点击登录
  • 欢迎访问无限星辰技术博客,推荐使用最新版火狐浏览器和Chrome浏览器访问本网站 QQ群
  • 如果您觉得本站非常有看点,那么赶紧使用Ctrl+D 收藏无限星辰吧
  • 无限星辰的淘宝店铺已经开张了哦,传送门:http://

win2003WEB服务器NTFS权限设置

经验感想 crx349 1406次浏览 0个评论 扫描二维码

Windows2003+IIS6.0的加固分为两部分,一部分是NTFS用户权限的配置,一部分是IIS6.0的配置。总得来说,前者比较难配置,参考了别人的一些配置和自己的一些实践,找到一个本人觉得还相对满意的做法,由于个人水平有限,希望高手指出我不足的地方,谢谢。由于最近忙着别的事,等忙完之后再把IIS配置的部分还有自己要整理的一些资料奉上~~到时候大家可以到论坛www.n0ws.com上去查看,不过本博客也是提供相关资料的下载的。

下面是我的做法:

首先,配置系统盘下(如:c盘)的权限(已经将IIS的默认文件夹删除)

1.系统盘:选中系统盘,属性,安全选项卡,删掉除了administrators和system组的其他组或者用户。

2.Program Files :右键文件夹->选择属性->选择“安全”选项卡->点击“高级”选项->选中“允许父项…”和“用在此显示…”->点击“复制”->点击确定,退出高级安全设置->把安全选项卡中除了administrators和system组之外的组或者用户删除

高级安全设置效果如下:

win2003WEB服务器NTFS权限设置
 

3.Program Files/Common File/users : 进入到program files下的common file文件夹下面,找到system添加users,默认的权限即可。所谓默认权限就是你添加这个用户系统自动授予这个用户对于操作文件夹或者文件的权限。(可能有人要问为什么要给这个文件夹设置users的权限?答:这个部分里面有一些dll文件是asp中createobject的时候需要的)

4.Documents and Settings:进入系统盘,选中Documents and Settings文件夹右键,删除掉除了administrator、system、power users组之外的其他用户或者组。进入到Documents and Settings文件夹里面,administrator这个文件夹的权限无需设置。ALL users文件夹,进入到高级选项选择“用在此显示的可以应用到子对象的目录替代所有子对象的权限项目”,确定,到安全选项卡下面删掉除了 administrator和system之外的其他用户组和用户,点击确定。Default users文件夹,进入到高级选项选择“用在此显示的可以应用到子对象的目录替代所有子对象的权限项目”,确定,到安全选项卡下面删掉除了 administrator、system、power users之外的其他用户组和用户,点击确定。

5.Windows : 右键文件夹->选择属性->选择“安全”选项卡->删除掉除了administrator和system之外的用户->点击确定。

6.Windows/temp : 右键文件夹->选择属性->选择“安全”选项卡->添加users组->设置users组只具有读取、写入的权限。

7.其他根目录下的文件夹:右键文件夹->选择属性->选择“安全”选项卡->点击“高级”选项->选中“允许父项…”和“用在此显示…”->点击“复制”->点击确定,退出高级安全设置->把“安全”选项卡中除了administrators和system组之外的组或者用户删除

8.批处理:接下来的是一些特殊文件夹、文件的权限,一些服务的修改,危险组件的删除。

批处理的部分最后附上下面的保存为*.bat或者直接从我提供的下载的地方下载即可。

@echo off

ECHO.

ECHO.

ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ECHo.

ECHo “windows2003NTFS加固脚本”

ECHo.

ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ECHO.

ECHO.

ECHO. ————————————————————————-

ECHo 请按提示操作备份好注册表,否则修改后无法还原,本人不负责.

ECHO.

