windows 2003 自动安全设置

标签：des   io   ar   os   sp   for   strong   文件   on   

@echo off
echo.
echo.
echo.
echo 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
echo.
echo.
echo windows 2003 自动安全设置程序
echo.
echo "为走过的路做纪念,希望你能记得"
echo.
echo 注： 不要放在根目录执行
echo *请用名为administrator的账号运行
echo. *执行完成后只能用超级管理员登陆*
echo.
echo.
echo.
echo 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
pause
cls

echo.
echo.
echo.
echo 内容包括：
echo 更改GUTEST和SUPPORT_388945a0的密码
echo 注消危险组件
echo 取消显示上次登陆用户名
echo 防御TELNET登陆
echo 限制一些险的端口的访问，如135，137，138,139,445
echo 限制RADMIN应用
echo 防御密码记录工具NTPass及类似
echo 关闭一些不常用的服务
echo 优化系统和优化组策略安全
echo 设置超级管理员账号并限制只有这个账号能远程
echo 加强DDOS防御能力
echo 禁用cmd
echo 删除SQL2000危险的存储过程
echo 系统磁盘盘权限设定
echo WEB权限安全设置
echo 系统垃圾清理
echo.
echo.
echo.

cls
echo .
echo ---------------------------------------------------
echo 请先替操作系统打上所有更新补丁!特别是SP2这样的
echo 安全设置后打有可能会打不上，请注意
echo ---------------------------------------------------
echo .
pause
set lb=%cd%

cls
echo .
echo ---------------------------------------------------
echo 是否要更改GUTEST和SUPPORT_388945a0的密码
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要更改请按 Y，否请按 N。"
if %errorlevel% equ 2 goto firstgo
net user guest SDFse7%6$3
net user SUPPORT_388945a0 g@#!hao(^$875
:firstgo

cls
echo .
echo ---------------------------------------------------
echo 是否要注消危险组件
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要注消请按 Y，否请按 N。"
if %errorlevel% equ 2 goto secgo
regsvr32 /u /s %SystemRoot%\System32\wshom.ocx
regsvr32 /u /s %SystemRoot%\system32\shell32.dll
regsvr32 /u /s %SystemRoot%\system32\npptools.dll
reg copy "HKEY_CLASSES_ROOT\Shell.Application" "HKEY_CLASSES_ROOT\Shell.Application_sfqas" /s /f
reg delete "HKEY_CLASSES_ROOT\Shell.Application" /f
reg delete "HKEY_CLASSES_ROOT\Shell.Application_sfqas\CLSID" /f
reg add HKEY_CLASSES_ROOT\Shell.Application_sfqas\CLSID /v (默认) /t REG_SZ /d
reg copy "HKEY_CLASSES_ROOT\Shell.Application.1" "HKEY_CLASSES_ROOT\Shell.Application.1_sfqas" /s /f
reg delete "HKEY_CLASSES_ROOT\Shell.Application.1" /f
reg delete "HKEY_CLASSES_ROOT\Shell.Application.1_sfqas\CLSID" /f
reg add HKEY_CLASSES_ROOT\Shell.Application.1_sfqas\CLSID /v (默认) /t REG_SZ /d
:secgo

cls
echo .
echo ---------------------------------------------------
echo 是否取消显示上次登陆用户名
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要取消请按 Y，否请按 N。"
if %errorlevel% equ 2 goto thirdgo
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t reg_dword /d 00000001 /f
:thirdgo

cls
echo .
echo ---------------------------------------------------
echo 是否防御TELNET登陆
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要防御请按 Y，否请按 N。"
if %errorlevel% equ 2 goto sixgo
echo exit>>%SystemRoot%\system32\login.cmd
:sixgo

