Windows 8 local security policy FAQs

Source: Internet
Author: User

Applicability:
Windows 8
Procedure:
How can I open the Windows "Local Security Policy"?
A: Open "Search", type "secpol.msc", and press Enter.

How can I prevent hackers or malicious programs from brute force cracking my system password?
A: As we all know, brute-force password cracking is an exhaustive search. It is most practical against systems whose passwords are too simple. The key question is whether Windows allows remote clients or malicious programs to enumerate user names and passwords. If it does not, an attacker's attempt to obtain administrator privileges through enumeration is blocked. So how do you disallow it? See the figure below:



Once the row selected in the figure is set to "Enabled", this path is basically blocked. You can also set "Do not allow anonymous enumeration of SAM accounts and shares", just below it, to "Enabled".
In addition, under "Local Policies" - "Security Options", delete all values from "Network access: Shares that can be accessed anonymously", "Network access: Remotely accessible registry paths", "Network access: Remotely accessible registry paths and sub-paths", and "Network access: Named Pipes that can be accessed anonymously". This further enhances the security of the system.
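
The state of these options can be checked from PowerShell. The following read-only audit is an added example, not part of the original FAQ; it reads the registry values that back these Security Options and assumes the row selected in the missing figure is "Network access: Do not allow anonymous enumeration of SAM accounts".

```powershell
# Added example: read-only audit of the registry values behind the
# "Network access" security options discussed above (run elevated).
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'

# Entries with Want must equal that DWORD; entries without it must be empty lists.
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts'  # assumed figure row
       Path = $lsa; Name = 'RestrictAnonymousSAM'; Want = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Want = 1 }
    @{ Policy = 'Shares that can be accessed anonymously'
       Path = $server; Name = 'NullSessionShares' }
    @{ Policy = 'Named Pipes that can be accessed anonymously'
       Path = $server; Name = 'NullSessionPipes' }
    @{ Policy = 'Remotely accessible registry paths'
       Path = "$winreg\AllowedExactPaths"; Name = 'Machine' }
    @{ Policy = 'Remotely accessible registry paths and sub-paths'
       Path = "$winreg\AllowedPaths"; Name = 'Machine' }
)

function Test-AnonymousAccessSetting {
    param([hashtable]$Check)
    # A missing key or value is treated as "not configured" ($null).
    $item  = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($Check.Name) } else { $null }

    if ($Check.ContainsKey('Want')) {
        $ok    = $value -eq $Check.Want
        $shown = if ($null -eq $value) { '(not set)' } else { $value }
    } else {
        # REG_MULTI_SZ list: compliant when it holds no non-blank entries.
        $entries = @($value | Where-Object { $_ })
        $ok      = $entries.Count -eq 0
        $shown   = if ($ok) { '(empty)' } else { $entries -join ', ' }
    }
    [pscustomobject]@{ Policy = $Check.Policy; Compliant = $ok; Current = $shown }
}

$checks | ForEach-Object { Test-AnonymousAccessSetting $_ } |
    Format-Table -AutoSize -Wrap
```

The script changes nothing; any row reported as not compliant is still corrected in secpol.msc as described above.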

Is Windows Firewall easy to use?
A: Faced with a wide array of third-party firewall products, a considerable number of people overlook Windows Firewall, or have never even opened it. Windows Firewall is a sub-function of the local security policy. I personally think that, as long as you are skilled in configuring it, its ease of use and security are excellent for personal use and even for enterprise needs.

There are two access methods:
1. Enter the program interface as shown in the address bar below:



Click "advanced settings" on the left to see the following:



After using this method, you can browse existing rules and create new rules.
2. Go directly to the program interface in "Local Security Policy":



There is a blank area on the right, and no existing rules are listed. However, you can create new rules.
For example, to prohibit Adobe Photoshop CS from accessing the network, right-click the blank area or click "New Rule" in the right column. In the New Outbound Rule Wizard, select the first option, "Program" (a rule that controls connections for a program), and then select the path of Photoshop, as shown in the following figure:



Next, select "Block the connection". You are then asked when this rule applies. Select "Domain", "Private", and "Public" according to your actual needs, as shown in the following figure:



After that, give the rule a name (any name will do), and the rule is created. From now on, photoshop.exe cannot access the network by any means. In addition, you can create more advanced rules in "Connection Security Rules", as shown in the following figure:



This interface is more powerful than you might expect: there is hardly a need that cannot be handled here. For example, you can block any IP address or IP range that you are not comfortable with, disable ping, or set permissions for any port, program name, or service name. Its ease of use and reliability are no worse than those of any third-party firewall.
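
The same rules can be created without the wizard. The following PowerShell is an added example, not part of the original FAQ, using the NetSecurity cmdlets that ship with Windows 8; the program path, the address range, and the rule names are placeholders chosen for illustration.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Placeholder values (assumptions, not taken from the original page):
$program  = 'C:\Path\To\Photoshop.exe'   # substitute the real install path
$badRange = '203.0.113.0/24'             # constructed documentation range

function Add-RuleIfMissing {
    param([string]$DisplayName, [hashtable]$Settings)
    # Skip creation when a rule with this name already exists, so the
    # script can be re-run without piling up duplicate rules.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        return "exists:  $DisplayName"
    }
    New-NetFirewallRule -DisplayName $DisplayName @Settings | Out-Null
    "created: $DisplayName"
}

# 1. The wizard walk-through above: program rule, block, all three profiles.
Add-RuleIfMissing 'FAQ - Block Photoshop outbound' @{
    Direction = 'Outbound'; Program = $program; Action = 'Block'
    Profile   = 'Domain', 'Private', 'Public'
}

# 2. Block an IP range in both directions.
foreach ($dir in 'Inbound', 'Outbound') {
    Add-RuleIfMissing "FAQ - Block range $dir" @{
        Direction = $dir; RemoteAddress = $badRange; Action = 'Block'
    }
}

# 3. Disable ping: drop inbound ICMPv4 echo requests (type 8).
Add-RuleIfMissing 'FAQ - Block ping' @{
    Direction = 'Inbound'; Protocol = 'ICMPv4'; IcmpType = 8; Action = 'Block'
}

# Review the result. Block rules take precedence over allow rules.
Get-NetFirewallRule -DisplayName 'FAQ - *' |
    Select-Object DisplayName, Direction, Action, Enabled, Profile
```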

Can I disable the running of a program through security policies?
A: Yes. Not only that, you can also keep a program from running after it has been renamed, moved to a different path, given a different file extension, or repacked. This feature is called "AppLocker". It is stricter and more powerful than blocking a program from running through Group Policy. The program interface is shown in the following figure:



Right-click "Executable Rules" on the left and choose "Create New Rule". In the wizard that appears, you can not only restrict user groups (such as Guest accounts), but also choose among several kinds of restriction conditions, as shown in the following figure:



If you select "Publisher", the blocked program and all of its upgraded or downgraded versions and revisions cannot run (this condition can be tuned in more detail). For example, for QQ, Thunder, and Codoy, neither the official nor the customized editions can run. It is quite intelligent. This feature can also be used to isolate viruses: if viruses or Trojans cannot be removed from the system, then whether they have infected programs, scripts, dynamic link libraries, or batch files, they can do no more harm. On this point alone, current mainstream anti-virus software is generally not as fine-grained in its virus isolation function. The remaining two items are easy to understand from their names, especially the third item, "File hash", which is quite practical.
This feature can also be used together with "Software Restriction Policies", as shown in the following figure (if the content on the right is not displayed, right-click the left pane to create a software restriction policy):



In addition, "Global Object Access Auditing" can also restrict the access permissions of each group for all or part of the registry or even the file system, as shown in the following figure:


Before searching the Internet for third-party software that offers these features, shouldn't you first look through what Windows already has at home? Haha. If you have some knowledge of PowerShell, you can further simplify the creation and management of AppLocker rules.
Finally, here are two FAQs about "Local Security Policy" faults:
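
As an illustration of the PowerShell route just mentioned, the following is an added example, not part of the original FAQ. It uses the AppLocker module cmdlets to build publisher rules with a file-hash fallback, turns them into deny rules, and tests them before anything is applied; the directory and file names are placeholders.

```powershell
# Added example; run from an elevated PowerShell prompt.
Import-Module AppLocker
$targetDir = 'C:\Path\To\UnwantedApp'                 # placeholder directory (assumption)
$policyXml = Join-Path $env:TEMP 'deny-unwanted.xml'  # placeholder output file

# 1. Collect publisher and hash information for every executable found.
$files = Get-AppLockerFileInformation -Directory $targetDir -Recurse -FileType Exe

# 2. Generate rules: Publisher where the file is signed, Hash as fallback.
#    New-AppLockerPolicy only emits Allow rules, so the XML is edited next.
$xml = [xml](New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix 'Deny' -Optimize -Xml)

# 3. Turn every generated rule into a Deny rule and keep the collection in
#    audit-only mode, so a mistake is logged instead of blocking programs.
foreach ($rule in $xml.SelectNodes('//FilePublisherRule | //FileHashRule')) {
    $rule.SetAttribute('Action', 'Deny')
}
foreach ($collection in $xml.SelectNodes('//RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyXml)

# 4. Dry run: ask AppLocker how it would judge each file under this policy.
$exePaths = (Get-ChildItem $targetDir -Recurse -Filter *.exe).FullName
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $exePaths -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply only after reviewing step 4. -Merge keeps the existing rules.
#    Once an Exe collection is enforced, executables that match no Allow rule
#    are blocked too, so the merged policy must contain Allow rules (for
#    example the default rules). Rules take effect only while the
#    Application Identity service (AppIDSvc) is running.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```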

1. Why can't I access the local security policy?
A: This problem usually appears as "failed to create the snap-in" or CLSID: {8fc0b734-a0e1-11d1-a7d3-109f87571e3}. It is most often caused by software replacing or deleting this data during installation or uninstallation. To fix it, first make sure that the PATH environment variable contains "%SystemRoot%\system32;%SystemRoot%\system32\wbem". If it does not, add it.
Locate HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC in the registry and set RestrictToPermittedSnapins to 0, as shown in the following figure:




2. Why can't I set my IP security policy?
A: Make sure that the IPsec Policy Agent service is enabled.
