Windows baseline automated check script

The main purpose of this batch script is to run security checks against a Windows system. It examines a number of security parameters and settings to confirm that the system meets a particular security standard. Some of the check items may not be entirely accurate and will need to be adjusted for the actual environment. A detailed description of the script and its functions follows:

1. Script initialization

@echo off disables command echoing so the output is cleaner.

setlocal enabledelayedexpansion enables delayed variable expansion so that variables can be read inside loops.

2. Variable setup

A few variables are defined for counting:

totalChecks: the total number of check items (set to 60); change this constant if checks are added or removed.

passCount: the number of checks that passed.

failCount: the number of checks that failed.

skippedCount: the number of checks that were skipped.

3. Collecting the IP address

The IPv4 address is read from the ipconfig output, specifically an address starting with 192.168., and stored in the variable ip. It is printed so that, when the script is run across many machines, each result can be attributed to its host.

4. Exporting the security policy

secedit /export exports the security policy to a temporary file, and PowerShell re-encodes it as UTF-8, so that the checks that read security-policy settings can search the exported file directly.
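As an added example (not part of the original batch script), the PowerShell below exports the policy the way this section describes, parses the INF export into a hashtable instead of grepping it with findstr, and evaluates the [System Access] thresholds and the [Privilege Rights] assignments that checks 1, 2, 4, 6 to 11, 18 and 19 in section 5 look at. The function names, the helper Get-PolicyInt and the constructed sample export are mine; the thresholds and the direction of each comparison are copied from the batch script.

```powershell
# Added example, not the original batch script: export the local security policy,
# parse the INF export into a hashtable and evaluate the [System Access] thresholds
# and [Privilege Rights] lines behind checks 1, 2, 4, 6-11, 18 and 19.
# Thresholds and comparison directions are copied from the batch script; the
# constructed sample export at the bottom stands in for a live export.
# Export-SecurityPolicy needs an elevated shell.

function Export-SecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol_export.inf'))
    # USER_RIGHTS adds the SeXxx lines; secedit writes UTF-16LE with a BOM, which
    # Get-Content decodes on its own, so no UTF-8 re-encoding step is needed
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY USER_RIGHTS | Out-Null
    if (-not (Test-Path -Path $Path)) { throw 'secedit export failed: is the shell elevated?' }
    $text = Get-Content -Path $Path -Raw
    Remove-Item -Path $Path -ErrorAction SilentlyContinue
    return $text
}

function ConvertFrom-SecurityPolicy {
    param([Parameter(Mandatory)][string]$Text)
    # INF layout: [Section] headers followed by "Key = Value" lines. Keys are stored as
    # "Section/Key", so MaximumPasswordAge under [System Access] cannot be confused with
    # the MACHINE\...\MaximumPasswordAge line under [Registry Values]
    $policy = @{}
    $section = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $policy["$section/$($Matches[1])"] = $Matches[2] }
    }
    return $policy
}

function Get-PolicyInt {
    param([hashtable]$Policy, [string]$Key, [int]$Default)
    if ($Policy.ContainsKey($Key)) { return [int]$Policy[$Key] }
    return $Default
}

function Test-SecurityPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $minLen  = Get-PolicyInt -Policy $Policy -Key 'System Access/MinimumPasswordLength' -Default 0
    $complex = Get-PolicyInt -Policy $Policy -Key 'System Access/PasswordComplexity'    -Default 0
    $history = Get-PolicyInt -Policy $Policy -Key 'System Access/PasswordHistorySize'   -Default 0
    $maxAge  = Get-PolicyInt -Policy $Policy -Key 'System Access/MaximumPasswordAge'    -Default -1   # -1 = never expires
    $lockout = Get-PolicyInt -Policy $Policy -Key 'System Access/LockoutBadCount'       -Default 0
    $checks = @(
        [pscustomobject]@{ Id = 1; Check = 'MinimumPasswordLength >= 12';      Actual = $minLen;  Pass = ($minLen -ge 12) }
        [pscustomobject]@{ Id = 2; Check = 'PasswordComplexity = 1';           Actual = $complex; Pass = ($complex -eq 1) }
        [pscustomobject]@{ Id = 4; Check = 'PasswordHistorySize >= 5';         Actual = $history; Pass = ($history -ge 5) }
        [pscustomobject]@{ Id = 6; Check = 'MaximumPasswordAge >= 90';         Actual = $maxAge;  Pass = ($maxAge -ge 90) }
        [pscustomobject]@{ Id = 7; Check = 'MaximumPasswordAge not unlimited'; Actual = $maxAge;  Pass = ($maxAge -gt 0) }
        [pscustomobject]@{ Id = 8; Check = 'LockoutBadCount >= 6';             Actual = $lockout; Pass = ($lockout -ge 6) }
        [pscustomobject]@{ Id = 9; Check = 'LockoutBadCount not 0';            Actual = $lockout; Pass = ($lockout -ne 0) }
    )
    # User rights are exported as "SeXxx = *SID,*SID"; the baseline accepts only the built-in
    # Administrators group (S-1-5-32-544) as holder, so compare against that exact string
    $adminOnly = '*S-1-5-32-544'
    $rights = @{ 10 = 'SeTakeOwnershipPrivilege'; 11 = 'SeRemoteShutdownPrivilege'; 18 = 'SeNetworkLogonRight'; 19 = 'SeInteractiveLogonRight' }
    foreach ($id in ($rights.Keys | Sort-Object)) {
        $key = "Privilege Rights/$($rights[$id])"
        $holders = if ($Policy.ContainsKey($key)) { $Policy[$key] } else { '(not assigned)' }
        $checks += [pscustomobject]@{ Id = $id; Check = "$($rights[$id]) held by Administrators only"; Actual = $holders; Pass = ($holders -eq $adminOnly) }
    }
    return $checks
}

# Constructed sample export, trimmed to the keys used above, so the parser and the
# checks can be exercised offline; replace it with (Export-SecurityPolicy) on a real host
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

$results = Test-SecurityPolicy -Policy (ConvertFrom-SecurityPolicy -Text $sample)
$results | Format-Table -AutoSize
'{0} passed, {1} failed' -f @($results | Where-Object { $_.Pass }).Count, @($results | Where-Object { -not $_.Pass }).Count
```

With the constructed sample, six checks pass and five fail (1, 8, 11, 18 and 19); on a real host, pass the output of Export-SecurityPolicy to ConvertFrom-SecurityPolicy instead of $sample. Parsing the file into section-qualified keys is what lets the user-rights checks work at all: the batch script reads whoami output for them, which lists the current token's groups and privileges rather than who holds the right on the machine.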

5. Security checks

The script then runs a series of security checks, mainly the following:

(1) Check the minimum password length: verify whether the minimum password length is less than 12.

(2) Check whether password complexity requirements are enabled: confirm that the password complexity setting is enabled.

(3) Check whether the Guest account is disabled: check that the Guest account status is disabled.

(4) Check the "Enforce password history" count: verify whether the password history size is less than 5.

(5) Check the number of enabled local users: confirm whether fewer than 2 local users are enabled.

(6) Check the maximum password age: verify whether the maximum password age is less than 90 days.

(7) Check that the maximum password age is not 0: confirm whether the password age is 0.

(8) Check the account lockout threshold: verify whether the lockout threshold is less than 6.

(9) Check that the account lockout threshold is not 0: confirm whether the lockout threshold is 0.

(10) Check the accounts and groups that can "take ownership of files or other objects": check the Administrators group configuration.

(11) Check the accounts and groups that can shut down the system remotely: again checks the Administrators group configuration.

(12) Check whether anonymous enumeration of SAM accounts is disallowed: check the registry setting.

(13) Check whether anonymous enumeration of SAM accounts and shares is disallowed: also a registry setting.

(14) Check the remotely accessible registry paths: check whether the registry can be accessed remotely.

(15) Check the remotely accessible registry paths: checks the remote access setting a second time (a repeated check; it should really be a single check).

(16) Check shares that can be accessed anonymously: check whether any shared folder allows anonymous access.

(17) Check named pipes that can be accessed anonymously: check the access permissions of named pipes.

(18) Check the users and groups allowed to access this computer from the network: check the network access permission setting.

(19) Check the users and groups allowed to log on locally: check the local logon permission setting.

(20) Check the action taken when the Application log file reaches its maximum size: confirm the log overflow handling setting.

(21) Check the maximum size of the Application log file: confirm the maximum log file size setting.

(22) Check the "Audit object access" level: check the file system audit policy.

(23) Check the "Audit privilege use" level: check the audit policy for privilege use.

(24) Check the "Audit process tracking" level: check the audit policy for process creation.

(25) Check the "Audit logon events" level: check the audit policy for logon events.

(26) Check the "Audit directory service access" level: check the audit policy for directory service access.

(27) Check the "Audit system events" level: check the audit policy for system events.

(28) Check the "Audit account logon events" level: check the audit policy for account logon events.

(29) Check the "Audit policy change" level: check the audit policy for audit policy changes.

(30) Check the "Audit account management" level: check the audit policy for user account management.

(31) Check the Windows Firewall state: confirm whether Windows Firewall is enabled.

(32) Check the Remote Desktop (RDP) service port: confirm whether the RDP port matches the expected setting.

(33) Check the source routing configuration: confirm whether source routing is disabled.

(34) Check the TCP connection request threshold: confirm the TCP connection request threshold setting.

(35) Check whether SYN attack protection is enabled: confirm that SYN attack protection is enabled.

(36) Check the number of times a SYN-ACK is retransmitted before giving up on responding to a SYN request: confirm the setting is correct.

(37) Check the threshold of TCP connections in the SYN_RCVD state: confirm the connection threshold setting.

(38) Check the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent: confirm the setting is correct.

(39) Check whether the default "public" community of the SNMP service has been removed: confirm the SNMP setting.

(40) Check whether automatic TCP Maximum Transmission Unit (MTU) size discovery is enabled: confirm the MTU discovery setting.

(41) Check the state of the Remote Access Connection Manager service: confirm the service is stopped.

(42) Check the state of the Message Queuing service: confirm the service is stopped.

(43) Check the state of the DHCP Server service: confirm the service is stopped.

(44) Check the state of the DHCP Client service: confirm the service is stopped.

(45) Check the state of the Simple Mail Transport Protocol (SMTP) service: confirm the service is stopped.

(46) Check the state of the Windows Internet Name Service (WINS) service: confirm the service is stopped.

(47) Check the state of the Simple TCP/IP Services service: confirm the service is stopped.

(48) Check the Windows automatic logon setting: confirm that automatic logon is disabled.

(49) Check whether the Qingteng Cloud (青藤云) host security agent is installed: confirm that TitanAgent is installed.

(50) Check the share permissions of shared folders: confirm the shared folder permission settings.

(51) Check the file system format of all disk partitions: confirm that all disks are NTFS.

(52) Check whether Windows AutoPlay is turned off for all drives: confirm the AutoPlay setting.

(53) Check whether the default Windows administrative drive shares are disabled: confirm the drive share setting.

(54) Check the amount of idle time required before the server suspends a session: confirm the setting is correct.

(55) Check whether the NTP time synchronization server is configured correctly: confirm the NTP server setting.

(56) Check whether the DNS servers are configured correctly: confirm the DNS setting.

(57) Check whether the IPv6 protocol is turned off: confirm that IPv6 is disabled.

(58) Check whether Data Execution Prevention (DEP) is enabled: confirm the DEP setting.

(59) Check whether the host name follows the host naming convention: confirm that the host name meets the standard.

(60) Check whether UAC security prompts are enabled: confirm that the UAC setting is enabled.
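Many of the items above follow one of two shapes: a registry DWORD that must equal a fixed value, or a service that must be stopped. As an added example (not part of the original batch script), the PowerShell below runs those items (12, 13, 33 to 38, 40, 41 to 47, 53, 54 and 60) from a table of expected values and keeps the pass/fail/skip tally that section 6 describes. The function names are mine; the registry paths, expected values and service names are copied from the batch script, except that item 47 uses simptcp, which is the service name of "Simple TCP/IP Services".

```powershell
# Added example, not the original batch script. It re-runs the registry DWORD
# and service-state checks from section 5 (items 12, 13, 33-38, 40, 41-47, 53,
# 54 and 60) from a table of expected values and tallies the results as in
# section 6. Expected values and service names come from the batch script
# (item 47 uses simptcp, the actual service name of Simple TCP/IP Services).
# Read-only; run elevated so every HKLM value is visible.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$uac   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected DWORDs; the batch script compares the hex text printed by reg.exe, here they are integers
$registryChecks = @(
    @{ Id = 12; Path = $lsa;   Name = 'RestrictAnonymous';                    Expected = 1 }
    @{ Id = 13; Path = $lsa;   Name = 'RestrictAnonymousSam';                 Expected = 1 }
    @{ Id = 33; Path = $tcpip; Name = 'DisableIPSourceRouting';               Expected = 2 }
    @{ Id = 34; Path = $tcpip; Name = 'TcpMaxPortsExhausted';                 Expected = 5 }
    @{ Id = 35; Path = $tcpip; Name = 'SynAttackProtect';                     Expected = 1 }
    @{ Id = 36; Path = $tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Expected = 2 }
    @{ Id = 37; Path = $tcpip; Name = 'TcpMaxHalfOpen';                       Expected = 500 }   # 0x1f4
    @{ Id = 38; Path = $tcpip; Name = 'TcpMaxHalfOpenRetried';                Expected = 400 }   # 0x190
    @{ Id = 40; Path = $tcpip; Name = 'EnablePMTUDiscovery';                  Expected = 0 }
    @{ Id = 53; Path = $srv;   Name = 'AutoShareServer';                      Expected = 0 }
    @{ Id = 54; Path = $srv;   Name = 'autodisconnect';                       Expected = 15 }    # 0xf
    @{ Id = 60; Path = $uac;   Name = 'EnableLUA';                            Expected = 1 }
)

# Services that must be stopped (item number -> service name); a service that is not installed is skipped
$serviceChecks = @{ 41 = 'RemoteAccess'; 42 = 'MSMQ'; 43 = 'DHCPServer'; 44 = 'Dhcp'; 45 = 'SMTPSVC'; 46 = 'WINS'; 47 = 'simptcp' }

function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    # An absent value is reported as a failure with a visible reason; the batch script
    # ends up comparing an empty variable instead
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]@{ Result = 'Not Pass'; Actual = '(absent)' } }
    $actual = [int]$item.$Name
    $result = if ($actual -eq $Expected) { 'Pass' } else { 'Not Pass' }
    return [pscustomobject]@{ Result = $result; Actual = $actual }
}

function Test-ServiceStopped {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return [pscustomobject]@{ Result = 'Skipped'; Actual = '(not installed)' } }
    $result = if ($svc.Status -eq 'Stopped') { 'Pass' } else { 'Not Pass' }
    return [pscustomobject]@{ Result = $result; Actual = [string]$svc.Status }
}

$report = @()
foreach ($c in $registryChecks) {
    $r = Test-RegistryDword -Path $c.Path -Name $c.Name -Expected $c.Expected
    $report += [pscustomobject]@{ Id = $c.Id; Check = "$($c.Name) = $($c.Expected)"; Actual = $r.Actual; Result = $r.Result }
}
foreach ($id in ($serviceChecks.Keys | Sort-Object)) {
    $r = Test-ServiceStopped -Name $serviceChecks[$id]
    $report += [pscustomobject]@{ Id = $id; Check = "$($serviceChecks[$id]) stopped"; Actual = $r.Actual; Result = $r.Result }
}

$report | Sort-Object Id | Format-Table -AutoSize
foreach ($name in 'Pass', 'Not Pass', 'Skipped') {
    "${name}: $(@($report | Where-Object { $_.Result -eq $name }).Count)"
}
"Total checks: $($report.Count)"
```

Keeping the expectations in a table rather than in sixty copies of the same if/else makes a baseline change a one-line edit and keeps the report honest: an absent value shows up as "(absent)" rather than silently comparing an empty string, and a service that is not installed is counted as skipped rather than as running.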

6. Output of results

Finally, the script prints the total number of checks and the counts of passed, failed and skipped checks.

The temporary files it generated are deleted.

The script code follows:

@echo off
setlocal enabledelayedexpansion

:: Initialise the counters
set totalChecks=60
set passCount=0
set failCount=0
set skippedCount=0

:: Pick up the first IPv4 address in 192.168.0.0/16 so results from a batch run can be attributed to a host
for /f "tokens=2 delims=:" %%f in ('ipconfig ^| findstr /C:"IPv4" ^| findstr /C:"192.168."') do (
    for /f "tokens=1" %%g in ("%%f") do (
        set "ip=%%g"
    )
)
echo IP:%ip%

:: Export the security policy once; the USER_RIGHTS area is needed by checks 10, 11, 18 and 19
:: powershell -Command "secedit /export /areas SECURITYPOLICY /cfg C:\secpol.cfg > $null 2>&1"
secedit /export /areas SECURITYPOLICY USER_RIGHTS /cfg C:\temp_secpol.cfg > nul 2>&1
:: secedit writes UTF-16, so re-encode the export as UTF-8 for findstr
powershell -Command "Get-Content C:\temp_secpol.cfg | Out-File -FilePath C:\secpol.cfg -Encoding utf8"
:: 1. Minimum password length
set "minPwdLength=0"
for /f "tokens=2 delims== " %%a in ('findstr /i /b "MinimumPasswordLength" C:\secpol.cfg') do set "minPwdLength=%%a"
if !minPwdLength! LSS 12 (
    echo Not Pass: [1] MinimumPasswordLength is !minPwdLength!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 2. Password complexity requirement enabled (PasswordComplexity must be 1, not merely present)
set "pwdComplexity=0"
for /f "tokens=2 delims== " %%b in ('findstr /i /b "PasswordComplexity" C:\secpol.cfg') do set "pwdComplexity=%%b"
if "!pwdComplexity!" NEQ "1" (
    echo Not Pass: [2] PasswordComplexity is !pwdComplexity!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 3. Guest account disabled
:: "net user Guest" prints a whole line such as "Account active   Yes" (the label is localised,
:: e.g. 帐户启用), so reduce that line to its Yes/No column instead of comparing the full line
net user Guest | findstr /i /C:"Account active" /C:"帐户启用" | findstr /i "Yes" > nul
if not errorlevel 1 (
    echo Not Pass: [3] Guest account is enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 4. "Enforce password history" count
set "pwdHistorySize=0"
for /f "tokens=2 delims== " %%c in ('findstr /i /b "PasswordHistorySize" C:\secpol.cfg') do set "pwdHistorySize=%%c"
if !pwdHistorySize! LSS 5 (
    echo Not Pass: [4] PasswordHistorySize is !pwdHistorySize!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 5. Number of enabled local users
:: "net user | find /c" also counts the header and footer lines, so count enabled accounts
:: with Get-LocalUser (Windows 10 / Server 2016 and later) instead
set "enabledUsers=0"
for /f %%d in ('powershell -NoProfile -Command "@(Get-LocalUser | Where-Object { $_.Enabled }).Count"') do set "enabledUsers=%%d"
if !enabledUsers! LSS 2 (
    echo Not Pass: [5] Enabled local users count is !enabledUsers!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 6. Maximum password age
:: The MACHINE\... registry lines also contain this word, so filter them out; secedit exports "never expires" as -1
set "maxPwdAge=-1"
for /f "tokens=2 delims== " %%e in ('findstr /i /b "MaximumPasswordAge" C:\secpol.cfg ^| findstr /v "MACHINE"') do set "maxPwdAge=%%e"
if !maxPwdAge! LSS 90 (
    echo Not Pass: [6] MaximumPasswordAge is !maxPwdAge!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 7. Maximum password age is not 0 (unlimited); -1 in the export is that same "never expires" setting
if !maxPwdAge! LEQ 0 (
    echo Not Pass: [7] MaximumPasswordAge is !maxPwdAge! - passwords never expire
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 8. Account lockout threshold
set "lockoutBadCount=0"
for /f "tokens=2 delims== " %%f in ('findstr /i /b "LockoutBadCount" C:\secpol.cfg') do set "lockoutBadCount=%%f"
if !lockoutBadCount! LSS 6 (
    echo Not Pass: [8] LockoutBadCount is !lockoutBadCount!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 9. Account lockout threshold is not 0
if !lockoutBadCount! EQU 0 (
    echo Not Pass: [9] LockoutBadCount is !lockoutBadCount!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 10. Accounts and groups that can "take ownership of files or other objects"
:: The USER_RIGHTS export lists holders as SIDs, e.g. "SeTakeOwnershipPrivilege = *S-1-5-32-544";
:: S-1-5-32-544 is the built-in Administrators group, the only holder this baseline accepts.
:: (The previous version read "whoami /groups", which only shows the current user's own groups.)
set "takeOwnership="
for /f "tokens=2 delims== " %%a in ('findstr /i /b "SeTakeOwnershipPrivilege" C:\secpol.cfg') do set "takeOwnership=%%a"
if not defined takeOwnership (
    REM the right is not in the export, so it cannot be evaluated
    set /a skippedCount+=1
) else (
    if /i "!takeOwnership!" NEQ "*S-1-5-32-544" (
        echo Not Pass: [10] Other holders of SeTakeOwnershipPrivilege: !takeOwnership!
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 11. Accounts and groups that can shut down the system remotely (SeRemoteShutdownPrivilege)
set "remoteShutdown="
for /f "tokens=2 delims== " %%a in ('findstr /i /b "SeRemoteShutdownPrivilege" C:\secpol.cfg') do set "remoteShutdown=%%a"
if not defined remoteShutdown (
    REM the right is not in the export, so it cannot be evaluated
    set /a skippedCount+=1
) else (
    if /i "!remoteShutdown!" NEQ "*S-1-5-32-544" (
        echo Not Pass: [11] Other holders of SeRemoteShutdownPrivilege: !remoteShutdown!
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 12. Anonymous enumeration of SAM accounts disallowed (RestrictAnonymous = 1)
:: Read the value itself rather than grepping for "0x1", which would also match 0x10 and similar
set "restrictAnonymous="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous 2^>nul') do set "restrictAnonymous=%%a"
if /i "!restrictAnonymous!" NEQ "0x1" (
    echo Not Pass: [12] RestrictAnonymous is not enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 13. Anonymous enumeration of SAM accounts and shares disallowed (RestrictAnonymousSam = 1)
set "restrictAnonymousSam="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSam 2^>nul') do set "restrictAnonymousSam=%%a"
if /i "!restrictAnonymousSam!" NEQ "0x1" (
    echo Not Pass: [13] RestrictAnonymousSam is not enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 14. Remotely accessible registry paths
:: The policy is the REG_MULTI_SZ value SecurePipeServers\Winreg\AllowedExactPaths\Machine; pass when no path is listed
set "remoteRegPaths="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine 2^>nul') do set "remoteRegPaths=%%a"
if defined remoteRegPaths (
    echo Not Pass: [14] Remotely accessible registry paths: !remoteRegPaths!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 15. Remotely accessible registry paths (repeats check 14; kept so the item numbering stays at 60)
set "remoteRegPathsAgain="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine 2^>nul') do set "remoteRegPathsAgain=%%a"
if defined remoteRegPathsAgain (
    echo Not Pass: [15] Remotely accessible registry paths: !remoteRegPathsAgain!
    set /a failCount+=1
) else (
    set /a passCount+=1
)

:: 16. Shares that can be accessed anonymously (NullSessionShares); pass when the list is absent or empty
set "nullSessionShares="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v NullSessionShares 2^>nul') do set "nullSessionShares=%%a"
if defined nullSessionShares (
    echo Not Pass: [16] NullSessionShares is set: !nullSessionShares!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 17. Named pipes that can be accessed anonymously (NullSessionPipes); pass when the list is absent or empty
set "nullSessionPipes="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v NullSessionPipes 2^>nul') do set "nullSessionPipes=%%a"
if defined nullSessionPipes (
    echo Not Pass: [17] NullSessionPipes is set: !nullSessionPipes!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 18. Users and groups allowed to access this computer from the network (SeNetworkLogonRight)
:: Logon rights are not token privileges, so "whoami /priv" never shows them; read the USER_RIGHTS export
set "networkLogon="
for /f "tokens=2 delims== " %%a in ('findstr /i /b "SeNetworkLogonRight" C:\secpol.cfg') do set "networkLogon=%%a"
if not defined networkLogon (
    set /a skippedCount+=1
) else (
    if /i "!networkLogon!" NEQ "*S-1-5-32-544" (
        echo Not Pass: [18] Other holders of SeNetworkLogonRight: !networkLogon!
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 19. Users and groups allowed to log on locally (SeInteractiveLogonRight)
set "interactiveLogon="
for /f "tokens=2 delims== " %%a in ('findstr /i /b "SeInteractiveLogonRight" C:\secpol.cfg') do set "interactiveLogon=%%a"
if not defined interactiveLogon (
    set /a skippedCount+=1
) else (
    if /i "!interactiveLogon!" NEQ "*S-1-5-32-544" (
        echo Not Pass: [19] Other holders of SeInteractiveLogonRight: !interactiveLogon!
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 20. Action when the Application log reaches its maximum size
:: "wevtutil gl" prints "retention: true/false" and "autoBackup: true/false"; retention=true with
:: autoBackup=false means new events are dropped once the log is full, which is the case flagged here
set "logRetention="
set "logAutoBackup="
for /f "tokens=2" %%a in ('wevtutil gl Application ^| findstr /i "retention:"') do set "logRetention=%%a"
for /f "tokens=2" %%a in ('wevtutil gl Application ^| findstr /i "autoBackup:"') do set "logAutoBackup=%%a"
set "logOverflowBad=0"
if /i "!logRetention!"=="true" if /i "!logAutoBackup!"=="false" set "logOverflowBad=1"
if "!logOverflowBad!"=="1" (
    echo Not Pass: [20] Application log neither overwrites nor archives events when full
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 21. Maximum size of the Application log file ("maxSize: <bytes>" in the wevtutil output)
set "maxSize="
for /f "tokens=2" %%a in ('wevtutil gl Application ^| findstr /i "maxSize:"') do set "maxSize=%%a"
if not defined maxSize (
    echo Not Pass: [21] maxSize is not set
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 22. "Audit object access" level (File System subcategory)
:: auditpol prints a header line first, so search the whole output for "No Auditing" instead of reading line 1;
:: a non-zero exit code means the subcategory name was not recognised (e.g. a localised system) and the check is skipped
auditpol /get /subcategory:"File System" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [22] File System auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 23. "Audit privilege use" level (Sensitive Privilege Use subcategory)
auditpol /get /subcategory:"Sensitive Privilege Use" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [23] Sensitive Privilege Use auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 24. "Audit process tracking" level (Process Creation subcategory)
auditpol /get /subcategory:"Process Creation" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [24] Process Creation auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 25. "Audit logon events" level (Logon subcategory)
auditpol /get /subcategory:"Logon" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [25] Logon auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 26. "Audit directory service access" level
auditpol /get /subcategory:"Directory Service Access" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [26] Directory Service Access auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 27. "Audit system events" level (Other System Events subcategory)
auditpol /get /subcategory:"Other System Events" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [27] Other System Events auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 28. "Audit account logon events" level (Credential Validation subcategory)
auditpol /get /subcategory:"Credential Validation" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [28] Credential Validation auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 29. "Audit policy change" level
auditpol /get /subcategory:"Audit Policy Change" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [29] Audit Policy Change auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 30. "Audit account management" level (User Account Management subcategory)
auditpol /get /subcategory:"User Account Management" > result.txt 2>&1
if errorlevel 1 (
    set /a skippedCount+=1
) else (
    findstr /i /C:"No Auditing" result.txt > nul
    if not errorlevel 1 (
        echo Not Pass: [30] User Account Management auditing is set to No Auditing
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)

:: 31. Windows Firewall state (passes when at least one profile reports State ON)
netsh advfirewall show allprofiles | findstr /i "State" | findstr /i "ON" > nul
if errorlevel 1 (
    echo Not Pass: [31] Windows Firewall is not enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 32. Remote Desktop (RDP) listening port; the expected value is 0x1188
set "PortNumber="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber 2^>nul') do set "PortNumber=%%a"
if /i "!PortNumber!" NEQ "0x1188" (
    echo Not Pass: [32] RDP port is not set to the expected value: !PortNumber!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 33. Source routing disabled (DisableIPSourceRouting = 2)
set "DisableIPSourceRouting="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting 2^>nul') do set "DisableIPSourceRouting=%%a"
if /i "!DisableIPSourceRouting!" NEQ "0x2" (
    echo Not Pass: [33] IP Source Routing is enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 34. TCP connection request threshold (TcpMaxPortsExhausted = 5)
set "TcpMaxPortsExhausted="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted 2^>nul') do set "TcpMaxPortsExhausted=%%a"
if /i "!TcpMaxPortsExhausted!" NEQ "0x5" (
    echo Not Pass: [34] TcpMaxPortsExhausted is not set correctly
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 35. SYN attack protection enabled (SynAttackProtect = 1)
set "SynAttackProtect="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect 2^>nul') do set "SynAttackProtect=%%a"
if /i "!SynAttackProtect!" NEQ "0x1" (
    echo Not Pass: [35] SynAttackProtect is not enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 36. Number of SYN-ACK retransmissions before a SYN request is abandoned (TcpMaxConnectResponseRetransmissions = 2)
set "TcpMaxConnectResponseRetransmissions="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxConnectResponseRetransmissions 2^>nul') do set "TcpMaxConnectResponseRetransmissions=%%a"
if /i "!TcpMaxConnectResponseRetransmissions!" NEQ "0x2" (
    echo Not Pass: [36] TcpMaxConnectResponseRetransmissions is not set correctly
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 37. Threshold of TCP connections in the SYN_RCVD state (TcpMaxHalfOpen = 0x1f4, i.e. 500)
set "TcpMaxHalfOpen="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen 2^>nul') do set "TcpMaxHalfOpen=%%a"
if /i "!TcpMaxHalfOpen!" NEQ "0x1f4" (
    echo Not Pass: [37] TcpMaxHalfOpen is not set correctly
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 38. Threshold of SYN_RCVD connections with at least one retransmission (TcpMaxHalfOpenRetried = 0x190, i.e. 400)
set "TcpMaxHalfOpenRetried="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried 2^>nul') do set "TcpMaxHalfOpenRetried=%%a"
if /i "!TcpMaxHalfOpenRetried!" NEQ "0x190" (
    echo Not Pass: [38] TcpMaxHalfOpenRetried is not set correctly
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 39. Default "public" SNMP community removed
:: Failing whenever the ValidCommunities key exists would also flag hosts with a renamed community,
:: so look for the "public" entry itself; a missing key or SNMP service also counts as a pass
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" 2>nul | findstr /i /C:"public" > nul
if not errorlevel 1 (
    echo Not Pass: [39] SNMP community "public" is still configured
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 40. Automatic path MTU discovery (EnablePMTUDiscovery must be 0 for this baseline)
set "EnablePMTUDiscovery="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery 2^>nul') do set "EnablePMTUDiscovery=%%a"
if /i "!EnablePMTUDiscovery!" NEQ "0x0" (
    echo Not Pass: [40] EnablePMTUDiscovery is enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 41. Remote Access Connection Manager service state
:: "sc query" exits with error 1060 when the service is not installed, which counts as a pass;
:: otherwise the STATE line must contain STOPPED (the previous version compared the whole line
:: against "STOPPED", which never matched)
sc query RemoteAccess > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query RemoteAccess | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [41] RemoteAccess service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 42. Message Queuing service state
sc query MSMQ > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query MSMQ | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [42] MSMQ service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 43. DHCP Server service state
sc query DHCPServer > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query DHCPServer | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [43] DHCPServer service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 44. DHCP Client service state
sc query Dhcp > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query Dhcp | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [44] Dhcp service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 45. Simple Mail Transport Protocol (SMTP) service state
sc query SMTPSVC > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query SMTPSVC | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [45] SMTPSVC service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 46. Windows Internet Name Service (WINS) service state
sc query WINS > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query WINS | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [46] WINS service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)


:: 47. Simple TCP/IP Services service state (service name simptcp)
sc query simptcp > nul 2>&1
if errorlevel 1 (
    set /a passCount+=1
) else (
    sc query simptcp | findstr /C:"STOPPED" > nul
    if errorlevel 1 (
        echo Not Pass: [47] simptcp service is not stopped
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)

:: 48. Windows automatic logon disabled
:: AutoAdminLogon is a REG_SZ holding "0" or "1" (not a DWORD, so never "0x0"); an absent value means auto logon is off
set "autoAdminLogon=0"
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon 2^>nul') do set "autoAdminLogon=%%a"
if "!autoAdminLogon!" NEQ "0" (
    echo Not Pass: [48] AutoAdminLogon is enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)

:: 49. Qingteng Cloud host security agent present (TitanAgent.exe process)
:: The redirection always creates result.txt, so test the findstr result instead of the file's existence
tasklist | findstr /i /C:"TitanAgent.exe" > nul
if errorlevel 1 (
    echo Not Pass: [49] TitanAgent is not running
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 50. Share permissions of shared folders
:: The Server service is named LanmanServer; if it is not running nothing is shared
sc query LanmanServer | find "RUNNING" > nul
if errorlevel 1 (
    REM service not running: counts as compliant
    set /a passCount+=1
) else (
    REM Skip the two header lines of "net share"; the trailing completion message is not a share name,
    REM so "net share" rejects it harmlessly. Collect offending shares and count the item once.
    set "everyoneShares="
    for /f "skip=2 tokens=1" %%a in ('net share') do (
        net share %%a 2>nul | findstr /i /C:"Everyone" > nul
        if not errorlevel 1 set "everyoneShares=!everyoneShares! %%a"
    )
    if defined everyoneShares (
        echo Not Pass: [50] Shares granting Everyone: !everyoneShares!
        set /a failCount+=1
    ) else (
        set /a passCount+=1
    )
)



:: 51. File system of every fixed disk partition must be NTFS
:: wmic is deprecated and its output is awkward to parse (the "name, filesystem" columns come back in a
:: different order, so the earlier parse never saw a file system), so ask CIM for local fixed disks (DriveType 3)
set "nonNtfs="
set "diskCount=0"
for /f "usebackq tokens=1,2" %%d in (`powershell -NoProfile -Command "foreach ($d in Get-CimInstance Win32_LogicalDisk) { if ($d.DriveType -eq 3) { $d.DeviceID + ' ' + $d.FileSystem } }"`) do (
    set /a diskCount+=1
    REM an unformatted volume prints no file system at all and is reported too
    if /i "%%e" NEQ "NTFS" set "nonNtfs=!nonNtfs! %%d"
)

if !diskCount! EQU 0 (
    REM the disks could not be enumerated
    set /a skippedCount+=1
) else if defined nonNtfs (
    echo Not Pass: [51] Partitions that are not NTFS or have no file system: !nonNtfs!
    set /a failCount+=1
) else (
    set /a passCount+=1
)



:: 52. AutoPlay turned off for all drives (NoDriveTypeAutoRun = 0xff)
:: Look at the machine policy first, then the user policy; an absent value means AutoPlay is still on,
:: so it is a failure rather than a pass
set "noDriveTypeAutoRun="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2^>nul') do set "noDriveTypeAutoRun=%%a"
if not defined noDriveTypeAutoRun for /f "tokens=3" %%a in ('reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2^>nul') do set "noDriveTypeAutoRun=%%a"
if /i "!noDriveTypeAutoRun!" NEQ "0xff" (
    echo Not Pass: [52] NoDriveTypeAutoRun is not 0xff
    set /a failCount+=1
) else (
    set /a passCount+=1
)

:: 53. Default administrative drive shares disabled (AutoShareServer = 0); an absent value leaves them enabled
set "autoShareServer="
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer 2^>nul') do set "autoShareServer=%%a"
if /i "!autoShareServer!" NEQ "0x0" (
    echo Not Pass: [53] AutoShareServer is enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 54. Idle time before the server suspends a session (autodisconnect = 0xf, i.e. 15 minutes)
set "autodisconnect="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v autodisconnect 2^>nul') do set "autodisconnect=%%a"
if /i "!autodisconnect!" NEQ "0xf" (
    echo Not Pass: [54] autodisconnect is not set correctly
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 55. NTP time synchronisation server configured (an NtpServer line in the w32tm configuration)
w32tm /query /configuration 2>nul | findstr /C:"NtpServer" > nul
if errorlevel 1 (
    echo Not Pass: [55] NtpServer is not configured
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 56. DNS servers configured (one of the expected resolvers must appear in the interface configuration)
netsh interface ip show config | findstr "DNS" > result.txt
set dnsConfigured=0
for /f "tokens=*" %%h in (result.txt) do (
    echo %%h | findstr /C:"114.114.114.114" >nul && set dnsConfigured=1
    echo %%h | findstr /C:"114.114.114.115" >nul && set dnsConfigured=1
)
if !dnsConfigured! == 0 (
    echo Not Pass: [56] DNS server is not configured correctly
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 57. IPv6 disabled (DisabledComponents = 0xff under Tcpip6\Parameters)
:: "netsh interface ipv6 show interfaces" exits 0 whether or not IPv6 is enabled, so it cannot decide this
set "ipv6Disabled="
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents 2^>nul') do set "ipv6Disabled=%%a"
if /i "!ipv6Disabled!" NEQ "0xff" (
    echo Not Pass: [57] IPv6 is enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 58. DEP enabled: read the "nx" entry of the boot configuration (bcdedit needs an elevated prompt);
:: AlwaysOff disables DEP, the other values keep it on
set "depStatus="
for /f "tokens=2" %%a in ('bcdedit 2^>nul ^| findstr /i /b /C:"nx"') do set "depStatus=%%a"
if not defined depStatus (
    echo Not Pass: [58] DEP setting could not be read - run the script elevated
    set /a failCount+=1
) else if /i "!depStatus!"=="AlwaysOff" (
    echo Not Pass: [58] DEP is disabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 59. Host name follows the naming convention
for /f "delims=" %%a in ('hostname') do set "hostName=%%a"
if /i "!hostName!" NEQ "cn-lotus" (
    echo Not Pass: [59] Hostname is incorrect: !hostName!
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: 60. UAC enabled (EnableLUA = 1)
set "EnableLUA="
for /f "tokens=3" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA 2^>nul') do set "EnableLUA=%%a"
if /i "!EnableLUA!" NEQ "0x1" (
    echo Not Pass: [60] UAC is not enabled
    set /a failCount+=1
) else (
    set /a passCount+=1
)


:: Summary
echo Total checks: !totalChecks!
echo Total passes: !passCount!
echo Total failures: !failCount!
echo Total skipped: !skippedCount!

:: Remove the temporary files; result.txt is written to the current directory, not to C:\
del "C:\temp_secpol.cfg" /q 2>nul
del "C:\secpol.cfg" /q 2>nul
if exist result.txt del result.txt /q

endlocal
pause

Example run:
