Windows Security Adjustment Wizard
Author: .com.cn
There are a lot of people using Windows, and the security issues of the Windows system are more and more attention. Although Windows has many vulnerabilities, there are many security hazards, but after appropriate settings and adjustments, you can also use relatively safe Windows. This article tells you about the security adjustment of Windows, I hope to be useful to you. This article will give you some solutions for some common security issues, most of which are for Windows 2000 / XP, which is not guaranteed to be feasible on Windows 98 / ME. The importance of preparing to install patch to install patch is self-evident, especially some important security patches and patches for IE, OE vulnerabilities (even if you don't plan to use them). Microsoft will regularly publish some of the known vulnerabilities, which generally can be installed through Windows Update. What you need to do is just regularly accessing the Windows Update website, address: http://windowsupdate.microsoft.com. Or click on the shortcut to Windows Update in the Start menu. Windows XP and Windows 2000 installed in SP3 are more progress, automatically check the update, download it in the background, notify you and ask if you start installing. For Windows 2000 / XP users, Microsoft also provides a practical free tool for checking security: a Benchmark Security Analyzer (Microsoft Baseline Security Analyzer), which can automatically detect your system, and problems You can provide a complete solution. It is very suitable for users with high security requirements. You can learn more and download this tool in detail here. After you have installed all the patches, start our adjustment settings below. Rename and disable the default account After installing Windows, the system will automatically create two accounts: Administrator and Guest, where the Administrator has the highest permission, and Guest has only basic permissions and is disabled by default. And this default account will bring you convenience and serious harm to your system security. If there is a hacker intrusion or anything else, he will easily learn your name of the super user, and the rest is to find a password. Therefore, the security approach is to change the name of the Administrator account, and then build a fake administrator account with almost no permissions. The specific method is: Enter "SECPOL.MSC" in operation and enter the "Local Security Settings" dialog box, open the Local Policy - Security Options, with an "account: Rename System Management in the right window: Rename System Management The policy of the account ", double-click Open, you can reset a username that is not very eye-catching. You can then create a restricted user named administrator to confuse your intrusion.
The setting of the security option is also in the local security settings, expands "Local Policy - Security Options", there are still many other settings. After reasonable configuration, you can make your system more secure. The options listed below are all prohibited: interactive login: No need to press CTRL Alt DEL. Network Access: Allow anonymous SID / name conversion. Network Access: Let Everyone Permissions apply to anonymous users. Fault Recovery Console: Allows Automatic System Management Level to log in. The following options are best enabled: Device: Users logged in locally access to the CD-ROM. Equipment: Users log in locally access to the floppy drive. Interactive login: Do not display the username used last time. Network Access: No anonymous enumerations of anonymous SAM accounts are allowed. Network Access: No SAM account and anonymous enumerations are allowed. Network Security: Do not store the HASH value of LAN Manager when you change your password next time. System object: Enhance the default permissions of internal system objects (such as Symbolic Links). Reliable Password Although absolutely secure passwords do not exist, relatively safe passwords can be implemented. This still needs to run SecPol.msc to configure local security settings. Expand to the Account Policy - Password Policy, through the configuration here, you can create a complete password policy, and your password can also get the maximum protection. Forced password history, this setting determines the number of passwords that save users used. Many people know that they want to replace their passwords frequently, but in exchange, they are limited, in which they can know if the user replaces the password that is previously used. If the "password longest use period" is again, the password is guaranteed. By default, this policy does not save the user's password, you can set it yourself, it is recommended to save more than 5, and you can save up to 24. The password is longest, this policy determines how long it can be used, and will expire, and ask the user to replace the password. If set to 0, the password will never expire. Under normal circumstances, it can be set to about 60 days, and the specific expiration time should look at the security requirements for security. And the maximum can be set for 999 days. The shortest use period of the password, this policy determines that a password is to be used again after it is used. The "Forced Password History" told above will learn whether the new password is used before, if so, this password cannot be continued. If set to 0, a password can be used without restrictions, while the maximum is 999. The password length minimum, this policy determines the length of a password, the valid value is between 0 and 14. If set to 0, it means that the password is not required. The recommended password length cannot be less than 6 digits. The password must comply with complexity requirements. If this policy is enabled, when setting up and change a password, the system will check if the password is valid in the following rules: The password cannot contain all or part of the username. At least 6 characters. And in the use of characters, the following rules must be followed, the password must be: English letters, A-Z, sensitive. Basic 10 numbers, 0-9. You cannot include special characters, such as!, $, #,%, And more. If this policy is enabled, I believe that your password will be safe. For all users in the domain to store passwords, it is obvious that this policy is best not to be enabled. Safe Using Internet ExplorerNternet Explorer is the most popular browser software today.
