Win 2000 Security Settings Checklist

  

Primary Security

1. Physical Security

The server should be placed in an isolated room with surveillance monitoring installed, and the camera recordings should be kept for more than 15 days. In addition, the chassis, keyboard, and computer desk drawers should be locked so that no one can use the computer even if they enter the room, and the keys should be kept in another safe place.

2. Stop the Guest account

Disable the Guest account under Users in Computer Management, and do not allow the Guest account to log in to the system at any time. To be on the safe side, it's a good idea to give the Guest account a complex password. You can open Notepad, type a long string containing special characters, numbers, and letters, and copy it in as the password for the Guest account.

3. Limit the number of unnecessary users

Remove all duplicate user accounts, test accounts, shared accounts, general department accounts, and so on. Use Group Policy to set the appropriate permissions, and check the system's accounts often, deleting those that are no longer in use. These accounts are often the breakthrough point for hackers invading a system. The more accounts there are, the more likely it is that hackers will obtain a legitimate user's access. On domestic NT/2000 hosts with more than 10 system accounts, one or two weak-password accounts can generally be found. I have found that 180 of the 197 accounts of a host are weak password accounts.

4. Create 2 administrator accounts

Although this seems somewhat contradictory to the above, it in fact follows the rule above. Create a general-privilege account to receive and handle everyday things, and another account with Administrators privileges that is used only when needed. Administrators can use the “RunAS” command to perform work that requires privileges, which makes management easier.

5. Rename the system administrator account

Everyone knows that the Windows 2000 administrator account cannot be deactivated, which means that others can try passwords against this account again and again. Renaming the Administrator account effectively prevents this. Of course, don't use a name like Admin, which is as good as no change; try to disguise it as a normal user, for example: guestone.

6. Create a trap account

What is a trap account? Look! Create a local account called “Administrator”, set its permissions to the lowest so that it can do nothing, and give it a super complex password of more than 10 characters. This will keep those script kiddies busy for a while, and you can use it to discover their intrusion attempts. Or do something with its login scripts. Oh, that's enough!

7. Change the permissions of shared files from the “everyone” group to “authorized users”

In Win2000, “everyone” means that any user who has access to your network can access these shared resources. Never set the users of a shared file to the “everyone” group. This includes printer sharing, whose default is also the “everyone” group; don't forget to change it.

8. Using a secure password

A good password is very important for a network, but it is the easiest thing to neglect. What I said earlier may already illustrate this. Some company administrators, when creating accounts, often use the company name, computer name, or something else easily guessed as the user name, and then set the passwords of these accounts to something simple, such as “welcome”, “Iloveyou”, “letmein”, or the same as the user name. Such an account should require the user to change to a complex password at first logon, and to change the password frequently afterwards. When discussing this issue with people on IRC a few days ago, we gave a definition of a good password: a password that cannot be cracked during the security period is a good password. That is, if someone gets your password file, they must spend 43 days or more to crack it, while your password policy requires the password to be changed every 42 days.

9. Setting a Screen Saver Password

This is also very simple and necessary. A screen saver password is another barrier against insiders damaging the server. Take care not to use OpenGL or other complicated screen savers, which waste system resources; just let the screen go black. It is also best to set a screen saver password on the machines used by all system users.

10. Use NTFS format partition

Change all partitions of the server to NTFS format. The NTFS file system is much more secure than the FAT and FAT32 file systems. This goes without saying; I think everyone's server has to be NTFS.

11. Running anti-virus software

The Win2000/NT servers I have seen have never had anti-virus software installed. In fact, this is very important. Good anti-virus software can not only kill well-known viruses, but also detect and remove a lot of Trojans and backdoors. In that case, the well-known Trojans used by hackers become useless. Don't forget to update the virus database frequently.

12. Secure backup disk

Once the system data is corrupted, the backup disk will be your only way to recover it. After backing up the data, keep the backup disk in a safe place. Never keep the backup on the same server; in that case you might as well not back up at all.

Intermediate Security:

1. Use win2000's security configuration tool to configure policies

Microsoft provides a set of MMC (Management Console) based security configuration and analysis tools, with which you can easily configure your server to meet your requirements. Please refer to the Microsoft homepage for details:

2. Turning off unnecessary services

Windows 2000's Terminal Services, IIS, and RAS can all open security holes in your system. To allow the server to be managed remotely, many machines have Terminal Services turned on. If yours is turned on too, make sure that you have configured Terminal Services correctly. Some malicious programs can also run quietly as a service. Pay attention to all the services that are running on the server and check them periodically (every day). The following are the default services for a C2-level installation:

Computer Browser service    TCP/IP NetBIOS Helper
Microsoft DNS server        Spooler
NTLM SSP                    Server
RPC Locator                 WINS
RPC service                 Workstation
Netlogon                    Event log

3. Turning off unnecessary ports

Turning off ports means reducing functionality, so you need to make some trade-offs between security and functionality. If the server sits behind a firewall the risk is lower, but never assume that you can sit back and relax. Using a port scanner to scan the system's open ports and determine which services are open is the first step a hacker takes to break into your system. The \system32\drivers\etc\services file contains a list of well-known ports and services for reference. The specific method is:

Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP filtering > Properties. Enable TCP/IP filtering, then add only the TCP ports, UDP ports, and protocols that are required.
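
As an added example (not part of the original checklist), the following Python script checks the result of the filtering step above: it parses `netstat -an` output together with services-file lines and reports every listening port that is not in the permitted list. The sample inputs and the ALLOWED policy are constructed for illustration.

```python
# Constructed sample lines in the format of the etc\services file.
SERVICES_FILE = """\
ftp                21/tcp
domain             53/udp                 #Domain Name Server
http               80/tcp    www www-http #World Wide Web
epmap             135/tcp    loc-srv      #DCE endpoint resolution
microsoft-ds      445/tcp
"""
# Constructed sample of `netstat -an` output captured on the server.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.10:80        192.168.0.55:1034      ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""
# Assumed policy: the only ports entered in the TCP/IP filter's permit lists.
ALLOWED = {("tcp", 80), ("udp", 53)}

def parse_services(text):  # map (protocol, port) -> service name
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop the trailing comment
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            if port.isdigit():
                names[(proto.lower(), int(port))] = fields[0]
    return names

def listening_endpoints(text):  # set of (protocol, port) the host listens on
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # An ESTABLISHED TCP row is a session, not a listener; UDP has no state.
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue
        found.add((fields[0].lower(), int(fields[1].rsplit(":", 1)[1])))
    return found

def unexpected_listeners(netstat_text, services_text, allowed):
    names = parse_services(services_text)
    extra = sorted(listening_endpoints(netstat_text) - set(allowed), key=lambda e: e[1])
    return [(proto, port, names.get((proto, port), "unknown")) for proto, port in extra]

for proto, port, name in unexpected_listeners(NETSTAT_OUTPUT, SERVICES_FILE, ALLOWED):
    print(f"{port}/{proto} ({name}) is listening but is not in the permitted list")
```

Each port it reports is either a service to turn off or an entry that is missing from the filter's permit list.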