Build a safer system: Start With permission Control

After frequent system recruitment, we realized that we should not use an account with administrator permissions to log on.WindowsTo avoid malware. This reminder cannot be said. However Important measures to prevent windows from being affected by malware. I will explain all these measures below:

　1. Several initial steps to lock windows

The following are the basic steps for locking windows:

· Run the hardware and software firewalls of your entire network on each host, such as WindowsXPSP2 Windows Firewall.

· Use tool software to ensure that the latest upgrade software and service packages are used for windows and all other software in a timely manner. If you only manage a small number of systems, you can use the automatic upgrade tool. If you manage a large number of computers, you can use Windows server to upgrade the service.

· Use the latest anti-virus software with the latest signature library. For more information about anti-virus software vendors, seeMicrosoftAnti-Virus Software partner webpage.

· Use the latestSpywareProtection tools, such as Microsoft's Windows antispyware.

　2. run Windows with lower Permissions

As you know, executing an application by someone without administrator permissions may cause the application to crash. It is usually very easy to handle this inconvenient problem. For example, in computer games \ProGram files. This path is under the sub-directory of the game rather than under the user configuration file. By allowing unauthorized users to "fully control" sub-directories of the program, you can run the game regardless of the permissions you have.

Below are some resources for running the application with low permissions:

· Windows 2000 and later versions have a tool named "RunAs. This tool allows you to use an administrator account to run specific applications after logging on with an account without permission.

· When you log on with an account that has no permissions, makemeadmin is a very useful tool and software. This software allows you to execute specific applications with administrator permissions. Aaron margosis discussed this issue in depth. You can see more related articles in his network logs.

· The tool software named dropmyrights adopts the opposite method. This tool enables you to runBrowserAnd the email client software and other applications with the greatest risk, give up the Administrator permission. If you manage a large network, you may want to check the dropmyrights software that enables the Group Policy function.

Remember that some websites may not be accessible when you access some websites as unauthorized users. For example, websites that enable SSL and some websites that use ActiveX controls may not work. Privbar is a ready-made tool that can trace whichIEThe file in the browser is run with the Administrator permission, but not with the Administrator permission.

 

　　3. Do not run unreliable source code

The following advice is clearly raised to security personnel in the security group: Do not run code from untrusted sources. By avoiding suspicious websites that provide inappropriate content, avoiding pirated software, and using P2P file sharing services, you can significantly reduce risks in these areas. What do you know?PhishingAttack and how to avoid phishing attacks. Next, you should use strong passwords at home or at work. It is best to use smart cards and other types of identification tools.

　　4. Protect the new system when installing the computer

Remember that there are manyWormActive activities on the Internet, even in many enterprise networks. Therefore, before you implement the above measures, you need to take simple steps to protect the system:

· If you use network-based installation technologies, such as remote installation services, you must create a system network dedicated to creating a new system network. This new system does not allow direct communication with potentially dangerous networks.

· If you use other automated system creation programs, such as a disk image with the sysprep program, use the software firewall to set this image.

· If you manually install the system, you should disable the network for system installation and enable the firewall function, and then access the network, or install the system when the system is protected by the hardware firewall.

Fortunately, Windows XP SP2 and Windows Server 2003 SP1 are enabled by default. Most computer manufacturers pre-install the above two types of computer productsOperating System.

　5. Related Resources

Here are some additional resources for IT professionals to help them lock windows:

· The antivirus defense-in-depth Guide provides a more detailed guide to avoid malware.

· The Windows Server 2003 Security Guide provides detailed instructions to enhance security based on server tasks.

· The Windows XP security guide reveals how to enhance the security of Windows XP.

· Threats and Countermeasures: The security settings of Windows Server 2003 and Windows XP systems can be used as reference files for other security guides, includes information about security settings provided in windows and the possible consequences of using (or not using) these security settings.

· Windows 2000 Server Security Solution: although this solution has been around for several years, it provides a guide to enhance the security of Windows 2000 Servers Based on tasks.