Windows XP provides a powerful security mechanism, but setting each of these security options one by one is time-consuming and laborious. Is there a way to configure security options quickly? The answer is yes: all security options can be set in batches with security templates.
First, understanding security templates
A "security template" is a file that defines a set of security policies. It can hold security settings for account policies, local policies, event logs, restricted groups, the file system, the registry and system services. Security templates are stored as text files in .inf format, so users can easily copy, paste, import or export them. A security template does not introduce new security parameters; it simply gathers all existing security attributes in one place to simplify security management and provides a way to modify security options quickly and in bulk.
The system predefines several security templates to help harden the system. By default, these templates are stored in the "%Systemroot%\Security\Templates" directory. They are:
1. Compatws.inf
Provides a basic security policy for a less secure but more compatible environment. It relaxes the default file and registry permissions of the Users group to meet the requirements of most applications that have not been certified for Windows. The Power Users group is normally used to run such non-certified applications.
2. Hisec*.inf
Provides high-security client policy templates for an advanced security environment. They are a superset of the secure templates and further restrict the encryption and signing required for authentication, so that data passes through a secure channel and is transmitted securely between SMB clients and servers.
3. Rootsec.inf
Secures the system root directory: it specifies the new root-directory permissions introduced by Windows XP Professional. By default, Rootsec.inf defines these permissions for the root of the system drive. If the root permissions are accidentally changed, this template can be used to reapply them, or it can be modified to apply the same root permissions to other volumes.
4. Secure*.inf
Defines enhanced security settings that are least likely to affect application compatibility. They also restrict the use of the LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.
5. Setup security.inf
Reapplies the default settings. This template is specific to each computer and represents the default security settings applied during installation of the operating system. Its settings include the file permissions for the root of the system drive, so it can be used for disaster recovery.
These are the predefined security templates. Users can use one of them or create their own new templates.
Second, managing security templates
1. Load the Security Templates snap-in
Security template files are all text-based .inf files and can be opened and edited in a text editor. Editing a template that way is cumbersome, however; for convenience, load the Security Templates snap-in into an MMC console.
(1) Click "Start", then "Run", type "mmc" and click "OK" to open an empty console;
(2) On the File menu click Add/Remove Snap-in, and on the Standalone tab of the window that opens click Add;
(3) In the list of available standalone snap-ins select Security Templates, click Add, and finally click Close. The Security Templates snap-in is now added to the MMC console.
To avoid reloading the snap-in every time you run MMC, click Save on the File menu to save the current console settings.
2. Create and delete security templates
After adding the Security Templates snap-in to the MMC console, you will see the security templates predefined by the system; you can also create new ones yourself.
First, expand Security Templates in the console tree, right-click the folder where the template files are stored and select New Template from the shortcut menu. In the new template window, type the name of the template in Template Name and its description in Description, then click OK. A new security template has now been created.
Deleting a security template is equally simple: expand Security Templates, find the template in the console tree, right-click it and select Delete.
3. Apply the security template
Once the new security template is configured, it can be applied. Template settings are applied with the Security Configuration and Analysis snap-in.
(1) First add the Security Configuration and Analysis snap-in: open the File menu of the MMC console, click Add/Remove Snap-in, select Security Configuration and Analysis in the Add Standalone Snap-in list and click Add. The snap-in is now added to the MMC console;
(2) In the console tree, right-click Security Configuration and Analysis, select Open Database, type a new database name in the window that opens, and click Open;
(3) In the template list that appears, select the security template to import and click "Open"; the template is imported into the database;
(4) Right-click Security Configuration and Analysis in the console tree again and select Configure Computer Now from the shortcut menu. A window asking for the error log file path opens; click OK.
The imported security template has now been applied.
Third, building a security template
1. Set account policies
Account policies comprise the password policy, the account lockout policy and the Kerberos policy. The password policy provides a standard way to set password complexity and password rules to meet the requirements of a high-security environment. The account lockout policy tracks failed logon attempts and locks the account if necessary. The Kerberos policy applies to domain user accounts and determines Kerberos-related settings such as ticket lifetime and enforcement.
(1) Password policy
Five settings related to password characteristics can be configured here: "Enforce password history", "Maximum password age", "Minimum password age", "Minimum password length" and "Password must meet complexity requirements".
① Enforce password history: the number of unique new passwords a user must have used before an old password can be reused. The value can be between 0 and 24.
② Maximum password age: the number of days a password can be used before the user is required to change it. The value is between 0 and 999; if set to 0, the password never expires;
③ Minimum password age: the number of days a new password must be kept before the user may change it again. This setting is intended to be used together with "Enforce password history", so that users cannot cycle through the required number of passwords quickly and change back to the old one. The value can be between 0 and 999; if set to 0, the user can change the new password immediately. A value of 2 days is recommended;
④ Minimum password length: the minimum number of characters a password must have. The value is between 0 and 14 characters; if set to 0, blank passwords are allowed. A value of 8 characters is recommended;
⑤ Password must meet complexity requirements: once enabled, every new password is checked against the basic complexity requirements. With this setting enabled a password must, for example, be at least 6 characters long and must not contain three or more consecutive characters of the user account name.
(2) Account lockout policy
Here you set how many logon attempts a user account is allowed within a given time, and for how long the account is locked after the logon failures.
① Account lockout duration: the time that must elapse before a locked-out account is unlocked and may log on again, that is, the period during which the locked user cannot log on. The unit is minutes. If set to 0, the account remains locked until an administrator unlocks it;
② Account lockout threshold: the number of failed logon attempts after which the user account is locked. The account cannot be used again until an administrator resets it or the lockout duration has expired. The number of failed attempts can be set between 1 and 999; if set to 0, the account is never locked out.
2. Set local policies
Local policies comprise three groups of security settings: audit policy, user rights assignment and security options. The audit policy determines whether security events are recorded in the computer's security log; user rights assignment determines which users or groups have the right or privilege to log on to the computer; security options enable or disable individual security settings of the computer.
(1) Audit policy
Once auditing is enabled, the system collects all events of the audited objects, such as application, system and security-related information, in the audit log, so auditing is very important for the security of the domain. Each audit policy value can be one of three kinds: Success, Failure or No auditing. By default no auditing is performed. To enable auditing, double-click an item to open its Properties window, first select "Define these policy settings in the template", then select Success or Failure as required.
The audit policy includes audit account logon events, audit policy change, audit account management, audit logon events, audit system events and so on. They are introduced below.
① Audit policy change: determines whether to audit every event that changes the user rights assignment policy, the audit policy or the trust policy. Recommended setting: "Success" and "Failure";
② Audit logon events: determines whether to audit each instance of a user logging on to, logging off from, or making a network connection to this computer. Auditing Success lets you determine which user logged on to which computer; auditing Failure helps detect intrusion attempts, but the huge number of failed-logon entries an attacker can generate may produce a denial of service (DoS) condition. Recommended setting: "Success";
③ Audit object access: determines whether to audit user access to objects such as files, folders, registry keys and printers, each of which has its own system access control list (SACL). Recommended setting: "Failure";
④ Audit process tracking: determines whether to audit detailed tracking information for events such as program activation, process exit and indirect object access. Enable it if you suspect the system has been attacked, but note that it generates a large number of events. Under normal circumstances the recommended setting is "No auditing";
⑤ Audit directory service access: determines whether to audit user access to Active Directory objects that have their own system access control list (SACL). When enabled it generates a large number of audit entries in the security log of the domain controller, so enable it only if you really need the information it produces. Recommended setting: "No auditing";
⑥ Audit privilege use: determines whether to audit each instance of a user exercising a user right, except for Bypass traverse checking, Debug programs, Create a token object, Replace a process level token, Generate security audits, Back up files and directories and Restore files and directories. Recommended setting: "No auditing";
⑦ Audit system events: determines whether to audit when a user restarts or shuts down the computer, or when an event occurs that affects system security or the security log. These events are very important; recommended setting: "Success" and "Failure";
⑧ Audit account logon events: determines whether to audit when a user logs on to or off from another computer that uses this computer to validate the account. Recommended setting: "Success" and "Failure";
⑨ Audit account management: determines whether to audit every account management event on the computer, such as renaming, disabling or enabling a user account, or creating, modifying or deleting user accounts. Recommended setting: "Success" and "Failure".
(2) User rights assignment
User rights assignment decides which users or groups are allowed to do what. The settings are made as follows:
(1) Double-click a policy and, in the Properties window that opens, first select "Define these policy settings in the template";
(2) Click "Add User or Group" to open the "Select Users or Groups" window. First click "Object Types" to choose the object type, then click "Locations" to choose where to search, and finally type the name of the user or group in the box under "Enter the object names to select". After entering it, click the "Check Names" button to verify that the name is correct;
(3) Finally, click OK to add the object to the user list.
(3) Security options
Here you can enable or disable computer security settings such as digital signing of data, the names of the Administrator and Guest accounts, floppy and CD-ROM drive access, driver installation behavior and the logon prompt. Several settings suitable for the average user follow.
① Prevent users from installing printer drivers. For a computer to print to a network printer, the driver for that printer must be installed on the local computer. This security setting determines who is allowed to install printer drivers when adding a network printer. Use it to prevent unauthorized users from downloading and installing untrusted printer drivers.
Double-click "Devices: Prevent users from installing printer drivers" to open its properties window. First select "Define this policy setting in the template", then select Enabled, and finally click OK. Now only Administrators and Power Users can install printer drivers as part of adding a network printer;
② Install unsigned drivers without prompting. When you try to install a device driver that has not been certified by Windows Hardware Quality Labs (WHQL), the system by default displays a warning window and lets the user decide whether to install it. This is inconvenient, and the setting can be changed so that the driver is installed without prompting. Note that doing so removes the warning an unsigned driver would otherwise trigger, so it trades a safety check for convenience.
Double-click "Devices: Unsigned driver installation behavior", select "Define this policy setting in the template" in the properties window that appears, then open the drop-down list, select "Silently succeed" (install without prompting), and finally click "OK";
③ Display message text at logon. Specifies the text message displayed when a user logs on. Such a warning message can tell users not to misuse company information in any way, and that their actions may be audited, which helps protect the system's data.
Double-click "Interactive logon: Message text for users attempting to log on" to open its properties window. First select "Define this policy setting in the template", then type the message text in the box below (at most 512 characters), and finally click "OK". Users will then see this warning dialog box before logging on to the console.
3. Set the event log
This part of the security template defines properties of the application, security and system logs, such as the maximum log size, access rights to each log, and the retention settings and method. The application log records events generated by programs; the security log records security events for the audited objects; the system log records operating system events.
(1) Retain days
This option sets the number of days the application, security and system logs are retained. Set this value only if the logs are archived at a fixed interval, and make sure the maximum log size is large enough to cover that interval. The value can be anywhere from 1 to 365 days and users can set it according to their needs; 14 days is recommended.
(2) Retention method
Here you set what happens when a log reaches its configured maximum size. There are three methods: overwrite events by days, overwrite events as needed, and do not overwrite events (clear log manually). To archive the application log, select "Overwrite events as needed"; to archive logs at a fixed interval, select "Overwrite events by days"; to keep every event in the log, select "Do not overwrite events (clear log manually)", in which case new events are discarded once the maximum log size is reached.
(3) Prevent local guests group from accessing logs
Here you set whether guests may access the application, security and system event logs. By default, guest users and null-session connections may view the system log but are denied access to the security log.
(4) Maximum log size
Here you set the maximum size of the log file. The available range is 64KB to 4194240KB. If the value is too small the log fills up often and must be cleaned out and archived frequently; if it is too large it consumes a lot of disk space, so set it according to your own needs.
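As an added example (not code from the article or from Microsoft), the following Python script parses a secedit-style .inf template and checks the account, audit and event-log values against the recommendations made in this section; the section and key names ([System Access], [Event Audit], [Security Log] and their keys) are the real ones used by the .inf format, while the template contents are constructed for this example.

```python
# Added example (not from the article or any Microsoft tool): parse a
# secedit-style .inf security template and report settings weaker than the
# article's recommendations. Template text below is constructed.
import re

# Constructed template; MinimumPasswordAge and AuditAccountManage are
# deliberately below the recommendation so the checker has findings.
SAMPLE_TEMPLATE = """
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 8
PasswordComplexity = 1
; account lockout policy (LockoutBadCount 0 would mean never lock out)
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditPolicyChange = 3
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 1
[Security Log]
; MaximumLogSize in KB; AuditLogRetentionPeriod 1 = overwrite events by days
MaximumLogSize = 16384
AuditLogRetentionPeriod = 1
RetentionDays = 14
RestrictGuestAccess = 1
"""

# (section, key) -> (rule, value), taken from the article's recommendations.
RECOMMENDED = {
    ("System Access", "MinimumPasswordLength"): ("at least", 8),
    ("System Access", "MinimumPasswordAge"): ("at least", 2),
    ("System Access", "PasswordComplexity"): ("equals", 1),
    ("System Access", "LockoutBadCount"): ("at least", 1),
    ("Event Audit", "AuditPolicyChange"): ("equals", 3),
    ("Event Audit", "AuditLogonEvents"): ("equals", 1),
    ("Event Audit", "AuditObjectAccess"): ("equals", 2),
    ("Event Audit", "AuditProcessTracking"): ("equals", 0),
    ("Event Audit", "AuditSystemEvents"): ("equals", 3),
    ("Event Audit", "AuditAccountLogon"): ("equals", 3),
    ("Event Audit", "AuditAccountManage"): ("equals", 3),
    ("Security Log", "RetentionDays"): ("equals", 14),
    ("Security Log", "RestrictGuestAccess"): ("equals", 1),
}

def parse_template(text):
    """Return {section: {key: value}}. ';' is a comment only at line start,
    because SDDL strings in registry/file sections contain semicolons."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("entry outside any section: %r" % line)
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def check_template(text):
    """Return one finding per setting that is missing or weaker than recommended."""
    sections = parse_template(text)
    findings = []
    for (section, key), (rule, want) in RECOMMENDED.items():
        raw = sections.get(section, {}).get(key)
        if raw is None:
            findings.append("[%s] %s: not defined" % (section, key))
            continue
        have = int(raw)
        ok = have == want if rule == "equals" else have >= want
        if not ok:
            findings.append("[%s] %s = %d, recommended %s %d" % (section, key, have, rule, want))
    return findings
```

Running `check_template(SAMPLE_TEMPLATE)` reports the two deliberately weak values; an empty list means the template meets every recommendation checked.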
4. Set up restricted groups
Here administrators can define the "Members" and "Member Of" lists of security-sensitive groups: Members defines which users belong to the restricted group (anyone not listed does not), and Member Of defines which other groups the restricted group belongs to. With this policy you control the group's membership: any current member not listed in the policy is removed, and any listed user who is not currently a member is added.
(1) Create a restricted group
First, right-click Restricted Groups in the console tree and select Add Group. Then type the name of the group in the Add Group window, or click Browse and find the group in the Select Groups window that opens, and finally click OK. The new restricted group is now created.
To copy all restricted group entries from one template to another, right-click Restricted Groups in the console tree of the source template and select Copy from the shortcut menu, then right-click Restricted Groups in the other template and select Paste.
(2) Add users
First, find the group in the details pane, right-click it and select "Properties" from the shortcut menu to open the group's properties window. Click the Add button to the right of the "Members of this group" list box and type the members to add. Repeat this step for further members.
Similarly, to make this group a member of other groups, click the "Add" button to the right of the "This group is a member of" list box, type the group name in the window that appears, and finally click "OK".
5. Set up system services
Here you can define the startup mode and access permissions of every system service. The startup modes are Automatic, Manual and Disabled: Automatic means the service starts when the computer restarts; Manual means it starts only when someone starts it; Disabled means the service cannot be started. Access permissions cover reading, writing, deleting, starting, pausing and stopping the service. With the security template you can easily specify which user or group accounts have read, write and delete rights, or rights to configure inheritance, auditing and ownership. Note that disabling some services can prevent the system from starting, so test any service you intend to disable on a non-production system first.
So how are the system service settings configured?
(1) Double-click the service to configure to open its properties dialog box;
(2) Select "Define this policy setting in the template". If the policy has never been configured before, the security settings dialog box appears automatically; if it does not, click the "Edit Security Settings" button to open it;
(3) Click the "Add" button and add the user to operate on to the list, following the steps for adding users or groups;
(4) In the "Group or user names" list, select a user or group; all editable permissions are listed in the permissions list below. Allow or deny each permission as required. To edit special permissions or advanced settings, click the Advanced button, and click OK when done;
(5) In the properties window, under "Select service startup mode", select Automatic, Manual or Disabled.
6. Set up the registry
Here administrators can define access permissions (the DACL) and audit settings (the SACL) for registry keys.
A DACL is a discretionary access control list. It is part of an object's security descriptor and grants or denies specific users or groups access to the object. Only the owner of the object can change the permissions granted or denied in the DACL, so the owner always retains control over access to the object. A SACL is a system access control list, the part of an object's security descriptor that specifies which operations by which users or groups are to be audited. Examples of audited events include file access, logon attempts and system shutdown.
(1) Set registry security
(1) In the console tree, right-click the "Registry" node and select "Add Registry Key" from the shortcut menu that appears;
(2) In the "Select Registry Key" dialog box, select the key to add and click "OK";
(3) In the "Database Security Settings" dialog box, select the appropriate permissions for the key and click "OK";
(4) In the "Template Security Policy Settings" dialog box, select the required inheritance option and finally click "OK".
(2) Modify the permissions of a registry key
(1) In the list of registry keys, double-click the key to modify;
(2) In the "Template Security Policy Settings" window that appears, select "Configure this key then". Two options are listed below it: "Propagate inheritable permissions to all subkeys" means that all subkeys inherit the newly set permissions from this key; "Replace existing permissions on all subkeys with inheritable permissions" means that the new permissions are applied to all subkeys, replacing whatever was there. Choose one according to your needs;
(3) Click the "Edit Security Settings" button, then click the "Advanced" button in the dialog box that appears to open the advanced security settings window;
(4) In the "Advanced Security Settings" window, click "Add" to add (or remove) users until the required standard is met;
(5) Select the user or group to operate on and click the "Edit" button to open the permission entry dialog box. First choose the correct scope in the "Apply onto" drop-down list, such as "This key only" or "This key and subkeys", then select the permissions to use in the Permissions list, and finally click OK to complete the setting.
7. Set up the file system
A file system is the overall structure in which files are named, stored and organized. Windows XP supports three file systems: FAT, FAT32 and NTFS. You choose a file system when installing Windows, formatting an existing volume or installing a new hard disk. Each has its own advantages and limitations, and NTFS offers performance, security and reliability that the others do not. For example, NTFS ensures volume consistency with standard transaction logging and recovery techniques: if the system fails, NTFS uses its log file and checkpoint information to restore the file system to a consistent state. Under Windows XP, NTFS also provides advanced features such as file and folder permissions, encryption, disk quotas and compression.
(1) View file system security settings
To view the permissions of a specific file or folder manually:
Open Windows Explorer, right-click the file or folder and select Properties from the shortcut menu that appears. In the properties window open the "Security" tab, then click the "Advanced" button to view the permission entries for the file or folder.
(2) Set file system security for files
(1) Right-click the "File System" node in the console tree and click "Add File" in the shortcut menu that appears;
(2) In the "Add a file or folder" dialog box, find the file or folder to secure and click "OK";
(3) In the "Database Security Settings" dialog box, configure the appropriate permissions and click "OK";
(4) Back in the "Template Security Policy Settings" dialog box, click "OK" to complete the setting.
(3) Modify the file system security settings
Manually modifying the permissions of every file and folder wastes time and effort; with the security template they can be set quickly in batches.
(1) In the right-hand pane, double-click the file or folder to change;
(2) In the "Template Security Policy Settings" window there are two options: "Propagate inheritable permissions to all subfolders and files" means that the folder's subfolders and files are reconfigured so that they all inherit the new permissions; "Replace existing permissions on all subfolders and files with inheritable permissions" means the new permissions are applied regardless of whether those subfolders currently inherit permissions, and they inherit from the configured item. Select one as needed, then click the Edit Security Settings button;
(3) In the Security Settings window, click the Advanced button;
(4) In the Advanced Security Settings window, if permissions should not be inherited from the parent, make sure "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" is cleared. Then click Add to change the users or groups affected by the permissions, and finally select the group or user to configure and click Edit;
(5) In the permission entry window for the folder, open the "Apply onto" drop-down list and choose a suitable scope, such as "Subfolders only" or "This folder only", then configure the permissions in the "Permissions" list. Finally, click OK to apply the configured permissions.