
Web server security settings from West.cn (西部数码)

2019-04-19, 204 participants

1. Recommended security settings
(1) Check whether the SP2 patch is installed. Set automatic updates to install patches every day at 3:00.
(2) When configuring the firewall and port restrictions, be very careful, or you may lose remote management access to the server.
------ Right-click My Network Places > Properties > Advanced, enable the Windows Server 2003 firewall, and allow only ports 20, 21, 25, 80, 110, 1433, 3306, Remote Desktop 3389 and 33000~33003 (FTP PASV).
------ Under Advanced > ICMP, allow incoming echo requests so that the server answers ping; this makes troubleshooting easier.
------ Right-click My Network Places > Properties > TCP/IP > Advanced > Options > TCP/IP filtering, and allow only the commonly used ports 20, 21, 25, 80, 110, 1433, 3306, Remote Desktop 3389 and 33000~33003.
------ Enable the Windows Server 2003 firewall and open only the ports you need. Installing another personal firewall or applying additional security policies on the server is not recommended; if you must, make absolutely sure you do not shut out Remote Desktop (i.e. block all inbound traffic to the server).
------ If you change the Remote Desktop port from 3389, you must add the new port both under TCP/IP filtering in the TCP/IP properties and in the firewall settings, otherwise you will not be able to manage the server remotely after a reboot.
------ Do not change the server's IP address, subnet mask or gateway settings.
(3) If you install SQL Server, apply the SP4 patch immediately; otherwise the server is very likely to be infected by the SQL Server worm and lose network connectivity.
(4) Keep important data on drive D and put only programs and system files on drive C, so that data is not lost if the system has to be reinstalled later.
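The port allow-list in item (2) is only as good as your knowledge of what is actually listening on the server. The following Python script is an added example, not part of the West.cn material: it compares the TCP listeners reported by `netstat -an` with the article's allow-list (including the 33000~33003 PASV range) and reports every listener that is not on it. The netstat output embedded in it is a constructed sample shaped like the real command's output.

```python
"""Compare TCP listeners from `netstat -an` with the article's port allow-list.

Added example. ALLOWED_PORTS is the list given in the article; SAMPLE_NETSTAT
is constructed sample output, to be replaced with real `netstat -an` output.
"""
import re

# Ports the article says the firewall and TCP/IP filtering should permit.
ALLOWED_PORTS = {20, 21, 25, 80, 110, 1433, 3306, 3389} | set(range(33000, 33004))

# Matches Windows netstat listener lines, IPv4 or IPv6, e.g.
#   TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
#   TCP    [::]:80                [::]:0                 LISTENING
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_ports(netstat_output):
    """Return {port: {local addresses}} for every TCP socket in LISTENING state."""
    ports = {}
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports


def unexpected_listeners(netstat_output, allowed=ALLOWED_PORTS):
    """Listeners whose port is not in the allow-list, as {port: {addresses}}."""
    allowed = set(allowed)
    return {p: addrs for p, addrs in listening_ports(netstat_output).items()
            if p not in allowed}


# Constructed sample: a web server that still exposes RPC (135) and SMB (445).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:33001          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.20:51234     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for port, addrs in sorted(unexpected_listeners(SAMPLE_NETSTAT).items()):
        print(f"port {port} is listening on {', '.join(sorted(addrs))} but is not in the allow-list")
```

A listener that is not on the list is either a service to disable (the safe.cmd script below turns off Server and Computer Browser, which removes 445 and the NetBIOS ports) or a port that belongs on the list; either way it is a decision to make before the firewall rules go live.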

2. Permission security
Here is West.cn's security script, safe.cmd (download and unzip it yourself). A source-code version follows.
The code is as follows:

@echo off
REM West.cn safe.cmd: tightens NTFS permissions on the drive roots, the Windows
REM directory and the command-line tools a web shell would reach for, then disables
REM unneeded services and hardens TCP/IP. Change drive letters, web root and the
REM Serv-U account name (servu) to match your own server before running it.
REM "echo y|" answers the "Are you sure (Y/N)?" prompt that cacls shows when /p
REM is used without /e, i.e. when the whole ACL is replaced rather than edited.

REM --- Drive roots, Program Files and the Windows directory ---
echo y|cacls.exe c:\ /p administrators:f system:f "network service":r
echo y|cacls.exe d:\ /p administrators:f system:f servu:f "network service":r
echo y|cacls.exe e:\ /p administrators:f system:f servu:f "network service":r
echo y|cacls.exe "c:\program files" /t /p administrators:f system:f everyone:r
echo y|cacls.exe "c:\program files\common files" /t /g administrators:f system:f everyone:r
echo y|cacls.exe c:\windows /p administrators:f system:f
echo y|cacls.exe c:\windows\system32 /p administrators:f system:f
echo y|cacls.exe c:\windows\system32\inetsrv /p administrators:f system:f everyone:r
echo y|cacls.exe "c:\documents and settings" /p administrators:f system:f
echo y|cacls.exe "c:\documents and settings\all users" /t /p administrator:f system:f everyone:r
echo y|cacls.exe c:\windows\temp /p everyone:f
echo y|cacls.exe %systemroot%\system32\shell32.dll /p administrators:f
echo y|cacls.exe %systemroot%\system32\wshom.ocx /p administrators:f
echo y|cacls.exe c:\windows\system32\*.exe /p administrators:f system:f
echo y|cacls.exe "c:\documents and settings\all users" /e /g everyone:r
echo y|cacls.exe %systemroot%\system32\svchost.exe /e /g "network service":r
echo y|cacls.exe %systemroot%\system32\msdtc.exe /e /g "network service":r
echo y|cacls.exe %windir%\system32\mtxex.dll /e /g everyone:r

REM --- Command-line tools: only the Administrator account keeps access. Because /p
REM --- replaces the whole ACL, SYSTEM and service accounts can no longer run these.
echo y|cacls.exe c:\windows\system32\cmd.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\net1.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\sc.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\at.exe /p administrator:f
echo y|cacls.exe %windir%\system32\dllhost.exe /e /g everyone:r
echo y|cacls.exe c:\windows\system32\netsh.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\cacls.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\cmdkey.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\ftp.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\tftp.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\reg.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\regedt32.exe /p administrator:f
echo y|cacls.exe c:\windows\system32\regini.exe /p administrator:f

REM --- .NET Framework and DLLs the web worker process needs: read-only, except the
REM --- Temporary ASP.NET Files directories, which must stay writable for compilation.
echo y|cacls.exe %windir%\assembly /e /t /g "network service":r
echo y|cacls.exe %windir%\microsoft.net /e /t /g everyone:r
echo y|cacls.exe "%windir%\microsoft.net\framework\v1.1.4322\temporary asp.net files" /e /t /g everyone:f
echo y|cacls.exe %windir%\system32\mscoree.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\ws03res.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\msxml*.dll /e /g everyone:r
echo y|cacls.exe c:\windows\system32\urlmon.dll /e /g everyone:r
echo y|cacls.exe c:\windows\system32\mlang.dll /e /g everyone:r
echo y|cacls.exe c:\windows\system32\tapi32.dll /e /g everyone:r
echo y|cacls.exe c:\windows\system32\wininet.dll /e /g everyone:r
cacls c:\windows\assembly /e /t /p "network service":r
cacls c:\windows\microsoft.net /e /t /p "network service":r
cacls "c:\windows\microsoft.net\framework\v1.1.4322\temporary asp.net files" /e /t /p "network service":f
cacls "c:\windows\microsoft.net\framework\v2.0.50727\temporary asp.net files" /e /t /p "network service":f
cacls c:\windows /e /g "network service":r
cacls c:\windows\system32 /e /g "network service":r
cacls c:\windows\system32\rasapi32.dll /e /g "network service":r

REM --- IIS admin components, Serv-U and the web root ---
echo y|cacls.exe c:\windows\system32\inetsrv\adsiis.dll /p administrators:f system:f
echo y|cacls.exe c:\windows\system32\inetsrv\iisadmpwd /p administrators:f system:f
echo y|cacls.exe c:\windows\system32\inetsrv\metaback /p administrators:f system:f
cacls "c:\program files\serv-u" /e /g servu:f
cacls d:\wwwroot /e /g servu:f
cacls c:\windows /e /g everyone:r

REM --- Stop and disable Computer Browser and Server (file sharing), remove the
REM --- administrative shares and keep Windows from recreating them at boot.
net stop browser
sc config browser start= disabled
net stop lanmanserver
sc config lanmanserver start= disabled
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share admin$ /delete
net share ipc$ /delete
echo Writing delshare.reg ...
echo Windows Registry Editor Version 5.00> c:\delshare.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> c:\delshare.reg
echo "AutoShareWks"=dword:00000000>> c:\delshare.reg
echo "AutoShareServer"=dword:00000000>> c:\delshare.reg
echo Importing delshare.reg ...
regedit /s c:\delshare.reg
del c:\delshare.reg

echo =========================================================
echo Hardening TCP/IP against DoS (SYN flood protection, no ICMP redirects,
echo no router discovery, no dead-gateway switching) ...
echo Windows Registry Editor Version 5.00> c:\dosforwin.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>> c:\dosforwin.reg
echo "EnableICMPRedirect"=dword:00000000>> c:\dosforwin.reg
echo "DeadGWDetectDefault"=dword:00000001>> c:\dosforwin.reg
echo "DontAddDefaultGatewayDefault"=dword:00000000>> c:\dosforwin.reg
echo "EnableSecurityFilters"=dword:00000000>> c:\dosforwin.reg
echo "AllowUnqualifiedQuery"=dword:00000000>> c:\dosforwin.reg
echo "PrioritizeRecordData"=dword:00000001>> c:\dosforwin.reg
REM ReservedPorts is REG_MULTI_SZ; the hex is "1433-1434" in UTF-16LE plus terminators.
echo "ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\>> c:\dosforwin.reg
echo   00,00,00,00>> c:\dosforwin.reg
echo "SynAttackProtect"=dword:00000002>> c:\dosforwin.reg
echo "EnablePMTUDiscovery"=dword:00000000>> c:\dosforwin.reg
echo "NoNameReleaseOnDemand"=dword:00000001>> c:\dosforwin.reg
echo "EnableDeadGWDetect"=dword:00000000>> c:\dosforwin.reg
echo "KeepAliveTime"=dword:00300000>> c:\dosforwin.reg
echo "PerformRouterDiscovery"=dword:00000000>> c:\dosforwin.reg
echo "EnableICMPRedirects"=dword:00000000>> c:\dosforwin.reg
echo Importing dosforwin.reg ...
regedit /s c:\dosforwin.reg
del c:\dosforwin.reg

REM --- Disable services by setting Start=4 (Disabled) in the registry ---
echo ===============================================================
echo Disabling the Remote Registry service ...
echo Windows Registry Editor Version 5.00> c:\regedit.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]>> c:\regedit.reg
echo "Start"=dword:00000004>> c:\regedit.reg
regedit /s c:\regedit.reg
del c:\regedit.reg

echo ===============================================================
echo Disabling the Messenger service ...
echo Windows Registry Editor Version 5.00> c:\message.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]>> c:\message.reg
echo "Start"=dword:00000004>> c:\message.reg
regedit /s c:\message.reg
del c:\message.reg

echo ===============================================================
echo Disabling the Server (LanmanServer) service ...
echo Windows Registry Editor Version 5.00> c:\lanmanserver.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]>> c:\lanmanserver.reg
echo "Start"=dword:00000004>> c:\lanmanserver.reg
regedit /s c:\lanmanserver.reg
del c:\lanmanserver.reg

echo ===============================================================
echo Disabling the TCP/IP NetBIOS Helper (lmhosts) service ...
echo Windows Registry Editor Version 5.00> c:\netbios.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts]>> c:\netbios.reg
echo "Start"=dword:00000004>> c:\netbios.reg
regedit /s c:\netbios.reg
del c:\netbios.reg

REM forddos.reg is not reproduced on this page; this import only works if that
REM file is in the current directory when safe.cmd runs.
regedit /s forddos.reg

The script does not include the Serv-U directory permissions; that is a single line, posted separately here:

cacls "c:\program files\serv-u" /t /p administrators:f servu:r

An undo script that reverses these changes is also included in the package above.
Note that you must change the directory paths inside it to match your own server.
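The script sets permissions but gives no way to confirm afterwards that nothing web-facing can still write where it should not. As an added example (not West.cn's code), the Python script below parses the output of `cacls <path>` and reports every ACE that grants write access to Everyone, Users, Authenticated Users, NETWORK SERVICE or the IIS anonymous accounts (IUSR_*/IWAM_*), including the "(special access:)" form cacls prints for non-standard rights. The two cacls outputs embedded in it are constructed samples in that format; the server name WEB01 and the directory d:\wwwroot\upload are assumptions.

```python
r"""Report write access granted to broad or web-facing principals in cacls output.

Added example, not part of the West.cn script. It reads the text printed by
`cacls <path>` on Windows Server 2003. The two outputs embedded below are
constructed samples in that format (server name WEB01 and the d:\wwwroot\upload
directory are assumptions), not captures from a real server.
"""
import re

# cacls permission letters that allow modification: Full, Change, Write.
WRITE_LETTERS = {"F", "C", "W"}
# Rights printed under "(special access:)" that allow modification.
WRITE_SPECIAL = {
    "GENERIC_ALL", "GENERIC_WRITE", "FILE_ALL_ACCESS", "FILE_GENERIC_WRITE",
    "FILE_WRITE_DATA", "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER",
}
# Principals the script means to keep read-only (or out) on protected paths.
BROAD_PRINCIPALS = {
    "everyone", r"builtin\users", r"nt authority\authenticated users",
    r"nt authority\network service",
}

# "<account>:(OI)(CI)F" -> account, optional inheritance flags, one permission letter
_ACE_RE = re.compile(r"^(?P<acct>.+?):(?:\([A-Z]{2}\))*(?P<perm>[FCWRN])$")
# "<account>:(OI)(CI)(special access:)" followed by one right name per line
_SPECIAL_RE = re.compile(r"^(?P<acct>.+?):(?:\([A-Z]{2}\))*\(special access:\)$")


def parse_cacls(path, output):
    """Return [(account, rights)]; rights is a permission letter or, for a
    special-access ACE, the set of right names that followed it."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # cacls prints the path in front of the first ACE; strip it off.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = _SPECIAL_RE.match(line)
        if m:
            aces.append((m.group("acct"), set()))
            continue
        m = _ACE_RE.match(line)
        if m:
            aces.append((m.group("acct"), m.group("perm")))
            continue
        # Anything else is a right name belonging to the preceding special ACE.
        if aces and isinstance(aces[-1][1], set):
            aces[-1][1].add(line)
    return aces


def is_web_facing(account):
    """True for the broad principals above and for the IIS anonymous accounts
    (IUSR_<host>, IWAM_<host>)."""
    name = account.lower()
    return name in BROAD_PRINCIPALS or re.search(r"\\(iusr_|iwam_)", name) is not None


def grants_write(rights):
    if isinstance(rights, set):
        return bool(rights & WRITE_SPECIAL)
    return rights in WRITE_LETTERS


def broad_write_grants(path, output):
    """ACEs on `path` that give a web-facing principal write access."""
    return [(acct, rights) for acct, rights in parse_cacls(path, output)
            if is_web_facing(acct) and grants_write(rights)]


# Constructed sample: cmd.exe after safe.cmd ran (only Administrator remains).
CMD_EXE = r"c:\windows\system32\cmd.exe"
CMD_EXE_ACL = r"""c:\windows\system32\cmd.exe WEB01\Administrator:F
"""

# Constructed sample: an upload directory where the anonymous web account can write.
UPLOAD_DIR = r"d:\wwwroot\upload"
UPLOAD_DIR_ACL = r"""d:\wwwroot\upload BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                  Everyone:(OI)(CI)R
                  WEB01\IUSR_WEB01:(OI)(CI)(special access:)
                                   READ_CONTROL
                                   SYNCHRONIZE
                                   FILE_GENERIC_READ
                                   FILE_WRITE_DATA
                                   FILE_APPEND_DATA
"""

if __name__ == "__main__":
    for path, acl in ((CMD_EXE, CMD_EXE_ACL), (UPLOAD_DIR, UPLOAD_DIR_ACL)):
        hits = broad_write_grants(path, acl)
        print(path, "OK" if not hits else "WRITE GRANTED TO: " + ", ".join(a for a, _ in hits))
```

Run `cacls` on each path the script touches and feed the output to `broad_write_grants`. The Temporary ASP.NET Files directories will show up because the script deliberately gives NETWORK SERVICE full control there; everything else it reports is a deviation from the script's intent.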

3. Script mappings
Removing unused script mappings makes your server safer. The following list was collected from West.cn.
The simplest way to change the mappings is to edit the file c:\windows\system32\inetsrv\metabase.xml; open it and see for yourself.
SHTML script mappings

.shtm,c:\windows\system32\inetsrv\ssinc.dll,5,GET,POST
.shtml,c:\windows\system32\inetsrv\ssinc.dll,5,GET,POST
.stm,c:\windows\system32\inetsrv\ssinc.dll,5,GET,POST


ASP script mappings

.asp,c:\windows\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.asa,c:\windows\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE


PHP CGI script mappings

.php,d:\wwwsoft\php\php-cgi.exe,5,GET,HEAD,POST,TRACE
.php3,d:\wwwsoft\php\php-cgi.exe,5,GET,HEAD,POST,TRACE


PHP ISAPI script mappings

.php,d:\wwwsoft\php\php5isapi.dll,5,GET,HEAD,POST,TRACE
.php3,d:\wwwsoft\php\php5isapi.dll,5,GET,HEAD,POST,TRACE


ASP.NET v2.0 script mappings
ASP.NET 2.0 is backward compatible with v1.0, so the 2.0 settings are usually all you need.

.asax,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ascx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ashx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.asmx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.axd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.vsdisco,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.rem,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.soap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.config,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.cs,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.csproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vbproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.webinfo,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.licx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.resx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.resources,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.xoml,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.rules,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.master,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.skin,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.compiled,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.browser,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.mdb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.jsl,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.vjsproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sitemap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.msgx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.ad,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.dd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.cd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.adprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.lddprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sdm,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.sdmdocument,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.svc,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.mdf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.ldf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.java,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.exclude,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
.refresh,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG

I don't understand: why is there a .java mapping above?
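Each line above is one IIS 6 ScriptMaps entry: extension, handler DLL or executable, a flags bitmask (1 = script engine, 4 = verify that the file exists, so 5 = both) and the allowed verbs. Deciding what to remove means comparing the handlers in the mappings with the handlers the site really uses, and trimming verbs such as TRACE and DEBUG that production traffic never needs. Note that ASP.NET registers source and project extensions (.cs, .vb, .jsl, .java, .config and so on) with aspnet_isapi.dll so that its HttpForbiddenHandler refuses the request instead of IIS serving the file as text; those entries are protective, so the audit below keeps every mapping whose handler is in use and only trims its verbs. The Python script is an added example, not from the article or West.cn; the sample mapping lines are taken from the lists above, and KEEP_HANDLERS is a constructed input describing a site that runs only ASP.NET 2.0.

```python
r"""Audit IIS 6 ScriptMaps entries (the "ext,handler,flags,verbs" lines from metabase.xml).

Added example, not from the article or West.cn. The sample mappings are taken
from the article's lists; KEEP_HANDLERS is a constructed input describing a site
that runs only ASP.NET 2.0, so every other handler is reported as removable.
"""
import ntpath

# Bit values of the flags column in an IIS 6 ScriptMaps entry.
FLAG_SCRIPT_ENGINE = 1     # "Script engine": run even without Execute permission
FLAG_CHECK_PATH_INFO = 4   # "Verify that file exists" before calling the handler

# Verbs a production mapping needs; anything else (TRACE, DEBUG) is reported.
SAFE_VERBS = {"GET", "HEAD", "POST"}


def parse_script_map(line):
    """Split one ScriptMaps line; returns None for lines that are not a mapping."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) < 4 or not parts[0].startswith(".") or not parts[2].isdigit():
        return None
    return {
        "ext": parts[0].lower(),
        "handler": parts[1].lower(),
        "flags": int(parts[2]),
        "verbs": {v.upper() for v in parts[3:] if v},
    }


def describe_flags(flags):
    """Human-readable names for the bits set in the flags column."""
    names = []
    if flags & FLAG_SCRIPT_ENGINE:
        names.append("script-engine")
    if flags & FLAG_CHECK_PATH_INFO:
        names.append("check-file-exists")
    return names


def audit_script_maps(lines, keep_handlers, safe_verbs=SAFE_VERBS):
    """Return (ext, message) findings: mappings whose handler this site does
    not use, and mappings that accept verbs beyond safe_verbs."""
    keep = {ntpath.basename(h).lower() for h in keep_handlers}
    findings = []
    for line in lines:
        m = parse_script_map(line)
        if m is None:
            continue
        handler = ntpath.basename(m["handler"])
        if handler not in keep:
            findings.append((m["ext"], f"remove: {handler} is not used by this site"))
            continue
        extra = m["verbs"] - safe_verbs
        if extra:
            findings.append((m["ext"], "restrict verbs: drop " + ",".join(sorted(extra))))
    return findings


# Constructed sample drawn from the article's mapping lists.
SAMPLE_SCRIPTMAPS = r"""
.shtml,c:\windows\system32\inetsrv\ssinc.dll,5,GET,POST
.asp,c:\windows\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.php,d:\wwwsoft\php\php-cgi.exe,5,GET,HEAD,POST,TRACE
.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
.cs,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,GET,HEAD,POST,DEBUG
""".strip().splitlines()

# Assumption: this site serves ASP.NET 2.0 only.
KEEP_HANDLERS = [r"c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll"]

if __name__ == "__main__":
    for ext, msg in audit_script_maps(SAMPLE_SCRIPTMAPS, KEEP_HANDLERS):
        print(f"{ext:8} {msg}")
```

To use it on a real server, paste the ScriptMaps lines from metabase.xml (or from the IIS Manager "Application extension" list) into SAMPLE_SCRIPTMAPS and list the handlers your sites actually need in KEEP_HANDLERS; mappings reported as "remove" are the ones the article recommends deleting, and the verb findings are changes to make on the mappings you keep.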
