Win8 system local security policy Q & A

  
The following is a common question for the local security policy in win8 system, to ask one-on-one questions, you can refer to it.
How to open “Windows Local Security Policy Ah?
A:<;Search” Type“secpol.msc” and press Enter.
How to prevent hackers or malicious programs from hacking my system password?
A: As we all know, brute force Windows passwords are essentially implemented by exhaustive algorithms, especially systems with too simple passwords, and brute force methods. More practical. One thing that needs our attention is that the key to this problem is whether Windows allows remote clients or malicious programs to exhaust the username and password. If not allowed, it is a dead end for malicious programs to attempt to obtain administrator privileges through enumeration. So, how to not allow it? See the picture below:

After ensuring that the selected line is "already enabled", this road is basically blocked. If you don't worry, you can also put it underneath. That line "does not allow anonymous enumeration of SAM accounts and shares" is also set to “ Enabled& rdquo; status.
In addition, will "local strategy" & rdquo; & mdash; & mdash; & ldquo; security options & rdquo; & ldquo; network access: anonymous access to share & rdquo; & ldquo; network access: remote access registry path & rdquo ;, & ldquo; network access: remote access to the registry path and sub-paths, & rdquo; network access: anonymous access to the named pipe & rdquo; these four items contain all the values ​​removed, can further enhance the security of the system.
Windows firewall comes with it?
A: There are quite a few friends who choose the dazzling third-party firewall products, ignore the firewall that comes with Windows, and even never opened it. “Windows Firewall” is a sub-function of the local security policy. I personally think that as long as you are skilled in configuring this function, its ease of use and security are superior for personal applications and even enterprise needs.
There are two ways to enter:
1, enter the program interface as shown in the address bar below:

Then click on the left side “Advanced Settings” appears as follows:

Use this method to enter to browse existing rules and create new ones.
2. Enter the program interface directly in the “Local Security Policy”:

The right side is blank, and the existing rules are not listed, but new rules can be created.
For example, Adobe Photoshop CS is prohibited from accessing the network. Right-click on a blank space or click on the "New Rule" button in the right column and select the first item in the "New Outbound Rule Wizard" column. > Programs & rdquo (Control rules for program connection), the next step is to select the path where photoshop is located, as shown below:

Next step select "Block connection", then you will be asked "When to apply the rule" ;, you can check according to the actual needs, the default selected "domain, private, public". As shown below:

Then give it a name (arbitrary), the rules are created, and Photoshop.exe will never be able to access the network again. In addition, you can create more advanced rules in the "Connection Security Rules", as shown below:

This interface does not know, the function is so powerful, basically you think of unexpected and unexpected needs, here All are implemented, such as blocking any IP or IP segments that you are not comfortable with, blocking pings, or specifying the operation rights of any port, program name or service name, etc., and the ease of use and reliability are not inferior to any third-party firewall.
Can I ban a program from running through a security policy?
A: The answer is yes, not only can it prevent a program from being renamed, changed its path, changed its suffix, and then re-runs the shell. The function is called "AppLocker", which is more restrictive and powerful than prohibiting a program from running in Group Policy. The program interface is as shown below:

Right-click on the left side "Executable Rules" & ——“Create New Rule", in the wizard interface that appears, not only the user group (such as Guest) Account), can also enumerate various qualifications, as shown below:

If you select "Publisher", then the disabled program, and all its upgraded versions and revisions cannot be Run (this condition can be further detailed), such as QQ, Thunder, Cool Dog, etc., their official and customized versions can not run, very smart. This feature can also be applied to quarantine virus operations. If there are viruses or Trojans that cannot be cleaned up in the system, no matter whether the infected person is a program, a script, a dynamic link library, or a batch process, it can no longer be done. From this point of view, the current mainstream anti-virus software, in the virus isolation function is generally not detailed. The remaining two are completely easy to understand by literal meaning, especially the third item “File Hash”, which is quite practical.
This function can also be used in conjunction with the "Software Restriction Policy", as shown below: (If the content shown on the right does not appear, right-click on the left sidebar to create a software restriction policy)

In addition, through the "global object access audit" can also limit the access permissions of the groups for the entire or partial registry or even the file system, as shown below:

When you break through the iron shoes, look for this online When using third-party software for functions, should you first flip through the Windows home? Hehe. If you have a good understanding of PowerShell, you can further simplify the creation and management of AppLocker rules, but the details are not detailed.
At the end of the two additional questions about the "local security policy" failure:
1, how can I not access the local security policy?
A: This problem will generally be displayed as "create management" Unit failure  quo; or CLSID: {8FC0B734-A0E1-11D1- A7D3-0000F87571E3}, the reason for the occurrence is more common in some software to replace or delete the part of the data during installation or uninstallation, the solution is to first ensure that your environment variable path is Contains:  %systemroot%system32;%systemroot%;%systemroot%system32wbem”, if not, add it yourself.
Then locate HKEY_CURRENT_USER——Software——Policies——Microsoft——MMC in the registry, assign a value of 0 to RestrictToPermittedSnapins, as shown below:

2, my IP security policy How can I not set it up?
A: Make sure the IPsec Policy Agent service is enabled.

Copyright © Windows knowledge All Rights Reserved