windows2003安全加固脚本

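@echo off
rem Windows Server 2003 hardening script. Must run from an elevated (Administrators) cmd.
rem setlocal keeps variable and directory changes made below from leaking into the caller's shell.
setlocal
title Windows Security
echo.
echo *******************************************************************************
echo.              Common Security Configuration For Windows Server 2003
echo *******************************************************************************
echo.
echo.
rem Remove IIS helper content (Internet printing, IIS password change pages, IIS help)
rem that a hardened server does not need. Paths use SYSTEMROOT instead of a hard-coded
rem C:\WINDOWS so the script also works on installs that use another system root.
del /Q /F "%SYSTEMROOT%\Web\printers\*.*"
del /Q /F "%SYSTEMROOT%\system32\inetsrv\iisadmpwd\*.*"
rd "%SYSTEMROOT%\Web\printers" /S /Q
rd "%SYSTEMROOT%\help\iishelp" /S /Q
rem Make the console host (cscript) the default script host, so scripts do not pop up GUI dialogs.
cscript //h:cscript
rem Register the Windows Installer service and MSXML3 silently.
msiexec /regserver
regsvr32 msxml3.dll /s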
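rem Grant Administrators and SYSTEM full control on the system drive. /E edits the ACL
rem instead of replacing it; "echo y" answers the cacls confirmation prompt.
echo y | cacls C: /C /E /G administrators:F system:F
rem cacls /C D: /G administrators:F system:F
rem cacls /C E: /G administrators:F system:F
rem Key directories. Without /E the existing ACL is replaced. Note that users:C (Change)
rem on the system root and everyone:F on Temp are permissive; the secedit template built
rem and applied at the end of this script tightens both again, so this is only an interim state.
echo y | cacls "%SYSTEMROOT%" /G administrators:F system:F users:C
echo y | cacls "%SYSTEMROOT%\Temp" /G administrators:F system:F everyone:F
rem Strip the Everyone ACE from profile, installer and PCHealth directories (8.3 short names
rem are used for "Documents and Settings"; /R removes only that ACE, /E keeps the rest).
echo y | cacls C:\Docume~1 /E /R everyone
echo y | cacls C:\Docume~1\alluse~1 /E /R everyone
echo y | cacls C:\Docume~1\alluse~1\applic~1 /E /R everyone
echo y | cacls C:\Docume~1\defaul~1 /E /R everyone
echo y | cacls "%SYSTEMROOT%\Installer" /E /R everyone
echo y | cacls "%SYSTEMROOT%\PCHealth" /E /R everyone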
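rem Restrict commonly abused system tools (and their Windows File Protection copies under
rem dllcache) to Administrators and SYSTEM. cacls is used without /E, so each file's ACL is
rem replaced and ordinary users lose read/execute on it. The path is quoted in both the test
rem and the cacls call so a SYSTEMROOT containing spaces cannot split the argument.
for %%i in (
%SYSTEMROOT%\regedit.exe
%SYSTEMROOT%\system32\net.exe
%SYSTEMROOT%\system32\telnet.exe
%SYSTEMROOT%\system32\cmd.exe
%SYSTEMROOT%\system32\tftp.exe
%SYSTEMROOT%\system32\netstat.exe
%SYSTEMROOT%\system32\attrib.exe
%SYSTEMROOT%\system32\cacls.exe
%SYSTEMROOT%\system32\format.com
%SYSTEMROOT%\system32\regsvr32.exe
%SYSTEMROOT%\system32\xcopy.exe
%SYSTEMROOT%\system32\wscript.exe
%SYSTEMROOT%\system32\cscript.exe
%SYSTEMROOT%\system32\ftp.exe
%SYSTEMROOT%\system32\arp.exe
%SYSTEMROOT%\system32\edlin.exe
%SYSTEMROOT%\system32\ping.exe
%SYSTEMROOT%\system32\route.exe
%SYSTEMROOT%\system32\finger.exe
%SYSTEMROOT%\system32\posix.exe
%SYSTEMROOT%\system32\atsvc.exe
%SYSTEMROOT%\system32\qbasic.exe
%SYSTEMROOT%\system32\runonce.exe
%SYSTEMROOT%\system32\syskey.exe
%SYSTEMROOT%\system32\command.com
%SYSTEMROOT%\system32\edit.com
%SYSTEMROOT%\system32\tree.com
%SYSTEMROOT%\system32\at.exe
%SYSTEMROOT%\system32\find.exe
%SYSTEMROOT%\system32\fc.exe
%SYSTEMROOT%\system32\nbtstat.exe
%SYSTEMROOT%\system32\netsh.exe
%SYSTEMROOT%\system32\notepad.exe
%SYSTEMROOT%\system32\tasklist.exe
%SYSTEMROOT%\system32\taskkill.exe
%SYSTEMROOT%\system32\dllcache\regedit.exe
%SYSTEMROOT%\system32\dllcache\net.exe
%SYSTEMROOT%\system32\dllcache\telnet.exe
%SYSTEMROOT%\system32\dllcache\cmd.exe
%SYSTEMROOT%\system32\dllcache\tftp.exe
%SYSTEMROOT%\system32\dllcache\netstat.exe
%SYSTEMROOT%\system32\dllcache\attrib.exe
%SYSTEMROOT%\system32\dllcache\cacls.exe
%SYSTEMROOT%\system32\dllcache\format.com
%SYSTEMROOT%\system32\dllcache\regsvr32.exe
%SYSTEMROOT%\system32\dllcache\xcopy.exe
%SYSTEMROOT%\system32\dllcache\wscript.exe
%SYSTEMROOT%\system32\dllcache\cscript.exe
%SYSTEMROOT%\system32\dllcache\ftp.exe
%SYSTEMROOT%\system32\dllcache\arp.exe
%SYSTEMROOT%\system32\dllcache\edlin.exe
%SYSTEMROOT%\system32\dllcache\ping.exe
%SYSTEMROOT%\system32\dllcache\route.exe
%SYSTEMROOT%\system32\dllcache\finger.exe
%SYSTEMROOT%\system32\dllcache\posix.exe
%SYSTEMROOT%\system32\dllcache\atsvc.exe
%SYSTEMROOT%\system32\dllcache\qbasic.exe
%SYSTEMROOT%\system32\dllcache\runonce.exe
%SYSTEMROOT%\system32\dllcache\syskey.exe
%SYSTEMROOT%\system32\dllcache\command.com
%SYSTEMROOT%\system32\dllcache\edit.com
%SYSTEMROOT%\system32\dllcache\tree.com
%SYSTEMROOT%\system32\dllcache\at.exe
%SYSTEMROOT%\system32\dllcache\find.exe
%SYSTEMROOT%\system32\dllcache\fc.exe
%SYSTEMROOT%\system32\dllcache\nbtstat.exe
%SYSTEMROOT%\system32\dllcache\netsh.exe
%SYSTEMROOT%\system32\dllcache\notepad.exe
%SYSTEMROOT%\system32\dllcache\tasklist.exe
%SYSTEMROOT%\system32\dllcache\taskkill.exe
) do (
if exist "%%i" (
echo y | cacls "%%i" /G administrators:F system:F
)
)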
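rem Record which services are running before anything is changed, for reference and rollback.
net start > "%systemroot%\security\services.txt"
rem Services that must start automatically: Automatic Updates, IPsec policy agent, Task Scheduler.
rem NSClientpp is presumably a third-party monitoring agent; sc and net simply report an error
rem if it is not installed on this host.
sc config wuauserv start= auto
sc config PolicyAgent start= auto
sc config schedule start= auto
sc config NSClientpp start= auto
net start PolicyAgent
net start wuauserv
net start schedule
net start NSClientpp
net start winmgmt
rem Services started on demand only.
sc config winmgmt start= demand
sc config msdtc start= demand
rem Services that are disabled and stopped. Operational consequences worth knowing before
rem running this on a given host:
rem   sharedaccess is the Windows Firewall / ICS service on Server 2003 SP1 and later, so the
rem   host firewall is switched off; compensate with a network firewall or keep it enabled.
rem   lanmanserver and lanmanworkstation remove SMB file sharing and the net share / net use
rem   commands. Dhcp assumes a static IP address. W32Time stops clock synchronisation, which
rem   affects Kerberos and log correlation. RemoteRegistry, WinRM, Spooler, Browser and the
rem   IIS services (w3svc, IISADMIN, SMTPSVC) are turned off as attack surface.
rem "net stop ... /y" answers the dependent-services prompt so the loop never blocks on input.
rem (lmhosts was listed twice in the original; service names are case-insensitive.)
for %%i in (
sharedaccess
helpsvc
Spooler
audiosrv
wmdmpmsn
Alerter
alg
TrkWks
seclogon
ShellHWDetection
lanmanserver
dmserver
Dhcp
lanmanworkstation
LmHosts
WZCSVC
RemoteRegistry
AeLookupSrv
Dnscache
ERSvc
Nla
SCardSvr
W32Time
w3svc
IISADMIN
SMTPSVC
TapiSrv
WinRM
dfs
ntfrs
CiSvc
mnmsrvc
clipsrv
netdde
NetDDEdsdm
tlntsvr
ups
themes
HidServ
Tssdis
stisvc
WmiApSrv
awhost32
fax
Browser
) do (
sc config %%i start= disabled
net stop %%i /y
)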

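rem Daily reboot at 03:00 (disabled; uncomment to enable).
rem schtasks /create /ru system /sc daily /tn "restart" /st 03:00:00 /tr "shutdown -r -f -t 30"
rem Machine-wide environment variables (disabled; site-specific).
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v JAVA_HOME /t REG_SZ /d C:\jdk /f
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v Path /t REG_EXPAND_SZ /d "%JAVA_HOME%\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;" /f
echo 开启远程桌面
rem fDenyTSConnections=0 enables Remote Desktop. The listener stays on the default port unless
rem the PortNumber change below is enabled; limit who can reach it at the network layer.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f
rem Move the Remote Desktop listener to port 9999 (disabled; both values must agree if enabled).
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t reg_dword /d 9999 /f
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t reg_dword /d 9999 /f
echo 关闭CD-ROM自动运行
rem 255 (0xFF) disables AutoRun for every drive type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t reg_dword /d 255 /f
echo 显示文件扩展名
rem HKCU values only affect the account running this script.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 0 /f
echo 修改windows update为自动更新
rem AUOptions=4 is "automatically download and schedule the installation", consistent with the
rem message above and with the policy value written further down. The original wrote 1, which
rem means "Automatic Updates disabled".
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t reg_dword /d 4 /f
echo 华生医生设置为转储线程上下文
rem Dr. Watson: no log appending, no crash dump, no sound on crash.
reg add HKLM\SOFTWARE\Microsoft\DrWatson /v AppendToLogFile /t reg_dword /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\DrWatson /v CreateCrashDump /t reg_dword /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\DrWatson /v WaveFile /t REG_EXPAND_SZ /d "" /f
echo 设置自动重新启动不发送管理警报
rem CrashControl is addressed through CurrentControlSet so these agree with the CrashDumpEnabled
rem entry below; the original wrote AutoReboot and SendAlert to ControlSet001, which is not
rem necessarily the active control set.
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v AutoReboot /t reg_dword /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v SendAlert /t reg_dword /d 0 /f
echo 设置写入调试信息为无
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v CrashDumpEnabled /t reg_dword /d 0 /f
echo 禁用错误报告
reg add HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting /v DoReport /t reg_dword /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting /v ShowUI /t reg_dword /d 0 /f
echo 关机清理虚拟内存
rem Wipe the page file at shutdown so memory contents do not survive on disk.
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t reg_dword /d 1 /f
echo 不显示上次登录用户名
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t reg_dword /d 1 /f
echo 关闭445端口
rem SMBDeviceEnabled=0 stops SMB over TCP port 445 after the next reboot; file and printer
rem sharing over 445 no longer work on this host.
reg add HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters /v SMBDeviceEnabled /t reg_dword /d 0 /f
echo 防止小规模ddos攻击
rem SYN flood protection for the TCP/IP stack.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SynAttackProtect /t reg_dword /d 1 /f
echo 禁止建立空连接
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t reg_dword /d 1 /f
echo 禁止SAM 账户和共享的匿名枚举
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t reg_dword /d 1 /f
echo 禁止系统自动管理共享
rem Stop the Server service from recreating the administrative shares (C$, ADMIN$, ...) at start.
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t reg_dword /d 0 /f
echo 禁止系统自动共享
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareServer /t reg_dword /d 0 /f
rem Automatically end hung applications at shutdown (disabled).
rem reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t reg_sz /d 1 /f
echo 设置无法关闭程序等待时间
rem Values are milliseconds. 100 ms for WaitToKillServiceTimeout leaves services almost no time
rem to flush state at shutdown; raise it on hosts running databases or other stateful services.
reg add "HKCU\Control Panel\Desktop" /v WaitToKillAppTimeout /t reg_sz /d 100 /f
reg add "HKCU\Control Panel\Desktop" /v HungAppTimeout /t reg_sz /d 500 /f
reg add HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout /t reg_sz /d 100 /f
echo 不需要按ctrl+alt+del
rem DisableCAD=1 removes the Ctrl+Alt+Del secure attention sequence at logon, which weakens
rem protection against logon-screen spoofing. Set 0 to keep the requirement.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DisableCAD /t reg_dword /d 1 /f
echo 把显示“关闭事件跟踪程序” 更改为已禁用
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" /v ShutdownReasonOn /t reg_dword /d 0 /f
echo 禁止自动更新后不断的提示重启
rem This value belongs under WindowsUpdate\AU (the original wrote it one level up, where
rem Automatic Updates ignores it). It only enables the relaunch timer; the matching
rem RebootRelaunchTimeout value (minutes) is not set here, so the default interval applies.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v RebootRelaunchTimeoutEnabled /t reg_DWORD /d 1 /f
echo 禁止屏保
rem Disables the screen saver by policy, so idle sessions are never locked automatically;
rem reconsider on hosts with console access.
reg add "hkcu\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 0 /f
echo 是否起用WSUS服务器
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f
echo WSUS服务器设置
rem Site-specific WSUS server, kept in one place. It is a plain http:// URL, so the client
rem cannot verify it is talking to the intended server; prefer https:// where WSUS supports it.
set "WSUS_SERVER=http://61.135.177.110"
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d %WSUS_SERVER% /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d %WSUS_SERVER% /f
echo 重新计划自动更新计划后的等待时间
rem NOTE(review): RescheduleWaitTime appears to require RescheduleWaitTimeEnabled=1, which this
rem script does not set; verify against the Automatic Updates policy documentation.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v RescheduleWaitTime /t REG_DWORD /d 10 /f
echo 自动更新安装后是否重新启动
rem 0 = reboot after install even when users are logged on.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 0 /f
echo 是否启用自动更新
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f
echo 配置自动更新
rem 4 = automatically download and schedule the installation.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /t REG_DWORD /d 4 /f
echo 计划安装日期
rem 0 = every day.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
echo 计划安装时间
rem 3 = 03:00 local time.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallTime /t REG_DWORD /d 3 /f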
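rem Rename the built-in Administrator account (disabled; uncomment and pick a site-specific name).
rem wmic useraccount where name='Administrator' call Rename admin
echo 禁用帐户
rem Disable leftover service accounts; net user reports an error if an account does not exist.
rem The Guest account is disabled by the secedit template generated below (EnableGuestAccount = 0).
net user SQLDebugger /active:no
net user TsInternetUser /active:no
echo 设置当前目录为桌面
rem Switch to the desktop so the template is written there. USERPROFILE normally contains
rem spaces ("Documents and Settings\..."), so the path must be quoted or "if exist" and "cd"
rem only see its first word. The Chinese folder name is used on localised installs; if neither
rem directory exists the current directory is left unchanged.
if exist "%USERPROFILE%\桌面" (
cd /D "%USERPROFILE%\桌面"
) else (
cd /D "%USERPROFILE%\desktop"
)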
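echo 生成windows组策略安全设置
rem Build a secedit security template (secinit.inf) in the current directory; it is applied
rem further down. Lines are written with echo, so the file is ANSI text.
if exist secinit.inf del /F /Q secinit.inf
echo [Unicode] >secinit.inf
echo. >>secinit.inf
rem Audit policy values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
echo [Event Audit] >>secinit.inf
echo AuditSystemEvents = 3 >>secinit.inf
echo AuditLogonEvents = 3 >>secinit.inf
echo AuditObjectAccess = 2 >>secinit.inf
echo AuditPrivilegeUse = 2 >>secinit.inf
echo AuditPolicyChange = 3 >>secinit.inf
echo AuditAccountManage = 3 >>secinit.inf
echo AuditProcessTracking = 0 >>secinit.inf
echo AuditDSAccess = 2 >>secinit.inf
echo AuditAccountLogon = 3 >>secinit.inf

rem Account policy. PasswordHistorySize = 0 together with MinimumPasswordAge = 0 lets a user
rem reuse a password immediately after changing it; raise both if site policy requires it.
rem Lockout: 5 bad attempts, counter reset and lockout duration 20 minutes.
echo [System Access] >>secinit.inf
echo MinimumPasswordAge = 0 >>secinit.inf
echo MaximumPasswordAge = 42 >>secinit.inf
echo MinimumPasswordLength = 12 >>secinit.inf
echo PasswordComplexity = 1 >>secinit.inf
echo PasswordHistorySize = 0 >>secinit.inf
echo LockoutBadCount = 5 >>secinit.inf
echo ResetLockoutCount = 20 >>secinit.inf
echo LockoutDuration = 20 >>secinit.inf
echo RequireLogonToChangePassword = 0 >>secinit.inf
echo ForceLogoffWhenHourExpire = 0 >>secinit.inf
echo ClearTextPassword = 0 >>secinit.inf
echo LSAAnonymousNameLookup = 0 >>secinit.inf
echo EnableAdminAccount = 1 >>secinit.inf
echo EnableGuestAccount = 0 >>secinit.inf

rem Event logs. MaximumLogSize is in KB (16 MB each). AuditLogRetentionPeriod = 1 keeps events
rem for RetentionDays; once a log is full inside that window new events are dropped, so size the
rem logs generously or forward them to a central collector so audit records are not lost.
echo [System Log]    >> secinit.inf
echo MaximumLogSize = 16384  >> secinit.inf
echo AuditLogRetentionPeriod = 1 >> secinit.inf
echo RetentionDays = 30  >> secinit.inf

echo [Security Log]  >> secinit.inf
echo MaximumLogSize = 16384  >> secinit.inf
echo AuditLogRetentionPeriod = 1 >> secinit.inf
echo RetentionDays = 30  >> secinit.inf

echo [Application Log]   >> secinit.inf
echo MaximumLogSize = 16384  >> secinit.inf
echo AuditLogRetentionPeriod = 1 >> secinit.inf
echo RetentionDays = 30  >> secinit.inf

rem File ACLs in SDDL. The middle field is the propagation mode (2 = replace the ACLs on the
rem whole tree, 1 = leave existing ACLs alone). The boot files assume the system drive is C:.
rem ProgramFiles and SystemRoot are expanded by cmd before they reach the file.
echo [File Security]     >> secinit.inf
echo "c:\boot.ini",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\ntdetect.com",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\ntldr",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\ntbootdd.sys",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\autoexec.bat",2,"D:P(A;;GXGR;;;BU)(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\config.sys",2,"D:P(A;;GXGR;;;BU)(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "%ProgramFiles%",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)(A;;GXGR;;;WD)" >> secinit.inf
echo "%SystemRoot%\explorer.exe",2,"D:(A;;GXGR;;;WD)" >> secinit.inf
echo "%SystemRoot%\CSC",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\debug",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Offline Pages",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Profiles",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Registration",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\repair",2,"D:P(A;CI;GXGR;;;BU)(A;CI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Tasks",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CI;0x100026;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\addins",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Connection Wizard",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Driver Cache",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\java",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\msagent",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\security",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\speech",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\twain_32",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Web",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf

rem Registry values: "4,1" is a REG_DWORD with value 1.
echo [Registry Values] >>secinit.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1   >> secinit.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1  >> secinit.inf

rem After this is applied only members of Administrators may log on interactively, over the
rem network or through Remote Desktop, and only they may shut the host down. Add any service or
rem application accounts this host relies on (for example IIS anonymous or scheduled-task
rem accounts) to the relevant right before applying, or those logons will fail.
echo [Privilege Rights] >>secinit.inf
echo SeNetworkLogonRight = Administrators  >> secinit.inf
echo SeShutdownPrivilege = Administrators >> secinit.inf
echo SeRemoteShutdownPrivilege = Administrators >> secinit.inf
echo SeRemoteInteractiveLogonRight = Administrators >> secinit.inf
echo Seinteractivelogonright = Administrators >> secinit.inf

rem Mandatory template header.
echo [Version] >>secinit.inf
echo signature="$CHICAGO$" >>secinit.inf
echo Revision=1 >>secinit.inf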
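cls
echo 运行安全设置
rem Move the template into the security templates directory and apply it with secedit.
rem "echo y" answers secedit's confirmation prompt; results go to security\logs\secinit.log,
rem which is the place to look when a setting did not take effect.
move /y secinit.inf "%systemroot%\security\templates\secinit.inf"
echo y|secedit /configure /cfg "%systemroot%\security\templates\secinit.inf" /db "%systemroot%\security\database\secinit.db" /overwrite /log "%systemroot%\security\logs\secinit.log"
rem Re-register the security configuration client extension.
regsvr32 /s scecli.dll
echo 关闭默认共享
rem Remove the administrative shares. These commands fail harmlessly when the Server service
rem (lanmanserver) has already been stopped above; the AutoShareServer / AutoShareWks registry
rem values set earlier stop the shares from being recreated at the next start.
net share c$ /del
net share d$ /del
net share e$ /del
net share ipc$ /del
net share admin$ /del
rem The working copy was moved into the templates directory; only clean up if the move failed.
if exist secinit.inf del /F /Q secinit.inf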
原文地址:https://www.cnblogs.com/milantgh/p/3603164.html