ʹѺʹع¤Óá¹Ð¹Ó¡ÒõÑ駤èҤ͹¿Ô¡¤ÇÒÁ»ÅÍ´ÀÑÂ

¼èÒ¹»ÕËÅÒÂã¹Í´Õµ ËÁÒÂàÅ¢¢Í§Ë¹èǧҹ ÃÇÁ·Ñé§ Microsoft ÈÙ¹Âì¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·ҧÍÔ¹à·ÍÃìà¹çµ (CIS), ¡ÒÃªÒµÔ Security ˹èǧҹ (NSA), ¡Òûéͧ¡Ñ¹¢éÍÁÙÅÃкºË¹èǧҹ (DISA), áÅÐªÒµÔ Institute ¢Í§Áҵðҹ áÅÐà·¤â¹âÅÂÕ (NIST), ä´é»ÃСÒÈá¹Ç "µÑ駤èҤ͹¿Ô¡·Ò§¤ÇÒÁ»ÅÍ´ÀÑÂ" ÊÓËÃѺ Windows à·èҡѺá¹Ç·Ò§¤ÇÒÁ»ÅÍ´ÀÑÂã´ æ ¤ÇÒÁ»ÅÍ´ÀÑÂà¾ÔèÁàµÔÁ·Õè¶Ù¡µéͧºèͤÃÑé§ÁÕÅѡɳоÔàÈɺ¹ usability adverse

ËÅÒ guides àËÅèÒ¹Õé ÃÇÁ·Ñé§ guides ¨Ò¡ Microsoft ¨Ò¡ CIS áÅÐ ¨Ò¡ NIST »ÃСͺ´éÇÂËÅÒÂÃдѺ¢Í§¡ÒõÑ駤èÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ guides àËÅèÒ¹ÕéÍÒ¨ÃÇÁ¶Ö§ÃдѺ¡ÒÃÍ͡ẺÁÒÊÓËÃѺ¢éͤÇÒÁµèÍ仹Õé:

• ¡Ò÷ӧҹÃèÇÁ¡Ñ¹¡ÑºÃкº»¯ÔºÑµÔ¡ÒÃÃØè¹à¡èÒ
• ÊÀÒ¾áÇ´ÅéÍÁͧ¤ì¡Ã
• ¤ÇÒÁ»ÅÍ´ÀÑ¢Ñé¹ÊÙ§·ÕèÁտѧ¡ìªÑ¹·Õè¨Ó¡Ñ´
  
  ËÁÒÂà˵Ø:ÃдѺ¹ÕéÁÑ¡àÃÕ¡ÇèÒ¡Òà Specialized Security – ÃдѺ¿Ñ§¡ìªÑ¹¡Ò÷ӧҹ·Õè¨Ó¡Ñ´ËÃ×ÍÃдѺ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§

ÃдѺ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§ ËÃ×Í Security Specialized – ¿Ñ§¡ìªÑ¹·Õè¨Ó¡Ñ´ Í͡ẺÁÒÊÓËÃѺÊÀÒ¾áÇ´ÅéÍÁÁÒ¡ hostile ÀÒÂãµé¤ÇÒÁàÊÕ觷ÕèÊӤѭ¢Í§¡ÒÃâ¨ÁµÕâ´Â੾ÒÐ ÃдѺ¹Õé guards ¢éÍÁÙÅà»ç¹ä»ä´é¤èÒÊÙ§ÊØ´ àªè¹¢éÍÁÙÅ·Õè¨Óà»ç¹ â´ÂºÒ§ÃкºÃÑ°ºÒÅ ÃдѺ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§ÊØ´¢Í§¤Óá¹Ð¹Ó¹ÕéÊÒ¸ÒóÐäÁèàËÁÒÐÊÁÊÓËÃѺÃкº·ÕèãË­è·Õèãªé Windows ä´é àÃÒ¢Íá¹Ð¹ÓÇèÒ ¤Ø³äÁèä´éãªéÃдѺ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§º¹àÇÔÃì¡Ê൪ѹ general-purpose àÃÒ¢Íá¹Ð¹ÓãËé ¤Ø³ãªéÃдѺ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§ã¹Ãкºà·èÒ¹Ñé¹·Õè¨Ð·ÓãËé¤ÇÒÁàÊÕÂËÒÂÊÙ­ËÒ¢ͧÍÒÂØ¡ÒÃãªé§Ò¹ ¡ÒÃÊÙ­àÊÕ¢éÍÁÙÅ·ÕèÁÕ¤èÒÁÒ¡ ËÃ×ÍÊÙ­ËÒ¢ͧÅç͵¡ÒÃà§Ô¹

