yesterday, the customer’s site was linked to horse, I also have some responsibility, because usually too lazy to set the server security settings, some in a few minutes to set up, but is lazy, if the server is malicious damage results, you need to spend more time to recover the data, so the server security settings early to lay a good foundation, danger time will reduce a lot of unnecessary loss.
below, I will combine my experience and lessons to sum up some of the techniques and methods of server security settings.
1. Installation of operating system
the operating system I’m talking about here takes Windows 2000 as an example, and the higher version of Windows has similar functions.
formats a hard drive, it must be formatted as NTFS. Never use the FAT32 type.
C for operating system disk, D disk commonly used software, E disk format complete website, immediately after setting the disk permissions, C default, D disk security settings for Administrator and System complete control, other users delete, E disk on site, if there is only one website, set Administrator and System complete control, Everyone read, if the site on a piece of code must complete the write operation, then change to the separate file folder permissions.
The installation process in the
system must be in line with the principle of minimum service, the service will not be useless, minimum installation system, in the process of installation of IIS, the most basic function necessary to install only those dangerous, unnecessary services do not install, for example: FrontPage 2000 server extensions, Internet service Management (HTML). FTP services, document indexing service etc..
two, network security configuration
network security, the most basic is the port settings, in the "local connection properties", "Internet Protocol" (TCP/IP), point "advanced", and then click "options" – "TCP/IP filter."". Just open the ports you need for your web service, and configure the interface as shown below.
After the following settings of
, from your server will not use domain name resolution, so access to the Internet, but the external access is normal. This setting is designed to prevent DDOS attacks in general scale.
three, security template set
running MMC, adding independent management unit security configuration and analysis ", into the template basicsv.inf or securedc.inf, and then" immediately configure the computer ", the system will automatically configure the" account strategy "and" local policy "," service "and other information, in one step, but these configurations may lead to some software can not run or run error.