下载文档原格式
在win2003的域环境下,组策略的使用让我们能更方便的管理域内的共享资源以及域内用户的使用权限等诸多问题,使管理员的日常维护效率大大提高,但世间万物皆有利弊,同样人也一样会犯错误,在日常的维护工作中,由于管理员的疏忽操作导致的各种问题比比皆是。
下面我们就来讨论一种看似比较棘手的情况。
在win2003中,当某个域中的用户或本地用户被策略拒绝了本地登陆的权限,当这个用户在域中的计算机登陆时会被提示“此系统的本地策略不允许您采用交互式登录”,使得用户无法登陆本地计算机,同样也不能登陆域,通常遇到这种问题,我们的解决办法是,用管理员账号登陆域控制器,修改一下策略,把此用户从“拒绝本地登录”列表中删除即可,但如果由于人为的操作失误,管理员把所以用户的本地登陆权限都禁止了,导致了域中所有用户都不能本地登陆域内计算机(包括域管理员以及本地管理员),这种情况就比较棘手了,我们用什么方法能解决这看似不能解决的问题呢?通过查询相关资料以及测试,我们知道所有策略的设置都保存在域控制器(DC)的windows文件夹下的sysvol文件夹下,以GUID为文件夹名,其中安全设置部分保存在DC的windows\sysvol\sysvol\域名\policies\策略的GU ID\MACHINE\Microsoft\windows NT\SecEdit\GptTmpl.inf 这个文件中,这是一个文本文件,能通过记事本编辑,要解除对所有用户本地登录限制,我们只需修改这个文本文件,把拒绝登陆的相关信息删除就OK了,而在默认情况下,存放策略设置的sysvol这个文件夹在DC上是被共享的,那我们能不能用一台计算机通过网络连接到DC的sysvol共享文件夹,远程修改GptTmpl.inf文件,从而解除本地登陆限制呢,下面我们就用虚拟机来做个实验,来模拟一下这样的网络环境,看看能不能达到我们预想的效果。
通过查询资料得知:➢默认域的策略的GUID为31B2F340-016D-11D2-945F-00C04FB984F9➢默认域控制器的策略的GUID为6AC1786C-016F-11D2-945F-00C04FB984F9实验的拓扑环境如下:先部署一个域 ,用物理机做DNS,IP为192.168.11.1域中有两台计算机,Florence为DC,Berlin为加入域的一台成员服务器,Perth为一台工作站。
运行命令集winver---------------检查Windows版本wmimgmt.msc----打开windows管理体系结构(WMI) wupdmgr-----------windows更新程序wscript--------------windows脚本宿主设置write-----------------写字板winmsd--------------系统信息awiaacmgr-----------扫描仪和照相机向导winchat-------------XP自带局域网聊天mem.exe-----------显示内存使用情况Msconfig.exe------系统配置实用程序mplayer2------------简易widnows media player mspaint--------------画图板mstsc----------------远程桌面连接mplayer2------------媒体播放机magnify--------------放大镜实用程序mmc------------------打开控制台mobsync------------同步命令dxdiag---------------检查DirectX信息drwtsn32------ ---系统医生devmgmt.msc--- 设备管理器dfrg.msc------------磁盘碎片整理程序diskmgmt.msc----磁盘管理实用程序dcomcnfg----------打开系统组件服务ddeshare-----------打开DDE共享设置dvdplay-------------DVD播放器net stop messenger-----停止信使服务net start messenger----开始信使服务notepad-----------打开记事本nslookup----------网络管理的工具向导ntbackup---------系统备份和还原narrator------------屏幕“讲述人”ntmsmgr.msc----移动存储管理器ntmsoprq.msc---移动存储管理员操作请求netstat -an----(TC)命令检查接口syncapp-----------创建一个公文包sysedit------------系统配置编辑器sigverif------------文件签名验证程序sndrec32---------录音机shrpubw----------创建共享文件夹secpol.msc-------本地安全策略syskey-------------系统加密,一旦加密就不能解开,保护windows xp系统的双重密码services.msc-----本地服务设置Sndvol32---------音量控制程序sfc.exe------------系统文件检查器sfc /scannow---windows文件保护tsshutdn----------60秒倒计时关机命令tourstart----------xp简介(安装完成后出现的漫游xp程序)taskmgr------------任务管理器tasklist /SVC-----查看进程详细信息eventvwr---------事件查看器eudcedit----------造字程序explorer-----------打开资源管理器packager---------对象包装程序perfmon.msc----计算机性能监测程序progman----------程序管理器regedit.exe------注册表rsop.msc----------组策略结果集regedt32---------注册表编辑器rononce -p -----15秒关机regsvr32 /u *.dll----停止dll文件运行regsvr32 /u zipfldr.dll------取消ZIP支持rundll32.exe shell32.dll,Control_RunDLL ---------------------------显示控制面板rundll32.exe shell32.dll,Control_RunDLL access.cpl,,1----------显示辅助功能选项rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1-----打开系统属性rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1------删除或添加程序rundll32.exe syncui.dll,Briefcase_Create--------------------桌面上建立公文包rundll32.exe diskcopy.dll,DiskCopyRunDll-------------------复制软盘驱动器rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,0--显示时间属性rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0----显示桌面墙纸属性rundll32.exe shell32.dll,Control_RunDLL joy.cpl,,0-----游戏控制器rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0---音频属性cmd.exe----------CMD命令提示符chkdsk.exe------Chkdsk磁盘检查certmgr.msc-----证书管理实用程序calc----------------启动计算器charmap----------启动字符映射表cliconfg-----------SQL