Server security settings: Local Security Policy settings (Windows Server)

Source: Internet
Author: User
Tags: anonymous
The same settings can also be reached by running gpedit.msc and navigating to Computer Configuration → Windows Settings → Security Settings → Local Policies.

To apply a changed policy immediately, run: gpupdate /force (Group Policy is applied automatically; no restart is needed)


Start Menu → Administrative Tools → Local Security Policy

A. Local Policies → Audit Policy

Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
B. Local Policies → User Rights Assignment

Shut down the system: Administrators group only; remove all other entries.
Deny log on through Terminal Services: add the Guests and Users groups.
Allow log on through Terminal Services: Administrators group only; remove all other entries.

C. Local Policies → Security Options

Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: remove all entries
Network access: Named pipes that can be accessed anonymously: remove all entries
Network access: Remotely accessible registry paths: remove all entries
Network access: Remotely accessible registry paths and sub-paths: remove all entries
Accounts: Rename guest account: rename the account
Accounts: Rename administrator account: rename the account

| Setting name in the UI | Enterprise Client desktop computers | Enterprise Client portable computers | High-security desktop computers | High-security portable computers |
|---|---|---|---|---|
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled |
| Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended |
| Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended |
| Devices: Allow undock without having to log on | Disabled | Enabled | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Enabled | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Enabled | Enabled | Enabled | Enabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled |
| Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled |
| Interactive logon: Message text for users attempting to log on | This system is limited to authorized users only. Individuals who attempt to engage in unauthorized access will be prosecuted. | (same) | (same) | (same) |
| Interactive logon: Message title for users attempting to log on | Continuing to use without proper authorization is an offence. | (same) | (same) | (same) |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1 |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled |
| Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Disabled | Enabled | Disabled |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled |
| Network security: Force logoff when logon hours expire | Enabled | Disabled | Enabled | Disabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only\refuse LM & NTLM | Send NTLMv2 response only\refuse LM & NTLM |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | No minimum | Require NTLMv2 session security, Require 128-bit encryption | Require NTLMv2 session security, Require 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | No minimum | Require NTLMv2 session security, Require 128-bit encryption | Require NTLMv2 session security, Require 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled | Enabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Disabled | Disabled |



I. Hardening system accounts

1. Prohibit enumeration of accounts

Some worms with hacking behaviour scan a specified port on Windows 2000/XP systems and then try to guess the administrator password through a shared session. To guard against this kind of intrusion, prohibit account enumeration in the local security policy, as follows:
In the Security Settings tree on the left of Local Security Policy, expand Local Policies → Security Options level by level and look at the list of policies on the right. Find Network access: Do not allow anonymous enumeration of SAM accounts and shares, right-click it, choose Properties from the pop-up menu, select Enabled in the dialog box that appears, and click Apply to make the setting take effect.

2. Account management

To keep intruders from exploiting vulnerabilities to log on to the machine, rename the Administrator account and disable the Guest account. To do so, in the Local Policies → Security Options branch, locate the policy Accounts: Guest account status, right-click it, choose Properties from the pop-up menu, set its status to Disabled in the Properties dialog box, and click OK to exit.

II. Strengthen password security

In Security Settings, first go to Account Policies → Password Policy. The settings view on the right lets you configure policies that make system passwords comparatively safe and hard to crack. An important way to resist cracking is to change passwords regularly: right-click Maximum password age, choose Properties from the pop-up menu, and in the dialog box set how long a password may be used after it is set (limited to 1 to 999).

In addition, local security settings let you track events such as user accounts accessing files or other objects, logon attempts, system shutdowns or restarts, and similar events by configuring Audit object access and the related audit settings. In practice you will gradually find that Local Security Settings is indeed an indispensable system security tool.
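As an added example (not code from the original post), the following PowerShell script exports the effective local policy with secedit and reports which of the audit policy, user rights and security options from sections A to C above differ from the high-security values; it assumes an elevated prompt, and the registry value names and SIDs in the comments are the ones secedit writes for these policies.

```powershell
# Added example, not part of the original post: export the effective local
# security policy with secedit (run from an elevated prompt) and compare it with
# the audit policy, user rights and security options listed in sections A-C.
# secedit writes an INI-style file: registry values appear as "type,data"
# (4 = REG_DWORD), audit entries as 0 = none, 1 = success, 2 = failure, 3 = both.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
# Parse [Section] / key = value lines into nested hashtables.
$policy = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2].Trim() }
}
$lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
$expected = @{
    'Event Audit' = @{
        AuditLogonEvents = '3'; AuditAccountLogon = '3'; AuditPolicyChange = '3'
        AuditSystemEvents = '3'; AuditAccountManage = '3'; AuditObjectAccess = '2'
        AuditDSAccess = '2'; AuditPrivilegeUse = '2'; AuditProcessTracking = '0'
    }
    'Registry Values' = @{
        "$lsa\RestrictAnonymousSAM" = '4,1'              # no anonymous SAM enumeration
        "$lsa\RestrictAnonymous" = '4,1'                 # no anonymous SAM and share enumeration
        "$lsa\NoLMHash" = '4,1'                          # do not store LAN Manager hash
        "$lsa\LmCompatibilityLevel" = '4,5'              # NTLMv2 only, refuse LM and NTLM
        "$lsa\MSV1_0\NTLMMinClientSec" = '4,537395200'   # 0x20080000: NTLMv2 + 128-bit
        "$lsa\MSV1_0\NTLMMinServerSec" = '4,537395200'
        'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature' = '4,1'
        'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName' = '4,1'
    }
    'Privilege Rights' = @{
        SeShutdownPrivilege = '*S-1-5-32-544'            # shut down: Administrators only
        SeRemoteInteractiveLogonRight = '*S-1-5-32-544'  # Terminal Services logon: Administrators only
    }
}
# Report every checked setting whose effective value differs from the baseline;
# a setting absent from the export (not configured) shows an empty Actual column.
$findings = foreach ($sec in $expected.Keys) {
    foreach ($key in $expected[$sec].Keys) {
        $actual = $policy[$sec][$key]
        if ($actual -ne $expected[$sec][$key]) {
            [pscustomobject]@{ Section = $sec; Setting = $key; Expected = $expected[$sec][$key]; Actual = $actual }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'All checked settings match the baseline.' }
Remove-Item $inf -ErrorAction SilentlyContinue
```

A non-empty findings table is the list of settings still to change in Local Security Policy; rerun the script after gpupdate /force to confirm they took effect.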
