Server security configuration tips



Some server security settings take only a few minutes to configure. If you skip them out of laziness and the server is maliciously damaged, recovering the data will take far more time. Setting up server security early lays the foundation; otherwise, in a crisis there will be a lot of unnecessary losses.



First, the installation of the operating system


Windows 2000 is used as the example operating system; higher versions of Windows have similar functions.


When formatting the hard disk, always format it as NTFS. Never use FAT32.


Drive C is the operating system disk, drive D holds commonly used software, and drive E holds the website. Set the disk permissions immediately after formatting is complete. Leave drive C at its defaults. On drive D, give Administrator and System full control and delete all other users. Drive E holds the website: if there is only one website, give Administrator and System full control and Everyone read access. If a certain piece of code on the website must perform write operations, change the permissions of the folder where that file is located separately.


The system installation must follow the principle of minimum service: do not select services you do not need, so that the system is installed with the minimum footprint. When installing IIS, install only the most basic necessary functions. Unnecessary, dangerous services must not be installed, for example: FrontPage 2000 Server Extensions, Internet Service Manager (HTML), FTP Services, Documentation, Indexing Services, etc.




Second, network security configuration


The most basic network security measure is the port settings. In "Local Area Connection Properties", click "Internet Protocol (TCP/IP)", click "Advanced", then click "Options" - "TCP/IP Filter". Open only the ports required for the website service. The configuration interface is shown below.




After making these settings, domain name resolution will not be available from your server, so the server itself cannot access the Internet, but external access to the server is normal. This setting is mainly to prevent DDoS attacks of a general size.



Third, security template settings


Run MMC, add the standalone snap-in "Security Configuration and Analysis", import the template basicsv.inf or securedc.inf, then click "Configure Computer Now". The system will automatically configure "Account Policy", "Local Policy", "System Services" and other settings in one step, but these configurations may cause some software to fail or run incorrectly.




Fourth, the setting of the WEB server


Take IIS as an example. Never use the WEB directory installed by default in IIS; create a new directory on the E drive instead. Then, in IIS Manager, right-click Host->Properties->WWW Service Edit->Home Directory Configuration->Application Mapping, keep only asp and asa, and delete all the others.



Fifth, ASP security


On IIS systems, most Trojans are written in ASP, so the security of ASP components is very important.


ASP Trojans actually implement their functions by calling the Shell.Application, WScript.Shell, WScript.Network, FSO, and Adodb.Stream components. Most of them can be disabled directly, except FSO.

The WScript.Shell component is removed with this command: regsvr32 WSHom.ocx /u

The WScript.Network component is removed with this command: regsvr32 wshom.ocx /u

For Shell.Application, deny Guest users access to shell32.dll to prevent this component from being called. Use the command: cacls C:\WINNT\system32\shell32.dll /e /d guests

The command to prohibit Guest users from executing cmd.exe is: cacls C:\WINNT\system32\Cmd.exe /e /d guests

Disabling the FSO component is cumbersome. If the site itself does not need this component, disable it with the command regsvr32 scrrun.dll /u. If the site itself also needs FSO, then please see this article.

In addition, using the URLScan tool provided by Microsoft to filter illegal URL requests can also play a preventive role. Of course, daily backup is also a good habit.
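
To confirm that the component settings in the ASP security section actually took effect, the following added example (not part of the original article) reports which of the named components are still registered and whether the Guests group is denied execute on shell32.dll and cmd.exe. It assumes a later Windows version with PowerShell 3 or newer, uses %SystemRoot% in place of C:\WINNT, and assumes "FSO" means the ProgID Scripting.FileSystemObject; the function names are hypothetical.

```powershell
# Added example: audit of the ASP component settings (not from the original article).
# ProgIDs named in the article; "FSO" is assumed to be Scripting.FileSystemObject.
$progIds = 'Shell.Application', 'WScript.Shell', 'WScript.Network',
           'Scripting.FileSystemObject', 'ADODB.Stream'

function Test-ComRegistered {
    param([string]$ProgId)
    # Server.CreateObject can resolve a ProgID only if it maps to a CLSID in HKCR.
    Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
}

function Test-GuestsDenied {
    param([string]$Path)
    # S-1-5-32-546 is the well-known SID of the built-in Guests group,
    # the principal targeted by "cacls ... /e /d guests".
    $guestsSid = 'S-1-5-32-546'
    $execute   = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Look for a Deny entry for Guests that covers the execute right.
        if ($rule.IdentityReference.Value -eq $guestsSid -and
            $rule.AccessControlType -eq 'Deny' -and
            (([int]$rule.FileSystemRights -band $execute) -ne 0)) {
            return $true
        }
    }
    return $false
}

$system32 = Join-Path $env:SystemRoot 'System32'
$report = foreach ($id in $progIds) {
    [pscustomobject]@{ Item = $id; Check = 'COM registered'; Result = Test-ComRegistered $id }
}
$report += foreach ($file in 'shell32.dll', 'cmd.exe') {
    [pscustomobject]@{ Item = $file; Check = 'Guests denied execute'
                       Result = Test-GuestsDenied (Join-Path $system32 $file) }
}
$report | Format-Table -AutoSize
```

With the article's commands applied, WScript.Shell and WScript.Network should show False for "COM registered" and both files should show True for "Guests denied execute"; Scripting.FileSystemObject shows False only where the site did not need FSO and it was unregistered.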