What is hardening in Windows and how to apply it without being a sysadmin

Last updated: 18/11/2025

  • Baselines (CIS, STIG and Microsoft) guide consistent, measurable hardening.
  • Less surface: install only the essentials, limit ports and privileges.
  • Patching, monitoring, and encryption sustain security over time.
  • Automate with GPOs and tools to maintain your security posture.

If you manage servers or user computers, you have probably asked yourself this question: how do I make Windows secure enough to sleep soundly? Hardening in Windows is not a one-off trick, but a set of decisions and adjustments that reduce the attack surface, limit access, and keep the system under control.

In enterprise environments, servers are the foundation of operations: they store data, provide services, and connect critical business components. That is why they are a prime target for any attacker. By strengthening Windows with best practices and baselines, you reduce failures, limit risk, and prevent an incident at one point from escalating to the rest of the infrastructure.

What is hardening in Windows and why does it matter?

Hardening, or reinforcement, consists of configuring, removing or restricting components of the operating system, services, and applications to close entry points. Windows is versatile and compatible, yes, but that "it works for almost everything" approach means it ships with functionality enabled that you do not always need.

The more unnecessary features, ports, or protocols you run, the greater your exposure. The goal of hardening is to reduce the attack surface, limit privileges and leave only the essentials, with up-to-date patches, active auditing, and clear policies.

This approach is not unique to Windows; it applies to any modern system, because each one is installed ready to handle thousands of different scenarios. That is why it is advisable to close what you do not use: if you do not use it, someone else will try to use it for you.

Baselines and standards that set the course

For hardening in Windows, there are benchmarks such as CIS (Center for Internet Security) and the DoD STIG guides, in addition to the Microsoft Security Baselines. These references include recommended settings, policy values, and controls for different roles and versions of Windows.

Applying a baseline greatly speeds up the project: it closes the gap between the default configuration and best practices, avoiding the "gaps" typical of rapid deployments. Even so, every environment is unique, and it is advisable to test the changes before taking them to production.

Windows Hardening Step by Step

Preparation and physical security

Hardening in Windows begins before the system is installed. Keep a complete server inventory, isolate new servers from traffic until they are hardened, protect the BIOS/UEFI with a password, disable booting from external media, and prevent autologon on recovery consoles.

If you use your own hardware, place the equipment in locations with physical access control. Proper temperature and monitoring are essential. Limiting physical access is just as important as limiting logical access, because opening the chassis or booting from USB can compromise everything.

Accounts, credentials, and password policy

Start by removing the obvious weaknesses: disable the guest account and, where possible, disable or rename the local Administrator. Create an administrative account with a non-trivial name (see How to create a local account in Windows 11 offline) and use unprivileged accounts for day-to-day work, elevating privileges through "Run as" only when necessary.

Strengthen your password policy: ensure appropriate complexity and length, periodic expiration, history to prevent reuse, and account lockout after failed attempts. If you manage many machines, consider solutions like LAPS to rotate local credentials; the key is to avoid static, easy-to-guess credentials.

 

Review group memberships (Administrators, Remote Desktop Users, Backup Operators, and so on) and remove those that are not needed. The principle of least privilege is your best ally for limiting lateral movement.
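
The account and group review described above, as an added example that is not part of the original article. It is read-only, assumes the LocalAccounts cmdlets of Windows PowerShell 5.1, and finds accounts and groups by well-known SID so that renamed or localized names are still caught.

```powershell
# Added example: read-only audit of local accounts and privileged group membership.
# Run in an elevated session; nothing is changed.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Item, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# Built-in accounts keep their relative ID after a rename: 500 = Administrator, 501 = Guest.
foreach ($user in Get-LocalUser | Where-Object Enabled) {
    switch ($user.SID.Value.Split('-')[-1]) {
        '500' { Add-Finding 'Built-in Administrator enabled' $user.Name 'disable it or reserve it for recovery' }
        '501' { Add-Finding 'Guest enabled' $user.Name 'disable it' }
    }
    if (-not $user.PasswordRequired) {
        Add-Finding 'Password not required' $user.Name 'the account may have a blank password'
    }
    if ($null -eq $user.PasswordExpires) {
        Add-Finding 'No password expiry date' $user.Name 'static credential: rotate it or manage it with LAPS'
    }
}

# Privileged built-in groups by well-known SID (display names differ on localized systems).
$groups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-551' = 'Backup Operators'
}
foreach ($sid in $groups.Keys) {
    try {
        foreach ($m in Get-LocalGroupMember -SID $sid -ErrorAction Stop) {
            Add-Finding "Member of $($groups[$sid])" $m.Name "$($m.ObjectClass), $($m.PrincipalSource): confirm it is still needed"
        }
    } catch {
        # Orphaned SIDs left behind by deleted domain accounts make the cmdlet fail; report that too.
        Add-Finding "Cannot enumerate $($groups[$sid])" $sid $_.Exception.Message
    }
}

$findings | Format-Table -AutoSize -Wrap
net accounts   # effective local password and lockout policy (length, age, history, lockout)
```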

Network, DNS and time synchronization (NTP)

A production server should have a static IP, sit in a protected segment behind a firewall (and know How to block suspicious network connections from CMD when necessary), and have two DNS servers defined for redundancy. Verify that the A and PTR records exist; remember that DNS propagation ... takes time, and it is advisable to plan for it.

Configure NTP: a skew of just a few minutes breaks Kerberos and causes odd authentication failures. Define a trusted time source and synchronize the whole fleet against it. If you do not need them, disable legacy protocols such as NetBIOS over TCP/IP or LMHosts lookup to reduce noise and exposure.
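
A read-only check of the items in this section, added here as an example and not taken from the original article. It assumes the NetTCPIP and DnsClient modules that ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: addressing, DNS redundancy, A/PTR records, time source and legacy name resolution.
$report = [ordered]@{}

# Static addressing: any connected IPv4 interface still using DHCP is listed.
$report['Interfaces using DHCP'] = @(Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.Dhcp -eq 'Enabled' } | ForEach-Object InterfaceAlias) -join ', '

# Redundancy: interfaces that have a resolver configured, but only one.
$report['Interfaces with a single DNS server'] = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -eq 1 } | ForEach-Object InterfaceAlias) -join ', '

# Forward (A) and reverse (PTR) records for this host, asking DNS only (no LLMNR/NetBIOS fallback).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$a = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A')
$report['A record'] = if ($a.Count) { $a.IPAddress -join ', ' } else { 'MISSING' }
$report['PTR record'] = if ($a.Count) {
    $ptr = @(Resolve-DnsName -Name $a[0].IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'PTR')
    if ($ptr.Count) { $ptr.NameHost -join ', ' } else { 'MISSING' }
} else { 'not checked (no A record)' }

# 'Local CMOS Clock' or 'Free-running System Clock' means nothing is being synchronized.
$report['Time source'] = (w32tm /query /source | Out-String).Trim()

# TcpipNetbiosOptions: 0 = taken from DHCP, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$report['NetBIOS over TCP/IP not disabled'] = @($nics | Where-Object TcpipNetbiosOptions -ne 2 |
    ForEach-Object Description) -join ', '
$report['LMHosts lookup enabled'] = [bool]($nics | Where-Object WINSEnableLMHostsLookup)

[pscustomobject]$report | Format-List
```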

Roles, features and services: less is more

Install only the roles and features you need for the server's purpose (IIS, .NET in its required version, and so on). Every extra package is additional surface for vulnerabilities and configuration. Uninstall default or additional applications that will not be used (see Winaero Tweaker: useful and safe tweaks).

Review the services: the necessary ones, set to Automatic; those that depend on others, set to Automatic (Delayed Start) or with well-defined dependencies; anything that adds no value, disabled. For application services, use dedicated service accounts with minimal permissions, not Local System if you can avoid it.
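
One way to carry out this review, added here as an example and not taken from the original article. It is read-only; treating any binary outside %SystemRoot% as an application service is a heuristic assumed for this sketch.

```powershell
# Added example: review of service start modes, service identities and installed roles.
$sysRoot = [regex]::Escape($env:SystemRoot)

$services = Get-CimInstance Win32_Service | ForEach-Object {
    # PathName may be quoted and carry arguments; only its location matters here.
    $path = "$($_.PathName)".TrimStart('"')
    [pscustomobject]@{
        Name       = $_.Name
        State      = $_.State
        StartMode  = if ($_.StartMode -eq 'Auto' -and $_.DelayedAutoStart) { 'Auto (Delayed)' } else { $_.StartMode }
        Account    = $_.StartName
        # Heuristic: binaries outside %SystemRoot% are treated as application services.
        AppService = [bool]$path -and $path -notmatch "^$sysRoot\\"
        Path       = $path
    }
}

'--- Application services running as LocalSystem (candidates for a dedicated low-privilege account) ---'
$services | Where-Object { $_.AppService -and $_.Account -eq 'LocalSystem' } |
    Format-Table Name, StartMode, State, Path -AutoSize -Wrap

'--- Automatic services that are not running (decide: fix, delay, or disable) ---'
$services | Where-Object { $_.StartMode -like 'Auto*' -and $_.State -ne 'Running' } |
    Format-Table Name, StartMode, Account -AutoSize

'--- Start mode summary ---'
$services | Group-Object StartMode | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Installed roles and features (Windows Server only; the ServerManager module provides the cmdlet).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    '--- Installed roles and features ---'
    Get-WindowsFeature | Where-Object Installed | Format-Table Name, DisplayName -AutoSize
}
```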

Firewall and exposure minimization

General rule: block by default and open only what is necessary. If it is a web server, expose HTTP/HTTPS and that is it; administration (RDP, WinRM, SSH) should go over VPN and, if possible, be restricted by IP address. Windows Firewall offers good control through profiles (Domain, Private, Public) and granular rules.

A dedicated perimeter firewall is a plus, because it offloads the server and adds advanced options (inspection, IPS, segmentation). In any case, the approach is the same: fewer open ports, less usable attack surface.

Remote access and insecure protocols

Use RDP only if strictly necessary, with NLA, high encryption, MFA if possible, and access restricted to specific groups and networks. Avoid telnet and FTP; if you need file transfer, use SFTP/SSH and, better still, do it over VPN. PowerShell Remoting and SSH must be controlled: limit who can reach them and from where. As a secure option for remote management, learn how to Enable and configure Chrome Remote Desktop on Windows.

If you do not need it, disable the Remote Registry service. Review and restrict NullSessionPipes and NullSessionShares to prevent anonymous access to resources. And if IPv6 is not used in your case, consider disabling it after assessing the impact.

Patching, updates, and change control

Keep Windows up to date with security patches, tested in a controlled environment before moving to production. WSUS or SCCM are allies for managing the patch cycle. Do not forget third-party software, which is often the weakest link: schedule updates and fix vulnerabilities quickly.

Drivers also play a role in hardening Windows: outdated drivers can cause crashes and vulnerabilities. Establish a regular update process, prioritizing stability and security over new features.

Event logging, auditing, and monitoring

Configure security auditing and increase log sizes so they do not rotate every two days. Centralize events in a corporate viewer or SIEM, because reviewing each server individually becomes unworkable as your system grows. Continuous monitoring, with performance baselines and alert thresholds, avoids "flying blind".
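
To size the Security log from measurements rather than guesswork, the following added example (not part of the original article) estimates how many days the log currently covers and what maximum size a retention target would need. The 30-day target and the 20% headroom are assumptions for illustration.

```powershell
# Added example: how long does the Security log actually last, and what size meets the target?
# Run elevated. $targetDays is an assumed retention goal, not a value from the article.
$targetDays = 30

$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$days   = [math]::Max(((Get-Date) - $oldest.TimeCreated).TotalDays, 0.01)

# Growth rate from what is on disk now; the estimate improves the longer the log has been filling.
$mbPerDay = ($log.FileSize / 1MB) / $days

[pscustomobject]@{
    LogMode            = $log.LogMode                      # Circular = oldest events are overwritten
    MaxSizeMB          = [math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentSizeMB      = [math]::Round($log.FileSize / 1MB)
    OldestEvent        = $oldest.TimeCreated
    DaysCovered        = [math]::Round($days, 1)
    MBPerDay           = [math]::Round($mbPerDay, 1)
    SuggestedMaxSizeMB = [math]::Ceiling($mbPerDay * $targetDays * 1.2)   # 20% headroom
} | Format-List

# Subcategories with no auditing at all (column names as in English-language auditpol output).
auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object 'Inclusion Setting' -eq 'No Auditing' |
    Select-Object Subcategory

# After review, raise the limit (value in bytes), for example to 1 GiB:
#   wevtutil sl Security /ms:1073741824
```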

File Integrity Monitoring (FIM) technologies and configuration change tracking help detect deviations from the baseline. Tools such as Netwrix Change Tracker make it easier to detect and explain what changed, who changed it and when, which speeds up response and helps with compliance (NIST, PCI DSS, CMMC, STIG, NERC CIP).

Data encryption at rest and in transit

For servers, BitLocker is a basic requirement on all drives that hold sensitive data. If you need file-level granularity, use ... EFS. Between servers, IPsec allows traffic to be encrypted to preserve confidentiality and integrity, which is key in segmented networks or across less trusted hops. This is crucial when talking about hardening in Windows.

Access control and critical policies

Apply the principle of least privilege to users and services. Avoid storing LAN Manager hashes and disable NTLMv1 except for legacy dependencies. Configure the permitted Kerberos encryption types and reduce file and printer sharing where it is not essential.

Consider limiting or blocking removable media (USB) to restrict malware entry or data exfiltration. Display a legal notice before logon ("Unauthorized use prohibited"), require Ctrl + Alt + Del, and automatically terminate inactive sessions. These are simple measures that raise the resistance an attacker meets.
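
The registry-backed settings named in this section and in "Remote access and insecure protocols" can be compared against their recommended values in one pass. The following is an added example, not part of the original article; it is read-only and checks local values only (settings delivered by Group Policy for RDP live under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and take precedence).

```powershell
# Added example: compare local registry values with the settings the article recommends.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Path = $rdp; Name = 'UserAuthentication';     Want = 1; Why = 'RDP requires NLA' }
    @{ Path = $rdp; Name = 'MinEncryptionLevel';     Want = 3; Why = 'RDP encryption level High' }
    @{ Path = $srv; Name = 'RestrictNullSessAccess'; Want = 1; Why = 'anonymous access limited to listed pipes/shares' }
    @{ Path = $lsa; Name = 'NoLMHash';               Want = 1; Why = 'LAN Manager hashes are not stored' }
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';   Want = 5; Why = 'NTLMv2 only; LM and NTLMv1 refused' }
)

$results = foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Want
        Actual   = if ($null -eq $actual) { '(not set, OS default applies)' } else { $actual }
        Pass     = $actual -eq $c.Want
        Why      = $c.Why
    }
}

# Null-session lists are REG_MULTI_SZ; every entry is a resource reachable without credentials.
$results += foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $list = @((Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue).$name |
        Where-Object { $_ })
    [pscustomobject]@{
        Setting  = $name
        Expected = 'empty unless a dependency is documented'
        Actual   = if ($list.Count) { $list -join ', ' } else { '(empty)' }
        Pass     = $list.Count -eq 0
        Why      = 'no anonymous access to pipes or shares'
    }
}

# Remote Registry should be disabled when it is not needed.
$rr = Get-Service -Name RemoteRegistry
$results += [pscustomobject]@{
    Setting = 'RemoteRegistry service'; Expected = 'Disabled'; Actual = "$($rr.StartType), $($rr.Status)"
    Pass = $rr.StartType -eq 'Disabled'; Why = 'no remote access to the registry'
}

$results | Format-Table -AutoSize -Wrap
```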

Tools and automation to gain traction

To apply baselines at scale, use GPOs and Microsoft's Security Baselines. The CIS guides, along with assessment tools, help measure the gap between your current state and the target. Where scale requires it, solutions such as CalCom Hardening Suite (CHS) help learn the environment, predict impact, and apply policies centrally, maintaining the hardening over time.

On client machines, there are free utilities that simplify hardening the essentials. Syshardener offers settings for services, firewall and common software; Hardentools disables potentially exploitable functions (macros, ActiveX, Windows Script Host, PowerShell/ISE per browser); and Hard_Configurator lets you work with SRP, whitelists by path or hash, SmartScreen on local files, blocking of untrusted sources, and automatic execution on USB/DVD.

Firewall and access: practical rules that work

Always enable Windows Firewall, configure all three profiles with inbound traffic blocked by default, and open only the ports critical to the service (with IP scope if applicable). Remote administration is best done over VPN and with restricted access. Review legacy rules and disable anything that is no longer needed.
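
The rules above and in "Firewall and exposure minimization", written out for a web server as an added example that is not part of the original article. The subnet 10.0.100.0/24 is a constructed placeholder for the VPN or management network, and the 'Remote Desktop' display group name is the one used on English-language systems.

```powershell
# Added example: default-deny inbound on all profiles, explicit allows, then an audit of what is left.
# Run elevated. $mgmtSubnet is a constructed placeholder; replace it with your VPN/management range.
$mgmtSubnet = '10.0.100.0/24'

# All three profiles on, inbound blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# The service itself: HTTP/HTTPS from anywhere.
New-NetFirewallRule -DisplayName 'Web inbound (80, 443)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 80, 443 -Profile Any | Out-Null

# Administration: scope the built-in RDP rules to the management subnet instead of "Any".
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $mgmtSubnet

# Audit: enabled inbound allow rules whose remote scope is still "Any".
# Each one is either the published service or a candidate for scoping or disabling.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    if ($addr.RemoteAddress -contains 'Any') {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort -join ','
        }
    }
} | Sort-Object Rule | Format-Table -AutoSize -Wrap
```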

Do not forget that hardening in Windows is not a static snapshot: it is a dynamic process. Document your baseline, monitor deviations, review changes after every patch, and adapt the measures to the actual role of the machine. A little discipline, a touch of automation, and a clear risk assessment make Windows a much harder system to breach without sacrificing its versatility.
