How to maintain the security of a server?
Windows 2000 security configuration tutorial

Windows 2000 out-of-print security configuration tutorial: During the China-US cyber conflict some time ago I looked at a number of hacked servers and found that most of them were NT/Win2000 machines, which was really alarming. Is Windows 2000 really that insecure? In fact Windows 2000 contains many security features and options; properly configured, it is a very secure operating system. I spent some time browsing a few websites and translating and sorting the material into a checklist, which I hope will be of help to Win2000 administrators. There is nothing profound in this article, and the so-called checklist is far from complete; I will add to it gradually, hoping to give administrators a reference.

The checklist is as follows:

Basic security items

1. Physical security

The server should be placed in a separate room fitted with a surveillance camera, and the recordings should be kept for at least 15 days. In addition, the cabinet, the keyboard and the drawers of the computer desk should be locked, so that nobody can use the machine even after getting into the room, and the keys should be kept in another secure place.

2. Disable the Guest account

Disable the Guest account under Computer Management > Local Users and Groups, and never allow it to log on. To be safe, also give the Guest account a complex password: open Notepad, type a long string mixing special characters, digits and letters, then copy and paste it in as the Guest password.

3. Limit the number of unnecessary accounts

Delete all duplicate accounts, test accounts, shared accounts, generic departmental accounts and the like. Assign permissions through group policy on user groups, check the system's accounts frequently and delete those that are no longer used. Such accounts are often the attacker's point of entry: the more accounts a system has, the better the chance that an attacker obtains the rights of a legitimate user. On domestic NT/2000 hosts with more than ten accounts you can usually find one or two with weak passwords. I once found that of the 197 accounts on one host, 180 had weak passwords.

4. Create two accounts for the administrator

This seems to contradict the previous point, but it actually follows from it. Create one account with ordinary permissions for reading mail and day-to-day work, and a second account with administrator rights that is used only when needed. For convenience the administrator can use the RunAs command to perform privileged tasks from the ordinary logon.

5. Rename the system administrator account

As everyone knows, the Administrator account of Windows 2000 cannot be disabled, which means anyone can keep trying passwords against it. Renaming the account frustrates that to a degree. Of course, don't pick a name like Admin; if you change it to that, you might as well not have changed it. Make it look like an ordinary user, for example guestone. Note that the rename only defeats attackers who go by name: the built-in account keeps its well-known relative identifier (RID 500), so anyone who can enumerate accounts through a null session can still pick it out, which is one more reason to restrict null sessions as described in the intermediate items below.

6. Create a trap account

What is a trap account? Simple: create a local account named "Administrator", give it the lowest possible permissions, and set a super-complex password of more than 10 characters. This keeps automated scripts busy for a while and lets you spot their intrusion attempts in the security log. You can also do something creative with its logon script. Hey hey, nasty enough!

7. Change share permissions from the "Everyone" group to "Authenticated Users"

"Everyone" in Win2000 means that anyone who can reach your network can get at the shared files. Never grant share permissions to the "Everyone" group. This includes printer shares, whose default permission is also "Everyone"; don't forget to change it.

8. Use secure passwords

A good password is very important for a network, yet it is the most easily overlooked thing, as the points above may already have shown. Administrators at some companies often use the company name, the computer name or other guessable strings as user names when creating accounts, and then set the passwords to something trivial such as "Welcome", "ILoveYou" or "Letmein", or the same as the user name. Such accounts should be forced to change to a complex password at first logon, and passwords should be changed regularly. When discussing this in IRC the other day we defined a good password: a password that cannot be cracked within the security period is a good password. That is, if someone gets hold of your password file, it should take them 43 days or longer to crack it, while your password policy forces a change every 42 days.

9. Set a screen saver password

This is simple and necessary; a screen saver password is one more barrier against insiders tampering with the server. Be careful not to waste system resources on OpenGL and other elaborate screen savers; just have it blank the screen. One more thing: it is best to set a screen saver password on every machine used by system users as well.

10. Use NTFS for all partitions

Convert all partitions on the server to NTFS. The NTFS file system is far more secure than FAT or FAT32. Needless to say, everyone's servers are surely already NTFS.

11. Run antivirus software

I have never seen a Win2000/NT server with antivirus software installed, yet this is actually very important. Good antivirus software not only catches the well-known viruses but also a large number of Trojans and backdoor programs, so the attacker's favourite Trojan becomes useless. Don't forget to update the virus signatures frequently.

12. Keep the backup media safe

Once the system's data is destroyed, the backup media is your only way to recover it. After backing up, store the media in a safe place. Never back up to the same server; in that case you might as well not back up at all.

Intermediate security items:

1. Use the Win2000 security configuration tools to set policy

Microsoft provides a set of security configuration and analysis tools based on the MMC (Microsoft Management Console): the Security Templates and Security Configuration and Analysis snap-ins, with secedit.exe as the command-line counterpart. With them you can easily configure the server to match your requirements. For details see the Microsoft homepage: /Windows 2000/TechInfo/HowNetworks/Security/scottoolset.asp.

2. Turn off unnecessary services

Windows 2000 Terminal Services, IIS and RAS can all open security holes in your system. Many machines have Terminal Services enabled so that the server can be administered remotely; if yours is, make sure it is configured properly. Some malicious programs also run quietly as services. Keep an eye on every service running on the server and review them regularly (daily). The following are the services enabled by default in a C2-level installation:

Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Print Spooler
NTLM Security Support Provider
Server
RPC Locator
Remote Procedure Call (RPC)
Workstation
Net Logon
Event Log

3. Close unnecessary ports

Closing ports means giving up functionality, so you have to weigh security against function. If the server sits behind a firewall the risk is lower, but don't think you can relax. Scanning the ports a system has open to determine which services are running is the first step of any intrusion. The well-known mapping of ports to services in %SystemRoot%\system32\drivers\etc\services is a useful reference. The specific method is:

My Network Places > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties. Enable TCP/IP filtering and add only the TCP ports, UDP ports and IP protocols you need. Note that this filter is a permit list for inbound traffic only: once it is enabled, everything not listed is dropped, so add the ports your own services and your remote administration (for example Terminal Services) need before applying it, or you will lock yourself out.

4. Enable the audit policy

Enabling security auditing is the most basic form of intrusion detection in Win2000. When someone tries to break into your system in some way (guessing a user's password, changing the account policy, accessing files without authorization and so on), the security audit records it. Many administrators only discover that a system was compromised months earlier when it is finally wrecked. The following audits must be enabled; add others as needed:

Policy                          Setting

Audit account logon events      Success, Failure

Audit account management        Success, Failure

Audit logon events              Success, Failure

Audit object access             Success

Audit policy change             Success, Failure

Audit privilege use             Success, Failure

Audit system events             Success, Failure
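The audit settings above only pay off if someone reads the log. The following script, added here as an example and not part of the original tutorial, shows the detection a practitioner would run over an exported Security log: any logon attempt naming the decoy "Administrator" account from basic item 6, a burst of failed logons from one workstation, lockouts, and account creation. The log lines and their column layout are constructed for the example; the event IDs (528, 529, 539, 624) are the real Windows 2000 ones. The burst threshold and window are assumptions to tune for your environment.

```python
"""Scan Windows 2000 Security log entries for what the audit policy above exists to
catch: logon attempts against the decoy "Administrator" account (basic item 6),
password-guessing bursts, lockouts and new accounts.

Added example, not code from the original tutorial. The log lines below are
constructed; the field layout (date, time, event ID, target account, source
workstation) is a simplified stand-in for an Event Viewer export, not the real export
format. The event IDs are Windows 2000's: 528 successful logon, 529 bad user name or
password, 539 account locked out, 624 user account created.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAP_ACCOUNT = "Administrator"        # the decoy; the real administrator was renamed
BURST_THRESHOLD = 5                    # this many failures from one source ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window is a guessing attack

LOGON_SUCCESS, LOGON_FAILURE, ACCOUNT_LOCKED_OUT, ACCOUNT_CREATED = 528, 529, 539, 624

# Constructed sample, not real log data.
SAMPLE_LOG = """\
2001-05-10 02:13:01 529 Administrator WS-ATTACK
2001-05-10 02:13:02 529 Administrator WS-ATTACK
2001-05-10 02:13:03 529 guestone WS-ATTACK
2001-05-10 02:13:04 529 backup WS-ATTACK
2001-05-10 02:13:05 529 test WS-ATTACK
2001-05-10 02:13:06 539 Administrator WS-ATTACK
2001-05-10 09:00:12 529 zhang FINANCE-PC
2001-05-10 09:02:40 528 zhang FINANCE-PC
2001-05-10 23:41:00 624 svc_upd WEBSRV01
"""


def parse(text):
    """Turn export lines into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), int(event_id), account, source))
    return events


def detect(events):
    """Return (kind, timestamp, message) alerts, in log order."""
    alerts = []
    failures = defaultdict(deque)   # source workstation -> timestamps of recent 529s
    for ts, event_id, account, source in events:
        # Nobody has a legitimate reason to log on as the decoy, so any attempt is an alert.
        if event_id in (LOGON_SUCCESS, LOGON_FAILURE) and account.lower() == TRAP_ACCOUNT.lower():
            alerts.append(("trap-account", ts, f"logon attempt as decoy {account!r} from {source}"))
        if event_id == LOGON_FAILURE:
            window = failures[source]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:   # slide the window forward
                window.popleft()
            if len(window) == BURST_THRESHOLD:                # fire once, when crossed
                alerts.append(("burst", ts, f"{len(window)} failed logons from {source} within {BURST_WINDOW}"))
        elif event_id == ACCOUNT_LOCKED_OUT:
            alerts.append(("lockout", ts, f"{account} locked out after attempts from {source}"))
        elif event_id == ACCOUNT_CREATED:
            alerts.append(("account-created", ts, f"account {account} created on {source}; verify it was authorised"))
    return alerts


if __name__ == "__main__":
    for kind, ts, message in detect(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{kind}] {message}")
```

Run against the sample, the two attempts on the decoy and the five-failure burst from WS-ATTACK are flagged, the lockout of the decoy confirms the lockout policy fired, and the single failure from FINANCE-PC followed by a successful logon is left alone. The account-created alert is there because item 2 of the basic list (unnecessary accounts) is only enforceable if new accounts are noticed.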

5. Enable the password policy

Policy                                        Setting

Passwords must meet complexity requirements   Enabled

Minimum password length                       6 characters

Enforce password history                      5 passwords remembered

Maximum password age                          42 days

6. Enable the account lockout policy

Policy                                        Setting

Reset account lockout counter after           20 minutes

Account lockout duration                      20 minutes

Account lockout threshold                     3 invalid logon attempts
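Item 8 of the basic list defined a good password as one that cannot be cracked within the rotation period; the password and lockout policies here give the concrete numbers. The script below, added as an example and not part of the original tutorial, puts the two together: it computes how long exhausting the keyspace of a minimum-length password takes at an assumed offline guessing rate and compares that with the 42-day maximum age, and it computes how many online guesses per account per day the 3-attempt / 20-minute lockout settings leave an attacker. The guessing rate and the alphabet sizes are assumptions. One result is worth noting: at ten million guesses per second a 6-character keyspace is exhausted in under a day, so by the page's own criterion the minimum length should be higher (8 characters already exceeds 42 days at that rate).

```python
"""Password and lockout policy sanity check.

Added example, not code from the original tutorial. It applies the page's own
criterion ("a password that cannot be cracked within the rotation period is a good
password") to the policy values the page recommends. Guessing rates and alphabet
sizes are assumptions; replace them with figures for the attacker you care about.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    complexity: bool           # "passwords must meet complexity requirements"
    history: int               # "enforce password history"
    max_age_days: int          # "maximum password age"
    lockout_threshold: int     # failed logons before lockout (0 = never lock)
    lockout_reset_min: int     # "reset account lockout counter after" (minutes)
    lockout_duration_min: int  # "account lockout duration" (minutes)


# The policy the page recommends (intermediate items 5 and 6).
PAGE_POLICY = PasswordPolicy(min_length=6, complexity=True, history=5, max_age_days=42,
                             lockout_threshold=3, lockout_reset_min=20, lockout_duration_min=20)

# Assumed alphabets: 94 printable ASCII characters when complexity is enforced; 36
# (lowercase letters and digits) as a realistic model of what users pick when it is not.
ALPHABET_COMPLEX = 94
ALPHABET_SIMPLE = 36


def keyspace(length: int, complexity: bool) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    alphabet = ALPHABET_COMPLEX if complexity else ALPHABET_SIMPLE
    return alphabet ** length


def offline_exhaust_days(policy: PasswordPolicy, guesses_per_second: float) -> float:
    """Days an attacker holding the password database (item 8's scenario) needs to try
    every password of the minimum length at the assumed rate."""
    return keyspace(policy.min_length, policy.complexity) / guesses_per_second / 86400


def meets_page_criterion(policy: PasswordPolicy, guesses_per_second: float) -> bool:
    """True if exhausting the keyspace takes longer than the forced rotation period."""
    return offline_exhaust_days(policy, guesses_per_second) > policy.max_age_days


def stealth_online_guesses_per_day(policy: PasswordPolicy) -> int:
    """Guesses per account per day an attacker can make over the network without ever
    triggering a lockout: threshold-1 failures, then wait for the counter to reset."""
    if policy.lockout_threshold == 0:
        raise ValueError("no lockout: online guessing is limited only by network speed")
    windows_per_day = (24 * 60) // policy.lockout_reset_min
    return (policy.lockout_threshold - 1) * windows_per_day


def noisy_online_guesses_per_day(policy: PasswordPolicy) -> int:
    """Upper bound if the attacker accepts locking the account out repeatedly (a denial
    of service the audit log will show): threshold failures per lockout duration."""
    lockouts_per_day = (24 * 60) // policy.lockout_duration_min
    return policy.lockout_threshold * lockouts_per_day


if __name__ == "__main__":
    rate = 10_000_000.0  # assumed offline guesses per second against the password database
    for length in (6, 8, 10):
        pol = PasswordPolicy(length, True, 5, 42, 3, 20, 20)
        days = offline_exhaust_days(pol, rate)
        verdict = "ok" if meets_page_criterion(pol, rate) else "FAILS the 42-day criterion"
        print(f"min length {length}: {days:,.1f} days to exhaust -> {verdict}")
    print("online guesses/day without triggering lockout:", stealth_online_guesses_per_day(PAGE_POLICY))
    print("online guesses/day accepting lockouts:", noisy_online_guesses_per_day(PAGE_POLICY))
```

The online figures show what the lockout policy buys: 144 quiet guesses per account per day is harmless against a complex password but enough to walk through a short list of "Welcome"/"Letmein"-style passwords across many accounts, which is why the weak-password cleanup in the basic items still matters.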

7. Set access rights on the security log

By default the security log (%SystemRoot%\system32\config\SecEvent.Evt) is not specially protected. Set its permissions so that only Administrators and the SYSTEM account can access it.

8. Store sensitive files on a separate file server

Although server hard disks are very large these days, consider whether important user data (documents, data tables, project files and so on) should be kept on another, secured server, and back it up regularly.

9. Don't let the system display the last logged-on user name

By default, when the server is accessed through Terminal Services the logon dialog shows the account that last logged on, and the local logon dialog does the same. This makes it easy for others to collect valid user names of the system and then guess passwords. Modify the registry so that the last user name is not displayed in the dialog:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value DontDisplayLastUserName

Set this REG_SZ value to 1.

10. Disallow null sessions

By default any user can connect to the server through a null session (an anonymous IPC$ connection), then enumerate the accounts and guess passwords. Null sessions can be restricted by modifying the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, value RestrictAnonymous (REG_DWORD): set it to 1. Windows 2000 also accepts the value 2, which denies anonymous access entirely; that is stricter but can break trust relationships, down-level clients and some services, so test it before using it.

11. Download the latest patches from Microsoft's website

Many administrators don't make a habit of visiting security websites, so holes disclosed long ago stay open and the server is left as a target for everyone. No one can guarantee that the millions of lines of code in Windows 2000 contain no security holes. Regularly visiting Microsoft and the security sites and installing the latest service packs and hotfixes is the only way to keep the server secure in the long run.

Advanced items

1. Disable DirectDraw

This is a C2 security requirement concerning video cards and memory. Disabling DirectDraw may affect programs that need DirectX (games; playing StarCraft on a server? Good grief), but it should have no effect on most business websites. Set the Timeout value (REG_DWORD) under HKLM\System\CurrentControlSet\Control\GraphicsDrivers\DCI to 0.

2. Turn off the default shares

After Win2000 is installed the system creates some hidden shares; you can list them by typing net share at a cmd prompt. There are plenty of articles on IPC$ intrusion on the Internet, which I'm sure everyone is familiar with. To stop these shares, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the share and choose Stop Sharing. However, these shares are recreated when the machine restarts. To keep the administrative shares (ADMIN$ and the drive shares) from coming back, set the REG_DWORD value AutoShareServer (AutoShareWks on Win2000 Professional) under HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters to 0. IPC$ is not controlled by this value; what limits it is the RestrictAnonymous setting from the intermediate items.

Default shares, their paths and functions:

C$, D$, E$ ...  The root directory of each partition. On Win2000 Professional only Administrators and Backup Operators can connect to these shares; on Win2000 Server members of the Server Operators group can connect as well.

ADMIN$  %SYSTEMROOT%. Share used for remote administration; its path always points to the Win2000 installation directory, for example c:\winnt.

FAX$  On Win2000 Server, used by fax clients when sending a fax.

IPC$  The share used by null sessions. IPC$ provides the ability to log on to the system remotely.

NETLOGON  Used by the Net Logon service of a Windows 2000 server when handling domain logon requests.

PRINT$  %systemroot%\system32\spool\drivers. Used by users administering printers remotely.

3. Disable the generation of dump files

A dump file is very useful for diagnosing the problem when the system crashes with a blue screen (otherwise I would have translated it literally as a "garbage file"). But it can also hand an attacker sensitive information, such as the passwords of some applications. To disable it, open Control Panel > System > Advanced > Startup and Recovery and set "Write debugging information" to None. You can turn it back on when you need it.

4. Use the Encrypting File System (EFS)

Windows 2000's powerful encryption system adds a layer of protection to disks, folders and files. It prevents someone from mounting your hard disk on another machine and reading the data. Remember to apply EFS to folders, not just to individual files. One caveat: on a standalone machine the local Administrator is the default recovery agent, so export the recovery agent's certificate and private key to removable media kept off the machine and remove the key from the server; otherwise whoever obtains local Administrator access (including by resetting the password offline, which is exactly what mounting the disk elsewhere allows) can decrypt every user's files. See /windows2000/techinfo/hownetworks/security/encrypt.asp for details on EFS.

5. Encrypt the temp folder

Some applications copy files into the temp folder while installing or upgrading and do not clear it when they finish or exit. Encrypting the temp folder therefore gives your files extra protection.

6. Lock down the registry

In Windows 2000 only Administrators and Backup Operators can access the registry over the network by default; this is controlled by the permissions on the key HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg. If that is not enough, you can tighten the registry permissions further. For details see: /support/kb/articles/q153/1/83.asp.

7. Clear the page file at shutdown

The page file, also known as the swap file, is a hidden file Win2000 uses to hold program and data pages that are not currently resident in memory. Some third-party programs keep unencrypted passwords in memory, and the page file may also contain other sensitive material. To clear the page file at shutdown, edit the registry:

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

Set the value ClearPageFileAtShutdown (REG_DWORD) to 1.
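The registry values in intermediate items 9 and 10 and advanced items 1 and 7 are easy to set once and then lose to a later change or a rebuilt server. The script below, added as an example and not code from the original tutorial, parses a .reg export (as written by regedit /e) and reports every baseline value that is missing or differs. The export is constructed for the example; the baseline contains the page's four values plus one addition, labelled in the code: the LanmanServer AutoShareServer value that keeps the default shares of advanced item 2 from returning after a reboot (AutoShareWks on Windows 2000 Professional).

```python
"""Check a registry export against the hardening values this page sets by hand.

Added example, not code from the original tutorial. It reads the text format written
by "regedit /e" (a .reg file) and reports every baseline value that is missing or set
differently. The export below is constructed for illustration. The baseline holds the
four values the page names; the LanmanServer AutoShareServer entry is an addition (it
is what stops the default ADMIN$ and drive$ shares from coming back after a reboot; on
Windows 2000 Professional the value is called AutoShareWks).
"""
import re

# "name"=data or @=data (the key's default value). Names may contain escaped quotes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

HKLM = "HKEY_LOCAL_MACHINE"
BASELINE = {
    (HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DontDisplayLastUserName"): ("REG_SZ", "1"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): ("REG_DWORD", 1),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI", "Timeout"): ("REG_DWORD", 0),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management", "ClearPageFileAtShutdown"): ("REG_DWORD", 1),
    # Addition, not from the page: keeps ADMIN$ and C$-style shares from being recreated at boot.
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer"): ("REG_DWORD", 0),
}

# Constructed export; a real one would contain far more keys and values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="WEBSRV01"
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI]
"Timeout"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
'''


def parse_reg_export(text):
    """Return {(key, name): (type, value)} with key and name lower-cased, because the
    registry is case-insensitive. REG_SZ and REG_DWORD are decoded; anything else
    (hex:, expandable strings, ...) is kept as ("raw", text) so it still compares."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name = (m.group(1) or "").lower()      # "" is the key's default value (@)
        data = m.group(3)
        if data.startswith("dword:"):
            values[(key, name)] = ("REG_DWORD", int(data[len("dword:"):], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[(key, name)] = ("REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1]))
        else:
            values[(key, name)] = ("raw", data)
    return values


def check_baseline(values, baseline=BASELINE):
    """List (key, name, expected, actual) for every baseline entry that is not met.
    actual is None when the value is absent, which means the Windows default applies."""
    findings = []
    for (key, name), expected in baseline.items():
        actual = values.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings


if __name__ == "__main__":
    for key, name, expected, actual in check_baseline(parse_reg_export(SAMPLE_EXPORT)):
        state = "missing" if actual is None else f"{actual[0]} {actual[1]!r}"
        print(f"{key}\\{name}: expected {expected[0]} {expected[1]!r}, found {state}")
```

Export the relevant keys from the server with regedit /e and feed the file to parse_reg_export. A missing value is reported as a finding on purpose: for all five entries the Windows default is the insecure setting, so absence means the hardening was never applied or was lost.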

8. Prevent booting from floppy disk or CD

Some third-party tools can bypass the system's security mechanisms by booting from other media. If the server has very high security requirements, consider removing the floppy and CD-ROM drives, or at least set the BIOS to boot only from the hard disk and protect the BIOS settings with a password. Locking the case and throwing away the key is also a good idea.

9. Consider smart cards instead of passwords

Passwords leave security administrators in a bind: they are vulnerable to tools such as L0phtCrack, and if they are made too complex, users write them down everywhere to remember them. Where circumstances permit, replacing complex passwords with smart cards is a good solution.

10. Consider using IPSec

As the name implies, IPSec secures IP packets. It provides authentication, integrity and optional confidentiality: the sending computer encrypts the data before transmission and the receiving computer decrypts it on arrival. In Windows 2000 it is configured through the IP Security Policy Management MMC snap-in. Using IPSec can greatly improve the security of the system.