Windows 8 Local Security Policy FAQ

Source: Internet
Author: User
Tags firewall

The following is a question-and-answer FAQ on the Local Security Policy in Windows 8, for your reference.

How do I open the Windows Local Security policy?

A: Open "Search", type "secpol.msc" and press Enter.

How do I prevent hackers or malicious programs from brute-forcing my system password?

A: As we all know, brute-force cracking of a Windows password is essentially an exhaustive search, and against systems whose passwords are too simple it is still quite practical. One thing to be aware of is whether Windows allows remote clients or malicious programs to enumerate user names and passwords. If it does not, a malicious program that tries to obtain administrator rights through enumeration hits a dead end. So how do you disallow it? See the following figure:

Once you have confirmed that the selected line is "Enabled", that road is basically blocked. You can also set the line below it, "Do not allow anonymous enumeration of SAM accounts and shares", to Enabled.

In addition, under "Local Policies"--"Security Options", delete all the values contained in these four items: "Network access: Shares that can be accessed anonymously", "Network access: Remotely accessible registry paths", "Network access: Remotely accessible registry paths and sub-paths", and "Network access: Named pipes that can be accessed anonymously". This further enhances the security of the system.
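
The settings above can be checked without opening the console. The following read-only audit is an added example, not part of the original FAQ; it assumes the standard registry values that back these Security Options (RestrictAnonymousSAM, RestrictAnonymous, NullSessionShares, NullSessionPipes and the winreg AllowedExactPaths/AllowedPaths lists).

```powershell
# Added example: read-only audit of the anonymous-access settings discussed above.
# Assumption: the policies are stored in their standard registry locations.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }   # emits nothing when the value is absent
}

$report = @()

# The two "Do not allow anonymous enumeration ..." policies: 1 means Enabled
foreach ($name in 'RestrictAnonymousSAM', 'RestrictAnonymous') {
    $v = Get-RegValue $lsa $name
    $report += [pscustomobject]@{ Setting = $name; Value = $v; Hardened = ($v -eq 1) }
}

# The four list-type policies: the state described in the text is an empty list
$lists = @(
    @{ Label = 'Shares accessible anonymously';      Path = $server;                     Name = 'NullSessionShares' },
    @{ Label = 'Named pipes accessible anonymously'; Path = $server;                     Name = 'NullSessionPipes' },
    @{ Label = 'Remote registry paths';              Path = "$winreg\AllowedExactPaths"; Name = 'Machine' },
    @{ Label = 'Remote registry paths + sub-paths';  Path = "$winreg\AllowedPaths";      Name = 'Machine' }
)
foreach ($l in $lists) {
    # Drop empty strings so a blank multi-string value counts as an empty list
    $v = @(Get-RegValue $l.Path $l.Name | Where-Object { $_ })
    $report += [pscustomobject]@{
        Setting  = $l.Label
        Value    = ($v -join '; ')
        Hardened = ($v.Count -eq 0)
    }
}

$report | Format-Table -AutoSize -Wrap
```

The script changes nothing; record the values it lists before clearing them so that they can be restored if a remote management tool stops working.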

Is the firewall that comes with Windows easy to use?

A: Quite a few people, while choosing among a dazzling array of third-party firewall products, ignore the firewall built into Windows and never even open it. "Windows Firewall" is part of the local security policy, and I personally think that once you can configure it skillfully, its ease of use and security are superior for personal use and even business needs.

There are two ways to open it:

1. Go to the location shown in the address bar in the following figure to open the program interface:

Then click "Advanced settings" on the left, and the following appears:

With this method you can browse the existing rules and create new ones.

2. Open the program interface directly from "Local Security Policy":

The blank pane on the right does not list existing rules, but you can create new rules.

For example, to block Adobe Photoshop CS from accessing the network, right-click the blank area or click "New Rule" in the right-hand column. In the New Outbound Rule Wizard, select the first option, "Program" (a rule that controls connections for a program), and then select the path to Photoshop, as shown in the following illustration:

Next, select "Block the connection". The wizard then asks when the rule applies; check the profiles you actually need. By default all three, "Domain", "Private" and "Public", are selected, as shown in the following illustration:

Then give the rule a name (anything will do) and it is created. From now on Photoshop.exe cannot access the network, no matter how hard it tries. In addition, you can create more advanced rules under Connection Security Rules, as shown in the following illustration:

The interface may not look like much, but it is very powerful. Basically every need you can think of, and some you cannot, can be met here: blocking any IP address or IP range you dislike, disabling ping, or setting permissions for any port, program name or service name. Its ease of use and reliability are a match for any third-party firewall.
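
The same rules can be created from an elevated PowerShell prompt with the NetSecurity cmdlets that ship with Windows 8. This is an added example, not part of the original FAQ; the program path, the "Demo - " rule names and the address range are placeholders.

```powershell
# Added example (run elevated): the wizard steps above as NetSecurity cmdlets.
# Assumptions: $program, the rule names and the address range are placeholders.
$program  = 'C:\Path\To\Photoshop.exe'       # placeholder: the real install path
$profiles = 'Domain', 'Private', 'Public'    # the wizard's default: all three

function Add-BlockRule {
    param([string]$DisplayName, [hashtable]$RuleArgs)
    # Idempotent: do nothing if a rule with this display name already exists
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $DisplayName"
        return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Action Block `
        -Profile $profiles @RuleArgs | Out-Null
    Write-Host "Created: $DisplayName"
}

# Outbound "Program" rule with "Block the connection"
Add-BlockRule 'Demo - Block Photoshop outbound' @{ Direction = 'Outbound'; Program = $program }

# Block an IP range (203.0.113.0/24 is a documentation range)
Add-BlockRule 'Demo - Block address range' @{ Direction = 'Outbound'; RemoteAddress = '203.0.113.0/24' }

# Disable ping: drop inbound ICMPv4 echo requests (type 8)
Add-BlockRule 'Demo - Block inbound ping' @{ Direction = 'Inbound'; Protocol = 'ICMPv4'; IcmpType = '8' }

# Verify what was stored, including the program and address filters
Get-NetFirewallRule -DisplayName 'Demo - *' | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Direction = $_.Direction
        Action    = $_.Action
        Enabled   = $_.Enabled
        Program   = $app.Program
        Remote    = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

A program rule matches the exact file path, so it has to be updated if the program is installed to a different location. Remove the demo rules with Remove-NetFirewallRule -DisplayName 'Demo - *'.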

Can I prevent a program from running through security policy?

A: Yes. Not only can you do that, you can also prevent a program from running after it has been renamed, moved to another path, given a different extension or repacked. This feature is called "AppLocker", and it is stricter and more powerful than prohibiting a program from running through Group Policy. The program interface is shown in the following illustration:

Right-click "Executable Rules" on the left and choose "Create New Rule". In the wizard that appears you can restrict the rule to a user group (such as the Guest account) and also choose among several conditions, as shown in the following illustration:

If you choose "Publisher", then the blocked program and all its upgraded and revised versions cannot run (this condition can be tuned in further detail). For example, QQ, Thunder and Cool Dog cannot run, whether in their official or customized versions; quite smart. This feature can also be used to isolate a virus: if the system has a virus or Trojan that cannot be cleaned, then whether it has infected a program, a script, a dynamic link library or a batch file, none of them can do harm any longer. From this point of view, the virus isolation offered by current mainstream anti-virus software is generally not as fine-grained. The remaining two conditions can be understood from their names, especially the third, "File hash", which is quite practical.

This feature can also be used in conjunction with software restriction policies; see the following figure. (If no content appears on the right, right-click the left column to create software restriction policies.)

In addition, global object access auditing also restricts a group's access to all or part of the registry, or even to the file system, as shown in the following illustration:

When you are scouring the Internet for third-party software with these functions, shouldn't you first look through what Windows already has? Hehe. If you know some PowerShell, you can further simplify the creation and management of AppLocker rules; detailed examples are omitted here for reasons of length.
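
One way to build and dry-run such a rule with the AppLocker PowerShell module, as an added example that is not part of the original FAQ. The program path and the XML file name are placeholders, and the rule is only tested against the file, not applied.

```powershell
# Added example (run elevated): build a Deny rule for one program and dry-run it.
# Assumptions: $exe and $xmlFile are placeholders; nothing is enforced by this script.
Import-Module AppLocker

$exe     = 'C:\Path\To\Blocked.exe'             # placeholder: program to deny
$xmlFile = Join-Path $env:TEMP 'applocker-deny-demo.xml'

# 1. Read the publisher, path and hash information AppLocker would match on
$info = Get-AppLockerFileInformation -Path $exe
$info | Format-List Path, Publisher, Hash

# 2. Generate a "Publisher" rule, falling back to "File hash" when the file is
#    unsigned. New-AppLockerPolicy emits Allow rules, so flip them to Deny.
$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"'
$xml | Out-File -FilePath $xmlFile

# 3. Dry run: ask how this policy would treat the file for the given user
Test-AppLockerPolicy -XmlPolicy $xmlFile -Path $exe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Applying it is a separate, deliberate step. Once a rule collection contains
#    any rule, files not matched by an Allow rule are blocked, so make sure the
#    default Allow rules exist in the local policy before merging:
# Set-AppLockerPolicy -XmlPolicy $xmlFile -Merge

# AppLocker rules are only enforced while the Application Identity service runs
Get-Service -Name AppIDSvc | Format-List Name, Status
```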

Finally, here are two common questions about "Local Security Policy" failures:

1. Why can't I open the Local Security Policy?

A: This problem generally appears as "Create Snap-in failed" or CLSID:{8fc0b734-a0e1-11d1-a7d3-0000f87571e3}. It is most often caused by some software replacing or deleting this data during installation or uninstallation. The solution is first to make sure that your PATH environment variable contains "%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem"; if it does not, add it yourself.

Then locate HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC in the registry and set RestrictToPermittedSnapins to 0, as shown in the following figure:

2. Why can't I configure my IP security policy?

A: Make sure that the IPSec Policy Agent service is enabled.
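
The checks from both answers can be run together. This read-only script is an added example, not part of the original FAQ; it assumes the machine-level PATH is the one to inspect and that the IPsec Policy Agent service has its standard service name, PolicyAgent.

```powershell
# Added example: read-only checks for the two failure cases above.
# Assumptions: machine-level PATH is inspected; the service name is PolicyAgent.
$root   = $env:SystemRoot
$needed = "$root\system32", $root, "$root\system32\wbem"

# PATH entries may be stored unexpanded (%SystemRoot%\...) and with a trailing "\"
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = $machinePath -split ';' | Where-Object { $_ } | ForEach-Object {
    [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\')
}
foreach ($dir in $needed) {
    # -contains compares case-insensitively, which matches Windows path rules
    [pscustomobject]@{ Entry = $dir; InPath = ($entries -contains $dir) }
}

# MMC snap-in restriction for the current user: absent or 0 means not restricted
$key = 'HKCU:\Software\Policies\Microsoft\MMC'
$mmc = Get-ItemProperty -Path $key -Name RestrictToPermittedSnapins -ErrorAction SilentlyContinue
if ($null -eq $mmc) {
    Write-Host 'RestrictToPermittedSnapins: not set'
} else {
    Write-Host "RestrictToPermittedSnapins: $($mmc.RestrictToPermittedSnapins)"
    # The fix from the text, left commented out so the script stays read-only:
    # Set-ItemProperty -Path $key -Name RestrictToPermittedSnapins -Value 0
}

# IPsec Policy Agent: should not be Disabled, and should be Running when needed
Get-CimInstance Win32_Service -Filter "Name='PolicyAgent'" |
    Format-List Name, DisplayName, StartMode, State
```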
