I have visited many forums and joined many QQ groups, and I found that many friends always like to talk about intrusion, attacks and similar topics. Haha... I just want to ask these friends: is your computer safe? Are you yourself safe (really doubtful)?
Friend! You can't do anything without a secure environment!!
Computer security has always been the most important issue and the main concern of computer enthusiasts. It is a big topic that touches every part of the computer and cannot be explained in a few days. Here I have summarized some knowledge about system security configuration and hope it helps you. Only a secure computer can keep viruses out and prevent hacker intrusion.
Now let's start our security journey.
I. Installation Process
1. Install components selectively
When installing the operating system, use the NTFS file system, and do not accept the default component selection in Windows 2000. Following the principle "minimum services + minimum permissions = maximum security", select only the services you actually need. For example, do not install IIS unless the machine is a Web or FTP server; the minimum components a common Web server needs are Internet Service Manager, the WWW server and the related auxiliary services. If IIS was installed by default, uninstall it: Start ----> Settings ----> Control Panel ----> Add/Remove Programs ----> Add/Remove Windows Components; in the "Components" list of the Windows Components Wizard, clear the check box next to "Internet Information Services (IIS)", then click "Next" to uninstall IIS.
2. Network Connection
After installing Windows 2000, do not connect to the network immediately: none of the system's programs have been patched yet, there are all kinds of vulnerabilities, and the machine is very easy to infect with viruses or break into. Install anti-virus software and a firewall first. We recommend the Norton Enterprise Edition client (the server edition if the machine is used as a server) for anti-virus and the BlackICE firewall. Finish the following steps, then go online.
II. Correctly set and manage accounts
1. Disable the Guest account and give it a complicated password. A complicated password contains uppercase and lowercase letters, numbers and special characters (~!@#¥%"",.?), for example "G7Y3,^)y".
2. Use as few accounts as possible, and regularly check the system accounts, their permissions and passwords with scanning tools. Delete disabled accounts. Common scanners include streamer, HSCAN, X-SCAN and stat scanner. Configure account permissions correctly. Passwords must be at least eight characters, for example "3H.#4d&j1)~W"; huh... let him try to break that!! He may wear his computer out without cracking this password. ^_^
3. To make logon harder, in "Account Policy > Password Policy" enable "Password must meet complexity requirements", set "Minimum password length" to 8 characters, "Enforce password history" to 5 and "Maximum password age" to 30 days. In "Account Policy > Account Lockout Policy", set "Account lockout threshold" to 3 invalid logons, "Account lockout duration" to 30 minutes and "Reset account lockout counter after" to 30 minutes. This raises the difficulty of logging on and is of great benefit to system security.
4. Rename the system Administrator account to a name that does not contain "Admin". Then create a trap account: a local account named "Administrator" with the lowest possible permissions, able to do nothing, and a super complex password of more than 10 characters. The intruder will be kept busy with it for a while, and you get to see their intrusion attempts.
III. Correctly set directory and file permissions (this step can be done later)
To control what users can do on the server and prevent possible intrusion and overflow later, you must carefully set the access permissions on directories and files. Windows 2000 has the following access permissions: Read, Write, Read & Execute, Modify, List Folder Contents and Full Control. By default most folders give Full Control to all users (the Everyone group); you need to reset the permissions according to the application's requirements. When assigning permissions, remember the following principles:
1. Permissions accumulate: if a user belongs to two groups at the same time, the user has all permissions allowed by either group.
2. A Deny permission overrides an Allow permission (Deny is evaluated first). If a user is in a group that is denied access to a resource, no matter how many permissions other groups grant him, he cannot access the resource.
3. File permissions take precedence over folder permissions.
4. Controlling permissions through user groups is a good habit of mature system administrators.
5. Grant only the permissions users really need; the principle of least privilege is an important guarantee of security.
6. Guard against ICMP attacks. ICMP storm and fragment attacks are a headache for NT hosts, but Windows 2000 copes easily: it comes with the Routing and Remote Access tool, a prototype router, in which you can easily define input/output packet filters. If ICMP code 255 is set to be discarded, all external ICMP packets are discarded.
IV. Network Service Security Management
1. Disable unnecessary services
Leave only the necessary services; every additional service may bring more insecurity factors to the system. For example, Terminal Services, IIS (Web services) and RAS (Remote Access Service) in Windows 2000 may all introduce vulnerabilities.
2. Disable unused ports.
3. Open only the ports and protocols the service requires.
Specifically: open, in order, "Network Neighborhood → Properties → Local Area Connection → Properties → Internet Protocol (TCP/IP) → Properties → Advanced → Options → TCP/IP Filtering → Properties", and add the TCP and UDP ports and IP protocols you need. According to the services opened, the common TCP ports are: port 80 for Web services; port 21 for FTP; port 25 for SMTP; port 23 for Telnet; and port 110 for POP3. Commonly used UDP ports include: 53 for the DNS name resolution service and 161 for SNMP (Simple Network Management Protocol). Ports 8000 and 4000 are used by OICQ: the server uses 8000 to receive messages and the client uses 4000 to send. If you do not run these services, you do not need to open these ports.
4. Do not allow null connections
By default Windows 2000 allows any user to connect to the server over a null connection, enumerate accounts and guess passwords. The port used by null connections is 139. Over a null connection you can copy files to the remote server and schedule a task for execution. This is a vulnerability. Either of the following methods disables null connections:
(1) Set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.
(2) Modify the Windows 2000 Local Security Policy: in "Local Security Policy > Local Policies > Security Options", set RestrictAnonymous ("Additional restrictions for anonymous connections") to "Do not allow enumeration of SAM accounts and shares".
By default Windows 2000 lets any user obtain all of the system's accounts and share lists through a null connection. This is meant to make it convenient for LAN users to share resources and files, but at the same time any remote user can obtain your user list the same way and may then brute-force the user passwords, endangering the whole network. Many people only know to set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1 in the registry to disable null-user connections; in fact the same RestrictAnonymous option exists in the Windows 2000 Local Security Policy (on a domain server, in the Domain Controller Security Policy and Domain Security Policy). It has three values: "0", the default, imposes no restriction, so remote users can learn all accounts, group information, shared directories and network transport lists (NetServerTransportEnum) on your machine; "1" lets only non-null users access SAM account information and share information; "2" is supported only by Windows 2000, and note that with this value you can no longer share resources at all. Therefore "1" is the recommended value.
5. Disable useless ports and modify port 3389
Each Windows service corresponds to a port. For example, the WWW service uses port 80, SMTP 25 and FTP 21, and these services are all enabled by default when Windows 2000 is installed. For individual users they are really unnecessary, so close the ports, that is, disable the useless services.
To close these useless services, configure them through "Services" under "Administrative Tools" in the Control Panel.
1. Close ports 7, 9 and the like: disable the Simple TCP/IP Services, which provide the Character Generator, Daytime, Discard, Echo and Quote of the Day services.
2. Close port 80: disable the WWW service, shown in "Services" as "World Wide Web Publishing Service", which provides Web connections and management through the Internet Information Services snap-in.
3. Close port 25: disable the Simple Mail Transport Protocol (SMTP) service, which sends e-mail across the network.
4. Close port 21: disable the FTP Publishing Service, which provides FTP connections and management through the Internet Information Services snap-in.
5. Close port 23: disable the Telnet service, which allows remote users to log on to the system and run console programs from the command line.
6. It is also important to disable the Server service, which provides RPC support, file, print and named pipe sharing. This turns off Windows 2000's default shares such as ipc$, c$, admin$ and so on. Disabling this service does not affect your own operation of the machine.
7. Another port is 139, the NetBIOS session port, used for file and print sharing. Note that port 139 is also open on Unix machines running Samba, with the same function. In the past, streamer 2000 judged the other side's host type from it, which was inaccurate: any host with port 139 open was assumed to be NT; it is better now.
To stop listening on 139, in "Network and Dial-up Connections" open the properties of "Local Area Connection", select the "Internet Protocol (TCP/IP)" properties, then "Advanced TCP/IP Settings" → "WINS", and choose "Disable NetBIOS over TCP/IP". Once this is selected, port 139 is closed.
For individual users, set the startup type to "Disabled" in the properties of the services above, so the port is not opened again when the service restarts after the next reboot. Now you no longer have to worry about the default shares and open ports.
8. Modify 3389
Open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp and look for the PortNumber value: 0xd3d, in hexadecimal, is 3389. Change it to the port XXXX you want. This key is the RDP (Remote Desktop Protocol) default, which means it configures newly created RDP connections; to change the already created RDP connection, go on to the next key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations one or more RDP-TCP-like
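The settings above that live in account policy or the registry (the account section's items 1, 3 and 4, the null-connection section's RestrictAnonymous value, and the service and 3389 changes in the "disable useless ports" section) can be applied in one pass with a Windows 2000 security template and secedit. The template below is an added example, not from the original post: the administrator name and the RDP port in it are constructed placeholders, and the services are disabled by writing their registry Start values directly rather than through the template's own [Service General Setting] section.

```ini
; hardening.inf: constructed Windows 2000 security template (not from the original post).
; Apply as an administrator from a cmd prompt, then reboot:
;   secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password policy and account lockout policy, same values as the account section
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 30
LockoutBadCount = 3
LockoutDuration = 30
ResetLockoutCount = 30
; Disable Guest and rename the built-in Administrator (new name is a placeholder;
; the decoy "Administrator" account is created by hand afterwards)
EnableGuestAccount = 0
NewAdministratorName = "SrvOps"

[Registry Values]
; RestrictAnonymous = 1: "4" means REG_DWORD, followed by the value
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; Move RDP off 3389 for new and for the existing RDP-Tcp connection.
; Values here are decimal; regedit shows the same number in hex (0xd3d = 3389).
; 13389 is a constructed example port, pick your own.
MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber=4,13389
MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber=4,13389
; Start=4 is "Disabled" for the services behind ports 7/9, 80, 25, 21, 23 and the
; Server service (default shares). Remove lines for services that are not installed.
MACHINE\System\CurrentControlSet\Services\SimpTcp\Start=4,4
MACHINE\System\CurrentControlSet\Services\W3SVC\Start=4,4
MACHINE\System\CurrentControlSet\Services\SMTPSVC\Start=4,4
MACHINE\System\CurrentControlSet\Services\MSFtpsvc\Start=4,4
MACHINE\System\CurrentControlSet\Services\TlntSvr\Start=4,4
MACHINE\System\CurrentControlSet\Services\lanmanserver\Start=4,4
```

After applying, check hardening.log for any line that failed, and confirm the new RDP port with `netstat -an` before closing your current session.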