¡ÅØèÁµèÒ§ æ ·Õè·Ó§Ò¹ä´é¡Ñº Microsoft 㹡ÒüÅÔµ guides ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂàËÅèÒ¹Õé ã¹ËÅÒÂ¡Ã³Õ àËÅèÒ¹Õéá¹Ð¹ÓãËéÀѤء¤ÒÁ¤ÅéÒ¡ѹÍÂÙè·Ñé§ËÁ´ ᵡÍÂèÒ§äáçµÒÁ áµèÅÐÃÒ¡ÒÃá¹Ð¹ÓµèÒ§àÅ硹éÍÂà¾ÃÒТͧ¢éÍ¡Ó˹´¢Í§¡®ËÁÒ ¹âºÒ·éͧ¶Ôè¹ áÅФÇÒÁµéͧ¡Ò÷ӧҹ à¹×èͧ¨Ò¡¤ÇÒÁµÑǹÕé ¡ÒõÑ駤èÒÍҨᵡµèҧ仨ҡªØ´Ë¹Ö觢ͧ¤Óá¹Ð¹Ó¡ÒÃ¶Ñ´ä» "ͧ¤ì¡Ã·Õè·ÓãËé¤Óá¹Ð¹Ó㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·Õè¾ÃéÍÁãªé§Ò¹·ÕèÊÒ¸ÒóÐ" Êèǹ»ÃСͺ´éǺ·ÊÃØ»¢Í§áµèÅÐÃÒ¡ÒÃá¹Ð¹Ó´éÒ¹¤ÇÒÁ»ÅÍ´ÀÑÂ

ͧ¤ì¡Ã·Õè·ÓãËé¤Óá¹Ð¹Ó㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·Õè¾ÃéÍÁãªé§Ò¹ÊÒ¸ÒóÐ

Microsoft Corporation

Microsoft ãËé¤Óá¹Ð¹Óà¡ÕèÂǡѺÇÔ¸Õ¡Ò÷ÕèªèÇÂÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂÃкº»¯ÔºÑµÔ¡ÒâͧºÃÔÉÑ·àͧ àÃÒä´éÃѺ¡ÒþѲ¹Ò¢Öé¹ÃдѺ 3 µèÍ仹Õé¢Í§¡ÒõÑ駤èÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂ:

• ä¤ÅàÍç¹µì¢Í§Í§¤ì¡Ã (EC)
• stand-Alone (SA)
• ¤ÇÒÁ»ÅÍ´ÀÑ specialized – ¿Ñ§¡ìªÑ¹·Õè¨Ó¡Ñ´ (SSLF)

ÍÂèÒ§ÅÐàÍÕ´àÃÒ·´Êͺ¹Õé¤Óá¹Ð¹ÓÊÓËÃѺãªéã¹Ê¶Ò¹¡ÒóìÅÙ¡¤éҨӹǹÁÒ¡ ¤Óá¹Ð¹Ó·ÕèàËÁÒÐÊÁÊÓËÃѺͧ¤ì¡Ã·Õè wishes à¾×èͪèÇÂÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ¢ͧ¤ÍÁ¾ÔÇàµÍÃì·Õèãªé Windows ä´é

àÃÒʹѺʹع¢Í§àÃÒ guides à¹×èͧ¨Ò¡¡Ò÷´ÊͺËÅÒ¡ËÅÒ·ÕèàÃÒä´é´Óà¹Ô¹¡ÒÃã¹ laboratories ¢Í§àÃÒ¤ÇÒÁà¢éҡѹä´é¢Í§â»Ãá¡ÃÁ»ÃÐÂØ¡µìº¹ guides àËÅèÒ¹Ñé¹ ·Ñé§ËÁ´ àÂÕèÂÁªÁàÇçºä«µìµèÍ仹Õé¢Í§ Microsoft à¾×èÍ´ÒǹìâËÅ´ guides ¢Í§àÃÒ:

• windows Vista á¹Ð¹Ó¤ÇÒÁ»ÅÍ´ÀÑÂ:
  http://technet.microsoft.com/en-us/library/bb629420.aspx

  (http://technet.microsoft.com/en-us/library/bb629420.aspx)
• windows XP ºÃ÷ѴËÅÑ¡¤ÇÒÁ»ÅÍ´ÀÑÂ:
  http://go.microsoft.com/fwlink/?LinkId=14839

  (http://go.microsoft.com/fwlink/?LinkId=14839)
• windows ºÃ÷ѴËÅÑ¡¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ Server 2003:
  http://go.microsoft.com/fwlink/?linkid=14845

  (http://go.microsoft.com/fwlink/?linkid=14845)
• á¹Ð¹Ó windows 2000 Security Hardening ÃÒ¡ÒÃ:
  http://go.microsoft.com/fwlink/?LinkId=28591

  (http://go.microsoft.com/fwlink/?LinkId=28591)

¶éҤس»ÃÐʺ»Ñ­ËÒ ËÃ×ÍÁÕ¢éͤԴàËç¹ä´éËÅѧ¨Ò¡·Õè¤Ø³ãªéàÊ鹺͡á¹Ç¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ¢ͧ Microsoft ¤Ø³ÊÒÁÒöãËé¤ÓµÔªÁä´é â´Â¡ÒÃÊ觢éͤÇÒÁÍÕàÁÅãËésecwish@microsoft.com.

