Windows security

zhaozj2021-02-16  84

1. Stop the Guest account

Inside the computer-managed user, the Guest account is not allowed to log in to the system.

For insurance, you can add a complex password for your Guest. You can open a notepad to enter a string included

Special characters, long strings for digital letters, then copy it as a password of the guest account

2. Restrict unnecessary number of users

Remove all DuPlicate User accounts, test accounts, share account ordinary department account, etc. User group policy settings

Set the appropriate permissions and often check the system's account to delete the accounts that are not used. These accounts are hackers.

The more the account of the breakthrough system of invasive systems, the more the privileges of the hackers get legal users, the larger

3. Create 2 administrators with account

Although this looks and the above contradictions but in fact, it is a general permission to obey the above rules.

Accounts are used to recruit and handle some daily things to have an account with Administrators permission only when needed.

Waiting for use allows the administrator to use the runas command to perform some work that needs privileges can be convenient.

management

4. Remove the system administrator account

Everyone knows that Windows 2000's administrator account cannot be deactivated, which means that others can

The password attempted this account over again and the password of this account can be renamed the Administrator account to prevent this.

Please do not use the name of the admin to change it equal to nothing to do with ordinary users, such as modification.

Guestone

5. Create a trap account

What is a trap account? Look!> Create a local account named administrator to set its permissions

What can't be done in the lowest thing, plus a super complex password more than 10 digits can make those

Scripts S is busy for a while and can discover their intrusion attempt or on its login scripts

Side of the foot

6. Change the permissions of shared files from the Everyone group into authorized users

Everyone means anyone who has the right to enter your network can get these shared funds.

Do not set the user of the shared file to the Everyone group to include print sharing default properties

Is there a must not forget to change the Everyone group

7. Use the security password

A good password is very important for a network but it is the most easily ignored.

It can explain that this time some company administrators create an account, often use the company's computer name or some other

A guess to make a user name and then set the password of these accounts n simple, such as "Welcome"

"ILoveYou" Letmein or the same as the username, etc., such an account should be required to be the first time to log in.

Improve complex passwords It is also necessary to pay attention to this issue of IRC and people to discuss this issue before IRC and people.

The password that can't crack from the defined security period is a good password, that is, if people get your secret.

Code documentation must spend 43 days or longer to crack out and your password strategy is 42 days must change password

8. Set the screen protection password

It is also very simple to set the screen protection password is also a barrier to prevent internal staff from damaging the server.

Washing system resources using OpenGL and some complex screen savers, there is still a point in black screen.

The machine used by the system users is also best coupled with the screen protection password.

9. Use the NTFS format partition

Change all partitions of the server to the NTFS format NTFS file system is safe than Fat, FAT32 file system

More this doesn't have to say more, you must have a server that you have a NTFS.

10. Running anti-virus software

I have never seen the Win2000 / NT server that I have never seen that there is a very important thing to install the anti-virus software.

Some good anti-virus software can not only kill some famous viruses, but also to kill a large number of Trojans and back door procedures.

The famous Trojans used by the people don't forget the regular upgrade virus library.

Intermediate setting

1. Use the WIN2000 security configuration tool to configure the policy

Microsoft provides a set of MMC (management console) security configuration and analysis tools to use them you can configure

Your server to meet your requirements for specific content, please refer to Microsoft Homepage

http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.a

SP

2 Close unnecessary service

Windows 2000 Terminal Services Terminal Services IIS and RAS may bring security to your system

Vulnerability In order to be able to manage the terminal service of many machines in remote convenient management, if you also open

To confirm that you have configured the terminal service Some malicious programs can also pay attention to service.

All services on top of the device (daily) check them below them are the default service for the C2 level installation

Computer Browser Service TCP / IP NetBIOS Helper

Microsoft DNS Server SpoOler

NTLM SSP Server

RPC Locator Wins

RPC Service Workstation

Netlogon Event Log

3. Close unnecessary port

Turning off port means reducing functionality in security and feature, you need to make a decision if the server is installed in the firewall

The rear of the take-off is less, but never think you can use the port scanner scanning system.

The port is confirmed which services are open, which is the first step in the hacker invading your system.

The control table with well-known ports and services in the System32 / Drivers / etc / Services file is available for reference specific methods

Online Neighbor> Properties> Local Connections> Properties> Internet Protocol (TCP / IP)> Properties> Advanced> Options> TCP / IP Sieves

Select> Properties Open TCP / IP Filter Add Required TCP, UDP, and Protocol

4. Open audit strategy

Opening the security audit is the most basic intrusion detection method of Win2000. When someone tries to make some ways to your system

Try the user password, change the account policy without a licensed file access, etc., it will be recorded in the security audit.

Many administrators don't know if the system is invaded for a few months until the system is destroyed below these audits.

Other other can be added as needed

Policy settings

Audit system login event success failure

Audit account management successfully failed

Review login event success failure

Audit object access success

Audit policy change successfully

Audit privilege success failure

Audit system event success failure

5 Open password password strategy

Policy settings

Password complexity requirements are enabled

Password length minimum 6 bit

Forced password history 5 times

Forced password history 42 days

6 open account strategy

Policy settings

Reset account lock counter 20 minutes

Account lock time 20 minutes

Account lock threshold 3 times

7 Set access to safety records

Safety records are unprotected by default, they have the right to use only Administrator and system accounts.

access

8. Do not let the system display the username last login

By default, the Terminal Service Enter the server will display the last login account to the local landing.

