发现网上很多关于 Windows 安全加固的脚本都不够完整,这里总结了一份,有不对或缺少的地方欢迎大家建言。废话不多说,直接上干货,下面是 bat 脚本(脚本会修改本地安全策略、服务和 HKLM 注册表,需以管理员身份运行,建议先在测试环境验证后再用于生产)。
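rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
rem Windows hardening script. It writes a secedit security template
rem (gp.inf), removes the default administrative shares, disables
rem unneeded services, applies the template and imports a set of
rem registry changes. It must run from an elevated command prompt.
rem Test record:
rem   Windows Server 2008 R2 Standard 64-bit     - ok
rem   Windows Server 2008 Enterprise SP2 64-bit  - ok
rem   Windows Server 2012 Enterprise SP2 64-bit  - ok
rem   Windows Server 2012 R2 Datacenter 64-bit   - ok
rem   Windows 7 Ultimate                         - ok
rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@echo off
rem Keep the variables this run sets local to this run.
setlocal
rem gp.inf, gp.sdb, ipc.reg and log_ok.txt are all written relative to the
rem working directory; pin it to the script's own folder so a scheduled task
rem or a "Run as administrator" launch does not scatter them elsewhere.
cd /d "%~dp0"
rem secedit /configure, sc config and the HKLM writes below all need an
rem elevated console. "net session" only succeeds when elevated, so use it
rem as the check and bail out early instead of half-applying the changes.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated command prompt - right-click, Run as administrator.
    exit /b 1
)
echo 脚本执行后,请在当前目录的log_ok.txt,查看日志
echo.
echo 3秒后开始执行…..
rem ping is used as a portable 3-second sleep.
ping /n 3 127.1 >nul
rem pause
cls
echo.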
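rem ============ Generate the gp.inf security-template file ====================
rem The template is written with echo in the console code page (not UTF-16)
rem even though the [Unicode] header says Unicode=yes, so keep its content
rem ASCII. Every value line must have a space between the value and the
rem append redirection: cmd treats a digit that stands directly in front of
rem the redirection operator as a file-handle number and silently drops the
rem value from the file (that is what happened to MaximumPasswordAge below).
echo [Unicode] > gp.inf
echo Unicode=yes >>gp.inf
echo [System Access] >>gp.inf
rem Rename the built-in Administrator account: choose a name, put it in the
rem line below and drop the leading semicolon. Kept commented out on purpose -
rem an active line with the default name would rename an already-renamed
rem Administrator back to "administrator".
echo ;NewAdministratorName = "administrator" >>gp.inf
rem ------------- Password policy ------------------------------
echo ;Account Policies - Password Policy >>gp.inf
rem Minimum age 1 day: with 0 a user can run through 5 changes in a minute and
rem land back on the old password, which defeats PasswordHistorySize below.
echo MinimumPasswordAge = 1 >>gp.inf
rem Maximum age 90 days. The original wrote 0, which never reached the file
rem (see the note above) and would have meant "never expires" anyway - at odds
rem with the 14-day expiry warning configured further down.
echo MaximumPasswordAge = 90 >>gp.inf
echo MinimumPasswordLength = 10 >>gp.inf
echo PasswordComplexity = 1 >>gp.inf
echo PasswordHistorySize = 5 >>gp.inf
rem Lock after 5 bad attempts; counter reset and lockout duration 10 minutes.
echo LockoutBadCount = 5 >>gp.inf
echo ResetLockoutCount = 10 >>gp.inf
echo LockoutDuration = 10 >>gp.inf
rem Do not store passwords using reversible encryption.
echo ClearTextPassword = 0 >>gp.inf
rem "Network access: Allow anonymous SID/Name translation". 1 ENABLES the
rem lookup; the stated intent (block anonymous SAM enumeration) needs 0.
echo LSAAnonymousNameLookup = 0 >>gp.inf
rem Disable the Guest account.
echo EnableGuestAccount = 0 >>gp.inf
rem "User must log on to change the password": disabled (legacy setting).
echo RequireLogonToChangePassword = 0 >>gp.inf
rem "Force logoff when logon hours expire": disabled.
echo ForceLogoffWhenHourExpire = 0 >>gp.inf
rem Local Policies \ Audit Policy. 0 = none, 1 = success, 2 = failure, 3 = both.
echo [Event Audit] >>gp.inf
rem System events: audit success too, so start-up and shutdown are recorded
rem (the original audited failures only).
echo AuditSystemEvents = 3 >>gp.inf
echo AuditObjectAccess = 0 >>gp.inf
echo AuditPrivilegeUse = 0 >>gp.inf
echo AuditPolicyChange = 3 >>gp.inf
echo AuditAccountManage = 3 >>gp.inf
echo AuditProcessTracking = 0 >>gp.inf
echo AuditDSAccess = 0 >>gp.inf
echo AuditAccountLogon = 3 >>gp.inf
echo AuditLogonEvents = 3 >>gp.inf
echo [Registry Values] >> gp.inf
rem Interactive logon: do not display the last user name - enabled.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 >>gp.inf
rem Interactive logon: "Do not require CTRL+ALT+DEL" disabled, i.e. CAD is required.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 >>gp.inf
rem Interactive logon: warn the user 14 days before the password expires.
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14 >>gp.inf
rem Logon banner, disabled. To enable it remove "rem" from the two lines below
rem and adjust the text; type 0 is REG_SZ for the caption and type 7 is
rem REG_MULTI_SZ for the body, where commas separate the lines.
rem echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=0,"主机使用安全建议" >>gp.inf
rem echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,0.系统密码/应用系统密码/数据库密码一定要足够复杂,2.端口除业务必须(如80/443/3389)外其他一律禁止外网访问","特别要禁止数据库端口如3306/1433/1521/6379等,3.WEB应用系统上线前须做渗透测试,防止组件/WEB漏洞被黑客利用,4.关注安全预警","定期打补丁","确保安全漏洞能及时修复 >>gp.inf
rem Network security: minimum session security for NTLM SSP based clients and
rem servers. 537395200 = 0x20080000: require NTLMv2 session security and
rem 128-bit encryption.
echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200 >>gp.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200 >>gp.inf
rem Network access: remotely accessible registry paths and sub-paths - both
rem emptied. "7," is the empty REG_MULTI_SZ form (the same form the
rem NullSessionShares line uses); the original "7,0" stored a bogus path
rem entry named "0" instead of an empty list.
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7, >>gp.inf
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7, >>gp.inf
rem Network access: shares and named pipes that may be accessed anonymously -
rem both emptied (the original comment mentioned pipes but only cleared the
rem shares). Server-side SMB signing is enabled, not required.
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1 >>gp.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7, >>gp.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7, >>gp.inf
rem Shutdown: clear the virtual-memory pagefile (makes shutdown a bit slower).
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1 >>gp.inf
rem Idle SMB session disconnect after 15 minutes - left disabled as in the original.
rem echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 >>gp.inf
rem NOTE: this section is only applied when secedit is run with the
rem USER_RIGHTS area; SECURITYPOLICY alone covers the sections above.
echo [Privilege Rights] >>gp.inf
rem Access this computer from the network: Administrators, Users and Backup
rem Operators - Everyone (S-1-1-0) is deliberately not listed.
echo SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551 >>gp.inf
rem Shut down the system, and force shutdown from a remote system:
rem Administrators only (the original set only the local right).
echo SeShutdownPrivilege = *S-1-5-32-544 >>gp.inf
echo SeRemoteShutdownPrivilege = *S-1-5-32-544 >>gp.inf
rem Take ownership of files or other objects: Administrators only. The
rem original also listed *S-1-1-0 (Everyone), which let any account take
rem ownership of any object on the machine.
echo SeTakeOwnershipPrivilege = *S-1-5-32-544 >>gp.inf
echo [Version] >>gp.inf
echo signature="$CHICAGO$" >>gp.inf
echo Revision=1 >>gp.inf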
rem ============== Remove the default administrative shares ================
rem IPC$, ADMIN$ and the drive-letter shares are deleted one by one. They are
rem recreated whenever the Server service starts unless AutoShareServer and
rem AutoShareWks are set to 0 in the registry (done later in this script).
rem Removing IPC$ and ADMIN$ also cuts off remote administration of this host
rem for the rest of this boot.
for %%s in (IPC$ ADMIN$ C$ D$ E$ F$ G$ H$ I$ J$ K$ L$ M$ N$) do net share %%s /DEL
@ echo.
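rem ============= Disable services that are not needed =============
rem Every net/sc line appends stdout AND stderr to log_ok.txt; the original
rem sent stderr to the console, so failures never reached the log the user
rem is told to check. Messenger, WZCSVC, ERSvc and helpsvc are XP/2003-era
rem service names that no longer exist on Vista/2008 and later - on those
rem systems the calls only log a "service does not exist" error. Disabling
rem Spooler stops all printing on this host and disabling RemoteRegistry
rem breaks tools that read the registry remotely; review both against
rem local needs before running.
echo 脚本执行结果记录: >log_ok.txt
echo 停止不必要的服务列表。>>log_ok.txt
echo ++++++++++++++++++++++++++++++++++++++++++++++++ >> log_ok.txt
echo 1.停止服务Messenger,并设为禁用 >>log_ok.txt
net stop Messenger >>log_ok.txt 2>&1
sc config Messenger start= disabled >>log_ok.txt 2>&1
@ echo.
echo 2.停止服务Remote Registry,并设为禁用 >>log_ok.txt
net stop RemoteRegistry >>log_ok.txt 2>&1
sc config RemoteRegistry start= disabled >>log_ok.txt 2>&1
@ echo.
@ echo.
rem Themes and Telephony (TapiSrv) are left alone, as in the original:
rem echo 13.停止服务Themes,并设为禁用 >>log_ok.txt
rem net stop Themes >>log_ok.txt
rem sc config Themes start= disabled >>log_ok.txt
@ echo.
rem echo 14.停止服务Telephony,并设为禁用 >>log_ok.txt
rem net stop Telephony >>log_ok.txt
rem sc config TapiSrv start= disabled >>log_ok.txt
@ echo.
echo 3.停止服务TCP/IP NetBIOS Helper,并设为禁用 >>log_ok.txt
net stop LmHosts >>log_ok.txt 2>&1
sc config LmHosts start= disabled >>log_ok.txt 2>&1
@ echo.
echo 4.停止服务Wireless Configuration,并设为禁用 >>log_ok.txt
net stop WZCSVC >>log_ok.txt 2>&1
sc config WZCSVC start= disabled >>log_ok.txt 2>&1
@ echo.
echo 5.停止服务Error Reporting Service,并设为禁用 >>log_ok.txt
net stop ERSvc >>log_ok.txt 2>&1
sc config ERSvc start= disabled >>log_ok.txt 2>&1
@ echo.
echo 6.停止服务Help and Support,并设为禁用 >>log_ok.txt
rem Help and Support Center service.
net stop helpsvc >>log_ok.txt 2>&1
sc config helpsvc start= disabled >>log_ok.txt 2>&1
@ echo.
echo 7.停止服务Telnet,并设为禁用 >>log_ok.txt
net stop TlntSvr >>log_ok.txt 2>&1
sc config TlntSvr start= disabled >>log_ok.txt 2>&1
@ echo.
echo 8.停止服务Print Spooler,并设为禁用 >>log_ok.txt
net stop Spooler >>log_ok.txt 2>&1
sc config Spooler start= disabled >>log_ok.txt 2>&1
@ echo.
rem Computer Browser is left alone, as in the original:
rem ;echo 9.停止服务Computer Browser,并设为禁用 >>log_ok.txt
rem ;net stop Browser >>log_ok.txt
rem ;sc config Browser start= disabled >>log_ok.txt
@ echo.
echo ++++++++++++++++++++++++++++++++++++++++++++++++ >> log_ok.txt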
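rem =================== Apply the security template (secpol.msc) =======================
rem Back up the current policy to C:\backup before changing anything.
if not exist C:\backup md C:\backup
rem Build a yyyyMMddHHmmss stamp from WMI instead of slicing the date and
rem time variables: their layout depends on the regional settings, so the
rem original substring arithmetic only produced a sane file name on a zh-CN
rem system, and the time variable carries a leading space for hours below 10.
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /value') do set "stamp=%%I"
if defined stamp (set "name=%stamp:~0,14%") else (set "name=%random%")
secedit /export /cfg c:\backup\secpol_bakcup%name%.inf /quiet >>log_ok.txt 2>&1
rem gp.inf in this folder is the template being applied; do not delete it by hand.
echo 执行密码策略…
rem Areas: [System Access], [Event Audit] and [Registry Values] belong to
rem SECURITYPOLICY, but [Privilege Rights] belongs to USER_RIGHTS. The
rem original named SECURITYPOLICY only, so the user-rights assignments in
rem the template were never applied. secedit keeps its own log next to the backup.
secedit /configure /db gp.sdb /cfg gp.inf /areas SECURITYPOLICY USER_RIGHTS /log c:\backup\secedit_%name%.log /quiet >>log_ok.txt 2>&1
if errorlevel 1 echo secedit /configure failed, see c:\backup\secedit_%name%.log >>log_ok.txt
ping /n 1 127.1 >nul
rem Remove the generated files. No /s: that switch recurses into every
rem subdirectory and would delete any other gp.inf or gp.sdb found there.
echo 删除临时文件 >> log_ok.txt
del /f gp.inf >>log_ok.txt
del /f gp.sdb >>log_ok.txt
echo ok. >>log_ok.txt
@ echo.
@ echo.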
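rem =========== Block IPC$ null sessions and related registry hardening ============
rem The lines below are written to ipc.reg and imported. Plain ASCII double
rem quotes are required around names and values; the typographic quotes in
rem the published listing make reg import reject the file.
echo Windows Registry Editor Version 5.00 >ipc.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>ipc.reg
rem RestrictAnonymous=1: do not allow anonymous enumeration of SAM accounts and shares.
echo "restrictanonymous"=dword:00000001 >>ipc.reg
rem Stop the Server service from recreating ADMIN$ and the drive shares at start-up.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >>ipc.reg
echo "AutoShareServer"=dword:00000000 >>ipc.reg
echo "AutoShareWks"=dword:00000000 >>ipc.reg
rem Security event log: 0xC800000 bytes = 200 MB, overwrite events as needed.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security] >>ipc.reg
echo "MaxSize"=dword:c800000 >> ipc.reg
echo "Retention"=dword:0 >> ipc.reg
rem Interactive logon: information about previous logons. 0 = do not show.
rem NOTE(review): the original comment says "display"; showing the last
rem successful and failed logon lets users notice misuse of their own
rem account, so 1 may be what was intended - confirm before changing.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] >>ipc.reg
echo "DisplayLastLogonInfo"=dword:00000000 >>ipc.reg
rem Lock the desktop after 10 minutes without input (tested on 2008 R2 Standard).
rem HKEY_CURRENT_USER only covers the account running this script, not other
rem users; a per-machine setting has to come from Group Policy. A secure
rem screen saver also needs a screen saver selected (SCRNSAVE.EXE) before the
rem timeout does anything - that line is kept disabled as in the original,
rem so confirm one is configured on the target.
echo [HKEY_CURRENT_USER\Control Panel\Desktop] >>ipc.reg
rem echo "SCRNSAVE.EXE"="C:\\Windows\\system32\\scrnsave.scr" >>ipc.reg
echo "ScreenSaveActive"="1" >>ipc.reg
echo "ScreenSaveTimeOut"="600" >>ipc.reg
echo "ScreenSaverIsSecure"="1" >>ipc.reg
rem Record the current values first. This is reg query output for reference,
rem not an importable .reg file, despite the header line.
echo Windows Registry Editor Version 5.00 > C:\backup\reg_backup%name%.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous >> C:\backup\reg_backup%name%.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer >> C:\backup\reg_backup%name%.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks >> C:\backup\reg_backup%name%.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v MaxSize >> C:\backup\reg_backup%name%.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" /v Retention >> C:\backup\reg_backup%name%.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisplayLastLogonInfo >> C:\backup\reg_backup%name%.txt
reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut >> C:\backup\reg_backup%name%.txt
reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure >> C:\backup\reg_backup%name%.txt
rem Short pause (about 1 second).
ping /n 2 127.1 >nul
rem Apply the changes with reg.exe: unlike "regedit -s" it reports failure
rem through errorlevel, so a rejected file shows up in the log.
reg import ipc.reg >>log_ok.txt 2>&1
if errorlevel 1 echo reg import ipc.reg failed >>log_ok.txt
rem No /s on del: it would recurse into subdirectories looking for ipc.reg.
del /f ipc.reg >>log_ok.txt
@ echo.
@ echo.
echo ++++++++++++++++++++++++++++++++++++++++++++++++ >> log_ok.txt
echo 策略备份文件在C:\backup 目录 >>log_ok.txt
@ echo.
echo 脚本执行完毕….3秒后窗口关闭
ping /n 3 127.1 >nul
rem pause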
来源:freebuf.com 2020-07-15 10:03:27 by: zhaogangme