Because there are many people used, the security issues found by IE are most, but it doesn't matter. I have seen this section, you can make your IE more secure. It should be noted that the following narratives are subject to IE 6.0 SP1, and if you use a lower version, some details may be different. Open Internet Explorer, click Tool -Internet option, then open the Security tab. Select "Internet" in the Security tab, you can set some security options in the Internet area. Although there are different levels of default settings, we'd better adjust it according to your actual situation. Click "Custom Level" below. Figure 3 window will appear, which shows all IE security settings.
Download the signed ActiveX control, pass the third party's authentication agency signing proves that the ActiveX control is secure, and you can set this control, unless you don't want to install any ActiveX control, or you want yourself download from some websites, For example, Windows Update, and plug-ins for playing Flash, etc. Download unsigned ActiveX controls, compared to the signature authenticated ActiveX control, unsigned authentication may contain potential security hazards, so you'd better not set to enable, or disabled, or set to inquiry so you You can decide whether to download the unauthenticated control based on the nature of the site being accessed. For initialization and script running without marking the secure ActiveX control, similar to the previous settings, if you set it to disable, then this option is also disabled, otherwise you can set it to inquiry (recommended setting) or allow ( Not recommended) to prohibit running of signed controls. Run ActiveX controls and plugins, assume that you have banned all ActiveX controls and plugins, then this option can be assured to approve it. It is not recommended here to allow. The ActiveX control marked as a secure execution script executes the script, which can be set to the same as before. Active script, now a variety of scripts are very popular. You can create a lot of practical web pages through the script, such as a Windows Update web page, is through the script program to determine the patches you need to download. So if you disable the scrippus, some web pages will not be browsed normally. Here, you recommend that you are set to disabled, as for a few important but normally, we will see a solution later. Allow past scripts, this option allows the web to copy the file into your clipboard through the script, and is best disabled for security consideration. Java small program script, JavaScript is a public, multi-platform, object-oriented scripting language. The JavaScript script is used in many web pages, but it is best to disable it. If the above settings affect a small number you have to access (such as Windows Update website), but you don't want to set the security level of the Internet area too low, then you can add some of your trust to trust. Go in the site. The method is: Under the Security tab of the Internet Option, click "Trusted Site", then click the "Site" button, the window will appear, enter the network address we want to add in the new window (for example https: // WindowsUpdate.microsoft.com) Then click "Add" on the right side so you can.
Now, open the content tab in the Internet option, click "Auto Direction", and some things need to be adjusted here.
For each item listed, the auto-completion feature saves a specific content, where "Web Address" saves the content you have entered in the IE address bar; "Form" will save the information you fill in on the web, for example Speaking on the forum (in addition to user name and password), the keyword used in the search engine; "Username and Password on" form "will save your name and password you entered when you log in to the forum or other pages. Automatic completion can help you save a lot of time, but it also brings a lot of security hazards. Once someone uses your account to log in, you will be able to see it by others by the username and password of the website. So you can decide which content can be saved automatically according to your computer's usage, which is not available. Now we go to the Advanced tab of the Internet option. Here is a few points to note: Use Passive FTP to compatibility with the firewall and DSL modem compatibility, this setting will allow the use of passive mode when using IE to browse the FTP server, this mode is more secure, because the server cannot get your IP Address, if you don't access it properly, you can try it or disable this setting. Check the publisher's certificate revocation, if this option is selected, when you visit some sites that require authentication, IE will first check whether the certificate provided by the site is still valid. In general, it is recommended that you enable this setting. Check the server's certificate revocation, this option will make the IE check whether the certificate of the site server is still valid, and this setting should also be enabled. Check the signature of the downloaded program, if this setting is enabled, IE will pass the signature automatic check program after you download the program. This setting should generally be enabled. Will not be saved to the Internet Temporary folder for encryption pages (mainly URLs) after the encrypted page is enabled. If many people share the same computer, this option is very necessary, so others cannot spy the encrypted web page you visited through the Internet (such as certain e-commerce websites). The next three settings: Use SSL 2.0, use SSL 3.0 and use TLS 1.0 to follow the protocol encryption data on the Internet. For example, some websites identify authentication and important data transmission, SSL encryption is used in this process. So the best suggestions are all enabled all three options. But if you have an error when you have access to some encryption sites, you can disable other two protocols other than SSL 2.0, because there may be conflicts between different versions, while SSL 2.0 is the most widely used, general The encrypted site will support it. WARNING for the invalid site certificate, after the settings are enabled, IE will warn when I encounter an invalid site certificate, remind you to pay attention. This is usually enabled. A warning is issued while the conversion between security and non-secure mode is enabled. If you want to enter an unsafe page from a secure web page (may be SSL encrypted), IE will issue a warning reminder You are to avoid you to leak some private information without knowing. When the submitted form will issue a warning, after the settings are enabled, some information you submit in some forums or similar places If you are sent to other servers, IE will issue an alert to remind you. Therefore, this should also be enabled. Safe use Outlook ExpressOutlook Express is an email program comes with Windows. It is also easy to browse through the newsgroup through Outlook ExpressOutlook Express. However, many people don't like this procedure, I still want to unload it from my own system, mainly because many people say that OE is easy to infect viruses.
