win2003 WEB服務器NTFS權限設置圖文方法

2024-09-01 13:45:36

字體：大中小

來源：轉載

供稿：網友

總得來說，前者比較難配置，參考了別人的一些配置和自己的一些實踐，找到一個本人覺得還相對滿意的做法，由于個人水平有限，希望高手指出我不足的地方，謝謝。由于最近忙著別的事，等忙完之后再把IIS配置的部分還有自己要整理的一些資料奉上~~到時候大家可以到論壇上去查看，不過本博客也是提供相關資料的下載的。
下面是我的做法：
首先，配置系統盤下（如：c盤）的權限（已經將IIS的默認文件夾刪除）
1．系統盤：選中系統盤，屬性，安全選項卡，刪掉除了administrators和system組的其他組或者用戶。
2．Program Files ：右鍵文件夾->選擇屬性->選擇“安全”選項卡->點擊“高級”選項->選中“允許父項…”和“用在此顯示…”->點擊“復制”->點擊確定，退出高級安全設置->把安全選項卡中除了administrators和system組之外的組或者用戶刪除

高級安全設置效果如下：

win2003 WEB服務器NTFS權限設置圖文方法

3．Program Files/Common File/users : 進入到program files下的common file文件夾下面，找到system添加users，默認的權限即可。所謂默認權限就是你添加這個用戶系統自動授予這個用戶對于操作文件夾或者文件的權限。（可能有人要問為什么要給這個文件夾設置users的權限？答：這個部分里面有一些dll文件是asp中createobject的時候需要的）
4．Documents and Settings：進入系統盤，選中Documents and Settings文件夾右鍵，刪除掉除了administrator、system、power users組之外的其他用戶或者組。進入到Documents and Settings文件夾里面，administrator這個文件夾的權限無需設置。ALL users文件夾，進入到高級選項選擇“用在此顯示的可以應用到子對象的目錄替代所有子對象的權限項目”，確定，到安全選項卡下面刪掉除了 administrator和system之外的其他用戶組和用戶，點擊確定。Default users文件夾，進入到高級選項選擇“用在此顯示的可以應用到子對象的目錄替代所有子對象的權限項目”，確定，到安全選項卡下面刪掉除了 administrator、system、power users之外的其他用戶組和用戶，點擊確定。
5．Windows : 右鍵文件夾->選擇屬性->選擇“安全”選項卡->刪除掉除了administrator和system之外的用戶->點擊確定。
6．Windows/temp : 右鍵文件夾->選擇屬性->選擇“安全”選項卡->添加users組->設置users組只具有讀取、寫入的權限。
7．其他根目錄下的文件夾：右鍵文件夾->選擇屬性->選擇“安全”選項卡->點擊“高級”選項->選中“允許父項…”和“用在此顯示…”->點擊“復制”->點擊確定，退出高級安全設置->把“安全”選項卡中除了administrators和system組之外的組或者用戶刪除
8．批處理：接下來的是一些特殊文件夾、文件的權限，一些服務的修改，危險組件的刪除。
批處理的部分最后附上下面的保存為*.bat或者直接從我提供的下載的地方下載即可。

復制代碼代碼如下:

