On a single server Helm.. We do the following to make the server ready to go hosting :
Software Installations (All latest versions):
- Active Perl 5.8.x
- PHP CGI 4.4.x, Zend Optimizer 3.1 for Windows, with GD2, Curl, MHash, MCrypt, MSSQL, ionCube support.
- PHP CGI 5.1.x
- Soap Toolkit 3.0
- MS XML 4 SP2
- MS XML 6
- Winzip 10.0/Winrar 3.x
- MySQL Database Server 4.1.x/Latest (Uses Old Password Encryption), ODBC Drivers (ODBC 3.51.12, ODBC 2.50.39, ODBC.NET, MySQL Connector.Net 1.0.7), phpMyAdmin
- MySQL Database Server 5.0.x/Latest if requested ( Optional )
- MySQL Front 2.5 ( GUI Tool to Manage MySQL )
- AwStats 6.5
- Active Ports
- MBSA 2.0
- EditPad Lite Text Editor
- IIS Password/URL Protector
- Python 2.4.x
- Helm 3.2.10 ( with Helm Addons requested )
- ASP.Net 1.1 and ASP.Net 2.0
- SmarterMail 3.x (or any other mail server preferred. License should be provided or we can provide on competitive prices)
and its Webmail setup on IIS.
- SmarterStats 3.x ( or any other stats server you preferred. License should be provided or we can provide on competitive prices)
- SmarterStats Password Changed for Helm.
- Windows Defender Beta 2
- Antivirus ( Optional, If requested and installer is provided )
- MSSQL 2000 or 2005 with latest service pack if requested with Web Based manager like ASP.Net Enterprise Manager ( Optional, If requested and installer is provided )
- SQL 2000 and 2005 Native Clients
- FTP Server ( MS FTP as Default or Gene6 FTP or Serv-U FTP whatever requested )
- MS DNS or Simple DNS
- Front Page Extentions
- Some Commonly used Components like ( CDONTS, ASPSimpleUpload, ASPSmartUpload, ASPSmartMail, JMail ) – All free ones/evaluation versions.
Server Security, Optiomisation and Tweaking :
1) Will assign restrictive permissions possible at root of drive and other application folder and system folders.
Drive Root Permissions
Helm Domains Folder Permissions
Microsoft IIS Folder Permissions
Microsoft FTP Folder Permissions
CDONTS/CDOSYS Folder Permissions
PHP Folder Permissions
Perl Folder Permissions
Python Folder Permissions etc.
2) Will disable Null sessions to prevent unauthorized access to user list on machine, which can then be used with a password cracker to gain illegal access to machine.
3) Will install URL Scan to prevent malicious requests from getting to IIS and causing a buffer overflow.
( URL Scan – Security Tool for IIS - http://www.microsoft.com/technet/security/...ls/urlscan.mspx )
4) Configuration of ASP.Net 1.1 and ASP.Net 2.0 and enabled ASP.NET impersonation, Running them in Medium Trust so that clients can’t access other customers directories and can’t run unmanaged code.
- ASP.NET Folder Permissions
- ASP.NET Impersonation Settings
- ASP.NET 2 Applications Isolation
ASP.Net 1.1 - http://msdn.microsoft.com/library/de...l/thcmch09.asp
ASP.Net 2.0 - http://msdn.microsoft.com/library/de...AGHT000020.asp
Will enable ODBC, OLDEB, Sockets Permissions and MySQL support for ASP.Net 2 running in Medium Trust.
5) Hardening of the TCP/IP stack against Denial of Service Attacks.
Microsoft KB Article : http://support.microsoft.com/default...b;en-us;324270
6) IIS Modifications/Permissions/Various Log File Generation, Disable Rapid Fail Protection, Full W3SVC Log Generation for AWStats and other Stats Program.
7) Mail Server Security/Mail Relaying settings to protect SPAM, Abuse Detections setup. Microsoft IIS SMTP Security and Relay Settings and Log Generations.
Installing MBSA 2.0 to check other security related issues and Vulnerability.
9) Disabling some Unwanted Services like :
- Distributed File System
- Distributed Link Tracking Client
- Distributed Link Tracking Server
- Error Reporting Service
- Fax Service
- Indexing Service
- Netmeeting Remote Desktop Sharing
- Print Spooler
- Telnet
10) Disabling some unused accounts. Disabling the Guest, Support_xxx, and ASPNET accounts. Some of these are disabled by default, and the ASPNET account is only used if IIS 6.0 is run in IIS 5.0 isolation mode (which we don’t). IIS 6.0 now uses “Network Services” account instead of ASPNET.
11) Restricted the system tools that are commonly used by attackers to assist with both the initial compromise and expansion beyond the server. tftp(.exe), ftp(.exe), cmd.exe, bash, net.exe, remote.exe, and telnet(.exe).
12) Disabling Windows Shell Execution.
13) Configuring Windows 2003 Internet Connection Firewall.
14) Installing Microsoft Windows Defender (Antispy Program).
15) Installing Antivirus provided.
16) MS DNS Server Security - Disabling Recursion and Forwarders.
If using SimpleDNS - Enabling Recursion to local IPs and Subnets only and other Security settings etc.
17) NTFS Hacks and Tuning like Turning off NTFS 8.3 Name Generations etc.
18) MySQL Server Security. Disabling Anonymous Accounts, etc.
19) Local Audit Policies Setups like :-
- Account Logon Events
- Account Management
- Directory Service Access
- Logon Events
- Object Access
- Policy change
- Privledge Use
- Process Tracking
- System Events
20) User Rights Assignments like :-
- Audit the access of global system objects
- Interactive Logon to not to display last user name
- Changing all Event Logs properties to maximum Log Size of 16MB; Overwrite old Events as needed
21) NIC Settings/ LAN Connection Settings :
- Disabling Client for MS Networks
- Disabling LMHOSTS lookup
- LAN-Connection shows ICON in Tray when connected (easier access)
22) Installing all Security Patches and Pending Service Packs.
23) Enabling HTTP Compression ( GZip/Deflat ) for IIS 6.0
And many more based on my experience.
For all this we charge $175.. We accept paypal and all major credit card payments. If someone interested then let us know and for any further queries then can PM or Email catch me on MSN too ( Rubal @ Rubal [dot] Net )
Kind Regards