1. Blocking port 1433 (taking Windows 2000 as an example):
Set up a security policy:
"Control Panel" -> "Administrative Tools" -> "Local Security Policy"
Select "IP Security Policies" -> create a policy and give it a name -> activate the default response rule -> Next -> choose "Windows 2000 default (Kerberos V5)" as the initial authentication method -> confirm the warning that pops up -> the security policy is now created.
Select the policy you created -> Properties -> Add -> choose "This rule does not specify a tunnel" -> for the network type choose "All network connections" -> authentication method "Windows 2000 default (Kerberos V5)" -> confirm the warning that pops up -> choose "All IP Traffic" -> choose "Require Security" as the filter action -> continue to the next step and select "All IP Traffic" -> click the "Edit" button to open the "IP Filter List" -> click "Edit" to open "Filter Properties" -> under "Addressing", choose "Any IP Address" as the source address and "My IP Address" as the destination address, and tick "Mirrored" -> under "Protocol", choose "TCP" as the protocol and set the ports to "From any port" and "To this port: 1433" -> OK. For safety, it is best to also create an IP filter that blocks port 1434.
After completing the configuration, right-click the policy you just configured and select "Assign". Then restart the machine.
How can I verify that port 1433 of the database can no longer be connected to?
1) On another machine in the LAN (not the server itself) with Enterprise Manager installed, try to register the server on which you just configured the security policy. It should stay on the registration screen with the status "Verifying registration information", or report that the connection was refused or that the service is not running.
2) On another machine in the LAN (not the server itself), open the DOS command prompt and enter telnet <server IP address> 1433. If the security policy has been applied successfully, the connection fails and the following message is displayed: connecting to xxxxxxx... unable to open the connection to the host on port 1433: Connection Failed. If the policy was not applied, the connection succeeds.
2. Disable insecure services
The first step blocked the port that other machines use to connect to the database. However, the operating system itself also has weaknesses that can put the database at risk. Run services.msc to open the local service manager and disable the WMI and Server services (this shuts off the WMI and IPC-sharing exposure). Some Internet cafes, however, need part of what the Server service provides. For the Server service you can therefore use one of the following two more flexible methods to shut down the shares instead:
1) Batch file run at startup:
Open Notepad and enter the following (remember to press Enter at the end of each line):
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete
net share e$ /delete
...... (write one such line for each hard disk partition you have)
Save it as NotShare.bat (mind the extension!), then drag the batch file into "Programs" -> "Startup" so that it runs at every start-up and closes the shares with the net command.
If you need to enable one or more of the shares on a given day, just edit the batch file (delete the corresponding command line).
2) Registry key method
"Start" → "Run", type regedit and confirm to open Registry Editor, then go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Double-click "AutoShareServer" in the right-hand pane and change its value from 1 to 0; this disables sharing of the hard disk partitions. If there is no AutoShareServer entry, create one and set its value. In the same window, locate "AutoShareWks", change its value from 1 to 0, and the admin$ share is disabled. Finally,
locate "restrictanonymous" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, set its value to 1, and the IPC$ share is disabled.
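As an added example (not part of the original article), the following batch file combines method 1) and method 2) above: it deletes the shares that exist right now, sets the registry values so the Server service does not recreate them at boot, and then lists whatever shares remain so the result can be checked. It assumes reg.exe is available (built into Windows XP and later; on Windows 2000 it ships with the Support Tools) and that the script is run from an administrator's command prompt.

```batch
@echo off
rem Added example, not from the original article.
rem Assumes reg.exe is present and the script runs as an administrator.

rem 1) Remove the administrative shares that exist right now.
rem    Edit the drive letters to match the partitions on this machine;
rem    letters that do not exist are skipped by the "if exist" test.
for %%d in (C D E F) do (
    if exist %%d:\ net share %%d$ /delete
)
net share admin$ /delete
net share ipc$ /delete

rem 2) Stop the Server service from recreating the shares at every boot.
rem    AutoShareServer applies to server editions, AutoShareWks to
rem    workstation editions; setting both covers either case.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks /t REG_DWORD /d 0 /f

rem 3) Restrict anonymous (null-session) access over IPC$.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f

rem 4) Verify: any share still listed here survived the clean-up.
echo Remaining shares:
net share
```

The registry values take effect after the Server service restarts (or the machine reboots); the net share deletions take effect immediately, which is why the listing at the end is a useful check.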