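@echo off
setlocal
:: ---------------------------------------------------------------------------
:: Local hardening script, part 1: inbound firewall block rules + firewall
:: logging.  Every command in this file (netsh advfirewall, net stop,
:: sc config, secedit) needs Administrator rights, so elevation is verified
:: once, up front, instead of letting each step fail with "Access is denied".
::
:: CAUTION: the rules below block inbound 3389 (RDP) and 139/445 (SMB).  Run
:: this from a local console or an out-of-band channel, not over the RDP or
:: SMB session that it is about to cut.  135 (RPC endpoint mapper) inbound is
:: also blocked, which stops remote WMI/DCOM management of this host.
:: ---------------------------------------------------------------------------

:: fltmc needs admin and does not depend on any service being up (unlike the
:: common "net session" check, which fails when the Server service is off).
fltmc >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated ^(Administrator^) prompt. 1>&2
    exit /b 1
)

goto :firewall_main

:: block_inbound NAME PROTOCOL PORT
::   Adds one inbound block rule.  Any existing rule with the same name is
::   deleted first, because "netsh ... add rule" never de-duplicates and a
::   re-run would otherwise accumulate identical rules.  The delete output is
::   discarded: "No rules match" is the expected result on a first run.
::   Prints a diagnostic to stderr if the add fails; does not abort the script.
:block_inbound
netsh advfirewall firewall delete rule name="%~1" >nul 2>&1
netsh advfirewall firewall add rule name="%~1" dir=in action=block protocol=%~2 localport=%~3
if errorlevel 1 echo   failed to add rule "%~1" 1>&2
exit /b

:firewall_main
echo closing 135 port...
call :block_inbound "Disable port 135 - TCP" TCP 135
call :block_inbound "Disable port 135 - UDP" UDP 135

echo closing 137 port...
call :block_inbound "Disable port 137 - TCP" TCP 137
call :block_inbound "Disable port 137 - UDP" UDP 137

echo closing 138 port...
call :block_inbound "Disable port 138 - TCP" TCP 138
call :block_inbound "Disable port 138 - UDP" UDP 138

echo closing 139 port...
call :block_inbound "Disable port 139 - TCP" TCP 139
call :block_inbound "Disable port 139 - UDP" UDP 139

echo closing 445 port...
call :block_inbound "Disable port 445 - TCP" TCP 445
call :block_inbound "Disable port 445 - UDP" UDP 445

:: The remaining rules are TCP-only; the rule names are kept as-is so that a
:: re-run replaces, rather than duplicates, rules created by earlier runs.
echo closing 593 port...
call :block_inbound "deny593" TCP 593

echo closing 1025 port...
call :block_inbound "deny1025" TCP 1025

echo closing 2745 port...
call :block_inbound "deny2745" TCP 2745

echo closing 3127 port...
call :block_inbound "deny3127" TCP 3127

echo closing 3389 port...
call :block_inbound "deny3389" TCP 3389

echo closing 6129 port...
call :block_inbound "deny6129" TCP 6129

echo Turn on firewall logging ...
:: Logging is configured for ALL profiles (Domain/Private/Public).  Using
:: "currentprofile" would only cover whichever profile happens to be active
:: while the script runs, so drops on the other profiles would never be logged.
:: maxfilesize is in KB (20480 = 20 MB); logging allowed connections as well as
:: drops is verbose, so keep an eye on the log's rollover.
netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging maxfilesize 20480
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

echo Make sure firewall is turned on...
netsh advfirewall set allprofiles state on
if errorlevel 1 echo   failed to enable the firewall on all profiles 1>&2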
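:: ---------------------------------------------------------------------------
:: Part 2: stop and disable services that widen the attack surface or are not
:: needed on a hardened host.  One "call :disable_service NAME DESCRIPTION"
:: line per service; the description is only echoed for the operator.
::
:: To undo for a single service:  sc config NAME start= demand  ^&  net start NAME
::
:: NOTE(review): a few of these have side effects well beyond "hardening" and
:: should be confirmed against the target's role before this list is kept:
::   LanmanWorkstation - client-side SMB; disabling it breaks network shares
::                       and, on a domain-joined host, Group Policy / domain
::                       logon (confirm on the target).
::   Schedule          - Task Scheduler; Windows Update, Defender scans and
::                       maintenance tasks depend on it, and recent Windows
::                       builds may refuse to stop/disable it at all.
::   Spooler           - removes the print service attack surface but disables
::                       all printing on this host.
::   iphlpsvc          - IPv6 transition technologies (Teredo/6to4/ISATAP);
::                       harmless on IPv4-only hosts, verify otherwise.
:: ---------------------------------------------------------------------------
goto :services_main

:: disable_service NAME DESCRIPTION
::   Sets the service start type to "disabled", then stops it; /y also stops
::   services that depend on it.  The start type is changed *first* so that a
::   trigger or a dependent cannot restart the service between the two steps.
::   Services that are not installed (e.g. TeamViewer on most hosts) are
::   reported and skipped instead of producing "does not exist" errors.
::   Failures are reported on stderr; the script continues with the next one.
:disable_service
sc query "%~1" >nul 2>&1
if errorlevel 1 (
    echo   %~1: not installed, skipping
    exit /b 0
)
echo   disabling %~1 - %~2
sc config "%~1" start= disabled >nul
if errorlevel 1 echo   %~1: could not set start type - access denied or protected service 1>&2
rem "net stop" is non-zero both when the service was already stopped and when
rem it cannot be stopped; in both cases the disabled start type still takes
rem effect at next boot, so this is reported but not treated as fatal.
net stop "%~1" /y >nul 2>&1
if errorlevel 1 echo   %~1: not stopped now - already stopped, or stops at next reboot
exit /b 0

:services_main
echo closing network browsing / NetBIOS services...
call :disable_service Browser "Computer Browser - maintains the list of computers on the network"
call :disable_service LanmanWorkstation "Workstation - client connections to remote SMB servers"
call :disable_service lmhosts "TCP/IP NetBIOS Helper"

echo closing feedback, search services...
call :disable_service DiagTrack "Connected User Experiences and Telemetry"
call :disable_service SysMain "SysMain"
call :disable_service WSearch "Windows Search"

echo closing xbox services...
call :disable_service XboxGipSvc "Xbox Accessory Management Service"
call :disable_service xbgm "Xbox service"
call :disable_service XblGameSave "Xbox Live Game Save"
call :disable_service XboxNetApiSvc "Xbox Live Networking Service"
call :disable_service XblAuthManager "Xbox Live Auth Manager"

echo closing scheduling, remote access and connection sharing services...
call :disable_service Schedule "Task Scheduler - configures and runs automated tasks on this computer"
call :disable_service TeamViewer "TeamViewer"
call :disable_service iphlpsvc "IP Helper"
call :disable_service ALG "Application Layer Gateway Service - protocol plug-ins for Internet Connection Sharing"
call :disable_service SharedAccess "Internet Connection Sharing - ICS"

echo closing application management, link tracking, print and autoplay services...
call :disable_service AppMgmt "Application Management"
call :disable_service TrkWks "Distributed Link Tracking Client - NTFS link maintenance"
call :disable_service Spooler "Print Spooler"
call :disable_service ShellHWDetection "Shell Hardware Detection - AutoPlay notifications"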
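:: ---------------------------------------------------------------------------
:: Part 3: local security policy (password, account lockout, audit) applied
:: with secedit from a generated .inf template.
::
:: The template, database and log are created under %TEMP% with a unique
:: prefix, and only those exact files are removed afterwards.  Writing "gp.inf"
:: into the current directory and then running "del gp.*" would overwrite and
:: delete any unrelated gp.* files in whatever directory the operator happened
:: to launch the script from.
:: ---------------------------------------------------------------------------
setlocal
set "_sp=%TEMP%\harden_secpol_%RANDOM%"
set "_inf=%_sp%.inf"

> "%_inf%" echo.[version]
>>"%_inf%" echo.signature="$CHICAGO$"

:: Password policy.
:: NOTE(review): 8 characters minimum and a history of 3 are the thresholds
:: chosen here; current hardening baselines generally require a longer minimum
:: and a deeper history.  Adjust to the organisation's policy before rollout.
>>"%_inf%" echo.[System Access]
>>"%_inf%" echo.MinimumPasswordAge = 30
>>"%_inf%" echo.MaximumPasswordAge = 180
>>"%_inf%" echo.MinimumPasswordLength = 8
>>"%_inf%" echo.PasswordComplexity = 1
>>"%_inf%" echo.PasswordHistorySize = 3

:: Account lockout policy: 10 bad attempts, counter resets after 15 minutes,
:: locked for 30 minutes.
>>"%_inf%" echo.LockoutBadCount = 10
>>"%_inf%" echo.ResetLockoutCount = 15
>>"%_inf%" echo.LockoutDuration = 30

:: Audit policy: 3 = audit both success and failure for every legacy category.
:: NOTE(review): on systems where "Audit: Force audit policy subcategory
:: settings" is enabled, the advanced (auditpol) subcategory policy overrides
:: these legacy categories - confirm which one the target actually enforces.
>>"%_inf%" echo.[Event Audit]
>>"%_inf%" echo.AuditSystemEvents=3
>>"%_inf%" echo.AuditObjectAccess=3
>>"%_inf%" echo.AuditPrivilegeUse=3
>>"%_inf%" echo.AuditPolicyChange=3
>>"%_inf%" echo.AuditAccountManage=3
>>"%_inf%" echo.AuditProcessTracking=3
>>"%_inf%" echo.AuditDSAccess=3
>>"%_inf%" echo.AuditAccountLogon=3
>>"%_inf%" echo.AuditLogonEvents=3

secedit /configure /db "%_sp%.sdb" /cfg "%_inf%" /log "%_sp%.log" /quiet
if errorlevel 1 (
    rem Keep the template and log so the failure can be investigated; with
    rem /quiet the log is the only place secedit reports what went wrong.
    echo secedit failed ^(errorlevel %errorlevel%^); see "%_sp%.log" 1>&2
) else (
    rem The .jfm is the journal secedit may create next to the .sdb; it is
    rem removed if present, hence the discarded stderr.
    del /q "%_sp%.inf" "%_sp%.sdb" "%_sp%.log" "%_sp%.jfm" 2>nul
)
endlocal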