There is no end of optimization tips for Windows 7 (hereinafter referred to as Win7). Users often piece settings together without really understanding them; it is hard to tell which of these methods are genuine, and impossible to know their effect. In fact, the Group Policy feature built into Win7 can be used to optimize the system. This article explains how to use Group Policy to make Win7 more secure.
Note: The Group Policy function is only available in Win7 Professional, Ultimate and Enterprise editions.
File confidentiality: an invisibility cloak for the drive
Drives mainly include hard drives, optical drives and mobile storage devices, and are mainly used to store data. Restricting the use of drives is therefore necessary to prevent the leakage of important and confidential information and to block the intrusion of viruses and Trojans. Different drives have different restriction methods, and the same drive can have different restriction levels. Take hard disks first. Generally there are two levels: hidden and access prohibited. The hidden level is relatively basic and just makes the drive invisible; it is generally used to keep out children and novice users. The access-prohibited level can completely prevent access to the drive. For mobile devices, you can set read, write, and execute permissions, but viruses and Trojans generally spread by executing malicious programs, so disabling execution permissions is most effective.
Primary defense: invisible to ordinary users
There are some important files on the hard drive of your computer at home, and you don’t want others to see them. The easiest way is to hide the drive where the files are located. Click "Start" and enter "gpedit.msc" in the search box. After confirmation, the Group Policy Editor will open. Expand "User Configuration→Administrative Templates→Windows Components→Windows Explorer" in order. In the settings window on the right, open "Hide these specified drives in 'My Computer'", select "Enabled", select the drive that needs to be hidden in the drop-down list below, and then click OK. Open "Computer" again, and the icon of the drive you just selected will have disappeared.
Tip: This method only hides the drive icon. Users can still access the drive's contents using other methods, such as typing the directory path on the drive directly into the address bar. Additionally, this setting does not prevent users from using programs to access these drives or their contents.
Advanced defense: usable only by privileged users
The system disk holds important system files that must not be modified or moved by others. And when some partitions hold important files, merely hiding the drive still leaves it accessible to others. This is of course not acceptable! The safest way is to protect the relevant drive and prohibit unauthorized users from accessing it.
Similarly, in the Group Policy Editor, expand "User Configuration → Administrative Templates → Windows Components → Windows Explorer", open "Prevent drive access from 'My Computer'", select "Enabled", and select the drive that needs to be blocked from access in the drop-down list below. It will take effect after confirmation (as shown in Figure 1). When others try to access the relevant drive, a "restriction" prompt window will appear! When you need to view the drive yourself, just change the relevant policy setting from "Enabled" to "Not Configured".
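To check what the two drive policies above actually leave in place, the following added example (not part of the original article) decodes their stored bitmasks and flags drives that are only hidden. The registry value names `NoDrives` and `NoViewOnDrive` are the standard Explorer policy values rather than names taken from the article; the function names are hypothetical and the sample masks are constructed.

```powershell
# Added example, not from the article. Both policies are stored per user as a
# 26-bit mask (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:) in this key:
#   NoDrives      = "Hide these specified drives in 'My Computer'"
#   NoViewOnDrive = "Prevent drive access from 'My Computer'"
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertFrom-DriveMask {
    param([int]$Mask)
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band [int][math]::Pow(2, $bit)) {
            $letters += ([string][char](65 + $bit)) + ':'
        }
    }
    $letters
}

# Hypothetical helper. Flags drives that are hidden but not blocked, which
# stay reachable by typing a path, as the article's tip points out.
function Get-DrivePolicyReport {
    param([int]$NoDrives, [int]$NoViewOnDrive)
    $hidden  = @(ConvertFrom-DriveMask $NoDrives)
    $blocked = @(ConvertFrom-DriveMask $NoViewOnDrive)
    foreach ($drive in @($hidden + $blocked | Sort-Object -Unique)) {
        $isHidden  = $hidden  -contains $drive
        $isBlocked = $blocked -contains $drive
        New-Object PSObject -Property @{
            Drive   = $drive
            Hidden  = $isHidden
            Blocked = $isBlocked
            Finding = $(if ($isHidden -and -not $isBlocked) { 'hidden only' } else { 'ok' })
        }
    }
}

# Constructed sample: C: and D: hidden (4 + 8 = 12), only C: blocked (4).
Get-DrivePolicyReport -NoDrives 12 -NoViewOnDrive 4 |
    Select-Object Drive, Hidden, Blocked, Finding | Format-Table -AutoSize

# Live values for the logged-on user; missing values read as 0 (no restriction).
$live = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
Get-DrivePolicyReport -NoDrives ([int]$live.NoDrives) -NoViewOnDrive ([int]$live.NoViewOnDrive) |
    Select-Object Drive, Hidden, Blocked, Finding | Format-Table -AutoSize
```

Run it in the session of the user the policy applies to, since both values live under that user's registry hive.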
Tip: When this policy setting is enabled, users will not be able to set a default homepage, so if necessary, users must specify a default homepage before modifying the settings.
Freeze IE settings
As mentioned above, once the system is infected with a virus or Trojan horse, other IE settings may be tampered with in addition to the IE homepage. It is therefore well worth putting a protective cover over the IE settings. Once configured, IE settings often stay unchanged for a long time, so it is better to freeze them completely!
Expand "User Configuration→Administrative Templates→Windows Components→Internet Explorer→Internet Control Panel" in order. The right pane contains "Disable Advanced Page", "Disable Connection Page", "Disable Content Page", "Disable General Page", "Disable Privacy Page", "Disable Program Page" and "Disable Security Page", which correspond to the seven tabs of "Internet Options" in IE (as shown in Figure 3). If all of them are enabled, a "Restrictions" error dialog box appears when "Internet Options" is opened, which completely prevents modification of the IE browser settings.
Tip: Enabling "Disable General Page" will delete the "General" tab in "Internet Options". If you enable this policy, users cannot view and change settings for the homepage, cache, history, page appearance, and accessibility. Because this policy removes the General tab, if you set this policy, you do not need to set the following Internet Explorer policies - "Disable changing home page settings", "Disable changing temporary Internet files settings", "Disable changing history settings", "Disable changing color settings", "Disable changing link color settings", "Disable changing font settings", "Disable changing language settings" and "Disable changing accessibility settings".
Permission management gives the system a sharp eye
Nowadays, some software is really rogue. For example, a lot of software claims to be for the convenience of others, but maliciously bundles extra programs or web pages when it is repackaged or made into a portable ("green") version. The method is generally very low-level: nothing more than batch files and manual injection of registry information. We can therefore use Group Policy to prohibit some dangerous types of files from running. In addition, in some shared environments (such as offices), much software is not allowed to be used (such as chat software), so administrators can also use Group Policy to manage this effectively.
Prevent dangerous files from running
Some types of files (such as ".reg" registry files and ".bat" batch files) are rarely used by ordinary users, and they are easily exploited by viruses or Trojans. Preventing these types of files from running can therefore improve computer security to a certain extent.
Expand "Computer Configuration→Windows Settings→Security Settings→Software Restriction Policy" in sequence, right-click it and select "Create Software Restriction Policy" from the pop-up menu; "Security Level", "Other Rules", "Enforcement", "Specified File Types" and "Trusted Publishers" will be generated automatically. Open the properties window of "Specified File Types" and leave only the file types that need to be banned, such as "bat batch file", deleting all other file types. If a type is not in the list, enter the file type to be disabled in the "File extension" text box below and add it. Then go to "Security Level → Not Allowed" and click the "Set as Default" button, and the policy will take effect. When you run any batch file again, execution will be blocked.
Disable a program: recognized even in disguise
In addition, many companies do not allow the use of chat software. Take QQ as an example. If you simply uninstall QQ, users may reinstall it or install the software to another location. In this case, Group Policy gets the job done easily.
Expand "Computer Configuration → Windows Settings → Security Settings → Software Restriction Policy → Other Rules" and select "New Hash Rule" (as shown in Figure 4). Click "Browse" and select QQ's executable file "QQ.exe". The first line under "File Information" is the generated hash value, which is unique to the file; the file's basic information is displayed below it. Under "Security Level", select "Do not allow". After you confirm, log out, and log in again, the setting takes effect.
Tip: The advantage of hash rules is that no matter whether the program is renamed, moved or otherwise handled, as long as the hash value still matches, the restriction keeps applying! It can therefore effectively restrict the running of specific software.
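The following added example (not part of the original article) is a read-only audit of the two Software Restriction Policy procedures above: it reports the default security level, whether "bat" and "reg" are among the specified file types, and every hash rule at the disallowed level. The registry location and value names are the standard storage for these policies, not names taken from the article, and the function names are hypothetical.

```powershell
# Added example, not from the article: read-only audit of the computer-level
# Software Restriction Policy as stored in the registry.
$SrpRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames   = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
$HashAlgNames = @{ 32771 = 'MD5'; 32772 = 'SHA1' }   # CryptoAPI ALG_ID values

function Get-SrpSettings {
    $cfg = Get-ItemProperty -Path $SrpRoot -ErrorAction SilentlyContinue
    if (-not $cfg) { return }                  # no policy has been created
    $types = @($cfg.ExecutableTypes)           # the "Specified File Types" list
    $level = $LevelNames[[int]$cfg.DefaultLevel]
    New-Object PSObject -Property @{
        # Disallowed as default blocks everything no Unrestricted rule matches.
        DefaultLevel   = $(if ($level) { $level } else { $cfg.DefaultLevel })
        BatCovered     = $types -contains 'BAT'
        RegCovered     = $types -contains 'REG'
        SpecifiedTypes = $types -join ','
    }
}

function Get-SrpDisallowedHashRules {
    $key = Join-Path $SrpRoot '0\Hashes'       # level 0 = Disallowed
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        $alg  = $HashAlgNames[[int]$rule.HashAlg]
        New-Object PSObject -Property @{
            RuleId    = $_.PSChildName
            File      = $rule.FriendlyName
            SizeBytes = $rule.ItemSize
            Algorithm = $(if ($alg) { $alg } else { $rule.HashAlg })
            Hash      = ($rule.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
        }
    }
}

Get-SrpSettings | Format-List
Get-SrpDisallowedHashRules |
    Format-Table RuleId, Algorithm, SizeBytes, File -AutoSize
```

A hash rule matches one exact file, so a program update that changes the executable produces a new hash and needs a new rule; rerunning the audit after updates shows which builds are still covered.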