热门标签
热门文章
- 1OpenNJet : 下一代云原生应用引擎_opennjet竞品
- 2【NLP】文本分类
- 3【路径规划】(4) 蚁群算法,附python完整代码_蚁群算法旅行商问题python
- 4哪个学校计算机每年招不满,211院校有每年考研招不满的情况吗?
- 5新手如何开始学习自动化测试?_新手小白能做自动化测试吗
- 6[独有源码]springboot音乐推荐系统_ttibt借鉴他人经验,找到适合自己的毕业设计_音乐推荐系统框架图
- 7【Java】轻松掌握栈的基本操作_java 栈
- 8https错误ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- 9【Git】如何进行Git的配置、用户名密码缓存和清除(总结)_清除git config credential.helper store的数据
- 10NoSQL数据库(林子雨慕课课程)_林子雨nosql 和关系数据库的操作比较
当前位置: article > 正文
Windows安全基线加固-无SMB配置-无NTP配置脚本_windows2019server 安全加固脚本
作者:我家自动化 | 2024-05-23 04:51:39
赞
踩
windows2019server 安全加固脚本
详情见脚本内容,可自行修改
主要涉及如下安全加固内容:
1.账号安全
2.密码安全
3.系统日志
4.认证审核
5.网络安全
6.注册表安全
7.系统安全
8远程安全
SMB及NTP脚本在我另外一篇文章运维小脚本里面
https://blog.csdn.net/qq_35700085/article/details/128247802?spm=1001.2014.3001.5501
:: 账号安全
@prompt #
echo [version] >account.inf
echo signature="$CHICAGO$" >>account.inf
echo [System Access] >>account.inf
REM 修改帐户密码最小长度为14
echo MinimumPasswordLength=14 >>account.inf
REM 开启帐户密码复杂性要求
echo PasswordComplexity=1 >>account.inf
REM 修改帐户密码最长留存期为90天
echo MaximumPasswordAge=90 >>account.inf
REM 修改强制密码历史为5次
echo PasswordHistorySize=5 >>account.inf
REM 禁用Guest帐户
echo EnableGuestAccount=0 >>account.inf
REM 设定帐户锁定阀值为6次
echo LockoutBadCount=6 >>account.inf
REM 账户锁定时间
echo ResetLockoutCount=30 >>account.inf
REM 复位账户锁定计数器
echo LockoutDuration=30 >>account.inf
secedit /configure /db account.sdb /cfg account.inf /log account.log /quiet
del account.*
:: 系统日志
@prompt #
echo [version] >logcfg.inf
echo signature="$CHICAGO$" >>logcfg.inf
REM 设置系统日志
echo [System Log] >>logcfg.inf
REM 设置系统日志文件最大8192KB
echo MaximumLogSize=8192 >>logcfg.inf
REM 设置当达到最大的日志尺寸时按需要改写事件
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM 设置限制GUEST访问应用日志
echo RestrictGuestAccess=1 >>logcfg.inf
REM 设置安全日志
echo [Security Log] >>logcfg.inf
REM 设置安全日志文件最大8192KB
echo MaximumLogSize=8192 >>logcfg.inf
REM 设置当达到最大的日志尺寸时按需要改写事件
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM 设置限制GUEST访问安全日志
echo RestrictGuestAccess=1 >>logcfg.inf
REM 设置应用程序日志
echo [Application Log] >>logcfg.inf
REM 设置应用程序日志文件最大8192KB
echo MaximumLogSize=8192 >>logcfg.inf
REM 设置当达到最大的日志尺寸时按需要改写事件
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM 设置限制GUEST访问应用程序日志
echo RestrictGuestAccess=1 >>logcfg.inf
secedit /configure /db logcfg.sdb /cfg logcfg.inf /log logcfg.log
del logcfg.*
:: 认证安全
REM 禁用SCENoApplyLegacyAuditPolicy
@echo Windows Registry Editor Version 5.00>>aud.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>aud.reg
@echo "SCENoApplyLegacyAuditPolicy"=dword:00000000>>aud.reg
@regedit /s aud.reg
@del aud.reg
@prompt #
echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM 开启审核系统事件
echo AuditSystemEvents=3 >>audit.inf
REM 开启审核对象访问
echo AuditObjectAccess=3 >>audit.inf
REM 开启审核特权使用
echo AuditPrivilegeUse=3 >>audit.inf
REM 开启审核策略更改
echo AuditPolicyChange=3 >>audit.inf
REM 开启审核帐户管理
echo AuditAccountManage=3 >>audit.inf
REM 开启审核进程跟踪
echo AuditProcessTracking=3 >>audit.inf
REM 开启审核目录服务访问
echo AuditDSAccess=3 >>audit.inf
REM 开启审核登录事件
echo AuditLogonEvents=3 >>audit.inf
