1. Disable IPC null sessions (empty connections)
A cracker can use the net use command to set up a null session and then break in from there. net view and nbtstat work the same way. All of these rely on null sessions, so it is enough to forbid null sessions. Open the registry and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, find the value RestrictAnonymous and set it to "1".
2. Disable the at command
A cracker often drops a * on your machine and needs the at command to schedule it to run. Open Administrative Tools - Services and disable the Task Scheduler service.
3. Close the HyperTerminal service
If it is left on, the holes are everywhere; I won't go into them here.
4. Close the SSDP Discovery Service
This service mainly exists to bring up UPnP devices on a home network, and it also opens port 5000. It can be used for a DDoS attack that drives CPU usage to 100% and crashes the computer. Realistically nobody will go to the trouble of DDoSing a personal machine, but the process is also a heavy consumer of bandwidth: it constantly sends packets to the outside world and slows down network transfers, so it is better turned off.
5. Close the Remote Registry service
Just look at the name: allow remote modification of the registry? Only if you are out of your mind.
6. Disable NetBIOS over TCP/IP
Network Neighborhood - Properties - Local Area Connection - Properties - Internet Protocol (TCP/IP) - Properties - Advanced - WINS tab - NetBIOS setting - Disable NetBIOS over TCP/IP. After this a cracker can no longer use the nbtstat command to read your NetBIOS information and your network card's MAC address.
7. Turn off DCOM
This is port 135. Besides being used for enumeration, it can also be attacked directly. To close it: type dcomcnfg in Run, select the Default Properties tab in the Component Services window that appears, and untick "Enable Distributed COM on this computer".
8. Change the permissions on shared files from the "Everyone" group to authorized users
In Windows 2000, "Everyone" means that any user who can reach your network can get at these shared resources. Never grant share permissions to the "Everyone" group. This includes printer sharing: its default permission is also "Everyone", so don't forget to change that as well.
9. Remove other unnecessary services
Decide at your own discretion according to your needs. For reference, here is the minimum set of services an HTTP/FTP server needs:
- Event Log
- License Logging Service
- Windows NTLM Security Support Provider
- Remote Procedure Call (RPC) Service
- Windows NT Server or Windows NT Workstation
- IIS Admin Service
- MSDTC
- World Wide Web Publishing Service
- Protected Storage
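Sections 2, 4 and 5 above each come down to stopping one service and making sure it does not come back at the next boot. The following PowerShell script is an added example, not part of the original article: it reports the state of those three services and, when run with -Enforce as an administrator, stops and disables them. The short service names (Schedule for Task Scheduler, RemoteRegistry, SSDPSRV for SSDP Discovery) are the real Windows service names behind the display names the article uses; that mapping is this example's own, not something the article states.

```powershell
param([switch]$Enforce)

# Added example (not from the original article): audit the services the checklist
# says to stop, and with -Enforce stop and disable them. Service names below are
# the Windows service names behind the display names the article refers to.
$ServicesToDisable = @(
    @{ Name = 'Schedule';       Why = 'Task Scheduler: what the at command needs (section 2)' },
    @{ Name = 'RemoteRegistry'; Why = 'remote modification of the registry (section 5)' },
    @{ Name = 'SSDPSRV';        Why = 'SSDP Discovery / UPnP, opens port 5000 (section 4)' }
)

function Get-ChecklistServiceState {
    param([hashtable[]]$Targets)
    foreach ($t in $Targets) {
        # Win32_Service carries both the current State and the StartMode (Auto/Manual/Disabled).
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($t.Name)'"
        if ($null -eq $svc) {
            # Not installed on this build: nothing to disable, so it passes.
            [pscustomobject]@{ Service = $t.Name; State = 'absent'; StartMode = 'n/a'; Compliant = $true; Why = $t.Why }
            continue
        }
        [pscustomobject]@{
            Service   = $t.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            # Compliant only when it is stopped now AND cannot come back at reboot.
            Compliant = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
            Why       = $t.Why
        }
    }
}

function Disable-ChecklistService {
    param([string]$Name)
    # Stop first, then change the start type so the service stays off after a restart.
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Name -StartupType Disabled
}

$report = Get-ChecklistServiceState -Targets $ServicesToDisable
$report | Format-Table Service, State, StartMode, Compliant, Why -AutoSize

if ($Enforce) {
    foreach ($row in ($report | Where-Object { -not $_.Compliant -and $_.State -ne 'absent' })) {
        Disable-ChecklistService -Name $row.Service
    }
    # Re-read so the second table shows what actually took effect.
    Get-ChecklistServiceState -Targets $ServicesToDisable | Format-Table Service, State, StartMode, Compliant -AutoSize
}
```

Run it once without -Enforce to see the current state; a service that is stopped but still set to Manual or Automatic is reported as non-compliant on purpose, since the article's point is that the at command, remote registry access and SSDP must not be available after a reboot either.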
10. Change the TTL value
A cracker can roughly guess your operating system from the TTL of a ping reply, for example:
TTL=107 (Windows NT);
TTL=108 (Windows 2000);
TTL=127 or 128 (Windows 9x);
TTL=240 or 241 (Linux);
TTL=252 (Solaris);
TTL=240 (IRIX).
You can actually change it yourself:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The value DefaultTTL (REG_DWORD, range 0-0xff, i.e. 0-255 decimal, default 128). Change it to an odd number such as 258, which will at least leave the novices puzzled for a good while, and some may give up on the intrusion altogether.
11. Account security
First of all, disable every account except your own, haha. Then rename Administrator. What I did was create another account named Administrator, but one with no permissions at all. Then I opened Notepad, typed a long string, copied it and pasted it in as the "password". Haha, go ahead and crack that! Whoever breaks it finds out it is a low-privilege account. Wouldn't that drive them mad?
12. Do not display the last logged-on user
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the value DontDisplayLastUserName to 1.
13. Delete the default shares
Someone asked me why all of his drives were shared as soon as the computer started; after he removed the shares, a restart brought them back. These are the default administrative shares that Windows 2000 creates for management. They can only be removed by editing the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
The value AutoShareServer is of type REG_DWORD; change it to 0.
14. Disable LanManager authentication
Windows NT Server Service Pack 4 and later support three different authentication methods: LanManager (LM) authentication; Windows NT (also called NTLM) authentication; and Windows NT Version 2.0 (also called NTLMv2) authentication.
By default, when a client connects to a server that supports both LM and NTLM authentication, LM authentication is tried first. It is therefore recommended to forbid LM authentication:
1. Open the registry editor;
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa;
3. Select the menu "Edit" and "Add Value";
4. Enter LMCompatibilityLevel as the value name, with value type DWORD, and click OK;
5. Double-click the newly created value and set it as appropriate for your situation:
0 - Send LM and NTLM responses;
1 - Send LM and NTLM responses;
2 - Send only the NTLM response;
3 - Send only the NTLMv2 response (Windows 2000 only);
4 - Send only the NTLMv2 response, refuse LM (Windows 2000 only);
5 - Send only the NTLMv2 response, refuse LM and NTLM (Windows 2000 only);
6. Close the registry editor;
7. Restart the machine.
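Sections 1, 10, 12, 13 and 14 all come down to a handful of registry DWORD values. The following PowerShell script is an added example, not part of the original article: it reads each of those values, reports whether it matches the article's advice, and with -Enforce (run as an administrator) writes the recommended setting. The key paths and value names are the ones the article gives (the Winlogon key is written in its standard spelling); the pass conditions are this example's reading of the advice, for instance any LMCompatibilityLevel of 2 or above counts as "no LM response". DefaultTTL is only audited, never written: the article itself gives the valid range as 0-0xff, so its suggestion of 258 lies outside it, and the script flags an out-of-range value rather than setting one.

```powershell
param([switch]$Enforce)

# Added example (not from the original article): audit, and with -Enforce apply,
# the registry values the checklist sets. Paths and value names are the article's;
# the Set values and Pass conditions are this example's reading of its advice.
$Checks = @(
    @{ Section = '1  RestrictAnonymous';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'RestrictAnonymous';       Set = 1; Pass = { param($v) $v -ge 1 } },
    @{ Section = '12 DontDisplayLastUserName'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';
       Name = 'DontDisplayLastUserName'; Set = 1; Pass = { param($v) $v -eq 1 } },
    @{ Section = '13 AutoShareServer';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name = 'AutoShareServer';         Set = 0; Pass = { param($v) $v -eq 0 } },
    # Level 2 and above never send an LM response, which is what section 14 asks for.
    @{ Section = '14 LMCompatibilityLevel';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'LMCompatibilityLevel';    Set = 2; Pass = { param($v) $v -ge 2 } }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing (the Windows default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Checklist {
    foreach ($c in $Checks) {
        $current = Get-RegistryDword -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Section = $c.Section
            Current = if ($null -eq $current) { 'not set' } else { $current }
            Wanted  = $c.Set
            # A missing value is a fail: the default for each of these is the permissive one.
            Pass    = ($null -ne $current) -and (& $c.Pass $current)
        }
    }
    # Section 10: DefaultTTL is only valid in 0-0xff. The article's suggestion of 258
    # is outside that range, so this check flags such a value instead of applying it.
    $ttl = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name 'DefaultTTL'
    [pscustomobject]@{
        Section = '10 DefaultTTL'
        Current = if ($null -eq $ttl) { 'not set (default 128)' } else { $ttl }
        Wanted  = '0-255'
        Pass    = ($null -eq $ttl) -or ($ttl -ge 0 -and $ttl -le 255)
    }
}

function Set-Checklist {
    foreach ($c in $Checks) {
        # Create the key if it does not exist, then write or overwrite the DWORD value.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Set -PropertyType DWord -Force | Out-Null
    }
}

Test-Checklist | Format-Table Section, Current, Wanted, Pass -AutoSize

if ($Enforce) {
    Set-Checklist
    # Re-read so the second table shows what was actually written.
    Test-Checklist | Format-Table Section, Current, Wanted, Pass -AutoSize
}
```

LMCompatibilityLevel and RestrictAnonymous only take effect after the restart the article calls for in step 7, so the second table shows the stored values, not yet the running behaviour.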