Is there some important data on your server that cannot be disclosed at will? Of course there is, right? Recently, servers are at particularly high risk. More and more viruses, malicious hackers, and commercial spies are targeting servers. Obviously, server security issues cannot be ignored for a moment.
Tip 1: Start with the basics
Starting from the basics is the safest way. You must convert all areas on the server that contain confidential data to NTFS format; similarly, anti-virus programs must be updated on time. It is recommended to install anti-virus software on both the server and desktop computers. The software should also be set up to automatically download the latest virus definition files every day. In addition, the Exchange Server (mail server) should also be equipped with anti-virus software. This type of software can scan all incoming emails to look for virus-infected attachments. If a virus is found, the email will be immediately quarantined to reduce the user's chance of being infected. .
Another good way to protect your network is to limit user access to the network based on employee working hours. For example, employees who work during the day should not have access to the network in the middle of the night.
Finally, access to any data on the network requires a password login. Force everyone to use a mix of uppercase and lowercase letters, numbers, and special characters when setting passwords. There is such tool software in the Windows NT Server Resource Kit. You should also set a password that you update regularly and must be at least eight characters long. If you have taken these measures but are still worried that your passwords are not secure, you can try downloading some hacking tools from the Internet and test how secure these passwords are.
Tip 2: Protect your backups
What most people don’t realize is that backups themselves are a huge security hole, right? Just imagine, most backup jobs start at 10 or 11 pm. Depending on the amount of data, it may be midnight after the backup is completed. Now, imagine it's four in the morning and the backup has finished. This is the perfect time for someone to steal the backup disk and restore it on a server at home or at your competitor's office. However, you can prevent this from happening. First, you can password-protect your disk, and if your backup program supports encryption, you can also encrypt the data. Secondly, you can set the time for the backup to be completed when you enter the office in the morning. In this case, even if someone wants to sneak in and steal the disk in the middle of the night, they will not be able to because the disk is in use; if the thief takes the disk away by force, he will It is also impossible to read the damaged data.
Tip 3: Use the callback function of RAS
One of the coolest features of Windows NT is support for Remote Access Server (RAS). Unfortunately, RAS servers are too convenient for hackers. All they need is a phone number, a little patience, and then they can gain access through RAS. host. However, you can take some measures to protect the security of your RAS server.
The technique you use depends largely on how the remote accessor works. If the remote user often accesses the Internet from home or a fixed place, it is recommended that you use the callback function. It allows the remote user to hang up after logging in, and then the RAS server will dial the preset phone number to connect the user. Because this Once the phone number is already pre-programmed, the hacker has no chance to specify the number the server should call back.
Another approach is to restrict remote users to access a single server. You can copy frequently used data to a special shared point on the RAS server, and then limit remote user logins to one server rather than the entire network. In this way, even if hackers invade the host, they can only cause trouble on a single machine, indirectly reducing the damage.
One final trick is to use an "alternative" network protocol on the RAS server. Many people use the TCP/ip protocol as the RAS protocol. Taking advantage of the nature and acceptance of the TCP/IP protocol itself, this choice is quite reasonable, but RAS also supports IPX/SPX and NetBEUI protocols. If you use NetBEUI as the RAS protocol, hackers will definitely be confused if they are not careful for a moment.
Tip 4: Consider workstation security
It may seem out of place to mention workstation security in an article about server security. However, the workstation is the door into the server. Strengthening the security of the workstation can improve the security of the overall network. For starters, Windows 2000 is recommended on all workstations. Windows 2000 is a very secure operating system. If you don't have Windows 2000, at least use Windows NT. This way you can lock down your workstation, and without permission, it would be difficult for the average person to obtain network configuration information.
Another tip is to restrict users to log in from specific workstations. Another trick is to treat the workstation as a dumb terminal, or in other words, a smart dumb terminal. In other words, there will be no data or software on the workstation. When you use the computer as a dumb terminal, the server must execute the Windows NT Terminal Service program, and all applications only run on the server. The workstation can only passively receive and Just display data. This means that the workstation only has a minimal version of Windows installed, and a copy of Microsoft Terminal Server Client. This approach should be the most secure network design option.
Tip 5: Implement the latest patches
Microsoft has a group of manpower dedicated to checking and patching security vulnerabilities. These fixes (patches) are sometimes collected into service packs and released. Service packs usually come in two different versions: a 40-bit version that anyone can use, and a 128-bit version that is only available in the United States and Canada. The 128-bit version uses a 128-bit encryption algorithm, which is much more secure than the 40-bit version.
Sometimes it takes several months for a service pack to be released, but if a serious vulnerability is discovered, of course you want to patch it immediately and don't want to wait for a belated service pack. Fortunately, you don’t need to wait. Microsoft will regularly release important patches on its FTP site. These latest patches have not yet been included in the latest version of the service pack. I recommend that you check out the latest patches frequently. , remember that the patches must be used in chronological order. If used out of order, it may lead to incorrect versions of some files and may also cause Windows to crash.
Tip 6: Enact strict security policies
Another way to improve security is to develop a strong security policy and make sure everyone understands it and enforces it. If you use Windows 2000 Server, you can authorize some permissions to specific agents without giving up all network management rights. Even if you approve certain permissions of the agent, you can still limit the level of their permissions. For example, they cannot open new user accounts or change permissions.
Tip 7: Firewall, check, check again
One final tip is to double-check your firewall settings. Firewalls are an important part of network planning because they protect company computers from malicious damage from the outside.
First, don't publish IP addresses that aren't necessary. You must have at least one external IP address, and all network communications must pass through this address. If you also have a DNS-registered web server or email server, these IP addresses must also be published through the firewall. However, the IP addresses of workstations and other servers must be hidden.
You can also check all communication ports to make sure that all infrequently used ones have been closed. For example, TCP/IP port 80 is used for HTTP traffic, so this port cannot be blocked. Maybe port 81 will never be used, so it should be turned off.