cls
echo .
echo ---------------------------------------------------
echo 是否限制一些险的端口的访问，如135，137，138,139,
echo 445，593,1025,2745,3127,4489,6129
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要限制请按 Y，否请按 N。"
if %errorlevel% equ 2 goto sevengo
echo 名字为sfqas的安全策略
netsh ipsec static add policy name=sfqas的安全策略
netsh ipsec static add filterlist name=允许列表
netsh ipsec static add filterlist name=拒绝列表
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=135
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=593
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=1025
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=2745
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=3127
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=4489
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我特定访问 protocol=tcp mirrored=yes dstport=6129
netsh ipsec static add filteraction name=充许 action=permit
netsh ipsec static add filteraction name=拒绝 action=block
netsh ipsec static add rule name=拒绝规则 policy=sfqas的安全策略 filterlist=拒绝列表 filteraction=拒绝
netsh ipsec static set policy name=sfqas的安全策略 assign=y
:sevengo

cls
echo .
echo ---------------------------------------------------
echo 是否限制RADMIN应用
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要限制请按 Y，否请按 N。"
if %errorlevel% equ 2 goto eightgo
if exist %SystemRoot%\system32\r_server.exe echo " 如果有RADMIM，删除"
r_server.exe /stop
r_server /uninstall /silence
del %SystemRoot%\system32\r_server.exe
del %SystemRoot%\system32\admdll.dll
del %SystemRoot%\system32\radbrv.dll
:eightgo

cls
echo .
echo ---------------------------------------------------
echo 是否防御密码记录工具NTPass及类似
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要防御请按 Y，否请按 N。"
if %errorlevel% equ 2 goto ninego
if exist %SystemRoot%\system32\ntpass.dll ehco "如果有密码记录器NTPass，删除"
echo you are a bitch>%systemroot%\system32\eulagold.txt
rundll32 NTPass.dll,Remove
echo y| cacls %SystemRoot%/system32/eulagold.txt /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/eulagold.txt /t /e /c /r administrators
echo y| cacls %SystemRoot%/system32/eulagold.txt /e /d service /c
echo y| cacls %SystemRoot%/system32/eulagold.txt /e /d batch /c
echo y| cacls %SystemRoot%/system32/eulagold.txt /e /d interactive /c
echo y| cacls %SystemRoot%/system32/eulagold.txt /e /d system /c
echo y| cacls %SystemRoot%/system32/eulagold.txt /e /d users /c
attrib +R +A +S +H %SystemRoot%/system32/eulagold.txt
if exist %SystemRoot%\system32\GinaPwd.txt ehco "如果有密码记录器GinaPwd，删除"
echo you are a bitch>%systemroot%\system32\GinaPwd.txt
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /t /e /c /r administrators
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /e /d service /c
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /e /d batch /c
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /e /d interactive /c
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /e /d system /c
echo y| cacls %SystemRoot%/system32/GinaPwd.txt /e /d users /c
attrib +R +A +S +H %SystemRoot%/system32/GinaPwd.txt
:ninego

cls
echo .
echo ---------------------------------------------------
echo 是否关闭一些不常用的服务
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要关闭请按 Y，否请按 N。"
if %errorlevel% equ 2 goto eightgo
sc config Alerter start= disabled
sc stop Alerter
sc config dfs start= demand
sc stop Browser
sc config messenger start= disabled
sc stop messenger
sc config tlntsvr start= disabled
sc stop tlntsvr
sc config Browser start= DISABLED
sc stop Browser
sc config Spooler start= DISABLED
sc stop Spooler
sc config RemoteRegistry start= DISABLED
sc stop RemoteRegistry
sc config lanmanserver start= DISABLED
sc stop lanmanserver
sc config LmHosts start= DISABLED
sc stop LmHosts
sc config WZCSVC start= DISABLED
sc stop WZCSVC
sc config lanmanworkstation start= DISABLED
sc stop lanmanworkstation
sc config SysmonLog start= disabled
:eightgo

