西部数码服务器文件,来自西部数码的WEB服务器安全设置

  • Post author:
  • Post category:其他


1、安全设置建议

(1)检查SP2补丁是否已经安装!改为每天3:00自动更新打补丁!

(2)进行防火墙和端口限制功能设置时,请务必小心操作,以免失去远程管理权限!

——在网上邻居点右键 >属性》高级,打开win2003的防火墙功能,设置为只允许20,21,25,80,110,1433,3306,远程桌面3389,33000~33003(FTP PASV)等端口。

——建议在高级里面>icmp>允许回显,这样允许ping,方便调试!

——在网上邻居点右键 >属性>Tcp/ip>高级>选项>端口限制 ,只允许20,21,25,80,110,1433,3306,远程桌面3389,33000~33003等常用端口

——打开win2003的防火墙,并且只打开了需要的端口。不推荐在服务器上安装其他个人防火墙或设置安全策略,如果确实需要安装或设置,请千万确保不将远程终端服务关闭(即封锁所有进入服务器的通信)。

——如果要更改远程桌面的端口3389,请务必在tcp/ip属性里的tcp/ip筛选里添加对应的端口,并在防火墙选项中添加对应的端口,否则重启后将不能远程管理服务器!

——不可更改服务器的IP/子网掩码/网关设置。

(3)若您安装SQLSERVER服务器,必须马上打SP4补丁,否则极易中SQLSERVER蠕虫病毒并导致服务器通信中断。

(4)重要的数据建议都放在D盘,C盘只放置程序和系统文件,以防止在日后重装系统的时候造成数据丢失。

2、权限安全

这里放上西部数码的一个安全脚本safe.cmd

west_server_safe.rar,自己解压缩下吧。

再放一份源码版的

@echo off

echo y|cacls.exe C:\ /p Administrators:f system:f “network service”:r

echo y|cacls.exe D:\ /p Administrators:f system:f servU:f “network service”:r

echo y|cacls.exe E:\ /p Administrators:f system:f servU:f “network service”:r

echo y|cacls.exe “C:\Program Files” /t /p Administrators:f system:f everyone:r

echo y|cacls.exe  “C:\Program Files\Common Files” /t /g Administrators:f system:f everyone:r

echo y|cacls.exe c:\windows /p Administrators:f system:f

echo y|cacls.exe c:\windows\system32 /p Administrators:f system:f

echo y|cacls.exe C:\WINDOWS\system32\inetsrv /p Administrators:f system:f everyone:r

echo y|cacls.exe “C:\Documents and Settings” /p Administrators:f system:f

echo y|cacls.exe “C:\Documents and Settings\All Users” /t /p Administrator:f system:f everyone:r

echo y|cacls.exe c:\windows\temp /p everyone:f

echo y|cacls.exe %systemroot%\system32\shell32.dll /p Administrators:f

echo y|cacls.exe %systemroot%\system32\wshom.ocx /p Administrators:f

echo y|cacls.exe c:\windows\system32\*.exe /p Administrators:f system:f

echo y|cacls.exe “c:\Documents and Settings\All Users” /e /g everyone:r

echo y|cacls.exe %systemroot%\system32\svchost.exe /e /g “network service”:r

echo y|cacls.exe %systemroot%\system32\msdtc.exe /e /g “network service”:r

echo y|cacls.exe %windir%\system32\mtxex.dll /e /g everyone:r

echo y|cacls.exe c:\windows\system32\cmd.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\net1.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\sc.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\at.exe /p Administrator:f

echo y|cacls.exe %windir%\system32\dllhost.exe /e /g everyone:r

echo y|cacls.exe c:\windows\system32\netsh.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\cacls.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\cmdkey.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\ftp.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\tftp.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\reg.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\regedt32.exe /p Administrator:f

echo y|cacls.exe c:\windows\system32\regini.exe /p Administrator:f

echo y|cacls.exe %windir%\assembly /e /t /g “network service”:r

echo y|cacls.exe %windir%\Microsoft.NET /e /t /g everyone:r

echo y|cacls.exe “%windir%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files” /e /t /g everyone:f

