Security policies for small and medium-sized NT networks

Source: Internet
Author: User
Tags: call back, password protection, strong password

Principles for developing security policies

Network security refers to the sum of preventive measures taken to protect a network from the various dangers inside and outside it. A network security policy is the selection, during network management, of security measures that fit the actual situation of the network (the value of the protected information, the danger of being attacked, and the amount of money that can be invested). A network security policy can be described as a balance between cost and efficiency under given conditions. Although the specific application environment differs from network to network, some general principles should be followed when formulating security policies.

1. Adaptability principle: security policies are security measures taken under certain conditions, so they must be matched to the actual application environment of the network. A security policy implemented in one situation may not be suitable in another environment. For example, a campus network environment must allow anonymous logon, while a general enterprise network security policy does not allow anonymous logon.

2. Dynamic principle: security policies are security measures taken for a certain period of time. Users are constantly increasing, the network scale is constantly expanding, and network technology itself is changing rapidly. Security measures are preventive and continuous, so they must constantly adapt to network development and environmental changes.

3. Simplicity principle: the more network users and network administrators there are, the more complex the network topology is, the more types of network devices and software are used, and the more services and bundled protocols the network provides, the more likely a security vulnerability is to occur and the more difficult it is to identify the cause of a problem and who is responsible. A secure network is a relatively simple network. For example, the Internet can be called the most insecure network.

4. Systemic principle: network security management is a systematic task and all aspects of the network must be taken into account. That is to say, when formulating security policies, all kinds of users, devices, and situations on the network should be fully considered, and appropriate policies should be taken in a planned and prepared manner. Any omission may reduce the overall network security.

The following security policies are written for small and medium-sized campus networks based on NT.

Security Policy during Network Planning

It is best to consider network security in the network planning stage, and some security policies should be implemented during network planning.

1. Clarify cybersecurity responsibilities and implementers of security policies. People are the subjects for formulating and implementing network security policies. For small networks, network administrators can be responsible for network security.

2. Set physical security measures (fire prevention and theft prevention) and environmental security measures (power supply and temperature) for all servers and network devices on the network. For a small LAN, it is best to place the public servers and primary switches on the network in a centralized IDC.

3. Network planning should consider fault tolerance and backup. Security policies cannot guarantee absolute network security or prevent hardware faults. The network should tolerate some faults and recover quickly from disasters. The primary network backup system should be located in the central data center.

4. If your network has a fixed connection (static IP address) with the Internet, it is best to install a firewall between the network and the Internet as long as the funds permit.

5. Use a proxy server to access the Internet. This not only reduces access costs, but also hides the network size and features and enhances network security.

Security policies of network administrators

For small networks, network administrators generally assume the role of security administrators. The most important security policy adopted by the network administrator is to ensure the security of the server and assign permissions to various users.

1. The network administrator must understand the important public data (restricted write) and confidential data (restricted read) in the network: where it is, who uses it, who it belongs to, and what losses would result if it were lost or leaked. This important data is concentrated on the servers in the central data center and managed by dedicated personnel with security experience.

2. Conduct regular security training for all types of users.

3. Install only NT on the server. Do not install Windows 9x or DOS. Make sure that the server can only be started from NT.

4. All volumes on the server use NTFS.

5. Use the latest service pack to upgrade your NT.

6. Set the BIOS of the server so that it cannot be started from removable storage devices (floppy drive, optical drive, Zip, and SCSI devices). Make sure that the server is started from NT, under the management of the NT security mechanism.

7. Use the BIOS to disable the drive and set a BIOS password. This prevents unauthorized users from using the console to obtain sensitive data and prevents viruses from spreading from the drive to the server.

8. Cancel unnecessary services and protocol types on the server. The more services and protocols on the network, the worse the security.

9. Set the DontDisplayLastUserName string under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the server registry to 1 to hide the user name of the last user who logged on at the console.

10. Do not set Windows NT to automatic logon on the server. Use the NT Security dialog box (CTRL + ALT + DEL) to log on.

11. If the server side of client/server software runs in user mode (that is, you need to log on at the server), use AutoExNT from the NT Resource Kit to run it automatically at startup.

12. Store system files and user data files on different volumes. This makes daily security management and data backup more convenient.

13. Rename the default "Administrator" account and give it a "strong password" (more than 10 characters, and it must contain numbers and symbols). It is best to also create another account with administrator privileges and a strong password; this makes it difficult for network administrator accounts to be cracked.

14. The Administrator account is only used for network management. Do not use the Administrator account on any client. Users who belong to the Administrator group and backup group should be especially careful.

15. Remember that passwords are stored in the SAM file in the \winnt\system32\config directory, and that there is a backup of the SAM in the \winnt\repair directory. Audit write and change access to the SAM files.

16. Users are encouraged to save data to the server. DOS and Windows 9x clients do not have the security provided by NT. Therefore, sharing files on the local hard disk is not recommended.

17. Restrict the number of users who can log on to servers with sensitive data. In this way, you can narrow the scope of suspicion when a problem occurs.

18. Use the "System Policy Editor" of Windows 9x to create a policy file, store it on the server, and use it to control the registry of Windows 9x clients. In the computer policy, we recommend enabling "Require validation by network for Windows access", "Log on to Windows NT", and "Disable caching of domain password". This way Windows 9x users must first log on to the network, which prevents users from "dropping" out of the Windows 9x logon and reducing client security.

19. The "System Policy Editor" can further control the behaviors of general users or groups on Windows 9x clients.

20. Generally, users are not allowed to have read/execute permissions on the server. NT itself does not support limits on user disk space, which makes this particularly important to campus network security.

21. Restrict the permissions of the Guest account. It is best not to allow the use of the Guest account at all. Do not add any permissions to the Everyone group, because Guest also belongs to this group.

22. Generally, user permissions are not directly granted to users, but are granted through user groups.

23. When a new user is added, assign a password and enable the "User must change password at next logon" option. It is best to require passwords of no fewer than 6 characters to prevent security vulnerabilities.

24. At a minimum, audit "Logon and Logoff", "Restart, Shutdown, and System", and "Security Policy Changes" activity, but do not forget that excessive auditing will affect system performance.
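Items 9 and 10 above can be checked offline against a registry export. The following is an added example, not code from the original article: it parses a REGEDIT4 text export and reports Winlogon settings that conflict with those two items. The sample export is constructed, and the function names are hypothetical. AutoAdminLogon and DefaultPassword are the Winlogon values behind automatic logon; the article does not name them.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (REGEDIT4 text format), not taken from a real server.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultPassword"="constructed-example"
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key paths and value names are case-insensitive in the registry.
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def audit_winlogon(text):
    """Return a list of findings for items 9 and 10 of the administrator policy."""
    values = parse_reg(text).get(WINLOGON.lower(), {})
    findings = []
    if values.get("dontdisplaylastusername") != "1":
        findings.append("DontDisplayLastUserName is not 1: last logon name is shown")
    if values.get("autoadminlogon") == "1":
        findings.append("AutoAdminLogon is 1: server logs on automatically")
    if "defaultpassword" in values:
        findings.append("DefaultPassword is present: logon password stored in registry")
    return findings

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_EXPORT):
        print(finding)
```
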

Policies for networks that provide Internet access services

25. Do not connect the file server directly to the Internet; set up a dedicated proxy server instead. Clients are not allowed to connect to the Internet through a modem, which would create a connection inside the firewall.

26. Use the "TCP/IP security" dialog box to disable the TCP/UDP ports that machines on the Internet do not need and to filter requests sent to the server. In particular, restrict TCP/UDP ports 137, 138, and 139.

27. Consider placing external web servers outside the firewall, so that external access is isolated from the internal network and internal sensitive data is protected.

28. The non-TCP/IP protocol can be used to connect servers and clients that only provide internal access, thus isolating Internet access.

29. Use port scanning tools to regularly scan all servers and clients in the network from outside the firewall.
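Deciding which ports to permit in item 26 starts with knowing what a server actually has bound. The following is an added example, not code from the original article: it reads `netstat -an` output captured on a server and reports bound NetBIOS ports (137, 138, 139) and any other listener that is not on the permitted list. The listing is constructed, and the use of netstat and the function names are assumptions.

```python
NETBIOS_PORTS = {137, 138, 139}

# Constructed `netstat -an` listing; addresses come from documentation ranges.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1045      ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
"""

def listeners(netstat_text):
    """Return (proto, address, port) for listening TCP and bound UDP sockets."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # headers and blank lines
        if parts[0] == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established or closing connections are not listeners
        addr, _, port = parts[1].rpartition(":")
        if port.isdigit():
            found.append((parts[0], addr, int(port)))
    return found

def review(netstat_text, allowed):
    """allowed: set of (proto, port) pairs the server is meant to offer."""
    report = {"netbios": [], "unexpected": []}
    for proto, addr, port in listeners(netstat_text):
        if addr.startswith("127."):
            continue  # loopback only, not reachable from the network
        if port in NETBIOS_PORTS:
            report["netbios"].append((proto, addr, port))
        elif (proto, port) not in allowed:
            report["unexpected"].append((proto, addr, port))
    return report

if __name__ == "__main__":
    print(review(SAMPLE_NETSTAT, {("TCP", 80)}))
```
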

The following policies are applicable to the provision of remote access services.

30. Remote access requests must not be answered by any machine other than the NT RAS server. It is best to set up a dedicated remote access server and place it in the central data center.

31. For occasional remote access, manual control can be used to start and stop the RAS service.

32. For users at fixed locations, it is best to use callback for remote connections.

33. Use the IP address allocation of the RAS server to restrict the IP addresses of remote users, and then use the firewall to control and isolate remote access clients.

34. Use encrypted authentication (e.g., MS-CHAP) for remote access passwords to ensure that user passwords are transmitted securely over remote lines.

Security policies of network users

Network security is not only a matter for network administrators. Every user on the network has a responsibility. Network users should understand the following security policies:

1. Use a long and difficult-to-guess password. Do not tell anyone your password.

2. Know where your private data is stored and how to back it up and restore it.

3. Regularly take part in network and network security training, learn about network security, and develop the working habit of paying attention to security.

4. Try not to share files on the local hard disk, because this will affect the security of your machine. It is best to store shared files on the server, which is safe and convenient for others to use files at any time.

5. Set the BIOS of the client so that it does not allow starting from the floppy drive.

6. Use the System Policy Editor or Registry Editor to enable "Do not display the last logon user name" and "Disable password caching" on Windows 9x workstations. This prevents others from obtaining passwords from the cache and from using the name of the last user who logged on.

7. Set a screen saver that shows a display (not a blank screen, to prevent the machine from being shut down by mistake) and is password protected.

8. When you leave the machine for a long time, you must log off the network.

9. Install virus scanning software that runs at startup. Although the vast majority of viruses do not pose a threat to the NT server, they will spread quickly among clients through the NT network.

Security policies that Internet users need to understand

Because the Internet is outside the network, accessing the Internet may expose machines to an insecure environment. The following security policies must be adopted in addition to the preceding ones:

10. Make sure your machine does not have the "file and printer sharing" service installed. Hackers on the Internet have the opportunity to obtain shared files through this service, which may pose a threat to local data and network security.

11. Do not connect directly to the Internet through a modem.

12. Do not download and install unauthenticated software and plug-ins.

13. ActiveX controls, Java applets, and scripts on Web pages may leak your secrets; prohibit them from running in the browser.

14. If an email is not encrypted, its content may be leaked. The sender of an email you receive cannot be fully confirmed. For especially confidential and legally valid documents, encrypt them and use digital authentication to confirm the sender.

In addition to the security policies for the above two types of users, remote access users on the network must follow these security policies:

15. Users should use different user accounts and passwords for LAN logon and remote logon. With some remote logon methods (such as telnet), the account and password are not encrypted and may be intercepted.

16. Do not use any remote access software that has not been confirmed by the network security administrator.

17. It is best to inform the network security administrator of the dial-in time, connection time, and phone number.

18. Do not dial in remotely to other machines that have not been confirmed by the network security administrator, especially when the machine is connected to the Internet.

The above policies can be summarized as follows: first, protect your server; second, protect your password. The choice of security policies depends entirely on the value of the protected information, the possibility and danger of attacks, and the amount of money that can be invested. A proper solution is developed by balancing these factors; there is no omnipotent method.
