Keep your Windows 2000 safe.

Source: Internet
Author: User
Windows 2000 has so many users that it sits at the top of the list of systems that come under attack, but that is not to say Windows 2000 is insecure: as long as it is reasonably configured and well managed, it is fairly safe. I have been using Windows 2000 for quite some time and have gradually worked out some ways of maintaining its security. What follows is my personal view; please correct me where it falls short.

Install securely to minimize worries

The security of a Windows 2000 system should be built in from the moment it is installed, but this is often overlooked. The following are some things to be aware of when installing Windows 2000:

1. Do not install from the network

Although Microsoft supports installing over the network, doing so is absolutely unsafe. Do not connect to any network, especially the Internet, until the system is fully installed; do not even connect all of the hardware for the installation. During Windows 2000 setup, after you enter the Administrator password the system creates the "ADMIN$" share but does not protect it with the password you just entered, and this continues until the computer is restarted. During this time anyone can enter the system through "ADMIN$". In addition, as soon as installation completes the various services start automatically, while the server is still full of vulnerabilities and very easy to break into from outside.

2. Choose NTFS for the partitions

It is best for all partitions to be NTFS, because NTFS partitions are more secure. Even if other partitions use another format (such as FAT32), at least the partition where the system resides should be NTFS.

In addition, applications should not be placed on the same partition as the system, lest an attacker exploit an application vulnerability (such as the Microsoft IIS vulnerabilities, which you will surely have heard of) to leak system files, or even to obtain administrator privileges remotely.

3. Choice of system version

We generally like to use software with a Chinese interface, but because of geography and market factors Microsoft's products appear first in English, and only later in other languages for other countries. In other words, the core language of Windows is English, so the original English version should have far fewer vulnerabilities than the localized versions. This is in fact the case: the uproar over the Chinese input method vulnerability in Windows 2000 made it obvious to everyone.

The secure installation steps above only reduce your worries. Do not think that doing these things settles the matter once and for all; a lot of work still awaits, so please read on:

Manage the system properly to make it more secure

When a system is insecure, do not always blame the software itself; think more about human factors. The following are some things to be aware of in day-to-day management, from an administrator's point of view:

1. Follow the latest vulnerabilities, patch promptly and install a firewall

The administrator's responsibility is to maintain the security of the system: keep up with the latest vulnerability information and apply the corresponding patches promptly, which is the simplest and most effective way to maintain system security. I recommend a good foreign security site: http://www.eeye.com. Installing the latest version of a firewall is also necessary and will help. But remember that someone can always outsmart your defenses: there is no absolute security, a patch is always released after the vulnerability it fixes, and trusting system patches and a firewall completely is not workable.

2. Prohibit null connections and keep intruders outside the door

Hackers often attack through shares. This is not really a vulnerability in sharing itself; the blame lies with administrator accounts and passwords that are too simple. If leaving it enabled makes you uneasy, it is better to disable it.

This is done mainly by modifying the registry. The key and value are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

3. Disable the administrative shares

In addition to the above, disable these as well.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
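
The two registry values from points 2 and 3 can be verified offline against a text export of the registry. The following is an added example, not part of the original article: it assumes an ANSI (REGEDIT4-style) export file, and the sample export is constructed.

```python
import re

# Values from points 2 and 3 of the article: (key path, value name, DWORD).
# The check is an exact match against the values the article gives.
REQUIRED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "RestrictAnonymous", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", 0),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, val = KEY_RE.match(line), DWORD_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
        elif val and current is not None:
            current[val.group(1).lower()] = int(val.group(2), 16)
    return keys


def audit(text):
    """Return (value name, found, required) for every setting that fails."""
    keys = parse_reg_export(text)
    failures = []
    for path, name, required in REQUIRED:
        # Registry names are case-insensitive; None means the value is not set.
        found = keys.get(path.lower(), {}).get(name.lower())
        if found != required:
            failures.append((name, found, required))
    return failures


# Constructed sample: RestrictAnonymous left at 0, AutoShareServer never set.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A missing value is reported as a failure because the setting only takes effect once the value exists with the required data.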

4. Design passwords cleverly and guard carefully against intrusion

Looking at points 2 and 3 above, experienced readers will naturally think of this one. Yes, it is a cliché, but many servers have been compromised because the admin password was too simple.

For password settings, I suggest: ① a length of more than 8 characters is advisable; ② use a complex combination of uppercase and lowercase letters, numbers and special symbols, such as g1$2ale^, and avoid "pure word" or "word plus number" passwords such as Gale or gale123.

Special note: the sa password in MSSQL 7.0 must not be empty. By default the "sa" password is empty and its permissions are "admin"; think about the consequences.

5. Limit the number of users in the Administrators group

Strictly restrict membership of the Administrators group, and always ensure that only one administrator (i.e. yourself) is a member of the group. Check the group's members at least once a day and delete any extra users you find! There is no doubt that a new user must be a back door left by an intruder. Also pay attention to the Guest user: smart intruders do not add unfamiliar user names, which would make it easy for the administrator to discover them. They usually activate the Guest user, change its password, and then put it in the Administrators group. But what business does Guest have in the Administrators group? Put a stop to it.

6. Stop unnecessary services

Too many services is not a good thing; turn off every service that is not necessary. In particular, why leave running a service that even the administrator cannot identify? Turn it off, lest it bring disaster to the system.

In addition, if the administrator does not travel and does not need to manage the computer remotely, it is best to turn off all remote network logon features. Note that the Task Scheduler and RunAs Service services should be disabled unless specifically required.

Stopping a service is simple: after running Cmd.exe, just type net stop servicename.

7. Administrators too: do not use the company's servers for private purposes

Besides acting as a server, Windows server can also be used as a personal computer for surfing the web, sending and receiving e-mail, and so on. As an administrator, you should use the server's browser to browse web pages as little as possible, to avoid Trojan infection through browser vulnerabilities and exposure of the company's private information. Microsoft IE has many vulnerabilities; surely everyone knows that? Likewise, use Outlook and similar tools to send and receive e-mail on the server as little as possible, to avoid catching viruses and causing losses to the enterprise.

8. Pay attention to local security

Preventing remote intrusion is important, but the system's local security should not be overlooked: the intruder is not necessarily far away and may be right beside you.

(1) Apply the latest patches promptly to close the input method vulnerability; this goes without saying. The input method vulnerability does not only allow local intrusion: if Terminal Services is enabled, the system's door is wide open, and any machine with the terminal client installed can easily break in.

(2) Do not display the last logged-on user

If your machine is shared by many people (in fact, a real server should not be), it is very important not to display the last logged-on user, so that others cannot guess the password. To set this: go to [Start]→[Programs]→[Administrative Tools]→[Local Security Policy], open the Security Options under Local Policies, double-click "Do not display the last logged-on user name on the login screen" on the right side, select "Enabled", and then click [OK]. The next time you log on, the last logged-on user name will not be displayed in the User name box.

The above is just my personal opinion; I hope it helps you.
