- Izisekelo (CIS, STIG kanye ne-Microsoft) ziqondisa ukuqina okungaguquki nokulinganisekayo.
- Isikhala esincane: faka kuphela okubalulekile, khawulela izimbobo namalungelo.
- Ukupeyisha, ukuqapha, kanye nokubethela kugcina ukuphepha ngokuhamba kwesikhathi.
- Yenza ngokuzenzakalela ngama-GPO namathuluzi ukuze ugcine ukuma kwakho kokuphepha.
Uma uphatha amaseva noma amakhompuyutha abasebenzisi, mhlawumbe uke wazibuza lo mbuzo: ngiyenza kanjani i-Windows ivikeleke ngokwanele ukuze ilale kahle? ukuqina ku-Windows Akulona iqhinga eliphuma kanye, kodwa isethi yezinqumo nokulungiswa ukuze kuncishiswe indawo yokuhlasela, kukhawulelwe ukufinyelela, nokugcina isistimu ilawulwa.
Esimeni sebhizinisi, amaseva ayisisekelo sokusebenza: agcina idatha, ahlinzeka ngamasevisi, futhi axhume izingxenye zebhizinisi ezibalulekile; yingakho beyizisulu eziphokophelwe kakhulu kunoma yimuphi umhlaseli. Ngokuqinisa iWindows ngemikhuba emihle nezisekelo, Unciphisa ukwehluleka, ukhawulela ubungozi futhi uvimbela isigameko ngesinye isikhathi ukuthi sikhuphuke siye kuyo yonke ingqalasizinda.
Yini ukuqina kuWindows futhi kungani kuyisihluthulelo?
Ukuqinisa noma ukuqinisa kuhlanganisa lungisa, khipha noma khawula izingxenye yesistimu yokusebenza, amasevisi, nezinhlelo zokusebenza zokuvala izindawo zokungena ezingaba khona. IWindows inemisebenzi eminingi futhi iyahambisana, yebo, kodwa leyo ndlela "isebenzela cishe yonke into" isho ukuthi iza nokusebenza okuvulekile ongakudingi ngaso sonke isikhathi.
Uma imisebenzi engadingeki kakhulu, izimbobo, noma izivumelwano ozigcina zisebenza, kuba sengozini enkulu. Umgomo wokuqina uwukuthi ukunciphisa indawo yokuhlaselaKhawulela amalungelo futhi ushiye kuphela lokho okubalulekile, okunamapheshana akamuva, ukuhlola okusebenzayo, nezinqubomgomo ezicacile.
Le ndlela ayifani neWindows kuphela; isebenza kunoma iyiphi isistimu yesimanje: ifakiwe isilungele ukuphatha izinkulungwane zezimo ezihlukene. Kungakho kuhle Vala ongakusebenzisi.Ngoba uma ungayisebenzisi, omunye umuntu angase azame ukuyisebenzisela yona.
Izisekelo namazinga ashadi isifundo
Ukuze kuqiniswe ku-Windows, kukhona ama-benchmarks anjengokuthi I-CIS (Isikhungo Sokuphepha Kwe-inthanethi) kanye nemihlahlandlela ye-DoD STIG, ngaphezu kwe I-Microsoft Security Baselines (Izisekelo Zokuphepha zeMicrosoft). Lezi zithenjwa zimboza ukucushwa okunconyiwe, amanani enqubomgomo, nezilawuli zezindima ezihlukene nezinguqulo ze-Windows.
Ukusebenzisa isisekelo kusheshisa kakhulu iphrojekthi: kunciphisa izikhala phakathi kokucushwa okuzenzakalelayo nezinqubo ezingcono kakhulu, kugwema "izikhala" ezijwayelekile zokuphakelwa okusheshayo. Noma kunjalo, yonke indawo ihlukile futhi kuyancomeka ukuba hlola izinguquko ngaphambi kokuwayisa ekukhiqizeni.
I-Windows Hardening Isinyathelo Ngesinyathelo
Ukulungiselela nokuvikeleka ngokomzimba
Ukuqina ku-Windows kuqala ngaphambi kokuthi uhlelo lufakwe. Gcina a qedela uhlu lwesevaHlukanisa ezintsha kuthrafikhi zize zibe lukhuni, vikela i-BIOS/UEFI ngephasiwedi, khubaza qalisa kumidiya yangaphandle futhi ivimbela i-autologon kuma-consoles wokutakula.
