Linux运维 Windows Server ·

Windows Server 注册表安全优化

Windows Registry Editor Version 5.00;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;检查是否禁止显示上次登录用户名[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"DontDisplayLastUserName"=dword:00000001;禁用粘滞快键方式[HKEY_USERS\S-1-5-21-1514517536-298980120-1535418980-500\Control Panel\Accessibility\StickyKeys]"Flags"="506";135端口主要用于使用远程过程调用,服务器上般不建议开启[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]"EnableDCOM"="N"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]"DCOM Protocols"=hex(7):00,00[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Ole]"EnableDCOM"="N"[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Rpc]"DCOM Protocols"=hex(7):;445端口控制在局域网中轻松访问各种共享文件夹或共享打印机,服务器上一般不建议开启[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT\Parameters]"SMBDeviceEnabled"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]"SMBDeviceEnabled"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl]"CrashDumpEnabled"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]"CrashDumpEnabled"=dword:00000000;禁止远程修改注册表[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]"RemoteRegAccess"=dword:00000001;限制处于TIME. WAIT状态的最长时间,使运行的应用程序更快速释放和创建新连接。[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT\Parameters]"TcpTimedWaitDelay"=dword:0000001e[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"TcpTimedWaitDelay"=dword:0000001e;配置Backlog,提高网络并发性及网络的的处理能力[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AFD\Parameters]"EnableDynamicBacklog"=dword:00000001"MaximumDynamicBacklog"=dword:00004e20"MinimumDynamicBacklog"=dword:00000014[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]"EnableDynamicBacklog"=dword:00000001"MaximumDynamicBacklog"=dword:00004e20"MinimumDynamicBacklog"=dword:00000014;通过优化该选项可提高系统防御SYN攻击的能力,建议优化[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services]"EnableDeadGWDetect"=dword:00000000"SynAttackProtect"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"SynAttackProtect"=dword:00000002"TCPMaxPortsExhausted"=dword:00000005[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]"EnableDeadGWDetect"=dword:00000000"SynAttackProtect"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"SynAttackProtect"=dword:00000002"TCPMaxPortsExhausted"=dword:00000005;通过优化设置SYN-ACK等待时间,可提高系统的网络性能[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"EnableICMPRedirects"=dword:00000000"TcpMaxConnectResponseRetransmissions"=dword:00000002[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"EnableICMPRedirects"=dword:00000000"TcpMaxConnectResponseRetransmissions"=dword:00000002;抵御SNMP攻击,检查无效网关,以便优化网络[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"EnableDeadGWDetect"=dword:00000000"TcpMaxConnectResponseRetransmissions"=dword:00000002[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"EnableDeadGWDetect"=dword:00000000"TcpMaxConnectResponseRetransmissions"=dword:00000002;抵御ICMP攻击,检查有可能用以攻击的ICMP重定向报文[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"EnableICMPRedirects"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"EnableICMPRedirects"=dword:00000000;检查TCPIP协议栈IGMP堆栈溢出本地拒绝服务攻击[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"IGMPLevel"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"IGMPLevel"=dword:00000000;检查是否禁止IP源路由,建议丢弃所有接受的源路由包[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"DisableIPSourceRouting"=dword:00000002[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"DisableIPSourceRouting"=dword:00000002;禁止路由发现功能,ICMP路由通告报文可以被用来增加路由表纪录,可以导致攻击[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"PerformRouterDiscovery"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces]"PerformRouterDiscovery"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"PerformRouterDiscovery"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]"PerformRouterDiscovery"=dword:00000000;更改ping命令返回的默认TTL值。黑客可通过此值判断操作系统类型。[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"DefaultTTL"=dword:000000f0[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"DefaultTTL"=dword:000000f0;优化计算机在收到名称释放请求时是否释放其NETBIOS名称,使计算机免受恶意的名称释放攻击[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT\Parameters]"NoNameReleaseOnDemand"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]"NoNameReleaseOnDemand"=dword:00000001;优化TCP闲置链接检查时间,提升网络性能[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"KeepAliveTime"=dword:000493e0[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"KeepAliveTime"=dword:000493e0;禁止进行最大包长度路径检测。如开启该功能,攻击者可能将数据包强制分段,这会使堆栈不堪重负[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"EnablePMTUDiscovery"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"EnablePMTUDiscovery"=dword:00000000;优化TCP半连接数相关参数值,提升网络性能[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"TcpMaxHalfOpen"=dword:000001f4"TcpMaxHalfOpenRetried"=dword:00000190[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"TcpMaxHalfOpen"=dword:000001f4"TcpMaxHalfOpenRetried"=dword:00000190;设置TCP重传单个数据段的次数。缺省项值为5 ,缺省这过程消耗时间240秒。微软站点安全推荐为3[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"TcpMaxDataRetransmissions"=dword:00000002[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"TcpMaxDataRetransmissions"=dword:00000002;禁止转发IP多播数据包。多提数据包可能被多台主机响应.从而导致响应淹没网络[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"EnableMulticastForwarding"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"EnableMulticastForwarding"=dword:00000000;屏蔽网络拓扑结构细节↓防止攻击者利用主机响应来了解内部网络情况[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]"EnableAddrMaskReply"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"EnableAddrMaskReply"=dword:00000000;IPC空连接可以使连接者与目标主机建立一个空的连接而无需用户名与密码,存在风险建议关闭[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]"restrictanonymous"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"restrictanonymous"=dword:00000001;系统自动启服务共享 如:(C:$ D:$ Admin$)[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters]"AutoShareServer"=dword:00000000"AutoShareWks"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]"AutoShareServer"=dword:00000000"AutoShareWks"=dword:00000000;Windows Time服务无法启动而造成的时间无法同步问题[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]@="6""1"="time.windows.com""2"="time.nist.gov""3"="time-nw.nist.gov""4"="time-a.nist.gov""5"="time-b.nist.gov""6"="210.72.145.44"[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shell.Application\CurVer]

评论已关闭