Shulou(Shulou.com)06/03 Report--

Experimental environment: three original clean virtual machines

Built DC server: IP address: 172.19.11.1

Equip a client that has joined the domain: IP address: 172.19.11.5, DNS: 172.19.11.1.

The domain created on DC is 17w2.com

The purpose of the experiment is to prohibit the lisi of jishubu from accessing notepad and the zhangsan of renshibu from accessing drawing tools in the domain environment.

The steps of the experiment:

First configure DC to select Active Directory users and computers in the administrative tools at the beginning, where DC is configured. Right-click the domain to select a new organizational unit and create a new jishubu. (if the "prevent containers from being accidentally deleted" check box is checked when creating the organizational unit, then the OU cannot be deleted at will).

And create a user lisi under the technical department, and click next.

Enter your password in the box below. In order to prevent the user from entering a new password the next time you log in, you can choose to check the password that will never expire, and then click next.

Right-click the domain to select a new organizational unit, create a new renshibu, and create a new user zhangsan in the personnel department, as shown above.

After the creation is complete, at start-> Administrative tools-- > Open Group Policy Management, as shown in the following figure.

Right-click on the Group Policy object to create a new GOP named test, and click OK.

You can then hold down the left button and drag the GPO on the organizational unit jishubu, and the group policy will take effect on the corresponding object.

First, set up jishubu, right-click test and select Edit to enter the Group Policy Management Editor shown in the figure below.

8. Expand user configuration-- > policies-- > Windows Settings-- > Security Settings-- > Software restriction policies, and right-click on the software restriction policy to select the create Software restriction Policy command.

Then there will be two more items "Security level" and "other rules" below. Right-click "other rules" and you can choose to create different software restriction rules in 4 (the most commonly used are path rules and hash rules).

Jishubu We restrict the software by path rules. Enter the path C:\ Windows\ System32\ notepad.exe of the notepad program you want to restrict in the open dialog box, and the security level is set to "not allowed". Click OK.

Then log in to the client as jishubu employee lisi to verify, and a warning prompt appears when notepad is opened. Notepad was successfully banned.

Set up renshibu, right-click on the Group Policy object to create a new GOP named tes1t, and click OK.

You can then hold down the left button and drag the GPO on the organizational unit renshibu, and the group policy will take effect on the corresponding object.

Right-click test1, select Edit, then expand user configuration-- > policies-- > Windows Settings-- > Security Settings-- > Software restriction Policy, right-click on the software restriction policy and select the create Software restriction Policy command, and then there will be more Security levels and other rules below. Right-click other rules and select a new hash rule.

15. Click "Browse" to find the mspaint.exe to be disabled, the system will automatically generate its hash value, the security level is not allowed, click apply.

16. After the rule is set successfully, then on the client as renshibu employee zhangsan

Login authentication, and when you open the drawing tool, a warning appears, and the drawing tool is successfully disabled.

The experiment is over.

Matters needing attention in the experiment:

There is a delay in the execution of the policy, and the length of the delay is uncertain.

So the way to slow down the delay strategy: (1) enforce the policy (on the server side),

(2) refresh policy, execute gpudate/force.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.