MỤC LỤC
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows 
KIỂM TRA THIẾT LẬP VÀ CẤU HÌNH AN TOÀN MÁY CHỦ WINDOWS
1 . Giới thiệu
 !"
#$%&'$()*+,-./ !"0$1
!20!3$4'2+56'7(
)84!74'!&977+
2 . Kiểm tra các phiên bản hệ điều hành
• :5
• ;<<<
• =!$!;<<>
• =!$!;<<?
3 . Kiểm tra cập nhật các bản vá lỗi
3.1. Hotfixes
@#$'AB8 !"+C&DEF$G!
HI&J#"K!(*LLMNN$O
P+
QR"KSTUU+!"+U!V
!"WSTUU+!"+V
WTX*L !"W/LLM4
(40O1!-+
CNN40T
CTYQ=YF!!Znet start WUAUSERV
RO
=![Z!![ZF!![ZW
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;
CNN\T
@7!88!$!$'A]6$O+
TUU+!"+U[UU+K^_`ab
3.2. Service packs

@NN]$c$9LM*+
=!$%&NN$0N/2
Ld28Ld!-/4$d#$(*+
56'NNLMJe&N($(
$+
=!$%&'"KLML$0
O]S%<< f><< V+
Q=!$%STUU+!"+UV
COTCOgP$](deO40+
@h.T:7!&%D(!L]+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows >
WSUS (Windows Server Update Services),
=W==!$!T540'"K$'=!$%
]+
=W=CTC&'"K$'=!$%
9=W==!$!O9 !"+
Q=W=STUU+!"+UV
if'7NN!$%7]6/6-
NN"K40/j'$N$'
$'AT
• =STUU++!U!UV
• !"STUU+!"+U!UV
• =!"STUU+!"+U!$UV
• %=!STUU+%!!+!UV
4 Windows Access Control
4.1. Phân quyền NTFS (NTFS Permission)
,():5k=%(7!8eLM
"!1el:5k=+
C'2m8:5k=T
• !S)VT5e0LE$=!$]Share Name

nShare/=!ge)&
Everyone Full ControlL$Nn!!Ne$]
77!+
5e=!ef7!$fN!
+
• FSi&!VTF&LM6-T
o F$
o F
o F!!!$
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows a
o F$
o Fo
o F
o F!$
o F!!%
o F$
4.1.1. Audit account logon events
[ 
[           

 
!
[ "
[i&!p0LpDE$O!9
'2%'!'2%&!LMDE&K'N
%+
[  ,2  ET  :Lp  g  m  N  $  '  2    G
!"/LLMK'4l''7LMK'
4LpDE
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows q

[54*0''7$%&!'4%('
8+
[#$ 
4.1.2. Audit account management
[i&!A4%(7f0LpDE.
%SLpg/Lpg/O'2V!C=Q@
Lpg!7'2/dLM6-+,2E#4%(
T
o 5e0%Lpg
o 570LpDE$0
o rs7%LpDE
o 5sN%c%LpDE
[ X''/5s%+
[ A  0  !$!  O  /    t  %&  !  @  =!
F !$%l+
[ C8''7$'8%&!#
4%(
4.1.3. Audit directory service access
[i&!4%(7fLpg!N*LM
F$Q!!uLM-&j!N8Lp
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows `
DE(*'%&!NS=FC@V
8*LM+
[=FC@S=FC!@V80*LMFQK'1
>ET
o C'%S8LpgOVtLM%&!
o C'e!NtLM%&!/veLn/e/
D/++
o 56efN*LM
4.1.4. Audit logon events

i&!4%(7fLpDEmN/mK6+
,2ETi0LpmN$Ld''!eL
%'''4(K'4
[ =4%(LMd'*wmNK!+
[ E2e#4%(!7'2!7e
4.1.5. Audit object access
i&!4%(%Lpg!N0*LM+C'*
LMT
o k
o 5LE
o '
o x!
o r*LMF$Q!!
[ 5!4f6%y*LM=FC@t-h
%&!
[ isfh6-f%0E
&&j!N$7+
[ 5Lp%2e!7'!LpN+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows b
4.1.6. Audit policy change
[ i&!4%77f4s0!z2
'{%$4!7'2
o )
o i&!2'
o *(N
[ :76-h0'!7e
4.1.7. Audit privilege use
[  A4%(7f0Lpg4(0(
$ELM%&l0Lpg
[ rLMsf$*6&6-hc16

