Windows基线自动化检查脚本

本批处理脚本的主要目的是对Windows系统进行安全性检查。检查了多个安全参数和设置，以确保系统符合特定的安全标准。当然也可能有些检查项不是很准确，需要根据实际环境再调试一下，以下是该脚本的详细描述和功能分析：

1. 脚本初始化
使用 @echo off 禁用命令回显，以便输出更清晰。
setlocal enabledelayedexpansion 启用延迟变量扩展，以便在循环中使用变量。
2. 变量设置
定义了一些变量用于计数：
totalChecks: 总检查项目数量（设为60），如果有新增或删减可以改变这个定量。
passCount: 通过检查的计数。
failCount: 未通过检查的计数。
skippedCount: 被跳过的检查计数。

3. 收集IP地址
通过ipconfig命令获取IPv4地址，特别是以192.168.开头的地址，并将其存储在变量ip中，用于输出确认我们在批量检查的时候知道这是那个主机的结果。

4. 导出安全策略
使用 secedit /export 导出安全策略到临时文件，并用PowerShell将其编码为UTF-8格式。便于一些检查安全策略的项目可以直接去导出的文件里面检索。

5. 安全检查
脚本接下来执行一系列安全检查，主要包括：
(1) 检查密码长度最小值：验证最小密码长度是否小于12。
(2) 检查是否已启用密码复杂性要求：确认密码复杂性设置是否启用。
(3) 检查是否已禁用来宾 (Guest) 帐户：检查来宾账户状态是否为禁用。
(4) 检查“强制密码历史”个数：验证密码历史的数量是否小于5。
(5) 检查已启用的本地用户的个数：确认本地启用用户是否少于2。
(6) 检查密码最长使用期限：验证密码最大有效期是否少于90天。
(7) 检查密码最长使用期限是否不为0：确认密码有效期是否为0。
(8) 检查帐户锁定阈值：验证帐户锁定阈值是否小于6。
(9) 检查帐户锁定阈值是否不为0：确认锁定阈值是否为0。
(10) 检查“取得文件或其它对象的所有权”的帐户和组：检查管理员组的配置。
(11) 检查可从远端关闭系统的帐户和组：同样检查管理员组的配置。
(12) 检查是否已禁止 SAM 帐户的匿名枚举：检查注册表设置。
(13) 检查是否已禁止 SAM 帐户和共享的匿名枚举：同样检查注册表设置。
(14) 检查可远程访问的注册表路径：检查注册表是否可远程访问。
(15) 检查可远程访问的注册表路径：再一次检查远程访问设置（重复检查，实际应为一个检查）。
(16) 检查可匿名访问的共享：检查是否有共享文件夹可以匿名访问。
(17) 检查可匿名访问的命名管道：检查命名管道的访问权限。
(18) 检查允许从网络访问此计算机的用户和组：检查网络访问权限设置。
(19) 检查允许本地登录的用户和组：检查本地登录权限设置。
(20) 检查应用程序日志文件达到最大大小时的动作：确认日志文件溢出处理设置。
(21) 检查应用程序日志文件最大大小：确认日志文件的最大大小设置。
(22) 检查“审核对象访问”级别：检查文件系统的审核策略。
(23) 检查“审核特权使用”级别：检查特权使用的审核策略。
(24) 检查“审核进程跟踪”级别：检查进程创建的审核策略。
(25) 检查“审核登录事件”级别：检查登录事件的审核策略。
(26) 检查“审核目录服务访问”级别：检查目录服务访问的审核策略。
(27) 检查“审核系统事件”级别：检查系统事件的审核策略。
(28) 检查“审核帐户登录事件”级别：检查帐户登录事件的审核策略。
(29) 检查“审核策略更改”级别：检查审核策略变更的审核策略。
(30) 检查“审核帐户管理”级别：检查用户账户管理的审核策略。
(31) 检查 Windows 防火墙状态：确认Windows防火墙是否启用。
(32) 检查远程桌面 (RDP) 服务端口：确认RDP端口是否为默认设置。
(33) 检查源路由配置：确认源路由是否被禁用。
(34) 检查 TCP 连接请求阈值：确认TCP连接请求阈值设置。
(35) 检查是否已启用 SYN 攻击保护：确认SYN攻击保护是否启用。
(36) 检查取消尝试响应 SYN 请求之前要重新传输 SYN-ACK 的次数：确认设置正确。
(37) 检查处于 SYN_RCVD 状态下的 TCP 连接阈值：确认连接阈值设置。
(38) 检查处于 SYN_RCVD 状态下，且至少已经进行了一次重新传输的 TCP 连接阈值：确认设置正确。
(39) 检查是否已删除 SNMP 服务的默认 public 团体：确认SNMP设置。
(40) 检查是否已启用 TCP 最大传输单元 (MTU) 大小自动探测：确认MTU探测设置。
(41) 检查 Remote Access Connection Manager 服务状态：确认该服务是否停止。
(42) 检查 Message Queuing 服务状态：确认该服务是否停止。
(43) 检查 DHCP Server 服务状态：确认该服务是否停止。
(44) 检查 DHCP Client 服务状态：确认该服务是否停止。
(45) 检查 Simple Mail Transport Protocol (SMTP) 服务状态：确认该服务是否停止。
(46) 检查 Windows Internet Name Service (WINS) 服务状态：确认该服务是否停止。
(47) 检查 Simple TCP/IP Services 服务状态：确认该服务是否停止。
(48) 检查 Windows 自动登录设置：确认自动登录是否禁用。
(49) 检查是否已安装青藤云主机安全 agent：确认TitanAgent是否安装。
(50) 检查共享文件夹的共享权限：确认共享文件夹权限设置。
(51) 检查所有磁盘分区的文件系统格式：确认所有磁盘是否为NTFS格式。
(52) 检查是否已对所有驱动器关闭 Windows 自动播放：确认自动播放设置。
(53) 检查是否已禁用 Windows 硬盘默认共享：确认硬盘共享设置。
(54) 检查服务器在暂停会话前所需的空闲时间量：确认设置是否正确。
(55) 检查是否正确配置 NTP 时间同步服务器：确认NTP服务器设置。
(56) 检查是否正确配置 DNS 服务器：确认DNS设置。
(57) 检查是否已关闭 IPv6 协议：确认IPv6是否禁用。
(58) 检查是否已开启数据 DEP 功能：确认DEP设置。
(59) 检查主机名是否已符合主机命名规范：确认主机名是否符合标准。
(60) 检查是否已开启 UAC 安全提示：确认UAC设置是否启用。

6. 输出结果
