IIS related settings:
Delete the virtual directory of the default site, stop the default web site, delete the corresponding file directory c:inetpub, configure the public settings of all sites, and set the relevant connection limit.
Other settings such as bandwidth settings and performance settings. Configure application mapping, remove all unnecessary application extensions, and only retain asp, php, cgi, pl, aspx application extensions. right
In PHP and CGI, it is recommended to use isapi to parse, and use exe to parse has an impact on security and performance. User program debugging settings send text error messages to the customer. For databases, try to acquire
Use the mdb suffix and do not need to be changed to asp. You can set an mdb extension map in IIS, and use an unrelated dll file such as C:
To prevent the database from being downloaded. Set the log saving directory of IIS and adjust the logging information. Set to send text error message. Modify the 403 error page and turn it to another page to prevent
Stop some scanner detection. In addition, to hide system information and prevent the system version information from being leaked from telnet to port 80, IIS's banner information can be modified. You can use winhex to modify it manually or
Those who use related software such as banneredit to modify it.
For the directory where the user's site is located, let me explain here that the user's FTP root directory corresponds to three files: wwwroot, database, and logfiles, which store site files and databases respectively.
Backup and logs for this site. If an intrusion occurs, you can set specific permissions to the directory where the user site is located. The directory where the picture is located will only give permissions to the column directory, and the directory where the program is located will be located.
If you do not need to generate files (such as the program that generates html), you will not give write permissions. Because virtual hosts usually cannot be meticulous in script security, they can only use the method
Users escalate permissions from scripts:
ASP security settings:
After setting permissions and services, you still need to do the following work to prevent asp *s and run the following command in the cmd window:
regsvr32/u C:\WINNT\System32\
del C:\WINNT\System32\
regsvr32/u C:\WINNT\system32\
del C:\WINNT\system32\
You can uninstall the, , components, which can effectively prevent the asp *s from passing wscript or executing commands and
Use *s to view some system-sensitive information. Another method: You can cancel the user's permissions of the above files and restart IIS to take effect. But this method is not recommended.
In addition, for FSO, the user program needs to use it, the component can be not cancelled on the server. I will only mention the prevention of FSO, but there is no need to automatically activate the virtual business server.
It is only suitable for manually opened sites. Two groups can be set for sites that require FSO and do not require FSO, and c is given to user groups that require FSO:
File execution permissions, no permissions are given if unnecessary. Restart the server and take effect.
For such settings combined with the permission settings above, you will find that the Haiyang * horse has lost its function here!
PHP security settings:
The default installation of php needs to be paid attention to:
C:\winnt\Only give users read permission. The following settings are required:
Safe_mode=on
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On [default is on, but it needs to be checked]
open_basedir = web directory
disable_functions =passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod
The default setting com.allow_dcom = true is modified to false [the previous one must be cancelled before modification;]
MySQL security settings:
If MySQL database is enabled on the server, the security settings that MySQL database need to pay attention to are:
Delete all default users in mysql, keep only the local root account, and add a complex password to the root user. When giving updatedeletealertcreatedrop permission to ordinary users
and limited to specific databases, especially to avoid ordinary customers having permission to operate mysql database. Check the table, cancel the shutdown_priv of unnecessary users, relo
ad_priv, process_priv and File_priv permissions, these permissions may leak more server information, including other information that are not mysql. You can set up a startup user for mysql.
This user only has permissions to the mysql directory. Set permissions for the data database in the installation directory (this directory stores the data information of the mysql database). For the mysql installation directory, add read to users
fetch, column directories, and execute permissions.
Serv-u security issues:
The installer should try to use the latest version, avoid using the default installation directory, set the permissions where the serv-u directory is located, and set a complex administrator password. Modify the banner information of serv-u
, set the passive mode port range (4001-4003)
Make relevant security settings in the settings in the local server: including checking anonymous passwords, disabling timeout scheduling, intercepting "FTP bounce" attacks and FXP, and for connecting more than 3 times in 30 seconds
Users intercepted for 10 minutes. The settings in the domain are: Requires complex passwords, directories only use lowercase letters, and the advanced setting is set to cancel the date that allows the MDTM command to change the file.
Change the startup user of serv-u: Create a new user in the system and set a password for a complex point, which does not belong to any group. Give the servu installation directory to the user full control permissions. Establish
A FTP root directory requires that this user be given full control permissions, because all ftp users upload, delete, and change files are inherited from the user's permissions, otherwise it will not be possible.
document. In addition, you need to give the user the read permissions to the superior directory above the directory, otherwise 530 will appear when connecting. Not logged in, home directory does not
exist. For example, when testing, the root directory of ftp is d:soft, and the user of the d disk must be given the read permissions to the user, and in order to safely cancel the inheritance permissions of other folders of the d disk. And generally use the default s
There are no problems with system startup, because system generally has these permissions.
Security settings for database servers
For dedicated MSSQL database servers, set TCP/IP filtering and IP policies as mentioned above, and only ports 1433 and 5631 are open to the outside world. For MSSQL, first you need to set a strong one for sa
Strong password, use hybrid authentication, strengthen database logging, audit database logging events "success and failure" of database login events. Delete some unwanted and dangerous OLE automatic stored procedures (will
This causes some functions in the Enterprise Manager to be unusable), these processes include the following:
Sp_OACreate Sp_OADestroy Sp_OAGetErrorInfo Sp_OAGetProperty
Sp_OAMethod Sp_OASetProperty Sp_OAStop
Remove unnecessary registry access procedures, including:
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue
Xp_regenumvalues Xp_regread Xp_regremovemultistring
Xp_regwrite
Remove other system stored procedures. If you think there is still a threat, of course you should be careful about Drop processes. You can test them on the test machine to ensure that the normal system can complete the work. These processes include
:
xp_cmdshell xp_dirtree xp_dropwebtask sp_addsrvrolemember
xp_makewebtask xp_runwebtask xp_subdirs sp_addlogin
sp_addextendedproc
Select the properties of the TCP/IP protocol in the instance properties. Selecting Hide SQL Server instances can prevent detection of port 1434 and modify the default port 1433. Remove the guest of the database
The account will be kept by unauthorized users. The exceptions are the master and tempdb databases, as they are required for their guest accounts. Also pay attention to setting up each database user
Permissions, only some permissions are given to the database of these users. Do not use the SA user to connect to any database in the program. There are suggestions on the Internet that you use protocol encryption, so don't
Do this, otherwise you can only reinstall MSSQL.
