Learning Windows Server 2003
7.7. Command-Line Utilities
In this section, I'll give an overview and some examples of various command-line utilities that pertain to Windows security that you can integrate into your scripts and programs.

7.7.1. SCWCMD

The Security Configuration Wizard (SCW) includes the Scwcmd.exe command-line tool. This tool is versatile and can perform many tasks that you might want to automate using scripts or batch files. Here, I'll briefly outline the most common tasks you will want to perform using SCWCMD.

7.7.1.1. Configuring servers with a policy
The most basic use of the command-line tool is to configure one or many servers with an SCW-generated policy. You can apply a policy to the local machine, to a remote machine using either its NetBIOS name or IP address, or to an entire organizational unit's worth of machines. For example, to apply the machine.xml policy to the current computer, simply use this:

    scwcmd configure /p:machine.xml

To apply the policy to all of the machines in the FileServers OU within company.com, you need to use the full LDAP name within the arguments of the command. It should look something like this:

    scwcmd configure /ou:OU=FileServers,DC=company,DC=com /p:machine.xml

7.7.1.2. Analyzing machines for policy compliance
You can also analyze a machine, a list of servers, or an entire organizational unit with an SCW-generated policy. For example, to analyze your SQL Server machine with the sqlserver.xml policy, use the following:

    scwcmd analyze /m:SQLservername /p:sqlserver.xml /u:administrator

Or, to analyze the SQL Servers organizational unit, use the following. (Note that the entire LDAP name needs to be used when specifying Active Directory-based containers with this command.)

    scwcmd analyze /ou:OU=SQLServers,DC=company,DC=com /p:sqlserver.xml /u:administrator

The results of running this command are returned to an XML file generated by the wizard, which you can view using another option in SCWCMD. I'll demonstrate that in a bit.

7.7.1.3. Roll back SCW policies
If you make a mistake and need to "undo" a policy application on either a local or remote machine, you can use the command-line tool to get the machine back up quickly. You can also use the /u switch to perform the operation using another user's credentials, if yours aren't sufficient on a remote machine. For example, to roll back a policy on the machine R2B2SRV1, use the following:

    scwcmd rollback /m:R2B2SRV1 /u:administrator

You can also use an IP address if you aren't sure of the friendly name of a machine:

    scwcmd rollback /m:192.168.2.2 /u:localadmin
7.7.1.4. Viewing analysis results
You can use the scwcmd view command to render the raw XML results file that the wizard generates with an XML transform file that makes the results easier to read. The directory %windir%\security\msscw\transformfiles contains .xsl transform files which are applied to the .xml policy file for the rendering process. To view a policy file, use the following syntax:

    scwcmd view /x:policyfile.xml /s:policyview.xsl

7.7.2. MBSACLI
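As an added example that is not from the book, the batch file below strings the analyze and view steps together for a list of servers, which is the kind of script this section is meant to enable. The servers.txt list file, the scw-results output directory and the use of the scwcmd analyze /o: output-directory switch are assumptions of this script, as is the result file being named after the machine (<name>.xml).

```batch
@echo off
setlocal enabledelayedexpansion
rem Analyze every server in servers.txt (one NetBIOS name or IP per line,
rem lines starting with # ignored) against an SCW policy, then render each
rem result file with the transform given on the command line.
rem Usage: scw-audit.cmd policy.xml transform.xsl [domain\user]
if "%~2"=="" (
    echo Usage: %~nx0 policy.xml transform.xsl [domain\user]
    exit /b 1
)
set POLICY=%~1
set XSL=%~2
set ACCOUNT=%~3
if "%ACCOUNT%"=="" set ACCOUNT=administrator

rem Assumed layout: servers.txt and the results directory sit next to the script.
set LISTFILE=%~dp0servers.txt
set OUTDIR=%~dp0scw-results
if not exist "%LISTFILE%" (
    echo Server list %LISTFILE% not found.
    exit /b 1
)
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

set FAILED=0
for /f "usebackq eol=# tokens=* delims=" %%S in ("%LISTFILE%") do (
    echo Analyzing %%S against %POLICY% ...
    rem /o: directs the XML result into OUTDIR instead of the current directory
    scwcmd analyze /m:%%S /p:"%POLICY%" /o:"%OUTDIR%" /u:%ACCOUNT%
    if errorlevel 1 (
        echo   analysis of %%S failed, errorlevel !errorlevel!
        set /a FAILED+=1
    ) else if exist "%OUTDIR%\%%S.xml" (
        rem Render the raw result XML with the .xsl so it reads like a report
        scwcmd view /x:"%OUTDIR%\%%S.xml" /s:"%XSL%"
    ) else (
        echo   no result file found for %%S in %OUTDIR%
        set /a FAILED+=1
    )
)
echo Done. %FAILED% server(s) produced no result; results are in %OUTDIR%
endlocal
exit /b %FAILED%
```

Because only /u: is given, scwcmd prompts for that account's password for each machine rather than having a password embedded in the script.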
The Microsoft Baseline Security Analyzer has a command-line counterpart that will allow you to perform local and remote security scans and display reports from scans you conducted previously. You simply run MBSACLI from the directory in which the MBSA is installed. It's fairly simple to perform a full scan of a single computer:

    Mbsacli /target computername

You can also scan the computer for updates only and create a report of the missing updates:

    Mbsacli /target CORP\lj-wnxp-dsk /wa

There's a great deal more syntax and options available, including the ability to create more customized reports that can be graphically displayed, sending reports in XML format for external parsing, scanning a list of computers, and using a custom update catalog file. Issue this command to learn more:

    Mbsacli /?