Securely configure Windows 2000 Server

  
                              

First: How to install

I. Selection of the version

I strongly recommend that you use the English version if language is not an obstacle. Microsoft's products are known for "Bug & Patch": the Chinese version has far more bugs than the English version, and its patches generally arrive at least half a month later (that is, after Microsoft announces a vulnerability, your server will generally remain unprotected for another half a month).

II. Component customization

WIN2K installs some common components by default, but this default installation is very dangerous. Following the security principle "minimum services + minimum permissions = maximum security", install only the services that are really needed. Pay special attention to these dangerous services: "Indexing Service", "FrontPage 2000 Server Extensions" and "Internet Service Manager".

III. Choice of management applications

Choosing good remote management software is very important; this is not only a security requirement but also a practical need. WIN2K's Terminal Service is remote control software based on RDP (Remote Desktop Protocol). It is fast and easy to operate, and is suitable for routine operation. However, Terminal Service also has its shortcomings. Because it uses virtual desktops, and Microsoft's programming is not rigorous, when you use Terminal Service to install software, restart the server, or otherwise interact with the real desktop, the results often leave you not knowing whether to laugh or cry. For example, using Terminal Service to restart a Microsoft-certified server (Compaq, IBM, etc.) may shut it down directly. Therefore, for safety, it is recommended to keep a second remote control program as a complement to Terminal Service; PcAnyWhere is a good choice.

IV. Partition and logical disk allocation

Create at least two partitions: one system partition and one application partition. This is because Microsoft's IIS (Internet Information Server) often has vulnerabilities. If you put the system and IIS on the same drive, a vulnerability can lead to the leakage of system files, and can even allow an intruder to obtain administrative rights remotely.

It is recommended to create three logical drives: the first for the system and important log files, the second for IIS, and the third for FTP. That way, a security hole in either IIS or FTP will not directly affect the system directory and system files.

V. Selection of installation order

Do not assume the job is finished as soon as the system has been installed. In fact, the installation order of WIN2K is very important.

First of all, pay attention to when the host is connected to the network. WIN2K has a vulnerability during installation: after you enter the Administrator password, the system creates the "ADMIN$" share, but does not protect it with the password just entered, and this situation continues until the computer is started again. In the meantime, anyone can enter the system through "ADMIN$". In addition, as soon as the installation is complete the various services start automatically, and at that point the server is full of holes and very easy to break into from outside. Therefore, do not connect the host to the network until WIN2K Server is fully installed and configured.

Second, pay attention to when patches are installed. Patches should be installed after all applications have been installed, because patches often have to replace or modify certain system files. If you install the patches first, they may not take effect as expected.

Second: How to set up

Even if WIN2K Server is installed correctly, the system still has many vulnerabilities, and further detailed configuration is required.

I. Port

Ports are the logical interface between the computer and the external network, and they are also the computer's first barrier. Correct port configuration directly affects the security of the host.

II. IIS

IIS is the most vulnerability-prone of Microsoft's components: on average a new hole appears every two or three months, and Microsoft's default IIS installation is far from flattering, so the configuration of IIS is our focus.

First, delete the Inetpub directory on the C drive, create an Inetpub on the D drive, and point the home directory to D:\Inetpub in the IIS Manager.

Secondly, also delete the default virtual directories, such as scripts, that are created when IIS is installed. If you need a directory with particular permissions, you can create it later (pay special attention to write permission and permission to execute programs).

Then there is the configuration of the application. Delete all unneeded mappings in IIS Manager (of course, you must keep the ones you need, such as ASP and ASA). In the IIS Manager, go to "Host→Properties→WWW Service Edit→Home Directory Configuration→Application Mapping" and delete them one by one. Then, on the application debugging tab, change "script error message" to "send text". When you click "OK", don't forget to let the virtual sites inherit the properties you just set.

Finally, to be on the safe side, you can use the backup function of IIS to back up all the settings, so that you can restore the secure IIS configuration at any time. Also, if you are afraid that IIS load will crash the server, you can turn on the CPU limit under performance, for example limiting the maximum CPU usage of IIS to 70%.

III. Account Security

First of all, the default installation of WIN2K allows any user to obtain all of the system's accounts and its share list through a null (empty) user. This is meant to make it easy for LAN users to share resources and files, but at the same time any remote user can obtain your user list in the same way, and may then use brute force to crack user passwords and cause damage to the entire network. Many people only know to set the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 to disable null user connections. In fact, WIN2K's Local Security Policy (on a domain server, the domain server security policy and the domain security policy) has the option RestrictAnonymous (additional restrictions for anonymous connections), which has three values:

"0": None, rely on default permissions

"1": Do not allow enumeration of SAM accounts and shares

"2": No access without explicit anonymous permissions

"0" is the system default. It imposes no restrictions: remote users can learn all the accounts, group information, shared directories and the network transport list (NetServerTransportEnum) on your machine. This setting is very dangerous for a server. "1" allows only non-NULL users to access SAM account information and share information. "2" is supported only by WIN2K. Note that if this value is used, resources can no longer be shared, so it is recommended to set the value to "1".

IV. Security log

Pay attention here: the default installation of WIN2K does not enable any security auditing! You should enable the appropriate audits in "Local Security Policy → Audit Policy". If too few items are audited, you will find no record when you need to check something. If too many items are audited, auditing not only takes up a lot of system resources, but you may also not have time to read all of the records, which defeats the purpose of auditing. The recommended audit settings are as follows:

"Account Management", "Login Events", "Policy Change", "System Events" and "Account Login Events" require both "Success" and "Failure" to be turned on; "Object Access", "Privilege Use" and "Directory Service Access" only need "Failure" turned on.

Related to this, in "Account Policy→Password Policy" set: "Password complexity requirements: enabled", "Minimum password length: 6 characters", "Enforce password history: 5 times", "Maximum password age: 30 days". In "Account Policy→Account Lockout Policy" set: "Account lockout after 3 failed logins", "Lockout duration: 20 minutes", "Reset lockout counter after 20 minutes", etc.
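The RestrictAnonymous, audit and account policy recommendations above can be checked mechanically. The following is an added example, not part of the original article: it assumes the policy is available as a security template (INF) text of the kind the `secedit /export` command writes, uses the template's own setting names (which the article does not mention), and runs on a constructed sample.

```python
import configparser
# Constructed sample in security-template (INF) layout; not from a real host.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 5
MaximumPasswordAge = 42
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditAccountManage = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""
BOTH, FAIL = 3, 2   # template audit flags: 1 = success, 2 = failure, 3 = both
AUDIT = {"AuditAccountManage": BOTH, "AuditLogonEvents": BOTH,
         "AuditPolicyChange": BOTH, "AuditSystemEvents": BOTH,
         "AuditAccountLogon": BOTH, "AuditObjectAccess": FAIL,
         "AuditPrivilegeUse": FAIL, "AuditDSAccess": FAIL}
# Assumption: a value at least as strict as the article's counts as passing.
ACCOUNT = [("PasswordComplexity", lambda v: v == 1, "enabled"),
           ("MinimumPasswordLength", lambda v: v >= 6, ">= 6"),
           ("PasswordHistorySize", lambda v: v >= 5, ">= 5"),
           ("MaximumPasswordAge", lambda v: 0 < v <= 30, "<= 30 days"),
           ("LockoutBadCount", lambda v: 0 < v <= 3, "<= 3 attempts"),
           ("LockoutDuration", lambda v: v >= 20, ">= 20 minutes"),
           ("ResetLockoutCount", lambda v: v >= 20, ">= 20 minutes")]
RA_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"

def audit_template(text):
    cp = configparser.RawConfigParser(strict=False)  # option names are case-folded
    cp.read_string(text)
    def num(section, key):
        raw = cp.get(section, key, fallback=None)
        return None if raw is None else int(raw.split(",")[-1])  # "4,1" -> 1
    findings = []
    for key, ok, want in ACCOUNT:
        v = num("System Access", key)
        if v is None or not ok(v):          # a missing setting is a finding too
            findings.append(f"{key}={v} (want {want})")
    for key, need in AUDIT.items():
        v = num("Event Audit", key) or 0
        if (v & need) != need:
            findings.append(f"{key}={v} (want flags {need})")
    if num("Registry Values", RA_KEY) != 1:
        findings.append("RestrictAnonymous is not 1")
    return findings
```

`audit_template(SAMPLE_INF)` returns one line per setting that misses the recommendation; an empty list means the template matches all of them.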

The security log of Terminal Service is also not enabled by default. You can configure security auditing in "Terminal Service Configuration→Permissions→Advanced". Generally, it is enough to record login and logout events.

V. Directory and File Permissions

To control what users can do on the server, and also to guard against possible future intrusions and overflows, you must set the access rights of directories and files very carefully. NT access rights are divided into: read, write, read and execute, modify, list folder contents, and full control. By default, most folders are completely open to all users (Everyone), and you need to reset permissions based on your application's needs. When performing permission control, keep the following principles in mind:

1. Permissions are cumulative. If a user belongs to two groups at the same time, he has all the permissions allowed by the two groups.

2. Deny permissions take precedence over allow permissions (the deny policy is applied first). If a user belongs to a group that is denied access to a resource, he cannot access the resource no matter how many permissions other permission settings grant him.

3. File permissions take precedence over folder permissions.

4. Using user groups for permission control is a good habit that a mature system administrator must have.

5. Give users only the permissions they really need; the principle of least privilege is an important guarantee of security.

6. Preventing ICMP attacks: ICMP storm attacks and fragmentation attacks are also a headache for NT hosts. In fact, the countermeasure is very simple. WIN2K comes with a Routing & Remote Access tool, which is a rudimentary router. In this tool, we can easily define input and output packet filters. If input ICMP code 255 is set to discard, all ICMP packets from outside are discarded.
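Principles 1 to 3 above interact in a way that is easy to get wrong, so here is an added example (not from the original article) of an NTFS-style access check. It goes slightly beyond the text by modelling the canonical entry order used from Windows 2000 on (explicit deny, explicit allow, inherited deny, inherited allow); the user names, group names and the ACL are constructed.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4

@dataclass
class Ace:
    allow: bool        # True = allow entry, False = deny entry
    trustee: str       # user or group the entry applies to
    mask: int          # permission bits the entry covers
    inherited: bool    # True if the entry comes from the parent folder

def canonical(acl):
    # Explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def access_check(acl, user, groups, wanted):
    """True if every bit in `wanted` is granted before any of them is denied."""
    who = {user, *groups}
    remaining = wanted
    for ace in canonical(acl):
        if ace.trustee not in who:
            continue
        if ace.allow:
            remaining &= ~ace.mask      # principle 1: grants accumulate
        elif ace.mask & remaining:
            return False                # principle 2: deny wins over later allows
        if remaining == 0:
            return True
    return False                        # no entry granted the leftover bits

# Constructed ACL for one file under D:\Inetpub (hypothetical names).
FILE_ACL = [
    Ace(True,  "WebEditors",  READ | WRITE, inherited=True),
    Ace(True,  "Staff",       READ,         inherited=True),
    Ace(False, "Contractors", WRITE,        inherited=True),
    # Principle 3: set on the file itself, so it is evaluated before
    # anything inherited from the folder.
    Ace(True,  "alice",       WRITE,        inherited=False),
]
```

With this ACL, a member of both WebEditors and Contractors cannot write, while alice can write even as a Contractors member, because her entry on the file is evaluated before the deny inherited from the folder.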

Third: Points to note

In fact, security and usability are at odds in many cases, so you need to find a balance between them. After all, the server exists for its users; if a security principle gets in the way of using the system, it is not a good principle.

Network security is a systems engineering effort that spans not only space but also time. Many people (including some system administrators) think that a host that has been configured securely is safe. This is a misunderstanding. We can only say that a host is safe under certain conditions for a certain period of time. As the network structure changes, new vulnerabilities are discovered, and administrators and users operate the machine, the security status of the host changes constantly. Only when security awareness and security practices run through the whole process can the host be truly safe.
