等保三级整改加固之windows系统
[TOC]
windows系统
设置账号及密码过期属性
- 设置密码需要有一定的复杂度(长度8位以上,且同时包含数字、字母和特殊符号)
- 应重命名或删除默认账户,修改默认账户的默认口令,示例将 Administrator 改为 appadmin,密码改为 Admin_147
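rem Change the built-in Administrator password, then rename the account.
rem "*" makes "net user" prompt for the password instead of taking it on the
rem command line, so it does not end up in console history or process listings.
net user Administrator *
rem Make the built-in account's password expire like any other account.
wmic useraccount where "Name='Administrator'" set PasswordExpires=True
rem Rename last, so the WHERE filters above still match the original name.
wmic useraccount where "Name='Administrator'" rename appadmin
rem Verify: the renamed account should be listed as appadmin with PasswordExpires=TRUE.
wmic useraccount get Disabled,Domain,Name,PasswordExpires,Status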
- 应授予管理用户所需的最小权限,建议设置系统管理员、安全管理员以及审计管理员的账号,并根据角色的职责分配相应的权限
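rem Create one account per administrative role. "*" prompts for each password
rem so it is typed at the console rather than left in command history or visible
rem to process listings; /Y skips the confirmation for passwords longer than 14 chars.
net user system_admin * /add /Y
net user security_admin * /add /Y
net user audit_admin * /add /Y
rem Only the system administrator joins Administrators; the security and audit
rem roles stay standard users and receive their rights per role (least privilege).
net localgroup administrators system_admin /add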
- 取消勾选所有用户账号“常规”属性中的“密码永不过期”,建议部署密码到期提醒的监控
rem Clear "password never expires" on every local account (no WHERE filter, so
rem built-in and any service accounts are included), then list the enabled ones
rem to confirm. Check any local service account whose password may now expire.
wmic path Win32_UserAccount set PasswordExpires=True
wmic path Win32_UserAccount where "Disabled='FALSE'" get Disabled,Domain,Name,PasswordExpires
- 账户权限最小化,查看属于 Administrators 组的用户是否必须,不存在权限分配不当的情况
rem List the members of Administrators; every entry must be justified by a role.
net localgroup administrators
- 应及时删除或停用多余的、过期的账户,避免共享账户的存在,示例 禁用 Guest(来宾)账号
rem Disable the built-in Guest account (/active:no keeps the account but blocks logon).
net user guest /active:no
设置本地安全策略
计算机配置-Windows设置-安全设置
- 通过 secedit 配置组策略,其中 [System Access] 对应 帐户策略{密码策略,帐户锁定策略},[Event Audit] 对应 本地策略{审核策略},[Registry Values] 对应 本地策略{安全选项},[Privilege Rights] 对应 本地策略{用户权限分配},而 S-1-5-32-544 即 Administrators组 的SID
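rem Build a security template and apply it with secedit.
rem Sections: [System Access] = Account Policies (password / lockout),
rem [Event Audit] = Local Policies\Audit Policy, [Registry Values] = Security
rem Options, [Privilege Rights] = User Rights Assignment. S-1-5-32-544 is the
rem SID of the local Administrators group.
set SECPOL=c:\secpol.cfg
echo [Unicode] > %SECPOL%
echo Unicode=yes >> %SECPOL%
echo [System Access] >> %SECPOL%
rem Password age in days, length in characters, history in passwords remembered.
echo MinimumPasswordAge = 7 >> %SECPOL%
echo MaximumPasswordAge = 90 >> %SECPOL%
echo MinimumPasswordLength = 8 >> %SECPOL%
echo PasswordComplexity = 1 >> %SECPOL%
echo PasswordHistorySize = 5 >> %SECPOL%
rem Lock out after 5 bad attempts; counter resets after 20 min; locked for 30 min
rem (Windows expects LockoutDuration to be at least ResetLockoutCount).
echo LockoutBadCount = 5 >> %SECPOL%
echo ResetLockoutCount = 20 >> %SECPOL%
echo LockoutDuration = 30 >> %SECPOL%
echo RequireLogonToChangePassword = 0 >> %SECPOL%
echo ForceLogoffWhenHourExpire = 1 >> %SECPOL%
rem NOTE: NewAdministratorName / NewGuestName rename the built-in accounts. If the
rem built-in administrator was already renamed (e.g. to appadmin), put that name
rem here, otherwise applying this template renames it back to "Administrator".
echo NewAdministratorName = "Administrator" >> %SECPOL%
echo NewGuestName = "Guest" >> %SECPOL%
echo ClearTextPassword = 0 >> %SECPOL%
echo LSAAnonymousNameLookup = 0 >> %SECPOL%
echo EnableAdminAccount = 1 >> %SECPOL%
echo EnableGuestAccount = 0 >> %SECPOL%
echo [Event Audit] >> %SECPOL%
rem 3 = audit both success and failure. (The duplicate AuditSystemEvents line of
rem the original template was dropped; it set the same value twice.)
echo AuditSystemEvents = 3 >> %SECPOL%
echo AuditLogonEvents = 3 >> %SECPOL%
echo AuditObjectAccess = 3 >> %SECPOL%
echo AuditPrivilegeUse = 3 >> %SECPOL%
echo AuditPolicyChange = 3 >> %SECPOL%
echo AuditAccountManage = 3 >> %SECPOL%
echo AuditProcessTracking = 3 >> %SECPOL%
echo AuditDSAccess = 3 >> %SECPOL%
echo AuditAccountLogon = 3 >> %SECPOL%
echo [Registry Values] >> %SECPOL%
rem Format: <path>=<type>,<value>; type 4 = REG_DWORD, 7 = REG_MULTI_SZ (empty list).
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1 >> %SECPOL%
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0 >> %SECPOL%
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 >> %SECPOL%
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 >> %SECPOL%
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 >> %SECPOL%
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7 >> %SECPOL%
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7, >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7, >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,31 >> %SECPOL%
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 >> %SECPOL%
echo [Privilege Rights] >> %SECPOL%
rem Restrict these rights to Administrators only.
rem NOTE(review): SeSecurityPrivilege (manage auditing and the security log) is
rem limited to Administrators here; if audit_admin is meant to manage the logs
rem without being an administrator, add that account to this line.
echo SeShutdownPrivilege = *S-1-5-32-544 >> %SECPOL%
echo SeRemoteShutdownPrivilege = *S-1-5-32-544 >> %SECPOL%
echo SeSecurityPrivilege = *S-1-5-32-544 >> %SECPOL%
echo SeLockMemoryPrivilege = *S-1-5-32-544 >> %SECPOL%
echo SeManageVolumePrivilege = *S-1-5-32-544 >> %SECPOL%
echo [Version] >> %SECPOL%
echo signature="$CHICAGO$" >> %SECPOL%
echo Revision=1 >> %SECPOL%
rem Export the current policy first so the change can be rolled back by
rem applying c:\bak.secpol.cfg the same way.
secedit /export /cfg c:\bak.secpol.cfg /quiet
rem Validate the template syntax; fix any reported line before applying it.
secedit /validate %SECPOL%
secedit /configure /db c:\sec.sdb /cfg %SECPOL% /quiet
gpupdate /force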
- 由于修改组策略就是在修改注册表中的配置,所以上述 [Registry Values] 中的策略依次对应如下:
rem Registry equivalents of the [Registry Values] template section (same values);
rem use these where secedit is not an option.
rem Session Manager: wipe the page file at shutdown.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f
rem Logon screen: no shutdown without logon, hide the last user name, keep Ctrl+Alt+Del required.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ShutdownWithoutLogon /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCAD /t REG_DWORD /d 0 /f
rem Recovery Console: both security options left off (these map to the two
rem "Recovery console" entries under Security Options).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SetCommand /t REG_DWORD /d 0 /f
rem Warn users 7 days before their password expires.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning /t REG_DWORD /d 7 /f
rem LSA: restrict anonymous SAM and share enumeration, do not store domain
rem credentials for network authentication, keep anonymous out of Everyone,
rem and allow blank passwords for console logon only.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableDomainCreds /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
rem Remote registry: no paths reachable remotely (empty multi-string lists).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" /v Machine /t REG_MULTI_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f
rem Server service: no null-session access to shares and pipes.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 1 /f
rem Netlogon: machine account password rotates every 31 days and is not disabled.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v MaximumPasswordAge /t REG_DWORD /d 31 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DisablePasswordChange /t REG_DWORD /d 0 /f
计算机配置-管理模板-Windows组件-远程桌面服务
- [暂无脚本支持] 远程桌面会话主机-安全,找到“设置客户端连接加密级别”,启用并设置为 高级别
- [暂无脚本支持] 远程桌面会话主机-安全,找到“远程(RDP)连接要求使用指定的安全层”,启用并设置安全层为 SSL
- [暂无脚本支持] 远程桌面会话主机-安全,找到“要求使用网络级别的身份验证对远程连接的用户进行身份验证”,启用之
- [暂无脚本支持] 远程桌面会话主机-会话时间限制,找到“设置活动但空闲的远程桌面服务会话的时间限制”,启用并设置空闲会话限制 15分钟
屏幕保护
- [暂无脚本支持] 启用屏幕保护程序,若操作系统未激活则无法配置
#.手动配置
路径:桌面右键-个性化-锁屏界面-屏幕保护程序设置
设置:屏幕保护设置:气泡,等待:10分钟,勾选:在恢复时显示登录屏幕
rem 以下脚本部分生效...
rem Screen saver for the current user: active, password required on resume,
rem 600 s idle (the 10 minutes set by hand above), Bubbles screen saver.
rem These live under HKEY_CURRENT_USER, so they only cover the account running
rem this; other accounts need the same values or a policy, hence "partly effective".
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600 /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "C:\Windows\system32\Bubbles.scr" /f
日志保存时间设置
- 开启日志审计服务
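rem Set the start type before starting: "net start" fails while a service is
rem still disabled, so the original order could leave the service stopped.
sc config EventLog start= auto
net start EventLog /yes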
- 应对审计记录进行保护,定期备份,避免受到未预期的删除、修改或覆盖等,示例 调整Windows日志最大64MB,可以保证180天留存
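rem Raise each log's maximum size to 64 MB (67108864 bytes) so old events are
rem not overwritten early; size it from the real event rate if 180 days is the goal.
wevtutil set-log security /maxsize:67108864
wevtutil set-log system /maxsize:67108864
wevtutil set-log application /maxsize:67108864
wevtutil set-log setup /maxsize:67108864
wevtutil gl application
rem Export with wevtutil instead of copying the live .evtx files: the default
rem log location is %SystemRoot%\System32\winevt\Logs (not c:\System32) and the
rem files are in use by the Event Log service, so a plain copy may fail or be
rem inconsistent. The date suffix assumes a yyyy-mm-dd style %date%; adjust the
rem substrings for other locales. Move the exports off the system volume or to
rem a remote store afterwards so a local compromise cannot erase them.
wevtutil export-log Application c:\Application.%date:~0,4%%date:~5,2%%date:~8,2%.evtx
wevtutil export-log Security c:\Security.%date:~0,4%%date:~5,2%%date:~8,2%.evtx
wevtutil export-log Setup c:\Setup.%date:~0,4%%date:~5,2%%date:~8,2%.evtx
wevtutil export-log System c:\System.%date:~0,4%%date:~5,2%%date:~8,2%.evtx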
- [可选] 建议修改“常规”下的“日志路径”,存储路径更改为非系统分区(注:更改日志默认存储路径,需注销或重启生效)
入侵防范
- 确认操作系统已激活,并及时更新补丁
rem Activation status, then a spot check for two sample patches; replace the KB
rem numbers with the ones required for the build in use.
slmgr /dli
wmic path Win32_QuickFixEngineering get HotFixID | findstr "KB2696020 KB2699817"
- 卸载不需要的应用程序,建议根据如下命令返回的应用程序名称自查:
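rem Inventory installed software from the Uninstall keys (64-bit and 32-bit views).
rem This replaces "wmic product get ...": querying Win32_Product makes Windows
rem Installer run a consistency check on every MSI package, which is slow and can
rem trigger repairs. Query DisplayVersion or Publisher the same way if needed.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName
rem Remove anything not needed through Programs and Features.
appwiz.cpl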
- 删除不需要的默认共享
rem Remove the administrative shares now and stop the Server service from
rem recreating them at start-up (the two Auto-share switches). Deleting IPC$
rem and ADMIN$ may also break remote administration that depends on them; the
rem listing at the end should come back empty.
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share g$ /delete
net share ipc$ /delete
net share admin$ /delete
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
net share
- 启用必要的服务,配置时间同步
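rem Set the start type before starting: "net start" fails while a service is
rem disabled, so the original order could leave it stopped.
sc config BITS start= auto
net start BITS /yes
sc config wuauserv start= auto
net start wuauserv /yes
sc config W32Time start= auto
net start W32Time /yes
rem Time sync. The example uses a single public peer; prefer an internal or
rem authenticated NTP source in production so log timestamps cannot be skewed by
rem an outside host. "/resync" is the documented switch form.
w32tm /config /manualpeerlist:ntp.aliyun.com /syncfromflags:manual /reliable:yes /update
w32tm /resync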
- 禁用不需要的系统服务
rem Stop and disable services a hardened application server does not need.
rem "sc config" runs before "net stop" so nothing can restart the service in
rem between; "/yes" answers the prompt to stop dependent services as well.
rem Re-check each one against the host's actual role before running:
rem   Dhcp         - the host must have a static IP afterwards
rem   LanmanServer - no SMB shares at all (admin shares included) after this
rem   WinRM        - remote PowerShell / WinRM management stops working
rem   Spooler      - no printing
rem   Browser      - may not exist on recent builds; that error can be ignored
sc config Browser start= disabled
net stop Browser /yes
sc config WinHttpAutoProxySvc start= disabled
net stop WinHttpAutoProxySvc /yes
sc config RemoteRegistry start= disabled
net stop RemoteRegistry /yes
sc config SCardSvr start= disabled
net stop SCardSvr /yes
sc config SCPolicySvc start= disabled
net stop SCPolicySvc /yes
sc config Spooler start= disabled
net stop Spooler /yes
sc config RemoteAccess start= disabled
net stop RemoteAccess /yes
sc config Dhcp start= disabled
net stop Dhcp /yes
sc config W3SVC start= disabled
net stop W3SVC /yes
sc config SMTP start= disabled
net stop SMTP /yes
sc config RasMan start= disabled
net stop RasMan /yes
sc config LanmanServer start= disabled
net stop LanmanServer /yes
sc config PhoneSvc start= disabled
net stop PhoneSvc /yes
sc config WerSvc start= disabled
net stop WerSvc /yes
sc config FontCache start= disabled
net stop FontCache /yes
sc config WinRM start= disabled
net stop WinRM /yes
sc config lmhosts start= disabled
net stop lmhosts /yes
sc config iphlpsvc start= disabled
net stop iphlpsvc /yes
- 启用防火墙,禁用高危端口,示例仅开放了 80、443、3389、13149 端口(对所有来源地址开放),请根据实际情况调整
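rem Default-deny inbound / allow outbound, then replace the rule set. The
rem firewall stays ON throughout: turning it off first (as the original did)
rem leaves the host unfiltered while the rules are being rewritten.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
rem Add the explicit allow and block rules first ...
netsh advfirewall firewall add rule name="permit_ping_echo_request" protocol=ICMPv4 dir=in action=allow
netsh advfirewall firewall add rule name="permit_http_tcp_80" protocol=TCP dir=in localport=80 action=allow
netsh advfirewall firewall add rule name="permit_https_tcp_443" protocol=TCP dir=in localport=443 action=allow
netsh advfirewall firewall add rule name="permit_mstsc_3389" protocol=TCP dir=in localport=3389 action=allow
netsh advfirewall firewall add rule name="permit_mstsc_13149" protocol=TCP dir=in localport=13149 action=allow
netsh advfirewall firewall add rule name="block_in_tcp_135_137_138_139_445" protocol=TCP dir=in localport=135,137,138,139,445 action=block
netsh advfirewall firewall add rule name="block_in_udp_135_137_138_139_445" protocol=UDP dir=in localport=135,137,138,139,445 action=block
netsh advfirewall firewall add rule name="block_out_tcp_135_137_138_139_445" protocol=TCP dir=out localport=135,137,138,139,445 action=block
netsh advfirewall firewall add rule name="block_out_udp_135_137_138_139_445" protocol=UDP dir=out localport=135,137,138,139,445 action=block
rem ... then disable every rule, built-in ones included (this also covers core
rem networking rules such as the DHCP client, so use static addressing or
rem re-enable that rule), and switch only the named rules back on.
netsh advfirewall firewall set rule name=all dir=in new enable=no
netsh advfirewall firewall set rule name=all dir=out new enable=no
netsh advfirewall firewall set rule name="permit_ping_echo_request" new enable=yes
netsh advfirewall firewall set rule name="permit_http_tcp_80" new enable=yes
netsh advfirewall firewall set rule name="permit_https_tcp_443" new enable=yes
netsh advfirewall firewall set rule name="permit_mstsc_3389" new enable=yes
netsh advfirewall firewall set rule name="permit_mstsc_13149" new enable=yes
netsh advfirewall firewall set rule name="block_in_tcp_135_137_138_139_445" new enable=yes
netsh advfirewall firewall set rule name="block_in_udp_135_137_138_139_445" new enable=yes
netsh advfirewall firewall set rule name="block_out_tcp_135_137_138_139_445" new enable=yes
netsh advfirewall firewall set rule name="block_out_udp_135_137_138_139_445" new enable=yes
rem Run this from a console or out-of-band session when possible: an RDP session
rem may drop in the moment between "disable all" and re-enabling its allow rule.
netsh advfirewall set allprofiles state on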
- 调整远端桌面的连接选项,并修改远端桌面端口,示例将远端桌面端口由默认的 3389 改为 13149,若为公有云服务器则需要调整安全组及防火墙
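rem Enable Remote Desktop (fDenyTSConnections=0) and move the listener to 13149.
rem The port change takes effect only after the Remote Desktop Services service
rem is restarted or the host reboots, and it needs the matching inbound firewall
rem rule (permit_mstsc_13149) plus any cloud security-group change.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 13149 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 13149 /f
rem Listener-level settings for the Remote Desktop policies listed above that
rem had no script: require Network Level Authentication, use TLS as the security
rem layer (2) and High encryption (3). A Group Policy that sets the same items
rem takes precedence over these values.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 3 /f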
- 建议安装主机层面的入侵检测系统,例如 免费的Snort
- 建议安装恶意代码防护软件进行病毒防护,例如 火绒、360 等杀毒软件
双因素验证
- 应采用口令、密码技术、生物技术等两种或两种以上组合的鉴别技术对用户进行身份鉴别,建议使用堡垒机进行机器的远程管理
数据安全
- 禁用telnet等明文传输服务,采用安全的数据传输服务
- 重要信息进行加密存储,保证保密性
- 建议对服务器及重要数据设置备份机制,比如快照、整机备份、异地备份、移动硬盘保存等
- 建议对重要的数据处理系统尽量采用冗余方式部署
基线检查整改参考
- 删除hosts文件下可疑的静态DNS解析,确认程序没有使用hosts绑定域名
rem Back up today's hosts file (the date suffix assumes a yyyy-mm-dd style
rem %date%), empty it, then print it to confirm nothing is left. Any name the
rem server relied on from hosts must be moved to DNS first.
copy /y C:\Windows\system32\drivers\etc\hosts c:\bak.hosts.%date:~0,4%%date:~5,2%%date:~8,2%
type NUL > C:\Windows\system32\drivers\etc\hosts
type C:\Windows\system32\drivers\etc\hosts
- 删除MRU并禁用SMBDevice和IPv6
rem Clear the Run-dialog history and have recent-documents lists wiped at logoff
rem for the current user, the machine policy and the default profile.
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f
reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f
rem SMBDeviceEnabled=0 turns off SMB direct hosting over TCP/445. DisabledComponents
rem 17 (0x11) reportedly disables IPv6 on tunnel and non-tunnel interfaces per
rem Microsoft's DisabledComponents bit table (0xFF for everything but loopback);
rem verify the bit value against current documentation. Both need a reboot.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v SMBDeviceEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" /v DisabledComponents /t REG_DWORD /d 17 /f
- 启用 TLS 1.2 / 1.3,禁用 TLS 1.0 / 1.1
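rem Explicitly enable TLS 1.2 on both the client and server side of SCHANNEL.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
rem Disabling TLS 1.0 / 1.1 needs Enabled=0 and DisabledByDefault=1 on client and
rem server; enabling 1.2 alone leaves the older protocols negotiable.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
rem TLS 1.3 has no separate key on older builds; where the OS supports it, it is
rem on by default. SCHANNEL changes generally take effect after a reboot, so
rem verify with a TLS scan after rebooting, not just with the query below.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
rem Restarting Explorer presumably picks up the Explorer policy values set earlier;
rem it does not reload SCHANNEL.
taskkill /im explorer.exe /f
start C:\WINDOWS\explorer.exe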
- 以下是基线检查整改所涉及的部分脚本,仅供参考:
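echo 禁用ICMP重定向
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
echo Syn flood 攻击保护
rem NOTE(review): SynAttackProtect, TcpMaxHalfOpen*, TcpMaxPortsExhausted and,
rem below, TcpMaxDataRetransmissions, EnableDeadGWDetect and
rem TcpMaxConnectResponseRetransmissions are legacy TCP/IP stack parameters;
rem newer stacks reportedly ignore them, so treat them as harmless rather than
rem as protection and rely on the firewall / upstream filtering instead.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxPortsExhausted /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen /t REG_DWORD /d 500 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 400 /f
echo 关闭自动播放
rem 255 (0xFF) disables AutoRun on every drive type.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
echo 禁止产生dump文件
rem 0 = no memory dump on crash (a dump can hold secrets; weigh that against
rem the loss of crash diagnostics).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0 /f
echo 检查对注册表信息更新
rem KeepAliveTime is in milliseconds (300000 = 5 min).
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v KeepAliveTime /t REG_DWORD /d 300000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxDataRetransmissions /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableDeadGWDetect /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxConnectResponseRetransmissions /t REG_DWORD /d 2 /f
rem DisableIPSourceRouting: 1 = do not forward source-routed packets; 2 drops all
rem incoming source-routed packets and is the stricter choice if nothing needs them.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f
rem AutoAdminLogon is a REG_SZ value in Winlogon (the original wrote it as
rem REG_DWORD); "0" ensures no automatic logon. Also remove any DefaultPassword
rem stored there in clear text; the delete errors harmlessly if it is absent.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f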