Server Security Settings: Intermediate Article (Windows Server)

Source: Internet
Author: User
1. Use the Win2000 security configuration tools to configure policy
Microsoft provides a set of security configuration and analysis tools based on MMC (Microsoft Management Console) that you can use to configure the server to meet your requirements. Refer to the Microsoft homepage for details.
2. Turn off unnecessary services
Windows 2000 Terminal Services, IIS, and RAS can all introduce security vulnerabilities into your system. Many machines have Terminal Services enabled so that the server can be managed remotely; if yours does too, confirm that Terminal Services is configured correctly. Some malicious programs also run quietly as services. Keep track of every service running on the server and check them regularly (daily). The following are the default services for a C2-level installation:
Computer Browser service
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log
3. Close unnecessary ports
Closing a port reduces functionality, so you have to decide between security and functionality. If the server sits behind a firewall the risk is lower, but never assume that you can sit back and relax. Scanning the system's open ports with a port scanner to determine which services are exposed is the first step an attacker takes in breaking into your system. The \system32\drivers\etc\services file lists well-known ports and services for reference. The specific steps are:
Network Places > Properties > Local Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties. Enable TCP/IP filtering and add the required TCP, UDP, and protocol entries.
4. Enable audit policy
Enabling security auditing is the most basic intrusion detection method in Win2000. When someone tries to break into your system in some way (such as guessing a user's password, changing the account policy, or accessing files without authorization), the attempt is recorded by the security audit. Many administrators do not learn that a system was broken into until months later, when the system is damaged. The following audits must be enabled, and others can be added as needed:
Policy                          Setting
Audit system logon events       Success, Failure
Audit account management        Success, Failure
Audit logon events              Success, Failure
Audit object access             Success
Audit policy change             Success, Failure
Audit privilege use             Success, Failure
Audit system events             Success, Failure
5. Enable password policy
Policy                              Setting
Password complexity requirements    Enabled
Minimum password length             6 characters
Enforce password history            5 times
Maximum password age                42 days
6. Enable account lockout policy
Policy                                 Setting
Reset account lockout counter after    20 minutes
Account lockout duration               20 minutes
Account lockout threshold              3 times
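One way to check a server against the values in sections 4 to 6, as an added example that is not part of the original article: a script that reads a security template and reports every setting that is weaker than the baseline or missing. It assumes the policy was exported with secedit /export, maps the article's rows to the template key names shown (the "system logon" row to AuditAccountLogon and the 42-day row to MaximumPasswordAge are assumptions), and uses a constructed sample as input.

```python
import configparser
# Audit flags as written in security templates: 1 = success, 2 = failure, 3 = both.
AUDIT = dict(AuditAccountLogon=3, AuditAccountManage=3, AuditLogonEvents=3,
             AuditObjectAccess=1, AuditPolicyChange=3, AuditPrivilegeUse=3,
             AuditSystemEvents=3)
ACCESS = {
    "PasswordComplexity": lambda v: v == 1,
    "MinimumPasswordLength": lambda v: v >= 6,
    "PasswordHistorySize": lambda v: v >= 5,
    "MaximumPasswordAge": lambda v: 1 <= v <= 42,     # assumed 42-day row; -1 = never expires
    "LockoutBadCount": lambda v: 1 <= v <= 3,         # 0 disables lockout
    "ResetLockoutCount": lambda v: v >= 20,
    "LockoutDuration": lambda v: v == -1 or v >= 20,  # -1 = until an admin unlocks
}

def audit_template(text):
    """Return [(section, key, value)] for settings weaker than the baseline or missing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep the exported key case
    cp.read_string(text)
    checks = [("System Access", k, ok) for k, ok in ACCESS.items()]
    checks += [("Event Audit", k, lambda v, b=b: (v & b) == b) for k, b in AUDIT.items()]
    findings = []
    for section, key, ok in checks:
        raw = cp.get(section, key, fallback=None)
        value = None if raw is None else int(raw)
        if value is None or not ok(value):    # a missing key is reported with value None
            findings.append((section, key, value))
    return findings

# Constructed sample in the layout of a template export (real exports are UTF-16 files).
SAMPLE = """[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 42
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 1
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
"""

print(audit_template(SAMPLE))
```

In the sample, the missing AuditAccountLogon line is reported with a value of None, and a lockout threshold of 0 is flagged because it turns lockout off rather than making it stricter.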
7. Set access rights for the security log
The security log is not protected by default; set it so that only the Administrator and SYSTEM accounts have access.
8. Store sensitive files on a separate file server
Although server hard disks are now large, you should still consider whether important user data (files, data sheets, project files, etc.) needs to be placed on another, secured server, and back it up often.
9. Do not allow the system to display the last logon user name
By default, when Terminal Services connects to the server, the logon dialog box displays the account that last logged on, and the local logon dialog box does the same. This makes it easy for others to obtain user names on the system and then guess passwords. Modify the registry so that the dialog box does not display the last logon user name:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
Set this REG_SZ value to 1.
10. Prohibit null connections
By default, any user can connect to the server through a null connection, then enumerate accounts and guess passwords. We can disable null connections by modifying the registry:
Set the RestrictAnonymous value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to "1".
11. Download the latest patches from the Microsoft website
Many network administrators are not in the habit of visiting security sites, so vulnerabilities that have been public for a long time are left unpatched on the server, making it a target for others. No one can guarantee that Windows 2000, with its millions of lines of code, is free of security vulnerabilities. Regularly visiting Microsoft and security sites and downloading the latest service packs and vulnerability patches is the only way to ensure the long-term security of the server.