@echo off
ECHO.
ECHO.
ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ECHo.
ECHo "windows2003NTFS加固腳本"
ECHo.
ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ECHO.
ECHO.
ECHO. -------------------------------------------------------------------------
ECHo 請按提示操作備份好注冊表,否則修改后無法還原,本人不負責.
ECHO.
ECHO YES=next set NO=exit (this time 30 Second default for n)
ECHO. -------------------------------------------------------------------------
CHOICE /T 30 /C yn /D n
if errorlevel 2 goto end
if errorlevel 1 goto next
:next
if EXIST backup (echo.)else md backup
if EXIST temp (rmdir /s/q temp|md temp) else md temp
if EXIST backup/backupkey.reg (move backup/backupkey.reg backup/backupkey_old.reg ) else goto run
:run
regedit /e temp/backup-reg1.key1 "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/"
regedit /e temp/backup-reg2.key2 "HKEY_CLASSES_ROOT/"
copy /b /y /v temp/backup-reg1.key1+temp/backup-reg2.key2 backup/backupkey.reg
if exist backup/wshom.ocx (echo 備份已存在) else copy /v/y %SystemRoot%/System32/wshom.ocx backup/wshom.ocx
if exist backup/shell32.dll (echo 備份已存在) else copy /v/y %SystemRoot%/system32/shell32.dll backup/shell32.dll
ECHO 備份已經完成
ECHO.
goto next2
:next2
ECHO.
ECHO. -------------------------------------------------------------------
ECHo 修改權限system32目錄中不安全的幾個exe文件,改為只有Administrators才有權限運行
ECHO YES=next set NO=this set ignore (this time 30 Second default for y)
ECHO. -------------------------------------------------------------------
CHOICE /T 30 /C yn /D y
if errorlevel 2 goto next3
if errorlevel 1 goto next21
:next21
echo y|cacls.exe %SystemRoot%/system32/net.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/net1.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/cmd.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/tftp.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/netstat.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/regedit.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/at.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/attrib.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/cacls.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/fortmat.com /g Administrators:F
echo y|cacls.exe %SystemDrive%/boot.ini /g Administrators:F
echo y|cacls.exe %SystemDrive%/AUTOEXEC.BAT /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/ftp.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/secedit.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/gpresult.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/gpupdate.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/logoff.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/shutdown.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/telnet.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/wscript.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/doskey.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/help.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/ipconfig.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/nbtstat.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/print.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/debug.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/regedt32.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/reg.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/register.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/replace.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/nwscript.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/share.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/ping.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/ipsec6.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/netsh.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/edit.com /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/route.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/tracert.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/powercfg.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/nslookup.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/arp.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/rsh.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/netdde.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/mshta.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/mountvol.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/setx.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/find.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/where.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/finger.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/regsvr32.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/sc.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/shadow.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/runas.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/PCHealth/HelpCtr/Binaries/msconfig.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/notepad.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/regedit.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/winhelp.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/winhlp32.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/edlin.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/posix.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/atsvc.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/qbasic.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/runonce.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/syskey.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/cscript.exe /g Administrators:F
echo y|cacls.exe %SystemRoot%/system32/sethc.exe /g Administrators:F

echo "C盤權限設定"
cacls "%SystemRoot%/Registration" /r "everyone" /e

echo "刪除C盤的windows目錄下的create owner的權限"
cd/

cacls "%SystemRoot%/repair" /r "create owner" /e
cacls "%SystemRoot%/system32" /r "create owner" /e
cacls "%SystemDrive%/system32/config" /r "create owner" /e
cacls "%SystemRoot%/system32/wbem" /r "create owner" /e

echo "刪除WINDOWS文件夾下面的power users的權限"

cacls "%SystemRoot%/repair" /r "Power Users" /e
cacls "%SystemRoot%/system32" /r "Power Users" /e
cacls "%SystemDrive%/system32/config" /r "Power Users" /e
cacls "%SystemRoot%/system32/wbem" /r "Power Users" /e

echo "刪除WINDOWS下users的訪問權限"

