Eight cool tips in Windows system group policies

BKJIA exclusive Article: we have previously introduced the application of related policy groups. This article continues to introduce the eight tips for using Microsoft group policies to protect Windows security. We hope that you can learn and use them in practical applications.

1. Hide the drive Windows XP/2003 specified in my computer)

This group of policies can delete icons representing the Selected hardware drive from my computer and Windows Resource Manager. And all the drives represented by the drive letter do not appear in the standard open dialog box.

Go to "Group Policy console> User Configuration> management template> Windows Components> Windows Resource Manager"> "hide the specified drives in my PC" and enable this policy, select one or more drives from the list box below.

Tip: this policy only deletes the drive icon. You can still access the drive content in other ways. At the same time, this policy does not prevent users from using programs to access these drives or their content. It also does not prevent users from using disk management plug-and-play to view and change the drive features.

2. prevent access to the drive Windows 2000/XP/2003 from my computer)

This policy prevents users from viewing the content of the drive selected in my computer or Windows Resource Manager. It also prohibits you from using the run dialog box, image network drive dialog box, or Dir command to view the directories on these drives.

Go to "Group Policy console> User Configuration> management template> Windows Components> Windows Resource Manager"> "prevent access to the drive from my computer" and enable this policy, select one or more drives from the list box below. Tip: The icons that indicate the specified drive will still appear on "My Computer", but if you double-click the icon, a message Interpretation Setting will appear to prevent this operation. These settings do not prevent users from using other programs to access local and network drives. It does not prevent them from using disk management plug-and-play to view and change the drive features.

3. Do not use Command Prompt Windows 2000/XP/2003)

In Windows 2000/XP/2003, we can run cmd.exe to enter the command prompt state, and continue to run some DOS commands and other command line programs. For security considerations, some systems should block this function.

Open "block access command prompt" in "Group Policy console> User Configuration> management template> System" and enable this policy, select "Also disable command prompt script processing" in the list box below. This setting also determines the batch file. cmd and. whether bat can run on a computer.

If this setting is enabled, a message is displayed when the user tries to open the command window, explaining the setting to block this operation.

4. Do not change the display attribute Windows 2000/XP/2003)

Select "display" in "Control Panel" or right-click the blank area on the Windows desktop and select "properties" to go to the "Display Settings" dialog box, you can set the desktop theme, desktop background, screen saver, and display settings. If you don't want others to modify the settings at will, you can hide the settings through the Group Policy.

Open "Group Policy console → user configuration → management template → Control Panel → display ", you can then see the policy configurations such as hiding the desktop tab, hiding the topic tab, hiding the Protection Program tab, and hiding the settings tab. You can configure these items as needed. For example, if the "Hide 'desktop" tab policy is enabled, and then the "show properties" dialog box is opened, the "desktop" label is invisible, in this way, you can no longer change the desktop properties.

5. Disable Registry Editor Windows 2000/XP/2003)

To prevent others from modifying the Registry file after entering the computer, you can disable access settings for the Registry Editor in the Group Policy. For more information, see "Group Policy console> User Configuration> System"> "Disable registry editing tools" and enable this policy.

After this policy is enabled, the system will disable this type of operation and bring up a warning message when you try to start the Registration Table editor regedit.exe and Regedt32.exe.

6. Completely prohibit access to "control panel" Windows 2000/XP/2003)

If you do not want other users to access the computer's "Control Panel", you can also use group policies. Open "forbidden access control panel" in "Group Policy console> User Configuration> management template> extended panel" and enable this policy.

After this policy is enabled, you can prevent the launch of the Panel supervisor program control.exe. Others will not be able to start the "Control Panel" or run any "Control Panel" project ). In addition, this setting will delete the "control panel" from the "Start" menu ". In addition, this setting also removes the control panel folder from "Windows Resource Manager.

7. Do not create a new dial-up connection for Windows 2000/XP/2003)

If you do not want others to establish a new connection on the computer to dial up the Internet, you can also set up a group policy. Open the "prohibit access to new connection wizard" in "Group Policy console> User Configuration> management template> network connection" and enable this policy.

After this policy is enabled, "New Connection" does not appear in the "Network Connection" folder and "Start Menu ".

Tip: This setting cannot prevent users from using other programs such as Internet Explorer to bypass this setting. In addition, this setting takes effect only after the computer is restarted.

8. Disable "Add/delete programs" Windows 2000/XP/2003)

The "add or delete programs" item in "Control Panel" allows you to install, uninstall, repair, and add and delete Windows functions and components, as well as a wide range of Windows programs. If you want to prevent other users from installing or uninstalling programs, you can use group policies.

Open "delete" Add/delete programs "in" Group Policy console> User Configuration> management template> Control Panel> Add> Delete programs "and enable this policy, when we open the "Add/delete programs" module in the "control panel", a warning window is displayed, and "Add/delete programs" cannot be run.

In addition, in the Add/Remove Programs Branch, you can also add new programs, add programs from CD-ROM or floppy disk, and add programs from Microsoft in the Add/delete programs item for Windows programs, add programs from the network, and so on, through setting these policy items, the system files and applications in the computer are protected.

BKJIA exclusive Article. For details about the cooperation site, please indicate the original author and source .]