Hardening NT and IIS
Author: collector  Source: from the web  Updated: 2005/9/10 13:26:08
  Modify firmware environment values: Administrators
  Generate system policy: Administrators
  Log on as a batch job: No one

4. Event Viewer settings:
     Set the log size of the Application, System and Security logs to 100MB each
     Event log overwrite policy: overwrite events older than 30 days
     Prevent anonymous users from viewing the logs

5. Registry values
Key  Type  Value
MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\HandlerRequired  REG_DWORD  1
MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation  REG_DWORD  1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms  REG_SZ  1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects  REG_DWORD  1
MACHINE\System\CurrentControlSet\Control\Lsa\Su...  (entry truncated in the original)
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword  REG_DWORD  0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect  REG_DWORD  15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks  REG_DWORD  0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer  REG_DWORD  0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel  REG_DWORD  1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel  REG_DWORD  1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous  REG_DWORD  1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode  REG_DWORD  1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel  REG_DWORD  2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText  REG_SZ  This is a private system. Unauthorized use is prohibited.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption  REG_SZ  CISD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName  REG_SZ  1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail  REG_DWORD  1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown  REG_DWORD  1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount  REG_SZ  0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies  REG_SZ  1
MACHINE\Software\Microsoft\Windows NT\Current... ...bmitControl  REG_DWORD  0  (entry garbled in the original)
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing  REG_BINARY  1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon  REG_SZ  1
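
The following PowerShell script is an added example and is not part of the original article or of bastion.inf. It turns the table above, together with the event-log sizes from section 4, into a drift report with an optional -Fix switch. The paths and values are the article's; two things are my own assumptions and are marked as such in the script: the event-log rows (MaxSize, Retention and RestrictGuestAccess under Services\EventLog\<Log>) and the AddPrinterDrivers spelling under LanMan Print Services\Servers, which is the documented location for the entry the article writes as "AddPrintDrivers". Keys that a given Windows version does not have simply report MISS.

```powershell
# Added example, not from the original article: audit (and optionally set) the
# section-5 registry baseline and the section-4 event-log settings. Run elevated.
# One row per setting: registry path|value name|type|expected value.
$BaselineTable = @'
HKLM:\SOFTWARE\Microsoft\DataFactory\HandlerInfo|HandlerRequired|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem|NtfsDisable8dot3NameCreation|DWord|1
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|AllocateCDRoms|String|1
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|AuditBaseObjects|DWord|1
# assumption: the article writes "LanMan Print Services\AddPrintDrivers"; the documented value is:
HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers|AddPrinterDrivers|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\Rdr\Parameters|EnablePlainTextPassword|DWord|0
HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters|AutoDisconnect|DWord|15
HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters|AutoShareWks|DWord|0
HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters|AutoShareServer|DWord|0
HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters|EnableForcedLogOff|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters|RequireSecuritySignature|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters|EnableSecuritySignature|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\Rdr\Parameters|RequireSecuritySignature|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\Rdr\Parameters|EnableSecuritySignature|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters|RequireSignOrSeal|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters|SealSecureChannel|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters|SignSecureChannel|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|RestrictAnonymous|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager|ProtectionMode|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|LmCompatibilityLevel|DWord|2
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|LegalNoticeText|String|This is a private system. Unauthorized use is prohibited.
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|LegalNoticeCaption|String|CISD
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|DontDisplayLastUserName|String|1
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|CrashOnAuditFail|DWord|1
HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management|ClearPageFileAtShutdown|DWord|1
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|CachedLogonsCount|String|0
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|AllocateFloppies|String|1
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|FullPrivilegeAuditing|Binary|1
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|ShutdownWithoutLogon|String|1
'@

# assumption (section 4): per-log size, retention and guest restriction live under
# Services\EventLog\<Log>. MaxSize is in bytes (100 MB), Retention in seconds (30 days).
$EventLogRows = foreach ($log in 'Application', 'System', 'Security') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    "$p|MaxSize|DWord|104857600"
    "$p|Retention|DWord|2592000"
    "$p|RestrictGuestAccess|DWord|1"
}

function Test-RegistryBaseline {
    param([string[]]$Rows, [switch]$Fix)
    foreach ($row in $Rows) {
        if ($row.Trim() -eq '' -or $row.TrimStart().StartsWith('#')) { continue }
        $path, $name, $type, $expected = $row -split '\|', 4
        $actual = $null
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.$name }
        }
        # REG_BINARY comes back as byte[]; the article's "1" means a single 0x01 byte
        if ($actual -is [byte[]]) { $actual = if ($actual.Length -gt 0) { [int]$actual[0] } else { $null } }
        $ok = ($null -ne $actual) -and ("$actual" -eq $expected)
        $status = if ($ok) { 'OK   ' } elseif ($null -eq $actual) { 'MISS ' } else { 'DRIFT' }
        '{0} {1}\{2} = [{3}] expected [{4}]' -f $status, $path, $name, $actual, $expected
        if ($Fix -and -not $ok) {
            if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
            $value = switch ($type) {
                'DWord'  { [int]$expected }
                'Binary' { [byte[]]@([byte]$expected) }
                default  { $expected }
            }
            New-ItemProperty -LiteralPath $path -Name $name -PropertyType $type -Value $value -Force | Out-Null
        }
    }
}

$rows = ($BaselineTable -split "`r?`n") + $EventLogRows
Test-RegistryBaseline -Rows $rows          # report only
# Test-RegistryBaseline -Rows $rows -Fix   # apply the baseline
```

Run the report first and read the DRIFT lines before using -Fix: CrashOnAuditFail=1 halts the machine when the Security log fills, which is why it only makes sense together with the 100MB log size and 30-day retention from section 4, and RestrictAnonymous=1 and LmCompatibilityLevel=2 refuse some older clients, so try the baseline on a non-production host first.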
     
6. File system and registry access control:
See bastion.inf for details.

7. Administrator account:
bastion.inf renames Administrator to root;
you can change this name to suit your needs. Use a strong password.

IV. Optional registry settings

1. Remove the OS/2 and POSIX subsystems:
Delete every entry under the following key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
    Delete the following entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
     Delete the following entries:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2
  Delete the following directory:
      c:\winnt\system32\os2
   
2. Remove the RDS vulnerability:
    Delete the following registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
3. Remove unnecessary services from the network services:
    Remove: NetBIOS Interface, Computer Browser, Server, Workstation
    Keep: RPC Configuration
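
The following PowerShell script is an added example, not code from the original article. It checks for the leftovers that sections 1 and 2 above tell you to delete (the OS/2 subsystem key, the subsystem loader entries, the os2 directory and the three RDS ADCLaunch keys) and, only with -Remove, deletes them. It uses the .NET registry classes rather than the HKLM: drive because the "OS/2 Subsystem for NT" key name contains a slash, which the PowerShell registry provider would treat as a path separator. All key names are the article's.

```powershell
# Added example, not from the original article: report (and with -Remove, delete)
# the optional-hardening leftovers from section IV. Run elevated and export the
# keys with reg.exe first; the subsystem entries have no undo once deleted.
$HKLM = [Microsoft.Win32.Registry]::LocalMachine

# Whole keys that should not exist: the OS/2 subsystem and the RDS launch handlers
$KeysToRemove = @(
    'SOFTWARE\Microsoft\OS/2 Subsystem for NT',
    'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory',
    'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory',
    'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls'
)
# Individual values that should not exist: the subsystem loader entries
$ValuesToRemove = @(
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'; Name = 'Os2LibPath' },
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems';  Name = 'Optional' },
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems';  Name = 'Posix' },
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems';  Name = 'Os2' }
)
# The article's c:\winnt\system32\os2, resolved through %SystemRoot%
$DirsToRemove = @(Join-Path $env:SystemRoot 'system32\os2')

function Test-OptionalRemovals {
    param([switch]$Remove)
    $findings = @()
    foreach ($sub in $KeysToRemove) {
        $k = $HKLM.OpenSubKey($sub)          # $null when the key is absent
        if ($null -ne $k) {
            $k.Close()
            $findings += "KEY   HKLM\$sub"
            if ($Remove) { $HKLM.DeleteSubKeyTree($sub) }
        }
    }
    foreach ($v in $ValuesToRemove) {
        $k = $HKLM.OpenSubKey($v.Key, [bool]$Remove)   # writable only when removing
        if ($null -ne $k) {
            if ($null -ne $k.GetValue($v.Name)) {
                $findings += "VALUE HKLM\$($v.Key)\$($v.Name)"
                if ($Remove) { $k.DeleteValue($v.Name) }
            }
            $k.Close()
        }
    }
    foreach ($d in $DirsToRemove) {
        if (Test-Path -LiteralPath $d) {
            $findings += "DIR   $d"
            if ($Remove) { Remove-Item -LiteralPath $d -Recurse -Force }
        }
    }
    if ($findings.Count -eq 0) { 'Nothing left to remove.' } else { $findings }
}

Test-OptionalRemovals            # report only
# Test-OptionalRemovals -Remove  # delete, after a reg.exe export of the keys above
```

Running it without -Remove is the useful part on a modern host: it tells you whether any of these entries survived an upgrade. The ADCLaunch keys are an IIS 4-era artifact and will usually be absent, which the report shows as nothing to remove.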


V. Protecting permissions

1. Protect the Internet Guest user account:
    In User Manager, rename the Internet Guest account to an obscure name and give it a strong password.
Disable the guest account.
    Remove the renamed Internet Guest account from the "Guests" group.
    Set the renamed Internet Guest account's access to all volumes to "No Access". To keep IIS running, you must then grant the renamed
Internet Guest account read permission on the following directories:
Default path             Environment variable
c:\                      %SystemDrive%
c:\winnt                 %SystemRoot%
d:\InetPub\wwwroot       your IIS root directory
    Note: when setting permissions on these directories, do not select "Replace Permissions on Subdirectories"!

2. Lock down the "Users" group:
    Set the NT built-in group "Users" access to all volumes to "No Access". Because new users are automatically added to "Users", new users will by default be unable to access any volume.
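
The following PowerShell script is an added example, not part of the original article. It is an audit-only counterpart to sections 1 and 2 above: for the three directories the article names it lists every ACE held by the renamed Internet Guest account and by BUILTIN\Users, flags any grant that goes beyond read access, and reports whether each ACE was inherited from a parent. $IusrName is an assumption; put the obscure name you chose in User Manager there. Get-Acl needs PowerShell, so this targets the later Windows versions where an NT-era build was upgraded in place.

```powershell
# Added example, not from the original article: audit-only report of the ACEs that the
# renamed Internet Guest account and BUILTIN\Users hold on the section-V directories.
# Nothing is changed. $IusrName is an assumption: substitute your renamed account.
$IusrName    = 'IUSR_RENAMED'                      # assumption, see above
$Principals  = @("$env:COMPUTERNAME\$IusrName", 'BUILTIN\Users')
$Directories = @("$env:SystemDrive\", $env:SystemRoot, 'D:\InetPub\wwwroot')   # the article's three paths
$ReadOnly    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-DirectoryAccessReport {
    param([string[]]$Paths, [string[]]$Identities)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { "SKIP  $p (not present)"; continue }
        $acl  = Get-Acl -LiteralPath $p
        $seen = $false
        foreach ($ace in $acl.Access) {
            if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
            $seen = $true
            $who  = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Deny') { "DENY  $p  $who"; continue }
            # bits outside ReadAndExecute mean write, delete or change-permission rights
            $extra = [int]($ace.FileSystemRights) -band (-bnot [int]$ReadOnly)
            if ($extra -ne 0) {
                $label = [System.Security.AccessControl.FileSystemRights]$extra
                "EXTRA $p  $who  grants: $label  inherited: $($ace.IsInherited)"
            } else {
                "READ  $p  $who  inherited: $($ace.IsInherited)"
            }
        }
        if (-not $seen) { "NONE  $p  (no ACE for the audited principals)" }
    }
}

Get-DirectoryAccessReport -Paths $Directories -Identities $Principals
```

An EXTRA line on any of the three directories, or a READ line on a directory the article does not list, is what to look for. The "inherited" column is the modern form of the article's warning about replacing subdirectory permissions: a grant that arrived by inheritance was propagated from a parent rather than set on purpose.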


