You can also type gpedit.msc in the Run dialog and navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies.
Command to refresh the security policy immediately: gpupdate /force (applies Group Policy without a restart).
Alternatively, choose Start > Administrative Tools > Local Security Policy.
A. Local Policies --> Audit Policy
Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure
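The audit settings listed above can be applied from an elevated prompt with auditpol.exe instead of clicking through the console. The script below is an added example, not part of the original page; it uses the per-category English names that auditpol expects, and the Success/Failure choices are taken from the list above (a category marked "No auditing" has both disabled).

```powershell
# Added example (not from the original page): apply the audit policy listed in
# section A with auditpol.exe, then read each category back. Run elevated.
$auditPlan = @(
    @{ Category = 'Policy Change';      Success = 'disable'; Failure = 'enable'  }
    @{ Category = 'Logon/Logoff';       Success = 'enable';  Failure = 'enable'  }
    @{ Category = 'Object Access';      Success = 'disable'; Failure = 'enable'  }
    @{ Category = 'Detailed Tracking';  Success = 'disable'; Failure = 'disable' }  # "No auditing"
    @{ Category = 'DS Access';          Success = 'disable'; Failure = 'enable'  }
    @{ Category = 'Privilege Use';      Success = 'disable'; Failure = 'enable'  }
    @{ Category = 'System';             Success = 'enable';  Failure = 'enable'  }
    @{ Category = 'Account Logon';      Success = 'enable';  Failure = 'enable'  }
    @{ Category = 'Account Management'; Success = 'disable'; Failure = 'enable'  }
)

foreach ($entry in $auditPlan) {
    # auditpol /set on a category applies the same Success/Failure choice to
    # every subcategory underneath it.
    & auditpol.exe /set /category:"$($entry.Category)" `
        /success:$($entry.Success) /failure:$($entry.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for category '$($entry.Category)'"
    }
}

# Read back what is now in effect, one category at a time, so the output can be
# compared with the list in section A.
foreach ($entry in $auditPlan) {
    & auditpol.exe /get /category:"$($entry.Category)"
}
```

These are local audit settings; on a domain member a Group Policy that defines audit policy overwrites them at the next refresh, which is exactly what the gpupdate /force command above triggers, so put the same values in the GPO if the machine is domain-joined.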
B. Local Policies --> User Rights Assignment
Shut down the system: keep only the Administrators group; remove all others.
Deny log on through Terminal Services: add the Guests and Users groups.
Allow log on through Terminal Services: keep only the Administrators group; remove all others.
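User rights cannot be set with a simple registry write; the supported command-line route is a security template applied with secedit.exe. The script below is an added example, not part of the original page: it writes an INF template containing only the three rights from section B, applies it, and exports the result for checking. The scratch directory under $env:TEMP is an assumption; the group SIDs are the well-known ones (Administrators S-1-5-32-544, Users S-1-5-32-545, Guests S-1-5-32-546).

```powershell
# Added example (not from the original page): set the three user rights from
# section B with secedit.exe. Run elevated. $workDir is an assumed scratch path.
$workDir = Join-Path $env:TEMP 'user-rights'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'user-rights.inf'
$db  = Join-Path $workDir 'user-rights.sdb'

# Keep a copy of the current rights so the change can be reverted.
& secedit.exe /export /cfg (Join-Path $workDir 'before.inf') /areas USER_RIGHTS | Out-Null

# Only the rights named in the template are changed. Listing exactly one group for
# a right removes every other holder of that right, which is what section B asks for.
# Well-known SIDs: Administrators S-1-5-32-544, Users S-1-5-32-545, Guests S-1-5-32-546.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@ | Set-Content -Path $inf -Encoding Unicode

& secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure failed; see $env:windir\security\logs\scesrv.log"
}

# Verify: export again and show the three rights that were changed.
$after = Join-Path $workDir 'after.inf'
& secedit.exe /export /cfg $after /areas USER_RIGHTS | Out-Null
Get-Content $after | Where-Object {
    $_ -match '^Se(ShutdownPrivilege|DenyRemoteInteractiveLogonRight|RemoteInteractiveLogonRight)'
}
```

Note that removing Remote Desktop Users from "Allow log on through Terminal Services" means only local administrators can open a Remote Desktop session afterwards, so check who actually needs RDP before applying this on a shared machine.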
C. Local Policies --> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all entries.
Network access: remove all entries that permit anonymous access.
Network access: Remotely accessible registry paths: delete all entries.
Network access: Remotely accessible registry paths and sub-paths: delete all entries.
Accounts: Rename guest account: rename the account.
Accounts: Rename administrator account: rename the account.
Setting name in UI | Enterprise Client desktop computer | Enterprise Client portable computer | High-security desktop computer | High-security portable computer |
--- | --- | --- | --- | --- |
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled |
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended |
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended |
Devices: Allow undock without having to log on | Disabled | Enabled | Disabled | Disabled |
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators |
Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled |
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Enabled | Enabled |
Devices: Restrict floppy access to locally logged-on user only | Enabled | Enabled | Enabled | Enabled |
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation |
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled |
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled |
Interactive logon: Message text for users attempting to log on | This system is limited to only authorized users. Individuals attempting to perform unauthorized access will be prosecuted. | This system is limited to only authorized users. Individuals attempting to perform unauthorized access will be prosecuted. | This system is limited to only authorized users. Individuals attempting to perform unauthorized access will be prosecuted. | This system is limited to only authorized users. Individuals attempting to perform unauthorized access will be prosecuted. |
Interactive logon: Message title for users attempting to log on | It is illegal to continue using the service without proper authorization. | It is illegal to continue using the service without proper authorization. | It is illegal to continue using the service without proper authorization. | It is illegal to continue using the service without proper authorization. |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1 |
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days |
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled |
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation |
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled |
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes |
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled |
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled |
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Disabled | Enabled | Disabled |
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled | Enabled |
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled |
Network security: Force logoff when logon hours expire | Enabled | Disabled | Enabled | Disabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only \ refuse LM & NTLM | Send NTLMv2 response only \ refuse LM & NTLM |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | No minimum | Require NTLMv2 session security, require 128-bit encryption | Require NTLMv2 session security, require 128-bit encryption |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | No minimum | Require NTLMv2 session security, require 128-bit encryption | Require NTLMv2 session security, require 128-bit encryption |
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled |
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled |
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled |
Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled | Enabled |
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled |
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Disabled | Disabled |
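Most of the Security Options in the table above are stored as registry values, which makes it possible to check a machine against one column of the table without opening the console. The script below is an added example, not part of the original page: it compares a subset of the settings with the "High-security desktop computer" column. The registry paths and value names are the ones the Local Security Policy editor writes for these settings; the choice of which rows to check is mine, and the script only reads, so it can be run as any user with read access to HKLM.

```powershell
# Added example (not from the original page): compare registry-backed Security
# Options with the "High-security desktop computer" column of the table.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$wlg = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Expected values for the High-security desktop column. 0x20080000 is
# "Require NTLMv2 session security" (0x80000) + "Require 128-bit encryption" (0x20000000).
$baseline = @(
    @{ Name='Accounts: Limit local account use of blank passwords to console logon only'; Path=$lsa; Value='LimitBlankPasswordUse';    Expected=1 }
    @{ Name='Interactive logon: Do not display last user name';                           Path=$pol; Value='DontDisplayLastUserName';  Expected=1 }
    @{ Name='Interactive logon: Do not require CTRL+ALT+DEL';                             Path=$pol; Value='DisableCAD';               Expected=0 }
    @{ Name='Interactive logon: Number of previous logons to cache';                      Path=$wlg; Value='CachedLogonsCount';        Expected='0' }
    @{ Name='Interactive logon: Prompt user to change password before expiration (days)'; Path=$wlg; Value='PasswordExpiryWarning';    Expected=14 }
    @{ Name='Microsoft network client: Send unencrypted password to third-party SMB servers'; Path=$wks; Value='EnablePlainTextPassword'; Expected=0 }
    @{ Name='Microsoft network server: Digitally sign communications (always)';           Path=$srv; Value='RequireSecuritySignature'; Expected=1 }
    @{ Name='Microsoft network server: Idle time before suspending session (minutes)';    Path=$srv; Value='AutoDisconnect';           Expected=15 }
    @{ Name='Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path=$lsa; Value='RestrictAnonymous';    Expected=1 }
    @{ Name='Network access: Do not allow storage of credentials for network authentication'; Path=$lsa; Value='DisableDomainCreds';  Expected=1 }
    @{ Name='Network access: Restrict anonymous access to Named Pipes and Shares';        Path=$srv; Value='RestrictNullSessAccess';   Expected=1 }
    @{ Name='Network security: Do not store LAN Manager hash value on next password change'; Path=$lsa; Value='NoLMHash';             Expected=1 }
    @{ Name='Network security: LAN Manager authentication level (5 = NTLMv2 only, refuse LM & NTLM)'; Path=$lsa; Value='LmCompatibilityLevel'; Expected=5 }
    @{ Name='Network security: Minimum session security for NTLM SSP clients';            Path=$msv; Value='NTLMMinClientSec';         Expected=0x20080000 }
    @{ Name='Network security: Minimum session security for NTLM SSP servers';            Path=$msv; Value='NTLMMinServerSec';         Expected=0x20080000 }
    @{ Name='Shutdown: Clear virtual memory pagefile';                                    Path=$mm;  Value='ClearPageFileAtShutdown';  Expected=1 }
)

function Test-SecurityOptionBaseline {
    param([Parameter(Mandatory)] [hashtable[]] $Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        $key = Get-ItemProperty -Path $item.Path -Name $item.Value -ErrorAction SilentlyContinue
        if ($null -ne $key) { $actual = $key.$($item.Value) }
        [pscustomobject]@{
            Setting   = $item.Name
            Expected  = $item.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            # A missing value means the OS default applies; that is reported as a
            # finding so the reviewer decides rather than the script assuming.
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($item.Expected)")
        }
    }
}

$results = Test-SecurityOptionBaseline -Baseline $baseline
$results | Format-Table -AutoSize -Wrap
'{0} of {1} checked settings match the High-security desktop column.' -f `
    @($results | Where-Object Compliant).Count, $results.Count
```

Values such as the logon message text, the rename recommendations and the user rights are deliberately left out: the first two are free text, and user rights live in the security database rather than under these keys, so secedit /export is the right tool for them.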
I. Hardening system accounts
1. Disable anonymous account enumeration
Some worms with hacker-like behaviour scan specific ports on Windows 2000/XP systems and then try to guess the administrator password over a share session. To defend against this kind of intrusion, disable anonymous account enumeration in "Local Security Policy". The procedure is as follows:
In the "Security Settings" tree on the left of "Local Security Policy", expand "Local Policies > Security Options". In the list of policies on the right, find "Network access: Do not allow anonymous enumeration of SAM accounts and shares", right-click it and choose "Properties" from the pop-up menu. In the dialog box that appears, select "Enabled" and click "Apply" for the setting to take effect.
2. Account management
To prevent intruders from exploiting a vulnerability to log on to the machine, rename the system administrator account and disable the Guest account. Under "Local Policies > Security Options", find the "Accounts: Guest account status" policy, right-click it and choose "Properties" from the shortcut menu. In the properties dialog that appears, set the status to "Disabled" and click "OK" to exit.
II. Strengthening password security
In "Security Settings", open "Account Policies > Password Policy". In the "Settings" view on the right you can adjust the password policy so that system passwords are reasonably secure and not easy to crack. For example, an important defence against cracking is to change passwords regularly. To enforce this, right-click "Maximum password age", choose "Properties" from the pop-up menu, and in the dialog box set how long a password may be used after it is set (1 to 999 days).
In addition, through "Local Security Settings" you can also enable "Audit object access" to track the user accounts used to access files or other objects, logon attempts, system shutdowns or restarts, and similar events. The settings described here are far from complete; in practice you will find that "Local Security Settings" is an indispensable system security tool.
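The three steps of sections I and II (disable anonymous enumeration, rename the administrator and disable the Guest account, limit the maximum password age) can be scripted from an elevated PowerShell prompt. The script below is an added example, not part of the original page. It locates the built-in accounts by their well-known RIDs (500 for Administrator, 501 for Guest) rather than by name, so it still works if the names were changed earlier; the new administrator name and the 90-day maximum password age are assumed values chosen for the example, not taken from the page.

```powershell
# Added example (not from the original page): sections I and II as a script.
# Run elevated. $NewAdminName and $MaxPasswordAgeDays are assumed values.
param(
    [string] $NewAdminName = 'svc-localadmin',   # assumed; pick a non-obvious name
    [int]    $MaxPasswordAgeDays = 90            # assumed; the page allows 1 to 999
)

# I.1 "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
# is stored as RestrictAnonymous under the Lsa key; 1 = Enabled. RestrictAnonymousSAM
# is the companion value for the SAM-accounts-only policy.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RestrictAnonymous    -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM -Value 1 -Type DWord

# I.2 Find the built-in accounts by RID: 500 = Administrator, 501 = Guest.
function Get-BuiltinAccount {
    param([Parameter(Mandatory)] [ValidateSet(500, 501)] [int] $Rid)
    Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$Rid" }
}
$builtinAdmin = Get-BuiltinAccount -Rid 500
$builtinGuest = Get-BuiltinAccount -Rid 501

if ($builtinAdmin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $NewAdminName
}
if ($builtinGuest.Enabled) {
    Disable-LocalUser -Name $builtinGuest.Name
}

# II. Maximum password age (the page's "maximum password retention period").
& net.exe accounts /maxpwage:$MaxPasswordAgeDays | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'net accounts failed' }

# Verify all three changes and return them as one object for further scripting.
[pscustomobject]@{
    RestrictAnonymous = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous).RestrictAnonymous
    AdminAccountName  = (Get-BuiltinAccount -Rid 500).Name
    GuestEnabled      = (Get-BuiltinAccount -Rid 501).Enabled
    MaxPasswordAge    = (& net.exe accounts | Select-String 'Maximum password age').Line.Trim()
}
```

On a domain-joined machine the "Accounts: Rename administrator account" and "Accounts: Guest account status" policies from a GPO take precedence at the next refresh, so the same values belong in the GPO; renaming the account only raises the bar for name-based guessing, since the RID-500 account is still discoverable by SID, which is why the enumeration restriction in step I.1 matters as well.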