely accessible registry paths" (and "Network access: Remotely accessible registry paths and sub-paths") in the right pane, open each one and clear all path entries.
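The share, IPC$ and remote-registry settings from the last two sections are easy to set and just as easy to lose to a service restart or a policy refresh, so it is worth having a check that reads the live state rather than trusting that the GUI steps stuck. The script below is an added example, not code from the original article; it assumes it runs locally as an administrator. It also records two facts the steps above do not mention: the LanmanServer value AutoShareServer (0 = do not recreate the drive and ADMIN$ shares at service start) is what makes the delshare.bat result permanent, and RestrictAnonymous restricts anonymous (null-session) use of IPC$ rather than removing the IPC$ share itself, which the Server service always recreates.

```powershell
# Added example, not from the original article: check whether the default
# shares are gone and stay gone, and whether anonymous IPC$ access and remote
# registry paths have been tightened. Assumes it runs locally as an administrator.

# 1. Administrative shares still present? Win32_Share marks them with the
#    0x80000000 flag in Type (drive shares, ADMIN$ and IPC$ all carry it).
$adminShares = Get-WmiObject Win32_Share | Where-Object { ($_.Type -band 0x80000000) -ne 0 }
foreach ($s in $adminShares) { Write-Warning ("Administrative share present: " + $s.Name) }

# 2. A logon script that deletes shares only lasts until the Server service
#    restarts. AutoShareServer = 0 (REG_DWORD) stops it from recreating the
#    drive and ADMIN$ shares; an absent value means the default (recreate).
$lanman = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
if ($lanman.AutoShareServer -ne 0) {
    Write-Warning "AutoShareServer is not 0: drive shares return after the next restart"
}

# 3. RestrictAnonymous = 1 blocks anonymous (null-session) enumeration of
#    shares and accounts over IPC$; RestrictAnonymousSAM = 1 covers SAM lookups.
$lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
if ($lsa.RestrictAnonymous -ne 1)    { Write-Warning "RestrictAnonymous is not 1" }
if ($lsa.RestrictAnonymousSAM -ne 1) { Write-Warning "RestrictAnonymousSAM is not 1" }

# 4. The two "Network access: Remotely accessible registry paths" policies are
#    stored as a REG_MULTI_SZ value named Machine under these two keys.
$winreg = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
foreach ($sub in "AllowedExactPaths", "AllowedPaths") {
    $key   = Join-Path $winreg $sub
    $paths = @((Get-ItemProperty $key -ErrorAction SilentlyContinue).Machine | Where-Object { $_ -ne "" })
    if ($paths.Length -gt 0) {
        Write-Warning ("Remote registry paths still allowed under " + $sub + ": " + ($paths -join "; "))
    } else {
        Write-Host ($sub + ": empty (good)")
    }
}
```

Every warning the script prints corresponds to one of the manual steps above, so it doubles as a checklist: run it after a reboot to see which settings actually survived.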
Fifth, close unnecessary ports

For individual users, some of the ports open by default after installation are simply not needed; closing a port means turning off a useless service. Port 139 is used by the NetBIOS protocol, which is installed by default along with TCP/IP. An open port 139 means the hard disk may be shared on the network, and hackers on the Internet can also learn everything about your computer through NetBIOS! In earlier versions of Windows, port 139 could be closed simply by not installing File and Printer Sharing for Microsoft Networks. In Windows Server 2003 that alone is not enough. To close port 139 completely, the steps are as follows:

Right-click "My Network Places", choose "Properties" to open "Network Connections", then right-click "Local Area Connection" and choose "Properties" to open the "Local Area Connection Properties" page.
Clear the check mark in front of "File and Printer Sharing for Microsoft Networks".
Next select "Internet Protocol (TCP/IP)", click "Properties" → "Advanced" → "WINS", and select "Disable NetBIOS over TCP/IP". That completes the task.
For individual users, you can also set the related services to "Disabled" in each service's properties, so that the service is not started again at the next reboot and the port is not reopened.

If IIS is installed on your computer, you had better also set up TCP/IP port filtering. The steps are: open the network adapter's properties, double-click "Internet Protocol (TCP/IP)", click the "Advanced" button to enter the "Advanced TCP/IP Settings" window, select the "Options" tab, select "TCP/IP filtering" and click "Properties" to reach the "TCP/IP Filtering" window. Tick "Enable TCP/IP Filtering (All adapters)" and then configure it. If the server only needs to serve web pages, open only TCP port 80: select "Permit Only" above "TCP Ports", click "Add", enter 80 and click "OK".
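Whether port 139 is really closed is something to verify rather than assume, because the NetBIOS setting is per interface and SMB also listens on TCP 445, which disabling NetBIOS over TCP/IP does not touch. The script below is an added example, not code from the original article; it assumes it runs locally as an administrator. It checks the NetBIOS setting on every IP-enabled adapter through WMI, looks for listeners on 139 and 445 in netstat output, and reads the TCP/IP filtering configuration from the registry values the "TCP/IP Filtering" dialog writes (EnableSecurityFilters globally, TCPAllowedPorts per interface, where the single entry "0" means all ports are permitted).

```powershell
# Added example, not from the original article: verify that NetBIOS over TCP/IP
# is disabled on every interface, that nothing still listens on TCP 139/445, and
# how TCP/IP filtering is configured. Assumes it runs locally as an administrator.

# TcpipNetbiosOptions: 0 = use DHCP/default setting, 1 = enabled, 2 = disabled
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        Write-Warning ("NetBIOS over TCP/IP not disabled on: " + $nic.Description)
    }
}

# Port 139 (NetBIOS session) closed? Port 445 (direct SMB) is unaffected by the
# NetBIOS setting, so report it too. Parse the LISTENING lines of netstat.
$listening = netstat -an -p tcp | Where-Object { $_ -match "LISTENING" }
foreach ($port in 139, 445) {
    if ($listening | Where-Object { $_ -match (":" + $port + "\s") }) {
        Write-Warning ("TCP port " + $port + " is still listening")
    }
}

# TCP/IP filtering: EnableSecurityFilters = 1 switches it on for all adapters;
# TCPAllowedPorts / UDPAllowedPorts / RawIPAllowedProtocols are per-interface
# REG_MULTI_SZ lists, and a single entry "0" means "permit all".
$tcpip  = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$global = Get-ItemProperty $tcpip
if ($global.EnableSecurityFilters -ne 1) {
    Write-Warning "TCP/IP filtering is not enabled"
}
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.TCPAllowedPorts) {
        $list = @($p.TCPAllowedPorts) -join ", "
        if ($list -eq "0") { $list = "all ports (no filtering)" }
        Write-Host ($_.PSChildName + " TCP allowed: " + $list)
    }
}
```

If the web server is the only service the machine should expose, the expected output is a single interface line reading "TCP allowed: 80" and no warnings.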

Sixth, prevent unauthorised running of applications

Windows Server 2003 is a server operating system. To stop users from logging on and freely starting applications on the server, which brings unnecessary trouble to its operation, we need to restrict which applications different users may run according to their access rights. In fact, this can be achieved with further settings in the Group Policy Editor; the specific steps are as follows:

To open the Group Policy Editor, click "Start → Run", type gpedit.msc in the Run dialog and press Enter. Then, in the Group Policy console, go to User Configuration → Administrative Templates → System, open "Run only allowed Windows applications" and enable the policy.
Click the "Show" button next to "List of allowed applications" below it; a "Show Contents" dialog appears. Click "Add" there to add the applications that are allowed to run.
Afterwards, ordinary users can only run the programs in the allowed-applications list. Note that this policy only restricts programs started through Explorer (the Start menu, desktop and shell); as the policy's own description states, programs started by the system or by other processes are not affected.
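The policy above is stored in the current user's registry hive, so it can be inspected without opening the Group Policy Editor. The script below is an added example, not code from the original article: it reads the RestrictRun switch and allow list that "Run only allowed Windows applications" writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and reports, for a few constructed program names, whether Explorer would let the current user start them. It assumes the policy has been applied to the user running it; the matching mirrors the policy's behaviour of comparing executable file names only, not full paths.

```powershell
# Added example, not from the original article: show the allow list that the
# "Run only allowed Windows applications" policy writes for the current user and
# test whether a given executable name is on it. Assumes the policy is applied.
$policyKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

function Get-AllowedApplications {
    $explorer = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
    # RestrictRun = 1 under ...\Policies\Explorer switches the policy on;
    # the list itself is the values "1", "2", ... under the RestrictRun subkey.
    if (-not $explorer -or $explorer.RestrictRun -ne 1) { return @() }
    $listKey = Get-Item (Join-Path $policyKey "RestrictRun") -ErrorAction SilentlyContinue
    if (-not $listKey) { return @() }
    $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) }
}

function Test-ApplicationAllowed([string]$exeName) {
    $allowed = @(Get-AllowedApplications)
    if ($allowed.Length -eq 0) { return $true }   # policy off: everything runs
    # The policy compares the executable file name, case-insensitively
    foreach ($a in $allowed) { if ($a -ieq $exeName) { return $true } }
    return $false
}

"Allowed applications for " + $env:USERNAME + ":"
Get-AllowedApplications
# Constructed sample names to illustrate the check
foreach ($exe in "notepad.exe", "cmd.exe", "regedit.exe") {
    "{0,-14} {1}" -f $exe, $(if (Test-ApplicationAllowed $exe) { "allowed" } else { "blocked" })
}
```

Because the policy is keyed on the file name alone and enforced only by Explorer, a name on the list is permitted wherever the file sits; treat the list as a convenience for ordinary users and rely on NTFS permissions and service hardening for the real boundary.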
