Windows Server 2008 Group Policy Security Practices (Also Applies to Domain Controllers)

Source: Internet
Author: User

Windows Server 2008 has unusually strong security capabilities, and that strength comes not only from newly added security features but also from some little-noticed traditional ones. Digging into the Group Policy features of Windows Server 2008 reveals a number of security applications:

1. Restrict the use of Thunder for malicious downloading

When users freely use the Thunder download tool for malicious downloading, it not only wastes local disk space but also consumes a large share of the local system's Internet bandwidth. In a Windows Server 2008 environment there are many ways to stop ordinary users from downloading with Thunder, for example the new advanced security firewall feature of Windows Server 2008, or restricting the download ports. Besides these methods, we can also use the system's software restriction policies to achieve the same goal. The specific steps are as follows:

First, log on to the Windows Server 2008 system with system administrator privileges and open the Group Policy console window.

Next, in the left pane of the console window, select Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies, right-click it, and run the "New Software Restriction Policies" command from the shortcut menu.

Then, in the area to the right of the Software Restriction Policies node, double-click the Enforcement item to open the settings dialog box shown in Figure 1, select the "All users except local administrators" option, leave the remaining parameters at their default settings, and click OK to finish.

Figure 1 Software restriction policies

After that, select the Additional Rules node under Software Restriction Policies, right-click it, and choose the "New Path Rule" command from the shortcut menu. In the settings dialog box that follows, click the "Browse" button to select the Thunder download program, set the "Security level" parameter to "Disallowed", and click "OK" to save the setting.

Restart the Windows Server 2008 system. When a user logs on with an ordinary account, that user can no longer use the Thunder program for malicious downloading, but when we log on to the local computer with system administrator rights we can still run Thunder and download freely.

2. Prevent network viruses from hiding in temporary folders

Network viruses are rampant on the Internet today. To evade anti-virus software, some "cunning" network viruses find ways to hide themselves in the system temporary folder, so that even when the anti-virus software finds the virus it is helpless, because it has no authority over the system temporary folder. To prevent network viruses from hiding in the system Temp folder, we can set a software restriction policy on Windows Server 2008 as follows:

First, open the Group Policy console window of the Windows Server 2008 system.

Figure 2 Setting the security level parameter to "Disallowed"

Next, in the left pane of the console window, select Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, right-click it, and run the "New Path Rule" command from the shortcut menu to open the settings dialog box shown in Figure 2. Click the Browse button, select the temporary folder of the Windows Server 2008 system in the file selection dialog box that pops up, set the security level parameter to "Disallowed", and click "OK" to save the settings. From then on, network viruses cannot hide in the system's temporary folder.
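The path rules created in sections 1 and 2 are stored in the registry and can be checked without opening the console. The following read-only script is an added example, not part of the original article; the two Temp folders it checks are assumptions, and it only evaluates plain folder paths.

```powershell
# Added example: read-only audit of machine-scope Software Restriction Policies (SRP).
# A Disallowed path rule stops programs in that folder from being started.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpEnforcement {
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if (-not (Test-Path $SrpRoot)) { return $null }   # no SRP policy created yet
    $cfg = Get-ItemProperty -Path $SrpRoot
    New-Object PSObject -Property @{
        DefaultLevel      = $cfg.DefaultLevel          # 262144 = Unrestricted, 0 = Disallowed
        ExemptLocalAdmins = ($cfg.PolicyScope -eq 1)
    }
}

function Get-SrpDisallowedPath {
    # Disallowed rules live under <root>\0\Paths\{rule GUID}, in the ItemData value
    $paths = Join-Path $SrpRoot '0\Paths'
    if (-not (Test-Path $paths)) { return }
    Get-ChildItem -Path $paths | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            RuleId = $_.PSChildName
            Path   = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)
        }
    }
}

function Test-SrpCoversFolder {
    # True if a Disallowed path rule names $Folder or one of its parent folders.
    # Plain prefix match only: wildcard and registry-path rules are not evaluated.
    param([string]$Folder)
    $target = $Folder.TrimEnd('\') + '\'
    foreach ($rule in @(Get-SrpDisallowedPath)) {
        $prefix = $rule.Path.TrimEnd('\') + '\'
        if ($target.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Get-SrpEnforcement
Get-SrpDisallowedPath | Format-Table -AutoSize
# Assumed folders to check: the machine Temp folder and the current user's Temp folder
foreach ($f in "$env:SystemRoot\Temp", $env:TEMP) {
    '{0} covered by a Disallowed rule: {1}' -f $f, (Test-SrpCoversFolder $f)
}
```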

3. Block illegal ping attacks from the external network

We know that the Windows ping command lets us quickly check the network connectivity of an important computer on the LAN. However, useful as ping is to us, it is also easily exploited by malicious users. For example, if a malicious user uses specialized tools to send ping test packets continuously to an important computer, that computer is prone to paralysis because it cannot answer all of them. To keep a Windows Server 2008 server stable, we can modify the system's Group Policy parameters to block illegal ping attacks from the external network:

Open the Windows Server 2008 Group Policy console window, select the Computer Configuration node in the list on the left side of the console, and under it expand Windows Settings, Security Settings, Windows Firewall with Advanced Security, and Windows Firewall with Advanced Security - Local Group Policy Object in turn, then select the "Inbound Rules" item under that node.

Then, in the Actions list to the right of the Inbound Rules item, click the New Rule option. The New Inbound Rule Wizard dialog box opens automatically. Following the wizard's prompts, first select the Custom option, then select the All programs item, and then select "ICMPv4" from the list of protocol types, as shown in Figure 3.

Figure 3 Selecting "ICMPv4" from the list of protocol types

When the wizard asks which action to take for connections that match the conditions, select the "Block the connection" option, set the profiles to which the inbound rule applies according to the actual situation, and finally give the new inbound rule an appropriate name. After completing the steps above, restart the Windows Server 2008 server; from then on it will no longer be subject to illegal ping tests from the external network.
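The same inbound rule can be created from an elevated prompt so that it is repeatable across servers. This is an added example, not part of the original article; the rule name and the default profile are assumptions, and netsh writes to the local firewall store rather than to the local Group Policy object edited in the wizard steps above.

```powershell
# Added example: scripted counterpart of the wizard steps above (run elevated).
# The rule name and the default profile are assumptions; adjust to the environment.
$RuleName = 'Block-Inbound-ICMPv4'

function Test-FwRule {
    param([string]$Name)
    # netsh exits non-zero when no rule matches the name
    netsh advfirewall firewall show rule name=$Name | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-IcmpBlockRule {
    param([string]$Name = $RuleName, [string]$FwProfile = 'any')
    # Skip creation if the rule is already present, so the script can be re-run safely
    if (Test-FwRule $Name) { return "Rule '$Name' already exists" }
    # Custom inbound rule: all programs, protocol ICMPv4, action Block
    netsh advfirewall firewall add rule name=$Name dir=in action=block protocol=icmpv4 profile=$FwProfile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    return "Rule '$Name' created"
}

Add-IcmpBlockRule
# Print the stored rule so direction, protocol, profiles and action can be confirmed
netsh advfirewall firewall show rule name=$RuleName verbose
```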

Tip: Although many security precautions can be implemented with the advanced security firewall of Windows Server 2008, an attacker with a little technical knowledge can find a way to modify the firewall's security rules, so the rules we define ourselves may stop working. To prevent attackers from arbitrarily modifying the firewall security rules of a Windows Server 2008 server, we can do the following:

First, open the Start menu of the Windows Server 2008 server, click the "Run" command, and enter "regedit" in the Run box to open the Registry Editor window. In the left pane of the window select the HKEY_LOCAL_MACHINE node, and under it select the registry subkey SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, under which many security rules are stored.

Next, open the "Edit" drop-down menu in the Registry Editor window and click "Permissions" to open the permissions dialog box. Click the "Add" button in the dialog box, select and add the "Everyone" account, then set "Full Control" for that account to "Deny", and finally click "OK" to save the setting. From then on, unauthorized users will not be able to modify the security control rules of the Windows Server 2008 server.
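To confirm what the permission change actually did, the access control list of that subkey can be read back. The script below is an added example, not part of the original article; it is read-only, uses the key path given in the tip, and should be run elevated.

```powershell
# Added example: read-only check of who may change the stored firewall rules.
$FwKey = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Rights that allow changing values, subkeys, the ACL or the owner,
# plus GENERIC_ALL / GENERIC_WRITE, which inherited entries may carry instead
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-RegistryKeyWriter {
    # Lists every Allow or Deny entry that touches a write-type right
    param([string]$Path = $FwKey)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        New-Object PSObject -Property @{
            Type      = $ace.AccessControlType
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-EveryoneDenyWrite {
    # True if a Deny entry for Everyone (well-known SID S-1-1-0) covers a write-type right.
    # Matching on the SID avoids depending on the localized account name.
    param([string]$Path = $FwKey)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq 'S-1-1-0' -and
            $ace.AccessControlType -eq 'Deny' -and
            ([int]$ace.RegistryRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# The owner of a key can always rewrite its permissions, so report it as well
'Owner: ' + (Get-Acl -Path $FwKey).Owner
Get-RegistryKeyWriter | Sort-Object Type | Format-Table Type, Identity, Rights, Inherited -AutoSize
'Deny entry for Everyone present: ' + (Test-EveryoneDenyWrite)
```

Everyone also covers administrators and service accounts, so a Deny entry for it applies to them as well.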

4. Prevent ordinary users from accessing the Internet at will

Windows Server 2008 is usually installed on important computers. To protect such a computer from security threats, we often need to restrict ordinary users on the system from freely accessing the Internet, but simply shutting off the system's Internet access would also stop privileged users from reaching the Internet normally. So how can we limit Internet access for ordinary users without affecting privileged users? We can modify the Group Policy parameters of the Windows Server 2008 system by following these steps:

First, log on to the Windows Server 2008 system with ordinary permissions, open an IE browser window, click the "Tools" menu, and select "Internet Options" from the drop-down menu to open the Internet Options window.

Next, click the "Connections" tab in the Internet Options window to go to the connection settings page, click the "LAN Settings" button on that page, select the "Use a proxy server for your LAN" option on the settings page that follows, enter the host address and port number of a proxy server, and click the "OK" button to save the setting.

Then log off the Windows Server 2008 system, log on again with a privileged user account, click Start, click Run, enter the "gpedit.msc" command in the Run box that appears, and click the "OK" button to open the system's Group Policy console window.

Figure 4 Prohibit ordinary users from free access to the Internet

Select the Computer Configuration node in the left pane of the console window, and under it expand Administrative Templates, Windows Components, Internet Explorer, and Internet Control Panel in turn. Then double-click the "Disable the Connections page" Group Policy item under that node to open the policy's properties dialog box shown in Figure 4, select the "Enabled" option, and click the "OK" button to save the setting. From then on, when a user with ordinary permissions tries to access the network on the Windows Server 2008 system, IE automatically connects to the non-working proxy server and therefore cannot display web pages, whereas when a privileged user accesses the network on the same system, IE displays the target site directly without going through a proxy server.

5. Disconnect remote connections to restore system state

Malicious users often establish many remote connections at the same time to consume the valuable resources of a Windows Server 2008 server and ultimately bring it down. When managing a Windows Server 2008 server, once we find that it has suddenly stopped functioning properly, we can forcibly disconnect all remote connections to it in order to restore the server to normal operation in a timely manner:

First, open the Group Policy console window on the Windows Server 2008 server.

Figure 5 Removing all user remote access connections

Next, in the left pane of the Group Policy console window, select the User Configuration node and then the Administrative Templates/Network/Network Connections Group Policy branch below it. Under the Network Connections branch, double-click the "Remove all user remote access connections" option, select the Enabled option in the settings dialog box shown in Figure 5, and click the OK button to save the setting. Every remote connection to the Windows Server 2008 server is then automatically disconnected, and the system may return to normal operation immediately.

Note: The policies above also apply to a domain. On a 2008 domain controller, applying different restrictions to different OUs likewise makes it possible to implement access restrictions and security control for the clients in the domain.

Originally from: http://blog.csdn.net/wangxiaofei2006/article/details/5852004
