Guarding the position, sturdy Windows XP password defense

  
To protect users' own interests and prevent computer resources from being illegally accessed and stolen by others, password protection is the most important and direct means. As the owner of a computer, I naturally want it to be as secure as possible! Although Windows is full of loopholes and is frequently attacked by viruses, the Windows operating system still dominates the market.

For internal management of Windows computers (public computers, multi-user Windows setups, etc.), passwords serve as the first "firewall" against illegal users. But how do you set a password in Windows? Taking Windows XP as an example, many people simply set a password they think is hard to crack in "Control Panel → User Accounts" and then become complacent! In fact, some further conditions are necessary to strengthen the password defense of Windows XP, as the following two "cases" show.

Case 1: Using the net command vulnerability to add users to invade Windows XP login

Intrusion feasibility analysis: the Windows XP system partition uses the FAT32 file system, and the administrator account name on the Windows XP system to be invaded contains no Chinese characters.

Intrusion process:

1. Boot Windows XP. When the screen shows "Starting Windows XP", press "F8" to call up the startup selection menu and select the "Safe Mode with Command Prompt" item;

2. After a while, a selection menu listing Administrator and the other users appears; select Administrator and press Enter to enter command-line mode;

3. Type the command "net user USERa 123456 /Add" (without the quotes, the same below). After pressing Enter, the system automatically adds a user named USERa with the password 123456. If the USERa user already exists in the system, this changes the password of the existing USERa user to 123456. Note that the password can be changed without entering the original password;

4. Then use the "net localgroup administrator USERa /Add" command to raise the USERa user to the administrator level, that is, to give it all rights to the operating system;

5. The last step is to restart the computer, choose the newly added account in the login window, and enter the newly set password to log in successfully.

Precautionary measures:

Prevention advice 1: Install Windows XP on the NTFS file system where possible. Although NTFS can still be accessed from pure DOS with the NTFS for DOS tool, this makes intrusion somewhat more difficult. If your Windows XP partition uses FAT32, you can convert it to NTFS as follows:

1. Click "Start → Run", enter "cmd" in the text box, and press Enter;

2. In the newly opened "Command Prompt" window, enter "convert C: /FS:NTFS" (assuming the XP system is located on the C drive). After pressing Enter, the system detects the file system of the current partition and, after a while, prompts for the volume label. If the partition has a volume label, enter the same label as before. After pressing Enter, the file system is converted.

Friendly Tips:

convert is a DOS command in Windows XP. Its function is to convert a FAT file system to the NTFS file system. In the "Command Prompt" window, type "convert /?" to view the specific parameters of the command (Figure 1).
Figure 1
3. After the conversion succeeds, right-click the C drive in Explorer, select the "Properties" command, and select the "Compress drive to save disk space" check box in the "C Disk Properties" window. After you click the "OK" button, the system starts to compress the files on the C drive, and a warning box pops up for some files. Select "Ignore All".

Prevention advice 2: Set a password for the administrator account named "Administrator", or rename the account (the specific method is covered later in this article). It is also best to create another administrator account whose name contains Chinese characters, the purpose being to make the input process troublesome for the intruder.

Case 2: Invasion of Windows XP by replacing the password management file

Intrusion feasibility analysis: Windows XP manages Windows XP logins through the "SPOOLSV.EXE" process (Figure 2). When logging in to the system, the system first calls the "SPOOLSV.EXE" process to check whether the current system uses a password. For accounts that do not have a login password, the "SPOOLSV.EXE" process uses the automatic login method, that is, it skips the password detection step. So the success rate of this intrusion is very high.

Fig. 2
The whole process of intrusion:

1. Find a Windows XP system without a password and enter the "\Windows\system32" system directory on the XP system disk. Copy the file named "SPOOLSV.EXE" (50KB) to a floppy disk or flash drive (see Figure 3).
Fig. 3
Friendly Tips:

If the specified file is not found in the "\Windows\system32" folder, the current system is hiding system files. In Explorer, click "Tools → Folder Options", uncheck the "Hide protected operating system files (Recommended)" check box on the "View" tab, and select "Show all files and folders" under "Hidden files and folders".

2. After the password file is ready, determine the file system of the Windows XP system to be invaded. If it is FAT32, it is very easy: just find a boot disk and copy "SPOOLSV.EXE" from the floppy disk to the "\Windows\system32" folder of the target XP system partition. For the NTFS file system, Case 1 has already mentioned access via NTFS for DOS. Of course, if several NT systems coexist, another system can be booted to do the replacement. The final purpose is to replace the "SPOOLSV.EXE" file.

3. After replacing the file, start Windows XP in the normal way. After a while you will find that you reach the Windows XP desktop directly without entering a password (a multi-user XP system logs in the first user), and the invasion has succeeded.

Intrusion aftermath: Although this case can successfully enter Windows XP, a password is still requested after switching or logging off the user. In other words, only the login window at system startup is skipped. Once the login window is activated (by switching or logging off the user), the password detection step is performed normally. In addition, the replacement breaks the system's sleep function.

Precautions: First, see "Prevention advice 1" in Case 1, which makes intrusion somewhat more troublesome; second, enable the Windows XP password policy function, which is the subject of this article.

From the above two cases, it seems that the password of Windows XP is useless. In fact, this is just a hidden danger of the default Windows XP password settings. By defining more secure password rules with the system's "Local Security Settings" tool, the Windows XP password defense can be fully strengthened.

1. Run the "Local Security Settings" tool

Click "Start → Run" and enter "secpol.msc" to launch it. In the tree on the left side of the main window, expand "Account Policies → Password Policy". The password rules we want to define are the options displayed in the right panel (as shown in Figure 4)!


Fig. 4
2. Set password rules for each option

First double-click "Password must meet complexity requirements" and set the security setting to "Enabled". From then on, a password created by the user in "Control Panel → User Accounts" must contain three types of characters: uppercase and lowercase English letters, Arabic numerals and special characters (such as punctuation, !@#$%^&(), etc.). If one of the character types is missing, a dialog box prompt pops up.

Tips: conditions for a secure password:

(1) Do not use your own name, your birthday, or simple words or numbers that can be found in a dictionary as all or part of the password;

(2) Add special characters to your password, such as "+-*/~", and alternate upper and lower case if necessary. Although most programs support Chinese characters in passwords, they are inconvenient to enter (you have to type the Chinese characters in another text box and then copy and paste them in), so Chinese character passwords are not recommended.

If you think that creating a password is simple but remembering it is not, you can try this method: first, pick an English sentence that you are very familiar with and find easy to remember. It can be a famous saying or a sentence like "Hello!Is it my PassWord?", from which we can derive, step by step, the short password "H!IimPw?". When you use the password, recite the sentence in your head (don't say it aloud!) and enter the key characters.

Minimum password length (Figure 5): the minimum number of characters in a password that a user creates. An Arabic numeral between 0 and 14 can be entered; 0 means that no length check is applied to the password created. If a user-created password does not meet the required length, the system also pops up a warning dialog box;
Figure 5
Maximum password age (as shown in Figure 6): This option is more interesting. It sets the expiration time of the password, that is, a new password that meets the requirements must be set within the specified period. Setting it to 0 means that the password never expires. The longest period is 999 days.
Figure 6
Minimum password age (as shown in Figure 7): In contrast to the "Maximum password age" option, this sets the minimum time a password must be kept, during which the user is not allowed to change it. Similarly, if you set it to 0, the password can be changed at any time. The maximum value is 998 days.
Figure 7
Enforce password history (as shown in Figure 8): Frequent password changes inevitably produce many different passwords. The system "remembers" the passwords you have used, and this option sets how many passwords it remembers. 0 means that no password history is kept; the system can remember at most 24 passwords, since system memory is limited after all ^-^;

Figure 8
Store password using reversible encryption for all users in the domain: To ensure password security, it is recommended to disable this feature.

Once the meaning and scope of each option are clear, password rules can be customized flexibly. The author offers a reference scenario here: enable the password complexity requirements, set the minimum password length to eight characters and set Enforce password history to 0, then decide the maximum and minimum password age. Generally, the maximum age is set to 2 to 3 times the minimum age. For example, if the maximum password age is set to 30 days, the minimum password age can be set to 10 days, which is more reasonable.
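An added example, not from the original article: a Python check that reads the [System Access] section of a security template exported with `secedit /export /cfg` and compares it with the option ranges and the reference scenario above. The sample template is constructed, and treating -1 as "never expires" is an assumption.

```python
import configparser

# Constructed sample of the [System Access] section that
# `secedit /export /cfg policy.inf` writes (real exports are UTF-16 files).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 1
NewAdministratorName = "Administrator"
"""

# Value ranges the article gives for each option.
RANGES = {"MinimumPasswordLength": (0, 14), "MaximumPasswordAge": (0, 999),
          "MinimumPasswordAge": (0, 998), "PasswordHistorySize": (0, 24)}

def audit_password_policy(inf_text):
    """Return findings where the template departs from the reference scenario."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key names case-sensitive
    cp.read_string(inf_text)
    pol = {}
    for key, value in cp["System Access"].items():
        if value.strip().lstrip("-").isdigit():  # skip string settings
            pol[key] = int(value)
    if pol.get("MaximumPasswordAge") == -1:
        pol["MaximumPasswordAge"] = 0  # assumption: -1 in a template = never expires
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key in pol and not lo <= pol[key] <= hi:
            findings.append(f"{key}={pol[key]} outside {lo}-{hi}")
    if pol.get("PasswordComplexity", 0) != 1:
        findings.append("complexity requirements disabled")
    if pol.get("MinimumPasswordLength", 0) < 8:
        findings.append("minimum length below 8")
    if pol.get("ClearTextPassword", 0) != 0:
        findings.append("reversible encryption enabled")
    min_age = pol.get("MinimumPasswordAge", 0)
    max_age = pol.get("MaximumPasswordAge", 0)
    if max_age == 0:
        findings.append("passwords never expire")
    elif min_age == 0 or not 2 * min_age <= max_age <= 3 * min_age:
        findings.append("maximum age is not 2-3x minimum age")
    return findings

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_INF):
        print("FINDING:", finding)
```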

3. Rename administrator account

Windows XP default system administrator account name is "Administrator" (the so-called true system administrator
