---
tags: ccdc, CCDC2020
---
# Windows Scripts
## General Procedures
Firewall rules required for internet access (the internet will not work after blockinbound,blockoutbound):
1. Outbound DNS rules to the DNS server for all programs
2. Outbound HTTP/HTTPS rules to anywhere for the browser executable

Console Access Client responsibilities (lines beginning with REM are comments, not commands)
### First 5-10 minutes Script
``` batch
REM Run the following commands in an administrative command prompt on every machine
REM Batch script for the initial firewall lockdown
REM If handling more than one machine, run the next four lines on each machine first before going on
sc config mpssvc start= auto & REM If the Windows Firewall service is disabled, this enables it (note the space after "=")
sc start mpssvc & REM If the firewall service is stopped, this starts it (shows an error if already running; disregard)
netsh advfirewall reset & REM Resets the firewall to its defaults: deny inbound, allow outbound
netsh advfirewall firewall delete rule name=all & REM Deletes all rules
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound & REM On a server: blockinbound only
ipconfig & REM Show the IP address for the next step. DHCP renewals are now blocked, so the lease will eventually expire
ncpa.cpl & REM Right-click the interface, Properties, uncheck IPv6, AND set the IPv4 address manually (GUI)
netsh advfirewall firewall add rule name="CCSOUT" dir=out action=allow protocol=tcp remoteport=80 program="C:\CCS\CCSClient.exe" & REM Could be created in the GUI, but not as fast
gpresult /h %windir%\gpresult.html & REM Save a record of the (possibly misconfigured) group policy before removing it
rd /s /q %windir%\System32\GroupPolicy & REM Removes the local Group Policy object, including any firewall-related policies
type %windir%\inf\defltbase.inf | findstr /v "__Members" > default.inf & REM Default security template minus the group-membership lines, so local group membership is not reset
secedit /configure /db leedles.sdb /cfg default.inf & REM Apply the default security template from the current directory
gpupdate /force
```
### Change Passwords Script
``` batch
REM Change all user passwords. Type these two lines in the administrative prompt:
set "pwd=<PASSWORD>" & cls
start /wait notepad cup.bat & cup.bat
```
Contents of cup.bat (write it in the Notepad window that opens). If `pwd` is empty, `net user <name>` would only print account info and change nothing, so the script refuses to run in that case.
``` batch
@echo off
REM cup.bat script (advisable not to share between machines if you forgot to set the password above)
REM Create your own admin account and set a UNIQUE password for both the built-in Administrator and that user (jwong)
REM Likely unnecessary, but you can exclude users by adding usernames (separated by spaces) to the findstr pattern: "^$ Name kyah"
if not defined pwd (echo pwd is not set. Run: set "pwd=<PASSWORD>" & exit /b 1)
for /f %%i in ('wmic useraccount get name ^| findstr /r /v /i "^$ Name"') do net user %%i %pwd%
set "pwd="
net user administrator *
net user jwong * /add
net localgroup administrators jwong /add
exit
```
## More in depth firewall
### base.bat: Firewall rules for all Windows VMs (will not work on XP/2003)
``` batch
auditpol.exe /set /category:* /failure:enable /success:enable & REM Audit success and failure for every category
wmic share delete & REM Removes ALL shares. Never run on an SMB server such as the Active Directory Domain Controller
sc config mpssvc start= auto & REM Make sure there is no space before "=" (and exactly one after it)
sc start mpssvc & REM Shows an error if already started; disregard
sc config WinDefend start= auto
sc start WinDefend & REM Shows an error if already started; disregard
sc config EventLog start= auto
sc start EventLog & REM Shows an error if already started; disregard
```
``` batch
netsh advfirewall reset
netsh advfirewall firewall delete rule name=all
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%windir%\shortcut.lnk" & REM Log disguised as a shortcut; the default is %windir%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging maxfilesize 16384 & REM Size in KB
```
``` batch
REM Grab this machine's IPv4 address (token 14 of the "IPv4 Address . . . : x.x.x.x" line); if there are several adapters, the last one listed wins
for /f "tokens=14" %%i in ('ipconfig ^| findstr IPv4') do (
    set ip=%%i
)
REM Replace the angle-bracket placeholders with real addresses before running (cmd treats a bare "<" as input redirection)
netsh advfirewall firewall add rule name="dnsOUT" dir=out action=allow protocol=udp localip=%ip% remoteip=<DNS1> remoteport=53
netsh advfirewall firewall add rule name="ftpOUT" dir=out action=allow protocol=tcp localip=%ip% remoteip=<FTP> remoteport=21
netsh advfirewall firewall add rule name="icmpv4out" dir=out action=allow protocol=icmpv4 localip=%ip% remoteip=1.1.1.1
netsh advfirewall firewall add rule name="icmpv4in" dir=in action=allow protocol=icmpv4 localip=%ip% remoteip=<allowed_nets>
netsh advfirewall firewall add rule name="adOUT" dir=out action=allow localip=%ip% remoteip=<AD>
REM Allow the CCS client outbound
netsh advfirewall firewall add rule name="CCSOUT" dir=out action=allow protocol=tcp localip=%ip% remoteport=80 program="C:\CCS\CCSClient.exe" & REM The executable may be stored somewhere else
REM Browser paths; use the one that matches the installed browser:
REM C:\Program Files\Internet Explorer\iexplore.exe
REM C:\Program Files (x86)\Internet Explorer\iexplore.exe
REM C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
REM C:\Program Files\Mozilla Firefox\firefox.exe
REM Opera should be installed for "all users".
netsh advfirewall firewall add rule name="webOUT" dir=out action=allow protocol=tcp localip=%ip% remoteport=80,443 program="C:\Program Files (x86)\Internet Explorer\iexplore.exe"
netsh advfirewall firewall add rule name="logOUT" dir=out action=allow protocol=udp localip=%ip% remoteip=<LOG> remoteport=514 program="C:\Program Files (x86)\nxlog\nxlog.exe"
netsh advfirewall firewall add rule name="WU" dir=out action=allow protocol=tcp localip=%ip% remoteip=any remoteport=80,443 service=wuauserv & REM Windows Update, scoped to the wuauserv service
pause
```
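The logging commands above produce a W3C-style firewall log but the cheat sheet does not say what to do with it. The following PowerShell is an added example (not part of the original cheat sheet) that parses that log and summarizes dropped outbound connections (a process trying to call out that no rule covers: either a rule you still need, or something beaconing), dropped inbound connections (who is probing you), and the set of allowed outbound destinations. It assumes the log file name chosen above (`%windir%\shortcut.lnk`) and the standard `#Fields:` header order; the sample log lines are constructed so the script can be tried without a live log.

```powershell
# Added example: triage the Windows Firewall log written by the "logging" commands above.
# Assumption: the log was pointed at %windir%\shortcut.lnk as in the base.bat block; if that
# file does not exist, the constructed sample below is parsed instead.
$LogPath = "$env:windir\shortcut.lnk"

# Constructed sample log (not real traffic) in the pfirewall.log field layout.
$SampleLog = @"
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-01-25 10:15:32 ALLOW UDP 10.0.0.5 10.0.0.1 53211 53 0 - - - - - - - SEND
2020-01-25 10:15:40 DROP TCP 10.0.0.5 203.0.113.7 49812 4444 52 S 1234567 0 8192 - - - SEND
2020-01-25 10:15:41 DROP TCP 10.0.0.5 203.0.113.7 49813 4444 52 S 1234568 0 8192 - - - SEND
2020-01-25 10:15:45 DROP TCP 198.51.100.9 10.0.0.5 51000 445 52 S 7654321 0 8192 - - - RECEIVE
2020-01-25 10:16:02 ALLOW TCP 10.0.0.5 93.184.216.34 49820 443 52 S 2345678 0 8192 - - - SEND
"@

function Get-FirewallLogEvents {
    # Turns log lines into objects whose property names come from the #Fields: header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # skip truncated lines
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$lines  = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog -split "`r?`n" }
$events = Get-FirewallLogEvents -Lines $lines

# Outbound drops grouped by destination, so repeated attempts (beaconing) stand out by count.
"== Dropped outbound connections (a local process tried to call out) =="
$events | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
    Group-Object 'dst-ip', 'dst-port', 'protocol' |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Inbound drops: which remote hosts are probing this machine, and on which ports.
"== Dropped inbound connections (remote host probing this machine) =="
$events | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Allowed outbound destinations: anything outside the addresses you wrote rules for deserves a look.
"== Allowed outbound destinations =="
$events | Where-Object { $_.action -eq 'ALLOW' -and $_.path -eq 'SEND' } |
    Select-Object 'dst-ip', 'dst-port', 'protocol' -Unique |
    Format-Table -AutoSize
```

With the sample data the first table shows two drops to 203.0.113.7:4444, which is the pattern to look for during a competition: the same unexpected destination hit repeatedly from your box.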
### Backup the firewall config
1. Export the firewall policy: `netsh advfirewall export %userprofile%\settings.wfw`
2. Import it into the Group Policy Editor's Windows Firewall with Advanced Security (Local Computer Policy).
3. For all three profiles, select "No" for both options under "Rule Merging", so locally added rules cannot override the policy.
4. Run: `gpupdate /force`
## Enable UAC and set maximum security settings
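The section heading names the goal but gives no commands. As an added example (not from the original cheat sheet), the PowerShell below sets the UAC policy registry values to their most restrictive documented settings and then reads them back so you can confirm the change on each machine. The value names and meanings are the documented ones under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; the choice to do this via the registry rather than the Control Panel slider is an assumption of this example.

```powershell
# Added example: enable UAC and set it to the most restrictive level, then verify.
# Assumption: configuration via the policy registry key (equivalent to the "Always notify"
# slider position plus the hardening options the slider does not expose).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Desired = [ordered]@{
    EnableLUA                  = 1   # UAC on: Admin Approval Mode for all administrators (reboot to apply)
    ConsentPromptBehaviorAdmin = 2   # admins: prompt for consent on the secure desktop ("Always notify")
    ConsentPromptBehaviorUser  = 1   # standard users: prompt for credentials on the secure desktop
    PromptOnSecureDesktop      = 1   # prompts appear on the secure desktop, where other windows cannot overlay them
    FilterAdministratorToken   = 1   # the built-in Administrator account also runs in Admin Approval Mode
    EnableInstallerDetection   = 1   # installers trigger an elevation prompt instead of running silently
    EnableVirtualization       = 1   # legacy apps' writes to protected paths are redirected, not allowed
    EnableSecureUIAPaths       = 1   # only UIAccess apps in secure locations may bypass the prompt
}

function Set-UacMaximum {
    # Writes every desired value; -Force overwrites values that already exist.
    param([string]$Key = $UacKey, [System.Collections.IDictionary]$Values = $Desired)
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

function Test-UacMaximum {
    # Returns one row per setting with Expected, Actual and an Ok flag.
    param([string]$Key = $UacKey, [System.Collections.IDictionary]$Values = $Desired)
    $current = Get-ItemProperty -Path $Key
    foreach ($name in $Values.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Values[$name]
            Actual   = $actual
            Ok       = ($actual -eq $Values[$name])
        }
    }
}

Set-UacMaximum
Test-UacMaximum | Format-Table -AutoSize
Write-Host 'Reboot for the EnableLUA and FilterAdministratorToken changes to take effect.'
```

Run it from an elevated PowerShell; `Test-UacMaximum` alone is safe to run on any machine to audit without changing anything.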
## Disable All Scheduled Tasks (disableTasks.bat):
``` batch
REM /NH drops the CSV column header so it is not passed to "schtasks /change"; task names containing a comma are not handled
for /f "tokens=1 delims=," %%i in (
    'schtasks /Query /FO csv /NH ^| find /V "Disabled"'
) do (
    schtasks /change /tn %%i /disable
)
```
## Record Initial User Info (userInfo.bat):
``` batch
@echo off
REM Get account status (active/disabled), last logon, and group memberships for all users
for /f %%i in ('wmic useraccount get name ^| findstr /r /i /v "^$ Name"') do (
    echo %%i
    net user %%i | findstr /i "Last Active Group"
    echo -------------------------------------------------------
)
```
## Disable SMBv1
``` powershell
# Registry method (works on Windows 7 / Server 2008 R2 and later); reboot afterwards for it to take effect
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
```
## Credentials might be stored in memory (especially on Windows 7)
Install the KB2871997-v2 (WDigest) hotfix on Windows 7 and Server 2008 R2, then apply the following registry change on ALL Windows machines so WDigest stops keeping plaintext credentials in LSASS memory (`/f` overwrites the value without prompting):
``` powershell
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
```
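Both the SMBv1 section and the WDigest section above change a single registry value, and a machine that was missed (or quietly reverted) looks identical from the outside. The PowerShell below is an added example (not from the original cheat sheet) that verifies both settings on the local host and, on Windows 7 / Server 2008 R2, also checks that the KB2871997 hotfix is present, since without it the `UseLogonCredential` value is not honoured. It assumes the registry locations used above; `Get-SmbServerConfiguration` exists only on Windows 8 / Server 2012 and later, so the registry value is the check that works everywhere and the cmdlet is used only where available.

```powershell
# Added example: audit the SMBv1 and WDigest hardening from the sections above.
# Assumptions: the registry paths are the ones used in those sections; an absent value is
# reported as $null and treated as NOT hardened.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value (or whole key) absent
}

function Test-SmbHardening {
    $checks = @()
    $smb1 = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1'
    # On older builds an absent SMB1 value means the protocol is still enabled (the default).
    $checks += [pscustomobject]@{ Check = 'SMBv1 server (registry SMB1=0)'; Value = $smb1; Ok = ($smb1 -eq 0) }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        $checks += [pscustomobject]@{ Check = 'SMBv1 server (EnableSMB1Protocol)'; Value = $cfg.EnableSMB1Protocol; Ok = (-not $cfg.EnableSMB1Protocol) }
    }
    $checks
}

function Test-WDigestHardening {
    $checks = @()
    $wd = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    # Must be explicitly 0: on Windows 7 / 2008 R2, even with the hotfix, an absent value still keeps plaintext creds.
    $checks += [pscustomobject]@{ Check = 'WDigest UseLogonCredential=0'; Value = $wd; Ok = ($wd -eq 0) }

    $os = [Environment]::OSVersion.Version
    if ($os.Major -eq 6 -and $os.Minor -eq 1) {   # 6.1 = Windows 7 / Server 2008 R2, which need KB2871997
        $hotfix = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
        $checks += [pscustomobject]@{ Check = 'KB2871997 installed'; Value = [bool]$hotfix; Ok = [bool]$hotfix }
    }
    $checks
}

$results = @(Test-SmbHardening) + @(Test-WDigestHardening)
$results | Format-Table Check, Value, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning 'One or more hardening checks FAILED on this host.' }
```

Run it on every Windows box after the registry changes; any row with `Ok = False` is a machine to revisit.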
## Opera offline installer(s)
Base URL: https://ftp.opera.com/ftp/pub/opera/desktop/
- Windows XP/Server 2003: Opera_winxpvista_36.0.2130.80_Setup.exe
- Windows Vista/Server 2008: Opera_winxpvista_36.0.2130.80_Setup.exe
- Windows 2008 R2/7/8/10: most recent versions will work (60.0+)

## Need to hide/obscure a file?
In cmd, run `move sensitive_info.txt Firefox.lnk`
## Installing Updates from PowerShell or GUI:
Google "win-updates.ps1" (with quotes) and download the script.
``` powershell
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass   # Allows the unsigned script for this session only
.\win-updates.ps1
```