win2003 IIS virtual host website anti trojan permission Settings security configuration arrangement

2020-05-06 12:01:16
OfStack
1. Installation of 
 system

 1. Follow the instructions of Windows2003 installation CD. Es7en 6.0 is not installed in the system by default in 2003. 

2. Installation of 
 for IIS 6.0

The following is a quote: 

Start menu - >
Control panel - >
Add or remove programs - >
Add/remove Windows component 

Application -- ASP.NET (optional) 

| -- enable network COM access (required) 

| -- Internet information service (IIS) -- Internet information service manager (required) 

| -- public file (required) 

| -- world wide web services -- Active Server pages(required) 

| -- Internet data connector (optional) 

| -- WebDAV release (optional) 

| -- world wide web services (required) 

| -- includes files (optional) 
 on the server side

Then click ok -- >
Next install. 

3. System patch update: click start menu -- >
All programs - >
Windows Update follow the instructions to install the patch. 

4. Backup system: backup system with GHOST. 

5. Install commonly used software, such as anti-virus software and decompression software; After the installation, configure the anti-virus software, scan the system for vulnerabilities, and then backup the system again with GHOST after installation. 

6, first close the unnecessary port to open the firewall to import IPSEC policy 

In "network connection", delete all the unnecessary protocols and services. Here, only the basic Internet protocol (TCP/IP) is installed. In order to control the bandwidth traffic service, an additional Qos packet scheduler is installed. In the advanced tcp/ip setting --"NetBIOS" setting "disables NetBIOS(S) on tcp/IP". In the advanced option, use "Internet connection firewall ", which is windows 2003's own firewall, in the 2000 system does not have the function, although there is no function, but can mask the port, so has basically achieved an IPSec function. 

Modify 3389 remote connection port 

Modify the registry 

Start -- run --regedit 

In turn spread HKEY_LOCAL_MACHINE SYSTEM/CURRENTCONTROLSET/CONTROL/

TERMINAL SERVER/WDS/RDPWD/TDS/TCP 

Change PortNumber in the right key to the port number you want to use. Note the decimal (e.g. 10000) 

HKEY_LOCAL_MACHINE/SYSTEM/CURRENTCONTROLSET/CONTROL/TERMINAL SERVER/WINSTATIONS/RDP-TCP/ 

Change PortNumber in the right key to the port number you want to use. Note the decimal number (e.g. 10000) 

Note: don't forget to port 10000 
 on the WINDOWS2003 firewall

The revision is complete. Restart server Settings take effect. 

 ii. User security Settings 

 1. Disable Guest account 

Disable the Guest account in computer managed users. To be on the safe side, it's best to add a complex password to Guest. You can open notepad, enter a long string of special characters, Numbers, and letters, and copy it in as the Guest user's password. 

2. Limit unnecessary users 

Remove all Duplicate User users, test users, Shared users, and so on. The user group policy sets the appropriate permissions, and often checks the users of the system to delete users who are no longer in use. These users are often an entry point for hackers to break into the system. 

3. Rename the system Administrator account to 

As you all know, Windows 2003 Administrator users cannot be disabled, which means that someone can try the user's password over and over again. Try to disguise it as a regular user, such as changing it to Guesycludx. 

4. Create a trap user 

What is a trap user? Create a local user named "Administrator", set it to the lowest level and do nothing, and add a super complex password with more than 10 digits. This will keep the Hacker busy for a while, so that they can find their way in. 

5. Change the permission of Shared files from Everyone group to 
 authorized user

Never set the user of the Shared file to the "Everyone" group, including the print share. The default property is the "Everyone" group. 

6. Enable user policy 

Using the user policy, reset the user lock counter for 20 minutes, the user lock time for 20 minutes, and the user lock threshold for 3 times. (this item is optional) 

7. Do not allow the system to display the last logon user name 

By default, the login dialog displays the last logged in user name. This makes it easy for someone to get some of the system's user names and guess the password. Modify the registry so that the last logon user name is not displayed in the dialog box. Method: open the registry editor and find the registry "HKLM\Software\Microsoft\WindowsT\CurrentVersion\Winlogon\Dont-DisplayLastUserName", change the key value of REG_SZ to 1. 

