这是一个针对Windows操作系统的安全加固脚本,旨在通过自动化配置,强化系统的安全性。该脚本涵盖了禁用不必要的账户和服务、配置强密码策略、加强审计日志记录、关闭不必要的共享和协议等一系列安全加固措施。通过执行此脚本,可以有效减少系统暴露的安全风险,提高防御能力,确保操作系统在面对潜在攻击时具备更强的抗压性和韧性。
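@echo off
title check and consolidate(v3.1)
setlocal EnableExtensions
rem ------------- Author -------------
rem Author: codeWu
rem Date: 2024-12-4 13:54
rem ------------- Script start ---------------
rem Local hardening for a standalone Windows host. Every step needs an
rem elevated prompt, so the script exits early when it is not elevated.
rem The earlier version applied several sections twice (SMBv1, firewall,
rem IPsec, audit, installer, AutoPlay, BitLocker, RDP, USB, updates) and
rem set maxpwage to 30 and then 60; each setting is now applied once so
rem the final state is unambiguous.
rem NOTE(review): some steps are disruptive or hard to undo (disabling the
rem Administrator account, BitLocker, stopping the print spooler, blocking
rem MSI installs). Read each section comment before running on a
rem production host; reboot afterwards for service and SCHANNEL changes.

rem --------------------A0 Elevation check--------------------
rem "net session" fails with "Access is denied" unless the shell is elevated.
net session >nul 2>&1
if errorlevel 1 (
  echo This script must be run from an elevated command prompt.
  exit /b 1
)

rem --------------------A1 Disable the built-in Administrator account--------------------
rem Never disable the account that is running the script: with no other
rem local administrator that removes all local admin access to the host.
if /i "%USERNAME%"=="Administrator" (
  echo Skipping Administrator disable: the script is running as Administrator.
  echo Create another local administrator account and rerun this step from it.
) else (
  echo Disabling Administrator account...
  net user Administrator /active:no
)

rem --------------------A2 Password and lockout policy--------------------
rem The old command also passed /passwordreq:yes, which is a "net user"
rem switch; "net accounts" rejects the unknown option and applies none of
rem the settings on that line. maxpwage was later overridden to 60, which
rem is kept as the effective value; minpwage must stay below maxpwage.
echo Enforcing strong password policy...
net accounts /minpwlen:12 /maxpwage:60 /minpwage:7 /uniquepw:5
echo Enforcing account lockout policy...
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem --------------------A3 Disable the Guest account--------------------
echo Disabling Guest account...
net user guest /active:no

rem --------------------A4 Password complexity--------------------
rem "secpol.msc /import" only opens the MMC console and imports nothing.
rem Password complexity is a Local Security Policy setting, so it is
rem applied with secedit from a minimal INF template. If the setting does
rem not take effect, check %windir%\security\logs\scesrv.log.
echo Enabling password complexity requirement...
set "PWINF=%TEMP%\pwcomplex.inf"
set "PWDB=%TEMP%\pwcomplex.sdb"
(
  echo [Unicode]
  echo Unicode=yes
  echo [System Access]
  echo PasswordComplexity = 1
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
) > "%PWINF%"
secedit /configure /db "%PWDB%" /cfg "%PWINF%" /areas SECURITYPOLICY /quiet
if errorlevel 1 echo WARNING: secedit failed; see %windir%\security\logs\scesrv.log
del /q "%PWINF%" "%PWDB%" 2>nul

rem --------------------A5 Disable unnecessary services--------------------
rem "net stop" lasts only until the next reboot; the services are also set
rem to disabled so they do not come back. These are service names, not
rem display names: Telnet is TlntSvr, the IIS FTP service is ftpsvc.
rem RemoteRegistry is handled here as well (old section A22).
rem Disabling Spooler removes local and network printing on this host.
echo Disabling unnecessary services...
for %%S in (TlntSvr ftpsvc Spooler RemoteRegistry) do (
  sc stop %%S >nul 2>&1
  sc config %%S start= disabled
)

rem --------------------A6 Disable SMBv1--------------------
rem Client side: remove mrxsmb10 from the workstation dependencies and
rem disable the driver. Server side: SMB1=0 under LanmanServer\Parameters.
rem The old "sc config lanmanserver depend= bowser/mrxsmb20/nsi" line
rem replaced the Server service's own dependencies with client-side
rem drivers and is not part of the documented procedure, so it is gone.
rem A reboot is required for this to take effect.
echo Disabling SMBv1...
sc config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc config mrxsmb10 start= disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f

rem --------------------A7 Windows Firewall--------------------
rem Firewall on for all profiles with inbound blocked by default. The old
rem A24 step re-enabled the "File and Printer Sharing" inbound rule group,
rem which reopens SMB from the network and contradicts both this section
rem and the admin-share removal below, so it is not repeated.
echo Enabling Windows firewall...
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles defaultinboundaction block
netsh advfirewall set allprofiles defaultoutboundaction allow

rem --------------------A8 IPsec (removed)--------------------
rem The old "netsh ipsec static add policy/rule" lines created a policy
rem that was never assigned and referenced a filter list ("allfilters")
rem and a filter action ("allow") that were never created, so no traffic
rem was protected; an allow/permit action would not encrypt in any case.
rem IPsec needs a designed policy (peers, authentication, negotiation
rem action) and should be configured deliberately, not from this script.

rem --------------------A9 Security audit logging--------------------
rem "Logon/Logoff" and "Account Logon" are categories, not subcategories,
rem so "auditpol /set /subcategory:" rejected them. Enabling the category
rem covers the Logoff and Special Logon subcategories the old script
rem listed separately. Category names are localized: on a non-English
rem Windows use the names printed by "auditpol /list /category".
echo Enabling security audit logging...
for %%C in ("Logon/Logoff" "Account Logon" "Account Management" "Policy Change") do (
  auditpol /set /category:%%C /success:enable /failure:enable
)

rem --------------------A10 Windows Installer--------------------
rem DisableMSI=2 blocks every MSI install, including those run by admins
rem and by MSI-based updaters; use 1 to block only non-managed installs.
echo Disabling Windows Installer Auto Run...
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f

rem --------------------A11 Disable AutoPlay--------------------
rem Written under HKLM so it applies to every user; the old HKCU value only
rem covered the administrator who ran the script.
echo Disabling AutoPlay...
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0x000000FF /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

rem --------------------A12 BitLocker--------------------
rem Requires a TPM (or a policy allowing other protectors). The recovery
rem password is printed to the console: record it somewhere off this
rem machine before rebooting, otherwise the volume may be unrecoverable.
echo Enabling BitLocker encryption...
manage-bde -on C: -RecoveryPassword
if errorlevel 1 echo WARNING: BitLocker was not enabled. Check "manage-bde -status C:" and the TPM state.

rem --------------------A13 Disable Remote Desktop--------------------
echo Disabling Remote Desktop...
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

rem --------------------A14 Disable USB storage--------------------
rem Start=4 disables the USBSTOR driver; existing USB disks stop mounting.
echo Disabling USB storage...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f

rem --------------------A15 Automatic updates--------------------
echo Enabling automatic updates...
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f

rem --------------------A16 Weak TLS protocols and ciphers--------------------
rem The old step set Disabled=1 on the "Microsoft RSA SChannel
rem Cryptographic Provider" CSP. That does not remove weak algorithms; it
rem disables a provider TLS itself relies on. Weak algorithms are turned
rem off per protocol and per cipher under SCHANNEL instead. TLS 1.0/1.1
rem are left enabled; disable them the same way once clients are verified.
echo Disabling weak encryption algorithms...
set "SCHANNEL=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
for %%P in ("SSL 2.0" "SSL 3.0") do for %%S in (Client Server) do (
  reg add "%SCHANNEL%\Protocols\%%~P\%%S" /v Enabled /t REG_DWORD /d 0 /f
  reg add "%SCHANNEL%\Protocols\%%~P\%%S" /v DisabledByDefault /t REG_DWORD /d 1 /f
)
for %%C in ("RC4 128/128" "RC4 56/128" "RC4 40/128" "DES 56/56" "NULL") do (
  reg add "%SCHANNEL%\Ciphers\%%~C" /v Enabled /t REG_DWORD /d 0 /f
)

rem --------------------A17 Administrative shares--------------------
rem "net share X /delete" lasts only until the Server service restarts;
rem the AutoShare* values stop the shares from being recreated. Some
rem management tooling depends on ADMIN$/C$; confirm before applying on
rem centrally managed hosts.
echo Disabling unnecessary shared folders...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
net share Admin$ /delete
net share C$ /delete

rem --------------------A18 EFS (removed)--------------------
rem "cipher /e C:\" marked only the drive root for EFS with the running
rem user's certificate; without a backed-up key that risks losing access
rem to files, and BitLocker (A12) already protects the volume at rest.

rem --------------------A19 Disable Windows Script Host--------------------
rem Blocks .vbs/.js execution through wscript/cscript for all users.
echo Disabling WScript execution...
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f

rem --------------------A20 Disable LLMNR--------------------
rem LLMNR answers name lookups from any host on the local segment; the
rem policy value turns multicast name resolution off.
echo Disabling LLMNR...
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f

rem --------------------A21 UAC--------------------
rem EnableLUA alone keeps UAC on; ConsentPromptBehaviorAdmin=2 with the
rem secure desktop makes administrators confirm each elevation on a
rem desktop other applications cannot draw over.
echo Enforcing User Account Control (UAC) settings...
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f

rem --------------------A22 Screen lock--------------------
rem InactivityTimeoutSecs is machine-wide and locks every user's session
rem after 600 s. The HKCU values under Control Panel\Desktop are REG_SZ
rem (the old script wrote REG_DWORD) and affect only the account running
rem this script; they are kept as a fallback for that account.
echo Enabling screen saver password protection...
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 600 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f

rem ------------- Script end ---------------
echo Security hardening complete! Reboot for the SMBv1, service and SCHANNEL changes to take effect.
endlocal
pause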