add system config bat and others

config/sys_config.bat

@@ -0,0 +1,141 @@
+@echo off
+
+:: 关闭危险端口
+echo closing 135 port...
+netsh advfirewall firewall add rule name = "Disable port 135 - TCP" dir = in action = block protocol = TCP localport = 135
+netsh advfirewall firewall add rule name = "Disable port 135 - UDP" dir = in action = block protocol = UDP localport = 135
+
+echo closing 137 port...
+netsh advfirewall firewall add rule name = "Disable port 137 - TCP" dir = in action = block protocol = TCP localport = 137
+netsh advfirewall firewall add rule name = "Disable port 137 - UDP" dir = in action = block protocol = UDP localport = 137
+
+echo closing 138 port...
+netsh advfirewall firewall add rule name = "Disable port 138 - TCP" dir = in action = block protocol = TCP localport = 138
+netsh advfirewall firewall add rule name = "Disable port 138 - UDP" dir = in action = block protocol = UDP localport = 138
+
+echo closing 139 port...
+netsh advfirewall firewall add rule name = "Disable port 139 - TCP" dir = in action = block protocol = TCP localport = 139
+netsh advfirewall firewall add rule name = "Disable port 139 - UDP" dir = in action = block protocol = UDP localport = 139
+
+echo closing 445 port...
+netsh advfirewall firewall add rule name = "Disable port 445 - TCP" dir = in action = block protocol = TCP localport = 445
+netsh advfirewall firewall add rule name = "Disable port 445 - UDP" dir = in action = block protocol = UDP localport = 445
+
+echo closing 593 port...
+netsh advfirewall firewall add rule name = "deny593" dir = in action = block protocol = TCP localport = 593
+echo closing 1025 port...
+netsh advfirewall firewall add rule name = "deny1025" dir = in action = block protocol = TCP localport = 1025
+echo closing 2745 port...
+netsh advfirewall firewall add rule name = "deny2745" dir = in action = block protocol = TCP localport = 2745
+echo closing 3127 port...
+netsh advfirewall firewall add rule name = "deny3127" dir = in action = block protocol = TCP localport = 3127
+echo closing 3389 port...
+netsh advfirewall firewall add rule name = "deny3389" dir = in action = block protocol = TCP localport = 3389
+echo closing 6129 port...
+netsh advfirewall firewall add rule name = "deny6129" dir = in action = block protocol = TCP localport = 6129
+
+echo Turn on firewall logging ...
+netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
+netsh advfirewall set currentprofile logging maxfilesize 20480
+netsh advfirewall set currentprofile logging droppedconnections enable
+netsh advfirewall set currentprofile logging allowedconnections enable
+
+echo Make sure firewall is turned on...
+netsh advfirewall set allprofile state on
+
+
+:: Computer Browser(关闭维护网络上计算机的更新列表)
+net stop Browser /y
+sc config Browser start= disabled
+:: Workstation(关闭客户端网络与远程服务器的连接)
+net stop LanmanWorkstation /y
+sc config LanmanWorkstation start= disabled
+:: 禁用TCP/IP的NetBOIS 
+net stop lmhosts /y 1>nul 2>nul
+sc config lmhosts start= disabled 1>nul 2>nul
+
+echo closing feedback, search services...
+::Connected User Experiences and Telemetry
+net stop DiagTrack /y
+sc config DiagTrack start= disabled
+::SysMain
+net stop SysMain /y
+sc config SysMain start= disabled
+::Windows Search
+net stop WSearch /y
+sc config WSearch start= disabled
+
+echo closing xbox services...
+::Xbox Accessory Management Service
+net stop XboxGipSvc /y
+sc config XboxGipSvc start= disabled
+net stop xbgm /y
+sc config xbgm start= disabled
+::Xbox Live 游戏保存
+net stop XblGameSave /y
+sc config XblGameSave start= disabled
+::Xbox Live 网络服务
+net stop XboxNetApiSvc /y
+sc config XboxNetApiSvc start= disabled
+::Xbox Live 身份验证管理器
+net stop XblAuthManager /y
+sc config XblAuthManager start= disabled
+
+::Task Scheduler(关闭在此计算机上配置和计划自动任务)
+net stop Schedule /y
+sc config Schedule start= disabled
+::关闭TeamViewer
+net stop TeamViewer /y
+sc config TeamViewer start= disabled
+::关闭IP Helper
+net stop iphlpsvc /y
+sc config iphlpsvc start= disabled
+::Application Layer Gateway Service(关闭为Internet连接共享提供第三方协议插件的支持)
+net stop ALG /y
+sc config ALG start= disabled
+::Internet Connection Sharing (ICS)
+net stop SharedAccess /y
+sc config SharedAccess start= disabled
+
+::Application Management(关闭应用程序管理)
+net stop AppMgmt /y
+sc config AppMgmt start= disabled
+::Distributed Link Tracking Client(关闭NTFS文件维护工具)
+net stop TrkWks /y
+sc config TrkWks start= disabled
+::Print Spooler(关闭打印机的交互)
+net stop Spooler /y
+sc config Spooler start= disabled
+::shell hardware detection(关闭自动播放的通知)
+net stop ShellHWDetection /y
+sc config ShellHWDetection start= disabled
+
+
+:: 密码策略
+echo.[version]>gp.inf
+echo.signature="$CHICAGO$">>gp.inf
+echo.[System Access]>>gp.inf
+echo.MinimumPasswordAge = 30 >>gp.inf
+echo.MaximumPasswordAge = 180 >>gp.inf
+echo.MinimumPasswordLength = 8 >>gp.inf
+echo.PasswordComplexity = 1 >>gp.inf
+echo.PasswordHistorySize = 3 >>gp.inf
+
+:: 账户锁定策略
+echo.LockoutBadCount = 10 >>gp.inf
+echo.ResetLockoutCount = 15 >>gp.inf
+echo.LockoutDuration = 30 >>gp.inf
+
+:: 开启全部审核策略
+echo [Event Audit] >>gp.inf
+echo AuditSystemEvents=3 >>gp.inf
+echo AuditObjectAccess=3 >>gp.inf
+echo AuditPrivilegeUse=3 >>gp.inf
+echo AuditPolicyChange=3 >>gp.inf
+echo AuditAccountManage=3 >>gp.inf
+echo AuditProcessTracking=3 >>gp.inf
+echo AuditDSAccess=3 >>gp.inf
+echo AuditAccountLogon=3 >>gp.inf
+echo AuditLogonEvents=3 >>gp.inf
+secedit /configure /db gp.sdb /cfg gp.inf /log gp.log /quiet
+del gp.* /q