Restricting user account privileges to enhance system security

Source: Internet
Author: User
Tags administrator password

When weighing system security against convenience, tilting the scales too far toward convenience can have disastrous consequences. Sacrificing some convenience by restricting what user accounts can do, in order to strengthen system security, is therefore both worthwhile and unavoidable.

Hiding account names

You can implement this by modifying the registry:

1. Run the "regedit" command from the "Start" menu to open Registry Editor;

2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, create a new DWORD value, set the name of this value to the account name you want to hide, and set the value to 0.

Your hidden account (such as the Administrator account) will then no longer appear on the Welcome screen. To log on to an account that is not shown on the Welcome screen, press Ctrl+Alt+Delete twice to display the "Log on to Windows" dialog box and enter the username and password. However, accounts hidden in this way cannot use Fast User Switching, because the double Ctrl+Alt+Delete technique only works when no one else is logged on to the computer.

In my dormitory, I hide my own administrator account and leave only a public account on the Welcome screen, so classmates who want to use the system can only enter that account's password. This is convenient for them, and it also keeps nosy people from probing for my administrator password.

Force access to a specific account by automatically logging in

You can go further and use the automatic logon feature, which at first glance does not seem secure. This way, you can force other users into one particular account without arousing their curiosity to guess the passwords of the other accounts. The method is as follows:

1. Run the control userpasswords2 command from the Start menu to open the User Accounts dialog. On the Users tab, clear the "Users must enter a user name and password to use this computer" check box and click OK (Figure 1);

2. After that, Windows pops up a prompt box (Figure 2) that asks you to enter the username and password of the account you use to log on automatically each time the computer starts.

Additional settings can be made under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key to further control the automatic logon process:

1. After the automatic logon completes, a user can still log off, return to the Welcome screen, and choose another account to log on with, which makes the automatic logon rather pointless. To avoid this, add a string value named ForceAutoLogon to the key mentioned above and set it to 1. The system then logs on to the specified account automatically even after a logoff;

2. By default, holding down the SHIFT key at startup prevents the automatic logon. To remove the effect of the SHIFT key on automatic logons, add a string value named IgnoreShiftOverride and set it to 1;

3. You can also limit the number of automatic logons so that the feature turns itself off once that number is reached. Add a DWORD value named AutoLogonCount and set it to the number of times you want automatic logon to be used. Each time the computer starts and performs an automatic logon, the value of AutoLogonCount is reduced by 1. When it reaches 0, Windows changes the value of AutoAdminLogon to 0 (turning off automatic logon) and deletes the AutoLogonCount value.

It is strongly recommended that you leave yourself a "back door", a way back in: if you apply all of the settings above, you will no longer be able to log on with other accounts. Of course, if the account you specify is at least at the User level (which is already a relatively secure level), you can still run the control userpasswords2 command even if you cannot modify the registry, so there is room for manoeuvre.
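The registry values from the two sections above can be checked in one pass. The following read-only audit is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later and an elevated prompt, and it also checks `DefaultUserName` and `DefaultPassword`, two standard Winlogon values the article does not mention.

```powershell
# Added example: read-only audit of the Winlogon values discussed above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userList = Join-Path $winlogon 'SpecialAccounts\UserList'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = [ordered]@{}
foreach ($name in 'AutoAdminLogon', 'DefaultUserName', 'ForceAutoLogon',
                  'IgnoreShiftOverride', 'AutoLogonCount') {
    $report[$name] = Get-RegValue -Path $winlogon -Name $name
}
# Report only whether a password value exists; never print it.
$report['DefaultPasswordPresent'] =
    $null -ne (Get-RegValue -Path $winlogon -Name 'DefaultPassword')

# Accounts hidden from the Welcome screen: values set to 0 under UserList.
$hidden = @()
if (Test-Path $userList) {
    $key = Get-Item -Path $userList
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -and $key.GetValue($valueName) -eq 0) { $hidden += $valueName }
    }
}

$findings = @()
if ($report.AutoAdminLogon -eq '1') {
    $findings += "Automatic logon is enabled for '$($report.DefaultUserName)'."
    if ($report.DefaultPasswordPresent) {
        # A manually created DefaultPassword value is stored as readable text.
        $findings += 'DefaultPassword is stored in the registry in cleartext.'
    }
    if ($report.ForceAutoLogon -eq '1') {
        $findings += 'ForceAutoLogon=1: logging off returns to the same account.'
    }
    if ($report.IgnoreShiftOverride -eq '1') {
        $findings += 'IgnoreShiftOverride=1: SHIFT at startup no longer skips autologon.'
    }
    if ($null -ne $report.AutoLogonCount) {
        $findings += "AutoLogonCount=$($report.AutoLogonCount) automatic logons remain."
    }
}
if ($hidden.Count -gt 0) { $findings += "Hidden accounts: $($hidden -join ', ')" }

$report
if ($findings.Count -eq 0) { 'No autologon or hidden-account settings found.' } else { $findings }
```

Run it before and after making the changes to confirm exactly which values are set, and keep the output as a record of how to undo them.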

Restricting the use of hard disk partitions and folders

If limiting user accounts is not enough, and there are partitions you do not want others to use at all, or want them only to read and run files from, you can set the partitions' security properties. This requires Windows XP Pro and an NTFS-formatted partition; only then does the Properties dialog have a "Security" tab. If the partition is in FAT format, it is recommended to convert it to NTFS with software such as PQMagic, which is also better for system security. The specific steps are as follows:

1. After you log on to the system as an administrator, right-click a partition in "My Computer" and select Properties > Security. On the Security tab, you can add or remove the groups or users that have access to the partition, and select a user to set that user's permissions (Figure 3);

2. To add a user, click "Add", click "Advanced" in the "Select User or Group" window, and then click "Find Now". Select a user from the list at the bottom of the window, then return to the "Security" tab, where the added user appears in the "Group or user names" column;

3. To delete a user, select it and click "Delete". In this way, you can remove the other users so that the partition belongs only to the administrator user; when someone logs on to the system with another account, they cannot open or use the partition.

If you do not want to go that far, and want to keep things convenient for the users who log on, you can retain only the administrator user and the Everyone user:

Click the Everyone user and select only the Read & Execute item in the permission list below (List Folder Contents and Read are selected automatically along with it), so that no other user can write new data to the partition.

Of course, you can also keep other users out of a single folder in the partition; the procedure is the same as above (just right-click a folder instead of a partition). However, one problem must be addressed here: permission inheritance from the parent. When you try to delete a user from a folder's permission list, a security prompt appears (Figure 4) telling you that the user cannot be deleted. This is because the folder inherits that user's entry from the partition or folder that contains it, where the user has not been deleted, so the deletion cannot be performed (adding a user still works). In this case, you should stop the child folder from inheriting permissions from its parent, as follows:

On the Security tab of the folder's properties, click the Advanced button, and on the Permissions tab clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box (Figure 5). When you confirm, a security prompt appears; click the "Copy" button to complete the operation. You can then perform the delete operation.

Note: All of these actions require the user to be logged on to the system as an administrator or as a member of the Administrators group.
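The folder procedure above (stop inheritance with "Copy", delete a user, leave Everyone with Read & Execute) can also be scripted. This is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and the function name, `D:\Private` and `PC01\student` are hypothetical.

```powershell
# Added example: scripted form of the inheritance and permission steps above.
function Set-FolderRestriction {
    param(
        [Parameter(Mandatory)][string]$Path,            # folder to restrict
        [Parameter(Mandatory)][string]$AccountToRemove  # e.g. 'PC01\student'
    )
    if ($AccountToRemove -match 'Administrators?$') {
        throw 'Refusing to remove an administrator entry (lock-out risk).'
    }

    # Step 1: same as clearing the inherit check box and choosing "Copy".
    # First argument protects the ACL from inheritance; second keeps the
    # inherited entries as explicit copies.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read the ACL. The former inherited entries are now explicit,
    # so the unwanted account can be deleted.
    $acl = Get-Acl -Path $Path
    $account = New-Object System.Security.Principal.NTAccount($AccountToRemove)
    $acl.PurgeAccessRules($account)

    # Step 3: replace whatever Everyone had with Read & Execute only.
    # S-1-1-0 is the well-known SID for Everyone on any display language.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $acl.PurgeAccessRules($everyone)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, 'ReadAndExecute', $inherit, 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting entries so the change can be reviewed.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Hypothetical usage:
# Set-FolderRestriction -Path 'D:\Private' -AccountToRemove 'PC01\student'
```

In the returned list every entry should show `IsInherited` as False, and Everyone should hold only `ReadAndExecute, Synchronize`.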
