Windows的一键安检脚本
2024-05-20 01:25:15
批量处理服务器的运维人员可以自己改改用。
1、这个批处理依赖Sysinternals的两个小工具,以及windows自带的WMIC。
用于检测启动项的autorunsc64.exe: https://docs.microsoft.com/zh-cn/sysinternals/downloads/autoruns
用于检查文件数字签名的sigcheck64.exe: https://docs.microsoft.com/zh-cn/sysinternals/downloads/sigcheck
2、执行完后,文件都拷贝到c:\tool目录,c:\tool\backup中会留下原始记录,便于后续来查看。
::查询用户(Administrator是否改名、是否有其他启用的Administrators组用户)
::查询启动项(是否有非系统默认的启动项)
::查询进程(是否有非白名单进程)
::查询防火墙(是否开启,是否屏蔽了某些特殊端口,仅对必要的ip开放)
::查询TCP监听(是否仅监听了必要的端口)
::密码和日志审计策略设置
::--------------------------------------------------------
::input: null
::output: Success|Failed\r\nReason
::-------------------------------------------------------- ::关闭命令回显,执行时不显示每条命令的命令行,@表示本行也不显示
@echo off
if not exist "c:\tool\backup\" (mkdir c:\tool\backup\)
del /f /q c:\tool\securitycheck.lock > nul 2>&1ver | find "5.2" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "6.1" >nul
if %ERRORLEVEL% == 0 goto ver_2008
ver | find "6.2" > nul
if %ERRORLEVEL% == 0 goto ver_2012
ver | find "6.3" > nul
if %ERRORLEVEL% == 0 goto ver_2012R2
goto warnthenexit::--------------------------------------------------------
::-- Function section starts below here
::-------------------------------------------------------- :echofail
if not exist "c:\tool\securitycheck.lock" (echo Failedecho 1 > c:\tool\securitycheck.lock
)
goto:eof:checksign
::检查文件签名
::call:checksign "c:\windows\system32\notepad.exe" buff
::return: unsigned | microsoft signed
if not exist "c:\tool\sigcheck64.exe" (copy sigcheck64.exe c:\tool\ >nul)set "filepath=%~f1"if not "%filepath%" EQU "" (if exist "%filepath%" (for /f "usebackq tokens=2,4 delims=," %%i in (`c:\tool\sigcheck64.exe /accepteula /c /nobanner "%filepath%" ^| find /i "signed"`) do (if %%i EQU "Signed" (if /i %%j EQU "Microsoft Corporation" (set "%2=microsoft signed"goto:eof)if /i %%j EQU "Microsoft Windows" (set "%2=microsoft signed"goto:eof)if /i %%j EQU "Microsoft" (set "%2=microsoft signed"goto:eof)) else (set "%2=unsigned"goto:eof))) else ( set "%2=file not exist" ))
goto:eof:checkuser
::查询用户(Administrator是否改名、Guest是否禁用、是否有其他启用的Administrators组用户)
setlocal enabledelayedexpansion
set flag=0
::因为wmic输出的是unicode格式,其他命令输出ASCII的,两个放一块就乱码了。
wmic useraccount list full | more >> c:\tool\backup\backup.log
for /f "tokens=1 delims= " %%i in ('wmic useraccount list status^|find "OK"') do (set domainusername=%%iset username=!domainusername:*\=!::echo !username!if /i "!username!" EQU "administrator" (call:echofailecho you should rename administrator exit /b 1)if /i "!username!" EQU "guest" (call:echofailecho you should deny guestexit /b 1)for /f "usebackq tokens=1 delims= " %%a in (`net user !username!^|find /i "Administrator"`) do (if "%%a" NEQ "" (set flag=!flag!+1))
)
if !flag! GTR 1 (call:echofailecho not only one adminexit /b 1
)
setlocal disabledelayedexpansion
goto:eof:checkstartup
::查询启动项(是否有非系统默认的启动项)
setlocal enabledelayedexpansion
set flag=0
if not exist "c:\tool\autorunsc64.exe" (copy autorunsc64.exe c:\tool\ >nul)
c:\tool\autorunsc64.exe /accepteula /m /s /nobanner | more>> c:\tool\backup\backup.log
for /f "tokens=10 delims=," %%i in ('c:\tool\autorunsc64.exe /accepteula /m /s /nobanner /c^| find /i "exe" ^| find /v "winvnc.exe" ^| find /v "rdpclip.exe"^| find /v "WinMail.exe" ^|find /v "AlternateShell"') do (if "%%i" GTR "" (if !flag! EQU 0 (set /A flag=1call:echofail)echo startup NOT in whitelist: %%i)
)
if !flag! EQU 1 (exit /b 1
)
setlocal disabledelayedexpansion
goto:eof:ProcessWhiteList
::保存进程白名单,并且与传入的进程名进行对比,增加需要修改list[]和list_length
set list[0]=c:\SSHD\bin\cygrunsrv.exe
set list[1]=C:\SSHD\sbin\sshd.exe
set list[2]=C:\Program Files\GCloud\gcloudagent.exe
