Attack and Defense Practices: System Intrusion Prevention

Source: Internet
Author: User

1. Security Technical Measures to Prevent the Host from Becoming a Zombie

1. Reinforce the System Using the Operating System's Own Features

An operating system is usually installed with its default settings. If it is not hardened, its security cannot be guaranteed, and an attacker can exploit it and turn the host into a zombie. The first step in preventing a host from becoming a zombie is therefore system reinforcement.

Since most users still use Windows XP, all content in this article is based on Windows XP.

(1) Enhance the security of system logon accounts and passwords

System passwords must meet complexity and minimum-length requirements. A password should mix uppercase and lowercase letters, digits, and special characters (punctuation and symbols), and should be at least 8 characters long.

To prevent attackers from logging on with a default account, set a strong password for the Administrator account and disable the Guest account.

(2) Turn off Remote Assistance and Remote Desktop

Right-click My Computer on the desktop, choose Properties, and open the Remote tab of System Properties. Clear both check boxes: the one that allows Remote Assistance invitations to be sent from this computer and the one that allows users to connect remotely (Remote Desktop).

(3) Disable dangerous system services

In Windows XP, several listening ports belong to system services; Terminal Services, for example, listens on TCP port 3389. Disabling unnecessary services therefore reduces both resource consumption and the attack surface. Be aware that disabling the Server service stops this machine from offering file and printer shares, and that Terminal Services also backs Fast User Switching and Remote Assistance, so expect those features to stop working.

Click Start, then Run, type services.msc and press Enter to open the Services console. Disable the following services:

NetMeeting Remote Desktop Sharing
Remote Desktop Help Session Manager
Remote Registry
Routing and Remote Access
Server
TCP/IP NetBIOS Helper
Telnet
Terminal Services


(4) Disable ports 137, 138, 139, and 445

Right-click My Network Places on the desktop and choose Properties. Open the properties of Local Area Connection, then the properties of Internet Protocol (TCP/IP). Click Advanced, open the WINS tab, and select "Disable NetBIOS over TCP/IP"; this closes ports 137, 138, and 139. To stop serving SMB on port 445, clear "File and Printer Sharing for Microsoft Networks" in the Local Area Connection properties. Afterwards, run netstat -an and confirm which of these ports, if any, are still in the LISTENING state.

(5) Enable the system audit policy

Click Start, then Run, type gpedit.msc and press Enter to open the Group Policy Editor (it ships with Windows XP Professional; Home Edition does not include it). Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, and enable success auditing for Audit logon events, Audit object access, Audit system events, and Audit account logon events. Auditing failures as well is what makes password-guessing attempts visible in the log.

(6) User Rights Assignment

In the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Remove every user from "Access this computer from the network" and make sure "Everyone" is listed in "Deny access to this computer from the network". Likewise, remove every user from "Allow logon through Terminal Services" and make sure "Everyone" is listed in "Deny logon through Terminal Services". After this, no account can reach this machine's shares over the network, which is the intent for a stand-alone client.

(7) Disable default shares

In the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Enable "Network access: Do not allow anonymous enumeration of SAM accounts" and "Network access: Do not allow anonymous enumeration of SAM accounts and shares". Then clear every entry from "Network access: Shares that can be accessed anonymously", "Network access: Named pipes that can be accessed anonymously", and "Network access: Remotely accessible registry paths".

Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Create a DWORD value named AutoShareWks and set it to 0. On a workstation edition such as Windows XP this is the value that stops the automatic C$, D$, E$, and ADMIN$ shares from being created at startup; AutoShareServer is the equivalent read by server editions, and setting it to 0 as well does no harm. IPC$ is not affected by either value. Shares that already exist remain until the next reboot unless you delete them with net share.

Finally, open Windows Explorer, choose Folder Options from the Tools menu, and in the Advanced settings list on the View tab clear "Use simple file sharing (Recommended)". While simple file sharing is on, every network logon is authenticated as the Guest account, so the per-account restrictions above would not apply as written.
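The seven steps above, applied from the command line and then read back, as an added example that is not code from the original article. It assumes Windows XP SP3 Professional with Windows PowerShell 2.0 installed (a separate download on XP) and a session running as a local Administrator; the service names, registry values and secedit template keys are the standard ones for XP. Two deliberate differences from the page: auditing is set to both success and failure, and the user-rights changes leave no account able to reach this machine over the network.

```powershell
# Added example, not code from the original article: the seven reinforcement steps above
# applied from the command line and then read back. Assumes Windows XP SP3 Professional
# with Windows PowerShell 2.0 installed and a session running as a local Administrator.
# Two deliberate differences from the page: auditing covers success and failure (3),
# and the user-rights changes leave no account able to reach this machine over the network.
$cc = 'HKLM:\SYSTEM\CurrentControlSet'
# Service names behind the display names listed in step (3).
$DangerousServices = 'mnmsrvc','RDSessMgr','RemoteRegistry','RemoteAccess',
                     'lanmanserver','LmHosts','TlntSvr','TermService'
# Steps (1), (5), (6): password policy, audit policy and user rights via a secedit template.
# *S-1-1-0 is the well-known SID of Everyone; a right with nothing after "=" means "no one".
function Set-SecurityTemplate {
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditSystemEvents = 3
AuditAccountLogon = 3
[Privilege Rights]
SeNetworkLogonRight =
SeDenyNetworkLogonRight = *S-1-1-0
SeRemoteInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
'@
    $inf | Set-Content -Path "$env:TEMP\harden.inf" -Encoding Unicode
    secedit /configure /db "$env:TEMP\harden.sdb" /cfg "$env:TEMP\harden.inf" /areas SECURITYPOLICY USER_RIGHTS | Out-Null
    cmd /c 'net user Guest /active:no >nul 2>&1'
}

# Step (2): the two check boxes on the Remote tab of System Properties.
function Disable-RemoteAccess {
    Set-ItemProperty "$cc\Control\Terminal Server"   fDenyTSConnections 1 -Type DWord
    Set-ItemProperty "$cc\Control\Remote Assistance" fAllowToGetHelp    0 -Type DWord
}

# Step (3): Disabled start type, stopped now where possible (Terminal Services will not stop
# while in use; its Disabled start type takes effect after the reboot).
function Disable-DangerousServices {
    foreach ($name in $DangerousServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }                  # not installed on this edition
        Set-Service -Name $name -StartupType Disabled
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    }
}

# Step (4): NetbiosOptions = 2 is "Disable NetBIOS over TCP/IP" (137-139) for every adapter.
function Disable-NetBiosOverTcp {
    Get-ChildItem "$cc\Services\NetBT\Parameters\Interfaces" |
        ForEach-Object { Set-ItemProperty $_.PSPath NetbiosOptions 2 -Type DWord }
}

# Step (7): no anonymous enumeration, no automatic admin shares, no simple file sharing.
function Disable-DefaultShares {
    Set-ItemProperty "$cc\Control\Lsa" RestrictAnonymous    1 -Type DWord
    Set-ItemProperty "$cc\Control\Lsa" RestrictAnonymousSAM 1 -Type DWord
    Set-ItemProperty "$cc\Control\Lsa" ForceGuest           0 -Type DWord   # simple file sharing off
    $lm = "$cc\Services\LanmanServer\Parameters"
    Set-ItemProperty $lm AutoShareWks    0 -Type DWord     # the value a workstation edition reads
    Set-ItemProperty $lm AutoShareServer 0 -Type DWord     # read by server editions; harmless here
    Set-ItemProperty $lm NullSessionShares -Value ([string[]]@()) -Type MultiString
    Set-ItemProperty $lm NullSessionPipes  -Value ([string[]]@()) -Type MultiString
    foreach ($share in 'C$','D$','E$','ADMIN$') { cmd /c "net share $share /delete >nul 2>&1" }
}

# Read the settings back; run it again after the reboot, when the service and NetBT changes apply.
function Test-XPHardening {
    $checks = @(
        @{Name='RDP denied';            Path="$cc\Control\Terminal Server";   Value='fDenyTSConnections'; Expect=1},
        @{Name='Remote Assistance off'; Path="$cc\Control\Remote Assistance"; Value='fAllowToGetHelp';    Expect=0},
        @{Name='Anonymous restricted';  Path="$cc\Control\Lsa";               Value='RestrictAnonymous';  Expect=1},
        @{Name='AutoShareWks off';      Path="$cc\Services\LanmanServer\Parameters"; Value='AutoShareWks'; Expect=0}
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty $c.Path -ErrorAction SilentlyContinue).($c.Value)
        New-Object PSObject -Property @{Check=$c.Name; Expected=$c.Expect; Actual=$actual; Pass=($actual -eq $c.Expect)}
    }
    foreach ($name in $DangerousServices) {
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        if ($mode) { New-Object PSObject -Property @{Check="service $name"; Expected='Disabled'; Actual=$mode; Pass=($mode -eq 'Disabled')} }
    }
    # Local ports that must no longer be LISTENING on any address once the changes are active.
    $listening = netstat -an | Select-String 'LISTENING' | ForEach-Object { ($_.Line.Trim() -split '\s+')[1] -replace '.*:', '' }
    foreach ($port in 139, 445, 3389) {
        $open = $listening -contains "$port"
        New-Object PSObject -Property @{Check="port $port closed"; Expected='closed'; Actual=$(if ($open) {'LISTENING'} else {'closed'}); Pass=(-not $open)}
    }
}
Set-SecurityTemplate; Disable-RemoteAccess; Disable-DangerousServices; Disable-NetBiosOverTcp; Disable-DefaultShares
Test-XPHardening | Format-Table Check, Expected, Actual, Pass -AutoSize
```

The secedit template carries the settings the GUI exposes under Account Policies, Audit Policy and User Rights Assignment, so one run replaces steps (1), (5) and (6); the registry writes cover the remaining steps. Test-XPHardening is the part worth keeping: the port checks in particular will only show the true state after the reboot that the service and NetBT changes need.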

2. Reinforce the Operating System Using Security Software

Beyond the operating system's own settings, installing the appropriate security software further strengthens the system.

(1) Install anti-virus software

Anti-virus software is installed mainly to stop attackers from taking control of the host with a Trojan. Update the virus database immediately after installation, and configure it to update automatically every day.

(2) Install a firewall

Intrusions usually begin with a scan of the system for high-risk ports, so closing the high-risk ports (such as 135, 137, 138, 139, 445, and 3389) is necessary. The previous section showed how to close them by hand; security software can enforce the same result. In addition, the processes and applications allowed to communicate with the Internet should be restricted, to limit the damage a vulnerability in a network application can cause.

Windows XP does ship with a built-in firewall (Windows Firewall since SP2), but it filters inbound connections only and does not restrict which programs may connect outward, so it falls short of these requirements. A third-party firewall addresses this.

Firewalls on the market provide the basic functions of packet filtering and application tracking, and each adds its own features. Tiny Firewall, for example, combines an application-layer firewall with IDS, file integrity checking, and active defense. It also provides real-time network connection monitoring, which shows which ports each connected application uses, what it is connected to, and the remote IP address. Figure 1 shows its network connection monitoring interface.

Figure 1 Tiny Firewall network connection monitoring page

(3) Use a Proxy Server

To scan a computer, an attacker first needs its public IP address, so hiding that address makes attacks harder. The usual way to hide it is a proxy server: the destination sees the proxy's address instead of yours. Ordinary users can use an HTTP proxy, or install simple proxy client software, to hide their IP address. Bear in mind that the proxy operator sees everything routed through it, so use only a proxy you trust.

Using a web-based HTTP proxy is simple. Visit a site that offers the service, for example http://www.web4proxy.com/ (Figure 2), type the address you want to visit into the text box next to the "start browsing" button, and the site is fetched on your behalf with your IP address hidden from it.

Figure 2 WEB Proxy Interface

An HTTP proxy only prevents your IP address from leaking through web browsing. To hide it during other network activity, such as QQ chat or online games, proxy client software must be installed on the system.

Waysonline is proxy client software that needs no installation; you must register a free account before using it.


Figure 3 Waysonline webpage logon page

Enter the account name and password to log on. Then right-click the green "W" icon in the Windows taskbar; the "running program" item of its menu lets you choose among the available proxy modes.

2. Security Management Measures to Prevent the Host from Becoming a Zombie

Even with the technical measures in place, they become useless if the system is not managed properly and our own network behavior is not kept under control.

Security management measures can be implemented in two parts: System Security Management and network operation behavior management.

1. System Security Management

A comprehensive system security management should include the following:

(1) Operating system patch management. Patching the system is essential. Windows XP's own Automatic Updates can do this, as can the "repair system vulnerabilities" function of 360 Security Guard.

(2) Network application updates. Upgrade QQ, MSN, the web browser, and other network-facing applications to the latest version promptly.

(3) Virus database and firewall rule review. Even with automatic updates enabled, update the virus database on schedule and again by hand before each manual scan. Review the firewall rules, especially the application rules, regularly, and remove any rule you did not add yourself.

(4) Regular review of the system audit logs. Check the logs produced by the audit policy to determine whether an intrusion has been attempted or has succeeded.

(5) Get into the habit of looking at the running processes. The "comprehensive system diagnosis" function of 360 Security Guard shows the details of every process running on the system.

(6) Check the current network connections frequently. If Tiny Firewall is not installed, the "network connection status" item on the "advanced" tab of 360 Security Guard shows the same information (Figure 6); netstat -ano, which ships with Windows, lists the connections with their owning process IDs.

Figure 6 360 Network Connection status of security guard
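Items (4) to (6) above as a script, as an added example that is not code from the original article or from any of the products it names. It parses the output of netstat -ano, attaches the owning process to each socket, flags listeners on the ports the article calls high-risk and every outbound connection to a public address, and counts failed logons in the Security log. It assumes Windows XP SP3 with Windows PowerShell 2.0 and an Administrator session; the sample netstat lines, PIDs and addresses are constructed for offline testing, not a real capture.

```powershell
# Added example, not code from the original article: items (4) to (6) above as a script.
# It parses "netstat -ano", attaches the owning process to each socket, flags listeners on
# the ports the article calls high-risk and every outbound connection to a public address,
# and counts failed logons in the Security log. Assumes Windows XP SP3 with Windows
# PowerShell 2.0 and an Administrator session (the Security log is not readable otherwise).
# The sample netstat lines are constructed for offline testing, not a real capture.
$RiskyPorts = 135, 137, 138, 139, 445, 3389

function Test-PrivateAddress([string]$ip) {
    # RFC 1918 ranges, loopback, the unspecified address and netstat's "*" placeholder
    return $ip -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0$|\*)'
}

function ConvertFrom-NetstatOutput([string[]]$Lines) {
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { continue }   # title, header and blank lines
        $local = $f[1] -split ':'; $remote = $f[2] -split ':'
        New-Object PSObject -Property @{
            Proto = $f[0]; LocalAddr = $local[0]; LocalPort = [int]$local[1]
            RemoteAddr = $remote[0]; RemotePort = $remote[1]
            State = $(if ($f[0] -eq 'TCP') { $f[3] } else { '' })   # UDP rows have no State column,
            PID = [int]$f[-1]                                       # so take the PID from the end
        }
    }
}

function Add-OwningProcess($Sockets) {
    foreach ($s in $Sockets) {
        $p = Get-WmiObject Win32_Process -Filter "ProcessId=$($s.PID)"
        $s | Add-Member NoteProperty Process $(if ($p) { $p.Name } else { 'unknown' })
        $s | Add-Member NoteProperty Path    $(if ($p) { $p.ExecutablePath } else { '' })
        $s
    }
}

function Find-RiskyConnections($Sockets) {
    foreach ($s in $Sockets) {
        $reason = $null
        if (($s.State -ne 'ESTABLISHED') -and ($RiskyPorts -contains $s.LocalPort) -and ($s.LocalAddr -ne '127.0.0.1')) {
            $reason = "high-risk port $($s.LocalPort) open to the network"
        } elseif (($s.State -eq 'ESTABLISHED') -and -not (Test-PrivateAddress $s.RemoteAddr)) {
            $reason = "outbound connection to public address $($s.RemoteAddr):$($s.RemotePort)"
        }
        if ($reason) { $s | Add-Member NoteProperty Reason $reason -PassThru }
    }
}

# Windows XP writes the pre-Vista event IDs: 529-537 and 539 are the logon-failure events.
function Get-FailedLogons([int]$Hours = 24) {
    $ids = @(529..537) + 539
    Get-EventLog -LogName Security -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.EventID } | Group-Object EventID | Select-Object Name, Count
}

# Constructed sample in the layout "netstat -ano" prints; the 6667 row stands in for an IRC C2 session.
$Sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1756
  TCP    192.168.1.10:1044      203.0.113.7:6667       ESTABLISHED     2212
  TCP    192.168.1.10:1051      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
'@ -split "`n"

$Live = $false                       # $true analyses this machine instead of the sample
if ($Live) { $raw = netstat -ano } else { $raw = $Sample }
$sockets = Add-OwningProcess (ConvertFrom-NetstatOutput $raw)
Find-RiskyConnections $sockets |
    Format-Table Proto, LocalAddr, LocalPort, RemoteAddr, RemotePort, PID, Process, Reason -AutoSize
Get-FailedLogons | Format-Table Name, Count -AutoSize
```

The sample deliberately mixes rows that should and should not be reported: the loopback-only listener and the established session to a private address are left alone, while listeners bound to all addresses on the high-risk ports and the outbound session to a public address on an unusual port are returned with a Reason. On a live machine the Process and Path columns are what make a flagged row actionable, which is the same information the Tiny Firewall and 360 Security Guard screens present.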

2. User Network Operation Behavior Control

The network behaviors to be controlled include:

(1) Use a browser with a good security record, and only browse news or download MP3, MP4, and software from reputable sites.

(2) Type the URL into the browser's address bar to reach a site rather than following a link. Some online banking sites use EV SSL certificates to mark the site's authenticity: when the IE8 address bar turns green, the site has presented an Extended Validation certificate issued to a verified organization, which confirms you are talking to that organization, not that the page itself is safe. Also, do not casually click links received by email or in instant messaging software such as QQ; this greatly reduces the risk of phishing.

(3) Do not visit pornographic or gambling websites.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
