Win2003 is already a relatively stable system with relatively good security, but securing a win2003 server involves many different operations. This article therefore brings them together into one detailed server security strategy to share with everyone.
Strategy 1: Turn off Windows 2003 unnecessary services
·computer browser: Maintains an up-to-date list of computers on the network and provides this list
·task scheduler: Allows programs to run at a specified time
·routing and remote access: Provides routing services for enterprises in LAN and WAN environments
·removable storage: Manages removable media, drives and libraries
·remote registry service: Allows remote registry operations
·print spooler: Loads files into memory for later printing
·ipsec policy agent: Manages the ip security policy and starts the isakmp/oakley (ike) and ip security drivers
·distributed link tracking client: Sends a notification when a file moves between ntfs volumes in a network domain
·com+ event system: Provides automatic distribution of events to subscribing com components
·alerter: Notifies selected users and computers of administrative alerts
·error reporting service: Stores and reports application exceptions to microsoft
·messenger: Transfers net send and alerter service messages between clients and servers
·telnet: Allows remote users to log in to this computer and run programs
Strategy 2: Disk permissions settings
Give only administrators and system permissions on the c drive and grant no other permissions; other disks can be set the same way. The system permission does not strictly have to be given here, but some third-party applications are started as a service and need this account, otherwise they will not start.
The windows directory should keep the default permissions for users, otherwise applications such as asp and aspx will not run.
Strategy 3: Prevent windows system from making empty connections
Find the key hkey_local_machine\system\currentcontrolset\control\lsa in the registry and change the dword value restrictanonymous to 1.
Strategy 4: Turn off unwanted ports
Local Connection--Properties--Internet Protocol (tcp/ip)--Advanced--Options--tcp/ip Filtering--Properties--tick the checkbox and add only the ports you need (e.g. 3389, 21, 1433, 3306, 80).
Changing the remote connection port
Start-->Run-->enter regedit
Find the 3389 setting by following the steps below:
1. Under hkey_local_machine\system\currentcontrolset\control\terminal server\wds\rdpwd\tds\tcp, change portnumber=3389 to the port number you want.
2. Under hkey_local_machine\system\currentcontrolset\control\terminal server\winstations\rdp-tcp, change portnumber=3389 to the port number you want.
Change 3389 to the number you want, entered in decimal (the system converts it to hexadecimal automatically), then click OK.
The port is only really changed once the host has been restarted. If you do not restart, the port is still 3389. After the restart you can connect on the new port.
Disable netbios over tcp/ip
Local Connection--Properties--Internet Protocol (tcp/ip)--Advanced--wins--Disable netbios over tcp/ip
Strategy 5: Turn off empty connections to the default shares
First write the batch file as follows:
@echo off
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share admin$ /delete
The contents of the file above can be adjusted to match your own drives. Save it as delshare.bat in the system32\grouppolicy\user\scripts\logon directory under the system folder. Then enter gpedit.msc in Start menu → Run and press Enter to open the Group Policy Editor. Click User Configuration → Windows Settings → Scripts (Logon/Logoff) → Logon.
In the "Logon Properties" window that appears, click "Add". In the "Add a Script" dialog box, enter delshare.bat in the "Script name" field, and then click the "OK" button.
After the computer is restarted, all hidden shared folders of the system are removed automatically, minimizing system security risks.
Strategy 6: iis Security Settings
1. Do not use the default web site. If you do use it, keep the iis directory off the system disk.
2. Delete the inetpub directory created by iis by default (on the disk where the system is installed).
3. Delete the virtual directories under the system disk, such as: _vti_bin, iissamples, scripts, iishelp, iisadmin, msadc.
4. Delete unnecessary iis extension mappings.
Right-click "Default Web Site" → Properties → Home Directory → Configuration to open the application window and remove unnecessary application mappings, mainly .shtml, .shtm and .stm.
5. Change the path of the iis log.
Right-click "Default Web Site" → Properties → Web Site, then click Properties under "Enable logging".
Strategy 7: Registry-related security settings
1. Hide important files/directories
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
Right-click "checkedvalue" and select Modify to change the value from 1 to 0.
2. Prevent syn flood attacks
hkey_local_machine\system\currentcontrolset\services\tcpip\parameters
Create a new dword value named synattackprotect with a value of 2.
3. Disable responses to icmp router advertisement messages
hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\interface
Create a new dword value named performrouterdiscovery with a value of 0.
4. Prevent icmp redirect message attacks
hkey_local_machine\system\currentcontrolset\services\tcpip\parameters
Set the enableicmpredirects value to 0.
5. Do not support the igmp protocol
hkey_local_machine\system\currentcontrolset\services\tcpip\parameters
Create a new dword value named igmplevel with a value of 0.
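To check that the registry changes from Strategies 3, 4 and 7 were actually applied, the following added example (not part of the original article) audits the text of a registry export against the values listed above. It assumes the keys were exported in .reg text format, uses the value names as this page gives them, and runs on a constructed sample export; the per-interface performrouterdiscovery check is left out.

```python
import re
# Expected DWORD values from Strategies 3 and 7: (key path, value name, required value).
TCPIP = r"hkey_local_machine\system\currentcontrolset\services\tcpip\parameters"
EXPECTED = [
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous", 1),
    (TCPIP, "synattackprotect", 2),
    (TCPIP, "enableicmpredirects", 0),
    (TCPIP, "igmplevel", 0),
]
RDP_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server\winstations\rdp-tcp"

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: int}} (DWORD values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:  # .reg files store DWORDs in hex, e.g. 3389 is 00000d3d
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    keys, findings = parse_reg(text), []
    for key, name, want in EXPECTED:
        got = keys.get(key, {}).get(name)
        if got != want:
            findings.append(f"{name}: expected {want}, found {got}")
    # Strategy 4: the RDP listener should no longer be on the default port 3389.
    port = keys.get(RDP_KEY, {}).get("portnumber")
    if port is None or port == 3389:
        findings.append(f"portnumber: still default or missing ({port})")
    return findings

# Constructed sample export (not from a real server); three checks fail on it.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnableICMPRedirects"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample, the audit reports the redirect setting, the missing igmplevel value and the unchanged port number.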
Because win2003 is a relatively mature system, many hackers and Trojan writers have been researching it for a long time. To keep out external threats, we must configure the security of a win2003 server more rigorously. I hope this introduction helps everyone.