错误二：
[Microsoft][ODBC SQL Server Driver][SQL Server]未将服务器 'anywolfs.com' 配置为用于 DATA ACCESS。

错误三：
[Microsoft][ODBC SQL Server Driver][SQL Server]此游标不包括正在修改的表，或该表不能通过此游标更新。

 在asp中如果我使用rs.add和rs.update来添加数据就会报错误三，如果我使用insert into,就不会发生任何错误。在网上搜索半天，发现解决方法挺好用，方法如下：

解决：

如果是直接更换的服务器，那么主机名更换了，以前存在数据库的主机名也需要删除。进入SQL2005查询器
执行：
 
EXEC select @@servername
EXEC sp_dropserver @@servername
EXEC sp_addserver [new_name], local

第一行是查出老的实例名
第二行是删除老的实例名
第三行是 ‘new_name’ 是新的实例名，也就是当前计算机名，在重启一下sql2005服务，

执行完这一步，这时候如果asp会报错：

Microsoft OLE DB Provider for ODBC Drivers 错误 '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]未将服务器 'anywolfs.com' 配置为用于 DATA ACCESS。 
 
需要设置模式，执行：
EXEC sp_serveroption 'anywolfs.com', 'data access', 'true'

这时如果asp遇到：

[Microsoft][ODBC SQL Server Driver][SQL Server]此游标不包括正在修改的表，或该表不能通过此游标更新。

则需要再重启sql2005，

重启后还是没有解决问题，那么可以使用sp_helpserver 查看有多少实例名，然后统统都给他删掉（sp_dropserver @@服务器名    来删除所有服务器），在执行 sp_addserver 等其他操作。或者重新运行一下上面的命令，重新做一遍，重启sql2005解决不了问题可以重启服务器看看。

我的就是重启服务器就解决

要安装 URLScan，请访问下面的 Microsoft Developer Network (MSDN) 网站：

有关其他信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：

修改 URLScan.ini 文件

URLScan 的所有配置都是通过 URLScan.ini 文件执行的，此文件位于 %WINDIR%\System32\Inetsrv\URLscan 文件夹中。要配置 URLScan，请在文本编辑器（如记事本）中打开此文件，进行相应的更改，然后保存此文件。

注意：要使更改生效，必须重新启动 Internet 信息服务 (IIS)。一种快速的实现方法是在命令提示符处运行 IISRESET。

URLScan.ini 文件包含以下几节：

• [Options]：此节描述常规 URLScan 选项。
• [AllowVerbs] 和 [DenyVerbs]：此节定义 URLScan 允许的谓词（又称作 HTTP 方法）。
• [DenyHeaders]：此节列出 HTTP 请求中不允许的 HTTP 标头。如果 HTTP 请求中包含此节中列出的 HTTP 标头之一，URLScan 将拒绝该请求。
• [AllowExtensions] 和 [DenyExtensions]：此节定义 URLScan 允许的文件扩展名。
• [DenyURLSequences]：此节列出 HTTP 请求中不允许的字符串。URLScan 拒绝那些包含此节中出现的字符串的 HTTP 请求。

本文将更详细地介绍每一节。

 

[Options] 节

在 [Options] 节中，可以配置许多 URLScan 选项。此节中的每一行都具有以下格式：

可用选项及其默认值如下所示：

• UseAllowVerbs=1
  
  默认情况下，此选项设置为 1。如果将此选项设置为 1，则 URLScan 仅允许那些使用 [AllowVerbs] 节中列出的谓词的 HTTP 请求。URLScan 禁止任何不使用这些谓词的请求。如果将此选项设置为 0，则 URLScan 忽略 [AllowVerbs] 节，相反仅禁止那些使用 [DenyVerbs] 节中列出的谓词的请求。
• UseAllowExtensions=0
  
  默认情况下，此选项设置为 0。如果将此选项设置为 0，则 URLScan 禁止对 [DenyExtensions] 节中列出的文件扩展名的请求，但允许对任何其他文件扩展名的请求。如果将此选项设置为 1，则 URLScan 仅允许对带 [AllowExtensions] 节中列出的扩展名的文件的请求，而禁止对任何其他文件的请求。
• NormalizeUrlBeforeScan=1
  
  IIS 收到用 URL 编码的请求。这表示某些字符可能被替换为百分号 (%) 后跟特定的数字。例如，%20 对应于一个空格，因此，对 http://myserver/My%20Dir/My%20File.htm 的请求与对 http://myserver/My Dir/My File.htm 的请求是相同的。标准化就是对 URL 编码请求进行解码的过程。默认情况下，此选项设置为 1。如果将 NormalizeUrlBeforeScan 选项设置为 1，则 URLScan 分析已解码的请求。如果将此选项设置为 0，则 URLScan 分析未解码的请求。将此选项设置为 0 会影响 URLScan 禁止某种攻击的能力。
• VerifyNormalization=1
  
  由于百分号 (%) 本身可以是 URL 编码的，所以攻击者可以向服务器提交一个精心制作的、基本上是双重编码的请求。如果发生这种情况，IIS 可能会接受本应视作无效而拒绝的请求。默认情况下，此选项设置为 1。如果将 VerifyNormalization 选项设置为 1，则 URLScan 将对 URL 执行两次标准化。如果第一次标准化后的 URL 与第二次标准化后的 URL 不同，URLScan 将拒绝该请求。这样就可以防止那些依赖双重编码请求的攻击。
• AllowHighBitCharacters=0
  
  默认情况下，此选项设置为 0。如果将此选项设置为 0，则 URLScan 拒绝任何包含非 ASCII 字符的请求。这样可以防止某些类型的攻击，但同时可能也会禁止对某些合法文件的请求，如带有非英文名的文件。
• AllowDotInPath=0
  
  默认情况下，此选项设置为 0。如果将此选项设置为 0，则 URLScan 拒绝所有包含多个句点 (.) 的请求。这样可以防止通过将安全的文件扩展名放入 URL 的路径信息或查询字符串部分，以达到伪装请求中的危险文件扩展名的企图。例如，如果将此选项设置为 1，则 URLScan 可能允许对 http://servername/BadFile.exe/SafeFile.htm 的请求，因为它认为这是对 HTML 页的请求，但实际上这是一个对可执行 (.exe) 文件的请求，而该文件的名称在 PATH_INFO 区域中显示为 HTML 页的名称。如果将此选项设置为 0，URLScan 可能还会拒绝对包含句点的目录的请求。
• RemoveServerHeader=0
  
  默认情况下，Web 服务器返回一个标头，其中指出了 Web 服务器在所有响应中运行的 Web 服务器软件。这会增加服务器遭受攻击的可能性，因为攻击者可以确定服务器正在运行 IIS，于是便攻击已知的 IIS 问题，而不是试图使用为其他 Web 服务器设计的攻击手段来攻击 IIS 服务器。默认情况下，此选项设置为 0。如果将 RemoveServerHeader 选项设置为 1，可以防止您的服务器发送将其标识为 IIS 服务器的标头。如果将 RemoveServerHeader 设置为 0，则仍发送此标头。
• AlternateServerName=（默认情况下不指定）
  
  如果将 RemoveServerHeader 设置为 0，可以在 AlternateServerName 选项中指定一个字符串以指定将在服务器标头中传回的内容。如果将 RemoveServerHeader 设置为 1，则此选项将被忽略。
• EnableLogging=1
  
  默认情况下，URLScan 在 %WINDIR%\System32\Inetsrv\URLScan 中保留所有被禁止的请求的完整日志。如果不希望保留此日志，可将 EnableLogging 设置为 0。
• PerProcessLogging=0
  
  默认情况下，此选项设置为 0。如果将此选项设置为 1，URLScan 将为承载 URLScan.dll 的每个进程创建一个单独的日志。如果将此选项设置为 0，所有进程将记录到同一个文件中。
• PerDayLogging=1
  
  默认情况下，此选项设置为 1。如果将该值设置为 1，则 URLScan 每天创建一个新的日志文件。每个日志文件的名称都是 Urlscan.MMDDYY.log，其中 MMDDYY 是日志文件的日期。如果将该值设置为 0，则所有日志记录都保存在同一个文件中，与日期无关。
• AllowLateScanning=0
  
  默认情况下，此选项设置为 0。如果将此选项设置为 0，则 URLScan 作为高优先级筛选器运行，这表示它先于服务器上安装的所有其他 Internet 服务器应用程序编程接口 (ISAPI) 筛选器执行。如果将此选项设置为 1，则 URLScan 作为低优先级筛选器运行，以便其他筛选器可以在 URLScan 进行任何分析之前修改 URL。FrontPage Server Extensions (FPSE) 要求将此选项设置为 1。
• RejectResponseUrl=（默认情况下不指定）
  
  此选项指定在 URLScan 禁止请求时运行的文件的虚拟路径。这允许您自定义针对被禁止的请求发送给客户机的响应。必须将 RejectResponseUrl 指定为相应文件的虚拟路径，如 /Path/To/RejectResponseHandler.asp。可以指定 URLScan 通常禁止的文件，如 Active Server Pages (ASP) 页。还可以从该页指定以下服务器变量：
  • HTTP_URLSCAN_STATUS_HEADER：此变量指定请求被禁止的原因。
  • HTTP_URLSCAN_ORIGINAL_VERB：此变量指定被禁止的请求中的原始谓词（例如 GET、POST、HEAD 或 DEBUG）。
  • HTTP_URLSCAN_ORIGINAL_URL：此变量指定被禁止的请求中的原始 URL。
  如果将 RejectResponseUrl 设置为特殊值 /~*，则 URLScan 使用“仅日志记录”模式。这允许 IIS 为所有请求提供服务，但它会在 URLScan 日志中为所有通常被禁止的请求添加相应的项。这在需要测试 URLScan.ini 文件时很有用。
  
  如果没有指定 RejectResponseUrl 的值，则 URLScan 使用默认值 /<Rejected-By-UrlScan>。
  
   
• UseFastPathReject=0
  
  默认情况下，此选项设置为 0。如果将此选项设置为 1，则 URLScan 忽略 RejectResponseUrl 设置并立即向浏览器返回 404 错误信息。这比处理 RejectResponseUrl 要快，但它允许的日志记录选项没有那么多。如果将此选项设置为 0，则 URLScan 使用 RejectResponseUrl 设置来处理请求。

[AllowVerbs] 节和 [DenyVerbs] 节

[AllowVerbs] 节和 [DenyVerbs] 节定义 URLScan 允许的 HTTP 谓词（又称作方法）。常用的 HTTP 谓词包括 GET、POST、HEAD 和 PUT。其他应用程序（如 FPSE 和 Web 分布式创作和版本控制 (WebDAV)）使用更多的谓词。

[AllowVerbs] 节和 [DenyVerbs] 节的语法相同。它们由 HTTP 谓词列表组成，每个谓词占一行。

URLScan 根据 [Options] 节中 UseAllowVerbs 选项的值来决定使用哪一节。默认情况下，此选项设置为 1。如果将 UseAllowVerbs 设置为 1，则 URLScan 仅允许那些使用 [AllowVerbs] 节中列出的谓词的请求。不使用任何这些谓词的请求将被拒绝。在这种情况下，[DenyVerbs] 节被忽略。

如果将 UseAllowVerbs 设置为 0，则 URLScan 拒绝那些使用 [DenyVerbs] 节中明确列出的谓词的请求。允许任何使用未在此节中出现的谓词的请求。在这种情况下，URLScan 忽略 [AllowVerbs] 节。

 

[DenyHeaders] 节

当客户机向 Web 服务器请求页面时，它通常会发送一些包含有关此请求的其他信息的 HTTP 标头。常见的 HTTP 标头包括：

• Host:
  
  此标头包含 Web 服务器的名称。
• Accept:
  
  此标头定义客户机可以处理的文件类型。
• User-Agent:
  
  此标头包含请求页面的浏览器的名称。
• Authorization:
  
  此标头定义客户机支持的身份验证方法。

客户机可能会向服务器发送其他标头以指定其他信息。

在 [DenyHeaders] 节中，您定义 URLScan 将拒绝的 HTTP 标头。如果 URLScan 收到的请求中包含此节中列出的任何标头，它将拒绝该请求。此节由 HTTP 标头列表组成，每个标头占一行。标头名后面必须跟一个冒号 (:)（例如 Header-Name:）。

 

[AllowExtensions] 节和 [DenyExtensions] 节

大多数文件都有一个标识其文件类型的文件扩展名。例如，Word 文档的文件名一般以 .doc 结束，HTML 文件名一般以 .htm 或 .html 结束，纯文本文件名一般以 .txt 结束。[AllowExtensions] 节和 [DenyExtensions] 节允许您定义 URLScan 将禁止的扩展名。例如，您可以配置 URLScan 以拒绝对 .exe 文件的请求，防止 Web 用户在您的系统上执行应用程序。

[AllowExtensions] 节和 [DenyExtensions] 节的语法相同。它们由文件扩展名列表组成，每个扩展名占一行。扩展名以句点 (.) 开头（例如 .ext）。

URLScan 根据 [Options] 节中 UseAllowExtensions 的值来决定使用哪一节。默认情况下，此选项设置为 0。如果将 UseAllowExtensions 设置为 0，则 URLScan 仅拒绝对 [DenyExtensions] 节中列出的文件扩展名的请求。允许此节中未列出的任何文件扩展名。[AllowExtensions] 节被忽略。

如果将 UseAllowExtensions 设置为 1，则 URLScan 拒绝对 [AllowExtensions] 节中未明确列出的任何文件扩展名的请求。仅允许对此节中列出的文件扩展名的请求。[DenyExtensions] 节被忽略。

有关如何配置 URLScan 以允许对没有扩展名的文件的请求的其他信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：

[DenyUrlSequences] 节

可以配置 URLScan 以禁止那些 URL 中包含某些字符序列的请求。例如，可以禁止那些包含两个连续句点 (..) 的请求，利用目录遍历漏洞的攻击中经常采用这种手段。要指定一个想要禁止的字符序列，请将此序列单独放在 [DenyUrlSequences] 节中的一行上。

请注意，添加字符序列可能会对 Microsoft Exchange 的 Outlook Web Access (OWA) 产生负面影响。当您从 OWA 打开一个邮件时，该邮件的主题行包含在服务器所请求的 URL 中。由于 URLScan.ini 文件禁止任何包含百分号 (%) 和连字符 (&) 的请求，因此，当用户尝试打开主题行为“Sales increase by 100%”或“Bob & Sue are coming to town”的邮件时，会收到 404 错误信息。要解决此问题，可以从 [DenyUrlSequences] 节中删除这些序列。请注意，这样做会降低安全性，因为它有可能允许危险的请求到达服务器。 
 

参考原文：http://support.microsoft.com/kb/326444/zh-cn

Answer Files and UDFs

When Windows NT Workstation or Windows NT Server is installed using the winnt /u:answer_file or winnt32 /u:answer_file command, the options specified in the answer file (Unattend.txt) are applied to the installation.
If the /udf:uniqueness_database_file option is also specified on the winnt or winnt32 command line, the entries in the specified uniqueness database file (UDF) are also applied, overriding entries in the answer file.
For information on editing and using answer files and UDFs, see Chapter 2, "Customizing Setup," of the Windows NT Workstation 4.0 Resource Guide. This Appendix describes the sections and keys used in these files. Additional entries may be listed in the sample Unattend.txt file on the product compact disc.

The sections are:
 

[Unattended]
The keys in this section define the behavior of the Setup program during text mode setup. This section can only be specified in the answer file, not in the UDF.
 

[OEMBootFiles]
To install onto x86 computers, $OEM$\OEMFILES\TXTSETUP.OEM and all files listed in it (HALs and drivers), must be listed in this section. This section can only be specified in the answer file, not in the UDF.
 

[MassStorageDrivers]
This section is used to specify SCSI drivers. This section can only be specified in the answer file, not in the UDF.
 

[KeyboardDrivers]
This section is used to specify keyboard drivers. This section can only be specified in the answer file, not in the UDF.
 

[PointingDeviceDrivers]
This section is used to specify pointing device drivers. This section can only be specified in the answer file, not in the UDF.
 

[OEM_Ads]
This section describes a banner, logo, and background bitmap to be displayed during GUI-mode setup.
 

[DisplayDrivers]
This section is used to specify display drivers.
 

[Display]
This section is used to specify settings for video display.
 

[DetectedMassStorage]
This section is used to specify mass storage devices that Setup is to recognize, even if they are not physically present on the system at the time you perform the installation. This section can only be specified in the answer file, not in the UDF.
 

[GuiUnattended]
The keys in this section define the behavior of the Setup program during GUI mode setup.
 

[UserData]
The keys in this section specify information associated with each user or computer.
 

[LicenseFilePrintData]
This section pertains only to installations of Windows NT Server. It is used to supply information regarding the license agreement.
 

[Network]
This section is used to specify settings used for networking, such as protocols and adapters. If this section is not present, support for networking will not be installed.
 

[Modem]
This section header is used to identify whether a modem should be installed or not. It is used by RAS to install a modem if DeviceType = Modem is in the list of RAS parameters.
Some of the keys in these sections point to additional sections, which you must create and name. For example, to install protocols other than the defaults, you need to use the InstallProtocols key in the [Network] section to identify the name of the section in which the protocols are listed. You must also create and populate the section pointed to in the Install Protocols key.
 

The keys you can add to the answer file or UDF are listed in the remainder of this Appendix, grouped according to the kind of effect they produce.
 

Preferred Options in the Retail Product
These options affect the choices a user can make while installing the retail version of Windows NT Workstation.
 

Preserving Settings of Existing Windows NT Workstation Systems
By default, Setup installs Windows NT Workstation 4.0 with the retail default settings, except where different settings are specified in the answer file and the UDFs. As an option, you can have Setup upgrade existing installations of Windows NT Workstation, with the system settings intact.
To preserve existing settings when upgrading from an earlier version of Windows NT Workstation, add the following line to the [Unattended] section:
NtUpgrade = manual | yes | no | single

Where:
manual indicates that the user is to be prompted as to whether the existing installation is to be completely replaced, or upgraded with system settings intact. If the user chooses to replace the existing version, he or she will also be prompted to specify a directory in which to install Windows NT Workstation 4.0. If the user chooses to retain existing settings, the remainder of the settings in the answer file and in the UDF will be ignored.
 

yes indicates that the existing installation of Windows NT Workstation is to be upgraded with system settings intact. If NtUpgrade = yes, the remainder of the settings in the answer file and in the UDF will be ignored. If multiple installations are detected, the settings in first installation detected are used. On x86-based systems, the system that is listed first in the Boot.ini file is the first installation detected. On Alpha AXP-based, MIPS-based, and PowerPC-based systems, the first installation is the first one listed in the Startup Environment.
 

no indicates that the existing installation of Windows NT Workstation is to be completely replaced. The retail default settings will be used, except where keys in the answer file or UDF override them. This is the default option.
 

single indicates that if only one existing installation of Windows NT Workstation is detected, it is to be upgraded with system settings intact. If multiple previous installations are detected, the user must indicate which settings are to be retained.
This key can only be specified in the answer file, not in the UDF.

Preserving Settings of Existing Windows for Workgroups 3.1 or Windows 3.1 Systems
By default, Setup installs Windows NT Workstation 4.0 with the retail default settings, except where different settings are specified in the answer file and the UDFs. As an option, you can have Setup upgrade existing installations of Windows for Workgroups 3.1 or Windows 3.1, with the system settings intact.
To preserve existing settings when upgrading from either of these systems, add the following line to the [Unattended] section: Win31Upgrade = yes | no
 

Where:
yes indicates that if an existing installation of Windows for Workgroups 3.1 or Windows 3.1 is detected, the existing settings are to be preserved.
 

no indicates that the existing installation of Windows NT Workstation is to be completely replaced. The retail default settings will be used, except where keys in the answer file or UDF override them. This is the default option.
If any other values are supplied for the Win31Upgrade key, the user will be prompted to specify whether the settings should be retained.
This key can only be specified in the answer file, not in the UDF. Specifying the Directory in Which to Install Windows NT Workstation You can specify the directory on the destination computer in which the files for Windows NT Workstation 4.0 are to reside. To do so, add the following line to the [Unattended] section: TargetPath = manual | * | path
 

Where:
manual
indicates that the user is to be prompted for a directory. * indicates that the Setup program is to generate a unique directory name, and place the Windows NT Workstation 4.0 files in that directory. This is the default option.
 

path
indicates the name of the directory in which the Windows NT Workstation 4.0 files are to be placed. If the directory does not exist, it will be created.
This key can only be specified in the answer file, not in the UDF. Replacing OEM Files with Windows NT Workstation Product Files You can choose whether to replace older files that Setup finds on the system with files from the retail product that have the same name. By default, these files are overwritten. To specify whether to keep the older versions of such files, add the following line to the [Unattended] section: OverwriteOemFilesOnUpgrade = yes | no
If any Windows NT file in the existing installation has been overwritten by another application, you must set OverwriteOEMFilesOnUpgrade = yes. This key can only be specified in the answer file, not in the UDF.

Converting to NTFS
In general, partitions greater than 512 MB should be converted to NTFS. To specify whether to convert the primary partition to NTFS during installation, add the following line to the [Unattended] section: FileSystem = ConvertNTFS | LeaveAlone
Specifying When to Configure Graphics Devices
By default, graphics devices are configured during Setup. However, you can specify that the graphics devices be configured the first time someone logs on to the new system. To specify when the graphics devices are to be configured, add the following line to the [Display] section: ConfigureAtLogon = 0 | 1
If ConfigureAtLogon = 1, no specific video setting is made during setup. Instead, the user is prompted to select the screen resolution the first time the computer is started after setup. If ConfigureAtLogon = 0, graphics configuration will be done during setup. If this option is selected, the following other preconfiguration values may be set, also in the [Display] section: BitsPerPel = n XResolution = number_of_pixels YResolution = number_of_pixels VRefresh = n Flags = n
If an entry has a value of 0, or the entry is not present, the defaults will be applied.
Table A.1 Default Values for Video Settings
Key Default Value
BitsPerPel 8 If this is not a valid value, the lowest valid value is used. XResolution 640
If this is not a valid value, the lowest valid value is used. YResolution 480
If this is not a valid value, the lowest valid value is used. VRefresh 60 Hz
If this is not a valid value, the lowest valid value is used. Flags Any that are available.
For example, if all of these keys are set to = 0, the video settings would be 640x480, 256 colors, 60 Hz (as long as that mode exists). As another example, if BitsPerPel = 16 and all other values are set to 0, then the card will be configured in 640x480, 64 K colors, and 60 Hz (again, as long as that mode exists). Normally, the user is prompted to test the video settings. For an unattended installation, you might want the settings to be stored without testing. To specify whether the settings should be stored without testing, add the following line to the [Display] section: AutoConfirm = 0 | 1
If AutoConfirm = 0, or if it is not specified, the video settings specified elsewhere in the [Display] section are used, and the user must test the selected video mode in order to save the setting and continue with setup.
If AutoConfirm = 1, the settings are stored with no user intervention.

Additional Files and Applications
This section describes keys you can add to the answer file or UDF to add your own files or information to the retail version of Windows NT Workstation.
Displaying Your Company Information During Setup
To specify your own advertising or information during GUI Mode Setup, the following section must exist:
[OEM_Ads]
Banner = text
Logo = file_name{, n]
Bitmap = file_name{, n]
The value of the Banner key is the text string to be displayed as a banner in the upper left of the screen during GUI Mode Setup. The text must contain the substring "Windows NT Workstation" or "Windows NT Server" in order to be displayed. To create a multi-line banner, insert an asterisk (*) where a line break is to appear. If the Banner key is empty or does not contain the "Windows NT Workstation" or "Windows NT Server" substring, the Windows NT retail banner will be displayed.
The value of the Logo key is the filename of a bitmap to be displayed in the upper right corner of the screen during GUI Mode Setup. If your bitmap is referenced in a dynamic link library (DLL), you can specify the name of the DLL followed by the resource ID. The DLL must be in $OEM$\Oemfiles, and the resource ID must be supplied in base-10 format. If only a file name is specified, it must be the name of a .bmp file in $OEM$\Oemfiles that contains the bitmap.
If the Logo key is not specified, or its value is empty, or it specifies a non-existent bitmap, then the Windows NT retail bitmap will be displayed.
The value of the Bitmap key is the name of a bitmap that is to be tiled as a background during end-user setup.
If your bitmap is referenced in a dynamic link library (DLL), you can specify the name of the DLL followed by the resource ID. The DLL must be in $OEM$\Oemfiles, and the resource ID must be supplied in base-10 format. If only a file name is specified, it must be the name of a .bmp file in $OEM$\Oemfiles that contains the bitmap.
If the Bitmap key is not specified, or its value is empty, or it specifies a non-existent bitmap, then the Windows NT retail bitmap will be displayed.
For best results on VGA-based displays this bitmap should be exactly 640 x 480 pixels. On ARC computers (which do not necessarily use VGA mode during setup) other optimal sizes may be possible. If the bitmap is monochrome, it will be tinted blue when displayed (like the retail background bitmap, which is itself monochrome).

Running a Program Concurrently with Setup
To run a custom program concurrently with Setup, add the following line to the [GuiUnattended] section: DetachedProgram = path\filename
where path and filename describe the location of the custom program. For example: DetachedProgram = c:\mt32\mtrun.exe
To supply arguments to the custom program, add the following line to the [GuiUnattended] section: Arguments = path\filename/argument where path\filename indicates the path to the program and argument indicates the arguments you want to supply. For example: Arguments = c:\mt32\scriptl.pcd/H

Using Files You Supply in the Subdirectories of $OEM$
To include files you have added to customize the application, the following line must be present in the [Unattended] section: OemPreinstall = Yes
A Yes value indicates that Windows NT Setup might need to install some OEM-supplied files located in subdirectories of $OEM$. The default value is No. The default is used when the OemPreinstall key is missing. The No value implies that Setup will perform a regular unattended installation. This key can only be specified in the answer file, not in the UDF. The keys described in the following sections are used only if OemPreinstall = Yes.

Installing Display Drivers
To install display drivers, include the following section: [DisplayDrivers] driver_description = Retail | OEM
This section is optional. If the [DisplayDrivers] section is empty or absent, Setup will install all the Windows NT retail display drivers during Text Mode Setup. During GUI Mode Setup, any drivers that fail to initialize will be disabled.
The driver_description value identifies the driver to be installed. This value must match one of the strings defined in the right-hand side of the [Display] section of Txtsetup.sif (except for the string "Standard VGA (640x480, 16 colors)" or Txtsetup.oem (for an OEM-supplied driver). This key can only be specified in the answer file, not in the UDF. This section is valid only if OemPreinstall = Yes.

Installing SCSI Drivers
To install SCSI drivers, include the following section:
[MassStorageDrivers]
driver_description = Retail | OEM .
This section is optional. If the [MassStorageDrivers] section is empty or absent, Setup will attempt to detect and install all known miniport drivers. The driver_description value identifies the driver to be installed. This value must match one of the strings defined in the [SCSI] section of Txtsetup.sif or Txtsetup.oem (for an OEM-supplied driver). This key can only be specified in the answer file, not in the UDF. This section is valid only if OemPreinstall = Yes.

Installing Keyboard Drivers
To specify keyboard drivers to be installed, include the following section: [KeyboardDrivers]
driver_description = Retail | OEM .
This section is optional. If the [KeyboardDrivers] section is absent or empty, Setup will detect and install a keyboard driver from the retail Windows NT product. The driver_description value identifies the driver to be installed. This string must match one of the strings defined in the [Keyboard] section of the Txtsetup.sif or Txtsetup.oem (for an OEM-supplied driver). This key can only be specified in the answer file, not in the UDF. This section is valid only if OemPreinstall = Yes.

Installing Pointing Device Drivers
To install pointing device drivers, include the following section
[PointingDeviceDrivers]
driver_description = Retail | OEM .
This section is optional. If the [PointingDeviceDrivers] section is absent or empty, Setup will detect and install a pointing device driver from the retail Windows NT product. The driver_description value identifies the driver to be installed. This string must match one of the strings defined in the [Mouse] section of Txtsetup.sif or Txtsetup.oem (for an OEM-supplied driver). This key can only be specified in the answer file, not in the UDF. This section is valid only if OemPreinstall = Yes.

Networking Options
If networking is to be installed, you must include a [Network] section. If this section header is missing, network installation will be skipped. If the section is present but empty, the user will be presented with various error messages. Specifying Manual Installation of Network Components If you want the network components to be installed interactively during an otherwise unattended installation, include the following line in the [Network] section: Attend = Yes
For the installation of network components to proceed without user intervention, this key must be absent.
Detecting Network Adapters
To detect network adapter cards installed on a computer, the following must be specified under the [Network] section: DetectAdapters = adapters_section[,adapters_section]. . .
The value for the DetectAdapters key is a user-defined section name. For example, you could name a section [DetectAdaptersData] and specify it in this key. Create this section, and add to it the following keys:
DetectCount = number_of_cards_to_detect
LimitTo = inf_option [, inf_option] . . .
inf_option = parameter_section
The DetectCount key specifies the number of detection attempts Setup should make. The default is 1. If more cards than the number specified in DetectCount are present, the additional cards will not be detected.
The LimitTo key specifies a list of cards; detection will be limited to cards in that list. If this key is not present, any detectable adapters will be installed. The values can be obtained from the network-adapter INF files.
Each inf_option listed in the LimitTo key can also be listed as a key. The value of these keys will be the parameter normally associated with a network adapter. The values listed here will override detected values.
To detect and install only the first network adapter card, use following line under the [Network] section: DetectAdapters = ""
Note that there is no space between the beginning and end quotation marks. If neither the DetectAdapters key nor the InstallAdapters key (described under "Installing Network Adapter" later in this appendix) is present, user participation will be required. If DetectAdapters is present but contains no value, then the first adapter is detected and installed. The DetectAdapters and InstallAdapters keys can both be present.
Example [Network] InstallProtocols = SelectedProtocolsList [SelectedProtocolsList] TC = TCPIPParameters ATALK = AppleTalkParameters

Installing Network Adapters
To install network adapters, the following key must be included in the [Network] section: InstallAdapters = adapters_list_section[, adapters_list_section]. . .
The value for the InstallAdapters key is a user-defined section name. For example, you could name a section [InstallAdaptersList] and specify it in this key. All network adapters listed in the [InstallAdaptersList] section would then be installed. Create this section, and add to it a line for each adapter to be installed, using the following format: inf_option = parameter_section[, oem_path]
If the InstallAdapters key and the DetectAdapters key are not present, user participation will be required.
Each inf_option key in this section defines the inf_option to be installed. The answers for the inf_option key are adapter-specific. If the adapter is an OEM-supplied card, the path can be specified.
Example
[Network]
InstallAdapters = SelectedAdaptersList
[SelectedAdaptersList] NE2000 = NovelParameters ELNKII = 3ComParameters MSNETULTRA = MacrosoftNetUltraParameters, A:\
Note
For network adapters, you must know and specify the necessary parameters for the cards you want to preinstall. To determine whether a card supports unattended setup, search for stf_unattended in the INFs for that card.
Installing Network Services
To install network services, the following keys should be specified under the [Network] section: InstallServices = services_list_section[, services_list_section] . . .
All services listed will be installed. If the InstallServices key is absent, no extra services will be installed.
The value for the InstallServices key is a user-defined section name. Create the section named by the InstallServices key, and in it list the service to be installed, using the following syntax: inf_option = parameter_section[, oem_path]
Each inf_option key in this section defines the options to be installed. The value for this key is a user-defined section name and the OEM source path, if necessary. Create the section named by the inf_option key, and in it list the parameters to be used.
Example
[Network] InstallServices = SelectedServicesList [SelectedServicesList] SFM = ServicesForMacParameters WINS = WINServiceParameters

Installing Network Protocols
To detect network adapter cards installed on a computer, the following must be specified under the [Network] section:
InstallProtocols = protocol_list_section[, protocol_list_section] . . .
The value for the InstallProtocols key is a user-defined section name. For example, you could name a section [InstallProtocolsList] and specify it in this key. Create this section, and add to it a line for each protocol to be installed, using the following format:
inf_option = parameter_section[, oem_path]
The value on the left of the equals sign, inf_option, is the notation for the protocol, as it appears in the [Options] section of the INF file for that protocol. Protocol INFs have the filename Oemxpxx.inf, where xx refers to a particular protocol. The value on the right of the equals sign is a user-defined section name and the OEM source path, if necessary. Create the section named by the inf_option key, and in it list the parameters to be used for that protocol.
All protocols listed will be installed. If this key is not present, the default protocols will be installed and user participation might be required for Setup to continue.
Specifying the TCP/IP protocol is one case within the general topic of installing protocols, and is discussed in the section, "Installing TCP/IP."
Example
[Network] InstallProtocols = SelectedProtocolsList
[SelectedProtocolsList] TC = TCPIPParameters ATALK = AppleTalkParameters
Installing NetBEUI
To install NetBEUI, it must be specified in the "protocol_list_section" section specified by the InstallProtocols key described in the [Network] section. This is described under "Installing Network Protocols" earlier in this Appendix. In the protocol_list_section, include the following line: NBF = NetBEUI_parameters_section
The section you specify as the value for NBF must exist, but is empty since NetBEUI does not require any parameters. For example, your answer file might include the following lines: [Network] InstallProtocols = SelectedProtocolsList
[SelectedProtocolsList] NBF = NetBEUI_params TC = TCPIPParameters
[NetBEUI_params]
[TCPIPParameters]

Installing TCP/IP
To install TCP/IP, it must be specified in the section specified by the InstallProtocols key described in the [Network] section. This is described under "Installing Network Protocols" earlier in this Appendix. Create a separate section for the parameters, and refer to it in the section specified by the InstallProtocols key
The supported TCP/IP parameters are as follows:
DHCP = Yes | No
ScopeID = scope_ID
If you have set DHCP = No, you must also provide the following parameters. For a discussion of these parameters see Chapter 7, "Using Microsoft DHCP Servers," in the Windows NT Server Networking Guide.
IPAddress = ddd.ddd.ddd.ddd
Subnet = ddd.ddd.ddd.ddd
Gateway = ddd.ddd.ddd.ddd
DNSServer = IPAddress, IPAddress, IPAddress
;Up to 3 IP addresses can be specified
WINSPrimary = IPAddress
WINSSecondary = IPAddress
DNSName = DNS_Domain_Name
Both TCP/IP and SNMP allow you to configure computers on a site basis and/or on a computer-specific basis. A site-based configuration configures each computer with identical parameters, whereas a computer-specific configuration allows a computer to have unique parameters. These two configurations can be mixed together. The generic or site-specific parameters are processed first. If computer-specific parameters exist, they are overlaid on the site-specific ones. Example: TCP/IP without DHCP
[Network]
InstallProtocols = SelectedProtocolsList
[SelectedProtocolsList]
TC = TCPIPParameters
[TCPIPParameters]
DHCP = NO
IPAddress = 192.9.1.1
Subnet = 255.0.0.0
Gateway = 111.1.1.1
DNSServer = 192.9.1.7, 192.9.1.8, 192.9.1.9
WINSPrimary = 111.2.2.2
WINSSecondary = 111.3.3.3
DNSName = microsoft.com
ScopeID = This_is_the_scope_id
Example: TCP/IP with DHCP, and adding DNS and WINS parameters
[Network]
InstallProtocols = SelectedProtocolsList
[SelectedProtocolsList] TC = TCPIPParameters
[TCPIPParameters]
DHCP = YES
DNSServer = 192.9.1.7, 192.9.1.8, 192.9.1.9
WINSPrimary = 111.2.2.2
DNSName = microsoft.com
ScopeID = This_is_the_scope_id
 

Installing the SNMP Service
To install the Simple Network Management Protocol (SNMP) service, it must be specified in the section that you create and that you specify in the InstallServices key. The InstallServices key is described under "Installing Network Services" earlier in this Appendix. On the line that specifies the protocol, you name the section (also created by you) that contains the parameters for the protocol. This is illustrated in the example at the end of this section.
The supported parameters are as follows:
Accept_CommunityName = Name1, Name2, Name3 ;maximum of 3 names
Send_Authentication = Yes | No
Any_Host = Yes | No
Limit_Host = host1, host2, host3 ;limit to 3 hosts
Community_Name = name
Traps = IPaddress | IPXaddress ;maximum of 3 addresses
Contact_Name = name ;limit to 1 name
Location = location_name ;limit to 1 name

Service = Physical, Applications, Datalink, Internet, EndToEnd ; Any combination is valid
For a discussion of these parameters, see Chapter 11, "Using SNMP for Network Management," in the Windows NT Server Networking Guide. If a parameter is an IP address, all four octets must be specified in dotted decimal notation only. Both TCP/IP and SNMP allow you to configure computers on a site basis and/or on a computer-specific basis. A site-based configuration configures each computer with identical parameters, whereas a computer-specific configuration allows a computer to have unique parameters. These two configurations can be mixed together. The generic or site-specific parameters are processed first. If computer-specific parameters exist, they are overlaid on the site-specific ones.

Example [Network]
InstallServices = SelectedServicesList
[SelectedServicesList]
SNMP = SNMPParameters
[SNMPParameters]
Accept_CommunityName = MicrosoftCommunity
Send_Authentication = YES
Any_Host = NO
Limit_Host = HostSystem
Community_Name = MyCommunity
Traps = 1234567890AB, 192.001.001, 3456123456
Contact_Name = NT_Administration
Location = Building_26
Service = Physical, Datalink, Internet
 

Installing NWLNKIPX
To install NWLNKIPX, it must be specified in the "protocol_list_section" section specified by the InstallProtocols key described in the [Network] section. This is described under "Installing Network Protocols" earlier in this Appendix. In the protocol_list_section, include the following line: NWLNKIPX = NetBEUI_parameters_section
The section you specify as the value for NWLNKIPX must exist, but is empty since NWLNKIPX does not require any parameters. For example, your answer file might include the following lines:
[Network]
InstallProtocols = SelectedProtocolsList
[SelectedProtocolsList]
NWLNKIPX = NWLNKIPX _params
TC = TCPIPParameters
[NWLNKIPX _params]
[TCPIPParameters] . . .

Installing Client Service for NetWare (NWWKSTA Option)
To install Client Service for NetWare, it must be specified in the section specified by the InstallServices key (the InstallServices key is included in the [Network] section). To the section specified by the InstallServices key, add the following line:
NWWKSTA = NetWareClientParametersSection
You can assign any name for the NetWareClientParametersSection. Create a section with that name and specify the NetWare client parameters that you want to use in that section. The recognized parameters are as follows:

DefaultLocation = server_location DefaultScriptOptions = 0 | 1 | 3
DefaultLocation identifies the default logon server for the NetWare client. The DefaultScriptOptions key specifies the default action to take with scripts, and can be assigned any of the following values:
0 Do not run a script
1 Run NW 3.x level scripts only
3 Run NW 3.x or NW 4.x scripts
Example
[Network]
InstallServices = SelectedServicesList
[SelectedServicesList]
NWWKSTA = ClientNetwareParameters
[ClientNetwareParameters]
DefaultLocation = NWServer
DefaultScriptOptions = 0

Installing Remote Access Service (RAS)
To install Remote Access Service (RAS), include the following line in the section you defined with the InstallServices key in the [Network] section:
RAS = RAS_parameters_section
where RAS_parameters_section is a section that you define and use to specify the following parameters:
PortSections = MYCOM1, MYCOM2, MYCOM3-25
DialoutProtocols = TCP/IP | IPX | NETBEUI | ALL
DialinProtocols = TCP/IP | IPX | NETBEUI | ALL
NetBEUIClientAccess = Network | ThisComputer
TcpIpClientAccess = Network | ThisComputer
UseDHCP = YES | NO
StaticAddressBegin = IP_address
StaticAddressEnd IP_address
ExcludeAddress = IP_address1-IP_address2
ClientCanRequestIPAddress = YES | NO
IpxClientAccess = Network | ThisComputer
AutomaticNetworkNumbers = YES | NO
NetworkNumberFrom = IPX_net_number
AssignSameNetworkNumber = YES | NO
ClientsCanRequestIpxNodeNumber YES | NO
Defaults and restrictions are as follows:
PortSections Any number of port section names
DialoutProtocols ALL implies all installed protocols
DialinProtocols ALL implies all installed protocols
NetBEUIClientAccess Default is Network
TcpIpClientAccess Default is Network
UseDHCP Default is YES
StaticAddressBegin Required if UseDHCP = NO
StaticAddressEnd Required if UseDHCP = NO
ExcludeAddress One or more ranges, comma separated.
StaticAddressBegin and StaticAddressEnd should be specified.
ClientCanRequestIPAddress Default is NO
IpxClientAccess Default is Network
AutomaticNetworkNumbers Default is YES
NetworkNumberFrom 1 to 0xFFFFFFFE; required if AutomaticNetworkNumbers is NO
AssignSameNetworkNumber Default is YES
ClientsCanRequestIpxNodeNumber Default is NO
DeviceType = Modem
If you have specified a "PortSection" you must create the section, which can have the following keys:
PortName = COM1 | COM2 | COM3-COM25
DeviceType = Modem
DeviceName = device_name
PortUsage = DialOut | DialIn | DialInOut

Where:
PortName indicates the names of the ports to be configured in a particular port section.
DeviceType indicates the type of device RAS should install. For the current release of Windows NT Workstation, the only available device type is a modem. If DeviceType = Modem, the InstallModem key must be included in the [Modem] section.
DeviceName specifies the name of the device to be installed. PortUsage defines the dialing properties for the ports being configured.
For a discussion of RAS features and parameters, see Chapter 5, "Understanding Remote Access Service," in the Networking Supplement included with the product documentation. Example: RAS Using One Dialout Port
[Network]
InstallServices = SelectedServicesList

[SelectedServicesList]
RAS = RemoteAccessParameters

[RemoteAccessParameters]
PortSections = MYCOM1
DialoutProtocols = TCP/IP

[MYCOM1]
PortName = COM1
DeviceType = Modem
DeviceName = "Intel Fax Modem 144e"
PortUsage = DialOut

Example: RAS Using One Dialout, One Dialin and Four Dialin and Dialout Ports, With All Installed Protocols
This configuration uses default values for all protocols:
[Network]
InstallServices = SelectedServicesList

[SelectedServicesList]
RAS = RemoteAccessParameters

[RemoteAccessParameters]
PortSections = Dialin, Dialout, Dialinout
DialoutProtocols = ALL
DialinProtocols = ALL

[Dialin]
PortName = COM1
DeviceType = Modem
DeviceName = "USR Sportster V.34"
PortUsage = DialOut

[Dialout]
PortName = COM2
DeviceType = Modem
DeviceName = "USR Sportster V.34"
PortUsage = DialOut

[Dialinout]
PortName = COM3-COM6
DeviceType = Modem
DeviceName = "USR Sportster V.34"
PortUsage = DialInOut

Example: RAS 16 Dialin Ports, With TCP/IP and DHCP Enabled
[Network]
InstallServices = SelectedServicesList

[SelectedServicesList]
RAS = RemoteAccessParameters

[RemoteAccessParameters]
PortSections = InternetPorts
DialoutProtocols = TCP/IP
DialinProtocols = TCP/IP
TcpIpClientAccess = Network
UseDHCP = YES
ClientCanRequestIPAddress = NO

[InternetPorts]
PortName = COM3-COM17
DeviceType = Modem
DeviceName = "USR Sportster V.34"
PortUsage = DialIn

Example: RAS 16 Dialin Ports, With TCP/IP and Static IP Address Pool
[Network]
InstallServices = SelectedServicesList [SelectedServicesList]
RAS = RemoteAccessParameters

[RemoteAccessParameters]
PortSections = InternetPorts
DialoutProtocols = TCP/IP
DialinProtocols = TCP/IP
TcpIpClientAccess = Network
UseDHCP = NO
StaticAddressBegin = 101.16.1.1
StaticAddressEnd = 101.16.1.16
ClientCanRequestIPAddress = NO

[InternetPorts] PortName = COM3-COM17
DeviceType = Modem
DeviceName = "USR Sportster V.34"
PortUsage = DialIn

Example: RAS 16 Dialin Ports, With IPX and Static IPX Address Pool
[Network]
InstallServices = SelectedServicesList

[SelectedServicesList]
RAS = RemoteAccessParameters

[RemoteAccessParameters]
PortSections = InternetPorts
DialoutProtocols = IPX
DialinProtocols = IPX
IpxClientAccess = Network
AutomaticNetworkNumbers = NO
NetworkNumberFrom = 0xa100
AssignSameNetworkNumber = NO
ClientsCanRequestIpxNodeNumber = NO

[InternetPorts]
PortName = COM3-COM17
DeviceType = Modem
DeviceName = "USR Sportster V.34"
PortUsage = DialIn

Hardware Support
This section describes keys you can add to specify what hardware is detected during setup, and what hardware support is installed.
Installing a Modem Driver for Use with RAS
If the RAS parameters include the line DeviceType = Modem, the following line must be included in the [Modem] section:
InstallModem = Modem _Parameter_Section
where Modem_Parameter_Section is a section that you create and give any name you choose. This section contains the parameters required to install the modem on a specified COM port. If the section is empty, RAS will detect modems on its pre-configured ports and install any modem it finds. The [Modem_Parameter_Section] contains one line for each COM port on which a modem is to be installed, using the following syntax:
[Modem_Parameter_Section]
COMx = "description" [,Manufacturer, Provider]

Where:
COMx
identifies the COM port on which the modem is to be installed (for example COM1, COM2?
description
must match a modem description in a Mdmxxxxx.inf file that corresponds to the modem to be installed. This string must be enclosed in quotes. Manufacturer
is an optional field that identifies the manufacturer of a particular modem when description is not unique to a particular manufacturer. Provider
is an optional field that identifies the provider of a particular modem when description is not unique to a particular manufacturer.

Using Hardware Detected by Setup
You can have the user confirm the hardware and mass storage devices detected by Setup, or you can specify that Setup proceed with the installation without seeking confirmation. Mass storage devices include any devices controlled by a SCSI mini port driver. For example, all CD-ROM drives, SCSI adapters, and hard drive controllers (except ATdisk, abiosdsk, and standard floppy disks) are mass storage devices.
To specify whether the user is to confirm the hardware detected, add the following line to the [Unattended] section:
ConfirmHardware = yes | no

Yes indicates that the user must confirm hardware and mass storage devices detected by the Setup program. No indicates that the Setup program should use hardware detected by the Setup program.
This key can only be specified in the answer file, not in the UDF.

Note
If OEMPreinstall = yes, then the ConfirmHardware key is ignored.
Specifying Mass Storage Devices
When installing onto an x86-based computer, you can have Setup prepare the system for mass storage devices you specify, even if they are not physically present on the system at the time you perform the installation. To do so, add the section [DetectedMassStorage]. Copy the entries for the devices you want to specify from the [SCSI] section of the Txtsetup.sif file. This file is on the Setup boot floppy disks. This section can only be specified in the answer file, not in the UDF.
If this section is present and contains entries, support for the specified devices will be included in the installation, as if the devices had actually been detected by Setup.
If this section is present and has no entries, the result is the same as if Setup detected no mass storage devices.
If this section is not present, Setup will attempt to detect the mass storage devices on the computer by loading all known miniport drivers.

Specifying a Keyboard Layout
To specify a keyboard layout, add the following line to the [Unattended] section: KeyboardLayout = layout_description
This key is optional. If the KeyboardLayout key is not specified or is absent, Setup will detect and install a keyboard layout from the retail Windows NT Workstation product.
The layout_description value must match one of the strings in the [KeyboardLayout] section of Txtsetup.sif.
This key can only be specified in the answer file, not in the UDF. Per-user Settings
For a completely unattended installation, you must specify user settings in either the answer file or the UDF.

Specifying User Data
If the user's full name, the organization name, the computer name, and a product ID for the copy of Windows NT Workstation are not provided to the Setup program, the user will be prompted for them. This information can be included in an answer file, but it is generally more effective to provide it in a UDF. Indeed, the UDF functionality is designed to allow you specify a variant of the basic configuration for each user, rather than create separate answer files, one for each user, with most of the information copied in each answer file.
The section and keys are the same, whether you specify the data in an answer file or UDF. In the [UserData] section, add the following lines:
FullName = "User's full name"
orgName = "Organization name"
ComputerName = computername
ProductId = "123-456789012345"

The ProductId key specifies the Microsoft product identification number. This must be an authentic number that will be requested by Microsoft Product Support Services if you call for technical support. Note that you must include the hyphen in the product identification number. Note also that for the FullName, orgName, and ProductId keys, the value must be enclosed in quotation marks.

Specifying a Time Zone
If no time zone is specified, the user will be prompted to select one. To specify a time zone, add the following line to the [GuiUnattended] section:
TimeZone = "time_zone"
Where time_zone is one of the following:
(GMT) Greenwich Mean Time; Dublin, Edinburgh, London
(GMT+01:00) Lisbon, Warsaw
(GMT+01:00) Paris, Madrid
(GMT+01:00) Berlin, Stockholm, Rome, Bern, Brussels, Vienna
(GMT+02:00) Eastern Europe
(GMT+01:00) Prague
(GMT+02:00) Athens, Helsinki, Istanbul
(GMT-03:00) Rio de Janeiro
(GMT-04:00) Atlantic Time (Canada)
(GMT-05:00) Eastern Time (US & Canada)
(GMT-06:00) Central Time (US & Canada)
(GMT-07:00) Mountain Time (US & Canada)
(GMT-08:00) Pacific Time (US & Canada); Tijuana
(GMT-09:00) Alaska
(GMT-10:00) Hawaii
(GMT-11:00) Midway Island, Samoa
(GMT+12:00) Wellington
(GMT+10:00) Brisbane, Melbourne, Sydney
(GMT+09:30) Adelaide
(GMT+09:00) Tokyo, Osaka, Sapporo, Seoul, Yakutsk
(GMT+08:00) Hong Kong, Perth, Singapore, Taipei
(GMT+07:00) Bangkok, Jakarta, Hanoi
(GMT+05:30) Bombay, Calcutta, Madras, New Delhi, Colombo
(GMT+04:00) Abu Dhabi, Muscat, Tbilisi, Kazan, Volgograd
(GMT+03:30) Tehran
(GMT+03:00) Baghdad, Kuwait, Nairobi, Riyadh
(GMT+02:00) Israel
(GMT-03:30) Newfoundland
(GMT-01:00) Azores, Cape Verde Is.
(GMT-02:00) Mid-Atlantic
(GMT) Monrovia, Casablanca
(GMT-03:00) Buenos Aires, Georgetown
(GMT-04:00) Caracas, La Paz
(GMT-05:00) Indiana (East)
(GMT-05:00) Bogota, Lima
(GMT-06:00) Saskatchewan
(GMT-06:00) Mexico City, Tegucigalpa
(GMT-07:00) Arizona
(GMT-12:00) Enewetak, Kwajalein
(GMT+12:00) Fiji, Kamchatka, Marshall Is.
(GMT+11:00) Magadan, Soloman Is., New Caledonia
(GMT+10:00) Hobart
(GMT+10:00) Guam, Port Moresby, Vladivostok
(GMT+09:30) Darwin
(GMT+08:00) Beijing, Chongqing, Urumqi
(GMT+06:00) Alma Ata, Dhaka
(GMT+05:00) Islamabad, Karachi, Sverdlovsk, Tashkent
(GMT+04:30) Kabul
(GMT+02:00) Cairo
(GMT+02:00) Harare, Pretoria
(GMT+03:00) Moscow, St. Petersburg
For example:
TimeZone = "(GMT-08:00) Pacific Time (US & Canada); Tijuana"

Joining a Workgroup or Domain
The computer can be part of either a workgroup or a domain. If the computer is a server, a third option, domain controller, is available. The key for establishing the computer as a domain controller is described under "Windows NT Server Settings," later in this appendix
. To join a workgroup, the following key must be specified under the [Network] section:
JoinWorkgroup = workgroup_name
The workgroup_name value specifies the workgroup the computer will participate in. To join an existing domain, specify the following under the [Network] section: JoinDomain = domain_name
The domain_name value specifies the domain to join. In the lab, you might also want to define user credentials (for example, Administrator) and password required to create a computer account on the domain specified. In this case you would add the following under the [Network] section: JoinDomain = domain_name
CreateComputerAccount = [user_name_with_creation_rights [, user_password]

The CreateComputerAccount key supplies the credentials and password to create the computer account. The user account specified in the CreateComputerAccount key must already exist in the specified domain.
The [Network] section must contain one of the keys JoinWorkgroup, JoinDomain, or InstallDC. The InstallDC key applies only to Windows NT Server, and is described under "Installing a Domain Controller."

Windows NT Server Settings The following options apply only to installations of Windows NT Server:
Setting License Options
When installing Windows NT Server, you must specify whether the server is licensed in "per seat" or "per server" mode. If this is not specified in the answer file, Setup will prompt for the information.
To specify the license mode, add the following key to the [LicenseFilePrintData] section:
AutoMode = PerSeat | PerServer
If the AutoMode key is empty or missing, Setup prompts for the license mode. PerSeat indicates that a client access license has been purchased for each computer that accesses the server.
PerServer indicates that client access licenses have been purchased for the server to allow a certain number of concurrent connections to the server. If AutoMode is set to PerServer, AutoUsers must also be specified, as follows:
AutoUsers = n
where n is the number of concurrent client connections that the server is licensed to support. This will be a number between 0 and 999999.
If AutoMode = PerServer and AutoUsers is missing or empty, Setup will prompt for the number of concurrent client connections that the server is licensed to support. For information on the licensing modes, see Chapter 12, "Licensing and License Manager," in the Concepts and Planning Guide included with the Windows NT Server retail product. The chapter includes a worksheet to help you decide which licensing mode is best for your organization.

Installing a Domain Controller
When installing Windows NT Server, you can use the JoinWorkgroup or JoinDomain key in the [Network] section (as described under "Joining a Workgroup or Domain" earlier in this Appendix), or you can set the computer to be a domain controller. To establish the computer as a domain controller, add the following line to the [Network] section:
InstallDC = domain_name
If the specified domain does not exist, it will be created. This key is only valid if the server role has been set as a primary or backup domain controller and the AdvServerType key has been set accordingly.
If you are creating a backup domain controller (BDC), add the following line to the [Network] section to define the user credentials and password required to create a computer account on the domain specified:
CreateComputerAccount = [user_name_with_creation_rights
[, user_password]
The [Network] section must contain one of the keys JoinWorkgroup, JoinDomain, or InstallDC.
Example: Creating a Backup Domain Controller for the Marketing Domain
[Network]
InstallDC = Marketing
CreateComputerAccount = Administrator, FishScale
A computer account is also created for this computer, using the Administrator account and supplying the password (FishScale) for the Administrator account.

Setting the Server Role
A computer running Windows NT Server can be a standalone server, a primary domain controller (PDC), or a backup domain controller (BDC). To specify which role the computer is to have in the network, add the following line to the [GuiUnattended] section:
AdvServerType = SERVERNT | LANMANNT | LANSECNT
Where:
SERVERNT indicates that the computer will be a standalone server.
LANMANNT indicates that the computer will serve as a primary domain controller (PDC).
LANSECNT indicates that the computer will be a backup domain controller (BDC).

Installing the Internet Information Server (NT Server Only)
To install Internet Server on a Windows NT Server, add the following line to the [Network] section. This key is only valid for Windows NT Server, and will be ignored when installing Windows NT Workstation.
InstallInternetServer = Internet_Server_Parameter_Section
[Internet_Server_Parameter_Section]
where Internet_Server_Parameter_Section is a section that you create, and that contains parameters for installing Internet Server.
Example
[Network]
InstallInternetServer = InternetServerParameters
[InternetServerParameters]
Create a section called [INETSTP], and add some or all of the following keys, depending on the features you want to install, to that section:
InstallINETSTP= 1 | 0
InstallFTP=1 | 0
InstallWWW=1 | 0
InstallGOPHER=1 | 0
InstallADMIN=1 | 0
InstallMOSAIC=1 | 0
InstallGATEWAY=1 | 0
InstallDNS=1 | 0
InstallHELP=1 | 0
InstallSMALLPROX=1 | 0
InstallCLIENTADMIN=1 | 0
WWWRoot=c:\wwwroot
FTPRoot=c:\ftproot
GopherRoot=c:\gophroot
InstallDir=c:\inetsrv
EmailName=email_address
UseGateway=1 | 0
GatewaysList=\\gateway1 \\gateway2
Where the possible values for a key are 1 or 0; 1 means "yes" and 0 means "no."
The effects of these keys are shown in the following table:
InstallINETSTP= Specifies whether Internet Services will be installed.
InstallFTP= Specifies whether the FTP Service will be installed.
InstallWWW= Specifies whether the WWW Service will be installed.
InstallGOPHER= Specifies whether the Gopher Service will be installed.
InstallADMIN= Specifies whether the Internet Administrator Manager will be installed.
InstallMOSAIC= Specifies whether the Internet Explorer Browser will be installed.
InstallGATEWAY= Specifies whether the Gateway Service will be installed.
InstallDNS= Specifies whether the DNS Service will be installed.
InstallHELP= Specifies whether the HELP Files will be installed. (Applies to Windows NT Workstation only.)
InstallSMALLPROX= Specifies whether the Access Gateway Proxy will be installed. (Applies to Windows NT Workstation only.)
InstallCLIENTADMIN= Specifies whether the client administrator tools will be installed. (Applies to Windows NT Workstation only.)
WWWRoot=c:\wwwroot Specifies the virtual root for the WWW service.
FTPRoot=c:\ftproot Specifies the virtual root for the FTP service.
GopherRoot=c:\gophroot Specifies the virtual root for the Gopher service.
InstallDir=c:\inetsrv Specifies the installation directory for all components of Internet Services.
EmailName=email_name Specifies the Internet e-mail name of the user.
UseGateway= Specifies whether a gateway is to be used.
GatewaysList=\\gateway1 \\gateway2 Lists the gateways to be used (if UseGateway=1).

Using an Extended Partition for Text Mode Files
If you are installing Windows NT Workstation on a disk larger than 2 GB, you can cause Setup to extend the partition on which the temporary files are located into any available unpartitioned space that physically follows it on the disk. These temporary files must be installed on a primary partition. The space used must be limited to 1024 cylinders. Writing beyond cylinder 1024 will cause the installation to fail.
To control whether Setup extends the partition on which the temporary files are located, add the following line to the [Unattended] section: ExtendOemPartition = 0 | 1
Where:
0
specifies that the partition not be extended. 1
specifies that the partition is to be extended. When the value is 1, you must set FileSystem = ConvertNTFS.

Stopping Setup Before GUI Mode Begins
If OEMPreinstall = Yes, the Setup program stops at the end of text mode by default, rather than continuing into GUI mode. This gives you the ability to duplicate disks with the operating system and applications pre-installed. The first time a computer is started with the duplicated disk in place, the system boots into GUI mode. The user can then be prompted for information such as username, computername, and the Workgroup or Domain that the computer is to join.
You can specify whether Setup continues into GUI mode at the end of text mode by adding the following line to the [Unattended] section:
NoWaitAfterTextMode = 0 | 1
Where:
0
specifies that Setup should stop at the end of text mode.
1
specifies that Setup should automatically reboot into GUI mode at the end of text mode.
Sample Unattend.txt File
[Unattended]
Method = express
TargetPath = srv1231

[GuiUnattended]
AdvServerType = SERVERNT
; AdvServerType = LANMANNT (PDC) | LANSECNT (BDC) | SERVERNT (STANDALONE)
TimeZone = "(GMT-08:00) Pacific Time (US & Canada); Tijuana"

[UserData]
FullName = "John L. Smith"
orgName = "Microsoft"
ComputerName = JohnSm_1
ProductId = "123456789012345"

[LicenseFilePrintData]
AutoMode = PerSeat

[Network]
DetectAdapters = DetectParams
; InstallAdapters = AdaptersList
InstallProtocols = ProtocolsList
; InstallServices = ServicesList

; JoinWorkgroup = OurWorkGroup

JoinDomain = NTWKSTA
CreateComputerAccount = JohnSm, FriedFrogs

; for a PDC install
; InstallDC = Our_DOMAIN

; for a BDC install
; InstallDC = Our_DOMAIN
; CreateComputerAccount = Administrator, FishScale

[DetectParams]
DetectCount = 1
LimitTo = IEEPRO, ELNKII

[AdaptersList]
IEEPRO = IntelEEProParams
ELNKII = 3ComELIIParams

[ProtocolsList]
TC = TCPIPParams
; NBF = NetBEUIParams
; NWLNKIPX = NWLinkIPXParams

[ServicesList]
RAS = RemoteAccessParameters

[IntelEEProParams]
Interrupt = 5
IoChannelReady = 4
Transceiver = 4
IoAddress = 784

; irq = 5
; i/o = 0x310
; io channel = auto
; transceiver = auto

[3ComELIIParams]
InterruptNumber = 2
IOBaseAddress = 512
Transceiver = 2
MemoryMapped = 0
; where Transceiver = 1 - External; 2 - On Board
; MemoryMapped = 1 - ON; 0 - OFF

; Optional:
; !AutoNetInterfaceType = 0 | 1 | 2 ...
; !AutoNetBusNumber = 0 | 1 | ...

[RemoteAccessParameters]
PortSections = MYCOM1
DialoutProtocols = TCP/IP

[MYCOM1]
PortName = COM1
DeviceType = Modem
DeviceName = "Intel Fax Modem 144e"
PortUsage = DialOut

 echo "更改windows安装文件的路径"
echo Windows Registry Editor Version 5.00 > c:\Win2003setupPath.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup] >> c:\Win2003setupPath.reg
echo "ServicePackSourcePath"="D:\\anywolfs" >> c:\Win2003setupPath.reg
echo "SourcePath"="D:\\anywolfs" >> c:\Win2003setupPath.reg
regedit /S c:\Win2003setupPath.reg
del /f /s /q c:\Win2003setupPath.reg
echo "生成snmp无人值守安装选项文件"
echo [NetOptionalComponents] > c:\snmp.txt
echo SNMP = 1 >> c:\snmp.txt
echo [SNMP] >> c:\snmp.txt
echo Contact_Name = anywolfs >> c:\snmp.txt
echo Location = anywolfs.com>> c:\snmp.txt
echo Community_Name = anywolfs.com>> c:\snmp.txt
echo Send_Authentication = Yes >> c:\snmp.txt
echo Accept_CommunityName =anywolfs.com:Read_Only >> c:\snmp.txt
echo Any_Host = No >> c:\snmp.txt
echo Limit_Host = LocalHost, anywolfs.com>>c:\snmp.txt
Sysocmgr.exe /i:sysoc.inf /u:c:\snmp.txt
del /f /s /q c:\snmp.txt
echo snmp安装完毕
 

注册表： 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
两个键值是你放置I386的物理路径，比如我的安装所需文件都放置在D:\anywolfs\I386下，那么我就设置成"ServicePackSourcePath"="D:\\anywolfs" ，记住不需要在路径后面再加I386了，系统会自己去识别。

剩下的关于snmp的安装参数，请看下面这段说明：
 

SNMP Service Parameters

This document explains and maps three related entities:

• SNMP Service Properties, specifically the Agent, Traps, and Security tabs
• HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters registry values
• [SNMP] section of an answer file for use with WUI or SysOCMgr

The service properties are a graphic interface to the registry values. The answer file provides a method for setting the registry values during installation of the service.

To open the SNMP Service Properties, right-click My Computer, select Manage. In the Computer Management console, expand Services and Applications, then select Services. Scroll to and double-click SNMP Service. Three tabs of this property page will be referred to below: Agent, Traps, and Security.

Agent tab

All parameters on the Agent tab set values under the following key:

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\RFC1156Agent

GUI Property	Registry Name	Registry Type	Registry Data
Contact	sysContact	REG_SZ	(string)
Location	sysLocation	REG_SZ	(string)
Service	sysServices	REG_DWORD	0x01 (1) = Physical 0x02 (2) = Datalink and subnetwork 0x04 (4) = Internet 0x08 (8) = End-to-end 0x40 (64) = Applications

Answer file details

Parameter	Value(s)	Default(s)
Contact_Name	"string"
Location	"string"
Service	Physical, Applications, Datalink and subnetwork, Internet, End-to-End	Applications, Internet, End-to-End

Example

[NetOptionalComponents] SNMP = 1 [SNMP] Contact_Name = "Aaron Czechowski,1234" Location = "CK 6" Service = Physical, Applications, End-to-End

yields

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\RFC1156Agent[sysContact] = Aaron Czechowski,1234 HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\RFC1156Agent[sysLocation] = CK 6 HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\RFC1156Agent[sysServices] = 0x00000049 (73)

Traps tab

All parameters on the Traps tab set values under the following key:

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration

Any Community name added to the list will create a subkey below the above path. For example, adding a Community name Towson1 will create the following key:

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\Towson1

All Trap destinations for each community will map to the following values under each community subkey:

Name	Type	Data
ordinal number (e.g., 1, 2, 3)	REG_SZ	<trapDest_hostname> (e.g., trap1.towson.edu)

Answer file details

Parameter	Value(s)	Default(s)
Community_Name	<communityName> e.g., Towson1
Traps	<trapDest_hostname>, ... (e.g., trap1.towson.edu)

Example

[NetOptionalComponents] SNMP = 1 [SNMP] Community_Name = Towson1 Traps = trap1.towson.edu, trap2.towson.edu, trap3.towson.edu

yields

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\Towson1[1] = trap1.towson.edu HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\Towson1[2] = trap2.towson.edu HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\Towson1[3] = trap3.towson.edu

It does not seem to be possible to create multiple Community Names for traps from an answer file. Programmatically adding an additional Community Name to the Traps tab will require editing the registry.

Security tab

The Send authentication trap check box maps to the following registry key value:

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters

Name	Type	Data
EnableAuthenticationTraps	REG_DWORD	0 = disable 1 = enable

Adding a community to the Accepted community names list adds values to the following key:

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

The Community Name is the Name of the registry value and the Community Rights are the Data of the registry value.

Name	Type	Data
<communityName> (e.g., Towson1)	REG_DWORD	1 = NONE 2 = NOTIFY 4 = READ ONLY 8 = READ WRITE 16 = READ Create

Checking Accept SNMP packets from these hosts and adding a management host adds values to the following key:

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

Name	Type	Data
ordinal number (e.g., 1, 2, 3)	REG_SZ	<manager_hostName> (e.g., accept1.towson.edu)

Answer file details

Parameter	Value(s)	Default(s)
Send_Authentication	Yes | No
Accept_CommunityName	<communityName1>:<privilege>, ... (e.g., Towson1:Read_Only)	public:Read_Only
Any_Host	Yes | No
Limit_Host	<hostname>, ... (e.g., trap1.towson.edu)

Example

[NetOptionalComponents] SNMP = 1 [SNMP] Send_Authentication = Yes Accept_CommunityName = Towson1:Read_Only Any_Host = Yes Limit_Host = trap1.towson.edu, trap2.towson.edu

yields

HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters[EnableAuthenticationTraps] = 1 HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities[Towson1] = 4 HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers[1] = trap1.towson.edu HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers[2] = trap2.towson.edu

Unknown Registry Values

The functionality of the following registry values is currently unknown:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters
  

  Name	Type	Data
  NameResolutionRetries	REG_DWORD	0x00000010 (16)

 原文：https://wwwnew.towson.edu/knowledgecenter/article.aspx?article=74
参考 http://www.s-w-r.com/news_appendix.html
http://www.petri.co.il/forums/showthread.php?t=3836

 原文：http://technet.microsoft.com/zh-cn/library/cc739550.aspx

相关文档：
 

ipseccmd.exe说明
http://www.anywolfs.com/liuhui/article.asp?id=417

注意：IPSec 筛选规则会导致网络程序丢失数据和停止响应网络请求，包括无法对用户进行身份验证。只有当您清楚地了解阻止特定端口对您的环境具有的影响之后，才应将 IPSec 筛选规则作为一种迫不得已的防护措施加以采用。如果您按照本文列出的步骤创建的 IPSec 策略对您的网络程序有不利影响，请参阅本文稍后的“取消指定和删除 IPSec 策略”一节，了解有关如何立即禁用和删除该策略的说明。

确定是否指定了 IPSec 策略

基于 Windows Server 2003 的计算机

在为基于 Windows Server 2003 的计算机创建或指定任何新的 IPSec 策略之前，请确定是否有从本地注册表或通过组策略对象 (GPO) 应用的任何 IPSec 策略。为此，请按照下列步骤操作：

1. 运行 Windows Server 2003 CD 上的 Support\Tools 文件夹中的 Suptools.msi，安装 Netdiag.exe。
2. 打开命令提示符窗口，然后将工作文件夹设置为 C:\Program Files\Support Tools。
3. 运行以下命令以验证尚未为该计算机指定现有 IPSec 策略：
   netdiag /test:ipsec
   如果没有指定策略，您将收到以下消息：
   IP 安全测试。. . . . . . . . : 传递的 IPSec 策略服务是活动的，但是没有指定策略。

基于 Windows XP 的计算机

在为基于 Windows XP 的计算机创建或指定任何新的 IPSec 策略之前，请确定是否有从本地注册表或通过 GPO 应用的任何 IPSec 策略。为此，请按照下列步骤操作：

1. 运行 Windows XP CD 上的 Support\Tools 文件夹中的 Setup.exe，安装 Netdiag.exe。
2. 打开命令提示符窗口，然后将工作文件夹设置为 C:\Program Files\Support Tools。
3. 运行以下命令以验证尚未为该计算机指定现有 IPSec 策略：
   netdiag /test:ipsec
   如果没有指定策略，您将收到以下消息：
   IP 安全测试。. . . . . . . . : 传递的 IPSec 策略服务是活动的，但是没有指定策略。

基于 Windows 2000 的计算机

在为基于 Windows 2000 的计算机创建或指定任何新的 IPSec 策略之前，请确定是否有从本地注册表或通过 GPO 应用的任何 IPSec 策略。为此，请按照下列步骤操作：

1. 运行 Windows 2000 CD 上的 Support\Tools 文件夹中的 Setup.exe，安装 Netdiag.exe。
2. 打开命令提示符窗口，然后将工作文件夹设置为 C:\Program Files\Support Tools。
3. 运行以下命令以验证尚未为该计算机指定现有 IPSec 策略：
   netdiag /test:ipsec
   如果没有指定策略，您将收到以下消息：
   IP 安全测试。. . . . . . . . : 传递的 IPSec 策略服务是活动的，但是没有指定策略。

创建用于阻止通信的静态策略

基于 Windows Server 2003 和 Windows XP 的计算机

对于没有启用本地定义的 IPSec 策略的系统，请创建一个新的本地静态策略，以阻止定向到 Windows Server 2003 和 Windows XP 计算机上的特定协议和特定端口的通信。为此，请按照下列步骤操作：

1. 验证 IPSec Policy Agent 服务已在“服务”MMC 管理单元中启用并启动。
2. 安装 IPSeccmd.exe。IPSeccmd.exe 是 Windows XP Service Pack 2 (SP2) 支持工具的一部分。
   
   注意：IPSeccmd.exe 将在 Windows XP 和 Windows Server 2003 操作系统中运行，但仅有 Windows XP SP2 支持工具包中提供此工具。
   
   有关下载和安装 Windows XP Service Pack 2 支持工具的更多信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：
   838079  (http://support.microsoft.com/kb/838079/ ) Windows XP Service Pack 2 支持工具
3. 打开命令提示符窗口，然后将工作文件夹设置为安装 Windows XP Service Pack 2 支持工具的文件夹。
   
   注意：Windows XP SP2 支持工具的默认文件夹是 C:\Program Files\Support Tools。
4. 要创建一个新的本地 IPSec 策略和筛选规则，并将其应用于从任何 IP 地址发送到您要配置的 Windows Server 2003 或 Windows XP 计算机的 IP 地址的网络通信，请使用以下命令。
   
   注意：在以下命令中，Protocol 和 PortNumber 是变量。
   IPSeccmd.exe -w REG -p "Block ProtocolPortNumber Filter" -r "Block Inbound ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK –x
   例如，要阻止从任何 IP 地址和任何源端口发往 Windows Server 2003 或 Windows XP 计算机上的目标端口 UDP 1434 的网络通信，请键入以下命令。此策略可以有效地保护运行 Microsoft SQL Server 2000 的计算机免遭“Slammer”蠕虫病毒的攻击。
   IPSeccmd.exe -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x
   以下示例可阻止对 TCP 端口 80 的入站访问，但是仍然允许出站 TCP 80 访问。此策略可以有效地保护运行 Microsoft Internet 信息服务 (IIS) 5.0 的计算机免遭“Code Red”蠕虫病毒和“Nimda”蠕虫病毒的攻击。
   IPSeccmd.exe -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK -x
   注意：-x 开关会立即指定该策略。如果您输入此命令，将取消指定“Block UDP 1434 Filter”策略，并指定“Block TCP 80 Filter”。要添加但不指定该策略，则在键入该命令时不要在结尾带 -x 开关。
5. 要向现有的“Block UDP 1434 Filter”策略（阻止从基于 Windows Server 2003 或 Windows XP 的计算机发往任何 IP 地址的网络通信）添加其他筛选规则，请使用以下命令。
   
   注意：在此命令中，Protocol 和 PortNumber 是变量：
   IPSeccmd.exe -w REG -p "Block ProtocolPortNumber Filter" -r "Block Outbound ProtocolPortNumber Rule" -f *0=:PortNumber:Protocol -n BLOCK
   例如，要阻止从基于 Windows Server 2003 或 Windows XP 的计算机发往任何其他主机上的 UDP 1434 的任何网络通信，请键入以下命令。此策略可以有效地阻止运行 SQL Server 2000 的计算机传播“Slammer”蠕虫病毒。
   IPSeccmd.exe -w REG -p "Block UDP 1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n BLOCK
   注意：您可以使用此命令向策略中添加任意数量的筛选规则。例如，可以使用此命令通过同一策略阻止多个端口。
6. 步骤 5 中的策略现在将生效，并将在每次重新启动计算机后都会生效。但是，如果以后为计算机指定了基于域的 IPSec 策略，此本地策略将被覆盖并将不再适用。
   
   要验证您的筛选规则是否已成功指定，请在命令提示符下将工作文件夹设置为 C:\Program Files\Support Tools，然后键入以下命令：
   netdiag /test:ipsec /debug
   正如这些示例中所示，如果同时指定了用于入站通信和出站通信的策略，您将收到以下消息：
   IP 安全测试。. . . . . . . . :
   传递的本地 IPSec 策略活动:“Block UDP 1434 Filter”IP 安全策略路径:SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}
   
   有 2 个筛选
   无名称
   筛选 ID:{5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
   策略 ID:{509492EA-1214-4F50-BF43-9CAC2B538518}
   源地址:0.0.0.0 源掩码:0.0.0.0
   目标地址:192.168.1.1 目标掩码:255.255.255.255
   隧道地址:0.0.0.0 源端口:0 目标端口:1434
   协议:17 TunnelFilter:无
   标志:入站阻止
   无名称
   筛选 ID:{9B4144A6-774F-4AE5-B23A-51331E67BAB2}
   策略 ID:{2DEB01BD-9830-4067-B58A-AADFC8659BE5}
   源地址:192.168.1.1 源掩码:255.255.255.255
   目标地址:0.0.0.0 目标掩码:0.0.0.0
   隧道地址:0.0.0.0 源端口:0 目标端口:1434
   协议:17 TunnelFilter:无
   标志:出站阻止
   注意：根据是基于 Windows Server 2003 还是基于 Windows XP 的计算机，IP 地址和图形用户界面 (GUID) 号会有所不同。

基于 Windows 2000 的计算机

对于没有启用本地定义的 IPSec 策略的系统，请按照下列步骤创建一个新的本地静态策略，以阻止定向到未指定现有 IPSec 策略的 Windows 2000 计算机上的特定协议和端口的通信：

1. 验证 IPSec Policy Agent 服务已在“服务”MMC 管理单元中启用并启动。
2. 访问下面的 Microsoft 网站以下载并安装 Ipsecpol.exe：
   http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;FamilyID=7D40460C-A069-412E-A015-A2AB904B7361 (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7D40460C-A069-412E-A015-A2AB904B7361)
3. 打开命令提示符窗口，然后将工作文件夹设置为安装 Ipsecpol.exe 的文件夹。
   
   注意：Ipsecpol.exe 的默认文件夹是 C:\Program Files\Resource Kit。
4. 要创建一个新的本地 IPSec 策略和筛选规则，并将其应用于从任何 IP 地址发送到您要配置的 Windows 2000 计算机的 IP 地址的网络通信，请使用以下命令，其中 Protocol 和 PortNumber 是变量：
   ipsecpol -w REG -p "Block ProtocolPortNumber Filter" -r "Block Inbound ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK –x
   例如，要阻止从任何 IP 地址和任何源端口发往基于 Windows 2000 的计算机上的目标端口 UDP 1434 的网络通信，请键入以下命令。此策略可以有效地保护运行 Microsoft SQL Server 2000 的计算机免遭“Slammer”蠕虫病毒的攻击。
   ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x
   以下示例可阻止对 TCP 端口 80 的入站访问，但是仍然允许出站 TCP 80 访问。此策略可以有效地保护运行 Microsoft Internet 信息服务 (IIS) 5.0 的计算机免遭“Code Red”蠕虫病毒和“Nimda”蠕虫病毒的攻击。
   ipsecpol -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK -x
   注意：-x 开关会立即指定该策略。如果您输入此命令，将取消指定“Block UDP 1434 Filter”策略，并指定“Block TCP 80 Filter”。要添加但不指定该策略，请在键入该命令时不在结尾带 -x 开关。
5. 要向现有“Block UDP 1434 Filter”策略中添加其他筛选规则，用于阻止从 Windows 2000 计算机发往任何 IP 地址的网络通信，请使用以下命令，其中 Protocol 和 PortNumber 是变量。
   ipsecpol -w REG -p "Block ProtocolPortNumber Filter" -r "Block Outbound ProtocolPortNumber Rule" -f *0=:PortNumber:Protocol -n BLOCK
   例如，要阻止从基于 Windows 2000 的计算机发往任何其他主机上的 UDP 1434 的任何网络通信，请键入以下命令。此策略可以有效地阻止运行 SQL Server 2000 的计算机传播“Slammer”蠕虫病毒。
   ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n BLOCK
   注意：您可以使用此命令向策略中添加任意数量的筛选规则（例如，使用此命令通过同一策略阻止多个端口）。
6. 步骤 5 中的策略现在将生效，并将在每次重新启动计算机后都会生效。但是，如果以后为计算机指定了基于域的 IPSec 策略，此本地策略将被覆盖并将不再适用。要验证您的筛选规则是否已成功指定，请在命令提示符下将工作文件夹设置为 C:\Program Files\Support Tools，然后键入以下命令：
   netdiag /test:ipsec /debug
   如果同时指定了用于入站通信和出站通信的策略（如这些示例中所示），您将收到以下消息：
   IP 安全测试。. . . . . . . . :
   传递的本地 IPSec 策略活动:“Block UDP 1434 Filter”IP 安全策略路径:SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{D239C599-F945-47A3-A4E3-B37BC12826B9}
   
   有 2 个筛选
   无名称
   筛选 ID:{5EC1FD53-EA98-4C1B-A99F-6D2A0FF94592}
   策略 ID:{509492EA-1214-4F50-BF43-9CAC2B538518}
   源地址:0.0.0.0 源掩码:0.0.0.0
   目标地址:192.168.1.1 目标掩码:255.255.255.255
   隧道地址:0.0.0.0 源端口:0 目标端口:1434
   协议:17 TunnelFilter:无
   标志:入站阻止
   无名称
   筛选 ID:{9B4144A6-774F-4AE5-B23A-51331E67BAB2}
   策略 ID:{2DEB01BD-9830-4067-B58A-AADFC8659BE5}
   源地址:192.168.1.1 源掩码:255.255.255.255
   目标地址:0.0.0.0 目标掩码:0.0.0.0
   隧道地址:0.0.0.0 源端口:0 目标端口:1434
   协议:17 TunnelFilter:无
   标志:出站阻止
   注意：IP 地址和图形用户界面 (GUID) 号将不同。它们将反映基于 Windows 2000 的计算机的相应内容。

为特定协议和端口添加阻止规则

基于 Windows Server 2003 和 Windows XP 的计算机

如果基于 Windows Server 2003 和 Windows XP 的计算机现有一个本地指定的静态 IPSec 策略，那么，要为该计算机上的特定协议和端口添加阻止规则，请按照下列步骤操作：

1. 安装 IPSeccmd.exe。IPSeccmd.exe 是 Windows XP SP2 支持工具的一部分。
   
   有关下载和安装 Windows XP Service Pack 2 支持工具的更多信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：
   838079  (http://support.microsoft.com/kb/838079/ ) Windows XP Service Pack 2 支持工具
2. 识别当前指定的 IPSec 策略的名称。为此，请在命令提示符下键入以下命令：
   netdiag /test:ipsec
   如果已指定策略，您将收到类似于以下内容的消息：
   IP 安全测试。. . . . . . . . : 传递的
   本地 IPSec 策略活动:“Block UDP 1434 Filter”
3. 如果已为计算机指定了 IPSec 策略（本地或域），请使用以下命令将其他 BLOCK 筛选规则添加到现有的 IPSec 策略中。
   
   注意：在此命令中，Existing_IPSec_Policy_Name、Protocol 和 PortNumber 是变量。
   IPSeccmd.exe -p "Existing_IPSec_Policy_Name" -w REG -r "Block ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK
   例如，要向现有“Block UDP 1434 Filter”中添加一条筛选规则来阻止对 TCP 端口 80 进行的入站访问，请键入以下命令：
   IPSeccmd.exe -p "Block UDP 1434 Filter" -w REG -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK

基于 Windows 2000 的计算机

如果基于 Windows 2000 的计算机现有一个本地指定的静态 IPSec 策略，那么，要为该计算机上的特定协议和端口添加阻止规则，请按照下列步骤操作：

1. 访问下面的 Microsoft 网站以下载并安装 Ipsecpol.exe：
   http://support.microsoft.com/kb/927229 (http://support.microsoft.com/kb/927229)
2. 识别当前指定的 IPSec 策略的名称。为此，请在命令提示符下键入以下命令：
   netdiag /test:ipsec
   如果已指定策略，您将收到类似于以下内容的消息：
   IP 安全测试。. . . . . . . . : 传递的
   本地 IPSec 策略活动:“Block UDP 1434 Filter”
3. 如果已为计算机指定了 IPSec 策略（本地或域），请使用以下命令将其他 BLOCK 筛选规则添加到现有 IPSec 策略中，其中 Existing_IPSec_Policy_Name、Protocol 和 PortNumber 是变量：
   ipsecpol -p "Existing_IPSec_Policy_Name" -w REG -r "Block ProtocolPortNumber Rule" -f *=0:PortNumber:Protocol -n BLOCK
   例如，要向现有“Block UDP 1434 Filter”中添加一条筛选规则来阻止对 TCP 端口 80 进行的入站访问，请键入以下命令：
   ipsecpol -p "Block UDP 1434 Filter" -w REG -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK

为特定协议和端口添加动态阻止策略

基于 Windows Server 2003 和 Windows XP 的计算机

有时您可能需要暂时阻止对特定端口的访问。例如，在可以安装修补程序之前，或者在已经为计算机指定基于域的 IPSec 策略时，您就可能需要阻止特定的端口。要使用 IPSec 策略暂时阻止对 Windows Server 2003 或 Windows XP 计算机上的某个端口的访问，请按照下列步骤操作：

1. 安装 IPSeccmd.exe。IPSeccmd.exe 是 Windows XP Service Pack 2 支持工具的一部分。
   
   注意：IPSeccmd.exe 将在 Windows XP 和 Windows Server 2003 操作系统中运行，但仅有 Windows XP SP2 支持工具包中提供此工具。
   
   有关如何下载和安装 Windows XP Service Pack 2 支持工具的更多信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：
   838079  (http://support.microsoft.com/kb/838079/ ) Windows XP Service Pack 2 支持工具
2. 要添加一个动态 BLOCK 筛选以阻止从任何 IP 地址发往您系统的 IP 地址和目标端口的所有数据包，请在命令提示符下键入以下命令。
   
   注意：在以下命令中，Protocol 和 PortNumber 是变量。
   IPSeccmd.exe -f [*=0:PortNumber:Protocol]
   注意：此命令可动态创建阻止筛选。只要 IPSec Policy Agent 服务在运行，该策略就会保持指定状态。如果重新启动 IPSec Policy Agent 服务或重新启动计算机，此策略将丢失。如果要在每次重新启动系统时动态重新指定 IPSec 筛选规则，请创建一个启动脚本以重新应用该筛选规则。如果您要永久性地应用此筛选，请将该筛选配置为静态 IPSec 策略。“IPSec 策略管理”MMC 管理单元提供用于管理 IPSec 策略配置的图形用户界面。如果已应用基于域的 IPSec 策略，netdiag /test:ipsec /debug 命令仅在由具有域管理员凭据的用户执行时才会显示筛选详细信息。

基于 Windows 2000 的计算机

有时您可能需要暂时阻止特定端口（例如，在可以安装修补程序之前，或者在已经为计算机指定基于域的 IPSec 策略时）。要使用 IPSec 策略暂时阻止对 Windows 2000 计算机上的某个端口的访问，请按照下列步骤操作：

1. 访问下面的 Microsoft 网站以下载并安装 Ipsecpol.exe：
   http://support.microsoft.com/kb/927229 (http://support.microsoft.com/kb/927229)
2. 要添加一个动态 BLOCK 筛选以阻止从任何 IP 地址发往您系统的 IP 地址和目标端口的所有数据包，请在命令提示符下键入以下命令，其中 Protocol 和 PortNumber 是变量：
   ipsecpol -f [*=0:PortNumber:Protocol]
   注意：此命令可动态创建阻止筛选，并且只要 IPSec Policy Agent 服务在运行，该策略就会保持指定状态。如果重新启动 IPSec 服务或重新启动计算机，此设置将丢失。如果要在每次重新启动系统时动态重新指定 IPSec 筛选规则，请创建一个启动脚本以重新应用该筛选规则。如果您要永久性地应用此筛选，请将该筛选配置为静态 IPSec 策略。“IPSec 策略管理”MMC 管理单元提供用于管理 IPSec 策略配置的图形用户界面。如果已应用基于域的 IPSec 策略，则 netdiag /test:ipsec /debug 命令可能仅在由具有域管理员凭据的用户执行时才会显示筛选详细信息。Netdiag.exe 的更新版本将在 Windows 2000 Service Pack 4 中提供，本地管理员可以使用它来查看基于域的 IPSec 策略。

IPSec 筛选规则和组策略

在通过组策略设置分配 IPSec 策略的环境中，必须更新整个域的策略才能阻止特定的协议和端口。在成功配置组策略 IPSec 设置后，您必须强制刷新域中所有基于 Windows Server 2003、Windows XP 和 Windows 2000 的计算机上的组策略设置。为此，请使用以下命令：

IPSec 策略更改将在两个不同轮询间隔之一的间隔内检测到。对于一个新指定的、应用于 GPO 的 IPSec 策略，该 IPSec 策略将在为组策略轮询间隔设置的时间内应用于客户端，或者当在客户端计算机上运行 secedit /refreshpolicy machine_policy 命令时应用于客户端。如果已为 GPO 指定了 IPSec 策略并且正在将新的 IPSec 筛选或规则添加到现有策略中，secedit 命令将不会使 IPSec 识别发生更改。在这种情况下，系统将在基于 GPO 的现有 IPSec 策略自己的轮询间隔内检测到对该 IPSec 策略的修改。此时间间隔是在该 IPSec 策略的“常规”选项卡上指定的。您还可以通过重新启动 IPSec Policy Agent 服务来强制刷新 IPSec 策略设置。如果 IPSec 服务停止或重新启动，由 IPSec 保护的通讯将中断并将需要几秒钟的时间才能恢复。这可能导致程序连接被断开，对于主动传输大量数据的连接更是如此。当 IPSec 策略只应用于本地计算机时，您不必重新启动该服务。

取消指定和删除 IPSec 策略

基于 Windows Server 2003 和 Windows XP 的计算机

• 具有本地定义的静态策略的计算机
  1. 打开命令提示符窗口，然后将工作文件夹设置为安装 Ipsecpol.exe 的文件夹。
  2. 要取消指定您以前创建的筛选，请使用以下命令：
     IPSeccmd.exe -w REG -p "Block ProtocolPortNumber Filter" –y
     例如，要取消指定以前创建的“Block UDP 1434 Filter”，请使用以下命令：
     IPSeccmd.exe -w REG -p "Block UDP 1434 Filter" -y
  3. 要删除您创建的筛选，请使用以下命令：
     IPSeccmd.exe -w REG -p "Block ProtocolPortNumber Filter" -r "Block ProtocolPortNumber Rule" –o
     例如，要删除“Block UDP 1434 Filter”筛选和以前创建的两个规则，请使用以下命令：
     IPSeccmd.exe -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -r "Block Outbound UDP 1434 Rule" -o
• 具有本地定义的动态策略的计算机
  如果通过使用 net stop policyagent 命令停止 IPSec Policy Agent 服务，将取消应用动态 IPSec 策略。要删除以前使用的特定命令而不停止 IPSec Policy Agent 服务，请按照下列步骤操作：
  1. 打开命令提示符窗口，然后将工作文件夹设置为安装 Windows XP Service Pack 2 支持工具的文件夹。
  2. 键入下面的命令：
     IPSeccmd.exe –u
     注意：您还可以重新启动 IPSec Policy Agent 服务以清除所有动态指定的策略。

基于 Windows 2000 的计算机

• 具有本地定义的静态策略的计算机
  1. 打开命令提示符窗口，然后将工作文件夹设置为安装 Ipsecpol.exe 的文件夹。
  2. 要取消指定您以前创建的筛选，请使用以下命令：
     ipsecpol -w REG -p "Block ProtocolPortNumber Filter" –y
     例如，要取消指定以前创建的“Block UDP 1434 Filter”，请使用以下命令：
     ipsecpol -w REG -p "Block UDP 1434 Filter" -y
  3. 要删除您创建的筛选，请使用以下命令：
     ipsecpol -w REG -p "Block ProtocolPortNumber Filter" -r "Block ProtocolPortNumber Rule" –o
     例如，要删除“Block UDP 1434 Filter”筛选和以前创建的两个规则，请使用以下命令：
     ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -r "Block Outbound UDP 1434 Rule" -o
• 具有本地定义的动态策略的计算机
  
  如果通过使用 net stop policyagent 命令停止 IPSec Policy Agent 服务，将取消应用动态 IPSec 策略。但是，要删除以前使用的特定命令而不停止 IPSec Policy Agent 服务，请按照下列步骤操作：
  1. 打开命令提示符窗口，然后将工作文件夹设置为安装 Ipsecpol.exe 的文件夹。
  2. 键入下面的命令：
     Ipsecpol –u
     注意：您还可以重新启动 IPSec Policy Agent 服务以清除所有动态指定的策略。

将您的新筛选规则应用到所有协议和端口

默认情况下，在 Microsoft Windows 2000 和 Microsoft Windows XP 中，IPSec 使得广播、多路广播、RSVP、IKE 和 Kerberos 通信免于受到任何筛选和身份验证的限制。有关这些例外的其他信息，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：

当 IPSec 只用于允许和阻止通信时，可以通过更改注册表值来删除对 Kerberos 和 RSVP 协议的豁免。有关如何执行此操作的完整说明，请单击下面的文章编号，以查看 Microsoft 知识库中相应的文章：

通过按照这些说明进行操作，即使攻击者将他们的源端口设置为 Kerberos 端口 TCP/UDP 88，您也可以保护 UDP 1434。通过删除 Kerberos 豁免，现在可以将 Kerberos 数据包与 IPSec 策略中的所有筛选进行匹配。因此，可以在 IPSec 内部对 Kerberos 进行保护（阻止或允许）。这样，如果 IPSec 筛选与发往域控制器 IP 地址的 Kerberos 通信匹配，您可能必须更改 IPSec 策略设计来添加新的筛选，以便允许发往各个域控制器 IP 地址的 Kerberos 通信（如果您没有按照知识库文章 254728 的说明使用 IPSec 来保护域控制器之间的所有通信）。

在计算机重新启动时应用 IPSec 筛选规则

所有 IPSec 策略均依赖于要指定的 IPSec Policy Agent 服务。当基于 Windows 2000 的计算机正在启动过程中时，IPSec Policy Agent 服务未必是第一个启动的服务。这样，计算机的网络连接可能会在某个很短的时间内容易受到病毒或蠕虫病毒的攻击。这种情况仅在满足以下条件时才会发生：IPSec Policy Agent 服务尚未完全启动并指定所有策略，存在潜在漏洞的服务便已成功启动并开始接受连接。

原文：http://support.microsoft.com/kb/813878/zh-cn