cls
echo .
echo ---------------------------------------------------
echo 是否优化系统和优化组策略安全
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要优化请，*（注意优化后只能用超级管理员登陆）按 Y，否请按 N。"
if %errorlevel% equ 2 goto tengo
echo 优化系统
reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
reg add "HKCU\Control Panel\Desktop" /v HungAppTimeout /d 50 /f
reg add "HKCU\Control Panel\Desktop" /v WaitToKillAppTimeout /d 200 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 4294967197 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v MaxConnectionsPer1_0Server /t REG_DWORD /d 8 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v MaxConnectionsPerServer /t REG_DWORD /d 8 /f
reg add HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer /v Link /t REG_BINARY /d 00000000 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoLowDiskSpaceChecks /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v ConfigFileAllocSize /t REG_DWORD /d 500 /f
reg add HKCU\Console /v LoadConIme /t REG_DWORD /d 0 /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v AutoReboot /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v CrashDumpEnabled /t REG_DWORD /d 0 /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v DumpFile /t REG_EXPAND_SZ /d %SystemRoot%\MEMORY.DMP /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v LogEvent /t REG_DWORD /d 0 /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v MinidumpDir /t REG_EXPAND_SZ /d %SystemRoot%\Minidump /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v Overwrite /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\ControlSet001\Control\CrashControl /v SendAlert /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting /v DoReport /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting /v ShowUI /t REG_DWORD /d 0 /f
echo 优化组策略安全
cd /d %lb%

echo [Unicode] >sfqas.inf
echo Unicode=yes >>sfqas.inf
echo [System Access] >>sfqas.inf
echo MinimumPasswordAge = 2 >>sfqas.inf
echo MaximumPasswordAge = 42 >>sfqas.inf
echo MinimumPasswordLength = 0 >>sfqas.inf
echo PasswordComplexity = 0 >>sfqas.inf
echo PasswordHistorySize = 24 >>sfqas.inf
echo LockoutBadCount = 5 >>sfqas.inf
echo ResetLockoutCount = 3 >>sfqas.inf
echo LockoutDuration = 3 >>sfqas.inf
echo RequireLogonToChangePassword = 0 >>sfqas.inf
echo ForceLogoffWhenHourExpire = 0 >>sfqas.inf
echo NewGuestName = "MyGuestOne" >>sfqas.inf
echo ClearTextPassword = 0 >>sfqas.inf
echo LSAAnonymousNameLookup = 0 >>sfqas.inf
echo EnableAdminAccount = 1 >>sfqas.inf
echo EnableGuestAccount = 0 >>sfqas.inf
echo [Event Audit] >>sfqas.inf
echo AuditSystemEvents = 3 >>sfqas.inf
echo AuditLogonEvents = 3 >>sfqas.inf
echo AuditObjectAccess = 0 >>sfqas.inf
echo AuditPrivilegeUse = 3 >>sfqas.inf
echo AuditPolicyChange = 3 >>sfqas.inf
echo AuditAccountManage = 3 >>sfqas.inf
echo AuditProcessTracking = 0 >>sfqas.inf
echo AuditDSAccess = 0 >>sfqas.inf
echo AuditAccountLogon = 3 >>sfqas.inf
echo [Registry Values] >>sfqas.inf
echo MACHINE\Software\Microsoft\Driver Signing\Policy=3,1 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"0" >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0" >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"0" >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10" >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0" >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7, >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0 >>sfqas.inf
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0 >>sfqas.inf
echo MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7, >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7, >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7, >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7, >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1 >>sfqas.inf
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1 >>sfqas.inf
echo [Privilege Rights] >>sfqas.inf
echo SeNetworkLogonRight = IUSR_%COMPUTERNAME%,IWAM_%COMPUTERNAME%,ASPNET,Guests,everyone >>sfqas.inf
echo SeRemoteShutdownPrivilege = Administrators >>sfqas.inf
echo SeIncreaseBasePriorityPrivilege = Administrators >>sfqas.inf
echo SeLoadDriverPrivilege = administrator >>sfqas.inf
echo SeSecurityPrivilege = Administrators >>sfqas.inf
echo SeSystemEnvironmentPrivilege = Administrators >>sfqas.inf
echo SeSystemProfilePrivilege = Administrators >>sfqas.inf
echo SeTakeOwnershipPrivilege = Administrators >>sfqas.inf
echo SeDenyNetworkLogonRight = Administrators >>sfqas.inf
echo SeManageVolumePrivilege = Administrators >>sfqas.inf
echo SeRemoteInteractiveLogonRight = administrator >>sfqas.inf
echo [Version] >>sfqas.inf
echo signature="$CHICAGO$" >>sfqas.inf
echo Revision=1 >>sfqas.inf
secedit /configure /db sfqas.sdb /cfg sfqas.inf /log sfqas.log /overwrite /quiet
del sfqas.*

:tengo

cls
echo .
echo ---------------------------------------------------
echo 是否加强DDOS防御能力
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要加强请按 Y，否请按 N。"
if %errorlevel% equ 2 goto elego
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpTimedWaitDelay /t reg_dword /d 00000030 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect /t reg_dword /d 00000002 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen /t reg_dword /d 00000200 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried /t reg_dword /d 00000096 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxConnectResponseRetransmissions /t reg_dword /d 00000003 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxDataRetransmissions /t reg_dword /d 00000005 /f
:elego

cls
echo ---------------------------------------------------
echo 是否启用服务器的网络共享?(共享服务可提供网络文件共享实现远程备份,比如NAS备份)
echo 如果前面限制了端口请不指派sfqas的安全策略并删除该策略
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "是请按Y，否请按N。"
echo .
echo ---------------------------------------------------
if %errorlevel% equ 2 goto noshare
reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /d Y /f
reg add HKLM\SOFTWARE\Microsoft\Rpc /v "DCOM Protocols" /t REG_MULTI_SZ /d ncacn_ip_tcp\0 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters /v SMBDeviceEnabled /t REG_DWORD /d 1 /f
sc config MSDTC start= AUTO
sc config lanmanworkstation start= AUTO
sc config lanmanserver start= AUTO
sc config Browser start= AUTO
echo y| cacls %SystemRoot%\system32\activeds.dll /G administrators:F SYSTEM:F IIS_WPG:R
sc start MSDTC
sc start lanmanworkstation
sc start lanmanserver
sc start Browser
:noshare

cls
echo .
echo ---------------------------------------------------
echo 是否禁用注册表工具
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要禁用请按 Y，否请按 N。"
if %errorlevel% equ 2 goto fourthgo
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /f
:fourthgo

cls
echo .
echo ---------------------------------------------------
echo 是否禁用cmd
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要禁用请按 Y，否请按 N。"
if %errorlevel% equ 2 goto fifthgo
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t reg_dword /d 00000001 /f
:fifthgo

cls
echo .
echo ---------------------------------------------------
echo 是否开启WINDOWS防火墙，并只开放3389.FTP.80,和自己的远程端口，允许PING
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "要开启请按 Y，否请按 N。"
if %errorlevel% equ 2 goto firewallgo
sc config ShareAccess start= auto
sc start ShareAccess
netsh firewall set opmode mode = ENABLE
netsh firewall set icmpsetting 8
netsh firewall set portopening tcp 3389
netsh firewall set portopening tcp 21 sfqas_ftplink
netsh firewall set portopening tcp 20 sfqas_ftpdata
netsh firewall set portopening tcp 80 sfqas_web
echo .
CHOICE /C YN /M "远程端口是不是3389,要设置请按 Y，否请按 N。"
if %errorlevel% equ 2 goto firewallgo1
set mstscnumb1=
:numnogo
cls
set /p mstscnumb1=你的远程端口号：
if not defined mstscnumb1 goto numnogo
echo 你的远程端口号是：%mstscnumb1%
netsh firewall set portopening tcp %mstscnumb1% sfqas_mstsc
:firewallgo1
:firewallgo

