Group Policy and Security Template

xiaoxiao2021-03-06  77

After installing a system, the first thing most people do is optimize it in all sorts of ways. The tools used for this come in great variety and are mostly shareware: free to try, but limited in time or function until you pay. What you may not know is that the operating system's own Group Policy is a good optimization tool. With Group Policy we can change many hidden settings, make the system more personal, and greatly improve its security. This article discusses settings in Group Policy and in security templates; the operating systems covered are limited to Windows 2000, Windows XP Professional (wherever Windows XP appears below, the Home edition is not included) and Windows Server 2003.

What is Group Policy?

Group Policy is a management technology introduced with Windows 2000; with it, administrators can set a wide range of options for one or more computers. Its use is very flexible and covers registry-based policy settings, security settings, software installation, running scripts at computer startup and shutdown and at user logon and logoff, and more.

How Group Policy is set up

Group Policy can be defined and applied in different ways in different environments. On a stand-alone computer or in a workgroup, we use the Group Policy Editor to create and modify policy. In a domain environment it is far more powerful: once the administrator deploys a policy on the domain controller, every client computer in the domain applies it automatically, so a setting made once takes effect everywhere.

Group Policy settings in stand-alone and workgroup environments

Type gpedit.msc in the Run box to open the Group Policy Editor (Figure 1). Its window is divided into two panes, much like the Registry Editor: the tree on the left lists all available policy categories, and the panel on the right lists the policies in the selected category; to configure a policy, just double-click it. To help you understand how Group Policy is used, we give a few examples below (they use Windows XP, but most of the content applies equally to Windows 2000 and Windows Server 2003; only details may differ).

Trick: temporarily hide policies.

If you are new to Group Policy, the sheer number of policies in the editor will leave you dazzled; because you do not yet know where each policy lives, configuring a single policy can mean scrolling through the editor for a long time. Here the editor's filtering function helps. Select a category in the tree on the left, then click "Filter" to open the Filter dialog, where we can show only the policies that apply to specific software. For example, we can show only policies that work with IE6 and later, or hide all policies that cannot be used on Windows 2000.

Trick: hide the User Configuration or Computer Configuration branch.

First understand the structure shown in the Group Policy Editor: it is divided into two main parts, Computer Configuration and User Configuration. To see how many settings are configured on the current system, or to hide one of the two branches, right-click "Local Computer Policy" at the top of the tree on the left and select Properties; the Local Computer Policy Properties dialog opens. The "Created" field shows when the policy was generated, which is generally the time the operating system was installed; "Modified" shows when Group Policy was last changed; and "Revisions" shows how many settings are configured in each of the two branches. To hide one of the branches, tick the corresponding check box at the bottom of the dialog.

Hiding the Recycle Bin icon. A freshly installed Windows XP desktop shows only one icon, the Recycle Bin. For the sake of appearance you may not want your beautiful wallpaper spoiled by it, so how do you remove this one remaining icon? Selecting it and pressing Delete does nothing, but Group Policy can. Open the Group Policy Editor, locate "User Configuration - Administrative Templates - Desktop" in the tree on the left, then find and double-click "Remove Recycle Bin icon from desktop" in the right panel; a dialog like Figure 2 appears. Select "Enabled" and click OK to close it. Log off, log on again, and the last icon is gone.

Protect the secrets in the paging file

For important files, we all know that encryption and permissions keep unrelated people out. But did you know that someone who really wants your confidential information can obtain it through another channel, the paging file? The paging file supplements physical memory by swapping data between the hard disk and RAM, and it is itself a file on the disk: it lives in the root of the partition where the system is installed and is named pagefile.sys. When we run a program, part of its data may be written temporarily to the paging file, and if we then shut the system down immediately, some of that data may still be sitting in the paging file. In that case, anyone who gets hold of the computer's hard disk can remove it and, with suitable software, read the confidential information left in the paging file. Group Policy lets us avoid this risk. Open the Group Policy Editor and enable "Shutdown: Clear virtual memory pagefile" under "Computer Configuration - Windows Settings - Local Policies - Security Options". With this policy enabled, the system overwrites the paging file with "0" or "1" when it shuts down, so the information naturally disappears. Note, however, that this slows down shutdown, so unless it is really needed, enabling this policy is not recommended.

Security under the Recovery Console

After a system failure we may need to do repair work in the Recovery Console. But if you hoped to copy important files from the hard disk to a floppy disk after the system crashed, you will be disappointed. To protect documents, by default the Recovery Console gives only restricted access to a few system directories and no full access to all hard disk partitions. Moreover, we can only copy files from a CD or floppy to the hard disk, not from the hard disk to a floppy. If you do not need this security measure, you can disable it entirely through Group Policy: again under "Computer Configuration - Windows Settings - Local Policies - Security Options", enable "Recovery console: Allow floppy copy and access to all drives and all folders". The next time you enter the console, the restriction is gone.

Disable balloon notifications

In Windows XP, whenever the system has a message, such as a network connection or disconnection, it is shown in the notification area (the part of the lower right corner of the screen that shows the clock and many software icons). This may be fresh the first time, but it gets tiresome in the long run. Group Policy can hide these balloons for good. In the Group Policy Editor, locate "User Configuration - Administrative Templates - Start Menu and Taskbar" in the tree on the left, find and double-click "Remove Balloon Tips on Start Menu items", click "Enabled" and then OK to exit.

Customizing the IE browser

Internet Explorer is used every day, and if you always face the same IE window you will surely tire of it. To dress up the IE window, use Group Policy. In the tree on the left of the Group Policy Editor, expand "User Configuration - Windows Settings - Internet Explorer Maintenance - Browser User Interface". Here we can customize the browser's title bar, the animated logo in the upper right corner and the toolbar icons; just double-click each policy and follow the instructions in the window that opens. If we want IE to use Google as the default search engine when "Search" is clicked, that can also be set here. Click "URLs" under "Internet Explorer Maintenance", double-click the "Important URLs" policy, tick the check box before "Customize Search bar URL", enter http://www.google.com below and click OK. The next time IE starts, Google is the default search engine.

Using logon and logoff scripts

With Group Policy we can run script files automatically when users log on and log off, and a script can do a great deal, for example defragment the disk or empty temporary folders. As an example of how this policy is used, we will make the computer create a System Restore point automatically each time it starts.

First you need to write a script that creates a restore point, then set Group Policy to run that script when the computer starts. The script is not difficult, but since scripting is outside the scope of this article, please consult the relevant material (we suggest visiting http://www.microsoft.com/technet/community/scriptCenter/default.mspx).

Open Notepad and enter the following:

    ' Connect to the WMI SystemRestore class on the local machine
    Set sr = GetObject("winmgmts:\\.\root\default:SystemRestore")

    msg = "New restore point successfully created." & vbCr
    msg = msg & "It is listed as:" & vbCr
    msg = msg & "Automatic Restore Point " & Date & " " & Time

    ' CreateRestorePoint(Description, RestorePointType, EventType) returns 0 on success;
    ' 0 = APPLICATION_INSTALL, 100 = BEGIN_SYSTEM_CHANGE.
    ' The message boxes are only seen when the script is run interactively;
    ' as a startup script it runs before anyone logs on, so they are not shown.
    If sr.CreateRestorePoint("Automatic Restore Point", 0, 100) = 0 Then
        MsgBox msg
    Else
        MsgBox "Restore point creation failed!"
    End If

    Set sr = Nothing

Save the file as SystemRestore.vbs; when saving, pay attention to the "File type" drop-down and type the full file name, including the extension, in "File name". Then open the Group Policy Editor, locate "Computer Configuration - Windows Settings - Scripts (Startup/Shutdown)", and double-click the "Startup" policy to open the Startup Properties dialog. Click "Add", click "Browse" to find SystemRestore.vbs, then click OK to exit. From now on a restore point is created automatically each time the system starts.

There are many other policies that can be set; because the editor displays an explanation for each policy you select, those explanations should help you understand each policy and how to use it, so we will not go further here.

Trick: how to edit another computer's policy directly.

What is the best approach if you temporarily need to change the Group Policy settings of another computer on the LAN? Direct the other person over MSN Messenger? Walk over to the other computer? Or operate it remotely. Run "MMC" on your own computer to open a console, click "Add/Remove Snap-in" under the File menu, click "Add", select the "Group Policy" snap-in from the list of available stand-alone snap-ins and click "Add" again. A dialog asks you to select a Group Policy object; to edit this machine's Group Policy, keep the default, otherwise click "Browse" and choose another computer. Click "Browse" again and pick a computer on the LAN from the Select Computer dialog that follows (note that you need administrator rights on that computer). After the selection, a window much like the ordinary Group Policy Editor opens, but look closely: where "Local Computer Policy" used to be, it now reads "2k3 Policy". Be aware that connecting to another computer this way requires certain services on that computer to be running; if you disabled some services to optimize the system, the connection may fail.

Using software restriction policies

Network administrators in companies must have met this kind of trouble: the boss does not want employees chatting on QQ or playing games at work, yet there are always employees who install the banned software privately. How to prevent this? Monitoring software exists, but it seems to violate privacy. There is a second, very troublesome situation: more and more viruses now spread by e-mail, many people run e-mail attachments without thinking, and there has been no good way to stop employees running such files. Now, if your clients run Windows XP Professional, you can use software restriction policies.

Simply put, a software restriction policy is a technology with which administrators decide which programs are trusted (although we say "program", this is not limited to EXE files; files of any extension can be restricted through this technology) and which are not; the system refuses to run untrusted programs. Typically the administrator lets the system identify software, to decide whether it is trusted, by: the file's path, the file's hash value, the file's certificate, the Internet zone the file was downloaded from, all files from a given publisher, specific extensions, and other enforced properties.

Software restriction policies can be set not only on a stand-alone Windows XP computer, where they can be made to affect only the current user or user group or all users who log on to that computer, but also through the domain for all client computers joined to the domain, again either for a particular user or user group or for all users. We will explain the stand-alone form, set to affect all users; settings in a domain are similar to those in a stand-alone or workgroup environment. One more point: a wrong setting can sometimes stop system components from running (for example disallowing all files with the .msc extension). In that case, restart into Safe Mode, log on with the Administrator account, and delete or change the policy, because logons in Safe Mode are not subject to these policies.

In this example we assume the following requirement: employees' computers may run only the programs that come with the operating system (on the C drive) plus Word, Excel, PowerPoint and Outlook, which are needed for work, version 2003; Office is installed on the D drive, and the employees' operating system is Windows XP Professional. Run gpedit.msc to open the Group Policy Editor and look closely: there is a Software Restriction Policies entry under both "Computer Configuration" and "User Configuration". Which one to use? For a policy that applies only to a particular user or user group, use the one under "User Configuration"; for all users who log on locally to the computer, use the one under "Computer Configuration". Here it must apply to all users, so we choose the policy under "Computer Configuration".

Before configuring, we need to think about which software is to be allowed and which disallowed, so as to arrive at the best policy: everything needed runs correctly and everything unneeded cannot run. In this example most of the programs we allow live in the Program Files and Windows folders of the system disk (C drive), so we can identify the trusted programs by path. For the Office programs installed on the D drive, we can use either a path or a file hash.

Click the Software Restriction Policies entry under Computer Configuration, then click "Create New Policies" on the "Action" menu (on XP with SP1 there is no policy by default; on a system with SP2 a default policy already exists). The system creates two new entries, "Security Levels" and "Additional Rules". Under Security Levels there are two rules, "Disallowed" and "Unrestricted": the former means no software may run except the few programs specially configured, the latter means all software may run by default except the few specially configured to be prohibited. Since the software we need to run in this example is fixed, we use "Disallowed" as the default. Double-click that rule, click "Set as Default", and confirm the warning to continue.

Then open the "Additional Rules" entry. There are four rules here by default, all registry path rules set to "Unrestricted". We strongly advise you not to modify these four rules, or your system will run into a lot of trouble, because these four paths are where important system programs and files are located. As we said earlier, the Program Files folder on the system drive is allowed, and the four default rules already cover it, so all we have to do is add rules for the Office programs. Right-click in the blank area of the right panel and select "New Hash Rule"; the interface below appears. Click "Browse", locate the executable of each Office program to be allowed (remember them? winword.exe, excel.exe, powerpnt.exe and outlook.exe) and double-click it to add it. Then select "Unrestricted" in the Security Level drop-down and click OK to exit. Repeat these steps until the executables of all four programs are unrestricted. You may wonder why we create a hash rule for each program's executable; would a single path rule for the Office folder not be simpler? The reason is that a hash rule prevents executables from being swapped, and prevents users from copying "green" software that needs no installation into that folder. With a path rule, every file stored in the allowed folder can run, not just the permitted program but anything else the user copies there. A hash rule is different: the hash of a particular file is fixed, and as long as the content does not change the hash never changes, which also rules out counterfeits. There is one drawback: although the hash cannot be tampered with, the file itself may legitimately change.
For example, after you apply a Word patch, the hash of winword.exe may change. So if you choose this type of rule, whenever the software is updated you must check whether the corresponding rules need updating too; otherwise the legitimate program will be affected.

There are also several other settings available: Enforcement, which controls which files the restrictions apply to and whether they apply to the Administrator account; Designated File Types, which specifies which extensions the system treats as executable, where we can add or remove extensions; and Trusted Publishers, which decides which users may choose trusted publishers and what checks are made before a publisher is trusted. Configure these three according to your own situation.

Once the software restriction policy is in place, whenever a restricted user tries to run a prohibited program the system shows a warning and refuses to run it.
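To make the difference between the two rule types concrete, here is an added example (not code from the article) that models how a software restriction policy chooses between a hash rule, a path rule and the default security level, and what happens to a hash rule after a patch. The directory layout, file contents and MD5 hashes are constructed in a temporary folder; the precedence order (hash rule over path rule over default) and the use of MD5 by XP's hash rules are standard SRP behaviour, and the four default registry-path rules are stood in for by a single path rule on the Windows folder.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


def file_md5(path):
    """XP's SRP hash rules record an MD5 of the file's contents."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def _norm(p):
    return os.path.normcase(os.path.normpath(p))


@dataclass
class SoftwareRestrictionPolicy:
    default_level: str = DISALLOWED
    path_rules: dict = field(default_factory=dict)  # normalized prefix -> level
    hash_rules: dict = field(default_factory=dict)  # md5 hex -> level

    def add_path_rule(self, prefix, level):
        self.path_rules[_norm(prefix)] = level

    def add_hash_rule(self, path, level):
        self.hash_rules[file_md5(path)] = level

    def evaluate(self, path):
        """Decide whether `path` may run; returns (level, matched rule).

        Precedence mirrors SRP: a hash rule beats a path rule, the longest
        (most specific) path rule beats shorter ones, and the default level
        applies only when nothing matches.
        """
        digest = file_md5(path)
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash:" + digest[:8]
        target = _norm(path)
        best = None
        for prefix, level in self.path_rules.items():
            if target == prefix or target.startswith(prefix + os.sep):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, level)
        if best is not None:
            return best[1], "path:" + best[0]
        return self.default_level, "default"


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def scenario():
    """Constructed layout: a system drive with Windows, Office on another
    drive, a 'green' program a user dropped into the Office folder, and the
    effect of a patch on the Office executable."""
    root = tempfile.mkdtemp()
    sysroot = os.path.join(root, "c", "Windows")
    office = os.path.join(root, "d", "Office11")
    notepad = os.path.join(sysroot, "notepad.exe")
    winword = os.path.join(office, "WINWORD.EXE")
    dropped = os.path.join(office, "greenware.exe")
    _write(notepad, b"MZ notepad (constructed)")
    _write(winword, b"MZ winword 2003 (constructed)")
    _write(dropped, b"MZ unapproved tool (constructed)")

    # Policy A, the article's recommendation: default Disallowed, system
    # folder allowed by path, Office allowed by per-file hash.
    by_hash = SoftwareRestrictionPolicy(DISALLOWED)
    by_hash.add_path_rule(sysroot, UNRESTRICTED)
    by_hash.add_hash_rule(winword, UNRESTRICTED)

    # Policy B, the shortcut the article warns about: a path rule on the
    # whole Office folder.
    by_path = SoftwareRestrictionPolicy(DISALLOWED)
    by_path.add_path_rule(sysroot, UNRESTRICTED)
    by_path.add_path_rule(office, UNRESTRICTED)

    results = {
        "notepad": by_hash.evaluate(notepad)[0],
        "winword_hash_rule": by_hash.evaluate(winword)[0],
        "dropped_under_hash_rule": by_hash.evaluate(dropped)[0],
        "dropped_under_path_rule": by_path.evaluate(dropped)[0],
    }
    # Simulate a Word patch: the contents change, so the stored hash no
    # longer matches and the program falls back to the default level.
    _write(winword, b"MZ winword 2003 SP1 (constructed)")
    results["winword_after_patch"] = by_hash.evaluate(winword)[0]
    return results


if __name__ == "__main__":
    for name, level in scenario().items():
        print(f"{name:26} {level}")
```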

Applying policies in a domain environment

This part is more complex, so we will explain just two simple examples: deploying software over the network, and using security templates. In the examples below the domain controller runs Windows Server 2003 and the client runs Windows XP Professional.

Active Directory has two aspects: the directory and the services related to it. The directory is the physical container that stores objects of all kinds; the directory service acts on all the information and resources in the directory. Active Directory is a distributed directory service: its information can be spread across several computers, which lets users access it quickly, and because the same information exists on several machines it offers strong control over that information.

What is a domain? Active Directory is a hierarchy composed of organizational units, domains, domain trees and forests. The domain is the most basic management unit and the most basic container layer, holding basic data such as users and computers. A domain controller is a Windows Server computer that holds Active Directory; it stores directory data and manages interaction between users and the domain, including the logon process, authentication and directory searches. A domain can have one or more domain controllers.

An organizational unit is also a logical unit, and like a domain it exists for convenience of management. It can contain users, user groups and computers, but an organizational unit remains part of its domain.

How is a domain controller installed? Run dcpromo.exe on Windows 2000 Server or Windows Server 2003 to start the Active Directory Installation Wizard, and follow its prompts to promote the server to a domain controller.

How does a client join the domain? Apart from Windows XP Home, the other mainstream Windows versions can join a domain. On Windows XP Professional, for example, click the Network ID button on the Computer Name tab of the System Properties dialog and choose to join a domain. On a computer that has joined the domain we can log on with a local account or with a domain account, and a domain account gives access to all resources that exist in the domain.

Software deployment

Our task is to install SP1 on all Windows XP client computers in the company. First download the SP1 installation file (sp1.exe) from the Microsoft website and save it in a shared folder on the domain controller (c:\deploy); then run C:\deploy\sp1.exe /x on the domain controller and accept the default directory in the directory selection dialog that appears.

On the domain controller, run dsa.msc to open the Active Directory Users and Computers console; the interface shown below lists all objects in the domain.

Right-click the organizational unit to which SP1 is to be deployed and select Properties to open its properties dialog.

What we need to do is configure the policy that installs SP1 on the Group Policy tab of this dialog. Click "New" to create a policy in the list and give it a name that describes its function (for example "sp1 install"), then double-click it and a window much like the Group Policy Editor opens; as the name suggests, everything set in this window applies to all computers in the organizational unit. In the tree on the left expand "Computer Configuration - Software Settings - Software Installation" and select Software Installation. Choose "New - Package" from the "Action" menu, browse to the deploy\update folder in the dialog that appears and double-click Update.msi to add it. Note: do not go to the C drive and select the file directly; find the shared folder through My Network Places instead. That is, in this example Update.msi should be \\2k3\deploy\update\Update.msi, not C:\deploy\update\Update.msi: although both paths point to the same location on the server, other clients can only resolve the former. The system then asks for the deployment method; select "Assigned" and continue. After a moment our newly added package appears in the right panel. From now on, every client in the domain checks at restart and logon whether this software is installed; if it is, the logon continues, otherwise the installation files are downloaded from the server automatically and installation begins. Basically any software installed with Windows Installer can be deployed to all clients in the domain this way. Some software uses Windows Installer technology but ships as a single EXE file (MSN Messenger, for example).
In that case a simple method is to open the EXE with WinRAR or another archiver and extract the MSI file for bulk deployment. Clients for this deployment method can be Windows 2000, Windows XP Professional or Windows Server 2003.

Security Policy and Security Template

Although most policies have explanations in the system, one kind of policy is particularly special: security policy. Computer security attracts more and more attention; despite the many irresponsible claims that Windows is nothing but holes and vulnerabilities, with proper configuration Windows security can still be greatly improved. This magazine introduced security policy in the May issue, so when you reach this part we suggest you dig out that issue and read it first, then continue here.

Backing up and restoring security policy

After all security policies have been configured, you may want to save the settings for reference, or back them up so they can be restored after reinstalling the system, or even apply the security policy settings directly to other computers. Network administrators, in addition, often need to check whether the security policy settings of each client have problems, or apply the same security policy to many computers. Is there a good way? Next we introduce Group Policy's security templates and the Security Configuration and Analysis tool, which help with exactly this.

Creating a security template

We solve the first problem first: how to back up and re-apply your security policy settings and other security settings. Run "MMC" on a Windows XP computer; a console window appears. Click "Add/Remove Snap-in" on the window's File menu, click "Add", select the "Security Templates" snap-in from the list of available stand-alone snap-ins, click the "Add" button at the bottom of the window, then click "Close" and "OK" to close these dialogs, and you see the interface shown below. Expand the "Security Templates" branch; it shows the location and names of all the security templates that ship with the operating system. To be safe, we will not modify these default templates but create a new one of our own. Right-click the "Security Templates" node and select "New Template Search Path", then in the window that pops up specify a folder in which to save our own templates (here we save directly to the desktop). After clicking OK, the desktop path appears under the "Security Templates" node; right-click this path, select "New Template" from the context menu, enter the template name in the window that appears (here we use "template") and click "OK". Expand this new template: it looks like the place where we set security policy before, with the same policies and almost the same options. All we need to do is set every required policy here.

You may notice that besides security policies we can set other things, such as the state of a system service, access control permissions on registry keys and access control permissions on folders; all of these can be backed up and restored through the security template, and applied to other computers through it. Two examples follow.

Suppose we want the system to disable the Messenger service automatically and allow only the Administrator to change this service's settings. Expand the System Services node in our own security template, find and double-click the "Messenger" service, and select "Define this policy setting in the template"; a security settings dialog pops up, similar to the one for shared folder permissions, but here it sets permissions on the system service. Since only the Administrator should configure the service, select the default entries "Administrators", "SYSTEM", "INTERACTIVE" and so on and click "Remove", then click "Add", enter "Administrator" in the "Enter the object names" box of the dialog that appears, grant "Full Control" by ticking its "Allow" box, and click "OK" to exit. Then select the "Disabled" radio button in the "Messenger Properties" window. That completes the settings for this service.

Suppose we want only the Administrator to be able to access the "Folder" folder in the root of the system drive C. Expand the File System node in the security template, right-click it and select "Add File", select the "C:\Folder" folder in the window that appears (this folder must already exist), then in the window shown below remove the default objects, add "Administrator" and set the appropriate permissions.

After adding the permissions you see the window below. Note the two options "Propagate inheritable permissions to all subfolders and files" and "Replace existing permissions on all subfolders and files with inheritable permissions": the former means all subfolders and files under Folder inherit Folder's permission settings; the latter means all subfolders and files under Folder receive the new permission settings regardless of any permissions they inherited elsewhere. One thing to remember: when you configure folders through a security template and apply that template to other computers, if the corresponding folders do not exist on those computers, these settings have no effect.

After all security policies, permissions and system services are set, click the template node and save the settings with the "Save" command on the "Action" menu.

Applying and analyzing security templates

To apply these settings to other computers, or re-apply them automatically after reinstalling the system, proceed as follows. Again run "MMC" to open the management console, but this time add the "Security Configuration and Analysis" snap-in; assume the template file "template.inf" created earlier is saved on the desktop. First we need a security configuration database; the system provides one by default, but to be safe we recommend creating a new one. Right-click the "Security Configuration and Analysis" node and select "Open Database", enter a name for the new database in the window that follows (Safe1) and click "Open". Then you must import a template: select the template.inf file saved on the desktop and click "Open" again.

To find out how the security policy of the computer in use is configured now and how it differs from our own recommended configuration, right-click the Security Configuration and Analysis node, select "Analyze Computer Now" from the context menu and specify where to save the log file; the result appears after a moment. Expand each security policy node in turn and you see the interface below.

Here each policy has two values, "Database Setting" and "Computer Setting": "Database Setting" is the standard setting in the security template file we created, and "Computer Setting" is the setting currently on this computer. Settings that agree with the database are marked with a green check mark; settings that disagree are marked with a red cross. To correct a single security policy setting on the current computer so that it matches, just double-click the policy and change it directly. But if you want all security settings (security policies, system services, registry access and file and folder access) to be brought into line, right-click the Security Configuration and Analysis node and select "Configure Computer Now" from the context menu.
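Added illustration, not the article's own code: a small Python model of what the snap-in's "Analyze Computer Now" and "Configure Computer Now" do with a security template such as the one built above (the Messenger service and the page-file policy). The .inf text and the client snapshot below are constructed for the example; the section names, the registry path behind the page-file policy and the service start-type codes (2 automatic, 3 manual, 4 disabled) follow the standard secedit template format.

```python
import re

# Registry value behind "Shutdown: Clear virtual memory pagefile".
CLEAR_PAGEFILE_KEY = (r"MACHINE\System\CurrentControlSet\Control\Session Manager"
                      r"\Memory Management\ClearPageFileAtShutdown")

# Constructed template in the .inf layout written by the Security Templates
# snap-in: password policy, the page-file policy, and the Messenger service
# disabled (start type 4) with a DACL granting Administrators full control.
TEMPLATE_INF = f"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
{CLEAR_PAGEFILE_KEY}=4,1
[Service General Setting]
"Messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

# Constructed snapshot of a client's current state, as the analysis would
# read it from the live system (same key layout as parse_template returns).
CURRENT_SETTINGS = {
    ("System Access", "MinimumPasswordLength"): "8",
    ("System Access", "PasswordComplexity"): "0",
    ("System Access", "LockoutBadCount"): "5",
    ("Registry Values", CLEAR_PAGEFILE_KEY): "4,0",
    ("Service General Setting", "Messenger"):
        ("2", "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"),
}

ANALYZED_SECTIONS = ("System Access", "Registry Values", "Service General Setting")
SERVICE_LINE = re.compile(r'^"([^"]+)",(\d),"([^"]*)"$')


def parse_template(text):
    """Parse the .inf into {(section, name): value}.

    Ordinary sections are name=value; service lines are "name",start,"sddl"
    and are stored as a (start, sddl) tuple.
    """
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service General Setting":
            m = SERVICE_LINE.match(line)
            if m:
                settings[(section, m.group(1))] = (m.group(2), m.group(3))
        elif "=" in line:
            name, value = line.split("=", 1)
            settings[(section, name.strip())] = value.strip()
    return settings


def analyze(template, current):
    """'Analyze Computer Now': compare each template (database) setting with
    the computer setting; green check = "match", red cross = "mismatch"."""
    report = {}
    for key, wanted in template.items():
        if key[0] not in ANALYZED_SECTIONS:
            continue
        actual = current.get(key)
        if actual is None:
            report[key] = "not defined"
        else:
            report[key] = "match" if actual == wanted else "mismatch"
    return report


def configure(template, current):
    """'Configure Computer Now': every template setting overwrites the
    computer's current value; settings the template leaves undefined stay."""
    applied = dict(current)
    for key, wanted in template.items():
        if key[0] in ANALYZED_SECTIONS:
            applied[key] = wanted
    return applied


def mismatches(report):
    """Names of the settings that would show a red cross."""
    return sorted(name for (_, name), status in report.items() if status == "mismatch")


if __name__ == "__main__":
    tpl = parse_template(TEMPLATE_INF)
    for (section, name), status in analyze(tpl, CURRENT_SETTINGS).items():
        print(f"{status:9} {section}: {name}")
    after = analyze(tpl, configure(tpl, CURRENT_SETTINGS))
    print("remaining mismatches:", mismatches(after))
```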

Be careful when applying a security template, whether it is one provided by the system or one made by a colleague: other people's settings may not necessarily suit you, and some improper settings in particular will affect the normal use of some software. Administrators in organizations must therefore test these templates carefully in a test environment before applying them on a large scale, to make sure they are absolutely reliable. In addition, it is best to back up the system's relevant data before applying a template, so that you can recover if something unexpected happens.

Also, if you want to make a security template for Windows XP, make it on a Windows XP computer; likewise, a template for Windows 2000 is best made on a Windows 2000 computer. Security templates can be used in both domain and workgroup environments, and the method is basically the same.

Order in which Group Policy is applied

You may have noticed that the same policy can be set differently locally and in the domain. If the settings conflict, which one does the system use? Policy is applied in a definite order, as follows:

1. Settings in the local Group Policy object

2. Settings in site Group Policy objects

3. Settings in domain Group Policy objects

4. Settings in organizational unit Group Policy objects

Since the policy applied last overwrites the settings applied before it, when settings conflict the Active Directory levels take priority; the final result is that policy set in the domain overwrites local policy.

Please cite the original address when reposting: https://www.9cbs.com/read-108737.html