Uma usebenzisa i-hardware yakho, beka okokusebenza ezindaweni nge ukulawula ukufinyelela ngokomzimbaIzinga lokushisa elifanele nokuqapha kubalulekile. Ukukhawulela ukufinyelela okubonakalayo kubaluleke njengokufinyelela okunengqondo, ngoba ukuvula i-chassis noma ukubhutha nge-USB kungafaka engozini yonke into.
Ama-akhawunti, imininingwane, nenqubomgomo yephasiwedi
Qala ngokususa ubuthakathaka obusobala: khubaza i-akhawunti yesivakashi futhi, lapho kungenzeka, ikhubaza noma iqamba kabusha uMlawuli wendawoDala i-akhawunti yokuphatha enegama elingelona elincane (umbuzo Ungayakha kanjani i-akhawunti yendawo ku-Windows 11 ungaxhunyiwe ku-inthanethi) futhi isebenzisa ama-akhawunti angafaneleki emisebenzini yansuku zonke, ephakamisa amalungelo ngokuthi "Run as" kuphela lapho kudingekile.
Qinisa umgomo wakho wephasiwedi: qinisekisa ubunkimbinkimbi nobude obufanele. ukuphelelwa yisikhathi ngezikhathi ezithileUmlando wokuvimbela ukusetshenziswa kabusha kanye nokuvalwa kwe-akhawunti ngemva kwemizamo ehlulekile. Uma uphatha amaqembu amaningi, cabanga ngezixazululo ezifana ne-LAPS ukuze uzungezise imininingwane yasendaweni; into ebalulekile gwema imininingwane emile futhi kulula ukuqagela.
Buyekeza ubulungu beqembu (Abalawuli, Abasebenzisi Bedeskithophu Ekude, Izisebenzisi Eziyisipele, njll.) futhi ususe noma yiziphi ezingadingeki. Umgomo we ilungelo elincane Ingumngane wakho ongcono kakhulu wokukhawulela ukunyakaza kwe-lateral.
Inethiwekhi, i-DNS nokuvumelanisa isikhathi (NTP)
Iseva yokukhiqiza kufanele ibe nayo I-Static IP, ibekwe kumasegimenti avikelwe ngemuva kwe-firewall (futhi wazi Ungakuvimba kanjani ukuxhumeka kwenethiwekhi okusolisayo ku-CMD (uma kudingeka), futhi ube namaseva amabili e-DNS achazwe ngokuphinda asetshenziswe. Qinisekisa ukuthi amarekhodi A kanye ne-PTR akhona; khumbula ukuthi ukusakazwa kwe-DNS ... kungase kuthathe Futhi kuhle ukuhlela.
Lungiselela i-NTP: ukuchezuka kwemizuzu nje kwephula i-Kerberos futhi kubangele ukwehluleka okungavamile kokuqinisekisa. Chaza isibali sikhathi esithenjwayo futhi usivumelanise. yonke imikhumbi ngokumelene nayo. Uma ungadingi, khubaza izivumelwano zefa njenge-NetBIOS phezu kwe-TCP/IP noma ukubheka kwe-LMHosts nciphisa umsindo kanye nombukiso.
Izindima, izici namasevisi: okuncane kuningi
Faka kuphela izindima nezici ozidingayo ngenjongo yeseva (IIS, .NET kunguqulo yayo edingekayo, njll.). Iphakethe ngalinye elengeziwe indawo eyengeziwe ngobungozi kanye nokucushwa. Khipha okuzenzakalelayo noma izinhlelo zokusebenza ezengeziwe ezingeke zisetshenziswe (bona I-Winaero Tweaker: Ukulungiswa Okuwusizo Nokuphephile).
Buyekeza izinsizakalo: ezidingekayo, ngokuzenzakalelayo; labo abancike kwabanye, ku Okuzenzakalelayo (ukuqala ukubambezelekile) noma ngokuncika okuchazwe kahle; noma yini enganezeli inani, ivaliwe. Futhi ngezinsizakalo zohlelo lokusebenza, sebenzisa ama-akhawunti wesevisi ethile ngezimvume ezincane, hhayi Uhlelo Lwendawo uma ungalugwema.
I-firewall kanye nokunciphisa ukuchayeka
Umthetho ojwayelekile: vimba ngokuzenzakalelayo futhi uvule kuphela okudingekayo. Uma kuyiseva yewebhu, veza I-HTTP / HTTPS Futhi yilokho; Ukuphatha (RDP, WinRM, SSH) kufanele kwenziwe nge-VPN futhi, uma kungenzeka, kukhawulelwe ikheli le-IP. I-Windows Firewall inikeza ukulawula okuhle ngokusebenzisa amaphrofayili (Isizinda, Esiyimfihlo, Esesidlangalaleni) kanye nemithetho yegranular.