echo y|cacls.exe %windir%\system32\mscoree.dll /e /g everyone:r

echo y|cacls.exe %windir%\system32\ws03res.dll /e /g everyone:r

echo y|cacls.exe %windir%\system32\msxml*.dll /e /g everyone:r

echo y|cacls.exe C:\WINDOWS\system32\urlmon.dll /e /g everyone:r

echo y|cacls.exe C:\WINDOWS\system32\mlang.dll /e /g everyone:r

echo y|cacls.exe C:\WINDOWS\system32\TAPI32.dll /e /g everyone:r

echo y|cacls.exe C:\WINDOWS\system32\WININET.dll /e /g everyone:r

cacls c:\windows\assembly /e /t /p “network service”:r

cacls c:\windows\Microsoft.NET /e /t /p “network service”:r

cacls “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files” /e /t /p “network service”:f

cacls C:\WINDOWS\system32\mscoree.dll /e /g everyone:r

cacls C:\WINDOWS\system32\ws03res.dll /e /g everyone:r

cacls c:\WINDOWS /e /g “network service”:r

if exist c:\windows  cacls c:\windows /e /g “network service”:r

cacls c:\windows\Microsoft.NET /e /t /p “network service”:r

cacls “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files” /e /t /p “network service”:f

cacls “C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files” /e /t /p “network service”:f

cacls c:\windows\system32 /e /g “network service”:r

cacls c:\windows\system32\rasapi32.dll /e /g “network service”:r

echo y|cacls.exe C:\WINDOWS\system32\inetsrv\adsiis.dll /p Administrators:f autosystem:f

echo y|cacls.exe C:\WINDOWS\system32\inetsrv\iisadmpwd /p Administrators:f autosystem:f

echo y|cacls.exe C:\WINDOWS\system32\inetsrv\MetaBack /p Administrators:f autosystem:f

cacls C”:\Program Files\Serv-U” /e /g “servu”:f

cacls d:\wwwroot /e /g servU:f

cacls c:\windows /e /g everyone:R

net stop Browser

sc config Browser start= disabled

net stop lanmanserver

sc config lanmanserver start= disabled

net share c$ /delete

net share d$ /delete

net share e$ /delete

net share f$ /delete

net share admin$ /delete

net share ipc$ /delete

echo  .. delshare.reg …….

echo Windows Registry Editor Version 5.00> c:\delshare.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> c:\delshare.reg

echo “AutoShareWks”=dword:00000000>> c:\delshare.reg

echo “AutoShareServer”=dword:00000000>> c:\delshare.reg

echo  .. delshare.reg …..

regedit /s c:\delshare.reg

echo  .. delshare.reg ….

del c:\delshare.reg

echo .

echo ……..

echo .

echo =========================================================

echo .

echo …………………dos….

echo .

echo ………

echo Windows Registry Editor Version 5.00> c:\dosforwin.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>> c:\dosforwin.reg

echo “EnableICMPRedirect”=dword:00000000>> c:\dosforwin.reg

echo “DeadGWDetectDefault”=dword:00000001>> c:\dosforwin.reg

echo “DontAddDefaultGatewayDefault”=dword:00000000>> c:\dosforwin.reg

echo “EnableSecurityFilters”=dword:00000000”>> c:\dosforwin.reg

echo “AllowUnqualifiedQuery”=dword:00000000>> c:\dosforwin.reg

echo “PrioritizeRecordData”=dword:00000001>> c:\dosforwin.reg

echo “ReservedPorts”=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\>> c:\dosforwin.reg

echo 00,00,00,00>> c:\dosforwin.reg

echo “SynAttackProtect”=dword:00000002>> c:\dosforwin.reg

echo “EnablePMTUDiscovery”=dword:00000000>> c:\dosforwin.reg

echo “NoNameReleaseOnDemand”=dword:00000001>> c:\dosforwin.reg

echo “EnableDeadGWDetect”=dword:00000000>> c:\dosforwin.reg

echo “KeepAliveTime”=dword:00300000>> c:\dosforwin.reg

echo “PerformRouterDiscovery”=dword:00000000>> c:\dosforwin.reg

echo “EnableICMPRedirects”=dword:00000000>> c:\dosforwin.reg

echo .

