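# -*- coding: utf-8 -*-
# Windows workstation hardening package: account policy, logon banner,
# SMB/NTLM/Kerberos settings, UAC, services, audit policy and TCP/IP tuning.
# Every group of settings is opt-in through the enable_* flags below; with the
# flags left at False, install() changes nothing on the machine.
from setuphelpers import *
import subprocess
import winreg as reg

# Names given to the built-in accounts (RID 500 / RID 501) once renamed.
LocalAdministrator = "LocalAdministrator"
LocalGuest = "LocalGuest"

# Banner shown before logon (runtime strings, written to the registry as-is).
LegalNoticeText = "Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi."
LegalNoticeCaption = "Bienvenue sur un poste COMITARI"

# Feature switches: set to True to apply the corresponding group of settings.
enable_rename_and_disable_user = False
enable_set_password_requirements = False
enable_configure_login_logout_features = False
enable_configure_lanman_service = False
enable_configure_uac_prompt_behavior = False
enable_configure_external_device_settings = False
enable_configure_windows_services = False
enable_configure_windows_event_logging = False
enable_configure_windows_settings = False
enable_configure_network_settings = False


def _builtin_account_name(rid):
    """Return the current name of the local built-in account with RID *rid*.

    The account is resolved from its well-known SID (<machine SID>-<rid>)
    rather than from its name, so it is still found after a rename or on a
    localized Windows.
    """
    # NOTE(review): win32net / win32security are not imported explicitly here;
    # they are expected to come from the setuphelpers star import -- confirm.
    machine_sid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':', 1)[-1]
    sid = win32security.GetBinarySid(f"{machine_sid}-{rid}")
    account_name, _domain, _typ = win32security.LookupAccountSid(wincomputername(), sid)
    return account_name


def _ensure_hklm_key(path):
    """Create the HKLM subkey *path* if it is missing (no-op when it exists)."""
    # CreateKeyEx opens the key when it already exists, so no prior existence
    # test is needed. KEY_WOW64_64KEY targets the native registry view.
    # NOTE(review): registry_set presumably writes to the same view -- confirm.
    with reg.CreateKeyEx(reg.HKEY_LOCAL_MACHINE, path, 0, reg.KEY_WRITE | reg.KEY_WOW64_64KEY):
        pass


def install():
    """Apply every hardening group whose enable_* flag is set."""
    if enable_rename_and_disable_user:
        # Find the built-in Administrator (RID 500) and Guest (RID 501) accounts.
        # The lookup is only done when the feature is enabled.
        admin_local_user = _builtin_account_name(500)
        guest_local_user = _builtin_account_name(501)
        rename_and_disable_user(admin_local_user, LocalAdministrator)
        rename_and_disable_user(guest_local_user, LocalGuest)

    # The last two entries used to test the functions themselves
    # (`configure_windows_settings is True`), which is never true, so those
    # groups were silently skipped even when their flag was enabled.
    steps = (
        (enable_set_password_requirements, set_password_requirements),
        (enable_configure_login_logout_features, configure_login_logout_features),
        (enable_configure_lanman_service, configure_lanman_service),
        (enable_configure_uac_prompt_behavior, configure_uac_prompt_behavior),
        (enable_configure_external_device_settings, configure_external_device_settings),
        (enable_configure_windows_services, configure_windows_services),
        (enable_configure_windows_event_logging, configure_windows_event_logging),
        (enable_configure_windows_settings, configure_windows_settings),
        (enable_configure_network_settings, configure_network_settings),
    )
    for enabled, step in steps:
        if enabled:
            step()


def rename_and_disable_user(old_name, new_name):
    """Rename the local account *old_name* to *new_name*, then disable it.

    Both steps are best effort: a failure is reported instead of raised, and a
    failed or unnecessary rename no longer prevents the account from being
    disabled under whatever name it currently has.
    """
    # NOTE(review): check=True is forwarded to run() as in the original call;
    # confirm that setuphelpers.run accepts this keyword.
    current_name = old_name
    if old_name.lower() != new_name.lower():
        # Skip the rename on a re-run, when the account already has its new name.
        try:
            run(f'wmic useraccount where name="{old_name}" rename {new_name}', check=True)
            current_name = new_name
        except subprocess.CalledProcessError as err:
            print(f'Unable to rename account {old_name} to {new_name}: {err}')
    try:
        run(f'wmic useraccount where name="{current_name}" set disabled=true', check=True)
    except subprocess.CalledProcessError as err:
        # Report the failure: a built-in account left enabled should be visible
        # in the package log rather than silently ignored.
        print(f'Unable to disable account {current_name}: {err}')


def set_password_requirements():
    """Set the local password and lockout policy with `net accounts`."""
    for option in (
        '/maxpwage:365',
        '/minpwage:1',
        '/minpwlen:14',
        '/forcelogoff:15',
        '/uniquepw:24',
        '/lockoutthreshold:5',
        '/lockoutduration:15',
        '/lockoutwindow:15',
    ):
        run(f'net accounts {option}')
    registry_set(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\SAM', 'RelaxMinimumPasswordLengthLimits', 1)


def configure_login_logout_features():
    """Configure the logon screen: banner, Ctrl+Alt+Del, idle lock, cached logons."""
    policies_system = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    winlogon = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'NoConnectedUser', 3)
    # 0 = Ctrl+Alt+Del is required before the credential prompt.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'DisableCAD', 0)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'DontDisplayLastUserName', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'LegalNoticeText', LegalNoticeText)
    # The caption used to be written with the banner text instead of the caption.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'LegalNoticeCaption', LegalNoticeCaption)
    # NOTE(review): Windows normally stores CachedLogonsCount and ScRemoveOption
    # as REG_SZ; confirm registry_set writes a type Winlogon honours for ints.
    registry_set(HKEY_LOCAL_MACHINE, winlogon, 'CachedLogonsCount', 4)
    registry_set(HKEY_LOCAL_MACHINE, winlogon, 'ScRemoveOption', 1)
    # Lock the session after 900 seconds of inactivity.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'InactivityTimeoutSecs', 900)


def configure_lanman_service():
    """Harden SMB, LSA, NTLM and Kerberos settings."""
    workstation = r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    server = r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    lsa = r'SYSTEM\CurrentControlSet\Control\Lsa'

    # SMB signing on both the client and the server side.
    registry_set(HKEY_LOCAL_MACHINE, workstation, 'RequireSecuritySignature', 1)
    registry_set(HKEY_LOCAL_MACHINE, server, 'RequireSecuritySignature', 1)
    registry_set(HKEY_LOCAL_MACHINE, server, 'EnableSecuritySignature', 1)
    # NOTE(review): NullSessionPipes is normally a REG_MULTI_SZ value; confirm
    # that writing an empty string produces the intended empty list.
    registry_set(HKEY_LOCAL_MACHINE, server, 'NullSessionPipes', '')
    registry_set(HKEY_LOCAL_MACHINE, server, 'SMBServerNameHardeningLevel', 1)

    registry_set(HKEY_LOCAL_MACHINE, lsa, 'RestrictAnonymous', 1)
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'DisableDomainCreds', 1)
    # 5 = send NTLMv2 responses only, refuse LM and NTLM.
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'LmCompatibilityLevel', 5)
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'UseMachineID', 1)

    # Ensure the MSV1_0 key exists. The previous test called
    # reg.QueryValueEx(path), which needs a key handle and a value name and so
    # raised before anything below was written; the two registry_set calls were
    # also missing their HKEY_LOCAL_MACHINE root argument.
    msv_path = r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    _ensure_hklm_key(msv_path)
    registry_set(HKEY_LOCAL_MACHINE, msv_path, 'NTLMMinClientSec', 537395200)
    registry_set(HKEY_LOCAL_MACHINE, msv_path, 'NTLMMinServerSec', 537395200)

    # Ensure the Kerberos key exists
    kerberos_path = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    _ensure_hklm_key(kerberos_path)
    registry_set(HKEY_LOCAL_MACHINE, kerberos_path, 'SupportedEncryptionTypes', 2147483640)

    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1)


def configure_uac_prompt_behavior():
    """Configure UAC elevation prompts for administrators and standard users."""
    policies_system = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Admin Approval Mode for the built-in Administrator account.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'FilterAdministratorToken', 1)
    # The value Windows reads is ConsentPromptBehaviorAdmin; the former name
    # 'ConsentAdminBehavior' is not a UAC setting, so it had no effect.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'ConsentPromptBehaviorAdmin', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'ConsentPromptBehaviorUser', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'PromptOnSecureDesktop', 1)


def configure_external_device_settings():
    """Restrict removable media, printer driver installation and device unlock attempts."""
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateDASD', 2)
    registry_set(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers', 'AddPrinterDrivers', 1)
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'MaxDevicePasswordFailedAttempts', 10)


def configure_windows_services():
    """Disable and stop the Windows services listed below.

    Review the list against the machine's role before enabling it: it includes
    Spooler (printing), LanmanServer (file shares), TermService (Remote
    Desktop), WinRM (remote management) and Wecsvc (event collection).
    """
    services_to_disable = [
        "BTAGService", "bthserv", "MapsBroker", "SharedAccess", "lltdsvc",
        "LxssManager", "MSiSCSI", "PNRPsvc", "p2psvc", "p2pimsvc",
        "PNRPAutoReg", "Spooler", "wercplsupport", "RasAuto", "SessionEnv",
        "UmRdpService", "TermService", "RpcLocator", "LanmanServer", "upnphost",
        "SSDPSRV", "WerSvc", "Wecsvc", "WMPNetworkSvc", "icssvc",
        "WpnService", "PushToInstall", "WinRM", "XboxGipSvc", "XblAuthManager",
        "XblGameSave", "XboxNetApiSvc",
    ]
    for service in services_to_disable:
        # Each command is handled on its own: a service that is not installed
        # on this edition, or is already stopped, must not keep the remaining
        # services from being disabled.
        for command in (f'sc config {service} start= disabled', f'net stop {service}'):
            try:
                run(command)
            except subprocess.CalledProcessError as err:
                print(f'Command "{command}" failed: {err}')


def configure_windows_event_logging():
    """Enable success/failure auditing for a fixed set of audit subcategories.

    Subcategories are addressed by GUID rather than by display name, so the
    commands do not depend on the display language of the operating system.
    """
    auditpol_commands = [
        'auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9248-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030} /failure:enable',
        'auditpol /set /subcategory:{0CCE9249-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030} /failure:enable',
        'auditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030} /failure:enable',
        'auditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
        'auditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030} /success:enable',
        'auditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable',
    ]
    # A failing command is left to propagate: an audit policy that was only
    # partly applied should make the installation fail visibly.
    for command in auditpol_commands:
        run(command)


def configure_windows_settings():
    """Apply miscellaneous lock screen, autoplay, auto-logon and USB storage settings."""
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1)
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0)
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableAutomaticRestartSignOn', 1)
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1)
    # NOTE(review): AutoAdminLogon is normally a REG_SZ value; confirm the type
    # registry_set writes for an int is the one Winlogon reads.
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon', 0)
    # Start = 4 disables the USB mass-storage driver.
    registry_set(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4)


def configure_network_settings():
    """Harden NetBT and TCP/IP stack parameters."""
    tcpip = r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    registry_set(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2)
    tcpip_values = (
        ('IPEnableRouter', 0),
        ('DisableIPSourceRouting', 2),
        ('KeepAliveTime', 300000),
        ('KeepAliveInterval', 30),
        ('EnableDeadGWDetect', 0),
        ('TcpMaxDataRetransmissions', 5),
        ('DontAddDefaultGatewayDefault', 1),
        ('PerformRouterDiscovery', 0),
        # Both spellings are written, as in the original configuration.
        ('EnableICMPRedirect', 0),
        ('EnableICMPRedirects', 0),
        ('EnableMulticastForwarding', 0),
    )
    for value_name, value in tcpip_values:
        registry_set(HKEY_LOCAL_MACHINE, tcpip, value_name, value)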