The Internet is not always sunny; there are dark clouds too. When surfing the Internet, users often suffer "harassment". Of these problems, the illegal theft of another workstation's IP address is the most common in LAN environments, and it seriously affects network administrators' ability to manage and maintain the LAN efficiently. To ensure that a workstation can access content through the network securely, we should first protect the IP address of the local workstation. This article is written with that urgent need in mind. I hope the following content gives you something useful for protecting IP addresses.
Necessity of IP address protection
We know that the IP address used by a workstation is actually a relatively static logical address, and its value can be set and modified by ordinary users. If we want to stop ordinary users from modifying the IP address at will, the DHCP server in the LAN can be used to allocate IP addresses to workstations dynamically. However, this allocation method can easily cause network management problems. In addition, the configuration programs shipped with many NICs let users easily modify both IP addresses and MAC addresses. Where there is no NIC configuration program, other software can be used to modify the MAC address of the NIC, or the Registry can be modified to fool upper-layer network applications. In these circumstances the IP address of a workstation is easily stolen by others. If an IP address is stolen, the target workstation can easily be left unable to access the Internet; in more serious cases, none of the workstations in the LAN can access the Internet; and if the IP addresses used by routers in the LAN are stolen, the entire LAN may be brought down.
Protection of IP addresses
Since theft of a workstation's IP address by an illegal user can easily leave the workstation unable to access the Internet, can we find suitable and effective methods to prevent workstation users in the LAN from changing IP addresses at will, so that the entire LAN always works efficiently? The answer is yes. The following techniques can be used to protect the IP address of a workstation.
1. Modify the Group Policy to disable access to Connection Properties.
This method modifies the properties of the LAN connection component in Group Policy so that users cannot change network connection properties at will. Once a user cannot open the network connection properties window, the IP address of the workstation NIC cannot be changed at will. On a Win2000 workstation, follow the steps below to restrict users from stealing others' IP addresses:
Click Start, then Run. In the Run dialog box that appears, enter the Group Policy editor command gpedit.msc and click OK. In the Group Policy editor, expand the "User Configuration", "Administrative Templates", "Network", and "Network and Dial-up Connections" folders in sequence;
Then, in the right-hand pane for the "Network and Dial-up Connections" folder, double-click the "properties for accessing LAN connection components" option. In the settings dialog box that appears, select the "Disable" option and click "OK". From then on, users cannot enter the TCP/IP properties dialog box to modify the IP address parameters of the NIC. To confirm this, open the network connection properties window and select "Internet Protocol (TCP/IP)"; you will find that the "Properties" button is disabled (Figure 1).
Alternatively, in the right-hand pane for the "Network and Dial-up Connections" folder, double-click the "allow access to LAN connection properties" option, select the "Disable" option in the settings dialog box that appears, and click "OK". The user will then be unable to open the network connection properties window at all, let alone modify network parameters. This method is easy to implement, but it is of little use against a user who is familiar with Group Policy editing.
2. Set the Registry to prevent the network properties from being opened.
This method modifies the network-related branch of the Registry to prevent users from entering the network properties window at will and changing the IP address. The steps are as follows:
First, open the Run dialog box and execute the Registry editor command "regedit". In the editor window that appears, expand the Registry branch HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network, as shown in Figure 2;
In the right-hand pane for the "Network" branch, right-click a blank area and choose "New"/"DWORD Value" from the shortcut menu. Name the new DWORD value "NoNetSetup", set its value to "1", click "OK", and restart the computer;
Then try to open the Network Neighborhood properties window again. You will find that the system no longer allows network parameters to be modified, so the IP address of the workstation cannot be changed.
You can also go to the HKEY_CLASSES_ROOT\Interface\{0000010C-0000-0000-C000-000000000046} branch and either delete it or set the following option value to invalid; this also prevents users from entering the network properties window at will. This method is only valid in the Win98 environment and requires familiarity with Registry editing. If you lack that familiarity, do not change Registry settings at will, to avoid system malfunction.
3. Modify the system service and hide the local connection icon.
This method stops the system's Network Connections service to prevent users from entering the network parameter settings window and modifying the IP address at will. Follow the steps below:
Click Start, Programs, Administrative Tools, and Services in sequence. In the list of system services that appears, find the "Network Connections" entry, which relates to Network and Dial-up Connections, and double-click it;
On the page shown in Figure 3, open the "Startup Type" drop-down list, select "Disabled", and click "Apply" and then "OK". The user can then no longer find the local connection icon in the Network and Dial-up Connections window, and so cannot open the network properties window to make arbitrary changes to the workstation's IP address. Likewise, if you disable the "Plug and Play" service and restart the computer, no trace of the local connection icon can be found. Although this method prevents users from modifying the workstation's network parameters, it also affects dial-up network settings and the creation of new connections. It is therefore suitable only when no dial-up connection is in use, or when other types of network connection are not required.
Besides hiding the local connection icon by modifying a system service, we can also unregister the components behind the Network and Dial-up Connections icons so that the system cannot find the local connection icon, which hides the network properties window. The steps are as follows:
Click "Start"/"Run". In the Run dialog box that appears, enter the command "regsvr32 Netcfgx.dll /u" and click OK. In the same way, run the commands "regsvr32 Netman.dll /u" and "regsvr32 Netshell.dll /u", and then restart the computer. The system can no longer find the local connection icon, so the user has no way to open the network parameter settings window and change the IP address. Because this method modifies the system Registry, back up the Registry before executing the commands above, so that an unexpected problem does not leave the system unable to run normally.
4. Bind the address to refuse forced address changes
This is currently the most commonly used method. Binding the IP address to the physical address of the workstation NIC means that the NIC of the specified workstation can only use the specified IP address; if the IP address is changed to another value, the workstation cannot access the Internet.
Before using this method, you first need to find the physical address of the network adapter in question. If only a small number of workstation addresses need to be bound, run the "ipconfig /all" command on Win2000 or WinXP to obtain the MAC address of the workstation NIC; on Win98, run the "msconfig" command to obtain the physical address of the NIC. If you need the MAC addresses of many workstation NICs, you can use a specialized search tool named "MAC address scanner" to obtain the physical addresses of all network adapters on the network.
After finding the physical address of the network adapter, click Start, then Run, and run the cmd command to switch to the MS-DOS command line. There, run a command of the form "arp -s ip mac" to restrict the specified IP address to the specified NIC. For example, to restrict the IP address "61.100.120.10" to the NIC whose MAC address is "00-01-30-17-86-50", enter the command "arp -s 61.100.120.10 00-01-30-17-86-50" at the command line. After you press Enter, the IP address of the workstation can no longer be changed at will. If the IP address is forcibly changed, the workstation will be unable to connect to the Internet. Although this method is simple, it is only valid for workstations that access the Internet through proxy servers, not for other types of workstations.
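The binding described above can also be checked after the fact. The following Python script is an added example, not code from the original article: it parses "arp -a" output, compares it with the administrator's intended IP-to-MAC table, and returns the "arp -s" commands that restore any binding that is contradicted or not yet static. The sample output and every binding other than the article's 61.100.120.10 pair are constructed for illustration.

```python
import re

# Constructed sample of Windows "arp -a" output (not captured from a real network).
SAMPLE_ARP_OUTPUT = """\
Interface: 61.100.120.1 --- 0x2
  Internet Address      Physical Address      Type
  61.100.120.10         00-01-30-17-86-50     static
  61.100.120.11         00-0c-29-aa-bb-01     dynamic
  61.100.120.12         00-0c-29-aa-bb-01     dynamic
  61.100.120.13         00-0c-29-aa-bb-03     dynamic
"""

# Intended bindings; only the first pair comes from the article, the rest are assumed.
EXPECTED = {
    "61.100.120.10": "00-01-30-17-86-50",
    "61.100.120.11": "00-0C-29-AA-BB-01",
    "61.100.120.12": "00-0C-29-AA-BB-02",
}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.I | re.M)

def parse_arp(text):
    """Return {ip: (lowercase_mac, entry_type)} for every table row in the text."""
    return {ip: (mac.lower(), kind.lower()) for ip, mac, kind in ROW.findall(text)}

def audit(arp_text, expected):
    """Compare the observed ARP cache with the expected bindings."""
    seen = parse_arp(arp_text)
    findings = []
    for ip, want in sorted(expected.items()):
        want = want.lower()
        if ip not in seen:
            continue  # address not in the cache, so there is nothing to judge
        mac, kind = seen[ip]
        if mac != want:
            findings.append(("MISMATCH", ip, mac))  # a different NIC answers for this IP
        elif kind != "static":
            findings.append(("UNPINNED", ip, mac))  # right NIC, but entry is not bound
    return findings

def pin_commands(findings, expected):
    """Build the "arp -s" line that restores the expected binding for each finding."""
    return ["arp -s %s %s" % (ip, expected[ip].lower()) for _, ip, _ in findings]

if __name__ == "__main__":
    print("\n".join(pin_commands(audit(SAMPLE_ARP_OUTPUT, EXPECTED), EXPECTED)))
```

A MISMATCH row is the case the article calls a stolen address: the IP is in use, but by a NIC other than the one it was assigned to.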
5. Configure COM properties and adjust the authentication level
This method modifies the Distributed COM configuration properties so that applications are run by workstation users with anonymous permissions, which prevents users from accessing the "local connection" properties dialog box. Follow the steps below:
Click "Start"/"Run". In the Run dialog box that appears, enter the Distributed COM configuration command "dcomcnfg" and click "OK" to open the Distributed COM configuration properties dialog box, then click its "Default Properties" tab;