SERVER 客户端网络实用程序Clipbrd-------------剪贴板查看器conf---------------启动netmeetingcompmgmt.msc---计算机管理cleanmgr---------垃圾整理ciadv.msc--------索引服务程序control userpasswords2----------用户帐户程序osk----------------打开屏幕键盘odbcad32-------ODBC数据源管理器oobe/msoobe /a----检查XP是否激活lusrmgr.msc----本机用户和组logoff-------------注销命令iexpress---------木马捆绑工具,系统自带ipconfig ---------查看当前所有IP地址Nslookup--------IP地址侦测器fsmgmt.msc---共享文件夹管理器utilman----------辅助工具管理器gpedit.msc-----组策略。
gpedit.msc-----组策略2. sndrec32-------录音机3. Nslookup-------IP地址侦测器4. explorer-------打开资源管理器5. logoff---------注销命令6. tsshutdn-------60秒倒计时关机命令7. lusrmgr.msc----本机用户和组8. services.msc---本地服务设置9. oobe/msoobe /a----检查XP是否激活10. notepad--------打开记事本A11. cleanmgr-------垃圾整理12. net start messenger----开始信使服务13. compmgmt.msc---计算机管理14. net stop messenger-----停止信使服务15. conf-----------启动netmeeting16. dvdplay--------DVD播放器17. charmap--------启动字符映射表18. diskmgmt.msc---磁盘管理实用程序19. calc-----------启动计算器20. dfrg.msc-------磁盘碎片整理程序21. chkdsk.exe-----Chkdsk磁盘检查22. devmgmt.msc--- 设备管理器23. regsvr32 /u *.dll----停止dll文件运行24. drwtsn32------ 系统医生25. rononce -p ----15秒关机26. dxdiag---------检查DirectX信息27. regedt32-------注册表编辑器28. Msconfig.exe---系统配置实用程序29. rsop.msc-------组策略结果集30. mem.exe--------显示内存使用情况31. regedit.exe----注册表32. winchat--------XP自带局域网聊天33. progman--------程序管理器34. winmsd---------系统信息35. perfmon.msc----计算机性能监测程序36. winver---------检查Windows版本37. sfc /scannow-----扫描错误并复原38. taskmgr-----任务管理器(2000/xp/200339. winver---------检查Windows版本40. wmimgmt.msc----打开windows管理体系结构(WMI)41. wupdmgr--------windows更新程序42. wscript--------windows脚本宿主设置43. write----------写字板44. winmsd---------系统信息45. wiaacmgr-------扫描仪和照相机向导46. winchat--------XP自带局域网聊天47. mem.exe--------显示内存使用情况48. Msconfig.exe---系统配置实用程序49. mplayer2-------简易widnows media player50. mspaint--------画图板51. mstsc----------远程桌面连接52. mplayer2-------媒体播放机53. magnify--------放大镜实用程序54. mmc------------打开控制台55. mobsync--------同步命令56. dxdiag---------检查DirectX信息57. drwtsn32------ 系统医生58. devmgmt.msc--- 设备管理器59. dfrg.msc-------磁盘碎片整理程序60. diskmgmt.msc---磁盘管理实用程序61. dcomcnfg-------打开系统组件服务62. ddeshare-------打开DDE共享设置63. dvdplay--------DVD播放器64. net stop messenger-----停止信使服务65. net start messenger----开始信使服务66. notepad--------打开记事本67. nslookup-------网络管理的工具向导68. ntbackup-------系统备份和还原69. narrator-------屏幕“讲述人”70. ntmsmgr.msc----移动存储管理器71. ntmsoprq.msc---移动存储管理员操作请求72. netstat -an----(TC)命令检查接口73. syncapp--------创建一个公文包74. sysedit--------系统配置编辑器75. sigverif-------文件签名验证程序76. sndrec32-------录音机77. shrpubw--------创建共享文件夹78. secpol.msc-----本地安全策略79. syskey---------系统加密,一旦加密就不能解开,保护windows xp 系统的双重密码80. services.msc---本地服务设置81. Sndvol32-------音量控制程序82. sfc.exe--------系统文件检查器83. sfc /scannow---windows文件保护84. tsshutdn-------60秒倒计时关机命令85. tourstart------xp简介(安装完成后出现的漫游xp程序)86. taskmgr--------任务管理器87. eventvwr-------事件查看器88. eudcedit-------造字程序89. explorer-------打开资源管理器90. packager-------对象包装程序91. perfmon.msc----计算机性能监测程序92. progman--------程序管理器93. regedit.exe----注册表94. rsop.msc-------组策略结果集95. regedt32-------注册表编辑器96. rononce -p ----15秒关机97. regsvr32 /u *.dll----停止dll文件运行98. regsvr32 /u zipfldr.dll------取消ZIP支持99. cmd.exe--------CMD命令提示符100. chkdsk.exe-----Chkdsk磁盘检查101. certmgr.msc----证书管理实用程序102. calc-----------启动计算器103. charmap--------启动字符映射表104. cliconfg-------SQL SERVER 客户端网络实用程序105. Clipbrd--------剪贴板查看器106. conf-----------启动netmeeting107. compmgmt.msc---计算机管理108. cleanmgr-------垃圾整理109. ciadv.msc------索引服务程序110. osk------------打开屏幕键盘111. odbcad32-------ODBC数据源管理器112. oobe/msoobe /a----检查XP是否激活113. lusrmgr.msc----本机用户和组114. logoff---------注销命令115. iexpress-------木马捆绑工具,系统自带116. Nslookup-------IP地址侦测器117. fsmgmt.msc-----共享文件夹管理器118. utilman--------辅助工具管理器。
