Microsoft Visual Basic Scripting Edition brings active scripting to a wide variety of environments, including Web client scripting in Microsoft Internet Explorer and Web server scripting in Microsoft Internet Information Service
If you already know Visual Basic or Visual Basic for Applications (VBA), VBScript will be very familiar. The basic concepts of VBScript are common to most programming languages.
VBScript talks to host applications using Windows Script. With Windows Script, browsers and other host applications do not require special integration code for each scripting component. Windows Script enables a host to compile scripts, obtain and call entry points, and manage the namespace available to the developer. With Windows Script, language vendors can create standard language run times for scripting. Microsoft will provide run-time support for VBScript. Microsoft is working with various Internet groups to define the Windows Script standard so that scripting engines can be interchangeable. Windows Script is used in Microsoft Internet Explorer and in Microsoft Internet Information Service.
As a developer, you can license VBScript source implementation at no charge for use in your products. Microsoft provides binary implementations of VBScript for the 32-bit Windows API, the 16-bit Windows API, and the Macintosh. VBScript is integrated with World Wide Web browsers. VBScript and Windows Script can also be used as a general scripting language in other applications.
The following sections explain how to use Visual Basic Scripting Edition (VBScript) and provide details about its language elements.
Essentially I needed to set all fail auditing attributes (Access Mask: 983551, AceType: 2 AceFlags: 131) to the "Everyone" group on a large number of files and folders on a lot of machines at our facility in order to meet DSS/NISPOM requirements. This saves a HUGE amount of time over clicking. I had to learn about SD's and how the DACL and SACL are just arrays of ACE objects. Then I had to figure out how to make a new ACE then get it added to an array object and set the SACL to that object. It seems that there are not a lot of examples of SACL and it wasn't until I figured out that DACL and SACL, while used for different purposes, are essentially the same thing that everything started to make sense.I'm sure it is pretty trivial to a lot of you more experienced folks but it was quite a challenge getting this to work starting from scratch. I had a bit of help all over the web on various pieces and I wanted to share my results. Later I may set it up to be a bit more robust but for now this does what I need it to do.
' WMI File/Folder Auditing
'
' Author: John T. Bates
' 2012-5-3
'
' Purpose:
' Comply with DSS NISPOM requirements for auditing on specific files and folders
'
' Notes:
' Essentially all File/Folder permissions including auditing are controlled via a Security Descriptor (SD)
' This script deals exclusively with setting auditing and is controlled by the System Access Control List (SACL)
' within the SD. It is important to understand that the SACL is an array of Access Control Entry (ACE) objects.
'
' The ACE
' This is the object that actually contains the information we need to either change or create if it doesn't
' already exist. Review link 2 for the format of the ACE. In our case we want to set the SACL to audit all
' possible audit failures. So the properties we need are as follows.
' AccessMask set to 983551 which is the sum total of all the AccessMask properties.
' AceFlags set to 131 derrived from 128 (FAILED_ACCESS_ACE_FLAG) + 2 (CONTAINER_INHERIT_ACE) + 1 (OBJECT_INHERIT_ACE) = 131
' AceType is set to 2 for AUDIT
' GuidInheritedObjectType - ignored for this script
' GuidObjectType - ignored for this script
' Trustee is an object of type Win32_Trustee and must be created prior to creating a new ACE
'
' The Trustee
' The Trustee object simply holds the identity of the user/group we are applying the ACE too. To create a Trustee
' object you must have both the binary SID and the String version of the SID for the desired user/group. In
' this case we want the "Everyone" group.' Links:
' 1) Security Descriptor Class Definition: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394402(v=vs.85).aspx
' 2) Access Control Entry Class Definition: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394063(v=vs.85).aspx