cacls "%SystemRoot%/addins" /r "users" /e
cacls "%SystemRoot%/AppPatch" /r "users" /e
cacls "%SystemRoot%/Connection Wizard" /r "users" /e
cacls "%SystemRoot%/Debug" /r "users" /e
cacls "%SystemRoot%/Driver Cache" /r "users" /e
cacls "%SystemRoot%/Help" /r "users" /e
cacls "%SystemRoot%/IIS Temporary Compressed Files" /r "users" /e
cacls "%SystemRoot%/java" /r "users" /e
cacls "%SystemRoot%/msagent" /r "users" /e
cacls "%SystemRoot%/mui" /r "users" /e
cacls "%SystemRoot%/repair" /r "users" /e
cacls "%SystemRoot%/Resources" /r "users" /e
cacls "%SystemRoot%/security" /r "users" /e
cacls "%SystemRoot%/system" /r "users" /e
cacls "%SystemRoot%/TAPI" /r "users" /e
cacls "%SystemRoot%/Temp" /r "users" /e
cacls "%SystemRoot%/twain_32" /r "users" /e
cacls "%SystemRoot%/Web" /r "users" /e
cacls "%SystemRoot%/system32/3com_dmi" /r "users" /e
cacls "%SystemRoot%/system32/administration" /r "users" /e
cacls "%SystemRoot%/system32/Cache" /r "users" /e
cacls "%SystemRoot%/system32/CatRoot2" /r "users" /e
cacls "%SystemRoot%/system32/Com" /r "users" /e
cacls "%SystemRoot%/system32/config" /r "users" /e
cacls "%SystemRoot%/system32/dhcp" /r "users" /e
cacls "%SystemRoot%/system32/drivers" /r "users" /e
cacls "%SystemRoot%/system32/export" /r "users" /e
cacls "%SystemRoot%/system32/icsxml" /r "users" /e
cacls "%SystemRoot%/system32/lls" /r "users" /e
cacls "%SystemRoot%/system32/LogFiles" /r "users" /e
cacls "%SystemRoot%/system32/MicrosoftPassport" /r "users" /e
cacls "%SystemRoot%/system32/mui" /r "users" /e
cacls "%SystemRoot%/system32/oobe" /r "users" /e
cacls "%SystemRoot%/system32/ShellExt" /r "users" /e
cacls "%SystemRoot%/system32/wbem" /r "users" /e

goto next3
:next3
ECHO.
ECHO.
ECHO. ------------------------------------------------------------------------
ECHo 禁止不必要的服務,如果要退出請按Ctrl+C
ECHO YES=next set NO=this set ignore (this time 30 Second default for y)
ECHO. ------------------------------------------------------------------------
CHOICE /T 30 /C yn /D y
if errorlevel 2 goto next4
if errorlevel 1 goto next31
:next31
echo Windows Registry Editor Version 5.00 >temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/lanmanworkstation] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Alerter] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Browser] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Dfs] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Scheduler] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/LmHosts] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TlntSvr] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/RemoteAccess] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NtmsSvc] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/RemoteRegistry] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TrkWks] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/ERSvc] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Messenger] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NetLogon] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NetLogon] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NetDDE] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NetDDEdsdm] >>temp/Services.reg
echo "Start"=dword:00000004 >>temp/Services.reg
regedit /s temp/Services.reg

ECHO.
goto next4
:next4
ECHO.
ECHO. -------------------------------------------------------------------------
ECHo 防止人侵和攻擊. 如果要退出請按Ctrl+C
ECHO YES=next set NO=this set ignore (this time 30 Second default for y)
ECHO. -------------------------------------------------------------------------
CHOICE /T 30 /C yn /D y
if errorlevel 2 goto next5
if errorlevel 1 goto next41

