First log in to Windows as an administrator and make the settings described in the following sections. Then enable the Guest account, or create a new ordinary user account (a restricted user, not an administrator), and let other people log in with that account. You can then stop worrying that others will tamper with your computer.
1. Restrict user access to files
If the disk partition holding the program uses the NTFS file system, the administrator account can use the file and folder security options provided by NTFS to control user access to programs and files. Normally, once an application is installed on the system, every account on the local computer can access and run it. If you revoke a particular user's access to the application or its folder, that user loses the ability to run the application.
For example, to prevent restricted users from running the Outlook Express application, proceed as follows:
(1) Log in with the administrator account. If the Simple File Sharing option is enabled on the system, it must be turned off first: in a Windows Explorer window, click "Folder Options" on the "Tools" menu, open the "View" tab, clear the "Use simple file sharing" check box and click "OK".
(2) Open the Program Files folder, right-click the Outlook Express folder and choose "Properties".
(3) Open the "Security" tab. You can see that members of the Users group have read and execute permissions on the folder. Click "Advanced".
(4) Clear the check box "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". In the prompt that appears, click "Copy"; the user's permission entries are now shown as non-inherited.
(5) Click "OK" to return to the Properties window. In the "Group or user names" list, select Users, click "Remove", then click "OK" to complete the permission settings.
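The five steps above can also be carried out from a script, which is handy when the same restriction has to be applied on several machines or checked afterwards. The following is an added example and not part of the original article: it uses PowerShell's Get-Acl and Set-Acl cmdlets, assumes it is run in an elevated (administrator) PowerShell, and assumes Outlook Express is installed in the Program Files folder named below.

```powershell
# Added example, not from the original article: the same five steps done with
# PowerShell's Get-Acl / Set-Acl instead of the Explorer "Security" tab.
# Assumptions: run in an elevated (administrator) PowerShell; the folder path
# below is where Outlook Express is installed on this machine (adjust as needed).

$target = Join-Path $env:ProgramFiles 'Outlook Express'   # assumed application folder

# Resolve the Users group from its well-known SID so the script also works on
# systems where the group's display name is not "BUILTIN\Users".
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

# Step (4): stop inheriting entries from the parent folder but keep a copy of them
# (the "Copy" button in the dialog). Writing this back first turns the copied
# entries into explicit ones, which is what the next step removes.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $true)   # isProtected = true, preserveInheritance = true
Set-Acl -Path $target -AclObject $acl

# Step (5): remove every entry that belongs to the Users group.
$acl = Get-Acl -Path $target
$usersRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $usersName })
foreach ($rule in $usersRules) { [void]$acl.RemoveAccessRule($rule) }
Set-Acl -Path $target -AclObject $acl

# Check the result: inheritance is off and no Users entry remains, while the
# other entries (for example SYSTEM and Administrators) are still there.
$after = Get-Acl -Path $target
[pscustomobject]@{
    Folder                = $target
    InheritanceDisabled   = $after.AreAccessRulesProtected
    UsersEntriesRemaining = @($after.Access | Where-Object { $_.IdentityReference.Value -eq $usersName }).Count
    RemainingIdentities   = (@($after.Access | ForEach-Object { $_.IdentityReference.Value }) | Sort-Object -Unique) -join ', '
}
```

The final object is the check a practitioner wants: InheritanceDisabled should be True and UsersEntriesRemaining should be 0. On later Windows versions, folders under Program Files are often owned by TrustedInstaller, and Set-Acl may then refuse to write the descriptor because it also tries to set the owner; the check shows whether the change actually landed. To undo the restriction, call SetAccessRuleProtection with both arguments set to false and write the ACL back with Set-Acl, which re-enables inheritance from the parent folder.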
To lift such a restriction for a particular user, add that user or group to the file or folder's security settings and grant the corresponding access permissions.
This approach lets the administrator restrict each user's ability to access and run specific applications. It has one important precondition, however: the partition holding the application must be formatted as NTFS; otherwise none of this is possible.
On FAT/FAT32 partitions the file and folder security options cannot be used. Instead, we can set a computer policy that prohibits the running of specified applications.
2. Enable the "Do not run specified Windows applications" policy
Group Policy contains a policy named "Don't run specified Windows applications". By enabling this policy and adding the applications concerned, you can prevent users from running those applications. The setting procedure is as follows:
(1) Choose "Start", "Run" and execute gpedit.msc to start the Group Policy Editor, or run mmc to start the console and load the "Group Policy" snap-in into it;
(2) Expand "'Local Computer' Policy", "User Settings" and "Administrative Templates" in turn, click "System", double-click the "Don't run specified Windows applications" policy in the right pane, select "Enabled" and click "Show".
(3) Click "Add", enter the file name of the application that must not run, for example cmd.exe for the command prompt, and click "OK". The name now appears in the list of programs that are not allowed to run.
(4) Click "OK" to return to the Group Policy Editor, then click "OK" to complete the settings.
When a user tries to run an application that is on the disallowed list, the system shows a warning message. Copying the application to another directory or partition does not make it runnable again. To restore a restricted program, set the "Don't run specified Windows applications" policy to "Not Configured" or "Disabled", or remove the application from the disallowed list (note that the list must not become empty after the removal).
This method only prevents users from running programs launched through Windows Explorer; it does not stop programs started by system processes or by other processes. The restriction also applies to all users, not just restricted ones: members of the Administrators group, and even the built-in Administrator account, are restricted, which causes the administrator some inconvenience.
When an administrator needs to run an application that is on the disallowed list, they must first remove it from the list in the Group Policy Editor and, after running the program, add it to the list again. Note: never add the Group Policy Editor itself (gpedit.msc) to the list of prohibited programs. That would lock the Group Policy against itself: no user could start the Group Policy Editor any more, and the policy settings could no longer be changed.
Tip: If the "Command Prompt" program is not prohibited, a user can still start a prohibited program from the command prompt. For example, after Notepad (notepad.exe) is added to the disallowed list, running it from the XP desktop is blocked, but the notepad command in a "Command Prompt" window still starts Notepad. To prohibit a program completely, therefore, add cmd.exe to the disallowed list first.
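The two pitfalls described above (a list that still lets the command prompt through, and a list that locks the Group Policy Editor out) are easy to check automatically. The following is an added example, not code from the original article. It relies on the fact that this policy is stored in the current user's Explorer policy registry key (the DisallowRun value and the DisallowRun subkey with numbered string values); the function names are my own, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. The "Don't run specified Windows
# applications" policy is stored under the current user's Explorer policy key:
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  DisallowRun = 1 (DWORD)
#   ...\Policies\Explorer\DisallowRun                                 "1" = "cmd.exe", "2" = ...
# Set-DisallowRunList writes that list (the equivalent of steps (1)-(4));
# Get-DisallowRunAudit reads it back and flags the two pitfalls from the text.

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DisallowRunKey = Join-Path $ExplorerPolicy 'DisallowRun'

function Set-DisallowRunList {
    param([Parameter(Mandatory)][string[]]$Programs)   # e.g. 'cmd.exe', 'notepad.exe'
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    New-ItemProperty -Path $ExplorerPolicy -Name 'DisallowRun' -PropertyType DWord -Value 1 -Force | Out-Null
    # Rebuild the list key so the entries are numbered 1..n without gaps.
    if (Test-Path $DisallowRunKey) { Remove-Item -Path $DisallowRunKey -Recurse -Force }
    New-Item -Path $DisallowRunKey -Force | Out-Null
    $i = 1
    foreach ($exe in $Programs) {
        New-ItemProperty -Path $DisallowRunKey -Name ([string]$i) -PropertyType String -Value $exe -Force | Out-Null
        $i++
    }
}

function Get-DisallowRunList {
    # Returns the program names in list order, or an empty array if no list exists.
    if (-not (Test-Path $DisallowRunKey)) { return @() }
    $key = Get-Item -Path $DisallowRunKey
    return @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
}

function Get-DisallowRunAudit {
    $enabled = (Get-ItemProperty -Path $ExplorerPolicy -Name 'DisallowRun' -ErrorAction SilentlyContinue).DisallowRun -eq 1
    $list = Get-DisallowRunList
    [pscustomobject]@{
        PolicyEnabled    = $enabled
        BlockedPrograms  = ($list -join ', ')
        # The text's tip: without cmd.exe on the list, a blocked program can still
        # be started from a command prompt.
        CmdPromptBlocked = ($list -contains 'cmd.exe')
        # The text's warning: blocking the Group Policy Editor locks everyone out of
        # the policy. mmc.exe is included here because it hosts the editor (my addition).
        SelfLockRisk     = ($list -contains 'gpedit.msc') -or ($list -contains 'mmc.exe')
    }
}

# Usage (constructed example): block the command prompt and Notepad, then audit.
Set-DisallowRunList -Programs 'cmd.exe', 'notepad.exe'
Get-DisallowRunAudit
```

For the constructed input the audit reports PolicyEnabled True, CmdPromptBlocked True and SelfLockRisk False. Because the list is written directly to the registry rather than through the editor, Explorer applies it once it re-reads its policies, so log off and on again before testing.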
3. Set the software restriction policy
Software restriction policies are a component of the local security policy. By setting them the administrator identifies files and programs, classifies them as trustworthy or untrustworthy, and controls their execution by assigning each a corresponding security level. This measure is very effective at solving the problem of controlled execution of unknown and untrusted code. Software restriction policies use two kinds of settings to restrict programs: security levels and additional rules.
There are two security levels, "Not Allowed" and "Unrestricted". "Not Allowed" prohibits the program from running regardless of the user's permissions; "Unrestricted" lets the logged-in user run the program with whatever permissions they have.
With additional rules, the administrator identifies a specified batch of files and programs, or a single file or program, by formulating rules and assigns them the "Not Allowed" or "Unrestricted" security level. Four types of rule can be formulated, which in order of priority are: hash rules, certificate rules, path rules and Internet zone rules. These rules determine the authorization level that governs access to the files and execution of the programs.
Settings of software restriction policies
1. Access software restriction policies
As part of the local security policy, software restriction policies are also contained in Group Policy. To set them, you must be logged in as the administrator account or as a member of the Administrators group. There are two ways to reach software restriction policies:
(1) Choose "Start", "Run" and run secpol.msc to start the Local Security Policy editor; the "Software Restriction Policies" item appears under "Security Settings".
(2) Choose "Start", "Run" and run gpedit.msc to start the Group Policy Editor; "Software Restriction Policies" appears under "Computer Settings", "Windows Settings", "Security Settings".
2. Create a new software restriction policy
When you open "Software Restriction Policies" for the first time, the item is empty; the policy has to be added manually by the administrator. To do so, click "Software Restriction Policies" to select it, then click "New Policy" on the "Action" menu of the editor window. "Security Levels", "Other Rules" and three properties are then added under "Software Restriction Policies", as shown in Figure 2. Once a new policy has been created, the operation cannot be repeated, and the policy cannot be deleted.
3. Set the default security level
After a new software restriction policy is created, its default security level is "Unrestricted". To change the default level, set it under "Security Levels" as follows:
(1) Open "Security Levels". The right pane shows the two levels; the one whose icon carries a small check mark is the current default;
(2) Right-click the level that is not the default and choose "Set as Default". When "Not Allowed" is set as the default, the system shows a prompt message; click "OK".
The same can be done by double-clicking the non-default level and clicking "Set as Default" in the properties window that opens.
4. Set the scope and objects of the policy
Through the policy's "Enforcement" property you can set whether the software files the policy applies to include library files, and whether the users it applies to include administrator accounts. Normally, to avoid unnecessary problems on the system and to make it easier to manage, the policy should apply to all software files except library files, and to all users except local administrators. The setting procedure is as follows:
(1) Click "Software Restriction Policies" and double-click the "Enforcement" property in the right pane;
(2) Select the "All software files except libraries (such as DLLs)" option and the "All users except local administrators" option, then click "OK".
5. Formulate rules
Clearly, setting the security level alone does not give good control over files and programs. Reasonable rules must also be formulated to identify the files and programs that are prohibited or allowed to run; only then can these files and programs be controlled flexibly. As mentioned above, four types of rule can be formulated: hash rules, certificate rules, path rules and Internet zone rules. The way each identifies files, and how each is created, is as follows:
Hash rules: A hashing algorithm computes the hash of the specified file, a fixed-length sequence of bytes that uniquely identifies the file. Once a hash rule exists, whenever a user accesses or runs the file, the software restriction policy allows or prevents the access or execution according to the file's hash and its security level. Moving or renaming the file does not change its hash, so the policy continues to apply to it. The rule is created as follows:
(1) Click "Other Rules" under "Software Restriction Policies", right-click "Other Rules" (or a blank area of the right pane) and choose "New Hash Rule".
(2) Click "Browse" and specify the file or program to identify, for example cmd.exe. After confirming, the computed hash appears in the "File hash" field. Choose "Not Allowed" or "Unrestricted" under "Security Level" and click "OK"; a new rule of type Hash now appears under "Other Rules".
Certificate rules: These identify a file or program by the signing certificate associated with it. The certificate may be self-signed, issued by a certification authority (CA), or issued by a Windows 2000 public key authority. Certificate rules do not apply to EXE and DLL files; they mainly apply to scripts and Windows Installer packages. When a file is identified by its associated signing certificate, the software restriction policy decides at run time, from the file's security level, whether it may run. Moving or renaming the file does not affect the certificate rule. To create a certificate rule you need access to the certificate file used to identify the file; its extension is .CER. The creation method is the same as for hash rules.
Path rules: These identify a file or program by its path. A rule can target a specified file, a category of files matched by a wildcard, or all files and subfolders under a path. Because identification is by path, a path rule no longer applies once the file is moved or renamed. Among path rules, priority depends on how broad the path is: the broader the range, the lower the priority. From high to low, the usual order is: a specific file, a category of files with a path containing a wildcard, a category of files matched by a wildcard, a path, and a parent path. The creation method is the same as for hash rules.
Internet zone rules: These identify an application by the Internet zone it was downloaded from. The zones are: Internet, Local intranet, Local computer, Restricted sites and Trusted sites. This rule mainly applies to Windows Installer packages. The creation method is the same as for hash rules.
6. Maintain the file types of executable code
Whatever the rule type, it affects only the file types listed in the "Assigned File Types" property, which is shared by all rules. Sometimes the administrator needs to remove or add a file type so that the rules stop or start applying to such files, which means maintaining the "Assigned File Types" property. The method is as follows:
(1) Click "Software Restriction Policies" and double-click the "Assigned File Types" property in the right pane;
(2) To add a file type, enter its extension under "File extension" and click "Add"; to delete a file type, select it in the list and click "Delete".
7. Use the priority of rules to flexibly control the operation of the program
The priority of the four rule types, from high to low, is: hash rules, certificate rules, path rules, Internet zone rules. If more than one rule applies to the same program, the security level set by the rule with the highest priority decides whether the program can run. If several rules of the same type apply to the same program, the most restrictive of them applies. This gives us a flexible way to control program execution. A single rule is sweeping in its effect, and also limits the things we still need. Combining rules, however, produces effects such as "everything except what we need (or do not need) is not allowed (or unrestricted)", which may be the level of security we really want.
Tip: For a software restriction policy to take effect, you must log off and log on again. If a rule with the "Unrestricted" security level is set for a program in the software restriction policy, but that program is also on the disallowed list of the "Don't run specified Windows applications" policy, the program is ultimately not allowed to run.
To cancel the restriction on a program, delete the relevant rule: in the rule list under "Other Rules", right-click the rule to delete and choose "Delete".
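After sections 3 to 7 have been worked through, an administrator usually wants a quick way to see what the software restriction policy actually contains: the default level, the Enforcement and Assigned File Types properties, and every rule with its level. The following is an added example, not code from the original article. It reads the registry key in which the local policy is stored (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) and decodes the DefaultLevel, TransparentEnabled, PolicyScope and ExecutableTypes values; the function names are my own, and the script assumes Windows PowerShell 3.0 or later (the same registry layout is used by later Windows versions).

```powershell
# Added example, not from the original article: read back the software restriction
# policy configured in the steps above. The policy lives under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
# with DefaultLevel, TransparentEnabled (the "Enforcement" file scope), PolicyScope
# (the "Enforcement" user scope), ExecutableTypes ("Assigned File Types") and one
# numbered subkey per security level that holds the rules.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames   = @{ 0 = 'Not Allowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
$HashAlgNames = @{ 32771 = 'MD5'; 32780 = 'SHA-256' }   # CALG_MD5, CALG_SHA_256

function Get-SaferPolicySummary {
    # Returns $null when "New Software Restriction Policies" has never been run.
    if (-not (Test-Path $SaferRoot)) { return $null }
    $p = Get-ItemProperty -Path $SaferRoot
    $default = if ($null -eq $p.DefaultLevel) { 'Unrestricted (not set)' } else { $LevelNames[[int]$p.DefaultLevel] }
    # TransparentEnabled: 1 = all software files except libraries (DLLs), 2 = all software files
    $files = if ($p.TransparentEnabled -eq 2) { 'All software files' } else { 'All software files except libraries' }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    $users = if ($p.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
    [pscustomobject]@{
        DefaultLevel     = $default
        EnforcementFiles = $files
        EnforcementUsers = $users
        CertRulesEnabled = ($p.AuthenticodeEnabled -eq 1)
        AssignedTypes    = (@($p.ExecutableTypes) -join ' ')
    }
}

function Get-RuleTypeRank ([string]$Type) {
    # Priority order from the text: hash, certificate, path, Internet zone.
    switch ($Type) { 'Hashes' { 0 } 'Paths' { 2 } 'UrlZones' { 3 } default { 1 } }
}

function Get-SaferRules {
    # Walks <level>\<rule type>\{GUID} and returns one object per rule.
    if (-not (Test-Path $SaferRoot)) { return @() }
    $rules = @(foreach ($levelKey in Get-ChildItem -Path $SaferRoot) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        foreach ($typeKey in Get-ChildItem -Path $levelKey.PSPath) {
            foreach ($ruleKey in Get-ChildItem -Path $typeKey.PSPath) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                $data = $r.ItemData
                if ($data -is [byte[]]) {   # binary ItemData (the digest of a hash rule) shown as hex
                    $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                $alg = if ($null -ne $r.HashAlg) { $HashAlgNames[[int]$r.HashAlg] } else { $null }
                [pscustomobject]@{
                    Level       = $LevelNames[$level]
                    Type        = $typeKey.PSChildName
                    Identifier  = $data
                    HashAlg     = $alg
                    Description = $r.Description
                }
            }
        }
    })
    return $rules
}

# Usage: show the policy properties, then the rules ordered by rule-type priority.
Get-SaferPolicySummary
Get-SaferRules | Sort-Object { Get-RuleTypeRank $_.Type } | Format-Table -AutoSize
```

Reading HKLM policy keys needs no elevation, so the audit can run as any user. On a freshly created policy the summary shows the "Unrestricted" default, the "except libraries" file scope and "All users" for the user scope, which is exactly what sections 3 and 4 tell you to review; the rule listing is the same information as "Other Rules", with hash rules first because they win over the other types.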
Each of the three measures for restricting program execution has its own characteristics. Looking at how the restriction is implemented and what it affects: restricting users' access permissions to files lets the administrator control the permissions of every user account, and its scope can be all types of files and folders, but the method is limited by the application environment (it requires NTFS). Policy-based measures, whether the "Don't run specified Windows applications" policy or software restriction policies, restrict groups of users (all users, or all users except the Administrators group) and cannot target a specific user. On the other hand, they make few demands on the system environment and can be applied on an XP system, and policy-based settings allow the computer to be managed more flexibly. Software restriction policies in particular let the administrator identify programs in several different ways, giving a high degree of control over what runs.