Windows Server 2016 安全基線設定指令碼 (security-baseline hardening batch script)
阿新 • • 發佈:2020-08-18
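@echo off
setlocal
:: Windows Server 2016 security-baseline hardening script (cmd batch).
:: Applies local security policy through secedit templates, policy values
:: through reg.exe, restricts default shares/services, and opens two
:: firewall rules (ICMPv4 echo request, RDP). Run from an elevated cmd.exe
:: on the target host.
::
:: Review every value against your own baseline first: several settings
:: are deliberately disruptive (local logon limited to Administrators, the
:: Server service stopped, remote-registry paths emptied). The cosmetic
:: "@prompt #" lines of the original are dropped; they only changed the
:: interactive prompt.

:: ---------------------------------------------------------------------
:: Site-specific values - adjust before running.
:: ---------------------------------------------------------------------
:: WSUS server. The original used plain http://; prefer https:// with a
:: certificate the clients trust, otherwise an on-path attacker between
:: client and WSUS can tamper with update metadata.
set "WSUS_URL=http://10.10.100.10"
:: Remote addresses allowed to reach RDP on TCP 3389. "any" reproduces the
:: original rule; a management subnet such as 10.10.0.0/16 is safer.
set "RDP_ALLOWED_FROM=any"

:: ---------------------------------------------------------------------
:: Preconditions
:: ---------------------------------------------------------------------
:: Everything below needs administrative rights; with /quiet, secedit and
:: reg.exe would otherwise fail silently and leave the host half-applied.
:: fltmc is used instead of "net session" because the Server service,
:: which "net session" depends on, is stopped later in this script.
fltmc >nul 2>&1 || (
  echo [!] This script must be run from an elevated command prompt.
  exit /b 1
)

:: Private scratch directory for the secedit templates, databases and logs.
:: The original wrote *.inf/*.sdb into the current directory and cleaned up
:: with "del account.*", "del audit.*" etc., which also deletes any
:: unrelated file sharing that prefix and throws away the secedit log.
set "WORK=%TEMP%\win2016-baseline-%RANDOM%%RANDOM%"
mkdir "%WORK%" || (
  echo [!] Cannot create work directory "%WORK%".
  exit /b 1
)
set "FAILED="

:: ---------------------------------------------------------------------
:: 1. Account policy  (secedit [System Access])
:: ---------------------------------------------------------------------
:: Not covered by the original and still worth considering:
:: MinimumPasswordAge and PasswordHistorySize - without them a user can
:: cycle straight back to a previous password.
(
  echo [version]
  echo signature="$CHICAGO$"
  echo [System Access]
  REM Minimum password length: 8 characters
  echo MinimumPasswordLength=8
  REM Require password complexity
  echo PasswordComplexity=1
  REM Maximum password age: 180 days
  echo MaximumPasswordAge=180
  REM Disable the built-in Guest account
  echo EnableGuestAccount=0
  REM Lock out after 6 bad logons. Duration and reset window are set
  REM explicitly so the threshold has a defined effect; the original left
  REM them at whatever the host already had.
  echo LockoutBadCount=6
  echo LockoutDuration=30
  echo ResetLockoutCount=30
) >"%WORK%\account.inf"
call :apply_template account

:: ---------------------------------------------------------------------
:: 2. User rights assignment  (secedit [Privilege Rights])
:: ---------------------------------------------------------------------
:: CAVEAT: SeInteractiveLogonRight=Administrators removes "Allow log on
:: locally" from every other group, including Users and Backup Operators.
:: Extend the list if operators or service accounts need console logon.
(
  echo [version]
  echo signature="$CHICAGO$"
  echo [Privilege Rights]
  REM Force shutdown from a remote system: Administrators only
  echo SeRemoteShutdownPrivilege=Administrators
  REM Shut down the system: Administrators only
  echo SeShutdownPrivilege=Administrators
  REM Take ownership of files or other objects: Administrators only
  echo SeTakeOwnershipPrivilege=Administrators
  REM Allow log on locally: Administrators only
  echo SeInteractiveLogonRight=Administrators
) >"%WORK%\rightscfg.inf"
call :apply_template rightscfg

:: ---------------------------------------------------------------------
:: 3. Audit policy  (secedit [Event Audit]; 1=success 2=failure 3=both)
:: ---------------------------------------------------------------------
:: CAVEAT: these are the legacy nine audit categories. On Server 2016 the
:: advanced audit policy subcategories take precedence once "Force audit
:: policy subcategory settings" is enabled or any subcategory has been
:: configured; verify the effective policy afterwards with
:: "auditpol /get /category:*".
:: The original also emitted a bare "AuditLog" line, which is not a
:: key=value entry and is dropped here.
(
  echo [version]
  echo signature="$CHICAGO$"
  echo [Event Audit]
  echo AuditSystemEvents=3
  echo AuditObjectAccess=3
  echo AuditPrivilegeUse=3
  echo AuditPolicyChange=3
  echo AuditAccountManage=3
  REM Process tracking was 2 = failure only, which records no process
  REM creation events; audit success as well.
  echo AuditProcessTracking=3
  echo AuditDSAccess=3
  echo AuditLogonEvents=3
  echo AuditAccountLogon=3
) >"%WORK%\audit.inf"
call :apply_template audit

:: ---------------------------------------------------------------------
:: 4. Event log settings  (secedit [System Log] / [Security Log] /
::    [Application Log])
:: ---------------------------------------------------------------------
:: 8192 KB is the original's value and is small for a Security log on a
:: host that now audits success and failure in every category; it can wrap
:: quickly. Raise it, or forward the logs, if retention matters.
(
  echo [version]
  echo signature="$CHICAGO$"
  echo [System Log]
  echo MaximumLogSize=8192
  REM 0 = overwrite events as needed when the log is full
  echo AuditLogRetentionPeriod=0
  REM Do not let Guest read the log
  echo RestrictGuestAccess=1
  echo [Security Log]
  echo MaximumLogSize=8192
  echo AuditLogRetentionPeriod=0
  echo RestrictGuestAccess=1
  echo [Application Log]
  echo MaximumLogSize=8192
  echo AuditLogRetentionPeriod=0
  echo RestrictGuestAccess=1
) >"%WORK%\logcfg.inf"
call :apply_template logcfg

:: ---------------------------------------------------------------------
:: 5. Explorer / logon-screen policies
:: ---------------------------------------------------------------------
:: Disable AutoPlay. The HKCU value only affects the account running this
:: script; the HKLM policy value 255 (all drive types) covers every user.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
:: Do not show the last signed-in user name on the logon screen.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

:: ---------------------------------------------------------------------
:: 6. Administrative shares and SMB server
:: ---------------------------------------------------------------------
:: CAVEAT: stopping lanmanserver and setting it to demand-start disables
:: all SMB file sharing on this host, including ADMIN$/IPC$ used by remote
:: administration tools (remote event log, PsExec-style tools, some
:: backup/monitoring agents). "dfs" is the DFS Namespace service. Remove
:: these lines on file servers or DFS namespace servers.
:: Add or remove drive letters below to match the host.
net share c$ /delete
net share admin$ /delete
sc stop browser
sc stop dfs
sc stop lanmanserver
sc config browser start= demand
sc config dfs start= demand
sc config lanmanserver start= demand
:: Keep the default shares from being recreated when the Server service
:: starts ("net share /delete" alone lasts only until the next restart).
:: The original did this through temporary .reg files written with ">>",
:: which append to a stale file if one is left over; reg.exe is used
:: directly, as the rest of the script already does.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
:: Block anonymous enumeration of SAM accounts and shares.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f

:: ---------------------------------------------------------------------
:: 7. Windows Update via WSUS
:: ---------------------------------------------------------------------
:: AUOptions 3 = auto-download and notify to install; ScheduledInstallDay
:: 0 = every day; ScheduledInstallTime 3 = 03:00. Values are the original's.
set "AU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
reg add "%AU%" /v AUOptions /t REG_DWORD /d 3 /f
reg add "%AU%" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%AU%" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%AU%" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
:: Point the client at the intranet WSUS server (see WSUS_URL above).
reg add "%AU%" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d "%WSUS_URL%" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d "%WSUS_URL%" /f

:: ---------------------------------------------------------------------
:: 8. Remote Desktop, Network Level Authentication required
:: ---------------------------------------------------------------------
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f

:: ---------------------------------------------------------------------
:: 9. Windows Firewall
:: ---------------------------------------------------------------------
:: "set allprofiles state on" enables the Domain, Private and Public
:: profiles; it writes the same EnableFirewall values the original then
:: re-set by hand for two of the three profiles, so those lines are gone.
netsh advfirewall set allprofiles state on
:: The original wrote its inbound rules straight into the FirewallRules
:: registry key, and the copied rule strings are garbled - the
:: Name/Desc/EmbedCtxt fields read "[email protected]" - so they cannot be
:: reused as-is. netsh creates the same two allows, ICMPv4 echo request in
:: and TCP 3389 in, as well-formed rules. The delete keeps re-runs from
:: stacking duplicate rules.
netsh advfirewall firewall delete rule name="Baseline: ICMPv4 Echo Request In" >nul 2>&1
netsh advfirewall firewall add rule name="Baseline: ICMPv4 Echo Request In" dir=in action=allow protocol=icmpv4:8,any
netsh advfirewall firewall delete rule name="Baseline: Remote Desktop TCP 3389 In" >nul 2>&1
netsh advfirewall firewall add rule name="Baseline: Remote Desktop TCP 3389 In" dir=in action=allow protocol=TCP localport=3389 remoteip=%RDP_ALLOWED_FROM%

:: ---------------------------------------------------------------------
:: 10. Anonymous access to shares, and remote registry paths
:: ---------------------------------------------------------------------
:: Clear the list of shares reachable over a null session.
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /f >nul 2>&1
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f
:: Empty the remotely accessible registry paths.
:: CAVEAT: with both lists empty, remote tools that rely on these path
:: exceptions (remote Event Viewer / Services MMC, some monitoring agents)
:: may stop working; test against your management tooling.
set "WINREG=HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg"
reg delete "%WINREG%\AllowedExactPaths" /v Machine /f >nul 2>&1
reg delete "%WINREG%\AllowedPaths" /v Machine /f >nul 2>&1
reg add "%WINREG%\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "%WINREG%\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f

:: ---------------------------------------------------------------------
:: 11. TCP/IP stack hardening  (Services\Tcpip\Parameters)
:: ---------------------------------------------------------------------
set "TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
:: Drop all source-routed packets (2 = highest protection).
reg add "%TCPIP%" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
:: The original labelled this "fragment attack protection";
:: EnablePMTUDiscovery=1 is the stack default and only governs path-MTU
:: probing. Kept for fidelity, not as a mitigation.
reg add "%TCPIP%" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f
:: Ignore ICMP redirects so a neighbour cannot rewrite the route table.
reg add "%TCPIP%" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
:: SYN-flood tunables. The original wrote these, and EnableICMPRedirect,
:: under HKLM\SYSTEM\CurrentControlSet\Services itself, where nothing reads
:: them; the documented location is Tcpip\Parameters. SynAttackProtect and
:: the TcpMax* values date from the pre-Vista stack - SYN protection is
:: built into the Server 2016 stack and these are expected to be no-ops,
:: so treat them as harmless rather than as protection.
reg add "%TCPIP%" /v SynAttackProtect /t REG_DWORD /d 2 /f
reg add "%TCPIP%" /v TcpMaxPortsExhausted /t REG_DWORD /d 5 /f
reg add "%TCPIP%" /v TcpMaxHalfOpen /t REG_DWORD /d 500 /f
reg add "%TCPIP%" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 400 /f

:: ---------------------------------------------------------------------
:: Done
:: ---------------------------------------------------------------------
if defined FAILED (
  echo [!] One or more secedit templates failed; logs kept in "%WORK%".
) else (
  rmdir /s /q "%WORK%"
)
echo ">>更改完成 任意鍵退出!!!"
pause
endlocal
exit /b 0

:: apply_template NAME
::   Runs secedit /configure on %WORK%\NAME.inf with a fresh database and
::   removes the template and database afterwards. The .log is left in
::   %WORK% and FAILED is set on a non-zero exit; secedit does not always
::   set its exit code on partial failures, so the log stays authoritative.
:apply_template
secedit /configure /db "%WORK%\%~1.sdb" /cfg "%WORK%\%~1.inf" /log "%WORK%\%~1.log" /quiet
if errorlevel 1 (
  echo [!] secedit failed for %~1.inf - see "%WORK%\%~1.log"
  set "FAILED=1"
)
del /q "%WORK%\%~1.sdb" "%WORK%\%~1.inf" >nul 2>&1
exit /b 0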