' 3) Trustee Class Definition: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394501(v=vs.85).aspx
' 4) Creating a new SACL: http://www.tech-archive.net/Archive/Scripting/microsoft.public.scripting.vbscript/2004-03/1636.html '-----------------------------------------------------------------------------------
'SECTION 1 : CREATE RESULTS TXT FILE
'------------------------------------------------------------------------------------
'Get Windows Directory
set shell = WScript.CreateObject("WScript.Shell")
windowsdir = shell.ExpandEnvironmentStrings("%windir%")
set shell = Nothing'Get path to desktop
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.folderExists(Path & "C:\IA") then
Path ="C:\IA"
else
Path ="C:\temp"
end if If objFSO.fileExists(Path & "\setAuditLog.txt") then
objFSO.DeleteFile(Path & "\setAuditLog.txt")
End if
'Create text file
Const ForWriting = 2
Set fso = CreateObject("Scripting.FileSystemObject")Set objFSO = CreateObject("Scripting.FileSystemObject") checklistname = "setAuditLog.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.CreateTextFile(Path & "\" & checklistname, True) ts.writeline "- Folders -------------------------------------------------------------------------"setAudit (windowsdir &"\Registration\CRMLog")
setAudit ("c:\program files\Common Files\Symantec Shared")
setAudit ("c:\program files\SAV")
setAudit ("c:\program files\Symantec AntiVirus")
setAudit ("c:\program files\Symantec")
setAudit (windowsdir &"\repair")
setAudit (windowsdir &"\system32\config")
setAudit ("c:\ia")
setAudit ("c:\eventlogs")
setAudit ("c:\scripting\testfolder")
ts.writeline " "
ts.writeline "- EXEs ---------------------------------------------------------------------------"
'EXE Files
setAudit (windowsdir &"\system32\arp.exe")
setAudit (windowsdir &"\system32\at.exe")
setAudit (windowsdir &"\system32\attrib.exe")
setAudit (windowsdir &"\system32\cacls.exe")
setAudit (windowsdir &"\system32\debug.exe")
setAudit (windowsdir &"\system32\edlin.exe")
setAudit (windowsdir &"\system32\eventcreate.exe")
setAudit (windowsdir &"\system32\eventtriggers.exe")
setAudit (windowsdir &"\system32\ftp.exe")
setAudit (windowsdir &"\system32\nbtstat.exe")
setAudit (windowsdir &"\system32\net.exe")
setAudit (windowsdir &"\system32\net1.exe")
setAudit (windowsdir &"\system32\netsh.exe")
setAudit (windowsdir &"\system32\netstat.exe")
setAudit (windowsdir &"\system32\nslookup.exe")
setAudit (windowsdir &"\system32\ntbackup.exe")
setAudit (windowsdir &"\system32\rcp.exe")
setAudit (windowsdir &"\system32\reg.exe")
setAudit (windowsdir &"\system32\regedit.exe")
setAudit (windowsdir &"\system32\regedt32.exe")
setAudit (windowsdir &"\system32\regini.exe")
setAudit (windowsdir &"\system32\regsvr32.exe")
setAudit (windowsdir &"\system32\rexec.exe")
setAudit (windowsdir &"\system32\route.exe")
setAudit (windowsdir &"\system32\rsh.exe")
setAudit (windowsdir &"\system32\sc.exe")
setAudit (windowsdir &"\system32\secedit.exe")
setAudit (windowsdir &"\system32\subst.exe")
setAudit (windowsdir &"\system32\systeminfo.exe")
setAudit (windowsdir &"\system32\telnet.exe")
setAudit (windowsdir &"\system32\tftp.exe")
setAudit (windowsdir &"\system32\tlntsvr.exe")
setAudit (windowsdir &"\setupapi.log")
ts.writeline " "
ts.writeline "- DLLs ---------------------------------------------------------------------------"
'DLL Files
setAudit (windowsdir &"\system32\activeds.dll")
setAudit (windowsdir &"\system32\adsldpc.dll")
setAudit (windowsdir &"\system32\advapi32.dll")
setAudit (windowsdir &"\system32\advpack.dll")
setAudit (windowsdir &"\system32\apphelp.dll")
setAudit (windowsdir &"\system32\atl.dll")
setAudit (windowsdir &"\system32\authz.dll")
setAudit (windowsdir &"\system32\bootvid.dll")
setAudit (windowsdir &"\system32\browseui.dll")
setAudit (windowsdir &"\system32\cabinet.dll")
setAudit (windowsdir &"\system32\cdfview.dll")
setAudit (windowsdir &"\system32\certcli.dll")
setAudit (windowsdir &"\system32\cfgmgr32.dll")
setAudit (windowsdir &"\system32\clusapi.dll")
setAudit (windowsdir &"\system32\comctl32.dll")
setAudit (windowsdir &"\system32\comdlg32.dll")
setAudit (windowsdir &"\system32\comres.dll")
setAudit (windowsdir &"\system32\credui.dll")
setAudit (windowsdir &"\system32\crypt32.dll")
setAudit (windowsdir &"\system32\cryptdll.dll")
setAudit (windowsdir &"\system32\cryptui.dll")
setAudit (windowsdir &"\system32\cscdll.dll")
setAudit (windowsdir &"\system32\dbghelp.dll")
