dichgrem/script
1
0
Fork 0
mirror of https://github.com/Dichgrem/script.git synced 2025-02-22 13:48:36 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
Dichgrem 2024-05-26 14:56:56 +08:00 committed by GitHub
parent 2e87a313f0
commit 0355374ca8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
安全加固脚本.ps1 Normal file
View File

@ -0,0 +1,44 @@
# 禁用自动更新
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name "AUOptions" -Value 1
# 启用用户账户控制 (UAC)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1
# 启用Windows防火墙
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow
# 禁用Remote Registry服务
Set-Service -Name "RemoteRegistry" -StartupType Disabled
Stop-Service -Name "RemoteRegistry"
# 禁用Server服务
Set-Service -Name "LanmanServer" -StartupType Disabled
Stop-Service -Name "LanmanServer"
# 启用登录失败审计
auditpol /set /subcategory:"Logon" /failure:enable
# 启用账户锁定审计
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
# 禁用SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false
# 禁用不安全的TLS版本
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Force
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Force
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0
# 设置最小密码长度为12
net accounts /minpwlen:12
# 设置密码过期时间为60天
net accounts /maxpwage:60
# 设置密码复杂性要求
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "PasswordComplexity" -Value 1