12 Security countermeasures for Windows 2000

Source: Internet
Author: User

Because of the strong networking capabilities of the Win2000 operating system, some Web servers on the Internet have started to use Win2000 as their main operating system. But because it is a multi-user operating system, hackers tend to choose Win2000 as their first target so that they can hide themselves during an attack. So, as Win2000 users, what reasonable methods can we adopt to protect Win2000? Below, the author has collected and collated some measures for securing Win2000 and offers them here; readers are invited to supplement and improve them.

1. Back up the system promptly

To guard against failures while the system is in use, we should back up the intact Win2000 system, preferably taking a backup of the entire system right after the Win2000 installation is complete. This backup can then be used to verify the integrity of the system and to discover whether system files have been illegally modified. If a system file has been compromised, you can also use the system backup to return it to its normal state. When backing up, we can write the known-good system information to a CD-ROM and then periodically compare the system with the contents of the CD to verify that the integrity of the system has not been compromised. If the security requirements are particularly high, you can make the disc bootable and perform the verification as part of the system startup process. This means that the system has not been compromised as long as it can be started from the CD.

2. Set the system format to NTFS

When installing Win2000, you should choose a custom installation, select only the system components and services that the individual or organization requires, and deselect unused network services and protocols, because the more protocols and services are installed, the more avenues of intrusion an intruder will have and the greater the potential security risk to the system. When choosing the Win2000 file system, you should select NTFS to take full advantage of its security features. NTFS can restrict which files each user is allowed to read and write in any folder on the disk, and the new disk quota service in Win2000 can also control the amount of disk space each user is allowed.

3. Encrypt files or folders

To prevent others from peeking at files in the system, we can use the encryption tools provided by Win2000 to protect files and folders. In Windows Explorer, right-click the file or folder you want to encrypt, and then click Properties. Click Advanced on the General tab, and then select the "Encrypt contents to secure data" check box.

4. Remove the Everyone group from shared directories

By default, when a new shared directory is added in Win2000, the operating system automatically adds the Everyone group to its permissions list. Because the default permission for this group is Full Control, anyone can read and write to the shared directory. Therefore, after you create a new shared directory, delete the Everyone group immediately or change the group's permission to Read.

5. Create an Emergency Repair Disk

If the system is accidentally damaged and does not start normally, you need a dedicated Win2000 system boot disk, so we must remember to create an Emergency Repair Disk once Win2000 has been installed intact. We can create this startup disk with a Win2000 tool named NTBACKUP.EXE. Run NTBACKUP.EXE, select "Create an Emergency Repair Disk" from the toolbar, insert a blank formatted floppy disk in drive A:, click OK, click OK again when the completion message appears, and then click OK once more. Note that the repair disk can no longer be used to recover user account information; for that you must back up and restore Active Directory, which will be overwritten in the backup.

6. Improve the login server

Moving the system's login server to a separate machine increases the security level of the system, and security can be improved further by using a more secure login server instead of Win2000's own login tool. In a large Win2000 network, it is best to use a separate login server for the login service. It must be a server system that satisfies all system login requirements and has sufficient disk space, and no other services should be running on it. A more secure login server can greatly impair the ability of intruders to log on to a file by logging into the system.

7. Make good use of security mechanisms

Design and manage the Win2000 system security rules strictly. They mainly comprise "password rules", "account lockout rules", "user rights allocation rules", "audit rules" and "IP security rules". All users should be grouped according to their work needs; a reasonable set of user groups is the most important basis for system security design. Security rules can be used to limit the lifetime and the length of user passwords, to set the number of failed logins after which the workstation is locked, and to effectively control user actions such as backing up files and directories, shutting down the system and accessing the network.

8. Track and record the system

To monitor hackers' attack activity closely, we should enable Win2000 log files to record the operation of the system. When a hacker attacks the system, the traces are recorded in the log files, which is why many hackers begin an attack by modifying the system's log files to hide their whereabouts. We must therefore restrict access to log files and prohibit users with ordinary permissions from viewing them. Of course, the log management program built into the system may not be very powerful, so we should use a dedicated logging program to watch for suspicious repeated connection attempts. In addition, we have to take care to protect the passwords and the users with root permissions, because once hackers know these root-level accounts they can modify the log files to hide their traces.
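Watching for "suspicious repeated connection attempts" comes down to counting failed logons per source inside a time window. The sketch below is an added example, not part of the original article: the CSV layout, the host and account names, and the threshold are assumptions, and the sample log is constructed. Event IDs 529 (failed logon) and 528 (successful logon) are the Win2000 Security log identifiers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 529, 528

# Constructed sample in an assumed export format:
# time,event ID,account,source workstation
SAMPLE = """\
2001-03-05 02:14:01,529,administrator,WKS-17
2001-03-05 02:14:09,529,administrator,WKS-17
2001-03-05 02:14:15,529,admin,WKS-17
2001-03-05 02:14:22,529,backup,WKS-17
2001-03-05 02:14:30,529,administrator,WKS-17
2001-03-05 02:14:41,528,administrator,WKS-17
2001-03-05 08:58:10,529,jsmith,WKS-03
2001-03-05 08:58:40,528,jsmith,WKS-03
2001-03-05 13:02:11,529,jsmith,WKS-03
"""

def find_bursts(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failed logons inside the window, and
    note whether a successful logon from that source followed the burst."""
    recent = defaultdict(deque)   # source -> (time, account) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, source = line.strip().split(",")
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if int(event_id) == FAILED_LOGON:
            failures = recent[source]
            failures.append((ts, account))
            while ts - failures[0][0] > window:   # drop failures outside window
                failures.popleft()
            if len(failures) >= threshold and source not in alerts:
                alerts[source] = {
                    "first_failure": failures[0][0],
                    "accounts": sorted({a for _, a in failures}),
                    "success_after": False,
                }
        elif int(event_id) == SUCCESSFUL_LOGON and source in alerts:
            # A success right after a burst may mean a password was guessed.
            alerts[source]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for src, info in find_bursts(SAMPLE).items():
        print(src, info)
```

The occasional mistyped password from WKS-03 stays below the threshold, while the burst from WKS-17 against several account names is flagged together with the successful logon that followed it.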

9. Make good use of login scripts

Develop system policies and user logon scripts to place appropriate restrictions on the behavior of network users. We can use the System Policy Editor and user logon scripts to set up each user's working environment: control what the user can do on the desktop, control which programs the user can run, and control when and where the user can log in (for example, allowing users to log in only during working hours and only from the machines in their own offices, and prohibiting all other access). These measures can further enhance the security of the system.

10. Check system information often

Suppose that while working you suddenly feel something is wrong with your computer, as if someone far away were controlling it remotely. At this point, stop working and immediately press Ctrl+Alt+Del to see whether the system is running any other programs. If you find inexplicable programs running, stop them immediately so that they do not pose a greater threat to the whole computer system. However, not all programs appear in that list; some, such as Back Orifice (a hacker's backdoor), do not show up in the process list displayed by Ctrl+Alt+Del. It is therefore better to run Accessories/System Tools/System Information, double-click Software Environment and select "Running Tasks", then look through the task list for programs that you do not recognize or did not start. Once you find such a program, terminate it immediately to avoid trouble.

11. Be vigilant against virus attacks

Viruses now spread on the Internet faster and faster. To avoid being infected, we had better not use Win2000 to visit illegal web sites, and should not rush to download and run programs of unknown origin. For example, if you receive an email with an attachment and the attachment is a file with the extension exe, you must not run it casually, because this unknown program may be a system-destroying program. Attackers often give such a destructive program a new name and email it to you under a deceptive subject, with lines such as "This thing will surprise you" or "Help me test the program". You must be on your guard! The right way to treat these seemingly friendly and well-meaning mail attachments is to delete the dubious files immediately.

12. Set the system's security parameters

Take full advantage of the local security features of the NTFS file system by designing read, write and access permissions for its files and directories according to users and groups. Grant deny-access, read and change permissions to different groups of users, and in general grant only the minimum access needed to the directories and files concerned. Granting Full Control deserves special care. For shared network resources, the share permissions of the file system also need to be designed, and share permissions must never be granted on files and directories that should not be shared. For files and directories that can be shared, deny-access, read, change and Full Control permissions should be granted to different groups and users as appropriate.
