Chapter 2: Hardening Windows Server 2003

Microsoft created an initiative called Trustworthy Computing, dedicated to helping to build computing systems that are as reliable, secure, and trustworthy as the infrastructure utilities that we all depend on for daily living. This is a long-term goal; in the shorter term, Microsoft’s approach to improving the security of its products is based on four pillars, as defined by Microsoft:

Secure by design: Security, privacy, and protection are taken into consideration during the design stage.

Secure by default: Security, privacy, reliability and configuration settings are optimized in every product.

Secure in deployment: Setup and product deployments are defaulted to secure mode. Guidelines, whitepapers and other resources are available to assist customers.

Communication: Constantly listening and communicating internally with employees and externally with customers.

In short, Microsoft has launched a long-term goal called Trustworthy Computing to help build reliable, secure and trustworthy computing systems. In the short term, Microsoft's products will rely on efforts in the following four areas to reach the goal of improved security:

  • Security through design
  • Security through the system's default settings
  • Security through the system's deployment
  • Regular communication with the company's own staff and with customers, listening to their opinions

**This feels a bit like learning from FreeBSD: by default the system opens no services at all, and anything you want to use has to be switched on by the administrator by hand. So apart from the system's stability, the default security settings also guarantee FreeBSD's security to a certain degree.


The context of discussion will be based on securing IIS 6.0 as an Internet Web server. On the subject of getting secure, we will look at the following:

■ Networking environment

■ Patches and updates

■ Windows services

■ User accounts and groups

■ File system

■ Auditing and logging

Regarding the security of Server 2003 and IIS 6.0, the book covers the following areas:

Networking environment, patches and updates, Windows services, user accounts and groups, file system, auditing and logging


■ Networking environment

You should specifically pay attention to the following areas:

■ Router

■ Firewall

■ Intrusion Detection System

Before the 2003 system has been fully configured, it is recommended to first block all access to this server and check the following items:

Router, firewall, IDS

The ACL can be configured to block or filter any unwanted traffic to your internal hosts. It is recommended that you configure the ACL to block access to your new Windows Server 2003 machine before it is configured and protected. You

On the router side, an ACL (Access Control List) can be used to restrict some of the access to the server; the book uses Cisco as its example.

The main responsibility of a firewall is to block access in a more complex manner than that provided by ACLs.

The main responsibility of a firewall is to provide a more sophisticated way of blocking access than an ACL. Setting up a firewall is strongly recommended to provide a deeper layer of protection and filtering of malicious code.

Intrusion detection not only monitors incoming requests traveling through the network, but it also provides internal network monitoring. It will detect possible attack patterns and identify the source of the attack.

An IDS (Intrusion Detection System) can (**to a certain degree) detect possible signs of intrusion and identify the source of the attack. An IDS not only monitors requests arriving over the network, it can also monitor the internal network.


The following is a list of best security practices when securing your network:

■ Filter traffic based on protocols and ports. For example, if you are only supporting web browsing on your IIS server, it is recommended that you only allow HTTP and HTTPS protocol traffic.

■ Disable Internet Control Message Protocol (ICMP) requests. By disabling ICMP, attackers will not be able to ping your server, thus minimizing the risk of a ping flood attack.

■ Disable NetBIOS over TCP/IP. Disabling NetBIOS over TCP/IP prevents NetBIOS services from using TCP Port 139, thus stopping all NetBIOS sessions.

■ Enable logging and audit log files on a routine basis.

■ Update and patch devices accordingly.

■ Limit physical and remote access to networking equipment.

This list gives the best practices when hardening the networking environment:

  • Filter based on protocols and ports. If the server only provides the IIS web service, it is best to allow only the HTTP and HTTPS protocols through.
  • Disable ICMP requests. That way the server will not answer an attacker's pings, minimizing the possibility of a ping flood attack.
  • Disable NetBIOS over TCP/IP, i.e. stop port 139 and NetBIOS sessions.
  • Enable routine logging and audit records
  • Apply the corresponding updates and patches
  • Restrict physical and remote access to networking equipment
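The "enable logging and audit" item can be used to verify the other items. As an added example (not from the book or from this blog), the script below reads a log in the layout of Windows Firewall's pfirewall.log, taking the column names from the file's own #Fields header, and reports inbound connections opened on ports other than 80/443 plus dropped ICMP and NetBIOS (TCP 139) attempts. The log lines are constructed for the example.

```python
from collections import Counter

# Inbound TCP ports the web-only IIS policy allows (HTTP and HTTPS).
ALLOWED_TCP_PORTS = {80, 443}
NETBIOS_PORT = "139"

# Constructed sample in the pfirewall.log layout; not taken from a real server.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-06 06:08:01 OPEN TCP 192.0.2.10 203.0.113.5 4312 80 - - - - - - - - RECEIVE
2004-09-06 06:08:02 DROP TCP 192.0.2.10 203.0.113.5 4313 139 48 S 123456 0 65535 - - - RECEIVE
2004-09-06 06:08:03 DROP ICMP 192.0.2.11 203.0.113.5 - - 60 - - - - 8 0 - RECEIVE
2004-09-06 06:08:04 OPEN TCP 192.0.2.12 203.0.113.5 4314 3389 - - - - - - - - RECEIVE
2004-09-06 06:08:05 OPEN TCP 203.0.113.5 198.51.100.7 1025 80 - - - - - - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per record; the #Fields header defines the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def audit(text):
    """Return (violations, dropped): inbound TCP connections opened outside the
    allowed ports, and counts of dropped inbound ICMP and NetBIOS attempts."""
    violations = []
    dropped = Counter()
    for rec in parse_firewall_log(text):
        if rec.get("path") != "RECEIVE":
            continue  # only inbound traffic is governed by the policy above
        if rec["action"] == "OPEN" and rec["protocol"] == "TCP":
            if rec["dst-port"].isdigit() and int(rec["dst-port"]) not in ALLOWED_TCP_PORTS:
                violations.append((rec["src-ip"], int(rec["dst-port"])))
        elif rec["action"] == "DROP":
            if rec["protocol"] == "ICMP":
                dropped["icmp"] += 1
            elif rec["protocol"] == "TCP" and rec["dst-port"] == NETBIOS_PORT:
                dropped["netbios"] += 1
    return violations, dict(dropped)


if __name__ == "__main__":
    bad, blocked = audit(SAMPLE_LOG)
    print("policy violations (src, port):", bad)
    print("dropped attempts:", blocked)
```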

■ Patches and updates

The first step in patching your operating system is to determine which patches and fixes are needed for your server (you must therefore be aware of which components and services are running on your operating system). For example, if you are not running Microsoft SQL Server, there is no need to deploy any updates or service packs related to that product.

After determining your system’s needs, download the patches from a trusted source, typically from Microsoft’s website.

It is recommended that you always test patches and updates on a test machine before you deploy them on live production machines, as they may themselves contain flaws that could adversely affect your applications and other components.

The first step is to determine which patches and fixes your server needs (you must know which components and services are running on your operating system);

After determining what the server needs, download the patches from a trusted site, mainly Microsoft's site;

Before applying patches on a production server, it is recommended to try them on a test machine first, because a patch may affect your programs or other components.


......to be continued

Posted on 2004-09-06 06:08 on Jason's WMI SQL Related Blog