1.1 Unintentional failure
If the administrator's security configuration is improper, for example ports that do not need to be open are left open, user account passwords have no expiry and the settings are too simple, or users reveal their account passwords to others or several people share one account, network security is threatened.
1.2 Malicious attacks
This is the biggest threat to the networks we depend on. Such attacks fall into two types. One is the overt attack, which selectively destroys the validity and integrity of information, damages the network's software and hardware, or generates traffic to paralyze the network. The other is the covert attack: stealing, intercepting, deciphering and obtaining confidential information without affecting the daily work of users and systems. Both cause great harm to a computer network system and lead to leakage of confidential data or paralysis of the system.
1.3 Vulnerabilities and back doors
Network operating systems, tools and application software cannot be 100% bug-free, especially the Windows system that we both love and hate. These bugs are the first choice of viruses and hackers. The huge losses and painful lessons caused by countless viruses (for example, the recent Blaster and Sasser worms, which exploited bugs in Windows) all stem from such bugs, and most incidents in which hackers intrude into a network are also carried out by exploiting vulnerabilities. A "back door" is deliberately built in by software developers for their own convenience. Generally this causes no problem, but if one day a developer uses the back door improperly the consequences are serious, and if the existence of the back door leaks to outsiders the consequences are even harder to imagine.
2. How to improve the security of a network information system
2.1 Physical security policy
The purpose of a physical security policy is to protect the physical security of computer systems, servers, network equipment, printers and other hardware entities and communication links, for example by taking measures against natural disasters, chemical corrosion, man-made theft and destruction, and cable theft and tapping. Because many computer systems have strong electromagnetic leakage and radiation, we must ensure a good electromagnetic compatibility environment for them. In addition, a complete security management system should be established. The server should be placed in a monitored, isolated room, and the monitoring recordings should be kept for more than 10 days. Cabinets, keyboards and computer desk drawers should be locked, and the keys kept in another safe place, to prevent unauthorized access to the computer room and all kinds of theft and sabotage.
2.2 Access control policy
All the security policies that can be applied in a network must cooperate and coordinate with each other to provide effective protection, and the access control policy is one of the most important core policies for ensuring network security. Its main purpose is to ensure that network information is not accessed illegally and network resources are not used illegally. It is also an important means of maintaining network system security and protecting network resources. The various access control policies are discussed below.
2.2.1 Login access control
Login access control provides the first layer of access control for the network. By creating accounts, you control which users can log in to the server, obtain network information and use resources. By setting account properties, you can set password requirements, control when users may log in to a given domain, control from which workstations users may log in to that domain, and set the expiry date of user accounts.
Note: When a user's permitted logon hours expire, existing connections to network resources in the domain are not terminated. However, the user can no longer create new connections to other computers in the domain.
The user's login process is: first, identification and verification of the user name and password; then, a check of the account's login restrictions. If either of the two steps fails, the user cannot log in.
Because the user name and password are the first line of defense for verifying network users, a network security worker can take a series of measures to prevent illegal access.
A. Basic settings
The time, method and rights of ordinary user accounts should be limited, and only system administrators should be able to create user accounts. The following conditions should be considered for user passwords: password complexity, minimum password length, password validity period, and so on. It should be possible to control the sites from which users log on to the network, to limit the time during which users may access the network, and to limit the number of workstations from which a user may access the network. The access rights of all users should be audited. If a password is entered incorrectly many times, it should be treated as an illegal intrusion: an alarm message should be issued and the account should be stopped immediately.
B. Handle the system's built-in accounts carefully
The following measures are suggested.
1. Disable the Guest account. I don't understand why Microsoft does not allow the Guest account to be deleted, but we can still do something: disable the Guest account under Local Users and Groups in Computer Management, and never allow it to log in to the system. If you are still not at ease, set a long and complicated password for it. For colleagues with a deep understanding of Windows 2000, here is a way to delete the Guest account. The account information of a Windows 2000 system is stored in the registry under HKEY_LOCAL_MACHINE\SAM, but for security reasons even the system administrator cannot open this key; only the SYSTEM account has that right. Smart readers will know what to do: start the Registry Editor with SYSTEM rights. Concretely, add a scheduled task with the at command that starts Regedit.exe, then edit the registry and remove the Guest account. First check the current time, then in the Run dialog or at a cmd prompt run at HH:MM /interactive regedit.exe, where HH:MM is one minute ahead of the current time. Regedit.exe then runs with the SYSTEM identity, and /interactive makes it run with an interactive window. After a minute, when Regedit.exe appears, go to HKEY_LOCAL_MACHINE\SAM\Domain\Account\User and delete two keys: the one named 1F5 and the Guest entry under Names. Afterwards, confirm that the Guest account has really been deleted with the command net user guest.
2. The system administrator should have two accounts: one with administrator rights for system management and one with ordinary rights for daily work. Then you log in as administrator only when maintaining the system or installing software, which helps to ensure security.
3. Rename the administrator account. Microsoft does not allow the Administrator account to be deleted or disabled, which is a great help to hackers, but we can rename it, for example to an ordinary-looking name such as "everyones". Don't rename it to Admin, Admins or the like; that is no better than not renaming it at all.
C. Set up a decoy account
This is a very useful deception technique: create a decoy account named Administrator with the lowest privileges and give it a long, complicated password containing special characters, which is hard for a hacker to crack. We may well discover his intrusion attempt before he succeeds, and even if he does crack it, he will be disappointed to find he has wasted a long time for nothing.
D. Limit the number of users
The more users there are, the more defects there are in the user permission and password settings, and the more opportunities and entry points there are for hackers. Deleting temporary accounts, test accounts, shared accounts, ordinary accounts that are no longer used, former employees' accounts and other unused accounts effectively reduces the system's weak points.
E. Prevent the system from displaying the last logged-in user name
Windows versions after Win9x remember the previous user, so at the next restart the login dialog is pre-filled with the name of the last user. This information may be used by people with ulterior motives and creates a hidden danger for the system and its users. We can hide the last user's login name by modifying the registry. The method is as follows: open the registry and expand the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Create a new string value under this branch named DontDisplayLastUserName and set it to "1". After the computer restarts, the last login user name is no longer displayed.
F. Prohibit null connections
By default, anyone who connects to the server through a null connection (null session) can enumerate accounts and guess passwords. We can prohibit null connections by modifying the registry. The method is as follows: open the registry, expand the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and set the value of RestrictAnonymous under this branch to "1".
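As an added example that is not part of the original article, the following PowerShell script audits the two registry settings recommended in items E and F above and can apply them. The Winlogon and Lsa paths and values come from the article (Windows 2000); the Policies\System location is an addition, since later Windows versions read the "last user name" setting from there as a DWORD. The function names are my own.

```powershell
# Added example, not from the original article. Audits the registry settings
# recommended above (hide last user name, restrict anonymous access) and
# applies them when -Fix is given. Run from an elevated prompt.
$Settings = @(
    # Location and string value as given in the article (Windows 2000)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'DontDisplayLastUserName'; Expected = '1'; Type = 'String' }
    # Assumption added here: later Windows versions read the same setting
    # from the Policies key as a DWORD
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1; Type = 'DWord' }
    # Location and value as given in the article
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1; Type = 'DWord' }
)

function Test-HardeningSetting {
    param([hashtable]$Setting)
    $current = $null
    if (Test-Path -Path $Setting.Path) {
        $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Setting.Name) }
    }
    [pscustomobject]@{
        Path      = $Setting.Path
        Name      = $Setting.Name
        Current   = $current
        Expected  = $Setting.Expected
        Compliant = ("$current" -eq "$($Setting.Expected)")
    }
}

function Set-HardeningSetting {
    param([hashtable]$Setting)
    if (-not (Test-Path -Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    # -Force overwrites a value that already exists with different data or type
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Expected `
        -PropertyType $Setting.Type -Force | Out-Null
}

function Invoke-HardeningAudit {
    param([switch]$Fix)
    foreach ($s in $Settings) {
        $result = Test-HardeningSetting -Setting $s
        if ($Fix -and -not $result.Compliant) {
            Set-HardeningSetting -Setting $s
            $result = Test-HardeningSetting -Setting $s   # re-read to confirm the change
        }
        $result
    }
}

# Report only; add -Fix to apply the settings
Invoke-HardeningAudit | Format-Table Name, Current, Expected, Compliant, Path -AutoSize
```

Running the audit regularly (for example as a scheduled task that writes the table to a log) turns the one-off registry edit into a check that catches the setting being reverted later.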
G. Log in with a smart card
A portable token is used to verify the identity of users; the widely used smart card is one example. Logging in to the network with a smart card is a strong authentication method because it uses cryptography-based authentication and proof of possession when authenticating users who enter the domain.
For example, if someone with ulterior motives obtains a user's password, he can use it to impersonate that user and do whatever he wants on the network. In reality, many people choose passwords that are easy to remember (a name, birthday, phone number, bank account number, ID number, etc.), which makes passwords inherently fragile and vulnerable to attack.
With smart cards, such people can impersonate a user only if they obtain both the smart card and its personal identification number (PIN). This combination reduces the chance of attack because additional information is needed to impersonate the user. Another advantage is that the smart card locks itself after the wrong PIN is entered several times in a row, so a dictionary attack against a smart card is very difficult.
2.2.2 Resource permission management
Resources include the system's software and hardware and the information stored on disk. We can use the rich permission management that Microsoft provides in Windows 2000 to control users' access to system resources and so achieve secure management.
A. Use groups to manage access to resources
A group is a collection of user accounts. Managing access to resources by group rather than by individual user simplifies the management of network resources, because a group can be used to grant permissions to many users at once. Once we have set certain permissions for a group, whenever we later want to grant other users or groups the same permissions we only need to add them to that group.
For example, members of the sales department can access product cost information but not the salary information of company employees, while employees of the personnel department can access salary information but not product cost information. When an employee moves from the sales department to the personnel department, permission control based on individual users makes the change tedious and error-prone. With groups it is quite simple: we just remove the user from the sales group and add him to the personnel group.
B. Manage data using NTFS
The NTFS file system provides rich permission management. With NTFS we can define, for each user or group, the permissions Read, Write, List Folder Contents, Read & Execute, Modify and Full Control, and even define special permissions. NTFS permissions apply only to NTFS disk partitions, not to FAT or FAT32 partitions. NTFS security is effective whether users access files or folders locally or over the network. NTFS uses access control lists (ACLs) to record all users, groups and computers that are granted access to a file or folder, together with the access rights granted to them. Note: to use NTFS correctly and skillfully for distributing permissions, we must understand the characteristics of NTFS permissions, inheritance, the behaviour of "Deny" permissions, and the effects of copying and moving files and folders. A network system administrator should systematically consider each user's work, combine the various permissions effectively, and then grant them to users. An effective combination of permissions lets users do their work conveniently while effectively controlling their access to server resources, thus strengthening the security of the network and the server.
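As an added example that is not part of the original article, the following PowerShell script shows group-based NTFS permissions as described in items A and B above: one group is granted Modify on a scratch folder, another group is explicitly denied write access, and the resulting ACL is read back. "Authenticated Users" and "Guests" stand in for the article's sales and personnel groups because they exist on every Windows machine; the folder path and function names are my own.

```powershell
# Added example, not from the original article. Demonstrates group-based
# NTFS permissions, inheritance, and Deny precedence on a scratch folder.
$Folder = Join-Path $env:TEMP 'ntfs-acl-demo'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

function Add-FolderAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit: subfolders and files created later
    # receive the same entry, which is the inheritance the article refers to
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $propagate, $Type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitAce {
    param([string]$Path)
    # Only entries set directly on this folder, not those inherited from the parent
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights
}

# Grant the first group read/change access to the folder and its contents
Add-FolderAce -Path $Folder -Identity 'Authenticated Users' -Rights Modify
# Explicitly deny writes to the second group. If a user ends up in both groups
# the explicit Deny entry wins over the Allow entry, which is why the article
# warns that "Deny" must be understood before it is used.
Add-FolderAce -Path $Folder -Identity 'Guests' -Rights Write -Type Deny

Get-ExplicitAce -Path $Folder | Format-Table -AutoSize
# Remove-Item -Path $Folder -Recurse -Force   # clean up when done
```

The same Add-FolderAce call with your own Sales and Personnel groups implements the department example above: moving an employee between departments then changes only group membership, never the folder ACLs.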
2.2.3 Network server security control
The network server is the heart of the network, and protecting it is the primary task of our security work: without server security there is no network security. To protect the server effectively, we must start from the following aspects.
A. Strict server permission management
Because of the server's important position, we must carefully analyze and evaluate the work of each user who needs to work on the server, and grant appropriate permissions according to the nature of that work. These permissions should let the user do his job smoothly, but we must never grant more than that (even if we completely trust him not to do damage, we must still allow for mistakes), and we must delete users and groups that are no longer needed (for example after an employee transfers or leaves). Network security workers should also restrict or prohibit remote management and limit remote access rights as the situation requires.
B. Strictly carry out backups
For a network administrator, data loss is the most common problem, caused by disk drive failure, power failure, virus infection, hacker attack, operator error, natural disaster and other reasons. To ensure that the system can recover from a disaster as quickly as possible, minimize downtime and save as much data as possible, backup is the simplest and most reliable method. Windows 2000 includes a powerful graphical backup tool, designed specifically to guard against data loss from hardware or storage media failure. It provides five backup types: normal, copy, differential, incremental and daily. We can combine these five types flexibly, according to the time and space each consumes, to meet our goal.
Warning: Data backed up from a Windows 2000 NTFS volume must be restored to a Windows 2000 NTFS volume to avoid data loss and to preserve access permissions, Encrypting File System settings, disk quota information and so on. If it is restored to a FAT file system, all encrypted data is lost and the files become unreadable.
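As an added example that is not part of the original article, the following PowerShell script models how the five backup types listed above select files and treat the archive attribute (a normal or incremental backup clears the attribute to mark a file as backed up; copy, differential and daily backups leave it alone). The file set is constructed under $env:TEMP for the demonstration, and the function name is my own.

```powershell
# Added example, not from the original article. Shows which files each of the
# five Windows backup types selects and which types clear the archive bit.
$Root = Join-Path $env:TEMP 'backup-demo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
# Constructed sample files; new files are created with the Archive attribute set
'a', 'b', 'c' | ForEach-Object { Set-Content -Path (Join-Path $Root "$_.txt") -Value "file $_" }
# Simulate a file that an earlier backup already captured: clear its archive bit
(Get-Item (Join-Path $Root 'a.txt')).Attributes = 'Normal'

function Select-BackupFiles {
    param(
        [string]$Path,
        [ValidateSet('Normal', 'Copy', 'Differential', 'Incremental', 'Daily')][string]$Type
    )
    $archive = [int][IO.FileAttributes]::Archive
    $files = Get-ChildItem -Path $Path -File -Recurse
    $selected = switch ($Type) {
        'Normal'       { $files }                                               # everything selected
        'Copy'         { $files }                                               # everything selected
        'Differential' { $files | Where-Object { ([int]$_.Attributes -band $archive) -ne 0 } }  # changed since last normal
        'Incremental'  { $files | Where-Object { ([int]$_.Attributes -band $archive) -ne 0 } }  # changed since last normal/incremental
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }  # modified today
    }
    # Normal and Incremental mark the files as backed up by clearing the archive bit;
    # Copy, Differential and Daily leave it set so the next backup still sees them
    if ($Type -in 'Normal', 'Incremental') {
        foreach ($f in $selected) {
            $f.Attributes = [IO.FileAttributes](([int]$f.Attributes) -band (-bnot $archive))
        }
    }
    $selected | Select-Object -ExpandProperty Name
}

Select-BackupFiles -Path $Root -Type Differential   # b.txt and c.txt (a.txt was already backed up)
Select-BackupFiles -Path $Root -Type Incremental    # b.txt and c.txt, and clears their archive bit
Select-BackupFiles -Path $Root -Type Differential   # nothing left to back up
# Remove-Item -Path $Root -Recurse -Force           # clean up when done
```

The three calls at the end show the practical difference between the two "changed files only" types: after an incremental backup the same files are not selected again, whereas differential backups keep growing until the next normal backup clears the archive bits.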
C. Set up standby servers
For very important servers, such as domain controllers, bridgehead servers, DHCP servers, DNS servers and WINS servers, and for application servers whose failure would seriously affect the company's business, we should establish a backup mechanism at any cost, so that even if one server fails it has little impact on our work. We can also use the clustering function of Windows 2000 Advanced Server with two or more servers, which not only provides backup but also improves service performance.
D. Use RAID for fault tolerance
There are two ways to use RAID: software and hardware. Which one to use should consider the following factors:
Hardware fault-tolerant function is faster than software fault-tolerant function.
Hardware fault tolerance is more expensive than software fault tolerance.
The hardware fault-tolerant function may be limited by the manufacturer, and only a single manufacturer's equipment can be used.
The hardware fault-tolerant function can realize the hot-plug technology of hard disk, so the failed hard disk can be replaced without shutting down.
Hardware fault tolerance can use caching technology to improve performance.
Microsoft Windows 2000 Server supports three types of software RAID, briefly introduced below.
RAID 0 (striped volume)
RAID 0, also known as disk striping, is mainly used to improve performance and does not belong to the security category, so it is skipped here; interested readers can consult the relevant documentation.
RAID 1 (mirrored volume)
RAID 1, also known as disk mirroring, is implemented by the Windows 2000 Server fault-tolerant driver (Ftdisk.sys). Data is written to both disks at the same time; if one disk fails, the system automatically continues running with the data on the other disk. With this scheme, disk utilization is only 50%.
A mirrored volume can protect the system partition or the boot partition, has good read and write performance, and uses less memory than a RAID 5 volume.
Disk duplexing can further enhance the security of a mirrored volume and needs no additional software support or configuration. (Disk duplexing: if one disk controller controls both physical disks, neither disk can be accessed when that controller fails. Disk duplexing uses two disk controllers, one per physical disk, which improves the security of a mirrored volume: even if one controller is damaged, the system keeps working.)
A mirrored volume can contain any partition, including the boot partition or the system partition. However, both disks in a mirrored volume must be Windows 2000 dynamic disks.
RAID 5 (striped volume with parity)
In Windows 2000 Server, RAID 5 is the most widely used method for fault-tolerant volumes; it requires at least three and at most 32 drives. Windows 2000 achieves fault tolerance by adding a parity stripe to each disk partition in the RAID-5 volume. If a single disk fails, the system can reconstruct the lost data from the parity information and the data on the remaining disks.
Note: RAID-5 volumes cannot protect system disks and boot disk partitions.
E. Strictly monitor the services started by the system
Many Trojan horses and virus programs have to create a background service or process on the system. We should check the system regularly, and whenever we find an unfamiliar process or service we should pay special attention to whether dangerous software such as a Trojan horse, virus or spyware is running. For a network administrator, checking system processes and startup entries frequently should be a fixed habit. A suggestion for junior network administrators: after installing the operating system and applications, export a list of system services and processes with a tool (such as Windows Optimizer), and afterwards compare the current list of services and processes with the exported one often. As soon as you find an unfamiliar process or service, be especially careful.
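As an added example that is not part of the original article, the following PowerShell script implements the baseline comparison suggested above with built-in cmdlets instead of a third-party tool: the first run records the services and running process images, and later runs report anything that appeared or changed. The baseline path and function names are my own.

```powershell
# Added example, not from the original article. Records a baseline of services
# and process image paths and reports drift on later runs. Store the baseline
# where ordinary users cannot modify it; $env:ProgramData needs an elevated
# prompt to write, which is the point.
$Baseline = Join-Path $env:ProgramData 'service-baseline.xml'

function Get-SystemSnapshot {
    [pscustomobject]@{
        Taken    = Get-Date
        # Enum values are stored as strings so the comparison still works after
        # the baseline has been round-tripped through Export/Import-Clixml
        Services = Get-Service | Select-Object Name,
            @{ Name = 'StartType'; Expression = { "$($_.StartType)" } },
            @{ Name = 'Status';    Expression = { "$($_.Status)" } }
        # Image paths of running processes (processes we cannot inspect have no Path)
        Processes = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path | Sort-Object -Unique
    }
}

function Compare-SystemSnapshot {
    param($Reference, $Current)
    # '=>' marks an entry only in the current snapshot, '<=' only in the baseline
    $serviceChanges = Compare-Object -ReferenceObject $Reference.Services -DifferenceObject $Current.Services `
        -Property Name, StartType, Status
    $newImages = Compare-Object -ReferenceObject $Reference.Processes -DifferenceObject $Current.Processes |
        Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
    [pscustomobject]@{
        BaselineTaken    = $Reference.Taken
        ServiceChanges   = $serviceChanges
        NewProcessImages = $newImages
    }
}

if (-not (Test-Path -Path $Baseline)) {
    Get-SystemSnapshot | Export-Clixml -Path $Baseline
    "Baseline written to $Baseline"
} else {
    $report = Compare-SystemSnapshot -Reference (Import-Clixml -Path $Baseline) -Current (Get-SystemSnapshot)
    "Baseline taken $($report.BaselineTaken)"
    $report.ServiceChanges | Format-Table Name, StartType, Status, SideIndicator -AutoSize
    $report.NewProcessImages
}
```

A service that was "Disabled" in the baseline and is now "Automatic", or a process image under a user-writable directory that was never seen before, is exactly the "unfamiliar process or service" the article tells you to investigate; refresh the baseline only after you have explained every difference.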
2.2.4 Network monitoring and lockout control
Network administrators should monitor the network, and servers should record users' access to network resources. For illegal network access, the server should raise an alarm in graphical, textual or audible form to attract the administrator's attention. If an intruder tries to access the network, the server should automatically record the number of attempts, and when the number of illegal attempts reaches the configured value, the account should be locked automatically.
Operations such as loading and unloading management modules and installing or removing software should be allowed only at the server console. Security control of the network server also includes setting a password to lock the server console, so that illegal users cannot modify or delete important service components or destroy data, and setting the server login time and duration as well as the interval for detecting and shutting out illegal visitors.
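As an added example that is not part of the original article, the following PowerShell script implements the counting-and-lockout rule described in item A under 2.2.1 and in 2.2.4 above: failed logons are grouped per account within a time window, and accounts over the threshold are reported. The sample events are constructed for the demonstration; the Get-FailedLogon function shows how the same records are read from the Security event log (event ID 4625). The threshold, window and function names are my own assumptions, not values from the article.

```powershell
# Added example, not from the original article. Detects repeated failed logons
# per account within a time window and lists the accounts to lock.
$Threshold     = 5     # failed attempts before we treat it as an intrusion (assumed)
$WindowMinutes = 15    # look-back window (assumed)

function Get-FailedLogon {
    # Reads real failed-logon events (4625) from the Security log; needs elevation.
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Pick fields by name from the event XML rather than by position
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
}

function Find-LockoutCandidate {
    param([object[]]$Events, [int]$Threshold, [int]$WindowMinutes, [datetime]$Now = (Get-Date))
    $since = $Now.AddMinutes(-$WindowMinutes)
    $Events | Where-Object { $_.Time -ge $since } |
        Group-Object -Property Account |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample: 'alice' mistyped twice, 'administrator' failed 7 times in a
# minute, plus one old failure that falls outside the window
$now = Get-Date
$sample = @(
    1..2 | ForEach-Object { [pscustomobject]@{ Time = $now.AddMinutes(-$_);    Account = 'alice';         Source = '10.0.0.5'  } }
    1..7 | ForEach-Object { [pscustomobject]@{ Time = $now.AddSeconds(-10 * $_); Account = 'administrator'; Source = '10.0.0.99' } }
    [pscustomobject]@{ Time = $now.AddHours(-2); Account = 'administrator'; Source = '10.0.0.99' }
)

$hits = Find-LockoutCandidate -Events $sample -Threshold $Threshold -WindowMinutes $WindowMinutes -Now $now
$hits | Format-Table -AutoSize
# Expected: one row, administrator with 7 failures from 10.0.0.99

# To act on real events as the article recommends (local accounts, elevated prompt):
# $hits = Find-LockoutCandidate -Events (Get-FailedLogon) -Threshold $Threshold -WindowMinutes $WindowMinutes
# foreach ($h in $hits) { Disable-LocalUser -Name $h.Account }
```

Automatic disabling is a double-edged rule: whoever can produce failed logons can also lock out the accounts the rule protects, so for the real Administrator account (or its renamed equivalent) it is safer to alert and lock out the source address than to disable the account itself.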
2.2.5 Firewall control
The concept of the firewall comes from the ancient castle defense system. In ancient wars, to protect a city, a moat was usually dug around it, and everyone entering or leaving the castle had to cross a drawbridge and pass the guards. When designing modern networks, designers borrowed this idea and created the network firewall technology introduced here.
The basic function of a firewall is to inspect and filter the data packets transmitted between networks according to defined security rules, in order to decide whether they are legitimate. It isolates the internal network from the external one by establishing a communication monitoring system at the network boundary, preventing intrusion from the external network. We usually implement this function with a device called a packet-filtering router, also called a screening router. A router used as a firewall works very differently from an ordinary router: an ordinary router works at the network layer and decides a packet's route from the IP address in the network-layer header, whereas a packet-filtering router inspects and filters on IP addresses and TCP or UDP headers. Packets passed by the packet-filtering router are further inspected by an application gateway. Therefore, from the perspective of the protocol layer model, a firewall should cover the network layer, the transport layer and the application layer.