安全检查脚本结果如下图:
脚本代码如下:
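# Windows security baseline check - account policy section.
#
# Exports the local security policy with secedit, parses the key=value pairs
# once, evaluates each baseline item from a table and appends one row per item
# to checkresults.csv (space separated, identical layout to the console output).
#
# Globals left for code that may follow this section:
#   $cvsfile          hashtable, key 'cvsfilec' -> array of per-item log hashtables
#   $call/$ct/$cf/$cm  total / passed / failed / manual counters
#   $cvslog           log hashtable of the most recently evaluated item
$cvsfile = @{"cvsfilec"=@()}
$cfgPath = "wbl.cfg"
$resultPath = "checkresults.csv"

#######################################
# Read the secedit export into a key -> value hashtable (case-insensitive).
# Only the first '=' separates key and value so values that themselves contain
# '=' survive; the export writes "Key = Value", so both sides are trimmed.
# Returns an empty table when the file is missing, which makes every item
# report Manual instead of crashing.
#######################################
function Read-PolicyExport {
    param([string]$Path)
    $policy = @{}
    if (-not (Test-Path -Path $Path)) { return $policy }
    foreach ($line in (Get-Content -Path $Path)) {
        $parts = $line -split '=', 2
        if ($parts.Count -eq 2) {
            $policy[$parts[0].Trim()] = $parts[1].Trim()
        }
    }
    return $policy
}

# A stale export from an earlier run must not be mistaken for current policy:
# secedit needs an elevated shell and silently writes nothing without one.
Remove-Item -Path $cfgPath -ErrorAction SilentlyContinue
secedit /export /cfg $cfgPath /quiet
if (-not (Test-Path -Path $cfgPath)) {
    Write-Warning "secedit export produced no $cfgPath (run from an elevated shell); every item will be reported as Manual"
}
# NOTE: wbl.cfg contains the machine's full local security policy and, as in
# the original script, is left in the working directory after the run.

Write-Host "*******************************************************************************"
Write-Host " Windows 安全基线检查 "
Write-Host " True 检查通过 "
Write-Host " Fail 检查失败或不通过 "
Write-Host " Manual 需手工检查 "
Write-Host "*******************************************************************************"

# counters
$call = 0
$ct = 0
$cf = 0
$cm = 0

# result header (appended: re-running the script adds a second header row, as before)
echo "基线大类 安全基线项目名称 级别 标准值 检查值 符合性" >> $resultPath
echo "基线大类 安全基线项目名称 级别 标准值 检查值 符合性"

$policy = Read-PolicyExport -Path $cfgPath

# Baseline items. Levels and standard values are those of the original script.
# The secedit key behind each label is corrected here: LockoutBadCount is the
# lockout threshold (帐户锁定阈值), LockoutDuration the lockout duration
# (帐户锁定时间) and ResetLockoutCount the counter reset interval
# (重置帐户锁定计数器); the original rows had these three rotated.
#   Key      - name in the [System Access] section of the export
#   Passes   - scriptblock receiving the [int] value, $true when compliant
#   Display  - optional scriptblock (raw value, pass flag) -> text for the 检查值 column
$items = @(
    @{ Key = 'MinimumPasswordLength'; Category = '账户策略'; Name = '密码长度最小值'
       Level = '必选'; Standard = '>=8'; Passes = { param($v) $v -ge 8 } }
    @{ Key = 'PasswordComplexity'; Category = '账户策略'; Name = '密码必须符合复杂性要求'
       Level = '必选'; Standard = '已启动'; Passes = { param($v) $v -ge 1 }
       Display = { param($v, $ok) if ($ok) { '已启动' } else { '已禁用' } } }
    # secedit exports "password never expires" as -1 (the GUI shows 0); a bare
    # "<= 90" test would pass that, so anything below 1 day fails.
    @{ Key = 'MaximumPasswordAge'; Category = '账户策略'; Name = '密码最长使用期限'
       Level = '必选'; Standard = '<=90'; Passes = { param($v) ($v -ge 1) -and ($v -le 90) } }
    @{ Key = 'PasswordHistorySize'; Category = '账户策略'; Name = '强制密码历史'
       Level = '必选'; Standard = '>=5'; Passes = { param($v) $v -ge 5 } }
    # NOTE(review): ">=5" is the standard value the original script printed for
    # the threshold; a higher threshold allows more failed attempts before
    # lockout, so confirm the direction against the baseline document.
    @{ Key = 'LockoutBadCount'; Category = '账户策略'; Name = '帐户锁定阈值'
       Level = '必选'; Standard = '>=5'; Passes = { param($v) $v -ge 5 } }
    @{ Key = 'ResetLockoutCount'; Category = '账户策略'; Name = '重置帐户锁定计数器'
       Level = '可选'; Standard = '5'; Passes = { param($v) $v -eq 5 } }
    @{ Key = 'LockoutDuration'; Category = '账户策略'; Name = '帐户锁定时间'
       Level = '必选'; Standard = '>=5'; Passes = { param($v) $v -ge 5 } }
)

foreach ($item in $items) {
    $call++
    $raw = $policy[$item.Key]
    $value = 0
    if ($null -eq $raw -or $raw -eq '') {
        # key absent from the export (or export failed): needs a manual look
        $shown = 'null'
        $result = 'Manual'
        $cm++
    } elseif (-not [int]::TryParse($raw, [ref]$value)) {
        # present but not numeric: show what was found rather than throwing on a cast
        $shown = $raw
        $result = 'Manual'
        $cm++
    } else {
        $ok = & $item.Passes $value
        $shown = $raw
        if ($item.Display) { $shown = & $item.Display $raw $ok }
        if ($ok) { $result = 'True'; $ct++ } else { $result = 'Fail'; $cf++ }
    }

    # same row layout as before: space separated with a trailing space
    $row = "$($item.Category) $($item.Name) $($item.Level) $($item.Standard) $shown $result "
    echo $row >> $resultPath
    echo $row

    $cvslog = @{}
    $cvslog[$result] = "$($item.Category) $($item.Name) $($item.Standard) $shown $result"
    $cvsfile['cvsfilec'] += $cvslog
}

其他检查项目,可参考以上代码添加。检查项参考 secedit 输出的文件内容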
