What hardening is in Windows and how to apply it without being a sysadmin

Last updated: 18/11/2025

  • Baselines (CIS, STIG and Microsoft) guide consistent, measurable hardening.
  • Minimal footprint: install only what is essential, limit ports and privileges.
  • Patching, monitoring and encryption sustain security over time.
  • Automate with GPOs and tools to maintain your security posture.

If you manage servers or user computers, you have probably asked yourself this question: how do I make Windows secure enough to sleep well? Hardening in Windows is not a single trick, but a set of decisions and adjustments to reduce the attack surface, limit access, and keep the system under control.

In enterprise environments, servers are the foundation of operations: they store data, provide services, and connect critical business components; that is why they are a prime target for any attacker. By hardening Windows with best practices and baselines, you minimize failures, limit risks, and prevent an incident at one point from spreading to the rest of the infrastructure.

What is hardening in Windows and why is it important?

Hardening consists of configuring, removing or disabling components of the operating system, services and applications in order to close potential entry points. Windows is versatile and compatible, yes, but the fact that it "works for almost everything" means that it ships with functionality you do not always need.

The more unnecessary features, ports or protocols you keep active, the larger your exposure. The goal of hardening is to reduce the attack surface, limit privileges and leave only what is essential, with up-to-date patches, active auditing and clear policies.

This approach is not exclusive to Windows; it applies to any modern system, because such systems are installed ready to handle many different scenarios. That is why it is advisable to close what you are not using. If you do not use it, someone else may try to use it for you.

Baselines and standards that set the course

For hardening in Windows, there are benchmarks such as CIS (Center for Internet Security) and the DoD STIG guides, in addition to the Microsoft Security Baselines. These references cover recommended configurations, policy values, and controls for different roles and versions of Windows.

Applying a baseline greatly speeds up the work: it reduces the gaps between the default configuration and best practices, avoiding the "holes" typical of rushed deployments. Even so, every environment is unique, and it is advisable to test changes before taking them to production.

Windows Hardening Step by Step

Preparation and physical security

Hardening in Windows begins before the system is installed. Keep a complete server inventory. Isolate new machines from network traffic until they are hardened, protect the BIOS/UEFI with a password, disable booting from external media, and prevent autologon on recovery consoles.

If you use your own hardware, place the equipment in locations with physical access control. Proper temperature and monitoring are essential. Limiting physical access is as important as limiting logical access, because opening the chassis or booting from USB can compromise everything.

Accounts, credentials and password policy

Start by eliminating the obvious weaknesses: disable the Guest account and, where possible, disable or rename the local Administrator. Create an administrative account with a non-trivial name (see "How to create a local account in Windows 11 offline") and use unprivileged accounts for daily tasks, elevating privileges through "Run as" only when needed.

Strengthen your password policy: enforce adequate complexity and length, periodic expiration, a history that prevents reuse, and account lockout after failed attempts. If you manage many machines, consider solutions such as LAPS to rotate credentials; the important thing is to avoid static, easy-to-guess credentials.

Review group memberships (Administrators, Remote Desktop Users, Backup Operators, etc.) and remove any that are unnecessary. The principle of least privilege is your best ally for limiting lateral movement.
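The account checks in this section can be collected into one read-only audit. This is an added example, not part of the original article; the numeric targets are assumptions to be replaced with the values from the baseline you follow, and the function name is illustrative.

```powershell
# Read-only audit; run from an elevated PowerShell session.
function Get-AccountHardeningFindings {
    param(
        [int]$MinLength  = 14,  # assumed target, take the real value from your baseline
        [int]$MinHistory = 24,  # assumed target
        [int]$MaxLockout = 5    # assumed ceiling for failed attempts before lockout
    )
    $findings = @()

    # Built-in accounts are matched by RID (-500 Administrator, -501 Guest),
    # so a renamed account is still recognized.
    foreach ($u in Get-LocalUser) {
        $rid = $u.SID.Value.Split('-')[-1]
        if ($rid -eq '501' -and $u.Enabled) { $findings += 'Guest account is enabled' }
        if ($rid -eq '500' -and $u.Enabled -and $u.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator is enabled under its default (English) name'
        }
    }

    # Export the effective policy; the key names in the file are not localized.
    $cfg = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $pol = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $pol[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    if ([int]$pol['MinimumPasswordLength'] -lt $MinLength) { $findings += "Minimum password length is below $MinLength" }
    if ($pol['PasswordComplexity'] -ne '1')               { $findings += 'Password complexity is not enforced' }
    if ([int]$pol['PasswordHistorySize'] -lt $MinHistory)  { $findings += "Password history is below $MinHistory" }
    if ([int]$pol['MaximumPasswordAge'] -le 0)             { $findings += 'Passwords never expire' }
    $lock = [int]$pol['LockoutBadCount']
    if ($lock -eq 0 -or $lock -gt $MaxLockout)             { $findings += 'Account lockout is off or too lenient' }

    # Well-known SIDs avoid localized group names.
    $groups = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-555' = 'Remote Desktop Users'
                 'S-1-5-32-551' = 'Backup Operators' }
    foreach ($sid in $groups.Keys) {
        foreach ($m in Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue) {
            $findings += "Review membership: $($m.Name) in $($groups[$sid])"
        }
    }
    $findings
}
```

Every member of the three groups is listed on purpose: the output is a review list, and an expected administrator appearing in it is not a defect.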

Network, DNS and time synchronization (NTP)

A production server should have a static IP, sit in segments protected behind a firewall (and know how to block suspicious network connections from CMD when needed), and have two DNS servers defined for redundancy. Verify that the A and PTR records exist; remember that DNS propagation ... can take a while, and it is advisable to plan for it.

Configure NTP: a skew of just a few minutes breaks Kerberos and causes strange authentication failures. Define a trusted time source and synchronize the whole fleet against it. If you do not need them, disable legacy protocols such as NetBIOS over TCP/IP or LMHosts lookup to reduce noise and exposure.
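The network, DNS and time items above can be verified on a host with the following read-only check. It is an added example, not part of the original article, and the function name is illustrative.

```powershell
function Get-NetworkHardeningFindings {
    $findings = @()
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($n in $nics) {
        $nic = $n.Description
        if ($n.DHCPEnabled) { $findings += "${nic}: address is assigned by DHCP, not static" }
        $dns = @($n.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -lt 2) { $findings += "${nic}: fewer than two DNS servers defined" }
        # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled
        if ($n.TcpipNetbiosOptions -ne 2) {
            $findings += "${nic}: NetBIOS over TCP/IP is not explicitly disabled"
        }
        if ($n.WINSEnableLMHostsLookup) { $findings += "${nic}: LMHosts lookup is enabled" }
    }

    # Forward (A) and reverse (PTR) records for this host.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { $findings += "No A record found for $fqdn" }
    foreach ($rec in $a) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
        if (-not $ptr) { $findings += "No PTR record found for $($rec.IPAddress)" }
    }

    # Report the configured time source so it can be compared with the agreed one.
    $findings += 'Time source: ' + ((w32tm /query /source) -join ' ').Trim()
    $findings
}
```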

Roles, features and services: less is more

Install only the roles and features you need for the server's purpose (IIS, .NET in its required version, etc.). Every extra package is additional surface for vulnerabilities and configuration. Remove default or additional applications that will not be used (see "Winaero Tweaker: Useful and Safe Tweaks").

Review services: the necessary ones, automatic; those that depend on others, on Automatic (Delayed Start) or with well-defined dependencies; anything that adds no value, disabled. For application services, use dedicated service accounts with minimal permissions, not Local System if you can avoid it.
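One way to build the service review list described above. This is an added example, not part of the original article; the function name and the two review criteria are illustrative choices.

```powershell
function Get-ServiceReviewList {
    $winDir = [regex]::Escape($env:SystemRoot)
    foreach ($s in Get-CimInstance Win32_Service) {
        $reasons = @()
        # A non-Windows binary running as LocalSystem is a candidate for a
        # dedicated service account with minimal permissions.
        if ($s.StartName -eq 'LocalSystem' -and $s.PathName -notmatch "^`"?$winDir\\") {
            $reasons += 'third-party binary runs as LocalSystem'
        }
        # Automatic start but not running: either it is not needed (Manual or
        # Disabled fits better) or it is failing. Trigger-started services also
        # show up here and are usually fine.
        if ($s.StartMode -eq 'Auto' -and $s.State -ne 'Running' -and -not $s.DelayedAutoStart) {
            $reasons += 'set to Automatic but not running'
        }
        if ($reasons) {
            [pscustomobject]@{
                Name      = $s.Name
                StartMode = $s.StartMode
                Account   = $s.StartName
                Path      = $s.PathName
                Reasons   = $reasons -join '; '
            }
        }
    }
}
```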

Firewall and exposure reduction

The general rule: block by default and open only what is needed. If it is a web server, expose HTTP/HTTPS and that is it; administration (RDP, WinRM, SSH) should be done over a VPN and, where possible, restricted by IP address. Windows Firewall offers good control through profiles (Domain, Private, Public) and granular rules.

A dedicated perimeter firewall is always a plus, because it offloads the server and adds advanced options (inspection, IPS, segmentation). In any case, the approach is the same: fewer open ports, less exploitable attack surface.

Remote access and insecure protocols

Use RDP only if it is strictly necessary, with NLA, strong encryption, MFA where possible, and access restricted to specific groups and networks. Avoid telnet and FTP; if you need file transfers, use SFTP/SSH, and better still, over a VPN. PowerShell Remoting and SSH must be controlled: limit who can reach them and from where. As a secure alternative for remote control, learn how to enable and configure Chrome Remote Desktop on Windows.

If you do not need it, disable the Remote Registry service. Review and restrict NullSessionPipes and NullSessionShares to prevent anonymous access to resources. If IPv6 is not used in your environment, consider disabling it after assessing the impact.

Updates, patches and change control

Keep Windows up to date with security patches, tested in a controlled environment before moving to production. WSUS or SCCM are allies for managing the patch cycle. Do not forget third-party software, which is often the weak link: schedule updates and fix vulnerabilities quickly.

Drivers also play a role in hardening Windows: outdated drivers can cause crashes and vulnerabilities. Establish a regular driver update process, prioritizing stability and security over new features.

Logging, auditing and event monitoring

Configure security auditing and increase the log size so that logs do not roll over every two days. Centralize events in an enterprise collector or SIEM, because reviewing each server individually becomes unworkable as your environment grows. Continuous monitoring with performance baselines and alerting avoids "flying blind".
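To size a log so that it stops rolling over too early, measure how many days it currently covers and scale from there. This is an added example, not part of the original article; the 30-day target and the function name are assumptions.

```powershell
# Run elevated: reading the Security log requires it.
function Get-LogRetentionEstimate {
    param(
        [string]$LogName    = 'Security',
        [int]   $TargetDays = 30   # assumed retention goal, set it from your own policy
    )
    $cfg    = Get-WinEvent -ListLog $LogName
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1
    $days   = [math]::Max(($newest.TimeCreated - $oldest.TimeCreated).TotalDays, 0.01)

    # Only a log that has reached its limit shows its real retention; a log
    # below the limit simply has not wrapped yet.
    $wrapped     = $cfg.FileSize -ge 0.9 * $cfg.MaximumSizeInBytes
    $bytesPerDay = $cfg.FileSize / $days

    [pscustomobject]@{
        Log                = $LogName
        LogMode            = $cfg.LogMode   # Circular overwrites the oldest events
        MaxSizeMB          = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        DaysCovered        = [math]::Round($days, 1)
        HasWrapped         = $wrapped
        SuggestedMaxSizeMB = [math]::Ceiling($bytesPerDay * $TargetDays / 1MB)
    }
}
```

The suggested size can then be applied with `wevtutil sl Security /ms:<bytes>` or, at scale, through the event log settings in Group Policy.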

File Integrity Monitoring (FIM) technology and configuration change tracking help detect deviations from the baseline. Tools such as Netwrix Change Tracker make it easier to detect and explain what changed, who changed it and when, speeding up response and helping with compliance (NIST, PCI DSS, CMMC, STIG, NERC CIP).

Encryption of data at rest and in transit

For servers, BitLocker is already a baseline requirement on all drives holding sensitive data. If you need file-level granularity, use ... EFS. Between servers, IPsec allows traffic to be encrypted to preserve confidentiality and integrity, which is key on segmented networks or over less trusted paths. This is essential when discussing hardening in Windows.

Access control and critical policies

Apply the principle of least privilege to users and services. Avoid storing LAN Manager hashes and disable NTLMv1 except for legacy dependencies. Configure the allowed Kerberos encryption types and reduce file and printer sharing where it is not essential.

Consider blocking or restricting removable media (USB) to limit exfiltration or malware entry. Display a legal notice before logon ("Unauthorized use is prohibited"), require Ctrl+Alt+Del, and automatically terminate idle sessions. These are simple measures that raise the attacker's cost.
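Several settings named in this section and in the remote access section (LAN Manager hashes, NTLMv1, NullSessionPipes and NullSessionShares, NLA for RDP, Ctrl+Alt+Del, the logon notice, Remote Registry) live in well-known registry locations and can be compared against the hardened value in one pass. This is an added example, not part of the original article; the function name is illustrative and the check is read-only.

```powershell
function Test-RegistryHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $empty = { -not ($args[0] | Where-Object { $_ }) }   # unset or empty list

    # Domain controllers legitimately list some null-session pipes; treat a
    # non-empty value there as a review item, not an automatic failure.
    $checks = @(
        @{ Path = $lsa; Name = 'NoLMHash';             Ok = { $args[0] -eq 1 }; Want = '1 (LM hashes not stored)' }
        @{ Path = $lsa; Name = 'LmCompatibilityLevel'; Ok = { $args[0] -eq 5 }; Want = '5 (NTLMv2 only, LM and NTLMv1 refused)' }
        @{ Path = $srv; Name = 'NullSessionPipes';     Ok = $empty;             Want = 'empty' }
        @{ Path = $srv; Name = 'NullSessionShares';    Ok = $empty;             Want = 'empty' }
        @{ Path = $rdp; Name = 'UserAuthentication';   Ok = { $args[0] -eq 1 }; Want = '1 (NLA required for RDP)' }
        @{ Path = $pol; Name = 'DisableCAD';           Ok = { $args[0] -eq 0 }; Want = '0 (Ctrl+Alt+Del required)' }
        @{ Path = $pol; Name = 'legalnoticetext';      Ok = { [bool]$args[0] }; Want = 'non-empty logon notice' }
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = if ($null -eq $value) { '<not set>' } else { $value -join ',' }
            Wanted    = $c.Want
            Compliant = [bool](& $c.Ok $value)
        }
    }
    # Remote Registry is a service setting rather than a registry policy value.
    $rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting   = 'RemoteRegistry service'
        Current   = if ($rr) { "$($rr.StartType)" } else { '<not installed>' }
        Wanted    = 'Disabled'
        Compliant = (-not $rr) -or ($rr.StartType -eq 'Disabled')
    }
}
```

A value reported as `<not set>` means Windows is using its built-in default for that version, so an explicit policy value is what makes the result auditable.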

Tools and automation to gain traction

To apply baselines at scale, use GPOs and Microsoft's Security Baselines. The CIS guides, together with assessment tools, help measure the gap between your current state and the target. Where scale demands it, solutions such as CalCom Hardening Suite (CHS) help to learn the environment, predict impact, and apply policies centrally, maintaining hardening over time.

On client machines, there are free utilities that simplify "hardening" the essentials. Syshardener offers settings for services, the firewall and common software; Hardentools disables potentially exploitable features (macros, ActiveX, Windows Script Host, PowerShell/ISE via Explorer); and Hard_Configurator lets you work with SRP, whitelists by path or hash, SmartScreen on local files, blocking of untrusted sources, and autorun on USB/DVD.

Firewall and access: practical rules that work

Always enable the Windows firewall, configure all three profiles to block inbound traffic by default, and open only the ports critical to the service (with an IP scope where applicable). Remote administration is best done over a VPN and with restricted access. Review legacy rules and disable anything that is no longer needed.
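The rules above and in the earlier firewall section, expressed with the built-in NetSecurity cmdlets for the web server case. This is an added example, not part of the original article; the function names, rule names and the management address range are hypothetical.

```powershell
function Set-WebServerFirewallBaseline {
    param([string]$MgmtRange = '10.99.0.0/24')  # hypothetical VPN pool, replace with yours

    # Create the allow rules first so a remote session is not cut off when the
    # default action changes.
    New-NetFirewallRule -DisplayName 'Baseline: HTTP/HTTPS in' -Direction Inbound `
        -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Baseline: RDP from management range' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtRange -Action Allow -Profile Any | Out-Null

    # Firewall on, inbound blocked by default, on all three profiles.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}

# Review step: enabled inbound allow rules that accept traffic from any address.
function Get-BroadInboundRules {
    Get-NetFirewallRule |
      Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
      ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule = $_.DisplayName; Profile = $_.Profile
                Protocol = $port.Protocol; LocalPort = $port.LocalPort -join ','
            }
        }
    }
}
```

Built-in rules that still allow RDP or WinRM from any address will appear in the output of `Get-BroadInboundRules`; those are the ones to scope or disable.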

Do not forget that hardening in Windows is not a static snapshot: it is an ongoing process. Document your baseline, monitor deviations, review changes after every patch, and adapt the measures to how the machines are actually used. A bit of technical discipline, a touch of automation, and a clear-eyed risk assessment make Windows a much harder system to break without sacrificing its versatility.
