Windows安全基线加固批量执行脚本

Windows操作系统默认情况确实不那么安全,本文所提供的脚本正是针对Windows进行基线加固,将以下脚本保存到bat文件中并执行即可。

:: 账号安全
@prompt # 
echo [version] >account.inf
echo signature="$CHICAGO$" >>account.inf
echo [System Access] >>account.inf
REM 修改帐户密码最小长度为8
echo MinimumPasswordLength=8 >>account.inf
REM 开启帐户密码复杂性要求
echo PasswordComplexity=1 >>account.inf
REM 修改帐户密码最长留存期为90天
echo MaximumPasswordAge=90 >>account.inf
REM 修改强制密码历史为5次
echo PasswordHistorySize=5 >>account.inf
REM 禁用Guest帐户
echo EnableGuestAccount=0 >>account.inf
REM 设定帐户锁定阀值为6次
echo LockoutBadCount=6 >>account.inf
secedit /configure /db account.sdb /cfg account.inf /log account.log /quiet
del account.*

:: 认证安全
@prompt # 
echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM 开启审核系统事件
echo AuditSystemEvents=3 >>audit.inf
REM 开启审核对象访问
echo AuditObjectAccess=1 >>audit.inf
REM 开启审核特权使用
echo AuditPrivilegeUse=3 >>audit.inf
REM 开启审核策略更改
echo AuditPolicyChange=3 >>audit.inf
REM 开启审核帐户管理
echo AuditAccountManage=3 >>audit.inf
REM 开启审核过程跟踪
echo AuditProcessTracking=3 >>audit.inf
开启审核目录服务访问
echo AuditDSAccess=3 >>audit.inf REM
REM 开启审核登陆事件
echo AuditLogonEvents=3 >>audit.inf
开启审核帐户登陆事件
echo AuditAccountLogon=3 >>audit.inf
echo AuditLog >>audit.inf
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
del audit.*

:: 权限设置
@prompt #
REM 授权配置
echo [version] >rightscfg.inf
echo signature="$CHICAGO$" >>rightscfg.inf
echo [Privilege Rights] >>rightscfg.inf
REM 从远端系统强制关机只指派给Administrators组
echo seremoteshutdownprivilege=Administrators >>rightscfg.inf
REM 关闭系统仅指派给Administrators组
echo seshutdownprivilege=Administrators >>rightscfg.inf
REM 取得文件或其它对象的所有权仅指派给Administrators
echo setakeownershipprivilege=Administrators >>rightscfg.inf
REM 在本地登陆权限仅指派给Administrators
echo seinteractivelogonright=Administrators >> rightscfg.inf
REM 只允许Administrators从网络访问
echo senetworklogonright=Administrators >>rightscfg.inf
secedit /configure /db rightscfg.sdb /cfg rightscfg.inf /log rightscfg.log /quiet
del rightscfg.*

REM 禁用匿名访问命名管道和共享
@echo Windows Registry Editor Version 5.00>>nss.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]>>nss.reg
@echo "NullSessionShares"=->>nss.reg
@regedit /s nss.reg
@del nss.reg
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f

REM 禁用可远程访问的注册表路径和子路径
@echo Windows Registry Editor Version 5.00>>aep.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths]>>aep.reg
@echo "Machine"=->>aep.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths]>>aep.reg
@echo "Machine"=->>aep.reg
@regedit /s aep.reg
@del aep.reg
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f

REM 修改自动登录的注册表
@echo Windows Registry Editor Version 5.00>>auto.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>auto.reg
@echo "AutoAdminLogon"=dword:0>>auto.reg
@regedit /s auto.reg
@del auto.reg

REM 源路由欺骗保护
@echo Windows Registry Editor Version 5.00>>route.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]>>route.reg
@echo "DisableIPSourceRouting"=dword:2>>route.reg
@regedit /s route.reg
@del route.reg

REM 碎片攻击保护
@echo Windows Registry Editor Version 5.00>>sp.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]>>sp.reg
@echo "EnablePMTUDiscovery"=dword:1>>sp.reg
@regedit /s sp.reg
@del sp.reg

@prompt # 
@echo Windows Registry Editor Version 5.00>>SynAttack.reg 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]>>SynAttack.reg 
@echo "SynAttackProtect"=dword:2>>SynAttack.reg
@echo "TcpMaxPortsExhausted"=dword:5>>SynAttack.reg
@echo "TcpMaxHalfOpen"=dword:500>>SynAttack.reg
@echo "TcpMaxHalfOpenRetried"=dword:400>>SynAttack.reg

@REM DDOS
@echo "EnableICMPRedirect"=dword:0>>SynAttack.reg

@regedit /s SynAttack.reg
@del SynAttack.reg

:: 系统日志
@prompt # 
echo [version] >logcfg.inf
echo signature="$CHICAGO$" >>logcfg.inf
REM 设置系统日志
echo [System Log] >>logcfg.inf
REM 设置系统日志文件最大8192KB
echo MaximumLogSize=8192 >>logcfg.inf
REM 设置当达到最大的日志尺寸时按需要改写事件
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM 设置限制GUEST访问应用日志
echo RestrictGuestAccess=1 >>logcfg.inf
echo [Security Log] >>logcfg.inf REM 设置安全日志
REM 设置安全日志文件最大8192KB
echo MaximumLogSize=8192 >>logcfg.inf 
REM 设置当达到最大的日志尺寸时按需要改写事件
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM 设置限制GUEST访问安全日志
echo RestrictGuestAccess=1 >>logcfg.inf
echo [Application Log] >>logcfg.inf REM 设置应用程序日志
REM 设置应用程序日志文件最大8192KB
echo MaximumLogSize=8192 >>logcfg.inf
REM 设置当达到最大的日志尺寸时按需要改写事件
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM 设置限制GUEST访问应用程序日志
echo RestrictGuestAccess=1 >>logcfg.inf
secedit /configure /db logcfg.sdb /cfg logcfg.inf /log logcfg.log
del logcfg.*

