Ten steps to building a secure personal web server


Windows Server 2003 is considerably more secure out of the box than Windows 2000, but is it safe enough to use as an Internet-facing server, and how do you build a secure personal web server on it? The steps below give a brief guide.

I. Windows Server 2003 installation

1. Install the system with at least two partitions, all formatted as NTFS so that file and directory permissions can be applied (the second partition is for the web content, away from the system files).

2. Install the 2003 system while disconnected from the network, and stay disconnected until it is patched and hardened.

3. Install IIS with only the components you need (leave out FTP, SMTP and the other optional services). IIS is not installed by default: in Add/Remove Windows Components select "Application Server", click "Details", double-click Internet Information Services (IIS) and check the following:

Internet Information Services Manager;

Common Files;

Background Intelligent Transfer Service (BITS) Server Extensions;

World Wide Web Service.

If your site uses FrontPage Server Extensions, also check FrontPage 2002 Server Extensions.

4. Install MSSQL and whatever other software the site needs, then run Windows Update to apply all patches for the system and for the software you installed.

5. Use Microsoft's MBSA (Microsoft Baseline Security Analyzer) to analyse the machine's security configuration and list missing patches and updates. Download: see the link at the end of the page.
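A post-install check for the steps in this section, added here as an example and not part of the original article: it confirms every fixed disk is NTFS, reports which IIS services exist (only the World Wide Web Publishing Service should), and runs MBSA's command-line scanner. It assumes PowerShell 2.0 is installed on the Windows Server 2003 host, that it runs as an administrator, and that mbsacli.exe sits at the default MBSA 2.x install path (an assumption).

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 on
# Windows Server 2003, run as an administrator.

# 1. Every fixed disk (DriveType 3) must be NTFS; FAT volumes have no ACLs.
function Get-NonNtfsVolumes {
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { $_.DeviceID }
}

# 2. IIS services that should or should not be present. Only the World Wide
#    Web Publishing Service is wanted; FTP, SMTP and NNTP are optional
#    components and exist as services only if they were installed.
$iisServices = @{
    'W3SVC'    = 'World Wide Web Publishing Service (required)'
    'MSFtpsvc' = 'FTP Publishing Service (remove)'
    'SMTPSVC'  = 'Simple Mail Transfer Protocol (remove)'
    'NntpSvc'  = 'Network News Transfer Protocol (remove)'
}

$nonNtfs = @(Get-NonNtfsVolumes)
if ($nonNtfs.Count -eq 0) { 'All fixed volumes are NTFS' }
else { 'FIX: not NTFS: ' + ($nonNtfs -join ', ') }

foreach ($name in $iisServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "{0,-9} installed ({1}): {2}" -f $name, $svc.Status, $iisServices[$name] }
    else      { "{0,-9} absent: {1}"          -f $name, $iisServices[$name] }
}

# 3. Missing updates: run the MBSA 2.x command-line scanner against this host.
#    /target and /o (report name template) are MBSA 2.x switches; the install
#    path below is the default one and is an assumption.
$mbsa = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
if (Test-Path $mbsa) { & $mbsa /target localhost /o 'baseline-%C%-%T%' }
else { 'mbsacli.exe not found; install MBSA 2.x first, then re-run' }
```

Run it again after every patch cycle: a service that reappears as "installed" means a component was added back, and the MBSA report lists anything Windows Update missed.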

II. Setting up and managing accounts

1. Keep the number of administrator accounts to a minimum. Rename the built-in administrator account (Administrator), change its description, and give it a password of at least 14 characters mixing digits, upper- and lower-case letters and shifted symbols.

2. Create a decoy account named Administrator with minimal permissions (an ordinary member of Users only) and a random password of at least 20 characters.

3. Disable the Guest account, change its name and description, and set a complex password on it as well. There is also a DelGuest tool that can delete the Guest account outright, but I have not tried it.

4. Run gpedit.msc, open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy. Set the account lockout threshold to 3 invalid logon attempts, the lockout duration to 30 minutes and the reset counter to 30 minutes.

5. Under Security Settings - Local Policies - Security Options, enable "Interactive logon: Do not display last user name".

6. Under Security Settings - Local Policies - User Rights Assignment, for "Access this computer from the network" keep only the Internet guest account (IUSR_<computername>) and the Launch IIS Process account (IWAM_<computername>). If you use ASP.NET, also keep the ASPNET account. Note that removing Administrators from this right also stops remote administration over SMB shares.

7. Create an ordinary User account for day-to-day work on the system, and use the runas command whenever a privileged command is needed.
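The account steps above done from the command line, as an added example that is not part of the original article. It assumes PowerShell 2.0 on Windows Server 2003 run as an administrator; the account names (srvmaint, unused01, webops) and the passwords are placeholders to replace with your own. Item 6 (the network logon right) is not covered here because it is a security-template setting; it is scripted together with the audit policy in section IV.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 on
# Windows Server 2003, run as an administrator. Names and passwords are
# placeholders; substitute your own (14+ and 20+ mixed characters).

$newAdminName  = 'srvmaint'                        # new name for the built-in Administrator
$adminPassword = 'Tq7$Lm2!pV9#kZ4wRb6@'            # placeholder, 20 mixed characters
$trapPassword  = 'x3!Wm8@zL6#Pd2$Ht9%Yc5^Rb1&Nq'   # placeholder, 26 random characters
$userPassword  = 'Hw4#Nc9!tR2$bQ7%Lk5@'            # placeholder for the daily-use account

# 1. Rename the built-in Administrator through the WinNT ADSI provider
#    (Win32_UserAccount.Rename is not available on Server 2003), then set
#    its password and description.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$admin    = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$computer.MoveHere($admin.psbase.Path, $newAdminName) | Out-Null
net user $newAdminName $adminPassword /comment:"Service maintenance"

# 2. Decoy "Administrator": ordinary member of Users only, long random
#    password the user cannot change, description copied from the real one.
net user Administrator $trapPassword /add /passwordchg:no /comment:"Built-in account for administering the computer/domain"

# 3. Guest: disable, rename, give it a description and a complex password anyway.
net user Guest /active:no
$guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
$computer.MoveHere($guest.psbase.Path, 'unused01') | Out-Null
net user unused01 $trapPassword /comment:"Unused"

# 4. Account lockout: 3 bad attempts, 30 minute lockout, counter reset after 30 minutes.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

# 5. "Interactive logon: Do not display last user name".
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sysPolicy -Name DontDisplayLastUserName -Value 1 -Type DWord

# 7. Unprivileged account for daily work; privileged commands then go through
#    runas, for example:  runas /user:srvmaint "mmc inetmgr.msc"
net user webops $userPassword /add

# Verify: the decoy must not be in Administrators, the renamed account must,
# and the lockout values must show the numbers set above.
net localgroup Administrators
net accounts
```

The decoy keeps the built-in account's original description so it looks genuine in enumeration; the real administrative account is now the one with the unremarkable name.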

III. Network service security management

1. Disable the default C$, D$ and ADMIN$ shares.

Open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and, in the right-hand pane, create a new DWORD value named AutoShareServer with the value 0. The administrative shares are then no longer recreated at boot (IPC$ is not affected by this value).

2. Unbind NetBIOS from TCP/IP.

Right-click My Network Places - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol (TCP/IP) - Advanced - WINS - Disable NetBIOS over TCP/IP. This closes ports 137-139; SMB still listens on port 445, so block that at the firewall as well unless file sharing is required.

3. Turn off unneeded services. Recommended settings:

Computer Browser: maintains the list of computers on the network; disable.

Distributed File System: manages shared files across the LAN; disable if not needed.

Distributed Link Tracking Client: tracks linked files across the LAN; disable if not needed.

Error Reporting Service: sends error reports to Microsoft; disable.

Microsoft Search: full-text search; disable if not needed.

NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed.

Print Spooler: disable if there is no printer.

Remote Registry: allows remote modification of the registry; disable.

Remote Desktop Help Session Manager: Remote Assistance; disable.
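The three items of this section scripted, as an added example that is not part of the original article. It assumes PowerShell 2.0 on Windows Server 2003 run as an administrator; the service list uses the short service names that correspond to the display names above, and MSSEARCH is included on the assumption that it exists only where SQL Server full-text search was installed.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 on
# Windows Server 2003, run as an administrator.

# 1. Stop C$, D$ and ADMIN$ from being recreated at boot, and drop them now.
#    IPC$ is unaffected by AutoShareServer; it cannot be removed this way.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
foreach ($share in 'C$', 'D$', 'ADMIN$') { net share $share /delete 2>$null }

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter (same as the
#    WINS tab setting). SetTcpipNetbios: 0 = DHCP decides, 1 = on, 2 = off.
#    Return 0 = done, 1 = done after reboot. Ports 137-139 close; SMB still
#    listens on 445, so firewall that too if file sharing is not needed.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    ForEach-Object {
        $r = $_.SetTcpipNetbios(2)
        "{0}: SetTcpipNetbios returned {1}" -f $_.Description, $r.ReturnValue
    }

# 3. Services the article lists, by service name (not display name).
$unneeded = @(
    'Browser',         # Computer Browser
    'Dfs',             # Distributed File System
    'TrkWks',          # Distributed Link Tracking Client
    'ERSvc',           # Error Reporting Service
    'MSSEARCH',        # Microsoft Search (present only with SQL full-text; assumption)
    'NtLmSsp',         # NT LM Security Support Provider (Telnet, Microsoft Search)
    'Spooler',         # Print Spooler
    'RemoteRegistry',  # Remote Registry
    'RDSessMgr'        # Remote Desktop Help Session Manager
)
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "{0,-15} not present" -f $name; continue }
    Set-Service -Name $name -StartupType Disabled
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    "{0,-15} stopped and disabled" -f $name
}
```

Services are set to Disabled rather than merely stopped so they do not return at the next boot; remove NtLmSsp from the list if Telnet or Microsoft Search is in use.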

IV. Enable an appropriate audit policy

Run gpedit.msc, open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. When choosing what to audit, remember that the more categories you audit, the more events are generated and the harder it is to find the serious ones; audit too little and you will miss important events. Strike a balance according to your situation.

The recommended categories are:

Audit logon events: success, failure

Audit account logon events: success, failure

Audit system events: success, failure

Audit policy change: success, failure

Audit object access: failure

Audit directory service access: failure

Audit privilege use: failure
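The audit policy above, together with the "Access this computer from the network" right from section II item 6, applied through a secedit security template so that it can be re-applied after any change. This is an added example, not part of the original article; it assumes PowerShell 2.0 on Windows Server 2003 run as an administrator, and uses a %COMPUTER% placeholder that is replaced with the host name so the IUSR_ and IWAM_ account names resolve.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 on
# Windows Server 2003, run as an administrator.

# [Event Audit] values: 0 none, 1 success, 2 failure, 3 success and failure.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2
[Privilege Rights]
; Access this computer from the network: IIS accounts only (add ASPNET if
; ASP.NET is used). This drops Administrators and Everyone, so remote SMB
; administration of the box stops working.
SeNetworkLogonRight = IUSR_%COMPUTER%,IWAM_%COMPUTER%
'@

$infPath = Join-Path $env:TEMP 'harden.inf'
$dbPath  = Join-Path $env:TEMP 'harden.sdb'
$logPath = Join-Path $env:TEMP 'harden.log'
$template -replace '%COMPUTER%', $env:COMPUTERNAME |
    Out-File -FilePath $infPath -Encoding Unicode

# Apply only the audit-policy and user-rights areas of the template.
secedit /configure /db $dbPath /cfg $infPath /overwrite /areas SECURITYPOLICY USER_RIGHTS /log $logPath /quiet

# Verify: export the effective policy and show the lines that were set.
$exportPath = Join-Path $env:TEMP 'current.inf'
secedit /export /cfg $exportPath /areas SECURITYPOLICY USER_RIGHTS /quiet
Get-Content $exportPath | Select-String '^Audit|^SeNetworkLogonRight'
```

Server 2003 has no built-in auditpol.exe, so the secedit export is the quickest way to confirm the effective settings; keep harden.inf under version control and re-run the configure step whenever the policy drifts.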

V. Other security-related settings

1. Hide important files and directories

You can make hidden files invisible even when "Show hidden files" is selected by editing the registry: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, choose Modify and change the value from 1 to 0. This is obscurity only: it affects what Explorer displays, not what a command shell or an attacker's tools can list.

2. Turn on the Internet Connection Firewall that ships with the system and, under its Services settings, allow only the Web Server (HTTP) service.

3. Protect against SYN flood attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters create a new DWORD value named SynAttackProtect with the value 2.

4. Stop responding to ICMP router advertisement messages

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID> create a new DWORD value named PerformRouterDiscovery with the value 0.

5. Ignore ICMP redirect packets

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters set the DWORD value EnableICMPRedirect to 0.

6. Disable IGMP support

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters create a new DWORD value named IGMPLevel with the value 0.

7. Disable DCOM

Run Dcomcnfg.exe, click Component Services under Console Root and open the "Computers" folder. Right-click "My Computer", select "Properties", open the Default Properties tab and clear the "Enable Distributed COM on this computer" checkbox. Check afterwards that IIS and its administration tools still work, since some management components rely on DCOM.

Note: for items 3-6 I use the settings from Server 2000 and have not tested whether they work on 2003. What I can say is that in the time I have used them I have not found any side effects.
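The registry items of this section applied and read back in one script, as an added example that is not part of the original article. It assumes PowerShell 2.0 on Windows Server 2003 run as an administrator, that the Tcpip values take effect after a reboot, and that netsh firewall is available (Server 2003 SP1 or later); the EnableDCOM value is the registry counterpart of the dcomcnfg checkbox in item 7.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 on
# Windows Server 2003, run as an administrator. Tcpip values take effect
# after a reboot; netsh firewall needs Server 2003 SP1 or later.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Item 3: SYN flood protection. 2 is the Windows 2000 "strongest" value;
# Server 2003 SP1 documents only 0 and 1 (default 1) and any non-zero
# value enables the protection there.
Set-ItemProperty -Path $tcpip -Name SynAttackProtect -Value 2 -Type DWord

# Item 5: ignore ICMP redirects (value name EnableICMPRedirect).
Set-ItemProperty -Path $tcpip -Name EnableICMPRedirect -Value 0 -Type DWord

# Item 6: IGMPLevel 0 = no multicast support.
Set-ItemProperty -Path $tcpip -Name IGMPLevel -Value 0 -Type DWord

# Item 4: router discovery is per interface; set it on every interface
# subkey rather than guessing the adapter GUID.
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name PerformRouterDiscovery -Value 0 -Type DWord
}

# Item 1: Explorer's "Show hidden files" no longer reveals hidden objects.
# Obscurity only: dir /a and any shell still list them.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
Set-ItemProperty -Path $showAll -Name CheckedValue -Value 0 -Type DWord

# Item 7: disable DCOM; this is the registry side of the dcomcnfg checkbox.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -Value 'N' -Type String

# Item 2: firewall on, only HTTP allowed in (add port 443 if the site uses TLS).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
netsh firewall set portopening protocol=TCP port=80 name="Web Server (HTTP)" mode=ENABLE

# Read back what was written so the reboot can be done with confidence.
$p = Get-ItemProperty -Path $tcpip
"SynAttackProtect={0} EnableICMPRedirect={1} IGMPLevel={2}" -f $p.SynAttackProtect, $p.EnableICMPRedirect, $p.IGMPLevel
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    "{0}: PerformRouterDiscovery={1}" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).PerformRouterDiscovery
}
"EnableDCOM={0}" -f (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').EnableDCOM
```

After the reboot, confirm from another machine that only port 80 answers and that IIS Manager still opens locally; if it does not, DCOM was needed by a management component and item 7 must be reverted.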

Copyright © Windows knowledge All Rights Reserved