Firewall and IP security policy configuration

One 、 1、 It can't be realized , Third party solutions are required 2、Windows The system does not have this function , Third party software may , For example, the requirement that shared folders do not allow any form of file removal has been billed to Microsoft , Microsoft can't , Third party software solutions such as https://cloud.tencent.com/developer/article/1871398 Two 、 Ordinary users cannot configure administrator users Remote users and remote user groups are required Users who can change the system configuration plus the administrator group The server has limited functions , Third party security software , For example, the server security dog （https://www.safedog.cn/about.html） There are multidimensional security policies , For example, the host name of the client computer is used to set the permission / prohibit 1、 Group policy configures the device and resource redirection policy that prohibits the Remote Desktop Session host 2、 Specify user join remote desktop users Group , Users who are not in this group cannot be remote , It is forbidden to access all external networks through IP The security policy can realize 3、 Access designation IP adopt IP Security policy implementation 4、 Users who are not allowed to modify the system configuration （ Non administrator ） It can't be modified , Including but not limited to restart / Shut down the machine 、 Run the command as an administrator 、 Modify registry 、 Modify group strategy 、 Modify the firewall 、 modify IP The security policy 、 Modify the configuration of local users and groups , Ordinary user permission is enough A firewall 、IP Description of security policy configuration ： 1、 Clear the firewall / Inbound rules 、 Keep the firewall open , yes ： Inbound prohibit all 、 Exit and release all

2、 The release port is released in the firewall inbound rule ,IP The scope is IP The security policy controls 3、IP The security policy (secpol.msc) Configuration skills ： ① First match IP Range （ In or out direction IP、 agreement 、 port ） and action （ allow / prohibit ） ② establish IP The security policy （ Select... During creation ① Created in the IP Range , And for the selected IP Scope application ① Actions created in ） ③ application IP The security policy give an example ： Only allowed 221.218.140.195、111.206.145.0/24 Segment's client access server 3389 port , And only the server is allowed to follow 115.159.148.149 Of 80 port 、221.218.140.195 and 111.206.145.0/24 All ports interact with each other , All other prohibitions 1、 Make sure windows firewall A service is a running state , It works like this wf.msc Before firewall rules can be operated . function wf.msc, Then use the mouse and shift Key to select all enabled rules , Right click to disable all rules （ It is equivalent to clearing rules ）, Then create release 3389 Inbound rule for , Don't care when creating IP Range , Simply configure the local ALL、 long-range ALL that will do ,

2、 After configuration , Turn on the firewall , step ： ① function services.msc find windows firewall service , Check whether it is running , If it is not open ; If not in operation 、 And it is forbidden , First adjust to the automatic state , Then open it .

If not in operation 、 It is automatic , Firewall startup alarm “ Error code 87”, It needs to be deleted HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall .

If not in operation 、 It is automatic , Firewall startup alarm " error 1068: Dependent service or group cannot start ", Please check Base Filtering Engine（ namely BFE） Is it running , If not, start BFE, Then view the system log , If it is a related driver problem , Fix the driver problem before starting the firewall , If the driver service （mpsdrv） Registry and corresponding driver file （‪C:\Windows\System32\drivers\mpsdrv.sys） No problem , But still report this mistake , Then we can only use sfc /scannow Try it ,sfc If you can't fix it, it's almost impossible , You can only reinstall the system after backing up the data .

Find out mpsdrv.sys The path of seems to be wrong , Compare with normal system , It is found that the normal system is like this , But compared with other services, it is found that , There are differences , The environmental variables verify that there is no change , Try to change it to %systemroot%\system32\drivers\mpsdrv.sys try , The same error is reported when the machine is restarted after the change

Execute as Administrator sfc /scannow The system file is found to be damaged , Compare it with the normal system carefully , Find out C:\Windows There are many folders missing from the directory , And found This document The problem described , function Different .msc command , Some are normal , Some report mistakes 【MMC Unable to create snap in This snap in may not be installed correctly 】, There is an error report interface CLSID:FX:{GUID}, The solution is to verify C:\windows\assembly Whether this directory exists , If it doesn't exist , Buy a new machine with the same public image , Package and unzip the directory to the same location of the problem machine , The damaged .msc The command is restored , But the firewall service keeps reporting errors , I don't know which files are damaged , Anyway, these commands recommended by Microsoft can't be fixed , but , Finally, you can only back up the data and reinstall the system .

sfc /scannow

DISM.exe /Online /Cleanup-image /Scanhealth

DISM.exe /Online /Cleanup-image /Checkhealth

DISM.exe /Online /Cleanup-image /Restorehealth

Assume that there is no problem starting the firewall service , Or the problem is fixed , This is the premise of enabling firewall rules .

② function firewall.cpl Turn on the firewall rule switch

3、 Refer to the foregoing IP Security policy configuration skill configuration IP The security policy , stay IP Fine control over the range ①IP Groups and actions

there IP Group has 4 individual , The screenshot is as follows

② application IP Groups and actions to create IP The security policy

③ Right click on the application IP The security policy