How to open "Windows Local Security Policy" ah? A: "Search” type “secpol.msc” and press Enter. How to prevent hackers or malicious programs from hacking my system password? A: As we all know, brute force cracking Windows passwords is essentially realized by exhaustive algorithms, especially for systems with too simple passwords. The method of brute force is still quite practical. One thing that needs our attention is that the key to this problem is whether Windows allows remote clients or malicious programs to exhaust the username and password. If not allowed, it is a dead end for malicious programs to attempt to obtain administrator privileges through enumeration. So how is it not allowed? See the picture below: After ensuring that the selected line is in the “enabled” setting, this road is basically blocked. If you don't worry, you can also put the following line “Allow no SAM account and shared anonymous. The enumeration & rdquo; is also set to “ Enabled & rdquo; status. In addition, will be "local policy" & rdquo; & mdash; & mdash; & ldquo; security options & rdquo; & ldquo; network access: anonymous access can be shared & rdquo; & nbsp; network access: remote access registry path & rdquo;, & ldquo ; network access: remote access to the registry path and sub-paths, & rdquo; network access: anonymous access to the named pipe & rdquo; these four items contain all the values removed, can further enhance the security of the system. Is the firewall that comes with Windows easy to use? A: A considerable number of friends have ignored the Windows firewall that they have chosen when they choose a wide range of third-party firewall products. They have never even opened it. “Windows Firewall” is a sub-function of the local security policy. I personally think that as long as you are skilled in configuring this function, its ease of use and security are superior for personal applications and even enterprise needs. There are two ways to enter: 1. Enter the program interface as shown in the address bar of the following figure: Then click on the left side “Advanced Settings” appears as follows: After entering this method, you can browse existing rules and create new rules. 2. Enter the program interface directly in the “Local Security Policy”: The right side is blank, and the existing rules are not listed, but new rules can be created. For example, Adobe Photoshop CS is prohibited from accessing the network. Right click on the blank space or click on the “New Rule” button in the right column and select the first item in the “New Outbound Rule Wizard” dialog box. The rules of the program connection), the next step is to select the path where photoshop is located, as shown below: Next select “Block the connection”, and then you will be asked “When to apply the rule”, you can check according to actual needs. By default, "Domain, Private, Public" is selected. As shown below: After you give it a name (arbitrary), the rules are created, and Photoshop.exe can't access the network anymore. In addition, you can create more advanced rules in the "Connection Security Rules", as shown below: This interface does not know, the function is so powerful, basically the requirements you think of and can not be expected, here are all implemented, such as blockade Any IP or IP segment that you are not comfortable with, close the ping, or specify the operation rights of any port, program name or service name, etc., the ease of use and reliability is not inferior to any third-party firewall. Can I disable a program from running through a security policy? A: The answer is yes. Not only can it prevent a program from being renamed, changed its path, changed its suffix, and then re-runs the shell. This function is called “AppLocker”, which is more than prohibiting a program from running in Group Policy. Strict and more powerful. The program interface is as shown below: Right click on the left side "Executable rules" “——“Create new rules", in the wizard interface that appears, not only can limit user groups (such as Guest account), but also For various qualifications, as shown below: If you select "Publisher", then the disabled program, and all its upgrades and revisions will not work (this condition can be further detailed), such as QQ , Thunder, cool dogs, etc., their official and customized versions can not run, very smart. This feature can also be applied to quarantine virus operations. If there are viruses or Trojans that cannot be cleaned up in the system, no matter whether the infected person is a program, a script, a dynamic link library, or a batch process, it can no longer be done. From this point of view, the current mainstream anti-virus software, in the virus isolation function is generally not detailed. The remaining two are completely easy to understand by literal meaning, especially the third item “File Hash”, which is quite practical. This function can also be used in conjunction with the “software restriction policy”, as shown in the figure below: (If the content shown on the right does not appear, right-click on the left sidebar to create a software restriction policy) In addition, access audit through the global object access ” can also limit access to the entire or partial registry or even the file system of each group, as shown below: When you break through the iron shoes to find third-party software for this function on the Internet, should you first turn over Windows What about the family? Ha ha. If you have a good understanding of PowerShell, you can further simplify the creation and management of AppLocker rules, but the details are not detailed. Finally, add two more questions about the “local security policy” failure: 1. How can I not access the local security policy? A: This problem is usually displayed as “Create Management Unit Failed” or CLSID: {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}. The reason for this is more common when some software replaces or deletes part of the data during installation or uninstallation. The solution is to first ensure that your environment variable path contains: "%systemroot%\\system32;%systemroot%;%systemroot%system32\\wbem”, if not, add it yourself. Then in the registry, locate HKEY_CURRENT_USER——Software——Policies——Microsoft——MMC, assign a value of 0 to RestrictToPermittedSnapins, as shown below: 2. How can I set my IP security policy? A: Make sure the IPsec Policy Agent service is enabled.