How to maintain the school server security

Maintenance of campus network server security is important, and any flaws are likely to bring the entire campus network security risks. The current attacks on the campus network servers include two categories: deliberate attacks such as denial of service attacks, network viruses and so on, these acts take up a lot of server resources, affecting the normal operation of the server speed and work, and even paralysis of the server where the network, the other one is intentional intrusion, this behavior will cause the server to sensitive information, the intruder is more is wanton destruction of the server. to protect the security of the network server will try to avoid being affected by the network server, the two behaviors. In this paper, Windows2000 based server operating system, for example, in conjunction with their school experience in server maintenance, introduced Some web server security maintenance skills.

1. Close Guest account: the Computer Management inside the guest account disabled users away, do not allow guest login account at any time. To be safe, the best to the guest plus a complex password, you can open Notepad, in which Enter the string contains special characters, numbers, letters, long string, and then put it as a copy into the guest account password.

2. Create an administrator with more than 2 accounts: Although this seems somewhat contradictory, and above this point, but the fact is subject to the above rules. To create an account prepared to receive general authority to deal with some everyday things and the other has Administrators privilege account only when needed to use. allows administrators to use the "RunAS" command to perform some necessary privileges to make some of the work to facilitate management.

3. Renamed the system administrator account as we all know, windows 2000 the administrator account can not be disabled, which means that other people can try again and the side of the account's password. Renamed the Administrator account can effectively prevent this. Of course, please Do not use names like Admin, changed did not mean change, as it disguised as ordinary users, such as change: guestone.

4. Account to create a trap: What is the trap account? Look!> Create a file named "Administrator" in the local account, it's permissions set to the minimum, nothing can not do that, and with a more than 10 super- complex passwords. This will allow those who Scripts s busy for some time, and can attempt to find their invasion. or login scripts in its hands and feet to do the above.

5. To share the file permissions from the "everyone" group to "authorized users", "everyone" means any right in the win2000 into your network users have access to these shared data. At no time should share files User set "everyone" group. including print sharing, the default attribute is "everyone" group, must not forget to change.

6. Using Secure Password: a good password is very important for a network, but it is the most easily overlooked. In front of you can say that this may have been a little. Some of the company's administrator to create accounts, it tends to with the company name, Computer name, or a guess on some other things to do user name, and then again to set the password for these accounts have N as simple as "welcome" "iloveyou" "letmein" or with the same user name, etc. .

This account should require users to change the first time this land into a complex password, but also pay attention to often change your password. The other day and people in IRC to discuss this issue, we give a definition down a good password: security during the period can not break out of the password is a good password, that is, if someone got your password document, must spend 43 days or longer to break out, and your password policy is 42 days must change your password.

7. Set screen saver password: very simple and very necessary, set the screen saver password is also to prevent damage to internal staff as a barrier server. Note Do not use OpenGL, and some complex screen saver, a waste of system resources, so that he can be a blank screen . Another point, all systems used by the users machine has the best screen saver with a password.

8. Win2000 system using the Security Configuration Tool to configure the policy: a set of Microsoft-based integrated MMC (Management Console) Security Configuration and Analysis Tool, using them can easily configure the server to meet your requirements. Details please refer to Microsoft's home page : http://www.microsoft.com/windows2000/techi...y/sctoolset.asp. reposted elsewhere in the Research Papers Download http://www.hi138.com 9. Close unnecessary ports: off port means reducing features, security and functionality in the above decision requires you to make a point. If the server is installed behind the firewall, to take the risk would be less, but never think you can sit back and relax. system with a port scanner scans for open ports, determine what services are open to hacking your system is the first step. \ system32 \ drivers \ etc \ services file has well-known ports and services table for reference. specific methods To: My Network Places> Properties> Local Area Connection> properties> internet protocol (tcp / ip)> Properties> Advanced> Options> tcp / ip filtering> Properties to open the tcp / ip filter, add the required tcp, udp, protocol can be.

10. Let the system displays the last login user name
By default, Terminal Services access server, the login dialog box will display the last login account specified, the local login dialog box is the same. This makes it easy to get people some of the system user name, and then for password guessing . to modify the registry to prevent the dialog box shows the last login user name, specifically:
HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ DontDisplayLastUserName the REG_SZ key value to 1.

11. Prohibit the establishment of air connections
By default, any user connected to the server through the air connection, and then enumerate the accounts, password guessing. We can modify the registry to prohibit the establishment of air links:
Local_Machine \ System \ CurrentControlSet \ Control \ LSA-RestrictAnonymous value to "1".

12. To the Microsoft website to download the latest patch
Many network administrators do not have the habit of visiting the secure site, so that loopholes are out for a long time, and also placed the server's vulnerability does not supply people with Dang Bazi. Who can not guarantee more than a few millions of lines of code, not a little security 2000 vulnerability, Microsoft and several security frequently visited site, download the latest service pack and patches is to protect the server, the only way to lasting security. Links http://www.hi138.com Research Papers Download