Microsoft KB Archive/264178

= Description of the Windows 2000 Resource Kit Security Tools =

Article ID: 264178

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q264178





SUMMARY
The Microsoft Windows 2000 Resource Kit contains a set of tools designed to give administrators the ability to modify or enhance the security in Windows 2000. These tools include:
 * Dsstore.exe
 * Efsinfo.exe
 * System Scanner



Dsstore.exe: Directory Services Store
This tool assists in managing corporate public key integration. It includes functionality that is necessary for several deployment scenarios. You can use Dsstore to:
 * List information about a given computer's certificates.
 * List information about computer's objects on the domain.
 * List information about Certificate Authorities in the organization.
 * Add, remove, and display certificates from the directory services enterprise root store.
 * Add and remove certificate revocation lists (CRLs) from directory services.
 * Validate certificates from directory services public key infrastructure (PKI) locations.
 * Pulse &quot;autoenrollment&quot; events to speed up various PKI processes.
 * Add non-Windows 2000 Certificate Authorities or offline Certificate Authorities to the corporate PKI.
 * Manage enterprise roots in directory services.
 * Verify computer automatic enrollment and domain controller certificates from the Kerberos Key Distribution Center (KDC).
 * Check on the status and validity of domain controller certificates.
 * Check on the validity of smart card certificates.

File Required
Dsstore.exe

Dsstore Syntax
dsstore  [-del] [-display] [-addcrl crl_   ] [-addroot crl_  ] [-?]

Where:
 *   is the distinguished name of the target domain. You must specify this as the first parameter. For example, dsstore DC=dev,DC=microsoft,DC=com.
 * -del presents a list of roots, from which you can choose one for deletion.
 * -display displays enterprise roots.
 * -addcrl crl_   adds a certificate revocation list (.crl) file, a Certificate Authority name, and a computer name.
 * -addroot crl_  adds a certificate revocation list (.crl) file and a Certificate Authority name.
 * -? displays a syntax screen at the command prompt.

Efsinfo.exe: Encrypting File System Information
This command-line tool displays information about files and folders encrypted with Encrypting File System (EFS) on partitions that use the NTFS file system.

EFS is a feature of Windows 2000 that you can use to encrypt and decrypt files. This helps users keep files safe from others who might gain unauthorized physical access to their sensitive data (for example, by stealing a laptop computer or external disk drive).

In EFS, users work with encrypted files and folders just as they do with any other files or folders: encryption is transparent. If the EFS user is the same person who encrypted the file or folder, Windows 2000 decrypts the file or folder when the user accesses it later. Unauthorized users are prevented from accessing any encrypted files or folders.

You can also encrypt or decrypt a file or folder with the command-line tool cipher, which is included with Windows 2000.

Efsinfo Syntax
efsinfo [/u] [/r] [/c] [/i] [/y] [/s: ] [ [...]] [/?]

Where:
 * /u displays encryption information about the files and folders in the current folder. This is the default option. Running Efsinfo without switches produces the same output.
 * /r displays Recovery agent information.
 * /c displays certificate thumbnail information.
 * /i continues performing the specified operation even after errors have occurred. By default, Efsinfo stops when an error is encountered.
 * /y displays the current EFS certificate thumbnail on the local computer. The files specified might not be on this computer. If no items are returned, there are no encrypted files on the computer.
 * /s:  performs the specified operation on folders in the given folder and all subfolders.
 *  [...] specifies the path of one or more files or folders for which to display encryption information.
 * /? displays command-line Help.

Efsinfo Example
This example displays the current EFS certificate:

efsinfo /y

Your current EFS certificate thumbnail information on the computer named  is:

BAAF 99CB 2B76 C49C E49C 6B17 C404 1030 E6BD BF3D

NOTE: This command returns no information if no encrypted files or folders have been created on the computer.

File Required
Efsinfo.exe

System Scanner
System Scanner for Windows is a security-assessment solution for Windows 2000, Microsoft Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98. It performs nearly 300 vulnerability checks, including:
 * Extensive system baseline capabilities, including file, registry, and user checks.
 * Browser-specific vulnerabilities.
 * Comprehensive Microsoft Internet Information Services and Microsoft Personal Web Server checks.
 * Checks for the presence of well-known TCP/IP-based services.
 * NetBIOS checks.
 * Java vulnerabilities.
 * Microsoft Office vulnerabilities.
 * Windows 95 Policy Editor configuration problems.
 * Susceptibility to denial-of-service attacks.
 * Configuration of virus scanners.
 * Registry security checks.
 * User policy configuration checks.
 * Remote access checks and modem checks.

You can use System Scanner to define your own policies, as well as to schedule scans at specified times. Easy-to-use HTML reports provide detailed descriptions of vulnerabilities detected on your computer and information necessary to correct them.

Installing System Scanner
System Scanner is not installed during Windows 2000 Resource Kit installation. To install it:
 * 1) Insert the Windows 2000 Resource Kit companion CD-ROM in the CD-ROM drive
 * 2) When the Setup screen appears, click Explore the CD.
 * 3) In the  :\Apps\Systemscanner folder, double-click Sysscansetup.exe.
 * 4) Follow the directions that on the screen.

Files Required
System Scanner is a separate tool that is not installed by the Windows 2000 Resource Kit installation program. The required files are located in the :\Apps\Systemscanner folder on your Windows 2000 Resource Kit companion CD-ROM. For more information, see the System Scanner Help file. After you install System Scanner, click Start, point to Programs, point to ISS, and then click System Scanner Help.

Additional query words: pki kdc tgt efs

Keywords: kbcertservices kbinfo kbkerberos kbppkey kbschema KB264178

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.