Seven newbie skills Deadly server security maintenance

Are there any vital data on your computer, and don't want them to fall into the hands of the wicked? Of course, they have this possibility. Moreover, in recent years, servers have been at greater risk than before. More and more viruses, hackers, and commercial spies have made the server their goal. Obviously, the security of the server cannot be ignored.

It is impossible to tell all the computer security issues in just one article. After all, there are countless books on this topic. All I have to do next is to tell you seven tips for maintaining your server's security.

Tip 1: Start with Basics

I know this sounds like nonsense, but when we talk about the security of web servers, the best advice I can give you is Don't be a layman. When hackers start attacking your network, they first check for general security vulnerabilities before considering the more difficult means of breaking through the security system. So, for example, when the data on your server is in a FAT disk partition, even installing all the security software in the world won't help you much.

For this reason, you need to start from the basics. You need to convert all disk partitions on the server that contain sensitive data to NTFS format. Again, you need to keep all your anti-virus software up to date. I recommend that you run anti-virus software on both the server and the desktop. The software should also be configured to automatically download the latest virus database files every day. You should also know that you can install anti-virus software for Exchange Server. This software scans all incoming emails for infected attachments. When it finds a virus, it automatically isolates the infected email before it reaches the user.

Another good way to protect your network is to limit the amount of time users spend accessing the network based on the time they spend in the company. A temporary employee who normally works during the day should not be allowed to access the network at 3 am unless the employee's supervisor tells you that it is for a special project.

Finally, remember that users need a password when they access anything on the entire network. You must force everyone to use high-intensity passwords consisting of uppercase and lowercase letters, numbers, and special characters. There is a good tool for this task in the Windows NT Server Resource Kit. You should also often invalidate some expired passwords and update them to require the user's password to be at least eight characters. If you have done all of this work but are still concerned about the security of your password, you can try to download some hacking tools from the Internet and find out how safe these passwords are.

Tip 2: Protect Your Backup

Every good network administrator knows to back up the network server every day and keep the tape records away from the scene to protect against accidents. However, the security issue is much more than just a backup. Most people don't realize that your backup is actually a huge security hole.

To understand why this is the case, most of the backup work starts at around 10:00 or 11:00. The entire backup process usually ends in the middle of the night, depending on how much data you have to back up. Now, imagine that time is up to four in the morning and your backup job is over. However, nothing prevents someone from stealing data from your tape records and restoring them to a server in your home or in your competitor's office.

However, you can stop this from happening. First, you can protect your tape with a password and if your backup program supports encryption, you can also encrypt it. Second, you can set the backup program to work in the morning when you go to work. In this case, even if someone wants to sneak in and steal the tape the night before, they will not be able to succeed because the tape is being used. If the thief still ejects the tape and takes it away, the data on the tape is worthless.

Tip 3: Use Callback for RAS

One of the coolest features of Windows NT is remote server access (RAS) support. Unfortunately, a RAS server is an open door for a hacker trying to get into your system. Everything a hacker needs is a phone number, and sometimes it takes a little patience to get into a host via RAS. But you can take some measures to ensure the security of the RAS server.

The technology you want to use will depend to a large extent on how your remote users use RAS. If remote users often call the host from home or similar, non-changing places, I suggest you use The callback feature, which allows remote users to log in and disconnect afterwards. The RAS server then dials a pre-defined phone number to connect the user again. Because this number is pre-set, the hacker has no chance to set the number that the server will call back.

Another option is to restrict access to a single server for all remote users. You can place the data that the user usually accesses on a special share point on the RAS server. You can then restrict access to remote users to a single server, not the entire network. In this way, even if hackers enter the host through destruction, they will be isolated on a single machine, where the damage they cause is reduced to a minimum.

Last but not least, the trick is to use an unexpected protocol on your RAS server. Everyone I know uses the TCP/IP protocol as the RAS protocol. Considering the nature and typical use of the TCP/IP protocol itself, this seems like a reasonable choice. However, RAS also supports the IPX/SPX and NetBEUI protocols. If you use NetBEUI as your RAS protocol, you can really confuse some unsuspecting hackers.

Tip 4: Consider workstation security issues

It seems strange to talk about workstation security in an article about server security. However, the workstation is a port to the server. Strengthening the security of workstations can increase the security of the entire network. For beginners, I recommend using Windows 2000 on all workstations. Windows 2000 is a very secure operating system. If you don't want to do this, then at least use Windows NT. You can lock the workstation, making it difficult or impossible for someone without secure access to get network configuration information.

