Win2008 server or VPS security configuration basics tutorial
- 2020-05-06 12:06:14
- OfStack
Of course, the security setup tutorial here is also valid for Windows Server 2003, only some steps are different, for reference only.
In fact, whether windows server system, or linux server system, as long as you set a good security policy, you can ensure the security of the server to the greatest extent, linux is more secure than windows, the key is to see how you use, how to set security policy, how to avoid the use of vulnerabilities; The key to the security of the windows server system is to prevent vulnerabilities in the system from being exploited. The following is the specific security configuration basic tutorial, for reference only, according to the individual like and set:
changes administrator account and password
windows 2008 server system is managed by remote login, the default administrator account is administactor; If the other party knows your account, may obtain your password through violent decryption; Therefore, to modify the administrator account in time.
The modification process is: select "click" start → run ", enter "gpedit.msc" in the pop-up run dialog box to open the group policy editor, successively expand "Settings →→ local policy → security options", and drag down the list box on the right to the bottom, double-click "rename system administrator account" to rename; After changing the account name, remember to change the password, it is recommended that no less than 18 password, must use the combination of English upper and lower case Numbers.
modifies the port number
for remote login
The windows system default remote landing port number is 3389, this port number is easy to scan, it is suggested to change to a larger port number, such as 23429, pay attention not to conflict with the known port number, if the firewall has been opened, to close 3389 port, while opening 23429 port number.
The process of changing the port number is: open "start → run", enter "regedit", open the registry, enter the following path: [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWdsrdpwdTdstcp], see the PortNamber value, its default value is 3389, change to the desired port, such as 23429; Open [HKEY_LOCAL_MACHINESYSTEMCurrentContro1SetControlTenninal ServerWinStationsRDPTcp] again, change the value of PortNumber (default is 3389) to port 23429, and enter the computer name IP: 23429 when logging in later.
set up a firewall to close the useless port
windows 2008 server system is its own firewall, the firewall can set the port number open and close, the above modified remote landing port number, remember to close 3389 port, while adding a new set of port number; At the same time, it is recommended to use the port scan tool to scan, the general server only open three ports, one is port 80, one is your remote landing port, one is FTP port.
When the firewall is turned on, PING is disabled by default. If you want the server to support PING, then delete the corresponding prohibition rule in the firewall Settings. In addition, firewalls do not disable all non-network service ports by default, so it is recommended that you manually disable ports that must be used outside of the network.
removed FTP and database online management
Because the windows 2008 server has a graphical interface, you can use the network disk to backup the website, log in the backup website remotely, upload to the network disk, and then download the website content from the network disk from the local computer, so you can not enable FTP; Opening one more port means one more risk, and since the windows 2008 server system has a graphical interface, you should take advantage of this.
As for online database management, beginners are used to phpmyadmin management, Linux system host through IP/some space/ way of database management, in fact, this is not safe, equivalent to an additional security risk; For users of windows 2008 system, they can actually manage the database after logging in remotely, such as my website www.
sets file permissions and patches to update
If you are using windows system server site, then must set up the file permissions, such as prohibit the script to run what, after the set up, so the site program itself security will improve a lot; In addition, remember to timely update the program and system patches, while adding error login Settings, users through the remote login system, enter the wrong password three times, can be banned for 30 minutes or a day.
Some time ago, mysql/php successively exposed the corresponding vulnerability, we should also remember to upgrade the version of these programs, for example, now the virtual host Php version is 5.2.17, which is a relatively old stable version, hash conflict vulnerability, can be upgraded to 5.3.* or 5.4.*; As for mysql, it can also be upgraded to version 5.5.*. You can directly download the corresponding program from the official website to upgrade.
changes the account information on IDC's official website
No matter what system server you purchase, you should ensure the security of your account information on IDC official website. The account and password here should be different from the password of the account registered at ordinary times to avoid the theft of one of your account and being used here by others. In addition, part of IDC also has its own forum. Although you can get external links by communicating in the forum, you should pay attention to ensure the security of your information and do not disclose your account habits.
The above is the personal maintenance Windows Server 2008 server experience, as a basic security configuration tutorial, can prevent the majority of vulnerability attacks; Of course, if memory allows, you can also install server antivirus software and add other protection Settings, however, for VPS or cloud host users, antivirus software is not necessary, there are these in the upper Settings, and the installation of antivirus software may conflict.
