Windows 7 local security policy. Resetting local group policies in Windows

In my previous articles on Group Policy, I talked about the principles of the snap-in. Some nodes of the current snap-in were examined, as well as the functionality of multiple local group policies. Starting with this article, you will be able to learn about managing security settings on a local computer as well as in a domain environment. Nowadays, ensuring security is an integral part of the work both for system administrators in large and even small enterprises, and for home users who are faced with the task of setting up a computer. Inexperienced administrators and home users may think that after installing an antivirus and a firewall their operating systems are reliably protected, but this is not entirely true. Of course, these computers will be protected from many attacks, but what will save them from the human factor? The security capabilities of current operating systems are extensive. There are thousands of security settings that govern services, network security, access to specific registry keys and settings, BitLocker Drive Encryption recovery agents, application access control, and much, much more.

Due to the large number of security settings in Windows Server 2008 R2 and Windows 7, it is not possible to configure all computers using the same set of parameters. In the article "User Account Control Group Policy Settings in Windows 7", we discussed methods for fine-tuning UAC in Windows operating systems, and this is just a small part of what you can do with security policies. In this series of articles on local security policies, I will try to cover as many security mechanisms as possible with examples that can help you in your future work.

Configuring Security Policies

A security policy is a collection of settings that regulates the security of a computer and is controlled by a local GPO. You can configure these policies using the "Local Group Policy Editor" snap-in or the "Local Security Policy" snap-in. "Local Security Policy" is used to change account policies and local policies on the local computer, while account policies bound to an Active Directory domain are configured using the "Group Policy Management Editor" snap-in. You can open the local security policies in the following ways.

A security policy is a set of parameters for regulating PC security by applying them to a specific object or to a group of objects of the same class. Most users rarely make changes to these settings, but there are situations when it needs to be done. Let's see how to perform these steps on computers with Windows 7.

First of all, it should be noted that, by default, the security policy is configured optimally for the daily tasks of an ordinary user. It is necessary to make manipulations in it only if it becomes necessary to solve a specific issue that requires adjusting these parameters.

The security settings we are examining are governed by a GPO. In Windows 7, you can edit them with the "Local Security Policy" tool or with the Local Group Policy Editor. A prerequisite is logging into a user profile with administrator privileges. We'll look at both of these options below.

Method 1: Using the Local Security Policy Tool

First of all, we will study how to solve the problem with the help of the tool "Local Security Policy".

  1. To launch the specified snap-in, click "Start" and go to "Control Panel".
  2. Next, open the section "System and Security".
  3. Click "Administration".
  4. From the proposed set of system tools, select the option "Local Security Policy".

    The snap-in can also be launched from the "Run" window. To do this, press Win + R and enter the following command:

    Then click "OK".

  5. The above steps will launch the graphical interface of the desired tool. In the overwhelming majority of cases, the parameters that need adjusting are in the "Local Policies" folder, so click on the element with this name.
  6. There are three folders in this directory.

    In the "User Rights Assignment" directory, the rights of individual users or user groups are defined. For example, you can specify whether certain users or categories of users are allowed or denied specific tasks, determine who is allowed to log on to the PC locally and who only over the network, and so on.

    The "Audit Policy" directory specifies which events are recorded in the security log.

    The "Security Options" folder holds a variety of administrative settings that determine the behavior of the OS when it is accessed both locally and over the network, as well as its interaction with various devices. It is not worth changing these parameters without a specific need, since most of the corresponding tasks can be solved through standard account settings, parental controls and NTFS permissions.

  7. To continue with the task we are solving, click on the name of one of the directories above.
  8. A list of policies for the selected directory will open. Click on the one you want to change.
  9. This will open the policy editing window. Its layout and the actions to be performed differ significantly depending on the category the policy belongs to. For example, for objects from the "User Rights Assignment" folder, in the window that opens you add or remove the name of a specific user or user group. Adding is done by pressing the "Add User or Group..." button.

    If you need to remove an element from the selected policy, then select it and click "Delete".

  10. After completing the changes in the policy editing window, do not forget to click the "Apply" and "OK" buttons to save them; otherwise the changes will not take effect.

We described changing security settings using the example of the "Local Policies" folder, but in the same way you can work in the other directories of the snap-in, for example "Account Policies".
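The same three "Local Policies" folders can be read from the command line. The following script is an added example (not code from the original article): it exports the local security policy with secedit, parses the resulting INF template, and prints the sections that back User Rights Assignment, Audit Policy and Security Options. The temporary file path is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): export the local security
# policy with secedit and print the sections that correspond to the three
# "Local Policies" folders described above. Requires an elevated prompt.
# $Path is an assumed location for the temporary export file.
$Path = Join-Path $env:TEMP 'localpolicy.inf'
secedit /export /cfg $Path | Out-Null
if (-not (Test-Path $Path)) { throw 'secedit export failed; run as administrator' }

# Parse the INF template: [Section] headers followed by "Name = value" lines.
$policy = @{}; $section = $null
foreach ($line in Get-Content $Path) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$matches[1]] = $matches[2] }
}
Remove-Item $Path -ErrorAction SilentlyContinue

# User rights are stored as comma-separated SIDs prefixed with '*'; resolve them to names.
function Resolve-Sid([string]$sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}
$auditName = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }

function Show-Section([string]$title, [string]$name, [scriptblock]$format) {
    "== $title =="
    if (-not $policy.ContainsKey($name)) { '  (section not present in export)'; return }
    foreach ($k in ($policy[$name].Keys | Sort-Object)) { '  {0,-45} {1}' -f $k, (& $format $policy[$name][$k]) }
}

# User Rights Assignment -> [Privilege Rights]
Show-Section 'User Rights Assignment' 'Privilege Rights' { param($v) ($v -split ',' | ForEach-Object { Resolve-Sid $_ }) -join ', ' }
# Audit Policy -> [Event Audit] (0 none, 1 success, 2 failure, 3 both)
Show-Section 'Audit Policy' 'Event Audit' { param($v) $auditName[$v] }
# Security Options -> [Registry Values], stored as "MACHINE\...\ValueName = type,data"
Show-Section 'Security Options (registry values)' 'Registry Values' { param($v) $v }
```

The exported template has the same layout that secedit /configure consumes, so the output doubles as a baseline to compare against after someone changes a policy in the GUI.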

Method 2: Using the Local Group Policy Editor tool

You can also configure the local policy using the Local Group Policy Editor snap-in. However, this option is not available in all editions of Windows 7, only in Ultimate, Professional and Enterprise.

  1. Unlike the previous snap-in, this tool cannot be launched from "Control Panel". It can only be started by entering a command in the "Run" window or at the command line. Press Win + R and enter the following expression in the field:

    Then click "OK".

Local Group Policy Editor (gpedit.msc) is a handy and really powerful utility for customizing Windows in detail. Unfortunately, it is not available in the Home Basic and Home Premium editions. But Microsoft did not remove this tool; it only "hid" it in the Windows\winsxs and Windows\SysWOW64 folders.

With our solution, the process becomes much easier and more reliable: you run the free installer and wait for it to complete. We must admit, however, that our convenient method has a small drawback: Windows displays the editor's menu commands in Russian, while the settings themselves and their descriptions are listed in English. If that is not a problem for you, nothing stops you from enjoying this versatile tuning tool.

How to do it:

1. Download the editor

Go to drudger.deviantart.com/art/Add-GPEDIT-msc-215792914 and click the small Download button to download the ZIP file. Attention: the big buttons are sponsored links.

2. Unpack and install

Open your downloads folder and unpack the ZIP archive you downloaded. Double-click the Setup.exe file inside it and wait until it finishes. Then close the installer by clicking Finish.

3. Copy 64-bit files

If you are running a 64-bit version of Windows, open the Windows\SysWOW64 folder in Explorer. From there, copy the GroupPolicy and GroupPolicyUsers directories and the gpedit.msc file to the Windows\System32 folder.

4. Launch the editor

Press the key combination Win + R and enter gpedit.msc. In the User Account Control dialog, click "Yes". This should open the Local Group Policy Editor.

5. Editing the batch file

If, after starting the editor, you receive the message "Management Console (MMC) cannot create snap-in", repeat step 2, but this time do not click "Finish". Instead, open the Windows\Temp\gpedit folder and right-click x86.bat (32-bit Windows) or x64.bat (64-bit Windows). In the context menu, select "Edit".

6. Fixing the snap-in error

In the top third of the file, you will see six lines containing the element %username%:f. Enclose the variable in quotation marks so that each reads "%username%":f, and save the file. (The quotes keep a user name containing spaces together as a single argument, which is what causes the snap-in error.) Now right-click the saved batch file and select "Run as administrator". If you then start the Local Group Policy Editor as described in step 4, the snap-in error should be gone.

7. Working with group policy

In total, the Group Policy Editor offers about 3000 settings that are really easy to apply. Example: if you want your antivirus to scan every attachment automatically, go to "User Configuration | Administrative Templates | Windows Components | Attachment Manager". In the right half of the window you will see several entries. Double-click "Notify antivirus programs when opening attachments". In the window that appears, select "Enabled" and click "OK".

8. Hide outdated settings

If the Local Group Policy Editor seems overly confusing to you, hide the settings that do not apply to your system. To do this, go to "View | Filter Options" and check the box in front of "Enable Requirements Filters". In any case, uncheck the boxes in front of all entries related to Windows 2000. The XP settings also work in Windows 7, so leave them alone. After selecting, click "OK". You will immediately see only the options you want.


I got fired up by this idea of security and decided to try to do the same for myself.

Since I have Windows 7 Professional, my first idea was to use AppLocker, but it quickly became clear that it did not want to work in my edition of Windows and required Ultimate or Enterprise. Given my Windows license and the emptiness of my wallet, the AppLocker option was gone.

The next attempt was to configure Software Restriction Policies. Since AppLocker is a "souped-up" version of this mechanism, it is logical to try these policies, especially since they are free for Windows users :)

We go into the settings:
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies

If there are no rules, the system will offer to generate automatic rules that allow launching programs from the Windows folder and Program Files. We will also add a deny rule for the path * (any path). As a result, we want to be able to run programs only from protected system folders. And what?
Yes, we will get this, but there is just one small misfortune: shortcuts and http links do not work. You could live without the links, but living without shortcuts is no good.
If we allow launching files matching the *.lnk mask, we will be able to create a shortcut for any executable file and launch it via the shortcut, even if it is not in a system folder. Lousy.
A Google search leads to solutions like these: either allow launching shortcuts from a special folder, or use third-party bars with shortcuts. Nothing else. Personally, I don't like this option.

As a result, we are faced with the situation that *.lnk is, from the point of view of Windows, not a link to an executable file but an executable file itself. Crazy, but what can you do... I would like Windows to check not the location of the shortcut but the location of the file it refers to.

And then I accidentally came across the setting for the list of extensions that Windows considers executable (gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies -> Designated File Types). We remove LNK from there, and HTTP at the same time, and log in again. We get fully working shortcuts and a check on the location of the executable file.
There was a doubt whether it would be possible to pass parameters through shortcuts; it is possible, so everything is OK.

As a result, we got the implementation of the idea described in the article "Windows computer without antivirus software" without any inconvenience to the user.

Also, for those who like to shoot themselves in the foot, you can create a folder in Program Files and put a shortcut to it on the desktop, calling it, for example, "Sandbox". This allows running programs from there without disabling the policies, using protected storage (protection through UAC).

I hope the described method will be useful and new for someone. At least I have not heard of this from anyone and have not seen it anywhere.
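To check that a machine actually ended up in the state the post describes (default level Disallowed, LNK and HTTP removed from the designated file types, only the expected path rules), here is an added example that is not part of the original post: it reads the Software Restriction Policy configuration from its registry location and lists recent SRP block events from the Application log. The registry layout and event IDs are those used by SRP; the output formatting is my own.

```powershell
# Added example (not from the original post): report the Software Restriction
# Policy state that the post configures, read from its registry location, and
# list recent SRP block events from the Application log.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { throw 'No machine-level Software Restriction Policy is configured' }

$cfg = Get-ItemProperty $base
$levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$default = if ($null -ne $cfg.DefaultLevel) { $levelName[[int]$cfg.DefaultLevel] } else { 'not set' }
"Default level : $default"
# TransparentEnabled 1 = all software files except libraries (DLLs), 2 = all software files
"Enforcement   : {0}" -f $(if ($cfg.TransparentEnabled -eq 2) { 'All software files' } else { 'All software files except DLLs' })

# Designated File Types: the post removes LNK and HTTP so a shortcut is resolved
# to its target instead of being treated as an executable in its own right.
$types = @($cfg.ExecutableTypes)
"Designated file types: {0}" -f ($types -join ' ')
foreach ($t in 'LNK', 'HTTP') {
    "  {0,-5} {1}" -f $t, $(if ($types -contains $t) { 'still designated' } else { 'removed' })
}

# Additional rules live under one subkey per level, with Paths\{GUID} and Hashes\{GUID}.
"Rules:"
foreach ($lvl in $levelName.Keys) {
    foreach ($kind in 'Paths', 'Hashes') {
        $k = Join-Path $base "$lvl\$kind"
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem $k | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            $what = if ($kind -eq 'Paths') { $r.ItemData } else { 'hash rule: ' + $r.Description }
            "  {0,-12} {1,-6} {2}" -f $levelName[$lvl], $kind, $what
        }
    }
}

# SRP writes an Application-log event when it blocks a launch: 865 (default
# level), 866 (path rule), 867 (certificate rule), 868 (zone rule), 882 (hash rule).
"Recent blocks:"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868, 882 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { "  {0:u}  {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0] }
```

Running this after the re-login described above shows whether the "Sandbox" folder trick works through the Unrestricted path rule for Program Files rather than through a gap in the policy, and the block events are what to review when a user reports that a program "just doesn't start".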


The Group Policy Editor is absent in Windows 7 Home, but in the other editions of this OS version it is present and ready to use.

Launching the Group Policy Editor

It is very easy to launch this editor. To do this, press Win + R on the keyboard, type gpedit.msc in the field and click "OK".

The editor's interface is identical to the other administration tools: using the tree panel on the left, you can get information on each section and change its settings.

As you can see in the screenshot, on the left side, all settings are divided into two parts:

Computer Configuration;
User Configuration.

Each of these parts has three identical sections:

Software Settings;
Windows Settings;
Administrative Templates.

Software Settings is responsible for the parameters of applications installed on the PC.
Windows Settings is responsible for various system parameters: its settings, security settings, etc.
Administrative Templates contain registry-based configuration and are a more convenient editor than the registry itself.

Working with the editor

Configuring restrictions and various parameters is fairly straightforward here. Let's look at a setup example: follow the path User Configuration > Administrative Templates > System, where the last item does not need to be expanded; just click on it with the left mouse button.

Here you can see several parameters for customization, among which there are such settings as:

Prevent access to the command prompt;
Prevent access to registry editing tools;
Don't run specified Windows applications;
Run only specified Windows applications;
Windows Automatic Updates.

To edit these and other parameters, double-click on each of them with the left mouse button. The screenshot shows that the state of a parameter is changed by setting it to "Enabled" or "Disabled".

How Group Policy Works

Let's say you have enabled "Prevent access to the command prompt". Now, when the user tries to run it, they will receive the following error message:

The user will receive such a message whenever they try to perform a prohibited action. If a decision is made to simplify the use of the PC, for example by disabling the prompt under "User Account Control: Behavior of the elevation prompt for administrators", the window asking for consent to start a program that makes changes to the system will no longer be displayed (which also means any program running under that administrator account can elevate silently).
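Because Administrative Templates are registry-backed, the effect of the policies listed above can be verified from the registry without opening the editor. The script below is an added example, not code from the original article: it reads the values that the four user-level System policies write and reports each policy's state, including the application lists behind "Don't run" and "Run only". Value names and locations are the ones these policies use; the output layout is my own.

```powershell
# Added example (not from the original article): show the registry values that
# the User Configuration > Administrative Templates > System policies listed
# above write, so the state seen in the editor can be checked from the registry.
$checks = @(
    @{ Policy = 'Prevent access to the command prompt'
       Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'
       Map = @{ 1 = 'Enabled (cmd and batch scripts blocked)'; 2 = 'Enabled (cmd only, scripts allowed)' } },
    @{ Policy = 'Prevent access to registry editing tools'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'
       Map = @{ 1 = 'Enabled'; 2 = 'Enabled (silent regedit /s blocked too)' } },
    @{ Policy = "Don't run specified Windows applications"
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun'
       Map = @{ 1 = 'Enabled' }; ListKey = 'DisallowRun' },
    @{ Policy = 'Run only specified Windows applications'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'RestrictRun'
       Map = @{ 1 = 'Enabled' }; ListKey = 'RestrictRun' }
)

function Get-PolicyState($c) {
    # A missing value means the policy is "Not configured"; 0 means explicitly disabled.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $v = [int]$item.($c.Name)
    $state = if ($c.Map.ContainsKey($v)) { $c.Map[$v] } elseif ($v -eq 0) { 'Disabled' } else { "Unknown value $v" }
    # The allow/deny lists are numbered string values ("1", "2", ...) in a subkey of the same name.
    if ($c.ListKey -and $v -eq 1) {
        $listPath = Join-Path $c.Key $c.ListKey
        $apps = (Get-ItemProperty $listPath -ErrorAction SilentlyContinue).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        $state += ' [' + ($apps -join ', ') + ']'
    }
    return $state
}

foreach ($c in $checks) { '{0,-45} {1}' -f $c.Policy, (Get-PolicyState $c) }
```

Note that "Don't run" and "Run only" match on file name only and are enforced by Explorer, so they restrict what a user launches from the shell rather than what can execute; the Software Restriction Policies discussed earlier are the mechanism for the latter.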

All parameters can be customized to your liking, resulting in increased productivity and safety when working on a PC with other users.