- Iyo yekutanga (CIS, STIG neMicrosoft) inotungamira kuenderana uye kuyerwa kuomarara.
- Nzvimbo shoma: isa chete izvo zvakakosha, dzikamisa zviteshi uye neropafadzo.
- Patching, kutarisa, uye encryption inochengetedza kuchengetedza nekufamba kwenguva.
- Gadzirisa neGPOs uye maturusi ekuchengetedza chengetedzo yako.
Kana iwe ukabata maseva kana makombiyuta emushandisi, ungangodaro wakazvibvunza mubvunzo uyu: unoita sei kuti Windows ive yakachengeteka zvakakwana kuti irare zvine mutsindo? kuomesa muWindows Haisi yekunyepedzera kunyengedza, asi seti yezvisarudzo uye zvigadziriso kudzikisa nzvimbo yekurwisa, kudzikisira kupinda, uye kuchengetedza sisitimu iri pasi pekutonga.
Munharaunda yemakambani, maseva ndiwo hwaro hwekushanda: anochengeta data, anopa masevhisi, uye anobatanidza zvakakosha zvebhizinesi; ndosaka vari ivo vanonyanya kunangwa kune chero anorwisa. Nekusimbisa Windows nemaitiro akanakisa uye nheyo, Iwe unoderedza kukundikana, unoderedza njodzi uye iwe unodzivirira chiitiko pane imwe nguva kubva pakukwira kune mamwe ese ezvivakwa.
Chii chiri kuomesa muWindows uye nei chiri kiyi?
Kuomesa kana kusimbisa kunosanganisira gadzirisa, bvisa kana kurambidza zvikamu ye sisitimu yekushandisa, masevhisi, uye maapplication ekuvhara anogona kupinda mapoinzi. Windows inoshanda zvakasiyana-siyana uye inoenderana, hongu, asi iyo "inoshanda kunenge zvese" nzira inoreva kuti inouya neyakavhurika mashandiro ausingade nguva dzose.
Izvo zvakanyanya zvisina basa mabasa, zviteshi, kana maprotocol aunoramba achishanda, ndiko kukura kwekusagadzikana kwako. Chinangwa chekuomesa ndechekuti kuderedza nzvimbo yekurwisaDeredza maropafadzo uye siya chete izvo zvakakosha, zvine zvigamba zvemazuva ano, ongororo inoshanda, uye marongero akajeka.
Iyi nzira haina kungofanana neWindows; inoshanda kune chero yazvino system: yakaiswa yakagadzirira kubata zviuru zvakasiyana siyana. Ndosaka zvichikurudzirwa Vhara zvausiri kushandisa.Nekuti kana ukasaishandisa, mumwe munhu angaedza kuishandisa iwe.
Baselines uye zviyero zvinoronga kosi
Zvekuomesera muWindows, kune mabhenji akadai CIS (Center for Internet Security) uye DoD STIG nhungamiro, kuwedzera kune Microsoft Security Baselines (Microsoft Security Baselines). Aya mareferensi anovhara masisitimu anokurudzirwa, tsika dzemitemo, uye zvidzoreso zvemabasa akasiyana uye shanduro dzeWindows.
Kushandisa baseline kunomhanyisa zvakanyanya purojekiti: inoderedza mikaha pakati peiyo default gadziriso uye akanakisa maitiro, kudzivirira "magapu" akajairika ekukurumidza kutumirwa. Kunyange zvakadaro, nharaunda yese yakasiyana uye zvinokurudzirwa kuti udaro edzai shanduko vasati vaatora mukugadzira.
Windows Kuomesa Nhanho Nenhanho
Kugadzirira uye kuchengetedzwa kwemuviri
Kuomesa muWindows kunotanga system isati yaiswa. Chengeta a yakazara server inventoryKuzviparadzanisa mitsva kubva mumigwagwa kusvikira yaomeswa, chengetedza BIOS/UEFI nepassword, dzima boot kubva kunze media uye inodzivirira autologon pane yekudzoreredza consoles.
