Click here for a screen shot of the GUI in this script.

Addextender("WWWNT34I.DLL")

:top
J=RegExistValue(@REGMACHINE,"System\CurrentControlSet\Control\LSA[LMCompatibilityLevel]")
If J==@TRUE
key1=RegOpenkey(@REGMACHINE,"System\CurrentControlSet\Control\LSA")
NTLM=RegQueryValue(key1,"[LMCompatibilityLevel]")
endif

MyDialogFormat=`WWWDLGED,6.1`

MyDialogCaption=`Security LockDown by Chuck Arconi`
MyDialogX=143
MyDialogY=061
MyDialogWidth=416
MyDialogHeight=318
MyDialogNumControls=044
MyDialogProcedure=`DEFAULT`
MyDialogFont=`DEFAULT`
MyDialogTextColor=`DEFAULT`
MyDialogBackground=`DEFAULT,DEFAULT`
MyDialogConfig=0

MyDialog001=`241,205,064,012,PUSHBUTTON,DEFAULT,"Run Tool",1,1,32,DEFAULT,DEFAULT,DEFAULT`
MyDialog002=`041,233,112,010,STATICTEXT,DEFAULT,"to anonymous users but will minimize leakage.",DEFAULT,2,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog003=`023,027,136,012,STATICTEXT,DEFAULT,"Set's the level for NTLM authentication that is allowed.",DEFAULT,3,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog004=`039,285,064,012,EDITBOX,reg2rst,"enter value 1 or 2",DEFAULT,4,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog005=`319,205,064,012,PUSHBUTTON,DEFAULT,"Exit",9,5,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog006=`035,223,140,008,STATICTEXT,DEFAULT,"1 will still permit certain information to be made available",DEFAULT,6,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog007=`021,015,056,012,CHECKBOX,Reg1,"NTLM Lockdown",1,7,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog008=`023,207,090,012,CHECKBOX,Reg2,"Prevent Null Session connection",2,8,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog009=`023,163,108,012,CHECKBOX,reg3,"Prevent the LM Hash from Being Stored",3,9,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog010=`227,015,088,012,CHECKBOX,reg4,"Prevent remote Registry access",4,10,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog011=`131,205,064,012,PUSHBUTTON,DEFAULT,"3. Read Desciption",3,11,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog012=`131,163,064,012,PUSHBUTTON,DEFAULT,"2. Read Desciption",2,12,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog013=`131,013,064,012,PUSHBUTTON,DEFAULT,"1. Read Description",5,13,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog014=`031,177,076,008,STATICTEXT,DEFAULT,"( Windows 2000 and XP only )",DEFAULT,14,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog015=`061,057,036,012,VARYTEXT,NTLM,"Current level",DEFAULT,15,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog016=`023,057,036,012,STATICTEXT,DEFAULT,"Current level:",DEFAULT,16,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog017=`023,073,158,012,STATICTEXT,DEFAULT,"0 - Send LM response and NTLM response; never use NTLMv2",DEFAULT,17,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog018=`023,085,158,012,STATICTEXT,DEFAULT,"1 - Use NTLMv2 session security if negotiated",DEFAULT,18,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog019=`023,097,158,012,STATICTEXT,DEFAULT,"2 - Send NTLM authentication only",DEFAULT,19,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog020=`023,109,158,012,STATICTEXT,DEFAULT,"3 - Send NTLMv2 authentication only",DEFAULT,20,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog021=`023,121,158,012,STATICTEXT,DEFAULT,"4 - DC refuses LM authentication",DEFAULT,21,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog022=`023,133,168,012,STATICTEXT,DEFAULT,"5 - DC refuses LM and NTLM authentication (accepts only NTLMv2",DEFAULT,22,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog023=`079,041,064,012,EDITBOX,NTLM00,"enter value 1 to 5",DEFAULT,23,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog024=`023,043,054,008,STATICTEXT,DEFAULT,"Set NTLM security to:",DEFAULT,24,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog025=`035,249,148,012,STATICTEXT,DEFAULT,"2 is for Windows 2000 and XP and will bar anonymous users",DEFAULT,25,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog026=`039,259,146,012,STATICTEXT,DEFAULT,"from all information where explicit access has not been grant-",DEFAULT,26,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog027=`039,269,086,012,STATICTEXT,DEFAULT,"-ed to them or the Everyone group.",DEFAULT,27,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog028=`325,015,064,012,PUSHBUTTON,DEFAULT,"4. Read Desciption",6,36,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog029=`229,047,072,012,CHECKBOX,reg5,"Run IIS Lockdown Tool",5,37,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog030=`229,075,084,012,CHECKBOX,reg6,"Change local admin account",6,40,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog031=`327,075,064,012,PUSHBUTTON,DEFAULT,"6. Read Description",8,42,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog032=`229,105,080,012,CHECKBOX,reg7,"Set auditing for base objects",9,43,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog033=`229,117,120,012,CHECKBOX,reg8,"Set auditing for backup and restore privileges",10,44,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog034=`327,103,064,012,PUSHBUTTON,DEFAULT,"7. Read Description",11,49,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog035=`229,145,090,012,CHECKBOX,reg9,"Restrict printer driver installation",13,50,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog036=`327,145,064,012,PUSHBUTTON,DEFAULT,"8. Read Description",12,52,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog037=`015,005,198,148,GROUPBOX,DEFAULT,"(1)",DEFAULT,28,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog038=`015,155,198,036,GROUPBOX,DEFAULT,"(2)",DEFAULT,31,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog039=`015,193,198,112,GROUPBOX,DEFAULT,"(3)",DEFAULT,33,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog040=`217,005,184,030,GROUPBOX,DEFAULT,"(4)",DEFAULT,45,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog041=`217,037,184,026,GROUPBOX,DEFAULT,"(5)",DEFAULT,46,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog042=`217,065,184,028,GROUPBOX,DEFAULT,"(6)",DEFAULT,39,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog043=`217,095,184,038,GROUPBOX,DEFAULT,"(7)",DEFAULT,41,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog044=`217,135,184,030,GROUPBOX,DEFAULT,"(8)",DEFAULT,38,DEFAULT,DEFAULT,DEFAULT,DEFAULT`

