服务器初装安全脚本(windows下,基于WEB服务器)

最近闲来没时做了一个WEB服务器系统初状脚本,没事发分享一下,水平有限,如果各位发现有什么错误请指出

先发父脚本(随便取的一个名称,大家不要较真)

 

@echo off
echo  本程序完成服务器初始安全设置，并安装必要的一些软件。如nod32、servU、金山ARP防火墙等。
echo 安装win2003后把远程桌面属性打上勾！检查是否已经安装好了iis,检查SP2补丁是否已经安装！改为每天3:00自动更新打补丁！在没有封好端口之前不要连网!
pause
echo "打开win2003的防火墙功能，设置为只允许远程桌面,21,25,80,110等端口。并在高级里面>icmp>允许回显，这样允许ping，方便调试！"
pause
echo "屏蔽端口,只允许21,80,1433,3389"
pause
md E:\bkup
md D:\wwwroot
md E:\bkup\logbkup
copy bat\bkup.bat E:\bkup
copy bat\path.txt E:\bkup
copy bat\webback.bks E:\bkup
echo 设置备份,并添加到计划任务
pause
echo 设置每周一运行网站目录的基本备份,备份文件包为backupA,并请输入管理员密码
schtasks /create /tn "WebbackA" /tr echo 设置每周二至周日凌晨1点30分执行网站目录增量备份,备份文件包为backupB,输入管理员密码
schtasks /create /tn "WebbackB" /tr echo 如需更换备份目录，请用记事本打开E:\bkup\webback.bks文件，可编辑网站目录
pause
echo 开始安装杀毒软件、ARP防火墙、WINRAR
exe\nod32.msi
exe\KAntiarp.exe
exe\WinRAR.exe
pause
echo "开始安装servU "
net user ftpu ssncn2008 /add
pause
exe\ServU.exe
exe\hx.exe
echo "设置注册表中HKLM\software\cat soft权限为servu完全控制，删除user,terimnal user对该项的控制.并将serv-u服务以ftpu身份运行，密码ssncn2008"
pause

call bat\system.bat
echo 打开IP安全策略,导入WEB服务器安全策略.ipsec.并指派
pause
echo 基本安全配置完成
pause
exit

 

 

下面是systemqx.bat

 

