Following the rule set for Windows described above, this article introduces Group Policy. The specific content is as follows.
Administrative templates and their add-on components
There is also a special type of policy in the Group Policy Editor: the administrative template. Through administrative templates we can configure components of the operating system. The following sections mainly describe the related policies under Computer Configuration.
Offline file confidentiality
Many laptop users process work files on business trips or on the way to work. The Offline Files feature of Windows XP Professional can be used here: when you mark shared files or shared folders as available offline, Windows caches them (that is, it temporarily saves a copy of the files or folders you selected on the server to the local hard disk). When you disconnect from the network you can keep working on these copies, and it feels just like using the shared files on the network. After you reconnect, Windows synchronizes your cache with the shared files on the server, so the latest versions are kept both on the server and on your local hard disk. Although Offline Files is very useful, note that the locally cached offline files are not encrypted. If you handle sensitive data files, the server can protect them with access control, but once the files are cached locally, others may be able to read their content. The solution is simple: encrypt the offline file cache through Group Policy. In the Group Policy Editor, expand the left-hand tree to "Computer Configuration/Administrative Templates/Network/Offline Files" and enable the "Encrypt the Offline Files cache" policy.
Redirecting the Windows installation source location
Consider this case: you installed Windows XP from the CD and copied all the installation files to the hard disk as a backup. One day, for some reason (such as a computer virus), important system files are replaced, and the system keeps asking you to put the Windows XP installation disc in the optical drive to restore them. Every time this happens it is a nuisance. Isn't there a backup of the installation files on the hard disk? Why can't the system recover directly from that backup? The reason is that the system still records the optical drive as the location of the installation files; you only need to change this recorded location to the folder where the backup is saved. Expand Group Policy to "Computer Configuration/Administrative Templates/System", enable the policy "Specify Windows installation file location", and enter the path where the installation files are saved in the dialog box. From then on, whenever system files need to be recovered from the installation files, the system will first try the path you entered here.
Adding other templates
The built-in administrative templates are powerful, but they are not the only ones you can use. If you have installed other supporting tools or downloaded additional templates from Microsoft, you can import those templates into your Group Policy Editor. The method is as follows: right-click the "Administrative Templates" branch in the left-hand tree of the Group Policy Editor and select "Add/Remove Templates" from the pop-up menu. The "Add/Remove Templates" dialog box appears and lists the templates that are currently loaded. Click the Add button to add other template files, which may come from Microsoft or may ship with other software. The default folder for templates is "%systemroot%\inf", where %systemroot% is an environment variable representing the Windows folder. If your template file is saved elsewhere, click the Add button, locate it, and load it. In this example the loaded template is "wuau.adm", the SUS (Software Update Services) client template added to Windows XP after SP1 is installed.
After the template is loaded, reopen the Windows Components branch under Administrative Templates. You can see that the newly added template is now displayed under this branch. In this way, additional templates let us configure many settings that are not otherwise shown here and implement more powerful functions.
Applying Software Restriction Policies
Every network administrator in an organization has run into this kind of trouble: the boss does not want employees chatting on QQ or playing games during work hours, but there are always employees who install banned software privately. How can this be prevented? Some monitoring software could be used, but that seems to be a bit of a violation of privacy. At the same time there is another troublesome situation: more and more viruses spread through e-mail, and many people get infected by accidentally running e-mail attachments. Is there a good way to stop employees from running files of unknown origin? If your clients run Windows XP Professional, you can use Software Restriction Policies.
Simply put, Software Restriction Policies are a technology that lets administrators decide which programs are trusted (here the word "program" is not limited to .exe files; the technology can restrict the execution of files with any extension), and the system refuses to run untrusted programs. In general, the administrator can have the system identify whether software is trusted using the following methods: the file path, the file hash value, the file certificate, the Internet zone (from Internet Options) that the file was downloaded from, the file publisher, and designated extensions.
Knowledge: A hash is a fixed-length sequence of bytes computed from a file by a hash algorithm. It can uniquely identify a program or file; in short, a file's hash value can be thought of as the file's ID card. Different files have different hash values, and if the file content changes, even by a single byte, the file's hash value changes as well.
A Software Restriction Policy can be set not only on a single Windows XP system, where it can be made to affect only the current user or user group, or all users who log on locally to that computer; it can also be set through the domain to apply to all client computers joined to the domain, again affecting a specific user, a user group, or all users. We describe the single-machine form here, configured to affect all users. The settings in standalone and workgroup environments are similar.
Note: Sometimes an incorrect setting prevents some system components from running (for example, disallowing all files with the .msc extension makes it impossible to open the Group Policy Editor). In that case, restart the system in Safe Mode, log on with the Administrator account, and delete or modify the policy. In Safe Mode, logging on with the Administrator account is not affected by these policies.
In this example, we assume that an employee's computer may run only the programs that come with the operating system (on drive C) plus the Word, Excel, PowerPoint and Outlook needed for work, version 2003. Assume that Office is installed on drive D and that the employee's computer runs Windows XP Professional.
Run gpedit.msc to open the Group Policy Editor. There is a Software Restriction Policies entry under both "Computer Configuration" and "User Configuration" (Figure 3). Which one should be used? If you want the policy to take effect only for a specific user or user group, use the one under "User Configuration". If you want it to take effect for all users who log on locally to the computer, use the one under "Computer Configuration". Here we need it to apply to all users, so we choose the policy under "Computer Configuration".
Before starting the configuration, we also need to consider the characteristics of the allowed and the disallowed software, and work out an optimal strategy in which all required software runs correctly and none of the unwanted software can run. In this example, most of the programs we allow are under the Program Files and Windows folders on the system disk (drive C), so we can use the file path to determine which programs are trusted. For the Office programs installed on drive D, we can choose either the path method or the file hash method.
Open the Software Restriction Policies entry under "Computer Configuration" and click "Create New Policies" in the "Action" menu. (On Windows XP with SP1 there are no rules by default; on systems with SP2 installed the default policy is already created.) The system creates two new entries: "Security Levels" and "Additional Rules". Under Security Levels there are two levels, "Disallowed" and "Unrestricted". The former means that by default no software is allowed to run and only the few programs that are specially configured can run. The latter means that by default all software can run and only the few programs that are specially configured cannot. Because the set of software we need to run in this example is fixed, we use "Disallowed" as the default level: double-click it, click "Set as Default", and accept the warning message to continue.
Open the "Additional Rules" entry. By default there are four rules based on registry paths, all set to "Unrestricted". We strongly advise you not to modify these four rules; otherwise your system may be in great trouble, because these four paths cover the locations of important system programs and files. Moreover, as mentioned earlier, files in the Program Files folder and Windows folder on the system disk are allowed to run, and these four default rules already cover those paths, so we only need to add rules for the Office programs. Right-click the blank area in the right-hand pane and select "New Hash Rule". In the dialog that appears (Figure 4), select the program's executable file, choose "Unrestricted" in the "Security level" drop-down menu, and click "OK". Repeat these steps for the executable files of all four Office programs, setting each to Unrestricted.
Here we can consider a question: why create a hash rule for each program's executable file? Wouldn't it be easier to create a single path rule for the Office folder? The answer is that hash rules prevent the executable from being replaced, and prevent unwanted portable ("green") software from being copied into that directory and run. If a path rule is created, every file stored in the allowed directory can be executed, including both the allowed program itself and any other file the user copies there. Hash rules are different: the hash value of a specific file is fixed, and as long as the file content does not change, its hash value never changes, which rules out substitution. There is a drawback, however. The file's hash value does not change by itself, but the file itself may need to change; for example, after an Office update is installed, the hash value of winword.exe may change. So if you choose this kind of rule, you must also update the rule after each software update; otherwise normal programs will be blocked as well.
In addition, there are several further settings: Enforcement, which determines which files the Software Restriction Policy applies to and whether it applies to the Administrator account; Designated File Types, which specifies which extensions the system treats as executable, so that we can add or remove extensions; and Trusted Publishers, which determines which users may choose to trust a publisher and what checks are performed before a publisher is trusted. Choose these three settings according to your actual situation.
After the Software Restriction Policy is set, whenever a restricted user tries to run a banned program, the system immediately shows a warning and refuses to execute it.
It is hoped that this article's introduction to Group Policy will be helpful to readers. There is much more to learn and master about Group Policy.
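The following is an added example, not code from the original article, that models the decision logic just described (and the "Knowledge" note above): a hash rule identifies a file by its content, while a path rule admits anything placed in the folder. The rule precedence (hash before path, most specific path first), the sample "executable" byte strings and the policy contents are constructed for illustration; the MD5 choice mirrors what SRP uses on Windows XP but any digest would behave the same.

```python
import hashlib
from pathlib import PureWindowsPath

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"


def file_hash(content: bytes) -> str:
    """Digest identifying a file by its bytes; one changed byte changes it."""
    return hashlib.md5(content).hexdigest()


def evaluate(policy: dict, path: str, content: bytes) -> str:
    """Security level a toy SRP would apply to a file at `path` with `content`.

    Modelled after SRP precedence: a matching hash rule beats any path rule;
    among path rules the longest (most specific) match wins; otherwise the
    default security level applies.
    """
    level = policy["hash"].get(file_hash(content))
    if level is not None:
        return level
    target = PureWindowsPath(path)
    best = None
    for rule_path, rule_level in policy["path"].items():
        rp = PureWindowsPath(rule_path)           # case-insensitive compare
        if (rp == target or rp in target.parents) and (
                best is None or len(rp.parts) > len(best[0].parts)):
            best = (rp, rule_level)
    return best[1] if best else policy["default"]


# Constructed sample "executables": plain byte strings, not real programs.
WINWORD_2003 = b"MZ...winword-2003..."
WINWORD_UPDATED = WINWORD_2003[:-1] + b"!"      # one byte differs (an update)
GREEN_SOFTWARE = b"MZ...portable-chat-client..."

# The article's scenario: system folders allowed by path, Office allowed
# only by hash, everything else disallowed by default.
POLICY = {
    "default": DISALLOWED,
    "path": {r"C:\Windows": UNRESTRICTED, r"C:\Program Files": UNRESTRICTED},
    "hash": {file_hash(WINWORD_2003): UNRESTRICTED},
}


def demo() -> dict:
    return {
        "office_by_hash": evaluate(POLICY, r"D:\Office\WINWORD.EXE", WINWORD_2003),
        "office_after_update": evaluate(POLICY, r"D:\Office\WINWORD.EXE", WINWORD_UPDATED),
        "copied_into_program_files": evaluate(POLICY, r"C:\Program Files\chat\qq.exe", GREEN_SOFTWARE),
        "copied_into_office_dir": evaluate(POLICY, r"D:\Office\qq.exe", GREEN_SOFTWARE),
    }
```

The two "copied" cases show the trade-off: the path rule lets unrelated software run from Program Files, while the hash rule blocks it from the Office folder but also blocks winword.exe once an update alters it.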