Use secure Windows disk format

Source: Internet
Author: User

On the Internet, I often see people say that Windows has many operating system vulnerabilities and is not secure, and that as a result servers are often infiltrated by hackers. A secure server depends not only on hardware security but also on operating system security. To build a secure operating system, we need to harden the system in its details; combining comprehensive settings with routine maintenance by administrators produces a truly secure server.


In Windows, the major partition formats are FAT, FAT32, and NTFS. NTFS is currently the mainstream disk format because it reduces wasted disk space, reduces the likelihood of disk fragmentation, and provides file encryption and file compression. Most importantly, NTFS offers the strongest security and allows better assignment of user permissions. Therefore, when installing a server operating system, you must select the NTFS file system to improve system security.

When installing the operating system, you must select the NTFS file format.


1) On an NTFS disk, you can easily set permissions for a file or directory on the "Security" tab of its Properties panel.


2) Use the volume shadow copy function of an NTFS disk to automatically create copies of the server disk for future data restoration.


3) Use NTFS disk quotas to effectively limit the disk space each user can consume.


Compared with the FAT/FAT32 file systems, the defining feature of NTFS is security. NTFS provides the security required for servers and workstations.

On an NTFS partition, NTFS stores an access control list (AccessControlList, ACL) for each file and folder. The ACL contains all the user accounts, groups, and computers that have been granted access. An ACL must contain access control entries (AccessControlEntry, ACE). If no entry in the file's or folder's ACL is matched, access to the file is denied.

NTFS uses a transaction log to automatically record all updates to folders and files. When an operation fails because of system damage or a power failure, the system can use the log to redo or roll back the unsuccessful operation.
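The ACL and ACE model described above can be set and inspected from PowerShell instead of the "Security" tab. This is an added example, not part of the original article; the directory `D:\SecureData` and the account `svc_app` are hypothetical, and it should be run from an elevated prompt.

```powershell
# Added example: path and account below are assumptions, adjust before running.
$dir     = 'D:\SecureData'              # hypothetical directory
$account = "$env:COMPUTERNAME\svc_app"  # hypothetical local account

# FAT/FAT32 volumes store no ACLs, so stop if the volume is not NTFS.
$root = [System.IO.Path]::GetPathRoot($dir)
$fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($fs -ne 'NTFS') { throw "$root is formatted as $fs; NTFS permissions are unavailable." }

$acl = Get-Acl -Path $dir

# Stop inheriting ACEs from the parent folder and drop the inherited copies.
# Explicit ACEs that were already set on the directory are kept.
$acl.SetAccessRuleProtection($true, $false)

# Each ACE names a trustee, the rights granted, and how child objects inherit it.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $account;                 Rights = 'Modify' }
)
foreach ($entry in $entries) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $dir -AclObject $acl

# Review the resulting ACEs. An account or group matched by none of them is denied.
(Get-Acl -Path $dir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```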

4) Use the encryption function of the NTFS disk format to encrypt directories.

Right-click the file or folder to be encrypted, click Properties, select the General tab on the Properties panel, and click [Advanced]. Select the "Encrypt contents to secure data" check box.



Encryption on NTFS disks is provided by EFS. After encryption, the directory is accessible only to the currently logged-on user; other administrators cannot view it unless that user decrypts it. Access is transparent to that user: if you encrypt some data, your own access to it is fully allowed and not subject to any restrictions. When other, unauthorized users attempt to access the encrypted data, they receive an "Access Denied" error message.

EFS user authentication takes place when you log on to Windows. Once you are logged on, you can open any encrypted file you are authorized for. Access is transparent to the user, which protects each user's privacy and file security while keeping operation convenient.



EFS encryption is based on a public key scheme. When you use EFS to encrypt a file or folder, the system first generates a FEK (FileEncryptionKey, file encryption key) consisting of pseudo-random numbers. The encrypted file is then created using the FEK and the DESX (extended Data Encryption Standard) algorithm and stored on the hard disk, and the unencrypted original file is deleted.

What if other people need to share files or folders encrypted by EFS? In addition, after the system is reinstalled, the SID (Security Identifier) changes, so files encrypted by EFS can no longer be opened. Therefore, to let others share EFS-encrypted files, or to open them after reinstalling the system, you must back up the certificate.


To back up a certificate, follow these steps:

① Click Start → Run, enter "certmgr.msc" in the dialog box that appears, and press Enter. In the "Certificates" window, double-click to expand Certificates → Current User → Personal → Certificates. The certificate named after your user name appears in the pane on the right.


② Select the certificate, right-click it, and choose All Tasks → Export. The Certificate Export Wizard dialog box opens.


③ When the wizard asks whether to export the private key with the certificate, select Yes to export the private key. The wizard then asks for a password; for security reasons, set a secure password for the certificate. After choosing the file name and path, click "Finish" to complete the export. A file with the .pfx extension appears in the save path; this is the exported certificate.



When another user needs the encrypted files, or you need them after reinstalling the system, only the certificate file and its password are required. Right-click the certificate file and choose Install Certificate; the Certificate Import Wizard dialog box opens. Click Next to accept the defaults. After you enter the correct password, the certificate is imported and the encrypted files can be opened.
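The export and import steps above can also be scripted. This is an added example, not part of the original article; the backup folder `E:\KeyBackup` and the file `D:\SecureData\report.docx` are hypothetical, and the script must run as the user who encrypted the files.

```powershell
# Added example: paths are assumptions. Run as the user who owns the encrypted files.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Backup-EfsCertificate {
    param([string]$Folder, [securestring]$Password)
    # EFS certificates under Current User\Personal that still hold their private key.
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
    }
    if (-not $certs) { throw 'No EFS certificate with a private key was found.' }
    foreach ($cert in $certs) {
        $pfx = Join-Path $Folder "efs-$($cert.Thumbprint).pfx"
        # Same as answering "Yes, export the private key" in the wizard.
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $Password | Out-Null
        # Re-open the PFX to confirm the password works and the key is inside.
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $pfx, $Password)
        if (-not $check.HasPrivateKey) { throw "$pfx contains no private key." }
        $check.Reset()
        $pfx   # return the path of the verified backup
    }
}

function Restore-EfsCertificate {
    param([string]$PfxPath, [securestring]$Password)
    # Same result as the import wizard: the key lands in Current User\Personal.
    Import-PfxCertificate -FilePath $PfxPath -Password $Password `
        -CertStoreLocation Cert:\CurrentUser\My
}

# Prompt for the password so it is not stored in the script.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Backup-EfsCertificate -Folder 'E:\KeyBackup' -Password $pw   # hypothetical offline drive

# After a reinstall, or in the other user's session:
# Restore-EfsCertificate -PfxPath 'E:\KeyBackup\efs-<thumbprint>.pfx' -Password $pw
# cipher /c 'D:\SecureData\report.docx'   # lists the certificate thumbprints able to decrypt
```

The PFX file holds the private key, so keep it on offline media. `Import-PfxCertificate` marks the imported key as non-exportable unless `-Exportable` is given.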

This article is from the "no trace" blog; please keep this source link: http://hucwuhen.blog.51cto.com/6253667/1308384