á¹ÇµÑ駤èҤ͹¿Ô¡·Ò§¤ÇÒÁ»ÅÍ´ÀÑ ÊÓËÃѺÃкº»¯ÔºÑµÔ¡Òà Windows ÊÓËÃѺ Internet Explorer áÅЪش»ÃÐÊÔ·¸Ô¼Å¢Í§ Office ¹ÕéãËéäÇéã¹µÑǨѴ¡ÒäÇÒÁÊÍ´¤Åéͧ¢Í§ Microsoft ¤ÇÒÁ»ÅÍ´ÀÑÂ:http://technet.microsoft.com/en-us/library/cc677002.aspx.

ÈÙ¹Âì¡ÅÒ§ÊÓËÃѺ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ¢ͧÍÔ¹à·ÍÃìà¹çµ

CIS ä´é¾Ñ²¹Ò benchmarks à¾×èÍãËé¢éÍÁÙÅ·ÕèªèÇÂãËéͧ¤ì¡Ã·Õè·Ó¡ÒõѴÊԹ㨠informed à¡ÕèÂǡѺµÑÇàÅ×Í¡¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·Õè¾ÃéÍÁãªé§Ò¹ºÒ§ÍÂèÒ§ CIS ä´éãËé¤ÇÒÁ»ÅÍ´ÀÑ benchmarks ÊÒÁÃдѺ:

• legacy
• Enterprise
• ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§

¶éҤس»ÃÐʺ»Ñ­ËÒ ËÃ×ÍÁÕ¢éͤԴàËç¹ä´éËÅѧ¨Ò¡·Õè¤Ø³ãªé¡ÒõÑ駤èÒࡳ±ìÁҵðҹ CIS µÔ´µèÍ CIS â´Â¡ÒÃÊ觢éͤÇÒÁÍÕàÁÅìä»Âѧwin2k-feedback@cisecurity.org.

ËÁÒÂà˵Ø:¤Óá¹Ð¹Ó¢Í§ CIS ÁÕ¡ÒÃà»ÅÕè¹á»Å§à¹×èͧ¨Ò¡àÃÒà¼Âá¾Ã躷¤ÇÒÁ¹Õé (3 ¾ÄȨԡÒ¹ 2004) àÃÔèÁµé¹ ¤Óá¹Ð¹Ó¡ÒûѨ¨ØºÑ¹¢Í§ CIS ¤ÅéÒ¡Ѻá¹Ç·Ò§·Õè Microsoft ãËé ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺ¤Óá¹Ð¹Ó·Õè Microsoft ãËé ÍèÒ¹Êèǹ¢Í§ "Microsoft Corporation" ¡è͹˹éÒ㹺·¤ÇÒÁ¹Õé

ªÒµÔ Institute ¢Í§ÁҵðҹáÅÐà·¤â¹âÅÂÕ

NIST ÃѺ¼Ô´ªÍºÊÓËÃѺ¡ÒÃÊÃéÒ§¤Óá¹Ð¹Ó㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂÊÓËÃѺÊËÃÑ°ÍàÁÃÔ¡ÒÊ˾ѹ¸ìÃÑ°ºÒÅ NIST ÊÃéÒ§ÊÕèÃдѺ¢Í§á¹Ç·Ò§¤ÇÒÁ»ÅÍ´ÀÑ·Õèãªé â´ÂµÑÇá·¹¨Ñ´ ËÒÊ˾ѹ¸ì¢Í§ÊËÃÑ°ÍàÁÃÔ¡Ò Í§¤ì¡ÃÊèǹµÑÇ áÅÐͧ¤ì¡ÃÊÒ¸ÒóÐ:

• SoHo
• Legacy
• Enterprise
• Specialized Security – Limited Functionality

If you experience issues or have comments after you implement the NIST security templates, contact NIST by sending an email message toitsec@nist.gov.

ËÁÒÂà˵Ø:NIST's guidance has changed since we originally published this article (November 3, 2004). NIST's current guidance resembles the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

The Defense Information Systems Agency

DISA creates guidance specifically for use in the United States Department of Defense (DOD). United States DOD users who experience issues or have comments after they implement the DISA configuration guidance can provide feedback by sending an email message tofso_spt@ritchie.disa.mil.

