Modify firmware environment values: Administrators
Generate system policies: Administrators
Log on as a batch job: No one
4. Event Viewer settings:
Set the log size for the Application, System and Security logs to 100 MB each.
Event log overwrite policy: overwrite events older than 30 days.
Prevent anonymous users from viewing the logs.
5. Registry values
KEY                                                                                    Type        Value
MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\HandlerRequired                     REG_DWORD   1
MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation       REG_DWORD   1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms           REG_SZ      1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects                          REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Lsa\Su
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword       REG_DWORD   0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect       REG_DWORD   15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks         REG_DWORD   0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer      REG_DWORD   0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature   REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature    REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature      REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature       REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal        REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel        REG_DWORD   1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel        REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous                         REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode                REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel                      REG_DWORD   2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText          REG_SZ      This is a private system. Unauthorized use is prohibited.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption       REG_SZ      CISD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName  REG_SZ      1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail                          REG_DWORD   1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown   REG_DWORD   1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount        REG_SZ      0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies         REG_SZ      1
MACHINE\Software\Microsoft\Windows NT\Current bmitControl                              REG_DWORD   0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing                     REG_BINARY  1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon     REG_SZ      1
6. File system and registry access control:
See bastion.inf for details.
7. Administrator account:
bastion.inf renames Administrator to root; you can change this name to whatever suits you, and use a strong password.
IV. Optional registry settings
1. Remove the OS/2 and POSIX subsystems:
Delete every key under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
Delete the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
Delete the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2
Delete the following directory:
c:\winnt\system32\os2
2. Remove the RDS vulnerability:
Delete the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
3. Remove unnecessary services from the network services:
Remove: NetBIOS Interface, Computer Browser, Server, Workstation
Keep: RPC Configuration
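The registry values in section 5 and the deletions in section IV are easy to verify but tedious to check by hand. The following PowerShell script is an added example, not part of the original guide or of bastion.inf: it reads each setting through the .NET Registry API (so the key name containing "/" in "OS/2 Subsystem for NT" is handled) and reports MISSING, DRIFT or PRESENT entries without changing anything. It assumes a current PowerShell and local administrator rights. The legal-notice strings, the REG_BINARY entry and the two entries the guide leaves truncated are omitted. Os2LibPath and the SubSystems entries (Optional, Posix, Os2) are values under their keys rather than keys of their own, so they are checked as values; the ADCLaunch entries and the OS/2 subsystem entry are checked as keys.

```powershell
# Added audit script (not from the original guide): compares the guide's
# registry recommendations with the live system. Read-only; nothing is changed.
$ExpectedValues = @(
  @{ Key = 'SOFTWARE\Microsoft\DataFactory\HandlerInfo';                         Name = 'HandlerRequired';              Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\FileSystem';                        Name = 'NtfsDisable8dot3NameCreation'; Expect = '1' }
  @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'AllocateCDRoms';               Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'AuditBaseObjects';             Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\Rdr\Parameters';                   Name = 'EnablePlainTextPassword';      Expect = '0' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';          Name = 'AutoDisconnect';               Expect = '15' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';          Name = 'AutoShareWks';                 Expect = '0' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';          Name = 'AutoShareServer';              Expect = '0' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';          Name = 'EnableForcedLogOff';           Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';          Name = 'RequireSecuritySignature';     Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';          Name = 'EnableSecuritySignature';      Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\Rdr\Parameters';                   Name = 'RequireSecuritySignature';     Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\Rdr\Parameters';                   Name = 'EnableSecuritySignature';      Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';              Name = 'RequireSignOrSeal';            Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';              Name = 'SealSecureChannel';            Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';              Name = 'SignSecureChannel';            Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'RestrictAnonymous';            Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager';                   Name = 'ProtectionMode';               Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'LmCompatibilityLevel';         Expect = '2' }
  @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'DontDisplayLastUserName';      Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'CrashOnAuditFail';             Expect = '1' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown';      Expect = '1' }
  @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'CachedLogonsCount';            Expect = '0' }
  @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'AllocateFloppies';             Expect = '1' }
  @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';              Name = 'ShutdownWithoutLogon';         Expect = '1' }
)

# Section IV: these are values that should no longer exist ...
$ValuesToBeAbsent = @(
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'; Name = 'Os2LibPath' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems';  Name = 'Optional' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems';  Name = 'Posix' }
  @{ Key = 'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems';  Name = 'Os2' }
)
# ... and these are keys that should no longer exist.
$KeysToBeAbsent = @(
  'SOFTWARE\Microsoft\OS/2 Subsystem for NT'
  'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory'
  'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory'
  'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls'
)

# Returns the value data, or $null if the key or the value does not exist.
function Get-HklmValue([string]$SubKey, [string]$Name) {
  $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
  if ($null -eq $key) { return $null }
  try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Test-BastionRegistry {
  foreach ($e in $ExpectedValues) {
    $actual = Get-HklmValue $e.Key $e.Name
    # REG_DWORD 1 and REG_SZ "1" both stringify to "1", so compare as strings.
    $status = if ($null -eq $actual) { 'MISSING' } elseif ("$actual" -eq $e.Expect) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Status = $status; Setting = "HKLM\$($e.Key)\$($e.Name)"; Expected = $e.Expect; Actual = $actual }
  }
  foreach ($v in $ValuesToBeAbsent) {
    $actual = Get-HklmValue $v.Key $v.Name
    $status = if ($null -eq $actual) { 'OK' } else { 'PRESENT' }
    [pscustomobject]@{ Status = $status; Setting = "HKLM\$($v.Key)\$($v.Name)"; Expected = '<absent>'; Actual = $actual }
  }
  foreach ($k in $KeysToBeAbsent) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($k)
    if ($null -eq $key) { $status = 'OK'; $actual = $null } else { $key.Close(); $status = 'PRESENT'; $actual = 'key exists' }
    [pscustomobject]@{ Status = $status; Setting = "HKLM\$k"; Expected = '<absent>'; Actual = $actual }
  }
}

# Show only what deviates from the guide.
Test-BastionRegistry | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty table means every checked entry matches the guide. Drop the final `Where-Object` filter to see the full list, OK rows included, when you want a record of the baseline.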
V. Securing permissions
1. Protect the Internet Guest account:
In User Manager, rename the Internet Guest account to an obscure name and give it a strong password.
Disable the Guest account.
Remove the renamed Internet Guest account from the "Guests" group.
Set the renamed Internet Guest account's access to all volumes to "No Access". For IIS to keep working, the renamed Internet Guest account must be granted Read permission on the following directories:
Default path         Environment variable
c:\                  %SystemDrive%
c:\winnt             %SystemRoot%
d:\InetPub\wwwroot   your IIS root directory
Note: when setting permissions on the directories above, do not select "Replace Permissions on Subdirectories"!!
2. Lock down the "Users" group:
Set the NT built-in group "Users" to "No Access" on all volumes. New users are automatically added to the "Users" group, so by default a new user will not be able to access any volume.
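The two permission rules in section V are the ones most often undone later by an installer or a well-meaning administrator. The following PowerShell script is an added example, not part of the original guide: it reports (a) any Allow ACE that gives the renamed Internet Guest account more than Read on the three directories the guide lists and (b) any Allow ACE held by the built-in Users group on a drive-letter volume root. It assumes a current PowerShell with Get-Acl; the account name in $GuestAccount and the IIS root in $IisRoot are placeholders to replace with your own. It only reports, it does not change ACLs.

```powershell
# Added audit script (not from the original guide): read-only check of the NTFS
# permissions section V asks for.
$GuestAccount = 'MYHOST\web_anon'        # placeholder: your renamed Internet Guest account
$IisRoot      = 'D:\InetPub\wwwroot'     # placeholder: your IIS root directory
$ReadOnlyDirs = @("$env:SystemDrive\", $env:SystemRoot, $IisRoot)

# What the guide grants: Read (ReadAndExecute is the NT "Read" permission set)
# plus Synchronize, which every usable file ACE carries.
$AllowedMask = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                     [System.Security.AccessControl.FileSystemRights]::Synchronize)

# Emits one object per Allow ACE on the listed directories that gives the
# guest account rights beyond the allowed mask (write, delete, change permissions,
# generic all/write, and so on).
function Get-ExcessGuestAces {
  foreach ($dir in $ReadOnlyDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
      if ($ace.IdentityReference.Value -ne $GuestAccount) { continue }
      if ($ace.AccessControlType -ne 'Allow') { continue }
      $excess = [int]$ace.FileSystemRights -band (-bnot $AllowedMask)
      if ($excess -ne 0) {
        [pscustomobject]@{ Path = $dir; Account = $GuestAccount
                           Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
      }
    }
  }
}

# Emits one object per Allow ACE held by BUILTIN\Users on any X:\ volume root.
# The guide's "No Access" means Users should hold no Allow entry there at all.
function Get-UsersAllowAces {
  $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
  foreach ($r in $roots) {
    foreach ($ace in (Get-Acl -LiteralPath $r.Root).Access) {
      if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and $ace.AccessControlType -eq 'Allow') {
        [pscustomobject]@{ Path = $r.Root; Account = 'BUILTIN\Users'
                           Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
      }
    }
  }
}

'== Internet Guest account holding more than Read =='
Get-ExcessGuestAces | Format-Table -AutoSize
'== BUILTIN\Users Allow entries on volume roots =='
Get-UsersAllowAces | Format-Table -AutoSize
```

The Inherited column is the useful one when something shows up: an inherited ACE points at a parent whose permissions were replaced downward, which is exactly the mistake the guide's note about "Replace Permissions on Subdirectories" warns against.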