Making remote access to the server more secure through the registry


To manage servers more efficiently, many system administrators enable remote access so that maintenance no longer has to be done at the server itself. Once remote access is enabled, however, the server's security may suffer to some extent. This article describes how to make remote access to the server more secure by modifying the registry:

1. Refuse the creation of new LAN connections

If unauthorized users on your Windows 2000 server are free to create new LAN connections, the local server's security is threatened: an illegal user can create a LAN connection as a "channel" of their own for attacking the local server from a remote machine. The following method prevents users with ordinary accounts from freely creating new LAN connections from the local server's network components, so that no new channel for remote connections can be created:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK". In the Registry Editor window that appears, position the mouse on the registry branch HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Network Connections, as shown in Figure 1;


Figure 1

In the right-hand pane of the Network Connections branch, right-click a blank area and choose "New" / "DWORD Value" from the shortcut menu. Name the new DWORD value "NC_AddRemoveComponents", double-click it, enter "0" in the value box that appears and click "OK". Finally press the F5 function key to refresh the registry so that the setting takes effect.

To prevent unauthorized users from freely modifying the properties of LAN connection components that have already been created (which would render those components unusable), create two further DWORD values named "NC_LanChangeProperties" and "NC_RasChangeProperties" in the right-hand pane of the same Network Connections branch, set both to "0", click "OK" and refresh the registry.


2. Refuse connections from new users

Your Windows XP Terminal Server may allow several remote clients to stay connected at once. Sometimes, to keep every existing remote connection fast, you will want to keep the currently active sessions while refusing new users that try to connect to the server. To do so, proceed as follows:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK". In the Registry Editor window that appears, position the mouse on the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, as shown in Figure 2;


Figure 2

In the right-hand pane of the Terminal Services branch, right-click a blank area and choose "New" / "DWORD Value" from the shortcut menu. Name the new DWORD value "fDenyTSConnections", double-click it, enter "1" in the value box and click "OK". The terminal server will then keep its existing connections open while refusing any new user that tries to connect. If "fDenyTSConnections" is set to "0", the terminal server allows new users to connect again.

3. Prevent users from keeping multiple remote sessions

By default the Windows XP terminal server lets each remotely connected user keep several remote sessions at once, each for as long as they like, which reduces the terminal server's efficiency. The following method prevents users from keeping multiple remote sessions, so that each remotely connected user can hold only one terminal server session:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK". In the Registry Editor window that appears, position the mouse on the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services;

In the right-hand pane of the Terminal Services branch, right-click a blank area and choose "New" / "DWORD Value" from the shortcut menu. Name the new DWORD value "fSingleSessionPerUser", double-click it, enter "1" in the value box (shown in Figure 3) and click "OK". From then on the terminal server limits the number of remote sessions per user, so that each user can keep only one session.


Figure 3

If "fSingleSessionPerUser" is set to "0", the system places no limit on the number of remote terminal server sessions a user may hold.


4. Refuse remote access to shared ports

The parallel port, serial port and similar devices of a Windows 2000 server usually have network-shared devices such as printers attached, and by default the server allows any user to access these shared ports remotely. For the server's security it is better to deny ordinary users remote access to them, so that an illegal user cannot use them to attack the server. The following steps deny remote access to shared ports to ordinary user accounts:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK". In the Registry Editor window that appears, position the mouse on the registry branch HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager;

In the right-hand pane of the Session Manager branch, right-click a blank area and choose "New" / "DWORD Value" from the shortcut menu. Name the new DWORD value "ProtectionMode", as shown in Figure 4, double-click it, enter "1" in the value box, click "OK" and restart the server. From then on only the system administrator can access and manage the shared ports.

5. Stop the desktop wallpaper from being removed remotely

If you do not want unauthorized users to be able to force the removal of the desktop wallpaper remotely, simply follow these steps:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK" to open the registry editing interface, then position the mouse on the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services;

In the right-hand pane of the Terminal Services branch, right-click a blank area and choose "New" / "DWORD Value" from the shortcut menu. Name the new DWORD value "fNoRemoteDesktopWallpaper", double-click it, enter "0" in the value box (Figure 4), click "OK" and refresh the registry. Note that this method only works on Windows XP systems.


Figure 4

6. Refuse remote installation of printer drivers

By default Windows 2000 Server lets users with ordinary accounts install printer drivers on the server remotely, so that they can freely add new network printers to the server. This exposes the server to security threats: an illegal user could, for example, flood the network printer with junk jobs, degrading the server's performance and even crashing it. To stop ordinary users from installing printer drivers on the local server remotely, configure the following:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK". In the Registry Editor window that appears, position the mouse on the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services, as shown in Figure 6;

Right-click the "LanMan Print Services" branch, choose "New" / "DWORD Value" from the shortcut menu, name the value "AddPrintDrivers", set its data to "1" and refresh the registry. From then on only the system administrator and members of the Administrators group can install printer drivers remotely.

7. Limit the number of remote connections

To keep the Windows XP terminal server running efficiently, you should place a sensible limit on the number of remote connections that can be established to the server at the same time; this keeps the terminal server's performance stable. To limit the number of remote connections on a Windows XP terminal server, follow these steps:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK" to open the registry editing interface, then position the mouse on the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services;

In the right-hand pane of the Terminal Services branch, right-click a blank area and choose "New" / "DWORD Value" from the shortcut menu. Name the new DWORD value "MaxInstanceCount", double-click it and enter the desired number of connections in the value box; for example, to let 10 users connect to the remote server at the same time, enter "10" (shown in Figure 5) and click "OK". Normally the value of "MaxInstanceCount" lies between 1 and 999999; if you do not want the Windows XP Terminal Server to limit the number of remote connections at all, set it to "999999".


Figure 5

8. Prevent remote access to the system logs

The Windows 2000 server's log files record every user's access to the server and all security-relevant operations, so any trace of a hacker's attempt to attack the server can be found in them. By default, however, the log files may be viewed remotely by the anonymous account or the Guest account, which lets a hacker remotely "erase" the traces their attack left in the log, so that the system administrator cannot discover the security problem in time. The following approach prevents ordinary user accounts from accessing the system logs remotely:

Click "Start" / "Run", enter the Registry Editor command "Regedit" in the Open box and click "OK" to open the registry editing interface, then position the mouse on the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application, as shown in Figure 6;


Figure 6

Then click "Edit" / "New" / "DWORD Value" on the menu bar to create a DWORD value named "RestrictGuestAccess" under the Application branch, enter "1" as its data and click "OK"; the server will then refuse ordinary accounts remote access to the application log;

To also deny ordinary accounts remote access to the system log, create a "RestrictGuestAccess" DWORD value under the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System and likewise set it to "1"; to deny ordinary accounts remote access to the security log, create a "RestrictGuestAccess" DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security and set it to "1" as well. Finally refresh the registry.

9. Prevent remote access to the password cache

By default Windows 2003 Server automatically saves every administrator password that is entered to the system cache, and once a hacker or other illegal attacker has set their sights on the server, the various passwords in its cache can easily be obtained remotely. To ensure that password information on Windows 2003 Server cannot be stolen remotely, follow these steps to keep hackers from accessing the password cache remotely:

First open the Run box, execute the Registry Editor command "Regedit" in it, and position the mouse on the registry branch HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies, as shown in Figure 7;


Figure 7

Then click "Edit" / "New" / "Key" on the menu bar to create a subkey named Network under the policies branch. With the Network subkey selected, click "Edit" / "New" / "DWORD" on the menu bar and, in the right-hand pane of the Network subkey, create a DWORD value named "DisablePasswordCaching" and enter "0x00000001" as its data. Finally restart the computer; Windows 2003 Server will no longer remember passwords automatically, so hackers will not be able to obtain passwords from the cache remotely.

10. Prevent remote access to share permissions

By default a Windows server automatically sets up each local disk partition as a hidden share. If so, an illegal user may use specialised attack methods to obtain Full Control permission on these hidden shared resources, bringing security threats to the server. The following method makes the server stop creating the hidden shares automatically, so that unauthorized users cannot gain full control of shared resources through remote access:

First open the Registry Editor window and position the mouse on the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, as shown in Figure 8;


Figure 8

In the right-hand pane of the Parameters branch, find the string value "AutoShareServer", double-click it, enter "0" in the value box, click "OK" and restart the computer. Illegal users will then be unable to obtain control permissions on the server's shares through remote access.
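The following PowerShell script is an added example, not part of the original article: it audits every registry value from sections 1 to 10 against the value the article recommends and, when run with -Apply, writes those that differ. The function names and the $Settings table are my own assumptions; the paths and values are the article's, the script needs an elevated session, and the section 1 values live under HKEY_CURRENT_USER, so they apply to the account that runs it.

```powershell
# Added example (not from the article): audit the values from sections 1-10 and,
# with -Apply, write the ones that differ. Run from an elevated PowerShell session.
# Function names and the $Settings table are my own; paths/values are the article's.
param([switch]$Apply)
$TS = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$NC = 'HKCU:\Software\Policies\Microsoft\Windows\Network Connections'   # section 1, per user
$EL = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$Settings = @(
    @{ Path = $NC; Name = 'NC_AddRemoveComponents';   Value = 0 }
    @{ Path = $NC; Name = 'NC_LanChangeProperties';   Value = 0 }
    @{ Path = $NC; Name = 'NC_RasChangeProperties';   Value = 0 }
    # fDenyTSConnections (section 2) is left out on purpose: 1 refuses every new
    # Remote Desktop connection, the administrator's included. Check it by hand.
    @{ Path = $TS; Name = 'fSingleSessionPerUser';     Value = 1 }   # section 3
    @{ Path = $TS; Name = 'fNoRemoteDesktopWallpaper'; Value = 0 }   # section 5
    @{ Path = $TS; Name = 'MaxInstanceCount';          Value = 10 }  # section 7
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'ProtectionMode'; Value = 1 }  # 4, reboot
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services'; Name = 'AddPrintDrivers'; Value = 1 }  # 6
    @{ Path = "$EL\Application"; Name = 'RestrictGuestAccess'; Value = 1 }   # section 8
    @{ Path = "$EL\System";      Name = 'RestrictGuestAccess'; Value = 1 }
    @{ Path = "$EL\Security";    Name = 'RestrictGuestAccess'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network'; Name = 'DisablePasswordCaching'; Value = 1 }  # 9, reboot
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer'; Value = 0 }  # 10, reboot
)

function Get-HardeningState {
    param([hashtable]$S)
    $current = $null
    if (Test-Path -LiteralPath $S.Path) {
        $item = Get-ItemProperty -LiteralPath $S.Path -Name $S.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($S.Name) }
    }
    # String comparison so a REG_SZ "0" and a REG_DWORD 0 both count as compliant
    [pscustomobject]@{ Path = $S.Path; Name = $S.Name; Expected = $S.Value
                       Current = $current; Compliant = ("$current" -eq "$($S.Value)") }
}

function Set-HardeningValue {
    param([hashtable]$S)
    # Creates the key first if it is missing (e.g. the Network subkey of section 9)
    if (-not (Test-Path -LiteralPath $S.Path)) { New-Item -Path $S.Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $S.Path -Name $S.Name -PropertyType DWord -Value $S.Value -Force | Out-Null
}

$report = foreach ($s in $Settings) {
    $state = Get-HardeningState $s
    if ($Apply -and -not $state.Compliant) { Set-HardeningValue $s; $state = Get-HardeningState $s }
    $state
}
$report | Format-Table Name, Expected, Current, Compliant, Path -AutoSize
```

Run it once without -Apply to see which values drift from the article's recommendations, and remember that ProtectionMode, DisablePasswordCaching and AutoShareServer only take effect after a restart.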