Group Policy Tips: Protection of Computer Shared Directory Security Tips

In daily office applications, for convenience, we are used to sharing some documents and directories on our computer for others to call. However, the security of shared directories is often difficult to secure, and some illegal users may access or even destroy our shared files. In this case, Group Policy comes in handy.

One, prohibit sharing of blank passwords

Windows default state allows remote users to use a null user connection to obtain a list of shared resources and all account names of a computer on the network. The openness of this function makes it easy for illegal users to use a blank password or violent deciphering to obtain a shared password, thereby achieving the purpose of invading the shared directory.

For this situation, we can first turn off the SAM account and shared anonymous enumeration. Open the “Run” window in the Start menu and type "gpedit.msc" to open the Group Policy Editor. On the left side, find the "Computer Configuration" & —“Windows Settings”—“Security Settings ”—“Local Policies”—“Security Options", double-click on the right side of the "Network Access: Do not allow SAM account and shared anonymous enumeration" items, select in the pop-up window “ The ” option is enabled, and finally click the “OK" button to save the settings. After such a setting, illegal users cannot directly obtain shared information and account lists.
Figure 1 Figure 2

Second, prohibit unauthorized access

In order to meet the principle of minimum permissions, we can impose strict restrictions on accounts accessed by the network. In the Group Policy Editor that opens, select “Computer Configuration”—“Windows Settings”—“Security Settings”—“Local Policies”—“User Rights Assignment” Double-click "Access this computer from the network" on the right side, then add some accounts that must be accessed using the network, and delete accounts such as Everyone, Guest, and so on. Then turn on “ refusal to access this computer from the network & rdquo;, the same reason, only add the authorized account that needs to access the shared directory, delete all other users. When the two strategies work simultaneously, the former replaces the latter.
Figure 3 Figure 4

Three, prohibit anonymous SID/name conversion

In the previous we have prohibited illegal users from directly obtaining the account list, but illegal users can still use the SID of the administrator account to get the default The real name of the administrator. In this regard, we need to open “computer configuration"—“Windows settings"—“security settings”—“local policy"—“security options" Modify <;Web Access: Allow anonymous SID/name conversion" to “deactivated”. However, this may cause problems for users of lower versions on the network when accessing shared resources. Therefore, this configuration should be used with caution when there are multiple versions of the system on the network.
Figure 5
Figure 6

Conclusion: Sharing the catalog makes it easier for us to apply the computer and improve our work efficiency. With these uncomplicated measures, the potential danger will be greatly reduced.

Pre-reading: How to use group strategy. Play computer group strategy skills