Windows 2000 security maintenance

Computer security includes not only protecting local data on your computer, but also protecting data on your network. A good operating system can identify people trying to access computer resources, prevent specific resources from being improperly accessed by users, and provide users with a simple and effective way to set up and maintain computer security.

Currently, PC users are still using Windows. Compared with previous versions, Windows 2000 based on NT platform technology has greatly improved stability and security. The following is an example of Windows 2000 Professional, and by the way, an application problem is solved.

First, Windows 2000 security features

1. User Accounts and Account Group Features

Ensure that only authorized users can access the computer while effectively managing the user's specific task rights and permissions, such as folder access rights. System built-in groups give most users the full user rights and privileges they need to perform their tasks. Management Interface "Users and Passwords" in the Control Panel.

2. Shared Folder Permissions

By giving shared folder permissions to any folder, you can restrict or allow access to these folders over the network. Set through the project's properties menu. By default, when you add a shared directory in Windows 2000, the operating system will automatically add the EveryOne user group to the privilege module. Since the default permissions of this group are fully controlled, the result is that anyone can share the directory. Read and write. Therefore, after creating a new shared directory, immediately delete the EveryOne group or adjust the permissions of the group to read.

3. NTFS file system features that are more secure than FAT and FAT32:

Disk quota service, which controls the amount of disk space allowed per user;

supports setting permissions for files or folders. Restrict or allow access by users or groups, specifying the type of access, that is, you can limit the files that each user is allowed to read and write to any folder in the disk directory. If you want to share a folder located on an NTFS drive without special settings, NTFS folder access rights are valid on both the local and the network;

NTFS also supports owners to encrypt files and folders to better protect information.

It is recommended to use NTFS disk partitioning.

4. Printer Permissions

Restrict user access by assigning printer permissions. There are three permissions for printing documents, managing documents, and managing printers. Set through the project's properties menu.

5. Auditing

You can use auditing to track accounts used to access files or other objects, as well as user login attempts, shutdown or restart systems, and other specified events. Before an audit occurs, you must use Group Policy to specify the type of event to audit. For example, to audit a folder, first enable Audit Object Access for Audit Policy in Group Policy. Next, you can set up auditing just like setting permissions: select an object (such as a file or folder) and then select the users and groups whose operations you want to audit. Finally, select the action you want to review, for example, trying to open or delete a restricted folder. Successful and failed attempts can be reviewed. Review the audit activity by using the Event Viewer to view the Security log. The audit mechanism for disk access can only be applied to the NTFS file system. The review mechanism should be used by all users who need to be reviewed.

6. User Rights

User rights are rules that determine what actions a user can perform on a computer. In addition, user rights control whether the user can log in to the computer directly, (either locally) or through the network, add users to local groups, delete users, and so on. The built-in group has a set of assigned user rights. Typically, administrators assign user rights by adding a user account to a built-in group, or by creating a new group and assigning specific user rights to the group. Users who are subsequently added to the group automatically get all user rights assigned to the group account. User rights are managed through Group Policy.

7. Other Local Security Settings

Allows the security administrator to configure the security level assigned to the Group Policy object or local computer policy. The local security policy is the security setting used to configure the local computer. These settings include password policies, account lockout policies, audit policies, IP security policies, user rights assignments, recovery agents for encrypted data, and other security options. Because local security policies are primarily set for local users, they are only available on Windows 2000 computers that are not domain controllers.

The above four functions are common and easy to set up, and the security settings such as auditing and user rights are more complicated to use, but the functions are really powerful. Users can fine-tune the operating parameters of the system until they are fully satisfied. Personal needs. For example:

* To prevent malicious attacks from inside the LAN, users can get the record of the location and number of machines that an account is remotely attempted to log in, and cancel the right to remotely log in to an account. This is very useful.

* You can strategically control the resources you have, such as disabling access to a local floppy or optical drive from the network, whether or not it is set to share permissions.

* Protect your data with security policies that make it difficult or impossible for an attacker to crack. The combination of algorithm and key is used to protect the information. Windows 2000 achieves a high level of security by using encryption-based algorithms and keys.

The security settings of Windows 2000 are mainly carried out in the "Local Security Policy". When you use it, click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy. Its settings include:

* Account Policy: Password and Account Lockout Policy

* Local Policy: Audit, User Rights and Security Options Policy

* Public Key Policy (IP) Security Policy): Internet Protocol Security (IPSec) management. The IPSec policy is a management policy for secure communication with other computers.

It is best to use the guidance of a senior administrator.

Second, the local security policy settings error, a solution and further recommendations

1. If you do not pay attention to the local security policy setting process, it will cause a lot of trouble. An example:

A machine running Windows 2000 Professional has an error in user settings. In the "Local Policy", set the "Reject Local Login" item of "User Rights Assignment" to "Users, Guests". , EveryOne". The user cannot log in again after logging out, and the system prompts "Unable to make an interactive session." The setting item contains "EveryOne" so that all accounts are forbidden to log in.

Workaround: Windows 2000 stores the current local security settings data record in the config directory under the Windows system directory system32, the file name SECURITY, only to modify it correctly to log in normally. For simplicity, override it with the initial configuration of the system. Since the machine uses the FAT32 format and starts with a clean Win98 floppy disk, copy the SECURITY file in the Windows directory repair subdirectory to the config to overwrite the error file. Login is normal. The correct settings are as follows:

If the machine uses the NTFS format, it must be started with the Windows 2000 installation floppy or the installation CD. In order to prevent the startup disk from being found after a similar failure, it is difficult to solve the problem quickly. You can apply the Windows 2000 Recovery Console feature.