''2!7e+
4.1.8. Audit process tracking
[ i&!4%(7ff!-!7'2
[ ,2ET$(%2eLd!-/'f!-/'!-/KD.
J/$*LM!N'f
[ hc1te0*'4%($Lp%
LM6-/!9%0hELMjE
2%wE4*+
4.1.9. Audit system events
[ C'4%(7fN(*$NmN
|tLMj%%&!LM%2e+
[ ,2ETil0e'2O'2/%mN
tLMK}
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ?
4.2. Enctyption (Mã hóa).
4.2.1. Giới thiệu
[ =!$!;<<?6K)42mu0s
3n~@%!Q!$!I!S~@%!V&$((
$#(LML!#!73
[ ~@%!Q!$!I!Jeu6#(LM
L!#!7%*LM($6-%*LM
#(
[ ~\'DE05!"!S5 V/|
&P2$•8'%l0+
[ ~@%!7](!,$
=!$!;<<?$NN$]$('8b$
=!$!;<<?x;+
4.2.2. Điều kiện và thực hiện
r~@%!&LMn0-sh8e26
;!$;!LM1e:5k=+il

0  '  2  \  3    O    =!$!  ;<<?
=%OK=!$!;<<?/e$Server Manager.
C07Features/nAdd Features. 5!0eSelect
Features/'6n$BitLocker Drive Encryption
l2m~@%!Q!$I!!7'%
5
, Start\Run/jT gpedit.msc. 5! console Local Group Policy
Editor/  % Computer Configuration/    6  0  8
Administrative Templates/  n Windows Components/  n
BitLocker Drive Encryption+C0$ Control Panel SetupT
Enable Advanced Startup Options/  n Properties. :6  n
Enable/'6%$gn Allow BitLocker without a
compatible TPM/      6  €i+  =    $ Start\Run/  j
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows •
4.2.3. Compression (Nén).
4.2.4. Transactional (Giao tiếp).
4.2.5. Max size (Dung lượng lớn =16TB).
4.3. Sử dụng DACL (Discretionary Access Control List) để phân quyền cho
tập tin và thư mục.
4.3.1. DACL thực thi với
• @W!+
• HH=W!SR55„k5V+
• xQ%!+
• =!k!+
• 5+
4.3.2. DACL mặc định như sau
• =TkC!+
• F!!TkC!+
• C8l#TkC!+
• W!K'4Tx„IK+

n7!7:5k=8l#+C8l#t
kC!*$]k!/="!/k+
:7w)0!‚LM6lh*
&6+5h‚6#44f8&!
4(LM0$(++
a+>+;++)LE…S=!k!!V
54()$]'7…/]e
I$!%LMJ!N$'7…+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows 
R-}
if'7†B6'…%DES
…O1V/'…fLMfN)+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;
a+>+;+;+)x!Sx!i!V
R-}
CfN$()*$]x!/lB6'
%$LpgS!9F!!V*$]x!+
a+>+;+>+rOSW!xV
W!x#fN!7'2\%&'K
0W!m0X!&4(#'-*$]'
2+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows >
R-}
:#fN&T
• %
• "&%
• "%
• !##%
•  ##%
• '%

