windows server 2016安全基线设置脚本
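@echo off
setlocal
:: ============================================================================
:: Windows Server 2016 security baseline (batch).
::
:: Requirements / caveats:
::   * Run from an ELEVATED command prompt; every step below (secedit, reg,
::     sc, netsh) needs administrator rights.
::   * Several steps are intrusive and must be reviewed per host: local logon
::     is restricted to Administrators, the Server (lanmanserver) service is
::     stopped and set to manual start, admin shares are removed, and Remote
::     Desktop is switched ON and opened in the firewall. Do not run this
::     unchanged on a domain controller, file server or any host that is
::     managed over SMB/WMI. Test on a non-production machine first.
::   * Save the file in the console's ANSI code page (GBK on Chinese Windows)
::     so the echoed messages are not garbled.
:: ============================================================================

:: ---- tunables: edit before running -----------------------------------------
:: Intranet WSUS server (WUServer / WUStatusServer).
:: NOTE(review): a plain-http WSUS URL lets an on-path attacker hand the host
:: forged updates; prefer https:// with a certificate the host trusts.
set "WSUS_URL=http://10.10.100.10"
:: Maximum size in KB for the System / Security / Application event logs.
:: NOTE(review): 8192 KB is very small for the Security log; CIS suggests
:: >= 196608 KB for Security and >= 32768 KB for the other two.
set "LOG_MAX_KB=8192"
:: Account lockout duration and lockout-counter reset window, in minutes.
set "LOCKOUT_MINUTES=30"
:: Drive letters whose default administrative shares (X$) are removed.
set "DRIVES=C"

:: ---- elevation check -------------------------------------------------------
:: fltmc needs admin rights and, unlike "net session", does not depend on the
:: Server service (which this script stops further down).
fltmc >nul 2>&1
if errorlevel 1 (
    echo [ERROR] This script must be run from an elevated ^(Administrator^) prompt.
    exit /b 1
)

:: ---- account policy --------------------------------------------------------
:: Written as a secedit template and applied by :apply_template at the bottom.
:: "$CHICAGO$" is the signature secedit expects in a policy template.
> account.inf  echo [version]
>>account.inf echo signature="$CHICAGO$"
>>account.inf echo Revision=1
>>account.inf echo [System Access]
REM Minimum password length: 10 characters
>>account.inf echo MinimumPasswordLength=10
REM Password must meet complexity requirements
>>account.inf echo PasswordComplexity=1
REM Maximum password age: 120 days
>>account.inf echo MaximumPasswordAge=120
REM History + minimum age keep users from cycling straight back to the old
REM password when it expires (without these, MaximumPasswordAge is bypassable)
>>account.inf echo MinimumPasswordAge=1
>>account.inf echo PasswordHistorySize=24
REM Guest account disabled
>>account.inf echo EnableGuestAccount=0
REM Lock out after 6 failed logons; duration and reset window are set
REM explicitly so the result does not depend on the host's previous values
>>account.inf echo LockoutBadCount=6
>>account.inf echo LockoutDuration=%LOCKOUT_MINUTES%
>>account.inf echo ResetLockoutCount=%LOCKOUT_MINUTES%
call :apply_template account

:: ---- user rights assignment ------------------------------------------------
:: Groups are given as SIDs (*S-1-5-32-544 = BUILTIN\Administrators) so the
:: template applies on any OS language, where the group's display name differs.
> rightscfg.inf  echo [version]
>>rightscfg.inf echo signature="$CHICAGO$"
>>rightscfg.inf echo Revision=1
>>rightscfg.inf echo [Privilege Rights]
REM Force shutdown from a remote system: Administrators only
>>rightscfg.inf echo SeRemoteShutdownPrivilege = *S-1-5-32-544
REM Shut down the system: Administrators only
>>rightscfg.inf echo SeShutdownPrivilege = *S-1-5-32-544
REM Take ownership of files or other objects: Administrators only
>>rightscfg.inf echo SeTakeOwnershipPrivilege = *S-1-5-32-544
REM Allow log on locally: Administrators only.
REM NOTE(review): this strips the right from Users and Backup Operators (and,
REM on a domain controller, from the operator groups). Widen if needed.
>>rightscfg.inf echo SeInteractiveLogonRight = *S-1-5-32-544
call :apply_template rightscfg

:: ---- audit policy (legacy categories) --------------------------------------
:: Values: 3 = success and failure, 2 = failure only.
:: NOTE(review): on Server 2016 these category settings are ignored once
:: Advanced Audit Policy subcategories are configured (auditpol / GPO);
:: confirm the effective policy with "auditpol /get /category:*".
> audit.inf  echo [version]
>>audit.inf echo signature="$CHICAGO$"
>>audit.inf echo Revision=1
>>audit.inf echo [Event Audit]
>>audit.inf echo AuditSystemEvents=3
>>audit.inf echo AuditObjectAccess=3
>>audit.inf echo AuditPrivilegeUse=3
>>audit.inf echo AuditPolicyChange=3
>>audit.inf echo AuditAccountManage=3
REM Process tracking: failure only, as in the original baseline
>>audit.inf echo AuditProcessTracking=2
>>audit.inf echo AuditDSAccess=3
>>audit.inf echo AuditLogonEvents=3
>>audit.inf echo AuditAccountLogon=3
call :apply_template audit

:: ---- event log settings ----------------------------------------------------
:: For each log: maximum size, overwrite-as-needed retention (0), Guest denied.
> logcfg.inf  echo [version]
>>logcfg.inf echo signature="$CHICAGO$"
>>logcfg.inf echo Revision=1
for %%L in ("System Log" "Security Log" "Application Log") do (
    >>logcfg.inf echo [%%~L]
    >>logcfg.inf echo MaximumLogSize=%LOG_MAX_KB%
    >>logcfg.inf echo AuditLogRetentionPeriod=0
    >>logcfg.inf echo RestrictGuestAccess=1
)
call :apply_template logcfg

:: ---- AutoPlay / AutoRun ----------------------------------------------------
REM The HKCU value only affects the account running this script; the HKLM
REM policy value (255 = all drive types) is the one that applies machine-wide.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

:: ---- logon screen: do not show the last signed-in user ---------------------
echo **** 配置登录屏幕上不要显示上次登录的用户名
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

:: ---- default shares and SMB server -----------------------------------------
REM Remove the administrative shares for the drives in DRIVES, plus ADMIN$.
for %%D in (%DRIVES%) do net share %%D$ /delete
net share admin$ /delete
REM Stop Computer Browser, DFS and the Server service and make them manual-start.
REM NOTE(review): with lanmanserver on manual start this host no longer serves
REM SMB at all (no file shares, no remote admin through ADMIN$). Skip this on
REM file servers and domain controllers.
sc stop browser
sc stop dfs
sc stop lanmanserver
sc config browser start= demand
sc config dfs start= demand
sc config lanmanserver start= demand
REM Keep the admin shares from being recreated when the Server service starts.
REM (Written with reg add instead of a generated .reg file: no temp file, and
REM no dependence on regedit's .reg parsing.)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer /t REG_DWORD /d 0 /f

:: ---- anonymous (null-session) access ---------------------------------------
REM No anonymous enumeration of SAM accounts and shares.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
REM No shares reachable over a null session: value cleared, then set empty.
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /f >nul 2>&1
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f
REM No remotely accessible registry paths (both lists emptied).
REM NOTE(review): this also breaks tools that read the registry remotely
REM (remote Event Viewer, Performance Monitor, some monitoring agents); CIS
REM lists a small set of allowed paths rather than none. Adjust if such
REM tools are used against this host.
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /f >nul 2>&1
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /f >nul 2>&1
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f

:: ---- Windows Update via WSUS -----------------------------------------------
echo **** 启用并正确配置WSUS(自动下载并通知安装)
REM AUOptions 3 = auto download and notify for install.
set "WU_AU=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
reg add "%WU_AU%" /v AUOptions /t REG_DWORD /d 3 /f
reg add "%WU_AU%" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%WU_AU%" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%WU_AU%" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
REM Point the client at the intranet WSUS server from WSUS_URL. (The original
REM wrote "http: //10.10.100.10" with a space, which reg add rejects.)
reg add "%WU_AU%" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d "%WSUS_URL%" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d "%WSUS_URL%" /f

:: ---- Remote Desktop --------------------------------------------------------
REM fDenyTSConnections=0 ENABLES Remote Desktop; UserAuthentication=1 requires
REM Network Level Authentication; SecurityLayer=2 requires TLS for the session.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f

:: ---- Windows Firewall ------------------------------------------------------
netsh advfirewall set allprofiles state on
for %%P in (DomainProfile StandardProfile PublicProfile) do reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\%%P" /v EnableFirewall /t REG_DWORD /d 1 /f
REM Inbound rules: ICMPv4 echo request and Remote Desktop (TCP 3389). Rules
REM are written to the policy key by internal name, so they do not depend on
REM the localized display names netsh would need.
REM NOTE(review): as written the RDP rules accept 3389 from any address on
REM every profile; scope them to the admin network (e.g. add "RA4=10.0.0.0/8"
REM to the rule string) before exposing the host.
set "FW_RULES=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
reg add "%FW_RULES%" /v FPS-ICMP4-ERQ-In /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|" /f
reg add "%FW_RULES%" /v RemoteDesktop-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|Name=@FirewallAPI.dll,-28753|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|" /f
reg add "%FW_RULES%" /v RemoteDesktop-UserMode-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28853|Desc=@FirewallAPI.dll,-28856|EmbedCtxt=@FirewallAPI.dll,-28852|" /f

:: ---- TCP/IP hardening ------------------------------------------------------
set "TCPIP=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters"
set "TCPIP6=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip6\Parameters"
REM Drop source-routed packets (2 = drop all), for IPv4 and IPv6.
reg add "%TCPIP%" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
reg add "%TCPIP6%" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
REM Path MTU discovery (1 = enabled, which is also the Windows default; the
REM original baseline labels this "fragment attack protection").
reg add "%TCPIP%" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f
REM Do not honour ICMP redirects (CIS "MSS: EnableICMPRedirect").
reg add "%TCPIP%" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
REM SYN-flood values. The original wrote these (and EnableICMPRedirect) under
REM ...\Services itself, where nothing reads them; Tcpip\Parameters is the
REM documented location.
REM NOTE(review): SynAttackProtect/TcpMax* belong to the pre-Vista stack and
REM are documented as no longer honoured; kept only for parity with the
REM original baseline and can be dropped.
reg add "%TCPIP%" /v SynAttackProtect /t REG_DWORD /d 2 /f
reg add "%TCPIP%" /v TcpMaxPortsExhausted /t REG_DWORD /d 5 /f
reg add "%TCPIP%" /v TcpMaxHalfOpen /t REG_DWORD /d 500 /f
reg add "%TCPIP%" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 400 /f

echo ">>更改完成 任意键退出!!!"
pause
endlocal
exit /b 0

:apply_template
REM Apply %1.inf with secedit, then remove the template, database and log.
REM The secedit log is kept only when secedit reports failure, so a rejected
REM template is not silently discarded the way the original "del name.*" did.
secedit /configure /db "%~1.sdb" /cfg "%~1.inf" /log "%~1.log" /quiet
if errorlevel 1 (
    echo [WARN] secedit failed for %~1.inf - see %~1.log
) else (
    del /q "%~1.log"
)
del /q "%~1.inf" "%~1.sdb" "%~1.jfm" 2>nul
exit /b 0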
将上述代码保存为 xxx.bat(使用系统 ANSI/GBK 编码),先根据实际环境修改 WSUS 地址、盘符等参数,然后在“以管理员身份运行”的命令提示符中执行即可。脚本会限制本地登录、停止 Server 服务并删除默认共享,请先在非生产环境验证,不要直接在域控制器或文件服务器上运行。