1. Disable the Guest account
In Computer Management, under Users, disable the Guest account so that it cannot log on to the system.
As extra insurance, also give the Guest account a complex password: open Notepad, type a long string containing
special characters, digits and letters, and copy it in as the password of the Guest account.
2. Limit the number of unnecessary accounts
Remove all duplicate user accounts, test accounts, shared accounts, generic departmental accounts and the like. Use group policy
to assign the appropriate permissions, and check the system's accounts regularly, deleting those that are no longer used. These accounts are
the hacker's way into the system: the more accounts there are, the greater the chance that a hacker obtains the privileges of a legitimate user.
3. Create two administrator accounts
Although this looks like it contradicts the point above, it actually follows the same rule. Create one account with ordinary permissions
for handling routine daily work, and a second account with Administrators permissions that is used only when needed.
When privileged work comes up, the administrator can use the runas command to perform it, which is convenient for
management.
4. Rename the system administrator account
Everyone knows that Windows 2000's Administrator account cannot be disabled, which means that others can
try this account's password over and over again. Rename the Administrator account to prevent this.
Do not use a name that still contains "admin"; changing it to that is no different from not changing it at all. Disguise it as an ordinary user, for example by changing it to
Guestone.
5. Create a trap account
What is a trap account? Look: create a local account named Administrator, set its permissions
to the lowest so that it can do nothing, and give it a super-complex password of more than 10 characters. This keeps
script kiddies busy for a while and lets you discover their intrusion attempts; you can also play some tricks in its logon
script.
6. Change the permissions of shared files from the Everyone group to authorized users
Everyone means that anyone who has the right to enter your network can get at these shared resources.
Do not set the users of a shared file to the Everyone group. This includes print sharing, whose default property
is Everyone; do not forget to change that Everyone group too.
7. Use secure passwords
A good password is very important for a network, but it is the item most easily ignored.
This is the case with some company administrators who, when creating an account, often use the company name, the computer name or some other
easily guessed word as the user name, and then set the password of the account to something simple such as "Welcome",
"ILoveYou", "Letmein" or the same as the user name. Such an account should be required to change to a complex password the first time it logs on,
and should also be made to change its password regularly. Having discussed this issue with people on IRC before:
a password that cannot be cracked within the defined security period is a good password. That is, if someone gets hold of your password
file it must take them 43 days or longer to crack it, while your password policy says passwords must be changed every 42 days.
8. Set a screen saver password
This is also very simple. A screen saver password is another barrier that prevents internal staff from damaging the server.
Do not use OpenGL or other complex screen savers that waste system resources; a blank screen is enough.
The machines used by the system's users should also be given screen saver passwords.
9. Use NTFS-format partitions
Change all partitions on the server to NTFS format. The NTFS file system is much safer than the FAT and FAT32 file systems;
this does not need saying, your server must be on NTFS.
10. Run anti-virus software
Of the Win2000/NT servers I have seen, I have never seen one with anti-virus software installed, yet it is very important.
Good anti-virus software can not only kill some well-known viruses but also a large number of Trojans and back-door programs,
including the well-known Trojans that hackers use. Do not forget to upgrade the virus library regularly.
Intermediate settings
1. Use the Win2000 security configuration tool to configure policy
Microsoft provides a set of MMC (Management Console) security configuration and analysis tools. Using them you can configure
your server to meet your requirements. For specific details, please refer to the Microsoft homepage:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp
2. Close unnecessary services
Windows 2000's Terminal Services, IIS and RAS may bring security vulnerabilities to your system.
To manage many machines remotely and conveniently you may also open Terminal Services; if you do,
confirm that you have configured Terminal Services correctly. Some malicious programs also run quietly as services, so pay attention to
all services on the server and check them regularly. Below are the default services of a C2-level installation:
Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log
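An added example, not from the original article, that turns the C2 default list above into a baseline and reports every running service outside it, so extras such as Terminal Services, IIS, RAS or an unknown program stand out for review. It assumes a Windows host with PowerShell; the short service names are my mapping of the article's display names.

```powershell
# Added example (not part of the original article). Short service names below are
# my mapping of the article's C2-level default service list.
$c2Baseline = @(
    'Browser',           # Computer Browser
    'LmHosts',           # TCP/IP NetBIOS Helper
    'DNS',               # Microsoft DNS Server
    'Spooler',           # Print Spooler
    'NtLmSsp',           # NTLM Security Support Provider
    'LanmanServer',      # Server
    'RpcLocator',        # RPC Locator
    'WINS',              # Windows Internet Name Service
    'RpcSs',             # Remote Procedure Call (RPC)
    'LanmanWorkstation', # Workstation
    'Netlogon',          # Net Logon
    'EventLog'           # Event Log
)

# Running services that are not part of the C2 baseline; each one is a candidate
# for review and, if the server does not need it, for stopping and disabling.
function Get-NonBaselineService {
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and $c2Baseline -notcontains $_.Name
    } | Select-Object Name, DisplayName
}

# Review the list, then for anything unneeded:
#   Stop-Service -Name <name>; Set-Service -Name <name> -StartupType Disabled
Get-NonBaselineService | Format-Table -AutoSize
```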
3. Close unnecessary ports
Closing ports means reducing functionality, so you need to make a decision between security and features. If the server is installed behind a firewall
the risk is smaller, but never think you can then relax. Using a port scanner to scan the system's
ports and confirm which services are open is the first step a hacker takes when invading your system.
The System32\Drivers\etc\Services file contains a table of well-known ports and services for reference. The specific method:
Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering
> Properties. Enable TCP/IP Filtering and add the required TCP ports, UDP ports and IP protocols.
4. Enable audit policy
Enabling security auditing is the most basic intrusion detection method in Win2000. When someone tries some method against your system,
such as trying user passwords, changing account policy, or accessing files without permission, it is recorded in the security audit.
Many administrators do not know the system has been invaded for months, until the system is destroyed. The audits below are the minimum;
others can be added as needed.
Policy                        Setting
Audit account logon events    Success, Failure
Audit account management      Success, Failure
Audit logon events            Success, Failure
Audit object access           Success
Audit policy change           Success
Audit privilege use           Success, Failure
Audit system events           Success, Failure
5. Enable password policy
Policy                                       Setting
Password must meet complexity requirements   Enabled
Minimum password length                      6 characters
Enforce password history                     5 passwords remembered
Maximum password age                         42 days
6. Enable account lockout policy
Policy                                 Setting
Reset account lockout counter after    20 minutes
Account lockout duration               20 minutes
Account lockout threshold              3 invalid logon attempts
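An added example, not from the original article, that writes the audit, password and account lockout settings of items 4, 5 and 6 into a Security Configuration Tool template and applies it with secedit, the command-line side of the tool set from item 1. It assumes an elevated PowerShell prompt on a Windows host with secedit; the template, database and export file names are this example's own choice.

```powershell
# Added example (not part of the original article). File names are my choice.
$template  = Join-Path $env:TEMP 'win2k-hardening.inf'
$database  = Join-Path $env:TEMP 'win2k-hardening.sdb'
$effective = Join-Path $env:TEMP 'effective.inf'

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# MaximumPasswordAge is in days; the lockout values are in minutes.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 42
LockoutBadCount = 3
ResetLockoutCount = 20
LockoutDuration = 20
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 1
AuditPrivilegeUse = 3
AuditSystemEvents = 3
'@ | Set-Content -Path $template -Encoding Unicode

# Apply the template (secedit creates the database), then export the effective
# policy and show the lines that should now match the template.
secedit /configure /db $database /cfg $template /areas SECURITYPOLICY /quiet
secedit /export /cfg $effective /areas SECURITYPOLICY /quiet
Select-String -Path $effective -Pattern '^(MinimumPasswordLength|MaximumPasswordAge|LockoutBadCount|Audit)' |
    ForEach-Object { $_.Line }
```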
7. Set access permissions on the security log
The security log is unprotected by default. Set its permissions so that only the Administrators group and the SYSTEM account have
access to it.
8. Do not let the system display the last logged-on user name
By default, when you enter the server through Terminal Services the logon dialog shows the account that last logged on, and the local logon
dialog does the same. This makes it easy for others to obtain some of the system's user names and then guess their passwords. Modify the
registry so that the dialog box does not display the last logged-on user name:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Set the REG_SZ value DontDisplayLastUserName to 1
9. Prohibit null session connections
By default, any user can enumerate accounts through a null session and then guess their passwords. We can
prohibit null session connections by modifying the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Change the value RestrictAnonymous to 1
10. Download the latest patches from the Microsoft website
Many network administrators have no habit of visiting security sites, so some vulnerabilities that have been public for a long time
still go unpatched on their servers. Nobody can guarantee that Windows 2000's hundreds of thousands of lines of code contain no security vulnerabilities. Regularly
visiting Microsoft and the security sites and downloading the latest service packs and vulnerability patches is the only way to keep the server secure in the
long term.
Advanced settings
1. Turn off DirectDraw
This is a requirement of the C2-level security standard for the video card and memory. Turning off DirectDraw may affect some programs that need
DirectX, but has no impact on the vast majority of business sites. Set the registry value HKLM\System\CurrentControlSet\Control\GraphicsDrivers\DCI\Timeout
(REG_DWORD) to 0.
2. Close the default shares
After Win2000 is installed the system creates some hidden shares; you can view them with "net share" at a CMD prompt.
There are a lot of articles on the Internet about IPC$ intrusion, so I believe everyone is no stranger to these shares. To close them: Administrative
Tools > Computer Management > Shared Folders > Shares, right-click the corresponding shared folder and choose Stop Sharing.
Note that these shares are reopened after the machine is restarted.
Default share   Path and function
C$, D$, E$ ...  The root of each partition. On Win2000 Professional only members of the Administrators
                and Backup Operators groups can connect; on Win2000 Server members of
                the Server Operators group can also connect to these shares.
ADMIN$          %SYSTEMROOT%. The remote management share; it always
                points to the Win2000 installation path, for example C:\Winnt.
FAX$            On Win2000 Server, FAX$ is used when fax clients send faxes.
IPC$            Null session. The IPC$ share provides the ability to log on to the system.
NETLOGON        On Windows 2000 Server, this share is used by the Net Logon service when
                handling domain logon requests.
PRINT$          %SystemRoot%\System32\Spool\Drivers. Used for remote management of printers.
3. Prohibit dump file creation
A dump file is very useful for finding the problem when the system crashes with a blue screen (otherwise I would
call it a junk file). However, it can also provide hackers with sensitive information, such as the passwords of some applications.
To prohibit it, open Control Panel > System Properties > Advanced > Startup and Recovery and change Write Debugging Information to None.
When you need it you can enable it again.
4. Use the Encrypting File System (EFS)
Windows 2000's powerful encryption system adds a level of security to the disk, its folders and its files,
preventing others from mounting your hard drive on another machine and reading the data on it. Remember to apply EFS to folders, not just
to single files. For specific information about EFS see
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
5. Encrypt the TEMP folder
Some applications copy things into the TEMP folder when installing or upgrading, but when they have finished
or are closed they do not clear the contents of the TEMP folder. Encrypting the TEMP folder therefore gives
your files more protection.
6. Lock the registry
In Windows 2000 only Administrators and Backup Operators have permission to access the registry from the network.
If you think this is not enough, you can further restrict the registry access permissions; please refer to
http://support.microsoft.com/support/kb/articles/q153/1/83.asp
7. Clear the page file at shutdown
The page file, also called the swap file, is what Win2000 uses to store the parts of programs and data files that are not loaded in memory.
Some third-party programs keep passwords in memory, and the page file may also contain other
sensitive information, so it should be cleared at shutdown. You can edit the registry:
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
Set the value ClearPageFileAtShutdown to 1
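An added example, not from the original article, that audits (and with -Apply writes) the registry values named in intermediate items 8 and 9 and advanced items 1, 2 and 7 above. It assumes an elevated PowerShell prompt on a Windows host; the AutoShareServer and AutoShareWks values, which keep the default shares from being recreated at reboot, and the net share commands are my additions to the article's steps.

```powershell
# Added example (not part of the original article). Keys and values are the ones the
# article names; AutoShareServer/AutoShareWks are my addition for advanced item 2.
param([switch]$Apply)   # without -Apply the script only reports drift

$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'DontDisplayLastUserName'; Value = '1'; Type = 'String' }          # intermediate 8
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Value = 1; Type = 'DWord' }                   # intermediate 9
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI'
       Name = 'Timeout'; Value = 0; Type = 'DWord' }                             # advanced 1
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Value = 0; Type = 'DWord' }                     # advanced 2 (Server)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareWks'; Value = 0; Type = 'DWord' }                        # advanced 2 (Pro)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Value = 1; Type = 'DWord' }             # advanced 7
)

foreach ($s in $settings) {
    # A missing value reads as $null and is reported as drift like a wrong value.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ("$current" -eq "$($s.Value)") {
        Write-Output "OK     $($s.Path)\$($s.Name) = $current"
        continue
    }
    Write-Output "DRIFT  $($s.Path)\$($s.Name) is '$current', expected '$($s.Value)'"
    if ($Apply) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
    }
}

# Advanced item 2: drop the hidden administrative shares now. Without the
# AutoShare values above set to 0 they come back at the next reboot.
if ($Apply) {
    foreach ($share in 'C$', 'D$', 'E$', 'ADMIN$') { net share $share /delete 2>$null }
}
net share   # what is still published; IPC$ stays, as the article's table notes
```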
8. Prohibit booting from floppy disk and CD-ROM
Some third-party tools can bypass the original security mechanism by booting the system from another medium. If your server's security requirements are very
high, consider using removable floppy and optical drives; locking the chassis is also a good method.
9. Consider using smart cards to replace passwords
Passwords always put the security administrator in a dilemma: a password that is too simple is easily attacked by L0phtCrack, and a password that is
too complex gets written down by users so they can remember it. If conditions allow, replacing complex passwords with smart cards is a good solution.
10. Consider using IPSec
As its name says, IPSec provides security for IP packets. IPSec provides authentication, integrity and
optional confidentiality: the sending computer encrypts the data before transmitting it, and the receiving computer decrypts the data after receiving it.
Using IPSec greatly enhances the system's security. For details on IPSec see
http://www.microsoft.com/china/technet/security/ipsecloc.asp