4. Working with the SCRegEdit Script
Microsoft has begun using a new scripting file format called the Windows Scripting File (WSF). The SCRegEdit.WSF
file on your system is just one of many WSF files you should expect to
see at some point. The purpose of this script is to make it easier to
perform certain types of registry edits. The following sections detail
the kinds of registry edits you can perform and the command line
switches you use to perform the tasks.
4.1. Setting Automatic Updates
This feature of the
SCRegEdit script lets you set the automatic update feature for Windows
without relying on the GUI. This script feature uses the following syntax:
/AU [/v][1 | 4]
The following list describes each of the command line arguments:
/v
Displays the current Automatic Update settings.
1
Disables the Automatic Update feature.
4
Enables the Automatic Update feature.
4.2. Enabling Terminal Services
Because Server Core lacks a
GUI, it's often helpful to use Remote Desktop to administer the server.
Using this approach lets you combine the benefits of both the command
line and the GUI to get work done faster.
There are two
forms of this particular script feature. The first form is for newer
versions such as Vista. This form provides additional security not
provided with previous versions of Windows, so it's more secure, but
also limits connectivity. This script feature uses the following syntax:
/AR [/v][0 | 1]
The following list describes each of the command line arguments:
/v
Displays the Terminal Services connection settings.
0
Enables the Terminal Services connection.
1
Disables the Terminal Services connection.
The second form
lets older versions of Windows make a connection to Server Core. Except
for the amount of security provided, this form works just like the other
form of this feature. When working in secure mode, Terminal Services
relies on the Credential Security Support Provider (CredSSP) to provide
security. Read more about CredSSP at http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/25/724271.aspx. You may also want to review the group policy settings for this feature at https://msdn2.microsoft.com/en-us/library/bb204773.aspx. This script feature uses the following syntax:
/CS [/v][0 | 1]
The following list describes each of the command line arguments:
/v
Displays the CredSSP setting.
0
Allows previous versions of Windows to connect to the server using non-CredSSP techniques.
1
Requires that all Terminal Services remote connections use CredSSP.
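The following audit sketch is an added example, not part of the original text. It parses captured `reg query` output and flags servers that accept remote connections without requiring CredSSP. The registry value names (fDenyTSConnections for /AR, UserAuthentication for /CS) are assumptions the text does not name, and the host names and sample captures are constructed.

```python
import re

# Assumed registry values behind the switches (not named in the text above):
#   /AR -> fDenyTSConnections  (0 = connections allowed, 1 = denied)
#   /CS -> UserAuthentication  (1 = CredSSP required, 0 = older clients allowed)
DWORD_RE = re.compile(r"^[ \t]+(\w+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*$", re.M)

def parse_reg_query(text):
    """Return {value_name: int} for each REG_DWORD line of `reg query` output."""
    return {name: int(hexval, 16) for name, hexval in DWORD_RE.findall(text)}

def classify(text):
    """Turn one server's captured output into an audit verdict."""
    values = parse_reg_query(text)
    deny = values.get("fDenyTSConnections")
    cred = values.get("UserAuthentication")
    if deny is None:
        return "unknown: fDenyTSConnections not captured"
    if deny != 0:
        return "ok: remote connections disabled"
    if cred is None:
        return "review: enabled, CredSSP setting not captured"
    if cred == 1:
        return "ok: enabled, CredSSP required"
    return "finding: enabled, CredSSP not required"

# Constructed sample captures; host names are hypothetical.
TEMPLATE = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\n"
    "    fDenyTSConnections    REG_DWORD    0x{deny:x}\n\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
    "\\WinStations\\RDP-Tcp\n"
    "    UserAuthentication    REG_DWORD    0x{cred:x}\n"
)
SAMPLES = {
    "core-01": TEMPLATE.format(deny=0, cred=0),
    "core-02": TEMPLATE.format(deny=0, cred=1),
    "core-03": TEMPLATE.format(deny=1, cred=0),
    "core-04": "ERROR: The system was unable to find the specified registry key or value.\n",
}

def audit(samples):
    """Classify every captured server."""
    return {host: classify(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Note the inverted sense of /AR: a value of 0 means connections are allowed, so a server at /AR 0 and /CS 0 is the combination to look for.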
4.3. Configuring the IP Security (IPSec) Monitor
You may need to provide remote management capability for the IPSec feature of Windows. Use this script feature to modify the remote management capability as needed. This script feature uses the following syntax:
/IM [/v][0 | 1]
The following list describes each of the command line arguments:
/v
Displays the IPSec Monitoring setting.
0
Prevents remote management of IPSec Monitoring.
1
Allows remote management of IPSec Monitoring.
NOTE
The Internet Engineering Task Force (IETF) created the Internet Protocol (IP) Security Protocol Working Group to look at the problems of IP security, such as the inability to encrypt data at the protocol level. It's currently working on a wide range of specifications that will ultimately result in more secure IP transactions. For example, IPSec is used in a variety of object-based group policy schemes. Windows currently uses IPSec for network-level authentication, data integrity checking, and encryption.
4.4. Managing DNS Service Priority and Weight
The Domain Name System
(DNS) service is one of the more important features of Windows because
it helps set the addresses for each node on the network. In fact, the
services provided are standardized across all operating systems as part
of RFC 2782 (see http://www.faqs.org/rfcs/rfc2782.html
for details). You'll normally use this script feature on domain
controllers only. The DNS Service (SRV) records have both a priority and
a weight. The priority affects the LdapSrvPriority registry setting
(see http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/55945.mspx
for details). When two DNS servers have the same priority setting,
Windows relies on the weight setting to determine which server to use.
You set the priority using the /DP command line switch. This script feature uses the following syntax:
/DP [/v][Value]
The following list describes each of the command line arguments:
/v
Displays the current DNS SRV priority setting.
Value
A value between 0 and 65,535 that defines the server priority. Microsoft recommends a value of 200.
When two DNS servers have the same priority,
Windows relies on the weight value to determine which server to use. Use
the /DW command line switch to modify
the DNS SRV record weight. This setting affects the LdapSrvWeight
registry setting. You can read more about the LdapSrvWeight setting at http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/55945.mspx. This script feature uses the following syntax:
/DW [/v][Value]
The following list describes each of the command line arguments:
/v
Displays the current DNS SRV weight setting.
Value
A value between 0 and 65,535 that defines the server weight. Microsoft recommends a value of 50.
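The following simulation is an added example, not part of the original text. It goes beyond the tie-break described above and implements the full selection RFC 2782 describes: the lowest priority value is tried first, and records that share a priority are ordered by a weighted random draw. The record names, priorities and weights are constructed for illustration.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "target priority weight")

def validate(record):
    """Both fields are 16-bit, matching the 0 to 65,535 range given above."""
    for field in (record.priority, record.weight):
        if not 0 <= field <= 65535:
            raise ValueError(f"{record.target}: {field} is outside 0..65535")
    return record

def order_targets(records, rng=random):
    """Return targets in the order an RFC 2782 client would try them."""
    records = [validate(r) for r in records]
    ordered = []
    for prio in sorted({r.priority for r in records}):   # lowest priority value first
        # Zero-weight records lead the working list so they are seldom picked first.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= pick:            # first record whose running sum covers pick
                    ordered.append(pool.pop(i).target)
                    break
    return ordered

def first_pick_share(records, target, trials=3000, seed=1):
    """Fraction of trials in which `target` is the first server tried."""
    rng = random.Random(seed)
    hits = sum(order_targets(records, rng)[0] == target for _ in range(trials))
    return hits / trials

# Constructed records; names, priorities and weights are illustrative only.
RECORDS = [
    Srv("dc-a.example.test", 0, 100),
    Srv("dc-b.example.test", 0, 50),
    Srv("dc-hub.example.test", 200, 50),
]

if __name__ == "__main__":
    print(order_targets(RECORDS))
    print(round(first_pick_share(RECORDS, "dc-a.example.test"), 2))
```

In this sample the record with priority 200 is always tried last, and the server with weight 100 is tried first about twice as often as the one with weight 50.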
4.5. Using the Command Line Reference
The SCRegEdit script
also includes a command line reference for performing some common
command line tasks. This script feature uses the following syntax:
/CLI
When you type CScript SCRegEdit.WSF /CLI and press Enter, you'll see a display similar to the one shown in Figure 2.
The command line information tells you how to perform common tasks
using the current version of the server. Since Microsoft will likely
keep this file updated as it provides revisions, you should refer to
this information when it appears that an update has made an older
configuration technique incomplete. Unfortunately, the information only
tells you how to perform the most basic tasks and not in any particular
order.
5. Scripting Registry Entries with the RegIni Utility
The RegIni utility lets
you perform registry manipulations that involve security or other
configurations. You can also use it to perform a list of registry
modifications as a script, rather than individually using RegEdit. The
most common use of this utility is to modify the security settings for
the registry as explained by the Knowledge Base article at http://support.microsoft.com/?kbid=245031. The Knowledge Base article at http://support.microsoft.com/?kbid=237607
has additional information on using this utility for security purposes.
You can find a more complete discussion of how to use RegIni, including
creating scripts using a number of techniques, on the Windows IT
Library site at http://www.windowsitlibrary.com/Content/237/2.html. This utility uses the following syntax:
RegIni [-m \\computername] scriptname
The following list describes each of the command line arguments:
scriptname
Specifies the name of the file containing the registry script.
-m \\computername
Specifies the name of the computer on which to perform the modifications. The default is the local computer.