• windows2003安全加固脚本


    @echo off
    title= Windwos/index.html' target='_blank'>Windows Security
    echo.
    echo *******************************************************************************
    echo.              Common Security Configuration For Windows Server 2003
    echo *******************************************************************************
    echo.
    echo.
    rem 删除不必要的文件
    del /Q /F C:WINDOWSWebprinters*.*
    del /Q /F C:WINDOWSsystem32inetsrviisadmpwd*.*
    rd C:WINDOWSWebprinters /S /Q
    rd C:WINDOWShelpiishelp /S /Q
    rem 设置脚本宿主
    cscript //h:cscript
    rem 安装windows install服务
    msiexec /regserver
    regsvr32 msxml3.dll /s
    rem 设置每个磁盘分区的权限
    cd
    echo y | cacls C: /C /E /G administrators:F system:F
    rem cacls /C D: /G administrators:F system:F
    rem cacls /C E: /G administrators:F system:F
    rem 设置关键目录的权限
    echo y | cacls %SYSTEMROOT% /G administrators:F system:F users:C
    echo y | cacls %SYSTEMROOT%Temp /G administrators:F system:F everyone:F
    rem 清除关键目录everyone权限
    echo y | cacls C:Docume~1 /E /R everyone
    echo y | cacls C:Docume~1alluse~1 /E /R everyone
    echo y | cacls C:Docume~1alluse~1applic~1 /E /R everyone
    echo y | cacls C:Docume~1defaul~1 /E /R everyone
    echo y | cacls %SYSTEMROOT%Installer /E /R everyone
    echo y | cacls %SYSTEMROOT%PCHealth /E /R everyone
    for %%i in (
    %SYSTEMROOT%
    egedit.exe
    %SYSTEMROOT%system32net.exe
    %SYSTEMROOT%system32	elnet.exe
    %SYSTEMROOT%system32cmd.exe
    %SYSTEMROOT%system32	ftp.exe
    %SYSTEMROOT%system32
    etstat.exe
    %SYSTEMROOT%system32attrib.exe
    %SYSTEMROOT%system32cacls.exe
    %SYSTEMROOT%system32format.com
    %SYSTEMROOT%system32
    egsvr32.exe
    %SYSTEMROOT%system32xcopy.exe
    %SYSTEMROOT%system32wscript.exe
    %SYSTEMROOT%system32cscript.exe
    %SYSTEMROOT%system32ftp.exe
    %SYSTEMROOT%system32arp.exe
    %SYSTEMROOT%system32edlin.exe
    %SYSTEMROOT%system32ping.exe
    %SYSTEMROOT%system32
    oute.exe
    %SYSTEMROOT%system32finger.exe
    %SYSTEMROOT%system32posix.exe
    %SYSTEMROOT%system32atsvc.exe
    %SYSTEMROOT%system32qbasic.exe
    %SYSTEMROOT%system32
    unonce.exe
    %SYSTEMROOT%system32syskey.exe
    %SYSTEMROOT%system32command.com
    %SYSTEMROOT%system32edit.com
    %SYSTEMROOT%system32tree.com
    %SYSTEMROOT%system32at.exe
    %SYSTEMROOT%system32find.exe
    %SYSTEMROOT%system32fc.exe
    %SYSTEMROOT%system32
    btstat.exe
    %SYSTEMROOT%system32
    etsh.exe
    %SYSTEMROOT%system32
    otepad.exe
    %SYSTEMROOT%system32	asklist.exe
    %SYSTEMROOT%system32	askkill.exe
    %SYSTEMROOT%system32dllcache
    egedit.exe
