Many people use Windows, and the security of Windows systems is getting more and more attention. Although Windows has many vulnerabilities and security risks, you can still have a relatively secure Windows system after proper settings and adjustments. This article describes how to adjust the security settings of Windows.
This article provides solutions to some common security problems. Most of the operations are for Windows 2000/XP and cannot be performed on Windows 98/ME.
The importance of installing patches for the system is self-evident, especially important security patches and patches for IE and OE vulnerabilities (even if you are not planning to use these programs). Microsoft often releases patches for known vulnerabilities, which can be installed through Windows Update. All you need to do is regularly visit the Windows Update website at http://windowsupdate.microsoft.com. Alternatively, you can click the Windows Update shortcut in the Start Menu. Windows XP and Windows 2000 with SP3 installed go further: they can automatically check for updates and download them in the background. After the download is complete, you are notified and asked whether you want to start the installation. For Windows 2000/XP users, Microsoft also provides a free and practical security-check tool, Microsoft Baseline Security Analyzer. This program automatically performs security checks on your system and provides a complete solution for any problems it finds. It is suitable for users with high security requirements. You can learn more about and download this tool here.
After you install all the patches, let's start adjusting the settings.
Rename and disable Default Accounts
After Windows is installed, the system automatically creates two accounts: Administrator and Guest. Administrator has the highest permissions; Guest has only basic permissions and is disabled by default. These default accounts bring you convenience while seriously endangering your system security. An intruder will easily know the name of your superuser account, and all that remains is to find the password. Therefore, the safe approach is to change the Administrator account name and then create a decoy Administrator account with almost no permissions. The specific method is:
Run "secpol.msc" and press Enter to open the "Local Security Settings" dialog box, then expand "Local Policies - Security Options" in turn. In the right pane there is an "Accounts: Rename administrator account" policy. After you double-click it, you can give the Administrator account a user name that does not attract attention. Then you can create another restricted user named "Administrator" to confuse the intruder.
Similarly, under "Local Policies - Security Options" in the local security settings there are many other settings. Configured properly, they make your system more secure. It is best to disable all the options listed below:
Interactive logon: Do not require CTRL+ALT+DEL.
Network access: Allow anonymous SID/Name translation.
Network access: Let Everyone permissions apply to anonymous users.
Recovery console: Allow automatic administrative logon.
It is recommended to enable the following options:
Devices: Restrict CD-ROM access to locally logged-on user only.
Devices: Restrict floppy access to locally logged-on user only.
Interactive logon: Do not display last user name.
Network access: Do not allow anonymous enumeration of SAM accounts.
Network access: Do not allow anonymous enumeration of SAM accounts and shares.
Network security: Do not store LAN Manager hash value on next password change.
System objects: Strengthen default permissions of internal system objects (for example, symbolic links).
Although an absolutely secure password does not exist, a relatively secure password is still achievable. Run secpol.msc to configure the local security settings and expand "Account Policies - Password Policy". With these settings you can create a complete password policy, so that your passwords are protected to the maximum extent.
Enforce password history. This setting determines how many previously used passwords are remembered for a user. Many people know that they need to change their passwords regularly, but they just rotate among a few passwords. With this policy configured, the system can tell whether a user's password has been used before. Used together with the "Maximum password age" policy, it helps ensure password security. By default, this policy does not remember any of the user's passwords. You can set the value yourself. We recommend remembering more than five passwords; up to 24 passwords can be remembered.
Maximum password age. This policy determines how long a password can be used before it expires and the user is required to change it. If it is set to 0, the password never expires. Generally, you can set it to 30 to 60 days. The specific expiration time depends on how strict the security requirements of your system are. The maximum number of days is 999.
Minimum password age. This policy determines how long a password must be used before it can be used again. In combination with "Enforce password history" mentioned above, the system can tell whether a new password has been used before. If so, you cannot continue using that password. If it is set to 0, a password can be reused without limit. The maximum value is 999.
Minimum password length. This policy determines the minimum length of a password. The valid value ranges from 0 to 14. If it is set to 0, no password is required. We recommend a password length of no less than 6 characters.
Password must meet complexity requirements. If this policy is enabled, the system checks whether a password is valid according to the following rules when the password is set or changed:
The password cannot contain all or part of the user name.
It must contain at least 6 characters.
In addition, the following rules must be followed for character usage. The password must be:
English letters, A-Z, case sensitive.
10 basic numbers, ranging from 0 to 9.
Cannot contain special characters, such as !, $, #, %, and so on.
If this policy is enabled, we believe your password will be safer.
Store passwords using reversible encryption for all users in the domain. Obviously, this policy should not be enabled.
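The security options and password policy described above can be checked offline from a policy export. The following Python code is an added example, not part of the original article: it parses the INF text written by `secedit /export /cfg` and reports each setting that differs from the article's recommendations. The sample export is constructed, the registry checks cover five of the options listed above, and treating a value that is absent from the export as a finding is an assumption of this example.

```python
# Advice from the article for [System Access] keys: key -> (check, advice).
SYSTEM_ACCESS = {
    "PasswordHistorySize": (lambda v: int(v) > 5, "more than 5 remembered"),
    "MaximumPasswordAge": (lambda v: 30 <= int(v) <= 60, "30 to 60 days"),
    "MinimumPasswordLength": (lambda v: int(v) >= 6, "at least 6"),
    "PasswordComplexity": (lambda v: v == "1", "enabled"),
    "ClearTextPassword": (lambda v: v == "0", "disabled"),
    "LSAAnonymousNameLookup": (lambda v: v == "0", "disabled"),
    "NewAdministratorName": (lambda v: v.strip('"').lower() != "administrator", "renamed"),
}
# Registry-backed security options: registry path suffix -> wanted data.
REGISTRY = {r"\Lsa\NoLMHash": "1", r"\Lsa\RestrictAnonymous": "1",
            r"\Lsa\RestrictAnonymousSAM": "1", r"\Lsa\EveryoneIncludesAnonymous": "0",
            r"\Policies\System\DisableCAD": "0"}

def parse_inf(text):
    """Parse a secedit INF export into {section: {key: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """List settings that are absent or differ from the article's advice."""
    inf, findings = parse_inf(text), []
    access = inf.get("System Access", {})
    for key, (ok, want) in SYSTEM_ACCESS.items():
        if key not in access or not ok(access[key]):
            findings.append(f"{key} = {access.get(key)} (advice: {want})")
    # Registry lines read path=type,data; type 4 is REG_DWORD, 1 is REG_SZ.
    reg = {k.lower(): v.split(",", 1)[-1].strip('"')
           for k, v in inf.get("Registry Values", {}).items()}
    for suffix, want in REGISTRY.items():
        data = next((d for k, d in reg.items() if k.endswith(suffix.lower())), None)
        if data != want:
            findings.append(f"{suffix} = {data} (advice: {want})")
    return findings
# Constructed sample of `secedit /export /cfg policy.inf` output (real files are UTF-16).
SAMPLE = r"""[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real machine, export the policy with `secedit /export /cfg policy.inf`, read the file as UTF-16 text and pass it to `audit`.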
Secure use of Internet Explorer
Internet Explorer is the most popular browser today. Because it has so many users, it also has the most discovered security issues, but that does not matter: after reading this section, you can make your IE more secure. Note that everything below is based on IE 6.0 + SP1. If you use a lower version, some details may be different.
Open Internet Explorer, click Tools - Internet Options, and then open the Security tab.
On the Security tab, select "Internet" to set security options for the Internet zone. Although there are default settings at different levels, it is better to adjust them based on your actual situation. Click "Custom Level" below. The window shown in Figure 3 is displayed, showing all the IE security settings.
Download signed ActiveX controls. A signature obtained from a third-party certification authority proves that the control is safe, and you can set this option to allow downloading, unless you do not want to install any ActiveX control, or you want to download files from some websites, such as Windows Update and Flash Player plug-ins.
Download unsigned ActiveX controls. Compared with signed ActiveX controls, unsigned controls may carry potential security risks. Therefore, you had better not set this option to enabled; set it to disabled, or set it to ask, so that you can decide whether to download and install unsigned controls based on the nature of the site being accessed.
Initialize and script ActiveX controls not marked as safe. Similar to the preceding setting: if you have set that one to disabled, this option can also be disabled; otherwise, you can set it to ask (recommended) or allow (not recommended) to prohibit the running of the signed controls.
Run ActiveX controls and plug-ins. If you have disabled the running of all ActiveX controls and plug-ins, this option can be safely set to Administrator approved. We do not recommend that you set it to allow.
Script ActiveX controls marked safe for scripting. This option can be set the same as above.
Active scripting. Scripts are very popular nowadays. Many practical web pages are built with scripts, such as the Windows Update web pages, which determine the patches you need to download. Therefore, if scripting is disabled, some web pages cannot be browsed normally. We recommend that you disable it. For the few important web pages that cannot be browsed normally, we will see the solution later.
This option allows you to copy files to your clipboard through scripts. It is best to disable this option for security considerations.
If the preceding settings affect a few websites that you must visit (such as the Windows Update website), and for security reasons you do not want to set the security level of the Internet zone too low, you can add the websites you trust to the Trusted sites zone. The method is:
On the Security tab of Internet Options, click "Trusted sites" and then click "Sites". The window shown in Figure 4 is displayed. In the new window, enter the address you want to add, such as https://windowsupdate.microsoft.com, and click Add on the right.
Now, open the Content tab in Internet Options and click "AutoComplete". There are some things to adjust here.
For each item listed, the AutoComplete function saves specific content. "Web addresses" saves what you have entered in the IE address bar. "Forms" saves the information you fill in on web pages, such as posts on forums (except the user name and password) and keywords used in search engines. "User names and passwords on forms" saves the user name and password you entered when you logged on to a forum or other web page. AutoComplete can save you a lot of time, but it also brings many security risks. Once someone uses your account to log in, the user names and passwords of your websites may be viewed by others. Therefore, make appropriate adjustments based on how your computer is used to decide which content may be saved automatically and which may not.
Now, go to the Advanced tab of Internet Options. Note the following points:
Use Passive FTP (for firewall and DSL modem compatibility). This setting makes IE use passive mode when browsing FTP servers. This mode is more secure, because the server side cannot obtain your IP address. If you cannot access some FTP servers normally, you can try enabling or disabling this setting.
Check for publisher's certificate revocation. If this option is selected, when you access websites that require authentication, IE first checks whether the certificate provided to the site is still valid. We recommend that you enable this setting.
Check for server certificate revocation. This option makes IE check whether the certificate of the site's server is still valid.
Check for signatures on downloaded programs. If this setting is enabled, after you download a program, IE automatically uses the signature to check whether the program has been illegally modified. Generally, this setting should be enabled.
If this option is enabled, encrypted pages (mainly URLs with HTTPS headers) are not saved to the Temporary Internet Files folder. This option is necessary if multiple people share the same computer. In this way, others will not be able to snoop through Temporary Internet Files on encrypted web pages that you have accessed (for example, credit card payment pages of some e-commerce websites).
The following three settings, Use SSL 2.0, Use SSL 3.0, and Use TLS 1.0, are related to protocol-based data encryption on the Internet. For example, some websites use SSL encryption for identity authentication and transmission of important data. Therefore, it is recommended that all three options be enabled. However, if an error occurs when you access some encrypted sites after enabling them, you can disable the two protocols other than SSL 2.0, because there may be conflicts between different versions. SSL 2.0 is the most widely used and is generally supported by encrypted sites.
Warn about invalid site certificates. After this setting is enabled, IE issues a warning when a site certificate is invalid. This is generally enabled.
Warn if changing between secure and not secure mode. When this setting is enabled, if you move from a secure web page (possibly encrypted by SSL) to an insecure web page, IE warns you, to avoid leaking private information without your knowledge.
Warn if forms submittal is being redirected. When this setting is enabled, if information you submit in forums or similar places is going to be sent to other servers, IE alerts you. This should also be enabled for security reasons.
Safe use of Outlook Express
Outlook Express is an e-mail program that comes with Windows. Through OE, you can not only send and receive emails but also browse newsgroups, which is very convenient. However, many people do not like this program and want to uninstall it from their systems, mainly because many people say that it is easy to catch viruses through OE. A kitchen knife can also hurt people, but every family has to have a kitchen knife. So, instead of considering how to uninstall OE, consider how to configure it to make it safer. This section focuses on OE 6 + SP1. If you use a lower version, some details may be different.
You can see the main settings of OE under Tools - Options.
Here we mainly focus on the Security tab.
Select the Internet Explorer security zone to use. This setting lets you decide which security zone (that is, one of the zones with different security levels set in Internet Options of Internet Explorer) is applied to emails, especially HTML emails. It is wise and safe to set it to the restricted zone. In this way, if an HTML email you receive contains harmful code, it will not harm your system. (Of course, the premise is that you have set a reasonable security level for the restricted zone in Internet Options of IE.)
Warn me when other applications try to send mail as me. This is also a very effective security policy. Many viruses spread by sending virus-carrying emails to the contact addresses in the OE address book. Enabling this setting effectively solves this problem. Once another program sends an email via OE, OE first asks whether you want to send the email. For suspicious emails, you only need to cancel sending.
Do not allow attachments that may contain viruses to be saved or opened. When this setting is enabled, attachments in certain formats cannot be saved or opened. If you receive an email with such an attachment, the options for saving and opening the attachment are unavailable, which further enhances security.
Finally, open the Read tab in the OE options and select "Read all messages in plain text". In this way, HTML emails received in the future are automatically converted to plain text, and you do not have to worry about viruses and malicious scripts embedded in an email being executed automatically when you preview or view it.
Reinforce your Internet connection
By default, in order to establish a network connection, Windows installs many protocols and runs many services. Some of these protocols and services are not necessary, such as NetBIOS and file and printer sharing. The equation "minimum service + minimum permission = maximum security" is always true. Therefore, it is necessary to disable unnecessary services and uninstall unnecessary protocols to enhance system security.
For Windows 9x/me Systems
1. Double-click the Network icon in the Control Panel.
2. Select the Microsoft network client and click Uninstall.
3. Disable file and printer sharing. If you do need to share files, you can set a password for them.
4. Select TCP/IP and click the Properties button to open the NetBIOS tab. Deselect "I want to use NetBIOS on TCP/IP". Select the DNS settings tab and disable DNS (if you do not need it). On the WINS settings tab, select disable WINS resolution.
5. Click OK and restart the computer.
For Windows 2000/XP systems
1. Open Network Connections in the Control Panel, right-click the Internet connection, and select Properties.
2. If you do not need to share files and printers, select and uninstall file and printer sharing for Windows networks (you may leave it installed, but at least do not use it).
3. Double-click Internet Protocol (TCP/IP) and then click the Advanced button.
4. Open the WINS tab, clear "Enable LMHOSTS lookup", and select "Disable NetBIOS over TCP/IP".
5. Enter services.msc in Run and press Enter.
6. Find the TCP/IP NetBIOS Helper Service, stop the service, and set the startup type to manual or disabled.
7. Restart the computer.
Disable default share
Windows 2000/XP creates default shares automatically. Although connecting to these shares requires the Administrator's user name and password, leaving them in place is always insecure, and they cannot be deleted in the conventional way. Let's modify the registry together.
Run regedit to open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. For Windows 2000 Professional and Windows XP, create a new DWORD value named "AutoShareWks" in the right pane and set it to "0". For Windows 2000 Server and Windows Server 2003, create a DWORD value named "AutoShareServer" and set it to "0". The setting takes effect after the computer is restarted.
Firewall and anti-virus software
No matter how you configure your system, a firewall is necessary as long as you connect to the Internet. The firewall can completely protect your system and block harmful things from the Internet. We recommend two types of firewalls. One is Symantec's Norton Internet Security. This software includes not only a network firewall but also Norton AntiVirus, a famous anti-virus program. Norton Internet Security is very powerful. It not only provides anti-virus and anti-hacker features, but also helps you filter the ads you see when browsing web pages, filter the emails you receive, and filter porn and other illegal content on the Internet. However, Norton Internet Security places high demands on the system, and older computers may run more slowly. In that case, you can try ZoneAlarm or the China-made Skynet. They have modest system requirements and powerful functions. In addition, both of them can be downloaded from the Internet for free.
Windows XP users can also use the built-in firewall. Although it does not have so many fancy features, it is still competent for basic protection. To enable it, open Control Panel - Network and Internet Connections, double-click Network Connections, and open the Properties dialog box of the connection. On the Advanced tab, select the option to use Internet Connection Firewall on your computer; then you can click Settings for further configuration.
In terms of anti-virus software, we recommend that you try Kaspersky Antivirus from Russia. Not many people in China know this software, but it is well received internationally. Fortunately, the software has already entered the Chinese market and has a Chinese version.
After the above settings, your system security should be improved a lot. However, no matter how well the system and software are protected, correct usage habits are the most important, so develop good habits from now on. Otherwise, no amount of protection is of any use.
Hope you can have a secure system!