•  "&%
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows a
0*fNL.T
•  RefLpmN00‡
•  #  Ref
LpgxQ%+
•  "&5sl
#8*LM+
• ('~BfN)
:5k=+
5. Thiết lập GPO
5!;<<>/ ;<<?  % DE!    F
@%-6'!!(*1Ll+
,=![[Z!![[ZF!$5/n=!$! !
=/e%Q"Q/nI+
:f  %  6  e      "!  7  h  m  X!  
+  ,-    .        7  e      7  F$
Q!!Q=!$\'!!
l  C!  C"!Y  =Y=!  =YF
Y!+
=%6-KU"!+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows q
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows `
5.1. Password Policy
:\N%c8e/N%c*;b
%.4+
if'fNT
• @1DN%cT;aN%c+
• :LN%c*T•<+
• :LN%c*&T+

• CN%c*&Tq%.4+
• N%c'h'7heTI+
5.2. Account Lockout Policy
:\*e$(!"!N%cm'N%c+
if'fNT
• 5p%%T;<P+
• :L†%1%Tq+
• 5fNe*f%%TaqP+
5.3. Security Options
F!!U@=!
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows b
if'0*fN\T
r*$]=T
• 5g‚(Lpg+
• ,(C!+
• ,(EDsx!+
• C‚JehE8+
• iJe#hEO(++
• ,(F!7CQ[x€ O#s3%'+
r*$]=T@U@""
• ,(5% !+
• ,(@%C!+
• ,(C!+
• ,(@""+
r*$]CTIK!
• Xl :!%Q!$$Q:!%Q!$+
• ˆ#s3‚1! C!+
• :mO!Nfs19 C!+
• XlC!)N! :!%+
• XlI!:!%! :!%+

r*$]CT5%=!
• ˆ!!+
• :mO5%xOI+
• ,(Q![[Q!+
• ,(:5%C!+
• ,(5%Q+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ?
• ,(F$ +
• C6~!+
r*$]=! „5%!
• XlB#Ld!-sf9=! +
• XlB(x9=! +
• ,($lB(=Q+
r*$]C!
• ,(C!+
• ˆ#LM‚1+
r*$]C!TFUx$!!
• ,(FUx$!!+
• ˆgnF!!"!CQ[x€ !"%+
r*$]C!TQ
• ,(Q!C!+
• ˆ~%!+
• ,(hms-+
• ˆF!+
• ˆ=+
• ˆ=!=$!+
r*$]:!%T:!%„Q[WC
• C6%f*xF=+
• C6!Nf028%f*@F:+
• C6!NfF$=+

• C66-%f*t+
• C66-5CUH)+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows •
5.4. Guest Account
)*
5%X%&%40mN+
if'T
• :7$(%XOfNEN%c
‰7%X$409*%
X$]z=k=!{+
5.5. Administrative Accounts
)
0*%f'T
• 42'N%ce*$]%
F!!S N%c!7`%.4/
'#'/%.4*/%.4O(V
• Š7K'4*$]%F!!+
• ~N2m%%%mNq+
• :7s7%F!!0%%'+
• 5ecF!!%us7%N+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;<
• =D  E      %T x!  SD E Lp
K7V$F!$SDE%fV+
6 . Quản lý dịch vụ
6.1. Đảm bảo an toàn cho các dịch vụ
if'T
• G'1#1$E%f+
• XlBO$(P+
6.2. Cách thức vô hiệu hóa dịch vụ
=DET

• =!$
• =!5
• X€SX!€oV
• =C+IGI
6.3. Một số dịch vụ và cổng thực thi
• = ~T5CU>•Uaaq+
• xCT5CU>q+
• @QFT5CU>?•U`>`U>;`?U>;`•+
• i!!T5CUWQU??+
• Q:=TWQU5CUq>+
• xQT5CU>>?•+
• 5T5CUb;>+
• =‹@=!$!T5CUWQUa>>Ua>a+
• :~H€=T5CUWQU>b/WQU>?/5CU>•+
• H=ICTWQUq<<Uaq<<+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;
Thông tin về một số dịch vụ tham khảo khi kiểm tra HDH.
• Alerter: Q1$EP'''2$
LpgLMn#4'26
2+~e&fe6f$]e+
:f%-uw+
• Application Layer Gateway : Cffe*g
k! !  S  H!  C k! V
O  C  …      e  8    S  
H!C=!V+=t!6$EfLe
%g;hE!7+
• Application Management :~e%ge
$]^~e%.1%&!-
e^:f%uQ+
• Automatic Updates : ~e * ' 4 0 N  N