cls
echo .
echo ---------------------------------------------------
echo 是否删除SQL2000危险的存储过程(如无安装SQL请不要运行!)
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "删除请按 Y，否请按 N。"
if %errorlevel% equ 2 goto ynono
echo ---------------------------------------------------
echo 请在弹出窗口内点击上方的绿色三角运行里面的代码才生效！准备好请按y
echo ---------------------------------------------------
if %errorlevel% equ 2 goto nono
echo use master
echo exec sp_dropextendedproc ‘xp_cmdshell‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_enumgroups‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_loginconfig‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regaddmultistring‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regdeletekey‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regdeletevalue‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regread‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regremovemultistring‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regwrite‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_enumerrorlogs‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_getfiledetails‘ >>sql.sql
echo go >>sql.sql
echo exec sp_dropextendedproc ‘xp_regenumvalues‘ >>sql.sql
echo go >>sql.sql
copy /Y sql.sql "C:\Documents and Settings\All Users\「开始」菜单\程序\Microsoft SQL Server\sql.sql"
start /d "C:\Documents and Settings\All Users\「开始」菜单\程序\Microsoft SQL Server" 查询分析器 -d master -E -f "C:\Documents and Settings\All Users\「开始」菜单\程序\Microsoft SQL Server\sql.sql"
echo ---------------------------------------------------
echo 请在弹出窗口内点击上方的绿色三角运行里面的代码才生效！你点了么？请按任意键继续. . .
echo ---------------------------------------------------
pause
del sql.sql
del "%systemdrive%\Documents and Settings\All Users\「开始」菜单\程序\Microsoft SQL Server\sql.sql"

:ynono
:nono

cls
echo 系统磁盘盘权限设定
echo 删除C盘的根目录的权限
echo y| Cacls %systemdrive%\ /e /c /r everyone
echo y| Cacls %systemdrive%\ /e /c /r "creator owner"
echo y| Cacls %systemdrive%\ /e /c /r users
echo y| Cacls "%systemdrive%\Documents and Settings\All Users\Documents" /e /c /r "creator owner"
echo y| Cacls "%systemdrive%\Documents and Settings\All Users\Documents" /e /c /r "power users"
echo y| Cacls "%systemdrive%\Documents and Settings\All Users\Documents" /e /c /r users
echo y| Cacls "%systemdrive%\Documents and Settings" /e /c /r everyone
echo y| Cacls "%systemdrive%\Documents and Settings\Administrator\「开始」菜单\程序\启动" /e /c /r administrators
echo y| Cacls "%systemdrive%\Documents and Settings\Administrator\「开始」菜单\程序\启动" /e /c /r system
echo y| Cacls "%systemdrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" /e /c /r system
echo y| Cacls "%systemdrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" /e /c /r administrators

attrib +R +A +S +H %systemdrive%\wmpub
echo y| Cacls %systemdrive%\wmpub /e /c /r "creator owner"
echo y| Cacls %systemdrive%\wmpub /e /c /r "power users"
echo y| Cacls %systemdrive%\wmpub /e /c /r users
echo y| Cacls %systemdrive%\wmpub /e /c /r administrators
echo y| Cacls %systemdrive%\wmpub /e /c /r system
echo y| Cacls %systemdrive%\wmpub /e /c /r administrators
echo y| Cacls %systemdrive%\wmpub /e /c /r system

attrib +R +A +S +H %systemdrive%\WINDOWS\addins
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r "creator owner"
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r "power users"
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r users
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r administrators
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r system
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r administrators
echo y| Cacls %systemdrive%\WINDOWS\addins /e /c /r system

