From 0355374ca8a5858fc1c0b4821991dbfca2766837 Mon Sep 17 00:00:00 2001
From: Dichgrem <128880743+Dichgrem@users.noreply.github.com>
Date: Sun, 26 May 2024 14:56:56 +0800
Subject: [PATCH] Add files via upload

---
 安全加固脚本.ps1 | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 安全加固脚本.ps1

diff --git a/安全加固脚本.ps1 b/安全加固脚本.ps1
new file mode 100644
index 0000000..fa044db
--- /dev/null
+++ b/安全加固脚本.ps1
@@ -0,0 +1,44 @@
+# 禁用自动更新
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name "AUOptions" -Value 1
+
+# 启用用户账户控制 (UAC)
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 1
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1
+
+# 启用Windows防火墙
+Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
+Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow
+
+# 禁用Remote Registry服务
+Set-Service -Name "RemoteRegistry" -StartupType Disabled
+Stop-Service -Name "RemoteRegistry"
+
+# 禁用Server服务
+Set-Service -Name "LanmanServer" -StartupType Disabled
+Stop-Service -Name "LanmanServer"
+
+# 启用登录失败审计
+auditpol /set /subcategory:"Logon" /failure:enable
+
+# 启用账户锁定审计
+auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
+
+# 禁用SMBv1
+Set-SmbServerConfiguration -EnableSMB1Protocol $false
+
+# 禁用不安全的TLS版本
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Force
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Force
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Force
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 0
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0
+
+# 设置最小密码长度为12
+net accounts /minpwlen:12
+
+# 设置密码过期时间为60天
+net accounts /maxpwage:60
+
+# 设置密码复杂性要求
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "PasswordComplexity" -Value 1