最后，脚本输出总的检查数量、通过的数量、未通过的数量和跳过的数量。
清理临时生成的文件。

脚本代码如下：

@echo off
setlocal enabledelayedexpansion:: 初始化计数器
set totalChecks=60
set passCount=0
set failCount=0
set skippedCount=0 for /f "tokens=2 delims=:" %%f in ('ipconfig ^| findstr "IPv4 Address" ^| findstr "192.168."') do (for /f "tokens=1" %%g in ("%%f") do (set "ip=%%g")
)
echo IP:%ip%:: 先执行一次PowerShell命令，导出安全策略到secpol.cfg
:: powershell -Command "secedit /export /areas SECURITYPOLICY /cfg C:\secpol.cfg > $null 2>&1"
secedit /export /areas SECURITYPOLICY /cfg C:\temp_secpol.cfg > nul 2>&1
powershell -Command "Get-Content C:\temp_secpol.cfg | Out-File -FilePath C:\secpol.cfg -Encoding utf8"
:: 1. 检查密码长度最小值
set minPwdLength=""
for /f "tokens=2 delims== " %%a in ('findstr /i "MinimumPasswordLength" C:\secpol.cfg') do set minPwdLength=%%a
if !minPwdLength! LSS 12 (echo Not Pass: [1] MinimumPasswordLength is !minPwdLength!set /a failCount+=1
) else (set /a passCount+=1
):: 2. 检查是否已启用密码复杂性要求
set pwdComplexity=""
for /f "tokens=2 delims== " %%b in ('findstr /i "PasswordComplexity" C:\secpol.cfg') do set pwdComplexity=%%b
if /i "!pwdComplexity!" == "" (echo Not Pass: [2] PasswordComplexity is not setset /a failCount+=1
) else (set /a passCount+=1
):: 3. 检查是否已禁用来宾 (Guest) 帐户
net user Guest | find "Account active" > result.txt
set /p guestStatus=<result.txt
if /i "!guestStatus!" == "Yes" (echo Not Pass: [3] Guest account is enabledset /a failCount+=1
) else (set /a passCount+=1
):: 4. 检查“强制密码历史”个数
set pwdHistorySize=""
for /f "tokens=2 delims== " %%c in ('findstr /i "PasswordHistorySize" C:\secpol.cfg') do set pwdHistorySize=%%c
if !pwdHistorySize! LSS 5 (echo Not Pass: [4] PasswordHistorySize is !pwdHistorySize!set /a failCount+=1
) else (set /a passCount+=1
):: 5. 检查已启用的本地用户的个数
for /f %%d in ('net user ^| find /c /v "-----"') do set enabledUsers=%%d
if !enabledUsers! LSS 2 (echo Not Pass: [5] Enabled local users count is !enabledUsers!set /a failCount+=1
) else (set /a passCount+=1
):: 6. 检查密码最长使用期限
set maxPwdAge=""
for /f "usebackq tokens=2 delims== " %%e in (`findstr /i "MaximumPasswordAge" C:\secpol.cfg ^| findstr /v "MACHINE"`) do (set maxPwdAge=%%erem 只取数字部分，确保没有其他字符影响set maxPwdAge=!maxPwdAge: =!rem 找到第一行后就退出循环goto :done
)
:done
if !maxPwdAge! LSS 90 (echo Not Pass: [6] MaximumPasswordAge is !maxPwdAge!set /a failCount+=1
) else (set /a passCount+=1
):: 7. 检查密码最长使用期限是否不为 0
if !maxPwdAge! == 0 (echo Not Pass: [7] MaximumPasswordAge is !maxPwdAge!set /a failCount+=1
) else (set /a passCount+=1
):: 8. 检查帐户锁定阈值
set lockoutBadCount=""
for /f "tokens=2 delims== " %%f in ('findstr /i "LockoutBadCount" C:\secpol.cfg') do set lockoutBadCount=%%f
if !lockoutBadCount! LSS 6 (echo Not Pass: [8] LockoutBadCount is !lockoutBadCount!set /a failCount+=1
) else (set /a passCount+=1
):: 9. 检查帐户锁定阈值是否不为 0
