
Anhang F: Beispieltestskripts

Betrifft: Windows Server 2008, Windows Vista

Im Folgenden finden Sie den Inhalt der drei Beispieltestskripts, mit deren Hilfe Sie prüfen können, ob Ihre Active Directory-Konfiguration die Sicherung der Wiederherstellungsinformationen für BitLocker und das TPM-Besitzerkennwort für Active Directory unterstützt.

Informationen zur Verwendung erhalten Sie, indem Sie die einzelnen Skripts mit dem Parameter -? ausführen.

Hinweis
Informationen zum Download dieser Dateien finden Sie (möglicherweise in englischer Sprache) unter http://go.microsoft.com/fwlink/?LinkId=78953.

List-ACEs.vbs

Dieses Skript listet die Zugriffssteuerungseinträge (Access Control Entries, ACEs) auf, die für die BitLocker- und TPM-Schemaobjekte der Top-Level-Domäne konfiguriert sind, oder entfernt diese Einträge. Sie können dieses Skript verwenden, um sicherzustellen, dass die erwarteten ACEs richtig hinzugefügt wurden, oder um alle zu BitLocker oder dem TPM gehörenden ACEs zu entfernen.

Hinweis
In einer abgeschlossenen Konfiguration ohne Delegierung von Berechtigungen sollte nur ein zum TPM gehörender ACE vorhanden sein.

Dateiinhalt

'=============================================================================== ' ' This script lists the access control entries (ACE's) configured on ' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects ' for the top-level domain. ' ' Use this script to check that the correct permissions have been set. ' Also use this script to remove TPM and BitLocker ACE's from the top-level domain. ' ' Reference: "Using Scripts to Manage Active Directory Security" ' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx ' and MSDN documentation. ' ' Last Updated: 1/30/2006 ' Microsoft Corporation ' ' Disclaimer ' ' The sample scripts are not supported under any Microsoft standard support program ' or service. The sample scripts are provided AS IS without warranty of any kind. ' Microsoft further disclaims all implied warranties including, without limitation, ' any implied warranties of merchantability or of fitness for a particular purpose. ' The entire risk arising out of the use or performance of the sample scripts and ' documentation remains with you. In no event shall Microsoft, its authors, or ' anyone else involved in the creation, production, or delivery of the scripts be ' liable for any damages whatsoever (including, without limitation, damages for loss ' of business profits, business interruption, loss of business information, or ' other pecuniary loss) arising out of the use of or inability to use the sample ' scripts or documentation, even if Microsoft has been advised of the possibility ' of such damages. ' '===============================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

' Print the command-line help for List-ACEs and end the script.
' Both forms are described: the plain call (list only) and "-remove".
' Control never returns to the caller because WScript.Quit ends the process.
Sub ShowUsage
    Dim usageLines, msg
    usageLines = Array( _
        "USAGE: List-ACEs", _
        "List access permissions for BitLocker and TPM schema objects", _
        "", _
        "USAGE: List-ACEs -remove", _
        "Removes access permissions for BitLocker and TPM schema objects")
    For Each msg In usageLines
        WScript.Echo msg
    Next
    WScript.Quit
End Sub


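' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

' No argument: list the ACEs. "-remove" (any case): list and then remove them.
' "/?" or "-?" or more than one argument: print the usage text and exit.
' removeACE is read by the listing loop and the removal section further down.
Set args = WScript.Arguments

removeACE = False  ' default is list-only; removal must be requested explicitly

Select Case args.Count

    Case 0
        ' do nothing - checks for ACE's
        removeACE = False

    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            ' Any other single argument is silently treated as "list only"
            If UCase(args(0)) = "-REMOVE" Then
                removeACE = True
            End If
        End If

    Case Else
        ShowUsage

End Select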

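' --------------------------------------------------------------------------------
' Configuration of the filter to show/remove only ACE's for BDE and TPM objects
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"

'- ms-FVE-RecoveryInformation object
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

' Use this filter to list/remove only ACEs related to TPM and BitLocker.
' An ACE matches when its ObjectType or InheritedObjectType equals one of
' these schema GUIDs (see isAceWithinFilter). The removal section refuses
' to write the DACL back while this array is empty, so the script cannot
' strip every ACE from the domain object by accident.
aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _
                      SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION)

' Note to script source reader:
' Uncomment the following line to turn off the filter and list all ACEs
'aceGuidFilter = Array()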


' --------------------------------------------------------------------------------
' Helper functions related to the list filter for listing or removing ACE's
' --------------------------------------------------------------------------------

' True when aceGuidFilter holds at least one GUID, i.e. listing and removal
' are restricted to TPM/BitLocker ACEs. An empty array joins to "".
Function IsFilterActive()
    IsFilterActive = (Join(aceGuidFilter) <> "")
End Function


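' Return True when the ACE is scoped to one of the GUIDs in aceGuidFilter,
' either through its ObjectType or through its InheritedObjectType.
' ace is expected to be an access control entry taken from the domain DACL
' (it must expose ObjectType and InheritedObjectType).
' Fix: the original assigned the default to a misspelled name
' ("aceWithinFilter"), so the function's own return value was never set to
' False and only worked because an unset return value compares unequal to True.
Function isAceWithinFilter(ace)

    isAceWithinFilter = False  ' assume first not pass the filter

    For Each guid In aceGuidFilter
        If ace.ObjectType = guid Or ace.InheritedObjectType = guid Then
            isAceWithinFilter = True
            Exit For  ' one match is enough
        End If
    Next

End Function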

' Echo every GUID in aceGuidFilter, one per line (debugging aid for a custom filter).
Sub displayFilter
    Dim idx
    For idx = 0 To UBound(aceGuidFilter)
        WScript.Echo aceGuidFilter(idx)
    Next
End Sub


' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------

' Bind to the domain head named by rootDSE's defaultNamingContext and fetch
' the discretionary ACL of its security descriptor. Everything below reads
' this DACL and, with -remove, writes a modified copy of it back.
Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com

Set domain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + domain.Get("distinguishedName")
WScript.Echo ""

Set descriptor = domain.Get("ntSecurityDescriptor")
Set dacl = descriptor.DiscretionaryAcl


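' --------------------------------------------------------------------------------
' Show Access Control Entries (ACE's)
' --------------------------------------------------------------------------------

' Loop through the existing ACEs, including all ACEs if the filter is not active.
' Fix: "c = 0" had been swallowed into the comment of the previous line, so the
' found counter started out unset.

i = 1 ' global index
c = 0 ' found count - relevant if filter is active

For Each ace In dacl

    If IsFilterActive() = False Or isAceWithinFilter(ace) = True Then

        ' note to script source reader:
        ' echo i to show the index of the ACE

        WScript.echo ">            AceFlags: " & ace.AceFlags
        WScript.echo ">             AceType: " & ace.AceType
        WScript.echo ">               Flags: " & ace.Flags
        WScript.echo ">          AccessMask: " & ace.AccessMask
        WScript.echo ">          ObjectType: " & ace.ObjectType
        WScript.echo "> InheritedObjectType: " & ace.InheritedObjectType
        WScript.echo ">             Trustee: " & ace.Trustee
        WScript.echo ""

        If IsFilterActive() = True Then
            c = c + 1

            ' optionally include this ACE in removal list if configured
            ' note that the filter being active is a requirement since we don't
            ' want to accidentially remove all ACEs
            ' NOTE(review): RemoveAce is called on the DACL that is being
            ' enumerated by this For Each; confirm that every remaining entry
            ' is still visited after a removal before relying on c as the
            ' number of ACEs actually removed.
            If removeACE = True Then
                dacl.RemoveAce ace
            End If

        End If

    End If

    i = i + 1

Next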


' Display number of ACEs found

Dim domainDn
domainDn = domain.Get("distinguishedName")

If IsFilterActive() = True Then

    ' c counts only ACEs that passed the filter
    WScript.echo c & " ACE(s) found in " & domainDn & " related to BitLocker and TPM" 'note to script source reader: change this line if you configure your own filter

    ' note to script source reader:
    ' uncomment the following lines if you configure your own filter
    'WScript.echo ""
    'WScript.echo "The following filter was active: "
    'displayFilter
    'Wscript.echo ""

Else

    ' i was incremented once more after the last ACE, so step it back to the count
    i = i - 1
    WScript.echo i & " total ACE(s) found in " & domainDn

End If


' --------------------------------------------------------------------------------
' Optionally remove ACE's on a filtered list
' --------------------------------------------------------------------------------

' Writing the modified DACL back changes the permissions on the domain head
' itself, so it only happens when -remove was given AND a filter is active
' (with an empty filter the loop above would have matched every ACE).
If removeACE = True And IsFilterActive() = True Then

    descriptor.DiscretionaryAcl = dacl
    domain.Put "ntSecurityDescriptor", Array(descriptor)
    domain.setInfo

    WScript.echo c & " ACE(s) removed from " & domain.Get("distinguishedName")

ElseIf removeACE = True Then

    WScript.echo "You must specify a filter to remove ACEs from " & domain.Get("distinguishedName")

End If

Get-TPMOwnerInfo.vbs

Mit diesem Skript wird das Abrufen von TPM-Wiederherstellungsinformationen für einen bestimmten Computer aus Active Directory veranschaulicht. Mit diesem Skript können Sie testen, ob ausschließlich Domänenadministratoren (oder delegierte Rollen) gesicherte TPM-Wiederherstellungsinformationen lesen können und ob die Informationen ordnungsgemäß gesichert wurden.

Dateiinhalt

'================================================================================= ' ' This script demonstrates the retrieval of Trusted Platform Module (TPM) ' recovery information from Active Directory for a particular computer. ' ' It returns the TPM owner information stored as an attribute of a ' computer object. ' ' Change History: '  1/30/2006 - Initial release '  5/15/2006 - Updated GetStrPathToComputer to search the global catalog. ' ' Microsoft Corporation ' ' Disclaimer ' ' The sample scripts are not supported under any Microsoft standard support program ' or service. The sample scripts are provided AS IS without warranty of any kind. ' Microsoft further disclaims all implied warranties including, without limitation, ' any implied warranties of merchantability or of fitness for a particular purpose. ' The entire risk arising out of the use or performance of the sample scripts and ' documentation remains with you. In no event shall Microsoft, its authors, or ' anyone else involved in the creation, production, or delivery of the scripts be ' liable for any damages whatsoever (including, without limitation, damages for loss ' of business profits, business interruption, loss of business information, or ' other pecuniary loss) arising out of the use of or inability to use the sample ' scripts or documentation, even if Microsoft has been advised of the possibility ' of such damages. ' '=================================================================================


' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

' Print the command-line help for Get-TpmOwnerInfo and end the script.
Sub ShowUsage
    Dim usageLines, msg
    usageLines = Array( _
        "USAGE: Get-TpmOwnerInfo [Optional Computer Name]", _
        "If no computer name is specified, the local computer is assumed.")
    For Each msg In usageLines
        WScript.Echo msg
    Next
    WScript.Quit
End Sub

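' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

' No argument: use the local computer's name. One argument: either the help
' switch or the computer name to look up. More: print usage and exit.
' Fix: the two statements of Case 0 had been swallowed into its comment, so
' strComputerName was never set when the script ran without arguments.
Set args = WScript.Arguments

Select Case args.Count

    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName

    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If

    Case Else
        ShowUsage

End Select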


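' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

' Escape a value for use inside an LDAP search filter (RFC 4515). Without this,
' the characters \ * ( ) and NUL in the command-line name would change the
' meaning of the filter (e.g. "*" turns the exact match into a wildcard).
Function EscapeLdapFilterValue(value)
    Dim s
    s = CStr(value)
    s = Replace(s, "\", "\5c")  ' first, so the escapes added below are not re-escaped
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

' Return "LDAP://<dn>" for the computer object whose cn equals strComputerName.
' The forest's global catalog is searched so computers of any domain are found.
' Exits the script with code 1 when no object matches, or when more than one
' does: the original silently kept the last match, which would make the caller
' read recovery information from the wrong computer.
Function GetStrPathToComputer(strComputerName)

    ' Uses the global catalog to find the computer in the forest
    ' NOTE(review): the original comment claimed deleted (tombstoned) computers
    ' are included, but the query below sets no such search option - confirm
    ' before relying on that.

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    strBase = "<GC://" & namingContext & ">"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOOBject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    ' The caller-supplied name is escaped so it can only match literally.
    strFilter = "(&(objectCategory=Computer)(cn=" & EscapeLdapFilterValue(strComputerName) & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.

    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object(s) matching name; an ambiguous name is an error
    matchCount = 0
    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        matchCount = matchCount + 1
        If matchCount = 1 Then
            firstDn = dnFound
        Else
            If matchCount = 2 Then
                WScript.echo "The computer name '" & strComputerName & "' is ambiguous; matching objects:"
                WScript.echo "  " & firstDn
            End If
            WScript.echo "  " & dnFound
        End If
        objRecordSet.MoveNext
    Loop

    If matchCount > 1 Then
        WScript.Quit 1
    End If

    GetStrPathToComputer = "LDAP://" & firstDn

    ' Clean up.
    objConnection.Close
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

End Function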

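' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPath

' Authentication flags for OpenDSObject: secure authentication (the header
' calls this Kerberos) plus signing and sealing, so the value read below is
' integrity-protected and encrypted on the wire.
' Fix: the ADS_USE_SIGNING Const had been swallowed into the '0x40 comment of
' the previous line, so the bind below referred to an undefined name.
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64  '0x40
Const ADS_USE_SIGNING = 128 '0x80

' vbNullString for user and password binds with the caller's current credentials
Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------

' Get raises an error when the attribute is absent or cannot be read; report
' that explicitly instead of failing with a raw COM error.
On Error Resume Next
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
If Err.Number <> 0 Then
    On Error GoTo 0
    WScript.echo "msTPM-OwnerInformation could not be read from " & strPath & " (attribute not set, or no read permission)."
    WScript.Quit 1
End If
On Error GoTo 0

' The backed-up TPM owner information is printed in clear; the output is sensitive.
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation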

Get-BitLockerRecoveryInfo.vbs

Mit diesem Skript wird das Abrufen aller BitLocker-Wiederherstellungsinformationen für einen bestimmten Computer aus Active Directory veranschaulicht. Mit diesem Skript können Sie sicherstellen, dass ausschließlich Domänenadministratoren (oder delegierte Rollen) in Active Directory gesicherte BitLocker-Wiederherstellungsinformationen lesen können und dass die Informationen ordnungsgemäß gesichert wurden.

Dateiinhalt

'=============================================================================== ' ' This script demonstrates the retrieval of BitLocker Drive Encryption (BDE) ' recovery information from Active Directory for a particular computer. ' ' It returns all recovery passwords and associated GUIDs for a particular ' computer object. ' ' Change History: '  1/30/2006 - Initial release '  5/15/2006 - Added ConvertOctetGuidToHexString to remove dependency to ADs.DLL '              and converted GUID to correct byte order before printing. '            - Updated GetStrPathToComputer to search the global catalog. ' ' Microsoft Corporation ' ' Disclaimer ' ' The sample scripts are not supported under any Microsoft standard support program ' or service. The sample scripts are provided AS IS without warranty of any kind. ' Microsoft further disclaims all implied warranties including, without limitation, ' any implied warranties of merchantability or of fitness for a particular purpose. ' The entire risk arising out of the use or performance of the sample scripts and ' documentation remains with you. In no event shall Microsoft, its authors, or ' anyone else involved in the creation, production, or delivery of the scripts be ' liable for any damages whatsoever (including, without limitation, damages for loss ' of business profits, business interruption, loss of business information, or ' other pecuniary loss) arising out of the use of or inability to use the sample ' scripts or documentation, even if Microsoft has been advised of the possibility ' of such damages. ' '===============================================================================


' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

' Print the command-line help for Get-BitLockerRecoveryInfo and end the script.
Sub ShowUsage
    Dim usageLines, msg
    usageLines = Array( _
        "USAGE: Get-BitLockerRecoveryInfo [Optional Computer Name]", _
        "If no computer name is specified, the local computer is assumed.")
    For Each msg In usageLines
        WScript.Echo msg
    Next
    WScript.Quit
End Sub

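' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

' No argument: use the local computer's name. One argument: either the help
' switch or the computer name to look up. More: print usage and exit.
' Fix: the two statements of Case 0 had been swallowed into its comment, so
' strComputerName was never set when the script ran without arguments.
Set args = WScript.Arguments

Select Case args.Count

    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName

    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If

    Case Else
        ShowUsage

End Select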

' --------------------------------------------------------------------------------
' Helper function: Convert the octet GUID string (byte array) to a hex string
' --------------------------------------------------------------------------------

'Reference: http://blogs.msdn.com/ericlippert/archive/2004/05/25/141525.aspx

' Format one byte value as exactly two upper-case hex digits ("0A", "FF").
Function HexByte(b)
    Dim digits
    digits = Hex(b)
    If Len(digits) < 2 Then
        digits = "0" & digits
    End If
    HexByte = Right(digits, 2)
End Function

' Convert the 16-byte binary GUID stored in msFVE-RecoveryGuid into the usual
' "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" text form. The bytes of the first
' three groups are emitted in reverse storage order; the last two groups keep
' their storage order.
' Errors while reading bytes (e.g. an array shorter than 16 bytes) are
' suppressed, so a malformed input yields a truncated string; the caller
' checks the result length.
Function ConvertOctetGuidToHexString(ByteArray)
    Dim Binary, S, grp, pos, groups
    ' 1-based byte positions in output order, one inner array per dash-separated group
    groups = Array(Array(4, 3, 2, 1), Array(6, 5), Array(8, 7), Array(9, 10), _
                   Array(11, 12, 13, 14, 15, 16))

    Binary = CStr(ByteArray)

    On Error Resume Next

    S = "{"
    For grp = 0 To UBound(groups)
        If grp > 0 Then S = S & "-"
        For Each pos In groups(grp)
            S = S & HexByte(AscB(MidB(Binary, pos, 1)))
        Next
    Next
    S = S & "}"

    On Error GoTo 0

    ConvertOctetGuidToHexString = S
End Function


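' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

' Escape a value for use inside an LDAP search filter (RFC 4515). Without this,
' the characters \ * ( ) and NUL in the command-line name would change the
' meaning of the filter (e.g. "*" turns the exact match into a wildcard).
Function EscapeLdapFilterValue(value)
    Dim s
    s = CStr(value)
    s = Replace(s, "\", "\5c")  ' first, so the escapes added below are not re-escaped
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilterValue = s
End Function

' Return "LDAP://<dn>" for the computer object whose cn equals strComputerName.
' The forest's global catalog is searched so computers of any domain are found.
' Exits the script with code 1 when no object matches, or when more than one
' does: the original silently kept the last match, which would make the caller
' print recovery passwords of the wrong computer.
Function GetStrPathToComputer(strComputerName)

    ' Uses the global catalog to find the computer in the forest
    ' NOTE(review): the original comment claimed deleted (tombstoned) computers
    ' are included, but the query below sets no such search option - confirm
    ' before relying on that.

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    strBase = "<GC://" & namingContext & ">"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOOBject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    ' The caller-supplied name is escaped so it can only match literally.
    strFilter = "(&(objectCategory=Computer)(cn=" & EscapeLdapFilterValue(strComputerName) & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.

    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object(s) matching name; an ambiguous name is an error
    matchCount = 0
    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        matchCount = matchCount + 1
        If matchCount = 1 Then
            firstDn = dnFound
        Else
            If matchCount = 2 Then
                WScript.echo "The computer name '" & strComputerName & "' is ambiguous; matching objects:"
                WScript.echo "  " & firstDn
            End If
            WScript.echo "  " & dnFound
        End If
        objRecordSet.MoveNext
    Loop

    If matchCount > 1 Then
        WScript.Quit 1
    End If

    GetStrPathToComputer = "LDAP://" & firstDn

    ' Clean up.
    objConnection.Close
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

End Function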


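' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPathToComputer

' Authentication flags for OpenDSObject below: secure authentication (the
' header calls this Kerberos) plus signing and sealing, so the recovery
' information read later is integrity-protected and encrypted on the wire.
' Fix: the ADS_USE_SIGNING Const had been swallowed into the '0x40 comment of
' the previous line, so the bind referred to an undefined name.
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64  '0x40
Const ADS_USE_SIGNING = 128 '0x80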


' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------

' Get all the recovery information child objects of the computer object.
' vbNullString for user and password binds with the caller's current
' credentials; the ADS_* flags are the Const values defined above.

Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' Restrict the child enumeration to objects of the msFVE-RecoveryInformation class
objFveInfos.Filter = Array("msFVE-RecoveryInformation")

' Iterate through each recovery information object

For Each objFveInfo in objFveInfos

   strName = objFveInfo.Get("name")

   ' The GUID is stored as an octet string; convert it to its text form
   strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
   strRecoveryGuid = ConvertOctetGuidToHexString(strRecoveryGuidOctet)

   strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")

   ' The recovery password is printed in clear; console output (and any
   ' transcript of it) is therefore sensitive.
   WScript.echo
   WScript.echo "name: " + strName
   WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
   WScript.echo "msFVE-RecoveryPassword: " + strRecoveryPassword

   ' 38 = 32 hex digits + 4 dashes + 2 braces; shorter means the octet
   ' string could not be fully converted (see ConvertOctetGuidToHexString)
   If len(strRecoveryGuid) <> 38 Then
       WScript.echo "WARNING: '" & strRecoveryGuid & "' does not appear to be a valid GUID."
   End If

Next

WScript.Quit
