System security policy settings and an introduction to the built-in firewall (1)

Firewall and anti-virus software have long been indispensable on a user's computer. For many users network security rests on these two pillars, and the key question is how the anti-virus software, the firewall and the policies behind them are set up. Ordinary anti-virus software starts doing its job once a little security awareness is added to its default settings, but building a security policy that actually works is not so simple, and the software firewall that ships with the system is the clearest case: without strong policy support behind it, the author puts its effectiveness at only about 70%.

Current state of use

In today's era of Trojans and viruses, network security is especially important. Experienced users often dismiss the risk and go online without anti-virus software or a third-party firewall ("streaking"), but they do rely on the firewall built into the system, and a well-built policy is what turns it into their line of defence. Many non-specialists have always believed that Windows Firewall is unreliable. In fact they simply do not understand how a firewall policy is formulated, so they never let it play to its strengths, and then run around everywhere looking for help to keep the system safe.

Overall firewall settings

For ordinary Internet users and server administrators alike, configuring the security policy of the system's own firewall is as important as anti-virus software. Open Control Panel and then Windows Firewall. The General tab switches the firewall on; on the Exceptions tab the user can check, against the exception list, whether a given program is released to the outside world, and can edit the list and add programs and ports accordingly.
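The General and Exceptions tab settings just described, together with the Advanced tab logging and ICMP settings covered next, can also be applied from the command line with the netsh firewall context that ships with Windows XP SP2 and later. The script below is an added example and is not part of the original article; the program path, the port it releases and the 4096 KB log cap are this example's own assumptions, not values the article gives.

```powershell
# Added example (not from the original article): the Windows Firewall settings
# described in the text, applied with the "netsh firewall" context that ships
# with Windows XP SP2/SP3 and Server 2003. Run from an administrator account.
# Assumptions: the program path and the port released below are placeholders;
# replace them with the programs and ports your machine actually needs.

# General tab: firewall on, exception list active.
netsh firewall set opmode mode=enable exceptions=enable

# Advanced tab, logging: record dropped packets and successful connections,
# keep the default file name (%systemroot%\pfirewall.log), cap at 4096 KB.
netsh firewall set logging filelocation="$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=enable connections=enable

# Advanced tab, ICMP: start from "nothing allowed" (the default) and release
# only inbound echo request (type 8) if you rely on ping for diagnostics.
netsh firewall set icmpsetting type=all mode=disable
netsh firewall set icmpsetting type=8 mode=enable

# Exceptions tab: release one program and one port. scope=subnet restricts the
# opening to the local subnet, which is usually what a home or lab machine wants.
# (Placeholder program and port: the article names no specific program.)
netsh firewall add allowedprogram program="$env:ProgramFiles\SomeApp\app.exe" name="SomeApp" mode=enable scope=subnet
netsh firewall add portopening protocol=tcp port=80 name="Local web server" mode=enable scope=subnet

# Review what is now in effect.
netsh firewall show config
netsh firewall show icmpsetting
netsh firewall show logging
```

Check the output of the three show commands against the tabs in the Control Panel applet: every line the script added should appear there, and the ICMP list should show only echo request enabled.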
On the Advanced tab the user can configure Windows Firewall logging: whether dropped packets and successful connections are recorded, the name and location of the log file (the default is %systemroot%\pfirewall.log) and its maximum size. Because ICMP messages are used for diagnostics, error reporting and configuration, the user can also enable or disable, type by type, the ICMP messages that Windows Firewall allows on the connections selected on the Advanced tab; by default no ICMP message type in this list is allowed. Once these items are set, the built-in firewall can be enabled for daily work and the software policies below can be built on top of it.

Software Restriction Policies

These are set to ensure the security of the software that runs on the computer. First type gpedit.msc in Start - Run to open the Group Policy window. Under Computer Configuration - Windows Settings - Security Settings - Software Restriction Policies - Additional Rules the user can see four default rules (small hint: if no software restriction policy has been set before, the node is empty; right-click Software Restriction Policies and choose Create New Policies, after which the items appear). These four registry path rules are exactly what keeps Windows itself from being disabled, so leave them configured as they are.

I. Environment variables and precedence

Right-click Additional Rules and choose New Path Rule. The usual wildcards are "*" and "?": * matches any run of characters, ? matches any single character.
Common folder environment variables (for a default installation of XP on drive C) are:

%SYSTEMDRIVE% - C:
%ProgramFiles% - C:\Program Files
%SYSTEMROOT% and %WINDIR% - C:\WINDOWS
%USERPROFILE% - C:\Documents and Settings\<current user name>
%ALLUSERSPROFILE% - C:\Documents and Settings\All Users
%APPDATA% - C:\Documents and Settings\<current user name>\Application Data
%TEMP% and %TMP% - C:\Documents and Settings\<current user name>\Local Settings\Temp

The user can also name a program that is to be banned from running here, but mind the precedence. Microsoft specifies that the more specific rule wins: absolute path > path with wildcards > bare file name. For example, the genuine svchost.exe lives in the system32 folder and is a protected system file, so a virus cannot normally replace it in place; a spoofed svchost.exe will sit in some other Windows directory instead. It can be blocked with two rules: svchost.exe - Disallowed, and %windir%\system32\svchost.exe - Unrestricted. Because an absolute path outranks a bare file name, the second rule wins for the real file while the first catches every other copy, so the genuine system file runs and the virus file cannot.

II. Banning double extensions and files run from a U disk

Most users keep XP's default settings, including hiding extensions for known file types, so a file named photo.jpg.exe is displayed as photo.jpg. To keep the user from being fooled by a virus with a double extension, create the rules *.jpg.exe - Disallowed and *.txt.exe - Disallowed. Then add h:\*.exe - Disallowed and h:\*.com - Disallowed, after which executables on the U disk cannot be started. (Note: the author's U disk is drive h; substitute your own drive letter.)


III. Banning execution from four hiding places

Many of the Trojans that sneak into a user's computer hide their own tracks to escape the administrator's eye. Here we need rules that stop a Trojan starting from the Recycle Bin, the System Volume Information folder, C:\WINDOWS\system and C:\WINDOWS\system32\Drivers:

?:\Recycled\*.* - Disallowed
%windir%\system\*.* - Disallowed
%windir%\system32\Drivers\*.* - Disallowed
?:\System Volume Information\*.* - Disallowed

Note: with the *.* form only the designated executable file types are affected; non-executable files such as txt and jpg are not blocked. (On NTFS volumes XP names the recycle folder RECYCLER rather than Recycled, so add a matching rule for that name as well.)

IV. Banning disguised processes

Viruses rename themselves to look like system processes, for example explorer.exe or spoolsv.exe, and users do not notice the change of case or the swap of O for 0, so the following rules are needed to keep them from starting:

*.pif - Disallowed
sp0olsv.exe - Disallowed
spo0lsv.exe - Disallowed
sp00lsv.exe - Disallowed
svch0st.exe - Disallowed
expl0rer.exe - Disallowed
explorer.com - Disallowed

Note: some viruses use the pif suffix, e.g. explorer.pif. pif, exe and com are all executable file types, and on XP the command interpreter tries .com before .exe when a name is typed without an extension, so an explorer.com placed beside explorer.exe is an extremely well-concealed substitute. Windows never shows the .pif extension in Explorer, even with "Hide extensions for known file types" turned off; if the real suffix cannot be seen there, look at the file in WinRAR or a third-party file manager.

Port policy with IP Security

Once the software policy is complete, the user can move to the last level and configure the computer's port policy. As everyone knows, a port policy goes a long way toward stopping intrusion attempts on the ports commonly used by Trojans and viruses, and the setup is simple.
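Before turning to ports, the path rules from sections I to IV above can be created in one go. Local policy created in gpedit.msc is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer, and the script below writes those same keys directly. It is an added example and not part of the original article; the U disk letter H:, the RECYCLER rule for NTFS volumes and the rule descriptions are this example's own assumptions, and the designated file types written are XP's default list.

```powershell
# Added example (not from the original article): the path rules from sections
# I-IV as local software restriction policy, written to the registry keys that
# gpedit.msc itself uses. Run from an elevated PowerShell (PowerShell 2.0 on
# XP SP3 or Server 2003), then log off and on again for the rules to apply, and
# check them in gpedit.msc under Software Restriction Policies - Additional Rules.
# Assumptions: the U disk is drive H:, as in the article (edit $UsbDrive).

$UsbDrive     = 'H:'
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # security level "Disallowed"
$Unrestricted = 262144     # security level "Unrestricted" (0x40000)

# Policy container: default level Unrestricted, enforce on all software files
# except libraries (TransparentEnabled=1), for all users (PolicyScope=0),
# and XP's default list of designated (executable) file types.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -Type DWord
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
         'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
         'SCR','SHS','URL','VB','WSC'
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -Type MultiString

function Add-SaferPathRule {
    # One path rule = one GUID-named subkey under <level>\Paths, path in ItemData.
    param([string]$Path, [int]$Level, [string]$Description)
    $key = Join-Path $Safer ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([datetime]::Now.ToFileTime()) -PropertyType QWord -Force | Out-Null
}

# I. Precedence: the bare name blocks every copy; the absolute path is more
#    specific, so it wins for the genuine service host and keeps it running.
Add-SaferPathRule -Path 'svchost.exe'                   -Level $Disallowed   -Description 'I: svchost copies anywhere'
Add-SaferPathRule -Path '%windir%\system32\svchost.exe' -Level $Unrestricted -Description 'I: genuine svchost'

# II. Double extensions and the U disk.
foreach ($p in '*.jpg.exe', '*.txt.exe', "$UsbDrive\*.exe", "$UsbDrive\*.com") {
    Add-SaferPathRule -Path $p -Level $Disallowed -Description 'II: double extension / removable drive'
}

# III. The four hiding places (RECYCLER added because XP uses that name on NTFS).
foreach ($p in '?:\Recycled\*.*', '?:\RECYCLER\*.*', '%windir%\system\*.*',
               '%windir%\system32\Drivers\*.*', '?:\System Volume Information\*.*') {
    Add-SaferPathRule -Path $p -Level $Disallowed -Description 'III: hiding place'
}

# IV. Disguised process names (0 for O, .com or .pif beside the real .exe).
foreach ($p in '*.pif', 'sp0olsv.exe', 'spo0lsv.exe', 'sp00lsv.exe',
               'svch0st.exe', 'expl0rer.exe', 'explorer.com') {
    Add-SaferPathRule -Path $p -Level $Disallowed -Description 'IV: disguised process'
}

# Show what was written: security level and the unexpanded path of each rule.
Get-ChildItem "$Safer\*\Paths" | ForEach-Object {
    $level = Split-Path (Split-Path $_.PSParentPath) -Leaf
    '{0,-6} {1}' -f $level, $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
}
```

Two things to check before logging off: that the tool you will use to undo a mistake (powershell.exe, regedit.exe, gpedit.msc) is not itself caught by one of the Disallowed rules, and that the four default Unrestricted registry path rules the text mentions are still present under Additional Rules, since the rules above only make sense alongside them.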
It takes only four steps:

Step 1. Open Control Panel - Administrative Tools - Local Security Policy, right-click IP Security Policies on Local Computer and choose Create IP Security Policy. In the wizard enter a name for the policy, clear the "Activate the default response rule" check box on the Requests for Secure Communication page, and click Finish to create the new IP security policy.

Step 2. Right-click the new policy and open Properties. Clear the "Use Add Wizard" check box and click Add to add a new rule. In the New Rule Properties dialog click Add; in the IP Filter List window that opens, clear "Use Add Wizard" again and click Add to add a new filter.

Step 3. In the filter properties dialog choose Any IP Address as the source address and My IP Address as the destination address. On the Protocol tab choose TCP in the Select a protocol type list, then under "To this port" enter XXXX (XXXX is the port number to be closed, such as 3389 or 139) and confirm. (Note: which ports to close depends on a port list and on your own requirements; port lists can be found with any major search engine.)

Step 4. Back in New Rule Properties, select the new IP filter list and switch to the Filter Action tab. Clear "Use Add Wizard", click Add to add a blocking action, choose Block under Security Methods in the new filter action's properties, then select that action for the rule. Return to the policy's properties, tick the new IP filter list, and confirm. Finally, right-click the policy in the Local Security Settings window and choose Assign.
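The four wizard steps above map onto the netsh ipsec static context that is available on Windows XP SP2/SP3 Professional and Server 2003 (XP Home has no IPSec policy snap-in). The script below is an added example and not part of the original article; the policy, filter list and action names are this example's own, and the two ports are the ones the article gives as examples.

```powershell
# Added example (not from the original article): the four-step IPSec wizard
# as "netsh ipsec static" commands. Run as administrator with the IPSEC
# Services service running. Assumptions: the names below are this example's
# own; $Ports holds the two example ports from the article, extend as needed.

$Policy     = 'Close selected ports'
$FilterList = 'Inbound TCP ports to close'
$Action     = 'Block'
$Ports      = 3389, 139        # Remote Desktop and NetBIOS session, per the article

# Step 1: the policy, created unassigned and without the default response rule.
netsh ipsec static add policy name="$Policy" description="Block inbound TCP to selected ports" activatedefaultrule=no assign=no

# Steps 2-3: one filter list, one filter per port. srcaddr=any / dstaddr=me is
# the wizard's "Any IP Address" -> "My IP Address"; mirrored=yes is the wizard
# default and also matches the reply direction.
netsh ipsec static add filterlist name="$FilterList" description="TCP ports closed by policy"
foreach ($port in $Ports) {
    netsh ipsec static add filter filterlist="$FilterList" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=$port mirrored=yes description="TCP $port"
}

# Step 4: a Block filter action, a rule tying list and action together, then Assign.
netsh ipsec static add filteraction name="$Action" action=block
netsh ipsec static add rule name="Block listed ports" policy="$Policy" filterlist="$FilterList" filteraction="$Action"
netsh ipsec static set policy name="$Policy" assign=y

# Confirm: the assigned policy with its filters and actions.
netsh ipsec static show policy name="$Policy" level=verbose
```

An IPSec block applies regardless of the Windows Firewall exception list, so a port released in the firewall and blocked here stays blocked. Run this on a remote server only with 3389 removed from the list, or the Remote Desktop session you are working in will be the first thing it cuts off; to back the change out, run netsh ipsec static set policy name="Close selected ports" assign=n.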

Copyright © Windows knowledge All Rights Reserved