Part 2 Intrusion Detection and Data Backup
§1.1 Intrusion detection work
As a daily management of a server, intrusion detection is a very important task. In the normal detection process, it mainly includes routine server security inspections and intrusion inspections when intrusions occur.
Checking means that it is divided into security inspection during intrusion and security inspection before and after intrusion. The safety of the system follows the principle of wooden barrels. The principle of wooden barrels refers to: a wooden barrel consists of many wooden boards.
If the lengths of the wooden boards that make up the wooden barrel are different, the maximum capacity of the wooden barrel does not depend on the long board, but on the shortest board. Applying to security aspects means
The security of the system depends on the most vulnerable parts of the system, which are the focus of daily security detection.
Daily safety inspection
Daily safety inspection is mainly aimed at the security of the system, and the work is mainly carried out in accordance with the following steps:
1. Check the server status:
Open Process Manager, view server performance, and observe CPU and memory usage. Check whether there are any abnormalities such as excessive CPU and memory usage.
2. Check the current process status
Switch the Task Manager to the process and find if there are suspicious applications or background processes running. When viewing a process using the process manager, there will be a taskmgr in it, which is the process manager.
The process of the processor itself. If you are running Windows update, there will be a process. For processes that are not sure or do not know which application is opened on the server.
, you can search the process name on the Internet to determine [Process Knowledge Base:/]. If there is a process on the backdoor, it will usually take a process with the system.
Similar names, such as, at this time, you should carefully distinguish [usually, the confusing method is to change the letter o to the number 0 and the letter l to the number 1]
3. Check the system account
Open Computer Management, expand Local Users and Groups Options, view Group Options, see if there is a new account added to the administrators group, and check if there is a cloned account.
4. Check the current port opening situation
Use activeport to check the current port connection status, especially pay attention to the ports connected to the outside world, and see if there are unauthorized ports communicating with the outside world. If so, close it immediately
Close the port and record the program corresponding to the port and record it, and transfer the program to another directory for later analysis. Open Computer Management ==》Software Environment ==》Running Tasks[
Here you can view hidden processes that cannot be seen in the process manager], view the currently running program. If there is an unknown program, record the location of the program, open the task manager and end the process.
, For programs such as backdoors that use daemons, you can try to end the process tree. If it still cannot be finished, search for the program name in the registry, delete the key value, and switch to safe mode to delete
Remove the relevant program files.
5. Check system services
Run, check the service that is in the startup state, check whether there are newly added unknown services and determine the purpose of the service. For unknown services, open the service properties, check
See what the executable file corresponding to the service is. If you determine that the file is a normal file in the system, you can skip it. Check whether other normal open services exist.
On top, if there is, you can let it go. If it is impossible to determine whether the execution file is a normal file in the system and no other normal open service exists on the service, the
Service, and then test whether the various applications are normal. For some backdoors, due to the hook system API technology, the added service items cannot be seen in the service manager, so you need to call
Open the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices item in the registry to find it, and determine whether it is a backdoor by checking the names of each service and the corresponding execution files.
, * programs, etc.
6. View related logs
Run and roughly check the relevant log records in the system. When viewing, right-click on the corresponding log record and select "Properties" and set a log filter in "Filter"
, select only errors and warnings, and view the source and specific description information of the log. If you can find a solution to the error that occurs in common server troubleshooting, you can handle the problem according to this method
Question: If there is no solution, record the problem and record the event source, ID number and specific description information in detail to find a solution to the problem.
7. Check system files
Mainly check the exe and dll files of the system disk. It is recommended to use dir *.exe /s > to save all exe files on the C disk after the system is installed, and then every time you check it
Then use this command to generate a list of the time, compare the two files with FC, and do relevant checks for the DLL file. It should be noted that the original is regenerated after patching or installing the software.
Start list. Check whether the relevant system files have been replaced or whether the system has malicious programs such as * backdoors have been installed. If necessary, you can run an antivirus program once to scan the system disk.
8. Check if the security policy is changed
Open the properties of the local connection, check whether only "TCP/IP protocol" is checked in "General", open the "TCP/IP" protocol settings, click "Advanced" ==" "Options" to view "IP Security
Whether the mechanism" is the set IP policy, check whether the allowed ports for the "TCP/IP" filtering have been changed. Open "Management Tools" = "Local Security Policy" to view the IP security currently used
Whether the policy has changed.
9. Check directory permissions
Focus on checking whether the system directory and important application permissions have been changed. The directories that need to be viewed are c:;c:winnt;
C:winntsystem32;c:winntsystem32inetsrv;c:winntsystem32inetsrvdata;c:documents and
Settings; then check the serv-u installation directory to see if the permissions of these directories have changed. Check whether some important files under system32 have changed permissions, including: cmd,
Net, ftp, tftp, cacls and other files.
10. Check the start item
Mainly check the current boot self-start program. AReporter can be used to check the self-start program.
Response to invasions discovered
For intrusion incidents that are discovered immediately, the following situations are handled when the system has been damaged. If the system has not been damaged or the damage cannot be detected temporarily, follow the above inspection steps to check
After checking, consider the following measures as appropriate. The following measures should be taken immediately after the system is damaged:
Determine the way to deal with it depends on the serious situation, whether it is done remotely or on-site. If the situation is serious, it is recommended to deal with it on the spot. If field treatment is used, the first time the intrusion is discovered
The server is turned off in the computer room, and the personnel who are pending to handle disconnect the network cable when they arrive in the computer room, and then enter the system for inspection. If remote processing is adopted, if the situation is serious, all application services will be stopped as soon as possible, and change I
The P policy is to only allow remote management ports to connect and then restart the server. After restarting, connect remotely to process. Before restarting, use AReporter to check the startup self-start.
program. Then conduct a safety check.
The following treatment measures are for situations where the user's site is compromised but does not endanger the system. If the user requests to strengthen the security of his own site, the security of the user's site can be strengthened as follows:
The site root directory----only give the administrator read permissions, and the permissions are inherited.
wwwroot ------Read and write permissions to web users. Advanced has permission to delete subfolders and files
logfiles------write permission to system.
database----------read and write permissions to web users. There is no permission to delete subfolders and files in Advanced
If further modification is required, you can only give read permissions to ordinary file storage directories such as html, js, and picture folders based on the characteristics of the user site, and give permissions in the above table to script files such as asp.