echo .
echo ---------------------------------------------------
echo 如果你的WEB以前用的USERS或是everyone权限，下面的操作可能会导致无权限访问，是否操作？
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "是请按 Y，否请按 N。"
if %errorlevel% equ 2 goto confirm1
echo "删除D盘的根目录的权限"
echo y| Cacls D:\ /t /e /c /r everyone
echo y| Cacls D:\ /t /e /c /r "creator owner"
echo y| Cacls D:\ /t /e /c /r users
echo "删除E盘的根目录的权限"
echo y| Cacls E:\ /t /e /c /r everyone
echo y| Cacls E:\ /t /e /c /r "creator owner"
echo y| Cacls E:\ /t /e /c /r users
echo "删除F盘的根目录的权限"
echo y| Cacls F:\ /t /e /c /r everyone
echo y| Cacls F:\ /t /e /c /r "creator owner"
echo y| Cacls F:\ /t /e /c /r users
echo "删除G盘的根目录的权限"
echo y| Cacls G:\ /t /e /c /r everyone
echo y| Cacls G:\ /t /e /c /r "creator owner"
echo y| Cacls G:\ /t /e /c /r users
echo "删除H盘的根目录的权限"
echo y| Cacls H:\ /t /e /c /r everyone
echo y| Cacls H:\ /t /e /c /r "creator owner"
echo y| Cacls H:\ /t /e /c /r users
echo "删除I盘的根目录的权限"
echo y| Cacls I:\ /t /e /c /r everyone
echo y| Cacls I:\ /t /e /c /r "creator owner"
echo y| Cacls I:\ /t /e /c /r users
:confirm1

echo "2003减少C盘的危险文件的访问权限"
attrib +R +A +S +H %SystemRoot%/system32/shell32.dll
echo y| cacls %SystemRoot%/system32/shell32.dll /e /d guests /c
attrib +R +A +S +H %SystemRoot%/system32/wshom.ocx
echo y| cacls %SystemRoot%/system32/wshom.ocx /e /d guests /c
attrib +R +A +S +H %SystemRoot%/system32/npptools.dll
echo y| cacls %SystemRoot%/system32/npptools.dll /e /d users /c

attrib +R +A +S +H %SystemRoot%/system32/Cmd.exe
echo y| cacls %SystemRoot%/system32/Cmd.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/Cmd.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/Cmd.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/Cmd.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/Cmd.exe /e /d telnetclients /c
echo y| cacls %SystemRoot%/system32/Cmd.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/net.exe
echo y| cacls %SystemRoot%/system32/net.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/net.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/net.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/net.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/net.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/net.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/net.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/net.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/reg.exe
echo y| cacls %SystemRoot%/system32/reg.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/reg.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/reg.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/reg.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/reg.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/reg.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/reg.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/reg.exe /e /d system:r /c

attrib +R +A +S +H %SystemRoot%/system32/netsh.exe
echo y| cacls %SystemRoot%/system32/netsh.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/netsh.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/netsh.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/netsh.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/netsh.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/netsh.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/netsh.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/netsh.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/sc.exe
echo y| cacls %SystemRoot%/system32/sc.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/sc.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/sc.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/sc.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/sc.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/sc.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/sc.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/net1.exe
echo y| cacls %SystemRoot%/system32/net1.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/net1.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/net1.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/net1.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/net1.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/net1.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/net1.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/net1.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/netstat.exe
echo y| cacls %SystemRoot%/system32/netstat.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/netstat.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/netstat.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/netstat.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/netstat.exe /e /d batch /c

attrib +R +A +S +H %SystemRoot%/system32/ftp.exe
echo y| cacls %SystemRoot%/system32/ftp.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/ftp.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/ftp.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/ftp.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/ftp.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/ftp.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/ftp.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/dllcache/at.exe
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/at.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/at.exe
echo y| cacls %SystemRoot%/system32/at.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/at.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/at.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/at.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/at.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/at.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/at.exe /e /d system /c

