来自西部数码的WEB服务器安全设置

2024-09-01 13:45:45

字体：大中小

来源：转载

供稿：网友

1、安全设置建议
(1)检查SP2补丁是否已经安装！改为每天3:00自动更新打补丁！
(2)进行防火墙和端口限制功能设置时，请务必小心操作，以免失去远程管理权限！
------在网上邻居点右键 >属性》高级，打开win2003的防火墙功能，设置为只允许20,21,25,80,110,1433,3306,远程桌面3389,33000~33003(FTP PASV)等端口。
------建议在高级里面>icmp>允许回显，这样允许ping，方便调试！
------在网上邻居点右键 >属性>Tcp/ip>高级>选项>端口限制 ,只允许20,21,25,80,110,1433,3306,远程桌面3389,33000~33003等常用端口
------打开win2003的防火墙，并且只打开了需要的端口。不推荐在服务器上安装其他个人防火墙或设置安全策略，如果确实需要安装或设置，请千万确保不将远程终端服务关闭（即封锁所有进入服务器的通信）。
------如果要更改远程桌面的端口3389，请务必在tcp/ip属性里的tcp/ip筛选里添加对应的端口，并在防火墙选项中添加对应的端口，否则重启后将不能远程管理服务器！
------不可更改服务器的IP/子网掩码/网关设置。
(3)若您安装SQLSERVER服务器，必须马上打SP4补丁，否则极易中SQLSERVER蠕虫病毒并导致服务器通信中断。
(4)重要的数据建议都放在D盘，C盘只放置程序和系统文件，以防止在日后重装系统的时候造成数据丢失。

2、权限安全
这里放上西部数码的一个安全脚本safe.cmd
west_server_safe.rar，自己解压缩下吧。
再放一份源码版的

复制代码代码如下:

@echo off
echo y|cacls.exe C:/ /p Administrators:f system:f "network service":r
echo y|cacls.exe D:/ /p Administrators:f system:f servU:f "network service":r
echo y|cacls.exe E:/ /p Administrators:f system:f servU:f "network service":r
echo y|cacls.exe "C:/Program Files" /t /p Administrators:f system:f everyone:r
echo y|cacls.exe  "C:/Program Files/Common Files" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe c:/windows /p Administrators:f system:f
echo y|cacls.exe c:/windows/system32 /p Administrators:f system:f
echo y|cacls.exe C:/WINDOWS/system32/inetsrv /p Administrators:f system:f everyone:r
echo y|cacls.exe "C:/Documents and Settings" /p Administrators:f system:f
echo y|cacls.exe "C:/Documents and Settings/All Users" /t /p Administrator:f system:f everyone:r
echo y|cacls.exe c:/windows/temp /p everyone:f
echo y|cacls.exe %systemroot%/system32/shell32.dll /p Administrators:f
echo y|cacls.exe %systemroot%/system32/wshom.ocx /p Administrators:f
echo y|cacls.exe c:/windows/system32/*.exe /p Administrators:f system:f
echo y|cacls.exe "c:/Documents and Settings/All Users" /e /g everyone:r
echo y|cacls.exe %systemroot%/system32/svchost.exe /e /g "network service":r
echo y|cacls.exe %systemroot%/system32/msdtc.exe /e /g "network service":r
echo y|cacls.exe %windir%/system32/mtxex.dll /e /g everyone:r
echo y|cacls.exe c:/windows/system32/cmd.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/net.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/net1.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/sc.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/at.exe /p Administrator:f
echo y|cacls.exe %windir%/system32/dllhost.exe /e /g everyone:r
echo y|cacls.exe c:/windows/system32/netsh.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/net.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/cacls.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/cmdkey.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/ftp.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/tftp.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/reg.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/regedt32.exe /p Administrator:f
echo y|cacls.exe c:/windows/system32/regini.exe /p Administrator:f
echo y|cacls.exe %windir%/assembly /e /t /g "network service":r
echo y|cacls.exe %windir%/Microsoft.NET /e /t /g everyone:r
echo y|cacls.exe "%windir%/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files" /e /t /g everyone:f
echo y|cacls.exe %windir%/system32/mscoree.dll /e /g everyone:r
echo y|cacls.exe %windir%/system32/ws03res.dll /e /g everyone:r
echo y|cacls.exe %windir%/system32/msxml*.dll /e /g everyone:r
echo y|cacls.exe C:/WINDOWS/system32/urlmon.dll /e /g everyone:r
echo y|cacls.exe C:/WINDOWS/system32/mlang.dll /e /g everyone:r
echo y|cacls.exe C:/WINDOWS/system32/TAPI32.dll /e /g everyone:r
echo y|cacls.exe C:/WINDOWS/system32/WININET.dll /e /g everyone:r
cacls c:/windows/assembly /e /t /p "network service":r
cacls c:/windows/Microsoft.NET /e /t /p "network service":r
cacls "C:/WINDOWS/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files" /e /t /p "network service":f
cacls C:/WINDOWS/system32/mscoree.dll /e /g everyone:r
cacls C:/WINDOWS/system32/ws03res.dll /e /g everyone:r
cacls c:/WINDOWS /e /g "network service":r
if exist c:/windows  cacls c:/windows /e /g "network service":r
cacls c:/windows/Microsoft.NET /e /t /p "network service":r
cacls "C:/WINDOWS/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files" /e /t /p "network service":f
cacls "C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/Temporary ASP.NET Files" /e /t /p "network service":f
cacls c:/windows/system32 /e /g "network service":r
cacls c:/windows/system32/rasapi32.dll /e /g "network service":r
echo y|cacls.exe C:/WINDOWS/system32/inetsrv/adsiis.dll /p Administrators:f autosystem:f
echo y|cacls.exe C:/WINDOWS/system32/inetsrv/iisadmpwd /p Administrators:f autosystem:f
echo y|cacls.exe C:/WINDOWS/system32/inetsrv/MetaBack /p Administrators:f autosystem:f
cacls C":/Program Files/Serv-U" /e /g "servu":f
cacls d:/wwwroot /e /g servU:f
cacls c:/windows /e /g everyone:R

