Basic security
1. Physical security
The server should be placed in a restricted room under video surveillance, and the recordings should be kept for at least 15 days. In addition, the chassis, keyboard and desk drawers should be locked so that the machine cannot be used even by someone who gets into the room, and the keys should be kept somewhere else that is secure.
2. Disable the Guest account
Disable the Guest account in Computer Management > Users so that it cannot log on to the system. To be safe, also give Guest a complex password: open Notepad, type a long string containing special characters and digits, then copy it in as the Guest account's password.
3. Limit the number of unnecessary accounts
Remove all duplicate user accounts, test accounts, shared accounts, general departmental accounts and so on. Assign appropriate permissions through user group policies, check the system's accounts regularly, and delete any that are no longer in use. These accounts are very often the intruder's way in: the more accounts a system has, the more likely it is that an attacker can obtain a legitimate user's credentials, and the weaker those users' passwords tend to be. On domestic NT/2000 hosts with more than 10 system accounts there are usually one or two with weak passwords. I have found a host where 180 of its 197 accounts had weak passwords.
4. Create two accounts for the administrator
Although this seems to contradict the previous rule, it actually follows it. Create an account with ordinary permissions for receiving mail and handling day-to-day tasks, and another account with Administrators permissions that is used only when needed. Administrators can then use the "runas" command to perform the tasks that require privileges, which keeps management convenient.
5. Rename the system administrator account
Everyone knows that the Administrator account in Windows 2000 cannot be disabled, which means others can keep trying passwords against it. Renaming the Administrator account prevents this. Of course, do not use a name such as admin; that is as good as not renaming it at all. Try to disguise it as an ordinary user, for example: guestone.
6. Create a trap account
What is a trap account? Look: create a local account called "Administrator", set its permissions to the lowest so that it can do nothing, and give it an extremely complex password of more than 10 characters. This keeps script kiddies busy for a while and lets you discover their intrusion attempts; you can also rig its logon script. Oh, enough!
7. Change the permissions of shared files from the "Everyone" group to "Authenticated Users"
"Everyone" means that anyone who can get onto your network can read the shared information. Never set the users of a shared file to the "Everyone" group. This includes printer shares, whose default is also the "Everyone" group; do not forget to change it.
8. Use secure passwords
A good password is very important to a network, but it is easy to neglect; the points above may already have made this clear. When some company administrators create accounts, they often use the company name, the computer name or something similar as the user name, and then give these accounts very simple passwords such as "Welcome", "IloveYou", "Letmein" or the user name itself. Such accounts should be required to change to a complex password at the user's first logon, and password changes should be watched. When I discussed this on IRC a while ago, we came up with a good definition of a good password: one that cannot be cracked within the security period. That is, if someone obtains your password file, it must take them 43 days or longer to crack it, while your password policy forces a change every 42 days.
9. Set a screen saver password
This is also simple and necessary. A screen saver password is another barrier against internal staff damaging the server. Note: do not use OpenGL or other elaborate screen savers, which waste system resources; use a blank screen. The machines used by all system users should ideally have screen saver passwords as well.
10. Use NTFS partitions
Convert all partitions on the server to NTFS. The NTFS file system is much more secure than FAT and FAT32. This needs no elaboration; I expect everyone's servers are already NTFS.
11. Run anti-virus software
I have never seen anti-virus software installed, yet it is very important. Good anti-virus software can not only remove well-known viruses but also a large number of Trojans and backdoor programs, so the well-known Trojans that "hackers" use become useless. Do not forget to update the virus definitions.
12. Keep the backup media safe
Once the system is destroyed, the backup disk is the only way to recover your information. After backing up the data, keep the backup disk in a safe place. Do not keep the backup on the same server; that is no better than not backing up at all.
Intermediate security
1. Use the Win2000 security configuration toolset to configure policy
Microsoft provides a set of MMC (Management Console) Security Configuration and Analysis tools; with them you can configure your server to meet your requirements. For details, see Microsoft's site: www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp
2. Close unnecessary services
Windows 2000 Terminal Services, IIS and RAS may introduce security vulnerabilities into your system. Many machines have Terminal Services enabled so that the server can be managed remotely; if you enable it, make sure it is configured properly. Some malicious programs also run quietly as services. Pay attention to all services on the server and check them regularly (every day). Below are the default services of a C2-level installation:
Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log
3. Close unnecessary ports
Closing ports means reducing functionality, so you have to weigh security against features. If the server sits behind a firewall the risk is lower, but never assume you have nothing to worry about. Scanning the open ports with a port scanner to determine which services are running is the first step an intruder takes against your system. A table of well-known ports and the services behind them is available in the System32\drivers\etc\services file. To restrict ports: Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties; enable TCP/IP Filtering and add the required TCP and UDP ports and protocols.
4. Enable the audit policy
Turning on security auditing is the most basic intrusion detection measure in Win2000. When someone tries something against your system (guessing user passwords, changing account policies, accessing files without authorization), the security audit records it. Many administrators do not know their system has been compromised for months, until it is destroyed. The following audit settings must be turned on; others can be added as needed:
Policy: Setting
Audit system logon events: Success, Failure
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Success
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit system events: Success, Failure
5. Enable the password policy
Policy: Setting
Passwords must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 42 days
6. Enable the account lockout policy
Policy: Setting
Reset account lockout counter after: 20 minutes
Account lockout duration: 20 minutes
Account lockout threshold: 3 invalid logon attempts
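The audit, password and lockout values of items 4 to 6 can be applied in one step with a security template and secedit instead of clicking through the MMC. The script below is an added example, not from the original article; it assumes an elevated PowerShell prompt on the server, and maps the article's "audit system logon events" to the template key AuditAccountLogon.

```powershell
# Added example, not from the original article: build a security template with the
# password, lockout and audit settings of items 4-6 and apply it with secedit.
# Run from an elevated PowerShell prompt on the server being hardened.
# Assumption: "audit system logon events" is mapped to the AuditAccountLogon key.
$template = @'
[Unicode]
Unicode=yes
[System Access]
; item 5: password policy
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 42
; item 6: account lockout policy (minutes / attempts)
ResetLockoutCount = 20
LockoutDuration = 20
LockoutBadCount = 3
[Event Audit]
; item 4: 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@

$work = Join-Path $env:TEMP 'hardening'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'policy.inf'
$sdb = Join-Path $work 'policy.sdb'
$log = Join-Path $work 'policy.log'
# secedit expects a Unicode (UTF-16) template file
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the account and audit policy area; file and registry ACLs are untouched
secedit /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /log $log /quiet

# Verify by exporting the effective policy and showing the keys we set
$effective = Join-Path $work 'effective.inf'
secedit /export /cfg $effective /areas SECURITYPOLICY
Select-String -Path $effective -Pattern '^(Password|MinimumPassword|MaximumPassword|Lockout|ResetLockout|Audit)' |
    ForEach-Object { $_.Line }
```

Check the log file if a line is rejected; secedit reports the offending key and section there.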
7. Set access permissions on the security log
The security log is not protected by default; set it so that only Administrators and the SYSTEM account can access it.
8. Store sensitive files on a separate file server
Although server hard disks are large nowadays, you should still consider whether important user data (files, spreadsheets, project files and so on) should be stored on another secure server and backed up regularly.
9. Do not let the system display the last logged-on user name
By default, when Terminal Services connects to the server, the last logged-on account is shown in the logon dialog; the local logon dialog does the same. This lets someone learn user names on the system and then guess their passwords. Modify the registry so the dialog no longer shows the last user name: set HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName to 1.
10. Prohibit null sessions
By default, any user can enumerate accounts over a null session (empty connection) and then guess passwords. Null sessions can be prohibited by modifying the registry: set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.
11. Download the latest patches from the Microsoft website
Many network administrators have no habit of visiting security sites, so vulnerabilities that have long been public remain unpatched on their servers and become the attacker's target. No one can guarantee that the millions of lines of code in Windows 2000 contain no security vulnerabilities; visiting Microsoft and security sites regularly and downloading the latest service packs and hotfixes is the only way to keep the server secure in the long term.
Advanced security
1. Disable DirectDraw
This is a requirement of the C2 security standard for video cards and memory. Disabling DirectDraw may affect programs that need DirectX (such as games; playing StarCraft on the server... I am dizzy), but for the vast majority of business sites it has no effect. Modify the registry: set Timeout (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI to 0.
2. Close the default shares
After Win2000 is installed, it creates some hidden shares, which you can list from the command prompt (CMD). There are many articles on IPC intrusion on the Internet, so I believe everyone is familiar with it. To stop these shares, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the share in question and choose Stop Sharing; but once the machine restarts, these shares are re-created. The default shares, their paths and functions:
C$, D$, E$ ...: the root of each partition. In Win2000 Professional only members of Administrators and Backup Operators can connect to them; in Win2000 Server, members of Server Operators can connect as well.
ADMIN$: %SYSTEMROOT%; the remote administration share. Its path always points to the Win2000 installation directory, such as C:\WinNT.
FAX$: in Win2000 Server, used by fax clients when sending faxes.
IPC$: empty; the IPC$ share provides the ability to log on to the system.
NETLOGON: used by the Net Logon service of Windows 2000 servers when processing domain logon requests.
PRINT$: %SystemRoot%\System32\spool\drivers; used for remote printer administration.
For specific instructions, refer to: Removing the C$ share in Win2000.
3. Disable dump files
The dump file is very useful for troubleshooting when the system crashes or blue-screens (otherwise I would translate it literally as "garbage file"). However, it can also expose sensitive information, such as the passwords of some applications. To disable it, open Control Panel > System Properties > Advanced > Startup and Recovery and set "Write debugging information" to None. You can turn it back on when you need it.
4. Use the Encrypting File System (EFS)
Windows 2000's powerful encryption system can add a layer of security to disks, folders and files. This prevents others from mounting your hard disk in another machine and reading the data on it. Remember to apply EFS to folders, not just to individual files. For details on EFS see www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
5. Encrypt the Temp folder
When some applications are installed or upgraded, they copy things into the Temp folder but do not clean it out when the upgrade finishes or the program closes. Encrypting the Temp folder therefore protects your files.
6. Lock the registry
In Windows 2000, only Administrators and Backup Operators can access the registry over the network by default. If you feel this is not enough, you can restrict registry access further; see: http://support.microsoft.com/support/kb/articles/q153/1/83.asp
7. Clear the page file at shutdown
The page file, also called the swap file, is a hidden file that Win2000 uses to hold parts of programs and data that do not fit in memory. Some third-party programs keep certain data in memory, so the page file may also contain sensitive information. To clear the page file at shutdown, edit the registry and set ClearPageFileAtShutdown under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to 1.
8. Prohibit booting from floppy disk and CD-ROM
Some third-party tools can bypass the system's security mechanisms by booting from removable media. If your server has very high security requirements, consider removing the floppy and optical drives. Locking the chassis is also a good approach.
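The registry values this article sets by hand (intermediate items 9 and 10, advanced items 1 and 7) and the default shares of advanced item 2 can be audited in one pass. The script below is an added example, not from the original article; it is read-only, assumes an elevated PowerShell prompt, and assumes the "Write debugging information: None" setting of item 3 is stored as CrashDumpEnabled = 0 under CrashControl, which the article itself does not state.

```powershell
# Added example, not from the original article: read-only audit of the registry
# hardening recommended above (intermediate items 9-10, advanced items 1, 3, 7)
# plus a listing of the default administrative shares (advanced item 2).
# Run from an elevated PowerShell prompt; nothing is modified.
# Assumption: item 3's "Write debugging information: None" is stored as
# CrashDumpEnabled = 0 under CrashControl (not stated in the article).
$checks = @(
    @{ Item = 'Hide last logged-on user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'DontDisplayLastUserName'; Want = '1' }
    @{ Item = 'Restrict anonymous (null-session) enumeration'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Want = '1' }
    @{ Item = 'DirectDraw disabled (DCI timeout 0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI'
       Name = 'Timeout'; Want = '0' }
    @{ Item = 'Memory dump disabled (assumed key)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled'; Want = '0' }
    @{ Item = 'Clear page file at shutdown'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Want = '1' }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path $Check.Path) {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    }
    # DontDisplayLastUserName is REG_SZ on Windows 2000 and REG_DWORD on later
    # versions; comparing as strings covers both.
    $status = if ($null -eq $actual) { 'NOT SET' }
              elseif ([string]$actual -eq $Check.Want) { 'OK' }
              else { 'WRONG VALUE' }
    [pscustomobject]@{ Item = $Check.Item; Status = $status; Actual = $actual; Expected = $Check.Want }
}

$checks | ForEach-Object { Test-HardeningValue -Check $_ } | Format-Table -AutoSize

# Default (hidden) administrative shares: any share name ending in $ that is still published
Write-Host 'Administrative shares still present:'
net share | Where-Object { $_ -match '^\S+\$\s' } | ForEach-Object { $_.Trim() }
```

A value reported as NOT SET means the key exists but the value was never created, which on a default installation is the same as the insecure default.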
9. Consider using smart cards instead of passwords
Passwords always put the security administrator in a dilemma: simple passwords are easily attacked with tools such as L0phtCrack, while if passwords are too complex, users write them down everywhere in order to remember them. If conditions allow, smart cards are a good replacement for complex passwords.
10. Consider using IPSec
As its name suggests, IPSec provides security for IP packets: authentication, integrity and optional confidentiality. The sending computer encrypts data before transmission and the receiving computer decrypts it after receipt. Using IPSec can greatly strengthen the system's security. For details on IPSec see: http://www.microsoft.com/China/TechNet/Security/IPSecloc.asp