REM 开启审核帐户登录事件
echo AuditAccountLogon=3 >>audit.inf
echo AuditLog >>audit.inf
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
del audit.*
:: 权限设置
@prompt #
REM 授权配置
echo [version] >rightscfg.inf
echo signature="$CHICAGO$" >>rightscfg.inf
echo [Privilege Rights] >>rightscfg.inf
REM 从远端系统强制关机只指派给Administrators组
echo seremoteshutdownprivilege=Administrators >>rightscfg.inf
REM 关闭系统仅指派给Administrators组
echo seshutdownprivilege=Administrators >>rightscfg.inf
REM 取得文件或其它对象的所有权仅指派给Administrators
echo setakeownershipprivilege=Administrators >>rightscfg.inf
REM 在本地登陆权限仅指派给Administrators
echo seinteractivelogonright=Administrators >> rightscfg.inf
REM 只允许Administrators从网络访问
REM echo senetworklogonright=Administrators >>rightscfg.inf
secedit /configure /db rightscfg.sdb /cfg rightscfg.inf /log rightscfg.log /quiet
del rightscfg.*
REM 禁用匿名访问命名管道和共享
@echo Windows Registry Editor Version 5.00>>nss.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]>>nss.reg
@echo "NullSessionShares"=->>nss.reg
@regedit /s nss.reg
@del nss.reg
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f
REM 禁用可远程访问的注册表路径和子路径
@echo Windows Registry Editor Version 5.00>>aep.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths]>>aep.reg
@echo "Machine"=->>aep.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths]>>aep.reg
@echo "Machine"=->>aep.reg
@regedit /s aep.reg
@del aep.reg
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f
REM 修改自动登录的注册表
@echo Windows Registry Editor Version 5.00>>auto.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>auto.reg
@echo "AutoAdminLogon"=dword:0>>auto.reg
@regedit /s auto.reg
@del auto.reg
REM 源路由配置 欺骗保护
@echo Windows Registry Editor Version 5.00>>route.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>route.reg
@echo "DisableIPSourceRouting"=dword:2>>route.reg
@regedit /s route.reg
@del route.reg
REM 启用TCP最大传输单元(MTU)大小自动探测 碎片攻击保护
@echo Windows Registry Editor Version 5.00>>sp.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>sp.reg
@echo "EnablePMTUDiscovery"=dword:0>>sp.reg
@regedit /s sp.reg
@del sp.reg
REM SYN攻击保护
@prompt #
@echo Windows Registry Editor Version 5.00>>SynAttack.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]>>SynAttack.reg
REM 启用SYN攻击保护
@echo "SynAttackProtect"=dword:2>>SynAttack.reg
REM 设定TCP连接请求阈值:5
@echo "TcpMaxPortsExhausted"=dword:5>>SynAttack.reg
REM 设定处于SYN_RCVD 状态下的 TCP 连接阈值:500
@echo "TcpMaxHalfOpen"=dword:500>>SynAttack.reg
REM 设定处于SYN_RCVD 状态下,且至少已经进行了一次重新传输的TCP连接阈值:400
@echo "TcpMaxHalfOpenRetried"=dword:400>>SynAttack.reg
REM 设定取消尝试响应 SYN 请求之前要重新传输 SYN-ACK 的次数:2
@echo "TcpMaxConnectResponseRetransmissions"=dword:2>>SynAttack.reg
REM DDOS 在收到 ICMP 重定向数据包时禁止创建高成本的主机路由
@echo "EnableICMPRedirect"=dword:0>>SynAttack.reg
@regedit /s SynAttack.reg
@del SynAttack.reg
REM 限制IPC共享(禁止SAM帐户和共享的匿名枚举)
@echo Windows Registry Editor Version 5.00>>ipc.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>ipc.reg
@echo "RestrictAnonymous"=dword:1>>ipc.reg
@echo "restrictanonymoussam"=dword:1>>ipc.reg
@regedit /s ipc.reg
