Windows 2003 system security settings

Most webmasters host their sites on Windows 2003, so the security of the system cannot be ignored, and a compromised server is a headache for everyone. To help with this I collected the problems I ran into in earlier work and study and wrote a batch program: copy the code below, save it as a file with the .bat extension, and run it on the server; the server reboots automatically when it finishes. Before running it, be clear about what it does: it replaces the ACLs of drives C: to F: with Administrators and SYSTEM only (so any IIS site root or application directory has to be re-granted to its IIS identities afterwards), removes Everyone from every executable in System32 and SYSTEM from several of them, removes the default shares, assigns an IPsec policy that blocks a list of inbound ports, disables a list of services (including Workstation, DHCP Client and Cryptographic Services, which stops Windows Update and signature checks until re-enabled), unregisters the WScript.Shell and Shell.Application components, and reboots immediately without warning. Try it on a test machine first. The code is as follows:
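Because the script replaces the ACLs of four drives, removes shares, changes the IPsec policy and disables services before rebooting, a practitioner will want a record of the starting state so the result can be compared and, where possible, reverted. The following batch file is an added example and is not part of the original page: it saves the current shares, service configuration, IPsec policies, listening ports and the NTFS ACLs of drives C: to F: under a folder it creates. The folder location, the service list (taken from the hardening script) and the use of icacls for a restorable ACL export (icacls ships with Windows Server 2003 SP2; on earlier service packs the example falls back to a cacls listing that can only be reviewed, not restored) are this example's own assumptions.

```batch
@echo off
rem snapshot.bat [name] - record the state the hardening script is about to change.
rem Run as an administrator BEFORE the hardening script.
rem Output goes to %SystemDrive%\harden-backup\<name>\ (assumed location, example code).
setlocal
set NAME=%~1
if "%NAME%"=="" set NAME=snapshot
set OUT=%SystemDrive%\harden-backup\%NAME%
if exist "%OUT%" (echo %OUT% already exists, pick another name & exit /b 1)
mkdir "%OUT%" || exit /b 1

rem Shares and services as they are now. "net share" prints an error instead of a list if the
rem Server service is already stopped; that error is kept in the file as part of the record.
net share > "%OUT%\shares.txt" 2>&1
sc query type= service state= all > "%OUT%\services-state.txt"
for %%S in (LanmanServer RemoteRegistry LmHosts Spooler Browser ShellHWDetection seclogon WZCSVC TrkWks TrkSvr MSDTC CryptSvc Dhcp helpsvc LanmanWorkstation) do sc qc %%S >> "%OUT%\services-config.txt" 2>&1

rem IPsec: the readable listing is for review, the export can be re-imported later with
rem   netsh ipsec static importpolicy file="%OUT%\ipsec-policies.ipsec"
netsh ipsec static show policy all > "%OUT%\ipsec.txt"
netsh ipsec static exportpolicy file="%OUT%\ipsec-policies.ipsec"

rem Listening ports, so that after the reboot you can confirm only the intended ones went away.
netstat -an > "%OUT%\netstat.txt"

rem NTFS ACLs of every drive the script rewrites with "cacls X:\ /t /g ...". With icacls the
rem export covers the whole tree below the root (the documented "X:\* /save ... /t" form) and
rem can be put back with "icacls X:\ /restore <file>"; the root directory's own ACL is not in
rem the file and has to be re-granted by hand. This walks every file, so it takes a while.
for %%D in (C D E F) do (
  if exist %%D:\nul (
    if exist %SystemRoot%\system32\icacls.exe (
      icacls %%D:\* /save "%OUT%\acl-%%D.txt" /t /c >nul
    ) else (
      rem assumption: pre-SP2 system without icacls; listing only, cannot be restored
      cacls %%D:\ /t > "%OUT%\acl-%%D.txt"
    )
  )
)
echo Snapshot written to %OUT%
echo Example restore of drive D: after the hardening script: icacls D:\ /restore "%OUT%\acl-D.txt"
```

Keep the snapshot folder on a drive the hardening script does not touch, or copy it off the server: the script's ACL replacement will otherwise leave the folder readable only by Administrators and SYSTEM, which is acceptable for a backup but easy to forget.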

@echo off
echo This program will harden your system automatically ...

rem ---- NTFS permissions ----
rem /g without /e REPLACES the whole ACL of each drive tree with Administrators and SYSTEM only;
rem every other identity (Users, CREATOR OWNER, the IIS accounts) loses access, so web site
rem directories must be re-granted afterwards. cacls asks "Are you sure (Y/N)?" before doing
rem this; "echo y|" answers the prompt so the script runs unattended. /c continues past errors,
rem so a drive letter that does not exist is only reported.
echo y| cacls C:\ /t /c /g administrators:F system:F
echo y| cacls D:\ /t /c /g administrators:F system:F
echo y| cacls E:\ /t /c /g administrators:F system:F
echo y| cacls F:\ /t /c /g administrators:F system:F
rem Give Everyone back read (R) or change (C) on the directories Windows, IIS and ASP.NET need.
cacls "C:\Program Files\Common Files" /t /e /c /g everyone:R
cacls "C:\WINDOWS\IIS Temporary Compressed Files" /t /e /c /g everyone:C
cacls C:\WINDOWS\Microsoft.NET /t /e /c /g everyone:R
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /t /e /c /g everyone:C
cacls "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" /t /e /c /g everyone:C
cacls C:\WINDOWS\Registration /t /e /c /g everyone:R
cacls C:\WINDOWS\Temp /t /e /c /g everyone:C
cacls C:\WINDOWS\assembly /t /e /c /g everyone:R
cacls C:\WINDOWS\WinSxS /t /e /c /g everyone:R
cacls C:\WINDOWS\Fonts /t /e /c /g everyone:R
cacls C:\WINDOWS\System32 /t /e /c /g everyone:R
rem The MSDTC log directory is written by the NETWORK SERVICE account; the account name contains
rem a space and must be quoted ("networkservice" does not resolve).
cacls C:\WINDOWS\system32\msdtc /t /e /c /g "network service":C
cacls "C:\WINDOWS\system32\inetsrv\ASP Compiled Templates" /t /e /c /g everyone:C
rem Take Everyone off every executable in System32 (this is what keeps a web shell running as
rem the IIS identity from launching cmd.exe and friends), then remove SYSTEM from the binaries
rem an intruder typically calls. Note that the LocalSystem token also carries the Administrators
rem group, so SYSTEM-hosted services keep access through the Administrators:F entry; the
rem effective protection comes from the IIS accounts being on none of these ACLs.
cacls C:\WINDOWS\System32\*.exe /e /c /r everyone
cacls C:\WINDOWS\System32\cmd.exe /e /c /r system
cacls C:\WINDOWS\System32\net.exe /e /c /r system
cacls C:\WINDOWS\System32\net1.exe /e /c /r system
rem These three must stay readable by Everyone or COM+ and service hosting break.
cacls C:\WINDOWS\System32\msdtc.exe /e /c /g everyone:R
cacls C:\WINDOWS\System32\dllhost.exe /e /c /g everyone:R
cacls C:\WINDOWS\System32\svchost.exe /e /c /g everyone:R
cacls C:\WINDOWS\System32\systeminfo.exe /e /c /r system
cacls C:\WINDOWS\System32\ftp.exe /e /c /r system
cacls C:\WINDOWS\System32\wscript.exe /e /c /r system
cacls C:\WINDOWS\System32\whoami.exe /e /c /r system
cacls C:\WINDOWS\System32\netstat.exe /e /c /r system
cacls C:\WINDOWS\System32\activeds.tlb /e /c /r system
cacls C:\WINDOWS\System32\sethc.exe /e /c /r system
cacls C:\WINDOWS\System32\tasklist.exe /e /c /r system
rem ("for" is a cmd built-in; there is no for.exe to restrict.)
cacls C:\WINDOWS\System32\shell32.dll /e /c /r system
cacls C:\WINDOWS\System32\wshom.ocx /e /c /r system
cd \

rem ---- default shares ----
echo Removing default shares
rem "net share /del" only lasts until the next reboot, and this script reboots at the end. What
rem actually keeps the administrative shares gone is disabling the Server service below; if you
rem ever re-enable it, set AutoShareServer=0 under
rem HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters as well.
net share c$ /del
net share d$ /del
net share e$ /del
net share f$ /del
net share ipc$ /del
net share admin$ /del

rem ---- IPsec port blocking ----
echo Adding IPsec policy
netsh ipsec static add policy name=blockport
netsh ipsec static add filterlist name=bplist
rem One filter per protocol and port, inbound to this host (srcaddr=any dstaddr=me). Filters
rem are mirrored by default, so the reply direction is covered. The list leaves the web ports
rem and Remote Desktop alone; never add the port you are connected through, because the policy
rem takes effect the moment it is assigned.
echo Blocking port 6129
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=6129
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=6129
echo Blocking port 3127
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=3127
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=3127
echo Blocking port 2745
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=2745
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=2745
echo Blocking port 2513
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=2513
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=2513
echo Blocking port 1900 (SSDP/UPnP)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=1900
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=1900
echo Blocking port 1025
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=1025
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=1025
echo Blocking port 593 (RPC over HTTP)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=593
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=593
echo Blocking port 445 (SMB)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=445
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=445
echo Blocking port 139 (NetBIOS session)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=139
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=139
echo Blocking port 138 (NetBIOS datagram)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=138
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=138
echo Blocking port 137 (NetBIOS name)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=137
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=137
echo Blocking port 135 (RPC endpoint mapper)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=135
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=135
echo Blocking port 43958 (Serv-U administration)
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=tcp dstport=43958
netsh ipsec static add filter filterlist=bplist srcaddr=any dstaddr=me protocol=udp dstport=43958
netsh ipsec static add filteraction name=bpblock action=block
netsh ipsec static add rule name=bprule policy=blockport filterlist=bplist filteraction=bpblock
netsh ipsec static set policy name=blockport assign=yes
echo IPsec configured

rem ---- service startup types ----
echo Setting the startup type of services
rem "sc config" only changes the startup type; the services stop at the reboot below.
rem Server (file sharing; disabling it is also what keeps the default shares from coming back)
sc config LanmanServer start= disabled
rem Remote Registry
sc config RemoteRegistry start= disabled
rem TCP/IP NetBIOS Helper
sc config LmHosts start= disabled
rem Print Spooler
sc config Spooler start= disabled
rem Computer Browser
sc config Browser start= disabled
rem Shell Hardware Detection
sc config ShellHWDetection start= disabled
rem Secondary Logon (runas)
sc config seclogon start= disabled
rem Wireless Configuration
sc config WZCSVC start= disabled
rem Distributed Link Tracking Client
sc config TrkWks start= disabled
rem Distributed Link Tracking Server
sc config TrkSvr start= disabled
rem Distributed Transaction Coordinator (keep it if a site uses COM+ or distributed transactions)
sc config MSDTC start= disabled
rem Cryptographic Services: Windows Update and the signature checks on installers and drivers
rem do not work while this is disabled; re-enable it before patching.
sc config CryptSvc start= disabled
rem DHCP Client (only safe on a server with a static address)
sc config Dhcp start= disabled
rem Help and Support
sc config helpsvc start= disabled
rem Workstation (no more outbound SMB, e.g. "net use" to another host)
sc config LanmanWorkstation start= disabled

rem ---- COM components ----
echo Configuring components
rem Unregister the WScript.Shell component (wshom.ocx) and the Shell.Application component
rem (shell32.dll). shell32.dll is the Explorer shell itself, so unregistering it affects more
rem than Shell.Application; if the desktop misbehaves, "regsvr32 /s shell32.dll" puts it back.
regsvr32 /u /s wshom.ocx
regsvr32 /u /s shell32.dll

echo Your computer is about to restart
shutdown /r /f /t 0
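Once the server is back up, two things remain that the script leaves to the operator: re-granting an IIS site its minimal rights, because the ACL replacement removed every identity except Administrators and SYSTEM, and checking that each control actually took effect. The batch file below is an added example rather than code from the page. It assumes IIS 6 defaults (worker process running as NETWORK SERVICE and a member of IIS_WPG, anonymous user IUSR_<computername>), takes the site root and an optional upload directory as its two parameters (hypothetical paths), and parses English command output; the "Assigned" line of `netsh ipsec static show policy` is assumed to read YES once the policy is active. Its exit code is the number of failed checks.

```batch
@echo off
rem after-reboot.bat <site-root> [upload-dir]
rem Step 1: least privilege for the web site. Step 2: verify the hardening script's controls.
rem Assumptions (example code): IIS 6 identities, English command output for findstr.
setlocal enabledelayedexpansion
if "%~1"=="" (echo usage: %~nx0 ^<site-root^> [upload-dir] & exit /b 2)
set FAIL=0

rem ---- step 1: re-grant the site ----
rem Read only on the site root: enough to serve files and run ASP/ASP.NET, whose compiled
rem output lands in the Temporary ASP.NET Files directories the script already opened.
cacls "%~1" /t /e /c /g "IUSR_%COMPUTERNAME%":R "network service":R IIS_WPG:R
rem Only a dedicated upload directory, if there is one, gets change (C); never the site root.
if not "%~2"=="" cacls "%~2" /t /e /c /g "IUSR_%COMPUTERNAME%":C "network service":C

rem ---- step 2: verify ----
rem The first line of cacls output contains the path, so match the full account name rather
rem than "SYSTEM" (which would also hit "System32").
for %%B in (cmd.exe net.exe net1.exe wscript.exe whoami.exe) do (
  cacls %SystemRoot%\System32\%%B | findstr /i /c:"NT AUTHORITY\SYSTEM" /c:"Everyone" >nul
  if not errorlevel 1 (echo [FAIL] SYSTEM or Everyone still listed on %%B & set /a FAIL+=1) else echo [ OK ] %%B restricted
)

rem Default shares: "^C$ " anchors the share name at the start of a "net share" line. If the
rem Server service is disabled, net share prints an error and nothing matches, which is the
rem expected state.
for %%S in (C D E F ADMIN) do (
  net share 2>nul | findstr /r /c:"^%%S\$ " >nul
  if not errorlevel 1 (echo [FAIL] %%S$ share still exists & set /a FAIL+=1) else echo [ OK ] %%S$ share absent
)

rem Services: "sc qc" prints "START_TYPE : 4 DISABLED" for a disabled service. A service that
rem does not exist on this build is reported but not counted as a failure.
for %%S in (LanmanServer RemoteRegistry LmHosts Spooler Browser ShellHWDetection seclogon WZCSVC TrkWks TrkSvr MSDTC CryptSvc Dhcp helpsvc LanmanWorkstation) do (
  sc qc %%S >nul 2>&1
  if errorlevel 1 (
    echo [WARN] service %%S not present on this system
  ) else (
    sc qc %%S | findstr /i "DISABLED" >nul
    if errorlevel 1 (echo [FAIL] %%S is not disabled & set /a FAIL+=1) else echo [ OK ] %%S disabled
  )
)

rem IPsec policy assigned (assumed output line "Assigned : YES").
netsh ipsec static show policy name=blockport | findstr /i /c:"Assigned" | findstr /i "YES" >nul
if errorlevel 1 (echo [FAIL] IPsec policy blockport is not assigned & set /a FAIL+=1) else echo [ OK ] IPsec policy blockport assigned

rem COM components: the ProgIDs should be gone after regsvr32 /u.
for %%P in (WScript.Shell Shell.Application) do (
  reg query HKCR\%%P >nul 2>&1
  if not errorlevel 1 (echo [FAIL] %%P is still registered & set /a FAIL+=1) else echo [ OK ] %%P unregistered
)

echo.
if %FAIL%==0 (echo All checks passed) else echo %FAIL% checks failed
exit /b %FAIL%
```

Run it from an administrator command prompt over Remote Desktop, for example `after-reboot.bat D:\wwwroot\site D:\wwwroot\site\upload`. A FAIL on the share check while the Server service is enabled means the shares were recreated at boot; a FAIL on a service usually means another service that depends on it was left at Automatic and started it.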
