Shulou(Shulou.com)06/01 Report--

Security configuration requirements

Account number

Number: 1

It is required that the content should be assigned different accounts according to different users to avoid sharing accounts among different users. Avoid

Avoid account sharing for communication between user accounts and devices.

Operation Guide 1. Refer to configuration operation

Go to Control Panel-> Administrative tools-> computer Management, and in system tools-> Local users and groups:

Set up different accounts and account groups according to the requirements of the system.

Detection method

1. Decision conditions

Combined with the requirements and the actual business situation to judge to meet the requirements, according to the requirements of the system, set not

Same account and account group

2. Detection operation

Go to Control Panel-> Administrative tools-> computer Management, and go to system tools-> Local use.

Households and groups ":

Check to set different accounts and account groups according to the requirements of the system

Number: 2

Required content

Accounts that have nothing to do with operation, maintenance and other work should be deleted.

Instructions

1. Refer to configuration operation

A) user management tools are available:

Start-run-compmgmt.msc- local users and groups-user

B) you can also use the net command:

Delete account: net user account/de1

Deactivate account: net user account/active:no

Detection method

1. Judgment condition

Combined with the requirements and the actual business situation to judge to meet the requirements, delete or lock with the operation and maintenance of the equipment

Wait for accounts that have nothing to do with work.

three

Note: unrelated accounts mainly refer to test accounts, shared accounts and long-term unused accounts (more than half a year)

No need to) wait

two。 Detection operation

Start-run-compmgmt.msc- local users and groups-user

Number: 3

Require content renaming Administrator; to disable guest (guest) account.

Instructions

1. Refer to the configuration operation

Go to Control Panel-> Administrative tools-> computer Management, and in system tools-> Local users and groups:

Administrator- > Properties-> change name

Guest account-> attributes-> disabled

Detection method 1. Decision condition

The default account Administrator name has been changed.

The Guest account has been disabled.

2. Detection operation

Go to Control Panel-> Administrative tools-> computer Management, and go to system tools-> Local use.

Households and groups ":

Default account-> Properties-> change name

Guest account-> attributes-> disabled

Password

Number: 1

Required content password length requirements: at least 8 digits

Password complexity requirements: at least three of the following four categories of characters:

Z English capital letters A, B, C,... Z

Z English small letters a, b, c,... Z

Z Arabic numerals 0, 1, 2,... nine

Z non-alphanumeric characters such as punctuation, @, #, $,%, &, *, etc.

four

Operation Guide 1. Refer to configuration operation

Go to "Control Panel-> Administrative tools-> Local Security Policy", and in "account Policy-> password Policy":

"password must meet complexity requirements" Select "started"

Detection method

1. Decision conditions

"password must meet complexity requirements" Select "started"

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and click account Policy-> password.

Strategy ":

Check to see if "password must meet complexity requirements" Select "started"

Number: 2

For devices using static password authentication technology, the lifetime of account passwords is not longer than 90%.

day.

Instructions

1. Refer to the configuration operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and in account Policy-> password Policy: set the maximum password retention period to 90 days.

Detection method

1. Decision conditions

The maximum password retention period is set to 90 days

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and click account Policy-> password.

Strategy ":

Check to see if the maximum password retention period is set to 90 days

Number: 3

Requirement content for devices that use static password authentication technology, devices should be configured so that users cannot repeat them.

Use passwords that have been used for the last 5 times (including 5 times).

Instructions

1. Refer to the configuration operation

Go to "Control Panel-> Administrative tools-> Local Security Policy", and in "account Policy-> password Policy":

Force password History set to remember 5 passwords

Detection method 1. Decision condition

Force password History set to remember 5 passwords

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and click account Policy-> password.

Strategy ":

Check to see if Force password History is set to remember 5 passwords

Number: 4

For devices that use static password authentication technology, it should be configured when the user fails to authenticate continuously.

More than 6 times (excluding 6 times), lock the account used by the user.

Operation Guide 1. Refer to the configuration operation to enter "Control Panel-> Administrative tools-> Local Security Policy", and go to "account Policy-> account".

