To control the security of network access, many people have dug diligently, summarized well, and found many effective network security control practices. Guided by these practices, we have indeed achieved certain results in controlling network access security. However, on careful consideration it is not difficult to see that many of them can only be carried out with external tools. If no ready-made professional tools are available, how can we effectively control network access security? In fact, we only need to strengthen the security settings of the client system, which can also effectively control the security of network access. This article starts from the strict management of system accounts and offers some tips that I hope will help you control network access security effectively.
Remove network access permissions from group users
In many cases, network administrators grant permissions to a whole group of users for convenience. This improves network management efficiency, but it also brings potential threats to network security: some trojan programs secretly add user accounts they have created to a user group with high access permissions, and in this way the trojan can easily obtain unauthorized permissions for an attack. In view of this, on an important host system or server system we need to remove the network access permissions of group users. The specific steps are as follows:
First, open the "Start" menu of the important host system or server system, click the "Run" command, and in the Run box that appears, execute the "gpedit.msc" command to bring up the Group Policy console;
Expand the "Computer Configuration" node in the console, open the "Windows Settings" directory under that node, and select the "Security Settings", "Local Policies", and "User Rights Assignment" sub-directories in turn. Under the last sub-directory, find the Group Policy option "Access this computer from the network" and double-click it to display the option settings dialog box shown in Figure 1;
Here we can see the ordinary users and group users that have network access permissions by default. To control network access security, select the group users we consider suspicious, click the "Remove" button, and then click "OK" to save the settings. In this way, trojans hidden in a specific user group cannot access the local system through the network.
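To review the same setting without opening the dialog, the following added example (not part of the original article) exports the user rights assignment with secedit and resolves every holder of "Access this computer from the network" (SeNetworkLogonRight) to an account name. The temporary file name is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: list who holds "Access this computer from the network".
# Requires an elevated prompt, because secedit /export needs administrator rights.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # file name is an assumption
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export contains one line per user right, for example (constructed sample):
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg

$entries = @()
if ($line) {
    $entries = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
}

$report = foreach ($entry in $entries) {
    $account = $entry
    if ($entry.StartsWith('*')) {
        # Entries prefixed with '*' are SIDs; translate them to readable names.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # A SID that no longer resolves usually belongs to a deleted account.
            $account = '(SID does not resolve to an account)'
        }
    }
    New-Object PSObject -Property @{ Entry = $entry; Account = $account }
}

if ($report) {
    $report | Select-Object Entry, Account | Format-Table -AutoSize
} else {
    'No account or group is assigned SeNetworkLogonRight.'
}
```

Saving the output before and after editing the policy makes it easy to confirm that only the intended groups were removed.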
Set proper permissions for new users
If some trusted new users need to access the local server system through the network, we need to create a new user in the server system and set appropriate access permissions for that user. To do this, first open the Control Panel window of the server system, double-click the "Administrative Tools" icon, and then double-click the "Computer Management" icon in the list of tools to display the Computer Management window. Expand the "Local Users and Groups" node in the left pane, select the "Users" option, right-click it, and choose the "New User" command in the shortcut menu to bring up the creation dialog box shown in Figure 2. Here, set the name and password of the new user, and make the password reasonably complex so that the account cannot be cracked easily by others. Of course, we should not casually add the new user account to other user groups here.
Next, open the Explorer window of the server system, find the target resource folder that the new user needs to access, right-click the folder icon, and click the "Properties" command in the shortcut menu to bring up the properties dialog box for the target folder. Click the "Security" tab, click the "Add" button on that tab page to open the user account selection dialog box, select and add the newly created user account, and grant the appropriate access permissions to the new user.
Allow specific users to have control permissions
To facilitate network management, we often need to remotely control important host systems in the LAN through the network. However, if remote control is enabled indiscriminately, it can easily bring security threats to servers or important host systems. In view of this, we should follow the steps below to grant remote control permissions only to specific trusted users:
First, on the host system that requires remote control, right-click the "My Computer" icon on the desktop and click "Manage" in the shortcut menu to open the Computer Management window. Place the cursor on the "System Tools" node on the left side of the window, expand the "Local Users and Groups" and "Users" options under the node in sequence, find in the user list the specific user who should have the right to remote control, right-click that user, and execute the "Properties" command in the shortcut menu. The properties dialog box for that user is displayed;
Click the "Member Of" tab in the dialog box to display the tab page shown in Figure 3. Check whether the page lists the "Remote Desktop Users" group. If not, click the "Add" button, then click "Advanced" and "Find Now" one after the other, select and add the "Remote Desktop Users" group, and finally click "OK" to save the settings, so that the specific user has permission to remotely control the local server system.
Of course, we can also use another method to give specific users control permissions: right-click "My Computer", choose the "Properties" command in the shortcut menu to display the System Properties dialog box, and click the "Remote" tab. On the remote options page, click the "Select Remote Users" button, then click the "Add" button to select and add the account of the specific user.
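Whichever method is used, it is worth checking afterwards that only the intended accounts ended up in the "Remote Desktop Users" group. The following added example (not part of the original article) lists the group's members and flags any that are not on an approved list; the account name in `$approved` is a placeholder assumption.

```powershell
# Added example: compare "Remote Desktop Users" membership against an approved list.
# The approved account names are assumptions; replace them with your own.
$approved = @('rdp-operator')

# S-1-5-32-555 is the well-known SID of the built-in Remote Desktop Users group.
# Resolving the SID avoids depending on the localized group name.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# The WinNT ADSI provider also works on older systems such as Windows Server 2008.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$unexpected = @($members | Where-Object { $approved -notcontains $_ })

"Members of '$groupName': $($members.Count)"
$members | ForEach-Object { "  $_" }

if ($unexpected.Count -gt 0) {
    'Accounts not on the approved list:'
    $unexpected | ForEach-Object { "  $_" }
} else {
    'All members are on the approved list.'
}
```

Members of the local Administrators group can normally connect through Remote Desktop as well, so that group deserves the same review.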
Force network verification for users
In many cases, for the sake of convenience, network administrators do not set a remote logon password for remote management operations. From then on, no network verification is needed during remote control operations, and they can log on to the LAN server system directly. Obviously, this is very dangerous for the server system. To ensure the security of remote control, we need to force network verification for users. The specific setup steps are as follows:
First, select "Start" and "Run" in the server system to open the Run box, and execute the "regedit" command in it to display the Registry Editor. In the left pane, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, then select and delete the DefaultUserName, DefaultPassword, and AutoAdminLogon values under Winlogon;
Next, open the "Start" menu of the server system, click the "Run" command, and execute the "control userpasswords2" command in the Run box to open the User Accounts settings dialog box. Click the "Users" tab, select the account that needs to remotely control the server system, and then select the "Users must enter a user name and password to use this computer" option (Figure 4). Finally, click "OK" to save the settings, so that the server system will force network verification for the user in the future.
To further control network access security, the Windows Server 2008 server system introduces the network identity authentication function, which forces users to be on a computer system with higher security performance than Windows Vista in order to have the right to remotely control the server system. You can perform the following operations to enable this function:
First, click "Start", "Settings", and "Control Panel" in the Windows Server 2008 server system to bring up the Control Panel window, click the "System and Maintenance" and "System" icons one after the other, and then click the "Remote settings" button in the list on the left of the page to bring up the remote settings dialog box. Select the "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" option in the dialog box. This enables the network identity authentication function of the server system. From then on, users can remotely control the server system only from computer systems with higher security performance.
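The two settings described in this section can be verified from the registry. The following added example (not part of the original article) reports whether the Winlogon automatic-logon values are still present and whether Remote Desktop requires Network Level Authentication; it only reads values and changes nothing.

```powershell
# Added example: read-only check of the autologon values and the NLA setting.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$values = Get-ItemProperty -Path $winlogon

foreach ($name in 'DefaultUserName', 'DefaultPassword', 'AutoAdminLogon') {
    $prop = $values.PSObject.Properties[$name]
    if ($prop) {
        # Never echo a stored password; report only that the value exists.
        $shown = if ($name -eq 'DefaultPassword') { '<present>' } else { $prop.Value }
        "{0,-16} = {1}" -f $name, $shown
    } else {
        "{0,-16} not set" -f $name
    }
}

# Automatic logon is in effect when AutoAdminLogon is "1".
$auto = $values.PSObject.Properties['AutoAdminLogon']
if ($auto -and "$($auto.Value)" -eq '1') {
    'WARNING: automatic logon is enabled on this system.'
}

# UserAuthentication = 1 on the RDP listener means NLA is required.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

if ($nla -eq 1) {
    'Remote Desktop requires Network Level Authentication.'
} else {
    'WARNING: Remote Desktop accepts connections without Network Level Authentication.'
}
```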
Monitor User Account Logon status
To prevent unauthorized users from logging on to the server, Windows Server 2008 adds a function for monitoring user account logons, which allows us to identify potential security risks in a timely manner and ensure that the server system can always run stably. To enable this function, follow these steps:
First, open the "Start" menu of Windows Server 2008, execute the "Run" command, enter the "gpedit.msc" command, and press Enter to bring up the Group Policy console;
In the left-hand list of the console, expand the "Computer Configuration", "Administrative Templates", "Windows Components", and "Windows Logon Options" nodes in sequence, and double-click the target Group Policy option "Display information about previous logons during user logon" under that node. The option settings dialog box shown in Figure 5 is displayed. Select the "Enabled" option in the dialog box and click "OK" to save the settings. In this way, the function for monitoring user account logons on the Windows Server 2008 server system is enabled.
From then on, every time we restart the Windows Server 2008 server system, the system automatically displays the monitored user logon status information, and from this prompt we can learn whether there are security risks on the server.