First, Patch Management
Run cmd, enter systeminfo to view current patch information
Second, account management
Account settings, local settings, security settings---Gpedit.msc->windows settings
Password Policy:
1 , password must meet complexity requirements (enabled) 2, password length minimum (8)3, password maximum age (90 days)4, password minimum age (1 days)5 , Enforce password history (6), store passwords with reversible encryption (disabled)
Account Lockout policy:
1 , Reset account lockout counter (after 15 minutes) 2 , Account lockout time (15 minutes) 3, Account lockout threshold (3 invalid login)
Third, Audit policy
Local policies, local settings, security settings---Gpedit.msc->windows settings
1 , Audit policy changes (successes and failures) 2 , Audit logon events (successes and failures) 3 , Audit object access (failed) 4 , audit process tracking (optional) 5 , Audit directory service access (undefined) 6 , Audit privilege use (failed) 7 , Audit system events (successes and failures) 8 , Audit account logon events (successes and failures) 9. Audit account Management (success and failure)
Iv. Non-essential services
Services that are started and need to be stopped include:
alerter– prohibit clipbook– prohibit computer browser– prohibit Internet Connection sharing– prohibit messenger– prohibit remote Registry service– prohibit Rou Ting and Remote access– prohibit server– simple Mail trasfer Protocol (SMTP)-Disable simple Network Management Protocol (SNMP) Serv ice– prohibit simple Network Management Protocol (SNMP) trap– prohibit telnet– prohibit world Wide Web publishing service– prohibit IPSec Policy Ag ent– prohibit Microsoft search– prohibit print spooler– disable runas service– prohibit security Accounts manager– prohibit task scheduler– prohibit
V. Modify part of the command permissions
Xcopy.exe wscript.exe cscript.exe net.exe arp.exe edlin.exe ping.exe route.exe posix.exe Rsh.exe Atsvc.exe Copy.exe cacls.exe ipconfig.exe rcp.exe cmd.exe Debug.exe regedt32.exe regedit.exe Edit.com Telnet.exeFinger.exeNslookup.exeRexec.exe ftp.exe at.exerunonce.exe nbtstat.exe Tracert.exenetstat.exe
Vi. Audit of logs
Local policies, System tools, Computer Management, management tools, control Panel
16382K covers a time earlier than 30 days
Seven, the registration form security
To disallow anonymous user connections:
Hklm\system\currentcontrolset\control\lsa
The "RestrictAnonymous" value is 1
to delete a host default share :
Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters
Modify or increase the key value AutoShareServer REG_DWORD 0
"Emergency response" Windows security deployment