Windows Group Policy Host Security Hardening Practices (1)

Source: Internet
Author: User
Tags: password protection, strong password

Some time ago, the customer's parent organization conducted a comprehensive host vulnerability assessment of the customer's entire information system. Because the organization's information security requirements are high, the assessment was very thorough and found many security vulnerabilities, especially on the Windows hosts on the network.

When we began implementing the rectification recommendations and fixing the host vulnerabilities, we found that many computers were involved and the workload was heavy; fixing them one by one by hand was basically impossible. That is when I thought of a powerful Windows management tool: Group Policy. By using Group Policy to change configuration settings in batches, together with computer startup scripts, the entire security remediation took only one day, whereas doing it computer by computer would have taken at least a month. Here we share the whole process of using Group Policy to harden Windows systems across the board.

I. Host Vulnerability Analysis

In this assessment, the Windows host security vulnerability analysis covered 11 Windows 2003 servers, 12 Windows 2000 servers, and 30 Windows XP clients. The main problems found were:

1) Multiple unnecessary services and ports are enabled

Many of the Windows hosts run services that are not needed. Some of the started services are unrelated to the role the host actually serves, such as DHCP Client, Remote Registry, Task Scheduler, Telephony, and Messenger. Several ports that may be exposed to attack are also open, such as ports 135, 139, 445, 593, 1025, 2745, 3127, and 6129.

Unnecessary services are enabled. Malicious users can intrude into the system by attacking services that are not needed. Administrators usually overlook unnecessary services during management and maintenance, so security vulnerabilities in those services are not fixed in a timely manner, leaving more avenues of attack for malicious users.

Unnecessary ports are open. Attackers can use these ports to attack the system, gather information about it, take control of the computer, or spread viruses, and cause harm to the computer.

2) The default account is not renamed or disabled.

The Windows hosts have not changed the default administrator user name, Administrator.

Default accounts bring convenience but seriously endanger system security. If the Administrator account is not renamed, a malicious attacker already knows the name of the super user and only needs to guess the password.

3) Logon user information is not hidden

The user name of the last logon is displayed on the operating system logon screen.

This security setting is not configured. When the host starts, the user name of the last logon is shown on the logon page and only the password needs to be entered. A malicious attacker therefore only has to guess the password, not the user name, which makes the attack easier.

4) Enable default sharing in the operating system

C$, D$, ADMIN$, and IPC$ are enabled on the hosts.

Many shares are enabled by default, such as C$, D$, and ADMIN$, which poses many hidden risks to system security. In addition, the IPC$ share allows any user to obtain the full account list and share list of the system through a null (empty) session. Attackers may use this to collect user lists and then run dictionary attacks against the servers.

5) The screen saver password is not used.

Multiple Windows systems do not lock the screen after the screen saver starts.

In many cases, the administrator forgets to lock the system when leaving the server. By default, the screen saver starts after a certain period of time; if password protection is enabled for the screen saver, it largely protects the host from unauthorized operation and reduces security risk.
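The startup script below is an added example, not the article's own script: it covers items 1 and 4 (unneeded services, default shares) for assignment under Computer Configuration > Windows Settings > Scripts > Startup, and item 5 is left to the per-user "Password protect the screen saver" policy because a startup script runs as SYSTEM. It assumes sc.exe, reg.exe and net.exe are present (built into XP/2003; Resource Kit on Windows 2000) and that the service names and drive letters match the findings above.

```batch
@echo off
rem Computer startup script (runs as LocalSystem at boot). Added example;
rem the service list and share letters are assumptions based on the findings.
setlocal

rem --- Finding 1: stop and disable services this host does not need ----------
rem Use service names, not display names: Messenger, RemoteRegistry,
rem Schedule (Task Scheduler), TapiSrv (Telephony). Dhcp (DHCP Client) is
rem deliberately left out here: only add it for hosts with static addresses.
for %%S in (Messenger RemoteRegistry Schedule TapiSrv) do (
    sc query %%S >nul 2>&1 && (
        echo Disabling service %%S
        sc stop %%S >nul 2>&1
        sc config %%S start= disabled >nul
    )
)

rem --- Finding 4: remove administrative shares and stop them being recreated --
rem "net share /delete" only lasts until the next boot; AutoShareServer (servers)
rem and AutoShareWks (workstations) stop the Server service from recreating
rem C$/D$/ADMIN$. IPC$ cannot be removed; anonymous use of it is limited by
rem RestrictAnonymous, which is set in the security template, not here.
set LANMAN=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
reg add "%LANMAN%" /v AutoShareServer /t REG_DWORD /d 0 /f >nul
reg add "%LANMAN%" /v AutoShareWks /t REG_DWORD /d 0 /f >nul
for %%D in (C D) do (
    if exist %%D:\ net share %%D$ /delete >nul 2>&1
)
net share ADMIN$ /delete >nul 2>&1

rem Leave a trace on the host so the change can be verified later
echo %date% %time% hardening startup script applied >> "%SystemRoot%\hardening-startup.log"
endlocal
```

After the next boot, "sc qc Messenger" should report START_TYPE DISABLED and "net share" should list no C$ or D$ entries.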

6) Account password length and complexity do not meet security requirements

To make dictionary attacks on user passwords harder, configure a password policy with complexity requirements and set strong passwords for users.

7) User authentication is not reinforced

To prevent unauthorized users from repeatedly guessing user passwords, configure an authentication failure policy in the operating system, that is, define the measures taken when failed logon attempts for an account reach a threshold.

8) Audit policy not reinforced

Auditing is the most powerful tool for tracing malicious operations. The default audit scope of the system is fairly limited and does not provide enough information for analysing security incidents. Therefore, configure the operating system's security auditing so that logs are available for analysis when a security event occurs.
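The security template below is an added example (not the article's own) of the settings a GPO's Security Settings node carries for items 2, 3, 4, 6, 7 and 8; the new administrator name and every numeric threshold are assumptions, since the article gives none. It can be imported into a GPO (Security Settings > Import Policy) or applied on one host with secedit /configure /db hardening.sdb /cfg hardening.inf.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Finding 2: rename the built-in Administrator (name is an assumption), keep Guest off
NewAdministratorName="SvcAdmin"
EnableGuestAccount=0
; Finding 6: length, complexity and rotation (values are assumptions)
MinimumPasswordLength=8
PasswordComplexity=1
MaximumPasswordAge=90
MinimumPasswordAge=1
PasswordHistorySize=5
; Finding 7: lock the account for 30 minutes after 5 failures within 30 minutes
LockoutBadCount=5
LockoutDuration=30
ResetLockoutCount=30

[Event Audit]
; Finding 8: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditSystemEvents=3
AuditLogonEvents=3
AuditAccountLogon=3
AuditAccountManage=3
AuditPolicyChange=3
AuditPrivilegeUse=2
AuditObjectAccess=2

[Registry Values]
; value format is path=type,data where 4 = REG_DWORD
; Finding 3: do not show the last logged-on user name on the logon screen
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Finding 4: no anonymous (null session) enumeration over IPC$, no automatic admin shares
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks=4,0
```

The account and lockout values in [System Access] only take effect on domain accounts when the template is linked at the domain level; on member servers and clients they govern local accounts.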

