1. Move <systemroot>\System32\ to another directory, or rename it;
2. Keep as few system accounts as possible; rename the default accounts (such as Administrator), change their descriptions, and make the new names as hard to guess as possible;
3. Deny access to this computer from the network for: anonymous logon; the built-in Administrator account; Support_388945a0; Guest; all non-OS service accounts;
4. Give general users read permission only, and give full control only to Administrators and System. Doing so may stop some legitimate scripts from executing, or block operations that need write access; in that case, adjust the permissions on the folder holding those files. Test the change on a test machine first, then apply it carefully to production.
5. NTFS file permission settings (note that permissions set on a file take priority over those set on its folder):
File types:
CGI files (.exe, .dll, .cmd, .pl)
Script files (.asp)
Include files (.inc, .shtm, .shtml)
Static content (.txt, .gif, .jpg, .htm, .html)
Suggested NTFS permissions:
Everyone (execute)
Administrators (full control)
System (full control)
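The permission scheme of items 4 and 5 applied to an IIS content tree, as an added example that is not part of the original checklist. It uses the .NET ACL classes from PowerShell rather than a GUI walk-through, cuts inheritance from the volume root so a permissive parent ACL cannot leak into the web tree, and then prints the resulting entries so the change can be checked on a test machine first, as item 4 advises. The content root D:\wwwroot and the folder names are assumptions; script folders get Everyone read-and-execute (the table's "Everyone (execute)"), static folders get Everyone read (item 4's "read permissions to general users").

```powershell
# Added example, not from the original checklist. Assumed layout: D:\wwwroot\{cgi-bin,asp}
# hold CGI/script files, D:\wwwroot\{htdocs,images} hold static content. Run elevated.
$webRoot = 'D:\wwwroot'

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$rx   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$read = [System.Security.AccessControl.FileSystemRights]::Read
# Entries apply to the folder, its subfolders and its files
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Set-WebAcl {
    # Replaces the DACL of $Path with exactly the grants given (principal -> FileSystemRights).
    param([string]$Path, [hashtable]$Grants)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited entries
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that were already there
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    foreach ($principal in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, $Grants[$principal], $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# CGI and script folders: Everyone execute, full control only for Administrators and System
foreach ($d in 'cgi-bin', 'asp') {
    Set-WebAcl -Path (Join-Path $webRoot $d) -Grants @{ 'Administrators' = $full; 'SYSTEM' = $full; 'Everyone' = $rx }
}
# Static content: Everyone read only
foreach ($d in 'htdocs', 'images') {
    Set-WebAcl -Path (Join-Path $webRoot $d) -Grants @{ 'Administrators' = $full; 'SYSTEM' = $full; 'Everyone' = $read }
}

# Verify: list the effective entries and flag any full-control grant outside Administrators/System
foreach ($dir in Get-ChildItem $webRoot | Where-Object { $_.PSIsContainer }) {
    $dir.FullName
    $entries = (Get-Acl $dir.FullName).Access
    $entries | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    foreach ($e in $entries) {
        if ($e.FileSystemRights -eq $full -and $e.IdentityReference -notmatch 'Administrators|SYSTEM') {
            Write-Warning ("{0}: unexpected Full Control for {1}" -f $dir.FullName, $e.IdentityReference)
        }
    }
}
```

Inheritance is cut per folder rather than at the root so that each folder's ACL is self-contained; if you prefer to cut it once at the root, apply Set-WebAcl to $webRoot and let the subfolders inherit, then adjust only the static folders.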
6. Disable the default C$ and D$ shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer REG_DWORD 0x0
7. Disable the default ADMIN$ share
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks REG_DWORD 0x0
8. Restrict the default IPC$ share
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous REG_DWORD:
0x0 Default
0x1 Anonymous users cannot enumerate the local user list
0x2 Anonymous users cannot connect to the local IPC$ share
Note: value 2 is not recommended, because some services, such as SQL Server, may then fail to start.
9. Give users only the permissions they actually need. The principle of least privilege is an important guarantee of security.
10. Enable the corresponding audits under Local Security Policy -> Audit Policy. Recommended audit settings:
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Success, Failure
Auditing too few categories means that when you need to look something up there is no record, which makes the audit useless; auditing too many not only consumes system resources but also leaves you no time to read the logs, which defeats the purpose of auditing. Related settings:
Under Account Policy -> Password Policy:
Password must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
Under Account Policy -> Account Lockout Policy:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
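The audit, password and lockout settings of item 10 as a security template applied with secedit, added here as an example; it is not part of the original checklist. In the [Event Audit] section the values mean 1 = Success, 2 = Failure, 3 = both; the [System Access] keys are the standard secedit names for the policies listed above. The scratch paths under $env:TEMP are assumptions. The final export shows what actually took effect, which is the check worth keeping after any policy change.

```powershell
# Added example, not from the original checklist. Run elevated. The template values are the
# checklist's own; only the scratch file locations are assumptions.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 30
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20
[Event Audit]
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditDSAccess = 2
AuditAccountLogon = 3
'@

$inf = Join-Path $env:TEMP 'hardening.inf'   # assumed scratch location
$db  = Join-Path $env:TEMP 'hardening.sdb'
$log = Join-Path $env:TEMP 'hardening.log'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the SECURITYPOLICY area (account and audit policy); file and registry ACLs are untouched.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log

# Check what took effect: export the live policy and show the relevant lines.
$current = Join-Path $env:TEMP 'current.inf'
secedit /export /cfg $current /areas SECURITYPOLICY
Get-Content $current | Select-String 'Password|Lockout|^Audit'
```

On a domain member the domain policy overrides the local account policy, so the exported values are the ones to trust rather than the template.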
11. Configure security auditing under Terminal Services Configuration - Permissions - Advanced. Generally, recording logon and logoff events is enough.
12. Unbind NetBIOS from TCP/IP
Control Panel - Network - Bindings - NetBIOS Interface - Disable
Windows 2000: Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - TCP/IP - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP
13. Enable TCP/IP filtering on the network connection and open only the necessary ports (such as 80)
14. Disable null sessions on port 139 by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
15. Change the packet time to live (TTL) value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default value 128)
16. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect REG_DWORD 0x2 (default value is 0x0)
17. Do not respond to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery REG_DWORD 0x0 (default value is 0x2)
18. Protect against ICMP redirect attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirects REG_DWORD 0x0 (default value is 0x1)
19. Disable IGMP support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IGMPLevel REG_DWORD 0x0 (default value is 0x2)
20. Set the ARP cache aging time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife REG_DWORD 0-0xFFFFFFFF (seconds, default value 120)
ArpCacheMinReferencedLife REG_DWORD 0-0xFFFFFFFF (seconds, default value 600)
21. Disable dead gateway detection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect REG_DWORD 0x0 (default value is 0x1)
22. Disable IP routing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter REG_DWORD 0x0 (default value is 0x0)
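An audit script for the registry values in items 6-8 and 16-22, added as an example that is not part of the original checklist. It reads each value from the live registry, reports OK, DRIFT or MISSING, and only writes when run with -Apply, so it can double as a daily drift check. Item 15 (DefaultTTL) and item 20 (ARP cache lifetimes) are left out because the checklist gives ranges and defaults rather than a target value; RestrictAnonymous is checked for 1, not 2, following the note under item 8 and item 14. Item 17 is set per interface, so the script enumerates the Interfaces subkeys at run time.

```powershell
# Added example, not from the original checklist. Run elevated; without -Apply it only reports.
param([switch]$Apply)

$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# The checklist's own values (all REG_DWORD)
$wanted = @(
    @{ Path = $lanman; Name = 'AutoShareServer';     Value = 0 },  # item 6: C$/D$
    @{ Path = $lanman; Name = 'AutoShareWks';        Value = 0 },  # item 7: ADMIN$
    @{ Path = $lsa;    Name = 'RestrictAnonymous';   Value = 1 },  # items 8/14: 1, not 2
    @{ Path = $tcpip;  Name = 'SynAttackProtect';    Value = 2 },  # item 16
    @{ Path = $tcpip;  Name = 'EnableICMPRedirects'; Value = 0 },  # item 18
    @{ Path = $tcpip;  Name = 'IGMPLevel';           Value = 0 },  # item 19
    @{ Path = $tcpip;  Name = 'EnableDeadGWDetect';  Value = 0 },  # item 21
    @{ Path = $tcpip;  Name = 'IPEnableRouter';      Value = 0 }   # item 22
)
# Item 17 lives under each interface GUID
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $wanted += ,@{ Path = $iface.PSPath; Name = 'PerformRouterDiscovery'; Value = 0 }
}

$report = foreach ($w in $wanted) {
    $item    = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($w.Name) } else { $null }
    $state   = if ($null -eq $current) { 'MISSING' } elseif ($current -eq $w.Value) { 'OK' } else { 'DRIFT' }
    if ($Apply -and $state -ne 'OK') {
        if (-not (Test-Path $w.Path)) { New-Item -Path $w.Path -Force | Out-Null }
        Set-ItemProperty -Path $w.Path -Name $w.Name -Value $w.Value -Type DWord
        $state = "$state -> set"
    }
    New-Object PSObject -Property @{ State = $state; Name = $w.Name; Current = $current; Wanted = $w.Value; Path = $w.Path }
}
$report | Format-Table State, Name, Current, Wanted, Path -AutoSize
```

The TCP/IP values take effect after a reboot, so a DRIFT line right after -Apply on a running system is expected until the next restart.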
Install and configure IIS services:
1. Install only the necessary IIS components (disable unneeded services such as FTP and SMTP).
2. Enable only the necessary services and Web Service Extensions; recommended configuration:
Component name in UI | Setting | Rationale
Background Intelligent Transfer Service (BITS) Server Extensions | Enable | BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. This component must be present if you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server automatically.
Common Files | Enable | IIS requires these files; be sure they are enabled on the IIS server.
File Transfer Protocol (FTP) Service | Disabled | Lets the IIS server provide FTP services. Not required on a dedicated IIS server.
FrontPage 2002 Server Extensions | Disabled | Provides FrontPage support for managing and publishing Web sites. If no Web site uses the FrontPage extensions, disable this component on a dedicated IIS server.
Internet Information Services Manager | Enable | The IIS management interface.
Internet Printing | Disabled | Provides Web-based printer management and allows printers to be shared over HTTP. Not required on a dedicated IIS server.
NNTP Service | Disabled | Distributes, queries, retrieves and posts Usenet news articles on the Internet. Not required on a dedicated IIS server.
SMTP Service | Disabled | Supports the transfer of e-mail. Not required on a dedicated IIS server.
World Wide Web Service | Enable | Provides Web services and static and dynamic content to clients. Required on a dedicated IIS server.
World Wide Web Service subcomponents
Component name in UI | Installation option | Rationale
Active Server Pages | Enable | Provides ASP support. If no Web site or application on the IIS server uses ASP, disable this component, or disable it through Web Service Extensions.
Internet Data Connector | Disabled | Provides dynamic content support through files with the .idc extension. If no Web site or application on the IIS server includes .idc files, disable this component, or disable it through Web Service Extensions.
Remote Administration (HTML) | Disabled | Provides an HTML interface for managing IIS. Using IIS Manager instead makes management easier and reduces the attack surface of the IIS server. Not required on a dedicated IIS server.
Remote Desktop Web Connection | Disabled | Includes Microsoft ActiveX controls and sample pages for hosting Terminal Services client connections. Using IIS Manager instead makes management easier and reduces the attack surface of the IIS server. Not required on a dedicated IIS server.
Server Side Includes | Disabled | Provides support for .shtm, .shtml and .stm files. If no Web site or application on the IIS server uses include files with these extensions, disable this component.
WebDAV | Disabled | WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock and manage resources on the Web. Disable this component on a dedicated IIS server, or disable it through Web Service Extensions.
World Wide Web Service | Enable | Provides Web services and static and dynamic content to clients. Required on a dedicated IIS server.
3. Keep the IIS directories and data off the system disk, on a dedicated disk partition.
4. In IIS Manager, remove all application mappings except the necessary ones (keep necessary mappings such as .asp).
5. In IIS, redirect the HTTP 404 "Object Not Found" error page to a custom HTM file via URL.
6. Web site permission settings (suggested)
Web site permission | Authorization granted
Read | Allow
Write | Not allowed
Script source access | Not allowed
Directory browsing | Recommended off
Log visits | Recommended off
Index this resource | Recommended off
Execute permissions | Recommended "Scripts only"
7. Use the W3C Extended log file format, with daily log files recording the client IP address, user name, server port, method, URI stem, HTTP status and user agent, and review the logs every day. (Avoid the default log directory: change the log path, and set permissions on it so that only Administrators and System have Full Control.)
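A daily review of the W3C Extended log that item 7 asks for, added here as an example; it is not part of the original checklist. The parser keys each request by the names in the #Fields: directive, so it keeps working if the column order chosen in IIS differs from the sample, and the report groups error responses by client address, which is where a burst of 404s against scripts and sample pages that the site does not have shows up. The log text is constructed sample data using documentation addresses (192.0.2.0/24), not a real server's log; in practice read the current file from the relocated log directory. The alert threshold of 3 failures is an assumption.

```powershell
# Added example, not from the original checklist. The log content below is constructed.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-01-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2003-01-01 00:00:01 192.0.2.10 - 80 GET /default.asp 200 Mozilla/4.0+(compatible)
2003-01-01 00:00:02 192.0.2.10 - 80 GET /images/logo.gif 200 Mozilla/4.0+(compatible)
2003-01-01 00:00:03 192.0.2.77 - 80 GET /scripts/admin.asp 404 probe/1.0
2003-01-01 00:00:04 192.0.2.77 - 80 GET /_vti_bin/shtml.dll 404 probe/1.0
2003-01-01 00:00:05 192.0.2.77 - 80 GET /printers/ 404 probe/1.0
2003-01-01 00:00:06 192.0.2.77 - 80 POST /login.asp 500 probe/1.0
2003-01-01 00:00:07 192.0.2.20 alice 80 GET /reports/list.asp 200 Mozilla/4.0+(compatible)
'@

function ConvertFrom-W3CLog {
    # Builds one object per request with properties named from the #Fields: directive.
    # IIS replaces spaces inside field values (such as the user agent) with '+', so a
    # plain split on spaces is safe.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split ' '
        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
        }
        $entry
    }
}

$entries  = ConvertFrom-W3CLog -Lines ($sampleLog -split "`r?`n")
$failures = $entries | Where-Object { [int]$_.'sc-status' -ge 400 }

# Error responses per client address, with the distinct paths that were requested
$byClient = $failures | Group-Object 'c-ip' | Sort-Object Count -Descending | ForEach-Object {
    $paths = @($_.Group | ForEach-Object { $_.'cs-uri-stem' } | Sort-Object -Unique)
    New-Object PSObject -Property @{ ClientIP = $_.Name; Failures = $_.Count; Paths = ($paths -join ' ') }
}
$byClient | Format-Table ClientIP, Failures, Paths -AutoSize

# Threshold is an assumption; tune it to the site's normal error rate
foreach ($c in $byClient) {
    if ($c.Failures -ge 3) {
        Write-Warning ("{0}: {1} error responses today, check for probing" -f $c.ClientIP, $c.Failures)
    }
}
```

With the sample data the table shows 192.0.2.77 with 4 failures and the warning fires for it only; the other clients produce no error rows.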
8. Program security:
1) Code that handles user names and passwords should be encapsulated on the server side and appear as little as possible in ASP files; the account used for the database connection should have the minimum permissions;
2) An ASP page that requires authentication can check the file name of the referring page, so that only sessions arriving from that previous page can read it;
3) Prevent leakage of ASP .inc include files;
4) Prevent leakage of the files generated by UE and other editors.
Security updates
Apply all required service packs, and apply updated patches manually on a regular basis.
Install and configure antivirus protection
NAV (Norton AntiVirus) 8.1 or later is recommended (configured to update automatically at least once a week).
Install and configure firewall protection
The latest version of the BlackICE Server Protection firewall is recommended (simple to configure and practical).
Monitoring solution
Install and configure the MOM agent or a similar monitoring solution as required.
Strengthen data backups
Back up Web data regularly so that it can be restored to a recent state after a problem occurs.
Consider implementing IPSec filters
Block ports with IPSec filters
Internet Protocol Security (IPSec) filters provide an effective way to raise a server's security to the required level. This guide recommends using them in the high-security environment it defines, to further reduce the server's attack surface.
For more information on using IPSec filters, see the member server hardening procedures in the guide's other modules.
The following table lists all IPSec filters that can be created on an IIS server in the high-security environment defined in this guide.
Service | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored
Terminal Services | TCP | Any | 3389 | Any | ME | Allow | Yes
HTTP Server | TCP | Any | 80 | Any | ME | Allow | Yes
HTTPS Server | TCP | Any | 443 | Any | ME | Allow | Yes
All rules listed in the table above should be mirrored when implemented. This ensures that any network traffic entering the server can also return to its source.
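The three filters from the table created with the netsh ipsec static context, added as an example that is not part of the original guide. The table lists only the permit entries; the catch-all block rule at the end is an assumption about how they are meant to be used (permits as exceptions to a default block, which is what "block ports with IPSec filters" implies), and IPSec applies the most specific matching filter, so the port-specific permits win over it. Policy, filter list and filter action names are assumptions. The policy is created unassigned and shown for review; assigning it is the last, commented-out line, because a wrong rule on a remote server cuts off Terminal Services too.

```powershell
# Added example, not from the original guide. Run elevated on Windows Server 2003.
$policy = 'IISHardening'   # assumed policy name

netsh ipsec static add policy name=$policy assign=no

# Filter actions: one to permit, one to block
netsh ipsec static add filteraction name=PermitTraffic action=permit
netsh ipsec static add filteraction name=BlockTraffic action=block

# Table entries: source any, destination this machine (ME), mirrored so replies get back out
netsh ipsec static add filterlist name=AllowedInbound
$services = @(
    @{ Name = 'TerminalServices'; Port = 3389 },
    @{ Name = 'HTTPServer';       Port = 80 },
    @{ Name = 'HTTPSServer';      Port = 443 }
)
foreach ($s in $services) {
    # srcport=0 means any source port
    netsh ipsec static add filter filterlist=AllowedInbound srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=$($s.Port) mirrored=yes description=$($s.Name)
}

# Assumed catch-all: everything else addressed to this machine
netsh ipsec static add filterlist name=AllInbound
netsh ipsec static add filter filterlist=AllInbound srcaddr=any dstaddr=me protocol=ANY mirrored=yes description=AllOtherTraffic

# Rules tie a filter list to an action inside the policy
netsh ipsec static add rule name=AllowServices policy=$policy filterlist=AllowedInbound filteraction=PermitTraffic
netsh ipsec static add rule name=BlockRest policy=$policy filterlist=AllInbound filteraction=BlockTraffic

# Review the result before assigning
netsh ipsec static show policy name=$policy level=verbose
# netsh ipsec static set policy name=$policy assign=y
```

If the server needs outbound connections of its own (DNS, Windows Update, backups), those need permit filters as well before the block rule is assigned; the mirrored permits above only cover sessions initiated by clients.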
SQL Server security hardening
Step | Description
MDAC upgrade
Install the latest MDAC.
Password policy
Since the sa user name in SQL Server cannot be changed and this superuser cannot be deleted, it must be given the strongest protection, including a very strong password, and it is best not to use the sa account in database applications: create a new superuser with the same permissions as sa to manage the database. Also get into the habit of changing passwords regularly. Database administrators should check regularly for accounts that do not meet the password requirements, for example with the following SQL statement:
USE master
SELECT name, password FROM syslogins WHERE password IS NULL
Database logging
For "failure and success" of database login events, select "Security" in the instance properties and set the audit level to All. Login events for all accounts are then recorded in detail in the database and operating-system logs.
Manage extended stored procedures
xp_cmdshell is the easiest shortcut into the operating system and is a big backdoor left by the database into the operating system; remove it with this SQL statement:
USE master
EXEC sp_dropextendedproc 'xp_cmdshell'
If you need this stored procedure later, restore it with this statement (xplog70.dll is the DLL that implements xp_cmdshell on SQL Server 2000):
EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
The OLE Automation stored procedures (removing them makes some features in Enterprise Manager unusable) include the following and can be removed if not needed:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
Remove the unneeded registry-access stored procedures; these can even read the operating-system administrator's password. They are:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regremovemultistring xp_regwrite
Hiding from TCP/IP port scans
In the instance properties, open the TCP/IP protocol properties and select "Hide SQL Server instance".
Change the default port 1433 in line with the earlier configuration.
Rejecting UDP port 1434 in the IPSec filters hides SQL Server as far as possible.
IP restriction on network connections
Use the operating system's built-in IPSec to secure IP packets: restrict IP connections so that only your own IP addresses can reach the server and port connections from other IPs are denied.
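A check that the two stored-procedure steps above have actually been carried out, added as an example; it is not part of the original checklist. It runs the null-password query from the Password policy step and then asks master which of the extended procedures listed under "Manage extended stored procedures" still exist (xtype 'X' in sysobjects marks an extended stored procedure). The server name and the non-default port are assumptions, following the advice to move off 1433; the connection uses the caller's Windows identity.

```powershell
# Added example, not from the original checklist. dbhost and port 14433 are assumptions.
Add-Type -AssemblyName System.Data
$connString = 'Server=tcp:dbhost,14433;Database=master;Integrated Security=SSPI'

function Invoke-SqlColumn {
    # Runs a query and returns the first column of every row.
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetValue(0) }
        $reader.Close()
    } finally {
        $conn.Close()
    }
}

# 1. Logins with a NULL password: the checklist's own query, reduced to the login name
$nullPassword = @(Invoke-SqlColumn $connString 'SELECT name FROM syslogins WHERE password IS NULL')
foreach ($n in $nullPassword) { Write-Warning "login '$n' has a NULL password" }

# 2. Extended procedures the checklist says to remove when they are not needed
$watch = @('xp_cmdshell',
    'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty',
    'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop',
    'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regenumvalues',
    'xp_regread', 'xp_regremovemultistring', 'xp_regwrite')
$inList  = ($watch | ForEach-Object { "'$_'" }) -join ','
$present = @(Invoke-SqlColumn $connString "SELECT name FROM sysobjects WHERE xtype = 'X' AND name IN ($inList)")

foreach ($p in $watch) {
    if ($present -contains $p) { "STILL PRESENT: $p" } else { "removed: $p" }
}
```

Run it from the hardening account rather than sa, so the check itself follows the advice not to use sa in day-to-day work; it needs only read access to master's system tables.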
Attachment: recommended list of services to disable on Windows 2003
Name | Service name | Recommended setting
Automatic Updates | wuauserv | Disabled
Background Intelligent Transfer Service | BITS | Disabled
Computer Browser | Browser | Disabled
DHCP Client | Dhcp | Disabled
NTLM Security Support Provider | NtLmSsp | Disabled
Network Location Awareness | NLA | Disabled
Performance Logs and Alerts | SysmonLog | Disabled
Remote Administration Service | SrvcSurg | Disabled
Remote Registry Service | RemoteRegistry | Disabled
Server | lanmanserver | Disabled
TCP/IP NetBIOS Helper Service | LmHosts | Disabled
Terminal Services | TermService | Disabled
Windows Installer | MSIServer | Disabled
Windows Management Instrumentation Driver Extensions | Wmi | Disabled
WMI Performance Adapter | WMIApSrv | Disabled
Error Reporting | ErrRep | Disabled