- Madogaran tushe (CIS, STIG da Microsoft) suna jagorantar daidaitaccen taurin da za a iya aunawa.
- Ƙananan sarari: shigar kawai abin da ke da mahimmanci, iyakance tashar jiragen ruwa da gata.
- Faci, saka idanu, da ɓoyewa suna ɗaukar tsaro a kan lokaci.
- Yi atomatik tare da GPOs da kayan aikin don kiyaye yanayin tsaro.
Idan kuna sarrafa sabar ko kwamfutocin masu amfani, tabbas kun yi wa kanku wannan tambayar: ta yaya zan sa Windows ta sami kwanciyar hankali don yin barci da kyau? hardening a cikin Windows Ba dabarar kashewa ba ce, amma saitin yanke shawara da gyare-gyare don rage girman kai hari, iyakance damar shiga, da kiyaye tsarin a ƙarƙashin iko.
A cikin yanayin kamfani, sabobin sune tushen ayyukan: suna adana bayanai, suna ba da sabis, da haɗa mahimman abubuwan kasuwanci; shi ya sa suka zama babbar manufa ga kowane mahari. Ta hanyar ƙarfafa Windows tare da mafi kyawun ayyuka da tushe, Kuna rage gazawa, kuna iyakance haɗari kuma kuna hana abin da ya faru a wani lokaci daga haɓaka zuwa sauran abubuwan more rayuwa.
Menene hardening a cikin Windows kuma me yasa yake da mahimmanci?
Ƙarfafawa ko ƙarfafawa ya ƙunshi saita, cire ko taƙaita abubuwan da aka gyara na tsarin aiki, ayyuka, da aikace-aikace don rufe yuwuwar wuraren shigarwa. Windows yana da dacewa kuma yana dacewa, i, amma cewa "yana aiki don kusan komai" tsarin yana nufin ya zo tare da ayyukan buɗe ido waɗanda ba koyaushe kuke buƙata ba.
Yawan ayyukan da ba dole ba, tashar jiragen ruwa, ko ka'idoji da kuke ci gaba da aiki, mafi girman raunin ku. Manufar taurin shine rage harin samanIyakance gata kuma bar abin da ke da mahimmanci kawai, tare da faci na yau da kullun, dubawa mai aiki, da bayyanannun manufofi.
Wannan hanya ba ta musamman ga Windows ba; ya shafi kowane tsarin zamani: an shigar dashi a shirye don gudanar da al'amura dubu daban-daban. Shi ya sa yana da kyau Rufe abin da ba ku amfani da shi.Domin idan ba ku yi amfani da shi ba, wani yana iya ƙoƙarin yin amfani da shi don ku.
Tushen da ƙa'idodi waɗanda ke tsara kwas
Don hardening a cikin Windows, akwai alamomi kamar CIS (Cibiyar Tsaro ta Intanet) da DoD STIG jagororin, ban da Microsoft Tsaro Baselines (Microsoft Tsaro Baselines). Waɗannan nassoshi sun ƙunshi shawarwarin shawarwari, ƙimar manufofi, da sarrafawa don ayyuka daban-daban da nau'ikan Windows.
Aiwatar da tushen tushe yana haɓaka aikin sosai: yana rage rarrabuwa tsakanin tsayayyen tsari da mafi kyawun ayyuka, guje wa “giɓi” na al'ada na turawa cikin sauri. Duk da haka, kowane yanayi na musamman ne kuma yana da kyawawa don gwada canje-canje kafin daukar su cikin samarwa.
Windows Hardening Mataki-mataki
Shiri da tsaro na jiki
Hardening a cikin Windows yana farawa kafin a shigar da tsarin. Ci gaba a cikakken kayan aikin uwar garkenWare sababbi daga zirga-zirga har sai sun taurare, kare BIOS/UEFI tare da kalmar wucewa, kashe taya daga kafofin watsa labarai na waje kuma yana hana autologon akan na'urorin dawowa.
