Make your Windows 2000 safer, and then safer

  

Windows 2000 has a particularly large number of users, which makes it the most attacked system, but that does not mean Windows 2000 security is poor: with reasonable configuration and management it is very safe. I have been using Windows 2000 for quite some time and have gradually found a few ways to maintain its security. Here are some personal opinions; they surely have shortcomings, so please correct me.

Safe installation to minimize worries

The security of a Windows 2000 system should be built up starting from installation, but this is often overlooked. Note the following points when installing Windows 2000:

1. Do not choose to install from the network

Although Microsoft supports online installation, it is absolutely not safe. Do not connect to any network, especially the Internet, until the system is fully installed! Do not even connect all of the hardware during installation. During Windows 2000 setup, after you enter the password for the administrator account "Administrator", the system creates the "ADMIN$" share but does not protect it with the password just entered. This situation continues until the computer starts up again. In the meantime, anyone can enter the system through "ADMIN$". In addition, once installation completes, various services start automatically while the server is still full of holes, which makes it very easy to break into from outside.

2. Choose the NTFS format for partitions

Preferably all partitions should be NTFS, because NTFS partitions offer better security. Even if other partitions use another format (such as FAT32), at least the partition where the system is located should be NTFS.

In addition, applications should not be placed on the same partition as the system, so that an attacker who exploits an application vulnerability (such as Microsoft's IIS vulnerabilities, which you surely know about) cannot cause system files to leak or even gain administrator privileges remotely.

3. System version selection

We generally like to use software with a Chinese interface, but Microsoft products, for geographic and market reasons, appear first in English and only later in the languages of other countries. In other words, the kernel language of Windows is English, so the original English version should have far fewer vulnerabilities than the localized versions. Indeed, the widely circulated Windows 2000 Chinese input method vulnerability is something everyone has seen.

The secure installation described above can only reduce your worries. Do not think it settles things once and for all; there is still a lot of work waiting for you. Please read on:

Manage the system to make it more secure

When the system is not safe, do not blame the software itself; think about the human factors! Here are the points to be aware of during management, from the administrator's perspective:

1. Pay attention to the latest vulnerabilities, patch and install the firewall in time.

The administrator's responsibility is to maintain the security of the system. Keeping up with the latest vulnerability information and patching promptly are a must, and installing the latest version of a firewall can also help you. But remember the saying: "As virtue rises one foot, vice rises ten." There is no absolute security, and patches always trail the announcement of a vulnerability, so relying completely on system patches and a firewall is not workable!

2. Prohibit null sessions and keep intruders outside the door

Hackers often attack through shares. This is not really a vulnerability; the blame lies with administrator accounts and passwords that are too simple. If leaving it in place worries you, disable it!

This is mainly achieved by modifying the registry. The key and value are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]

RestrictAnonymous = DWORD:00000001

3. Disable the administrative shares

Besides the above, there is this one too. Disable them together!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

AutoShareServer = DWORD:00000000

4. Design passwords carefully to guard against intrusion

Having read points 2 and 3 above, experienced readers will naturally think of this. Yes, it is a commonplace topic: many servers are compromised because the administrator password is too simple.

For password settings, I suggest: (1) a length of more than 8 characters is appropriate; (2) use complex combinations of uppercase and lowercase letters, numbers, and special symbols, such as G1$2aLe^, and avoid passwords of the "plain word" or "word plus number" type, such as gale or gale123.

Special note: the SA password in MSSQL 7.0 must not be empty! By default, the "SA" password is empty, and its permissions are "admin". Think about the consequences.

5. Limit the number of users in the administrator group

Strictly limit the users in the administrator group, and always ensure that only one Administrator (that is, you) is a member of the group. Check the members of the group at least once a day, and delete any extra users you find! There is no doubt that a new user must be a back door left by an intruder! Also pay attention to the Guest user. Smart intruders generally do not add unfamiliar user names, since that would make it easy for the administrator to discover them. They usually activate the Guest user first, then change its password, then put it in the Administrators group. But why would Guest ever end up in the administrator group? Stop it!
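
An added example (not part of the original article) of the daily check described above: a Python function that parses the output of the built-in `net localgroup Administrators` command and flags Guest and any member not on an allow-list. The sample output is constructed and assumes an English-language system; the allow-list contents are an assumption.

```python
# Accounts allowed in the local Administrators group. The article's rule is
# exactly one member: the administrator's own account (name assumed here).
ALLOWED = {"administrator"}

def parse_members(net_output):
    """Extract member names from `net localgroup Administrators` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True            # the member list follows the dashed rule
        elif line.startswith("The command completed"):
            break                     # trailer line of the English-language output
        elif in_list and line:
            members.append(line)
    return members

def audit_admins(net_output, allowed=ALLOWED):
    """Return (member, reason) pairs for every account that should not be there."""
    findings = []
    for member in parse_members(net_output):
        name = member.lower()
        # Domain accounts are listed as DOMAIN\name; test the account part for Guest.
        if name.split("\\")[-1] == "guest":
            findings.append((member, "Guest account in Administrators group"))
        elif name not in allowed:
            findings.append((member, "not on the allow-list"))
    return findings

# Constructed sample of the command's output after the Guest trick described above.
SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
backup$
The command completed successfully.
"""

if __name__ == "__main__":
    for member, reason in audit_admins(SAMPLE):
        print(f"{member}: {reason}")
```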

6. Stop unnecessary services

Too many services is not a good thing; shut down every service that is not needed! In particular, if even the administrator does not know what a service is for, why keep it? Turn it off, lest it bring disaster to the system.

In addition, if the administrator does not need to manage the computer remotely, it is best to turn off all remote network login functions.

Stopping a service is very simple. After running cmd.exe, you can stop it directly with "net stop servername", where servername is the name of the service.

7. Administrator safety: do not use the company's server for private purposes

Besides acting as a server, Windows 2000 Server can also be used as a personal computer for browsing the Internet, sending and receiving e-mail, and so on. As an administrator, you should use the server's browser to browse the web as little as possible, to avoid Trojan infection and exposure of the company's private information through browser vulnerabilities. Microsoft IE has a lot of vulnerabilities, as I am sure you know. Likewise, use Outlook and similar tools on the server to send and receive e-mail as little as possible, to avoid viruses that would cause losses to the enterprise.

8. Pay attention to local security

Preventing remote intrusion is very important, but the local security of the system cannot be ignored either. The intruder is not necessarily far away; they may be right next to you!

(1) Install the latest patches promptly to guard against the input method vulnerability; this goes without saying. The input method vulnerability does not only allow local intrusion: if Terminal Services is enabled, the door to the system is wide open, and any machine with a terminal client installed can easily get in!

(2) Do not display the last logged in user

If your machine has to be shared by many people (in fact, a real server should not be used this way), it is important to stop the last logged-in user from being displayed, so that others cannot guess the password. To set this: go to [Start] → [Programs] → [Administrative Tools] → [Local Security Policy], open "Security Options" under "Local Policies", double-click the "do not display the last login user name on the login screen" entry on the right, select "Enabled", and then click [OK]. The next time you log in, the user name that was last logged in will not be displayed in the username box.

Friendly tip: in fact, it does not have to be so complicated, as long as we take care over the following points:

1. Set a strong password

2. Use the firewall to block ports that are easily exploited for attacks, such as 139, 445, 135 and 44.

3. If they are not necessary, uninstall services on the computer that may be exploited, such as IIS, Serv-U, MySQL and Microsoft SQL Server.

4. Carefully set the TCP/IP properties in the system and in the IIS, MySQL, Microsoft SQL Server and POP services.

5. Connect to the network through router dial-up, and set the DMZ to an empty area.

6. Set Windows Update to update automatically.

7. Have reliable antivirus support.
