Group PolicyIs very powerful, and its functions are often surprising. The following is a detailed description of the system group policy feature using Win7.
Optimization Methods for Windows 7 (hereinafter referred to as Windows 7) are also emerging. Users often have no clue about how they work together. These methods are even more difficult to identify and how they work. In fact, using the system group policy function of Win7, we can achieve system optimization of Win7. This article explains how to use group policies to make Win7 safer.
Note: The group policy function is only available in Win7 Professional Edition, Enterprise Edition, and Enterprise Edition.
Keep files confidential and put on your drive.
The drive mainly includes hard disks, optical drives, and mobile devices, and is mainly used to store data. Therefore, it is necessary to restrict the use of the drive to effectively prevent leakage of important and confidential information, and block the invasion of viruses and Trojans. Different drives have different limits, and the same drive has different levels of limits. There are two levels of hard disks: hiding and forbidding access. The hidden level is relatively Elementary, but the drive is invisible. It is generally used to prevent children and primary users. Access prohibited can completely block access to the drive. For mobile devices, you can set read, write, and execution permissions. However, viruses and Trojans are generally transmitted by executing malicious programs. Therefore, the most effective way is to disable execution permissions.
Basic defense is invisible to common users
There are some important files on the hard drive of the home computer, and the simplest way is to hide the drive where the file is located. Click Start and enter gpedit in the search box. msc. After confirmation, the Group Policy Editor is opened. Expand "user configuration> management template> Windows Components> Windows Resource Manager" in sequence. In the settings window on the right, go to "hide the specified drives in my computer", select "enabled", select the drive to be hidden from the drop-down list below, and then confirm. Go to "computer" and the drive icon you just selected will disappear.
Tip: This method only hides the drive icon. You can still use other methods to access the drive content, for example, directly type the directory path on the drive in the address bar. In addition, this setting does not prevent users from using programs to access these drives or their content.
Advanced protection for privileged users
The system disk contains important system files and cannot be modified or moved by others. In particular, when some partitions have important files, if you only hide the drive, others can still access it. Of course this is not the case! The safest way is to protect the drive and prohibit unauthorized access.
Similarly, in the Group Policy Manager, expand "user configuration> management template> Windows Components> Windows Resource Manager" to "prevent access to the drive from my computer ", select "enabled", and select the drive to be inaccessible from the drop-down list below. After confirming, the drive will take effect (1 ). When someone else wants to access the relevant drive, the "restriction" Prompt window will appear! When you need to view the information, you only need to change the related policy settings from "enabled" to "not configured.
Tip: how to prevent others from using group policy editing? It is easy to create users with different permissions, so that others can use normal User accounts (do not have the right to enable the Group Policy Editor.
Disable the permission of a mobile device to disallow Trojans
Mobile devices (such as flash and mobile hard drives) have become the most widely used and standard configurations for many users. Because of this, it has become the main channel for spreading viruses and Trojans. The general restriction on read/write permissions does not prevent viruses and trojans from intruding, because virus transmission is implemented by executing viruses and Trojans. Therefore, disabling the execution permission can cut off the virus transmission path.
Expand "Computer Configuration> management template> system> removable storage access", go to "removable disk: deny execution permission", and select "enabled". After confirmation, the settings take effect. Executable files on mobile devices cannot be executed, and computers will not be infected with viruses. If you need to execute the command, you only need to copy it to the hard disk.
Surfing the Internet and putting on iron shirts for browsers
One of the most important purposes of a computer is to access the Internet. To be honest, there is no worry about accessing the internet. Viruses, Trojans, and rogue software are rampant, and many websites are infected with Trojans. Many malware tamper with the browser's home page or other browser settings. Once a trick is made, the browser will pop up a messy page or even a trojan website, making users complain! In addition, some users use browsers to download files without any regularity, which often causes file chaos. Once a virus file is downloaded, it is difficult to clear it. Therefore, how to enhance the browser's "immunity" is particularly important.
