Server Security Maintenance Common sense

Skill One: start from the Basics

I know it sounds like crap, but when we talk about the security of a Web server, the best advice I can give you is not to be a layman. When hackers start attacking your network, they first check for common security vulnerabilities before considering a more difficult way to break through the security system. So, let's say, when the data on your server is on a FAT disk partition, even installing all the security software in the world won't help you much.

For this reason, you need to start from the basics. You need to convert all disk partitions that contain sensitive data on the server to NTFS format. Again, you need to update all anti-virus software in a timely manner. I recommend that you run anti-virus software on both the server and the desktop terminal. The software should also be configured to automatically download the latest virus database files on a daily basis. You should also know that you can install anti-virus software for Exchange server. The software scans all incoming e-mails for infected attachments and automatically isolates the infected message before it reaches the user when it discovers a virus.

Another good way to protect your network is to limit the time that users have to access the network based on the time they spend in the company. A temporary employee who usually works during the day should not be allowed to visit the Internet at Three o ' morning, unless the employee's supervisor tells you that it is a special project.

Finally, remember that users need a password to access anything on the entire network. You must be forced to use high intensity passwords consisting of uppercase and lowercase letters, numbers, and special characters. There is a good tool for this task in the Windows NT Server resource bundle. You should also frequently expire and update some expired passwords and require the user's password to be no less than eight characters. If you have done all this work but still worry about the security of the password, try downloading some hacker tools from the Internet and find out how secure those passwords are.

　　Tip Two: Protect your backup

Every good network administrator knows to back up the network server every day and keep tape records away from the field for protection against accidental disasters. However, the security issue is much more than just backup. Most people don't realize that your backup is actually a huge security breach. Getting Started with computers to master web

To understand why, imagine that most backup work starts at about 10:00 or 11:00 of the night. The entire backup process usually ends in the middle of the night, depending on how much data you have to back up. Now, imagine that the time has come to four o'clock in the morning and your backup work is over. But nothing can stop someone from stealing data from your tape record and restoring them to a server in their own home or in your competitor's office.

However, you can prevent this from happening. First, you can protect your tapes with a password and if your backup program supports encryption, you can also encrypt the data. Second, you can schedule your backup program to finish working in the morning. In this way, even if someone wants to sneak in and steal the tapes the night before, they will be unable to succeed because the tape is being used. The data on the tape would be worthless if the burglar still took the tape and took it away.

　　Trick Three: Use callback for RAS

One of the coolest features of Windows NT is the support for remote access to the server (RAS). Unfortunately, a RAS server is an open door to a hacker attempting to enter your system. All the hackers need is a phone number, and sometimes a little patience, and then you can get into a mainframe via RAS. But you can take some steps to keep the RAS server secure.

The technology you are going to use will depend to a large extent on how your remote users use RAS. If a remote user is often calling a host from home or a similar, less volatile place, I recommend that you use the callback feature, which allows remote users to log on and then disconnect. The RAS server then dials a predefined phone number to reconnect the user. Because the number is pre-set, the hacker will have no chance to set the server callback number.

Another option is to qualify all remote users to access a single server. You can place the data that the user normally accesses on a special share point in the RAS server. You can then limit the access of remote users to one server, not the entire network. In this way, even if hackers access the mainframe by means of sabotage, they will be quarantined on a single machine, where the damage is minimized.

Finally, there is a trick to use the unexpected protocol on your RAS server. Every person I know uses the TCP/IP protocol as the RAS protocol. Given the nature of the TCP/IP protocol itself and its typical use, this looks like a reasonable choice. However, RAS also supports the ipx/spx and NetBEUI protocols. If you use NetBEUI as your RAS protocol, you can really confuse some unsuspecting hackers.

　Tip Four: Consider the safety of workstations

It seems strange to talk about the safety of workstations in an article about server security. However, workstations are just one port to the server. Strengthening the security of workstations can improve the security of the entire network. For starters, I recommend that you use Windows 2000 on all workstations. Windows 2000 is a very secure operating system. If you do not want to do so, use Windows NT at least. You can lock the workstation, making it difficult or impossible for someone with no security access to get network configuration information.