I-firewall ye-perimeter ezinikele ihlale ihlanganisa, ngoba ikhipha iseva futhi iyengeze izinketho eziphambili (ukuhlola, i-IPS, ukuhlukaniswa). Kunoma yikuphi, indlela iyafana: izimbobo ezimbalwa ezivulekile, indawo yokuhlasela engasetshenziswa kancane.
Ukufinyelela kude namaphrothokholi angavikelekile
I-RDP kuphela uma kunesidingo, nge I-NLA, ukubethela okuphezuluI-MFA uma kungenzeka, futhi ikhawulele ukufinyelela kumaqembu athile namanethiwekhi. Gwema i-telnet ne-FTP; uma udinga ukudluliswa, sebenzisa i-SFTP/SSH, futhi okungcono nakakhulu, kusuka ku-VPNI-PowerShell Remoting kanye ne-SSH kumele ilawulwe: khawula ukuthi ubani ongafinyelela kuzo futhi esuka kuphi. Njengenye indlela evikelekile yesilawuli kude, funda ukwenza Yenza kusebenze futhi ulungiselele Ideskithophu yesilawuli kude se-Chrome ku-Windows.
Uma ungayidingi, khubaza isevisi Yokubhalisa Isilawuli kude. Buyekeza futhi uvimbele I-NullSessionPipes y I-NullSessionShares ukuvimbela ukufinyelela ngokungaziwa ezinsizeni. Futhi uma i-IPv6 ingasetshenziswa esimweni sakho, cabanga ukuyikhubaza ngemva kokuhlola umthelela.
Ukupheshela, izibuyekezo, nokulawula ukushintsha
Gcina iWindows isesikhathini samanje nge amabala okuphepha Ukuhlolwa kwansuku zonke endaweni elawulwayo ngaphambi kokuthuthela ekukhiqizeni. I-WSUS noma i-SCCM ingabangane bokuphatha umjikelezo wokuchibiyela. Ungakhohlwa isofthiwe yenkampani yangaphandle, ngokuvamile okuyisixhumanisi esibuthakathaka: ukubuyekezwa kweshejuli nokulungisa ubungozi ngokushesha.
I-Los abashayeli Abashayeli baphinde babambe iqhaza ekwenzeni iWindows ibe lukhuni: izishayeli zedivayisi eziphelelwe yisikhathi zingabangela ukuphahlazeka nokuba sengozini. Misa inqubo evamile yokubuyekeza umshayeli, ubeke phambili ukuzinza nokuphepha ngaphezu kwezici ezintsha.
Ukungena komcimbi, ukucwaningwa kwamabhuku, nokuqapha
Lungiselela ukuhlolwa kokuphepha futhi ukhuphule usayizi welogi ukuze zingaphenduki njalo ezinsukwini ezimbili. Faka phakathi imicimbi kusibukeli senkampani noma i-SIEM, ngoba ukubuyekeza iseva ngayinye ngakunye akusebenzi njengoba isistimu yakho ikhula. ukuqapha okuqhubekayo Ngezisekelo zokusebenza kanye nemikhawulo yesexwayiso, gwema "ukudubula ngokungaboni".
Ubuchwepheshe be-File Integrity Monitoring (FIM) nosizo lokulandelela ushintsho lokucushwa luthola ukuchezuka kwesisekelo. Amathuluzi afana I-Netwrix Change Tracker Benza kube lula ukuthola nokuchaza ukuthi yini eshintshile, ubani futhi nini, ukusheshisa impendulo nokusiza ngokuhambisana (NIST, PCI DSS, CMMC, STIG, NERC CIP).
Ukubethelwa kwedatha lapho uphumule futhi usendleleni
Okwamaseva, Idrayivu Yobhalomfihlo i Isivele iyisidingo esiyisisekelo kuwo wonke amadrayivu anedatha ebucayi. Uma udinga imbudumbudu yeleveli yefayela, sebenzisa... I-EFSPhakathi kwamaseva, i-IPsec ivumela ithrafikhi ukuthi ibethelwe ukuze kugcinwe ubumfihlo nobuqotho, okuthile okubalulekile amanethiwekhi ahlukene noma ngezinyathelo ezinokwethenjelwa kancane. Lokhu kubalulekile lapho uxoxa ngokuqina ku-Windows.