Kana iwe ukashandisa yako hardware, isa midziyo munzvimbo ine kudzora kuwana kwemuviriTembiricha yakakodzera uye kuongorora zvakakosha. Kudzikamisa kupinda kwemuviri kwakakosha sekuwana zvine musoro, nekuti kuvhura chassis kana kubhowa kubva ku USB kunogona kukanganisa zvese.
Maakaundi, zvitupa, uye password policy
Tanga nekubvisa kushaya simba kuri pachena: dzima account yevaenzi uye, pazvinogoneka, inodzima kana kutumidza zita reMutongi wenzvimboGadzira account account ine zita risiri diki (mubvunzo Maitiro ekugadzira account yemuno mukati Windows 11 offline) uye inoshandisa maakaundi asina kurongeka pamabasa ezuva nezuva, kukwidziridza maropafadzo kuburikidza ne "Mhanya se" chete kana zvichidikanwa.
Simbisa mutemo wako wepassword: simbisa kuomarara kwakakodzera uye kureba. periodic kuperaNhoroondo kudzivirira kushandiswa zvakare uye kuvhara account mushure mekutadza kuedza. Kana iwe uchigona zvikwata zvakawanda, funga mhinduro senge LAPS kutenderedza zvitupa zvemuno; chakakosha ndechekuti dzivisa static magwaro uye nyore kufungidzira.
Ongorora nhengo dzeboka (Administrators, Remote Desktop Users, Backup Operators, nezvimwewo) uye bvisa chero zvisingakoshi. Nheyo ye ropafadzo shoma Ndiyo shamwari yako yepamusoro yekudzikamisa lateral mafambiro.
Network, DNS uye nguva kuwiriranisa (NTP)
Sevha yekugadzira inofanirwa kuve nayo Static IP, kuve muzvikamu zvakachengetedzwa kuseri kwe firewall (uye ziva Maitiro ekuvharisa zvinofungidzirwa network kubatana kubva kuCMD (kana zvichidikanwa), uye iva nemaseva maviri eDNS anotsanangurwa kuti aite basa. Tarisa kuti A uye PTR zvinyorwa zviripo; rangarira kuti DNS kuparadzira ... zvinogona kutora Uye zvinokurudzirwa kuronga.
Gadzirisa NTP: kutsauka kwemaminetsi mashoma kunotyora Kerberos uye kunokonzeresa kutadza kwechokwadi kusingawanzo. Tsanangura nguva yakavimbika uye iwiriranise. ngarava yose pamusoro pazvo. Kana iwe usingade, dzima mapuroteni enhaka seNetBIOS pamusoro peTCP/IP kana LMHosts kutsvaga. kuderedza ruzha uye kuratidzwa.
Mabasa, maficha uye masevhisi: zvishoma zvakanyanya
Isa chete mabasa uye maitiro aunoda kune chinangwa chevhavha (IIS, .NET mushanduro yayo inodiwa, nezvimwewo). Imwe neimwe pasuru yekuwedzera ndeye kuwedzera pamusoro nokuda kwekusagadzikana uye kugadzirisa. Uninstall default kana mamwe maapplication asingazoshandiswe (ona Winaero Tweaker: Inobatsira uye Yakachengeteka Kugadziriswa).
Ongorora masevhisi: iwo anodiwa, otomatiki; avo vanotsamira pane vamwe, mukati Otomatiki (kunonoka kutanga) kana kuti nezvinonyatsotsanangurwa zvinotsamira; chero chinhu chisingawedzeri kukosha, chakaremara. Uye kune masevhisi ekushandisa, shandisa maakaundi ebasa chaiwo nemvumo shoma, kwete Yemunharaunda System kana uchikwanisa kuidzivirira.