. In addition, check the corresponding security logs of the user's site to find out the cause of the vulnerability and assist users in fixing the vulnerability.
§1.2 Data backup and data recovery
Data backup work is roughly as follows:
1. Back up system data once a month.
2. Two weeks after the system is backed up, the application data is backed up separately, mainly including IIS, serv-u, database and other data.
3. Ensure the security of backup data and place these data backups in a classified manner. Because basically all the full backup method is used, the data retention cycle can only be retained for that backup and the last backup.
Just two copies of the data.
Data recovery work:
1. When the system crashes or encounters other unrecoverable system normal state, first backup some changes that occurred after the last system backup, such as application, security policy, etc. settings, and restore
Restore these changes after the system is re-repaired.
2. If an application or other error occurs, it uses the latest backup data to restore related content.
Part 3 Server performance optimization
§3.1 Server performance optimization
System performance optimization
Organize the system space:
Delete the system backup file, delete driver backup, delete unused input methods, delete system help files, and uninstall infrequently used components. Minimize C disk files.
Performance optimization:
Delete unnecessary automatic startup program; reduce pre-reading and reduce progress bar waiting time; let the system automatically close the program that stops responding; disable error reporting, but notify when a serious error occurs
; Turn off automatic update and manually update the computer;
Enable hardware and DirectX acceleration; disable shutdown event tracking; disable configuration server wizard; reduce the wait time for the startup disk scan; adjust both processor planning and memory usage to the application
Up; adjust virtual memory; memory optimization; modify CPU's secondary cache; modify disk cache.
IIS performance optimization
1. Adjust IIS cache
HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Services\InetInfoParametersMemoryCacheSize
The range of MemoryCacheSize is from 0 channels 4GB, with a default value of 3072000 (3MB). Generally speaking, this value should be set to 10% of the server memory. IIS caches system handles and directories through cache
Lists and other commonly used data values to improve system performance. This parameter specifies the memory size allocated to the cache. If the value is 0, it means "no cache is done"
”. In this case, the system's performance may be degraded. If your server has busy network communication and has enough memory space, you can consider increasing this value. It must be noted that the modification note is
After the calendar, it is necessary to restart for the new value to take effect.
2. Do not turn off system services: "Protected Storage"
3. Limit access traffic
A. Limit the number of visitors to the site
B. Site bandwidth limitation. Keep HTTP connections.
C. Process limit, input CPU consumption percentage
4. Improve IIS processing efficiency
The "Application Protection" drop-down button in Application Settings" will select the "Low (IIS Process)" option from the pop-up drop-down list. The efficiency of the IIS server processor can be increased by 20%.
about. However, this setting will bring serious security issues and is not worth recommending.
5. Set up IIS server as a standalone server
A. Improve hardware configuration to optimize IIS performance
Hard disk: The hard disk space is used by NT and IIS services in the following two ways: one is to simply store data; the other is to use it as virtual memory. If you use Ultra2's SCSI hard drive, you
Significantly improve IIS performance
B. You can distribute the page exchange files of the NT server to multiple physical disks. Note that multiple "physical disks" are invalid when distributed on multiple partitions. Also, do not place page exchange files
In the same partition as the Windows NT boot zone
C. Using disk mirroring or disk stripping sets can improve disk read performance
D. It is best to store all the data in a separate partition. Then run the disk defragmenter regularly to ensure there is no fragmentation in the partition where the web server data is stored. Using NTFS
Helps reduce debris. It is recommended to use Norton's Speeddisk, which can quickly organize NTFS partitions.
6. Use HTTP compression
HTTP compression is a method of transferring compressed text content between a web server and a browser. HTTP compression uses general compression algorithms such as gzip to compress HTML, JavaScript or CSS files. Can
Use pipeboost to set it up.
7. Recycling of resources
Use IIS5Recycle to recycle process resources regularly.
§3.2 Common Troubleshooting of Servers
1. ASP's "Requested Resources are in Use" solution:
This problem is generally related to antivirus software, which is caused by installing a personal version of antivirus software on the server. This error can be solved by uninstalling the antivirus software, or you can try to re-register.
l and to solve it, run it on the command line: regsvr32 and regsvr32.
2. ASP500 error solution:
First, determine whether the problem exists on a single site or all sites. If the problem exists on a single site, it is a problem with the website program. You can open the error prompt of the site and turn IE
The "Show friendly HTTP error" message is canceled, view the specific error message, and then modify the relevant program accordingly. If all sites have this problem and the HTML page does not have this problem,
The related log shows "The server cannot load the application'/LM/W3SVC/1/ROOT'. The error is 'This interface is not supported'". It is most likely that ASP-related components in the server system are released
There is a problem. Restart the IIS service and try to solve the problem. If it cannot be solved, try to solve the problem. If it cannot be solved, you can re-fix the ASP component.
: First, delete the three things about IIS in the com component. You need to first cancel the "Prohibit Deletion" check in the advanced level in the attribute.
In the command line, enter the "cd winnt\system32\inetsrv" string command, click the Enter key, and then execute the "rundll32, CreateIISPackage" command, and then
Then execute the "regsvr32" command and the "iisreset" command in turn, and finally restart the computer operating system, so that the IIS server can respond to the ASP script correctly again.
The page is here.
3. IIS 105 error:
In the system log "The server cannot register the management tool to discover information. The management tool may not be able to see this server" Source: w3svc ID: 105
Solution: Just reinstall the netbios protocol in the network connection, and cancel the checkmark after the installation is completed.
4. MySQL service cannot start [Error code 1067] solution
An error will be reported midway when starting MySQL service! Content is: On the local computer, MySQL service cannot be started. Error 1067: The process aborted unexpectedly.
Solution: Find files in the Windows directory, edit content (if there is no such file, create a new one), at least include
Basedir and datadir are the two basic configurations.
[mysqld]
# set basedir to installation path, ., c:/mysql
# Set as the installation directory of MYSQL
basedir=D:/www/WebServer/MySQL
# set datadir to location of data directory,
# ., c:/mysql/data or d:/mydata/data
# Set as MYSQL data directory
datadir=D:/www/WebServer/MySQL/data
Note that I have not given permissions to the system user to the changed directory after changing the system temp directory.
