Building a system fortress with Group Policy on Windows

Source: Internet
Author: User

First, prevent access to drives from My Computer (Windows 2000/XP/2003)

This policy prevents users from viewing the contents of the selected drives in My Computer or Windows Explorer. It also stops them from viewing directories on these drives through the Run dialog box, the Map Network Drive dialog box, or the dir command.

In the Group Policy console, go to User Configuration → Administrative Templates → Windows Components → Windows Explorer, open "Prevent access to drives from My Computer", enable the policy, and select one or more drives in the list box below.

Tip: The icons that represent the specified drives still appear in My Computer, but if the user double-clicks an icon, a message appears explaining that a setting prevents this action. This setting does not prevent users from using other programs to access local and network drives, and it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.

Second, hide the specified drives in My Computer (Windows XP/2003)

This Group Policy setting removes the icons that represent the selected hard drives from My Computer and Windows Explorer. The drive letters of the selected drives also no longer appear in the standard Open dialog box.

In the Group Policy console, go to User Configuration → Administrative Templates → Windows Components → Windows Explorer, open "Hide these specified drives in My Computer", enable the policy, and select one or more drives in the list box below.

Tip: This policy removes only the drive icons. Users can still reach the contents of the drives by other means. The policy does not prevent users from using programs to access these drives or their contents, and it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.
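Both drive policies are stored as per-user bitmasks, so the gap the two tips describe (a drive whose icon is hidden but whose contents can still be opened) can be checked mechanically. The script below is an added example, not part of the original article. It assumes the standard backing values `NoDrives` and `NoViewOnDrive` under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`; the function names and the sample masks are constructed for illustration.

```powershell
# Added example (not from the article). PowerShell 2.0 compatible.
# Each policy value is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
function ConvertFrom-DriveMask {
    param([int]$Mask)
    $letters = @(foreach ($bit in 0..25) {
        if ($Mask -band [int][math]::Pow(2, $bit)) { [string][char](65 + $bit) }
    })
    return ,$letters   # keep the result an array, even when it is empty
}

# Compare the "hide" mask with the "prevent access" mask and report the difference.
function Compare-DrivePolicy {
    param([int]$NoDrives = 0, [int]$NoViewOnDrive = 0)
    New-Object PSObject -Property @{
        Hidden            = (ConvertFrom-DriveMask $NoDrives) -join ','
        AccessBlocked     = (ConvertFrom-DriveMask $NoViewOnDrive) -join ','
        # Icon removed, but the contents can still be opened by typing the path.
        HiddenButOpenable = (ConvertFrom-DriveMask ($NoDrives -band (-bnot $NoViewOnDrive))) -join ','
        # Contents blocked in Explorer, but the icon is still shown.
        BlockedButVisible = (ConvertFrom-DriveMask ($NoViewOnDrive -band (-bnot $NoDrives))) -join ','
    }
}

# Live check for the current user; a missing value means the policy is not configured.
function Get-CurrentUserDrivePolicy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    Compare-DrivePolicy -NoDrives ([int]$p.NoDrives) -NoViewOnDrive ([int]$p.NoViewOnDrive)
}

# Constructed sample: C: and D: are hidden (0x0C), but only C: is access-blocked (0x04).
Compare-DrivePolicy -NoDrives 0x0C -NoViewOnDrive 0x04 | Format-List
```

A non-empty HiddenButOpenable field lists the drives where only the icon was removed, which is the situation the second tip warns about.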

Third, prohibit the use of the command prompt

(Windows 2000/XP/2003)

Under Windows 2000/XP/2003, running Cmd.exe opens the command prompt, from which DOS commands and other command-line programs can be run. For security reasons, some systems should block this feature.

In the Group Policy console, go to User Configuration → Administrative Templates → System, open "Prevent access to the command prompt", and enable the policy. In the list box below, select whether command prompt script processing is also disabled; this choice determines whether .cmd and .bat batch files can run on the computer.

If you enable this setting, when a user attempts to open a command window, the system displays a message explaining that the setting prevents the operation.

Fourth, completely prohibit access to the Control Panel

(Windows 2000/XP/2003)

If you do not want other users to be able to access the computer's Control Panel, you can also use Group Policy to enforce this. In the Group Policy console, go to User Configuration → Administrative Templates → Control Panel, open "Prohibit access to the Control Panel", and enable the policy.

Fifth, disable changing Display properties

(Windows 2000/XP/2003)

Selecting "Display" in Control Panel, or right-clicking an empty area of the Windows desktop and choosing Properties, opens the Display Properties dialog box, where the desktop theme, desktop background, screen saver, display settings, and so on can be changed. If you don't want people to change these settings, the tabs can be hidden with Group Policy.

In the Group Policy console, go to User Configuration → Administrative Templates → Control Panel → Display. There you will find the "Hide Desktop tab", "Hide Themes tab", "Hide Screen Saver tab", "Hide Settings tab", and other policies, which you can configure as needed. For example, when the "Hide Desktop tab" policy is enabled, the Desktop tab is not visible when the Display Properties dialog box opens, which makes it impossible to change the desktop properties.

Sixth, disable Registry Editor

(Windows 2000/XP/2003)

To keep other people who use the computer from modifying the registry, you can disable access to Registry Editor in Group Policy. In the Group Policy console, go to User Configuration → Administrative Templates → System, open "Prevent access to registry editing tools", and enable the policy.

When this policy is enabled and a user attempts to start Registry Editor (Regedit.exe or Regedt32.exe), the system blocks the action and displays a warning message.

The Control Panel policy from the fourth section prevents the Control Panel program file (Control.exe) from starting, so other people cannot start Control Panel or run any Control Panel items. That setting also removes Control Panel from the Start menu and removes the Control Panel folder from Windows Explorer.

Seventh, prohibit the creation of new dial-up connections

(Windows 2000/XP/2003)

If you do not want someone to create a new connection on your computer to dial up to the Internet, Group Policy can enforce that as well. In the Group Policy console, go to User Configuration → Administrative Templates → Network → Network Connections, open "Prohibit access to the New Connection Wizard", and enable the policy.

When this policy is enabled, "Establish a new connection" does not appear in the Network Connections folder or the Start menu.

Tip: This setting does not prevent users from using other programs, such as Internet Explorer, to circumvent it. In addition, the computer must be restarted before this setting takes effect.

Eighth, limit the use of applications

(Windows 2000/XP/2003)

If the computer has several user accounts and you do not want other users to run certain programs at will, this can also be set in Group Policy.

In the Group Policy console, go to User Configuration → Administrative Templates → System, open "Run only allowed Windows applications", and enable the policy. Then click the "Show" button next to "List of allowed applications" below; in the "Show Contents" dialog box that pops up, click the Add button to add each application that is allowed to run. From then on, ordinary users can run only the programs in the list of allowed applications.

Ninth, disable Add/Remove Programs

(Windows 2000/XP/2003)

The Add or Remove Programs item in Control Panel lets you install, uninstall, and repair a wide variety of Windows programs, and add or remove Windows features and components. If you want to prevent other users from installing or uninstalling programs, you can use Group Policy to do so.

In the Group Policy console, go to User Configuration → Administrative Templates → Control Panel → Add/Remove Programs, open "Remove Add/Remove Programs", and enable the policy. When someone then opens Add/Remove Programs in Control Panel, a warning window pops up automatically and Add/Remove Programs does not run.

In addition, the Add/Remove Programs branch contains policies covering the Add New Programs page of Add/Remove Programs, adding programs from CD-ROM or floppy disk, adding programs from Microsoft, adding programs from the network, and so on. Configuring these policy items helps protect the system files and applications on your computer.
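To confirm that the restrictions from the third, fourth, sixth, eighth and ninth sections actually apply to a given user, their backing registry values can be read back from that user's session. The script below is an added example, not part of the original article. The registry locations are the standard per-user values behind these policies and are not given in the article; the function names are made up for illustration.

```powershell
# Added example (not from the article). PowerShell 2.0 compatible.
# Assumption: the registry locations below are the standard per-user values
# behind these policies; the article itself does not list them.
$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null   # key or value absent: policy not configured
}

function Get-LockdownState {
    # DisableCMD: 1 = prompt and script processing blocked, 2 = prompt blocked only.
    $cmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    if ($cmd -eq 1) {
        $cmdState = 'blocked; .cmd and .bat processing disabled'
    } elseif ($cmd -eq 2) {
        $cmdState = 'blocked; .cmd and .bat files still run'
    } else {
        $cmdState = 'not restricted'
    }

    # The allowed-application list is stored as values under a RestrictRun subkey.
    $allowed = @()
    $listKey = Get-Item -Path "$PolicyRoot\Explorer\RestrictRun" -ErrorAction SilentlyContinue
    if ($listKey) {
        $allowed = @($listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) })
    }
    if (Get-PolicyValue "$PolicyRoot\Explorer" 'RestrictRun') {
        $runState = 'allow list enforced: ' + ($allowed -join ', ')
    } else {
        $runState = 'not restricted'
    }

    New-Object PSObject -Property @{
        CommandPrompt            = $cmdState
        AllowedApplications      = $runState
        ControlPanelBlocked      = [bool](Get-PolicyValue "$PolicyRoot\Explorer" 'NoControlPanel')
        RegistryEditorBlocked    = [bool](Get-PolicyValue "$PolicyRoot\System" 'DisableRegistryTools')
        AddRemoveProgramsBlocked = [bool](Get-PolicyValue "$PolicyRoot\Uninstall" 'NoAddRemovePrograms')
    }
}

Get-LockdownState | Format-List
```

Because these are User Configuration policies, the values are per user: run the check in the session of the account being restricted, not as the administrator who configured the policy.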