Lockout Policy ":

Account locking threshold is set to 6 times

Set unlock threshold: 30 minutes

Detection method 1. Decision condition

Account locking threshold is set to less than or equal to 6 times

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and click account Policy-> account.

Lockout Policy ":

Check to see if the account locking threshold is set to less than or equal to 6 times

Supplementary note:

Improper setting may lead to account locking in a large area, which should be set carefully in the domain environment.

The Administrator account itself will not be locked.

Authorization

Number: 1

six

Forced shutdown of content local and remote systems is required to be assigned only to the Administrators group.

Operation Guide 1. Refer to configuration operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and go to Local Policy-> use

Household right assignment ":

Shut down system is set to assign to Administrators group only

Force shutdown from remote system is set to assign to Administrators group only

Detection method 1. Decision condition

Shut down system is set to assign to Administrators group only

Force shutdown from remote system is set to assign to Administrtors group only

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and go to Local Policy-> use

Household right assignment ":

Check that "shut down system" is set to "assign to Administrators group only"

Check to see if Force shutdown from remote system is set to "only assigned to

Administrators group "

Number: 2

Requires that content take ownership of a file or other object in the local security settings only to the

Administrators .

Operation Guide 1. Refer to configuration operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and go to Local Policy-> use

Household right assignment ":

Take ownership of a file or other object is set to assign only to

Administrators group "

Detection method 1. Decision condition

Take ownership of a file or other object is set to assign only to

Administrators group "

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and go to Local Policy-> use

seven

Household right assignment ":

Check to see if take ownership of a file or other object is set to assign only to

Administrators group "

Number: 3

In the local security settings, only authorized accounts are allowed to log on to this computer with local and remote access.

Instructions

1. Refer to the configuration operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and go to Local Policy-> use

Household right assignment "

"Log on this computer locally" is set to "specify authorized users"

Access this computer from the network is set to specify authorized users

Detection method 1. Decision condition

"Log on this computer locally" is set to "specify authorized users"

Access this computer from the network is set to specify authorized users

2. Detection operation

Go to Control Panel-> Administrative tools-> Local Security Policy, and go to Local Policy-> use

Household right assignment "

Check to see if "Log on this computer locally" is set to "specify authorized users"

Check to see if access to this computer from the network is set to specify authorized users

Patch

Number: 1

The content is required to install the latest Service Pack patch set without affecting the business. Yes

The server system should be tested for compatibility first.

Operation Guide 1. Refer to configuration operation

Install the latest Service Pack patch set.

For example, as of 2010, the latest version: Service Pack of Windows XP is SP3.

The Service Pack of Windows2000 is Service of SP4,Windows 2003

Pack is SP2

Detection method 1. Decision condition

2. Detection operation

Go to Control Panel-> add or remove programs-> Show update tick to see if XP is

SP3 has been installed, SP4 has been installed in Win2000 system, and SP2 has been installed in Win2003 system.

Protection software

Number: 1

Content is required to have its own firewall enabled or third-party threat protection software installed. Limit permission according to business needs

Applications that allow access to the network, and a range of IP addresses that allow remote login to the device.

Operation Guide 1. Refer to the configuration operation (take starting your own firewall as an example)

Go to "Control Panel-> Network connection-> Local connection", and in the settings of Advanced options

Enable Windows Firewall.

Configure in exceptions to allow the programs required by the business to access the network.

Edit the range of network addresses that are allowed to be accessed in exception-> Edit-> change range.

Description: it can be divided into two situations: server and operation terminal:

The server item is optional and the operator terminal item is required

Detection method 1. Decision condition

Enable Windows Firewall.

The programs in the exception that allow access to the network are required by the business.

2. Detection operation

Go to "Control Panel-> Network connection-> Local connection", and in the settings of Advanced options

Check to see if Windows Firewall is enabled.

Check to see if the exceptions are configured to allow the programs required by the business to access the network.

Check to see if you can edit the allowed access network address in "exception-> Edit-> change range"

Surround.

Antivirus software

Number: 1

Content is required to be installed with antivirus software and updated in a timely manner.

