Author: <span class="vcard">fenneh</span>

How to rename your Ubuntu 12.04 Server

So, you just screwed up the name of your Ubuntu server?

Well that can be changed in no time and with no downtime

Just follow the ermm following;

  • Set a new hostname (takes effect immediately, no reboot needed)
sudo hostname your.brand.new.host.name
  • Edit the /etc/hosts file and replace the old name with the new one (on Ubuntu it sits on the 127.0.1.1 line)

sudo vi /etc/hosts

  • Edit the /etc/hostname file so the new name survives a reboot

sudo vi /etc/hostname

In some circumstances, you may also have to change the /etc/resolv.conf file. One caveat: anything that read the hostname when it started (mail, syslog, monitoring agents) keeps the old name until you restart it, so "no downtime" holds for the box, not necessarily for every service on it.

Simple, yes! But worth 90 seconds to write out ;P


Windows Perfmon Counters, which ones matter and why


How to Send an e-Mail from Powershell

Thought I’d slam this up here considering I’ve written the little snippet for this (I say wrote, it’s no doubt in many places on the net)

This little bit of code has a lot of potential, it can be used to automate report sending, notifications, outputs of queries etc!

In time I’ll post some examples of how to use it, but if you’re just looking for a clear-cut way of how to fire an e-mail off, then here it is

This script utilizes the inbuilt Send-MailMessage cmdlet built into PowerShell V2.0, more information can be found at the following http://technet.microsoft.com/en-us/library/dd347693.aspx
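An added example of the kind of wrapper the post is talking about, not the author's own snippet: it takes a set of PowerShell objects, renders them as an HTML report and hands them to Send-MailMessage over TLS with a credential the caller supplies. The SMTP host, sender and recipient addresses in the usage lines are placeholders.

```powershell
# Added example, not the post's snippet: a small wrapper around the built-in
# Send-MailMessage so a script can mail a report built from PowerShell objects.
# Placeholders (not from the post): the SMTP host, sender and recipient
# addresses in the usage lines, and the credential object the caller supplies.
function Send-ReportMail {
    param(
        [Parameter(Mandatory=$true)] [string]   $SmtpServer,
        [Parameter(Mandatory=$true)] [string]   $From,
        [Parameter(Mandatory=$true)] [string[]] $To,
        [Parameter(Mandatory=$true)] [string]   $Subject,
        [Parameter(Mandatory=$true)] [object[]] $Report,   # objects rendered as an HTML table
        [System.Management.Automation.PSCredential] $Credential,  # relay login; prompt or pull from a vault, never hardcode
        [int]    $Port  = 587,
        [switch] $NoSsl                                   # only for an internal relay you trust
    )

    # Escape the subject before it goes into markup; ConvertTo-Html encodes the
    # cell values itself, so a hostile string in the report cannot inject HTML.
    $heading = [System.Security.SecurityElement]::Escape($Subject)
    $body = $Report | ConvertTo-Html -As Table -PreContent "<h2>$heading</h2>" | Out-String

    $params = @{
        SmtpServer  = $SmtpServer
        Port        = $Port
        From        = $From
        To          = $To
        Subject     = $Subject
        Body        = $body
        BodyAsHtml  = $true
        ErrorAction = 'Stop'
    }
    if (-not $NoSsl)  { $params.UseSsl     = $true }   # STARTTLS on 587; without it the relay login crosses the wire in clear
    if ($Credential)  { $params.Credential = $Credential }

    try {
        Send-MailMessage @params
        return $true
    }
    catch {
        Write-Warning "Mail to $($To -join ', ') via $SmtpServer failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage: mail a list of stopped services as a report (values are illustrative).
# $cred    = Get-Credential                    # ask for the relay password at run time
# $stopped = Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Select-Object Name, DisplayName -First 5
# Send-ReportMail -SmtpServer 'smtp.example.com' -From 'reports@example.com' -To 'ops@example.com' `
#                 -Subject 'Stopped services' -Report $stopped -Credential $cred
```

The function returns $true or $false rather than throwing, so a scheduled report job can log the failure and carry on. Note that newer PowerShell releases flag Send-MailMessage as obsolete because it cannot guarantee a secure connection to the relay; it still works, but keep -UseSsl on unless the relay is on a network you control.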


Migrating All My Scripts to Gist @ Github

I actually noticed today that the formatting is totally screwed on any of the scripts, or snippets of code I’ve posted.

So what I’ll be doing from now on is uploading all code snippets to Github’s Gist so in the future if any lost Sysadmin stumbles across this page then you’ll have an easier time modifying and reading the code thanks to the inbuilt syntax highlighting 😀

You’ll be able to view all these code snippets over at https://github.com/fenneh

Enjoy!


PCI, IIS7.5, BEAST Vulnerability… Done’n’dusted!

As mentioned in a previous article, I’ve recently been trying to lock down our IIS servers a little bit more, mainly for PCI compliance.

On these ventures something was noticed: the RC4 ciphers we had enabled were not actually working!

We ummed and ahhed to no result. After checking over Microsoft documentation, the problem became a little clearer.

It seems on Server 2008R2/IIS 7.5, simply setting the registry values for the ciphers to 1 wasn't enough. They HAVE to be set to 0xffffffff (that's 4294967295 in decimal) ;P

Something which was also noted was that TLS 1.1 and 1.2 hadn't been activated. These need an extra registry value next to Enabled: DisabledByDefault, which has to be 0 under the protocol's Server key before SCHANNEL will offer it (Yep…)

So without much more jibberish, here's the updated PowerShell functions/scripts to help aid you with making your IIS7.5 servers PCI compliant.
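The revised functions themselves live on the author's Gist; what follows is an added example, not the Gist script, of the same SCHANNEL protocol settings written with the registry provider, with the 0xffffffff value and the DisabledByDefault value the post ran into, plus a read-back so you can see what the server will offer after the reboot. It assumes an elevated shell, touches only the Server side (IIS), and goes one step beyond the post by switching SSL 3.0 off as well, which the 2012 version left on.

```powershell
# Added example, not the post's Gist script: the revised SCHANNEL protocol
# settings the post describes for Server 2008 R2 / IIS 7.5, using the registry
# provider instead of reg.exe, plus a read-back. Assumptions: run elevated; only
# the Server side is touched (IIS); SSL 3.0 is switched off here as well, which
# the post's 2012 version left on.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# PowerShell parses 0xffffffff as the Int32 -1; the registry stores it as the
# DWORD FFFFFFFF (4294967295), the value 2008 R2 actually honours. A plain 1
# was observed not to take effect.
$Enabled  = [int]0xffffffff
$Disabled = [int]0

function Set-SchannelDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
}

function Set-IISSecProtocols {
    # Protocol => on/off for the Server side. TLS 1.0 is left on to match the
    # post; on any current estate it belongs in the off list with SSL 3.0.
    $protocols = @{
        'PCT 1.0' = $false
        'SSL 2.0' = $false
        'SSL 3.0' = $false
        'TLS 1.0' = $true
        'TLS 1.1' = $true
        'TLS 1.2' = $true
    }
    foreach ($name in $protocols.Keys) {
        $key = Join-Path $Schannel "Protocols\$name\Server"
        $on  = $protocols[$name]
        Set-SchannelDword $key 'Enabled' $(if ($on) { $Enabled } else { $Disabled })
        # The extra value the post ran into: TLS 1.1/1.2 stay off until this is 0,
        # and setting it to 1 is the cleanest way to keep a protocol off.
        Set-SchannelDword $key 'DisabledByDefault' $(if ($on) { 0 } else { 1 })
    }
}

function Get-IISSecProtocols {
    # Read back what is in the registry; -1 shown for Enabled means 0xffffffff.
    foreach ($name in 'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        $key = Join-Path $Schannel "Protocols\$name\Server"
        $enabled = 'not set'
        $dbd     = 'not set'
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            if ($props.PSObject.Properties['Enabled'])           { $enabled = $props.Enabled }
            if ($props.PSObject.Properties['DisabledByDefault']) { $dbd     = $props.DisabledByDefault }
        }
        New-Object PSObject -Property @{ Protocol = $name; Enabled = $enabled; DisabledByDefault = $dbd }
    }
}

# Usage (then reboot; SCHANNEL reads these at boot):
# Set-IISSecProtocols
# Get-IISSecProtocols | Format-Table Protocol, Enabled, DisabledByDefault -AutoSize
```

Run Get-IISSecProtocols again after the reboot and compare it with an external check (an SSL scanner against the site) before calling it done: the registry says what you asked for, the handshake says what you got.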

Now, that’s the ciphers and security protocols set up.

The last step to make your servers BEAST immune is to change the SSL cipher priority.

This is done by creating a GPO!

  1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
  2. Expand Computer Configuration\Administrative Templates\Network, and then click SSL Configuration Settings.
  3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
  5. Follow the instructions labeled How to modify this setting.

It is necessary to restart the computer after modifying this setting for the changes to take effect.

The list of cipher suites is limited to 1023 characters.

See http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx for more indepth instructions.

The one thing to note for this is that the RC4 ciphers NEED to be at the top of this list, as BEAST targets the CBC-mode suites under TLS 1.0 and RC4 is a stream cipher, so it is not affected. (A caveat for anyone reading this later: RC4 itself has since been shown to be weak, is prohibited by RFC 7465 and gets flagged by PCI ASV scans, so today the answer is TLS 1.2 with AES-GCM suites first and no RC4 at all.)

A great write-up of this by Steve Dispensa can be found over here http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php

He even includes an example string for the cipher priorities!
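As an added example, not Steve Dispensa's string or the post's Gist, here is the same "SSL Cipher Suite Order" setting written straight into the policy registry key the GPO lands in, with the two checks a practitioner wants before rebooting: the 1023-character limit the policy imposes, and a sanity check on each suite name, since a misspelled entry is one SCHANNEL will never match. The suite list at the bottom is a constructed illustration in the spirit of the post's 2012 reasoning (RC4 first), not current advice; it assumes an elevated shell.

```powershell
# Added example, not Steve Dispensa's string or the post's script: writes the
# same "SSL Cipher Suite Order" policy the GPO steps above set, straight into
# the policy registry key the GPO lands in, with a length and name check first.
# The ordering at the bottom follows the post's 2012 reasoning (RC4 first,
# because CBC suites were the BEAST target); RC4 has since been broken and
# prohibited (RFC 7465), so that list is an era illustration, not advice.
# Assumption: run elevated; a reboot is required afterwards.

$CipherOrderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Test-CipherSuiteList {
    param([string[]]$Suites)
    $errors = @()
    foreach ($s in $Suites) {
        # Suite names are TLS_/SSL_ followed by letters, digits and underscores
        # (2008 R2 ECDHE names carry a _P256/_P384 suffix, which this allows).
        if ($s -notmatch '^(TLS|SSL)_[A-Z0-9_]+$') { $errors += "bad suite name: '$s'" }
    }
    $dupes = $Suites | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }
    foreach ($d in $dupes) { $errors += "duplicate suite: $d" }
    $joined = $Suites -join ','
    if ($joined.Length -gt 1023) { $errors += "list is $($joined.Length) chars, limit is 1023" }
    return $errors
}

function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    $errors = Test-CipherSuiteList $Suites
    if ($errors.Count -gt 0) { throw ("Refusing to write cipher order:`n" + ($errors -join "`n")) }
    if (-not (Test-Path $CipherOrderKey)) { New-Item -Path $CipherOrderKey -Force | Out-Null }
    # Same value the GPO writes: REG_SZ "Functions", comma-separated, no spaces.
    Set-ItemProperty -Path $CipherOrderKey -Name 'Functions' -Value ($Suites -join ',') -Type String
}

function Get-CipherSuiteOrder {
    if (-not (Test-Path $CipherOrderKey)) { return @() }
    $v = (Get-ItemProperty -Path $CipherOrderKey).Functions
    if ($v) { return ($v -split ',') } else { return @() }
}

# Constructed illustration of the post-era ordering: RC4 suite first, then the
# CBC suites 2008 R2 offers. Do not copy this onto a server today.
$BeastEraOrder = @(
    'TLS_RSA_WITH_RC4_128_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

# Usage:
# Set-CipherSuiteOrder $BeastEraOrder
# Get-CipherSuiteOrder
```

Writing the key directly is useful on a server that is not domain-joined or while testing; on domain members keep using the GPO, because Group Policy will overwrite whatever is in that key at the next refresh.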

But that’s that.. for now. If only we could move onto TLS1.2!


Disabling SSL2.0 & Others for IIS7.5 for PCI! /w Powershell

=========================================================

Just to note, this has since been revised. You can see the changes @ http://justfen.com/post/22121613280/pci-iis7-5-beast-vulnerability-donendusted

=========================================================

So, recently been touching up some of our setups for PCI compliance, one of the things we failed on was the fact SSL2.0 and other Protocols were enabled on our IIS7.5 sites.

This had to be implemented into our Web Server deployment scripts and was done with the following;

function Set-IISSecProtocols {
    # Pre-revision version (see the note at the top of this post): a value of 1 was
    # later found not to take effect on 2008 R2 and was replaced with 0xffffffff.
    $protopath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    & reg.exe add "$protopath\PCT 1.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$protopath\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$protopath\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
    & reg.exe add "$protopath\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
    & reg.exe add "$protopath\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 00000001 /f
    & reg.exe add "$protopath\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 00000001 /f
}

And for the Ciphers;

function Set-IISCiphers {
    # Weak ciphers off, RC4 128, 3DES and AES on (same pre-revision values as above).
    $cipherpath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
    & reg.exe add "$cipherpath\NULL" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\DES 56/56" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC2 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC2 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC2 128/128" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC4 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC4 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC4 64/128" /v Enabled /t REG_DWORD /d 00000000 /f
    & reg.exe add "$cipherpath\RC4 128/128" /v Enabled /t REG_DWORD /d 00000001 /f
    & reg.exe add "$cipherpath\Triple DES 168/168" /v Enabled /t REG_DWORD /d 00000001 /f
    & reg.exe add "$cipherpath\AES 128/128" /v Enabled /t REG_DWORD /d 00000001 /f
    & reg.exe add "$cipherpath\AES 256/256" /v Enabled /t REG_DWORD /d 00000001 /f
}

For these changes to take effect you must restart the machine, yes REALLY. I actually fell for the trap, so thought I'd share!

And yes, it's a little dirty but it works! (Note that this version still leaves SSL 3.0 and TLS 1.0 on, which was acceptable for PCI at the time; both have since been deprecated by PCI DSS, so don't copy the values without checking the current requirements.)


Automating Software Deployment With Ninite!

So, as in a previous post you’ve seen, I was using PDQDeploy to push software out across our network.

Now, I’ve got to the point where I’m fed up of having to set up new tasks, packages, hacking .MSI’s, creating transforms for each deployment… So I came back to Ninite.

When I was first looking for a solution to our software patching woes I’d originally looked at Ninite, something like deploying a Ninite installer with a silent switch, this was quickly shelved… it seemed pretty unsupported and wasn’t the most robust of sounding strategies. Saying that, this was over a year ago so recently I decided to check them out again. In that time they’ve now released a very cheap PRO version which can now mimic the functionality of Linux’s apt-get -somewhat-.

This got me thinking about a few possibilities, so I set out to set up an automated software patcher using it by using a little batch script and some PowerShell to pull machines to deploy to.

The Plan

  • Automate software deployment
  • Generate a list of target machines to patch
  • Use PowerShell to generate this list from AD
  • Create a batch file and attach to scheduled task with some logging.

Pulling the data from AD

Now I went down a few routes for this, the first was using some of PowerQuest’s AD CMDlets but I was sure there was another method. My chosen one was to use ADSI.

So without further babble from me here’s the PowerShell script I used to generate a list of machines for Ninite to use to target

$NiniteADSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'LDAP://OU=The,OU=Computer,OU=Group,DC=My,DC=Domain,DC=Name', '(objectCategory=computer)')
$NiniteADSearch.FindAll() | ForEach-Object { $_.Properties.name } | Out-File NiniteTargets.txt -Encoding Default

This lil script when run will pull a list of Machines from the OU you’ve set it to, and all the sub OU’s. As in my domain, all Desktops and Servers are in completely different OU’s, this wasn’t an issue.

The script will also output the result into a file called NiniteTargets.txt in the directory you ran it from using ANSI encoding (Ninite will bomb out without this encoding, and yes it took a while to find that out)
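An added example, not the post's script, of the same ADSI search with the things that bite once the domain is bigger than a test OU: disabled computer accounts are skipped, stale machines are skipped, the search is paged (an unpaged DirectorySearcher stops at 1000 results without saying so), and the file still goes out as ANSI. The OU path is the post's placeholder, not a real DN, and -Encoding Default means the system ANSI code page under Windows PowerShell, which is what the post targets (PowerShell 7 treats Default as UTF-8, so test the file against Ninite there).

```powershell
# Added example, not the post's script: the same ADSI search, extended with the
# three things that bite in a larger domain and the output check the post found
# the hard way. The OU path is the post's placeholder, not a real DN.
function Get-NiniteTargets {
    param(
        [string]$SearchBase = 'LDAP://OU=The,OU=Computer,OU=Group,DC=My,DC=Domain,DC=Name',
        [string]$OutFile    = 'NiniteTargets.txt',
        [int]   $MaxAgeDays = 60    # skip machines that have not logged on for this long
    )
    # Only computer objects, and not disabled ones: bit 0x2 of userAccountControl,
    # tested with the LDAP_MATCHING_RULE_BIT_AND rule. A disabled account is a
    # machine that is gone or deliberately off, and pushing installs to a name
    # that something else may now answer to is not what you want.
    $filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase, $filter)
    $searcher.PageSize = 1000              # without paging the server stops at 1000 results, silently
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('lastLogonTimestamp')

    # lastLogonTimestamp is a FILETIME and replicates lazily (it can be ~14 days
    # behind), hence a generous cut-off. No value at all means never logged on.
    $cutoff  = (Get-Date).AddDays(-$MaxAgeDays).ToFileTimeUtc()
    $targets = @()
    foreach ($r in $searcher.FindAll()) {
        $name = [string]$r.Properties['name'][0]
        $last = $r.Properties['lastlogontimestamp']
        if ($last -ne $null -and $last.Count -gt 0 -and [int64]$last[0] -ge $cutoff) {
            $targets += $name
        }
    }
    $targets = @($targets | Sort-Object -Unique)
    # ANSI, one name per line, as the post found Ninite requires.
    $targets | Out-File -FilePath $OutFile -Encoding Default
    return $targets
}

# Usage (run from the Ninite folder so the batch file picks the list up):
# $list = Get-NiniteTargets
# "$($list.Count) targets written to NiniteTargets.txt"
```

The function also returns the list, so the calling script can refuse to run the deployment when the count is zero or wildly different from last time, which is the cheapest guard against an OU rename or a replication hiccup quietly emptying or flooding the target file.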

Plugging the results into a batch file

So you’ve managed to generate your list of machines, time to feed these into the Ninite Pro program.

This was simply done using the cmd line switches which are documented here.

My batch file looked something like the following;

set NiniteScript=D:\Ninite\NiniteMachineGenerate.ps1
set NiniteTargets=D:\Ninite\NiniteTargets.txt
set NiniteCache=D:\Ninite\NiniteCache
set NiniteLog=D:\Ninite\log.txt
powershell.exe -command %NiniteScript%
NiniteOne.exe /updateonly /remote file:%NiniteTargets% /disableshortcuts /disableautoupdate /cachepath %NiniteCache% /silent %NiniteLog%

ECHO

So what does this batch file do?

  1. Will only update currently installed apps
  2. Will generate and feed list of target machines in from the NiniteTargets.txt file generated by PowerShell script
  3. Will disable shortcuts and auto updates
  4. Will cache the installer/patch files to selected directory
  5. Will install updates silently and log the results to selected log file
And that’s about it, the result of this is an automated patching system when you set the batch file to be run as a scheduled task.
A word to the wise though, you may want to try playing around with NiniteOne.exe manually before just doing this, it’s still relatively new and you don’t want to be screwing up a big deployment now do you ;)?
I hope this helps some admin out there, especially those with a pretty tight budget.

Mozilla Firefox 10 ESR

For those out of the loop… Firefox 10 ESR is Mozilla’s attempt at trying to recoup some of their market share by catering (I use this word very loosely) to enterprise companies by now offering a deploy-able and supposed customizable Firefox package.

Now, personally, I’ve been deploying Firefox for some time by using Frontmotion .msi packages, those guys are great and will pack up a tidy .msi in no time which can then be edited in Orca to disable features such as Auto Update etc…

But none the less, Mozilla are giving it a whirl despite 7 months ago telling enterprise customers to “Drop Dead” (Source).

So, without further ado here are the gory details of Mozilla’s attempt to leap back up on market share.

Mozilla will offer an Extended Support Release (ESR) based on an official release of Desktop Firefox. Releases will be initially maintained for nine release cycles (currently 54 weeks, which is close to the target of 52 weeks the proposal is attempting to hit), with point releases coinciding with regular Firefox releases.

To permit organizations sufficient time for testing and certification, the ESR will have a two cycle (12 week) overlap between the time of a new release and the end-of-life of the previous release. This will allow organizations who control updates (e.g. have disabled automated updates) to Firefox to qualify and test against Aurora and Beta builds for twelve weeks leading up to the ESR, and an additional 12 weeks to certify and transition to a new ESR. Organizations that rely on Firefox's built-in updater may be limited to a transition period of 6 weeks, dependent upon how the ESR releases are maintained.

The proposal can be read here.

Now, whilst I don’t totally agree with what is proposed I’ve gone ahead and deployed it to all non-developers within my organization.

Hold on a second, where can you download it?

Ah, well this was the very very first issue I had. Even though it had been released, finding the actual download was quite an issue even with my expertise in google-fu.

You can find the downloads tucked away on the Down…wait no, the FAQ page (I must confess since the first draft of this post there is now a download page located here)

Wait… it’s an .exe, enterprise??

Yeh well… uhmm.. :/ I don’t know

And, how to deploy?

Personally, I used PDQDeploy to deploy it, but you can use any of the usual methods of PSEXEC, GPO etc to get it done.

One thing you’ll want to know is the silent switch which is simple /s or I believe -ms this will allow you to deploy it and to have it install without user interaction.

Also from what I can gather it can install over the top of previous Firefox installs, but this may need a little more testing!

Best of luck!


Trello – Organise Work and Life

I guess I’ve lacked a little bit of content up and over on here. The goal of this Blog? was to really give me a reference to look back on and see how much I’ve improved.

It was only 18 months ago that I was doing lots of data entry, I wasn’t even working in IT and now I’m here with my CCNA, scripting away, destroying group policies, designing fully fault tolerant virtualized systems for our production environments and generally improving every day.

I only wish I started this Tumblr when I started out on my SysAdmin adventures.

But alas, better late than never.

Now, this brings me onto something else, organization of work.

How do you do it? 

I’ve tried multiple things from using a calendar, pen & paper and even such things as Evernote and yet none of them seemed to fit me.

All I was looking for was a place to store ideas, requests, reminders and attach some files and that’s where Trello really has triumphed for me.

The best way to think of Trello is a collection of cork boards, and to each item you place on it you can pin others. These boards can be made public or kept private and are all fully searchable.

For me personally, I’ve found myself having two primary boards, work, and home. Each has a subsection, for work it follows a very Agile/Kanban approach but more tuned to my personal workflow.

For home use, it tracks personal goals, reminders, events etc.

I’m not going to give too much of an in-depth review of it, just an idea for any of those people out there looking to try something new, it’s not much to commit to… just a simple web page, no extra apps, just one page.

But, yep that’s about it. I urge you to try it out, if you’re fighting procrastination or are generally all over the place then try and get everything locked down. Sure, I’m not perfect, but I’m trying.. at the end of the day, it all helps go towards your overall focus.


Automating Windows Updates via Group Policy

A little bit of background information for this one. In the company I work for, we tend to patch everything, it’s a fine practice but when it comes to Windows Servers which we have close to 80 of, all of them are currently being updated by hand.

Now, other than being tedious and annoying it’s a pretty large overhead and consumes quite some time… never mind those which needed to be done outside of office hours.

So, my solution?

Well, the new year had come, I could see the horrific Patch Tuesday on the horizon (second Tuesday of every month) and decided to stamp my foot down.

First thing first, decide a time when this can happen, I opted for 3-5am where there are no Back-Up jobs going on, it’s outside of AV scans etc. This is now called the Update Window

Secondly, split the domain's servers into groups based on a few things: which ESX host they sit on, what services run on them, etc. One thing I kept in mind was to reduce any potential strain on our VM setup (our hosts are a little crowded!) during the machine start-ups, so the machines were distributed evenly between the two security groups.

Next thing was to construct the group policies and as a picture speaks a thousand words, here’s mine

(Screenshot of the Group Policy settings; the image is not included in this copy.)

Once this GPO is published and applied the only other step is to exclude your 2 security groups (Romeo & Juliet in this case) from the default/predefined WSUS GPOs, otherwise the default policy keeps winning and the servers carry on waiting for a human.

And that’s about it! 85% of our internal servers are currently auto-updating every Friday (You never know Microsoft and those damn extra hotfixes!)

TL;DR Make 2 security groups, exclude these from default WSUS GPO’s… copy the GPO above, publish, apply and enjoy.
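Because the screenshot of the GPO is not reproduced here, the following is an added example, not from the post, of how to confirm a server actually received the update-window policy: it reads the Automatic Updates policy values from the remote registry and compares them with what the text describes (scheduled install, Friday, 03:00, pointed at WSUS). Those expected values are an assumption drawn from the text, the group DNs in the usage lines are placeholders, and it needs the Remote Registry service and admin rights on each target.

```powershell
# Added example, not from the post: read the Automatic Updates policy a server
# actually received and compare it with the post's update window. The GPO
# screenshot is not reproduced here, so the expected values are an assumption
# that matches the text (scheduled install, Friday, 03:00, pointed at WSUS).
# Needs the Remote Registry service and admin rights on the target; the group
# DNs in the usage lines are placeholders.
function Test-UpdateWindowPolicy {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$ExpectedDay  = 6,   # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 6 = Friday
        [int]$ExpectedHour = 3    # ScheduledInstallTime: hour of day, 0-23
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $au = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')
        $wu = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')
        $problems = @()
        $warnings = @()
        if ($au -eq $null) {
            $problems += 'no Automatic Updates policy applied (GPO not reaching this box?)'
        } else {
            $auOptions = $au.GetValue('AUOptions')           # 4 = auto download and schedule the install
            $day       = $au.GetValue('ScheduledInstallDay')
            $hour      = $au.GetValue('ScheduledInstallTime')
            $useWsus   = $au.GetValue('UseWUServer')         # 1 = use the WSUS server from WUServer
            if ($auOptions -ne 4)        { $problems += "AUOptions is '$auOptions', expected 4" }
            if ($day -ne $ExpectedDay)   { $problems += "install day is '$day', expected $ExpectedDay" }
            if ($hour -ne $ExpectedHour) { $problems += "install hour is '$hour', expected $ExpectedHour" }
            if ($useWsus -ne 1)          { $problems += 'not set to use the WSUS server' }
        }
        $wsusUrl = $null
        if ($wu -ne $null) { $wsusUrl = $wu.GetValue('WUServer') }
        if (-not $wsusUrl) {
            $problems += 'no WSUS server URL in policy'
        } elseif ($wsusUrl -notmatch '^https://') {
            # A plain http:// WSUS URL lets anyone on the network path hand the
            # server a different catalogue; worth knowing even if it is not the
            # post's concern, so it is reported as a warning, not a failure.
            $warnings += "WSUS URL is not HTTPS: $wsusUrl"
        }

        New-Object PSObject -Property @{
            Computer   = $ComputerName
            Compliant  = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
            Warnings   = ($warnings -join '; ')
            WSUSServer = $wsusUrl
        }
    }
    finally { $hklm.Close() }
}

# Usage: check every member of the two update groups and list the stragglers.
# $results = foreach ($g in 'Romeo', 'Juliet') {
#     $members = ([ADSI]"LDAP://CN=$g,OU=Groups,DC=My,DC=Domain,DC=Name").member   # placeholder DN
#     foreach ($dn in $members) {
#         Test-UpdateWindowPolicy -ComputerName ([string]([ADSI]"LDAP://$dn").cn)
#     }
# }
# $results | Where-Object { -not $_.Compliant } | Format-Table Computer, Problems -AutoSize
```

Run this the morning after the first window: a server that still shows the default WSUS policy values is one that was left in the predefined GPO's scope, which is exactly the exclusion step above going wrong.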