Protect your system with a "local security policy"

        The "Local Security Policy" that comes with Windows XP is a very good system security management tool. Using it can make our system more secure.

First, we'll look at how to start it, "local security policy." After you click Control Panel, Administrative Tools, Local Security Policy, you will be taken to the main interface of Local Security Policy. Here you can set various security policies through the commands on the menu bar, and you can select the viewing mode, export list and import policy.

Next we explore the magical "Local Security Policy".

Prohibit enumeration of accounts

We know that some worms with hacking can scan the designated port of Windows 2000/XP system and then guess the administrator system password through the shared session. Therefore, we need disabled by setting the "Local Security Policy" in the enumeration of the account, so resist these intrusions, the steps are as follows:





in the "Local In the Security Settings directory tree on the left side of the Security Policy, expand Local Policies Security Options layer by layer. View the list of related policies on the right, find "Network Access: Do not allow anonymous enumeration of SAM accounts and shares" (Figure 1), right-click, select "Properties" in the pop-up menu, and then pop up a Dialog box, activate the "Enabled" option here, and finally click the "Apply" button to make the settings take effect.

Account Management

In order to prevent intruders from exploiting the vulnerability to log in to the machine, we need to set the name of the system administrator account and disable the guest account. The setting method is as follows: In the “Local Policy” “Security Options” branch, find the “Account: Guest Account Status” policy, click “Property” in the pop-up menu, and then set its status to “Yes” in the pop-up Properties dialog box. Deactivate" and finally "OK" to exit.

Next, we will review the "Account: Rename System Administrator Account" policy, call up its properties dialog box, and customize the account name in the text box (Figure 2).


Assign local user rights

If you are a system administrator, you can assign specific rights to a group account or a single user account. In Security Settings, navigate to Local Policies User Rights Assignment, and then in the Settings view on the right, you can make security settings for each of the policies under it (Figure 3).
For example, if you want to allow a user to take ownership of any available objects in the system: including registry keys, processes and threads, and NTFS file and folder objects (the default setting for this policy is only administrators). First, you should find the "Get ownership of files or other objects" policy in the list, right-click with the mouse, select "Properties" in the pop-up menu, click the "Add User or Group" button here, enter the object name in the pop-up dialog box. And confirm the operation.

Using IP Strategy

We know that no matter which kind of hacking program, most of them are through the port as a channel.

Therefore, we need to close those ports could become invaded channels. You can check the relevant dangerous port information online to make it ready. Below we use the 23 port of Telnet as an example to illustrate (the author's operating system is Windows XP).

First click "Run" in the box, enter "mmc" and press Enter to bring up the console window. We select “File” “Add/Remove Snap-in” “Click “Add” in the separate tab bar” “IP Security Policy Management” and finally follow the prompts. At this time, we have added the "IP security policy, on the local computer" (hereinafter referred to as "IP security policy") to the "console root node" (Figure 4). Now double-click on "IP Security Policy" to create a new management rule. Right-click "IP Security Policy", select "Create IP Security Policy" from the shortcut menu that pops up, open the IP Security Policy Wizard, click "Next" "Name defaults to 'New IP Security Policy'" "Next" "No Select 'Activate default response rule'. Note: When clicking “Next, you need to confirm that “Edit Attribute” is selected at this time, then select “Complete, the “New IP Security Policy Attribute” window appears (Figure 5), select "Add" and then click "Next" without having to select the "Use Add Wizard" option.


source address in the address bar should select "Any IP Address", target address select "My IP address" (do not have to select the image). In the Protocol tab, note that the type should be TCP, and set the IP protocol port from any port to this port 23, and finally click "OK". A "New IP Filter" will appear in the "IP Filter List", select it, switch to the "Filter Actions" tab, click "Add", "Name defaults to 'New Filter Action'" Add "Block" "Complete".

The new policy needs to be activated to work. The specific method is: right click on the "new IP security policy" and select "assign" the strategy just created.

Now, when we telnet from another computer to the fortified one, the system will report the login failure; scanning the machine with the scanning tool will find that port 23 is still providing services. In the same way, you can block any other suspicious ports, and let the uninvited guests scream "not good".

Strengthen password security

In "Security Settings", first locate in "Account Policy" "Password Policy", in the setting view on the right side, you can make corresponding settings as appropriate Make our system password relatively safe and not easy to crack. An important means of anti-hacking is to update the password regularly. You can set the following settings according to this: right click on the "last password retention period", select "Properties" in the pop-up menu, in the pop-up dialog box, everyone can Defines how long a password can be used (limited to between 1 and 999).

In addition, through Local Security Settings, you can also track user accounts, login attempts, system shutdowns or restarts, and similar events for accessing files or other objects by setting Audit Object Access. Security settings like this are not the same. In practical applications, people will gradually find that "local security settings" is indeed an indispensable system security tool.