set list_length=3set list_index=0
:loopstart
if !list_index! EQU !list_length! (::循环匹配白名单结束,检查签名开始set buff=call:checksign "%~f1" buffif "!buff!" EQU "microsoft signed" (set buff=goto:eof)::签名也不是微软的,报错吧set buff=process NOT in whitelist: "%~f1"set /A list_index=0goto:eof
)
for /f "usebackq tokens=2 delims==" %%a in (`set list[!list_index!]`) do (if /i "%~f1" == "%%~fa" (::echo process in whitelist: "%~f1"set buff=set /A list_index=0goto:eof )
)
set /A list_index=!list_index!+1
goto:loopstart:checkprocess
::查询进程(是否有非白名单进程)
setlocal enabledelayedexpansion
set flag=0
wmic process get ExecutablePath | more >> c:\tool\backup\backup.log
for /f "usebackq tokens=* delims= " %%i in (`wmic process get ExecutablePath^|findstr -v "ExecutablePath"`) do (set "name=%%i"set "name=!name:~,-1!"if /i not "!name!" == "" (set "name=%%~fi"call :ProcessWhiteList "!name!"if not "!buff!" == "" (if !flag! EQU 0 (set /A flag=1call:echofail)echo !buff!set buff=))
)
if !flag! EQU 1 (exit /b 1
)
setlocal disabledelayedexpansion
goto:eof:checkfirewall
::查询防火墙(是否开启,某些端口是否做了IP限制)
setlocal enabledelayedexpansion
set flag=0
netsh advfirewall firewall show rule name=all dir=in type=dynamic status=enabled >> c:\tool\backup\backup.log
for /f "usebackq tokens=1,2 delims= " %%i in (`netsh advfirewall show currentprofile ^| findstr "状态.*启用"`) do (::英文系统会有问题if not "%%j"=="启用" (set /A flag=1 )
)
for /f "usebackq tokens=1,2,3 delims= " %%i in (`netsh advfirewall firewall show rule name^=all dir^=in type^=dynamic status^=enabled ^| findstr "IP"`) do (::批处理的坑是如果findstr没找到内容,是不执行for循环内的代码的echo %%k | findstr "8.8.8.8 !!!这里换成你的公司出口ip!!!" >nul && set "a=yes" || set "a=no"if "!a!" EQU "yes" (set /A flag=2 )
)
if !flag! EQU 1 (call:echofailecho firewall is offexit /b 1
)
if !flag! EQU 0 (call:echofailecho firewall config errorexit /b 1
)
setlocal disabledelayedexpansion
goto:eof:PortWhiteList
set "portwhitelist=135 445 3389 47001 end"
set tmp=!portwhitelist!
:tcploop
::循环匹配白名单
for /f "tokens=1,*" %%m in ("!tmp!") do (if "%%m" EQU "%~1" (set buff=goto:eof) set tmp=%%n
)
if not "!tmp!" EQU "end" goto tcploop
::动态或私有端口:49152to65535或1025to103X只能checksign,微软的签名就不管,不是微软签名的就报出来
set "pid=%2"
for /f "usebackq tokens=*" %%a in (`wmic process where processid^=!pid! get ExecutablePath /value`) do (set "line=%%a"set "line=!line:~,-1!"if "!line!" GTR "" ((echo !line!|findstr -i "ExecutablePath">nul)&&(set "filepath=!line:~15!")if "!filepath!" GTR "" (set buff=call:checksign !filepath! buffif "!buff!" EQU "microsoft signed" (set buff=goto:eof)))
)
set buff=port NOT in whitelist: %~1
goto:eof:checktcp
::查询TCP监听(是否仅监听了必要的端口)
setlocal enabledelayedexpansion
set flag=0
netstat -ano | find "LISTEN" | find "0.0.0.0" | find /v "127.0.0.1" >> c:\tool\backup\backup.log
for /f "usebackq tokens=2,5 delims= " %%i in (`netstat -ano ^| find "LISTEN" ^| find "0.0.0.0" ^| find /v "127.0.0.1"`) do (set "port=%%i" set "port=!port:*:=!"set "pid=%%j"call :PortWhiteList !port! !pid!if not "!buff!" == "" (if !flag! EQU 0 (set /A flag=1call:echofail)echo !buff!set buff=)
)
if !flag! EQU 1 (exit /b 1
)
setlocal disabledelayedexpansion
goto:eof:secedit
::密码和日志审计策略设置
setlocal enabledelayedexpansion
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v MaxUserPort /t REG_DWORD /d 65534 /f >nul
if not exist "c:\tool\celue.inf" (copy celue.inf c:\tool\ >nul)
secedit /configure /db c:\tool\celue.sdb /CFG c:\tool\celue.inf >nul
setlocal disabledelayedexpansion
goto:eof::--------------------------------------------------------
::-- System section starts below here
::-------------------------------------------------------- :ver_2012
::Run Windows Server 2012 specific commands here.