The dialog is also the same, making others easy to get some usernames of the system to enter the password to guess the revision registration.

The table can not make the dialog box to display the last login username.

HKLM / Software / Microsoft / Windows

NT / CurrentVersion / Winlogon / DONTDISPLAYLASTUSERNAME

Change the key value of REG_SZ to 1

9. Prohibition of establishing an empty connection

By default, any user enumerates an account to guess password by empty connection. We can

Prohibition of establishing an empty connection by modifying the registry

Local_Machine / System / CurrentControlset / Control / LSA-Restrictanonymous

Value can be changed to 1

10. Download the latest patches to Microsoft Website

Many network administrators have no habits of the security site, so that some vulnerabilities have been a long time.

The vulnerability does not replenish people when the target uses no one to ensure that hundreds of thousands of lines of code have 2000 do not have a safe vulnerability often

Visiting Microsoft and Swellings Downloading the latest service packs and vulnerability patches are only a long-term security of the server.

One-way

~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~`

advanced settings

1. Turn off DirectDraw

This is the requirements of C2 level safety standards to video card and memory. DirectDraw may be used for some need to use.

DirectX's program has an impact on the vast majority of business sites, there is no impact registry HKLM / System / CurrentControlSet / Control / GraphicsDrivers / DCI

Timeout (REG_DWORD) is 0

2. Close the default sharing

Win2000 is installed after the system creates some hidden sharing you can check Net Share under CMD.

There are a lot of articles on IPC invasion on IPC. I believe that everyone must do not stranger these sharing open tubes.

Tools> Computer Management> Shared Folders> Share on the corresponding shared folder to press the right button to stop sharing

These sharing will be reopened after the machine is restarted.

Default shared directory path and function

C $ D $ E $ E $ Each Partition The root of Win2000 Pro is only administrator

And BACKUP OPERATORS group members can connect to Win2000 Server version

The Server OperatROS group can also be connected to these shared directories

Admin $% SYSTEMROOT% Remote Management Shared Directory It is always

Point to Win2000 installation path, such as C: / Winnt

FAX $ in Win2000 Server Fax $ is sent to the FAX client

IPC $ Empty Connection IPC $ Share provides the ability to log in to the system

Netlogon This shared NET Login service in Windows 2000 server is at

Used when the login domain request

Print $% SystemRoot% / System32 / Spool / Drivers User remote management printer

3. Prohibit Dump File production

Dump file is a very useful lookup problem when the system crashes and blue screen (otherwise I will use it.

Translated into spam files) However, it can also provide some sensitive information to hackers such as some application passwords.

Prohibit it to open Control Panel> System Properties> Advanced> Start and Fault Recovery Change Write Debugging Information to No

When you can reopeize it

4. Using the file encryption system EFS

Windows2000 powerful encryption system can add a level of security to disk folder files.

Prevent others from hanging your hard drive on other machines to read the data inside to remember to use EFS to give folders, not just

Is a single file for specific information about EFS can be viewed

http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.as

p

5. Encryption TEMP folder

Some applications will copy some things to the TEMP folder when installing and upgrading, but when the program is upgraded

When they have finished or close, they don't clear the contents of the Temp folder, so encrypting the TEMP folder.

Protecting more about your files

6. Slide the registry

Only Administrators and Backup Operators are accessible from the Internet in Windows2000.

Permissions for the app If you think is not enough, you can further set the registry access permissions, please refer to

http://support.microsoft.com/support/kb/articles/q153/1/83.asp

7. Clear the page file when shutting down

The page file is also the scheduling file is the win2000 used to store the hidden in the program and data file parts that do not load memory.

Some third-party programs of Tibetan files can also contain some other encrypted passwords or other in memory.

Some sensitive information should be clear when it is turned off, you can edit the registry.

HKLM / System / CurrentControlSet / Control / Session Manager / Memory Management

Set the value of ClearPageFileatShutdown 1

8. Prohibit starting from floppy disk and CD ROM

Some third party tools can bypass the original security mechanism by booting the system if your server is very

High can consider using a mobile floppy disk and the optical drive to lock the chassis and throw it a good method.

9. Consider using smart card to replace the password

For passwords, always make the security administrator to refund two difficulties are easily attacked by 10PHTCRACK, if password

Too complex users will write passwords to the password to remember that if the condition allows the smart card to replace complex passwords is a good solution.

10. Consider using IPSec

As its name, IPSec provides IP packet security IPSec provides authentication integrity and

The selected confidential sender computer is encrypted before transmitting data and the receiver computer decrypts data after receiving the data.

Using IPSec, the system's security performance is greatly enhanced for details on IPSES.

http://www.microsoft.com/china/technet/security/ipsecloc.asp

转载请注明原文地址:https://www.9cbs.com/read-13205.html

New Post(0)