net stop Browser
sc config Browser start= disabled
net stop lanmanserver
sc config lanmanserver start= disabled
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share admin$ /delete
net share ipc$ /delete
echo  .. delshare.reg .......
echo Windows Registry Editor Version 5.00> c:/delshare.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/lanmanserver/parameters]>> c:/delshare.reg
echo "AutoShareWks"=dword:00000000>> c:/delshare.reg
echo "AutoShareServer"=dword:00000000>> c:/delshare.reg
echo  .. delshare.reg .....
regedit /s c:/delshare.reg
echo  .. delshare.reg ....
del c:/delshare.reg
echo .
echo ........
echo .
echo =========================================================
echo .
echo .....................dos....
echo .
echo .........
echo Windows Registry Editor Version 5.00> c:/dosforwin.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters]>> c:/dosforwin.reg
echo "EnableICMPRedirect"=dword:00000000>> c:/dosforwin.reg
echo "DeadGWDetectDefault"=dword:00000001>> c:/dosforwin.reg
echo "DontAddDefaultGatewayDefault"=dword:00000000>> c:/dosforwin.reg
echo "EnableSecurityFilters"=dword:00000000">> c:/dosforwin.reg
echo "AllowUnqualifiedQuery"=dword:00000000>> c:/dosforwin.reg
echo "PrioritizeRecordData"=dword:00000001>> c:/dosforwin.reg
echo "ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,/>> c:/dosforwin.reg
echo 00,00,00,00>> c:/dosforwin.reg
echo "SynAttackProtect"=dword:00000002>> c:/dosforwin.reg
echo "EnablePMTUDiscovery"=dword:00000000>> c:/dosforwin.reg
echo "NoNameReleaseOnDemand"=dword:00000001>> c:/dosforwin.reg
echo "EnableDeadGWDetect"=dword:00000000>> c:/dosforwin.reg
echo "KeepAliveTime"=dword:00300000>> c:/dosforwin.reg
echo "PerformRouterDiscovery"=dword:00000000>> c:/dosforwin.reg
echo "EnableICMPRedirects"=dword:00000000>> c:/dosforwin.reg
echo .
echo ==========================================================
echo .. dosforwin.reg .....
regedit /s c:/dosforwin.reg
echo  .. dosforwin.reg ....
del c:/dosforwin.reg
echo ==============================================================
echo .
echo ===============================================================
echo ..Remote Registry Service...........
echo .........
echo .
echo Windows Registry Editor Version 5.00> c:/regedit.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/RemoteRegistry]>> c:/regedit.reg
echo "Start"=dword:00000004>> c:/regedit.reg
echo .
echo .. regedit.reg .....
regedit /s c:/regedit.reg
echo .
echo ......
del c:/regedit.reg
echo ===============================================================
echo ..Messenger.......
echo .........
echo Windows Registry Editor Version 5.00> c:/message.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Messenger]>> c:/message.reg
echo "Start"=dword:00000004>> c:/message.reg
echo .
echo .. message.reg .....
regedit /s c:/message.reg
echo .
echo .. message.reg
del c:/message.reg
echo ===============================================================

