windows基线整改方法

windows基线整改方法

来源 https://mp.weixin.qq.com/s/BwjKk3PMyYtQnNh2TRssGg

 

前言

配置安全基线是网络、基础设备安全维护的基础，基线合规可以有效的防护大部分已知的攻击手段

本次介绍的整改步骤采用以下方式执行

• 将整块命令贴在txt，将后缀从txt改为bat，右键管理员权限执行

基线配置涉及多项功能的开启/关闭切勿在已投产机器上执行，以免影响正常使用

基线整改

账号口令

1> 配置启用密码复杂性要求、密码长度大于等于8

2> 配置密码最长使用期限（90天）

3> 配置强制要求密码不能为历史近5次设置过的密码

4> 配置帐户锁定阈值，错误6次即锁定

5> 禁用来宾(Guest)帐户

@echo off

echo [version] >account.inf
echo signature="$CHICAGO$" >>account.inf
echo [System Access] >>account.inf

REM 修改帐户密码最小长度为8，开启帐户密码复杂性要求
echo MinimumPasswordLength=8 >>account.inf
echo PasswordComplexity=1 >>account.inf

REM 修改帐户密码最长留存期为90天
echo MaximumPasswordAge=90 >>account.inf

REM 强制密码历史为5
echo PasswordHistorySize=5 >>account.inf

REM 设定帐户锁定阀值为6次
echo LockoutBadCount=6 >>account.inf

REM 禁用Guest帐户
echo EnableGuestAccount=0 >>account.inf

secedit /configure /db account.sdb /cfg account.inf /log account.log /quiet
del account.*

认证授权

1> 限制匿名用户连接(SAM帐户和共享的匿名枚举)

2> 删除可远程访问的注册表路径和子路径

@echo off

REM 限制匿名用户连接(SAM帐户和共享的匿名枚举)
echo Windows Registry Editor Version 5.00>>ipc.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>ipc.reg
echo"RestrictAnonymous"=dword:1>>ipc.reg
echo"restrictanonymoussam"=dword:1>>ipc.reg
regedit /s ipc.reg
del ipc.reg

REM 删除可远程访问的注册表路径和子路径
echo Windows Registry Editor Version 5.00>>aep.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths]>>aep.reg
echo"Machine"=->>aep.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths]>>aep.reg
echo"Machine"=->>aep.reg
regedit /s aep.reg
del aep.reg
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f

日志审计

1> 开启审核特权使用

2> 开启审核系统事件

3> 开启审核进程跟踪

4> 开启审核策略更改

5> 开启审核帐户登录事件

6> 开启审核目录服务访问

7> 开启审核帐户管理

8> 开启审核对象访问

9> 开启审核登录事件

@echo off

echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM 开启审核特权使用
echo AuditPrivilegeUse=3 >>audit.inf
REM 开启审核系统事件
echo AuditSystemEvents=3 >>audit.inf
REM 开启审核过程跟踪
echo AuditProcessTracking=3 >>audit.inf
REM 开启审核策略更改
echo AuditPolicyChange=3 >>audit.inf
REM 开启审核帐户登陆事件
echo AuditAccountLogon=3 >>audit.inf
REM 开启审核目录服务访问
echo AuditDSAccess=3 >>audit.inf
REM 开启审核帐户管理
echo AuditAccountManage=3 >>audit.inf
REM 开启审核对象访问
echo AuditObjectAccess=3 >>audit.inf
REM 开启审核登陆事件
echo AuditLogonEvents=3 >>audit.inf
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
del audit.*

其它安全

1> 关闭DHCP Client

2> 禁用Windows硬盘默认共享

3> 关闭Windows自动播放

@echo off

REM 禁用dhcp client
net stop "DHCP Client" /y
sc config Dhcp start= disabled

REM 删除当前默认共享
sc config LanmanServer start= disabled
netshare ipc$ /del
net share c$ /del
net share admin$ /del
echo Windows Registry Editor Version 5.00>>s.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services\LanmanServer\Parameters]>>s.reg
echo"AutoShareServer"=dword:0>>s.reg
echo"AutoShareWks"=dword:0>>s.reg
regedit /s s.reg
del s.reg

REM 关闭自动播放
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

注：关闭dhcp-client需要重启生效，如之前主机使用的dhcp获取地址，务必先将获取到的IP地址、网关、DNS设置为静态，再操作重启！

协议安全

1> 开启Windows防火墙

2> 修改默认的远程桌面服务端口

3> 配置源路由攻击保护

4> 配置SYN攻击保护

5> 配置TCP碎片攻击保护

@echo off

REM 启用windows防火墙
netsh advfirewall set allprofiles state on
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 1 /f


REM  修改远程服务端口为23389、并在防火墙入站规则启用“回显请求-ICMPv4-In”和“远程桌面服务”
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v FPS-ICMP4-ERQ-In /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=23389|App=System|Name=@FirewallAPI.dll,-28753|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-UserMode-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=23389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28853|Desc=@FirewallAPI.dll,-28856|EmbedCtxt=@FirewallAPI.dll,-28852|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD  /d 23389 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD  /d 23389 /f
netsh advfirewall firewall add rule name="Remote PortNumber" dir=in action=allow protocol=TCP localport="23389"

REM 源路由欺骗保护
echo Windows Registry Editor Version 5.00>>route.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]>>route.reg
echo"DisableIPSourceRouting"=dword:2>>route.reg
regedit /s route.reg
del route.reg

REM 防SYN洪水攻击 
echo Windows Registry Editor Version 5.00>>SynAttack.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>SynAttack.reg 
echo"SynAttackProtect"=dword:1>>SynAttack.reg
echo"TcpMaxPortsExhausted"=dword:5>>SynAttack.reg
echo"TcpMaxHalfOpen"=dword:01f4>>SynAttack.reg
echo"TcpMaxConnectResponseRetransmissions"=dword:2>>SynAttack.reg
echo"TcpMaxHalfOpenRetried"=dword:190>>SynAttack.reg
REM DDOS
echo"EnableICMPRedirect"=dword:0>>SynAttack.reg
regedit /s SynAttack.reg
del SynAttack.reg

REM 碎片攻击保护
echo Windows Registry Editor Version 5.00>>sp.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]>>sp.reg
echo"EnablePMTUDiscovery"=dword:1>>sp.reg
regedit /s sp.reg
del sp.reg

注：示例为修改远程服务端口为23389，如果需要改成其他，遍历搜索23389并逐一修改

 

========= End