Another technique is to control which workstations a person can access. For example, there is an employee called Bob, and you already know that he is a troublemaker. Obviously, you don't want Bob to open his friend's computer at lunch or to drop his own notebook and hack the entire system. Therefore, you should use the Workgroup User Manager to also modify Bob's account so that he can only log in from his own computer (and within the time you specify). Bob is far less likely to attack the network from his own computer because he knows that others can catch him up.

Tip 5: Make a reasonable division of workstations and servers

Another technique is to limit the functionality of the workstation to a dumb terminal, or, I have no better words to describe, a "smart" "Dumb terminal. In general, it means that no data and applications reside on separate workstations. When you use your computer as a dumb terminal, the server is configured to run Windows NT Terminal Services, and all applications are physically running on the server. Everything sent to the workstation is nothing more than an updated screen display. This means that there is only one minimal version of Windows and one client for Microsoft Terminal Services on the workstation. Using this method is perhaps the safest network design.

Using a "smart" dumb terminal means that the program and data reside on the server but run on the workstation. All installed on the workstation is a copy of Windows and some icons pointing to applications residing on the server. When you click on an icon to run the program, the program will run using the local resources instead of consuming the server's resources. This is much less stressful on the server than running a full dumb terminal program.

Microsoft hired a team of programmers to check for security holes and fix them. Sometimes these patches are bundled into a large package and released as a service pack. There are usually two different patch versions: a 40-bit version that anyone can use and a 128-bit version that can only be used in the US and Canada. The 128-bit version uses a 128-bit encryption algorithm, which is much safer than the 40-bit version. If you are still using a 40-bit service pack and live in the US or Canada, I highly recommend downloading the 128-bit version.

Sometimes a service pack may have to wait for several months to release -- obviously, when a big security hole is discovered, you don't want to wait until it is possible to fix it. Fortunately, you don't need to wait. Microsoft regularly releases important patches on its FTP site. These hotspot patches are security patches that have been published since the last time the service pack was released. I suggest you check the hot fix frequently. Remember that you must use these patches in a logical order. If you use them in the wrong order, the result may be a version error in some files and Windows may stop working.

Tip 6: Use a Strong Security Policy

To improve security, another job you can do is to develop a good, powerful security policy. Make sure everyone knows it and knows it is enforced. Such a policy needs to include severe penalties for an employee who downloads unauthorized software on a company machine.

If you use Windows 2000 Server, you may be able to specify the user's special usage rights to use your server without having to hand over the administrator's control. A good use is to authorize Human Resources to delete and disable an account. In this way, the HR department can delete or disable his user account before a clerk knows that he will be fired. In this way, dissatisfied employees will not have the opportunity to disrupt the company's system. At the same time, with special user rights, you can grant this permission to delete and disable account permissions and restrict the creation of users or changes to permissions and other activities.

Try the free TechProGuild! If you find this article useful, check out TechRepublic's TechProGuild registration resource, which provides in-depth technical articles covering some IT topics, including Windows server and client platforms, Linux, troubleshooting issues, and digital networking projects. The difficulty, as well as NetWare. With a TechProGuild account, you can also read the full text of popular IT industry books online. Click here to sign up for a free 30-day TechProGuild trial.

Tip 7: Check Firewall Settings

Our last tip includes a close look at your firewall settings. Your firewall is an important part of the network because it isolates your company's computers from those on the Internet that might damage them.

The first thing you need to do is to make sure that the firewall does not open up any necessary IP addresses to the outside world. You always have to make at least one IP address visible to the outside world. This IP address is used for all Internet communications. If you have a DNS-registered web server or email server, their IP addresses may also be visible to the outside world through a firewall. However, the IP addresses of workstations and other servers must be hidden.

You can also check the port list to verify that you have closed all port addresses that you don't use. For example, TCP/IP port 80 is used for HTTP communication, so you may not want to block this port. However, you may never use port 81 so it should be turned off. You can find a list of the uses for each port on the Internet.

Server security issues are a big issue. You don't want critical data to be corrupted by viruses or hackers or by someone who might use it to deal with you. In this article, I introduced seven areas that you should pay attention to in the next security review.