■ Windows Services
It is recommended that you disable all unnecessary services running in the operating system to make it a more secure server. For example, if you do not need a configured local or shared printer in the server, you should disable the Print Spooler service.
建议停止服务器上所有不必要的服务。如果没有在服务器上配置本地或远程打印机,就应该停止掉 Print Spooler服务。
The following is a list of best security practices when configuring Windows services:
下列内容是并于配置Windows服务的最佳措施:
■ Do not install unneeded components and services.
■ Disable unnecessary Windows services.
■ Do not install additional third-party applications if they are not needed.(非必要时不安装第三方工具)
■ User Accounts and Groups
It is recommended that you implement a strong password policy to avoid any weak passwords being disclosed under brute force or dictionary attacks.
建议使用强密码策略来某些弱口令被暴力破解或字典攻击。
One of the first tasks you will perform after you set up the operating system is to rename the administrator account.
It is recommended that you assign a strong password to the original administrator account and audit logon events for the shell administrator account; auditing logon events allows you to track suspicious attempts to log on using the fake administrator account.
系统安全完成后的第一个任务就是将Administrator账号重命名;
建议对最初的Administrator账号设置一个强口令,并对所有的管理员账号都进行审计;对于登录事件的审计可以用来对一些通过无效的Administrator账号进行登录的尝试进行追踪。
The following is a list of best security practices for user accounts and groups.
■ Remove unused accounts.
■ Disable temporary accounts when an account has to be deactivated
for a while.
■ Disable guest accounts.
■ Rename the Administrator account.
■ Enforce strong password policies.
■ Implement account lockouts.
■ Log on to the system with fewer privileges.
■ Disable null session logons.
下列内容是对用户 账号和组进行管理的最佳配置:
删除不使用的账号;
当一个账号长时间不用时停用之;
停用Guest账号;
将Administrator用户更名;
执行强密码策略;
应用账号锁定;
尽可能的使用较低权限的用户登录;
禁止空会话登录。
■ File System
The following is a list of best file system security practices:
■ Use NTFS format for disk partitions; this will enable you to configure file-level security.
■ Group related files into one folder and configure strong NTFS permissions.
■ Restrict the Everyone group’s access and configure specific users or user groups to control resource access.
■ Always grant minimum permissions. Do not grant full control to any non-system user; always grant minimum permissions to users and user groups. Grant permissions on an as-needed basis.
■ Deny write access permission for IIS anonymous users; this will prevent anonymous user from uploading malicious scripts. If write permission is required, grant it at the minimum file or folder level.
■ Restrict access to system command line tools. By default, in IIS 6.0, anonymous users do not have access to system command line tools such as cmd.exe. If you are customizing your own anonymous users, ensure that they do not have access to such tools.You can apply this restriction by applying the deny read access for the user accounts.
■ Do not install any sample files on a production machine.
■ Remove unnecessary network shares.
■ Deploy an antivirus solution.
■ Auditing and Logging
The following is a list of best security practices when configuring auditing and logging.
■ Enable auditing for failed logon attempts.
■ Enable IIS site activity logging.
■ Relocate the default IIS log file and secure it with proper NTFS permissions.
■ Backup and archive old log files.
■ Enable auditing for failed access to important system files.
■ Audit log files on a routine basis.
