The "Local Security Policy" provided by Windows XP is a good system security management tool, which can make our system safer.
First, let's talk about how to start the "Local Security Policy ". Click "Control Panel" "Administrative Tools" "Local Security Policy" to go to the main interface of "Local Security Policy. You can set various security policies by using commands on the menu bar, and select the view mode, export the list, and import policies.
Next we will discuss the advantages and disadvantages of the Local Security Policy.
Disable enumeration accounts
We know that some worms with Hacker behavior can scan the specified port of Windows 2000/XP system, and then guess the administrator system password through sharing sessions. Therefore, we need to disable enumeration accounts in "Local Security Policy" to defend against such intrusion. The procedure is as follows:
In the "Security Settings" directory tree on the left side of the "Local Security Policy" list, expand "Local Policy" and "Security Options" layer by layer ". View the list of related policies on the right, find "Network Access: Do not allow anonymous enumeration of SAM accounts and shares" (Figure 1), right click, select "properties" in the pop-up menu, and a dialog box will pop up. Activate the "enabled" option and click "Apply" to bring the setting into effect.
Account Management
To prevent intruders from using the vulnerability to log on to the machine, we need to rename the system administrator account name and disable the Guest account here. Set the policy to "account: Guest Account Status" in the "local policy" and "Security Options" branches. Right-click the policy and choose "properties" from the shortcut menu ", then, in the pop-up attribute dialog box, set the status to "disabled" and click "OK" to exit.
Next, we can view the policy "account: Rename the system administrator account" to bring up its properties dialog box. In the text box, you can customize the account name (figure 2 ).
Assign Local User Rights
If you are a system administrator, you can assign specific rights to a group account or a single user account. In "Security Settings", locate "Local Policy" and "User Rights Assignment", and then in the settings view on the right, security settings can be set for each policy (Figure 3 ).
For example, if you want to allow a user to gain ownership of any objects in the system: including registry items, processes and threads, NTFS files, and folder objects (the default setting of this policy is only administrator ). First, you should find the "get ownership of files or other objects" policy in the list, right-click it, select "properties" from the pop-up menu, and click "add user or group" here, in the displayed dialog box, enter the Object Name and confirm the operation.
Active IP policy
We know that no matter which type of hackerProgramMostly use ports as channels.
Therefore, we need to disable ports that may become intrusion channels. You can query information about dangerous ports on the Internet to prevent attacks. The following uses port 23 used by Telnet as an example (the operating system of the author is Windows XP ).
Click "run" and enter "MMC" in the box, and press Enter. The console window is displayed. Select "file", "Add/delete Management Unit", click "add" in the independent tag bar, and then click "IP Security Policy Management". Finally, follow the prompts to complete the operation. At this time, we have added the "IP Security Policy" to the "Console Root Node" on the Local Computer (hereinafter referred to as "IP Security Policy") (Figure 4 ).
Double-click "IP Security Policy" to create a new management rule. Right-click "IP Security Policy" and select "create IP Security Policy" from the shortcut menu to open the IP Security Policy wizard, click "Next", "the default name is" new IP Security Policy "," Next ", and" do not select "Activate default response rule". Note: When you click "Next, make sure that "Edit attributes" is selected at this time, and then select "finish". The "new IP Security Policy attributes" window appears (Figure 5). Select "add ", then, click "Next" without selecting the "use add wizard" option.
Select "any IP Address" for the source address in the addressing bar, and select "my IP Address" for the target address (you do not need to select an image ). In the Protocol Label column, note that the type should be TCP, set the IP protocol port from any port to this port 23, and click "OK. In this case, a "new IP Filter" will appear in the "IP Filter list". Select it and switch to the "filter operation" tab, click "add", "The name defaults to" New Filter operation ", and" add "," Block ", and" complete ".
The new policy must be activated before it can take effect. The specific method is: Right-click the new IP Security Policy and select "Assign" the policy just created.
Now, when we Telnet from another computer to the fortified computer, the system will Report Logon failure; scan this machine using a scanning tool and we will find port 23 is still providing services. In the same way, you can block any other suspicious ports, so that the uninvited customers can yell "bad.
Enhance password security
In "Security Settings", you must first choose "Account Policy" and "Password Policy". In the "Settings" View on the right, you can set the security policy as appropriate, in order to make our system passwords relatively secure and difficult to crack. An important anti-cracking method is to update the password on a regular basis. You can set the password as follows: Right-click "Maximum Password retention period" and select "attribute" from the pop-up menu ", in the pop-up dialog box, you can customize the length of time (limited to 1 to 999) that can be used after a password is set ).
In addition, use "Local Security Settings ", you can also set Audit Object Access to track user accounts, logon attempts, system shutdown, restart, and similar events used to access files or other objects. Such security settings are incomplete. In practice, we will gradually find that "Local Security Settings" is indeed an indispensable system security tool.