ButtonPushed=Dialog("MyDialog")



If ButtonPushed==3
runwait("notepad.exe","NullSession.txt")
goto top
endif
If ButtonPushed==5
runwait("notepad.exe","LMHashing.txt")
goto top
endif
If ButtonPushed==6
runwait("notepad.exe","RegistryAccess.txt")
goto top
endif
If ButtonPushed==2
runwait("notepad.exe","NoHashSave.txt")
goto top
endif
If ButtonPushed==8
message('Account Rename','This will rename the "Local Admin" account to "Joe user" and create a dummy administrator account.')
goto top
endif
If ButtonPushed==11
line1="Certain programming objects (i.e., base named objects) are not audited by default when auditing of object and file access is enabled."
line2="%@CRLF%Likewise, the Backup and Restore user rights are not audited by default when use of user rights auditing is enabled."
line3="%@CRLF%If you turn this auditing on, it will generate a large volume of event log entries when a backup or restore is done."
line4="%@CRLF%Adjust the size of your security event log if you enable this auditing."
line5="%@CRLF%"
line6="%@CRLF%WARNING: Making this change can result in a very large volume of event log messages, making it difficult for you to find legitimate events of interest."
line7="%@CRLF%Don't do this unless you think it's necessary to track an exposure."
line=Strcat(line1,line2,line3,line4,line5,line6,line7)
message("Auditing",line)
goto top
endif
If ButtonPushed==12
pline1="Restrict printer driver installation to Administrators only."
pline2="%@CRLF%Who can add printer drivers is controlled by the value of a registry entry."
pline3="%@CRLF%The value should be set to 1 to allow only administrators to install printer drivers on servers and domain controllers."
pline=Strcat(pline1,pline2,pline3)
message("Restrict Printer Driver",pline)
goto top
endif
If ButtonPushed==9 then EXIT
If Reg1==1 then gosub REG1
If Reg2==2 then gosub REG2
If Reg3==3 then gosub REG3
If Reg4==4 then gosub REG4
If Reg5==5 then gosub REG5
If Reg6==6 then gosub REG6
If Reg7==9 then gosub REG7
If Reg8==10 then gosub REG8
If Reg9==13 then gosub REG9
gosub deflts
filedelete("iislockd.exe")
message("SecureLockDown","Lock Down Completed")
EXIT

