Server security configuration (Windows systems only)
1.
As a rule, turn off every service you do not use, install no software unrelated to the server's role, and apply all patches.
Changing port 3389
Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp the value PortNumber is 0xd3d, which is hexadecimal for 3389. Change it to the port you want (XXXX). This key holds the RDP (Remote Desktop Protocol) default, so it is used to configure RDP listeners created in the future. To change an RDP listener that already exists, go to the next key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations contains one or more subkeys named like RDP-Tcp (one per RDP listener you have created); change PortNumber in each of them as well.
Changing where the system logs are stored
Application logs, security logs, system logs and DNS logs are stored by default in %systemroot%\system32\config. The default maximum file size is 512KB, which the administrator should change.
Security log file: %systemroot%\system32\config\
System log file: %systemroot%\system32\config\
Application log file: %systemroot%\system32\config\
Internet Information Services FTP log, default location: %systemroot%\system32\logfiles\msftpsvc1\, one log file per day by default
Internet Information Services WWW log, default location: %systemroot%\system32\logfiles\w3svc1\, one log file per day by default
Scheduler service log, default location: %systemroot%\
The locations of the application, security, system and DNS server log files are recorded in the registry under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
The Scheduler service log location is recorded in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent
SQL
Delete or change the name
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
; AutoShareWks applies to the Professional edition, AutoShareServer to the Server edition
; 0 disables the administrative shares admin$, c$, d$ and so on

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"restrictanonymous"=dword:00000001
; 0x1: anonymous users cannot list the local user accounts
; 0x2: anonymous users cannot connect to the local IPC$ share at all (with this value SQL Server may fail to start)
Local security policy
Block these TCP ports: 21 (FTP), 23 (Telnet), 53 (DNS), 135, 136, 137, 138, 139, 443, 445, 1028, 1433, 3389
TCP ports that can also be blocked: 1080, 3128, 6588, 8080 (proxy ports), 25 (SMTP), 161 (SNMP), 67 (BOOTP)
Block UDP port 1434 (needless to say)
Block all ICMP, that is, block ping
These are the most commonly scanned ports; block the others as well, except of course port 80, which the web server uses.
Audit policy:
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: Success, Failure
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Password policy: enable "Password must meet complexity requirements", set "Minimum password length" to 6 characters, "Enforce password history" to 5 passwords remembered, and "Maximum password age" to 30 days.
Account lockout policy: set "Reset account lockout counter after" to 30 minutes, "Account lockout duration" to 30 minutes, and the "Account lockout threshold" value to 30 minutes.
Security options: Local Security Policy → Local Policies → Security Options → "Additional restrictions for anonymous connections". Double-click it and choose "Do not allow enumeration of SAM accounts and shares": with this value only non-null (authenticated) users may read SAM account information and share information, so this setting is generally chosen.
Do not display the last logged-on user name on the logon screen
Control Panel → Administrative Tools → Local Security Policy → Local Policies → Security Options
Or edit the registry:
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon set the value DontDisplayLastUserName to 1.
Disable NetBIOS over TCP/IP in the TCP/IP settings.
Rename the default administrator account (needless to say), disable the Guest account, allow only members of the Administrators group to log on to the machine remotely, and remove the remote logon right from all other users.
WEB directory user permission settings
Do the following in turn:
a. The entire hard drive:
SYSTEM: Full control
Administrator: Full control (allow inheritable permissions from the parent to propagate to this object)
b. \program files\common files:
Everyone: Read and execute, List folder contents, Read (allow inheritable permissions from the parent to propagate to this object)
c. \inetpub\wwwroot:
iusr_machine: Read and execute, List folder contents, Read (allow inheritable permissions from the parent to propagate to this object)
e. \winnt\system32:
Select all directories except inetsrv and centsrv, clear the "Allow inheritable permissions from parent to propagate to this object" box and choose Copy.
f. \winnt:
Select all directories except Downloaded Program Files, Help, IIS Temporary Compressed Files, Offline Web Pages, system32, Tasks, Temp and Web, clear the "Allow inheritable permissions from parent to propagate to this object" box and choose Copy.
g. \winnt:
Everyone: Read and execute, List folder contents, Read (allow inheritable permissions from the parent to propagate to this object)
h. \winnt\temp (lets ASP pages access the database and display results):
Everyone: Modify (allow inheritable permissions from the parent to propagate to this object)
(Windows 2003 is better here: these limits are set by default.)
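The permission plan above, as an added PowerShell example that is not part of the original guide. It assumes %windir% stands for \winnt, that inetpub lives on the system drive, and that the IIS_IUSRS group stands in for the guide's iusr_machine account; it prints the icacls commands until $DryRun is set to $false.

```powershell
# Added example, not from the original guide: apply its NTFS permission plan with icacls.
# Assumptions: %windir% stands for \winnt, the system drive holds inetpub, and the
# IIS_IUSRS group stands in for the IUSR_<machine> account. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'
$DryRun = $true                                 # $false actually runs icacls
$win   = $env:windir
$root  = Split-Path -Qualifier $win             # e.g. C:
$web   = Join-Path $root 'inetpub\wwwroot'

# Well-known SIDs so the script does not depend on the display language.
$SYSTEM = '*S-1-5-18'; $Admins = '*S-1-5-32-544'; $Everyone = '*S-1-1-0'; $WebUsers = '*S-1-5-32-568'

# icacls rights: F = full control, M = modify, RX = read and execute (which covers
# "list folder contents" and "read"). (OI)(CI) lets the entry inherit to files and
# subfolders, i.e. "allow inheritable permissions to propagate" in the guide.
$grants = @(
    @{ Path = "$root\";                           Grant = @("${SYSTEM}:(OI)(CI)F", "${Admins}:(OI)(CI)F") },
    @{ Path = "$root\Program Files\Common Files"; Grant = @("${Everyone}:(OI)(CI)RX") },
    @{ Path = $web;                               Grant = @("${WebUsers}:(OI)(CI)RX") },
    @{ Path = $win;                               Grant = @("${Everyone}:(OI)(CI)RX") },
    @{ Path = "$win\Temp";                        Grant = @("${Everyone}:(OI)(CI)M") }   # ASP temp/database access
)

# Steps e and f: stop inheritance on the listed folders but keep a copy of the current
# entries; icacls /inheritance:d is the "Copy" choice of the Explorer dialog.
$keepSystem32 = @('inetsrv', 'centsrv')
$keepWindows  = @('Downloaded Program Files', 'Help', 'IIS Temporary Compressed Files',
                  'Offline Web Pages', 'system32', 'Tasks', 'Temp', 'Web')
$breakInherit = @(Get-ChildItem -LiteralPath "$win\system32" -Directory | Where-Object { $keepSystem32 -notcontains $_.Name }) +
                @(Get-ChildItem -LiteralPath $win -Directory | Where-Object { $keepWindows -notcontains $_.Name })

function Invoke-Icacls {
    param([string[]]$IcaclsArgs)
    if ($DryRun) { Write-Host ('icacls ' + ($IcaclsArgs -join ' ')); return }
    $out = & icacls.exe @IcaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')`n$out" }
}

foreach ($g in $grants) {
    if (-not (Test-Path -LiteralPath $g.Path)) { Write-Warning "missing: $($g.Path)"; continue }
    $icaclsArgs = @($g.Path)
    foreach ($ace in $g.Grant) { $icaclsArgs += '/grant'; $icaclsArgs += $ace }
    Invoke-Icacls $icaclsArgs
}
foreach ($dir in $breakInherit) { Invoke-Icacls @($dir.FullName, '/inheritance:d') }

# Verify the web root: nothing beyond the entries granted above should be listed.
if (-not $DryRun) { & icacls.exe $web }
```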
Delete the default IIS directories.
Remove all script mappings in IIS except .asa and .asp, unless you need other CGI programs (on Windows 2003 they cannot be removed).
Review the server's log files regularly.
Check whether the ASP programs have SQL injection vulnerabilities.
Solution:
Add to the ASP program (VBScript):
<%
Dim id
id = Request("id")
' Check that the ID parameter is a number before it is used in a SQL statement
If Not IsNumeric(id) Then
    Response.Write "Error parameter"
    Response.End
End If
%>
How do you make an ASP script run with SYSTEM permissions?
Change the virtual directory that holds your ASP script and set "Application Protection" to "Low".
How do you prevent ASP webshells?
ASP webshells based on the FileSystemObject component:
cacls %systemroot%\system32\ /e /d guests    (deny the Guests group)
regsvr32 /u /s    (unregister the component)
To restore:
cacls %systemroot%\system32\ /e /p guests:r
regsvr32
Component-based ASP webshells:
cacls %systemroot%\system32\ /e /d guests    (deny the Guests group)
regsvr32 /u /s    (unregister the component)
To restore:
cacls %systemroot%\system32\ /e /p guests:r
regsvr32
See the cacls syntax: F is full control and C is change (write access).
Save the attached file and change its extension to .rar: it holds the security policy for 2K and 2K3, borrowed from REISTLIN (thanks). Some of the items above are too simple and not written out in full. If you use a fixed IP address, you can add a rule to the security policy that allows access only from your own IP.
2. Stop the Messenger, Remote Registry and Task Scheduler services and any other services you do not need.
3. Installation procedure
Install components selectively
Do not accept the default Windows 2000 component selection. Following the principle "minimum services + minimum permissions = maximum security", install only the services you need. For example, do not install IIS unless the machine is a web or FTP server. The minimum components for a typical web server are: Internet Services Manager, the WWW server and the auxiliary services it depends on.
Join the network only after installation
After installing Windows 2000, do not connect the server to the network right away: the programs on it have not been patched, they contain various vulnerabilities, and the machine is very easy to infect or break into.
Apply the patches in order after all applications are installed, because patches target particular applications and often replace or modify system files. If you install a patch first and the application afterwards, the patch may not take effect; for example, the IIS hotfix has to be reinstalled every time the IIS configuration changes.
Also, if you worry that a high IIS load will crash the server, you can enable CPU limiting under Performance, for example limiting IIS to at most 70% of the CPU.
Set up and manage accounts correctly
1. Stop using the Guest account and give it a complicated password.
2. Keep as few accounts as possible, and use scanning tools to check the system's accounts, account permissions and passwords regularly; delete disabled accounts. Commonly used scanners include Fluxay, HSCAN, X-SCAN and STAT SCANNER. Configure account permissions correctly; passwords should be at least 8 characters and mix digits, upper- and lower-case letters and the symbols on the number keys, which makes them hard to crack.
3. Make logging on harder. Under "Account Policy → Password Policy" enable "Password must meet complexity requirements" and set "Minimum password length" to 8 characters, "Enforce password history" to 5 passwords and "Maximum password age" to 30 days; under "Account Policy → Account Lockout Policy" set "Account lockout threshold" to 3 invalid logons, "Account lockout duration" to 20 minutes and "Reset account lockout counter after" to 20 minutes. Making logon harder benefits the security of the system greatly.
4. Rename the built-in Administrator account to something without "Admin" or similar words in it, and create a decoy account: a local account named "Administrator" with the lowest permissions, able to do nothing, and a very complex password of more than 10 characters. This keeps the script kiddies busy for a while and lets you discover their intrusion attempts.
5. Do not let the system show the user name that last logged on. Proceed as follows:
Change the value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName in the registry to 1.
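The audit policy from the first part of the guide and the password and lockout policy from item 3 above, applied together as one security template. This is an added example, not the guide's own file; it uses the values of item 3 and assumes an elevated prompt on any Windows version with secedit.

```powershell
# Added example, not from the original guide: apply its audit policy and its password
# and lockout policy as one security template with secedit. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# [System Access]: MaximumPasswordAge is in days, lockout durations are in minutes.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 8
PasswordHistorySize = 5
MaximumPasswordAge = 30
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20
[Event Audit]
AuditPolicyChange = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditProcessTracking = 3
AuditDSAccess = 2
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
'@

$inf = Join-Path $env:TEMP 'hardening.inf'
$db  = Join-Path $env:TEMP 'hardening.sdb'
$log = Join-Path $env:TEMP 'hardening.log'
Set-Content -LiteralPath $inf -Value $template -Encoding Unicode

# Configure only the SECURITYPOLICY area (account and audit policy); nothing else is touched.
& secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed, see $log" }

# Verify by exporting the effective policy and comparing each setting with the template.
$exported = Join-Path $env:TEMP 'effective.inf'
& secedit.exe /export /cfg $exported /areas SECURITYPOLICY /quiet
$effective = Get-Content -LiteralPath $exported
$wanted = $template -split "`r?`n" |
    Where-Object { $_ -match '^(\w+)\s*=\s*(\S+)$' -and $Matches[1] -notin 'Unicode', 'Revision', 'signature' } |
    ForEach-Object { @{ Name = $Matches[1]; Value = $Matches[2] } }
foreach ($w in $wanted) {
    $line = $effective | Where-Object { $_ -match ('^' + [regex]::Escape($w.Name) + '\s*=') } | Select-Object -First 1
    $actual = if ($line -and $line -match '=\s*(\S+)') { $Matches[1] } else { '(not present)' }
    '{0,-24} wanted {1,-3} actual {2}' -f $w.Name, $w.Value, $actual
}
# On Vista and later, auditpol shows the per-category result of the [Event Audit] section.
auditpol /get /category:*
```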
Set directory and file permissions properly
To control what users can do on the server and to guard against future intrusions and overflows, you must also set access rights on directories and files carefully. Windows 2000 access permissions are: Read, Write, Read & Execute, Modify, List Folder Contents and Full Control. By default most folders give Full Control to all users (the Everyone group), so you need to reset permissions according to what the application needs. When controlling permissions, keep these principles in mind:
1. Permissions accumulate. If a user belongs to two groups at once, he has all the permissions either group allows.
2. Deny takes precedence over Allow (deny entries are evaluated first). If a user belongs to a group that is denied access to a resource, he cannot access it no matter how many other permissions are granted to him.
3. File permissions take precedence over folder permissions.
4. Controlling permissions through user groups is a habit every mature system administrator must have.
5. Give users only the permissions they really need. The principle of least privilege is an important guarantee of security.
6. Prevent ICMP attacks. ICMP floods and fragmentation attacks are troublesome for NT hosts, but Windows 2000's countermeasure is simple. Windows 2000 ships with the Routing and Remote Access tool, which already has the makings of a router, and in it you can easily define input and output packet filters. If you set the input filter to discard ICMP code 255, all external ICMP messages are discarded.
Network service security management
1. Shut down services you do not need
Leave only the services that are necessary; more services mean more risk factors for the system. For example, Windows 2000's Terminal Services, IIS (web service) and RAS (remote access service) may all contain vulnerabilities.
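An added example, not from the original guide, that checks the services the guide wants stopped (the Messenger, Remote Registry and Task Scheduler services named earlier and the per-service recommendations in section 4) against their current startup type. It assumes PowerShell 5.1 or later and the classic Windows 2000/XP short names, so on a current system some services are absent and are reported as such.

```powershell
# Added example, not from the original guide: compare the current startup type of the
# services the guide wants stopped with its recommendation, and optionally apply it.
# Assumptions: PowerShell 5.1+; classic Windows 2000/XP short names (absent ones are
# reported and skipped). Set $Apply to $true and run elevated to change anything.
$Apply = $false

# short name = recommended startup type (Disabled / Manual / Automatic), from the guide
$recommended = @{
    'Messenger'      = 'Disabled'    # net send pop-ups
    'RemoteRegistry' = 'Disabled'
    'Schedule'       = 'Disabled'    # Task Scheduler
    'Alerter'        = 'Disabled'
    'ALG'            = 'Disabled'    # Application Layer Gateway Service
    'wuauserv'       = 'Disabled'    # Automatic Updates (the guide's choice; patch by hand then)
    'BITS'           = 'Disabled'
    'ClipSrv'        = 'Disabled'    # ClipBook
    'Browser'        = 'Disabled'    # Computer Browser
    'TrkWks'         = 'Disabled'    # Distributed Link Tracking Client
    'MSDTC'          = 'Disabled'
    'ERSvc'          = 'Disabled'    # Error Reporting Service
    'helpsvc'        = 'Disabled'    # Help and Support
    'cisvc'          = 'Disabled'    # Indexing Service
    'SharedAccess'   = 'Disabled'    # ICF / ICS
    'Netlogon'       = 'Disabled'    # not a domain member
    'mnmsrvc'        = 'Disabled'    # NetMeeting Remote Desktop Sharing
    'NetDDE'         = 'Disabled'
    'NetDDEdsdm'     = 'Disabled'
    'Nla'            = 'Disabled'
    'SysmonLog'      = 'Disabled'    # Performance Logs and Alerts
    'EventSystem'    = 'Manual'      # COM+ Event System
    'COMSysApp'      = 'Manual'      # COM+ System Application
    'CryptSvc'       = 'Manual'
    'Dhcp'           = 'Manual'
    'Dnscache'       = 'Manual'
    'PolicyAgent'    = 'Manual'      # IPSEC Services
    'Netman'         = 'Manual'      # Network Connections
    'Eventlog'       = 'Automatic'   # the audit trail lives here; never disable
    'dmserver'       = 'Automatic'   # Logical Disk Manager
}

function Get-ServiceStartupReport {
    param([hashtable]$Recommended)
    foreach ($name in ($Recommended.Keys | Sort-Object)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Name = $name; DisplayName = '(absent)'; Current = $null; Status = $null
                               Recommended = $Recommended[$name]; Deviates = $false }
            continue
        }
        [pscustomobject]@{
            Name        = $name
            DisplayName = $svc.DisplayName
            Current     = [string]$svc.StartType         # Automatic / Manual / Disabled
            Status      = [string]$svc.Status
            Recommended = $Recommended[$name]
            Deviates    = ([string]$svc.StartType -ne $Recommended[$name])
        }
    }
}

$report = Get-ServiceStartupReport -Recommended $recommended
$report | Format-Table Name, DisplayName, Current, Status, Recommended, Deviates -AutoSize

if ($Apply) {
    foreach ($r in ($report | Where-Object { $_.Deviates })) {
        if ($r.Recommended -eq 'Disabled' -and $r.Status -eq 'Running') {
            Stop-Service -Name $r.Name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $r.Name -StartupType $r.Recommended
        '{0}: {1} -> {2}' -f $r.Name, $r.Current, $r.Recommended
    }
}
```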
2. Close unused ports
Open only the ports and protocols the services require.
The method is: open "My Network Places → Properties → Local Area Connection → Properties → Internet Protocol (TCP/IP) → Properties → Advanced → Options → TCP/IP Filtering → Properties" in that order, and add the required TCP ports, UDP ports and IP protocols. Depending on which services are offered, the commonly used TCP ports are: 80 for web services, 21 for FTP, 25 for SMTP, 23 for Telnet and 110 for POP3. Commonly used UDP ports are: 53 for DNS name resolution and 161 for SNMP (Simple Network Management Protocol). Ports 8000 and 4000 are used by OICQ: the server receives on 8000 and the client sends on 4000.
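The port policy from the local security policy section and from item 2 above, implemented with the Windows Firewall instead of the old TCP/IP Filtering dialog. This is an added example, not part of the guide; it assumes Windows 8/2012 or later (NetSecurity module), an elevated prompt, and uses a constructed placeholder for the fixed admin IP the guide mentions.

```powershell
# Added example, not from the original guide: default-deny inbound, explicit block rules for
# the guide's scanned ports, and allow rules only for what the server needs.
# Assumptions: Windows 8/2012+ (NetSecurity module), run elevated; $adminNet is a placeholder.
$ErrorActionPreference = 'Stop'
$allowedTcp = @(80)            # the web port the guide leaves open; add 21/25/110 only if those services run
$rdpPort    = 3389             # use the changed PortNumber if you moved RDP; on 3389 it stays blocked, as the guide lists it
$adminNet   = '192.0.2.10/32'  # constructed placeholder for the fixed admin IP

# 1. Block everything inbound by default on all profiles and log dropped packets.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block `
    -DefaultOutboundAction Allow -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Explicit block rules for the guide's scanned ports. They are redundant under default-deny,
#    but block rules always win over allow rules, and the named rules make the intent auditable.
$scannedTcp = 21, 23, 53, 135, 136, 137, 138, 139, 443, 445, 1028, 1433, 3389,
              1080, 3128, 6588, 8080, 25, 161, 67
New-NetFirewallRule -DisplayName 'Hardening: block scanned TCP ports' -Direction Inbound `
    -Protocol TCP -LocalPort $scannedTcp -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Hardening: block UDP 1434' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Hardening: block ICMPv4 (ping)' -Direction Inbound `
    -Protocol ICMPv4 -Action Block | Out-Null

# 3. Allow the web port to everyone and RDP only from the fixed admin address.
New-NetFirewallRule -DisplayName 'Hardening: allow web' -Direction Inbound `
    -Protocol TCP -LocalPort $allowedTcp -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Hardening: allow RDP from admin IP' -Direction Inbound `
    -Protocol TCP -LocalPort $rdpPort -RemoteAddress $adminNet -Action Allow | Out-Null

# 4. Show what is listening so you can see whether anything needed was cut off.
Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess
```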
3. Prevent null-session connections
By default any user can connect to the server with a null session, enumerate the accounts and guess passwords. Null sessions use port 139. Through a null session, files can be copied to the remote server and a scheduled task created to run them, so it is a vulnerability. There are two ways to prevent null sessions:
(1) Modify the registry: set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous to 1.
(2) Modify the local security policy of Windows 2000: set RestrictAnonymous ("Additional restrictions for anonymous connections") to "Do not allow enumeration of SAM accounts and shares".
First of all, a default installation of Windows 2000 lets any user obtain the complete account list and share list of the system through a null session. This was meant to make sharing resources and files easy for LAN users, but any remote user can obtain your user list the same way and may brute-force the passwords and damage the whole network. Many people only know to set the registry value Local_Machine\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 to forbid null-session connections. In fact, Windows 2000's local security policy has a RestrictAnonymous option (on a domain server it is in the domain controller security policy and the domain security policy) with three values: "0" is the system default with no restrictions, so remote users can learn all the accounts, group information, shared directories and the network transport list (NetServerTransportEnum) of your machine; "1" allows only non-null users to access SAM account information and share information; "2" is supported only by Windows 2000. Note that with value "2" resources can no longer be shared, so it is better to set the value to "1".
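The registry settings the guide uses in several places (AutoShareServer/AutoShareWks and restrictanonymous in the .reg fragment, DontDisplayLastUserName under Winlogon, and RestrictAnonymous = 1 here) applied and read back in one place. This is an added example, not from the guide; it assumes an elevated prompt on Windows 8/2012 or later for the SmbShare cmdlets.

```powershell
# Added example, not from the original guide: set the registry values the guide uses to
# remove the default shares, restrict null-session enumeration and hide the last user name,
# then read them back. Run elevated. The share settings take effect at the next start of
# the Server service; RestrictAnonymous=1 is the guide's choice (2 also breaks share listing).
$ErrorActionPreference = 'Stop'

$settings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';        Value = 0 }  # server editions
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareWks';           Value = 0 }  # workstation editions
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';      Value = 1 }  # non-null users only
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name = 'DontDisplayLastUserName'; Value = 1 }
)

function Set-HardeningValue {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    $before = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Value -Type DWord
    $after = (Get-ItemProperty -LiteralPath $Key -Name $Name).$Name
    [pscustomobject]@{ Name = $Name; Before = $before; After = $after; Ok = ($after -eq $Value) }
}

$result = foreach ($s in $settings) { Set-HardeningValue @s }
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) { throw 'one or more values did not apply' }

# The administrative shares come back at every start until AutoShare* is 0 (the guide's
# note); remove the ones that exist now and list what remains.
$adminShares = Get-SmbShare | Where-Object { $_.Name -match '^[A-Z]\$$' -or $_.Name -eq 'ADMIN$' }
foreach ($share in $adminShares) { Remove-SmbShare -Name $share.Name -Force }
Get-SmbShare | Select-Object Name, Path
```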
Network service security configuration
1. Change the default port. Terminal Services listens on port 3389 by default; consider moving it to another port. The method is:
Server side: open the registry, find the subkey similar to RDP-Tcp under "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" and change the PortNumber value.
Client side: create a client connection in the normal way, select it, choose Export from the "File" menu, and a file with the .cns extension is written to the location you specify. Open that file and change the "Server Port" value to the server's PortNumber. Then import the file (menu → File → Import) and the client uses the new port.
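The port change described here and in the first section (both the Wds\rdpwd\Tds\tcp default key and the WinStations\RDP-Tcp listener key), as an added example that is not part of the guide. It assumes an elevated prompt, Windows 8/2012 or later for the firewall and TCP cmdlets, and a constructed new port number; restarting Terminal Services drops current RDP sessions.

```powershell
# Added example, not from the original guide: move the RDP listener off 3389 by writing
# PortNumber to both keys the guide names, open the new port in the firewall, restart the
# service and confirm the listener. Run elevated. $NewPort is a constructed example value.
$ErrorActionPreference = 'Stop'
$NewPort = 53389   # the "XXXX" of the guide

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',    # default for listeners created later
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'  # the existing listener
)
foreach ($k in $keys) {
    $old = (Get-ItemProperty -LiteralPath $k -Name PortNumber).PortNumber
    Set-ItemProperty -LiteralPath $k -Name PortNumber -Value $NewPort -Type DWord
    '{0}: 0x{1:x} ({1}) -> {2}' -f (Split-Path $k -Leaf), $old, $NewPort
}

# Firewall: allow the new port; 3389 stays closed, as the guide lists it among blocked ports.
New-NetFirewallRule -DisplayName "RDP on $NewPort" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -Action Allow | Out-Null

# The listener reads PortNumber when it starts: restart Terminal Services and verify
# before closing the session you are working in.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3
$listen = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if (-not $listen) { throw "nothing is listening on $NewPort; check the System event log before logging off" }
"RDP now listens on port $NewPort (client: mstsc /v:<host>:$NewPort)"
```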
2. Configure Internet Services Manager securely. The security configuration for IIS is as follows:
(1) Stop the default web site, create a new web site and set its home directory to another (non-inetpub) directory, preferably not on the same partition as the system. If you use the system's default web site, the server can be hacked with a simpler attack.
(2) Delete the Inetpub directory installed by default (on the disk the system is installed on).
(3) Delete the virtual directories under the system disk, such as _vti_bin, IISSamples, Scripts, IIShelp, IISAdmin and MSADC.
3. Do not install the FrontPage Server Extensions. If they are enabled, your home page files can be opened and modified remotely with FrontPage.
4. Delete unnecessary IIS extension mappings. Method: right-click "Default Web Site → Properties → Home Directory → Configuration" to open the application mappings window and remove the mappings you do not need. If nothing else is used, keep only the .asp and .asa mappings.
Manage data files safely
1. Back up regularly: back up the data to a dedicated backup server often, and isolate the backup server from the network once the backup is done.
2. Turn off the default shares. After Windows 2000 is installed the system creates hidden shares (C$, D$ and so on), which you can list with the net share command at a command prompt; these shares should be deleted. However, they are recreated each time the machine restarts, so they must be deleted after every start.
3. Set file share permissions correctly. When setting up shared files, change the permissions from the "Everyone" group to "Authenticated Users", including for printer shares, so that even someone who sees the share on the connection cannot read it.
4. Prevent file name spoofing by showing all files and folders and showing file type extensions, so that for example a malicious file with a double extension such as .txt.exe cannot appear as a .txt file and be opened by accident. Open "My Computer → Tools → Folder Options → View", select "Show hidden files and folders" and clear "Hide file extensions for known file types".
5. Enable the Terminal Services security log; it is not enabled by default. Configure security auditing through "Terminal Services Configuration → Permissions → Advanced" to record logon and logoff events.
Enable logging and use software to monitor network traffic at all times
If you find anything unusual you can check the log files at any time to see whether someone is attacking.
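A quick review of the Security log for password guessing, the kind of check the guide means by looking at the logs regularly. This is an added example, not from the guide; it assumes Windows Vista/2008 or later (event ID 4625, where Windows 2000 used 529/539), that "Audit logon events: Failure" is enabled as recommended, and an elevated prompt.

```powershell
# Added example, not from the original guide: group failed logons (event 4625) by source
# address and account to spot password guessing. Assumptions: Vista/2008+ event IDs,
# failure auditing of logon events enabled, run elevated.
$Hours = 24          # look-back window
$Threshold = 10      # failures from one source worth reporting

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

function ConvertTo-FailedLogon {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Read the fields by name from the event XML instead of relying on message positions.
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Account   = $d['TargetUserName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']      # 3 = network, 10 = remote interactive (RDP)
        Status    = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

$failed   = @($events | ForEach-Object { ConvertTo-FailedLogon -Event $_ })
$bySource = $failed | Group-Object Source | Sort-Object Count -Descending
'{0} failed logons in the last {1} h from {2} sources' -f $failed.Count, $Hours, $bySource.Count

# Sources hammering the box: one address, many attempts, and which accounts it tried.
$bySource | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $accounts = ($_.Group | Group-Object Account | Sort-Object Count -Descending |
                 Select-Object -First 5).Name -join ', '
    '{0,-16} {1,5} attempts  accounts tried: {2}' -f $_.Name, $_.Count, $accounts
}

# Accounts hit from many sources point at distributed guessing against one name.
$failed | Group-Object Account | ForEach-Object {
    $sources = @($_.Group.Source | Sort-Object -Unique)
    if ($sources.Count -gt 3) { 'account {0} tried from {1} different sources' -f $_.Name, $sources.Count }
}
```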
4. Optimisation notes for Windows services
Alerter
Microsoft: Notifies selected users and computers of administrative alerts. If this service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: A home computer generally has no need to send or receive administrative alerts, unless it is used on a local area network.
Dependencies: Workstation
Suggestion: Disabled
Application Layer Gateway Service
Microsoft: Provides support for third-party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall.
Supplement: If you do not use Internet Connection Sharing (ICS) to share Internet access among several computers, or the Internet Connection Firewall (ICF), you can turn this off.
Dependencies: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Suggestion: Disabled
Application Management
Microsoft: Provides software installation services such as Assign, Publish and Remove.
Supplement: As above, the software installation and change service.
Suggestion: Manual
Automatic Updates
Microsoft: Enables the download and installation of critical Windows updates. If this service is disabled, the operating system can be updated manually from the Windows Update website.
Supplement: Lets Windows check for and download patches from Microsoft's servers automatically in the background while online.
Suggestion: Disabled
Background Intelligent Transfer Service
Microsoft: Transfers data using idle network bandwidth.
Supplement: One of the services that transfer data in the background, over HTTP 1.1.
Dependencies: Remote Procedure Call (RPC), Workstation
Suggestion: Disabled
ClipBook
Microsoft: Enables the ClipBook Viewer to store information and share it with remote computers. If this service is stopped, the ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: Shares the contents of the ClipBook with other computers; a home computer has no use for it at all.
Dependencies: Network DDE
Suggestion: Disabled
COM+ Event System
Microsoft: Supports the System Event Notification Service (SENS), which provides automatic distribution of events to subscribing COM components. If this service is stopped, SENS will shut down and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: Some programs use COM+ components, for example the "optimize system" function of BootVis; if this service is disabled, DCOM errors appear in the Event Viewer.
Dependencies: Remote Procedure Call (RPC), System Event Notification
Suggestion: Manual
COM+ System Application
Microsoft: Manages the configuration and tracking of COM+ components. If this service is stopped, most COM+ components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: If COM+ Event System is the car, COM+ System Application is the driver; if it is disabled, DCOM errors appear in the Event Viewer.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Manual
Computer Browser
Microsoft: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, the list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: Generally not needed on a home computer unless it is used on a local area network; even on a large LAN, is it worth turning on such a slow service?
Dependencies: Server, Workstation
Suggestion: Disabled
Cryptographic Services
Microsoft: Provides three management services: the Catalog Database Service, which confirms the signatures of Windows files; the Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and the Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: Simply put, Microsoft's Windows Hardware Quality Lab (WHQL) certification. If you use Automatic Updates, you may need this.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Manual
DHCP Client
Microsoft: Manages network configuration by registering and updating IP addresses and DNS names.
Supplement: Users of DSL/cable, ICS and IPsec need it to obtain a dynamic IP address.
Dependencies: AFD Networking Support Environment, NetBT, SYMTDI, TCP/IP Protocol Driver, NetBIOS over TCP/IP
Suggestion: Manual
Distributed Link Tracking Client
Microsoft: Maintains links between NTFS files within a computer or across computers in a network domain.
Supplement: Maintains file links between computers on a LAN.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Distributed Transaction Coordinator
Microsoft: Coordinates transactions that span multiple resource managers, such as databases, message queues and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: As above; of little use on a home computer unless you enable Message Queuing.
Dependencies: Remote Procedure Call (RPC), Security Accounts Manager
Suggestion: Disabled
DNS Client
Microsoft: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: As above; IPsec needs it.
Dependencies: TCP/IP Protocol Driver
Suggestion: Manual
Error Reporting Service
Microsoft: Allows error reporting for services and applications running in non-standard environments.
Supplement: Microsoft's application error reporting.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Event Log
Microsoft: Enables event log messages issued by Windows-based programs and components to be viewed in the Event Viewer. This service cannot be stopped.
Supplement: Allows event messages to be displayed in the Event Viewer.
Dependencies: Windows Management Instrumentation
Suggestion: Automatic
Fast User Switching Compatibility
Microsoft: Provides management for applications that require assistance in a multi-user environment.
Supplement: Also provides the "Switch User" function on the log-off screen.
Dependencies: Terminal Services
Suggestion: Manual
Help and Support
Microsoft: Enables the Help and Support Center to run on this computer. If this service is stopped, the Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: If you do not use it, turn it off.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Human Interface Device Access
Microsoft: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls and other multimedia devices. If this service is stopped, the hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: As above.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
IMAPI CD-Burning COM Service
Microsoft: Manages CD recording using the Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: The drag-and-drop burning for CD-R and CD-RW drives built into XP is not as good as dedicated burning software; turning it off also makes Nero open faster.
Suggestion: Disabled
Indexing Service
Microsoft: Indexes the contents and properties of files on local and remote computers; provides rapid access to files through a flexible query language.
Supplement: Simply put, it speeds up searching, but I think few people search remote computers.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Microsoft: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Supplement: If you do not use the ICS or ICF built into XP, you can turn it off.
Dependencies: Application Layer Gateway Service, Network Connections, Network Location Awareness (NLA), Remote Access Connection Manager
Suggestion: Disabled
IPSEC Services
Microsoft: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers.
Supplement: Helps protect data transmitted across a network. IPsec is an important part of providing security in a virtual private network (VPN), which lets organisations transmit data securely over the Internet. It may be required on some domains, but most users have little need for it.
Dependencies: IPSEC driver, Remote Procedure Call (RPC), TCP/IP Protocol Driver
Suggestion: Manual
Logical Disk Manager
Microsoft: Detects and monitors new hard disk drives and sends disk volume information to the Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: Used by Disk Management to manage disks dynamically, for example to show free disk space, and by the Microsoft Management Console (MMC).
Dependencies: Plug and Play, Remote Procedure Call (RPC), Logical Disk Manager Administrative Service
Suggestion: Automatic
Logical Disk Manager Administrative Service
Microsoft: Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
Supplement: Used only by the Disk Management functions of the Microsoft Management Console (MMC).
Dependencies: Plug and Play, Remote Procedure Call (RPC), Logical Disk Manager
Suggestion: Manual
Messenger
Microsoft: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: Lets the network deliver pop-up messages such as net send; turn it off if you do not want to be harassed.
Dependencies: NetBIOS Interface, Plug and Play, Remote Procedure Call (RPC), Workstation
Suggestion: Disabled
MS Software Shadow Copy Provider
Microsoft: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
Supplement: As above; the MS Backup program needs this service for backups.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Net Logon
Microsoft: Supports pass-through authentication of account logon events for computers in a domain.
Supplement: A home computer is unlikely to use domain logon authentication.
Dependencies: Workstation
Suggestion: Disabled
NetMeeting Remote Desktop Sharing
Microsoft: Enables an authorised user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that depend on it will fail to start.
Supplement: As above, it lets users share control of their computer with other users on the intranet or the Internet. If you value security and do not want one more back door open, close it.
Suggestion: Disabled
Network Connections
Microsoft: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Supplement: Controls your network connections.
Dependencies: Remote Procedure Call (RPC), Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Suggestion: Manual
Network DDE (Network DDE)
Microsoft: Provides network transmission and security for Dynamic Data Exchange (DDE) for programs executed on the same or different computers. If this service is stopped, DDE transmission and security will not be used. If this service is deactivated, any service that explicitly depends on it will not start.
Added: It seems that ordinary people can't use it
Dependencies: Network DDE DSDM, ClipBook
Suggestion: Discontinued
Network DDE DSDM (Network DDE DSDM)
Microsoft: Dynamic Information Data Exchange (DDE) Network Sharing. If this service is stopped, the DDE network share will not be available. If this service is deactivated, any service that explicitly depends on it will not start.
Added: It seems that ordinary people can't use it
Dependency: Network DDE
Suggestion: Discontinued
Network Location Awareness (NLA)
Microsoft: Collects and stores network settings and location information, and notifies the application when this information changes.
Added: If you do not use ICF and ICS, you can turn it off
Dependencies: AFD network support environment, TCP/IP Procotol Driver, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Suggestion: Discontinued
NT LM Security Support Provider (NTLM Security Support Provider)
Microsoft: Provides security for remote procedure call (RPC) programs that are not transported using named pipes.
Added: If you don't use Message Queuing or Telnet Server, turn it off
Dependency: Telnet
Suggestion: Discontinued
Performance Logs and Alerts
Microsoft: Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Of little value on most machines.
Suggestion: Disabled
Plug and Play
Microsoft: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Note: As the name says, it is the PnP environment.
Dependencies: Logical Disk Manager, Logical Disk Manager Administrative Service, Messenger, Smart Card, Telephony, Windows Audio
Suggestion: Automatic
Portable Media Serial Number
Microsoft: Retrieves the serial number of any portable music player connected to your computer.
Note: Reads the serial number of a connected portable music player. Of no value on a server.
Suggestion: Disabled
Print Spooler
Microsoft: Loads files into memory for later printing.
Note: If there is no printer, you can turn it off.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Protected Storage
Microsoft: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Note: Used to store saved passwords on your computer, for example those of Outlook, dial-up connections and other client/server applications.
Dependency: Remote Procedure Call (RPC)
Suggestion: Automatic
QoS RSVP
Microsoft: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Note: This is the service behind the well-known "20% reserved bandwidth" setting (a ceiling on what QoS-aware applications may reserve, not bandwidth that is taken away from you). If your network card does not support 802.1p, or there is no ACS server in your domain, there is no reason to keep it; turn it off.
Dependencies: AFD Networking Support Environment, TCP/IP Protocol Driver, Remote Procedure Call (RPC)
Suggestion: Disabled
Remote Access Auto Connection Manager
Microsoft: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Note: Some DSL/cable providers may need this to handle the logon procedure.
Dependencies: Remote Access Connection Manager, Telephony
Suggestion: Manual
Remote Access Connection Manager
Microsoft: Creates a network connection.
Note: Used when you go online.
Dependencies: Telephony, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Remote Access Auto Connection Manager
Suggestion: Manual
Remote Desktop Help Session Manager
Microsoft: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
Note: As described above; turn off Remote Assistance if you do not use it.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Remote Procedure Call (RPC)
Microsoft: Provides the endpoint mapper and other miscellaneous RPC services.
Note: Many components depend on it; do not touch it.
Dependencies: Too many to list; check for yourself.
Suggestion: Automatic
Remote Procedure Call (RPC) Locator
Microsoft: Manages the RPC name service database.
Note: As described above; it is rarely used on a normal computer, so you can try turning it off.
Dependency: Workstation
Suggestion: Disabled
Remote Registry
Microsoft: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: For security reasons, disable it unless you have a specific need for someone to edit your registry remotely (for example during remote assistance).
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Removable Storage
Microsoft: (no description)
Note: Unless you have a Zip drive, removable USB hardware or a tape backup device, you can try turning it off.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Routing and Remote Access
Microsoft: Offers routing services to businesses in local area and wide area network environments.
Note: As described above, it provides dial-in access to the LAN and VPN service; most users have no use for it.
Dependencies: Remote Procedure Call (RPC), NetBIOSGroup
Suggestion: Disabled
Secondary Logon
Microsoft: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Lets you run a program as a different user (Run As) without logging off.
Suggestion: Automatic
Security Accounts Manager
Microsoft: Stores security information for local user accounts.
Note: Holds the local account and group database (the SAM); leave it alone.
Dependencies: Remote Procedure Call (RPC), Distributed Transaction Coordinator
Suggestion: Automatic
Server
Microsoft: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Simply put, file and printer sharing. Unless you share files or printers with other computers, turn it off.
Dependency: Computer Browser
Suggestion: Disabled
Shell Hardware Detection
Microsoft: Provides notifications for AutoPlay hardware events.
Note: Generally used with memory cards, CD and DVD drives.
Dependency: Remote Procedure Call (RPC)
Suggestion: Automatic
Smart Card
Microsoft: Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: If you do not use smart cards, you can turn it off.
Dependency: Plug and Play
Suggestion: Disabled
Smart Card Helper
Microsoft: Enables support for legacy non-plug-and-play smart card readers used by this computer. If this service is stopped, this computer will not support legacy readers. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: If you do not use smart cards, you can turn it off.
Suggestion: Disabled
SSDP Discovery Service
Microsoft: Enables discovery of UPnP devices on your home network.
Note: As described above, Universal Plug and Play (UPnP) lets the computer find and use devices on the network, searching over TCP/IP for things like scanners, digital cameras or printers. Unless you use UPnP, turn it off for safety.
Dependency: Universal Plug and Play Device Host
Suggestion: Disabled
System Event Notification
Microsoft: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Note: As described above.
Dependency: COM+ Event System
Suggestion: Automatic
System Restore Service
Microsoft: Performs system restore functions. To stop the service, turn off System Restore from the System Restore tab in My Computer > Properties.
Note: Rolls the computer back to an earlier state; turn it off if you do not use it.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Task Scheduler
Microsoft: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Runs scheduled jobs such as periodic disk scans, scheduled virus scans, updates and so on.
Dependency: Remote Procedure Call (RPC)
Suggestion: Automatic
TCP/IP NetBIOS Helper
Microsoft: Enables support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Note: If your network does not use NetBIOS or WINS, you can turn it off.
Dependencies: AFD Networking Support Environment, NetBT
Suggestion: Disabled
Telephony
Microsoft: Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Note: Ordinary dial-up modems and some DSL/cable connections may use it.
Dependencies: Plug and Play, Remote Procedure Call (RPC), Remote Access Connection Manager, Remote Access Auto Connection Manager
Suggestion: Manual
Telnet
Microsoft: Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Allows remote users to log on to this computer with Telnet. Many people think that turning it off stops them from reaching Telnet BBSes; it does not, because this is the Telnet server, not the client. For security reasons, disable it unless you have a specific need for it.
Dependencies: NT LM Security Support Provider, Remote Procedure Call (RPC), TCP/IP Protocol Driver
Suggestion: Disabled
Terminal Services
Microsoft: Allows multiple users to be connected interactively to a machine, as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Note: Turn it off if you do not need Remote Desktop or Remote Assistance.
Dependencies: Remote Procedure Call (RPC), Fast User Switching Compatibility, InteractiveLogon
Suggestion: Disabled
Themes
Microsoft: Provides user experience theme management.
Note: Many people use themes, but if nobody on this machine does, you can turn it off.
Suggestion: Automatic
Uninterruptible Power Supply
Microsoft: Manages an uninterruptible power supply (UPS) connected to the computer.
Note: Is a UPS of any use to an ordinary user? Unless you have one connected, turn it off.
Suggestion: Disabled
Universal Plug and Play Device Host
Microsoft: Provides support to host Universal Plug and Play devices.
Note: Used to detect and install Universal Plug and Play (UPnP) devices such as digital cameras or printers.
Dependency: SSDP Discovery Service
Suggestion: Disabled
Volume Shadow Copy
Microsoft: Manages and implements volume shadow copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As described above; the Windows Backup program needs this service.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
WebClient
Microsoft: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: The WebDAV client, used to upload files or folders to web servers; for security reasons you can try turning it off.
Dependency: WebDav Client Redirector
Windows Audio
Microsoft: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: If you have no sound card, you can turn it off.
Dependencies: Plug and Play, Remote Procedure Call (RPC)
Suggestion: Automatic
Windows Image Acquisition (WIA)
Microsoft: Provides image acquisition services for scanners and cameras.
Note: A scanner or digital camera that supports WIA can be used directly without a separate driver, so users without a scanner or camera can turn it off.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Windows Installer
Microsoft: Installs, repairs and removes software according to instructions contained in .MSI files.
Note: A system service that helps users install, configure, track, upgrade and remove software correctly. It manages a standard format for application setup and installation, and tracks components such as file groups, registry entries and shortcuts.
Dependency: Remote Procedure Call (RPC)
Suggestion: Manual
Windows Management Instrumentation (WMI)
Microsoft: Provides a common interface and object model to access management information about the operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As described above, it is the standard infrastructure for monitoring and managing system resources; do not touch it.
Dependencies: Event Log, Remote Procedure Call (RPC)
Suggestion: Automatic
Windows Management Instrumentation Driver Extensions
Microsoft: Provides systems management information to and from drivers.
Note: An extension of Windows Management Instrumentation that supplies driver information.
Suggestion: Manual
Windows Time
Microsoft: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Keep it if you synchronize the clock over the network, otherwise turn it off. Bear in mind that accurate, synchronized clocks matter when you later correlate log entries across machines, as discussed in the intrusion detection section.
Suggestion: Disabled
Wireless Zero Configuration
Microsoft: Provides automatic configuration for 802.11 adapters.
Note: Automatically configures wireless network devices; unless you use a wireless network adapter you have no need for it.
Dependencies: NDIS Usermode I/O Protocol, Remote Procedure Call (RPC)
Suggestion: Disabled
WMI Performance Adapter
Microsoft: Provides performance library information from WMI HiPerf providers.
Note: As described above.
Dependency: Remote Procedure Call (RPC)
Suggestion: Disabled
Workstation
Microsoft: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Provides functions that networking relies on (it is the client side of file sharing).
Dependencies: Alerter, Background Intelligent Transfer Service, Computer Browser, Messenger, Net Logon, Remote Procedure Call (RPC) Locator
Suggestion: Automatic
"ClipBook" (ClipBook server): lets other users on your network see the pages in your ClipBook. I strongly recommend changing it to Manual and using another program to publish information on your network.
"Messenger": sends and receives messages (net send and Alerter notifications) on the network. If you have turned off Alerter, you can safely change it to Manual.
"Print Spooler": if you have no printer configured, set it to Manual or simply turn it off.
"Error Reporting Service": reports errors from services and applications running in non-standard environments. Set it to Manual.
"Fast User Switching Compatibility": set it to Manual.
"Automatic Updates": already mentioned above; it can be set to Manual here.
"Net Logon": handles network security functions such as logon information. You can set it to Manual.
"Network DDE" and "Network DDE DSDM" (Dynamic Data Exchange): unless you intend to share Office data over the network, set them to Manual. Note: this is unrelated to ordinary use of Office in a business setting (you will know if you need DDE).
"NT LM Security Support Provider": provides security for network applications. Set it to Manual.
"Remote Desktop Help Session Manager": set it to Manual.
"Remote Registry": enables remote users to modify registry settings on this computer. Set it to Manual.
"Task Scheduler": enables users to configure and schedule automated tasks on this computer, such as a weekly defragmentation. Unless you are too lazy even to turn the computer on yourself, set it to Manual.
"Uninterruptible Power Supply": manages your UPS. If you have none, set it to Manual or simply turn it off.
"Windows Image Acquisition (WIA)": provides image acquisition for scanners and cameras. If you have no such devices, set it to Manual or simply turn it off.
5. After setting up a server, scan the machine for vulnerabilities with a scanning tool first, then open or close ports as needed. Install SP4 or later on Windows 2000 and SP2 on Windows XP.
The recommended scanner is X-SCAN.
Running Windows Update regularly (Start > Windows Update) is a good habit.
6. Closing unneeded ports on Windows 2000
Each service listens on a corresponding port: the well-known WWW service uses port 80, SMTP port 25, FTP port 21, and a default Windows 2000 installation enables all of them. An individual user does not need them. Closing a port means shutting down the service behind it.
Configure this in Control Panel > Administrative Tools > Services.
1. Close ports 7, 9, 13, 17 and 19: stop Simple TCP/IP Services, which provides the Echo (7), Discard (9), Daytime (13), Quote of the Day (17) and Character Generator (19) services.
2. Close port 80: stop the WWW service, shown in Services as "World Wide Web Publishing Service", which provides web connectivity and administration through the Internet Information Services snap-in.
3. Close port 25: stop the Simple Mail Transport Protocol (SMTP) service, which sends e-mail across the network.
4. Close port 21: stop the FTP Publishing Service, which provides FTP connectivity and administration through the Internet Information Services snap-in.
5. Close port 23: stop the Telnet service, which allows remote users to log on to the system and run console programs from the command line.
6. Another very important one is the Server service, which provides RPC support and file, printer and named-pipe sharing. Stopping it removes the Win2k default shares such as IPC$, C$ and ADMIN$. Unless the machine needs to share files or printers, or to be administered remotely through those shares, stopping it will not affect normal operation.
7. Then there is port 139, the NetBIOS Session port, used for file and printer sharing. Note that a Unix machine running Samba also has port 139 open, for the same purpose. In the past, the Fluxay (流光) 2000 scanner identified the remote host type poorly, apparently treating anything with port 139 open as an NT machine; it has since been fixed.
To stop listening on port 139, open the properties of "Internet Protocol (TCP/IP)" for "Local Area Connection" under "Network and Dial-up Connections", go to "Advanced" > "WINS", and select "Disable NetBIOS over TCP/IP". Port 139 is closed as soon as you do. Note that on Windows 2000 file sharing also listens directly on TCP port 445, which this setting does not close; check with netstat -an after the change.
For an individual user, the safest option is to set the startup type to "Disabled" in each service's properties, so that the service cannot be restarted and reopen its port.
7. Security configuration of Win2000 Server. A carefully configured Win2000 server can fend off more than 90% of intrusions and probes. However, as I said at the end of the previous chapter, system security is a continuous process. With new vulnerabilities appearing and server applications changing, the security state of the system changes constantly. At the same time, attack and defense are two sides of one contradiction: as the defenses rise a foot, the attacks rise ten. So no matter how skilled the administrator, he cannot guarantee that a server in production will never be broken into over a long period.
Therefore, a securely configured server is not the end of the security work; on the contrary, it is the beginning of a long and tedious job. In this article we briefly discuss introductory intrusion detection techniques for Win2000 Server, in the hope of helping you keep a server secure over the long term.
Intrusion detection here means detection using the built-in functions of Win2000 Server and software or scripts the administrator writes himself. Techniques based on firewalls or intrusion detection systems (IDS) are outside the scope of this article.
Now assume we have a Win2000 Server that has already had its preliminary security configuration done (for the details, see Win2000 Server Security Configuration Introduction <I>). In that state most intruders will be turned away. (Great, the administrator can go home and sleep.) Not so fast: I said most, not all. A server with only a preliminary security configuration can fend off most script kiddies (people who can only break into servers with programs other people wrote), but against a real expert it is still vulnerable. Real experts do not casually break into other people's servers, but it is hard to guarantee that one of the few malicious ones has not taken a liking to yours. (Am I really that unlucky?) Moreover, there is often a gap between the discovery of a vulnerability and the release of its patch, during which anyone who knows about the vulnerability can take advantage of it. This is where intrusion detection becomes very important.
Intrusion detection is organized mainly by application: for each service you provide there should be a corresponding detection and analysis regime protecting it. For a typical host, pay attention to the following areas:
1. Detecting intrusions over port 80
The WWW service is probably the most common service of all, and because it faces a large number of users, its traffic and complexity are high, and it has the most vulnerabilities and intrusion techniques. On NT, IIS has always been a headache for administrators (I would love to just close port 80), but fortunately IIS's built-in logging can be a powerful aid to intrusion detection. IIS log files live in the System32\LogFiles directory by default and usually roll over every 24 hours; the details can be configured in the IIS manager. (Configure it in as much detail as you like, but if you do not log enough, do not cry when you cannot find the intruder's IP.)
Now let us assume (why do you keep assuming, is it not annoying?) ... Don't worry, I cannot really hack a host in order to write this article, so I have to assume. Suppose a web server has the WWW service enabled and you are its administrator. You have configured IIS carefully, using the W3C extended log format and recording at least Time, Client IP, Method, URI Stem, URI Query and Protocol Status. We will use the recently popular Unicode vulnerability as the example. Open an IE window and enter in the address bar:
127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+dir
By default you will see a directory listing (what? you have done the security configuration and cannot see it? Restore the default installation, we need to run an experiment). Now look at what the IIS log recorded; open the log file (its name starts with "ex", for W3C extended format, followed by the date the log was written):
07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\ /c+dir 200
This line says that at 07:42:58 GMT (that is, 15:42:58 Beijing time) someone (the intruder) at IP 127.0.0.1 used the Unicode vulnerability on your machine (%c1%1c is decoded to "\"; the exact sequence differs between Windows language versions), with the argument /c dir, and the request succeeded (HTTP status 200 means a normal response). (Wow, such a complete record; I won't dare play with Unicode carelessly again.)
In most cases the IIS log faithfully records every request it receives (there are special attacks IIS does not record, which we discuss later), so a good administrator should use it to discover intrusion attempts and protect the system. However, IIS logs often run to tens of megabytes, and on a busy site even tens of gigabytes; checking them by hand is nearly impossible, and the only option is log analysis software. Writing a log analyser (really just a text filter) in any language is easy. But given real-world situations (the administrator cannot program, or no log analysis tool is at hand on the server), here is a simple method. For example, to find out whether someone has tried to fetch a particular file through port 80, use the following command:
find "" /i
The find command is a tool that ships with NT (so you need not worry about finding it in an emergency) and easily pulls the string you want out of a text file: the quoted string is the pattern to search for, followed by the log file to filter, and /i means ignore case. Since I have no intention of turning this article into a Microsoft help document, see the Win2000 help for the other parameters of this command and its enhanced version.
Whether you use log analysis software or the find command, you can build a list of sensitive strings covering known IIS vulnerabilities (such as "+.htr") and resources that future vulnerabilities are likely to call. Filter the logs against this continually updated list and you will learn of the intruder's actions at the earliest opportunity.
Note that any log analysis software consumes system resources, so for a low-priority task such as IIS log analysis it is more appropriate to run it automatically during idle hours at night. If you also write a script that sends the filtered suspicious lines to the administrator, even better. If the sensitive string list is large and the filtering rules are complex, it is more economical to write a dedicated program in C.
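The text filter described above, written out as a small log analyser rather than a find command. This is an added example for this article, not the author's tool or anything from IIS: it parses the W3C extended format using the #Fields header, reproduces the lax percent-decoding the article relies on (%c1%1c becoming "\") so that a traversal is recognised whether the log holds the raw or the already-decoded URI, and then applies a sensitive-string list. The log lines, the field set, the "cmd.exe" and "/c+dir" strings and the client addresses are all constructed for the example; the decoder is a simplified model of the flaw, not IIS's own code.

```python
"""Scan IIS W3C extended log entries for the Unicode directory-traversal
probes discussed above.  Added example for this article, not IIS's or the
author's code.  Runs offline on the constructed SAMPLE_LOG below; pass a real
ex*.log path on the command line to scan that file instead."""

import re
import sys
from dataclasses import dataclass

FIELDS_PREFIX = "#Fields:"

# Constructed sample in the W3C extended format the article describes.
# Lines 2 and 3 carry the still-encoded probe, line 4 the decoded form IIS
# itself logs, line 5 a request for an .htr resource.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-01 07:40:01
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:40:01 10.0.0.5 GET /default.htm - 200
07:42:58 127.0.0.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
07:43:10 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
07:44:00 10.0.0.9 GET /scripts/..\../winnt/system32\cmd.exe /c+dir 200
07:45:00 10.0.0.9 GET /default.htr - 404
07:46:30 10.0.0.7 GET /images/logo.gif - 200
"""

# The "sensitive string" table the article recommends.  "+.htr" is the
# article's example; the remaining entries are my own additions.
SENSITIVE = ("+.htr", ".htr", "cmd.exe", "/winnt/system32", "/c+dir")


def iis_lenient_decode(uri: str) -> str:
    """Percent-decode like a lax decoder: any two-byte sequence is combined as
    ((b1 & 0x1F) << 6) | (b2 & 0x3F) without checking that the lead byte is
    legal or that the second byte is a continuation byte.  That reproduces the
    behaviour the article relies on (%c0%af -> '/', %c1%1c -> '\\'); it is a
    simplified model for this example, not IIS's own code."""
    raw = bytearray()
    i = 0
    while i < len(uri):
        if uri[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", uri[i + 1:i + 3]):
            raw.append(int(uri[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(uri[i].encode("utf-8"))
            i += 1
    out = []
    j = 0
    while j < len(raw):
        b = raw[j]
        if 0xC0 <= b <= 0xDF and j + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[j + 1] & 0x3F)))
            j += 2
        else:
            out.append(chr(b))
            j += 1
    return "".join(out)


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split()
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields header")
            values = line.split()
            if len(values) == len(fields):      # skip malformed lines
                yield dict(zip(fields, values))


@dataclass
class Hit:
    time: str
    client_ip: str
    uri: str
    reasons: list


def scan(text: str, sensitive=SENSITIVE):
    """Return requests that leave the web root after decoding, or contain a
    sensitive string (case-insensitive), the check the find command does by hand."""
    hits = []
    for rec in parse_w3c(text):
        stem = iis_lenient_decode(rec.get("cs-uri-stem", "-")).replace("\\", "/")
        query = iis_lenient_decode(rec.get("cs-uri-query", "-"))
        reasons = []
        if ".." in stem.split("/"):
            reasons.append("directory traversal after decoding")
        haystack = (stem + "?" + query).lower()
        reasons += [f"sensitive string {s}" for s in sensitive if s.lower() in haystack]
        if reasons:
            hits.append(Hit(rec.get("time", "-"), rec.get("c-ip", "-"), stem, reasons))
    return hits


def hits_by_ip(hits):
    """Count flagged requests per client address, the first thing to look at."""
    counts = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in scan(text):
        print(f"{h.time} {h.client_ip} {h.uri}: {'; '.join(h.reasons)}")
    print(hits_by_ip(scan(text)))
```

Decoding before matching is the point of the example: a plain string search for "..\" misses the encoded form, and one for "%c1%1c" misses both the other encodings and the decoded line IIS writes, whereas a traversal check on the decoded path catches all three.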
2. Detection based on the security log
Through IIS-log-based monitoring we can learn about snoopers in advance (mishandle them and a snooper becomes an intruder at any moment), but the IIS log is not omnipotent; in some cases it cannot even record an intrusion over port 80. From my analysis of the IIS logging system, IIS writes to the log only after a request has completed. In other words, if a request fails midway there is no trace of it in the log (failing midway does not mean an HTTP 400-class error, but the HTTP request never completing at the TCP layer, for example an abnormal interruption during a large transfer). This makes it possible for an intruder to carry out a lot of activity while bypassing the log.
Moreover, on a host that is not 80-only, an intruder can also get in through other services, so a complete security monitoring setup is essential.
Win2000 ships with a powerful security logging system that records in great detail, from user logons to the use of privileges. Unfortunately, security auditing is turned off in a default installation, which is why some hosts cannot trace the intruder after being hacked. So the first thing to do is enable the necessary audits under Administrative Tools > Local Security Policy > Local Policies > Audit Policy. In general, logon events and account management are the events we care about most, and both success and failure should be audited for them. For the other categories, audit failures at least, so that the intruder is exposed at any misstep as he feels his way forward. Turning on auditing alone does not settle the matter: without a sensible configuration of the security log's size and overwrite policy, a sophisticated intruder can bury his real tracks under a flood of forged events. Typically, setting the security log size to 50 MB and allowing only events older than 7 days to be overwritten avoids this. Be aware that with that policy the log stops recording once it fills up within the 7 days, so check after a busy week that 50 MB is actually enough.
A security log that nobody reads is almost as bad as none at all (its one advantage is that you can trace the intruder after the fact). So it is just as important to set up a routine for checking it. I recommend checking the security log every morning, because intruders prefer to work at night (it is faster then; nobody wants the connection to drop halfway through an intrusion). Check the log for anything abnormal first thing in the morning and then get on with the rest of your day in peace. If you like, write a script that mails you the security log every day (but do not trust it too much: if some expert modifies your script, it will cheerfully report "all quiet" every day...).
Besides the security log, the system and application logs are also very good auxiliary monitoring tools. Generally an intruder leaves traces not only in the security log (if he gets Admin rights he will certainly clear them) but also in the system and application logs. As an administrator you must refuse to let any anomaly pass, and then it becomes hard for an intruder to hide.
3. File access log and key file protection
In addition to the system's default security auditing, we should also add file access auditing for key files so that accesses to them are recorded.
There are many auditable file operations: read, modify, execute, create, change attributes... Generally speaking, concentrating on read and modify already gives good monitoring coverage.
For example, if we audit modification and creation in the system directories, and even reads of some important files (in the system32 directory, for instance), it becomes hard for an intruder to plant a backdoor without attracting our attention. Note that the number of key files and items under audit should not be too large, otherwise it not only burdens the system but also drowns the daily log review.
(Which system administrator has the patience to read four or five thousand junk log entries every day?)
Key files are not only system files; they include any file whose exposure could endanger the system administrator or other users, such as the administrator's configuration files, desktop files and so on. These may be used to steal administrator information or passwords.
4. Process monitoring
Process monitoring is another powerful weapon for tracking down Trojans and backdoors. More than 90% of Trojans and backdoors exist as processes (there are Trojans that exist in other forms; see "Revealing the Mystery of Trojans III"). As a system administrator, understanding every process running on the server is part of the job (otherwise, never mind security, there is no way even to tune the system). It is well worth keeping a list of the processes that run on each server, so that an intruding process can be spotted at a glance. Processes running under unexpected users, or with abnormal resource usage, may be illegal. Besides processes, DLLs are also dangerous: for example, a Trojan originally written as an exe can be rewritten as a dll and loaded with rundll32, which is much harder to notice.
5. Registration Check
Generally speaking, Trojans and backdoors use the registry to get themselves started again, so checking the registry is also a common way to discover an intrusion. If the intruder only knows how to use the popular Trojans, the search is relatively easy, since an ordinary Trojan can only write a few specific keys (Run, RunOnce and so on). But for someone who can write or modify Trojans himself, there is nowhere in the registry he cannot hide, and searching by hand is hopeless. (Registry hiding techniques are endless; a particularly noteworthy one is FakeGina, which uses the WINNT external logon DLL (GinaDLL) to capture user passwords and has become quite popular recently. Once you are hit, the password of every user who logs in is recorded. I will not go into the specific countermeasures here.) The answer is to monitor every change to the registry, so that a Trojan which rewrites the registry cannot hide. There are many registry monitoring tools, and many Trojan hunters have this function built in. A monitoring tool plus regular backups of the registry is the right combination: if the registry is modified without authorization, the system administrator can restore it in the shortest time.
6. Port monitoring
Although Trojans that use no port at all have appeared, most backdoors and Trojans still use TCP connections. Monitoring port status is very important on hosts that, for whatever reason, cannot block ports. We will not discuss IDS systems built on advanced NDIS network card programming here. For a system administrator, knowing the open ports on his server is even more important than monitoring processes. Running netstat often to view the server's port status is a good habit, but it cannot be done 24 hours a day. Moreover, NT's security log has the bad habit of recording machine names instead of IP addresses (I don't know what Bill Gates was thinking). If you have no firewall and no intrusion detection software, you can use a script to log IP addresses. Look at this command:
netstat -n -p tcp 10>>
This command checks the state of TCP connections automatically every 10 seconds. Based on this command we make a file:
time /t>>
netstat -n -p tcp 10>>
This script records the time and the TCP connection state automatically. Note that on a busy website this consumes some CPU time and the log file keeps growing, so use it with care. (Polish the script a little and it is perfect; who would still buy a firewall? :)
Once a suspicious port is found, a special program can be used to associate the port with its executable file and process (inzider, for instance, can discover the ports the server is listening on and find the files associated with them; inzider can be downloaded from ), so that neither TCP nor UDP Trojans have anywhere to hide.
7. Log monitoring of terminal services
There is a reason for treating the log monitoring of Terminal Services separately. Terminal Services, the terminal service that ships with the Win2000 Server edition, is a tool based on the Remote Desktop Protocol (RDP). It is fast and stable and makes a good remote administration tool. But precisely because it is so powerful and protected only by a password, it is also very dangerous: once an intruder has an administrator password, he can operate the remote server as if he were sitting at it (no advanced NT command-line skills, no special scripts or programs; anyone who can use a mouse can perform every administrative operation. Too convenient, and frightening). Although many people use Terminal Services for remote administration, not everyone knows how to audit it, and most terminal servers do not have terminal logging enabled. In fact enabling the audit is easy: open Terminal Services Configuration in Administrative Tools, click "Connections", right-click the RDP service you want to configure (such as RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced" at the lower left, and in the Advanced dialog look at the tabs at the top. Add the Everyone group, which stands for all users, then audit success and failure of "Connect", "Disconnect", "Logoff" and "Logon". Don't audit too much. These audits are written to the security log and can be viewed under Administrative Tools → Event Viewer. Now you know who logged in and when; the only drawback is that this shoddy thing does not record the client's IP (only the IPs of currently connected users can be checked) and instead records the machine name, which looks fancy but is useless. And if someone names his machine PIG, you simply have to put up with the insult. I don't know what Microsoft was thinking. It seems we cannot rely entirely on Microsoft; shall we do it ourselves?
Write a program and it's all done. Can you write C? No? VB? No? Delphi? ... What? You don't know any programming language? Well, after all a system administrator is not a programmer. Don't worry, I'll find a way for you: create a batch file that records the IP of whoever logs in, with the following content:
time /t >>
netstat -n -p tcp | find ":3389">>
start Explorer
Let me explain the meaning of this file:
The first line records the time the user logs in. time /t simply returns the system time (without /t the system would wait for you to enter a new time), and the append operator ">>" writes this time into the log as the time field;
The second line records the user's IP address. netstat displays the current network connections; -n shows IP addresses and ports instead of host names and service names; -p tcp shows only the TCP protocol. The pipe "|" feeds the output to the find command, which picks out the lines containing ":3389" (these are the lines holding the client IPs we want; if you have changed the terminal service port, this value must be changed accordingly). Finally the result is again redirected into the log file, so the records in the file look like this:
22:40
TCP    192.168.12.28:3389     192.168.10.123:4903    ESTABLISHED
22:54
TCP    192.168.12.28:3389     192.168.12.29:1039     ESTABLISHED
In other words, as soon as this file runs, every IP connected to port 3389 is recorded. So how do we make the batch file run automatically? Terminal Services lets us customise the program started for a user. In Terminal Services Configuration we override the user's logon script setting and specify the script to run when the user logs on, so every user must execute this script after logging in. Because the default program (the equivalent of the shell environment) is Explorer, I added the command start Explorer on the last line to start Explorer. Without this line the user cannot get to the desktop! Of course, if you only need to give the user a specific shell:
For example, you can replace start Explorer with any other shell. The script can be written in other ways too; as a system administrator, use your imagination and the resources you have. For an important server, for instance, a script that mails the IP of every logged-in user to your own mailbox is also a good idea. Under normal circumstances ordinary users have no permission to look at the Terminal Services settings, so they will not know that you audit the logon IPs; just put the batch file and the log in a fairly hidden directory. Note, however, that this is only a simple terminal service logging policy without much in the way of security measures or permission controls. If the server has higher security requirements, it still has to be done through programming or by buying intrusion detection software.
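As an added example (not part of the original text), the following Python script reads the log format the batch file produces (a time /t line followed by netstat lines), pairs each connection with its timestamp, and flags established RDP sessions from addresses outside an allowed range. The sample log and the allowed range are constructed; the parser checks the local port instead of relying on the ":3389" substring match, so it also works if the port is changed.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the format shown above (not a real capture).
SAMPLE_LOG = """\
22:40
TCP    192.168.12.28:3389     192.168.10.123:4903    ESTABLISHED
22:54
TCP    192.168.12.28:3389     192.168.12.29:1039     ESTABLISHED
23:07
TCP    192.168.12.28:3389     203.0.113.45:51022     ESTABLISHED
TCP    192.168.12.28:3389     192.168.12.29:1041     TIME_WAIT
"""

RDP_PORT = 3389  # keep in step with the port used by the batch file / registry

# "time /t" output; the optional AM/PM suffix covers locales that print it.
TIME_RE = re.compile(r"^\s*(\d{1,2}:\d{2}(?:\s*[AP]M)?)\s*$")
# One netstat -n -p tcp line: proto, local addr:port, remote addr:port, state.
CONN_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


@dataclass(frozen=True)
class RdpLogin:
    time: str         # timestamp line that preceded this connection
    client_ip: str    # remote address of the RDP client
    client_port: int
    state: str        # netstat connection state, e.g. ESTABLISHED


def parse_rdp_log(text: str, rdp_port: int = RDP_PORT) -> list[RdpLogin]:
    """Attach each connection line to the most recent timestamp line."""
    logins: list[RdpLogin] = []
    current_time = "??:??"  # connections logged before any time line
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            current_time = m.group(1)
            continue
        m = CONN_RE.match(line)
        # Only keep connections where *our* side is the RDP listener.
        if not m or int(m.group("lport")) != rdp_port:
            continue
        logins.append(
            RdpLogin(current_time, m.group("raddr"),
                     int(m.group("rport")), m.group("state"))
        )
    return logins


def flag_unexpected(logins: list[RdpLogin],
                    allowed_networks: list[str]) -> list[RdpLogin]:
    """Return established sessions whose client is outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [
        login for login in logins
        if login.state == "ESTABLISHED"
        and not any(ipaddress.ip_address(login.client_ip) in net for net in nets)
    ]


if __name__ == "__main__":
    sessions = parse_rdp_log(SAMPLE_LOG)
    for s in sessions:
        print(f"{s.time}  {s.client_ip}:{s.client_port}  {s.state}")
    # Constructed allowed range: the administrators' own LAN.
    for s in flag_unexpected(sessions, ["192.168.0.0/16"]):
        print(f"ALERT: RDP session from outside the LAN: {s.client_ip} at {s.time}")
```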
8. Trap technology
Early trap technology was just a disguised port service used to detect scans. As the spear and the shield keep escalating, today's trap services or trap hosts have become more and more complete and look more and more like real services. They can not only catch half-open scans but also imitate the service's responses and record the intruder's behaviour, which helps to determine who the intruder is.
I am not very interested in trap technology. From a technician's point of view, keeping a low profile is more in line with the principle of safety; secondly, a trap host turned into a springboard for intruders is not only found in novels but is common in real life. If the trap itself is compromised and used to attack others, you have lost the rice while trying to steal the chicken.
I remember something CoolFire said that can close this introduction to trap technology: don't enter other people's systems casually when you don't understand the situation, because you can never know in advance whether the system administrator is a real idiot or a genius pretending to be one...
That is the introductory part of intrusion monitoring. In practice, the system administrator's command of the basics directly determines his security sensitivity. Only an experienced, knowledgeable and careful administrator can find the intruder's shadow from a few clues, prepare in advance, and stop the intrusion.
1. In principle, turn off all unused services, install no software unrelated to the server's role, and apply all patches.
Changing port 3389
Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\Repwd\Tds\Tcp you will see PortNumber with the value 0xd3d; this is hexadecimal for 3389. Change the value to XXXX (the port you want). This is the default value for RDP (Remote Desktop Protocol), i.e. it is used to configure RDP services created in the future. To change an RDP service that already exists, go to the next key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations. There should be one or more subkeys named like RDP-TCP (depending on how many RDP services you have created); change the PortNumber there as well.
Changing where the system logs are saved
Default locations:
Application log, security log, system log and DNS log: %systemroot%\system32\config; the default file size is 512KB, and the administrator can change this default size.
Security log file: %systemroot%\system32\config\
System log file: %systemroot%\system32\config\
Application log file: %systemroot%\system32\config\
The default location of Internet Information Service FTP log: %systemroot%\system32\logfiles\msftpsvc1\, default one log per day
Internet Information Service WWW log default location: %systemroot%\system32\logfiles\w3svc1\, default one log per day
Scheduler service log default location: %systemroot%\
The locations of the application, security, system and DNS server log files are recorded in the registry under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
The Scheduler service log is recorded in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent
SQL: delete or rename
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
// AutoShareWks is for the Professional edition
// AutoShareServer is for the Server edition
// 0 Prohibit management sharing such as admin$, c$, d$, etc.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"restrictanonymous"=dword:00000001
//0x1 Anonymous users cannot list the local user list
//0x2 Anonymous users cannot connect to the local IPC$ share (with this value some things, SQL Server for example, cannot start)
Local security policy
Block TCP ports: 21 (FTP), 23 (Telnet), 53 (DNS), 135, 136, 137, 138, 139, 443, 445, 1028, 1433, 3389
TCP ports that can also be blocked: 1080, 3128, 6588, 8080 (the above are proxy ports), 25 (SMTP), 161 (SNMP), 67 (BOOTP)
Block UDP port: 1434 (no need to explain this one)
Block all ICMP, i.e. block ping
The above are the most commonly scanned ports; the others can be blocked as well, except of course 80, which is used for the web.
Audit policy:
Audit policy change: success, failure
Audit logon events: success, failure
Audit object access: failure
Audit process tracking: success, failure
Audit directory service access: failure
Audit privilege use: failure
Audit system events: success, failure
Audit account logon events: success, failure
Audit account management: success, failure
Password policy: enable "Password must meet complexity requirements", set "Minimum password length" to 6 characters, "Enforce password history" to 5 passwords remembered, and "Maximum password age" to 30 days.
Account lockout policy: set "Reset account lockout counter after" to 30 minutes, "Account lockout duration" to 30 minutes, and the account lockout value to 30 minutes.
Security options: Local Security Policy → Local Policies → Security Options → Additional restrictions for anonymous connections; double-click to set the effective policy and choose "Do not allow enumeration of SAM accounts and shares". This value means only non-NULL users may access SAM account information and share information; this is the option normally chosen.
Do not display the last logged-on user name on the logon screen:
Control Panel → Administrative Tools → Local Security Policy → Local Policies → Security Options
or change the registry:
set the string value DontDisplayLastUserName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 1
Disable NetBIOS over TCP/IP in the TCP/IP properties
Rename the default administrator account (no need to explain this), disable the Guest account, and allow only users in the Admin group to log on remotely, removing remote logon rights from all other users
Web directory user permission settings...
Do the following in turn:
a. Select the entire hard drive:
   SYSTEM: Full Control
   administrator: Full Control (allow inheritable permissions from the parent to propagate to this object)
b. \program files\common files:
   Everyone: Read and Execute, List Folder Contents, Read (allow inheritable permissions from the parent to propagate to this object)
c. \inetpub\wwwroot:
   IUSR_machine: Read and Execute, List Folder Contents, Read (allow inheritable permissions from the parent to propagate to this object)
e. \winnt\system32:
   Select all directories except inetsrv and centsrv,
   clear the "Allow inheritable permissions from parent to propagate to this object" box and choose Copy.
f. \winnt:
   Select all directories except downloaded program files, help, iis temporary compressed files, offline web pages, system32, tasks, temp and web,
   clear the "Allow inheritable permissions from parent to propagate to this object" box and choose Copy.
g. \winnt:
   Everyone: Read and Execute, List Folder Contents, Read (allow inheritable permissions from the parent to propagate to this object)
h. \winnt\temp: (allows database access and display on ASP pages)
   Everyone: Modify (allow inheritable permissions from the parent to propagate to this object)
(WIN2K3 is better; the defaults are already restricted)
Delete the default IIS directories
Remove all script mappings in IIS except .asa and .asp, unless you need other CGI programs (these cannot be removed on WIN2K3)
Review the server's log files regularly
Check whether the ASP programs have SQL injection vulnerabilities
Solution:
Add to the ASP program:
<%
dim listname
if not isnumeric(request("id")) then
    response.write "Error parameter"
    response.end
end if
' checks that id is numeric before it reaches a query (IsNumeric also accepts decimals; convert with CLng for a strict integer check)
%>
How do you make an ASP script run with system privileges?
Change the virtual directory your ASP script belongs to and set "Application Protection" to "Low"....
How to guard against ASP Trojans?
ASP Trojans based on the FileSystemObject component:
cacls %systemroot%\system32\ /e /d guests //deny guests
regsvr32 /u /s //unregister
To restore:
cacls %systemroot%\system32\ /e /p guests:r
regsvr32
Component-based ASP Trojans:
cacls %systemroot%\system32\ /e /d guests //deny guests
regsvr32 /u /s //unregister
To restore:
cacls %systemroot%\system32\ /e /p guests:r
regsvr32
Look up the cacls syntax: f is full control, c is change (write).
Save the attachment and change its extension to RAR; it holds the security policies for 2K and 2K3, borrowed from REISTLIN (thanks). Some of the points above are too simple and not fully written up. If you use a fixed IP, you can add an allow rule for your own IP to the security policy.
2. Stop the Messenger, Remote Registry Service and Task Scheduler services and any other services you do not need.
3. Installation procedure
Install components selectively
Do not accept the default Windows 2000 component selection. Following the principle "minimum services + minimum permissions = maximum security", install only the services you need. For example, do not install IIS unless the machine will be a web or FTP server. The smallest set of components a typical web server needs is: Internet Services Manager, the WWW server and the auxiliary services it depends on.
Join the network after installation
After installing Windows 2000, do not connect the server to the network immediately: none of the programs on it have been patched yet, it has all sorts of vulnerabilities, and it is very easy to infect or break into.
Patches should be applied in order after all applications are installed, because patches target specific applications and often replace or modify system files. If you install the patch first and the application afterwards, the patch may not have the intended effect. For example, an IIS HotFix has to be reinstalled every time the IIS configuration changes.
Also, if you are worried that a high IIS load will crash the server, you can enable CPU limiting under Performance, for instance limiting IIS to 70% of the CPU.
Set up and manage accounts correctly
1. Stop using the Guest account and give Guest a complicated password.
2. Keep the number of accounts as small as possible, and regularly use scanning tools to check the system's accounts, their permissions and passwords; delete disabled accounts. Commonly used scanners include Fluxay, HSCAN, X-SCAN, STAT SCANNER and so on. Configure account permissions correctly; passwords should be at least 8 characters and mix digits, upper- and lower-case letters and the shifted symbols on the number keys, which makes them hard to crack.
3. Make logging in harder. Under "Account Policies → Password Policy" set "Password must meet complexity requirements" to enabled, "Minimum password length" to 8 characters, "Enforce password history" to 5 and "Maximum password age" to 30 days; under "Account Policies → Account Lockout Policy" set "Account lockout threshold" to 3 invalid logons, "Account lockout duration" to 20 minutes and "Reset account lockout counter after" to 20 minutes, and so on. Making login harder is of great benefit to system security.
4. Rename the system's Administrator account to something that contains neither Admin nor similar words; then create a decoy account: a local account named "Administrator" with the lowest possible permissions, able to do nothing, and a super-complex password of more than 10 characters. This keeps script kiddies busy for a while and lets you discover their intrusion attempts.
5. Do not let the system display the last logged-in user name. The specific procedure is:
In the registry, set the value DontDisplayLastUserName under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to 1.
Properly set directory and file permissions
To control users' permissions on the server and guard against future intrusions and overflows, you must also set directory and file access rights carefully. Windows 2000 access permissions are: Read, Write, Read and Execute, Modify, List Folder Contents and Full Control. By default most folders grant Full Control to all users (the Everyone group), and you need to reset the permissions according to the needs of the application. When controlling permissions, remember the following principles:
1. Permissions accumulate. If a user belongs to two groups at once, he has all the permissions either group allows.
2. Deny overrides Allow (the deny rule is evaluated first). If a user belongs to a group that is denied access to a resource, he cannot access it no matter how many other permissions are granted to him.
3. File permissions take precedence over folder permissions.
4. Controlling permissions through user groups is a habit every mature system administrator must have.
5. Give users only the permissions they really need. The principle of least privilege is an important guarantee of security.
6. Guard against ICMP attacks. ICMP storm (flood) attacks and fragmentation attacks are troublesome attacks against NT hosts, but Windows 2000 handles them simply. Windows 2000 ships with the Routing & Remote Access tool, which already has the beginnings of a router, and in it we can easily define input and output packet filters. If you add an input filter that discards ICMP code 255, all incoming ICMP messages are discarded.
Network service security management
1. Close unwanted services
Keep only the necessary services; every additional service may bring additional security risk to the system. For example, Windows 2000's Terminal Services, IIS (web service), RAS (Remote Access Service) and so on may all have vulnerabilities.
2. Close unused ports
Open only the ports and protocols the services require.
The specific method is: open "Network Neighborhood → Properties → Local Area Connection → Properties → Internet Protocol → Properties → Advanced → Options → TCP/IP Filtering → Properties" in turn, and add the required TCP ports, UDP ports and IP protocols. Depending on which services are offered, commonly used TCP ports are: 80 for web services, 21 for FTP, 25 for SMTP, 23 for Telnet and 110 for POP3. Commonly used UDP ports are: 53 for DNS name resolution and 161 for SNMP, the Simple Network Management Protocol. Ports 8000 and 4000 are used by OICQ: the server receives on 8000 and the client sends on 4000.
3. Prohibit empty connection establishment
By default any user can connect to the server through a null session, enumerate the accounts and guess passwords. The port used for a null session is 139. Through a null session, files can be copied to the remote server and a scheduled task can be planned to execute them. This is a vulnerability. There are two ways to prevent null sessions:
(1) In the registry, set the value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous to 1.
(2) Modify the Windows 2000 local security policy: set RestrictAnonymous (Additional restrictions for anonymous connections) to "Do not allow enumeration of SAM accounts and shares".
First of all, a default Windows 2000 installation lets any user obtain the system's complete account and share lists through a null session. This was meant to make sharing resources and files on a LAN convenient, but any remote user can obtain your user list the same way and may then brute-force user passwords and damage the entire network. Many people only know to set the registry value Local_Machine\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 to forbid null-user connections. In fact Windows 2000's local security policy has a RestrictAnonymous option (on a domain server it is in the domain server security and domain security policies) with three values: "0" is the system default with no restrictions, letting remote users learn all accounts, group information, shared directories and network transport lists (NetServerTransportEnum) on your machine; "1" allows only non-NULL users to access SAM account information and share information; "2" is supported only by Windows 2000. Note that with value "2" resources can no longer be shared, so it is better to set the value to "1".
Network service security configuration
1. Change the default port. Terminal Services listens on port 3389 by default; consider changing it to another port. The method is:
Server side: open the registry, find the subkey named like RDP-TCP under "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" and change the PortNumber value.
Client side: create a client connection in the normal way, select it, choose Export from the "File" menu, and a file with the .cns extension is written to the location you specify. Open the file, change the "Server Port" value to match the server's PortNumber, and import the file (Menu → File → Import); the client now uses the new port.
2. Configure Internet Services Manager securely. The security configuration for the IIS service is as follows:
(1) Stop the default web site, create a new web site and set its home directory to another (non-inetpub) directory, preferably not on the same partition as the system. If you use the system's default web site, the server can be compromised with simpler attacks.
(2) Delete the Inetpub directory installed by default (on the disk where the system is installed).
(3) Delete the virtual directories on the system disk, such as: _vti_bin, IISSamples, Scripts, IIShelp, IISAdmin, MSADC.
3. Do not set up the FrontPage Server Extensions. If they are enabled, your home page files can be opened and modified remotely with FrontPage.
4. Delete unnecessary IIS extension mappings. The method is: right-click "Default Web Site → Properties → Home Directory → Configuration" to open the application mappings window and remove the mappings you do not need. If no other mapping is used, keep only the .asp and .asa mappings.
Safely manage data files
1. Back up regularly: data must be backed up frequently to a dedicated backup server, which can be isolated from the network once the backup is complete.
2. Turn off the default shares. After Windows 2000 is installed, the system creates some hidden shares (C$, D$ and so on), which can be viewed with the net share command at the command prompt; these shares need to be deleted. However, they are recreated when the machine restarts, so they need to be deleted after every startup.
3. Set file sharing permissions correctly. When setting up shared files, change the permissions from the "Everyone" group to "Authenticated Users", including for print shares, so that even someone who sees the share over the connection cannot view it.
4. Prevent file-name spoofing by showing all files and folders and showing file type extensions. For example, to stop malicious files with .txt or .exe extensions from being displayed as .txt files that you might open by accident, go to "My Computer → Tools → Folder Options → View", select "Show all files and folders" and clear "Hide file extensions for known file types".
5. Enable the Terminal Services security log, which is not enabled by default. Configure security auditing under "Terminal Services Configuration → Permissions → Advanced" to record logon and logoff events.
Enable logging and use software to monitor network traffic at all times
If anything abnormal is found, you can check the log file at any time: is someone attacking?
4. Optimization instructions for Windows services
Each entry gives Microsoft's own description of the service, a note, the related services (the Dependencies line lists services linked to this one in either direction, as the original list did) and a suggested startup type: Automatic, Manual or Disabled.
Alerter
Microsoft: Notifies selected users and computers of administrative alerts. If this service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: A home computer normally neither sends nor receives administrative alerts, unless it is used on a LAN.
Dependencies: Workstation
Suggestion: Disabled
Application Layer Gateway Service
Microsoft: Provides support for third-party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall.
Note: Can be turned off if you do not use Internet Connection Sharing (ICS) to give several computers Internet access, and do not use the Internet Connection Firewall (ICF).
Dependencies: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Suggestion: Disabled
Application Management
Microsoft: Provides software installation services such as Assign, Publish, and Remove.
Note: As above; used for software installation and modification (Group Policy software deployment).
Suggestion: Manual
Automatic Updates
Microsoft: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated from the Windows Update website.
Note: Lets Windows check for and download update patches from Microsoft's servers in the background.
Suggestion: Disabled (if you do, keep a manual patching routine; section 5 below still expects patches to be applied promptly)
Background Intelligent Transfer Service
Microsoft: Uses idle network bandwidth to transfer data.
Note: Transfers data in the background over HTTP 1.1; Automatic Updates relies on it.
Dependencies: Remote Procedure Call (RPC) and Workstation
Suggestion: Disabled
ClipBook
Microsoft: Enables ClipBook Viewer to store information and share it with remote computers. If this service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Shares ClipBook contents with other computers; of no use on a home computer.
Dependencies: Network DDE
Suggestion: Disabled
COM+ Event System
Microsoft: Supports the System Event Notification Service (SENS), which provides automatic distribution of events to subscribing COM components. If the service is stopped, SENS will stop and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Some programs use COM+ components, for example BootVis's system optimization. If it is not enabled, DCOM errors appear in Event Viewer.
Dependencies: Remote Procedure Call (RPC) and System Event Notification
Suggestion: Manual
COM+ System Application
Microsoft: Manages the configuration and tracking of COM+ components. If the service is stopped, most COM+ components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: If COM+ Event System is the car, COM+ System Application is the driver. If it is not enabled, DCOM errors appear in Event Viewer.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Manual
Computer Browser
Microsoft: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will be neither updated nor maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Generally not needed on a home computer unless it is on a LAN. On a large LAN it generates browser traffic and slows things down, so it is questionable whether it should be on at all.
Dependencies: Server and Workstation
Suggestion: Disabled
Cryptographic Services
Microsoft: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: In short, it verifies Windows Hardware Quality Labs (WHQL) driver signatures. Automatic Updates may need it.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Manual
DHCP Client
Microsoft: Manages network configuration by registering and updating IP addresses and DNS names.
Note: Needed by DSL/cable users, ICS and IPSec to obtain a dynamic IP address.
Dependencies: AFD Networking Support Environment, NetBT, SYMTDI, TCP/IP Protocol Driver, and NetBIOS over TCP/IP
Suggestion: Manual
Distributed Link Tracking Client
Microsoft: Maintains links between NTFS files within a computer or across computers in a network domain.
Note: Maintains file links between computers on a LAN.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Distributed Transaction Coordinator
Microsoft: Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above; of little use on a home computer unless Message Queuing is enabled.
Dependencies: Remote Procedure Call (RPC) and Security Accounts Manager
Suggestion: Disabled
DNS Client
Microsoft: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above; IPSec needs it.
Dependencies: TCP/IP Protocol Driver
Suggestion: Manual
Error Reporting Service
Microsoft: Allows error reporting for services and applications running in non-standard environments.
Note: Microsoft's application error reporting.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Event Log
Microsoft: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Note: Allows event messages to be shown in Event Viewer; every audit setting in this guide depends on it.
Dependencies: Windows Management Instrumentation
Suggestion: Automatic
Fast User Switching Compatibility
Microsoft: Provides management for applications in a multi-user environment.
Note: Provides the "Switch User" function on the logoff screen.
Dependencies: Terminal Services
Suggestion: Manual
Help and Support
Microsoft: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Turn it off if you do not use it.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Human Interface Device Access
Microsoft: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
IMAPI CD-Burning COM Service
Microsoft: Manages CD recording using the Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: XP's built-in drag-and-drop burning for CD-R/CD-RW drives is weaker than dedicated burning software; turning it off also makes Nero start faster.
Suggestion: Disabled
Indexing Service
Microsoft: Indexes contents and properties of files on local and remote computers; provides rapid access to files through a flexible querying language.
Note: In short, it speeds up searches, but few people search files on remote computers.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Microsoft: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Note: Can be turned off if you do not use the ICS or ICF included in XP.
Dependencies: Application Layer Gateway Service, Network Connections, Network Location Awareness (NLA), Remote Access Connection Manager
Suggestion: Disabled (only if another host firewall is in place; otherwise ICF is the one thing between the network and the listening ports discussed in section 6)
IPSEC Services
Microsoft: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Note: Helps protect data sent over the network. IPSec is a key part of virtual private network (VPN) security, letting organizations send data securely across the Internet. It may be required in some domains, but most users do not need it.
Dependencies: IPSEC driver, Remote Procedure Call (RPC), TCP/IP Protocol Driver
Suggestion: Manual
Logical Disk Manager
Microsoft: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Used by Disk Management to manage disks dynamically, for example to show free disk space, and by the Microsoft Management Console (MMC).
Dependencies: Plug and Play, Remote Procedure Call (RPC), Logical Disk Manager Administrative Service
Suggestion: Automatic
Logical Disk Manager Administrative Service
Microsoft: Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
Note: Only used by the MMC Disk Management snap-in.
Dependencies: Plug and Play, Remote Procedure Call (RPC), Logical Disk Manager
Suggestion: Manual
Messenger
Microsoft: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: The "net send" pop-up messaging function; turn it off if you do not want to be spammed with messages.
Dependencies: NetBIOS Interface, Plug and Play, Remote Procedure Call (RPC), Workstation
Suggestion: Disabled
MS Software Shadow Copy Provider
Microsoft: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above; the Windows Backup (NTBackup) program requires it.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Net Logon
Microsoft: Supports pass-through authentication of account logon events for computers in a domain.
Note: A home computer is unlikely to log on to a domain; a domain member must keep it on.
Dependencies: Workstation
Suggestion: Disabled
NetMeeting Remote Desktop Sharing
Microsoft: Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above; lets users share control of their computer with others on the LAN or the Internet. If you care about security and do not want yet another back door open, shut it down.
Suggestion: Disabled
Network Connections
Microsoft: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Note: Controls your network connections.
Dependencies: Remote Procedure Call (RPC), Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Suggestion: Manual
Network DDE
Microsoft: Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Ordinary users have no use for it.
Dependencies: Network DDE DSDM, ClipBook
Suggestion: Disabled
Network DDE DSDM
Microsoft: Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Ordinary users have no use for it.
Dependencies: Network DDE
Suggestion: Disabled
Network Location Awareness (NLA)
Microsoft: Collects and stores network configuration and location information, and notifies applications when this information changes.
Note: Can be turned off if you do not use ICF and ICS.
Dependencies: AFD Networking Support Environment, TCP/IP Protocol Driver, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Suggestion: Disabled
NT LM Security Support Provider
Microsoft: Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
Note: Turn it off if you do not use Message Queuing or the Telnet server.
Dependencies: Telnet
Suggestion: Disabled
Performance Logs and Alerts
Microsoft: Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Of no value to a home user.
Suggestion: Disabled
Plug and Play
Microsoft: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Note: As the name says, the PnP environment.
Dependencies: Logical Disk Manager, Logical Disk Manager Administrative Service, Messenger, Smart Card, Telephony, Windows Audio
Suggestion: Automatic
Portable Media Serial Number
Microsoft: Retrieves the serial number of any portable music player connected to this computer.
Note: Reads the serial number of any portable music player you connect. Of no value.
Suggestion: Disabled
Print Spooler
Microsoft: Loads files to memory for later printing.
Note: Can be turned off if there is no printer.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Protected Storage
Microsoft: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Note: Stores saved passwords on the computer for programs such as Outlook, dial-up connections, other applications and client/server programs.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Automatic
QoS RSVP
Microsoft: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Note: Commonly said to reserve 20% of bandwidth; in fact the reservation only applies while a QoS-aware program requests it. If your network card does not support 802.1p or there is no ACS server in your domain, turn it off.
Dependencies: AFD Networking Support Environment, TCP/IP Protocol Driver, Remote Procedure Call (RPC)
Suggestion: Disabled
Remote Access Auto Connection Manager
Microsoft: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Note: Some DSL/cable providers may need it to handle the login process.
Dependencies: Remote Access Connection Manager, Telephony
Suggestion: Manual
Remote Access Connection Manager
Microsoft: Creates a network connection.
Note: Used for dial-up and VPN connections.
Dependencies: Telephony, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Remote Access Auto Connection Manager
Suggestion: Manual
Remote Desktop Help Session Manager
Microsoft: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
Note: As above; Remote Assistance can be turned off if it is not used.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Remote Procedure Call (RPC)
Microsoft: Provides the endpoint mapper and other miscellaneous RPC services.
Note: Too many things depend on it; do not touch it.
Dependencies: Too many to list; check them on your own system.
Suggestion: Automatic
Remote Procedure Call (RPC) Locator
Microsoft: Manages the RPC name service database.
Note: As above; rarely used on a workstation, so you can try turning it off.
Dependencies: Workstation
Suggestion: Disabled
Remote Registry
Microsoft: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: For security reasons, turn it off unless you specifically need to edit the registry remotely.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Removable Storage
Microsoft: (no description)
Note: Unless you have a Zip drive, portable hardware such as USB devices, or a tape backup device, you can try turning it off.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Routing and Remote Access
Microsoft: Offers routing services to businesses in local area and wide area network environments.
Note: As above; provides dial-in access to the LAN or VPN service, which most users do not need.
Dependencies: Remote Procedure Call (RPC), NetBIOSGroup
Suggestion: Disabled
Secondary Logon
Microsoft: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Lets you run a program as a different user ("Run as" / runas), for example administrative tools from an ordinary user account.
Suggestion: Automatic
Security Accounts Manager
Microsoft: Stores security information for local user accounts.
Note: Applies the policies used to manage accounts and groups.
Dependencies: Remote Procedure Call (RPC), Distributed Transaction Coordinator
Suggestion: Automatic
Server
Microsoft: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: In short, file and printer sharing. Unless you share with other computers, turn it off.
Dependencies: Computer Browser
Suggestion: Disabled
Shell Hardware Detection
Microsoft: Provides notifications for AutoPlay hardware events.
Note: Generally used with memory cards, CD drives or DVD drives.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Automatic
Smart Card
Microsoft: Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Can be turned off if you do not use a smart card.
Dependencies: Plug and Play
Suggestion: Disabled
Smart Card Helper
Microsoft: Enables support for legacy non-plug-and-play smart card readers used by this computer. If this service is stopped, this computer will not support legacy readers. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Can be turned off if you do not use a smart card.
Suggestion: Disabled
SSDP Discovery Service
Microsoft: Enables discovery of UPnP devices on your home network.
Note: As above. Universal Plug and Play (UPnP) lets the computer find and use devices on the network over TCP/IP, such as scanners, digital cameras or printers. Unless you need UPnP, turn it off on security grounds.
Dependencies: Universal Plug and Play Device Host
Suggestion: Disabled
System Event Notification
Microsoft: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Note: As above.
Dependencies: COM+ Event System
Suggestion: Automatic
System Restore Service
Microsoft: Performs system restore functions. To stop the service, turn off System Restore from the System Restore tab in My Computer → Properties.
Note: Returns the computer to an earlier state; turn it off if you do not use it.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Task Scheduler
Microsoft: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Schedules automated jobs such as periodic disk scans, scheduled virus scans, updates, etc.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Automatic
TCP/IP NetBIOS Helper
Microsoft: Enables support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Note: Can be turned off if your network does not use NetBIOS or WINS.
Dependencies: AFD Networking Support Environment, NetBT
Suggestion: Disabled
Telephony
Microsoft: Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Note: Used by ordinary dial-up modems and some DSL/cable connections.
Dependencies: Plug and Play, Remote Procedure Call (RPC), Remote Access Connection Manager, Remote Access Auto Connection Manager
Suggestion: Manual
Telnet
Microsoft: Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Lets remote users log on to this computer with Telnet. Many people wrongly assume that BBS access stops working once it is turned off; it has nothing to do with BBS clients. For security reasons, turn it off unless there is a specific need: the Telnet server sends credentials in clear text.
Dependencies: NT LM Security Support Provider, Remote Procedure Call (RPC), TCP/IP Protocol Driver
Suggestion: Disabled
Terminal Services
Microsoft: Allows multiple users to be connected interactively to a machine, as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Note: Turn it off if you do not need Remote Desktop or Remote Assistance. On a server that is administered over Remote Desktop it must stay on.
Dependencies: Remote Procedure Call (RPC), Fast User Switching Compatibility, InteractiveLogon
Suggestion: Disabled
Themes
Microsoft: Provides user experience theme management.
Note: Many people use themes, but if nobody does, it can be turned off.
Suggestion: Automatic
Uninterruptible Power Supply
Microsoft: Manages an uninterruptible power supply (UPS) connected to the computer.
Note: Does an ordinary user have a UPS? Unless you have one, turn it off.
Suggestion: Disabled
Universal Plug and Play Device Host
Microsoft: Provides support to host Universal Plug and Play devices.
Note: Detects and installs Universal Plug and Play (UPnP) devices such as digital cameras or printers.
Dependencies: SSDP Discovery Service
Suggestion: Disabled
Volume Shadow Copy
Microsoft: Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above; the Windows Backup (NTBackup) program requires it.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
WebClient
Microsoft: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Uses WebDAV to upload files or folders to web servers; for security reasons you can try turning it off.
Dependencies: WebDAV Client Redirector
Suggestion: Disabled
Windows Audio
Microsoft: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Can be turned off if you have no sound card.
Dependencies: Plug and Play, Remote Procedure Call (RPC)
Suggestion: Automatic
Windows Image Acquisition (WIA)
Microsoft: Provides image acquisition services for scanners and cameras.
Note: If your scanner or digital camera supports WIA, you can view its images directly without another driver; users without a scanner or camera can turn it off.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Windows Installer
Microsoft: Installs, repairs and removes software according to instructions contained in .MSI files.
Note: A system service that helps users install, configure, track, upgrade and remove software correctly. It manages a standard format for application setup and installation and tracks components such as file groups, registry entries and shortcuts.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Manual
Windows Management Instrumentation (WMI)
Microsoft: Provides a common interface and object model to access management information about the operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: As above; it provides a standard infrastructure for monitoring and managing system resources. Do not touch it.
Dependencies: Event Log, Remote Procedure Call (RPC)
Suggestion: Automatic
Windows Management Instrumentation Driver Extensions
Microsoft: Provides systems management information to and from drivers.
Note: An extension of WMI that supplies driver information.
Suggestion: Manual
Windows Time
Microsoft: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Keep it if you synchronize the clock over the network; otherwise turn it off. Bear in mind that an accurate clock is what makes the logs discussed in this guide comparable across machines, and a domain member needs it for authentication.
Suggestion: Disabled
Wireless Zero Configuration
Microsoft: Provides automatic configuration for 802.11 adapters.
Note: Automatically configures wireless network devices; you only need it if you use a wireless network adapter.
Dependencies: NDIS Usermode I/O Protocol, Remote Procedure Call (RPC)
Suggestion: Disabled
WMI Performance Adapter
Microsoft: Provides performance library information from WMI HiPerf providers.
Note: As above.
Dependencies: Remote Procedure Call (RPC)
Suggestion: Disabled
Workstation
Microsoft: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Note: Essential parts of network connectivity depend on it.
Dependencies: Alerter, Background Intelligent Transfer Service, Computer Browser, Messenger, Net Logon, Remote Procedure Call (RPC) Locator
Suggestion: Automatic
A second, gentler set of recommendations follows, which leaves most of these services at Manual rather than Disabled. Keep in mind that a service set to Manual can still be started on demand by any process with the right to do so, so for network-facing services Disabled is the stronger choice.
"ClipBook Server": This service lets other users on your network see your ClipBook pages. It is strongly recommended to set it to manual start and use other programs to publish information on your network.
"Messenger": Sends and receives network messages. If you have turned off Alerter, you can safely set this to manual start.
"Print Spooler": If no printer is configured, set it to manual start or simply turn it off.
"Error Reporting Service": Provides error reporting for services and applications running in non-standard environments. Set it to manual start.
"Fast User Switching Compatibility": Set it to manual start.
"Automatic Updates": Discussed above; it can be set to manual start here.
"Net Logon": Handles network security functions such as logon registration. It can be set to manual start.
"Network DDE and Network DDE DSDM" (Dynamic Data Exchange): Unless you intend to share Office data across the network, set them to manual start. Note: this is different from the ordinary business use of Office (you will know if you need DDE).
"NT LM Security Support Provider": Provides security for network applications. Set it to manual start.
"Remote Desktop Help Session Manager": Set it to manual start.
"Remote Registry": Lets remote users modify registry settings on this computer. Set it to manual start.
"Task Scheduler": Lets users configure and schedule automatic tasks on this computer, such as weekly defragmentation. Unless you are too lazy even to turn on the computer, set it to manual start.
"Uninterruptible Power Supply": Manages your UPS. If you do not have one, set it to manual start or simply turn it off.
"Windows Image Acquisition (WIA)": Provides image acquisition for scanners and cameras. If you do not have these devices, set it to manual start or simply turn it off.
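Applying a list this long by hand in services.msc invites mistakes, and the list says nothing about undoing a change. The following PowerShell script is added here as a worked example; it is not from the original page. It applies a subset of the recommendations above as a baseline: it records each service's previous start mode to a CSV for rollback, refuses to disable a service that a running service still depends on, never touches the services the page says must stay on (RPC, WMI, Event Log), and honours -WhatIf. The short service names in the table are the Windows XP / Server 2003 names and are assumptions to verify with Get-Service on the target; the selection of services is illustrative, not a complete transcription of the list.

```powershell
# Added example (not from the original page): apply a service startup baseline
# with a pre-flight dependency check and a rollback record.
# Service short names below are the XP / Server 2003 names and are assumptions;
# verify them on the target with Get-Service before use.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$RollbackFile = "$env:SystemDrive\svc-baseline-rollback.csv"
)

# Name -> desired StartupType. Disabled for the network-facing and remote-control
# services the page recommends closing, Manual for the ones it leaves at Manual.
$Baseline = @{
    'Alerter'        = 'Disabled'   # Alerter
    'Messenger'      = 'Disabled'   # Messenger (net send), not Windows Messenger
    'ClipSrv'        = 'Disabled'   # ClipBook
    'Browser'        = 'Disabled'   # Computer Browser
    'mnmsrvc'        = 'Disabled'   # NetMeeting Remote Desktop Sharing
    'RemoteRegistry' = 'Disabled'   # Remote Registry
    'TlntSvr'        = 'Disabled'   # Telnet
    'SSDPSRV'        = 'Disabled'   # SSDP Discovery Service
    'upnphost'       = 'Disabled'   # Universal Plug and Play Device Host
    'WebClient'      = 'Disabled'   # WebClient (WebDAV)
    'RemoteAccess'   = 'Disabled'   # Routing and Remote Access
    'NetDDE'         = 'Disabled'   # Network DDE
    'NetDDEdsdm'     = 'Disabled'   # Network DDE DSDM
    'RpcLocator'     = 'Disabled'   # RPC Locator
    'AppMgmt'        = 'Manual'     # Application Management
    'MSIServer'      = 'Manual'     # Windows Installer
    'Dhcp'           = 'Manual'     # DHCP Client
    'Dnscache'       = 'Manual'     # DNS Client
}

# Never touch these; the page itself says RPC, WMI and Event Log must stay on.
$NeverTouch = 'RpcSs', 'winmgmt', 'Eventlog', 'PlugPlay', 'SamSs'

$rollback = foreach ($name in $Baseline.Keys) {
    if ($NeverTouch -contains $name) { continue }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Verbose "$name not present on this host, skipping"; continue }

    # Pre-flight: refuse to disable a service that something running still needs.
    $running = $svc.DependentServices | Where-Object Status -eq 'Running'
    if ($Baseline[$name] -eq 'Disabled' -and $running) {
        Write-Warning ("{0}: running dependents ({1}); left unchanged" -f $name, ($running.Name -join ', '))
        continue
    }

    # Record the old start mode (Auto / Manual / Disabled) so the change can be undone.
    $old = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    [pscustomobject]@{ Name = $name; OldStartMode = $old; NewStartMode = $Baseline[$name] }

    if ($PSCmdlet.ShouldProcess($name, "set StartupType=$($Baseline[$name])")) {
        Set-Service -Name $name -StartupType $Baseline[$name]
        if ($Baseline[$name] -eq 'Disabled' -and $svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force
        }
    }
}

$rollback | Export-Csv -Path $RollbackFile -NoTypeInformation
Write-Host "Rollback record written to $RollbackFile"

# Verify the result against the baseline.
Get-Service -Name $Baseline.Keys -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize
```

Run it once with -WhatIf to see what would change. Because a hashtable enumerates in no particular order, a service may be skipped on the first pass because a dependent that is itself on the list (ClipBook on Network DDE, for instance) is still running; a second run picks it up. To undo, read the CSV back and call Set-Service with each OldStartMode.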
5. After installing a server, first run a vulnerability scanner against the machine itself, then open or close ports as needed. Install Service Pack 4 or later on Windows 2000 and Service Pack 2 on Windows XP.
The recommended scanner is X-Scan.
Running Start → Run → Windows Update regularly is a good habit.
6. Closing unused ports on Windows 2000
Every service listens on a corresponding port. For example, the well-known WWW service uses port 80, SMTP uses 25 and FTP uses 21, and a default Windows 2000 installation enables all of them. An individual user has no need for them. Closing a port means shutting down the service that listens on it.
Configure this in Control Panel → Administrative Tools → Services.
1. Close ports 7, 9 and the like: stop the Simple TCP/IP Services, which provides Echo (7), Discard (9), Daytime (13), Quote of the Day (17) and Character Generator (19).
2. Close port 80: stop the WWW service, shown in Services as "World Wide Web Publishing Service", which provides web connectivity and administration through the Internet Information Services snap-in.
3. Close port 25: stop the Simple Mail Transport Protocol (SMTP) service, which relays e-mail across the network.
4. Close port 21: stop the FTP Publishing Service, which provides FTP connectivity and administration through the Internet Information Services snap-in.
5. Close port 23: stop the Telnet service, which lets remote users log on to the system and run console programs from the command line.
6. Another very important one is the Server service, which provides RPC support, file and print sharing and named-pipe sharing. Stopping it also removes the Windows 2000 default shares such as ipc$, c$ and admin$. It does not affect ordinary local use of the machine, though it does break file sharing and remote administration through the admin$ share.
7. Then there is port 139, the NetBIOS session port used for file and print sharing. Note that a UNIX machine running Samba also listens on 139 with the same function; older versions of the Fluxay (流光) 2000 scanner were not very accurate at fingerprinting hosts and assumed that an open 139 meant an NT machine. Newer versions are fine.
To stop listening on port 139: open Network and Dial-up Connections → Local Area Connection → Properties → Internet Protocol (TCP/IP) → Advanced TCP/IP Settings → WINS tab, and select "Disable NetBIOS over TCP/IP". Port 139 is then closed. Note that on Windows 2000 SMB also listens on port 445 (direct-hosted SMB), which this setting does not affect; only stopping the Server service closes that.
Individual users should set such services to "Disabled" in each service's Properties so that the service cannot be restarted and the port reopened.
7. The security configuration of Win2000 Server. The carefully configured Win2000 server can defend against more than 90% of intrusions and infiltrations. However, as I mentioned at the end of the previous chapter: system security is a continuous process. With the emergence of new vulnerabilities and changes in server applications, the security status of the system is constantly changing. At the same time, since offense and defense are a unity of contradictions, Daoxiao Daoxiao Daoxiao is also constantly changing. Therefore, no matter how skilled the system administrator is, he cannot guarantee that a server that is providing services will never be invaded for a long time.
Therefore, a secure configuration server is not the end of the security work, but on the contrary, it is the beginning of a long and boring security work. In this article, we will briefly discuss the preliminary techniques for Win2000 server intrusion detection, hoping to help you maintain the security of the server for a long time.
The intrusion detection mentioned in this article refers to detection using the functions of Win2000 Server and software/scripts written by the system administrator themselves. The skills of using firewalls or intrusion monitoring systems (IDS) are not within the scope of this article.
Now assume: we have a Win2000 Server server and have undergone preliminary security configuration (for details of security configuration, please refer to the Win2000 Server Security Configuration Introduction <I>), in which case most intruders will be turned away. (Haha, my administrator can go home and sleep) Slowly, I'm talking about most, not all, although the server with preliminary security configuration can defend against most Script kids (script family - people who only know how to invade the server with programs written by others), if they meet a real master, they are still vulnerable. Although real experts will not enter other people's servers casually, it is difficult to ensure that a few evil masters with misconduct have fallen in love with your server. (Am I really that bad?) Moreover, there is often a period of vacuum between the discovery of vulnerabilities and the release of patches. Anyone who knows the vulnerability information can take advantage of the situation. At this time, intrusion detection technology becomes very important.
Intrusion detection is mainly carried out according to the application. If the corresponding services are provided, there should be a corresponding detection and analysis system for protection. For general hosts, the following aspects should be paid attention to:
1. Detection based on port 80 intrusion
WWW service is probably one of the most common services, and since this service faces a large number of users, the service traffic and complexity are very high, the vulnerabilities and intrusion techniques are also the most. For NT, IIS has always been a headache for system administrators (I wish I could turn off port 80), but fortunately, the logging function that comes with IIS can be a powerful helper for intrusion detection to some extent. The log files that come with IIS are stored in the System32/LogFiles directory by default. They are usually scrolled 24 hours a day. They can be configured in the IIS manager in detail. (I don’t care about you if you match it in detail, but if you don’t record it in detail, don’t cry if you can’t find the intruder’s IP)
Now let's assume (why are you always assuming, are you annoying?) Don't worry, I can't really hack a host to write this article, so I have to assume that we suppose that a WEB server has opened the WWW service. You are the system administrator of this server. You have carefully configured IIS, use the W3C extended log format, and at least recorded time (Time), client IP (Client IP), method (Method), URI resource (URI Stem), URI Query (URI Query), and protocol status (Protocol Status). We use the recently popular Unicode vulnerabilities to analyze: Open the IE window and enter in the address bar: 127.0.0.1/scripts/..%c1% 1c../winnt/system32/?/c+dir By default, you can see the directory list (what? You have done security configuration, can't you see? Restore the default installation, we need to do an experiment), let's see what the IIS log records, open (Ex represents the W3C extension format, and the next string of numbers represents the log recording date): 07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\ /c+dir 200 The above line of logs indicates that at 07:42:58 GMT (that is, 23:42:58 Beijing time), a guy (invader) used a Unicode vulnerability from the 127.0.0.1 IP on your machine (%c1%1c is decoded to "\", and the actual situation will be slightly different due to different versions of the Windows language), and the parameter is /c dir, the run result is successful (HTTP 200 means correct return). (Wow, the records are so complete, I won’t dare to play Unicode randomly in the future)
In most cases, the IIS log faithfully records any requests it receives (there are special attacks not recorded by IIS, which we will discuss later), so a good system administrator should be good at using this to discover attempts to intrude and thus protect his system. However, IIS's logs are often tens of megabytes, websites with large traffic or even tens of G, and manual inspection is almost impossible. The only option is to use log analysis software. It is very simple to write a log analysis software in any language (actually a text filter). However, considering some actual situations (such as the administrator cannot write programs, or the log analysis software cannot be found on the server for a while), I can tell you a simple method. For example, if you want to know if anyone is trying to get your file from port 80, you can use the following CMD command: find "" /i command uses the NT's own tool (so you are not afraid of being unable to find it in an emergency), and you can easily find the string you want to filter from the text file. "" is the string that needs to be queried, the text file to be filtered, and /i means ignoring upper and lower case. Because I have no intention of writing this article into Microsoft's Help document, please check the Win2000 help file for other parameters of this command and its enhanced version.
Whether it is based on log analysis software or Find commands, you can create a list of sensitive strings, including existing IIS vulnerabilities (such as "+.htr") and resources that may be called for in the future vulnerabilities (such as or) by filtering this constantly updated string table, you will definitely understand the actions of the intruder as soon as possible.
It should be noted that using any log analysis software will occupy a certain system resource. Therefore, for low-priority tasks such as IIS log analysis, it is more appropriate to automatically execute them when they are idle at night. If you write another script to send the filtered suspicious text to the system administrator, it will be even more perfect. At the same time, if the sensitive string table is large and the filtering strategy is complicated, I suggest that it is more cost-effective to write a dedicated program in C.
2. Detection based on security log
Through intrusion monitoring based on IIS logs, we can know the whereabouts of the snoopers in advance (if you handle it improperly, the snoopers will become intruders at any time), but IIS logs are not omnipotent. In some cases, it cannot even record intrusions from port 80. According to my analysis of the IIS log system, IIS will only write to the log after a request is completed. In other words, if a request fails in the middle, there will be no trace in the log file (the mid-way failure here does not mean that HTTP400 errors occur, but that HTTP requests are not completed from the TCP layer, such as an exception interruption when a large amount of data is interrupted). For intruders, it is possible to bypass the log system to complete a large number of activities.
Moreover, for non-80 Only hosts, intruders can also enter the server from other services, so it is very necessary to establish a complete security monitoring system.
Win2000 comes with a very powerful security logging system, and there are very detailed records from user login to privileged use. Unfortunately, security audit is turned off under the default installation, so that some hosts cannot track down the intruders after being hacked. Therefore, the first step we need to do is to open the necessary audit in the management tool - local security policy - local policy - audit policy. Generally speaking, login events and account management are the events we care about the most. It is very necessary to open the successful and failed audits at the same time. For other audits, failure audits should also be opened, so that the intruders can struggle step by step, and if they are not careful, they will be exposed. Just turning on security audits does not completely solve the problem. Without a good configuration of the size and coverage of the security log, a sophisticated intruder can cover his real whereabouts through flood-like forged intrusion requests. Typically, specifying the size of the security log as 50MB and allowing only overwriting of logs from 7 days ago can avoid the occurrence of the above situation.
Setting up a security log but not checking is almost as bad as not setting up a security log (the only advantage is that you can track down the intruders after being hacked). Therefore, it is also very important to develop a security log inspection mechanism. As a security log, the recommended inspection time is every morning. This is because intruders like to act at night (it's fast, otherwise you can't connect when you're halfway through the intrusion, and you can't cry). The first thing you do in the morning is to check if there are any abnormalities in the log, and then you can feel at ease to do other things. If you like, you can also write a script to send the security log to you every day (don't believe this too much. If any expert changes your script, send "Safe and nothing" every day...)
In addition to security logs, system logs and application logs are also very good auxiliary monitoring tools. Generally speaking, intruders not only leave traces in the security logs (if he obtains Admin permission, he will definitely clear the traces), but also leave clues in the system and application logs. As a system administrator, you must have an attitude of not letting go of any abnormalities, so it will be difficult for intruders to hide their whereabouts.
3. File access log and key file protection
In addition to the system's default security audit, for key files, we also need to add file access logs to record access to them.
There are many options for file access: access, modification, execution, new creation, property change... Generally speaking, focusing on access and modification can play a great role in monitoring.
For example, if we monitor the modification, creation of system directories, and even access to some important files (for example, the system32 directory), it will be difficult for intruders to place the backdoor without attracting our attention. It should be noted that there should be too many key files and projects to monitor, otherwise it will not only increase the system burden, but also disrupt the daily log monitoring work.
(Which system administrator has the patience to read four or five thousand garbage logs every day?)
Key files not only refer to system files, but also include any files that may pose a hazard to the system administrator/other users, such as system administrator configuration, desktop files, etc. These may be used to steal system administrator information/passwords.
4. Process monitoring
Process monitoring technology is another powerful weapon to track * backdoors. More than 90% of *s and backdoors exist in the form of processes (there are also *s that exist in other forms, see "Revealing the Mystery of *s III". As a system administrator, it is one of the responsibilities to understand each process running on the server (otherwise, don't say it is safe, and there is no way to even optimize the system). It is very necessary to make a list of processes running on each server, which can help administrators discover intrusion processes at a glance. Exceptional user processes or abnormal resource occupations may be illegal processes. In addition to processes, DLL is also a dangerous thing. For example, after rewriting the * that was originally exe type into a dll, it is more confusing to run with rundll32.
5. Registration Check
Generally speaking, *s or backdoors will use the registry to run themselves again, so checking the registry to discover intrusion is also one of the common methods. Generally speaking, if an intruder only knows how to use popular *s, then since ordinary *s can only write a few specific key values (such as Run, Runonce, etc.), it is relatively easy to find, but for people who can write/rewrite *s by themselves, it is impossible to hide anywhere in the registry, and it is impossible to search by hand. (The registry hiding is ever-changing. For example, the FakeGina technology that is specially proposed is needed. This method of using WINNT external login DLL (Ginadll) to obtain user passwords has been quite popular recently. Once you get hit, the password of the logged-in user will be recorded. I will not introduce the specific prevention methods here.) The response method is to monitor any changes in the registry, so that the *s that rewrite the registry cannot hide. There are many software that monitors the registry, and many software that tracks down *s have such functions. A monitoring software plus regular backup of the registry is backed up. In case the registry is modified by unauthorized, the system administrator can restore it in the shortest time.
6. Port monitoring
Although *s that do not use ports have appeared, most backdoors and *s still use TCP connections. Monitoring the port status is very important for hosts that cannot block ports due to various reasons. We will not talk about the IDS system using NDIS network card advanced programming. For system administrators, understanding the open ports on their servers is even more important than monitoring the process. It is a good habit to often use netstat to view the port status of the server, but it cannot be done 24 hours a day. Moreover, NT's security log has a bad habit. They like to record machine names instead of IP (I don't know what Bill Guy thinks). If you don't have a firewall and do not have intrusion detection software, you can use scripts to log IP logs. Look at this command:
netstat -n -p tcp 10>>, This command automatically checks the connection status of TCP every 10 seconds. Based on this command, we make a file:
time /t>>
Netstat -n -p tcp 10>>
This script will automatically record the time and TCP connection status. It should be noted that if the website visits are relatively large, such operations will consume a certain amount of CPU time, and the log files will become larger and larger, so please be very cautious. (If you make a script, it will be perfect. Who will buy a firewall? :)
Once an exception port is found, special programs can be used to associate the port, executable file and process (such as inzider has such a function, which can discover the ports listened to by the server and find the files associated with the port, and inzider can be downloaded from), so that there is nowhere to hide whether it is TCP or UDP *s.
7. Log monitoring of terminal services
There is a reason for listing the log monitoring of Terminal Services separately. Terminal Service, the terminal service that comes with Microsoft Win2000 server version, is a tool based on Remote Desktop Protocol (RDP). It is very fast and stable, and can become a good remote management software. However, because this software is powerful and only protected by passwords, it is also very dangerous. Once the intruder has an administrator password, he can operate the remote server like the native machine (it does not require advanced NT command line skills, does not require writing special scripts and programs, and as long as he knows how to use the mouse, he can perform all system management operations. It is too convenient and terrible). Although many people are using terminal services for remote management, not everyone knows how to audit terminal services. Most terminal servers do not have terminal logs open. In fact, it is easy to open log audit. Open the remote control service configuration (Terminal Service Configuration) in the management tool, click "Connect", and right-click the RDP service you want to configure (such as RDP-TCP (Microsoft RDP) 5.0), select the bookmark "Permissions", click "Advanced" in the lower left corner, see the "Advanced" above? Let's join a Everyone group, which represents all users, and then review the success and failure of their "connection", "disconnection", "logout" and "login" success and failure of "login". Too much audit is not good. This audit is recorded in the security log, and can be viewed from "Management Tools"->"Log Viewer". Now I know who is logged in when, but the only drawback is that this shabby game does not record the client's IP (only Can check the IP of online users), but flashy and record the machine name. But! If someone else gives a PIG machine name, you have to be mocked by him. I don’t know what Microsoft thinks. It seems that it still cannot rely entirely on Microsoft. Let’s do it ourselves? 
Write a program and everything is done. Can you C? No? Where is VB? No? Delphi? ...What? Do you know any programming language? I don’t know, after all, the system administrator is not a programmer, don’t worry, don’t worry, I’ll find a way for you to create a bat file called, this file is used to record the IP of the loginer, and the content is as follows:
time /t >>
netstat -n -p tcp | find ":3389">>
start Explorer
Let me explain the meaning of this file:
The first line is to record the time when the user logs in. time /t means to directly return the system time (if /t is not added, the system will wait for you to enter a new time), and then we use the append symbol ">>" to record this time as the time field in the log;
The second line is to record the user's IP address. Netstat is a command used to display the current network connection status. -n means to display the IP and port instead of the domain name and protocol. -ptcp only displays the tcp protocol. Then we use the pipe symbol "|" to output the result of this command to the find command, and look for the line containing ":3389" from the output result (this is the line where the IP of the customer we want is located. If you change the port of the terminal service, this value must also be changed accordingly). Finally, we also redirect the result to the log file, so in the file, the record format is as follows:
22:40
TCP192.168.12.28:3389192.168.10.123:4903 ESTABLISHED
22:54
TCP192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED
In other words, as soon as this file is run, all IPs connected to port 3389 will be recorded. So how can this batch file be run automatically? We know that terminal service allows us to customize the starting program for the user. In the terminal service configuration, we override the user's login script settings and specify the script that needs to be opened when the user logs in. In this way, each user must execute this script after logging in. Because the default script (equivalent to the shell environment) is Explorer (explorer), I added the command to startExplorer to start Explorer on the last line. If this line of command is not added, the user will not be able to enter the desktop! Of course, if you just need to give the user a specific shell:
For example, you can also replace start Explorer with any shell. This script can also have other ways of writing. As a system administrator, you can freely use your imagination and use your own resources. For example, writing a script to send the IP of each logged-in user to your own mailbox is also a good way for important servers. Under normal circumstances, ordinary users do not have permission to check the terminal service settings, so they will not know that you have conducted IP review of the login. Just put the files and files in a relatively hidden directory. However, it should be noted that this is just a simple terminal service logging policy, and there are not many security measures and permission mechanisms. If the server has higher security requirements, it still needs to be completed through programming or purchasing intrusion monitoring software.
8. Trap technology
Early trap technology was just a disguised port service to monitor scans. With the continuous upgrading of spears and shields, the current trap service or trap host has become more and more perfect, and is more and more like a real service. It can not only intercept semi-open scans, but also disguise the service's response and record the behavior of the intruder, thereby helping to judge the identity of the intruder.
I am not very interested in trap technology. From the perspective of technicians, low-key behavior is more in line with the principle of safety; secondly, the situation where the trap host becomes a springboard for invaders is not only seen in novels, but is also common in real life. If a trap is set up and used to invade, it is really impossible to steal the chicken.
Remember CoolFire said that it can be used as an end to the introduction of trap technology: Don’t enter other people’s systems casually when you don’t understand the situation, because you can never know in advance that the system administrator is a real idiot or a genius pretending to be an idiot...
This is the initial introduction to intrusion monitoring. In actual use, the system administrator's mastery of basic knowledge is directly related to his security sensitivity. Only a system administrator who is experienced and knowledgeable and careful can find the shadow of the intruder from a few clues, prepare for the future, and kill the invasion.