Windows baseline remediation method
lsgxeva · 2026-03-06 · via 博客园 - lsgxeva


Source: https://mp.weixin.qq.com/s/BwjKk3PMyYtQnNh2TRssGg

Preface

Configuring a security baseline is the foundation of network and infrastructure security maintenance; baseline compliance effectively blocks most known attack techniques.

The remediation steps introduced here are executed as follows:

  • Paste each whole block of commands into a .txt file, rename the extension from .txt to .bat, then right-click it and run it with administrator privileges.

Baseline configuration turns many functions on or off. Do not run it on machines that are already in production, or normal operation may be disrupted.

Baseline remediation

Accounts and passwords

1> Enable password complexity requirements and a minimum password length of 8

2> Set the maximum password age (90 days)

3> Enforce that a password cannot be any of the last 5 passwords used

4> Set the account lockout threshold: lock after 6 failed attempts

5> Disable the Guest account

@echo off

echo [version] >account.inf
echo signature="$CHICAGO$" >>account.inf
echo [System Access] >>account.inf

REM Set the minimum password length to 8 and enable password complexity requirements
echo MinimumPasswordLength=8 >>account.inf
echo PasswordComplexity=1 >>account.inf

REM Set the maximum password age to 90 days
echo MaximumPasswordAge=90 >>account.inf

REM Enforce a password history of 5
echo PasswordHistorySize=5 >>account.inf

REM Set the account lockout threshold to 6 attempts
echo LockoutBadCount=6 >>account.inf

REM Disable the Guest account
echo EnableGuestAccount=0 >>account.inf

secedit /configure /db account.sdb /cfg account.inf /log account.log /quiet
del account.*
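After applying the template, a practitioner wants to confirm that the effective policy really matches the baseline rather than trusting the exit code of secedit. The following PowerShell script is an added example, not code from the original post: it exports the local security policy with secedit /export, parses the [System Access] section, and compares each value against the five items above. The function and rule names are this example's own; it assumes an elevated prompt and Windows PowerShell 3.0 or later.

```powershell
# Added example (not code from the original post): export the effective local
# security policy with secedit and compare [System Access] against the baseline.
# secedit /export needs administrator rights, so run from an elevated prompt.

function Get-SystemAccessPolicy {
    $inf = Join-Path $env:TEMP ('baseline-' + [guid]::NewGuid() + '.inf')
    secedit /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit /export produced no file; run as administrator.' }
    $policy = @{}
    $section = ''
    # secedit writes UTF-16 LE with a BOM, which Get-Content detects automatically.
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -Force
    return $policy
}

# One rule per baseline item. Each test accepts settings at least as strict as
# the baseline (a 14-character minimum still passes "length >= 8"); a
# MaximumPasswordAge of -1 means "never expires" and therefore fails.
$rules = @(
    @{ Key = 'MinimumPasswordLength'; Want = '>= 8';  Test = { param($v) [int]$v -ge 8 } }
    @{ Key = 'PasswordComplexity';    Want = '1';     Test = { param($v) [int]$v -eq 1 } }
    @{ Key = 'MaximumPasswordAge';    Want = '1..90'; Test = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } }
    @{ Key = 'PasswordHistorySize';   Want = '>= 5';  Test = { param($v) [int]$v -ge 5 } }
    @{ Key = 'LockoutBadCount';       Want = '1..6';  Test = { param($v) [int]$v -ge 1 -and [int]$v -le 6 } }
    @{ Key = 'EnableGuestAccount';    Want = '0';     Test = { param($v) [int]$v -eq 0 } }
)

function Test-AccountBaseline {
    $policy = Get-SystemAccessPolicy
    foreach ($r in $rules) {
        $actual = $policy[$r.Key]
        [pscustomobject]@{
            Setting   = $r.Key
            Expected  = $r.Want
            Actual    = $actual
            Compliant = ($null -ne $actual) -and (& $r.Test $actual)
        }
    }
}

$report = Test-AccountBaseline
$report | Format-Table -AutoSize
# A non-zero exit code makes the check usable from a scheduled task or a CI job.
if ($report.Compliant -contains $false) { exit 1 }
```

Running it before and after the .bat above shows exactly which of the six values changed, and it can be scheduled to detect later drift (for example a local administrator loosening the lockout threshold).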

Authentication and authorization

1> Restrict anonymous connections (anonymous enumeration of SAM accounts and shares)

2> Remove the remotely accessible registry paths and sub-paths

@echo off

REM Restrict anonymous connections (anonymous enumeration of SAM accounts and shares)
echo Windows Registry Editor Version 5.00>ipc.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>ipc.reg
echo "RestrictAnonymous"=dword:1>>ipc.reg
echo "restrictanonymoussam"=dword:1>>ipc.reg
regedit /s ipc.reg
del ipc.reg

REM Remove the remotely accessible registry paths and sub-paths
REM ("Machine"=- deletes the value; the reg add lines afterwards recreate it empty)
echo Windows Registry Editor Version 5.00>aep.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths]>>aep.reg
echo "Machine"=->>aep.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths]>>aep.reg
echo "Machine"=->>aep.reg
regedit /s aep.reg
del aep.reg
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f

Logging and auditing

1> Enable auditing of privilege use

2> Enable auditing of system events

3> Enable auditing of process tracking

4> Enable auditing of policy change

5> Enable auditing of account logon events

6> Enable auditing of directory service access

7> Enable auditing of account management

8> Enable auditing of object access

9> Enable auditing of logon events

@echo off

echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM In [Event Audit], 1 = success, 2 = failure, 3 = success and failure
REM Enable auditing of privilege use
echo AuditPrivilegeUse=3 >>audit.inf
REM Enable auditing of system events
echo AuditSystemEvents=3 >>audit.inf
REM Enable auditing of process tracking
echo AuditProcessTracking=3 >>audit.inf
REM Enable auditing of policy change
echo AuditPolicyChange=3 >>audit.inf
REM Enable auditing of account logon events
echo AuditAccountLogon=3 >>audit.inf
REM Enable auditing of directory service access
echo AuditDSAccess=3 >>audit.inf
REM Enable auditing of account management
echo AuditAccountManage=3 >>audit.inf
REM Enable auditing of object access
echo AuditObjectAccess=3 >>audit.inf
REM Enable auditing of logon events
echo AuditLogonEvents=3 >>audit.inf
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
del audit.*
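The [Event Audit] values above set the nine legacy audit categories. On Windows Vista / Server 2008 and later, the effective audit policy is decided per subcategory, so the reliable way to confirm that the nine categories really audit both success and failure is to read the subcategory view with auditpol. The following PowerShell is an added example, not code from the original post: it uses auditpol's CSV output (/r) and lists every subcategory that is not set to "Success and Failure". It assumes an English-locale system, because auditpol localizes both the CSV column headers and the setting strings; the function name is this example's own.

```powershell
# Added example (not code from the original post): find audit subcategories that
# do not audit both success and failure. Assumes an English locale, because
# auditpol localizes the column names ("Subcategory", "Inclusion Setting") and
# the values ("Success and Failure"). Needs an elevated prompt.

function Get-AuditGap {
    $rows = auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |   # auditpol emits blank lines around the CSV
        ConvertFrom-Csv
    if (-not $rows) { throw 'auditpol returned no data; run as administrator.' }
    $rows |
        Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

$gaps = @(Get-AuditGap)
if ($gaps.Count -eq 0) {
    Write-Host 'Every audit subcategory audits success and failure.'
} else {
    Write-Host "$($gaps.Count) subcategories are not auditing success and failure:"
    $gaps | Format-Table -AutoSize
    exit 1
}
```

Because the check works at subcategory level, it also catches the common case where a later Group Policy or a local auditpol /set call has silently narrowed one subcategory (for example Logon to success only) while the category-level template still looks compliant.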

Other security

1> Disable the DHCP Client

2> Disable the default Windows administrative (hard disk) shares

3> Disable Windows AutoPlay

@echo off

REM Disable the DHCP Client service
net stop "DHCP Client" /y
sc config Dhcp start= disabled

REM Remove the current default shares (this also disables the Server service, so the host stops offering file and printer shares)
sc config LanmanServer start= disabled
net share ipc$ /del
net share c$ /del
net share admin$ /del
echo Windows Registry Editor Version 5.00>s.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]>>s.reg
echo "AutoShareServer"=dword:0>>s.reg
echo "AutoShareWks"=dword:0>>s.reg
regedit /s s.reg
del s.reg

REM Disable AutoPlay
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v DisableAutoplay /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

Note: disabling the DHCP Client only takes effect after a reboot. If the host previously obtained its address via DHCP, first configure the IP address, gateway and DNS it obtained as static settings, and only then reboot!

Protocol security

1> Enable Windows Firewall

2> Change the default Remote Desktop service port

3> Configure source-routing attack protection

4> Configure SYN attack protection

5> Configure TCP fragmentation attack protection

@echo off

REM Enable Windows Firewall
netsh advfirewall set allprofiles state on
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 1 /f

REM Change the Remote Desktop port to 23389 and enable the inbound firewall rules "Echo Request - ICMPv4-In" and "Remote Desktop Services"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v FPS-ICMP4-ERQ-In /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=23389|App=System|Name=@FirewallAPI.dll,-28753|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v RemoteDesktop-UserMode-In-TCP /t REG_SZ /d "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=23389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28853|Desc=@FirewallAPI.dll,-28856|EmbedCtxt=@FirewallAPI.dll,-28852|" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 23389 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 23389 /f
netsh advfirewall firewall add rule name="Remote PortNumber" dir=in action=allow protocol=TCP localport="23389"

REM Source-routing spoofing protection
echo Windows Registry Editor Version 5.00>route.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]>>route.reg
echo "DisableIPSourceRouting"=dword:2>>route.reg
regedit /s route.reg
del route.reg

REM SYN flood protection (dword values are hexadecimal: 01f4 = 500, 190 = 400)
echo Windows Registry Editor Version 5.00>SynAttack.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>SynAttack.reg
echo "SynAttackProtect"=dword:1>>SynAttack.reg
echo "TcpMaxPortsExhausted"=dword:5>>SynAttack.reg
echo "TcpMaxHalfOpen"=dword:01f4>>SynAttack.reg
echo "TcpMaxConnectResponseRetransmissions"=dword:2>>SynAttack.reg
echo "TcpMaxHalfOpenRetried"=dword:190>>SynAttack.reg
REM DDOS (ignore ICMP redirects)
echo "EnableICMPRedirect"=dword:0>>SynAttack.reg
regedit /s SynAttack.reg
del SynAttack.reg

REM Fragmentation attack protection
echo Windows Registry Editor Version 5.00>sp.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]>>sp.reg
echo "EnablePMTUDiscovery"=dword:1>>sp.reg
regedit /s sp.reg
del sp.reg

Note: the example changes the Remote Desktop port to 23389. To use a different port, search for every occurrence of 23389 and change each one.
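The "Authentication and authorization", "Other security" and "Protocol security" scripts all write registry values, service start types and firewall state, and none of them reads anything back. The following PowerShell is an added example, not code from the original post: it re-reads the values those three scripts set (RestrictAnonymous, the AutoShare values, NoDriveTypeAutoRun, DisableIPSourceRouting, EnableICMPRedirect, the RDP PortNumber), the start type of the DHCP Client and Server services, the state of every firewall profile, and whether an enabled inbound allow rule for TCP/23389 exists, and reports any drift. The function names are this example's own; 23389 is the example port from the post. It assumes an elevated prompt and Windows 8 / Server 2012 or later with PowerShell 5.1 (for the NetSecurity cmdlets and the StartType property of Get-Service).

```powershell
# Added example (not code from the original post): read back what the baseline
# scripts set and report drift. Paths and values are the ones the scripts use;
# 23389 is the example RDP port from the post. Needs an elevated prompt and
# Windows 8 / Server 2012+ with PowerShell 5.1.

$registryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'RestrictAnonymous';      Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'RestrictAnonymousSAM';   Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'AutoShareServer';        Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'AutoShareWks';           Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';    Value = 255 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';         Name = 'DisableIPSourceRouting'; Value = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';         Name = 'EnableICMPRedirect';     Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber'; Value = 23389 }
)

function Get-RegistryValueOrNull([string]$Path, [string]$Name) {
    # $null (not an exception) when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-HostBaseline {
    $report = New-Object System.Collections.Generic.List[object]

    foreach ($c in $registryChecks) {
        $actual = Get-RegistryValueOrNull $c.Path $c.Name
        $report.Add([pscustomobject]@{
            Check = $c.Name; Expected = $c.Value; Actual = $actual
            Compliant = ($actual -eq $c.Value)
        })
    }

    # Services the scripts disable: DHCP Client (Dhcp) and Server (LanmanServer).
    foreach ($svc in 'Dhcp', 'LanmanServer') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $report.Add([pscustomobject]@{
            Check = "Service:$svc"; Expected = 'Disabled'; Actual = $s.StartType
            Compliant = ($null -ne $s -and $s.StartType -eq 'Disabled')
        })
    }

    # Every firewall profile (Domain, Private, Public) must be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        $report.Add([pscustomobject]@{
            Check = "Firewall:$($p.Name)"; Expected = 'True'; Actual = "$($p.Enabled)"
            Compliant = ("$($p.Enabled)" -eq 'True')
        })
    }

    # After moving RDP to 23389, an enabled inbound allow rule for that port must
    # exist, or the next reboot locks remote administrators out of the host.
    $rdpRule = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and @($_.LocalPort) -contains '23389' }
    $report.Add([pscustomobject]@{
        Check = 'Inbound allow rule TCP/23389'; Expected = 'present'
        Actual = $(if ($rdpRule) { 'present' } else { 'missing' })
        Compliant = [bool]$rdpRule
    })

    return $report
}

$report = Test-HostBaseline
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) { exit 1 }
```

The RDP rule check deserves the extra lines: of everything in this post, changing the Remote Desktop port is the step most likely to cut off remote administration, so a verifier should prove the firewall path before anyone reboots.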

========= End