Automatic import of local Group Policy and security policy
http://blog.csdn.net/wzsy/article/details/5754894
Yesterday I received a request: the company requires a set of mandatory security policies to be deployed on its servers, and for servers that are not domain-joined a convenient way of deploying them is wanted.
First, pick out the items in the policy that can be implemented through Group Policy or the local security policy, as in the following table (a partial example):
No. | Requirement
1 | "Password must meet complexity requirements" set to "Enabled"
2 | "Maximum password age" set to "90 days"
3 | "Account lockout threshold" set to 6 or fewer invalid logon attempts
4 | "Force shutdown from a remote system" assigned only to the Administrators group
5 | "Shut down the system" assigned only to the Administrators group
6 | "Take ownership of files or other objects" assigned only to the Administrators group
7 | "Audit logon events" set to audit both success and failure
8 | "Audit policy change" set to audit both success and failure
9 | "Audit object access" set to audit both success and failure
10 | "Audit directory service access" set to audit both success and failure
11 | "Audit directory service access" set to audit both success and failure
12 | "Audit system events" set to audit both success and failure
13 | "Audit account management" set to audit both success and failure
14 | "Audit process tracking" set to audit failure
15 | "Microsoft network server: Amount of idle time required before suspending session" set to 15 minutes
16 | Enable the screen saver, set the wait time to 5 minutes, and require a password on resume
17 | "Turn off AutoPlay" on all drives
The first 15 items in the table are security policy settings; item 16 belongs to the Computer Configuration part of Group Policy and item 17 to the User Configuration part. The analysis and testing below cover the Windows 2003 platform only.
1. Security policy can be deployed with the following steps:
:: On a test machine, use gpedit.msc to change the policy manually (for example the first 15 items of the table), then export the current policy with the following command
secedit /export /cfg Sec.inf
:: Edit Sec.inf in a text editor and remove everything that does not need to be adjusted, keeping only the policy settings being customized
For the 15 policies in the table, the resulting INF file contains:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 6
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
:: Generate the SDB database file with the command
secedit /configure /db Sec.sdb /cfg Sec.inf
:: Apply the custom policy to the target server with the following command. Do not use the /overwrite parameter, otherwise every policy setting other than the custom ones is lost
secedit /configure /db Sec.sdb
:: Refresh Group Policy
gpupdate /force
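Once Sec.sdb has been applied, a practitioner usually wants to confirm that the target server really carries the baseline (and to catch later drift). The following Python script is an added example, not code from the original post: it parses the INI-like format that secedit /export /cfg writes and reports every baseline setting the export does not satisfy. Both INF texts are constructed inline; BASELINE_INF repeats the values from the table above and EXPORTED_INF imitates a server whose lockout threshold, privilege-use auditing and remote-shutdown grantees have drifted.

```python
"""Compare a `secedit /export /cfg` dump with the baseline Sec.inf.

Added example, not code from the original post. Both INF texts are
constructed inline: BASELINE_INF carries the values from the table above,
EXPORTED_INF imitates a server that has drifted from them.
"""

BASELINE_INF = """\
[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 6
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""

# Constructed drift: lockout threshold raised to 10, privilege-use auditing
# switched off, and Server Operators (S-1-5-32-549) also granted remote shutdown.
EXPORTED_INF = """\
[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse secedit's INI-like INF into {section: {key: value}}.
    Section and key names are lower-cased (secedit treats them
    case-insensitively); values are kept verbatim."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        data[section][key.strip().lower()] = value.strip()
    return data


def find_drift(baseline_text, exported_text):
    """Return (section, key, expected, actual) for every baseline setting the
    export does not satisfy. Privilege rights are compared as SID sets, so a
    different order is fine but an extra grantee is reported."""
    baseline, exported = parse_inf(baseline_text), parse_inf(exported_text)
    drift = []
    for section, settings in baseline.items():
        for key, expected in settings.items():
            actual = exported.get(section, {}).get(key)
            if section == "privilege rights" and actual is not None:
                same = set(actual.split(",")) == set(expected.split(","))
            else:
                same = actual == expected
            if not same:
                drift.append((section, key, expected, "<missing>" if actual is None else actual))
    return drift


if __name__ == "__main__":
    # On a real server run `secedit /export /cfg export.inf` and pass that
    # file's text here instead of EXPORTED_INF (secedit writes it as UTF-16).
    for section, key, expected, actual in find_drift(BASELINE_INF, EXPORTED_INF):
        print(f"[{section}] {key}: expected {expected!r}, found {actual!r}")
```

Settings that the export contains but the baseline does not mention (the [Version] section here) are ignored, which matches the post's advice to keep only the customized settings in Sec.inf; a key missing from the export is reported as "<missing>" so a setting that was never written does not pass silently.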
2. Applying the other Group Policy settings
I have previously studied using the Gpcvreg and Gpscript command-line programs to apply Group Policy and wrote an AutoIt3 UDF for it, which can be put to use here.
Use gpedit.msc on the test machine to modify policies 16 and 17. Without closing gpedit.msc, use regedit to inspect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects, work out the corresponding registry settings, and save them into .reg files:
Machine.reg, turning off AutoPlay on all drives:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
User.reg, customizing the screen saver settings:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="SCRNSAVE.SCR"
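Before pushing Machine.reg and User.reg into the local GPO with the UDF, it is worth checking what they would actually set. The following Python script is an added example, not code from the original post or from Poledit.au3: it parses the two .reg files, decodes the REG_DWORD bit mask and checks the values against requirements 16 and 17. The .reg texts are constructed inline to mirror the two files above; the key paths EXPLORER_KEY and DESKTOP_KEY are the ones the files themselves name.

```python
"""Decode the policy .reg files and check the values they would apply.

Added example, not from the original post or the Poledit.au3 UDF. The two
.reg texts are constructed inline and mirror Machine.reg and User.reg above.
"""
import re

MACHINE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

USER_REG = r"""
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="SCRNSAVE.SCR"
"""

# One value line of a .reg file: "name"=dword:xxxxxxxx or "name"="text"
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9A-Fa-f]{8})|"(?P<text>.*)")$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.
    REG_DWORD becomes int, REG_SZ stays str; the optional
    'Windows Registry Editor' header and other types are skipped."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            data.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            if m.group("dword") is not None:
                data[key][m.group("name")] = int(m.group("dword"), 16)
            else:
                data[key][m.group("name")] = m.group("text")
    return data


EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"


def autorun_disabled_everywhere(machine_reg):
    """Requirement 17: NoDriveTypeAutoRun is a bit mask over drive types, and
    0xFF (every bit set) is what 'Turn off AutoPlay: All drives' writes."""
    value = parse_reg(machine_reg).get(EXPLORER_KEY, {}).get("NoDriveTypeAutoRun", 0)
    return value & 0xFF == 0xFF


def screensaver_policy_ok(user_reg, max_wait_seconds=300):
    """Requirement 16: screen saver active, password protected on resume,
    wait time at most 5 minutes. The values are REG_SZ, so the timeout is
    converted before comparing; a non-numeric timeout fails the check."""
    desk = parse_reg(user_reg).get(DESKTOP_KEY, {})
    try:
        wait = int(desk.get("ScreenSaveTimeOut", "0"))
    except ValueError:
        return False
    return (desk.get("ScreenSaveActive") == "1"
            and desk.get("ScreenSaverIsSecure") == "1"
            and 0 < wait <= max_wait_seconds)


if __name__ == "__main__":
    print("AutoPlay off on all drives:", autorun_disabled_everywhere(MACHINE_REG))
    print("Screen saver policy meets requirement 16:", screensaver_policy_ok(USER_REG))
```

The same two checks can be pointed at a regedit export from a target machine to confirm that the policy keys were written, which is independent of whether the UDF or gpedit.msc put them there.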
3. Batch application script
With the Sec.sdb, Machine.reg and User.reg files in place, together with the previously written Poledit.au3 UDF, the following short script is all that is needed to apply the policies listed above automatically.
#RequireAdmin
#NoTrayIcon
#include "Poledit.au3"
; Import the security policy database built earlier with secedit, if it is present
If FileExists("Sec.sdb") Then RunWait(@ComSpec & " /C secedit /configure /db Sec.sdb", @ScriptDir, @SW_HIDE)
; Write the registry policy files into the local GPO (machine and user halves)
_RegWriteToPol("Machine.reg", "Machine", 1)
_RegWriteToPol("User.reg")
; Refresh Group Policy so the new settings take effect
_GPUpdate()