Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11Secure Endpoint with Group Policy
Group Policy is an important mechanism in the network security process. Here are some very useful settings to block network access.
Set up mobile storage control
Universal Serial Bus (USB) storage devices pose a major threat to the security of workstations. These devices make it easy for crooks to steal information or install unauthorized software on the network.
Although no tools in Group Policy help control access to these USB storage devices, there are some settings that prevent users from using these devices.
One method involves the process of creating a customized administrative template containing a Group Policy Template, providing access to an installation that can be used to turn off the USB port.
Import this template into Group Policy as a .adm file.
To create the .adm file, download the .msi file containing the .adm files here, then double-click the .msi file to install.
Note: Select the appropriate .msi download for the system.
Enable local security policy
Windows Mobile
Set up mobile storage control
Universal Serial Bus (USB) storage devices pose a major threat to the security of workstations. These devices make it easy for crooks to steal information or install unauthorized software on the network.
Although no tools in Group Policy help control access to these USB storage devices, there are some settings that prevent users from using these devices.
One method involves the process of creating a customized administrative template containing a Group Policy Template, providing access to an installation that can be used to turn off the USB port.
Import this template into Group Policy as a .adm file.
CLASS MACHINE
CATEGORY !! category
CATEGORY !! categoryname
POLICY !! policynameusb
KEYNAME "SYSTEMCurrentControlSetServicesUSBSTOR"
EXPLAIN !! explaintextusb
PART !! labeltextusb DROPDOWNLIST REQUIRED
"Start" VALUENAME
ITEMLIST
NAME !! Disabled VALUE NUMERIC 3 DEFAULT
NAME !! Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !! policynamecd
KEYNAME "SYSTEMCurrentControlSetServicesCdrom"
EXPLAIN !! explaintextcd
PART !! labeltextcd DROPDOWNLIST REQUIRED
"Start" VALUENAME
ITEMLIST
NAME !! Disabled VALUE NUMERIC 1 DEFAULT
NAME !! Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !! policynameflpy
KEYNAME "SYSTEMCurrentControlSetServicesFlpydisk"
EXPLAIN !! explaintextflpy
PART !! labeltextflpy DROPDOWNLIST REQUIRED
"Start" VALUENAME
ITEMLIST
NAME !! Disabled VALUE NUMERIC 3 DEFAULT
NAME !! Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !! policynamels120
KEYNAME "SYSTEMCurrentControlSetServicesSfloppy"
EXPLAIN !! explaintextls120
PART !! labeltextls120 DROPDOWNLIST REQUIRED
"Start" VALUENAME
ITEMLIST
NAME !! Disabled VALUE NUMERIC 3 DEFAULT
NAME !! Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category = "Custom Policy Settings"
categoryname = "Restrict Drives"
policynameusb = "Disable USB"
policynamecd = "Disable CD-ROM"
policynameflpy = "Disable Floppy"
policynamels120 = "Disable High Capacity Floppy"
explaintextusb = "Disables the USB ports by disabling the usbstor.sys driver"
explaintextcd = "Disables the CD-ROM computers Drive by disabling the cdrom.sys driver"
explaintextflpy = "Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120 = "Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb = "Disable USB Ports"
labeltextcd = "Disable CD-ROM Drive"
labeltextflpy = "Disable Floppy Drive"
labeltextls120 = "Disable High Capacity Floppy Drive"
Enabled = "Enabled"
Disabled = "Disabled"
(Source Microsoft).
To create the .adm file, download the .msi file containing the .adm files here, then double-click the .msi file to install.
Note: Select the appropriate .msi download for the system.
In addition, USB storage devices may be turned off with software restriction policies. When a user connects a USB drive to the system, Windows will download the diver % SystemRoot% InfUSBSTOR.INF file . A Hash Rule can be created to block access to this file as shown in the image below.
Block the USB drive from accessing the USBSTOR.INF file.
Although this is not a policy-based approach, this is a fairly simple method to use NT system file permissions to deny access to the USBSTOR.INF file.
In addition, third-party tools, such as GFI EndPoint Security, can provide more control over mobile storage devices than Windows built-in tools.
In addition, third-party tools, such as GFI EndPoint Security, can provide more control over mobile storage devices than Windows built-in tools.
Enable local security policy
Local security policies provide many of the same settings as network-level policies, but they are designed to protect the system when it is not authenticated in a domain. Therefore, a computer will not appear weak if someone finds a local login method.
These privacy policies are often ignored because they cannot be centrally managed, so it is difficult to update.
Furthermore, each computer on the network needs a local security policy with important settings enabled. If this policy becomes outdated, network policy settings will override local policy settings when users are online. When a user does not log on to the network, the local security policies protect the system. There is the protection of an outdated policy that is better protected anyway.
These privacy policies are often ignored because they cannot be centrally managed, so it is difficult to update.
