Script Story [reposted from Microsoft TechNet]

xiaoxiao2021-03-06  14


Published by The Scripting Guys

If scripts are outlawed, only outlaws will use scripts

For a list of all Script Story columns, click here.

One of the criticisms levelled at Microsoft employees is that we live in an unreal world: that we care only about various ideals and not about the practical problems system administrators actually have to face. That may be true of some Microsoft employees, but the Scripting Guys, as we keep being told, are hardly out of touch with the issues system administrators face. Plenty of our colleagues agree with us. For example, on the bus to work this morning we said to the driver: "Bentley, do you think the Scripting Guys live in an unreal world? Are they always there when system administrators need help?" "I don't think so," Bentley said. "Absolutely not."

At least, we think that's what he said. To be honest, the Jacuzzi in the back row is so big that we couldn't hear very clearly.

The point, however, is that the Scripting Guys are ordinary people, no different from anyone else, not the kind of "outstanding elite" who live on air and dew. And we have to admit that in one important area we haven't done our duty: when system administrators run into security issues, we haven't done a good job of helping them.

We admit it may sound a little funny to have the Scripting Guys talk about security, because many people believe that without scripts there wouldn't be so many security problems. Whenever there is a hacker attack, a disruptive attack, or a new virus or worm, people naturally lay the blame on scripts, and from there on the people who work with scripts. They say that perhaps scripts should be banned outright, that Microsoft should remove Windows Script Host from the operating system and permanently disable macros, and that all the Scripting Guys should be thrown in prison and the key thrown away so they never see daylight again. (Interestingly, even those who don't support banning scripts have strongly supported that last penalty.)

We also don't deny that scripts have indeed played a part in some of these attacks. Yes, we've seen Kak.hta, and we've seen the ILOVEYOU.vbs virus. (In fact we were among the people attacked by them. If only that many people really loved us.) But imagine we really did abandon scripting: what would happen? Would these crazy attacks stop?

Well, it's a nice idea, but so is buying a lottery ticket and retiring on the winnings, and the odds of it happening are about the same (zero). Of course worms and viruses can be written as scripts, but they can also be written as batch files. Should we ban batch files too? They can be written as executables; should we ban executables on your computer? Remove every executable from your computer and it has no use left, other than looking a bit cool.

Hey, didn't we just invent the Macintosh! (To Macintosh users: just kidding.)

In fact, scripting only makes worms and viruses easier to write, and even that is debatable (some viruses are very complex). If we banned scripts, virus writers would simply go back to writing them in C or C++ as they did before. And keep in mind that even if we somehow eliminated every virus today, computers still would not be 100% safe. Imagine a user connected to the Internet who shares his or her entire hard disk: no script is needed to destroy that computer. Imagine a computer set up so that anyone who turns it on is logged on to the operating system; people who set passwords that are far too simple out of laziness; and any other insecure setting you can think of. The essence of the problem is that as long as we use computers, bad things can happen. It's the same with everything in life. Let people drive and some of them will run red lights or back into things. We can't prevent every accident. What we can do is teach people how to use things safely, and provide safety features that reduce the damage when accidents happen.

That's the message for today. Can we stop people from spreading viruses? Can we keep people from leaving their computers open to attack? Can we guarantee that a computer is 100% safe and eliminate every mistake? No, we can't; at least not without unplugging every network adapter, disconnecting every Internet connection and completely isolating every computer user. (To all system administrators: we know that sounds attractive, but it is not an official Scripting Guys recommendation.) But we can still do something to reduce system vulnerabilities and prevent problems. Crazy as it sounds, scripts can make your computers more secure. (Yes, we did say more secure. Trust us.)


Knowledge is power

OK, fine: stand in the hallway and watch the people who hold the power. It's sometimes hard to see what the knowledge they have has to do with it. Still, whatever the truth of the saying, getting hold of all the knowledge and information you can is never a bad thing, and that's especially true for computer security. The more you know about your computers and their settings, the more confident you can be. That's why computer security experts recommend periodic security checks of your computers. Which raises the question: how do you carry out such a periodic security check?

Microsoft has released a small, practical tool, the Microsoft Baseline Security Analyzer, that helps you do exactly that. (We hope you've already downloaded this free tool; if not, click here to download it.) The tool does what its name says: it analyzes a computer (or several, if you like) and points out potential security risks, such as local accounts whose passwords are too simple (or missing altogether), or security patches that are not installed. Small as it is, it's very useful, and a must-have both at home and in the office.

Now you may be thinking: "Well, since Security Analyzer is so easy to use, I'll give it to my mother as a Christmas present. But what does this have to do with scripting? If Security Analyzer gives me everything, what do I need scripts for? Scripting Guys, what do you say to that?" And you'd be right: if Security Analyzer does what you need, you don't need a script. (Maybe you don't need your life savings either; why not send them to the Scripting Guys and let us look after them.) But what if Security Analyzer doesn't do what you need? It's very good at collecting information, but it can't act on the information it collects. For example, it can scan all 5,000 of your workstations and give you a detailed report on whether the Guest account on each one is disabled (most organizations disable the Guest account to keep anonymous or unauthorized users off the network). Suppose 2,967 of the Guest accounts on your network are still enabled. Security Analyzer reports that to you, but in the end you still have to go to each machine and disable the Guest account by hand.

That's where scripts come in. If you want to know whether the Guest account on a computer is disabled, you can write a script to find out, but if all you want is to check the account's status, what's the point? Security Analyzer can already do that; you don't need a script at all. But what if you want to do more than check the status, and actually disable every Guest account that is enabled? Security Analyzer alone can't do that, but a script can.

That's the point we want to make. (If you've read the ADSI Scriptomatic readme you may find it hard to believe, but the Scripting Guys do actually have a point now and then.) Scripts are useful tools because they help you retrieve security-related information, but they are essential tools because they can act on the information they collect. That's what we're going to show: we'll look at the information Security Analyzer gathers, show you how to write scripts that retrieve the same information, and then, where possible, show how to modify the script so that it acts on that information.

Full disclosure. OK, we may have exaggerated slightly: for reasons of space we don't plan to cover every check Security Analyzer performs, so we'll skip a few, such as checking SQL Server account passwords. We hope you don't mind; Bentley said he didn't.

By the way, we may explore security-related topics in later columns. For example, we'll explain (or at least try to explain) the strange and mysterious world of security identifiers and how to work with them from a script. We'll also show what role scripts play in managing patches and security updates. But for now let's set those aside and, without further distraction, explain what Security Analyzer does and how to achieve the same functionality with scripts.

Note: one more thing. To keep our script fragments as short as possible, the scripts shown here run against a single (local) machine. The strength of Security Analyzer is that it can run against many machines. Can scripts do that too? You guessed it; see the previous Script Story column for details, and take a look at Runomatic on the Script Center. What is Runomatic? You wouldn't want us to spoil the surprise of finding out, would you?

Task 1: Retrieve the computer name

To be honest, there are any number of ways to retrieve a computer name from a script. But because WMI will be our main technology for retrieving information, what we show here is a WMI script that returns the name of the target computer.

strComputer = "."
Set objWMIService = GetObject("winmgmts://" & strComputer & "/root/cimv2")
Set colComputers = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
For Each objComputer in colComputers
    Wscript.Echo objComputer.Name
Next

This may seem a bit silly, especially when the script only runs against the local machine. But when you're targeting a hundred computers, it helps you tell the results from each one apart.

Task 2: Retrieve the IP address

Retrieving the IP address through a script is also very simple:

strComputer = "."
Set objWMIService = GetObject("winmgmts://" & strComputer & "/root/cimv2")
Set IPConfigSet = objWMIService.ExecQuery _
    ("Select IPAddress from Win32_NetworkAdapterConfiguration " _
        & "Where IPEnabled = True")
For Each IPConfig in IPConfigSet
    If Not IsNull(IPConfig.IPAddress) Then
        For Each strAddress in IPConfig.IPAddress
            Wscript.Echo strAddress
        Next
    End If
Next

There are just two things to watch when determining a computer's IP address. First, WMI treats everything, including VPN and RAS connections, as part of the computer's network adapter configuration. So we use the Where clause IPEnabled = True to limit the results to actual network adapters.

Second, the IP address is returned as an array, so we need a For Each loop to get the actual addresses. If we echo the IPAddress property directly, a "type mismatch" error occurs.

Task 3: Report the date and time of the security check

This is also very easy to implement, but since we're covering most of what Security Analyzer reports, here is the code that returns the date and time:

Wscript.Echo Now

Do you think that's high-powered scripting? Well, it really is that simple.

Task 4: Check the service pack

OK, we admit it: there has never been a perfect operating system. (Well, if anyone from Microsoft asks, we never said that. Understood?) All kinds of defects are found after an operating system is released, and unfortunately so are security vulnerabilities and weaknesses that can be attacked. Nobody likes finding that out, but that's life. Nobody wants to cut a finger, but if you do, you don't just sit there: you get out the first-aid kit and dress the wound. Likewise, when an operating system needs similar treatment, you get out the first-aid kit and install the service pack. In other words, you should make sure your computers have the latest service pack. Security Analyzer can give you that information, and so can the following script:

strComputer = "."
Set objWMIService = GetObject("winmgmts://" & strComputer & "/root/cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
    Wscript.Echo objOperatingSystem.ServicePackMajorVersion _
        & "." & objOperatingSystem.ServicePackMinorVersion
Next

Before you ask: WMI does not list every service pack you've installed, only the latest one. That shouldn't be a problem, because the latest service pack includes all the fixes and updates from the previous ones. If you have Service Pack 4 on Windows 2000, you've installed more than what was added in Service Pack 4; you also have everything in Service Packs 1, 2 and 3. Put another way, once you know a computer has Service Pack 4 you don't need to worry about whether it has Service Pack 1, 2 or 3. It has all of them.

Task 5: Check hot fixes

Do you know the truly sad thing about recent virus and worm attacks? In many cases the patches had been available for a long time; if users had applied them, the attacks on their computers could have been avoided. But for various reasons people didn't apply the patches until the virus came knocking, and everyone knows what happened next. Our point? Make sure you have the latest patches and hot fixes (click here for more information on how to get them) and make sure they are installed on your computers.

But how do you know which hot fixes are installed on a machine? It's almost funny how easy it is:

strComputer = "."
Set objWMIService = GetObject("winmgmts://" & strComputer & "/root/cimv2")
Set colQuickFixes = objWMIService.ExecQuery _
    ("Select * from Win32_QuickFixEngineering")
For Each objQuickFix in colQuickFixes
    Wscript.Echo "Description: " & objQuickFix.Description
    Wscript.Echo "Hot Fix ID: " & objQuickFix.HotFixID
Next

Note: On Windows 2000, some computers may hang when the Win32_QuickFixEngineering class is queried. For more information on this known issue, click here.

This script works well, but to be honest it is still inferior to Security Analyzer in one respect: Security Analyzer not only tells you which hot fixes are installed, it tells you which ones are not. In other words, if a patch is missing, it prompts you.

So how does Security Analyzer know what should be installed? When you run it, it consults a file (MSSecure.xml) that contains a list of critical patches and tells it which ones you need.

Parsing the MSSecure.xml file is beyond the scope of this column (although it's not impossible for those who know XML). In a future column, however, we'll show some similar ways you can check for specific hot fixes and patches yourself.
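The comparison the column defers to a later issue can be done with nothing more than a dictionary of installed IDs and a list of required ones. The script below is an added example, not code from the column or from Security Analyzer: it loads every HotFixID that Win32_QuickFixEngineering reports into a case-insensitive lookup and reports which entries of a required list are missing. The required IDs are constructed placeholders; in practice the list comes from your own patch policy (or, as the column says, from MSSecure.xml).

```vbscript
' Added example (not from the original column): compare the hot fixes WMI
' reports against a required list and report what is missing.
' The required IDs below are constructed placeholders, not a real patch list.
Option Explicit

Dim strComputer, objWMIService, colQuickFixes, objQuickFix
Dim dictInstalled, arrRequired, strID, intMissing

strComputer = "."
Set objWMIService = GetObject("winmgmts://" & strComputer & "/root/cimv2")

' Build a case-insensitive lookup of every installed HotFixID.
Set dictInstalled = CreateObject("Scripting.Dictionary")
dictInstalled.CompareMode = vbTextCompare
Set colQuickFixes = objWMIService.ExecQuery _
    ("Select HotFixID from Win32_QuickFixEngineering")
For Each objQuickFix in colQuickFixes
    strID = Trim(objQuickFix.HotFixID)
    ' Some entries repeat one ID (one row per file), so add each ID once.
    If Len(strID) > 0 Then
        If Not dictInstalled.Exists(strID) Then dictInstalled.Add strID, True
    End If
Next

' Placeholder baseline (assumption): replace with the IDs your policy requires.
arrRequired = Array("KB000001", "KB000002", "KB000003")

intMissing = 0
For Each strID in arrRequired
    If dictInstalled.Exists(strID) Then
        Wscript.Echo strID & ": installed"
    Else
        Wscript.Echo strID & ": MISSING"
        intMissing = intMissing + 1
    End If
Next
Wscript.Echo intMissing & " of " & (UBound(arrRequired) + 1) & _
    " required hot fixes are missing."
```

Run it with cscript so the output goes to the console. Because the lookup is built once and each required ID is a dictionary probe, the same loop scales to a baseline of hundreds of IDs without requerying WMI.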

Task 6: Check the number of local administrators

Too many cooks spoil the broth, and too many administrators are bad too. More to the point, more administrators means a greater chance that one of them makes a mistake that exposes the computer to others. You might give a neighbour a spare key so he can keep an eye on your things while you're away, but you wouldn't hand out spare keys to everyone you meet on the bus. (We'll assume for now that you don't.) In the same way, you should limit the number of local administrators, because by definition they can do many things you would not expect.

Like Security Analyzer, a script can return all members of the local Administrators group on a computer. In fact, the following code does exactly that:

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objUser in objGroup.Members
    Wscript.Echo objUser.Name
Next

This information is very useful; when you have time (assuming you can find any), you can study it closely and, if necessary, remove the people who have no business being administrators.

But what if your organization has a policy on who may be an administrator, and you need to enforce it? For example, suppose ordinary users may not be administrators, and the only permitted administrators are the local Administrator account and the domain Administrator account (in this example we assume you're in fabrikam.com). In that case, what you want from the script is not a count of how many outside accounts there are; you want it to remove the outside accounts, leaving only Administrator and Fabrikam\Administrator. Cool, isn't it? Well, if that's what you think, why not admit it? This script lists every member of the Administrators group, and if it finds a member that is neither Administrator nor Fabrikam\Administrator, it uses the Remove method to take that account out of the group.

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objUser in objGroup.Members
    If objUser.Name <> "Administrator" And objUser.Name <> _
        "Fabrikam\Administrator" Then
        objGroup.Remove(objUser.ADsPath)
    End If
Next

Yes: this is a typical example of using a script to extend what Security Analyzer can do.
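Comparing on Name alone cannot tell a domain account from a local account with the same name, and it removes without a chance to review. The following is an added example (not the column's code) that audits the group against an allow list keyed on the full ADsPath, prints each member's class (user or group), and only removes members when a flag is switched on after the report-only run has been checked. The FABRIKAM domain, the allowed entries and the flag name are assumptions.

```vbscript
' Added example (not from the original column): audit the local
' Administrators group against an allow list keyed on ADsPath rather than
' on Name, so a domain account and a local account with the same name are
' told apart. The domain name FABRIKAM and the allow list are assumptions.
Option Explicit

Dim objNetwork, strComputer, objGroup, objMember
Dim dictAllowed, strPath, blnRemove

' Report only; set to True only after reviewing the report-only output.
blnRemove = False

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Allowed members, compared case-insensitively on the full ADsPath.
Set dictAllowed = CreateObject("Scripting.Dictionary")
dictAllowed.CompareMode = vbTextCompare
dictAllowed.Add "WinNT://" & strComputer & "/Administrator", True
dictAllowed.Add "WinNT://FABRIKAM/Administrator", True
dictAllowed.Add "WinNT://FABRIKAM/Domain Admins", True

For Each objMember in objGroup.Members
    strPath = objMember.ADsPath
    If dictAllowed.Exists(strPath) Then
        Wscript.Echo "OK         " & objMember.Class & " " & strPath
    ElseIf blnRemove Then
        ' IADsGroup.Remove takes the member's ADsPath.
        objGroup.Remove strPath
        Wscript.Echo "REMOVED    " & objMember.Class & " " & strPath
    Else
        Wscript.Echo "UNEXPECTED " & objMember.Class & " " & strPath
    End If
Next
```

Printing the Class matters because a domain group such as Domain Admins appears as a single member; removing it by mistake locks out every account in it, whereas removing one stray user account affects only that user.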

Task 7: Check for passwords that do not expire

If there's one thing users don't like, it's passwords that expire on a schedule. After all, just when you've finally memorized the thing, it has to be replaced. So, since users hate expiring passwords so much, why use them? (We're not even counting the coffee cups knocked over keyboards and mice when the change-password prompt appears.)

But the truth is that what users hate, attackers hate too. Imagine a hacker running a dictionary attack. He or she may have already ruled out aardvark as the password, and halfway through the attack the user changes the password to aardvark. Even if the hacker does guess the password, the victory is only temporary: by the time it has been guessed, the user may have changed it to something else. Changing passwords regularly is one of the most effective ways to improve security, and the best way to get passwords changed is to make them expire.

Because a password that never expires is a security weakness, Security Analyzer reports any account whose password is set not to expire. As you may have guessed, we happen to have a script that does the same thing:

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set colAccounts = GetObject("WinNT://" & strComputer)
colAccounts.Filter = Array("user")
For Each objUser in colAccounts
    Set usr = GetObject("WinNT://" & strComputer & "/" & _
        objUser.Name & ",user")
    flag = usr.Get("UserFlags")
    If flag And ADS_UF_DONT_EXPIRE_PASSWD Then
        Wscript.Echo usr.Name & ": Password does not expire."
    Else
        Wscript.Echo usr.Name & ": Password expires."
    End If
Next

And you can set every password to expire with the following script:

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set colAccounts = GetObject("WinNT://" & strComputer)
colAccounts.Filter = Array("user")
For Each objUser in colAccounts
    Set usr = GetObject("WinNT://" & strComputer & "/" & _
        objUser.Name & ",user")
    flag = usr.Get("UserFlags")
    If flag And ADS_UF_DONT_EXPIRE_PASSWD Then
        ' Xor clears the flag bit, which is known to be set here
        usr.UserFlags = flag Xor ADS_UF_DONT_EXPIRE_PASSWD
        usr.SetInfo
    End If
Next

Task 8: Test local account passwords

Worms and viruses get a lot of attention, understandably, but some of the simplest things pose real threats to computer security, such as sticky notes. In offices, employees often write their passwords on sticky notes and attach them to their monitors. Now, you can ban the practice, or severely punish the people who post such notes, but that causes another problem (and we don't mean a black market in smuggled sticky notes). Why do people write their passwords down? Because the passwords are too hard to remember. And if users can't write them down, they tend to use passwords simple enough not to need writing down, such as Password.

Even an amateur hacker or a disgruntled insider can break into a computer whose password is Password. Although Security Analyzer can't detect whether there's a note on the monitor, it can check whether any local user account:

• uses a blank password
• uses the same password as the user name
• uses the same password as the computer name
• uses Password as the password
• uses the word admin or administrator as the password

How does Security Analyzer run such a cool test? After all, it can't retrieve the user's password; that would be a security breach in itself. Well, we'll tell you the answer: we don't know. But we suspect it uses the ADSI ChangePassword method (or an equivalent API) to try to change the user's password. Why ChangePassword? Because with this method you must supply both the current password and the new one, so it cannot succeed unless you know the current password. Because Security Analyzer doesn't really want to change the password, we suspect it simply supplies the same password (say, Password) as both the current and the new password, something like this: objUser.ChangePassword "Password", "Password"

If the current password isn't Password, the method fails and the system reports an error. If the current password is Password, the method succeeds without error, and the password is "changed" to Password. The net effect is that the password hasn't changed, but the script now knows the current password is Password. That may sound confusing, but look at the script and what it does; the idea is actually very simple.

And yes, this is also a hacker's test. We're borrowing a hacker's method to do something useful.

Here's a script that detects whether an account's password is Password. With simple modifications it can also detect accounts that use a blank password, the logon name as the password, and so on.

On Error Resume Next
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strPassword = "password"
Set colAccounts = GetObject("WinNT://" & strComputer)
colAccounts.Filter = Array("user")
For Each objUser in colAccounts
    objUser.ChangePassword strPassword, strPassword
    If Err = 0 Or Err = -2147023569 Then
        Wscript.Echo objUser.Name & " is using the password " & _
            strPassword & "."
    End If
    Err.Clear
Next

Note: you may notice that our script checks for the absence of an error (Err = 0): if there was no error, the password was changed, which means we know this account's password is Password. But we also check for error -2147023569. That error is raised when the current password is Password but it cannot be changed because not enough time has passed since the last change. (By default, a password can be changed once every 14 days.)

Task 9: Detect the file system

If the computer runs Windows NT, Windows 2000, Windows XP or Windows Server 2003, it's very important that the hard disks use the NTFS file system. (There may be a few exceptions, but we won't worry about them here.) Unless you like exposing your hard disk to the world, you need to format it as NTFS so you can take advantage of NTFS security. It's like home security: unless you think other people, and their dogs, should be free to wander into your house and use whatever is inside, you put a lock on the door and lock it when you're out. So how do you find out which file system your hard disks use? Here's a very simple way:

strComputer = "."
Set objWMIService = GetObject("winmgmts://" & strComputer & "/root/cimv2")
Set colDisks = objWMIService.ExecQuery _
    ("Select * from Win32_LogicalDisk Where DriveType = 3")
For Each objDisk in colDisks
    Wscript.Echo "Disk drive: " & objDisk.DeviceID & " - " & objDisk.FileSystem
Next

In the WQL query above, you may have noticed that we only query logical disks whose DriveType equals 3. Why? Because a DriveType of 3 means a hard disk, and by limiting the returned data to hard disks we save the time we would otherwise spend on floppy drives, CD-ROM drives and other drives that cannot (and need not) be formatted with NTFS.

Task 10: Detect automatic logon

You can set Windows to log on automatically at every boot, using a user name and password stored in the registry. That sounds convenient, but it's not appropriate for computers that are always connected to the Internet or that serve as information kiosks. From another angle, it is at least a little suspect from a security standpoint, to put it mildly: it lets anyone who turns on the computer log on with the user name and password stored in the registry. That's why one of Security Analyzer's checks is whether automatic logon is turned on. Again, you can do the same with a script:

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts://" & strComputer & "/root/default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
strValueName = "AutoAdminLogon"
objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
If dwValue = 1 Then
    Wscript.Echo "Auto logon is enabled."
Else
    Wscript.Echo "Auto logon is disabled."
End If

Presumably you don't want automatic logon turned on on your computers. So instead of a script that, like Security Analyzer, only reports the status of automatic logon, why not use one that turns it off? You can use the following script:

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts://" & strComputer & "/root/default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
strValueName = "AutoAdminLogon"
dwValue = 0
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue

Task 11: Check the state of the Guest account

Depending on how you look at it, the Guest account provides a way to log on to your computer without proving who you are (the one exception, we assume, being that this guest is not Christopher Guest). For that reason the Guest account is disabled by default in Windows XP and Windows Server 2003, and it should be disabled in Windows 2000 and Windows NT 4.0 as well. Here's a script that reports the status of the Guest account on the local computer:

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objUser = GetObject("WinNT://" & strComputer & "/Guest")
If objUser.AccountDisabled Then
    Wscript.Echo "The Guest account is disabled."
Else
    Wscript.Echo "The Guest account is enabled."
End If

Look, cool. But suppose you've decided the Guest account on all your computers should be disabled. You can modify this script so that it does a bit more than report on the Guest account: if the account is already disabled, it simply reports the fact, but if the account is enabled, it goes on to disable it:

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objUser = GetObject("WinNT://" & strComputer & "/Guest")
If objUser.AccountDisabled Then
    Wscript.Echo "The Guest account is already disabled."
Else
    objUser.AccountDisabled = True
    objUser.SetInfo
    Wscript.Echo "The Guest account has been disabled."
End If

Task 12: Check anonymous access

By default, an unauthorized user can connect to any Windows computer and obtain a list of domain user names and share names. What does that mean? Well, a hacker logs on as you with two things: your user name and your password. By simply plugging a laptop into your network and querying the nearest computer, he gets your user name, and with it half of what he needs to attack your account. (Thank goodness no one has invented wireless networking yet, although we hear some people are working on it.)

So how do you know whether your computer is handing out information like Halloween candy? You can use Security Analyzer, or you can use the following script:

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts://" & strComputer & "/root/default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"
strValueName = "RestrictAnonymous"
objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
If dwValue = 0 Then
    Wscript.Echo "Anonymous access is enabled."
Else
    Wscript.Echo "Anonymous access is disabled."
End If

You asked a very good question; here's a way to turn off anonymous access on your computer:

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts://" & strComputer & "/root/default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"
strValueName = "RestrictAnonymous"
dwValue = 1
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
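Tasks 10 and 12 are the same operation with different keys, so the two checks can share one routine. The script below is an added example, not the column's code: it reads each value through StdRegProv, checks the method's return code (which the column's scripts ignore, so a value that is absent would be misread as 0) and compares the result with the expected setting. AutoAdminLogon is read with GetStringValue because Winlogon stores it as a REG_SZ; RestrictAnonymous is a REG_DWORD. The labels, the expected values and the treatment of a missing value as compliant or not are assumptions about policy.

```vbscript
' Added example (not from the original column): one routine that audits
' several registry values against expected settings and reports drift.
' Return codes from StdRegProv are checked so a missing value is reported
' rather than silently treated as 0. Expected values are policy assumptions.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002

Dim strComputer, objReg

strComputer = "."
Set objReg = GetObject("winmgmts://" & strComputer & "/root/default:StdRegProv")

' Returns the value as a string, or Empty if it cannot be read.
Function ReadValue(strKeyPath, strValueName, blnString)
    Dim intResult, varValue
    If blnString Then
        intResult = objReg.GetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, varValue)
    Else
        intResult = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, varValue)
    End If
    If intResult = 0 And Not IsNull(varValue) Then
        ReadValue = CStr(varValue)
    Else
        ReadValue = Empty
    End If
End Function

' Prints one setting and returns True if it matches the expected value.
Function CheckSetting(strLabel, strKeyPath, strValueName, blnString, strExpected, blnMissingOk)
    Dim strActual
    strActual = ReadValue(strKeyPath, strValueName, blnString)
    If IsEmpty(strActual) Then
        CheckSetting = blnMissingOk
        Wscript.Echo strLabel & ": value not present"
    Else
        CheckSetting = (strActual = strExpected)
        Wscript.Echo strLabel & ": " & strActual & " (expected " & strExpected & ")"
    End If
End Function

Dim blnAllOk
blnAllOk = True

' Automatic logon should be off; an absent value means it is off (REG_SZ).
blnAllOk = CheckSetting("AutoAdminLogon", _
    "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", _
    "AutoAdminLogon", True, "0", True) And blnAllOk

' Anonymous enumeration should be restricted; an absent value means it is not (REG_DWORD).
blnAllOk = CheckSetting("RestrictAnonymous", _
    "SYSTEM\CurrentControlSet\Control\Lsa", _
    "RestrictAnonymous", False, "1", False) And blnAllOk

If blnAllOk Then
    Wscript.Echo "All audited settings are compliant."
Else
    Wscript.Echo "One or more settings need attention."
End If
```

Adding a check is one more CheckSetting call, and because every result is folded into blnAllOk the script can return a single pass/fail to whatever runs it against many machines.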

Task 13: List installed services

Knowing which services are running on a computer is useful. After all, some insidious viruses disguise themselves as services, so you need to know whether such a thing is running on your computers. But it's also worth seeing whether legitimate services are running. For instance, we know you've told your users not to run a web server or an FTP server on their machines, but how do you know they're obeying? The following script will tell you:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Returns every installed service, running or not; State tells you which is which.
Set colServices = objWMIService.ExecQuery("Select * From Win32_Service")

For Each objService In colServices
    Wscript.Echo objService.DisplayName, objService.State
Next

So what if you find someone running a service you don't want them to run? We can borrow from the script that stops the Universal Plug and Play Device Host service (and stop it):

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Query by the service name (upnphost), not the display name.
Set colServices = objWMIService.ExecQuery _
    ("Select * From Win32_Service Where Name = 'upnphost'")

For Each objService In colServices
    objService.StopService()
Next
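Listing services by display name answers "is the web server running?", but not "is that thing calling itself a service really what it claims to be?". The PowerShell script below is an added example, not code from the original column. It flags two kinds of findings: services on a block list (the real service names of the IIS web and FTP services and the UPnP device host are used here; extend the list to taste) and running services whose executable lives outside the Windows and Program Files trees, which is where a malicious "service" most often hides. With -Disable it stops and disables the block-list services. The trusted roots are taken from this machine's environment variables, so for a remote target they are an assumption about that machine's layout.

```powershell
# Added example (not the column's code): service inventory with a block list and a
# check for executables outside the expected directory trees.
param(
    [string]$ComputerName = 'localhost',
    [switch]$Disable
)

$blocked = 'W3SVC', 'MSFTPSVC', 'upnphost'        # IIS web, IIS FTP, UPnP Device Host
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

$cim = @{ ClassName = 'Win32_Service' }
if ($ComputerName -ne 'localhost') { $cim.ComputerName = $ComputerName }

function Get-ServiceImagePath([string]$pathName) {
    # PathName may be quoted and may carry arguments: "C:\Program Files\x\svc.exe" -k arg
    # An unquoted path with spaces is truncated here, which is itself worth a look.
    if (-not $pathName) { return '' }
    if ($pathName.StartsWith('"')) { return $pathName.Split('"')[1] }
    return ($pathName -split ' ')[0]
}

function Test-OutsideTrustedRoots([string]$image) {
    if (-not $image) { return $false }            # some services report no path at all
    $lower = $image.ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($lower.StartsWith($root)) { return $false } }
    return $true
}

function Get-ServiceFindings {
    foreach ($svc in Get-CimInstance @cim) {
        $image   = Get-ServiceImagePath $svc.PathName
        $onList  = $blocked -contains $svc.Name
        $outside = (Test-OutsideTrustedRoots $image) -and ($svc.State -eq 'Running')
        if (-not ($onList -or $outside)) { continue }
        if ($onList -and $Disable) {
            if ($svc.State -eq 'Running') {
                Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
            }
            Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                -Arguments @{ StartMode = 'Disabled' } | Out-Null
        }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            Image       = $image
            Reason      = if ($onList) { 'on block list' } else { 'running from an unexpected path' }
            Disabled    = ($onList -and $Disable)
        }
    }
}

Get-ServiceFindings | Format-Table -AutoSize
```

Stopping a service is not enough on its own: a service left at StartMode Automatic comes back at the next reboot, which is why the script also changes the start mode.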

Task 14: Check shares and share permissions

Didn't you know? Your whole life you've been told how important it is to share with others, but now we find that sharing (at least from a computer's point of view) is not necessarily a good thing.

The file-sharing feature is undeniably handy. It lets users collaborate on a piece of work without help from an administrator and without taking up space on a file server. Unfortunately, it also lets people share files that should not be shared (copyright-infringing MP3 files, for instance). In addition, a network share is a convenient way into your computer. If you share a folder without setting the share permissions correctly, well....

So can a script tell you whether there are any shares on your computer? You guessed it:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colShares = objWMIService.ExecQuery("Select * From Win32_Share")

For Each objShare In colShares
    Wscript.Echo "Name: " & objShare.Name
    Wscript.Echo "Path: " & objShare.Path
    Wscript.Echo "Type: " & objShare.Type
Next

Of course, many organizations choose not to allow shares at all, at least on client machines. If you've made the same decision, you'll find scripts useful here too. Security Analyzer will tell you whether it found shares on a computer, but in the end you still have to connect to each computer and remove each share yourself. A script can not only identify shared folders, it can un-share them at the same time. For example, here is a script that removes all shares of type 0 (we'll explain that in a moment):

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colShares = objWMIService.ExecQuery _
    ("Select * From Win32_Share Where Type = 0")

For Each objShare In colShares
    objShare.Delete
Next

Note: Don't panic. Although the method is called Delete, it only deletes the share (that is, it stops sharing the folder on the network). We agree that deleting the folder outright would also keep it off the network, but this method does not delete the folder or anything in it.

So why type 0? In WMI, a share of type 0 is a plain old disk share. There are other share types, the most common being the administrative shares (such as C$). The preceding script therefore stops sharing ordinary folders while leaving the other shares (administrative shares included) alone. If you want to remove all shares, just leave the Where clause out of the query:

Set colShares = objWMIService.ExecQuery("Select * From Win32_Share")

Note: What about share permissions? As mentioned above, we'll cover that in a future column.
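Since the point of the task is that a share is only as dangerous as the permissions on it, here is an added PowerShell example (not code from the original column) that goes one step beyond the VBScript: it lists every share together with its share-level permissions and flags shares that grant Everyone or another broad group anything more than Read. The inventory comes from Win32_Share and the DACL from Win32_LogicalShareSecuritySetting.GetSecurityDescriptor. Administrative shares (Type with the 0x80000000 bit set, such as C$) have no security-setting object and are reported without an ACL. The three access masks are the standard share-permission values for Full Control, Change and Read; anything else is shown in hex.

```powershell
# Added example (not the column's code): shares plus share-level permissions.
param([string]$ComputerName = 'localhost')

$FullControl = 0x1F01FF
$Change      = 0x1301BF
$Read        = 0x1200A9
$AdminBit    = [uint32]2147483648              # 0x80000000 in Win32_Share.Type
$broadGroups = 'Everyone', 'Authenticated Users', 'Users', 'ANONYMOUS LOGON', 'Guests'
$shareKinds  = @{ 0 = 'Disk'; 1 = 'Print queue'; 2 = 'Device'; 3 = 'IPC' }

$cim = @{}
if ($ComputerName -ne 'localhost') { $cim.ComputerName = $ComputerName }

function Get-ShareRightName([int64]$mask) {
    switch ($mask) {
        $FullControl { return 'Full Control' }
        $Change      { return 'Change' }
        $Read        { return 'Read' }
    }
    return ('0x{0:X}' -f $mask)
}

function Get-ShareReport {
    foreach ($share in Get-CimInstance @cim -ClassName Win32_Share) {
        $isAdmin = (($share.Type -band $AdminBit) -ne 0)
        $kind    = $shareKinds[[int]($share.Type -band 0x7FFFFFFF)]
        $aces    = @()
        $risky   = $false
        if (-not $isAdmin) {
            $name = $share.Name -replace "'", "\'"     # escape for the WQL filter
            $sec  = Get-CimInstance @cim -ClassName Win32_LogicalShareSecuritySetting -Filter "Name='$name'"
            if ($sec) {
                $sd = (Invoke-CimMethod -InputObject $sec -MethodName GetSecurityDescriptor).Descriptor
                foreach ($ace in $sd.DACL) {
                    $who   = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
                    $right = Get-ShareRightName $ace.AccessMask
                    $verb  = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = access allowed
                    $aces += "$verb $who : $right"
                    if ($ace.AceType -eq 0 -and $broadGroups -contains $ace.Trustee.Name -and $right -ne 'Read') {
                        $risky = $true
                    }
                }
            }
        }
        [pscustomobject]@{
            Name             = $share.Name
            Path             = $share.Path
            Kind             = $kind
            Administrative   = $isAdmin
            Permissions      = ($aces -join '; ')
            BroadWriteAccess = $risky
        }
    }
}

Get-ShareReport | Format-Table -AutoSize
```

Remember that share permissions are only half the story: the effective access is the more restrictive of the share ACL and the NTFS ACL on the folder, so a share that reads "Everyone : Full Control" is only as open as the NTFS permissions beneath it.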

Task 15: Check your Windows version

What does it mean when a script tells you which service pack is installed? On its own, not much: the same service pack number means you're current on Windows XP but hopelessly behind on Windows 2000 (Windows 2000 is now up to Service Pack 4). In other words, unless you know which version of Windows a computer is running, some of the information a script returns is meaningless. Here is a script that tells you:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * From Win32_OperatingSystem")

' Caption is the product name, Version the build number; the service pack
' string lives in the CSDVersion property of the same class.
For Each objOperatingSystem In colOperatingSystems
    Wscript.Echo objOperatingSystem.Caption, objOperatingSystem.Version
Next

Task 16: Check Office macro security

Microsoft Office lets users decide how macros embedded in documents are run. You can choose:

• High. Only macros from trusted sources are allowed to run. All other signed and unsigned macros are disabled.
• Medium. You can choose whether to run macros that may be unsafe.
• Low. All macros are allowed to run.

With macro security set to High, you keep the auto-run macros (macros that run automatically when you open a document or start a program) that could harm your computer from running at all. Setting Office to High security is undoubtedly a good idea to begin with, and being able to check that it is still set to High is even better. Checking the macro security level can be a bit awkward, because the registry value you need to read varies considerably with the version of Office installed. We don't have the energy here to discuss how to determine the Office version (hint: use the WMI class Win32_Product) and from that the appropriate registry path, but here at least is a script that retrieves the macro security level from Outlook 2002 (Office XP, whose registry version key is 10.0; Office 2000 uses 9.0). You should be able to adapt it to your needs and your installed Office version. One thing to keep in mind: when you read HKEY_CURRENT_USER through WMI on a remote computer, you get the hive of the account making the WMI connection, not the hive of whoever is logged on at that computer; to check another user's settings you have to read HKEY_USERS\<SID> instead.

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Office\10.0\Outlook\Security"
strValueName = "Level"
objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

' Level: 3 = High, 2 = Medium, 1 = Low. A Null means the value has never been
' written, so the application's built-in default applies.
If IsNull(dwValue) Then
    Wscript.Echo "Outlook macro security is not set; the application default applies."
ElseIf dwValue = 3 Then
    Wscript.Echo "Outlook macro security is set to High."
ElseIf dwValue = 2 Then
    Wscript.Echo "Outlook macro security is set to Medium."
Else
    Wscript.Echo "Outlook macro security is set to Low."
End If

The script above checks the Outlook macro security level. What if you want to check the level for Word, Excel, PowerPoint or Access? Just change the registry path accordingly:

strKeyPath = "Software\Microsoft\Office\10.0\Word\Security"
strKeyPath = "Software\Microsoft\Office\10.0\Excel\Security"
strKeyPath = "Software\Microsoft\Office\10.0\PowerPoint\Security"
strKeyPath = "Software\Microsoft\Office\10.0\Access\Security"
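Rather than guessing the Office version and hard-coding one path per application, you can let the registry tell you which versions are installed. The PowerShell script below is an added example, not code from the original column, and it generalizes the check: it walks HKCU\Software\Microsoft\Office\<version>\<application>\Security for every version key and application present and reports the macro setting it finds. Office 2000 through 2003 store it in Level (1 Low, 2 Medium, 3 High, 4 Very High); Office 2007 and later store VBAWarnings instead (1 enable all, 2 disable with notification, 3 disable except digitally signed, 4 disable all without notification). Walking the registry also avoids Win32_Product, which is slow and triggers a consistency check of every installed MSI package. The script reads the hive of the user running it, so run it in that user's context (or adapt it to HKEY_USERS\<SID>, as noted above).

```powershell
# Added example (not the column's code): report the macro security setting for every
# Office version and application found in the current user's hive.
$apps   = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access', 'Publisher'
$legacy = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'Very High' }                 # "Level"
$modern = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification'                # "VBAWarnings"
             3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }

function Get-OfficeMacroSetting {
    $results = @()
    foreach ($verKey in Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue) {
        if ($verKey.PSChildName -notmatch '^\d+\.\d+$') { continue }   # skip Common, Outlook, etc.
        foreach ($app in $apps) {
            $secPath = Join-Path $verKey.PSPath "$app\Security"
            if (-not (Test-Path $secPath)) { continue }
            $props = Get-ItemProperty $secPath
            if ($null -ne $props.VBAWarnings) {
                $value = [int]$props.VBAWarnings; $meaning = $modern[$value]; $source = 'VBAWarnings'
            } elseif ($null -ne $props.Level) {
                $value = [int]$props.Level; $meaning = $legacy[$value]; $source = 'Level'
            } else {
                $value = $null; $meaning = 'not set (application default applies)'; $source = ''
            }
            $results += [pscustomobject]@{
                Version     = $verKey.PSChildName
                Application = $app
                Source      = $source
                Value       = $value
                Meaning     = if ($meaning) { $meaning } else { "unknown value $value" }
                # 3 or 4 means unsigned macros never run without the user going out of the way.
                Acceptable  = ($null -ne $value -and $value -ge 3)
            }
        }
    }
    return $results
}

Get-OfficeMacroSetting | Format-Table -AutoSize
```

A missing value is reported as "not set" rather than assumed to be Low: the built-in default differs between Office versions, and a script that silently maps "absent" to the weakest level will raise false alarms on every freshly installed machine.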

Task 17: Check the Internet Explorer security zones

To protect users from malicious sites, Internet Explorer uses security zones to manage what a web site is and is not allowed to do when you visit it (run scripts, install ActiveX controls, and so on). By default the zones provide different levels of security: something that is permitted in the Local intranet zone (running scripts, for example) may be blocked in the Restricted sites zone.

If you want to know more about security zones, we recommend the Internet Explorer Enhanced Security Configuration white paper (it was written for Windows Server 2003, but the material applies to other versions of Windows as well). Here is a script that reports the security level of the Local intranet zone (zone 1):

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
strValueName = "CurrentLevel"
objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

' CurrentLevel holds one of four preset values; anything else means the
' user (or a policy) has customized the zone.
Select Case dwValue
    Case 73728   ' &H12000
        Wscript.Echo "The security zone is set to High security."
    Case 69632   ' &H11000
        Wscript.Echo "The security zone is set to Medium security."
    Case 66816   ' &H10500
        Wscript.Echo "The security zone is set to Medium-low security."
    Case 65536   ' &H10000
        Wscript.Echo "The security zone is set to Low security."
    Case Else
        Wscript.Echo "The security zone is set to Custom security."
End Select

You can also retrieve the security level of the Trusted sites zone (zone 2), the Internet zone (zone 3) and the Restricted sites zone (zone 4). Simply change the registry path accordingly:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

In most cases this approach gives you the information you need. The one problem you'll run into is when a user has changed one or more of a zone's settings. In that case the level is reported as Custom, and you have no way of knowing whether the new custom level is more or less strict than the original default. That's where scripting comes to the rescue again: you can use a script to determine (or configure) the individual settings in each security zone. For more on that, see the Internet Explorer Enhanced Security Configuration white paper, or keep an eye out for Tweakomatic. (No, that's not a typo. We really are going to build something called Tweakomatic. You'll just have to trust us on this one.)

Task 18: Check the Outlook security zone

Microsoft Outlook also uses Internet Explorer's security zones to decide whether scripts and active content in HTML-format messages are allowed to run. To keep scripts embedded in HTML messages from running on your computer, you need to do two things:

• Make sure that running scripts is disabled in the Internet Explorer security zone in question (in particular in the Restricted sites zone).
• Make sure Outlook uses that security zone.

The Outlook security zone is recorded in the registry; as before, the exact path to the value depends on which version of Office is installed. For Office XP (registry version 10.0), you can use the following script to determine Outlook's security zone:

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Office\10.0\Outlook\Options\General"
strValueName = "Security Zone"
objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

' The value is the Internet Explorer zone number (1 to 4).
Select Case dwValue
    Case 4
        Wscript.Echo "Outlook is using settings from the Restricted sites zone."
    Case 3
        Wscript.Echo "Outlook is using settings from the Internet zone."
    Case 2
        Wscript.Echo "Outlook is using settings from the Trusted sites zone."
    Case 1
        Wscript.Echo "Outlook is using settings from the Local intranet zone."
    Case Else
        Wscript.Echo "The Outlook security zone could not be determined."
End Select

On the vast majority of computers the Restricted sites zone has the most stringent security restrictions. Because of that, you may want to configure Outlook for all users so that it uses the Restricted sites zone for HTML mail. Here is a script that does just that:

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Office\10.0\Outlook\Options\General"
strValueName = "Security Zone"
dwValue = 4
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue
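Tasks 17 and 18 are really one check: Outlook must point at a zone, and that zone must actually block scripting. The PowerShell script below is an added example, not code from the original column, and serves both tasks. It reads the four Internet Explorer zones from the current user's hive, maps CurrentLevel to a preset name (or Custom), and, because a preset name says nothing about individual settings, also reads three specific URL actions per zone (the numeric action IDs and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are what Internet Explorer stores in the registry). It then finds the Outlook "Security Zone" value for every Office version under HKCU and checks that Outlook points at Restricted sites and that Active scripting is disabled there. A Group Policy copy of these keys under HKLM, when one exists, takes precedence and is not examined here.

```powershell
# Added example (not the column's code): IE zone levels, selected per-zone actions,
# and the Outlook security zone, cross-checked.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$presets   = @{ 0x12000 = 'High'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }
$actions   = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ActionMeaning($value) {
    if ($null -eq $value) { return 'not set' }
    switch ([int]$value) { 0 { return 'Enable' } 1 { return 'Prompt' } 3 { return 'Disable' } }
    return "value $value"
}

function Get-IEZoneReport {
    foreach ($zone in 1..4) {
        $p = Get-ItemProperty "$zonesKey\$zone" -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $level = 'Custom'
        if ($null -ne $p.CurrentLevel -and $presets.ContainsKey([int]$p.CurrentLevel)) {
            $level = $presets[[int]$p.CurrentLevel]
        }
        $detail = foreach ($id in $actions.Keys) { "$($actions[$id]) = $(Get-ActionMeaning $p.$id)" }
        [pscustomobject]@{
            Zone            = $zone
            Name            = $zoneNames[$zone]
            Level           = $level
            ActiveScripting = Get-ActionMeaning $p.'1400'
            Detail          = ($detail -join '; ')
        }
    }
}

function Get-OutlookZoneReport {
    $zones = @(Get-IEZoneReport)
    foreach ($verKey in Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue) {
        if ($verKey.PSChildName -notmatch '^\d+\.\d+$') { continue }
        $general = Join-Path $verKey.PSPath 'Outlook\Options\General'
        if (-not (Test-Path $general)) { continue }
        $zone = (Get-ItemProperty $general).'Security Zone'
        $zoneInfo = if ($null -ne $zone) { $zones | Where-Object { $_.Zone -eq [int]$zone } } else { $null }
        [pscustomobject]@{
            OfficeVersion          = $verKey.PSChildName
            OutlookZone            = if ($null -ne $zone) { $zoneNames[[int]$zone] } else { 'not set (application default)' }
            UsesRestrictedSites    = ([int]$zone -eq 4)
            ScriptingDisabledThere = [bool]($zoneInfo -and $zoneInfo.ActiveScripting -eq 'Disable')
        }
    }
}

Get-IEZoneReport | Format-Table -AutoSize
Get-OutlookZoneReport | Format-Table -AutoSize
```

The second table is the one to watch: a row with UsesRestrictedSites true but ScriptingDisabledThere false means someone relaxed the Restricted sites zone, and Outlook is only as safe as that zone.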

Last thoughts

Let us stress this once more: if Security Analyzer meets your needs, you don't have to write scripts that duplicate what Security Analyzer already does. (The Scripting Guys firmly believe you should never do work you don't have to do.) On the other hand, Security Analyzer can only perform the checks it was designed to perform, and that is its limitation. You may well decide there are other security checks that matter to you, checks that Security Analyzer can't do. For example, maybe you want to know whether all your users have a password-protected screen saver. Can Security Analyzer do that? No, but you can, with a very simple script:

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Control Panel\Desktop"
strValueName = "ScreenSaverIsSecure"
' The value is a string ("1" or "0"), so use GetStringValue rather than GetDWORDValue.
objReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

If strValue = "1" Then
    Wscript.Echo "The screen saver is password protected."
Else
    Wscript.Echo "The screen saver is not password protected."
End If

And, of course, you can go one step further and make the screen saver password-protected yourself:

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Control Panel\Desktop"
strValueName = "ScreenSaverIsSecure"
strValue = "1"
objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
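Two things make the simple version above weaker than it looks. First, ScreenSaverIsSecure = "1" only locks the session if a screen saver is actually selected and active and the idle timeout is reasonable; a password-protected screen saver that never starts protects nothing. Second, these values live in each user's own hive, so HKEY_CURRENT_USER as seen through a remote WMI call is the hive of the account making the call, not of the person logged on at the machine. The PowerShell script below is an added example, not code from the original column. It walks HKEY_USERS on the local machine for every loaded user hive (a hive is loaded while its user is logged on) and reports, per account, whether a screen saver is configured, active, password-protected and set to a sane idle timeout; with -Fix it writes the values the check needs. It must run as an administrator, the 15-minute limit is an assumed organizational value, and it does not look at the Group Policy copy under Software\Policies, which, when present, overrides these settings.

```powershell
# Added example (not the column's code): screen-saver lock check for every loaded user hive.
param(
    [int]$MaxTimeoutSeconds = 900,   # assumed organizational limit: 15 minutes
    [switch]$Fix
)

function Convert-SidToAccount([string]$sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $sid
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $sid }              # orphaned or unresolvable SID: show it raw
}

function Get-ScreenSaverReport {
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        $sid = $hive.PSChildName
        # Only real user accounts (domain or local): skips service SIDs and *_Classes hives.
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        $desktop = "Registry::HKEY_USERS\$sid\Control Panel\Desktop"
        if (-not (Test-Path $desktop)) { continue }
        $p = Get-ItemProperty $desktop
        $exe     = [string]$p.'SCRNSAVE.EXE'
        $active  = ($p.ScreenSaveActive -eq '1')
        $secure  = ($p.ScreenSaverIsSecure -eq '1')
        $timeout = 0
        if ([string]$p.ScreenSaveTimeOut -match '^\d+$') { $timeout = [int]$p.ScreenSaveTimeOut }
        # Without a screen saver executable nothing ever locks the session, whatever the
        # other values say, so that is a hard failure the script will not paper over.
        $compliant = ($exe -ne '') -and $active -and $secure -and
                     ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
        $changed = $false
        if (-not $compliant -and $Fix -and $exe -ne '') {
            Set-ItemProperty $desktop -Name ScreenSaveActive    -Value '1'
            Set-ItemProperty $desktop -Name ScreenSaverIsSecure -Value '1'
            if ($timeout -le 0 -or $timeout -gt $MaxTimeoutSeconds) {
                Set-ItemProperty $desktop -Name ScreenSaveTimeOut -Value ([string]$MaxTimeoutSeconds)
            }
            $changed = $true; $compliant = $true
        }
        [pscustomobject]@{
            Account           = Convert-SidToAccount $sid
            ScreenSaver       = $exe
            Active            = $active
            PasswordProtected = $secure
            TimeoutSeconds    = $timeout
            Compliant         = $compliant
            Changed           = $changed
        }
    }
}

Get-ScreenSaverReport | Format-Table -AutoSize
```

Values written this way are picked up the next time the desktop re-reads them (at the latest at the user's next logon), so do not expect a machine to lock itself the moment the script finishes.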

So perhaps you'll use Security Analyzer for some tasks and scripts for others. The point is that you should not look at security as an either/or proposition: either use Security Analyzer or write scripts. On the contrary, each works well in its own right, and scripts are usually best used to supplement the tools you already have rather than to replace them. Pick the right tool for the job at hand.

Or, at least, get your housekeeper to do it for you.

Please credit the original source when reprinting: https://www.9cbs.com/read-46897.html
