Server Security Settings-Local Security Policy Settings

Source: Internet
Author: User

You can also type gpedit.msc in the Run dialog and go to Computer Configuration → Windows Settings → Security Settings → Local Policies.

Command to apply an updated security policy immediately: gpupdate /force (the group policy takes effect without a restart).

Choose Start > Administrative Tools > Local Security Policy

A. Local Policies --> Audit Policy

Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure
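
The nine audit settings above can be applied and verified from an elevated PowerShell prompt instead of the Local Security Policy dialog. This is an added example and not part of the original page; it assumes Windows Vista / Server 2008 or later, where auditpol.exe and its top-level category names exist.

```powershell
# Added example (not from the original page): apply the section A audit baseline
# with auditpol.exe and read it back. Assumes an elevated prompt on Vista+/2008+.
$AuditBaseline = [ordered]@{
    'Policy Change'      = @{ Success = $false; Failure = $true  }
    'Logon/Logoff'       = @{ Success = $true;  Failure = $true  }
    'Object Access'      = @{ Success = $false; Failure = $true  }
    'Detailed Tracking'  = @{ Success = $false; Failure = $false }   # "process tracking": no auditing
    'DS Access'          = @{ Success = $false; Failure = $true  }
    'Privilege Use'      = @{ Success = $false; Failure = $true  }
    'System'             = @{ Success = $true;  Failure = $true  }
    'Account Logon'      = @{ Success = $true;  Failure = $true  }
    'Account Management' = @{ Success = $false; Failure = $true  }
}

function Set-AuditBaseline {
    foreach ($category in $AuditBaseline.Keys) {
        $s = if ($AuditBaseline[$category].Success) { 'enable' } else { 'disable' }
        $f = if ($AuditBaseline[$category].Failure) { 'enable' } else { 'disable' }
        # Setting a category applies the same value to every subcategory inside it
        & auditpol.exe /set /category:"$category" /success:$s /failure:$f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$category'" }
    }
}

function Test-AuditBaseline {
    foreach ($category in $AuditBaseline.Keys) {
        $w = $AuditBaseline[$category]
        # auditpol reports the effective setting with exactly these strings
        $expected = @('No Auditing', 'Failure', 'Success', 'Success and Failure')[[int]$w.Success * 2 + [int]$w.Failure]
        # /r returns CSV with one row per subcategory and an 'Inclusion Setting' column
        $rows = & auditpol.exe /get /category:"$category" /r | Where-Object { $_ } | ConvertFrom-Csv
        foreach ($row in $rows) {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $row.Subcategory
                Expected    = $expected
                Actual      = $row.'Inclusion Setting'
                Compliant   = ($row.'Inclusion Setting' -eq $expected)
            }
        }
    }
}

Set-AuditBaseline
# Show only the subcategories that still differ from the baseline
Test-AuditBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```
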
B. Local Policies --> User Rights Assignment

Shut down the system: keep only the Administrators group and remove all others.
Deny log on through Terminal Services: add the Guests and Users groups.
Allow log on through Terminal Services: keep only the Administrators group and remove all others.

C. Local Policies --> Security Options

Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: remove all entries
Network access: Named pipes that can be accessed anonymously: remove all entries
Network access: Remotely accessible registry paths: remove all entries
Network access: Remotely accessible registry paths and sub-paths: remove all entries
Accounts: Rename guest account: rename it
Accounts: Rename administrator account: rename it

| Setting name in UI | Enterprise Client desktop | Enterprise Client portable | High-security desktop | High-security portable |
|---|---|---|---|---|
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled |
| Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended |
| Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended |
| Devices: Allow undock without having to log on | Disabled | Enabled | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Enabled | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Enabled | Enabled | Enabled | Enabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled |
| Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled |
| Interactive logon: Message text for users attempting to log on | This system is limited to only authorized users. Individuals attempting to perform unauthorized access will be prosecuted. | (same) | (same) | (same) |
| Interactive logon: Message title for users attempting to log on | It is illegal to continue using the service without proper authorization. | (same) | (same) | (same) |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1 |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled |
| Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Disabled | Enabled | Disabled |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled |
| Network security: Force logoff when logon hours expire | Enabled | Disabled | Enabled | Disabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only\refuse LM & NTLM | Send NTLMv2 response only\refuse LM & NTLM |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | No minimum | Require NTLMv2 session security, Require 128-bit encryption | Require NTLMv2 session security, Require 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | No minimum | Require NTLMv2 session security, Require 128-bit encryption | Require NTLMv2 session security, Require 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled | Enabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Disabled | Disabled |
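Most of the Security Options in section C and in the table above are stored as plain registry values, so a server can be checked against the Enterprise Client or High Security desktop column without opening the dialog. This is an added example and not part of the original page; it assumes the standard registry value names Windows uses behind these policies, treats the two identically named SAM-enumeration rows as the pair of policies Windows exposes (SAM accounts; SAM accounts and shares), and skips rows with no simple registry backing.

```powershell
# Added example (not from the original page): compare the registry values behind the
# 'Security Options' rows with the desktop column of the Enterprise Client (EC) or
# High Security (HS) profile. Paths/value names are the standard ones for these policies.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Wlg = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Mem = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# policy, registry path, value name, expected EC value, expected HS value
$Rows = @(
    @('Accounts: blank-password local accounts limited to console logon',     $Lsa, 'LimitBlankPasswordUse', 1, 1),
    @('Interactive logon: do not display last user name',                     $Pol, 'DontDisplayLastUserName', 1, 1),
    @('Interactive logon: do not require CTRL+ALT+DEL (0 = Disabled)',        $Pol, 'DisableCAD', 0, 0),
    @('Interactive logon: previous logons to cache',                          $Wlg, 'CachedLogonsCount', '2', '0'),
    @('Network client: send unencrypted password to third-party SMB servers', $Wks, 'EnablePlainTextPassword', 0, 0),
    @('Network server: digitally sign communications (always)',               $Srv, 'RequireSecuritySignature', 1, 1),
    @('Network server: idle time before suspending session (minutes)',        $Srv, 'AutoDisconnect', 15, 15),
    @('Network access: no anonymous enumeration of SAM accounts',             $Lsa, 'RestrictAnonymousSAM', 1, 1),
    @('Network access: no anonymous enumeration of SAM accounts and shares',  $Lsa, 'RestrictAnonymous', 1, 1),
    @('Network access: do not store credentials for network authentication',  $Lsa, 'DisableDomainCreds', 1, 1),
    @('Network access: restrict anonymous access to named pipes and shares',  $Srv, 'RestrictNullSessAccess', 1, 1),
    @('Network access: sharing and security model (0 = Classic)',             $Lsa, 'ForceGuest', 0, 0),
    @('Network security: do not store LAN Manager hash',                      $Lsa, 'NoLMHash', 1, 1),
    @('Network security: LM auth level (3 = NTLMv2 only, 5 = also refuse LM & NTLM)', $Lsa, 'LmCompatibilityLevel', 3, 5),
    @('Network security: minimum NTLM SSP client session security',           "$Lsa\MSV1_0", 'NTLMMinClientSec', 0, 0x20080000),
    @('Network security: minimum NTLM SSP server session security',           "$Lsa\MSV1_0", 'NTLMMinServerSec', 0, 0x20080000),
    @('Shutdown: clear virtual memory pagefile',                              $Mem, 'ClearPageFileAtShutdown', 0, 1)
)

function Test-SecurityOptions {
    param([ValidateSet('EnterpriseClient', 'HighSecurity')][string]$Profile = 'EnterpriseClient')
    $col = if ($Profile -eq 'EnterpriseClient') { 3 } else { 4 }
    foreach ($r in $Rows) {
        # A missing value means "Not Defined" in the UI, so the OS default applies
        $actual = (Get-ItemProperty -Path $r[1] -Name $r[2] -ErrorAction SilentlyContinue).($r[2])
        [pscustomobject]@{
            Policy    = $r[0]
            Value     = $r[2]
            Expected  = $r[$col]
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = ($null -ne $actual -and "$actual" -eq "$($r[$col])")
        }
    }
}

# List the rows that differ from the High Security desktop column
Test-SecurityOptions -Profile HighSecurity | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```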

I. Harden the system accounts

1. Disable account enumeration

Some worms with hacker-like behaviour scan a specified port on Windows 2000/XP systems and then try to guess the administrator password through share sessions. To defend against this kind of intrusion, disable anonymous account enumeration in "Local Security Policy". The procedure is as follows:
In the "Security Settings" tree on the left side of "Local Security Policy", expand "Local Policies > Security Options". In the policy list on the right, find "Network access: Do not allow anonymous enumeration of SAM accounts and shares", right-click it and choose "Properties" from the pop-up menu. In the dialog box that appears, select "Enabled" and click "Apply" for the setting to take effect.

2. Account management

To prevent an intruder from exploiting a vulnerability to log on to the machine, rename the system administrator account and disable the Guest account. Under "Local Policies > Security Options", find the "Accounts: Guest account status" policy, right-click it and choose "Properties" from the shortcut menu; in the properties dialog box that appears, set the status to "Disabled" and click "OK".

II. Enhance password security

In "Security Settings", first open "Account Policies > Password Policy". In the "Setting" view on the right you can configure the password rules as appropriate so that system passwords are reasonably strong and not easy to crack. For example, one important anti-cracking measure is to change passwords regularly. To enforce this, right-click "Maximum password age", choose "Properties" from the pop-up menu, and in the dialog box set how long a password may be used after it is set (between 1 and 999 days).

In addition, through "Local Security Settings" you can also enable "Audit object access" to track the user accounts used to access files or other objects, logon attempts, system shutdowns or restarts, and similar events. The settings above are not a complete security configuration, but in practice you will find that "Local Security Settings" is an indispensable system security tool.
