The "Seven Swords" of Server Security Maintenance

Source: Internet
Author: User

Do you have vital data on your computer that you do not want to fall into the wrong hands? That outcome is entirely possible. In recent years, servers have been more exposed than ever: more and more viruses, malicious hackers, and commercial spies are targeting them. Clearly, server security is not a problem to ignore.

It is not possible to cover every computer security issue in a single post. After all, countless books have been written on the subject. What I can do is give you seven tips for maintaining your server's security.

"First Sword": Starting from basics

I know it sounds like crap, but when we talk about the security of Web servers, the best advice I can give you is not to be a layman. When hackers start attacking your network, they first check for common vulnerabilities before considering more difficult ways to break through the security system. So if, say, the data on your server sits on a FAT disk partition, even installing all the security software in the world won't help you much.

For this reason, you need to start from the basics. Convert all disk partitions on the server that contain sensitive data to NTFS format. You also need to keep all anti-virus software up to date. I recommend that you run anti-virus software on both the servers and the desktops, and configure it to download the latest virus database files automatically every day. You should also know that you can install anti-virus software for Exchange Server. It scans all incoming e-mail for infected attachments and, when it discovers a virus, automatically isolates the infected message before it reaches the user.

Another good way to protect your network is to limit the hours during which users can access the network to the hours they spend at the company. A temporary employee who usually works during the day should not be allowed to access the network at three o'clock in the morning, unless the employee's supervisor tells you that it is for a special project.

Finally, remember that users should need a password to access anything on the entire network. You must force everyone to use strong passwords consisting of uppercase and lowercase letters, numbers, and special characters. There is a good tool for this task in the Windows NT Server Resource Kit. You should also expire passwords frequently so that they are updated, and require user passwords to be no less than eight characters long. If you have done all this work but still worry about the security of the passwords, try downloading some hacker tools from the Internet and find out how secure those passwords are.


"Second Sword": Protecting Your backup

Every good network administrator knows to back up the network servers every day and to keep the tapes off-site for protection against accidental disasters. But security involves far more than just making backups. Most people don't realize that the backup itself is actually a huge security hole.

To understand why, consider that most backup jobs start at about 10:00 or 11:00. The entire backup process usually ends in the middle of the night, depending on how much data you have to back up. Now, imagine that it is four o'clock in the morning and your backup job is over. Nothing stops someone from stealing the tape and restoring the data to a server at home or in your competitor's office.

However, you can prevent this from happening. First, you can protect your tapes with a password, and if your backup program supports encryption, you can also encrypt the data. Second, you can schedule your backup program to finish in the morning. That way, even if someone sneaks in to steal the tapes during the night, they will not succeed because the tape is still in use. If the burglar takes the tape out anyway, the data on it will be worthless.

"The Third Sword": Use callback for RAS

One of the coolest features of Windows NT is its support for remote access (RAS) to the server. Unfortunately, a RAS server is an open door for hackers attempting to enter your system. All a hacker needs is a phone number, and sometimes a little patience, to get into a host via RAS. But you can take some steps to keep the RAS server secure.

The technique you use will depend to a large extent on how your remote users use RAS. If a remote user usually calls the host from home or from a similar place that rarely changes, I recommend that you use the callback feature: the remote user logs on and is then disconnected, and the RAS server dials a predefined phone number to reconnect the user. Because the number is preset, a hacker has no chance to set the number the server calls back.

Another option is to restrict all remote users to a single server. You can place the data that the users normally access on a special share point on the RAS server. You can then limit the access of remote users to that one server, not the entire network. In this way, even if hackers break into the host, they will be quarantined on a single machine, where the damage is minimized.

Finally, one trick is to use unexpected protocols on your RAS server. Every person I know uses the TCP/IP protocol as the RAS protocol. Given the nature of the TCP/IP protocol itself and its typical use, this looks like a reasonable choice. However, RAS also supports the SPX and NetBEUI protocols. If you use NetBEUI as your RAS protocol, you can really confuse some unsuspecting hackers.

"Four Swords": Consider the safety of workstations

It may seem strange to talk about the security of workstations in an article about server security. However, workstations are a gateway to the server, and strengthening their security improves the security of the entire network. For starters, I recommend using Windows 2000 on all workstations. Windows 2000 is a very secure operating system. If you don't want to do this, at least use Windows NT. You can lock the workstation down, making it difficult or impossible for someone without security access to obtain network configuration information.

Another technique is to control which workstations a person has access to. For example, say there is an employee named Bob, and you already know that he is a troublemaker. Obviously, you don't want Bob to be able to open his friend's computer at lunch or to drop his laptop and hack the whole system. Therefore, you should use the Workgroup user management program to modify Bob's account so that he can only log on from his own computer (and within the hours you specify). Bob is far less likely to attack the network from his own computer because he knows someone can track him down.
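The logon-hours, password-expiry and workstation restrictions described above can be checked per account. This is an added example, not code from the original article: it assumes English-locale output from the Windows `net user <name>` command, and the sample output and account name are constructed.

```python
import re

# Constructed sample of `net user bob` output (not from the original article).
SAMPLE_NET_USER = """\
User name                    bob
Full Name                    Bob Example
Account active               Yes
Account expires              Never

Password last set            1/4/2024 9:12:03 AM
Password expires             Never
Password required            No

Workstations allowed         All
Logon hours allowed          All

Local Group Memberships      *Users
The command completed successfully.
"""

# Field label -> (value that indicates a weak setting, finding text)
CHECKS = {
    "Password required": ("No", "account can have a blank password"),
    "Password expires": ("Never", "password never expires"),
    "Workstations allowed": ("All", "may log on from any workstation"),
    "Logon hours allowed": ("All", "may log on at any hour"),
}

def parse_net_user(text):
    """Split each 'Label<2+ spaces>Value' line into a dict entry."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (extra logon-hour rows) start with spaces and are skipped.
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def audit_account(text):
    """Return a list of findings for one account's `net user` output."""
    fields = parse_net_user(text)
    findings = []
    for label, (weak, message) in CHECKS.items():
        value = fields.get(label)
        if value is None:
            findings.append(f"{label}: field missing, cannot verify")
        elif value.lower() == weak.lower():
            findings.append(f"{label}: {message}")
    return findings

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_NET_USER):
        print("bob:", finding)
```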

Another technique is to limit the function of a workstation to that of a dumb terminal or, for lack of a better word, a "smart" dumb terminal. In general, this means that no data or applications reside on the individual workstations. When you use a computer as a dumb terminal, the server is configured to run Windows NT Terminal Services, and all applications physically run on the server. Everything sent to the workstation is just an updated screen display. This means that the workstation holds only a minimal version of Windows and a Microsoft Terminal Services client. This approach may be the safest network design.

Using a "smart" dumb terminal means that programs and data reside on the server but run on the workstations. All that is installed on the workstation is a copy of Windows and icons that point to applications residing on the server. When you click an icon to run a program, the program uses local resources to run rather than consuming the server's resources. This puts much less load on the server than running a completely dumb terminal setup.

"Sword Five": Using popular Patches

Microsoft employs a team of programmers to check security vulnerabilities and fix them. Sometimes these patches are bundled into a large package and released as a service pack. There are usually two different patch versions: a 40-bit version that anyone can use and a 128-bit version that can only be used in the United States and Canada. The 128-bit version uses a 128-bit encryption algorithm, which is much more secure than the 40-bit version. If you are still using 40-bit service packs and live in the United States or Canada, I strongly recommend that you download the 128-bit version.

Sometimes it may take months for a service pack to be released. Obviously, when a large security vulnerability is discovered, you don't want to wait any longer than necessary for a fix. Fortunately, you don't have to wait. Microsoft regularly publishes important patches on its FTP site. These hot fixes are security patches that have been published since the last service pack was released. I suggest you always check for hot fixes. Remember that you must apply these patches in a logical order. If you apply them in the wrong order, some files may end up at the wrong version, and Windows may stop working.

"Sixth Sword": Using a strong security policy

Another thing you can do to improve security is to write a good, strong security policy. Make sure everyone knows it and knows that it is enforced. Such a policy would include severe penalties for an employee who downloads unauthorized software onto a company machine.

If you use Windows Server, you may be able to grant a user special permissions on your server without having to hand over administrator control. A good use of this is to authorize the human resources department to delete and disable accounts. This allows human resources to delete or disable a departing employee's user account before the employee knows that he or she will be dismissed. In this way, disgruntled employees will not have the opportunity to disrupt the company's systems. Also, with special user rights, you can grant permission to delete and disable accounts while restricting the ability to create users or change permissions.


"Seventh Sword" repeatedly check your firewall

Our final tip is to check your firewall settings carefully. Your firewall is an important part of the network because it isolates your company's computers from computers on the Internet that might damage them.

The first thing you need to do is make sure that the firewall exposes nothing to the outside world beyond the necessary IP addresses. You always have to have at least one IP address visible to the outside world. This IP address is used to carry all Internet traffic. If you have DNS-registered Web servers or e-mail servers, their IP addresses may also be visible through the firewall. However, the IP addresses of workstations and other servers must be hidden.

You can also check the port list to verify that you have closed all ports that you do not use regularly. For example, TCP/IP port 80 is used for HTTP communication, so you probably do not want to block this port. However, you may never use port 81, so it should be closed. You can find a list of the uses of each port on the Internet.
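The port list is easier to verify when you also know what the hosts behind the firewall are actually listening on. This is an added example, not code from the original article: it parses constructed Windows `netstat -an` output and reports listening TCP ports that are not on an allowlist, which here is assumed to contain only port 80 as in the text's example.

```python
# Constructed sample of Windows `netstat -an` output (not from the article).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:51234      ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
"""

# Assumption: only HTTP is meant to be reachable, as in the port 80 example.
ALLOWED_TCP = {80}
LOOPBACK = {"127.0.0.1", "[::1]"}

def listening_ports(netstat_text):
    """Return sorted (port, address) pairs for TCP sockets in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have four columns; UDP rows have no State column and are skipped.
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = parts[1].rpartition(":")
        if port.isdigit():
            found.add((int(port), address))
    return sorted(found)

def unexpected_listeners(netstat_text, allowed=ALLOWED_TCP):
    """Listening TCP ports not on the allowlist, ignoring loopback-only binds."""
    return [(port, addr) for port, addr in listening_ports(netstat_text)
            if port not in allowed and addr not in LOOPBACK]

if __name__ == "__main__":
    for port, addr in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"close or justify: TCP {port} listening on {addr}")
```

Each reported port should either be closed on the host or have a documented reason to be open and a matching firewall rule.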

Conclusion:

Server security is a big problem. You don't want critical data to be corrupted by viruses or hackers, or stolen by someone who might use it against you. To close, I also want to mention one simple option: if you cannot handle this yourself, find someone to help. The Internet offers a lot of such technical support, for example http://safe.admin5.com (a very professional server maintenance team). I will not say more here, so as not to be suspected of advertising!