ECHO YES=next set NO=exit (this time 30 Second default for n)

ECHO. ————————————————————————-

CHOICE /T 30 /C yn /D n

if errorlevel 2 goto end

if errorlevel 1 goto next

:next

if EXIST backup (echo.)else md backup

if EXIST temp (rmdir /s/q temp|md temp) else md temp

if EXIST backupbackupkey.reg (move backupbackupkey.reg backupbackupkey_old.reg ) else goto run

:run

regedit /e tempbackup-reg1.key1 “HKEY_LOCAL_MACHINESYSTEMCurrentControlSet”

regedit /e tempbackup-reg2.key2 “HKEY_CLASSES_ROOT”

copy /b /y /v tempbackup-reg1.key1+tempbackup-reg2.key2 backupbackupkey.reg

if exist backupwshom.ocx (echo 备份已存在) else copy /v/y %SystemRoot%System32wshom.ocx backupwshom.ocx

if exist backupshell32.dll (echo 备份已存在) else copy /v/y %SystemRoot%system32shell32.dll backupshell32.dll

ECHO 备份已经完成

ECHO.

goto next2

:next2

ECHO.

ECHO. ——————————————————————-

ECHo 修改权限system32目录中不安全的几个exe文件,改为只有Administrators才有权限运行

ECHO YES=next set NO=this set ignore (this time 30 Second default for y)

ECHO. ——————————————————————-

CHOICE /T 30 /C yn /D y

if errorlevel 2 goto next3

if errorlevel 1 goto next21

:next21

echo y|cacls.exe %SystemRoot%system32net.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32net1.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32cmd.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32tftp.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32netstat.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32regedit.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32at.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32attrib.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32cacls.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32fortmat.com /g Administrators:F

echo y|cacls.exe %SystemDrive%boot.ini /g Administrators:F

echo y|cacls.exe %SystemDrive%AUTOEXEC.BAT /g Administrators:F

echo y|cacls.exe %SystemRoot%/system32ftp.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32secedit.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32gpresult.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32gpupdate.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32logoff.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32shutdown.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32telnet.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32wscript.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32doskey.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32help.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32ipconfig.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32nbtstat.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32print.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32debug.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32regedt32.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32reg.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32register.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32replace.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32nwscript.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32share.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32ping.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32ipsec6.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32netsh.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32edit.com /g Administrators:F

echo y|cacls.exe %SystemRoot%system32route.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32tracert.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32powercfg.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32nslookup.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32arp.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32rsh.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32netdde.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32mshta.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32mountvol.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32setx.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32find.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32where.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32finger.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32regsvr32.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32sc.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32shadow.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32runas.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%PCHealthHelpCtrBinariesmsconfig.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%notepad.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%regedit.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%winhelp.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%winhlp32.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32edlin.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32posix.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32atsvc.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32qbasic.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32runonce.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32syskey.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32cscript.exe /g Administrators:F

echo y|cacls.exe %SystemRoot%system32sethc.exe /g Administrators:F

echo “C盘权限设定”

cacls “%SystemRoot%/Registration” /r “everyone” /e

echo “删除C盘的windows目录下的create owner的权限”

cd/

cacls “%SystemRoot%/repair” /r “create owner” /e

cacls “%SystemRoot%/system32” /r “create owner” /e

cacls “%SystemDrive%/system32/config” /r “create owner” /e

cacls “%SystemRoot%/system32/wbem” /r “create owner” /e

echo “删除WINDOWS文件夹下面的power users的权限”

cacls “%SystemRoot%/repair” /r “Power Users” /e

cacls “%SystemRoot%/system32” /r “Power Users” /e

cacls “%SystemDrive%/system32/config” /r “Power Users” /e

cacls “%SystemRoot%/system32/wbem” /r “Power Users” /e

echo “删除WINDOWS下users的访问权限”