@del ipc.reg
REM 启用屏幕保护程序
@echo Windows Registry Editor Version 5.00>>scrsave.reg
@echo [HKEY_CURRENT_USER\Control Panel\Desktop]>>scrsave.reg
@echo "ScreenSaveActive"="1">>scrsave.reg
@echo "ScreenSaverIsSecure"="1">>scrsave.reg
@echo "ScreenSaveTimeOut"="900">>scrsave.reg
@regedit /s scrsave.reg
@del scrsave.reg
REM “Microsoft网络服务器”设置为“在挂起会话之前所需的空闲时间”为15分钟
@echo Windows Registry Editor Version 5.00>>lanmanautodisconn.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>>lanmanautodisconn.reg
@echo "autodisconnect"=dword:0000000f>>lanmanautodisconn.reg
@regedit /s lanmanautodisconn.reg
@del lanmanautodisconn.reg
REM 关闭自动播放
@reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /f
@reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
@echo Windows Registry Editor Version 5.00>>closeautorun.reg
@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]>>closeautorun.reg
@echo. >>closeautorun.reg
@echo "NoDriveTypeAutoRun"=dword:000000ff>>closeautorun.reg
@regedit /s closeautorun.reg
@del closeautorun.reg
:: 网络安全
ECHO ON
REM WEB安全
echo> web.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
echo>>web.reg "SynAttackProtect"=dword:1
echo>>web.reg "DisableIPSourceRouting"=dword:2
echo>>web.reg "TcpMaxConnectResponseRetransmissions"=dword:2
regedit /s web.reg
del web.reg
:: 修改远程桌面默认端口
@prompt #
@echo off
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 4488 /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 4488 /f
REM 增加防火墙RDP规则
netsh advfirewall firewall add rule name="RDP-4488" protocol=TCP dir=in localport=4488 action=allow
netsh advfirewall firewall add rule name="RDP-4488" protocol=TCP dir=out localport=4488 action=allow
:: 关闭ipv6
@echo Windows Registry Editor Version 5.00>>ipv6.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]>>ipv6.reg
@echo "DisabledComponents"=dword:ffffffff>>ipv6.reg
@regedit /s ipv6.reg
@del ipv6.reg
:: 关闭风险服务
::关闭Remote Access Connection Manager服务
sc stop RasMan
sc config RasMan start= disabled
echo 关闭Remote Access Connection服务成功
::关闭Message Queuing服务
sc stop MSMQ
sc config MSMQ start= disabled
echo 关闭Message Queuing服务成功
REM ::关闭DHCP Server服务
REM sc stop DHCPServer
REM sc config DHCPServer start= disabled
REM echo 关闭DHCPServer服务成功
REM ::关闭DHCP Client服务
REM sc stop Dhcp
REM sc config Dhcp start= disabled
REM echo 关闭Dhcp服务成功
::关闭SMTP服务
sc stop SMTP
sc config SMTP start= disabled
echo 关闭SMTP服务成功
::关闭WINS服务
sc stop WINS
sc config WINS start= disabled
echo 关闭WINS服务成功
::关闭simptcp服务
sc stop simptcp
sc config simptcp start= disabled
echo 关闭simptcp服务成功
::关闭SNMP服务
sc stop SNMP
sc config SNMP start= disabled
echo 关闭SNMP服务成功
::检查是否已开启数据DEP功能
bcdedit.exe/set {current} nx AlwaysOn
echo 开启数据DEP功能成功
::检查是否已开启UAC安全提示
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 1
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v PromptOnSecureDesktop /t REG_DWORD /d 0
echo 开启UAC安全提示成功
echo Update completed, press any key to exit...
pause >nul
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家自动化/article/detail/611416
推荐阅读
相关标签
