Windows 2000 Security Checklist
Windows 2000 contains a lot of security features and options; if they are configured reasonably, Windows 2000 can be a safe operating system. I took the time to go through some websites, translated the material, and added a number of items to make this checklist, which I hope will be of some help to Win2000 administrators. There is nothing deep in this article; a so-called checklist is never perfect, and many things should be added to it later. I hope it gives administrators a reference.
The specific list is as follows:
Basic security
1. Physical security
The server should be placed in an isolated room with a monitoring camera installed, and the monitoring system should keep at least 15 days of recordings. In addition, the chassis, the keyboard and the computer desk drawers should be locked so that the machine cannot be used even by someone who gets into the room, and the keys should be kept somewhere else that is secure.
2. Disable the Guest account
Disable the Guest account in Computer Management > Users so that no one can log on to the system as Guest. To be on the safe side, it is best to give Guest a complex password as well: open Notepad, type a long string containing special characters and numbers, and paste it in as the Guest account's password.
3. Limit the number of unnecessary users
Remove all duplicate user accounts, test accounts, shared accounts, generic department accounts and so on. Use Group Policy to assign the appropriate permissions to user groups, check the system's accounts often, and delete accounts that are no longer in use. These accounts are often the way hackers break into a system: the more accounts a system has, the more likely it is that a hacker gets hold of a legitimate user's access, and usually the more powerful that user is. On domestic NT/2000 hosts, if a system has more than 10 accounts there are usually one or two with weak passwords. I have found a host where 180 of its 197 accounts had weak passwords.
4. Create two accounts for the administrator
Although this seems to contradict the rule above, it actually follows it. Create an account with ordinary permissions for receiving mail and handling daily tasks, and another account with Administrators permissions that is used only when needed. Administrators can use the "runas" command to perform the tasks that require privileges, which makes management convenient.
5. Rename the system administrator account
Everyone knows that the Windows 2000 Administrator account cannot be disabled, which means others can try this account's password over and over again. Renaming the Administrator account prevents this. Of course, do not use a name like admin; that is as good as not changing it. Try to disguise it as an ordinary user, for example: guestone.
6. Create a trap account
Create a local account named "Administrator", give it the lowest permissions so that it can do nothing, and set a super-complex password of more than 10 characters. This keeps script kiddies busy for a while and lets you discover their intrusion attempts. You can also rig its logon script to alert you. Enough on that.
7. Change the permissions on shared files from the "Everyone" group to "Authenticated Users"
"Everyone" means anyone who can get onto your network can get at this shared information. Never set the users of a shared file to the "Everyone" group. This includes printer shares, whose default is also the "Everyone" group; do not forget to change it.
8. Use secure passwords
A good password is very important for a network, but it is easily ignored; what was said earlier may already have explained this. When some company administrators create accounts, they often use the company name, the computer name or something similar as the user name, and then set the passwords of these accounts to something simple such as "Welcome", "IloveYou", "Letmein", or the same as the user name. Such accounts should be required to change to a complex password when the user first logs on, and the password should also be changed regularly. When I discussed this problem on IRC earlier, we gave a good password a definition: a good password is one that cannot be cracked within the security period. That is, if someone gets hold of your password file, it must take 43 days or longer to crack, while your password policy requires a password change every 42 days.
9. Set a screen saver password
This is also very simple and necessary. Setting a screen saver password is another barrier against internal staff tampering with the server. Do not use OpenGL or other complex screen savers, which waste system resources; just let it blank the screen. It is also best to put screen saver passwords on the machines of all system users.
10. Use NTFS partitions
Change all partitions of the server to NTFS. The NTFS file system is far more secure than FAT and FAT32; this needs no further explanation, and I expect everyone's servers are already NTFS.
11. Run anti-virus software
I have never seen anti-virus software installed on such servers, but in fact it is very important. Good anti-virus software can not only kill the well-known viruses, but also a large number of Trojans and backdoor programs, so the well-known Trojans used by "hackers" become useless. Do not forget to update the virus definitions.
12. Keep the backup disks safe
Once the system is destroyed, the backup disks are the only way to recover your information. After backing up the data, keep the backup disks in a safe place. Do not put your backups on the same server; otherwise you might as well not back up at all.
Intermediate security
1. Use the Win2000 Security Configuration Tool to configure the policies
Microsoft provides a set of MMC (Microsoft Management Console) Security Configuration and Analysis tools; with them you can configure your server to meet your requirements. For details, see the Microsoft page: http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp
2. Close unnecessary services
Windows 2000 Terminal Services, IIS and RAS can all bring security vulnerabilities to your system. Many machines have Terminal Services open so that the server can be managed remotely; if you have it open, make sure you have configured Terminal Services properly. Some malicious programs can also run quietly as services. Pay attention to all the services on the server and check them regularly (every day). Below are the default services of a C2-level installation:
Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log
3. Close unnecessary ports
Closing ports means reducing functionality, so you need to weigh security against features. If the server is behind a firewall the risk is lower, but never think you have nothing to worry about. Scanning the open ports with a port scanner and determining which services are open is the first step of a hacker's intrusion into your system. The table of well-known ports and their services in the \system32\drivers\etc\services file can be used as a reference. Specifically: My Network Places > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties; enable TCP/IP Filtering and add the required TCP ports, UDP ports and protocols.
4. Enable the audit policy
Enabling security auditing is the most basic intrusion detection method in Win2000. When someone tries something against your system (such as guessing user passwords, changing account policies, or accessing files without permission), it is recorded by the security audit. Many administrators do not know that their system has been intruded for months, until it is destroyed. The following audits must be turned on; others can be added as needed:
Policy | Setting
Audit system logon events | Success, Failure
Audit account management | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success
Audit policy change | Success, Failure
Audit privilege use | Success, Failure
Audit system events | Success, Failure
5. Enable the password policy
Policy | Setting
Passwords must meet complexity requirements | Enabled
Minimum password length | 6
Enforce password history | 5
Maximum password age | 42 days
6. Enable the account lockout policy
Policy | Setting
Reset account lockout counter after | 20 minutes
Account lockout duration | 20 minutes
Account lockout threshold | 3 attempts
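To make the interaction between these three settings concrete, here is an added simulation (example code, not from the original checklist) of how the lockout counter, its reset window and the lockout duration behave together; the two attempt sequences are constructed inputs.

```python
# Simulation of the Windows 2000 account lockout policy above (added example,
# not part of the original checklist). Time is measured in whole minutes.
LOCKOUT_THRESHOLD = 3   # bad attempts before the account is locked
LOCKOUT_DURATION = 20   # minutes the account stays locked
COUNTER_RESET = 20      # minutes without a failure after which the bad-attempt counter resets


class AccountLockoutPolicy:
    """Tracks bad-password attempts per user the way the lockout policy does."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 duration=LOCKOUT_DURATION, reset=COUNTER_RESET):
        self.threshold = threshold
        self.duration = duration
        self.reset = reset
        # user -> {"bad": failures so far, "last_bad": minute of last failure,
        #          "locked_until": minute the lockout expires (or None)}
        self.state = {}

    def attempt(self, user, password_ok, minute):
        """Record one logon attempt and return 'success', 'failed' or 'locked'."""
        s = self.state.setdefault(
            user, {"bad": 0, "last_bad": None, "locked_until": None})

        # While the lockout is in force, even the correct password is refused.
        if s["locked_until"] is not None:
            if minute < s["locked_until"]:
                return "locked"
            # Lockout duration has elapsed: unlock and start counting afresh.
            s["locked_until"] = None
            s["bad"] = 0

        # "Reset account lockout counter after": a quiet period wipes the count.
        if s["last_bad"] is not None and minute - s["last_bad"] >= self.reset:
            s["bad"] = 0

        if password_ok:
            s["bad"] = 0
            s["last_bad"] = None
            return "success"

        s["bad"] += 1
        s["last_bad"] = minute
        if s["bad"] >= self.threshold:
            s["locked_until"] = minute + self.duration
            return "locked"
        return "failed"


def simulate(events, policy=None):
    """events: list of (minute, user, password_ok). Returns one outcome per event."""
    policy = policy or AccountLockoutPolicy()
    return [policy.attempt(user, ok, minute) for minute, user, ok in events]


# Constructed scenario 1: three wrong passwords within two minutes, then the
# real password at minute 5 (still locked) and again at minute 25 (unlocked).
FAST_GUESSER = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
                (5, "alice", True), (25, "alice", True)]

# Constructed scenario 2: one wrong password every 21 minutes. Each failure
# lands after the 20-minute reset window, so the counter never reaches 3 and
# the account is never locked: the lockout policy alone does not catch a
# patient guesser, which is why the audit policy in item 4 is still needed.
SLOW_GUESSER = [(0, "bob", False), (21, "bob", False), (42, "bob", False)]


if __name__ == "__main__":
    print("fast guesser:", simulate(FAST_GUESSER))
    print("slow guesser:", simulate(SLOW_GUESSER))
```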
7. Set the access permissions of the security log
The security log is not protected by default; set it so that only Administrators and the SYSTEM account can access it.
8. Store sensitive files on a separate file server
Although server hard disks are large nowadays, you should still consider whether it is necessary to store important user data (files, spreadsheets, project files, etc.) on another secure server and back it up often.
9. Do not let the system display the last logged-on user name
By default, when Terminal Services connects to the server, the last logged-on account is shown in the logon dialog, and the local logon dialog does the same. This lets someone obtain some of the system's user names and then guess their passwords. Modifying the registry stops the dialog from displaying the last user name: set HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) to 1.
10. Prohibit null sessions
By default, any user can enumerate accounts over a null session and then guess their passwords. We can prohibit establishing null sessions by modifying the registry: set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.
11. Download the latest patches from the Microsoft website
Many network administrators have no habit of visiting security sites, so a vulnerability may have been public for a long time while the server is still unpatched and becomes a target. Nobody can guarantee that the millions of lines of code in Windows 2000 have no security holes; visiting Microsoft and some security sites often and downloading the latest service packs and hotfixes is the only way to ensure the server's long-term security.
Advanced security
1. Close DirectDraw
This is a requirement of the C2 security standard for video cards and memory. Turning off DirectDraw may affect programs that need DirectX (such as games; playing StarCraft on the server... I'm dizzy), but for the vast majority of business sites it has no effect. Modify the registry: set HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI\Timeout (REG_DWORD) to 0.
2. Close the default shares
After Win2000 is installed, it creates some hidden shares, which you can see from the command prompt. There are many articles on the Internet about IPC$ intrusion, and I believe everyone is familiar with them. To stop these shares, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the shared folder and choose Stop Sharing; but once the machine is restarted, these shares are opened again.
Default shares: path and function
Share | Path | Function
C$ D$ E$ ... | Root of each partition | In Win2000 Professional only members of Administrators and Backup Operators can connect; in Win2000 Server members of Server Operators can connect to these shares as well.
ADMIN$ | %SYSTEMROOT% | Remote administration share; its path always points to the Win2000 installation directory, e.g. C:\Winnt.
FAX$ | | In Win2000 Server, FAX$ is used by fax clients.
IPC$ | (none) | Provides the ability to log on to the system.
NETLOGON | | Used by the Net Logon service of Windows 2000 servers when processing domain logon requests.
PRINT$ | %SYSTEMROOT%\system32\spool\drivers | Used for remote management of printers.
3. Disable dump files
The dump file is very useful for locating the problem when the system crashes or blue-screens (otherwise I would translate it literally as "garbage file"). However, it can also give away sensitive information such as the passwords of some applications. To disable it, open Control Panel > System Properties > Advanced > Startup and Recovery and change Write Debugging Information to None. When you need it, you can turn it back on.
4. Use the Encrypting File System (EFS)
Windows 2000's powerful encryption system can add a layer of security to disks, folders and files. This prevents others from mounting your hard disk in another machine to read the data on it. Remember to apply EFS to folders, not just single files. For details about EFS see http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
5. Encrypt the Temp folder
When some applications are installed or upgraded, things are copied to the Temp folder, but when the program finishes upgrading or closes, it does not clear the contents of the Temp folder. So encrypting the Temp folder gives your files some protection.
6. Lock the registry
In Windows 2000, only Administrators and Backup Operators can access the registry over the network. If you think that is not enough, you can further restrict registry access permissions. For details see: http://support.microsoft.com/support/kb/articles/q153/1/83.asp
7. Clear the page file at shutdown
The page file (also called the swap file) is a hidden file that Win2000 uses to store the parts of programs and data files that do not fit in memory. Some third-party programs can leave parts of their memory contents in it, so the page file may also contain sensitive information. To clear the page file at shutdown, edit the registry: under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management set the value ClearPageFileAtShutdown to 1.
8. Prohibit booting the system from floppy disk or CD-ROM
Some third-party tools can bypass the original security mechanisms by booting the system from their own media. If your server has very high security requirements, consider removing the floppy drive and the CD-ROM drive. Locking the chassis and throwing away the key is also a good way.
9. Consider using smart cards instead of passwords
Passwords always put the security administrator in a dilemma: if they are easy, they are easy to crack with tools such as L0phtCrack; if they are too complex, users write them down everywhere in order to remember them. If conditions allow, replacing complex passwords with smart cards is a good solution.
10. Consider using IPSec
As its name implies, IPSec provides security for IP packets. IPSec provides authentication, integrity and optional confidentiality. The sending computer encrypts data before transmission and the receiving computer decrypts it after receipt. Using IPSec can greatly enhance the security of the system. Details about IPSec: http://www.microsoft.com/china/technet/security/ipsecloc.asp
SQL Server Security Checklist
1. Confirm that the latest patches for NT/2000 and SQL Server have been installed. Needless to say, everyone should have installed them, but I think it is best to remind you here.
2. Assess and choose the network protocol that gives the most security without affecting functionality. Multiprotocol is a wise choice, but it sometimes cannot be used in a heterogeneous environment.
3. Set strong passwords for the "sa" and "probe" accounts to enhance their security. Set a strong password and keep it in a safe place. Note: the probe account is used for performance analysis and distributed transactions. When it is used in standard security mode, setting a high-strength password on this account can affect certain functions.
4. Use a low-privileged user account as the service account for the SQL Server service; do not use LocalSystem or sa. This account should have minimal rights (note that the "Log on as a service" right is required) and should help contain (but not stop) an attack on the server if it is compromised. Note that when you use Enterprise Manager to do this, the ACLs on files, the registry and the user rights are handled for you at the same time.
5. Make sure all SQL Server data and system files are on an NTFS partition and that appropriate ACLs are applied. If someone gains access to the operating system, this level of permissions can prevent the intruder from damaging the data and avoid a major disaster.
6. If you do not use xp_cmdshell, turn it off. If you are using SQL 6.5, at least restrict non-sa users from using xp_cmdshell by running it under the SQLExecutiveCmdExec account. In any ISQL/OSQL window (or Query Analyzer):
use master
exec sp_dropextendedproc 'xp_cmdshell'
For details on SQLExecutiveCmdExec, see the following article:
http://support.microsoft.com/support/kb/article/q159/2/21
If you do not need xp_cmdshell, stop it. Remember that a system administrator can always add it back if needed. This is also a good point: an intruder may find that it is not there and simply add it back. Consider also removing the DLL below, but test first, since some DLLs are used by more than one program. To find the other programs that use the same DLL, first get the DLL:
select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and o.name = 'xp_cmdshell'
Second, find the other extended stored procedures that use the same DLL:
select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and c.text = 'xplog70.dll'
You can use the same approach for the other procedures you want to remove in the following steps.
7. If you do not need them, disable the OLE Automation stored procedures (warning: when these stored procedures are removed, some Enterprise Manager features may be lost). These include:
sp_OACreate
sp_OADestroy
sp_OAGetErrorInfo
sp_OAGetProperty
sp_OAMethod
sp_OASetProperty
sp_OAStop
If you decide to drop these procedures, write a script so that you can add them back when you need them. Remember, what we are doing here is locking down a production application; your development platform should be on other machines.
8. Disable the registry access procedures you do not need (with the same warning as above). These include:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumvalues
xp_regremovemultistring
Note: I previously listed xp_regread/xp_regwrite here, but removing these procedures affects some main functions, including logging and setup, so removing them is not recommended.
9. Remove other system procedures that you think could pose a threat. There are quite a few of them, and they also waste some CPU time. Be careful not to do this on a production server; test first on a development machine and confirm that it does not affect any system function. Here is the list we recommend assessing:
sp_sdidebug
xp_availablemedia
xp_cmdshell
xp_deletemail
xp_dirtree
xp_dropwebtask
xp_dsninfo
xp_enumdsn
xp_enumerrorlogs
xp_enumgroups
xp_enumqueuedtasks
xp_eventlog
xp_findnextmsg
xp_fixeddrives
xp_getfiledetails
xp_getnetname
xp_grantlogin
xp_logevent
xp_loginconfig
xp_logininfo
xp_makewebtask
xp_msver
xp_perfend
xp_perfmonitor
xp_perfsample
xp_perfstart
xp_readerrorlog
xp_readmail
xp_revokelogin
xp_runwebtask
xp_schedulersignal
xp_sendmail
xp_servicecontrol
xp_snmp_getstate
xp_snmp_raisetrap
xp_sprintf
xp_sqlinventory
xp_sqlregister
xp_sqltrace
xp_sscanf
xp_startmail
xp_stopmail
xp_subdirs
xp_unc_to_drive
10. Disable the default login under "Security Options" in Enterprise Manager (SQL 6.5 only). When integrated security is used, this prevents logins that are not in the syslogins table from logging in to a valid database server.
11. Remove the guest account from databases to keep unauthorized users out. The exceptions are the master and tempdb databases, because the guest account is required there.
12. If you do not need it, disable SQL Mail. Its presence gives potential attackers a way to deliver Trojans or viruses, or simply to carry out a DoS attack.
13. Check master..sp_helpstartup for suspicious Trojan procedures. Make sure no one has placed a hidden backdoor program there. Use sp_unmakestartup to remove any suspicious procedures.
14. Check master..sp_password for Trojan code. Compare your production scripts with the default scripts of a freshly installed system, and keep a copy handy.
15. Log all user access. Do this from Enterprise Manager or by entering the following in Query Analyzer as sa:
xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3
16. Rewrite applications to use more user-defined stored procedures and views, so that general access to the tables can be disabled. Here you should also see a performance boost, since regular query planning is no longer needed.
17. Remove unwanted network protocols.
18. Pay attention to the physical security of the SQL server. Lock it in a secure room and take care of the key. As long as someone can get to the server, they will always find a way in.
19. Set up a scheduled task that runs:
findstr /C:"Login Failed" \mssql7\log\*.*
Then redirect the output to a text file or an e-mail so that you can monitor failed login attempts. This also gives the system administrator a good record of attacks. There are also many third-party tools for analyzing NT event logs. Note: you may need to change the path to where you installed SQL.
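The same check as an added example (not from the original checklist), written in Python instead of FINDSTR: it parses SQL Server errorlog lines, counts failed logins per login name and flags the ones that exceed a threshold, producing the report that item 19 says to write to a file or mail out. The errorlog lines are constructed samples, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of SQL Server errorlog lines (not a real capture). The
# "Login failed for user" text is what the FINDSTR task above looks for.
SAMPLE_ERRORLOG = """\
2000-03-01 08:59:12.10 server    Microsoft SQL Server  7.00 - 7.00.623 (Intel X86)
2000-03-01 09:00:01.32 logon     Login failed for user 'sa'.
2000-03-01 09:00:03.07 logon     Login failed for user 'sa'.
2000-03-01 09:00:05.44 logon     Login failed for user 'sa'.
2000-03-01 09:00:07.91 logon     Login failed for user 'sa'.
2000-03-01 09:15:40.00 logon     Login failed for user 'probe'.
2000-03-01 09:20:11.55 spid12    Starting up database 'pubs'.
2000-03-01 09:31:02.18 logon     Login failed for user 'SalesApp'.
"""

# One errorlog line: timestamp, source column, message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<src>\S+)\s+(?P<msg>.*)$")
# Matched case-insensitively; the login name inside the quotes is captured.
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'", re.IGNORECASE)


def parse_failed_logins(text):
    """Return (timestamp, user) for every failed-login line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or continuation lines
        f = FAILED_RE.search(m.group("msg"))
        if f:
            found.append((m.group("ts"), f.group("user")))
    return found


def failures_by_user(text):
    """Number of failed logins per login name."""
    return Counter(user for _, user in parse_failed_logins(text))


def flagged_users(text, threshold=3):
    """Logins with at least `threshold` failures, most failures first."""
    counts = failures_by_user(text)
    return sorted(((u, n) for u, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def report(text, threshold=3):
    """Plain-text report suitable for redirecting to a file or mailing out."""
    events = parse_failed_logins(text)
    lines = ["%d failed login(s) found" % len(events)]
    for user, n in failures_by_user(text).most_common():
        first = min(ts for ts, u in events if u == user)
        last = max(ts for ts, u in events if u == user)
        tag = "ALERT " if n >= threshold else "      "
        lines.append("%s%-12s %3d  first %s  last %s" % (tag, user, n, first, last))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ERRORLOG))
```

SQL Server standard logins such as sa are not covered by the Windows account lockout policy, so this log is the only record of password guessing against them.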
20. Set up alerts for unauthorized access and failed logins. Go to "Manage SQL Server Messages" in Enterprise Manager and search for messages about unauthorized access (start by looking for "login failed" and "denied"). Make sure all the messages you are interested in are logged to the event log. Then set alerts on these messages to send an e-mail or page to an operator who can respond to the problem.
21. Make sure server-level and database-level roles are granted only to the users who need them. Although the SQL Server 7 security model has many enhancements, it also adds an extra layer of permissions; we must monitor this layer and make sure no one is granted more than the required permissions.
22. Regularly check the members of groups and roles, and assign permissions to groups so that your auditing work is simplified. While you are at it, make sure the public role cannot SELECT from the system tables.
23. Take some time to audit logins with null passwords. Use the following code to check:
use master
select name, password from syslogins where password is null order by name
24. If possible, use integrated security in your organization. By using integrated security you can rely on the system's security and reduce the management work of maintaining two separate security models. It also keeps passwords out of connection strings.
25. Check the access and permissions of non-sa users on system procedures and extended stored procedures. Use the following query periodically to see which procedures have public execute permission (if your SQL Server has no "xtype" column, use "type" instead):
use master
select sysobjects.name from sysobjects, sysprotects where sysprotects.uid = 0 and xtype in ('X', 'P') and sysobjects.id = sysprotects.id order by name
26. Use integrated security when using Enterprise Manager. In the past, Enterprise Manager in standard security mode was found to store the "sa" password in plain text in the registry. Note: even if you change the mode, the password remains in the registry. Use regedit and check the key: HKEY_CURRENT_USER\Software\Microsoft\MSSQLServer\SQLEW\RegeDi\SQL 6.5
Now the data is hidden under:
HKEY_USERS\{yoursid}\Software\Microsoft\Microsoft SQL Server\80\Tools\SQLEW\Registered Server X\SQL Server Group
("SQL Server Group" is the default value, but you may have created your own server group, in which case the location changes accordingly.)
27. Develop an audit plan and produce a monthly security report for IT, including any new exploits, successful attacks, backup protection, and object access failure statistics.
28. Do not allow users to log on to SQL Server interactively. This rule applies to any server: once a user can log on interactively to a server, it is possible for them to obtain administrator privileges.
30. Try to limit queries and access to SQL Server. Users with minimal permissions can still query a lot of things in SQL Server.
Making important WinNT/2000 floppy disks
I. Create installation boot disks in WinNT
1. Prepare 3 blank, formatted 3.5-inch 1.44 MB floppy disks.
2. Insert one of the disks into the floppy drive of a computer running any version of Windows or MS-DOS.
3. Insert the Windows NT CD into the CD-ROM drive.
4. Click Start, then click Run.
In the Open box, type D:\i386\winnt /ox (where D is the drive letter assigned to the CD-ROM drive), and then click OK.
5. Follow the prompts on the screen.
II. Create a boot disk in WinNT
1. Prepare 1 blank 3.5-inch 1.44 MB floppy disk formatted under NT; it must be formatted by NT!
2. Insert the floppy disk into the floppy drive.
3. Copy NTLDR, NTDETECT.COM, boot.ini, NTBOOTDD.SYS and bootsect.dos from C:\ (where C is the system partition) to the floppy disk. The last two files are optional depending on the situation; usually they are copied anyway, and it does no harm.
III. Create an emergency repair disk (ERD) in WinNT
1. Prepare 1 blank, formatted 3.5-inch 1.44 MB floppy disk.
2. Insert the floppy disk into the floppy drive.
3. Start -> Run -> rdisk /s
IV. Create installation boot disks in Win2000
1. Prepare 4 blank, formatted 3.5-inch 1.44 MB floppy disks.
2. Insert one of the disks into the floppy drive of a computer running any version of Windows or MS-DOS.
3. Insert the Windows 2000 CD into the CD-ROM drive.
4. Click Start, then click Run.
In the Open box, type D:\bootdisk\makeboot a: (where D is the drive letter assigned to the CD-ROM drive), then click OK.
5. Follow the prompts on the screen.
Note:
Disks created from the Windows 2000 Professional CD cannot be used with Windows 2000 Server, and vice versa: disks created from the Windows 2000 Server CD cannot be used with Windows 2000 Professional.
V. Create a boot disk in Win2000
1. Prepare 1 blank 3.5-inch 1.44 MB floppy disk formatted under Win2000; it must be formatted by Win2000!
2. Insert the floppy disk into the floppy drive.
3. Copy NTLDR, NTDETECT.COM, boot.ini and IO.SYS from C:\ (where C is the system partition) to the floppy disk.
VI. Create an emergency repair disk (ERD) in Win2000
1. Prepare a blank, formatted 1.44 MB floppy disk.
2. Open the Backup program (Start -> Run -> ntbackup.exe).
3. On the Welcome tab, click "Emergency Repair Disk".
4. Follow the instructions displayed on the screen.
Important:
After installation is complete, the original system settings are saved in the %SystemRoot%\Repair folder on the system partition. When you use the Emergency Repair Disk to repair your system, it uses the information in that folder. Do not change or delete the folder.