As Windows XP has become popular on personal computers, more and more people have come to depend on it. Although Windows XP offers very stable and reliable security, the vulnerabilities discovered one after another still leave it at risk of attack. This article discusses how to improve the security of the Windows XP operating system and of the people using it, along with some things to pay attention to during maintenance. I hope it will be of some help to Windows XP users.
1. Installation security policy
(1) Do not install from the network
Although Microsoft supports online installation, it is absolutely unsafe. Do not connect to the network, especially the Internet, before the system is fully installed. Do not even connect all the hardware during installation. The reason is that during Windows XP setup, after you enter the password for the administrator account "Administrator", the system creates the "ADMIN$" share but does not protect it with the password you just entered. This situation continues until the computer is restarted. During this period, anyone can enter the system through "ADMIN$". In addition, as soon as installation completes, various services start running automatically, and at that point the server is full of vulnerabilities and very easy to break into from outside.
(2) Choose NTFS for the partitions
It is best for all partitions to use NTFS, because NTFS partitions are more secure. Even if other partitions use a different format (such as FAT32), at least the partition holding the system should be NTFS. In addition, applications should not be placed on the same partition as the system, so that attackers cannot exploit application vulnerabilities (such as Microsoft's IIS vulnerabilities) to leak system files or even obtain administrator permissions remotely.
(3) Selection of system version
Windows XP is available in various languages. For us, the choice is between the English version and the Simplified Chinese version. I strongly recommend using the English version if language is not an obstacle. Microsoft's products are famous for bugs and patches: there are far more bugs in the Chinese version than in the English version, and its patches usually arrive at least half a month later (that is, your machine will be unprotected for half a month after Microsoft announces a vulnerability).
(4) Customization of components
Windows XP installs some commonly used components by default, and it is precisely this default installation that is very dangerous. You should know exactly which services you need and install only those. As a security principle: the fewest services + the minimum permissions = the maximum security.
(5) Distribution of partitions and logical disks
It is recommended to create more than two partitions, one system partition and more than one application partition, so that the system partition is kept separate from the application partitions and the applications are protected. Generally speaking, attacks by viruses, or by hackers exploiting vulnerabilities, damage the system partition without damaging the application partitions.
2. Account security policy
(1) User security settings
Review the user accounts and disable those that are not needed. Renaming the default accounts is recommended.
1) Disable the Guest account. Disable the Guest account in the user list in Computer Management. To be on the safe side, also give Guest a complex password.
2) Restrict unnecessary users. Remove all duplicate user accounts, test accounts, shared accounts, and so on. Set appropriate permissions through user group policy, and check the system's users often to delete accounts that are no longer in use.
3) Create two administrator accounts. Create one user with ordinary permissions for receiving messages and handling everyday tasks, and another user with Administrator permissions that is used only when needed.
4) Rename the system Administrator account. The Windows XP Administrator account cannot be disabled, which means that others can try its password over and over again. Disguise it as an ordinary user, for example by renaming it to Guesycludex.
5) Create a trap user. Create a local user named "Administrator", give it the lowest permissions so that it cannot do anything, and set a very complex password of more than 10 characters.
6) Change the permissions on shared files from the Everyone group to authorized users. Do not give the "Everyone" group access to shared files, and this includes shared printers. "Everyone" is the default setting.
7) Do not let the system display the last logged-on username. Open the registry editor, find the registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName, and change its value to 1.
8) System account/share list. A default installation of Windows XP allows anyone to obtain the system's complete account and share lists through a null (empty) user. This was originally intended to make file sharing convenient for LAN users, but a remote user can also get your user list and use brute force to crack user passwords. You can prohibit null connections on port 139 by setting the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous to 1. The same option is available in Windows XP's Local Security Policy (on a domain server, in the domain server security and domain security policies) as RestrictAnonymous (additional restrictions for anonymous connections). This option has three values:
0: None. Rely on default permissions
The value 0 is the system default and imposes no restriction. Remote users can learn all the accounts, group information, shared directories, network transfer lists, and so on, of your machine. This setting is very dangerous for a server.
1: Do not allow enumeration of SAM accounts and shares
With the value 1, only non-NULL users are allowed to access SAM account information and share information.
2: No access without explicit anonymous permissions
The value 2 is only supported in Windows 2000. If you do not want any sharing, set it to 2. Setting it to 1 is generally recommended.
(2) Password security settings
1) Use a secure password. Pay attention to password complexity and remember to change the password frequently.
2) Turn on the password policy. Make sure a password policy is applied: enable the password complexity requirement, set the minimum password length to 8 characters, set the enforced password history to 5 passwords, and set the password expiry time to 42 days.
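An added example (not part of the original article): a Python check of the two registry values and the password policy recommended above, run over a constructed registry export and constructed `net accounts` output. It assumes that "42 days" means the maximum password age and that stricter values also pass; the function names and sample data are this example's own.

```python
import re

# Values recommended in the article; key paths are lower-cased for matching.
REG_EXPECTED = {
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
     "dontdisplaylastusername"): 1,
    (r"hkey_local_machine\system\currentcontrolset\control\lsa",
     "restrictanonymous"): 1,
}
# Assumption: "42 days" is the maximum password age; stricter settings pass.
NET_EXPECTED = {
    "Minimum password length": ("min", 8),
    "Length of password history maintained": ("min", 5),
    "Maximum password age (days)": ("max", 42),
}

def parse_reg_export(text):
    """Return {(key, value_name): int} from decoded regedit export text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        # Accept both REG_DWORD (dword:0000000a) and numeric REG_SZ ("1").
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(\d+)")$', line)
        if m and key:
            number = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            values[(key, m.group(1).lower())] = number
    return values

def parse_net_accounts(text):
    """Return {label: int or None}; 'None', 'Never', 'Unlimited' map to None."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(.+?):\s+(\S+)\s*$", line)
        if m:
            out[m.group(1).rstrip("?")] = int(m.group(2)) if m.group(2).isdigit() else None
    return out

def audit(reg_text, net_text):
    """Return a list of human-readable deviations from the recommended values."""
    findings = []
    reg = parse_reg_export(reg_text)
    for (key, name), want in REG_EXPECTED.items():
        got = reg.get((key, name))
        if got != want:
            findings.append(f"{name}: found {got}, expected {want}")
    net = parse_net_accounts(net_text)
    for label, (kind, want) in NET_EXPECTED.items():
        got = net.get(label)
        if got is None or (got < want if kind == "min" else got > want):
            findings.append(f"{label}: found {got}, expected {kind} {want}")
    return findings

# Constructed sample inputs (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''
SAMPLE_NET = """\
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
"""
```

Calling `audit(SAMPLE_REG, SAMPLE_NET)` reports the username display setting, the minimum length and the history depth as deviations. Real regedit exports are usually UTF-16 and must be decoded before being passed in.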
3. Apply security policies
(1) Install antivirus software
Antivirus software can not only remove well-known viruses, but also detect and remove a large number of Trojans and backdoor programs. Therefore, run it frequently and keep the virus database up to date.
(2) Install a firewall
A firewall monitors attacks made against the machine from outside and alerts the user so that preventive measures can be taken as early as possible.
(3) Install system patches
Download the latest patches from Microsoft's website. Regularly visiting Microsoft and security sites and downloading the latest Service Pack and vulnerability patches is the only way to ensure the long-term security of the server.
(4) Enable the power protection function
When working on files, the most worrying thing is a sudden loss of power, because it not only makes the fruits of your hard work disappear in an instant but, in serious cases, can also damage the computer. To guard against accidental power-offs and keep the computer running safely and normally, enable the power management option that asks what to do, or hibernates directly, when the power button is pressed.
To enable this power protection function, click "Start"/"Control Panel"/"Performance and Maintenance"/"Power Options" on the Windows XP desktop, select the "Advanced" tab in the settings box that appears, find the "When pressing the computer power button" setting on that tab, and select the "Hibernate" or "Ask me what to do" option. Selecting the "Shutdown" option is equivalent to not enabling the power protection function.
(5) Use the screen saver program
The words "screen saver" will make you think of the screen saver on your computer, which displays specified pictures in turn in various ways in order to protect the screen. However, the system starts the screen saver only after the computer has been idle for a preset time. What if you want to start the screen saver at any moment you choose?
Proceed as follows. In the Windows XP Start menu, click "Start"/"Search"/"File or Folder". In the search dialog box that appears, click the "All Files and Folders" type and enter "*.scr" in the file name text box. Then, in the search range drop-down list, select "Local Disk (C:)" or the drive that stores the system files, and finally click the "Search" button.
In the list of screen savers that is found, select the one you want and create a shortcut to it on the desktop. From then on, start the screen saver by double-clicking the shortcut on the desktop. If necessary, you can also add a password to the screen saver. You will then need to re-enter the username and password when resuming, which protects the computer's resources more securely.
(6) Stop unnecessary services
Running too many services is not a good thing, so turn off all unnecessary services. The more service components are installed, the more service functions users can enjoy. However, the service components that users actually use are limited. Besides occupying a lot of system resources and causing system instability, rarely used components also give hackers more ways to intrude remotely.
For this reason, block the service components that are not needed for the time being. The procedure is: in the Control Panel, find "Administrative Tools"/"Services" and open the "Services" dialog box, select the service to be blocked, right-click it, select "Properties"/"Stop" from the shortcut menu, and set "Startup type" to "Manual" or "Disabled", so that the specified service component is blocked.
4. Cybersecurity Policy
(1) Close unnecessary ports
Closing a port means reducing functionality, so you need to strike a balance between security and functionality. If the server sits behind a firewall, the risk is lower, but never assume that you can rest easy. Use a port scanner to scan the system's open ports and determine which of the services the system exposes may attract hackers. For reference, the \system32\drivers\etc\services file in the system directory contains a table of well-known ports and their services. The procedure is: open "My Network Places/Properties/Local Area Connection/Properties/Internet Protocol (TCP/IP)/Properties/Advanced/Options/TCP/IP filtering/Properties", enable "TCP/IP filtering", and add the required TCP and UDP protocols.
(2) Set up access permissions for security logs
Security logs are not protected by default; set them so that only the Administrators and system accounts have access.
(3) Use a web-based email system
Do not use client mail programs such as Outlook and Foxmail to receive email. Some emails are now very harmful; once one gets onto the machine, it may paralyze the system. Likewise, do not open attachments in emails from strangers, which often carry viruses and Trojans.
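An added example (not part of the original article): a Python sketch that names the listening ports found in `netstat -an` output using entries in the format of the services file mentioned above, and lists those outside an allow-list. Using `netstat -an` as the source of open ports is an assumption of this example, and the sample data and function names are constructed.

```python
import re

def parse_services(text):
    """Parse services-file lines ('epmap 135/tcp loc-srv #comment')
    into {(port, proto): service_name}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line)
        if m:
            table.setdefault((int(m.group(2)), m.group(3)), m.group(1))
    return table

def listening_ports(netstat_text):
    """Return sorted (port, proto) pairs for TCP sockets in LISTENING state
    and for bound UDP sockets; established connections are ignored."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                            # header or blank line
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue
        port = parts[1].rsplit(":", 1)[-1]      # local address is ip:port
        if port.isdigit():
            found.add((int(port), parts[0].lower()))
    return sorted(found)

def unexpected(netstat_text, services_text, allowed):
    """List (port, proto, name) for listeners that are not in `allowed`."""
    names = parse_services(services_text)
    return [(port, proto, names.get((port, proto), "unknown"))
            for port, proto in listening_ports(netstat_text)
            if (port, proto) not in allowed]

# Constructed sample data (not captured from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""
SAMPLE_SERVICES = """\
epmap             135/tcp    loc-srv       #DCE endpoint resolution
netbios-ns        137/udp    nbname        #NETBIOS Name Service
netbios-ssn       139/tcp    nbsession     #NETBIOS Session Service
microsoft-ds      445/tcp
microsoft-ds      445/udp
"""
ALLOWED = {(445, "tcp"), (445, "udp")}   # hypothetical list of required ports

if __name__ == "__main__":
    for port, proto, name in unexpected(SAMPLE_NETSTAT, SAMPLE_SERVICES, ALLOWED):
        print(f"{port}/{proto}\t{name}")
```

Listeners reported as "unknown" have no entry in the services table and are worth tracing to the owning service before deciding whether to filter the port or stop the service.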