Server security settings: Local Security Policy
- 2020-05-07 20:39:24
- OfStack
Command to refresh the security policy: GPUpdate /force (the updated Group Policy is applied and takes effect without a restart).
Start menu -> Administrative Tools -> Local Security Policy
A. Local Policies -> Audit Policy
Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure
B. Local Policies -> User Rights Assignment
Shut down the system: Administrators group only; remove all other entries.
Deny log on through Terminal Services: add the Guests and Users groups.
Allow log on through Terminal Services: Administrators group only; remove all other entries.
C. Local Policies -> Security Options
Interactive logon: Do not display last user name (set to Enabled)
Network access: Do not allow anonymous enumeration of SAM accounts and shares (set to Enabled)
Network access: Do not allow storage of credentials for network authentication (set to Enabled)
Network access: Shares that can be accessed anonymously (delete all entries)
Network access: Named Pipes that can be accessed anonymously (delete all entries)
Network access: Remotely accessible registry paths (delete all entries)
Network access: Remotely accessible registry paths and sub-paths (delete all entries)
Accounts: Rename guest account (give it a different name)
Accounts: Rename administrator account (give it a different name)
Recommended values by machine role (Enterprise Client and High Security baselines):

| Setting name (as shown in the UI) | Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop |
|---|---|---|---|---|
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled |
| Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended |
| Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended |
| Devices: Allow undock without having to log on | Disabled | Enabled | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Enabled | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Enabled | Enabled | Enabled | Enabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled |
| Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled |
| Interactive logon: Message text for users attempting to log on | This system is limited to authorized users only. Individuals who attempt unauthorized access will be prosecuted. | (same) | (same) | (same) |
| Interactive logon: Message title for users attempting to log on | It is illegal to continue using this system without proper authorization. | (same) | (same) | (same) |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1 |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled |
| Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Disabled | Enabled | Disabled |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled | Enabled |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | (same) | (same) | (same) |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled |
| Network security: Force logoff when logon hours expire | Enabled | Disabled | Enabled | Disabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only \ refuse LM & NTLM | Send NTLMv2 response only \ refuse LM & NTLM |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | No minimum | Require NTLMv2 session security and 128-bit encryption | Require NTLMv2 session security and 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | No minimum | Require NTLMv2 session security and 128-bit encryption | Require NTLMv2 session security and 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled | Enabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Disabled | Disabled |
1. Harden system accounts
(1) Disallow account enumeration
Some attackers scan specific ports on Windows 2000/XP systems and then use the share session to enumerate accounts and guess the administrator password. To prevent this kind of intrusion, disallow account enumeration in the Local Security Policy. The steps are as follows:
In the Security Settings tree on the left of the Local Security Policy window, expand Local Policies -> Security Options. In the policy list on the right, find "Network access: Do not allow anonymous enumeration of SAM accounts and shares", right-click it and choose Properties. In the dialog box that opens, select Enabled and click Apply for the setting to take effect.
(2) Account management
To make it harder for an intruder to log on to the machine through a well-known account, rename the system administrator account and disable the guest account. To do so, under Local Policies -> Security Options find the "Accounts: Guest account status" policy, right-click it and choose Properties, set its status to Disabled in the dialog box, and click OK.
2. Strengthen password security
In Security Settings, go to Account Policies -> Password Policy and adjust the settings in the right-hand pane so that system passwords are harder to crack. One important anti-cracking measure is to change passwords regularly: right-click "Maximum password age", choose Properties, and in the dialog box set how long a password may be used before it must be changed (between 1 and 999 days).
In addition, by enabling audit object access in Local Security Settings you can track which user accounts access files or other objects, logon attempts, system shutdowns or restarts, and similar events. These are only a few of the available security settings; in practice you will gradually find that Local Security Settings is an indispensable system security tool.
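The script below is an added example, not part of the original article: it exports the machine's current Local Security Policy with secedit and compares it with the recommendations above (the audit policy in section A, the High security column of the table, and the account and password steps in sections 1 and 2). It assumes an elevated PowerShell on Windows; the INF section names and registry value names are the ones secedit itself writes, and the threshold for the password age check is the 1 to 999 day range stated in section 2.

```powershell
# Added example (not from the article): audit the local security policy export
# against the article's recommendations. Run elevated; secedit.exe is built in.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Parse the INF into section -> key -> value. secedit writes the file as UTF-16LE.
$policy = @{}; $section = ''
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($line -match '^(.+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
}

$lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
$pol = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
  # Registry Values are "type,data" (4 = REG_DWORD). Event Audit: 0 none, 1 success, 2 failure, 3 both.
  @{ S='Registry Values'; K="$lsa\RestrictAnonymousSAM";    Want='4,1';         N='No anonymous enumeration of SAM accounts' }
  @{ S='Registry Values'; K="$lsa\RestrictAnonymous";       Want='4,1';         N='No anonymous enumeration of SAM accounts and shares' }
  @{ S='Registry Values'; K="$lsa\NoLMHash";                Want='4,1';         N='Do not store LAN Manager hash' }
  @{ S='Registry Values'; K="$lsa\LmCompatibilityLevel";    Want='4,5';         N='Send NTLMv2 response only, refuse LM & NTLM' }
  @{ S='Registry Values'; K="$lsa\MSV1_0\NTLMMinClientSec"; Want='4,537395200'; N='NTLMv2 session security + 128-bit (clients)' }
  @{ S='Registry Values'; K="$lsa\MSV1_0\NTLMMinServerSec"; Want='4,537395200'; N='NTLMv2 session security + 128-bit (servers)' }
  @{ S='Registry Values'; K="$pol\DontDisplayLastUserName"; Want='4,1';         N='Do not display last user name' }
  @{ S='Registry Values'; K="$pol\DisableCAD";              Want='4,0';         N='CTRL+ALT+DEL still required' }
  @{ S='Event Audit';     K='AuditLogonEvents';             Want='3';           N='Audit logon events: success and failure' }
  @{ S='Event Audit';     K='AuditAccountLogon';            Want='3';           N='Audit account logon events: success and failure' }
  @{ S='Event Audit';     K='AuditPolicyChange';            Want='2';           N='Audit policy change: failure' }
  @{ S='System Access';   K='EnableGuestAccount';           Want='0';           N='Guest account disabled' }
  # Renames and the password age have no single target value, so test a condition instead.
  @{ S='System Access'; K='NewGuestName';         Test={ param($v) $v -ne '"Guest"' };                    N='Guest account renamed' }
  @{ S='System Access'; K='NewAdministratorName'; Test={ param($v) $v -ne '"Administrator"' };            N='Administrator account renamed' }
  @{ S='System Access'; K='MaximumPasswordAge';   Test={ param($v) [int]$v -ge 1 -and [int]$v -le 999 }; N='Maximum password age within 1-999 days' }
)

$drift = 0
foreach ($c in $checks) {
    $sec  = $policy[$c.S]
    $have = if ($sec) { $sec[$c.K] } else { $null }
    $ok   = if ($null -eq $have) { $false }
            elseif ($c.Test)     { & $c.Test $have }
            else                 { $have -eq $c.Want }
    if (-not $ok) { $drift++ }
    $label = if ($ok) { 'OK   ' } else { 'DRIFT' }
    '{0} {1} (have: {2})' -f $label, $c.N, $(if ($null -eq $have) { '<not set>' } else { $have })
}
"$drift of $($checks.Count) checked settings differ from the recommendations."
```

Each line reports one setting with its current exported value, so a DRIFT line points directly at the policy to change in Local Security Policy, after which GPUpdate /force applies it.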