
Friday, 11 November 2011

What We Should Do About the Riddled-with-Holes NT

Configuring an NT system (by NT I mean Windows NT 4.0 throughout) is not a very difficult task for any of us, but configuring a highly secure NT is not easy at all. As good system administrators, we must learn how to bring the NT 4 in our hands up to what Microsoft calls the C2 level. The following points can serve as a reference:

* Most important of all: regularly visit security sites, run the latest Service Pack, and apply the hotfixes Microsoft releases from time to time.
* Format your hard disk as NTFS. If you are currently using the FAT file system, use convert.exe to convert it to NTFS right away.
* Turn off NTFS 8.3 short-name generation: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem set NtfsDisable8dot3NameCreation to "1".
* Set the boot-menu wait time to 0 seconds: Control Panel -> System -> Startup/Shutdown, then change the default "30" shown in the list to "0".
* Configure your Web server as a stand-alone server. Reducing the number of users who can log on to the server also raises its security level considerably.
* Remove any other operating systems (OS/2, Linux, ...) from your NT server, so that nobody can modify your NT installation from another system.
* Delete your network shares; you can use the command net share /d. The administrative shares can only be removed by editing the registry: set AutoShareServer under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Services\LanmanServer\Parameters to 0.
* Audit Success/Failed Logon/Logoff events strictly. To change this: User Manager for Domains -> Policies -> Audit.
* Hide the last logged-on user name: in the registry, change DontDisplayLastUserName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 0.
* Remove the "Shutdown" button from your logon dialog: change ShutdownWithoutLogon under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 0.
* Set a minimum password length; nine characters is generally enough, since the chance of a password of that length being guessed is very small. Disable the Guest account, rename the Administrator account, and give the administrator a strong password.
* Windows NT has a feature that allows unauthenticated users on the network to enumerate the users in the domain. To disable it, change RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA to 1.
* Allow only administrators to assign printers and drive letters. This can only be done with C2Config, a tool in the Windows NT Resource Kit.
* Allowing remote modification of the registry is dangerous; it is best to disable it, though this may cause you a little inconvenience, so weigh it for yourself.
* It is best not to bind the NetBIOS service, so that nobody can obtain information about your server with tools such as Nbtstat.
* Disable IP forwarding: Control Panel -> Network -> Protocols -> TCP/IP Protocol -> Properties, and leave the check box empty.
* Configure TCP/IP filtering. Doing so may block many services, but it avoids a great deal of unnecessary trouble. The setting is at: Control Panel -> Network -> Protocols -> TCP/IP Protocol -> Properties -> Advanced -> Enable Security -> Configure. A typical, recommended secure configuration is: TCP ports 80 and 443 (the SSL port); no UDP ports; IP protocol 6. However, you must know the port numbers of any other services you need and open them, otherwise those services will be blocked as well.
* Consider running the SYSKEY utility to encrypt your account database.
* Move some tools out of your NT directory into a secure directory, for example cmd.exe, net.exe, telnet.exe, ftp.exe ...

These are some of the security settings for NT 4. If you have higher security requirements for your server, they can serve as a reference. I may have forgotten a few things; I hope you will contact me in time.
Next, let me talk about some security settings for NT 4's partner, IIS 4.0.

* First, install the smallest IIS that meets your needs.
* Set correct server access-control permissions:
  .EXE, .CGI, .DLL, .CMD, .PL: Everyone (X), Administrators (Full Control), System (Full Control)
  .ASP: Everyone (X), Administrators (Full Control), System (Full Control)
  .INC, .SHTML, .SHTM: Everyone (X), Administrators (Full Control), System (Full Control)
  .HTML, .GIF, .JPEG: Everyone (R), Administrators (Full Control), System (Full Control)
* Set up virtual directories correctly. It is recommended to delete the virtual directories created by the default installation: IIS -- c:\inetpub\iissamples, IIS SDK -- c:\inetpub\iissamples\sdk, Admin Scripts -- c:\inetpub\AdminScripts, Data access -- c:\Program Files\Common Files\System\msadc\Samples. These directories only bring your system unnecessary trouble.
* Set the correct access permissions on the IIS logs, ACL: Administrators (Full Control), System (Full Control).
* Set up the IP deny-access list appropriately to keep unpleasant characters from attacking your server.
* Set up and use Secure Sockets Layer.
* Remove components you do not use: regsvr32 XXX.dll /u.
* Delete the IISADMPWD virtual directory: it allows your administrator password to be reset, which is really quite dangerous, so you are better off without it.
* Remove unnecessary script mappings such as .htr, .idc, .shtm, .stm, .shtml; all of them can be deleted in the Internet Service Manager.
* Disable RDS support; a bug was found in it recently, so it is best disabled. To disable it, delete these three registry keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls.
* Use IIS logging, recording daily the client IP address, user name, server port, method, URI stem, HTTP status and user agent.
* Add input validation to your ASP pages so that a malicious attacker cannot enter pipe characters and damage your machine.
* Disable "Parent Paths", i.e. do not let others use ".." to reach the parent directory. Setting: Site Properties -> Home Directory -> Configuration -> App Options -> Enable Parent Paths; disable it.
* Set SSIEnableCmdDirective under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters to 1 to disallow remote invocation of a command shell.
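The logging item above only pays off if someone reads the logs. The following script is an added example (not part of the original post) that parses IIS 4 W3C extended log records using the fields the post lists (client IP, user name, server port, method, URI stem, HTTP status, user agent) and flags requests that touch things the checklist removes: the default sample virtual directories and IISADMPWD, the deleted script mappings, and ".." parent-path references. The log lines are constructed; the 192.0.2.x addresses are from the documentation range; the rule names and function names are mine.

```python
"""Review IIS 4 W3C-extended log records for requests that hit items the
hardening checklist removes or disables.  Added example; the log text is
constructed and the rule names are assumptions, not IIS terminology."""
from collections import Counter, namedtuple

Hit = namedtuple("Hit", "line_no rule client uri")

# Virtual directories the checklist deletes (default samples, AdminScripts,
# msadc samples) plus IISADMPWD, matched as URI-stem prefixes.
REMOVED_PATHS = ("/iissamples", "/adminscripts", "/msadc", "/iisadmpwd")
# Script mappings the checklist removes.
REMOVED_EXTENSIONS = (".htr", ".idc", ".shtm", ".stm", ".shtml")


def parse_w3c(text):
    """Yield (line_no, {field: value}) for each record.  The field order comes
    from the #Fields: header, so the parser is not tied to one log layout."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record; IIS encodes spaces inside values as '+'
        yield n, dict(zip(fields, parts))


def classify(uri_stem):
    """Return the rule a URI stem trips, or None for an unremarkable request."""
    u = uri_stem.lower()
    if ".." in u:
        return "parent-path"          # the 'Parent Paths' item above
    if u.startswith(REMOVED_PATHS):
        return "removed-vdir"         # sample directories / IISADMPWD
    if u.endswith(REMOVED_EXTENSIONS):
        return "removed-mapping"      # .htr/.idc/.stm/.shtm/.shtml mappings
    return None


def review(text):
    """All records that trip a rule, in file order."""
    hits = []
    for n, rec in parse_w3c(text):
        rule = classify(rec.get("cs-uri-stem", ""))
        if rule:
            hits.append(Hit(n, rule, rec.get("c-ip", "?"), rec["cs-uri-stem"]))
    return hits


def hits_by_client(hits):
    """Count flagged requests per client address, most active first."""
    return Counter(h.client for h in hits).most_common()


# Constructed sample log (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-06-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
1999-06-01 00:00:01 192.0.2.10 - 80 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+4.01)
1999-06-01 00:00:02 192.0.2.10 - 80 GET /images/logo.gif 200 Mozilla/4.0+(compatible;+MSIE+4.01)
1999-06-01 00:00:05 192.0.2.77 - 80 GET /iissamples/default/welcome.htm 404 Mozilla/4.0
1999-06-01 00:00:06 192.0.2.77 - 80 GET /docs/../../private/notes.txt 403 Mozilla/4.0
1999-06-01 00:00:07 192.0.2.77 - 80 GET /help/index.htr 404 Mozilla/4.0
1999-06-01 00:00:09 192.0.2.78 - 80 GET /iisadmpwd/ 404 Mozilla/4.0
"""

if __name__ == "__main__":
    for h in review(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule:16} {h.client:12} {h.uri}")
    print(hits_by_client(review(SAMPLE_LOG)))
```

Because the parser reads the #Fields: header, the same code works on a log that records additional columns; only cs-uri-stem and c-ip are required. A 404 for a removed directory is the healthy outcome, and seeing it in the log is exactly how you confirm the deletion held.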
Please note: back up your system before modifying your registry, so that you can restore it if something goes wrong.
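Both lists above (the NT 4 list and the IIS 4.0 list) lean on registry values, and the natural companion to the backup advice is to export the affected keys with regedit and check the export against the checklist. The script below is an added example, not code from the original post: it parses a REGEDIT4-format export (the text format regedit produces on NT 4) and reports which hardening values are wrong or missing and which RDS ADCLaunch keys still exist. The sample export is constructed. Two points where the checklist is easy to misread are encoded with Microsoft's documented semantics rather than the numbers printed above: DontDisplayLastUserName="1" is what hides the last user name, and SSIEnableCmdDirective=0 is what keeps the SSI #exec cmd directive disabled; also, the LanmanServer\Parameters key lives under CurrentControlSet\Services. Function names and the status labels are mine.

```python
"""Offline audit of the NT 4 / IIS 4 registry hardening values against a
regedit export (REGEDIT4 text format).  Added example, not from the post."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name expected actual status")

# (key, value name, expected data).  dword and REG_SZ data are compared as
# text, so dword:00000001 and "1" both satisfy an expectation of 1.
# DontDisplayLastUserName=1 hides the name; SSIEnableCmdDirective=0 keeps
# #exec cmd disabled (documented semantics, see the lead-in above).
EXPECTED_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem", "NtfsDisable8dot3NameCreation", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DontDisplayLastUserName", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "ShutdownWithoutLogon", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters", "SSIEnableCmdDirective", 0),
]

# RDS launch keys the checklist deletes; their presence is a finding.
ADCLAUNCH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch"
KEYS_THAT_MUST_BE_ABSENT = [
    ADCLAUNCH + r"\RDSServer.DataFactory",
    ADCLAUNCH + r"\AdvancedDataFactory",
    ADCLAUNCH + r"\VbBusObj.VbBusObjCls",
]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path_lower: {value_name_lower: data}}.
    dword data becomes int, quoted strings become str, other types (hex:...)
    are kept as raw text.  Registry names are case-insensitive, hence lower()."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})  # a key with no values still exists
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue  # default-value (@=) and continuation lines are not needed
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys


def audit_export(text):
    """Compare an export with the expectations; return a list of Findings."""
    reg = parse_reg_export(text)
    findings = []
    for key, name, expected in EXPECTED_VALUES:
        actual = reg.get(key.lower(), {}).get(name.lower())
        if actual is None:
            status = "missing"    # value absent: the (insecure) default applies
        elif str(actual) == str(expected):
            status = "ok"
        else:
            status = "mismatch"
        findings.append(Finding(key, name, expected, actual, status))
    for key in KEYS_THAT_MUST_BE_ABSENT:
        present = key.lower() in reg
        findings.append(Finding(key, key.rsplit("\\", 1)[1], "absent",
                                "present" if present else "absent",
                                "present" if present else "ok"))
    return findings


def problems(findings):
    """Sorted names of settings that are not in the expected state."""
    return sorted(f.name for f in findings if f.status != "ok")


# Constructed sample export: the FileSystem key was not exported, two values
# are wrong, and one RDS key was left behind.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"SSIEnableCmdDirective"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory]
"""

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f.status:9} {f.name:30} expected={f.expected!r} actual={f.actual!r}")
```

Run it against the file produced by exporting HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE (or just the keys listed) from regedit; a "missing" result matters as much as a "mismatch", because an absent value means the default behaviour, not the hardened one, is in effect.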
