By default, after installing Windows XP, our Windows XP is not very secure. Therefore, it is necessary for us to make some tinkerings to the system. In general, we must use the registry. Admittedly, modifying the registry is a very effective method, but it requires some computer knowledge, otherwise it is very likely to cause a system crash. However, if we pay attention to using Group Policy in Windows XP, we can easily create a secure Windows XP without us having to use the Registry Editor! First, understand the group strategy of XP
We still remember the Windows 98 era, we have used the "policy editor" software on the Windows 98 installation CD, at that time must be amazing for its magical features! The principle of the Group Policy tool is the same as the "Policy Editor" principle in Windows 98. It can be used to operate in a more intuitive interface by taking many actions that are usually necessary to modify the registry to complete. Therefore, in layman's terms, "Group Policy" is an alternative registry editor that allows you to change some important settings in your system. Not only can you save the pain of memory key value, but also avoid the danger of inadvertently modifying the registry. Tips Group Policy is not the same as the Registry Editor. The Registry Editor can theoretically change any key value to make it more satisfying. But group policy is only to control certain items, so in a sense, the tasks that group policy can accomplish, modify the registry will be able to complete. Conversely, modifying the tasks that the registry can do is not necessarily effective through Group Policy. Second, the start of group policy
Click the "Start" → "Run" command, enter "gpedit.msc" in the "Open" column of the "Run" dialog box, and then click the "OK" button to start Windows XP Group Policy Editor. In the opened Group Policy window (as shown in Figure 1), we can find the control object given in the tree structure in the left pane, and the specific settings in the right pane for the left configuration. Strategy. Tips and differences between "Computer Configuration" and "User Configuration" In addition, you may have noticed that the "Local Computer" policy in the left pane is composed of two major subkeys: "Computer Configuration" and "User Configuration". And some of the items in the two are duplicated, as both of them contain "software settings", "Windows settings" and so on. So what is the difference between setting the same project under different subkeys? In fact, the "computer configuration" here is to set the system configuration in the whole computer, it works for the running environment of all users in the current computer; and "user configuration" is to set the current user's system configuration. , it only works for the current user. For example, both provide settings for the "Disable Autoplay" feature. If this feature is selected in "Computer Configuration", all users' disc autorun function will be invalid; if it is selected in "User Configuration" With this function, only the user's CD autorun function is disabled, and other users are not affected. Pay attention to this when setting up. Third, use Group Policy to create a full XP
Through the Group Policy tool, we can make some settings on the system to make it more secure. The following are very practical examples: 1. Limiting the saving function of IE browser When multiple people share a computer, in order to keep the hard disk clean and tidy, it is necessary to limit the use of the browser's saving function. How can this be achieved? The specific method is: select User Settings → Administrative Templates → Windows Components → Internet Explorer → Browser Menu branch. Double-click the ‘File’ menu in the right pane: Disable the 'Save As...’ menu item (Figure 2), and select the Enabled radio button in the settings window that opens (Figure 3). Tips In the Figure 2 pane, we can also use the "File" menu: Disable Save as Web Menu Item, "View Menu: Disable 'Source File' Menu Item" and "Disable Context Menu" and other policy items Make changes so our IE will be safer. 2. It is forbidden to modify the homepage of IE browser. If you don't want others or some malicious code on the network to arbitrarily change the IE browser homepage you set, we can choose User Configuration→Administrative Template→Windows. The Component→→Internet Explorer branch, then in the right pane, double-click the Disable Change Home Page setting policy to enable it (Figure 4). Tips (1) In the Figure 4 pane, the disable function for items such as change history settings, changing color settings, and changing temporary Internet file settings is also provided. If this policy is enabled, the settings in the Home page of its General tab will be grayed out in the Internet Options dialog box in Internet Explorer. (2) If you set the "Disable General Pages" policy in "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Internet Control Panel", you do not need to set this policy because "disabled" The General Pages policy will remove the General tab on the interface. (3) Expand the "User Settings" → "Administrative Templates" → "Windows Components" → "Internet Explorer" branch step by step, we can find "Internet Control Panel", "Offline Page", "Browser Menu" under it Policy options such as "Toolbar", "Continuous Behavior", and "Administrator-approved Controls". Use it to create a very personal and secure IE. 3. Add a security policy to our IP Under "Computer Configuration" → "Windows Settings" → "Security Settings" → "IP Security Policy, under Local Computer", there are several settings related to the network. If you are familiar with the Internet, you can also add or modify more network security settings, which will be more secure when running network programs on Windows or surfing the Internet. Tips Because this is more professional, there will be a lot of professional concepts involved, which are not used by the average user. Here is just to remind the network administrators, so skip here. 4. Disable IE component automatic installation Select "Computer Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" project, double-click the "Disable automatic installation of Internet Explorer components" item in the right window, select in the window that opens. The "Enabled" radio button will prevent Internet Explorer from automatically installing components. This prevents Internet Explorer from downloading the component when it is accessed by a user who needs a component, and tampering with IE will be curbed! Relatively speaking, IE will be much safer! Tip If you disable the policy or do not configure it, users accessing a site that requires a component will receive a message prompting the user to download and install the component. Sometimes when users don't look at it, choosing "Install" will often cause problems. A lot of malicious code on the Internet often works like this. 5. Record the user's actions. Many people may use Windows XP as the domain controller of the local area network, so that there are more users to log in. At the same time, Windows XP is also a multi-user operating platform. Therefore, it is necessary for us to record each user's behavior so that their behavior can be monitored and recorded for the system administrator to view and analysis. All of this is almost entirely in "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Audit Policy". As shown in Figure 5, we can see that there are many audit-related items: audit policy changes, audit login events, audit object access, audit process tracking, audit directory service access, audit privilege usage, audit system events, audit account login events. And audit account management and more. After double-clicking on an item, the window shown in Figure 6 will appear, check the box before the success and failure. Tips (1) Audit is a technology that Microsoft started using from Windows NT. All the audited objects will create corresponding projects in the system log, and will record the operation time and audit category. And the corresponding results. (2) All audit record results can be viewed by selecting “Start” → “Control Panel” → “Administrative Tools” → “Administrative Tools” → “System Tools” → “Event Viewer”. If you double-click on one of the audit items, you can also see its details, including the date, source, time, category, type, information, event, user, computer, description, and data of the audit project (Figure 7). . I believe that it is quite useful for us to manage computers more conveniently and safely. Of course, the Group Policy feature in Windows XP is very powerful. There are a lot of useful settings for us to modify, just limited to the length, I can not explain here one by one.