1. Open “Windows Local Security Policy
"Search” Type“secpol.msc” and press Enter.
2, to prevent hackers or malicious programs from hacking my system passwords
It is well known that brute force cracking Windows passwords is essentially achieved through exhaustive algorithms, especially systems with too simple passwords, brute force methods are more practical of. One thing that needs our attention is that the key to this problem is whether Windows allows remote clients or malicious programs to exhaust the username and password. If not allowed, it is a dead end for a malicious program to attempt to obtain administrator privileges through enumeration. So, how to not allow it? See the picture below:
After ensuring that the selected line is "already enabled", this road is basically blocked. If you don't worry, you can also put it underneath. That line "does not allow anonymous enumeration of SAM accounts and shares" is also set to “ Enabled& rdquo; status.
In addition, will "local strategy" & rdquo; & mdash; & mdash; & ldquo; security options & rdquo; & ldquo; network access: anonymous access to share & rdquo; & ldquo; network access: remote access registry path & rdquo ;, & ldquo; network access: remote access to the registry path and sub-paths, & rdquo; network access: anonymous access to the named pipe & rdquo; these four items contain all the values removed, can further enhance the security of the system.
3, Windows comes with a firewall
A: There are quite a few friends in the choice of a wide range of third-party firewall products, ignore the Windows built-in firewall, and even never opened. “Windows Firewall” is a sub-function of the local security policy. I personally think that as long as you are skilled in configuring this function, its ease of use and security are superior for personal applications and even enterprise needs.
There are two ways to enter:
1, enter the program interface as shown in the address bar below:
Then click on the left side “Advanced Settings” appears as follows:
Use this method to enter to browse existing rules and create new ones.
2. Enter the program interface directly in the “Local Security Policy”:
The right side is blank, and the existing rules are not listed, but new rules can be created.
For example, Adobe Photoshop CS is prohibited from accessing the network. Right-click on a blank space or click on the "New Rule" button in the right column and select the first item in the "New Outbound Rule Wizard" column. > Programs & rdquo (Control rules for program connection), the next step is to select the path where photoshop is located, as shown below:
Next step select "Block connection", then you will be asked "When to apply the rule" ;, you can check according to the actual needs, the default selected "domain, private, public". As shown below:
Then give it a name (arbitrary), the rules are created, and Photoshop.exe will never be able to access the network again. In addition, you can create more advanced rules in the "Connection Security Rules", as shown below:
This interface does not know, the function is so powerful, basically you think of unexpected and unexpected needs, here All are implemented, such as blocking any IP or IP segments that you are not comfortable with, blocking pings, or specifying the operation rights of any port, program name or service name, etc., and the ease of use and reliability are not inferior to any third-party firewall.
3, through the security policy to prohibit the program to run
A: The answer is yes, not only, but also prevent a program from being renamed, change the path, change the suffix, change the shell and then run, this function is called "AppLocker" ;, it is more strict and powerful than prohibiting a program from running in Group Policy. The program interface is as shown below:
Right-click on the left side "Executable Rules" & ——“Create New Rule", in the wizard interface that appears, not only the user group (such as Guest) Account), can also enumerate various qualifications, as shown below:
If you select "Publisher", then the disabled program, and all its upgraded versions and revisions cannot be Run (this condition can be further detailed), such as QQ, Thunder, Cool Dog, etc., their official and customized versions can not run, very smart. This feature can also be applied to quarantine virus operations. If there are viruses or Trojans that cannot be cleaned up in the system, no matter whether the infected person is a program, a script, a dynamic link library, or a batch process, it can no longer be done. From this point of view, the current mainstream anti-virus software, in the virus isolation function is generally not detailed. The remaining two are completely easy to understand by literal meaning, especially the third item “File Hash”, which is quite practical.
This function can also be used in conjunction with the "Software Restriction Policy", as shown below: (If the content shown on the right does not appear, right-click on the left sidebar to create a software restriction policy)
In addition, through the "global object access audit" can also limit the access permissions of the groups for the entire or partial registry or even the file system, as shown below:
When you break through the iron shoes, look for this online When using third-party software for functions, should you first flip through the Windows home? Hehe. If you have a good understanding of PowerShell, you can further simplify the creation and management of AppLocker rules, but the details are not detailed.
At the end of the two additional questions about the "local security policy" failure:
4, can not access the local security policy solution
A: This problem will generally be displayed as "create a snap-in" Failure & rdquo; or CLSID: {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}, the reason for the occurrence is more common in some software to replace or delete this part of the data during installation or uninstallation, the solution is to ensure that your environment variable path contains : quo;%systemroot%system32;%systemroot%;%systemroot%system32wbem”, if not, add it yourself.
Then locate HKEY_CURRENT_USER——Software——Policies——Microsoft——MMC in the registry, assign a value of 0 to RestrictToPermittedSnapins, as shown below:
5, Ensure IPsec Policy Agent Service It is enabled.