echo ===============================================================
echo ..lanmanserver.......
echo .........
echo Windows Registry Editor Version 5.00> c:/lanmanserver.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/lanmanserver]>> c:/lanmanserver.reg
echo "Start"=dword:00000004>> c:/lanmanserver.reg
echo .
echo .. lanmanserver.reg .....
regedit /s c:/lanmanserver.reg
echo .
echo .. lanmanserver.reg
del c:/lanmanserver.reg

echo ==============================================================
echo ...TCP/IP NetBIOS Helper Service
echo .........
echo Windows Registry Editor Version 5.00> c:/netbios.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/LmHosts]>> c:/netbios.reg
echo "Start"=dword:00000004>> c:/netbios.reg
echo .
echo .. netbios.reg .....
regedit /s c:/netbios.reg
echo .
echo .. netbios.reg
del c:/netbios.reg
regedit /s forddos.reg

脚本上未带Serv-u的目录安全权限，就一条。单独发这里了

cacls "C:/Program Files/Serv-U" /t /P administrators:f servu:r

还有一个反操作的,已经打包到上面的文件里面了。
注意哦，里面的目录路径自己都要改成自己的哦。

3、脚本映射
删除无用的脚本映射，让你的服务器会更安全。这里根据西部数码的收集了一份
最简单的修改方法是在这个文件C:/WINDOWS/system32/inetsrv/MetaBase.xml，具体自己打开看了。
SHTML脚本映射

.shtm,C:/WINDOWS/system32/inetsrv/ssinc.dll,5,GET,POST
.shtml,C:/WINDOWS/system32/inetsrv/ssinc.dll,5,GET,POST
.stm,C:/WINDOWS/system32/inetsrv/ssinc.dll,5,GET,POST

ASP脚本映射

.asp,C:/windows/System32/inetsrv/asp.dll,5,GET,HEAD,POST,TRACE
.asa,C:/windows/System32/inetsrv/asp.dll,5,GET,HEAD,POST,TRACE

PHP CGI脚本映射

.php,D:/wwwsoft/PHP/php-cgi.exe,5,GET,HEAD,POST,TRACE
.php3,D:/wwwsoft/PHP/php-cgi.exe,5,GET,HEAD,POST,TRACE

PHP ISAPI脚本映射

.php,D:/wwwsoft/PHP/php5isapi.dll,5,GET,HEAD,POST,TRACE
.php3,D:/wwwsoft/PHP/php5isapi.dll,5,GET,HEAD,POST,TRACE

ASP.NET v2.0脚本映射
ASP.net2.0兼容v1.0，所以一般使用2.0的设置就可以了

.asax,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ascx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ashx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.asmx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.aspx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.axd,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.vsdisco,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.rem,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.soap,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.config,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.cs,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.csproj,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vb,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vbproj,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.webinfo,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.licx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.resx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.resources,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.xoml,C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.rules,C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.master,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.skin,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.compiled,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.browser,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.mdb,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.jsl,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vjsproj,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sitemap,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.msgx,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.ad,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.dd,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldd,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sd,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.cd,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.adprototype,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.lddprototype,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
;.sdm,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sdmDocument,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldb,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.svc,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.mdf,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldf,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.java,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.exclude,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.refresh,c:/windows/microsoft.net/framework/v2.0.50727/aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG

不解，上面怎么有java的映射呢？