详解windows 2003 server安全配置要求
作者:佚名 来源:xp下载站 时间:2013-08-12 15:10
文档以windows 2003成员服务器为基础制定,对于AD服务器、WEB服务器、PRINT服务器等,会由另外文档针对性地提出单独的安全配置要求 。
1、版本控制
a)主补丁安装SP2
b)及时安装高危的补丁
c)要求每6个月更新镜像文件,新的镜像文件要求包括最新的补丁和对安全漏洞的修补
2、访问控制
a) 确认系统内所有帐号均设置了密码。且密码要求符合“密码安全规范”中的要求
1
2
3
4
5
6
7
|
复杂度控制:
密码长度不小于8个字符;
密码字符类型要包括,数字、小写字母、大写字母、特殊字符,至少三类;
密码不能落在“弱密码字典”中;
更新周期:
用户首次登陆,强制重置密码,复杂度要符合“密码复杂度控制”中的条例;
用户密码一个季度强制该更改一次,并且密码与上次密码不能相同,复杂度要符合“密码复杂度控制”中的条例。
|
b) 密码策略
1
2
3
4
5
6
|
打开 "计算机配置Windows设置安全设置账户策略密码策略" 文件夹,执行以下配置:
MinimumPasswordAge=1 密码最短存留期1天
MaximumPasswordAge=60 密码最长存留期60天
MinimumPasswordLength=14 密码长度最小值12个字符
PasswordComplexity=1 密码必须符合复杂性要求启用
PasswordHistorySize=24 强制密码历史24个需要记住的密码
|
c) 账户锁定策略
1
2
3
4
|
打开 "计算机配置Windows 设置安全设置账户策略账户锁定策略" 文件夹,执行以下配置:
LockoutBadCount=5 输错5次密码锁定账户
ResetLockoutCount=30 账户锁定时间在30分钟
LockoutDuration=-1 不自动解锁
|
d) 其他安全策略
1
2
3
4
5
6
7
8
|
打开 "计算机配置Windows 设置安全设置本地策略安全选项" 文件夹,执行以下配置:
RequireLogonToChangePassword = 0 每次启动需要修改密码
ForceLogoffWhenHourExpire = 1 超过登陆时间后强制注销
NewAdministratorName = "xadministrator" 修改本机管理员名称为xadministrator
NewGuestName = "xguest" 修改本机guest名称为xguest
ClearTextPassword=0 域中用户停用可还原的加密来存储密码
LSAAnonymousNameLookup=0 禁用匿名SID/名称转换
EnableGuestAccount=0 禁用guest账号
|
e) 确认所以的帐号密码均已修改
1
|
确认系统中的administrator、Guest等账号均已经修改初始密码
|
f) 限制Power Users组成员
1
2
|
清空Power Users组成员及隶属组。
安全隐患:由于 Power Users 可以安装或修改程序,因而以 Power User 身份连接到 Internet 时可能引起特洛伊木马程序的攻击或其他安全隐患。
|
g) 在密码到期前提示用户更改密码
1
|
编辑注册表:HKLMsoftwaremicrosoftwindows ntcurrentversionwinlogonpasswordexpirywarning=4,14 //提前14天提醒
|
h) 使用空白密码的本地帐户只允许进行控制台登录
1
|
编辑注册表:HKLMSystemCurrentControlSetControlLsaLimitBlankPasswordUse=4,1
|
i) Everyone 权限应用于匿名用户
1
|
编辑注册表:HKLMSystemCurrentControlSetControlLsaEveryoneIncludesAnonymous=4,0
|
j) 当登录时间用完时自动注销用户
1
|
编辑注册表:HKLMSystemCurrentControlSetServicesLanManServerParametersEnableForcedLogOff=4,1
|
3、系统服务安全
禁用以下服务
序号 |
服务名称 |
操作 |
01 |
Alerter |
Disabled |
02 |
Clipbook |
Disabled |
03 |
Computer Browser |
Disabled |
04 |
Fax |
Disabled |
05 |
FTP Publishing Service |
Disabled |
06 |
IIS Admin Service |
Disabled |
07 |
Indexing Service |
Disabled |
08 |
Messenger |
Disabled |
09 |
Netmeeting Remote Desktop Sharing |
Disabled |
10 |
Network DDE |
Disabled |
11 |
Network DDE DSDM |
Disabled |
12 |
Remote Access Connection Manager |
Disabled |
13 |
Remote Desktop Help Session Manager |
Disabled |
14 |
Routing and Remote Access |
Disabled |
15 |
Remote Registry |
Disabled |
16 |
Simple Network Management Protocol (SNMP) Service |
Disabled |
17 |
Simple Network Management Protocol (SNMP) Trap |
Disabled |
18 |
SSDP Discovery Service |
Disabled |
19 |
Task Scheduler |
Disabled |
20 |
Telnet |
Disabled |
21 |
Terminal Services |
Disabled |
22 |
TCP/IP Netbios Helper |
Disabled |
23 |
Universal Plug and Play Device Host |
Disabled |
24 |
World Wide Web Publishing Service |
Disabled |
4、安全参数配置
a) 不允许SAM帐户的匿名枚举
1
|
编辑注册表:HKLMSystemCurrentControlSetControlLsaRestrictAnonymous=4,1
|
b) 禁用 ICMP 重定向
1
|
编辑注册表:HKLMsystemCurrentControlSetServicesTcpipParametersEnableICMPRedirect=4,0
|
c) 禁用 TCP 备用网关
1
|
编辑注册表:HKLMsystemCurrentControlSetServicesTcpipParametersEnableDeadGWDetect=4,0
|
d) 设置TCP的保持连接的间隔
1
|
编辑注册表:HKLMsystemCurrentControlSetServicesTcpipParametersKeepAliveTime=4,300000 //设置为 300,000(5 分钟)
|
e) IP 源路由保护级别(防范数据包欺骗)
1
|
编辑注册表:HKLMsystemCurrentControlSetServicesTcpipParametersDisableIPSourceRouting=4,2
|
f) 禁用”ICMP路由公告”功能