if !lockoutBadCount! == 0 (echo Not Pass: [9] LockoutBadCount is !lockoutBadCount!set /a failCount+=1
) else (set /a passCount+=1
):: 10. 检查“取得文件或其它对象的所有权”的帐户和组
whoami /groups | findstr /i "Administrators" > result.txt
set /p adminGroups=<result.txt
set excludeGroups=NT AUTHORITY\Local:: 检查是否包含排除项
echo "!adminGroups!" | findstr /i "!excludeGroups!" >nul
if not errorlevel 1 (set /a skippedCount+=1
) else (if /i "!adminGroups!" NEQ "Administrators" (echo Not Pass: [10] Other groups found: !adminGroups!set /a failCount+=1) else (set /a passCount+=1)
):: 11. 检查可从远端关闭系统的帐户和组
whoami /groups | findstr /i "Administrators" > result.txt
set /p adminRemoteGroups=<result.txt
set excludeRemoteGroups=NT AUTHORITY\Local:: 检查是否包含排除项
echo "!adminRemoteGroups!" | findstr /i "!excludeRemoteGroups!" >nul
if not errorlevel 1 (set /a skippedCount+=1
) else (if /i "!adminRemoteGroups!" NEQ "Administrators" (echo Not Pass: [11] Other groups found: !adminRemoteGroups!set /a failCount+=1) else (set /a passCount+=1)
):: 12. 检查是否已禁止 SAM 帐户的匿名枚举
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymous" | findstr /i "0x1" > result.txt
if errorlevel 1 (echo Not Pass: [12] RestrictAnonymous is not enabledset /a failCount+=1
) else (set /a passCount+=1
):: 13. 检查是否已禁止 SAM 帐户和共享的匿名枚举
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSam" | findstr /i "0x1" > result.txt
if errorlevel 1 (echo Not Pass: [13] RestrictAnonymousSam is not enabledset /a failCount+=1
) else (set /a passCount+=1
):: 14. 检查可远程访问的注册表路径
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v RemoteRegistry > result.txt 2>&1
set /p remoteRegistry=<result.txt
if errorlevel 1 (set /a passCount+=1
) else (if "!remoteRegistry!" NEQ "" (echo Not Pass: [14] RemoteRegistry is accessibleset /a failCount+=1) else (set /a passCount+=1)
):: 15. 检查可远程访问的注册表路径
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v RemoteRegistry > result.txt 2>&1
set /p remoteRegistryPath=<result.txt
if errorlevel 1 (set /a passCount+=1
) else (if "!remoteRegistryPath!" NEQ "" (echo Not Pass: [15] RemoteRegistry is accessibleset /a failCount+=1) else (set /a passCount+=1)
):: 16. 检查可匿名访问的共享
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "NullSessionShares" > result.txt
set /p nullSessionShares=<result.txt
if "!nullSessionShares!" NEQ "" (echo Not Pass: [16] NullSessionShares is accessibleset /a failCount+=1
) else (set /a passCount+=1
):: 17. 检查可匿名访问的命名管道
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "NullSessionPipes" > result.txt 2>&1
set /p nullSessionPipes=<result.txt
if errorlevel 1 (set /a passCount+=1
) else (if "!nullSessionPipes!" NEQ "" (echo Not Pass: [17] NullSessionPipes is accessibleset /a failCount+=1) else (set /a passCount+=1)
):: 18. 检查允许从网络访问此计算机的用户和组
whoami /priv | findstr /i "SeRemoteInteractiveLogonRight" > result.txt
set /p remoteInteractiveLogonRight=<result.txt
if /i "!remoteInteractiveLogonRight!" NEQ "SeRemoteInteractiveLogonRight" (if defined remoteInteractiveLogonRight (echo Not Pass: [18] Other users found: !remoteInteractiveLogonRight!set /a failCount+=1) else (set /a passCount+=1)
) else (set /a passCount+=1
):: 19. 检查允许本地登录的用户和组
whoami /priv | findstr /i "SeInteractiveLogonRight" > result.txt
set /p interactiveLogonRight=<result.txt
if /i "!interactiveLogonRight!" NEQ "SeInteractiveLogonRight" (if defined interactiveLogonRight (echo Not Pass: [19] Other users found: !interactiveLogonRight!set /a failCount+=1) else (set /a passCount+=1)
) else (set /a passCount+=1
):: 20. 检查应用程序日志文件达到最大大小时的动作
wevtutil get-log Application /format:xml | findstr /i "OverflowAction" > result.txt
set /p overflowAction=<result.txt
if "!overflowAction!" == "" (set /a passCount+=1
) else (echo Not Pass: [20] OverflowAction found: !overflowAction!set /a failCount+=1
):: 21. 检查应用程序日志文件最大大小
wevtutil get-log Application /format:xml | findstr /i "maxSize" > result.txt
set /p maxSize=<result.txt
if "!maxSize!" == "" (echo Not Pass: [21] maxSize is not setset /a failCount+=1
) else (set /a passCount+=1
):: 22. 检查“审核对象访问”级别
auditpol /get /subcategory:"File System" > result.txt
set /p fileSystemAuditPolicy=<result.txt
if "!fileSystemAuditPolicy!" == "" (echo Not Pass: [22] File System audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 23. 检查“审核特权使用”级别
auditpol /get /subcategory:"Sensitive Privilege Use" > result.txt
set /p sensitivePrivilegeUseAuditPolicy=<result.txt
if "!sensitivePrivilegeUseAuditPolicy!" == "" (echo Not Pass: [23] Sensitive Privilege Use audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 24. 检查“审核进程跟踪”级别
auditpol /get /subcategory:"Process Creation" > result.txt
set /p processCreationAuditPolicy=<result.txt
if "!processCreationAuditPolicy!" == "" (echo Not Pass: [24] Process Creation audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 25. 检查“审核登录事件”级别
auditpol /get /subcategory:"Logon" > result.txt
set /p logonAuditPolicy=<result.txt
if "!logonAuditPolicy!" == "" (echo Not Pass: [25] Logon audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 26. 检查“审核目录服务访问”级别
auditpol /get /subcategory:"Directory Service Access" > result.txt
set /p directoryServiceAccessAuditPolicy=<result.txt
if "!directoryServiceAccessAuditPolicy!" == "" (echo Not Pass: [26] Directory Service Access audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 27. 检查“审核系统事件”级别
auditpol /get /subcategory:"Other System Events" > result.txt
set /p otherSystemEventsAuditPolicy=<result.txt
if "!otherSystemEventsAuditPolicy!" == "" (echo Not Pass: [27] Other System Events audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 28. 检查“审核帐户登录事件”级别
auditpol /get /subcategory:"Credential Validation" > result.txt
set /p credentialValidationAuditPolicy=<result.txt
if "!credentialValidationAuditPolicy!" == "" (echo Not Pass: [28] Credential Validation audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 29. 检查“审核策略更改”级别
auditpol /get /subcategory:"Audit Policy Change" > result.txt
set /p auditPolicyChange=<result.txt
if "!auditPolicyChange!" == "" (echo Not Pass: [29] Audit Policy Change audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 30. 检查“审核帐户管理”级别
auditpol /get /subcategory:"User Account Management" > result.txt
set /p userAccountManagementAuditPolicy=<result.txt
if "!userAccountManagementAuditPolicy!" == "" (echo Not Pass: [30] User Account Management audit policy is not setset /a failCount+=1
) else (set /a passCount+=1
):: 31. 检查 Windows 防火墙状态
netsh advfirewall show allprofiles | findstr /i "State" | findstr /i "ON" > result.txt
if errorlevel 1 (echo Not Pass: [31] Windows Firewall is not enabledset /a failCount+=1
) else (set /a passCount+=1
):: 32. 检查远程桌面 (RDP) 服务端口
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber"') do set PortNumber=%%a
if "!PortNumber!" NEQ "0x1188" (echo Not Pass: [32] RDP port is not setset /a failCount+=1
) else (set /a passCount+=1
):: 33. 检查源路由配置
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableIPSourceRouting"') do set DisableIPSourceRouting=%%a
if "!DisableIPSourceRouting!" NEQ "0x2" (echo Not Pass: [33] IP Source Routing is enabledset /a failCount+=1
) else (set /a passCount+=1
):: 34. 检查 TCP 连接请求阈值
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxPortsExhausted"') do set TcpMaxPortsExhausted=%%a
if "!TcpMaxPortsExhausted!" NEQ "0x5" (echo Not Pass: [34] TcpMaxPortsExhausted is not set correctlyset /a failCount+=1
) else (set /a passCount+=1
):: 35. 检查是否已启用 SYN 攻击保护
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect') do set SynAttackProtect=%%a
if "!SynAttackProtect!" NEQ "0x1" (echo Not Pass: [35] SynAttackProtect is not enabledset /a failCount+=1
) else (set /a passCount+=1
):: 36. 检查取消尝试响应 SYN 请求之前要重新传输 SYN-ACK 的次数
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxConnectResponseRetransmissions') do set TcpMaxConnectResponseRetransmissions=%%a
if "!TcpMaxConnectResponseRetransmissions!" NEQ "0x2" (echo Not Pass: [36] TcpMaxConnectResponseRetransmissions is not set correctlyset /a failCount+=1
) else (set /a passCount+=1
):: 37. 检查处于 SYN_RCVD 状态下的 TCP 连接阈值
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen') do set TcpMaxHalfOpen=%%a
set TcpMaxHalfOpen=!TcpMaxHalfOpen: =!
if "!TcpMaxHalfOpen!" NEQ "0x1f4" (echo Not Pass: [37] TcpMaxHalfOpen is not set correctlyset /a failCount+=1
) else (set /a passCount+=1
):: 38. 检查处于 SYN_RCVD 状态下，且至少已经进行了一次重新传输的 TCP 连接阈值
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried') do set TcpMaxHalfOpenRetried=%%a
set TcpMaxHalfOpenRetried=!TcpMaxHalfOpenRetried: =!
