Use group policies to configure Windows Security Options

Source: Internet
Author: User

[BKJIA exclusive article] There is a lot to know about Group Policy. This article describes the security settings found under "Windows Settings" in Group Policy, such as:

(1). Account Policy

Password policy and account lockout policy are set here. For example, this policy group lets us set the minimum password length or require that passwords meet complexity requirements.

(2). Local Policy

"Local Policies" contains three groups of security policy items that can be configured to meet various security requirements of a Windows system. For example, "Audit Policy" configures which events are collected in the Windows Security event log on a server; "User Rights Assignment" configures which users can access a given server or workstation through Remote Desktop; and "Security Options" determines whether the "Administrator" account is enabled on a given system and whether it is renamed.

"Audit Policy" lets us control which types of events the Windows Security event log collects and specify whether successes or failures are recorded. It audits a range of event types, from access to system objects (such as files and registry keys) to Active Directory.

"User Rights Assignment" is another powerful security tool in Group Policy; it controls who can do what on a given system. Examples of user rights include "Log on locally", which controls who can log on interactively at the console of a server or workstation, and "Load and unload device drivers", which grants a group or user the right to install device drivers.

In addition, there are some security-related Windows Group Policy settings:

Disable specified file types

In Group Policy we can disable program file types such as SHS, MSI, BAT, CMD, COM, and EXE without affecting the normal operation of the system. Suppose you want to disable registry REG files and prevent the system from running them. The procedure is as follows:

1. Open Group Policy, go to "Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies", and choose "Create Software Restriction Policies" from the shortcut menu. This generates the "Security Levels", "Additional Rules", "Enforcement", "Designated File Types", and "Trusted Publishers" items.

2. Double-click "Designated File Types" to open the "Designated File Types Properties" window. Leave only the REG file type and delete all the others. To disable other file types later, open this window again, enter the file type you want to disable in the "File extension" box, and add it.

3. Open "Security Levels", double-click "Disallowed", and click "Set as Default". Then log off or restart the system for the policy to take effect. When you run a REG file, the system prompts "Windows cannot open this program because of a software restriction policy".

4. To cancel the Software Restriction Policy, open "Security Levels", double-click "Unrestricted" to open the "Unrestricted Properties" window, and click "Set as Default".

Tip: to prevent system administrators from being restricted by the Software Restriction Policy, double-click "Enforcement" and select "All users except local administrators". When the file type restriction policy is in use, this option ensures that administrators can still run the restricted file types, while other users cannot.
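To check that steps 2 and 3 and the Tip were applied as intended, the resulting policy can be read back from a registry export. The following is an added example, not part of the original article: it assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with the value names DefaultLevel, PolicyScope and ExecutableTypes (names not mentioned on this page), and the sample export is constructed.

```python
import re

# Constructed sample of `reg export` output for the SRP policy key (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"PolicyScope"=dword:00000001
"ExecutableTypes"=hex(7):52,00,45,00,47,00,00,00,\
  42,00,41,00,54,00,00,00,00,00
'''

LEVELS = {0x00000: "Disallowed", 0x40000: "Unrestricted"}
SCOPES = {0: "All users", 1: "All users except local administrators"}

def parse_values(reg_text):
    # Join regedit's backslash line continuations, then read "name"=data pairs.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    values = {}
    for name, data in re.findall(r'^"([^"]+)"=(.+)$', joined, re.M):
        data = data.strip()
        if data.startswith("dword:"):
            values[name] = int(data[6:], 16)
        elif data.startswith("hex(7):"):          # REG_MULTI_SZ, UTF-16LE
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            values[name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
    return values

def summarize(reg_text):
    v = parse_values(reg_text)
    level = LEVELS.get(v.get("DefaultLevel"), "unknown")
    scope = SCOPES.get(v.get("PolicyScope"), "unknown")
    types = sorted(t.upper() for t in v.get("ExecutableTypes", []))
    # With Disallowed as the default and administrators in scope, an admin is
    # restricted as well (the situation the Tip above addresses).
    admin_exempt = v.get("PolicyScope") == 1
    return {"default_level": level, "scope": scope,
            "designated_types": types, "admins_exempt": admin_exempt}
```

Comparing the summary against the intended configuration before logging off catches a policy that would also restrict the administrator.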

Prevent unauthorized local logon

When using a computer, we sometimes have to leave our seats for a while, and we usually lock the computer to prevent someone else from using it. However, on a LAN we sometimes create guest accounts to make network logon easier. If someone uses one of these accounts to log off the current account and log on with another, that causes trouble. Since we cannot delete or disable these accounts, we can use Group Policy to prohibit certain accounts from logging on locally, so that they can only log on through the network.

In the Group Policy window, go to "Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment", double-click "Deny log on locally" in the right pane, and in the pop-up window add the user or group to be blocked.

To do the opposite, that is, prohibit users from logging on from the network so that they can only log on at the local computer, double-click "Deny access to this computer from the network" and add the user.

Require a password when resuming from "Sleep" and "Standby"

In the Group Policy window, expand "User Configuration > Administrative Templates > System > Power Management" and double-click "Prompt for password on resume from hibernate/suspend" in the right pane. If this setting is "Enabled", the user password is required when the computer returns from the "Standby" or "Sleep" state.

Prevent changes to the IE home page

If you do not want other people or malicious code on the Internet to change the home page of your IE browser, select "User Configuration > Administrative Templates > Windows Components > Internet Explorer", then double-click "Disable changing home page settings" in the right pane and enable the policy.

Expanding the "User Configuration > Administrative Templates > Windows Components > Internet Explorer" branch step by step, you can find policy groups such as "Internet Control Panel", "Offline Pages", "Browser menus", "Toolbars", "Persistence Behavior", and "Administrator Approved Controls". These can be used to build a highly customized and secure IE.

Hide Administrator

In Windows, the default system administrator account is named Administrator. To make it harder for someone to crack the password of this account, we can rename it to enhance security. Select "Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options", double-click "Accounts: Rename administrator account" in the right pane, and enter the user name you want. After the computer is restarted, the new user name takes effect immediately. It is safer still to then create a new Guest-level user named Administrator and give it a complicated password.

To prevent users from seeing the previously logged-on user name in the Windows logon box, double-click the item "Interactive logon: Do not display last user name" and select "Enabled". The name of the user who last logged on to the computer will then no longer be displayed on the Windows logon screen.
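The account policy, "Deny log on locally", rename-administrator and last-user-name settings described above can be verified from the text of a `secedit /export /cfg` file. This is an added example, not part of the original article: the INF key names are the ones secedit writes, the thresholds and the account list are assumptions, and the sample export is constructed. (A real export is UTF-16 and must be decoded before being passed in.)

```python
import re

# Constructed sample of a `secedit /export /cfg policy.inf` file (not from a real host).
SAMPLE_INF = r'''[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Privilege Rights]
SeDenyNetworkLogonRight = Guest
'''
# Registry path secedit uses for "Interactive logon: Do not display last user name".
LAST_USER_KEY = r"machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername"

def parse_inf(text):
    # Return {section: {key: value}}; values keep their raw INF text minus quotes.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def audit(text, min_len=8, deny_local=("Guest",)):
    # min_len and deny_local are assumed baselines, not values from the article.
    inf = parse_inf(text)
    acct, rights = inf.get("System Access", {}), inf.get("Privilege Rights", {})
    reg = {k.lower(): v for k, v in inf.get("Registry Values", {}).items()}
    findings = []
    if int(acct.get("MinimumPasswordLength", 0)) < min_len:
        findings.append("minimum password length below %d" % min_len)
    if acct.get("PasswordComplexity") != "1":
        findings.append("password complexity not enforced")
    if int(acct.get("LockoutBadCount", 0)) == 0:
        findings.append("account lockout disabled")
    if acct.get("NewAdministratorName", "Administrator").lower() == "administrator":
        findings.append("Administrator account not renamed")
    denied = {a.strip().lower() for a in rights.get("SeDenyInteractiveLogonRight", "").split(",")}
    findings += ["%s not listed under Deny log on locally" % a
                 for a in deny_local if a.lower() not in denied]
    if reg.get(LAST_USER_KEY) != "4,1":   # 4 = REG_DWORD, 1 = enabled
        findings.append("last user name shown at logon")
    return findings
```

Accounts are compared as written in the export, so an entry that secedit recorded as a SID (prefixed with `*`) has to be passed to `deny_local` in that form.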

Disable Automatic Installation of IE Components

Select "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer", double-click "Disable Automatic Install of Internet Explorer components" in the right pane, and select "Enabled" in the window that appears to stop Internet Explorer from installing components automatically. This prevents Internet Explorer from downloading a component when a user visits a website that requires it. Tampering with IE is contained as well, and IE becomes much safer.
