安全设置【转】

---不知道出处了

 

为了减轻SA们设置主机安全的工作,写了个批处理,这里是主要部分,需要用到2个文件,secedit.inf和policy.ipsec,这里就不提供了

其实就是设置好的本地安全策略和ipsec规则然后导出来的。
其中有一部分的地方不知道如何实现,就是不知道在命令行下如何添加TCP/IP筛选,如TCP的只允许80等端口。(补充:2000/2003 的 TCP/IP 筛选保存在注册表中——Tcpip\Parameters 下的 EnableSecurityFilters,以及各网卡 Interfaces\{GUID} 下的 TCPAllowedPorts/UDPAllowedPorts/RawIPAllowedProtocols——可以用 reg add 写入,但需要重启才生效,端口写错会把远程桌面也挡住,请先在控制台上测试。)
 
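:Policy
::*********************本地安全策略设置************************
:: Local security policy: import the prepared secedit.inf template.
:: The original referenced %system%, which is not a standard variable and
:: expands to nothing; the template directory lives under %SystemRoot%.
:: Path separators were garbled to '"' in the posted copy and are restored here.
:: NOTE(review): the :QUIT label used by every "goto :QUIT" below is not in
:: this excerpt; cmd aborts the whole script if the label is missing.
:: NOTE(review): choice.exe ships with Server 2003 and later, not with XP.
:: Keep a copy of the current policy first so the change can be rolled back
:: with: secedit /configure /db rollback.sdb /cfg secedit_backup.inf
secedit /export /cfg secedit_backup.inf /quiet
copy secedit.inf "%SystemRoot%\security\templates\secedit.inf"
:: /overwrite empties secedit2.sdb before the import so only this template
:: applies; /log leaves the outcome next to the script for review.
secedit /configure /db "%SystemRoot%\security\database\secedit2.sdb" /cfg "%SystemRoot%\security\templates\secedit.inf" /overwrite /log secedit.log /quiet
gpupdate
choice /C GQ /M "本地安全策略设置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: "if errorlevel N" is true for any exit code >= N, so the highest code must
:: be tested first; the original tested 1 first, so pressing Q never exited.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :SERVICE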
 

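:SERVICE
::*********************处理服务********************************
:: Stop and disable services that add network or local attack surface.
:: "sc config ... start= disabled" requires the space after "=" (sc syntax).
:: "sc stop" returns before the service has finished stopping; the disabled
:: start type still takes effect, so a running service is gone after reboot.
:: Record the pre-change state of EVERY service for rollback.  The original
:: used "stype=", which sc rejects; the option is "type=", and "state= all"
:: is needed so stopped services are listed as well.
@sc query type= service state= all > service.txt
 
:: Computer Browser - NetBIOS browse-list traffic, not needed on a server.
@sc stop Browser
@sc config Browser start= disabled
:: Only this first service is written to service.log in the original; the
:: full before-state is in service.txt above.
echo 禁用Computer Browser服务 > service.log
 
:: DHCP Client - CAUTION: only safe on a host with a static address; with a
:: DHCP-assigned address the lease is never renewed and the host drops off
:: the network.
@sc stop dhcp
@sc config dhcp start= disabled
 
:: TCP/IP NetBIOS Helper - NetBIOS-over-TCP name resolution.
@sc stop LmHosts
@sc config LmHosts start= disabled
 
:: Help and Support.
@sc stop helpsvc
@sc config helpsvc start= disabled
 
:: Remote Registry - removes a common remote-enumeration path; some
:: monitoring/inventory tools depend on it.
@sc stop RemoteRegistry
@sc config RemoteRegistry start= disabled
 
:: Task Scheduler - every scheduled task (and at.exe) stops working.
@sc stop Schedule
@sc config Schedule start= disabled
 
:: Print Spooler - no printing from this host afterwards.
@sc stop Spooler
@sc config Spooler start= disabled
 
:: Wireless Zero Configuration - not used on a wired server.
@sc stop WZCSVC
@sc config WZCSVC start= disabled
 
:: Shell Hardware Detection - AutoPlay handling.
@sc stop ShellHWDetection
@sc config ShellHWDetection start= disabled
 
:: Server (SMB) - CAUTION: disables file/print sharing AND the admin shares
:: (C$, ADMIN$) that remote administration tools rely on.
@sc stop lanmanserver
@sc config lanmanserver start= disabled
 
:: Workstation - CAUTION: the host can no longer reach SMB shares, and
:: Net Logon depends on this service, so do not do this on a domain member.
@sc stop lanmanworkstation
@sc config lanmanworkstation start= disabled
::*****************服务处理完毕********************************
choice /C GQ /M "服务设置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: Higher errorlevel first: "if errorlevel N" matches every code >= N.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :DISKACL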
 
 
 
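:DISKACL
::*******************设置磁盘根目录权限***********************
:: Remove the broad default ACEs (Everyone / Users / CREATOR OWNER) from the
:: root directory of every fixed disk (wmic MediaType=12 = fixed hard disk).
:: No /T is used, so only the root directory's own ACL changes.
:: CAUTION: non-admin logons and service accounts normally need at least
:: Read/Execute on the root of the system drive; verify they still work.
:: cacls is deprecated from Vista on (icacls is the replacement).
:: wmic output lines end in CR CR LF and "for /F" leaves the trailing CR on
:: the token, which would give "C:<CR>\nul"; the inner for /F re-parses the
:: token and drops the CR before it is used in a path.
for /F %%d in ('wmic logicaldisk where "MediaType=12" get DeviceID ^| find /V "DeviceID"') do (
    for /F "delims=" %%e in ("%%d") do (
        rem %%e\nul exists only if the drive root is reachable
        if exist %%e\nul (
         cacls %%e /E /R "everyone"
         cacls %%e /E /R "users"
         cacls %%e /E /R "CREATOR OWNER"
        )
    )
)
choice /C GQ /M "磁盘根目录权限设置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: Higher errorlevel first: "if errorlevel N" matches every code >= N.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :DirectoryACL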
 
 
 
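:DirectoryACL
REM ****************** 设置重要目录权限*************************
:: Remove broad ACEs from the top of the profiles directory.  No /T, so the
:: per-user profile folders underneath keep their own ACLs.
:: (Path separators were garbled to '"' in the posted copy; restored here.)
cacls "%SystemDrive%\Documents and Settings" /E /R "Everyone"
cacls "%SystemDrive%\Documents and Settings" /E /R "Power Users"
cacls "%SystemDrive%\Documents and Settings" /E /R "Users"
::If exist %SystemDrive%\Inetpub\nul
:: Program Files: "/G" WITHOUT "/E" REPLACES the entire ACL (recursively,
:: because of /T) with SYSTEM:F; the second call then adds Administrators.
:: "echo Y|" answers cacls's "Are you sure" prompt (the accepted letter is
:: locale-dependent); /C makes the second pass continue past access-denied.
:: CAUTION: afterwards Users have NO access to Program Files, so anything run
:: by a non-admin account or a service account (e.g. an IIS worker process)
:: fails to load; re-grant Read/Execute on the application folders you need.
echo Y|cacls "%ProgramFiles%" /T /G system:F
cacls "%ProgramFiles%" /T /E /C /G administrators:F
choice /C GQ /M "重要目录权限设置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: Higher errorlevel first: "if errorlevel N" matches every code >= N.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :FileACL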
 

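:FileACL
::***************** 设置重要文件权限**************************
:: Restrict command-line tools commonly abused after a low-privilege
:: compromise (e.g. a webshell running as the IIS worker) to administrators.
:: "/G" without "/E" REPLACES the file's ACL.  The original granted ONLY
:: Administrators, which also locks out LocalSystem - services, scheduled
:: tasks and the OS itself spawn cmd.exe / netsh.exe / sc.exe as SYSTEM - so
:: SYSTEM:F is granted alongside Administrators here.  /T was dropped: it has
:: no effect on a single file.
:: "echo Y|" answers cacls's confirmation prompt (letter is locale-dependent).
:: This is defence-in-depth only: an attacker who can write to disk can bring
:: a private copy of any of these tools, and the copies kept by Windows File
:: Protection in %SystemRoot%\system32\dllcache keep their original ACL.
:: Restricting cscript/wscript also breaks logon scripts for non-admin users.
:: (Path separators were garbled to '"' in the posted copy; restored here.)
echo Y|cacls "%SystemRoot%\system32\at.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\cmd.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\cscript.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\ftp.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\net.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\net1.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\netsh.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\netstat.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\runas.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\reg.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\telnet.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\tftp.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\tlntadmn.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\wscript.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\attrib.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\tasklist.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\taskkill.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\tskill.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\route.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\finger.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\runonce.exe" /G administrators:F system:F
:: The original named "regsvr.exe", which is not a stock system32 binary;
:: the COM registration tool is regsvr32.exe.
echo Y|cacls "%SystemRoot%\system32\regsvr32.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\sc.exe" /G administrators:F system:F
echo Y|cacls "%SystemRoot%\system32\format.com" /G administrators:F system:F
choice /C GQ /M "重要文件权限设置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: Higher errorlevel first: "if errorlevel N" matches every code >= N.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :TcpIPFilter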
 
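:TcpIPFilter
::****************TCP/IP筛选配置*****************************
:: Intentionally empty in the original (the author did not know how to set
:: TCP/IP filtering from the command line).  On NT4 / 2000 / 2003 the feature
:: is registry-driven:
::   HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
::     EnableSecurityFilters (REG_DWORD) = 1
::   HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{adapter GUID}
::     TCPAllowedPorts / UDPAllowedPorts / RawIPAllowedProtocols (REG_MULTI_SZ)
::     a single value "0" means "permit all".
:: NOTE(review): confirm the value layout against a host configured through
:: the GUI before relying on it.  A reboot is required, and a wrong port list
:: locks out RDP - test from the console.  This script already assigns an
:: IPsec policy and enables the Windows Firewall; a third filtering layer
:: mostly complicates troubleshooting, so consider putting the port rules in
:: the firewall section instead.  Template (TCP 80 and 3389 only):
::   reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableSecurityFilters /t REG_DWORD /d 1 /f
::   reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}" /v TCPAllowedPorts /t REG_MULTI_SZ /d "80\03389" /f
 
choice /C GQ /M "TCP/IP筛选设置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: Higher errorlevel first: "if errorlevel N" matches every code >= N.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :SecPol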
 

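:SecPol
::****************IPSEC策略配置******************************
:: Import the pre-built policy (relative to the current directory) and
:: assign it.  "name=ipsec" must match the policy name stored inside
:: policy.ipsec; the original assigned unconditionally, so a failed import
:: produced a silent no-op.  netsh returns non-zero on most errors, so the
:: assign is skipped when the import fails.
:: CAUTION: assigning a block-by-default IPsec policy over RDP drops the
:: session unless the policy exempts the management address/port - run it
:: from the console the first time.  Only one local IPsec policy can be
:: assigned at a time; this replaces whatever was assigned before.
netsh ipsec static importpolicy policy.ipsec
if errorlevel 1 (
    echo IPsec policy import failed - policy NOT assigned, check policy.ipsec
) else (
    netsh ipsec static set policy name=ipsec assign=y
)
choice /C GQ /M "IPSEC策略配置完毕.继续请按G,退出请按Q.10秒后默认继续" /T 10 /D G
:: Higher errorlevel first: "if errorlevel N" matches every code >= N.
if errorlevel 2 goto :QUIT
if errorlevel 1 goto :FireWallSet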
 
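:FireWallSet
::**************** Windows 防火墙设置************************
:: SharedAccess is the Windows Firewall / ICS service on XP SP2 and 2003 SP1.
:: "netsh firewall" is the XP/2003 context; Vista and later use
:: "netsh advfirewall" (the old context is deprecated there).
:: CAUTION: "set opmode ENABLE" starts filtering immediately with only the
:: default exceptions, so an RDP session is dropped unless an exception
:: exists; add the management exception BEFORE enabling, for example:
::   netsh firewall add portopening protocol=TCP port=3389 name=RDP mode=ENABLE
::   netsh firewall add portopening protocol=TCP port=80 name=HTTP mode=ENABLE
:: The IPsec policy assigned above filters independently of this firewall.
sc config SharedAccess start= auto
sc start SharedAccess
netsh firewall set opmode ENABLE
:: The two lines below were bare placeholder text in the original and would
:: have run as (failing) commands; they are kept as comments.
::....................这里会有设置防火墙规则部分................
::............................................................
goto :QUIT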
