The Microsoft Windows 2000 Resource Kit contains a set of tools designed to give administrators the ability to modify or enhance the security in Windows 2000. These tools include:
- Dsstore.exe: Directory Services Store
- Efsinfo.exe: Encrypting File System Information
- System Scanner
Dsstore.exe: Directory Services Store
This tool assists in managing corporate public key integration. It includes functionality that is necessary for several deployment scenarios. You can use Dsstore to:
- List information about a given computer's certificates.
- List information about computer objects in the domain.
- List information about Certificate Authorities in the organization.
- Add, remove, and display certificates from the directory services enterprise root store.
- Add and remove certificate revocation lists (CRLs) from directory services.
- Validate certificates from directory services public key infrastructure (PKI) locations.
- Pulse "autoenrollment" events to speed up various PKI processes.
- Add non-Windows 2000 Certificate Authorities or offline Certificate Authorities to the corporate PKI.
- Manage enterprise roots in directory services.
- Verify computer automatic enrollment and domain controller certificates from the Kerberos Key Distribution Center (KDC).
- Check on the status and validity of domain controller certificates.
- Check on the validity of smart card certificates.
dsstore DN_of_domain [-del] [-display] [-addcrl crl_filename CA_name computer_name] [-addroot crl_filename CA_name] [-?]
- DN_of_domain is the distinguished name of the target domain. You must specify this as the first parameter. For example, dsstore DC=dev,DC=microsoft,DC=com.
- -del presents a list of roots, from which you can choose one for deletion.
- -display displays enterprise roots.
- -addcrl crl_filename CA_name computer_name adds a certificate revocation list (.crl) file, a Certificate Authority name, and a computer name.
- -addroot crl_filename CA_name adds a certificate revocation list (.crl) file and a Certificate Authority name.
- -? displays a syntax screen at the command prompt.
Efsinfo.exe: Encrypting File System Information
This command-line tool displays information about files and folders encrypted with Encrypting File System (EFS) on partitions that use the NTFS file system.
EFS is a feature of Windows 2000 that you can use to encrypt and decrypt files. This helps users keep files safe from others who might gain unauthorized physical access to their sensitive data (for example, by stealing a laptop computer or external disk drive).
In EFS, users work with encrypted files and folders just as they do with any other files or folders: encryption is transparent. If the EFS user is the same person who encrypted the file or folder, Windows 2000 decrypts the file or folder when the user accesses it later. Unauthorized users are prevented from accessing any encrypted files or folders.
You can also encrypt or decrypt a file or folder with the command-line tool cipher, which is included with Windows 2000.
efsinfo [/u] [/r] [/c] [/i] [/y] [/s:dir] [pathname [...]] [/?]
- /u displays encryption information about the files and folders in the current folder. This is the default option. Running Efsinfo without switches produces the same output.
- /r displays Recovery agent information.
- /c displays certificate thumbnail information.
- /i continues performing the specified operation even after errors have occurred. By default, Efsinfo stops when an error is encountered.
- /y displays the current EFS certificate thumbnail on the local computer. The files specified might not be on this computer. If no items are returned, there are no encrypted files on the computer.
- /s:dir performs the specified operation on folders in the given folder and all subfolders.
- pathname [...] specifies the path of one or more files or folders for which to display encryption information.
- /? displays command-line Help.
This example displays the current EFS certificate (the /y option):
Your current EFS certificate thumbnail information on the computer named COMPUTERNAME is:
BAAF 99CB 2B76 C49C E49C 6B17 C404 1030 E6BD BF3D
Note: This command returns no information if no encrypted files or folders have been created on the computer.
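An administrator who collects efsinfo /y output from several computers can compare the reported thumbprint against a recorded baseline to catch an EFS certificate that has changed or a computer that has no EFS certificate at all. The following Python script is an added example, not part of the Resource Kit; the host names, the second thumbprint and the baseline table are constructed, and only the output format shown above is assumed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample output in the format printed by efsinfo /y. The first
# thumbprint is the one shown in the example above; the other values are made up.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "LAPTOP01": ("Your current EFS certificate thumbnail information on the computer "
                 "named LAPTOP01 is:\nBAAF 99CB 2B76 C49C E49C 6B17 C404 1030 E6BD BF3D\n"),
    "LAPTOP02": ("Your current EFS certificate thumbnail information on the computer "
                 "named LAPTOP02 is:\n0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567\n"),
    "LAPTOP03": "",  # no encrypted files yet, so efsinfo /y prints nothing
}

# Constructed baseline: the thumbprint each computer is expected to use (spaces ignored).
BASELINE: Dict[str, str] = {
    "LAPTOP01": "BAAF 99CB 2B76 C49C E49C 6B17 C404 1030 E6BD BF3D",
    "LAPTOP02": "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF",
}

# A SHA-1 thumbprint: 20 bytes printed as ten groups of four hex digits.
THUMB_RE = re.compile(r"^(?:[0-9A-Fa-f]{4}\s*){10}$")


def parse_efsinfo_y(output: str) -> Optional[Tuple[str, str]]:
    """Return (computer_name, thumbprint_hex) from efsinfo /y output, or None if empty."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines:
        return None  # the tool prints nothing when no files have been encrypted
    header = re.search(r"computer named (\S+) is:", lines[0])
    if header is None or len(lines) < 2 or not THUMB_RE.match(lines[1]):
        raise ValueError("unrecognised efsinfo /y output")
    return header.group(1), lines[1].replace(" ", "").upper()


def audit(outputs: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify each computer as ok, mismatch, no-baseline or no-efs-certificate."""
    report: Dict[str, str] = {}
    for host, text in outputs.items():
        parsed = parse_efsinfo_y(text)
        expected = baseline.get(host, "").replace(" ", "").upper()
        if parsed is None:
            report[host] = "no-efs-certificate"
        elif not expected:
            report[host] = "no-baseline"
        else:
            report[host] = "ok" if parsed[1] == expected else "mismatch"
    return report


def run_audit() -> Dict[str, str]:
    return audit(SAMPLE_OUTPUTS, BASELINE)
```

A mismatch means the computer now encrypts with a certificate the recovery plan does not know about, which is worth investigating before the old files become unrecoverable.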
System Scanner for Windows is a security-assessment solution for Windows 2000, Microsoft Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98. It performs nearly 300 vulnerability checks, including:
- Extensive system baseline capabilities, including file, registry, and user checks.
- Browser-specific vulnerabilities.
- Comprehensive Microsoft Internet Information Services and Microsoft Personal Web Server checks.
- Checks for the presence of well-known TCP/IP-based services.
- NetBIOS checks.
- Java vulnerabilities.
- Microsoft Office vulnerabilities.
- Windows 95 Policy Editor configuration problems.
- Susceptibility to denial-of-service attacks.
- Configuration of virus scanners.
- Registry security checks.
- User policy configuration checks.
- Remote access checks and modem checks.
You can use System Scanner to define your own policies, as well as to schedule scans at specified times. Easy-to-use HTML reports provide detailed descriptions of vulnerabilities detected on your computer and information necessary to correct them.
Installing System Scanner
System Scanner is not installed during Windows 2000 Resource Kit installation. To install it:
- Insert the Windows 2000 Resource Kit companion CD-ROM in the CD-ROM drive.
- When the Setup screen appears, click Explore the CD.
- In the CD-ROM_drive:\Apps\Systemscanner folder, double-click Sysscansetup.exe.
- Follow the directions that appear on the screen.
System Scanner is a separate tool that is not installed by the Windows 2000 Resource Kit installation program. The required files are located in the CD-ROM_drive:\Apps\Systemscanner folder on your Windows 2000 Resource Kit companion CD-ROM. For more information, see the System Scanner Help file. After you install System Scanner, click Start, point to Programs, point to ISS, and then click System Scanner Help.