The kitchen knife can also hurt, but every family has to have a kitchen knife, so it is better to consider how to uninstall OE is better than considering how settings will make OE more secure. All of this section is mainly OE 6 SP1, if you use a lower version, some details may be different. OE's main settings can be seen under tool - option, where we are mainly concerned about the Security tab. Select the Internet Explorer security zone you want to use, this setting allows you to decide to treat emails (especially using HTML languages) as security areas (that is, we set different security levels in Internet Explorer's Internet option) The area). Set it to a restricted area is a more sensible and secure approach. This way, if you receive some harmful code in the HTML message, you will not harm your system (of course, you have set a reasonable security level to the restricted area in the IE's Internet option). When other programs send emails in my name, I remind me that this is also a very effective security policy. I have had a lot of viruses to send a virus-containing right click through the contact address in the OE address book. Enable this setting to effectively solve this problem. Once there are other programs to send emails through OE, OE will first ask if you send it, for those suspicious right-clicks, as long as the delivery is available. An attachment that may contain viruses is stored or opened. When this setting is enabled, the attachments in some formats in the email cannot be saved and opened, then if you receive the right-click, save and open accessories The option will be unavailable, further enhance security.
Last point, open the reading tab in the OE option, select "Read all messages in plain text", so that the HTML mail received later is automatically converted into a plain text, do not have to worry about embedded viruses and malicious scripts in the email. Automatically execute when preview or view emails. Strengthening your Internet connection By default, in order to establish a network connection, Windows will install a lot of protocols and run a lot of services in some protocols and services are not required, such as NetBIOS, files, and printer sharing, etc., "least service smallest Permissions = maximum security "This equation is always established, so we need to turn off unwanted services, uninstalling unwanted protocols to enhance our system security. For Windows 9X / ME 1. Double-click Network Icon in Control Panel 2. Select the Microsoft Network Client, then click Uninstall 3. Disable files and printer sharing, if you really need to share, you can set a password to them 4. Select TCP / IP, then click the Properties button, open the NetBIOS tab, and cancel "I want to use NetBIOS on TCP / IP. Then select the DNS Settings tab and select Disable DNS (if you don't need it). Under the WINS Settings tab, check WINS resolution 5. OK, then restart your computer for Windows 2000 / XP system 1. Open the network connection in the control panel, right click on the Internet connection, select Properties 2. If you don't need to share files And printers, then select and uninstall (can not uninstall, but at least do not use) Windows network files and printer sharing 3. Double-click the Internet Protocol (TCP / IP), then click the Advanced button 4. Open the WINS tab, cancel the enable LMHOSTS query selection, then select NetBIOS5 on TCP / IP. Enter services.msc on the run and enter the carriageway. 7. Restart the computer to close the default sharing defaults to have a shared sharing in the installed Windows 2000 / XP computer, although this sharing requires you to provide an administrator's username and password can be connected, but put there always people I don't feel unsafe, and I can't delete it according to the regular way. Let's modify the registry. Run "regedit" Open the Registry Editor, locate "HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SERVICES / LANMANSERVER / Parameters", for Windows 2000 Professional And Windows XP, create a DWORD button name "AutoSharewks" in the right panel, set the key value to "0"; for Windows 2000 Server and Windows Server 2003, create a DWORD button name "AutoShareserver", the same settings The key value is "0", and the setting will take effect after restarting the computer. The firewall and anti-virus software don't care what you have done, as long as you connect on the Internet, the firewall is necessary. The firewall can completely protect your system, The harmful thing on the Internet is outside the door. It is recommended that the firewall you use mainly, one is Symant EC's Norton Internet Security, this software includes not only a network firewall, but also Norton AntiVirus, a famous anti-virus software.