Perfect Combination of UAC and AppLocker in Win7

Source: Internet
Author: User
Today, the Shanghai IT outsourcing service network www.itshanghai.net will share with you the perfect combination of UAC + AppLocker in Win7. I have long been looking for ways to protect system security by using anti-virus software. Since Microsoft introduced UAC and the new security mechanisms in NT 6.x, I have seen the dawn of victory. In particular, the more user-friendly UAC settings of Windows 7 and the newly introduced AppLocker (Application Control Policy) feature finally gave me a nearly perfect solution, which I did not dare to keep to myself. Comments are welcome.
First, a word about my disk layout (I am not lazy due to historical reasons): Windows 7 currently runs on drive C, and most of my software is installed on the F disk (I am not in the habit of installing software in C:\Program Files). Now the formal start (for all my boasting, the operation is actually very simple):
1. Leave UAC at the system default settings; nothing needs to be changed. Do not log on with the Administrator user; for security reasons, I have disabled it. I created two users: x86 (administrator) and user (standard account).
2. To let UAC protect non-system disks, right-click a non-system disk and choose Properties > Security > Edit, then remove the Full control, Modify, Write, and Special permissions entries of the Authenticated Users group. Keep only three items: Read & execute, List folder contents, and Read. Now no process without administrator permission can write to or change the disk! You will also find that saving a Word document to that disk, or downloading to it with Thunder, fails with a prompt that you do not have permission (this is the effect we want). In that case, create a folder and re-grant the permissions you just removed to that folder you want to write to!
3. Protect any other directories or folders in the same way, and likewise change the permissions on the folders you do want to write to (do not mind the bother; security is always troublesome).
4. AppLocker setup starts from this step. First, a preparation: open Control Panel\System and Security\Administrative Tools\Services, find the Application Identity service, double-click it, and click Start. (The service is set to Manual by default and you do not need to change anything here. You only need to start it so that the subsequent Group Policy changes take effect immediately. On the next boot it does not need to be started. If you are not at ease, you can change it to Automatic.)

5. Choose Start > Run and enter gpedit.msc to launch Group Policy, then open Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker. You will see three options: Executable Rules, Windows Installer Rules, and Script Rules.

6. Left-click "Executable Rules". The right pane is blank. Right-click and choose Create Default Rules. Three rules are generated by default, and all three are Allow rules. The first two allow Everyone to run any executable files in the Program Files and Windows directories; the third allows members of the local Administrators group to run any application in any directory. This default rule set is not what we want and must be changed!

7. Right-click the third of the default rules above and delete it.

8. In the same way, create default rules for Windows Installer Rules and Script Rules, and then delete the third rule in each! Then temporarily disable the group policy to make the setting take effect. Let's test the effect! As you can see, kmplayer.exe in the F:\kmplayer directory cannot be run. At the same time, an extracted file on the H disk cannot be executed (that is because my WinRAR software is also installed on the F disk). This happens because the Group Policy blocks everything except what the created default rules allow.

9. For the software installed on the F disk to run, I must create a new rule: right-click > Create New Rule > Next. Action: Allow. User or group: Select > Advanced > Find Now, then select the user you want to allow (I am using x86) > Next. Conditions: select Path > Next.
Note: There are two other options, Publisher and File hash. These two options are very useful for software with digital signatures and for individual programs without signatures!
Select the files or folders you want to allow; on my computer, I have to select the F:\ directory. After this setting, my current user (x86) can run the executable files on the F disk in addition to those in the Program Files and Windows directories, but executable files in any other location cannot run. For example, the QQ installer on my H drive cannot run.
So far it is very clear that, apart from the specified Program Files and Windows directories and all the directories on the F disk, executable files anywhere else cannot be run. This perfectly solves the problem of viruses from USB flash disks and of viruses on other disks that could escape UAC monitoring through a misoperation! Unless you deliberately copy the virus to one of the three locations above and run it, the virus is not authorized to run, let alone infect your computer! The three locations in our allow list are all monitored by UAC; writing to them has to be permitted by us!
10. Apply the same method to Windows Installer Rules and Script Rules. These two rule sets cover installers and script files!
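To check the outcome of steps 2 through 10, the following added PowerShell example (not part of the original article) asks the effective AppLocker policy how it treats sample files and lists folders under the allowed drive where a broad group can still create files. The function names `Test-SamplePath` and `Get-WritableFolder` and the file `H:\setup.exe` are hypothetical; the drive letters and the user x86 are taken from the article.

```powershell
# Added example (not from the original article). Run in an elevated Windows PowerShell.
# Assumptions: F:\ is the allowed drive and 'x86' the account from step 9; the sample
# file paths are placeholders and must point at files that exist on the machine.
Import-Module AppLocker

# Step 4: rules are enforced only while the Application Identity service runs.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }

# Steps 6-10: ask the effective policy how it treats files inside and outside F:\.
function Test-SamplePath {
    param([string[]]$Path, [string]$User)
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Steps 2-3: a path rule is only as strong as the NTFS ACLs beneath it. List folders
# where a broad group can create files; any hit under an allowed path is a location
# where a non-elevated process can both write a file and be allowed to execute it.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, Users
$sidType   = [System.Security.Principal.SecurityIdentifier]
$writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$inhOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableFolder {
    param([string]$Root)
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $rules = (Get-Acl -Path $dir.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadSids -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $writeData) -ne 0 -and
                ([int]$ace.PropagationFlags -band $inhOnly) -eq 0) {
                New-Object PSObject -Property @{
                    Folder = $dir.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

Test-SamplePath -Path 'F:\kmplayer\kmplayer.exe', 'H:\setup.exe' -User 'x86'
Get-WritableFolder -Root 'F:\' | Sort-Object Folder -Unique
```

The audit does not evaluate Deny entries or entries for individually named users, so treat its output as a list of folders to review, in particular the folder re-granted write access in step 2.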
So far, I personally think this setup is safe enough. If you are not at ease, you can install MSE! Of course, the final factor in security is the person using the computer: developing good habits is more effective than any security setting or anti-virus software!