5. The problem of DllHotst process consuming 100% CPU
The normal CPU consumption of the server should be below 75%, and the CPU consumption should fluctuate. If the server with this problem occurs, the CPU will suddenly be at a level of 100% and will not drop.
Looking at the task manager, you can find that it consumes all the CPU free time. In this case, the administrator had to restart the IIS service. Strangely, restart the IIS
Everything was fine after service, but maybe after a while, the problem reappeared.
Direct reason:
One or more ACCESS databases are corrupted during multiple read and writes. When the MDAC system writes this corrupt ACCESS file, the ASP thread is in the BLOCK state, and the other threads can only wait.
When IIS is deadlocked, all CPU time is consumed in DLLHOST.
Solution:
Download the database locally, then open it with ACCESS to perform the repair operation. Upload to the website again. If it doesn't work, just create a new ACCESS database and then import it from the original database.
Enter all tables and records. Then upload the new database to the server.
6. Error in Windows installer:
When installing the software, "You cannot access the windows installer service. Maybe you run Windows in safe mode, or Windows installer does not have the correct installation.
Pack. Please contact your support staff for help” If you try to reinstall, prompt: "The specified service already exists".
Solution:
There may be other errors about installer errors, and you can try the following solution:
First, confirm whether it is a permission problem. The prompt message will provide relevant information. If it is a permission problem, give everyone permissions to winnt directory [change the permissions back after installation.
]. If the message is prompted, you can try the following solution: Run "msiexec /unregserver" to uninstall Windows
Installer service, if it cannot be uninstalled, you can use SRVINSTW to uninstall it, and then download Windows
Installer's installer [address:/cfan/200410/], use winrar to unzip the file, and find ms in the unzipped folder
File, right-click and select "Install", and after restarting the system, run "msiexec /regserver" to re-register the Windows Installer service.
Part 4 Server Management
§4.1 Daily server management arrangements
Server management must be standardized and rigorous, especially when there is not only one administrator. Daily management work includes:
1. The server restarts regularly. Each server is guaranteed to restart once a week. After restarting, you need to check to confirm that the server has started and confirm that all services on the server have been restored.
Return to normal. Corresponding measures should be taken for situations where no startup or service fails to recover in time. The former can be requested to help the relevant staff of the hosting provider to restart manually, and if necessary, you can request it.
Let the connected monitor confirm whether it has started; the latter needs to remotely log in to the server for reason search and try to restore the service based on the reason.
2. Server security and performance checks, each server ensures at least twice a week to log in. The results of each inspection are required to be registered. If you need to use some tools to check
Check, you can directly find the relevant tools in e:tools. For tools that need to be temporarily found on the network, first adjust the security level of IE to high, and then search on the network, do not do it
Why not download the site without knowing it? Try to choose large websites such as Huajun and Sky to download it. After downloading, make sure that the current antivirus software has been upgraded to the latest version. After the upgrade is completed, the downloaded software will be completed.
Antivirus, and it can only be used after confirming that it is normal. If the downloaded new tool needs to be used for future maintenance, save the tool to e:tools and do it in the file in this directory
Good record accordingly, record the name, function, and usage method of the tool. And keep a backup of the winrar compressed file of the tool in the rar folder in the folder and set the decompression password.
3. The server's data backup work is to ensure that each server is backed up the system data at least once a month. The system backup is ghost, and the ghost files are stored in the e:ghost file directory.
Next, the file name is named after the backup date. For example, each server guarantees to back up application data at least once every two weeks, and each server guarantees to back up user data at least once every month.
The data of the data is fixedly stored in the e:databak folder, and corresponding subfolders are created for various data, such as serv-u user data placed in the servu folder under the folder, iis site number
The data is stored in the iis folder under this folder.
4. The server monitoring work must ensure that all server status is monitored during normal working hours every day. Once the service is found to stop, corresponding measures must be taken in a timely manner. For the discovery service is stopped, first check
Check whether the same type of service on the server is interrupted. If all services of the same type have been interrupted, log in to the server in time to check the relevant reasons and try to restart the corresponding service for this reason.
5. The server's related log operations must be cleaned once a month for each server. The corresponding logs such as application logs, security logs, system logs, etc. before cleaning should be
Select Save Log. All log files are saved in e:logs, the application logs are saved in e:logsapp, the system program logs are saved in e:logssys, and the security logs are protected.
Exist in e:logsec. For other applications, the logs are also processed in this way, such as the logs of ftp are saved in e:logsftp. All backup log files are
Name the date of the backup, such as. For logs that are not single-file, create a folder named after the date in the corresponding record location and store these files in the document
In the folder.
6. Server patch patching and application update work. For new vulnerability patches, application security updates must be posted on each server as soon as possible.
patch.
7. The server's hidden danger inspection work mainly includes safety hazards, performance and other aspects. Each server must ensure that the focus is checked separately every month. The results of each inspection must be recorded.
8. For irregular related work, all administrators must be informed of operations such as installing new applications or uninstalling applications due to application software changes or other reasons.
9. Regularly manage password changes, each server ensures that password changes at least once every two months. For SQL servers, change the system administrator password will be affected if SQL uses hybrid verification.
The use of the database will not be modified.
Related suggestions: Set up a server management record for each server. The administrator should record in detail each time he logs into the system. There are several items that need to be recorded in total: login time and log out.
Time, server status during login [including unknown process records, port connection status, system account status, memory/CPU status], detailed operation status record [details of the administrator login to the system
every step afterwards]. Whether it is a remote login operation or a physical contact operation, it must be recorded, and then archive these records according to each server and organize the documents in chronological order.
For operations such as data backup and server scheduled restart, it is recommended to group the servers, such as dividing them into four groups, backing up a group of server data on Saturday nights every month, and restarting them regularly on a certain day of the week
This is more convenient for the development of work, and these are fixed tasks. In addition, some work can be carried out simultaneously, such as monthly data backup, security check and management
The password modification work of personnel is to back up the data first, then perform security checks, and then modify the password. For required immediate operations such as installation of server patches, server irregular failure dimensions
These are immediate work, but in principle, immediate work cannot affect the arrangement of fixed work.
§4.2 Daily precautions for administrators
During the server management process, administrators need to pay attention to the following things:
1. You should keep detailed records of each operation of yourself, see the above suggestions for details for easier inspection later.