cacls “%SystemRoot%/addins” /r “users” /e

cacls “%SystemRoot%/AppPatch” /r “users” /e

cacls “%SystemRoot%/Connection Wizard” /r “users” /e

cacls “%SystemRoot%/Debug” /r “users” /e

cacls “%SystemRoot%/Driver Cache” /r “users” /e

cacls “%SystemRoot%/Help” /r “users” /e

cacls “%SystemRoot%/IIS Temporary Compressed Files” /r “users” /e

cacls “%SystemRoot%/java” /r “users” /e

cacls “%SystemRoot%/msagent” /r “users” /e

cacls “%SystemRoot%/mui” /r “users” /e

cacls “%SystemRoot%/repair” /r “users” /e

cacls “%SystemRoot%/Resources” /r “users” /e

cacls “%SystemRoot%/security” /r “users” /e

cacls “%SystemRoot%/system” /r “users” /e

cacls “%SystemRoot%/TAPI” /r “users” /e

cacls “%SystemRoot%/Temp” /r “users” /e

cacls “%SystemRoot%/twain_32” /r “users” /e

cacls “%SystemRoot%/Web” /r “users” /e

cacls “%SystemRoot%/system32/3com_dmi” /r “users” /e

cacls “%SystemRoot%/system32/administration” /r “users” /e

cacls “%SystemRoot%/system32/Cache” /r “users” /e

cacls “%SystemRoot%/system32/CatRoot2” /r “users” /e

cacls “%SystemRoot%/system32/Com” /r “users” /e

cacls “%SystemRoot%/system32/config” /r “users” /e

cacls “%SystemRoot%/system32/dhcp” /r “users” /e

cacls “%SystemRoot%/system32/drivers” /r “users” /e

cacls “%SystemRoot%/system32/export” /r “users” /e

cacls “%SystemRoot%/system32/icsxml” /r “users” /e

cacls “%SystemRoot%/system32/lls” /r “users” /e

cacls “%SystemRoot%/system32/LogFiles” /r “users” /e

cacls “%SystemRoot%/system32/MicrosoftPassport” /r “users” /e

cacls “%SystemRoot%/system32/mui” /r “users” /e

cacls “%SystemRoot%/system32/oobe” /r “users” /e

cacls “%SystemRoot%/system32/ShellExt” /r “users” /e

cacls “%SystemRoot%/system32/wbem” /r “users” /e

goto next3

:next3

ECHO.

ECHO.

ECHO. ————————————————————————

ECHo 禁止不必要的服务,如果要退出请按Ctrl+C

ECHO YES=next set NO=this set ignore (this time 30 Second default for y)

ECHO. ————————————————————————

CHOICE /T 30 /C yn /D y

if errorlevel 2 goto next4

if errorlevel 1 goto next31

:next31

echo Windows Registry Editor Version 5.00 >tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanworkstation] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesAlerter] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesBrowser] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDfs] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesScheduler] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLmHosts] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTlntSvr] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteAccess] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNtmsSvc] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteRegistry] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTrkWks] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesERSvc] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMessenger] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetLogon] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetLogon] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetDDE] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetDDEdsdm] >>tempServices.reg

echo “Start”=dword:00000004 >>tempServices.reg

regedit /s tempServices.reg

ECHO.

goto next4

:next4

ECHO.

ECHO. ————————————————————————-

ECHo 防止人侵和攻击. 如果要退出请按Ctrl+C

ECHO YES=next set NO=this set ignore (this time 30 Second default for y)

ECHO. ————————————————————————-

CHOICE /T 30 /C yn /D y

if errorlevel 2 goto next5

if errorlevel 1 goto next41

:next41

echo Windows Registry Editor Version 5.00 >tempskyddos.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters] >>tempskyddos.reg

