win2003权限.doc

首先，配置系统盘下（如：c盘）的权限（已经将IIS的默认文件夹删除）1系统盘：选中系统盘，属性，安全选项卡，删掉除了administrators和system组的其他组或者用户。2Program Files ：右键文件夹-选择属性-选择“安全”选项卡-点击“高级”选项-选中“允许父项”和“用在此显示”-点击“复制”-点击确定，退出高级安全设置-把安全选项卡中除了administrators和system组之外的组或者用户删除高级安全设置效果如下：3Program Files/Common File/users : 进入到program files下的common file文件夹下面，找到system添加users，默认的权限即可。所谓默认权限就是你添加这个用户系统自动授予这个用户对于操作文件夹或者文件的权限。（可能有人要问为什么要给这个文件夹设置users的权限？答：这个部分里面有一些dll文件是asp中createobject的时候需要的）4Documents and Settings：进入系统盘，选中Documents and Settings文件夹右键，删除掉除了administrator、system、power users组之外的其他用户或者组。进入到Documents and Settings文件夹里面，administrator这个文件夹的权限无需设置。ALL users文件夹，进入到高级选项选择“用在此显示的可以应用到子对象的目录替代所有子对象的权限项目”，确定，到安全选项卡下面删掉除了 administrator和system之外的其他用户组和用户，点击确定。Default users文件夹，进入到高级选项选择“用在此显示的可以应用到子对象的目录替代所有子对象的权限项目”，确定，到安全选项卡下面删掉除了 administrator、system、power users之外的其他用户组和用户，点击确定。5Windows : 右键文件夹-选择属性-选择“安全”选项卡-删除掉除了administrator和system之外的用户-点击确定。6Windows/temp : 右键文件夹-选择属性-选择“安全”选项卡-添加users组-设置users组只具有读取、写入的权限。7其他根目录下的文件夹：右键文件夹-选择属性-选择“安全”选项卡-点击“高级”选项-选中“允许父项”和“用在此显示”-点击“复制”-点击确定，退出高级安全设置-把“安全”选项卡中除了administrators和system组之外的组或者用户删除8批处理：接下来的是一些特殊文件夹、文件的权限，一些服务的修改，危险组件的删除。批处理的部分最后附上下面的保存为*.bat或者直接从我提供的下载的地方下载即可。复制代码 代码如下:echo off ECHO. ECHO. ECHO. ECHo. ECHo windows2003NTFS加固脚本 ECHo. ECHO. ECHO. ECHO. ECHO. - ECHo 请按提示操作备份好注册表,否则修改后无法还原,本人不负责. ECHO. ECHO YES=next set NO=exit (this time 30 Second default for n) ECHO. - CHOICE /T 30 /C yn /D n if errorlevel 2 goto end if errorlevel 1 goto next :next if EXIST backup (echo.)else md backup if EXIST temp (rmdir /s/q temp|md temp) else md temp if EXIST backupbackupkey.reg (move backupbackupkey.reg backupbackupkey_old.reg ) else goto run :run regedit /e tempbackup-reg1.key1 HKEY_LOCAL_MACHINESYSTEMCurrentControlSet regedit /e tempbackup-reg2.key2 HKEY_CLASSES_ROOT copy /b /y /v tempbackup-reg1.key1+tempbackup-reg2.key2 backupbackupkey.reg if exist backupwshom.ocx (echo 备份已存在) else copy /v/y %SystemRoot%System32wshom.ocx backupwshom.ocx if exist backupshell32.dll (echo 备份已存在) else copy /v/y %SystemRoot%system32shell32.dll backupshell32.dll ECHO 备份已经完成 ECHO. goto next2 :next2 ECHO. ECHO. - ECHo 修改权限system32目录中不安全的几个exe文件,改为只有Administrators才有权限运行 ECHO YES=next set NO=this set ignore (this time 30 Second default for y) ECHO. - CHOICE /T 30 /C yn /D y if errorlevel 2 goto next3 if errorlevel 1 goto next21 :next21 echo y|cacls.exe %SystemRoot%system32net.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32net1.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32cmd.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32tftp.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32netstat.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32regedit.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32at.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32attrib.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32cacls.exe /g Administrators:F echo y|cacls.exe %SystemRoot% /g Administrators:F echo y|cacls.exe %SystemDrive%boot.ini /g Administrators:F echo y|cacls.exe %SystemDrive%AUTOEXEC.BAT /g Administrators:F echo y|cacls.exe %SystemRoot%/system32ftp.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32secedit.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32gpresult.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32gpupdate.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32logoff.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32shutdown.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32telnet.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32wscript.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32doskey.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32help.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32ipconfig.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32nbtstat.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32print.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32debug.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32regedt32.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32reg.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32register.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32replace.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32nwscript.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32share.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32ping.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32ipsec6.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32netsh.exe /g Administrators:F echo y|cacls.exe %SystemRoot% /g Administrators:F echo y|cacls.exe %SystemRoot%system32route.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32tracert.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32powercfg.