1. install security policies
(1) do not select to install from the network
Although Microsoft supports online installation, it is absolutely insecure. Do not connect to the network, especially the Internet, before the system is fully installed. Do not even connect all hardware to install it. During Windows XP installation, after entering the user administrator account "Administrator" password, the system will create a "admin" shared account, but it does not use the password you just entered to protect it, this situation continues until the computer starts again. During this period, anyone can access the system through "admin". After the installation is complete, various services will run automatically immediately, and the servers are vulnerable to external intrusion.
(2) Select NTFS format for partitioning
It is best that all partitions are in the NTFS format, because the partitions in the NTFS format are more secure. Even if other partitions use other formats (such as FAT32), at least the partition where the system is located should be in NTFS format. In addition, the applicationProgramDo not place it in the same partition as the system, so that attackers may exploit application vulnerabilities (such as Microsoft's IIS vulnerabilities) to cause system file leakage and even allow intruders to remotely obtain administrator privileges.
(3) System Version Selection
Version Selection: Windows XP has versions in various languages. For us, you can select the English or Simplified Chinese version. I strongly recommend that: when the language is not a barrier, please use the English version. You know, Microsoft products are known for bugs and patches. The Chinese version has more bugs than the English version, the patch is usually at least half a month late (that is to say, after Microsoft publishes the vulnerability, your host will be unprotected for half a month ).
(4) component Customization
Windows XP installs some common components by default, but it is very dangerous to install them by default. You should know exactly what services you need, in addition, only install the services you actually need. According to the security principle, the minimum service + minimum permission = maximum security.
(5) Partition and Logical Disk allocation
We recommend that you create more than two partitions, one system partition, and more than one application partition, and separate the system partition from the application partition to protect the application. In general, viruses or hackers exploit vulnerabilities to attack the application, the system partition is damaged without damaging the application partition.
2. Account Security Policy
(1) user security settings
Check the user account to stop unwanted accounts. We recommend that you change the default account name.
1) disable the Guest account. For the sake of insurance, it is best to add a complicated password to guest.
2) restrict unnecessary users to remove all Duplicate User Users, test users, and shared users. The User Group Policy sets the corresponding permissions and regularly checks the users of the system to delete users that are no longer in use.
3) create two administrator accounts to create a general permission user for receiving emails and processing some daily things. The other user with administrator permissions can only use it as needed.
4) Rename the system administrator account Windows XP's administrator user cannot be deactivated, which means that others can try the user's password over and over again. Try to disguise it as a common user, for example, change it to guesycludx.
5) create a trap user to create a local user named "Administrator", set its permissions to the lowest level, and do nothing, add a super complex password with more than 10 digits.
6) change the Shared File Permission from the Everyone group to an authorized user. Do not set the user of the shared file to the "everyone" group, including printing and sharing, the default attribute is the "everyone" group.
7) do not allow the system to display the user name that was last logged on. Open the Registry Editor and find the registry key hklmsoftwaremicrosoftwindowstcurrentversionwinlogondont-displaylastusername. Change the key value to 1.
8). SYSTEM account/share list default installation of Windows XP allows any user to obtain all accounts/share lists of the system through empty users. This is intended to facilitate LAN users to share files, however, a remote user can also obtain your user list and use the brute force to crack the user password. You can disable null connection 139 by changing the Registry LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ LSA-restrictanonymous = 1, you can also set the restrictanonymous option in the Windows XP Local Security Policy (if the Domain Server is in the Domain Server Security and domain security policy ), this option has three values:
0: None. Rely on default permissions (none, depending on the default permission)
The value 0 is the default value and has no restrictions. remote users can know all the accounts, group information, shared directories, and network transmission lists on your machine, this setting is very dangerous for servers.
1: do not allow enumeration of SAM accounts and shares (enumeration of SAM accounts and sharing is not allowed)
1. This value only allows non-null users to access Sam account information and share information.
2: No access without explicit anonymous permissions (access is not allowed without explicit anonymous permissions)
2. This value is supported in Win2000. If you do not want to share any data, set it to 2. We recommend that you set this parameter to 1.
