For a network engineer, ensuring the security and normal operation of enterprise servers is the primary issue in network management. So how can we effectively protect servers? Based on my work experience over the past decade, I have established a protection system built on the following seven points.
Entry Point 1: Establish a strong network security system
Rather than isolating an enterprise's servers and "protecting" them one by one, the server, as the core component of the network, should be planned and arranged together with the devices around it, in order to solve security problems comprehensively and better ensure server security.
Therefore, we must establish an overall, comprehensive, and powerful computer network security system. Only by developing and implementing a unified security system for the entire network can we effectively protect the servers and other components involved in the network. At the same time, every employee in the company should be aware of this security system and be aware that it is enforced.
A complete security system consists of two parts: security management and security technology. Security management regulates and limits computer network behavior from the management point of view, through written rules and regulations such as the operating specifications for network devices. Security technology, as its name suggests, works from the technical point of view: it uses software (such as anti-virus software and firewall software), hardware (such as a hardware firewall), and various techniques and methods to manage the entire computer network.
For the server specifically, on the one hand it is necessary to strictly regulate operations on the server and prohibit all behavior that may harm the server and its data, especially "write" and "delete" operations; strengthen management of the central data center and prohibit anyone other than network management personnel from operating the server at will. On the other hand, use existing security technologies as much as possible to ensure server security. For example, you can use the "User Permissions" function provided by Windows 2000/2003 Server to grant each staff member specific server access permissions based on their business role. This avoids the security risks caused by using one unified set of server access permissions.
Entry Point 2: Establish the necessary protection basics
Vulnerabilities cause security problems. Every attack on the network begins with a security vulnerability. Therefore, to ensure the security of servers, you must establish the necessary protection basis and use existing security technologies (such as the system file format and the operating system) wherever possible when building the servers, and by extension the entire computer network. This ensures the security of the server at a fundamental level.
For example, for illegal intruders (all unauthorized visitors, including hackers), disk data stored in the FAT format is easier to access and damage than data in the NTFS format. It is therefore unsafe for a server to use the FAT format for its disk partitions. Start from the basics and try to convert all the disk partitions on the server to the NTFS format, especially the partitions that hold sensitive data.
For an enterprise, purchasing genuine network monitoring software to continuously monitor the entire network is not a problem; in particular, real-time monitoring reports on "illegal intrusion" and "server operations" can promptly notify network maintenance personnel so that they respond quickly and minimize losses. At the same time, to address the increasing number of Trojans and viruses, it is essential for enterprises to spend money on the online version of anti-virus software.
Entry Point 3: Regularly back up data
Even if the preceding work is done well, some loss may still occur, because natural disasters and man-made disasters are inevitable. To limit such losses as much as possible, we also need to use existing technologies to back up data regularly (such as the enterprise ERP data that records the company's daily business) and store it properly. Network administrators must complete this as part of daily management, and it is a good work habit that every excellent network administrator must develop.
Is backed-up data safe? Theft is still possible. Therefore, when backing up data, you should also consider measures such as locking the media in a safe and "password protection" to give your backup media (such as disks and tapes) a second and third layer of protection. It is best to encrypt enterprise data at the same time as it is backed up. In this way, the data cannot be decrypted even if it is stolen.
Entry Point 4: Strengthen Client Management
Besides the servers, the client is the most frequently used device in the network and a gateway to the server. So try to move clients to a stable operating system such as Windows 2000/XP, or even other more secure systems such as Windows. In this way, you can use the "permission management" function to lock down the client, making it difficult or impossible for those who do not have security access permissions to obtain network configuration information.
Of course, you can also use another method: limit the client to a "flexible and simple" terminal. That is, programs and data reside on servers in the network but run on the client, and the only files installed on the client are a copy of the operating system and shortcut icons that point to applications residing on the server. When you double-click a shortcut icon to run a program, the program runs on the client's local resources rather than directly consuming server resources. This method reduces the damage to the server caused by damage to the client, at the cost of making troubleshooting more difficult.
Entry Point 5: Remote Access Management
One advantage of computer networks is that, with the necessary tools, they can be accessed remotely (RAS). The Windows operating system has had this feature built in since NT. But it also opens the door to security risks: an intruder only needs to know a phone number that accepts RAS connections to attempt an intrusion. Therefore, if you need remote access, you must strengthen the management of remote users and monitor how they use RAS. If your remote users usually connect from home or from a location that does not change often, we recommend that you use the "Call Back" function. With this function, the connection is dropped immediately after the remote user logs on, and the RAS server then calls a preset phone number to reconnect the user, after which the user proceeds with the RAS session. This cuts off illegal intruders, because they generally have no chance of knowing the number that the RAS server calls back, and so cannot carry out the intrusion.
In addition, you can use the "fire zone" principle to limit all remote access to a single server, with the connection between this server and the rest of the computer network completed manually. In this way, even if illegal intruders break in, they are isolated on a single machine, and the attack is limited to that one machine. Some very useful protocol technologies and methods (such as a honeypot) can also be used to confuse illegal intruders. This increases the technical cost and requires a high level of technical skill.
Entry Point 6: Update patches in time
Software cannot be perfect. It is normal for vulnerabilities to be discovered as it runs, and the number of latent vulnerabilities is proportional to the size of the software. Once a vulnerability is discovered, it must be fixed. Otherwise, it becomes an open door for illegal intruders. Software developers use their own staff or hire specialists to look for hidden vulnerabilities in software that is already deployed. Once a vulnerability is discovered, the corresponding patches are released in the form of a service pack. It is therefore necessary to check regularly for the latest patches, download them and install them. However, you need to apply these patch packages in the logical order to avoid run-time errors in some files. In addition, the anti-virus software installed on the network should be upgraded regularly so that it can effectively prevent new viruses from damaging the network.
Entry Point 7: Real-time security device and port check
Enterprises that must communicate with external networks should install firewalls and other security devices. These devices isolate your company's computers from illegal intruders on external networks, achieving physical isolation while ensuring smooth communication with external networks.
To protect the security of the enterprise intranet, make sure that the firewall and other security devices do not expose any IP addresses to the outside world; the IP addresses of servers and clients in particular must be hidden. The more IP addresses are exposed, the more likely the network is to be attacked, and the more dangerous the situation is for the server. Of course, there must be at least one IP address for external communication. If there is a web server or email server, their IP addresses should also be made public.
Communication between an IP address and the outside world takes place through ports, and there are many ports. Therefore, use software to view the ports, identify the unnecessary ones and block them, minimizing the danger caused by vulnerabilities in the operating system or other software.
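One way to carry out the port check described above, as an added example that is not part of the original article: it parses Windows `netstat -ano` output and reports every network-reachable listening port that is not on an allowlist. The sample output is constructed, and the allowlist (a web server exposing only TCP 80 and 443) and the name `unexpected_listeners` are assumptions made for the illustration.

```python
import re

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED     3120
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:161            *:*                                    1500
"""

# Assumed policy for this example: the host is a web server, so only
# HTTP and HTTPS should be reachable from other machines.
ALLOWED = {("TCP", 80), ("TCP", 443)}
LOOPBACK = {"127.0.0.1", "::1"}

# proto, local address, local port, foreign address, optional state, PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")


def unexpected_listeners(netstat_text, allowed=ALLOWED):
    """Return sorted (proto, port, address, pid) for exposed sockets not in policy."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, state, pid = m.groups()
        addr = addr.strip("[]")  # IPv6 addresses are printed in brackets
        # A TCP socket accepts connections only when LISTENING; UDP has no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        if addr in LOOPBACK:  # bound to loopback, not reachable from the network
            continue
        if (proto, int(port)) not in allowed:
            findings.add((proto, int(port), addr, int(pid)))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"review {proto}/{port} on {addr} (PID {pid})")
```

The PID column lets the administrator identify the owning service before deciding whether to disable it or block the port at the firewall.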