Ukuphathwa kokufinyelela nezinqubomgomo ezibalulekile
Sebenzisa umgomo wokuba nelungelo elincane kubasebenzisi namasevisi. Gwema ukugcina ama-hashes we Umphathi we-LAN futhi ukhubaze i-NTLMv1 ngaphandle kokuncika kwefa. Lungiselela izinhlobo zokubethela ze-Kerberos ezivunyelwe futhi unciphise ukwabelana kwefayela nephrinta lapho kungabalulekile khona.
UValora Khawulela noma vimba imidiya ekhiphekayo (i-USB) ukukhawulela ukukhishwa noma ukungena kuhlelo olungayilungele ikhompuyutha. Ibonisa isaziso somthetho ngaphambi kokungena ngemvume (“Ukusetshenziswa okungagunyaziwe kunqatshelwe”), futhi idinga Ctrl + Del + Alt futhi inqamula ngokuzenzakalela izikhathi ezingasebenzi. Lezi yizinyathelo ezilula ezikhulisa ukumelana nomhlaseli.
Amathuluzi ne-automation ukuze uthole ukudonsa
Ukuze usebenzise izisekelo ngobuningi, sebenzisa I-GPO kanye Nezisekelo Zokuphepha ze-Microsoft. Imihlahlandlela ye-CIS, kanye namathuluzi okuhlola, isiza ukukala igebe phakathi kwesimo sakho samanje nalokho okuhlosiwe. Lapho isikali sidinga khona, izixazululo ezifana I-CalCom Hardening Suite (CHS) Zisiza ukufunda ngendawo ezungezile, zibikezele imithelela, futhi zisebenzise izinqubomgomo phakathi nendawo, zigcine ukuqina ngokuhamba kwesikhathi.
Kuzinhlelo zamaklayenti, kunezinsiza zamahhala ezenza kube lula "ukuqina" okubalulekile. I-Syshardener Inikeza izilungiselelo kumasevisi, i-firewall kanye nesofthiwe evamile; I-Hardentools ikhubaza imisebenzi engase isebenziseke (ama-macros, ActiveX, Windows Script Host, PowerShell/ISE isiphequluli ngasinye); futhi I-Hard_Configurator Ikuvumela ukuthi udlale nge-SRP, uhlu olumhlophe ngendlela noma nge-hashi, i-SmartScreen kumafayela endawo, ukuvinjwa kwemithombo engathenjwa kanye nokusebenzisa okuzenzakalelayo ku-USB/DVD.
I-Firewall nokufinyelela: imithetho esebenzayo esebenzayo
Njalo yenza i-firewall ye-Windows isebenze, lungiselela wonke amaphrofayili amathathu ngokuvinjwa okungenayo ngokuzenzakalelayo, futhi uvule amachweba abalulekile kuphela kusevisi (ene-IP scope uma ikhona). Ukuphatha okukude kwenziwa kangcono kakhulu nge-VPN kanye nokufinyelela okunomkhawulo. Buyekeza imithetho yefa futhi ukhubaze noma yini engasadingeki.
Ungakhohlwa ukuthi ukuqina ku-Windows akusona isithombe esimile: kuyinqubo eguquguqukayo. Bhala isisekelo sakho. iqapha ukuchezukaBuyekeza izinguquko ngemva kwesichibi ngasinye futhi uvumelanise izinyathelo nomsebenzi wangempela wemishini. Isiyalo esincane sobuchwepheshe, ukuthinta kokuzenzakalela, nokuhlola ubungozi obucacile kwenza iWindows kube uhlelo olunzima kakhulu ukuliphula ngaphandle kokudela ukusebenza kwayo ngezindlela eziningi.
Umhleli okhethekile kwezobuchwepheshe kanye nezindaba ze-inthanethi onolwazi olungaphezu kweminyaka eyishumi kumidiya ehlukene yedijithali. Ngisebenze njengomhleli kanye nomdali wokuqukethwe kwe-e-commerce, ukuxhumana, ukumaketha ku-inthanethi kanye nezinkampani zokukhangisa. Ngike ngabhala kumawebhusayithi ezomnotho, ezezimali neminye imikhakha. Umsebenzi wami nawo uwuthando lwami. Manje, ngokusebenzisa izihloko zami ku Tecnobits, ngizama ukuhlola zonke izindaba namathuba amasha izwe lobuchwepheshe elisinikeza lona nsuku zonke ukuze sithuthukise izimpilo zethu.