LAB 2 TO LOCAL POLICY V LOCAL SECURITY POLICY Trong cng tc qun tr mng vic ng dng Policy vo cng vic

c l iu khng th thiu i vi bt c nh qu tr mng no. Vi Policy ta c th ty bin Windows theo ch m vi ngi s dng thng thng khng th lm c. Phn 1 : To Local Policy 1/Mc tiu to Local Policy : To cc chnh sch cho User 2/Cc bc thc hin: Bc 1: Khi ng Windows 2003 vi quyn Administrator . Chn Start Run g lnh Mmc OK Bc 2 : Xut hin mn hnh Console 1 Chn File Add/ Remove Snap-in Trong mn hnh Add Standalone Snap-in tm mc Group Policy Object Editor Add Finish. Bc 3: Chn Close ng mn hnh Add Standalone Snap-in OK ng mn hnh Add/ Remove Snap-in. Bc 4: mn hnh Console1chn File Save trong mc Save in chn Desktop trong mc File Name nhp vo Local Policy Save. Trn mn hnh Desktop s xut hin biu tng Local Policy. Bi tp ng dng 1 : Thc thi Policy trn User Lm bin mt Control Panel. +Vo Local Policy trn mn hnh Desktop Local PolicyLocal Computer PolicyUser ConfigurationAdministrative Templatescontrol Panel Chn Prohibit Access to the Control Panel click right trn Prohibit Access to the Control Panel Properties click Enables Apply OK. +Thc hin active policy va cu hnh c hiu lc. +Chn Start Run g cmd OK nhp vo gpupdate /force (bm Enter) . +Khi , policy va to s c tc dng. +Lu : sau mi ln iu chnh policy cn phi thc hin lnh gpupdate /force policy c hiu lc. +Thc hin kim tra . Chn Start Settinggs. By gi s khng cn thy Control Panel.

Bi tp ng dng 2: Thc thi Policy trn Computer Lm n cc option ca Tab Automatic Updates. +Kim tra cc option ca Tab Automatic Update trc khi thc hin Policy . Click Right My ComputerProperties Chn Tab Automatic Updates cc Option cho php chnh sa . +Cc bc thc hin p policy ln Computer . +Trn mn hnh Desktop Local PolicyLocal Computer Policy computer Configuration Administrative Templates Windows Components Windows Update Configure Automatic Update Click Right Configure Automatic Update PropertyEnabledApplyOK +Active policy : StartRunnhp cmdOK nhp gpupdate /force . +Kim tra cc option ca tab Automatic Update, chng ta thy cc option ny iu b n, khng th chnh sa c. Bi tp ng dng 3 : Xy dng chnh sch cho Account Account Policy. a/ Yu cu t password phc tp . Thc hin : Local policy Local Computer PolicyWindows SettingsAccount Policies Password Policy Password Password must meet complexity requirmnts. Bt Enabled th password nhp vo phi phc tp (v d: @then@123) th h thng mi chp nhn . b/ Thc hin p policy tng t vi cc mc :
# Password must meet complexity : khi t password cho wins phi c phc tp.(hoa, thng, s, k t c bit) Mc nh tnh nng ny s b disable, gia tng ch bo mt bn nn Enable n ln # Minimum password age: mc nh gi tr ny l 0 nu ta thay n bng con s khc 0 VD l 3 chng hn th user ch c quyn thay i password 3 ngy mt ln m thi. # Minimum password length: gia tng ch bo mt bn nn Enable tnh nng ny ln vi gi tr >8 cho di ca password user lun mc an ton cao. # Enforce password history: nh bao nhiu password khng cho t trng. # Store password using reversible : m ho password.

c/ Account lockout policy:

# Account lockout threshold: kho account khi ng nhp sai. Bn nn cho gi tr ny l 3 trnh tnh trng hacker c gng d tm password ca bn, v nu hacker d pass sai qu 3 ln account ny s b lock trong vng 30 pht. Nu user ng nhp sai qu 3 ln dn n account user ny b lock bn c th unlock cho account ny ngay tc th bng cch ng nhp vo vi quyn Administrator sau chn Computer Management -> Local user and group -> User Sau double click vo account b lock b chn mc Account is locked out. # Account lockout duration: kho account trong 30 pht khi ang nhp sai. # Reset account lockout counter after: xo b nh nh pass.