Firewall uye exposure kuderedza
Mutemo wakajairika: vhara nekukasira uye vhura chete izvo zvinodiwa. Kana iri webhu server, buritsa pachena HTTP / HTTPS Uye ndizvozvo; manejimendi (RDP, WinRM, SSH) inofanira kuitwa pamusoro peVPN uye, kana zvichibvira, inodziviswa neIP kero. Iyo Windows firewall inopa kutonga kwakanaka kuburikidza nemaprofile (Domain, Private, Public) uye granular mitemo.
Iyo yakatsaurirwa perimeter firewall inogara ichiwedzera, nekuti inoburitsa sevha uye inowedzera advanced options (kuongorora, IPS, segmentation). Chero zvazvingaitika, nzira yacho yakafanana: madoko mashoma akavhurika, asingagone kushandiswa kurwisa nzvimbo.
Remote yekuwana uye kusachengeteka maprotocol
RDP chete kana zvichidikanwa, ne NLA, yakakwira encryptionMFA kana zvichibvira, uye kurambidza kupinda kune chaiwo mapoka uye network. Dzivisa telnet uye FTP; kana uchida kutamiswa, shandisa SFTP/SSH, uye kunyange zvirinani, kubva kuVPNPowerShell Remoting uye SSH inofanirwa kudzorwa: muganhu ndiani anogona kuzviwana uye kubva kupi. Seimwe nzira yakachengeteka yeremote control, dzidza maitiro Shandisa uye gadzirisa Chrome Remote Desktop paWindows.
Kana usiri kuida, dzima iyo Remote Registration sevhisi. Ongorora uye vhara NullSessionPipes y NullSessionShares kudzivirira kusazivikanwa kwekuwana zviwanikwa. Uye kana IPv6 isingashandiswe mune yako, funga kuidzima mushure mekuongorora maitiro.
Patching, inogadziridza, uye shanduko yekutonga
Chengetedza Windows inoenderana ne zvigamba zvekuchengetedza Kuyedzwa kwezuva nezuva munzvimbo inodzorwa usati watamira kune kugadzirwa. WSUS kana SCCM vanobatana pakubata chigamba kutenderera. Usakanganwa yechitatu-bato software, iyo inowanzova isina simba chinongedzo: hurongwa hwekuvandudza uye kugadzirisa kusasimba nekukurumidza.
ari vatyairi Vatyairi vanoitawo basa mukuomesa Windows: madhiraivha echinyakare anogona kukonzera kubondera uye kusagadzikana. Gadzira yenguva dzose yekuvandudza mutyairi maitiro, kuisa pamberi kugadzikana uye kuchengetedzeka pamusoro pezvinhu zvitsva.
Chiitiko kutema, kuongorora, uye kuongorora
Gadzirisa chengetedzo yekuongorora uye wedzera saizi yelogi kuti irege kutenderera mazuva maviri ega ega. Isa pakati zviitiko mumubatanidzwa wekuona kana SIEM, nekuti kudzokorora sevha yega yega hazvigoneke sezvo system yako inokura. kuenderera mberi kwekutarisa Nematanho ekutanga ekuita uye zvikumbaridzo zveyambiro, dzivirira "kupfura usingaone".
Faira Integrity Monitoring (FIM) matekinoroji uye gadziriso shanduko yekutevera inobatsira kuona kutsauka kwekutanga. Zvishandiso zvakadai Netwrix Shandura Tracker Vanoita kuti zvive nyore kuona uye kutsanangura zvakachinja, ndiani uye rini, kukurumidza kupindura uye kubatsira nekuteerera (NIST, PCI DSS, CMMC, STIG, NERC CIP).
Data encryption pakuzorora uye pakufamba
Kune maseva, Bitlocker Chatove chinhu chakakosha pane ese madhiraivha ane sensitive data. Kana iwe uchida faira-level granularity, shandisa... EFSPakati pemaseva, IPsec inobvumira traffic kuti ivharwe kuchengetedza kuvanzika uye kuvimbika, chimwe chinhu chakakosha mu segmented network kana nematanho asina kuvimbika. Izvi zvakakosha pakukurukura kuomesa muWindows.
