
Security Guidelines for Enterprise Windows Server Deployment

Since April, many enterprises and government agencies in Taiwan have been hit by intrusions, ransomware in particular, which has severely damaged business information systems and disrupted operations. The systems involved are mainly core server groups and database servers, and Microsoft servers make up a large share of the affected hosts. When IT or security departments face an impact like this, they need more meticulous methods to reduce the risk of damage effectively. Drawing on my own accumulated practical experience, I am sharing a detailed set of security guidelines for building and operating Windows servers, so that IT departments have a safer design baseline when deploying or maintaining Windows Server and can keep their hosts running securely. With countermeasures prepared in advance for attacks and intrusions, insider damage and system failures, the cost of later troubleshooting or rebuilding is reduced.

 

Security Planning and Design

Security Item

Windows Server Configuration Security Guidelines

Accounts

  1. Each user gets a separate account; accounts are never shared
    (e.g. Local\Administrator is the system administrator, versus a dedicated system account created for a specific application such as CRM or ERP)
  2. Across hosts in a server group, shared users or projects still do not reuse the same account
  3. Review and maintain host accounts regularly
    Check under Start > Run > compmgmt.msc > Local Users and Groups > Users
  4. At least every six months, review host accounts and their purpose; delete or disable accounts that are no longer needed
  5. Delete or disable unused or expired accounts
    • net user <account> /del
    • net user <account> /active:no
  6. Client side
    • Do not keep the default Administrator name; rename it under System Tools > Local Users and Groups
    • Disable the Guest account
    • Do not display the last logged-on account
    • Require CTRL+ALT+DEL to log on
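The account items above can be reviewed and applied from one script. The following is an added example, not code from the original article. It assumes a 180-day inactivity threshold, a placeholder name for the renamed administrator, and `$ReviewOnly = $true`, which turns every change into a `-WhatIf` report until you set it to `$false`. Run it in an elevated PowerShell console on the server.

```powershell
# Added example (not from the original article). Reviews local accounts and applies the
# account items above. Run in an elevated PowerShell console on the server.
# Assumptions: 180-day inactivity threshold, the placeholder administrator name, and
# $ReviewOnly = $true so nothing changes until you flip it to $false.
$StaleDays    = 180
$NewAdminName = 'EXAMPLE-srvadmin'   # placeholder; choose your own non-obvious name
$ReviewOnly   = $true                # $true = report only (-WhatIf), $false = apply

# Items 3-4: inventory enabled local accounts (the compmgmt.msc review, scripted)
$cutoff   = (Get-Date).AddDays(-$StaleDays)
$accounts = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet,
    @{ Name = 'Stale'; Expression = { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } }
$accounts | Format-Table -AutoSize

# Item 5: disable (not delete) stale accounts; delete only once the half-yearly review
# confirms they are unused. Built-in accounts (RID 500/501) are handled separately below.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' } | Select-Object -ExpandProperty Name
foreach ($a in $accounts | Where-Object { $_.Stale -and $_.Name -notin $builtin }) {
    Disable-LocalUser -Name $a.Name -WhatIf:$ReviewOnly
}

# Item 6: rename the built-in Administrator (RID 500) and disable Guest (RID 501).
# Matching on the RID rather than the name works even if the account was renamed before.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($admin.Name -eq 'Administrator') { Rename-LocalUser -Name $admin.Name -NewName $NewAdminName -WhatIf:$ReviewOnly }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest.Enabled) { Disable-LocalUser -Name $guest.Name -WhatIf:$ReviewOnly }

# Item 6: do not show the last logged-on user; require CTRL+ALT+DEL at the logon screen
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sysPol -Name 'DontDisplayLastUserName' -Value 1 -Type DWord -WhatIf:$ReviewOnly
Set-ItemProperty -Path $sysPol -Name 'DisableCAD'              -Value 0 -Type DWord -WhatIf:$ReviewOnly  # 0 = CTRL+ALT+DEL required
```

Keep the first run in review mode and compare the "Stale" column against the account inventory from the six-monthly review before disabling anything; a service account that logs on non-interactively can show an empty `LastLogon` even though it is in use.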

Passwords

  1. Complex passwords of at least 8 characters
  2. Change passwords every 90 or 180 days
  3. After 5 wrong password attempts, lock the account for 30 minutes
  4. After 7 wrong attempts, lock the account
  5. A new password may not reuse any of the last five passwords
  6. Combine with OTP or multi-factor authentication where necessary
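The password and lockout items above map onto the built-in `net accounts` and `secedit` tools. The following is an added example, not code from the original article. Windows has a single lockout threshold, so the script applies the 5-failures / 30-minute rule; the 7-failure rule is left to separate monitoring. The verification labels assume English Windows output (on a Chinese installation the labels differ).

```powershell
# Added example (not from the original article): applies the password and lockout items
# above with built-in tools and reads the policy back. Complexity cannot be set with
# `net accounts`, so it is imported with secedit. Windows has a single lockout threshold,
# so the script uses the 5-failures / 30-minute values. Labels in the verification table
# are English-Windows output (assumption).

# Items 1, 2, 5: minimum length, maximum age, history depth
net accounts /minpwlen:8 /maxpwage:90 /uniquepw:5 | Out-Null
# Item 3: 5 failures lock the account for 30 minutes (observation window also 30 minutes)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Item 1: "Password must meet complexity requirements" via a security template
$inf = Join-Path $env:TEMP 'pwpolicy.inf'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'pwpolicy.sdb') /cfg $inf /areas SECURITYPOLICY | Out-Null

# Read back and compare. `net accounts` prints "Label:   value" lines.
$policy = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
}
$expected = [ordered]@{
    'Minimum password length'               = '8'
    'Maximum password age (days)'           = '90'
    'Length of password history maintained' = '5'
    'Lockout threshold'                     = '5'
    'Lockout duration (minutes)'            = '30'
}
foreach ($label in $expected.Keys) {
    $state = if ($policy[$label] -eq $expected[$label]) { 'OK' } else { 'MISMATCH' }
    '{0,-40} {1,-8} {2}' -f $label, $policy[$label], $state
}
Remove-Item $inf -Force
```

On a domain-joined host the domain password policy overrides these local settings, which is one more reason the guideline weighs AD membership against its risk.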

Permissions

  1. Restrict account privileges according to business need
  2. Follow the principle of least privilege
  3. Assign the local and remote forced-shutdown rights only to members of the Administrators group
  4. Do not join the host to AD unless necessary; once an AD administrator account is compromised, everything falls (convenience and risk must be balanced)
  5. In Local Security Settings (GPO User Rights Assignment), assign "Take ownership of files or other objects" to Administrators only
  6. Allow only locally authorized accounts to access the host locally and remotely: set "Allow log on locally" and "Access this computer from the network" to the designated authorized users
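Items 3, 5 and 6 are User Rights Assignment settings, which can be exported and checked rather than inspected by hand. The following is an added example, not code from the original article. Expected principals are written as SIDs so the check works regardless of display language; `S-1-5-32-544` is the built-in Administrators group. The allowed lists for the two logon rights are assumptions and should be replaced by the SIDs of your authorized users or groups.

```powershell
# Added example (not from the original article): exports the local User Rights Assignment
# with secedit and reports any principal beyond the expected set. S-1-5-32-544 is the
# built-in Administrators group; the logon-right lists are assumptions to adjust locally.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
Remove-Item $cfg -ErrorAction SilentlyContinue
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse "SeXxxPrivilege = *S-1-5-32-544,*S-1-5-..." lines into a hashtable of SID arrays
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}

$expected = [ordered]@{
    'SeShutdownPrivilege'       = @('S-1-5-32-544')   # item 3: shut down the system, Administrators only
    'SeRemoteShutdownPrivilege' = @('S-1-5-32-544')   # item 3: force shutdown from a remote system
    'SeTakeOwnershipPrivilege'  = @('S-1-5-32-544')   # item 5: take ownership of files or other objects
    'SeInteractiveLogonRight'   = @('S-1-5-32-544')   # item 6: allow log on locally (assumption)
    'SeNetworkLogonRight'       = @('S-1-5-32-544')   # item 6: access this computer from the network (assumption)
}
foreach ($name in $expected.Keys) {
    $actual = @($rights[$name])
    $extra  = @($actual | Where-Object { $_ -notin $expected[$name] })
    if ($extra.Count -gt 0) {
        '{0,-28} EXTRA principals: {1}' -f $name, ($extra -join ', ')
    } else {
        '{0,-28} OK' -f $name
    }
}
Remove-Item $cfg -Force
```

A right that is absent from the export is unassigned, which for the two logon rights would lock everyone out; treat an empty `SeInteractiveLogonRight` as a finding as well, not as a pass.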

Vulnerability Patching

  1. Patches should be validated in a test environment first and applied to production only after they pass; this is the safest approach
  2. Critical vulnerabilities must be patched immediately
  3. Keep the system updated to the latest patches

Logging

  1. Enable all log recording
  2. Log user activity
  3. Enable audit policy for later tracing and analysis, including both failure and success events
  4. Set the log overwrite period and rules and back up the logs; the period must not exceed 90 days
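The audit items above are applied with `auditpol` and `wevtutil`. The following is an added example, not code from the original article. Windows sizes event logs in bytes rather than days, so the 90-day rule is met by a daily archive that is pruned after 90 days; the log sizes and the `D:\LogArchive` path are constructed assumptions. Schedule the script as a daily task.

```powershell
# Added example (not from the original article): enables success and failure auditing for
# the main categories, sizes the Security and System logs, and archives the Security log
# daily while pruning archives older than 90 days. Log sizes and the D:\LogArchive path
# are constructed assumptions.
$categories = 'Account Logon', 'Account Management', 'Logon/Logoff', 'Object Access',
              'Policy Change', 'Privilege Use', 'System'
# Items 1-3: all listed categories, both success and failure
foreach ($c in $categories) {
    auditpol /set /category:"$c" /success:enable /failure:enable | Out-Null
}
# Item 2: record which user started which process (Detailed Tracking subcategory)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# Item 4: log size and overwrite rule. /rt:false = overwrite the oldest events when full.
wevtutil sl Security /ms:536870912 /rt:false    # 512 MB
wevtutil sl System   /ms:134217728 /rt:false    # 128 MB

# Item 4: daily archive so history does not depend on the overwrite cycle, kept for 90 days
$archiveDir = 'D:\LogArchive'
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$archive = Join-Path $archiveDir ('Security-{0}-{1}.evtx' -f $env:COMPUTERNAME, (Get-Date -Format yyyyMMdd))
if (-not (Test-Path $archive)) { wevtutil epl Security $archive }
Get-ChildItem -Path $archiveDir -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-90) } |
    Remove-Item -Force

# Verify the effective policy and log configuration
auditpol /get /category:*
wevtutil gl Security | Select-String 'maxSize|retention'
```

Copy the archive folder to the offline backup media described under File Backup; an attacker who clears the Security log on the host cannot reach an archive that is no longer connected.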

Services

  1. Disable non-essential services
  2. Disable the PowerShell process and service (applies only to operating systems installed in GUI mode)
  3. Once the server is in steady-state operation, prohibit registry key changes
  4. Disable Office macros on the server
  5. Disable the RDP service
  6. Change the Windows Terminal Server RDP port (e.g. 3389 > 2289)
  7. If SNMP must be enabled for operations, set the SNMP security options so that the default community string (public) is replaced
  8. Use msconfig to disable unused startup items
  9. Use gpedit.msc (Computer Configuration > Administrative Templates > System) to disable AutoPlay
  10. Disable the default shares (C$, D$)
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Add a REG_DWORD value AutoShareServer set to 0
  11. For shared folders, grant access only to specific authorized users; do not enable Everyone unless necessary
  12. Convert FAT to NTFS, preferably choosing NTFS when installing the server OS
  13. Prohibit anonymous access to named pipes and shares (remove the share settings that allow anonymous access)
  14. Prohibit remote access to the registry; remove the remotely accessible registry paths and subpaths
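Items 1, 7, 9, 10, 13 and 14 are registry and service settings and can be applied together after a registry backup. The following is an added example, not code from the original article. The backup folder, the list of services to disable and the placeholder SNMP community name are assumptions.

```powershell
# Added example (not from the original article): applies the registry-level service items
# above after exporting a registry backup. Assumptions: the backup folder, the list of
# services to disable, and the placeholder SNMP community name.
$backupDir = 'C:\RegBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
reg export HKLM\SYSTEM\CurrentControlSet (Join-Path $backupDir "CCS-$(Get-Date -Format yyyyMMdd-HHmm).reg") /y | Out-Null

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Item 10: no default administrative shares (C$, D$, ADMIN$); effective after the Server service restarts
Set-Dword $lanman 'AutoShareServer' 0

# Item 13: no anonymous access to named pipes, shares or SAM enumeration
Set-Dword $lsa 'RestrictAnonymous'    1
Set-Dword $lsa 'RestrictAnonymousSAM' 1
Set-ItemProperty -Path $lanman -Name 'NullSessionPipes'  -Value ([string[]]@()) -Type MultiString
Set-ItemProperty -Path $lanman -Name 'NullSessionShares' -Value ([string[]]@()) -Type MultiString

# Item 14: no remote registry access: disable the service and clear the remotely allowed paths
Stop-Service RemoteRegistry -Force -ErrorAction SilentlyContinue
Set-Service  RemoteRegistry -StartupType Disabled
$allowed = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
if (Test-Path $allowed) { Set-ItemProperty -Path $allowed -Name 'Machine' -Value ([string[]]@()) -Type MultiString }

# Item 9: AutoPlay off for every drive type (0xFF)
Set-Dword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255

# Item 7: SNMP community: drop "public", add a read-only (4) site-specific string
$snmp = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
if (Test-Path $snmp) {
    Remove-ItemProperty -Path $snmp -Name 'public' -ErrorAction SilentlyContinue
    Set-Dword $snmp 'EXAMPLE-monitoring-community' 4   # placeholder name; 4 = READ ONLY
    Restart-Service SNMP -ErrorAction SilentlyContinue
}

# Item 1: stop and disable services this server role does not need (example list, review per role)
foreach ($svc in 'Spooler', 'Fax') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# Verify the anonymous-access and share settings
Get-ItemProperty -Path $lsa    | Select-Object RestrictAnonymous, RestrictAnonymousSAM
Get-ItemProperty -Path $lanman | Select-Object AutoShareServer, NullSessionPipes, NullSessionShares
```

The exported `.reg` file is the rollback path if an application turns out to depend on one of these settings, and it doubles as the periodic registry backup called for under Protection.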

Protection

  1. Enable the host firewall
  2. Allow only the specific "services" the business needs through the firewall to access the host
  3. Where several project hosts connect to one another (e.g. a web server accessing the DB server), set up IP-locked allow rules
  4. Install a server-grade antivirus product
  5. Keep the antivirus updated and check its version
  6. Back up the registry regularly
  7. Where disk space allows, create snapshot backups
  8. Scan applications for malware before installing them
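Items 1 to 3 above can be expressed as a default-deny firewall profile plus one IP-locked rule. The following is an added example, not code from the original article. The web server address, the port and the log path are constructed assumptions. It also flags any existing allow rule for the same port that is open to every address, which is the common way an IP lock gets bypassed.

```powershell
# Added example (not from the original article): turns the host firewall on with a
# default-deny inbound posture, allows the DB port only from the web server's address,
# logs dropped packets, and flags any allow rule for that port that is open to any address.
# The IP address, port and log path are constructed assumptions.
$webServerIp = '10.10.20.11'   # constructed: the only host allowed to reach the database
$dbPort      = 1433            # constructed: SQL Server default port
$ruleName    = 'Allow SQL from Web01 only'

# Items 1-2: firewall on, inbound blocked unless a rule allows it, dropped packets logged
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# Item 3: IP-locked allow rule (web server -> DB server), created only once
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $dbPort -RemoteAddress $webServerIp -Profile Any | Out-Null
}

# Check: an enabled inbound allow rule for the DB port that is not locked to a remote address is a finding
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $port = @(($_ | Get-NetFirewallPortFilter).LocalPort)
    $addr = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    if (($port -contains "$dbPort") -and ($addr -contains 'Any')) {
        Write-Warning "Rule '$($_.DisplayName)' allows port $dbPort from any address"
    }
}
```

Entries in `pfirewall.log` with `DROP` and the DB port from addresses other than the web server are worth forwarding to the monitoring system: they show which hosts are probing the database tier.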

Operations

  1. Check boot disk usage
  2. Back up and clean up audit trail records regularly
  3. Back up or snapshot the system regularly
  4. Monitor CPU / RAM / HDD usage
  5. Watch the host hardware status indicators

File Backup

  1. An offline backup mechanism must be established. If a gateway-based physical isolation mechanism cannot be built, it can be done manually by people; in a large-scale intrusion it is the last straw to grasp
  2. Use backup software and batch scheduling to maintain both "online and offline" backup storage devices

Remote Desktop Security Controls

The IT department cannot sit in the server room all day watching every host; it usually relies on monitoring systems for efficient management. Remote Desktop has therefore become an important intermediary channel for IT, and it often brings risk with it. For Remote Desktop management, the following is recommended:

  1. On physical hosts, change port 3389 to another port known internally, e.g. 2289
  2. Since a physical server does not continually change registry keys or install programs, lock registry key changes after changing the RDP port, so that an intruder's follow-up actions become more complex
  3. For Windows Server running as an ESXi virtual machine, do not enable RDP; manage the VM through the ESXi management interface instead
  4. When using other remote desktop tools, be aware of the vulnerability risk in third-party software
  5. Inside the server room, network segments are usually fully interconnected. Companies with sufficient budget should build friend-or-foe access controls between server groups by department, so that hosts cannot log in to one another across groups; allow only the IT department, or segment by service user group
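Recommendations 1 and 5 above, and item 6 under Services, combine into one change: move the RDP listener and allow the new port only from the IT management network. The following is an added example, not code from the original article. The `10.10.99.0/24` management subnet is a constructed assumption. Run it from the console or the hypervisor session, not from the RDP session you are about to reconfigure.

```powershell
# Added example (not from the original article): moves the RDP listener from 3389 to 2289
# (the value used above), disables the built-in Remote Desktop firewall rules and allows
# the new port only from the IT management subnet, then verifies the listener.
# The 10.10.99.0/24 subnet is a constructed assumption.
$newPort    = 2289
$mgmtSubnet = '10.10.99.0/24'    # constructed: IT department management network
$rdpTcp     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ruleName   = 'RDP custom port (IT mgmt only)'

Set-ItemProperty -Path $rdpTcp -Name 'PortNumber' -Value $newPort -Type DWord

# The built-in rules open 3389 to everyone; disable them and add a scoped rule for the new port
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $newPort -RemoteAddress $mgmtSubnet | Out-Null
}

Restart-Service TermService -Force    # active RDP sessions are dropped at this point

# Verify: the new port must be listening and 3389 must not
$ports = @(Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort)
if ($ports -contains $newPort) { "RDP listening on $newPort" } else { Write-Warning "RDP not listening on $newPort" }
if ($ports -contains 3389)     { Write-Warning 'Port 3389 is still listening' }
```

The port change alone is obscurity; the firewall scope to the management subnet is the control that actually stops other server groups from reaching the listener, which is what recommendation 5 asks for.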

 

The Art of War says: "One skilled in attack, the enemy does not know what to defend; one skilled in defense, the enemy does not know where to attack." Making good use of controls naturally reduces the chance of hackers or malware running, and greatly lowers enterprise losses.

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About FineArt Technology
FineArt Technology (精品科技), founded in 1989 by a group of like-minded alumni from a National Chiao Tung University laboratory, is a professional software development company. From the country's first Chinese desktop publishing system to its entry into handwriting recognition, it has earned cooperation and recognition from many major international vendors on the strength of the smallest programs, the fastest speed and the most accurate recognition. Over twenty years, the products FineArt Technology has released have all been well received by customers.

CyberLink Releases U Meeting 6.1 Update, Improving Host Permissions, Screen Sharing and Breakout Rooms for Video Conferencing and Online Teaching

[Taipei, 23 July 2020] CyberLink (5203.TW), a leader in multimedia creation software and AI, announced the release of version 6.1 of U Meeting and U Webinar. In this update, U Meeting improves the screen-sharing experience by showing four participants' video feeds during screen sharing, increasing interaction. It also adds several new features for meeting hosts and co-hosts.

In response to the demand for online teaching and remote presentations in post-pandemic video conferencing, U Meeting users (Windows/Mac/Chrome) can now view four participants' video feeds at the same time while in screen-sharing mode, for better interaction. U Meeting also continues to strengthen its host features: the host can designate other participants as co-hosts with control rights such as opening breakout rooms or stopping another participant's screen share, for full control of the meeting. Breakout rooms are further improved: rooms can be named so that other participants or students can identify them. This update also improves noise processing to raise audio and video quality, giving all school and enterprise users an online teaching platform with high-quality audio and video and complete management tools.

U Webinar is built for enterprise live streaming and remote teaching; during a live stream, remote viewers can interact with the presenter through the text chat room or voice Q&A. With the 6.1 update, students who join a live stream midway can still read the chat messages posted before they joined, so no important discussion is missed.

"CyberLink offers U Meeting and U Webinar, a cloud communication platform built for video conferencing, remote teaching and live streaming by schools and enterprises, applicable across campus and corporate settings," said CyberLink CEO Jau Huang (黃肇雄). "With the post-pandemic era, remote teaching and interactive live streaming have become hard requirements. CyberLink keeps developing and optimizing new features based on feedback, leading enterprises and educational institutions into the new wave of post-pandemic digital transformation."

Users can download the latest U Meeting and U Webinar 6.1 from the U official website starting today, or obtain the 6.1 update through the built-in upgrade function, to experience the latest features.

New features in U Meeting 6.1

  • The meeting host can designate others as co-hosts, or stop another participant's screen share.
  • When creating breakout rooms, the host can name each room so participants can identify it.
  • Windows/Mac/Chrome users in U Meeting's screen-sharing mode can view four participants' video feeds at the same time.
  • Noise processing is comprehensively strengthened, improving the audio and video quality of meetings.

 

New features in U Webinar 6.1

  • If you join a live stream midway through a course, you can still read the chat messages posted before you joined, so no important discussion is missed.

 

U Meeting product information

CyberLink U Meeting is available for download from the U official website starting today, with nine built-in languages: Traditional Chinese, Simplified Chinese, English, French, German, Italian, Spanish, Japanese and Korean.

You can choose a U Meeting subscription plan according to the number of participants and live-stream duration you need. Until 31 July, the free version supports up to 25 participants and 60-minute meetings.

About CyberLink U unified communications services

CyberLink U Webinar, U Meeting and U Messenger integrate remote live streaming, video conferencing and instant messaging to give enterprises and educational institutions a new generation of real-time, cross-border, cross-platform, mobile-first, high-quality video communication services. For more information: https://u.cyberlink.com/


About CyberLink
Founded in 1996, CyberLink is an audio and video software company with leading video and audio technology, specializing in the development of digital audio/video software and multimedia streaming application solutions. With a strategy of "anchoring on key technology segments and expanding global marketing reach", it is rooted in Taiwan and deployed globally, with impressive results. CyberLink's advanced technology delivers flawless high-definition playback, and its cutting-edge technology provides complete high-definition capture, editing, production and burning functions with full support for all high-definition video and audio formats. Its products include PowerDirector, PowerDVD, PowerProducer and Power2Go.

Trojanized Mac cryptocurrency app collects wallets and screenshots, ESET Research discovers

BRATISLAVA, MONTREAL – ESET researchers have recently discovered websites distributing trojanized cryptocurrency trading applications for Mac computers. These were legitimate apps wrapped with GMERA malware, whose operators used them to steal information, such as browser cookies, cryptocurrency wallets and screen captures. In this campaign, the legitimate Kattana trading application was rebranded – including setting up copycat websites – and the malware was bundled into its installer. ESET researchers saw four names used for the trojanized app in this campaign: Cointrazer, Cupatrade, Licatrade and Trezarus.

“As in previous campaigns, the malware reports to a Command & Control server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address,” says ESET researcher Marc-Etienne M.Léveillé, who led the investigation into GMERA.

ESET researchers have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, the legitimate Kattana site posted a warning suggesting that victims are approached individually to lure them to download a trojanized app, thus pointing to social engineering. Copycat websites are set up to make the bogus application download look legitimate. The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.

In addition to the analysis of the malware code, ESET researchers have also set up honeypots (research computers) and lured GMERA malware operators to remotely control the honeypots. The researchers’ aim was to reveal the motivations behind this group of criminals. “Based on the activity we have witnessed, we can confirm that the attackers have been collecting browser information, such as cookies and browsing history, cryptocurrency wallets and screen captures,” concludes M.Léveillé.

For more technical details on the latest GMERA malicious campaign, read the full blogpost, “Mac cryptocurrency trading application rebranded, bundled with malware,” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

 


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Portnox Partners with Distology for Sole Distribution of Cloud-Delivered Network Access Control (NAC) Solution in United Kingdom & Ireland

Partnership Will Drive Increased Adoption of Portnox’s Cutting-Edge NAC Solution Purpose-Built for Large Distributed Organizations in the Region

LONDON — Portnox, which supplies network access control (NAC), visibility and device risk management to organizations of all sizes, today announced that it has partnered with Distology for the sole distribution and resell of its cloud-delivered NAC-as-a-Service solution in the United Kingdom and Ireland.

“We chose to partner with Distology because of their successful history of IT security solution distribution in the UK and Irish markets,” said Portnox CEO, Ofer Amitai. “We’re confident this collaboration will yield tremendous growth for both parties, as Portnox has a unique value proposition and Distology has the market enablement expertise to effectively evangelize our network security offering.”

“We have a long-established relationship with Portnox and it speaks volumes that the team have decided to choose Distology as their sole UK&I distributor. The technology Portnox brings to the market is incredibly exciting and complements our existing vendor stack effortlessly,” said Stephen Rowlands, Head of Sales for Distology. “We’re especially looking forward to representing and promoting Portnox Clear to our growing partner base, as this brand-new cloud-based technology has potential to completely disrupt the market and we foresee masses of growth potential in this innovative product.”

Portnox introduced its cloud-delivered NAC-as-a-Service solution to the UK & Irish markets less than two years ago. As the first to bring NAC to the cloud, Portnox has quickly gained a foothold in the region, particularly among large distributed enterprises in the retail, construction and utilities industries.

“The adoption of our NAC-as-a-Service product in the UK has been very strong to date,” said VP of Products, Tomer Shemer. “This is a testament to the fact that the UK is one of the markets leading the trend of cloud security adoption. We expect to see continued growth in the coming years in this area of Europe.”

Portnox is set to exhibit at this week’s RSA 2020 Conference (booth #4234) in San Francisco, February 24-28. Additionally, Portnox (booth #G108) and Distology (booth #C40) will both be exhibiting at InfoSec Europe 2020, Europe’s largest event for information and cyber security, in London, June 2-4.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.

ESET discovers a chat app spying on users and leaking stolen data

BRATISLAVA – ESET researchers have discovered a new operation within a long-running cyber-espionage campaign in the Middle East, apparently with links to the threat actor group known as Gaza Hackers, or Molerats.

Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality. The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store. Both those claims are false; the claim of being “secure” couldn’t be further from the truth, according to ESET researchers.

“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store,” says Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

The Welcome Chat app behaves like any chat app downloaded from outside Google Play: it needs the setting “Allow installing apps from unknown sources” to be activated. After installation, it requests permission to send and view SMS messages, access files, and record audio, as well as requesting access to contacts and device location. Immediately after receiving the permissions, Welcome Chat starts receiving commands from its Command and Control (C&C) server, and it uploads any harvested information. Besides chat messages, the app steals information such as sent and received SMS messages, history of calls, contact list, photos, phone call recordings and GPS location of the device.

“Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind. Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network,” comments Štefanko.

ESET researchers tried to establish whether Welcome Chat is an attacker-trojanized version of a clean app, or a malicious app developed from scratch. “We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” explains Štefanko.

The Welcome Chat espionage app belongs to the very same Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East. BadPatch has been attributed to the Gaza Hackers, aka Molerats, threat actor group. Based on this, we believe that this cyber-espionage campaign comes from the same threat actors.

While the Welcome Chat-based espionage operation seems to be narrowly targeted, ESET strongly discourages users from installing apps from outside the official Google Play store – unless it’s a trusted source, such as the website of an established security vendor or some reputable financial institution. On top of that, users should pay attention to what permissions their apps require and be suspicious of any apps that require permissions beyond their functionality – and, as a very basic security measure, users should run a reputable security app on their mobile devices.

For more details about Welcome Chat spyware, read the full blog post “Secure chat platform? Nothing could be further from the truth for Welcome Chat” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


