WIN2000/NT IIS Protection
TANET Network Security Technology: Technical Support for Regional Joint Defence
Tainan City Bureau of Education, Electronic Data Center, Administrative Network Section
傅志雄
10/26/2001
Agenda
- Analysis of network security threat types
- Current IIS security threats and solutions
- Service Pack types and installation
- IIS deployment planning
- IIS security settings
- Microsoft IIS Security Tools
- Conclusion

Prerequisites
This seminar assumes you already have the following basic knowledge:
- Windows 2000 Server advanced administration
- IIS deployment and basic administration
- Networking concepts
1. Analysis of network security threat types
- Masquerading/spoofing attacks (IP Spoofing)
- Network eavesdropping attacks (Sniffing)
- Computer viruses (Virus)
- Brute-force password guessing attacks (Brute Force)
- Trojan horses (Trojan Horse)
- Denial of service (DoS)

2. Current IIS security threats and solutions
- The Code Red virus
- The W32/Nimda@MM (Nimda) virus
- Others
The Code Red virus
- Infects, propagates, and installs a Trojan
- Causes network paralysis
- Download and run CodeRedCleanup.exe to remove Code Red
- Download the related fix (MS01-033)

Effects of the W32/Nimda@MM (Nimda) virus
- Steals or changes system passwords, or the systems and files that manage passwords
- Installs remote-connection software such as Trojans or backdoors
- Installs keystroke logging software
- Arbitrarily modifies firewall rules
- Steals credit card numbers, bank account details, personal confidential data, and so on
- Modifies or deletes important files (and unimportant ones too)
- Hijacks your e-mail, or uses your mail account to send messages that harm your interests and reputation
- Modifies access permissions on the system and files
- Deletes all records in the built-in Event Viewer, so that you have no way to audit or trace anything

Remedying W32/Nimda@MM (Nimda)
- Update virus signatures
- Patch IE and Outlook
- Patch IIS
Other IIS security threats
Common attacks or intrusion vulnerabilities on NT servers:
- Unicode-encoding vulnerability exploited through the URL
- Buffer overflow
- Remote users viewing the source code of ASP files on the server
- Intrusion through already-disclosed security vulnerabilities
Solution:
- Always install the latest fixes

3. Patch types and installation
Security Bulletin Search URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=15
Current patches
August 2001
- MS01-044: 15 August 2001 Cumulative Patch for IIS
June 2001
- MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise (Code Red; bulletin published June 18, discovered in June)
May 2001
- MS01-026: 14 May 2001 Cumulative Patch for IIS
- MS01-025: Index Server Search Function Contains Unchecked Buffer
- MS01-023: Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
March 2001
- MS01-016: Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
- MS01-014: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000

Current patches (continued)
January 2001
- MS01-004: Malformed .HTR Request Allows Reading of File Fragments
December 2000
- MS00-100: Malformed Web Form Submission Vulnerability
November 2000
- MS00-086: Web Server File Request Parsing Vulnerability
- MS00-084: Indexing Services Cross Site Scripting Vulnerability
October 2000
- MS00-080: Session ID Cookie Marking Vulnerability
- MS00-078: Web Server Folder Traversal Vulnerability ***** (W32.Nimda.A@mm)
August 2000
- MS00-060: IIS Cross-Site Scripting Vulnerabilities
- MS00-058: Specialized Header Vulnerability
- MS00-057: File Permission Canonicalization Vulnerability
July 2000
- MS00-044: Absent Directory Browser Argument Vulnerability
Patch installation
- Compare the release date of the latest Windows Service Pack with the patch's release date; this simplifies installation (avoids installing the same fix twice)
- Although some patches can take effect without a reboot, restart the system anyway for safety
- Check that the patch's language version matches the system
- Read the documentation (KB article) thoroughly before installing

4. IIS deployment planning
- Understanding IIS
- Hardware considerations
- Software considerations (hardening OS security)
- IIS installation
- IIS configuration
Understanding IIS: services
- IIS 5.0 is built only for the Windows 2000 platform
- Provides WWW, FTP, SMTP, and NNTP
- Three additional applications: certificate server, index server, Microsoft transaction server

Understanding IIS: security characteristics
IIS 5.0 is tightly integrated with the Windows 2000 Server operating system's file permissions, registry settings, password usage, user rights, and other Windows 2000 security. The influence is very large, and this close relationship has both advantages and disadvantages.

Installation considerations
- Will the server provide Internet access?
- Will the server provide intranet access only?
- How many web sites will the server host?
- Will separate web sites share any content?
- Authenticated access, anonymous access only, or both?
- Support Secure Socket Layer (SSL) connections?
- HTTP service only?
- Support FTP service?
- Will the server allow specific users to copy, open, delete, and write files?
Hardware security
- Place the server in a secure location (locked, protected against theft and fire, ...)
- Remove floppy, CD, and ZIP drives
- Set the boot order to hard disk first
- Set an EEPROM boot password
- If the server connects to a database, two network cards are recommended: one with a public IP facing outward, the other with a private IP connecting to the database network segment

Software considerations (hardening OS security)
- Use the NTFS file system
- Keep the system, OS files, and data on separate partitions
- Install the minimum software required; add more only when needed
- If Dynamic Update DNS is not supported, remove the registration of the connection's address to avoid unnecessary information leakage

Software considerations (hardening OS security)
- Remove LMHOSTS lookup
- Remove NetBIOS over TCP/IP
- Preferably configure the server in a workgroup role, with no trust of other domains
- Because of this, the default permissions applied to the
- Install directory on the C partition
- Apart from TCP/IP and Client for Microsoft Networks, reduce unnecessary protocol stacks
- Update the Service Pack
- Use the SysKey tool to strengthen password protection: it encrypts the password store in 128-bit form, so hackers cannot use tools to test the host's passwords successfully (usage: see next page)

Reference: using SYSKEY
Using SYSKEY is very easy: just type syskey at the command line (note: supported only on Windows NT 4.0 SP3 and later). See the figure at right (NT 4.0) and at lower right (Windows 2000).
Software considerations (hardening OS security): security templates
Steps to set up Security Configuration and Analysis and Security Templates through the MMC:
1. Open the MMC
2. Add the Security Configuration and Analysis and Security Templates snap-ins
3. Edit the security template

Software considerations (hardening OS security)
4. After editing, apply it through Local Security Settings (see figure below)

Software considerations (hardening OS security): Hisecweb.inf
Download Hisecweb.inf from http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe
After downloading, import and apply it with the Security Configuration and Analysis tool
Software considerations (hardening OS security): services IIS requires
- Event Log
- IIS Admin Service
- License Logging Service
- MSDTC
- Protected Storage
- Remote Procedure Call (RPC) Service
- Server
- Windows NT Server or Windows NT Workstation
- Windows NTLM Security Support Provider
- Workstation
- World Wide Web Publishing Service

Software considerations (hardening OS security): services IIS does not require
- Alerter
- ClipBook Server
- Computer Browser
- DHCP Client
- Messenger
- NetBIOS Interface
- Net Logon
- Network DDE & Network DDE DSDM
- Network Monitor Agent
- NWLink NetBIOS
- NWLink IPX/SPX Compatible Transport (not required unless you don't have TCP/IP or another transport)
- Simple TCP/IP Services
- Spooler
- TCP/IP NetBIOS Helper
- WINS Client (TCP/IP)
Software considerations (hardening OS security): restrict system utilities
For the utilities below, remove the LocalSystem and Administrators group permissions and grant only the utility administrator Read & Execute:
arp.exe, ipconfig.exe, Nbtstat.exe, at.exe, net.exe, Netstat.exe, atsvc.exe, nslookup.exe, ping.exe, cacls.exe, posix.exe, Qbasic.exe, Cmd.exe, rcp.exe, rdisk.exe, debug.exe, regedit.exe, Regedt32.exe, edit.com, rexec.exe, route.exe, edlin.exe, rsh.exe, Runonce.exe, finger.exe, secfixup.exe, Syskey.exe, ftp.exe, telnet.exe, Tracert.exe, xcopy.exe, tftp.exe, command.com, clipsrv.exe, dialer.exe, hypertrm.exe, attrib.exe, sysedit.exe, cscript.exe, wscript.exe

Software considerations (hardening OS security)
- TCP/IP Filtering (optional)

IIS installation: pre-installation checks
IUSR_computername:
- Make sure the account cannot change its password and the password never expires
- It is a local account, not a domain account
- If the web site does not allow anonymous access, disable the account
IIS installation: directory security
Data type: Static content
  Directories: \Inetpub\wwwroot\images, \Inetpub\wwwroot\home, \Inetpub\ftproot\ftpfiles
  NTFS file permissions: Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Authenticated Users (Read & Execute); Anonymous (Read & Execute)
  IIS permission: Read
Data type: FTP uploads
  Directory: \Inetpub\ftproot\dropbox
  NTFS file permissions: WebAdmins or FTPAdmins (Read & Execute, Write, Modify); Specified Users (Write)
  IIS permission: Write

IIS installation: directory security (continued)
Data type: Script files
  Directory: \Inetpub\wwwroot\scripts
  NTFS file permissions: Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute, Write, Modify); Anonymous: special access (Execute)
  IIS permission: Scripts only
Data type: Metabase
  Directory: \WINNT\system32\inetsrv
IIS log file ACLs
Change the path and set permissions on %systemroot%\system32\LogFiles:
- Administrators (Full Control)
- System (Full Control)
- Everyone (RWC)
This prevents the log files from being deleted.

Remove the samples
- IIS Samples: virtual directory \IISSamples, path c:\inetpub\iissamples
- IIS Documentation: virtual directory \IISHelp, path c:\winnt\help\iishelp
- Data Access: virtual directory \MSADC, path c:\program files\common files\system\msadc

IIS installation
- Change the startup type of unused services from Automatic to Manual or Disabled

IIS installation: Metabase security settings
- The Metabase stores all IIS configuration; it is loaded into memory for fast access by IIS and is separate from the Windows Registry
- It is loaded when IIS starts and written back when IIS shuts down
- The Metabase is stored in a special format in a file named MetaBase.bin under \Winnt\system32\inetsrv
- Keep it out of reach of unauthorized users
5. IIS security settings
Internet Services Manager – Master Properties

Internet Services Manager – Master Properties: Snap-Ins
Microsoft Management Console (MMC)

Internet Services Manager – Master Properties
Internet Service Manager

Internet Services Manager – Master Properties
Internet Services Manager – Master Properties: WWW Master Properties
Web Site tab
- Ensure Enable logging is selected
Home Directory tab
- Disable (uncheck) the Read, Write, and Directory browsing options
- Ensure Log visits is selected
- Ensure None is selected in the Execute Permissions drop-down box
Directory Security tab
- If any site hosted by this server will NOT allow anonymous access, disable (uncheck) Anonymous access under Authentication methods and select the appropriate authentication method

Internet Services Manager – Master Properties: FTP Master Properties
FTP Site tab
- Set an appropriate number of connections for the maximum users on the FTP server
- Set the maximum seconds for timeout (inactivity); 600 seconds is reasonable
- Ensure Enable logging is selected
Security Accounts tab
- Ensure Allow Anonymous Connections is selected
- Select Allow only anonymous connections
Home Directory tab
- Ensure Log visits is selected

Internet Services Manager – Master Properties: Server Extensions Master Properties
- Ensure Log authoring actions is selected
- Ensure Require SSL for authoring is selected
- Ensure Manage permissions manually is selected
- Ensure Allow authors to upload executables is DISABLED (UNCHECKED)

Internet Services Manager – Master Properties
6. Microsoft IIS Security Tools
- IIS Lockdown Tool
- URLScan
- HFNetChk
- Microsoft Personal Security Advisor (MPSA)

Microsoft IIS Security Tools: precautions before use
1. Read the documentation in detail (especially the Notes)
2. Try the tool on a test machine first
3. Back up the IIS configuration (this saves the settings of all Web sites, FTP sites, virtual directories, directories, and files you manage on the computer)

Steps to back up the IIS configuration
IIS Lockdown Tool: features
- Configures the web site quickly, simply, and without mistakes, so administrators can immediately protect the site from threats
- Two modes of operation:
  Express Lockdown mode: applies the highest security settings for a web site with basic functionality
  Advanced Lockdown mode: provides the most suitable help text and recommended settings, lets administrators customize the security settings, and provides an "Undo" function

IIS Lockdown Tool: installation
- Download IISLockD.exe (184 Kb) from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362
- Release Date - 23 Aug 2001

IIS Lockdown Tool: installation steps
1. Click as shown in the figure at right to start the installation
2. Accept the Microsoft EULA (END-USER LICENSE AGREEMENT)
3. Enter the installation path

IIS Lockdown Tool: installation result
- IISLockd.exe: the executable
- Iislockd.chm: documentation
- 404.dll: the mapping target used after Lockdown runs

IIS Lockdown Tool: purposes
- Remove script mappings:
  Index Server Web Interface (.IDQ)
  Server-Side Includes (.SHTML, .SHTM, .STM)
  Internet Data Connector (.IDC)
  Internet Printing (.printer)
  HTR Scripting (.HTR)
- Remove sample Web files
- Remove the Scripts virtual directory
- Remove the MSADC virtual directory
- Disable Distributed Authoring and Versioning (WebDAV)
- Set file permissions to prevent the IIS anonymous user account from executing system utilities
- Set file permissions to prevent the IIS anonymous user account from writing to Web content directories
IIS Lockdown Tool: operation (screenshot sequence)
Before use: the original script mappings
Express Lockdown:
1. Run IISLockd.exe
2. Select the mode of operation (Express Lockdown)
3. Confirm before running
4. The default settings are applied quickly, one after another (until Finished... appears)
5. Completion screen
After use: review the results
Undo:
1. Run IISLockd.exe again to undo the settings
2. Perform the undo
3. Undo completed
4. Check whether the script mappings have been restored
Advanced Lockdown:
1. Select the mode of operation (Advanced Lockdown)
2. Administrator-customizable options (page 1)
3. Administrator-customizable options (page 2)
4. Confirm before running
5. The settings are applied according to the selected items
6. Finished...
IIS Lockdown Tool: completion report
Backed up metabase
Locked httpext.dll
Locked idq.dll
Removed script map: .htw, C:\WINNT\System32\webhits.dll
Removed script map: .ida, C:\WINNT\System32\idq.dll
Removed script map: .idq, C:\WINNT\System32\idq.dll
Removed script map: .htr, C:\WINNT\System32\inetsrv\ism.dll
Removed script map: .idc, C:\WINNT\System32\inetsrv\httpodbc.dll
Removed script map: .shtm, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .shtml, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .stm, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .printer, C:\WINNT\System32\msw3prt.dll
Removed printer virtual dir (/LM/W3SVC/1/ROOT/Printers)
Removed samples (/LM/W3SVC/1/ROOT/IISSamples)
Removed MSADC virtual dir (/LM/W3SVC/1/ROOT/MSADC)
Removed scripts virtual dir (/LM/W3SVC/1/ROOT/Scripts)
Set Deny All ACE for anonymous web users on system utilities under C:\WINNT
Set Deny Write ACE for anonymous web users under c:\winnt\help\iishelp
Set Deny Write ACE for anonymous web users under
URLScan: description
- An ISAPI filter providing powerful filtering for HTTP requests
- The tool, URLScan, screens all incoming requests to the server and filters them based on rules set by the administrator

URLScan: notes and download
- Release Date - 11 Sep 2001
- Note on use: Microsoft recommends that the tool only be used by experienced web administrators
- Download URL and KB (Knowledge Base): the tool is available for download at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571. Detailed instructions for installing and using it are available in the download package, or in Microsoft Knowledge Base article Q307608

URLScan: installation
Steps to install URLScan:
1. Click UrlScan.exe as shown in the figure at right to start the installation
2. Accept the Microsoft EULA (END-USER LICENSE AGREEMENT)
3. The UrlScan ISAPI filter is installed in the Master Web Site properties of the IIS Web Server; the filter is installed as a High priority filter
4. During the installation you will be prompted to restart IIS
5. Installation path: %windir%\system32\inetsrv\urlscan, which is normally c:\winnt\system32\inetsrv\urlscan

URLScan: installation check (1)
The ISAPI filter is installed in the master web site properties; the ISAPI filters are shown in the figure below

URLScan: installation check (2)
The %windir%\system32\inetsrv\urlscan folder, shown in the figure below
Configuring UrlScan
UrlScan.ini (the UrlScan configuration file) is read only when IIS starts (for performance). Three ways to restart IIS:
1. Use IISReset
2. NET STOP W3SVC and then NET START W3SVC
3. Right-click the server name in Internet Service Manager and select Restart IIS, then select "Restart internet services on <pcname>"
The default options built into UrlScan.dll result in a configuration that rejects all requests to the server; a UrlScan.ini file must be provided for UrlScan to pass requests to be served.

Configuring UrlScan: UrlScan.ini sections
[AllowVerbs] (used when UseAllowVerbs=1, the default): allowed HTTP methods GET, HEAD, POST
[DenyVerbs] (used when UseAllowVerbs=0): includes the WebDAV verbs
[AllowExtensions] (UseAllowExtensions=1): .asp .htm .html .txt .jpg .jpeg .gif
[DenyExtensions] (UseAllowExtensions=0): .htw .ida .idq .htr .idc .shtm
[DenyUrlSequences]: .. ./ \ : % &
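As an added example (not part of the original slides and not Microsoft's UrlScan code), the following Python reproduces the decision logic the sections above describe: an allow or deny list of verbs, an allow or deny list of extensions, denied URL sequences, and a normalization check that catches double-encoded requests. The UrlScan.ini text, the `UrlScanFilter` class and the requests in the usage block are constructed here; the order in which the real UrlScan.dll evaluates its rules and the details of its normalization are assumptions, and only the URL path is inspected, not the query string.

```python
from urllib.parse import unquote

# Constructed UrlScan.ini-like text modelled on the sections named on the slide.
SAMPLE_INI = r"""
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
AllowDotInPath=0

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.htm
.html
.gif

[DenyExtensions]
.htw
.ida
.idq
.htr
.idc
.shtm

[DenyUrlSequences]
..
./
\
:
%
&
"""


def parse_ini(text):
    """Minimal INI reader: section name -> list of its non-empty lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        else:
            sections.setdefault(current, []).append(line)
    return sections


class UrlScanFilter:
    """Assumed rule order: verb, normalization, denied sequences, extension, dots."""

    def __init__(self, ini_text):
        s = parse_ini(ini_text)
        opts = dict(item.split("=", 1) for item in s.get("Options", []))
        self.use_allow_verbs = opts.get("UseAllowVerbs", "1") == "1"
        self.use_allow_ext = opts.get("UseAllowExtensions", "0") == "1"
        self.allow_dot_in_path = opts.get("AllowDotInPath", "0") == "1"
        self.allow_verbs = set(s.get("AllowVerbs", []))
        self.deny_verbs = set(s.get("DenyVerbs", []))
        self.allow_ext = {e.lower() for e in s.get("AllowExtensions", [])}
        self.deny_ext = {e.lower() for e in s.get("DenyExtensions", [])}
        self.deny_seq = s.get("DenyUrlSequences", [])

    def check(self, verb, raw_url):
        """Return (allowed, reason). Verbs are compared case-sensitively."""
        if self.use_allow_verbs:
            if verb not in self.allow_verbs:
                return False, f"verb '{verb}' is not allowed"
        elif verb in self.deny_verbs:
            return False, f"verb '{verb}' is disallowed"
        path = raw_url.split("?", 1)[0]  # only the path is inspected here
        # Normalize once; a second decode must change nothing, otherwise the
        # request was double-encoded to slip past the checks below.
        url = unquote(path)
        if unquote(url) != url:
            return False, "URL is double-encoded (normalization is not idempotent)"
        for seq in self.deny_seq:
            if seq in url:
                return False, f"URL contains sequence '{seq}', which is disallowed"
        last = url.rsplit("/", 1)[-1]
        # A bare '.' is used here to mean "no extension" (assumed convention).
        ext = "." + last.rsplit(".", 1)[1].lower() if "." in last else "."
        if self.use_allow_ext:
            if ext not in self.allow_ext:
                return False, f"extension '{ext}' is not in the allow list"
        elif ext in self.deny_ext:
            return False, f"URL contains extension '{ext}', which is disallowed"
        if not self.allow_dot_in_path:
            if any("." in seg for seg in url.split("/")[:-1]) or last.count(".") > 1:
                return False, "URL contains a dot outside the file extension"
        return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a normal page, a .ida probe, a WebDAV verb, a double-encoded path.
    f = UrlScanFilter(SAMPLE_INI)
    for verb, url in [("GET", "/default.htm"), ("GET", "/default.ida?NNNN"),
                      ("PROPFIND", "/"), ("GET", "/a%252e%252e/x.htm")]:
        ok, why = f.check(verb, url)
        print("ALLOW " if ok else "REJECT", verb, url, "-", why)
```

Switching `UseAllowExtensions` to 1 flips the extension check from a deny list to an allow list, which is the stricter posture the slide's `[AllowExtensions]` section represents: anything not explicitly listed (including executables and the ISAPI extensions the Lockdown tool removes) is rejected.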
Configuring UrlScan: urlscan.log
Records the configuration at each load of the ISAPI filter and the enforcement results:
[Thu, Sep 27 2001 - 06:28:41] ---------- UrlScan.dll Initializing ----------
[Thu, Sep 27 2001 - 06:28:41] URLs will be normalized before analysis.
[Thu, Sep 27 2001 - 06:28:41] URL normalization will be verified.
[Thu, Sep 27 2001 - 06:28:41] URLs may contain OEM, international and UTF-8 characters.
[Thu, Sep 27 2001 - 06:28:41] URLs must not contain any dot except for the file extension.
[Thu, Sep 27 2001 - 06:28:41] Only the following verbs will be allowed (case sensitive):
[Thu, Sep 27 2001 - 06:28:41]     'GET'
[Thu, Sep 27 2001 - 06:28:41]     'HEAD'
[Thu, Sep 27 2001 - 06:28:41]     'POST'
[Thu, Sep 27 2001 - 06:28:41] Requests for following extensions will be rejected:
[星期一, 九月 17 2001 - 17:10:32] Client at 211.244.166.4: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'
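The rejection lines in urlscan.log are the first place to look for probes against the server, and they are easy to triage mechanically. The following Python is added here (it is not part of the original slides or of UrlScan): it parses the "Request will be rejected" lines into structured events and counts rejections per client and per reason. The log excerpt is constructed; the 211.244.166.4 line follows the slide, the other client address is from the documentation range 192.0.2.0/24, and the line format is assumed from the sample shown above. The timestamp is kept as text because, as the slide shows, the day and month names are localized.

```python
import re
from collections import Counter

# Constructed urlscan.log excerpt modelled on the slide's sample lines.
SAMPLE_LOG = """\
[Thu, Sep 27 2001 - 06:28:41] ---------- UrlScan.dll Initializing ----------
[Thu, Sep 27 2001 - 06:28:41] Only the following verbs will be allowed (case sensitive):
[Thu, Sep 27 2001 - 06:28:41]     'GET'
[Mon, Sep 17 2001 - 17:10:32] Client at 211.244.166.4: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'
[Mon, Sep 17 2001 - 17:10:35] Client at 211.244.166.4: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'
[Mon, Sep 17 2001 - 17:12:01] Client at 192.0.2.10: URL contains sequence '..', which is disallowed. Request will be rejected. Raw URL='/scripts/../x.exe'
[Mon, Sep 17 2001 - 17:12:09] Client at 192.0.2.10: URL contains extension '.printer', which is disallowed. Request will be rejected. Raw URL='/NULL.printer'
"""

# Assumed line shape: [timestamp] Client at <ip>: <reason> Request will be rejected. Raw URL='<url>'
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>\S+): (?P<reason>.+?) "
    r"Request will be rejected\. Raw URL='(?P<url>[^']*)'$"
)


def parse_rejections(log_text):
    """Return one dict per rejected request with keys ts, ip, reason, url.
    Initialization and configuration lines do not match and are skipped."""
    return [m.groupdict() for m in map(REJECT_RE.match, log_text.splitlines()) if m]


def summarize(events, threshold=2):
    """Count rejections per client and per reason; clients at or above
    `threshold` rejections are listed as repeat sources worth a closer look."""
    by_ip = Counter(e["ip"] for e in events)
    by_reason = Counter(e["reason"] for e in events)
    repeat = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"by_ip": by_ip, "by_reason": by_reason, "repeat_clients": repeat}


if __name__ == "__main__":
    events = parse_rejections(SAMPLE_LOG)
    report = summarize(events)
    for ip, n in report["by_ip"].most_common():
        print(f"{ip:16} {n} rejected request(s)")
    for reason, n in report["by_reason"].most_common():
        print(f"{n:3}  {reason}")
    print("repeat clients:", ", ".join(report["repeat_clients"]))
```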
UrlScan attack and defence

HFNetChk
Description: HFNetChk is a command-line tool that mainly helps users check the patch update status of Windows NT 4.0 or Windows 2000 operating systems; it also checks hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0, and SQL Server 2000 (including MSDE), and Internet Explorer 5.01 or later.
How it works: when HFNetChk starts it looks for or automatically downloads an XML file (Mssecure.xml); the original XML is compressed into a .cab file (digitally signed by Microsoft). HFNetChk scans all products on the system and compares them against the hotfix information recorded in the XML; the comparison shows whether the system is missing patches or hotfixes.

HFNetChk: installation
- Download Microsoft Network Security Hotfix Checker (HFNetChk) version 3.1 (nshc.exe - 204 Kb) from http://www.microsoft.com/downloads/release.asp?releaseid=31154
- Release Date - 2 Jul 2001
- Click the icon (as shown at right); the Microsoft EULA (END-USER LICENSE AGREEMENT) appears

HFNetChk: installation
- Select the installation path (as shown at right)
- When installation finishes, you are prompted that the program is run from the command line

HFNetChk: syntax
Query the syntax with: HFNETCHK.exe /?|more
HFNETCHK.exe -h hostname
HFNETCHK.exe -h h1,h2,h3
HFNETCHK.exe -i 192.168.1.1 -a m -t 10 -v
HFNETCHK.exe -i 192.168.1.1,192.168.1.8 -h hostname -x mssecure.xml
HFNETCHK.exe -d domain_name -a b -o tab -x c:\temp\mssecure.xml
HFNETCHK.exe -r 192.168.1.1-192.168.1.254 -a i -t 20
HFNETCHK.exe -x http://www.xyz.abc/mssecure.xml
HFNETCHK.exe -x "c:\Space In Path\mssecure.xml"
HFNetChk: execution
C:\Documents and Settings\Administrator\桌面\新資料夾\Microsoft Network Security Hotfix Checker>hfnetchk -i 127.0.0.1
Downloads the latest XML file (digitally signed by Microsoft)

HFNetChk: execution
Microsoft Network Security Hotfix Checker, 3.1
Developed for Microsoft by Shavlik Technologies, LLC
info@shavlik.com (www.shavlik.com)
** Attempting to download the XML from http://download.microsoft.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab. **
** File was successfully downloaded. **

HFNetChk: execution results
Scanning 127.0.0.1
..............
Done scanning 127.0.0.1
** Attempting to load C:\Documents and Settings\Administrator\
Using XML data version = 1.0.1.155 Last modified on 10/20/2001.
Scanning 127.0.0.1
..............
Done scanning 127.0.0.1
----------------------------
127.0.0.1
WINDOWS 2000 SERVER SP2
Patch NOT Found MS00-077 Q299796
Patch NOT Found MS00-079 Q276471
Patch NOT Found MS01-007 Q285851
Patch NOT Found MS01-013 Q285156
WARNING MS01-022 Q296441
Patch NOT Found MS01-025 Q296185
Patch NOT Found MS01-031 Q299553
Patch NOT Found MS01-036 Q299687
Patch NOT Found MS01-037 Q302755
Patch NOT Found MS01-040 Q292435
Patch NOT Found MS01-041 Q298012
Patch NOT Found MS01-046 Q252795
Internet Information Services 5.0
Patch NOT Found MS01-044 Q301625
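The text report above is easy to read for one host but not for a range scan such as `-r 192.168.1.1-192.168.1.254`. As an added example (not part of the original slides and not HFNetChk's own code), the following Python parses HFNetChk's per-host blocks into a structure, lists the missing patches as (host, product, bulletin, Q article) rows, and separates hosts that could not be scanned. The sample output is constructed from the lines shown on these slides, and the block layout (dashed separator, host line, product line, then "Patch NOT Found" / "WARNING" lines, or an INFORMATION line) is assumed from that sample.

```python
import re

# Constructed HFNetChk report modelled on the slides' output: one scanned host
# and one host (from the next slide) that could not be scanned without Admin rights.
SAMPLE_OUTPUT = """\
Microsoft Network Security Hotfix Checker, 3.1
Developed for Microsoft by Shavlik Technologies, LLC
Scanning 127.0.0.1
..............
Done scanning 127.0.0.1
----------------------------
127.0.0.1
    WINDOWS 2000 SERVER SP2
        Patch NOT Found MS00-077 Q299796
        Patch NOT Found MS01-007 Q285851
        WARNING         MS01-022 Q296441
        Patch NOT Found MS01-025 Q296185
    Internet Information Services 5.0
        Patch NOT Found MS01-044 Q301625
----------------------------
163.26.1.110
    INFORMATION Admin rights are required to scan.
"""

# Assumed result-line shapes, taken from the sample above.
PATCH_RE = re.compile(r"^(Patch NOT Found|WARNING|NOTE)\s+(MS\d{2}-\d{3})\s+(Q\d+)$")
INFO_RE = re.compile(r"^INFORMATION\s+(.*)$")


def parse_hfnetchk(text):
    """Return {host: {"products": {product: [(status, bulletin, q), ...]}, "info": [...]}}."""
    hosts, current, product, expect_host = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:          # dashed separator: the next line names a host
            expect_host, product = True, None
            continue
        if expect_host:
            current = hosts.setdefault(line.split()[0], {"products": {}, "info": []})
            expect_host = False
            continue
        if current is None:             # banner and progress lines before the first host
            continue
        m = PATCH_RE.match(line)
        if m:
            status, bulletin, q = m.groups()
            current["products"].setdefault(product or "(unknown product)", []) \
                .append((status, bulletin, q))
            continue
        m = INFO_RE.match(line)
        if m:
            current["info"].append(m.group(1))
            continue
        product = line                  # any other line is a product header
    return hosts


def missing_patches(hosts):
    """Flat, sorted list of (host, product, bulletin, q) with status 'Patch NOT Found'."""
    return sorted((host, prod, b, q)
                  for host, rec in hosts.items()
                  for prod, items in rec["products"].items()
                  for status, b, q in items if status == "Patch NOT Found")


def unscanned_hosts(hosts):
    """Hosts that reported INFORMATION messages but no product results."""
    return sorted(h for h, rec in hosts.items() if rec["info"] and not rec["products"])


if __name__ == "__main__":
    parsed = parse_hfnetchk(SAMPLE_OUTPUT)
    for host, prod, bulletin, q in missing_patches(parsed):
        print(f"{host:14} {bulletin} {q}  ({prod})")
    for host in unscanned_hosts(parsed):
        print(f"{host:14} NOT SCANNED: {'; '.join(parsed[host]['info'])}")
```

WARNING entries are kept with their status rather than dropped, so a reporting step can treat "cannot determine if the fix is installed" differently from "fix is definitely missing".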
HFNetChk: practical use
hfnetchk -o tab > scan.txt
hfnetchk -i 127.0.0.1,163.26.1.110 > scan2.txt
Without Admin rights, the following message appears:
----------------------------
163.26.1.x
INFORMATION Admin rights are required to scan.

Microsoft Personal Security Advisor (MPSA): description
- MPSA is an easy-to-use Web application that helps Windows NT 4.0 and Windows 2000 users with security information
- After entering the MPSA site and clicking the "Scan Now" button, you receive a report on the security settings of your system, along with recommendations for better security
- For example: patches not yet applied, password security, Internet Explorer and Outlook Express security settings, Office macro protection settings, and so on

Microsoft Personal Security Advisor (MPSA)
URL: http://www.microsoft.com/technet/mpsa/start.asp

Microsoft Personal Security Advisor (MPSA): notes
1) MPSA hotfix checking currently supports only English versions
2) MPSA supports Windows NT 4.0 Workstation and Windows 2000 Professional
3) MPSA does not support web server related patches
Using MPSA
Downloads the XML security information when the scan starts

Using MPSA
Scan completed

MPSA scan results: explanation
See figure below

MPSA scan results: individual items
See figure below

MPSA scan results: overall rating
See figure below

Resources
- Subscribe to the security mailing list: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
- Browse the Microsoft Security Web Sites:
  Microsoft Security: http://www.microsoft.com/security
  Microsoft TechNet Security: http://www.microsoft.com/technet/security/default.asp

7. Conclusion
- Establish management principles; technology is not a panacea
- The difficulty of security defence is proportional to network complexity
- Someone will certainly break into your system; most people do not believe their system has a problem until it has been compromised
- The most secure network systems always have good management
- Network security is risk management
- Constant vigilance is the price of maintaining high security
- Security and productivity are at odds; simple protection will not reach the level of security you need
- There is no absolutely secure platform or system