if "!TcpMaxHalfOpenRetried!" NEQ "0x190" (echo Not Pass: [38] TcpMaxHalfOpenRetried is not set correctlyset /a failCount+=1
) else (set /a passCount+=1
):: 39. 检查是否已删除 SNMP 服务的默认 public 团体
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" > result.txt 2>&1
if %errorlevel% NEQ 0 (set /a passCount+=1
) else (echo Not Pass: [39] SNMP ValidCommunities is setset /a failCount+=1
):: 40. 检查是否已启用 TCP 最大传输单元 (MTU) 大小自动探测
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery') do set EnablePMTUDiscovery=%%a
if "!EnablePMTUDiscovery!" NEQ "0x0" (echo Not Pass: [40] EnablePMTUDiscovery is enabledset /a failCount+=1
) else (set /a passCount+=1
):: 41. 检查 Remote Access Connection Manager 服务状态
sc query "RemoteAccess" | find "STATE" > result.txt
set /p remoteAccessStatus=<result.txt
if /i "!remoteAccessStatus!" NEQ "STOPPED" (echo Not Pass: [41] RemoteAccess service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 42. 检查 Message Queuing 服务状态
sc query "MSMQ" | find "STATE" > result.txt
set /p msmqStatus=<result.txt
if /i "!msmqStatus!" NEQ "STOPPED" (echo Not Pass: [42] MSMQ service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 43. 检查 DHCP Server 服务状态
sc query "DHCPServer" | find "STATE" > result.txt
set /p dhcpServerStatus=<result.txt
if /i "!dhcpServerStatus!" NEQ "STOPPED" (echo Not Pass: [43] DHCPServer service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 44. 检查 DHCP Client 服务状态
sc query "Dhcp" | find "STATE" > result.txt
set /p dhcpClientStatus=<result.txt
if /i "!dhcpClientStatus!" NEQ "STOPPED" (echo Not Pass: [44] Dhcp service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 45. 检查 Simple Mail Transport Protocol (SMTP) 服务状态
sc query "SMTPSVC" | find "STATE" > result.txt
set /p smtpStatus=<result.txt
if /i "!smtpStatus!" NEQ "STOPPED" (echo Not Pass: [45] SMTPSVC service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 46. 检查 Windows Internet Name Service (WINS) 服务状态
sc query "WINS" | find "STATE" > result.txt
set /p winsStatus=<result.txt
if /i "!winsStatus!" NEQ "STOPPED" (echo Not Pass: [46] WINS service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 47. 检查 Simple TCP/IP Services 服务状态
sc query "SimpleTCP" | find "STATE" > result.txt
set /p simpleTcpStatus=<result.txt
if /i "!simpleTcpStatus!" NEQ "STOPPED" (echo Not Pass: [47] SimpleTCP service is runningset /a failCount+=1
) else (set /a passCount+=1
):: 48. 检查 Windows 自动登录设置
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon > result.txt 2>&1
if %errorlevel% NEQ 0 (set /a passCount+=1
) else (for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon') do (if "%%a" NEQ "0x0" (echo Not Pass: [48] AutoAdminLogon is enabledset /a failCount+=1) else (set /a passCount+=1))
):: 49. 检查是否已安装青藤云主机安全 agent
tasklist | findstr TitanAgent.exe > result.txt
if not exist result.txt (echo Not Pass: [49] TitanAgent is not installedset /a failCount+=1
) else (set /a passCount+=1
):: 50. 检查共享文件夹的共享权限
sc query "server" | find "RUNNING" >nul
if errorlevel 1 (REM 如果服务没有运行，算作符合条件set /a passCount+=1
) else (REM 如果服务在运行，检查共享文件夹for /f "tokens=1" %%a in ('net share') do (set "shareName=%%a"if not "!shareName!"=="" (echo Checking share: !shareName!set "foundEveryone=0"for /f "tokens=*" %%b in ('net share !shareName! ^| find "Everyone"') do (if not "%%b"=="" (echo Not Pass: [50] !shareName! contains "Everyone"set /a failCount+=1set "foundEveryone=1"))if !foundEveryone!==0 (set /a passCount+=1)))
):: 51. 检查所有磁盘分区的文件系统格式
wmic logicaldisk get name, filesystem > result.txtREM 定义一个变量来保存所有文件系统格式
set "filesystems="REM 处理结果文件
for /f "skip=1" %%c in (result.txt) do (if "%%c"=="" (set /a skippedCount+=1) else (set "line=%%c"REM 解析驱动器和文件系统for /f "tokens=1,2" %%d in ("!line!") do (set "filesystem=%%e"REM 添加文件系统到列表if not "!filesystem!"=="" (set "filesystems=!filesystems! !filesystem!")))
