Customizing a secure Win 2003 operating system (Part 2)

  

Foreword:

On May 22, 2003, the Chinese version of Microsoft's next-generation operating system, Windows Server 2003, began to be released in China. From Windows 95 all the way to the present, the author thinks that Microsoft has been passable in terms of security, although there have been many vulnerabilities. Overall, 2003 feels as if it does security well: interactive logon, network authentication, object-based access control, a more complete security policy, data encryption protection... The Windows Server 2003 discussed here is a default installation on a machine of ordinary configuration. The purpose is to greatly enhance its security through the security configuration described below. Yesterday we published the first half, and today we publish the second half.

III. Advanced security settings

1. Prohibit unnecessary services and eliminate hidden dangers.

A service is in essence just a program; what distinguishes it from other programs is that it provides a special function that supports the system in completing a specific task. After Windows Server 2003 is installed, there are 84 services by default, 36 of which start with the system. Whether each service is safe matters a great deal for security, especially because the services that start with the system may be exploited. Less than two months after the release of Windows Server 2003, a vulnerability based on a default service was discovered. Fortunately, this vulnerability does little harm to Windows Server 2003, and the service is turned off by default. Below, the author draws on his own experience to explain how to configure all the services of the system safely.

Open "Services" from "Administrative Tools", Figure 20. You can see the details of all services in the system. The typical Remote Registry service is used here as an example of how to configure services securely. Find the Remote Registry service in the list of services; the pane on the left shows its description: "allowing remote users to modify the registry settings on this computer. If this service is terminated, only users on this computer can modify the registry...". It can be seen that this service is not required under normal circumstances, and that leaving it enabled may bring security risks to the system, so it must be disabled. Double-click the Remote Registry service to open its properties, Figure 21. Under "Startup type", change the default "Automatic" to "Disabled" and confirm. Once this service is stopped, all remote operations on the registry are terminated, so malicious web pages that try to modify the local registry, and malicious users on the Internet who try to modify and set the registry, can no longer do so. This greatly reduces the probability of the system being damaged or infected with a trojan, and achieves the purpose of maintaining the security of the system.


Figure 20



Figure 21

Interestingly, the description of the Microsoft Windows Installer service actually contains typos! See Figure 22.


Figure 22

2. Change the default mode of remote control.

For individual users, Terminal Services (different from the services described above) is generally of no use, and its danger far outweighs its usefulness: it allows your machine to be managed from any machine on the network. Take a look at Microsoft's description: you can remotely manage your server by using "Remote Desktop for Administration" on any computer running the Windows Server 2003 family of operating systems. Connection and control are done with the Remote Desktop Connection client that comes with the system, Figure 23. Therefore, for ordinary users, Terminal Services must be prohibited. Go to Terminal Services Configuration from the Administrative Tools, right-click the connection and select its properties, Figure 24. Select the "Remote Control" tab of the connection properties, select "Do not allow remote control" and click OK, Figure 25. With this change, illegal connections by remote users can be avoided.


Figure 23



Figure 24



Figure 25

3. Configure local security settings.

Although Microsoft claims that Windows Server 2003 is very secure by default, I found that it is not. There are many places that need to be carefully configured to achieve the required security. "Local security settings" is a place that needs to be configured well.

Open "Local Security Settings" from the "Administrative Tools", Figure 26. Password policies, account lockout policies, audit policies, user rights assignments, security options and so on all need to be carefully configured. The author introduces the method by taking "User Rights Assignment" as an example. After selecting "User Rights Assignment", you can see, for each behavior, all the default groups that are allowed to perform it. As the seventh item in Figure 26 shows, a total of 5 groups of users have the right to access the computer remotely. This does not meet our security requirements and needs to be reconfigured. Double-click this item to open its properties, Figure 27. Here you can delete the Everyone, Power Users, and Users groups, or you can click "Add User or Group" to specify new users or groups that may access this computer remotely. Refer to Figures 5 and 8.


Figure 26



Figure 27

The above only describes the method; which specific behaviors you set permissions for depends on your own situation. Although configuring these one by one requires a lot of patience, it is a once-and-for-all approach. In addition, each of the policies shown in Figure 26 requires specific configuration in order to create an indestructible system defense.

IV. Some security common sense and precautions

1. Eliminate system intrusions based on the Guest account.

A lot of articles have introduced how to use the Guest user to get Admin permissions. The ideas and methods are nothing if not clever, and one cannot help but be impressed. Why is there such a problem? How can it be solved?

As a guest account, the Guest user has very low permissions, and its default password is empty. This allows an intruder to log in as Guest and eventually get Admin privileges. How this is done is beyond the scope of this article; only the defense against this Guest-based intrusion is described here. By analyzing the behavior of intruders, the author found that the best and most fundamental defense is to disable or completely delete the Guest account. However, in cases where you have to use the Guest account, you need some other defenses. The first is to give Guest a strong password. This can be set in "Administrative Tools" > "Computer Management" > "Local Users and Groups" > "Users", Figure 28. Then, following the method described in the primary security configuration, set the Guest account's access rights to physical paths in detail.


Figure 28

2. Rename the Administrator user and set up a complex password.

The Administrator account has the highest system privileges, and once this account is misused, the consequences are unimaginable. This makes it necessary to strengthen the management of this account, first of all, of course, by setting a strong and complex password. Below, the author describes how to reconfigure the Administrator account to deceive intruders.

Open "Administrative Tools" > "Local Security Settings" and open "Security Options" under "Local Policies". Near the end of the list there is an account policy, "Accounts: Rename administrator account", Figure 29. Double-click this policy to open its properties and modify it, Figure 30. Here the name is changed to 54master.


Figure 29



Figure 30

Open "Administrative Tools" > "Computer Management" > "Local Users and Groups" > "Users", Figure 31. Double-click Administrator to open its properties, write down its description, Figure 32, and change it to a different description. Then right-click "Users", select "New User", enter the data shown in Figure 33 and click OK.


Figure 31



Figure 32



Figure 33

Back in "Users", double-click the newly created account to open its properties and delete the default full name. Then, on the "Member Of" tab, remove it from the default Users group, Figure 34.

Figure 34

Look at Figure 35: if you were an intruder, could you tell which one is the real system administrator? Who would think that this is a new account that is not a system administrator, a new member without any permissions that does not belong to any group? The intruder will spend countless energy trying to find ways to get its password, heh. Let him.


Figure 35
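The settings from "Configure local security settings" and from the Guest and Administrator steps above can be checked against a policy export made with `secedit /export /cfg <file>`. This is an added example, not part of the original article: the sample export is constructed to look like an un-hardened host, `audit_export` is a hypothetical helper name, and the SIDs are the well-known ones for Everyone, Users and Power Users.

```python
import configparser

# Well-known SIDs of the groups the article removes from
# "Access this computer from the network" (SeNetworkLogonRight).
BROAD_GROUPS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
}

# Constructed sample of an un-hardened export (real exports are UTF-16 files).
SAMPLE_EXPORT = r'''
[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "Administrator"
EnableGuestAccount = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
'''

def audit_export(text):
    """Return findings for the settings hardened in the article (hypothetical helper)."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cfg.optionxform = str  # keep key names exactly as exported
    cfg.read_string(text)
    findings = []

    access = cfg["System Access"] if cfg.has_section("System Access") else {}
    if access.get("NewAdministratorName", "").strip('"').lower() == "administrator":
        findings.append("built-in Administrator account has not been renamed")
    if access.get("EnableGuestAccount", "0").strip() != "0":
        findings.append("Guest account is enabled")

    rights = cfg["Privilege Rights"] if cfg.has_section("Privilege Rights") else {}
    holders = [h.strip().lstrip("*")
               for h in rights.get("SeNetworkLogonRight", "").split(",") if h.strip()]
    for sid, name in BROAD_GROUPS.items():
        if sid in holders:
            findings.append(f"{name} ({sid}) may access this computer from the network")
    return findings

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

To audit a real export, read the file with `encoding="utf-16"` and pass its text to `audit_export`.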

3. Other places to pay attention to.

Staying alert to the System, Security, and Application logs, guarding against changes to the registry startup items, and keeping watch on user accounts and other sensitive areas are necessary conditions for ensuring the security of your system. Back up your data frequently to deal with catastrophic incidents. The allocation of users and rights should follow the principle of least privilege, that is, each user is assigned the minimum privileges that do not affect the user's normal use. Intuition is sometimes very important too: if the system suddenly becomes slower, it is necessary to judge whether it is infected with a virus. System security is like family planning: it is a long-term job. Even if you configure the best possible system, it may still be compromised through new vulnerabilities. This makes it necessary for administrators to keep learning at all times.

Postscript:

After using it for a period of time, the author's overall impression of Windows Server 2003 is good. It starts faster than 2000 and XP, and adds many new DOS features to the system: use the Defrag command for disk defragmentation; use the Diskpart command to manage disks, partitions, or volumes; use the Taskkill command to manage system processes; use the Logman command to create and manage event trace session logs and performance logs. As a Server version, Windows Server 2003's new "Distributed File System" (DFS) can bring files distributed across multiple servers in a domain together into one logical namespace, so that users only need to access a single drive to reach all the shared files. Windows Server 2003 has many other new features waiting for users to discover. Interested users can go to **** to download the trial version.

However, as Microsoft's operating systems develop faster and faster, their hardware requirements are getting higher and higher: the recommended configuration is a CPU frequency of 550MHz, 256MB of memory, a 2G system partition on the hard disk, and a display resolution of 800*600. This has kept some users with older machines away from such an attractive new operating system. For users who have already installed it, the problem is that much hardware has no drivers for Windows Server 2003; some drivers can be replaced with the 2000 or XP ones, but some cannot. My network card, which originally needed no driver, is not recognized, and using the 2000 or XP driver still doesn't help.

Overall, the performance of Windows Server 2003 is good. It is the first operating system released after Microsoft publicly announced its emphasis on product security. Its release was postponed three times, partly in order to improve safety and reliability, and many places have improved over previous versions. For example, when shutting down, you must record the reason for the shutdown; when downloading, you are prompted about dangerous files... These are new things that were not available in previous versions. In addition, users who go online should have an antivirus firewall that starts with the system to protect against viruses and Trojans. As for the security configuration of the system, as long as users apply it flexibly, learn from others' strengths, and have good security awareness, its security can fully meet the requirements of an ordinary user.


Copyright © Windows knowledge All Rights Reserved