Security lock down script

Script

As always, the code presented here is for instructional purposes. These scripts will most likely need to be modified to run in your environment. Also, as I believe firmly in "re-usable code", you may find pieces of your scripts incorporated into mine. If so, and you would like credit, use the "email me" link and let me know; I'll be happy to add your name. Likewise, if you use my code in a public forum, please give me credit.

NOTE: You can copy and paste the code below to a text file, just change the extension to ".wbt" so it will run in Winbatch.

About This Script

This utility was written to lock down systems as they were being built and for engineers to run when they visited systems. It was written for NT and 2000 systems but can easily be updated for 2003. The security measures it implements are taken from the NSA's web site. It is mainly an example of the kind of thing you can do to make your IT department more efficient and automated.


Addextender("WWWNT34I.DLL")   ; WinBatch NT extender, needed for the wntUser* calls in REG6

:top
; Read the current LM/NTLM compatibility level so the dialog can display it.
J=RegExistValue(@REGMACHINE,"System\CurrentControlSet\Control\LSA[LMCompatibilityLevel]")
If J==@TRUE
   key1=RegOpenkey(@REGMACHINE,"System\CurrentControlSet\Control\LSA")
   NTLM=RegQueryValue(key1,"[LMCompatibilityLevel]")
   RegCloseKey(key1)
else
   NTLM="not set"   ; value absent: without this the dialog's VARYTEXT would reference an undefined variable
endif

MyDialogFormat=`WWWDLGED,6.1`

MyDialogCaption=`Security LockDown by Chuck Arconi`
MyDialogX=143
MyDialogY=061
MyDialogWidth=416
MyDialogHeight=318
MyDialogNumControls=044
MyDialogProcedure=`DEFAULT`
MyDialogFont=`DEFAULT`
MyDialogTextColor=`DEFAULT`
MyDialogBackground=`DEFAULT,DEFAULT`
MyDialogConfig=0

MyDialog001=`241,205,064,012,PUSHBUTTON,DEFAULT,"Run Tool",1,1,32,DEFAULT,DEFAULT,DEFAULT`
MyDialog002=`041,233,112,010,STATICTEXT,DEFAULT,"to anonymous users but will minimize leakage.",DEFAULT,2,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog003=`023,027,136,012,STATICTEXT,DEFAULT,"Sets the level for NTLM authentication that is allowed.",DEFAULT,3,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog004=`039,285,064,012,EDITBOX,reg2rst,"enter value 1 or 2",DEFAULT,4,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog005=`319,205,064,012,PUSHBUTTON,DEFAULT,"Exit",9,5,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog006=`035,223,140,008,STATICTEXT,DEFAULT,"1 will still permit certain information to be made available",DEFAULT,6,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog007=`021,015,056,012,CHECKBOX,Reg1,"NTLM Lockdown",1,7,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog008=`023,207,090,012,CHECKBOX,Reg2,"Prevent Null Session connection",2,8,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog009=`023,163,108,012,CHECKBOX,reg3,"Prevent the LM Hash from Being Stored",3,9,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog010=`227,015,088,012,CHECKBOX,reg4,"Prevent remote Registry access",4,10,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog011=`131,205,064,012,PUSHBUTTON,DEFAULT,"3. Read Description",3,11,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog012=`131,163,064,012,PUSHBUTTON,DEFAULT,"2. Read Description",2,12,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog013=`131,013,064,012,PUSHBUTTON,DEFAULT,"1. Read Description",5,13,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog014=`031,177,076,008,STATICTEXT,DEFAULT,"( Windows 2000 and XP only )",DEFAULT,14,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog015=`061,057,036,012,VARYTEXT,NTLM,"Current level",DEFAULT,15,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog016=`023,057,036,012,STATICTEXT,DEFAULT,"Current level:",DEFAULT,16,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog017=`023,073,158,012,STATICTEXT,DEFAULT,"0 - Send LM response and NTLM response; never use NTLMv2",DEFAULT,17,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog018=`023,085,158,012,STATICTEXT,DEFAULT,"1 - Use NTLMv2 session security if negotiated",DEFAULT,18,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog019=`023,097,158,012,STATICTEXT,DEFAULT,"2 - Send NTLM authentication only",DEFAULT,19,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog020=`023,109,158,012,STATICTEXT,DEFAULT,"3 - Send NTLMv2 authentication only",DEFAULT,20,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog021=`023,121,158,012,STATICTEXT,DEFAULT,"4 - DC refuses LM authentication",DEFAULT,21,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog022=`023,133,168,012,STATICTEXT,DEFAULT,"5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)",DEFAULT,22,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog023=`079,041,064,012,EDITBOX,NTLM00,"enter value 1 to 5",DEFAULT,23,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog024=`023,043,054,008,STATICTEXT,DEFAULT,"Set NTLM security to:",DEFAULT,24,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog025=`035,249,148,012,STATICTEXT,DEFAULT,"2 is for Windows 2000 and XP and will bar anonymous users",DEFAULT,25,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog026=`039,259,146,012,STATICTEXT,DEFAULT,"from all information where explicit access has not been grant-",DEFAULT,26,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog027=`039,269,086,012,STATICTEXT,DEFAULT,"-ed to them or the Everyone group.",DEFAULT,27,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog028=`325,015,064,012,PUSHBUTTON,DEFAULT,"4. Read Description",6,36,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog029=`229,047,072,012,CHECKBOX,reg5,"Run IIS Lockdown Tool",5,37,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog030=`229,075,084,012,CHECKBOX,reg6,"Change local admin account",6,40,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog031=`327,075,064,012,PUSHBUTTON,DEFAULT,"6. Read Description",8,42,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog032=`229,105,080,012,CHECKBOX,reg7,"Set auditing for base objects",9,43,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog033=`229,117,120,012,CHECKBOX,reg8,"Set auditing for backup and restore privileges",10,44,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog034=`327,103,064,012,PUSHBUTTON,DEFAULT,"7. Read Description",11,49,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog035=`229,145,090,012,CHECKBOX,reg9,"Restrict printer driver installation",13,50,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog036=`327,145,064,012,PUSHBUTTON,DEFAULT,"8. Read Description",12,52,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog037=`015,005,198,148,GROUPBOX,DEFAULT,"(1)",DEFAULT,28,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog038=`015,155,198,036,GROUPBOX,DEFAULT,"(2)",DEFAULT,31,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog039=`015,193,198,112,GROUPBOX,DEFAULT,"(3)",DEFAULT,33,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog040=`217,005,184,030,GROUPBOX,DEFAULT,"(4)",DEFAULT,45,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog041=`217,037,184,026,GROUPBOX,DEFAULT,"(5)",DEFAULT,46,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog042=`217,065,184,028,GROUPBOX,DEFAULT,"(6)",DEFAULT,39,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog043=`217,095,184,038,GROUPBOX,DEFAULT,"(7)",DEFAULT,41,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog044=`217,135,184,030,GROUPBOX,DEFAULT,"(8)",DEFAULT,38,DEFAULT,DEFAULT,DEFAULT,DEFAULT`

; Dialog() returns the value of the push button that closed it (1 = Run Tool, 9 = Exit,
; the others are the numbered "Read Description" buttons).
ButtonPushed=Dialog("MyDialog")

If ButtonPushed==3
runwait("notepad.exe","NullSession.txt")
goto top
endif
If ButtonPushed==5
runwait("notepad.exe","LMHashing.txt")
goto top
endif
If ButtonPushed==6
runwait("notepad.exe","RegistryAccess.txt")
goto top
endif
If ButtonPushed==2
runwait("notepad.exe","NoHashSave.txt")
goto top
endif
If ButtonPushed==8
message('Account Rename','This will rename the built-in "Administrator" account to "defaultuser" and create a new dummy account named "Administrator" using the password set in the script.')
goto top
endif
If ButtonPushed==11
line1="Certain programming objects (i.e., base named objects) are not audited by default when auditing of object and file access is enabled."
line2="%@CRLF%Likewise, the Backup and Restore user rights are not audited by default when use of user rights auditing is enabled."
line3="%@CRLF%If you turn this auditing on, it will generate a large volume of event log entries when a backup or restore is done."
line4="%@CRLF%Adjust the size of your security event log if you enable this auditing."
line5="%@CRLF%"
line6="%@CRLF%WARNING: Making this change can result in a very large volume of event log messages, making it difficult for you to find legitimate events of interest."
line7="%@CRLF%Don't do this unless you think it's necessary to track an exposure."
line=Strcat(line1,line2,line3,line4,line5,line6,line7)
message("Auditing",line)
goto top
endif
If ButtonPushed==12
pline1="Restrict printer driver installation to Administrators only."
pline2="%@CRLF%Who can add printer drivers is controlled by the value of a registry entry."
pline3="%@CRLF%The value should be set to 1 to allow only administrators to install printer drivers on servers and domain controllers."
pline=Strcat(pline1,pline2,pline3)
message("Restrict Printer Driver",pline)
goto top
endif
If ButtonPushed==9 then EXIT
; Each CHECKBOX variable holds its control value when ticked (Reg1=1, Reg2=2, reg3=3 ... reg9=13) and 0 when not.
If Reg1==1
   ; Validate the NTLM level before writing it; the dialog asks for 1 to 5.
   If !IsNumber(NTLM00) || NTLM00<1 || NTLM00>5
      message("NTLM Lockdown","Enter a value from 1 to 5 for the NTLM level.")
      goto top
   endif
   gosub REG1
endif
If Reg2==2
   ; RestrictAnonymous accepts 1 or 2 (2 is Windows 2000/XP only, as the dialog explains).
   If !IsNumber(reg2rst) || reg2rst<1 || reg2rst>2
      message("Null Session","Enter 1 or 2 for RestrictAnonymous.")
      goto top
   endif
   gosub REG2
endif
If Reg3==3 then gosub REG3
If Reg4==4 then gosub REG4
If Reg5==5 then gosub REG5
If Reg6==6 then gosub REG6
If Reg7==9 then gosub REG7
If Reg8==10 then gosub REG8
If Reg9==13 then gosub REG9
gosub deflts
; Clean up the IIS Lockdown executable if it was shipped alongside the script.
If FileExist("iislockd.exe") then filedelete("iislockd.exe")
message("SecureLockDown","Lock Down Completed")
EXIT

:REG1 ;NTLM Level
RegSetEx(@REGMACHINE,"System\CurrentControlSet\Control\LSA[LMCompatibilityLevel]",NTLM00, "", 4)
return

:REG2 ;Restrict anonymous access / Null Session
RegSetEx(@REGMACHINE,"System\CurrentControlSet\Control\LSA[RestrictAnonymous]",reg2rst, "", 4)
return

:REG3 ;LM Hashing
; Windows 2000 (SP2 and later) looks for a NoLMHash *subkey* under LSA, while Windows XP/2003
; use a NoLMHash REG_DWORD value of 1. Create both so either platform is covered. Note that
; LM hashes already stored remain until each account's password is next changed.
key3=RegOpenkey(@REGMACHINE,"System\CurrentControlSet\Control\LSA")
key31=RegCreateKey(key3,"NoLMHash")
RegCloseKey(key31)
RegCloseKey(key3)
RegSetEx(@REGMACHINE,"System\CurrentControlSet\Control\LSA[NoLMHash]","1", "", 4)
return

:REG4 ; NO remote Registry Access
; The existence of the SecurePipeServers\winreg key (and its ACL) is what limits remote
; registry access; the Description value is the standard content Windows puts there.
key4=RegOpenkey(@REGMACHINE,"System\CurrentControlSet\Control")
key41=RegCreateKey(key4,"SecurePipeServers")
key42=RegCreateKey(key41,"winreg")
RegSetValue(@REGMACHINE, "System\CurrentControlSet\Control\SecurePipeServers\winreg[Description]","Registry Server")
RegCloseKey(key42)
RegCloseKey(key41)
RegCloseKey(key4)
return

:REG5 ;IIS Lock Down Tool
; Expects Microsoft's iislockd.exe in the script's working directory; /Q runs it unattended.
If FileExist("iislockd.exe")
   RunWait("iislockd.exe","/Q")
else
   message("IIS Lockdown","iislockd.exe not found in the working directory; skipping.")
endif
return

:REG6 ;Change local admin account
; The NT extender is already loaded at the top of the script.
; Rename the built-in Administrator (it keeps its well-known RID 500 whatever its name),
; then create a plain "Administrator" account as a decoy.
wntUserRename("","administrator","defaultuser")
wntUserAddDat("name", "Administrator")
wntUserAddDat("full_name", "Administrator")
wntUserAddDat("flags", 1)                         ; UF_SCRIPT, the normal flag for a local account
wntUserAddDat("acct_expires", "0000:00:00:00:00:00")
wntUserAddDat("password", "yourPassword")          ; placeholder: replace before use, never leave a real password in the script
wntUserAdd("")
return

:REG7 ;Set auditing (if object access auditing is enabled) for base named objects
RegSetEx(@REGMACHINE,"SYSTEM\CurrentControlSet\Control\Lsa[AuditBaseObjects]","1", "", 4)
return

:REG8 ;Set auditing (if privilege use auditing is enabled) for the Backup and Restore privileges
RegSetEx(@REGMACHINE,"SYSTEM\CurrentControlSet\Control\Lsa[FullPrivilegeAuditing]","1", "", 4)
return

:REG9
;***Restrict printer driver installation to Administrators only ***
RegSetEx(@REGMACHINE,"system\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers[AddPrintDrivers]","1", "", 4)
return

:DEFLTS
; Settings applied on every run regardless of the checkboxes.

;***Remove Shutdown button from logon dialog ***
; The Winlogon values below are REG_SZ on NT/2000, so they are written with type 1.
RegSetEx(@REGMACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon[ShutdownWithoutLogon]","0", "", 1)

;***Restrict untrusted users' ability to plant Trojan horse programs ***
;RegHandle=RegOpenKey(@RegCurrent,"system\CurrentControlSet\Control\LSA")
;Ok=wntAccessAdd("",RegHandle,"RestrictAnonymous",401,"Reg:Full")
;RegCloseKey(RegHandle)

;***Set the paging file to be cleared at system shutdown ***
RegSetEx(@REGMACHINE,"system\CurrentControlSet\Control\Session Manager\Memory Management[ClearPageFileAtShutdown]","1", "", 4)

;***Restrict floppy drive and CD-ROM drive access to the interactive user only ***
RegSetEx(@REGMACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon[AllocateFloppies]","1", "", 1)
RegSetEx(@REGMACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon[AllocateCdRoms]","1", "", 1)

;***Hide the name of the last logged-in user ***
RegSetEx(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\winlogon[DontDisplayLastUserName]","1", "", 1)

return
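As an added read-only check (not code from the original page or its author), this PowerShell audit reads back the registry values the WinBatch script writes and flags any that differ from the hardened value, so you can verify a build after the tool has run. It assumes a current Windows host where Get-LocalUser is available for the account-name check.

```powershell
# Added audit example, not part of the original WinBatch script. Reads the values the
# lockdown script sets and reports which still differ. Run from an elevated prompt.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlog = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
    @{ Path = $lsa;    Name = 'LMCompatibilityLevel';    Want = 1..5 }   # dialog accepts 1 to 5
    @{ Path = $lsa;    Name = 'RestrictAnonymous';       Want = 1, 2 }   # dialog accepts 1 or 2
    @{ Path = $lsa;    Name = 'NoLMHash';                Want = 1 }
    @{ Path = $lsa;    Name = 'AuditBaseObjects';        Want = 1 }
    @{ Path = $lsa;    Name = 'FullPrivilegeAuditing';   Want = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
       Name = 'AddPrintDrivers';         Want = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Want = 1 }
    @{ Path = $winlog; Name = 'ShutdownWithoutLogon';    Want = 0 }
    @{ Path = $winlog; Name = 'AllocateFloppies';        Want = 1 }
    @{ Path = $winlog; Name = 'AllocateCdRoms';          Want = 1 }
    @{ Path = $winlog; Name = 'DontDisplayLastUserName'; Want = 1 }
)
$results = foreach ($c in $checks) {
    try {
        $raw = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
        $cur = "$raw"      # REG_SZ "1", REG_DWORD 1 and REG_BINARY 01 all stringify to "1"
    } catch { $cur = '<missing>' }
    [pscustomobject]@{
        Setting = $c.Name
        Current = $cur
        Status  = if (($c.Want | ForEach-Object { "$_" }) -contains $cur) { 'OK' } else { 'REVIEW' }
    }
}
# REG4 in the script creates SecurePipeServers\winreg; its presence is what limits remote registry access.
$hasWinreg = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$results += [pscustomobject]@{ Setting = 'SecurePipeServers\winreg key'
                               Current = if ($hasWinreg) { 'present' } else { 'absent' }
                               Status  = if ($hasWinreg) { 'OK' } else { 'REVIEW' } }
# REG6 renames the built-in administrator; the RID-500 account keeps its SID whatever it is called.
try {
    $admin = Get-LocalUser -ErrorAction Stop | Where-Object { $_.SID.Value -like '*-500' }
    $results += [pscustomobject]@{ Setting = 'RID-500 account name'; Current = $admin.Name
                                   Status  = if ($admin.Name -eq 'Administrator') { 'REVIEW' } else { 'OK' } }
} catch { Write-Warning 'Get-LocalUser unavailable (LocalAccounts module); skipping account check.' }
$results | Format-Table -AutoSize
```

A REVIEW row for LMCompatibilityLevel or RestrictAnonymous only means the value is outside the range the dialog offers; pick the level that fits the host's role rather than treating every REVIEW as a failure.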