Furthermore, each computer on the network needs a local security policy with important settings enabled. If this policy becomes outdated, network policy settings will override local policy settings when users are online. When a user does not log on to the network, the local security policies protect the system. There is the protection of an outdated policy that is better protected anyway.
Windows Mobile
Typically, Endpoint Security is often focused on desktops or laptops and servers. Mobile devices are often left open because they are used very little and their capabilities are limited. However, now things have changed.
Smart phones that can perform computer functions appear more and more often, leading to widespread mobile phone applications.
The result is an insecure mobile device that can cause network security problems like an unsecured laptop. If a user wants to use a mobile device to hack into the network, there will be an application that serves as an effective assistant. In fact, now we have heard a lot of information about virus spreads on mobile devices.
Group Policy settings can be used to block mobile devices similar to when locking a desktop system. However, not all mobile devices are compatible with Group Policy platform security.
Smart phones that can perform computer functions appear more and more often, leading to widespread mobile phone applications.
The result is an insecure mobile device that can cause network security problems like an unsecured laptop. If a user wants to use a mobile device to hack into the network, there will be an application that serves as an effective assistant. In fact, now we have heard a lot of information about virus spreads on mobile devices.
Group Policy settings can be used to block mobile devices similar to when locking a desktop system. However, not all mobile devices are compatible with Group Policy platform security.
Network-level Group Policy settings can only be applied to domain members. Therefore, only devices that can join the domain will be secured by Group Policy. Currently, only mobile devices that use Windows Mobile 6.1 and 6.5 can join the domain.
Group Policy settings for mobile devices are not included in Windows Server. To get the necessary administrative templates, we need to install System Center Mobile Device Manager. This tool adds about 125 Group Policy settings, accessible via Group Policy Object Editor at Administrative Templates / Windows Mobile Settings .
In short, just using some of the existing Group Policy settings, we can block Endpoint for added security.
Group Policy settings for mobile devices are not included in Windows Server. To get the necessary administrative templates, we need to install System Center Mobile Device Manager. This tool adds about 125 Group Policy settings, accessible via Group Policy Object Editor at Administrative Templates / Windows Mobile Settings .
In short, just using some of the existing Group Policy settings, we can block Endpoint for added security.
4 ★ | 1 Vote
Samuel DanielYou should read it
- Top 5 trends in endpoint security for 2018
- 8 'tweak' Windows Group Policy any Admin should know
- Use Group Policy Filtering to create a NAP DHCP enforcement policy - Part 1
- How to reset Local Group Policy settings on Windows 10
- 4 tips to open Local Group Policy Editor on Windows 8 / 8.1
- Endpoint Detection and Response threats, an emerging security technology
- Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 2
- Top 5 security settings in Group Policy of Windows Server 2008
May be interested
- 10 important Windows Group Policy settings need to be done immediately
configure the 10 group policy below carefully and enjoy better windows security for your computer. - How to use Local Group Policy Editor to tweak your computerthis article will show you how to use local group policy editor to make computer changes.
- 11 tips to open Local Group Policy Editor on Windowson local group policy editor, you can set up deletion of notification history, set up account lock to limit the number of login times, etc. in the article below, tipsmake.com.com will introduce to you a several ways to open local group policy editor on windows.
- Cannot open Local Group Policy Editor, quick fixto change configuration and important windows policies, windows 11 users will use local group policy editor. in case you cannot open the local group policy editor, immediately refer to the information in tipsmake's article!
- How to install the Microsoft Edge Group Policy template on Windows 10on windows 10, you can download and install group policy templates to manage microsoft edge settings, and this guide will show you the process.
- Learn about terminal security (endpoint security)the world of modern information technology brings many benefits but also favorable conditions for bad guys to make use of.
- Control Wifi access using Group Policyusers can create a group policy setting that blocks workstations connected to any wi-fi network outside the specified network.
- Top 5 trends in endpoint security for 2018endpoint security is a type of security that is growing rapidly.
- How to Edit Group Policy in Windows XPdiscussed herein are ways through which a pc user can be able to utilize the group policy snap-in to develop or edit the lists of applications that load automatically when you log into a pc running on windows xp. this option is utilized...
- Endpoint Detection and Response threats, an emerging security technologyendpoint threat detection and response (etdr) is a term first introduced by security expert anton chuvakin from gartner in 2013 to refer to the tools mainly focus on detecting and investigating suspicious activities (as well as traces of other phenomena that don't always happen) on the server or endpoint.
Computer security
- Wi-Fi security with advanced techniques
- Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4
- Configure Hyper-V security using Authorization Manager - Part 2
- Update Adobe Reader against zero-day errors
- Keep it private on Facebook in 7 steps
- Prevent 11 types of hard-to-detect security crimes
Wi-Fi security with advanced techniques
Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4
Configure Hyper-V security using Authorization Manager - Part 2
Update Adobe Reader against zero-day errors
Keep it private on Facebook in 7 steps
Prevent 11 types of hard-to-detect security crimes