Win2003 IIS virtual host website: anti-trojan permission settings and security configuration

  • 2020-05-06 12:01:16
  • OfStack

i. Installation of the system
1. Follow the instructions of the Windows 2003 installation CD. IIS 6.0 is not installed in the system by default in 2003.
2. Installation of IIS 6.0
The following is a quote:
Start menu -> Control Panel -> Add or Remove Programs -> Add/Remove Windows Components
Application Server -- ASP.NET (optional)
| -- Enable network COM+ access (required)
| -- Internet Information Services (IIS) -- Internet Information Services Manager (required)
| -- Common Files (required)
| -- World Wide Web Service -- Active Server Pages (required)
| -- Internet Data Connector (optional)
| -- WebDAV Publishing (optional)
| -- World Wide Web Service (required)
| -- Server Side Includes (optional)
Then click OK -> Next to install.
3. System patch update: click Start menu -> All Programs -> Windows Update and follow the instructions to install the patches.
4. Back up the system: back up the system with GHOST.
5. Install commonly used software, such as anti-virus software and decompression software. After the installation, configure the anti-virus software, scan the system for vulnerabilities, and then back up the system again with GHOST.
6. First close the unnecessary ports, turn on the firewall, and import the IPSec policy
In "Network Connections", delete all unnecessary protocols and services. Here, only the basic Internet Protocol (TCP/IP) is installed; an additional QoS Packet Scheduler is installed to control bandwidth and traffic. In the advanced TCP/IP settings, under "NetBIOS", select "Disable NetBIOS over TCP/IP (S)". In the Advanced options, use "Internet Connection Firewall", which is Windows 2003's own firewall and does not exist in the 2000 system. It does not have many features, but it can block ports, so it basically achieves the function of an IPSec policy.
Modify the 3389 remote connection port
Modify the registry
Start -- Run -- regedit
Change PortNumber in the right-hand pane of the key to the port number you want to use. Note that the value is decimal (e.g. 10000)
Note: don't forget to add port 10000 on the Windows 2003 firewall
The modification is complete. Restart the server for the setting to take effect.
ii. User security settings
1. Disable the Guest account
Disable the Guest account under Users in Computer Management. To be on the safe side, it's best to also give Guest a complex password. You can open Notepad, enter a long string of special characters, numbers, and letters, and copy it in as the Guest user's password.
2. Limit unnecessary users
Remove all duplicate users, test users, shared users, and so on. Set the appropriate permissions through user group policy, and check the system's users often, deleting those that are no longer in use. These users are often an entry point for hackers to break into the system.
3. Rename the system Administrator account
As you all know, the Windows 2003 Administrator user cannot be disabled, which means that someone can try this user's password over and over again. Try to disguise it as a regular user, such as changing it to Guesycludx.
4. Create a trap user
What is a trap user? Create a local user named "Administrator", give it the lowest privileges so that it can do nothing, and add a super complex password of more than 10 characters. This will keep the hackers busy for a while, which helps you detect their attempts to get in.
5. Change the permission of shared files from the Everyone group to authorized users
Never set the user of shared files to the "Everyone" group, including print shares. The default property is the "Everyone" group.
6. Enable user policy
Using the user policy, set the reset time of the user lockout counter to 20 minutes, the user lockout time to 20 minutes, and the user lockout threshold to 3 times. (This item is optional.)
7. Do not allow the system to display the last logon user name
By default, the login dialog displays the last logged-in user name. This makes it easy for someone to obtain some of the system's user names and guess the passwords. Modify the registry so that the last logon user name is not displayed in the dialog box. Method: open the registry editor, find "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName", and change the REG_SZ value to 1.
8. Password security settings
a, use secure passwords
Some company administrators create accounts with the company name or the computer name as the user name, and then set passwords for these users that are too simple, such as "welcome". So pay attention to the complexity of your passwords and remember to change them often.
b, set a screen saver password
This is a very simple and necessary operation. Setting a screen saver password is also a barrier that prevents insiders from damaging the server.
c, turn on the password policy
Make use of password policies, such as enabling password complexity requirements, setting the minimum password length to 6 characters, setting the enforced password history to 5 passwords, and a password age of 42 days.
d, consider using a smart card instead of a password
Passwords always put security administrators in a dilemma: simple passwords are easily attacked by hackers, while complex passwords are easily forgotten. If possible, using smart cards instead of complex passwords is a good solution.
iii. System permission settings
1. Disk permissions
The system disk and all other disks give full control to the Administrators group and SYSTEM only
System disk \Documents and Settings directory gives full control to the Administrators group and SYSTEM only
System disk \Documents and Settings\All Users directory gives full control to the Administrators group and SYSTEM only
System disk \Windows\System32\ cacls.exe, cmd.exe, net.exe, net1.exe, regedit.exe, at.exe, attrib.exe and del files give full control to the Administrators group and SYSTEM only
In addition, move <systemroot>\System32\ cmd.exe and ftp.exe to another directory or rename them
Some directories under Documents and Settings are set to give permissions only to Administrators. Check the directories one at a time, including all subdirectories below them.
Delete the c:\inetpub directory
2. Local security policy settings
Start menu -> Administrative Tools -> Local Security Policy
A, Local policy --> Audit policy
Audit policy change: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit process tracking: no auditing
Audit directory service access: failure
Audit privilege use: failure
Audit system events: success, failure
Audit account logon events: success, failure
Audit account management: success, failure
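As an added example (not part of the original article), this Python script checks a template exported with `secedit /export /cfg` against the lockout values in "Enable user policy", the password policy in 8 c, and the audit policy list above. The mapping of the article's settings to the template key names, and reading "42 days" as MaximumPasswordAge, are assumptions; the sample export is constructed.

```python
# Baseline from the guide. Audit codes in a secedit template:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = {
    "System Access": {
        "LockoutBadCount": 3, "ResetLockoutCount": 20, "LockoutDuration": 20,
        "PasswordComplexity": 1, "MinimumPasswordLength": 6, "PasswordHistorySize": 5,
        "MaximumPasswordAge": 42,  # assumption: the guide's "42 days"
    },
    "Event Audit": {
        "AuditPolicyChange": 3, "AuditLogonEvents": 3, "AuditObjectAccess": 2,
        "AuditProcessTracking": 0, "AuditDSAccess": 2, "AuditPrivilegeUse": 2,
        "AuditSystemEvents": 3, "AuditAccountLogon": 3, "AuditAccountManage": 3,
    },
}

def parse_inf(text):
    """Return {section: {key: value}} from secedit INF text."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def deviations(text):
    """Return (section, key, found, expected) for each setting off baseline."""
    found = parse_inf(text)
    return [(sec, key, found.get(sec, {}).get(key), str(want))
            for sec, keys in BASELINE.items() for key, want in keys.items()
            if found.get(sec, {}).get(key) != str(want)]

# Constructed sample export, not taken from a real server.
SAMPLE = "\n".join([
    "[Unicode]", "Unicode=yes",
    "[System Access]",
    "MaximumPasswordAge = 42", "MinimumPasswordLength = 0",
    "PasswordComplexity = 1", "PasswordHistorySize = 5",
    "LockoutBadCount = 3", "ResetLockoutCount = 20", "LockoutDuration = 20",
    "[Event Audit]",
    "AuditSystemEvents = 3", "AuditLogonEvents = 1", "AuditObjectAccess = 2",
    "AuditPrivilegeUse = 2", "AuditPolicyChange = 3", "AuditAccountManage = 3",
    "AuditProcessTracking = 0", "AuditAccountLogon = 3",
])

if __name__ == "__main__":
    print(*deviations(SAMPLE), sep="\n")
```

secedit writes the template as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `deviations`. A setting missing from the export is reported with `None` as the found value.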
B, Local policy --> User rights assignment
Shut down the system: only the Administrators group; delete all others.
Allow logon through Terminal Services: only the Administrators and Remote Desktop Users groups; delete all others.
C, Local policy --> Security options
Interactive logon: do not display last user name: enabled
Network access: do not allow anonymous enumeration of SAM accounts and shares: enabled
Network access: do not allow storage of credentials for network authentication: enabled
Network access: shares that can be accessed anonymously: delete all
Network access: named pipes that can be accessed anonymously: delete all
Network access: remotely accessible registry paths: delete all
Network access: remotely accessible registry paths and sub-paths: delete all
Accounts: rename guest account: rename the account
Accounts: rename administrator account: rename the account
3. Disable unnecessary services
Start -- Run -- services.msc
TCP/IP NetBIOS Helper: provides support for the NetBIOS over TCP/IP service and NetBIOS name resolution for clients on the network, enabling users to share files, print, and log on to the network
Server: enables this computer to share files, printers, and named pipes over the network
Computer Browser: maintains an up-to-date list of computers on the network and provides this list
Task Scheduler: allows a program to run at a specified time
Messenger: transports NET SEND and Alerter service messages between the client and the server
Distributed File System: manages shared files on the LAN; can be disabled if not needed
Distributed Link Tracking Client: used for LAN connection updates; can be disabled if not needed
Error Reporting Service: error reports are not allowed
Microsoft Search: provides quick word search; can be disabled if not needed
NT LM Security Support Provider: used by the telnet service and Microsoft Search; can be disabled if not needed
Print Spooler: disable if you do not have a printer
Remote Registry: remote modification of the registry is not allowed
Remote Desktop Help Session Manager: remote assistance is not allowed
If Workstation is off, the remote NET command cannot list
The above are the services to disable among those started by default on a Windows Server 2003 system. Services that are disabled by default should not be started unless specifically required.
4, modify the registry: modify the registry to make the system stronger
a, hide important files/directories: the registry can be modified to hide them completely
In "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ Explorer\Advanced\Folder\ SHOWALL", right-click "CheckedValue", select Modify, and change the value from 1 to 0
b, SYN flood prevention
New DWORD value, SynAttackProtect, 2
New EnablePMTUDiscovery REG_DWORD 0
New NoNameReleaseOnDemand REG_DWORD 1
New EnableDeadGWDetect REG_DWORD 0
New KeepAliveTime REG_DWORD 300,000
New PerformRouterDiscovery REG_DWORD 0
New EnableICMPRedirects REG_DWORD 0
3. Do not respond to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface
New DWORD value, PerformRouterDiscovery, value 0
c. Prevent attacks by ICMP redirect messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the EnableICMPRedirects value to 0
d. Do not support the IGMP protocol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value, IGMPLevel, value 0
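An added example, not from the original article: a Python check of a `.reg` export of the Tcpip key against the TCP/IP values listed above. It assumes the values in b live under the same Tcpip\Parameters key the article names for EnableICMPRedirects, and it checks PerformRouterDiscovery on each Interfaces subkey; the sample export and interface GUIDs are constructed.

```python
import re

PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
IFACES = PARAMS.upper() + "\\INTERFACES\\"  # key names are case-insensitive
# Guide values: GLOBAL under Tcpip\Parameters, PER_INTERFACE on each interface.
GLOBAL = {"SynAttackProtect": 2, "EnablePMTUDiscovery": 0,
          "NoNameReleaseOnDemand": 1, "EnableDeadGWDetect": 0,
          "KeepAliveTime": 300000, "EnableICMPRedirects": 0, "IGMPLevel": 0}
PER_INTERFACE = {"PerformRouterDiscovery": 0}

def parse_reg(text):
    """Return {key_path: {value_name: int}} for dword values in a .reg export."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def findings(text):
    """Return (key, name, found, expected) for each missing or wrong value."""
    out = []
    for path, values in parse_reg(text).items():
        wanted = (GLOBAL if path.upper() == PARAMS.upper() else
                  PER_INTERFACE if path.upper().startswith(IFACES) else {})
        out += [(path, n, values.get(n), w) for n, w in wanted.items()
                if values.get(n) != w]
    return out

# Constructed sample export, not from a real server.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnablePMTUDiscovery"=dword:00000001
"NoNameReleaseOnDemand"=dword:00000001
"EnableDeadGWDetect"=dword:00000000
"KeepAliveTime"=dword:000493e0
"EnableICMPRedirects"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}]
"PerformRouterDiscovery"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000000
"""

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

A real export from regedit is UTF-16, so decode it before calling `findings`. If the Parameters key is absent from the export, nothing is reported for it, so export the whole Tcpip key.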
e, prohibit IPC null connections:
A cracker can use the net use command to create a null connection and then intrude; net view and nbtstat are also based on null connections, so just disable them.
In Local_Machine\System\CurrentControlSet\Control\LSA, change the RestrictAnonymous value to "1".
f, change the TTL value
A cracker can get a rough idea of your operating system from the TTL value returned by ping, e.g.
(win9x TTL = 127 or 128);
(linux TTL = 240 or 241);
Actually you can change it: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: DefaultTTL
g. Delete the default shares
Someone asked me why all the disks are shared as soon as the machine is turned on and, after changing this back, are shared again after a restart. These are the default shares set by 2K for management. HKEY_LOCAL_MACHINE\SYSTEM\ LanmanServer\Parameters: AutoShareServer, type REG_DWORD; change the value to 0.
h. Prohibit the establishment of null connections
By default, any user can connect to the server via a null connection, then enumerate the accounts and guess the passwords. We can disable null connections by modifying the registry:
In Local_Machine\System\CurrentControlSet\Control\LSA, change the RestrictAnonymous value to "1".
i, create a new file in Notepad and fill in the following code. Save it as *.bat and add it to the startup items
The following is a quote:
net share c$ /del
net share d$ /del
net share e$ /del
net share f$ /del
net share ipc$ /del
net share admin$ /del
5. IIS site settings:
a, separate the IIS directory & data from the system disk and store them in dedicated disk space.
b, enable parent paths
c, in IIS Manager, remove any unused mappings other than those that must be used (just keep the necessary mappings such as asp)
d, in IIS, redirect the HTTP 404 Object Not Found error page via URL to a custom HTM file
e, Web site permission settings (recommended)
Read: allowed
Write: not allowed
Script source access: not allowed
Directory browsing: recommended to turn off
Log visits: recommended to turn off
Index this resource: recommended to turn off
Execute: recommended selection "Scripts only"
f, it is recommended to use the W3C Extended Log File Format, recording the client IP address, user name, server port, method, URI stem, HTTP status, and user agent, and to review the logs every day. (It is best not to use the default directory; change the log path and set access rights on the logs so that only the administrator and SYSTEM have Full Control.)

g, program security
1) programs involving user names and passwords are best encapsulated on the server side and should appear as little as possible in ASP files; user names and passwords used for database connections should be given the minimum permissions;
2) for ASP pages that require authentication, track the file name of the previous page; only sessions coming in from the previous page can read the page.
3) prevent ASP home page.
4) prevent the leakage of some.asp.bak files generated by UE and other editors.
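An added example, not from the original article: a Python routine for the daily log review in f that reads W3C Extended logs through their #Fields line and lists editor backup files (item g 4) that the server actually returned with status 200. The field names are the standard IIS names for the items the article lists; the log lines, addresses and paths are constructed.

```python
def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def served_backup_files(lines, suffixes=(".bak",)):
    """Return (client IP, URI stem) for backup files answered with HTTP 200."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if rec.get("sc-status") == "200" and stem.lower().endswith(suffixes):
            hits.append((rec.get("c-ip"), stem))
    return hits

# Constructed log lines (documentation addresses, hypothetical paths).
SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2020-01-01 12:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2020-01-01 12:00:01 192.0.2.10 - 80 GET /index.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2020-01-01 12:00:05 192.0.2.44 - 80 GET /conn.asp.bak 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2020-01-01 12:00:09 192.0.2.44 - 80 GET /admin/login.asp.bak 404 Mozilla/4.0+(compatible;+MSIE+6.0)
""".splitlines()

if __name__ == "__main__":
    print(*served_backup_files(SAMPLE), sep="\n")
```

Any hit means a backup copy of a script is readable as plain text from the web root and should be removed from the site directory.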
6. The idea behind IIS permission settings
1) create a system user for each individual entity to be protected (such as a website or a virtual directory), so that the site has a unique identity in the system to which permissions can be assigned.
2) fill in the user name just created in IIS (site properties or virtual directory properties → Directory Security → Anonymous access and authentication control → Edit → Anonymous access → Edit).
3) deny this user access to all partitions, while allowing this user access to the folder corresponding to the site's home directory (remove the inherited parent permissions, and add the administrators group and SYSTEM).
7. Uninstall the most insecure components
The simplest way is to unregister the components directly and then delete the corresponding program files. Save the following code as a .BAT file (the original example was written for WIN2000; on 2003 the system folder is C:\WINDOWS\, as used below)
The following is a quote:
rem Unregister and delete wshom.ocx (WScript.Shell, WScript.Network)
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
rem Unregister and delete shell32.dll (Shell.application)
regsvr32 /u C:\WINDOWS\system32\shell32.dll
del C:\WINDOWS\system32\shell32.dll
WScript.Shell, Shell.application and WScript.Network will be uninstalled. You may be prompted that the file cannot be deleted; leave it alone, restart the server, and you'll find that all three are "safe".
