Windows 2000 Server Security Configuration tips

Source: Internet
Author: User
Tags: microsoft, website

Windows 2000 contains many security functions and options. If you configure them properly, Windows will be a secure operating system.
===========================================================================
Elementary Security
******************

1. Physical Security

The server should be placed in an isolated room with a surveillance camera installed, and the camera recordings should be kept for at least 15 days. In addition, the chassis, keyboard, and the drawer of the computer desk should be locked so that nobody can use the computer even after entering the room, and the key should be kept in another safe place.

2. Stop the Guest account

In Computer Management > Users, disable the Guest account so that it cannot log on to the system at any time. For extra safety, also give Guest a complicated password: open Notepad, type a long string of special characters, numbers, and letters, and copy it in as the Guest account's password.

3. Limit the number of unnecessary users

Remove all duplicate user accounts, test accounts, shared accounts, and generic department accounts. Use group policy to assign the appropriate permissions to each user group, and check the system accounts regularly to delete accounts that are no longer in use. Many of these accounts are the point of entry for intruders: the more accounts there are, the more likely an attacker is to obtain the credentials of a legitimate user. On NT/2000 hosts in China, if there are more than 10 system accounts, you can usually find one or two with weak passwords. I once found that 197 of the 180 accounts on a host were weak-password accounts.

4. Create two administrator accounts

Although this seems to conflict with the previous point, it actually follows the same rule. Create one account with ordinary permissions for receiving mail and handling routine work, and a second account with administrative permissions that is used only when needed. The administrator can use the "RunAs" command to run the tasks that require special privileges, which is convenient for management.

5. Rename the system administrator account

As everyone knows, the Administrator account of Windows 2000 cannot be disabled, which means that others can try the password of this account again and again. Renaming the Administrator account can effectively prevent this. Of course, do not use admin or a similar name; when you rename it, try to disguise it as an ordinary user, for example guestone.

6. Create a trap account

What is a trap account? Look: create a local account named "Administrator", give it the lowest possible permissions, and set a super complex password of more than 10 characters. This keeps the script kiddies busy for a while and lets you discover their intrusion attempts. Or you can do something with its logon script. Hey, that's enough damage!

7. Change the Shared File Permission from the "everyone" group to "authorized users"

"Everyone" in Win2000 means that any user who can reach your network can access the shared information. Never assign the "everyone" group to the users of a shared file, and this includes print sharing. The default is the "everyone" group, so do not forget to change it.

8. Use a Secure Password

A good password is very important for a network, but it is also the easiest thing to ignore. This may already have been explained in the previous section. Some company administrators use the company name or computer name as the user name when creating accounts, and then set the passwords of these accounts to something trivial, for example "welcome", "Iloveyou", "letmein", or the same as the user name. Such an account should require the user to change to a complex password at first logon, and the password should also be changed frequently. When I discussed this issue with people on IRC a few days ago, we defined a good password as one that cannot be cracked within the security period. That is to say, if someone gets your password file, it takes them 43 days or longer to crack it, while your password policy requires the password to be changed every 42 days.
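To make the 42-day rule concrete, here is an added Python example (not from the original article) that estimates how long an exhaustive search of a password's keyspace would take and checks the result against the article's 42-day maximum password age and 6-character minimum length. The guess rate, the tiny word list and the sample user names and passwords are constructed assumptions; adjust the rate to your own threat model.

```python
import string

ROTATION_DAYS = 42          # maximum password age from the policy above
MIN_LENGTH = 6              # minimum password length from the policy above
GUESSES_PER_SECOND = 1e6    # assumed attacker speed (constructed; tune to your threat model)

# Constructed mini word list of the trivial passwords the article names.
COMMON_WORDS = {"welcome", "iloveyou", "letmein", "password"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def days_to_exhaust(charset: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every password of this length over this alphabet."""
    return (charset ** length) / rate / 86400


def expected_crack_days(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker finds the password halfway through the keyspace."""
    return days_to_exhaust(charset_size(password), len(password), rate) / 2


def is_trivial(password: str, username: str) -> bool:
    """The shortcuts the article warns about: too short, a common word, or equal to the user name."""
    lowered = password.lower()
    return (len(password) < MIN_LENGTH
            or lowered in COMMON_WORDS
            or lowered == username.lower())


def outlives_rotation(password: str, username: str,
                      rate: float = GUESSES_PER_SECOND,
                      rotation_days: int = ROTATION_DAYS) -> bool:
    """True when the password is expected to survive longer than the rotation period."""
    if is_trivial(password, username):
        return False                      # word-list and user-name guesses skip the keyspace entirely
    return expected_crack_days(password, rate) > rotation_days


if __name__ == "__main__":
    for user, pw in [("jsmith", "welcome"), ("jsmith", "jsmith"),
                     ("jsmith", "abcdefgh"), ("jsmith", "Tq7#mLp2!xVz")]:
        print(f"{pw!r:16} charset={charset_size(pw):3} "
              f"expected crack={expected_crack_days(pw):.3g} days "
              f"ok={outlives_rotation(pw, user)}")
```

Two things the arithmetic shows that the paragraph does not: at a million guesses per second even eight lowercase letters fall in about a day, well inside the 42-day window, and the word-list check matters more than the keyspace estimate, because "welcome" or a user name is found long before any brute force starts.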

9. Set screen saver password

It is easy and necessary. Setting a screen saver password is also a barrier that prevents internal staff from damaging the server. Do not use OpenGL or other complex screen saver programs, which waste system resources; just let it go to a black screen. Also, it is better to add screen saver passwords to the machines of all system users.

10. partition using NTFS format

Change all partitions on the server to NTFS. The NTFS file system is much safer than FAT and FAT32. Needless to say, every server should be on NTFS.

11. Run anti-virus software

I have never seen anti-virus software installed on Win2000/NT servers. In fact, it is very important. Good anti-virus software not only kills well-known viruses but also a large number of Trojans and backdoor programs, which makes the well-known Trojans used by hackers useless. Do not forget to update the virus database frequently.

12. ensure the security of the backup disk

Once the system data is damaged, the backup disk is the only way to restore it. After backing up the data, keep the backup disk in a safe place. Never store the backup on the same server; in that case you might as well not back up at all.
===========================================================================

Intermediate Security
*******************

1. Use Win2000 security configuration tools to configure policies

Microsoft provides a set of security configuration and analysis tools based on the MMC (Microsoft Management Console). With these tools, you can easily configure your servers to meet your requirements. For details, refer to the Microsoft homepage:

Http://www.microsoft.com/windows200...y/sctoolset.asp

2. disable unnecessary services

Windows 2000 Terminal Services, IIS, and RAS can introduce security vulnerabilities into your system. To manage servers remotely and conveniently, Terminal Services is enabled on many machines. If you have enabled Terminal Services, make sure that it is configured correctly. Some malicious programs can also run quietly in the form of services. Pay attention to all the services enabled on the server and check them every day. The following are the services installed by default at the C2 level:

Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM Security Support Provider
Server
RPC Locator
WINS
RPC Service
Workstation
Netlogon
Event Log

3. disable unnecessary ports

Disabling ports means reducing functionality, so you need to weigh security against functionality. If the server sits behind a firewall there is less risk, but never think you can rest assured. Use a port scanner to scan the ports opened by the system and determine which services are open; this is also the first step a hacker takes when intruding into your system. The \system32\drivers\etc\services file contains a list of well-known ports and services for reference. The specific method is:

Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP filtering > Properties: enable TCP/IP filtering and add the required TCP and UDP ports.

4. Open Audit Policy

Enabling security auditing is the most basic intrusion detection method in Win2000. When someone attempts to intrude into your system in some way (such as guessing user passwords, changing account policies, or accessing files without authorization), it is recorded by the security audit. Many administrators remain unaware of an intrusion for months, until the system is damaged. The following audits must be enabled, and others can be added as needed:

Policy                          Setting
Audit account logon events      Success, Failure
Audit account management        Success, Failure
Audit logon events              Success, Failure
Audit object access             Success
Audit policy change             Success, Failure
Audit privilege use             Success, Failure
Audit system events             Success, Failure

5. Enable Password Policy

Policy                                        Setting
Password must meet complexity requirements    Enabled
Minimum password length                       6 characters
Enforce password history                      5 passwords remembered
Maximum password age                          42 days

6. Enable Account Policy

Policy                                   Setting
Reset account lockout counter after      20 minutes
Account lockout duration                 20 minutes
Account lockout threshold                3 invalid logon attempts
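The three settings above interact in a way that is easy to get wrong, so here is an added Python simulation (not part of the original article) of the lockout policy it prescribes: threshold 3, counter reset after 20 minutes, lockout duration 20 minutes. The event sequence, user names and timestamps are constructed; times are minutes since an arbitrary start.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD = 3        # account lockout threshold (invalid attempts)
RESET_AFTER = 20     # reset account lockout counter after (minutes)
LOCK_FOR = 20        # account lockout duration (minutes)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None      # minute of the last failed attempt
    locked_until: Optional[float] = None  # minute at which the lock expires


class LockoutPolicy:
    """Models how the bad-password counter, its reset window and the lockout duration interact."""

    def __init__(self, threshold: int = THRESHOLD, reset_after: float = RESET_AFTER,
                 lock_for: float = LOCK_FOR) -> None:
        self.threshold = threshold
        self.reset_after = reset_after
        self.lock_for = lock_for
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        s = self._state(user)
        if s.locked_until is not None:
            if now < s.locked_until:
                return True
            # Lock has expired: clear it and start the counter from zero again.
            s.locked_until = None
            s.bad_count = 0
            s.last_bad = None
        return False

    def logon_attempt(self, user: str, now: float, password_ok: bool) -> str:
        """Returns 'locked', 'success', 'failed' or 'locked_out' (this attempt triggered the lock)."""
        if self.is_locked(user, now):
            return "locked"               # even a correct password is refused during the lock
        s = self._state(user)
        if password_ok:
            s.bad_count = 0
            s.last_bad = None
            return "success"
        # The counter resets if the previous failure is older than the reset window.
        if s.last_bad is not None and now - s.last_bad >= self.reset_after:
            s.bad_count = 0
        s.bad_count += 1
        s.last_bad = now
        if s.bad_count >= self.threshold:
            s.locked_until = now + self.lock_for
            return "locked_out"
        return "failed"


# Constructed event log: (minute, user, password_correct).
EVENTS: List[Tuple[float, str, bool]] = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (10, "alice", True),    # right password, but the account is still locked
    (23, "alice", True),    # lock expired at minute 22, so this succeeds
    (0, "bob", False), (25, "bob", False), (50, "bob", False),  # spaced > 20 min apart
]


def run(events: List[Tuple[float, str, bool]],
        policy: Optional[LockoutPolicy] = None) -> List[Tuple[float, str, str]]:
    """Replays the events in time order and returns (minute, user, outcome) for each."""
    policy = policy or LockoutPolicy()
    return [(t, user, policy.logon_attempt(user, t, ok))
            for t, user, ok in sorted(events, key=lambda e: (e[0], e[1]))]


if __name__ == "__main__":
    for minute, user, outcome in run(EVENTS):
        print(f"t={minute:3} {user:6} {outcome}")
```

The bob sequence is the point to notice: a guesser who spaces attempts further apart than the 20-minute reset window never trips the threshold, which is why the failed-logon auditing from the previous item is still needed alongside lockout.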

7. Set security record Access Permissions

The security log is unprotected by default. You can set it so that only the Administrator and SYSTEM accounts can access it.

8. store sensitive files in another file server

Although the server's hard disk capacity is very large, you should consider whether it is necessary to store important user data (files, data tables, project files, etc.) on this server; it is better to keep such data on another secure server and back it up frequently.

9. Do not allow the system to display the username of the Last login

By default, when a Terminal Services session connects to the server, the logon dialog box displays the account name used for the last logon, and the local logon dialog box does the same. This makes it easy for others to obtain some user names of the system for password guessing. You can modify the registry so that the last logged-on user name is not displayed in the dialog box:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Set this REG_SZ value to 1.

10. Disable null connections

By default, any user can connect to the server through a null (anonymous) connection and then enumerate the accounts and guess passwords. You can modify the registry to restrict null connections:

Set HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.

11. Download the latest patches from the Microsoft website

Many network administrators do not have the habit of visiting security sites, so some vulnerabilities remain unpatched for a long time, and the server becomes an easy target. No one can guarantee that the millions of lines of code in Windows 2000 contain no security vulnerabilities. Visit Microsoft and the security sites regularly: downloading the latest service pack and hotfixes is the only way to ensure the long-term security of the server.
===========================================================================
Advanced Security
*******************

1. Disable DirectDraw

This is a requirement of the C2 security standard for video cards and memory. Disabling DirectDraw may affect some programs that require DirectX (such as games; playing StarCraft on a server? I'm dizzy...), but the vast majority of commercial sites should be unaffected. In the registry, under HKLM\System\CurrentControlSet\Control\GraphicsDrivers\DCI, set Timeout (REG_DWORD) to 0.

2. Disable default share

After Win2000 is installed, the system creates some hidden shares. You can run net share at a cmd prompt to view them. There are many articles on the Internet about IPC$ intrusion, so I believe everyone is familiar with it. To disable a share, choose Administrative Tools > Computer Management > Shared Folders > Shares, right-click the shared folder, and click Stop Sharing. However, after the machine restarts, these shares are re-created.

Default shares, their paths, and their function:

C$, D$, E$ ...: the root directory of each partition. On Win2000 Professional only members of the Administrators and Backup Operators groups can connect; on Win2000 Server, the Server Operators group can also connect to these shares.

ADMIN$: %SystemRoot%, shared for remote management. The path always points to the Win2000 installation directory, for example C:\WINNT.

FAX$: on Win2000 Server, used by fax clients when sending a fax.

IPC$: the null connection. The IPC$ share provides the ability to log on to the system.

NETLOGON: on Windows 2000 Server, the Net Logon service share, used to process domain logon requests.

PRINT$: %SystemRoot%\system32\spool\drivers, for remote printer management.

Solution:

Open Registry Editor (regedit) and go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a DWORD value named AutoShareServer on the right and set it to 0. (On Windows 2000 Professional the equivalent value is AutoShareWks.) Note that this only stops the administrative shares (C$, ADMIN$, and so on) from being re-created at startup; IPC$ is not controlled by this value.

3. Disable dump file generation

Dump files are useful for troubleshooting when the system crashes with a blue screen. However, they can also provide sensitive information to hackers, such as the passwords of some applications. To disable them, open Control Panel > System > Advanced > Startup and Recovery and set Write Debugging Information to None. You can turn it back on when you need it.

4. Use the Encrypting File System (EFS)

The powerful encryption system of Windows 2000 can provide security protection for disks, folders, and files. This prevents others from attaching your hard disk to another machine and reading the data. Remember to apply EFS to folders, not just to single files. For more information about EFS, see

Http://www.microsoft.com/windows200...ity/encrypt.asp

5. encrypt the temp folder

Some applications copy files to the temp folder during installation and upgrades, but do not clear the temp folder when the program is upgraded or removed. Encrypting the temp folder therefore provides an extra layer of protection for your files.

6. Lock the Registry

In Windows2000, Only Administrators and Backup Operators have the permission to access the registry from the network. If you think it is not enough, you can further set the Registry access permission. For details, refer:

Http://support.microsoft.com/suppor...s/Q153/1/83.asp

7. Clear page files when shutting down

The page file, that is, the paging file, is a hidden file that Win2000 uses to hold program and data pages that do not fit in memory. Some third-party programs keep unencrypted passwords in memory, and the page file may contain other sensitive information. To clear the page file at shutdown, edit the registry:

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

Set ClearPageFileAtShutdown (REG_DWORD) to 1.
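The registry values recommended in Intermediate 9 and 10 and in Advanced 1, 2 and 7 are scattered across the page, so here is an added Python example (not part of the original article) that gathers them into one table, checks a regedit export against it, and renders a .reg file that applies them. The sample export is a constructed excerpt in regedit 5.00 format; the key paths, value names and data are those the article gives, with DontDisplayLastUserName typed as REG_SZ (as the article says) and the remaining values as REG_DWORD.

```python
import re
from typing import Dict, List, Tuple

RegKey = Tuple[str, str]               # (key path, value name), both lower-cased
RegValue = Tuple[str, object]          # (type, data)

# (key, value name, type, required data, why) for the settings the article recommends.
HARDENING = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName", "REG_SZ", "1", "hide the last logged-on user name"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "RestrictAnonymous", "REG_DWORD", 1, "restrict null-session enumeration"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI",
     "Timeout", "REG_DWORD", 0, "disable DirectDraw (C2 requirement)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", "REG_DWORD", 0, "do not re-create C$/ADMIN$ shares at boot"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown", "REG_DWORD", 1, "wipe the page file at shutdown"),
]

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[RegKey, RegValue]:
    """Parses regedit export text into {(key, name): (type, data)}; names compare case-insensitively."""
    values: Dict[RegKey, RegValue] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        if rhs.startswith("dword:"):
            values[(key, name)] = ("REG_DWORD", int(rhs[len("dword:"):], 16))
        elif rhs.startswith('"') and rhs.endswith('"'):
            values[(key, name)] = ("REG_SZ", rhs[1:-1])
        else:
            values[(key, name)] = ("OTHER", rhs)   # binary/expandable types are not needed here
    return values


def audit(values: Dict[RegKey, RegValue]) -> List[Tuple[str, str, object, str]]:
    """Returns (value path, 'missing'|'mismatch', actual data or None, reason) for each deviation."""
    findings = []
    for key, name, rtype, want, why in HARDENING:
        path = f"{key}\\{name}"
        got = values.get((key.lower(), name.lower()))
        if got is None:
            findings.append((path, "missing", None, why))
        elif got != (rtype, want):
            findings.append((path, "mismatch", got[1], why))
    return findings


def render_reg(settings=HARDENING) -> str:
    """Builds a .reg file that applies every setting in the table."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, rtype, want, _why in settings:
        lines.append(f"[{key}]")
        if rtype == "REG_DWORD":
            lines.append(f'"{name}"=dword:{want:08x}')
        else:
            lines.append(f'"{name}"="{want}"')
        lines.append("")
    return "\n".join(lines)


# Constructed excerpt of a regedit export from a partially hardened server.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000001
"""

if __name__ == "__main__":
    for path, status, actual, why in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{status:8} {path} (actual={actual!r}) -> {why}")
    print(render_reg())
```

Running the audit against a real export (regedit's File > Export of HKEY_LOCAL_MACHINE) gives a repeatable check after each reboot or service pack, which matters because a later installer can silently flip these values back.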

8. Do not start the system from a floppy disk or cd rom.

Some third-party tools can bypass the system's security mechanisms by booting the machine from removable media. If your server has high security requirements, consider removing the floppy and optical drives. Locking the chassis is also a good method.

9. Consider using a smart card instead of a password

Passwords are always a dilemma for the security administrator and are vulnerable to tools such as L0phtCrack. If the password is too complex, users write it down everywhere in order to remember it. If conditions permit, replacing complex passwords with smart cards is a good solution.

10. Consider using IPSec

As the name implies, IPSec provides security for IP packets: authentication, integrity, and optional confidentiality. The sender encrypts the data before transmission and the receiver decrypts it on arrival. IPSec can greatly enhance the security of the system.

A private game server (SF) has to open its ports, so here is a practical approach to port security.

Ports to open for a Legend (Mir) server + Peanut Shell + some other required ports

You can use TCP/IP filtering to allow only these ports, which increases security. (If you run other services, add their ports yourself.)

TCP/IP filtering -> TCP ports:

Port 7220... rungate 1

Port 7210... rungate 2: Enable three rungates at the same time

Port 7200... rungate 3

Port 7100

Port 7012

Port 6000

Port 5600

Port 5500

Port 5100

Port 5000

Port 4900

Port 3389

Port 3372

Port 3100

Port 3000

Port 1027

Port 1025

Port 135
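To see what the filter above actually admits, here is an added Python example (not from the original article) that parses the \system32\drivers\etc\services format the article points to, labels the allow-list with the well-known service names it can find, and reports which listening ports on a host the filter would cut off. The services excerpt and the list of listening ports are constructed samples, not taken from a real server.

```python
import re
from typing import Dict, List, Tuple

# TCP ports the article's filter admits (the "Port NNNN" list above).
ALLOWED_TCP = [7220, 7210, 7200, 7100, 7012, 6000, 5600, 5500, 5100, 5000,
               4900, 3389, 3372, 3100, 3000, 1027, 1025, 135]

# Constructed excerpt in the format of %SystemRoot%\system32\drivers\etc\services:
# <name> <port>/<protocol> [aliases...] [# comment]
SERVICES_EXCERPT = """\
# constructed sample, not a real services file
echo                7/tcp
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp    mail
http               80/tcp    www www-http   # World Wide Web
epmap             135/tcp    loc-srv        # DCE endpoint resolution
netbios-ssn       139/tcp    nbsession      # NETBIOS session service
https             443/tcp    MCom
microsoft-ds      445/tcp
ms-sql-s         1433/tcp
ms-wbt-server    3389/tcp                   # Terminal Services
"""

_LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Maps (port, protocol) to the primary service name; comments and blank lines are skipped."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE_RE.match(line)
        if m:
            table[(int(m.group(2)), m.group(3))] = m.group(1)
    return table


def describe(port: int, table: Dict[Tuple[int, str], str], proto: str = "tcp") -> str:
    """Service name for a port, or a marker when the services file does not know it."""
    return table.get((port, proto), "unknown (not in services file)")


def check_filter(listening: List[int], allowed: List[int],
                 table: Dict[Tuple[int, str], str]) -> Dict[str, List[Tuple[int, str]]]:
    """Splits currently listening TCP ports into those the filter admits and those it blocks."""
    allowed_set = set(allowed)
    report: Dict[str, List[Tuple[int, str]]] = {"admitted": [], "blocked": []}
    for port in sorted(listening):
        bucket = "admitted" if port in allowed_set else "blocked"
        report[bucket].append((port, describe(port, table)))
    return report


# Constructed list of TCP ports a freshly installed server might be listening on.
LISTENING_SAMPLE = [135, 139, 445, 1025, 3389, 7200, 7210, 7220, 80, 1433]

if __name__ == "__main__":
    table = parse_services(SERVICES_EXCERPT)
    report = check_filter(LISTENING_SAMPLE, ALLOWED_TCP, table)
    for bucket, entries in report.items():
        print(bucket)
        for port, name in entries:
            print(f"  {port:5} {name}")
```

The report makes two things visible that the bare port list does not: the filter closes the SMB/NetBIOS ports (139, 445) that null-session attacks use, which also means file sharing stops working, and the game ports in the 7200 range have no entry in the services file, so "unknown" there is expected rather than suspicious. Remember that TCP/IP filtering is configured per adapter and only governs inbound traffic.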


I opened three rungate ports to solve the 7200 error that occurs when many players log on to the server at the same time, which would suddenly kill the server. It is better to open three ports. (ggggg7 original)

How to open three rungate ports:

Copy the rungate folder to rungate1, rungate2, and rungate3, and in each copy change mirgate.ini to gateport=7200, gateport=7210, and gateport=7220 respectively.

In the Dbsrv200 folder, change serverinfo.txt to: 127.0.0.1 127.0.0.1 7200 127.0.0.1 7210 127.0.0.1 7220

In the Mir200 folder, change servertable.txt to:

1 127.0.0.1 7200

2 127.0.0.1 7210

3 127.0.0.1 7220

Then run runcmd.exe under rungate1, rungate2, and rungate3.

M2server prompts:

Gate 0 opened

Gate 1 opened

Gate 2 opened

Adding a firewall where appropriate is better still.

 
