Quick Search


Tibetan singing bowl music,sound healing, remove negative energy.

528hz solfreggio music -  Attract Wealth and Abundance, Manifest Money and Increase Luck



 
Your forum announcement here!

  Free Advertising Forums | Free Advertising Board | Post Free Ads Forum | Free Advertising Forums Directory | Best Free Advertising Methods | Advertising Forums > Other Methods of FREE Advertising > Auto Surf Traffic Exchanges

Auto Surf Traffic Exchanges This is a list of Auto Surf sites where you can get your site viewed by thousands of people a day. These are not Paid-to-Surf sites, those are listed in the classified's section. These are for traffic building only.

Reply
 
Thread Tools Search this Thread Display Modes
Old 05-27-2011, 04:01 PM   #1
bolsooi66
 
Posts: n/a
Default Windows 7 Ultimate Practical knowledge of security

Currently, WIN2000 SERVER is additional favorite server running programs, in spite of this, to the safe configuration of Microsoft's running program, is not an simple task. This write-up attempts to win2000 SERVER security configuration was discussed.

Very first, customize their WIN2000 SERVER:

one. Model of choice: Win2000 a number of languages, for us, it is easy to pick out English or Simplified Chinese edition, I strongly recommend: The language doesn't develop into a barrier, make sure to make use of the English edition. You realize, Microsoft's item is known for Bug & Patch, much extra than the Chinese edition of the Bug in English, while the patch will be delayed at least half of the general (ie, generally after Microsoft announced the vulnerability of your machine is also there will be two weeks in the unprotected state)

2. Custom components:

Win2000 installed by default in some common components, but it truly is the default installation is extremely dangerous (Mitre Nico said that he can enter any one installed by default server, although I hesitate to say so, but if your host is the default installation of Win2000 SERVER, I can tell you, you're dead)

you should know exactly what services you need, and only You really need to install the service, according to safety principles, at least the minimum service + permissions = maximum security.

typical WEB servers require a minimum component selection is: only install IIS, Com Files, IIS Snap-In, WWW Server components. If you really need to install additional components, please carefully, especially: Indexing Service, FrontPage 2000 Server Extensions, Internet Service Manager (HTML) that several of the risk services.

3. Management application of choice:

choosing a good remote management software is a especially important thing, not only safety but also of the application needs.

Win2000 the Terminal Service is based within the RDP (Remote Desktop Protocol) remote control software, he's fast, easy to operate, far more suitable for routine operation.

However, Terminal Service also has its shortcomings, because it uses the virtual desktop, along with Microsoft's programming just isn't strict, when you install the software using Terminal Service or restart the server, etc. interacting with the real Desktop The operation, often there will be enough to create misunderstandings of phenomena, such as: re-using the Terminal Service server from Microsoft's Certification (Compaq, IBM, etc.) may well be shut down.

So, for safety reasons, I recommend you go with a remote control software as an aid, and Terminal Service complementarity, as PcAnyWhere is a good selection.

Second, properly installed WIN2000 SERVER:

one. The distribution of partition and logical drive, there are some friends in order to save, just the hard drive into a logical drive, all the software installed in the C drive, this is fairly good, it is actually recommended to establish at least two partitions, one system partition, an application partition, this is because there is often a leak of Microsoft's IIS source / overflow vulnerability, if the system and IIS to the same drive, the file will cause the program to leak or even a remote intruder access to ADMIN.

recommended security configuration is to create three logical drives, the very first is greater than 2G, and important to install the program log file, the second put IIS, the third one FTP, IIS, or FTP either way out of the protection holes will not directly affect the system directory and program files.

to know, IIS and FTP is the external services are relatively simple and easy problems. The separation of the IIS and FTP upload the main program is to prevent intruders to run from IIS. (This could lead to application developers and editors of distress, who cares, anyway you are an administrator)

2. The order of installation options:

Do not think: What is the order important? If installed, how to load you can.

wrong! win2000 installed in a certain order of a few to note:

1st of all, when the access network: Win2000 there is a flaw in the installation, you enter the Administrator password, the system's built ADMIN $ shared, but did not use the password you just to protect it, this situation until you start again after this period, anyone can enter through the ADMIN $ on your machine; the same time, as long as the installation is complete, the types of service will run automatically, and when the server is covered with loopholes, very simple and easy to enter, therefore, fully installed and configured win2000 SERVER, make sure not to host access network.