2. Strive to improve one's own level and strengthen learning.
Delete the virtual directory of the default site, stop the default web site, delete the corresponding file directory c:inetpub, configure the public settings of all sites, and set the relevant connection limit.
Other settings such as bandwidth settings and performance settings. Configure application mapping, remove all unnecessary application extensions, and only retain asp, php, cgi, pl, aspx application extensions. right
In PHP and CGI, it is recommended to use isapi to parse, and use exe to parse has an impact on security and performance. User program debugging settings send text error messages to the customer. For databases, try to acquire
Use the mdb suffix and do not need to be changed to asp. You can set an mdb extension map in IIS, and use an unrelated dll file such as C:
To prevent the database from being downloaded. Set the log saving directory of IIS and adjust the logging information. Set to send text error message. Modify the 403 error page and turn it to another page to prevent
Stop some scanner detection. In addition, to hide system information and prevent the system version information from being leaked from telnet to port 80, IIS's banner information can be modified. You can use winhex to modify it manually or
Those who use related software such as banneredit to modify it.
For the directory where the user's site is located, let me explain here that the user's FTP root directory corresponds to three files: wwwroot, database, and logfiles, which store site files and databases respectively.
Backup and logs for this site. If an intrusion occurs, you can set specific permissions to the directory where the user site is located. The directory where the picture is located will only give permissions to the column directory, and the directory where the program is located will be located.
If you do not need to generate files (such as the program that generates html), you will not give write permissions. Because virtual hosts usually cannot be meticulous in script security, they can only use the method
Users escalate permissions from scripts:
ASP security settings:
After setting permissions and services, you still need to do the following work to prevent asp *s and run the following command in the cmd window:
regsvr32/u C:\WINNT\System32\
del C:\WINNT\System32\
regsvr32/u C:\WINNT\system32\
del C:\WINNT\system32\
You can uninstall the, , components, which can effectively prevent the asp *s from passing wscript or executing commands and
Use *s to view some system-sensitive information. Another method: You can cancel the user's permissions of the above files and restart IIS to take effect. But this method is not recommended.
In addition, for FSO, the user program needs to use it, the component can be not cancelled on the server. I will only mention the prevention of FSO, but there is no need to automatically activate the virtual business server.
It is only suitable for manually opened sites. Two groups can be set for sites that require FSO and do not require FSO, and c is given to user groups that require FSO:
File execution permissions, no permissions are given if unnecessary. Restart the server and take effect.
For such settings combined with the permission settings above, you will find that the Haiyang * horse has lost its function here!
PHP security settings:
The default installation of php needs to be paid attention to:
C:\winnt\Only give users read permission. The following settings are required:
Safe_mode=on
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On [default is on, but it needs to be checked]
open_basedir = web directory
disable_functions =passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod
The default setting com.allow_dcom = true is modified to false [the previous one must be cancelled before modification;]
MySQL security settings:
If MySQL database is enabled on the server, the security settings that MySQL database need to pay attention to are:
Delete all default users in mysql, keep only the local root account, and add a complex password to the root user. When giving updatedeletealertcreatedrop permission to ordinary users
and limited to specific databases, especially to avoid ordinary customers having permission to operate mysql database. Check the table, cancel the shutdown_priv of unnecessary users, relo
ad_priv, process_priv and File_priv permissions, these permissions may leak more server information, including other information that are not mysql. You can set up a startup user for mysql.
This user only has permissions to the mysql directory. Set permissions for the data database in the installation directory (this directory stores the data information of the mysql database). For the mysql installation directory, add read to users
fetch, column directories, and execute permissions.
Serv-u security issues:
The installer should try to use the latest version, avoid using the default installation directory, set the permissions where the serv-u directory is located, and set a complex administrator password. Modify the banner information of serv-u
, set the passive mode port range (4001-4003)
Make relevant security settings in the settings in the local server: including checking anonymous passwords, disabling timeout scheduling, intercepting "FTP bounce" attacks and FXP, and for connecting more than 3 times in 30 seconds
Users intercepted for 10 minutes. The settings in the domain are: Requires complex passwords, directories only use lowercase letters, and the advanced setting is set to cancel the date that allows the MDTM command to change the file.
Change the startup user of serv-u: Create a new user in the system and set a password for a complex point, which does not belong to any group. Give the servu installation directory to the user full control permissions. Establish
A FTP root directory requires that this user be given full control permissions, because all ftp users upload, delete, and change files are inherited from the user's permissions, otherwise it will not be possible.
document. In addition, you need to give the user the read permissions to the superior directory above the directory, otherwise 530 will appear when connecting. Not logged in, home directory does not
exist. For example, when testing, the root directory of ftp is d:soft, and the user of the d disk must be given the read permissions to the user, and in order to safely cancel the inheritance permissions of other folders of the d disk. And generally use the default s
There are no problems with system startup, because system generally has these permissions.
Security settings for database servers
For dedicated MSSQL database servers, set TCP/IP filtering and IP policies as mentioned above, and only ports 1433 and 5631 are open to the outside world. For MSSQL, first you need to set a strong one for sa
Strong password, use hybrid authentication, strengthen database logging, audit database logging events "success and failure" of database login events. Delete some unwanted and dangerous OLE automatic stored procedures (will
This causes some functions in the Enterprise Manager to be unusable), these processes include the following:
Sp_OACreate Sp_OADestroy Sp_OAGetErrorInfo Sp_OAGetProperty
Sp_OAMethod Sp_OASetProperty Sp_OAStop
Remove unnecessary registry access procedures, including:
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue
Xp_regenumvalues Xp_regread Xp_regremovemultistring
Xp_regwrite
Remove other system stored procedures. If you think there is still a threat, of course you should be careful about Drop processes. You can test them on the test machine to ensure that the normal system can complete the work. These processes include
:
xp_cmdshell xp_dirtree xp_dropwebtask sp_addsrvrolemember
xp_makewebtask xp_runwebtask xp_subdirs sp_addlogin
sp_addextendedproc
Select the properties of the TCP/IP protocol in the instance properties. Selecting Hide SQL Server instances can prevent detection of port 1434 and modify the default port 1433. Remove the guest of the database
The account will be kept by unauthorized users. The exceptions are the master and tempdb databases, as they are required for their guest accounts. Also pay attention to setting up each database user
Permissions, only some permissions are given to the database of these users. Do not use the SA user to connect to any database in the program. There are suggestions on the Internet that you use protocol encryption, so don't
Do this, otherwise you can only reinstall MSSQL.
