Elementary Security Chapter
1. Physical Security
The server should be placed in an isolated room with a surveillance monitor installed, and the monitor should keep more than 15 days of video recordings. In addition, the case, keyboard, and computer desk drawer must be locked so that others cannot use the computer even if they enter the room. The keys must be kept in another safe place.
2. Disable the Guest account
Disable the Guest account under Users in Computer Management, and do not allow the Guest account to log in to the system at any time. To be on the safe side, it is best to also set a complex password on Guest. You can open Notepad, enter a long string of special characters, numbers, and letters, and copy it in as the password of the Guest account.
3. Limit the number of unnecessary users
Remove all duplicate user accounts, test accounts, shared accounts, general department accounts, and so on. Set the corresponding permissions through user group policy, check the system accounts frequently, and delete accounts that are no longer in use. These accounts are often the breakthrough points for hackers to invade the system. The more accounts there are in the system, the more likely hackers are to obtain the rights of legitimate users. For domestic NT/2000 hosts, if there are more than 10 system accounts, one or two weak-password accounts can generally be found. I once found that 180 of the 197 accounts on a host were weak-password accounts.
4. Create two administrator accounts
Although this point seems to be inconsistent with the one above, it actually obeys the same rule. Create one account with ordinary privileges to receive mail and handle daily tasks, and another account with Administrators privileges that is used only when needed. Administrators can use the 'RunAs' command to perform tasks that require privileges, which makes management easier.
5. Rename the system administrator account
Everyone knows that the Windows 2000 Administrator account cannot be disabled, which means that others can try the password of this account over and over again. Renaming the Administrator account can effectively prevent this. Of course, please do not use a name like Admin; changing it to that is as good as not changing it. Try to disguise it as an ordinary user, for example by changing it to guestone.
6. Create a trap account
What is a trap account? Look: create a local account named "Administrator", set its permissions to the lowest level so that it can do nothing, and add a super-complex password with more than 10 digits. This can keep those scripts busy for a while, and you can use it to detect their intrusion attempts. Or do some tricks with its login scripts. Hey, enough damage!
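Detection logic for the trap account, as an added example that is not part of the original article. It assumes logon auditing is enabled and that Security log records have been exported to a four-column CSV (time, event ID, account, source workstation); that layout and the sample rows are constructed for illustration. Event IDs 528 and 529 are the Windows 2000 logon success and logon failure events.

```python
import csv
import io
from collections import defaultdict

DECOY = "administrator"          # trap account name from the text
LOGON_OK, LOGON_FAIL = 528, 529  # Windows 2000 Security log: logon success / failure

# Constructed sample export: time, event id, account, source workstation.
SAMPLE = """\
2003-04-01 02:14:07,529,Administrator,WKS-17
2003-04-01 02:14:09,529,Administrator,WKS-17
2003-04-01 02:14:12,529,administrator,WKS-17
2003-04-01 08:30:41,528,guestone,ADMIN-PC
2003-04-01 09:02:55,529,jsmith,WKS-04
2003-04-01 23:51:30,528,Administrator,WKS-22
"""

def decoy_alerts(export_text, decoy=DECOY):
    """Return one alert per source that touched the decoy account.

    Nobody legitimate uses the decoy (the real administrator was renamed),
    so every attempt counts; a successful logon means its password was
    guessed and is ranked critical.
    """
    per_source = defaultdict(lambda: {"failures": 0, "successes": 0, "first": None})
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 4:
            continue                      # skip blank or malformed lines
        when, event_id, account, source = (f.strip() for f in row)
        if account.lower() != decoy or not event_id.isdigit():
            continue
        eid = int(event_id)
        if eid not in (LOGON_OK, LOGON_FAIL):
            continue
        entry = per_source[source]
        entry["first"] = entry["first"] or when
        entry["successes" if eid == LOGON_OK else "failures"] += 1
    alerts = []
    for source, e in sorted(per_source.items()):
        severity = "critical" if e["successes"] else "warning"
        alerts.append((severity, source, e["failures"], e["successes"], e["first"]))
    return alerts

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(alert)
```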
7. Change the permissions of shared files from the "everyone" group to "authorized users"
"everyone" in Win2000 means that any user who has the right to access your network can obtain the shared data. Never set the users of a shared file to the "everyone" group. This includes print sharing, whose default is the "everyone" group, so don't forget to change it.
8. Use a secure password
A good password is very important for a network, but it is the easiest thing to overlook. What has been said above may already have made this point. When some company administrators create accounts, they often use company names, computer names, or something else easy to guess as user names, and then set the passwords of these accounts to something very simple, such as "welcome", "iloveyou", "letmein", or the same as the user name. Such an account should require the user to change to a complex password when logging in for the first time, and the password should also be changed frequently. When discussing this issue with people on IRC a few days ago, we defined a good password: a password that cannot be cracked during the security period is a good password. In other words, if someone gets your password file, they must spend 43 days or longer to crack it, and your password policy is that you must change your password in 42 days.
9. Set a screen saver password
This is very simple and necessary. Setting a screen saver password is also a barrier to prevent insiders from damaging the server. Be careful not to use OpenGL or other complex screen savers, which waste system resources; just make it a black screen. Another point is that it is best to add a screen saver password to the machines used by all system users.
10. Use NTFS-formatted partitions
Change all partitions of the server to NTFS format. The NTFS file system is much safer than the FAT and FAT32 file systems. Needless to say, everyone must have NTFS servers.
11. Run anti-virus software
I have never seen a Win2000/NT server with anti-virus software installed. In fact, this is very important. Some good anti-virus software can kill not only well-known viruses but also a large number of Trojan horses and backdoor programs. In that case, the famous Trojan horses used by 'hackers' are useless. Don't forget to update the virus database frequently.
12. Ensure the safety of the backup disk
Once the system data is damaged, the backup disk will be the only way for you to restore the data. After backing up the data, keep the backup disk in a safe place. Never back up your data on the same server. In that case, it is better not to back up at all.
Intermediate Security Chapter
1. Use Win2000's security configuration tools to configure policy
Microsoft provides a set of security configuration and analysis tools based on MMC (Management Console); using them, you can easily configure your server to meet your needs. For details, please refer to the Microsoft homepage:
2. Turn off unnecessary services
Windows 2000's Terminal Services, IIS, and RAS may bring security holes to your system. To make remote management of the server convenient, many machines have Terminal Services turned on. If yours is also turned on, make sure you have configured Terminal Services correctly. Some malicious programs can also run quietly as a service. Pay attention to all the services running on the server and check them regularly (daily). The following are the default services installed at C2 level:
Computer Browser service
TCP/IP NetBIOS Helper
Microsoft DNS server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC service
Workstation
Netlogon
Event log
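The daily service check described above can be automated by comparing the services reported by `net start` against an approved baseline. This is an added example, not part of the original article; the baseline set, the sample output, and the "WinUpdate Helper32" name are constructed for illustration.

```python
import re

# Constructed baseline of approved display names; on a real server this is
# whatever list the administrator has signed off on (assumption of this example).
APPROVED = {
    "Computer Browser", "Event Log", "Net Logon", "Print Spooler",
    "Remote Procedure Call (RPC)", "Server", "Workstation",
}

# Constructed sample in the layout printed by `net start`.
NET_START_OUTPUT = """\
These Windows 2000 services are started:

   Computer Browser
   Event Log
   Net Logon
   Remote Procedure Call (RPC)
   Server
   Terminal Services
   WinUpdate Helper32
   Workstation

The command completed successfully.
"""

def running_services(net_start_text):
    """Extract service display names: the indented lines of `net start`."""
    names = set()
    for line in net_start_text.splitlines():
        if re.match(r"^\s{2,}\S", line):
            names.add(line.strip())
    return names

def review(net_start_text, approved=APPROVED):
    """Compare running services with the baseline, case-insensitively."""
    running = {n.lower(): n for n in running_services(net_start_text)}
    allowed = {n.lower(): n for n in approved}
    unexpected = sorted(running[k] for k in running.keys() - allowed.keys())
    stopped = sorted(allowed[k] for k in allowed.keys() - running.keys())
    return {"unexpected": unexpected, "not_running": stopped}

if __name__ == "__main__":
    print(review(NET_START_OUTPUT))
```

Anything under "unexpected" is either a service that should be turned off or one that needs to be investigated before it is added to the baseline.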
3. Close unnecessary ports
Closing ports means reducing functionality, so you need to make a trade-off between security and functionality. If the server is installed behind a firewall, you take fewer risks, but never think you can sit back and relax. Scanning the system with a port scanner to determine which services are open is the first step for hackers to invade your system. There is a comparison table of well-known ports and services in the file \system32\drivers\etc\services for reference. The specific method is:
Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties. Enable TCP/IP filtering and add the required TCP ports, UDP ports, and protocols.
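To check the result from the server's own side, the listening ports reported by `netstat -an` can be named using the services file and compared with the ports permitted in TCP/IP filtering. This is an added example, not part of the original article; both text excerpts and the permitted set are constructed for illustration.

```python
import re

# Constructed excerpt in the format of the services file mentioned in the text.
SERVICES_FILE = """\
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
smtp               25/tcp    mail
domain             53/udp
http               80/tcp    www www-http
epmap             135/tcp    loc-srv                #DCE endpoint resolution
microsoft-ds      445/tcp
"""

# Constructed excerpt of `netstat -an` output.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.9:1042          ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and aliases."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and re.fullmatch(r"\d+/(tcp|udp)", fields[1]):
            port, proto = fields[1].split("/")
            table.setdefault((int(port), proto), fields[0])
    return table

def open_ports(netstat_text):
    """Return the (port, proto) pairs that are listening (TCP) or bound (UDP)."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] in ("TCP", "UDP"):
            if f[0] == "TCP" and f[-1] != "LISTENING":
                continue
            found.add((int(f[1].rsplit(":", 1)[1]), f[0].lower()))
    return found

def unfiltered(netstat_text, services_text, permitted):
    """List open ports that are absent from the permitted filtering set."""
    names = parse_services(services_text)
    extra = sorted(open_ports(netstat_text) - set(permitted))
    return [(port, proto, names.get((port, proto), "unknown")) for port, proto in extra]
```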