)REM 删除多余空格
set "filesystems=!filesystems: =!"REM 检查所有文件系统是否都是 NTFS
set "allNTFS=true"for %%f in (!filesystems!) do (if /i "%%f" neq "NTFS" (set "allNTFS=false")
)REM 判断所有检查是否符合条件
if "!allNTFS!"=="true" (set /a passCount+=1
) else (set /a failCount+=1echo Not Pass: [51] Some drives are not NTFS or empty.
):: 52. 检查是否已对所有驱动器关闭 Windows 自动播放
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun > result.txt 2>&1
if %errorlevel% NEQ 0 (set /a passCount+=1
) else (for /f "tokens=3" %%a in ('reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun') do set noDriveTypeAutoRun=%%aif "!noDriveTypeAutoRun!" NEQ "0xff" (echo Not Pass: [52] NoDriveTypeAutoRun is not correctly setset /a failCount+=1) else (set /a passCount+=1)
):: 53. 检查是否已禁用 Windows 硬盘默认共享
for /f "tokens=3" %%a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer') do set autoShareServer=%%a
if "!autoShareServer!" NEQ "0x0" (echo Not Pass: [53] AutoShareServer is enabledset /a failCount+=1
) else (set /a passCount+=1
):: 54. 检查服务器在暂停会话前所需的空闲时间量
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "autodisconnect"') do set autodisconnect=%%a
if "!autodisconnect!" NEQ "0xf" (echo Not Pass: [54] autodisconnect is not set correctlyset /a failCount+=1
) else (set /a passCount+=1
):: 55. 检查是否正确配置 NTP 时间同步服务器
w32tm /query /configuration | findstr "NtpServer" > result.txt
set /p ntpServer=<result.txt
if /i "!ntpServer!" == "" (echo Not Pass: [55] NtpServer is not configuredset /a failCount+=1
) else (set /a passCount+=1
):: 56. 检查是否正确配置 DNS 服务器
netsh interface ip show config | findstr "DNS" > result.txt
set dnsConfigured=0
for /f "tokens=*" %%h in (result.txt) do (echo %%h | findstr "114.114.114.114" >nul && set dnsConfigured=1echo %%h | findstr "114.114.114.115" >nul && set dnsConfigured=1
)
if !dnsConfigured! == 0 (echo Not Pass: [56] DNS server is not configured correctlyset /a failCount+=1
) else (set /a passCount+=1
):: 57. 检查是否已关闭 IPv6 协议
netsh interface ipv6 show interfaces > result.txt
if !errorlevel! NEQ 0 (echo Not Pass: [57] IPv6 is enabledset /a failCount+=1
) else (set /a passCount+=1
):: 58. 检查是否已开启数据 DEP 功能
bcdedit | find "nx" > result.txt
set /p depStatus=<result.txt
if "!depStatus!" == "" (echo Not Pass: [58] DEP is not enabledset /a failCount+=1
) else (set /a passCount+=1
):: 59. 检查主机名是否已符合主机命名规范
hostname > result.txt
set /p hostname=<result.txt
if /i "!hostname!" NEQ "cn-lotus" (echo Not Pass: [59] Hostname is incorrect: !hostname!set /a failCount+=1
) else (set /a passCount+=1
):: 60. 检查是否已开启 UAC 安全提示
for /f "tokens=3" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"') do set EnableLUA=%%a
if "!EnableLUA!" NEQ "0x1" (echo Not Pass: [60] UAC is not enabledset /a failCount+=1
) else (set /a passCount+=1
):: 输出结果
echo Total checks: !totalChecks!
echo Total passes: !passCount!
echo Total failures: !failCount!
echo Total skippedCount: !skippedCount!del "C:\temp_secpol.cfg" /q
del "C:\secpol.cfg" /q
del "C:\result.txt" /qendlocal
pause

执行示例：