Windows 2000 Security Maintenance and Error Resolution Example

  

Computer security includes not only protecting the computer's local data, but also protecting the data on the network. A good operating system can identify people trying to access computer resources, prevent specific resources from being improperly accessed by users, and provide users with a simple and effective way to set up and maintain computer security.

Currently, most PC users are still using Windows. Compared with previous versions, Windows 2000, which is based on NT platform technology, has greatly improved stability and security. The following uses Windows 2000 Professional as the example and, along the way, resolves a practical problem.

First, Windows 2000 security features

1. User Accounts and Account Group Features

Ensure that only authorized users can access the computer while effectively managing each user's specific task rights and permissions, such as folder access rights. The system's built-in groups give most users all the user rights and privileges they need to perform their tasks. The management interface is "Users and Passwords" in "Control Panel".

2. Shared Folder Permissions

By assigning shared folder permissions to a folder, you can restrict or allow access to it over the network. The permissions are set through the item's properties menu. By default, when you add a shared directory in Windows 2000, the operating system automatically adds the Everyone group to the permission list. Since the default permission of this group is Full Control, the result is that anyone can read and write the shared directory. Therefore, after creating a new shared directory, immediately delete the Everyone group or reduce the group's permission to Read.

3. Features of the NTFS file system that are more secure than FAT and FAT32:

Disk quota service, which controls the amount of disk space allowed per user;

Support for setting permissions on files or folders: restrict or allow access by users or groups and specify the type of access. That is, you can limit which files each user is allowed to read and write in any folder on the disk. If you share a folder located on an NTFS drive without any special settings, the NTFS folder permissions apply to both local and network access;

NTFS also lets owners encrypt files and folders to better protect information.

Using NTFS disk partitions is recommended.

4. Printer Permissions

Restrict user access by assigning printer permissions. There are three permissions: printing documents, managing documents, and managing printers. They are set through the item's properties menu.

5. Auditing

You can use auditing to track the accounts used to access files or other objects, as well as user login attempts, system shutdowns or restarts, and other specified events. Before auditing takes place, you must use "Group Policy" to specify the types of event to audit. For example, to audit a folder, first enable "Audit object access" in "Group Policy". Next, you can set up auditing just like setting permissions: select an object (such as a file or folder) and then select the users and groups whose operations you want to audit. Finally, select the actions you want to audit, for example, attempts to open or delete a restricted folder. Both successful and failed attempts can be audited. Audit activity can be tracked by viewing the "Security" log in "Event Viewer". The audit mechanism for disk access can only be applied to the NTFS file system. Auditing should be applied to every user whose activity needs to be reviewed.

6. User Rights

User rights are rules that determine what actions a user can perform on a computer. In addition, user rights control whether the user can log in to the computer directly (locally) or through the network, add users to local groups, delete users, and so on. Each built-in group has a set of assigned user rights. Typically, administrators assign user rights by adding a user account to a built-in group, or by creating a new group and assigning specific user rights to the group. Users who are subsequently added to the group automatically get all user rights assigned to the group account. User rights are managed through "Group Policy".

7. Other Local Security Settings

Allows the security administrator to configure the security level assigned to the “Group Policy” object or local computer policy. The local security policy is the security setting used to configure the local computer. These settings include password policies, account lockout policies, audit policies, IP security policies, user rights assignments, recovery agents for encrypted data, and other security options. Because local security policies are primarily set for local users, they are only available on Windows 2000 computers that are not domain controllers.

The first four features above are commonly used and easy to set up, while security settings such as auditing and user rights are more complicated to use but are really powerful. Users can fine-tune the operating parameters of the system until they fully meet their personal needs. For example:

* To prevent malicious attacks from inside the LAN, users can obtain a record of where, and from how many machines, remote logins to an account were attempted, and can revoke an account's right to log in remotely. This is very useful.

* You can control the resources you have by policy, such as disabling access to a local floppy or optical drive from the network, regardless of whether share permissions are set on it.

* Protect your data with security policies that make it difficult or impossible for an attacker to crack it. A combination of algorithm and key is used to protect the information. Windows 2000 achieves a high level of security by using encryption-based algorithms and keys.

The security settings for Windows 2000 are primarily in the "Local Security Policy". Click "Start", point to "Programs", point to "Administrative Tools", and then click "Local Security Policy". Its settings include:

* Account Policy: Password and Account Lockout Policy

* Local Policy: Audit, User Rights, and Security Options Policy

* Public Key Policy, and IP Security Policy: Internet Protocol Security (IPSec) management. The IPSec policy is a management policy for secure communication with other computers.

It is best to make these settings under the guidance of a senior administrator.

Second, a local security policy setting error, a solution and further recommendations

1. Carelessness during the local security policy setting process can cause a lot of trouble. An example:

On a machine running Windows 2000 Professional, a user made a setting error: under "Local Policies", "User Rights Assignment", the "Deny logon locally" item was set to "Users, Guests, Everyone". The user could not log in again after logging out, and the system prompted "Cannot engage in an interactive session". Because the setting contains "Everyone", all accounts are prevented from logging in.

Solution: Windows 2000 stores the current local security settings in a file named SECURITY in the config directory under system32 in the Windows system directory; login is possible only once this file has been corrected. For simplicity, overwrite it with the system's initial configuration. Since the machine uses the FAT32 format, start it from a clean Win98 floppy disk and copy the SECURITY file from the repair subdirectory of the Windows directory into config, overwriting the faulty file. Login is then normal. The correct settings are as follows:

If the machine uses the NTFS format, it must be started with the Windows 2000 installation floppy or the installation CD. To avoid being unable to find a startup disk after a similar failure, which would make the problem hard to solve quickly, you can use the Windows 2000 Recovery Console feature.
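
A check that catches the faulty setting described above before it locks anyone out, as an added example that is not part of the original article. It assumes the policy has been exported to a security template (INF text such as `secedit /export` writes); the function names and the list of "broad" groups are this example's own choices.

```python
# Principals that cover every account, by name or well-known SID.
EVERYONE = {"everyone", "*s-1-1-0"}
# Broad built-in groups that merit a warning (list assumed for this example).
BROAD = {"users", "*s-1-5-32-545", "administrators", "*s-1-5-32-544",
         "authenticated users", "*s-1-5-11"}
# Deny rights that can lock accounts out of the machine.
DENY_RIGHTS = {"SeDenyInteractiveLogonRight": "Deny logon locally",
               "SeDenyNetworkLogonRight": "Deny access to this computer from the network"}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def find_lockout_risks(inf_text):
    """Return (severity, right, principal) for risky deny-right members."""
    findings = []
    for right, members in parse_privilege_rights(inf_text).items():
        if right not in DENY_RIGHTS:
            continue
        for member in members:
            if member.lower() in EVERYONE:
                findings.append(("critical", right, member))
            elif member.lower() in BROAD:
                findings.append(("warning", right, member))
    return findings

# Constructed sample reproducing the faulty setting (Users, Guests, Everyone).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-546,*S-1-1-0
SeDenyNetworkLogonRight = Guest
"""

if __name__ == "__main__":
    for severity, right, who in find_lockout_risks(SAMPLE_INF):
        print(f"{severity.upper()}: {DENY_RIGHTS[right]} includes {who}")
```

A "critical" finding on "Deny logon locally" corresponds to the lockout in the example above; the Guests entry alone produces no finding.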

2. Windows 2000 Recovery Console

The Windows 2000 Recovery Console is a command line console that can be launched from the Windows 2000 installer. With the Recovery Console, you can perform many tasks without booting Windows 2000 from the hard disk: start and stop services, format drives, read and write data on local drives (including drives formatted as NTFS), and perform many other management tasks. The Recovery Console is especially useful if you need to repair your system by copying a file from a floppy or CD-ROM to your hard drive, or if you need to reconfigure a service that prevents your computer from starting properly. Because the Recovery Console is very powerful, it is intended only for advanced users who are familiar with Windows 2000. In addition, you must be an administrator to use the Recovery Console.

You can run the Recovery Console from the Windows 2000 installation disks or the Windows 2000 Professional CD. As an alternative, you can install the Recovery Console on your computer so that it is available to resolve the issue if you cannot restart Windows 2000. Simply select the Windows 2000 Recovery Console option from the boot menu. After starting the Recovery Console, you must select the drive you want to log in to (if you have a dual-boot or multiboot system) and you must log in with an administrator password.

The Recovery Console provides a command line so that you can make changes to your system when Windows 2000 does not start. Once you run the Recovery Console, type "help" at the command prompt to get help with the available commands. To close the command prompt and restart your computer, type "exit".

Install the Recovery Console as a startup option so that it can be run when your computer cannot be restarted. How to install it as a boot option: Log in to Windows 2000 as an administrator or as a user with administrator privileges. Insert the Windows 2000 Professional CD into your CD-ROM drive. If prompted to upgrade to Windows 2000, click "No". At the command prompt (or in the Windows 2000 "Run" box), type the path to the appropriate Winnt32.exe file (on the Windows 2000 CD) followed by a space and the /cmdcons switch. For example:

e:\i386\winnt32.exe /cmdcons

Follow the prompts that appear.

The Recovery Console is installed in the Cmdcons folder under the root folder, along with the Cmldr file in the root folder. The boot entry for the Recovery Console is included in the Boot.ini file.

Security in Windows 2000 is undoubtedly high, but if you don't pay attention to it in everyday use, vulnerabilities still exist, such as those that originate from the user. For the average user, I suggest that "Local Security Policy" under "Administrative Tools" in the Control Panel be hidden to avoid problems caused by improper use. The local security policy settings can be started from the command line [command format: c:\winnt\system32\secpol.msc /s] when needed.