ËÁÒÂà˵Ø:DISA's guidance has changed since we originally published this article (November 3, 2004). DISA's current guidance is similar or identical to the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

The National Security Agency (NSA)

NSA has produced guidance to help secure high-risk computers in the United States Department of Defense (DOD). NSA has developed a single level of guidance that corresponds approximately with the High Security level that is produced by other organizations.

If you experience issues or have comments after you implement the NSA Security Guides for Windows XP, you can provide feedback by sending an email message toXPGuides@nsa.gov. To provide feedback on the Windows 2000 guides, send an email message tow2kguides@nsa.gov.

ËÁÒÂà˵Ø:NSA's guidance has changed since we originally published this article (November 3, 2004). NSA's current guidance is similar or identical to the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

Security guidance issues

As mentioned earlier in this article, the high security levels that are described in some of these guides were designed to significantly restrict the functionality of a system. Because of this restriction, you should thoroughly test a system before you deploy these recommendations.

ËÁÒÂà˵Ø:¤Óá¹Ð¹Ó´éÒ¹¤ÇÒÁ»ÅÍ´ÀÑ·ÕèãËéÊÓËÃѺÃдѺ SoHo Ẻ´Ñé§à´ÔÁ ËÃ×Íͧ¤ì¡Ã äÁèä´éÃÒ§ҹä»ÂѧÍÂèÒ§ÁռšÃзºµèͿѧ¡ìªÑ¹¡Ò÷ӧҹ¢Í§Ãкº º·¤ÇÒÁ°Ò¹¤ÇÒÁÃÙé¹Õé¤×Í focused ËÅѡ㹤Óá¹Ð¹Ó·Õèàª×èÍÁ⧡ѺÃдѺ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂÊÙ§ÊØ´

àÃÒ¢ÍʹѺʹع efforts ÍصÊÒË¡ÃÃÁà¾×èÍãËé¤Óá¹Ð¹Ó㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂÊÓËÃѺãªéã¹´éÒ¹¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§¢Öé¹ àÃÒÂѧ·Ó§Ò¹¡Ñº¡ÅØèÁÁҵðҹ¤ÇÒÁ»ÅÍ´ÀÑ¡ÒþѲ¹Ò¤Óá¹Ð¹Ó hardening »ÃÐ⪹ì·Õè¨Ð·´Êͺ·Ñé§ËÁ´ ¤Óá¹Ð¹Ó㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀѨҡºØ¤¤Å·ÕèÊÒÁàÊÁ͹ÓÍÍ¡ãªé ´éǤÓàµ×͹·Õèà¢éÁ§Ç´à¾×èÍ·´Êͺ¡ÒÃá¹Ç·Ò§¡ÒÃã¹ÊÀÒ¾áÇ´ÅéÍÁ㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂÊÙ§à»éÒËÁÒ·Ñé§ËÁ´ ÍÂèÒ§äáçµÒÁ ¤Óàµ×͹àËÅèÒ¹Õé¨ÐäÁèàÊÁÍ heeded µÃǨÊͺãËéá¹èã¨ÇèÒ ¤Ø³ÍÂèÒ§ÅÐàÍÕ´·´Êͺ¡ÒáÓ˹´¤èÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·Ñé§ËÁ´ã¹Ãкºà»éÒËÁÒ¢ͧ¤Ø³ ·ÓãËéÊÔé¹µÑ駤èÒ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèᵡµèÒ§¨Ò¡·ÕèàÃÒ¢Íá¹Ð¹ÓäÇéÍÒ¨ÊØ´ËÁÒ¤ÇÒÁà¢éҡѹä´é¢Í§â»Ãá¡ÃÁ»ÃÐÂØ¡µì·´Êͺ·Õè¶Ù¡·Óà»ç¹Êèǹ˹Ö觢ͧÃкº»¯ÔºÑµÔ¡Ò÷´Êͺ¡Ãкǹ¡Òà ¹Í¡¨Ò¡¹Õé àÃÒáÅкؤ¤Å·ÕèÊÒÁâ´Â੾ÒÐÍÂèÒ§ÂÔè§ discourage ãªé¤Óá¹Ð¹ÓẺÃèÒ§ã¹Ãкº¡ÒüÅÔµ·Õè¶èÒ·ʹʴ᷹ã¹ÊÀÒ¾áÇ´ÅéÍÁ¡Ò÷´Êͺ

ÃдѺÊÙ§ÊØ´¢Í§ guides ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂàËÅèÒ¹ÕéÃÇÁ¶Ö§¡ÒõÑ駤èÒµèÒ§ æ ·Õè¤Ø³¤ÇôÓà¹Ô¹¡ÒÃÍÂèÒ§Ãͺ¤Íº¡è͹·Õè¤Ø³ãªé㹡ÒûÃÐàÁÔ¹¼Å áÁéÇèÒ¡ÒõÑ駤èÒàËÅèÒ¹ÕéÍÒ¨ÁÕ»ÃÐ⪹ì㹡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂà¾ÔèÁàµÔÁ ¡ÒõÑ駤èÒ·ÕèÍÒ¨ÁռŵèÍ adverse usability ¢Í§Ãкº

