Top 10 security protection codes from Microsoft

Rule 1: If a motivated person can persuade you to execute his program on your computer, the computer will no longer belong to you.

Rule 2: If a motivated person can change the operating system on your computer, the computer will no longer belong to you.

Rule 3: If a motivated person has unlimited physical access to your computer, the computer will no longer belong to you.

Rule 4: If you allow a motivated person to upload a program to your website, the website will no longer belong to you.

Rule 5: powerful security means no weak passwords.

Rule 6: Computer Security is equivalent to reliable system administrators.

Rule 7: Data Encryption is only equivalent to the decryption key.

Rule 8: expired anti-virus programs are not much better than no anti-virus programs.

Rule 9: completely anonymous, whether in reality or on the Internet.

Rule 10: technology is not a panacea.

Every year, Microsoft Security Response Center investigates thousands of Security reports. In some cases, once one of the reports finds that a security vulnerability is caused by a product defect, microsoft will develop patches as soon as possible to fix errors (see Microsoft Security Response Center ). In other cases, the problems reported are only caused by human errors when using the product. There are also many cases between the two. They are discussing real security issues, but they are often not caused by product defects. Over the past few years, Microsoft has developed a list similar to these problems, known as "Ten unchanged security rules ".

Do not bother to prevent the patches that occur in the issues discussed below from going public. Microsoft or other software vendors cannot completely fix these problems because they are produced by the way computers operate. But do not be totally desperate. wise judgment is the key to preventing these problems from occurring on you. If you keep these rules in mind, you can significantly improve the security of your system.

Rule 1: If a motivated person can persuade you to execute his program on your computer, the computer will no longer belong to you.

This is the unfortunate fact of Computer Science: when a computer program is executed, whether or not it is harmful or not, it will follow the instructions of the program. When you choose to execute a program, this decision will entrust control of the computer to the program. Once the program starts to run, it may do anything, but it will not go beyond what you can do on the computer. The program can monitor your key input and send it to the website, open every file on the computer, change the word "yes" in all files to "no", send rude emails to all of your friends, install viruses, and create a "backdoor" for others to remotely control you. or the ISP that is directed to nipolar Kathmandu, or format your hard disk.

So this is very important: never execute or even download programs from untrusted resources, and "resource" refers to writing programs rather than giving them to you. Executing programs and eating sandwiches is a good simulation: if a stranger comes to you and gives you a sandwich, will you eat it? I'm afraid not. What if your best friend gives you a sandwich? You may or may not eat it. It depends on whether she made it by herself or on the road. You may be safe to apply the judgment and thinking used in the sandwich situation to the program.

Rule 2: If a motivated person can change the operating system on your computer, the computer will no longer belong to you.

In the end, the operating system is only a series of 0 and 1. When the processor interprets it, it will lead to a specific computer event. When 0 and 1 change, different events will be completed. Where are values 0 and 1 stored? It is shared with other things on the computer! They are just files, but if other people who use computers can change these files, that's not good.

To understand the cause, we need to think of the operating system file as the most trusted file in the computer, and usually execute it with special privileges at the system level, that is, they can do anything. In addition, you can trust them to manage user accounts, process password changes, and execute the rules on who can do anything. If a motivated person changes these files, they become untrustworthy and will do what this person calls them to do, so there is nothing that he cannot do. He can steal the password, make him the system administrator of the computer, or add new features to the operating system. To prevent this type of attacks, make sure that the system files (and logon files) are fully protected (the Security check list on the Microsoft Security website will help you do this ).

Rule 3: If a motivated person has unlimited physical access to your computer, the computer will no longer belong to you.

If a motivated person can use your computer, he can do a lot of things. Here we list the samples from the Stone Age to the space age:

He can launch extremely low-tech denial-of-service attacks and kill your computer with a sledgehammer.

· He can unplug the computer's socket, transport it out of the building, and hold it for ransom.

· He can use the disk to boot and reformat your hard disk. But wait, you said, "when the computer is turned on, the BIOS on the computer prompts you to enter the password .」 This is no problem. He can open the computer chassis, change the system hardware, and change the BIOS chip (in fact, there are many easier ways ).

· He can remove your hard disk from your computer, install it on his computer, and read the contents.

