The optimization method for Windows 7 is also endless, users are often patchwork, no clue, and these methods are more difficult to distinguish, and the effect is not known. In fact, using Win7's system group policy function, you can achieve Win7 system optimization. This article explains how to use Group Policy to make Win7 more secure.
Note: The Group Policy feature is only available in Win7 Professional, Ultimate and Enterprise editions.
File confidentiality Put on the invisibility of the drive
Drives mainly include hard drives, optical drives and mobile devices, mainly for storing data. Therefore, limiting the use of the drive can effectively prevent the leakage of important and confidential information, and it is necessary to block the invasion of viruses and Trojans. Different drivers have different limiting methods, and the same drive has different levels of restrictions. Just say hard disk, there are generally two levels of hidden and forbidden access. The hidden level is relatively primitive, just to make the drive invisible, generally used to protect children and primary users, and access is prohibited to completely block access to the drive. For mobile devices, you can choose to set read, write, and execute permissions, but viruses and Trojans are typically spread by executing malicious programs, so disabling execution permissions is most effective.
Primary defense Ordinary users can't see
There are some important files on the hard disk of the home computer. I don't want others to see it. The easiest way is to hide the drive where the file is located. Click “Start”, enter “gpedit.msc” in the search box, and then open the Group Policy Editor, expand “User Configuration & Rarr;Administrative Templates & Rarr;Windows Components & Rarr;Windows Explorer&rdquo ;, in the settings window on the right, go to "Hide & lsquo; My Computer & rsquo; these specified drives", select "Enabled", select the drive you want to hide in the drop-down list below, and then OK. Go to “computer”, the drive icon you just selected is gone.
Tip: This method just hides the drive icon, users can still use other methods to access the contents of the drive, such as typing the directory path on the drive directly in the address bar. In addition, this setting does not prevent users from accessing these drives or their contents using the program.
Advanced Defense Privilege users can use
The system disk has important system files, and can't be modified or moved by others. In particular, when some partitions have important files, if you just hide the drive, others can still access it. Of course, this is not the case! The safest way is to protect the relevant drive and prohibit access by unauthorized users.
Similarly, in the Group Policy Manager, expand “ User Configuration & Rarr; Administrative Templates & Rarr; Windows Components & Rarr; Windows Resource Manager & rdquo; Prevent & ldquo; Prevent & lsquo; My Computer & rsquo; Access Drive & rdquo; , select “Enabled”, select the drive you want to disable in the drop-down list below, and it will take effect after confirmation (as shown in Figure 1). When someone wants to access the relevant drive again, the "Restrictions" window will appear! When you need to view it, just change the relevant policy settings from “enabled” to “not configured”
Tip: How to prevent others from using Group Policy editing? It is very simple, by creating users with different permissions, let others use the ordinary User type of account (without permission to open the Group Policy Editor).
Disabling mobile device execution permissions Broken Trojans
Mobile devices (such as flash memory, mobile hard drives, etc.) have become standard devices for many users and are the most widely used. Because of this, it has also become the main route for the spread of viruses and Trojans. Ordinary restrictions on read and write permissions do not prevent viruses and Trojans from invading, because virus propagation is achieved by executing viruses and Trojans, so disabling execution permissions can cut off the virus transmission path.
. The executable on the mobile device will not be executed and the computer will no longer be infected by the virus. And if you need to perform, just copy to the hard disk.
Internet surfing to wear a cloth shirt for the browser
One of the most important uses of the computer is to go online, but to be honest, the Internet is not at all worry-free, viruses, Trojans and rogue software are rampant, even a lot of big The website will be hung up, and the users are really hard to defend. And a lot of malware will tamper with the browser homepage or other settings of the browser. Once you open the browser, it will pop up a messy page or even a Trojan website, which will make users complain! In addition, some users use the browser to download files without any problems. Regularity often leads to file confusion, and it is difficult to remove virus files once they are downloaded. So how to enhance the browser's "immunity" is particularly important.