echo ==========================================================

echo .. dosforwin.reg …..

regedit /s c:\dosforwin.reg

echo  .. dosforwin.reg ….

del c:\dosforwin.reg

echo ==============================================================

echo .

echo ===============================================================

echo ..Remote Registry Service………..

echo ………

echo .

echo Windows Registry Editor Version 5.00> c:\regedit.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]>> c:\regedit.reg

echo “Start”=dword:00000004>> c:\regedit.reg

echo .

echo .. regedit.reg …..

regedit /s c:\regedit.reg

echo .

echo ……

del c:\regedit.reg

echo ===============================================================

echo ..Messenger…….

echo ………

echo Windows Registry Editor Version 5.00> c:\message.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]>> c:\message.reg

echo “Start”=dword:00000004>> c:\message.reg

echo .

echo .. message.reg …..

regedit /s c:\message.reg

echo .

echo .. message.reg

del c:\message.reg

echo ===============================================================

echo ===============================================================

echo ..lanmanserver…….

echo ………

echo Windows Registry Editor Version 5.00> c:\lanmanserver.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]>> c:\lanmanserver.reg

echo “Start”=dword:00000004>> c:\lanmanserver.reg

echo .

echo .. lanmanserver.reg …..

regedit /s c:\lanmanserver.reg

echo .

echo .. lanmanserver.reg

del c:\lanmanserver.reg

echo ==============================================================

echo …TCP/IP NetBIOS Helper Service

echo ………

echo Windows Registry Editor Version 5.00> c:\netbios.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]>> c:\netbios.reg

echo “Start”=dword:00000004>> c:\netbios.reg

echo .

echo .. netbios.reg …..

regedit /s c:\netbios.reg

echo .

echo .. netbios.reg

del c:\netbios.reg

regedit /s forddos.reg

脚本上未带Serv-u的目录安全权限,就一条。单独发这里了

cacls “C:\Program Files\Serv-U” /t /P administrators:f servu:r还有一个反操作的,已经打包到上面的文件里面了。注意哦,里面的目录路径自己都要改成自己的哦。3、脚本映射删除无用的脚本映射,让你的服务器会更安全。这里根据西部数码的收集了一份最简单的修改方法是在这个文件C:\WINDOWS\system32\inetsrv\MetaBase.xml,具体自己打开看了。SHTML脚本映射

.shtm,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST.shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST.stm,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POSTASP脚本映射

.asp,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE.asa,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACEPHP CGI脚本映射

.php,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACE.php3,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACEPHP ISAPI脚本映射

.php,D:\wwwsoft\PHP\php5isapi.dll,5,GET,HEAD,POST,TRACE.php3,D:\wwwsoft\PHP\php5isapi.dll,5,GET,HEAD,POST,TRACEASP.NET v2.0脚本映射ASP.net2.0兼容v1.0,所以一般使用2.0的设置就可以了

.asax,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.ascx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.ashx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.asmx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.axd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.vsdisco,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.rem,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.soap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.config,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.cs,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.csproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.vb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.vbproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.webinfo,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.licx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.resx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.resources,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.xoml,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.rules,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.master,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.skin,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.compiled,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.browser,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.mdb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.jsl,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.vjsproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.sitemap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.msgx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.ad,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.dd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.ldd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.sd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.cd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.adprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.lddprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG;.sdm,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.sdmDocument,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.ldb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.svc,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG.mdf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.ldf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.java,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.exclude,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG.refresh,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG不解,上面怎么有java的映射呢?