echo y|cacls.exe C:\ /p Administrators:f system:f
echo y|cacls.exe "C:\Program Files" /t /p Administrators:f system:f everyone:r
echo y|cacls.exe  "C:\Program Files\Common Files" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe c:\windows /p Administrators:f system:f
echo y|cacls.exe c:\windows\system32 /p Administrators:f system:f
echo y|cacls.exe C:\WINDOWS\system32\inetsrv /p Administrators:f system:f everyone:r
echo y|cacls.exe  "C:\Program Files\Dimac" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe  "C:\Program Files\Persits Software" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe  "C:\Program Files\Software Artisans" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Documents and Settings" /p Administrators:f system:f
echo y|cacls.exe "C:\Documents and Settings\All Users" /t /p Administrator:f system:f everyone:r
echo y|cacls.exe c:\php /t /p Administrators:f system:f everyone:r
echo y|cacls.exe c:\windows\temp /p everyone:f
echo y|cacls.exe D:\ /p Administrators:f system:f servU:f everyone:f
echo y|cacls.exe d:\tmp /p everyone:f
echo y|cacls.exe e:\ /p Administrators:f system:f
echo y|cacls.exe "C:\Program Files\Serv-U" /t /p Administrator:f servu:f
echo y|cacls.exe d:\download /p Administrators:f system:f
echo y|cacls.exe d:\wwwroot /p Administrators:f everyone:f
echo y|cacls.exe d:\serverUlog /p Administrators:f system:f servu:f
echo y|cacls.exe %systemroot%\system32\shell32.dll /p Administrators:f
echo y|cacls.exe %systemroot%\system32\wshom.ocx /p Administrators:f
echo y|cacls.exe c:\windows\system32\*.exe /p Administrators:f system:f
echo y|cacls.exe "c:\Documents and Settings\All Users" /e /g everyone:r
echo y|cacls.exe %systemroot%\system32\svchost.exe /e /g "network service":r
echo y|cacls.exe %systemroot%\system32\msdtc.exe /e /g "network service":r
echo y|cacls.exe %windir%\system32\mtxex.dll /e /g everyone:r
echo y|cacls.exe c:\windows\system32\cmd.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net1.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\sc.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\at.exe /p Administrator:f
echo y|cacls.exe %windir%\system32\dllhost.exe /e /g everyone:r
echo y|cacls.exe c:\windows\system32\netsh.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\echo y|cacls.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\cmdkey.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\ftp.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\tftp.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\reg.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\regedt32.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\regini.exe /p Administrator:f
echo y|cacls.exe %windir%\assembly /e /t /g "network service":r
echo y|cacls.exe %windir%\Microsoft.NET /e /t /g everyone:r
echo y|cacls.exe "%windir%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /g everyone:f
echo y|cacls.exe %windir%\system32\mscoree.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\ws03res.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\msxml*.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\urlmon.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\mlang.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\TAPI32.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\WININET.dll /e /g everyone:r
cacls c:\windows\assembly /e /t /p "network service":r
cacls c:\windows\Microsoft.NET /e /t /p "network service":r
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /p "network service":f
cacls C:\WINDOWS\system32\mscoree.dll /e /g everyone:r
cacls C:\WINDOWS\system32\ws03res.dll /e /g everyone:r
cacls c:\WINDOWS /e /g "network service":r
if exist c:\windows  cacls c:\windows /e /g "network service":r
cacls c:\windows\assembly /e /t /p "network service":r
cacls c:\windows\Microsoft.NET /e /t /p "network service":r
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /p "network service":f
cacls "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" /e /t /p "network service":f
cacls C:\WINDOWS\system32\mscoree.dll /e /g everyone:r
cacls C:\WINDOWS\system32\ws03res.dll /e /g everyone:r
cacls c:\ /e /g "network service":r
cacls d:\ /e /g "network service":r
cacls c:\windows\system32 /e /g "network service":r
cacls c:\windows\system32\rasapi32.dll /e /g "network service":r
del c:\inetpub
pause

 

serviceskill.bat(这里我只例举了一些,大家实际运用中可以自行添加删除)

 

echo "禁用未用系统服务,"
pause
net stop Browser
sc config Browser start= disabled
net stop lanmanserver
sc config lanmanserver start= disabled
net stop Dhcp
sc config Dhcp start= disabled
net stop Spooler
sc config Spooler start= disabled
net stop RemoteAccess
sc config RemoteAccess start= disabled
net stop Telnet
sc config telnet start= disabled
net stop HTTPFilter
sc config HTTPFilter start= disabled
net stop WZCSVC
sc config WZCSVC start= disabled
net stop Dfs
sc config Dfs start= disabled
net stop TrkSvr
sc config TrkSvr start= disabled
net stop ERSvc
sc config ERSvc start= disabled
net stop lanmanworkstation
sc config lanmanworkstation start= disabled

 

特别要说明的是这个服务名称,最开始我也以为服务列表里显示是什么就是什么,还闹了个笑话,看真实服务名称要点开服务属性,里面显示的[服务名称]才是真实名称,如果添加那个[显示名称]起不了作用,脚本还会报错

另外还有一些注册表的项

删除默认共享:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

 

洪水***防护(不是绝对能防:P)

 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"AllowUnqualifiedQuery"=dword:00000000
"PrioritizeRecordData"=dword:00000001
"ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\
00,00,00,00
"SynAttackProtect"=dword:00000002
"EnablePMTUDiscovery"=dword:00000000
"NoNameReleaseOnDemand"=dword:00000001
"EnableDeadGWDetect"=dword:00000000
"KeepAliveTime"=dword:00300000
"PerformRouterDiscovery"=dword:00000000
"EnableICMPRedirects"=dword:00000000

 

禁用NETBIOS:

 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000004

禁止远程注册表访问:

 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

禁用WebDAV:

 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001

 

如果大家觉得一个一个导麻烦,再编个批处理,用regedit /s来一起性搞定

 

发文章只要五分钟,做这个东东用了我一天时间,虽然一方面是我技术差,但也说明我是很用心做的哈,大家提意见就可以了,不要骂

转载于:https://blog.51cto.com/sgchen/67301