    %SYSTEMROOT%system32dllcachenet.exe
    %SYSTEMROOT%system32dllcache	elnet.exe
    %SYSTEMROOT%system32dllcachecmd.exe
    %SYSTEMROOT%system32dllcache	ftp.exe
    %SYSTEMROOT%system32dllcache
    etstat.exe
    %SYSTEMROOT%system32dllcacheattrib.exe
    %SYSTEMROOT%system32dllcachecacls.exe
    %SYSTEMROOT%system32dllcacheformat.com
    %SYSTEMROOT%system32dllcache
    egsvr32.exe
    %SYSTEMROOT%system32dllcachexcopy.exe
    %SYSTEMROOT%system32dllcachewscript.exe
    %SYSTEMROOT%system32dllcachecscript.exe
    %SYSTEMROOT%system32dllcacheftp.exe
    %SYSTEMROOT%system32dllcachearp.exe
    %SYSTEMROOT%system32dllcacheedlin.exe
    %SYSTEMROOT%system32dllcacheping.exe
    %SYSTEMROOT%system32dllcache
    oute.exe
    %SYSTEMROOT%system32dllcachefinger.exe
    %SYSTEMROOT%system32dllcacheposix.exe
    %SYSTEMROOT%system32dllcacheatsvc.exe
    %SYSTEMROOT%system32dllcacheqbasic.exe
    %SYSTEMROOT%system32dllcache
    unonce.exe
    %SYSTEMROOT%system32dllcachesyskey.exe
    %SYSTEMROOT%system32dllcachecommand.com
    %SYSTEMROOT%system32dllcacheedit.com
    %SYSTEMROOT%system32dllcachetree.com
    %SYSTEMROOT%system32dllcacheat.exe
    %SYSTEMROOT%system32dllcachefind.exe
    %SYSTEMROOT%system32dllcachefc.exe
    %SYSTEMROOT%system32dllcache
    btstat.exe
    %SYSTEMROOT%system32dllcache
    etsh.exe
    %SYSTEMROOT%system32dllcache
    otepad.exe
    %SYSTEMROOT%system32dllcache	asklist.exe
    %SYSTEMROOT%system32dllcache	askkill.exe
    ) do (
    if exist "%%i" (
    echo y | cacls %%i /G administrators:F system:F
    )
    )
    rem 保存当前服务启动状态
    net start > %systemroot%securityservices.txt
    rem 设置自动启动的服务
    sc config wuauserv start= auto
    sc config PolicyAgent start= auto
    sc config schedule start= auto
    sc config NSClientpp start= auto
    net start PolicyAgent
    net start wuauserv
    net start schedule
    net start NSClientpp
    net start winmgmt
    rem 设置手动启动的服务
    sc config winmgmt start= demand
    sc config msdtc start= demand
    rem 设置禁止启动的服务,停止启动的服务
    for %%i in (
    sharedaccess
    helpsvc
    Spooler
    audiosrv
    wmdmpmsn
    Alerter
    alg
    TrkWks
    seclogon
    ShellHWDetection
    lanmanserver
    dmserver
    Dhcp
    lanmanworkstation
    LmHosts
    WZCSVC
    RemoteRegistry
    AeLookupSrv
    Dnscache
    ERSvc
    Nla
    SCardSvr
    W32Time
    w3svc
    IISADMIN
    SMTPSVC
    TapiSrv
    WinRM
    dfs
    ntfrs
    CiSvc
    mnmsrvc
    clipsrv
    netdde
    NetDDEdsdm
    lmhosts
    tlntsvr
    ups
    themes
    HidServ
    Tssdis
    stisvc
    WmiApSrv
    awhost32
    fax
    Browser
    ) do (
    sc config %%i start= disabled
    net stop %%i
    )
    