· He can copy your hard disk and bring it back to his nest. There, he has enough time for brute force attacks, such as trying all possible login passwords. There are available programs to automate this job. If there is enough time, there is no doubt that he will succeed. After the success, rule 1 and rule 2 will come in handy.

· You can replace your keyboard with a wireless poster to monitor all the messages you enter, including your password.

Always determine that the protection of a Computer Entity is proportional to its value, and remember that the value of a computer is not only a part of hardware, but also includes data and the value of a person with poor motivation to access your network. Commercial key machines should at least be placed in a locked Data room, which is only accessible to system administrators or maintenance personnel. However, you may also need to consider protecting other computers and use additional protection measures.

If you travel with a notebook computer, it is absolutely important to protect it. Small size, light weight, and other characteristics that make notebook computers a companion to travel are also reasons that make them very easy to steal. Currently, there are locks and alarms available for Pen recording computers. Some computers can also take the hard disk away and carry it with you. You can also use functions like Windows 2000 encrypted file system, which can be mitigated when someone successfully steals a computer. However, the only way for you to fully determine file data security and hardware not changing is to always carry your laptop while traveling.

Rule 4: If you allow a motivated person to upload a program to your website, the website will no longer belong to you.

This rule is basically the opposite of rule 1. In the context of rule 1, a motivated person tricks the victim to download harmful programs to his computer and execute the program. In rule 4, a motivated person uploads a harmful program to someone else's computer and executes the program on his own. Although this is dangerous when you allow strangers to connect to your computer at any time, most of the cases on websites are this one. Many website operators are hospitable for their own benefits, allowing visitors to upload and execute programs. As described above, unpleasant things can happen if a motivated person can execute a process on your computer.

If you have a website running, you must restrict what visitors can do. On your website, only programs written by yourself or trusted developers are allowed. However, these measures may not be enough. If your website is mounted to a shared server with other websites, you need to be careful. If a motivated person has a way to drag on one of the other websites, he is likely to expand his control to the server itself, so that he can control all the above websites, including yours. If you are on a shared server, it is important to understand the policy of the system administrator of the server. (By the way, before making your website public, make sure that you have followed the instructions in the security check list of IIS 4.0 and IIS 5.0 ).

Rule 5: powerful security means no weak passwords.

The purpose of the login program is to establish your identity. Once the operating system knows your identity, you can grant or reject requirements for system resources as appropriate. If a motivated person obtains your password, he can use your identity to log in. In fact, for the operating system, you are the one with bad motives. He can do anything on the system, because he is you. Maybe he wants to read sensitive information stored on your computer, such as your email; maybe you have higher permissions than him on the Internet, therefore, by using your identity, you can do things that you cannot do at ordinary times. Maybe he just wants to do bad things and then blame you. In any case, it is worth protecting your reputation.

Always use the password. Surprisingly, many accounts actually use blank passwords. Select a complex password. Do not use the dog name, anniversary date, or local team name. Also, use the word "password" as the password! Select a password that combines uppercase and lowercase letters, numbers, punctuation marks, and other characters to make it grow better and change frequently. Once a stable password is selected, do not write it down. If you must write it down, at least put it in a safe or lockable drawer. When someone with poor motivation is looking for a password, the first thing they will look for is the yellow tab paper next to your screen. Don't tell others your password. Remember Franklin once said, "If you want two people to keep a secret, it is possible that only one of them will die .」

Finally, consider using something more powerful than a password in the system to identify yourself. For example, Windows 2000 supports the use of smart cards, which can significantly enhance the identifier check that the system can perform. You can also consider biometric products, such as fingerprint and visual network module scanners.

Rule 6: Computer Security is equivalent to reliable system administrators.

Each computer must have a system administrator who can install software, set the operating system, add and manage user accounts, and establish security policies, manage all other tasks related to maintaining the computer's startup and operation. It is defined that such work must be performed by the system administrator to control the computer, so that the system administrator's position is unparalleled. An untrusted system administrator can reverse all your security measures. He can change the permission to use computers, change system security policies, install harmful software, add non-existent users, or do other things. In fact, he can destroy any protection measures of the operating system, because he is the person who controls the operating system, and the worst is that he can conceal his behavior. If you have an untrusted System Administrator, there is obviously no security.

When you hire a system administrator, You need to recognize the trust that the system administrator has, and you can only hire someone who can guarantee that trust. Call the recommender of the system administrator to ask about his past work records, especially when the employer