First, the harm the network does to the office environment
As Internet access has become universal and bandwidth has grown, employees' conditions for getting online have improved, but the risk, complexity and disorder of network use have grown with them, and careless operation by internal staff creates work for the information maintenance staff. The harm the network does to the office environment shows up mainly as follows:
1. Installing the operating system and application software so that users' computers present a normal, standard office environment already costs the information center staff considerable effort and time, and it is hard to stop users from installing software of their own. As a result, information system administrators spend more than 50% of their effort maintaining users' PCs and cannot concentrate on developing the deeper functions of the information systems and raising their value.
2. Because users' security awareness is generally low, anti-virus measures are often not in place. Once a virus infection occurs it often spreads to the whole network and paralyzes it; some deadly worms exploit various weaknesses in the TCP/IP protocols so that trojans and viruses spread quickly and on a large scale, leaving the network running in an infected state for a long time while the system administrator is powerless.
3. Some web pages carry malicious code that forcibly installs search-engine plug-ins, advertising plug-ins or Chinese domain-name plug-ins on the user's computer, consuming large amounts of the office computer's resources and making it slow to respond.
4. Individual employees download and install software from the network. Most such packages are bundled with assorted plug-ins, trojans and viruses that are forced onto the office computer during installation without the user noticing, consuming large amounts of resources, slowing the machine down, or even allowing it to be remotely controlled. Some viruses use ARP spoofing to disrupt the normal work of every office computer in the area.
5. Some computer enthusiasts treat office computers as a tool for learning about computers and privately set up DHCP servers, so that office computers cannot obtain a proper IP address and communication between user computers and the application system servers is cut off; the impact is very bad.
6. Some employees use company computers to chat, listen to music, watch movies and play games, and some keep peer-to-peer software running 24 hours a day downloading music and video. Because FlashGet, Thunder, BT and similar software open many concurrent threads, a few employees occupy most of the bandwidth, Internet access becomes slow, and the business application systems cannot operate normally. Even a strict computer-use management system finds it hard to guarantee that the company's computers are used only for company business; PC usage is unfocused and control is weak.
Second, network behavior management and maintenance strategy
Strategy 1: Divide into VLANs.
Divide the network into VLANs in detail to prevent large-scale virus outbreaks from spreading and to narrow the scope of any fault. The basic principles of VLAN division:
In centralized office buildings, divide VLANs by building and floor;
In scattered office areas, divide by building and by functional area, for example an operations on-duty VLAN.
Strategy 2: Establish domain management.
Set up a domain controller and require that every office computer be joined to the domain, accept management by the domain controller, and have its user permissions strictly controlled. At Shanwei Power Plant, employee accounts have standard user permissions only. Information system administrators are not permitted to disclose the domain administrator password, the LANDesk administrator password or the local administrator password.
In today's network environment, dominated by rogue plug-ins, advertising plug-ins, trojans and viruses, giving ordinary employees only standard user rights is in practice a very effective protection for the office environment.
Office PCs must strictly follow the OU naming rules, which also establishes real-name accountability: a designated employee is responsible for each PC. This is a requirement of fixed-asset management as well as of network security management. Tying each PC to a named person is vital: once an employee's computer is found to be infected and broadcasting virus packets, the information system administrator can locate it precisely and react quickly, avoiding a wider impact.
Strategy 3: Assign PC maintenance responsibility by area.
In practice an information system administrator may hand out local administrator rights as a favor; this is in fact suicidal. Any employee with administrator privileges, even an information system administrator, who browses the Internet under those privileges can fall into a network trap through a moment's carelessness. To avoid this, PC maintenance staff manage users by area, and the area owner's domain account holds local administrator rights on all office computers in that area. If an area leader wishes to grant additional local administrator rights, the added risk and workload are his own to bear. The local administrator passwords of all office computers are held, set and changed only by the owner of the domain controller.
Strategy 4: On the firewall, open only the ports that common or business systems need, such as 80, 25, 21, 110 and 443, and block all other ports. This measure effectively blocks peer-to-peer and BT software on their usual ports; a client that tunnels over 80 or 443 is not stopped by the port filter alone, which is one reason the access check in Strategy 7 is still needed.
Strategy 5: Computers connected to the plant network must be managed by the information center. On the DHCP server, assign fixed IP addresses to office computers according to the MAC address of each computer's network card, then set the corresponding policies on the firewall: IP groups approved by the information center may access the Internet directly from the computer, while other IP groups may connect only to the local area network application servers. Machines whose IP does not follow the OU naming rule, or that have not been authorized by the information system administrator, are allowed to access neither the Internet nor the intranet and can only be used stand-alone.
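As an added example, not code from the original article or from the plant, the following Python models how Strategies 2, 4 and 5 fit together: a DHCP reservation table binding MAC to IP and to an accountable owner, an OU naming rule, firewall IP groups, the outbound port allowlist, and the lookup an administrator does when a virus broadcast is traced to an IP. The hostnames, MAC and IP addresses, the naming regex, the plant address range and the IP groups are all constructed assumptions; the page gives none of these values.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed OU naming rule: <AREA>-<FLOOR>-<EMPLOYEE_ID>, e.g. ADM-3F-10234.
# The plant's real rule is not given on the page; this regex is a placeholder.
OU_NAME_RE = re.compile(r"^[A-Z]{3}-\d{1,2}F-\d{5}$")

# Strategy 4: the only TCP ports opened outbound through the firewall.
ALLOWED_PORTS = {80, 25, 21, 110, 443}

# Assumed plant address space; anything outside it counts as "the Internet".
PLANT_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Reservation:
    mac: str        # normalized lower-case, colon-separated
    ip: str         # fixed address handed out by DHCP for this MAC
    hostname: str   # must follow OU_NAME_RE
    owner: str      # employee accountable for the PC (real-name rule)


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-01 or 00:11:22:33:44:01 in any case."""
    return mac.strip().lower().replace("-", ":")


# Constructed DHCP reservation table (Strategy 5). The third entry
# deliberately violates the naming rule.
RESERVATIONS = {
    r.mac: r for r in (
        Reservation("00:11:22:33:44:01", "10.1.3.11", "ADM-3F-10234", "Zhang"),
        Reservation("00:11:22:33:44:02", "10.1.3.12", "OPS-1F-10877", "Li"),
        Reservation("00:11:22:33:44:03", "10.1.3.13", "mybox", "Wang"),
    )
}

# Constructed firewall IP groups (Strategy 5): approved for direct Internet
# access, or restricted to the LAN application servers.
INTERNET_GROUP = {"10.1.3.11"}
INTRANET_ONLY_GROUP = {"10.1.3.12"}


def access_level(mac: str, ip: str) -> str:
    """Classify a host as 'internet', 'intranet' or 'standalone'.

    'standalone' (no network access at all) is returned when the MAC has
    no reservation, the host is using an address other than its reserved
    one (e.g. a self-assigned static IP), or its name breaks the OU rule.
    """
    res = RESERVATIONS.get(normalize_mac(mac))
    if res is None or res.ip != ip or not OU_NAME_RE.match(res.hostname):
        return "standalone"
    if ip in INTERNET_GROUP:
        return "internet"
    if ip in INTRANET_ONLY_GROUP:
        return "intranet"
    return "standalone"   # reserved but never placed in an approved group


def allowed(mac: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether a TCP connection from an office PC is permitted."""
    level = access_level(mac, src_ip)
    if level == "standalone":
        return False
    if ipaddress.ip_address(dst_ip) in PLANT_NET:
        return True                      # LAN application servers
    return level == "internet" and dst_port in ALLOWED_PORTS


def owner_of(ip: str) -> Optional[str]:
    """Strategy 2: from the source IP of a virus broadcast, find the person
    accountable for that PC via the reservation table."""
    for res in RESERVATIONS.values():
        if res.ip == ip:
            return res.owner
    return None


if __name__ == "__main__":
    for mac, ip in (("00:11:22:33:44:01", "10.1.3.11"),
                    ("00:11:22:33:44:03", "10.1.3.13"),
                    ("00:11:22:33:44:01", "10.1.3.99")):
        print(mac, ip, access_level(mac, ip))
    print("BT port 6881 from the Internet-approved PC:",
          allowed("00:11:22:33:44:01", "10.1.3.11", "203.0.113.5", 6881))
    print("Owner of 10.1.3.11:", owner_of("10.1.3.11"))
```

Two caveats a practitioner would add to this scheme. The firewall groups are keyed by IP, so a user who sets a static address inside an approved group bypasses the DHCP reservation unless the access switches enforce the MAC-to-IP binding (DHCP snooping with IP source guard, or 802.1X); the model above treats such a host as stand-alone only because it checks the reservation, which a plain IP-based firewall rule cannot do. And the port allowlist stops BT on its default ports but not a client that uses 80 or 443, which is why the access-control check in Strategy 7 complements it.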
Strategy 6: Establish a WSUS server. WSUS (Microsoft Windows Server Update Services) is a free Windows Update management service from Microsoft; the latest version at the time of writing was 2.0.0.2472. Besides the Windows systems (the full Windows 2000, Windows XP and Windows Server 2003 series), it also supports update management for SQL Server, Exchange 2000/2003 and Office XP/2003, and in the future WSUS is to cover Microsoft's full range of products.
The Automatic Updates service of client PCs (built into the client update component in Windows XP, Windows 2000 SP3 and Windows Server 2003) is configured from the domain server via Group Policy. By default the client connects directly to Microsoft Update over HTTP/HTTPS to download updates; the policy points it at the WSUS server instead, so that updates are downloaded from, and approved on, the plant's own server.
Strategy 7: Enable a network access control system. Using the network access function of the Sinfor M5400-AC product, check whether the user's computer meets the required security policy. Only computers that meet the policy are allowed to reach the external network; users whose computers do not meet the security conditions are not allowed to access the Internet. This fundamentally improves the security of enterprise users' computers and reduces the risk of their exposure to worms, viruses, trojans and spyware.