IP address modification channel, cleverly cut off

When the TCP/IP parameters of workstations in the LAN are modified at will, IP address conflicts may occur, which may cause great trouble for LAN Management. As a Network Administrator, is there a way to protect your network and prevent others from making decisions at Will-illegally modifying IP addresses? In fact, it is very simple. You only need to refer to the following steps to easily avoid the trouble of illegal IP address modification!

Registry Settings

First, you need to hide the "Network Neighbor" icon on the desktop, so that others cannot enter the TCP/IP Parameter Setting interface through the "Network Neighbor" attribute window. Expand the subkeys "HKEY_CURRENT_USER", "Software", "Microsoft", "Windows", "CurrentVersion", "related ies", and "Explorer" in the registry editing window in sequence, then, under the "Explorer" sub-key, create a double byte value named "NoNetHood" and set it to "1.

Then, hide the "network" icon in the control panel window, and others cannot open the TCP/IP Parameter Setting interface. As long as you open "WindowsSys_tem (remove" _ ") etcpl. cpl file, and then enter a line at [don "t load], such as" netcpl. cpl = no. After saving the code again, the "network" icon disappears from the control panel window.

At this point, all the ways to change the IP address are "disconnected", so that other people can do nothing even if they want to modify the IP address. Of course, this method can only be used by cainiao netizens. For "Prawn" Netizens, it is almost the ears of the deaf. Because once a netizen finds "netcpl. the cpl file still has a way to restore the "network" or "Network Neighbor" icon. Therefore, you still need to do the following to truly cut off the "IP address modification channel:

Expand the "HKEY_CURRENT_USER", "Software", "Microsoft", "Windows", "CurrentVersion", "Policies", and "Network" subkeys in the Registry in sequence, create a dual-byte value named "NoNetSetup" under the "Network" subkey and set it to "1". Then, if you want to open the "Network Neighbor" or "network" attribute window, you will receive a prompt that you are not authorized to access the window.

File Transfer Method

The above method is only applicable to the Windows 98 operating system. How can I disable illegal IP address modification in Windows 2000?

In fact, as long as the "Network and dial-up connections" window is disabled, other people can be prevented from entering the TCP/IP Parameter Setting interface. The specific operation steps are as follows:

Open the Sys_tem (remove "_") folder in the WinNT installation directory, and click "ncpa. cpl file, rename it to another name (note that you must remember the name after renaming, or you will not be able to recover it later), and save it to other folders, you cannot open the "Network Neighbor" attribute window on the desktop.
TIPS: "napa. the cpl file corresponds to the "Network and dial-up connections" function in the system control panel, you should not be able to open the "Network and dial-up connections" window. The fact is that the "Network and dial-up connections" icon in the control panel can still open the window. Why? It turns out that when the Windows 2000 operating system is logged on normally, the "ncpa. cpl" file will be automatically called, even if you have moved it to another location, the system will automatically restore it. Therefore, the "Network and dial-up connections" window is closed only when the file is moved to another location in a pure DOS environment.

Of course, there is also a simple way to quickly disable the "Network and dial-up connections" window:

Open the system running dialog box and run "gpedit. msc command. In the displayed group policy editing window, expand "user configuration", "management template", "Taskbar and Start Menu" in sequence ", in the subwindow on the right of the corresponding "Taskbar and Start Menu", double-click the "delete network and dial-up connections from Start Menu" option. In the displayed interface, select the Enable option and click OK!

Can the above method ensure that other users cannot modify Windows 2000 system network parameters? Of course not. in Windows 2000, users can use the Netsh command to modify network parameters in a DOS environment, therefore, it is necessary to hide the "WinNTSys_tem (remove netsh.exe from" _ "zookeeper folder" command so that illegal users cannot find it. The most effective way to hide the “netsh.exe command is to save it by name and move it to another location, so that illegal users cannot access it in the DOS environment!

Address binding method

In addition to disabling others from illegally modifying IP addresses by cutting off the "channel" for IP address modification, you can also directly restrict the specified IP address so that others can modify the IP address even if they do not, and cannot connect to the network. You can use the address binding method to restrict IP addresses:

First, switch the system to the doscommand line status and run the "ipconfig/all" command. In the displayed window, record the MAC address and IP address of the NIC;
Next, on the proxy server, bind the specified IP address with the corresponding MAC address. Even if someone modifies the IP address on your computer, the proxy server will fail, network connection. For example, when binding an IP address, you can run the "arp-s 10.168.160.10 00-30-6E-36-5A-EF" command in the doscommand line, you can bind the static IP Address "10.168.160.10" with the nic mac address "00-30-6E-36-5A-EF.

In a LAN, workstations that use proxy servers to access the Internet can use the preceding method to restrict the modification of static IP addresses. If you need to "Unbind" the IP address in the future, you only need to run the "arp-d 10.168.160.10 00-30-6E-36-5A-EF" command.

If your LAN uses a layer-3 Switch to connect to each workstation, you only need to restrict the IP address at each switch port so that others can modify the IP address even if the IP address is changed, you cannot access the Internet through a vswitch.