Win2008 remote control security settings Tips _win Server

To ensure the security of remote control operations on the server, the Windows Server 2008 system has specifically been enhanced in this regard, with a number of new security features being introduced, but not enabled by default, which requires our own hands to set the system properly, To ensure remote control of the security of the Windows Server 2008 Server System.

1. Only allow designated personnel for remote control

If any ordinary user is allowed to remotely control the Windows Server 2008 Server system, the security of the server system must be very difficult to secure effectively. In view of this, we can make the appropriate settings for the Windows Server 2008 Server system, only allow the designated person through Remote Desktop Connection way to remote control, the following is the specific setup steps:

First, open the Start menu of the Windows Server 2008 Server System desktop, expand Programs, Administrative Tools, and Server Manager options in turn, and in the corresponding System Server Manager console window that appears, click the Server Management node option in the left child pane. Then select the Server Summary settings item under the Target Node branch, and then click the Configure Remote Desktop project to enter the Settings dialog box for the remote control Windows Server 2008 system;

Next, click the Select User button in the Remote Desktop section of the Settings dialog box. Open the Setup interface shown in Figure 1, where we see all the user accounts that can be remotely controlled for the Windows Server 2008 Server system, and once you see a strange user account or a user account that does not trust you , we can select it and click the "Delete" button, remove it from the system; Click the Add button in the corresponding settings interface to open the User Account Settings dialog box, select and add the specified administrator user account, and then click OK to end the user account setup operation. As a result, the Windows Server 2008 Server system will only allow remote administration operations by the specified system administrator, and not allow any other user to remotely control the operation.

2, refused to attack the administrator test

As with traditional server operating systems, the Windows Server 2008 Server system still uses the Administrator account to perform system logon operations by default, because such an administrator account is particularly vulnerable to being exploited by some illegal attackers, They attempt to log on to the server by cracking the password of the administrator account and try to test it against it. To deny an illegal attacker the use of an administrator account for attack testing, we can set up a Windows Server 2008 Server system by following these steps:

First in the Windows Server 2008 Server System desktop, click Start/Run, and in the pop-up system run text box, enter the Secpol.msc string command, and then click Enter to open the Local Security Group Policy Console window for the corresponding system;

Second, display the area to the left of the Local Security Group Policy Console window. Locate the Security Settings node option in which the mouse is positioned, select Local Policy/security options under the target Node branch, and locate the target security Group Policy account: Rename the system administrator account under the Security Options branch. And right-click the Group Policy option, from the shortcut menu that appears later, perform the Properties command, open the account: Rename administrator account Group Policy Property Settings dialog box, click the Local Security Settings tab in the dialog box, and open the label Settings page as shown in Figure 2. In this page, we can modify the name of the administrator account to other people not easily guessed the name, for example, you can modify it to "Guanliyuan", and finally click the "OK" button to save the above set of actions, The security of the server system can be effectively guaranteed when an illegal attacker attempts to test the Windows Server 2008 Server system with an administrator account.

3. Modify Telnet port to secure remote connection

The telnet command is the default Telnet program in a Windows Server 2008 server system because it is directly integrated into the server system and is easy to use, so network administrators often use that program when managing servers. However, when you use the Telnet command to remotely manipulate the server system, control information is often transmitted in clear text on the network, some malicious attackers can easily be similar to the account name and password of the control information interception, while the Telnet program authentication method also has obvious weaknesses, That is, it is particularly vulnerable to other people's attacks. Given the telnet command's remote control of the Windows Server 2008 Server System, the "23" default network port is typically used automatically, and the port is almost all familiar to the security of Telnet remote connections, We simply modify the default network port number for this program to prevent others from using the Telnet command to remotely control the server system as follows:

First in the Windows Server 2008 Server System desktop, click the start/Run command, in the pop-up system run text box, enter the "cmd" string command, click the ENTER key, open the corresponding system DOS command line work window;

Second, at the command prompt at the DOS window, the input string command "tlntadmn config port=2991" (where "2991" is the modified new port number) to prevent the newly set network port number from having a conflict with the system's existing port number. We must make sure that the new port number entered here cannot be set to the port number of a known system service; After confirming that the string command is entered correctly, click Enter, and the port number used by the Telnet command will automatically become "2991", at which point the network administrator must know the new port number. To use this program to remotely control operations on a Windows Server 2008 server System.

Of course, we do not go to the server site, can also remotely modify the Windows Server 2008 Server System Telnet program port number, we simply open the DOS command Line Working window on the local client system, at the command prompt at the window, enter the string command "tlntadmn Config \\server port=2991-u xxx-p yyy "(server indicates the host name or IP address of the remote server system, port=2991 the Telnet port number to be modified, and XXX is the user name to log on to the server system. YYY is the password for the application user account, the Telnet port number of the remote server system becomes "2991" after clicking Enter.

　 4, force the use of complex passwords to prevent violent cracking

If the remote login password for the Windows Server 2008 Server system is not sufficiently complex, it is possible for the user to be illegally remotely controlled to successfully break the login password. In fact, many network administrators in order to facilitate memory, often the server system remote login password set relatively simple, this invisible to the illegal attackers to provide the opportunity for brute force, remote control operation Security will also be seriously threatened. To do this, you can enable the system's own password policy by enabling the following Setup actions on the Windows Server 2008 Server system to force users to set a more complex password for the remote control account:

First, in the Windows Server 2008 Server System desktop, click Start/Program/Administrative Tools, and then, in the list of Systems management tools that appears, double-click the Local Security Policy icon to open the Local Security Settings dialog box for the corresponding system.

Next, display the area to the left of the Settings dialog box, with the mouse, select the Account Policy Branch option, and then select the Password policy subkey below the target branch option, and in the right-hand area of the password Policy subkey, we'll see six settings policy options for the password, double-click the Password must meet complexity requirements "Group Policy option to open the target Group Policy Properties Setting window as shown in Figure 3;

Check that the Enabled option is selected, and if it is found that the option is not selected, we should select it in time, and then click OK to save the setup action, so that when the remote login password for the Windows Server 2008 Server system is not set to be complex, The system will automatically eject the relevant prompts;

Next, we then on the "Mandatory password history", "Minimum password length," "with reversible encryption to store passwords", "Maximum password age", "Minimum password age" and other policies to modify on-demand, and finally click the "OK" button to complete all the setup action, So the remote login password can be forced to set up a complex.