Windows web server list
When you are deploying a new web server box, what are the typical things you install on it and do to set it up?
What things do you do to make sure the box is locked down and not going to get compromised?
- Apply security patches, etc.
- Run the Microsoft Baseline Security Analyzer (MBSA)
- Disable weak encryption algorithms - Scott; also see David Christiansen's article and the serversniff.com website
- Harden TCP/IP stack - K. Brian Kelley
- Whitelist traffic with an IPSEC policy
- All NetBIOS is removed or disabled
- Place web server in a workgroup (not allowed to be on a domain)
- Make use of a DMZ
- Add user accounts for everyone that will be administering the computer
- Configure terminal services to allow each user only one concurrent login
- Add alternate administrative accounts that are only used if runas does not suffice for a given user
In addition to the things already mentioned, I disable weak SSL ciphers.
EDIT: I found the step-by-step instructions I wrote a few years ago.
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. Perform steps 4 through 8 for the following keys:
   a. Ciphers\DES 56/56
   b. Ciphers\RC2 40/128
   c. Ciphers\RC4 40/128
   d. Ciphers\RC4 56/128
   e. Protocols\SSL 2.0\Client
   f. Protocols\SSL 2.0\Server
4. On the Edit menu, click Add Value.
5. In the Data Type list, click DWORD.
6. In the Value Name box, type Enabled, and then click OK.
7. Type 00000000 in Binary Editor to set the value of the new key equal to 0.
8. Click OK.
9. When you have finished changing the registry, restart the computer.
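The registry steps above as a script, added here as an example that is not part of the original answer. It uses the .NET registry API because the PowerShell registry provider treats the `/` in key names such as `DES 56/56` as a path separator; it assumes an elevated prompt.

```powershell
# Added example (not from the original answer): sets Enabled = 0 (DWORD)
# under each SCHANNEL subkey named in the steps above.
# Requires an elevated prompt; restart the computer afterwards.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys from the procedure, relative to the SCHANNEL key.
$targets = @(
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Protocols\SSL 2.0\Client',
    'Protocols\SSL 2.0\Server'
)

$schannel = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base, $true)
if ($null -eq $schannel) { throw "Registry key not found: HKLM\$base" }

try {
    $results = foreach ($name in $targets) {
        # CreateSubKey opens the key if it exists and creates it (with any
        # missing parents) if it does not. It splits only on '\', so the '/'
        # in 'DES 56/56' stays part of the key name.
        $key = $schannel.CreateSubKey($name)
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            # Read the value back so the report shows what is actually stored.
            [pscustomobject]@{
                Key     = "HKLM\$base\$name"
                Enabled = $key.GetValue('Enabled')
                Kind    = $key.GetValueKind('Enabled')
            }
        }
        finally { $key.Close() }
    }
}
finally { $schannel.Close() }

$results | Format-Table -AutoSize

# Fail loudly if any value did not end up as DWORD 0.
$bad = $results | Where-Object { $_.Enabled -ne 0 -or $_.Kind -ne 'DWord' }
if ($bad) { throw 'Some values were not written as DWORD 0.' }
Write-Output 'Done. Restart the computer for the change to take effect.'
```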
If possible, start with Windows 2003 SP1 Server and make sure the built-in firewall is turned on unless you have a network firewall to protect it.
Make sure the following ports are open if you do set up the firewall:
- 3389: Remote Desktop (RDP)
- 80: HTTP

Optional:
- 443: HTTPS (optional)
- 25: SMTP
- 110: POP3
- Notepad++ (all-around great editor) - free
- 7-Zip (handles zip, arc, and other compressed files) - free
- Beyond Compare v3 (file comparison and FTP) - $ but not much
- Database monitoring
What we do:
- Put web server in DMZ
- Put web server in a workgroup (not allowed to be on a domain)
- Ensure all security patches are applied
- Minimize services which are running
- Use URLScan. Remove web server fingerprint (RemoveServerHeader = 1).
- Harden TCP/IP stack
- Apply IPSEC policy to only allow the traffic we want (whitelisting)
- Rename default accounts so they can be targeted by regular scripts/tools.
- Relocate default directories (InetPub, WWWRoot, etc.)
- Minimize local user accounts.
- All NetBIOS is removed or disabled.