+*!LpM*%f*&NN
8)%f+:fNN%6(
-%NN/n!9'ssN]-
4$!"NN+
• Background Intelligent Transfer : RA  !M  
W/fewFWl!7-$(
1$E\hO(*+
• Clipbook : C  J  e  K  #  -  L  !#  !
C!/wKfP!N4&&'$E
#-!C!+~e&%
!nn$(fL$N+5wtP'(C[
[Cd+~e&Kn0Lf
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;;
  ' ' !+K $  ( x !  =!
+
• COM+ : C    I$  =  $  =  F
=!$P.$w !"ŒC
€o +:fLe-&$$6/‚
!"])!p*6\fT
www.microsoft.com/com/tech/complus.asp.:/
&0tf1$E&e/*
6efNlf0 
• Computer Browser :i7-f!-(
8e+•31$Ej#(*
%'%f*$'ee…++++‹f1
ge
• Cryptographic services: Q1$EhN[''
!G+Cge6%f$]/
L%7e7&e$-$2m%'8
%'#2L%&!hN!-%&'

f18K+
• DHCP Client: ie7eO%/1$Et
61‚He+~e&Dw+:Lf
ewO#$6A/(e+(Ý kiền cá
nhân: +,-./0"12314"1
3151/467.)
• Distributed Link Tracking Client : ‹.'=!
fN!7=!$!+:feu$(;1
$E!7-|7B'+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;>
• DNS Client:Q1$E'$fN00($
7&A!M'2eDE+:fe
%DEH!-7w1$E+
• Error Reporting :540'A&2
m%'*L%e'$$E+
• Event Log : ~B+:($E8‚e#'
'%%&+SÝ kiền cá nhân: 82,-9#:
;#<0-2=2;>?/@
A;B;>?/@CD%V
• Fast User Switching Compatibility : :fe%g
'$]Lp-$('mm
4'!6+
• Help and Support :=4!MP.'6%
O%%m+
• HTTP SSL: if*9f!$!LM4(\
hR55=SR55ƒ==@V+C‚DE1$E
%ee=!$!+
• Human Interface Device Access Service: l!0$
%&#2!7'f1N+,2E#
P6!72[:K[H![=!+:fe

% Lpg /w1 $E $NLl
<+?qŽ(*d+
• IIS Admin: CJe.1$E$k5
1$EH!H"!=!$SHH=V+:f
e%gf#1$E!7-uw+
• IMAPI CD-Burning COM Service :5N4!g:!
3!4d1$E•!G+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;a
• Indexing services: 540!!7sh
\P'hEL=!8/€""G
ed+57f7$N
4%Kh'$]2mn0+
• IPSEC services: :fL'28e0$n
$•$%f*$]'%'l,:-H!
!=!SH=ICV&f+57
%'dLl'-#0f$N+5epw
+
• Logical Disk Manager : :fLe*.3
h8-S6!7&LM C!/
n !fQ% V/-1$E
%&1$(+,-!-Q% E
01$E&e+57/te%
f  Lp K7 Q%   /  f N   
t*6+
• Messenger: ,m!L]/#%…=!uN!
'&D!(=fLpgG
 !+@nB1$E4n
'*
• MS Software Shadow Copy Provider/Volume Shadow
Copy: RA!M !"~%'!-L3

%'+ 0#/e&D$(w/f
!$(L-%l0etf
$6+
• Net Logon: RA!M$(h4&mN$0
'-0+
Hướng dẫn kiểm tra và thiết lập an toàn máy chủ Windows ;q