Idan kuna amfani da kayan aikin ku, sanya kayan aiki a wurare tare da sarrafa damar jikiMadaidaicin zafin jiki da kulawa suna da mahimmanci. Iyakance damar jiki yana da mahimmanci kamar samun ma'ana, saboda buɗe chassis ko booting daga kebul na iya lalata komai.
Asusu, takardun shaida, da manufar kalmar sirri
Fara ta hanyar kawar da gazawar bayyane: kashe asusun baƙo kuma, inda zai yiwu, yana kashe ko sake suna Mai Gudanarwa na gidaƘirƙiri asusun gudanarwa tare da suna maras muhimmanci (tambaya Yadda ake ƙirƙirar asusun gida a cikin Windows 11 offline) kuma yana amfani da asusun marasa gata don ayyukan yau da kullun, haɓaka gata ta hanyar "Gudun kamar" kawai idan ya cancanta.
Ƙarfafa manufar kalmar sirrinku: tabbatar da dacewa da rikitarwa da tsayi. ƙarewar lokaci-lokaciTarihi don hana sake amfani da kulle asusun bayan yunƙurin da ba a yi nasara ba. Idan kuna sarrafa ƙungiyoyi da yawa, kuyi la'akari da mafita kamar LAPS don jujjuya takaddun shaidar gida; muhimmin abu shine kauce wa a tsaye takardun shaidarka kuma mai sauƙin zato.
Yi bitar membobin ƙungiyar (Masu Gudanarwa, Masu amfani da Desktop, Masu Ajiyayyen Ajiyayyen, da sauransu) kuma cire duk waɗanda ba dole ba. Ka'idar ta ƙaramin gata Shi ne mafi kyawun abokin ku don iyakance motsi na gefe.
Hanyar sadarwa, DNS da aiki tare lokaci (NTP)
Dole ne uwar garken samarwa ta kasance IP na tsaye, kasance a cikin sassan da aka kare a bayan bangon wuta (kuma ku sani Yadda ake toshe hanyoyin sadarwar da ake tuhuma daga CMD (idan ya cancanta), kuma suna da sabar DNS guda biyu da aka ayyana don sakewa. Tabbatar cewa bayanan A da PTR sun wanzu; tuna cewa yaduwa ta DNS ... yana iya ɗauka Kuma yana da kyau a shirya.
Sanya NTP: karkatar da mintuna kaɗan yana karya Kerberos kuma yana haifar da gazawar tantancewa da ba kasafai ba. Ƙayyade amintaccen mai ƙidayar lokaci kuma daidaita shi. dukan runduna gaba da shi. Idan baku buƙatar hakan, musaki ƙa'idodin gado kamar NetBIOS akan neman TCP/IP ko LMHosts. rage hayaniya da nuni.
Matsayi, fasali da ayyuka: ƙasa da ƙari
Shigar kawai ayyuka da fasalulluka da kuke buƙata don manufar uwar garken (IIS, .NET a cikin sigar da ake buƙata, da sauransu). Kowane ƙarin kunshin shine ƙarin surface don rauni da daidaitawa. Cire tsoho ko ƙarin aikace-aikacen da ba za a yi amfani da su ba (duba Winaero Tweaker: gyare-gyare masu amfani da aminci).
Sabis na bita: waɗanda ake buƙata, ta atomatik; wadanda suka dogara da wasu, a cikin Atomatik (fara jinkiri ba) ko tare da ingantaccen abin dogaro; duk wani abu da baya ƙara ƙima, kashe shi. Kuma don ayyukan aikace-aikacen, amfani takamaiman asusun sabis tare da ƙaramin izini, ba Tsarin Gida ba idan zaka iya guje masa.
