等保加固Windows防火墙命令行配置指南

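:: Windows Defender Firewall hardening (MLPS / 等保 baseline) via netsh.
:: Run from an elevated cmd prompt. Rules are added first and the firewall is
:: switched on last, so a half-applied run does not lock the admin out.
::
:: Make sure the firewall service (MpsSvc) is running now and comes back after
:: a reboot; with the service stopped every rule below is a no-op.
sc config mpssvc start= auto
net start mpssvc

:: Default inbound policy must be "block" for the allow rules below to mean
:: anything; state it explicitly instead of relying on the profile default.
:: Block rules always win over allow rules regardless of creation order.
netsh advfirewall set allprofile firewallpolicy blockinbound,allowoutbound

:: "add rule" is not idempotent: re-running the script would stack duplicate
:: rules. Delete our own named rules first so repeated runs converge.
:: ("delete rule" only prints "No rules match" on a fresh machine; harmless.)
netsh advfirewall firewall delete rule name=allow_rdp
netsh advfirewall firewall delete rule name=deny_tcp_port
netsh advfirewall firewall delete rule name=deny_udp_port
netsh advfirewall firewall delete rule name=allow_app_port
netsh advfirewall firewall delete rule name=allow_snmp_port
netsh advfirewall firewall delete rule name=allow_445_port
netsh advfirewall firewall delete rule name=allow_EBackup_program

:: Remote Desktop: only the listed admin hosts may reach 3389/tcp.
:: NOTE: if this script is run over RDP from a host NOT in this list, the
:: session drops the moment the firewall is enabled at the end.
netsh advfirewall firewall add rule name=allow_rdp dir=in action=allow description="允许远程桌面策略" enable=yes profile=public,private,domain remoteip=192.168.11.42,192.168.11.44,192.168.10.250,192.168.168.249,192.168.168.252 localport=3389 protocol=tcp
:: Disable the built-in (unscoped) RDP rules so the scoped rule above is the
:: only way in.
:: CAUTION: these are the zh-CN localized rule names. On an English OS they are
:: "Remote Desktop (TCP-In)" etc.; "set rule" then reports "No rules match" and
:: the script keeps going, leaving RDP open to everyone. Verify afterwards with:
::   netsh advfirewall firewall show rule name=all | findstr /i "3389"
netsh advfirewall firewall set rule name="远程桌面(TCP-In)" new enable=no
netsh advfirewall firewall set rule name="远程桌面 - 用户模式(TCP-In)" new enable=no
netsh advfirewall firewall set rule name="远程桌面 - 用户模式(UDP-In)" new enable=no
netsh advfirewall firewall set rule name="远程桌面 - RemoteFX (TCP-In)" new enable=no

:: Block RPC endpoint mapper / NetBIOS (135-139) inbound on both protocols.
netsh advfirewall firewall add rule name=deny_tcp_port dir=in action=block description="关闭风险端口" enable=yes profile=public,private,domain localport=135-139 protocol=tcp
netsh advfirewall firewall add rule name=deny_udp_port dir=in action=block description="关闭风险端口" enable=yes profile=public,private,domain localport=135-139 protocol=udp

:: Application ports. No remoteip= here, so 1433 (SQL Server), 4899 (Radmin
:: remote control) and 8080-8088 are reachable from ANY source on every profile.
:: TODO(review): add remoteip=<app servers / admin hosts> at least for 1433 and
:: 4899 -- a database and a remote-control tool should never be world-reachable.
netsh advfirewall firewall add rule name=allow_app_port dir=in action=allow description="开放应用端口" enable=yes profile=public,private,domain localport=1433,4899,8080-8088 protocol=tcp

:: SNMP agent. Also unscoped; restrict with remoteip=<NMS address> so only the
:: monitoring server can query (and brute-force) the community string.
netsh advfirewall firewall add rule name=allow_snmp_port dir=in action=allow description="开放snmp端口" enable=yes profile=public,private,domain localport=161 protocol=udp

:: Disable every built-in rule that opens 445/tcp (SMB / named pipes).
:: Same localized-name caveat as for the RDP rules above.
netsh advfirewall firewall set rule name="Netlogon 服务(NP-In)" new enable=no
netsh advfirewall firewall set rule name="Telnet 远程管理(NP-In)" new enable=no
netsh advfirewall firewall set rule name="文件和打印机共享(SMB-In)" new enable=no
netsh advfirewall firewall set rule name="远程服务管理(NP-In)" new enable=no
netsh advfirewall firewall set rule name="远程事件日志管理(NP-In)" new enable=no
netsh advfirewall firewall set rule name="DFS 管理(SMB-In)" new enable=no

:: Re-open 445/tcp for the bastion host only.
netsh advfirewall firewall add rule name=allow_445_port dir=in action=allow description="对堡垒机开放445端口" enable=yes profile=public,private,domain remoteip=192.168.11.42 localport=445 protocol=tcp

:: Allow ICMPv4 echo (ping) via the built-in rule (localized name, see above).
netsh advfirewall firewall set rule name="文件和打印机共享(回显请求 - ICMPv4-In)" new enable=yes

:: Backup agent (EBackupClient service), inbound TCP from the backup server only.
netsh advfirewall firewall add rule name=allow_EBackup_program dir=in action=allow description="开放爱数备份柜程序" enable=yes service=EBackupClient profile=public,private,domain remoteip=192.168.11.32 protocol=tcp

:: Finally turn the firewall on for all profiles.
netsh advfirewall set allprofile state on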
