Primary security
1. Physical security. Servers should be placed in an isolated room fitted with a surveillance camera, and the recorder must keep at least 15 days of video. In addition, the chassis, keyboard and computer desk drawers should be locked so that nobody can use the machine even after getting into the room, and the keys should be kept elsewhere under separate guard.

2. Disable the Guest account. Deactivate the Guest account under Computer Management > Users so that it cannot be used to log in. To be on the safe side, also give Guest a complex password: open Notepad, type a long string containing special characters and digits, and paste it in as the Guest password.

3. Limit unnecessary users. Remove all duplicate user accounts, test accounts, shared accounts, generic department accounts and so on. Set appropriate permissions with user group policy, check the system's accounts often, and delete accounts that are not in use. Such accounts are often a hacker's way into a system: the more accounts a system has, the more likely a hacker is to obtain a legitimate user's credentials, and generally the more powerful those users are. On domestic NT/2000 hosts, if the system has more than 10 accounts, there are usually one or two weak-password accounts. I have found that 180 of the 197 accounts on one host all had weak passwords.

4. Create two administrator accounts. Although this seems to contradict the rule above, it actually follows it. Create one account with ordinary permissions for reading mail and handling daily work, and a second account with Administrators permissions that is used only when needed. Administrators can use the "runas" command to perform work that requires privileges, which keeps this easy to manage.

5. Rename the system administrator account. As you know, Windows 2000's Administrator account cannot be disabled, which means that others can try this account's password over and over. Rename the Administrator account to prevent this. Of course, do not use a name such as admin; changing it to that is as good as not changing it. Try to disguise it as an ordinary user, for example: guestone.

6. Create a trap account. Create a local account named "Administrator", set its permissions to the lowest possible so that it can do nothing, and give it a super complex password of more than 10 characters. This keeps those script kiddies busy for a while and lets you discover their intrusion attempts, or you can play a trick on them with its login script. Oh, enough!

7. Change the permissions of shared files from the "Everyone" group to "Authenticated Users". "Everyone" means that any user who can reach your network can get at the shared material. Never set the users of a shared file to the "Everyone" group. This includes printer sharing, whose default attribute is also "Everyone"; do not forget to change it.

8. Use good passwords. Using secure passwords is very important for a network, but it is easy to ignore. What was said above may already have explained this. When some company administrators create accounts, they often use the company name, the computer name or something similar as the username, and then set a simple password such as "Welcome", "IloveYou", "Letmein" or the same as the username. Such accounts should be required to change to a complex password when the user first logs in, and changes to the password must also be attended to. When I discussed this problem on IRC before, we gave a good password a definition: a password that cannot be cracked within the security period is a good password. That is, if someone gets your password file, it must take them 43 days or longer to crack it, and your password policy must require changing the password every 42 days.

9. Set a screen saver password. This is simple and also necessary. A screen saver password is also a barrier that keeps internal staff from damaging the server. Note: do not use OpenGL or other complex screen savers, which waste system resources; just let the screen go blank. Also, the machines used by all system users are best protected with screen saver passwords too.

10. Use NTFS partitions. Convert all partitions of the server to NTFS format. The NTFS file system is far more secure than the FAT and FAT32 file systems. There is no need to say more about this; I expect everyone's server is already NTFS.

11. Run anti-virus software. On the Win2000/NT servers I have seen, I have never seen anti-virus software installed, but in fact this is very important. Some good anti-virus software can not only kill famous viruses but also kill a large number of Trojans and backdoor programs, so the famous Trojans used by "hackers" become useless. Do not forget to update the virus library.

12. Safeguard the backup disks. Once the system is destroyed, the backup disks will be the only way to recover the information. After backing up the data, keep the backup disks in a safe place. Do not put your backups on the same server; that is no better than not backing up at all.
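The account and share hygiene from items 2, 3, 5, 6 and 7 above, as one script. This is an added example, not code from the article; it assumes a Windows host with PowerShell and WMI (PowerShell did not exist on Windows 2000 itself, so on a modern host the same steps apply), run from an elevated prompt. The names guestone and the decoy "Administrator" come from the article; the helper New-LongPassword and the parameter names are this example's own.

```powershell
# Added example: local account and share hygiene for primary items 2, 3, 5, 6, 7.
# Assumes PowerShell 2.0+ with WMI; run elevated. Names below are placeholders.
param(
    [string]$NewAdminName = 'guestone',     # disguised name for the real Administrator (item 5)
    [string]$DecoyName    = 'Administrator' # low-privilege trap account (item 6)
)

$computer = $env:COMPUTERNAME

function New-LongPassword([int]$Length = 24) {
    # Random password over a mixed alphabet, the scripted form of the Notepad trick in item 2.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Item 2: disable Guest and give it a long password anyway.
net user Guest (New-LongPassword) /active:no | Out-Null

# Item 5: the built-in Administrator cannot be disabled, so rename it.
$admin = [ADSI]"WinNT://$computer/Administrator,user"
$admin.psbase.Rename($NewAdminName)

# Item 6: create the decoy after the rename so the names do not collide.
# It belongs to no group at all, and a failed logon against it shows up in the
# security log once logon auditing (intermediate item 4) is switched on.
net user $DecoyName (New-LongPassword 32) /add /comment:"decoy - investigate any logon attempt" | Out-Null
net localgroup Users $DecoyName /delete | Out-Null   # strip even the default Users membership

# Item 3: list enabled local accounts so unused ones can be reviewed and removed.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
    Select-Object Name, PasswordRequired, PasswordExpires |
    Format-Table -AutoSize

# Item 7: report every share whose ACL still grants the Everyone group.
Get-WmiObject Win32_LogicalShareSecuritySetting | ForEach-Object {
    $sd = $_.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.Name -eq 'Everyone') {
            "{0}: grants Everyone (AccessMask 0x{1:X}) - change to Authenticated Users" -f $_.Name, $ace.AccessMask
        }
    }
}
```

The share check only reports; changing the share ACL is left to the administrator because the right replacement group (Authenticated Users or a narrower group) depends on who actually needs the share.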
Intermediate security

1. Use the Win2000 security configuration tools to configure policy. Microsoft provides a set of MMC (Management Console) snap-ins, Security Configuration and Analysis; with them you can configure your server to meet your requirements. For details see Microsoft's site: www.microsoft.com/windows/security/sctoolset.asp

2. Close unnecessary services. Windows 2000's Terminal Services, IIS and RAS may all bring security vulnerabilities to your system. Many machines have Terminal Services open so that the server can be managed remotely; if you have it open, confirm that you have configured it properly. Some malicious programs can also run quietly as a service. Pay attention to all the services on the server and check them regularly (every day). Below is the default set of services for a C2-level installation:
Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log

3. Close unnecessary ports. Closing a port means reducing functionality, so you have to weigh security against features. If the server sits behind a firewall the risk is smaller, but never think you have nothing to worry about. Using a port scanner to find the open ports and work out which services are running is the first step a hacker takes when invading your system. The table of well-known ports and services in the \SYSTEM32\DRIVERS\ETC\Services file is available for reference. Specific method: Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties; enable TCP/IP filtering and add only the required TCP ports, UDP ports and protocols.

4. Turn on the audit policy. Turning on security auditing is the most basic intrusion detection method of Win2000. When someone tries to do something to your system (such as trying user passwords, changing account policies or accessing files without permission), the security audit records it. Many administrators do not know that their system has been broken into for months, until the system is destroyed. The following audits must be turned on; others can be added as needed:
Policy - Setting
Audit system logon events - Success, Failure
Audit account management - Success, Failure
Audit logon events - Success, Failure
Audit object access - Success
Audit policy change - Success, Failure
Audit privilege use - Success, Failure
Audit system events - Success, Failure

5. Turn on the password policy:
Policy - Setting
Password must meet complexity requirements - Enabled
Minimum password length - 6 characters
Enforce password history - 5 passwords
Maximum password age - 42 days

6. Turn on the account lockout policy:
Policy - Setting
Reset account lockout counter after - 20 minutes
Account lockout duration - 20 minutes
Account lockout threshold - 3 attempts

7. Protect the security log. Access to the security log is not protected by default; set it so that only the Administrator and the SYSTEM account have access to it.

8. Store sensitive files on a separate file server. Although server hard disks are large nowadays, you should still consider whether important user data (files, data sheets, project files and so on) ought to be stored on another, safer server, and back it up often.

9. Do not let the system display the last logged-on username. By default the last logon account is shown in the logon dialog, and the local logon dialog is the same. This lets someone else obtain some of the system's usernames and then guess passwords. Modify the registry so that the dialog box does not display the last username: set HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName to 1.

10. Forbid null sessions. By default any user can connect to the server with a null session (empty connection), enumerate the accounts and then guess passwords. We can prevent null sessions by modifying the registry: set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to "1".

11. Download the latest patches from Microsoft's website. Many network administrators have no habit of visiting security sites, so vulnerabilities that have been public for a long time remain unpatched on their servers. Nobody dares guarantee that Win2000's millions of lines of code contain no security vulnerability. Regularly visiting Microsoft and the security sites and downloading the latest service packs and hotfixes is the only way to ensure the long-term security of the server.
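Items 4, 5, 6, 9 and 10 above are all policy or registry settings, so they can be applied in one go. The script below is an added example, not the article's own; it assumes a Windows host with PowerShell and secedit.exe, run elevated. It writes the article's audit, password and lockout values into a security template (the secedit .inf format, where an audit value of 1 means success, 2 failure and 3 both), applies it, then sets the two registry values from items 9 and 10 and reads them back. The file names are placeholders.

```powershell
# Added example: apply intermediate items 4-6 (policy) and 9-10 (registry).
# Assumes PowerShell with secedit.exe on the host; run elevated.
$template = "$env:TEMP\hardening.inf"   # placeholder paths
$database = "$env:TEMP\hardening.sdb"

# Security template with the article's values. Audit values: 0 none, 1 success,
# 2 failure, 3 success and failure. Object access is "Success" only in the article.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 42
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3
'@ | Set-Content -Path $template -Encoding Unicode   # secedit expects UTF-16 templates

# Apply only the SECURITYPOLICY area (account policy and audit policy), quietly.
secedit /configure /db $database /cfg $template /areas SECURITYPOLICY /quiet

# Item 9: hide the last logged-on user name. On NT/2000 this Winlogon value is a
# REG_SZ holding "1" (newer Windows reads a DWORD of the same name under
# ...\Policies\System instead, so set that one too on a modern host).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name DontDisplayLastUserName -Value '1' -Type String

# Item 10: RestrictAnonymous = 1 blocks account enumeration over null sessions.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord

# Read the two values back so the change can be confirmed in the session log.
function Get-HardeningState {
    New-Object PSObject -Property @{
        DontDisplayLastUserName = (Get-ItemProperty $winlogon).DontDisplayLastUserName
        RestrictAnonymous       = (Get-ItemProperty $lsa).RestrictAnonymous
    }
}
Get-HardeningState | Format-List
```

The template route is the same mechanism the MMC Security Configuration and Analysis snap-in from item 1 uses, which is why the values line up with what that tool shows after the import.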
Advanced security

1. Turn off DirectDraw. This is a requirement of the C2-level security standard for video cards and memory. Turning off DirectDraw may affect programs that need DirectX (such as games; playing StarCraft on the server... I'm dizzy), but for the vast majority of business sites it should have no effect. Modify the registry: set Timeout (REG_DWORD) under HKLM\System\CurrentControlSet\Control\GraphicsDrivers\DCI to 0.

2. Close the default shares. After installation, Win2000 creates some hidden shares; you can see them at the CMD prompt. There are many articles on IPC intrusion on the Internet, and I believe nobody is unfamiliar with it. To prohibit these shares, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the shared folder and choose Stop Sharing, but they will be recreated after the machine restarts. The default shares and their functions:
C$ D$ E$ ... - the root of each partition. In Win2000 Professional only members of Administrators and Backup Operators can connect; in Win2000 Server the Server Operators group can also connect to these shares.
ADMIN$ (%SYSTEMROOT%) - the remote administration share; its path always points to the Win2000 installation directory, e.g. C:\Winnt.
FAX$ - in Win2000 Server, used by fax clients.
IPC$ - the null share; IPC$ provides the ability to log in to the system.
NETLOGON - used by the Net Logon service of Windows 2000 servers when processing domain logon requests.
PRINT$ (%SystemRoot%\System32\spool\drivers) - used for remote administration of printers.
For the specific steps, refer to the article "Removing the C$ share in Win2000".

3. The dump file. The memory dump file generated when the system crashes with a blue screen is very useful for finding the problem (otherwise I would have translated it as "garbage file"). However, it can also leak sensitive information such as the passwords of some applications. To disable it, open Control Panel > System Properties > Advanced > Startup and Recovery and change "Write debugging information" to None. When you need it, you can turn it on again.

4. Use the encrypting file system EFS. Windows 2000's powerful encryption system adds a level of security to disks, folders and files. This prevents others from mounting your hard drive in another machine and reading the data on it. Remember to apply EFS to folders, not just single files. For details on EFS see www.microsoft.com/windows/security/encrypt.asp

5. Encrypt the Temp folder. When some applications install or upgrade, they copy things into the Temp folder, but when the program is upgraded or closed they do not clear the Temp folder. So encrypting the Temp folder protects your files.

6. Lock down the registry. In Windows 2000, by default only Administrators and Backup Operators have access to the registry from the network.
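The advanced items as one script, added here as an example rather than the article's own code. It assumes a Windows host with PowerShell, WMI and cipher.exe, run elevated. The article names only the DCI Timeout value; the other registry values used here (AutoShareServer and AutoShareWks, which stop the administrative shares from being recreated at boot, CrashDumpEnabled, and the SecurePipeServers\winreg key whose ACL governs remote registry access) are the standard Windows settings behind items 2, 3 and 6 and are this example's additions.

```powershell
# Added example: advanced items 1-6. Assumes PowerShell with WMI and cipher.exe; run elevated.

# Item 1: C2 requirement - disable DirectDraw by setting the DCI Timeout to 0.
$dci = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI'
Set-ItemProperty -Path $dci -Name Timeout -Value 0 -Type DWord

# Item 2: stop the disk administrative shares now, and keep them from coming back
# at boot (AutoShareServer for Server, AutoShareWks for Professional; 0 = do not
# create). IPC$ is left alone: the article lists it as the logon share.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord

function Remove-AdminDiskShares {
    # Win32_Share Type 2147483648 (0x80000000) marks disk administrative shares
    # such as C$, D$ and ADMIN$. Returns the names removed.
    $removed = @()
    Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 2147483648 -and $_.Name -ne 'IPC$' } |
        ForEach-Object {
            if ($_.Delete().ReturnValue -eq 0) { $removed += "$($_.Name) ($($_.Path))" }
        }
    return $removed
}
Remove-AdminDiskShares | ForEach-Object { "removed share $_" }

# Item 3: write no memory dump on a crash (0 = "None" in Startup and Recovery).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
    -Name CrashDumpEnabled -Value 0 -Type DWord

# Items 4 and 5: EFS on the whole Temp folder. Encrypting the folder (not single
# files) means anything an installer drops there later is encrypted as well.
cipher /e "/s:$env:TEMP" | Out-Null
cipher "/s:$env:TEMP"      # lists E (encrypted) or U (unencrypted) for each file

# Item 6: show who may reach the registry over the network - the ACL on the
# winreg key is what grants remote registry access.
Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Removing the administrative shares also removes the path that remote backup or management tools often rely on, so check what depends on C$ and ADMIN$ before running the share part on a production server.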