Another technique is to control which workstation the person has access to. For example, there is an employee named Bob, and you already know that he is a trouble maker. Obviously, you don't want Bob to be able to open his friend's computer at lunch or to drop his own laptop and hack the whole system. Therefore, you should use the Workgroup user management program and also modify Bob's account so that he can only log on from his own computer (and within the time you specify). Bob is far less likely to attack the Internet from his own computer because he knows someone can track him down.

Tip Five: Give workstations and servers a reasonable division of labor

Another technique is to limit the workstation's functionality to a dumb terminal, or, I don't have a better word to describe, a smart dumb terminal. In general, it means that no data and applications reside on separate workstations. When you use a computer as a dumb terminal, the server is configured to run Windows NT Terminal Services, and all applications are physically running on the server. Everything sent to the workstation is just an updated screen display. This means that there is only one version of Windows that is minimized on the workstation and a client of Microsoft Terminal Services programs. 　　Using this approach may be the safest network design scenario. Using a smart dumb terminal means that programs and data reside on the server but run on workstations. All installed on the workstation is a copy of Windows and an icon that points to applications that reside on the server. When you click on an icon to run the program, the program will use local resources to run, rather than consume the server's resources. This is much less stressful than running a completely dumb terminal program on the server.

Microsoft employs a team of programmers to check security vulnerabilities and fix them. Sometimes, these patches are bundled into a large package and released as a service pack. There are usually two different patch versions: a 40-bit version that anyone can use and a 128-bit version that can only be used in the United States and Canada. The 128-bit version uses a 128-bit encryption algorithm, which is much more secure than the 40-bit version. If you are still using 40-bit service packs and live in the United States or Canada, I strongly recommend that you download the 128-bit version.

Sometimes the release of a service pack may have to wait a few months. Obviously, when a big security leak is discovered, you don't want to wait any longer if it is possible to fix it. Fortunately you don't have to wait. Microsoft regularly publishes important patches on its FTP site. These hot fixes are security patches that have been published since the last service pack was released. I suggest you always check hot patches. Remember that you must use these patches in a logical order. If you use them in the wrong order, the results may cause some file versions to be wrong, and windows may stop working.

　　Tip Six: Use a strong security policy

The other thing you can do to improve security is to make a good, strong security policy. Make sure everyone knows it and know it is enforced. Such a policy needs to include severe penalties for an employee who downloads unauthorized software on a company's machine.

If you use Windows Server, you may be able to specify a user's special permissions to use your server without having to hand over administrator control. A good use is to authorize the Human resources department to delete and disable an account. This allows the human resources department to delete or disable his user account before an outgoing employee knows that he or she will be dismissed. In this way, disgruntled employees will not have the opportunity to disrupt the company's system. At the same time, with special user privileges, you can grant this permission to delete and disable account permissions and restrict the creation of users or change permissions for such activities.

Try a free Techproguild! If you find this article useful, take a look at TechRepublic's Techproguild registration resource, which provides in-depth technical articles covering some it topics, including Windows Server and client platforms, Linux, troubleshooting issues, And the difficulty of the digital Network project, as well as NetWare. With a Techproguild account, you can also read the full text of the popular IT industry Books Online. Click here to register for a 30-day free techproguild probation.

　Tip Seven: Check firewall settings

Our final tip includes checking your firewall settings carefully. Your firewall is an important part of the network because it isolates your company's computers from those that might be damaging them on the Internet.

The first thing you need to do is make sure that the firewall is not open to the outside world beyond the necessary IP address. You always have to have at least one IP address visible to the outside world. This IP address is used to carry out all the Internet traffic. If you also have a DNS-registered Web server or e-mail server, their IP addresses may also be visible through firewalls to the outside world. However, the IP addresses of workstations and other servers must be hidden.

You can also check the port list to verify that you have closed all port addresses that you do not use frequently. For example, TCP/IP port 80 is used for HTTP communication, so you may not want to block this port. However, you may never use port 81 so it should be turned off. You can find a list of uses for each port on the Internet.