Thursday, May 15, 2008

Learning batch-file techniques from Microsoft's vulnerability-mitigation mechanism

This morning Automatic Updates asked me to fix a vulnerability. I clicked the related link (http://www.microsoft.com/technet/security/Bulletin/ms08-028.mspx) and found the manual remediation procedure below, written for domain administrators. Although it is an operating guide for this one specific vulnerability, the wonderful cacls command it exposes should be usable in many vulnerability-mitigation situations, and the way it applies a Group Policy logon script is also worth a look.

Use group policy to restrict the Microsoft Jet Database Engine from running for any application

To implement the workaround, perform the following steps:

1. Create the following script, named JetCacls.cmd for illustration:

@echo off
rem Run once per machine: the log file doubles as a "done" marker
if exist %systemdrive%\Cacls.log goto end
rem /E edits the existing ACL in place; /P everyone:N adds a deny-all entry for Everyone
cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N > nul 2>&1
rem Record when the ACL change was applied (and create the marker)
echo %date% %time%: Msjet Cacls updated > %systemdrive%\Cacls.log
:end
exit

2. Copy JetCacls.cmd to the Netlogon shared folder, or another shared folder on the domain controller from which JetCacls.cmd would run.

3. Set up JetCacls.cmd. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.

4. Click the Group Policy tab.

5. Click New to create a new Group Policy object (GPO), and enter JetCacls for the name of the policy.

6. Click the new policy, and then click Edit.

7. Expand Windows Settings for Computer Configuration, and then click Scripts.

8. Double-click Logon, and then click Add. The Add a Script dialog box appears.

9. Type \\servername\sharename\JetCacls.cmd in the Script Name box.

10. Click OK, and then click Apply.

11. Then restart the client computers that are members of this domain.

Impact of workaround. Any application that requires the use of the Microsoft Jet Database Engine to make data access calls will not function. This restriction only applies to applications that are running on client computers in the domain.
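The bulletin's script hard-codes one file, one marker and no way back. As an added example (my own code, not Microsoft's and not part of the bulletin), here is a generalised version of the same idea: it takes "apply" (the default) or "undo" as its first argument, loops over a list of files (only msjet40.dll is taken from the bulletin; the FILES variable is where you would add others), logs one line per file with the cacls exit code, and keeps a separate marker file per mode so it stays idempotent when run as a logon or startup script. The names MODE, FILES, LOG, MARKER and Cacls.<mode>.done are my own choices.

```batch
@echo off
setlocal
rem Added example, not the bulletin's script. Usage:
rem   JetCacls.cmd          (same as: JetCacls.cmd apply)
rem   JetCacls.cmd undo     removes the deny entry again
set "MODE=%~1"
if "%MODE%"=="" set "MODE=apply"
set "LOG=%SystemDrive%\Cacls.log"
set "MARKER=%SystemDrive%\Cacls.%MODE%.done"
rem Quoted so that paths with spaces survive the FOR loop; add more files here
set FILES="%SystemRoot%\system32\msjet40.dll"

rem Marker per mode: "apply" and "undo" each run at most once per machine
if exist "%MARKER%" goto end

for %%F in (%FILES%) do call :one "%%~F"
echo %date% %time%: mode=%MODE% finished > "%MARKER%"
goto end

:one
if not exist "%~1" (
    echo %date% %time%: %~1 not found, skipped >> "%LOG%"
    goto :eof
)
if /i "%MODE%"=="undo" (
    rem /E keeps the rest of the ACL; /R removes the Everyone entries that /P added
    cacls "%~1" /E /R everyone > nul 2>&1
) else (
    rem /E edits the ACL in place; /P everyone:N adds a deny-all entry for Everyone
    cacls "%~1" /E /P everyone:N > nul 2>&1
)
rem cacls returns 0 on success; a non-zero rc in the log means the ACL was not changed
echo %date% %time%: %MODE% %~1 rc=%errorlevel% >> "%LOG%"
goto :eof

:end
endlocal
exit /b 0
```

Two practical points when deploying it the way the bulletin describes. Changing the ACL on a file under system32 needs administrative rights, so the script only does anything useful when the policy runs it under an account that has them; check Cacls.log on a test client for rc=0 before rolling the policy out. And because the marker file is what makes it run once, re-applying after an undo means deleting Cacls.apply.done (or the log) on the client first.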