Firewall da rage girman kai
Ƙa'idar gama gari: toshe ta tsohuwa kuma buɗe abin da ya dace kawai. Idan uwar garken gidan yanar gizo ce, tona asirin HTTP / HTTPS Kuma shi ke nan; gudanarwa (RDP, WinRM, SSH) yakamata ayi akan VPN kuma, idan zai yiwu, an iyakance ta adireshin IP. Wurin Tacewar zaɓi na Windows yana ba da iko mai kyau ta hanyar bayanan martaba (Yanki, Mai zaman kansa, Jama'a) da ƙa'idodi masu girma.
Keɓaɓɓen bangon wuta na kewaye koyaushe ƙari ne, saboda yana sauke sabar kuma yana ƙarawa zaɓuɓɓukan ci gaba (duba, IPS, segmentation). A kowane hali, hanyar hanya ɗaya ce: ƙarancin buɗe tashoshin jiragen ruwa, ƙasan kai hari mara amfani.
Samun nesa da ƙa'idodi marasa tsaro
RDP kawai idan ya zama dole, tare da NLA, babban boye-boyeMFA idan zai yiwu, da kuma ƙuntata damar zuwa takamaiman ƙungiyoyi da cibiyoyin sadarwa. Kauce wa telnet da FTP; idan kuna buƙatar canja wuri, yi amfani da SFTP/SSH, har ma mafi kyau, daga VPNPowerShell Remoting da SSH dole ne a sarrafa su: iyaka wanda zai iya samun damar su kuma daga ina. A matsayin amintaccen madadin don sarrafa ramut, koyi yadda ake Kunna kuma saita Chrome Remote Desktop akan Windows.
Idan ba kwa buƙatarsa, musaki sabis ɗin Rijistar Nesa. Bita kuma toshe NullSessionPipes y NullSessionShares don hana damar shiga albarkatun da ba a san su ba. Kuma idan ba a yi amfani da IPv6 ba a cikin yanayin ku, yi la'akari da kashe shi bayan tantance tasirin.
Faci, sabuntawa, da sarrafa canji
Ci gaba da sabunta Windows tare da facin tsaro Gwajin yau da kullun a cikin yanayin sarrafawa kafin motsawa zuwa samarwa. WSUS ko SCCM abokan haɗin gwiwa ne don gudanar da zagayowar facin. Kar a manta software na ɓangare na uku, wanda galibi shine hanyar haɗin gwiwa mai rauni: tsara sabuntawa da magance raunin da sauri.
da direbobi Direbobi kuma suna taka rawa wajen taurara Windows: tsofaffin na'urori na iya haifar da hadarurruka da lahani. Kafa tsarin sabunta direba na yau da kullun, ba da fifiko ga kwanciyar hankali da tsaro akan sabbin abubuwa.
Shigar abubuwan da suka faru, dubawa, da sa ido
Sanya bayanan tsaro da ƙara girman log ɗin don kada su juya kowane kwana biyu. Tsaya abubuwan da ke faruwa a cikin mai duba kamfani ko SIEM, saboda yin bitar kowane uwar garken daidaiku ya zama mara amfani yayin da tsarin ku ke girma. ci gaba da saka idanu Tare da ginshiƙan aiki da matakan faɗakarwa, guje wa "harba a makance".
Fayil Integrity Monitoring (FIM) fasahohin da canjin tsari na bin diddigin suna taimakawa gano karkatattun tushe. Kayan aiki kamar Netwrix Canjin Tracker Suna sauƙaƙa ganowa da bayyana abin da ya canza, wanda kuma lokacin, yana hanzarta amsawa da kuma taimakawa tare da bin ka'ida (NIST, PCI DSS, CMMC, STIG, NERC CIP).
Rufaffen bayanai a hutawa kuma a cikin tafiya
Domin sabobin, BitLocker Ya riga ya zama ainihin buƙatu a kan duk faifai tare da mahimman bayanai. Idan kuna buƙatar girman matakin-fayil, yi amfani da... EFSTsakanin sabobin, IPsec yana ba da damar ɓoye zirga-zirga don adana sirri da amincin, wani abu mai mahimmanci a ciki segmented cibiyoyin sadarwa ko tare da matakan dogaro da ƙasa. Wannan yana da mahimmanci yayin tattaunawa akan hardening a cikin Windows.
