윈도우11 시작 23 레지스트 권한 변경 RDP 차단해보기 icacls 파이어 폭스

[동우]

REM "PowerShell 파워쉘 해킹 시도?"
REM "%windir%\System32\WindowsPowerShell\SAM 아쉽게 이 경로는 안된다 %windir%\System32\WindowsPowerShell 이렇게 해야 한다고" 
icacls "%windir%\System32\WindowsPowerShell" 
takeown /F "%windir%\System32\WindowsPowerShell" /A /R /D Y
icacls "%windir%\System32\WindowsPowerShell" /grant Administrators:F /t
icacls "%windir%\System32\WindowsPowerShell" /save d:\WindowsPowerShell.txt /t
REM icacls "%windir%\System32\WindowsPowerShell" /setintegritylevel H /t
icacls "%windir%\System32\WindowsPowerShell" /deny "NETWORK SERVICE":(OI)(CI)F "GUEST":(OI)(CI)F "IIS_IUSRS":(OI)(CI)F "REMOTE INTERACTIVE LOGON":(OI)(CI)F "*S-1-5-32-546:(OI)(CI)F" "*S-1-0-0:(OI)(CI)F" "*S-1-5-7:(OI)(CI)F" "*S-1-5-13:(OI)(CI)F" /t /inheritance:e
icacls "%windir%\System32\WindowsPowerShell" /setowner "NT SERVICE\TrustedInstaller" /t
icacls "%windir%\System32\WindowsPowerShell" /grant:r Administrators:RX /t
icacls "%windir%\System32\WindowsPowerShell"

REM icacls "%windir%\System32\WindowsPowerShell" /deny "*S-1-5-13":F"
REM 터미널 사용자 서버 "*S-1-5-13":F 

REM "복구 할때"
REM icacls "%windir%\System32\WindowsPowerShell" /reset /t
REM icacls /restore "%windir%\System32" d:\WindowsPowerShell.txt

https://cafe.daum.net/candan/GGFN/500

REM "파이어 폭스 권한 보안.. 이걸 안하면 이걸로 들어 와서 해킹 하려고함 ㅋㅋ 심지어 참고로 프로세스를 생성 해서 해킹 시도 한 로그를 보이더라는"

https://cafe.daum.net/candan/BLQD/111 게스트 해킹하는 놈 있다 ㅠ 

---

echo 제한된 파워쉘 https://4sysops.com/archives/mitigating-powershell-risks-with-constrained-language-mode/ https://cafe.daum.net/candan/ASdB/426
setx /m __PSLockDownPolicy 4

echo 보호 안함 기본값으로 하기 파워쉘 명령어 주어야 할때.    파워쉘이 실행 안되고 에러가 나면 이걸 해제 해야 한다.
setx /m __PSLockDownPolicy 0

$acl = Get-Acl "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications"

$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule(
"ANONYMOUS LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule2 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUEST", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule3 = New-Object System.Security.AccessControl.RegistryAccessRule(
"IIS_IUSRS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule4 = New-Object System.Security.AccessControl.RegistryAccessRule(
"REMOTE INTERACTIVE LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule5 = New-Object System.Security.AccessControl.RegistryAccessRule(
"Remote Management Users", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule6 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUESTS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule7 = New-Object System.Security.AccessControl.RegistryAccessRule(
"TERMINAL SERVER USER", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$acl.SetAccessRule($rule1)
$acl.SetAccessRule($rule2)
$acl.SetAccessRule($rule3)
$acl.SetAccessRule($rule4)
$acl.SetAccessRule($rule5)
$acl.SetAccessRule($rule6)
$acl.SetAccessRule($rule7)

$acl | Set-Acl -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications"

---

REM "게스트 이름 변경 하기 이름을 20자 까지 할수 있다고 하네요 다시 부팅 해야 변경됨"

REM "https://soohyunet.com/fullname%EC%A0%84%EC%B2%B4%EC%9D%B4%EB%A6%84-%EB%B3%80%EA%B2%BD%ED%95%98%EB%8A%94-%EB%B0%A9%EB%B2%95-4%EA%B0%80%EC%A7%80/"
REM powershell -command "-join ((35..38) + (48..57) + (65..90) + (97..122)|get-random -count 20| % {[char]$_})"
REM net user Guest /fullname:"홍길동"

---

# 바이러스가 모니터 해킹 하는거 차단 해보기 자기를 등록 해서 해킹 하는 것 같다.

$acl = Get-Acl "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers"

$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule(
"ANONYMOUS LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule2 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUEST", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule3 = New-Object System.Security.AccessControl.RegistryAccessRule(
"IIS_IUSRS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule4 = New-Object System.Security.AccessControl.RegistryAccessRule(
"REMOTE INTERACTIVE LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule5 = New-Object System.Security.AccessControl.RegistryAccessRule(
"Remote Management Users", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule6 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUESTS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule7 = New-Object System.Security.AccessControl.RegistryAccessRule(
"TERMINAL SERVER USER", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule8 = New-Object System.Security.AccessControl.RegistryAccessRule(
"NT AUTHORITY\NETWORK SERVICE", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$acl.SetAccessRule($rule1)
$acl.SetAccessRule($rule2)
$acl.SetAccessRule($rule3)
$acl.SetAccessRule($rule4)
$acl.SetAccessRule($rule5)
$acl.SetAccessRule($rule6)
$acl.SetAccessRule($rule7)
$acl.SetAccessRule($rule8)

