Windows 2000 Server Security Configuration Guide

Source: Internet
Author: User
Keywords: installation security server IIS

Microsoft Windows 2000 (Win2K) is a 32-bit Windows operating system in the Windows NT series, released by Microsoft at the end of 1999. It was originally called Windows NT 5.0. The English version came to market on December 19, 1999, and the Chinese version in the spring. Windows 2000 is an interruptible, graphical, business-oriented operating system designed for 32-bit Intel x86 computers with a single processor or symmetric multiprocessors. Its user version was replaced by Windows XP in August 2001, while the server version was replaced by Windows Server 2003 in April 2003.

Win2000 Server is currently one of the more popular server operating systems, but configuring a Microsoft operating system securely is not easy. This article attempts a preliminary discussion of the security configuration of Win2000 Server.

I. Customize your own WIN2000 SERVER

1. Choice of version: Win2000 comes in a variety of languages; for us, the choice is between the English version and the Simplified Chinese version. I strongly recommend that, as long as language is not an obstacle, you use the English version. Microsoft's products are known for "Bugs & Patch": the Chinese version has far more bugs than the English version, and its patches usually arrive at least half a month late (that is, after Microsoft announces a vulnerability, your machine generally stays unprotected for half a month).

2. Component customization: Win2000 installs some common components by default, but this default installation is extremely dangerous. (Mitnick said he could get into any server that was installed by default; if your host is a default installation of Win2000 Server, I can tell you that you're dead.) You should know exactly which services you need and install only those. The security principle is: minimum services + minimum privileges = maximum security. The minimum component selection for a typical Web server is to install only the COM Files, IIS Snap-In, and WWW Server components of IIS. If you really do need additional components, be careful, especially with these dangerous services: Indexing Service, FrontPage Server Extensions, and Internet Service Manager (HTML).

3. Choice of management applications
Choosing good remote management software is very important, both for security and for day-to-day use. Win2000's Terminal Service is remote control software based on RDP (Remote Desktop Protocol); it is fast, easy to operate, and well suited to routine operation. However, Terminal Service also has shortcomings. Because it uses a virtual desktop, and Microsoft's programming is not rigorous, operations that interact with the real desktop, such as installing software or restarting the server through Terminal Service, often produce exasperating results. For example, using Terminal Service to restart a Microsoft-certified server (Compaq, IBM, etc.) may simply power the machine off. So, to be on the safe side, I suggest you also have a second remote control program to complement Terminal Service; pcAnywhere is a good choice.

II. Properly install WIN2000 SERVER

1. Partitioning and logical drive allocation: for the sake of convenience, some people make the whole hard disk a single logical drive and install all software on C:. This is very bad. Create at least two partitions, one for the system and one for applications, because Microsoft's IIS often has source-disclosure and overflow vulnerabilities; if the system and IIS are on the same drive, system files can leak and an intruder may even gain admin access remotely. The recommended secure configuration is three logical drives: the first, larger than 2 GB, holds the system and important log files; the second holds IIS; the third holds FTP. That way a security vulnerability in either IIS or FTP does not directly affect the system directory and system files. IIS and FTP are externally facing services and are more prone to problems. The main purpose of separating IIS from FTP is to prevent intruders from uploading programs and running them from IIS. (This may annoy the developers and editors, but never mind; you are the administrator, after all :)

2. Choice of installation order: do not assume that order is unimportant and that any order will do as long as everything ends up installed. That is wrong. Several points of ordering must be observed when installing Win2000:

First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the administrator password, the system creates the ADMIN$ share but does not protect it with the password you have just entered. This lasts until the next restart, and during that time anyone can get into your machine through ADMIN$. In addition, as soon as installation completes, the various services start automatically, and at that point the server is full of holes and very easy to break into. Therefore, do not connect the host to the network until Win2000 Server is fully installed and configured.

Second, installing patches: install patches after all applications have been installed, because patches often replace or modify system files. If you install the patch first and the application afterwards, the patch may not have its intended effect. For example, the IIS hotfix has to be installed again after every change to the IIS configuration (perverse, isn't it?).
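
The partition layout, the component selection and the installation order described above can be checked mechanically against a record of how a server was built. The following Python code is an added example, not part of the original article; the record format, the event kinds and the sample paths are assumptions made for illustration, and the component names are spelled as in the text.

```python
import ntpath

# Component names are spelled as in the guide; the record format is hypothetical.
MINIMUM_WEB = {"COM Files", "IIS Snap-In", "WWW Server"}
DANGEROUS = {"Indexing Service", "FrontPage Server Extensions",
             "Internet Service Manager (HTML)"}

def drive(path):
    return ntpath.splitdrive(path)[0].upper()  # 'C:' for r'C:\WINNT'

def audit(rec):
    """Check one build record against the guide's rules; return findings."""
    findings = []
    # Partitioning: system, IIS and FTP each get their own logical drive.
    roots = [(role, drive(p)) for role, p in rec["roots"].items()]
    for i, (role_a, d_a) in enumerate(roots):
        for role_b, d_b in roots[i + 1:]:
            if d_a == d_b:
                findings.append(f"{role_a} and {role_b} share drive {d_a}")
    # Components: flag the ones the guide calls dangerous, then other extras.
    installed = set(rec["components"])
    for name in sorted(installed & DANGEROUS):
        findings.append(f"dangerous component installed: {name}")
    for name in sorted(installed - MINIMUM_WEB - DANGEROUS):
        findings.append(f"component beyond web-server minimum: {name}")
    # Order: network comes last; patches go on after every application.
    kinds = [kind for kind, _ in rec["events"]]
    if "network" in kinds and kinds.index("network") != len(kinds) - 1:
        findings.append("network connected before setup was finished")
    last_app = max((i for i, k in enumerate(kinds) if k == "app"), default=-1)
    for i, (kind, detail) in enumerate(rec["events"]):
        if kind == "patch" and i < last_app:
            findings.append(f"patch installed before an application: {detail}")
    return findings

# Constructed sample build records, not taken from a real server.
BAD = {
    "roots": {"system": r"C:\WINNT", "iis": r"C:\Inetpub", "ftp": r"E:\ftproot"},
    "components": ["COM Files", "IIS Snap-In", "WWW Server", "Indexing Service"],
    "events": [("os", "setup"), ("network", "LAN"), ("patch", "hotfix"), ("app", "IIS")],
}
GOOD = {
    "roots": {"system": r"C:\WINNT", "iis": r"D:\wwwroot", "ftp": r"E:\ftproot"},
    "components": ["COM Files", "IIS Snap-In", "WWW Server"],
    "events": [("os", "setup"), ("app", "IIS"), ("patch", "hotfix"), ("network", "LAN")],
}

if __name__ == "__main__":
    print(*audit(BAD), sep="\n")
```

The check does not model the article's remark that the IIS hotfix must be installed again after each IIS configuration change; a later `config` event would need its own rule.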
