Tips for using Windows Group policies to manage network sharing (1)

Source: Internet
Author: User

Windows Group Policy can be used to improve system security and optimize the system. Network sharing is prone to network risks, but managing it through Windows Group Policy can effectively improve network security. The details are as follows.

In a LAN environment, to make it easier to exchange information with others, we often share important data on our computers so that other users on the LAN can access it. During shared access, however, we often run into security attacks or shared access failures. To improve shared access efficiency and reduce the security risks of sharing, we need to learn some techniques for controlling and managing shared resources. In this article, we start from Windows Group Policy and recommend several tips for managing and controlling shared resources. I believe that, with the tips below, you will be able to share and access resources under your own control.

1. Deny shared access permissions to anonymous users

On workstations running Windows XP, anonymous users by default usually have the same access permissions as the Everyone account. If we accidentally grant higher shared access permissions to the Everyone account, anonymous users also receive those relatively high permissions, which obviously creates a serious security risk for shared access. To ensure the security of shared folder access, it is necessary to modify Windows Group Policy so that anonymous users are deprived of shared access permissions as far as possible. The specific settings are as follows:

First, click the Start button on the desktop and select "Run" in the Start menu to open the Run dialog box. Enter the Group Policy editor command "gpedit.msc" and click "OK" to open the Group Policy editing window for the local computer.

In the left pane of the editing window, expand the "Computer Configuration" branch and open "Windows Settings/Security Settings/Local Policies/Security Options". In the right pane of "Security Options", find the "Network access: Let Everyone permissions apply to anonymous users" option, right-click it, and choose "Properties" from the shortcut menu to open the policy's properties dialog shown in Figure 1.


Figure 1

On the settings page, check whether the policy "Network access: Let Everyone permissions apply to anonymous users" is set to "Enabled". If it is, set it to "Disabled" right away and click "OK". Anonymous users will then be unable to pose a potential security threat to shared access, because they cannot obtain sufficient permissions. Of course, for the sake of security, we should also avoid granting overly high shared access permissions to the local computer's Everyone account.

2. Restrict the shared content that anonymous users can access

By default, Windows XP workstations allow anonymous users to access many shared resources on the local system, which clearly threatens the security of the local computer. To reduce this threat, we can restrict anonymous users to the shared folders we specify on the local system. Before allowing anonymous users to access the target shared folder, we also need to set its NTFS permissions so that anonymous users have only the minimum permissions on it. For example, if you want anonymous users to be able to access only the "aaa" shared folder on a drive of the local system, and no other shared resources, you can follow the steps below to set the Group Policy:

First, click the Start button on the desktop and select "Run" in the Start menu to open the Run dialog box. Enter the Group Policy editor command "gpedit.msc" and click "OK" to open the Group Policy editing window for the local computer.

In the left pane of the editing window, expand the "Computer Configuration" branch and open "Windows Settings/Security Settings/Local Policies/Security Options". In the right pane of "Security Options", find the "Network access: Shares that can be accessed anonymously" option, right-click it, and choose "Properties" from the shortcut menu to open the policy's properties dialog shown in Figure 2.


Figure 2

On the settings page, select all the shared resources that the system allows by default and press the Delete key to remove them. Then, based on the actual situation, add the target shared folder "F:\aaa" that needs to be open to anonymous users for a long time, and click "OK". After that, anonymous users can access only the resources in the "F:\aaa" shared folder. Of course, before opening the "F:\aaa" folder to anonymous users, we must set the NTFS permission of the target folder to "Read" to make sure that anonymous users have only the minimum access permission on the target shared folder.

After completing the above operations, we also need to open the properties dialogs of the "Network access: Named Pipes that can be accessed anonymously" policy and the "Network access: Remotely accessible registry paths" policy, and delete all the redundant entries in both. In this way, anonymous users can access only the specified shared folder.

3. Prevent unauthorized retrieval of the administrator account name

We know that many attackers use the SID of the built-in administrator account to obtain that account's name, and then try to log on under the administrator's real name to the computer where the shared resources are located, in order to gain the highest level of control over those shared resources. Obviously, this poses a great threat to the security of local shared resources. In view of this, we can modify the system's Group Policy to prevent unauthorized users from using the SID to discover the administrator's real account name. The specific settings are as follows:

Click Start/Run to open the Run dialog box, enter the Group Policy editor command "gpedit.msc", and click "OK" to open the Group Policy editing window for the local computer.

In the left pane of the editing window, expand the "Computer Configuration" branch and open "Windows Settings/Security Settings/Local Policies/Security Options". In the right pane of "Security Options", right-click the "Network access: Allow anonymous SID/Name translation" option and choose "Properties" from the shortcut menu to open the policy's properties dialog shown in Figure 3.


Figure 3

On the settings page, check whether the policy "Network access: Allow anonymous SID/Name translation" is set to "Enabled". If it is, set it to "Disabled" right away and click "OK". Unauthorized users will then be unable to obtain the administrator's real account name from the administrator's SID, so the risk of local shared resources being taken over is greatly reduced. Note, however, that if the LAN contains workstations running several different Windows versions, disabling the "Network access: Allow anonymous SID/Name translation" policy can easily lead to some inexplicable problems with shared access.
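The settings from tips 1 to 3 can also be checked without clicking through gpedit.msc. The following is an added example, not part of the original article: it parses the text of a `secedit /export` policy file and grades the values behind the three tips. The sample export, the share name "aaa" and the rule that no anonymous pipe may remain are assumptions of the example.

```python
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
# Constructed sample export (not taken from a real host); values are weak on purpose.
SAMPLE_INF = r"""[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
"""

def parse_inf(text):
    """Return {section: {key: value}} with section names and keys lower-cased."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def multi_sz(value):
    """Items of a REG_MULTI_SZ entry written as '7,item,item' (may be empty)."""
    return [v.strip().strip('"') for v in value.split(",")[1:] if v.strip()]

def audit(text, allowed_shares=()):
    """Map each setting to 'ok', 'weak' or 'missing' (absent from the export)."""
    inf = parse_inf(text)
    reg, access = inf.get("registry values", {}), inf.get("system access", {})
    allowed = {s.lower() for s in allowed_shares}  # assumed share names
    def grade(value, is_ok):
        return "missing" if value is None else "ok" if is_ok(value) else "weak"
    return {
        # Tip 1: Everyone permissions must not extend to anonymous users (DWORD 0).
        "EveryoneIncludesAnonymous": grade(
            reg.get(f"{LSA}\\EveryoneIncludesAnonymous".lower()),
            lambda v: v.split(",")[-1].strip() == "0"),
        # Tip 2: anonymous access limited to the allowed shares, and to no pipes.
        "NullSessionShares": grade(
            reg.get(f"{SRV}\\NullSessionShares".lower()),
            lambda v: {s.lower() for s in multi_sz(v)} <= allowed),
        "NullSessionPipes": grade(
            reg.get(f"{SRV}\\NullSessionPipes".lower()), lambda v: not multi_sz(v)),
        # Tip 3: anonymous SID/Name translation disabled (0).
        "LSAAnonymousNameLookup": grade(
            access.get("lsaanonymousnamelookup"), lambda v: v == "0"),
    }
```

A real export is produced with `secedit /export /cfg policy.inf` and is UTF-16 encoded, so read it with `open("policy.inf", encoding="utf-16")` before passing the text to `audit`. The remotely accessible registry paths policy is left out because its registry value differs between Windows versions.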