setAudit (windowsdir &"\system32\devmgr.dll")
setAudit (windowsdir &"\system32\dhcpcsvc.dll")
setAudit (windowsdir &"\system32\dnsapi.dll")
setAudit (windowsdir &"\system32\drivers\ksecdd.sys")
setAudit (windowsdir &"\system32\DRIVERS\ntfs.sys")
setAudit (windowsdir &"\system32\duser.dll")
setAudit (windowsdir &"\system32\efsadu.dll")
setAudit (windowsdir &"\system32\esent.dll")
setAudit (windowsdir &"\system32\eventlog.dll")
setAudit (windowsdir &"\system32\gdi32.dll")
setAudit (windowsdir &"\system32\hal.dll")
setAudit (windowsdir &"\system32\imagehlp.dll")
setAudit (windowsdir &"\system32\imm32.dll")
setAudit (windowsdir &"\system32\inetcomm.dll")
setAudit (windowsdir &"\system32\iphlpapi.dll")
setAudit (windowsdir &"\system32\kerberos.dll")
setAudit (windowsdir &"\system32\kernel32.dll")
setAudit (windowsdir &"\system32\linkinfo.dll")
setAudit (windowsdir &"\system32\loadperf.dll")
setAudit (windowsdir &"\system32\lsasrv.dll")
setAudit (windowsdir &"\system32\lsass.exe")
setAudit (windowsdir &"\system32\lz32.dll")
setAudit (windowsdir &"\system32\mfc42u.dll")
setAudit (windowsdir &"\system32\mlang.dll")
setAudit (windowsdir &"\system32\mobsync.dll")
setAudit (windowsdir &"\system32\mpr.dll")
setAudit (windowsdir &"\system32\mprapi.dll")
setAudit (windowsdir &"\system32\mprui.dll")
setAudit (windowsdir &"\system32\msgina.dll")
setAudit (windowsdir &"\system32\mshtml.dll")
setAudit (windowsdir &"\system32\msi.dll")
setAudit (windowsdir &"\system32\msimg32.dll")
setAudit (windowsdir &"\system32\msoert2.dll")
setAudit (windowsdir &"\system32\msrating.dll")
setAudit (windowsdir &"\system32\mssign32.dll")
setAudit (windowsdir &"\system32\msv1_0.dll")
setAudit (windowsdir &"\system32\msvbvm60.dll")
setAudit (windowsdir &"\system32\msvcp60.dll")
setAudit (windowsdir &"\system32\msvcrt.dll")
setAudit (windowsdir &"\system32\mswsock.dll")
setAudit (windowsdir &"\system32\nddeapi.dll")
setAudit (windowsdir &"\system32\netapi32.dll")
setAudit (windowsdir &"\system32\netcfgx.dll")
setAudit (windowsdir &"\system32\netman.dll")
setAudit (windowsdir &"\system32\netplwiz.dll")
setAudit (windowsdir &"\system32\netrap.dll")
setAudit (windowsdir &"\system32\netshell.dll")
setAudit (windowsdir &"\system32\netui0.dll")
setAudit (windowsdir &"\system32\netui1.dll")
setAudit (windowsdir &"\system32\netui2.dll")
setAudit (windowsdir &"\system32\ntdll.dll")
setAudit (windowsdir &"\system32\ntdsapi.dll")
setAudit (windowsdir &"\system32\ntlanman.dll")
setAudit (windowsdir &"\system32\ntoskrnl.exe")
setAudit (windowsdir &"\system32\odbc32.dll")
setAudit (windowsdir &"\system32\ole32.dll")
setAudit (windowsdir &"\system32\oleacc.dll")
setAudit (windowsdir &"\system32\oleaut32.dll")
setAudit (windowsdir &"\system32\oledlg.dll")
setAudit (windowsdir &"\system32\olepro32.dll")
setAudit (windowsdir &"\system32\pautoenr.dll")
setAudit (windowsdir &"\system32\powrprof.dll")
setAudit (windowsdir &"\system32\printui.dll")
setAudit (windowsdir &"\system32\psapi.dll")
setAudit (windowsdir &"\system32\query.dll")
setAudit (windowsdir &"\system32\rasapi32.dll")
setAudit (windowsdir &"\system32\rasdlg.dll")
setAudit (windowsdir &"\system32\rasman.dll")
setAudit (windowsdir &"\system32\regapi.dll")
setAudit (windowsdir &"\system32\rpcrt4.dll")
setAudit (windowsdir &"\system32\rtutils.dll")
setAudit (windowsdir &"\system32\samlib.dll")
setAudit (windowsdir &"\system32\samsrv.dll")
setAudit (windowsdir &"\system32\scecli.dll")
setAudit (windowsdir &"\system32\secur32.dll")
setAudit (windowsdir &"\system32\security.dll")
setAudit (windowsdir &"\system32\setupapi.dll")
setAudit (windowsdir &"\system32\sfc.dll")
setAudit (windowsdir &"\system32\sfcfiles.dll")
setAudit (windowsdir &"\system32\shdocvw.dll")
setAudit (windowsdir &"\system32\shlwapi.dll")
setAudit (windowsdir &"\system32\shsvcs.dll")
setAudit (windowsdir &"\system32\tapi32.dll")
setAudit (windowsdir &"\system32\urlmon.dll")
setAudit (windowsdir &"\system32\user32.dll")
setAudit (windowsdir &"\system32\userenv.dll")
setAudit (windowsdir &"\system32\utildll.dll")
setAudit (windowsdir &"\system32\uxtheme.dll")
setAudit (windowsdir &"\system32\version.dll")
setAudit (windowsdir &"\system32\w32topl.dll")
setAudit (windowsdir &"\system32\wininet.dll")
setAudit (windowsdir &"\system32\winipsec.dll")
setAudit (windowsdir &"\system32\winlogon.exe")
setAudit (windowsdir &"\system32\winmm.dll")
