Windows Server 2003 System Security Configuration Guide (Reprinted)

xiaoxiao, 2021-03-05

Windows Server 2003 is Microsoft's current server operating system. It inherits the usability and stability of Windows 2000 and XP while adding broader hardware support and stronger security features, which makes it a natural choice for small and medium-sized application servers. This article covers two parts of the Windows Server 2003 security policy, enterprise account protection and system monitoring, in the hope of prompting further thought; the ultimate goal is to keep our web server running normally.

I. Security policies for protecting enterprise accounts

Protecting user accounts is mostly a matter of protecting passwords. To keep an attacker from impersonating a user, the usual measures are to make passwords harder to crack, enable an account lockout policy, restrict where and when users may log on, limit external (dial-in) connections, and prevent network sniffing.

1. Make passwords harder to crack

Passwords are made harder to crack mainly by raising their complexity, increasing their length and changing them more often. Left to themselves, users rarely do this, so in a corporate network these habits have to be enforced by policy rather than requested.

Windows provides a set of security settings for exactly this purpose. In Windows Server 2003 the relevant settings are under Password Policy in the security policy tools. A policy can be applied at different scopes depending on the network: the local computer, a domain, or an organizational unit, and the scope determines which computers and accounts it covers.

Take the domain security policy as an example: its scope is every member of the domain. Run Domain Security Policy from Administrative Tools on a domain controller and set the password policy there (Security Settings > Account Policies > Password Policy).

On a single computer the same settings are made under Local Security Policy; they can also be set through Group Policy on a specific organizational unit. Note that for domain accounts only the password and lockout settings in the policy linked at the domain level take effect; a policy linked to an organizational unit affects only the local accounts of the computers in that unit.

2. Enable an account lockout policy

Account lockout means that under certain conditions (for example, an online password-guessing attack against the account using a dictionary or brute force) the account is locked so that it cannot be used for a period of time, which frustrates a sustained guessing attempt.

By default, Windows Server 2003 does not lock accounts at all (the lockout threshold is 0), so nothing limits the attacker's attempts: with enough patience, an automated logon tool and a password dictionary, or even plain brute force, cracking the password is only a matter of time and luck. The first step in configuring lockout is to set the account lockout threshold, that is, the number of failed logons before the account is locked. Failures caused by typing mistakes are normally few, so a threshold of 3 allows three attempts; if all three fail, the account is locked.

Once an account is locked, however, even the legitimate user cannot use it, and only an administrator can re-enable it, which is a nuisance. To soften this, set the lockout duration and the reset counter at the same time, for example lock after 3 failures for 30 minutes and reset the failure counter after 30 minutes. These settings defeat automated guessing tools and wear down a manual attacker's patience. Bear in mind that lockout cuts both ways: an attacker who knows valid user names can deliberately lock accounts, so the inconvenience has to be weighed against the protection, and the security of the system usually wins.
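The password settings from section 1 and the lockout settings from section 2 can be applied as one security template with secedit.exe instead of clicking through the policy editor, which also makes them easy to audit. The script below is an added example and not part of the original article; it assumes an administrator session with Windows PowerShell installed on a stand-alone or member server (the file names under %TEMP% are arbitrary). In a domain, the same template is imported into the policy linked at the domain level.

```powershell
# Added example, not from the original article: enforce the password and
# lockout settings from sections 1 and 2 with a security template and
# secedit.exe, then show the effective values. Assumes an administrator
# PowerShell session; file names under $env:TEMP are arbitrary.

$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Section 1: harder-to-crack passwords
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
; Section 2: lockout (LockoutBadCount = 0, the default, means never lock)
LockoutBadCount = 3
LockoutDuration = 30
ResetLockoutCount = 30
'@

$inf = Join-Path $env:TEMP 'account-hardening.inf'
$db  = Join-Path $env:TEMP 'account-hardening.sdb'
$log = Join-Path $env:TEMP 'account-hardening.log'

# secedit reads templates as Unicode text
$template | Out-File -FilePath $inf -Encoding Unicode

# Dry run first: compare the current settings with the template.
# Settings that differ are written to the log as "Mismatch - <setting>".
secedit /analyze /db $db /cfg $inf /log $log /quiet
Get-Content $log | Select-String 'Mismatch'

# Apply only the SECURITYPOLICY area (account policies, audit policy,
# security options); other template areas are left untouched.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet

# Read back the effective policy; the lockout lines should show 3 / 30 / 30
net accounts
```

Run the analyze step alone first on a production server: it changes nothing and the mismatch list tells you exactly which settings the configure step would alter.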

3. Restrict user logons

Enterprise accounts can also be protected by limiting when and where they may log on. Even if a password leaks, the system can then still block the intruder to some extent. On a Windows Server 2003 network, run Active Directory Users and Computers, select the user and open the account properties.

On the Account tab the logon time and logon location can be restricted. The Logon Hours button sets the hours during which the user may log on, which blocks logons outside working hours. The Log On To button sets the computers from which the user may log on interactively. The account options on the same tab add further restrictions, for example "Smart card is required for interactive logon", which removes password-only authentication; stronger means such as fingerprint verification can also be introduced.

4. Limit external connections

Corporate networks usually offer dial-up access to remote users (travelling staff, customers and so on). Remote dial-up access connects a remote computer to the enterprise LAN over a low-speed dial-up link. Because the access number cannot be hidden, it is often the easiest entry point into the internal network for an attacker, but a few measures reduce the risk considerably.

On a Windows Server 2003 remote access server, every user whose account has dial-in permission is allowed to connect by default. The first step is therefore to grant dial-in permission strictly and to as few accounts as possible: if it is not needed, do not grant it. For particular users and fixed branch offices, callback raises security further. Callback means the server hangs up as soon as the caller has authenticated and then calls the caller back at a number preset by the administrator, so even if the account and its password are cracked the attacker is called back at the legitimate user's number rather than their own. This only holds when the callback number is fixed by the administrator, not when the caller is allowed to supply it. The related Verify Caller-ID option rejects calls from any number other than the one recorded for the user, but it requires caller ID service on the line.

If Active Directory runs in native mode, remote access policies stored on the access server or on an Internet Authentication Service (IAS) server can be used to manage access, with different policies for different scenarios. The details are involved and beyond the scope of this article; consult the product documentation.

5. Restrict membership of privileged groups

Windows Server 2003 has another effective aid against intrusion and administrative oversight: the Restricted Groups security setting, which enforces the membership of a group. In the Domain Security Policy tool, add the group to be restricted under Restricted Groups, typing or browsing for its name in the Group dialog; privileged groups such as Administrators are the usual candidates. Then configure the members of the restricted group in its properties: members can be added or removed there, and once the policy takes effect any account not on the list is removed from the group at each policy refresh, so an attacker cannot quietly add a backdoor account to the group.
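Between policy refreshes, or on a server that does not receive the domain policy, the same property can be checked directly. The script below is an added example and not part of the original article; it lists the local Administrators group through the WinNT ADSI provider and reports any member not on an approved list. The approved list is an assumption for illustration, and Windows PowerShell is assumed to be installed.

```powershell
# Added example, not from the original article: report members of the
# local Administrators group that are not on an approved list, which is
# the condition a Restricted Groups policy enforces. The approved list
# is an assumption; replace it with the names valid in your environment.

$approved = @('Administrator', 'Domain Admins')

function Get-LocalGroupMembers([string]$groupName) {
    # The WinNT provider works on stand-alone and member servers alike
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{ Name = $name; Path = $path }
    }
}

$members    = @(Get-LocalGroupMembers 'Administrators')
$unexpected = @($members | Where-Object { $approved -notcontains $_.Name })

"--- Current Administrators members ---"
$members | Format-Table Name, Path -AutoSize

if ($unexpected.Count -gt 0) {
    Write-Warning ('{0} member(s) not on the approved list:' -f $unexpected.Count)
    $unexpected | Format-Table Name, Path -AutoSize
    # To remove one by hand: net localgroup Administrators <name> /delete
} else {
    'Administrators membership matches the approved list.'
}
```

The ADsPath column distinguishes a local account from a domain account of the same name, which is exactly the kind of lookalike a backdoor account tends to be.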

6. Prevent network sniffing

On a shared-medium LAN every frame reaches every host, so traffic is easy to eavesdrop on. Network sniffing captures the data passing over the network and extracts whatever is valuable. Defending against ordinary sniffing is not difficult and can be done in the following ways:

1) Use a switched network

A switched network has natural immunity to ordinary sniffing. Each switch port is its own collision domain, and the switch forwards a unicast frame only to the port that owns the destination MAC address instead of repeating it to every port. Passive sniffing relies on seeing traffic addressed to other stations, so on a switched network it sees only its own traffic and broadcasts.

As switching has become universal, the threat from sniffing has decreased, but it cannot be ignored. A sniffer on the same segment can still capture a useful range of traffic through ARP spoofing, and an attacker who compromises certain models of switch or router regains the ability to sniff from the device itself.

2) Encrypt the session

Encrypting the sessions between communicating parties is also very effective, especially on a corporate network: even if an attacker sniffs the traffic successfully, all they obtain is ciphertext. There are many ways to encrypt a session, including application-specific encryption, but that generalizes poorly. Strengthening IP communication itself is the more fundamental solution. For historical reasons IP has no built-in security mechanism, and as the Internet grew its security problems became apparent. A standard security architecture has since been established: IPsec, which is also a mandatory part of the next-generation IP standard, IPv6. IPsec is well supported in current operating systems; in the Windows Server 2003 family both the server and client products support it, improving security, scalability and availability while making deployment and management easier.

The management tools are integrated into the security policy tools of Windows Server 2003 (Local Security Policy, Domain Security Policy, Group Policy and so on). For clarity, the following uses a custom Microsoft Management Console (MMC) tool.

Click Run on the Start menu, type mmc and click OK. On the File menu (Console menu in older MMC versions) choose Add/Remove Snap-in and click Add. In the list of available stand-alone snap-ins double-click IP Security Policy Management, choose which computer the snap-in will manage, and click Finish. Close the Add Stand-alone Snap-in dialogs; the new console can then be named and saved.

The console shows the existing IP security policies, which can be added, modified or deleted as needed. Windows Server 2003 ships with the following three policies:

Secure Server (Require Security);

Client (Respond Only);

Server (Request Security).

Client (Respond Only) uses IPsec only when the other party asks for it. Server (Request Security) asks IPsec-capable clients to use IPsec but still allows clients without IPsec to establish unsecured connections. Secure Server (Require Security) is the strictest: both parties must use IPsec.

Even so, the Require Security filter action used by Secure Server (Require Security) still accepts unsecured inbound communication while negotiation is attempted, and the built-in policy permits all ICMP traffic, so some traffic can still travel in the clear and be eavesdropped. Effective protection requires modifying this policy or building a custom one. Select the All IP Traffic rule and edit its properties.

On the Filter Action tab select Require Security and open its properties. The security methods can be edited there: choose the High (ESP) method, which provides both integrity and encryption, and clear the option that accepts unsecured communication.

The IPsec configuration above suits an enterprise network, and Group Policy can require IPsec-encrypted communication on every computer in the network. Such a strict requirement causes some inconvenience, but it is worth it for system security. IPsec is also used by VPN technology, where it encrypts the data stream inside the IP tunnel.
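The same policy can be built from the command line, which makes the two settings responsible for clear-text fallback explicit instead of hidden behind checkboxes. The script below is an added example and not part of the original article; it assumes the netsh ipsec static context (present on Windows Server 2003 and XP SP2) and a domain member so that Kerberos authentication is available. The policy, filter-list and filter-action names are arbitrary.

```powershell
# Added example, not from the original article: an IPsec policy that, unlike
# the built-in Secure Server (Require Security) policy, neither accepts
# unsecured inbound traffic nor falls back to clear text. Names are
# arbitrary; netsh ipsec static is assumed available on this host.

$policy = 'RequireESP'

# 1. Policy container, created unassigned so it can be reviewed first
netsh ipsec static add policy name=$policy description=AllTrafficESP assign=no

# 2. Filter list: all IP traffic between this host and any peer, mirrored
#    so the rule covers both directions
netsh ipsec static add filterlist name=AllIP
netsh ipsec static add filter filterlist=AllIP srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# 3. Filter action: negotiate ESP (3DES confidentiality, SHA1 integrity).
#    inpass=no -> do not accept unsecured inbound traffic while negotiating
#    soft=no   -> never fall back to clear text with non-IPsec peers
netsh ipsec static add filteraction name=ESPOnly action=negotiate "qmsecmethods=ESP[3DES,SHA1]" inpass=no soft=no qmpfs=yes

# 4. Rule binding the filter list to the action; Kerberos for domain members
netsh ipsec static add rule name=AllIPRule policy=$policy filterlist=AllIP filteraction=ESPOnly kerberos=yes

# 5. Activate the policy on this host (set assign=no to back it out)
netsh ipsec static set policy name=$policy assign=yes

# Confirm the policy and, once traffic flows, the negotiated quick-mode SAs
netsh ipsec static show policy name=$policy level=verbose
netsh ipsec dynamic show qmsas
```

Test this on a single host with console access before deploying it by Group Policy: once assigned, the host talks only to peers that can negotiate IPsec with it (IKE itself is exempt), so domain controllers and DNS servers need a compatible policy or a separate permit rule for their addresses, and ICMP is covered as well, so ping from non-IPsec hosts stops working.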

Where host-to-host IPsec is impractical, consider a VPN. A virtual private network is currently the best solution for secure communication between endpoints across an open network, mainly for connecting clients to servers over it, for example a client reaching an enterprise or departmental private network over the Internet or an intranet.

II. Security policies for monitoring enterprise systems

Even with constant patching, new vulnerabilities keep appearing because of the complexity of software. Besides repairing known vulnerabilities, the running state of the system must be monitored so that exploitation of any vulnerability is noticed in time. Monitoring matters all the more when a vulnerability is already known but not yet fully patched.

1. Enable the system audit mechanism

The audit mechanism tracks events of various types and writes them to log files, which administrators analyze to find system and application failures as well as security events.

Operating systems and applications all have logging, so events occurring in the system can be recorded as they happen, and intrusions and intrusion attempts can be found from the records. Doing so requires some knowledge: first learn how to configure the system so that the relevant audit policies are enabled and the various security events are recorded.

On Windows Server 2003 servers and workstations the default security policy audits very little, to avoid affecting performance. Comparing the system against a security template with the Security Configuration and Analysis tool (the graphical front end to secedit) marks the audit settings that differ from the template with red icons; those categories should be enabled, at minimum logon events and account logon events for both success and failure, which exposes external attackers and internal misuse alike. On critical application and file servers, enable the remaining audit categories as well.

If Audit Object Access is enabled, the file system must be NTFS. NTFS provides not only access control but also auditing of user access; however, the audit entries (the SACL) have to be configured on each object to be watched, otherwise the policy records nothing.

Open the object's Properties, go to the Security tab, click Advanced and on the Auditing tab add the users and groups to be audited; then choose, for each selected principal, which accesses and which outcomes (success, failure) to audit. Once all audit policies are in effect, the attacker's traces can be found by examining the system's security log.
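Both halves of this procedure, the audit policy and the per-object SACL, can be scripted. The script below is an added example and not part of the original article; it assumes an administrator session with Windows PowerShell installed, and the folder path D:\wwwroot is an assumption standing in for the content to be watched.

```powershell
# Added example, not from the original article: enable the audit categories
# that are off by default, then put a SACL on a folder so that object-access
# auditing actually records something. The folder path is an assumption.
# Audit values: 0 none, 1 success, 2 failure, 3 success and failure.

$auditTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 3
AuditProcessTracking = 0
AuditDSAccess = 0
'@

$inf = Join-Path $env:TEMP 'audit-policy.inf'
$db  = Join-Path $env:TEMP 'audit-policy.sdb'
$auditTemplate | Out-File -FilePath $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Object-access auditing fires only for objects carrying a SACL on NTFS.
# Record successful and failed attempts by anyone to change or delete
# content under the web root, or to alter its permissions or ownership.
$folder = 'D:\wwwroot'   # assumed path
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the SACL back; matching accesses now appear in the Security log as
# event 560 (object open) and 567 (object access attempt)
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags -AutoSize
```

Audit only the rights you intend to act on: auditing ReadData on a busy web root fills the Security log with one event per request and buries the entries that matter.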

2. Log monitoring

Once the audit policy is enabled, the administrator must review the security log regularly, otherwise the chance for timely remediation and defense is lost. Besides the security log, check the log files of the various services and applications. In IIS 6.0 on Windows Server 2003 logging is enabled by default and the log files are stored under %SystemRoot%\system32\LogFiles, one W3SVCn folder per site. Opening an IIS log shows every HTTP request made to the web server, so the built-in IIS 6.0 logging serves, to some extent, as a resource for intrusion detection.
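Reading IIS logs by eye does not scale, so the check worth automating is the one that singles out clients probing for known-bad paths or generating unusual numbers of errors. The script below is an added example and not part of the original article; the log lines it parses are constructed for the example (the addresses are documentation ranges), and on a real server the file under %SystemRoot%\system32\LogFiles\W3SVC1 would be read instead. Windows PowerShell is assumed to be installed.

```powershell
# Added example, not from the original article: parse an IIS 6.0 W3C log
# and report clients that request known-bad paths or pile up errors.
# The log text below is constructed; replace it with
# Get-Content "$env:SystemRoot\system32\LogFiles\W3SVC1\ex<yymmdd>.log".

$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2004-03-01 00:00:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2004-03-01 00:00:02 10.0.0.5 GET /msadc/root.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2004-03-01 00:00:03 10.0.0.5 GET /_vti_bin/owssvr.dll - 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2004-03-01 00:00:04 10.0.0.5 GET /products.asp id=7 80 - 192.0.2.11 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2004-03-01 00:00:05 10.0.0.5 POST /login.asp - 80 - 203.0.113.9 Mozilla/4.0 500 0 0
'@

function ConvertFrom-IisW3CLog([string[]]$lines) {
    # Column names come from the #Fields: directive, so the parser follows
    # whatever fields the site has enabled instead of a fixed layout.
    $fields = $null
    foreach ($line in $lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim().Split(' ')
            continue
        }
        if ($line.StartsWith('#') -or $line.Trim().Length -eq 0 -or -not $fields) { continue }
        $values = $line.Split(' ')
        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Length; $i++) {
            Add-Member -InputObject $entry -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
        }
        $entry
    }
}

$entries = @(ConvertFrom-IisW3CLog ($sampleLog -split "`r?`n"))

# Path fragments typical of directory traversal and Code Red / Nimda probes
$probePattern = '(?i)(\.\./|%2e%2e|%255c|%c0%af|cmd\.exe|root\.exe|/msadc/|/scripts/)'

"--- Requests matching known probe patterns ---"
$entries | Where-Object { ($_.'cs-uri-stem' + '?' + $_.'cs-uri-query') -match $probePattern } |
    Format-Table date, time, 'c-ip', 'cs-uri-stem', 'sc-status' -AutoSize

"--- Clients with three or more error responses (status 400 and above) ---"
$entries | Group-Object 'c-ip' | ForEach-Object {
    $errors = @($_.Group | Where-Object { [int]$_.'sc-status' -ge 400 }).Count
    New-Object PSObject -Property @{ Client = $_.Name; Requests = $_.Count; Errors = $errors }
} | Where-Object { $_.Errors -ge 3 } | Format-Table Client, Requests, Errors -AutoSize
```

With the constructed input, 198.51.100.7 is reported by both checks; the single 500 from 203.0.113.9 is not, which is deliberate, since one server error is an application problem to look at rather than a scanner signature.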

3. Monitor open ports and connections

Log monitoring only finds intrusions that have already happened; it is of no help against an intrusion or destructive activity in progress. For that, administrators need some basic real-time monitoring techniques.

After a system is compromised or infected, a Trojan or backdoor is usually left behind, and when it communicates with the outside it establishes a socket connection that can be detected. The netstat command shows the session state: the open ports and the established connections. Dedicated port and connection monitoring programs do the same more conveniently.

4. Monitor shares

Shares are the most convenient way into a system. If access is not strictly controlled, the easiest route is the hidden administrative shares (C$, ADMIN$, IPC$): once an attacker has scanned the address and obtained a user password, NET USE connects to the share. In addition, browsing a web page that contains a malicious script may result in the computer's drive being shared, so monitoring this host's shares and share connections is important.
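The checks in this section, which shares exist, who is connected, and whether IPC$ still allows null sessions, can be run as one script. The one below is an added example and not part of the original article; the list of approved shares is an assumption, and Windows PowerShell is assumed to be installed.

```powershell
# Added example, not from the original article: enumerate the shares and
# sessions this host exposes, flag unexpected shares, and read the registry
# values that decide what a null session on IPC$ may enumerate. The
# approved-share list is an assumption for this server.

$approvedShares = @('C$', 'ADMIN$', 'IPC$')

# Win32_Share.Type: 0 disk, 1 printer, 2 device, 3 IPC; 0x80000000 set = admin share
"--- Shares ---"
$shares = @(Get-WmiObject Win32_Share | ForEach-Object {
    New-Object PSObject -Property @{
        Name  = $_.Name
        Path  = $_.Path
        Admin = (($_.Type -band 0x80000000) -ne 0)
    }
})
$shares | Format-Table Name, Path, Admin -AutoSize

foreach ($s in ($shares | Where-Object { $approvedShares -notcontains $_.Name })) {
    Write-Warning ('Unexpected share {0} -> {1} (remove with: net share {0} /delete)' -f $s.Name, $s.Path)
}

"--- Sessions connected to this host ---"
net session

# Windows Server 2003 defaults: RestrictAnonymous=0, RestrictAnonymousSAM=1,
# EveryoneIncludesAnonymous=0. With RestrictAnonymous=0 a null session can
# still list shares; RestrictAnonymousSAM=1 stops it from listing accounts.
"--- Null-session settings ---"
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
    '{0,-26} = {1}' -f $name, $lsa.$name
}
if ($lsa.RestrictAnonymous -eq 0) {
    Write-Warning 'Null sessions can still enumerate shares; set RestrictAnonymous to 1 (security option "Do not allow anonymous enumeration of SAM accounts and shares")'
}
```

Setting RestrictAnonymous to 1 breaks nothing on a web server, but on a file server test it first: some older clients and trust relationships rely on anonymous enumeration.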

To monitor the shares and connections on this host: on the Windows Server 2003 computer open Computer Management and expand Shared Folders. Click Shares to see, in the right pane, whether a new suspicious share has appeared; delete any suspicious share immediately. Click Sessions to see who is connected to this machine. The Windows NT/2000 IPC$ null-session weakness remains one of the most damaging: without cracking any password, an attacker can connect to the system with a null session and use it to enumerate users and shares in preparation for further attempts.

5. Monitor processes and system information

Against Trojans and remote-control tools, besides monitoring open ports, examine the process list in Task Manager. After installing the Windows Server 2003 Support Tools from the product CD, Process Viewer (pviewer) is also available; a hidden process often attaches itself to another process, so the anomaly may show in that process's memory image. Current Trojans are increasingly hard to spot, and they often register themselves as a service so that nothing stands out in the process list. Monitoring must therefore also cover other system information, such as the Services and Startup Programs entries under Software Environment in System Information.
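Sections 3 and 5 come together in one check: every listening socket should be traceable to a known process, and every service to a binary in an expected location. The script below is an added example and not part of the original article; it uses netstat -ano, which Windows Server 2003 provides, and WMI. The list of expected ports is an assumption for a web server, and Windows PowerShell is assumed to be installed.

```powershell
# Added example, not from the original article: map listening sockets to
# the process and service behind them, flag listeners outside the expected
# set, and list services whose binary sits outside the system folders.
# The expected-port list is an assumption for a web server.

$expectedPorts = @(80, 443, 135, 139, 445, 3389)

function Get-Listener {
    # netstat -ano columns: Proto, Local Address, Foreign Address, [State,] PID
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            New-Object PSObject -Property @{ Proto = 'TCP'; Port = [int]($f[1] -replace '^.*:', ''); ProcessId = [int]$f[4] }
        } elseif ($f[0] -eq 'UDP') {
            New-Object PSObject -Property @{ Proto = 'UDP'; Port = [int]($f[1] -replace '^.*:', ''); ProcessId = [int]$f[3] }
        }
    }
}

# Index processes by PID, and services by the PID that hosts them
$procByPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[int]$_.ProcessId] = $_ }
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

"--- Listening sockets and their owners ---"
Get-Listener | Sort-Object Proto, Port | ForEach-Object {
    $p = $procByPid[$_.ProcessId]
    $image = '(unknown)'
    if ($p) { $image = $p.ExecutablePath; if (-not $image) { $image = $p.Name } }
    $note = ''
    if ($expectedPorts -notcontains $_.Port) { $note = 'UNEXPECTED' }
    New-Object PSObject -Property @{
        Proto = $_.Proto; Port = $_.Port; PID = $_.ProcessId
        Image = $image; Services = ($svcByPid[$_.ProcessId] -join ','); Note = $note
    }
} | Format-Table Proto, Port, PID, Image, Services, Note -AutoSize

"--- Services whose binary is outside the Windows and Program Files folders ---"
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles) | ForEach-Object { $_.ToLower() }
Get-WmiObject Win32_Service | Where-Object {
    $path = [Environment]::ExpandEnvironmentVariables([string]$_.PathName).ToLower()
    $inside = $false
    foreach ($root in $trustedRoots) { if ($path.Contains($root)) { $inside = $true } }
    -not $inside
} | Format-Table Name, State, StartMode, PathName -AutoSize
```

A listener owned by svchost.exe is only as trustworthy as the services hosted in that PID, which is why the Services column matters: a backdoor registered as a service under a plausible name shows up there, and in the second table when its binary lives somewhere like a temp or profile folder.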

Please credit the original address when reprinting: https://www.9cbs.com/read-38440.html