windows常用的100个命令Windows操作系统是目前最常用的操作系统之一,它提供了丰富的命令行工具,方便用户进行各种操作和管理。
本文将介绍Windows 常用的100个命令,并对每个命令进行详细解释和应用场景说明。
1. ping命令:用于测试与指定主机之间的网络连通性。
2. ipconfig命令:显示当前网络配置信息,如IP地址、子网掩码等。
3. tracert命令:用于跟踪数据包在网络中的路径。
4. netstat命令:显示当前网络连接和监听状态。
5. nslookup命令:查询指定域名的IP地址。
6. arp命令:显示或修改本地ARP缓存表。
7. route命令:用于配置和显示IP路由表。
8. telnet命令:用于远程登录到其他主机。
9. ftp命令:用于在本地和远程主机之间传输文件。
10. net命令:管理本地计算机的用户、组、共享资源等。
11. tasklist命令:显示当前正在运行的进程列表。
12. taskkill命令:结束指定的进程。
13. shutdown命令:用于关闭或重启计算机。
14. sfc命令:扫描并修复系统文件。
15. chkdsk命令:检查并修复硬盘上的错误。
16. format命令:格式化磁盘。
17. diskpart命令:用于管理磁盘分区。
18. defrag命令:对硬盘进行碎片整理。
19. cacls命令:修改文件或文件夹的访问控制列表。
20. attrib命令:修改文件或文件夹的属性。
21. copy命令:复制文件或文件夹。
22. move命令:移动文件或文件夹。
23. rename命令:重命名文件或文件夹。
24. del命令:删除文件。
25. rmdir命令:删除空文件夹。
26. mkdir命令:创建新文件夹。
27. type命令:显示文本文件的内容。
28. find命令:在文本文件中查找指定字符串。
29. sort命令:对文本文件进行排序。
30. start命令:启动一个新的窗口来运行指定的程序或命令。
组策略—把客户端用户加入本地Power Users组中对于客户端用户都属于Domain Users 组的时候,登陆域后没有权限安装AD组策略分发下来的软件,那么我们要做的就是把Domain Users组加入到客户端本地的Power Users组中去。
1、我建了一个OU2的OU把所有的客户端计算机都放入到了这个OU里面。
在DC上新建一条组策略针对OU2这个OU的;2、编辑这条组策略,找到“计算机配置”——“Windows设置“——”安全设置“——“受限制的组”,按鼠标右键,选择”添加组“;3、输入Power Users,点击”确定“4、在Power Users属性中点击添加,弹出添加成员对话框的时候点击浏览:5、弹出选择用户或组的对话框的时候选择高级按钮。
6、接下来点击立即查找—在搜索结果中找到Domain Users 选中它—再点击确定按钮7、点击确定。
8、继续点击确定9、点击应用按钮,这样就把Domain Users组添加到Power Users组中去了。
10、添加好后如下图,可以在Power Users组中看到它的成员中有LONG这个域中的Domain Users组了。
11、接下来用gpupdate /force命令刷新组策略。
12、重新启动客户端计算机,再验证策略是否成功,看下图客户端已经成功。
这样就可以在客户端正常安装软件了。
等所有客户端软件安装完成以后,为了安全起见再把Domain Users组从客户端本地Power Users组中移除,具体步骤:找到算机配置—Windows 设置—安全设置—受限制的组—在右边选中Power Users 组—右键单击—属性—选中Domain Users组—删除接下来点击应用。
看到Power Users组的成员为空的时候,那么Domain Users组就已经从Power Users组中移除了。
再接下来就是在命令行下用gpupdate /force命令刷新组策略,重启客户端计算机,整个过程就到此结束了。
DOS来修改组策略对于Windows 2000域来说,如果你想让新修改的计算机策略立即生效的话,可以依次单击“开始”/“运行”命令,打开系统运行对话框,并在其中输入字符串命令“cmd ”,单击“确定”按钮后,将Windows系统切换到Ms-DOS工作模式下;接着在DOS命令提示符下,输入字符串命令“secedit /refreshpolicy machine_policy /enforce”,单击回车键后,新修改的安全策略将会立即生效;如果你想让新修改的用户策略立即生效的话,只要在DOS命令提示符下,执行字符串命令“secedit /refreshpolicy user_policy /enforce”就可以了。
对于Windows 2003域来说,如果你想让新修改的计算机策略立即生效的话,可以依次单击“开始”/“运行”命令,打开系统运行对话框,并在其中输入字符串命令“cmd ”,单击“确定”按钮后,将Windows系统切换到Ms-DOS工作模式下;接着在DOS命令提示符下,输入字符串命令“gpupdate /target:computer”,单击回车键后,新修改的安全策略将会立即生效;如果你想让新修改的用户策略立即生效的话,只要在DOS命令提示符下,执行字符串命令“gpupdate /target:user”就可以了。
如果你想对计算机策略和用户策略同时进行更新的话,那你可以直接执行字符串命令“gpupdate”就行了。
当然要想立即更新策略的话请用“gpupdate /force”,呵呵-273.5℃回答采纳率:19.2% 2010-03-06 16:22组策略是建立Windows安全环境的重要手段,尤其是在Windows域环境下。
一个出色的系统管理员,应该能熟练地掌握并应用组策略。
在窗口界面下访问组策略用gpedit.msc,命令行下用secedit.exe。
先看secedit命令语法:secedit /analyzesecedit /configuresecedit /exportsecedit /validatesecedit /refreshpolicy5个命令的功能分别是分析组策略、配置组策略、导出组策略、验证模板语法和更新组策略。
