Use group policies to ensure network security (1)

Group PolicyEach system administrator is well known for its powerful functions. The following describes how to use group policies to ensure network security.

For the purpose of ensuring local network security, many network administrators often "Ask" professional network security tools to enhance the security protection capabilities of local systems or networks. However, most professional network security defense tools require a lot of money. Moreover, some of their security defense capabilities do not satisfy us very much. In this case, can we start from ourselves and rely on our own strength to fully protect local network security? As a matter of fact, as long as we "get out" of the Group Policy is an effective weapon, we can effectively "Drive" the local network security!

1. Lock the firewall more securely

We know that enabling firewall programs can effectively protect the security of local systems and networks. However, many applications may fail to run normally, for this reason, many people often take the initiative to shut down the firewall program, so that the local network or system will be greatly threatened by security. Is there any way to lock the enabled firewall program to prevent normal users from tampering at will? In fact, as long as we modify system-related group policies in Windows XP workstation, we can prevent others from shutting down firewall programs at will, so as to protect the security of the local network or system, the procedure for this method is as follows:

First, click the start button on the Windows XP system desktop and execute the run command from the Start menu to open the run dialog box for the local system, enter the string command "gpedit. msc, click OK to open the system group policy edit window of the local workstation;

Second, in the left-side list area of the Group Policy editing window, double-click the "Computer Configuration" item, under the Group Policy Branch that is subsequently expanded, select "management template", "network", and "network connection" in sequence, under the "Network Connection" option, we can see the "Domain Configuration File" sub-item and "standard configuration file" sub-item. If the local workstation is located in a LAN domain, select the "Domain Configuration File" sub-item. In the list area on the right of the sub-item, double-click the "Windows Firewall: Protect all network connections" item with the mouse, open the Group Policy attribute setting window shown in 1. Select the "enabled" option in the setting window and click "OK, in this way, when we open the attribute setting window of the firewall program again in the future, we will see that the "enable" option is in the gray State and cannot be modified, this means that no one else can close the firewall program at will, so that the security of the local network can be effectively guaranteed!

Figure 1

2. Beware of children secretly surfing the internet

During the holidays, many children often secretly surf the Internet while adults are not at home, and browse some website information that may cause insecure local systems or networks, therefore, some adults often delete the network connections in the local system before going out, so that children cannot perform normal ADSL dial-up Internet connections; however, this method is not very useful for those who are familiar with the Internet, because these children often automatically create new network connections. In fact, we can modify the system group policy to prevent children from randomly creating network connections in the local system, so as to ensure that the local system or network is not attacked by illegal website information, the specific implementation steps of this method are as follows:

First, click the start button on the Windows XP system desktop and execute the run command from the Start menu to open the run dialog box for the local system, enter the string command "gpedit. msc, click OK to open the system group policy edit window of the local workstation;

Second, in the left-side list area of the Group Policy editing window, double-click the "user configuration" item, under the Group Policy Branch that is subsequently expanded, select the "manage template", "network", and "network connection" options, and in the List area on the right of the "Network Connection" option, double-click the "prohibit access to the" New Connection Wizard "project and open the Group Policy attribute setting window shown in 2. Select the" enabled "option in the setting window, click the "OK" button, so that when a child tries to create a new dial-up network connection, the system will prompt that the user does not have the permission to create a network connection, in this way, children cannot access website information at will, and the local network or system will not be vulnerable to attacks or damages from illegal website information.

Figure 2

3. Refuse to share resources

The operating systems used by each computer in the LAN may be different. Some use Windows XP, and some use Windows 2000 or Windows 2003, even some computers are still using Windows 98. By default, Windows 2000 or a later version of the computer system denies Windows 98 computer systems from accessing shared resources through the guest identity. Therefore, many network administrators can easily exchange files, the local guest account is often enabled directly, allowing any user to access Shared resources on other computers from Windows 98. However, the shared resources among other computer systems are also open to the outside world. Obviously, such openness poses a great threat to the security of LAN shared resources, we should prevent anyone from enabling the Guest account at will to ensure that the local shared resources are not open to the outside. The following describes how to prohibit any guest from accessing shared resources at will:

First, click the start button on the system desktop to run the run command from the Start menu to open the run dialog box for the local system, and enter the string command "gpedit. msc, click OK to open the system group policy edit window of the local workstation;

Second, in the left-side list area of the Group Policy editing window, double-click the "Computer Configuration" item, under the Group Policy Branch that is subsequently expanded, select "Windows Settings", "Security Settings", "Local Policy", and "user permission assignment", and in the List area on the right of the "user permission assignment" option, double-click the "Deny access to this computer from the network" project and open the Group Policy attribute setting window shown in 3;

Figure 3

In the settings window, check whether the Guest account exists. If the account is not found, click "add user or group, open the "select user or group" dialog box, select and add the Guest account, and click "OK, in this way, no guest user can access Shared Resources on the local LAN.

4. prevent brute-force password cracking

By default, a Windows XP workstation system allows each visitor to obtain a list of all the shared resources and local user accounts in the local workstation through an empty user connection, the system opened this function to facilitate the transmission and exchange of shared information between users in the LAN. However, while fully enjoying the convenience brought by this default function, many malicious attackers can also exploit this function to secretly obtain information about all local shared resources and user lists, once the information is obtained, they will obtain the user's core password information through brute force cracking, which may pose a great security threat to the local system or network. To prevent malicious attackers from cracking the shared password information, we can use the following methods to deny normal users from accessing and accessing shared resources and user list information through anonymous accounts:

First, click the start button on the system desktop to run the run command from the Start menu to open the run dialog box for the local system, and enter the string command "gpedit. msc, click OK to open the system group policy edit window of the local workstation;

Second, in the left-side list area of the Group Policy editing window, double-click the "Computer Configuration" item, under the Group Policy Branch that is subsequently expanded, select "Windows Settings", "Security Settings", "Local Policy", and "Security Options", and in the List area on the right of the "Security Options" project, double-click the "Network Access: do not allow SAM account and shared Anonymous Enumeration" item, and open the Group Policy attribute setting window shown in 4. In this setting window, select "enabled, click the "OK" button, so that the local workstation will prohibit each visitor from getting the list of all shared resources and all local user accounts in the local workstation by means of an empty user connection, this ensures that the access password for Local Shared resources is not stolen by malicious attackers.

Figure 4