    rem 设置每天3点自动重启
    rem schtasks /create /ru system /sc daily /tn "restart" /st 03:00:00 /tr "shutdown -r -f -t 30"
    rem 设置环境变量
    rem reg add "HKLMSYSTEMCurrentControlSetControlSession ManagerEnvironment" /v JAVA_HOME /t REG_SZ /d C:jdk /f
    rem reg add "HKLMSYSTEMCurrentControlSetControlSession ManagerEnvironment" /v Path /t REG_EXPAND_SZ /d "%JAVA_HOME%in;%SystemRoot%system32;%SystemRoot%;%SystemRoot%System32Wbem;" /f
    echo 开启远程桌面
    reg add "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f
    rem 修改远程桌面端口为9999
    rem reg add "HKLMSYSTEMCurrentControlSetControlTerminal ServerWds
    dpwdTds	cp"   /v PortNumber /t reg_dword /d 9999 /f
    rem reg add "HKLMSYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp" /v PortNumber /t reg_dword /d 9999 /f
    echo 关闭CD-ROM自动运行
    reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer" /v NoDriveTypeAutoRun /t reg_dword /d 255 /f
    echo 显示文件扩展名
    reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced" /v HideFileExt /t reg_dword /d 0 /f
    echo 修改windows update为自动更新
    reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto Update" /v AUOptions /t reg_dword /d 1 /f
    echo 华生医生设置为转储线程上下文
    reg add HKLMSOFTWAREMicrosoftDrWatson /v AppendToLogFile /t reg_dword /d 0 /f
    reg add HKLMSOFTWAREMicrosoftDrWatson /v CreateCrashDump /t reg_dword /d 0 /f
    reg add HKLMSOFTWAREMicrosoftDrWatson /v WaveFile /t REG_EXPAND_SZ /d "" /f
    echo 设置自动重新启动不发送管理警报
    reg add HKLMSYSTEMControlSet001ControlCrashControl /v AutoReboot /t reg_dword /d 1 /f
    reg add HKLMSYSTEMControlSet001ControlCrashControl /v SendAlert /t reg_dword /d 0 /f
    echo 设置写入调试信息为无
    reg add HKLMSYSTEMCurrentControlSetControlCrashControl /v CrashDumpEnabled /t reg_dword /d 0 /f
    echo 禁用错误报告
    reg add HKLMSOFTWAREMicrosoftPCHealthErrorReporting /v DoReport /t reg_dword /d 0 /f
    reg add HKLMSOFTWAREMicrosoftPCHealthErrorReporting /v ShowUI /t reg_dword /d 0 /f
    echo 关机清理虚拟内存
    reg add "HKLMSystemCurrentControlSetControlSession ManagerMemory Management" /v ClearPageFileAtShutdown /t reg_dword /d 1 /f
    echo 不显示上次登录用户名
    reg add HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v dontdisplaylastusername /t reg_dword /d 1 /f
    echo 关闭445端口
    reg add HKLMSYSTEMCurrentControlSetServicesNetBTParameters /v SMBDeviceEnabled   /t reg_dword /d 0 /f
    echo 防止小规模ddos攻击
    reg add HKLMSYSTEMCurrentControlSetServicesTcpipParameters /v SynAttackProtect   /t reg_dword /d 1 /f
    echo 禁止建立空连接
    reg add HKLMSYSTEMCurrentControlSetControlLsa /v restrictanonymous /t reg_dword /d 1 /f
    echo 禁止SAM 账户和共享的匿名枚举
    reg add HKLMSYSTEMCurrentControlSetControlLsa /v restrictanonymoussam /t reg_dword /d 1 /f
    echo 禁止系统自动管理共享
    reg add HKLMSYSTEMCurrentControlSetServiceslanmanserverparameters /v AutoShareWks /t reg_dword /d 0 /f
    echo 禁止系统自动共享
