PhpWind: seven server security tips

Is there any important data on your server that cannot be made public at will? Of course? Recently, servers have suffered a particularly high risk. more and more viruses, malicious hackers, and commercial espionage all target servers. Obviously

Is there any important data on your server that cannot be made public at will? Of course? Recently, servers have suffered a particularly high risk. more and more viruses, malicious hackers, and commercial espionage all target servers. Obviously, server security issues cannot be ignored for a moment.

Tip 1: start with basics

Starting from the basics is the safest way. You must convert the region containing confidential data on the server to the NTFS format. Likewise, anti-virus programs must be updated on time. We recommend that you install anti-virus software on both servers and desktops. These software should also be set to automatically download the latest virus definition files every day. In addition, anti-virus software should be installed on the Exchange Server, which can scan all emails sent to find infected attachments. if a virus is detected, emails are immediately isolated to reduce the chance of being infected.

Another good way to protect the network is to limit the user's permission to log on to the network based on the employee's working hours. For example, employees in the previous day class should not have the permission to log on to the network in the middle of the night.

Finally, you must use a password to access any data on the network. The password must contain uppercase and lowercase letters, numbers, and special characters. This tool is available in Windows NT Server Resource Kit. You should also set a regular password update with a length of no less than eight characters. If you have done these steps but are still worried about insecure passwords, you can try downloading some hacker tools from the internet and then test how secure these passwords are.

Tip 2: protect backups

Most people do not realize that backup itself is a huge security vulnerability? Imagine that most of the backup work starts at or, depending on the amount of data, it is about midnight after the backup is completed. Now, imagine that the backup work is finished at AM. Someone who is interested can steal the backup disk and restore it on the server in your home or in your competitor's office. However, you can prevent such a thing from happening. First, you can use a password to protect your disk. if your backup program supports encryption, you can also encrypt the data. Second, you can set the backup time to your office time. in this way, even if someone wants to steal the disk in the middle of the night, it will be impossible because the disk is in use; if a thief forcibly removes the disk, he cannot read the damaged data.

Tip 3: Use the RAS callback function

One of the coolest features of Windows NT is to support remote server access (RAS). Unfortunately, the RAS server is too convenient for hackers. they only need a phone number and patience, then you can access the host through RAS. However, you can take some measures to protect the security of the RAS server.

The technology you use is mainly used by remote accessors. If remote users often access the Internet from home or from a fixed place, it is recommended that you use the callback function, which allows remote users to log on and then end up. then, the RAS server will dial out a preset phone number to connect to the user, because the phone number is already in the program, the hacker has no chance to specify the server callback number.

Another approach is to limit that remote users can only access a single server. You can copy data frequently used by users to a special sharing point on the RAS server, and then restrict remote user logon to a single server instead of the entire network. In this way, even if hackers intrude into the host, they can only blame on a single machine and indirectly reduce the damage.

Another technique is to use the "alternative" network protocol on the RAS server. Most of them use the TCP/IP protocol as the RAS protocol. It is reasonable to use the nature and degree of acceptance of TCP/IP protocol, but RAS also supports IPX/SPX and NetBEUI. if you use NetBEUI as the RAS protocol, hackers will be confused if they do not check iron for a moment.

Tip 4: consider Workstation Security issues

I mentioned in my article on server security that Workstation Security does not seem to be a side. However, workstation is the door to the server. enhancing Workstation Security can improve the overall network security. For beginners, we recommend that you use Windows 2000 on all workstations. Windows 2000 is a very secure operating system. if you do not have Windows 2000, you should at least use Windows NT. In this way, you can lock the workstation. if you do not have the permission, it is difficult for the average person to obtain the network configuration information.

Another technique is to restrict users from logging on to a specific workstation only. Another trick is to use a workstation as a simple terminal (dumb terminal) or a smart simple terminal. In other words, no data or software is stored on the workstation. when you use your computer as dumb terminal, the server must execute the Windows NT terminal service program, in addition, all applications only operate on the server, and the workstation can only passively receive and display data. This means that only the least installed Windows version and Microsoft Terminal Server Client are installed on the workstation. This method should be the most secure network design solution.

Tip 5: execute the latest patch

Microsoft has a team of internal personnel who specifically inspect and fix security vulnerabilities. These patches are sometimes released by integrated service packs. A service package usually has two different versions: a 40-bit version that anyone can use, and a 128-bit version that can only be released in the United States and Canada. The 128-bit version uses the 128-bit encryption algorithm, which is much safer than the 40-bit version.

A service package is sometimes released only after several months, but if a serious vulnerability is found, you certainly want to fix it immediately and don't want to wait for a long time. Fortunately, you don't have to wait. Microsoft will release important patches on its FTP site on a regular basis. these latest patches are not included in the latest version of the service package, I recommend that you check the latest patches frequently. remember that the patches must be used in chronological order. if you are confused, the version of some files may be incorrect, it may also cause a Windows host.

Tip 6: issuing strict security policies

Another way to improve security is to develop strong security policies to ensure everyone understands and enforce them. If you are using Windows 2000 Server, you can grant some permissions to a specific agent without having to hand over all the network management rights. Even if you approve some permissions of an agent, you can still set the permissions of the agent, for example, you cannot open a new user account or change the permissions.

Tip 7: firewall, check, and then check

The last tip is to carefully check the firewall settings. Firewall is an important part of network planning, because it can protect the company's computers from malicious attacks.

First, do not publish unnecessary IP addresses. You must have at least one external IP address. If you still have a DNS registered Web server or email server, these IP addresses must be published through the firewall. However, the IP addresses of workstations and other servers must be hidden.

You can also view all the communication ports and make sure that all ports that are not commonly used are closed. For example, TCP/IP port 80 is used for HTTP traffic, so it cannot be blocked. maybe port 81 should never be used, so it should be switched off.