:REG1 ;NTLM Level
RegSetEx(@REGMACHINE,"System\CurrentControlSet\Control\LSA[LMCompatibilityLevel]",NTLM00, "", 4)
return

:REG2 ;Restrict anonymous access / Null Session
RegSetEx(@REGMACHINE,"System\CurrentControlSet\Control\LSA[RestrictAnonymous]",reg2rst, "", 4)
return

:REG3 ;LM Hashing
key3=RegOpenkey(@REGMACHINE,"System\CurrentControlSet\Control\LSA")
RegSetValue(@REGMACHINE,"System\CurrentControlSet\Control\LSA[NoLMHash]","1")
RegCloseKey(key3)
return

:REG4 ; NO remote Registry Access
key4=RegOpenkey(@REGMACHINE,"System\CurrentControlSet\Control")
key41=RegCreateKey(key4,"SecurePipeServers")
key42=RegCreateKey(key41,"winreg")
RegSetValue(@REGMACHINE, "System\CurrentControlSet\Control\SecurePipeServers\winreg[Description]","Registry Server")
RegCloseKey(key4)
RegCloseKey(key41)
RegCloseKey(key42)
return

:REG5 ;IIS Lock Down Tool
RunWait("iislockd.exe","/Q")
return

:REG6 ;Change local admin account
Addextender("WWWNT34I.DLL")
wntUserRename("","administrator","defaultuser")
wntUserAddDat("name", "Administrator")
wntUserAddDat("full_name", "Administrator")
wntUserAddDat("flags", 1)
wntUserAddDat("acct_expires", "0000:00:00:00:00:00")
wntUserAddDat("password", "yourPassword")
wntUserAdd("")
return

:REG7 ;Set auditing (if enabled) for base objects and for backup and restore
;To set auditing for base objects:
key10=RegSetEx(@REGMACHINE,"SYSTEM\CurrentControlSet\Control\Lsa[AuditBaseObjects]","1", "", 4)
return

:REG8 ;Set auditing (if enabled) for base objects and for backup and restore
;To set auditing for backup and restore privileges:
key11=RegSetEx(@REGMACHINE,"SYSTEM\CurrentControlSet\Control\Lsa[FullPrivilegeAuditing]","1", "", 4)
return

:REG9
;***Restrict printer driver installation to Administrators only ***
key6=RegSetEx(@REGMACHINE,"system\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers[AddPrintDrivers]","1", "", 4)
return

:DEFLTS
;***Remove Shutdown button from logon dialog ***
key5=RegSetEx(@REGMACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon[ShutdownWithoutLogon]","0", "", 4)

;***Restrict untrusted users' ability to plant Trojan horse programs ***
;RegHandle=RegOpenKey(@RegCurrent,"system\CurrentControlSet\Control\LSA")
;Ok=wntAccessAdd("",RegHandle,"RestrictAnonymous",401,"Reg:Full")
;RegCloseKey(RegHandle)

;***Set the paging file to be cleared at system shutdown ***
key7=RegSetEx(@REGMACHINE,"system\CurrentControlSet\Control\Session Manager\Memory Management[ClearPageFileAtShutdown]","1", "", 4)

;***Restrict floppy drive and CD-ROM drive access to the interactive user only ***
key8=RegSetEx(@REGMACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon[AllocateFloppies]","1", "", 1)
key9=RegSetEx(@REGMACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon[AllocateCdRoms]","1", "", 1)

;***Hide the name of the last logged-in user ***
key12=RegSetEx(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\winlogon[DontDisplayLastUserName]","1", "", 1)

return