Kuwanikwa manejimendi nemitemo yakakosha
Shandisa musimboti werunako rudiki kune vashandisi nemasevhisi. Dzivisa kuchengeta maheshi e LAN maneja uye dzima NTLMv1 kunze kwekutsamira kwenhaka. Rongedza anotenderwa maKerberos encryption marudzi uye kuderedza faira neprinta kugovera pazvisina kukosha.
Kukosha Dzinga kana kuvharisa midhiya inobviswa (USB) kudzikamisa malware exfiltration kana kupinda. Inoratidza chiziviso chepamutemo usati wapinda ("Kushandiswa kusina mvumo kunorambidzwa"), uye inoda Ctrl + Alt + Del uye inodzima otomatiki masesheni asingashande. Aya ndiwo matanho akareruka anowedzera kurwisa kweanorwisa.
Zvishandiso uye otomatiki kuti uwane traction
Kuti uise baselines muhuwandu, shandisa GPO uye Microsoft's Security Baselines. Mazano eCIS, pamwe chete nematurusi ekuongorora, anobatsira kuyera musiyano uripo pakati pemamiriro ako azvino uye chinangwa. Apo chiyero chinoda, mhinduro dzakadai se CalCom Hardening Suite (CHS) Ivo vanobatsira kudzidza nezve nharaunda, kufanotaura zvinokanganisa, uye kushandisa marongero pakati, kuchengetedza kuoma nekufamba kwenguva.
Pane macustomer masisitimu, kune zvemahara zvinoshandiswa zvinorerutsa "kuomesa" zvakakosha. Syshardener Inopa zvigadziriso pamasevhisi, firewall uye yakajairika software; Hardentools inodzima mabasa anogona kushandiswa (macros, ActiveX, Windows Script Host, PowerShell/ISE per browser); uye Zvakaoma_Configurator Iyo inokutendera kuti utambe neSRP, whitelists nenzira kana hashi, SmartScreen pamafaira emuno, kuvharira kweasina kuvimbika masosi uye otomatiki kuuraya pa USB/DVD.
Firewall uye kuwana: mitemo inoshanda inoshanda
Gara uchimisikidza Windows firewall, gadzirisa ese maprofiles matatu ane anouya anouya anovharira nekusarudzika, uye vhura. zviteshi zvakakosha chete kushumiro (ine IP scope kana iripo). Remote manejimendi inoitwa zvakanyanya kuburikidza neVPN uye ine inorambidzwa kupinda. Ongorora mitemo yenhaka uye wodzima chero chinhu chisisadiwe.
Usakanganwe kuti kuomesa muWindows hausi mufananidzo wakamira: inzira ine simba. Nyora nheyo yako. monitors kutsaukaOngorora shanduko mushure mechikamu chimwe nechimwe uye gadzirisa zviyero kune chaiyo basa remidziyo. Chidiki chehunyanzvi chirango, kubata otomatiki, uye yakajeka yekuongorora njodzi inoita kuti Windows ive yakanyanya kuomarara sisitimu yekupwanya pasina kupira kuita kwayo kwakasiyana.
Mharidzo inyanzvi mune tekinoroji uye internet nyaya ine anopfuura makore gumi echiitiko mune akasiyana dhijitari media. Ndakashanda semupepeti uye mugadziri wezvemukati we e-commerce, kutaurirana, online kushambadzira uye kushambadzira makambani. Ndanyorawo pane zvehupfumi, mari uye mamwe masekete mawebhusaiti. Basa rangu ndirowo shungu dzangu. Zvino, kuburikidza nezvinyorwa zvangu mu Tecnobits, Ndinoedza kuongorora nhau dzose nemikana mitsva iyo nyika yetekinoroji inotipa zuva rega rega kuvandudza hupenyu hwedu.