Batch scripts (Batch)

Batch (.bat) scripts that improve server security

Also called batch scripts. As the name suggests, a batch file processes a set of objects in bulk. It is generally regarded as a simplified scripting language used on DOS and Windows systems, and its file extension is .bat. Two kinds are common: DOS batch and PowerShell (PS) batch. PS batch scripts are built on Microsoft's PowerShell and are used to automate sets of tasks; DOS batch scripts are built on DOS/cmd commands and run them automatically to carry out a particular operation. More complex cases use commands such as if, for and goto to control the flow of the program, much as higher-level languages such as C or Basic do. More complex applications need external programs: the external commands the system itself provides and tools or software from third parties. Although a batch program runs in the command-line environment, it is not limited to command-line software; any program that can run on the current system can be launched from a batch file.

禁止文件夹联网.bat (block a folder's programs from the network)

Creates an inbound and an outbound block rule for every .exe under a chosen folder (subfolders included), so nothing in that folder can use the network. This is a cheap way to fence in upload directories or third-party tools on a server. Two caveats: Windows Firewall program rules match on the executable's full path, so a binary that is copied elsewhere, renamed, or added to the folder after the script ran is not covered (re-run the script after deployments); and the rules block only the listed executables, not DLLs or scripts those executables might be loaded by. Check the result afterwards with netsh advfirewall firewall show rule name=all and look for the "blocked ... via script" names.

@Echo Off
SetLocal

:begin

echo:
echo ****** Block folder from network ******
echo:

set /p folder=Enter the folder (close the window to quit): 
:: An empty answer would otherwise pass the exists-check ("\" is the drive root) and fence the current directory
If "%folder%"=="" Exit /B
If Not Exist "%folder%\" Exit /B
:: Work from inside the folder so FOR /R enumerates it; quote the path in case it contains spaces
If /I "%CD%" NEq "%folder%" PushD "%folder%"
Set "Cmnd=netsh advfirewall firewall add rule action=block"
echo:
:: FOR /R walks subfolders too; %%a expands to the full path, which netsh requires for program=
For /R %%a In (*.exe) Do (For %%b In (in out) Do (
      echo Creating %%b block rule [%%a]
      %Cmnd% name="blocked %%a via script" dir=%%b program="%%a"))

echo:
echo Done: inbound and outbound block rules were created for every exe under %folder%
echo ----------------------------
echo:
PopD

goto begin
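The same folder fence in PowerShell, as an added example rather than code from the page: it creates one inbound and one outbound block rule per executable with New-NetFirewallRule, tags them with a rule group so they can be listed and removed together, and then verifies that every executable is covered in both directions (the check the batch script does not do). The folder path and the group name are assumptions.

```powershell
# Added example (not from the original page): fence every .exe under a folder with
# Windows Firewall program rules, then verify the coverage and, if needed, remove them.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or newer (NetSecurity module).
param(
    [string]$Folder = 'C:\inetpub\uploads',   # assumed path; change to the folder you want fenced
    [string]$Group  = 'FolderFence'           # assumed group tag used to find these rules again
)

function New-FolderFence {
    param([string]$Path, [string]$GroupName)
    $exes = Get-ChildItem -Path $Path -Filter '*.exe' -File -Recurse
    foreach ($exe in $exes) {
        foreach ($dir in 'Inbound', 'Outbound') {
            # Program rules match on the full path, so a copy of the binary elsewhere is NOT covered.
            New-NetFirewallRule -DisplayName "blocked $($exe.FullName) via script" `
                -Direction $dir -Action Block -Program $exe.FullName `
                -Group $GroupName -Profile Any -Enabled True | Out-Null
        }
    }
    return $exes.Count
}

function Test-FolderFence {
    # Report which executables under the folder still lack a block rule in either direction.
    param([string]$Path, [string]$GroupName)
    $rules = Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue
    $covered = @{}
    foreach ($r in $rules) {
        $app = $r | Get-NetFirewallApplicationFilter
        $covered["$($app.Program)|$($r.Direction)"] = $true
    }
    Get-ChildItem -Path $Path -Filter '*.exe' -File -Recurse | ForEach-Object {
        foreach ($dir in 'Inbound', 'Outbound') {
            if (-not $covered.ContainsKey("$($_.FullName)|$dir")) {
                [pscustomobject]@{ Program = $_.FullName; MissingDirection = $dir }
            }
        }
    }
}

function Remove-FolderFence {
    # Undo everything this script created, by group tag.
    param([string]$GroupName)
    Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

$count = New-FolderFence -Path $Folder -GroupName $Group
"Created rules for $count executable(s) under $Folder"
$gaps = @(Test-FolderFence -Path $Folder -GroupName $Group)
if ($gaps.Count -eq 0) { "All executables are fenced in both directions" } else { $gaps | Format-Table }
# To undo: Remove-FolderFence -GroupName $Group
```

Re-running the script after a deployment is safe: New-NetFirewallRule happily creates a second rule with the same display name, so call Remove-FolderFence first if you want a clean set rather than duplicates.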

一键修改3389为5678.bat (change the Remote Desktop port from 3389 to 5678)

The default Remote Desktop port on Windows servers is 3389, and most internal scans and pentests probe it first. If RDP must stay enabled, the safe approach is: 1. move it off 3389; 2. restrict which source IPs may connect. Changing the port only hides the service from lazy scanners (a full port scan still fingerprints RDP), so the source-IP restriction, Network Level Authentication and account lockout are what actually limit exposure. Note that the script below only adds an allow rule for the new port: the built-in "Remote Desktop" rules for 3389 remain and should be disabled once the new port is confirmed working, and the registry change only takes effect after the service restart at the end, which drops the current session.

@echo off
:setup
set port=5678
set /p port=Enter the new Remote Desktop port and press Enter (default 5678): 
:: Reject anything that is not a plain number; REG ADD below would otherwise fail or write garbage
echo %port%| findstr /r "^[0-9][0-9]*$" >nul || (echo Invalid port, try again & goto setup)
:: Both keys hold the RDP listener port: WinStations\RDP-Tcp is the active listener, Wds\Rdpwd\Tds\Tcp the template
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\Rdpwd\Tds\Tcp" /v PortNumber /t REG_DWORD /d %port% /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d %port% /f

@echo Adding a firewall rule to allow the new Remote Desktop port
set firewallrulename=Allow Remote Desktop Port
:: "show rule" sets errorlevel 1 when no rule of that name exists
netsh advfirewall firewall show rule name="%firewallrulename%" >nul
if not ERRORLEVEL 1 (
	@echo A firewall rule named %firewallrulename% already exists; deleting it and recreating it for the new port
netsh advfirewall firewall delete rule name="%firewallrulename%"
netsh advfirewall firewall add rule name="%firewallrulename%" dir=in protocol=tcp localport=%port% action=allow
) else (
	@echo Adding firewall rule %firewallrulename% to allow the Remote Desktop port
netsh advfirewall firewall add rule name="%firewallrulename%" dir=in protocol=tcp localport=%port% action=allow
)

@echo The Remote Desktop service will restart in 10 seconds and any remote session will be disconnected. Wait a moment, then reconnect on the new port
>nul ping 127.0.0.1 -n 10
net stop termservice /y && net start termservice >nul
@echo The Remote Desktop port has been changed. Press any key to exit
pause
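The two measures the paragraph above recommends, port change plus source-IP restriction, in PowerShell, as an added example that is not part of the page: it opens the new port only for the listed source addresses, disables the built-in 3389 rules, moves the listener, and confirms the service really listens on the new port before you hang up your session. The new port and the allowed address list are assumptions.

```powershell
# Added example (not from the original page): move RDP to a new port AND limit which
# source addresses may reach it, which the batch script above does not do.
# Run elevated on Windows 8 / Server 2012 or newer. The port and address list are assumptions.
param(
    [int]$NewPort = 5678,                                       # assumed new listener port
    [string[]]$AllowedSources = @('10.0.0.0/8', '192.168.1.50') # assumed admin network and jump host
)

function Set-RdpPort {
    param([int]$Port)
    if ($Port -lt 1024 -or $Port -gt 65535) { throw "Port $Port out of range (1024-65535)" }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    # The listener only rebinds after TermService restarts; this drops active RDP sessions.
    Restart-Service -Name TermService -Force
    return (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
}

function Set-RdpFirewall {
    param([int]$Port, [string[]]$Sources)
    # Replace any rule we created earlier, then allow the new port only from the listed sources.
    Get-NetFirewallRule -DisplayName 'RDP restricted (script)' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP restricted (script)' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $Sources -Profile Any | Out-Null
    # Disable the built-in 3389 rules so the old port is not left open beside the new one.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

function Test-RdpListener {
    param([int]$Port)
    # Confirm the service actually listens on the new port before you close the current session.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    return [bool]$listener
}

Set-RdpFirewall -Port $NewPort -Sources $AllowedSources   # open the door first, then move the service
$applied = Set-RdpPort -Port $NewPort
Start-Sleep -Seconds 3                                    # give the listener a moment to come back
if (Test-RdpListener -Port $applied) {
    "RDP now listens on $applied, reachable only from: $($AllowedSources -join ', ')"
} else {
    Write-Warning "RDP is not listening on $applied yet; check 'Get-Service TermService' before disconnecting"
}
```

Keep a second way in (console, out-of-band management, or a scheduled task that reverts the change) until the first successful login on the new port; a typo in the address list locks you out just as effectively as it locks out an attacker.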

一键屏蔽高危端口.bat (block high-risk ports in one click)

*+0:135:tcp #block TCP 135, the RPC endpoint mapper
*+0:135:udp #block UDP 135, RPC
*+0:139:tcp #block TCP 139 (NetBIOS session, file sharing); one of the SMB paths used by MS08-067
*+0:139:udp #block UDP 139; listed for completeness, NetBIOS actually uses UDP 137/138
*+0:445:tcp #block TCP 445 (SMB); the main MS08-067 attack path, file sharing
*+0:445:udp #block UDP 445; listed for completeness, SMB does not use UDP 445 in practice
*+0:1443:tcp #block remote access to TCP 1443, listed as SQL-related (see note below)
*+0:1443:udp #block remote access to UDP 1443, listed as SQL-related (see note below)
*+0:1444:tcp #block remote access to TCP 1444, listed as SQL-related (see note below)
*+0:1444:udp #block remote access to UDP 1444, listed as SQL-related (see note below)

Each line is an ipseccmd filter: "*" is any source address, "0" is this host, followed by the destination port and protocol. If your server runs other business software or databases, add their ports to the list and block them the same way. Before doing so, confirm what is actually listening with netstat -ano: SQL Server's defaults are TCP 1433 and UDP 1434 (SQL Browser), so the 1443/1444 entries above only make sense if your instance really uses those ports, and blocking 139/445 on a server also disables its file shares and SMB-based remote administration. Note that ipseccmd.exe comes from the Windows XP SP2 Support Tools and targets XP/2003; on Vista, 2008 and later use netsh advfirewall firewall add rule ... action=block (as the WannaCry script further down does) or netsh ipsec static instead.

@echo off
title Block dangerous ports##
cls
::code by Sunward
:: Make sure the IPsec Policy Agent service exists and runs, otherwise the policy below is never applied
sc query PolicyAgent|find /i "PolicyAgent"
if %errorlevel% == 1 (
  sc create PolicyAgent binpath= "%windir%\system32\lsass.exe" type= share start= auto displayname= "IPSEC Services" depend= RPCSS/IPSec
)
sc config PolicyAgent start= auto
sc start PolicyAgent
:: -o deletes any existing policy named SUNWARD so the script can be re-run; -x makes the policy active
ipseccmd  -w REG -p "SUNWARD" -o -x >nul
:: -r names the rule, -f "*+0:PORT:PROTO" filters any source to this host's port, -n BLOCK is the action
ipseccmd  -w REG -p "SUNWARD" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block TCP/1443" -f *+0:1443:TCP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block TCP/1444" -f *+0:1444:TCP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block UDP/1443" -f *+0:1443:UDP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -r "Block UDP/1444" -f *+0:1444:UDP -n BLOCK -x >nul
ipseccmd  -w REG -p "SUNWARD" -x >nul
cls
@echo Port blocking complete!
ping 127.0.0.1 -n 5 1>nul
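Before applying a block list like the one above, it pays to know what it will break. The following added example (not code from the page or from its author) parses the "*+0:PORT:PROTO #comment" filter lines in the page's own format and reports, for each one, whether this host is currently listening on that port and which process owns the socket. The embedded filter list is a constructed copy of the list above; it runs on Windows 8 / Server 2012 or newer.

```powershell
# Added example (not from the original page): parse the "*+0:PORT:PROTO" filter lines used
# above and report, for each, whether this host actually listens there and which process owns
# the socket, so you know what a block would break BEFORE applying it.
# Runs on Windows 8 / Server 2012 or newer. The filter list is a constructed copy of the page's list.
$FilterSpecs = @'
*+0:135:tcp #RPC endpoint mapper
*+0:135:udp #RPC
*+0:139:tcp #NetBIOS session / SMB
*+0:139:udp #NetBIOS (listed for completeness)
*+0:445:tcp #SMB
*+0:445:udp #SMB (listed for completeness)
*+0:1443:tcp #listed as SQL-related on the page
*+0:1443:udp #listed as SQL-related on the page
*+0:1444:tcp #listed as SQL-related on the page
*+0:1444:udp #listed as SQL-related on the page
'@

function ConvertFrom-IpsecFilter {
    # One ipseccmd filter per line: <src>+<dst>:<port>:<proto> [#comment]. "*" = any, "0" = this host.
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        $m = [regex]::Match($line.Trim(), '^(?<src>[^+\s]+)\+(?<dst>[^:\s]+):(?<port>\d+):(?<proto>tcp|udp)\s*(#\s*(?<note>.*))?$', 'IgnoreCase')
        if (-not $m.Success) { continue }   # skip blank or malformed lines rather than guessing
        [pscustomobject]@{
            Source   = $m.Groups['src'].Value
            Dest     = $m.Groups['dst'].Value
            Port     = [int]$m.Groups['port'].Value
            Protocol = $m.Groups['proto'].Value.ToUpper()
            Note     = $m.Groups['note'].Value
        }
    }
}

function Get-FilterImpact {
    # For each filter, look up a listening socket on that port/protocol and the owning process.
    param([object[]]$Filters)
    foreach ($f in $Filters) {
        $owner = $null
        if ($f.Protocol -eq 'TCP') {
            $conn = Get-NetTCPConnection -State Listen -LocalPort $f.Port -ErrorAction SilentlyContinue | Select-Object -First 1
        } else {
            $conn = Get-NetUDPEndpoint -LocalPort $f.Port -ErrorAction SilentlyContinue | Select-Object -First 1
        }
        if ($conn) {
            $p = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $owner = if ($p) { "$($p.ProcessName) (PID $($p.Id))" } else { "PID $($conn.OwningProcess)" }
        }
        [pscustomobject]@{
            Filter    = "$($f.Protocol)/$($f.Port)"
            Listening = [bool]$conn
            Owner     = $owner
            Note      = $f.Note
        }
    }
}

$filters = @(ConvertFrom-IpsecFilter -Text $FilterSpecs)
$impact  = @(Get-FilterImpact -Filters $filters)
$impact | Format-Table -AutoSize
# Every row with Listening = True stops being reachable once the block policy is applied;
# decide per row whether that is intended (SMB on a file server, for instance, is not).
```

On a typical member server you will see 135 and 445 owned by svchost.exe and System respectively, and nothing on 1443/1444 unless something was deliberately configured there; that is the point at which to correct the port list rather than after the block is live.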

勒索病毒加固.bat (ransomware hardening)

This is an NSFOCUS hardening script for the WannaCry ransomware. It raises the bar somewhat, but it works only by switching off the host's SMB server (stopping the Server service and blocking port 445), which also disables file shares and SMB-based remote administration of that machine. Treat it as a stopgap: the real fix is installing the MS17-010 patch, and ransomware defence still needs several measures together.

@echo off
mode con: cols=85 lines=30
:NSFOCUSXA
title  WannaCry ransomware hardening tool
color 0A
cls
echo.
echo.
echo -----------------------  WannaCry ransomware hardening tool  --------------------------
echo.
echo.
echo    * WannaCry encrypts files on disk; victims must pay a large ransom for any chance
echo      of recovery. The risk is high and the impact is wide.
echo.
echo    * Network layer: block access to port 445 at the perimeter firewall and configure
echo      matching block policies on IPS and firewall devices.
echo.
echo    * Host layer: temporarily stop the Server service, check with "netstat -ano | findstr ":445""
echo      that port 445 is closed, and install the MS17-010 patch for your Windows version
echo      from http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598.
echo.
echo    * Must be run as an administrator. The tool performs the following actions:
echo.
echo       1: Win7 hardening 2: Win10 hardening 3: Win2003 hardening 4: Win2008 hardening 5: Win2012 hardening
echo       6: Win2016 hardening
echo.
echo       7: Quit
echo                                                       NSFOCUS V1.3
echo                                                      www.nsfocus.com
echo.
echo ---------------------------------------------------------------------------------
echo.
set start=
set /p start=    Enter a choice (1-7) and press Enter:
if "%start%"=="1" goto WIN7
if "%start%"=="2" goto WIN10
if "%start%"=="3" goto WIN2003
if "%start%"=="4" goto WIN2008
if "%start%"=="5" goto WIN2012
if "%start%"=="6" goto WIN2016
if "%start%"=="7" goto quit
goto NSFOCUSXA

:WIN7
:: Stop the SMB server (/Y answers the dependent-services prompt, which is invisible with output sent to nul) and keep it off after reboot
net stop server /Y > nul
sc config lanmanserver start= disabled
:: Make sure the firewall is on, then block 445 from everyone
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows 7 hardening commands completed!
echo.
pause
goto NSFOCUSXA
:WIN10
net stop server /Y > nul
sc config lanmanserver start= disabled
:: The legacy "netsh firewall" context is gone on Windows 10; use advfirewall to switch the profiles on
netsh advfirewall set allprofiles state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows 10 hardening commands completed!
echo.
pause
goto NSFOCUSXA
:WIN2003
net stop server /Y > nul
:: sharedaccess is the Windows Firewall/ICS service on 2003
net start sharedaccess > nul
sc config lanmanserver start= disabled
:: 2003's firewall denies inbound by default; adding the 445 exception in DISABLE mode keeps the port closed
netsh firewall add portopening protocol = ALL port = 445 name = DenyEquationTCP mode = DISABLE scope = ALL profile = ALL > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2003 hardening commands completed!
echo.
pause
goto NSFOCUSXA

:WIN2008
net stop server /Y > nul
sc config lanmanserver start= disabled
netsh advfirewall set currentprofile state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2008 hardening commands completed!
echo.
pause
goto NSFOCUSXA

:WIN2012
net stop server /Y > nul
:: MpsSvc is the Windows Firewall service; block rules do nothing while the profile is off
net start MpsSvc > nul
netsh advfirewall set allprofiles state on > nul
sc config lanmanserver start= disabled
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2012 hardening commands completed!
echo.
pause
goto NSFOCUSXA
:WIN2016
net stop server /Y > nul
sc config lanmanserver start= disabled
netsh advfirewall set allprofiles state on > nul
netsh advfirewall firewall add rule name="DenyEquationTCP" dir=in action=block localport=445 remoteip=any protocol=tcp > nul
netsh advfirewall firewall add rule name="DenyEquationUDP" dir=in action=block localport=445 remoteip=any protocol=udp > nul
echo ---------------------------------------------------------------------------------
echo    *  Windows Server 2016 hardening commands completed!
echo.
pause
goto NSFOCUSXA

:: The original had no :quit label, so choice 7 ended the script with a "label not found" error
:quit
exit /b

服务器安全一键设置.bat (one-click server security setup)

The following is for reference only; running it once does not mean you can rest easy. Several of its steps assume Windows XP/2003-era systems: xcacls.vbs is a separate Microsoft download that must sit next to the script (icacls is the built-in equivalent on Vista and later); sethc.exe and the system DLLs are owned by TrustedInstaller on Vista and later, so the ACL changes fail unless ownership is taken first; the DisallowRun list is a per-user Explorer policy that a renamed binary or a command prompt bypasses; and unregistering wshom.ocx breaks every legitimate script and installer that uses WScript.Shell. Test each step on a staging machine before using it in production.

@color 0a
@title Server security one-click setup batch
@pause
:: Temporarily (re)register the WSH object library; xcacls.vbs below needs it. It is unregistered again at the end.
regsvr32 /s wshom.ocx

:: Guard against the sticky-keys backdoor (sethc.exe swapped for a shell and launched from the logon screen):
:: deny Everyone modify access so the file cannot be replaced. xcacls.vbs must be in the current directory.

cscript.exe xcacls.vbs "%SystemRoot%\system32\sethc.exe" /D Everyone:M /E
cscript.exe xcacls.vbs "%SystemRoot%\ServicePackFiles\i386\sethc.exe" /D Everyone:M /E


:: Replace the packet-capture libraries (WinPcap and Network Monitor) that ARP-spoofing tools depend on with locked,
:: read-only decoy files; the "dir" output is just filler content. This stops tools that need these libraries from loading.
:: It does not stop every ARP attack, and it also breaks legitimate software that uses WinPcap on this host.

del "%SystemRoot%\system32\npptools.dll" /A /F /Q
dir "%SystemRoot%\system32\com" > "%SystemRoot%\system32\npptools.dll"
attrib +R +S +H "%SystemRoot%\system32\npptools.dll"
cscript.exe xcacls.vbs "%SystemRoot%\system32\npptools.dll" /D Everyone:M /E

del "%SystemRoot%\system32\packet.dll" /A /F /Q
dir "%SystemRoot%\system32\com" > "%SystemRoot%\system32\packet.dll"
attrib +R +S +H "%SystemRoot%\system32\packet.dll"
cscript.exe xcacls.vbs "%SystemRoot%\system32\packet.dll" /D Everyone:M /E

del "%SystemRoot%\system32\pthreadVC.dll" /A /F /Q
dir "%SystemRoot%\system32\com" > "%SystemRoot%\system32\pthreadVC.dll"
attrib +R +S +H "%SystemRoot%\system32\pthreadVC.dll"
cscript.exe xcacls.vbs "%SystemRoot%\system32\pthreadVC.dll" /D Everyone:M /E

del "%SystemRoot%\system32\wpcap.dll" /A /F /Q
dir "%SystemRoot%\system32\com" > "%SystemRoot%\system32\wpcap.dll"
attrib +R +S +H "%SystemRoot%\system32\wpcap.dll"
cscript.exe xcacls.vbs "%SystemRoot%\system32\wpcap.dll" /D Everyone:M /E

:: npf.sys lives under drivers\, the original attrib line pointed at system32\ by mistake
del "%SystemRoot%\system32\drivers\npf.sys" /A /F /Q
dir "%SystemRoot%\system32\com" > "%SystemRoot%\system32\drivers\npf.sys"
attrib +R +S +H "%SystemRoot%\system32\drivers\npf.sys"
cscript.exe xcacls.vbs "%SystemRoot%\system32\drivers\npf.sys" /D Everyone:M /E

Echo Disabling startup via pending file-rename operations

:: PendingFileRenameOperations (under Session Manager) is processed by the Session Manager at boot, before the ordinary
:: Run keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), and the entry is consumed afterwards,
:: so malware can use it to drop or rename itself into place with little trace.
:: Note: Windows Update and installers use the same mechanism; deleting it blindly can leave an install half-finished.

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations /f

:: Turn off the Shutdown Event Tracker (the "why did you shut down" prompt)
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" /v ShutdownReasonOn /t REG_DWORD /d 0 /f

:: Explorer policy "Don't run specified Windows applications" for the current user:
:: programs listed under DisallowRun cannot be started through Explorer by this user (per-user, bypassed by renaming or by cmd).

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d 1 /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v login.scr /t REG_SZ /d login.scr /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v xsiff.exe /t REG_SZ /d xsiff.exe /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v xsniff.exe /t REG_SZ /d xsniff.exe /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v sethc.exe /t REG_SZ /d sethc.exe /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v WinPcap.exe /t REG_SZ /d WinPcap.exe /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v nc.exe /t REG_SZ /d nc.exe /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v sql.exe /t REG_SZ /d sql.exe /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v su.exe /t REG_SZ /d su.exe /f

:: Unregister the WSH object library again (this breaks any script or installer that relies on WScript.Shell)
regsvr32 /s /u wshom.ocx

Echo Applying the software restriction group policy to further harden the server
:: Back up the current machine Registry.pol, then install the prepared policy file. The original copied Registry.pol
:: onto itself; this version assumes the prepared Registry.pol ships next to this batch file (%~dp0).
c:
cd "%SystemRoot%\system32\GroupPolicy\Machine"
copy Registry.pol Registry.old /y
copy "%~dp0Registry.pol" "%SystemRoot%\system32\GroupPolicy\Machine\Registry.pol" /y
gpupdate /force
Echo Software restriction group policy applied
PAUSE >nul
exit
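Denying write access to sethc.exe only helps if the backdoor is not already in place. The following added example (not code from the page or its author) is the read-only check a practitioner would run first: it detects the two classic variants of the accessibility backdoor the script above guards against, an accessibility binary replaced by a copy of cmd.exe, and an Image File Execution Options "Debugger" value redirecting it. It goes beyond the page's sethc.exe case by checking the other logon-screen accessibility binaries as well; that list is an assumption. It runs in an elevated PowerShell 5.1 or newer.

```powershell
# Added example (not from the original page): check whether the sticky-keys style backdoor the
# script above tries to prevent is already present. Two classic variants are covered:
#   1. an accessibility binary (sethc.exe, utilman.exe, ...) replaced by a copy of cmd.exe
#   2. an Image File Execution Options "Debugger" value pointing the binary at another program
# Read-only; run in an elevated PowerShell 5.1+. The list of binaries checked is an assumption.
$AccessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe', 'displayswitch.exe'

function Get-AccessibilityBackdoor {
    param([string[]]$Names = $AccessibilityBinaries)
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash
    foreach ($name in $Names) {
        $path = Join-Path $system32 $name
        $finding = [ordered]@{ Binary = $name; ReplacedByCmd = $false; IfeoDebugger = $null; Signed = $null }
        if (Test-Path $path) {
            # Variant 1: identical content to cmd.exe means the file was swapped
            $finding.ReplacedByCmd = ((Get-FileHash -Algorithm SHA256 -Path $path).Hash -eq $cmdHash)
            # Signature status is a hint only: these files are catalog-signed, which older
            # PowerShell versions report as NotSigned even when the file is genuine
            $finding.Signed = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
        }
        # Variant 2: an IFEO Debugger redirects execution without touching the file at all
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
        if (Test-Path $ifeo) {
            $finding.IfeoDebugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
        }
        [pscustomobject]$finding
    }
}

function Test-AccessibilityBackdoor {
    # True when any binary shows a hard indicator; use as a pass/fail step in a hardening checklist.
    $bad = Get-AccessibilityBackdoor | Where-Object { $_.ReplacedByCmd -or $_.IfeoDebugger }
    return @($bad).Count -gt 0
}

Get-AccessibilityBackdoor | Format-Table -AutoSize
if (Test-AccessibilityBackdoor) {
    Write-Warning 'Accessibility backdoor indicators found; investigate before applying the hardening'
} else {
    'No accessibility backdoor indicators found'
}
```

A Debugger value under the IFEO key for any of these names has no legitimate use on a production server, so treat it as a finding even when the binary's hash is intact; the hash comparison only catches the file-swap variant.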