Security Hardening Suggestions for Windows Hosts

Configure security groups and open only necessary ports to the public network. Protect the service web console ports and LAN internal communication ports from being exposed to the public network. Disable high-risk ports (135, 139, and 445) or allow limited source IP addresses to access the ports.
Do not run applications using the administrator account. Disallow applications (such as webs) to use the database administrator account to interact with databases.
Periodically back up service data remotely to prevent data loss caused by intrusions.
Periodically detect security vulnerabilities in the system and software, update system security patches in a timely manner, and upgrade the software to the latest official version.
Download and install the software from official channels. For the software downloaded from non-official channels, use antivirus software to scan it before running.
Do not open suspicious email links or web page links.
Do not use the default password or a weak password for the default account.
Set OS system passwords (including administrators and common users) and database account passwords. Set strong passwords for the management account of the web application system. The passwords must contain at least 12 characters.
To improve password strength,
- Do not use empty passwords or default passwords.
- Set a long and complex password.
- Do not set duplicate consecutive characters (for example, AAAAAAAA) or a combination of repeated characters (for example, 123123).
- Use complex combinations. For example, ensure that your password contains uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters.
- Do not use the name, date of birth, commemorative date, login name, email address, or words in the dictionary.
- Do not use common acronyms or abbreviations, for example, passwd.
- Change the password periodically.
- Do not contain Huawei or adjacent characters on the keyboard, for example, 123qwe!@# and passwd.