win2008 server security settings deployment document (recommended)


I had been working on the project before the New Year, and only in the last few days before it did I get the newly added hard disks for the new server, redo the array configuration for the production environment, and write the deployment document and prepare the security policies. I handed it over to the testing department and the related departments for the final test before going online, then gave the deployment document to a colleague in the relevant department and asked him to rebuild the system from it, so that other colleagues could deploy the server normally in the future. After hurriedly finishing the test on the last day before the holiday, I briefly instructed my colleagues to redeploy the server according to the deployment document and then left for home; the rest was left to the colleagues working overtime to host the server in the computer room. After returning to work after the New Year, I started on the documents in the work plan (mainly revising the deployment document, adding the security policies that had not yet been written into it, and running security tests in the test environment). By the time we had finished the final security check on the server, the operations department had already promoted the website. It was dizzying; they did not even give us a chance to breathe... We could only work overtime to physically check the logs and settings of a server that was already connected to the public network. Sure enough, the inspection found records of various attacks, but fortunately they had all been blocked and nothing had gone wrong. We then added more firewall policies and system security settings.

Next I will be busy writing the "Server Security Inspection Guidelines - Daily Maintenance Instructions". The company needs to start a new project, so we have to analyze the requirements, write development documents, and build the front-end and back-end development frameworks. The old system needs new functions, and we have to write upgrade development documents for the V3 and V4 versions... So I am very busy again. Looking back, February has passed in the blink of an eye. No wonder people say programmers age quickly: they no longer have any time of their own.

I have said a lot of nonsense before, now let’s get to the point.

I believe many developers will encounter server security, but most people have no idea about security. I remember when I first took over the server 10 years ago, I was excited but also confused. However, when I really faced it, I didn't know where to start. I searched on Baidu and Google, but there was no complete explanation. I was completely confused about security. The servers I configured at the beginning were full of loopholes. At that time, I almost ate and slept in the computer room, but I couldn't avoid the server being hacked. Most of the time, I didn't know anything after being hacked. It was depressing to think about it~~~ Of course, my experience was gradually upgraded in the process of being hacked, haha......

Below I will share the "Server Security Deployment Document" I have written, hoping it will be helpful to everyone. Of course, I am not a hacker and I don’t know all the attack methods, so there may be omissions. I welcome suggestions. We configure the servers according to the security setting ideas in this document (different platforms and operating system versions have different configurations, but the security setting ideas are the same). We manage many servers (including various Web servers, database servers, streaming media servers, game servers (Linux systems)) from 2005 to now, and there have been no successful intrusions. Of course, it may also be related to the lack of very powerful hackers to carry out attacks, but we can also see that there are still some security guarantees (haha... I'm embarrassed to brag so much). If you don’t have a server, you can also try to install and configure it on your own computer using a virtual machine (in my company’s technical department, after sending the document to everyone, many colleagues have tried to follow the document’s instructions, which is quite helpful for improving server security deployment). Of course, there are some subtle differences between the configuration of the virtual machine and the operations on the actual server.

Table of contents

1. Introduction
2. Deployment Environment
2.1 Server Environment Information
3. Disk Array Configuration
4. Install the Operating System
5. Install the Software
5.1 Installing a Disk Defragmenter
5.2 Installing a Virtual CD-ROM
5.3 Install IIS
5.4 Install .NET Framework 4
5.5 Install SQL2008
5.6 Installing JMail
5.7 Install Anti-virus Software and Firewall
6. Server Website and Security Configuration
6.1. Modify the System Default Account Name
6.2. Configuring Account Lockout Policy
6.3. Server Hard Drive Access Security Configuration
6.4. Configuring the Website
6.5. Configure Cross-server Synchronous Update of the Image Website
6.6. Shielding the xplog70.dll Vulnerability
6.7. Setting Network Access Policy
6.8. Setting User Rights Assignment Policy
6.9. Turn Off Default Sharing
6.10. Disable Unnecessary and Dangerous Services
6.11. Modify the Audit Policy
6.12. System Firewall Security Settings
6.13. Enable Remote Desktop Function
6.14. Configuring McAfee Access Protection
6.15. Configuring McAfee Firewall
7. Deployment Considerations

1. Introduction

In fact, configuring a secure server comes down to a few points:

Close or disable every port that can be closed and every service that can be disabled;

Use a firewall in which port-level communication access policies can be configured;

Strictly control the permissions of the various programs on the system to create, modify and delete executable scripts, dynamic link libraries and programs in each directory;

For website directories, a directory or file that is writable must not have execute permission, and a directory with execute permission must not be writable. (This is the most important point.)

2. Deployment Environment
2.1 Server environment information
Server hardware configuration:

(omitted)

Server software environment:

Name                     Description
Disk array               RAID 10
Operating system         Windows 2008 R2 Enterprise 64-bit
IIS                      7.5
SQL                      MSSQL 2008
.NET Framework           .NET 4.0
Antivirus and firewall   McAfee 64bit vse880; HostIPS Client700
Email sending software   JMail
IP address               192.168.1.10

(In fact, I am most familiar with win2003 servers. Since the Dell R820 server purchased by the company no longer supports older systems, I had no choice but to upgrade myself. If your server is still running win2003, this article is still useful: the two differ only in some configuration details, and the overall security approach is the same.)

3. Disk array configuration

For specific configuration, please refer to the "RAID Configuration Chinese Manual", link address:
http://support1.ap.dell.com/cn/zh/forum/thread.asp?fid=20&tid=61244
Before configuration, back up the data on the disks in advance: once the array is re-created, all data on the disks is lost.
(The author uses Dell R820 server. Dell server's after-sales service is really good. If there is any problem with the server, just make a few after-sales calls to solve it. It is very convenient)

4. Install the operating system
For specific installation steps, please refer to the "R820 Server Installation Guide"
1) Install Windows 2008 via Lifecycle Controller:
http://zh.community.dell.com/support_forums/poweredge/f/279/t/2812.aspx
With this method you press F10 when the server boots and install the operating system from there, which is quick. To install another officially supported system, simply select it when choosing the operating system.

2) Manual installation of 2012:
http://zh.community.dell.com/support_forums/poweredge/f/279/t/9621.aspx
With this method you boot from the 2012 installation CD in the optical drive and install directly.
When selecting the installation disk, extract the RAID driver from the folder where this document is located onto a USB flash drive, insert it into the server, and manually choose to load the driver before continuing.

The rest of the installation process is the same as the normal operating system installation, so I will not describe it in detail here.

5. Install the software
5.1 Installing a Disk Defragmenter

Since server-related files, images, and various log files are constantly created and deleted, after the server has been running for a long time, there will be a lot of file fragments on the disk, which will reduce the performance of the server and shorten the life of the hard disk.
Diskeeper2011_ProPremier is a real-time defragmentation program that does not interfere with system resources and runs automatically. It can automatically prevent key system files from being fragmented, monitor the disk in real time, and defragment once fragmentation occurs, thus ensuring system stability and speed to the greatest extent. Its intelligent file access acceleration sequence technology I-FAAST2.0 can increase the access speed of the most frequently used files by up to 80% (an average of 10%~20%). (For detailed introduction, please refer to the official documents)
Run the installation:


5.2 Installing a Virtual CD

(omitted)
5.3 Install IIS

Open Server Manager, select Roles => Click "Add Role"

Select Web Server (IIS)

After clicking Next, check the content selected as shown below


5.4 Install .NET Framework 4

Run dotNetFx40_Full_x86_x64.exe to install the .net4 framework (this must be installed after IIS is installed, so that the .net4 framework will be automatically bound in the relevant properties of IIS)

5.5 Install SQL2008

Before installing SQL2008, you must first install the .NET 3.5 framework: open Server Manager, click Features => Add Features => check .NET Framework 3.5.1 and run the installation.

Before continuing the SQL2008 installation, first change the default system account name as described in step 6.1 while logged in as the administrator, then proceed with the steps below.

After following the steps in 6.1, load SQL2008_CHS.iso into the virtual CD, run the installation and select "Install" => "New SQL Server standalone installation or add features to an existing installation"

The account name selected here is SYSTEM and the password is blank

Please note at this step:
1) Select Mixed Mode for the authentication mode
2) The SA password must be longer than 32 characters and mix Chinese and English characters (upper and lower case) and digits. It should be a random string that nobody can remember; once it is set, the account and password will never be used again.
3) The designated SQL Server administrator is the current user (it must be the administrator user as renamed in step 6.1; if it is not, logging in to SQL may fail)


Sometimes the last step reports that the installation failed. In that case, restart, open Control Panel, click Uninstall a program, remove the newly installed SQL2008, restart again and then install it once more. Sometimes it succeeded on my first try and sometimes only after three or four attempts; I don't know why.


5.6 Installing JMail

(omitted)
5.7 Install antivirus software and firewall

It is best to install the antivirus software and firewall only after completing all the steps before "6.14. Configure McAfee Firewall". Otherwise some configurations or operations may fail, because once the firewall is installed it blocks the operation of system software. If it has already been installed, open the anti-virus console first, disable "Access Protection", and do not enable the firewall yet.

I won’t go into details, just install the antivirus software as shown below:

Install a firewall

Directly run McAfeeHIP_ClientSetup.exe (Note: the genuine installation method is different from the following, there are some differences)

After running, there will be no installation interface. Wait for a while before running the patch, as shown below

Just double-click the left mouse button, then enter the path shown below and find the installed firewall program

Run McAfeeFire.exe to open the firewall software


6. Server website and security configuration
6.1. Modify the system default account name

Rename the system default accounts and create a new Administrator account as a decoy, with an extra-long password and membership in no user group at all (leave its group list empty so that the account belongs to no group); also rename and disable the Guest user.

First rename the original Administrator user

Change the name to whatever you prefer

Then create a new Administrator decoy account and set a long, mixed password

Edit it

Delete the group it belongs to

Because this is a decoy account, let the network access policy control access to it

Rename Guest as well

After the setup is complete, you must restart the computer; otherwise the SQL installation may fail and have to be redone


6.2. Configuring Account Lockout Policy

Type gpedit.msc in the Run window and press Enter to open the Group Policy Editor. Go to Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy and set the account lockout threshold to 3 invalid logon attempts, the lockout duration to 30 minutes, and the reset of the lockout counter to 30 minutes.
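Steps 6.1 and 6.2 as one script, added here as an example and not part of the original document. It assumes an elevated PowerShell session on the server itself; the two new account names are placeholders, and the reboot 6.1 requires still has to follow.

```powershell
# Added example, not from the original document: scripts steps 6.1 and 6.2.
# Assumptions: elevated PowerShell (2.0 or later) on the server; the names below
# are placeholders, choose your own; reboot afterwards as 6.1 requires.
$ErrorActionPreference = 'Stop'
$RealAdminNewName = 'opsadmin01'    # assumed: new name for the real Administrator
$GuestNewName     = 'guest_off'     # assumed: new name for Guest
$DecoyName        = 'Administrator' # the decoy keeps the well-known name

function New-LongPassword {
    param([int]$Length = 48)
    # Letters, digits and a few symbols; nobody has to remember it. Random bytes at or
    # above the largest multiple of the alphabet size are discarded (no modulo bias).
    $alphabet = [char[]](65..90) + [char[]](97..122) + [char[]](48..57) + [char[]]'!#%+-=_.'
    $limit = [int]([math]::Floor(256 / $alphabet.Count) * $alphabet.Count)
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte = New-Object byte[] 1
    $sb   = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Count]) }
    }
    $sb.ToString()
}

function Rename-LocalAccount {
    param([string]$From, [string]$To)
    # Win32_UserAccount.Rename keeps the SID, so existing ACLs and rights still apply.
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$From'"
    if (-not $acct) { throw "local account '$From' not found" }
    $r = $acct.Rename($To)
    if ($r.ReturnValue -ne 0) { throw "rename $From -> $To failed, code $($r.ReturnValue)" }
}

function New-DecoyAdministrator {
    param([string]$Name)
    # Decoy: well-known name, unusable password, member of no group at all.
    # (6.8 later adds it to "Deny log on through Remote Desktop Services" as well.)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('user', $Name)
    $user.SetPassword((New-LongPassword))
    $user.SetInfo()
    $user.Put('Description', 'decoy account - never log on with it')
    $user.SetInfo()
    # A new local user is placed in Users automatically; take it out again.
    ([ADSI]"WinNT://$env:COMPUTERNAME/Users,group").Remove($user.Path)
}

# 6.1: rename the real accounts first, then create the decoy under the old name.
Rename-LocalAccount -From 'Administrator' -To $RealAdminNewName
Rename-LocalAccount -From 'Guest' -To $GuestNewName
& net user $GuestNewName /active:no | Out-Null
New-DecoyAdministrator -Name $DecoyName

# 6.2: lock after 3 invalid logons, for 30 minutes, counter reset after 30 minutes.
& net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Read everything back so it can be checked before the reboot.
Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, SID | Format-Table -AutoSize
& net accounts
```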


6.3. Server Hard Drive Security Access Security Configuration

On every disk, remove all user permissions except CREATOR OWNER, Administrators and SYSTEM (the Users group must be kept on the C drive. In theory the Users group should be removed too, but many people who delete it outright find the website no longer accessible if the operation goes wrong, and re-assigning permissions on the many directories under the system directory is very troublesome, so this article recommends keeping it. As long as the settings below are in place, it is not much of a risk here).


6.4. Configuring the website

Copy the website code and images to the specified folder

(Since the front-end and back-end of this site are separated, the picture site is also independent, and an asynchronous cross-server update program for pictures is also made, so there are the following four folders)

Open the server manager, enter the local user and group management, add corresponding binding users for the above websites, and set super long mixed passwords respectively, and record them for later use

Note: Later, my colleagues reminded me that the IIS access of the Win2008 server can use the application pool name as the account to set up (you can refer to: http://www.cnblogs.com/yjmyzz/archive/2009/10/26/1590033.html), without creating multiple independent accounts. However, the document has already been written, so I am too lazy to change it. I still use the Win2003 setting mode to add the account.

Then delete the default group to which the created accounts belong and add the Guests group

Remove remote control

On the Dial-in tab, set the network access permission to Deny access

Open IIS and delete the default site

Right click on the website and add the website

Create the corresponding site

Click the Connect As button, set the access account, set the path credentials to: Specific User, then enter the username just created and the corresponding password

Setting up authentication

Click Application Pool and assign the newly created website to the corresponding application pool .NET Framework version and managed pipeline mode

.NET Framework version is set to .NET Framework v4.0.30319
Managed pipeline mode is set to classic mode

Set the default document of the website to Index.aspx

Setting ISAPI and CGI restrictions

Set Active Server Pages to not allow and ASP.NET v4.0.30319 to allow

Go to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319 directory and set the access permissions for the Temporary ASP.NET Files folder.

Right click => Properties

Add the user in the red box and set it to be editable

Go to the C:\Windows\Microsoft.NET\Framework64\v2.0.50727 directory and do the same for the Temporary ASP.NET Files folder

Then set the corresponding folder access permissions for the currently created website

Add the account just created and bound in IIS, Authenticated Users and NETWORK SERVICE accounts

Set permissions to default permissions (Read and Execute, List Folder Contents, Read)

Enable Parent Paths

Double-click ASP to open the property editor and change Enable parent path to True

Attach the database: open SQL2008

Attach a database

Find the database storage location

Delete the original bound user in the database

Create a new login name

Fill in the database link username and password in the SQL new login name corresponding text box, and set it as shown below

Then click User Mapping, check the data, and set the database to have db_owner role permissions (Note: After clicking OK, it is best to recheck the properties of the newly created user, the user mapping item, and check whether the db_owner role permissions are assigned successfully. It is often the case that the assignment is not successful after creation, and it needs to be manually reset)

Open the website directory, find the Web.config file, open it in Notepad, and fill in the newly created database username and password

Run the ASP.NET State Service and set it to run automatically

After setting up the other websites with the same steps and configuration, you can open a browser and access them normally.

Set write permissions for writable directories


Set the two accounts in the red box to edit permissions

Disable the execute permission of the writable directory (you can also disable the execute permission of all directories that do not need to run ASPX scripts, such as css, js, etc.)
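The NTFS and IIS permission steps of 6.3 and 6.4 for one site, scripted; this is an added example, not code from the original document. It assumes an elevated PowerShell on the server, a site that already exists in IIS 7.5, and placeholder names for the site, its folders and the account bound under "Connect As".

```powershell
# Added example, not from the original document: NTFS and IIS permissions of 6.3/6.4.
# Assumptions: elevated PowerShell on the server; the site exists in IIS 7.5; the site
# name, folders and account below are placeholders for your own values.
$ErrorActionPreference = 'Stop'
$SiteName  = 'www_site'                          # assumed IIS site name
$SiteRoot  = 'D:\wwwroot\www_site'               # assumed site folder
$UploadDir = 'upload'                            # assumed writable sub-folder (images, logs)
$SiteUser  = "$env:COMPUTERNAME\www_site_user"   # assumed account used in "Connect As"
$AppCmd    = "$env:windir\system32\inetsrv\appcmd.exe"

function Set-SiteFolderAcl {
    # Grant only what 6.4 lists (full control for Administrators/SYSTEM, read+execute
    # for the bound account, Authenticated Users and NETWORK SERVICE), then cut the
    # inheritance from the drive-level ACL of 6.3. (OI)(CI) propagates downwards.
    & icacls $SiteRoot /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
        "${SiteUser}:(OI)(CI)RX" 'Authenticated Users:(OI)(CI)RX' `
        'NETWORK SERVICE:(OI)(CI)RX' | Out-Null
    & icacls $SiteRoot /inheritance:r | Out-Null
}

function Grant-TempAspNetFiles {
    # 6.4: the bound account needs Modify on "Temporary ASP.NET Files" for v2 and v4.
    foreach ($v in 'v2.0.50727', 'v4.0.30319') {
        $tmp = "$env:windir\Microsoft.NET\Framework64\$v\Temporary ASP.NET Files"
        if (Test-Path $tmp) { & icacls $tmp /grant "${SiteUser}:(OI)(CI)M" | Out-Null }
    }
}

function Set-WritableFolder {
    param([string]$Relative)
    $path = Join-Path $SiteRoot $Relative
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    # The two accounts that write here get Modify; nobody else gains anything.
    & icacls $path /grant "${SiteUser}:(OI)(CI)M" 'NETWORK SERVICE:(OI)(CI)M' | Out-Null
    # "No execute" in IIS terms: handler access policy Read only, so a script file
    # dropped into this folder is never run. Written to applicationHost.config and
    # the section locked for this path, so a web.config uploaded here cannot undo it.
    & $AppCmd set config "$SiteName/$Relative" /section:system.webServer/handlers `
        /accessPolicy:Read /commit:apphost | Out-Null
    & $AppCmd lock config "$SiteName/$Relative" /section:system.webServer/handlers | Out-Null
}

function Get-WritableFolderPolicy {
    param([string]$Relative)
    # Returns the accessPolicy line as IIS sees it, e.g. ... accessPolicy="Read" ...
    (& $AppCmd list config "$SiteName/$Relative" /section:system.webServer/handlers) -match 'accessPolicy'
}

Set-SiteFolderAcl
Grant-TempAspNetFiles
Set-WritableFolder -Relative $UploadDir
Get-WritableFolderPolicy -Relative $UploadDir
& icacls $SiteRoot
```

The same Set-WritableFolder call applies to css, js and any other folder that never needs to run ASPX, as the step above suggests.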

6.5. Configure cross-server synchronization to update image websites

(omitted)

6.6. Shielding xplog70.dll vulnerability

Go to the installed SQL directory, search for xplog70.dll and delete the file found (this stops the SQL Agent service, so if you use the Agent, do not delete it).


6.7. Setting Network Access Policy

Type gpedit.msc in the Run window and press Enter to open the Group Policy Editor. Go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options and clear the following four items:
Network access: Shares that can be accessed anonymously;
Network access: Named pipes that can be accessed anonymously;
Network access: Remotely accessible registry paths;
Network access: Remotely accessible registry paths and sub-paths.


6.8. Setting User Rights Assignment Policy

Enter gpedit.msc in the Run window and press Enter to open the Group Policy Editor. Select Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment and delete "Everyone" in the "Access this computer from the network" policy.

In the "Deny log on through Remote Desktop Services" policy, add the following user groups and users

In addition, when adding a new site, the new user created must also be added here



6.9. Disable default sharing

Open the registry editor and go to
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
Create two new DWORD values named "AutoShareServer" and "AutoShareWks" and set each to "0"


6.10. Disabling unnecessary and dangerous services

Open the Server Manager, enter the "Services" management, and disable the following services (the services marked in yellow may not exist in the 2008 system)


6.11. Modify the audit policy


6.12. System Firewall Security Settings

Turn on the system firewall (Control Panel => System and Security => Windows Firewall => Turn Windows Firewall on or off). If you are operating remotely, be careful not to cut off your own connection.

Turn off File and Print Sharing

Note: For greater security, it is best to turn off Remote Desktop and use a more secure third-party remote login program, or at least change the remote connection port. Generally speaking, once the previous settings are in place, even if Remote Desktop is left enabled the risk is limited.
To add new firewall rules, please refer to 6.13 for related operations.


6.13. Enable remote desktop function

Click on My Computer and open the System Properties window.

Change the Remote Desktop port. Click the Start menu, type regedit to open the registry editor, and change the PortNumber value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp from 3389 to a high-numbered port, for example 12345.

Change the PortNumber value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key from 3389 to 12345

After modifying the remote desktop port, the original firewall remote desktop rules will become invalid and you need to recreate the rules. Open Windows Firewall and click "Advanced Settings"

After setting, restart the computer and it will take effect immediately
Note: If you modify the port remotely, you need to modify the McAfee firewall at the same time and add new port rules to avoid being unable to log in remotely.
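The registry values behind 6.7, 6.9 and 6.13, written in one script together with the Windows Firewall rule the new port needs; this is an added example, not from the original document. It assumes an elevated PowerShell on the server and uses the page's 12345 only as a placeholder port; the port change takes effect after the reboot 6.13 calls for.

```powershell
# Added example, not from the original document: registry side of 6.7, 6.9 and 6.13.
# Assumptions: elevated PowerShell; $RdpPort is a placeholder (the page's example value);
# if you work over Remote Desktop, add the same port to the McAfee firewall first (6.13 note).
$ErrorActionPreference = 'Stop'
$RdpPort = 12345

$Lanman  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$Winreg  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$RdpKeys = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

function Set-RegValue([string]$Key, [string]$Name, $Value, [string]$Kind) {
    [Microsoft.Win32.Registry]::SetValue($Key, $Name, $Value, [Microsoft.Win32.RegistryValueKind]$Kind)
}
function Get-RegValue([string]$Key, [string]$Name) {
    [Microsoft.Win32.Registry]::GetValue($Key, $Name, $null)
}

function Clear-AnonymousAccessLists {
    # 6.7: the four "Network access:" security options are these REG_MULTI_SZ values
    # (Group Policy writes the same locations). An empty list clears each of them.
    $empty = [string[]]@()
    Set-RegValue $Lanman 'NullSessionShares' $empty 'MultiString'
    Set-RegValue $Lanman 'NullSessionPipes'  $empty 'MultiString'
    Set-RegValue "$Winreg\AllowedExactPaths" 'Machine' $empty 'MultiString'
    Set-RegValue "$Winreg\AllowedPaths"      'Machine' $empty 'MultiString'
}

function Disable-DefaultShares {
    # 6.9: stops the Server service from recreating C$, D$ ... and ADMIN$ at start-up.
    Set-RegValue $Lanman 'AutoShareServer' 0 'DWord'
    Set-RegValue $Lanman 'AutoShareWks'    0 'DWord'
}

function Set-RdpPort([int]$Port) {
    # 6.13: both keys must agree or the listener and the session settings diverge.
    foreach ($k in $RdpKeys) { Set-RegValue $k 'PortNumber' $Port 'DWord' }
    # The built-in "Remote Desktop" firewall rule only covers 3389, so open the new
    # port now; disable the old rule only once the new port is confirmed to work
    # (item 4 of section 7).
    & netsh advfirewall firewall add rule name="Remote Desktop (TCP $Port)" `
        dir=in action=allow protocol=TCP localport=$Port | Out-Null
}

function Disable-OldRdpRule {
    & netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
}

function Get-HardeningState {
    # Read everything back; compare with the intended values before rebooting.
    @{
        NullSessionShares = @(Get-RegValue $Lanman 'NullSessionShares')
        NullSessionPipes  = @(Get-RegValue $Lanman 'NullSessionPipes')
        AllowedExactPaths = @(Get-RegValue "$Winreg\AllowedExactPaths" 'Machine')
        AllowedPaths      = @(Get-RegValue "$Winreg\AllowedPaths" 'Machine')
        AutoShareServer   = Get-RegValue $Lanman 'AutoShareServer'
        AutoShareWks      = Get-RegValue $Lanman 'AutoShareWks'
        RdpPorts          = @($RdpKeys | ForEach-Object { Get-RegValue $_ 'PortNumber' })
    }
}

Clear-AnonymousAccessLists
Disable-DefaultShares
Set-RdpPort -Port $RdpPort
Get-HardeningState
```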


6.14. Configuring McAfee Access Protection

Open the VirusScan console

Enable Access Protection

Open Access Protection Properties

Adding User Defined Rules

Processes to exclude:

csc.exe, DTSWizard.exe, Explorer.EXE, FrameworkService.exe, HIPSvc.exe, McScript_InUse.exe, SqlWb.exe, Ssms.exe, vbc.exe, w3wp.exe

Processes to exclude:

FrameworkService.exe, mmc.exe, svchost.exe

Enable firewall blocking rules

Add the excluded processes to the corresponding rules as required below.

Rule                                                                                          Processes
General Maximum Protection: Prevent programs from registering as a service                    svchost.exe, mmc.exe, Explorer.EXE
Anti-virus Standard Protection: Prevent mass mailing worms from sending mail                  w3wp.exe
General Maximum Protection: Prevent creation of new executable files in the Windows folder    w3wp.exe, csc.exe, vbc.exe

Once these rules are added, check the "Access Protection Log" frequently to see which programs we intend to allow are being blocked, and add them to the corresponding exclusion list (if the operation is unclear, search Baidu or see my next article "Server Security Inspection Guide - Daily Maintenance Instructions", which covers the daily maintenance of the server).


6.15. Configuring McAfee Firewall

Enter the firewall folder according to the following path

Run McAfeeFire.exe to open the firewall software

Click to unlock, the default password is abcde12345

After unlocking, set the relevant options of the firewall

Enable firewall function - If it is a remote desktop operation, the remote desktop will be unable to connect immediately after this step. You need to set it locally on the server to allow it to connect again.

After enabling, connect with remote desktop and grant authorization

After clicking "allow", you can log in using the remote desktop connection. The same operation is applied to authorized access to other ports, software or websites. When granting authorization, please pay close attention to whether the program we requested to allow is accessing it. If not or if you are not sure, please reject it. If you find that a certain function of the website cannot be accessed or there is a problem after rejection, please come here to check and modify the rules to ensure the security of the server.


7. Deployment considerations

1. Before updating, it must be tested by self-test and testing department personnel;
2. Any modification of the website configuration must be backed up in advance to facilitate rollback;
3. Any modification of the server-side settings must be submitted and recorded to facilitate quick identification of problems when any problems occur on the website;
4. When changing the relevant ports on the server, you must open the corresponding ports in Windows Firewall and McAfee Firewall in advance. After modifying the ports and restarting the server or software, remember to close the original ports and do a good job of testing to prevent inaccessibility. In particular, you must be careful when modifying the remote access ports, otherwise it may cause remote login failure.
5. When a certain function fails to run or an error occurs, please first check Windows Firewall, McAfee Access Protection and Firewall to see if it is blocked by the access protection rules.
6. User management must be checked regularly to see if there are any extra users and whether the user's affiliated groups have changed; check application logs, security logs, system logs, IIS access logs, logs recorded by website background management, operation logs and recharge logs recorded in the website directory, McAfee access protection logs, etc., and make backups; check whether Windows Firewall, McAfee Access Protection and Firewall are running, and whether they have been accidentally closed and forgotten to be opened; check the growth of SQL related logs and records, check SQL backup status, whether the backup space is sufficient, etc. (For details, please refer to my next article "Server Security Inspection Guide - Daily Maintenance Instructions")
7. In addition to making good server security configurations, code security is also very important. All submitted data must be filtered to prevent SQL injection and XSS attacks. The client must be regularly disinfected and checked for Trojans, and the login password must be changed regularly to ensure system security.
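A daily check for item 6 above, added here as an example and not part of the original document: it snapshots local users and their group membership against a saved baseline, and confirms that Windows Firewall, the McAfee processes named in 6.14 and the lockout policy from 6.2 are still in place. It assumes an elevated PowerShell, English-language command output and a placeholder baseline path.

```powershell
# Added example, not from the original document: daily check for section 7, item 6.
# Assumptions: elevated PowerShell on the server; netsh/net output in English;
# $BaselinePath is a placeholder; process names are the McAfee ones listed in 6.14.
$ErrorActionPreference = 'Continue'
$BaselinePath = 'C:\ops\baseline-accounts.xml'   # assumed location of the saved baseline

function Get-LocalAccountSnapshot {
    # Every local user with its group list, sorted so two snapshots compare cleanly.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
        $u = $_
        $groups = @($u.Groups() | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        New-Object PSObject -Property @{
            Name     = $u.Name.Value
            Disabled = [bool]($u.UserFlags.Value -band 2)   # ADS_UF_ACCOUNTDISABLE
            Groups   = (($groups | Sort-Object) -join ',')
        }
    } | Sort-Object Name
}

function Compare-AccountsWithBaseline {
    param([string]$Path = $BaselinePath)
    # First run writes the baseline (review it by hand once); later runs report drift:
    # "=>" lines are accounts or memberships that are new, "<=" ones that disappeared.
    $now = Get-LocalAccountSnapshot
    if (-not (Test-Path $Path)) {
        $now | Export-Clixml -Path $Path
        return "baseline written to $Path"
    }
    $base = Import-Clixml -Path $Path
    $diff = Compare-Object $base $now -Property Name, Disabled, Groups
    if (-not $diff) { return 'accounts and group membership unchanged' }
    $diff | ForEach-Object {
        "$($_.SideIndicator) $($_.Name) disabled=$($_.Disabled) groups=$($_.Groups)"
    }
}

function Test-ProtectionRunning {
    # Firewall profiles on, McAfee agent and Host IPS processes alive, lockout still 3.
    $findings = @()
    $fw = & netsh advfirewall show allprofiles state
    if ($fw -match 'OFF') { $findings += 'Windows Firewall: at least one profile is OFF' }
    foreach ($p in 'FrameworkService', 'HIPSvc') {
        if (-not (Get-Process -Name $p -ErrorAction SilentlyContinue)) {
            $findings += "McAfee process $p.exe is not running"
        }
    }
    $acct = & net accounts
    if (-not ($acct -match 'Lockout threshold:\s+3\b')) {
        $findings += 'account lockout threshold is not 3'
    }
    if ($findings.Count -eq 0) { 'protection checks passed' } else { $findings }
}

Compare-AccountsWithBaseline
Test-ProtectionRunning
```

Run it from a scheduled task and keep the output next to the log backups the same item asks for, so a changed group or a silently disabled firewall shows up the next morning rather than after an incident.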

8. Conclusion

Server security is no small matter, you need to be careful in everything, and if there is a problem it will be a big problem, so you need to be very careful and cautious when actually operating it.

As a server maintenance personnel, in addition to daily maintenance work, if you have time, you must also learn and master various commonly used hacking tools, familiarize yourself with various attack methods, visit websites such as Wuyun.com more often to see how others invade, in order to provide better protection.

Due to some particularities of the company's website, the published content has been edited, and some special configurations and settings have not been published, haha... However, the basic security protection description is almost there. I am not sure whether there are still any security issues. I hope friends with experience can give me some advice.

If you feel this article is helpful to you, please recommend it.

Copyright Notice:

This article was published by AllEmpty on Blog Garden. The copyright of this article is shared by the author and Blog Garden. Reprinting is welcome, but this statement must be retained without the author's consent, and the original link must be given in a prominent position on the article page. If you have any questions, you can contact me at 1654937#qq.com . Thank you very much.

The purpose of publishing this content is to learn and make progress together with everyone. Friends who are interested can join the QQ group: 327360708 or email me (1654937#qq.com) for discussion. Due to my busy work, if you have any questions, please leave a message first. Please forgive me for the late reply.
