Téléverser les fichiers vers "/"

setup.py

@@ -0,0 +1,224 @@
+# -*- coding: utf-8 -*-
+from setuphelpers import *
+import subprocess
+import winreg as reg
+
+
+LocalAdministrator = "LocalAdministrator"
+LocalGuest = "LocalGuest"
+LegalNoticeText = "Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi."
+LegalNoticeCaption = "Bienvenue sur un poste COMITARI"
+
+enable_rename_and_disable_user = False
+enable_set_password_requirements = False
+enable_configure_login_logout_features = False
+enable_configure_lanman_service = False
+enable_configure_uac_prompt_behavior = False
+enable_configure_external_device_settings = False
+enable_configure_windows_services = False
+enable_configure_windows_event_logging = False
+enable_configure_windows_settings = False
+enable_configure_network_settings = False
+
+
+def install():
+
+    #Trouver le compte Built-in Administrator
+    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1]
+    sid = win32security.GetBinarySid(locsid + "-500")
+    admin_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid)
+
+    #Trouver le compte Built-in Guest
+    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1]
+    sid = win32security.GetBinarySid(locsid + "-501")
+    guest_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid)
+
+
+    if enable_rename_and_disable_user is True :
+        rename_and_disable_user(admin_local_user, LocalAdministrator)
+        rename_and_disable_user(guest_local_user, LocalGuest)
+    if enable_set_password_requirements is True :
+        set_password_requirements()
+    if enable_configure_login_logout_features is True :
+        configure_login_logout_features()
+    if enable_configure_lanman_service is True :
+        configure_lanman_service()
+    if enable_configure_uac_prompt_behavior is True :
+        configure_uac_prompt_behavior()
+    if enable_configure_external_device_settings is True :
+        configure_external_device_settings()
+    if enable_configure_windows_services is True :
+        configure_windows_services()
+    if enable_configure_windows_event_logging is True :
+        if get_language() is "en" :
+            configure_windows_event_logging_en()
+        if get_language() is "fr" :
+            configure_windows_event_logging_fr()
+
+    if configure_windows_settings is True :
+        configure_windows_settings()
+    if configure_network_settings is True :
+        configure_network_settings()
+
+def rename_and_disable_user(old_name, new_name):
+    try:
+        run(f'wmic useraccount where name="{old_name}" rename {new_name}', check=True)
+        run(f'wmic useraccount where name="{new_name}" set disabled=true', check=True)
+    except subprocess.CalledProcessError:
+        pass
+
+
+def set_password_requirements():
+    run('net accounts /maxpwage:365')
+    run('net accounts /minpwage:1')
+    run('net accounts /minpwlen:14')
+    run('net accounts /forcelogoff:15')
+    run('net accounts /uniquepw:24')
+    run('net accounts /lockoutthreshold:5')
+    run('net accounts /lockoutduration:15')
+    run('net accounts /lockoutwindow:15')
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\SAM', 'RelaxMinimumPasswordLengthLimits', 1)
+
+def configure_login_logout_features():
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'NoConnectedUser', 3)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableCAD', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DontDisplayLastUserName', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeText', LegalNoticeText)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeCaption', LegalNoticeText)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'CachedLogonsCount', 4)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'ScRemoveOption', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'InactivityTimeoutSecs', 900)
+
+def configure_lanman_service():
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'RequireSecuritySignature', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'EnableSecuritySignature', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes', '')
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'SMBServerNameHardeningLevel', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'DisableDomainCreds', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'LmCompatibilityLevel', 5)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'UseMachineID', 1)
+
+    # Ensure the MSV1_0 key exists
+    msv_path = r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
+    if not reg.QueryValueEx(msv_path):
+        reg.CreateKey(reg.HKEY_LOCAL_MACHINE, msv_path)
+
+    registry_set(msv_path, 'NTLMMinClientSec', 537395200)
+    registry_set(msv_path, 'NTLMMinServerSec', 537395200)
+
+    # Ensure the Kerberos key exists
+    kerberos_path = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
+    if not reg.QueryValueEx(kerberos_path):
+        reg.CreateKey(reg.HKEY_LOCAL_MACHINE, kerberos_path)
+
+    registry_set(HKEY_LOCAL_MACHINE,kerberos_path, 'SupportedEncryptionTypes', 2147483640)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1)
+
+def configure_uac_prompt_behavior():
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'FilterAdministratorToken', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentAdminBehavior', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentPromptBehaviorUser', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'PromptOnSecureDesktop', 1)
+
+def configure_external_device_settings():
