Security Configuration of Windows 2000 Server


First: How to install

First, version selection

I strongly recommend using the English version if language is not an obstacle. As you know, Microsoft's products are known for "bug & patch": the Chinese version has far more bugs than the English version, and its patches generally arrive at least half a month later, which means that after a vulnerability is announced your server will typically remain unprotected for half a month.

Second, component customization

WIN2K installs some common components by default, but this default installation is very dangerous. According to the security principle "minimum services + minimum permissions = maximum security", install only the services you really need. A special reminder: "Indexing Service", "FrontPage 2000 Server Extensions" and "Internet Service Manager" are dangerous services.

Third, the choice of management applications

Choosing good remote management software is very important; this is not only a security requirement but also an application need. WIN2K's Terminal Service is remote control software based on RDP (Remote Desktop Protocol). It is fast, easy to operate and suitable for routine work. However, Terminal Service also has its shortcomings. Because it uses virtual desktops, and Microsoft's programming is not rigorous, strange things often happen when you use Terminal Service to install software, restart the server or interact with the real desktop; for example, restarting a Microsoft-certified server (Compaq, IBM, etc.) through Terminal Service may shut it down outright. Therefore, for security reasons, it is recommended to add a remote control program that complements Terminal Service; PcAnywhere, for example, is a good choice.

Fourth, partition and logical disk allocation

Use at least two partitions: one system partition and one application partition. This is because Microsoft's IIS (Internet Information Server) often has vulnerabilities; if you put the system and IIS on the same drive, this can lead to leakage of system files and even allow an intruder to obtain administrative rights remotely.

It is recommended to create three logical drives: the first for the system and important log files, the second for IIS, and the third for FTP, so that whether IIS or FTP has a security hole, it will not directly affect the system directory and system files.

Fifth, selection of installation order

Don't think that as long as the system can be installed, you are done. In fact, the installation order of WIN2K is very important.

First, pay attention to when the host is connected to the network. WIN2K has a vulnerability during installation: after the Administrator password is entered, the system creates the "$ADMIN" share but does not protect it with the password just entered, and this situation persists until the computer is restarted. In the meantime, anyone can enter the system through "$ADMIN". At the same time, as soon as the installation is complete, the various services start automatically, and the server is full of holes and very easy to break into from outside. Therefore, do not connect the host to the network until WIN2K Server is fully installed and configured.

Second, pay attention to patch installation. Patches should be installed after all applications have been installed, because patches often replace or modify certain system files; if you install the patch first, it may not work as expected.

Second: How to set up

Even if WIN2K Server is installed correctly, the system still has many holes, and further detailed configuration is required.

First, ports

A port is the logical interface between the computer and the external network, and it is also the computer's first barrier; correct port configuration directly affects the security of the host.
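As an added example (not part of the original article), the following Python script shows the check a defender would run behind this advice: list what the host is actually listening on and compare it with an allowlist of ports the server is meant to expose. The netstat output below is constructed to resemble the Windows `netstat -an` format and is not captured from a real machine, and the allowlist (FTP, WWW and Terminal Service) is an illustrative assumption, not a recommendation from the article.

```python
import re

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:1045      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Illustrative allowlist (an assumption for this example): (protocol, port) pairs
# the server is supposed to expose -- FTP, WWW and Terminal Service.
ALLOWED_LISTENERS = {("TCP", 21), ("TCP", 80), ("TCP", 3389)}

# One netstat row: proto, local address, local port, foreign address, optional state.
# UDP rows carry no state column, so the last group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_addr, port) for every listening socket in the output.

    TCP rows count only when in LISTENING state; every UDP row is a listener.
    Header lines and established connections are skipped.
    """
    listeners = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, addr, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(netstat_text, allowed=ALLOWED_LISTENERS):
    """Return the listeners that are not on the allowlist, sorted for stable output."""
    allowed = set(allowed)
    return sorted(
        entry for entry in parse_listeners(netstat_text)
        if (entry[0], entry[2]) not in allowed
    )


if __name__ == "__main__":
    for proto, addr, port in audit_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On the constructed sample this flags the RPC endpoint mapper (135/tcp), SMB (445/tcp) and NetBIOS name service (137/udp), which is exactly the kind of finding that should send you back to the component and service list above rather than to a firewall rule alone.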

Second, IIS

IIS is the most problematic of Microsoft's components: on average a new vulnerability appears every two or three months, and Microsoft's default IIS installation is really nothing to praise, so the configuration of IIS is our focus.

First, delete the Inetpub directory on the C drive, create an Inetpub directory on the D drive, and point the home directory to D:\Inetpub in IIS Manager.
Second, delete the default virtual directories such as Scripts that are created when IIS is installed. If you need a directory with particular permissions, it can be created later (pay special attention to write permission and permission to execute programs).

Then there is the application configuration. Delete all unneeded mappings in IIS Manager (of course, keep the ones you need, such as ASP, ASA, etc.): in IIS Manager, go to "Host → Properties → WWW Service Edit → Home Directory Configuration → Application Mapping" and delete them one by one. Then, on the App Debugging tab, change "Script error messages" to "Send text". When you click "OK" to exit, don't forget to let the virtual sites inherit the properties you just set.
Finally, to be on the safe side, you can use the IIS backup function: just back up all the settings, so you can restore the secure IIS configuration at any time. Also, if you are worried that the IIS load gets too high and the server crashes, you can enable the CPU limit under Performance, for example limiting IIS to a maximum of 70% CPU usage.
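The application-mapping step above is done by hand in IIS Manager; as an added example (not code from the article), the Python script below does the same reduction against a list of script mappings so that the result can be reviewed or compared with a backup. It assumes the IIS 5 metabase ScriptMaps entry format "extension,handler path,flags,verb list" (the verb list being everything after the third comma) and uses a constructed sample list whose entries only resemble the defaults of a WIN2K installation. The allowlist of ASP and ASA follows the text; everything else is reported for removal.

```python
from dataclasses import dataclass

# Constructed sample resembling default IIS 5 ScriptMaps entries; not read from a real metabase.
SAMPLE_SCRIPT_MAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
    ".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
    ".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1",  # entry with no verb list
]

# Mappings the article says to keep.
KEEP_EXTENSIONS = (".asp", ".asa")


@dataclass(frozen=True)
class ScriptMap:
    ext: str        # file extension, lower-cased, including the dot
    handler: str    # DLL or executable that handles the extension
    flags: int      # metabase flags (1 = script engine)
    verbs: tuple    # allowed HTTP verbs; empty tuple means "all verbs"

    def to_entry(self):
        """Serialize back to the assumed 'ext,handler,flags,verbs' form."""
        return ",".join([self.ext, self.handler, str(self.flags), *self.verbs])


def parse_script_map(entry):
    """Parse one ScriptMaps entry; the verb list after the third comma is optional."""
    parts = entry.split(",", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    ext = parts[0].strip().lower()
    handler = parts[1].strip()
    flags = int(parts[2].strip())
    verbs = ()
    if len(parts) == 4:
        verbs = tuple(v.strip().upper() for v in parts[3].split(",") if v.strip())
    return ScriptMap(ext, handler, flags, verbs)


def prune_script_maps(entries, keep_extensions=KEEP_EXTENSIONS):
    """Split the mappings into those to keep and those to delete.

    Returns (kept, removed) as lists of ScriptMap; order is preserved so the
    result can be compared line by line with the original list.
    """
    keep = {e.lower() for e in keep_extensions}
    kept, removed = [], []
    for entry in entries:
        script_map = parse_script_map(entry)
        (kept if script_map.ext in keep else removed).append(script_map)
    return kept, removed


def minimal_script_maps(entries, keep_extensions=KEEP_EXTENSIONS):
    """Return the reduced mapping list in entry form, ready for review."""
    kept, _ = prune_script_maps(entries, keep_extensions)
    return [m.to_entry() for m in kept]


if __name__ == "__main__":
    kept, removed = prune_script_maps(SAMPLE_SCRIPT_MAPS)
    for m in removed:
        print(f"delete mapping {m.ext:9s} -> {m.handler}")
    print("remaining mappings:")
    for entry in minimal_script_maps(SAMPLE_SCRIPT_MAPS):
        print("  " + entry)
```

The removed list is the one to work through in the Application Mapping dialog; keeping the kept list alongside the IIS backup mentioned above gives you something concrete to diff against if the mappings ever reappear after a reinstall or an application setup program.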
