Security China: Win2003 security settings to share
- 2020-05-06 12:01:25
- OfStack
This brings us to the actual hands-on phase: system permission settings and security configuration.
A sentence about system settings that circulates online is "minimum privileges + minimum services = maximum security". Almost everyone has seen it, but I have not seen a more detailed and comprehensive article on it, so what follows is my personal experience written up as a teaching attempt!
How to implement minimum privileges?
NTFS permission settings
On the root of each hard disk, grant the Administrators group full control (optionally the SYSTEM user as well) and delete all other users. Then set the permissions on the system disk as follows:
C:\WINDOWS: Administrators and SYSTEM full control; the Users group keeps its default permissions, unchanged.
Delete the Everyone user from the other directories, but pay attention to C:\Documents and Settings\All Users, C:\Documents and Settings\Default User and their subdirectories.
By default, the C:\Documents and Settings\All Users\Application Data directory keeps the Everyone permissions.
Also note the permissions inside C:\WINDOWS: directories such as C:\WINDOWS\PCHealth and C:\WINDOWS\Installer also keep the Everyone permissions.
Delete the C:\WINDOWS\Web\printers directory. Its presence causes IIS to register the .printer extension, which can be hit by overflow attacks.
The default IIS error pages are largely unused; it is recommended to delete the C:\WINDOWS\Help\iisHelp directory.
Delete C:\WINDOWS\system32\inetsrv\iisadmpwd. This directory is for managing IIS passwords: for example, when a 500 error occurs because a password has fallen out of sync, OWA or iisadmpwd can be used to change and resynchronise it. Here it is deleted instead; the settings below eliminate the out-of-sync problem that password settings would otherwise cause.
Open C:\Windows and search for the following executables:
net.exe;cmd.exe;tftp.exe;netstat.exe;regedit.exe;at.exe;attrib.exe;cacls.exe;format.com;
regsvr32.exe;xcopy.exe;wscript.exe;cscript.exe;ftp.exe;telnet.exe;arp.exe;edlin.exe;
ping.exe;route.exe;finger.exe;posix.exe;rsh.exe;atsvc.exe;qbasic.exe;runonce.exe;syskey.exe
Modify their permissions: delete all users and keep only Administrators and SYSTEM with full control.
Close port 445:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Create a new DWORD value named "SMBDeviceEnabled" with data "0".
Disallow null (anonymous) connections:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a new DWORD value named "RestrictAnonymous" with data "1" [the 2003 default is already 1].
Prevent the system from automatically creating server shares:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named "AutoShareServer" with data "0".
Prevent the system from automatically creating administrative shares:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named "AutoShareWks" with data "0".
Protect against small-scale DDoS attacks by modifying the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named "SynAttackProtect" with data "1".
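As an added example (not from the original article), this batch script applies the tool-permission change and the five registry settings from the two sections above and reads each value back. It assumes an English Windows Server 2003 install with the built-in cacls.exe and reg.exe, run from an Administrators session; back up the keys first.

```batch
@echo off
rem Added example, not from the original article: applies the tool-ACL and
rem registry settings of the two sections above and reads each value back.
rem Assumes English Windows Server 2003 (cacls.exe and reg.exe are built in)
rem and an Administrators session; back up the registry keys before running.
setlocal

rem 1. Every copy of each listed tool under %SystemRoot% (system32,
rem    dllcache, ServicePackFiles...) gets Administrators and SYSTEM full
rem    control only. cacls /G without /E replaces the whole ACL; "echo y|"
rem    answers its "Are you sure (Y/N)?" prompt.
for %%F in (net.exe cmd.exe tftp.exe netstat.exe regedit.exe at.exe attrib.exe cacls.exe format.com regsvr32.exe xcopy.exe wscript.exe cscript.exe ftp.exe telnet.exe arp.exe edlin.exe ping.exe route.exe finger.exe posix.exe rsh.exe atsvc.exe qbasic.exe runonce.exe syskey.exe) do (
  for /f "delims=" %%P in ('dir /s /b "%SystemRoot%\%%F" 2^>nul') do (
    echo y| cacls "%%P" /G Administrators:F SYSTEM:F >nul
  )
)

rem 2. Registry hardening (SMB on port 445, null sessions, automatic
rem    shares, SYN attack protection). /f overwrites without prompting.
set LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set NBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
set SRV=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
set TCP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
reg add %NBT% /v SMBDeviceEnabled /t REG_DWORD /d 0 /f >nul
reg add %LSA% /v RestrictAnonymous /t REG_DWORD /d 1 /f >nul
reg add %SRV% /v AutoShareServer /t REG_DWORD /d 0 /f >nul
reg add %SRV% /v AutoShareWks /t REG_DWORD /d 0 /f >nul
reg add %TCP% /v SynAttackProtect /t REG_DWORD /d 1 /f >nul

rem 3. Read every value back; reg query prints DWORDs as hex (0x0, 0x1).
call :check %NBT% SMBDeviceEnabled 0x0
call :check %LSA% RestrictAnonymous 0x1
call :check %SRV% AutoShareServer 0x0
call :check %SRV% AutoShareWks 0x0
call :check %TCP% SynAttackProtect 0x1
echo Reboot for SMBDeviceEnabled and the share settings to take effect.
goto :eof

rem :check <key> <value name> <expected hex>  - prints OK or FAIL per value
:check
for /f "tokens=3" %%V in ('reg query "%~1" /v %~2 ^| find /i "%~2"') do (
  if /i "%%V"=="%~3" (echo OK    %~2 = %%V) else (echo FAIL  %~2 = %%V, expected %~3)
)
goto :eof
```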
Disable the creation of dump files
The dump file is a useful resource for troubleshooting after a system crash or blue screen, but it can also give attackers sensitive information, such as the passwords of some applications. Control Panel > System Properties > Advanced > Startup and Recovery: change "Write debugging information" to (none).
Turn off Dr. Watson
Open it by typing "drwtsn32" in Start > Run, or via Start > Programs > Accessories > System Tools > System Information > Tools > Dr. Watson. Leave only the "Dump all thread contexts" option selected; otherwise, whenever a program fails, the hard disk churns for a long time and a lot of space is used up. If this has already happened, find the user.dmp file and delete it; this can free several tens of MB.
Local security policy configuration
Start > Programs > Administrative Tools > Local Security Policy
Account Policies > Password Policy > change the maximum password age to 0 days (i.e. passwords never expire; as mentioned above, this avoids the IIS password getting out of sync)
Account Policies > Account Lockout Policy > account lockout threshold 5 attempts, lockout duration 10 minutes [my recommended configuration]
Local Policies > Audit Policy >
Audit account management: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: success, failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: success, failure
Local Policies > Security Options > Clear virtual memory pagefile: change to "Enabled"
> Do not display last user name: change to "Enabled"
> Do not require CTRL+ALT+DEL: change to "Enabled"
> Do not allow anonymous enumeration of SAM accounts: change to "Enabled"
> Do not allow anonymous enumeration of SAM accounts and shares: change to "Enabled"
> Rename guest account: change it to a more complex account name
> Rename administrator account: change it to a name of your own [you can also create an account named Administrator that belongs to no group]
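As an added example (not from the original article), the batch script below writes the password, lockout, audit and security-option settings of this section into a security template and applies it with secedit.exe, which is built into Windows Server 2003. It assumes an Administrators session; the two account names are placeholders to replace.

```batch
@echo off
rem Added example, not from the original article: writes the password,
rem lockout, audit and security-option settings of the section above
rem into a security template and applies it with secedit.exe (built into
rem Windows Server 2003). Assumes an Administrators session; the two
rem account names are placeholders you must replace.
setlocal
set INF=%TEMP%\hardening.inf
set SDB=%TEMP%\hardening.sdb
rem In the INF, MaximumPasswordAge = -1 is "password never expires" (the
rem 0 days of the GUI); audit codes: 1 = success, 2 = failure, 3 = both;
rem "4,1" in [Registry Values] is REG_DWORD 1 (= the GUI "Enabled").
(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
echo MaximumPasswordAge = -1
echo LockoutBadCount = 5
echo LockoutDuration = 10
echo ResetLockoutCount = 10
echo NewAdministratorName = "PLACEHOLDER-ADMIN"
echo NewGuestName = "PLACEHOLDER-GUEST"
echo [Event Audit]
echo AuditAccountManage = 3
echo AuditLogonEvents = 3
echo AuditObjectAccess = 2
echo AuditPolicyChange = 3
echo AuditPrivilegeUse = 2
echo AuditSystemEvents = 3
echo AuditDSAccess = 2
echo AuditAccountLogon = 3
echo [Registry Values]
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
) > "%INF%"
rem Apply the template, then re-analyze against it: any line containing
rem "Mismatch" in the log is a setting that did not take.
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /quiet
secedit /analyze /db "%SDB%" /cfg "%INF%" /log "%TEMP%\hardening.log"
findstr /i "mismatch" "%TEMP%\hardening.log" && echo Some settings did not apply, see %TEMP%\hardening.log
```

The rename entries only take effect after the placeholders are replaced; the accounts are renamed, not recreated.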
Group Policy editor
Run gpedit.msc > Computer Configuration > Administrative Templates > System > Display Shutdown Event Tracker: change to Disabled
Remove unsafe components
WScript.Shell and Shell.Application are commonly used by ASP trojans and other malicious programs.
Solution 1:
regsvr32 /u wshom.ocx (unregisters the WScript.Shell component)
regsvr32 /u shell32.dll (unregisters the Shell.Application component)
If you have followed the settings described above, you do not need to delete these two files.
Solution 2:
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}, which corresponds to WScript.Shell
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}, which corresponds to Shell.Application
User management
Create an additional backup administrator account to deal with special situations.
On servers with Terminal Services and SQL Server installed, disable the TsInternetUser and SQLDebugger accounts.
User group notes
For IIS later on, IIS users are generally placed in the Guests group; you can also set up a separate group for IIS, but that group must be given [read-only] access to the C:\Windows directory. I personally do not recommend a separate group; the gain is too small.
Minimum services
If you implement this, the startup type of each service below is colour-coded: black = Automatic, green = Manual, red = Disabled.
Alerter
Application Experience Lookup Service
Application Layer Gateway Service
Application Management
Automatic Updates [Windows updates automatically, optional]
Background Intelligent Transfer Service
ClipBook
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Client
Error Reporting Service
Event Log
File Replication
Help and Support
HTTP SSL
Human Interface Device Access
IIS Admin Service
IMAPI CD-Burning COM Service
Indexing Service
Intersite Messaging
IPSEC Services
Kerberos Key Distribution Center
License Logging
Logical Disk Manager [optional; Automatic recommended with multiple hard disks]
Logical Disk Manager Administrative Service
Messenger
Microsoft Search
Microsoft Software Shadow Copy Provider
MSSQLSERVER
MSSQLServerADHelper
Net Logon
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
Network Location Awareness (NLA)
Network Provisioning Service
NT LM Security Support Provider
Performance Logs and Alerts
Plug and Play
Portable Media Serial Service [Microsoft anti-piracy tool, currently only for multimedia]
Print Spooler
Protected Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Remote Registry
Removable Storage
Resultant Set of Policy Provider
Routing and Remote Access
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
Smart Card
Special Administration Console Helper
SQLSERVERAGENT
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Telnet
Terminal Services
Terminal Services Session Directory
Themes
Uninterruptible Power Supply
Upload Manager
Virtual Disk Service
Volume Shadow Copy
WebClient
Windows Audio [server does not need to use sound]
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Installer
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions
Windows Time
Windows User Mode Driver Framework
WinHTTP Web Proxy Auto-Discovery Service
Wireless Configuration
WMI Performance Adapter
Workstation
World Wide Web Publishing Service
Once all of this is done, is it really "minimum privileges + minimum services = maximum security"? No. Everything is relative.
In my personal opinion, the settings above are only the most basic things. If anything is missing, please make up for it later!