files : hardening.bat

tasks : main.yml

# Windows OS Extra Hardening main.yml  
# bat 파일 다운받아 실행
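---
# Windows OS Extra Hardening
# Copies the extra_hardening directory to each Windows host and runs the
# hardening.bat it contains, then prints what the script wrote.
- name: Windows OS Extra Hardening
  hosts: windows_srv, windows_ws
  strategy: free
  tasks:
    - name: Copy files
      win_copy:
        src: ./extra_hardening
        dest: ./

    # The batch file runs every reg/netsh command unconditionally and its exit
    # status is that of the LAST command only, so rc == 0 does not mean every
    # setting was applied. reg.exe reports failures on stderr, which the
    # original play never displayed; both streams are shown below so a failed
    # line is visible in the run output.
    # NOTE(review): confirm hardening.bat is resolved relative to chdir and
    # not only to the connection user's working directory.
    - name: Extra hardening
      win_command: hardening.bat
      args:
        chdir: .\\extra_hardening
      register: extra_hardening_out

    - name: Show hardening output
      debug:
        var: extra_hardening_out.stdout_lines

    - name: Show hardening errors (reg.exe/netsh failures land here)
      debug:
        var: extra_hardening_out.stderr_lines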

# hardening.bat 

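@ECHO OFF
:: hardening.bat - Windows extra hardening, run by the Ansible play.
:: Every command runs unconditionally: a failing reg/netsh call prints an
:: error and the script carries on, and the exit status of the whole file is
:: that of the last command only. Some settings (RunAsPPL, NoDriveTypeAutoRun)
:: only take effect after a reboot.

:: #1 Prevent Kerberos from using DES or RC4
:: #1-1. 2147483640 = 0x7ffffff8: DES-CBC-CRC (0x1), DES-CBC-MD5 (0x2) and
::       RC4-HMAC (0x4) cleared; AES128 (0x8), AES256 (0x10) and the "future
::       encryption types" bits stay set.
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 2147483640 /f

:: #2-2. Turn off LLMNR so multicast name lookups cannot be answered by a
::       spoofing host to capture NTLM hashes. The "Turn off multicast name
::       resolution" policy is enabled by EnableMulticast = 0; the earlier
::       value of 1 left LLMNR switched on, the opposite of the intent.
::       NBT-NS (NetBIOS name service) is not disabled by this script.
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
:: #2-3. Disable smart multi-homed name resolution (DNS queries are not sent
::       over every interface in parallel).
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
:: #2-4. Do not send A and AAAA queries in parallel.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters" /v DisableParallelAandAAAA /t REG_DWORD /d 1 /f
:: #2-5. IGMPLevel 0: no IGMP multicast membership (no multicast send/receive).
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" /v IGMPLevel /t REG_DWORD /d 0 /f
:: #2-6. Drop source-routed packets on IPv4 and IPv6 (2 = highest protection).
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
:: #2-7. Ignore ICMP redirects (routing-table tampering / MITM).
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
:: #2-8. Disable the SMBv1 server side of the LanmanServer service.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
:: #2-9. Restrict null-session (anonymous) access to the SMB server.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 1 /f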

REM #3 UAC controls
REM #3-1. Keep UAC enabled (admin-approval prompt on elevation).
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v "EnableLUA" /t REG_DWORD /d 1 /f
REM #3-2. UAC file and registry write virtualisation: writes by legacy apps
REM       to protected locations are redirected to per-user stores. This is
REM       NOT Virtualization Based Security (VBS); VBS is not configured here.
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v "EnableVirtualization" /t REG_DWORD /d 1 /f
REM #3-3. Prompt for consent on the secure desktop on elevation - left
REM       disabled in the original and kept that way.
REM reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f
REM #3-4. Keep mark-of-the-web on downloaded files: SaveZoneInformation = 2
REM       is the "Do not preserve zone information" policy in its Disabled
REM       state, so zone data is saved and SmartScreen/attachment checks apply.
REM       NOTE(review): this attachment-manager policy is documented under the
REM       user hive; confirm the HKLM location is honoured on the target build.
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d 2 /f

REM #4-1. Keep DEP on for Explorer (NoDataExecutionPrevention = 0).
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
REM #4-2. Keep "terminate Explorer on heap corruption" enabled
REM       (NoHeapTerminationOnCorruption = 0); the value does not disable it.
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer" /v "NoHeapTerminationOnCorruption" /t REG_DWORD /d 0 /f

REM #5-1. Block HTTP printing and web-based (HTTP) printer driver download.
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers" /v "DisableHTTPPrinting" /t REG_DWORD /d 1 /f
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers" /v "DisableWebPnPDownload" /t REG_DWORD /d 1 /f
REM #5-2. Wi-Fi: no OEM auto-connect to open hotspots; minimise simultaneous
REM       connections to several networks.
reg add "HKLM\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy" /v "fMinimizeConnections" /t REG_DWORD /d 1 /f
REM       NetBT: ignore NetBIOS name-release requests. Not a Wi-Fi setting;
REM       it is kept in this group as the original had it.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters" /v "NoNameReleaseOnDemand" /t REG_DWORD /d 1 /f
REM #5-3. Restrict NTLM traffic: 2 = deny all incoming and all outgoing NTLM
REM       authentication. Anything still relying on NTLM (local accounts over
REM       the network, workgroup hosts, some appliances) stops working.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0" /v "RestrictReceivingNTLMTraffic" /t REG_DWORD /d 2 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0" /v "RestrictSendingNTLMTraffic" /t REG_DWORD /d 2 /f

REM Whitelist IPS for NTLM usage
REM       No exception list is configured here. Permitted targets would go in
REM       the "Add server exceptions for NTLM authentication" policy
REM       (ClientAllowedNTLMServers under the same MSV1_0 key).
REM Strengthen the authentication scheme (NTLM hardening, no anonymous access)
REM #6-1. Minimum NTLM session security: NTLMv2 session security (0x00080000)
REM       plus 128-bit encryption (0x20000000) = 0x20080000 = 537395200.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0" /v "NTLMMinServerSec" /t REG_DWORD /d 537395200 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0" /v "NTLMMinClientSec" /t REG_DWORD /d 537395200 /f
REM #6-2. No fallback to a null session when NTLM authentication fails.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA\\MSV1_0" /v "allownullsessionfallback" /t REG_DWORD /d 0 /f
REM #6-3. Anonymous access restrictions (SAM enumeration, shares, and
REM       Everyone no longer includes anonymous).
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "EveryoneIncludesAnonymous" /t REG_DWORD /d 0 /f
REM #6-4. Remote SAM access for Administrators only (SDDL) and use the
REM       machine identity for NTLM on local-system connections.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "RestrictRemoteSAM" /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "UseMachineId" /t REG_DWORD /d 1 /f
REM #6-5. Local accounts with blank passwords may only log on at the console.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "LimitBlankPasswordUse" /t REG_DWORD /d 1 /f
REM #6-6. Disable WPAD proxy auto-detection.
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad" /v "WpadOverride" /t REG_DWORD /d 1 /f

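:: Enable SMB/LDAP Signing
:: Require and enable SMB signing on both the workstation (client) and the
:: server side to defeat SMB relay and in-transit tampering.
reg add "HKLM\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKLM\\System\\CurrentControlSet\\Services\\LanmanWorkStation\\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f

:: 1- Negotiated; 2-Required
:: #7-1. Require LDAP server signing. Only the NTDS service on a domain
::       controller reads this; on the member servers and workstations the
::       play targets it merely creates an unused NTDS\Parameters key.
reg add "HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Parameters" /v "LDAPServerIntegrity" /t REG_DWORD /d 2 /f
:: #7-2. LDAP client signing: 1 = negotiate signing (Windows clients).
::       The value name used to carry a trailing space ("LDAPClientIntegrity ")
::       and so created an unrelated value the LDAP client never reads.
reg add "HKLM\\System\\CurrentControlSet\\Services\\ldap" /v "LDAPClientIntegrity" /t REG_DWORD /d 1 /f

:: Enforce NTLMv2 and refuse NTLM and LM authentication
:: LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLM responses.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f

:: Prevent unencrypted passwords being sent to third-party SMB servers
:: Can impact access to consumer-grade file shares / NAS but it's a recommended setting
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters" /v EnablePlainTextPassword /t REG_DWORD /d 0 /f

:: Prevent guest logons to SMB servers
:: Can impact access to consumer-grade file shares / NAS but it's a recommended setting
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation" /v AllowInsecureGuestAuth /t REG_DWORD /d 0 /f

:: Prevent (remote) DLL Hijacking
:: #8-1. CWDIllegalInDllSearch: as documented by Microsoft, 0x2 only blocks
::       DLL loads from the current working directory when that directory is
::       a WebDAV share; 0x1 also covers UNC shares and 0xFFFFFFFF removes the
::       CWD from the search order entirely. The value is kept at the author's
::       0x2 - raise it only after checking applications that load DLLs from
::       their CWD.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x2 /f
:: #8-2. SafeDllSearchMode 1: search the system directories before the CWD.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" /v SafeDLLSearchMode /t REG_DWORD /d 1 /f
:: #8-3. ProtectionMode 1: strengthen the default DACL on shared system
::       objects (e.g. the KnownDLLs object directory) so non-admin users
::       cannot replace them.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" /v ProtectionMode /t REG_DWORD /d 1 /f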

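:: Disable (c|w)script.exe to prevent the system from running VBS scripts
:: Windows Script Host (WSH). The HKCU writes only affect the account this
:: script runs as (the Ansible connection user), so WSH is also switched off
:: machine-wide under HKLM; the per-user values are kept as well.
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKCU\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKCU\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" /v ActiveDebugging /t REG_SZ /d 1 /f
reg add "HKCU\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" /v DisplayLogo /t REG_SZ /d 1 /f
reg add "HKCU\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" /v SilentTerminate /t REG_SZ /d 0 /f
reg add "HKCU\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" /v UseWINSAFER /t REG_SZ /d 1 /f

:: Harden lsass to help protect against credential dumping (Mimikatz)
:: Configures lsass.exe as a protected process and disables wdigest
:: Enables delegation of non-exported credentials which enables support for Restricted Admin Mode or Remote Credential Guard
:: #9-1. LSASS hardening. AuditLevel 8 audits plug-ins/drivers that would
::       not load under LSA protection; RunAsPPL 1 turns LSA protection on
::       (effective after a reboot).
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
::       Keep Restricted Admin mode available, and block outbound use of
::       credentials from Restricted Admin sessions.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 00000001 /f
:: #9-2. WDigest: do not keep plaintext credentials in LSASS memory.
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" /v Negotiate /t REG_DWORD /d 0 /f
:: #9-3. Allow delegation of non-exportable credentials (Restricted Admin /
::       Remote Credential Guard) so RDP sessions do not expose reusable creds.
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f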

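:: OUTBOUND FW rules
:: Enable Windows Firewall and configure some advanced options
:: Block Win32/64 binaries (LOLBins) from making net connections when they shouldn't
:: Turns the firewall on for all profiles, then adds outbound block rules for
:: living-off-the-land binaries so they cannot act as downloaders or beacons.
:: Only TCP is covered; UDP from these binaries is not.
:: "netsh advfirewall firewall add rule" is not idempotent: every run of this
:: script adds another copy of each rule. If the play is re-run, delete the
:: rules by name first ("netsh advfirewall firewall delete rule name=...") or
:: check for them with "netsh advfirewall firewall show rule name=...".

:: #10-1. Firewall on for all profiles
netsh Advfirewall set allprofiles state on

:: #10-2. LOLBin outbound block rules - start
:: NOTE(review): regasm.exe normally ships under the Windows Microsoft.NET
:: Framework directories rather than system32/SysWOW64; verify the two regasm
:: paths below, otherwise those rules match nothing.
netsh advfirewall firewall add rule name="Block appvlp.exe netconns" program="C:\\Program Files (x86)\\Microsoft Office\\root\\client\\AppVLP.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\\system32\\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\\system32\\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cmstp.exe netconns" program="%systemroot%\\system32\\cmstp.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\\system32\\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block esentutl.exe netconns" program="%systemroot%\\system32\\esentutl.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block expand.exe netconns" program="%systemroot%\\system32\\expand.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block extrac32.exe netconns" program="%systemroot%\\system32\\extrac32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block findstr.exe netconns" program="%systemroot%\\system32\\findstr.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\\system32\\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block makecab.exe netconns" program="%systemroot%\\system32\\makecab.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\\system32\\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block msiexec.exe netconns" program="%systemroot%\\system32\\msiexec.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block nltest.exe netconns" program="%systemroot%\\system32\\nltest.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\\system32\\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block pcalua.exe netconns" program="%systemroot%\\system32\\pcalua.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block print.exe netconns" program="%systemroot%\\system32\\print.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\\system32\\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block replace.exe netconns" program="%systemroot%\\system32\\replace.exe" protocol=tcp dir=out enable=yes action=block profile=any
:: rpcping.exe was only blocked in its SysWOW64 copy; the 64-bit copy in
:: system32 is covered here so both halves of the list match.
netsh advfirewall firewall add rule name="Block rpcping.exe netconns" program="%systemroot%\\system32\\rpcping.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block rundll32.exe netconns" program="%systemroot%\\system32\\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\\system32\\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block scriptrunner.exe netconns" program="%systemroot%\\system32\\scriptrunner.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block SyncAppvPublishingServer.exe netconns" program="%systemroot%\\system32\\SyncAppvPublishingServer.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wmic.exe netconns" program="%systemroot%\\system32\\wbem\\wmic.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\\system32\\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regasm.exe netconns" program="%systemroot%\\system32\\regasm.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block odbcconf.exe netconns" program="%systemroot%\\system32\\odbcconf.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regasm.exe netconns" program="%systemroot%\\SysWOW64\\regasm.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block odbcconf.exe netconns" program="%systemroot%\\SysWOW64\\odbcconf.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block appvlp.exe netconns" program="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\\SysWOW64\\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\\SysWOW64\\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cmstp.exe netconns" program="%systemroot%\\SysWOW64\\cmstp.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\\SysWOW64\\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block esentutl.exe netconns" program="%systemroot%\\SysWOW64\\esentutl.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block expand.exe netconns" program="%systemroot%\\SysWOW64\\expand.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block extrac32.exe netconns" program="%systemroot%\\SysWOW64\\extrac32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block findstr.exe netconns" program="%systemroot%\\SysWOW64\\findstr.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\\SysWOW64\\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block makecab.exe netconns" program="%systemroot%\\SysWOW64\\makecab.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\\SysWOW64\\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block msiexec.exe netconns" program="%systemroot%\\SysWOW64\\msiexec.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block nltest.exe netconns" program="%systemroot%\\SysWOW64\\nltest.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\\SysWOW64\\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block pcalua.exe netconns" program="%systemroot%\\SysWOW64\\pcalua.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block print.exe netconns" program="%systemroot%\\SysWOW64\\print.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\\SysWOW64\\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block replace.exe netconns" program="%systemroot%\\SysWOW64\\replace.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block rpcping.exe netconns" program="%systemroot%\\SysWOW64\\rpcping.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block rundll32.exe netconns" program="%systemroot%\\SysWOW64\\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\\SysWOW64\\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block scriptrunner.exe netconns" program="%systemroot%\\SysWOW64\\scriptrunner.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block SyncAppvPublishingServer.exe netconns" program="%systemroot%\\SysWOW64\\SyncAppvPublishingServer.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wmic.exe netconns" program="%systemroot%\\SysWOW64\\wbem\\wmic.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\\SysWOW64\\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
:: #10-2. LOLBin outbound block rules - end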

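:: #11-1. Force advanced (subcategory) audit policy to override the legacy
::        Local Policies > Audit Policy categories. Without this value set to
::        1 the advanced audit settings pushed by GPO are not applied.
::        The legacy policies under Security Settings > Local Policies >
::        Audit Policy are ignored once this is on.
::        TODO(author): confirm which audit subcategories are actually
::        configured on these hosts - this value alone enables no auditing.
::        (The two notes above used to start with "#", which cmd.exe tries to
::        run as a command; batch comments are "::" or REM.)
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
:: #11-2. PowerShell logging. Module logging only records events when
::        ModuleNames lists the modules to log; "*" logs all of them. The
::        previous version set EnableModuleLogging without ModuleNames, which
::        produces no module-logging events at all.
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging\\ModuleNames" /v * /t REG_SZ /d * /f
reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f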

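:: Disable AutoRun
:: #12-1. NoDriveTypeAutoRun 0xff: AutoRun off for every drive type,
::        machine-wide and for the current user; takes effect after a reboot.
reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
:: #13-1. Open script-type files (.bat, .cmd, .js, .jse, .hta, .chm, .vbs,
::        .wsf, ...) in notepad.exe instead of executing them on double-click.
::        Inside a batch file "%1" is the script's own first argument and
::        expands to "" when hardening.bat runs without arguments, so the
::        stored command was  notepad.exe ""  and the clicked file was never
::        passed; "%%1" writes a literal %1 into the association.
::        NOTE(review): mscfile also covers MMC consoles (services.msc,
::        eventvwr.msc, ...), regfile covers .reg imports and urlfile covers
::        .url shortcuts - all of these now open in notepad; confirm that is
::        intended for the targeted servers and workstations.
ftype batfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype chmfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype cmdfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype htafile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype jsefile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype jsfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype vbefile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype vbsfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype wscfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype wsffile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype wsfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype wshfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype sctfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype urlfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype regfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype wcxfile="%systemroot%\\system32\\notepad.exe" "%%1"
ftype mscfile="%systemroot%\\system32\\notepad.exe" "%%1"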
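:: #14-1. Remove autostart registry entries (malware persistence).
::        "/va" deletes EVERY value under the key, legitimate ones included
::        (endpoint agents and vendor tools register here too) - review the
::        keys or switch to an allow-list before running on production hosts.
::        Missing keys make reg.exe print an error and continue; that is
::        expected for the legacy RunServices* keys.
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /va /f
reg delete HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /va /f
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /va /f
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup /va /f
:: "Common Startup" is a value under the "Shell Folders" key (it holds the
:: path of the all-users Startup folder), not a key: the old unquoted
:: "reg delete ...\Shell Folders\Common Startup /va" failed on the space in
:: the path, and deleting that value would only break Startup-folder
:: resolution. Clear the Startup folder's contents instead if that is wanted.
:: reg delete "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" /va /f
:: Active Setup persistence lives in per-component subkeys (StubPath); "/va"
:: only clears values directly on this key. The path has to be quoted because
:: of the spaces - unquoted, reg.exe rejected the command as invalid syntax.
reg delete "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" /va /f
:: The legacy "load" autostart is a value under Windows NT\CurrentVersion\Windows
:: (the key name contains a space; "WindowsNT" does not exist, so the old
:: line never matched anything).
reg delete "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" /v load /f
:: Winlogon\Userinit is a value, not a key, and "WindowsNT" is not a real key
:: name, so the old "reg delete ...\WindowsNT\...\Winlogon\Userinit /va" did
:: nothing. Deleting Userinit breaks interactive logon (the author's own
:: concern: "logon problems possible - verify logon still works"). If
:: appended persistence must be stripped, reset the value to its default
:: after confirming that default on a clean reference host, e.g.:
:: reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v Userinit /t REG_SZ /d "C:\\Windows\\system32\\userinit.exe," /f
:: Legitimate services and programs may be registered in the keys below as
:: well; distinguish expected entries and restrict new registrations rather
:: than wiping everything (security agents register here too).
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx /va /f
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices /va /f
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce /va /f
reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run /va /f
reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run /va /f

:: Reference - last year's outbound firewall policy; re-enable only after
:: agreeing it with the other teams. (This note used to start with "#",
:: which cmd.exe tries to execute as a command.)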

:: OUTBOUND FW rules
:: Enable Windows Firewall and configure some advanced options
:: Block Win32/64 binaries (LOLBins) from making net connections when they shouldn't
@REM netsh Advfirewall set allprofiles state on
@REM netsh advfirewall firewall add rule name="Block appvlp.exe netconns" program="C:\\Program Files (x86)\\Microsoft Office\\root\\client\\AppVLP.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\\system32\\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\\system32\\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block cmstp.exe netconns" program="%systemroot%\\system32\\cmstp.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\\system32\\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block esentutl.exe netconns" program="%systemroot%\\system32\\esentutl.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block expand.exe netconns" program="%systemroot%\\system32\\expand.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block extrac32.exe netconns" program="%systemroot%\\system32\\extrac32.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block findstr.exe netconns" program="%systemroot%\\system32\\findstr.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\\system32\\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block makecab.exe netconns" program="%systemroot%\\system32\\makecab.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\\system32\\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block msiexec.exe netconns" program="%systemroot%\\system32\\msiexec.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block nltest.exe netconns" program="%systemroot%\\system32\\nltest.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\\system32\\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block pcalua.exe netconns" program="%systemroot%\\system32\\pcalua.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block print.exe netconns" program="%systemroot%\\system32\\print.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\\system32\\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block replace.exe netconns" program="%systemroot%\\system32\\replace.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block rundll32.exe netconns" program="%systemroot%\\system32\\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\\system32\\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block scriptrunner.exe netconns" program="%systemroot%\\system32\\scriptrunner.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block SyncAppvPublishingServer.exe netconns" program="%systemroot%\\system32\\SyncAppvPublishingServer.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block wmic.exe netconns" program="%systemroot%\\system32\\wbem\\wmic.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\\system32\\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block regasm.exe netconns" program="%systemroot%\\system32\\regasm.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block odbcconf.exe netconns" program="%systemroot%\\system32\\odbcconf.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block regasm.exe netconns" program="%systemroot%\\SysWOW64\\regasm.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block odbcconf.exe netconns" program="%systemroot%\\SysWOW64\\odbcconf.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block appvlp.exe netconns" program="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\\SysWOW64\\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\\SysWOW64\\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block cmstp.exe netconns" program="%systemroot%\\SysWOW64\\cmstp.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\\SysWOW64\\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block esentutl.exe netconns" program="%systemroot%\\SysWOW64\\esentutl.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block expand.exe netconns" program="%systemroot%\\SysWOW64\\expand.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block extrac32.exe netconns" program="%systemroot%\\SysWOW64\\extrac32.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block findstr.exe netconns" program="%systemroot%\\SysWOW64\\findstr.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\\SysWOW64\\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block makecab.exe netconns" program="%systemroot%\\SysWOW64\\makecab.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\\SysWOW64\\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block msiexec.exe netconns" program="%systemroot%\\SysWOW64\\msiexec.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block nltest.exe netconns" program="%systemroot%\\SysWOW64\\nltest.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\\SysWOW64\\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block pcalua.exe netconns" program="%systemroot%\\SysWOW64\\pcalua.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block print.exe netconns" program="%systemroot%\\SysWOW64\\print.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\\SysWOW64\\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block replace.exe netconns" program="%systemroot%\\SysWOW64\\replace.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block rpcping.exe netconns" program="%systemroot%\\SysWOW64\\rpcping.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block rundll32.exe netconns" program="%systemroot%\\SysWOW64\\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\\SysWOW64\\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block scriptrunner.exe netconns" program="%systemroot%\\SysWOW64\\scriptrunner.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block SyncAppvPublishingServer.exe netconns" program="%systemroot%\\SysWOW64\\SyncAppvPublishingServer.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block wmic.exe netconns" program="%systemroot%\\SysWOW64\\wbem\\wmic.exe" protocol=tcp dir=out enable=yes action=block profile=any
@REM netsh advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\\SysWOW64\\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any