Web Server Security Settings from 西部數碼 (West Digital)

2024-09-01 13:45:45
Source: reposted
Contributed by: a site user
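1. Recommended security settings
(1) Check that the SP2 patch is installed! Set automatic updates to install patches every day at 3:00!
(2) Be careful when configuring the firewall and port restrictions, so that you do not lose remote administration access!
------ Right-click My Network Places > Properties > Advanced and turn on the win2003 firewall, configured to allow only ports 20, 21, 25, 80, 110, 1433, 3306, Remote Desktop 3389, 33000~33003 (FTP PASV) and similar.
------ It is recommended to go to Advanced > ICMP > allow incoming echo requests, so that ping works and debugging is easier!
------ Right-click My Network Places > Properties > TCP/IP > Advanced > Options > port restrictions, and allow only the common ports 20, 21, 25, 80, 110, 1433, 3306, Remote Desktop 3389 and 33000~33003.
------ The win2003 firewall is turned on, with only the needed ports opened. Installing another personal firewall or configuring security policies on the server is not recommended; if you really must, make absolutely sure the Remote Terminal Service is not cut off (that is, that not all inbound traffic to the server is blocked).
------ If you change the Remote Desktop port from 3389, be sure to add the new port in TCP/IP filtering under the TCP/IP properties and also in the firewall options; otherwise you will not be able to manage the server remotely after a reboot!
------ Do not change the server's IP address / subnet mask / gateway settings.
(3) If you install SQL Server, apply the SP4 patch immediately; otherwise the server is very likely to be infected by the SQL Server worm, which will interrupt the server's network communication.
(4) It is recommended to keep all important data on drive D: and only programs and system files on drive C:, to avoid data loss when the system is reinstalled later.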
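
A check to pair with item (2), added here as an example and not part of the original article or 西部數碼's script: it parses Windows `netstat -an` output and lists TCP listeners on ports outside the allow-list above, that is, services that only the firewall is keeping off the network. The sample output is constructed.

```python
import re

# Ports the article allows through the firewall (33000-33003 is the FTP PASV range).
ALLOWED = {20, 21, 25, 80, 110, 1433, 3306, 3389} | set(range(33000, 33004))

# Matches Windows `netstat -an` TCP lines in LISTENING state (IPv4 or [IPv6]).
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.I)

def unexpected_listeners(netstat_output, allowed=ALLOWED):
    """Return sorted (port, local_address) pairs listening outside `allowed`.

    Loopback-only listeners are skipped: the firewall rule concerns
    ports reachable from the network.
    """
    found = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if port not in allowed:
            found.add((port, addr))
    return sorted(found)

# Constructed sample of `netstat -an` output (not taken from a real server).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51512     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

if __name__ == "__main__":
    for port, addr in unexpected_listeners(SAMPLE):
        print(f"listening outside allow-list: {addr}:{port}")
```
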

2. Permission security
Here is a security script from 西部數碼, safe.cmd
west_server_safe.rar; unpack it yourself.
And here is a source-code version:


@echo off
REM Reset NTFS ACLs on drive roots, system directories and command-line tools.
REM cacls: /p replaces a user's rights, /g grants, /e edits the existing ACL, /t recurses.
echo y|cacls.exe C:\ /p Administrators:f system:f "network service":r
echo y|cacls.exe D:\ /p Administrators:f system:f servU:f "network service":r
echo y|cacls.exe E:\ /p Administrators:f system:f servU:f "network service":r
echo y|cacls.exe "C:\Program Files" /t /p Administrators:f system:f everyone:r
echo y|cacls.exe  "C:\Program Files\Common Files" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe c:\windows /p Administrators:f system:f
echo y|cacls.exe c:\windows\system32 /p Administrators:f system:f
echo y|cacls.exe C:\WINDOWS\system32\inetsrv /p Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Documents and Settings" /p Administrators:f system:f 
echo y|cacls.exe "C:\Documents and Settings\All Users" /t /p Administrator:f system:f everyone:r
echo y|cacls.exe c:\windows\temp /p everyone:f 
echo y|cacls.exe %systemroot%\system32\shell32.dll /p Administrators:f
echo y|cacls.exe %systemroot%\system32\wshom.ocx /p Administrators:f
echo y|cacls.exe c:\windows\system32\*.exe /p Administrators:f system:f
echo y|cacls.exe "c:\Documents and Settings\All Users" /e /g everyone:r
echo y|cacls.exe %systemroot%\system32\svchost.exe /e /g "network service":r
echo y|cacls.exe %systemroot%\system32\msdtc.exe /e /g "network service":r
echo y|cacls.exe %windir%\system32\mtxex.dll /e /g everyone:r
echo y|cacls.exe c:\windows\system32\cmd.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net1.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\sc.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\at.exe /p Administrator:f
echo y|cacls.exe %windir%\system32\dllhost.exe /e /g everyone:r
echo y|cacls.exe c:\windows\system32\netsh.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\cacls.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\cmdkey.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\ftp.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\tftp.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\reg.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\regedt32.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\regini.exe /p Administrator:f
echo y|cacls.exe %windir%\assembly /e /t /g "network service":r
echo y|cacls.exe %windir%\Microsoft.NET /e /t /g everyone:r
echo y|cacls.exe "%windir%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /g everyone:f
echo y|cacls.exe %windir%\system32\mscoree.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\ws03res.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\msxml*.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\urlmon.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\mlang.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\TAPI32.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\WININET.dll /e /g everyone:r
cacls c:\windows\assembly /e /t /p "network service":r
cacls c:\windows\Microsoft.NET /e /t /p "network service":r
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /p "network service":f
cacls C:\WINDOWS\system32\mscoree.dll /e /g everyone:r
cacls C:\WINDOWS\system32\ws03res.dll /e /g everyone:r
cacls c:\WINDOWS /e /g "network service":r
if exist c:\windows  cacls c:\windows /e /g "network service":r
cacls c:\windows\Microsoft.NET /e /t /p "network service":r
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /p "network service":f
cacls "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" /e /t /p "network service":f
cacls c:\windows\system32 /e /g "network service":r
cacls c:\windows\system32\rasapi32.dll /e /g "network service":r
echo y|cacls.exe C:\WINDOWS\system32\inetsrv\adsiis.dll /p Administrators:f autosystem:f
echo y|cacls.exe C:\WINDOWS\system32\inetsrv\iisadmpwd /p Administrators:f autosystem:f
echo y|cacls.exe C:\WINDOWS\system32\inetsrv\MetaBack /p Administrators:f autosystem:f
cacls "C:\Program Files\Serv-U" /e /g "servu":f
cacls d:\wwwroot /e /g servU:f
cacls c:\windows /e /g everyone:R

REM Stop and disable the Computer Browser and Server services, then remove the default shares.
net stop Browser
sc config Browser start= disabled
net stop lanmanserver
sc config lanmanserver start= disabled
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share admin$ /delete
net share ipc$ /delete
REM Keep the administrative shares from being recreated at boot.
echo  .. delshare.reg .......
echo Windows Registry Editor Version 5.00> c:\delshare.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> c:\delshare.reg
echo "AutoShareWks"=dword:00000000>> c:\delshare.reg
echo "AutoShareServer"=dword:00000000>> c:\delshare.reg
echo  .. delshare.reg .....
regedit /s c:\delshare.reg
echo  .. delshare.reg ....
del c:\delshare.reg
echo .
echo ........
echo .
echo =========================================================
echo .
echo .....................dos....
echo .
echo .........
REM TCP/IP stack parameters (dword values in a .reg file are hexadecimal).
echo Windows Registry Editor Version 5.00> c:\dosforwin.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>> c:\dosforwin.reg
echo "EnableICMPRedirect"=dword:00000000>> c:\dosforwin.reg
echo "DeadGWDetectDefault"=dword:00000001>> c:\dosforwin.reg
echo "DontAddDefaultGatewayDefault"=dword:00000000>> c:\dosforwin.reg
echo "EnableSecurityFilters"=dword:00000000>> c:\dosforwin.reg
echo "AllowUnqualifiedQuery"=dword:00000000>> c:\dosforwin.reg
echo "PrioritizeRecordData"=dword:00000001>> c:\dosforwin.reg
echo "ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\>> c:\dosforwin.reg
echo 00,00,00,00>> c:\dosforwin.reg
echo "SynAttackProtect"=dword:00000002>> c:\dosforwin.reg
echo "EnablePMTUDiscovery"=dword:00000000>> c:\dosforwin.reg
echo "NoNameReleaseOnDemand"=dword:00000001>> c:\dosforwin.reg
echo "EnableDeadGWDetect"=dword:00000000>> c:\dosforwin.reg
echo "KeepAliveTime"=dword:00300000>> c:\dosforwin.reg
echo "PerformRouterDiscovery"=dword:00000000>> c:\dosforwin.reg
echo "EnableICMPRedirects"=dword:00000000>> c:\dosforwin.reg
echo .
echo ==========================================================
echo .. dosforwin.reg .....
regedit /s c:\dosforwin.reg
echo  .. dosforwin.reg ....
del c:\dosforwin.reg
echo ==============================================================
echo .
echo ===============================================================
echo ..Remote Registry Service...........
echo .........
echo .
REM In the sections below, "Start"=4 sets the service to Disabled.
echo Windows Registry Editor Version 5.00> c:\regedit.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]>> c:\regedit.reg
echo "Start"=dword:00000004>> c:\regedit.reg
echo .
echo .. regedit.reg .....
regedit /s c:\regedit.reg
echo .
echo ......
del c:\regedit.reg
echo ===============================================================
echo ..Messenger.......
echo .........
echo Windows Registry Editor Version 5.00> c:\message.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]>> c:\message.reg
echo "Start"=dword:00000004>> c:\message.reg
echo .
echo .. message.reg .....
regedit /s c:\message.reg
echo .
echo .. message.reg
del c:\message.reg
echo ===============================================================

echo ===============================================================
echo ..lanmanserver.......
echo .........
echo Windows Registry Editor Version 5.00> c:\lanmanserver.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]>> c:\lanmanserver.reg
echo "Start"=dword:00000004>> c:\lanmanserver.reg
echo .
echo .. lanmanserver.reg .....
regedit /s c:\lanmanserver.reg
echo .
echo .. lanmanserver.reg
del c:\lanmanserver.reg

echo ==============================================================
echo ...TCP/IP NetBIOS Helper Service
echo .........
echo Windows Registry Editor Version 5.00> c:\netbios.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]>> c:\netbios.reg
echo "Start"=dword:00000004>> c:\netbios.reg
echo .
echo .. netbios.reg .....
regedit /s c:\netbios.reg
echo .
echo .. netbios.reg
del c:\netbios.reg
regedit /s forddos.reg


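The script does not include the directory permissions for Serv-U. It is a single line, posted separately here:

cacls "C:\Program Files\Serv-U" /t /P administrators:f servu:r

There is also a script that reverses these changes; it is already packed into the archive above.
Note that you must change all the directory paths in it to match your own.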

3. Script mappings
Deleting unused script mappings makes your server more secure. Here is a set collected from 西部數碼's settings.
The simplest way to change them is in the file C:\WINDOWS\system32\inetsrv\MetaBase.xml; open it yourself to see the details.
SHTML script mappings

.shtm,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
.shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
.stm,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST


ASP script mappings

.asp,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.asa,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE


PHP CGI script mappings

.php,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACE
.php3,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACE


PHP ISAPI script mappings

.php,D:\wwwsoft\PHP\php5isapi.dll,5,GET,HEAD,POST,TRACE
.php3,D:\wwwsoft\PHP\php5isapi.dll,5,GET,HEAD,POST,TRACE


ASP.NET v2.0 script mappings
ASP.NET 2.0 is compatible with v1.0, so the 2.0 settings are generally enough.

.asax,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ascx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ashx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.asmx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.axd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.vsdisco,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.rem,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.soap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.config,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.cs,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.csproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vbproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.webinfo,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.licx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.resx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.resources,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.xoml,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.rules,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.master,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.skin,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.compiled,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.browser,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.mdb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.jsl,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vjsproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sitemap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.msgx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.ad,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.dd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.cd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.adprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.lddprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
;.sdm,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sdmDocument,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.svc,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.mdf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.java,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.exclude,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.refresh,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG

Puzzling: why is there a java mapping above?
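
An added example, not from the original article or 西部數碼: it parses entries in the `extension,handler,flags,verbs` form listed above and sorts them into keep and remove lists. The two extension sets are assumptions for a hypothetical site that only runs `.aspx` pages; mappings such as `.config`, `.mdb` and `.java` are kept because ASP.NET 2.0's default configuration routes those extensions to a handler that refuses to serve them, so deleting them hands the files back to IIS's static-file handling.

```python
FLAG_CHECK_EXISTS = 4  # ScriptMaps flag bit: verify the file exists before calling the handler

def parse_script_map(line):
    """Split 'ext,handler,flags[,verb...]' into a dict; ValueError if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 3 or not parts[0].startswith(".") or not parts[2].isdigit():
        raise ValueError("malformed ScriptMaps entry: " + line.strip())
    return {"ext": parts[0].lower(), "handler": parts[1],
            "flags": int(parts[2]), "verbs": [v.upper() for v in parts[3:]]}

def audit(lines, run_exts, protect_exts):
    """Sort entries into keep/remove lists; notes collect anything to review by hand."""
    keep, remove, notes = [], [], []
    for line in filter(str.strip, lines):
        try:
            e = parse_script_map(line)
        except ValueError as exc:
            notes.append(str(exc))
            continue
        if e["ext"] in run_exts:
            keep.append(e["ext"])
            if not e["flags"] & FLAG_CHECK_EXISTS:
                notes.append(e["ext"] + ": file-exists check off (flags=%d)" % e["flags"])
        elif e["ext"] in protect_exts and "aspnet_isapi.dll" in e["handler"].lower():
            keep.append(e["ext"])   # mapping exists so the handler can refuse the download
        else:
            remove.append(e["ext"])
    return keep, remove, notes

# Entries taken from the lists above; the two sets are assumptions for a
# hypothetical site that only runs ASP.NET pages.
SAMPLE = r"""
.shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
.asp,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.php,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACE
.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.config,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.mdb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.java,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
;.sdm,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
""".splitlines()
RUN_EXTS = {".aspx"}
PROTECT_EXTS = {".config", ".cs", ".vb", ".mdb", ".java"}

if __name__ == "__main__":
    keep, remove, notes = audit(SAMPLE, RUN_EXTS, PROTECT_EXTS)
    print("keep:", keep, "\nremove:", remove, "\nnotes:", notes)
```

Entries that do not parse, such as the `;.sdm` line, land in the notes list for manual review instead of being silently dropped.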