::echo 2012
set flag=0
::buff全局变量 用来接收各种函数的返回值
set buff=call:checkuser
if %ERRORLEVEL% GTR 0 (set /A flag=%flag%+1)
call:checkstartup
if %ERRORLEVEL% GTR 0 (set /A flag=%flag%+1)
call:checkprocess
if %ERRORLEVEL% GTR 0 (set /A flag=%flag%+1)
call:checkfirewall
if %ERRORLEVEL% GTR 0 (set /A flag=%flag%+1)
call:checktcp
if %ERRORLEVEL% GTR 0 (set /A flag=%flag%+1)
call:secedit
if %ERRORLEVEL% GTR 0 (set /A flag=%flag%+1)if %flag% GTR 0 goto exit
goto succ:ver_2012R2
::Run Windows Server 2012 R2 specific commands here.
goto:ver_2012
echo Failed
echo Win2012R2
goto exit:ver_2008
::Run Windows Server 2008 specific commands here.
goto:ver_2012
echo Failed
echo Win2008
goto exit:ver_2003
::Run Windows Server 2003 specific commands here.
echo Failed
echo Win2003
goto exit::--------------------------------------------------------
::-- END!
::--------------------------------------------------------
:warnthenexit
echo Failed
echo system unknown
goto exit:succ
echo Success
goto end:exit
del /f /q c:\tool\securitycheck.lock > nul 2>&1
goto end:endWindows的一键安检脚本相关推荐
- 大数据生态(六)zookeeper集群部署(Linux和Windows[含一键启动脚本])
目录 前言 1.解压安装Zookeeper到/e3base/zookeeper目录下 2 .创建$E3_INFO_HOME/zookeeper目录 3 .创建数据目录和日志目录 4.配置环境变量 4. ...
- 【PC工具】windows批处理脚本一键bat脚本编辑器,bat转exe工具使用方法,附helloworld参考例程...
今天给大家分享一个windows的批处理文件(.bat文件)转exe可执行文件的工具.先感谢开源大神们为我们提供这些NB的软件(下边那个F..K..的名字好像是作者哈) 先向大神致敬,感谢大神的辛苦付 ...
- Frps一键安装脚本,带Frpc Windows便捷启动脚本
说明:Frp估计很多人都用过,一个高性能的内网穿透工具,支持tcp.udp.http.https协议,安装和使用教程可以直接查看官方中文文档→传送门,写的超详细.这里博主分享个某大佬写的Frps一键脚 ...
- windows截图保存自动化脚本以及设置快捷键一键运行
1. 获取需截图区域的左上(x1, y1)和右下(x2, y2)两个点的坐标 import pyautogui as pag x,y = pag.position() 2. 截图自动保存(img_sa ...
- windows系统一键关停系统的脚本
背景 在windows系统使用的程序如果分组件的话,肯定需要一键启动,一键杀死,本文内容就来聊聊一键杀死系统的组件,从而实现关停系统. 参考资料 https://jingyan.baidu.com/a ...
- *** Python版一键安装脚本
本脚本适用环境: 系统支持:CentOS 6,7,Debian,Ubuntu 内存要求:≥128M 日期:2018 年 02 月 07 日 关于本脚本: 一键安装 Python 版 *** 的最新版. ...
- 源码编译安装Apache-附一键部署脚本
1.进入apache官网https://www.apache.org/,点击Download 2.如图选择 3.选择httpd 4.下载两个包,2.2为CentOS6使用,2.4为CentOS7使用 ...
- [转] *** 一键安装脚本(四合一)
[from] https://teddysun.com/486.html 本脚本适用环境 系统支持:CentOS 6+,Debian 7+,Ubuntu 12+ 内存要求:≥128M 日期 :2017 ...
- You-Get, Annie 视频下载器 一键安装脚本
受限于 CSDN 的审核,本文章以后不再跟进更新.最后编辑于 2020-04-10 . 视频下载器 一键配置脚本 (Windows) 快速配置和使用 You-Get , *******-dl , An ...
最新文章
- Objective-C语言中对象相等性与指针相等分析。
- python 周末大作业之2
- javascript怎么监听 form.submit事件
- 南卫理公会大学计算机科学,南卫理公会大学哪个专业好?
- rabbitmq文档
- 写一个公用的gpio口驱动
- PL/SQL Developer中文版下载以及使用图解(绿色版)
- RocketMQ架构
- SQL Server 新增数据表数据
- GO语言学习之路14
- css3中的box-sizing的用法
- ARCHPR4.54破解版
- xp系统做无盘服务器,锐起无盘网吧系统无盘XP系统特点
- JS中三个点(...)是什么鬼?
- 嵌入式硬件-读懂原理图
- 记录uni-app的时间选择器
- 亚马逊AWS云服务器 ubuntu系统登陆教程
- Mac Mounty正常卸载方法(mount failed异常解决)
- 密码的自动生成器:密码由大写字母/小写字母/数字组成,生成12位随机密码
- c语言程序设计(西安理工大学),C语言程序设计-西安理工大学三电实验教学中心!.doc...