Operation Guide 1. Refer to configuration operation

nine

Install antivirus software and update it in time.

Detection method 1. Decision condition

Antivirus software has been installed, the virus code is updated no earlier than 1 month, and the virus code of each system

Upgrade time requirements refer to the relevant regulations of each system.

Note: this item is required for operating terminals and optional for servers.

2. Detection operation

Control Panel-> add or remove programs and whether antivirus software is installed. Turn on disease prevention

Virus software control panel, check the virus code update date.

Log security requirements

Number: 1

It is required that the content device should configure the log function to record the user login, including the user login.

Record the account used, whether the login is successful, the login time, and when logging in remotely, the user

The IP address used.

Instructions

1. Refer to the configuration operation

Start-> run-> execute Control Panel-> Administrative tools-> Local Security Policy-> Audit

Strategy. "

Audit login events, double-click, set to both success and failure audit.

Detection method

1. Decision conditions

Audit login events, set to audit both successes and failures.

2. Detection operation

Start-> run-> execute Control Panel-> Administrative tools-> Local Security Policy-> Audit

Strategy. "

Audit login events, double-click to see if they are set to audit both successes and failures.

Number: 2

The content is required to open the audit policy so that it can be traced after security problems arise.

Operation Guide 1. Refer to configuration operation

Check the audit policy:

Start-run-gpedit.msc

Computer configuration-Windows Settings-Security Settings-Local Policy-Audit Policy

The following audits must be opened, and others can be added as needed:

Audit system login event succeeded and failed

Audit account management succeeded and failed

Y audit login event succeeded and failed

Audit object access successful

Audit policy change succeeded and failed

Audit privilege used successfully, failed

Audit system event success, failure

2. Supplementary explanation

It may cause a sharp increase in the number of logs.

Detection method 1. Decision condition

Try to access the object to which access audit has been added, and then check the security log for

Whether there will be relevant records, or other means to intensify to configure the audit policy, and observe

If there is a record entry in the log, the configuration is successful.

2. Detection operation

Number: 3

Required content

Set log capacity and coverage rules to ensure log storage

Operation Guide 1. Refer to configuration operation

Start-run-eventvwr

Right-select the log, properties, and set it according to the actual needs:

Log file size: can be defined as needed

What to do when the upper limit is exceeded (it is recommended that the number of logging days be not less than 90 days)

2. Supplementary explanation

It is recommended to do the same for each log, while ensuring disk space

Detection method 1. Decision condition

2. Detection operation

Start-run-eventvwr, right-select log, properties, view log limit and super

How to handle it when you cross the line.

Unnecessary services, ports

Number: 1

Content is required to shut down unnecessary services

Operation Guide 1. Refer to configuration operation

Go to "Control Panel-> Management tools-> computer Management" and enter "Services and applications"

Preface ":

According to the specific application, you can refer to Appendix A to screen unnecessary services.

Detection method 1. Decision condition

The system administrator should issue a list of services necessary for the system.

View all services. Services that are not on this list need to be turned off.

2. Detection operation

Go to "Control Panel-> Management tools-> computer Management" and enter "Services and applications"

Preface ":

Check all services and see if services that are not in this list have been turned off.

Number: 2

If you need to enable the SNMP service, modify the default SNMP Community String settings.

Operation Guide 1. Refer to configuration operation

Open Control Panel, open Services in Administrative tools, and locate SNMP

Service, right-click to open the Security tab in the Properties panel, and in this configuration

In the interface, you can modify community strings, which is what Microsoft calls "group name."

Call it ".

Detection method 1. Decision condition

Community strings has been changed, not the default "public"

2. Detection operation

Open Control Panel, open Services in Administrative tools, and locate SNMP

Service, right-click to open the Security tab in the Properties panel, and in this configuration

In the interface, check out community strings, which is what Microsoft calls "group name".

Number: 3

If the content is open to the Internet, WindowsTerminial service (Remote Desktop) needs to be modified.

Default service port.

Operation Guide 1. Refer to configuration operation

Start-> run Regedt32

And go to this item:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlTerminal

ServerWinStationsRDP-Tcp

If you find the "PortNumber" subkey, you will see the default value, 00000D3D, which is 3389

The hexadecimal representation of the Use hexadecimal values to modify this port number and save the new

Value.