组策略命令全集(Group policy commands)Group policy is an important means to establish Windows security environment, especially in Windows domain environment.A good system administrator, should be able to skillfully master and apply group strategy. Access group policy at window interface with gpedit.msc, command line with secedit.exe.First look at the secedit command syntax:Secedit /analyzeSecedit /configureSecedit /exportSecedit /validateSecedit /refreshpolicyThe functions of the 5 commands are the analysis group policy, the configuration group policy, the export group policy, the validation template syntax and the update group policy. Among them, secedit /refreshpolicy is replaced by gpupdate in XP/2003. The specific syntax of these commands is checked by the command line.Unlike accessing the registry only with the reg file, the access group policy needs a secure database file (SDB) in addition to having a template file (or inf). To modify group policy, you must first import the template into the security database, and then refresh the group policy by applying the security database.Here's an example:Suppose I want to set the minimum password length to 6, and enable the password must conform to the complexity requirements, then write a template like this:[version]Signature= "$CHICAGO$""[System Access]MinimumPasswordLength = 6PasswordComplexity = 1Save as gp.inf, and then import:Secedit /configure /db gp.sdb /cfg gp.inf /quietWhen the command is finished, it will produce a gp.sdb in the current directory, which is "intermediate product", and you can delete it.The /quiet parameter indicates "quiet mode" and does not generate logs. But according to my test, the parameter doesn't seem to work at XP, and it's normal under 2000sp4. The log is always saved in%windir%\security\logs\scesrv.log. You can also specify the log yourself so you can delete it later. For example:Secedit /configure /db gp.sdb /cfg gp.inf /log gp.logDel gp.*In addition, you can also analyze whether the syntax is correct before importing the template:Secedit /validate gp.infSo, how do you know the concrete syntax? Sure, look for it in MSDN. There is also a lazy way, because the system comes with some security templates, in the%windir%\security\templates directory. Open these templates, basically contains the commonly used security settings syntax, a glance understand.For another example - close all audit policies". The event that it audits will be recorded in the event viewer's "security".Echo edition:Echo [version] >1.infEcho signature= "$CHICAGO$" >>1.infEcho [Event Audit] >>1.infEcho AuditSystemEvents=0 >>1.infEcho AuditObjectAccess=0 >>1.infEcho AuditPrivilegeUse=0 >>1.infEcho AuditPolicyChange=0 >>1.infEcho AuditAccountManage=0 >>1.infEcho AuditProcessTracking=0 >>1.infEcho AuditDSAccess=0 >>1.infEcho AuditAccountLogon=0 >>1.infEcho AuditLogonEvents=0 >>1.infSecedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quietDel 1.*Maybe someone would say: is the group policy not saved in the registry? Why not modify the registry directly? Because not all group policies are saved in the registry. For example, "audit strategy" is not. You can use regsnap to compare the changes in the registry before and after the policy. The result of my test is that nothing has changed. Only the management template, which is entirely based on the registry. Moreover, knowing the specific location, which method is not complicated.For example,XP and 2003's "local policy" - "security options" adds a "local account sharing and security model" policy. The default setting for XP is "only guests."". That's why the ipc$that connects toXP with administrator accounts still has only Guest permissions. You can modify it as classic by importing the reg file":Echo Windows Registry Editor Version 5 >1.regEcho[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] > >1.regEcho "forceguest" =dword:00000000 >>1.regRegedit /s 1.regDel 1.regAnd the corresponding use of inf should be:Echo [version] >1.infEcho signature= "$CHICAGO$" >>1.infEcho [Registry Values] >>1.infEchoMACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>1.infSecedit /configure /db 1.sdb /cfg 1.inf /log 1.logDel 1.