Top Ten Steps to Building a Secure Personal Web Server


Windows Server 2003 security is greatly improved compared to Windows 2000, but is it really safe to run Windows Server 2003 as a server? How do you build a secure personal web server on it? Here is a brief introduction.

I. Installing Windows Server 2003

1. Install the system on a disk with at least two partitions, all formatted as NTFS.

2. Install the 2003 system with the network disconnected.

3. Install IIS, but only the IIS components you actually need (disable unneeded ones such as the FTP and SMTP services). By default the IIS service is not installed. Select "Application Server" in Add/Remove Windows Components, click "Details", double-click Internet Information Services (IIS), and check the following options:

Internet Information Service Manager;

Common Files;

Background Intelligent Transfer Service (BITS) Server Extensions;

World Wide Web Service.

If you use FrontPage-extended Web sites, also check FrontPage 2002 Server Extensions.

4. Install MSSQL and any other required software, then apply all updates.

5. Use the MBSA (Microsoft Baseline Security Analyzer) tool provided by Microsoft to analyze your computer's security configuration and identify missing patches and updates. Download address: see the link at the end of the page.

II. Setting up and managing accounts

1. Create as few system administrator accounts as possible, and change the name and description of the default administrator account (Administrator). Its password should mix digits, uppercase and lowercase letters and shifted symbols, and should preferably be no shorter than 14 characters.

2. Create a new trap account named Administrator, give it the minimum permissions, and set a password of preferably no fewer than 20 characters.

3. Disable the Guest account, change its name and description, and set a complex password. There is now a DelGuest tool which may let you delete the Guest account, but I have not tried it.

4. Type gpedit.msc in Run and press Enter to open the Group Policy Editor. Select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, and set the lockout threshold to 3 invalid logon attempts, the lockout duration to 30 minutes, and the reset lockout counter to 30 minutes.

5. Under Security Settings - Local Policies - Security Options, enable "Do not display last user name".

6. Under Security Settings - Local Policies - User Rights Assignment, for "Access this computer from the network" keep only the Internet guest account and the account that starts the IIS process. If you use ASP.NET, you also need to keep the ASPNET account.

7. Create an ordinary User account and run the system under it. When you need to run a privileged command, use the Runas command.

III. Network Service Security Management

1. Disable the default shares C$, D$, ADMIN$, etc.

Open the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, create a new DWORD value in the right-hand pane named AutoShareServer, and set it to 0.

2. Unbind NetBIOS from the TCP/IP protocol

Right-click Network Neighborhood - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol (TCP/IP) - Advanced - WINS - Disable NetBIOS over TCP/IP

3. Turn off unneeded services. The following are suggested:

Computer Browser: maintains the list of computers on the network; disable

Distributed File System: manages shared files on the LAN; disable if not needed

Distributed Link Tracking Client: updates link information on the LAN; disable if not needed

Error Reporting Service: sends error reports; disable

Microsoft Search: provides fast full-text search; disable if not needed

NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed

Print Spooler: disable if there is no printer

Remote Registry: allows remote modification of the registry; disable

Remote Desktop Help Session Manager: Remote Assistance; disable
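The three steps of this section can be applied and checked from one script instead of through regedit and the Services console. The following is an added example, not code from the original article; it assumes PowerShell is installed on the Windows Server 2003 host and that it runs as an administrator. The short service names in the table are assumed to be the standard Server 2003 names (confirm with Get-Service before relying on them), and the NetbiosOptions value is the registry form of the "Disable NetBIOS over TCP/IP" radio button.

```powershell
# Added example (not from the original article). Assumes PowerShell is installed
# on the Windows Server 2003 host and the script is run as an administrator.
# Section III, steps 1-3: administrative shares, NetBIOS over TCP/IP, unneeded services.

# Step 1: stop the Server service from recreating C$, D$, ADMIN$ at startup.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord

# Step 2: disable NetBIOS over TCP/IP on every interface.
#         NetbiosOptions: 0 = use the DHCP setting, 1 = enable, 2 = disable.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $netbt | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# Step 3: services the article recommends turning off, keyed by short service
#         name. The short names are assumed; verify each with Get-Service.
$services = @{
    'Browser'        = 'Computer Browser'
    'Dfs'            = 'Distributed File System'
    'TrkWks'         = 'Distributed Link Tracking Client'
    'ERSvc'          = 'Error Reporting Service'
    'MSSearch'       = 'Microsoft Search'
    'NtLmSsp'        = 'NTLM Security Support Provider'
    'Spooler'        = 'Print Spooler'
    'RemoteRegistry' = 'Remote Registry'
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
}

foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Write-Host ("{0,-15} not installed, skipping" -f $name)
        continue
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Host ("{0,-15} ({1}) stopped and disabled" -f $name, $services[$name])
}

# Check: anything from the table that is still not Disabled is listed here.
Get-WmiObject Win32_Service |
    Where-Object { $services.ContainsKey($_.Name) -and $_.StartMode -ne 'Disabled' } |
    Select-Object Name, StartMode, State
```

The final WMI query is the part worth keeping around: run it again after patching or after installing new software, since installers sometimes re-enable services such as the Print Spooler or Remote Registry.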

IV. Enable the corresponding audit policy

Type gpedit.msc in Run and press Enter to open the Group Policy Editor, then select Computer Configuration - Windows Settings - Security Settings - Audit Policy. Take care when choosing what to audit: the more items you audit, the more events are generated and the harder it becomes to find the serious incidents among them; audit too little and you may miss those incidents altogether. You need to strike a balance between the two.
The recommended items to audit are:

Audit logon events: Success, Failure

Audit account logon events: Success, Failure

Audit system events: Success, Failure

Audit policy change: Success, Failure

Audit object access: Failure

Audit directory service access: Failure

Audit privilege use: Failure
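The account settings of section II (steps 1, 3, 4 and 5) and the audit policy above are all local security policy, which Windows Server 2003 can load from a security template with the built-in secedit tool rather than clicking through gpedit.msc. The following is an added example, not code from the original article; it assumes PowerShell is installed, that the script runs as an administrator on a stand-alone (non-domain-controller) server, and that the new account names and the C:\harden path are placeholders to be replaced with your own. The audit value encoding (0 = none, 1 = success, 2 = failure, 3 = both) is the standard template format.

```powershell
# Added example (not from the original article). Assumes PowerShell is installed,
# administrator rights, and a stand-alone server. Applies section II steps 1, 3-5
# and the section IV audit policy through a secedit security template.

$NewAdminName = 'SrvOps-Example'   # placeholder rename target, choose your own
$NewGuestName = 'Visitor-Example'  # placeholder rename target, choose your own
$inf = 'C:\harden\harden.inf'      # placeholder paths
$db  = 'C:\harden\harden.sdb'
$log = 'C:\harden\harden.log'

# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
# DontDisplayLastUserName=4,1 means REG_DWORD (4) with value 1 (enabled).
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
NewAdministratorName = "$NewAdminName"
NewGuestName = "$NewGuestName"
EnableGuestAccount = 0
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2
"@

New-Item -ItemType Directory -Path (Split-Path $inf) -Force | Out-Null
# Unicode=yes in the header means the file itself must be UTF-16.
$template | Out-File -FilePath $inf -Encoding Unicode

# Apply only the policy areas the template covers.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet

# Section II step 2: only after the real account has been renamed above, create
# the decoy "Administrator" with a random password (printed once by /random)
# and remove it from the Users group so it carries no rights of its own.
net user Administrator /add /random /comment:"Built-in account for administering the computer/domain"
net localgroup Users Administrator /delete

# Checks: lockout settings as applied, and any error lines secedit logged.
net accounts
Get-Content $log | Select-String -Pattern 'error' -SimpleMatch
```

Keep the .inf file: the same template applied with secedit /analyze instead of /configure reports every setting that has drifted from it, which is a cheap way to re-check a server after an update.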

V. Other Security Related Settings

1. Hide important files/directories

You can hide them completely by modifying the registry: under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", right-click "CheckedValue", choose Modify, and change the value from 1 to 0.

2. Enable the system's built-in Internet Connection Firewall and, in its Services settings, check the Web Server option.

3. Protect against SYN flood attacks

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters

Create a new DWORD value named SynAttackProtect with a value of 2.

4. Disable responses to ICMP router advertisement messages

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface

Create a new DWORD value named PerformRouterDiscovery with a value of 0.

5. Prevent ICMP redirect packet attacks

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters

Set the EnableICMPRedirects value to 0.

6. Disable IGMP support

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters

Create a new DWORD value named IGMPLevel with a value of 0.

7. Disable DCOM:

Type Dcomcnfg.exe in Run and press Enter, click Component Services under Console Root, and open the Computers subfolder.

For the local computer, right-click on "My Computer" and select "Properties". Select the "Default Properties" tab.

Clear the "Enable distributed COM on this computer" checkbox.
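Steps 3 to 7 of this section are all registry values, so they can be set and read back together; a read-back matters here because a value created with the wrong type or a typo in its name is silently ignored by the TCP/IP stack. The following is an added example, not code from the original article; it assumes PowerShell is installed and the script runs as an administrator. Step 1 is left out because it only changes what Explorer displays and does not restrict access to the files. The EnableDCOM value is the registry form of the dcomcnfg checkbox in step 7. Note that Windows Server 2003 documents SynAttackProtect as 0 or 1 (1 enables the protection); the value 2 below is kept as the article gives it, which matches the author's note that these settings were taken from Server 2000.

```powershell
# Added example (not from the original article). Assumes PowerShell is installed
# and the script runs as an administrator. Applies section V steps 3-7 through the
# registry and reads each value back. The TCP/IP values take effect after a reboot.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Intended values, keyed by value name.
#   SynAttackProtect    2 = SYN-flood mitigation as given in the article
#                           (Server 2003 documents 0 or 1, where 1 enables it)
#   EnableICMPRedirects 0 = ignore ICMP redirects that would rewrite the route table
#   IGMPLevel           0 = no multicast (IGMP) support
$wanted = @{
    'SynAttackProtect'    = 2
    'EnableICMPRedirects' = 0
    'IGMPLevel'           = 0
}

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    # Set-ItemProperty creates the value when it does not exist yet.
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    $state = 'MISMATCH'
    if ($actual -eq $Value) { $state = 'ok' }
    Write-Host ("{0,-22} {1,-8} wanted {2}, read back {3}  [{4}]" -f $Name, $state, $Value, $actual, $Path)
}

foreach ($name in $wanted.Keys) {
    Set-Dword $tcpip $name $wanted[$name]
}

# Step 4: PerformRouterDiscovery is per interface, so walk every interface key
#         instead of guessing which GUID the article's "interface" stands for.
$ifaces = Join-Path $tcpip 'Interfaces'
Get-ChildItem $ifaces | ForEach-Object {
    Set-Dword $_.PSPath 'PerformRouterDiscovery' 0
}

# Step 7: registry form of dcomcnfg's "Enable Distributed COM on this computer".
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
Set-ItemProperty -Path $ole -Name EnableDCOM -Value 'N' -Type String
Write-Host ("EnableDCOM now {0}" -f (Get-ItemProperty -Path $ole -Name EnableDCOM).EnableDCOM)
```

Any line reporting MISMATCH means the value could not be written as a DWORD (for example because an existing value of a different type has the same name) and should be inspected in regedit before rebooting.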

Note: I have used the settings in items 3-6 on Server 2000. I have not tested whether they work on 2003, but one thing is certain: in the time I have spent with them I have not discovered any side effects.

Copyright © Windows knowledge All Rights Reserved