# -*- coding: utf-8 -*-
from setuphelpers import *
# New names for the two built-in local accounts.
LocalAdministrator = "LocalAdministrator"
LocalGuest = "LocalGuest"

# Logon banner: body text and window title (French).
LegalNoticeText = (
    "Bienvenue sur un poste COMITARI, "
    "Toute personne non autorisée à se connecter "
    "à la machine sera poursuivie."
)
LegalNoticeCaption = "Bienvenue sur un poste COMITARI"

# One switch per hardening group. Every group is off by default, so the
# package changes nothing until a switch is deliberately set to True.
enable_rename_and_disable_user = False
enable_set_password_requirements = False
enable_configure_login_logout_features = False
enable_configure_lanman_service = False
enable_configure_uac_prompt_behavior = False
enable_configure_external_device_settings = False
enable_configure_windows_services = False
enable_configure_windows_event_logging = False
enable_configure_windows_settings = False
enable_configure_network_settings = False
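def install():
    """Apply each hardening group whose ``enable_*`` switch is the literal True.

    The built-in Administrator and Guest accounts are looked up by SID
    (machine SID + RID 500 / 501) instead of by name, so the lookup does not
    depend on what the accounts are currently called.
    """
    # Machine SID: 'domain_id' from NetUserModalsGet level 2, with everything
    # up to the first ':' of its string form dropped.
    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':', 1)[-1]

    # Built-in Administrator (RID 500).
    sid = win32security.GetBinarySid(locsid + "-500")
    admin_local_user, _domain, _typ = win32security.LookupAccountSid(wincomputername(), sid)

    # Built-in Guest (RID 501).
    sid = win32security.GetBinarySid(locsid + "-501")
    guest_local_user, _domain, _typ = win32security.LookupAccountSid(wincomputername(), sid)

    if enable_rename_and_disable_user is True:
        rename_and_disable_user(admin_local_user, LocalAdministrator)
        rename_and_disable_user(guest_local_user, LocalGuest)
    if enable_set_password_requirements is True:
        set_password_requirements()
    if enable_configure_login_logout_features is True:
        configure_login_logout_features()
    if enable_configure_lanman_service is True:
        configure_lanman_service()
    if enable_configure_uac_prompt_behavior is True:
        configure_uac_prompt_behavior()
    if enable_configure_external_device_settings is True:
        configure_external_device_settings()
    if enable_configure_windows_services is True:
        configure_windows_services()
    if enable_configure_windows_event_logging is True:
        configure_windows_event_logging()
    # The next two tests used to compare the functions themselves with True,
    # which is never the case, so these groups were silently skipped even
    # when their switch was turned on.
    if enable_configure_windows_settings is True:
        configure_windows_settings()
    if enable_configure_network_settings is True:
        configure_network_settings()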
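def audit():
    """Run the registry checks and print how many passed and failed.

    The counters are module-level names so that the check helper called
    through verify_settings() can update them; they are reset on every run.
    """
    # Without the global declaration these were function locals that no
    # other function could see, so the summary could never reflect the checks.
    global successful_checks, failed_checks
    successful_checks = 0
    failed_checks = 0
    verify_settings()
    nb_checks = successful_checks + failed_checks
    # Share of failed checks, in percent. The previous total/failed formula
    # was not a percentage and divided by zero when every check passed.
    ratio = (failed_checks / nb_checks * 100) if nb_checks else 0.0
    print(f"\nNombre de vérifications réussies : {successful_checks}")
    print(f"Nombre de vérifications échouées : {failed_checks}")
    print(f"Pourcentage de checks mauvais = {ratio}")
    # NOTE(review): still returns None; if the packaging framework expects an
    # audit status from this hook, failed checks are not reported through it.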
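def rename_and_disable_user(old_name, new_name):
    """Rename a local account to ``new_name`` and then disable it.

    Failures are printed instead of being swallowed, because a hardening
    step that fails silently leaves the account enabled with no trace.

    Args:
        old_name: current account name.
        new_name: name to give the account; it is placed unquoted in the
            command line, so it must not contain spaces or quotes.
    """
    import subprocess

    # NOTE(review): wmic is deprecated on current Windows releases and may be
    # missing from the image; confirm it exists on the targeted builds.
    current_name = old_name
    if old_name != new_name:
        try:
            run(f'wmic useraccount where name="{old_name}" rename {new_name}', check=True)
            current_name = new_name
        except subprocess.CalledProcessError as err:
            print(f"[FAIL] rename account {old_name} -> {new_name}: {err}")
    # The disable step runs even when the rename was skipped or failed; it
    # used to be abandoned in that case (for instance on a second run, once
    # the account already carries the new name).
    try:
        run(f'wmic useraccount where name="{current_name}" set disabled=true', check=True)
    except subprocess.CalledProcessError as err:
        print(f"[FAIL] disable account {current_name}: {err}")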
def set_password_requirements():
    """Set the local password and lockout policy through ``net accounts``."""
    account_options = (
        '/maxpwage:365',        # maximum password age, days
        '/minpwage:1',          # minimum password age, days
        '/minpwlen:14',         # minimum password length
        '/forcelogoff:15',      # minutes before forced logoff
        '/uniquepw:24',         # password history size
        '/lockoutthreshold:5',  # failed logons before lockout
        '/lockoutduration:15',  # lockout duration, minutes
        '/lockoutwindow:15',    # failed-logon counting window, minutes
    )
    for option in account_options:
        run(f'net accounts {option}')
    # NOTE(review): this SAM value is understood to allow minimum lengths
    # above 14 characters; confirm it is wanted with /minpwlen:14.
    registry_set(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\SAM',
                 'RelaxMinimumPasswordLengthLimits', 1)
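def configure_login_logout_features():
    """Write the interactive-logon policy values under HKLM.

    Covers Microsoft-account blocking, Ctrl+Alt+Del, hiding the last user
    name, the logon banner, cached logons, smart-card removal behaviour and
    the inactivity timeout.
    """
    policies_system = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    winlogon = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'NoConnectedUser', 3)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'DisableCAD', 0)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'DontDisplayLastUserName', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'LegalNoticeText', LegalNoticeText)
    # The caption used to receive LegalNoticeText, so the banner title was
    # the whole banner body.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'LegalNoticeCaption', LegalNoticeCaption)
    # NOTE(review): Microsoft documents CachedLogonsCount and ScRemoveOption
    # as REG_SZ; presumably an int is stored as a DWORD here. Confirm that
    # Winlogon honours the values in that form.
    registry_set(HKEY_LOCAL_MACHINE, winlogon, 'CachedLogonsCount', 4)
    registry_set(HKEY_LOCAL_MACHINE, winlogon, 'ScRemoveOption', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'InactivityTimeoutSecs', 900)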
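def configure_lanman_service():
    """Harden SMB signing, anonymous access, NTLM and Kerberos settings.

    Writes values under the LanmanWorkstation / LanmanServer service
    parameters, Control\\Lsa (including MSV1_0), the Kerberos policy key and
    the Cryptography policy key, all in HKLM.
    """
    workstation_params = r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    # Registry key names are case-insensitive, so one spelling replaces the
    # 'LanManServer' / 'LanmanServer' mix used before.
    server_params = r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    lsa = r'SYSTEM\CurrentControlSet\Control\Lsa'

    registry_set(HKEY_LOCAL_MACHINE, workstation_params, 'RequireSecuritySignature', 1)
    registry_set(HKEY_LOCAL_MACHINE, server_params, 'RequireSecuritySignature', 1)
    registry_set(HKEY_LOCAL_MACHINE, server_params, 'EnableSecuritySignature', 1)
    # NOTE(review): NullSessionPipes is normally a multi-string value;
    # confirm that writing '' produces the intended empty list.
    registry_set(HKEY_LOCAL_MACHINE, server_params, 'NullSessionPipes', '')
    registry_set(HKEY_LOCAL_MACHINE, server_params, 'SMBServerNameHardeningLevel', 1)
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'RestrictAnonymous', 1)
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'DisableDomainCreds', 1)
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'LmCompatibilityLevel', 5)
    registry_set(HKEY_LOCAL_MACHINE, lsa, 'UseMachineID', 1)

    # Ensure the MSV1_0 key exists. CreateKey opens the key when it is
    # already there, so no existence probe is needed; the earlier probe
    # called QueryValueEx with a single argument and could not succeed.
    msv_path = r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    reg.CloseKey(reg.CreateKey(reg.HKEY_LOCAL_MACHINE, msv_path))

    # The hive argument was missing on these two calls, so the path was
    # passed where the hive belongs. 537395200 == 0x20080000.
    registry_set(HKEY_LOCAL_MACHINE, msv_path, 'NTLMMinClientSec', 537395200)
    registry_set(HKEY_LOCAL_MACHINE, msv_path, 'NTLMMinServerSec', 537395200)

    # Ensure the Kerberos key exists.
    kerberos_path = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    reg.CloseKey(reg.CreateKey(reg.HKEY_LOCAL_MACHINE, kerberos_path))

    # 2147483640 == 0x7FFFFFF8.
    registry_set(HKEY_LOCAL_MACHINE, kerberos_path, 'SupportedEncryptionTypes', 2147483640)
    registry_set(HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1)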
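def configure_uac_prompt_behavior():
    """Set the UAC elevation-prompt policy values under HKLM.

    Enables Admin Approval Mode for the built-in Administrator, sets both
    elevation prompts to value 1 (credentials on the secure desktop) and
    keeps prompts on the secure desktop.
    """
    policies_system = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'FilterAdministratorToken', 1)
    # The administrator prompt is controlled by ConsentPromptBehaviorAdmin.
    # The name written before, 'ConsentAdminBehavior', is not a value Windows
    # reads, so the administrator prompt stayed at its default.
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'ConsentPromptBehaviorAdmin', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'ConsentPromptBehaviorUser', 1)
    registry_set(HKEY_LOCAL_MACHINE, policies_system, 'PromptOnSecureDesktop', 1)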
def configure_external_device_settings():
    """Write the removable-media, printer-driver and device-lockout values."""
    device_values = (
        # NOTE(review): AllocateDASD is documented as REG_SZ; confirm the
        # integer 2 is read as intended.
        (r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
         'AllocateDASD', 2),
        (r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers',
         'AddPrinterDrivers', 1),
        (r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
         'MaxDevicePasswordFailedAttempts', 10),
    )
    for key_path, value_name, data in device_values:
        registry_set(HKEY_LOCAL_MACHINE, key_path, value_name, data)
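def configure_windows_services():
    """Disable and stop every service in the list, reporting each failure.

    A service that is missing or already stopped no longer aborts the loop,
    so one failing entry cannot leave the remaining services enabled.
    """
    import subprocess

    # NOTE(review): the list includes WinRM, Wecsvc, TermService and
    # LanmanServer; confirm that remote administration, event forwarding and
    # file sharing are not needed on the targeted machines.
    services_to_disable = (
        "BTAGService", "bthserv", "MapsBroker", "SharedAccess", "lltdsvc",
        "LxssManager", "MSiSCSI", "PNRPsvc", "p2psvc", "p2pimsvc", "PNRPAutoReg",
        "Spooler", "wercplsupport", "RasAuto", "SessionEnv", "UmRdpService",
        "TermService", "RpcLocator", "LanmanServer", "upnphost", "SSDPSRV",
        "WerSvc", "Wecsvc", "WMPNetworkSvc", "icssvc", "WpnService",
        "PushToInstall", "WinRM", "XboxGipSvc", "XblAuthManager", "XblGameSave", "XboxNetApiSvc",
    )

    for service in services_to_disable:
        # Each command is guarded on its own so that a failed stop does not
        # hide whether the start type was changed, and the reverse.
        # presumably run() raises CalledProcessError on a non-zero exit, the
        # type rename_and_disable_user() catches; verify against setuphelpers.
        for command in (f'sc config {service} start= disabled', f'net stop {service}'):
            try:
                run(command)
            except subprocess.CalledProcessError as err:
                print(f"[WARN] {command}: {err}")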
def configure_windows_event_logging():
    """Enable advanced audit policy subcategories with ``auditpol /set``.

    Subcategories are addressed by GUID, which is independent of the display
    language. The names in the comments follow Microsoft's published GUID
    list; ``auditpol /list /subcategory:* /v`` prints the mapping on a live
    system.
    """
    # NOTE(review): subcategory settings can be overridden by legacy
    # category-level audit policy or by Group Policy; confirm they persist.
    guid_tail = '-69AE-11D9-BED3-505054503030'
    both = '/success:enable /failure:enable'
    success = '/success:enable'
    failure = '/failure:enable'

    subcategories = (
        ('0CCE923F', both),     # Credential Validation
        ('0CCE9239', both),     # Application Group Management
        ('0CCE9237', success),  # Security Group Management
        ('0CCE9235', success),  # User Account Management
        ('0CCE9248', success),  # Plug and Play Events
        ('0CCE922B', success),  # Process Creation
        ('0CCE9217', failure),  # Account Lockout
        ('0CCE9249', success),  # Group Membership
        ('0CCE9215', both),     # Logon
        ('0CCE9216', success),  # Logoff
        ('0CCE921C', both),     # Other Logon/Logoff Events
        ('0CCE921B', success),  # Special Logon
        ('0CCE9244', failure),  # Detailed File Share
        ('0CCE9224', both),     # File Share
        ('0CCE9227', both),     # Other Object Access Events
        ('0CCE9245', both),     # Removable Storage
        ('0CCE922F', success),  # Audit Policy Change
        ('0CCE9230', success),  # Authentication Policy Change
        ('0CCE9231', success),  # Authorization Policy Change
        ('0CCE9232', both),     # MPSSVC Rule-Level Policy Change
        ('0CCE9234', failure),  # Other Policy Change Events
        ('0CCE9228', both),     # Sensitive Privilege Use
        ('0CCE9213', both),     # IPsec Driver
        ('0CCE9214', both),     # Other System Events
        ('0CCE9210', success),  # Security State Change
        ('0CCE9211', success),  # Security System Extension
        ('0CCE9212', both),     # System Integrity
    )

    for guid_head, flags in subcategories:
        run('auditpol /set /subcategory:{' + guid_head + guid_tail + '} ' + flags)
def configure_windows_settings():
    """Write miscellaneous lock-screen, sign-in, autoplay and USB values."""
    settings = (
        (r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1),
        (r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0),
        (r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableAutomaticRestartSignOn', 1),
        (r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1),
        (r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon', 0),
        # Start type 4 is "disabled" for a service or driver, so this turns
        # off the USB mass-storage driver.
        (r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4),
    )
    for key_path, value_name, data in settings:
        registry_set(HKEY_LOCAL_MACHINE, key_path, value_name, data)
def configure_network_settings():
    """Write the NetBT node type and the Tcpip stack hardening values.

    Only the ``Tcpip`` (IPv4) parameters key is written; nothing here
    touches ``Tcpip6``.
    """
    registry_set(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2)

    tcpip_parameters = r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    tcpip_values = (
        ('IPEnableRouter', 0),
        ('DisableIPSourceRouting', 2),
        ('KeepAliveTime', 300000),
        ('KeepAliveInterval', 30),
        ('EnableDeadGWDetect', 0),
        ('TcpMaxDataRetransmissions', 5),
        ('DontAddDefaultGatewayDefault', 1),
        ('PerformRouterDiscovery', 0),
        ('EnableICMPRedirect', 0),
        # NOTE(review): the plural spelling is written as well as the
        # singular one above; confirm which name the stack reads.
        ('EnableICMPRedirects', 0),
        ('EnableMulticastForwarding', 0),
    )
    for value_name, data in tcpip_values:
        registry_set(HKEY_LOCAL_MACHINE, tcpip_parameters, value_name, data)
def registry_readstring(hive, path, name):
    """Return the data of registry value ``name``, or None when it is absent.

    None is returned when either the key or the value does not exist. The
    data comes back in whatever type the registry stores, not only as str.

    NOTE(review): this definition follows ``from setuphelpers import *``; if
    that import also provides a ``registry_readstring``, this one replaces it
    for the whole module. Confirm that is intended.
    """
    try:
        handle = reg.OpenKey(hive, path)
        try:
            # QueryValueEx returns (data, type); only the data is used.
            return reg.QueryValueEx(handle, name)[0]
        finally:
            handle.Close()
    except FileNotFoundError:
        return None
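def check_reg_value(hive, path, name, expected_value):
    """Compare one registry value with its expected data and count the result.

    Prints an ``[OK]`` or ``[FAIL]`` line and increments the module-level
    ``successful_checks`` or ``failed_checks`` counter.

    Args:
        hive: registry hive handle passed to registry_readstring().
        path: key path below the hive.
        name: value name.
        expected_value: data the value must equal, type included (the
            integer 1 and the string "1" do not match).
    """
    # Without this declaration the ``+=`` below made the counters locals and
    # raised UnboundLocalError on the first check.
    global successful_checks, failed_checks
    actual_value = registry_readstring(hive, path, name)
    if actual_value == expected_value:
        print(f"[OK] {path}\\{name} = {actual_value}")
        # globals().get() lets the count start at 0 when no caller has
        # initialised the counters yet.
        successful_checks = globals().get('successful_checks', 0) + 1
    else:
        print(f"[FAIL] {path}\\{name} = {actual_value} (expected: {expected_value})")
        failed_checks = globals().get('failed_checks', 0) + 1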
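def verify_settings():
    """Check every registry value of the hardening baseline, in a fixed order.

    Only registry values are verified. The ``net accounts`` policy, the
    account rename/disable, the service start types and the ``auditpol``
    subcategories are not covered, so a clean result does not mean those
    groups were applied.
    """
    policies_system = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    winlogon = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    lsa = r'SYSTEM\CurrentControlSet\Control\Lsa'
    msv = r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    tcpip = r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    expected_values = (
        # Password policy
        (r'SYSTEM\CurrentControlSet\Control\SAM', 'RelaxMinimumPasswordLengthLimits', 1),

        # Login/logout features
        (policies_system, 'NoConnectedUser', 3),
        (policies_system, 'DisableCAD', 0),
        (policies_system, 'DontDisplayLastUserName', 1),
        # The banner is compared with the module constants. The fixed English
        # strings used before never matched the French banner this package
        # configures, so both checks always failed.
        (policies_system, 'LegalNoticeText', LegalNoticeText),
        (policies_system, 'LegalNoticeCaption', LegalNoticeCaption),
        (winlogon, 'CachedLogonsCount', 4),
        (winlogon, 'ScRemoveOption', 1),
        (policies_system, 'InactivityTimeoutSecs', 900),

        # LANMAN service configuration
        (r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1),
        (r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'RequireSecuritySignature', 1),
        (r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'EnableSecuritySignature', 1),
        (r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes', ''),
        (r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'SMBServerNameHardeningLevel', 1),
        (lsa, 'RestrictAnonymous', 1),
        (lsa, 'DisableDomainCreds', 1),
        (lsa, 'LmCompatibilityLevel', 5),
        (lsa, 'UseMachineID', 1),

        # NTLM minimum session security (MSV1_0)
        (msv, 'NTLMMinClientSec', 537395200),
        (msv, 'NTLMMinServerSec', 537395200),

        # Kerberos encryption types and key protection
        (r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters',
         'SupportedEncryptionTypes', 2147483640),
        (r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1),

        # UAC prompt behavior
        (policies_system, 'FilterAdministratorToken', 1),
        # ConsentPromptBehaviorAdmin is the value Windows reads for the
        # administrator prompt; 'ConsentAdminBehavior', checked before, is
        # not, so that check could pass while UAC stayed at its default.
        (policies_system, 'ConsentPromptBehaviorAdmin', 1),
        (policies_system, 'ConsentPromptBehaviorUser', 1),
        (policies_system, 'PromptOnSecureDesktop', 1),

        # External device settings
        (winlogon, 'AllocateDASD', 2),
        (r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers',
         'AddPrinterDrivers', 1),
        (policies_system, 'MaxDevicePasswordFailedAttempts', 10),

        # Windows settings
        (r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1),
        (r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0),
        (policies_system, 'DisableAutomaticRestartSignOn', 1),
        (r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1),
        (winlogon, 'AutoAdminLogon', 0),
        (r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4),

        # Network settings
        (r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2),
        (tcpip, 'IPEnableRouter', 0),
        (tcpip, 'DisableIPSourceRouting', 2),
        (tcpip, 'KeepAliveTime', 300000),
        (tcpip, 'KeepAliveInterval', 30),
        (tcpip, 'EnableDeadGWDetect', 0),
        (tcpip, 'TcpMaxDataRetransmissions', 5),
        (tcpip, 'DontAddDefaultGatewayDefault', 1),
        (tcpip, 'PerformRouterDiscovery', 0),
        (tcpip, 'EnableICMPRedirect', 0),
        (tcpip, 'EnableICMPRedirects', 0),
        (tcpip, 'EnableMulticastForwarding', 0),
    )

    for key_path, value_name, expected in expected_values:
        check_reg_value(reg.HKEY_LOCAL_MACHINE, key_path, value_name, expected)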