Detection method 1. Decision condition

Find the "PortNumber" subkey, and the setting value is not 00000D3D, that is, decimal 3389

2. Detection operation

Run Regedt32, find this item and determine.

Startup item

Request content to close invalid startup item

Operation Guide 1. Refer to configuration operation

From the start-> run-> MSconfig startup menu, cancel unnecessary startup items.

Detection method 1. Decision condition

2. Detection operation

The system administrator provides the automatic loading process and service list documents necessary for the business.

Check the start-> run-> MSconfig startup menu:

Whether the unwanted automatic loading process has been disabled and cancelled.

Turn off the autoplay function

Number: 1

Require content to turn off Windows auto-playback function

Operation Guide 1. Refer to configuration operation

Start → to run → gpedit.msc, open the Group Policy Editor, and browse to the computer configuration

→ administrative template → system, double-click "turn off autoplay" in the right pane, in the dialog box

Select all drives and make sure.

Detection method 1. Decision condition

All drives "turn off autoplay"

2. Detection operation

The "turn off autoplay" configuration is enabled, enabling range: all drives.

Shared folder

Number: 1

If the content is required to be in a non-domain environment, turn off the default sharing of Windows hard drives, such as Clipper Magi D$.

Operation Guide 1. Refer to configuration operation

Go to "start-> run-> Regedit", enter the Registry Editor, and change the registry

Key value:

HKLM\ System\ CurrentControlSet\ Services\ LanmanServer\ Parameters\

Next, add the AutoShareServer key of type REG_DWORD, with a value of 0.

Detection method 1. Decision condition

HKLM\ System\ CurrentControlSet\

Services\ LanmanServer\ Parameters\ added REG_DWORD type

AutoShareServer key with a value of 0.

2. Detection operation

Go to "start-> run-> Regedit", enter the Registry Editor, and change the registry

Key value:

HKLM\ System\ CurrentControlSet\ Services\ LanmanServer\ Parameters\

To increase the AutoShareServer key of type REG_DWORD with a value of 0

Number: 2

Content is required to set access to the shared folder, and only authorized accounts are allowed to share this article.

Folder.

Operation Guide 1. Refer to configuration operation

Go to Control Panel-> Management tools-> computer Management, and enter system tools-> Total.

Enjoy the folder ":

View the share permissions for each shared folder and grant permissions only to the specified account.

Detection method 1. Decision condition

The sharing permissions for viewing each shared folder are limited to business needs and are not set to

"everyone".

2. Detection operation

Go to Control Panel-> Management tools-> computer Management, and enter system tools-> Total.

Enjoy the folder ":

View the share permissions for each shared folder.

Using the NTFS file system

Requires the content to change the FAT partition to NTFS format without destroying the data

Operation Guide 1. Refer to configuration operation

Convert FAT volumes to NTFS partitions

CONVERT volume / FS: NTFS[ / V] [/ CvtArea:filename] [/ NoSecurity]

[/ X]

Vo l ume specifies the drive letter (followed by a colon), mount point, or volume name

/ FS:NTFS specifies the volume to be converted to NTFS

/ V specifies that CONVERT should run in verbose mode

/ CvtArea:filename specifies a continuation file in the root directory as the NTFS system text

Placeholder for a piece

fifteen

/ NoSecurity specifies the security settings for converted files and directories that everyone can access

/ X if necessary, force unmount the volume first. If there is an open handle, it is invalid.

