I had some spare time recently and put together an initial-setup script for a web server, so I'm sharing it here. My skill is limited; if anyone spots an error, please point it out.
First the parent script (the name was picked at random, don't read anything into it)
@echo off
echo 本程序完成服务器初始安全设置,并安装必要的一些软件。如nod32、servU、金山ARP防火墙等。
echo 安装win2003后把远程桌面属性打上勾!检查是否已经安装好了iis,检查SP2补丁是否已经安装!改为每天3:00自动更新打补丁!在没有封好端口 之前不要连网!
pause
echo "打开win2003的防火墙功能,设置为只允许远程桌面,21,25,80,110等端口。并在高级里面>icmp>允许回显,这样允许 ping,方便调试!"
pause
echo "屏蔽端口,只允许21,80,1433,3389"
pause
md E:\bkup
md D:\wwwroot
md E:\bkup\logbkup
copy bat\bkup.bat E:\bkup
copy bat\path.txt E:\bkup
copy bat\webback.bks E:\bkup
echo 设置备份,并添加到计划任务
pause
echo 设置每周一运行网站目录的基本备份,备份文件包为backupA,并请输入管理员密码
schtasks /create /tn "WebbackA" /tr "C:\WINDOWS\system32\ntbackup.exe backup \"@E:\bkup\webback.bks\" /a /v:no /r:no /rs:no /hc:off /m normal /j \"aaaaa\" /l:s /f \"E:\bkup\BackupA.bkf\"" /sc weekly /mo 1 /d MON /st 01:30:00
echo 设置每周二至周日凌晨1点30分执行网站目录增量备份,备份文件包为backupB,输入管理员密码
schtasks /create /tn "WebbackB" /tr "C:\WINDOWS\system32\ntbackup.exe backup \"@E:\bkup\webback.bks\" /a /v:no /r:no /rs:no /hc:off /m incremental /j \"aaaaa\" /l:s /f \"E:\bkup\BackupB.bkf\"" /sc weekly /mo 1 /d TUE,WED,THU,FRI,SAT,SUN /st 01:30:00
echo 如需更换备份目录,请用记事本打开E:\bkup\webback.bks文件,可编辑网站目录
pause
echo 开始安装杀毒软件、ARP防火墙、WINRAR
exe\nod32.msi
exe\KAntiarp.exe
exe\WinRAR.exe
pause
echo "开始安装servU "
net user ftpu ssncn2008 /add
pause
exe\ServU.exe
exe\hx.exe
echo "设置注册表中HKLM\software\cat soft权限为servu完全控制,删除user,terimnal user对该项的控制.并将serv-u服务以ftpu身份运行,密码ssncn2008"
pause
call bat\system.bat
echo 打开IP安全策略,导入WEB服务器安全策略.ipsec.并指派
pause
echo 基本安全配置完成
pause
exit
Below is systemqx.bat
echo y|cacls.exe C:\ /p Administrators:f system:f
echo y|cacls.exe "C:\Program Files" /t /p Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Program Files\Common Files" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe c:\windows /p Administrators:f system:f
echo y|cacls.exe c:\windows\system32 /p Administrators:f system:f
echo y|cacls.exe C:\WINDOWS\system32\inetsrv /p Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Program Files\Dimac" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Program Files\Persits Software" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Program Files\Software Artisans" /t /g Administrators:f system:f everyone:r
echo y|cacls.exe "C:\Documents and Settings" /p Administrators:f system:f
echo y|cacls.exe "C:\Documents and Settings\All Users" /t /p Administrator:f system:f everyone:r
echo y|cacls.exe c:\php /t /p Administrators:f system:f everyone:r
echo y|cacls.exe c:\windows\temp /p everyone:f
echo y|cacls.exe D:\ /p Administrators:f system:f servU:f everyone:f
echo y|cacls.exe d:\tmp /p everyone:f
echo y|cacls.exe e:\ /p Administrators:f system:f
echo y|cacls.exe "C:\Program Files\Serv-U" /t /p Administrator:f servu:f
echo y|cacls.exe d:\download /p Administrators:f system:f
echo y|cacls.exe d:\wwwroot /p Administrators:f everyone:f
echo y|cacls.exe d:\serverUlog /p Administrators:f system:f servu:f
echo y|cacls.exe %systemroot%\system32\shell32.dll /p Administrators:f
echo y|cacls.exe %systemroot%\system32\wshom.ocx /p Administrators:f
echo y|cacls.exe c:\windows\system32\*.exe /p Administrators:f system:f
echo y|cacls.exe "c:\Documents and Settings\All Users" /e /g everyone:r
echo y|cacls.exe %systemroot%\system32\svchost.exe /e /g "network service":r
echo y|cacls.exe %systemroot%\system32\msdtc.exe /e /g "network service":r
echo y|cacls.exe %windir%\system32\mtxex.dll /e /g everyone:r
REM /p without /e REPLACES the whole ACL: after the lines below only the Administrator account can use these binaries; SYSTEM and the Administrators group have no access
echo y|cacls.exe c:\windows\system32\cmd.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\net1.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\sc.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\at.exe /p Administrator:f
echo y|cacls.exe %windir%\system32\dllhost.exe /e /g everyone:r
echo y|cacls.exe c:\windows\system32\netsh.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\cacls.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\cmdkey.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\ftp.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\tftp.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\reg.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\regedt32.exe /p Administrator:f
echo y|cacls.exe c:\windows\system32\regini.exe /p Administrator:f
echo y|cacls.exe %windir%\assembly /e /t /g "network service":r
echo y|cacls.exe %windir%\Microsoft.NET /e /t /g everyone:r
echo y|cacls.exe "%windir%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /g everyone:f
echo y|cacls.exe %windir%\system32\mscoree.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\ws03res.dll /e /g everyone:r
echo y|cacls.exe %windir%\system32\msxml*.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\urlmon.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\mlang.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\TAPI32.dll /e /g everyone:r
echo y|cacls.exe C:\WINDOWS\system32\WININET.dll /e /g everyone:r
cacls c:\windows\assembly /e /t /p "network service":r
cacls c:\windows\Microsoft.NET /e /t /p "network service":r
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /e /t /p "network service":f
cacls C:\WINDOWS\system32\mscoree.dll /e /g everyone:r
cacls C:\WINDOWS\system32\ws03res.dll /e /g everyone:r
cacls c:\WINDOWS /e /g "network service":r
if exist c:\windows cacls c:\windows /e /g "network service":r
cacls "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" /e /t /p "network service":f
cacls c:\ /e /g "network service":r
cacls d:\ /e /g "network service":r
cacls c:\windows\system32 /e /g "network service":r
cacls c:\windows\system32\rasapi32.dll /e /g "network service":r
del c:\inetpub
pause
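To see what the cacls lines above actually leave behind, here is an added Python linter (example code written for this page, not part of systemqx.bat) that parses cacls invocations and flags the three patterns worth reviewing: `/p` without `/e`, which replaces the entire ACL so any principal not named (SYSTEM in particular) loses access; `everyone:f`; and grants to the user `Administrator` rather than the group `Administrators`. The sample lines are constructed copies of a few commands from the script.

```python
import re

# Constructed sample lines that mirror cacls commands in systemqx.bat above.
SAMPLE_LINES = [
    r'echo y|cacls.exe c:\windows\system32 /p Administrators:f system:f',
    r'echo y|cacls.exe c:\windows\system32\cmd.exe /p Administrator:f',
    r'echo y|cacls.exe d:\wwwroot /p Administrators:f everyone:f',
    r'echo y|cacls.exe %windir%\system32\mtxex.dll /e /g everyone:r',
    r'cacls "C:\Program Files\Serv-U" /t /p Administrator:f servu:f',
    r'cacls c:\ /e /g "network service":r',
]

# A quoted token (plus anything glued to it, e.g. "network service":r) or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"\S*|\S+')


def parse_cacls(line):
    """Split one cacls command into path, switches and (mode, principal, perm) grants.

    Returns None for lines that are not cacls invocations.
    """
    cmd = line.strip()
    if cmd.lower().startswith('echo y|'):
        cmd = cmd.split('|', 1)[1]          # drop the auto-confirm prefix
    tokens = TOKEN_RE.findall(cmd)
    if len(tokens) < 2 or tokens[0].lower() not in ('cacls', 'cacls.exe'):
        return None
    path = tokens[1].strip('"')
    switches, grants, mode = set(), [], None
    for tok in tokens[2:]:
        if tok.startswith('/'):
            switch = tok[1:].lower()
            switches.add(switch)
            if switch in ('p', 'g', 'r', 'd'):   # the ACE-changing switches
                mode = switch
        elif mode in ('p', 'g'):                  # only /p and /g carry principal:perm
            principal, _, perm = tok.rpartition(':')
            grants.append((mode, principal.strip('"').lower(), perm.lower()))
    return {'path': path, 'switches': switches, 'grants': grants}


def lint_cacls(line):
    """Return the findings for one cacls line (empty list = nothing flagged)."""
    parsed = parse_cacls(line)
    if parsed is None:
        return []
    path = parsed['path']
    principals = {p for _, p, _ in parsed['grants']}
    findings = []
    # Without /e, /p replaces the whole ACL: every principal not listed loses access.
    if 'p' in parsed['switches'] and 'e' not in parsed['switches'] and 'system' not in principals:
        findings.append(f'{path}: ACL replaced without SYSTEM; services and the OS lose access')
    for _, principal, perm in parsed['grants']:
        if principal == 'everyone' and perm == 'f':
            findings.append(f'{path}: Everyone gets full control')
        if principal == 'administrator':
            findings.append(f'{path}: grants the user Administrator, not the group Administrators')
    return findings


def lint_script(lines):
    """Lint every line; returns {path: [findings]} for paths with at least one finding."""
    report = {}
    for line in lines:
        findings = lint_cacls(line)
        if findings:
            report.setdefault(parse_cacls(line)['path'], []).extend(findings)
    return report


if __name__ == '__main__':
    for path, findings in lint_script(SAMPLE_LINES).items():
        for finding in findings:
            print(finding)
```

Run it over the whole systemqx.bat to get a per-path list; the `/p Administrator:f` lines on cmd.exe, net.exe, sc.exe and friends and the `everyone:f` grant on d:\wwwroot are the ones it will report.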
serviceskill.bat (I have only listed a few here; in practice you can add or remove entries yourself)
echo "禁用未用系统服务,"
pause
net stop Browser
sc config Browser start= disabled
net stop lanmanserver
sc config lanmanserver start= disabled
net stop Dhcp
sc config Dhcp start= disabled
net stop Spooler
sc config Spooler start= disabled
net stop RemoteAccess
sc config RemoteAccess start= disabled
net stop Telnet
sc config telnet start= disabled
net stop HTTPFilter
sc config HTTPFilter start= disabled
net stop WZCSVC
sc config WZCSVC start= disabled
net stop Dfs
sc config Dfs start= disabled
net stop TrkSvr
sc config TrkSvr start= disabled
net stop ERSvc
sc config ERSvc start= disabled
net stop lanmanworkstation
sc config lanmanworkstation start= disabled
One thing that needs pointing out is the service name. At first I also assumed that whatever the services list shows is the name, and made a fool of myself. To see the real service name, open the service's properties; the [Service name] shown there is the real one. If you use the [Display name] instead, it has no effect and the script also reports an error.
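The pitfall described above, as an added Python helper (not from the original post): it reads the output of `sc query` (a constructed excerpt is embedded; on a real host it comes from `sc query type= service state= all`), maps display names to real service names, and only then emits the `net stop` / `sc config` pair, reporting names it cannot resolve instead of producing a command that fails. The display names in the sample are the English ones for these Windows Server 2003 services.

```python
import re

# Constructed excerpt in the format printed by "sc query type= service state= all".
SC_QUERY_OUTPUT = """
SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Return {service_name: display_name} from sc query output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^SERVICE_NAME:\s*(.+?)\s*$', line)
        if m:
            current = m.group(1)
            services[current] = None
            continue
        m = re.match(r'^DISPLAY_NAME:\s*(.+?)\s*$', line)
        if m and current is not None:
            services[current] = m.group(1)
    return services


def resolve_service(name, services):
    """Map a service name OR a display name to the real service name (case-insensitive).

    Returns None when the host has no such service.
    """
    wanted = name.strip().lower()
    for svc in services:                       # exact service name wins
        if svc.lower() == wanted:
            return svc
    for svc, display in services.items():      # otherwise accept the display name
        if display and display.lower() == wanted:
            return svc
    return None


def build_disable_commands(names, services):
    """Emit the net stop / sc config pair the post uses, keyed on the real service name.

    Unknown names are returned separately instead of silently becoming a broken command.
    """
    commands, unknown = [], []
    for name in names:
        svc = resolve_service(name, services)
        if svc is None:
            unknown.append(name)
            continue
        commands.append(f'net stop {svc}')
        commands.append(f'sc config {svc} start= disabled')
    return commands, unknown


if __name__ == '__main__':
    services = parse_sc_query(SC_QUERY_OUTPUT)
    cmds, unknown = build_disable_commands(
        ['Server', 'Workstation', 'Print Spooler', 'Telnet'], services)
    print('\n'.join(cmds))
    if unknown:
        print('not found on this host:', ', '.join(unknown))
```

Because the helper resolves against the live service table, a name that exists only as a display name ("Server") becomes `lanmanserver`, and a service not installed on the host (Telnet in the sample) is listed rather than stopped.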
There are also a few registry entries.
Remove the default shares:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
Flood attack protection (not guaranteed to stop it :P)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"AllowUnqualifiedQuery"=dword:00000000
"PrioritizeRecordData"=dword:00000001
"ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\
00,00,00,00
"SynAttackProtect"=dword:00000002
"EnablePMTUDiscovery"=dword:00000000
"NoNameReleaseOnDemand"=dword:00000001
"EnableDeadGWDetect"=dword:00000000
"KeepAliveTime"=dword:00300000
"PerformRouterDiscovery"=dword:00000000
"EnableICMPRedirects"=dword:00000000
Disable NetBIOS:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000004
Block remote registry access:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
Disable WebDAV:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
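Added Python decoder (not from the post) for the .reg snippets above: it handles `[key]` headers, `dword:` values, backslash line continuations and `hex(7):` REG_MULTI_SZ blobs, so the `ReservedPorts` bytes can be read back as the string they encode before the file is imported. The embedded .reg text is a constructed copy of values from the post.

```python
import re

# Constructed .reg text; values copied from the lanmanserver and Tcpip snippets above.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\
  00,00,00,00
"SynAttackProtect"=dword:00000002
"KeepAliveTime"=dword:00300000
"EnableICMPRedirect"=dword:00000000
"EnableICMPRedirects"=dword:00000000
'''


def _join_continuations(text):
    """Merge lines ending in a backslash (the .reg continuation marker)."""
    joined, buf = [], ''
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith('\\'):
            buf = buf[:-1]
            continue
        joined.append(buf)
        buf = ''
    if buf:
        joined.append(buf)
    return joined


def decode_value(value):
    """Decode the right-hand side of a .reg assignment into (type, python value)."""
    if value.startswith('dword:'):
        return ('REG_DWORD', int(value[len('dword:'):], 16))     # hex digits, not decimal
    if value.startswith('hex(7):'):
        data = bytes(int(b, 16) for b in value[len('hex(7):'):].split(',') if b)
        # REG_MULTI_SZ: UTF-16LE strings separated by NUL, terminated by a double NUL.
        strings = data.decode('utf-16-le').split('\0')
        return ('REG_MULTI_SZ', [s for s in strings if s])
    if value.startswith('hex:'):
        return ('REG_BINARY', bytes(int(b, 16) for b in value[len('hex:'):].split(',') if b))
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return ('REG_SZ', value[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    raise ValueError('unsupported value syntax: ' + value)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            raise ValueError('cannot parse line: ' + line)
        name, value = m.groups()
        result[current][name] = decode_value(value)
    return result


def value(parsed, key, name):
    """Convenience lookup returning just the decoded value."""
    return parsed[key][name][1]


if __name__ == '__main__':
    for key, values in parse_reg(REG_TEXT).items():
        print(key)
        for name, (kind, val) in values.items():
            print(f'  {name} ({kind}) = {val!r}')
```

Two things the decoded view makes obvious: dword values are hexadecimal, so `KeepAliveTime=dword:00300000` sets 3,145,728 ms (about 52 minutes), and the Tcpip block contains both `EnableICMPRedirect` and `EnableICMPRedirects`; the documented parameter name is `EnableICMPRedirect`, so the second line is simply an extra value TCP/IP never reads.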
The scheduled backup tasks I wrote above did not include the complete code; the complete versions are:
echo 设置每周一运行网站目录的基本备份,备份文件包为backupA,并请输入管理员密码
schtasks /create /tn "WebbackA" /tr "C:\WINDOWS\system32\ntbackup.exe backup \"@E:\bkup\webback.bks\" /a /v:no /r:no /rs:no /hc:off /m normal /j \"aaaaa\" /l:s /f \"E:\bkup\BackupA.bkf\"" /sc weekly /mo 1 /d MON /st 01:30:00
echo 设置每周二至周日凌晨1点30分执行网站目录增量备份,备份文件包为backupB,输入管理员密码
schtasks /create /tn "WebbackB" /tr "C:\WINDOWS\system32\ntbackup.exe backup \"@E:\bkup\webback.bks\" /a /v:no /r:no /rs:no /hc:off /m incremental /j \"aaaaa\" /l:s /f \"E:\bkup\BackupB.bkf\"" /sc weekly /mo 1 /d TUE,WED,THU,FRI,SAT,SUN /st 01:30:00
echo 如需更换备份目录,请用记事本打开E:\bkup\webback.bks文件,可编辑网站目录