Windows Sever Security Settings Attention _ Security Settings

Personal feeling more useful article about the server security recommendations, many places will be ignored, where the author will be listed, easy to view, configure the server to look at the attention point, very good.

Excerpt from: Siyizhu ' s weblog

Primary safety Articles

1. Physical Security
The server should be placed in the isolation room where the monitor is installed, and the monitor should keep the camera record for more than 15 days. In addition, the chassis, keyboard, computer desk drawer to be locked to ensure that others even enter the room can not use the computer, the key should be placed in another safe place.

2. Stop Guest Account
The Guest account is deactivated in the computer-managed user, and the Guest account login system is not allowed at any time. To be on the safe side, it's a good idea to add a complex password to the guest, you can open Notepad, enter a string containing special characters, numbers, letters, and then handcuff it as a Guest account password.

3.Limit the number of unnecessary users
Remove all duplicate user accounts, test accounts, share accounts, general department accounts, etc. User Group Policy sets the appropriate permissions, and often checks the system's account to remove accounts that are no longer in use. These accounts are often a breach of the hacker's intrusion system, the more the system accounts, the more the hackers are likely to get the permissions of legitimate users. Domestic nt/2000 Host, if the system account more than 10, generally can find one or two weak password account. I once found that a host of 197 accounts in which 180 are weak password accounts.

4. Create 2 Administrator accounts
Although this may seem contradictory to the above, it is in fact subject to the above rules. Create a general permission account to receive letters and handle daily things, and another account with administrators privileges is used only when needed. You can have administrators use the RunAS command to perform some of the tasks that require privileges to facilitate management.

5.Rename the system administrator account
As you all know, the Windows 2000 Administrator account is not deactivated, which means that other people can try this account password over and over. Renaming an administrator account can effectively prevent this. Of course, please do not use the name of admin, change is equal to do not change, try to disguise it as ordinary users, such as change into: Guestone.

6.Create a Trap account
What is a trap account? look!>; creates a local account called "Administrator", sets its permissions to the minimum, does nothing, and adds a super complex password of over 10 bits. This will allow those Scripts s to be busy for some time, and can use this to discover their intrusion attempts. Or do something on it's login scripts. Hey, enough damage!

7.Change permissions for shared files from the Everyone group to authorized users
"Everyone" in Win2000 means that any user who has access to your network will be able to access the shared information. Do not set the users who share files to the Everyone group at any time. Including print sharing, the default property is "Everyone" group, must not forget to change.

8. Using a Secure password
A good password is very important for a network, but it is the easiest to ignore. The preceding one may have been able to illustrate this point. Some corporate administrators often create accounts by using the company name, computer name, or some other guessing thing to do the username, and then set the password of these accounts to n simple, such as "Welcome" "ILOVEYOU" "letmein" or the same username and so on. Such an account should require users to change to a complex password when they first log in, and also be aware of changing the password frequently. The other day, when we were talking about this on IRC, we have a definition of a good password: the password can not be cracked during the security period is a good password, that is to say, if someone gets your password document, it must take 43 days or longer to break out, and your password policy is 42 days must change the password.

9. Set screen protection password
Simple and necessary, setting up a screen saver password is also a barrier to preventing internal personnel from destroying the server. Be careful not to use OpenGL and some complex screen saver, waste system resources, let him black screen on it. Also, the machines used by all system users are also best protected by a screensaver password.

10. partitioning with NTFS format
Change all partitions of the server to NTFS format. The NTFS file system is much more secure than the Fat,fat32 file system. This does not have to say, presumably everyone has the server is already NTFS.

11.Running antivirus software
The WIN2000/NT server I've seen has never seen any anti-virus software installed, which is really important. Some good anti-virus software not only can kill some famous viruses, but also killing a lot of Trojans and backdoor procedures. In that case, the famous Trojans used by hackers are useless. Don't forget to update your virus library frequently.

