diff --git a/apps.json b/apps.json
index 76781ff..bd6fd8f 100644
--- a/apps.json
+++ b/apps.json
@@ -123,6 +123,10 @@
 "Type": "FileCopy",
 "Source": "./assets/hosts",
 "Destination": "$env:SystemRoot\\System32\\drivers\\etc\\hosts"
+},
+{
+"Type": "Command",
+"Command": "\"$PSScriptRoot\\config\\sys_config.bat\""
 }
 ]
 }
diff --git a/config/sys_config.bat b/config/sys_config.bat
new file mode 100644
index 0000000..f6bf89b
--- /dev/null
+++ b/config/sys_config.bat
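Review bot: The new Command entry runs config\sys_config.bat as just another app-list item next to a plain file copy, yet that script rewrites firewall rules, disables a dozen services and applies a local security policy through secedit, all of which need an elevated session. How main.ps1 executes a "Command" entry, whether it checks elevation, and whether it expands `$PSScriptRoot` inside the JSON string are outside this hunk; if it does none of these, the entry fails silently or applies only part of the changes. Consider making this entry an explicit opt-in (or having main.ps1 refuse to run Command entries when not elevated) and documenting in the README what the batch file changes, since several of those changes are not reversible by re-running the installer.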
@@ -0,0 +1,141 @@
+@echo off
+
+:: 关闭危险端口
+echo closing 135 port...
+netsh advfirewall firewall add rule name = "Disable port 135 - TCP" dir = in action = block protocol = TCP localport = 135
+netsh advfirewall firewall add rule name = "Disable port 135 - UDP" dir = in action = block protocol = UDP localport = 135
+
+echo closing 137 port...
+netsh advfirewall firewall add rule name = "Disable port 137 - TCP" dir = in action = block protocol = TCP localport = 137
+netsh advfirewall firewall add rule name = "Disable port 137 - UDP" dir = in action = block protocol = UDP localport = 137
+
+echo closing 138 port...
+netsh advfirewall firewall add rule name = "Disable port 138 - TCP" dir = in action = block protocol = TCP localport = 138
+netsh advfirewall firewall add rule name = "Disable port 138 - UDP" dir = in action = block protocol = UDP localport = 138
+
+echo closing 139 port...
+netsh advfirewall firewall add rule name = "Disable port 139 - TCP" dir = in action = block protocol = TCP localport = 139
+netsh advfirewall firewall add rule name = "Disable port 139 - UDP" dir = in action = block protocol = UDP localport = 139
+
+echo closing 445 port...
+netsh advfirewall firewall add rule name = "Disable port 445 - TCP" dir = in action = block protocol = TCP localport = 445
+netsh advfirewall firewall add rule name = "Disable port 445 - UDP" dir = in action = block protocol = UDP localport = 445
+
+echo closing 593 port...
+netsh advfirewall firewall add rule name = "deny593" dir = in action = block protocol = TCP localport = 593
+echo closing 1025 port...
+netsh advfirewall firewall add rule name = "deny1025" dir = in action = block protocol = TCP localport = 1025
+echo closing 2745 port...
+netsh advfirewall firewall add rule name = "deny2745" dir = in action = block protocol = TCP localport = 2745
+echo closing 3127 port...
+netsh advfirewall firewall add rule name = "deny3127" dir = in action = block protocol = TCP localport = 3127
+echo closing 3389 port...
+netsh advfirewall firewall add rule name = "deny3389" dir = in action = block protocol = TCP localport = 3389
+echo closing 6129 port...
+netsh advfirewall firewall add rule name = "deny6129" dir = in action = block protocol = TCP localport = 6129
+
+echo Turn on firewall logging ...
+netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
+netsh advfirewall set currentprofile logging maxfilesize 20480
+netsh advfirewall set currentprofile logging droppedconnections enable
+netsh advfirewall set currentprofile logging allowedconnections enable
+
+echo Make sure firewall is turned on...
+netsh advfirewall set allprofile state on
+
+
+:: Computer Browser(关闭维护网络上计算机的更新列表)
+net stop Browser /y
+sc config Browser start= disabled
+:: Workstation(关闭客户端网络与远程服务器的连接)
+net stop LanmanWorkstation /y
+sc config LanmanWorkstation start= disabled
+:: 禁用TCP/IP的NetBOIS
+net stop lmhosts /y 1>nul 2>nul
+sc config lmhosts start= disabled 1>nul 2>nul
+
+echo closing feedback, search services...
+::Connected User Experiences and Telemetry
+net stop DiagTrack /y
+sc config DiagTrack start= disabled
+::SysMain
+net stop SysMain /y
+sc config SysMain start= disabled
+::Windows Search
+net stop WSearch /y
+sc config WSearch start= disabled
+
+echo closing xbox services...
+::Xbox Accessory Management Service
+net stop XboxGipSvc /y
+sc config XboxGipSvc start= disabled
+net stop xbgm /y
+sc config xbgm start= disabled
+::Xbox Live 游戏保存
+net stop XblGameSave /y
+sc config XblGameSave start= disabled
+::Xbox Live 网络服务
+net stop XboxNetApiSvc /y
+sc config XboxNetApiSvc start= disabled
+::Xbox Live 身份验证管理器
+net stop XblAuthManager /y
+sc config XblAuthManager start= disabled
+
+::Task Scheduler(关闭在此计算机上配置和计划自动任务)
+net stop Schedule /y
+sc config Schedule start= disabled
+::关闭TeamViewer
+net stop TeamViewer /y
+sc config TeamViewer start= disabled
+::关闭IP Helper
+net stop iphlpsvc /y
+sc config iphlpsvc start= disabled
+::Application Layer Gateway Service(关闭为Internet连接共享提供第三方协议插件的支持)
+net stop ALG /y
+sc config ALG start= disabled
+::Internet Connection Sharing (ICS)
+net stop SharedAccess /y
+sc config SharedAccess start= disabled
+
+::Application Management(关闭应用程序管理)
+net stop AppMgmt /y
+sc config AppMgmt start= disabled
+::Distributed Link Tracking Client(关闭NTFS文件维护工具)
+net stop TrkWks /y
+sc config TrkWks start= disabled
+::Print Spooler(关闭打印机的交互)
+net stop Spooler /y
+sc config Spooler start= disabled
+::shell hardware detection(关闭自动播放的通知)
+net stop ShellHWDetection /y
+sc config ShellHWDetection start= disabled
+
+
+:: 密码策略
+echo.[version]>gp.inf
+echo.signature="$CHICAGO$">>gp.inf
+echo.[System Access]>>gp.inf
+echo.MinimumPasswordAge = 30 >>gp.inf
+echo.MaximumPasswordAge = 180 >>gp.inf
+echo.MinimumPasswordLength = 8 >>gp.inf
+echo.PasswordComplexity = 1 >>gp.inf
+echo.PasswordHistorySize = 3 >>gp.inf
+
+:: 账户锁定策略
+echo.LockoutBadCount = 10 >>gp.inf
+echo.ResetLockoutCount = 15 >>gp.inf
+echo.LockoutDuration = 30 >>gp.inf
+
+:: 开启全部审核策略
+echo [Event Audit] >>gp.inf
+echo AuditSystemEvents=3 >>gp.inf
+echo AuditObjectAccess=3 >>gp.inf
+echo AuditPrivilegeUse=3 >>gp.inf
+echo AuditPolicyChange=3 >>gp.inf
+echo AuditAccountManage=3 >>gp.inf
+echo AuditProcessTracking=3 >>gp.inf
+echo AuditDSAccess=3 >>gp.inf
+echo AuditAccountLogon=3 >>gp.inf
+echo AuditLogonEvents=3 >>gp.inf
+secedit /configure /db gp.sdb /cfg gp.inf /log gp.log /quiet
+del gp.* /q
diff --git a/config/sys_optimize.reg b/config/sys_optimize.reg
index c5f342b..18483b2 100644
--- a/config/sys_optimize.reg
+++ b/config/sys_optimize.reg
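Review bot: The secedit block at the end of the file writes gp.inf, gp.sdb and gp.log into whatever the current working directory happens to be and then runs `del gp.* /q`, which also deletes any unrelated file matching `gp.*` there; anchor the paths and delete only those names, e.g. `set "cfg=%TEMP%\sys_config_gp"` at the top of that block, `"%cfg%.inf"` / `"%cfg%.sdb"` / `"%cfg%.log"` in the echo and secedit lines, and `del /q "%cfg%.inf" "%cfg%.sdb" "%cfg%.log"` at the end. Nothing in the file checks that it runs elevated and no errorlevel is ever examined, so a non-elevated run prints a wall of access-denied errors from netsh, sc and secedit and still exits 0; an early `net session >nul 2>&1 || (echo sys_config.bat must run elevated & exit /b 1)` would make that failure explicit. `sc config Schedule start= disabled` needs a comment stating the intended trade-off: if it takes effect it also stops Windows Update, Defender scheduled scans and automatic maintenance, and on current Windows builds the call is likely to be rejected anyway; the same applies to disabling LanmanWorkstation, which removes all SMB client access, which the `::` comment above it only partly conveys.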
@@ -10,31 +10,116 @@ Windows Registry Editor Version 5.00 ; 仅搜索图标 "SearchboxTaskbarMode"=dword:00000001 -; === 1. 设置“更多固定项”布局 (Win11) === [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] +; === 设置“更多固定项”布局 (Win11) === "Start_Layout"=dword:00000001 - -; === 2. 关闭“显示最近添加的应用” (通过策略禁用) === -[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer] -"HideRecentlyAddedApps"=dword:00000001 - -; === 3. 关闭“显示最常用的应用” === -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] +; === 关闭“显示最常用的应用” === "Start_TrackProgs"=dword:00000000 - -; === 4. 关闭“在开始菜单中显示推荐的文件/跳转列表” === -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] +; === 关闭“在开始菜单中显示推荐的文件/跳转列表” === "Start_TrackDocs"=dword:00000000 - -; === 5. 关闭“显示提示、应用促销等建议” === -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager] -"SubscribedContent-338388Enabled"=dword:00000000 - -; === 6. 关闭“显示与帐户相关的通知” (Win11 新特性) === -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] +; === 关闭“显示浏览历史记录中的网站” === +"Start_RecoPersonalizedSites"=dword:00000000 +; === 关闭“显示有关提示、快捷方式、新应用等的建议” === +"Start_IrisRecommendations"=dword:00000000 +; === 关闭“显示与帐户相关的通知” (Win11 新特性) === "Start_AccountNotifications"=dword:00000000 ; === 微软拼音输入法设置 === [HKEY_CURRENT_USER\Software\Microsoft\InputMethod\Settings\CHS] ; 关闭“尝试必应的文本建议” (也就是云候选项/Web文本建议) "EnableCloudCandidate"=dword:00000000 + + +; 关闭 IPv6 +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters] +"DisabledComponents"=dword:000000ff + +; 关闭快速存取和最近使用过的档案 +[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer] +"ShowFrequent"=dword:00000000 +"ShowRecent"=dword:00000000 + +; 关闭自动播放 +[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers] +"DisableAutoplay"=dword:00000001 + +; UAC级别设置为最高 +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 
+"ConsentPromptBehaviorAdmin"=dword:00000002 +"EnableLUA"=dword:00000001 +"PromptOnSecureDesktop"=dword:00000001 + +; 关闭远程协助 +[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] +"fAllowToGetHelp"=dword:00000000 +"fAllowUnsolicited"=dword:00000000 +"fDenyTSConnections"=dword:00000001 + +; 关闭 隐私-常规 +[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo] +"Enabled"=dword:00000000 + +[HKEY_CURRENT_USER\Control Panel\International\User Profile] +"HttpAcceptLanguageOptOut"=dword:00000001 + +[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager] +"SubscribedContent-338393Enabled"=dword:00000000 +"SubscribedContent-353694Enabled"=dword:00000000 +"SubscribedContent-353696Enabled"=dword:00000000 + +; 关闭 隐私-语音识别 +[HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy] +"HasAccepted"=dword:00000000 + +; 关闭 隐私-墨迹书写和键入个性化 +[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings] +"AcceptedPrivacyPolicy"=dword:00000000 + +; 关闭 隐私-诊断与意见反馈 +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection] +"AllowTelemetry"=dword:00000001 +[HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC] +"Enabled"=dword:00000000 +[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy] +"TailoredExperiencesWithDiagnosticDataEnabled"=dword:00000000 +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey] +"EnableEventTranscript"=dword:00000000 +[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection] +"DisableDeviceDelete"=- +[HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules] +"NumberOfSIUFInPeriod"=dword:00000000 + +; 关闭 隐私-活动历史记录 +[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] +"PublishUserActivities"=dword:00000000 +"UploadUserActivities"=dword:00000000 +"EnableActivityFeed"=dword:00000000 + +; 关闭 其他隐私(除麦克风和摄像头) 
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy] +"LetAppsAccessLocation"=dword:00000002 +"LetAppsAccessNotifications"=dword:00000002 +"LetAppsAccessAccountInfo"=dword:00000002 +"LetAppsAccessContacts"=dword:00000002 +"LetAppsAccessCalendar"=dword:00000002 +"LetAppsAccessCallHistory"=dword:00000002 +"LetAppsAccessEmail"=dword:00000002 +"LetAppsAccessTasks"=dword:00000002 +"LetAppsAccessMessaging"=dword:00000002 +"LetAppsAccessRadios"=dword:00000002 +"LetAppsSyncWithDevices"=dword:00000002 +"LetAppsGetDiagnosticInfo"=dword:00000002 + +; 关闭 隐私-后台应用程序 +[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications] +"GlobalUserDisabled"=dword:00000001 + +; 关闭 隐私-文档/图片/视频/文件系统 +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary] +"Value"="Deny" +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary] +"Value"="Deny" +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary] +"Value"="Deny" +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess] +"Value"="Deny" diff --git a/main.ps1 b/main.ps1 index e0e2445..273cdc2 100644 --- a/main.ps1 +++ b/main.ps1 @@ -125,5 +125,5 @@ foreach ($app in $apps) { } } -Write-Host "`n=== Done ===" -ForegroundColor Green +Write-Host "`n=== Done. Need restart ===" -ForegroundColor Green Pause
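Review bot: `"DisabledComponents"=dword:000000ff` under Tcpip6\Parameters disables IPv6 entirely, which Microsoft's IPv6 configuration guidance advises against and documents as adding a startup delay; unless a full disable is deliberate, `"DisabledComponents"=dword:00000020` (prefer IPv4 over IPv6) is the documented choice, and either way the `; 关闭 IPv6` comment should state the reason and the side effects. The `; 关闭 隐私-诊断与意见反馈` section sets `"AllowTelemetry"=dword:00000001`, which is the Required/Basic level rather than off; a comment noting that 0 is only honoured on Enterprise, Education and Server editions would keep the heading honest. The HKEY_LOCAL_MACHINE keys added here require an elevated import, which is outside this hunk; worth confirming that main.ps1 applies the .reg file that way, otherwise only the HKEY_CURRENT_USER part of the file lands.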