How to set up the server

Category: web front end. Published 2011-04-11.

Windows 2000 contains many security features and options. Configured properly, it can be a very secure operating system.


1.1 Physical security

The server should be placed in a separate, locked room under video surveillance, and the recordings should be kept for at least 15 days. In addition, lock the chassis, the keyboard and the drawer of the computer desk, so that nobody who gets into the room can use the machine, and keep the keys in a different safe place.

1.2 Disable the Guest account

In Computer Management, under Local Users and Groups, disable the Guest account; it should never be allowed to log on. To be safe, also give it a complex password: open Notepad, type a long string of special characters, digits and letters, and paste it in as the Guest account's password.

1.3 Limit unnecessary user accounts

Remove all duplicate accounts, test accounts, shared accounts, generic departmental accounts and the like. Assign permissions through group membership rather than account by account, check the system's accounts frequently, and delete any that are no longer in use. These accounts are often an attacker's way in: the more accounts a system has, the more likely an attacker is to end up with the rights of a legitimate user. On domestic NT/2000 hosts with more than 10 accounts, one or two weak-password accounts can usually be found. I once found that 180 of the 197 accounts on one host had weak passwords.

1.4 Create two accounts for the administrator

Although this seems to contradict the previous point, it follows the same rule. Create one account with ordinary user rights for reading messages and routine work, and a second account in the Administrators group that is used only when necessary. From the ordinary account the administrator can use the runas command to run just the tasks that need privileges, which is convenient and limits what a compromised session can do.

1.5 Rename the Administrator account

As everyone knows, the built-in Administrator account in Windows 2000 cannot be disabled, which means anyone can keep trying passwords against it indefinitely. Renaming the Administrator account helps. Do not rename it to something like Admin; that is as good as not renaming it. Give it a name that looks like an ordinary user account instead. Note that the renamed account keeps the well-known relative ID 500, so anyone who can enumerate accounts (see the null-session setting in 2.10) can still identify it; renaming only defeats attackers who go by the name.

1.6 Create a trap account


What is a trap account? Create a local account named "Administrator", give it the lowest possible privileges so that it can do nothing, and set a very complex password of more than 10 characters. This keeps script kiddies busy for a while, and every attempt on the account shows up in the security log (see 2.4), which reveals the intrusion attempt. You can also play some tricks in its logon script. That should be enough mischief.

1.7 Change share permissions from Everyone to authorized users

In Win2000, the Everyone group means that any user who can reach your network can get at the shared files. Never assign share permissions to the Everyone group, and that includes printer shares. The default permission on a new share is Everyone, so don't forget to change it.

1.8 Use secure passwords

A good password is very important for a network, yet it is the thing most easily neglected; the figures above already illustrate this. Many company administrators, when creating accounts, use the company name, the computer name or something else easily guessed as the user name, and then set the password to something trivially simple such as "welcome", "iloveyou", "letmein", or the same as the user name. Such accounts should require the user to change to a complex password at first logon, and passwords should be changed regularly. When this came up on IRC the other day, we settled on a definition of a good password: one that cannot be cracked within its validity period. That is, if someone gets hold of your password file, it must take 43 days or more to crack, while your password policy forces a change every 42 days.
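To make the "43 days or more" definition concrete, here is an added example (not from the original article) that computes how long exhausting the keyspace takes at an assumed guess rate and finds the shortest password length that outlasts the 42-day rotation period. The rate of 1e9 guesses per second is an assumption; the real figure depends on the hash format and the attacker's hardware. The symbol count of 33 is the number of printable ASCII punctuation characters. It goes beyond the text by also checking the six-character minimum from the policy in 2.5 against this rule.

```python
"""Does a password policy pass the article's "must take longer to crack
than it lives" test?

Added example; not part of the original article.  Models an offline attack
(the attacker has the password hashes) at a fixed guess rate.  The rate is
an assumption: it depends on the hash type and the attacker's hardware.
"""

SECONDS_PER_DAY = 86_400

# Character classes that Win2000 "password complexity" draws from (3 of 4 required).
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,   # printable ASCII punctuation
}


def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` characters over `classes`."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def exhaustive_days(length, classes, guesses_per_second):
    """Days needed to try every password of this length.

    This is the attacker's worst case and therefore the longest time a
    defender may count on; on average the password falls in half that time.
    """
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_DAY


def meets_policy(length, classes, guesses_per_second, max_age_days):
    """The article's rule: exhausting the keyspace must outlast the password's lifetime."""
    return exhaustive_days(length, classes, guesses_per_second) > max_age_days


def min_length_for_policy(classes, guesses_per_second, max_age_days):
    """Smallest length whose full keyspace outlasts the rotation period."""
    length = 1
    while not meets_policy(length, classes, guesses_per_second, max_age_days):
        length += 1
    return length


if __name__ == "__main__":
    RATE = 1e9        # assumed guesses per second
    MAX_AGE = 42      # days, the rotation period from 1.8 / 2.5
    three = ("lower", "upper", "digit")
    four = ("lower", "upper", "digit", "symbol")
    print(f"6 chars, 3 classes: {exhaustive_days(6, three, RATE):.4f} days to exhaust")
    print("min length, 3 classes:", min_length_for_policy(three, RATE, MAX_AGE))
    print("min length, 4 classes:", min_length_for_policy(four, RATE, MAX_AGE))
```

Run as written it reports that a six-character password over letters and digits is exhausted in under a day at that rate, and that nine characters (three character classes) or eight characters (all four classes) are needed to outlast 42 days. The conclusion holds at any realistic rate: the six-character minimum in 2.5 does not satisfy the article's own criterion, so treat it as a floor, not a target.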

1.9 Set a screen saver password

This is simple and necessary. A screen saver password is also a barrier against insiders tampering with the server. Avoid OpenGL and other elaborate screen savers, which waste system resources; use a blank screen instead. All machines used by system administrators should have screen saver passwords as well.

1.10 Use NTFS on all partitions

Convert all of the server's partitions to NTFS. NTFS is much safer than FAT and FAT32, which have no file permissions at all, whereas NTFS supports per-file access control (and EFS, see 3.4). Everyone's server should already be NTFS anyway.

1.11 Run anti-virus software

I have never seen a Win2000/NT server with anti-virus software installed. In fact it is very important: good anti-virus software not only removes well-known viruses but also detects and removes a large number of trojans and backdoor programs, which makes the well-known trojans used by "hackers" useless. Don't forget to update the virus database frequently.

1.12 Keep the backup media safe

Once system data is destroyed, the backup is the only way to restore it. After backing up, keep the backup media in a safe place. Never keep the backup on the same server; in that case you might as well not back up at all.


2.1 Use the Win2000 security configuration tools to configure policies

Microsoft provides a set of security configuration and analysis tools based on the MMC (Microsoft Management Console): the Security Configuration and Analysis and Security Templates snap-ins, plus the secedit command-line tool, which applies the same templates from a script. With them you can easily configure your server to meet your requirements. See Microsoft's site for details.

2.2 Turn off unnecessary services

Terminal Services, IIS and RAS in Windows 2000 can all open security holes in your system. Many machines have Terminal Services enabled for convenient remote management; if yours does, make sure it is configured correctly. Some malicious programs also run quietly as services, so pay attention to every service running on the server and check them regularly (daily). The following are the default services installed at the C2 level:

Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM Security Support Provider
Server
RPC Locator
WINS
Remote Procedure Call (RPC)
Workstation
Net Logon
Event Log

2.3 Close unnecessary ports

Closing ports means giving up functionality, so you have to weigh security against function. If the server sits behind a firewall you run fewer risks, but never assume you can relax. Scanning a system's open ports with a port scanner to find out which services are running is the first step of any intrusion. The file %SystemRoot%\system32\drivers\etc\services contains a table of well-known ports and the services behind them for reference. The specific steps are:

Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties. Enable TCP/IP filtering and add only the TCP ports, UDP ports and IP protocols you need. Note that this filter applies to inbound traffic on all adapters, and permitting only specific ports blocks any service you forgot to list, so scan the server from another host afterwards to confirm exactly what is still open.

2.4 Enable the audit policy

Enabling security auditing is the most basic form of intrusion detection that Win2000 offers. When someone tries to break in somehow (guessing user passwords, changing the account policy, accessing files without authorization, and so on), the security audit records it. Many administrators did not know for months that their system had been compromised, until it was damaged. The following audit settings must be enabled; add others as needed:

Policy: setting

Audit account logon events: success, failure
Audit account management: success, failure
Audit logon events: success, failure
Audit object access: success
Audit policy change: success, failure
Audit privilege use: success, failure
Audit system events: success, failure

Note that object access auditing only produces events for objects that have audit entries (a SACL) set on them, and auditing successful privilege use can be noisy. Also raise the maximum size of the security log in Event Viewer so that records are not overwritten before you read them.
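The audit records only help if someone reads them. The following added example (not from the original article) shows the kind of check worth running over a security-log export: it flags any logon attempt against the trap account from 1.6, repeated logon failures from one workstation using the thresholds of the lockout policy in 2.6, lockout events, and changes to the audit policy or the account list. The event IDs are the Windows 2000 ones (528, 529, 539, 612, 624). The log lines are constructed for illustration in a simplified tab-separated layout; a real Event Viewer export carries the same fields inside the event description, so the parser would need adapting. The trap account name, the domain and the workstation names are assumptions.

```python
"""Scan Win2000 security audit records for the signals the article describes:
logons to the decoy "Administrator" account (1.6), password guessing
(repeated 529 failures), lockouts, and audit-policy or account changes.

Added example, not part of the original article.  SAMPLE_LOG is constructed
data in a simplified layout: time, event ID, account, domain, workstation,
tab-separated, one event per line, in chronological order.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows 2000 / NT security event IDs (the 46xx IDs came with Vista).
LOGON_SUCCESS = 528
LOGON_FAILURE = 529          # unknown user name or bad password
ACCOUNT_LOCKED_OUT = 539
AUDIT_POLICY_CHANGE = 612
USER_ACCOUNT_CREATED = 624

TRAP_ACCOUNT = "Administrator"   # the decoy from 1.6; nobody should ever use it (assumed)

# Constructed sample export, not real data.
SAMPLE_LOG = """\
2011-04-11 02:13:05\t529\tAdministrator\tSRV01\tATTACKER01
2011-04-11 02:13:07\t529\tAdministrator\tSRV01\tATTACKER01
2011-04-11 02:13:09\t529\tAdministrator\tSRV01\tATTACKER01
2011-04-11 02:13:11\t539\tAdministrator\tSRV01\tATTACKER01
2011-04-11 02:14:00\t529\twang\tSRV01\tATTACKER01
2011-04-11 02:14:30\t529\twang\tSRV01\tATTACKER01
2011-04-11 09:00:12\t528\twang\tSRV01\tWANG-PC
2011-04-11 09:05:40\t528\tsrvadm\tSRV01\tSRV01
2011-04-11 09:06:01\t612\tsrvadm\tSRV01\tSRV01
2011-04-11 09:06:30\t624\tsrvadm\tSRV01\tSRV01
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    account: str
    domain: str
    workstation: str


def parse_log(text):
    """Turn the tab-separated export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, domain, workstation = line.split("\t")
        events.append(Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), account, domain, workstation))
    return events


def analyze(events, threshold=3, window=timedelta(minutes=20)):
    """Apply the detection rules to events in chronological order.

    threshold/window default to the lockout policy in 2.6: three failures
    within the 20-minute counter-reset period.
    """
    findings = {
        "trap_hits": [],          # any logon attempt, failed or successful, on the decoy
        "guessing": set(),        # (account, workstation) pairs over the threshold
        "lockouts": [],
        "sensitive_changes": [],  # audit policy changed, account created
    }
    recent_failures = defaultdict(list)   # (account, workstation) -> failure times in window

    for ev in events:
        if ev.event_id in (LOGON_SUCCESS, LOGON_FAILURE) and ev.account.lower() == TRAP_ACCOUNT.lower():
            findings["trap_hits"].append(ev)

        if ev.event_id == LOGON_FAILURE:
            key = (ev.account.lower(), ev.workstation)
            # sliding window: drop failures older than `window`, then add this one
            recent_failures[key] = [t for t in recent_failures[key] if ev.time - t <= window]
            recent_failures[key].append(ev.time)
            if len(recent_failures[key]) >= threshold:
                findings["guessing"].add(key)
        elif ev.event_id == ACCOUNT_LOCKED_OUT:
            findings["lockouts"].append(ev)
        elif ev.event_id in (AUDIT_POLICY_CHANGE, USER_ACCOUNT_CREATED):
            findings["sensitive_changes"].append(ev)
    return findings


if __name__ == "__main__":
    f = analyze(parse_log(SAMPLE_LOG))
    for ev in f["trap_hits"]:
        print(f"TRAP   {ev.time} event {ev.event_id} on {ev.account} from {ev.workstation}")
    for account, ws in sorted(f["guessing"]):
        print(f"GUESS  repeated failures for {account} from {ws}")
    for ev in f["lockouts"]:
        print(f"LOCK   {ev.time} {ev.account} locked out")
    for ev in f["sensitive_changes"]:
        print(f"CHANGE {ev.time} event {ev.event_id} by {ev.account}")
```

A successful logon (528) to the trap account is the loudest alarm of all, since nobody should know its password; the rule therefore flags successes as well as failures. The sample produces three trap hits, one guessing source, one lockout and two sensitive changes (the audit-policy change and the new account), which is exactly the sequence an administrator should expect from an unattended password-guessing tool followed by someone tidying up after themselves.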

2.5 Enable the password policy

Policy: setting

Passwords must meet complexity requirements: enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 42 days

The last entry is the 42-day rotation period from 1.8. Six characters is only a floor; by the standard in 1.8, longer passwords are needed.


2.6 Enable the account lockout policy

Policy: setting

Reset account lockout counter after: 20 minutes
Account lockout duration: 20 minutes
Account lockout threshold: 3 invalid logon attempts

A low threshold also lets an attacker who knows account names lock users out on purpose; the 20-minute duration limits the damage, and the failures and lockouts show up in the security log (see 2.4).

2.7 Set access rights on the security log

The security log is unprotected by default. Set it so that only Administrators and the SYSTEM account can access it.

2.8 Store sensitive files on a separate file server

Although servers now have very large hard disks, consider whether important user data (documents, data tables, project files and so on) should be kept on a separate, secured file server and backed up frequently.

2.9 Do not display the last logged-on user name

By default the logon dialog, both the local one and the one shown by Terminal Services, displays the name of the last user who logged on. That hands valid user names to anyone who sees the screen, who can then guess passwords. Editing the registry stops the dialog from displaying the last user name:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Set this REG_SZ value to 1.

2.10 Disable null sessions

By default anyone can connect to the server with a null session (an anonymous connection to the IPC$ share), enumerate the account names, and then guess their passwords. Prevent this by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (REG_DWORD) to 1. Two caveats: with the value 1, tools that look accounts up by SID can still enumerate them; Windows 2000 also accepts the value 2, which denies anonymous connections altogether, but that can break the Computer Browser service and some domain trust relationships, so test it before relying on it.
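The policy and registry settings in 2.4, 2.5, 2.6, 2.9 and 2.10 can be applied in one step with a security template for the secedit tool mentioned in 2.1, instead of clicking through each dialog, and the same template can later be used with secedit /analyze to check whether a server has drifted from it. The template below is an added example, not from the original article. The file names hardening.inf, hardening.sdb and the log names are assumed; the policy and audit values are the ones the sections above list, and the two registry lines use the value types given in 2.9 (REG_SZ) and 2.10 (REG_DWORD).

```ini
; hardening.inf (file name assumed): Windows 2000 security template.
; Apply:  secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log
; Check:  secedit /analyze   /db hardening.sdb /cfg hardening.inf /log analyze.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; 2.5 password policy (MaximumPasswordAge is the 42-day rotation from 1.8)
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 42
; 2.6 account lockout policy (durations in minutes)
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20

[Event Audit]
; 2.4 audit policy: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3

[Registry Values]
; format: MACHINE\<key>\<value>=<type>,<data>   (type 1 = REG_SZ, 4 = REG_DWORD)
; 2.9 do not show the last logged-on user name
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1,1
; 2.10 restrict anonymous (null-session) enumeration
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
```

Save the file as Unicode text (as the Security Templates snap-in does) and run the configure command from an administrative command prompt; the analyze command afterwards lists every setting that no longer matches the template, which is a cheap periodic check that nobody has quietly relaxed the audit or lockout policy.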

2.11 Download the latest patches from Microsoft's website

Many administrators have no habit of visiting security sites, so vulnerabilities that have been public for a long time remain unpatched on their servers, which then become targets. Nobody can guarantee that an operating system of millions of lines of code or more is free of security holes. Regularly visiting Microsoft and a few security sites and installing the latest service packs and hotfixes is the only way to keep the server secure in the long run.


3.1 Disable DirectDraw

This is a requirement of the C2 security standard concerning video cards and memory. Disabling DirectDraw may affect programs that need DirectX (games; playing StarCraft on the server? I'm dizzy...), but it should have no effect on most commercial sites. Set the Timeout value (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI to 0.

3.2 Remove the default shares

After Win2000 is installed, the system creates several hidden administrative shares; you can list them by running net share at a command prompt. There are plenty of articles on the Internet about IPC$ intrusion, so you are probably familiar with it. To stop these shares interactively, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the share and choose Stop Sharing. However, the shares are recreated when the machine restarts, so the registry setting below is needed for a permanent fix.

Default shares, their paths and functions:

C$, D$, E$ ...: the root directory of each partition. On Win2000 Professional only members of Administrators and Backup Operators can connect; on Win2000 Server, members of Server Operators can connect as well.
ADMIN$: %SYSTEMROOT%, used for remote administration. It always points to the Win2000 installation directory, for example C:\WINNT.
FAX$: Win2000 Server only; used by fax clients when sending faxes.
IPC$: the null-session share; IPC$ provides the ability to log on to the system.
NETLOGON: used by the Net Logon service on a Windows 2000 server to process domain logon requests.
PRINT$: %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS, lets users manage printers remotely.

Solution:

Open Registry Editor (regedit) and go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

Create a DWORD value named AutoShareServer (AutoShareWks on Win2000 Professional) and set it to 0. This stops the C$, D$ and ADMIN$ shares from being created at startup; IPC$ cannot be removed this way, which is why 2.10 restricts what a null session can do.

3.3 Disable dump file generation

The memory dump written when the system crashes with a blue screen is very useful for finding the cause (otherwise I would simply call it garbage), but it can also hand an attacker sensitive information, such as passwords that some applications hold in memory. To disable it, open Control Panel > System > Advanced > Startup and Recovery and set Write Debugging Information to None. Re-enable it when you need it.

3.4 Use the Encrypting File System (EFS)

Windows 2000's powerful encrypting file system adds a layer of protection to folders and files on NTFS volumes, so that someone who removes your hard disk and attaches it to another machine cannot read the data. Remember to apply EFS to folders rather than individual files, so that new files created in them are encrypted automatically and no plaintext copies are left behind by applications' temporary files. Keep in mind that the EFS keys are protected by the user's logon credentials, and that on a stand-alone Win2000 machine the local Administrator account is the default recovery agent, so EFS is only as strong as those passwords; export the recovery agent's certificate and keep it somewhere safe.

3.5 Encrypt the temp folder

Some applications copy files into the temp folder during installation or upgrade and do not clean them up when the upgrade finishes or the program closes. Encrypting the temp folder therefore protects whatever they leave behind.

3.6 Lock the registry

In Windows 2000, only Administrators and Backup Operators can access the registry over the network by default; this is controlled by the permissions on the winreg key under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers. If that is not enough, you can tighten the permissions on individual registry keys further.

3.7 Clear the page file at shutdown

The page file (also called the swap file) is a hidden file that Win2000 uses to hold pages of programs and data that are not currently in memory. Some third-party programs keep unencrypted passwords in memory, and the page file may contain other sensitive information as well. To clear the page file at shutdown, open the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and set the value ClearPageFileAtShutdown (REG_DWORD) to 1. Shutdown takes noticeably longer with this enabled, since the whole file is overwritten.

3.8 Do not boot from floppy disk or CD-ROM

Some third-party tools can bypass the system's security mechanisms when booted from removable media, for instance to read NTFS volumes offline or reset account passwords. If your server has high security requirements, consider removing the floppy and optical drives, or at least disable booting from them in the BIOS and set a BIOS password. Locking the case and keeping the key away from the machine is a good approach.

3.9 Consider using smart cards instead of passwords

With passwords the security administrator is always in a dilemma: they are vulnerable to cracking tools such as L0phtCrack, but if they are made too complex, users write them down everywhere just to remember them. If conditions permit, replacing complex passwords with smart cards is a good solution.

3.10 Consider using IPSec

As the name implies, IPSec secures IP packets. It provides authentication, integrity and optional confidentiality: the sending computer signs (and optionally encrypts) the data before transmission and the receiving computer verifies (and decrypts) it on arrival. Windows 2000 ships with IPSec policies that are assigned through Local Security Policy or Group Policy. Using IPSec can greatly improve the server's security.