Windows 2000 has so many users that it ranks at the top of the list of attacked systems. However, this does not mean that the security of Windows 2000 is poor. As long as it is properly configured and managed, it is relatively safe. I have been using Windows 2000 for a long time, and I have gradually figured out some ways to maintain its security. Here are some personal opinions. Please correct me if I have missed anything.
Safe installation minimizes worries
The security of a Windows 2000 system is built up bit by bit, starting at installation, but this is often ignored. Note the following points when installing Windows 2000:
1. Do not choose to install from the Internet
Although Microsoft supports online installation, it is definitely not safe. Do not connect to the network, especially the Internet, before the system is fully installed! Do not even connect all the hardware during installation. When Windows 2000 is installed, after you enter the password for the administrator account "Administrator", the system creates the "ADMIN$" share, but does not protect it with the password just entered. This situation continues until the computer restarts. During this period, anyone can enter the system through "ADMIN$". In addition, as soon as the installation completes, various services start running automatically. At this point the server is still full of vulnerabilities and is very easy to intrude on from outside.
2. Format partitions as NTFS
It is best that all partitions are in NTFS format, because NTFS formatted partitions are more secure. Even if other partitions use other formats (such as FAT32), at least the partition where the system is located should be in NTFS format.
In addition, applications should not be placed on the same partition as the system. This prevents attackers from exploiting application vulnerabilities (such as the well-known Microsoft IIS vulnerabilities) to leak system files or even to obtain administrator privileges remotely.
3. Selection of system version
We generally like to use software with a Chinese interface, but because of geography and market factors, Microsoft products are released in English first, followed by versions in other languages. In other words, the core language of Windows is English, so the original English version should have far fewer vulnerabilities than the localized versions derived from it. This has proved true: the Chinese input method vulnerability of Windows 2000 caused a big stir that everyone saw.
A safe installation only reduces your worries; do not think of it as a once-and-for-all fix. There is still a lot of work waiting for you. Please continue reading:
Manage your system properly to make it more secure
When a system is insecure, don't always blame the software itself; think more about the human factors! Here are some points to pay attention to during management, from the administrator's perspective:
1. Pay attention to the latest vulnerabilities, apply patches and install firewalls in time
The administrator's responsibility is to maintain the security of the system, keep up with the latest vulnerability information, and apply the corresponding patches promptly. This is the simplest and most effective way to maintain system security. I would like to recommend a good security site abroad: http://www.eeye.com. It is also necessary to install the latest version of a firewall, which can help you. But remember: "As high as the road is, so high is the devil." There is no absolute security. Patches always come after vulnerabilities are announced, so you cannot rely entirely on system patches and firewalls!
2. Forbid null sessions and keep people out
Hackers often use shares to carry out attacks. This is not really a vulnerability in sharing itself; the administrator's account name and password are simply too easy to guess. If you are uneasy about leaving these connections available, it is better to forbid them!
This is mainly done by modifying the registry. The key and value are as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymous = DWORD:00000001
3. Disable administrative shares
In addition to the above, let’s ban this one too!
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
AutoShareServer = DWORD:00000000
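To confirm that the two values from points 2 and 3 are actually in place, the added example below (not part of the original article) audits the text of a registry export. The sample export, including its extra values, is constructed for illustration.

```python
import re

# Values this article recommends: (key path, value name, required DWORD).
REQUIRED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA",
     "RestrictAnonymous", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", 0),
]

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_export(text):
    """Return {(KEY, NAME): int} for every DWORD value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()   # registry paths are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).upper())] = int(m.group(2), 16)
    return values

def audit(text):
    """List findings as (value name, found value or None, required value)."""
    found = parse_reg_export(text)
    findings = []
    for key, name, want in REQUIRED:
        got = found.get((key.upper(), name.upper()))
        if got != want:                # a missing value counts as a finding
            findings.append((name, got, want))
    return findings

# Constructed sample export: null sessions restricted, AutoShareServer never set.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LmCompatibilityLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"NullSessionPipes"=hex(7):00,00
'''

if __name__ == "__main__":
    for name, got, want in audit(SAMPLE):
        print(f"{name}: found {got}, article recommends {want}")
```

Exports in the "Version 5.00" format are written as UTF-16, so decode the file with that encoding before passing its text to audit().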
4. Design passwords carefully to prevent intrusion
Haha, after reading points 2 and 3 above, experienced friends will naturally think of this. Yes, this is a cliché. Many servers are compromised because the administrator password is too simple.
Regarding the setting of passwords, I recommend: ① The length should be more than 8 characters. ② Complex combinations of uppercase and lowercase letters, numbers, and special symbols, such as: G1aLe^. Avoid "pure words" or "words plus numbers" type passwords, such as: gale, gale123, etc.
Special note: The SA password in MSSQL 7.0 must not be empty! By default, the "SA" password is empty, and its permission is "admin". Think about the consequences.
5. Limit the number of users in the administrator group
Strictly limit the members of the Administrators group, and make sure that only one Administrator (that is, yourself) belongs to it at all times. Check the members of this group at least once a day, and delete any additional users you find! There is no doubt that such new users are backdoors left by intruders! Also keep an eye on the Guest user. Smart intruders generally do not add unfamiliar user names, which administrators can easily spot. They usually enable the Guest user first, then change its password, and then put it in the administrators group. But why would the Guest user be in the administrators group for no reason? Stop it!
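The daily membership check described above can be scripted. The added example below (not part of the original article) parses captured output of net localgroup Administrators and reports unexpected members and a Guest account in the group. The allow-list, the account name backup_op, and the English-language command output are assumptions made for the example.

```python
# Accounts allowed in the local Administrators group. The article's rule is
# a single administrator; the name used here is an assumption for the example.
ALLOWED = {"administrator"}

def parse_members(output):
    """Extract member names from `net localgroup Administrators` output."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):          # separator above the member list
            in_list = True
            continue
        if in_list:
            # The list ends at a blank line or the status message
            # (English-locale wording assumed).
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return members

def review(output, allowed=ALLOWED):
    """Return (unexpected members, True if Guest is in the group)."""
    members = parse_members(output)
    extra = [m for m in members if m.lower() not in allowed]
    # Strip an optional DOMAIN\ prefix before comparing with "guest".
    guest = any(m.lower().split("\\")[-1] == "guest" for m in members)
    return extra, guest

# Constructed sample of the command's output on a tampered machine.
SAMPLE = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
backup_op
The command completed successfully.
"""

if __name__ == "__main__":
    extra, guest = review(SAMPLE)
    for name in extra:
        print("unexpected administrator:", name)
    if guest:
        print("Guest is in the Administrators group")
```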
6. Stop unnecessary services
Having too many services enabled is not a good thing. Turn off all unnecessary services! In particular, if even the administrator does not know what a service is, why is it still running? Turn it off, to avoid bringing disaster on the system.
In addition, if the administrator does not travel and does not need to manage the computer remotely, it is best to turn off all remote network login functions. Note that unless specifically needed, disable the "Task Scheduler" and "RunAs Service" services!
Shutting down a service is very simple: run cmd.exe and type net stop servicename.
7. Administrators should behave themselves and not use the company’s servers for personal use.
Besides being a server, Windows 2000 Server can also act as a computer for individual users: browsing the Internet, sending and receiving e-mail, and so on. As an administrator, you should use the server's browser to browse the web as little as possible, to avoid Trojan infection and exposure of the company's private information through browser vulnerabilities. Microsoft IE has a lot of vulnerabilities; I believe everyone is aware of that, right? In addition, it is recommended not to use Outlook and similar tools on the server to send and receive e-mail, to avoid contracting viruses and causing losses to the enterprise.
8. Pay attention to local security
Preventing remote intrusion is important, but the local security of the system cannot be ignored. The intruder may not be far away; he may be right beside you!
(1) It goes without saying that you should apply the latest patches promptly to close the input method vulnerability. The input method vulnerability not only allows local intrusion; if the terminal service is turned on, the door to the system is wide open, and any machine with a terminal client installed can easily break in!
(2) Do not display the last logged-in user
If your machine has to be shared by multiple people (in fact, a real server should not be used like this), then it is important to disable the display of the last logged-in user, to prevent others from guessing the password. To set this, go to [Start] → [Programs] → [Administrative Tools] → [Local Security Policy], open "Security Options" under "Local Policy", double-click "Do not display the last logged-in user name on the login screen" on the right, select "Enabled", and then click [OK]. After this, the user name you last logged in with will not be displayed in the user name box the next time you log in.