Automation in Windows can be difficult to achieve. You can write batch files. Use Windows Scripting Host. Use WMI. But all of these methods have their drawbacks. While trying to figure out how to disable a NIC from the command line for my NAC test bed, I found AutoIT, a freeware scripting utility.
I am testing a bunch of NAC products and I want to be able to save an environment like disk images and router/switch configurations, quickly and easily. We use Symantec's Altiris Deployment Solution to install OSes and applications, as well as take and deploy images. My NAC client computers have a dual port PCI NIC with one NIC on the test network and the other on our production network. I want to make sure that while testing, the production network NIC is disabled, but there is no easy way to automate this using Windows.
I found AutoIT and a script on their forum that will manipulate my NICs individually. AutoIT is a development processor and automation tool that lets you script actions and manipulate a GUI to automate tasks. The scripting language is BASIC-like, so it's not too complicated to read, learn, and write in. You can even compile your scripts into an executable file and distribute that to workstations. Most importantly, there is an active forum with running scripts available and help with programming and other questions. If you manage desktops and servers, AutoIT should be in your toolbox.
I tried Devcon, which is a Microsoft command line utility that will let you find, enable, and disable devices in Windows. For some reason, the individual NICs can't be enabled or disabled using Devcon. If I try to disable one NIC, they both are disabled. However, Devcon looks interesting for other projects, so I am going to keep that in my goodie bag.
Next I found the Network Configuration Tool Command-line Control netshx script written by Bryan Keadle over on Novell's Cool Solutions site. Netshx is a wrapper to simplify the usage of netsh, Microsoft's shell utility to manage network connections. Netshx does make netsh easier to use for common tasks like managing your NIC configurations, but similar to Devcon, I could only disable both NICs on my dual PCI card. But netshx is a good lightweight script.
I can see using AutoIT compiled scripts to achieve a poor man's NAC. For example, writing a script that checks for running processes ensuring that your AV is running, firewall is enabled, and other configuration parameters and then taking actions like restarting the stopped processes or, in the case of failure, assigning a static, non-routable IP address to a NIC, might be enough to deploy network access control without purchasing a NAC product. Sure, the DIY route means more work on your part and you may have to compromise on features, but I have hacked together enough scripts to know that you can achieve a lot with some creative scripting and the right tool. There are lots of other automation tools available for Windows desktops. What are your favorites?
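
The posture check described above, as an added AutoIT example (not the author's script and not code from the AutoIT forum). The AV process and service names, the connection name and the quarantine address are placeholders, and the firewall registry check assumes Windows Vista or later.

```autoit
; Added example: posture check with a quarantine fallback.
#RequireAdmin

; Hypothetical placeholders: replace with your AV product's real process and service names.
Global Const $AV_PROCESS = "ExampleAV.exe"
Global Const $AV_SERVICE = "ExampleAVService"
; Connection name as shown in Network Connections (assumed).
Global Const $NIC_NAME = "Local Area Connection"
; Constructed quarantine address from the 192.0.2.0/24 documentation range; no gateway is set.
Global Const $QUARANTINE_IP = "192.0.2.250"
Global Const $QUARANTINE_MASK = "255.255.255.0"
Global Const $FW_KEY = "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\"

; True when every firewall profile has EnableFirewall = 1 in the local policy store.
; Settings pushed by Group Policy are stored elsewhere and are not checked here.
Func FirewallEnabled()
    Local $aProfiles[3] = ["DomainProfile", "StandardProfile", "PublicProfile"]
    For $sProfile In $aProfiles
        Local $iState = RegRead($FW_KEY & $sProfile, "EnableFirewall")
        If @error Or $iState <> 1 Then Return False
    Next
    Return True
EndFunc

; True when the AV process is running; tries one service restart before giving up.
Func AvRunning()
    If ProcessExists($AV_PROCESS) Then Return True
    RunWait(@ComSpec & ' /c net start "' & $AV_SERVICE & '"', "", @SW_HIDE)
    ; Wait up to 15 seconds for the process to appear (returns 0 on timeout).
    Return ProcessWait($AV_PROCESS, 15) <> 0
EndFunc

; Pin the NIC to a static address with no default gateway; returns the netsh exit code.
Func Quarantine()
    Local $sCmd = 'netsh interface ip set address name="' & $NIC_NAME & '" static '
    $sCmd &= $QUARANTINE_IP & ' ' & $QUARANTINE_MASK
    Return RunWait(@ComSpec & ' /c ' & $sCmd, "", @SW_HIDE)
EndFunc

; Exit codes: 0 = compliant, 2 = quarantined, 3 = quarantine command failed.
If AvRunning() And FirewallEnabled() Then Exit 0
If Quarantine() = 0 Then Exit 2
Exit 3
```

A check like this runs on the endpoint it is judging, so a local administrator can stop or replace it; the exit code is only useful if something off the machine, such as the deployment tool, collects it.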