Introduction

This appendix contains a brief description of the scripts and other support files supplied with the solution. Although fully functional and tested with the solution, the scripts have not been through an extensive quality control process. They are intended to illustrate techniques and provide the basis for your own administrative scripts. You should fully test the scripts in your environment before deploying them in production.

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Listing of Files in the Solution

The following table lists all the files supplied with the solution. These are installed from the MSSWLANTools.msi Windows Installer file.

Table D.1: List of Files Supplied with the Solution

| File | Description |
| --- | --- |
| Main CMD Files | |
| MSSSetup.cmd, MSSTools.cmd | These are the batch files that provide the interface to the Microsoft Windows Script Host (WSH) files and simplify the syntax. They allow different jobs to run by specifying the job name as a single parameter on the command line. The syntax is as follows: msssetup JobName [/param:value] or msstools JobName [/param:value], where JobName is the name of the operation. If you run this script without a JobName, all available jobs will be listed along with a simple description of each job's function. |
| WSH XML Files | |
| msssetup.wsf, msstools.wsf | These are WSH XML files, which specify the individual jobs available. The jobs defined in the WSF files call procedures defined in the VBS files. The syntax is as follows: cscript //job:JobName msstools.wsf [/param:value]. If you run this script without a JobName, all available jobs in the WSF file will be listed along with a simple description of each job's function. |
| VBScript Files | |
| ias_setup.vbs | Routines used during the setup of Internet Authentication Service (IAS). |
| ias_tools.vbs | Routines used during the operation and monitoring of IAS. |
| Gen_setup.vbs | Routines that are not specific to IAS or Certificate Services and were used during the implementation. |
| ca_setup.vbs | Routines used during the setup of the certification authority (CA). |
| ca_monitor.vbs | Routines used by the CA monitoring functions. |
| constants.vbs | Constants used by the other VBS files. |
| helper.vbs | Generic routines used by the other VBS files. |
| pkiparams.vbs | Constants used to define many of the setup parameters for the CA. |
| Miscellaneous Files | |
| InstCAPICOM.cmd | CMD file to simplify installation of CAPICOM. |
| CreateShortCut.cmd | CMD file that calls a routine from the VBS file to create a shortcut on the user's desktop. The shortcut starts CMD.EXE with the current directory set to the script installation folder. |
| ComputerCerts.msc | Predefined management console to view certificates in the computer store. |
| AddRADIUSClient.exe | Utility to add RADIUS clients to IAS from the command line. (Note: This tool requires the .NET Framework to be installed.) |
| Interop.SDOIASLib.dll | Support library required by AddRADIUSClient.exe. |
| Source | Folder containing the source code for the AddRADIUSClient tool. |
| Group Policy Files | |
| MSSWLANGPOs | This folder contains the XML definition file and data files for the two predefined Group Policy objects (GPOs) supplied with this solution. |
| Documents | |
| Securing Wireless LANs.rtf | Readme file containing the same text as this chapter. |
Structure of the Scripts

The Microsoft Visual Basic Scripting Edition (VBScript) files require some explanation to understand how they work together. Unlike many VBScript examples, the script files included with the solution contain multiple, often independent, functions. To provide access to these different functions, the scripts use the "job" functionality of WSH. This allows several independent program functions to be contained in, and called from, the same file by specifying a job name as a parameter to the script. There are two Windows Script (.wsf) files, which contain the user interface to all of the different script operations. The .wsf files call a set of .vbs files, which contain the code that actually does the work for a particular job. You can call a job using the following syntax: cscript //job:JobName WScriptFile.wsf, where JobName is the name of the operation and WScriptFile is the name of the XML interface file for the script. An excerpt from one of the .wsf files, where the job ConfigureCA is defined, is as follows:
<?xml version="1.0" encoding="utf-8" ?>
<package xmlns="Windows Script Host">
<job id="ConfigureCA">
<description>Configures the CA registry parameters</description>
<!-- Library files whose routines and data this job needs; they are loaded before the job body runs -->
<script language="VBScript" src="constants.vbs" />
<script language="VBScript" src="pkiparams.vbs" />
<script language="VBScript" src="helper.vbs" />
<script language="VBScript" src="ca_setup.vbs" />
<!-- Top-level calls that start the job -->
<script language="VBScript">
<![CDATA[
Initialize True, True
ConfigureCA
CloseDown
]]>
</script>
</job>
<!-- The other job elements of the file are omitted from this excerpt -->
</package>
In this excerpt, the job definition specifies that the .vbs files constants.vbs, pkiparams.vbs, helper.vbs, and ca_setup.vbs contain functions, subroutines, or data required by this job; therefore, they need to be loaded. The final section specifies the top-level functions to be executed to start the job; in this case, these functions are Initialize (which sets up logging), ConfigureCA (which performs the main job of configuring the CA), and CloseDown (which closes the log). In each of the .wsf files, the first job is defined to list the names (IDs) and descriptions of all of the jobs contained in the file. Thus, if the .wsf file is run without requesting a specific job, this default job runs and displays a short help screen with the names and descriptions of all available jobs in the file. The following tables list the jobs available in each of the .wsf files supplied with the solution.

Table D.2: List of Jobs in MSSSetup.wsf

| Job | Description |
| --- | --- |
| ListJobs | Lists all jobs in the WSF file. |
| ConfigureCA | Configures the CA registry parameters. |
| ConfigureTemplates | Configures CA certificate templates. |
| CheckCAEnvironment | Checks the environment prior to CA installation. |
| InstallCA | Installs Certificate Services. |
| CreateShortcut | Creates a shortcut to MSS WLAN Tools on the desktop. |
| ImportSecurityGPO | Imports the GPO with server security settings into the domain. |
| ImportAutoEnrollGPO | Imports the GPO with certificate autoenrollment settings into the domain. |
| ImportWLANClientGPO* | Imports the WLAN settings GPO. |
| CheckDomainNativeMode | Checks to see if the domain is in native mode. |
| VerifyCAInstall | Verifies that the CA installation was successful. |
| VerifyCAConfig | Verifies that the CA configuration was successful. |
| CheckIASEnvironment | Checks the environment prior to installing IAS. |
| InstallIAS | Installs Internet Authentication Service on the server. |
| CreateWLANGroups | Creates security groups in Active Directory. |
| AddWLANGroupMembers | Populates the security groups with the correct memberships. |
Note: The jobs marked with an asterisk (*) are not used in this solution.

Table D.3: List of Jobs in MSSTools.wsf

| Job | Description |
| --- | --- |
| ListJobs | Lists all jobs in the WSF file. |
| AddRADIUSClient | Interactive procedure to add a RADIUS client to IAS (parameters: [/path:OutputFileName]). |
| AddSecRADIUSClients | Interactive procedure to add a RADIUS client to IAS (parameters: [/path:InputFileName]). |
| GenRADIUSPwd | Generates a RADIUS client entry and secret (parameters: /client:ClientName /ip:ClientIPAddress [/path:OutputFile]). |
| ExportIASSettings | Exports the IAS server configuration to files (parameters: [/path:FolderToSaveSettingsFiles]). |
| ImportIASSettings | Imports the IAS server configuration from files (parameters: [/path:FolderWithFilesToImport]). |
| ExportIASClients | Exports IAS RADIUS clients to a file (parameters: [/path:FolderToSaveClientsFile]). |
| ImportIASClients | Imports IAS RADIUS clients from a file (parameters: [/path:FolderWithClientsFileToImport]). |
| BackupIAS | Backs up all IAS settings to a file (parameters: [/path:FolderToSaveBackupFile]). |
| RestoreIAS | Restores all IAS settings from a file (parameters: [/path:FolderFileToRestore]). |
| CheckIAS | Checks that the IAS server is responding (parameters: [/verbose]). |
| CheckCA | Checks that the CA service is responding and the certificate revocation list (CRL) is valid (parameters: [/verbose]). |
| EnableIASLockout* | Enables account lockout for IAS (parameters: [/maxdenials:10] [/lockouttime:2880 (secs)]). |
| DisableIASLockout* | Disables account lockout for IAS. |
| ShowLockedOutAccounts* | Shows locked out accounts (and accounts with failed authorizations). |
| ResetLockedOutAccount* | Resets a locked out account (parameters: /account:DomainName:AccountName). |
Note: The jobs marked with an asterisk (*) are not used in this solution.

Job Output

Most of the scripts log progress information to a console window and, in many cases, also to a log file. This information may include error information if the script encountered problems during execution. The monitoring scripts are the exception to this because they are designed to run as non-interactive scheduled jobs and not to send output to a console window. The scripts use a simple scrollable window to display their output. At the completion of each script, you are prompted to choose whether you want to keep the window open (for reference) or close it. For most of the setup procedures, the output is also logged to a file called %SystemRoot%\debug\MSSWLAN-Setup.log. Most regular operational tasks are not logged; however, the tasks that might have a significant security or operational impact, such as the import of the IAS configuration, are logged. Tasks that could result in sensitive information being written to the log, such as adding RADIUS clients and generating RADIUS client secrets, are deliberately not logged.

Executing the Jobs

Although the scripts can be executed directly, there are two command shell batch (.cmd) files that help simplify the syntax. The syntax for executing the .wsf files directly is as follows: cscript //job:JobName MssSetup.wsf. Instead, you can use the .cmd files with the following simpler syntax: MssSetup JobName. Running the .cmd file without specifying a job causes the first job (ListJobs) in the .wsf file to run; this job lists the IDs and descriptions of each job in the .wsf file. Certain jobs also take additional parameters. The syntax for running these jobs and the information on additional parameters are covered in the relevant chapters of this solution.

The general syntax for specifying additional parameters is: MssSetup JobName /ParamName:ParamValue, where ParamName is the name of the parameter (for example "path" or "client") and ParamValue is the setting for that parameter (for example "C:\MyFile.txt" or "MyComputer"). Parameter values that contain embedded spaces must be enclosed in quotation marks (").
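The following Python is an added example and not code from the solution's own scripts. It reads a constructed .wsf package modelled on the ConfigureCA excerpt above, lists the jobs the way the ListJobs job does, flags any .vbs file a job loads that is missing from the install folder (a quick pre-deployment check), and expands the MssSetup/MssTools wrapper syntax into the cscript command line, quoting values with embedded spaces as the section above requires. The sample package, the file list and the helper names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# WSH declares xmlns="Windows Script Host"; strip that prefix from element tags.
local = lambda tag: tag.rsplit("}", 1)[-1]

# Constructed sample .wsf (not the solution's file), modelled on the excerpt.
SAMPLE_WSF = """<?xml version="1.0" encoding="utf-8" ?>
<package xmlns="Windows Script Host">
<job id="ListJobs"><description>Lists all jobs in the WSF file</description></job>
<job id="ConfigureCA">
<description>Configures the CA registry parameters</description>
<script language="VBScript" src="constants.vbs" />
<script language="VBScript" src="pkiparams.vbs" />
<script language="VBScript" src="helper.vbs" />
<script language="VBScript" src="ca_setup.vbs" />
<script language="VBScript"><![CDATA[
Initialize True, True
ConfigureCA
CloseDown
]]></script>
</job>
</package>"""

def list_jobs(wsf_text):
    """Return [(job_id, description, [.vbs files loaded])] in file order."""
    jobs = []
    for job in ET.fromstring(wsf_text).iter():
        if local(job.tag) != "job":
            continue
        desc = " ".join(c.text.strip() for c in job
                        if local(c.tag) == "description" and c.text)
        srcs = [c.get("src") for c in job if local(c.tag) == "script" and c.get("src")]
        jobs.append((job.get("id"), desc, srcs))
    return jobs

def missing_sources(jobs, present_files):
    """Job id -> .vbs files the job loads that are absent from the install folder."""
    present = {f.lower() for f in present_files}
    gaps = {jid: [s for s in srcs if s.lower() not in present] for jid, _, srcs in jobs}
    return {jid: miss for jid, miss in gaps.items() if miss}

def build_command(jobs, wsf_file, job_id=None, **params):
    """Expand 'MssSetup JobName /name:value' into the cscript line the .cmd runs.
    No job id selects the first job (ListJobs); values with spaces are quoted."""
    if job_id is None:
        job_id = jobs[0][0]
    parts = ["cscript", "//job:" + job_id, wsf_file]
    for name, value in params.items():
        value = str(value)
        parts.append("/%s:%s" % (name, '"%s"' % value if " " in value else value))
    return " ".join(parts)
```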