Windows System Security Settings: Elementary Security

Source: Internet
Author: User

 

1. Physical Security

The server should be placed in an isolated room with a surveillance camera installed, and the camera recordings should be kept for more than 15 days. In addition, the chassis, keyboard, and computer desk drawer should be locked so that others cannot use the computer even if they enter the room, and the key should be kept in another safe place.

2. Stop the Guest account

In Computer Management, under Users, disable the Guest account so that it cannot log on to the system at any time. For extra security, it is best to also give Guest a complicated password. You can open Notepad, enter a long string containing special characters, numbers, and letters, and copy it in as the password of the Guest account.

3. Limit the number of unnecessary users

Remove all duplicate user accounts, test accounts, shared accounts, and common department accounts. Use user group policy to set the corresponding permissions, and regularly check the system accounts and delete those that are no longer in use. Many of these accounts are an entry point for hackers to intrude into the system. The more accounts there are, the more likely hackers are to gain a legitimate user's permissions. For NT/2000 hosts in China, if there are more than 10 system accounts, you can usually find one or two weak-password accounts. I once found that 197 of the 180 accounts on a host are weak password accounts.

4. Create two administrator accounts

Although this seems to conflict with the previous item, it actually follows the same rule. Create one account with general permissions to receive email and handle daily tasks, and a second account with administrative permissions that is used only when needed. The administrator can use the "RunAs" command to run tasks that require special privileges, which keeps management convenient.

5. Rename the system administrator account

As we all know, the Administrator account of Windows 2000 cannot be deactivated, which means that others can try passwords against this account again and again. Renaming the Administrator account can effectively prevent this. Of course, do not rename it to Admin or a similarly obvious name. If you change it, try to disguise it as a common user, for example, change it to guestone.

6. Create a trap account

What is a trap account? Create a local account named "Administrator", set its permissions to the lowest level, and give it a very complex password of more than 10 characters. This keeps the script kiddies busy for a while, and their intrusion attempts can be discovered. You can also do something in its login script. Sneaky enough!
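
The account checks from items 2, 3, 5 and 6 can be scripted. This is an added example, not part of the original article; it assumes a current Windows host with the `Microsoft.PowerShell.LocalAccounts` module, an elevated session, and logon-failure auditing enabled, and the 90-day staleness threshold is an assumed value.

```powershell
# Added example: audit local accounts against items 2, 3, 5 and 6.
$StaleDays = 90                 # assumed threshold for "no longer in use"
$DecoyName = 'Administrator'    # trap account name suggested in item 6

$users = Get-LocalUser
$findings = foreach ($u in $users) {
    # The last SID component (RID) identifies built-ins: 500 = administrator, 501 = guest.
    $rid = $u.SID.Value.Split('-')[-1]
    if ($rid -eq '501' -and $u.Enabled) {
        [pscustomobject]@{ Account = $u.Name; Issue = 'Built-in Guest is enabled (item 2)' }
    }
    if ($rid -eq '500' -and $u.Name -eq 'Administrator') {
        [pscustomobject]@{ Account = $u.Name; Issue = 'Built-in administrator not renamed (item 5)' }
    }
    if ($u.Enabled -and $rid -notin @('500', '501') -and
        (-not $u.LastLogon -or $u.LastLogon -lt (Get-Date).AddDays(-$StaleDays))) {
        [pscustomobject]@{ Account = $u.Name; Issue = "No logon in $StaleDays days (item 3)" }
    }
}
$findings | Format-Table -AutoSize

# Item 6: a decoy is an account with the well-known name but not the built-in RID 500.
$decoy = $users | Where-Object { $_.Name -eq $DecoyName -and $_.SID.Value -notlike '*-500' }
if ($decoy) {
    # Event 4625 = failed logon. Any hit naming the decoy is worth investigating,
    # because no legitimate user has a reason to log on with it.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Source = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        } |
        Where-Object Target -eq $DecoyName |
        Format-Table -AutoSize
} else {
    Write-Output "No decoy account named '$DecoyName' found (item 6)."
}
```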

7. Change the shared file permission from the "Everyone" group to "authorized users"

"Everyone" in Windows 2000 means that any user who can reach your network can obtain the shared information. Never grant file shares, or shared printers, to the "Everyone" group. "Everyone" is the default setting, so do not forget to change it.

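One way to find and correct shares that still grant access to Everyone, as an added example that is not part of the original article. It assumes the `SmbShare` module (Windows 8 / Server 2012 or later) and an elevated session; the group name `EXAMPLE\ShareUsers` is a hypothetical placeholder.

```powershell
# Added example: find share-level permissions granted to Everyone (item 7)
# and preview the replacement. Covers the share ACL only, not NTFS permissions.
$AuthorizedGroup = 'EXAMPLE\ShareUsers'   # hypothetical group; replace with your own

$open = Get-SmbShare |
    Where-Object { -not $_.Special } |    # skip administrative shares such as C$ and IPC$
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }

$open | Select-Object Name, AccountName, AccessRight | Format-Table -AutoSize

foreach ($ace in $open) {
    if ($ace.AccessRight -eq 'Custom') {
        # Custom rights cannot be re-granted with Grant-SmbShareAccess; review by hand.
        Write-Warning "Share '$($ace.Name)' has a custom Everyone entry; review manually."
        continue
    }
    # Grant the same right to the authorized group first, then remove Everyone.
    # -WhatIf only prints what would change; remove it to apply.
    Grant-SmbShareAccess  -Name $ace.Name -AccountName $AuthorizedGroup `
                          -AccessRight $ace.AccessRight -WhatIf
    Revoke-SmbShareAccess -Name $ace.Name -AccountName 'Everyone' -WhatIf
}
```
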
8. Use a Secure Password

A good password is very important for a network, but it is also the easiest thing to neglect. This may already be explained in the previous section. Some company administrators use the company name, computer name, or other easily guessed things as user names when creating accounts, and then set the passwords of these accounts to something very simple, for example "welcome", "iloveyou", "letmein", or the same as the user name. Such accounts should require the user to change to a complex password at first logon, and passwords should also be changed frequently. When I discussed this issue with people on IRC a few days ago, we defined a good password as one that cannot be cracked during the security period. That is to say, if someone else gets your password file, it takes 43 days or longer to crack it, and your password policy is to change the password every 42 days.

9. Set screen saver password

This is easy and necessary. A screen saver password is also a barrier that prevents internal personnel from damaging the server. Do not use OpenGL or other complex screen savers, which waste system resources; a blank (black) screen is enough. It is also better to set screen saver passwords on the machines used by all system users.

10. Partition using NTFS format

Change all partitions on the server to the NTFS format. NTFS file systems are much safer than FAT and FAT32 file systems. Needless to say, everyone's servers should be on NTFS.

11. Run anti-virus software

I have never seen any anti-virus software installed on Win2000/NT servers. In fact, this is very important. Good anti-virus software can not only kill well-known viruses, but also remove a large number of Trojans and backdoor programs. In this way, the well-known Trojans used by hackers become useless. Do not forget to update the virus database frequently.

12. Ensure the security of the backup disk

Once the system data is damaged, the backup disk is the only way to restore the data. After the data is backed up, keep the backup disk in a safe place. Never keep the backup on the same server; in that case, you might as well not back up at all.