Part 2 Intrusion Detection and Data Backup
§1.1 Intrusion detection work
As a daily management of a server, intrusion detection is a very important task. In the normal detection process, it mainly includes routine server security inspections and intrusion inspections when intrusions occur.
Checking means that it is divided into security inspection during intrusion and security inspection before and after intrusion. The safety of the system follows the principle of wooden barrels. The principle of wooden barrels refers to: a wooden barrel consists of many wooden boards.
If the lengths of the wooden boards that make up the wooden barrel are different, the maximum capacity of the wooden barrel does not depend on the long board, but on the shortest board. Applying to security aspects means
The security of the system depends on the most vulnerable parts of the system, which are the focus of daily security detection.
Daily safety inspection
Daily safety inspection is mainly aimed at the security of the system, and the work is mainly carried out in accordance with the following steps:
1. Check the server status:
Open Process Manager, view server performance, and observe CPU and memory usage. Check whether there are any abnormalities such as excessive CPU and memory usage.
2. Check the current process status
Switch the Task Manager to the process and find if there are suspicious applications or background processes running. When viewing a process using the process manager, there will be a taskmgr in it, which is the process manager.
The process of the processor itself. If you are running Windows update, there will be a process. For processes that are not sure or do not know which application is opened on the server.
, you can search the process name on the Internet to determine [Process Knowledge Base:/]. If there is a process on the backdoor, it will usually take a process with the system.
Similar names, such as, at this time, you should carefully distinguish [usually, the confusing method is to change the letter o to the number 0 and the letter l to the number 1]
3. Check the system account
Open Computer Management, expand Local Users and Groups Options, view Group Options, see if there is a new account added to the administrators group, and check if there is a cloned account.
4. Check the current port opening situation
Use activeport to check the current port connection status, especially pay attention to the ports connected to the outside world, and see if there are unauthorized ports communicating with the outside world. If so, close it immediately
Close the port and record the program corresponding to the port and record it, and transfer the program to another directory for later analysis. Open Computer Management ==》Software Environment ==》Running Tasks[
Here you can view hidden processes that cannot be seen in the process manager], view the currently running program. If there is an unknown program, record the location of the program, open the task manager and end the process.
, For programs such as backdoors that use daemons, you can try to end the process tree. If it still cannot be finished, search for the program name in the registry, delete the key value, and switch to safe mode to delete
Remove the relevant program files.
5. Check system services
Run, check the service that is in the startup state, check whether there are newly added unknown services and determine the purpose of the service. For unknown services, open the service properties, check
See what the executable file corresponding to the service is. If you determine that the file is a normal file in the system, you can skip it. Check whether other normal open services exist.
On top, if there is, you can let it go. If it is impossible to determine whether the execution file is a normal file in the system and no other normal open service exists on the service, the
Service, and then test whether the various applications are normal. For some backdoors, due to the hook system API technology, the added service items cannot be seen in the service manager, so you need to call
Open the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices item in the registry to find it, and determine whether it is a backdoor by checking the names of each service and the corresponding execution files.
, * programs, etc.
6. View related logs
Run and roughly check the relevant log records in the system. When viewing, right-click on the corresponding log record and select "Properties" and set a log filter in "Filter"
, select only errors and warnings, and view the source and specific description information of the log. If you can find a solution to the error that occurs in common server troubleshooting, you can handle the problem according to this method
Question: If there is no solution, record the problem and record the event source, ID number and specific description information in detail to find a solution to the problem.
7. Check system files
Mainly check the exe and dll files of the system disk. It is recommended to use dir *.exe /s > to save all exe files on the C disk after the system is installed, and then every time you check it
Then use this command to generate a list of the time, compare the two files with FC, and do relevant checks for the DLL file. It should be noted that the original is regenerated after patching or installing the software.
Start list. Check whether the relevant system files have been replaced or whether the system has malicious programs such as * backdoors have been installed. If necessary, you can run an antivirus program once to scan the system disk.
8. Check if the security policy is changed
Open the properties of the local connection, check whether only "TCP/IP protocol" is checked in "General", open the "TCP/IP" protocol settings, click "Advanced" ==" "Options" to view "IP Security
Whether the mechanism" is the set IP policy, check whether the allowed ports for the "TCP/IP" filtering have been changed. Open "Management Tools" = "Local Security Policy" to view the IP security currently used
Whether the policy has changed.
9. Check directory permissions
Focus on checking whether the system directory and important application permissions have been changed. The directories that need to be viewed are c:;c:winnt;
C:winntsystem32;c:winntsystem32inetsrv;c:winntsystem32inetsrvdata;c:documents and
Settings; then check the serv-u installation directory to see if the permissions of these directories have changed. Check whether some important files under system32 have changed permissions, including: cmd,
Net, ftp, tftp, cacls and other files.
10. Check the start item
Mainly check the current boot self-start program. AReporter can be used to check the self-start program.
Response to invasions discovered
For intrusion incidents that are discovered immediately, the following situations are handled when the system has been damaged. If the system has not been damaged or the damage cannot be detected temporarily, follow the above inspection steps to check
After checking, consider the following measures as appropriate. The following measures should be taken immediately after the system is damaged:
Determine the way to deal with it depends on the serious situation, whether it is done remotely or on-site. If the situation is serious, it is recommended to deal with it on the spot. If field treatment is used, the first time the intrusion is discovered
The server is turned off in the computer room, and the personnel who are pending to handle disconnect the network cable when they arrive in the computer room, and then enter the system for inspection. If remote processing is adopted, if the situation is serious, all application services will be stopped as soon as possible, and change I
The P policy is to only allow remote management ports to connect and then restart the server. After restarting, connect remotely to process. Before restarting, use AReporter to check the startup self-start.
program. Then conduct a safety check.
The following treatment measures are for situations where the user's site is compromised but does not endanger the system. If the user requests to strengthen the security of his own site, the security of the user's site can be strengthened as follows:
The site root directory----only give the administrator read permissions, and the permissions are inherited.
wwwroot ------Read and write permissions to web users. Advanced has permission to delete subfolders and files
logfiles------write permission to system.
database----------read and write permissions to web users. There is no permission to delete subfolders and files in Advanced
If further modification is required, you can only give read permissions to ordinary file storage directories such as html, js, and picture folders based on the characteristics of the user site, and give permissions in the above table to script files such as asp.
