Safety Tip: Using Group Policy to protect shared directories – network security
In everyday office work, for convenience we often share some of the documents and directories on our computers so that others can access them.
But shared folders are often not closed again after use, so people with ulterior motives may damage our shared files. In this case, we can use Group Policy to protect the shared content.
1, prohibit blank passwords on shares
By default, Windows allows remote users to connect to a computer over an empty (anonymous) connection and list its shared resources and all of its account names. With this feature open, it is easy for unauthorized users to brute-force passwords, blank or otherwise, and intrude into the shared directory.
In this case, we can first turn off anonymous enumeration of SAM accounts and shares. Open the "Run" window from the Start menu and enter "gpedit.msc" to open the Group Policy Editor. On the left, go to "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Security Options", double-click the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" entry on the right, select the "Enabled" option in the popup window, and finally click the "OK" button to save the setting. After this, unauthorized users can no longer directly obtain the share information or the list of accounts.
2, prohibit anonymous SID/Name translation
Above we stopped unauthorized users from directly obtaining the account list, but such users can still use the administrator account's SID to obtain the real name of the default administrator account. To prevent this, open "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Security Options" in Group Policy and set "Network access: Allow anonymous SID/Name translation" to "Disabled". However, doing so may cause problems for users of older Windows versions on the network when they access shared resources. Therefore, use this setting with caution on networks that run several versions of the system.
3, modify the objects that can be accessed anonymously
From both a security and a practical point of view, many of the Windows XP default settings for anonymous network access do not meet users' needs. These include the shares, named pipes and registry paths that can be accessed anonymously.
To change them, enter the Group Policy Editor, select "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Security Options" and double-click "Network access: Shares that can be accessed anonymously". In the window that opens, delete all the items, then, according to actual needs, add back only the folders that really must be accessible to all users over the long term. Note that when adding a shared folder, you must first set its NTFS permissions. When setting permissions, follow the principle of least privilege: do not grant an account extra permissions, and do not grant permissions to extra accounts.
Similarly, after modifying the shares that can be accessed anonymously, double-click "Network access: Named Pipes that can be accessed anonymously" and "Network access: Remotely accessible registry paths" and delete all unneeded items.
4, prohibit unauthorized access
In order to comply with the principle of least privilege, we can strictly control which accounts may access the computer over the network. In the Group Policy Editor, choose "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "User Rights Assignment" and double-click "Access this computer from the network" on the right. Add the accounts that need network access, then delete accounts such as Everyone and Guest. If the administrator does not need remote access, that account can be deleted as well, leaving only the accounts authorized to access the shared directory. Then open "Deny access to this computer from the network" and, by the same reasoning, add in only the accounts authorized to access the shared directory and delete the other users.
5, set the correct access mode
For shared file access, Windows XP offers two different modes, "Classic" and "Guest only". For ease of use, many people choose "Guest only" mode, so that everyone who logs on automatically uses the Guest account to access the shared directory. Everyone can then access it freely, and access to the shared resources cannot be controlled precisely.
Therefore, we suggest that in the "Security Options" list you double-click "Network access: Sharing and security model for local accounts" on the right and set it to "Classic - local users authenticate as themselves". Remember, though, that even in classic mode, where a visitor needs to know a local account name before gaining access, the share is still unsafe because many user accounts have no password, so you must set passwords to protect the local accounts.
6, prevent extension of Everyone group permissions
Many people think that an anonymous user's permissions are the same as the Everyone group's permissions. In fact this view is quite wrong. Some of the permissions of the two are the same, but they are not entirely consistent. By default, the Everyone group has more permissions than anonymous users. Windows XP, however, allows the "Everyone" group's permissions to be applied to anonymous users.
We need to prohibit this. Open "Security Options" in Group Policy, double-click "Network access: Let Everyone permissions apply to anonymous users" on the right and set it to "Disabled". Even with this set to "Disabled", we still do not recommend granting the Everyone group too many permissions directly, because that does not follow the principle of least privilege.
7, prohibit blank passwords outside interactive logon
This guards against the case where the administrator account has been left without a password, or where local accounts without passwords have been authorized for access. We can prohibit local accounts with blank passwords from accessing the shared directory, limiting them to interactive logon.
Under "Security Options", double-click "Accounts: Limit local account use of blank passwords to console logon only" and set it to "Enabled". Meanwhile, to prevent the administrator from setting a password that is too simple, also go to "Security Settings" in the Group Policy Editor, select "Account Policies" → "Password Policy" and then set the "password length
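An added example, not part of the original article: a Python check that reads a security template exported with `secedit /export /cfg` and reports which of the seven settings above are not in the state the article configures. The registry value names, the `audit` function and the embedded sample export are assumptions about how Windows stores these policies; the sample is constructed, not taken from a real host.

```python
import configparser

# Constructed sample in the layout written by `secedit /export /cfg` (not a real host).
SAMPLE_INF = r"""
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""

LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"
SRV = r"machine\system\currentcontrolset\services\lanmanserver\parameters" + "\\"
# Finding text (prefixed with the article's section number) -> (value, expected DWORD)
DWORD_CHECKS = {
    "1 anonymous enumeration of SAM accounts and shares allowed": (LSA + "restrictanonymous", 1),
    "5 sharing model is not Classic": (LSA + "forceguest", 0),
    "6 Everyone permissions apply to anonymous users": (LSA + "everyoneincludesanonymous", 0),
    "7 blank passwords usable beyond console logon": (LSA + "limitblankpassworduse", 1),
}

def audit(inf_text):
    """Return findings for settings that are missing or differ from the article's."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(inf_text)  # option names are lower-cased by configparser
    reg = dict(cp["Registry Values"]) if cp.has_section("Registry Values") else {}
    findings = []
    for label, (path, want) in DWORD_CHECKS.items():
        kind, _, data = reg.get(path, "").partition(",")
        if kind != "4" or int(data) != want:  # type 4 = REG_DWORD
            findings.append(label)
    if cp.get("System Access", "LSAAnonymousNameLookup", fallback="") != "0":
        findings.append("2 anonymous SID/Name translation allowed")
    for name in ("nullsessionshares", "nullsessionpipes"):  # type 7 = REG_MULTI_SZ
        entries = reg.get(SRV + name, "").partition(",")[2]
        findings += [f"3 {name} entry: {e}" for e in entries.split(",") if e]
    right = cp.get("Privilege Rights", "SeNetworkLogonRight", fallback="")
    for who in filter(None, (w.strip() for w in right.split(","))):
        if who in ("*S-1-1-0", "Everyone", "Guest") or who.endswith("-501"):
            findings.append("4 network logon right granted to " + who)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF)))
```

Real exports are normally UTF-16 encoded, so read the file with that encoding before passing its text to `audit`. Entries reported under section 3 are not necessarily wrong; they are the items the article says to review and keep only when really needed.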