echo “EnableDeadGWDetect”=dword:00000000 >>tempskyddos.reg

echo “EnableICMPRedirects”=dword:00000000 >>tempskyddos.reg

echo “PerformRouterDiscovery”=dword:00000000 >>tempskyddos.reg

echo “NoNameReleaseOnDemand”=dword:00000001 >>tempskyddos.reg

echo “KeepAliveTime”=dword:000493e0 >>tempskyddos.reg

echo “EnablePMTUDiscovery”=dword:00000000 >>tempskyddos.reg

echo “SynAttackProtect”=dword:00000002 >>tempskyddos.reg

echo “TcpMaxHalfOpen”=dword:00000064 >>tempskyddos.reg

echo “TcpMaxHalfOpenRetried”=dword:00000050 >>tempskyddos.reg

echo “TcpMaxConnectResponseRetransmissions”=dword:00000001 >>tempskyddos.reg

echo “TcpMaxDataRetransmissions”=dword:00000003 >>tempskyddos.reg

echo “TCPMaxPortsExhausted”=dword:00000005 >>tempskyddos.reg

echo “DisableIPSourceRouting”=dword:0000002 >>tempskyddos.reg

echo “TcpTimedWaitDelay”=dword:0000001e >>tempskyddos.reg

echo “EnableSecurityFilters”=dword:00000001 >>tempskyddos.reg

echo “TcpNumConnections”=dword:000007d0 >>tempskyddos.reg

echo “TcpMaxSendFree”=dword:000007d0 >>tempskyddos.reg

echo “IGMPLevel”=dword:00000000 >>tempskyddos.reg

echo “DefaultTTL”=dword:00000016 >>tempskyddos.reg

echo 删除IPC$(Internet Process Connection)是共享“命名管道”的资源

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa] >>tempskyddos.reg

echo “restrictanonymous”=dword:00000001 >>tempskyddos.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfacesinterfaces] >>tempskyddos.reg

echo “PerformRouterDiscovery”=dword:00000000 >>tempskyddos.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBTParameters] >>tempskyddos.reg

echo “BacklogIncrement”=dword:00000003 >>tempskyddos.reg

echo “MaxConnBackLog”=dword:000003e8 >>tempskyddos.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesAfdParameters] >>tempskyddos.reg

echo “EnableDynamicBacklog”=dword:00000001 >>tempskyddos.reg

echo “MinimumDynamicBacklog”=dword:00000014 >>tempskyddos.reg

echo “MaximumDynamicBacklog”=dword:00002e20 >>tempskyddos.reg

echo “DynamicBacklogGrowthDelta”=dword:0000000a >>tempskyddos.reg

echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters] >>tempskyddos.reg

echo “autoshareserver”=dword:00000000 >>tempskyddos.reg

regedit /s tempskyddos.reg

ECHO.

ECHO.

goto next5

:next5

ECHO.

ECHO. ————————————————————————

ECHo 防止ASP木马运行 卸除Wscript.Shell, Shell.application, Wscript.Network

ECHO YES=next set NO=this set ignore (this time 30 Second default for y)

ECHO. ———————————————————————–

CHOICE /T 30 /C yn /D y

if errorlevel 2 goto next6

if errorlevel 1 goto next51

:next51

echo Windows Registry Editor Version 5.00 >tempdel.reg

echo [-HKEY_CLASSES_ROOTShell.Application] >>tempdel.reg

echo [-HKEY_CLASSES_ROOTShell.Application.1] >>tempdel.reg

echo [-HKEY_CLASSES_ROOTCLSID{13709620-C279-11CE-A49E-444553540000}] >>tempdel.reg

echo [-HKEY_CLASSES_ROOTADODB.CommandCLSID] >>tempdel.reg

echo [-HKEY_CLASSES_ROOTCLSID{00000566-0000-0010-8000-00AA006D2EA4}] >>tempdel.reg

regedit /s tempdel.reg

regsvr32 /u %SystemRoot%system32wshom.ocx

del /f/q %SystemRoot%System32wshom.ocx

regsvr32 /u %SystemRoot%system32shell32.dll

del /f/q %SystemRoot%System32shell32.dll

rmdir /q/s temp

ECHO.

goto next6

:next6

ECHO.

ECHO.

ECHO. ———————————————————————

ECHo 设置已经完成重启后才能生效.

ECHO YES=reboot server NO=exit (this time 60 Second default for y)

ECHO. ———————————————————————-

CHOICE /T 30 /C yn /D y

if errorlevel 2 goto end

if errorlevel 1 goto reboot

:reboot

shutdown /r /t 0

:end

if EXIST temp (rmdir /s/q temp|exit) else exit


无限星辰 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明win2003WEB服务器NTFS权限设置
喜欢 (0)
[]
分享 (0)

您必须 登录 才能发表评论!