á¿éÁÃÕ¨ÔÊ·ÃÕáÅÐÃкº¡ÒÃà¢éÒ¶Ö§µÑǤǺ¤ØÁÃÒ¡ÒÃá¡éä¢

windows XP áÅÐ Windows ÃØè¹·ÕèãËÁè¡ÇèÒä´éÁÒ¡ tightened ÊÔ·¸Ôì·ÑèÇ·Ñé§Ãкº ´Ñ§¹Ñé¹ ¡ÒÃà»ÅÕè¹á»Å§¤èÒàÃÔèÁµé¹ËÒäÁè¤ÇèÓà»ç¹

¡ÒÃà»ÅÕè¹á»Å§ÃÒ¡Òà (DACL) ¢Í§µÑǤǺ¤ØÁ¡ÒÃà¢éÒ¶Ö§ discretionary à¾ÔèÁàµÔÁÍÒ¨·ÓãËéÊÔé¹ÊØ´·Ñé§ËÁ´ËÃ×ÍÊèǹãË­è¢Í§¡Ò÷´Êͺ¤ÇÒÁà¢éҡѹä´éá;ÅÔपѹ·Õè¨Ð´Óà¹Ô¹¡Òà â´Â Microsoft ºèͤÃÑé§ ¡ÒÃà»ÅÕè¹á»Å§àªè¹àËÅèÒ¹Õéä´éäÁè undergone ¡Òà thorough ·´Êͺ·ÕèÁÕ»¯ÔºÑµÔ¡Òà Microsoft 㹡ÒõÑ駤èÒÍ×è¹ æ ¡Ã³Õ·ÕèʹѺʹعáÅлÃÐʺ¡Òóì¢Í§¿ÔÅ´ìä´éáÊ´§ÇèÒ á¡éä¢ DACL à»ÅÕ蹡Ò÷ӧҹ¢Í§Ãкº»¯ÔºÑµÔ¡Òà fundamental ºèͤÃÑé§ã¹ÅѡɳзÕèà¡Ô¹ ¡ÒÃà»ÅÕè¹á»Å§àËÅèÒ¹ÕéÁռŵèͤÇÒÁà¢éҡѹä´é¢Í§â»Ãá¡ÃÁ»ÃÐÂØ¡µìáÅФÇÒÁàʶÕÂà áÅÐÅ´¿Ñ§¡ìªÑ¹¡Ò÷ӧҹ à¡ÕèÂÇ¢éͧ¡Ñº»ÃÐÊÔ·¸ÔÀÒ¾áÅФÇÒÁÊÒÁÒö

à¹×èͧ¨Ò¡¡ÒÃà»ÅÕè¹á»Å§àËÅèÒ¹Õé àÃÒäÁèá¹Ð¹ÓãËé¤Ø³á¡éä¢á¿éÁÃкº DACLs ã¹á¿éÁ·ÕèÁÕÍÂÙèã¹Ãкº»¯ÔºÑµÔ¡Òú¹Ãкº¡ÒüÅÔµ àÃÒ¢Íá¹Ð¹ÓãËé ¤Ø³»ÃÐàÁÔ¹¡ÒÃà»ÅÕè¹á»Å§ ACL àµÔÁ¤Ø¡¤ÒÁ·ÕèÃÙé¨Ñ¡·Õèà¢éÒ㨢éÍ´ÕÍÒ¨à¡Ô´¢Ö鹫Öè§à»ÅÕè¹á»Å§ÍÒ¨Â×Á¡ÒáÓ˹´¤èÒ·ÕèÃÐºØ guides ¢Í§àÃÒãªé·Ó¡ÒÃà»ÅÕè¹á»Å§ DACL ¢Ñé¹µèÓà¾Õ§ÁÒ¡ÊØ´´éÇÂà˵ؼÅàËÅèÒ¹Õé áÅÐ੾ÒÐ ¡Ñº Windows 2000 ÊÓËÃѺ Windows 2000 ¡ÒÃà»ÅÕè¹á»Å§µèÒ§ æ ·ÕèÃͧ¨Ð¨Óà»ç¹ ¡ÒÃà»ÅÕè¹á»Å§àËÅèÒ¹Õé¨Ð͸ԺÒÂäÇéã¹¹Ñé¹windows 2000 Security Hardening ÃÒ¡ÒÃá¹Ð¹Ó.

