In Windows XP there are two kinds of accounts: administrator accounts, which belong to the Administrators group, and restricted user accounts, which belong to the Users group. By default an administrator account can run every program on the computer, both those built into XP and the applications installed afterwards. A restricted user is limited in how much of the system it can use, for example many items in Control Panel and some system settings, but for applications the administrator has installed there is no restriction unless special access settings are made. On a computer shared by several people, the administrator therefore needs a way to control which programs each user may run. This can be achieved with the following three measures:
First, restrict the user's access to the program files
If the disk partition holding the program uses the NTFS file system, the administrator account can use the security options NTFS provides for files and folders to control who may access the program and its files. Normally, once an application has been installed, every account on the local computer can access and run it. If you withdraw a given user's access to the application or to its folder, that user loses the ability to run the application. For example, to stop restricted users from running Outlook Express, proceed as follows: (1) Log in with the Administrator account. If Simple File Sharing is enabled on the system, it must be turned off first: in a Windows Explorer window click Folder Options on the Tools menu, open the View tab, clear the "Use simple file sharing" option and click OK. (2) Open the Program Files folder, right-click the Outlook Express folder and select Properties. (3) Click the Security tab; you will see that the Users group has Read & Execute permission on the folder. Click Advanced. (4) Change the permission entries so that they are no longer inherited from the parent folder, as shown in Figure 1.
Figure 1 Advanced Security Settings of Outlook Express
(5) Click OK to return to the Properties window, select Users in the "Group or user names" list, click Remove, then click OK to complete the permission settings. To lift an access restriction on a file or program again, add the user or group back to the file or folder and grant it the corresponding access. In this way the administrator can restrict, user by user, the permission to access and run a given application. This has one important precondition: the partition holding the application must be NTFS; otherwise none of this is possible. On FAT/FAT32 partitions the security options for files and folders are not available, and instead we can stop a program from running by setting the computer's policies.
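The same change as steps (1) through (5), done from PowerShell, as an added example that is not part of the original article. It assumes Windows PowerShell is installed and the session runs as an administrator; the folder path is an assumed example, and the Users group is addressed by its well-known SID so the script does not depend on the display language.

```powershell
# Added example, not the article's own code. Does steps (1)-(5) of this
# section from PowerShell. $AppFolder is an assumed path; run as administrator.
$AppFolder = "$env:ProgramFiles\Outlook Express"
$UsersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

function Remove-UsersAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Step (4): stop inheriting entries from the parent folder, keeping copies
    # of the inherited entries so Administrators and SYSTEM are unchanged.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step (5): re-read the now explicit entries and drop every one for Users.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($UsersSid)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-UsersHasAccess {
    # Check: $true if any entry on the folder still names BUILTIN\Users.
    param([Parameter(Mandatory)][string]$Path)
    $entries = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $UsersSid
    }
    return [bool]$entries
}

Remove-UsersAccess -Path $AppFolder
Test-UsersHasAccess -Path $AppFolder
```

As the section notes, this only works on an NTFS partition; on FAT/FAT32 Get-Acl returns no usable DACL.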
Second, enable the "Don't run specified Windows applications" policy
Group Policy contains a policy named "Don't run specified Windows applications". By enabling it and adding the relevant applications you can stop users from running them. The procedure is: (1) From Start > Run, execute gpedit.msc to start the Group Policy editor, or run mmc to start a console and add the Group Policy snap-in to it. (2) Expand Local Computer Policy > User Configuration > Administrative Templates, click System, double-click "Don't run specified Windows applications" in the right pane, select Enabled and click Show. (3) Click Add, enter the file name of the application that must not run, for example cmd.exe for the Command Prompt, and click OK; the name is now on the list of disallowed applications. (4) Click OK to return to the Group Policy editor and click OK again to finish. When a user tries to run an application on the list, the system displays a message. Copying a listed application to another folder or partition does not help; it still cannot be run. To let a restricted program run again, set the "Don't run specified Windows applications" policy to Not Configured or Disabled, or remove the application from the list (the list must not be left empty by the deletion). This method only stops the user from starting the program from Windows Explorer; a program started by a system procedure or by another process is not blocked. Its scope is all users, not just restricted users, and even accounts in the Administrators group are restricted, which causes the administrator some inconvenience.
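What the policy writes, and how to audit it, as an added example that is not part of the original article. The registry location is the documented one for this policy; the program names are a constructed list, and the script assumes Windows PowerShell is installed.

```powershell
# Added example, not the article's own code. Writes and reads the per-user
# setting behind the "Don't run specified Windows applications" policy.
# Written here for the current user only; the Group Policy editor applies the
# same values to every account that logs on, which is why admins are hit too.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = "$PolicyKey\DisallowRun"

function Set-DisallowRunList {
    param([Parameter(Mandatory)][string[]]$Programs)
    New-Item -Path $ListKey -Force | Out-Null
    # Replace any earlier numbered entries so the list equals $Programs.
    foreach ($name in (Get-Item $ListKey).Property) {
        Remove-ItemProperty -Path $ListKey -Name $name
    }
    $n = 0
    foreach ($exe in $Programs) {
        $n++
        # Each entry is a string value named "1", "2", ... holding the file name
        # (matched by name only, so a copy under another folder is also blocked).
        New-ItemProperty -Path $ListKey -Name $n -Value $exe -PropertyType String -Force | Out-Null
    }
    # DisallowRun=1 on the parent key turns the policy on (0 turns it off again).
    New-ItemProperty -Path $PolicyKey -Name DisallowRun -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-DisallowRunList {
    # Audit helper: returns the blocked names in list order, or nothing if unset.
    if (-not (Test-Path $ListKey)) { return }
    $key = Get-Item $ListKey
    $key.Property | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
}

# Explorer checks this list only when it launches a program, so cmd.exe is
# included; a program started by another process is not checked.
# Leave gpedit.msc off the list or the policy can no longer be edited.
Set-DisallowRunList -Programs @('cmd.exe', 'notepad.exe')
Get-DisallowRunList
```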
When an administrator needs to run an application that is on the list, the application has to be removed from the list in the Group Policy editor first and added back once the work is done. Note that you must never add the Group Policy editor (gpedit.msc) itself to the list; otherwise the policy locks itself, the Group Policy editor can no longer be started, and the policy cannot be changed. Tip: if the Command Prompt is not on the list, a user can start a blocked program from the Command Prompt by typing its command. For example, add Notepad (notepad.exe) to the list: starting it from the XP desktop is blocked, but typing notepad at the Command Prompt starts Notepad without any trouble. So, to block a program completely, add cmd.exe to the list first.
Third, set up Software Restriction Policies
Software Restriction Policies are part of the Local Security Policy. The administrator uses them to identify programs, divide them into trusted and untrusted, and control whether they run by assigning the corresponding security level. This measure is very effective for controlling unknown and untrusted code. A software restriction policy restricts programs with two kinds of settings: security levels and additional rules. There are two security levels, Disallowed and Unrestricted: Disallowed prevents the program from running regardless of the user's permissions, while Unrestricted lets the logged-on user run the program with the permissions that user has. Additional rules are how the administrator identifies one file or program, or a batch of them, and gives them the Disallowed or Unrestricted level. Four types of rules can be created, listed here in order of priority: hash rules, certificate rules, path rules and Internet zone rules; they decide the level a file or program is granted.
Setting up Software Restriction Policies
1. Opening Software Restriction Policies. Besides being part of the Local Security Policy, Software Restriction Policies are also contained in Group Policy, and you must be logged on as Administrator or as a member of the Administrators group. There are two ways to reach them: (1) From Start > Run, execute secpol.msc to start the Local Security Settings editor; Software Restriction Policies appears under Security Settings. (2) From Start > Run, execute gpedit.msc to start the Group Policy editor; Software Restriction Policies is under Computer Configuration > Windows Settings > Security Settings.
2. Creating a new policy. When Software Restriction Policies is opened for the first time the item is empty; the policy has to be created by the administrator.
To do so, click Software Restriction Policies to select it, then click New Software Restriction Policies on the editor's Action menu. Security Levels, Additional Rules and three properties then appear, as shown in Figure 2. Once the new policy has been created, the operation cannot be performed again and the policy cannot be deleted.
Figure 2 New Software Restriction Policies
3. Setting the default security level. For a newly created policy the default security level is Unrestricted. To change it, use the Security Levels item: (1) Open Security Levels; the right pane shows the two levels, and the one marked with a check mark is the current default. (2) Right-click the level that is not the default and select Set as Default. When Disallowed becomes the default, the system displays a warning dialog; click OK. Alternatively, double-click the non-default level and click Set as Default in its properties window.
4. Setting the scope of the policy and whom it applies to. The Enforcement property decides whether the policy covers library files and whether it covers administrator accounts. Normally, to avoid unnecessary problems on the system and to make it easier to manage, the policy should cover all software files except library files, and apply to all users except local administrators. Proceed as follows: (1) Click Software Restriction Policies and double-click the Enforcement property in the right pane. (2) Select "All software files except libraries (such as DLLs)" and "All users except local administrators", then click OK.
5. Defining rules. Security levels alone clearly cannot control individual files and programs; the files and programs to be blocked or allowed must be identified with well-chosen rules, which then give flexible control over them. As mentioned above, there are four types of rules: hash rules, certificate rules, path rules and Internet zone rules.
The way each type identifies files, and how the rule is set up, is as follows. Hash rules: a hash is a fixed-length series of bytes computed with a hash algorithm that uniquely identifies a file. Once a hash rule has been created, whenever a user accesses or runs the file the software restriction policy allows or blocks it according to the file's hash and the rule's security level. If the file is moved or renamed, the policy still applies to it. The procedure is: (1) Click Additional Rules under Software Restriction Policies, right-click it or right-click the blank area of the right pane, and select New Hash Rule. (2) Click Browse and select the file or program to be identified, for example cmd.exe, then confirm; the computed hash appears in the File hash box. Under Security level choose Disallowed or Unrestricted, as shown in Figure 3. Click OK, and the new hash rule appears under Additional Rules.
Figure 3 Creating a new hash rule
Certificate rules: these use the signing certificate associated with a file or program. The certificate a certificate rule requires may be self-signed, issued by a certification authority (CA), or issued by the Windows 2000 public key infrastructure. Certificate rules do not apply to EXE and DLL files; they are mainly used for scripts and Windows Installer packages. When a file is identified by its signing certificate, the software restriction policy decides whether it may run according to the level assigned to the file. Moving or renaming the file does not affect the certificate rule. When creating a certificate rule you need access to the certificate file used to identify the file, which has the extension .cer. It is created in the same way as a hash rule. Path rules: these identify a file by its path or the program's path, which can be a specific file, a class of files expressed with wildcards, or all files in a certain folder and its subfolders. Because identification is by path, a path rule stops working when the file is moved or renamed. Among path rules, priority depends on how broad the path is: the broader the range, the lower the priority. From high to low, the usual order is a specific file first, then a class of files in a folder expressed with a wildcard, then a folder path, with a top-level folder path last. It is created in the same way as a hash rule. Internet zone rules: these identify software by the Internet Explorer zone it is downloaded from. The zones are Internet, Local intranet, Local computer, Restricted sites and Trusted sites. This rule mainly applies to Windows Installer packages. It is created in the same way as a hash rule.
6. Maintaining the file types of executable code. Whatever the rule, it only affects the file types listed in the Designated File Types property, and these types are shared by all rules.
In some cases the administrator may need to remove or add file types so that the rules stop or start applying to such files, which means maintaining the Designated File Types property. The procedure is: (1) Click Software Restriction Policies and double-click the Designated File Types property in the right pane. (2) To add a file type, enter the extension in the "File extension" box and click Add; to delete a file type, select it in the list and click Remove. See Figure 4.
Figure 4 Designated File Types
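A way to read back what steps 2 through 6 configured, as an added example that is not part of the original article. The registry key and value names are the documented storage the policy editor writes; the level and flag decodings are assumptions based on that storage, and Windows PowerShell is assumed to be installed.

```powershell
# Added example, not the article's own code. Reads the Software Restriction
# Policy settings of steps 2-6 back from the registry and decodes them.
$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    # Returns $null when no policy has been created yet (step 2 not done).
    if (-not (Test-Path $Safer)) { return $null }
    $p = Get-ItemProperty -Path $Safer
    $default = if ($null -ne $p.DefaultLevel) { $Levels[[int]$p.DefaultLevel] } else { 'not set' }   # step 3
    $enforce = if ($p.TransparentEnabled -eq 2) { 'all software files' } else { 'all except libraries (DLLs)' }   # step 4
    $scope   = if ($p.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }
    [pscustomobject]@{
        DefaultLevel = $default
        Enforcement  = $enforce
        AppliesTo    = $scope
        FileTypes    = ($p.ExecutableTypes -join ', ')   # step 6, Designated File Types
    }
}

function Get-SrpRules {
    # Lists hash, path and zone rules (step 5) stored under each level's key.
    # Certificate rules live in the certificate stores and are not read here.
    foreach ($lvl in $Levels.Keys) {
        foreach ($kind in 'Hashes', 'Paths', 'UrlZones') {
            $base = "$Safer\$lvl\$kind"
            if (-not (Test-Path $base)) { continue }
            foreach ($rule in Get-ChildItem -Path $base) {
                $v = Get-ItemProperty -Path $rule.PSPath
                $target = switch ($kind) {
                    'Hashes'   { $hex = ($v.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''; "$($v.FriendlyName) ($($v.ItemSize) bytes, hash $hex)" }
                    'Paths'    { $v.ItemData }
                    'UrlZones' { "zone id $($v.ItemData)" }
                }
                [pscustomobject]@{ Level = $Levels[$lvl]; Rule = $kind; Target = $target; Description = $v.Description }
            }
        }
    }
}

Get-SrpSummary
Get-SrpRules | Format-Table -AutoSize
```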
7. Using rules to control programs flexibly. The rules are evaluated in priority order from high to low: hash rules, certificate rules, path rules, Internet zone rules. If more than one rule applies to the same program, the security level set by the highest-priority rule decides whether the program can run. If more than one rule of the same type applies to the same program, the most restrictive of them takes effect. This gives us a way to control programs flexibly. A single rule is sweeping in effect and also restricts the parts we actually need; combining rules produces an effect such as "everything other than what we need (or do not want) is disallowed (or unrestricted)", which may be the security level we really need. Tip: for a software restriction policy to take effect you must log off and log on again. If a program has a rule with the Unrestricted level in the software restriction policy but is also included in the "Don't run specified Windows applications" policy, the program is still not allowed to run in the end. To lift the restriction on a program, delete the relevant rule: in the list under Additional Rules, right-click the rule to be deleted and select Delete.
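A model of the precedence described in step 7, as an added example that is not part of the original article. The rules and the file are constructed inputs, not a real policy; the measure of how "broad" a path pattern is (the number of literal characters it contains) is an assumed simplification of the ordering the path-rule paragraph gives.

```powershell
# Added example, not the article's own code: how SRP chooses the effective
# level for one file when several rules match, in the order this section gives.
$TypeRank = @{ Hash = 1; Certificate = 2; Path = 3; Zone = 4 }   # 1 = highest priority

function Resolve-SrpLevel {
    param([hashtable]$File, [hashtable[]]$Rules, [string]$DefaultLevel = 'Unrestricted')
    $hits = foreach ($r in $Rules) {
        $match = switch ($r.Type) {
            'Hash'        { $r.Match -eq $File.Hash }      # survives move/rename
            'Certificate' { $r.Match -eq $File.Signer }
            'Path'        { $File.Path -like $r.Match }    # wildcards allowed
            'Zone'        { $r.Match -eq $File.Zone }
        }
        if ($match) { $r }
    }
    if (@($hits).Count -eq 0) { return $DefaultLevel }    # step 3's default applies
    # 1. the highest-priority rule type wins; 2. among path rules the narrower
    # pattern (more literal characters) wins; 3. otherwise Disallowed wins.
    $best = $hits | Sort-Object `
        @{ e = { $TypeRank[$_.Type] } },
        @{ e = { if ($_.Type -eq 'Path') { 0 - ($_.Match -replace '[*?]', '').Length } else { 0 } } },
        @{ e = { if ($_.Level -eq 'Disallowed') { 0 } else { 1 } } } |
        Select-Object -First 1
    return $best.Level
}

# Constructed rules and file (the hash values are made up for the example).
$rules = @(
    @{ Type = 'Path'; Match = 'C:\Program Files\*';           Level = 'Unrestricted' },
    @{ Type = 'Path'; Match = 'C:\Program Files\Tools\*.exe'; Level = 'Disallowed' },
    @{ Type = 'Hash'; Match = 'ab12';                         Level = 'Unrestricted' }
)
$tool = @{ Path = 'C:\Program Files\Tools\x.exe'; Hash = 'ff00' }
# Case 1: only the two path rules match, so the path-specificity tie-break decides.
Resolve-SrpLevel -File $tool -Rules $rules
# Case 2: the file's hash now matches the hash rule, which ranks above any path rule.
$tool.Hash = 'ab12'
Resolve-SrpLevel -File $tool -Rules $rules
```

The tip in this step still applies on top of this model: a program that resolves to Unrestricted here is nevertheless blocked if it is also on the "Don't run specified Windows applications" list.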