WIN2008 自动部署安全BAT

@echo off  
color 0a  
@echo  请选择要服务操作类型:  
@echo       1.安装IIS  
@echo       2.更改远程端口  
@echo       3.停止无用服务  
@echo       4.操作防火墙规则限制无用端口  
@echo       5.重置防火墙(慎重使用,请确保远程端口为3389)  
@echo       6.关闭防火墙  
@echo       7.ADD 静态路由表  
@echo       8.退出  
  
set/p a=请选择服务操作类型:  
goto start%a%        
  
:start1  
title IIS7自动安装程序 – iHackSoft.com  
echo.  
  
echo 正在添加IIS功能,这可能需要几分钟时间…  
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-  
HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-  
ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-  
ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-  
ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-  
Performance;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-  
IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;WAS-WindowsActivationService;WAS-  
ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI  
echo IIS已添加成功!  
@pause  
cls  
goto :start  
:start2  
echo 请输入要修改的远程端口号:  
set /p var=  
echo 开始修改  
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /f  
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d %var% /f  
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /f  
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d %var% /f  
echo 修改成功,下面是添加防火墙规则  
netsh firewall add portopening TCP %var% %var%  
@pause  
cls  
goto :start  
  
:start3  
echo 停止Distributed linktracking client   用于局域网更新连接信息  
net start TrkWks  
echo 停止PrintSpooler  打印服务  
net stop Spooler  
echo 停止Remote Registry  远程修改注册表  
net stop RemoteRegistry  
echo 停止Server 计算机通过网络的文件、打印、和命名管道共享  
net stop LanmanServer  
echo 停止TCP/IP NetBIOS Helper  提供 TCP/IP (NetBT) 服务上的 NetBIOS 和网络上客户端的 NetBIOS 名称解析的支持  
net stop lmhosts  
echo 停止Computer Browser 维护网络计算机更新 默认已经禁用  
net stop Browser  
echo 停止Net Logon   域控制器通道管理 默认已经手动  
net stop Netlogon  
echo 停止Remote Procedure Call (RPC) Locator   RpcNs*远程过程调用 (RPC) 默认已经手动  
net stop RpcLocator  
@pause  
cls  
goto :start  
  
:start4  
echo 启用桌面防火墙  
netsh advfirewall set allprofiles state on  
echo 设置默认输入和输出策略  
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound  
echo 关闭tcp协议的139端口  
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block  
echo 关闭udp协议的139端口  
netsh advfirewall firewall add rule name="deny udp 139" dir=in protocol=udp localport=139 action=block  
echo 关闭tcp协议的445端口  
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block  
echo 关闭udp协议的445端口  
netsh advfirewall firewall add rule name="deny udp 445″ dir=in protocol=udp localport=445 action=block  
echo 使用相同的方法,依次关闭TCP协议的21、22、23、137、138、5800、5900端口。  
netsh advfirewall firewall add rule name= "deny tcp 21" dir= in protocol=tcp localport=21 action=block   
netsh advfirewall firewall add rule name= "deny tcp 22" dir=in protocol=tcp localport=22 action=block  
netsh advfirewall firewall add rule name= "deny tcp 23" dir=in protocol=tcp localport=23 action=block  
netsh advfirewall firewall add rule name= "deny tcp 5800" dir=in protocol=tcp localport=5800 action=block  
netsh advfirewall firewall add rule name= "deny tcp 5900" dir=in protocol=tcp localport=5900 action=block  
netsh advfirewall firewall add rule name= "deny tcp 137" dir=in protocol=tcp localport=137 action=block  
netsh advfirewall firewall add rule name= "deny tcp 138" dir=in protocol=tcp localport=138 action=block  
@pause  
cls  
goto :start  
  
:start5  
echo 恢复初始配置  
netsh advfirewall reset  
@pause  
cls  
goto :start  
  
:start6  
echo 关闭防火墙  
netsh advfirewall set allprofiles state off  
@pause  
cls  
goto :start  
  
:start7  
echo 加静态路由表  
route -p add 192.168.0.0 mask 255.255.255.0 192.168.12.1  
route -p add 192.168.11.0 mask 255.255.255.0 192.168.12.1  
route -p add 192.168.100.0 mask 255.255.255.0 192.168.12.1  
@pause  
cls  
goto :start  
  
:start8  
goto end  
:end

 


数据运维技术 » WIN2008 自动部署安全BAT