12. Secure the backup disk
Once the system data has been compromised, the backup disk will be the only way to recover your data. After backing up the data, keep the backup disk in a safe place. Do not back up the data on the same server, in that case, do not have to back up.

Intermediate Safety article:

1. Using the Win2000 Security Configuration tool to configure the policy
Microsoft provides a set of security configuration and analysis tools based on MMC (management Console) that you can use to configure your server to meet your requirements. Please refer to the Microsoft Homepage for specific content:
Http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp

2.To turn off unnecessary services
Windows 2000 Terminal Services, IIS, and RAS can all bring security vulnerabilities to your system. In order to be able to remote Management Server, many machines Terminal Services are open, if you also open, to confirm that you have the correct configuration of Terminal Services. Some malicious programs can also be quietly run in a service way. Be aware of all the services that are open on the server, and check them for mid-term (daily). The following are the default services for C2-level installations:
Computer Browser Service TCP/IP NetBIOS Helper
Microsoft DNS Server Spooler
NTLM SSP Server
RPC Locator WINS
RPC Service Workstation
Netlogon Event Log

3.To close unnecessary ports
Closing the port means reducing the functionality and requiring you to make a decision on security and functionality. If the server is behind a firewall, it will take less risk, but never think you can sit back and relax. Use the port scanner to scan the ports open by the system and determine which services are open to the first step in hacking your system. The \system32\drivers\etc\services file has a list of well-known ports and services available for reference. The specific methods are:
Network Places >; Properties >; local connections >; Properties >;internet Protocol (TCP/IP) >; Properties >; Advanced >; options >;TCP/IP filtering >; Properties Open TCP/IP filtering, adding required TCP , UDP, protocol can be.

4.Open Audit Policy
Opening security audit is the most basic intrusion detection method in Win2000. When someone tries to invade your system in some way (such as trying a user's password, changing the account policy, unauthorized file access, and so on), it will be logged by the security audit. Many administrators were unaware of the system being hacked for months until the system was compromised. The following audits are required to be open, and others can be added as needed:
Policy settings
Audit System Login Event succeeded, failed
Audit account management Success, failure
Audit Login Event Success, failure
Audit object Access succeeded
Audit policy Change succeeded, failed
Audit privilege use succeeded, failed
Audit system event succeeded, failed

5. Open Password Password Policy
Policy settings
Password complexity requirements Enabled
Minimum password length 6 bits
Enforce password history 5 times
Enforce password history 42 days

6. Open Account Policy
Policy settings
Reset account lockout counter for 20 minutes
Account lockout time 20 minutes
Account lockout threshold value 3 times

7. Setting access rights for Security records
The security record is not protected by default, and it is set to only Administrator and system accounts for access.

8. Store sensitive files in a separate file server
Although the server's hard disk capacity is now large, you should also consider whether it is necessary to put some important user data (files, data sheets, project files, etc.) in another secure server, and often back up them.

9. Do not allow the system to display the last login user name
By default, when Terminal Services is connected to the server, the Login dialog box displays the account that was last logged in, and the local login dialog box is the same. This makes it easy for others to get some user names for the system and then make a password guess. Modify the registry can not allow the dialog box to display the last login username, specifically: HKLM\Software\Microsoft\Windows Nt\currentversion\winlogon\dontdisplaylastusername The key value of the REG_SZ is changed to 1.

10. Prohibit the establishment of an empty connection
By default, any user who connects to the server through an empty connection, then enumerates the account number and guesses the password. We can disable the establishment of a null connection by modifying the registry: The Local_machine\system\currentcontrolset\control\lsa-restrictanonymous value is changed to "1".

11.Download the latest patches to the Microsoft website
Many network administrators do not have the habit of accessing the security site, so that some vulnerabilities have been a long time, but also put the server's loopholes do not supply others as a target. No one can guarantee that millions of lines of code 2000 do not have a bit of security vulnerabilities, frequent access to Microsoft and some security sites, download the latest service pack and bug patches, is the only way to ensure the long-term security of the server.

