How to implement secure login to enterprise Windows server? (1)

Windows ServerSecurity includes many layers,Secure LoginIt is undoubtedly the most basic and critical link in many layers. Next let's take a look at how to securely log on to an enterprise Windows Server:

1. Learn to use the Run As Administrator command to manage access

When maintaining a Windows server, you often need the administrator role to perform this operation. When the system administrator logs on to the system using this role, the system may temporarily leave. At this time, it is easy to be used by people with ulterior motives. Sometimes, it is boring to log out of the Administrator account after using any server on the network, and many people will forget it. If the Administrator forgets to log out or does not withdraw from the Administrator role because of the absence of the administrator role, any staff passing through the workstation can destroy the network infrastructure and Windows Server System as long as they wish. It can be seen that the system administrator of the platform logs on to the system as an administrator, which has a large security risk. In this case, how can we improve its security?

The author believes that full and flexible use of the Run As Administrator command can eliminate this security risk. Simply put, any IT personnel usually log on to a restricted User, such as a User group role. When you need to use the administrator role to perform some operations, you can use the Run AS Adminsitrator command to change the permissions. At this time, even if the Administrator does not log out after the maintenance task is completed, the consequences will not be very serious. Because the Console does not grant all the management permissions for Windows servers and networks to users passing. It can only run the management programs that the Administrator has just operated. In fact, it is difficult for passers-by to understand what the previous person is operating.

To implement this security measure, you only need to follow the steps below.

Step 1: first create a user with normal Permissions

The system administrator can create a common role user on the local machine or the Active Directory computer. In daily work, the user logs on to the Windows server system. Wait until you need to Run programs that must have the Administrator permission to Run, such As computer management programs, then use the Run As Adminsitrator command to change user permissions.

Step 2: run the management tool as an administrator

When a program can be run only as an administrator, you do not need to log out or perform other operations. You only need to select the program to be Run, and then select Run As Adminsitrator to Run. However, this operation is obviously troublesome. It is much easier to configure the Administrator's desktop so that the correct certificate is automatically prompted for every shortcut when you add the management tool in the future. To achieve this, follow these steps. For example, if you select a Computer Management Program (do not open it) and select "properties" from the back to right, the following dialog box is displayed.

In the displayed dialog box, select the shortcut tab and select advanced. The system opens a "Advanced properties" dialog box. In this dialog box, you will see an option to run as an administrator. Select this option. In the future, the system will not prompt the user to run the application under the identity of a common user. Instead, a dialog box is automatically opened, asking the user to enter the Administrator account and password.

Note:

You must have the administrator privilege to change the attributes of this shortcut. That is, the common user role cannot perform the preceding operations. Therefore, the administrator needs to change the attributes of the corresponding administrator shortcut in his/her role. Then, the system automatically takes effect when logging on to the common user role. Note that after you change this attribute, only shortcuts are affected. If you open the source program directly instead of using the shortcut method, there will still be no small country. Usually, administrators deploy shortcuts of commonly used management tools on the desktop, and then modify the attributes of this shortcut. In the future, double-click the shortcut on the desktop. Instead of finding the location of the source program to open it.