setAudit (windowsdir &"\system32\winscard.dll")
setAudit (windowsdir &"\system32\winspool.drv")
setAudit (windowsdir &"\system32\winsta.dll")
setAudit (windowsdir &"\system32\wintrust.dll")
setAudit (windowsdir &"\system32\wldap32.dll")
setAudit (windowsdir &"\system32\wmi.dll")
setAudit (windowsdir &"\system32\ws2_32.dll")
setAudit (windowsdir &"\system32\ws2help.dll")
setAudit (windowsdir &"\system32\wsock32.dll")
setAudit (windowsdir &"\system32\wtsapi32.dll")
setAudit (windowsdir &"\system32\wzcdlg.dll")
setAudit (windowsdir &"\system32\wzcsapi.dll")
setAudit (windowsdir &"\system32\wzcsvc.dll")
setAudit (windowsdir &"\system32\kdcom.dll")Sub setAudit (name)'------------------------------------------------------------------------------------------
'Create WMI Service object with privleges to get SD for the File/Folder object we want to process
'------------------------------------------------------------------------------------------
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
'------------------------------------------------------------------------------------------
'Verify the object exists then use the WMI Service object get the SD for the File/Folder
'object we want to process
'------------------------------------------------------------------------------------------
if instr(name, ".dll") or instr(name, ".exe") or instr(name, ".sys") then
If objFSO.FileExists (name) then
else
exit sub
end if
else
If objFSO.FolderExists (name) then
else
exit sub
end if
end if
Set objFile = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & name & "'")ts.writeline "Processing : " & name'------------------------------------------------------------------------------------------
'(1) Create the SACL we want to apply
'------------------------------------------------------------------------------------------
'(1A) Get the SID of the user or group account.
'Create a WMI object on the local computer (Assuming the local computer is in the
'same domain (or in a trusted domain) as the one specified
'------------------------------------------------------------------------------------------
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
'Get the User and Group objects by WMI Query
Set colUsers = objWMI.ExecQuery("SELECT * FROM WIN32_ACCOUNT")
'The collection should only have one user in it. Loop through the one user collection
'and create a user object
For Each UserName in colUsers
if Username.Name = "EVERYONE" or Username.Name = "Everyone" or Username.Name = "everyone" then
Set objUserName = UserName
else
end if
Next
'Next, we need both the binary and string representation of the user's SID to create a new
'Win32_Trustee. objUser.SID only returns the string version. Create a Win32_SID object by
'referencing the objUser's SID
Set objSID = objWMI.Get("Win32_SID.SID='" & objUserName.SID & "'")
'------------------------------------------------------------------------------------------
'(1B) Create a new blank Win32_Trustee object, and set it's properties
'------------------------------------------------------------------------------------------'Create a new blank Win32_Trustee object
Set objTrusteeClass = objWMI.Get("Win32_Trustee")
Set objTrustee = objTrusteeClass.SpawnInstance_()
'Set the properties
objTrustee.Domain = objSID.ReferencedDomainName
objTrustee.Name = objSID.AccountName
objTrustee.SID = objSID.BinaryRepresentation
objTrustee.SidLength = objSID.SidLength
objTrustee.SIDString = objSID.SID
SID = objTrustee.SID
strsid = join(SID, ",")
'------------------------------------------------------------------------------------------
'(1C) Create a new blank Win32_ACE object, and set it's properties to the
'appropriate values. The Trustee property should point to the newly created
'Win32_Trustee
'------------------------------------------------------------------------------------------'Create a new blank Win32_ACE object
Set objACEClass = objWMI.Get("Win32_ACE")
Set objACE = objACEClass.SpawnInstance_()
'Set the properties
objACE.AccessMask = 983551
objACE.Trustee = objTrustee
objACE.AceType = 2 'Could be 0 or 1 or 2
objACE.AceFlags = 131
'------------------------------------------------------------------------------------------
'(2) Set the new ACE in place. The SACL property of a Security Descriptor is
'an array of Win32_ACE objects. So we need to take the ACE we just created and
'place it in an Array and then set the SACL equal to that array.
