Eight tactics to ensure Windows 2000 security

  

Windows 2000 has a particularly large number of users, which has made it the most attacked system, but this does not mean that Windows 2000 security is poor. With reasonable configuration and management it is quite safe. I have been using Windows 2000 for quite some time and have gradually found a few ways to maintain its security. Here are some personal opinions; please point out any shortcomings.

Safe installation to minimize worries

The security of a Windows 2000 system should be built up starting from installation, but this is often overlooked. The following points should be noted when installing Windows 2000:

1. Do not choose to install from the network

Although Microsoft supports network installation, it is absolutely not safe. Do not connect to the network, especially the Internet, until the system is fully installed! Do not even connect all the hardware before installing. The reason is that during Windows 2000 installation, after you enter the password for the administrator account "Administrator", the system creates a share named "ADMIN$" but does not protect it with the password just entered. This situation continues until the computer is restarted. In the meantime, anyone can enter the system through "ADMIN$". In addition, as soon as installation completes, the various services start automatically while the server is still full of holes, which makes it very easy to break into from outside.

2. Choose NTFS format for partitions

It is best to have all partitions in NTFS format, because NTFS partitions are more secure. Even if other partitions use other formats (such as FAT32), at least the partition where the system is located should be in NTFS format.

In addition, applications should not be placed in the same partition as the system. This prevents an attacker from exploiting a vulnerability in an application (such as Microsoft's IIS vulnerabilities, which everyone surely knows about) to leak system files or even gain administrator privileges remotely.

3. System version selection

We generally like to use software with a Chinese interface, but Microsoft products, because of geographical and market factors, are released first in English, and versions in other languages follow. In other words, the native language of the Windows system is English, so the native-language version should have far fewer vulnerabilities than the localized versions. In fact, the Windows 2000 Chinese input method vulnerabilities are well known to everyone.

The secure installation described above can only reduce worries. Do not think that it settles things once and for all. There is still a lot of work waiting for you, so please read on:

Properly manage the system to make it more secure

When a system is not safe, do not just blame the software itself; think about the human factors too! Let's look at the points to note in the management process from the administrator's perspective:

1. Follow the latest vulnerabilities, patch promptly, and install a firewall

The administrator's job is to maintain the security of the system, keep up with the latest vulnerability information, and apply the appropriate patches promptly. This is the easiest and most effective way to maintain system security. I recommend a good security site from abroad: http://www.eeye.com. Installing the latest version of a firewall is also a must and will help you. But remember: "The road is one foot high, the magic height is one foot". There is no absolute security, patches always come after the announcement of a vulnerability, and relying completely on system patches and a firewall is not feasible!

2. Prohibit null (empty) connections; do not leave the door open

Attackers often use shares to attack. Strictly speaking, this is not a vulnerability; the blame lies with administrator accounts and passwords that are too simple. If keeping it makes you uneasy, just disable it!

This is mainly done by modifying the registry. The key and value are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]

RestrictAnonymous = DWORD: 00000001

3. Disable administrative shares

Along with the above, disable these as well!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

AutoShareServer = DWORD:00000000
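To check that both registry values from tactics 2 and 3 are actually in place, the following added example (not part of the original article) audits the text of a regedit export offline. The `SAMPLE` export is constructed, and the function names are this example's own; the export is assumed to be already decoded to text.

```python
import re

# Settings the article recommends: (key path, value name, required DWORD).
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA",
     "RestrictAnonymous", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", 0),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Return {(key, value_name): int} for every DWORD in a regedit export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()  # registry paths are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """List (value_name, found, wanted) for each setting missing or wrong."""
    values = parse_reg_export(text)
    findings = []
    for key, name, wanted in EXPECTED:
        found = values.get((key.lower(), name.lower()))  # None: value not set
        if found != wanted:
            findings.append((name, found, wanted))
    return findings

# Constructed sample: anonymous restriction off, AutoShareServer never created.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Lmannounce"=dword:00000000
'''

if __name__ == "__main__":
    for name, found, wanted in audit(SAMPLE):
        print(f"{name}: found {found}, article recommends {wanted}")
```

A value that is absent from the export is reported with `None`, because a setting that was never created is not in the state the article asks for.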

4. Design passwords carefully to guard against intrusion

Having read the second and third points above, experienced readers will naturally have thought of this. Yes, it is a commonplace topic. Many servers are compromised because the administrator password is too simple.

For setting the password, I suggest: (1) a length of more than 8 characters is appropriate; (2) use complex combinations of uppercase and lowercase letters, numbers, and special symbols, such as G1$2aLe^, and avoid passwords of the "single word" or "word plus numbers" type, such as gale, gale123, etc.

Special note: the SA password in MSSQL 7.0 must not be empty! By default, the "SA" password is empty and its permissions are "admin"; think about the consequences.

5. Limit the number of users in the administrator group

Strictly limit the members of the administrator group, and always ensure that only one Administrator (that is, you) is a member of the group. Check the members of the group at least once a day, and delete any extra users you find! There is no doubt that such new users are back doors left by intruders. Also pay attention to the Guest user: smart intruders generally do not add unfamiliar usernames, because administrators would easily spot them. They usually activate the Guest user first, then change its password, and then put it in the Administrators group. But why would Guest turn up in the Administrators group for no reason? Stop it!
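The daily check described in tactic 5 can be scripted. The following added example (not part of the original article) parses saved output of `net localgroup Administrators` and flags every member other than Administrator, calling out Guest separately. The `SAMPLE` output is constructed, English-locale command output is assumed, and the function names are this example's own.

```python
ALLOWED = {"administrator"}  # the article's rule: only Administrator belongs

def members(net_output):
    """Extract member names from `net localgroup Administrators` output."""
    names, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("---"):        # separator line precedes the members
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            names.append(line)
    if not in_list:
        # No member list at all means the command failed; do not report "clean".
        raise ValueError("no member list found; did the command fail?")
    return names

def review(net_output, allowed=ALLOWED):
    """Return (member, reason) for every member the article would question."""
    findings = []
    for name in members(net_output):
        short = name.split("\\")[-1].lower()   # Guest may appear as HOST\Guest
        if short == "guest":
            findings.append((name, "Guest account is in Administrators"))
        elif name.lower() not in allowed:
            findings.append((name, "unexpected member"))
    return findings

# Constructed sample output with the pattern the article warns about.
SAMPLE = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
helpdesk2
The command completed successfully.
"""

if __name__ == "__main__":
    for name, reason in review(SAMPLE):
        print(f"{name}: {reason}")
```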

6. Stop unnecessary services

Running too many services is not a good thing. Turn off the unnecessary ones, especially those whose purpose even the administrator does not know. Why keep them running? Turn them off, and do not bring disaster on the system.

In addition, if the administrator does not need to manage the computer remotely, it is best to turn off all remote network login functions. Note that if you need it, disable the "Task Scheduler" and "RunAs Service" services!

Stopping a service is very simple. After running cmd.exe, you can stop it directly with net stop servername.

7. Administrators: stay safe and do not use the company's servers for private purposes

Besides acting as a server, Windows 2000 Server can also be used as a personal computer for browsing the Internet, sending and receiving e-mail, and so on. As an administrator, you should use the server's browser to browse the web as little as possible, to avoid Trojan infection and exposure of private company information through browser vulnerabilities. Microsoft IE has a lot of vulnerabilities, as you surely know. Likewise, use Outlook and similar tools on the server to send and receive e-mail as little as possible, to avoid viruses and the losses they bring to the enterprise.

8. Pay attention to local security

Preventing remote intrusion is very important, but the local security of the system cannot be ignored either. The intruder is not necessarily far away and may be right beside you!

(1) Apply the latest patches promptly to guard against the input method vulnerability; this goes without saying. The input method vulnerability does not only enable local intrusion. If Terminal Services is enabled, the door to the system is wide open, and any machine with a terminal client can easily get in!

(2) Do not display the last logged-in user

If your machine has to be shared by several people (in fact, a real server should not be), it is important to hide the name of the user who last logged in, so that it cannot be used to guess passwords. The setting method is: go to [Start] → [Programs] → [Administrative Tools] → [Local Security Policy], open "Local Policies" → "Security Options", double-click "Do not display last user name in logon screen" on the right, select "Enabled", and then click [OK]. The next time someone logs in, the user name that was last logged in will not be displayed in the username box.
