Server Security Settings [common knowledge about network security]

1. Patch
Microsoft's style is three days and one day, and there are too many vulnerabilities. Just make up a little. Use "start-Windows Update" and install all the patches.

2. delete default share
2.1 Delete IPC $ share
The default installation of Win2k is easy for attackers to obtain the account list, even if the latest service Ack is installed. There is a default shared IPC $ in Win2k, and there are also ADMIN $ C $ d $ and so on, while IPC $ allows anonymous users (I .e. Unlogged users) to access, you can use this default share to obtain the user list. How can we prevent such problems, in "Administrative Tools \ Local Security Policies \ Security Settings \ Local Policies \ Security Options", "additional restrictions on anonymous connections" can be changed to "do not allow enumeration of SAM accounts and sharing". Most of these connections can be prevented, but they are not complete. If you use nethacker, you only need to use an existing account to obtain all the account names. Therefore, we need another method to back up,
(1): create a file startup. CMD with the following command line "net share IPC $ Delete" (excluding quotation marks)
(2) Add one or more startup. CMD tasks to Windows scheduled tasks. The scheduled time is "run at computer startup ". You can also put this file in "start-Program-start" to delete IPC $ sharing as soon as it is started.
(3) restart the server.
2.2 Delete ADMIN $ share
Modify the registry:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ Parameters
Add the autoscaling wks sub-Key (REG_DWORD) with a key value of 0.
2.3 clear default disk sharing (C $, d $, etc)
Modify the registry:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ Parameters
Add the AutoShareServer sub-Key (REG_DWORD) with a key value of 0.

3. Modify the Default User Name
"Rename the Guest account" in "Administrative Tools \ Local Security Policies \ Security Settings \ Local Policies \ Security Options" is to change "guest" to ABC or another name, the following machine login name is also set to "ABC" or another name, and then changed "rename the system administrator account". Once I was bored, I scanned my IP address segment with the light of Xiao Rong and found that the Administrator name of n Internet cafe servers is the default administrator and a simple password. If someone wants to build a meat machine, it's really easy.