. In addition, check the corresponding security logs of the user's site to find out the cause of the vulnerability and assist users in fixing the vulnerability.
§1.2 Data backup and data recovery
Data backup work is roughly as follows:
1. Back up system data once a month.
2. Two weeks after the system is backed up, the application data is backed up separately, mainly including IIS, serv-u, database and other data.
3. Ensure the security of backup data and place these data backups in a classified manner. Because basically all the full backup method is used, the data retention cycle can only be retained for that backup and the last backup.
Just two copies of the data.
Data recovery work:
1. When the system crashes or encounters other unrecoverable system normal state, first backup some changes that occurred after the last system backup, such as application, security policy, etc. settings, and restore
Restore these changes after the system is re-repaired.
2. If an application or other error occurs, it uses the latest backup data to restore related content.
Part 3 Server performance optimization
§3.1 Server performance optimization
System performance optimization
Organize the system space:
Delete the system backup file, delete driver backup, delete unused input methods, delete system help files, and uninstall infrequently used components. Minimize C disk files.
Performance optimization:
Delete unnecessary automatic startup program; reduce pre-reading and reduce progress bar waiting time; let the system automatically close the program that stops responding; disable error reporting, but notify when a serious error occurs
; Turn off automatic update and manually update the computer;
Enable hardware and DirectX acceleration; disable shutdown event tracking; disable configuration server wizard; reduce the wait time for the startup disk scan; adjust both processor planning and memory usage to the application
Up; adjust virtual memory; memory optimization; modify CPU's secondary cache; modify disk cache.
IIS performance optimization
1. Adjust IIS cache
HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Services\InetInfoParametersMemoryCacheSize
The range of MemoryCacheSize is from 0 channels 4GB, with a default value of 3072000 (3MB). Generally speaking, this value should be set to 10% of the server memory. IIS caches system handles and directories through cache
Lists and other commonly used data values to improve system performance. This parameter specifies the memory size allocated to the cache. If the value is 0, it means "no cache is done"
”. In this case, the system's performance may be degraded. If your server has busy network communication and has enough memory space, you can consider increasing this value. It must be noted that the modification note is
After the calendar, it is necessary to restart for the new value to take effect.
2. Do not turn off system services: "Protected Storage"
3. Limit access traffic
A. Limit the number of visitors to the site
B. Site bandwidth limitation. Keep HTTP connections.
C. Process limit, input CPU consumption percentage
4. Improve IIS processing efficiency
The "Application Protection" drop-down button in Application Settings" will select the "Low (IIS Process)" option from the pop-up drop-down list. The efficiency of the IIS server processor can be increased by 20%.
about. However, this setting will bring serious security issues and is not worth recommending.
5. Set up IIS server as a standalone server
A. Improve hardware configuration to optimize IIS performance
Hard disk: The hard disk space is used by NT and IIS services in the following two ways: one is to simply store data; the other is to use it as virtual memory. If you use Ultra2's SCSI hard drive, you
Significantly improve IIS performance
B. You can distribute the page exchange files of the NT server to multiple physical disks. Note that multiple "physical disks" are invalid when distributed on multiple partitions. Also, do not place page exchange files
In the same partition as the Windows NT boot zone
C. Using disk mirroring or disk stripping sets can improve disk read performance
D. It is best to store all the data in a separate partition. Then run the disk defragmenter regularly to ensure there is no fragmentation in the partition where the web server data is stored. Using NTFS
Helps reduce debris. It is recommended to use Norton's Speeddisk, which can quickly organize NTFS partitions.
6. Use HTTP compression
HTTP compression is a method of transferring compressed text content between a web server and a browser. HTTP compression uses general compression algorithms such as gzip to compress HTML, JavaScript or CSS files. Can
Use pipeboost to set it up.
7. Recycling of resources
Use IIS5Recycle to recycle process resources regularly.
§3.2 Common Troubleshooting of Servers
1. ASP's "Requested Resources are in Use" solution:
This problem is generally related to antivirus software, which is caused by installing a personal version of antivirus software on the server. This error can be solved by uninstalling the antivirus software, or you can try to re-register.
l and to solve it, run it on the command line: regsvr32 and regsvr32.
2. ASP500 error solution:
First, determine whether the problem exists on a single site or all sites. If the problem exists on a single site, it is a problem with the website program. You can open the error prompt of the site and turn IE
The "Show friendly HTTP error" message is canceled, view the specific error message, and then modify the relevant program accordingly. If all sites have this problem and the HTML page does not have this problem,
The related log shows "The server cannot load the application'/LM/W3SVC/1/ROOT'. The error is 'This interface is not supported'". It is most likely that ASP-related components in the server system are released
There is a problem. Restart the IIS service and try to solve the problem. If it cannot be solved, try to solve the problem. If it cannot be solved, you can re-fix the ASP component.
: First, delete the three things about IIS in the com component. You need to first cancel the "Prohibit Deletion" check in the advanced level in the attribute.
In the command line, enter the "cd winnt\system32\inetsrv" string command, click the Enter key, and then execute the "rundll32, CreateIISPackage" command, and then
Then execute the "regsvr32" command and the "iisreset" command in turn, and finally restart the computer operating system, so that the IIS server can respond to the ASP script correctly again.
The page is here.
3. IIS 105 error:
In the system log "The server cannot register the management tool to discover information. The management tool may not be able to see this server" Source: w3svc ID: 105
Solution: Just reinstall the netbios protocol in the network connection, and cancel the checkmark after the installation is completed.
4. MySQL service cannot start [Error code 1067] solution
An error will be reported midway when starting MySQL service! Content is: On the local computer, MySQL service cannot be started. Error 1067: The process aborted unexpectedly.
Solution: Find files in the Windows directory, edit content (if there is no such file, create a new one), at least include
Basedir and datadir are the two basic configurations.
[mysqld]
# set basedir to installation path, ., c:/mysql
# Set as the installation directory of MYSQL
basedir=D:/www/WebServer/MySQL
# set datadir to location of data directory,
# ., c:/mysql/data or d:/mydata/data
# Set as MYSQL data directory
datadir=D:/www/WebServer/MySQL/data
Note that I have not given permissions to the system user to the changed directory after changing the system temp directory.