Bi tp ng dng 4 : Cc tnh nng Local policy # Vo Local Policy (c to v lu li trn desktop trong bi trc) Local Computer Policy Computer Configuration Security Settings Local Policies :
a/ User rights assignment: # Deny logon locally: chn user khng cho ng nhp vo my tnh. # Change the system time: nhng ngi c thay i gi h thng. # Shutdown the system: nhng ngi c quyn tt my. v cn nhiu tnh nng khc ,cc bn c th tm hiu v thc hin tng t nh trn. b/ Sercurity options: # Interactive logon: Do not display last user name: Khi user logout my ca s ng nhp s khng ghi li account user va logon. # Interactive logon: Message text for users attempting to log on: Bn c th nhn gi mt ni dung no ti cc user trc khi h logon vo my vi ni dung nhn gi y. # Interactive logon: Message title for users attempting to log on: Bn nhp tiu ca hp ni dung nhn gi vo y. Bi tp ng dng 5 : Administrative Templates * Vo Administrative Templates a/ System # Turns off Autoplay: vi tu chn l Enable (All drivers) bn s gim nguy c ly lan virus do cc thit b ngoi vi nh USB, CD Lu : Sau khi tu chnh trong Group Policy thc thi cc thay i bn phi tin hnh logoff my hoc vo Start chn Run nhp lnh gpupdate /force V cn nhiu tnh nng khc na v Local Policy & Local Sercurity Policy , cc bn c th t tm hiu v thc hin tng t nh cc bc trn Cc ng dng trong Local Policy & Local Sercurity Policy ca Windows Vista , windows XP cng tng t nh trong Windows Server 2003, nhng v Windows Vista , XP l mt win Client nn khi ta truy cp vo mt my Vista th n lun hiu rng bn l Guest cho d bn ng nhp vi bt c quyn hn g. Do bn phi vo Local Policies chn Sercurity Options # Accounts: Limit local account use of blank passwords to console logon only: Gii hn ti khon user c password trng ng nhp Bn Disable n i

Bi tp ng dng 5: To mt s Local policy thng dng Remove My Computer icon on the Desktop Cc bc thc hin : Local Policy Local Computer Policy User Configuration Administrative Templates Desktop. Bt chc nng Enable th s n biu tng My Computer trn mn hnh Desktop ca user . Thc hin gpupdate /force , kim tra

vic n icon My Computer trn my tnh. Cn Disable v Not Configure th khng n icon My Computer trn mn hnh desktop. Hide and Disable all item on the Desktop Cc bc thc hin : Local Policy Local Computer Policy User Configuration Administrative Templates Desktop Dont Display the Getting Started Wellcome Screen at the Logon v ch p dng trn WinXP Pro v Win 2000 Cc bc thc hin : Local Policy Local Computer Policy Computer Configuration Administrative Templates System logon. Nu bt Enabled th lm n i mn hnh Wellcome khi user logon vo h thng. Cn Disable v Not Configue th ngc li Display Shutdown Event Tracker Cc bc thc hin : Local Policy Local Computer Policy Computer Configuration Administrative Templates System. Nu bt Enabled th mi ln Shutdown my s khng hin th mn hnh Shutdown Event Tracker yu cu nhp l do Shutdown my . Cn Disable v Not Configue th ngc li

Phn 2 : To Local Security Policy 1/Mc tiu to Local Security Policy : Thit lp chnh sch bo mt trn ton b Computer 2/Cc bc thc hin : Chun b : Mt my tnh windows 2003, to user c tn athena . t password : @thena@123 Bi tp ng dng 1: Thit lp chnh sch cho user Athena c quyn shutdown h thng .( bn kim tra xem user athena c quyn shutdown h thng hay khng ?) Thc hin : Start Programs Administrative Tools Local Security Policy Local Policies User Right Assignment Click Right trn Shutdown the Systems Property Add user and Groups Advanced Find Now tm user AthenaOKApplyOK Thc hin lnh : gpupdate/ force Kim tra : Logon on vi user Athena , chng ta s thy cho php shutdown h thng. 3/ Mt s Security Policy thng dng thng gp Do not require CTRAL ALT- DEL (local policies Security Option) : Khng cho xut hin mn hnh yu cu n Ctral- Alt Delete Message Text for user attempting to log on (local policies Security Option): Hin th mt on text khi user logon vo h thng Change the system time(local policies User Rights Assignment): Cho php user no c quyn thay i gi ca h thng Rename Guest Account (local policies Security Option) : Thay i tn ca user Guest