Advanced Security Articles
1. Close DirectDraw
This is a requirement of the C2-level security standard for video cards and memory. Shutting down DirectDraw may affect programs that need DirectX, but most commercial sites should be unaffected. Modify the registry: under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI, set Timeout (REG_DWORD) to 0.
2. Turn off default sharing
When Windows 2000 is installed, the system creates some hidden shares; you can view them by running net share in cmd. There are many articles on the internet about IPC intrusion, and I believe you are already familiar with it. To disable these shares, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the share in question and choose Stop Sharing. However, after the machine restarts, these shares will be recreated.
Default shared directory paths and functions:
C$, D$, E$: the root directory of each partition. On Windows 2000 Professional, only members of the Administrators and Backup Operators groups can connect; on Windows 2000 Server, members of the Server Operators group can also connect to these shares.
ADMIN$ (%SYSTEMROOT%): a shared directory for remote administration. Its path always points to the Windows 2000 installation directory, such as C:\winnt.
FAX$: on Windows 2000 Server, used by fax clients when sending faxes.
IPC$: the null-session share. IPC$ provides the ability to log on to the system.
NetLogon: used by the Net Logon service on Windows 2000 Server when handling domain logon requests.
PRINT$ (%SYSTEMROOT%\system32\spool\drivers): used by users to manage printers remotely.
3. Prevent dump files from being generated
Dump files are useful for tracking down problems when the system crashes or blue-screens (or, as I would translate it literally, "junk files"). However, they can also give an attacker sensitive information, such as passwords held by some applications. To disable them, open Control Panel > System Properties > Advanced > Startup and Recovery and change Write Debugging Information to (none). When you need them again, you can turn them back on.
4. Use the Encrypting File System (EFS)
Windows 2000's powerful encryption system can add a layer of security to disks, folders and files. This prevents someone from attaching your hard drive to another machine and reading the data. Remember to apply EFS to the folder, not just to a single file. Specific information about EFS can be found at http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
5. Encrypt Temp Folder
Some applications copy files to the Temp folder when they are installed or upgraded, but do not clean up the Temp folder themselves when the program is upgraded or closed. Encrypting the Temp folder therefore gives those files a layer of protection.
6. Lock the Registry
In Windows 2000, only Administrators and Backup Operators have permission to access the registry over the network. If you think this is not enough, you can restrict registry access further; for more information refer to http://support.microsoft.com/support/kb/articles/Q153/1/83.asp
7. Clear the paging file at shutdown
The paging file (the swap file) is a hidden file that Windows 2000 uses to hold parts of programs and data files that are not currently loaded in memory. Some third-party programs keep unencrypted passwords in memory, and the paging file may contain other sensitive information. To clear the paging file when the computer shuts down, edit the registry: under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, set ClearPageFileAtShutdown to 1.
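The following audit script is an added example, not part of the original article: it checks the two registry values from items 1 and 7 and lists the hidden default shares from item 2. It assumes a current Windows with PowerShell 5.1 or later (Get-SmbShare is not available on Windows 2000), and the $Apply switch is a hypothetical name chosen here.

```powershell
# Added example (not the article's own code). Read-only by default; run
# from an elevated PowerShell prompt. Set $Apply = $true to write the
# expected DWORD values where the key already exists.
$Apply = $false

# Registry hardening values from items 1 and 7 of the article.
$checks = @(
    @{ Name     = 'DirectDraw DCI Timeout (item 1)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI'
       Value    = 'Timeout'
       Expected = 0 },
    @{ Name     = 'ClearPageFileAtShutdown (item 7)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value    = 'ClearPageFileAtShutdown'
       Expected = 1 }
)

foreach ($c in $checks) {
    # A missing value behaves like 0, so report it rather than assume it is set.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { $actual = '<missing>' } else { $actual = $item.($c.Value) }

    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1}: actual={2} expected={3}' -f $status, $c.Name, $actual, $c.Expected

    if ($Apply -and $status -ne 'OK' -and (Test-Path $c.Path)) {
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        "        -> set $($c.Value) to $($c.Expected)"
    }
}

# Hidden (dollar-suffixed) shares, the same set "net share" shows (item 2).
# Note the article's caveat: stopping these shares does not survive a reboot.
Get-SmbShare | Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Path, Description | Format-Table -AutoSize
```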
8. Disable booting from floppy disk and CD-ROM
Some third-party tools can bypass the existing security mechanisms by booting the system from removable media. If your server's security requirements are high, consider removing the floppy and optical drives altogether. Locking the chassis is also a good idea.
9. Consider using a smart card instead of a password
Passwords always put the security administrator in a dilemma: simple passwords are vulnerable to attacks with tools such as L0phtCrack, but if passwords are too complex, users cannot remember them and end up writing them down everywhere. If conditions permit, using smart cards instead of complex passwords is a good solution.
10. Consider using IPSec
As its name implies, IPSec provides security for IP packets. IPSec provides authentication, integrity and optional confidentiality. The sending computer encrypts the data before it is transmitted, and the receiving computer decrypts it after receipt. Using IPSec can greatly enhance the security of the system. For more information about IPSec, refer to Http://www.microsoft.com/china/technet/security/ipsecloc.asp