Windows 2000 systems are so much more user-led to the top of the system, but that's not to say that Windows 2000 is not as safe as it is reasonably configured and well-managed. I use Windows 2000 time is not short, for the maintenance of its security, but also gradually feel a little road, the following is a little personal insights, deficiencies, but also please correct me.
Safety installation to minimize worries
The security of the Windows 2000 system should be built up from the time it was installed, but this is often overlooked. The following are some of the things you need to be aware of when you install Windows 2000:
1, do not choose to install from the network
While Microsoft supports online installation, it is absolutely unsafe. Do not connect to the network until the system is fully installed, especially internet! Do not even connect all the hardware to install. Since Windows 2000 is installed, the system creates a "$ADMIN" shared account after entering the user administrator's password, but does not protect it with the password you just entered, which continues until the computer starts again. During this time, anyone can enter the system through the "$ADMIN", while the installation is complete and the various services will run automatically, while the server is also full of vulnerabilities and is very vulnerable to intrusion from the outside.
2, to select the NTFS format to partition
It is best that all partitions are in NTFS format because the NTFS-formatted partitions are more secure. Even if other partitions are in other formats (such as FAT32), they should be in NTFS format at least in the partition where the system resides.
In addition, the application should not be placed in the same partition as the system, lest the attacker exploit the application's vulnerabilities (such as Microsoft's IIS vulnerabilities, which you will not be unaware of) causing system files to leak, or even remotely obtaining administrator privileges from intruders.
3, the system version of the choice
We generally like to use the Chinese interface software, but for Microsoft's things, due to geographical location and market factors, are the first English version, then the other languages in other countries version. In other words, the kernel language of Windows is English, so that its kernel version should be a lot less than its compiled version of the vulnerability, the fact is so, Windows 2000 of the Chinese input method of the leak uproar we are all for the obvious.
The above mentioned security installation can only reduce worries, do not think that only do these can be once and for all, there are a lot of work waiting for you to do, please continue to look down:
Management system makes it more secure
The system is not safe, do not always complain about the software itself, think more about man-made factors! The following are some of the things you need to be aware of in the management process from an administrator's point of view:
1, focus on the latest vulnerabilities, timely patching and installation of firewalls
The responsibility of the Administrator is to maintain the security of the system, absorb the latest vulnerability information, timely play the appropriate patch, install the latest version of the firewall is also necessary, can help you. But remember: "while, outsmart", there is no absolute security, patches are always with the release after the leak, fully believe that the system patch and firewall is not feasible!
2, prohibit the establishment of the air connection, refused to be outside the door
Hackers often use sharing to attack, in fact, is not its loophole, only blame the administrator's account and password is too simple, keep not at ease, or forbid to drop good!
This is done primarily by modifying the registry, with primary keys and key values as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
RestrictAnonymous = dword:00000001
3, prohibit the management of sharing
In addition to the above, there is this! Forbid it together!
[Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters]
AutoShareServer = dword:00000000
4, Smart design password, careful to prevent intrusion
Oh, look at the top 2nd and 3rd, experienced friends will often think of this point. Yes, it's a cliché, and many servers have been compromised because the admin password is too simple.
For the password settings, I suggest: ① length of more than 8-bit is advisable. ② uppercase and lowercase letters, numbers, special symbols of the complex combination, such as: g1$2ale^, to avoid "pure words" or "word plus number" type of password, such as: Gale, gale123 and so on.
Special Note: The sa password in MSSQL 7.0 must not be empty! By default, the "SA" password is empty, and its permissions are "admin", think about the consequences.
5, limit the number of users of the Administrators group
Strictly restrict the users of the Administrators group, always ensure that only one administrator (i.e. yourself) is the user of the group. Check the group's users at least once a day, and find out how many additional users are deleted! There is no doubt that the new user must be the intruder left the back door! Also pay attention to the guest users, smart intruders will not add unfamiliar user names, so easy to be found whereabouts of the administrator, they usually activate the guest user, and then change its password, and then put to the Administrators group, but the guest ran to the Administrators group why? Stop it!
6. Stop unnecessary service
Too much service is not a good thing, will not have to turn off all the necessary services! In particular, even the administrator do not know what is the service, but also open to do! Turn it off! Lest it bring disaster to the system.
In addition, if the administrator does not go out, do not need to remotely manage your computer, it is best to turn off all the remote network login function.
The way to close a service is simple, after running Cmd.exe, direct net stop servername.
7, the administrator of the same, do not use the company's server for private purposes
In addition to being able to act as a server, Windows server can also be a personal user's computer, surfing the web, sending and receiving e-mail, and so on. As an administrator, should try to use the server's browser to browse the Web page, to avoid the browser due to the vulnerability of Trojan infection and the company's secret information exposure. Microsoft IE loopholes a lot, I believe that people do not know it? In addition, less on the server to use Outlook and other tools to send and receive e-mail, to avoid catching viruses, to bring losses to enterprises.
8. Pay attention to local security
To prevent remote intrusion is important, but the system's local security can not be ignored, the intruder is not necessarily in the distance, there may be around!
(1) Timely hit the latest version of the patch to prevent the input method loopholes, this is needless to say. Input method Vulnerability is not only caused by local intrusion, if the Terminal Services, the system will open the door, a terminal client machine can easily break in!
(2) Do not display the last logged-on user
If your machine is to be shared by many people (in fact, a real server should not be such), it is forbidden to display the last logged-on user is very important, lest others guessed the password. Set the method at (Start)→(program)→(Admin tool)→(Local Security policy), open the "Security options" for "Local Policy", double-click "Do not display the last Logged-on user name on the login screen" on the right side, select "Enabled", and then click (OK), The next time you log on, you will not display the last Logged-on user name on the User name box.
Friendship tip: In fact, not so complicated, as long as we carefully on the line!
1. Set a strong and powerful password
2. Use a firewall to disable 139,445,135, 44, and other ports that are easily exploited to attack.
3. Uninstall potentially exploited services such as IIS on your computer, serv U, MySQL, Microsoft SQL Server, and so on, if not necessary.
4. Carefully set the TCP/IP properties in the system and IIS, MySQL, Microsoft SQL Server, pop services.
5. Use routing dialing to connect to the network, and set the DMZ to an empty zone.
6.Windows update is updated automatically.
7. Reliable virus killing support.