Chapter 1: System Information
Check the system version |
Windows Server 2008 R2 Enterprise |
Purpose |
VPN server |
Check the hostname |
|
Check network configuration |
Chapter 2: Antivirus Software Management
Operation purpose |
Protect against viruses, malware, and other harmful programs |
Inspection methods |
Check if the antivirus service is started on the system. |
Strengthening methods |
Install antivirus software; enable real-time monitoring; set appropriate monitoring levels; set a password for the antivirus software. |
Whether to implement |
|
Remarks |
Operation purpose |
Install system patches to fix vulnerabilities |
Inspection methods |
Scan using vulnerability scanning tools. |
Strengthening methods |
Use tools to automate patching. |
Whether to implement |
|
Remarks |
Operation purpose |
Reduce unnecessary system accounts to lower the risk |
Inspection methods |
Press Win+R to open Run -> compmgmt.msc (Computer Management) -> Local Users and Groups; check for unused accounts, whether the system account groups are correct, and whether the Guest account is locked |
Strengthening methods |
Delete an account: net user <username> /del
Lock an account: net user <username> /active:no |
Whether to implement |
|
Remarks |
Check the registry to prevent shadow accounts. |
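The account inspection above can be scripted so that it also lists accounts the `net user` output leaves out. This is an added example, not part of the original template; it is read-only, uses WMI so that it runs on the PowerShell 2.0 shipped with Windows Server 2008 R2, and the function name is hypothetical.

```powershell
# Added example: audit local accounts against the checklist (read-only).
function Get-LocalAccountFindings {
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($a in $accounts) {
        $notes = @()
        # The built-in Guest account always has RID 501, whatever it was renamed to.
        if ($a.SID -match '-501$' -and -not $a.Disabled) {
            $notes += 'Guest account is enabled'
        }
        # 'net user' omits names ending in $ from its listing, so flag them for review.
        if ($a.Name -match '\$$') {
            $notes += 'name ends in $ (not listed by net user)'
        }
        if (-not $a.PasswordRequired -and -not $a.Disabled) {
            $notes += 'enabled account with no password required'
        }
        New-Object PSObject -Property @{
            Name     = $a.Name
            SID      = $a.SID
            Disabled = $a.Disabled
            Findings = ($notes -join '; ')
        }
    }
}

Get-LocalAccountFindings |
    Sort-Object Name |
    Format-Table Name, Disabled, SID, Findings -AutoSize
```

Compare the names returned here with what Local Users and Groups shows; an account that appears in only one of the two views deserves a closer look.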
Operation purpose |
Enhance the complexity of passwords and lockout policies to reduce the possibility of brute-force attacks |
Inspection methods |
Press Win+R to open Run -> secpol.msc (Local Security Policy) -> Security Settings |
Strengthening methods |
1. Account Policies -> Password Policy
   Password must meet complexity requirements: Enabled
   Minimum password length: 8 characters
   Minimum password age: 0 days
   Maximum password age: 90 days
   Enforce password history: 1 password remembered
   Store passwords using reversible encryption: Disabled
2. Account Policies -> Account Lockout Policy
   Account lockout duration: 30 minutes
   Account lockout threshold: 5 invalid logon attempts
   Reset account lockout counter after: 30 minutes
3. Local Policies -> Security Options
   Interactive logon: Do not display last user name: Enabled |
Whether to implement |
|
Remarks |
Press Win+R to open Run -> gpupdate /force to apply the policy immediately |
Operation purpose |
Close unnecessary services to reduce risk |
Inspection methods |
Press Win+R to open Run -> services.msc |
Strengthening methods |
Change the following services to Manual startup:
   COM+ Event System
   DHCP Client
   Diagnostic Policy Service
   Distributed Transaction Coordinator
   DNS Client
   Distributed Link Tracking Client
   Remote Registry
   Print Spooler
   Server (can be disabled if not using file sharing)
   Shell Hardware Detection
   TCP/IP NetBIOS Helper
   Windows Update |
Whether to implement |
|
Remarks |
Disable services with caution, especially on remote computers |
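Before changing start modes, it helps to see the current state of each listed service and which running services depend on it. The following is an added example, not part of the original template; it is read-only, assumes English service display names, and treating Disabled as meeting the item is an assumption of this example.

```powershell
# Added example: report the start mode of the services named in the checklist.
$Names = @('COM+ Event System', 'DHCP Client', 'Diagnostic Policy Service',
    'Distributed Transaction Coordinator', 'DNS Client',
    'Distributed Link Tracking Client', 'Remote Registry', 'Print Spooler',
    'Server', 'Shell Hardware Detection', 'TCP/IP NetBIOS Helper', 'Windows Update')

function Get-ServiceStartModeReport([string[]]$DisplayNames) {
    $wmi = Get-WmiObject -Class Win32_Service
    foreach ($name in $DisplayNames) {
        $svc = $wmi | Where-Object { $_.DisplayName -eq $name }
        if (-not $svc) { Write-Warning "Service not found: $name"; continue }
        # Running services that depend on this one: review them before changing it.
        $deps = (Get-Service -Name $svc.Name).DependentServices |
            Where-Object { $_.Status -eq 'Running' } |
            ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            DisplayName       = $name
            StartMode         = $svc.StartMode      # Auto, Manual or Disabled
            State             = $svc.State
            # Assumption: Disabled is stricter than Manual, so it counts as met.
            MeetsChecklist    = (@('Manual', 'Disabled') -contains $svc.StartMode)
            RunningDependents = ($deps -join ', ')
        }
    }
}

Get-ServiceStartModeReport $Names |
    Format-Table DisplayName, StartMode, State, MeetsChecklist, RunningDependents -AutoSize
```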
Operation purpose |
Disable default shares |
Inspection methods |
Press Win+R to open Run -> cmd.exe -> net share to view the shares |
Strengthening methods |
Disable default shares such as C$ and D$: press Win+R to open Run -> regedit -> find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and create a new AutoShareServer value (REG_DWORD) set to 0 |
Whether to implement |
|
Remarks |
Operation purpose |
Network access restrictions |
Inspection methods |
Press Win+R to open Run -> secpol.msc -> Security Settings -> Local Policies -> Security Options |
Strengthening methods |
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Accounts: Limit local account use of blank passwords to console logon only: Enabled |
Whether to implement |
|
Remarks |
Press Win+R to open Run -> gpupdate /force to apply the policy immediately |
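The default-share and network-access items above are both stored in the registry, so they can be checked together. This is an added example, not part of the original template; the AutoShareServer path comes from the checklist, while the four value names under Control\Lsa are the registry values behind the listed security options and do not appear on the original page.

```powershell
# Added example (read-only): verify the registry values behind the two sections above.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Checks = @(
    @('HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'AutoShareServer', 0),
    @($Lsa, 'RestrictAnonymousSAM', 1),        # no anonymous enumeration of SAM accounts
    @($Lsa, 'RestrictAnonymous', 1),           # ... of SAM accounts and shares
    @($Lsa, 'EveryoneIncludesAnonymous', 0),   # Everyone does not include anonymous
    @($Lsa, 'LimitBlankPasswordUse', 1)        # blank passwords: console logon only
)

function Test-RegistrySetting($Path, $Name, $Expected) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($item) { $actual = $item.$Name }
    New-Object PSObject -Property @{
        Name     = $Name
        Expected = $Expected
        Actual   = $actual            # empty when the value does not exist
        Match    = ($actual -ne $null -and $actual -eq $Expected)
    }
}

$Checks | ForEach-Object { Test-RegistrySetting $_[0] $_[1] $_[2] } |
    Format-Table Name, Expected, Actual, Match -AutoSize

# Administrative disk shares (C$, D$, ADMIN$) that exist right now.
# Type 2147483648 is "Disk Drive Admin" in Win32_Share.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 2147483648 } |
    Select-Object Name, Path
```

If AutoShareServer is 0 but the second listing still shows C$ or D$, the Server service has not been restarted since the value was set.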
Operation purpose |
Enhance file system security |
Inspection methods |
Check if each system drive uses the NTFS file system |
Strengthening methods |
It is recommended to use the NTFS file system, conversion command: convert <drive letter>: /fs:ntfs |
Whether to implement |
|
Remarks |
Operation purpose |
Tighten the permissions granted to Everyone |
Inspection methods |
Right-click the system drive (disk) -> "Properties" -> "Security"; check whether the root directory of each system drive grants Everyone full permissions |
Strengthening methods |
Remove Everyone's permissions or cancel Everyone's write permissions |
Whether to implement |
|
Remarks |
Operation purpose |
Restrict the permissions of some commands |
Inspection methods |
Use the cacls command or Explorer to view the permissions of the following files |
Strengthening methods |
It is recommended to restrict the following commands so that only the SYSTEM and Administrators groups can access them:
   %systemroot%\system32\cmd.exe
   %systemroot%\system32\regsvr32.exe
   %systemroot%\system32\tftp.exe
   %systemroot%\system32\ftp.exe
   %systemroot%\system32\telnet.exe
   %systemroot%\system32\net.exe
   %systemroot%\system32\net1.exe
   %systemroot%\system32\cscript.exe
   %systemroot%\system32\wscript.exe
   %systemroot%\system32\regedit.exe
   %systemroot%\system32\regedt32.exe
   %systemroot%\system32\cacls.exe
   %systemroot%\system32\command.com
   %systemroot%\system32\at.exe |
Whether to implement |
|
Remarks |
May affect the normal operation of business systems |
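To see which identities other than SYSTEM and Administrators can currently access the listed commands, the ACLs can be read in one pass. This is an added example, not part of the original template; it is read-only, the function name is hypothetical, and it compares well-known SIDs rather than group names so that it also works on localized systems.

```powershell
# Added example: list Allow entries on the checklist's files for anyone
# other than Local System (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
$Files = 'cmd.exe', 'regsvr32.exe', 'tftp.exe', 'ftp.exe', 'telnet.exe', 'net.exe',
         'net1.exe', 'cscript.exe', 'wscript.exe', 'regedit.exe', 'regedt32.exe',
         'cacls.exe', 'command.com', 'at.exe'
$Allowed = 'S-1-5-18', 'S-1-5-32-544'
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-ExtraFileAccess([string[]]$Names) {
    foreach ($n in $Names) {
        $path = Join-Path $env:SystemRoot "system32\$n"
        # Some of the listed files are optional or absent on a given install.
        if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }
        $rules = (Get-Acl $path).GetAccessRules($true, $true, $SidType)
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -ne 'Allow' -or $Allowed -contains $sid) { continue }
            # Show a readable name when the SID resolves, otherwise the raw SID.
            $who = $sid
            try {
                $who = $r.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }
            New-Object PSObject -Property @{
                File = $n; Identity = $who
                Rights = $r.FileSystemRights; Inherited = $r.IsInherited
            }
        }
    }
}

Get-ExtraFileAccess $Files |
    Format-Table File, Identity, Rights, Inherited -AutoSize
```

Saving this output before and after the change gives a record to roll back to if a business application turns out to need one of these commands.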
Operation purpose |
Increase the log size limit to avoid incomplete logging due to insufficient log file capacity |
Inspection methods |
Press Win+R to open Run -> eventvwr.msc -> "Windows Logs" -> view the properties of "Application", "Security", and "System" |
Strengthening methods |
Suggested setting: Log size limit: 20480 KB |
Whether to implement |
|
Remarks |
Operation purpose |
Audit system events for troubleshooting in case of future failures |
Inspection methods |
Press Win+R to open Run -> secpol.msc -> Security Settings -> Local Policies -> Audit Policy |
Strengthening methods |
Suggested settings:
   Audit policy change: Success
   Audit logon events: Success, Failure
   Audit object access: Success
   Audit process tracking: Success, Failure
   Audit directory service access: Success, Failure
   Audit system events: Success, Failure
   Audit account logon events: Success, Failure
   Audit account management: Success, Failure |
Whether to implement |
|
Remarks |
Press Win+R to open Run -> gpupdate /force to apply the policy immediately |
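The password, lockout, last-user-name and audit settings listed in this checklist can be verified in one pass by exporting the local security policy from an elevated PowerShell prompt. This is an added example, not part of the original template; the key names are the ones secedit writes to its INF export, and the function names and temporary file name are hypothetical.

```powershell
# Added example (read-only). Expected values are the checklist's settings;
# for the Audit* keys, 1 = Success and 3 = Success + Failure.
$Expected = @{
    PasswordComplexity = '1';  MinimumPasswordLength = '8'
    MinimumPasswordAge = '0';  MaximumPasswordAge = '90'
    PasswordHistorySize = '1'; ClearTextPassword = '0'
    LockoutBadCount = '5'; LockoutDuration = '30'; ResetLockoutCount = '30'
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName' = '4,1'
    AuditPolicyChange = '1';    AuditLogonEvents = '3'; AuditObjectAccess = '1'
    AuditProcessTracking = '3'; AuditDSAccess = '3';    AuditSystemEvents = '3'
    AuditAccountLogon = '3';    AuditAccountManage = '3'
}

function ConvertFrom-SecEditInf([string[]]$Lines) {
    $policy = @{}
    foreach ($line in $Lines) {
        # "Key = Value" lines only; section headers such as [System Access] are skipped.
        if ($line -match '^\s*([^\[=]+?)\s*=\s*(.*?)\s*$') { $policy[$matches[1]] = $matches[2] }
    }
    $policy
}

function Compare-SecPolicy([hashtable]$Actual) {
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        # Lockout duration and reset keys are absent while the threshold is 0.
        $value = '(not set)'
        if ($Actual.ContainsKey($key)) { $value = $Actual[$key] }
        New-Object PSObject -Property @{
            Setting = ($key -split '\\')[-1]; Expected = $Expected[$key]
            Actual = $value; Match = ($value -eq $Expected[$key])
        }
    }
}

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
Compare-SecPolicy (ConvertFrom-SecEditInf (Get-Content $inf)) |
    Format-Table Setting, Expected, Actual, Match -AutoSize
Remove-Item $inf
```

The comparison is exact, so a setting stricter than the checklist (for example a longer minimum password length) is also reported as a mismatch and should be reviewed rather than lowered.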
Note: This template was downloaded from Baidu and I have made appropriate modifications.