8 tips to ensure Windows 2000 Security

Source: Internet
Author: User

Windows 2000 has a very large user base, which makes it the most frequently attacked system. That does not mean Windows 2000 is inherently insecure: configured and managed sensibly, it is still reasonably safe. I have used Windows 2000 for quite some time and have gradually worked out some ways to keep it secure. These are my personal opinions; please correct me where they fall short.

Secure installation to minimize worries

Windows 2000 system security should be built up bit by bit, starting with installation, but this is often ignored. Note the following when installing Windows 2000:

1. Do not choose to install from the network

Although Microsoft supports online installation, it is absolutely insecure. Do not connect to the network, especially the Internet, before the system is fully installed! Do not even connect all of the hardware during installation. During Windows 2000 installation, after you enter the password for the "Administrator" account, the system creates the "ADMIN$" share, but it does not use the password you just entered to protect it. This situation continues until the computer is restarted. During this period, anyone can access the system through "ADMIN$". In addition, as soon as installation is complete, various services start running automatically, and with the server still full of unpatched vulnerabilities, it is very easy to break into from outside.

2. Select NTFS format for partitioning.

It is best that all partitions are in the NTFS format, because the partitions in the NTFS format are more secure. Even if other partitions use other formats (such as FAT32), at least the partition where the system is located should be in NTFS format.

In addition, do not place applications on the same partition as the system, so that an application vulnerability (Microsoft's IIS vulnerabilities, for example, are well known) cannot expose system files or even let an attacker obtain administrator privileges remotely.

3. System Version Selection

We generally like software with a Chinese interface, but for Microsoft products, due to geographical and market factors, the English version is released first and versions in other languages follow. In other words, the native language of Windows is English, so the native version should have far fewer vulnerabilities than the localized versions. This is borne out in practice: the Chinese Input Method vulnerability in Windows 2000 is widely known.

The secure installation steps above only reduce your worries. Never think that they settle the matter once and for all. There is still a lot of work waiting for you. Please continue.

Human Factors to ensure system security

When a system is not secure, do not just blame the software. Think more about the human factors! From the administrator's point of view, the following points should be noted in day-to-day management:

1. Follow the latest vulnerabilities, patch promptly, and install a firewall

Administrators are responsible for maintaining system security, keeping up with the latest vulnerability information, and applying patches in a timely manner. This is the simplest and most effective way to maintain system security. I recommend a good security site abroad: http://www.eeye.com. Installing the latest version of a firewall is also a necessary help. But remember: there is no absolute security, and patches always lag behind the vulnerability announcement. Trusting blindly in system patches and firewalls is not workable!

2. Disable null (anonymous) connections and keep others outside the door

Attackers often use shares to launch attacks. This is not actually a vulnerability; the real pity is that the administrator's account and password are often too simple. Since they cannot be kept safe, it is better to disable them!

This is mainly achieved by modifying the registry. The primary key and key values are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]

RestrictAnonymous = DWORD: 00000001

3. Disable administrative shares

In addition to the above, disable these as well!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

AutoShareServer = DWORD: 00000000
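To check whether a host actually carries the two registry settings from points 2 and 3, the added example below (not part of the original article) audits a text export of the registry. It assumes the export is in REGEDIT4 text format; the sample export is constructed, and the function names are illustrative.

```python
import re

# Hardened values taken from the article; keys are (registry path, value name).
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA",
     "RestrictAnonymous"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer"): 0,
}

# Constructed sample export (REGEDIT4 text format), not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):00,00
'''

def parse_dwords(text):
    """Return {(KEY_PATH_UPPER, VALUE_NAME_UPPER): int} for every dword value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()  # registry paths are case-insensitive
        elif key:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[(key, m.group(1).upper())] = int(m.group(2), 16)
    return values

def audit(text):
    """List findings where a value is missing or differs from the article's setting."""
    found = parse_dwords(text)
    findings = []
    for (path, name), want in EXPECTED.items():
        got = found.get((path.upper(), name.upper()))
        if got != want:
            state = "not set" if got is None else f"{got:#010x}"
            findings.append(f"{path}\\{name}: {state}, expected {want:#010x}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

A missing AutoShareServer value is reported as a finding because the article's setting has to be present explicitly for the administrative shares to be disabled.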

4. Well-designed passwords to prevent intrusion

Haha, after reading points 2 and 3 above, experienced readers will naturally have thought of this one. Yes, it is a cliché, but many servers are compromised because the administrator password is too simple.

For password settings, I suggest: ① The length should be more than 8 characters. ② Use a complex combination of uppercase and lowercase letters, numbers, and special symbols, such as G1aLe^. Do not use passwords of the "plain word" or "word plus digits" type, such as gale and gale123.

Note: The SA password in MSSQL 7.0 must not be blank! By default, the "SA" password is empty, and its permission level is "admin". Think about the consequences.

5. Limit the number of users in the Administrators group

Strictly limit the users in the Administrators group. Always ensure that only one Administrator (yourself) is a member of the group. Check the group's membership at least once a day and delete any extra users you find! Undoubtedly, such new users must be backdoors left by intruders! At the same time, pay attention to the Guest user. Smart intruders generally do not add unfamiliar user names, which are easily noticed by administrators. They usually activate the Guest user first, then change its password and put it in the Administrators group. But why would Guest turn up in the Administrators group for no reason? Stop it!

6. Stop unnecessary services

Running too many services is not a good thing. Please turn off unnecessary services! In particular, if even the administrator does not know what a service is or what it does, turn it off! This prevents disasters for the system.

In addition, if the administrator does not travel and has no need to manage the computer remotely, it is best to disable all remote network logon functions. Note: Unless necessary, disable the "Task Scheduler" and "RunAs Service" services!

Stopping a service is very simple. Run cmd.exe and enter net stop servername, where servername is the name of the service.

7. Administrators should discipline themselves and not use the company's servers for private purposes.

Besides acting as a server, Windows 2000 Server can also be used like an individual user's computer to browse Web pages and send and receive e-mail. As an administrator, you should use the server's browser as little as possible, to avoid Trojan infection and exposure of the company's private information through browser vulnerabilities. Microsoft IE has many vulnerabilities; surely you are aware of that? In addition, use tools such as Outlook on the server as rarely as possible to send and receive e-mail, to avoid virus infections that cause losses to the enterprise.

8. Pay attention to local security

It is important to prevent remote intrusion, but the local security of the system cannot be ignored. An intruder may not be far away; they may be right beside you!

(1) Install the latest patches in time to guard against the Input Method vulnerability. The Input Method vulnerability does not only allow local intrusion. If Terminal Services is enabled, the door to the system is wide open, and any machine with a terminal client can easily break in!

(2) Do not display the last logged-on user.

If your machine has to be shared by many people (in fact, a real server should not be), it is very important to hide the last logged-on user name, so that others cannot use it to guess the password. The setting method is as follows: in [Start] → [Programs] → [Administrative Tools] → [Local Security Policy], open "Security Options" under "Local Policies", double-click "do not display the user name of the last logon on the login screen" on the right, select "enabled", and then click [OK]. The user name that was last logged on will no longer be displayed in the User Name box the next time you log on.

 