$acl | Set-Acl -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers"

---

# 삼바 보호 해보기

$acl = Get-Acl "Registry::HKEY_LOCAL_MACHINE\SAM"

$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule(
"ANONYMOUS LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule2 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUEST", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule3 = New-Object System.Security.AccessControl.RegistryAccessRule(
"IIS_IUSRS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule4 = New-Object System.Security.AccessControl.RegistryAccessRule(
"REMOTE INTERACTIVE LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule5 = New-Object System.Security.AccessControl.RegistryAccessRule(
"Remote Management Users", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule6 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUESTS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule7 = New-Object System.Security.AccessControl.RegistryAccessRule(
"TERMINAL SERVER USER", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule8 = New-Object System.Security.AccessControl.RegistryAccessRule(
"NT AUTHORITY\NETWORK SERVICE", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$acl.SetAccessRule($rule1)
$acl.SetAccessRule($rule2)
$acl.SetAccessRule($rule3)
$acl.SetAccessRule($rule4)
$acl.SetAccessRule($rule5)
$acl.SetAccessRule($rule6)
$acl.SetAccessRule($rule7)
$acl.SetAccessRule($rule8)

$acl | Set-Acl -Path "Registry::HKEY_LOCAL_MACHINE\SAM"

---

echo 제한된 파워쉘 https://4sysops.com/archives/mitigating-powershell-risks-with-constrained-language-mode/ https://cafe.daum.net/candan/ASdB/426
setx /m __PSLockDownPolicy 4

echo 보호 안함 기본값으로 하기 파워쉘 명령어 주어야 할때.    파워쉘이 실행 안되고 에러가 나면 이걸 해제 해야 한다.
setx /m __PSLockDownPolicy 0

---

# 수상한 RDP 서버 삭제 하기 S-1-5-32-577  Builtin\RDS Management Servers

# https://learn.microsoft.com/en-gb/windows-server/identity/ad-ds/manage/understand-security-identifiers

# 레지스트리 경로에서 ACL 가져오기
$acl = Get-Acl -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# S-1-5-32-577 권한을 가진 액세스 규칙 찾기
$ruleToRemove = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "S-1-5-32-577" }

# 찾은 규칙을 제거
if ($ruleToRemove) {
    foreach ($rule in $ruleToRemove) {
        $acl.RemoveAccessRule($rule)
    }
    $acl | Set-Acl -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
}

---

 
# 원격 사용 해킹 차단 해보기
$acl = Get-Acl "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

$rule1 = New-Object System.Security.AccessControl.RegistryAccessRule(
"ANONYMOUS LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule2 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUEST", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule3 = New-Object System.Security.AccessControl.RegistryAccessRule(
"IIS_IUSRS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule4 = New-Object System.Security.AccessControl.RegistryAccessRule(
"REMOTE INTERACTIVE LOGON", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule5 = New-Object System.Security.AccessControl.RegistryAccessRule(
"Remote Management Users", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule6 = New-Object System.Security.AccessControl.RegistryAccessRule(
"GUESTS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule7 = New-Object System.Security.AccessControl.RegistryAccessRule(
"TERMINAL SERVER USER", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")

$rule8 = New-Object System.Security.AccessControl.RegistryAccessRule(
"NT AUTHORITY\NETWORK SERVICE", "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny")


$acl.SetAccessRule($rule1)
$acl.SetAccessRule($rule2)
$acl.SetAccessRule($rule3)
$acl.SetAccessRule($rule4)
$acl.SetAccessRule($rule5)
$acl.SetAccessRule($rule6)
$acl.SetAccessRule($rule7)
$acl.SetAccessRule($rule8)


$acl | Set-Acl -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

---

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "S-1-5-32-577" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v GuestAccess /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v GuestsAccess /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v IIS_IUSRSAccess /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v RemoteInteractiveLogonAccess /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v RemoteManagementUsersAccess /t REG_DWORD /d 0 /f

---

# 수상한 키보드 제거 

Remove-Item -Path "Registry::HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\KeyboardType Mapping\*" -Recurse -Force

# 엑센스 거부 되어 수정 불가능 하다 ㅠ 직접 수동으로 삭제 해야 한다

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ConnectionHandler

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TerminalTypes

Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ConnectionHandler\*" -Recurse -Force
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TerminalTypes\*" -Recurse -Force

[동우]

게스트 이름 변경 안되면 gpedit.msc 에서 로컬 보안 쪽에서 변경 하면 된다.
gpedit.msc
컴퓨터 구성 -> Windows 설정 -> 보안 설정 -> 로컬 정책 -> 보안 옵션 -> "계정: 게스트 계정 이름 바꾸기"의 정책 값을 "Guest"가 아닌 다른 이름으로 구성합니다.