2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
1. Requirements and functions
Server management today is inseparable from security. How long do you think it takes to check the security baseline of one Windows server?
Our check mainly covers: current server performance (CPU usage, memory utilization, disk utilization), security group policy hardening settings, registry hardening settings, system service hardening settings, and so on. The existing settings must be recorded and compared with our required settings to determine whether the inspection results comply with the security specification.
Done the traditional way, a skilled Windows administrator checking the items above would need, by a conservative estimate, 15 minutes per server; inspecting 10 servers takes more than 2 hours. Is there a more efficient way?
The answer is yes. For work I have used some vendors' baseline check tools; for Windows they all check much the same things, so you can write something similar yourself, define exactly what you want to check, and keep the interface concise. During an inspection you only need to type the command, drink some tea, wait about 1 minute for the check to complete, and read the results. For anyone who needs periodic security baseline checks, this definitely saves a lot of time. Pre-deployment takes no more than 3 minutes and is done once; after that, every security baseline check needs only one command. Checking 10 Windows servers may take 5 minutes, because you can open multiple sessions in SecureCRT and run them at the same time.
2. Implementation principle and display
2.1 Principle
The principle is to use Python's paramiko module to log in to the Windows server over the SSH protocol, call Windows PowerShell to execute the check commands, collect the results, judge them in the shell script, and output the result (including a result in HTM format). Windows Server 2008 R2 and 2012 R2 servers have been tested so far and run normally. Of course, some problems come up while writing the scripts, but there are ways to solve them. If you are interested in the script, you can discuss it.
2.2 Example display
After executing the script, enter the information of the Windows server you need to check.
The inspection results are output and judged automatically: red means non-compliant with the specification, green means compliant.
There are also results in HTM format, which the script automatically downloads to your SecureCRT save path using the sz command.
The main contents of the check include the compliance rate of the check items, server performance (CPU utilization, memory utilization, disk utilization), security group policy hardening settings, registry hardening settings, system service hardening settings, whether the latest patches are installed, high-risk ports, etc.
3. Preparation
3.1 A CentOS system: I use a CentOS 6.6 virtual machine (running on CentOS 7 may report an error). It executes the script, which in turn executes the Windows commands. Python is required (usually already installed).
3.2 Software: freeSSHd, which can be downloaded from the freeSSHd official website and is installed on each managed Windows server.
4. Installation of freeSSHd: on each Windows server, install freeSSHd by accepting the defaults and clicking Next at each step.
After installing freeSSHd, you need to make some settings, as shown in the figure:
Run freeSSHd for the first time as shown in the figure
Then click the freeSSHd icon in the lower right corner to make the relevant settings. In the SSH tab, set Command shell to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe as shown below:
Click "Add …" in the Users tab.
In the pop-up window, add the administrator account of the Windows server, then tick (√) the Shell option, as shown in the figure:
Finally, you can choose whether to turn off automatic updates in Automatic updates. I usually choose to turn it off.
After setting up, type "services.msc" in Start > Run and restart the freeSSHd service.
sshd is now set up on the Windows server.
Security settings (optional): configure IPsec on each Windows server so that only our CentOS server is allowed to connect to sshd on port 22, which blocks other, unauthorized SSH connections. This is recommended.
If the firewall is enabled, you also need to add a firewall rule that allows the freeSSHd program through. After the setting is completed, you can test whether the connection works by running telnet X.X.X.X (the Windows server IP) 22 on the CentOS server, as shown in the figure:
4.3 Script preparation
1) Download the shell script given later in this article
2) Upload the script to the CentOS server: run the rz command, then select the script to upload
4.4 Run the script to start the check
5. Script download address
Follow-up: scripting ideas
Identify the content to be checked -> collect the inspection results -> take the required data from the inspection results -> judge the data -> generate the results
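The steps above (identify, collect, extract, judge, generate), written out in Python with paramiko as section 2.1 describes. This is an added example, not the author's script: the check names, PowerShell commands, thresholds and sample output are assumptions, and `collect` assumes the freeSSHd session passes each command to PowerShell.

```python
import html
import re

# (name, command, value regex, rule); commands and thresholds are illustrative assumptions.
CHECKS = [
    ("CPU usage below 80%", "(Get-WmiObject Win32_Processor).LoadPercentage",
     r"(\d+)", lambda v: int(v) < 80),
    ("Minimum password length >= 8", "net accounts",
     r"Minimum password length:\s*(\d+)", lambda v: int(v) >= 8),
    ("RestrictAnonymous = 1",
     "(Get-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa).RestrictAnonymous",
     r"(\d+)", lambda v: v == "1"),
    ("RemoteRegistry service stopped", "(Get-Service RemoteRegistry).Status",
     r"(\w+)", lambda v: v == "Stopped"),
]

def collect(host, user, password):
    """Collect: run each command over SSH, return {check name: raw output}."""
    import paramiko  # imported here so the judging code runs without it
    with paramiko.SSHClient() as client:
        client.load_system_host_keys()
        client.set_missing_host_key_policy(paramiko.RejectPolicy())  # refuse unknown hosts
        client.connect(host, port=22, username=user, password=password, timeout=10)
        return {name: client.exec_command(cmd)[1].read().decode(errors="replace")
                for name, cmd, _, _ in CHECKS}

def judge(raw):
    """Extract and judge: missing or unparsable output counts as non-compliant."""
    rows = []
    for name, _, pattern, rule in CHECKS:
        m = re.search(pattern, raw.get(name, ""))
        rows.append((name, m and m.group(1), bool(m) and rule(m.group(1))))
    return rows

def compliance_rate(rows):
    return 100.0 * sum(ok for _, _, ok in rows) / len(rows)

def to_html(host, rows):
    cells = "".join(
        f'<tr><td>{html.escape(n)}</td><td>{html.escape(str(v))}</td>'
        f'<td style="color:{"green" if ok else "red"}">{"PASS" if ok else "FAIL"}</td></tr>'
        for n, v, ok in rows)
    return f"<h3>{html.escape(host)}: {compliance_rate(rows):.0f}%</h3><table>{cells}</table>"

SAMPLE = {  # constructed raw output; the RemoteRegistry result is deliberately missing
    "CPU usage below 80%": "12\r\n",
    "Minimum password length >= 8": "Minimum password length:          6\r\n",
    "RestrictAnonymous = 1": "1\r\n",
}
```

`to_html("192.0.2.10", judge(SAMPLE))` builds the report from the constructed sample; on a real host, pass the result of `collect(...)` to `judge` instead.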