*The problem of reading group policy under command line.The default security database for the system is locatedat%windir%\security\database\secedit.sdb and exported to the inf file:Secedit /export /cfg gp.inf /log 1.logSpecifying the database without using the /db parameter is the default. Then look at gp.inf.However, this is only part of the group strategy (that is, "Windows settings"). Moreover, if a policy is not configured, it will not be exported. For example, renaming system administrator accounts is only defined when NewAdministratorName= "XXX" appears in the inf file". Other group policies that cannot be exported are obtained only by accessing the registry.This method is invalid under XP and 2003 - can be exported, but the content is basically empty. Unknown cause. According to official data, XP and 2003 display group policies use RSoP (group policy result set). The corresponding command line tool is gpresult. However, it obtains group policies that are appended (from domain) when the system is started, and the stand-alone test results are still empty". So, if you want to know if some group policy is set, only write a inf, and then secedit /analyze, and then look at the log.network configurationWindows comes with a lot of command line tools on the network, such as you are familiar with Ping, tracert, ipconfig, Telnet, FTP, TFTP, netstat, there are not familiar with nbtstat, pathping, NSLOOKUP, finger, route, netsh......These commands can be divided into three categories: network detection (such as ping), network connections (such as telnet) and network configuration (such as Netsh). The first two are relatively simple, and this article only introduces two network configuration tools.NetshThe use of Netsh in remote shell first solves an interactive problem. As mentioned earlier, many shell can't redirect output anymore, so you can't use command line tools such as FTP interactively in this environment. The solution is that the general interactive tools allow scripts (or reply files). Such as FTP -s:filename. Netsh is the same: Netsh -f filename.Netsh commands have many functions, which can configure IAS, DHCP, RAS, WINS, NAT server, TCP/IP protocol, IPX protocol, routing and so on. We are not administrators. We don't need to know so much. We only need Netsh to understand the network configuration information of the target host.1, TCP/IP configurationEcho interface IP >sEcho show config >>sNetsh -f sDel sFrom this, you can see that the host has multiple network cards and IP, whether it is dynamically assigned IP (DHCP), and how much IP is in the network (if any).This command is similar to ipconfig /all.Notice that the following command requires the target host to start the remoteaccess service. If it is disabled,Please start by importing the registry, and thenNet start remoteaccess2, ARPEcho interface IP >sEcho show ipnet >>sNetsh -f sDel sThis