Tag: Powershell

SSH for Windows (Kinda)

Soooo, you’re using your Windows environment and you’re getting kind of sad about how you can’t really SSH into your boxes any more and don’t want to use the clunky GUI and such…

Well, let me introduce you to a few neat little (and rather unknown??) PowerShell cmdlets.

*drumroll*

What do PSSessions allow you to do? Run code on a remote machine. Simple as that.

If you’re having issues getting it working, make sure you have PSRemoting enabled. If not, you can enable it with the following:

Enable-PSRemoting
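
A session lifecycle from start to finish, as an added example that is not code from the original post. The function name Invoke-InSession and the computer name web01 are placeholders.

```powershell
# Added example: run a script block on a remote machine through a PSSession.
# 'web01' in the usage lines is a placeholder, not a host from the post.
function Invoke-InSession {
    param(
        [Parameter(Mandatory = $true)] [string]      $ComputerName,
        [Parameter(Mandatory = $true)] [scriptblock] $ScriptBlock,
        [System.Management.Automation.PSCredential]  $Credential
    )
    # Fail early with a clear message if WinRM is not answering on the target.
    if (-not (Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)) {
        throw "WinRM is not reachable on $ComputerName (is PSRemoting enabled there?)"
    }
    $params = @{ ComputerName = $ComputerName }
    if ($Credential) { $params.Credential = $Credential }

    $session = New-PSSession @params
    try {
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock
    }
    finally {
        # Always tear the session down so it does not linger on the remote host.
        Remove-PSSession -Session $session
    }
}

# One-off command:
#   Invoke-InSession -ComputerName web01 -ScriptBlock { Get-Service W3SVC }
# Interactive shell, the closest thing to "ssh web01":
#   Enter-PSSession -ComputerName web01
```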


Adding Domain/Sender to White list in Exchange 2010

Real simple one, but it’s something which can’t be done from the GUI from what I can see…

To view what currently is in the White List for senders, fire open the Exchange Management Powershell err shell.

And enter the following for individual e-mail addresses:

(Get-ContentFilterConfig).ByPassedSenders

And the following for white listed domains:

(Get-ContentFilterConfig).ByPassedSenderDomains

Now to add something to either of these!

To whitelist a domain e.g. justfen.com you’d do this:

$WhiteDomain = (Get-ContentFilterConfig).BypassedSenderDomains

$WhiteDomain.add("justfen.com")

Set-ContentFilterConfig -BypassedSenderDomains $WhiteDomain

And to Whitelist a sender e.g. me@justfen.com you’d do this:

$WhiteSender = (Get-ContentFilterConfig).BypassedSenders

$WhiteSender.add("me@justfen.com")

Set-ContentFilterConfig -BypassedSenders $WhiteSender

Once you’ve done that, go ahead and confirm your changes by viewing the Bypassed Sender lists using the commands at the start of this post.


Ninite Automation – With E-Mail Confirmation + Logging!

I’ve had quite a bit of communication about the AutoNinite script I wrote quite some time ago, and there were some features in it which I actually wasn’t happy about.

So here I am with my latest version, it can be viewed over on GitHub @ https://github.com/fenneh/NiniteSloth

There are still a few features I want to build into it, such as not having a user have to edit so many variables, altering the report generated with some colour coding,

If you’re looking to run this as a scheduled task, I’ve also included a batch file to call the PowerShell script for a Windows server.

Simply create a new scheduled task, have it recur every day at a certain time and hook it up to the packaged NiniteOne.bat.

But really, please test this in your environments before going crazy and remember… YOU MUST SET THE VARIABLES TO BE SPECIFIC TO YOUR ENVIRONMENT

Hopefully, this will be helpful to some people, it’s currently what is powering the software updates within my own organization.

More “detailed” instructions on how to use it can be viewed here: https://github.com/fenneh/NiniteSloth/blob/master/README.md

If you have any questions, leave a comment or email me at blog[at]fenneh.xyz


How to Prestage a VMware VM in Windows AD via PowerCLI

Recently when working on our deployment of machines, we hit a few brick walls.

The main issue was how long it takes for a template from vSphere to be cloned and then join a domain. The delay is whilst you wait for the machine to Sysprep and VMware to do its magic.

At first, I was dirty and put a delay in our creation scripts before doing anything else to the machine, but this just didn’t cut it.

So, I moved on to pre-staging the VM in our Windows AD, which meant things such as Group Policies and Security Groups would be applied on its very first boot which meant one less reboot before our virtual machines were ready to have applications deployed to them.

Here’s the function which can perform said wizardry… it’s pretty simple but doesn’t seem to be very well documented anyplace.
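
One way to pre-stage the account, as an added example that is not the function from the original post. It assumes the ActiveDirectory module (RSAT) is available; the function name, OU and group names are placeholders.

```powershell
# Added example, not the post's function. Uses the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $OrganizationalUnit,
        [string[]] $Groups = @()
    )
    if ($Name.Length -gt 15) {
        throw "Computer (NetBIOS) names are limited to 15 characters: $Name"
    }
    # Reuse an existing account so the function is safe to re-run.
    $computer = Get-ADComputer -Filter "Name -eq '$Name'" -Properties MemberOf
    if (-not $computer) {
        $computer = New-ADComputer -Name $Name -SamAccountName "$Name`$" `
            -Path $OrganizationalUnit -Enabled $true -PassThru
    }
    # Group memberships set now are already in place on the VM's first boot.
    foreach ($group in $Groups) {
        $groupDn = (Get-ADGroup -Identity $group).DistinguishedName
        if ($computer.MemberOf -notcontains $groupDn) {
            Add-ADGroupMember -Identity $groupDn -Members $computer
        }
    }
    return $computer
}

# Placeholder OU and group names:
#   New-PrestagedComputer -Name 'APP-VM-042' `
#       -OrganizationalUnit 'OU=Servers,DC=example,DC=com' -Groups 'App-Servers'
```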


Automating Software Deployment /w Ninite – Improved!

It wasn’t so long ago that I wrote this article: http://www.justfen.com/post/18843356303/automating-software-deployment-with-ninite

It seemed quite well received, I actually had some tweets and messages about it :O!

Now, two weeks ago I came across the following post on Reddit:

Ninite Pro. There’s a powershell script on a Spiceworks forum that pulls all machines from AD, as the Ninite machine scan leaves a lot to be desired.

Really I thought? I best go check that out!

The scripts in question are the following:

http://community.spiceworks.com/scripts/show/1376-ninite-updater-domain-update-part-1-powershell

http://community.spiceworks.com/scripts/show/1377-ninite-updater-domain-update-part-2-batch

http://community.spiceworks.com/how_to/show/2968

Just thought I’d point these out in a great upbeat passive-aggressive manner.

Imitation is the best form of flattery

Anyway, moving on swiftly!

What this post really is about, an improved version

So that’s what I worked on tonight whilst upgrading our AV systems.

So this is a single PowerShell file; it has the following prerequisites:

  • It must be in the same folder as NiniteOne.exe
  • You have to set the variables and paths beforehand

As for where I’d like to take this script

  • E-Mail of the logs, in a more legible format
  • E-Mail of outstanding needed software
  • Possible input of parameters rather than setting variables

Rather than writing a new blog post for when I push one of these features, you’ll be able to follow them over at GitHub @ https://github.com/fenneh/NiniteSloth 


Run Powershell from a Network share – A Cheeky Bypass

There is a backstory for this which will be saved for a later post, but this is too good to not share.

So, say for example you have a script which isn’t signed (Ahem!) and you’re wanting to run it from a UNC path (network share).

If you try and do this, it’ll throw up a security error.

But to bypass this, you simply have to call it from a batch file something similar to this

This will then bypass any issues you have, and it’s for a one time use so you don’t have to change the ExecutionPolicy within Powershell.

Hope this helps some guys out there trying to run certain scripts on Logon (Or scheduled tasks!)
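
For spotting this pattern in process-creation logs, an added example that is not from the original post. It assumes the batch file relies on powershell.exe's documented -ExecutionPolicy parameter; the function name and the sample command lines are constructed.

```powershell
# Added example: flag powershell.exe launches that override the execution
# policy for a script on a UNC path. Sample command lines are constructed,
# shaped like process-creation audit data (for example event ID 4688).
function Test-PolicyOverrideFromShare {
    param([Parameter(Mandatory = $true)] [string] $CommandLine)

    $isPowerShell = $CommandLine -match '\bpowershell(\.exe)?\b'
    # -ExecutionPolicy can be abbreviated (-ex..., -ep), so the match is loose.
    $overrides = $CommandLine -match '[-/](ex\w*|ep)\s+(bypass|unrestricted)\b'
    # A .ps1 path of the form \\server\share\...
    $fromShare = $CommandLine -match '\\\\[^\\\s"]+\\[^\\\s"]+\\[^"]*\.ps1'
    return ($isPowerShell -and $overrides -and $fromShare)
}

$samples = @(
    'powershell.exe -ExecutionPolicy Bypass -File "\\fs01\scripts\logon.ps1"',
    'powershell -ep bypass -file \\fs01\scripts\inventory.ps1',
    'powershell.exe -File C:\Scripts\logon.ps1',
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\local.ps1'
)

# Only the first two samples combine a policy override with a UNC script path.
$samples | ForEach-Object {
    [pscustomobject]@{ Flagged = (Test-PolicyOverrideFromShare $_); CommandLine = $_ }
} | Format-Table -AutoSize
```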


Windows Perfmon Counters, which one matter and why


How to Send an e-Mail from Powershell

Thought I’d slam this up here considering I’ve written the little snippet for this (I say wrote, it’s no doubt in many places on the net)

This little bit of code has a lot of potential, it can be used to automate report sending, notifications, outputs of queries etc!

In time I’ll post some examples of how to use it, but if you’re just looking for a clear-cut way of how to fire an e-mail off, then here it is

This script utilizes the Send-MailMessage cmdlet built into PowerShell V2.0; more information can be found at the following: http://technet.microsoft.com/en-us/library/dd347693.aspx


Migrating All My Scripts to Gist @ Github

I actually noticed today that the formatting is totally screwed on any of the scripts, or snippets of code I’ve posted.

So what I’ll be doing from now on is uploading all code snippets to Github’s Gist so in the future if any lost Sysadmin stumbles across this page then you’ll have an easier time modifying and reading the code thanks to the inbuilt syntax highlighting 😀

You’ll be able to view all these code snippets over at https://github.com/fenneh

Enjoy!


PCI, IIS7.5, BEAST Vulnerability… Done’n’dusted!

As mentioned in a previous article, I’ve recently been trying to lock down our IIS servers a little bit more, mainly for PCI compliance.

On these ventures something was noticed: the RC4 ciphers we had enabled were not actually working!

We ummed, we arrred to no result. After checking over Microsoft documentation, the problem became a little clearer.

It seems on Server 2008R2/IIS 7.5, simply setting the registry values for the ciphers to 1 wasn’t enough. They HAVE to be set to 0xffffffff (4294967295 in decimal) ;P

Something which was also noted was that TLS 1.1 and 1.2 hadn’t been activated; these also needed an extra registry key (Yep…)

So without much more gibberish, here are the updated PowerShell functions/scripts to help you with making your IIS7.5 servers PCI compliant.

Now, that’s the ciphers and security protocols set up.
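
To check what actually ended up in the registry, a read-only audit as an added example (not the functions from the original post). The function names are placeholders; the key names are the standard SCHANNEL ones.

```powershell
# Added example (not the post's own functions): read-only SCHANNEL audit.
$Root = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDword {
    param([string] $SubKey, [string] $Name)
    # .NET registry API instead of Get-ItemProperty: the PowerShell registry
    # provider treats the "/" in key names like "RC4 128/128" as a separator.
    $value = [Microsoft.Win32.Registry]::GetValue("$Root\$SubKey", $Name, $null)
    if ($null -eq $value) { return $null }
    # REG_DWORD arrives as a signed Int32 (0xffffffff reads as -1); make it unsigned.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$value), 0)
}

function Get-SchannelAudit {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $enabled = Get-SchannelDword "Protocols\$proto\Server" 'Enabled'
        $dbd     = Get-SchannelDword "Protocols\$proto\Server" 'DisabledByDefault'
        $state = if ($null -eq $enabled) { 'not set (OS default applies)' }
                 elseif ($enabled -eq 0)  { 'disabled' }
                 elseif ($dbd)            { 'enabled, but DisabledByDefault is set' }
                 else                     { 'enabled' }
        [pscustomobject]@{ Kind = 'Protocol'; Name = $proto; State = $state }
    }
    $ciphers = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128',
               'Triple DES 168/168', 'AES 128/128', 'AES 256/256'
    foreach ($cipher in $ciphers) {
        $enabled = Get-SchannelDword "Ciphers\$cipher" 'Enabled'
        # Per the post, a cipher's Enabled value must be 0xffffffff, not 1.
        $state = if ($null -eq $enabled)         { 'not set (OS default applies)' }
                 elseif ($enabled -eq 0)          { 'disabled' }
                 elseif ($enabled -eq 4294967295) { 'enabled (0xffffffff)' }
                 else { "Enabled=$enabled, not 0xffffffff: may not take effect" }
        [pscustomobject]@{ Kind = 'Cipher'; Name = $cipher; State = $state }
    }
}

Get-SchannelAudit | Format-Table -AutoSize
```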

The last step to make your servers BEAST immune is to change the SSL cipher priority.

This is done by creating a GPO!

  1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
  2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
  3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
  5. Follow the instructions labeled How to modify this setting.

It is necessary to restart the computer after modifying this setting for the changes to take effect.

The list of cipher suites is limited to 1023 characters.

See http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx for more in-depth instructions.

The one thing to note for this is that the RC4 ciphers NEED to be at the top of this list as they are immune to the BEAST attack.

A great write-up of this by Steve Dispensa can be found over here http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php

He even includes an example string for the cipher priorities!
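
Before pasting a cipher suite string into the GPO, it can be checked against the two constraints given in this post (the 1023 character limit and RC4 at the top). This is an added example, not code from the original post or from the linked write-up; the function name and both sample strings are constructed.

```powershell
# Added example: validate an SSL Cipher Suite Order string against the two
# constraints from this post. Both sample strings below are constructed.
function Test-CipherSuiteOrder {
    param([Parameter(Mandatory = $true)] [string] $Order)

    $suites = @($Order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $lastRc4 = -1; $firstOther = -1
    for ($i = 0; $i -lt $suites.Count; $i++) {
        if ($suites[$i] -match '_RC4_') { $lastRc4 = $i }
        elseif ($firstOther -lt 0)      { $firstOther = $i }
    }
    [pscustomobject]@{
        Length      = $Order.Length
        WithinLimit = $Order.Length -le 1023      # GPO limit quoted in the post
        SuiteCount  = $suites.Count
        # True only when every RC4 suite comes before every non-RC4 suite.
        Rc4AtTop    = ($lastRc4 -ge 0) -and ($firstOther -lt 0 -or $lastRc4 -lt $firstOther)
        Duplicates  = @($suites | Group-Object | Where-Object { $_.Count -gt 1 } |
                        ForEach-Object { $_.Name })
    }
}

$rc4First = 'TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,' +
            'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'
$cbcFirst = 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,' +
            'TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA'

Test-CipherSuiteOrder $rc4First   # RC4 suites lead the list
Test-CipherSuiteOrder $cbcFirst   # a CBC suite leads, and one suite is listed twice

# To check the order the GPO has already applied on a server:
#   $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
#   Test-CipherSuiteOrder (@((Get-ItemProperty $key).Functions) -join ',')
```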

But that’s that.. for now. If only we could move onto TLS1.2!