Thursday, 8 October 2015

Getting acquainted with PowerShell Desired State Configuration

Desired State Configuration is a solid choice for administrators who have PowerShell chops. Here's an introduction.

PowerShell Desired State Configuration is a feature introduced in the latter half of 2013 that was included by default with the final releases of Windows 8.1 and Windows Server 2012 R2. It is a configuration management system that uses standards-based Web services to make sure your machines are set up the way you want them to be. In this piece, I’d like to introduce PowerShell Desired State Configuration and show you a bit about how it works and the tasks it can accomplish for you.
But first, a bit of context and a question many administrators have when they first hear of this: what is the point of using PowerShell Desired State Configuration over a tried and true systems management solution like System Center or another third-party tool? There are several advantages, but of them, three stand out the most.
PowerShell Desired State Configuration is included in Windows Server, so there is no additional expense in purchasing licensing and management instances of systems management and configuration deployment software.
PowerShell Desired State Configuration is pretty well agentless, and requires only PowerShell to be installed along with access over port 80 or port 443 to query a Web server to grab configuration information -- there is no additional management overhead for the configuration system.
PowerShell Desired State Configuration looks at only the functions that are defined within a configuration file. It ignores other settings, which makes for a much lighter configuration payload and speeds up other deployments while making it possible to define multiple configurations and stacked workloads (a Web server that is also a file server can get Web server settings without having its file server settings overwritten), a type of deployment that many system management suites cannot deal with easily or even at all.
Pushing and Pulling Configurations
The basic tenet of PowerShell Desired State Configuration is to use two models of defining a desired configuration in order to get machines to either pull the information about the correct configuration from a central repository, or push it to them at various intervals that you as the administrator can define.
The push model is an active configuration model that runs when you issue the Start-DscConfiguration -ComputerName -Path PowerShell cmdlet and immediately pushes out system configurations based on the files stored at the location you entered for the -Path parameter. This is pretty much an immediate "do this now" style of managing your targets and requires you to keep all your configuration files in a central location where they can be accessed by all of the machines you plan on targeting. It requires you always to push; by default there is no subsequent re-checking of configurations.
The pull model is a bit more passive; it involves a server that acts as a clearinghouse for both the configuration files and any components that act as intermediaries for configuring various facets of a computer. You might, for instance, write a custom provider -- a piece of code that gives PowerShell Desired State Configuration the ability to manage something -- that can translate the instructions in configuration files for your homegrown custom line-of-business application. The pull server is just a Web server running IIS that publishes an OData interface (a typical, well-defined and widely supported standard) that PowerShell’s Web service can query to retrieve the actual configuration data. This is the most common method of implementing PowerShell Desired State Configuration and is used in deployments where configurations "drift" away from the desired state over time; PowerShell Desired State Configuration runs periodically, pulls the right configurations down, and silently corrects the configuration back to the desired state.
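The pull model described above is switched on by configuring each target's Local Configuration Manager (LCM) to point at the pull server. The following is an added example, not code from the original article; it uses the PowerShell 4.0 (WMF 4) meta-configuration syntax and assumes a pull server is already reachable over port 443 at the placeholder URL, and that the GUID, node name and paths are replaced with your own.

```powershell
# Added example (not from the original article). Assumes PowerShell 4.0 / WMF 4 on the
# target and an existing DSC pull server; the URL, GUID, node name and paths are placeholders.
Configuration PullClientSettings {
    param (
        [Parameter(Mandatory)] [string]$NodeName,
        [Parameter(Mandatory)] [string]$ConfigurationId,   # GUID naming this node's MOF on the server
        [string]$PullServerUrl = 'https://pullserver.example.com:443/PSDSCPullServer.svc'
    )
    Node $NodeName {
        LocalConfigurationManager {
            RefreshMode                    = 'Pull'
            ConfigurationID                = $ConfigurationId
            # Silently correct drift instead of only reporting it.
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            # Intervals the administrator defines: fetch from the server and enforce every 30 minutes.
            RefreshFrequencyMins           = 30
            ConfigurationModeFrequencyMins = 30
            DownloadManagerName            = 'WebDownloadManager'
            DownloadManagerCustomData      = @{
                ServerUrl               = $PullServerUrl
                AllowUnsecureConnection = 'false'   # require HTTPS rather than plain port 80
            }
        }
    }
}

# Compile the meta-configuration to a MOF and hand it to the LCM on the node.
$id = [guid]::NewGuid().Guid
PullClientSettings -NodeName 'WEB01' -ConfigurationId $id -OutputPath 'C:\DSC\Meta'
Set-DscLocalConfigurationManager -Path 'C:\DSC\Meta' -Verbose

# On the pull server, the node's configuration must be published as <ConfigurationId>.mof
# together with a checksum file; the LCM downloads it on its next refresh.
# Copy-Item 'C:\DSC\WEB01.mof' "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration\$id.mof"
# New-DscChecksum -ConfigurationPath "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration" -Force
```

Setting AllowUnsecureConnection to 'false' is what keeps the configuration data (which can include credentials and internal paths) off the wire in clear text; it is the single setting most worth checking on any pull client you inherit.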
These configuration definitions are in the format of management object files, or .MOF files, which are basically text files listing a set of classes that refer to elements of the Windows operating system the PowerShell configuration engine understands, along with the parameters for each class that define what the desired configuration will look like. Here is what a few lines of an .MOF file look like, just for reference:
instance of PowerPlan as $PP
{
    ResourceID = "[PowerPlan]Default::[BaseServer]JustTheBasics::[VirtualServer]VMWare";
    SourceInfo = "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SELocalConfiguration\\StackExchangeConfiguration\\StackExchangeConfiguration.psm1::20::5::PowerPlan";
    Name = "High performance";
    ModuleName = "PowerPlan";
    ModuleVersion = "1.0";
};
MOF files are generally built manually once and then copied and pasted as necessary. For configurations that involve installing, removing or making sure certain Windows roles and features are present, you can use the built-in cmdlet Get-DscResource. This will give you the correct syntax and any available options for any given resource name. For example, just running that cmdlet as written will present the types of configuration "areas" that PowerShell Desired State Configuration can handle, and the sorts of tasks and configuration directives you can carry out within each area.
Name             Properties
----             ----------
File             {DestinationPath, Attributes, Checksum, Con...
Archive          {Destination, Path, Checksum, Credential...}
Environment      {Name, DependsOn, Ensure, Path...}
Group            {GroupName, Credential, DependsOn, Descript...
Log              {Message, DependsOn}
Package          {Name, Path, ProductId, Arguments...} 
Registry         {Key, ValueName, DependsOn, Ensure...}
Script           {GetScript, SetScript, TestScript, Credenti...
Service          {Name, BuiltInAccount, Credential, DependsO...
User             {UserName, DependsOn, Description, Disabled...
WindowsFeature   {Name, Credential, DependsOn, Ensure...} 
WindowsProcess   {Arguments, Path, Credential, DependsOn...}
As you can see there are a variety of facets of the operating system, from roles and features to scripts to registry settings to credentials, that you can control using DSC.
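In practice you rarely write the .MOF by hand: you write a PowerShell Configuration block using the resources listed above, compile it to a .MOF, push it, and then check for drift. The following is an added example, not code from the original article; it assumes PowerShell 4.0 or later with the built-in PSDesiredStateConfiguration module, and the node name WEB01, the output path C:\DSC and the Contoso paths and registry key are placeholders.

```powershell
# Added example (not from the original article). Assumes PowerShell 4.0+ and the built-in
# PSDesiredStateConfiguration module; WEB01, C:\DSC and the Contoso names are placeholders.
Configuration WebServerBaseline {
    param ([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Only the resources declared here are enforced; everything else on the node is
        # left untouched, which is what lets a Web server configuration and a file server
        # configuration be stacked on the same machine without overwriting each other.
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'   # ordering: feature first, then service
        }

        File ContentRoot {
            DestinationPath = 'C:\inetpub\contoso'    # placeholder path
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        Registry BaselineMarker {
            Key       = 'HKLM:\SOFTWARE\Contoso\DSC'  # placeholder key
            ValueName = 'Baseline'
            ValueData = 'WebServer-1.0'
            ValueType = 'String'
            Ensure    = 'Present'
        }
    }
}

# Compiling writes one <NodeName>.mof per node under -OutputPath.
WebServerBaseline -NodeName 'WEB01' -OutputPath 'C:\DSC\WebServerBaseline'

# Push model: apply the MOF now and wait for the LCM on WEB01 to finish.
Start-DscConfiguration -Path 'C:\DSC\WebServerBaseline' -ComputerName 'WEB01' -Wait -Verbose

# Drift check: returns $true only while every declared resource matches its desired state.
Test-DscConfiguration -CimSession 'WEB01'

# Show the syntax and properties of a built-in resource before using it.
Get-DscResource -Name Service -Syntax
```

Test-DscConfiguration is the piece worth scheduling: run on a timer it turns the push model into a cheap drift detector, and a $false result on a machine nobody changed on purpose is the kind of signal that deserves an incident ticket rather than a silent re-push.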
Those are the basics of PowerShell Desired State Configuration. For more information, check out powershell.org and in particular, the resources there tagged with DSC.

Sunday, 4 October 2015

6 Free Ways to Take Control of Your Internet Privacy
Takeaway: People are more active online than ever, which can mean increased risk of having your data exploited. But there are simple steps everyone can take to minimize danger.
As a trained risk manager I see lots of data regarding how careless individuals are when they venture into cyberspace. People love to log in to their social networks and post pictures, let everyone know where they are going to be and when, then tell the world of their travels and/or shopping sprees. Many people out there don’t even attempt to hide their personal information from the general public – their “friends” – let alone the various criminals and hackers who are swarming the Internet every second of every day. And that isn’t the half of it. We shop online, too, with unfettered abandon, making ourselves open books for any and all to see. Back in the old days, the bad guys had to use a gun to get our wallets and steal our credit cards. Now, we basically give it to them in the form of self-created peepholes in our Internet privacy.
When a deviant breaks into a system that maxes out our credit card, blows a security clearance or steals our identity, we blame the hackers or poor online security. We either forget or in many cases are unaware that there are simple, common-sense steps that we can take toward preventing the breach in the first place. It is human nature to become complacent; however, it is easy enough to rise above the daily haze and protect ourselves with very little effort. Just as we lock our doors at night in the “real world,” we can put a lock on our digital profile.
The following are six free ways to take control of your Internet privacy:
1. Clean Up Your Cyber Footprint
Get a copy of your credit report* and use this as your foundation to correct any misinformation regarding past delinquencies and already closed accounts. Close any and all social media services that you don’t use, and think twice before sharing your personal information with anyone on any platform. At a minimum, make sure your connection is secure (encrypted) by looking for HTTPS:// as opposed to HTTP:// at the beginning of your intended Web address.
2. Isolate Email and Electronic Payment Methods
If you are going to buy online, and most of us do, the smartest thing to do is consolidate your cyber tools. Use a designated email account for ecommerce, and most importantly, if you insist on using plastic, use a dedicated credit card. However, it is always recommended to use an electronic option such as PayPal, Apple Pay or Amazon Payments.
3. Use a Password Generator
Stop using the same weak password – 12345, your middle name or a child’s birthday. Companies including Dashlane.com and Keepass.info offer free password generators and online password vaults that are very effective in protecting you and your personal information from the point of login.
4. Use Caution
Be proactive when browsing the net, as some pages (porn, music, file-sharing sites, etc.) are more apt than others to have spyware, malware and/or hackers lurking about, and there is no way to know when or where you are at risk. Consider taking advantage of free anti-malware and/or anti-virus programs from Microsoft, Malwarebytes, AVG, et al. Learn how to control your cookie intake by adjusting your security-related Internet settings.
5. Heed Warnings
Pop-ups occur for a reason. Don't give out personally identifiable information too easily. Just as you might think twice about giving some clerk at the mall your home address and phone number, keep in mind that simply because a site asks for or demands personal information from you does not mean you have to comply.
6. Don’t Engage
We have all been told “If you don’t have anything nice to say….” That old adage most definitely applies to the Internet, with the emphasis shifting to written speech instead of spoken words. Point is, if you don’t have anything nice to write, don’t. Don’t engage in blogs, chat sessions or other forums where misinformation, hate or other malicious endeavors may be the intent. Deescalate. If you think what you are doing is hurtful, it probably is. Never lash out or try to hurt another’s feelings with your comments online. Remember your written words never go away once posted. They’re trackable and traceable, like a trail of breadcrumbs that can lead back to you months or years after you no longer care or feel differently about the subject or person.
Regarding Terms of Use and Privacy Agreements: All social networks and ecommerce sites have Terms of Use and Privacy Agreements. Don’t be shy about not signing up for a site because you don’t like how they may expose you. Many sites can and do commoditize your data. The only hope that your information won’t be sold is if you are paying for the site or service, and even then they may sell you out. Set your accounts to their highest privacy settings. There are a lot of bad people out there. The more streamlined your route, the safer you and your personal information will be.


Troubleshoot Windows Server file copy errors

Copying large files to a Windows Server file share can sometimes fail. Performance Monitor or PowerShell commands can help find and fix file copy errors.

Server Message Block file shares have existed for long enough that they are generally stable and reliable. However, some administrators have found that copying large files from a Windows 7 or Windows 8 client computer to a Windows Server file share can result in erratic -- and sometimes problematic -- behavior.
The first step in resolving file copy errors is to recognize what type of behavior occurs by design and what behavior indicates a problem. In Windows 7, it is usually easy to distinguish between normal file-copy behavior and problematic behavior. But due to the way the Windows 8 buffering process works, it can sometimes appear as though there are problems when none exist.
When copying a file to a remote file share, Windows 8 uses a memory buffer. It reads a portion of the file into memory, and then writes it to the file share. With smaller files, this technique results in very fast file copy operations. With larger files, the file copy process initially goes very quickly and then slows to a crawl (Figure A).
Copying files over the network
Figure A: When copying a large file in Windows 8 to a file share on the network, the transfer will start fast then slow significantly.
If the file being copied is not excessively large, then the behavior in Figure A will continue until the copy finishes. For larger files -- or computers with smaller buffers -- the copy operation will occur in spurts. Large chunks of data will be copied, with periods of little to no activity in between. These slowdowns occur as the operating system flushes and then repopulates the buffer (Figure B).
Inconsistent file copy behavior
Figure B: In some cases, the file copy process may vary in speed.
Neither of the conditions shown in Figure A and Figure B indicates a problem. This is normal behavior for Windows 8.1. However, in some cases, the file copy process may time out, resulting in an error message (Figure C).
File copy time-out period

Figure C: In some cases, the copy will fail when the time-out period expires.
This problem only seems to occur when copying very large -- 10 GB and larger -- files. The error message in Figure C is "Error 0x80070079: The semaphore timeout period has expired." This general error can be hard to diagnose. The error can occur with Windows 7, Windows 8 and possibly other versions of Windows. It can be caused by the Windows desktop, Windows Server or the network connecting the two.
Check the server logs
Begin the troubleshooting process by checking the server's event logs. While this error may not generate an event in the log, you may spot something else that could contribute to the time-out.
Next, check if the server or the workstation is causing the problem. Although the Performance Monitor can help, subjective tests are just as effective. Start a large file copy that is likely to produce an error, and then test the responsiveness of the server and the desktop. Can you play a video on the desktop? Can you write files from another desktop to the server while the file copy process is going on? In most cases, you will probably find that the desktop remains responsive, but that the server's performance decreases dramatically.
Use PowerShell for a further diagnosis
If you isolate the problem to the server, then you will need to work to find the exact cause of the problem. The issue is almost always related to a storage bottleneck or network bottleneck. These bottlenecks can be the result of a poorly designed configuration or a health problem. Run the following two PowerShell commands on your file server:
Get-PhysicalDisk
Get-PhysicalDisk | Get-StorageReliabilityCounter | Select-Object ReadErrorsTotal, WriteErrorsTotal, Temperature
These commands will show whether the disks in your server are healthy, and whether or not any read or write errors are occurring. Sometimes, the file-copy time-out error occurs because of an unhealthy disk that cannot keep pace with the I/O requests.
It is also a good idea to review how the server's physical network adapters are being used, especially if the file server is a virtual machine. Imagine that a host server has a single NIC team that it uses for all traffic. Virtualization-related operations, such as live migrations and replication operations, can steal bandwidth from user sessions and cause file copy operations to time out.
If you are not immediately able to solve the file copy errors, then you might be able to temporarily work around the issue by using a dedicated file-copy utility, such as Robocopy, rather than the operating system's built-in copy functionality.
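The two disk commands, the event-log check and the Robocopy workaround above can be wrapped into a small toolkit so the same checks are run the same way every time the time-out recurs. The following is an added example, not code from the original article; it assumes the Storage module that ships with Windows Server 2012 R2, that the disk functions run on the file server, that the copy function runs on a Windows 8 or later client (Robocopy's /J switch is not available on Windows 7), and that the share and paths are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows Server 2012 R2's Storage
# module on the file server and Windows 8+ Robocopy on the client; paths are placeholders.

function Get-DiskHealthReport {
    # Joins each physical disk's health state with its reliability counters and flags
    # any disk that reports read/write errors or an unhealthy status.
    Get-PhysicalDisk | ForEach-Object {
        $disk    = $_
        $counter = $disk | Get-StorageReliabilityCounter
        [pscustomobject]@{
            FriendlyName      = $disk.FriendlyName
            HealthStatus      = $disk.HealthStatus
            OperationalStatus = ($disk.OperationalStatus -join ',')
            ReadErrorsTotal   = $counter.ReadErrorsTotal
            WriteErrorsTotal  = $counter.WriteErrorsTotal
            Temperature       = $counter.Temperature
            Suspect           = ($disk.HealthStatus -ne 'Healthy') -or
                                ($counter.ReadErrorsTotal -gt 0) -or
                                ($counter.WriteErrorsTotal -gt 0)
        }
    }
}

function Get-RecentStorageEvents {
    # Pulls warning-and-above entries from the disk and NTFS providers in the System log,
    # which is where a contributing cause usually shows up around the time of the time-out.
    param ([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'disk', 'Ntfs'
        Level        = 1, 2, 3            # critical, error, warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

function Copy-LargeFileResilient {
    # Workaround while the root cause is investigated: a restartable, retrying Robocopy job.
    param (
        [Parameter(Mandatory)] [string]$SourceDir,
        [Parameter(Mandatory)] [string]$DestinationShare,   # e.g. \\FILESRV01\Share (placeholder)
        [Parameter(Mandatory)] [string]$FileName,
        [string]$LogPath = "$env:TEMP\largecopy.log"
    )
    # /Z resumes a partially copied file after a failure, /J uses unbuffered I/O so the
    # client-side buffer described above is bypassed, and /R and /W bound the retries
    # so a time-out does not stall the job indefinitely.
    & robocopy.exe $SourceDir $DestinationShare $FileName /Z /J /R:5 /W:30 /NP /LOG+:$LogPath
    # Robocopy exit codes below 8 mean no failures (0 = nothing to do, 1 = files copied).
    return ($LASTEXITCODE -lt 8)
}

# Typical use on the server, then on the client:
Get-DiskHealthReport | Where-Object Suspect | Format-Table -AutoSize
Get-RecentStorageEvents -Hours 48 | Format-Table -AutoSize
# Copy-LargeFileResilient -SourceDir 'D:\Exports' -DestinationShare '\\FILESRV01\Share' -FileName 'backup.vhdx'
```

The Suspect flag is deliberately conservative: a disk with even one lifetime write error is worth examining before blaming the network, since a degrading disk is the cause the article's own Get-StorageReliabilityCounter check is meant to surface.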

Saturday, 3 October 2015


Introduction To Automated Patch Management Software In The Enterprise

As companies continue to struggle with budget pressures in a tight economy, the importance of automating routine tasks remains a prominent consideration in the allocation of IT budgets. Patch management software is a prime example of a tedious manual task that benefits greatly from automation, ensuring that all computers remain up to date with the latest patch releases from operating system (OS) and application software vendors.
Keeping computers up to date with the latest patches is no longer just a recommended best practice for corporate IT. The Sarbanes-Oxley Act (SOX) and internal corporate guidelines have codified the requirement for consistent, up-to-date patching of all computers in a given IT infrastructure.
Patch management software offers companies the ability to abide by industry best practices while also complying with any applicable regulatory requirements for the securing of IT systems against possible malware or unauthorized intrusions.
Why patch operating systems and software?
Rather than relying on industry best practice recommendations for manually keeping all OS and applications up to date with patches, patch management software enables IT pros to delegate that task to sophisticated software that can seamlessly handle the distribution process. Patch management software can also provide automated compliance reports that document which computers are -- and are not -- up to date, as well as sending notifications to admins based on successful or unsuccessful patch activities.
One need only refer to recent, well-publicized outbreaks of malware that were specifically designed to attack vulnerabilities in popular software such as Microsoft SQL Server to see that patching isn't just a good idea; keeping patches up to date is a mandatory component of the IT software management process.
How does automated patching work?
Most patch management software requires the installation of an agent on target computers. This agent provides a connection between the patch management server and the computers to be patched. Agents can also handle patching tasks such as sending alerts, caching patches locally on the target computer prior to installation, and retrying failed patch installations.
Many admins are understandably reluctant to install an agent on hundreds or thousands of computers just to handle patch management. This is one of the reasons that standalone patch management software is frequently included in an integrated bundle with other monitoring and management software that also requires an agent.
Installing one agent that, for example, facilitates patch management, performance monitoring and server health statistics is usually a better strategy than installing three separate agents that each address different aspects of managing a target computer. Any modern patch management software will include agents that run on all recent versions of Windows, Linux/UNIX and, in a nod to the BYOD movement currently afoot, will frequently include agents that run on mobile platforms such as Android or iOS.
Patch management caveats
As it turns out, the practical challenges of patch management are not usually in the distribution of the patches themselves. Pushing patches across a modern network with patch management software is a relatively simple process, once all of the target computers have an appropriate agent installed. The trick comes not in how to push patches but rather in which patches should be pushed to targets and when.
Even though software vendors regularly release patches -- and experts usually recommend installing these immediately -- there is also a patch management best practice that all patches should be installed and tested in a development or test environment before those patches are pushed to all pertinent computers requiring the patch. Why? Because, while it's a logical assumption that software vendors would never release a patch that might break existing software, it's not difficult to find examples of patches that addressed one or more existing issues while also breaking other features or functionality.
Patch admins must also be mindful of the fact that not every software vendor tests its patches against every possible other piece of software running in IT. The only thing worse than not applying a patch that could leave software vulnerable, is to install a patch that breaks other pieces of software in the process.
The cost of automating patch management
The cost of purchasing automated patch management software is as varied as the many patch management products on the market. There are freeware versions of patch management products, there are standalone products for those with a budget but also on a budget, and there is patch management software that is integrated within an all-encompassing monitoring and management software suite.
There is no one right answer for which type of patch management software is the best fit for a specific situation. Each method of patch management software licensing represents a different price point and feature set that will help guide organizations to the best product within their budget. 
Part of the patch management product comparison process is to examine the tradeoffs between price and features, then settling on a short list of the software that most closely aligns with your requirements and budget. Although patch management automates a previously manual process, organizations must still include costs for administration of their chosen patch management product. Even automated patch management products require trained expertise to configure and maintain the product.
To patch or not to patch
Automating a patch distribution process is a best practice that must not be ignored or allowed to fall by the wayside. Keeping patches up to date can protect companies from exposure to malware or intruders, but considering the requirements of maintaining SOX compliance, patch management software can also keep company CEOs and/or CIOs out of hot water with government regulators, internal auditors or shareholders.
That said, IT must always weigh the benefits of automating a task with the possible downside that automation software doesn't always behave as automatically or as appropriately as expected. This is where testing of all patches prior to pushing those patches to target computers becomes key.
A comprehensive patch management strategy keeps vulnerabilities at bay while also protecting the company and its leadership from regulatory trouble. No company can afford to ignore either risk in the modern world of patch management compliance.
The next article in this series will present various real-world scenarios and use cases for patch management software to consider when making the decision to purchase an automated patching product. It will compare standalone patch management products versus patch management software as part of a comprehensive monitoring framework. It'll also provide IT professionals with the tools and techniques to make a solid business case to executive management for the appropriate patch management products.


How to Create a Windows 10 Password Reset Disk

Have you ever had a fear of not remembering your Windows account password? You don’t have to worry if you’re willing to plan ahead. In this article, we take a look at one method you can use to reset your Windows 10 password.
Getting Started
A password reset disk is a removable storage device you can use to reset your password in the event you forget it. You’ll need the following to create one of these:
·         Access to the local user account for which you wish to make the password reset disk
·         A USB flash drive
Note that password reset disks apply to local user accounts. If your Windows 10 user account is connected to your Microsoft account, then you can follow the steps outlined here by Microsoft to begin the password reset process and therefore shouldn’t follow the advice in this article: https://account.live.com/ResetPassword.aspx
USB flash drives are quite inexpensive and even a minimal capacity variant will do: 1GB or less is plenty. Look online to find the best prices or visit a local store. Ideally you’ll use this USB flash drive only as a password reset disk and for nothing else.
The instructions contained within this article apply to all versions of Windows 10.
Creating a Password Reset Disk
First, log in to your computer under the user account for which you wish to create a password reset disk. Once logged in, connect your USB flash drive to one of your computer’s USB ports. It may take a minute or two for Windows to finish installing the flash drive – you’ll be notified when it’s finished.
Next, it’s time to start creating the password reset disk. Open the Start menu (yes, it’s back) by clicking the Windows icon in the lower left of your screen. When opened, type control panel into the search and wait for the results to display.
Open the Control Panel by clicking it in the list of search results. It should be the first result listed.
(Note: although Windows 10 features a new Windows Settings desktop app to manage computer settings, it can’t be used to create a password reset disk which is why we’re going through the traditional Control Panel.)

In the Control Panel, ensure the View by drop-down at the upper right is set to Category (if not, change it). Then click the green User Accounts link. On the screen that follows, click the User Accounts link once more. Doing so will take you to your user account settings.

On the left side of the screen, click the link to Create a password reset disk. The password reset disk wizard will open in a new window.

In the first screen that opens, click the Next button. In the subsequent screen, select the USB flash drive that you connected to your computer earlier. This will likely be labeled D:\ or E:\. Click the Next button after you’ve selected your drive.
(Note you can’t select C:\ drive, which is where Windows is installed – it wouldn’t be very secure to have a file to reset your password on the same drive as the operating system.)

You’ll be asked to enter your password on the following screen; do so, then click the Next button. The wizard will now create your password reset disk. This should take less than a minute to complete. Click the Next button on that screen after it completes, and then the Finish button on the last screen to exit the wizard.
You’ve successfully created a Windows 10 password reset disk!
Using a Windows 10 Password Reset Disk
Using a password reset disk in Windows 10 is simple. At the Windows login screen, click your user account and then type your password incorrectly. A link will appear with the text Reset your password …. underneath it. Click this link and connect your USB flash drive password reset disk to your computer. Follow the few quick steps in the wizard to complete the process; you’ll be able to enter a new password for your account without having to know the current password.
Naturally, you’ll want to keep the password reset disk in a safe place as anyone with access to your computer can use it to reset the password for your user account.
Conclusion
Password reset disks are useful in the event you forget the password to your local Windows 10 user account. Note that the advice we provided applied to local accounts only – for Microsoft accounts, you’ll want to follow Microsoft’s guidance here to get your password reset: https://account.live.com/ResetPassword.aspx. Most non-business users running Windows 10 will likely be connected to a Microsoft account.
For local account users however, password reset disks can be especially useful in the event you’re setting up a computer for someone else, such as a family member, who you think may forget their password at some point. Create a password reset disk for them for such an event. Ensure you keep your password reset disk in a safe place, as anyone with access to your computer can use it to reset the password for that user account!

How the brave virtualize DNS, AD and other core IT services

Critical IT infrastructure services -- DNS, DHCP servers -- don't need to live in the physical realm.

If the virtual platform is sufficient to host critical applications, why aren't all infrastructure services virtualized?
Not all IT infrastructure services are created equal. Some services are less critical, like a PXE boot server used occasionally to build new servers. Others are highly critical, like DNS services that locate everything inside and outside the company.
Most IT organizations have already virtualized those less important services, while some of the critical infrastructure services remain on physical hosts. Is it time to virtualize the last of these services? Should they reside alongside existing workloads, or in isolation?
Data centers forgo the benefits of virtualization for critical infrastructure mainly due to how we manage the virtualization platform when something goes wrong. We rely on IT infrastructure services for troubleshooting. If the entire infrastructure lives on the virtual platform, what do we have when the platform is down? Having been in this situation with an enterprise that was not prepared, I can tell you it takes a lot of work to get back in control. With some planning however, it is usually possible to virtualize critical services without risking this lockout.
Things people don’t virtualize
The IT infrastructure services commonly left on physical servers are Active Directory (AD) domain controllers (DCs) -- sometimes multiple DCs. They provide authentication, name resolution (DNS) and usually IP address allocation (DHCP). These are some of the most fundamental network services -- almost everything on your network depends on them.
Active Directory allows a scale-out redundancy model: multiple DCs that share the AD workload and continue to operate in the event that some DCs go down. Make sure the AD role of Global Catalog, as well as the DHCP and DNS server roles, is on multiple VMs before a failure. These services need to be available regardless of whether parts of the platform fail.
Proper planning enables a virtualized DNS, DHCP or AD infrastructure that survives single and even multiple failures and continues to deliver services to applications.
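The planning step above amounts to a concrete check: is each of Global Catalog, DNS and DHCP served by at least two hosts, so that a single VM or host failure leaves the service up? The following is an added example, not code from the original article; it assumes the ActiveDirectory, DnsClient and DhcpServer PowerShell modules (RSAT) and rights to query the domain, and the domain name is a placeholder.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory, DnsClient and
# DhcpServer modules (RSAT) and domain query rights; the domain name is a placeholder.
function Test-CoreServiceRedundancy {
    param ([string]$Domain = (Get-ADDomain).DNSRoot)

    # Domain controllers holding the Global Catalog role.
    $gcs = Get-ADDomainController -Filter * -Server $Domain |
           Where-Object IsGlobalCatalog |
           Select-Object -ExpandProperty HostName

    # Authoritative DNS servers for the domain, as published in its NS records.
    $dns = Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'NS' |
           Select-Object -ExpandProperty NameHost

    # DHCP servers authorized in Active Directory.
    $dhcp = Get-DhcpServerInDC | Select-Object -ExpandProperty DnsName

    $services = [ordered]@{ 'Global Catalog' = $gcs; 'DNS' = $dns; 'DHCP' = $dhcp }
    foreach ($svc in $services.GetEnumerator()) {
        [pscustomobject]@{
            Service   = $svc.Key
            Hosts     = (@($svc.Value) -join ', ')
            Redundant = (@($svc.Value).Count -ge 2)   # fails the check when one host carries the role
        }
    }
}

Test-CoreServiceRedundancy -Domain 'corp.example.com' | Format-Table -AutoSize
```

A row with Redundant set to $false is the service that will take the whole platform down with it if its only VM is on a failed host; pair this output with the VM-to-host placement of each named machine to confirm the redundant copies do not share a single host or datastore.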
Small IT deployments
An IT shop with fewer than six virtual servers and only one data center location has limited options when virtualizing IT infrastructure services. At this small scale, the organization probably relies on manual efforts of staff members to keep IT infrastructure services up. Smaller organizations may be confident that their staff can overcome any shortcomings of process and automation, but any larger organization will want standardization and automation to handle every eventuality.
Small organizations can place all their infrastructure services on their virtualization platform if the systems engineers have the expertise to restore services if something fails. If relying on staff prowess isn't acceptable, then even a small organization needs to behave like a larger one -- which involves more money.
Single site, management cluster
The next scale up from a small deployment involves only one site that is home to enough virtual servers (VMware ESXi and vSphere virtualization is used in this example) that it is cost effective to build a management cluster. The VMs that deliver applications to end users run in one or more workload virtual clusters. The management cluster is a separate set of ESXi servers that run only the infrastructure VMs.