Cloud Server Security Setup Considerations Checklist

05-01-2024 03:14:30

Internet hacking incidents are frequent, and because many customers lack adequate security awareness, server compromises are quite common. A compromise can lead to website virus and Trojan horse infections, data deletion, outbound attacks launched from the server, and extensive resource consumption. To enhance the security of the server you are using, it's crucial to harden the system and heighten your security awareness.

The principle of server security: Minimum permissions + Least services = Maximum security

System Security

  • Set a complex remote server password. It's recommended to use more than eight characters, including a mix of uppercase, lowercase, numbers, and special characters. Avoid weak passwords like '123456' or 'abcdefg'. It's advisable to change the password periodically.
  • Change the default ports of the operating system's remote management services, such as 3389 (RDP) and 22 (SSH), to non-default ports to reduce the risk of hacking.
  • Enable the system firewall and only open necessary ports, such as remote and website ports. Be cautious with firewall settings to avoid losing remote management capabilities.
  • For Windows systems, enable the automatic update feature and regularly patch the system, which is very important. For Linux systems, regularly execute system update commands to keep the system up-to-date.
  • On Windows systems, restrict partition permissions exclusively to the Administrators and SYSTEM groups. Remove all other permissions, especially the read and execute rights of the Everyone and Users groups.
  • Avoid using Internet Explorer on the server to access unknown websites, and refrain from browsing client websites on the server.
  • Do not open web pages, images, or other data from client websites on the server, especially executable files.
  • Avoid installing unnecessary software like WhatsApp, Telegram, or cloud storage services, and do not register unknown components.
  • For Windows systems, it's recommended to use the built-in antivirus software, as third-party antivirus software might have its own security issues.
  • On Windows systems, disable WScript.Shell to prevent ASP from executing exe files. Run the following commands to disable it:
    REM Run from an elevated Command Prompt.
    REM Give the Administrators group ownership of each file (/a).
    takeown /f C:\Windows\System32\wshom.ocx /a
    takeown /f C:\Windows\System32\shell32.dll /a
    takeown /f C:\Windows\SysWOW64\wshom.ocx /a
    takeown /f C:\Windows\SysWOW64\shell32.dll /a
    REM Revoke the Users group's access (/R) by editing the existing ACL (/e).
    cacls C:\Windows\System32\wshom.ocx /R users /e
    cacls C:\Windows\SysWOW64\wshom.ocx /R users /e
    cacls C:\Windows\System32\shell32.dll /R users /e
    cacls C:\Windows\SysWOW64\shell32.dll /R users /e

Application Security

  • For servers running multiple websites, it is highly recommended to install a Virtual Host Management System, which typically offers security configuration tools.
  • MySQL should be operated by a standard user. Root should have a complex password and remote connection should be prohibited. Avoid using root as the username in programs.
  • SQL Server should be operated by a standard user. The 'sa' account should have a complex password and its use as a username in programs should be avoided. It is preferable to rename 'sa'.
  • No application service should run under an administrator account or 'system', so that a vulnerability in the application service does not lead to a system intrusion.
  • If using PHP, disable dangerous functions in the php.ini file with the setting: disable_functions = passthru, exec, system, shell_exec, proc_open, popen
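
The disable_functions setting above only helps if it is the line PHP actually reads. The following is an added example, not part of the original checklist: a Python check that finds the effective disable_functions value in the text of one php.ini file and lists which of the functions named above are still enabled. The names REQUIRED, SAMPLE_INI, effective_disable_functions and missing_functions are this example's own, the sample file content is constructed, and names are compared exactly as written.

```python
import re

# Functions the checklist says to disable in php.ini.
REQUIRED = ("passthru", "exec", "system", "shell_exec", "proc_open", "popen")

# Anchored at line start, so ";disable_functions = ..." (commented out) never matches.
# Directive names in php.ini are case sensitive, hence no IGNORECASE.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")

# Constructed sample: an empty default, a commented-out full list, and a
# later partial list that is the one actually in effect.
SAMPLE_INI = """\
[PHP]
disable_functions =
;disable_functions = passthru, exec, system, shell_exec, proc_open, popen
disable_functions = exec, system,shell_exec ; added later
"""


def effective_disable_functions(ini_text):
    """Return the names listed by the last active disable_functions line."""
    value = ""
    for line in ini_text.splitlines():
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1)          # a later assignment replaces an earlier one
    value = value.split(";", 1)[0]          # drop a trailing inline comment
    value = value.strip().strip("\"'")      # tolerate a quoted value
    return {name.strip() for name in value.split(",") if name.strip()}


def missing_functions(ini_text, required=REQUIRED):
    """List the required functions that the effective setting leaves enabled."""
    disabled = effective_disable_functions(ini_text)
    return [name for name in required if name not in disabled]


if __name__ == "__main__":
    gaps = missing_functions(SAMPLE_INI)
    print("still enabled:", ", ".join(gaps) if gaps else "none")
```
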

Website Security

  • Set websites to read-only mode. For directories requiring upload capabilities, like 'upload', enable write permissions separately and prohibit script execution rights in these directories.
  • If using source code developed by third-party software companies, promptly follow official version upgrades and patch updates. For programs developed by internet companies or in-house, pay attention to upload features like message boards and implement strict programmatic restrictions and checks.
  • If feasible, on Windows operating systems, store important data like websites and databases on the D drive, and avoid storing data on the system drive.
  • Regularly back up important data like websites and databases, either locally or on a different machine.

Information Security

  • Absolutely prohibit spam, viruses, Trojans, counterfeit products, and other activities on websites and applications that violate the laws where the server is located.
  • Domains used on servers within the country must be registered. Unregistered domains should be redirected or removed from server IP resolution.
  • Promptly address any information security notices from service providers, such as for unregistered domains or inappropriate content, to avoid service closure.