This article applies only to Windows NT Server 4.0 systems running IIS 4.0. If other applications are also installed on the server (for example Cold Fusion), the security of those applications must be ensured separately. The steps described below should be carried out while installing a new system, to avoid unpredictable results. Note also that this method should not be used on an internal network (for example on a file server), because it removes several default services that NT commonly relies on.

I. Installation

1. Format all partitions as NTFS.
   Choose "Stand-alone server", not PDC.
   Choose workgroup member, not domain member.
2. Install IE 4.0 SP2, without Active Desktop.
3. Install the latest service pack: SP6a.
   Install the latest hotfixes:
   q241041 Enabling NetBT to Open IP Ports Exclusively
   q243404 WINOBJ.EXE May Let You View Securable Objects Created/Opened by JET500.DLL
   q243405 Device Drivers Create their Corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN Device Characteristics
   q244599 Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6a. Windows NT Appears to Hang When You Log Off After Installing Service Pack 6.
   q188806 NTFS Alternate Data Stream Name of a File May Return Source
   q252463 Security Update, April 13, 2000
   q267559 Security Update, July 17, 2000
   q269862 Security Update, August 15, 2000
   q271652 Security Update, September 8, 2000
4. Install the Option Pack using a custom installation and install only the following components:
   [_] Internet Information Server
       [_] Internet Service Manager
       [_] World Wide Web Server
   [_] Microsoft Data Access Components 1.5
       [_] Data Sources
       [_] MDAC: ADO, ODBC, and OLE DB
       [_] Remote Data Service 1.5
           [_] RDS Core Files
   [_] Microsoft Management Console
   [_] NT Option Pack Common Files
   [_] Transaction Server
       [_] Transaction Server Core Components
* Administrators: FULL CONTROL
* System: FULL CONTROL
2. Set a screen saver
   In Control Panel open Display, select the Screen Saver tab, check "Password protected" and click OK.
3. Configure services
Disable the following services:
   Alerter (disable)
   ClipBook Server (disable)
   Computer Browser (disable)
   DHCP Client (disable)
   Directory Replicator (disable)
   FTP Publishing Service (disable)
   License Logging Service (disable)
   Messenger (disable)
   Netlogon (disable)
   Network DDE (disable)
   Network DDE DSDM (disable)
   Network Monitor (disable)
   Plug and Play (disable after all hardware has been configured)
   Remote Access Server (disable)
   Remote Procedure Call (RPC) Locator (disable)
   Schedule (disable)
   Server (disable)
   Simple Services (disable)
   Spooler (disable)
   TCP/IP NetBIOS Helper (disable)
   Telephone Service (disable)
Disable the following services where they are not needed:
   SNMP Service (optional)
   SNMP Trap (optional)
   UPS (optional)
Set the following services to start automatically:
   Eventlog (required)
   NT LM Security Provider (required)
   RPC Service (required)
   WWW (required)
   Workstation (leave this service on; it is disabled later in this document)
   MSDTC (required)
   Protected Storage (required)
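The service baseline above is easy to get wrong by hand, so here is an added audit script (not part of the original guide) that compares a service startup listing against it. The "name=start" listing format and the sample data are constructed for this example; on a real host the Start value for each service would be read from the registry.

```python
# Added example, not from the original guide: check a service startup listing
# against the baseline above. The "name=start" listing format is constructed for
# this example; on a real host the Start value lives under
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (2=Automatic, 3=Manual, 4=Disabled).
DISABLED = {
    "Alerter", "ClipBook Server", "Computer Browser", "DHCP Client",
    "Directory Replicator", "FTP Publishing Service", "License Logging Service",
    "Messenger", "Netlogon", "Network DDE", "Network DDE DSDM",
    "Network Monitor", "Plug and Play", "Remote Access Server",
    "Remote Procedure Call (RPC) Locator", "Schedule", "Server",
    "Simple Services", "Spooler", "TCP/IP NetBIOS Helper", "Telephone Service",
}
# Workstation stays on at this step; the guide disables it later.
AUTOMATIC = {
    "Eventlog", "NT LM Security Provider", "RPC Service", "WWW",
    "Workstation", "MSDTC", "Protected Storage",
}
START_NAMES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

def parse_listing(text):
    """Turn 'name=start' lines into {name: start}; blank lines are skipped."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, start = line.rpartition("=")
            services[name] = int(start)
    return services

def audit(services):
    """Return one finding per deviation from the baseline (empty = compliant)."""
    findings = []
    for name, start in sorted(services.items()):
        label = START_NAMES.get(start, f"unknown({start})")
        if name in DISABLED and start != 4:
            findings.append(f"{name}: should be Disabled, is {label}")
        elif name in AUTOMATIC and start != 2:
            findings.append(f"{name}: should be Automatic, is {label}")
    for name in sorted(AUTOMATIC - services.keys()):
        findings.append(f"{name}: required service not present")
    return findings

# Constructed sample: Server left Automatic, Spooler only Manual, Eventlog absent.
SAMPLE = ("Alerter=4\nServer=2\nSpooler=3\nWWW=2\nWorkstation=2\nMSDTC=2\n"
          "NT LM Security Provider=2\nProtected Storage=2\nRPC Service=2\n")

if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE)):
        print(finding)
```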
4. If SNMP is installed, change the community string.
5. Delete the directories containing the IIS sample programs:
   IIS            d:\inetpub\iissamples
   Admin Scripts  d:\inetpub\scripts
   Admin Samples  %systemroot%\system32\inetsrv\adminsamples
   IISADMPWD      %systemroot%\system32\inetsrv\iisadmpwd
   IISADMIN       %systemroot%\system32\inetsrv\iisadmin
   Data access    c:\Program Files\Common Files\System\msadc\Samples
6. Remove the following directories from ISM (Internet Service Manager):
Access this computer from the network: No one
Add workstations to domain: No one
Back up files and directories: Administrators
Change the system time: Administrators
Force shutdown from a remote system: No one
Load and unload device drivers: Administrators
Log on locally: Administrators
Manage auditing and security log: Administrators
Restore files and directories: Administrators
Shut down the system: Administrators
Take ownership of files or other objects: Administrators
Bypass traverse checking (advanced right): Everyone
Log on as a service (advanced right): No one
Lock pages in memory: No one
Replace a process level token: No one
Generate security audits: No one
Create a pagefile: Administrators
Profile system performance: No one
Create a token object: No one
Debug programs: No one
Increase scheduling priority: Administrators
Increase quotas: Administrators
Profile single process: Administrators
Modify firmware environment values: Administrators
Generate system policies: Administrators
Log on as a batch job: No one