Learning network security summary (experience)
Since most home computers today run Windows XP or Windows 2000 Pro (friends still on Windows 98 are advised to change systems; even Microsoft has given up on it, so why keep using it?), I will mainly talk about security precautions for these two operating systems.

Common ways personal computers get hacked

When it comes to staying safe online, let's first classify the problems everyone may run into. The intrusion methods we encounter roughly include the following:

(1) A password is stolen by someone else.

(2) The system is attacked by a Trojan horse.

(3) Being attacked by a malicious JavaScript program while browsing a web page.

(4) QQ is attacked or its information is leaked.

(5) Virus infection.

(6) There are loopholes (vulnerabilities) in the system that others can use to attack you.

(7) Malicious attacks by hackers.

Let's see which measures can prevent these attacks more effectively.

View local shared resources

Delete shares

Delete the ipc$ null connection

Security principles for account passwords

Close port 139

Close port 445

Close 3389

Prevention for 4899

Introduction to common ports

How to view this machine's open ports and set up port filtering

Disable services

Local policy

Local security policy

User rights assignment policy

Terminal Services configuration

Users and Group Policy

Prevent the RPC vulnerability

DIY security options in local policy

Tool introduction

Avoid attacks by viruses, malicious code and Trojans

1. View local shared resources

Run cmd and enter net share. If you see an abnormal share, close it. But if a share you turned off is back again the next time you boot, you have to consider whether your machine has been taken over by a hacker or infected by a virus.

2. Delete shares (enter one command at a time)

net share admin$ /delete

net share c$ /delete

net share d$ /delete (if you have E, F, ... you can keep deleting them the same way)

3. Delete the ipc$ null connection

Run regedit and, under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, change the data of the value named RestrictAnonymous from 0 to 1.

4. Close your own port 139, which carries the ipc$ and RPC vulnerabilities.

To close port 139, open Network and Dial-up Connections, select the Local Area Connection, open the Internet Protocol (TCP/IP) properties, go to Advanced TCP/IP Settings and then the WINS tab; one of the options there is "Disable NetBIOS over TCP/IP". Select it and port 139 is closed.

5. Prevent the RPC vulnerability

Open Administrative Tools - Services, find the Remote Procedure Call (RPC) Locator service, and on its Recovery tab set First failure, Second failure and Subsequent failures to Take No Action.

Windows XP SP2 and Windows 2000 Pro SP4 do not have this vulnerability.

6. Close port 445

Modify the registry: go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters and, in the right-hand pane, create a new value named SMBDeviceEnabled of type REG_DWORD with the data 0. That's all.
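As an added example (not code from the article), here is a small Python checker for the two registry values from steps 3 and 6. It assumes the standard locations given above, RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and SMBDeviceEnabled under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters; the evaluate() function and the SAMPLE_UNHARDENED dictionary are my own constructions, and the live read uses the standard winreg module when run on Windows.

```python
# Added example (not from the article): audit the two registry hardening
# values from steps 3 and 6. The paths are the standard Windows locations;
# evaluate() and SAMPLE_UNHARDENED are constructed for illustration.
import sys

# (subkey under HKEY_LOCAL_MACHINE, value name) -> hardened value
EXPECTED = {
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): 1,                # step 3: block ipc$ null sessions
    (r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters", "SMBDeviceEnabled"): 0,  # step 6: close port 445
}

def evaluate(actual):
    """actual maps (subkey, name) -> current value, or None when the value is absent.
    Returns (subkey, name, current, wanted) for every value that is not hardened.
    A missing value counts as not hardened: the Windows default is the open setting."""
    findings = []
    for key, wanted in EXPECTED.items():
        current = actual.get(key)
        if current != wanted:
            findings.append((key[0], key[1], current, wanted))
    return findings

def read_from_registry():
    """Read the values from the live registry (Windows only)."""
    import winreg  # standard library, only importable on Windows
    actual = {}
    for subkey, name in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                actual[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value does not exist
            actual[(subkey, name)] = None
    return actual

# Constructed sample of a machine before steps 3 and 6 were applied
SAMPLE_UNHARDENED = {
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): 0,
    # SMBDeviceEnabled absent: SMB on port 445 stays enabled
}

if __name__ == "__main__":
    actual = read_from_registry() if sys.platform == "win32" else SAMPLE_UNHARDENED
    for subkey, name, current, wanted in evaluate(actual):
        print(f"HKLM\\{subkey}\\{name}: is {current}, set REG_DWORD {wanted}")
```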

7. Close 3389

Windows XP: right-click My Computer, select Properties - Remote, and clear the Remote Assistance and Remote Desktop check boxes.

Windows 2000 Server: Start - Programs - Administrative Tools - Services; find the Terminal Services item, open its Properties, change the startup type to Manual and stop the service. (This method also applies to Windows XP.)

Attention, friends who use Windows 2000 Pro: many articles online say that on Windows 2000 Pro you can close 3389 via Start - Settings - Control Panel - Administrative Tools - Services by finding the Terminal Services item, opening its Properties, changing the startup type to Manual and stopping the service. But there is no Terminal Services item in 2000 Pro.

8. Prevention for 4899

There are many intrusion methods for 3389 and 4899 on the Internet. 4899 is actually the server port opened by a remote-control program. Because these control programs are so powerful, hackers often use them to control their "broilers" (compromised machines), and such programs are generally not detected by anti-virus software, which makes them safer for the intruder than an ordinary back door.

Unlike 3389, 4899 is not a service that comes with the system: the intruder has to install it, uploading the server part to the compromised computer and running it as a service to gain control.

So as long as your computer has basic security in place, it is difficult for a hacker to control you through 4899.

9. Disable services

If the PC has no special purpose, for security reasons open the Control Panel, go to Administrative Tools - Services, and stop the following services:

(1) Alerter [notifies selected users and computers of administrative alerts].

(2) ClipBook [enables ClipBook Viewer to store information and share it with remote computers].

(3) Distributed File System [groups scattered file shares under one logical name; once it is stopped, remote computers cannot access them].

(4) Distributed Link Tracking Server [for distributed links on the LAN].

(5) Indexing Service [provides indexing of the content and properties of files on local or remote computers, and leaks information].

(6) Messenger [delivers alerts].

(7) NetMeeting Remote Desktop Sharing [remote desktop sharing through NetMeeting].

(8) Network DDE [provides dynamic data exchange for programs running on the same computer or on different computers].

(9) Network DDE DSDM [manages shares for Dynamic Data Exchange (DDE) over the network].

(10) Remote Desktop Help Session Manager.

(11) Remote Registry [allows remote users to modify the local registry].

(12) Routing and Remote Access [provides routing services on LANs and WANs; hackers spy on the registration information of the routing service].

(13) Server [supports file, print and named-pipe sharing from this computer over the network].

(14) TCP/IP NetBIOS Helper [provides NetBIOS name resolution support for TCP/IP services and clients on the network, so that users can share files, print and log on to the network].

(15) Telnet [allows remote users to log on to this computer and run programs].

(16) Terminal Services [allows users to connect interactively to a remote computer].

(17) Windows Image Acquisition (WIA) [image services for applications and digital cameras].

If you find that the machine has started some strange service, such as r_server, you must stop it immediately, because it may well be the server part of a hacker's control program.

10. Security principles for account passwords

First, disable the Guest account, rename the built-in Administrator account (the more complicated the name the better), and then set a password, preferably a combination of 8 or more letters, digits and symbols.

If you use other accounts, it is best not to add them to the Administrators group. If you do add one to Administrators, you must also give it a secure password. As above, when you set the administrator's password, you'd better set it for safe mode too, because after my research I found that the account with the highest authority in the system is not the administrator account of a normal login: even with this account you can log in to safe mode and delete the SAM file, thus changing the system administrator's password! However, this will not happen to an administrator whose password is set for safe mode, because it is impossible to enter safe mode without knowing that administrator password. Now the password policy: users can set it according to their own habits. The following are my suggested settings.

Open Administrative Tools - Local Security Settings - Password Policy.

(1) Password must meet complexity requirements: Enabled.

(2) Minimum password length: I set it to 8.

(3) Maximum password age: I keep the default of 42 days.

(4) Minimum password age: 0 days.

(5) Enforce password history: 0 passwords remembered.

(6) Store passwords using reversible encryption: Disabled.

11. Local policy

This is very important. It can help us find out every move of people with ulterior motives, and it can also help us track down the hacker later. (Although most hackers will clear the traces they left on your computer when they leave, some are careless.)

Open Administrative Tools and find Local Security Settings - Local Policies - Audit Policy.

(1) Audit policy change: Failure.

(2) Audit logon events: Failure.

(3) Audit object access: Failure.

(4) Audit process tracking: No auditing.

(5) Audit directory service access: Failure.

(6) Audit privilege use: Failure.

(7) Audit system events: Failure.

(8) Audit account logon events: Failure.

(9) Audit account management: Failure.

Then go to Administrative Tools and open Event Viewer.

Application: right-click - Properties - set the maximum log size. I set it to 50 MB and chose not to overwrite events.

Security: right-click - Properties - set the maximum log size. I also set 50 MB and chose not to overwrite events.

System: right-click - Properties - set the maximum log size. I set it to 50 MB and chose not to overwrite events.

12. Local security policy

Open Administrative Tools and find Local Security Settings - Local Policies - Security Options.

(1) Interactive logon: Do not require CTRL+ALT+DEL: Enabled [according to personal need; I personally don't need it and just type the password to log in].

(2) Network access: Do not allow anonymous enumeration of SAM accounts: Enabled.

(3) Network access: the values listed for anonymous access: delete them.

(4) Network access: Named pipes that can be accessed anonymously: delete the listed values.

(5) Network access: Remotely accessible registry paths: delete the listed values.

(6) Network access: Remotely accessible registry paths and sub-paths: delete the listed values.

(7) Network access: Restrict anonymous access to named pipes and shares.

(8) Accounts: I have already covered these in detail.

13. User rights assignment policy

Open Administrative Tools and find Local Security Settings - Local Policies - User Rights Assignment.

(1) Access this computer from the network: by default there are 5 entries, so delete the 4 other than Admin. Of course, we will add our own ID later.

(2) Force shutdown from a remote system: delete the Admin entry too, leaving none.

(3) Deny access to this computer from the network: delete the ID.

(4) Access this computer from the network: Admin can be deleted too, if you don't use a service like 3389.

(5) Force shutdown from a remote system: delete.

14. Terminal Services configuration: open Administrative Tools - Terminal Services Configuration

(1) Once it is open, go to Connections, right-click the connection, choose Properties, and under Remote Control select "Do not allow remote control".

(2) Generally set the encryption level to High, and tick "Use standard Windows authentication".

(3) Network Adapter: set the maximum number of connections to 0.

(4) Advanced: delete the permissions listed there. [Not set by me.]

Then click Server Settings: set Active Desktop to Disabled and enable "Restrict each user to one session".

15. Users and Group Policy

Open Administrative Tools - Computer Management - Local Users and Groups - Users;

Delete the SUPPORT_388945a0 user and the like, leaving only the Administrator account, which you have renamed.

Computer Management - Local Users and Groups - Groups

Groups: we won't set up groups, there is no need.

16. DIY security options in local policy

(1) Automatically log off users when logon time expires (local), to stop a hacker from sneaking in on your password.

(2) Do not display last user name in logon screen (remote). If you have the 3389 service open, your login user name is not kept after someone else logs in. Let them guess your user name.

(3) Additional restrictions for anonymous connections.

(4) Disable the CTRL+ALT+DEL requirement for logon (unnecessary).

(5) Allow the system to be shut down without having to log on [to prevent remote shutdown/startup and forced shutdown/startup].

(6) Restrict CD-ROM access to the locally logged-on user only.

(7) Restrict floppy access to the locally logged-on user only.

(8) Cancel the shutdown reason prompt.

A. Open the Control Panel window, double-click the "Power Options" icon, and go to the "Advanced" tab in the Power Options Properties window;

B. On that page, under the "Power buttons" setting, set "When I press the power button on my computer" to "Shut down", and click "OK" to close the dialog;

C. From then on, when you need to shut down, you can simply press the power button. Of course, we can also enable the sleep function key to get fast shutdown and startup;

D. If hibernation is not enabled on the system, open Power Options in the Control Panel window and go to the Hibernate tab, where you can select the "Enable hibernation" option.

(9) Disable shutdown event tracking.

Start - Run, enter "gpedit.msc", and in the window that appears select Computer Configuration - Administrative Templates - System on the left; in the right-hand window double-click Display Shutdown Event Tracker, select Disabled in the dialog that appears, click OK, save and exit, and you will see a shutdown window like the one in Windows 2000.

17. Introduction to common ports

Transmission Control Protocol (TCP)

21 FTP

22 SSH

23 Telnet (remote login)

25 TCP SMTP

53 TCP DNS

80 HTTP

135 epmap (RPC endpoint mapper)

138 [Blaster worm]

139 SMB (NetBIOS session)

445

1025 DCE/1ff70682-0a51-30e8-076d-740be8ce98b

1026 DCE/12345778-1234-ABCD-ef00-0123456789AC

1433 TCP SQL Server

5631 TCP pcAnywhere

5632 UDP pcAnywhere

3389 Terminal Services

4444 [Blaster worm]

User Datagram Protocol (UDP)

67 [Blaster worm]

137 netbios-ns

161 SNMP agent running / default community name of the SNMP agent

Regarding UDP, only Tencent QQ opens 4000, 8000 or 8080, so we just need to let the local machine use port 4000.

18. In addition, here is how to check this machine's open ports and how to filter TCP/IP ports.

Start - Run - cmd, enter the command netstat -a, and you will see something like this (these are the open ports on my machine):

Proto Local Address Foreign Address State

TCP YF001:epmap YF001:0 LISTENING

TCP YF001:1025 YF001:0 LISTENING

TCP (user name):1035 YF001:0 LISTENING

TCP YF001:netbios-ssn YF001:0 LISTENING

UDP YF001:1129 *:*

UDP YF001:1183 *:*

UDP YF001:1396 *:*

UDP YF001:1464 *:*

UDP YF001:1466 *:*

UDP YF001:4000 *:*

UDP YF001:4002 *:*

UDP YF001:6000 *:*

UDP YF001:6001 *:*

UDP YF001:6002 *:*

UDP YF001:6003 *:*

UDP YF001:6004 *:*

UDP YF001:6005 *:*

UDP YF001:6006 *:*

UDP YF001:6007 *:*

UDP YF001:1030 *:*

UDP YF001:1048 *:*

UDP YF001:1144 *:*

UDP YF001:1226 *:*

UDP YF001:1390 *:*

UDP YF001:netbios-ns *:*

UDP YF001:netbios-dgm *:*

UDP YF001:isakmp *:*

Now let's talk about the TCP/IP filtering built into Windows.

Control Panel - Network and Dial-up Connections - Local Area Connection - Internet Protocol (TCP/IP) - Properties - Advanced - Options - TCP/IP Filtering - Properties. Then add the TCP and UDP ports you need. If you don't know the ports well, don't filter casually, otherwise some programs may stop working.
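As an added example (not code from the article), here is a Python script that reads the output of netstat -a, as shown above, and reports listeners on the ports the earlier steps tell you to close (135, 139, 445, 3389 and 4899). The service-name table is the one the Windows services file uses for netstat -a; the SAMPLE text is constructed after the listing above and is not real output from the author's machine.

```python
# Added example (not from the article): parse "netstat -a" output and flag
# listeners on the ports the article tells you to close. SERVICE_PORTS is the
# standard name table netstat -a uses; SAMPLE is constructed for illustration.
import re

# Names netstat -a prints instead of numbers (netstat -an shows the numbers)
SERVICE_PORTS = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445, "ms-term-serv": 3389}

# Ports the article singles out, with the step that closes each one
RISKY = {135: "RPC endpoint mapper (step 5)", 139: "NetBIOS session / ipc$ (step 4)",
         445: "SMB over TCP (step 6)", 3389: "Terminal Services (step 7)",
         4899: "remote-control server, not part of Windows (step 8)"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_port, state) per socket line; state is None for UDP."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        proto, _host, port, _remote, state = m.groups()
        number = int(port) if port.isdigit() else SERVICE_PORTS.get(port.lower())
        if number is not None:
            rows.append((proto, number, state))
    return rows

def risky_listeners(text):
    """Map each flagged open port to the article's explanation of it."""
    found = {}
    for proto, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing sockets are not listeners
        if port in RISKY:
            found[port] = RISKY[port]
    return found

SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    YF001:epmap            YF001:0                LISTENING
  TCP    YF001:1025             YF001:0                LISTENING
  TCP    YF001:netbios-ssn      YF001:0                LISTENING
  TCP    YF001:microsoft-ds     YF001:0                LISTENING
  TCP    YF001:3389             YF001:0                LISTENING
  TCP    YF001:4899             YF001:0                LISTENING
  UDP    YF001:netbios-ns       *:*
  UDP    YF001:4000             *:*
"""

if __name__ == "__main__":
    for port, why in sorted(risky_listeners(SAMPLE).items()):
        print(f"port {port} is open: {why}")
```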

19. About the browser

IE (or any browser based on the IE engine) has privacy problems: the index.dat file records your web activity. So I suggest switching to a browser with a different engine. Firefox, very popular now, is very good; if you want to build a personalized browser of your own, Firefox is the first choice, with powerful extension and customization features. There is also the legendarily fast Opera, with amazing speed and a gorgeous interface.

Of course, because some domestic web pages are not written in the standard HTML certified by the W3C, IE can't be dropped entirely, so I keep it. You can use Webroot Window Washer to handle IE's privacy issues.

RAMDISK uses memory to create a virtual hard disk and writes the cache files into it, which not only solves the privacy problem but also, in theory, improves browsing speed.

20. The last and most crucial trick: install security software and a firewall. (Editor: Li Lei)