à»ÅÕè¹á»Å§ÊÔ·¸Ôì·ÕèËÅÒ¡ËÅÒ·Õèá¾Ãè¡ÃШÒ·ÑèÇ·Ñé§ÃÕ¨ÔÊ·ÃÕáÅÐá¿éÁÃкºäÁèÊÒÁÒöàÅÔ¡·Ó â¿Åà´ÍÃìãËÁè àªè¹â¿Åà´ÍÃìâ»Ãä¿Åì¢Í§¼Ùéãªé·ÕèäÁèÍÂÙè㹡ÒõԴµÑé§Ãкº»¯ÔºÑµÔ¡Òà µé¹©ºÑº ÍÒ¨ä´éÃѺ¼Å¡Ãзº ´Ñ§¹Ñé¹ ¶éҤسàÍÒ¡ÒõÑ駤èÒ Group Policy ·Õè·Ó¡ÒÃà»ÅÕè¹á»Å§ DACL ËÃ×ͤسãªéà»ç¹¤èÒàÃÔèÁµé¹Ãкº ¤Ø³äÁèÊÒÁÒöÂé͹¡ÅѺ DACLs ·Õèà´ÔÁ

à»ÅÕè¹à»ç¹ DACL ã¹¹Ñé¹% SystemDrive %â¿Åà´ÍÃìÍÒ¨·ÓãËéà¡Ô´Ê¶Ò¹¡ÒóìÊÁÁµÔµèÍ仹Õé:

• ÍÍ¡¶Ñ§ÃÕä«à¤ÔÅäÁè¿Ñ§¡ìªÑ¹à»ç¹áºº áÅÐäÁèÊÒÁÒö¡Ùé¤×¹á¿éÁ
• Å´¤ÇÒÁ»ÅÍ´ÀÑ·ÕèªèÇÂãËé´ÙäÁèãªè¼Ùé´ÙáÅà¹×éÍËҢͧàÇçºä«µì¢Í§¼Ùé´ÙáŶѧÃÕä«à¤ÔÅ
• ÅéÁàËÅǢͧâ¾Ãä¿Åì¼Ùéãªé·Ó§Ò¹ÍÂèÒ§·Õè¤Ò´äÇé
• Å´¤ÇÒÁ»ÅÍ´ÀÑ·ÕèãËé¼ÙéãªéẺâµéµÍº¡Ñº¡ÒÃà¢éҶ֧ẺÍèÒ¹ºÒ§Êèǹ ËÃ×Íâ¾Ãä¿Åì¼Ùéãªé·Ñé§ËÁ´ã¹Ãкº
• »Ñ­ËÒ´éÒ¹»ÃÐÊÔ·¸ÔÀÒ¾àÁ×èÍá¡éä¢ DACL ¨Ó¹Ç¹ÁÒ¡ä´éâËÅ´äÇéã¹ Group Policy object «Ö觻ÃСͺ´éÇÂàÇÅÒ¡ÒÃà¢éÒÊÙèÃкº·ÕèÁÕ¤ÇÒÁÂÒÇËÃ×ÍàÃÔèÁÃкºãËÁè«éӢͧÃкºà»éÒËÁÒÂ
• »Ñ­ËÒ»ÃÐÊÔ·¸ÔÀÒ¾¡Ò÷ӧҹ ¡ÒÃÃÇÁÃкº slowdowns ·Ø¡ æ ªÑèÇâÁ§ 16 ËÃ×Í à¾×è͵Ñ駤èÒà»ç¹ reapplied à»ç¹'¹âºÒ¡ÅØèÁ'
• »Ñ­ËÒ¤ÇÒÁà¢éҡѹä´é¢Í§â»Ãá¡ÃÁ»ÃÐÂØ¡µìËÃ×Íâ»Ãá¡ÃÁ»ÃÐÂØ¡µì»Ñ­ËÒ

à¾×èͪèǤس㹡ÒÃź¼ÅÅѾ¸ì¢Í§¡ÒÃàªè¹ÊÔ·¸Ôìã¹á¿éÁáÅÐÃÕ¨ÔÊ·ÃÕ worst, Microsoft ¨ÐãËéàËÁÒÐÊÁ¨Ó˹èÒ efforts line with ÊÑ­­Ò½èÒÂʹѺʹع¢Í§¤Ø³ ÍÂèÒ§äáçµÒÁ ¤Ø³äÁèÊÒÁÒöÍÂÙèÂé͹¡ÅѺ¡ÒÃà»ÅÕè¹á»Å§àËÅèÒ¹Õé àÃÒÊÒÁÒöÃѺ»ÃСѹà·èÒ¹Ñé¹·Õè ¤Ø³ÊÒÁÒö¡ÅѺ价Õè¡ÒõÑ駤èÒÍ͡㹤ÃÑ駷Õèá¹Ð¹Ó â´Â¡ÒÿÍÃìáÁµä´Ã¿ìÎÒÃì´´ÔÊ¡ìãËÁè áÅÐ â´Â¡ÒõԴµÑé§Ãкº»¯ÔºÑµÔ¡ÒÃ