    reg add HKLMSYSTEMCurrentControlSetServiceslanmanserverparameters /v AutoShareServer /t reg_dword /d 0 /f
    rem 自动关闭无响应程序
    rem reg add "HKCUControl PanelDesktop" /v AutoEndTasks /t reg_sz /d 1 /f
    echo 设置无法关闭程序等待时间
    reg add "HKCUControl PanelDesktop" /v WaitToKillAppTimeout /t reg_sz /d 100 /f
    reg add "HKCUControl PanelDesktop" /v HungAppTimeout /t reg_sz /d 500 /f
    reg add HKLMSystemCurrentControlSetControl /v WaitToKillServiceTimeout /t reg_sz /d 100 /f
    echo 不需要按ctrl+alt+del
    reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem /v DisableCAD /t reg_dword /d 1 /f
    echo 把显示“关闭事件跟踪程序” 更改为已禁用
    reg add "HKLMSOFTWAREPoliciesMicrosoftWindows NTReliability" /v ShutdownReasonOn /t reg_dword /d 0 /f
    echo 禁止自动更新后不断的提示重启
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowswindowsUpdate /v RebootRelaunchTimeoutEnabled /t reg_DWORD /d 1 /f
    echo 禁止屏保
    reg add "hkcuSoftwarePoliciesMicrosoftWindowsControl PanelDesktop" /v ScreenSaveActive /t REG_SZ /d 0 /f
    echo 是否起用WSUS服务器
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v UseWUServer /t REG_DWORD /d 1 /f
    echo WSUS服务器设置
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdate /v WUServer /t REG_SZ /d http://61.135.177.110 /f
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdate /v WUStatusServer /t REG_SZ /d http://61.135.177.110  /f
    echo 重新计划自动更新计划后的等待时间
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v RescheduleWaitTime /t REG_DWORD /d 10 /f
    echo 自动更新安装后是否重新启动
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 0 /f
    echo 是否启用自动更新
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v NoAutoUpdate /t REG_DWORD /d 0 /f
    echo 配置自动更新
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v AUOptions /t REG_DWORD /d 4 /f
    echo 计划安装日期
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
    echo 计划安装时间
    reg add HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU /v ScheduledInstallTime /t REG_DWORD /d 3 /f
    rem 重命名管理员以及来宾帐户名称
    rem wmic useraccount where name='Administrator' call Rename admin
    echo 禁用帐户
    net user SQLDebugger /active:no
    net user TsInternetUser /active:no
    echo 设置当前目录为桌面
    if exist %USERPROFILE%桌面 (
    cd/D %USERPROFILE%桌面
    ) else (
    cd/D %USERPROFILE%desktop
    )
    echo 生成windows组策略安全设置
    if exist secinit.inf del secinit.inf /f
    echo [Unicode] >secinit.inf
    echo. >>secinit.inf
    echo [Event Audit] >>secinit.inf
    echo AuditSystemEvents = 3 >>secinit.inf
    echo AuditLogonEvents = 3 >>secinit.inf
    echo AuditObjectAccess = 2 >>secinit.inf
    echo AuditPrivilegeUse = 2 >>secinit.inf
    echo AuditPolicyChange = 3 >>secinit.inf
    echo AuditAccountManage = 3 >>secinit.inf
    echo AuditProcessTracking = 0 >>secinit.inf
    echo AuditDSAccess = 2 >>secinit.inf
    echo AuditAccountLogon = 3 >>secinit.inf
    