Locking the home page
The home page being tampered with is the most common, and with Group Policy Locking, you can completely solve this problem. Not only will it not pop up a messy page, but it will also reduce the chance of poisoning and trojan again. Expand “User Configuration →Administrative Templates→Windows Components→Internet Explorer",Enter“Disable Change Home Page Settings>, select “Enabled”,“Options Enter the default home page below, after confirming The settings take effect (as shown in Figure 2).
Tip: When this policy setting is enabled, users will not be able to set the default home page, so if necessary, the user must specify a default home page before modifying the settings.
Ice IE Settings
As mentioned above, once the system is poisoned or has a Trojan, the IE homepage will be tampered with, and other IE settings may be tampered with. Therefore, it is very necessary to add a protective cover to the IE. In particular, once the IE settings are set, they may not change for a long time, so it is better to freeze them completely!
Expanding “User Configuration & Rarr;Management Templates & Rarr;Windows Components & Rarr;Internet Explorer→Internet Control Panel”, In the right pane, there is “Disable advanced page”, “Disable connection page”, “Disable content page”, “Disable regular page”, “Disable privacy page”, “Disable program page” & rdquo ; and “ disable security page & rdquo;, respectively correspond to the seven tabs in the IE "Internet Options" (as shown in Figure 3). If all are enabled, opening the "Internet Options" will bring up the "limit" error dialog box, which completely eliminates the changes to the IE browser settings.
Tip: Starting & ldquo;Disabling regular pages> will remove the “General” tab in <;Internet Options". If this policy is enabled, users cannot view and change the settings for the home page, cache, history, page appearance, and accessibility. Because this policy removes the "General" tab, if you set this policy, you don't need to set the following Internet Explorer policy ——“Disable change home page settings",“disable change Internet temporary file settings”, “Disable change history settings",“disable change color settings",“disable change link color settings",“disable change font settings",“disable change language settings” and “disable Change accessibility settings”.
Permission management to match the system with eye-catching eyes
Some of the software is really flowing now, for example, many softwares are famous for their convenience, but they will be maliciously bundled in the process of software packaging or greening or some web pages will be Pack it in. The method is generally low-level, and it is implemented by batch files and manual injection of registry information, so we can use Group Policy to prohibit some dangerous types of files from running. In addition, in some public places (such as offices), many software is not allowed (such as chat software, etc.), then managers can also use Group Policy to achieve effective management.
Disallow dangerous files from running
Some types of files (such as “.reg” registry files and “.bat” batch files) are rarely used by users, and are easily infected by viruses or Trojans. Utilize, so prohibiting the operation of these types of files can guarantee the security of the computer to a certain extent.
Expanding “Computer Configuration →Windows Settings & Rarr;Security Settings & Rarr; Software Restriction Policy" , <;Other Rules", "Force", “specified file types” and “trusted publishers” five items. Go to the Properties window of the specified file type & rdquo;, leaving only the file types that need to be forbidden, such as “bat batch file”, to delete all other file types. If the type is not in the list, just enter the file type you want to disable in the <;file extension" text box below, and add it. Go to “security level →not allowed", click the “set as default” button, this policy will take effect. When you run any batch file again, it will be blocked.
Disabling the program I also know you when I put on the vest. In addition, many companies do not allow chat software. Take QQ as an example. If you uninstall QQ directly, the user may install it again or install the software to another location. At this point, you can use Group Policy to easily get it.
In turn, expand “Computer Configuration →Windows Settings & Rarr; Security Settings & Rarr; Software Restriction Policy & Rarr; Other Rules " Click “Browse”Select QQ executable file“QQ.exe”,“File information” The first line below is the generated hash value. This value is unique. The basic information of the file will also be displayed below. , “Security Level"Select “not allowed”. After confirming and logging out, log in again and the settings will take effect.
Tip: The advantage of using hash rules is that no matter the program is renamed or moved or any other operation, as long as the hash value is verified, the restriction will not expire! Therefore, some software can be effectively restricted. Running.