2000 Server System Security Full Configuration Scheme

Source: Internet
Author: User
Tags: account security, password protection
As Microsoft's latest server operating system, Windows Server 2003 not only inherits the ease of use and stability of Windows 2000/XP, but also provides broader hardware support and stronger security functions, making it an obvious choice for small and medium-sized network application servers. This article describes how to develop security policies for enterprise accounts and for system monitoring in Windows Server 2003 for enterprise network applications. We hope it will be of some value to you; the ultimate goal is to ensure the normal operation of our network servers.

I. Enterprise account security policies

User account protection generally focuses on password protection. To prevent user identities from being captured or stolen through password cracking, measures such as increasing the difficulty of password cracking, enabling an account lockout policy, restricting user logon, restricting external connections, and preventing network sniffing can be taken.

1. Increase the difficulty of password cracking

To increase the difficulty of password cracking, you can increase password complexity, password length, and the frequency of password changes. However, users often find this burdensome, so for security-sensitive users in the enterprise network, measures must be taken to forcibly change insecure password habits.

In Windows, you can use a series of security settings to formulate corresponding security policies. In Windows Server 2003, you can set a "Password Policy" within the security policy. Windows Server 2003 security policies can be applied to different scopes depending on the network: for example, to the local computer, to the domain, or to a particular organizational unit, depending on the range the policy should affect.

Taking the domain security policy as an example, its scope is all members of the specified domain in the enterprise network. Run the "Domain Security Policy" tool among the domain administrative tools, and you can then set the password policy accordingly.

The password policy can also be set on a specified computer by using the "Local Security Policy", or by using a Group Policy for a specific organizational unit in the network.

2. Enable the account lockout policy

Account lockout means locking an account, in certain situations, to protect it (for example, when the account is subjected to an online automatic logon attack using a password dictionary or brute-force password cracking) so that it cannot be used again within a certain period of time, thus defeating continuous guessing attempts.

By default, for the convenience of users, this lockout policy is not set in Windows Server 2003. In that case there is no restriction on such attacks: given enough patience, an attacker can use an automatic logon tool with a password dictionary, or even a pure brute-force attack, and cracking the password becomes just a matter of time and luck. The first step in setting the account lockout policy is to specify the lockout threshold, that is, the number of failed logon attempts allowed before the account is locked. Logon failures caused by ordinary operator error are usually few, so the lockout threshold here is set to three, allowing only three logon attempts. If all three fail, the account is locked.

However, once the account is locked, even the legitimate user cannot use it, and only an administrator can re-enable it, which causes considerable inconvenience. For the convenience of users, you can set the lockout duration and the reset counter time at the same time, so that the account is locked after three invalid logons and the lockout lasts 30 minutes. The above account lockout settings effectively defeat attacks by automatic guessing tools and also deal a heavy blow to the patience and confidence of a manual attacker. Locking a user account is sometimes inconvenient, but system security is sometimes more important.
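The way the three settings interact (lockout threshold, lockout duration, and the reset counter window) is easier to see in a small model. The following Python is an added example, not part of the original article or of Windows itself; it uses the threshold of three and the 30-minute lockout from the text, and assumes a 30-minute reset window, which the text does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Values from the article: threshold 3, lockout duration 30 minutes.
# The reset-counter window is not given on the page; 30 minutes is an assumption.
@dataclass
class LockoutPolicy:
    threshold: int = 3
    lockout_duration: timedelta = timedelta(minutes=30)
    reset_window: timedelta = timedelta(minutes=30)

@dataclass
class AccountState:
    bad_count: int = 0                       # failures counted inside the window
    last_bad: Optional[datetime] = None      # time of the most recent failure
    locked_until: Optional[datetime] = None  # None while the account is not locked

class LockoutTracker:
    """Models the lockout state machine for one or more accounts."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None               # lockout duration elapsed: unlock
        st.bad_count = 0
        return False

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'locked', 'ok' or 'bad' for one logon attempt."""
        if self.is_locked(user, now):
            return "locked"                  # refused even if the password is right
        st = self._state(user)
        if password_ok:
            st.bad_count = 0                 # a good logon clears the failure count
            return "ok"
        # Reset counter: a failure older than the window no longer counts
        if st.last_bad is not None and now - st.last_bad > self.policy.reset_window:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = now
        if st.bad_count >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration
        return "bad"

def replay(events: List[Tuple[str, bool, int]], policy: Optional[LockoutPolicy] = None) -> List[str]:
    """Replay (user, password_ok, minutes_after_start) events and return the outcomes."""
    tracker = LockoutTracker(policy or LockoutPolicy())
    start = datetime(2005, 3, 1, 9, 0)       # constructed start time
    return [tracker.attempt(u, ok, start + timedelta(minutes=m)) for u, ok, m in events]
```

Three failures in a row lock "alice" for 30 minutes even when the correct password follows; failures spaced wider than the reset window never reach the threshold.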

3. Restrict user logon

The logon behavior of enterprise network users can also be restricted to protect their accounts, so that even if a password is leaked, the system can block the intruder to some extent. For a Windows Server 2003 network, run the "Active Directory Users and Computers" management tool, select a user, and set its account properties.

In the account properties dialog box, you can restrict the logon time and location. Click the "Logon Hours" button to set the hours during which this user may log on, so as to prevent logons outside working hours. Click the "Log On To" button to set the computers on which the account is allowed to log on. In addition, the "Account" options can restrict logon behavior; for example, the account can be required to log on with a smart card instead of password verification. More rigorous methods such as fingerprint verification can also be introduced.

4. Restrict external connections

Enterprise networks usually need to provide dial-up access for remote users (such as field staff or customers). Remote dial-up access uses a low-speed dial-up connection to attach a remote computer to the enterprise's internal LAN. Because such a connection cannot be hidden, it is often the preferred entry point for intruders into the internal network. Taking certain measures, however, can effectively reduce the risk.

By default, a remote access server based on Windows Server 2003 allows every user with dial-in permission to establish a connection. The first step of protection, therefore, is to assign the dial-in permission on user accounts carefully and strictly, limiting the scope of its allocation: the permission is not granted unless it is necessary. For certain special users and for users in fixed branch offices, network security can be further improved with callback. Here callback means that the server hangs up immediately after verifying the caller and then calls the caller's number back, so there is no need to worry about the account and password being cracked. Note that the caller ID service must be activated for this.

In a Windows Server 2003 network, if Active Directory is in native mode, you can manage the remote access policies stored on the access server or on the Internet Authentication Service server, and set different policies for different application scenarios. The details of this management are complicated; due to limited space they are not covered here, and the relevant documentation should be consulted.

5. Restrict privileged group members

In a Windows Server 2003 network there is another very effective auxiliary means of preventing intrusion and administrative negligence: the "Restricted Groups" security policy, which ensures that the membership of a group stays fixed. In the Domain Security Policy administrative tool, add the group to be restricted; in the "Group" dialog box, type or browse for the group to add. Generally, privileged groups such as the Administrators group must be restricted. The next step is to configure the members of the restricted group: open the restricted group's "Security" option, and you can manage the membership of the group, adding or deleting members. Once the security policy takes effect, an intruder is prevented from adding backdoor accounts to the group.

6. Prevent network sniffing

Because a LAN uses broadcast for communication, information on it is easily eavesdropped. Network sniffing means capturing valuable information by listening to the data transmitted on the network. Defending against common network sniffing attacks is not difficult using the following means:

1) Switched network

In general, a switched network is inherently immune to common network sniffing methods. In a switched environment each switch port is an independent broadcast domain, and ports are bridged through the switch rather than broadcast to. Network sniffing relies mainly on communication in a broadcast environment, so it is useless in a switched network.

With the spread of switching technology, the threat from network sniffing has become smaller and smaller, but it cannot be ignored. ARP address spoofing can still enable sniffing within a certain range, and intruders can still obtain sniffing capability by compromising some switches and routers.

2) Encrypted sessions

Establishing an encrypted session between the two communicating parties is also an effective method, especially in the enterprise network: even if an intruder succeeds in sniffing the network, the captured data is ciphertext and of no value. There are many ways to encrypt sessions on the network. You can write a dedicated communication encryption program, but its versatility is poor; improving the security mechanism of IP communication itself is the most fundamental solution.

For historical reasons, IP-based network communication has no built-in security mechanism, and as the Internet has developed its security problems have gradually been exposed. Through various efforts a standard security architecture has now basically taken shape: the IPsec mechanism, which will be an important component of the next-generation IP standard, IPv6. IPsec is well supported in the newest operating systems. In Windows Server 2003, both server and client products support IPsec, which enhances security, scalability, and availability while making deployment and management more convenient.

The management tools related to Windows Server 2003 security policies (such as Local Security Policy, Domain Security Policy, and Group Policy) are integrated. For clarity, the following uses a management tool customized with the Microsoft Management Console (MMC).

The procedure is as follows: click Run in the Start menu, type MMC, and click OK. In the "Console" menu, select the "Add/Remove Snap-in" command, and then click the "Add" button. In the list of available standalone snap-ins, select "IP Security Policy Management", double-click it or click "Add", select the computer to be managed by the snap-in, and click "Finish". Close the Add Snap-in window and you have a new management tool, which can be named and saved here.

Now you can see the existing security policies. You can add, modify, and delete IP security policies as needed. Windows Server 2003 comes with the following policies:

Secure Server (Require Security);
Client (Respond Only);
Server (Request Security).

The "Client (Respond Only)" policy uses IPsec only when the other party requests it. The "Server (Request Security)" policy requires clients that support IPsec to use it, but still allows clients that do not support it to establish insecure connections. The "Secure Server (Require Security)" policy is the strictest: it requires both parties to use IPsec.

However, by default the "Secure Server (Require Security)" policy still permits some untrusted, unencrypted communication that can be eavesdropped. You can modify this policy directly or create a custom policy to achieve effective protection. Select the "All IP Traffic" rule, where you can edit its properties.

On the "Filter Action" tab, select the "Require Security" option. You can edit the security methods in the properties of the filter action; here the security method can be set to "High".

The IPsec-encrypted communication described above is applicable to enterprise network applications. By deploying it through Group Policy, all computers in the network can be forced to use IPsec-encrypted communication. This strict restriction causes some inconvenience, but it is worthwhile for system security. IPsec can also be used in VPN technology, where the data stream inside the IP tunnel is encrypted.

For environments in which IPsec is inconvenient to deploy widely, consider using a VPN (virtual private network). VPN technology is the best solution for end-to-end secure communication. It applies mainly to connections between a client and a server over an open network, for example a client connecting to the private network of an enterprise or department over the Internet or an intranet.

II. Enterprise system monitoring security policies

Although the system is constantly being patched, the complexity of software means that new security vulnerabilities will always emerge. Therefore, in addition to fixing vulnerabilities, you must monitor the system's running state in real time so that intrusions exploiting these vulnerabilities can be detected promptly. Such monitoring is especially important when known vulnerabilities have been fixed but not all of them.

1. Enable the system audit mechanism

The system audit mechanism tracks and records various events in the system and writes them to log files, which administrators analyze to find system and application faults and security events of all kinds.

All operating systems and application systems have a logging function, so events occurring in the system can be recorded in real time as needed. By reviewing the security-related log files you can detect intrusions and post-intrusion behavior. Achieving this requires some relevant knowledge: first, you must learn how to configure the system so that the corresponding audit mechanism is enabled and records the various security events.

For Windows Server 2003 servers and workstations, so as not to affect system performance, the default security policy does not audit security events. According to the results of the Security Configuration and Analysis tool run against the secedit security template, the audit policies it flags (marked in red) should be enabled so that intrusions by external and internal attackers can be detected. For key application servers and file servers, the remaining audit policies should be enabled as well.

If you enable the "Audit object access" policy, you must use the NTFS file system. NTFS not only provides user access control, but also allows auditing of user access operations. This auditing function, however, must be configured on specific objects.

First, in the "Advanced" settings of the audited object's "Security" properties, add the users and groups to be audited. In this dialog box, select the user to audit, and you can set which events and results are audited. After all audit policies take effect, you can examine the system logs for traces of intruders.

2. Log monitoring

After the security audit policy is enabled, the administrator should check the security log frequently; otherwise, the opportunity for timely remediation and defense is lost. Besides the security log, administrators should also check the log files of the various services and applications. In IIS 6.0 on Windows Server 2003 the logging function is enabled by default, and the log files are stored by default under the system32/logfiles directory. Opening an IIS log file shows the HTTP requests made to the Web server, so the logging provided by IIS 6.0 can, to a certain extent, be a good helper for intrusion detection.
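Checking the IIS log by eye does not scale, so a small parser helps. The following Python is an added example, not from the article or from IIS: it reads the W3C extended format IIS 6.0 writes, using the "#Fields:" header to name the columns, and flags clients that produce a burst of error responses or request paths containing "..". The log excerpt is constructed, and the threshold of three errors is an assumption.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed IIS 6.0 W3C extended log excerpt (not captured from a real server).
# IIS replaces spaces inside field values (e.g. the User-Agent) with '+',
# so a plain whitespace split recovers the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 10:00:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0
2005-03-01 10:00:02 192.0.2.10 GET /admin/ - 80 - 203.0.113.5 Mozilla/4.0+(compatible) 401 2 5
2005-03-01 10:00:03 192.0.2.10 GET /admin/ - 80 - 203.0.113.5 Mozilla/4.0+(compatible) 401 1 5
2005-03-01 10:00:04 192.0.2.10 GET /backup/ - 80 - 203.0.113.5 Mozilla/4.0+(compatible) 404 0 2
2005-03-01 10:00:05 192.0.2.10 GET /scripts/../../boot.ini - 80 - 203.0.113.5 Mozilla/4.0+(compatible) 404 0 2
2005-03-01 10:00:06 192.0.2.10 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # other directives and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # skip malformed rows rather than misalign
        records.append(dict(zip(fields, values)))
    return records

def find_suspicious(records: List[Dict[str, str]], error_threshold: int = 3):
    """Return (noisy clients by error count, traversal attempts as (c-ip, uri))."""
    errors: Counter = Counter()
    traversal: List[Tuple[str, str]] = []
    for r in records:
        if int(r["sc-status"]) >= 400:     # 4xx/5xx: denied, missing, failing
            errors[r["c-ip"]] += 1
        if ".." in r["cs-uri-stem"] or ".." in r["cs-uri-query"]:
            traversal.append((r["c-ip"], r["cs-uri-stem"]))
    noisy = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return noisy, traversal

if __name__ == "__main__":
    noisy, traversal = find_suspicious(parse_w3c(SAMPLE_LOG))
    print("clients with repeated errors:", noisy)
    print("path traversal attempts:", traversal)
```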

3. Monitor open ports and connections

Log monitoring can only detect intrusion events that have already occurred; it cannot stop an intrusion or damage that is under way. For this, administrators need to master some basic real-time monitoring techniques.

After a system is compromised by an intruder or a virus, a Trojan backdoor is usually left behind that establishes socket connections with the outside, so it may be discovered through the network: the netstat command shows the session status, including the open ports and established connections. Special detection programs can also be used to inspect ports and connections; there is much such software.
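Comparing netstat output against a known baseline is more reliable than reading it by eye. The following Python is an added example, not from the article: it parses text in the format of "netstat -an" on Windows Server 2003 and reports listeners and established sessions on ports outside the server's expected set. The output sample and the baseline are constructed, and port 12345 merely stands in for an unknown backdoor port.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample in the format of "netstat -an" on Windows Server 2003
# (not captured from a real machine); 12345 stands in for an unknown backdoor port
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:12345       203.0.113.5:50231      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Assumed baseline: the (protocol, port) pairs this server is expected to serve
BASELINE: Set[Tuple[str, int]] = {("TCP", 80), ("TCP", 135), ("TCP", 445), ("UDP", 161)}

def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -an rows into dicts; header and blank lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = parts[1].rsplit(":", 1)   # split on the last ':'
        rows.append({
            "proto": parts[0],
            "local_host": local_host,
            "local_port": int(local_port),
            "foreign": parts[2],
            "state": parts[3] if len(parts) > 3 else "",   # UDP rows carry no state
        })
    return rows

def audit_ports(rows: List[Dict[str, object]], baseline: Set[Tuple[str, int]]):
    """Report listeners and established sessions on ports outside the baseline."""
    unexpected_listeners: List[Tuple[str, int]] = []
    unexpected_sessions: List[Tuple[int, str]] = []
    for r in rows:
        key = (r["proto"], r["local_port"])
        if key in baseline:
            continue
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            unexpected_listeners.append(key)
        elif r["state"] == "ESTABLISHED":
            unexpected_sessions.append((r["local_port"], r["foreign"]))
    return unexpected_listeners, unexpected_sessions

if __name__ == "__main__":
    listeners, sessions = audit_ports(parse_netstat(SAMPLE_NETSTAT), BASELINE)
    print("unexpected listeners:", listeners)
    print("unexpected sessions:", sessions)
```

On a real server, feed the saved output of "netstat -an" to parse_netstat and keep the baseline under change control so that every new listener must be explained.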

4. Monitor shares

Intruding into a system through shares is one of the easiest ways in. If protection is lax, the simplest method is to use the system's hidden administrative shares, so as soon as an intruder has scanned the IP address and obtained a user password, the net use command can connect to the share. Moreover, when browsing a web page containing a malicious script, the computer's hard disk may also be shared. Monitoring the local shares and share connections is therefore very important.

To monitor local shares and connections on a Windows Server 2003 computer, open the "Computer Management" tool and expand "Shared Folders". Click "Shares" and check in the right-hand pane whether any new, suspicious shares exist; if so, delete them immediately. You can also select "Sessions" to view all sessions connected to this machine's shares. The IPC$ share vulnerability in Windows NT/2000 is one of the most dangerous currently known: even without cracking a password immediately, an intruder can connect to the system through a "null session" and try other methods.

5. Monitor processes and system information

For Trojans and remote control programs, besides monitoring open ports you should also use the process view in Task Manager to find the process. After installing the Windows Server 2003 Support Tools (from the product CD), you also have the Process Viewer tool. Hidden processes are generally hosted inside other processes, so an anomaly may be found when you view a process's memory image. Trojans are becoming ever harder to find; they often register themselves as a service, thus avoiding appearing in the process list. We should therefore also monitor other system information, such as the items under Software Environment in System Information.
