Batch File for New Windows Server


I use this batch file to deploy new servers, whether 2003, 2008 or 2012. I run it after the initial Windows install and before joining a domain. It includes various ‘fixes’: it disables all SSL versions and weak ciphers for IIS, installs the Telnet client on 2008 and above, allows joining a single-label domain, properly disables the Windows firewall, and so on.

Updated to restrict more weak cipher suites and enable TLS1.0 through TLS1.2.

Replace the 1.1.1.1 placeholder IPs (the NTP peer and the WSUS server) with your own addresses.

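@echo off
:: ----------------------------------------------------------------------
:: New-server baseline for Windows Server 2003 / 2008 / 2012.
:: Run once after the initial Windows install and BEFORE joining a domain;
:: it resets the WSUS client registry policy, so never run it on a domain
:: member (use the WSUS-reinstall scripts for that).
:: Placeholders: replace the 1.1.1.1 addresses below with the real NTP peer
:: (w32tm step) and the real WSUS server (WUServer / WUStatusServer values).
:: cmd does not stop on a failing command, so a tool that may be absent on an
:: older release (pkgmgr, tzutil, dism, timeout) just prints an error and the
:: script continues with the next step.
:: ----------------------------------------------------------------------
echo:
echo ======================================================================
echo DO NOT RUN THIS SCRIPT ON A DOMAIN MEMBER SERVER!
echo USE WSUS-REINSTALL SCRIPTS INSTEAD TO RESET WSUS CLIENT.
echo ======================================================================
PAUSE
echo:
:: Install Telnet client (pkgmgr exists on 2008 and above; dism below covers
:: the same feature again on newer releases)
echo Installing Telnet client...
pkgmgr /iu:"TelnetClient"

echo:
:: Allow single label domain name (i.e., domain vs domain.com)
echo ----------------------------------------------------------------------
echo Setting 'Allow single label domain name'...
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v "AllowSingleLabelDnsDomain" /t reg_dword /d 00000001 /f

echo:
:: Disable subcategory logging for event IDs 5156, 5757, 4963
:: (these two Filtering Platform subcategories are the noisy per-packet /
:: per-connection audits; the rest of the audit policy is left unchanged)
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

echo:
:: Set Windows Firewall to OFF for all profiles - only if behind hardware firewall
:: The service is started first so netsh can switch every profile off, then
:: left installed with demand start rather than removed.
echo ----------------------------------------------------------------------
echo Disabling Windows Firewall...
net start MpsSvc
netsh advfirewall set allprofiles state off
sc config "MpsSvc" start= demand

echo:
:: Set RDP to enabled from its default setting of not allowed
echo ----------------------------------------------------------------------
echo Enabling RDP...
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t reg_dword /d 00000000 /f

echo:
:: Set NTP client - for non-domain servers only
:: tzutil is the modern way to set the zone; the RunDLL32 line is the legacy
:: equivalent kept for older releases. Both target the same zone name.
echo ----------------------------------------------------------------------
echo Syncing with NTP server...
sc config w32time start= auto
net start w32time
tzutil /s "Central Standard Time"
RunDLL32.exe shell32.dll,Control_RunDLL timedate.cpl,,/Z Central Standard Time
:: 1.1.1.1 is a placeholder for the site NTP server
w32tm /config /manualpeerlist:"1.1.1.1" /syncfromflags:manual /update
net stop w32time && net start w32time
w32tm /resync

echo:
:: Enable Telnet and SNMP
echo ----------------------------------------------------------------------
dism /online /enable-feature /featurename:TelnetClient /featurename:SNMP /featurename:Server-RSAT-SNMP

echo:
:: Reinstall WSUS client and clear potentially corrupt files
:: Order matters: stop the services, clear the download cache and any stale
:: policy, re-register the engine, write the new policy, then start again.
echo ----------------------------------------------------------------------
echo Setting up WSUS client...
net stop bits && net stop wuauserv
ipconfig /flushdns
:: Both paths are tried so the cache is cleared on old and new folder layouts
del "C:\Users\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
del "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonTime" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonType" /f
net start wuauserv
net stop bits && net stop wuauserv
regsvr32 wuaueng.dll /s
:: 1.1.1.1 is a placeholder for the WSUS server. The URL is plain http; WSUS
:: can also be published over https, which protects the update metadata
:: channel in transit - switch the scheme here if the server offers it.
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUStatusServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroupEnabled" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroup" /t reg_sz /d "WSUS Servers" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "UseWUServer" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "NoAutoUpdate" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "AUOptions" /t reg_dword /d 00000002 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallDay" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallTime" /t reg_dword /d 00000003 /f
net start bits && net start wuauserv
wuauclt.exe /detectnow

echo:
:: Set ArpRetryCount registry entry for IP conflict issue on 2008
echo ----------------------------------------------------------------------
echo Setting ArpRetryCount registry entry...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ArpRetryCount" /t reg_dword /d 00000000 /f

echo:
echo ----------------------------------------------------------------------
echo Disabling weak SSL ciphers...

:: Schannel event logging on, then each weak cipher explicitly disabled
:: (NULL, every RC2/RC4 key length, and 3DES)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel" /v "EventLogging" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\NULL" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/56" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 64/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\Triple DES 168" /v "Enabled" /t reg_dword /d 00000000 /f

:: Protocol toggles below set both keys Schannel consults per side:
:: DisabledByDefault=1 / Enabled=0 disables, DisabledByDefault=0 / Enabled=1
:: enables, for Client and Server independently.

:: Disable PCT 1.0
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv3
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Enable TLS1.0, TLS1.1, TLS1.2
:: TLS 1.0 and 1.1 are kept on for older clients; remove those eight lines
:: once nothing on the network still needs them.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "Enabled" /t reg_dword /d 00000001 /f

echo:
:: Rename default Administrator account, rename & disable Guest account
:: NewGuest / NewAdmin are fixed here and therefore easy to guess; pick
:: site-specific names when adapting the script.
echo ----------------------------------------------------------------------
echo Renaming Administrator and Guest accounts...
wmic useraccount where name='Guest' call rename name='NewGuest'
wmic useraccount where name='NewGuest' set disabled='True'
wmic useraccount where name='Administrator' set passwordexpires='False'
wmic useraccount where name='Administrator' call rename name='NewAdmin'
net accounts /maxpwage:90
echo ======================================================================
echo If Admin account was renamed, log out before making further changes.
echo ======================================================================
:: Default to "none" so a plain ENTER exits: set /p leaves the variable
:: untouched when the user enters nothing. (A bare "set ask==none" would
:: store the literal "=none" and break the comparison below.)
set "ask=none"
set /p "ask=Log out now? Type YES, NO or hit ENTER to exit:"
:: Quoted, case-insensitive comparison so an empty answer or one with
:: spaces cannot produce a syntax error. Only an explicit yes logs off;
:: every other answer (no, none, or anything unrecognised) exits, instead
:: of falling through into the :logoff label.
if /i "%ask%"=="y" goto logoff
if /i "%ask%"=="yes" goto logoff
goto exit
:logoff
echo Logging off...
logoff
:exit
echo ======================================================================
echo Remember to log off if Admin account has been renamed.
echo ======================================================================
timeout 5 > nul
exit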