Lock Home Page
The most common problem is that the home page is tampered with. After the Group Policy is locked, this problem can be completely solved. It not only does not bring up a mess of pages, but also reduces the chance of re-poisoning and Trojans. Expand "user configuration> management template> Windows Components> Internet Explorer", go to "Disable and change homepage Settings", select "enabled", and enter the default homepage under "options, after confirmation, the setting takes effect (2 ).
Tip: After this policy is enabled, you cannot set the default homepage. Therefore, if necessary, you must specify a default homepage before modifying the settings.
Ice iesetting
As described above, once the system is poisoned or has a Trojan, the IE homepage will be tampered with, and other iesettings may also be tampered. Therefore, it is necessary to add a protective cover to the IE settings. In particular, once set, iesettings may not change for a long time, so it is better to completely ice it!
Expand "user configuration> management template> Windows Components> Internet Explorer> Internet control panel ", the right pane includes "Disable Advanced page", "Disable connection page", "Disable content page", "Disable General page", "Disable privacy page", "Disable program page", and" disable Security page ", corresponding to the seven tabs in Internet Options in IE (3 ). If all settings are enabled, the "restriction" error dialog box appears when "Internet Options" are enabled. This completely eliminates the modification to the IE browser settings.
Tip: starting the "Disable General page" will delete the "General" tab in "Internet Options. If this policy is enabled, you cannot view and change the homepage, cache, history, webpage appearance, and auxiliary settings. Because this policy will delete the "General" tab, if you set this policy, you do not need to set the following Internet Explorer policies-"Disable change homepage Settings", "Disable Change Temporary Internet File Settings", "Disable change history Settings", "Disable change color settings"," disable change link color settings, disable change font settings, disable Change Language settings, and disable change auxiliary function settings ".
Permission management is eye-catching TO THE SYSTEM
Nowadays, some software is really rogue. For example, many software programs are called for convenience, but some programs or web pages are maliciously bundled during software packaging or greening. The method is generally very low-level. It is implemented only by batch processing files and manual injection of registry information. Therefore, we can use group policies to disable the running of some dangerous files. In addition, in some public places (such as offices), many software are not allowed to be used (such as chat software), so managers can also use group policies to achieve effective management.
Prohibit dangerous files from running
Some types of files (such as ". reg "Registry file and". bat "Batch files) are rarely used by users and are easily exploited by viruses or Trojans. Therefore, disabling these types of files can ensure computer security to a certain extent.
Expand "Computer Configuration> Windows Settings> Security Settings> Software Restriction Policy", right-click the pop-up menu, and select "create Software Restriction policy ", five items are automatically generated: "Security Level", "other rules", "force", "specified file type", and "trusted publisher. Go to the "specified file type" attribute window and leave only the file types that need to be disabled, such as "bat batch files". Delete all other file types. If the type is not in the list, enter the file type to be disabled in the "file extension" text box below and add it. Go to "security level> not allowed" and click "set as default". This policy takes effect. When any batch file is run, the execution is blocked.
I also know you when I disable the program and put it on a vest.
In addition, many companies are not allowed to use chat software. Take QQ as an example. If QQ is directly uninstalled, the user may install it again or install the software elsewhere. In this case, you can use the Group Policy to easily solve the problem.
Expand "Computer Configuration> Windows Settings> Security Settings> Software Restriction Policy> other rules", and select "create hash rule" (4 ). Click "Browse" and select "qqqq.exe". The first line under "File Information" is the generated hash value. This value is unique and the basic information of the file is displayed below, select "Not Allowed" for "security level ". After confirmation and cancellation, log on again and the settings will take effect.
Tip: the benefit of using hash rules is that, no matter whether the program is renamed or moved or any other operation, as long as the hash value is verified to be consistent, the restriction will not expire! Therefore, it can effectively limit the running of some software.
The group policy is used to improve the security of the Windows 7 system. For group policy applications, you should learn more from the website.