    echo [System Access] >>secinit.inf
    echo MinimumPasswordAge = 0 >>secinit.inf
    echo MaximumPasswordAge = 42 >>secinit.inf
    echo MinimumPasswordLength = 12 >>secinit.inf
    echo PasswordComplexity = 1 >>secinit.inf
    echo PasswordHistorySize = 0 >>secinit.inf
    echo LockoutBadCount = 5 >>secinit.inf
    echo ResetLockoutCount = 20 >>secinit.inf
    echo LockoutDuration = 20 >>secinit.inf
    echo RequireLogonToChangePassword = 0 >>secinit.inf
    echo ForceLogoffWhenHourExpire = 0 >>secinit.inf
    echo ClearTextPassword = 0 >>secinit.inf
    echo LSAAnonymousNameLookup = 0 >>secinit.inf
    echo EnableAdminAccount = 1 >>secinit.inf
    echo EnableGuestAccount = 0 >>secinit.inf
    
    echo [System Log]    >> secinit.inf
    echo MaximumLogSize = 16384  >> secinit.inf
    echo AuditLogRetentionPeriod = 1 >> secinit.inf
    echo RetentionDays = 30  >> secinit.inf
    
    echo [Security Log]  >> secinit.inf
    echo MaximumLogSize = 16384  >> secinit.inf
    echo AuditLogRetentionPeriod = 1 >> secinit.inf
    echo RetentionDays = 30  >> secinit.inf
    
    echo [Application Log]   >> secinit.inf
    echo MaximumLogSize = 16384  >> secinit.inf
    echo AuditLogRetentionPeriod = 1 >> secinit.inf
    echo RetentionDays = 30  >> secinit.inf
    
    echo [File Security]     >> secinit.inf
    echo "c:oot.ini",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
    echo "c:
    tdetect.com",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
    echo "c:
    tldr",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
    echo "c:
    tbootdd.sys",2,"D:P(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
    echo "c:autoexec.bat",2,"D:P(A;;GXGR;;;BU)(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
    echo "c:config.sys",2,"D:P(A;;GXGR;;;BU)(A;;GXGR;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)" >> secinit.inf
    echo "%ProgramFiles%",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)(A;;GXGR;;;WD)" >> secinit.inf
    echo "%SystemRoot%explorer.exe",2,"D:(A;;GXGR;;;WD)" >> secinit.inf
    echo "%SystemRoot%CSC",1,"D:AR" >> secinit.inf
    echo "%SystemRoot%debug",1,"D:AR" >> secinit.inf
    echo "%SystemRoot%Offline Pages",1,"D:AR" >> secinit.inf
    echo "%SystemRoot%Profiles",1,"D:AR" >> secinit.inf
    echo "%SystemRoot%Registration",1,"D:AR" >> secinit.inf
    echo "%SystemRoot%
    epair",2,"D:P(A;CI;GXGR;;;BU)(A;CI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%Tasks",1,"D:AR" >> secinit.inf
    echo "%SystemRoot%Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CI;0x100026;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%addins",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%Connection Wizard",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%Driver Cache",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%java",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%msagent",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%security",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%speech",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%	wain_32",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    echo "%SystemRoot%Web",2,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" >> secinit.inf
    
    echo [Registry Values] >>secinit.inf
    echo MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDontDisplayLastUserName=4,1   >> secinit.inf
    echo MACHINESystemCurrentControlSetControlLsaRestrictAnonymous=4,1  >> secinit.inf
    
    echo [Privilege Rights] >>secinit.inf
    echo SeNetworkLogonRight = Administrators  >> secinit.inf
    echo SeShutdownPrivilege = Administrators >> secinit.inf
    echo SeRemoteShutdownPrivilege = Administrators >> secinit.inf
    echo SeRemoteInteractiveLogonRight = Administrators >> secinit.inf
    echo Seinteractivelogonright = Administrators >> secinit.inf
    
    echo [Version] >>secinit.inf
    echo signature="$CHICAGO$" >>secinit.inf
    echo Revision=1 >>secinit.inf
    cls
    echo 运行安全设置
    move /y secinit.inf %systemroot%security	emplatessecinit.inf
    echo y|secedit /configure /cfg %systemroot%security	emplatessecinit.inf /db %systemroot%securitydatabasesecinit.db /overwrite /log %systemroot%securitylogssecinit.log
    regsvr32 /s scecli.dll
    echo 关闭默认共享
    net share c$ /del
    net share d$ /del
    net share e$ /del
    net share ipc$ /del
    net share admin$ /del
    del secinit.inf /f
  • 相关阅读:
    HDU1285-确定比赛名次(拓扑排序)
    ftp sftp
    Python with 用法
    odoo 非root用户运行不成功
    linux 删除软连接
    vscode wsl php
    WSL 修改默认登录用户为root
    WSL ssh服务自启动
    odoo 获取model的所有字段
    odoo 在"动作"("Action")菜单中添加子菜单, 点击子菜单弹窗自定义form
  • 原文地址:https://www.cnblogs.com/milantgh/p/3603164.html
Copyright © 2020-2023  润新知