windows安全加固

背景

为满足等保要求,需要对 Windows 做安全加固;为方便快捷,用 bat 脚本完成。

适用

适用于windows server 2008 和windows server 2012,其他版本还没试过,有待调试。

脚本

win_security_hardening.bat:

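@Rem 2020.04.26 windows安全加固V1
@Rem 2020.07.30 windows安全加固V2
@Rem
@Rem Windows Server 2008 / 2012 hardening script.
@Rem Builds a security template (win.inf) next to the script, applies it with
@Rem secedit, sets a number of registry values, stops and disables services,
@Rem and assigns an IPsec policy that blocks inbound NetBIOS / SMB / RPC.
@Rem Must be run from an elevated prompt. Some settings only take effect after
@Rem a reboot, and the screen-saver keys apply to the running user only.

@echo off
title Windows 安全加固脚本

@Rem Everything below writes HKLM and runs secedit / sc / netsh, so it needs
@Rem elevation. fltmc is used as the probe rather than "net session" because
@Rem "net session" depends on the Server service, which this script disables.
fltmc >nul 2>&1 || (
  echo **** 请以管理员身份运行本脚本
  pause
  exit /b 1
)

@Rem "Run as administrator" starts with the working directory set to System32;
@Rem work next to the script so win.inf / win.sdb / win.log land in a known,
@Rem writable place instead of the system directory.
pushd "%~dp0" || exit /b 1

@Rem Start the security template that secedit applies at the end.
echo [Unicode]>win.inf
echo Unicode=yes>>win.inf
echo [System Access]>>win.inf


@Rem --- Password policy, [System Access] section ---

@Rem Minimum password length: 8 characters.
echo **** 配置密码长度最小值为8
echo MinimumPasswordLength = 8 >>win.inf
echo=

@Rem Password complexity requirements on.
echo **** 启用密码复杂度策略
echo PasswordComplexity = 1 >>win.inf
echo=

@Rem Enforce password history: the last 5 passwords cannot be reused.
echo **** 记住5次已使用的密码
echo PasswordHistorySize = 5 >>win.inf
echo=

@Rem Maximum password age in days. The value is 90; the message now matches it.
echo **** 设置90天更改密码(可选)
echo MaximumPasswordAge = 90 >>win.inf
echo=

@Rem Minimum password age in days.
echo **** 设置1天更改密码(可选)
echo MinimumPasswordAge = 1 >>win.inf
echo=


@Rem --- Account lockout policy ---

@Rem Lockout duration in minutes.
echo **** 设置帐户锁定时间为15分钟
echo LockoutDuration = 15 >>win.inf
echo=

@Rem Lockout threshold: 5 failed logons.
echo **** 配置帐户锁定阈值为5次
echo LockoutBadCount = 5 >>win.inf
echo=

@Rem Reset window in minutes. Windows expects this to be no larger than
@Rem LockoutDuration; both are 15 here. The message used to say 5.
echo **** 15分钟后重置帐户锁定计数器
echo ResetLockoutCount = 15 >>win.inf
echo=


@Rem TODO: force logoff when logon hours expire.

@Rem TODO: disconnect idle remote sessions after a timeout.


@Rem Warn users 30 days (0x1e) before their password expires.
echo **** 配置在密码过期前30天提示更改密码
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning /t REG_DWORD /d 0x0000001e /f
echo=

@Rem disablecad = 0 keeps the Ctrl+Alt+Del secure attention sequence required.
echo **** “交互式登录: 无须(不需要)按 Ctrl+Alt+Del”,配置为“已禁用(停用)”
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System" /v disablecad /t REG_DWORD /d 0x00000000 /f
echo=


@Rem Empty the lists of shares and named pipes reachable over a null session.
@Rem "reg add" with no /d writes an empty REG_MULTI_SZ. Note that the Server
@Rem service these keys belong to is disabled further down.
echo **** 将“网络访问: 可匿名访问的共享”、“网络访问: 可匿名访问的命名管道”,配置为空
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /f
echo=


@Rem Remote registry access is closed by disabling the RemoteRegistry service
@Rem in the services section below.


@Rem Disable the built-in Guest account.
echo **** 禁用Guest用户
echo EnableGuestAccount = 0 >>win.inf
echo=


@Rem Renaming the built-in Administrator is left disabled; enable deliberately,
@Rem since existing automation and documentation may reference the old name.
@Rem echo **** 更改管理员帐户名称为admin
@Rem echo NewAdministratorName = "admin" >>win.inf

@Rem Screen saver: 5 minutes (300 s), password on resume. These keys live under
@Rem HKEY_CURRENT_USER, so they only affect the account running this script.
echo **** 启用屏幕保护程序,等待时间为5分钟,并设置在恢复时需要密码保护
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\Windows\system32\scrnsave.scr /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 300 /f
echo=


@Rem TODO: clear the virtual-memory page file at shutdown.


@Rem Do not show the last logged-on user name on the logon screen.
echo **** 配置登录屏幕上不要显示上次登录的用户名
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 0x00000001 /f
echo=


@Rem Widen the ephemeral TCP port range and shorten TIME_WAIT (0xf = 15 s).
@Rem Not a hardening item; kept from the original for capacity reasons.
netsh int ipv4 set dynamicport tcp start=5000 numberofports=60000
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v MaxUserPort /t REG_DWORD /d 0x0000fffe /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v TcpTimedWaitDelay /t REG_DWORD /d 0x0000000f /f
echo=


@Rem --- Services ---
@Rem Stop and disable each service. Output is discarded on purpose: a service
@Rem that is already stopped or absent is not an error for this script.
@Rem The message lists the services actually handled below (the earlier text
@Rem named RasMan, which is left enabled).
echo **** 禁用以下服务:Server,Shell Hardware Detection,Print Spooler,Remote Registry

@Rem Remote Access Connection Manager is intentionally left alone.
@Rem wmic service where name="RasMan" call stopservice >nul 2>nul
@Rem sc config "RasMan" start= disabled >nul 2>nul

@Rem Server (LanmanServer): disabling it removes file sharing, including the
@Rem administrative shares, so remote tools that rely on SMB stop working.
wmic service where name="LanmanServer" call stopservice >nul 2>nul
sc config "LanmanServer" start= disabled >nul 2>nul

@Rem Shell Hardware Detection (autoplay).
wmic service where name="ShellHWDetection" call stopservice >nul 2>nul
sc config "ShellHWDetection" start= disabled >nul 2>nul

@Rem Print Spooler.
wmic service where name="Spooler" call stopservice >nul 2>nul
sc config "Spooler" start= disabled >nul 2>nul

@Rem Remote Registry.
wmic service where name="RemoteRegistry" call stopservice >nul 2>nul
sc config "RemoteRegistry" start= disabled >nul 2>nul


@Rem DHCP Client is left alone: hosts with a DHCP address lose connectivity,
@Rem and on Server 2012 Network Location Awareness depends on it.
@Rem wmic service where name="DHCP" call stopservice >nul 2>nul
@Rem sc config "DHCP" start= disabled >nul 2>nul

@Rem Turn off automatic logon.
echo **** 禁止Windows自动登录
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
echo=


@Rem Data Execution Prevention: OptIn = essential Windows programs and services.
echo **** 设置仅为基本Windows程序和服务启用DEP
@Rem Server 2008 and later:
bcdedit /set nx OptIn
@Rem Server 2003 used a boot.ini switch instead:
@Rem /noexecute=optin
echo=

@Rem --- Audit policy, [Event Audit] section; 3 = success and failure ---
echo [Event Audit]>>win.inf
echo **** 配置日志审核策略
@Rem System events
echo AuditSystemEvents = 3 >>win.inf
@Rem Logon events
echo AuditLogonEvents = 3 >>win.inf
@Rem Object access
echo AuditObjectAccess = 3 >>win.inf
@Rem Privilege use
echo AuditPrivilegeUse = 3 >>win.inf
@Rem Policy change
echo AuditPolicyChange = 3 >>win.inf
@Rem Account management
echo AuditAccountManage = 3 >>win.inf
@Rem Process tracking
echo AuditProcessTracking = 3 >>win.inf
@Rem Directory service access
echo AuditDSAccess = 3 >>win.inf
@Rem Account logon events
echo AuditAccountLogon = 3 >>win.inf
echo=

@Rem Event log sizing: 0x8000000 = 128 MiB per log, Retention 0 = overwrite
@Rem events as needed.
echo **** 正确配置Windows日志(当日志文件大于128M时按需覆盖事件)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x8000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x8000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x8000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x00000000 /f
echo=


@Rem Template trailer required by secedit.
echo [Version]>>win.inf
echo signature="$CHICAGO$">>win.inf
echo Revision=1 >>win.inf


@Rem Apply the template. win.log is kept for review; a non-zero exit is
@Rem reported so a failed apply is not mistaken for success once the
@Rem template is deleted below.
secedit /configure /db win.sdb /cfg win.inf  /log win.log
if errorlevel 1 echo **** secedit 应用失败,请查看 win.log

del win.inf /q
del win.sdb /q

@Rem --- IPsec policy: block inbound NetBIOS / SMB / RPC endpoint mapper ---
@Rem "del all" removes every local IPsec policy, filter list and action, which
@Rem is what keeps the "add" commands below idempotent on re-runs. Check for
@Rem existing policies before running this on a host that already has some.
netsh ipsec static del all 
@Rem Policy container
netsh ipsec static add policy name=deny_ports
@Rem Filter list: any source to this host (dstaddr=Me), inbound only, with no
@Rem exemption for management hosts. Blocking 135 and 445 also cuts off
@Rem RPC / SMB based remote administration of this machine.
netsh ipsec static add filterlist name=deny_ports
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=137 protocol=TCP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=137 protocol=UDP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=138 protocol=TCP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=138 protocol=UDP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=deny_ports srcaddr=Any dstaddr=Me dstport=445 protocol=UDP
@Rem Filter action: block.
netsh ipsec static add filteraction name=deny action=block
@Rem Bind list and action into the policy.
netsh ipsec static add rule name=rule1 policy=deny_ports filterlist=deny_ports filteraction=deny
@Rem Assign (activate) the policy.
netsh ipsec static set policy name=deny_ports assign=y 
@Rem Importing a previously exported policy is an alternative to the above.
@Rem netsh ipsec static import policy d:\ip.ipsec 
echo=
echo=
echo=
echo=
echo 【配置完成,部分配置重启系统后生效】
echo=
echo=
echo=
echo=
echo 按任意键退出
pause
@Rem The original ended with "goto exit", which has no matching label and
@Rem makes cmd report an error on the way out.
popd
exit /b 0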