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateDASD', 2)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers', 'AddPrinterDrivers', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'MaxDevicePasswordFailedAttempts', 10)
+
+def configure_windows_services():
+    services_to_disable = [
+        "BTAGService", "bthserv", "MapsBroker", "SharedAccess", "lltdsvc",
+        "LxssManager", "MSiSCSI", "PNRPsvc", "p2psvc", "p2pimsvc", "PNRPAutoReg",
+        "Spooler", "wercplsupport", "RasAuto", "SessionEnv", "UmRdpService",
+        "TermService", "RpcLocator", "LanmanServer", "upnphost", "SSDPSRV",
+        "WerSvc", "Wecsvc", "WMPNetworkSvc", "icssvc", "WpnService",
+        "PushToInstall", "WinRM", "XboxGipSvc", "XblAuthManager", "XblGameSave", "XboxNetApiSvc"
+    ]
+
+    for service in services_to_disable:
+        run(f'sc config {service} start= disabled')
+        run(f'net stop {service}')
+
+def configure_windows_event_logging_en():
+    auditpol_commands = [
+        'auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Plug and Play Events" /success:enable',
+        'auditpol /set /subcategory:"Process Creation" /success:enable',
+        'auditpol /set /subcategory:"Account Lockout" /failure:enable',
+        'auditpol /set /subcategory:"Group Membership" /success:enable',
+        'auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Detailed File Share" /failure:enable',
+        'auditpol /set /subcategory:"File Share" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Other Object Access Events" /success:enable',
+        'auditpol /set /subcategory:"Removable Storage" /success:enable',
+        'auditpol /set /subcategory:"Authorization Policy Change" /success:enable',
+        'auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Other Policy Change Events" /failure:enable',
+        'auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Security System Extension" /success:enable',
+    ]
+
+    for command in auditpol_commands:
+        run(command)
+
+def configure_windows_event_logging_fr():
+    auditpol_commands = [
+        'auditpol /set /subcategory:"Validation des informations d’identification" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Gestion des groupes d’applications" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Gestion des groupes de sécurité" /success:enable',
+        'auditpol /set /subcategory:"Gestion des comptes d’utilisateur" /success:enable',
+        'auditpol /set /subcategory:"Événements Plug-and-Play" /success:enable',
+        'auditpol /set /subcategory:"Création du processus" /success:enable',
+        'auditpol /set /subcategory:"Verrouillage du compte" /failure:enable',
+        'auditpol /set /subcategory:"Appartenance à un groupe" /success:enable',
+        'auditpol /set /subcategory:"Ouvrir la session" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Fermer la session" /success:enable',
+        'auditpol /set /subcategory:"Autres événements d’ouverture/fermeture de session" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Ouverture de session spéciale" /success:enable',
+        'auditpol /set /subcategory:"Partage de fichiers détaillé" /failure:enable',
+        'auditpol /set /subcategory:"Partage de fichiers" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Autres événements d’accès à l’objet" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Stockage amovible" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Modification de la stratégie d’audit" /success:enable',
+        'auditpol /set /subcategory:"Modification de la stratégie d’authentification" /success:enable',
+        'auditpol /set /subcategory:"Modification de la stratégie d’autorisation" /success:enable',
+        'auditpol /set /subcategory:"Modification de la stratégie de niveau règle MPSSVC" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Autres événements de modification de stratégie" /failure:enable',
+        'auditpol /set /subcategory:"Utilisation de privilèges sensibles" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Pilote IPSEC" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Autres événements système" /success:enable /failure:enable',
+        'auditpol /set /subcategory:"Modification de l’état de la sécurité" /success:enable',
+        'auditpol /set /subcategory:"Extension système de sécurité" /success:enable',
+        'auditpol /set /subcategory:"Intégrité du système" /success:enable /failure:enable',
+    ]
+
+    for command in auditpol_commands:
+        run(command)
+
+def configure_windows_settings():
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableAutomaticRestartSignOn', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4)
+
+def configure_network_settings():
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'IPEnableRouter', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DisableIPSourceRouting', 2)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveTime', 300000)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveInterval', 30)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableDeadGWDetect', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'TcpMaxDataRetransmissions', 5)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DontAddDefaultGatewayDefault', 1)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'PerformRouterDiscovery', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirect', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirects', 0)
+    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableMulticastForwarding', 0)
+