is more information than the ARP -a command.3, TCP/UDP connectionEcho interface IP >sEcho show tcpconn >>sEcho show udpconn >>sNetsh -f sDel sThis command is the same as netstat -an.4, network card informationIf the Netsh command has other commands to replace, what else does it have to do? This one can't be replaced.Echo interface IP >sEcho show interface >>sNetsh -f sDel sOther functions of Netsh, such as modifying IP, are generally not necessary. (otherwise, if the IP is not connected, it is called "the sky should not be called"), so all of them are skipped.IPSecThe first thing to point out is that IPSec and TCP/IP screens are different things, so don't mix them up. The function of TCP/IP screening is very limited, far less flexible and powerful than IPSec. Here's how to control IPSec under the command line.XP system with ipseccmd, 2000 with ipsecpol. Unfortunately, none of them comes with the system. Ipseccmd in XP system installation disk SUPPORT\TOOLS\SUPPORT.CAB, ipsecpol in 2000 Resource Kit. Moreover, to use ipsecpol, you must also bring two additional files: ipsecutil.dll and text2pol.dll. Three files, a total of 119KB.IPSec can be controlled by group policy, but I've searched for MSDN, and I haven't found the syntax for the corresponding security templates. The configured IPSec policy can not be exported as a template. So, the group strategy doesn't work this way. IPSec settings are saved in the registry(HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPS ec\Policy\Local), in theory, you can configure the IPSec by modifying the registry. But a lot of information is stored in binary form, and it's hard to read and modify. By contrast, uploading command line tools is more convenient.About ipsecpol and ipseccmd, can be found online a lot, so we will not dwell on, just some practical examples.In setting the IPSec policy, the syntax of the ipseccmd command is almost exactly the same as that of ipsecpol, so only ipsecpolis used as an example:1, defending against rpc-dcom attacksIpsecpol -p myfirewall -r rpc-dcom -f *+0:135:tcp -x*+0:135:udp *+0:137:udp *+0:138:udp *+0:139:tcp *+0:445:tcp *+0:445:udp -n BLOCK -w regThis command closes the TCP135139445 and udp135137138445 ports of the local host.The specific meaning is as follows:-p myfirewall specifies the policy named myfirewall-r rpc-dcom specifies the rule named rpc-dcom-f...... Create 7 filters. * represents any address (source);0 denotes the local address (target); + denotes mirror (bidirectional) filtering. See ipsecpol - syntax in detail-n BLOCK specifies that the filter operation is "blocking"". Notice that BLOCK must be capitalized.-w reg writes the configuration to the registry and is valid after restarting.-x immediately activates this strategy.2, prevent being PingIpsecpol -p myfirewall -r antiping -f *+0:: ICMP -n BLOCK -w reg -xIf the policy named myfirewall already exists, then the antiping rule is added to it.Notice that the rule also prevents the host from Ping others.3, IP restrictions on the back doorSuppose you installed DameWare Mini Remote Control on a host computer. In order to protect it from breaking passwords or overflows, access to its service port 6129 should be limited.Ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w regipsecpol P myfw R dwmrc_pass_me F 123.45.67.89 + 0:6129:TCP N通关于X这样就只有123.45.67.89可以访问该主机的6129端口了。