attrib +R +A +S +H cacls %SystemRoot%/system32/dllcache/utilman.exe
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/utilman.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/utilman.exe
echo y| cacls %SystemRoot%/system32/utilman.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/utilman.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/utilman.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/utilman.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/utilman.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/utilman.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/utilman.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/dllcache/sethc.exe
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/sethc.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/sethc.exe
echo y| cacls %SystemRoot%/system32/sethc.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/sethc.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/sethc.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/sethc.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/sethc.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/sethc.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/sethc.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/dllcache/magnify.exe
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/magnify.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/magnify.exe
echo y| cacls %SystemRoot%/system32/magnify.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/magnify.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/magnify.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/magnify.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/magnify.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/magnify.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/magnify.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/dllcache/osk.exe
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/osk.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/osk.exe
echo y| cacls %SystemRoot%/system32/osk.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/osk.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/osk.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/osk.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/osk.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/osk.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/osk.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/dllcache/cacls.exe
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/cacls.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/cacls.exe
echo y| cacls %SystemRoot%/system32/cacls.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/cacls.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/cacls.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/cacls.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/cacls.exe /e /d batch /c

attrib +R +A +S +H %SystemRoot%/system32/dllcache/attrib.exe
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/dllcache/attrib.exe /e /d system /c

attrib +R +A +S +H %SystemRoot%/system32/attrib.exe
echo y| cacls %SystemRoot%/system32/attrib.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/attrib.exe /e /g administrator:f /c
echo y| cacls %SystemRoot%/system32/attrib.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/attrib.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/attrib.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/attrib.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/attrib.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/attrib.exe /e /d system /c

echo y| cacls %SystemRoot%/system32/secedit.exe /e /g administrator:f /c
cls
echo .
echo ---------------------------------------------------
echo 是否要修改administrator名字，是按Y，否按N？
echo ---------------------------------------------------
echo .
if %errorlevel% equ 2 goto confirml
set username1=
:usernogo
cls
echo 设置超级管理员账号并只允许此账号远程
set /p username1=请输入新的administrator名字：
if not defined username1 goto usernogo
echo 你设置的超级管理员用户名是：%username1%

echo [version] >sfqas.inf
echo signature="$CHICAGO$" >>sfqas.inf
echo Revision=1 >>sfqas.inf
echo [System Access] >>sfqas.inf
echo NewAdministratorName = "%username1%" >>sfqas.inf
secedit /configure /db sfqas.sdb /cfg sfqas.inf /log sfqas.log /overwrite /quiet
del sfqas.*
:confirml

attrib +R +A +S +H %SystemRoot%/system32/secedit.exe
echo y| cacls %SystemRoot%/system32/secedit.exe /e /d guests /c
echo y| cacls %SystemRoot%/system32/secedit.exe /e /r administrators
echo y| cacls %SystemRoot%/system32/secedit.exe /e /d interactive /c
echo y| cacls %SystemRoot%/system32/secedit.exe /e /d service /c
echo y| cacls %SystemRoot%/system32/secedit.exe /e /d batch /c
echo y| cacls %SystemRoot%/system32/secedit.exe /e /d users /c
echo y| cacls %SystemRoot%/system32/secedit.exe /e /d system /c

cls
echo .
echo ---------------------------------------------------
echo 如果你是虚拟主机系统，如hz，此步请选N？
echo ---------------------------------------------------
echo .
CHOICE /C YN /M "不是请按 Y，是请按 N。"
if %errorlevel% equ 2 goto confirm2
echo y| cacls %SystemRoot%/system32/cacls.exe /e /d system /c
echo y| cacls %SystemRoot%/system32/cacls.exe /e /d interactive /c
:confirm2

cls
@echo 索引系统垃圾列表中....
del /f /s /q %systemdrive%\*.tmp
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
del /s /q %windir%\temp\*.*
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"
del /f /s /q "%userprofile%\recent\*.*"
@echo 系统垃圾清理完毕!

windows 2003 自动安全设置

标签：des   io   ar   os   sp   for   strong   文件   on   

原文地址：http://www.cnblogs.com/networking/p/4117308.html