:next41
echo Windows Registry Editor Version 5.00 >temp/skyddos.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters] >>temp/skyddos.reg
echo "EnableDeadGWDetect"=dword:00000000 >>temp/skyddos.reg
echo "EnableICMPRedirects"=dword:00000000 >>temp/skyddos.reg
echo "PerformRouterDiscovery"=dword:00000000 >>temp/skyddos.reg
echo "NoNameReleaseOnDemand"=dword:00000001 >>temp/skyddos.reg
echo "KeepAliveTime"=dword:000493e0 >>temp/skyddos.reg
echo "EnablePMTUDiscovery"=dword:00000000 >>temp/skyddos.reg
echo "SynAttackProtect"=dword:00000002 >>temp/skyddos.reg
echo "TcpMaxHalfOpen"=dword:00000064 >>temp/skyddos.reg
echo "TcpMaxHalfOpenRetried"=dword:00000050 >>temp/skyddos.reg
echo "TcpMaxConnectResponseRetransmissions"=dword:00000001 >>temp/skyddos.reg
echo "TcpMaxDataRetransmissions"=dword:00000003 >>temp/skyddos.reg
echo "TCPMaxPortsExhausted"=dword:00000005 >>temp/skyddos.reg
echo "DisableIPSourceRouting"=dword:0000002 >>temp/skyddos.reg
echo "TcpTimedWaitDelay"=dword:0000001e >>temp/skyddos.reg
echo "EnableSecurityFilters"=dword:00000001 >>temp/skyddos.reg
echo "TcpNumConnections"=dword:000007d0 >>temp/skyddos.reg
echo "TcpMaxSendFree"=dword:000007d0 >>temp/skyddos.reg
echo "IGMPLevel"=dword:00000000 >>temp/skyddos.reg
echo "DefaultTTL"=dword:00000016 >>temp/skyddos.reg
echo 刪除IPC$(Internet Process Connection)是共享“命名管道”的資源
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa] >>temp/skyddos.reg
echo "restrictanonymous"=dword:00000001 >>temp/skyddos.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Interfaces/interfaces] >>temp/skyddos.reg
echo "PerformRouterDiscovery"=dword:00000000 >>temp/skyddos.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NetBT/Parameters] >>temp/skyddos.reg
echo "BacklogIncrement"=dword:00000003 >>temp/skyddos.reg
echo "MaxConnBackLog"=dword:000003e8 >>temp/skyddos.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Afd/Parameters] >>temp/skyddos.reg
echo "EnableDynamicBacklog"=dword:00000001 >>temp/skyddos.reg
echo "MinimumDynamicBacklog"=dword:00000014 >>temp/skyddos.reg
echo "MaximumDynamicBacklog"=dword:00002e20 >>temp/skyddos.reg
echo "DynamicBacklogGrowthDelta"=dword:0000000a >>temp/skyddos.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/lanmanserver/parameters] >>temp/skyddos.reg
echo "autoshareserver"=dword:00000000 >>temp/skyddos.reg
regedit /s temp/skyddos.reg
ECHO.
ECHO.
goto next5
:next5
ECHO.
ECHO. ------------------------------------------------------------------------
ECHo 防止ASP木馬運行卸除WScript.Shell, Shell.application, WScript.Network
ECHO YES=next set NO=this set ignore (this time 30 Second default for y)
ECHO. -----------------------------------------------------------------------
CHOICE /T 30 /C yn /D y
if errorlevel 2 goto next6
if errorlevel 1 goto next51
:next51
echo Windows Registry Editor Version 5.00 >temp/del.reg
echo [-HKEY_CLASSES_ROOT/Shell.Application] >>temp/del.reg
echo [-HKEY_CLASSES_ROOT/Shell.Application.1] >>temp/del.reg
echo [-HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540000}] >>temp/del.reg
echo [-HKEY_CLASSES_ROOT/ADODB.Command/CLSID] >>temp/del.reg
echo [-HKEY_CLASSES_ROOT/CLSID/{00000566-0000-0010-8000-00AA006D2EA4}] >>temp/del.reg
regedit /s temp/del.reg
regsvr32 /u %SystemRoot%/system32/wshom.ocx
del /f/q %SystemRoot%/System32/wshom.ocx
regsvr32 /u %SystemRoot%/system32/shell32.dll
del /f/q %SystemRoot%/System32/shell32.dll
rmdir /q/s temp

ECHO.
goto next6
:next6
ECHO.
ECHO.
ECHO. ---------------------------------------------------------------------
ECHo 設置已經完成重啟后才能生效.
ECHO YES=reboot server NO=exit (this time 60 Second default for y)
ECHO. ----------------------------------------------------------------------
CHOICE /T 30 /C yn /D y
if errorlevel 2 goto end
if errorlevel 1 goto reboot
:reboot
shutdown /r /t 0
:end
if EXIST temp (rmdir /s/q temp|exit) else exit