Scripts running in the Windows Script Host are an essential part of Windows network administration. As you work with it, you quickly realize that scripting in Windows is a world of its own. The scripting language has evolved to the point where a script is a sophisticated program that can be run in either graphic mode (intended for users) or character mode (administrative scripts). The mode is controlled by the command you use to activate the script:
wscript scriptname
cscript scriptname
where wscript runs it in graphical mode and cscript runs it in character mode.
With the coming of script viruses such as ILOVEYOU.vbs, you should make sure the scripts you run are secure. The best way to do so is to sign your scripts with a digital certificate. First you’ll need to obtain the certificate. This can be done from a third-party certificate authority, or it can be done by yourself if you decide to use your own certificate server (a server function available in Windows Server 2003). Use Procedure DC-11 to do so.
SCRIPT CENTER
Signing a script with a certificate is a programmatic activity. Sample signature addition and management scripts are available at the Microsoft TechNet Script Center at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/monitor/default.asp?frame=true.
SECURITY SCAN
You can also encode scripts to protect them. You can find the Microsoft Script Encoder at http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe.
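The signing step described above, as an added example that is not code from the book or from the Script Center: it uses the Scripting.Signer object shipped with the Windows Script Host to sign a script file and then verify the signature without a prompt, so the check can run from cscript. The certificate name "Script Signing Cert", the "My" store, and the path C:\ToolKit\listservices.vbs are placeholders.

```vbscript
' Added example (not from the book): sign a WSH script with a
' code-signing certificate, then verify it before it is used.
' Assumptions (placeholders): a code-signing certificate named
' "Script Signing Cert" in the current user's "My" store, and a
' script to sign at C:\ToolKit\listservices.vbs.
Option Explicit

Const SCRIPT_FILE = "C:\ToolKit\listservices.vbs"  ' placeholder path
Const CERT_NAME   = "Script Signing Cert"           ' placeholder certificate subject
Const CERT_STORE  = "My"                            ' personal certificate store

Dim Signer
Set Signer = CreateObject("Scripting.Signer")

' Sign the file in place: SignFile appends a signature block
' (comment lines) to the end of the script.
On Error Resume Next
Signer.SignFile SCRIPT_FILE, CERT_NAME, CERT_STORE
If Err.Number <> 0 Then
    WScript.Echo "Signing failed: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Verify before use. The second argument (False) suppresses the
' interactive trust dialog so the check runs unattended under cscript.
' VerifyFile returns False if the signature is missing, the file was
' modified after signing, or the signer is not trusted on this machine.
If Signer.VerifyFile(SCRIPT_FILE, False) Then
    WScript.Echo "Signature valid: " & SCRIPT_FILE
    WScript.Quit 0
Else
    WScript.Echo "Signature missing, invalid or untrusted: " & SCRIPT_FILE
    WScript.Quit 2
End If
```

Run it with cscript so the messages and exit code are usable from a scheduled task; a non-zero exit code means the script should not be trusted.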
Every script you create and sign should be fully documented. This documentation should include all pertinent information on the script and should be reviewed and kept up-to-date on a weekly basis.
TIP
A sample Script Management Log can be found on the companion web site.
SCRIPT CENTER
You can use a script to document the contents of another script. Sample code is available at the Microsoft TechNet Script Center at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/other/ScrOth03.asp?frame=true.
Writing scripts can be challenging when you aren’t familiar with either the Windows Management Instrumentation (WMI) or the Active Directory Services Interface (ADSI). This is why it is a great idea to use the Microsoft Scriptomatic utility to generate scripts for you. Scriptomatic is available from the Microsoft Download Center. Just search for Scriptomatic at www.microsoft.com/downloads. In addition, a good scripting primer is available at http://msdn.microsoft.com/library/en-us/dnclinic/html/scripting06112002.asp.
Installing Scriptomatic is simply a matter of unzipping the file from the downloaded compressed archive. You should store the scriptomatic.hta file in the C:\ToolKit folder. You can also use a Run As shortcut (see Procedure GS-01) to execute Scriptomatic and place it in the Quick Launch Area.
To write a script with Scriptomatic:
1. Launch scriptomatic.hta or your Run As shortcut.
2. In Scriptomatic, select the WMI class you want to work with. Each class name begins with Win32_, so you only need to pay attention to the last part of the class name. For example, to write a script that lets you view the status of every service, select the Win32_Service class. Scriptomatic automatically generates the proper script (see Figure 1-2).
3. Click Run. Scriptomatic will launch a command console to run the script.
4. Click Save to save the script to a file (VBS extension).
Figure 1-2. To generate a script listing local groups on a computer, select the Win32_Group class in Scriptomatic.
You can use these scripts to perform administrative tasks and capture the output. To do so, use the following command:
cscript scriptname.vbs >filename.txt
where scriptname.vbs is the name of the script you want to run and filename.txt is the name of the output file you want to create. You can use Procedure GS-19 to place this command in a scheduled task and run it on a regular basis. You can use Scriptomatic to help you generate your logon script. You may need to combine portions of a WMI script with portions of an ADSI script to generate a complete logon script. Use Procedure DC-31 to do so.
In addition to a logon script, you may also want to display a pre-logon message to your users. This helps make sure users are forewarned of the legal consequences of the misuse of IT equipment and information. Once again, this is done through a GPO. Use Procedure DC-16 to edit the appropriate GPO and modify the following settings to display a logon message:
• User Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive Logon: Message title for users attempting to log on
• User Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive Logon: Message text for users attempting to log on