(2) password security settings
1) Pay attention to the complexity of passwords when using secure passwords. Remember to change passwords frequently.
2) When enabling the password policy, pay attention to the application of the password policy. For example, to enable the Password Complexity Requirements, set the minimum password length to 8 bits, set the force password history to 5 times, and the time is 42 days.
3. Application Security Policy
(1) install anti-virus software
Anti-virus software can not only kill some famous viruses, but also kill a large number of Trojans and Backdoor programs. Therefore, pay attention to running programs frequently and upgrading the virus database.
(2) install the Firewall
Listen for external attacks on the local machine and notify users to take preventive measures as soon as possible.
(3) install System Patches
Download the latest patches from the Microsoft Website: frequent access to Microsoft and some security sites, download the latest service pack and vulnerability patches, is the only way to ensure the long-term security of servers.
(4) enable power protection
When using a computer to process files, the most worrying thing is that the computer suddenly loses power, because this sudden power loss will not only render the result of hard work, but also damage the computer. To prevent unexpected power loss in various circumstances and ensure computer security and normal operation, we should enable the function of asking or directly sleeping when the power button is pressed in power management.
To enable power protection, click Start, control panel, performance and maintenance, and power options on the Windows XP desktop ", select the "advanced" tab in the pop-up setting box, and find the "when the computer power button is pressed" setting item on the corresponding tab page, then select "Sleep" or "Ask me what to do" in the setting box. If you select the "shutdown" option, the power protection function is not enabled.
(5) use screen saver
When we see the word "Screen Saver", we will naturally think of screen saver in the computer. It mainly aims to achieve screen protection by displaying the specified image in turn in different ways. However, the system only starts the screen saver after the preset time is reached without the computer. What should I do if I want to start the screen saver at any specified time?
Follow these steps: In the Start Menu of Windows XP, click Start/search/file or folder ", in the displayed Search dialog box, click "all files and folders" and enter "*. "SCR" character, then in the search range drop-down list, select "Local disk (C :)" or the drive that stores system files on the computer, and then click "Search.
Then, in the list of Screen Saver programs found, select the desired screensaver program and create a shortcut for the screensaver program to be stored on the desktop. When you want to start the Screen Saver program in the future, double-click the screen saver shortcut on the desktop with the mouse. If necessary, you can also add a password to the screen saver. In this way, you need to re-enter the user name and password when restoring the screen saver, it can protect computer resources more securely.
(6) Stop unnecessary services
Too many services are not a good thing. Please turn off unnecessary services! The more service components are installed, the more service functions you can enjoy. However, the service components that users usually use are limited after all, and those rarely used components occupy a lot of system resources, which may cause system instability, it also provides multiple ways for hackers to remotely intrude into the system.
To this end, we should try to block the service components that are not needed for the moment. The specific operation method is as follows: first, find "Management Tools"/"services" in the control panel, then open the "service" dialog box, and select the program to be blocked in the dialog box, right-click, select "properties"/"stop" from the shortcut menu, and set "Start type" to "Manual" or "disabled ", in this way, you can block the specified service component.
4. Network Security Policy
(1) disable unnecessary ports
Disabling ports means reducing the number of features. You need to make a decision on security and functionality. If the server is installed behind the firewall, there will be fewer risks. But never think you can rest assured. Use a port scanner to scan the opened ports of the system to determine which services open to the system may cause hacker intrusion. The \ system32 \ drivers \ etc \ Services file in the system directory contains a list of well-known ports and services for your reference. The specific method is: Enable "network neighbor/attribute/Local Connection/attribute/Internet Protocol (TCP/IP) /properties/advanced/options/TCP/IP filtering/properties open "TCP/IP filtering" and add the required TCP and UDP protocols.
(2) Set security record Access Permissions
The security record is unprotected by default and is set to accessible only by administrators and system accounts.
(3) Use an email system in Web format
Do not use client email systems such as outlook and Fox mail to receive emails. Some emails are very harmful now. Once implanted in the local computer, it may cause system paralysis. At the same time, do not view attachments in emails from strangers. These attachments often carry viruses and Trojans.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
