Improving the security of Win7 system by using Group Policy skillfully

For Windows 7 optimization settings are endless, the user is often a patchwork, no clue, and these methods are difficult to distinguish the authenticity of the results, how the effect is unknown. In fact, using the WIN7 System Group Policy function, we can realize the Win7 system optimization. This article explains how to use Group Policy to make Win7 more secure.

Note: Group Policy features are available only in the WIN7 professional, flagship, and Enterprise editions.

File secrecy to the drive, put on the invisibility cloak.

The drive mainly includes the hard disk, the optical drive and the mobile device, mainly uses in the storage data and so on. Therefore, restricting the use of drives, can effectively prevent the important and confidential information leakage, sniper virus and Trojan intrusion, very necessary. The drives are different, the restriction methods are different, and the same drive has different limit levels. Say hard disk, generally have hidden and prohibit access to two levels. Hidden levels are relatively rudimentary, leaving the drive invisible, which is generally used to protect children and novice users, and blocking access can completely block drive access. For mobile devices, you can choose to set read, write, and execute permissions, but viruses and Trojans are generally propagated by executing malicious programs, so it is most effective to prohibit execution of permissions.

Primary defense ordinary users do not see

Home computer hard disk has some important files, do not want to let others see, the easiest way is to hide the files in the drive. Click "Start", enter "Gpedit.msc" in the search box, confirm that the Group Policy Editor opens, expand User Configuration → admin template →windows component →windows Explorer, and go to "hide these specified drives in My Computer" in the right setting window. , select Enabled, select the drive that you want to hide in the Drop-down list below, and then determine. Then go to "computer" and the drive icon you just selected is gone.

Tip: This method simply hides the drive icon, and users can still access the contents of the drive in other ways, such as typing the directory path on the drive directly in the address bar. In addition, this setting does not prevent users from using programs to access these drives or their contents.

Advanced defense privileged users can use

System disk has important system files, can not let others casually modify or move. In particular, some partitions have important files, if only to hide the drive, other people can access, so of course not! The safest way to do this is to protect the associated drives and disallow access by users without permission.

Similarly, in the Group Policy Manager, expand User Configuration → admin templates →windows component →windows Explorer, go to prevent access to drive from My computer, select Enabled, and select the drive that you want to disable in the Drop-down list below to take effect ( As shown in Figure 1). When someone else wants to access the associated drive, a "Limit" Prompt window appears! When you need to view it, just change the relevant policy setting from enabled to Not configured.

Tip: How do you prevent others from using Group Policy editing? It's easy to get someone else to use the normal user type account (not having permission to open the Group Policy Editor) by setting up users with different permissions.

Disable the ability to execute a mobile device the posterior approach of Trojan virus

Mobile devices (such as flash memory, mobile hard disk, etc.) have become a standard configuration for many users, and are most widely used. Because of this, it has become the main way to spread viruses and trojans. And the general restrictions on read and write permissions can not prevent viruses and Trojans intrusion, because the virus is transmitted through the implementation of virus and Trojan program to achieve, so disable the execution of the right to cut off the virus transmission.

Expand Computer Configuration → admin templates → system → Removable Storage access, go to removable disk: Deny Execute permissions, select Enabled, and make sure the settings are in effect. The executable on the mobile device will not be able to execute and the computer will no longer be infected with the virus. And if it needs to be done, just copy it to the hard drive.

Surfing the web and putting on a sweater on the browser

Computer is one of the most important uses of the Internet, but to tell the truth, now the Internet is not worry, viruses, Trojans and rogue software rampage, even a number of large sites will be hung horse, users are really impossible to guard against. And a lot of malware will tamper with the browser home page or other browser settings, once the recruit, open the browser will pop up a messy page or even Trojan Web site, so that users frustrated! In addition, some users use the browser to download files without regularity, often get file confusion, virus files Once the download is difficult to clear. So how to enhance the browser's "immunity" is particularly important.

Lock Home

Home page tampering is the most common, and the use of Group Policy locking, you can completely solve the problem. Not only will not pop a messy page, but also reduce the risk of poisoning and the Trojan again. Expand User Configuration → admin templates →windows component →internet Explorer, go to "Disable change home Settings", select "Enabled", and enter the default home page under Options, and after that, the setting takes effect (as shown in Figure 2).

Tip: When you enable this policy setting, users will not be able to set the default home page, so if necessary, users must specify a default home page before modifying the settings.

Frozen IE settings

As mentioned above, once the system poisoned or trojan, in addition to IE homepage will be tampered with, other IE settings may be tampered with. So it is necessary to add a shield to IE settings. In particular, IE settings once set, may not change for a long time, so it is not as complete as ice!

Expand User Configuration → Administrative Templates →windows components →internet explorer→internet Control Panel, and the right pane has "Disable Advanced pages", "Disable connection pages", "Disable content pages", "Disable General pages", "Disable Privacy page", "Disable program pages", and " Disable secure pages, respectively, for the seven tabs in Internet Options in IE (shown in Figure 3). If all is enabled, opening Internet options will bring up the "Limit" error dialog box, which completely eliminates the changes to IE browser settings.

Tip: Starting disable General page will remove the General tab in Internet Options. If you enable this policy, users cannot view and change settings for the home page, cache, history, page appearance, and accessibility features. Because this policy deletes the General tab, if you set this policy, you do not need to set the following Internet Explorer policies--"Disable changing home settings," "Disable changing the Temporary Internet file settings," "Disable change history settings," "Disable changing color settings," " Disable changing link color settings, disable changing font settings, disable changing language settings, and disable changing accessibility settings.

Privilege management to the system with a piercing eyes

Now some software is really rogue, for example, many software beauty its name Yue for the convenience of other people to use, but will be in the software packaging or greening the process of malicious bundled some programs or some Web pages also packaged in. Methods are generally very low-level, but only through batch files and manual injection of registry information, so we can use Group Policy to prohibit some of the dangerous types of files to run. In addition to some public places (such as offices, etc.), a lot of software is not allowed to use (such as chat software, etc.), then managers can also use Group Policy to achieve effective management.

Prevent dangerous files from running

Some types of files, such as the ". Reg" Registry file and the ". bat" batch file, are rarely used by users, and are easily exploited by viruses or trojans, so banning these types of files can help secure the computer to some extent.

Expand Computer Configuration →windows settings → security settings → software restriction policies. Select Create software restriction policy on the pop-up right-click menu to automatically generate the security level, other rules, coercion, specified file types, and trusted publishers. ".". Enter the Properties window for the specified file type, leaving only the file types that you want to prohibit, such as bat batch files, to remove all other file types. If the type is not in the list, enter the file type you want to disable directly in the file name extension text box below. Then enter the "security level → do not allow", click the "Set as Default" button, this policy is in effect. When any batch file is run, it is blocked from executing.

Disabling programs put on a vest I know you too

In addition, many companies are not allowed to use chat software. QQ, for example, if the direct uninstall QQ, users may also be installed, or the software installed to other locations. At this point you may want to use Group Policy to easily handle.

Expand Computer Configuration →windows settings → security settings → software restriction policies → other rules, and select new hash rule (as shown in Figure 4). Click "Browse" to select the QQ execution file "QQ.exe", "File Information" the first line below is the generated hash value, this value is unique, the following will also show the basic information of the file, "Security level" select "Not allowed." After you confirm, log off, log on again, and the settings will take effect.

Tip: The advantage of adopting a hash rule is that no matter whether the program is renamed or moved or any other operation, the limit is not invalidated as long as the hash value is verified to be consistent! This can effectively limit the operation of some software.