Windows 2000 contains many security features and options. If you configure them properly, then Windows 2000 will be a very secure operating system. I took some time to look through a few websites, translated and pieced things together, and put together a checklist. I hope it will be of some help to Win2000 administrators. There is nothing especially profound in this article, and this so-called checklist is not complete either. A lot of things will have to be added gradually later on. I hope it can serve as a reference for administrators.
The specific checklist is as follows:
Basic security section
1. Physical security
The server should be placed in an isolated room equipped with monitors, and the monitors should keep video records for more than 15 days. In addition, the case, keyboard, and computer desk drawers should be locked, to ensure that even if someone else enters the room, they still cannot use the computer. The keys should be kept in another secure place.
2. Disable the Guest account
Disable the guest account in the users section of Computer Management. The guest account must never be allowed to log into the system at any time. To be safe, it is best to also give guest a complex password. You can open Notepad, enter a long string containing special characters, numbers, and letters, and then paste it in as the password for the guest account.
3. Restrict the number of unnecessary users
Remove all duplicate user accounts, test accounts, shared accounts, ordinary department accounts, etc. Set the corresponding permissions through group policies, and regularly check the system's accounts, deleting accounts that are no longer in use. These accounts are often the breakthrough point hackers use to break into a system. Generally speaking, the more system accounts there are, the greater the chance hackers have of obtaining the privileges of a legitimate user. On domestic NT/2000 hosts, if the system has more than 10 accounts, you can generally find one or two weak-password accounts. I once found a host where 180 of its 197 accounts actually had weak passwords.
4. Create 2 administrator-use accounts
Although this seems a bit contradictory to the point above, in fact it follows the same rule. Create one account with ordinary privileges for receiving mail and handling some daily matters, and another account with Administrators privileges that is used only when needed. Administrators can use the “RunAs” command to carry out tasks that require privileges, which makes management more convenient.
5. Rename the system administrator account
Everyone knows that the administrator account in Windows 2000 cannot be disabled. This means others can try this account's password over and over again. Renaming the Administrator account can effectively prevent this. Of course, please do not use a name like Admin; changing it like that is the same as not changing it at all. Try to disguise it as an ordinary user, for example: guestone.
6. Create a trap account
What is a trap account? Look! Create a local account named “Administrator”, set its permissions to the lowest level so it can do nothing at all, and give it a super-complex password over 10 characters long. This can keep those Scripts busy for a while, and can also help you discover their intrusion attempts. Or you can tamper with its login scripts a bit. Hehe, pretty nasty!
7. Change shared file permissions from the “everyone” group to “Authorized Users”
In Win2000, “everyone” means that any user who has access to your network can obtain those shared materials. Never set the users of shared files to the “everyone” group under any circumstances. This includes printer sharing; the default property is also the “everyone” group, so be sure not to forget to change it.
8. Use secure passwords
A good password is very important for a network, but it is also the easiest thing to overlook. What was said earlier may already explain that. When creating accounts, administrators at some companies often use the company name, computer name, or some other easy-to-guess thing as the username, then set the password for these accounts to something ridiculously simple, such as “welcome”, “iloveyou”, “letmein”, or even the same as the username. Such accounts should require users to change them to complex passwords when they log in for the first time, and passwords should also be changed regularly. A few days ago when discussing this issue with someone on IRC, we came up with a definition of a good password: a password that cannot be cracked within its valid period is a good password. That is, if someone gets your password document, they must need 43 days or more to crack it, while your password policy requires passwords to be changed every 42 days.
9. Set a screen saver password
Very simple and very necessary. Setting a screen saver password is also a barrier against internal personnel damaging the server. Be careful not to use OpenGL or some complicated screen savers, since they waste system resources. A blank screen is enough. One more thing: it is also best to add screen saver passwords to all machines used by system users.
10. Use NTFS partitions
Convert all partitions on the server to NTFS format. The NTFS file system is much more secure than FAT and FAT32. No need to say more about this; I assume everyone's server partitions are already NTFS.
11. Run antivirus software
Among the Win2000/NT servers I have seen, I have never seen one with antivirus software installed. Actually, this is very important. Some good antivirus software can not only kill some well-known viruses, but can also detect and remove large numbers of trojans and backdoor programs. That way, those famous trojans used by “hackers” will be useless. Don't forget to update the virus definitions regularly.
12. Ensure the security of backup disks
Once system data is damaged, backup disks will be your only way to recover the data. After backing up the data, store the backup disks in a safe place. Never back up the data on the same server; if you do that, it's almost better not to back it up at all.
Intermediate security section:
1. Use Win2000's security configuration tools to configure policies
Microsoft provides a set of MMC-based (Management Console) security configuration and analysis tools. Using them, you can very conveniently configure your server to meet your requirements. For details, please refer to Microsoft's homepage:
http://www.microsoft.com/windows2000/techi...y/sctoolset.asp
2. Turn off unnecessary services
Windows 2000's Terminal Services, IIS, and RAS may all bring security holes to your system. In order to conveniently manage servers remotely, many machines have terminal services enabled. If yours is enabled too, make sure you have configured terminal services correctly. Some malicious programs can also quietly run as services. Pay attention to all services enabled on the server, and check them regularly (daily). The following are the default services for a C2-level installation:
Computer Browser service
TCP/IP NetBIOS Helper
Microsoft DNS server
Spooler
NTLM SSP
Server
RPC Locator
WINS
RPC service
Workstation
Netlogon
Event log
3. Close unnecessary ports
Closing ports means reducing functionality, so you need to make some decisions between security and functionality. If the server is installed behind a firewall, the risk will be somewhat less, but never think you can rest easy. Using a port scanner to scan the ports opened on the system and determine which services are open is the first step for hackers breaking into your system. The \system32\drivers\etc\services file contains a reference table of well-known ports and services. The specific method is:
My Network Places>Properties>Local Area Connection>Properties>Internet Protocol (TCP/IP)>Properties>Advanced>Options>TCP/IP filtering>Properties
Enable TCP/IP filtering, then add the TCP ports, UDP ports, and protocols you need.
4. Enable audit policies
Enabling security auditing is the most basic intrusion detection method in Win2000. When someone attempts to intrude into your system in certain ways (such as trying user passwords, changing account policies, unauthorized file access, etc.), it will all be recorded by security auditing. Many administrators don't realize their systems have been compromised for months, until the system is damaged. The following audits must be enabled; others can be added as needed:
Policy | Setting
Audit system logon events | Success, Failure
Audit account management | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success
Audit policy change | Success, Failure
Audit privilege use | Success, Failure
Audit system events | Success, Failure
5. Enable password policies
Policy | Setting
Password complexity requirements | Enabled
Minimum password length | 6 characters
Enforce password history | 5 times
Maximum password age | 42 days
6. Enable account policies
Policy | Setting
Reset account lockout counter after | 20 minutes
Account lockout duration | 20 minutes
Account lockout threshold | 3 times
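One way to check a server against the audit, password and lockout tables above, as an added example that is not part of the original checklist. It assumes the policy has been exported to a security template (INF) file with the security configuration tools; the sample template is constructed, and mapping “Audit system logon events” to the template key AuditAccountLogon is an assumption.

```python
import configparser

# Audit settings in a security template are bit flags.
SUCCESS, FAILURE = 1, 2
BOTH = SUCCESS | FAILURE

# Required audit flags, from the checklist's audit table.
AUDIT_REQUIRED = {
    # Assumption: the checklist's "Audit system logon events" is the
    # template's account logon setting.
    "AuditAccountLogon": BOTH,
    "AuditAccountManage": BOTH,
    "AuditLogonEvents": BOTH,
    "AuditObjectAccess": SUCCESS,
    "AuditPolicyChange": BOTH,
    "AuditPrivilegeUse": BOTH,
    "AuditSystemEvents": BOTH,
}

# Password and lockout values from the checklist, treated as the weakest
# acceptable setting (assumption: stricter values also pass).
ACCESS_REQUIRED = {
    "PasswordComplexity": ("1 (enabled)", lambda v: v == 1),
    "MinimumPasswordLength": ("at least 6", lambda v: v >= 6),
    "PasswordHistorySize": ("at least 5", lambda v: v >= 5),
    "MaximumPasswordAge": ("1 to 42 days", lambda v: 1 <= v <= 42),
    "LockoutBadCount": ("1 to 3 attempts", lambda v: 1 <= v <= 3),
    "ResetLockoutCount": ("at least 20 minutes", lambda v: v >= 20),
    "LockoutDuration": ("at least 20 minutes", lambda v: v >= 20),
}

# Constructed sample export. A real export may be UTF-16 and must be
# decoded to text before it is passed in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""


def read_int(parser, section, key):
    """Return the setting as an int, or None when absent or malformed."""
    try:
        return int(parser.get(section, key))
    except (configparser.Error, TypeError, ValueError):
        return None


def check_template(text):
    """Return (key, actual, requirement) for every setting that falls short."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep the template's key capitalisation
    parser.read_string(text)

    findings = []
    for key, (want, is_ok) in ACCESS_REQUIRED.items():
        value = read_int(parser, "System Access", key)
        # A missing key is reported: the setting was never configured.
        if value is None or not is_ok(value):
            findings.append((key, value, want))
    for key, mask in AUDIT_REQUIRED.items():
        value = read_int(parser, "Event Audit", key)
        # Every required flag must be set; extra flags are acceptable.
        if value is None or (value & mask) != mask:
            findings.append((key, value, "audit flags %d" % mask))
    return findings


if __name__ == "__main__":
    for key, actual, want in check_template(SAMPLE_INF):
        print("%-22s actual=%-5s required: %s" % (key, actual, want))
```
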
7. Set access permissions for security logs
By default, security logs are not protected. Set them so that only the Administrator and system accounts have permission to access them.
8. Store sensitive files on another file server
Although server hard drive capacity is now very large, you should still consider whether it is necessary to store some important user data (files, data tables, project files, etc.) on another secure server, and back them up regularly.
9. Do not let the system display the username of the last login
By default, when connecting to a server through terminal services, the login dialog box displays the name of the last account that logged in. The local login dialog box is the same. This makes it easy for others to obtain some system usernames and then attempt password guessing. You can modify the registry so the dialog box does not display the username of the last login. Specifically:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
Change the REG_SZ value to 1.
10. Disable null connections
By default, any user can connect to the server through a null connection, and then enumerate accounts and guess passwords. We can disable null connections by modifying the registry:
Change the value of RestrictAnonymous under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA to “1”.
11. Go to the Microsoft website and download the latest patch programs
Many network administrators do not have the habit of visiting security sites, so even after vulnerabilities have been known for a long time, they still leave their servers unpatched for others to use as targets. No one can guarantee that Windows 2000, with its millions of lines of code, has not a single security hole. Regularly visiting Microsoft and some security sites, and downloading the latest service packs and security patches, is the only way to ensure the long-term security of a server.
Advanced section:
1. Turn off DirectDraw
This is a C2 security standard requirement for the video card and memory. Turning off DirectDraw may affect some programs that need DirectX (for example games—playing StarCraft on a server? I'm dizzy..$%$^%^&??), but it should have no effect on the vast majority of commercial sites. Just modify the registry HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI and set Timeout(REG_DWORD) to 0.
2. Turn off default shares
After Win2000 is installed, the system creates some hidden shares. You can type net share under cmd to view them. There are many articles online about IPC intrusion, so I'm sure everyone is familiar with it. To disable these shares, open Administrative Tools>Computer Management>Shared Folders>Shares, right-click the corresponding shared folder, and click Stop Sharing. However, after the machine restarts, these shares will be re-enabled.
Default shared directory | Path and function
C$ D$ E$ | The root directory of each partition. In Win2000 Pro, only Administrator and members of the Backup Operators group can connect. In the Win2000 Server version, the Server Operators group can also connect to these shared directories.
ADMIN$ | %SYSTEMROOT% A shared directory for remote management. Its path always points to Win2000's installation path, for example c:\winnt
FAX$ | In Win2000 Server, FAX$ is used when the fax client sends a fax.
IPC$ | Null connection. The IPC$ share provides the ability to log into the system.
NetLogon | This share is used by the Net Logon service on Windows 2000 servers when handling domain logon requests.
PRINT$ | %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS For users to remotely manage printers.
Solution:
Open Registry Editor (REGEDIT) and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
In the right pane, create a DWORD value named AutoShareServer and set it to 0.
3. Disable dump file generation
Dump files are very useful information for troubleshooting when the system crashes or blue-screens (otherwise I would have translated it literally as garbage file). However, they can also provide hackers with some sensitive information, such as passwords for some applications. To disable it, open Control Panel>System Properties>Advanced>Startup and Recovery and change Write debugging information to None. When needed, you can turn it back on again.
4. Use the EFS file encryption system
Windows 2000's powerful encryption system can add a layer of security protection to disks, folders, and files. This can prevent others from mounting your hard disk on another machine to read the data inside. Remember to use EFS on folders too, not just individual files. For specific information about EFS, see
http://www.microsoft.com/windows2000/techi...ity/encrypt.asp
5. Encrypt the temp folder
When installing and upgrading, some applications copy certain things into the temp folder, but when the program finishes upgrading or closes, they do not clear out the contents of the temp folder themselves. Therefore, encrypting the temp folder gives your files an extra layer of protection.
6. Lock down the registry
In Windows 2000, only administrators and Backup Operators have permission to access the registry over the network. If you feel that is still not enough, you can further set registry access permissions. For details, please refer to:
http://support.microsoft.com/support/kb/ar...s/Q153/1/83.asp
7. Clear the page file when shutting down
The page file, also called the swap file, is a hidden file Win2000 uses to store portions of programs and data files that are not loaded into memory. Some third-party programs may store some unencrypted passwords in memory, and the page file may also contain other sensitive materials. To clear the page file at shutdown, edit the registry
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Set the value of ClearPageFileAtShutdown to 1.
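The registry settings named in this checklist (DontDisplayLastUserName, RestrictAnonymous, the DCI Timeout, AutoShareServer and ClearPageFileAtShutdown) can be verified together from a Registry Editor export. The following is an added example, not part of the original checklist; the sample export is constructed and the function names are illustrative.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"

# (key, value name, expected data) exactly as the checklist specifies them.
EXPECTED = [
    (HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName", 1),
    (HKLM + r"\System\CurrentControlSet\Control\LSA",
     "RestrictAnonymous", 1),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI",
     "Timeout", 0),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters",
     "AutoShareServer", 0),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown", 1),
]

# Constructed sample of a Registry Editor text export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"""

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')


def parse_reg(text):
    """Map (key, value name), both lower-cased, to the exported data.

    Registry key and value names are case-insensitive. Only string and
    dword data are decoded; other value types are skipped.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        match = VALUE_LINE.match(line)
        if key is None or not match:
            continue
        name, data = match.group(1).lower(), match.group(2)
        if data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            s = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            # REG_SZ "1" and REG_DWORD 1 are compared as the same number.
            values[(key, name)] = int(s) if s.isdigit() else s
    return values


def audit_export(text):
    """Return (key, name, expected, actual) for each setting not in place.

    A value missing from the export is reported with actual=None: the
    system default applies, which for AutoShareServer means the hidden
    shares come back after a restart.
    """
    values = parse_reg(text)
    findings = []
    for key, name, expected in EXPECTED:
        actual = values.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings


if __name__ == "__main__":
    for key, name, expected, actual in audit_export(SAMPLE_REG):
        print("%s\\%s: expected %r, found %r" % (key, name, expected, actual))
```
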
8. Disable booting the system from floppy disk and CD-ROM
Some third-party tools can bypass the original security mechanisms by booting the system. If your server has very high security requirements, you may want to consider using removable floppy drives and CD drives. Locking up the case is also a good method.
9. Consider using smart cards instead of passwords
Passwords always put security administrators in a dilemma, and are easily attacked by tools such as L0phtCrack. If passwords are too complex, users, in order to remember them, will write them down everywhere. If conditions permit, using smart cards instead of complex passwords is a very good solution.
10. Consider using IPSec
Just as its name implies, IPSec provides security for IP packets. IPSec provides authentication, integrity, and optional confidentiality. The sending computer encrypts the data before transmission, and the receiving computer decrypts the data after receiving it. Using IPSec can greatly enhance the security of the system. For detailed information about IPSec, please refer to: http://www.microsoft.com/china/technet/sec...ty/ipsecloc.asp
ko20010214
