Harden Windows systems with "Group Policy"

Source: Internet
Author: User

1. View local shared resources

Run cmd and enter net share. If you find an abnormal share, disable it. If a share you disabled reappears after the next startup, consider whether your machine has already been taken over by hackers or infected with a virus.

2. Delete a share (enter one command at a time):
net share admin$ /delete
net share c$ /delete
net share d$ /delete
(If there are e$, f$, ... you can continue to delete them in the same way.)

3. Block IPC$ null (anonymous) connections. Enter regedit in Run, find the RestrictAnonymous value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and change it from 0 to 1.

4. Disable port 139. The IPC$ and RPC weaknesses are exposed here. To disable port 139, open Network and Dial-up Connections, open the properties of Local Area Connection, select Internet Protocol (TCP/IP), click Advanced, and on the WINS tab select "Disable NetBIOS over TCP/IP". Once this is checked, port 139 is closed.

5. Prevent the RPC vulnerability. Open Administrative Tools, Services, find Remote Procedure Call (RPC) Locator, and on the Recovery tab set First failure, Second failure and Subsequent failures to "Take No Action". This vulnerability does not exist in XP SP2 and 2000 Pro SP4.

6. Close port 445. Modify the registry: under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters, add a new value named SMBDeviceEnabled of type REG_DWORD in the right-hand pane and set it to 0.
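The following script is an added example and is not part of the original article. It audits steps 1 to 6 above on the local machine from an elevated Windows PowerShell 3.0 (or later) prompt and, with the -Fix switch (this script's own convention, not a Windows option), applies the changes: it lists shares, removes the administrative disk shares, sets RestrictAnonymous, disables NetBIOS over TCP/IP on each adapter and writes SMBDeviceEnabled. The script name is assumed.

```powershell
# Added example (not from the original article): audit and optionally apply
# steps 1-6 above. Assumes Windows PowerShell 3.0+ in an elevated prompt;
# -Fix is this script's own convention. Run as: .\Audit-SmbExposure.ps1 [-Fix]
[CmdletBinding()]
param([switch]$Fix)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Step 1: list shares. The administrative shares (ADMIN$, C$, IPC$ ...)
# carry the 0x80000000 flag in Win32_Share.Type.
$shares = Get-CimInstance -ClassName Win32_Share
foreach ($s in $shares) {
    $isAdmin = ($s.Type -band 0x80000000) -ne 0
    $kind = if ($isAdmin) { 'administrative' } else { 'user-created' }
    Write-Output ("SHARE   {0,-12} {1,-30} {2}" -f $s.Name, $s.Path, $kind)
    # Step 2: remove administrative disk shares when -Fix is given. IPC$ is
    # left alone here; step 3 restricts anonymous use of it instead.
    if ($Fix -and $isAdmin -and $s.Name -ne 'IPC$') {
        $name = $s.Name
        & net share $name /delete | Out-Null
        Write-Output ("        removed {0}" -f $name)
    }
}

# Step 3: RestrictAnonymous must be 1 to refuse null-session enumeration
$ra = Get-RegDword $lsaKey 'RestrictAnonymous'
Write-Output ("LSA     RestrictAnonymous = {0} (expected 1)" -f $ra)
if ($Fix -and $ra -ne 1) {
    Set-ItemProperty -Path $lsaKey -Name RestrictAnonymous -Value 1 -Type DWord
}

# Step 4: NetBIOS over TCP/IP per adapter. TcpipNetbiosOptions:
# 0 = via DHCP, 1 = enabled, 2 = disabled. Only 2 closes port 139.
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    Write-Output ("NETBIOS {0,-40} option = {1} (expected 2)" -f $nic.Description, $nic.TcpipNetbiosOptions)
    if ($Fix -and $nic.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios is a method of Win32_NetworkAdapterConfiguration
        Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

# Step 6: SMBDeviceEnabled = 0 stops the NetBT driver from listening on 445.
# The value is absent on a default install, which behaves like 1 (enabled).
$smb = Get-RegDword $netbtKey 'SMBDeviceEnabled'
$smbShown = if ($null -eq $smb) { 'missing' } else { $smb }
Write-Output ("NETBT   SMBDeviceEnabled = {0} (expected 0)" -f $smbShown)
if ($Fix -and $smb -ne 0) {
    New-ItemProperty -Path $netbtKey -Name SMBDeviceEnabled -Value 0 -PropertyType DWord -Force | Out-Null
}
```

The registry and NetBIOS changes only take effect after a reboot, and a deleted administrative share is recreated by the Server service on the next start unless that service is also disabled (step 9), which is exactly why the article says a share that comes back should make you suspicious.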

7. Close port 3389. XP: right-click My Computer, select Properties -> Remote, and clear the check boxes for Remote Assistance and Remote Desktop. Windows 2000 Server: Start -> Programs -> Administrative Tools -> Services, find the Terminal Services item, open its Properties, change the Startup Type to Manual and stop the service. (This method also applies to XP.)
Note for 2000 Pro users: many articles on the Internet claim that you can disable 3389 in Win2000 Pro by going to Start -> Settings -> Control Panel -> Administrative Tools -> Services, opening the properties of Terminal Services, changing the Startup Type to Manual and stopping the service. In fact, the Terminal Services service does not exist in 2000 Pro.

8. Ports 4899 and 3389. There are many articles on the network about defending against intrusions through 4899 and 3389. 4899 is actually the server port opened by a remote control program. Such control programs are powerful, so hackers often use them to control their bots, and because this kind of software is generally not detected or removed by anti-virus products, it is more reliable for them than a conventional backdoor. Unlike 3389, 4899 is not a service the system provides: the hacker must install the program, upload its server component to the compromised computer and run it before it can be used for control. So as long as your computer has a basic security configuration in place, it is hard for hackers to control it through 4899.

9. Disable unneeded services. If the PC has no special purpose, then for security reasons open Control Panel, go to Administrative Tools, Services, and disable the following services:

1. Alerter [notifies selected users and computers of administrative alerts]

2. ClipBook [lets the Clipboard Viewer store information and share it with remote computers]

3. Distributed File System [combines distributed file shares into a single logical name and shares it out; after it is disabled, remote computers cannot access the shares]

4. Distributed Link Tracking Server [LAN distributed link tracking]

5. Indexing Service [indexes the contents and properties of files on the local or a remote computer, which can disclose information]

7. Messenger [alert messages]

8. NetMeeting Remote Desktop Sharing [collects client information left behind by NetMeeting]

9. Network DDE [provides Dynamic Data Exchange for programs running on the same computer or on different computers]

10. Network DDE DSDM [manages Dynamic Data Exchange (DDE) network shares]

11. Remote Desktop Help Session Manager [manages and controls Remote Assistance]

12. Remote Registry [allows users on remote computers to modify the local registry]

13. Routing and Remote Access [provides routing services on LANs and WANs; hackers use the routing service to snoop on registration information]

14. Server [supports file, print and named-pipe sharing over the network for this computer]

15. TCP/IP NetBIOS Helper [provides support for NetBIOS over TCP/IP and NetBIOS name resolution for clients on the network, so that users can share files, print and log on to the network]

16. Telnet [allows remote users to log on to this computer and run programs]

17. Terminal Services [allows users to connect interactively to a remote computer]

18. Windows Image Acquisition (WIA) [image service for applications and digital cameras]

If you find that the machine has started some strange service, such as r_server, stop it immediately; it is probably the server component of a remote control program planted by a hacker.
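The script below is an added example, not code from the original article. It maps the display names in the list above to the short service names Windows uses (those names are the standard ones on 2000/XP/2003; any that are not installed on a given version are reported and skipped), prints each service's state and startup type, disables them with the -Fix switch (the script's own convention), and finally flags running services that look out of place: anything named r_server, as mentioned above, or any service whose binary lives outside the Windows directory. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): disable the services in
# step 9 and flag unexpected ones. -Fix is this script's own convention.
# Run elevated: .\Disable-UnneededServices.ps1 [-Fix]
[CmdletBinding()]
param([switch]$Fix)

# Short service name -> display name from the list above
$unneeded = [ordered]@{
    'Alerter'        = 'Alerter'
    'ClipSrv'        = 'ClipBook'
    'Dfs'            = 'Distributed File System'
    'TrkSvr'         = 'Distributed Link Tracking Server'
    'CiSvc'          = 'Indexing Service'
    'Messenger'      = 'Messenger'
    'mnmsrvc'        = 'NetMeeting Remote Desktop Sharing'
    'NetDDE'         = 'Network DDE'
    'NetDDEdsdm'     = 'Network DDE DSDM'
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
    'RemoteRegistry' = 'Remote Registry'
    'RemoteAccess'   = 'Routing and Remote Access'
    'lanmanserver'   = 'Server'
    'LmHosts'        = 'TCP/IP NetBIOS Helper'
    'TlntSvr'        = 'Telnet'
    'TermService'    = 'Terminal Services'
    'stisvc'         = 'Windows Image Acquisition (WIA)'
}

function Get-ServiceInfo([string]$Name) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and the binary
    # path, which Get-Service does not on older PowerShell versions
    return Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'"
}

foreach ($name in $unneeded.Keys) {
    $svc = Get-ServiceInfo $name
    if ($null -eq $svc) {
        Write-Output ("{0,-16} not installed ({1})" -f $name, $unneeded[$name])
        continue
    }
    Write-Output ("{0,-16} state={1,-8} start={2,-9} {3}" -f $name, $svc.State, $svc.StartMode, $unneeded[$name])
    if ($Fix) {
        # Stop first, then disable so it does not come back after a reboot
        if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
        Set-Service -Name $name -StartupType Disabled
    }
}

# Unexpected services: r_server (named in the article) is flagged by name;
# a running service whose binary is outside the Windows directory is
# flagged for a manual look (legitimate third-party software also lands here).
$windir = $env:SystemRoot
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $path = [string]$_.PathName
    $outside = $path -and ($path.TrimStart('"') -notlike "$windir*")
    if ($_.Name -ieq 'r_server' -or $outside) {
        Write-Output ("CHECK   {0,-24} {1}" -f $_.Name, $path)
    }
}
```

Disabling the Server service (lanmanserver) also removes the administrative shares from steps 1 and 2 permanently; disabling TCP/IP NetBIOS Helper and Terminal Services completes steps 4 and 7 on machines where those services exist.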

10. Account and password security principles

First, disable the Guest account and rename the built-in Administrator account (the more unusual the new name, the better; a Chinese name is a good choice), then set a password, preferably a combination of 8 or more letters and digits (let the damned hackers guess it). If you use another account, it is best not to add it to the Administrators group. If it must be in the Administrators group, give it a sufficiently strong password as well, and it is best to set that password in Safe Mode, because my research has found that the account with the highest permissions in the system is not the Administrator account used for a normal logon: even with that account, someone can still boot into Safe Mode and delete the SAM file to change the system's administrator password!

This is not the case for the administrator password set in Safe Mode, because it is impossible to enter Safe Mode without knowing that administrator password, so that is where the highest permission really lies. Password policy: you can set the password according to your own habits. The following are my recommended settings (I have already covered password security above and will not repeat it here; see also: 369 passwords you should not use).

Open Administrative Tools, Local Security Settings, Password Policy:

1. Password must meet complexity requirements: Enabled

2. Minimum password length: I set it to 8.

3. Maximum password age: the default is 42 days.

4. Minimum password age: 0 days.

5. Enforce password history: 0 passwords remembered

6. Store passwords using reversible encryption: Disabled

11. Local Policy:

This is very important. It lets us see every action of anyone probing the machine and track down hackers afterwards.

(Although hackers usually clean up their traces on your computer before they leave, some are careless.) Open Administrative Tools,

find Local Security Settings, Local Policy, Audit Policy:

1. Audit policy change: Failure

2. Audit logon events: Success, Failure

3. Audit object access: Failure

4. Audit process tracking: No auditing

5. Audit directory service access: Failure

6. Audit privilege use: Failure

7. Audit system events: Failure

8. Audit account logon events: Failure

9. Audit account management: Failure

Then, in Administrative Tools, open

Event Viewer

Application: right-click -> Properties, set the maximum log size. I set 50 MB and select "Do not overwrite events".

Security: right-click -> Properties, set the maximum log size. I also set 50 MB and select "Do not overwrite events".

System: right-click -> Properties, set the maximum log size. I set 50 MB here too and select "Do not overwrite events".
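As an added example (not from the original article), the Event Viewer settings above can be applied and verified for all three classic logs with the Limit-EventLog and Get-EventLog cmdlets of Windows PowerShell, run from an elevated prompt; the script name is assumed.

```powershell
# Added example (not from the original article): set the three classic logs
# to 50 MB with "Do not overwrite events" and read the result back.
# Run elevated: .\Set-LogRetention.ps1
$logs = 'Application', 'Security', 'System'
$maxBytes = 50MB   # PowerShell understands the MB suffix

foreach ($log in $logs) {
    # DoNotOverwrite = "Do not overwrite events (clear log manually)".
    # The maximum size must be a multiple of 64 KB; 50 MB qualifies.
    Limit-EventLog -LogName $log -MaximumSize $maxBytes -OverflowAction DoNotOverwrite
}

# Read back and verify. MaximumKilobytes is reported in KB.
$expectedKb = $maxBytes / 1KB
Get-EventLog -List | Where-Object { $logs -contains $_.Log } | ForEach-Object {
    $ok = ($_.MaximumKilobytes -eq $expectedKb) -and ($_.OverflowAction -eq 'DoNotOverwrite')
    $mark = if ($ok) { 'OK' } else { 'MISMATCH' }
    Write-Output ("{0,-12} max={1,6} KB  overflow={2,-18} {3}" -f $_.Log, $_.MaximumKilobytes, $_.OverflowAction, $mark)
}
```

One caveat worth keeping in mind with "Do not overwrite events": once a log is full, new events are dropped until someone clears it by hand, so the 50 MB limit only helps if the logs are actually reviewed and archived regularly.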

12. Local Security Policy:

Open Administrative Tools,

find Local Security Settings, Local Policy, Security Options:

1. Interactive logon: Do not require CTRL+ALT+DEL: Enabled. [Set this as needed.]

2. Network access: Do not allow anonymous enumeration of SAM accounts: Enabled

3. Network access: Shares that can be accessed anonymously: delete all of the listed values.

4. Network access: Named pipes that can be accessed anonymously: delete all of the listed values.

5. Network access: Remotely accessible registry paths: delete all of the listed values.

6. Network access: Remotely accessible registry paths and sub-paths: delete all of the listed values.

7. Network access: Restrict anonymous access to named pipes and shares: Enabled

8. Accounts: (as described above)
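The script below is an added example and not part of the original article. It reads the registry values that sit behind items 2 to 7 of the Security Options above (plus "Do not display last user name", which section 16 recommends) and compares them with the article's settings; with the -Fix switch (this script's own convention) it writes the expected values. The registry paths are the standard locations for these policies. Item 1 is left out because the article says to set it as needed.

```powershell
# Added example (not from the original article): check the registry values
# behind the Security Options in section 12. -Fix is this script's own
# convention. Run elevated: .\Check-SecurityOptions.ps1 [-Fix]
[CmdletBinding()]
param([switch]$Fix)

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'
$logon  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One row per policy: key, value name, value kind and the expected value.
# An empty array means the REG_MULTI_SZ list should have all entries removed.
$checks = @(
    @{ Policy = '2. No anonymous enumeration of SAM accounts';     Key = $lsa;    Name = 'RestrictAnonymousSAM';    Kind = 'DWord';       Want = 1 }
    @{ Policy = '3. Shares accessible anonymously';                Key = $lanman; Name = 'NullSessionShares';       Kind = 'MultiString'; Want = @() }
    @{ Policy = '4. Named pipes accessible anonymously';           Key = $lanman; Name = 'NullSessionPipes';        Kind = 'MultiString'; Want = @() }
    @{ Policy = '5. Remotely accessible registry paths';           Key = "$winreg\AllowedExactPaths"; Name = 'Machine'; Kind = 'MultiString'; Want = @() }
    @{ Policy = '6. Remotely accessible paths and sub-paths';      Key = "$winreg\AllowedPaths";      Name = 'Machine'; Kind = 'MultiString'; Want = @() }
    @{ Policy = '7. Restrict anonymous access to pipes and shares'; Key = $lanman; Name = 'RestrictNullSessAccess';  Kind = 'DWord';       Want = 1 }
    @{ Policy = '16.2 Do not display last user name';              Key = $logon;  Name = 'DontDisplayLastUserName'; Kind = 'DWord';       Want = 1 }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $have = if ($null -eq $item) { $null } else { $item.($c.Name) }
    if ($c.Kind -eq 'MultiString') {
        $haveList = @($have | Where-Object { $_ })     # drop empty strings
        $ok = ($haveList.Count -eq 0)
        $shown = if ($haveList.Count) { $haveList -join ';' } else { '<empty>' }
    } else {
        $ok = ($have -eq $c.Want)
        $shown = if ($null -eq $have) { '<absent>' } else { $have }
    }
    $mark = if ($ok) { 'OK      ' } else { 'MISMATCH' }
    Write-Output ("{0} {1,-48} {2}" -f $mark, $c.Policy, $shown)
    if ($Fix -and -not $ok) {
        # Create the key if needed, then write the expected value with the right type
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        New-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Want -PropertyType $c.Kind -Force | Out-Null
    }
}
```

On Windows 2000 the SAM enumeration option does not exist as a separate value; there the single RestrictAnonymous value from step 3 set to 2 plays the same role. Emptying the remotely accessible registry paths also breaks remote event log viewing and similar management tools, which is the trade-off the article accepts for a machine with no special purpose.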

13. User rights assignment policy:

Open Administrative Tools,

find Local Security Settings, Local Policy, User Rights Assignment:

1. Access this computer from the network: by default there are 5 entries. Apart from Administrators, delete the other 4. Of course, you also have to create an account of your own.

2. Force shutdown from a remote system: delete the Administrators entry as well.

3. Deny access to this computer from the network: delete the listed IDs.

4. Access this computer from the network: Administrators can also be removed if you do not use services such as 3389.

5. Force shutdown from a remote system: delete.
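The script below is an added example and not code from the original article. It exports the local security policy with secedit.exe and compares three of the sections above against the article's recommendations in one pass: the password policy from section 10 ([System Access]), the audit policy from section 11 ([Event Audit]) and the user rights from section 13 ([Privilege Rights]). The INF section and value names are the standard ones secedit writes; the expected values and the check that only Administrators (S-1-5-32-544) keep "Access this computer from the network" follow the article. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): compare the local policy
# export with the article's settings for sections 10, 11 and 13.
# Run elevated: .\Compare-LocalPolicy.ps1
$inf = Join-Path $env:TEMP 'local-policy-export.inf'
& secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed (run elevated)" }

function ConvertFrom-Inf([string]$Path) {
    # Parse the INF into @{ Section = @{ Key = Value } }. secedit writes
    # UTF-16LE, which -Encoding Unicode reads correctly.
    $result = @{}; $section = $null
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    return $result
}

$policy = ConvertFrom-Inf $inf
Remove-Item $inf -ErrorAction SilentlyContinue

# Section 10: password policy. ClearTextPassword = 0 means reversible
# encryption is disabled.
$expectedAccess = @{
    PasswordComplexity    = '1'
    MinimumPasswordLength = '8'
    MaximumPasswordAge    = '42'
    MinimumPasswordAge    = '0'
    PasswordHistorySize   = '0'
    ClearTextPassword     = '0'
}
# Section 11: audit policy. secedit encodes 0 = none, 1 = success,
# 2 = failure, 3 = success and failure.
$expectedAudit = @{
    AuditPolicyChange    = '2'
    AuditLogonEvents     = '3'
    AuditObjectAccess    = '2'
    AuditProcessTracking = '0'
    AuditDSAccess        = '2'
    AuditPrivilegeUse    = '2'
    AuditSystemEvents    = '2'
    AuditAccountLogon    = '2'
    AuditAccountManage   = '2'
}

function Compare-Section([string]$Section, [hashtable]$Expected) {
    $actual = $policy[$Section]
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $have = if ($actual -and $actual.ContainsKey($key)) { $actual[$key] } else { '<absent>' }
        $mark = if ($have -eq $Expected[$key]) { 'OK      ' } else { 'MISMATCH' }
        Write-Output ("{0} [{1}] {2,-22} have {3,-8} want {4}" -f $mark, $Section, $key, $have, $Expected[$key])
    }
}
Compare-Section 'System Access' $expectedAccess
Compare-Section 'Event Audit'   $expectedAudit

# Section 13: user rights. Entries are comma-separated SIDs prefixed with
# '*' (or plain names). Network logon should hold only Administrators
# (S-1-5-32-544); remote shutdown should be empty.
$rights = $policy['Privilege Rights']
function Get-RightMembers([string]$Right) {
    if (-not $rights -or -not $rights.ContainsKey($Right)) { return @() }
    return @($rights[$Right] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}
$network = Get-RightMembers 'SeNetworkLogonRight'
$extra = @($network | Where-Object { $_ -ne 'S-1-5-32-544' })
$mark = if ($extra.Count -eq 0) { 'OK      ' } else { 'MISMATCH' }
Write-Output ("{0} SeNetworkLogonRight: {1}" -f $mark, ($network -join ', '))
$remoteShutdown = Get-RightMembers 'SeRemoteShutdownPrivilege'
$mark = if ($remoteShutdown.Count -eq 0) { 'OK      ' } else { 'MISMATCH' }
Write-Output ("{0} SeRemoteShutdownPrivilege: {1}" -f $mark, ($remoteShutdown -join ', '))
```

Because the export is the same file format secedit imports, a corrected copy can be applied back with secedit /configure once the mismatches have been reviewed; the comparison is deliberately read-only so that a typo in the expected table cannot lock anyone out.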

14. Terminal service configuration

Open Administrative Tools,

Terminal Services Configuration:

1. Once enabled, open Connections, right-click the connection, choose Properties, Remote Control, and select "Do not allow remote control".

2. General: set the encryption level to High and tick "Use standard Windows authentication".

3. Network Adapter: set the maximum number of connections to 0.

4. Advanced: delete the permissions there. [I have not set the permissions.]

Then click Server Settings: set Active Desktop to Disable and set "Restrict each user to one session" to Yes.
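As an added example (not from the original article), the settings that section 14 makes through the Terminal Services Configuration tool can be read back from the registry and compared with the article's values, together with the "deny connections" flag behind step 7 and a live check of whether anything is listening on 3389. RDP-Tcp is the default connection name; the value names are the standard ones behind that tool, and the script name is assumed. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): check the RDP-Tcp listener
# settings from section 14 and whether port 3389 is listening.
# Run elevated: .\Check-TerminalServices.ps1
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

if (-not (Test-Path $rdpKey)) {
    Write-Output "RDP-Tcp listener not present (Terminal Services not installed)"
    return
}
$rdp = Get-ItemProperty -Path $rdpKey
$ts  = Get-ItemProperty -Path $tsKey

# Remote Control tab:   Shadow 0 = do not allow remote control
# General tab:          MinEncryptionLevel 3 = High (1 Low, 2 Client compatible, 4 FIPS)
# Network Adapter tab:  MaxInstanceCount 0 = no connections (0xFFFFFFFF = unlimited)
# Server Settings:      fSingleSessionPerUser 1 = restrict each user to one session
# Step 7:               fDenyTSConnections 1 = Remote Desktop disabled
$rows = @(
    @{ Setting = 'Remote control (Shadow)';                      Have = $rdp.Shadow;               Want = 0 }
    @{ Setting = 'Encryption level (MinEncryptionLevel)';        Have = $rdp.MinEncryptionLevel;   Want = 3 }
    @{ Setting = 'Max connections (MaxInstanceCount)';           Have = $rdp.MaxInstanceCount;     Want = 0 }
    @{ Setting = 'One session per user (fSingleSessionPerUser)'; Have = $ts.fSingleSessionPerUser; Want = 1 }
    @{ Setting = 'Connections denied (fDenyTSConnections)';      Have = $ts.fDenyTSConnections;    Want = 1 }
)
foreach ($r in $rows) {
    $have = if ($null -eq $r.Have) { '<absent>' } else { $r.Have }
    $mark = if ($r.Have -eq $r.Want) { 'OK      ' } else { 'MISMATCH' }
    Write-Output ("{0} {1,-46} have {2,-10} want {3}" -f $mark, $r.Setting, $have, $r.Want)
}

# Is anything actually listening on 3389 right now? netstat -an exists on
# every Windows version the article covers.
$listening = & netstat -an | Select-String ':3389\s+.*LISTENING'
Write-Output ("Port 3389 listening: {0}" -f $(if ($listening) { 'yes' } else { 'no' }))
```

Values that are absent simply mean the tool's default applies (for example fSingleSessionPerUser does not exist on XP), so an "<absent>" row is a prompt to look at the tool rather than a sign of tampering; the netstat line is the check that matters, because it reflects what is reachable regardless of which setting produced it.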

15. User and group policies

Open Administrative Tools,

Computer Management, Local Users and Groups, Users:

delete the SUPPORT_388945a0 user and similar accounts.

Keep only the Administrator account whose name you have changed.

Computer Management, Local Users and Groups, Groups.

16. Self-built security options (local DIY policies)

1) Automatically log off users when logon time expires (local), to stop hackers from working through passwords at leisure.

2) Do not display the last user name on the logon screen (remote). If the 3389 service is enabled, the user name you logged on with is not left behind, so an intruder has to guess your user name as well.

3) Additional restrictions for anonymous connections.

4) Do not require CTRL+ALT+DEL (unnecessary).

5) Allow shutdown before logon [prevents remote shutdown/startup and forced shutdown/startup].

6) Restrict CD-ROM access to the locally logged-on user only.

7) Restrict floppy drive access to the locally logged-on user only.

8) Prompt for the reason when a shutdown is cancelled.

A. Open the Control Panel window and double-click the Power Options icon; in the Power Options Properties window that opens, go to the Advanced tab;