5. The problem of DllHotst process consuming 100% CPU
The normal CPU consumption of the server should be below 75%, and the CPU consumption should fluctuate. If the server with this problem occurs, the CPU will suddenly be at a level of 100% and will not drop.
Looking at the task manager, you can find that it consumes all the CPU free time. In this case, the administrator had to restart the IIS service. Strangely, restart the IIS
Everything was fine after service, but maybe after a while, the problem reappeared.
Direct reason:
One or more ACCESS databases are corrupted during multiple read and writes. When the MDAC system writes this corrupt ACCESS file, the ASP thread is in the BLOCK state, and the other threads can only wait.
When IIS is deadlocked, all CPU time is consumed in DLLHOST.
Solution:
Download the database locally, then open it with ACCESS to perform the repair operation. Upload to the website again. If it doesn't work, just create a new ACCESS database and then import it from the original database.
Enter all tables and records. Then upload the new database to the server.
6. Error in Windows installer:
When installing the software, "You cannot access the windows installer service. Maybe you run Windows in safe mode, or Windows installer does not have the correct installation.
Pack. Please contact your support staff for help” If you try to reinstall, prompt: "The specified service already exists".
Solution:
There may be other errors about installer errors, and you can try the following solution:
First, confirm whether it is a permission problem. The prompt message will provide relevant information. If it is a permission problem, give everyone permissions to winnt directory [change the permissions back after installation.
]. If the message is prompted, you can try the following solution: Run "msiexec /unregserver" to uninstall Windows
Installer service, if it cannot be uninstalled, you can use SRVINSTW to uninstall it, and then download Windows
Installer's installer [address:/cfan/200410/], use winrar to unzip the file, and find ms in the unzipped folder
File, right-click and select "Install", and after restarting the system, run "msiexec /regserver" to re-register the Windows Installer service.
Part 4 Server Management
§4.1 Daily server management arrangements
Server management must be standardized and rigorous, especially when there is not only one administrator. Daily management work includes:
1. The server restarts regularly. Each server is guaranteed to restart once a week. After restarting, you need to check to confirm that the server has started and confirm that all services on the server have been restored.
Return to normal. Corresponding measures should be taken for situations where no startup or service fails to recover in time. The former can be requested to help the relevant staff of the hosting provider to restart manually, and if necessary, you can request it.
Let the connected monitor confirm whether it has started; the latter needs to remotely log in to the server for reason search and try to restore the service based on the reason.
2. Server security and performance checks, each server ensures at least twice a week to log in. The results of each inspection are required to be registered. If you need to use some tools to check
Check, you can directly find the relevant tools in e:tools. For tools that need to be temporarily found on the network, first adjust the security level of IE to high, and then search on the network, do not do it
Why not download the site without knowing it? Try to choose large websites such as Huajun and Sky to download it. After downloading, make sure that the current antivirus software has been upgraded to the latest version. After the upgrade is completed, the downloaded software will be completed.
Antivirus, and it can only be used after confirming that it is normal. If the downloaded new tool needs to be used for future maintenance, save the tool to e:tools and do it in the file in this directory
Good record accordingly, record the name, function, and usage method of the tool. And keep a backup of the winrar compressed file of the tool in the rar folder in the folder and set the decompression password.
3. The server's data backup work is to ensure that each server is backed up the system data at least once a month. The system backup is ghost, and the ghost files are stored in the e:ghost file directory.
Next, the file name is named after the backup date. For example, each server guarantees to back up application data at least once every two weeks, and each server guarantees to back up user data at least once every month.
The data of the data is fixedly stored in the e:databak folder, and corresponding subfolders are created for various data, such as serv-u user data placed in the servu folder under the folder, iis site number
The data is stored in the iis folder under this folder.
4. The server monitoring work must ensure that all server status is monitored during normal working hours every day. Once the service is found to stop, corresponding measures must be taken in a timely manner. For the discovery service is stopped, first check
Check whether the same type of service on the server is interrupted. If all services of the same type have been interrupted, log in to the server in time to check the relevant reasons and try to restart the corresponding service for this reason.
5. The server's related log operations must be cleaned once a month for each server. The corresponding logs such as application logs, security logs, system logs, etc. before cleaning should be
Select Save Log. All log files are saved in e:logs, the application logs are saved in e:logsapp, the system program logs are saved in e:logssys, and the security logs are protected.
Exist in e:logsec. For other applications, the logs are also processed in this way, such as the logs of ftp are saved in e:logsftp. All backup log files are
Name the date of the backup, such as. For logs that are not single-file, create a folder named after the date in the corresponding record location and store these files in the document
In the folder.
6. Server patch patching and application update work. For new vulnerability patches, application security updates must be posted on each server as soon as possible.
patch.
7. The server's hidden danger inspection work mainly includes safety hazards, performance and other aspects. Each server must ensure that the focus is checked separately every month. The results of each inspection must be recorded.
8. For irregular related work, all administrators must be informed of operations such as installing new applications or uninstalling applications due to application software changes or other reasons.
9. Regularly manage password changes, each server ensures that password changes at least once every two months. For SQL servers, change the system administrator password will be affected if SQL uses hybrid verification.
The use of the database will not be modified.
Related suggestions: Set up a server management record for each server. The administrator should record in detail each time he logs into the system. There are several items that need to be recorded in total: login time and log out.
Time, server status during login [including unknown process records, port connection status, system account status, memory/CPU status], detailed operation status record [details of the administrator login to the system
every step afterwards]. Whether it is a remote login operation or a physical contact operation, it must be recorded, and then archive these records according to each server and organize the documents in chronological order.
For operations such as data backup and server scheduled restart, it is recommended to group the servers, such as dividing them into four groups, backing up a group of server data on Saturday nights every month, and restarting them regularly on a certain day of the week
This is more convenient for the development of work, and these are fixed tasks. In addition, some work can be carried out simultaneously, such as monthly data backup, security check and management
The password modification work of personnel is to back up the data first, then perform security checks, and then modify the password. For required immediate operations such as installation of server patches, server irregular failure dimensions
These are immediate work, but in principle, immediate work cannot affect the arrangement of fixed work.
§4.2 Daily precautions for administrators
During the server management process, administrators need to pay attention to the following things:
1. You should keep detailed records of each operation of yourself, see the above suggestions for details for easier inspection later.
2. Strive to improve one's own level and strengthen learning.