Category Archives: Windows

Windows

VeraCrypt

VeraCrypt is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, metadata, etc.).

Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted VeraCrypt volume. Similarly, files that are being written or copied to the VeraCrypt volume are automatically being encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for VeraCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let’s suppose that there is an .avi video file stored on a VeraCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the VeraCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type – typically a media player. The media player then begins loading a small initial portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, VeraCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading another small portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types (not only for video files).


Block IP Addresses With Windows Firewall 2008, 2012

If you ever feel that someone may be trying to break into your FTP or IIS server, or you know an IP address that you want to block from accessing your server, there is a built-in firewall on all of our 2008-2012 Windows servers. You can use this firewall to block either a range of IP addresses or a single address.

Turning Windows Firewall On

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

  • Domain Profile – Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
  • Private Profile – Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
  • Public Profile – Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.
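The following is an added example, not part of the original post: it blocks a single address, a subnet and a range in one inbound rule applied to all three profiles, using netsh so that it works on both Server 2008 and 2012. The rule name is hypothetical, the addresses are constructed samples from the RFC 5737 documentation ranges, and refusing prefixes shorter than /8 is an assumed safety policy.

```powershell
# Added example: one inbound block rule covering all three firewall profiles.
$ruleName = 'Block-Inbound-Listed-IPs'   # hypothetical rule name
$entries  = @('203.0.113.45', '198.51.100.0/24', '192.0.2.10-192.0.2.20')   # constructed samples

function Test-IPv4 ([string]$Text) {
    # Strict dotted-quad check; the round trip rejects shorthand such as "1" or "10.1".
    $ip = $null
    [System.Net.IPAddress]::TryParse($Text, [ref]$ip) -and
        $ip.AddressFamily -eq 'InterNetwork' -and $ip.ToString() -eq $Text
}

function Test-BlockEntry ([string]$Entry) {
    # Accept a single address, a CIDR subnet (a.b.c.d/n) or a range (a.b.c.d-e.f.g.h).
    if ($Entry -match '^([\d.]+)/(\d{1,2})$') {
        $net = $Matches[1]; $prefix = [int]$Matches[2]
        # Assumed policy: refuse anything wider than /8 so a typo cannot block the whole Internet.
        return (Test-IPv4 $net) -and $prefix -ge 8 -and $prefix -le 32
    }
    if ($Entry -match '^([\d.]+)-([\d.]+)$') {
        $first = $Matches[1]; $last = $Matches[2]
        return (Test-IPv4 $first) -and (Test-IPv4 $last)
    }
    return (Test-IPv4 $Entry)
}

$bad = @($entries | Where-Object { -not (Test-BlockEntry $_) })
if ($bad.Count -gt 0) { throw "Refusing to create rule, invalid entries: $($bad -join ', ')" }

# Run from an elevated prompt. remoteip takes a comma-separated list.
$netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$ruleName",
               'dir=in', 'action=block', 'profile=any', 'enable=yes',
               "remoteip=$($entries -join ',')")
& netsh.exe @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Confirm the rule exists and that the firewall is actually on for each profile.
& netsh.exe advfirewall firewall show rule "name=$ruleName"
& netsh.exe advfirewall show allprofiles state
```

netsh does not reject duplicate rule names, so running the script twice creates a second rule with the same name.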


File System Redirector

The %windir%\System32 directory is reserved for 64-bit applications. Most DLL file names were not changed when 64-bit versions of the DLLs were created, so 32-bit versions of the DLLs are stored in a different directory. WOW64 hides this difference by using a file system redirector.

In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64. Access to %windir%\lastgood\system32 is redirected to %windir%\lastgood\SysWOW64. Access to %windir%\regedit.exe is redirected to %windir%\SysWOW64\regedit.exe.

If the access causes the system to display the UAC prompt, redirection does not occur. Instead, the 64-bit version of the requested file is launched. To prevent this problem, either specify the SysWOW64 directory to avoid redirection and ensure access to the 32-bit version of the file, or run the 32-bit application with administrator privileges so the UAC prompt is not displayed.
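The redirection described above matters for integrity checks and forensic collection: a 32-bit tool that hashes a file under System32 is really hashing the SysWOW64 copy. The following added example (not part of the original text) shows the three views side by side. It goes beyond the excerpt by using the Sysnative alias, which Windows exposes only to 32-bit processes to reach the 64-bit System32, and it assumes PowerShell 4 or later for Get-FileHash; the function name is hypothetical.

```powershell
# Added example: compare what one process sees under System32, SysWOW64 and Sysnative.
# Run it once from 64-bit PowerShell and once from the 32-bit host at
# %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe and compare the output.
function Get-RedirectionView ([string]$FileName = 'cmd.exe') {
    # True only for a 32-bit process on 64-bit Windows, where the redirector is active.
    $isWow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess

    $views = [ordered]@{
        'System32 (path as requested)' = Join-Path $env:windir "System32\$FileName"
        'SysWOW64 (32-bit copy)'       = Join-Path $env:windir "SysWOW64\$FileName"
        'Sysnative (64-bit copy)'      = Join-Path $env:windir "Sysnative\$FileName"
    }

    foreach ($label in $views.Keys) {
        $path = $views[$label]
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        } else {
            # Sysnative does not exist for 64-bit processes.
            $hash = '<not visible to this process>'
        }
        [pscustomobject]@{
            RedirectorActive = $isWow64
            View             = $label
            Path             = $path
            SHA256           = $hash
        }
    }
}

Get-RedirectionView -FileName 'cmd.exe' | Format-Table -AutoSize
```

In the 32-bit host the System32 and SysWOW64 rows carry the same hash and the Sysnative row differs; in the 64-bit host the System32 row is the 64-bit file and Sysnative is not visible.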

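Windows Events Command Line Utility

Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs.

Usage:

You can use either the short (for example, ep /uni) or long (for example, enum-publishers /unicode) version of the command and option names. Commands, options and option values are not case-sensitive.

Variables are noted in all upper-case.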

wevtutil COMMAND [ARGUMENT [ARGUMENT] …] [/OPTION:VALUE [/OPTION:VALUE] …]


Modify an SMTP Service Property

ADSI:
strComputer = "LocalHost"

Set objIIS = GetObject("IIS://" & strComputer & "/SMTPSVC/1")
objIIS.FullyQualifiedDomainName = "stmp.517sou.net"
objIIS.SetInfo

'Wscript.Echo "OK!"

cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set /Smtpsvc/1/FullyQualifiedDomainName "stmp.517sou.net"

PowerShell & WMI

Set-ExecutionPolicy RemoteSigned
function Configure-SMTPService ([string]$incomingEMailDomainName, [int]$incomingEMailMaxMessageSize)
{
    Write-Host -Foregroundcolor White " -> Changing the start-up type of SMTP service to 'Automatic'..."
    Set-Service "SMTPSVC" -StartupType Automatic -ErrorAction SilentlyContinue
    if ($?)
    {
        Write-Host -Foregroundcolor Green " [OK] Successfully changed startup type."
    }
    else
    {
        Write-Host -Foregroundcolor Red " [Error] Unable to change startup type."
        Exit
    }

    Write-Host -Foregroundcolor White " -> Starting SMTP service..."
    Start-Service "SMTPSVC" -ErrorAction SilentlyContinue

    if ($?)
    {
        Write-Host -Foregroundcolor Green " [OK] Service successfully started."
    }
    else
    {
        Write-Host -Foregroundcolor Red " [Error] Unable to start service."
        Exit
    }

    # A great tool for exploring the WMI namespace is Scriptomatic:
    # http://www.microsoft.com/en-us/download/details.aspx?id=12028
    Write-Host -Foregroundcolor White " -> Creating incoming SMTP domain..."

    # First create a new SMTP domain. The path 'SmtpSvc/1' is the first virtual SMTP server.
    # If you need to modify another virtual SMTP server, change the path accordingly.
    try
    {
        $smtpDomains = [wmiclass]'root\MicrosoftIISv2:IIsSmtpDomain'
        $newSMTPDomain = $smtpDomains.CreateInstance()
        $newSMTPDomain.Name = "SmtpSvc/1/Domain/$incomingEMailDomainName"
        $newSMTPDomain.Put() | Out-Null
        Write-Host -Foregroundcolor Green " [OK] Successfully created incoming email domain."
    }
    catch
    {
        Write-Host -Foregroundcolor Red " [Error] Unable to create incoming email domain."
        Exit
    }

    Write-Host -Foregroundcolor White " -> Configuring incoming SMTP domain..."

    try
    {
        # Configure the new SMTP domain as an alias domain
        $smtpDomainSettings = [wmiclass]'root\MicrosoftIISv2:IIsSmtpDomainSetting'
        $newSMTPDomainSetting = $smtpDomainSettings.CreateInstance()

        # Set the type of the domain to "Alias"
        $newSMTPDomainSetting.RouteAction = 16

        # Map the settings to the domain we created in the first step
        $newSMTPDomainSetting.Name = "SmtpSvc/1/Domain/$incomingEMailDomainName"
        $newSMTPDomainSetting.Put() | Out-Null
        Write-Host -Foregroundcolor Green " [OK] Successfully configured incoming email domain."
    }
    catch
    {
        Write-Host -Foregroundcolor Red " [Error] Unable to configure incoming e-mail domain."
        Exit
    }

    Write-Host -Foregroundcolor White " -> Configuring virtual SMTP server..."

    try
    {
        $virtualSMTPServer = Get-WmiObject IISSmtpServerSetting -namespace "ROOT\MicrosoftIISv2" | Where-Object { $_.name -like "SmtpSVC/1" }

        # Set maximum message size (in bytes)
        $virtualSMTPServer.MaxMessageSize = ($incomingEMailMaxMessageSize * 1024)

        # Disable session size limit
        $virtualSMTPServer.MaxSessionSize = 0

        # Set maximum number of recipients
        $virtualSMTPServer.MaxRecipients = 0

        # Set maximum messages per connection
        $virtualSMTPServer.MaxBatchedMessages = 0
        $virtualSMTPServer.Put() | Out-Null
        Write-Host -Foregroundcolor Green " [OK] Successfully configured virtual SMTP server."
    }
    catch
    {
        Write-Host -Foregroundcolor Red " [Error] Unable to configure virtual SMTP server."
        Exit
    }
}
Configure-SMTPService "sp.mydomain.local" 10240

Puppet deployment:
configWinSMTPSVC.vbs

strComputer = "LocalHost"
 
Set objIIS = GetObject("IIS://" & strComputer & "/SMTPSVC/1")
Wscript.Echo "FullyQualifiedDomainName(Before): " & objIIS.FullyQualifiedDomainName
strFQDN = Trim(objIIS.FullyQualifiedDomainName)
If Instr(strFQDN,"517sou.net") = 0 Then
	objIIS.FullyQualifiedDomainName = "smtp.517sou.net"
	objIIS.SetInfo
End If
Wscript.Echo "FullyQualifiedDomainName(After): " & objIIS.FullyQualifiedDomainName

class configWinSMTPSVC {
  file { 'C:/Windows/Temp/configWinSMTPSVC.vbs':
    ensure             => 'file',
    alias              => "configWinSMTPSVCvbs",
    source_permissions => ignore,
    group              => 'Administrators',
    source             => "puppet://puppet.zzy.com/files/windows/smtpsvc/configWinSMTPSVC.vbs",
  }
  exec { 'exec-configWinSMTPSVC':
    path    => $::path,
    command => 'cmd.exe /c cscript.exe //Nologo C:/Windows/Temp/configWinSMTPSVC.vbs',
    require => File['configWinSMTPSVCvbs'],
  }
}

Get the Windows administrator user name and its SID

GetAdminName.vbs:

'''''Code Start '''''
Wscript.Echo GetAdminName

Function GetAdminName 
	Set objNetwork = CreateObject("Wscript.Network") 	'get the current computer name
	objComputerName = objNetwork.ComputerName

	Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)
	qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'" 'set query, making sure to only look at local computer

	For Each Admin in objwmi.ExecQuery(qry)
		if (left(admin.sid, 6) = "S-1-5-" and right(admin.sid,4) = "-500") then 	'look for admin sid
			GetAdminName = admin.name
		end if
	next
End Function

'''''Code End'''''

Capture the .vbs return value in a .bat file
GetAdminName.bat

@echo off
REM Run the GetAdminName.vbs script shown above and capture its output line
for /f "delims=" %%x in ('cscript //nologo GetAdminName.vbs') do (
    set sFileName=%%x
)
echo %sFileName%
REM pause.

Query a user's SID from the command line

C:\Users\Administrator>wmic useraccount where "SID like 'S-1-5-%-500'" get sid
SID
S-1-5-21-2837057897-1460117072-2570820871-500

E:\temp>wmic useraccount where "SID like 'S-1-5-%-%'" get caption,sid
Caption SID
SHANE-WORKPLACE\Administrator S-1-5-21-4246277841-3966888941-2683127511-500
SHANE-WORKPLACE\DefaultAccount S-1-5-21-4246277841-3966888941-2683127511-503
SHANE-WORKPLACE\Guest S-1-5-21-4246277841-3966888941-2683127511-501
SHANE-WORKPLACE\Shane.Wan S-1-5-21-4246277841-3966888941-2683127511-1001

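Windows PowerShell – Writing Windows Services in PowerShell

Windows services are normally compiled programs written in C, C++, C# or other Microsoft .NET Framework-based languages, and debugging such services can be fairly difficult. A few months ago, inspired by other operating systems that allow writing services as simple shell scripts, I began to wonder if there could be an easier way to create them in Windows as well.

This article presents the end result of that effort: a novel and easy way to create Windows services, by writing them in the Windows PowerShell scripting language. No more compilation, just a quick edit/test cycle that can be done on any system, not just the developer's own.

I provide a generic service script template called PSService.ps1 that allows you to create and test new Windows services in minutes, with just a text editor like Notepad. This technique can save a lot of time and development effort for anyone who wants to experiment with Windows services, or even to provide real services for Windows when performance isn't a critical factor. PSService.ps1 can be downloaded from bit.ly/1Y0XRQB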

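Windows Server 2012 R2: policy settings for multiple sessions by the same user

1. Press Win+R, type Gpedit.msc, and press Enter;
2. Open "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Remote Desktop Services" > "Remote Desktop Session Host" > "Connections";
3. Disable "Restrict Remote Desktop Services users to a single Remote Desktop Services session"; enable "Limit number of connections" and enter the number of simultaneous connections.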

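HOW TO: Configure IPSec Tunneling in Windows

You can use IP Security (IPSec) in tunnel mode to encapsulate Internet Protocol (IP) packets and optionally encrypt them. The primary reason for using IPSec tunnel mode (sometimes referred to as "pure IPSec tunnel") in Windows Server 2003 is interoperability with non-Microsoft routers or gateways that do not support Layer 2 Tunneling Protocol (L2TP)/IPSec or PPTP virtual private network (***) tunneling technology.
Windows Server 2003 supports IPSec tunneling where both tunnel endpoints have static IP addresses. This is primarily useful in gateway-to-gateway scenarios. However, it can also be used in specialized network security scenarios between a gateway or router and a server. (For example, a Windows Server 2003 router that routes traffic from its external interface to an internal Windows Server 2003-based computer, which secures the internal path by establishing an IPSec tunnel to the internal server that provides services to the external clients.)

Windows Server 2003 IPSec tunneling is not supported for client remote access *** use, because the Internet Engineering Task Force (IETF) IPSec Requests for Comments (RFCs) do not currently provide a remote access solution in the Internet Key Exchange (IKE) protocol for client-to-gateway connections. IETF RFC 2661, Layer 2 Tunneling Protocol (L2TP), was developed by Cisco, Microsoft and other companies specifically to provide client remote access *** connections. In Windows Server 2003, client remote access *** connections are protected by an automatically generated IPSec policy that uses IPSec transport mode (not tunnel mode) when the L2TP tunnel type is selected.

Windows Server 2003 IPSec tunneling also does not support protocol-specific and port-specific tunnels. Although the Microsoft Management Console (MMC) IPSec Policy snap-in is very general and allows you to associate any type of filter with a tunnel, make sure that you use only address information when you specify the filter for a tunnel rule.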


New Clustering Utility – Remote Desktop Connection Manager

Hi Cluster Fans,

We wanted to let you know about a new tool which will significantly help you manage your cluster deployments. Remote Desktop Connection Manager is actually not cluster-specific, but it allows you to logically group server remote desktop connections – ideal if you are working with clusters for easy access to all the nodes within the cluster.