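@echo off
setlocal

rem Windows host-hardening script. It (1) adds inbound firewall block rules for
rem legacy RPC/NetBIOS/SMB/remote-access ports, (2) turns on firewall logging
rem and enables the firewall on every profile, (3) stops and disables a list
rem of services the author treats as unnecessary, and (4) applies a local
rem password / lockout / audit policy through secedit.
rem
rem NOTE(review): the 3389 rule and the LanmanWorkstation / lmhosts changes
rem cut off RDP and SMB access to and from this host. Run this from the local
rem console, not over an RDP or SMB-backed session.

rem netsh advfirewall, sc config and secedit all fail (or apply only partly)
rem without elevation, which would leave the host half-configured. fltmc is
rem a cheap privileged call that does not depend on any service this script
rem later disables.
fltmc >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated Administrator prompt.
    exit /b 1
)

rem ---- Inbound firewall block rules ---------------------------------------
rem Rule names are kept identical to the original script. Each rule is deleted
rem by name before it is re-added so that re-running the script replaces the
rem rule instead of creating a duplicate (netsh does not de-duplicate).
echo closing 135 port...
call :block_port 135 TCP "Disable port 135 - TCP"
call :block_port 135 UDP "Disable port 135 - UDP"
echo closing 137 port...
call :block_port 137 TCP "Disable port 137 - TCP"
call :block_port 137 UDP "Disable port 137 - UDP"
echo closing 138 port...
call :block_port 138 TCP "Disable port 138 - TCP"
call :block_port 138 UDP "Disable port 138 - UDP"
echo closing 139 port...
call :block_port 139 TCP "Disable port 139 - TCP"
call :block_port 139 UDP "Disable port 139 - UDP"
echo closing 445 port...
call :block_port 445 TCP "Disable port 445 - TCP"
call :block_port 445 UDP "Disable port 445 - UDP"
echo closing 593 port...
call :block_port 593 TCP "deny593"
echo closing 1025 port...
call :block_port 1025 TCP "deny1025"
echo closing 2745 port...
call :block_port 2745 TCP "deny2745"
echo closing 3127 port...
call :block_port 3127 TCP "deny3127"
echo closing 3389 port...
call :block_port 3389 TCP "deny3389"
echo closing 6129 port...
call :block_port 6129 TCP "deny6129"

rem ---- Firewall logging and state -----------------------------------------
rem Logging is configured on all profiles, not just the currently active one,
rem so that it matches the "state on" line below and a host that later moves
rem between domain/private/public profiles keeps logging dropped traffic.
echo Turn on firewall logging ...
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 20480
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
echo Make sure firewall is turned on...
netsh advfirewall set allprofiles state on

rem ---- Stop and disable services ------------------------------------------
rem Output from net/sc is left visible on purpose: a "service does not exist"
rem or "access denied" message is the only indication that a step was skipped.
rem Computer Browser: maintains the list of computers on the network.
call :disable_service Browser "Computer Browser"
rem Workstation: SMB client connections to remote servers. Disabling it also
rem breaks mapped drives and domain logon over the network.
call :disable_service LanmanWorkstation "Workstation"
rem TCP/IP NetBIOS Helper: disables NetBIOS over TCP/IP support.
call :disable_service lmhosts "TCP/IP NetBIOS Helper"

echo closing feedback, search services...
rem Connected User Experiences and Telemetry
call :disable_service DiagTrack "Connected User Experiences and Telemetry"
rem SysMain (Superfetch)
call :disable_service SysMain "SysMain"
rem Windows Search
call :disable_service WSearch "Windows Search"

echo closing xbox services...
rem Xbox Accessory Management Service
call :disable_service XboxGipSvc "Xbox Accessory Management Service"
call :disable_service xbgm "Xbox Game Monitoring"
rem Xbox Live Game Save
call :disable_service XblGameSave "Xbox Live Game Save"
rem Xbox Live Networking Service
call :disable_service XboxNetApiSvc "Xbox Live Networking Service"
rem Xbox Live Auth Manager
call :disable_service XblAuthManager "Xbox Live Auth Manager"

rem Task Scheduler: configures and runs automated tasks on this computer.
rem NOTE(review): on current Windows builds this service is protected and
rem sc config may refuse to disable it; if it does get disabled, Windows
rem Update, automatic maintenance and scheduled AV scans stop running.
rem Confirm this is intended before keeping it in the list.
call :disable_service Schedule "Task Scheduler"
rem TeamViewer
call :disable_service TeamViewer "TeamViewer"
rem IP Helper
call :disable_service iphlpsvc "IP Helper"
rem Application Layer Gateway Service: third-party protocol plug-in support
rem for Internet Connection Sharing.
call :disable_service ALG "Application Layer Gateway Service"
rem Internet Connection Sharing (ICS)
call :disable_service SharedAccess "Internet Connection Sharing"
rem Application Management
call :disable_service AppMgmt "Application Management"
rem Distributed Link Tracking Client: NTFS link maintenance.
call :disable_service TrkWks "Distributed Link Tracking Client"
rem Print Spooler
call :disable_service Spooler "Print Spooler"
rem Shell Hardware Detection: AutoPlay notifications.
call :disable_service ShellHWDetection "Shell Hardware Detection"

rem ---- Local security policy via secedit -----------------------------------
rem The template is written to %TEMP% instead of the current directory, which
rem may be read-only (e.g. when launched from a mounted ISO or a share).
set "INF=%TEMP%\harden_gp.inf"
set "SDB=%TEMP%\harden_gp.sdb"
set "LOG=%TEMP%\harden_gp.log"
(
    echo [version]
    echo signature="$CHICAGO$"
    rem Password policy
    echo [System Access]
    echo MinimumPasswordAge = 30
    echo MaximumPasswordAge = 180
    echo MinimumPasswordLength = 8
    echo PasswordComplexity = 1
    echo PasswordHistorySize = 3
    rem Account lockout policy
    echo LockoutBadCount = 10
    echo ResetLockoutCount = 15
    echo LockoutDuration = 30
    rem Audit policy: 3 = audit both success and failure for every category
    echo [Event Audit]
    echo AuditSystemEvents=3
    echo AuditObjectAccess=3
    echo AuditPrivilegeUse=3
    echo AuditPolicyChange=3
    echo AuditAccountManage=3
    echo AuditProcessTracking=3
    echo AuditDSAccess=3
    echo AuditAccountLogon=3
    echo AuditLogonEvents=3
) > "%INF%"
rem A stale database from an earlier run would be merged into this one.
del "%SDB%" /q 2>nul
secedit /configure /db "%SDB%" /cfg "%INF%" /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported an error; see "%LOG%"
) else (
    echo Security policy applied; details in "%LOG%"
)
rem Only the template and database are temporary. The log is kept: with
rem /quiet it is the only record of which settings secedit actually applied.
del "%INF%" "%SDB%" /q 2>nul

endlocal
exit /b 0

rem ---- Subroutines ----------------------------------------------------------

rem :block_port PORT PROTOCOL "RULE NAME"
rem Adds an inbound block rule for PORT/PROTOCOL, first removing any rule with
rem the same name so that repeated runs do not accumulate duplicates.
:block_port
netsh advfirewall firewall delete rule name="%~3" >nul 2>&1
netsh advfirewall firewall add rule name="%~3" dir=in action=block protocol=%2 localport=%1
goto :eof

rem :disable_service SERVICE "DESCRIPTION"
rem Stops SERVICE (answering yes to any dependency prompt) and sets its start
rem type to disabled. DESCRIPTION is only used for the console message.
:disable_service
echo stopping and disabling %1 (%~2)...
net stop %1 /y
sc config %1 start= disabled
goto :eof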