  • windows server 2016安全基线设置脚本

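    :: ===================================================================
    :: Windows Server 2016 security baseline (cmd.exe batch).
    :: Prerequisites: run from an elevated (Administrator) console; every
    :: step below writes machine-wide policy through secedit, reg, net,
    :: sc or netsh and fails (sometimes silently) without elevation. Save
    :: the file in the console code page (GBK/ANSI on a Chinese system) so
    :: the non-ASCII messages print correctly.
    :: Review before applying: several settings are deliberately strict
    :: (interactive logon limited to Administrators, the Server service
    :: stopped, remote registry paths cleared, updates pinned to a WSUS
    :: address) and can cut off remote management if applied blindly.
    :: Why redirections are written before echo (">>file echo X=10"):
    :: with "echo X=10>>file" cmd treats the digit in front of ">>" as a
    :: stream handle, so the value or the redirection is mangled.
    :: ===================================================================
    @echo off
    setlocal EnableExtensions

    :: ---- site-specific parameters -------------------------------------
    :: Intranet WSUS address. The value below is the sample from the
    :: original script and must be replaced; with UseWUServer=1 an
    :: unreachable address means the host receives no updates at all.
    set "WSUS_SERVER=http://10.10.100.10"
    :: Scratch directory for the secedit templates, databases and logs, so
    :: nothing is written to (or deleted from) the caller's current dir.
    set "WORK=%TEMP%\secbaseline_%RANDOM%%RANDOM%"
    set "FAILED="

    :: ---- preconditions -------------------------------------------------
    :: "net session" succeeds only in an elevated console.
    net session >nul 2>&1
    if errorlevel 1 goto :need_admin
    mkdir "%WORK%" >nul 2>&1
    if not exist "%WORK%\" goto :no_workdir
    pushd "%WORK%" || goto :no_workdir

    :: ---- account policy ([System Access]) -----------------------------
    >account.inf echo [version]
    >>account.inf echo signature="$CHICAGO$"
    >>account.inf echo [System Access]
    REM Minimum password length 10
    >>account.inf echo MinimumPasswordLength=10
    REM Password must meet complexity requirements
    >>account.inf echo PasswordComplexity=1
    REM Maximum password age 120 days
    >>account.inf echo MaximumPasswordAge=120
    REM Disable the Guest account
    >>account.inf echo EnableGuestAccount=0
    REM Account lockout threshold 6 invalid attempts. LockoutDuration and
    REM ResetLockoutCount are not set here (Windows applies its defaults);
    REM add them if the baseline you follow prescribes values.
    >>account.inf echo LockoutBadCount=6
    call :secedit_apply account

    :: ---- user rights assignment ([Privilege Rights]) ------------------
    >rightscfg.inf echo [version]
    >>rightscfg.inf echo signature="$CHICAGO$"
    >>rightscfg.inf echo [Privilege Rights]
    REM Force shutdown from a remote system: Administrators only
    >>rightscfg.inf echo seremoteshutdownprivilege=Administrators
    REM Shut down the system: Administrators only
    >>rightscfg.inf echo seshutdownprivilege=Administrators
    REM Take ownership of files or other objects: Administrators only
    >>rightscfg.inf echo setakeownershipprivilege=Administrators
    REM Allow log on locally: Administrators only. This strips local logon
    REM from every other group (Users, Backup Operators, ...); add any
    REM maintenance or service account that must log on interactively.
    >>rightscfg.inf echo seinteractivelogonright=Administrators
    call :secedit_apply rightscfg

    :: ---- audit policy ([Event Audit]) ---------------------------------
    :: Values: 1 = success, 2 = failure, 3 = success and failure.
    :: NOTE(review): on Server 2016 these legacy categories are overridden
    :: once advanced audit policy (auditpol.exe / "Force audit policy
    :: subcategory settings") is in use - verify with "auditpol /get
    :: /category:*" after running.
    >audit.inf echo [version]
    >>audit.inf echo signature="$CHICAGO$"
    >>audit.inf echo [Event Audit]
    REM Audit system events
    >>audit.inf echo AuditSystemEvents=3
    REM Audit object access
    >>audit.inf echo AuditObjectAccess=3
    REM Audit privilege use
    >>audit.inf echo AuditPrivilegeUse=3
    REM Audit policy change
    >>audit.inf echo AuditPolicyChange=3
    REM Audit account management
    >>audit.inf echo AuditAccountManage=3
    REM Audit process tracking (2 = failure only, as in the original)
    >>audit.inf echo AuditProcessTracking=2
    REM Audit directory service access
    >>audit.inf echo AuditDSAccess=3
    REM Audit logon events
    >>audit.inf echo AuditLogonEvents=3
    REM Audit account logon events
    >>audit.inf echo AuditAccountLogon=3
    REM (The original script also wrote a bare "AuditLog" line here; it is
    REM not a valid [Event Audit] key and has been dropped.)
    call :secedit_apply audit

    :: ---- event log settings -------------------------------------------
    :: MaximumLogSize is in KB; 8192 KB is small for the Security log on a
    :: server that audits success events - consider a larger value.
    :: AuditLogRetentionPeriod=0 = overwrite events as needed.
    >logcfg.inf echo [version]
    >>logcfg.inf echo signature="$CHICAGO$"
    REM System log
    >>logcfg.inf echo [System Log]
    >>logcfg.inf echo MaximumLogSize=8192
    >>logcfg.inf echo AuditLogRetentionPeriod=0
    REM Restrict Guest access to the System log
    >>logcfg.inf echo RestrictGuestAccess=1
    REM Security log
    >>logcfg.inf echo [Security Log]
    >>logcfg.inf echo MaximumLogSize=8192
    >>logcfg.inf echo AuditLogRetentionPeriod=0
    >>logcfg.inf echo RestrictGuestAccess=1
    REM Application log. (In the original the REM comment sat on the same
    REM line as the echo and was written into the template, corrupting the
    REM section header.)
    >>logcfg.inf echo [Application Log]
    >>logcfg.inf echo MaximumLogSize=8192
    >>logcfg.inf echo AuditLogRetentionPeriod=0
    >>logcfg.inf echo RestrictGuestAccess=1
    call :secedit_apply logcfg

    :: ---- autoplay / autorun --------------------------------------------
    REM The HKCU value only affects the user running this script; the HKLM
    REM policy value (255 = all drive types) is the machine-wide setting.
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

    :: ---- interactive logon: do not display last user name -------------
    echo **** 配置登录屏幕上不要显示上次登录的用户名
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

    :: ---- administrative shares -----------------------------------------
    REM Only C$ is removed here; add or remove drive letters as needed.
    REM Stopping lanmanserver (Server service) ends ALL SMB file sharing
    REM and the ADMIN$ share that remote administration tools rely on;
    REM start=demand keeps it from starting again at boot. Keep this
    REM section only if the host is not managed over SMB.
    net share c$ /delete
    net share admin$ /delete
    sc stop browser
    sc stop dfs
    sc stop lanmanserver
    sc config browser start= demand
    sc config dfs start= demand
    sc config lanmanserver start= demand
    REM Do not recreate the administrative shares when the service starts
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f

    :: ---- anonymous (null session) restrictions -------------------------
    REM Disallow anonymous enumeration of SAM accounts and shares
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f

    :: ---- Windows Update / WSUS -----------------------------------------
    echo **** 启用并正确配置WSUS(自动下载并通知安装)
    REM "Configure Automatic Updates": AUOptions 3 = download and notify
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
    REM "Specify intranet Microsoft update service location"
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d "%WSUS_SERVER%" /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d "%WSUS_SERVER%" /f

    :: ---- Remote Desktop: enable, require Network Level Authentication --
    REM fDenyTSConnections=0 ENABLES RDP; set it to 1 if RDP is not needed.
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f

    :: ---- Windows Firewall ----------------------------------------------
    netsh advfirewall set allprofiles state on
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 1 /f

    REM Inbound rules: "Echo Request - ICMPv4-In" and "Remote Desktop".
    REM These are written straight into the FirewallRules key, as in the
    REM original; the supported route is "netsh advfirewall firewall set
    REM rule group=<localised group name> new enable=yes". %SystemRoot%
    REM is expanded by cmd before the value is stored.
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v FPS-ICMP4-ERQ-In /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|" /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|Name=@FirewallAPI.dll,-28753|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|" /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-UserMode-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28853|Desc=@FirewallAPI.dll,-28856|EmbedCtxt=@FirewallAPI.dll,-28852|" /f

    :: ------------- end of the original baseline ------------------------

    :: ------------- additions ------------------------------------------
    REM Shares accessible anonymously: none. "reg add /f" replaces the
    REM value, so the separate .reg deletion the original did is unneeded.
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "" /f

    REM Remotely accessible registry paths and sub-paths: none.
    REM NOTE(review): emptying both lists also blocks remote event log,
    REM performance counter and similar management access - confirm this
    REM is acceptable before deploying.
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f

    :: ---- TCP/IP hardening ----------------------------------------------
    REM Drop all source-routed packets (2 = highest protection)
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
    REM Kept from the original ("fragment attack protection"). 1 is the
    REM Windows default for path-MTU discovery and is not by itself a
    REM fragmentation defence - confirm against your baseline.
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f
    REM SYN-flood values. The original wrote them under ...\Services, where
    REM nothing reads them; they belong under Tcpip\Parameters.
    REM NOTE(review): Windows Vista/Server 2008 and later keep SYN attack
    REM protection always on and ignore SynAttackProtect / TcpMaxPortsExhausted
    REM / TcpMaxHalfOpen / TcpMaxHalfOpenRetried; they are kept only for
    REM baseline-checker compatibility. EnableICMPRedirect=0 is honoured.
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect /t REG_DWORD /d 2 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted /t REG_DWORD /d 5 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen /t REG_DWORD /d 500 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 400 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f

    :: ---- finish --------------------------------------------------------
    popd
    if defined FAILED (
        echo [WARN] One or more secedit steps reported errors; the work
        echo [WARN] directory with the .log files has been kept:
    ) else (
        if exist "%WORK%\" rd /s /q "%WORK%"
    )
    if defined FAILED echo %WORK%
    echo ">>更改完成 任意键退出!!!"
    pause
    exit /b 0

    :need_admin
    echo [ERROR] This script must be run from an elevated ^(Administrator^) prompt.
    exit /b 1

    :no_workdir
    echo [ERROR] Cannot create the work directory %WORK%
    exit /b 1

    :secedit_apply
    REM Apply security template %1.inf from the work directory, writing
    REM %1.sdb and %1.log next to it. A non-zero exit code marks the run
    REM as failed so the logs are kept. secedit can also report per-setting
    REM problems with exit code 0, so the .log file is the authoritative
    REM record when a setting does not take effect.
    secedit /configure /db "%~1.sdb" /cfg "%~1.inf" /log "%~1.log" /quiet
    if errorlevel 1 (
        echo [WARN] secedit failed for %~1.inf -- see %~1.log
        set "FAILED=1"
    )
    exit /b 0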
    

     将上述代码复制到 xxx.bat 文件中，然后运行该文件即可。

  • 原文地址:https://www.cnblogs.com/AdairHpn/p/13525592.html