1. Physical Security
The server should be placed in an isolated room monitored by a camera, and the camera recordings should be kept for more than 15 days. In addition, the chassis, keyboard, and computer desk drawers should be locked so that anyone who does get into the room still cannot use the computer, and the keys should be kept in a separate, safe place.
2. Disable the Guest account
Disable the Guest account under Users in Computer Management, and never allow the Guest account to log on to the system. To be on the safe side, it is a good idea to give Guest a complex password as well: open Notepad, type a string containing special characters, numbers, and letters, and then copy it in as the Guest account password.
3. Limit the number of unnecessary users
Remove all duplicate user accounts, test accounts, shared accounts, general department accounts, and so on. Use group policy to set appropriate permissions for users, and check the system's accounts regularly, deleting those that are no longer in use. These accounts are often the breach through which attackers get into a system: the more accounts a system has, the more likely an attacker is to obtain a legitimate user's permissions. On domestic NT/2000 hosts, if the system has more than 10 accounts, you can generally find one or two with weak passwords. I once found a host with 197 accounts, 180 of which had weak passwords.
4. Create two accounts for administrators
Although this may seem to contradict the previous point, it actually follows the same rule. Create an account with ordinary permissions for reading mail and handling everyday work, and a second account with Administrators privileges that is used only when needed. Administrators can use the RunAs command to perform tasks that require privileges, which makes management easier.
5. Rename the system administrator account
As you all know, the Windows 2000 Administrator account cannot be disabled, which means that other people can try passwords against this account over and over. Renaming the Administrator account is an effective defence against this. Of course, do not rename it to something like Admin, which is as good as not renaming it at all; try to disguise it as an ordinary user, for example by renaming it to Guestone.
6. Create a Trap account
What is a trap account? Create a local account named "Administrator", give it the lowest possible permissions so that it can do nothing, and set a very complex password of more than 10 characters. This will keep the script kiddies busy for a while, and you can use it to discover their intrusion attempts. Or you can do something in its logon script. Heh, nasty enough!
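One way to turn the trap account into a detection, shown as an added example that is not part of the original article: it reads a Security log exported to CSV and reports every logon event that names the decoy, grouped by source workstation. The CSV column layout, host names and timestamps are constructed assumptions; 528 and 529 are the Windows 2000 event IDs for a successful logon and for a failed logon with an unknown user name or bad password.

```python
import csv
import io
from collections import defaultdict

DECOY = "administrator"   # trap account name from item 6, compared case-insensitively
LOGON_OK = "528"          # Windows 2000 Security log: successful logon
LOGON_FAILED = "529"      # Windows 2000 Security log: unknown user name or bad password

# Constructed sample of a Security log exported to CSV; the column layout,
# host names and timestamps are assumptions made for this example.
SAMPLE_LOG = """time,event_id,account,workstation
2003-05-02 01:14:07,529,Administrator,WS-ACCT-07
2003-05-02 01:14:09,529,Administrator,WS-ACCT-07
2003-05-02 01:14:12,529,administrator,WS-ACCT-07
2003-05-02 08:30:41,528,Guestone,SRV-CONSOLE
2003-05-02 09:02:13,529,jsmith,WS-HR-02
2003-05-02 23:51:30,528,Administrator,WS-LAB-11
"""


def decoy_alerts(log_text, decoy=DECOY):
    """Group logon events that name the decoy account by source workstation."""
    hits = defaultdict(lambda: {"failed": 0, "success": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["account"].strip().lower() != decoy.lower():
            continue
        kind = {LOGON_FAILED: "failed", LOGON_OK: "success"}.get(row["event_id"])
        if kind is None:
            continue  # not a logon event
        entry = hits[row["workstation"]]
        entry[kind] += 1
        entry["first"] = entry["first"] or row["time"]
        entry["last"] = row["time"]
    return dict(hits)


def severity(entry):
    """Nobody legitimately uses the decoy; a success means its password is known."""
    return "critical" if entry["success"] else "warning"


if __name__ == "__main__":
    for ws, e in sorted(decoy_alerts(SAMPLE_LOG).items()):
        print(f"{severity(e):8} {ws}: {e['failed']} failed, {e['success']} successful, "
              f"{e['first']} .. {e['last']}")
```

Logon events only reach the Security log when logon auditing is enabled for both success and failure.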
7. Change the permissions of shared files from the Everyone group to "authorized users"
"Everyone" in Windows 2000 means any user who has access to your network, and every such user can get at the shared data. Never set the users of a file share to the Everyone group. This includes printer shares, whose default is also the Everyone group; do not forget to change it.
8. Use secure passwords
A good password is very important to a network, yet it is the thing most easily neglected. The figures above may already illustrate this point. Some company administrators create accounts using the company name, the computer name, or something else easily guessed as the user name, and then give those accounts extremely simple passwords such as "Welcome", "ILOVEYOU", "letmein", or the user name itself. Such accounts should require the user to change to a complex password at first logon, and passwords should also be changed frequently. The other day, when we were talking about this on IRC, we came up with a definition of a good password: a good password is one that cannot be cracked within the security period. That is to say, if someone obtains your password file, it must take 43 days or longer to crack, while your password policy requires a password change every 42 days.
9. Set a screen saver password
Simple but necessary: a screen saver password is also a barrier that keeps insiders from damaging the server. Take care not to use OpenGL or other complex screen savers, which waste system resources; a blank screen is enough. In addition, the machines used by all system users should preferably be protected by a screen saver password as well.
10. Use NTFS partitions
Convert all partitions on the server to NTFS. The NTFS file system is much more secure than the FAT and FAT32 file systems. This hardly needs saying; presumably everyone's servers are already NTFS.
11. Run antivirus software
None of the Windows 2000/NT servers I have seen had any antivirus software installed, yet it is really important. Good antivirus software can remove not only well-known viruses but also a large number of Trojans and backdoor programs, which renders the well-known Trojans used by attackers useless. Do not forget to update the virus definitions frequently.
12. Secure the backup disks
Once the system data has been compromised, the backup disks will be the only way to recover your data. After backing up the data, keep the backup disks in a safe place. Do not keep the backups on the same server; if you do, you might as well not back up at all.
Editor: Bean Technology Application