Second, the patch installation: the installation of the patch should be installed after all the applications, because patches often have to replace / modify certain system files, if you install the patch before installing the application may cause the patch can not be play the desired effect, such as: IIS's HotFix requires that each change the configuration of IIS to be installed on

Third, security configuration WIN2000 SERVER:

even if installed properly WIN2000 SERVER, there are still quite a few loopholes in the program, but also the need for further detailed configuration.

one. Port:

port is connected towards the computer and the logic of the external network interface, is the very first barrier the computer, the port is configured properly or not directly affect the protection of the host, in general, only open the ports you will need to make use of safer approach is to configure the network card properties -TCP/IP- Advanced - Options -TCP/IP screening enabled TCP / IP filtering, port filtering, but for win2000, there is a bad feature: only the provisions of What ports to open, can not restrict which ports closed, so that a large number of ports that require users to open more painful.

2. IIS:

IIS is Microsoft's one of the largest component in the vulnerability, an average of two to three months out of a hole should, and Microsoft's IIS is installed by default and can not compliment, so the configuration of IIS is our focus, it is now together with me:

First, the C disk that what Inetpub directory completely deleted, in the D drive to build a Inetpub (do not worry if you can use the default directory name, a name change, but they have to remember that) in the IIS Manager home directory will point to D: Inetpub;

secondly, that what the default IIS installation scripts and other virtual directory Yigai delete (source of evil ah, forget a href =

3: Application Configuration:

in the IIS Manager to delete any unwanted outside the map must be, must refer towards the ASP, ASA, and you really need to use other types of files , for example, you use stml, etc. (use the server side include), is in fact 90% of the host with the above two maps enough, the rest of the map almost every story has a sad: htw, htr, idq, ida ... ... want to know these stories? to check it before the vulnerability list.

what? can not find where to delete?

in the IIS Manager, right-click the host -> Properties -> WWW Services Edit -> Home Directory Configuration -> application mapping, and then it started to delete one by one (which doesn't select all, hehe). Then, in just the bookmarks window application debugging error message within the script to send text ( ASP error unless you want to know your system when the user / network / database structure) error text writing? whatever you like, own choice. Click OK to exit do not forget to set the virtual site inherit your property.

order to deal with the growing variety of cgi vulnerability scanners, there is a little trick to refer for the IIS will HTTP404 Object Not Found error page through the URL to redirect to a custom HTM files, can current, most CGI vulnerability scanner failure. It can be in reality quite relatively easy, most of the time of writing CGI scanner in order to facilitate, through the HTTP code to view the back page to determine whether vulnerabilities exist, for example, are generally well-known vulnerabilities by taking IDQ one. idq to test,Windows 7 Ultimate, if the return HTTP200, to think that there is this vulnerability, whereas if the return HTTP404 to think not, if you will HTTP404 error message through the URL redirected to HTTP404.htm files, then scan all vulnerabilities, whether it exists or not will be returned HTTP200, 90% of the CGI vulnerability scanner that what you have, the result will conceal your true vulnerability, so that an intruder at a loss no place to start (instead of martial arts often said that loopholes in the body perfect, can we say is this state?) But from a personal point of view, I think that such a solid career protection settings than the additional important tips.

Finally, to become safe, it is possible to use the backup feature of IIS, the setting will be just All backup set down, so that you may always restore IIS security configuration. Also, if that you are afraid of the load is too high causes the server to IIS crash at full capacity, can also open the CPU limitations in performance, for example, the maximum CPU utilization IIS limit 70%.

4. Account Security:

Win2000 account protection is another focus, very first of all, Win2000 the default installation allows any user to get the system through the air all the user accounts / share list, this originally for that convenience of LAN users to share files, but a remote user can also get your list of users and crack user password to use violence law. various of my friends know that it is possible to change the registry Local_Machine Program CurrentControlSet Control LSA-RestrictAnonymous = 1 to prohibit 139 null,

fact, the local safety policy win2000 (if that is the domain server, domain server security and domain safety policy) had this alternative RestrictAnonymous (extra restrictions for anonymous connections) This solution has three values:

0: None. Rely on default permissions (no, depending on the default permissions)

1: Do not allow enumeration of SAM accounts and shares (not enumeration of SAM accounts and shares allowed)

2: No access without explicit anonymous permissions (without explicit anonymous permissions allow access)

0 This value is the default, what restrictions No, the remote user can see all the accounts on your machine, group information, shared directories, network transmission NetServerTransportEnum, etc., within the server for this setup is fairly dangerous.

1 This value is only allowed to users of non-NULL SAM account information access and share information.

2 in this value is only supported in win2000, to note that if you use this value if your share is estimated on all finished, so I suggest that you set to 1 or better. Effectively, now there is no way an intruder to get a list of our customers, our account safe ... ...

