Published 2023-12-21 (author: )

Group policy commands: the complete set (组策略命令全集)

Group policy is an important means of building a secure Windows environment, especially in a Windows domain. A good system administrator should be able to master and apply group policy skillfully. Group policy is accessed through the GUI with , and from the command line with .

First, the secedit command syntax:

Secedit /analyze
Secedit /configure
Secedit /export
Secedit /validate
Secedit /refreshpolicy

These five commands analyze group policy, configure group policy, export group policy, validate template syntax and refresh group policy, respectively. Of these, secedit /refreshpolicy has been replaced by gpupdate on XP/2003. The exact syntax of each command can be looked up at the command line.

Unlike the registry, which can be accessed with nothing more than a .reg file, accessing group policy requires a security database file (.sdb) in addition to a template file (.inf). To modify group policy, you first import the template into the security database and then refresh group policy by applying the security database.

Here is an example:

Suppose I want to set the minimum password length to 6 and enable "password must meet complexity requirements". The template looks like this:

[version]
Signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1

Save it as , then import it:

Secedit /configure /db /cfg /quiet

When the command finishes, it leaves a in the current directory. That file is an "intermediate product" and you can delete it.

The /quiet parameter means "quiet mode": no log is generated. In my test, however, the parameter does not seem to work on XP, while it works normally on 2000 SP4. The log is always saved under %windir%. You can also specify the log file yourself so that you can delete it afterwards. For example:

Secedit /configure /db /cfg /log
Del gp.*

In addition, you can check that the template's syntax is correct before importing it:

Secedit /validate

So how do you find out the exact syntax? Look it up on MSDN, of course. There is also a lazy way: the system ships with a number of security templates in the %windir%\security\templates directory. Open them; they contain essentially all the commonly used security settings, and the syntax becomes clear at a glance.

Another example: "turn off all audit policies". The events audited by these policies are recorded in the Event Viewer's "Security" log. Echo edition:

Echo [version] >
Echo signature="$CHICAGO$" >>
Echo [Event Audit] >>
Echo AuditSystemEvents=0 >>
Echo AuditObjectAccess=0 >>
Echo AuditPrivilegeUse=0 >>
Echo AuditPolicyChange=0 >>
Echo AuditAccountManage=0 >>
Echo AuditProcessTracking=0 >>
Echo AuditDSAccess=0 >>
Echo AuditAccountLogon=0 >>
Echo AuditLogonEvents=0 >>
Secedit /configure /db /cfg /log /quiet
Del 1.*

Someone may ask: isn't group policy stored in the registry? Why not modify the registry directly? Because not all of group policy is stored in the registry; "audit policy", for example, is not. You can use regsnap to compare the registry before and after changing the policy; the result of my test is that nothing changed. Only "Administrative Templates" is based entirely on the registry. Besides, once you know the specific location, neither method is complicated.

For example:

XP and 2003 add a "sharing and security model for local accounts" policy under "Local Policies" - "Security Options". The default setting on XP is "Guest only". That is why an ipc$ connection to an XP machine made with an administrator account still gets only Guest permissions. You can change it to "Classic" by importing a .reg file:

Echo Windows Registry Editor Version 5.00 >
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>
Echo "forceguest"=dword:00000000 >>
Regedit /s
Del

The corresponding .inf version is:

Echo [version] >
Echo signature="$CHICAGO$" >>
Echo [Registry Values] >>
Echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>
Secedit /configure /db /cfg /log
Del 1.*

Reading group policy from the command line

The system's default security database is located under %windir%. Export it to an .inf file:

Secedit /export /cfg /log

If /db is not specified, the default database is used. Then look at .

However, this is only part of group policy (the "Windows Settings" part). Moreover, a policy that is not configured is not exported. For example, renaming the administrator account is only defined if NewAdministratorName="XXX" appears in the .inf file. Group policies that cannot be exported can only be obtained by reading the registry.

This method does not work on XP and 2003: the export succeeds, but the content is basically empty. The cause is unknown. According to official documentation, XP and 2003 display group policy using RSoP (Resultant Set of Policy), and the corresponding command-line tool is gpresult. However, gpresult obtains the group policy applied (from the domain) when the system starts, and on a stand-alone machine the result is still "empty". So, if you want to know whether some group policy is set, the only way is to write an .inf, run secedit /analyze, and read the log.
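A defender-side check built on the export just described, as an added example (not the article's own code): it parses the .inf that secedit /export writes and flags the settings the article's two templates touch (password length and complexity, and audit categories set to 0). The baseline thresholds, the function names and the sample template are assumptions; secedit /export is assumed to produce a populated file, which it does on current Windows but, as the article notes, not on XP/2003.

```powershell
# Added example: audit the local security policy exported by secedit /export.
# Function names, thresholds and the sample template below are assumptions.

function ConvertFrom-SecurityTemplate {
    # Parse secedit .inf text into a hashtable: section name -> (key -> value).
    param([Parameter(Mandatory)][string[]]$Lines)
    $policy  = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank or comment
        if ($line -match '^\[(.+)\]$') {                               # [Section]
            $section = $Matches[1]
            if (-not $policy.ContainsKey($section)) { $policy[$section] = @{} }
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {      # key = value
            $policy[$section][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $policy
}

function Test-SecurityTemplate {
    # Return one string per baseline violation; an empty result means the policy passes.
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    $sys = $Policy['System Access']
    if (-not $sys) {
        $findings += 'No [System Access] section: the export came back empty (the XP/2003 behaviour the article describes)'
    } else {
        if ([int]$sys['MinimumPasswordLength'] -lt 6) { $findings += "MinimumPasswordLength is '$($sys['MinimumPasswordLength'])' (baseline: 6)" }
        if ($sys['PasswordComplexity'] -ne '1')      { $findings += 'PasswordComplexity is not enabled' }
    }
    $audit = $Policy['Event Audit']
    if ($audit) {
        # 0 = no auditing: nothing for that category reaches the Security log
        foreach ($cat in 'AuditLogonEvents', 'AuditAccountLogon', 'AuditPolicyChange', 'AuditAccountManage') {
            if ($audit[$cat] -eq '0') { $findings += "$cat is 0: no events of this category are written to the Security log" }
        }
    }
    return $findings
}

function Get-LocalSecurityTemplate {
    # Export the effective local policy to a temporary .inf and return its lines (needs an elevated prompt).
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    try { Get-Content -Path $inf } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

# Constructed sample template (not a real export) exercising the checks above.
$sample = @'
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 4
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 0
AuditPolicyChange = 3
'@ -split "`r?`n"

Test-SecurityTemplate -Policy (ConvertFrom-SecurityTemplate -Lines $sample)

# Against the live machine (Windows only):
if ($env:OS -eq 'Windows_NT') {
    Test-SecurityTemplate -Policy (ConvertFrom-SecurityTemplate -Lines (Get-LocalSecurityTemplate))
}
```

The parser deliberately ignores everything it does not recognise, so the same function can be pointed at the templates under %windir%\security\templates to compare a shipped template with the live export; only the checks in Test-SecurityTemplate encode an opinion about what is acceptable.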

Network configuration

Windows ships with many command-line network tools: the familiar ping, tracert, ipconfig, telnet, ftp, tftp and netstat, and the less familiar nbtstat, pathping, nslookup, finger, route, and so on.

These commands can be divided into three categories: network probing (such as ping), network connection (such as telnet) and network configuration (such as netsh). The first two are relatively simple; this article introduces only two network configuration tools.

Netsh

Using netsh in a remote shell first requires solving an interactivity problem. As mentioned earlier, many shells cannot redirect output any more, so interactive command-line tools such as ftp cannot be used in that environment. The solution is that most interactive tools accept a script (or response file), for example ftp -s:filename. Netsh is the same: netsh -f filename.

Netsh has many functions; it can configure IAS, DHCP, RAS, WINS, NAT servers, the TCP/IP protocol, the IPX protocol, routing and so on. We are not administrators and do not need to know that much; we only need netsh to learn the network configuration of the target host.

1. TCP/IP configuration

Echo interface IP >s
Echo show config >>s
Netsh -f s
Del s

From this you can see whether the host has multiple network cards and IP addresses, whether its IP is dynamically assigned (DHCP), and how many IP addresses are on the network (if any). This command is similar to ipconfig /all.

Note that the following command requires the remoteaccess service to be running on the target host. If it is disabled, first enable it by importing a registry change, then run:

Net start remoteaccess

2. ARP

Echo interface IP >s
Echo show ipnet >>s
Netsh -f s
Del s

This gives more information than the arp -a command.

3. TCP/UDP connections

Echo interface IP >s
Echo show tcpconn >>s
Echo show udpconn >>s
Netsh -f s
Del s

This command is the equivalent of netstat -an.

4. Network card information

If every netsh command can be replaced by some other command, what is it good for? This one cannot be replaced.

Echo interface IP >s
Echo show interface >>s
Netsh -f s
Del s

Other functions of netsh, such as changing the IP address, are generally unnecessary (if the new IP does not connect, you will be left "calling on heaven with no answer"), so they are all skipped.
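An added example, not from the article: the same inventory the four netsh scripts gather (addresses and whether they come from DHCP, the ARP/neighbour table, listening TCP ports and UDP endpoints, adapters), collected with the NetTCPIP and NetAdapter cmdlets available from Windows 8/Server 2012 onwards, saved as a baseline and diffed later so that a new listening port stands out. Function names and the baseline path are assumptions; on older systems the article's netsh -f script approach remains the way to collect the raw data.

```powershell
# Added example: snapshot the host's network state and diff it against a saved baseline.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and NetAdapter modules); names are assumptions.

function Get-NetSnapshot {
    # Same facts as the netsh "show config / show ipnet / show tcpconn / show udpconn / show interface" scripts.
    [pscustomobject]@{
        Taken     = (Get-Date).ToString('o')
        Adapters  = @(Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status, LinkSpeed)
        # PrefixOrigin tells static (Manual) from DHCP-assigned (Dhcp) addresses
        Addresses = @(Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin)
        Neighbors = @(Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.State -ne 'Unreachable' } |
                      Select-Object IPAddress, LinkLayerAddress, State)
        Listeners = @(Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess)
        UdpPorts  = @(Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess)
    }
}

function Save-NetSnapshot {
    # Write the current snapshot as JSON; take it once the host is in a known-good state.
    param([Parameter(Mandatory)][string]$Path)
    Get-NetSnapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-NetListeners {
    # List TCP listeners and UDP endpoints present now but absent from the baseline file.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $now  = Get-NetSnapshot
    $key  = { param($e) '{0}:{1}' -f $e.LocalAddress, $e.LocalPort }
    $baseTcp = @($base.Listeners | ForEach-Object { & $key $_ })
    $baseUdp = @($base.UdpPorts  | ForEach-Object { & $key $_ })
    $new = @()
    foreach ($l in $now.Listeners) {
        if ((& $key $l) -notin $baseTcp) { $new += 'TCP {0}:{1} owned by PID {2}' -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess }
    }
    foreach ($u in $now.UdpPorts) {
        if ((& $key $u) -notin $baseUdp) { $new += 'UDP {0}:{1} owned by PID {2}' -f $u.LocalAddress, $u.LocalPort, $u.OwningProcess }
    }
    return $new
}

# Usage (paths are assumptions):
#   Save-NetSnapshot -Path "$env:ProgramData\net-baseline.json"
#   Compare-NetListeners -BaselinePath "$env:ProgramData\net-baseline.json"
```

Compare-NetListeners only keys on address and port, so a service that restarts under a new PID is not reported; add OwningProcess to the key if you also want to see process changes.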

IPSec

The first thing to point out is that IPSec and TCP/IP filtering are different things, so don't confuse them. TCP/IP filtering is very limited, far less flexible and powerful than IPSec. Here is how to control IPSec from the command line.

On XP use ipseccmd; on 2000 use ipsecpol. Unfortunately, neither ships with the system. Ipseccmd is on the XP installation disc in , and ipsecpol is in the 2000 Resource Kit. Moreover, to use ipsecpol you must also bring two additional files: and . The three files total 119KB.

IPSec can be controlled by group policy, but I have searched MSDN and not found the syntax for a corresponding security template, and a configured IPSec policy cannot be exported as a template, so the group policy route does not work here. IPSec settings are stored in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local), so in theory you could configure IPSec by modifying the registry. But much of the information is stored in binary form and is hard to read and modify. By comparison, uploading the command-line tools is more convenient.

A lot about ipsecpol and ipseccmd can be found online, so I will not dwell on them, just give some practical examples.

For setting IPSec policy, the ipseccmd syntax is almost exactly the same as ipsecpol's, so only ipsecpol is used in the examples:

1. Defending against RPC-DCOM attacks

Ipsecpol -p myfirewall -r rpc-dcom -f *+0:135:tcp *+0:135:udp *+0:137:udp *+0:138:udp *+0:139:tcp *+0:445:tcp *+0:445:udp -n BLOCK -w reg -x

This command closes TCP ports 135, 139 and 445 and UDP ports 135, 137, 138 and 445 on the local host. The specific meanings:

-p myfirewall   specifies the policy, named myfirewall
-r rpc-dcom     specifies the rule, named rpc-dcom
-f ...          creates 7 filters. * stands for any address (source); 0 stands for the local address (destination); + means mirrored (bidirectional) filtering. See the ipsecpol syntax help for details.
-n BLOCK        specifies that the filter action is "block". Note that BLOCK must be capitalized.
-w reg          writes the configuration to the registry, so it remains in effect after a restart.
-x              activates the policy immediately.

2. Preventing being pinged

Ipsecpol -p myfirewall -r antiping -f *+0::ICMP -n BLOCK -w reg -x

If a policy named myfirewall already exists, the antiping rule is added to it. Note that this rule also prevents the host from pinging others.

3. IP restrictions on a backdoor

Suppose you have installed DameWare Mini Remote Control on a host. To protect it from password cracking or overflow attacks, access to its service port 6129 should be restricted:

Ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
Ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:tcp -n PASS -w reg -x

Now only 123.45.67.89 can reach port 6129 on that host. If you are on a dynamic IP, set the rule according to the range of addresses that may be assigned, for example:

Ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
Ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.*+0:6129:tcp -n PASS -w reg -x

This allows the addresses 123.45.67.1 through 123.45.67.254 to reach port 6129.

When writing rules, be especially careful not to lock yourself out. If you are not sure a rule will behave as expected, you can first use a scheduled task to "leave yourself a way back". For example:

net start schedule
The Task Scheduler service is starting..
The Task Scheduler service was started successfully.

time /t
12:34

C:\>at 12:39 ipsecpol -p myfw -y -w reg
Added a new job with job ID = 1

You then have 5 minutes to set up the myfw policy and test it. After 5 minutes the scheduled task will stop the policy. If the test result is not what you wanted, delete the policy:

C:\>ipsecpol -p myfw -o -w reg

Note that you must make sure a policy is stopped before deleting it. If it is not stopped, it continues to take effect for a while even after deletion. How long depends on the policy refresh interval, 180 minutes by default.

If the test passes, enable it:

C:\>ipsecpol -p myfw -x -w reg

Finally, how to view the IPSec policy.

On XP it is simple, one command does it: ipseccmd show filters

ipsecpol, on the other hand, has no query function. You need another command-line tool, netdiag, which is in the Support Tools on the 2000 installation disc, in support\tools\support.cab. (Having already uploaded three files, one more doesn't matter. ^_^)

netdiag needs to perform remote registry operations, so start that service first:

net start remoteregistry

Without the Remote Registry service started you get an error:

[FATAL] Failed to get system information of this machine.

netdiag is a very powerful tool; it can obtain all network-related information. However, its output is sometimes so verbose that it exceeds the output buffer of the cmd.exe console, and not every remote cmd shell can page it with the more command.

The command to view the IPSec policy is:

netdiag /debug /test:ipsec

A long stream of output follows; the IPSec policy is at the end.
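An added example, not from the article, of the "leave yourself a way back" pattern on current Windows, where the host filter is Windows Firewall (New-NetFirewallRule) rather than an IPSec policy and the timer is a scheduled task rather than at. It re-creates the TCP part of the article's rule 1 (inbound TCP 135/139/445 blocked) and disables the rule automatically after a few minutes unless you confirm it, following the article's order of "stop first, then delete". Rule and task names are assumptions; run it from an elevated PowerShell on Windows 8/Server 2012 or later.

```powershell
# Added example: a trial block rule that a scheduled task disables after a few minutes,
# so a mistaken rule cannot lock you out. Names are assumptions; needs an elevated prompt.

$RuleName = 'Trial block - inbound TCP 135,139,445'
$TaskName = 'Rollback trial firewall rule'

function Start-TrialBlockRule {
    param([int]$Minutes = 5)
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        # Same scope as the TCP filters of the article's rpc-dcom rule: any source, local ports 135/139/445, block.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 135, 139, 445 -Profile Any | Out-Null
    }
    Enable-NetFirewallRule -DisplayName $RuleName
    # The timer only disables the rule (the counterpart of ipsecpol -y); deleting is a separate decision.
    $rollback = "Disable-NetFirewallRule -DisplayName '$RuleName'"
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -NonInteractive -Command `"$rollback`""
    $trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    "Rule '$RuleName' is active; it will be disabled at $((Get-Date).AddMinutes($Minutes).ToString('HH:mm')) unless confirmed."
}

function Confirm-TrialBlockRule {
    # Test passed: cancel the rollback and keep the rule enabled (the counterpart of ipsecpol -x -w reg).
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Enable-NetFirewallRule -DisplayName $RuleName
}

function Remove-TrialBlockRule {
    # Test failed: cancel the rollback, disable first, then delete (the counterpart of ipsecpol -y, then -o).
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    Remove-NetFirewallRule  -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Usage: Start-TrialBlockRule -Minutes 5, test from another host, then either
#        Confirm-TrialBlockRule or Remove-TrialBlockRule before the timer fires.
```

The rollback runs as SYSTEM so that it still fires if your own session is the one that got cut off; if the task does not fire (Task Scheduler stopped, clock changed), Get-NetFirewallRule -DisplayName shows whether the rule is still enabled.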

Software installation

Installing a piece of software or a tool generally does only two things: copy files to specific directories and modify the registry. Once you know exactly what those are, you can do it yourself at the command line (not counting cases that require registration or activation after installation).

WinPcap is a commonly used tool, but it has to be installed through the GUI. A version that does not need the GUI can be found online (it still has a copyright page), but in fact we can make one ourselves.

Take WinPcap 3.0a as an example. By comparing snapshots of the file system and the registry before and after installation, the whole process is easy to understand.

Leaving aside the uninstall part, there are three key files: wpcap.dll, packet.dll and npf.sys. The first two go in the system32 directory, the third in system32\drivers. The registry change is the addition of a system service, NPF. Note that it is a system service (that is, a driver), not a Win32 service.

As a system service it needs not only a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services but also one under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root. By default the latter can only be modified by the SYSTEM identity. Fortunately you do not need to add it manually: when WinPcap is called it takes care of that automatically. You do not even need to modify the registry by hand; WinPcap does all of it itself, and all you need to do is copy the three files to the right locations.

As an example, though, here is how to do the registry modification anyway, using an INF file as in the previous sections:

[Version]
Signature="$WINDOWS NT$"

[DefaultInstall]

[DefaultInstall.Services]
AddService=NPF,,winpcap_svr

[winpcap_svr]
DisplayName=Netgroup Packet Filter
ServiceType=0x1
StartType=3
ErrorControl=1
ServiceBinary=%12%\npf.sys

Save the above as _wpcap_.inf. Then write a batch file, _wpcap_.bat:

Rundll32 setupapi,InstallHinfSection DefaultInstall 128 %CD%\_wpcap_.inf
Del _wpcap_.inf
If /i %CD%==%SYSTEMROOT%\system32 goto COPYDRV
Copy wpcap.dll %SYSTEMROOT%\system32
Copy packet.dll %SYSTEMROOT%\system32
Del wpcap.dll
Del packet.dll
:COPYDRV
If /i %CD%==%SYSTEMROOT%\system32\drivers goto END
Copy npf.sys %SYSTEMROOT%\system32\drivers
Del npf.sys
:END
Del %0

Then package all the files with WinRAR (5) as a self-extracting exe, set "Advanced SFX options" -> "Run after extraction" to _wpcap_.bat, and the command-line WinPcap installation package is complete.

Note that the last line of the batch file must not end with a carriage return; otherwise it cannot delete itself because it is still running.
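After a driver service has been registered this way, what an administrator wants to verify is what is now in the Services key and which binary it loads. Below is an added example, not the article's code, that reads the service's registry values and its Win32_SystemDriver entry and reports the binary's hash and Authenticode status; the function name is an assumption, and NPF is used only because it is the article's example (PowerShell 4.0 or later, for Get-FileHash).

```powershell
# Added example: inspect how a kernel-mode service (e.g. NPF) is registered and what it loads.
# Function name is an assumption; needs PowerShell 4.0+.

function Test-DriverServiceInstall {
    param([Parameter(Mandatory)][string]$Name)
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $drv) { return [pscustomobject]@{ Name = $Name; Registered = $false } }

    # The values the INF's [winpcap_svr] section wrote: Type (ServiceType), Start (StartType), ErrorControl, ImagePath
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

    # Resolve the image path; drivers are often registered relative to \SystemRoot or by bare file name.
    $binary = $drv.PathName
    if ($binary -like '\SystemRoot\*') {
        $binary = Join-Path $env:SystemRoot $binary.Substring('\SystemRoot\'.Length)
    } elseif ($binary -and -not (Test-Path -LiteralPath $binary)) {
        $binary = Join-Path "$env:SystemRoot\system32\drivers" (Split-Path -Path $binary -Leaf)
    }
    $present = [bool]$binary -and (Test-Path -LiteralPath $binary)
    $sig = if ($present) { Get-AuthenticodeSignature -FilePath $binary } else { $null }

    [pscustomobject]@{
        Name         = $Name
        Registered   = $true
        State        = $drv.State
        ServiceType  = $reg.Type           # 1 = kernel driver, matching ServiceType=0x1 in the INF
        StartType    = $reg.Start          # 3 = demand start, matching StartType=3
        ErrorControl = $reg.ErrorControl
        ImagePath    = $reg.ImagePath
        Binary       = $binary
        BinaryFound  = $present
        SHA256       = if ($present) { (Get-FileHash -LiteralPath $binary -Algorithm SHA256).Hash } else { $null }
        Signature    = if ($sig) { $sig.Status.ToString() } else { 'n/a' }   # Valid / NotSigned / HashMismatch ...
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage: Test-DriverServiceInstall -Name NPF | Format-List
```

Record the SHA256 of the driver you shipped in the package and compare it with what this reports; a kernel-mode service whose ImagePath points at an unexpected file, or whose binary does not match the hash you deployed, is exactly what the Services and Enum\Root keys this section describes would show after a tampered install.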

Basically all software installation can follow this idea. There is one exception: installing system patches. Because a patch is likely to replace files that are being executed or accessed, the copy command cannot be used. Fortunately, Windows patches support command-line installation. For example:

 -n -z -q

-n   do not keep a backup
-z   do not restart
-q   quiet mode

If you have a batch of patches to apply, package them with RAR into a self-extracting file together with a batch file:

For %%f in (KB*.exe) do %%f -n -z -q
For %%f in (KB*.exe) do del %%f
Del %0

Windows scripts

Many things are very neat to do with scripts. Here are echo versions of some common scripts.

1. Display the system version

@echo for each ps in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>
@echo wscript.echo ps.caption^&" "^&ps.version:next >>
Cscript //nologo  & del

2. List processes

@echo for each ps in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>
@echo wscript.echo ps.handle^&vbtab^&ps.name^&vbtab^&ps.executablepath:next >>
Cscript //nologo  & del

3. Terminate a process

@echo for each ps in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>
@echo if ps.handle=wscript.arguments(0) then wscript.echo ps.terminate:end if:next >>

To terminate the process with PID 123, use:

Cscript  123

If 0 is displayed, termination succeeded. Then:

Del

4. Restart the system

@echo for each os in getobject _ >
@echo ("winmgmts:{(shutdown)}!\\.\root\cimv2:win32_operatingsystem").instances_ >>
@echo os.win32shutdown(2):next >> & cscript //nologo  & del

5. List auto-start services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >s
@echo if sc.startmode="Auto" then wscript.echo sc.name^&"-"^&sc.pathname >>s
@echo next >>s & cscript //nologo s & del s

6. List running services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >
@echo if sc.state="Running" then wscript.echo sc.name^&"-"^&sc.pathname >>
@echo next >> & cscript //nologo  & del

7. Display the system's last boot time

@echo for each os in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>
@echo wscript.echo os.lastbootuptime:next >> & cscript //nologo  & del

The result is displayed in this format:

yyyymmddHHMMSSxxxxxxZZZZ

yyyy = year, mm = month, dd = day, HH = hour, MM = minute, SS = second, xxxxxx = microseconds, ZZZZ = time zone offset

8. Display system uptime

@echo for each os in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_perfrawdata_perfos_system").instances_ >>
@echo s=os.timestamp_sys100ns:l=len(s):s=left(s,l-7):for i=1 to l-7 >>
@echo t=t^&mid(s,i,1):d=t\86400:r=r^&d:t=t mod 86400:next >>
@echo wscript.echo cint(r)^&"d "^&t\3600^&"h "^&t\60 mod 60^&"m "^&t mod 60^&"s":next >>
Cscript //nologo  & del

The loop in script 8 is a digit-by-digit long division: VBScript has no 64-bit integer, so the counter is kept as a string, its last 7 digits (the sub-second part of the 100-ns count) are dropped, and the remaining digits are fed one at a time through "divide by 86400, keep the quotient digit, carry the remainder" to obtain days and a remainder that fits an ordinary number.

This uptime is derived from the performance counter's 64-bit integer, so it does not overflow after 49.7 days.
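The same facts as scripts 1 to 8 collected from PowerShell, as an added example (not the article's code). Two pieces are worth seeing on their own: converting the DMTF date string that script 7 prints into a DateTime, and turning a 64-bit count of 100-ns ticks into days/hours/minutes/seconds, which script 8 has to do by long division because VBScript has no 64-bit integer; .NET TimeSpan ticks are the same 100-ns unit, so the conversion is exact without it. The uptime function assumes the usual elapsed-time counter semantics for SystemUpTime (elapsed = (Timestamp_Object - SystemUpTime) / Frequency_Object); the function names and the sample values are assumptions.

```powershell
# Added example: WMI/CIM host summary from PowerShell. Function names are assumptions.

function ConvertFrom-DmtfDateTime {
    # 'yyyymmddHHMMSS.xxxxxx+UUU' (the format script 7 prints) -> local DateTime
    param([Parameter(Mandatory)][string]$Dmtf)
    [System.Management.ManagementDateTimeConverter]::ToDateTime($Dmtf)
}

function ConvertFrom-HundredNanoseconds {
    # 64-bit count of 100-ns ticks -> "Nd Nh Nm Ns". TimeSpan ticks are 100 ns too, so no manual long division.
    param([Parameter(Mandatory)][long]$Ticks)
    $ts = [timespan]::FromTicks($Ticks)
    '{0}d {1}h {2}m {3}s' -f $ts.Days, $ts.Hours, $ts.Minutes, $ts.Seconds
}

function Get-SystemUptime {
    # Assumed counter semantics: SystemUpTime is the boot timestamp on the Timestamp_Object clock,
    # so elapsed seconds = (Timestamp_Object - SystemUpTime) / Frequency_Object.
    $p = Get-CimInstance -ClassName Win32_PerfRawData_PerfOS_System
    $seconds = ([double]$p.Timestamp_Object - [double]$p.SystemUpTime) / [double]$p.Frequency_Object
    ConvertFrom-HundredNanoseconds -Ticks ([long]($seconds * 10000000))
}

function Get-HostSummary {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-CimInstance already yields a DateTime; Get-WmiObject returns the raw DMTF string, hence the branch.
    $lastBoot = if ($os.LastBootUpTime -is [datetime]) { $os.LastBootUpTime } else { ConvertFrom-DmtfDateTime $os.LastBootUpTime }
    [pscustomobject]@{
        System    = '{0} {1}' -f $os.Caption, $os.Version                                                      # script 1
        Processes = @(Get-CimInstance Win32_Process | Select-Object ProcessId, Name, ExecutablePath)            # script 2
        AutoStart = @(Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | Select-Object Name, PathName)  # script 5
        Running   = @(Get-CimInstance Win32_Service -Filter "State='Running'"  | Select-Object Name, PathName)  # script 6
        LastBoot  = $lastBoot                                                                                   # script 7
        Uptime    = Get-SystemUptime                                                                            # script 8
    }
}

# Constructed sample value (not taken from a real host): 2^32 ms, the point at which a 32-bit
# millisecond tick counter wraps, expressed in 100-ns ticks.
ConvertFrom-HundredNanoseconds -Ticks 42949672960000

if ($env:OS -eq 'Windows_NT') {
    # Constructed DMTF string: 12:34:56 on 2023-12-21 at UTC+8 (+480 minutes), shown in local time.
    ConvertFrom-DmtfDateTime -Dmtf '20231221123456.123456+480'
    Get-HostSummary | Format-List
}
```

Terminating a process (script 3) and rebooting (script 4) have direct equivalents in Stop-Process -Id and Restart-Computer; they are left out here because the summary above is meant to be read-only, which is the form in which you would schedule it to run against a fleet.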