2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Local policy, domain policy
I. Overview of local security policy
1. Local security policy: the local security policy controls the security settings of the local computer
2. How to open it:
Control Panel → Administrative Tools → Local Security Policy, or run the secpol.msc command
3. Classification of local security policies
Local security policy mainly includes: account policy and local policy.
4. Account policy
(1) Password policy
① Password must meet complexity requirements: the password must contain at least three of the following: uppercase English letters, lowercase English letters, numbers, and special symbols.
② Minimum password length: the range is 0 to 14; 0 means that no password is required.
③ Maximum password age: the default is 42 days. Setting it to 0 means that the password never expires. The value can be set between 0 and 999 days.
④ Minimum password age: 0 means the password can be changed at any time.
⑤ Enforce password history: recently used passwords cannot be reused. The range is 0-24. The default of 0 means that previously used passwords can be reused freely.
(2) Account lockout policy
① Account lockout threshold: the number of wrong passwords after which the user account is locked. The range is 0-999. The default value is 0, which means the account is never locked.
② Account lockout duration: how long after the account is locked it is unlocked automatically (in minutes). The range is 0-999999. 0 means it must be unlocked manually by the administrator.
③ Reset account lockout counter after: timing starts when the user enters a wrong password, and after this time the counter is reset to 0. This time must be less than or equal to the account lockout time. Note: the account lockout policy does not apply to local administrator accounts.
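The account-policy values above can be checked offline from a policy export. The following is an added example, not part of the original article: it assumes the input is the text of a file written by `secedit /export /cfg`, and the sample export and the function name are constructed for illustration.

```python
import configparser

# Constructed sample of the [System Access] section of a
# `secedit /export /cfg policy.inf` file (real exports are UTF-16 encoded).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 15
"""

# key -> (predicate on the value, effect as described in the text above)
RULES = {
    "MinimumPasswordLength": (lambda v: v == 0, "no password is required"),
    "PasswordComplexity": (lambda v: v == 0, "complexity requirements are off"),
    # Assumption: exports may write -1 where the GUI shows 0 (never expires).
    "MaximumPasswordAge": (lambda v: v <= 0, "passwords never expire"),
    "MinimumPasswordAge": (lambda v: v == 0, "password can be changed at any time"),
    "PasswordHistorySize": (lambda v: v == 0, "old passwords can be reused"),
    "LockoutBadCount": (lambda v: v == 0, "accounts are never locked"),
}

def audit_account_policy(inf_text):
    """Return {setting: finding} for the account-policy values in an export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        raise ValueError("no [System Access] section in export")
    values = {k: int(v) for k, v in cp["System Access"].items()
              if v.strip().lstrip("-").isdigit()}
    findings = {k: msg for k, (bad, msg) in RULES.items()
                if k in values and bad(values[k])}
    reset, duration = values.get("ResetLockoutCount"), values.get("LockoutDuration")
    # The reset window must be <= the lockout time (0 or less = manual unlock).
    if reset is not None and duration is not None and 0 < duration < reset:
        findings["ResetLockoutCount"] = "reset window exceeds lockout time"
    return findings

if __name__ == "__main__":
    for key, msg in audit_account_policy(SAMPLE_INF).items():
        print(f"{key}: {msg}")
```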
5. Local policy
(1) Audit policy
(2) User rights assignment
Common policies for user rights assignment:
① Shut down the system; ② Change the system time; ③ Deny log on locally and Allow log on locally (a computer acting as a server should not allow ordinary users to log on interactively: User Rights Assignment | double-click "Allow log on locally" and remove "Users")
(3) Security options
Common policies for security options
Message title and message text for users attempting to log on
Sharing and security model for network access to local accounts (Classic and Guest only)
Local accounts with blank passwords are limited to console logon only
Note: run gpupdate or restart the computer to make the local security policy take effect
gpupdate /force forces a policy refresh
II. Local group policy
1. Group Policy: a collection of policies
2. Group Policy: including computer configuration and user configuration
3. Run gpedit.msc to open the local group policy
4. Local group policy configuration:
(1) Disable the shutdown reason prompt in Windows Server 2012
Win + R → run gpedit.msc → Computer Configuration → Administrative Templates → System → "Display Shutdown Event Tracker" → select Disabled → OK
(2) Remove Shut Down, Restart, Sleep and Hibernate from the Start menu
Win + R → run gpedit.msc → User Configuration → Administrative Templates → Start Menu and Taskbar → double-click "Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands" on the right → select Enabled
(3) Remove the Security and Connections tabs from Internet Options in Internet Explorer
Win + R → run gpedit.msc → User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → double-click "Disable the Connections page" and "Disable the Security page" → select Enabled
(4) Hide Windows Firewall in the Control Panel
Win + R → run gpedit.msc → User Configuration → Administrative Templates → Control Panel → double-click "Hide specified Control Panel items" → select Enabled → Show → add Windows Firewall
III. Overview of domain group policy
1. The role of group policy
(1) Group Policy: a collection of policies (independent of a group)
(2) the role of group policy:
① System and program settings can be modified uniformly.
② It adjusts the desktop environment, security settings, automated scripts, and software distribution.
③ Group policies set for the entire domain affect the working environment of all member computers and domain users.
④ Group policies set on an OU affect the working environment of all computers and domain users under that OU.
⑤ It reduces the total cost of setting up user and computer environments, and makes it easier to implement the company's computer usage rules and security policies.
(3) advantages of group policy
① Reduced management costs: a policy only needs to be set once, and the corresponding computers or users apply it.
② Reduced chance of individual configuration errors.
③ Specific policies can be set for specific objects (users, computers).
(4) Group Policy object
① The specific settings of a group policy are saved in a GPO
A GPO is a special object in AD that stores all configuration information for a group policy
② Two default GPOs (Group Policy objects)
Default Domain Policy
Default Domain Controllers Policy
GPOs can only be linked to sites, domains, and OUs
(5) the Group Policy Editor contains:
Computer configuration-takes effect only for computers in the container.
User configuration-takes effect only for users in the container.
(6) simple application of group policy
① Prevent users from changing the desktop background
Control Panel → Administrative Tools → Local Security Policy → run the secpol.msc command → User Configuration → Administrative Templates → Control Panel → Personalization → double-click "Prevent changing desktop background" → Enabled → OK
Start → Run → gpupdate /force (force a policy refresh)
(7) Application rules of group policy
① Policy inheritance and blocking
A subordinate container can inherit the GPO settings of its parent container or block them from being applied
② Policy enforcement
Forces the subordinate container to apply the GPO settings of its parent container
Prevent changes to the home page: User Configuration → Administrative Templates → Windows Components → Internet Explorer → Disable changing home page settings.
③ Policy accumulation and conflict
Settings from multiple GPOs accumulate when they do not conflict; when they conflict, the one applied later takes effect.
④ Group Policy application order: LSDOU
- first, the local Group Policy object (Local)
- if there is a site Group Policy (Site), apply it
- then apply the domain Group Policy object (Domain)
- if the current computer or user belongs to an OU, apply it
- if the current computer or user belongs to a sub-OU, then apply it
Local Group Policy → Site → Domain → OU
If the OU conflicts with the child OU, the child OU takes effect.
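The application rules in (7) can be modelled in a few lines. This is an added example, not part of the original article: the container and GPO names and the setting keys are constructed, and the model assumes that the Local GPO is never blocked and that an enforced GPO is not affected by blocking.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict
    enforced: bool = False      # "Enforced" set on the GPO link

@dataclass
class Container:
    name: str                   # Local, Site, Domain, OU, child OU
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_policy(chain):
    """chain is ordered LSDOU: Local first, innermost OU last.
    Returns {setting: (value, name of the winning GPO)}."""
    # A container that blocks inheritance drops non-enforced GPOs linked above it.
    # Assumption of this model: the Local GPO (index 0) is never blocked.
    start = max([i for i, c in enumerate(chain) if c.block_inheritance], default=0)
    result = {}
    # Pass 1: non-enforced GPOs in LSDOU order; the later writer wins a conflict.
    for i, c in enumerate(chain):
        if 0 < i < start:
            continue
        for g in c.gpos:
            if not g.enforced:
                for k, v in g.settings.items():
                    result[k] = (v, g.name)
    # Pass 2: enforced GPOs, innermost first, so the outermost one is written last.
    for c in reversed(chain):
        for g in c.gpos:
            if g.enforced:
                for k, v in g.settings.items():
                    result[k] = (v, g.name)
    return result

def demo_chain(block=False):
    # Constructed hierarchy; every name and setting here is made up.
    return [
        Container("Local", [Gpo("LocalGPO", {"wallpaper_locked": False,
                                             "shutdown_tracker": True})]),
        Container("Domain", [Gpo("DomainBaseline", {"shutdown_tracker": False,
                                                    "homepage_locked": True}),
                             Gpo("DomainSec", {"hide_firewall_cpl": True}, enforced=True)]),
        Container("OU=Sales", [Gpo("SalesDesktop", {"wallpaper_locked": True})]),
        Container("OU=Kiosk", [Gpo("KioskGPO", {"hide_firewall_cpl": False,
                                                "shutdown_tracker": True})],
                  block_inheritance=block),
    ]
```

Calling `resultant_policy(demo_chain())` and `resultant_policy(demo_chain(block=True))` shows which GPO wins each setting with and without blocking on the child OU.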
4. Filter group policy settings
The purpose of filtering: to prevent users or computers in a container from applying their GPO settings
In the Group Policy Management console, click the specified GPO, select Delegation → Advanced → add the user → in the permissions window, check Deny for "Read" and "Apply group policy".