In this section, I'll give an overview and some examples of various command-line utilities that pertain to Windows security
that you can integrate into your scripts and programs.
1. SCWCMD
The Security Configuration Wizard (SCW) includes the Scwcmd.exe command-line tool. This tool is versatile and can perform many tasks that you might want to automate using scripts or batch files. Here, I'll briefly outline the most common tasks you will want to perform using SCWCMD.
1.1. Configuring servers with a policy
The most basic use of the command-line tool is to configure one or many servers with an SCW-generated policy. You can apply a policy to the local machine, to a remote machine using either its NetBIOS name or IP address, or to an entire organizational unit's worth of machines. For example, to apply the machine.xml policy to the current computer, simply use this:
scwcmd configure /p:machine.xml
To apply the policy to all of the machines in the FileServers OU within company.com, you need to use the full LDAP name within the arguments of the command. It should look something like this:
Scwcmd configure /ou:OU=FileServers,DC=company,DC=com /p:machine.xml
1.2. Analyzing machines for policy compliance
You can also analyze a machine, a list of servers, or an entire organizational unit against an SCW-generated policy. For example, to analyze your SQL Server machine with the sqlserver.xml policy, use the following:
scwcmd analyze /m:SQLservername /p:sqlserver.xml /u:administrator
Or, to analyze the SQL Servers organizational unit, use the following (note that the entire LDAP name must be used when specifying Active Directory-based containers with this command):
scwcmd analyze /ou:OU=SQLServers,DC=company,DC=com /p:sqlserver.xml /u:administrator
The results of running this command are returned to an XML file generated by the wizard, which you can view using another option in SCWCMD. I'll demonstrate that in a bit.
1.3. Roll back SCW policies
If you make a mistake and need to "undo" a policy application on either a local or remote machine, you can use the command-line tool to get the machine back up quickly. You can also use the /u switch to perform the operation using another user's credentials, if yours aren't sufficient on a remote machine. For example, to roll back a policy on the machine R2B2SRV1, use the following:
scwcmd rollback /m:R2B2SRV1 /u:administrator
You can also use an IP address if you aren't sure of the friendly name of a machine:
scwcmd rollback /m:192.168.2.2 /u:localadmin
1.4. Viewing analysis results
You can use the scwcmd view command to render the raw XML results file that the wizard generates with an XML transform file that makes the results easier to read. The directory %windir%\security\msscw\transformfiles contains .xsl transform files that are applied to the .xml results file during rendering.
To view a policy file, use the following syntax:
scwcmd view /x:policyfile.xml /s:policyview.xsl
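Putting the analyze and view subcommands together: the following PowerShell script is an added example, not from the book, that sweeps a list of servers against one policy using the scwcmd analyze syntax shown above, flags any machine whose analysis did not complete, and then renders one results file with the transform directory named above. The server names, policy path, results file name and the assumption that scwcmd.exe is on the PATH and returns exit code 0 on success are all mine, not the book's.

```powershell
# Added example (not from the book). Assumptions: scwcmd.exe is on the PATH and
# exits with 0 on success; server list, policy path and results file are sample values.
param(
    [string]   $Policy     = 'C:\Policies\sqlserver.xml',            # constructed sample path
    [string]   $User       = 'administrator',
    [string[]] $Servers    = @('SQL01', 'SQL02', '192.168.2.2'),      # constructed sample list
    [string]   $ResultsXml = 'SQL01.xml'   # placeholder: the XML file scwcmd analyze wrote for one machine
)

function Invoke-ScwAnalysis {
    param([string]$Machine, [string]$PolicyPath, [string]$UserName)

    # Same form as the book's example: scwcmd analyze /m:<machine> /p:<policy> /u:<user>
    & scwcmd analyze "/m:$Machine" "/p:$PolicyPath" "/u:$UserName" | Out-Null
    $code = $LASTEXITCODE

    [pscustomobject]@{
        Machine  = $Machine
        Policy   = Split-Path -Leaf $PolicyPath
        ExitCode = $code
        Status   = if ($code -eq 0) { 'analyzed' } else { 'failed' }
    }
}

# Analyze every server in turn and keep one record per machine.
$results = foreach ($s in $Servers) {
    Invoke-ScwAnalysis -Machine $s -PolicyPath $Policy -UserName $User
}
$results | Format-Table -AutoSize

# A non-zero exit code means no results file was produced for that machine
# (unreachable host, insufficient credentials, and so on), so call it out explicitly
# rather than silently moving on to the rendering step.
$failed = $results | Where-Object { $_.ExitCode -ne 0 }
if ($failed) {
    Write-Warning ('Analysis did not complete on: ' + (($failed | ForEach-Object Machine) -join ', '))
}

# Render one results file using the transform directory the book names
# (%windir%\security\msscw\transformfiles) and the .xsl name from the book's view example.
$xsl = Join-Path $env:windir 'security\msscw\transformfiles\policyview.xsl'
if (Test-Path $ResultsXml) {
    & scwcmd view "/x:$ResultsXml" "/s:$xsl"
} else {
    Write-Warning "Results file $ResultsXml not found; nothing to render."
}
```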
2. MBSACLI
The Microsoft Baseline Security Analyzer has a command-line counterpart that will allow you to perform local and remote security scans and display reports from scans you conducted previously. You simply run MBSACLI from the directory in which the MBSA is installed.
It's fairly simple to perform a full scan of a single computer:
Mbsacli /target computername
You can also scan the computer for updates only and create a report of the missing updates:
Mbsacli /target CORP\lj-wnxp-dsk /wa
There's a great deal more syntax and many more options available, including the ability to create more customized reports that can be graphically displayed, to send reports in XML format for external parsing, to scan a list of computers, and to use a custom update catalog file. Issue this command to learn more:
Mbsacli /?