| ➔ | Windows Server是企业IT环境中最重要的基础设施之一。合理的安全基线配置可以有效降低被攻击的风险。本文以Windows 11为例,介绍安全加固的核心要点。 |
▶一、账户安全配置
code
# 重命名内置管理员账户
$Computer = $env:COMPUTERNAME
$Admin = [ADSI]"WinNT://$Computer/Administrator"
$Admin.Rename("SecAdmin-" + (Get-Random -Min 1000 -Max 9999))
# 禁用来宾账户
Disable-LocalUser -Name "Guest"
▶二、组策略安全配置
通过 gpedit.msc 配置以下关键安全策略:
- ●拒绝从网络访问此计算机:加入非必要账户
- ●限制远程桌面连接数量:3
- ●设置客户端连接加密级别:高
- ●启用网络级认证(NLA)
▶三、安全基线配置
code
# 禁用SMBv1协议(高危漏洞)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# 启用SMB加密
Set-SmbServerConfiguration -EncryptData $true -Force
# 禁用LLMNR(避免NTLM中继攻击)
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -PropertyType DWORD
▶四、增强的审核策略
code
# 审核凭据验证
auditpol /set /subcategory:"凭据验证" /success:enable /failure:enable
# 审核敏感权限使用
auditpol /set /subcategory:"敏感权限使用" /success:enable /failure:enable
# 配置事件日志大小
wevtutil sl Security /ms:209715200 # 200MB
▶五、备份与恢复验证
安全加固前务必创建系统状态备份:
code
# 使用Windows Server Backup
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet
wbadmin get versions
▶六、Windows Defender应用控制
code
# 启用Windows Defender Application Control
# 仅允许可信应用运行
$PolicyPath = "$env:USERPROFILE\Desktop\AppControlPolicy.xml"
New-CIPolicy -FilePath $PolicyPath -ScanPath "C:\Program Files" -Level Auto
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"
# 配置AppLocker(通过组策略或PowerShell)
Set-AppLockerPolicy -PolicyType Appx -XmlPolicy $xml -Merge
▶七、远程管理安全
code
# 配置WinRM安全
# 启用HTTPS监听器
$cert = New-SelfSignedCertificate -DnsName "$env:COMPUTERNAME" -CertStoreLocation Cert:\LocalMachine\My
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{CertificateThumbprint=$cert.Thumbprint}
# 设置WinRM信任主机
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.0/24" -Concatenate
# 配置JEA (Just Enough Administration)
New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\JEASession.pssc
Register-PSSessionConfiguration -Name JEA -Path .\JEASession.pssc
▶八、定期安全评估
- ●使用Microsoft Security Compliance Toolkit检查安全基线
- ●运行Microsoft Defender for Cloud的漏洞评估
- ●配置Windows Server Update Services (WSUS) 管理补丁分发
- ●启用Azure Arc或System Center进行集中管理
- ●定期进行渗透测试和红队演练
2026-06-30
云上实践
合作伙伴意见反馈