8. Password security setting 

a, use the security password 

Some company administrators create accounts with the company name, the computer name as the user name, and then set the password of these users too simple, such as "welcome" and so on. So be aware of the complexity of your password and remember to change it often. 

b, set the screen saver password 

This is a very simple and necessary operation. Setting the screen saver password is also a barrier to prevent insiders from damaging the server. 

c, open password policy 

Note the use of password policies, such as enabling password complexity requirements, setting the minimum password length to 6 bits, setting the mandatory password history to 5 times, for 42 days. 

d, consider using a smart card instead of 

For the password, always make the security administrator dilemma, password Settings are simple and easy to be attacked by hackers, password Settings are complex and easy to forget. If possible, using smart CARDS instead of complex passwords is a good solution. 

Iii. System permission setting  

1. Disk permission 

System disks and all disks are given full control of Administrators group and SYSTEM only 

System disk \Documents and Settings directory gives full control to Administrators group and SYSTEM 
 only

System disk \Documents and Settings\All Users directory gives full control to Administrators group and SYSTEM 
 only

System disk \Windows\System32\ cacls.exe, cmd.exe, net.exe, net1} Es238en.Administrators, regedit.exe, at.exe, attrib.exe, format.com, del files give full control to Administrators group and SYSTEM 
 only

The other will <
systemroot
>
\System32\ cmd.exe, format.com, ftp.exe transfer to another directory or rename 

Some directories under Documents and Settings are set to give only adinistrators permission. And to view one directory at a time, including all the following subdirectories. 

Delete c:\inetpub directory 

2. Local security policy setting 

Start menu - >
Management tool - >
Local security policy 

A, local policy -- >
Audit policy 

Review policy change failed successfully 

Audit login event failed successfully 

Audit object access failure audit process tracking no audit 

Audit directory service access failed 

Failed to use audit privilege 

Audit system event successfully failed 

Audit account login event failed successfully 

Audit account management success failure 

B, local policy -- >
User permissions are assigned to 

Shut down the system: only Administrators group, all others deleted. 

Login is allowed through terminal services: join Administrators,Remote Desktop Users group only, delete 
 for all others

C, local policy -- >
Security options 

Interactive login: 
 is enabled without showing the last user name

Network access: SAM accounts and Shared anonymous enums are not allowed to enable 

Network access: 
 is not allowed to be enabled for network authentication store credentials

Network access: all anonymously accessible shares are deleted 

Network access: can anonymously access the life of all deleted 

Network access: all remotely accessible registry paths have 
 removed

Network access: all remotely accessible registry paths and subpaths have 
 removed
Account: rename the guest account rename an account 

Account: rename the system administrator account rename an account 

Disable unnecessary services start - run -services.msc 

TCP/IPNetBIOS Helper provides support for NetBIOS on TCP/IP services and NetBIOS name resolution on clients on the network to enable users to share files, print, and login to 
 on the network

Server enables this computer to share 
 over a network of files, prints, and named pipes

Computer Browser maintains an up-to-date list of computers on the network and provides this list 

Task scheduler allows a program to run 
 at a specified time

Messenger transports NET SEND and alarm service messages 
 between the client and the server

Distributed File System: the LAN manages Shared files without the need to disable 

Distributed linktracking client: for LAN connection updates, it is not necessary to disable 

Error reporting service: error reports 
 are not allowed

Microsoft Serch: provides quick word search without the need to disable 

NTLMSecuritysupportprovide: telnet service and Microsoft Serch. You do not need to disable 

PrintSpooler: disable 
 if you do not have a printer

Remote Registry: remote modification of the registry 
 is not allowed

Remote Desktop Help Session Manager: remote assistance 
 is not allowed

If Workstation is off, the remote NET command cannot list 

The above is disabled in the default startup service on Windows Server 2003 system. The default default startup service should not be started unless specifically required. 

4, modify the registry: modify the registry to make the system stronger 

a, hidden important files/directories can modify the registry to fully hide 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ Explorer\Advanced\Folder\ SHOWALL", right click "CheckedValue", select modify, change the value from 1 to 0 

b, SYN flood prevention 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters 

New DWORD value, SynAttackProtect, 2 

New EnablePMTUDiscovery REG_DWORD 0 

New NoNameReleaseOnDemand REG_DWORD 1 

New EnableDeadGWDetect REG_DWORD 0 

New KeepAliveTime REG_DWORD 300,000 

New PerformRouterDiscovery REG_DWORD 0 

New EnableICMPRedirects REG_DWORD 03. Do not respond to 
 routing notice message ICMP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface 

New DWORD value, PerformRouterDiscovery value 0 

c. Prevents 
 from being attacked by ICMP redirected messages

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters 

Set the EnableICMPRedirects value to 0 

d. 
 protocol IGMP is not supported

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters 

New DWORD value, IGMPLevel value 0 

e, IPC empty connection is prohibited: 

cracker can use the net use command to create an empty connection and then invade, and net view, nbtstat these are all based on an empty connection, just disable it. 

