Windows 2000 Safety Checklist

xiaoxiao2021-03-06  38

From: http://goaler.xicp.net/showlog.asp?id=437

During the China-US network wars some time ago I saw quite a few defaced servers, and found that most of them were NT/Win2000 machines, which is really alarming. Is Windows 2000 really that insecure? In fact, Windows 2000 contains many security features and options; if they are configured sensibly, Windows 2000 can be a secure operating system. I took the time to go through a number of websites, translated and compiled what I found, and organized it into a checklist, in the hope that it is of some help to Win2000 administrators. There is nothing deep in this article; being a checklist, it is not complete, and many things should be added over time. I hope it gives administrators a reference.

The specific list is as follows:

Basic security:

1. Physical security. The server should be placed in an isolated room with a monitoring camera installed, and the recordings should be kept for more than 15 days. In addition, the chassis, the keyboard and the drawers of the computer desk should be locked, so that nobody can use the computer even after entering the room, and the keys should be kept in another secure place.

2. Disable the Guest account. Disable the Guest account under Computer Management > Users, so that nobody can log on with it. To be safe, it is best to also give Guest a complex password: open Notepad, type a long string containing special characters and numbers, then copy it in as the Guest account's password.

3. Limit unnecessary accounts. Remove all duplicate user accounts, test accounts, shared accounts, generic department accounts and so on. Use group policy to assign the appropriate permissions, check the system's accounts regularly and delete those no longer in use. Such accounts are one of the main footholds hackers use to break into a system: the more accounts a system has, the more chances a hacker has of obtaining legitimate-user access, and usually the more powerful those users are. On domestic NT/2000 hosts, whenever the system has more than 10 accounts there are usually one or two with weak passwords. I once found that 180 of the 197 accounts on one host had weak passwords.

4. Create two administrator accounts. Although this seems to contradict the previous rule, it in fact follows it. Create an account with ordinary permissions for receiving mail and handling day-to-day tasks, and another account with Administrators permissions that is used only when needed. Administrators can use the "runas" command to perform the tasks that require privileges, which keeps management convenient.

5. Rename the system administrator account. As you know, the Administrator account in Windows 2000 cannot be disabled, which means others can try its password again and again. Renaming the Administrator account prevents this. Of course, do not use a name like admin, which is as good as not changing it; try to disguise it as an ordinary user, for example: guestone.

6. Create a trap account. Create a local account called "Administrator", give it the lowest permissions so that it can do nothing at all, and set a super-complex password of more than 10 characters. This keeps the script kiddies busy for a while and lets you discover their intrusion attempts. Or play a few tricks with its logon script. Well, that is enough!

7. Change the permissions on shared files from the "Everyone" group to "Authorized Users". "Everyone" means that any user with access to your network can get at the shared material. Never set the users of a shared file to the "Everyone" group. This includes printer shares, whose default is also the "Everyone" group; do not forget to change it.

8. Use secure passwords. A good password is very important to a network, but it is also easily overlooked. What was said earlier may already have explained this. When administrators at some companies create accounts, they often use the company name, the computer name or something similar as the user name, and then set these accounts' passwords to something as simple as "welcome", "iloveyou", "letmein" or the same as the user name. Such accounts should be required to change to a complex password at first logon, and attention should also be paid to changing passwords regularly. When I discussed this problem on IRC, we came up with a good definition of a good password: a password that cannot be cracked within its validity period. That is, if someone gets hold of your password file, it must take them 43 days or longer to crack it, while your password policy requires a password change every 42 days.

9. Set a screen saver password. This is simple and also necessary: a screen saver password is another barrier against internal staff tampering with the server. Note: do not use OpenGL or other complex screen savers, which waste system resources; just let the screen go blank. Also, the machines used by all system users had best be protected with a screen saver password as well.

10. Use NTFS partitions. Convert all of the server's partitions to NTFS format. The NTFS file system is far more secure than the FAT and FAT32 file systems. There is no need to say more about this; I expect everyone's server is already on NTFS.

11. Run anti-virus software. Among the Win2000/NT servers I have seen, I have never seen one with anti-virus software installed, yet this is actually very important. Good anti-virus software can kill not only some well-known viruses but also a large number of Trojans and backdoor programs, so the well-known Trojans used by "hackers" become useless. Do not forget to update the virus signatures.

12. Keep the backup media safe. Once the system is destroyed, the backup disks are the only way to recover your information. After backing up the data, keep the backup disks in a safe place. Do not keep the backup on the same server; in that case you might as well not back up at all.

Intermediate security:

1. Use the Win2000 security configuration tools to configure the policy. Microsoft provides a set of MMC (Management Console) security configuration and analysis tools; with them you can configure your servers to meet your requirements. For details, see Microsoft's site: http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp

2. Shut down unnecessary services. Windows 2000's Terminal Services, IIS and RAS may all introduce security holes into your system. Many machines have Terminal Services enabled so that the server can be managed remotely; if you enable it, make sure you have configured it properly. Some malicious programs can also run quietly as services. Keep an eye on all the services on the server and check them regularly (every day). Below are the default services of a C2-level installation: Computer Browser, TCP/IP NetBIOS Helper, Microsoft DNS Server, Spooler, NTLM SSP, Server, RPC Locator, WINS, RPC Service, Workstation, Netlogon, Event Log.

3. Close unnecessary ports. Closing a port means reducing functionality, so you need to weigh security against features. If the server sits behind a firewall the risk is smaller, but never think you have nothing to worry about. Scanning the open ports with a port scanner to determine which services are running is the first step a hacker takes in breaking into your system. The table of well-known ports and services in the /system32/drivers/etc/services file can be used for reference. Specific method: Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties; enable TCP/IP filtering and add the required TCP ports, UDP ports and protocols.

4. Turn on the audit policy. Enabling security auditing is the most basic intrusion-detection method in Win2000. When someone attempts something against your system (such as guessing user passwords, changing the account policy, or accessing files without permission), it is recorded by the security audit. Many administrators do not know that their system has been in an intruder's hands for months until it is destroyed. The following audit settings must be turned on; others can be added as needed:
Audit system logon events: success, failure
Audit account management: success, failure
Audit logon events: success, failure
Audit object access: success
Audit policy change: success, failure
Audit privilege use: success, failure
Audit system events: success, failure

5. Turn on the password policy. Policy settings:
Passwords must meet complexity requirements: enabled
Minimum password length: 6
Enforce password history: 5
Maximum password age: 42 days

6. Turn on the account lockout policy. Policy settings:
Reset account lockout counter after: 20 minutes
Account lockout duration: 20 minutes
Account lockout threshold: 3 attempts
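The audit, password and account-lockout settings of items 4 to 6 are exactly what the security configuration tool set of item 1 consumes as a security template. The script below is an added example, not part of the original checklist: it writes those values as a secedit template and runs secedit /analyze, which only compares the local machine against the template and changes nothing. The file names under %TEMP% are this example's own choice; the INF key names are the ones secedit uses.

```powershell
# Added example, not from the original checklist. Writes the page's audit,
# password and lockout settings as a secedit security template, then analyses
# the local machine against it. /analyze is read-only; nothing is applied.
# Run from an elevated prompt. File names below are this example's own choice.

$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Item 5: password policy
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 42
; Item 6: account lockout policy (minutes / attempts)
ResetLockoutCount = 20
LockoutDuration = 20
LockoutBadCount = 3
[Event Audit]
; Item 4: 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3
'@

$Cfg = Join-Path $env:TEMP 'win2k-checklist.inf'
$Db  = Join-Path $env:TEMP 'win2k-checklist.sdb'
$Log = Join-Path $env:TEMP 'win2k-checklist.log'

# secedit expects a Unicode INF file.
Set-Content -Path $Cfg -Value $Template -Encoding Unicode

# Compare only: each setting that differs from the template is logged as a mismatch.
secedit /analyze /db $Db /cfg $Cfg /log $Log | Out-Null
Get-Content -Path $Log | Select-String -Pattern 'Mismatch'
```

Replacing /analyze with /configure (same /db and /cfg arguments, plus /areas SECURITYPOLICY) applies the template; do that only after reviewing the mismatch list, since it also raises the lockout threshold to 3 attempts for every account on the machine.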

7. Set access to the security log. The security log is not protected by default; set it so that only the Administrator and the system account have access to it.

8. Store sensitive files on a separate file server. Although server hard disks are now large, you should still consider whether it is necessary to store important user data (files, spreadsheets, project files, etc.) on another secure server, and back them up often.

9. Do not let the system display the last logged-on user name. By default, the last account that logged on is shown in the logon dialog, and the local logon dialog is the same. This lets someone learn some of the system's user names and then go on to guess passwords. Modifying the registry stops the dialog from displaying the last user name; specifically, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, set the REG_SZ value DontDisplayLastUsername to 1.

10. Forbid the establishment of null sessions. By default, any user can enumerate the accounts and guess passwords through a null-session connection to the server. We can forbid null sessions by modifying the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, change the value RestrictAnonymous to 1.

11. Download the latest patches from Microsoft's website. Many network administrators are not in the habit of visiting security sites, so that vulnerabilities have been public for some time and the server's holes are still not patched. Nobody dares to guarantee that the millions of lines of code in Windows 2000 contain no security holes; visiting Microsoft and some security sites regularly to download the latest service packs and hotfixes is the only way to keep the server secure in the long term.

Advanced security:

1. Turn off DirectDraw. This is a requirement of the C2-level security standard on the graphics card and memory. Turning off DirectDraw may affect programs that need DirectX (such as games; playing StarCraft on the server, good grief...), but for the vast majority of business sites it should have no effect. Modify the registry: under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI, set Timeout (REG_DWORD) to 0.

2. Close the default shares. When Win2000 is installed, the system creates some hidden shares; you can list them from the command prompt. There are many articles about IPC intrusion on the Internet, so I believe nobody is unfamiliar with it. To prohibit these shares, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the share in question and choose Stop Sharing; however, once the machine restarts these shares are recreated. The default shares, their paths and functions:
C$, D$, E$: the root directory of each partition. In the Win2000 Pro version only members of the Administrators and Backup Operators groups can connect to them; in the Win2000 Server version the Server Operators group can also connect to these shares.
ADMIN$: %SYSTEMROOT%, the remote administration share. Its path always points to the Win2000 installation path, such as C:\WinNT.
FAX$: in Win2000 Server, FAX$ is reached by fax clients when sending faxes.
IPC$: empty. The IPC$ share provides the ability to log on to the system.
NETLOGON: this share is used by the Net Logon service of Windows 2000 servers when handling domain logon requests.
PRINT$: %systemroot%\system32\spool\drivers, used by users for remote administration of printers.

3. Do not create dump files. The dump file generated when the system crashes or blue-screens is very useful for troubleshooting (otherwise I would have translated it as "garbage file"). However, it can also hand out sensitive information such as passwords held by some applications. To prohibit it, open Control Panel > System Properties > Advanced > Startup and Recovery and set Write Debugging Information to None. When you need it, you can turn it back on.

4. Use the Encrypting File System (EFS). Windows 2000's powerful encryption system adds a layer of security to disks, folders and files. This prevents others from mounting your hard drive on another machine and reading the data on it. Remember to apply EFS to folders, not just to individual files. Specific information about EFS can be found at http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

5. Encrypt the Temp folder. When some applications are installed or upgraded they copy things into the Temp folder, but when the program is upgraded or closed they do not clear the Temp folder's contents. So encrypting the Temp folder protects your files.

6. Lock down the registry. In Windows 2000 only Administrators and Backup Operators have access to the registry over the network. If you feel this is not enough, you can restrict registry access further; see: http://support.microsoft.com/support/kb/articles/q153/1/83.asp

7. Clear the page file at shutdown. The page file, also called the swap file, is the hidden file Win2000 uses to hold the parts of programs and data files that are not loaded in memory. Some third-party programs can keep things in memory in clear text, and the page file may also contain some sensitive information. To clear the page file at shutdown, edit the registry: under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, set the value ClearPageFileAtShutdown to 1.

8. Forbid booting the system from floppy disk and CD-ROM. Some third-party tools bypass the original security mechanism by booting the system from their own media. If your server has very high security requirements, consider removing the floppy drive and the optical drive. Locking the chassis is also a good approach.
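Several of the items above (intermediate 9 and 10, advanced 1, 3 and 7) come down to a single registry value, and advanced 2 notes that stopping a share by hand does not survive a reboot. The script below is an added example, not part of the original checklist: it reads each of those values and reports which ones are not yet set as the page recommends. It is read-only. Two entries go beyond the page's text and are marked as such in the code: CrashDumpEnabled is the registry form of the "write debugging information: none" setting in advanced 3, and AutoShareServer is what keeps the default shares of advanced 2 from being recreated at boot. Windows 2000 predates PowerShell, so on such a host the same values are inspected with regedit; the script targets a current Windows system whose keys are the same.

```powershell
# Added example, not part of the original checklist: read-only audit of the
# registry-based hardening items on this page. Run in an elevated PowerShell
# prompt; it reports drift and changes nothing.

$Checks = @(
    @{ Item     = 'Hide the last logged-on user name (intermediate 9)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name     = 'DontDisplayLastUserName'    # REG_SZ "1" on NT/2000
       Expected = '1' },
    @{ Item     = 'Forbid null-session enumeration (intermediate 10)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'RestrictAnonymous'
       Expected = 1 },
    @{ Item     = 'Disable DirectDraw / DCI (advanced 1)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI'
       Name     = 'Timeout'
       Expected = 0 },
    # Not on the page: registry form of "Write debugging information: None" (advanced 3).
    @{ Item     = 'Do not write a memory dump on crash (advanced 3)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name     = 'CrashDumpEnabled'
       Expected = 0 },
    @{ Item     = 'Clear the page file at shutdown (advanced 7)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name     = 'ClearPageFileAtShutdown'
       Expected = 1 },
    # Not on the page: stops C$, D$, ADMIN$ from being recreated at boot on a
    # Server role (advanced 2). On Professional the value is AutoShareWks.
    @{ Item     = 'Do not recreate default admin shares at boot (advanced 2)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'AutoShareServer'
       Expected = 0 }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $props = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $props) { $actual = $props.($Check.Name) }
    }
    # A missing value is reported as not applied, never silently treated as the default.
    # Comparison is done as strings so REG_SZ "1" and REG_DWORD 1 are both handled.
    $applied = ($null -ne $actual) -and ([string]$actual -eq [string]$Check.Expected)
    [pscustomobject]@{
        Item     = $Check.Item
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Expected = $Check.Expected
        Status   = if ($applied) { 'OK' } else { 'NOT APPLIED' }
    }
}

$results = $Checks | ForEach-Object { Test-HardeningValue -Check $_ }
$results | Format-Table -Property Item, Actual, Expected, Status -AutoSize
```

A value that does not exist is reported as "<missing>" rather than assumed to be at its default, because an absent RestrictAnonymous or ClearPageFileAtShutdown behaves like 0, which is exactly the state the checklist wants changed.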

9. Consider using smart cards in place of passwords. Passwords always put the security administrator in a dilemma: they are easily attacked by tools such as L0phtCrack, but if the password is too complex, users write it down. If conditions allow, using smart cards in place of complex passwords is a good solution.

10. Consider using IPSec. As its name implies, IPSec provides security for IP packets. IPSec provides authentication, integrity and optional confidentiality: the sending computer encrypts data before transmission, and the receiving computer decrypts it after receipt. Using IPSec can greatly enhance the system's security. Details about IPSec can be found at: http://www.microsoft.com/China/TechNet/Security/IPSecloc.asp

Please cite the original source when reposting: https://www.9cbs.com/read-69410.html
