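@echo off
rem Common security baseline for Windows Server 2003.
rem Run from an elevated command prompt. The script deletes IIS helper
rem content, rewrites file ACLs, disables services, applies a secedit
rem template and removes the default administrative shares; review each
rem section against the host's role before running it, because none of
rem the changes are reverted automatically.
title Windows Security
echo.
echo *******************************************************************************
echo. Common Security Configuration For Windows Server 2003
echo *******************************************************************************
echo.
echo.

rem Remove unneeded IIS content (Internet Printing, IIS password-change pages,
rem IIS help). %SYSTEMROOT% is used instead of a hard-coded C:\WINDOWS so the
rem cleanup follows the real system directory.
del /Q /F %SYSTEMROOT%\Web\printers\*.*
del /Q /F %SYSTEMROOT%\system32\inetsrv\iisadmpwd\*.*
rd %SYSTEMROOT%\Web\printers /S /Q
rd %SYSTEMROOT%\help\iishelp /S /Q

rem Make cscript the default script host
cscript //h:cscript

rem Register the Windows Installer service and MSXML3
msiexec /regserver
regsvr32 msxml3.dll /s

rem Permissions on each disk partition (D: and E: are left commented; enable per host)
cd \
echo y | cacls C: /C /E /G administrators:F system:F
rem cacls /C D: /G administrators:F system:F
rem cacls /C E: /G administrators:F system:F

rem Permissions on key directories.
rem NOTE(review): the second line grants Everyone full control on
rem %SYSTEMROOT%\Temp. The [File Security] entry for %SystemRoot%\Temp in the
rem secedit template generated further down re-tightens it when secedit runs,
rem so the effective ACL after this script is the template's.
echo y | cacls %SYSTEMROOT% /G administrators:F system:F users:C
echo y | cacls %SYSTEMROOT%\Temp /G administrators:F system:F everyone:F

rem Remove the Everyone ACE from profile, installer and PCHealth directories
echo y | cacls C:\Docume~1 /E /R everyone
echo y | cacls C:\Docume~1\alluse~1 /E /R everyone
echo y | cacls C:\Docume~1\alluse~1\applic~1 /E /R everyone
echo y | cacls C:\Docume~1\defaul~1 /E /R everyone
echo y | cacls %SYSTEMROOT%\Installer /E /R everyone
echo y | cacls %SYSTEMROOT%\PCHealth /E /R everyone

rem Restrict commonly abused system tools, and their dllcache copies, to
rem Administrators and SYSTEM. cacls /G without /E replaces the whole ACL,
rem so ordinary users lose execute access to these binaries (including
rem cmd.exe and notepad.exe); confirm that is acceptable for the host.
for %%i in (
  %SYSTEMROOT%\regedit.exe
  %SYSTEMROOT%\system32\net.exe
  %SYSTEMROOT%\system32\telnet.exe
  %SYSTEMROOT%\system32\cmd.exe
  %SYSTEMROOT%\system32\tftp.exe
  %SYSTEMROOT%\system32\netstat.exe
  %SYSTEMROOT%\system32\attrib.exe
  %SYSTEMROOT%\system32\cacls.exe
  %SYSTEMROOT%\system32\format.com
  %SYSTEMROOT%\system32\regsvr32.exe
  %SYSTEMROOT%\system32\xcopy.exe
  %SYSTEMROOT%\system32\wscript.exe
  %SYSTEMROOT%\system32\cscript.exe
  %SYSTEMROOT%\system32\ftp.exe
  %SYSTEMROOT%\system32\arp.exe
  %SYSTEMROOT%\system32\edlin.exe
  %SYSTEMROOT%\system32\ping.exe
  %SYSTEMROOT%\system32\route.exe
  %SYSTEMROOT%\system32\finger.exe
  %SYSTEMROOT%\system32\posix.exe
  %SYSTEMROOT%\system32\atsvc.exe
  %SYSTEMROOT%\system32\qbasic.exe
  %SYSTEMROOT%\system32\runonce.exe
  %SYSTEMROOT%\system32\syskey.exe
  %SYSTEMROOT%\system32\command.com
  %SYSTEMROOT%\system32\edit.com
  %SYSTEMROOT%\system32\tree.com
  %SYSTEMROOT%\system32\at.exe
  %SYSTEMROOT%\system32\find.exe
  %SYSTEMROOT%\system32\fc.exe
  %SYSTEMROOT%\system32\nbtstat.exe
  %SYSTEMROOT%\system32\netsh.exe
  %SYSTEMROOT%\system32\notepad.exe
  %SYSTEMROOT%\system32\tasklist.exe
  %SYSTEMROOT%\system32\taskkill.exe
  %SYSTEMROOT%\system32\dllcache\regedit.exe
  %SYSTEMROOT%\system32\dllcache\net.exe
  %SYSTEMROOT%\system32\dllcache\telnet.exe
  %SYSTEMROOT%\system32\dllcache\cmd.exe
  %SYSTEMROOT%\system32\dllcache\tftp.exe
  %SYSTEMROOT%\system32\dllcache\netstat.exe
  %SYSTEMROOT%\system32\dllcache\attrib.exe
  %SYSTEMROOT%\system32\dllcache\cacls.exe
  %SYSTEMROOT%\system32\dllcache\format.com
  %SYSTEMROOT%\system32\dllcache\regsvr32.exe
  %SYSTEMROOT%\system32\dllcache\xcopy.exe
  %SYSTEMROOT%\system32\dllcache\wscript.exe
  %SYSTEMROOT%\system32\dllcache\cscript.exe
  %SYSTEMROOT%\system32\dllcache\ftp.exe
  %SYSTEMROOT%\system32\dllcache\arp.exe
  %SYSTEMROOT%\system32\dllcache\edlin.exe
  %SYSTEMROOT%\system32\dllcache\ping.exe
  %SYSTEMROOT%\system32\dllcache\route.exe
  %SYSTEMROOT%\system32\dllcache\finger.exe
  %SYSTEMROOT%\system32\dllcache\posix.exe
  %SYSTEMROOT%\system32\dllcache\atsvc.exe
  %SYSTEMROOT%\system32\dllcache\qbasic.exe
  %SYSTEMROOT%\system32\dllcache\runonce.exe
  %SYSTEMROOT%\system32\dllcache\syskey.exe
  %SYSTEMROOT%\system32\dllcache\command.com
  %SYSTEMROOT%\system32\dllcache\edit.com
  %SYSTEMROOT%\system32\dllcache\tree.com
  %SYSTEMROOT%\system32\dllcache\at.exe
  %SYSTEMROOT%\system32\dllcache\find.exe
  %SYSTEMROOT%\system32\dllcache\fc.exe
  %SYSTEMROOT%\system32\dllcache\nbtstat.exe
  %SYSTEMROOT%\system32\dllcache\netsh.exe
  %SYSTEMROOT%\system32\dllcache\notepad.exe
  %SYSTEMROOT%\system32\dllcache\tasklist.exe
  %SYSTEMROOT%\system32\dllcache\taskkill.exe
) do (
  if exist "%%i" (
    echo y | cacls "%%i" /G administrators:F system:F
  )
)

rem Record the service start state before changing anything; this file is the
rem only rollback reference the script leaves behind.
net start > %systemroot%\security\services.txt

rem Services to start automatically. NSClientpp is a third-party monitoring
rem agent; the sc/net calls simply fail if it is not installed.
sc config wuauserv start= auto
sc config PolicyAgent start= auto
sc config schedule start= auto
sc config NSClientpp start= auto
net start PolicyAgent
net start wuauserv
net start schedule
net start NSClientpp
net start winmgmt

rem Services set to manual start
sc config winmgmt start= demand
sc config msdtc start= demand

rem Services to disable and stop.
rem NOTE(review): the list includes Dhcp, Dnscache, lanmanworkstation,
rem lanmanserver, W32Time, RemoteRegistry and w3svc/IISADMIN; review it against
rem the host's role (DHCP-addressed hosts, domain members that need time sync,
rem file/print or web roles) before running.
for %%i in (
  sharedaccess helpsvc Spooler audiosrv wmdmpmsn Alerter alg TrkWks seclogon
  ShellHWDetection lanmanserver dmserver Dhcp lanmanworkstation LmHosts WZCSVC
  RemoteRegistry AeLookupSrv Dnscache ERSvc Nla SCardSvr W32Time w3svc IISADMIN
  SMTPSVC TapiSrv WinRM dfs ntfrs CiSvc mnmsrvc clipsrv netdde NetDDEdsdm lmhosts
  tlntsvr ups themes HidServ Tssdis stisvc WmiApSrv awhost32 fax Browser
) do (
  sc config %%i start= disabled
  net stop %%i
)

rem Reboot daily at 03:00 (disabled by default)
rem schtasks /create /ru system /sc daily /tn "restart" /st 03:00:00 /tr "shutdown -r -f -t 30"

rem System environment variables (disabled by default)
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v JAVA_HOME /t REG_SZ /d C:\jdk /f
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v Path /t REG_EXPAND_SZ /d "%JAVA_HOME%\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;" /f

echo 开启远程桌面
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f
rem Change the Remote Desktop listening port to 9999 (disabled by default)
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t reg_dword /d 9999 /f
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t reg_dword /d 9999 /f
echo 关闭CD-ROM自动运行
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t reg_dword /d 255 /f
echo 显示文件扩展名
rem HKCU only affects the account running this script.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 0 /f
echo 修改windows update为自动更新
rem NOTE(review): the policy value AUOptions=4 written under
rem HKLM\SOFTWARE\Policies\...\WindowsUpdate\AU further down takes precedence
rem over this non-policy value; confirm the value 1 here is intended.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t reg_dword /d 1 /f
echo 华生医生设置为转储线程上下文
reg add HKLM\SOFTWARE\Microsoft\DrWatson /v AppendToLogFile /t reg_dword /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\DrWatson /v CreateCrashDump /t reg_dword /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\DrWatson /v WaveFile /t REG_EXPAND_SZ /d "" /f
echo 设置自动重新启动不发送管理警报
rem CurrentControlSet is the live control set; the original wrote ControlSet001,
rem which is only the active set when the system happens to boot from it.
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v AutoReboot /t reg_dword /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v SendAlert /t reg_dword /d 0 /f
echo 设置写入调试信息为无
reg add HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v CrashDumpEnabled /t reg_dword /d 0 /f
echo 禁用错误报告
reg add HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting /v DoReport /t reg_dword /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting /v ShowUI /t reg_dword /d 0 /f
echo 关机清理虚拟内存
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t reg_dword /d 1 /f
echo 不显示上次登录用户名
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t reg_dword /d 1 /f
echo 关闭445端口
reg add HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters /v SMBDeviceEnabled /t reg_dword /d 0 /f
echo 防止小规模ddos攻击
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SynAttackProtect /t reg_dword /d 1 /f
echo 禁止建立空连接
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t reg_dword /d 1 /f
echo 禁止SAM 账户和共享的匿名枚举
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t reg_dword /d 1 /f
echo 禁止系统自动管理共享
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t reg_dword /d 0 /f
echo 禁止系统自动共享
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareServer /t reg_dword /d 0 /f
rem Auto-close unresponsive programs (disabled by default)
rem reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t reg_sz /d 1 /f
echo 设置无法关闭程序等待时间
reg add "HKCU\Control Panel\Desktop" /v WaitToKillAppTimeout /t reg_sz /d 100 /f
reg add "HKCU\Control Panel\Desktop" /v HungAppTimeout /t reg_sz /d 500 /f
reg add HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout /t reg_sz /d 100 /f
echo 不需要按ctrl+alt+del
rem NOTE(review): DisableCAD=1 removes the secure attention sequence at logon;
rem keep it only where the host's logon policy allows that trade-off.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DisableCAD /t reg_dword /d 1 /f
echo 把显示“关闭事件跟踪程序” 更改为已禁用
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" /v ShutdownReasonOn /t reg_dword /d 0 /f
echo 禁止自动更新后不断的提示重启
rem NOTE(review): the other AU settings below are written under
rem ...\WindowsUpdate\AU; confirm this value is meant for the parent key.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\windowsUpdate /v RebootRelaunchTimeoutEnabled /t reg_DWORD /d 1 /f
echo 禁止屏保
reg add "hkcu\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 0 /f
echo 是否起用WSUS服务器
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f
echo WSUS服务器设置
rem NOTE(review): update metadata and binaries are fetched from this server over
rem plain HTTP at a hard-coded address; confirm the server is the intended one
rem and prefer an HTTPS URL where the WSUS host supports it.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://61.135.177.110 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://61.135.177.110 /f
echo 重新计划自动更新计划后的等待时间
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v RescheduleWaitTime /t REG_DWORD /d 10 /f
echo 自动更新安装后是否重新启动
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 0 /f
echo 是否启用自动更新
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f
echo 配置自动更新
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /t REG_DWORD /d 4 /f
echo 计划安装日期
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
echo 计划安装时间
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem Rename the built-in Administrator account (disabled by default)
rem wmic useraccount where name='Administrator' call Rename admin
echo 禁用帐户
net user SQLDebugger /active:no
net user TsInternetUser /active:no

echo 设置当前目录为桌面
rem The paths are quoted: on Server 2003 %USERPROFILE% normally lives under
rem "Documents and Settings", and an unquoted "if exist" would test only the
rem part before the first space.
if exist "%USERPROFILE%\桌面" (
  cd /D "%USERPROFILE%\桌面"
) else (
  cd /D "%USERPROFILE%\desktop"
)

rem Generate the secedit template in the current directory (the desktop).
rem Audit, password, lockout, log-size, file-ACL and user-rights settings are
rem all applied from this one file by the secedit call below.
echo 生成windows组策略安全设置
if exist secinit.inf del secinit.inf /f
echo [Unicode] >secinit.inf
echo. >>secinit.inf
echo [Event Audit] >>secinit.inf
echo AuditSystemEvents = 3 >>secinit.inf
echo AuditLogonEvents = 3 >>secinit.inf
echo AuditObjectAccess = 2 >>secinit.inf
echo AuditPrivilegeUse = 2 >>secinit.inf
echo AuditPolicyChange = 3 >>secinit.inf
echo AuditAccountManage = 3 >>secinit.inf
echo AuditProcessTracking = 0 >>secinit.inf
echo AuditDSAccess = 2 >>secinit.inf
echo AuditAccountLogon = 3 >>secinit.inf
echo [System Access] >>secinit.inf
echo MinimumPasswordAge = 0 >>secinit.inf
echo MaximumPasswordAge = 42 >>secinit.inf
echo MinimumPasswordLength = 12 >>secinit.inf
echo PasswordComplexity = 1 >>secinit.inf
rem PasswordHistorySize = 0 allows immediate reuse of an expired password;
rem raise it if the host's password policy requires history.
echo PasswordHistorySize = 0 >>secinit.inf
echo LockoutBadCount = 5 >>secinit.inf
echo ResetLockoutCount = 20 >>secinit.inf
echo LockoutDuration = 20 >>secinit.inf
echo RequireLogonToChangePassword = 0 >>secinit.inf
echo ForceLogoffWhenHourExpire = 0 >>secinit.inf
echo ClearTextPassword = 0 >>secinit.inf
echo LSAAnonymousNameLookup = 0 >>secinit.inf
echo EnableAdminAccount = 1 >>secinit.inf
echo EnableGuestAccount = 0 >>secinit.inf
echo [System Log] >> secinit.inf
echo MaximumLogSize = 16384 >> secinit.inf
echo AuditLogRetentionPeriod = 1 >> secinit.inf
echo RetentionDays = 30 >> secinit.inf
echo [Security Log] >> secinit.inf
echo MaximumLogSize = 16384 >> secinit.inf
echo AuditLogRetentionPeriod = 1 >> secinit.inf
echo RetentionDays = 30 >> secinit.inf
echo [Application Log] >> secinit.inf
echo MaximumLogSize = 16384 >> secinit.inf
echo AuditLogRetentionPeriod = 1 >> secinit.inf
echo RetentionDays = 30 >> secinit.inf
echo [File Security] >> secinit.inf
echo "c:\boot.ini",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\ntdetect.com",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\ntldr",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\ntbootdd.sys",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\autoexec.bat",2,"D:P(A;;GXGR;;;BU)(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "c:\config.sys",2,"D:P(A;;GXGR;;;BU)(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
echo "%ProgramFiles%",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)(A;;GXGR;;;WD)" >> secinit.inf
echo "%SystemRoot%\explorer.exe",2,"D:(A;;GXGR;;;WD)" >> secinit.inf
echo "%SystemRoot%\CSC",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\debug",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Offline Pages",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Profiles",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Registration",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\repair",2,"D:P(A;CI;GXGR;;;BU)(A;CI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Tasks",1,"D:AR" >> secinit.inf
echo "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CI;0x100026;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\addins",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Connection Wizard",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Driver Cache",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\java",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\msagent",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\security",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\speech",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\twain_32",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo "%SystemRoot%\Web",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
echo [Registry Values] >>secinit.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 >> secinit.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1 >> secinit.inf
echo [Privilege Rights] >>secinit.inf
rem NOTE(review): granting network and interactive logon to Administrators only
rem removes those rights from every other account, including service and
rem application accounts that may need them on this host; confirm before use.
echo SeNetworkLogonRight = Administrators >> secinit.inf
echo SeShutdownPrivilege = Administrators >> secinit.inf
echo SeRemoteShutdownPrivilege = Administrators >> secinit.inf
echo SeRemoteInteractiveLogonRight = Administrators >> secinit.inf
echo Seinteractivelogonright = Administrators >> secinit.inf
echo [Version] >>secinit.inf
echo signature="$CHICAGO$" >>secinit.inf
echo Revision=1 >>secinit.inf

cls
echo 运行安全设置
rem Install the template and apply it; "echo y" answers the /overwrite prompt.
rem The log under %systemroot%\security\logs is the place to check for
rem entries that failed to apply.
move /y secinit.inf %systemroot%\security\templates\secinit.inf
echo y|secedit /configure /cfg %systemroot%\security\templates\secinit.inf /db %systemroot%\security\database\secinit.db /overwrite /log %systemroot%\security\logs\secinit.log
regsvr32 /s scecli.dll

echo 关闭默认共享
rem AutoShareWks/AutoShareServer were set to 0 above, so the shares stay
rem removed after a reboot.
net share c$ /del
net share d$ /del
net share e$ /del
net share ipc$ /del
net share admin$ /del

rem Leftover cleanup in case the move above did not happen
del secinit.inf /f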