:: 删除默认共享,请自行增删盘符
@prompt # 
REM 删除当前默认共享
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share admin$ /delete
sc stop browser
sc stop dfs
sc stop lanmanserver
sc config browser start= demand
sc config dfs start= demand
sc config lanmanserver start= demand

REM 修改共享的注册表
@echo Windows Registry Editor Version 5.00>>share.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>>share.reg
@echo "AutoShareWks"=dword:0>>share.reg
@echo "AutoShareServer"=dword:0>>share.reg
@regedit /s share.reg
@del share.reg

REM 限制IPC共享(禁止SAM帐户和共享的匿名枚举)
@echo Windows Registry Editor Version 5.00>>ipc.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>ipc.reg
@echo "RestrictAnonymous"=dword:1>>ipc.reg
@echo "restrictanonymoussam"=dword:1>>ipc.reg
@regedit /s ipc.reg
@del ipc.reg

REM 启用屏幕保护程序
@echo Windows Registry Editor Version 5.00>>scrsave.reg 
@echo [HKEY_CURRENT_USER\Control Panel\Desktop]>>scrsave.reg 
@echo "ScreenSaveActive"="1">>scrsave.reg
@echo "ScreenSaverIsSecure"="1">>scrsave.reg
@echo "ScreenSaveTimeOut"="300">>scrsave.reg
@regedit /s scrsave.reg
@del scrsave.reg

REM “Microsoft网络服务器”设置为“在挂起会话之前所需的空闲时间”为15分钟
@echo Windows Registry Editor Version 5.00>>lanmanautodisconn.reg 
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>>lanmanautodisconn.reg 
@echo "autodisconnect"=dword:0000000f>>lanmanautodisconn.reg 
@regedit /s lanmanautodisconn.reg
@del lanmanautodisconn.reg

REM 关闭自动播放
@reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /f
@reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
@echo Windows Registry Editor Version 5.00>>closeautorun.reg
@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]>>closeautorun.reg
@echo. >>closeautorun.reg
@echo "NoDriveTypeAutoRun"=dword:000000ff>>closeautorun.reg
@regedit /s closeautorun.reg
@del closeautorun.reg

:: 网络安全
ECHO ON
REM WEB Security
echo> web.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
echo>>web.reg "SynAttackProtect"=dword:1
echo>>web.reg "EnableDeadGWDetect"=dword:0
echo>>web.reg "KeepAliveTime"=dword:300000
echo>>web.reg "DisableIPSourceRouting"=dword:2
echo>>web.reg "TcpMaxConnectResponseRetransmissions"=dword:2
echo>>web.reg "TcpMaxDataRetransmissions"=dword:3
echo>>web.reg "PerformRouterDiscovery"=dword:0
regedit /s web.reg"
del web.reg"

@prompt #
@echo off
echo Windows Registry Editor Version 5.00 >> tcpipfilter.reg
echo. >> tcpipfilter.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters] >> tcpipfilter.reg
echo "EnableSecurityFilters"=dword:00000001 >> tcpipfilter.reg
echo. >> tcpipfilter.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters] >> tcpipfilter.reg
echo "EnableSecurityFilters"=dword:00000001 >> tcpipfilter.reg
echo. >> tcpipfilter.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] >> tcpipfilter.reg
echo "EnableSecurityFilters"=dword:00000001 >> tcpipfilter.reg
regedit /s tcpipfilter.reg
del tcpipfilter.reg

:: 登录安全
ECHO ON
REM WEB Securyt
echo> other.inf [Unicode]
echo>>other.inf Unicode=yes
echo>>other.inf [System Access]
echo>>other.inf ForceLogoffWhenHourExpire = 1
echo>>other.inf [Registry Values]
echo>>other.inf MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
echo>>other.inf MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
echo>>other.inf MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
echo>>other.inf MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
echo>>other.inf MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
echo>>other.inf [Version]
echo>>other.inf signature="$CHICAGO$"
echo>>other.inf Revision=1
secedit /configure /db other.sdb /cfg other.inf /log other.log /quiet
del other.*

:: 修改远程桌面默认端口
@prompt #
@echo off
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 9833 /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 9833 /f

:: 修改administrator别名
@prompt #
@echo off 
set /p nickname=请输入administrator 要更改的别名:
wmic useraccount where name='administrator' call Rename %nickname% 
echo 更改完成 任意键退出!!! 
pause >nul

注意:请根据实际需求进行增删改。

赞 (0) 打赏

评论 0

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

感谢您的支持与帮助

支付宝扫一扫打赏

微信扫一扫打赏