Shulou (Shulou.com) 06/03 Report, from SLTechnology News&Howtos > Servers (page updated 2025-01-16)
Windows Server System Security Hardening Method
Updated: 2017-06-01 19:24
This Windows Server security hardening scheme targets Windows Server 2008 R2; most of it also applies to later versions such as Windows Server 2012.
one
Delete unused accounts:
Press Win+R, run compmgmt.msc, open Local Users and Groups > Users, and delete accounts that are no longer used.
Make sure the Guest account is disabled, and rename the built-in Administrator account from its default name "Administrator" to something else. Renaming does not change the account's SID (its relative ID stays 500), so an attacker who can enumerate accounts can still identify it; the rename only defeats blind password guessing against the default name.
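The account cleanup in this section as an added PowerShell example (not from the original article). It uses the ADSI WinNT provider because Get-LocalUser does not exist on Windows Server 2008 R2; the replacement administrator name is an assumption. The built-in accounts are located by their well-known RIDs (500 and 501) rather than by name, which is also why renaming Administrator only hides it from blind guessing.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell
# prompt on the server. Uses the ADSI WinNT provider, which works with the
# PowerShell 2.0 that ships with Windows Server 2008 R2 (.psbase is needed there
# to reach the DirectoryEntry members).
$newAdminName = 'srv-admin-2008'   # assumption: pick your own non-obvious name

# Relative ID = last component of the account SID (500 = Administrator, 501 = Guest).
function Get-Rid($entry) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.ObjectSid.Value, 0)
    [int](($sid.Value -split '-')[-1])
}

$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$users = @($computer.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'user' })

# 1. Inventory: name, RID, disabled flag and last logon, so unused accounts can be
#    identified before anything is deleted.
foreach ($u in $users) {
    $flags    = [int]$u.UserFlags.Value
    $disabled = ($flags -band 0x2) -ne 0          # ADS_UF_ACCOUNTDISABLE
    $last     = 'never'
    try { $last = $u.LastLogin.Value } catch { }  # WinNT throws when the account never logged on
    '{0,-20} rid={1,-5} disabled={2,-5} lastLogin={3}' -f $u.Name.Value, (Get-Rid $u), $disabled, $last
}

# 2. Disable Guest, found by RID 501 in case it was already renamed.
$guest = $users | Where-Object { (Get-Rid $_) -eq 501 }
if ($guest) {
    $guest.Put('UserFlags', ([int]$guest.UserFlags.Value) -bor 0x2)
    $guest.SetInfo()
    "Disabled guest account '$($guest.Name.Value)'"
}

# 3. Rename the built-in Administrator, found by RID 500. An attacker who can
#    enumerate accounts (section nine restricts that) finds it exactly this way,
#    which is why the rename is a speed bump, not a control.
$builtinAdmin = $users | Where-Object { (Get-Rid $_) -eq 500 }
if ($builtinAdmin -and $builtinAdmin.Name.Value -ne $newAdminName) {
    $builtinAdmin.psbase.Rename($newAdminName)
    "Renamed built-in Administrator to '$newAdminName'"
}
```

Run the inventory part first on its own and decide which accounts to remove; the script deliberately deletes nothing, because "unused" is a judgement only the operator can make.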
two
Strengthen the password policy:
Press Win+R, run secpol.msc, and open Security Settings.
1. Account Policies > Password Policy
Password must meet complexity requirements: Enabled
Minimum password length: 8 characters
Minimum password age: 0 days
Maximum password age: 90 days
Enforce password history: 1 password remembered
Store passwords using reversible encryption: Disabled
Note that a minimum age of 0 days combined with a history of 1 lets a user change the password twice and return to the old one immediately; a minimum age of at least 1 day and a longer history (commonly 24) closes that gap.
2. Local Policies > Security Options
Interactive logon: Do not display last user name: Enabled
three
Disable services that are not needed:
Press Win+R, run services.msc, and set the following services to Disabled:
Application Layer Gateway Service
Background Intelligent Transfer Service
Computer Browser
DHCP Client
Diagnostic Policy Service
Distributed Transaction Coordinator
DNS Client
Distributed Link Tracking Client
Remote Registry
Print Spooler
Server
Shell Hardware Detection
TCP/IP NetBIOS Helper
Windows Remote Management
Check each one against the server's role before disabling it: DHCP Client is required when the address is assigned by DHCP, DNS Client provides DNS caching and is needed on domain-joined servers, Server (LanmanServer) carries every SMB share including the administrative shares, Background Intelligent Transfer Service is used by Windows Update, and Windows Remote Management is what PowerShell remoting and many management tools connect to. Disable those only where the server genuinely does not use them.
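The service list above as an added PowerShell example (not from the original article), with the display names mapped to their service names. Services that commonly break something are separated into an opt-in group, so the operator has to name them explicitly; the empty `$optIn` list is a placeholder to be filled in after checking the host.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell
# prompt (works on the PowerShell 2.0 shipped with Windows Server 2008 R2).
# Service names for the display names in the article's list.
$safeToDisable = @{
    'ALG'              = 'Application Layer Gateway Service'
    'Browser'          = 'Computer Browser'
    'DPS'              = 'Diagnostic Policy Service'
    'MSDTC'            = 'Distributed Transaction Coordinator'
    'TrkWks'           = 'Distributed Link Tracking Client'
    'RemoteRegistry'   = 'Remote Registry'
    'Spooler'          = 'Print Spooler'
    'ShellHWDetection' = 'Shell Hardware Detection'
    'lmhosts'          = 'TCP/IP NetBIOS Helper'
}
# Also on the article's list, but each one breaks something common; opt in explicitly.
$needsOptIn = @{
    'BITS'         = 'Background Intelligent Transfer Service (used by Windows Update)'
    'Dhcp'         = 'DHCP Client (required when the address comes from DHCP)'
    'Dnscache'     = 'DNS Client (DNS caching; needed on domain members)'
    'LanmanServer' = 'Server (all SMB shares, including admin shares)'
    'WinRM'        = 'Windows Remote Management (PowerShell remoting)'
}

function Disable-ListedService([string]$name, [string]$why) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "skip      $name (not installed)"; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $name -StartupType Disabled
    "disabled  $name  [$why]"
}

foreach ($name in $safeToDisable.Keys) { Disable-ListedService $name $safeToDisable[$name] }

# Assumption: the operator fills this in with the opt-in services verified unused on this
# host, for example $optIn = @('WinRM', 'LanmanServer'). Empty by default.
$optIn = @()
foreach ($name in $optIn) {
    if ($needsOptIn.ContainsKey($name)) { Disable-ListedService $name $needsOptIn[$name] }
}

# Report the state of everything on both lists so the result can be checked.
Get-Service -Name (@($safeToDisable.Keys) + @($needsOptIn.Keys)) -ErrorAction SilentlyContinue |
    Select-Object Name, Status, DisplayName | Format-Table -AutoSize
```

Stop-Service uses -Force because Server and DHCP Client have dependent services; without it the stop fails and only the startup type changes, which would leave the service running until the next reboot.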
four
Disable NetBIOS over TCP/IP (closes port 139):
Network Connections > Local Area Connection > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced > WINS > Disable NetBIOS over TCP/IP.
Note: with NetBIOS disabled the server stops answering NetBIOS name queries and no longer appears in the network browse list, which removes one source of information leakage. Existing SMB shares are still reachable over TCP port 445 (direct-hosted SMB) until that is closed as well (see section seven).
five
Turn off file and printer sharing on the adapter: Network Connections > Local Area Connection > Properties, and clear every checkbox except Internet Protocol Version 4 (TCP/IPv4). Clearing "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" unbinds the SMB client and server from that adapter, so do this only on servers that neither serve nor access SMB shares.
six
Disable IPv6:
First clear Network Connections > Local Area Connection > Properties > Internet Protocol Version 6 (TCP/IPv6).
Then add a DWORD value named DisabledComponents under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. The original recommends the value ffffffff (eight hexadecimal f's); Microsoft's guidance is to use 0xff instead, which disables all IPv6 components except the loopback interface and avoids the boot delay that 0xffffffff causes. The change takes effect after a reboot. Microsoft does not recommend disabling IPv6 on current Windows versions; do it only when the environment genuinely does not use it.
seven
Disable the SMB server over TCP (closes port 445)
Port 445 is the port SMB uses directly over TCP, without NetBIOS; it is what file sharing and SMB-based remote administration connect to. A server that does not need to expose shares to the LAN can close it.
Modify the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, add a DWORD value SMBDeviceEnabled with data 0, then reboot. Verify afterwards with netstat -ano that nothing listens on TCP 445; if it still does, disable the Server service or block the port in Windows Firewall instead.
eight
Disable LLMNR (closes port 5355)
Use Group Policy: run gpedit.msc > Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution > Enabled. Like NetBIOS name resolution, LLMNR answers name queries from any host on the local network and is a common target for poisoning attacks that capture credentials.
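The registry side of sections four, six, seven and eight as one added PowerShell example (not from the original article). The NetBIOS, IPv6, SMB and LLMNR values are the ones behind the GUI and Group Policy settings named above; the firewall rule for 445 is an addition, because the SMBDeviceEnabled value is not honoured on every Windows build. Assumptions: NetBIOS should be off on every adapter, IPv6 is unused, and the host serves no SMB shares.

```powershell
# Added example, not part of the original article. Run elevated; every value below
# takes effect after a reboot.
$ErrorActionPreference = 'Stop'

function Set-RegDword([string]$path, [string]$name, [int]$value) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord
    '{0}\{1} = 0x{2:x}' -f $path, $name, $value
}

# Section four: NetBIOS over TCP/IP off on every interface. NetbiosOptions:
# 0 = use DHCP setting, 1 = enable, 2 = disable (the WINS tab setting).
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifaces | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
    Set-RegDword $_.PSPath 'NetbiosOptions' 2
}

# Section six: IPv6. 0xff disables all components except loopback; the article's
# 0xffffffff also works, but Microsoft advises against it (boot delay).
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents' 0xff

# Section seven: SMB over TCP 445. The registry value is what the article recommends;
# the block rule is an addition that closes the port whether or not the value is honoured.
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'SMBDeviceEnabled' 0
netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445 | Out-Null

# Section eight: LLMNR off. This is the value the Group Policy setting
# "Turn off multicast name resolution" writes.
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# Verification helper: parse netstat for listeners on the given ports. Run it again
# after the reboot; 139, 445 (TCP) and 5355 (UDP) should no longer appear.
function Get-ListeningPorts([int[]]$ports) {
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s') {
            if ($ports -contains [int]$matches[2]) { $_.Trim() }
        }
    }
}
'Listeners on 139/445/5355 before reboot (expected to disappear afterwards):'
Get-ListeningPorts 139, 445, 5355
```

The interface keys are enumerated rather than hard-coded because their names end in the adapter GUID, which differs on every machine; the script therefore disables NetBIOS on all of them, which is the right default on a server but worth knowing before running it.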
nine
Tighten network access restrictions:
Press Win+R, run secpol.msc, and open Security Settings > Local Policies > Security Options:
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Accounts: Limit local account use of blank passwords to console logon only: Enabled
ten
Change the default RDP port (3389):
1. Firewall settings
Control Panel > Windows Firewall > Advanced Settings > Inbound Rules > New Rule > Port > specific TCP port (for example 13688) > Allow the connection. Then right-click the new rule > Properties > Scope: leave Local IP address as "Any IP address", set Remote IP address to "These IP addresses" and add the administrators' addresses. The same scope restriction can limit other ports (for example port 80) to specific network segments. Create this rule before changing the port, or the change will lock you out of RDP.
2. Run regedit and change PortNumber from the default 3389 to the chosen port (for example 13688) in both of these keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
3. Restart the Remote Desktop Services service (or reboot) for the new port to take effect. Moving the port only hides RDP from casual scans; the scope restriction on the firewall rule is the actual control.
eleven
Reduce the permissions granted to Everyone:
Right-click each system drive > Properties > Security and check whether the root directory of the drive grants Everyone full control.
Remove the Everyone entry, or at least remove its write permission.
twelve
Increase log auditing:
Press Win+R, run secpol.msc, and open Security Settings > Local Policies > Audit Policy.
Recommended settings:
Audit policy change: Success
Audit logon events: Success, Failure
Audit object access: Success
Audit process tracking: Success, Failure
Audit directory service access: Success, Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Object access auditing records nothing until a SACL is set on the files or registry keys of interest, and process tracking produces a large volume of events; raise the Security log size (Event Viewer > Windows Logs > Security > Properties) so the extra volume does not overwrite older entries, and forward the log off the host where possible.
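The password policy (section two), the security options (section nine) and the audit policy (this section) as one added PowerShell example (not from the original article): a security template in the .inf format that secedit and the Local Security Policy console use, applied with secedit. The work directory is an assumption, the current policy is exported first so it can be restored, and the three account lockout lines go beyond the article's list.

```powershell
# Added example, not part of the original article. Run elevated on the server.
$ErrorActionPreference = 'Stop'
$workDir  = 'C:\Hardening'                     # assumption
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$backup   = Join-Path $workDir 'before.inf'
$template = Join-Path $workDir 'hardening.inf'
$db       = Join-Path $workDir 'hardening.sdb'
$log      = Join-Path $workDir 'hardening.log'

# 1. Keep the current policy. Restore later with:
#    secedit /configure /db restore.sdb /cfg C:\Hardening\before.inf /overwrite /quiet
secedit /export /cfg $backup /quiet | Out-Null

# 2. The template. [System Access] = Password/Account Lockout Policy (ages in days,
#    lockout times in minutes), [Event Audit] = Audit Policy (0 = none, 1 = success,
#    2 = failure, 3 = both), [Registry Values] = Security Options (4,<n> = REG_DWORD).
#    LockoutBadCount/LockoutDuration/ResetLockoutCount are an addition beyond the article.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 8
MinimumPasswordAge = 0
MaximumPasswordAge = 90
PasswordHistorySize = 1
ClearTextPassword = 0
LockoutBadCount = 10
LockoutDuration = 15
ResetLockoutCount = 15
[Event Audit]
AuditPolicyChange = 1
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditProcessTracking = 3
AuditDSAccess = 3
AuditSystemEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@
# secedit reads templates as UTF-16, hence the encoding.
Set-Content -Path $template -Value $inf -Encoding Unicode

# 3. Apply only the policy area the template covers; /overwrite starts from an empty
#    database instead of merging with whatever hardening.sdb held before.
secedit /configure /db $db /cfg $template /overwrite /areas SECURITYPOLICY /log $log /quiet

# 4. Verify by re-exporting and showing the lines that should have changed.
$after = Join-Path $workDir 'after.inf'
secedit /export /cfg $after /quiet | Out-Null
Get-Content $after | Select-String 'MaximumPasswordAge|PasswordHistorySize|AuditLogonEvents|RestrictAnonymous|LockoutBadCount'
```

Keeping the settings in a template rather than clicking through secpol.msc makes the hardening repeatable across servers and reviewable in version control; the same file can be imported into a GPO with the Security Templates snap-in.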
thirteen
Block ICMP echo (ping)
Open Windows Firewall from Control Panel, click Advanced Settings > Inbound Rules and find "File and Printer Sharing (Echo Request - ICMPv4-In)". Enabling this rule allows ping; disabling it stops other hosts from pinging the server but does not affect TCP, UDP or other connections. Keep in mind that monitoring systems which check availability with ping will then report the server as down.
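The RDP port change from section ten and the ping rule from section thirteen as one added PowerShell example (not from the original article). It performs the steps in the order that avoids a lockout: firewall rule scoped to the admin addresses first, registry second, service restart last, and the old 3389 rule is disabled only after the new listener is confirmed. The port 13688 follows the article; the admin addresses and the built-in rule names (as they appear on Windows Server 2008 R2) are assumptions.

```powershell
# Added example, not part of the original article. Run elevated, from a session you
# can afford to lose (the Remote Desktop Services restart drops existing RDP sessions).
$ErrorActionPreference = 'Stop'
$newPort  = 13688                                  # as in the article
$adminIPs = '203.0.113.10,198.51.100.0/24'         # assumption: documentation ranges

# Section ten, step 1: allow the new port from the admin addresses only. Keeping the
# comma-separated list in a variable stops PowerShell from splitting it into two arguments.
netsh advfirewall firewall add rule name="RDP on $newPort (admin hosts only)" dir=in action=allow protocol=TCP localport=$newPort remoteip=$adminIPs | Out-Null

# Step 2: both registry locations the article names, with the correct key names.
$rdpKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
foreach ($key in $rdpKeys) {
    $old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
    Set-ItemProperty -Path $key -Name PortNumber -Value $newPort -Type DWord
    "$key : PortNumber $old -> $newPort"
}

# Step 3: restart Remote Desktop Services so the listener moves.
Restart-Service -Name TermService -Force

# Confirm the listener is on the new port before touching the 3389 rule.
$listening = netstat -ano | Where-Object { $_ -match "^\s*TCP\s+\S+:$newPort\s+\S+\s+LISTENING" }
if ($listening) {
    "RDP now listening on $newPort"
    # Built-in rule name on 2008 R2; 2012 and later call it "Remote Desktop - User Mode (TCP-In)".
    # Disabled rather than deleted so it can be restored from the console if needed.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
} else {
    Write-Warning "No listener on TCP $newPort; the 3389 rule was left enabled. Check the registry values and the service."
}

# Section thirteen: stop answering ping. Only ICMPv4 echo is affected; TCP and UDP
# services keep working, but ping-based monitoring of this host will stop.
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=no
```

The source restriction on the new rule is what actually limits exposure; the port change on its own only removes RDP from the default port that scanners try first.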
fourteen
Configure IIS not to return detailed error messages:
Edit web.config and make sure the mode attribute of the customErrors element is not set to "Off", otherwise remote users see the full exception details (stack traces, file paths, sometimes connection strings); use "RemoteOnly" or "On" instead. Also remove the Directory Browsing, ASP, CGI and Server Side Includes role services from the Web Server role unless the application needs them.
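The IIS step as an added PowerShell example (not from the original article). It edits web.config as XML so that customErrors is set to RemoteOnly when it is missing or Off, applies the equivalent IIS-level setting for non-ASP.NET errors with appcmd, and removes the four role services named above. The site root is an assumption.

```powershell
# Added example, not part of the original article. Run elevated on the IIS server.
$ErrorActionPreference = 'Stop'
$siteRoot  = 'C:\inetpub\wwwroot'                 # assumption: the site's content root
$webConfig = Join-Path $siteRoot 'web.config'

# 1. web.config: <customErrors mode="RemoteOnly"> shows detailed errors only to a browser
#    on the server itself and a generic page to everyone else. "On" hides them everywhere.
$xml = New-Object System.Xml.XmlDocument
if (Test-Path $webConfig) { $xml.Load($webConfig) } else { $xml.LoadXml('<configuration/>') }
$config = $xml.DocumentElement
$systemWeb = $config.SelectSingleNode('system.web')
if (-not $systemWeb) { $systemWeb = $config.AppendChild($xml.CreateElement('system.web')) }
$customErrors = $systemWeb.SelectSingleNode('customErrors')
if (-not $customErrors) { $customErrors = $systemWeb.AppendChild($xml.CreateElement('customErrors')) }
$before = $customErrors.GetAttribute('mode')
if ($before -eq '' -or $before -eq 'Off') {
    $customErrors.SetAttribute('mode', 'RemoteOnly')
    $xml.Save($webConfig)
    "customErrors mode: '$before' -> RemoteOnly"
} else {
    "customErrors mode already '$before', left unchanged"
}

# 2. The IIS-level error pages (static files and anything outside ASP.NET):
#    DetailedLocalOnly is the httpErrors equivalent of RemoteOnly.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set config /section:system.webServer/httpErrors /errorMode:DetailedLocalOnly

# 3. Remove the role services the article names, if installed. Classic ASP, CGI and
#    SSI applications stop working once these are gone, so confirm nothing uses them.
Import-Module ServerManager
$unneeded = 'Web-Dir-Browsing', 'Web-ASP', 'Web-CGI', 'Web-Includes'
Get-WindowsFeature -Name $unneeded | Where-Object { $_.Installed } | ForEach-Object {
    Remove-WindowsFeature -Name $_.Name | Out-Null
    "removed role service $($_.Name)"
}
```

Check the result from a remote browser by requesting a page that does not exist and one that throws: both should return a generic error page with no stack trace or physical path.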