RpcSec-wmi-multi.vbs

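Author: The Scripting Guys, Microsoft Corporation

This script configures RPC security to bypass the new restrictions in Windows XP Service Pack 2 and allow anonymous callbacks. It does this by using the WMI System Registry provider to edit the registry. It can be run against multiple computers.

RpcSec-wmi-multi.vbs corresponds to RpcSec.vbs, one of the scripts included with the Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2 and documented in its Appendix. You can download the Windows Installer (.msi) file that installs the guide and its associated scripts from:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9300BECF-2DEE-4772-ADD9-AD0EAF89C4A7&displaylang=en

The script takes its input from a comma-delimited text file, rpcsec-hosts.csv, which contains the names of the computers the script will run against and the parameter for each one. This text file must be in the same folder as the script. Each computer must be reachable over the network, and the credentials under which the script runs must have administrative privileges.

The valid values of the parameter (RestrictRemoteClients) are as follows:
0 = Bypasses the new restrictions.
1 = Restricts access to all RPC interfaces but allows anonymous callbacks.
2 = Restricts access to all RPC interfaces and does not allow anonymous callbacks.

Each line of the input file must contain a computer name, a comma, and the integer 0, 1, or 2, with no spaces before or after the comma. For example: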

client1,0
server1,1
client2,0
server2,2

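Make sure there is no line break after the last line, because the script would interpret it as an empty string.

To use the script, copy the code, paste it into Notepad, and save the script as RpcSec-wmi-multi.vbs. To run the script, open a command prompt window in the script's directory and type: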

cscript rpcsec-wmi-multi.vbs

If the default script host on the computer is Cscript.exe, you can omit the leading cscript.

Script


'******************************************************************************
'RpcSec-wmi-multi.vbs
'Author: Peter Costantini, the Microsoft Scripting Guys
'Date: 8/25/04
'Revision 1.0
'System requirement: Windows XP Service Pack 2.
'This script configures RPC security to bypass new restrictions in Windows XP
'Service Pack 2 and allow anonymous call back.
'It can be run against multiple local or remote computers.
'The multiple computers must be specified in a comma-delimited
'text file, rpcsec-hosts.csv, in the same directory as the script.
'Each line of rpcsec-hosts.csv must have a computer name followed by a comma,
'followed by an integer from 0 through 2.
'Do not add a newline to the end of the last line.
'Example (bypass on client1 & server1, restrict access but allow anon
'callbacks on client2, and restrict access and do not allow anon callbacks
'on server2):
'client1,0
'client2,1
'server1,0
'server2,2
'Valid RestrictRemoteClients values are as follows:
'0 = Bypasses new restrictions.
'1 = Restricts access to all RPC interfaces but allows anonymous callbacks.
'2 = Restricts access to all RPC interfaces and does not allow anonymous
'callbacks.
'******************************************************************************

On Error Resume Next

Const FOR_READING = 1
strFilename = "rpcsec-hosts.csv"

'If text file exists, read list of hosts and operation for each.
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(strFilename) Then
  Set objFile = objFSO.OpenTextFile(strFilename, FOR_READING)
Else
  WScript.Echo "Input file " & strFilename & " not found."
  WScript.Quit
End If
Do Until objFile.AtEndOfStream
  strHost = objFile.ReadLine
  arrHost = Split(strHost, ",")
'Get name of computer
  strComputer = arrHost(0)
'DWORD value of RestrictRemoteClients for this host.
  intValue = arrHost(1)
  Wscript.Echo VbCrLf & strComputer
  Wscript.Echo String(Len(strComputer), "-")
'Connect with WMI service and StdRegProv class.
  Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
   strComputer & "\root\default:StdRegProv")
  If Err = 0 Then
    SetValue
  Else
    WScript.Echo "Unable to connect to WMI StdRegProv on " & strComputer & "."
    WScript.Echo "  Error Number:" & Err.Number
    WScript.Echo "  Source:" & Err.Source
    WScript.Echo "  Description:" & Err.Description
  End If
  Err.Clear
Loop
objFile.Close

'******************************************************************************

Sub SetValue

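Const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = "SOFTWARE\Policies\Microsoft\Windows NT\RPC"
strEntryName = "RestrictRemoteClients"
'intValue was read for this host from rpcsec-hosts.csv in the main loop.
'Accept only the documented values 0, 1 or 2, then convert the text to a number.
If intValue <> "0" And intValue <> "1" And intValue <> "2" Then
  WScript.Echo "ERROR: Invalid " & strEntryName & " value: " & intValue
  Exit Sub
End If
intValue = CLng(intValue)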

intReturn = objReg.CreateKey(HKEY_LOCAL_MACHINE, strKeyPath)
If intReturn = 0 Then
  WScript.Echo "Created registry subkey " & strKeyPath & _
   ". If it previously existed, did not overwrite existing values."
  intReturn = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, _
   strEntryName, intValue)
  If intReturn = 0 Then
    WScript.Echo "Changed value of " & strEntryName & " to " & intValue
  Else
    WScript.Echo "ERROR: Unable to change value of " & strEntryName
  End If
Else
  WScript.Echo "ERROR: Unable to create registry path " & _
   strKeyPath
End If

End Sub
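
The following read-only audit is an added example, not part of the original script or the guide. It reads the same rpcsec-hosts.csv, skips lines that do not match the documented format, and uses the StdRegProv GetDWORDValue method to compare each host's current RestrictRemoteClients value with the value listed in the file. The Sub name AuditHost and the output wording are assumptions made for this example.

```vbscript
'Added example: read-only audit; AuditHost and the messages are hypothetical.
Option Explicit
Const FOR_READING = 1
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH = "SOFTWARE\Policies\Microsoft\Windows NT\RPC"
Const ENTRY_NAME = "RestrictRemoteClients"
Const INPUT_FILE = "rpcsec-hosts.csv"
Dim objFSO, objFile, arrHost, strLine, intLine
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FileExists(INPUT_FILE) Then
  WScript.Echo "Input file " & INPUT_FILE & " not found."
  WScript.Quit 1
End If
Set objFile = objFSO.OpenTextFile(INPUT_FILE, FOR_READING)
Do Until objFile.AtEndOfStream
  strLine = objFile.ReadLine
  intLine = intLine + 1
  arrHost = Split(strLine, ",")
  'Documented format: name, comma, 0|1|2, no spaces. A blank line has UBound -1.
  If UBound(arrHost) <> 1 Or InStr(strLine, " ") > 0 Then
    WScript.Echo "Line " & intLine & ": malformed, skipped."
  ElseIf Len(arrHost(0)) = 0 Or Len(arrHost(1)) <> 1 Or InStr("012", arrHost(1)) = 0 Then
    WScript.Echo "Line " & intLine & ": invalid host or value, skipped."
  Else
    AuditHost arrHost(0), CLng(arrHost(1))
  End If
Loop
objFile.Close

Sub AuditHost(strComputer, intExpected)
  Dim objReg, intActual, intReturn
  On Error Resume Next
  Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
   strComputer & "\root\default:StdRegProv")
  'Query only if the connection succeeded; GetDWORDValue fills intActual.
  If Err.Number = 0 Then intReturn = objReg.GetDWORDValue( _
   HKEY_LOCAL_MACHINE, KEY_PATH, ENTRY_NAME, intActual)
  If Err.Number <> 0 Then
    WScript.Echo strComputer & ": query failed (" & Err.Description & ")"
    Exit Sub
  End If
  On Error GoTo 0
  If intReturn <> 0 Or IsNull(intActual) Then
    WScript.Echo strComputer & ": value not set, expected " & intExpected
  ElseIf intActual <> intExpected Then
    WScript.Echo strComputer & ": MISMATCH, is " & intActual & ", expected " & intExpected
  Else
    WScript.Echo strComputer & ": OK (" & intActual & ")"
  End If
End Sub
```

Run it with cscript from the folder that holds rpcsec-hosts.csv; it makes no registry changes.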


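For online peer support, join the microsoft.public.windows.server.scripting community on the msnews.microsoft.com news server. To provide feedback or report problems with the sample scripts or the scripting guide, please contact Microsoft TechNet.

Disclaimer

This sample script is not supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use of this sample script or its documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this sample script or documentation, even if Microsoft has been advised of the possibility of such damages.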