For example:

Covert C:/FS:NTFS

Note:

1. The new online system must require NTFS partition, and the online system does not damage the data.

Application in case

2. When there is access to other non-WIN systems and data sharing, it is not recommended to set the

FAT partition changed to NTFS format

Detection method 1. Decision condition

2. Detection operation

Network access

Number: 1

Content is required to disable anonymous access to named pipes and shares

sixteen

Operation Guide 1. Refer to configuration operation

"Control Panel-> Administrative tools-> Local Security Policy", in "Local Policy-> Security selection"

Item ": network access: shares that can be accessed anonymously are set to delete all

"Control Panel-> Administrative tools-> Local Security Policy", in "Local Policy-> Security selection"

Item ": network access: named pipes that can be accessed anonymously are set to delete all

Detection method 1. Decision condition

Delete all anonymous access named pipes and shares

2. Detection operation

Check "Control Panel-> Administrative tools-> Local Security Policy" and go to "Local Policy-> Security"

Full options: network access: shares that can be accessed anonymously, named pipes that can be accessed anonymously

Whether to delete all

Number: 2

Content is required to disable remotely accessible registry paths and subpaths

Operation Guide 1. Refer to configuration operation

"Control Panel-> Administrative tools-> Local Security Policy", in "Local Policy-> Security selection"

Key ": network access: remotely accessible registry path is set to delete all

"Control Panel-> Administrative tools-> Local Security Policy", in "Local Policy-> Security selection"

Key ": network access: remotely accessible registry paths and subpaths are set to delete all

Except

Detection method 1. Decision condition

Delete all remotely accessible registry paths and subpaths

3. Detection operation

Check "Control Panel-> Administrative tools-> Local Security Policy" and go to "Local Policy-> Security"

Full options: in network access, view, remotely accessible registry path, remotely accessible

Whether the accessed registry paths and subpaths are set to delete all

Session timeout settin

Number: 1

seventeen

Required content

For remotely logged-in accounts, set the inactive connection time of 15 minutes

Operation Guide 1. Refer to configuration operation

Go to "Control Panel-Administrative tools-Local Security Policy" and click "Security Policy-Security"

Full options: Microsoft Network Server is set to required before suspending session

The free time is 15 minutes.

Detection method 1. Decision condition

The Microsoft Network Server is set to the idle time required before suspending the session

The interval is 15 minutes.

2. Detection operation

Go to "Control Panel-Administrative tools-Local Security Policy" and click "Security Policy-Security"

Full options: view the Microsoft Network Server settings

Registry Settings

Number: 1

The content is required to update the registry information without affecting the stable operation of the system.

Operation Guide 1. Refer to configuration operation

Auto login:

HKLM\ Software\ Microsoft\ WindowsNT\

CurrentVersion\ Winlogon\ AutoAdminLogon (REG_DWORD) 0

Y Source routing spoofing protection:

HKLM\ System\ CurrentControlSet\

Services\ Tcpip\ Parameters\ DisableIPSourceRouting

(REG_DWORD) 2

Delete an anonymous user null link

HKEY_LOCAL_MACHINE

SYSTEM\ Current\ Control\ Set\ Control\ Lsa

Set the value of restrictanonymous to 1. If the value does not exist, you can do it yourself.

Created with type REG_DWORD

The restart system takes effect after the modification is completed.

Y fragment × × protection:

HKLM\ System\ CurrentControlSet\

eighteen

Services\ Tcpip\ Parameters\ EnablePMTUDiscovery

(REG_DWORD) 1

Y Syn flood × × protection:

HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services

Below, you can set:

TcpMaxPortsExhausted . Recommended value: 5.

TcpMaxHalfOpen . Recommended value: 500.

TcpMaxHalfOpenRetried . Recommended value data: 400

Detection method 1. Decision condition

2. Detection operation

Click start-> run, then type regedit in the open line, and then click OK to view the phase.

Follow the list items to view

User names and user groups cannot be enumerated remotely using the empty connection scan tool

Appendix A: ports and Services

Service name Port Service description shutdown method disposal recommendation

System service part

Echo 7/TCP RFC862_ Echo Protocol

Close "Simple"

TCP/IP Services service

Business.

Recommended closure

Echo 7/UDP RFC862_ Echo Protocol

Discard 9/UDP RFC863 abrogate agreement

Discard 9/TCP RFC863 abrogate agreement

Daytime 13/UDP RFC867 daytime protocol

Daytime 13/TCP RFC867 daytime protocol

Qotd 17/TCP

RFC865 daytime agreement.

Quote

Qotd 17/UDP

RFC865 daytime agreement.

