windows server 2016安全基線設置腳本


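:: Account policy, applied through a secedit security template ([System Access]).
:: The script must run from an elevated prompt: secedit and every HKLM write below
:: fails (mostly silently) otherwise, so abort early instead of producing a half-applied baseline.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated ^(Administrator^) command prompt.
    exit /b 1
)
@prompt # 
echo [version] >account.inf
echo signature="$CHICAGO$" >>account.inf
echo [System Access] >>account.inf
REM Minimum password length: 10 characters
echo MinimumPasswordLength=10 >>account.inf
REM Require password complexity
echo PasswordComplexity=1 >>account.inf
REM Maximum password age: 120 days (many published baselines use 60-90; align with site policy)
echo MaximumPasswordAge=120 >>account.inf
REM Disable the built-in Guest account
echo EnableGuestAccount=0 >>account.inf
REM Lock the account after 6 invalid logon attempts
echo LockoutBadCount=6 >>account.inf
REM Lockout duration and counter reset, in minutes. Stated explicitly so the threshold
REM above does not inherit whatever duration/reset the host happened to have
REM (ResetLockoutCount must not exceed LockoutDuration).
echo LockoutDuration=30 >>account.inf
echo ResetLockoutCount=30 >>account.inf
secedit /configure /db account.sdb /cfg account.inf /log account.log /quiet
REM The original deleted the log unconditionally, so a failed apply went unnoticed.
REM Keep a copy of the log when secedit reports a non-zero exit code.
if errorlevel 1 (
    echo secedit failed to apply the account policy; details kept in account_failed.log
    copy /y account.log account_failed.log >nul
)
del account.*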
 
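:: User-rights assignment, applied through a secedit template ([Privilege Rights]).
:: NOTE(review): each line REPLACES the whole assignment for that right. In particular
:: seinteractivelogonright=Administrators removes "Allow log on locally" from Users,
:: Backup Operators and any other principal; on a domain controller this also governs
:: domain accounts. Confirm the intended console-access model before running this on a shared host.
@prompt #
REM Build the rights template
echo [version] >rightscfg.inf
echo signature="$CHICAGO$" >>rightscfg.inf
echo [Privilege Rights] >>rightscfg.inf
REM Force shutdown from a remote system: Administrators only
echo seremoteshutdownprivilege=Administrators >>rightscfg.inf
REM Shut down the system: Administrators only
echo seshutdownprivilege=Administrators >>rightscfg.inf
REM Take ownership of files or other objects: Administrators only
echo setakeownershipprivilege=Administrators >>rightscfg.inf
REM Allow log on locally: Administrators only (see the note above)
echo seinteractivelogonright=Administrators >>rightscfg.inf
secedit /configure /db rightscfg.sdb /cfg rightscfg.inf /log rightscfg.log /quiet
REM Keep the log when secedit reports failure; the original deleted it unconditionally.
if errorlevel 1 (
    echo secedit failed to apply user-rights assignments; details kept in rightscfg_failed.log
    copy /y rightscfg.log rightscfg_failed.log >nul
)
del rightscfg.*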
 
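:: Audit policy (legacy category-level settings via secedit [Event Audit]).
:: Values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
:: NOTE(review): on Server 2016 the Advanced Audit Policy subcategories (auditpol) take
:: precedence over these categories when "force audit policy subcategory settings"
:: (SCENoApplyLegacyAuditPolicy) is enabled; verify the result with auditpol /get /category:*.
@prompt # 
echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM Audit system events
echo AuditSystemEvents=3 >>audit.inf
REM Audit object access (only objects that carry a SACL generate events)
echo AuditObjectAccess=3 >>audit.inf
REM Audit privilege use
echo AuditPrivilegeUse=3 >>audit.inf
REM Audit policy change
echo AuditPolicyChange=3 >>audit.inf
REM Audit account management
echo AuditAccountManage=3 >>audit.inf
REM Audit process tracking: failure only (2), as in the original baseline
echo AuditProcessTracking=2 >>audit.inf
REM Audit directory service access
echo AuditDSAccess=3 >>audit.inf
REM Audit logon events
echo AuditLogonEvents=3 >>audit.inf
REM Audit account logon events
echo AuditAccountLogon=3 >>audit.inf
REM The original appended a bare "AuditLog" token to the template here; it is not a
REM valid key in [Event Audit] and has been removed.
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
REM Keep the log when secedit reports failure; the original deleted it unconditionally.
if errorlevel 1 (
    echo secedit failed to apply the audit policy; details kept in audit_failed.log
    copy /y audit.log audit_failed.log >nul
)
del audit.*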
 
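:: Event log settings via secedit ([System Log] / [Security Log] / [Application Log]).
:: MaximumLogSize is in KB. The original set 8192 KB for all three logs, which is BELOW the
:: out-of-box size on current Windows (20480 KB) and would shrink retention rather than
:: harden it. The values below follow the commonly used CIS Server 2016 minimums
:: (Security 196608 KB, Application and System 32768 KB); raise them further if disk allows.
:: AuditLogRetentionPeriod=0 = "overwrite events as needed" -- pair it with log forwarding
:: if Security events must survive a roll-over.
@prompt # 
echo [version] >logcfg.inf
echo signature="$CHICAGO$" >>logcfg.inf
REM System log
echo [System Log] >>logcfg.inf
echo MaximumLogSize=32768 >>logcfg.inf
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM Deny Guest access to the log
echo RestrictGuestAccess=1 >>logcfg.inf
REM Security log
echo [Security Log] >>logcfg.inf
echo MaximumLogSize=196608 >>logcfg.inf
echo AuditLogRetentionPeriod=0 >>logcfg.inf
echo RestrictGuestAccess=1 >>logcfg.inf
REM Application log. BUG FIX: in the original the REM comment was placed after the
REM redirection on the same line, so the text "REM ..." was echoed into the template and
REM the [Application Log] section header was malformed; the comment now has its own line.
echo [Application Log] >>logcfg.inf
echo MaximumLogSize=32768 >>logcfg.inf
echo AuditLogRetentionPeriod=0 >>logcfg.inf
echo RestrictGuestAccess=1 >>logcfg.inf
secedit /configure /db logcfg.sdb /cfg logcfg.inf /log logcfg.log /quiet
REM Keep the log when secedit reports failure; the original deleted it unconditionally.
if errorlevel 1 (
    echo secedit failed to apply the event log settings; details kept in logcfg_failed.log
    copy /y logcfg.log logcfg_failed.log >nul
)
del logcfg.*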
 
REM Disable AutoRun / AutoPlay.
REM NoDriveTypeAutoRun=255 (0xFF) under the machine Policies key disables AutoRun for
REM every drive type and applies to all users -- this is the setting that matters on a server.
REM The HKCU DisableAutoplay value only affects the profile of the account running this
REM script (normally the administrator doing the build), not other users of the machine.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f

@Rem Interactive logon: do not display the last signed-in user name on the logon screen
echo **** 配置登錄屏幕上不要顯示上次登錄的用戶名
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f
 
:: Remove the default administrative shares and stop the Server (SMB) service.
:: NOTE(review): stopping lanmanserver and setting it to manual start disables ALL SMB
:: file sharing on this host, including the ADMIN$/IPC$ shares that remote administration
:: tooling relies on, until the service is started again. Only use this on hosts that
:: do not serve files. Add or remove drive letters (d$, e$ ...) below to match the machine.
@prompt # 
REM Remove the shares that exist right now; the AutoShare* registry values in the next
REM section stop Windows from recreating them when the service next starts.
net share c$ /delete
net share admin$ /delete
REM Stop the dependents (Computer Browser, DFS) before the Server service itself, and
REM switch all three to manual start.
for %%s in (browser dfs lanmanserver) do (
    sc stop %%s
    sc config %%s start= demand
)
 
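REM Stop the administrative shares (C$, D$ ..., ADMIN$) from being recreated.
REM AutoShareServer governs server SKUs; AutoShareWks is the workstation equivalent and
REM is kept for parity with the original.
REM Written with reg add instead of a generated .reg file: the original appended to
REM share.reg in the current directory (so it merged with any file of that name already
REM there), and imported it with regedit /s, which gives no usable exit code and can be
REM blocked by the "Prevent access to registry editing tools" policy. reg add is what
REM the rest of this script already uses.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer /t REG_DWORD /d 0 /f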
 
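REM Restrict anonymous (null-session) access: no anonymous enumeration of SAM accounts
REM (RestrictAnonymousSAM=1) or of SAM accounts and shares (RestrictAnonymous=1).
REM Written with reg add instead of a generated .reg file imported by regedit /s; see the
REM AutoShare section for why (no exit code, can be blocked by policy, temp file in CWD).
REM EveryoneIncludesAnonymous is left at its default (0) and is not touched here.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f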
 
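@Rem Windows Update / WSUS client configuration.
@Rem WSUS_URL is a site-specific placeholder carried over from the original
@Rem (10.10.100.10); replace it before deploying.
@Rem NOTE(review): a plain-http WSUS URL lets an on-path attacker tamper with the
@Rem update metadata and push attacker-chosen payloads -- a known WSUS attack class.
@Rem Publish WSUS over TLS and use an https:// URL here wherever possible.
set "WSUS_URL=http://10.10.100.10"
echo **** 啟用並正確配置WSUS(自動下載並通知安裝)
::--Enable the "Configure Automatic Updates" policy. AUOptions=3 = auto download, notify to install.
::--ScheduledInstallDay (0 = every day) and ScheduledInstallTime (3 = 03:00) are only
::--consulted with AUOptions=4 (scheduled install); they are kept from the original but are inert with 3.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
::--Enable "Specify intranet Microsoft update service location" and point both the
::--update and the status/reporting server at WSUS_URL.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d "%WSUS_URL%" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d "%WSUS_URL%" /f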
 
 
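@Rem Remote Desktop: enable RDP and require Network Level Authentication (NLA).
@Rem NOTE(review): fDenyTSConnections=0 turns Remote Desktop ON -- it is not merely a
@Rem restriction, as the original comment suggested. Leave this section out on hosts that
@Rem should not accept RDP at all, and scope TCP/3389 in the firewall section to the
@Rem management network.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REM Require NLA (CredSSP authentication before a session is created)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
REM Added: require the TLS security layer (2 = SSL/TLS) and "High" encryption (3) so the
REM listener does not fall back to native RDP security when a client asks for it.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 3 /f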
 
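@Rem Windows Firewall: turn on all three profiles.
netsh advfirewall set allprofiles state on
REM Also set the live-store EnableFirewall flag per profile, as the original did for the
REM Standard (private) and Public profiles; Domain is added so a domain-joined server is
REM covered by the same check. These are the local firewall state keys (mirroring what
REM netsh just did), not the Group Policy keys under SOFTWARE\Policies.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 1 /f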
 
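@Rem Inbound firewall rules: ICMPv4 echo request and Remote Desktop (TCP/3389).
@Rem The original wrote rule strings directly into
@Rem ...\FirewallPolicy\FirewallRules. That registry format is undocumented, and the
@Rem rules carried no RemoteAddress, so RDP and ping were open to ANY source. netsh is the
@Rem supported interface and lets the rules be scoped. Set MGMT_NET to the management
@Rem subnet(s), e.g. "10.10.0.0/16,192.168.1.0/24"; "any" reproduces the original behavior.
set "MGMT_NET=any"
REM Echo request: a dedicated rule (enabling the built-in File and Printer Sharing group
REM would also open SMB). Delete first so re-running the script does not accumulate duplicates.
netsh advfirewall firewall delete rule name="Baseline: ICMPv4 Echo Request (In)" >nul 2>&1
netsh advfirewall firewall add rule name="Baseline: ICMPv4 Echo Request (In)" dir=in action=allow protocol=icmpv4:8,any remoteip=%MGMT_NET%
REM Remote Desktop: enable the built-in rule groups the original rules belonged to
REM (EmbedCtxt -28752 and -28852 in the original rule strings) and scope them to MGMT_NET.
REM If the second group does not exist on this build, netsh reports "No rules match" and
REM nothing else happens.
netsh advfirewall firewall set rule group="@FirewallAPI.dll,-28752" new enable=yes remoteip=%MGMT_NET%
netsh advfirewall firewall set rule group="@FirewallAPI.dll,-28852" new enable=yes remoteip=%MGMT_NET%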
 
::-------------上面為原基線配置END 
 
::-------------下面是新增部分
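REM Anonymous (null-session) access to shares: clear NullSessionShares.
REM The original first deleted the value through a generated .reg file and regedit /s, then
REM recreated it empty with reg add. The reg add alone yields the same end state (value
REM present and empty), so the temp file and regedit step are dropped -- regedit /s gives no
REM usable exit code and can be blocked by the registry-tools policy.
REM NullSessionPipes is the companion value for named pipes; the original did not manage
REM it, so it is left untouched here -- review it separately.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f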
 
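REM Remotely accessible registry paths: empty both AllowedExactPaths and AllowedPaths.
REM As in the null-session section, the regedit /s delete step of the original is redundant
REM with the reg add that follows it and has been dropped.
REM NOTE(review): with both lists empty, remote winreg access is limited to principals that
REM pass the winreg key ACL; remote tools that read these paths over the network (remote
REM Event Viewer, Performance Monitor, some monitoring agents) may stop working. Confirm
REM against your management tooling before deploying widely.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f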
 
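REM IP source routing: 2 = drop all incoming source-routed packets (highest protection).
REM Written with reg add instead of a generated .reg file imported by regedit /s (see the
REM AutoShare section for the reasons).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
REM Added: the IPv6 stack has the same knob and the original only covered IPv4.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f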
 
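REM Path MTU discovery. The original labelled this "fragmentation attack protection", but
REM EnablePMTUDiscovery=1 is the Windows default (discovery ON), so this line changes nothing
REM on a stock host. Older hardening guides set it to 0 to pin the MTU at 576 bytes; that
REM costs throughput and is not part of current Server 2016 baselines, so 1 is kept.
REM Written with reg add instead of a generated .reg file imported by regedit /s.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f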
 
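REM TCP/IP hardening.
REM BUG FIX: the original wrote these values directly under
REM HKLM\SYSTEM\CurrentControlSet\Services instead of Services\Tcpip\Parameters, so none
REM of them took effect. Also, .reg "dword:" literals are hexadecimal (dword:500 = 1280,
REM dword:400 = 1024); the decimal values below assume the author meant 500 and 400.
REM NOTE(review): SynAttackProtect / TcpMaxPortsExhausted / TcpMaxHalfOpen /
REM TcpMaxHalfOpenRetried are Server 2003-era knobs; the TCP/IP stack in Vista and later is
REM documented as not reading them (SYN flood protection is always on). They are kept for
REM parity and are harmless. EnableICMPRedirect=0 is still honored and is the setting here
REM that matters: it stops ICMP redirects from rewriting the host's route table.
@prompt #
set "TCPIP=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
reg add "%TCPIP%" /v SynAttackProtect /t REG_DWORD /d 2 /f
reg add "%TCPIP%" /v TcpMaxPortsExhausted /t REG_DWORD /d 5 /f
reg add "%TCPIP%" /v TcpMaxHalfOpen /t REG_DWORD /d 500 /f
reg add "%TCPIP%" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 400 /f
REM Ignore ICMP redirects
reg add "%TCPIP%" /v EnableICMPRedirect /t REG_DWORD /d 0 /f

echo ">>更改完成 任意鍵退出!!!"
pause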

 將上述代碼另存為 xxx.bat(以系統 ANSI 代碎頁儲存,避免中文註解在 cmd 下被誤解),並以系統管理員身分在「提升權限」的命令提示字元中執行。執行前請先替換腳本中的 WSUS 地址(10.10.100.10)等佔位值,並先在非生產主機上驗證:腳本會停止 Server(lanmanserver)服務、將「本機登入」限制為僅 Administrators,可能影響檔案共享與一般使用者登入。





 