加固NT和IIS的安全(2)

二、配置NT

　　1．设置权限

　　使用用户管理器在所有分区上的根目录上设置如下：

* Administrators:：FULL CONTROL
* System:：FULL CONTROL

　　2．设置屏幕保护

在控制面板中选择显示
选择屏幕保护程序
选中密码保护，点击确定

　　3．设置服务

　　禁止如下的服务：

Alerter (disable)
ClipBook Server (disable)
Computer Browser (disable)
DHCP Client (disable)
Directory Replicator (disable)
FTP publishing service (disable)
License Logging Service (disable)
Messenger (disable)
NetLOGOn (disable)
Network DDE (disable)
Network DDE DSDM (disable)
Network Monitor (disable)
Plug and Play (disable after all hardware configuration)
Remote Access Server (disable)
Remote Procedure Call (RPC) locater (disable)
Schedule (disable)
Server (disable)
Simple Services (disable)
Spooler (disable)
TCP/IP Netbios Helper (disable)
Telephone Service (disable)

　　在必要时禁止如下服务：

SNMP service (optional)
SNMP trap (optional)
UPS (optional

　　设置如下服务为自动启动：

Eventlog ( required )
NT LM Security Provider (required)
RPC service (required)
WWW (required)
Workstation (leave service on: will be disabled later in the document)
MSDTC (required)
Protected Storage (required)

　　4．如果安装了SNMP,改变community的值

　　5．删除IIS例子程序的所在目录

IIS d:\inetpub\iissamples
Admin Scripts d:\inetpub\scripts
Admin Samples %systemroot%\system32\inetsrv\adminsamples
IISADMPWD %systemroot%\system32\inetsrv\iisadmpwd
IISADMIN %systemroot%\system32\inetsrv\iisadmin
Data access c:\Program Files\Common Files\System\msadc\Samples