
Topic 3G

Windows 2003 network security


In this topic, you will examine the effects of enabling and disabling the NetBIOS protocols on a Windows 2003 machine. NetBIOS stands for Network Basic Input Output System, and is an API that allows devices on the network to be addressed regardless of the underlying protocol, such as IP or IPX. NetBIOS relies on SMB. SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports, and communication abstractions ...

TASK 3G-1 Investigating Printer Spooler Security

1. In the boot partition, create a folder named Share.
2. Right-click the folder, and choose Sharing And Security.
3. Click Share This Folder, leave the default share name as Share, and click OK.
4. From the Start Menu, choose Printers And Faxes.
5. Double-click Add Printer, and click Next.
6. Verify that Local Printer is selected. Uncheck Automatically Detect And Install My Plug And Play Printer. Click Next.
7. Verify that Use The Following Port is selected, with the default port LPT1, and click Next.
8. Select any printer from the list, and click Next.
9. Shorten the printer name to the first 4 characters of the name, and click Next.
10. Allow the printer to be shared, and click Next twice.
11. When you are prompted to print a test page, click No, click Next, and click Finish.
12. Select the printer, and choose File→Server Properties.
13. Select the Advanced tab, and note the default location of the spool folder. It is \WINDOWS\System32\Spool\PRINTERS.
14. Click OK.
15. Right-click the printer and choose Properties.
16. Select the Advanced tab, and verify that the printer is always available and that documents will be spooled to speed up printing.
17. Check Keep Printed Documents, and click OK.
18. Double-click My Network Places.
19. Double-click Computers Near Me.
20. Double-click the printer server of your partner's computer.
21. Double-click the printer name, and choose Connect.
22. Start Notepad.
23. Enter the text: this is a classified document.

24. Save the file to the desktop with the name TOP_SECRET.txt.
25. Choose File→Print, select the printer you connected to, and click Print. Your file is sent to the print server.
26. Carry this out on the screen.
27. When the error message is displayed, click Cancel.
28. Navigate to the \WINNT\System32\Spool\PRINTERS folder.
29. Examine the contents of the Printers folder.
30. Double-click the SPL file.
31. When the Open With dialog box is displayed, uncheck Always Use This Program To Open These Files, and select Notepad from the list.
32. Scroll down to the bottom of the file. At the end of the file, after all the printer language has been taken care of, you will see the name of the file and its contents.
33. Double-click the SHD file.
34. Uncheck Always Use This Program To Open These Files, and select Notepad from the list. You will see who sent this file from the computer.
35. Close both instances of Notepad.

NAT and ICS

Up to this point, all the security systems and methods you have used have been aimed at securing the operating system and the data on the physical hard drive. All the security you create is of little use if an attacker can simply sniff all the packets on the network and reassemble them at their leisure.

Network Address Translation (NAT) is an Internet standard defined in RFC 1631. NAT is used to mask private IP addresses with the IP address of the external Internet connection. Although NAT was not designed as a security mechanism, many networks require NAT in their security policies to add an extra layer between the Internet and the internal network. Clients on the internal network are not required to have a public IP address, which conserves public IP addresses. Internal clients can be configured with an IP address from the private network blocks. Remember that private IP addresses are those that are not routed on the Internet. They are defined by RFC 1918, and the address ranges are:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

It is also worth noting that Microsoft uses another range for private addressing, 169.254.0.0 - 169.254.255.255. This addressing is not defined in the RFC, but it allows another set of private addresses to be used on the network.

NAT is an integrated part of Routing and Remote Access Service (RRAS), which is covered shortly, as well as part of Internet Connection Sharing (ICS). The version of NAT used by ICS is scaled down from the full version and does not allow the level of configuration that RRAS NAT allows. ICS is designed for a small office or a home network, where there is one Internet connection that is shared by the whole network. All users connect through a single interface, usually a modem, DSL, or cable access point.

Remote Access

The Windows 2003 Routing and Remote Access Service (RRAS) includes:

Network Address Translation (NAT)
Routing protocols (RIP and OSPF)
Remote Authentication Dial-In Service (RADIUS)

The RRAS Remote Access Server allows PPP connections and can be set to require authentication. RRAS can be set to use Remote Authentication Dial-In Service (RADIUS) or Windows Authentication. If RRAS is using RADIUS, when a user's authentication request is made to the RRAS server, the dial-in credentials are passed to the RADIUS server. The RADIUS server then performs the authentication and authorization for the client to access the network.

Internet Explorer Enhanced Security Configuration

One thing you will notice immediately when using Windows Server 2003 is that Internet Explorer (IE) functions differently from previous versions of Windows. IE is configured in a zone by default, and as you use the browser, you may find that you need to change the default configuration.

Hardening TCP/IP

The TCP/IP stack in Windows is one of the most attacked components of any computer. Common attacks include Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, spoofing, smurf, and Land attacks... There are a number of configurations that can be made in the Registry to harden TCP/IP in Windows 2003. The configurations here are Microsoft's recommendations, designed specifically to help protect against denial-of-service attacks. The following settings can be configured in the Registry. Remember to be careful in the Registry, as errors in configuration can cause Windows to function improperly and may require a reinstallation. The following configurations are all values found in the Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Syn Attack Defense

Anyone who understands the danger and the latent risk of a system being hit by a DoS (Denial of Service) attack will prepare the system as well as possible; minimizing the impact of such attacks is a requirement that network administrators always set. In this article I describe how to limit DoS attacks on a Windows Server 2003 system. First, you must apply the latest patches from Microsoft and make sure that no patch is left uninstalled. Information about the updates is available on the website. Hardening TCP/IP on a Windows Server 2003 server is a necessary task for the network administrator. By default, the TCP/IP configuration is set up for convenient exchange of information. If your computer is connected directly to the Internet, Microsoft recommends that you make sure TCP/IP is configured to limit DoS attacks.

Configuring TCP/IP parameters in the Registry to harden TCP/IP

Errors can occur when you modify registry values with Registry Editor or by any other method. Some of these errors may force you to reinstall the operating system. Microsoft cannot guarantee that all such errors can be resolved. Editing the registry carries considerable risk. The following are the TCP/IP registry parameters that you can configure to harden TCP/IP when your computer is connected directly to the Internet. All of these parameters are stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Value Name: SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0,1
Default: 0

This parameter controls how TCP retransmits SYN-ACKs. When you configure this value, connections time out more quickly during a SYN attack (a form of DoS attack). The following are the values you can set in the Registry:

0 (the default): No protection against SYN attacks.
1: Setting SynAttackProtect to 1 is better, as it protects the system against SYN attacks.

The meaning of this parameter is that if it is 0, the system retransmits SYN-ACKs. If you set the parameter to 1, a connection times out more quickly if the system detects a SYN attack. Windows uses the following parameters to limit such attacks:

TcpMaxPortsExhausted
TCPMaxHalfOpen
TCPMaxHalfOpenRetried

Note that in Windows Server 2003 Service Pack 1, SynAttackProtect defaults to 1.

Dead Gateway

Multiple gateways can be configured in the TCP/IP settings. You may, however, want to disable this function, as a denial-of-service (or other) attack could cause your computer to switch gateways. The specifics are defined as follows:

Value Name: DeadGWDetectDefault
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0 (False), 1 (True)
Default Value: 1 (True)

When you set EnableDeadGWDetect to 1, TCP is allowed to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask IP to change the gateway. The backup gateways used are defined on the Advanced tab of the TCP/IP configuration. Microsoft recommends that you set EnableDeadGWDetect to 0. If you do not set it to 0, an attack could redirect the server through another gateway, where packets could be captured or otherwise tampered with as the data passes through the attacker's gateway.

MTU Restrictions

Attackers can use the Maximum Transmission Unit (MTU) to force the network to use very small segments. With Path MTU Discovery, TCP attempts to determine the largest packet size that a path to a remote host will support. Conversely, when it is misused, the network can be flooded with small segments. The specifics for adjusting this value are defined as follows:

Value Name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Valid Range: 0 (False), 1 (True)
Default Value: 1 (True)

When you set EnablePMTUDiscovery to 1, TCP attempts to discover the Maximum Transmission Unit (MTU), or largest packet size, over the path to a remote host. TCP packets can be fragmented as they pass through routers that connect networks with different MTUs; discovering the path MTU and limiting the size of TCP packets avoids this. Microsoft recommends that you set EnablePMTUDiscovery to 0. When you do this, an MTU of 576 is used for all connections. If you do not set this value to 0, an attack based on the MTU values of connections may affect your system.

Keep Alive

The default behavior of TCP in Windows is not to verify idle connections. It is recommended that these connections be verified (using third-party software, if necessary) by sending a keep-alive packet and waiting for a response. If there is no response, the idle connection can then be closed. The specifics for adjusting this value are defined as follows:

Value Name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD (this value is in milliseconds)
Valid Range: 1-0xFFFFFFFF
Default Value: 7,200,000 (2 hours)

This parameter controls TCP's attempts to verify that a connection is still alive by sending a keep-alive packet. If the remote computer is still connected, it acknowledges the keep-alive packet. Keep-alive packets are not sent with the default settings. You can use a program to configure this value for a connection. The vendor's recommended setting is 300,000 (5 minutes).

TASK 3G-2 Configuring TCP/IP in the Registry

1. Open Registry Editor.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
3. Open the Tcpip\Parameters key.
4. In the right pane, right-click and add the following REG_DWORD values:
   a. SynAttackProtect
   b. EnablePMTUDiscovery
   c. KeepAliveTime
5. Double-click SynAttackProtect, and enter the value 2.
6. Double-click EnablePMTUDiscovery, and enter the value 0.
7. Double-click KeepAliveTime, and enter the decimal value 300,000. In hexadecimal notation this is 493E0.
8. Close Registry Editor.
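An added example, not part of the original course text: a Python audit that reads the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` and reports every value that differs from the settings recommended above, applying the listed default when a value is absent from the key. The names BASELINE, parse_reg_query and audit are hypothetical, the sample output is constructed, and treating any SynAttackProtect of 1 or higher as protected is an assumption.

```python
import re

# Recommended values taken from the text above. Defaults are the ones the page
# lists and apply when a value is absent from the key. Accepting any
# SynAttackProtect >= 1 is an assumption (the text describes 1, the task enters 2).
BASELINE = {
    # name: (default when absent, check, human-readable expectation)
    "SynAttackProtect":    (0,       lambda v: v >= 1,      ">= 1"),
    "EnableDeadGWDetect":  (1,       lambda v: v == 0,      "0"),
    "EnablePMTUDiscovery": (1,       lambda v: v == 0,      "0"),
    "KeepAliveTime":       (7200000, lambda v: v == 300000, "300000 (0x493E0)"),
}

# One value line of `reg query` output: name, type, data (REG_DWORD data is hex).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")

def parse_reg_query(text):
    """Return {lowercased value name: int} for the REG_DWORD lines in text."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "REG_DWORD":
            values[m.group(1).lower()] = int(m.group(3), 16)
    return values

def audit(text):
    """Return a list of (name, effective value, expected, origin) findings."""
    present = parse_reg_query(text)
    findings = []
    for name, (default, ok, expected) in BASELINE.items():
        # Registry value names are case-insensitive, so compare in lowercase.
        origin = "set" if name.lower() in present else "default"
        value = present.get(name.lower(), default)
        if not ok(value):
            findings.append((name, value, expected, origin))
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect    REG_DWORD    0x2
    EnablePMTUDiscovery    REG_DWORD    0x1
    keepalivetime    REG_DWORD    0x493e0
    Hostname    REG_SZ    srv01
"""

if __name__ == "__main__":
    for name, value, expected, origin in audit(SAMPLE):
        print(f"{name}: {value} ({origin}), expected {expected}")
```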

TCP/IP Filtering

A built-in feature of Windows 2003 that you can use to add a layer of protection is TCP/IP filtering, which controls inbound network access to a host. TCP/IP filtering is independent of other processes, such as IPSec, and of other services, such as the Server and Workstation services. For outbound access, you need to implement Routing and Remote Access filters. When you configure filtering, you have the option of controlling access to TCP ports, UDP ports, and specific IP protocols. Each access point is controlled by a numeric value. In other words, you control port access by port number, such as 80, and to control access for an entire protocol, you use the IP protocol number. The following table lists, for quick reference, some of the IP protocol numbers used in filters.

Protocol Number   Protocol Acronym   Full Name of Protocol
1                 IP                 Internet Protocol
6                 TCP                Transmission Control Protocol
17                UDP                User Datagram Protocol

When you enable TCP/IP filtering on one interface, it is enabled on all interfaces. However, you must configure the specific filters on a per-interface basis. When you configure the filters, the options are to permit all ports or to list the ports that will be permitted. Remember that this configures inbound ports, not outbound. The system does not filter responses to host-initiated requests, so you do not need to open high ports for network responses. Finally, if you want to filter protocols, be aware that you cannot block ICMP messages; this is the case even if you exclude IP protocol 1 from the list of permitted protocols. A simple way to block TCP traffic, for example, is to select the option to filter TCP ports but not add any ports to the permitted list.

TASK 3G-3 Configuring Port and Protocol Filtering

1. Navigate to the properties of your network interface.
2. Scroll down and select Internet Protocol (TCP/IP), and click Properties.
3. Click the Advanced button.
4. Display the Options tab.
5. Select TCP/IP Filtering and click Properties.
6. Check Enable TCP/IP Filtering.
7. Permit only the following TCP ports: 20, 21, 23, 25, 80, 110, and 443.
8. Permit only the following protocols: 6 and 17.

9. Click OK to implement your filtering.
10. Click OK to close Advanced TCP/IP Properties.
11. Click OK, and click Close to close the TCP/IP and interface properties.
12. When you are prompted to restart the server, click No. To fully implement your changes you would have to restart the server; however, for the purposes of this class, we need to have all ports and protocols available.
13. Go back and reset the filtering settings so that the rest of the tasks function without restrictions.
14. This time, restart your computer when you are prompted. Afterward, log on as Administrator and verify that the TCP/IP settings are correct.
15. Close all open windows.

Windows Firewall

While you should have a firewall running on your network, you may also want to consider using local firewall software on your servers. There are many vendor products available, and in this section you will look at the Windows Firewall solution that is part of Server 2003. Simply called Windows Firewall, it replaces the older, less effective security product, Internet Connection Firewall. This firewall is also found on Windows Server 2003. To run Windows Firewall on your server, you need to enable the Windows Firewall/ICS service. Once you enable the service, however, the firewall does not run automatically; you still have to turn the firewall on.

TASK 3G-4 Enabling Windows Firewall

1. From the Start Menu, choose Control Panel→Windows Firewall.
2. When you are told that you must enable the Windows Firewall/ICS service, click Yes.
3. Select the On radio button. You can now enable Windows Firewall.
4. Click OK.

TASK 3G-5 Configuring Windows Firewall

1. From the Start Menu, choose Control Panel→Windows Firewall.
2. Open Windows Firewall, and open a command prompt.
3. In the command prompt, ping a computer on the network. Note that the ping does not succeed. Leave the command prompt.
4. Switch to the Advanced tab, and click the Settings button under ICMP.
5. Switch to Windows Firewall ICMP Settings.

6. Check the following check box: Allow Incoming Echo Request, and click OK.
7. Switch to the command prompt, and verify that the computer on the network has completed step 6.
8. In the command prompt, ping the computer on your network.
9. Close all open windows.

TASK 3G-6 Configure Server 2003

1. From the Start Menu, choose Administrative Tools→Local Security Policy.
2. Open Account Policies, Password Policy.
3. Set the following options:
   Enforce password history: 0
   Maximum password age: 0
   Minimum password age: 0
   Minimum password length: 0
   Password must meet complexity requirements: Disabled
4. Close Local Security Policy.
5. From the Start Menu, choose Control Panel→Windows Firewall.
6. Select the Off radio button, and click OK.
7. Open Computer Management, and select the Local Users And Groups option.
8. Right-click the Administrator account, and choose Delete. Choose Yes at the warning prompt.
9. Right-click the scnpXXX account, and choose Rename.
10. Enter Administrator as the new account name.
11. Close the Computer Management window.
12. Log off the current Windows session.
13. Log back on as Administrator. Remember that your password is aA1234!.
14. Press Ctrl+Alt+Del and change the password.
15. Change the Administrator account to Administrator2 and rename the SCNP001 account to Administrator. For the old password, type aA1234!, leave both New Password and Confirm Password blank, and click OK.
16. Click OK at the message that the password was changed successfully, and click Cancel.
17. Log off and log on as Administrator with no password to confirm that the changes took place.
