The "Local Security Policy" that comes with Windows XP is a very good system security management tool. Using it can make our system more secure. First, let's talk about how to start a "local security policy." After you click Control Panel, Administrative Tools, Local Security Policy, you will be taken to the main interface of Local Security Policy. Here you can set various security policies through the commands on the menu bar, and you can select the viewing mode, export list and import policy. Next, let's explore the magic of the "local security strategy." Prohibiting enumeration accounts We know that some worms with hacking can scan the Windows 2000/XP system's designated port and then guess the administrator system password through a shared session. Therefore, we need to defend against such intrusion by setting a ban on enumerating accounts in the Local Security Policy. The steps are as follows: In the Security Settings directory tree on the left side of the Local Security Policy, expand layer by layer. Local Policy Security Options. View the list of related policies on the right, find "Network Access: Do not allow anonymous enumeration of SAM accounts and shares" (Figure 1), right-click, select "Properties" in the pop-up menu, and then pop up a Dialog box, activate the "Enabled" option here, and finally click the "Apply" button to make the settings take effect. Account Management In order to prevent intruders from exploiting the vulnerability to log in to the machine, we need to set the name of the system administrator account and disable the guest account. The setting method is as follows: In the “Local Policy” “Security Options” branch, find the “Account: Guest Account Status” policy, click “Property” in the pop-up menu, and then set its status to “Yes” in the pop-up Properties dialog box. Deactivate" and finally "OK" to exit. Next, let's look at the "Account: Rename System Administrator Account" policy, call up its properties dialog box, and customize the account name in the text box (Figure 2). Assign Local User Rights If you are a system administrator, you can assign specific rights to a group account or a single user account. In Security Settings, navigate to Local Policies User Rights Assignment, and then in the Settings view on the right, you can make security settings for each of the policies under it (Figure 3). For example, if you want to allow a user to take ownership of any available objects in the system: including registry keys, processes and threads, and NTFS file and folder objects (the default setting for this policy is only administrators). First, you should find the "Get ownership of files or other objects" policy in the list, right-click with the mouse, select "Properties" in the pop-up menu, click the "Add User or Group" button here, enter the object name in the pop-up dialog box. And confirm the operation. Using IP policies We know that no matter which kind of hacking program, most of them use ports as channels. Therefore, we need to close those ports that may become intrusion channels. You can check the relevant dangerous port information online to make it ready. Below we use the 23 port of Telnet as an example to illustrate (the author's operating system is Windows XP). First click "Run" in the box, enter "mmc" and press Enter to bring up the console window. We select “File” “Add/Remove Snap-in” “Click “Add” in the separate tab bar” “IP Security Policy Management” and finally follow the prompts. At this time, we have added the "IP security policy, on the local computer" (hereinafter referred to as "IP security policy") to the "console root node" (Figure 4). Now double-click on "IP Security Policy" to create a new management rule. Right-click "IP Security Policy", select "Create IP Security Policy" from the shortcut menu that pops up, open the IP Security Policy Wizard, click "Next" "Name defaults to 'New IP Security Policy'" "Next" "No Select 'Activate default response rule'. Note: When clicking “Next, you need to confirm that “Edit Attribute” is selected at this time, then select “Complete, the “New IP Security Policy Attribute” window appears (Figure 5), select "Add" and then click "Next" without having to select the "Use Add Wizard" option. The source address of the addressing field should be "any IP address" and the destination address should be "my IP address" (you do not have to select a mirror). In the Protocol tab, note that the type should be TCP, and set the IP protocol port from any port to this port 23, and finally click "OK". A "New IP Filter" will appear in the "IP Filter List", select it, switch to the "Filter Actions" tab, click "Add", "Name defaults to 'New Filter Action'" Add "Block" "Complete". The new policy needs to be activated to work. The specific method is to right click on the “New IP Security Policy” and select “Assign” the strategy just developed. Now, when we telnet from another computer to the arming one, the system will report the login failure; scanning the machine with the scanning tool will find that port 23 is still providing service. In the same way, you can block any other suspicious ports, and let the uninvited guests scream "not good". Strengthen password security In the “Security Settings”, first locate the “Account Policy” and “Password Policy”. In the setting view on the right side, you can set the settings as appropriate to make our system password relatively safe and difficult to crack. An important means of anti-hacking is to update the password regularly. You can set the following settings according to this: right click on the "last password retention period", select "Properties" in the pop-up menu, in the pop-up dialog box, everyone can Defines how long a password can be used (limited to between 1 and 999). In addition, through Local Security Settings, you can also track user accounts, login attempts, system shutdowns or restarts, and similar events for accessing files or other objects by setting up Audit Object Access. Security settings like this are not the same. In practical applications, people will gradually find that "local security settings" is indeed an indispensable system security tool.