µÑÇÍÂèÒ§àªè¹ »ÃѺà»ÅÕè¹ÃÕ¨ÔÊ·ÃÕ DACLs ÁռŵèÍÊèǹãË­è¢Í§¡ÅØèÁÃÕ¨ÔÊ·ÃÕ áÅÐÍÒ¨·ÓãËéÃкº·Ó§Ò¹äÁèä´éµÒÁ·Õè¤Ò´äÇé ¡ÒûÃѺà»ÅÕè¹ DACLs º¹ poses ¤ÕÂìÃÕ¨ÔÊ·ÃÕà´ÕÂǹéÍÂÁջѭËҡѺÃкº·ÕèãË­è¢Öé¹ ÍÂèÒ§äáçµÒÁ ¢Íá¹Ð ¹ÓãËé ¤Ø³ÍÂèÒ§ÃÐÁÑ´ÃÐÇѧãËé¾Ô¨Òóҷ´Êͺ¡è͹·Õè¤Ø³ãªé¡ÒÃà»ÅÕè¹á»Å§àËÅèÒ¹Õé ÍÕ¡¤ÃÑé§ àÃÒÊÒÁÒöÃѺ»ÃСѹà·èÒ¹Ñé¹·Õè ¤Ø³ÊÒÁÒö¡ÅѺ价Õè¡ÒõÑ駤èÒÍ͡㹤ÃÑ駷Õèá¹Ð¹ÓËÒ¡¤Ø³¿ÍÃìáÁµãËÁè áÅеԴµÑé§Ãкº»¯ÔºÑµÔ¡ÒÃ

ä¤ÅàÍç¹µìà¤Ã×Í¢èÒ¢ͧ Microsoft: à«ç¹ª×èÍẺ´Ô¨Ô·ÑÅÊ×èÍÊÒà (àÊÁÍ)

àÁ×èͤسà»Ô´ãªé§Ò¹¡ÒõÑ駤èÒ¹Õé ä¤Åà͹µìµéͧŧ»ÃÔÁÒ³¡ÒÃãªé§Ò¹¢Í§ºÅçÍ¡¢éͤÇÒÁà«ÔÃì¿àÇÍÃì (SMB) àÁ×èͼÙéµÔ´µèÍà«ÔÃì¿àÇÍÃì·ÕèäÁèµéͧ¡ÒÃŧÅÒÂÁ×ͪ×èÍã¹ smb «Ö觷ÓãËéä¤Åà͹µì¹é͵è͡Ѻà«ÊªÑ¹ hijacking â¨ÁµÕ áÅÐÁÕ¤èÒ·ÕèÊӤѭ áµèäÁè ÁÕ¡ÒÃà»Ô´ãªé§Ò¹¤ÅéÒ¡ѹà»ÅÕ蹺¹à«ÔÃì¿àÇÍÃì¡ÒÃà»Ô´ãªé§Ò¹à«ÔÃì¿àÇÍÃìà¤Ã×Í¢èÒ¢ͧ Microsoft: à«ç¹ª×èÍẺ´Ô¨Ô·ÑÅÊ×èÍÊÒà (àÊÁÍ)ËÃ×ÍMicrosoft network client: Digitally sign communications (if client agrees), the client will be unable to communicate successfully with the server.

¤ÇÒÁ»ÅÍ´ÀÑ¢ͧà¤Ã×Í¢èÒÂ: äÁèà¡çº¤èÒáμÙé¨Ñ´¡Òà LAN 㹡ÒÃà»ÅÕè¹á»Å§ÃËÑʼèÒ¹¶Ñ´ä»

When you enable this setting, the LAN Manager (LM) hash value for a new password will not be stored when the password is changed. The LM hash is relatively weak and prone to attack compared with the cryptographically stronger Microsoft Windows NT hash. Although this setting provides extensive additional security to a system by preventing many common password-cracking utilities, the setting can prevent some applications from starting or running correctly.

Ãкº¡ÒÃà¢éÒÃËÑÊ: ãªé FIPS algorithms ·Õèà¢éҡѹä´éÊÓËÃѺ¡ÒÃà¢éÒÃËÑÊÅѺ hashing áÅÐà«ç¹ª×èÍ

When you enable this setting, Internet Information Services (IIS) and Microsoft Internet Explorer use only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only web browsers that support TLS 1.0 can connect. If this setting is enabled on a web client, the client can connect only to servers that support the TLS 1.0 protocol. This requirement may affect a client’s ability to visit websites that use Secure Sockets Layer (SSL).ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁ ãËé¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õé à¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft::
Additionally, when you enable this setting on a server that uses Terminal Services, clients are forced to use the RDP client 5.2 or later versions to connect.

ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁ ãËé¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õé à¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft::

Automatic Update service or Background Intelligent Transfer Service (BITS) is disabled

One of the key pillars of the Microsoft security strategy is to make sure that systems are kept current on updates. A key component in this strategy is the Automatic Updates service. Both Windows Update and Software Update services use the Automatic Updates service. The Automatic Updates service relies on the Background Intelligent Transfer Service (BITS). If these services are disabled, the computers will no longer be able to receive updates from Windows Update through Automatic Updates, from Software Update services (SUS), or from some Microsoft Systems Management Server (SMS) installations. These services should be disabled only on systems that have an effective update-distribution system that does not rely on BITS.

NetLogon service is disabled

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

NoNameReleaseOnDemand

This setting prevents a server from relinquishing its NetBIOS name if it conflicts with another computer on the network. This setting is a good preventive measure for denial of service attacks against name servers and other very important server roles.

àÁ×èͤسà»Ô´ãªé§Ò¹¡ÒõÑ駤èÒ¹Õ麹àÇÔÃì¡Ê൪ѹ àÇÔÃì¡Ê൪ѹ refuses relinquish ª×èÍ NetBIOS áÁéÇèÒª×è͢ѴáÂ駡Ѻª×èͧ͢ÃкºÊӤѭÂÔè§ àªè¹µÑǤǺ¤ØÁâ´àÁ¹ ʶҹ¡ÒóìÊÁÁµÔ¹ÕéÊÒÁÒö»Ô´ãªé§Ò¹¿Ñ§¡ìªÑ¹¡Ò÷ӧҹ¢Í§â´àÁ¹·ÕèÊӤѭ Microsoft ¢ÍʹѺʹع efforts ÍصÊÒË¡ÃÃÁà¾×èÍãËé¤Óá¹Ð¹Ó´éÒ¹¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÓËÃѺ¡ÒÃãªéã¹´éÒ¹¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·ÕèÊÙ§ ÍÂèÒ§äáçµÒÁ ¤Óá¹Ð¹Ó¹ÕéµéͧÁÕÍÂèÒ§ÅÐàÍÕ´·´Êͺã¹ÊÀÒ¾áÇ´ÅéÍÁ¢Í§à»éÒËÁÒ ¢Íá¹ÐÇèÒ ¼Ùé´ÙáÅÃкº·Õèµéͧãªé¡ÒõÑ駤èÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂà¾ÔèÁàµÔÁà¡Ô¹¡ÇèÒ¤èÒàÃÔèÁµé¹ãªé guides ÍÍ¡ Microsoft à»ç¹¨Ø´àÃÔèÁµé¹ÊÓËÃѺ¤ÇÒÁµéͧ¡Òâͧͧ¤ì¡Ã¢Í§µ¹àͧ ¡ÒÃʹѺʹع ËÃ×Í ÊÓËÃѺ¤Ó¶ÒÁà¡ÕèÂǡѺºÃÔÉÑ· guides µÔ´µèÍͧ¤ì¡Ã·Õè¤Óá¹Ð¹Ó㹡ÒùÓÍÍ¡ãªé

´Ù¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺ¡ÒõÑ駤èÒ¤ÇÒÁ»ÅÍ´ÀѤء¤ÒÁáÅÐ Countermeasures: ¡ÒõÑ駤èÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂã¹ Windows Server 2003 áÅÐ Windows XP. àÁ×è͵éͧ¡ÒôÒǹìâËÅ´ÃÒ¡ÒÃá¹Ð¹Ó¹Õé áÇÐä»·ÕèàÇçºä«µìµèÍ仹Õé¢Í§ Microsoft:ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺ¼Å¢Í§¡ÒõÑ駤èÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑÂà¾ÔèÁàµÔÁ·ÕèÊӤѭºÒ§ ¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õéà¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft:ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺÅѡɳоÔàÈÉ¡Ó˹´ãËé algorithms ·Õèà¢éҡѹä´é¡Ñº FIPS ¤ÅÔ¡ËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õéà¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft:Microsoft ¨ÐãËé¢éÍÁÙŵԴµèͧ͢ºÃÔÉÑ·Í×è¹ à¾×èͪèÇÂãËé¤Ø³ÊÒÁÒö¢ÍÃѺ¡ÒÃʹѺʹع·Ò§à·¤¹Ô¤ä´é ¢éÍÁÙŵԴµè͹ÕéÍÒ¨à»ÅÕè¹á»Å§â´ÂäÁèµéͧá¨é§ãËé·ÃÒºÅèǧ˹éÒ Microsoft äÁèÃѺ»ÃСѹ¤ÇÒÁ¶Ù¡µéͧ¢Í§¢éÍÁÙÅ¡ÒõԴµè͡ѺºÃÔÉÑ·Í×è¹æ àËÅèÒ¹Õé

For information about your hardware manufacturer, visit the following Microsoft website: