Windows
How do I export IPsec rules from the LOCAL group policy?
I have several Server 2008 R2 domain controllers with IPsec configured under their local group policy. These entries do not exist in the Windows Firewall or network GPOs. The policies are old and convoluted, and they are blocking us from adding new DCs.
I am looking to export/dump the rules so that I can simplify and test them in a separate environment. My preferred solution is CMD/PowerShell.
Whether it is in the local or the group policy, once it has been imported the server sees it in its local store. Since this is Server 2008 R2 with PoSH v2, we are limited to the netsh command, but I wrapped the output in PowerShell to produce objects that can be exported for analysis on a remote machine.

```powershell
$OutFile = "$env:temp\IPsecRules.csv"
$objects = @()
netsh ipsec static show filterlist all level=verbose | Select-String ':' | ForEach-Object {
    # Split on the first colon only, so values that themselves contain colons
    # (the 'Last Modified' timestamp, IPv6 addresses) are not truncated
    $split = $_.Line.Split(':', 2)
    $name  = $split[0].Trim()
    $value = $split[1].Trim()
    switch ($name) {
        'Description'            {${Description} = $value}
        'Store'                  {${Store} = $value}
        'Last Modified'          {${Last Modified} = $value}
        'GUID'                   {${GUID} = $value}
        'No. of Filters'         {${No. of Filters} = $value}
        'Mirrored'               {${Mirrored} = $value}
        'Source IP Address'      {${Source IP Address} = $value}
        'Source Mask'            {${Source Mask} = $value}
        'Source DNS Name'        {${Source DNS Name} = $value}
        'Destination IP Address' {${Destination IP Address} = $value}
        'Destination Mask'       {${Destination Mask} = $value}
        'Destination DNS Name'   {${Destination DNS Name} = $value}
        'Protocol'               {${Protocol} = $value}
        'Source Port'            {${Source Port} = $value}
        'Destination Port'       {${Destination Port} = $value}
        #'FilterList Name'       {${FilterList Name} = $value}
    }
    # 'Destination Port' is the last field netsh prints for a filter,
    # so seeing it means one complete filter has been read
    If (${Destination Port}) {
        $object = New-Object psobject -Property @{
            'Description'            = ${Description}
            'Store'                  = ${Store}
            'Last Modified'          = ${Last Modified}
            'GUID'                   = ${GUID}
            'No. of Filters'         = ${No. of Filters}
            'Mirrored'               = ${Mirrored}
            'Source IP Address'      = ${Source IP Address}
            'Source Mask'            = ${Source Mask}
            'Source DNS Name'        = ${Source DNS Name}
            'Destination IP Address' = ${Destination IP Address}
            'Destination Mask'       = ${Destination Mask}
            'Destination DNS Name'   = ${Destination DNS Name}
            'Protocol'               = ${Protocol}
            'Source Port'            = ${Source Port}
            'Destination Port'       = ${Destination Port}
            #'FilterList Name'       = ${FilterList Name}
        }
        $objects += $object
        ${Destination Port} = ""
    }
}
$objects | Export-Csv -Path $OutFile -NoTypeInformation -Force
```
Edit: rewrote the script to provide more information. Only the verbose filter list query is needed.
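The answer's script is one instance of a more general pattern: `netsh ipsec static show ...` prints `Name : Value` lines, and a record is complete once its last field has been seen. The function below is an added example, not the answer's code or anything from Microsoft, that makes the record-ending key and the list-level header keys parameters, so the same parser can be pointed at `show filterlist`, `show filteraction` or `show policy` output. It also splits on the first colon only (a `Split(':')[1]` would cut the `Last Modified` timestamp at its first colon) and fixes the CSV column order, which Windows PowerShell 2.0 hashtables do not preserve. It assumes, as the answer's script does, that netsh prints one pair per line and prints the list-level fields once before that list's filters; the sample text at the bottom is constructed in that layout so the function can be tried offline.

```powershell
# Added example, not the original answer's script. Assumes netsh prints one
# "Name : Value" pair per line and list-level fields once before each list's
# filters (the layout the answer's script relies on); not confirmed on the page.
function ConvertFrom-NetshIpsec {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$InputLine,
        # The key that closes one record: the last field netsh prints per filter.
        [string]$RecordEndKey = 'Destination Port',
        # Keys that belong to the list, not to one filter. They persist across
        # records; every other key is cleared after a record is emitted, so a
        # later filter cannot inherit a stale value from the previous one.
        [string[]]$HeaderKey = @('FilterList Name', 'Description', 'Store',
                                 'Last Modified', 'GUID', 'No. of Filters'),
        # Output column order. PowerShell 2.0 hashtables are unordered, so
        # New-Object -Property alone gives the CSV an arbitrary column order.
        [string[]]$Column = @('FilterList Name', 'Description', 'Store', 'Last Modified',
            'GUID', 'No. of Filters', 'Mirrored', 'Source IP Address', 'Source Mask',
            'Source DNS Name', 'Destination IP Address', 'Destination Mask',
            'Destination DNS Name', 'Protocol', 'Source Port', 'Destination Port')
    )
    begin { $fields = @{} }
    process {
        foreach ($line in $InputLine) {
            # Split on the first colon only: timestamps and IPv6 addresses
            # contain colons of their own.
            $idx = $line.IndexOf(':')
            if ($idx -lt 0) { continue }              # headings such as 'Filter(s)'
            $name  = $line.Substring(0, $idx).Trim()
            $value = $line.Substring($idx + 1).Trim()
            $fields[$name] = $value
            if ($name -eq $RecordEndKey) {
                $record = New-Object psobject
                foreach ($c in $Column) {
                    $record | Add-Member -MemberType NoteProperty -Name $c -Value $fields[$c]
                }
                $record
                foreach ($k in @($fields.Keys)) {
                    if ($HeaderKey -notcontains $k) { $fields.Remove($k) }
                }
            }
        }
    }
}

# On a DC, the same query the answer uses:
#   netsh ipsec static show filterlist all level=verbose |
#       ConvertFrom-NetshIpsec | Export-Csv "$env:temp\IPsecRules.csv" -NoTypeInformation

# Offline check against constructed sample text (not real netsh output).
$sample = @'
FilterList Name           : Constructed sample list
Description               : NONE
Store                     : Local Store <Active>
Last Modified             : 1/2/2012 10:42:17 AM
GUID                      : {11111111-2222-3333-4444-555555555555}
No. of Filters            : 2
Filter(s)
  Mirrored                : YES
  Source IP Address       : Any IP Address
  Source Mask             : 255.255.255.255
  Destination IP Address  : 192.0.2.10
  Destination Mask        : 255.255.255.255
  Protocol                : TCP
  Source Port             : ANY
  Destination Port        : 135

  Mirrored                : YES
  Source IP Address       : Any IP Address
  Source Mask             : 255.255.255.255
  Destination IP Address  : 192.0.2.10
  Destination Mask        : 255.255.255.255
  Protocol                : TCP
  Source Port             : ANY
  Destination Port        : 389
'@
$rules = $sample -split "`r?`n" | ConvertFrom-NetshIpsec
$rules | Format-Table 'FilterList Name', 'Last Modified', Protocol, 'Destination Port' -AutoSize
```

Run against the sample, the function yields one object per filter, each carrying the list name and the complete `Last Modified` value, with the columns in the order given by `-Column`, so a CSV from one DC can be compared field by field with a CSV from another before the policies are rebuilt in the test environment.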