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32nslookup.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32arp.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32rsh.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32netdde.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32mshta.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32mountvol.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32setx.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32find.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32where.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32finger.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32regsvr32.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32sc.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32shadow.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32runas.exe /g Administrators:F echo y|cacls.exe %SystemRoot%PCHealthHelpCtrBinariesmsconfig.exe /g Administrators:F echo y|cacls.exe %SystemRoot%notepad.exe /g Administrators:F echo y|cacls.exe %SystemRoot%regedit.exe /g Administrators:F echo y|cacls.exe %SystemRoot%winhelp.exe /g Administrators:F echo y|cacls.exe %SystemRoot%winhlp32.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32edlin.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32posix.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32atsvc.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32qbasic.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32runonce.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32syskey.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32cscript.exe /g Administrators:F echo y|cacls.exe %SystemRoot%system32sethc.exe /g Administrators:F echo C盘权限设定 cacls %SystemRoot%/Registration /r everyone /e echo 删除C盘的windows目录下的create owner的权限 cd/ cacls %SystemRoot%/repair /r create owner /e cacls %SystemRoot%/system32 /r create owner /e cacls %SystemDrive%/system32/config /r create owner /e cacls %SystemRoot%/system32/wbem /r create owner /e echo 删除WINDOWS文件夹下面的power users的权限 cacls %SystemRoot%/repair /r Power Users /e cacls %SystemRoot%/system32 /r Power Users /e cacls %SystemDrive%/system32/config /r Power Users /e cacls %SystemRoot%/system32/wbem /r Power Users /e echo 删除WINDOWS下users的访问权限 cacls %SystemRoot%/addins /r users /e cacls %SystemRoot%/AppPatch /r users /e cacls %SystemRoot%/Connection Wizard /r users /e cacls %SystemRoot%/Debug /r users /e cacls %SystemRoot%/Driver Cache /r users /e cacls %SystemRoot%/Help /r users /e cacls %SystemRoot%/IIS Temporary Compressed Files /r users /e cacls %SystemRoot%/java /r users /e cacls %SystemRoot%/msagent /r users /e cacls %SystemRoot%/mui /r users /e cacls %SystemRoot%/repair /r users /e cacls %SystemRoot%/Resources /r users /e cacls %SystemRoot%/security /r users /e cacls %SystemRoot%/system /r users /e cacls %SystemRoot%/TAPI /r users /e cacls %SystemRoot%/Temp /r users /e cacls %SystemRoot%/twain_32 /r users /e cacls %SystemRoot%/Web /r users /e cacls %SystemRoot%/system32/3com_dmi /r users /e cacls %SystemRoot%/system32/administration /r users /e cacls %SystemRoot%/system32/Cache /r users /e cacls %SystemRoot%/system32/CatRoot2 /r users /e cacls %SystemRoot%/system32/Com /r users /e cacls %SystemRoot%/system32/config /r users /e cacls %SystemRoot%/system32/dhcp /r users /e cacls %SystemRoot%/system32/drivers /r users /e cacls %SystemRoot%/system32/export /r users /e cacls %SystemRoot%/system32/icsxml /r users /e cacls %SystemRoot%/system32/lls /r users /e cacls %SystemRoot%/system32/LogFiles /r users /e cacls %SystemRoot%/system32/MicrosoftPassport /r users /e cacls %SystemRoot%/system32/mui /r users /e cacls %SystemRoot%/system32/oobe /r users /e cacls %SystemRoot%/system32/ShellExt /r users /e cacls %SystemRoot%/system32/wbem /r users /e goto next3 :next3 ECHO. ECHO. ECHO. - ECHo 禁止不必要的服务,如果要退出请按Ctrl+C ECHO YES=next set NO=this set ignore (this time 30 Second default for y) ECHO. - CHOICE /T 30 /C yn /D y if errorlevel 2 goto next4 if errorlevel 1 goto next31 :next31 echo Windows Registry Editor Version 5.00 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanworkstation tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesAlerter tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesBrowser tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDfs tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesScheduler tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLmHosts tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTlntSvr tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteAccess tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNtmsSvc tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteRegistry tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTrkWks tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesERSvc tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMessenger tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetLogon tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetLogon tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetDDE tempServices.reg echo Start=dword:00000004 tempServices.