1
|
编辑注册表:HKLMsystemCurrentControlSetServicesTcpipParametersPerformRouterDiscovery=4,0
|
g) 不支持IGMP协议
1
|
编辑注册表:HKLMSYSTEMCurrentControlSetServicesTcpipParameters 新建DWORD值,名为IGMPLevel 值为0
|
h) 禁用DCOM
1
|
运行中输入Dcomcnfg.exe并回车,单击"控制台根节点"下的"组件服务"。打开"计算机"子文件夹,对于本地计算机,请以右键单击"我的电脑",然后选择"属性"。选择"默认属性"选项卡,清除"在这台计算机上启用分布式"复选框
|
i) 禁用CD-Rom Auto Run功能
1
|
编辑注册表:HKLMsystemCurrentControlSetServicesCdromAutorun=4,0
|
j) 禁止所有盘AutoRun
1
|
编辑注册表:HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDriveTypeAutoRun=4,255
|
k) 禁用自动登录
1
|
编辑注册表:HKLMSoftwareMicrosoftWindowsNTCurrentVersionWinlogonAutoAdminLogon=1,0
|
l) LAN Manager 身份验证级别
1
|
编辑注册表:HKLMsystemcurrentcontrolsetcontrollsalmcompatibilitylevel=4,4 只接受NTLM 和 NTLMv2方式
|
m) 严禁在系统登录前具有关机选项
1
|
编辑注册表:HKLMsoftwaremicrosoftwindowscurrentversionpoliciessystemshutdownwithoutlogon=4,0
|
n) 用户试图登录时消息标题
1
|
编辑注册表:HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemLegalNoticeCaption=1,"YOU ARE LOGIN OFFICE NETWORK OF ALIBABA GROUP"
|
p) 不允许 SAM 帐户的匿名枚举
1
|
编辑注册表:HKLMSystemCurrentControlSetControlLsaRestrictAnonymousSAM=4,1
|
q) 不要在下次更改密码时存储 LAN Manager 的哈希值
1
|
编辑注册表:HKLMSystemCurrentControlSetControlLsaNoLMHash=4,1
|
5、文件权限控制
%SystemDrive% |
Administrators: Full System: Full Creator Owner: Full Users: Read, Execute. |
||||||||||||||
%SystemRoot% regedit.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32arp.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32at.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32attrib.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32cacls.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32debug.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32edlin.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32eventcreate.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32eventtriggers.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32ftp.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32nbtstat.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32net.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32net1.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32netsh.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32netstat.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32nslookup.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32ntbackup.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32rcp.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32reg.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32regedt32.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32regini.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32regsvr32.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32rexec.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32route.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32rsh.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32sc.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32secedit.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32subst.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% System32systeminfo.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32telnet.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32tftp.exe |
Administrators: Full System: Full |
||||||||||||||
%SystemRoot% system32tlntsvr.exe |
Administrators: Full System: Full 6、恶意攻击防范
a) 网络配置安全
b) 关闭未使用的网卡
7、日志及其输出 a) 系统日志
b) 安全日志
b) 应用程序日志
d) 日志审核策略
|