Running late with the deadline for your work? Then we are your reliable assistant in paper help.
Get ready to ask for our assistance when you need essays, research or course works, reports, case studies, etc. Our experts have seen it all and are ready to start working on your assignment right away. Go for it!
With over 6 years of experience in the custom writing service, our team of support agents, managers, editors and writers has gained a lot of knowledge about everything you may require. Here's what you get for sure when cooperating with us:
Everyone needs some paper help from time to time, because we are only human.
Our prices start at $10 per page for work completed from scratch and from only $6 per page for work you need edited and proofread.
What factors influence the cost of our paper writing services? There are 5 of them:
You're a lucky client! Why? Because you never pay for everything. You have lots of freebies to go with every single assignment. They are:
When asking for our paper writing help, you don't only pay us. We also pay you! You can receive up to 15% bonuses back and even earn money with our referral program.
We understand that sometimes you may want your deeds to go unknown. That is why we guarantee your complete privacy and security with our paper help writing service. After registration, you receive a unique ID and that is the only thing along with your instructions visible to our experts. Only our support team will see all the details you provide to be able to contact you in case any questions arise and send you a happy birthday discount on your special day.
Our custom writing service is completely ethical and provides busy students with great resources for their assignments. In the modern world, when we need to do a lot of things at the same time, it's nice to know you can count on someone for backup. We are always here to create the needed sample, perfect your work through editing/proofreading or explain the solutions to any problems you may have. Find out how much more free time you can get with our writing help.
James Preston. Thank you very much for the introduction, David. So, goals: we're going to show how some of these technologies are installed, and then our operation of those technologies within Queen's. We're also going to be looking at the resources that you guys can then pick up from and go away to learn about these more, so lynda.com is heavily featured throughout that, and there's a shameless plug for my personal blog in there along with other resources. The plan, as we've already seen, is loosely going to be around this. I haven't done any presentations like this in a while, so we'll see if the content actually meets our expectations. Please do ask questions as we're going along; otherwise this is just going to be me talking, and that's going to get horribly boring.

So, the IT office inside Queen's: we've got three full-time IT staff members. That's David, who is our manager; I'm the systems officer; and then Linda, who talks to you, our first-line support. We run three Hyper-V hosts, and that's largely based upon Microsoft services. As far as our top-of-rack network switching and so on goes, we've got a Palo Alto firewall, a pair of Ruckus ZoneDirectors using the 7363 wireless access points, which of course we're now looking at moving on because those access points are going end of life. There's an HP 5400 zl2 core switch in the middle of all that, and that is our main fibre aggregation point, and, just for the next couple of weeks hopefully, there's a Juniper DMZ switch in there just so that we can speak to two different types of network. We've got the old IP address range (the 129.67 addresses) and we're also now moving everything to private addresses behind 10.28.

We installed brand-new HP switches two, maybe three years ago now. Our core switch is pretty much fully populated now with fibre, so there's no fibre really running to anywhere else except for to the core. We do have a DR room over on one of our other buildings, and we've got two different links. That's the switches as they were being built by our good friends at Switch Shop.

As far as the Hyper-V hosts go, we've got two Dell T430s in the server room. They are designed to be tower servers, but we actually went out and bought the rail conversion kits for them, so they're now mounted in our rack in our server room. We've then got another Dell T430 which effectively has double the RAM of one of the single ones, the primary hosts, and double the storage, and that's used as our DR site.

So Hyper-V Server, if you haven't already come across it: Hyper-V itself is actually free. What's not free is to license the Windows virtual machines that will run on it, so if all you're doing is running Linux servers you might well wish to use Hyper-V to host those. We use it with the five-minute replication option, so every 5 minutes the delta of everything that's happened on the primary host is shipped over to the DR site, such that if main college were to suddenly disappear off the face of the earth we've only really lost 5 minutes of data and however long it takes to turn everything on. Hyper-V has really come along, so it's got technologies like Discrete Device Assignment now, which allows you to take a graphics card, plug that inside your Hyper-V host and expose that graphics card as if it's pure bare metal to the virtual machines inside, should you yourself have some good reasons to do that. It supports Secure Boot as well for trusted computing. Of course it's got clustering, which again is free out of the box, and of course it does live migration, be that live migration from locally attached storage or just in memory using SANs. If you want to get a free copy of Hyper-V Server and spin that up on some metal, links are going to be up there. All these slides will be available, with both the video (so we're capturing the audio off me at the moment) and also the slides themselves, so you can
grab the links off them a little bit later.

So our implementation as of today: we've got our primary host and the DR host, and as we were saying, every 5 minutes everything goes over to that. So when I started out we were mainly running Server 2008 R2; we've slowly been moving over to Server 2016. We started out with the Select agreements that we could buy through the IT Services shop, but with a little bit of a nudge from previous experience we've now moved to the Microsoft Enrolment for Education Solutions licensing option, which is a yearly thing. You basically say how much you're going to be running inside that year and then license the corresponding amount, so that's you licensing it per year of use. The Select agreement effectively allows you to upgrade to whatever the latest version of Windows Server is out at that time; it also allows you access to the new six-monthly release cycle of Windows Server should you decide to go to that instead. If we take the cost of the Select agreement against using EES, you're effectively going to have to use your Select agreement licence for seven years for it to be cost effective, and Bytes of course are now the university's preferred supplier for EES.

So for the purpose of today's demonstration we've spun up "King's College Oxford". We've got a couple of client PCs running Windows 10, a pfSense firewall and various other virtual machines, all running Windows Server 2016. So that's the end of our introduction.

The first major topic of today is the Microsoft Deployment Toolkit. So what does it do? We deploy Windows operating systems; in theory it can go all the way back to Windows XP, so if you're still deploying Windows 7, or for whatever reason you're using Windows 8, you can use MDT to deploy that. Inside college we're now moving exclusively over to Windows 10, so no more Windows 7. It does the initial installation of applications, so it's that initial copy of Office going onto the machine, or maybe Adobe Acrobat or Google Chrome, anything that you're installing at the time of deploying the operating system. It's not designed to manage the applications on the machine later; you can manually invoke those installations if you desire. If you are happy running a PXE server inside your environment, which certainly makes life a lot easier, you can run MDT over network boot, and then it basically grabs all the files that it needs to install the operating system and the applications via a network share. Equally, if you've got some niche cases whereby maybe you've got a machine that doesn't like to network boot for some strange and interesting reason, you can take the boot image (it comes as an ISO), copy that onto either a DVD or a USB memory stick and then connect to the network share. Equally, if you've got a very large capacity memory stick, you can run MDT as an isolated environment on that memory stick without requiring any external resources whatsoever and deploy operating systems straight off a USB, DVD, whatever you happen to be using.

We use it as a single operating system image: instead of maintaining a copy of Windows that's exclusively designed for the students, a copy that's designed for the staff, a copy that's designed to go on different machines, we take the very bare Windows copy, stick it straight into MDT and then apply our modifications through MDT, instead of capturing the image, uploading it onto the server and deploying that image. With the way that Windows is going now with six-monthly releases, if you want to keep up with those six-monthly releases this really makes life a lot easier. And then driver packs for machines come from all the major OEMs of course, so Dell, Lenovo, HP, and we mainly use Lenovo within the college.

A couple of alternatives: of course Windows Deployment Services is free straight out of the box with Microsoft Windows Server, and there's loads of other pieces of software out there that you might be using in your own environments as well. It's important to note that some of these applications are also
there to manage the operating system after you've deployed it as well; today we're really just focusing on MDT's ability to deploy the operating system. System Center Configuration Manager, if you've got the time, is really worth the investment; it can do pretty much anything to any machine on the planet.

So the installation: what you're effectively spinning up is a file server. In our environment we're running it with just two gigabytes of RAM; it really doesn't need too much to go. So the first thing we're going to need on our server (we spun up a new server dedicated to deploying operating systems) is to get hold of the Automated Deployment Toolkit, or ADK. Now, throughout the course of today I've got videos that show how to do these different steps as we go along; unfortunately this one really is just a case of going to the website, clicking download, getting hold of that copy and spinning it up. It's really a next, next, next wizard. Eventually you'll get asked loads of questions as to what applications or what features of the ADK you want to install, and we just want the default ones, so click install and you'll be away.

So next, installing the Windows Deployment Services role on the Windows server. We'll use PowerShell to do that: kick it off as an administrator, Install-WindowsFeature, and we're after the WDS role. Now go off and install it on your server itself. This way you don't have to interact with the GUI too much; there's less chance of you going "oh, that looks interesting, I'll choose that, that, that and that as well", and then you can script it. So as much as you can, use PowerShell to deploy these tools, and we've got an entire talk on PowerShell coming up next, so for the time being we won't worry about this one too much.

So, configuring DHCP on our server. This is our domain controller, which is handing out DHCP to our machines. We're going to set it up such that it's got a scope option to point any clients that talk to that DHCP server off to our deployment server, so as you're there spamming F12 to get Windows to network boot, by putting option 66 inside there it knows where to go to actually deploy the operating system.

So we need an Active Directory account for WDS and MDT to deploy our computers. This is going to be a service account, so we're going to set a nice strong password, which probably when I was setting this up was "Password123", with a capital P. Make sure the user can't change the password and doesn't have to change the password at the next login, and the account should never expire. Right, once we've done that, there's a wonderful tool we can download from the Microsoft TechNet Gallery which effectively sets the correct permissions on the organizational units inside Active Directory so that the account can only domain-join machines; it's not there to do anything else. Again, it's another PowerShell script; make sure you unblock the script before attempting to run it, otherwise you just get a load of red text. Then once we run PowerShell as an administrator we're going to point it at that script and provide it with both the name of the account and the path to the organizational units that we want to set these settings against. So we've changed the directory, we're going to kick off the script, we're going to put our service MDT account inside there. Now, target: we're just after the OU path, we're not after the domain name, so I'm going to Computers, Attribute Editor, distinguishedName; we can grab that straight from there, which is the Staff OU, not the domain name. We're going to use this to both join domain computers and domain servers; I've set up two different organizational units for that purpose. You get a nice bit of debug text once you've done it. If we look at the Security tab we can now see that account's been added in there, and it's only added the permissions it needs. We will also be using this account a little bit later to connect out to the deployment share as well, so that's when MDT is running on your machine
that's it saying "this is where I need to go and get my copy of Office" or whatever. We've applied the same to the domain servers as well.

So let's get MDT itself installed. You can download it from this link from Microsoft; it's on TechNet. Microsoft have now started shipping MDT at the same release cadence as Windows itself, and in this case we're going to get the 64-bit version of the tools. Of course Microsoft's website never makes it quite that easy if you're using even the most basic of pop-up blockers, so we'll get the link. MDT itself is really small, it's kind of under 20 megabytes in size; it really is just a load of scripts and a Microsoft Management Console plug-in. I think we're going to make ourselves wait for that under 20 megabytes, and again it's just a next, next, next install. Opt in to the Customer Experience Improvement Program should you so wish, sending them all your data, and that is how fast it installs, because it's such a small piece of software.

So the initial setup of MDT: you find it from the Start menu under Microsoft Deployment Toolkit and Deployment Workbench. It does require elevation to run, and we're going to be focusing around deployment shares. It's useful to pin it to your taskbar on your server as well. So the deployment share is where it's going to keep all its settings; we're going to save that to C:\DeploymentShare, it's just a useful place, and I'm going to remove the dollar sign as well to make it a visible share instead of a hidden one. There's a couple of settings that it'll ask you about; most of the time I just completely ignore them and I've ticked all the boxes, because we want things like BitLocker to be installed and set up on the machine by default. That copies over its scripts. It's worth noting you can have multiple deployment shares if you have a good reason to; most of the time you'll just keep it all under a single deployment share, as we've done here. Once we expand that we can see the different options that MDT has: so our options to set up applications, operating systems, the drivers and the task sequences themselves, which are kind of the core of MDT; this is the list of what to do when deploying Windows.

So it's deploying the ISO for Windows. We can get this off downloads.it.ox.ac.uk of course, and that's a big old ISO, which we won't wait for it to download. Once that's completed you want to mount the ISO; you can do that in Windows simply by double-clicking on it. My first video, where I forgot to set it to play automatically... here we go. Just mount the ISO, launch the MDT console, head to Operating Systems; once it wakes up, right-click and Import Operating System, and we want the full set of source files, because there's some files inside that ISO that we need for MDT to be able to deploy operating systems, mainly focusing around ImageX. As it goes and copies all those files from that ISO into its deployment share, the main one, or the biggest one, is going to be that install.wim, so that's where the files to actually install Windows are, and then there's some supporting files around there like the ImageX tool, like Sysprep and suchlike, which MDT can use for its own internal purposes. Now once it's imported that ISO we'll then see all the different operating systems that were inside that WIM file; in this case that's Windows 10 Education, that's Windows 10 Enterprise, that's Windows 10 Professional. Well, we don't actually need all of those; most of the time we stick with Windows 10 Enterprise. If you wish to, you can use Education as well. I would seriously recommend you steer clear of Professional these days, though, because Microsoft has been doing some fun and interesting things with the Pro version that allow them to update it without you having any control over it whatsoever. So we don't want the rest of those Windows installs and we're just going to leave ourselves with Windows 10 Enterprise, which was part of that Windows 10 Education WIM file, sorry.

Next we need some drivers from Dell.
Dell have a very helpful website which provides us with driver packs in the form of CAB files, from which we can get hold of all the drivers for all the different versions of Dell machines, all the way back to the earliest ones indeed. So from that Dell website, do a quick Ctrl+F to find the machine that we want; in this case it's going to be a 7440 All-in-One. There's a driver pack for Windows 10. These driver packs can vary in size from half a gigabyte all the way up to two gigabytes or more, especially if that machine would normally come with really complicated graphics cards; in this case it's a little over 500 megabytes. Dell kick them out as cabinet files, which we can then extract using 7-Zip or other tools that allow you to extract CAB files. So once that has completed its download we can extract that driver file, which we've saved, in this case just using 7-Zip. It usually kicks up a couple of errors about there being weird data; it's a CAB file, it's bound to happen. If we start to explore that file as it extracts, we'll see it's got some Windows 10 64-bit drivers inside there: it's got audio drivers, those massive Realtek ones which are like a hundred megabytes and no one knows why, and the video drivers of course, which have a little bit more of a reason to be larger in size.

Right, once we've done that we need to import those drivers into MDT. Now one important point to note is that the naming conventions that you use should reflect and match the model names of the computers that you're deploying them to. Good old PowerShell kicks in here: Get-WmiObject Win32_ComputerSystem, and we want the manufacturer and the model. I ran this a little bit earlier on my machine here; it's Lenovo and that's its model number. Now these strings need to match exactly what you put into MDT later, otherwise when MDT goes to detect which drivers it should install it won't know what to do.

So to import those drivers we're going to create a folder structure. In this case the top level is going to be the name Dell, and we make another structure beneath that matching the machine that we're going to deploy it to, in this case 7440 All-in-One. Once we've done that we're going to right-click on the folder and kick off the import of those drivers. This will take a varying amount of time depending on how many drivers there are. It'll search inside that folder, as well as for any additional CAB files of interest that the drivers might be saved in; mainly it's looking for the INF files that say "these are the supporting files that I need". On occasion you might see this throw a couple of errors and warnings; it's usually along the lines of "the driver says it's a 64-bit driver but its INF file says it's a 32-bit driver" and MDT doesn't know what to do. I've never encountered a situation where skipping past those has actually caused a problem, but if you find a problem to do with driver imports it might be something along these lines.

So we also run Lenovo laptops inside the college. They have a similar resource; the same applies to HP, Toshiba and most of the other main suppliers as well. So the Lenovo website: it's largely the same deal, we just search for the model that we're going to be deploying, in this case 20HQ, an X1 Carbon laptop. They've got their driver packs, similar sizes to the Dell ones, starting at 500 megabytes going all the way up to a couple of gigabytes depending on what the laptop does. A little note about these drivers: they actually come as an executable. If you try and extract that executable using 7-Zip or many other tools you'll just get a horrible mess, so you actually have to run that executable to extract the drivers. So let's kick that off; it'll choose a nice default place to save it like C:\Drivers. Now one little note about these driver packs is they're actually mainly aimed at a piece of software called System Center Configuration Manager, which is
effectively one step up in complexity against MDT. The same driver packs can be used in MDT, so if you're searching for driver packs for some obscure model of machine, try searching "SCCM driver packs" instead of "MDT driver packs", because most of the time that's where we find them. So once that's extracted, it's the same as before: we need to create a folder structure which represents the name of the machine and the model number. I think I chickened out here because I couldn't quite remember what the full model number is, whether it's just 20HQ or something longer, so I've just put X1 Carbon; I fix that later, so it's OK. It really is important these structures are well named. Same deal after that: after you've extracted it, just point at the folder, start the copy and you can see all the types of drivers that are inside there, be they audio drivers or suchlike.

So, selection profiles: this is the bit which MDT really does use to determine what drivers it's going to apply to the machine. So we've gone to Advanced Configuration, Selection Profiles, and we've created a selection profile which says "I'm going to use these drivers", called it its appropriate name, navigating through our structure.

So once we've got all our drivers set up, let's import some applications into MDT. You can pretty much use any applications with MDT that you've got; it's best if it's got a silent install script or a silent installer. If that's an MSI file, msiexec /i, the name of the path, /q: that will do a quiet installation most of the time. You can also apply these things called transforms to MSI files, which allow you to change things like where the application will actually be installed to or what shortcuts you want. There's a tool called Orca, which is free from Microsoft again, that allows you to modify those files; we won't look at that for these purposes, but we are going to look at the Google Chrome installer. So Google has an enterprise installer for Chrome, and we can download that MSI, 50 megabytes; it includes the Google Updater utility as well. We just want to create a folder for that, that we're going to import it from, and save the installer inside there. Once we're inside MDT we're going to create a new application; it's going to be an application with source files, so we're going to point it at that folder. These bits are largely optional just so long as you've got an application name inside there; point it at that Google Chrome installation directory. If you've got a particularly large application you can opt to move the files instead of copying them. And this is where we put the command line in that's going to install that application silently, in this case msiexec /i, you then go back to figure out what the application is actually called, copy and paste that in, and then put /q at the end. A little confirmation everything's worked OK. If you've got applications that are, well, anything from Microsoft Office to CorelDRAW, you can pretty much install them through this. After that you can then use other utilities such as Windows Server Update Services to patch and update those applications.

So next, creating the task sequence. So the core of what MDT is, is the task sequence. We're going to give it an ID and a name, in this case just "Deploy" or "Install Windows 10". It's going to be a client task sequence, but you can also use MDT to deploy server operating systems. Now churn through the wizard and change it to "The King's College", not "The Queen's College"; set the admin password, the local admin password for the machine, which is going to be 123456 in this case, ever so slightly better than 12345, and we actually come round to that in a second, at the end of the day when OpenVAS actually detects that we've got a really insecure password in use on one of our machines as it attempts to brute-force the computer. So we're going to inject the drivers for our OptiPlex 7440 machine and we're going to use that driver
selection profile that we've created. This is the super important bit: we're going to add a task sequence variable that's going to be Model, and it's got to equal exactly what you got out of the machine for its model name from that PowerShell command that we ran earlier. Well, you do the same for the Lenovo drivers; this is where I think I properly do it. Now, it is also possible (Microsoft have a script on the MDT website) to avoid using selection profiles entirely; I've used it with limited success in the past, but you're welcome to give it a go; the link to that is a little bit later on. So again, a task sequence variable is going to be Model, and it's got to equal exactly the right thing or it's not going to work, guaranteed. So after we've done that we can then make any other changes to our task sequence that we need. It's worth noting that for the Lenovo ones you have to set it to install all drivers. Things like enabling Windows Update as part of the task sequence, so as the operating system is being deployed you can tell it to reach out to Windows Update and ensure that once it's done it's got the latest Microsoft updates on there. We do that before and after we install applications, so first Windows will update itself, conduct a reboot if necessary, install any applications that it might need like Office, and then update those afterwards as well. Go ahead, yes, and then the WSUS server as well, which is actually what we do. There's a wonderful load of fun and interesting things here, so WSUS server, in this case here, and that's it. That's my pen, my laser pointer, where's my laser pointer... again, today we're pointing it at our WSUS server, so we've got our applications locally cached.

So this wonderful massive text is used to set certain things inside MDT, so that when you're actually deploying the operating system you've already made some decisions for the user, making life a little bit easier. So things like setting the name or the organisation name of the computer, things like setting the admin password on the machine; you can change that for different task sequences, and then also doing things like domain-joining it. So here we've set it to join kings.ox.ac.uk; we set our service MDT account that we're using, and later the password for that account. Unfortunately it's saved in plain text, so please protect your MDT servers. And you can do things like skipping unnecessary parts of the task sequence wizard: like, if you were deploying an operating system for a server and you don't want to choose which roles that server is going to run at that time, you can say skip roles, yes. One thing that I only recently found out, actually, is that you can as part of the task sequence provide a drop-down to the users of which organizational unit the machine should go into, and you just do that by DomainOUs, starting from 1 (I think you've only got up to ten options), and then putting the path of that OU inside that.

So where do we actually use all this? So this is updating the deployment share. We're only going to use it for 64-bit, so we've got our custom settings file here, which you can use and modify as you see fit, and we're going to paste that in over there. There's another file that we need to modify as well called Bootstrap.ini, and that's where we say what settings it should use to connect to the deployment share. Now we're going to build a 64-bit image of the Windows pre-execution environment and also create an ISO, and also MDT has a monitoring and deployment service so that when you've got a machine deploying out in someone's office you can check on the MDT server to see what its progress is instead of having to go over to it constantly and check from there. Now the deployment share: we need to add our service MDT account with read access on there, and it's not included in this video, but also make sure you set sharing permissions on that folder as well, such that when the machine is deploying it can connect out to that share. After that we need to actually create those images; that's a right-click on MDT Deployment Share
and update image directories this will take half an hour or so because what it's also doing is talking to all the drivers that you've imported into MDT figuring out which ones are network and which ones are storage drivers in particularly if you've got some obscure machines and making sure that those drivers are imported and injected into the actual deployment image that way when it network boots you can also talk out over the network it can talk to the storage that's inside the machine and we've seen in particular that with newer machines with the new nvme drives you really need to make sure you update the deployment share each time you import a new up and you Dell PC or new Lenovo laptop so once that's done it can take up to half an hour or so you get a nice little confirmation to say that it's done we can then find where those Isis has been saved where that image has been saved in the deployment share and boot folder we've got our wind file which we can import into WDS and also the ISO which we could burn to a DVD or CD you know kick off WDS expand servers right-click boot images import image and pointed it at wim file the MDT created for us this again will take a couple of minutes or so to import it's basically got a check over that 500 megabyte file to make sure everything is ok so once we're at this stage were actually ready to deploy Windows to our computers which should be a big sigh of relief because you just spent the last two hours playing around with text files and wondering what's going on so let's deploy Windows to our computers so we're gonna start up this machine here which is running inside hyper-v we're going to instruct it to network boot we'll work in other hypervisors as well once its kicked off it will take us through a wizard this wizzy could also password protect as well and that's just a simple string no username just the password and they'll ask us first which task sequence do we want to run so if we have multiple task sequences for 
example deploying Windows Server as well, we could select that from there. It'll then ask us for some details about that computer, such as what name it wants to use. If we had more applications in there we could select them from that drop-down, and it then kicks off our task sequence process. From that point on, sit back, relax; in this case I think the video takes about 17 minutes to run. We'll skip around this a little bit so we can see it installing the Windows operating system onto that machine. That zips by fine, especially if you've got a nice gigabit network to run it over. Once that's done, minutes later, it then goes through the out-of-box experience for Windows. Once it's finished doing that it logs in as a local administrator onto the machine and kicks off Windows Update for you as per our task sequence, installs any applications you might have selected as well (in a second or so we should see Google Chrome go), and we get a nice little report as to what went well and what didn't go well. We set it so that when you hit finish the machine instantly reboots. That's a little thing such that if someone comes across that computer whilst it's running its task sequence, hopefully they'll hit the finish button for us and save us a trip out there. Once that's done you've got a completely deployed, ready-to-go Windows environment: 17 minutes in this case for us at Queens, including an installation of Office, including Sophos, including running appropriate Windows updates; it's usually about half an hour. So final bits: how we use MDT at Queens. Any questions so far? Anyone think they might use this? Do not? Yeah. So MDT at Queens: we've got a number of different task sequences, one deploying our Hyper-V hosts (we haven't used that one in quite a while, so I should probably test it just in case). We use both Server 2016 in its Core edition, which is the PowerShell-only version effectively, and its user interface version. We also have Windows 10 task sequences for our normal deployment, just
Windows 10. We've got one for fellows' laptops, such as when they bring them to us, that doesn't domain join but it does install appropriate applications suitable to their needs. We've also got one for our library terminals as well (so kiosk machines, public machines, whatever you want to call them), and for convenience as well, if we ever forget to install an application as part of the task sequence, I've also got a task sequence which is really just "install application". So you can make these task sequences deploy operating systems, encrypt drives, or just install applications; you can do whatever you like with them really. And when you go to kick off the install application task sequence, obviously we're not needing to network boot from there, but if you head to the deployment share and Scripts as a suitable administrative account you can kick off the LiteTouch VBS file, and that will give us that task sequence wizard to churn through. So for the Sophos client, the quiet install is really just SophosInstall.exe -q, so anything that you can silently install you can use with that, and we've got a default install for Adobe Reader DC as well, and Sophos Cloud is inside there. Set KDCs for the Kerberos domain controllers, that really is just a little registry patch, so import the registry keys that we've set, and we set that to hide that application inside the deployment wizard so no one needs to click on it; it's just there as part of the task sequence and it's already installed. So further reading from these guys, and lynda.com does have a video on how to set up a more complete MDT environment; there's proof of concepts there for how to deploy Windows 10 according to Microsoft's way of doing things, and so on. So, questions? Good, yes. Yeah, so if you've already got a WDS server running, you've already got a WIM file and you can import that straight into MDT: right-click Operating Systems, there's actually an option there which, if it's still sitting on the MDT server, you can point it straight at the MDT
server and it will grab it from there. Now, not that we use WDS and MDT in that manner, but you can deploy an operating system, install applications onto it, and then capture that as an image. So if you were deploying six, seven hundred computers, as Mike and I were, well, remember, and you want to deploy those computers as fast as possible, that's another good way around it, because it's just sticking that image straight onto there; you're not having to wait for things to install. Anyone else? Stunned silence, excellent. Right, PowerShell begins, and we're pretty much running to time, sorry. PowerShell: what does it do? Everything. Freaking anything, anything, everything and anything. Send emails, talk direct to SQL servers, change files (especially if they're text files; it loves text files), install roles and features (we've already seen that one), it can kick most of its data sets out as CSV, HTML, pretty much anything you like. And you might already be aware I wrote a little PowerShell module to manage Sympa mailing lists, and for the chap who was talking about that at IT SSD yesterday: it doesn't have any functionality for the white lists I'm afraid, and that just isn't implemented inside Sympa, but you can use this to add users, remove users, create mailing lists, delete mailing lists as well. We're also working on using PowerShell to start configuring our networks, so we have HPE Aruba switches, they have a RESTful interface on them now, and in the latest version of PowerShell, version 6, which is still in the kind of beta and alpha stages, it's fixed a little bug that does allow us to talk to our network switches and make configuration changes to them through PowerShell, so bringing pretty much everything that we do to manage all our infrastructure under one single programming/scripting language. You can do interactive scripts, where it asks you something and you reply back with a string or point to a file or whatever you want, or non-interactive, where it really does just sit on a server and once a morning at
7:30 it kicks off, does its thing and then starts sleeping. I did try and think of any true alternatives, and I just put some random things up there so people can have a play with them; I'm sure they're all very good, I've never used any of them, sorry. So first thing to do is enable the running of scripts. PowerShell by default doesn't allow you to run scripts that are locally saved on the machine, so we're gonna create a new group policy and deploy this out to our computers. We're gonna head through Policies, Administrative Templates, Windows Components, Windows PowerShell, and there's a little box somewhere which says enable the running of scripts on local machines. Now the execution policy will allow you to choose how rigorous you want to be; in this case we're going to go local scripts and signed scripts. So once you've done that on your machines, you want to make sure you've got the very latest version of PowerShell on those computers. If you're running Windows 10 you really don't need to worry about that now, but if you've got Windows 7 machines, Server 2008 R2 or suchlike, you will need to update PowerShell on those machines. You can get that from the link down there in the bottom left-hand corner, and you have to download WMF. So PowerShell is part of something called the Windows Management Framework, or WMF; you install that on your machine and you're good to go. To check that you're on the latest version of PowerShell: right-click the Start menu, kick off PowerShell, $PSVersionTable, hit enter; if you see something like 5.1 you're probably there already. So let's have a quick little play with what PowerShell can do in a very simple environment. First we're going to start out with discovering what's called cmdlets. So PowerShell is written around the notion of verb-noun, so Get-Help, Get-Service, Get-ADUser and suchlike, or New-ADUser for example. So to play with services we're gonna kick off PowerShell as an administrator on our machine, and first we want to know what we
can do with services, so Get-Help (you can tab-autocomplete through the options) *Service. Do we want to update help? Well, I probably should have pressed yes, but it would have taken ages. And it will give us a list of all the things that PowerShell can do to services, so we've got Get, Restart, Resume, all kinds of fun and interesting things. Let's do Get-Service and run it, and we get a horrible list which is useless, so we'll pipe that into Out-GridView. Out-GridView then allows us a little search facility so we can see what those services are doing. Let's look at the Windows Update service in this instance, so how about we go Get-Service and we're gonna say specifically the name of the service that we're interested in, and look, there's that service, just one service, and we can equally so pipe that to Out-GridView as well; you can get it in that nice graphical user interface way. So how about we do something more interesting to it, like Stop-Service. Now we can kill that, I think. Do Get-Service again and we'll see it's now stopped, magic, and equally so Start-Service to start it up again. So PowerShell really is focused around verb-noun; hopefully it makes things pretty easy to discover. If you want to do something to do with AD users, Get-Help space *AD* and you'll probably get a million-and-one things, or *ADUser* for example. So to help us get through PowerShell and to make scripts and do more fun and interesting things, we don't want to use the PowerShell prompt, that's useless; let's use PowerShell ISE. This will be installed on your computers by default, and it gives us a nice long list on the right-hand side of pretty much everything PowerShell can do on that machine with what it has available to it, and it's got drop-down autocompletes. And our hello world example: we're gonna choose a foreground color of red, I think, once I finally figure out what I'm doing, and running that with F5 will output to the prompt "hello world". Equally so we can explore all of the PowerShell cmdlets on the right-hand
side; there's a search box there so we don't have to worry about using Get-Help. This is just the machine with its basic install; you can see how long that list would potentially be given how small the scroll bar there is. So, PowerShell remoting. PowerShell is useless unless you're gonna run it against other machines, so typically you'd have your administrative computer, you'd have your set of servers, your set of clients, and you want to execute remote commands against them. If you're running Server 2012 or Windows 8 or higher, PowerShell will already be enabled for remoting for you on domain and private networks; on public networks you'll only allow it on the local subnet, one thing to bear in mind for coffee shops and suchlike. And by default any administrators can use PowerShell; PowerShell will always execute on the machine in the context of the user that you're logged in as, hopefully that made sense. So if you're logged in as a basic user you will only ever be able to execute basic user things on that computer; if you're logged in as the full domain administrator, crack on deleting virtual machines and destroying people's lives. If you've got older clients, so Server 2008 R2, Windows 7, Windows Vista, Enable-PSRemoting -Force will turn on PowerShell on that machine; equally so you can configure that through group policy. You can test connections to the machines, so if you're having some weird thing where your remote commands won't work, you can use Test-WSMan and then the hostname of that machine. One important note about PowerShell: you should always be using the hostnames; it will send everything over encrypted connections. If you're using IP addresses it doesn't particularly appreciate that. So PowerShell is no fun without things to administer that are remote, so let's get hold of the Remote Server Administration Tools, downloaded from Microsoft, again free. If you're running Windows Server 2016 you need to be running Windows 10 to administer it; if you're running Server 2008 R2 you need
to be running Windows 7 to administer it. You need to download the appropriate tools for the appropriate operating system that you're managing, all the interesting things you can do with it; select the right operating system and then kick off the install for the version of Windows that you're running at that time, in this case Windows 10 1709 in the 64-bit flavour, and there are still versions available for 1703, 1607 and all the way back to when Windows 10 was first kicked out, and the installation effectively runs as a Windows Update on your machine. One little thing to note is that every time you move from one Windows version to another Windows version, so when 1709 becomes 1803, you'll need to go to the Microsoft website again, download the latest version of RSAT and install that on your machine; otherwise you'll be sitting there wondering where's my Active Directory management console. So if you've not already used RSAT, a quick little tour around it: so you've got Active Directory Users and Computers; instead of logging in to your domain controllers you can manage your Active Directory domain from your client PC; Group Policy Management Console; Hyper-V tools; certificates tools; pretty much anything you can manage on a Windows server, with the minor exception of Internet Information Services for some strange reason. And you can run through RSAT, so we've got RSAT installed on our computer; that now gives us access to all the PowerShell tools that Windows Server has, things like managing Active Directory, things like starting and stopping Hyper-V virtual machines. So let's do some fun with PowerShell in the ISE. So I think we're gonna run Get-Computer... that's another video that I forgot to set up, all the different things we can do with AD. And we're gonna go Get-ADComputer; that'll give us a nice option on the right-hand side of what our parameters are. In this case we're gonna just use the filter of * to return pretty much everything; it's again to only get a nice little list of every
machine that's inside the directory. Equally so we can output that to an Out-GridView and see the machines that we've got on the domain with various different attributes of that, and we can get pretty much any attribute that's inside AD out of it as well. Or we could export that to a CSV, and that will kick that information out as a CSV, so if you've got other tools that you want to manage your computers with, you can use PowerShell to at least extract the information out of Windows into CSV. So how about doing something a little bit more useful, like creating a new account inside Active Directory. So in this case this is an interactive script; it's using Read-Host, it's asking me what's the user's first and last name, we'll use Jim Bob, the password is read as a secure string so it will give me a little prompt which hides the password, and it goes off and creates that account for you. So we can then kick that off and say hey look, this is the account that we've just created. So PowerShell, just making scripts like this, it would take you forever, so what we want to do with PowerShell is make proper tools, things that you can reuse on a regular basis, things that you can just pop out of nowhere and go, I need to create a new account, quick, run. So for that PowerShell has the notion of modules. So here we've created a bit more of a complicated script; we've wrapped it round in a function, we're gonna save that inside the WindowsPowerShell\Modules folder in the user's Documents area inside Windows, we're going to give it another subfolder name which is the same as the function that we're creating, and we're gonna save it as a .psm1 file; that's a PowerShell module file in its very basic form. So when we close PowerShell and open it up again that module will be imported inside PowerShell; we can kick it off just by typing QC-New... Kings-New... so New-ADAccount; that gives us the parameters that we can choose that we defined earlier, now let's take forename Jim, surname Bob. When we kick that off it
will then prompt for the password and then it will promptly fail, because I forgot to delete the account before I recorded this video. Red text, that looks bad. So how does it work at Queens, how does PowerShell work at Queens for our use? That PowerShell folder, which is inside Documents (your user account's Documents\WindowsPowerShell), can be expanded with a few other folders. So Modules: these are all the tools that you've made. Scripts: that's really just a dumping ground. Snippets are little sections of PowerShell scripts that you've used that one day you're going to use again, so things like making a new function. And then profile.ps1: every time you launch a PowerShell interactive window it will also load that PowerShell profile.ps1 file. Now inside that file we've created a little script which will copy from our SMB share all the new modules that we've created since we last launched PowerShell and overwrite them in the user's directory. Now obviously you can use many other different ways of managing that, be it through some form of Git service, maybe you're hosting on a web service or something like that; whatever works for you. So the list of almost everything we've made so far, that's PowerShell modules and tools: we've got full complete modules which have a manifest file and multiple scripts inside them, like the PSSympa utility that we wrote, and then you've got the very basic ones which just use .psm1. In this case QC-Get... just by running that it goes out and queries AD with a filter that I've already defined to go and look out for our AD servers and return them. So this is the file that we use, our profile.ps1 file, that copies over all the changes from our central store. You can also print out a little prompt there that says hey, if something has changed, close PowerShell and open it up again to apply those changes inside PowerShell. So one of our quite regularly used tools: when we've got a contractor inside the college and we want to provide them with network
access, we do that through our Network Policy Server and 802.1X authentication, and what this PowerShell module does is it asks us what's the MAC address of the client, what's the first name and last name of the user, what company are they from, what's the general description of their machine, what's their email address and how long do we want the account to be valid for, and then finally it says hey, which network should they also be allowed into. So we've got pure internet access, no access to internal services, that's dumped in VLAN 11; if we want them access to our privileged environment for some strange and interesting reason, welcome to VLAN 4; and then finally, if they're just there to look at the BMS system we can stick them inside the BMS network. Now that's set as a ValidateSet, so PowerShell will provide you that as a drop-down list option to say hey, which network do you want them to join. It then uses a switch, which is a pretty common term in these things, to then take whatever answer you've provided and set variables accordingly, so one of those being the network ID, which is a term used inside Active Directory to say hey, this is the group ID of that machine, and another one which is really just the name of the Active Directory group they're being joined to. There's a little bit of validation inside there, so it basically says if the MAC address isn't equal to 12 characters, kick out of the script and provide a little prompt that says you've been naughty, you need to put 12 characters inside there. Once it creates the script we've also got a couple of sleeps inside there to allow AD to catch up as it's creating that account, and it also replaces the primary group on that account. So pretty much anything that you can do inside the GUI tools of Windows for any administrative purposes you can do inside PowerShell. So a couple of other things that we use inside Queens; I hope that I sanitised these to make sure that none of them reveal any interesting information. So one of those is
querying an SQL server. So our SQL Server, which stores all the information about all the devices which are connected to the domain, whether they be authenticated by security certificate, MAC address, username/password: QC-GetMacAddressPorts will return, based upon the MAC address of the machine, where the machine was last plugged in, be that in a wireless access point or a physical network switch, and also which switch, which wireless access point it was plugged into. That way, if we get a detection from oxer that says hey, we've seen malicious traffic, we've gone through our DHCP logs to figure out hey, this was this client, let's go figure out well, where it's plugged in at the moment; we can do that through this script pretty quickly. Next one: you can do things like tap into the Windows Event Log through PowerShell. In this case it's just returning the last 50 events on our print server for the print service. Every now and again someone will say hey, did that print job go through, or something along those lines; very quickly run this, get a list of the last 50 events: oh yeah, there's your print job, you sent it, unfortunately it was 4,000 pages so it was then rejected. And one of my favourite ones: create a new test virtual machine. This taps into Hyper-V, says hey, I'm going to create a new virtual machine with this name, I'm going to prefix it with the word test, I'm gonna have a default of 4 gigabytes of RAM, it's gonna connect to our network, this is where it's going to save the virtual hard disk, and it's going to have 4 virtual CPU cores; it's also going to go into our clients network. So when we run this script, I've created a virtual machine called cheese; that goes off and talks out to Hyper-V on that machine, creates that virtual machine for me, it provides me a little log at the end, and then once I'm done with that virtual machine and I don't want it anymore, Delete-TestVM: this pops up a window, which wasn't actually captured by this, which says these are all the test virtual machines that you're
running at the moment, which one would you like to delete; select the appropriate virtual machine, press OK, and eventually it will then obliterate that machine, not only from the Hyper-V hosts, but if that machine was ever domain joined it will delete it from Active Directory as well for you, so making sure things are cleaned up and tidied up. One of the things I'm really hoping that the Sophos guys will kick out pretty soon, as some of you might be aware, is a nice RESTful API for the Sophos Cloud console; that way I can also delete machines from the Sophos Cloud console without having to go in there and log in and delete stuff, and otherwise I could just use one single script, select one machine and do actions in three, four hundred different places. DNS: in this case we've just said hey, reach out to all these DNS servers and return what their responses are for a query. Another shameless plug for my World of IT, and a backup script which reaches in using WinSCP to all our network switches, takes a copy of their current running config and then saves that onto the local server. Now PowerShell is built around the .NET Core framework, so if you ever come across any libraries that work with .NET you can probably tap into them with PowerShell, and one of the most obscure ones I ever came up with was SIMS, Capita SIMS; SIMS is a schools' information management system that's built around .NET, and guess what, you can tap straight into it with PowerShell; took me absolutely ages to figure out how it works. So in this case this script is simply loading up the DLL that it needs, reading a CSV which has all the host names and credentials required to connect to the machines, reaches out to those individual switches and saves a copy of the config, grouping them by the switch name and also the date. So interactive scripts: absolutely fantastic. Here's just a small sample of some of the scripts we're running right now that run automatically, be that 7:30 in the morning, 7 o'clock in the morning.
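The contractor device tool described a little earlier (MAC address check, a fixed set of networks offered as a drop-down, a switch mapping the answer to an AD group, sleeps while AD catches up, then a primary group swap), written out as an added PowerShell example; this is not the speaker's QC module, and the group names, OU path, VLAN numbers and the NPS convention of using the MAC as both account name and password are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the speaker's own QC module. Group names, OU path, VLAN numbers
# and the MAC-as-username/password convention for NPS MAC authentication are assumptions.

function New-ContractorMacAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 12 hex digits, optionally separated by ':' or '-'. ValidatePattern does the
        # "you need 12 characters" check before the function body ever runs.
        [Parameter(Mandatory)]
        [ValidatePattern('^([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$')]
        [string]$MacAddress,

        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Company,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$EmailAddress,

        # How long the device account stays valid; capped so nothing lives forever by accident.
        [ValidateRange(1, 365)]
        [int]$ValidDays = 30,

        # ValidateSet is what makes the ISE and tab completion offer the networks as a drop-down.
        [Parameter(Mandatory)]
        [ValidateSet('Internet', 'Privileged', 'BMS')]
        [string]$Network
    )

    # The switch maps the chosen network to the AD group (assumed names) that the NPS
    # network policy matches on; the VLAN itself is assigned by that policy, not by this script.
    switch ($Network) {
        'Internet'   { $groupName = 'NPS-MAC-VLAN11-Internet' }
        'Privileged' { $groupName = 'NPS-MAC-VLAN4-Privileged' }
        'BMS'        { $groupName = 'NPS-MAC-BMS' }
    }

    # Canonical form: lower-case, no separators. Assumed convention: the switch sends the MAC
    # as both user name and password, so the account mirrors that. Such accounts need a
    # fine-grained password policy of their own, since a MAC never meets normal complexity rules.
    $mac    = ($MacAddress -replace '[:-]', '').ToLower()
    $ou     = 'OU=MAC-Auth Devices,DC=example,DC=ac,DC=uk'   # assumed placeholder
    $expiry = (Get-Date).AddDays($ValidDays)

    $newUser = @{
        Name                  = $mac
        SamAccountName        = $mac
        GivenName             = $FirstName
        Surname               = $LastName
        DisplayName           = "$FirstName $LastName ($Company)"
        Description           = "$Description, valid until $($expiry.ToString('yyyy-MM-dd'))"
        EmailAddress          = $EmailAddress
        Path                  = $ou
        AccountPassword       = (ConvertTo-SecureString -String $mac -AsPlainText -Force)
        AccountExpirationDate = $expiry
        PasswordNeverExpires  = $true
        Enabled               = $true
    }

    if (-not $PSCmdlet.ShouldProcess($mac, "Create MAC-auth account in $groupName")) { return }

    New-ADUser @newUser
    Start-Sleep -Seconds 5          # let the directory catch up before touching the new object
    Add-ADGroupMember -Identity $groupName -Members $mac
    Start-Sleep -Seconds 5

    # Make the network group the primary group, then drop Domain Users so the device
    # account is a member of nothing except the network it was approved for.
    $group = Get-ADGroup -Identity $groupName -Properties primaryGroupToken
    Set-ADUser -Identity $mac -Replace @{ primaryGroupID = $group.primaryGroupToken }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $mac -Confirm:$false

    Get-ADUser -Identity $mac -Properties AccountExpirationDate, MemberOf |
        Select-Object SamAccountName, Enabled, AccountExpirationDate, MemberOf
}

# Example call with constructed values; -WhatIf shows what would happen without creating anything.
# New-ContractorMacAccount -MacAddress '00:11:22:AA:BB:CC' -FirstName Jim -LastName Bob `
#     -Company 'Example Ltd' -Description 'Contractor laptop' -EmailAddress jim@example.com `
#     -ValidDays 14 -Network Internet -WhatIf
```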
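The switch backup script just described (load the WinSCP .NET DLL, read host names and credentials from a CSV, pull each running config, file it by switch name and date), as an added PowerShell example that is not the speaker's own script; the DLL path, the CSV columns, the remote config path and the inventory rows are assumptions, and the host key fingerprint column is the part worth keeping when adapting it.

```powershell
# Added example, not the speaker's own script: back up switch running configs over SCP
# with the WinSCP .NET assembly, one folder per switch per day. DLL path, CSV layout,
# remote path and the inventory below are assumptions.

param(
    [string]$WinScpDll  = 'C:\Program Files (x86)\WinSCP\WinSCPnet.dll',
    [string]$BackupRoot = 'D:\SwitchBackups'
)

# Constructed inventory in the shape the talk describes (host names plus credentials).
# A real deployment would read this with Import-Csv; that file is plain text, so it needs
# a tight NTFS ACL, or the Password column replaced by a lookup in a credential store.
$inventory = @'
Name,HostName,UserName,Password,HostKey,RemotePath
core-sw1,10.0.0.1,backup,PLACEHOLDER,ssh-ed25519 255 SHA256:PLACEHOLDER,/cfg/running-config
edge-sw2,10.0.0.2,backup,PLACEHOLDER,ssh-ed25519 255 SHA256:PLACEHOLDER,/cfg/running-config
'@ | ConvertFrom-Csv

Add-Type -Path $WinScpDll

function Backup-SwitchConfig {
    param(
        [Parameter(Mandatory)][pscustomobject]$Switch,
        [Parameter(Mandatory)][string]$Root
    )

    # <Root>\<switch name>\<yyyy-MM-dd>\running-config.txt
    $targetDir = Join-Path (Join-Path $Root $Switch.Name) (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
    $localFile = Join-Path $targetDir 'running-config.txt'

    $options = New-Object WinSCP.SessionOptions -Property @{
        Protocol = [WinSCP.Protocol]::Scp
        HostName = $Switch.HostName
        UserName = $Switch.UserName
        Password = $Switch.Password
        # Pinning the host key is what stops a spoofed switch from harvesting the backup
        # credentials; do not swap this for GiveUpSecurityAndAcceptAnySshHostKey.
        SshHostKeyFingerprint = $Switch.HostKey
    }

    $session = New-Object WinSCP.Session
    try {
        $session.Open($options)
        $result = $session.GetFiles($Switch.RemotePath, $localFile)
        $result.Check()    # throws if any part of the transfer failed
        [pscustomobject]@{ Switch = $Switch.Name; File = $localFile; Status = 'OK' }
    }
    catch {
        [pscustomobject]@{ Switch = $Switch.Name; File = $localFile; Status = "FAILED: $($_.Exception.Message)" }
    }
    finally {
        $session.Dispose()
    }
}

# Run against every switch, carry on past failures, and leave one log line per device.
$inventory | ForEach-Object { Backup-SwitchConfig -Switch $_ -Root $BackupRoot } |
    Tee-Object -FilePath (Join-Path $BackupRoot 'backup.log') -Append |
    Format-Table -AutoSize
```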
We've got things like reading the CUD feed and creating our Active Directory accounts; things like getting hold of the backup reports and then emailing them out to the IT office for us to examine. One of the things that was a little bit of a niche topic: exporting students' special diets. So a specific request from our conference office saying hey, can we get a list of the students... that sounds rude... can we get a list of all the students with special diets? Absolutely fantastic. Can we have that updated daily? OK, let's not get the finance guys to do that, let's not get the college office to do that, let's figure out the SQL required to take that from the database, dump it into a PowerShell script, export it as a CSV, there it is for them. And we use Freshdesk as our helpdesk, and we have a CSV which has tasks that we do on a regular basis, things like go check that the server room hasn't caught on fire, things like take a backup of X Y Z that we can't automate yet, so every morning at 7:30, just as I'm on the bus on the way into work, it then puts those tickets straight into our helpdesk via the RESTful API (David might have hijacked that for personal purposes as well). And following the scripts inside there: detect privileged group changes, so that reaches into AD; we've established a list of groups that we're interested in, and if we see an elevation on any of those groups, alert us. That runs once an hour; one day I'll figure out how to get that to run instantly. And even things like an RSS reader, so it may be a little RSS reader employed in PowerShell that will generate tickets inside our helpdesk for topics that might be of interest to me, so I don't have the time to go scrolling around the web all day, so why not read things straight from Reddit, why not read things straight from the Palo Alto security blog, and have those generated as tickets, so actionable items for me for things to do, and mark them as resolved once done. So the backup server has all those scripts on. PowerShell
really isn't just about Microsoft services; it's now cross-platform in the sense that you can run PowerShell on both OS X and Linux servers, and the PowerShell Gallery is Microsoft's publicly curated list of everything else that anyone has ever done with PowerShell that was really fun and interesting, so there are third-party tools for things like tapping into MySQL, definitely not a Microsoft product, or VMware, talking to VMware servers, so you can deliver the same things like creating a test virtual machine using PowerShell, bringing all your scripting environments under the same single umbrella. lynda.com really does have some excellent things on PowerShell; not only does it have complete step-by-step "this is every single last feature", it also has "these are common use cases of PowerShell, go use them in your environment", things that you could literally pick up and run with right away. And then of course another shameless plug for my blog. Any questions, or is it just gonna be me talking today? Yes, the large majority; there are a limited number which, for fun and interesting reasons, I can't put on my blog. I do have a number of ones which are things like the network switch backup, things that we use for the RSS reader and so on; I'm slowly figuring out which ones really I can put on things like GitHub and so on, so they'll be up there eventually. Yep. So PowerShell, without using it for malicious purposes (where there are special privilege escalation bugs inside Windows that someone's just discovered), will only ever execute at the permission level of the user that's running it. So if you really do just have your basic user and they type Get-ADUser, enter, if they don't have permissions to read AD they won't get anything; the cmdlets can be there, the tools can be there, but it's built around the same security framework that Windows has. Just as earlier, when we were installing roles and features on the server and stopping services, that requires specific elevation as an
administrative account; that requires you to specifically right-click on it, run as administrator, get the UAC prompt, press yes. Now obviously a lot of malware these days is hidden inside PowerShell scripts, VBS scripts; most of the time that's just reach out somewhere, download something, run it on the machine. Now to be honest, if you haven't got an anti-virus service which can block that kind of thing, like Intercept X which we're using (which is fantastic, by the way), you really need to consider those kind of mitigations instead of saying let's forget about this awesome remote machine management tool. The other thing: run PowerShell at the most recent version, so just like any other software that you patch, don't sit around with computers that are running PowerShell version 2; get them updated to PowerShell 5.1, and 6 when it comes out. Anyone else? No? I really want to... So Desired State Configuration is Microsoft's equivalent of Puppet: here's the state that I want this machine to be in, go and configure it like that, and if it ever deviates from that state, send it back. There's guides for it on lynda.com. To be honest, in our scale of environment, we're running about twenty-four virtual machines, all of which have specific unique purposes with the exception of the domain controllers; it hasn't really hit me as something I need to worry about yet, but if you're running a server farm of a hundred machines, 20 of which are web servers, 20 of which are data centre servers for SQL Server or whatever, you should probably be looking at DSC as well, and that really is Microsoft's equivalent of Puppet. Anyone else? Nope. Wow, we are overrunning already, ten minutes into the next presentation; then I think we break for coffee. I know it's really cold in here; at some point we'll figure out if we can do star jumps to warm up. So, PRTG Network Monitor. I have been using this since I have been working with Mike and other fun and interesting people over the last couple of years, and it's really evolved as a
product that can monitor pretty much anything you can point it at. So what does it do? Monitors network-connected devices. There's some really good examples on the PRTG blog about obscure things that people have monitored, things like temperature sensors for monitoring chicks as they hatch, things like monitoring dumper trucks, which kick out so much IoT data these days. In our case they're pretty much the standard boring ones, so monitoring switches, seeing what our firewall's sFlow traffic through that is, our servers to see if they're up in the first place and what CPU utilisation, websites is a really good one, so monitoring when your security certificate's gonna expire. PRTG is free for up to a hundred sensors at the moment, and will probably be for life now, so if you just take away one thing from this: go download PRTG, point it at all your SSL certificates, make sure they don't expire. And it can configure all kinds of alerts when things go wrong, be that via email, SMS, HTTP RESTful action, push notifications or a custom executable. I'd always suggest that you get at least two different types of notification installed in your PRTG instance; in our case we're running plain old email, but of course the SMTP relay could in theory go offline, so we're also running HTTP actions to Slack, and also, through the PRTG application on our mobile phones, we're getting push notifications. So that way the internet as a whole for the entire university on Sunday would have to disappear for us to lose access to PRTG. And there are loads of other alternatives to PRTG of course; a lot of them are going to be free at the point of downloading them, but not necessarily free in the sense of the time that it takes to configure them. We'll set up a couple of videos with just configuring basic sensors inside PRTG to monitor things like SSL certificates, to monitor things like Windows servers, and I would happily challenge anyone to see if they can run those demonstrations faster on other options. It's
really good transparent pricing; their price is basically you are running a thousand sensors, you pay for a thousand sensors; the next bracket is at five thousand or whatever it's at, and then you're unlimited. At Queens we're running with a thousand sensor licence. So pricing should be transparent, just like it is for SpaceX: if you want to send something that's 5.5 metric tonnes to transfer orbit it's going to cost you sixty-two million pounds; the same applies for PRTG. Now sensors, the way they're licensed: if you are monitoring a network port on a switch, that's one sensor. Now obviously if you've got a 48-port network switch that's 48 sensors, and that's quite a big chunk; if you're having to do that kind of set of monitoring you're probably looking at the unlimited licences anyway. In our case, for the monitoring of things like network switches, we are effectively watching for it to be up, we are watching its CPU, its memory utilisation, and we're watching its uplink ports; we're not overly interested in the rest of the ports on that switch. So, and the pricing there I think was for one year; after that year you can continue to run PRTG at that licensing level but without feature updates and new software updates. When we last looked at it, it's then 20 percent of the initial investment each year if you want to pay for renewals and software maintenance, basically. I do know a couple of people who really have just bought the 500 sensor licence and run that for two or three years now; so long as you're not publishing PRTG publicly, semi OK; I'd still rather update it and patch it all the same, just like any other piece of software, all the same, so whatever you want really. 20% I think it was each year. So sorry, go on. Yep. I think that's... yeah, if you're doing that kind of monitoring you probably need to be doing that kind of... you need to be looking at the free tools for that, unless you want to go straight up to the unlimited sensor licence. The way it works out for us is it really is 20% of our licence spent
on the switches, 20% is spent on the servers, 20% on UPSes, and so on and so forth, so we've got kind of a nice healthy balance. If we were monitoring every single switch port to see every single piece of traffic on it we'd probably need the 5,000 license, which just isn't going to work out for us; but certainly the free tools, if you want to do that, crack on.

So, really easy to add new devices: just plug in the IP address, the hostname, some credentials for that device, and you're away. The feature set for it is absolutely humongous. They have a couple of hundred out-of-the-box sensors, going from things as simple as monitoring traffic on a port to monitoring HTTP actions or monitoring your QNAP NAS box, to all kinds of fun and interesting things. It's easy to migrate to newer hosts. So this is one thing I like about a piece of software: I want to be able to say, right now it's running on Server 2008 R2, in a couple of months' time I'm going to take it to 2016. In PRTG it's a simple case of install PRTG on the next host, take a couple of config files and its logs, copy and paste those over the top, and you're good to go. There's a lot of software out there these days that seems to bind itself in intricate and complicated ways and has no real migration path; PRTG makes that easy. It's extensible by pretty much anything you can do in PowerShell or another scripting language; if you can run it, PRTG can probably talk to it. And of course it's got this Maps feature, which kicks out displays such as that one there, which you can have running inside your office to give people something to look at as they walk in.

Nearly time? Yep, okay, let's break there for tea and coffee; back here in half an hour to continue with PRTG. Thank you, guys.

Welcome back. That's like the easiest piece of software to get a license key for ever: it's just like, here, have a license, PRTG trial, copy and paste. So, free for a hundred sensors, as I was saying earlier, and it does give you a wonderful key; if someone wants to steal that, feel free, I've
probably already deleted the machines it was running on anyway. PRTG itself is a couple of hundred megabytes in size, and that includes every single last runtime library, everything it needs, with the exception of the .NET Framework, which should already be on your server anyway, so you don't need to worry about installing anything additional, just crack on. As part of the process it asks you for an email address; I've never seen it do any validation on that email address, so don't worry about that too much. If you decide to go and buy PRTG, for whatever strange and interesting reason, you just get a new license key, put that into the server and then you're instantly good to go again. For the licensing model, if you ever decide to upgrade to a higher licensed version you only pay the difference on what you've paid already, so again it's pretty upfront and sensible, the way the licensing works for it.

PRTG includes its own web server, so you don't need to worry about running Apache or IIS, and it also has its own database as well, so again you don't need to worry about installing and licensing databases. It really is: buy the license and you're good to go; don't worry about SQL Server, IIS or anything else like that. Installation of course takes a couple of minutes. Once you're done you'll get taken to the server. You can install a valid SSL certificate onto the machine, just request one through the university as normal, and then PRTG has a certificate importer utility that allows you to dump that straight into PRTG using the certificates that were received. For the purpose of this demonstration, of course, we're not going to get a security certificate for it, because King's College doesn't actually exist.

So once you've installed PRTG and enabled SSL, these days, and set an administrator's password for your PRTG installation (the default really is just PRTG, PRTG), PRTG will also generate a passhash for you as well to use with its RESTful API, so you don't need to worry about sending your
username and password in full; you can use that instead. Once you've done that, enable AD access, so PRTG will talk to your Active Directory servers, and we're going to add the Domain Admins group, or any other group that you decide, to either have administrative access to PRTG or read access to one very specific application within PRTG. So for instance our JCR helper, who handles the topping up of the paper in the photocopier rooms and reports issues to us from the students if it's a large and wide-reaching thing, actually has access to the PRTG sensors that are on our printers, or monitoring the printers, to see when the paper trays are running low, to see when the toner is running out, thereby saving a little bit of time for him to actually go and top those up. Really it's just a case of enable AD, point it at the group that you want to use from the list that it provides, and the permission: access yes or no. Once you've done that you can then log in with accounts that are members of that group.

Now the very first thing I'll suggest you do is log in and then delete everything PRTG has just done for you. It will kick off an unauthenticated scan of whatever it can see inside your network, so really it'll just start looking at pings and other things it can figure out; in this case we just go through and delete absolutely everything and then start making your own groups. You can organize PRTG however you'd like. In the past we first started out by having groups for our different annexe buildings, for example, and then on our maps we could display geographically where they were; as time has gone on we've really just consolidated it around the notion of servers and then websites and all those basic kinds of groups there. For each group that you create, provide it with some credentials so it can log into that machine and get the data out of it. Now it's worth noting that on Windows you can actually enable the SNMP feature to monitor Windows through SNMP without providing domain administrator
credentials or administrator credentials on that machine. Once you've created your group, any other client that's within that group will automatically refer to those credentials. So start putting in your hostnames for the machines that you want to monitor; in this case one of the domain controllers. We're going to give it a nice little icon, and it'll kick off auto-discovery after that. Alternatively you can keep populating these manually, based upon just typing in the text; you can point it at a list of servers if you've maybe exported it from AD using PowerShell or another scripting language of your choice; and it's got this auto-discovery feature. For the auto-discovery it's got a list of things that it kind of expects to see, things like a ping sensor just to see if the server is up in the first place, ranging all the way down to seeing if the server has got the latest Windows updates applied to it, so it kicks off a little script on the server: hey, what's the latest update status, do you have any updates? If yes, it'll report it back in PRTG for it.

Other things, like I was mentioning earlier, monitoring websites. So there we can see our Windows services ticking away; we can add another group, and we're going to monitor the Queens' College website. In this case we're going to look for the HTTP sensors to see how fast the response time is when querying that server. We then get it to query its SSL certificate to see when it needs to renew, and it's also going to check that SSL certificate to match and make sure that the SNI matches what's in the certificate. Equally so, if it starts responding with the wrong certificate, it'll report that for you as an error inside PRTG. Then finally, once we scroll through, PRTG have, or they have, sensors in data centres around the planet, and they will offer you a free cloud service where they will then check whether your website loads and how fast it loads, what its response time is and such like, on a global scale, going from Asia to America
and such like. For each of these sensors you can configure custom thresholds, so if you see your website starting to take longer than 200 milliseconds to respond you can set that in PRTG and that will generate alerts for you. So in this case our certificate sensor is going to check that the common name matches what's in the certificate. Things like certificate sensors, given that they don't really need constant monitoring, you can set them to only poll that certificate once every 24 hours, perhaps, just to make life a little bit lighter on your servers. Now the different sensors within PRTG have different load levels that they'll place on the server: things like monitoring SNMP traffic for a network switch port is a really low-impact sensor, whereas things like polling through WMI and PowerShell are much more intensive sensors for PRTG. In the case of the environment we've got set up here, it's just another case of 4 gigabytes of RAM, four processor cores, a 127-gigabyte hard disk, and that runs quite happily. For the actual deployment inside Queens' College we're again running four gigabytes of RAM and four virtual CPUs, and that's enough to happily monitor the thousand sensors that we're running.

So, monitoring network switches. I had a couple of switches plugged into this; we're going to create another group and this time create SNMP credentials for them. PRTG supports v1, v2c and v3; in this case I've enabled SNMP v3 on the switches. We're also going to configure a scan range, so you can tell PRTG: look at everything within this range of IP addresses and scan them, with SNMP v3 enabled and our credentials in there, and it'll start to talk out to the switches. Again, as part of the auto-discovery PRTG will reach into those switches: hey, what do I have that you might be interested in? Again looking at the ping sensors, looking at things like system uptime, memory usage. Not so long ago we had a couple of switches that had really quite nasty memory leaks, and PRTG was warning us about those; memory
utilization went all the way up, the switch effectively started forgetting its config. Rebooting it and upgrading it to the latest firmware version helped, and PRTG was the thing which actually alerted us about that in the first place.

So, network switches after the initial scan: a couple of sensors. I only plugged a couple of cables into those switches, so it's not really returned much. For things like the traffic sensors you can see how much traffic is, of course, passing through those sensors, but more usefully you can tell it that it's going to be in an error state if that sensor is disconnected, if that port is no longer plugged in. So if you've got uplinks, and perhaps you've got a link-aggregated set of four uplinks into a Hyper-V host, for example, and one of those cables fails or the network port dies on the Hyper-V host, PRTG can tell you: that port has now gone offline, you're now in a degraded state, go and fix the cable. PRTG will also pull through any SNMP details that are inside the network switch, so I've configured one of the ports inside the switch to have a specific name, where it says "hello world", and that's come through in PRTG as well. I'm going to say: show that as an alarm, or disconnected error state. I know there's nothing plugged into that, so it will kick off an alarm.

Once it's done that first scan, PRTG has the wonderful notion of a really nice vibrant red to say hey, something's gone wrong, and this yellowy colour that we'll come on to a little bit later to say something is in a warning state, and the green: everything is up and running. We can configure things like maintenance windows, so if we know that port is going to be offline for some fun and interesting reason between these particular hours, we can then say: hey PRTG, pause that sensor during these periods, you don't need to worry about monitoring that port. It goes into a paused state, clearing that error. Now equally so, there might be occasions where a ping sensor goes offline but that's actually OK.
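The pause described above can also be driven through PRTG's HTTP API, using the passhash mentioned earlier rather than a password. The following PowerShell is an added example, not code from the talk or from Paessler: it pauses one object for a set number of minutes and can resume it early; the server name, object ID, account, passhash and message are placeholders to replace with your own values.

```powershell
# Added example (not from the talk): pause a PRTG object (sensor, device or group)
# for a maintenance window via the PRTG HTTP API, or resume it early.
# Placeholders/assumptions: the PRTG hostname, object ID, user and passhash below.
param(
    [string]$PrtgHost = 'prtg.example.ac.uk',   # placeholder: your PRTG core server, valid TLS cert assumed
    [int]$ObjectId    = 2345,                   # placeholder: the object ID shown in the PRTG URL (id=...)
    [int]$Minutes     = 120,                    # length of the maintenance window
    [string]$Username = 'prtgadmin',            # placeholder: an account with write access to the object
    [string]$Passhash = '0000000000',           # placeholder: generated under the account's settings in PRTG
    [string]$Message  = 'Planned maintenance: uplink rework',
    [switch]$Resume                             # pass -Resume to unpause instead of pausing
)

# Builds the query string and calls one endpoint under /api/. The passhash is
# credential-equivalent, so in real use read it from a secret store rather than
# leaving it in the script; the literal above is only for illustration.
function Invoke-PrtgApi {
    param([string]$Endpoint, [hashtable]$Query)
    $Query['username'] = $Username
    $Query['passhash'] = $Passhash
    $pairs = foreach ($k in $Query.Keys) {
        '{0}={1}' -f $k, [uri]::EscapeDataString([string]$Query[$k])
    }
    $uri = 'https://{0}/api/{1}?{2}' -f $PrtgHost, $Endpoint, ($pairs -join '&')
    Invoke-RestMethod -Uri $uri -Method Get
}

if ($Resume) {
    # pause.htm with action=1 resumes a paused object
    Invoke-PrtgApi -Endpoint 'pause.htm' -Query @{ id = $ObjectId; action = 1 }
} else {
    # pauseobjectfor.htm pauses for N minutes and PRTG resumes it automatically;
    # while paused, the sensor also does not count against the sensor license
    Invoke-PrtgApi -Endpoint 'pauseobjectfor.htm' -Query @{
        id       = $ObjectId
        pausemsg = $Message
        duration = $Minutes
    }
}
```

A patching script can make the same call with the object ID read from wherever you record it (later in the talk it is stored in each computer's AD employeeID attribute).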
So devices like printers: if people turn them off, that ping sensor will go down, and well, you don't really want to be alerted about that printer going offline, perhaps, and you want PRTG to automatically acknowledge it and not generate an error state for you. So in this case, with the MDT server, I can say, in the settings on its ping sensor: if that sensor goes down, set it to an acknowledged state without generating any warnings or alerts. You can simulate error states within PRTG as well, so you don't have to unplug something to test that the alerting features will work fine: just right-click, simulate error. After a refresh or two, refresh all three, by the next one it's gone into a warning stage, it's stopped replying, and then after that it goes into the red error state and it will pause all the other sensors for you.

A little note about the licensing aspects of PRTG: when a sensor is paused it doesn't actually count towards your license. So if you've got 4,000 sensors in your environment, of which you know only 1,000 are actually going to be monitored actively at any given time, get the 1,000-sensor license, and then when you pause that additional thousand, here's your thousand sensors back, unpause the next thousand. I've never actually come across a scenario where that's helpful, but certainly it's a useful little thing to know about their licensing scheme. So in this case, a demonstration from our PRTG environment: the conference office MFD has been turned off, the sensor has gone into an acknowledged state and we're no longer monitoring that printer's details.

So, configuring mail relays: PRTG can talk to up to two mail relays at any given time, if one of them doesn't respond. In this case you just put in smtp.docstore.ac.uk and you can send your mail out that way for your notifications. You can configure a number of different types of notification, and through PRTG they're all done centrally, be that email to the system administrators, send a push notification to Slack, anything else you can
really come up with that's RESTful based. It's also got the ability to talk to SMS services as well, so if you want a text message when your firewall goes offline, and you've got a modem plugged into PRTG for SMS sending or you've got a backup internet connection, PRTG can still send that out for you. And the app itself, for iOS, Android, Windows Phone (I think they've still got a BlackBerry app as well), does support push notifications. As I was saying earlier, before tea and coffee, it's really good to have multiple different notification channels set up; that way, if one of them goes offline, like the mail relay or the internet connection or something like that, you've got another way of PRTG letting you know something's gone wrong. You can also execute custom programs as well, so if you've got a script you can pass that script parameters and it'll go and run that script and let you know that something's gone wrong.

So once you've created your notifications you assign them against your groups within PRTG. It'll by default create one at the very top; just as before, we're going to delete that and set custom notifications on our different groups. So for things like our servers I probably want to know pretty quickly when they go offline; for things like printers, uninterruptible power supplies and other devices I could wait a minute or two to maybe see if that device restores itself before actually sending a notification. You can say how long you want the sensor to be down for before it will send that notification, and what it will do when that sensor comes back up, and equally so there's the option to have a regular reminder, so you could wake up in the morning with 2,000 emails saying this service is still offline, should you so wish. Those can be set at the group level or at the individual device level, or equally so at the sensor level as well.

So, a couple of things from Queens' instrumentation of PRTG. We've got our wireless clients, so we can pretty much tell when the students started
leaving there, and that's just reading SNMP off our wireless controllers. Next, this is showing our Dell iDRAC interfaces, so it says which hard drives are up and running and if one of them goes into an error state; so just as we can configure iDRAC to send us an email, just like PowerShell, it's bringing all these different types of notifications all under the same banner. Equally so, in our room we don't actually have any air conditioning (we need to get an air handling unit in there one day) and occasionally it can get pretty hot, especially during the summer; PRTG can be monitoring the temperature status through a sensor that they've actually made themselves and tell you when it goes into a warning or error state. We've also got it monitoring our helpdesk, so it can show us the line graph of how many helpdesk tickets we've got open; that's just talking to Freshdesk over its own RESTful API, and here's the script that actually does that. You've got a Freshdesk API key hidden there; it's just talking out to that API and then returning a count of the number of tickets, and PRTG then looks at that at the end to say hey, how many tickets have you actually got open?

When we go to patch our virtual machines, as we're running Patch Tuesday, so as we're running these reboots, I don't want a thousand and one notifications from PRTG saying that the servers are offline; I know they're offline, I've told them to go offline. So let's put a maintenance window in there. What we've done inside Active Directory, in its attributes for each machine, is put in its employeeID attribute its ID in PRTG; that way I can send a RESTful request up to PRTG as part of our Patch Tuesday script to say hey, for the next five minutes this server is going to be offline, that's okay, don't email James. And equally so, through Slack we've got notifications that come through throughout the course of the day, so I always have it so that pretty much every sensor goes up to Slack and I can just have that as a
constant scrolling feed on one of my monitors, and then out of hours it's still going into Slack but perhaps it'll also email me; that way I don't get notifications from Slack and email at the same time during the times that I'm actually going to be in the office. And on the knowledge base and community forum they've got loads of examples about how to talk to various different web services, and scripts and cmdlets that you can download from there. A little natty thing: they've got an Enterprise Console application which you can install on your PC; it's a Win32 application, instead of going to the website. And I've set it up such that if I press F9 when I've got a server selected, that will remote desktop into it, and equally so if I've got a switch selected I can press F10 and that connects to that switch. So instead of having my Remote Desktop shortcut, my PuTTY shortcuts, I just select the machine, press the button, and I'm jumping straight into it.

And a final overview of all the different types of sensors that are in there. When I was making these screenshots I got bored by the fourth one because I was still scrolling; if you want to see the rest of them, there's a heck of a lot. There's things like monitoring Dropbox to see how much space is inside that account; there's things like monitoring Dell PowerVault SANs and such like; things like monitoring files, so if you've got a file at the root of your directory that you're saying hey, if this file changes, maybe we've got a CryptoLocker-style environment going on, you can get PRTG to alert you about that. One of the fun and interesting sensors is an SMTP and IMAP round trip, so it'll email out a message to a mailbox that's hosted in some third-party service, it'll then reach into that mailbox, see how long it took to actually get there, and then from that mailbox mail it back to the original account and see how long it took to get there. So if you're concerned that maybe your emails are taking two minutes to get to people where it
should only take one, consider setting up that sensor. Loads more; I won't bore you with all of them, it's just, plain and simple, loads and loads. Further reading: PRTG's website, of course, and I've written a fair quantity about it on the website, things like how to set up sFlow sensors, things like how to set up some maps. I used to have some thin clients that were hanging behind monitors that would then display rotating sets of PRTG maps as kind of a general overview of what was going on. So, questions about PRTG? Is it slightly warmer in here now? No? Anyone running OpenVAS?

So there are only three of us in the IT office; that means we don't have a whole lot of time to play with every single last piece of security software on the planet, and one of the ones that we found that has really, really, really helped us is OpenVAS, which is effectively a penetration testing piece of software, or a vulnerability scanner. It can conduct both unauthenticated and authenticated scans, so if you give it some Windows credentials it will then reach into the registry and the files on that machine to then do a bit more of an in-depth analysis; equally so, if you give it credentials for network switches or other network-connected devices it can see if there's any potential vulnerabilities inside there that it wouldn't be able to pick up just remotely without credentials. It really detects a heck of a lot about out-of-date software. When we first started scanning it was like, I didn't know we had Java on that machine, I didn't know Skype was running there, what's going on? You spend the first couple of days just running around computers and running around things and patching things like crazy, because it said it's a level eight out of ten bug and it can cause remote code execution and people can do all kinds of mean things to your computer; and then after that you just have it running daily and you just start getting used to the background noise and fixing things as you go along, and
it'll also highlight bad configurations for you, that, you know, you really shouldn't be running this configuration, and let you know about them. Equally so, if you really, really, really want to run that configuration that's known to be bad, you can tell it to ignore it, so don't worry about that.

Alternatives: this is a really short list because I didn't look up too much. The university is now starting to look at hosting Nessus, I think, for everyone else; anyone want to give a nod to that, or put any words out about that? Okay. And then a very basic port scanner that will just tell you what open ports you've got running on your machines. One of the really good tools out there is Kali Linux, if you want to go and download that; it's got loads of penetration testing pieces of software on there. Stick it inside a virtual machine for a couple of hours, let it do its thing and tell you what's wrong; it also includes OpenVAS along with other tools as well. Most of the time I look at that as being a spin-it-up, throw-it-away kind of virtual machine, whereas the OpenVAS implementation we've got running on Ubuntu is a bit more of a permanent thing.

I'm not going to take you through the installation of OpenVAS, simply because it takes so long, but I do have a guide written from the viewpoint of a Windows guy who really doesn't know anything about Linux on my website; there's a four-part series on there: how to set up a server initially, the things that you'll probably find coming out of it pretty quickly, the cycles that you'll go through, and things as well. One little note on there: I originally put printers on this graphic; when I started scanning the printers network, PRTG actually started saying no, don't do that, stop, because apparently it can start to send print jobs and people will start to get random things out of it. I also read once that if you get it to scan a VoIP telephone network it will start making telephone calls for you, and people will get OpenVAS saying hey at the
other end. So, a couple of things to be aware of there. As far as the scans we've done so far: all our Windows servers, all our websites, all our IP security systems, be they our network door locks or our security cameras and such like, along with most of our building management systems, have all been scanned without any issues. The one device that threw out the most crazy things was our Palo Alto firewall: basically it started trying to brute-force the firewall, trying to get in through its credentials, and that kicked out how many emails, David? Many, many emails; it was in the thousands by the time. And I set this to run overnight as well, so I didn't even realise what was going on. So be aware of things like that, especially if you've got devices configured to email out when someone decides to brute-force them; but equally so it's a good test of those kinds of measures. It'll take a database of known passwords that people are regularly using, like one-two-three-four-five-six and one-two-three-four-five-six-seven, and test those against machines.

So a couple of things: it's really useful to have reverse DNS set up inside a Windows environment. If you're running DNS on your Windows servers, this allows OpenVAS, when it conducts scans, to also give you the hostname, not just the IP address, of the machines that it's scanned. Setting up reverse DNS: yeah, just press next, put your IP address range inside there (that's our private range that we're using for this testing environment), and over time that will then start to populate with the IP addresses and hostnames for a reverse lookup inside your environment.

Now for authenticated scans on Windows computers you need to enable Remote Registry. We can do that through Group Policy, where we set a policy that enables the Remote Registry service. So we create an OpenVAS-specific policy here and apply it against all our machines; you can enable and disable services through Group Policy, that's through Computer Configuration,
Policies, Windows Settings, Security Settings, System Services. Scroll down all the way to the bottom, you find Remote Registry; you want to have that service set to Automatic. We then need to start securing this again: you've just opened up this massive hole in our computers, let's protect it a little bit. So, Windows Firewall, inbound rules, and we're going to create a predefined rule for File and Printer Sharing; it basically says SMB-In is allowed from the OpenVAS machine, so we're going to restrict that to its IP address only, to prevent that being used as a possible exploit; the address is just going to be that one. Now, I set all of our client devices to reply to pings from inside our network; it just makes life a little bit easier for things like PRTG. I know some people won't necessarily like that, but that's just the way I operate. Equally so, through Windows Firewall you configure it for File and Printer Sharing to allow ICMP echoes on both IPv4 and v6; now for that I'm actually going to set it for all devices, it's just the way I work, but equally so if you wanted to restrict that to just the IP address of OpenVAS, crack on.

So once you've got OpenVAS installed you're all going to jump into its web console, and the very first thing you're going to do is change the password from admin/admin to something else. You might have thought a security piece of software that can do a lot of damage would have a better default password, or at least not allow you to have a default password; oh, what do I know. That's a pretty simple process. So once you're done with that we're going to give OpenVAS some administrative credentials to our Windows computers. As part of the installation of OpenVAS you also install the Linux client for SMB so it can talk SMB to your Windows machines, and then we're going to do that by going up to Configuration and Credentials. You can put credentials in here for VMware, SSH and a couple of other options as well. It would be a good idea to create a specific
account for this purpose and only enable it when you're actually conducting scans. Once we're done with that we're going to set up our targets, so what we're going to start to scan. Now in this case it's going to be the IP address range that's being used (we must figure that out one day); we're just going to tell it the IP address range that we're using for our clients. This could be subnet based, it can be range based, it can be single IP addresses, you can upload from a CSV, pretty much anything you like. We're going to set it so that the alive test is ICMP ping: if it doesn't get a ping reply from the machine at the other end, it won't continue with its scanning. And we're going to say you can use the SMB credentials that we've provided earlier.

Once we've done that, set up a quick task. So we've got our devices that we're going to scan; you can have multiple tasks for each device. These tasks are the bits where you actually say: now go and run the scan, and you can configure these to happen on a schedule, and you can also configure these to have email alerts once they've completed. There's a couple of different options for the type of scan that you can run; Full and very deep is the one that we usually run, and that basically forgets everything it's known about that IP address in the past before scanning; the lesser ones use a bit of the information that they've learned already to scan those clients. Now once you've kicked it off, the length of time that it will take will depend on how big the network range is, how many clients are responding within that network, and the types of devices at the other end. For us, scanning about a hundred computers, doing four scans at the same time and executing twenty vulnerabilities at the same time against those machines, takes about an hour and a half. For scans against our servers we limit it so that only one or two servers are ever being scanned at the same time, to prevent overloading our Hyper-V hosts and hammering the disks too much. However, having said that,
although the PRTG server itself consumes a lot of CPU resource as it runs, we've never really seen it bump up the CPU on the servers themselves too much; but with these things, starting slow is really the best option. So as we can see, executing scans start and find things; "Casey Penn zero one" there is hammering its CPU at nearly 100%. In this case it's got four gigabytes of RAM, four virtual CPUs, and that was all; that scan that we've configured there for those virtual machines takes about 20 minutes. So once the task completes you'll probably get something that looks like this, and you'll go, oh, 10 high? That sounds bad, what's wrong? Start drilling into those reports and you'll see you've got out-of-date machines and various other fun and interesting things.

So click through a couple of those. "Microsoft Windows multiple vulnerabilities": here it's scanned a file inside Windows that will give it an indication as to what patch level that machine is at; this machine hasn't been patched in a while, so we've just got to go and run Windows Update on that one. SMB server vulnerabilities: this machine is susceptible to WannaCrypt. Now we can keep going through there, and we've got SMB brute-force logins with the default credentials; that's for those machines that we set with the password one-two-three-four-five-six, and a couple of other faults there as well. You'll also pick up things on weak ciphers, and if you're running SSL v3, SSL v1 or TLS v1 and such like as well. You can also export these reports as CSV or XML for processing in other pieces of software. What I'll sometimes do, especially if we've got a particularly large report, is dump that into Microsoft Power BI; it's a business intelligence piece of software that allows you to create pretty graphs and so on, and decide who your first targets are going to be, who's your first victims to fix.

So as far as how OpenVAS looks inside college: we've got our scanners configured as two groups of servers that we're going to scan at any given
time, and network ranges that we're going to scan. An example from a testing machine: it's picked up Java vulnerabilities on that machine, for example. So if you've got out-of-date software and it's registered with this global database of software that gets patched, it'll let you know, and equally so it will give you more information: in this case it's saying you're running an out-of-date version, here's the version that it's running, here's where to go to find more about this vulnerability, here's what to do to fix it. An old one: Skype had a DLL hijacking vulnerability inside it, and updating Skype was the simple and easy fix to that. Most of the time, if it's a high-level vulnerability you want to be patching that within the first couple of days of seeing it; if it's a medium-level one, genuinely it depends on what's actually going on on that machine; it requires a bit more intelligence to actually see what's happening and diagnose the issues on that machine. Sometimes you'll also have highs with mediums on the same piece of software, and that's just saying this piece of software is super vulnerable to these attacks and not so vulnerable to other attacks.

So in this case it's a level 4 medium, and it's just a weak-cipher SSL certificate, and this is being used internally inside the college, and I actually know what that host is, and to me that machine running that configuration is okay; if it were published through the firewall for people to access remotely, definitely not okay. So these medium-level vulnerabilities take a little bit more thinking to figure out what's going on. In this case it's reported the SWEET32 attack as a level 5; that is something to consider. However, the SWEET32 attack for internal clients: it's worth noting that for most 802.1X authentication systems, so if you're running PacketFence or NPS, as we'll see later, if you disable that cipher your clients will stop authenticating. So again, it's a medium-level one; on our internal networks we're going to be happy for
this running as a client protocol but if this were running on one of our web servers it's a whole different issue suite 32 attack OS crypto is an easy way to fix these issues and for ciphers and TLS versions free downloads and they've got a CLI version which could be run as part of say an MDT tar sequence or run remotely through a powershell script they've also got a GUI version as well now one this runs on your server it will tell you what its current configuration is the defaults for Windows 10 1709 are actually pretty high as we can see here the defaults for Windows Server 2016 are actually pretty low so they've got through templates and different cipher suites that you can enable based upon best practices established by others so the best practices template actually Rhian Abel's TLS one because some clients might still need to talk to TLS l TLS one websites as I've found out a couple of weeks ago when attempting to visit certain internal university services or make it PCI 3.1 compliant which will knock off TLS 1.0 and disable other options for you it's important noting that after you've run this you need to restart the machine before those changes are applied and please please please do this in a test environment first disabling TLS 1.0 on an SQL server if that server isn't at the latest patch will feature level can kill SQL on that server just as it can kill all manner of other things like 802 u1x authentication so take it slow if you can decide to start doing this it is really worth mentioning though if you're on the latest version of Windows 10 you're good to go already they've already got pretty secure settings set in there now as far as what this is actually doing it's actually just making changes to the registry on your behalf and you can go and examine those registry changes and see what's enabled and what's disabled based upon responses in red edit if you really don't like the piece of software you can also take a scraping of all these registry changes 
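Since the talk stresses that IIS Crypto only edits SCHANNEL registry keys, the following is an added example (not the speaker's code, and not part of IIS Crypto) that reads those keys back so you can see what a server is actually offering before and after applying a template. It only reads the registry. The key and cipher names are the standard SCHANNEL ones; an absent key is reported as "default", which the script does not resolve to an OS-specific answer (the talk notes that Server 2016's defaults are permissive).

```powershell
# Added example: audit the SCHANNEL protocol and cipher keys that IIS Crypto edits.
# Read-only; run in an elevated PowerShell on the server you want to inspect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$Key)   # e.g. "Protocols\TLS 1.0\Server" or "Ciphers\Triple DES 168"
    $path = Join-Path $base $Key
    # No key at all means nothing has been set and the OS default applies.
    if (-not (Test-Path $path)) { return 'default (key absent)' }
    $props = Get-ItemProperty -Path $path
    if ($null -eq $props.Enabled -and $null -eq $props.DisabledByDefault) { return 'default (no values)' }
    if ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) { return 'disabled' }
    return 'enabled'
}

# Protocols: TLS 1.0 is what the PCI 3.1 template turns off and Best Practices keeps on.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$report = foreach ($p in $protocols) {
    foreach ($side in 'Server', 'Client') {
        [pscustomobject]@{ Item = $p; Side = $side; State = Get-SchannelState "Protocols\$p\$side" }
    }
}
# Ciphers: 3DES is the 64-bit block cipher behind the SWEET32 finding in the scan.
$ciphers = 'Triple DES 168', 'RC4 128/128', 'AES 128/128', 'AES 256/256'
$report += foreach ($c in $ciphers) {
    [pscustomobject]@{ Item = $c; Side = 'Cipher'; State = Get-SchannelState "Ciphers\$c" }
}
$report | Format-Table -AutoSize

# Flag the two things the scan reported: TLS 1.0 offered server-side, and 3DES not disabled.
$report | Where-Object {
    ($_.Item -eq 'TLS 1.0' -and $_.Side -eq 'Server' -and $_.State -ne 'disabled') -or
    ($_.Item -eq 'Triple DES 168' -and $_.State -ne 'disabled')
} | ForEach-Object { Write-Warning "Review: $($_.Item) ($($_.Side)) is $($_.State)" }
```

Run it before applying a template, reboot after applying it as the talk says, and run it again; the difference is exactly the set of keys the template touched, which is also what you would need to put into a Group Policy registry preference if you go that route.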
But again, please test it thoroughly before you go and do this; you can break a whole lot of things that are really hard to fix if you don't do it right. Not saying that I did. A couple of giggles from that.

So, further reading: the OpenVAS website, where you can go and trawl around. They've got a virtual appliance which you can download; I would suggest you completely ignore that, it's actually missing quite a few features. Your better option is to install it on a Linux distribution of your choice; you can get Kali Linux as well, of course. I've got my blog post series on how to install it from the perspective of a person who really doesn't know anything about Linux, and there's a lynda.com course as well which covers pen testing and all kinds of security courses as well. Any questions on that?

[Audience question about whether the scans have affected any devices.] Yes, other than the printers and VoIP phones, when it started saying "no, don't do this", every device that we've scanned, other than kicking out loads of logs from the firewall, hasn't caused detrimental effects. Now, there is a higher-level scan that it can conduct where it will actually try to maliciously attack your server and start and stop services that are running on that. Now, that would be a good option if you want to establish a kind of baseline of "can I attack this?" against a testing virtual machine; really not a good idea to run that against a live machine.

[Audience question about how the scans are grouped and whether they cover the whole network, including things like eduroam.] Yes, so those scans that we've configured cover every device, every client that we've got out there. Some of them really are "here's a list of the servers"; I know what the list of servers is because I can look at them in Active Directory. The other ones are "here's the DHCP range for our wired clients, here's the DHCP range for our wireless clients, here's the VLAN and range for our security devices". Those ones really do do a massive broad scan and just look for devices that respond to pings. Equally so, if I wanted to do a scan that didn't rely on pings it would take absolutely ages to scan. [Audience: everything?] Yeah. So in our case most of our scans are a couple of hours. We've grouped them by the servers that we run, and most of the time they're running during the quiet hours; the client networks, that runs at about 10 o'clock during the course of the day, when most PCs are actually turned on in the first place, and that one's an hour and a half to two hours depending on how many computers have actually turned on. Anyone else who thinks they can find some fun and interesting things when they run OpenVAS on their networks? Excellent.

Right, and so it goes on. So: Windows Server Update Services and Chocolatey. WSUS is Microsoft's method of managing what patches and security updates go on your computers. It's important to note, if you are running Windows 10 Professional, ignore everything: use Windows 10 Enterprise for Education. Microsoft have already shown that Professional is actually more orientated towards the consumer who needs a couple of extra features, more so than just base Windows 10. If you're running Windows 10 in an enterprise-class environment with Active Directory and domain controllers and WSUS, you really need to be running Windows 10 Enterprise; it's free through the university anyway. It covers Microsoft software, including Windows itself, and then the roles, features and other Microsoft software like Office. Silverlight was a good one that OpenVAS detected for us; we had a couple of Silverlight deployments out there, and we got WSUS spun up to start looking at Silverlight and start patching that for us. Equally so, WSUS can be mangled slightly to talk to other repositories of updates that can be pushed out through the same mechanism, so there's a piece of software up there called System Center Updates Publisher, Local Update Publisher and also WSUS Package Publisher that allow you to take repositories from Adobe and other companies and push updates for things like Acrobat, Flash, Java and suchlike out onto your machines through the same infrastructure that's used to patch the Windows and Microsoft services on those. And Chocolatey is something I've thrown in there just as a little side project that we're working on at the moment; it's a Windows package manager, so just as you've got apt-get and yum for Linux services, it's a similar notion to that, and we'll have a quick look at that as well. And alternatives: to be honest, your only real option is to talk straight to Windows Update itself, and that doesn't offer you much flexibility in approving or denying updates at all.

So the installation of WSUS, guess what, is kicked off by PowerShell. Now, you can tell WSUS to install using its own internal database or using a SQL Server if you wish; in this case we're just going to use its own internal database. We also want the UI elements for it as well so we can manage it from the server directly. There are RSAT tools for WSUS as well; however, I would typically suggest you have a full server install of WSUS and you run the server tools on that directly. Loading the management console, particularly if you've got a large number of updates inside there, is a bit of a drag sometimes. Equally so, you can manage it through PowerShell as well, so you can just say "approve all the updates that are needed" as necessary through PowerShell. So once it's completed its installation you're going to kick up the installation and configuration wizard. Now, for us we don't actually store our updates locally; if we were to, we would need about 350 gigabytes of storage, which is about half the entire size of our file server, so I'm not too keen on just keeping storage around for no particular reason. If you're bandwidth constrained, or if you don't like pushing things onto university backbone networks, you can store your updates locally; however, keep in mind that that folder can balloon very quickly. So once you've configured that, once you've said we're going to keep our updates downloading from Windows Update direct and we're just going to use WSUS to manage those updates, we go through the wizard, and at some point we reach the stage where we say "start connecting". This starts reaching out to Microsoft Update to say "hey, what types of updates are currently available, what categories, what software?" This will take an age; at this point go get a cup of coffee, go to lunch, go for another cup of coffee, come back at the end of the day, it will be done. That's just life, and during this it's really hammering its internal SQL server, because it's going to populate all these different products that are available for you. First thing to do: make sure none of them are selected, and go through and find the ones that you do want: Windows 10, Windows Server, Microsoft Office, Windows Defender if you're using it, Silverlight, anything else that you happen to be using; it's all available through there. If you click on the updates themselves or if you click on the products it'll give you a bit more of a description about what that product actually means, and it has things in there for Windows XP as well, so if you've got Windows XP for some strange and interesting reason and Microsoft kicks out an update to Windows XP you can still turn it out through WSUS. Next we need to select a couple of boxes which aren't on there by default: upgrades, update roll-ups, updates; and we're going to set it to automatically sync with Windows Update once an hour. So if you've got things like security patches for Windows Defender, those are being released once an hour, so it's a good idea to regularly sync your Windows Update. So once you finish, begin the initial synchronization, and once again go out for a cup of coffee, come back the following day; if you're lucky it'll be done. You can see that synchronization is running; it gives you eventually a progress bar or a percentage.
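The install and wizard steps just described, as an added example done entirely from PowerShell with the UpdateServices module (this is not the speaker's script). Assumptions: you run it elevated on the future WSUS server, the content folder path is a placeholder (WSUS requires one even when clients fetch binaries from Microsoft Update), and the product titles are examples of the ones the talk names; check the exact titles on your server with Get-WsusProduct. The category sync and the first full sync take as long as the talk warns.

```powershell
# Added example: WSUS role install with the Windows Internal Database and the console,
# post-install, product/classification selection, hourly sync, then the first sync.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-UI `
    -IncludeManagementTools

# Post-install needs a content directory even when binaries stay on Microsoft Update.
$contentDir = 'D:\WSUS'   # placeholder path
New-Item -ItemType Directory -Path $contentDir -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$contentDir

$wsus   = Get-WsusServer                 # local server, default HTTP port 8530
$config = $wsus.GetConfiguration()
$config.HostBinariesOnMicrosoftUpdate = $true   # WSUS approves; clients download from Microsoft Update
$config.Save()

# "Start connecting": pull the category list before products can be chosen.
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 60 }

# Products: deselect everything first, then pick only what you actually run.
$wanted = 'Windows 10', 'Windows Server 2016', 'Office 2016', 'Windows Defender', 'Silverlight'
Get-WsusProduct | Where-Object { $_.Product.Title -notin $wanted } | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -in $wanted }    | Set-WsusProduct

# Classifications: the defaults plus the boxes the talk adds (Upgrades, Update Rollups, Updates).
$classes = 'Critical Updates', 'Security Updates', 'Definition Updates', 'Update Rollups', 'Updates', 'Upgrades'
Get-WsusClassification | Where-Object { $_.Classification.Title -in $classes } | Set-WsusClassification

# Sync automatically 24 times a day (once an hour), then kick off the initial synchronization.
$sub.SynchronizeAutomatically = $true
$sub.NumberOfSynchronizationsPerDay = 24
$sub.Save()
$sub.StartSynchronization()
```

Keeping this as a script rather than clicking through the wizard gives you a record of exactly which products and classifications the server subscribes to, which is the first thing to check when an update you expected never appears.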
I think at this point I gave up and went to bed.

Next we're going to configure some Active Directory security groups. So when we deploy our updates we're going to want to deploy some of the updates to test clients and test servers first, before we deploy them to the rest of our environment. In this case we do that by creating two security groups in Active Directory that we'll then add our testing clients to. So if you've got a virtual machine with Windows Server on it but nothing else, feel free to add that client; if you've got your ICT office machines and you guys want to test the latest updates for your users first; if you've got a couple of users who are actually quite tech-savvy and happy for their computer to be broken for two hours before you fix whatever, put their computers in those security groups as well.

Next we need to configure our group policies. Through Group Policy we point our clients at our Windows Update server to say "hey, this is where you go to get your updates". We're going to configure four policies. One of them is for our Clients Fast, and what we're going to do there is say "these are our fast clients". In the other Clients policy, that's where we configure everything else: that's where we say reach out to this server, that's where we say when to update, how to reboot and things like that. Don't forget your domain controllers as well; they go to their own OU by default, so make sure you link one of your update policies to that. For your Clients Fast, remove the default security group for it and add in the one that you created; that way this policy will apply to those clients in particular. Make sure you head to the Delegation tab and add Authenticated Users with read access; something new for Group Policy is that if you use security filtering, that needs to be in there, otherwise it breaks. The same applies to your servers group as well.

So once we're done with that we need to configure the policies themselves. We're going to right-click, Edit, Computer Configuration, Policies, Administrative Templates, and we scroll through the big long list: Windows Components, Windows Update. I usually sort it by letter and then churn through all these. We want immediate installation for updates that are not going to affect Windows services. We're going to say "hey, if you've got signed updates from another service that's internal to the network, you can use those". How often do you want to detect new updates? That's how often your clients poll your servers; I usually set that around two to four hours. There's a good description there about why you might want to do it for longer, though. And then we get to the good bit, where we say "hey, when do we actually want our updates to install, and do we want to let the client know what we're going to do about it?" So in this case it's going to automatically download those updates the moment it's seen them, and it's going to install them during automatic maintenance, which is a feature for Windows 10. Equally so, for our other clients we're going to say install at four o'clock, so that way at five o'clock, when people are leaving their computers to go home or thereabouts, they can then shut down their computer, or apply the updates, or reboot their computer to be ready for the morning. Following that, client-side targeting is the bit that allows us to say "these clients get these updates", and we're just going to put inside there the name of the group that we're using, in this case just Clients. So when we go and look at our WSUS server later, any machine which is getting this policy applied to it, we can say these updates will go on through it. Then Windows Update Power Management, to wake up the computer if that's enabled on that computer; I've very rarely seen that work, but it's good to enable all the same. And then go and configure the path to your update server. Now, if you've enabled HTTPS on your Windows Update server make sure that says HTTPS, and the port number will be 8531 instead of 8530 as it is here. If you're publishing your Windows Update server through your firewall, which is actually quite a good idea, make sure you enable SSL for it and that you reconfigure these policies; that way, when clients are outside of your network and not connected to a VPN they can still get their Windows updates, especially if that machine is outside of the network for a long time.

So for our fast ring all we're going to do is say client-side targeting is for Clients Fast, and then, courtesy of Group Policy ordering (it's a very pretty policy), if you've got a policy which is higher, as in number one, that policy will be the one which actually applies to the clients at the end. So your machines which have Enable client-side targeting set as Clients Fast will actually get that policy rather than the one that just says Clients; all the other settings that we've configured in the previous policy will filter through as well, unless they're configured in this pane here. Now, for the servers it's ever so slightly different. What I usually set them to is "auto download and notify for install"; that allows me to then invoke PowerShell on those servers to say "now I want you to install the updates". We know Server 2016 introduced this horrible feature whereby Microsoft will decide when your server updates and when it reboots unless you set this, and equally so there's another feature in there that says when it installs the update Microsoft will decide when your server reboots unless you do something else, which I'll show you in PowerShell in a minute or two.

So once we've done that we need to create our groups inside WSUS. We're going to say, in the options, that we're going to use groups defined by Group Policy, and we create the groups as per the client names that we had earlier, so it's Clients, Clients Fast, Servers and Servers Fast. So after a time, after your Windows clients start checking in to your update server, those clients will start to drop through into your update server and you can scroll through and see which ones are set as Clients Fast and which ones are set to Servers.
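The Group Policy settings just walked through end up as registry values on each client, so they can be checked after gpupdate. The following is an added example (not from the talk) that reads the policy a client has actually received and flags the two points the speaker makes: an update server reached over plain HTTP rather than HTTPS on 8531, and client-side targeting that is switched on without a group name that matches a WSUS group. The value names are the standard Windows Update policy registry values; the checks and messages are the example's own.

```powershell
# Added example: report the Windows Update policy a client received and flag weak settings.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name }
}

function Get-WsusClientPolicy {
    [pscustomobject]@{
        WUServer             = Get-PolicyValue $wu 'WUServer'             # "Specify intranet Microsoft update service location"
        WUStatusServer       = Get-PolicyValue $wu 'WUStatusServer'
        UseWUServer          = Get-PolicyValue $au 'UseWUServer'          # 1 = actually use WUServer
        AUOptions            = Get-PolicyValue $au 'AUOptions'            # 3 = download and notify, 4 = scheduled install
        ScheduledInstallTime = Get-PolicyValue $au 'ScheduledInstallTime' # hour of day, e.g. 16 for four o'clock
        DetectionFrequency   = Get-PolicyValue $au 'DetectionFrequency'   # hours between polls
        TargetGroupEnabled   = Get-PolicyValue $wu 'TargetGroupEnabled'   # "Enable client-side targeting"
        TargetGroup          = Get-PolicyValue $wu 'TargetGroup'          # e.g. "Clients Fast"
    }
}

function Test-WsusClientPolicy {
    param($Policy, [string[]]$KnownGroups = @('Clients', 'Clients Fast', 'Servers', 'Servers Fast'))
    $findings = @()
    if (-not $Policy.WUServer) {
        $findings += 'No intranet update server set; this client talks to Windows Update directly.'
    } elseif ($Policy.WUServer -notmatch '^https://') {
        $findings += "Update server '$($Policy.WUServer)' is plain HTTP; use https://<server>:8531 if clients roam outside the network."
    }
    if ($Policy.WUServer -and $Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the WUServer value is ignored.'
    }
    if ($Policy.TargetGroupEnabled -eq 1 -and ($Policy.TargetGroup -notin $KnownGroups)) {
        $findings += "Client-side targeting names '$($Policy.TargetGroup)', which is not one of the WSUS groups; the name must match exactly."
    }
    if ($Policy.AUOptions -eq 4 -and $null -eq $Policy.ScheduledInstallTime) {
        $findings += 'Scheduled install chosen but no install hour set; the policy default will apply.'
    }
    return $findings
}

$policy = Get-WsusClientPolicy
$policy | Format-List
Test-WsusClientPolicy -Policy $policy | ForEach-Object { Write-Warning $_ }
```

The group-name check matters for the reason given a little later in the talk: WSUS groups are matched by the exact string in the policy, so one stray character leaves the machine in Unassigned Computers and it never receives the ring's approvals.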
That little yellow warning icon to the left-hand side of each client means that there are updates waiting to be approved or installed on those clients. [Audience question about whether the WSUS groups have to be created by hand.] As long as you set them at some point it's okay, so you do need to manually create them; they're not going to happen by magic. So in client-side targeting, if you then put another character at the end, you then need to go and change it in here as well; so it is dependent on the names in here. Equally so, through Options you need to tell WSUS that it's going to be using these groups as defined through Group Policy.

So once you've done that we need to start approving some updates. All Updates will give us a big long list of all the ones that are currently unapproved, and what you then need to do is say: superseded, let's decline all the updates that have already been superseded by other updates. You can see that by this little icon: the one with a blue icon at the top, that's saying that's now the top-level update; the intermediary one and the one with a blue icon at the bottom are all updates that have been superseded. Multi-select those, right-click, hit Decline, and that way you can make sure that these older updates aren't applied to your clients; you then go through and apply the newer updates to your clients. It also helps to improve performance on the database, I've heard somewhere; no idea. [Audience: and the cleanup wizard as well?] Yes, and I've found this to be a little bit more reliable than the cleanup wizard, but yes, you can through the cleanup wizard; that'll take an age. Then we actually approve our updates. So we're going to refresh, see that we've got fewer updates to look at now, and we're going to filter by the updates that are actually needed, so here's our list of updates that are still needed by our clients; we're going to multi-select those and approve them for our fast deployment ring. We can then go to the computers that are in our first deployment ring and manually set them to update, or set them to update through PowerShell or some other method that will get those clients to update, so we can test those updates first.

Now, it's worth noting that Microsoft now has the notion of security updates and feature updates, all of which are then brought under the notion of a cumulative update. So if you apply any cumulative update, that will always bring that client up to that very latest patch level; you don't need the updates that came before it. The total update roll-ups that are in there will apply both the feature and the security updates for your environment. If for whatever reason you don't want the feature updates, which are mainly actually just fixes for the features that are already in the operating system, you can just approve the security ones for a period of 18 months since Microsoft released that version of Windows 10. So after a short while, on our client PC that's approved for the fast ring, we can go to Update & Security and we can see that it's got some updates available for us and that they're slowly churning away. If you do happen to approve the security, feature and cumulative updates for your clients, which is what I typically do, it will always install the one that it actually needs, which would be the cumulative update; however, I have seen cases whereby maybe the feature update didn't install and it then drops through to install at least the security updates, so it's good to approve all the different options. Meanwhile, on our PC that's not been approved for the fast ring, when we go to Settings we can see that actually it thinks it's already up to date; not actually true, but it's just referring to the information that's coming from the WSUS server. So once you've approved your updates, once you're happy that those updates are going to fix things, then you have to go back to WSUS, approve all updates and apply them to the Clients; that zips through, and then make sure those policies apply to all the clients. Updates still visible as needed, though, have been approved for some clients but are still needed by other clients, so they'll stay in there until every client has actually got them.
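The speaker mentions that the approvals can be driven from PowerShell instead of the console. The following is an added example of that routine with the UpdateServices module (it is not the speaker's script): decline what has been superseded, approve everything still needed for the fast ring, and later promote to everyone. Assumptions: it runs on the WSUS server itself, and the group names are the ones from the talk.

```powershell
# Added example: the decline-superseded / approve-needed routine from the console, in PowerShell.
Import-Module UpdateServices
$wsus = Get-WsusServer

# 1. Decline updates that a newer update has superseded (the "blue icon at the bottom" ones).
$superseded = @(Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.IsSuperseded })
"{0} superseded update(s) to decline" -f $superseded.Count
$superseded | Deny-WsusUpdate

# 2. Approve what clients still report as needed, but only for the fast ring.
function Approve-ForRing {
    param([string]$TargetGroup)
    $needed = @(Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status Needed)
    "{0} needed update(s) to approve for '{1}'" -f $needed.Count, $TargetGroup
    $needed | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
}
Approve-ForRing -TargetGroup 'Clients Fast'

# 3. Once the fast ring has tested them: everything already approved somewhere and still
#    needed gets approved for the general Clients group as well.
function Promote-ToClients {
    param([string]$TargetGroup = 'Clients')
    Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Needed |
        Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
}
# Promote-ToClients   # run this in a later session, after the fast-ring machines have installed cleanly

# 4. A quick view of which clients still need something (the yellow warning icon list).
Get-WsusComputer -UpdateServer $wsus -ComputerUpdateStatus Needed |
    Select-Object FullDomainName, LastReportedStatusTime, LastSyncTime |
    Format-Table -AutoSize
```

Declining superseded updates first keeps step 2 from approving an older update alongside the cumulative one that replaces it, which is the same reason the speaker does the decline before the approve in the console.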
Yes. So as far as the Windows 10 strategy for patching goes, I've got links to a little bit; the latest is from a Microsoft Ignite conference, with Microsoft basically recommending being at the latest version. However, they also have the notion of Current Branch for Business, and this is effectively the one that they're saying "we know this is really good, really stable, we've worked a heck of a lot on it", and the Current Branch for Business according to this chart is Windows 10 1607, which may seem actually quite old; we've had 1703 since then, and 1709 now, but that version is still going to be supported for the next six months, which gives you time to then plan what your next version is going to be. Now, again stolen from some Microsoft slides: Microsoft are now pushing us towards the notion that applying Windows feature updates should be something that we're doing on a regular basis, and by using things like having a fast ring and having a slow ring we can manage that. We can test it on the different types of computers we've got in the environment, we can see how those updates apply, and then when we're happy we can deploy them to the broad user base, which is pretty much what we're doing inside here. Equally so, if you deployed Windows 10 1709 now, or at least when it was launched, you've still got 18 months of support for it, so you can still crack on and use that version until it actually runs out. So a couple of looks at our WSUS server here: I've got a separate group set out for the different update roll-ups; we've got 1703 there, there is this update roll-up. [Audience: has that been deployed here?] Yep, several times, yes. So a couple of points on that one: if you've enabled any of the settings in Group Policy to manage the feature updates, you've probably broken something, because Microsoft has the notion that you can either use WSUS or you use Windows Update for Business. Windows Update for Business is purely used through Group Policy; WSUS is the more advanced management console for that. So it's worth noting that if you've gone into Group Policy and you set "Current Branch for Business", "deny latest updates" or "approve latest updates", that's probably actually broken something, unless you're intending on using that feature instead of WSUS. As far as actually deploying the updates goes, it has actually just been working for us. Most of the time we find it takes 2 or 3 days for the update to actually materialize on the PC; it'll then start extracting itself on the PC, it'll then give the user a prompt that the next time you reboot we're going to install the latest Windows feature update, and it actually goes ahead and does it. So sometimes it's just a case, for the feature updates, of waiting a couple of days before they actually materialize on the clients. Yep, it's supposed to be managed through Microsoft's new idea of maintenance windows, which I've never quite got my head around.

But hang on. So, how we actually manage Windows Update on our servers: there's a PowerShell module which we use to manage it, and the version we are on at the moment is actually 1.6.1.1. There is a version 2.0, which could be completely better than the version that I'm showing here, but I haven't actually played around with it yet, so we'll use the older version; the same notion applies to the newer version as well. So on my management computer, for managing my server updates, so saying when I want updates to deploy, I've got Get-WUInstall, which comes from that PowerShell module inside the PowerShell Gallery, and then my Windows Update script. Now, in there, