Windows Security Settings

Source: Internet
Author: User
Tags: microsoft, website

Elementary Security

1. Physical Security

The server should be placed in an isolated room with video surveillance installed, and the camera recordings should be kept for more than 15 days. In addition, the chassis, keyboard, and computer desk drawer should be locked so that nobody can use the computer even after entering the room, and the key should be kept in another safe place.

2. Stop the Guest account

In Computer Management, under Users, disable the Guest account so that it is never allowed to log on to the system. For added safety, it is best to give Guest a complicated password as well: open Notepad, type a long string containing special characters, numbers, and letters, and copy it in as the Guest account's password.

3. Limit the number of unnecessary users

Remove all duplicate user accounts, test accounts, shared accounts, and generic department accounts. Set the appropriate permissions through user group policy, and check the system accounts regularly to delete accounts that are no longer in use. Many of these accounts are the entry point hackers use to intrude into the system: the more accounts there are, the more likely an attacker is to obtain legitimate user permissions. On NT/2000 hosts in China, if there are more than 10 system accounts, you can usually find one or two weak-password accounts. I once found that 197 of the 180 accounts on a host were weak-password accounts.

4. Create two administrator accounts

Although this seems to conflict with the point above, it actually follows the same rule. Create an account with ordinary permissions for receiving e-mail and handling daily tasks, and use the other account, which has administrative permissions, only when needed. The administrator can use the "RunAs" command to execute tasks that require special privileges, which keeps management convenient.

5. Rename the system administrator account

As we all know, the Administrator account in Windows 2000 cannot be disabled, which means that others can try this account's password again and again. Renaming the Administrator account effectively prevents this. Of course, do not use Admin or a similar name; if you rename it, try to disguise it as an ordinary user, for example by changing it to guestone.

6. Create a trap account

What is a trap account? Look: create a local account named "Administrator", set its permissions to the lowest level, and give it a very complex password of more than 10 characters. This keeps script kiddies busy for a while and lets you discover their intrusion attempts. You can also do something with its logon script. Hey, that is enough trouble for them!
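The account steps above (disable Guest, prune unused accounts, rename Administrator, add a decoy) can be reviewed and applied from a script. The following PowerShell is an added example, not code from the original article: it assumes an elevated session and uses the WinNT ADSI provider so it runs on hosts that lack the newer LocalAccounts module. $MaxAccounts is the article's rule of thumb; the decoy description text is a constructed value.

```powershell
# Added example (not from the article): local account review and hardening.
# Assumes an elevated PowerShell session on the host being hardened.

$MaxAccounts = 10   # the article's "more than 10 accounts" threshold

function New-LongPassword {
    param([int]$Length = 32)
    # Letters, digits and symbols, as the article suggests for the Guest password.
    $chars = [char[]](65..90) + [char[]](97..122) + [char[]](48..57) +
             [char[]]'!@#$%^&*()-_=+[]{};:,.<>?'
    -join (1..$Length | ForEach-Object { $chars | Get-Random })
}

function Get-LocalAccountReport {
    # One object per local user: name, disabled flag, description.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'User') { continue }
        $flags = [int]$child.UserFlags.Value
        [pscustomobject]@{
            Name        = [string]$child.Name.Value
            Disabled    = [bool]($flags -band 0x2)   # ADS_UF_ACCOUNTDISABLE
            Description = [string]$child.Description.Value
        }
    }
}

function Test-AccountCount {
    # Flags hosts with more enabled accounts than the article's threshold (step 3).
    $enabled = @(Get-LocalAccountReport | Where-Object { -not $_.Disabled })
    [pscustomobject]@{ Enabled = $enabled.Count; TooMany = ($enabled.Count -gt $MaxAccounts) }
}

function Disable-GuestAccount {
    # Long random password plus the disabled flag (step 2).
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $guest.SetPassword((New-LongPassword))
    $guest.InvokeSet('AccountDisabled', $true)
    $guest.CommitChanges()
}

function New-DecoyAdministrator {
    # Step 6: only after the real Administrator has been renamed (step 5),
    # otherwise the name is still taken. The decoy is created as a plain user
    # with no group membership added; any logon attempt against it is worth an alert.
    if (Get-LocalAccountReport | Where-Object { $_.Name -eq 'Administrator' }) {
        throw 'Rename the real Administrator account first.'
    }
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $decoy = $computer.Create('User', 'Administrator')
    $decoy.SetPassword((New-LongPassword))
    $decoy.SetInfo()
    $decoy.Put('Description', 'Decoy account; any logon attempt is suspicious')  # constructed text
    $decoy.SetInfo()
}

Get-LocalAccountReport | Format-Table -AutoSize
Test-AccountCount
```

Run the report first; call Disable-GuestAccount and New-DecoyAdministrator only after the list has been reviewed, since the decoy creation fails by design while the real Administrator still carries its default name.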

7. Change the Shared File Permission from the "everyone" group to "authorized users"

"Everyone" in Win2000 means that any user who can access your network can read the shared information. Never assign shared files to the "Everyone" group, and this includes print shares: the default setting is the "Everyone" group, so do not forget to change it.

8. Use a Secure Password

A good password is very important for a network, but it is the easiest thing to neglect. Some of this was already explained in the previous section. Some company administrators use the company name, computer name, or similar strings as user names when creating accounts, and then set weak passwords on these accounts, for example "welcome", "iloveyou", "letmein", or the same string as the user name. Such accounts should force the user to change to a complex password at first logon, and passwords should be changed frequently afterwards. When I discussed this issue on IRC with people a few days ago, we defined a good password as one that cannot be cracked within the password-change period. That is to say, if someone else obtains your password file, it takes them 43 days or longer to crack it, while your password policy requires a change every 42 days.

9. Set screen saver password

This is easy and necessary. A screen saver password is also a barrier against internal personnel damaging the server. Do not use OpenGL or other complex screen savers, which waste system resources; use a blank (black) screen instead. It is also better to set screen saver passwords on the machines used by all system users.

10. Use NTFS partitions

Convert all partitions on the server to the NTFS format. The NTFS file system is much safer than FAT and FAT32. Needless to say, a server must use NTFS.

11. Run anti-virus software

I have never seen any anti-virus software installed on Win2000/NT servers. In fact, this is very important. Good anti-virus software can not only kill well-known viruses but also a large number of Trojans and backdoor programs, which makes the well-known Trojans used by hackers useless. Do not forget to update the virus database frequently.

12. Ensure the security of the backup disk

Once the system data is damaged, the backup disk is the only way to restore it. After the data is backed up, keep the backup disk in a safe place. Never keep the backup on the same server; in that case, it would be better not to back up at all.

Intermediate Security

1. Use win2000 security configuration tools to configure policies

Microsoft provides a set of security configuration and analysis tools based on the MMC (Microsoft Management Console). With these tools you can easily configure your servers to meet your requirements. For details, refer to the Microsoft home page:

Http://www.microsoft.com/windows2000/techi...y/sctoolset.asp

2. Disable unnecessary services

Windows 2000 Terminal Services, IIS, and RAS can introduce security vulnerabilities into your system. Terminal Services is enabled on many machines so that servers can be managed remotely and conveniently; if you have enabled it, make sure it is configured correctly. Some malicious programs can also run quietly in the form of services. Pay attention to all services enabled on the server and check them every day. The following are the services installed by default at the C2 level:

Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log

3. Disable unnecessary ports

Disabling ports means reducing the number of features, so you need to strike a balance between security and functionality. If the server sits behind a firewall there are fewer risks, but never assume you can rest easy. Use a port scanner to scan the ports the system has open and determine which services are exposed; this is also the first step a hacker takes to intrude into your system. The %SystemRoot%\system32\drivers\etc\services file contains a list of well-known ports and services for your reference. The specific method is:

Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties: enable TCP/IP filtering and add only the required TCP and UDP ports and protocols.
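The daily check of services and open ports that the two sections above call for can be scripted. The following PowerShell is an added example, not code from the original article: the service allowlist is the article's C2 default list mapped by me onto the short Windows service names, the TCP port allowlist is a constructed example for a file/print server and must be adjusted to the host's role, and the function names are this example's own. It relies only on Get-Service and the built-in netstat, so it needs no modules that older hosts lack.

```powershell
# Added example (not from the article): compare running services and listening
# TCP ports against an allowlist. Run daily and review anything it reports.

$AllowedServices = @(   # the article's C2 list, as short service names (my mapping)
    'Browser', 'DNS', 'NtLmSsp', 'RpcLocator', 'RpcSs', 'Netlogon',
    'LmHosts', 'Spooler', 'LanmanServer', 'WINS', 'LanmanWorkstation', 'EventLog'
)
$AllowedTcpPorts = @(53, 135, 139, 445)   # constructed example; adjust per host role

function Get-UnexpectedServices {
    param([string[]]$Allowed = $AllowedServices)
    # Anything running that is not on the allowlist deserves a look (article:
    # "some malicious programs can also run quietly in the form of services").
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and ($Allowed -notcontains $_.Name)
    } | Select-Object Name, DisplayName
}

function Get-ListeningTcpPorts {
    # Parse netstat output: local address:port, state and (with -o, XP or later)
    # the owning PID. On Windows 2000 run "netstat -an"; the PID column is optional here.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?\s*$') {
            $owner = $null
            if ($Matches[3]) { $owner = [int]$Matches[3] }
            [pscustomobject]@{
                Address = $Matches[1]
                Port    = [int]$Matches[2]
                OwnerPid = $owner
            }
        }
    }
}

function Get-UnexpectedPorts {
    param([int[]]$Allowed = $AllowedTcpPorts)
    # Listening ports outside the allowlist, resolved to the owning process when known.
    Get-ListeningTcpPorts | Where-Object { $Allowed -notcontains $_.Port } |
        ForEach-Object {
            $proc = $null
            if ($_.OwnerPid) { $proc = Get-Process -Id $_.OwnerPid -ErrorAction SilentlyContinue }
            $_ | Add-Member -MemberType NoteProperty -Name Process -Value $proc.ProcessName -PassThru
        }
}

Get-UnexpectedServices | Format-Table -AutoSize
Get-UnexpectedPorts | Sort-Object Port | Format-Table -AutoSize
```

A listening port with no matching entry in the services list is the case worth chasing: the article's TCP/IP filtering step blocks it at the stack, but the process that opened it should still be identified and removed.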

4. Enable Audit Policy

Enabling security auditing is the most basic intrusion detection method for Win2000. When someone attempts to intrude into your system in some way (guessing user passwords, tampering with account policies, accessing files without authorization, etc.), the attempt is recorded in the security log. Many administrators are unaware of an intrusion for months, until the system is damaged. The following audit settings must be enabled; others can be added as needed:

Policy: Setting

Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Success
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit system events: Success, Failure

5. Enable Password Policy

Policy: Setting

Password must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 42 days

6. Enable Account Lockout Policy

Policy: Setting

Reset account lockout counter after: 20 minutes
Account lockout duration: 20 minutes
Account lockout threshold: 3 invalid logon attempts
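Sections 4 to 6 above are exactly the settings a secedit security template carries, so they can be applied and verified in one step rather than clicked through the MMC snap-in. The following PowerShell is an added example, not code from the original article: the INF keys are the standard secedit [System Access] and [Event Audit] names, the values are the article's, and the temporary file paths and function names are this example's own assumptions.

```powershell
# Added example (not from the article): apply the article's audit, password and
# lockout settings with secedit (present on Windows 2000 and later). Run elevated.

$TemplatePath = Join-Path $env:TEMP 'hardening.inf'   # assumed scratch paths
$DbPath       = Join-Path $env:TEMP 'hardening.sdb'

# secedit INF template. Audit values: 1 = success, 2 = failure, 3 = both.
# Ages and lockout times are in days and minutes respectively.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 42
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3
'@

function Invoke-HardeningTemplate {
    # Write the template as Unicode (the [Unicode] header requires it) and apply it.
    Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode
    secedit /configure /db $DbPath /cfg $TemplatePath /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
}

function Test-HardeningTemplate {
    # Export the effective policy and confirm the key values actually took effect.
    $export = Join-Path $env:TEMP 'effective.inf'
    secedit /export /cfg $export /areas SECURITYPOLICY /quiet
    $effective = Get-Content $export
    [bool]($effective -match '^MinimumPasswordLength\s*=\s*6') -and
    [bool]($effective -match '^LockoutBadCount\s*=\s*3') -and
    [bool]($effective -match '^AuditLogonEvents\s*=\s*3')
}

Invoke-HardeningTemplate
Test-HardeningTemplate
```

The export check matters because a template applied with a typo in a key name is silently ignored for that key; reading the effective policy back is the only confirmation that the server is really enforcing the 42-day age and 3-attempt lockout the article specifies.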

7. Set security record Access Permissions

The security log is unprotected by default. Set it so that only the Administrator and SYSTEM accounts can access it.

8. Store sensitive files on another file server

Although the server's hard disk capacity is very large, consider whether important user data (files, data tables, project files, etc.) should instead be stored on another secure server and backed up frequently.

9. Do not allow the system to display the username of the Last login

By default, when Terminal Services connects to the server, the logon dialog box displays the account name of the last logon, and the local logon dialog box does the same. This makes it easy for others to collect user names from the system for password guessing. You can modify the registry so that the last logged-on user name is not displayed in the dialog box, specifically:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Set this REG_SZ value to 1.

10. Do not allow null connections

By default, any user can connect to the server through a null session and then enumerate accounts and guess passwords. You can modify the registry to disable null connections:

Set the value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.

11. Download the latest patches from the Microsoft website

Many network administrators do not have the habit of visiting security sites, so some vulnerabilities remain unpatched for a long time, and an unpatched server is an easy target. Nobody can guarantee that Windows 2000, with its millions of lines of code, is free of security vulnerabilities. Visiting Microsoft and some security sites regularly to download the latest service pack and vulnerability patches is the only way to keep a server secure in the long term.

Advanced Security

1. Disable DirectDraw

This is a requirement of the C2 security standard for video cards and memory. Disabling DirectDraw may affect some programs that require DirectX (such as games; playing StarCraft on a server? My head spins...), but the vast majority of commercial sites are unaffected. Set the Timeout (REG_DWORD) value under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI to 0.
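The three registry values named in the intermediate sections 9 and 10 and in the section just above (DontDisplayLastUserName, RestrictAnonymous, and the DCI Timeout) can be audited and set from one script. The following PowerShell is an added example, not code from the original article: the paths, value names and types are the real Windows values the article cites, while the $Settings table layout, the -Apply switch and the function name are this example's own.

```powershell
# Added example (not from the article): audit the three registry hardening values
# and optionally apply them. Assumes an elevated PowerShell session.

$Settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'DontDisplayLastUserName'; Type = 'String'; Value = '1'
       Why  = 'hide the last logged-on account from the logon dialog' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Type = 'DWord'; Value = 1
       Why  = 'stop null-session enumeration of accounts and shares' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI'
       Name = 'Timeout'; Type = 'DWord'; Value = 0
       Why  = 'disable DirectDraw (C2 requirement for video memory)' }
)

function Test-RegistryHardening {
    param([switch]$Apply)   # without -Apply the function only reports
    foreach ($s in $Settings) {
        # A missing value or a missing key both count as non-compliant.
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $ok = ($null -ne $current) -and ("$current" -eq "$($s.Value)")
        if (-not $ok -and $Apply) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type `
                             -Value $s.Value -Force | Out-Null
            $ok = $true
        }
        [pscustomobject]@{
            Name      = $s.Name
            Current   = $current
            Expected  = $s.Value
            Compliant = $ok
            Purpose   = $s.Why
        }
    }
}

Test-RegistryHardening | Format-Table -AutoSize
# Test-RegistryHardening -Apply   # uncomment to enforce the values
```

Run the report without -Apply first; the output makes a useful periodic compliance check on its own. Note that RestrictAnonymous = 1 as the article specifies still permits some anonymous queries on Windows 2000; the stricter value 2 exists but can break domain trusts and browsing, which is why the article stops at 1.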

2. Disable default share

After Win2000 is installed, the system creates some hidden shares. You can view them by running net share at a cmd prompt. There are many articles about IPC$ intrusion on the Internet, so you are probably familiar with it. To disable a share, choose Administrative Tools > Computer Management > Shared Folders > Shares, right-click the shared folder, and click Stop Sharing. However, after the machine restarts, these shares are re-created.

Default shares, their paths and functions:

C$, D$, E$ ... : root directory of each partition. In Win2000 Pro only Administrators and members of the Backup Operators group can connect to these shares; on Win2000 Server the Server Operators group can connect to them as well.

ADMIN$ : %SYSTEMROOT%, used for remote management.
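The share listing and removal described above can be scripted, and the script can also address the failure mode the article points out (the shares come back after a reboot). The following PowerShell is an added example, not code from the original article: it parses the built-in net share output, and the AutoShareServer/AutoShareWks values it uses to stop the automatic re-creation are standard LanmanServer parameters that the article itself does not mention. The function names and the default keep-list are this example's own.

```powershell
# Added example (not from the article): list, remove, and keep removed the
# default administrative shares. Assumes an elevated PowerShell session.

function Get-AdminShares {
    # Parse "net share": hidden administrative shares end in "$". The path
    # column is optional because IPC$ has no path.
    net share | ForEach-Object {
        if ($_ -match '^(\S+\$)\s+([A-Za-z]:\S*)?\s*(.*)$') {
            [pscustomobject]@{
                Share  = $Matches[1]
                Path   = $Matches[2]
                Remark = $Matches[3].Trim()
            }
        }
    }
}

function Remove-AdminShares {
    # Remove every administrative share except those in $Keep. IPC$ is kept by
    # default because named-pipe access (and net use itself) depends on it.
    param([string[]]$Keep = @('IPC$'))
    Get-AdminShares | Where-Object { $Keep -notcontains $_.Share } | ForEach-Object {
        $share = $_.Share
        net share $share /delete
    }
}

function Set-AutoSharePersistence {
    # 0 stops the Server service re-creating C$, ADMIN$ etc. at the next start;
    # 1 restores the default behaviour. AutoShareServer applies to Server
    # editions, AutoShareWks to Professional; setting both is harmless.
    param([int]$Enabled = 0)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Enabled -Force | Out-Null
    }
}

Get-AdminShares | Format-Table -AutoSize
# Remove-AdminShares; Set-AutoSharePersistence   # uncomment to enforce
```

Before removing the shares, check what depends on them: backup agents, software distribution and remote administration tools commonly use ADMIN$ and C$, which is the trade-off the article's "decide between security and functionality" remark refers to.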
