Play Windows System Group Policy Advanced Skills

  
System Group Policy is one of the tools a network administrator can hardly do without. Most people are familiar with its everyday uses, but the author has always believed that, as long as we look carefully, we can keep digging up new ways to apply it. If you don't believe it, read on; these tricks should take your use of Group Policy to a whole new level.

Beware of programs, beware of "self-locking"

Windows Server has a Group Policy setting called "Run only allowed Windows applications". Once you enable it and block every program outside the allowed list, the system's Group Policy "locks itself": as soon as the setting takes effect you can no longer open the Group Policy editor, even by running "gpedit.msc" under the administrator account, and it makes no difference whether gpedit.msc is on the allowed list or not. Is there a way to restrict which applications can run without letting Group Policy lock itself? Yes; follow the steps below.

First click Start / Run, type "gpedit.msc" in the Run box and click OK to open the Group Policy editor. Expand User Configuration / Administrative Templates / System and, in the right pane of the System node, double-click "Run only allowed Windows applications"; in the window that opens, select Enabled. The "Show" button becomes active; click it, click "Add" in the next window, enter the name of the application you need to run in the Add box, and click OK. Do not close the Group Policy editor yet. Now open the Run dialog again and execute "gpedit.msc": you will find that the Group Policy editor no longer opens. Fortunately, the editor window you opened earlier is still there. Double-click the "Run only allowed Windows applications" setting you just configured, select "Not Configured" in the settings window, and click OK. This restricts which applications may run while also preventing Group Policy from "self-locking".

Tip: if you add an application name to the "Run only allowed Windows applications" list and then close the Group Policy editor straight away, you can recover as follows. Restart the server and keep pressing F8 during startup until the boot menu appears, then choose "Safe Mode with Command Prompt" to bring the server up at a command prompt. At the prompt run mmc.exe; in the console that opens, click the File menu, choose Add/Remove Snap-in, click the Standalone tab, and on the tab page shown in Figure 1 click "Add"; then click "Group Policy", "Add", "Finish", "Close" and "OK" to add a new Group Policy console. From there you can reopen the Group Policy editor window and repeat the settings above, which restrict which applications may run and at the same time prevent Group Policy from "self-locking".
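The self-locking described above has a simple root cause: gpedit.msc is an MMC console file, and the process that actually runs is mmc.exe, so the allowed list must contain mmc.exe for the editor to keep working. The following PowerShell pre-flight check is an added example, not code from the original article; it reads the registry values behind "Run only allowed Windows applications" (a RestrictRun DWORD and a RestrictRun subkey under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) and warns when the policy is enabled but the management tools are not on the list. The $mustAllow set is a constructed assumption; extend it with the tools you rely on.

```powershell
# Added example (not from the article): check the applied "Run only allowed
# Windows applications" state for self-lock risk before relying on it.
# The policy is stored as HKCU\...\Policies\Explorer\RestrictRun (DWORD 1 = on)
# plus a RestrictRun subkey whose string values ("1", "2", ...) hold the
# allowed executable names. gpedit.msc is opened by mmc.exe, so mmc.exe,
# not gpedit.msc, must appear in the list to keep the editor usable.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

# Executables an administrator must keep allowed (constructed list for this example).
$mustAllow = @('mmc.exe', 'cmd.exe')

function Get-RestrictRunState {
    $enabled = $false
    $allowed = @()
    if (Test-Path $policyKey) {
        $v = Get-ItemProperty -Path $policyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
        if ($v -and $v.RestrictRun -eq 1) { $enabled = $true }
    }
    if (Test-Path $listKey) {
        $props = Get-ItemProperty -Path $listKey
        # Only the numbered values are list entries; skip the PS* metadata properties.
        $allowed = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { ([string]$_.Value).ToLower() })
    }
    return @{ Enabled = $enabled; Allowed = $allowed }
}

function Test-SelfLockRisk {
    param($State)
    $missing = @($mustAllow | Where-Object { $State.Allowed -notcontains $_ })
    if ($State.Enabled -and $missing.Count -gt 0) {
        Write-Warning ("RestrictRun is enabled but not allowed: " + ($missing -join ', '))
        Write-Warning "The Group Policy editor will be unusable once this policy is applied."
        return $false
    }
    return $true
}

$state = Get-RestrictRunState
"RestrictRun enabled : $($state.Enabled)"
"Allowed executables : $($state.Allowed -join ', ')"
if (Test-SelfLockRisk $state) { "No self-lock risk detected." }
```

Run the check in the same user session that the policy applies to, because the values live under HKCU and reflect the state after the last user policy refresh. If it warns, add mmc.exe to the list through the "Show" / "Add" dialog described above before closing the editor; removing the registry value by hand is not enough, since the local policy reapplies it at the next refresh.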
Then, at the command prompt, enter "gpupdate /target:computer" and press Enter; the newly modified security policy takes effect immediately. If you want a newly modified user policy to take effect immediately, run "gpupdate /target:user" at the command prompt instead. To refresh both the computer policy and the user policy, simply run "gpupdate" on its own.
Different users, different permissions

Your server may have many users, but to protect it you want them to have different access rights, so that if the server ever suffers an incident you can quickly narrow down, by permission level, which user was "up to no good". Assigning different access rights to different users only takes a few Group Policy settings. Click Start / Run, type "gpedit.msc" in the Run box and click OK to open the Group Policy editor; expand Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment. In the right pane of User Rights Assignment you will see many rights that can be assigned, as shown in Figure 3. For example, if you want user aaa only to reach content on the server remotely over a network connection, and never to log on locally to write content or run applications, double-click the "Deny log on locally" right, click "Add" in the window that opens, select the account name of user aaa and click "Add" again; from then on aaa can access the server only over the network. In the same way you can grant the local log-on right to user bbb, the right to take ownership of files or other objects to user ccc, and so on. Once different rights are assigned to different users, you can manage and control them according to permission level. For instance, if you find that illegal content was uploaded to the server during a period when it was not connected to the network, you can rule out user aaa at once: after all, aaa has no such "copying ability".

Protect settings to avoid conflicts

On a LAN, workstation IP addresses are often changed at will, causing IP conflicts that hurt the network's efficiency. There are many ways to avoid IP conflicts, but on closer inspection some of them are rather difficult for novice users. With Group Policy you can easily stop the network configuration of LAN workstations from being changed arbitrarily, and thus avoid IP conflicts on the network. Click Start / Run, type "gpedit.msc" in the Run box and click OK to open the Group Policy editor; expand User Configuration / Administrative Templates / Network / Network and Dial-up Connections; in the right pane of Network and Dial-up Connections, double-click "Allow TCP/IP Advanced Settings"; in the settings window shown in Figure 4, select Disabled and click OK. After that, a workstation user who opens the TCP/IP properties window will find there is no way into the Advanced settings window to change the workstation's IP address or other network parameters, so IP conflicts on the LAN become far less likely.

Strengthen auditing, stay away from attacks

By default, a Windows 2003 server does not enable any kind of security auditing, which obviously leaves the server exposed to considerable risk. To guard the server against attacks, you can enable an audit policy through Group Policy. Click Start / Run, type "gpedit.msc" in the Run box and click OK to open the Group Policy editor; go to the Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy branch. Under Audit Policy you will see several audit events that need to be specified, as shown in Figure 5. Double-click "Audit policy change"; in the settings window that opens, selecting "Success" makes the server record successful occurrences and selecting "Failure" makes it record failed ones. To learn about security risks on the server as early as possible, we usually audit both success and failure for "system events", "logon events", "account logon events" and "account management"; then even operations that were executed but did not end in a successful attack are recorded one by one by the server, and by carefully analyzing those records we can uncover the risk and take remedial measures in time to keep the server secure. For "object access", "directory service access", "privilege use" and similar events, auditing only failures is generally enough to capture attack records. Once auditing is enabled for these events through Group Policy, the server saves the audit records of the related events in the system's Event Viewer; thereafter you need only open the log promptly and analyze the records carefully to find out whether the server has been attacked.
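The user-rights assignments and the audit choices above can also be applied from the command line as a security template, which makes them repeatable across servers and easy to review. The PowerShell script below is an added example, not code from the original article: it writes a secedit template with the "Deny log on locally" right for user aaa, the local log-on right for bbb and "Take ownership of files or other objects" for ccc (the article's sample account names, assumed to exist locally), the Success/Failure audit settings recommended above, applies it, refreshes computer policy with gpupdate, and verifies the result by exporting the applied policy. The C:\Temp\secpol working directory is an arbitrary assumption.

```powershell
# Added example (not from the article): apply the user-rights and audit-policy
# choices discussed above with a secedit template instead of the gpedit.msc GUI,
# force the refresh, and verify by exporting the effective local policy.
# Assumes local accounts aaa, bbb and ccc exist (sample names from the article).

$workDir  = 'C:\Temp\secpol'          # arbitrary working directory (assumption)
$template = Join-Path $workDir 'policy.inf'
$database = Join-Path $workDir 'policy.sdb'
$exported = Join-Path $workDir 'applied.cfg'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# [Privilege Rights] REPLACES the current holders of each right, so keep
# Administrators on any right they need; omitting them is another way to lock
# yourself out. [Event Audit] values: 0 = none, 1 = Success, 2 = Failure, 3 = both.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = aaa
SeInteractiveLogonRight = bbb,Administrators
SeTakeOwnershipPrivilege = ccc,Administrators
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2
'@
Set-Content -Path $template -Value $inf -Encoding Unicode

# Apply only the security-policy area of the template.
secedit /configure /db $database /cfg $template /areas SECURITYPOLICY

# Make the new computer policy take effect immediately (see the gpupdate notes above).
gpupdate /target:computer /force

# Verify: export the effective policy and show the lines that were just set.
secedit /export /cfg $exported /areas SECURITYPOLICY
Select-String -Path $exported -Pattern '^(SeDenyInteractiveLogonRight|SeInteractiveLogonRight|SeTakeOwnershipPrivilege|Audit\w+) ='
```

Run it from an elevated prompt on the server itself. The exported file is a convenient artifact to keep: diffing it against a known-good copy on a schedule is a cheap way to notice when someone has quietly changed a user right or turned an audit category back off.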