Windows system security Settings Method--Advanced Security Chapter

　　1. Close DirectDraw

This is the C2 level security standard for video cards and memory requirements. Closing DirectDraw may have an impact on programs that need to use DirectX (such as games, playing StarCraft on the server). I'm dizzy. $%$^%^&?? , but the vast majority of commercial sites should not be affected. Modify the Registry Hklmsystemcurrentcontrolsetcontrolgraphicsdriversdci Timeout (REG_DWORD) is 0.

　　2. Turn off default sharing

Win2000 installed, the system will create some hidden shares, you can play in the cmd net share view them. There are many articles on the internet about IPC intrusion, I believe you must be familiar with it. To disable these shares, open Administrative Tools > Computer Management > Shared Folders > Shares right-click on the appropriate shared folder, point to stop sharing, but after the machine restarts, these shares will be reopened.

Default shared directory paths and features

C $ d$ e$ The root directory of each partition. Win2000 Pro version, only the administrator

and Backup Operators group members to connect, Win2000 server version

The Server Operatros group can also connect to these shared directories

admin$%SYSTEMROOT% A shared directory for remote administration. Its path is always

Point to the installation path for Win2000, such as C:winnt

fax$ in Win2000 server, fax$ will arrive when fax client sends faxes.

ipc$ NULL connection. Ipc$ sharing provides the ability to log on to the system.

NetLogon This shared net Login service in Windows 2000 Server is

Used when Riden land domain request

print$%systemroot%system32spooldrivers users to remotely manage printers

Solution:

Open Registry Editor. REGEDIT

Hkey_local_machinesystemcurrentcontrolsetserviceslanmanserverparameters

On the right, create a DWORD key named AutoShareServer. Value is 0

　　3. Prohibit the generation of dump file

Dump files are a useful search for problems when the system crashes and blue screens (or I translate them literally into junk files). However, it can also provide hackers with some sensitive information such as the password of some applications. To disable it, open the Control Panel > System Properties > Advanced > Boot and failback to change the write debug information to none. When you want to use it, you can reopen it.

　　4. Use file encryption system EFS

Windows2000 powerful encryption system can give disk, folder, file plus a layer of security. This will prevent someone from hanging your hard drive on another machine to read the data. Remember to also use EFS for the folder, not just a single file. Specific information about EFS can be viewed in http://www.microsoft.com/windows2000/techi...ity/encrypt.asp

　　5. Encrypt Temp Folder

Some applications copy things to the Temp folder when they are installed and upgraded, but they do not clear the contents of the Temp folder themselves when the program is upgraded or closed. Therefore, the Temp folder encryption can give your file a layer of protection.

　　6. Lock the Registry

In Windows2000, only administrators and Backup Operators have permission to access the registry from the network. If you think it's not enough, you can further set registry access.

　　7. Clears the paging file when shutting down

The paging file, which is the dispatch file, is the hidden file that Win2000 uses to store parts of programs and data files that are not loaded into memory. Some third party programs can have some unencrypted passwords in memory, and the paging file may contain other sensitive information. To clear the paging file when the computer is shut down, you can edit the registry

Hklmsystemcurrentcontrolsetcontrolsession managermemory Management

Set the value of the ClearPageFileAtShutdown to 1.

　　8. Disable boot system from floppy disk and CD ROM

Some Third-party tools can bypass the existing security mechanisms by booting the system. If your server is highly secure, consider using removable floppy disks and optical drives. It's a good idea to lock up the chassis and throw them away.

　　9. Consider using a smart card instead of a password

For passwords, always make the security manager dilemma, vulnerable to 10phtcrack tools such as attacks, if the password is too complex, users to remember the password, will write the password everywhere. If conditions permit, it is a good solution to use smart cards instead of complex passwords.

　　10. Consider using IPSec

As its name implies, IPSEC provides security for IP packets. IPSEC provides authentication, integrity, and selectable confidentiality. The sender computer encrypts the data before it is transmitted, and the receiving computer decrypts the data after it receives the data. The use of IPSec can greatly enhance the security of the system.

Zebian: Bean Technology Application