Advanced Articles

1. Close DirectDraw
This is the C2 level security standard for video cards and memory requirements. Closing DirectDraw may have an impact on programs that need to use DirectX (such as games, playing StarCraft on the server). I'm dizzy. $%$^%^&;?? , but the vast majority of commercial sites should not be affected. Modify the Registry Hklm\system\currentcontrolset\control\graphicsdrivers\dci Timeout (REG_DWORD) is 0.

2.Turn off default sharing
Win2000 installed, the system will create some hidden shares, you can play in the cmd net share view them. There are many articles on the internet about IPC intrusion, I believe you must be familiar with it. To disable these shares, open Administrative Tools >; Computer Management >; shared Folders >; shares right-click on the appropriate shared folder, point to stop sharing, but after the machine restarts, these shares will be reopened.
Default shared directory paths and features
C $ d$ e$ The root directory of each partition. Win2000 Pro version, only the administrator
and Backup Operators group members to connect, Win2000 server version
The Server Operatros group can also connect to these shared directories
admin$%SYSTEMROOT% A shared directory for remote administration. Its path is always
Point to the installation path for Win2000, such as C:\Winnt
fax$ in Win2000 server, fax$ will arrive when fax client sends faxes.
ipc$ NULL connection. Ipc$ sharing provides the ability to log on to the system.
NetLogon This shared net Login service in Windows 2000 Server is
Used when Riden land domain request
print$%SystemRoot%\System32\Spool\Drivers users to remotely manage printers

3. Prohibit the generation of dump file
Dump files are a useful search for problems when the system crashes and blue screens (or I translate them literally into junk files). However, it can also provide hackers with some sensitive information such as the password of some applications. To disable it, open the Control Panel >; System Properties >; advanced >; Boot and failback to change the write debug information to none. When you want to use it, you can reopen it.

4. Using File encryption system EFS
Windows2000 powerful encryption system can give disk, folder, file plus a layer of security. This will prevent someone from hanging your hard drive on another machine to read the data. Remember to also use EFS for the folder, not just a single file. Specific information about EFS can be viewed
Http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

5. Encrypt Temp Folder
Some applications copy things to the Temp folder when they are installed and upgraded, but they do not clear the contents of the Temp folder themselves when the program is upgraded or closed. Therefore, the Temp folder encryption can give your file a layer of protection.

6. Lock the Registry
In Windows2000, only administrators and Backup Operators have permission to access the registry from the network. If you think it is not enough, you can further set registry access, for more information please refer to:
Http://support.microsoft.com/support/kb/articles/Q153/1/83.asp

7. Clear the paging file when shutting down
The paging file, which is the dispatch file, is the hidden file that Win2000 uses to store parts of programs and data files that are not loaded into memory. Some third party programs can have some unencrypted passwords in memory, and the paging file may contain other sensitive information. To clear the paging file when the computer is shut down, you can edit the registry
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Set the value of the ClearPageFileAtShutdown to 1.

8. Disable boot system from floppy disk and CD ROM
Some Third-party tools can bypass the existing security mechanisms by booting the system. If your server is highly secure, consider using removable floppy disks and optical drives. It's a good idea to lock up the chassis and throw them away.

9. Consider using a smart card instead of a password
For passwords, always make the security manager dilemma, vulnerable to 10phtcrack tools such as attacks, if the password is too complex, users to remember the password, will write the password everywhere. If conditions permit, it is a good solution to use smart cards instead of complex passwords.

10. Consider using IPSec
As its name implies, IPSEC provides security for IP packets. IPSEC provides authentication, integrity, and selectable confidentiality. The sender computer encrypts the data before it is transmitted, and the receiving computer decrypts the data after it receives the data. The use of IPSec can greatly enhance the security of the system.