'------------------------------------------------------------------------------------------'For some reason you have to assign the return value of the function GetSecurityDescriptor
'or SetSecurityDescriptor as you cannot just do something like:
' objFile.GetSecurityDescriptor(objSD)
'which will not actually run the function and return the SD to objSD JunkVariable = objFile.GetSecurityDescriptor(objSD) Set objDictionary = CreateObject("Scripting.Dictionary")
objDictionary.Add "Empty Key", objACE
objSD.SACL = objDictionary.Items 'Make sure to set the Control Flags of the SD to include 16 (0x10) = SE_SACL_PRESENT so that
'when we add the SACL the system is aware of that and processes it. Unfortunately we cannot
'just add 16 to the decimal representation - if the flag was already set and we add 16 it would
'effectively set the 32 (0x20) SE_SACL_DEFAULTED which would tell the system to apply default SACL
'See Link 1 for more details and full explanation of flags changed = FALSE
changeFlags = setSESACLPRESENT(objSD.ControlFlags, changed) if changed then
'ts.writeline name & " ControlFlags " & objSD.ControlFlags & " Changed to " & changeFlags
objSD.ControlFlags = changeFlags
end if
JunkVariable = objFile.SetSecurityDescriptor(objSD)end sub '------------------------------------------------------------------------------------------
dim objNotes
set objNotes = CreateObject("Shell.Application")
fpath = path & "\setAuditLog.txt"
If MsgBox("Would you like to open the report?", vbYesNo) = vbYes then
objNotes.Open(fpath)
end if
'------------------------------------------------------------------------------------------
'------------------------------------------------------------------------------------------
Function setSESACLPRESENT(ByVal flags, ByRef changed)
'------------------------------------------------------------------------------------------
Dim testArray()
count = DecToBinStringArray(flags, testArray)
returnedStr = ""
'for each item in testArray
' returnedStr = item & returnedStr
'next
'wscript.echo returnedStr & " RETURNED"
'Position 4 is the one we want to set for the SE_SCAL_PRESENT control flag in the SD
if testArray(4) = 0 then
testArray(4) = 1
changed = TRUE
end if'rebuild a string to set the ControlFlags too
'convention leftmost position is least significant
'i.e. "0" position is 2^0 and "1" position is 2^1
setControlFlags = 0
count = count-1
for each item in testArray
if testArray(count)=1 then
value = 2^count
setControlFlags = value + setControlFlags
end if
count = count - 1
next setSESACLPRESENT=setControlFlags
end function
'------------------------------------------------------------------------------------------
'------------------------------------------------------------------------------------------
Function DecToBinStringArray(ByVal flags, ByRef arr)
'------------------------------------------------------------------------------------------
'
'Accepts two inputs:
'flags ByVal - the decimal representation of SD.ControlFlags
'arr ByRef - the array we want populated with the binary representation'We have to loop twice so setup second loop variables
dim flags2
flags2 = flags'Loop once to get the length of the resulting binary number
st = ""
Do While flags > 0
If flags Mod 2 > 0 Then
st = "1" & st
Else
st = "0" & st
End If flags = Int(flags / 2)
Loop
'With the length we know how long to redim the array of strings
'NOTE: the binary string is reversed so it is easier to index
'i.e. the "0" position is 2^0 and the "1" position is 2^1 etc
'instead of the traditional leftmost bit being most significant intLen = Len(st)-1
redim arr(intLen)
index=0 Do While flags2 > 0
If flags2 Mod 2 > 0 Then
arr(index) = "1"
index = index+1
Else
arr(index) = "0"
index = index+1
End If
flags2 = Int(flags2 / 2)
Loop
retVal = Len(st)
DecToBinStringArray=RetVal 'ReturnEnd Function
'------------------------------------------------------------------------------------------