As computer software and hardware keep improving, servers and operating systems are constantly updated as well. More and more companies and individuals now choose win2008 as their server operating system, so setting up a security policy for a win2008 server is becoming more and more important. This article shares a security policy for a win2008 server.
1. System patch update
Click Start Menu -> All Programs -> Windows Update
Follow the prompts to install the patch.
2. Share and discover
Right-click "Network" - Properties - Change Advanced Sharing Settings - Sharing and Discovery
Turn all of the following off: network sharing, file sharing, public file sharing, printer sharing.
3. Firewall settings
Look up the details online as needed; ping is still needed quite often.
4. Firewall settings
Control Panel → Windows Firewall Settings (turn the firewall on) → Change Settings → Exceptions, then check: FTP, HTTP, Remote Desktop Services, Core Networking, HTTPS, 3306 (MySQL), 1433 (MSSQL).
By default, the server no longer answers ping once the firewall is enabled. To allow it again:
Method 1: Command Line Mode
After logging in to the server, click Start - Run and enter the command:
netsh firewall set icmpsetting 8
The server can then be pinged from outside. Very simple and practical!
In the same way, if you want to disable Ping, you can run the following command:
netsh firewall set icmpsetting 8 disable
Method 2: Firewall Advanced Panel Method
1. Go to Control Panel -> Administrative Tools -> find "Windows Firewall with Advanced Security"
2. Click Inbound Rules
3. Find the rule "Echo Request – ICMPv4-In"
4. Right-click the rule and click "Enable"
Ping is disabled the same way.
5. Disable unnecessary and dangerous services
The services listed below need to be disabled.
Open Control Panel - Administrative Tools - Services (or run services.msc)
Distributed Link Tracking Client: updates link information on the local area network
Print Spooler: print service
Remote Registry: allows the registry to be modified remotely
Server: shares files, printers, and named pipes over the network (disabling it causes an error to be reported at startup)
TCP/IP NetBIOS Helper: provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network
Workstation: leaks the list of system user names; associated with Terminal Services Configuration
Computer Browser: maintains the list of computers on the network; disabled by default
Net Logon: domain controller channel management; already Manual by default
Remote Procedure Call (RPC) Locator: RpcNs* remote procedure calls (RPC); already Manual by default
To delete a service:
sc delete MySql
Local Computer Policy (run gpedit.msc from the command line):
Computer Configuration
|- Windows Settings
   |- Security Settings
      |- Account Policies
      |  |- Password Policy
      |  |- Account Lockout Policy
      |- Local Policies
         |- Audit Policy
         |- User Rights Assignment
         |- Security Options
Audit Policy
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
User Rights Assignment
Shut down the system: keep only the Administrators group and delete all others.
Deny log on through Terminal Services: add the Guests group, IUSR_*****, IWAM_*****, NETWORK SERVICE, SQLDebugger
Allow log on through Terminal Services: add the Administrators and Remote Desktop Users groups and delete all others
Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all entries
Network access: Named pipes that can be accessed anonymously: delete all entries
Network access: Remotely accessible registry paths: delete all entries
Network access: Remotely accessible registry paths and subpaths: delete all entries
Accounts: Rename guest account: change the name of the guest account here
Accounts: Rename administrator account: change the name of the Administrator account here
Create a new fake Administrator account without any permissions
Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users
Create a new account named Administrator as a trap account, set a long password, and remove it from all user groups.
Change its description to: Built-in account for administering the computer/domain
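A read-only check of the service list in section 5 and the Security Options above, added here as an example and not part of the original article. The service short names and registry value names are the standard Windows ones behind the display names the article uses; the script assumes PowerShell is installed and is run as an administrator.

```powershell
# Added example: reports drift from section 5 and "Security Options"; changes nothing.
$services = @{
    TrkWks            = 'Distributed Link Tracking Client'
    Spooler           = 'Print Spooler'
    RemoteRegistry    = 'Remote Registry'
    LanmanServer      = 'Server'
    lmhosts           = 'TCP/IP NetBIOS Helper'
    LanmanWorkstation = 'Workstation'
    Browser           = 'Computer Browser'
    Netlogon          = 'Net Logon'
    RpcLocator        = 'Remote Procedure Call (RPC) Locator'
}
$findings = @()

# Services the article says to disable: report any whose start mode is not Disabled.
foreach ($key in ($services.Keys | Sort-Object)) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$key'"
    if ($svc -and $svc.StartMode -ne 'Disabled') { $findings += "Service $($services[$key]) ($key): StartMode=$($svc.StartMode)" }
}

# Security Options stored as DWORDs: 1 means the policy is Enabled.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$logon  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dwords = @(
    @($logon, 'DontDisplayLastUserName'),
    @($lsa, 'RestrictAnonymousSAM'),
    @($lsa, 'RestrictAnonymous'),
    @($lsa, 'DisableDomainCreds')
)
foreach ($d in $dwords) {
    $path, $value = $d
    $v = (Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value
    if ($v -ne 1) { $findings += "$value = '$v', expected 1 (Enabled)" }
}

# Security Options stored as string lists: the article empties all four.
$srv    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$lists  = @(
    @($srv, 'NullSessionShares'),
    @($srv, 'NullSessionPipes'),
    @("$winreg\AllowedExactPaths", 'Machine'),
    @("$winreg\AllowedPaths", 'Machine')
)
foreach ($l in $lists) {
    $path, $value = $l
    $items = @((Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value | Where-Object { $_ })
    if ($items.Count -gt 0) { $findings += "$path\$value lists: $($items -join ', ')" }
}
if ($findings.Count -eq 0) { 'No drift from the listed settings.' } else { $findings }
```

Run it again after applying the settings in services.msc and gpedit.msc; each remaining line of output names one setting that still differs from the list above.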