6. SQL2000 SERV-U FTP security settings
SQL security aspects
1. The System Administrators role should have no more than two members
2. If SQL Server is used only from the local machine, it is best to configure authentication as Windows login.
3. Do not use the sa account, and configure an extremely complex password for it
4. Delete the following extended stored procedures, using the format:
use master
sp_dropextendedproc 'Extended stored procedure name'
xp_cmdshell: the best shortcut into the operating system; delete it
Stored procedures that access the registry; delete them
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue Xp_regenumvalues
Xp_regread Xp_regwrite Xp_regremovemultistring
OLE automation stored procedures; no need to delete
Sp_OACreate Sp_OADestroy Sp_OAGetErrorInfo Sp_OAGetProperty
Sp_OAMethod Sp_OASetProperty Sp_OAStop
5. Hide SQL Server and change the default 1433 port
Right-click the instance and select Properties → General → Network Configuration, open the properties of the TCP/IP protocol, select "Hide SQL Server instance", and change the original default port 1433.
Several general security settings need to be configured for Serv-U:
Select "Block "FTP_bounce" attack and FXP". What is FXP? Usually, when the FTP protocol is used for file transfer, the client first sends a "PORT" command to the FTP server. The command contains the user's IP address and the port number to be used for data transmission. After receiving it, the server uses the address information in the command to establish a connection with the user. In most cases this process causes no problems, but a malicious client can put other address information into the PORT command and make the FTP server connect to a machine that is not the client. The malicious user may have no right to access that machine directly, but if the FTP server has the right to access it, the user can use the FTP server as an intermediary and still reach the target server. This is FXP, also known as a cross-server attack. Selecting this option prevents it.
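The kind of check described above, comparing the address in a PORT command with the address the control connection came from, can be written as follows. This is an added example, not Serv-U's code and not part of the original page; the function names, the sample addresses and the low-port rule (a recommendation from RFC 2577 that the page does not mention) are assumptions.

```python
import ipaddress

def parse_port_argument(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("expected six comma-separated decimal numbers")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("every field must be in the range 0-255")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]

def check_port_command(line, control_peer_ip, min_port=1024):
    """Return (allowed, reason) for one command line received from a client.

    control_peer_ip: source address of the control connection.
    min_port: assumption taken from RFC 2577, not from the page.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return True, "not a PORT command"
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    if host != ipaddress.IPv4Address(control_peer_ip):
        return False, f"bounce/FXP: {host} is not the client {control_peer_ip}"
    if port < min_port:
        return False, f"low port: {port} is below {min_port}"
    return True, f"data connection to {host}:{port}"

# Constructed sample input (documentation address ranges), not captured traffic.
CLIENT = "203.0.113.25"
SAMPLES = [
    "PORT 203,0,113,25,19,137",  # client's own address, port 5001
    "PORT 192,0,2,10,19,137",    # a different machine
    "PORT 203,0,113,25,0,80",    # own address, port 80
    "PORT 203,0,113,25,300,1",   # field out of range
]

if __name__ == "__main__":
    for line in SAMPLES:
        allowed, reason = check_port_command(line, CLIENT)
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {line:28} {reason}")
```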
7. IIS security settings
IIS Security:
1. Do not use the default web site. If you use it, separate the IIS directory from the system disk.
2. Delete the Inetpub directory created by IIS by default (on the disk where the system is installed).
3. Delete the virtual directories under the system disk, such as: _vti_bin, IISSamples, Scripts, IIShelp, IISAdmin, MSADC.
4. Delete unnecessary IIS extension mappings.
Right-click "Default Web Site → Properties → Home Directory → Configuration" to open the application window and remove unnecessary application mappings, mainly .shtml, .shtm, .stm
5. Change the path of IIS log
Right-click "Default Web Site → Properties → Website", then click Properties under Enable Logging
6. If you are using Windows 2000, you can use iislockdown to protect IIS. The IE6.0 version running on 2003 does not need it.
8. Others
1. System upgrades and operating system patches are required, especially IIS 6.0 patches, SQL SP3a patches, and even IE 6.0 patches. At the same time, keep track of the latest vulnerability patches in a timely manner.
2. Disable the Guest account, set an extremely complex password on it, and rename or disguise the Administrator account.
3. Hide important files/directories
You can modify the registry to hide them completely: under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", right-click "CheckedValue", select Modify, and change the value from 1 to 0
4. Enable the Internet Connection Firewall that comes with the system and check the Web server entry in the Services options under Settings.
5. Prevent SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value, named SynAttackProtect, with a value of 2
6. Disable responses to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface
Create a new DWORD value, named PerformRouterDiscovery, the value is 0
7. Prevent ICMP redirect packet attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the EnableICMPRedirects value to 0
8. Disable support for the IGMP protocol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value, named IGMPLevel, the value is 0
9. Disable DCOM:
Enter in Run. Press Enter and click "Component Services" under the "Console Root" node. Open the "Computer" subfolder.
For local computers, right-click My Computer and select Properties. Select the Default Properties tab.
Clear the “Enable distributed COM on this computer” check box.