https://cafe.daum.net/candan/AurF/106 Audit failures: when logons from unknown sources appear.
echo Export
md d:\secedit
secedit /export /cfg d:\secedit\cfg.ini > nul
tar -cvzf secedit.zip d:\secedit
echo Compress a backup just in case
notepad d:\secedit\cfg.ini
echo Edit
SeDenyNetworkLogonRight = Guest
SeDenyInteractiveLogonRight = Guest
echo Block local logon: SeDenyInteractiveLogonRight
SeDenyBatchLogonRight = Guest
SeDenyServiceLogonRight = Guest
SeDenyRemoteInteractiveLogonRight = Guest
echo Insert these if they are missing
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins,DenyNetworkAccess
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-113,Enterprise Admins,Domain Admins
echo Being lazy: register the 5 while deleting the 2.
A mapping error occurs :(
SeInteractiveLogonRight S-1-5-32-546
echo Remove Guest from Allow log on locally; "S-1-5-32-546" means Guest
echo Apply
secedit /configure /db test.sdb /cfg d:\secedit\cfg.ini
echo Input does not work -_-;; sadly.. This one works. Any name will do for the db. If it is missing
SeDenyRemoteInteractiveLogonRight
S-1-5-113  Local
S-1-5-14  Remote interactive logon
S-1-5-17  Default Internet Information Services (IIS) user
S-1-5-32-555  Remote Desktop Users
S-1-5-32-568  IIS Builtin
S-1-5-32-575  RDS Remote Access
S-1-5-32-576  RDS Endpoint Servers
S-1-5-32-577  Builtin\RDS Management Servers
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-113,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577
*S-1-5-9  Enterprise Domain Controllers
*S-1-5-domain-513**
*S-1-5-domain-514**
*S-1-5-domain-515**
*S-1-5-domain-516**
*S-1-5-root domain-518**
*S-1-5-root domain-519**
*S-1-5-domain-520**
*S-1-5-domain-553**
*S-1-5-9,*S-1-5-domain-513**,*S-1-5-domain-514**,*S-1-5-domain-515**,*S-1-5-domain-516**,*S-1-5-root domain-518**,*S-1-5-root domain-519**,*S-1-5-domain-520**,*S-1-5-domain-553**
echo Only one of them gets registered, lol
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-113,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9,*S-1-5-32-544
*S-1-5-32-544  Administrators
SeRelabelPrivilege =
Not defined
Writing nothing means that everyone is allowed.
So it seems that something has to be written.
echo Everyone *S-1-1-0
*S-1-1-0
*S-1-2-0
*S-1-2-1
*S-1-5-80-0
*S-1-1-0,*S-1-2-0,*S-1-2-1,*S-1-5-80-0
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-113,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9,*S-1-5-32-544,*S-1-1-0,*S-1-2-0,*S-1-2-1,*S-1-5-80-0
https://docs.microsoft.com/ko-kr/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network
SeDenyNetworkLogonRight
Network-related enumeration issue
Anonymous logon
Built-in local Administrator account
Local Guest account
All service accounts
*S-1-5-7  Anonymous
*S-1-5-113  Local
*S-1-5-80-0  All services
*S-1-5-113,*S-1-5-80-0
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9,*S-1-5-113,*S-1-5-80-0
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-113,*S-1-5-14,*S-1-5-17,*S-1-5-32-555,*S-1-5-32-568,*S-1-5-32-575,*S-1-5-32-576,*S-1-5-32-577,*S-1-5-9,*S-1-5-32-544,*S-1-1-0,*S-1-2-0,*S-1-2-1,*S-1-5-80-0
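The hand-editing step in these notes, as an added Python example that is not part of the original post: it parses the [Privilege Rights] section of the exported cfg.ini, flags entries that are not well-formed `*S-1-...` SIDs (a missing `*`, a placeholder such as `*S-1-5-domain-513`, or an account name that has to resolve on the machine), and adds SIDs to the five SeDeny* rights without duplicates. The sample text and all function names are constructed for illustration; it assumes the security-template convention that a SID carries a leading `*` and any other entry is treated as an account name.

```python
import re
# Constructed sample of an exported cfg.ini (a real export is normally UTF-16:
# read it with open(path, encoding="utf-16")).
SAMPLE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-546
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546
SeDenyInteractiveLogonRight = Guest,S-1-5-32-546,*S-1-5-domain-513,Domain Admins
[Version]
signature="$CHICAGO$"
"""
SID = re.compile(r"\*S-1-\d+(-\d+)+")  # assumed form of a SID entry: *S-1-<digits>-...
DENY = ["SeDenyNetworkLogonRight", "SeDenyInteractiveLogonRight", "SeDenyBatchLogonRight",
        "SeDenyServiceLogonRight", "SeDenyRemoteInteractiveLogonRight"]

def parse_rights(text):
    """Return {right: [entries]} for the [Privilege Rights] section only."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [e.strip() for e in value.split(",") if e.strip()]
    return rights

def lint(rights):
    """List (right, entry, kind) for every entry that is not a well-formed *SID."""
    out = []
    for right, entries in rights.items():
        for e in entries:
            if SID.fullmatch(e):
                continue
            # "bad-sid": looks like a SID but lacks * or has non-numeric parts.
            # "name": an account name that must resolve on the target machine.
            kind = "bad-sid" if e.lstrip("*").upper().startswith("S-1-") else "name"
            out.append((right, e, kind))
    return out

def ensure(rights, sids, names=DENY):
    """Add each SID to each named right once, creating the right if it is missing."""
    for name in names:
        entries = rights.setdefault(name, [])
        for s in sids:
            if s not in entries:
                entries.append(s)
    return rights

def render(rights):
    # Lines for the [Privilege Rights] section, ready to paste back into cfg.ini.
    return [f"{k} = {','.join(v)}" for k, v in rights.items()]
```

Running `lint` on the parsed file before `secedit /configure` shows which entries depend on name resolution, and `render` gives the lines to put back under [Privilege Rights].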
https://cafe.daum.net/candan/BLQD/58 Trusted credentials
wmic.exe useraccount where "localaccount=true" get name,sid,disabled
Administrator ??-500
Register only the admin
SeTrustedCredManAccessPrivilege = *S-1-5-21-27797481-235746463-772742770-500