Wait, at least one account password can be run This is the system built-in administrator, how do? I change change change, in Computer Management -> right click administrator user account and then change its name changed to whatever you what, as long as I remember about the line.

not No, I have changed the user name, and how people nevertheless run my administrator's password? Fortunately, my password is long enough, but this isn't the answer you? ah, it must be in local or Terminal Service login screen to see , well, let's put HKEY_LOCAL_MACHINE SOFTWARE Microsoft WindowsNT CurrentVersion winlogon key in the Don't Display Last User Name string data into a 1, so the program does not automatically display the last logon user name.

the server registry HKEY_LOCAL_ MACHINE SOFTWARE Microsoft WindowsNT CurrentVersion Winlogon key in the Don't Display Last User Name string data revised to 1 to hide the last login console user name.

5. Protection Log:

I encountered such a situation, a host intrusion by others, the program administrator asked me to track down the murderer, I logged into a look: safety log is empty, down, remember: Win2000 the default installation just isn't open any safety audit! then invite you for the local safety policy -> audit policy, open the appropriate review, the audit recommended that:

account management success or failure

logon events success and failure

object access failure

success or failure

policy changes failed

privilege to use the program event success or failure

directory service access failures

account logon events audit project success and failure

small drawback is that there is no record in case you want to see it at all Mozhe; too quite a few items will not only review program resources and cause you do not have time to see, so that the significance of losing the audit.

is associated with:

strategy in the account -> Password policy settings:

password complexity requirements enabled

Minimum password length 6

Enforce password history 5

maximum age of 30 days

In the Account Policy -> Account Lockout Policy settings:

account lockout 3 times the error log



locked for 20 minutes 20 minutes
lock count reset
Similarly, Terminal Service security log isn't open by default, and we can Terminal Service Configration (remote service configuration) - permissions - Advanced to configure security auditing, in general, as long as the record of logon, logoff events on it.

6. directory and file permissions:

to control the user's permissions around the server, but also to prevent a feasible invasion and subsequent overflow, we must be very careful to set the directory and file access permissions, NT access rights are divided into: read, write, read and perform, modify, list directories, full control. In the default case, the majority of the folder for all users (Everyone in this group) is completely open The (Full Control), you need to apply the required permissions to reset.

making access control, keep in mind the following principles:

1> limit is cumulative: If a user belongs to two groups, he had allowed these two groups of all rights;

2> permission denied permission to allow higher than (denial strategy will be executed) if a Users belong to one is denied access to a resource group, no matter the permissions of other how much authority to give him open, he must not access the resources. so please be pretty careful to make use of reject, any refusal might have resulted in improper The system can not function properly;

3> file permissions for the folder permissions than the high (need to explain this, right?)

4> use user groups for access control is a mature system administrator one must have good habits;

5> only permissions for the users really need, the principle of least privilege is an important guarantee for that safety;

7: Prevention of DoS:

In the registry HKLM Program CurrentControlSet Services Tcpip Parameters, change the following value can help protect you against a certain intensity of DoS attacks

SynAttackProtect REG_DWORD 2

EnablePMTUDiscovery REG_DWORD 0

NoNameReleaseOnDemand REG_DWORD 1

EnableDeadGWDetect REG_DWORD 0

KeepAliveTime REG_DWORD 300,000

PerformRouterDiscovery REG_DWORD 0

EnableICMPRedirects REG_DWORD 0

ICMP attacks : ICMP storm attack and fragment attack is also quite daunting NT host attack methods, in fact, highly easy methods to deal with, win2000 comes with a Routing & Remote Access tool that begun to take shape router (Microsoft really, what should do? I heard recently, to do the firewall) in this tool, we can easily define input and output packet filters, for example, setting the input code 255 ICMP dropped to that drop all ICMP packets alien.

Fourth, some of the things to note:

In fact, protection and application is contradictory in lots of cases, so you need to find a balance in which, after all, the server is for users to make use of and not to do OPEN HACK , if the system security policy prevents the application of the principle that the security isn't a good principle. Network safety is a systematic project, which spans not only space, there is still time span. quite a lot of friends (including some system administrators ) considers an the safety configuration of the host is secure, in fact, of which there is a misunderstanding: we can only say that a host in certain cases some time is safe, with the network structure changes, new vulnerabilities are discovered administrator / user operation, the host of the security situation is changing at any time, only to security awareness and safety program throughout the entire process to be truly safe.
  Reply With Quote

Sponsored Links
Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off


All times are GMT. The time now is 11:59 PM.

 

Powered by vBulletin Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Free Advertising Forums | Free Advertising Message Boards | Post Free Ads Forum