Local_Machine\System\CurrentControlSet\Control\ LSA-RestrictAnonymous just change this value to "1". 

f, change TTL value 

cracker gives you a rough idea of your operating system based on the value of TTL back to ping, e.g. 

TTL=107(WINNT); 

TTL=108(win2000); 

(win9x TTL = 127 or 128); 

(linux TTL = 240 or 241); 

TTL=252(solaris); 

TTL=240(Irix); 

Actually you can change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: DefaultTTL \SYSTEM\ Tcpip\Parameters: DefaultTTL \SYSTEM\ Tcpip\Parameters

g. Delete the default share 

Someone asked me to share all the disks as soon as I turned them on. After changing them back, I restarted them to share again. This is the default share set by 2K for management, HKEY_LOCAL_MACHINE\SYSTEM\ LanmanServer\Parameters: AutoShareServer type is REG_DWORD, 
 after changing the value to 0

h. It is forbidden to establish an empty connection to 

By default, any user connects to the server via an empty connection, then enumerates the account and guesses the password. We can disable empty connections by modifying the registry: 

Change the value of Local_Machine\System\CurrentControlSet\Control\ LSA-RestrictAnonymous to "1". 

i, create a notepad and fill in the following code. Save as *.bat and add to the startup project 

The following is a quote: 

net share c$ /del 

net share d$ /del 

net share e$ /del 

net share f$ /del 

net share ipc$ /del 

net share admin$ /del 

5. IIS site Settings: 

a, separate the IIS directory & data from the system disk and store it in dedicated disk space. 

b, enable parent path 

c, remove any unused mappings in IIS manager except those that must be used (just keep the necessary mappings such as asp) 

d, in IIS, redirect the HTTP404 Object Not Found error page to a custom HTM file 
 via URL

e, Web site permission Settings (recommended) 

Reading allows 

 is not allowed

Script source access is not allowed 

Directory browsing is recommended to close 

Log access is recommended to turn off 

Index resources recommend that 
 be turned off

Execute the recommended selection "script only" 

f, it is recommended to use W3C to expand the log file format, record the customer IP address, user name, server port, method, URI root, HTTP status, user agent, and review the log every day. (it is best not to use the default directory, it is recommended to change the path to the log, and set the access rights of the log, allowing only the administrator and system to Full Control). 

g, program security 

1) the program involving user name and password is best encapsulated in the server side, as little as possible in the ASP file, involving the database connection user name and password should be given the minimum permission; 

2) the ASP page needs to be authenticated to track the file name of the previous page, which can only be read by the session that came in from the previous page. 3) prevent ASP home page. 

4) prevent UE and other editors from generating some.asp.bak file leakage problems. 

6. The idea of IIS permission setting 

1) to create a system user for each individual to be protected (such as a website or a virtual directory), so that the site has a unique identity in the system that can be set permissions. 

2) fill in the user name just created in IIS (site properties or virtual directory properties → directory security → anonymous access and authentication control → edit → anonymous access → edit). 

3) set all partitions to prevent this user from accessing, while the folder setting corresponding to the home directory of the site just now allows this user to access (remove the inherited parent permission, and add the hypertube group and SYSTEM group). 

7. Uninstall the most insecure component, 

The simplest way is to directly uninstall after the corresponding program files deleted. Save the following code as a.BAT file, (take WIN2000 as an example below, if 2003 is used, the system folder should be C:\WINDOWS\) 

The following is a quote: 

regsvr32/u C:\WINDOWS\System32\wshom.ocx 

del C:\WINDOWS\System32\wshom.ocx 

regsvr32/u C:\WINDOWS\system32\shell32.dll 

del C:\WINNT\WINDOWS\shell32.dll 

Es738en.Shell, Shell.application, WScript.Network will be uninstalled. You may be prompted that you can't delete the file, leave it alone, restart the server, and you'll find that all three are "safe".