Shulou(Shulou.com)06/02 Report--

This article mainly introduces the group policy and user settings of win2008 R2 WEB server settings. Friends who need it can refer to it.

Improve system security by optimizing the setting of group policy, renaming the default administrator of the system, users, creating trap accounts, and so on.

When doing the following security, you must make sure that your server software has been fully configured and can be used properly, otherwise if you install the software after the security setting, the installation may fail or other errors may occur, resulting in the failure of the environment configuration.

Password policy

The strength of the system password is directly related to the security of the system, if your password is too simple, in case your remote connection port is swept, it will be minutes to crack your password. Therefore, our system password must be set up to meet the security requirements, such as the use of uppercase and lowercase English, numbers, special symbols, length of not less than 6 digits and other measures to strengthen password security. In systems above Windows 2008, the system provides a "password policy" setting. Let's set it and enter the "local security policy" first.

Open Security Settings-account Policy-password Policy-password must meet complexity requirements, enable.

Audit strategy

The role of the audit policy is that in case a malicious user is cracking your password, logging in to your system, or modifying your system, you can detect and deal with it as soon as possible.

The default is no audit, and we have to modify it. Here is the audit policy I modified.

We can basically capture the required information, and we only need to analyze these generated logs to find out where the problem lies.

User rights assignment

Here is mainly to limit which users can log in to the server using remote connection, the default is Administrators group and Remote Desktop Users group, members of these two groups can log in to the server remotely, and we generally as WEB servers, there are not too many users, there may be only one administrator, so there is no need to specify groups, just specify users directly.

Modify system users and groups

1. Rename the default user name and user group of the system, which is divided into two steps.

⑴, rename the default administrator administrator and guest account, such as I rename administrator to wobushiad and guest to wobushiguest

Later, you will log in to the server using the modified user name wobushiad.

⑵, create a new user named administrator, who belongs to the Guests group, set a super complex password (type a string of characters in notepad, including case, numbers, and special symbols to copy into it, you do not need to remember this password yourself), and disable the account. This account is a trap account and we will not use it ourselves.

Then modify the default administrator group administrators and Guest group

Security option

Interactive login: do not display the last user name, enable

Network access: anonymous enumeration of SAM accounts and shares is not allowed, enable

Network access: do not allow storage of network authentication passwords and credentials, enable

Network access: remotely accessible registry path, emptying Baidu included batch queries

Network access: remotely accessible registry paths and subpaths, empty

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.