Sunday, September 4, 2016 6:02 PM
Lesson 1
To install the Windows Server Migration Tools feature using Windows PowerShell, use the following syntax:
Install-WindowsFeature Migration [-ComputerName <name>]
Import-SmigServerSetting
Export-SmigServerSetting
Export-DhcpServer -File C:\exportdir\dhcpexport.xml
Import-DhcpServer -File C:\exportdir\dhcpexport.xml -BackupPath C:\dhcpbackup
(-BackupPath is required: the existing DHCP configuration is backed up there before the import.)
Lesson 2
To convert a Windows Server 2012 Server Core installation to the full GUI option, use the following Windows
PowerShell command:
Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart
To convert a full GUI server installation to Server Core, use the following command:
Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart
To manage NIC teaming with Windows PowerShell, you use the cmdlets in the NetLbfo module. To create a new
NIC team, you use the New-NetLbfoTeam cmdlet with the following basic syntax:
New-NetLbfoTeam -Name <team name> -TeamMembers <NIC1, NIC2, ...>
[-TeamingMode LACP|Static|SwitchIndependent]
[-LoadBalancingAlgorithm TransportPorts|IPAddresses|MacAddresses|HyperVPort]
To use an exported configuration file to install roles and features on another computer running Windows Server 2012,
use the following command in a Windows PowerShell session with elevated privileges:
Install-WindowsFeature -ConfigurationFilePath <ExportedConfig.xml>
Lesson 3: Configuring Local Storage
Lesson 6:
For the authentication to succeed, you must add the name of the workgroup server to the
TrustedHosts list on the computer running Server Manager, by using a Windows PowerShell
command with the following syntax:
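The notes do not record the command itself. As an added example (not from the original notes), this adds one workgroup server to the local WinRM TrustedHosts list without discarding entries that are already there; the server name is a constructed placeholder.

```powershell
# Added example (not from the original notes): add one workgroup server to the
# WinRM TrustedHosts list on the computer that runs Server Manager.
# 'ServerA' is a constructed placeholder for the workgroup server's name.
$hostToTrust = 'ServerA'

# Read the current list (empty string when nothing is trusted yet) so that
# existing entries survive the change.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries -contains $hostToTrust) {
    Write-Output "$hostToTrust is already in TrustedHosts"
} else {
    # -Concatenate appends to the existing value instead of replacing it.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $hostToTrust -Concatenate -Force
}

# Verify. Hosts listed here are contacted without Kerberos mutual
# authentication, so list individual names rather than the wildcard "*".
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```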
Manage WinRM
To manage a remote server from the MMC, you need to enable the following INBOUND Windows Firewall rules on
the REMOTE SERVER:
COM+ Network Access (DCOM-In)
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
To configure a test installation of the gateway application on a lab server, you can open an
elevated Windows PowerShell session and execute the following command:
Install-PswaWebApplication -UseTestCertificate
Now, the gateway site is ready to accept client connections, using the default URL:
https://<server name>/pswa. You can change this default URL and other configuration settings
by altering the cmdlet parameters.
-WebSiteName enables you to specify an alternative to the default site in which the
cmdlet installs the gateway application. By default, the cmdlet installs the gateway in the
Default Web Site site. Adding the -WebSiteName mgmt parameter installs the gateway
to an existing IIS site called mgmt.
Lesson 7
Install Hyper-V
Create a New VM
Configuring VM Memory
VM Smart Paging
Move-VMStorage -SmartPagingFilePath <path>
Set-VM -SmartPagingFilePath <path>
VM Resource Metering
Enable first:
Enable-VMResourceMetering -VMName <name> -ComputerName <host>
Enable-VMResourceMetering -ResourcePoolName <name> -ResourcePoolType <type> -ComputerName <host>
Enable-VMResourceMetering -VM <VM object>
New-VMResourcePool
Reset-VMResourceMetering
Lesson 8
Lesson 9
Example 1
This example enables DHCP Guard on all the virtual network adapters of virtual machine Redmond. When DHCP
Guard is enabled, if virtual machine Redmond replies to requests from DHCP clients, these replies are dropped.
Windows PowerShell
PS C:\> Set-VMNetworkAdapter -VMName Redmond -DhcpGuard On
Example 2
This example enables port mirroring for all virtual network adapters on virtual machine Kirkland. When port mirroring
is enabled, every packet sent or received by this virtual machine is copied and sent to a monitoring virtual machine.
Windows PowerShell
PS C:\> Set-VMNetworkAdapter -VMName Kirkland -PortMirroring Source
Example 3
This example configures the virtual network adapter named PM_Dest as the destination for port mirroring, which
configures the virtual machine named Bellevue to monitor network traffic. That is, a copy of every packet sent or
received by a monitored virtual machine connected to the same virtual switch is sent to virtual machine Bellevue
through virtual network adapter PM_Dest.
Windows PowerShell
PS C:\> Set-VMNetworkAdapter -VMName Bellevue -Name PM_Dest -PortMirroring Destination
Example 4
This example enables VMQ and sets a weight of 100 on every virtual network adapter on the local host.
Windows PowerShell
PS C:\> Get-VMNetworkAdapter -All | Set-VMNetworkAdapter -VmqWeight 100
Example 5
This example configures NIC Teaming for all virtual network adapters of the virtual machine named Redmond.
Windows PowerShell
PS C:\> Get-VM Redmond | Set-VMNetworkAdapter -AllowTeaming On
Example 6
This example sets the same minimum bandwidth weight for all virtual network adapters of three virtual machines:
Redmond, Kirkland, and Bellevue. This configuration shares bandwidth equally among all of the virtual network
adapters of these virtual machines.
Windows PowerShell
PS C:\> Get-VMNetworkAdapter -VMName Redmond,Kirkland,Bellevue | Set-VMNetworkAdapter -MinimumBandwidthWeight 1
Other Switches:
-AllowTeaming On|Off
-RouterGuard On|Off
-StaticMacAddress <MAC address>
-DynamicMacAddress (switch parameter, takes no value)
-MacAddressSpoofing On|Off
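As an added example (not from the original notes), this audits the switches listed above on every virtual network adapter of the local Hyper-V host and reports adapters that deviate from a hardened baseline; the VM name in the remediation step is a constructed placeholder.

```powershell
# Added example (not from the original notes): audit DhcpGuard, RouterGuard,
# MAC spoofing and port mirroring on all VM network adapters of this host.
function Get-VmNicAudit {
    Get-VMNetworkAdapter -All | ForEach-Object {
        $findings = @()
        # DHCP Guard off: the VM could answer DHCP requests (rogue DHCP server).
        if ($_.DhcpGuard -ne 'On')           { $findings += 'DhcpGuard off' }
        # Router Guard off: the VM could send router advertisements/redirects.
        if ($_.RouterGuard -ne 'On')         { $findings += 'RouterGuard off' }
        # MAC spoofing on: the VM may impersonate other hosts' MAC addresses.
        if ($_.MacAddressSpoofing -eq 'On')  { $findings += 'MAC spoofing allowed' }
        # Port mirroring: traffic is being copied; confirm it is intentional.
        if ($_.PortMirroringMode -ne 'None') { $findings += "port mirroring: $($_.PortMirroringMode)" }
        [pscustomobject]@{
            VM       = $_.VMName
            Adapter  = $_.Name
            Findings = ($findings -join '; ')
        }
    }
}

# Report only adapters with at least one finding.
Get-VmNicAudit | Where-Object { $_.Findings } | Format-Table -AutoSize

# Remediate one VM (constructed name). Port mirroring is left alone because
# it may be a deliberate monitoring setup; review it rather than clear it.
Set-VMNetworkAdapter -VMName Redmond -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off
```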
Lesson 10
Setting IP Address
Set IP Address:
netsh interface ip set address name="Local Area Connection" static 192.168.0.1 255.255.255.0 192.168.0.254
Unique local unicast address (private IPv6): fd00::/8
Lesson 11
A DHCP server should not also be an active DHCP client. Before you install the DHCP Server role, be sure to configure
the target server with a static IP address.
Install DHCP
Authorize DHCP Server in DC
When you install the DHCP Server role on a computer that is a member of an AD DS domain,
the DHCP Server is automatically authorized to allocate IP addresses to clients that are also members
of the same domain. If the server is not a domain member when you install the role, and you join it
to a domain later, you must manually authorize the DHCP server in the domain. To do this, right-click the server node
in the DHCP console and, from the context menu, select Authorize.
Add-DhcpServerInDC -DnsName dhcpserver.contoso.com
Add DHCP Scope
Configure Scope Options
The Windows DHCP server supports two kinds of options:
Scope options: Supplied only to DHCP clients receiving addresses from a
particular scope.
Server options: Supplied to all DHCP clients receiving addresses from the
server.
DHCP WDS Configuration
The WDS server configuration procedure discussed earlier in this lesson assumes that you have
installed DHCP on the same computer as Windows Deployment Services. In many instances,
this is not the case, however.
When you are using an external DHCP server, you must also configure it manually to
include the custom option that provides WDS clients with the name of the WDS server.
To configure this option on a Windows Server 2008 DHCP server, use the following
procedure.
CONFIGURE A CUSTOM DHCP OPTION
GET READY. Log on to Windows Server 2012, using an account with Administrative
privileges.
1. In the Server Manager window, click Tools and then click DHCP. The DHCP console
appears.
2. Expand the server and IPv4 nodes.
3. Right-click the IPv4 node and, from the context menu, select Set Predefined
Options. The Predefined Options and Values dialog box appears, as shown in
Figure 11-20.
4. Click Add. The Option Type dialog box appears, as shown in Figure 11-21.
5. In the Name text box, type PXEClient.
6. From the Data type drop-down list, select String.
7. In the Code text box, type 060.
8. Click OK twice to close the Option Type and Predefined Options and Values
dialog boxes.
9. In the scope pane, right-click the Server Options node and, from the context menu,
select Configure Options. The Server Options dialog box appears.
10. In the Available Options list box, scroll down and select the 060 PXEClient option you
just created, as shown in Figure 11-22.
11. In the String value text box, type the name or IP address of your WDS server. Then,
click OK.
CLOSE the DHCP console.
Figure 11-21: The Option Type dialog box
Figure 11-22: The Server Options dialog box
Deploying and Configuring the DHCP Service | 323
This procedure adds the 060 custom option value you defined to all the DHCPOFFER
packets the DHCP server sends out to clients. When a client computer boots from a local
device, such as a hard drive or CD-ROM, the 060 option has no effect. However, when a
client performs a network boot after receiving and accepting an offered IP address from the
DHCP server, it connects to the WDS server specified in the 060 PXEClient option and uses
it to obtain the boot image file it needs to start.
Deploying a DHCP Relay Agent
Many routers can function as DHCP relay agents, but in situations where they cannot, you
can configure a Windows Server 2012 computer to function as a relay agent by using the
following procedure.
DEPLOY A DHCP RELAY AGENT
GET READY. Log on to Windows Server 2012, using an account with Administrative privileges.
1. In the Server Manager window, click Manage and then click Add Roles and Features.
The Add Roles and Features Wizard appears, displaying the Before you begin page.
THE BOTTOM LINE
If you opt to create a centralized or hybrid DHCP infrastructure, you need a DHCP relay
agent on every subnet that does not have a DHCP server on it.
CERTIFICATION READY
Configure DHCP relay agent.
Objective 4.2
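The console procedure above, done with the DhcpServer PowerShell module instead, as an added example that is not part of the original notes; the WDS host name is a constructed placeholder.

```powershell
# Added example (not from the original notes): define the 060 PXEClient
# server option and set its value with the DhcpServer module. The WDS host
# name below is a constructed placeholder.
$wdsServer = 'wds01.adatum.local'

# Step 1: define option 060 as a String, but only if it does not exist yet
# (Add-DhcpServerv4OptionDefinition fails on a duplicate option ID).
$existing = Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String `
        -Description 'PXE client identifier (WDS server name or IP)'
}

# Step 2: set the value at server level, so every scope includes it in the
# DHCPOFFER packets it sends (the notes' "Server Options" node).
Set-DhcpServerv4OptionValue -OptionId 60 -Value $wdsServer

# Step 3: verify what PXE clients will actually receive.
Get-DhcpServerv4OptionValue -OptionId 60 | Format-List OptionId, Name, Value

# Only network (PXE) boots act on option 060; local disk boots ignore it, so a
# wrong value shows up as PXE clients failing to find the WDS boot server.
```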
Lesson 12
DNS
Global Query Block List: list of names (protocols) which aren't allowed to be updated via Dynamic DNS update;
Set-DnsServerGlobalQueryBlockList
Get-DnsServerGlobalQueryBlockList
dnscmd [<ServerName>] /info /globalqueryblocklist
Windows Server 2012 includes a new Windows PowerShell module that, for the first time, enables you to
manage DNS servers from the command line without using elaborate Windows Management Instrumentation
(WMI) scripts. After installing the DNS Server role using the Install-WindowsFeature cmdlet, you can
create a zone on the DNS server using the Add-DnsServerPrimaryZone cmdlet with the following
basic syntax:
ADD PRIMARY ZONE
Add-DnsServerPrimaryZone -Name <name>
-ReplicationScope Forest|Domain|Legacy|Custom
[-DynamicUpdate None|Secure|NonsecureAndSecure]
For example, to create a zone called Paris in the adatum.com domain, you would use the
following command:
Add-DnsServerPrimaryZone -Name Paris.adatum.com
-ReplicationScope Forest
ADD RESOURCE RECORD A
To create an Address resource record with Windows PowerShell, you use the
Add-DnsServerResourceRecordA cmdlet, using the following syntax:
Add-DnsServerResourceRecordA -Name <name>
-ZoneName <name> -IPv4Address <address>
For example, to create a resource record for a host called Client1, use the following
command:
Add-DnsServerResourceRecordA -Name Client1
-ZoneName paris.adatum.com -IPv4Address 192.168.4.76
DNS FORWARDER
Get-DnsServerForwarder
Set-DnsServerForwarder -IPAddress <ip address>
(replaces the DNS server's forwarding with the IP specified)
Remove-DnsServerForwarder -IPAddress <ip address>
Add-DnsServerForwarder -IPAddress <ip address to forward to>
ADD CONDITIONAL FORWARDER
Add-DnsServerConditionalForwarderZone -Name Tailspintoys.com -MasterServers <ParentDomainDNSIP> -ReplicationScope "Forest"
Trick to prevent DNS from resolving internet host names:
Create a primary zone named "."
This converts the server to a root server.
https://support.microsoft.com/en-us/kb/231794
Lesson 13
Install AD DS
Install-WindowsFeature AD-Domain-Services
Install New Forest
Install-ADDSForest
Add New Domain Controller
Install-ADDSDomainController
Add New Domain to existing forest
Install-ADDSDomain
IFM (Install From Media)
Create IFM media first on a DC:
To create Install From Media (IFM) media, you must run the Ntdsutil.exe program
on a domain controller running the same version of Windows that you intend to deploy.
The program is interactive, requiring you to enter a sequence of commands such as
the following:
Ntdsutil launches the program.
Activate instance ntds focuses the program on the installed AD DS instance.
Ifm switches the program into IFM mode.
Create Full|RODC <pathname> creates media for either a full read/write domain
controller or a read-only domain controller and saves it to the folder specified by the
pathname variable.
Ntdsutil > activate instance ntds > Ifm > Create Full c:\ifm
Transfer the IFM media to the computer you want to install on.
DEMOTE DC (Removing a domain controller)
Uninstall-ADDSDomainController -ForceRemoval
-LocalAdministratorPassword <password> -Force
Global Catalog Config
Active Directory Sites and Services > Default-First-Site-Name > Servers > ServerA >
Right-click the NTDS Settings node, Properties
Test if Domain is Registered in DNS
dcdiag /test:registerindns /dnsdomain:<domain name> /v
FSMO ROLES
Forest-Wide Roles:
Schema Master
The schema is shared between every Tree and Domain in a forest and must be consistent between all
objects. The schema master controls all updates and modifications to the schema.
Domain Naming
When a new Domain is added to a forest the name must be unique within the forest. The Domain
naming master must be available when adding or removing a Domain in a forest.
Domain-Wide Roles:
Relative ID (RID) Master
Allocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created
in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in
the domain) and a RID which is unique within the Domain.
When moving objects between domains you must start the move on the DC which is the RID master
of the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a
BDC.
It is also responsible for time synchronising within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is
replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password
the logon request is passed to the PDC emulator to check the password before rejecting the login
request.
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects
in other domains. The global catalogue is used to compare data as it receives regular updates for all
objects in all domains.
NOTE: RID MASTER IS REQUIRED TO BE ONLINE FOR DOMAIN JOINS. IF RID MASTER DC IS OFFLINE,
COMPUTERS CANNOT JOIN DOMAIN
Transferring FSMO ROLES
In command line (> means press enter)
Ntdsutil >
roles >
connections >
connect to server <servername> (name of the server you are transferring roles to; can be the server
you are on right now) >
q >
transfer <role name> >
q >
q >
List of role names for ntdsutil:
Rid master
Schema master
Domain naming master (ntdsutil command: transfer naming master)
Pdc
Infrastructure master
(to transfer the pdc emulator, type transfer pdc, NOT transfer pdc emulator)
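The same transfer done with the ActiveDirectory module instead of ntdsutil, with a before/after check of every role holder, as an added example that is not part of the original notes; DC02 is a constructed placeholder for the target domain controller.

```powershell
# Added example (not from the original notes): transfer FSMO roles with
# Move-ADDirectoryServerOperationMasterRole and verify the holders.
# 'DC02' is a constructed placeholder for the target domain controller.
Import-Module ActiveDirectory
$target = 'DC02'

# Forest-wide roles are reported by Get-ADForest, domain-wide roles by
# Get-ADDomain; together they give all five holders in one object.
function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
Write-Output 'Before:'; Get-FsmoHolders

# Graceful transfer: the current holder must be online and agree to hand the
# role over. Adding -Force would seize the role, which is only appropriate
# when the old holder is permanently gone (never bring it back afterwards).
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

Write-Output 'After:'; Get-FsmoHolders

# Per the note above, keep the RID master reachable: computers cannot join
# the domain while it is offline, so check it after any DC maintenance.
```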
Lesson 14
Adding Users:
Dsadd.exe User
dsadd user "CN=Elizabeth Andersen,OU=Research,DC=adatum,DC=local"
-samid "eander"
-fn "Elizabeth"
-ln "Andersen"
-disabled no
-mustchpwd yes
-pwd "Pa$$w0rd"
New-ADUser
-Name "Elizabeth Andersen"
-SamAccountName "eander"
-GivenName "Elizabeth"
-Surname "Andersen"
-Path 'OU=Research,DC=adatum,DC=local'
-Enabled $true
-AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force)
-ChangePasswordAtLogon $true
(-AccountPassword needs a SecureString; the password is single-quoted because "$$" inside double quotes expands to the process ID.)
Filter Users by Logon Date
$logonDate = New-Object System.DateTime 2007, 1, 1
Get-ADUser -Filter { lastLogon -le $logonDate }
Import-Csv usersFinance.csv | ForEach-Object {
    New-ADUser -SamAccountName $_.SamAccountName `
        -Name $_.Name -Surname $_.Surname `
        -GivenName $_.GivenName -Path "OU=Research,DC=adatum,DC=COM" `
        -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) -Enabled $true }
Adding Computer
dsadd computer <ComputerDN>
New-ADComputer -Name <computer name> -Path <distinguished name>
Joining Computer to Domain
netdom join <computer name> /Domain:<DomainName>
[/UserD:<User> /PasswordD:<UserPassword>] [/OU:<OU DN>]
Add-Computer -DomainName <domain name>
Limit how many AD objects someone can add:
dsadd quota
Joining a Domain While Offline
In these cases, it is possible to perform an offline domain join, by using a
command-line program called Djoin.exe.
The offline domain join procedure requires you to run the Djoin.exe program twice, once on
a computer with access to a domain controller, and then again on the computer to be joined.
When connected to the domain controller, the program gathers computer account metadata
for the system to be joined and saves it to a file. The syntax for this phase of the process is as
follows:
djoin /provision /domain <domain name>
/machine <computer name> /savefile <filename.txt>
djoin /requestODJ /loadfile <filename.txt>
/windowspath %SystemRoot% /localos
Djoin requests an offline domain join AFTER a computer restarts
Assigning User Rights
User rights are Group Policy settings that provide users with the capability to perform certain system-related tasks.
For example, logging on locally to a domain controller requires that a user has the Log On Locally right assigned to
his or her account or be a member of the Account Operators, Administrators, Backup Operators, Print Operators, or
Server Operators group on the domain controller. Other similar settings included in this collection are related to
user rights associated with system shutdown, taking ownership privileges of files or objects, restoring files and
directories, and synchronizing directory service data. For more information on user rights assignment, refer to
Objective 6.2, Configure Security Policies, in Lesson 17
Disable or Enable User Account
Disable-ADAccount -Identity <account name>
Enable-ADAccount -Identity <account name>
Lesson 15
Add New OU
New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM"
Creating New Groups
dsadd group "CN=Sales,DC=adatum,DC=com" -member
"CN=Administrator,CN=Users,DC=adatum,DC=com"
To create a new group object by using Windows PowerShell, you use the New-ADGroup cmdlet, with the
following syntax:
New-ADGroup
-Name <group name>
-SamAccountName <SAM name>
-GroupCategory Distribution|Security
-GroupScope DomainLocal|Global|Universal
-Path <distinguished name>
For example, to create a global security group called Sales in the Chicago OU, you use the following command:
New-ADGroup -Name Sales -SamAccountName Sales
-GroupCategory Security -GroupScope Global
-Path "OU=Chicago,DC=Adatum,DC=Com"
Restricted Groups Policies
When you create Restricted Groups policies, you can specify the membership for a group and enforce it, so that
no one can add or remove members. You can modify membership with other tools, but when the next Group Policy update happens, the group
membership list will be overwritten by the policy.
Modifying Groups
dsmod group <GroupDN> [parameters]
Can add, remove members;
Change group type and scope
The most commonly used command-line parameters for Dsmod.exe are as follows:
-secgrp yes|no sets the group type to security group (yes) or distribution group (no).
-scope l|g|u sets the group scope to domain local (l), global (g), or universal (u).
-addmbr <members> adds members to the group. Replace members with the DNs of
one or more objects.
-rmmbr <members> removes members from the group. Replace members with the
DNs of one or more objects.
-chmbr <members> replaces the complete list of group members. Replace members
with the DNs of one or more objects.
For example, to add the Administrator user to the Guests group, you use the following
command:
dsmod group "CN=Guests,CN=Builtin,DC=adatum,DC=com"
-addmbr "CN=Administrator,CN=Users,DC=adatum,DC=com"
Lesson 16
Central Store
By default, GPO files (ADM and ADMX files) are stored on each computer. This creates unnecessary bloat. The Central Store fixes this
by storing GPO files on domain controllers and having computers access those.
To use a
Central Store, however, you must create the appropriate folder in the SYSVOL volume on
a domain controller.
By default, tools such as the Group Policy Management console save the ADMX
files to the \%systemroot%\PolicyDefinitions folder, which on most computers is
C:\Windows\PolicyDefinitions. To create a Central Store, you must copy the entire
PolicyDefinitions folder to the same location as the Group Policy templates, that is,
%systemroot%\SYSVOL\sysvol\<domain name>\Policies, or, in UNC notation,
\\<domain name>\SYSVOL\<domain name>\Policies.
New GPO
New-GPO -Name <name> -Domain <name> -StarterGpoName <name>
When you run the New-GPO cmdlet, the cmdlet returns the name of the newly created GPO; you can
pipe that name to the New-GPLink cmdlet, which links the GPO to the domain, site, or OU
using the following syntax:
New-GPLink -Name <link name> -Target <LDAP path>
For example, to create a new GPO called Test1 and link it to the adatum.com domain, you would use the
following command:
New-GPO -Name Test1 | New-GPLink -Target "dc=adatum,dc=com"
Enforce
Configuring the Enforce setting on an individual GPO link forces a particular GPO's settings
to flow down through the AD DS hierarchy, without being blocked by child OUs.
Because child containers' settings
can overwrite the settings that were invoked at a parent container, you can assign the Enforce
attribute to a GPO link to force a parent setting, preventing it from being overwritten by a
conflicting child setting. The Enforce option denies the capability of child objects to apply
the Block Policy Inheritance setting.
Loopback Processing
As the name implies, Loopback Processing enables the Group Policy processing order to
circle back and reapply the computer policies after all user policies and logon scripts run.
When you enable loopback processing, you can choose the Merge option or the Replace
option. When you select the Merge option, after all user policies run the system reapplies
the computer policy settings, which enables all current GPO settings to merge with the
reapplied computer policy settings. In instances where conflicts arise between computer
and user settings, the computer policy supersedes the user policy. This occurs before the
desktop is presented to the user. The system simply appends the settings to those that were
already processed. Merging might not overwrite all the settings implemented by the User
Configuration settings.
Lesson 17
Import GPO
Import-GPO -BackupGpoName TestGPO -TargetName TestGPO -Path c:\backups
OPTIMIZING GROUP POLICY PROCESSING
When you create a GPO that contains computer or user settings, but not both, you can disable
the setting area that is not configured for faster processing. For example, to configure
a computer policy that applies to all computers within an OU, you should disable the User
Configuration node settings so that the policy processing is faster. When one part of the
policy is disabled, systems ignore that section and disregard the settings in it.
Lesson 18
SOFTWARE RESTRICTION POLICIES
Hash Rules
Creating a hash rule for an
application executable prevents the application from running if the hash value is not correct.
Because the hash value is based on the file itself, you can move the file from one location
to another and it will still function. If the executable file is altered in any way, such as if it
is modified or replaced by a worm or virus, the hash rule in the software restriction policy
prevents the file from running.
CERTIFICATE RULES
A certificate rule uses the digital certificate associated with an application to confirm
its legitimacy. You can use certificate rules to enable software from a trusted source to run
or to prevent software that does not come from a trusted source from running. You can also
use certificate rules to run programs in disallowed areas of the operating system.
PATH RULES
A path rule identifies software by specifying the directory path where the application is
stored in the file system.
Path rules can specify either a location in the file system where application files are located or a
registry path setting. Registry path rules provide assurance that the application executables will
be found even if the application is moved to a different folder.
NETWORK ZONE RULES
Network zone rules apply only to Windows Installer packages that attempt to install from
a specified zone, such as a local computer, a local intranet, trusted sites, restricted sites, or
the Internet. You can configure this type of rule to enable Windows Installer packages to be
installed only if they come from a trusted area of the network. For example, an Internet zone
rule can restrict Windows Installer packages from being downloaded and installed from the
Internet or other network locations.
APPLOCKER
You can use Windows PowerShell to create a new AppLocker policy, using a combination of the
Get-AppLockerFileInformation
and
New-AppLockerPolicy cmdlets.
The Get-AppLockerFileInformation cmdlet returns the information about a file (or files) needed to create the
policy, including the publisher information, the file hash, and the file path, as shown in Figure 18-24.
You can pipe the results of the Get-AppLockerFileInformation cmdlet directly to the New-AppLockerPolicy cmdlet to create the
policy, using the following syntax:
Get-AppLockerFileInformation <path>
| New-AppLockerPolicy -RuleType Publisher|Hash|Path
-User <security principal>
For example, to create a new AppLocker policy for the Windows Calculator application, you can use the
following command:
Get-AppLockerFileInformation C:\Windows\System32\Calc.exe
| New-AppLockerPolicy -RuleType Hash
-User Everyone
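Building on the pipeline above, this added example (not from the original notes) saves the generated policy to XML, tests it against files before it is enforced, and only then applies it to a GPO; the file paths and the GPO LDAP path are constructed placeholders.

```powershell
# Added example (not from the original notes): create, test, then apply an
# AppLocker policy. $policyXml and the LDAP path are constructed placeholders.
$policyXml = 'C:\Temp\AppLocker-Calc.xml'

# Publisher rules survive patching, while a hash rule breaks as soon as the
# file changes; ask for Publisher first and let unsigned files fall back to
# Hash. -Optimize merges rules that share a publisher into one rule.
Get-AppLockerFileInformation -Path 'C:\Windows\System32\calc.exe' |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# Dry run: what would the policy decide for these files for Everyone?
# A file matched by no rule reports Denied, which is what enforcement would
# do; catching that here avoids blocking a needed program in production.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path 'C:\Windows\System32\calc.exe', 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the GPO (placeholder LDAP path). Without -Merge this replaces the
# GPO's existing AppLocker policy. Clients need the Application Identity
# service running for the rules to take effect.
Set-AppLockerPolicy -XmlPolicy $policyXml `
    -Ldap 'LDAP://DC01.adatum.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=adatum,DC=local'
```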
Lesson 19 Firewall
Change Network Profile
PS C:\> $Profile = Get-NetConnectionProfile -InterfaceAlias Ethernet1
PS C:\> $Profile.NetworkCategory = "Private"
PS C:\> Set-NetConnectionProfile -InputObject $Profile
Create Firewall Rules using PowerShell
You can create new Windows Firewall rules with Windows PowerShell by using the New-NetFirewallRule cmdlet
with the following basic syntax:
New-NetFirewallRule -DisplayName <name>
-Direction Inbound|Outbound -Action Block|Allow
-LocalPort <number> -Protocol TCP|UDP -Program <name>
For example, to create a rule that blocks all inbound traffic through TCP port 80:
New-NetFirewallRule -DisplayName "Block80"
-Direction Inbound -Action Block
-LocalPort 80 -Protocol TCP
Firewall cmds:
netsh advfirewall
(look up online for examples, list too extensive)
Import and Export firewall rules:
netsh advfirewall export "c:\advfirewallpolicy.wfw"
netsh advfirewall import "c:\advfirewallpolicy.wfw"