Quote

Chargen 19/TCP

RFC864 character production Association

Discussion

nineteen

Chargen 19/UDP

RFC864 character production Association

Discussion

Ftp 21/TCP File transfer Protocol (Control)

Close "FTP"

Publishing Service "

Service.

Choose according to the situation

Open up

Smtp 25/TCP simple Mail sending Protocol

Close "Simple Mail"

Transport Protocol "

Service.

Recommended closure

Nameserver

42/TCP

WINS Hostname Service

Close "Windows"

Internet Name

Service "service.

Recommended closure

42/UDP

Domain

53/UDP

Domain name server

Close "DNS Server"

Service.

Choose according to the situation

Open up

53/TCP

Choose according to the situation

Open up

Dhcps 67/UDP

DHCP server

/ Internet connection sharing

Close "Simple"

TCP/IP Services service

Business.

Recommended closure

Dhcpc 68/UDP DHCP protocol client

Close "DHCP Client"

Service.

Recommended closure

Http 80/TCP

HTTP World wide Web launch Service

Business

Close "World Wide"

Web Publishing

Service "service.

Choose according to the situation

Open up

Epmap

135/TCP

Basic services of RPC service system

Unable to close

135/UDP cannot be shut down

Netbios-ns 137/UDP NetBIOS name resolution

In the TCP/IP selection of the network card

Check the "WINS" page in the item

Disable the

NETBIOS "

Choose according to the situation

Open up

Netbios-dgm 138/UDP NetBIOS Datagram service is selected on a case-by-case basis

Open up

Netbios-ssn 139/TCP NetBIOS session service system basic service cannot be shut down

Snmp 161/UDP SNMP service shuts down the "SNMP" service

Choose according to the situation

Open up

Https 443/TCP

Secure Hypertext transfer Protocol

Close "World Wide"

Web Publishing

Service "service

Choose according to the situation

Open up

twenty

Microsoft-ds

445/UDP

SMB server

Run regedit, open

HKEY_LOCAL_MA

CHINE\ System\ Cur

RentControlSet\ Serv

Ices\ NetBT\ Parame

Ters adds a name named

"SMBDeviceEnable

Subkey of d ", type

Dword with a value of 0 to re-

Start the computer

Choose according to the situation

Open up

445/TCP

Isakmp 500/UDP

IPSec ISAKMP local

Security mechanism

Close "IPSEC Policy"

Agent "service

Seldom used clothes

Service, if not used

Ipsec, recommended off

Closed

RADIUS 1645/UDP

Old-style RADIUS

Internet authentication server

Business

Close "Remote"

Access Connection

Manager "service

Recommended closure

RADIUS 1646/UDP

Old-style RADIUS

Internet authentication server

Business

Recommended closure

Radius 1812/UDP

Authentication Internet body

Copy of verification service

Recommended closure

Radacct 1813/UDP

Accounting Internet authentication

Certificate service

Recommended closure

MSMQ-RPC 2105/TCP

MSMQ-RPC message team

Column

Close "Message"

Queuing "service.

Recommended closure

Termsrv 3389/TCP Terminal Services

Close "Terminal"

Services "service.

Choose according to the situation

Open up

Other common services

Apache

80/TCP

8000/TCP

Apache HTTP service

Apparatus

Turn off "Apache2" service

Business.

Choose according to the situation

Open up

Ms-sql-s

1433/TCP

1434/UDP

Microsoft database

Close

MSSQLServer suit

Business.

Choose according to the situation

Open up

ORACLE 1521/TCP Oracle database

Close

"OracleOraHome90

TNSListener "service.

Choose according to the situation

Open up

twenty-one

Remote

Administrator

4899/TCP

Famatech remote control company

Making software

Close "Remote"

Administrator

Service

"Service.

Choose according to the situation

Open up

Sybase 5000/TCP Sybase company database

Close "Sybase"

Open with the word "SQLServer"

The initial service.

Choose according to the situation

Open up

PcAnywhere

5631/TCP

5632/UDP

Symantec remote control company

Making software

Close "pcAnywhere"

The word Host Service

Start the service.

Choose according to the situation

Open up

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.