Windows Server 2016 安全基线设置脚本

:: Account security: password and lockout policy applied through secedit
@prompt #
REM The template below sets, in the [System Access] section:
REM   MinimumPasswordLength=10   minimum password length of 10 characters
REM   PasswordComplexity=1       password complexity requirement enabled
REM   MaximumPasswordAge=120     passwords expire after 120 days
REM   EnableGuestAccount=0       Guest account disabled
REM   LockoutBadCount=6          account lockout threshold of 6 bad attempts
REM NOTE(review): no lockout duration or reset window is set here, so
REM whatever the machine already has for those stays in effect - confirm.
(
  echo [version]
  echo signature="$CHICAGO$"
  echo [System Access]
  echo MinimumPasswordLength=10
  echo PasswordComplexity=1
  echo MaximumPasswordAge=120
  echo EnableGuestAccount=0
  echo LockoutBadCount=6
) >account.inf
secedit /configure /db account.sdb /cfg account.inf /log account.log /quiet
REM The wildcard removes the template, the database and the secedit log,
REM so a failed /configure leaves no record behind.
del account.*
  
:: User rights assignment applied through secedit
@prompt #
REM The template below grants, in [Privilege Rights], each of these rights
REM to the Administrators group only:
REM   seremoteshutdownprivilege   force shutdown from a remote system
REM   seshutdownprivilege         shut down the system
REM   setakeownershipprivilege    take ownership of files or other objects
REM   seinteractivelogonright     log on locally
REM NOTE(review): the group is given by display name; secedit templates also
REM accept the *S-1-5-32-544 SID form, which does not depend on the system
REM language - confirm the name resolves on localized installs.
(
  echo [version]
  echo signature="$CHICAGO$"
  echo [Privilege Rights]
  echo seremoteshutdownprivilege=Administrators
  echo seshutdownprivilege=Administrators
  echo setakeownershipprivilege=Administrators
  echo seinteractivelogonright=Administrators
) >rightscfg.inf
secedit /configure /db rightscfg.sdb /cfg rightscfg.inf /log rightscfg.log /quiet
REM Removes the template, the database and the secedit log.
del rightscfg.*
  
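:: Audit policy applied through secedit
@prompt #
REM Audit values: 1 = success, 2 = failure, 3 = success and failure.
echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM Audit system events
echo AuditSystemEvents=3 >>audit.inf
REM Audit object access
echo AuditObjectAccess=3 >>audit.inf
REM Audit privilege use
echo AuditPrivilegeUse=3 >>audit.inf
REM Audit policy change
echo AuditPolicyChange=3 >>audit.inf
REM Audit account management
echo AuditAccountManage=3 >>audit.inf
REM Audit process tracking; 2 records failures only, unlike the other entries
echo AuditProcessTracking=2 >>audit.inf
REM Audit directory service access
echo AuditDSAccess=3 >>audit.inf
REM Audit logon events
echo AuditLogonEvents=3 >>audit.inf
REM Audit account logon events
echo AuditAccountLogon=3 >>audit.inf
REM The original appended a bare "AuditLog" line here. It has no value and is
REM not an [Event Audit] setting, so it is no longer written to the template.
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
REM Removes the template, the database and the secedit log.
del audit.*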
  
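:: Event log size, retention and guest access, applied through secedit
@prompt #
echo [version] >logcfg.inf
echo signature="$CHICAGO$" >>logcfg.inf
REM System log
echo [System Log] >>logcfg.inf
REM Maximum system log size: 8192 KB
echo MaximumLogSize=8192 >>logcfg.inf
REM Overwrite events as needed once the maximum size is reached
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM Deny Guest access to the system log
echo RestrictGuestAccess=1 >>logcfg.inf
REM Security log
echo [Security Log] >>logcfg.inf
REM Maximum security log size: 8192 KB
echo MaximumLogSize=8192 >>logcfg.inf
REM Overwrite events as needed once the maximum size is reached
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM Deny Guest access to the security log
echo RestrictGuestAccess=1 >>logcfg.inf
REM Application log. The comment must sit on its own line: text following a
REM redirection on an echo line is still echoed, which previously wrote the
REM trailing "REM ..." text into the section header and corrupted it.
echo [Application Log] >>logcfg.inf
REM Maximum application log size: 8192 KB
echo MaximumLogSize=8192 >>logcfg.inf
REM Overwrite events as needed once the maximum size is reached
echo AuditLogRetentionPeriod=0 >>logcfg.inf
REM Deny Guest access to the application log
echo RestrictGuestAccess=1 >>logcfg.inf
secedit /configure /db logcfg.sdb /cfg logcfg.inf /log logcfg.log
REM Removes the template, the database and the secedit log.
del logcfg.*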
  
REM Turn off AutoPlay and AutoRun.
REM The first value lives under HKCU, so it only affects the account that
REM runs this script; the second is machine-wide. 255 (0xFF) covers every
REM drive type.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
  
@REM Enable the "do not display last user name" policy so the logon screen
@REM does not reveal the previously signed-in account.
echo **** 配置登录屏幕上不要显示上次登录的用户名
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f
  
:: Remove the default administrative shares; add or drop drive letters to
:: match the machine.
@prompt #
REM Delete the default shares that currently exist.
net share c$ /delete
net share admin$ /delete
REM Stop the browser, dfs and lanmanserver services, then switch each one to
REM manual (demand) start. Stopping lanmanserver ends all file and printer
REM sharing served by this host.
for %%S in (browser dfs lanmanserver) do sc stop %%S
for %%S in (browser dfs lanmanserver) do sc config %%S start= demand
  
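REM Stop the Server service from re-creating the administrative shares at
REM start-up (AutoShareWks / AutoShareServer = 0).
REM Written directly with reg add instead of a temporary share.reg: the old
REM code appended to that file with ">>", so a share.reg already present in
REM the working directory was either imported with this script's privileges
REM or pushed the header off the first line and made the silent import fail
REM unnoticed.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer /t REG_DWORD /d 0 /f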
  
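REM Restrict IPC$ use: forbid anonymous enumeration of SAM accounts and
REM shares (RestrictAnonymous / restrictanonymoussam = 1).
REM Written directly with reg add instead of a temporary ipc.reg: the old
REM code appended to that file with ">>", so a pre-existing ipc.reg in the
REM working directory could be imported or could make the silent import fail
REM unnoticed.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymoussam /t REG_DWORD /d 1 /f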
  
@REM Enable Windows Update through WSUS; replace the server address below
@REM with the site's own WSUS server.
echo **** 启用并正确配置WSUS(自动下载并通知安装)
::-- "Configure Automatic Updates" policy group: AUOptions 3 downloads
::-- automatically and notifies before install; NoAutoUpdate 0 keeps
::-- automatic updating on; schedule is day 0, hour 3.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
::-- "Specify intranet Microsoft update service location" policy group.
::-- NOTE(review): both URLs are plain http, so update metadata travels
::-- unauthenticated and unencrypted between client and WSUS; prefer an
::-- https WSUS endpoint where the server supports it.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d http://10.10.100.10 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d http://10.10.100.10 /f
  
  
@REM Accept Remote Desktop connections only from clients that use Network
@REM Level Authentication (UserAuthentication = 1).
@REM NOTE(review): fDenyTSConnections = 0 switches Remote Desktop ON, also on
@REM hosts where it was previously disabled - confirm that is wanted before
@REM running this on servers that do not need RDP.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
  
@REM Turn Windows Firewall on for every profile, then set the EnableFirewall
@REM flag of the standard and public profiles in the registry as well.
netsh advfirewall set allprofiles state on
reg add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
  
@REM Enable the inbound rules "Echo Request - ICMPv4-In" and "Remote Desktop
@REM Services" by writing their rule strings into the firewall policy store.
@REM NOTE(review): the rule strings carry no remote-address field, so they
@REM presumably admit ICMP echo and TCP 3389 from any source; restrict the
@REM scope to management networks where possible. Rules written straight
@REM into the registry may also need a firewall service reload before they
@REM apply - confirm.
reg add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v FPS-ICMP4-ERQ-In /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|Name=@FirewallAPI.dll,-28753|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-UserMode-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28853|Desc=@FirewallAPI.dll,-28856|EmbedCtxt=@FirewallAPI.dll,-28852|" /f
  
::-------------上面为原基线配置END
  
::-------------下面是新增部分
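REM Disable anonymous (null-session) access to shares by emptying the
REM NullSessionShares list.
REM reg add /f replaces the value whether or not it exists, so the earlier
REM delete through a temporary nss.reg was redundant; dropping it also stops
REM the script from appending to, and importing, a pre-existing nss.reg in
REM the working directory.
REM NOTE(review): the original heading also mentions named pipes, but only
REM the share list is cleared here; the named-pipe list is left as it is.
REM Confirm whether it should be reviewed too, bearing in mind that domain
REM controllers rely on some entries.
reg add "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f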
  
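REM Empty the lists of registry paths and sub-paths that are reachable
REM through remote registry access.
REM reg add /f replaces each value whether or not it exists, so the earlier
REM delete through a temporary aep.reg was redundant; dropping it also stops
REM the script from appending to, and importing, a pre-existing aep.reg in
REM the working directory.
REM NOTE(review): an empty list may break tools that read these paths
REM remotely - verify against the management and monitoring software in use.
reg add "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f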
  
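REM Source-routing spoofing protection: DisableIPSourceRouting = 2 drops
REM source-routed IPv4 packets.
REM Written directly with reg add instead of a temporary route.reg: the old
REM code appended to that file with ">>", so a pre-existing route.reg in the
REM working directory could be imported or could make the silent import fail
REM unnoticed.
reg add "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f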
  
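REM Fragmentation attack protection (as labelled by the original script):
REM sets EnablePMTUDiscovery = 1.
REM NOTE(review): 1 leaves path-MTU discovery enabled; older TCP/IP
REM hardening guidance used 0 for this value - confirm which one the
REM baseline intends.
REM Written directly with reg add instead of a temporary sp.reg: the old
REM code appended to that file with ">>", so a pre-existing sp.reg in the
REM working directory could be imported or could make the silent import fail
REM unnoticed.
reg add "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f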
  
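REM SYN-flood protection and ICMP redirect handling.
REM Two defects of the original .reg import are corrected here:
REM  1. The values were written to the bare ...\Services key, where the
REM     TCP/IP stack does not read them; they belong under
REM     Services\Tcpip\Parameters.
REM  2. "dword:500" and "dword:400" in a .reg file are hexadecimal (1280 and
REM     1024). reg add /d takes decimal, which is presumably what was meant.
REM Using reg add also removes the temporary SynAttack.reg, which the old
REM code appended to with ">>" and then imported silently.
REM NOTE(review): confirm the SYN-related values are still honoured by the
REM Windows Server 2016 TCP/IP stack; on recent Windows versions they may be
REM ignored.
@prompt #
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen /t REG_DWORD /d 500 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 400 /f
REM Ignore ICMP redirects so a remote host cannot rewrite local routes.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f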
  
REM Report completion, then hold the console open until a key is pressed so
REM the output of the preceding commands can be read.
echo ">>更改完成 任意键退出!!!"
pause

 将上述代码复制到 xxx.bat 文件中，以管理员身份运行即可。

posted @   AdairHpn  阅读(1964)  评论(0编辑  收藏  举报