Listing #1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows ("run=" value)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows ("run=" value)
Listing #2
@echo off
REM Enumerate every service key under HKLM\SYSTEM\CurrentControlSet\Services and
REM print one line per service: "<key> -<start type>- <image path>" (see :SHOWINFO).
REM The 'delims' parameter of PULLINFO1 and PULLINFO2 should be a single TAB.
REM tokens=1 delims=[] keeps only the text between the square brackets that this
REM script expects around each subkey name in the reg.exe output.
REM NOTE(review): newer reg.exe prints full key paths without brackets, so the
REM extraction below may yield nothing there -- verify on the target OS.
for /f "tokens=1 delims=[]" %%I in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do call :PULLINFO1 %%I
REM START_TYPE is a global set by :SHOWINFO; clear it before leaving the script.
set START_TYPE=
goto :EOF
:PULLINFO1
REM %1 = service key name. Take the third token of the output line containing
REM "Start" (the data of the Start value) and pass it on with the key name.
REM NOTE(review): findstr "Start" is a plain substring match, so any other value
REM name containing "Start" would trigger an extra :PULLINFO2 call -- confirm
REM against the reg.exe output of the target OS.
for /f "tokens=3 delims= " %%I in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\%1 ^| findstr "Start" ') do call :PULLINFO2 %1 %%I
goto :EOF
:PULLINFO2
REM %1 = service key name, %2 = Start value. Take tokens 3 and 4 of the line
REM containing "ImagePath" and hand everything to :SHOWINFO for printing.
REM Only two tokens of the path are kept; an ImagePath that splits into more
REM than two whitespace-separated parts is truncated in the report.
for /f "tokens=3,4 delims= " %%I in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\%1 ^| findstr "ImagePath" ') do call :SHOWINFO %1 %2 %%I %%J
goto :EOF
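:SHOWINFO
REM Print "<key> -<start type>- <image path>" for one service.
REM   %1 = service key name, %2 = Start value, %3 (and %4) = ImagePath tokens.
REM Reset START_TYPE on every call: the original never cleared it, so a service
REM with an unrecognised Start value inherited the label of the previous service.
set START_TYPE=Unknown
REM Service Start values: 0 Boot, 1 System, 2 Automatic, 3 Manual (demand start),
REM 4 Disabled. The original mapped 3 to "Disabled" and had no case for 4.
REM Newer reg.exe prints REG_DWORD data as hex (0x2), so accept both spellings.
if /i {%2}=={0} set START_TYPE=Boot
if /i {%2}=={0x0} set START_TYPE=Boot
if /i {%2}=={1} set START_TYPE=System
if /i {%2}=={0x1} set START_TYPE=System
if /i {%2}=={2} set START_TYPE=Automatic
if /i {%2}=={0x2} set START_TYPE=Automatic
if /i {%2}=={3} set START_TYPE=Manual
if /i {%2}=={0x3} set START_TYPE=Manual
if /i {%2}=={4} set START_TYPE=Disabled
if /i {%2}=={0x4} set START_TYPE=Disabled
REM Re-join the two path tokens the caller split apart; a single-token path is
REM printed as-is.
if not "%4" == "" (echo %1 -%START_TYPE%- %3\%4) else (echo %1 -%START_TYPE%- %3)
goto :EOF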
Listing #3
@echo off
REM List sockets whose local address is 0.0.0.0:<port> in "netstat -an" output
REM and look each port up in port-numbers.txt (see :CLEAN).
REM delims=: splits the netstat line at the colons. %%I and %%J are passed
REM unquoted, so CALL re-splits them on spaces: :CLEAN receives %1=protocol,
REM %2=local address, %3=local port; anything after token 2 is dropped.
REM NOTE(review): only sockets bound to 0.0.0.0 match; sockets bound to a specific
REM address are not reported -- confirm that is the intended scope.
for /f "tokens=1,2 delims=:" %%I in ( 'netstat -an ^| findstr "0.0.0.0:[1-9]"' ) do call :CLEAN %%I %%J
goto :EOF
:CLEAN
REM %1 = protocol, %3 = local port (see the caller). X is the "resolved" flag that
REM :SETUP sets; reset it on every call so an unlisted port is reported as
REM UNKNOWN instead of inheriting the previous port's result.
set X=0
REM "TAB" in delims stands for a literal tab character that the listing cannot
REM show; replace it with a real tab before use. The \<...\> anchors are meant to
REM match the whole "port/proto" word so that, e.g., 13/tcp does not also hit
REM 137/tcp -- verify against the format of port-numbers.txt.
for /f "tokens=1,2,3 delims=TAB " %%A in ( 'findstr /I "\<%3/%1\>" port-numbers.txt' ) do call :SETUP %%A %%C %3 %1
if %X% == 0 echo %3/%1 ***UNKNOWN***
goto :EOF
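:SETUP
REM Print "<port>/<proto> <name> <third token>" for a matching line of
REM port-numbers.txt and mark the port as resolved for :CLEAN.
REM   %1 = service name, %2 = third token of the line, %3 = port, %4 = protocol.
echo %3/%4 %1 %2
REM The original line read "set X=1;" -- the semicolon became part of the value
REM ("1;"), which only passed the "== 0" test in :CLEAN by accident.
set X=1
goto :EOF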
Listing #4
@echo off
REM This script is an example to enforce better NTFS security on the file system.
REM Copyright 1998 Carnegie Mellon University
REM August 1998
REM
REM v0.91 Sept 04, 1998
REM Note that the %SystemRoot%\yes.txt is just a text file at c:\winnt\yes.txt that
REM simply contains a 'y' and then a hard return in it. CACLS asks if you are sure
REM all the time. The piping of the yes.txt will answer yes to that prompt.
REM
REM xcacls is used for a few items. It is part of the NT Resource Kit, but not
REM in the default install of NT.
REM Set the files on the Root Directories to read only for users
REM =================================================================
REM cacls /G without /E REPLACES the whole ACL: only the principals named on the
REM command line keep any access. /C continues past access-denied errors.
REM There is no /T here, so only the root directory itself (".") and its
REM immediate children ("*") are changed, not the subtrees below them.
REM NOTE(review): every other account or group with an ACE on these entries loses
REM it; review the grantee list against the machine's needs before running.
C:
cd \
cacls.exe . /G administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe * /C /G administrators:f system:f users:r <%SystemRoot%\yes.txt
REM Prevent general users from accessing the boot files...
REM ==================================================================
REM Only Administrators and SYSTEM keep access; Users are not listed, so they
REM lose even read. The ACL is replaced (no /E), dropping any pre-existing ACE.
REM Without /C, cacls reports an error for a file that is missing or denied
REM (ntbootdd.sys only exists on some installations); the script keeps going.
C:
cd \
cacls.exe boot.ini /G administrators:f system:f <%SystemRoot%\yes.txt
cacls.exe ntbootdd.sys /G administrators:f system:f <%SystemRoot%\yes.txt
cacls.exe ntdetect.com /G administrators:f system:f <%SystemRoot%\yes.txt
cacls.exe ntldr /G administrators:f system:f <%SystemRoot%\yes.txt
REM Program Files directories...
REM ===================================================================
REM First recurse through and just give read access to everyone to everything
REM in Program Files on C: and all files on the D:.
REM (No command for the D: drive appears in this script; only C:\Program Files
REM is handled below.)
REM /t recurses the whole tree and /g replaces each ACL with the three grantees.
REM NOTE(review): applications that write into their own Program Files directory
REM stop working for non-administrators once the tree is users:r; test first.
C:
cd \
cacls.exe "Program Files" /c /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
REM The TEMP directories....
REM ====================================================================
REM change permission on temp directory to allow additions from normal users...
REM
REM It would be best to give dir-rwx and file-none for the everyone group, but cacls.exe
REM isn't that specific. You can use the GUI or xcacls from the resource kit.
REM xcacls /y suppresses the confirmation prompt, so no yes.txt redirect is needed.
REM Users get exw (presumably read/execute/write) on the tree; files they create
REM are governed by the "creator owner" entry -- confirm the xcacls letter codes
REM against the Resource Kit documentation for the version in use.
REM This assumes c:\Temp already exists; nothing here creates it.
xcacls.exe c:\Temp /c /t /g "creator owner":cop administrators:f system:f users:exw /y
REM To prevent non-admins from deleting the temp directories...(put a locked file in it)
REM secure.dir is a copy of yes.txt that only Administrators and SYSTEM can touch,
REM then hidden; a directory holding a file the user cannot delete cannot be removed
REM by that user.
copy %SystemRoot%\yes.txt c:\Temp\secure.dir
cacls.exe c:\Temp\secure.dir /g administrators:f system:f <%SystemRoot%\yes.txt
attrib +h c:\Temp\secure.dir
REM The System Directory....(C:\winnt)
REM ======================================================================
REM Order matters in this section: each cacls /g call (no /e) REPLACES the ACL of
REM what it touches, so a later command can undo the grantees an earlier one set.
C:
cd %SystemRoot%
REM "*" without /t: every entry directly under %SystemRoot%, not the subtrees.
cacls.exe * /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
REM "." is the %SystemRoot% directory itself. Users receive exw here, which lets
REM them create files directly in the Windows directory.
REM NOTE(review): confirm that write on %SystemRoot% itself is really required;
REM it is a common place for applications to load files from.
xcacls.exe . /g "creator owner":cop administrators:f system:f users:exw /y
REM Recursively lock the listed subtrees to administrators:f system:f users:r.
cacls.exe config /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe cursors /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe help /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe forms /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe inf /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe java /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe media /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe ShellNew /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe system /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe system32 /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
REM SendTo must stay writable for users (shortcuts are created there).
xcacls.exe SendTo /c /t /g "creator owner":cop administrators:f system:f users:exw /y
REM The profiles tree needs to stay the same...
REM No /t: only the profiles directory itself is set; the per-user subtrees keep
REM their ACLs.
cacls.exe profiles /g administrators:f system:f "creator owner":c everyone:r <%SystemRoot%\yes.txt
REM Give access to .inf files, .exe files and .hlp files under system...consider using
REM just X (execute) for the com and exe files.
REM These run from %SystemRoot% with /t, so they match the patterns in EVERY
REM subtree, and without /c the first access-denied error stops that command.
REM NOTE(review): because /g replaces the ACL, matching files under profiles\
REM appear to lose the "creator owner" and everyone entries granted just above;
REM verify this is acceptable.
cacls.exe *.inf /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe *.hlp /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe *.txt /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe *.com /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe *.cpl /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe *.exe /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
cacls.exe *.dll /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
REM Exceptions to the rules....Nothing is simple.
REM ================================================================================
C:
cd %SystemRoot%
REM /e EDITS the existing ACL instead of replacing it: these add "creator owner"
REM and users:exw on the three directories themselves (no /t, so not their trees).
REM NOTE(review): users:exw on system32 itself lets Users create files in the
REM system directory; confirm this is needed rather than a narrower subfolder.
xcacls.exe system32 /e /g "creator owner":cop users:exw /y
xcacls.exe help /e /g "creator owner":cop users:exw /y
xcacls.exe forms /e /g "creator owner":cop users:exw /y
REM Per-user browser data: replaced ACL, no Users entry; owners keep change on
REM what they created.
cacls.exe cookies /t /c /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt
cacls.exe history /t /c /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt
cacls.exe occache /t /c /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt
REM repair holds the emergency repair copies; Administrators and SYSTEM only.
cacls.exe repair /t /c /g administrators:f system:f <%SystemRoot%\yes.txt
REM /e: add users:r to the viewers tree without removing the existing entries.
cacls.exe system32\viewers /t /c /e /g users:r <%SystemRoot%\yes.txt
REM do printers
REM (The two printer commands below are left commented out in the original.)
REM cacls.exe system32\spool\printers /t /c /e /g "creator owner":c <%SystemRoot%\yes.txt
REM cacls.exe system32\spool\drivers /t /c /e /g "creator owner":c <%SystemRoot%\yes.txt
REM allow write in the "Temporary Internet Files"
REM /e adds the three entries to the existing ACL; Users themselves are not
REM granted here, only owners of the files they create.
cacls.exe "Temporary Internet Files" /t /c /e /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt