Windows Server Security Hardening

Windows Server security hardening and related scripts

Four years into the project, one of the problems I run into most often is how to harden server operating systems, and how to fix known security issues safely, quickly and effectively.

The customer is a multinational IT company, so it pays close attention to security in IT infrastructure operations. Many of its standards and policies were borrowed from predecessors in the same industry and then adapted to its own production environment, which produced a methodology suited to the company that is enforced from the top down. With binding rules and the right conditions, this security baseline was rolled out smoothly across the whole group.

Because this standard is broadly applicable and practical, its key content is summarised below so that project managers have a basic understanding of it. Since the project mainly involves the Windows operating system, the description below also uses the key Windows settings as its template.

 

1. Related service configuration

The first part of this security standard covers how to configure and control Windows services that are prone to creating system vulnerabilities, such as NNTP, TFTP, X-windows/REXD, Telnet Services and SNMP. On application and web servers in particular, unnecessary services must be disabled, for example: ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD, NETSTAT, WHO, CMSD, DTSPCD and TTDBSERVER.

Because the settings in this part vary by environment, and the configuration methods and control standards are already clearly defined in the industry, they are not repeated here.

2. System controls

2.1 Logging settings

Audit policy configuration

This policy sets the minimum audit configuration for log audit items; the specific requirements are:

System Value/Parameter          Recommended Setting
Account logon events            Success & Failure
Account management              Success & Failure
Directory service access        Failure
Logon events                    Success & Failure
Object access                   Failure
Policy change                   Success & Failure
Privilege use                   Success & Failure
Process tracking                (not required to be set)
System events                   Failure

The audit configuration required for OSR (Operating System Resource) objects is as follows:

System Value/Parameter: each subdirectory listed as an Operating System Resource in the OSR list below
Recommended Setting: enable auditing on the OSR object with the following specification:
    Name: Everyone
    Apply onto: This folder only
    Access: select "Failed" for each of these accesses:
        · Traverse Folder/Execute File
        · List Folder/Read Data
        · Read Attributes
        · Read Extended Attributes
        · Create Files / Write Data
        · Create Folders / Append Data
        · Write Attributes
        · Write Extended Attributes
        · Delete Subfolders and Files
        · Delete
        · Read Permissions
        · Change Permissions
        · Take Ownership

System Value/Parameter: each file listed as an Operating System Resource in the OSR list below
Recommended Setting: enable auditing on the OSR object with the following specification:
    Name: Everyone
    Apply onto: This object only
    Access: select "Failed" for each of these accesses:
        · Traverse Folder/Execute File
        · List Folder/Read Data
        · Read Attributes
        · Read Extended Attributes
        · Create Files / Write Data
        · Create Folders / Append Data
        · Write Attributes
        · Write Extended Attributes
        · Delete
        · Read Permissions
        · Change Permissions
        · Take Ownership

System Value/Parameter: registry keys listed in the OSR list
Recommended Setting: object-level auditing is not required at this time

Below is the standard OSR list referenced by the security standard. It is written for the Windows 2008 OSR items and applies equally to Windows 2012 and Windows 2012 R2.

%SystemRoot%
%SystemRoot%\security
%SystemRoot%\system
%SystemRoot%\system32
%SystemRoot%\system32\config
%SystemRoot%\system32\drivers
%SystemRoot%\system32\spool
%SystemRoot%\system32\GroupPolicy
%WinDir%\WinSxS\Backup
    Note: On servers where this folder does not exist, no action is required.
%SystemDrive%\boot\BCD
    This setting is only for Windows Server 2008 and does not apply to Windows Server 2008 R2.
%SystemDrive%\bootmgr
    This setting is only for Windows Server 2008 and does not apply to Windows Server 2008 R2.
%SystemRoot%\system32\winload.exe
%SystemDrive%\AUTOEXEC.BAT
    Note: On servers where this file does not exist, no action is required.
%SystemDrive%\CONFIG.SYS
    Note: On servers where this file does not exist, no action is required.
%SystemDrive%
%SystemRoot%\syswow64
    Note: On servers where this folder does not exist, no action is required.
%SystemRoot%\syswow64\drivers
    Note: On servers where this folder does not exist, no action is required.
%SystemRoot%\System32\Winevt\Logs\Security.evtx
    (or the Security log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security subkey, if the log has been moved from the default location)
%SystemRoot%\System32\Winevt\Logs\DNS Server.evtx
    (or the DNS Server log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server subkey, if the log has been moved from the default location)
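The OSR audit table and the OSR list above as one script: an added PowerShell example, not from the original article or the project's own scripts, that puts the "Failed" audit entries for Everyone on each OSR folder and file that exists on the server. It assumes PowerShell 5 or later and an elevated prompt.

```powershell
# Added example, not from the original article: applies the "Failed" audit entries for Everyone
# from the OSR audit table to each OSR folder and file that exists on this server.
# Assumes PowerShell 5 or later and an elevated prompt (writing a SACL needs SeSecurityPrivilege).
using namespace System.Security.AccessControl

$OsrFolders = @('%SystemRoot%', '%SystemRoot%\security', '%SystemRoot%\system',
    '%SystemRoot%\system32', '%SystemRoot%\system32\config', '%SystemRoot%\system32\drivers',
    '%SystemRoot%\system32\spool', '%SystemRoot%\system32\GroupPolicy', '%WinDir%\WinSxS\Backup',
    '%SystemDrive%\', '%SystemRoot%\syswow64', '%SystemRoot%\syswow64\drivers')
$OsrFiles = @('%SystemDrive%\boot\BCD', '%SystemDrive%\bootmgr', '%SystemRoot%\system32\winload.exe',
    '%SystemDrive%\AUTOEXEC.BAT', '%SystemDrive%\CONFIG.SYS',
    '%SystemRoot%\System32\Winevt\Logs\Security.evtx', '%SystemRoot%\System32\Winevt\Logs\DNS Server.evtx')

# The 13 accesses from the folder table by their FileSystemRights names (ExecuteFile = Traverse
# Folder, ReadData = List Folder, WriteData = Create Files, AppendData = Create Folders).
# Files get the same set minus "Delete Subfolders and Files".
$FolderRights = [FileSystemRights]('ExecuteFile,ReadData,ReadAttributes,ReadExtendedAttributes,' +
    'WriteData,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,' +
    'Delete,ReadPermissions,ChangePermissions,TakeOwnership')
$FileRights = [FileSystemRights]([int]$FolderRights -band (-bnot [int][FileSystemRights]::DeleteSubdirectoriesAndFiles))

function Set-OsrFailureAudit {
    param([string]$Path, [FileSystemRights]$Rights)
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    # The table says no action is required where the object does not exist.
    if (-not (Test-Path -LiteralPath $full)) { return }
    # "This folder only" / "This object only": no inheritance and no propagation.
    $rule = [FileSystemAuditRule]::new('Everyone', $Rights,
        [InheritanceFlags]::None, [PropagationFlags]::None, [AuditFlags]::Failure)
    $acl = Get-Acl -Path $full -Audit
    $acl.AddAuditRule($rule)     # merges with existing SACL entries instead of replacing them
    Set-Acl -Path $full -AclObject $acl
    Write-Output "failure audit applied: $full"
}

foreach ($p in $OsrFolders) { Set-OsrFailureAudit -Path $p -Rights $FolderRights }
foreach ($p in $OsrFiles)   { Set-OsrFailureAudit -Path $p -Rights $FileRights }
```

The SACL entries only produce events once "Object access" auditing from the table above is enabled for failures.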

Log size and overwrite settings:

Maximum log size                            81920 KB
When maximum event log size is reached      Overwrite events as needed (oldest events first)

Because the customer on this project has separate log monitoring and backup services, the log size required on servers is relatively small; if the environment has no log backup service, it can be set somewhat larger.
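An added PowerShell example, not from the original article or the project's own scripts, covering both tables in this section: it compares the local audit policy with the category table above and the Security log's size and retention with the values just given, and raises each to the table's minimum when run with -Apply. It assumes an elevated prompt and auditpol's English output strings (a localized Windows prints translated setting names).

```powershell
# Added example, not from the original article: checks the local audit policy and the Security
# log settings against the section 2.1 tables and applies them when run with -Apply.
# Assumes an elevated prompt; auditpol.exe and wevtutil.exe ship with Windows.
param([switch]$Apply)

# Legacy audit category from the table -> auditpol category name and required setting.
$Required = @{
    'Account Logon'      = 'Success and Failure'   # Account logon events
    'Account Management' = 'Success and Failure'
    'DS Access'          = 'Failure'               # Directory service access
    'Logon/Logoff'       = 'Success and Failure'   # Logon events
    'Object Access'      = 'Failure'
    'Policy Change'      = 'Success and Failure'
    'Privilege Use'      = 'Success and Failure'
    'System'             = 'Failure'               # System events (Process Tracking not required)
}

function Test-AuditCategory {
    param([string]$Category, [string]$Wanted)
    # /r emits CSV; a subcategory complies if it audits at least what the table requires.
    foreach ($row in (auditpol /get /category:"$Category" /r | ConvertFrom-Csv)) {
        $have = $row.'Inclusion Setting'
        if ($have -ne 'Success and Failure' -and $have -ne $Wanted) {
            Write-Warning ("{0} / {1}: have '{2}', need '{3}'" -f $Category, $row.Subcategory, $have, $Wanted)
        }
    }
}

foreach ($cat in $Required.Keys) {
    if ($Apply) {
        # Only raise auditing to the table's minimum; never switch an existing setting off.
        $ap = @('/set', "/category:$cat", '/failure:enable')
        if ($Required[$cat] -like 'Success*') { $ap += '/success:enable' }
        & auditpol @ap | Out-Null
    }
    Test-AuditCategory -Category $cat -Wanted $Required[$cat]
}

# Security log: 81920 KB maximum, overwrite the oldest events as needed (retention off).
$maxBytes = 81920 * 1KB
if ($Apply) { wevtutil sl Security /ms:$maxBytes /rt:false }
$cfg = wevtutil gl Security
$size = [int64]($cfg | Select-String '^\s*maxSize:\s*(\d+)').Matches[0].Groups[1].Value
$retention = ($cfg | Select-String '^\s*retention:\s*(\w+)').Matches[0].Groups[1].Value
if ($size -ne $maxBytes -or $retention -ne 'false') {
    Write-Warning "Security log: maxSize=$size, retention=$retention (need $maxBytes, false)"
}
```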

2.2 Identifying and authenticating users

Because a separate access control system (IAM) provides the controls after formal go-live, this security standard only states account permission requirements for the accounts present at initial system configuration.

Guest Account: must be removed or disabled

Creating new userids: password resets are performed where system or support personnel are aware of the password content.

Password never expires:

Normally the "password never expires" option must not be applied to a user account unless the account meets one of the following conditions:

May not be enabled for any userids except on:

  • Replicate

  • Guest

  • IUSR_{system} and IWAM_{system} user accounts created by Internet Information Server (IIS)

  • User accounts that are only associated with a started process(es) and are set to 'Disabled' status, so they cannot be logged onto (example: tmersrvd)

  • User accounts that satisfy all of the following criteria:

  a) The 'Logon locally' user right is disabled

  b) The userid is not a member of the Administrators group

  c) All interactive login methods (FTP, telnet, rexec, SSH, etc.) are disabled for the userid, by either
     3a) denying the user rights 'Access this computer from network' and 'Logon through Terminal Services', or
     3b) another method that disables interactive login methods for the given service or protocol.

The password policy requirements are as follows:

System Value/Parameter                          Recommended Setting
Enforce password history                        4 passwords remembered
Maximum password age                            90 days
Minimum password length                         8 characters
Password must meet complexity requirements      Enabled
Store password using reversible encryption      Disabled
Account lockout threshold                       5
Account lockout duration                        15 minutes: the locked account is unlocked automatically after 15 minutes.
Reset account lockout counter after             15 minutes
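An added PowerShell example, not from the original article or the project's own scripts, that checks this table and the "password never expires" rule above on a server: it exports the effective local security policy with secedit and compares the [System Access] values with the table, then lists local accounts whose password never expires for review against the exception list. It assumes an elevated prompt.

```powershell
# Added example, not from the original article: exports the effective local security policy
# with secedit, compares the [System Access] values with the section 2.2 table, and lists local
# accounts flagged "Password never expires" for review against the exception list above.
# Assumes an elevated prompt; secedit.exe ships with Windows.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# secedit writes a Unicode INI file; keep the [System Access] section as a name/value map.
$current = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $current[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Values from the table, in the units secedit stores (days for ages, minutes for lockout).
$Required = [ordered]@{
    PasswordHistorySize   = 4    # Enforce password history: 4 passwords remembered
    MaximumPasswordAge    = 90   # days
    MinimumPasswordLength = 8    # characters
    PasswordComplexity    = 1    # Password must meet complexity requirements: Enabled
    ClearTextPassword     = 0    # Store password using reversible encryption: Disabled
    LockoutBadCount       = 5    # Account lockout threshold
    LockoutDuration       = 15   # minutes
    ResetLockoutCount     = 15   # minutes (only exported once LockoutBadCount is non-zero)
}

function Test-PasswordPolicy {
    foreach ($name in $Required.Keys) {
        $have = $current[$name]
        if ($null -eq $have -or [int]$have -ne $Required[$name]) {
            "{0}: have '{1}', need {2}" -f $name, $have, $Required[$name]
        }
    }
}

$findings = @(Test-PasswordPolicy)
if ($findings.Count -eq 0) { 'Password policy matches the table.' } else { $findings | Write-Warning }

# Accounts with "Password never expires" set; each must fall under one of the exceptions above.
Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True AND PasswordExpires=False' |
    Select-Object Name, Disabled, Status
```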

2.3 Permissions on protected resources

This security standard designates the key Windows system files and registry keys as protected resources. Access to these files and keys must be controlled to prevent ordinary users from modifying them, deliberately or accidentally, and causing problems such as system crashes.

All of the settings below apply to general users (general users include members of the Everyone, Users and Authenticated Users groups and members of any other group that contains general users).

System Value/Parameter, followed by its Recommended Setting:

The following objects are designated as OSRs. The access listed in the 'Agreed to Setting' column is the maximum authority permitted to general users (e.g. Everyone, Users, Authenticated Users, or other groups containing general users).

%SystemRoot%
    Read & Execute, List Folder Contents, Read

%SystemRoot%\security
    Read & Execute, List Folder Contents, Read

%SystemRoot%\system
    Read & Execute, List Folder Contents, Read

%SystemRoot%\system32
    Read & Execute, List Folder Contents, Read

%SystemRoot%\system32\config
    No general user authorizations permitted

%SystemRoot%\system32\drivers
    Read & Execute, List Folder Contents, Read

%SystemRoot%\system32\spool
    Read & Execute, List Folder Contents, Read

%SystemRoot%\system32\GroupPolicy
    Read & Execute, List Folder Contents, Read

%WinDir%\WinSxS\Backup
    Read & Execute, List Folder Contents, Read
    Note: On servers where this folder does not exist, no action is required.

%SystemDrive%\boot\BCD
    Read & Execute, Read
    This setting is only for Windows Server 2008 and does not apply to Windows Server 2008 R2.

%SystemDrive%\bootmgr
    Read & Execute, Read
    This setting is only for Windows Server 2008 and does not apply to Windows Server 2008 R2.

%SystemRoot%\system32\winload.exe
    Read & Execute, Read

%SystemDrive%\AUTOEXEC.BAT
    Read & Execute, Read
    Note: On servers where this file does not exist, no action is required.

%SystemDrive%\CONFIG.SYS
    Read & Execute, Read
    Note: On servers where this file does not exist, no action is required.

%SystemDrive%
    Read & Execute, List Folder Contents, Read

%SystemRoot%\syswow64
    Read & Execute, List Folder Contents, Read
    Note: On servers where this folder does not exist, no action is required.

%SystemRoot%\syswow64\drivers
    Read & Execute, List Folder Contents, Read
    Note: On servers where this folder does not exist, no action is required.

%SystemRoot%\System32\Winevt\Logs\Security.evtx
    (or the Security log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security subkey, if the log has been moved from the default location)
    No general user authorizations permitted

%SystemRoot%\System32\Winevt\Logs\DNS Server.evtx
    (or the DNS Server log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server subkey, if the log has been moved from the default location)
    No general user authorizations permitted
    Note: On servers where this log file does not exist, no action is required.

HKEY_CLASSES_ROOT
    Maximum authorization allowed for general userids or general user groups is Read

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
    General users may not be granted access to this subkey

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    Name: RestrictGuestAccess
    Type: REG_DWORD
    Value: 1

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
    Name: RestrictGuestAccess
    Type: REG_DWORD
    Value: 1

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
    Name: RestrictGuestAccess
    Type: REG_DWORD
    Value: 1

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
    Name: RestrictGuestAccess
    Type: REG_DWORD
    Value: 1
    Note: On servers where the DNS Server subkey does not exist, no action is required.

Task Scheduler Service
    Each active entry must specify the full path of the file/command/script to be executed.

Task Scheduler Service
    For each active entry's file/command/script executed, and all directories in its path, the maximum authority permitted to general users (unless otherwise specified in the OSR section of this tech spec) is:

    Files/commands/scripts:
    - Read & Execute
    - Read

    Directories:
    - Read & Execute
    - List Folder Contents
    - Read
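An added PowerShell example, not from the original article or the project's own scripts, for the file-system and Task Scheduler rows of this table: it reports allow entries that give Everyone, Users or Authenticated Users (matched by SID, so it works on localized systems) more than the permitted rights on each OSR that exists, and runs the same check on every enabled scheduled task's command and the directories on its path after verifying the command is a full path. It assumes an elevated prompt and Windows Server 2012 or later for Get-ScheduledTask.

```powershell
# Added example, not from the original article: reports allow ACEs on the file-system OSRs that
# give general-user groups more than the table permits, then applies the same check to every
# enabled scheduled task's command and the directories on its path (section 2.3).
$GeneralUserSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')   # Everyone, Users, Authenticated Users
# "Read & Execute, List Folder Contents, Read" together are the ReadAndExecute mask (0x1200A9).
$ReadExecMask = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ReadExecOsr = @('%SystemRoot%', '%SystemRoot%\security', '%SystemRoot%\system', '%SystemRoot%\system32',
    '%SystemRoot%\system32\drivers', '%SystemRoot%\system32\spool', '%SystemRoot%\system32\GroupPolicy',
    '%WinDir%\WinSxS\Backup', '%SystemDrive%\boot\BCD', '%SystemDrive%\bootmgr',
    '%SystemRoot%\system32\winload.exe', '%SystemDrive%\AUTOEXEC.BAT', '%SystemDrive%\CONFIG.SYS',
    '%SystemDrive%\', '%SystemRoot%\syswow64', '%SystemRoot%\syswow64\drivers')
$NoAccessOsr = @('%SystemRoot%\system32\config', '%SystemRoot%\System32\Winevt\Logs\Security.evtx',
    '%SystemRoot%\System32\Winevt\Logs\DNS Server.evtx')

function Get-ExcessiveAce {
    param([string[]]$Paths, [int]$MaxMask)
    foreach ($p in $Paths) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $full)) { continue }   # absent object: no action required
        foreach ($ace in (Get-Acl -LiteralPath $full).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($GeneralUserSids -notcontains $sid) { continue }
            # Any allowed right outside the permitted mask is a finding.
            if ((([int]$ace.FileSystemRights) -band (-bnot $MaxMask)) -ne 0) {
                '{0}: {1} allowed {2}' -f $full, $ace.IdentityReference, $ace.FileSystemRights
            }
        }
    }
}

$findings = @(Get-ExcessiveAce -Paths $ReadExecOsr -MaxMask $ReadExecMask)
$findings += @(Get-ExcessiveAce -Paths $NoAccessOsr -MaxMask 0)

# Task Scheduler rows: each enabled task must name its command by full path, and the command
# plus every directory above it may grant general users at most Read & Execute.
foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }                  # COM-handler actions have no command
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (-not [System.IO.Path]::IsPathRooted($exe)) {
            $findings += "{0}{1}: '{2}' is not a full path" -f $task.TaskPath, $task.TaskName, $action.Execute
            continue
        }
        $chain = @($exe)
        for ($d = Split-Path -Path $exe -Parent; $d; $d = Split-Path -Path $d -Parent) { $chain += $d }
        $findings += @(Get-ExcessiveAce -Paths $chain -MaxMask $ReadExecMask)
    }
}
$findings
```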
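An added PowerShell example, not from the original article or the project's own scripts, for the registry rows of this table: it checks general-user access (matched by SID) on HKEY_CLASSES_ROOT and on the Security event log subkey, and verifies RestrictGuestAccess on each event log subkey that exists, setting it when run with -Apply. It assumes an elevated prompt.

```powershell
# Added example, not from the original article: checks the registry rows of the OSR table.
# General users may hold at most Read on HKEY_CLASSES_ROOT and nothing on the Security event log
# subkey, and RestrictGuestAccess must be 1 on each event log subkey that exists; run with
# -Apply to set missing RestrictGuestAccess values. Assumes an elevated prompt.
param([switch]$Apply)
$GeneralUserSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')   # Everyone, Users, Authenticated Users

function Get-ExcessiveRegAce {
    param([string]$Key, [int]$MaxMask)
    foreach ($ace in (Get-Acl -Path $Key).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($GeneralUserSids -notcontains $sid) { continue }
        if ((([int]$ace.RegistryRights) -band (-bnot $MaxMask)) -ne 0) {
            '{0}: {1} allowed {2}' -f $Key, $ace.IdentityReference, $ace.RegistryRights
        }
    }
}

# "Read" on a key is the ReadKey mask (0x20019); the Security subkey allows general users nothing.
$readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$eventLog = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$findings  = @(Get-ExcessiveRegAce -Key 'Registry::HKEY_CLASSES_ROOT' -MaxMask $readKey)
$findings += @(Get-ExcessiveRegAce -Key "$eventLog\Security" -MaxMask 0)

# RestrictGuestAccess (REG_DWORD) = 1 on Application, Security, System and DNS Server.
foreach ($log in 'Application', 'Security', 'System', 'DNS Server') {
    $key = "$eventLog\$log"
    if (-not (Test-Path -LiteralPath $key)) { continue }       # e.g. DNS Server role not installed
    $v = (Get-ItemProperty -LiteralPath $key -Name RestrictGuestAccess -ErrorAction SilentlyContinue).RestrictGuestAccess
    if ($v -eq 1) { continue }
    if ($Apply) {
        Set-ItemProperty -LiteralPath $key -Name RestrictGuestAccess -Value 1 -Type DWord
        $findings += "${key}: RestrictGuestAccess set to 1 (was '$v')"
    } else {
        $findings += "${key}: RestrictGuestAccess = '$v' (need 1)"
    }
}
$findings
```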

2.4 Other items

Other items, such as disabling autorun on drives, not displaying the name of the last logged-on user, displaying a warning message at logon, and some encryption and authentication settings, are omitted here.

3. Tools used:


Novots Technologies Limited (北京护航科技有限公司), 2006