In fact, whether windows server system, or linux server system, as long as you set a good security policy, you can ensure the security of the server to the greatest extent, linux is more secure than windows, the key is to see how you use, how to set security policy, how to avoid the use of vulnerabilities; The key to the security of the windows server system is to prevent vulnerabilities in the system from being exploited. The following is the specific security configuration basic tutorial, for reference only, according to the individual like and set:
changes administrator account and password
windows 2008 server system is managed by remote login, the default administrator account is administactor; If the other party knows your account, may obtain your password through violent decryption; Therefore, to modify the administrator account in time.
The modification process is: select "click" start → run ", enter "gpedit.msc" in the pop-up run dialog box to open the group policy editor, successively expand "Settings →→ local policy → security options", and drag down the list box on the right to the bottom, double-click "rename system administrator account" to rename; After changing the account name, remember to change the password, it is recommended that no less than 18 password, must use the combination of English upper and lower case Numbers.
modifies the port number
for remote login
The windows system default remote landing port number is 3389, this port number is easy to scan, it is suggested to change to a larger port number, such as 23429, pay attention not to conflict with the known port number, if the firewall has been opened, to close 3389 port, while opening 23429 port number.
The process of changing the port number is: open "start → run", enter "regedit", open the registry, enter the following path: [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWdsrdpwdTdstcp], see the PortNamber value, its default value is 3389, change to the desired port, such as 23429; Open [HKEY_LOCAL_MACHINESYSTEMCurrentContro1SetControlTenninal ServerWinStationsRDPTcp] again, change the value of PortNumber (default is 3389) to port 23429, and enter the computer name IP: 23429 when logging in later.
set up a firewall to close the useless port
windows 2008 server system is its own firewall, the firewall can set the port number open and close, the above modified remote landing port number, remember to close 3389 port, while adding a new set of port number; At the same time, it is recommended to use the port scan tool to scan, the general server only open three ports, one is port 80, one is your remote landing port, one is FTP port.
When the firewall is turned on, PING is disabled by default. If you want the server to support PING, then delete the corresponding prohibition rule in the firewall Settings. In addition, firewalls do not disable all non-network service ports by default, so it is recommended that you manually disable ports that must be used outside of the network.
removed FTP and database online management
Because the windows 2008 server has a graphical interface, you can use the network disk to backup the website, log in the backup website remotely, upload to the network disk, and then download the website content from the network disk from the local computer, so you can not enable FTP; Opening one more port means one more risk, and since the windows 2008 server system has a graphical interface, you should take advantage of this.
As for online database management, beginners are used to phpmyadmin management, Linux system host through IP/some space/ way of database management, in fact, this is not safe, equivalent to an additional security risk; For users of windows 2008 system, they can actually manage the database after logging in remotely, such as my website www.
sets file permissions and patches to update
If you are using windows system server site, then must set up the file permissions, such as prohibit the script to run what, after the set up, so the site program itself security will improve a lot; In addition, remember to timely update the program and system patches, while adding error login Settings, users through the remote login system, enter the wrong password three times, can be banned for 30 minutes or a day.
Some time ago, mysql/php successively exposed the corresponding vulnerability, we should also remember to upgrade the version of these programs, for example, now the virtual host Php version is 5.2.17, which is a relatively old stable version, hash conflict vulnerability, can be upgraded to 5.3.* or 5.4.*; As for mysql, it can also be upgraded to version 5.5.*. You can directly download the corresponding program from the official website to upgrade.
changes the account information on IDC's official website
No matter what system server you purchase, you should ensure the security of your account information on IDC official website. The account and password here should be different from the password of the account registered at ordinary times to avoid the theft of one of your account and being used here by others. In addition, part of IDC also has its own forum. Although you can get external links by communicating in the forum, you should pay attention to ensure the security of your information and do not disclose your account habits.
The above is the personal maintenance Windows Server 2008 server experience, as a basic security configuration tutorial, can prevent the majority of vulnerability attacks; Of course, if memory allows, you can also install server antivirus software and add other protection Settings, however, for VPS or cloud host users, antivirus software is not necessary, there are these in the upper Settings, and the installation of antivirus software may conflict.