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetDDEdsdm tempServices.reg echo Start=dword:00000004 tempServices.reg regedit /s tempServices.reg ECHO. goto next4 :next4 ECHO. ECHO. - ECHo 防止人侵和攻击. 如果要退出请按Ctrl+C ECHO YES=next set NO=this set ignore (this time 30 Second default for y) ECHO. - CHOICE /T 30 /C yn /D y if errorlevel 2 goto next5 if errorlevel 1 goto next41 :next41 echo Windows Registry Editor Version 5.00 tempskyddos.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters tempskyddos.reg echo EnableDeadGWDetect=dword:00000000 tempskyddos.reg echo EnableICMPRedirects=dword:00000000 tempskyddos.reg echo PerformRouterDiscovery=dword:00000000 tempskyddos.reg echo NoNameReleaseOnDemand=dword:00000001 tempskyddos.reg echo KeepAliveTime=dword:000493e0 tempskyddos.reg echo EnablePMTUDiscovery=dword:00000000 tempskyddos.reg echo SynAttackProtect=dword:00000002 tempskyddos.reg echo TcpMaxHalfOpen=dword:00000064 tempskyddos.reg echo TcpMaxHalfOpenRetried=dword:00000050 tempskyddos.reg echo TcpMaxConnectResponseRetransmissions=dword:00000001 tempskyddos.reg echo TcpMaxDataRetransmissions=dword:00000003 tempskyddos.reg echo TCPMaxPortsExhausted=dword:00000005 tempskyddos.reg echo DisableIPSourceRouting=dword:0000002 tempskyddos.reg echo TcpTimedWaitDelay=dword:0000001e tempskyddos.reg echo EnableSecurityFilters=dword:00000001 tempskyddos.reg echo TcpNumConnections=dword:000007d0 tempskyddos.reg echo TcpMaxSendFree=dword:000007d0 tempskyddos.reg echo IGMPLevel=dword:00000000 tempskyddos.reg echo DefaultTTL=dword:00000016 tempskyddos.reg echo 删除IPC$(Internet Process Connection)是共享“命名管道”的资源 echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa tempskyddos.reg echo restrictanonymous=dword:00000001 tempskyddos.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfacesinterfaces tempskyddos.reg echo PerformRouterDiscovery=dword:00000000 tempskyddos.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBTParameters tempskyddos.reg echo BacklogIncrement=dword:00000003 tempskyddos.reg echo MaxConnBackLog=dword:000003e8 tempskyddos.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesAfdParameters tempskyddos.reg echo EnableDynamicBacklog=dword:00000001 tempskyddos.reg echo MinimumDynamicBacklog=dword:00000014 tempskyddos.reg echo MaximumDynamicBacklog=dword:00002e20 tempskyddos.reg echo DynamicBacklogGrowthDelta=dword:0000000a tempskyddos.reg echo HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters tempskyddos.reg echo autoshareserver=dword:00000000 tempskyddos.reg regedit /s tempskyddos.reg ECHO. ECHO. goto next5 :next5 ECHO. ECHO. - ECHo 防止ASP木马运行 卸除WScript.Shell, Shell.application, WScript.Network ECHO YES=next set NO=this set ignore (this time 30 Second default for y) ECHO. - CHOICE /T 30 /C yn /D y if errorlevel 2 goto next6 if errorlevel 1 goto next51 :next51 echo Windows Registry Editor Version 5.00 tempdel.reg echo -HKEY_CLASSES_ROOTShell.Application tempdel.reg echo -HKEY_CLASSES_ROOTShell.Application.1 tempdel.reg echo -HKEY_CLASSES_ROOTCLSID13709620-C279-11CE-A49E-444553540000 tempdel.reg echo -HKEY_CLASSES_ROOTADODB.CommandCLSID tempdel.reg echo -HKEY_CLASSES_ROOTCLSID00000566-0000-0010-8000-00AA006D2EA4 tempdel.reg regedit /s tempdel.reg regsvr32 /u %SystemRoot%system32wshom.ocx del /f/q %SystemRoot%System32wshom.ocx regsvr32 /u %SystemRoot%system32shell32.dll del /f/q %SystemRoot%System32shell32.dll rmdir /q/s temp ECHO. goto next6 :next6 ECHO. ECHO. ECHO. - ECHo 设置已经完成重启后才能生效. ECHO YES=reboot server NO=exit (this time 60 Second default for y) ECHO. - CHOICE /T 30 /C yn /D y if errorlevel 2 goto end if errorlevel 1 goto reboot :reboot shutdown /r /t 0 :end if EXIST temp (rmdir /s/q temp|exit) else exit一、系统的安装、按照Windows2003安装光盘的提示安装，默认情况下2003没有把IIS6.0安装在系统里面。、IIS6.0的安装开始菜单控制面板添加或删除程序添加/删除Windows组件应用程序 ASP.NET（可选）|启用网络 COM+ 访问（必选）|Internet 信息服务(IIS)Internet 信息服务管理器（必选） |公用文件（必选） |万维网服务Active Server pages（必选） |Internet 数据连接器（可选） |WebDAV 发布（可选） |万维网服务（必选） |在服务器端的包含文件（可选）然后点击确定下一步安装。（具体见本文附件1）、系统补丁的更新点击开始菜单所有程序Windows Update按照提示进行补丁的安装。、备份系统用GHOST备份系统。、安装常用的软件例如：杀毒软件、解压缩软件等；安装完毕后,配置杀毒软件,扫描系统漏洞,安装之后用GHOST再次备份系统。6、先关闭不需要的端口 开启防火墙 导入IPSEC策略在” 网络连接”里，把不需要的协议和服务都删掉，这里只安装了基本的Internet协议（TCP/IP），由于要控制带宽流量服务，额外安装了Qos数据包计划程序。在高级tcp/ip设