Gudanar da samun dama da manufofi masu mahimmanci
Aiwatar da ƙa'idar mafi ƙarancin gata ga masu amfani da sabis. Guji adana hashes na Manajan LAN kuma a kashe NTLMv1 ban da abin dogaro na gado. Sanya nau'ikan ɓoyayyen Kerberos da aka yarda kuma rage raba fayil da firinta a inda ba shi da mahimmanci.
Daraja Ƙuntata ko toshe kafofin watsa labarai masu ciruwa (USB) don iyakance fitar da malware ko shigarwa. Yana nuna sanarwar doka kafin shiga ("An haramta amfani da mara izini"), kuma yana buƙata Ctrl + Alt Del kuma ta atomatik yana ƙare zaman marasa aiki. Waɗannan matakai ne masu sauƙi waɗanda ke ƙara juriyar maharin.
Kayan aiki da sarrafa kansa don samun jan hankali
Don amfani da tushe cikin girma, yi amfani GPO da Tsarin Tsaro na Microsoft. Jagorar CIS, tare da kayan aikin tantancewa, suna taimakawa wajen auna tazarar da ke tsakanin halin ku na yanzu da makasudi. Inda ma'auni ya buƙaci shi, mafita kamar CalCom Hardening Suite (CHS) Suna taimakawa don koyo game da muhalli, tsinkaya tasiri, da aiwatar da manufofi a tsakiya, suna kiyaye taurin kan lokaci.
A kan tsarin abokin ciniki, akwai abubuwan amfani kyauta waɗanda ke sauƙaƙa "ƙarfafa" mahimman abubuwan. Syshardener Yana ba da saitunan akan ayyuka, Tacewar zaɓi da software na gama gari; Hardentools yana hana ayyukan da za a iya amfani da su (macro, ActiveX, Mai watsa shiri na Rubutun Windows, PowerShell/ISE kowane mai bincike); kuma Hard_Configurator Yana ba ku damar yin wasa tare da SRP, masu ba da izini ta hanya ko zanta, SmartScreen akan fayilolin gida, toshe hanyoyin da ba a amince da su ba da aiwatar da atomatik akan USB/DVD.
Firewall da samun dama: dokoki masu amfani waɗanda ke aiki
Koyaushe kunna Firewall Windows, saita duk bayanan martaba guda uku tare da toshe mai shigowa ta tsohuwa, sannan buɗe tashar jiragen ruwa masu mahimmanci kawai zuwa sabis (tare da iyakokin IP idan an zartar). Gudanarwa mai nisa yana da kyau ta hanyar VPN kuma tare da iyakanceccen dama. Bitar dokokin gado kuma a kashe duk wani abu da ba a buƙata.
Kar ka manta cewa taurara a cikin Windows ba hoto ba ne: tsari ne mai kuzari. Takaddun tushen tushen ku. yana lura da karkacewaYi bitar canje-canje bayan kowane faci kuma daidaita matakan zuwa ainihin aikin kayan aiki. Ƙananan horo na fasaha, taɓawa na aiki da kai, da fayyace ƙimar haɗari sun sa Windows ya zama tsarin da ya fi wahalar karya ba tare da sadaukar da iyawar sa ba.
Edita ya ƙware a fannin fasaha da al'amuran intanet tare da gogewa fiye da shekaru goma a cikin kafofin watsa labaru na dijital daban-daban. Na yi aiki a matsayin edita da mahaliccin abun ciki don kasuwancin e-commerce, sadarwa, tallan kan layi da kamfanonin talla. Na kuma yi rubutu a shafukan yanar gizo na tattalin arziki, kudi da sauran fannoni. Aikina kuma shine sha'awata. Yanzu, ta hanyar labarai na a ciki Tecnobits, Ina ƙoƙarin bincika duk labarai da sababbin damar da duniyar fasahar ke ba mu kowace rana don inganta rayuwarmu.