Security China: Win2003 security settings to share

  • 2020-05-06 12:01:25
  • OfStack

Everything I said up front was nonsense, just warming up the pen (I only write this once).
That brings us to the actual work: setting system permissions and configuring security.
Online advice on system hardening usually boils down to one sentence: "minimum privileges + minimum services = maximum security". Basically everyone has seen it, but I have not seen a more detailed, comprehensive article on how to get there, so what follows is my personal experience, offered as an attempt at a tutorial!
How to implement minimum privileges?
NTFS permission settings: on the root of each hard disk, grant the Administrators group Full Control (optionally the SYSTEM user as well) and delete all other users. Then go into the system disk; the permissions are as follows:
C:\WINDOWS: Administrators and SYSTEM get Full Control; the default permissions of the Users group are left unchanged.
Delete the Everyone user from the other directories, but remember that the All Users and Default User directories under C:\Documents and Settings (and their subdirectories), as well as C:\Documents and Settings\All Users\Application Data, keep the Everyone permissions in the default configuration.
Also note the permissions inside C:\WINDOWS: directories such as C:\WINDOWS\PCHealth and C:\windows\Installer also keep the Everyone permissions.
Delete the C:\WINDOWS\Web\printers directory. Its presence makes IIS map the .printer extension, which has been used for overflow attacks.
The default IIS error pages are largely unused, so it is recommended to delete the C:\WINDOWS\Help\iisHelp directory.
Delete C:\WINDOWS\system32\inetsrv\iisadmpwd. This directory is for managing IIS passwords: when some passwords get out of sync and cause errors such as 500, OWA or iisadmpwd is used to resynchronise them, but here we delete it. The settings below eliminate the out-of-sync problem that password configuration causes.
Open C:\Windows and search for:
net.exe;cmd.exe;tftp.exe;netstat.exe;regedit.exe;at.exe;attrib.exe;cacls.exe;format.com;
regsvr32.exe;xcopy.exe;wscript.exe;cscript.exe;ftp.exe;telnet.exe;arp.exe;edlin.exe;
ping.exe;route.exe;finger.exe;posix.exe;rsh.exe;atsvc.exe;qbasic.exe;runonce.exe;syskey.exe
Modify the permissions on each of them: delete all other users and keep only Administrators and SYSTEM, with Full Control.
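As an added check (not from the original article): this PowerShell script lists every copy of the tools above found under %SystemRoot% (the dllcache copies included) whose ACL still contains a principal other than Administrators or SYSTEM. It assumes an elevated prompt and English principal names, and it changes nothing.

```powershell
# Added example, not from the original article: report which of the listed
# tools, anywhere under %SystemRoot%, still grant access to principals other
# than Administrators and SYSTEM. Read-only: no ACL is modified.
# Assumes an elevated PowerShell prompt (2.0 is enough) and English principal names.
$tools = 'net.exe','cmd.exe','tftp.exe','netstat.exe','regedit.exe','at.exe',
         'attrib.exe','cacls.exe','format.com','regsvr32.exe','xcopy.exe',
         'wscript.exe','cscript.exe','ftp.exe','telnet.exe','arp.exe','edlin.exe',
         'ping.exe','route.exe','finger.exe','posix.exe','rsh.exe','atsvc.exe',
         'qbasic.exe','runonce.exe','syskey.exe'

# The only principals the article keeps on these files (with Full Control).
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Get-ExtraAccess {
    param([string]$Root = $env:SystemRoot)
    # Recursing also catches the copies in system32\dllcache, which share the
    # same name and should be restricted the same way.
    Get-ChildItem -Path $Root -Recurse -Include $tools -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            $acl  = Get-Acl -Path $file -ErrorAction SilentlyContinue
            if ($acl -eq $null) { return }
            foreach ($ace in $acl.Access) {
                $who = $ace.IdentityReference.Value
                if ($allowed -notcontains $who) {
                    # Inherited ACEs come from the parent directory: fix them there
                    # (or break inheritance on the file), not by editing the file alone.
                    $obj = New-Object PSObject
                    $obj | Add-Member NoteProperty File      $file
                    $obj | Add-Member NoteProperty Identity  $who
                    $obj | Add-Member NoteProperty Rights    $ace.FileSystemRights
                    $obj | Add-Member NoteProperty Type      $ace.AccessControlType
                    $obj | Add-Member NoteProperty Inherited $ace.IsInherited
                    $obj
                }
            }
        }
}

$findings = @(Get-ExtraAccess)
if ($findings.Count -eq 0) {
    Write-Host "All listed tools are restricted to Administrators and SYSTEM."
} else {
    $findings | Sort-Object File | Format-Table File, Identity, Rights, Type, Inherited -AutoSize
}
```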
Close port 445:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Create a new DWORD value named "SMBDeviceEnabled" with data "0".
Disallow null sessions (empty connections):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a new DWORD value named "RestrictAnonymous" with data "1" [the 2003 default is already 1].
Prevent the system from automatically creating server shares:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named "AutoShareServer" with data "0".
Prevent the system from automatically creating administrative shares:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named "AutoShareWks" with data "0".
Protect against small-scale DDoS attacks by modifying the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named "SynAttackProtect" with data "1".
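An added audit script (not part of the original article) that reads the five registry values above, flags any that deviate from the data given, and prints the reg.exe command that would apply each missing one. It assumes an elevated PowerShell prompt and applies nothing itself.

```powershell
# Added example, not from the original article: audit the five registry values
# recommended above and print which ones still deviate from the baseline.
# Assumes an elevated PowerShell prompt (2.0 is enough); the key paths, value
# names and expected data are the ones the article gives.
$baseline = @(
    @{ Key='SYSTEM\CurrentControlSet\Services\NetBT\Parameters';
       Name='SMBDeviceEnabled';  Expected=0; Why='close TCP 445 (direct-hosted SMB)' },
    @{ Key='SYSTEM\CurrentControlSet\Control\Lsa';
       Name='RestrictAnonymous'; Expected=1; Why='no null sessions' },
    @{ Key='SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name='AutoShareServer';   Expected=0; Why='no automatic server shares' },
    @{ Key='SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name='AutoShareWks';      Expected=0; Why='no automatic admin shares' },
    @{ Key='SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';
       Name='SynAttackProtect';  Expected=1; Why='SYN flood protection' }
)

function Test-HardeningValue {
    param([hashtable]$Item)
    $psPath = "HKLM:\$($Item.Key)"
    $actual = $null
    if (Test-Path $psPath) {
        $props = Get-ItemProperty -Path $psPath -Name $Item.Name -ErrorAction SilentlyContinue
        if ($props -ne $null) { $actual = $props.($Item.Name) }
    }
    # An absent value counts as "not hardened": apart from RestrictAnonymous
    # (default 1 on 2003), a missing value means the open behaviour is in effect.
    $ok  = ($actual -ne $null) -and ([int]$actual -eq $Item.Expected)
    $obj = New-Object PSObject
    $obj | Add-Member NoteProperty Status   $(if ($ok) { 'OK' } else { 'FIX' })
    $obj | Add-Member NoteProperty Value    "HKLM\$($Item.Key)\$($Item.Name)"
    $obj | Add-Member NoteProperty Actual   $(if ($actual -eq $null) { '<missing>' } else { $actual })
    $obj | Add-Member NoteProperty Expected $Item.Expected
    $obj | Add-Member NoteProperty Purpose  $Item.Why
    # reg.exe command that would apply the article's value; printed, never run here.
    $obj | Add-Member NoteProperty Fix ("reg add `"HKLM\$($Item.Key)`" /v $($Item.Name) /t REG_DWORD /d $($Item.Expected) /f")
    return $obj
}

$results = $baseline | ForEach-Object { Test-HardeningValue $_ }
$results | Format-Table Status, Value, Actual, Expected, Purpose -AutoSize
Write-Host "`nCommands that would apply the missing settings (review before running):"
$results | Where-Object { $_.Status -eq 'FIX' } | ForEach-Object { $_.Fix }
```

Setting SMBDeviceEnabled to 0 also stops this host serving SMB over port 445, so confirm that no file sharing is needed from it before applying that one.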
Prohibit the creation of dump files
The dump file is a useful resource for finding problems after a system crash or blue screen. However, it can also give hackers sensitive information, such as the passwords of some applications. Control Panel > System Properties > Advanced > Startup and Recovery: change "Write debugging information" to "(none)".
Close Dr. Watson
Call it up by entering "drwtsn32" in Start > Run, or via Start > Programs > Accessories > System Tools > System Information > Tools > Dr. Watson. Leave only the "Dump all thread contexts" option; otherwise, whenever a program fails, the hard disk will be read for a long time and a lot of space will be taken up. If this has already happened, find the user.dmp file; deleting it can free several tens of MB.
Local Security Policy configuration
Start > Programs > Administrative Tools > Local Security Policy
Account Policies > Password Policy > change the minimum password age to 0 days (i.e., the password does not expire, which, as I mentioned above, avoids the IIS password getting out of sync)
Account Policies > Account Lockout Policy > account lockout threshold 5 attempts, account lockout duration 10 minutes [my personally recommended configuration]
Local Policies > Audit Policy >
Audit account management: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: success, failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: success, failure
Local Policies > Security Options > Shutdown: Clear virtual memory pagefile: change to "Enabled"
> Interactive logon: Do not display last user name: change to "Enabled"
> Interactive logon: Do not require CTRL+ALT+DEL: change to "Enabled"
> Network access: Do not allow anonymous enumeration of SAM accounts: change to "Enabled"
> Network access: Do not allow anonymous enumeration of SAM accounts and shares: change to "Enabled"
> Accounts: Rename guest account: change it to a more complex account name
> Accounts: Rename administrator account: change it to a name of your own [you can also create an account named Administrator that belongs to no group]
Group Policy Editor
Run gpedit.msc > Computer Configuration > Administrative Templates > System > change "Display Shutdown Event Tracker" to Disabled.
Remove unsafe components
WScript.Shell and Shell.Application are commonly used by ASP trojans and other malicious programs.
Solution 1:
regsvr32 /u wshom.ocx (unregisters the WScript.Shell component)
regsvr32 /u shell32.dll (unregisters the Shell.Application component)
If you have applied the settings described above, you do not need to delete these two files.
Solution 2:
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}, which corresponds to WScript.Shell
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}, which corresponds to Shell.Application
User management
Create a second, backup administrator account for emergencies.
On servers with Terminal Services and SQL Server installed, disable the TsInternetUser and SQLDebugger accounts.
User group description
For IIS later on, IIS users generally use the Guests group, or you can set up a separate group for IIS, but this group must be given [read-only] access to the C:\Windows directory. Personally I do not recommend a separate directory; it is too small.

How to implement minimum services?

In the original list, black marked services left on Automatic, green those set to Manual, and red those set to Disabled.

Alerter
Application Experience Lookup Service
Application Layer Gateway Service
Application Management
Automatic Updates [Windows updates automatically, optional]
Background Intelligent Transfer Service
ClipBook
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Client
Error Reporting Service
Event Log
File Replication
Help and Support
HTTP SSL
Human Interface Device Access
IIS Admin Service
IMAPI CD-Burning COM Service
Indexing Service
Intersite Messaging
IPSEC Services
Kerberos Key Distribution Center
License Logging
Logical Disk Manager [optional; Automatic is recommended with multiple hard drives]
Logical Disk Manager Administrative Service
Messenger
Microsoft Search
Microsoft Software Shadow Copy Provider
MSSQLSERVER
MSSQLServerADHelper
Net Logon
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
Network Location Awareness (NLA)
Network Provisioning Service
NT LM Security Support Provider
Performance Logs and Alerts
Plug and Play
Portable Media Serial Service [Microsoft anti-piracy tool, currently only for multimedia]
Print Spooler
Protected Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Remote Registry
Removable Storage
Resultant Set of Policy Provider
Routing and Remote Access
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
Smart Card
Special Administration Console Helper
SQLSERVERAGENT
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Telnet
Terminal Services
Terminal Services Session Directory
Themes
Uninterruptible Power Supply
Upload Manager
Virtual Disk Service
Volume Shadow Copy
WebClient
Windows Audio [a server does not need sound]
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Installer
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions
Windows Time
Windows User Mode Driver Framework
WinHTTP Web Proxy Auto-Discovery Service
Wireless Configuration
WMI Performance Adapter
Workstation
World Wide Web Publishing Service
After all of the above is done, do we have "minimum privileges + minimum services = maximum security"? No. Everything is relative.
In my personal opinion, the settings above are only the most basic things. If anything is missing, please add it later!

