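@echo off
setlocal EnableDelayedExpansion
color 0a
title  @@ 使用ipsec双向禁止137,139,445端口，更改远程端口 @@
rem Purpose: (1) install a static IPsec policy that blocks TCP and UDP 135, 137,
rem 139 and 445 to/from any address, then (2) optionally move the RDP listener
rem port and re-enable Remote Desktop in the registry.
rem Requires an elevated prompt: netsh ipsec and reg add under HKLM both need
rem administrator rights; without them every step fails and the host stays
rem unprotected, so bail out early instead of printing a wall of errors.
net session >nul 2>&1
if errorlevel 1 (
  echo 请以管理员身份运行本脚本
  pause>nul
  exit /b 1
)

rem One source of truth for the IPsec object names. The original script created
rem policy BAN-135-137-139-445 but attached the rule to a policy named
rem BAN-137-139-445, so the rule never landed in the assigned policy and the
rem ports were not actually blocked.
set "POLICY=BAN-135-137-139-445"
set "FLIST=137and139and445"
set "FACTION=block"
set "RULE=BAN-137-139-445"

echo ******************************************************************
echo * 请确保没有安全软件或权限拦截 ，使用ipsec双向禁止137,139,445端口*
echo ******************************************************************
echo.
rem netsh ipsec static is the legacy IPsec policy store; on current Windows the
rem same block is normally expressed as Windows Firewall with Advanced Security
rem rules. Confirm the policy really took effect with: netsh ipsec static show all
netsh ipsec static add filteraction name=%FACTION% action=block
netsh ipsec static add filterlist name=%FLIST%
netsh ipsec static add policy name=%POLICY% assign=yes

rem srcaddr=any dstaddr=any with only dstport set: every packet whose
rem destination port is one of these is dropped regardless of which side
rem started it. That also blocks this host's own SMB/RPC *client* traffic
rem (file shares, domain controllers on 445/135), not just inbound connections.
for %%p in (135 137 139 445) do (
  for %%t in (TCP UDP) do (
    netsh ipsec static add filter filterlist=%FLIST% srcaddr=any dstaddr=any protocol=%%t dstport=%%p
  )
)
netsh ipsec static add rule name=%RULE% policy=%POLICY% filterlist=%FLIST% filteraction=%FACTION%
echo.
echo 现在已经禁止135,137,139,445端口
echo.
echo 按任意键更改远程端口，如无需更改请右上角关闭本窗口
pause>nul
echo *******************************************************************************
echo * 请确保没有安全软件或权限拦截，端口推荐范围：10000-65535，不能与其他端口冲突 *
echo *******************************************************************************
echo.

:ask_port
rem Clear first: set /p keeps the previous value when the user just presses
rem Enter, so a stale port variable inherited from the environment would
rem otherwise be written to the registry unchanged.
set "port="
set /p "port=请输入端口号："
rem Validate with delayed expansion (!port!) so characters such as & | > in the
rem typed value are never re-parsed as commands. Only a plain decimal number
rem without a leading zero (cmd would treat it as octal) in 1024-65535 is
rem accepted; the lower bound also keeps it clear of the ports blocked above.
if not defined port goto :bad_port
if "!port:~0,1!"=="0" goto :bad_port
set "chk=!port!"
for %%d in (0 1 2 3 4 5 6 7 8 9) do set "chk=!chk:%%d=!"
if defined chk goto :bad_port
if !port! LSS 1024 goto :bad_port
if !port! GTR 65535 goto :bad_port

rem Both PortNumber values must agree, otherwise the listener and the
rem transport driver disagree about the RDP port after reboot.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d !port! /f
if errorlevel 1 goto :reg_failed
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d !port! /f
if errorlevel 1 goto :reg_failed
echo.
echo ***************************
echo * 远程端口需重启服务器生效*
echo ***************************
rem NOTE(review): the built-in Windows Firewall "Remote Desktop" rule only
rem allows 3389. If the firewall is on, allow the new port before rebooting
rem (e.g. netsh advfirewall firewall add rule name="RDP-!port!" dir=in action=allow protocol=TCP localport=!port!)
rem or the host becomes unreachable over RDP.
rem Writing 1 then 0 leaves fDenyTSConnections at 0, i.e. Remote Desktop ends up
rem enabled regardless of its previous state.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
echo.
echo 按任意键退出...
pause>nul
exit

:bad_port
echo 端口号无效，请输入 1024-65535 之间的纯数字
goto :ask_port

:reg_failed
echo 写入注册表失败，远程端口未更改
pause>nul
exit /b 1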
