Win2000 Simple Security Configuration

  

I. System Installation

Under normal circumstances, only three Internet Information Services (IIS) components need to be selected:
Internet Services Manager + World Wide Web Server + Common Files
Accessories and Utilities can be removed completely (they are usually not used). Keep Terminal Services and remove everything else!

About disk partitioning: under normal circumstances, a 10 GB C drive is more than enough. Install other application software, such as SERV-U for the FTP service, on the D drive, so that the C drive data does not need to be backed up when the system has to be completely reinstalled after a crash.

II. Hardware Driver Installation

After drivers are installed and the machine restarts, some programs are often loaded automatically at startup; you can use Super Rabbit or similar software to clean up the startup items. If drivers for other devices such as the sound card cannot be found, you don't need to install them: you don't need a sound card, so there is no point wasting time here. Likewise, if the system recognizes the graphics card by default, there is no need to install another driver.

III. Patch Installation

After installing the system, if it is not already at SP4, install Windows 2000 SP4, then go to Windows Update and install all remaining patches online. You can also download a patch collection (available from chinaz.com) and apply it directly to save time, since Microsoft's website is sometimes very slow.

IV. Copy Some Necessary Software to the D Drive

For example, place a copy of the Win2K installation directory I386 on the D drive for future use (such as when reinstalling IIS).
Create a new SOFT directory on the D drive for storing commonly used software, such as PHP, MYSQL, DUM, SERV-U, SQL SERVER, etc.

V. System Security Settings

1. User management
Delete the TsInternetUser user. Rename the Guest user, disable it, and give it a complex password!
Change the username and password of the Administrator account!

2. Do not let the system display the last logged-in user name. The specific operation is as follows:
In the registry, under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, change the REG_SZ value DontDisplayLastUserName to 1.

3. Prohibit null sessions (empty connections)
By default, any user can connect to the server through a null session, enumerate the accounts and guess passwords. There are two ways to disable null sessions.
(1) Modify the registry
Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, change the value of RestrictAnonymous to 1.
(2) Modify the local security policy of Win 2000
In Local Security Policy → Local Policies → Security Options, set RestrictAnonymous ("Additional restrictions for anonymous connections") to "Do not allow enumeration of SAM accounts and shares".

4. Enable security auditing
Go to Administrative Tools → Local Security Policy → Local Policies → Audit Policy; under normal circumstances there are 9 audit policies in total.

Recommended settings are:
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Not every audit setting needs to be turned on, for example success auditing of object access; otherwise auditing will take up too many system resources.
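
To verify items 3 and 4 on a configured server, the check below (an added example, not part of the original article) reads a security template and reports where it differs from the recommendations above, including audit settings that are broader than recommended. It assumes the template is in the INF format written by `secedit /export`; the function name, the WEAK/NOISY labels and the sample template are constructed for illustration.

```python
import configparser

# secedit encoding: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
RECOMMENDED_AUDIT = {  # values from the recommended list in item 4
    "AuditPolicyChange": 3, "AuditLogonEvents": 3, "AuditObjectAccess": 2,
    "AuditPrivilegeUse": 2, "AuditSystemEvents": 3, "AuditDSAccess": 2,
    "AuditAccountLogon": 3, "AuditAccountManage": 3,
}
RESTRICT_ANON = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"
LABEL = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

def check_template(inf_text):
    """Return findings for an exported template; an empty list means it matches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)  # option names are matched case-insensitively
    findings = []
    for key, want in RECOMMENDED_AUDIT.items():
        have = int(cp.get("Event Audit", key, fallback="0"))  # absent = none
        text = f"{key}: {LABEL.get(have, have)}, recommended {LABEL[want]}"
        if (have & want) != want:  # a recommended success/failure bit is off
            findings.append("WEAK " + text)
        elif have & ~want:  # extra bit on: more log volume than advised
            findings.append("NOISY " + text)
    # Registry values are stored as "<type>,<data>"; type 4 is REG_DWORD.
    raw = cp.get("Registry Values", RESTRICT_ANON, fallback="4,0")
    data = int(raw.split(",", 1)[1])
    if data < 1:  # item 3 sets RestrictAnonymous to 1
        findings.append(f"WEAK RestrictAnonymous: {data}, recommended 1")
    return findings

# Constructed sample template, not taken from a real server.
SAMPLE = r"""[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

if __name__ == "__main__":
    print("\n".join(check_template(SAMPLE)))
```

Files written by secedit are normally UTF-16, so read them with encoding="utf-16" before passing the text to check_template.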

5. IP security policy configuration
A ready-made policy can be downloaded and imported directly (detailed configuration methods can be found in articles online), for example http://afei.blog.chinaz.com/UploadFiles/2006-1/128918890.rar. After downloading, go to Administrative Tools → Local Security Policy, right-click IP Security Policies and select All Tasks → Import Policies. After the import, assign the newly imported IP security policy, then right-click Security Settings under Administrative Tools → Local Security Policy and select Reload.
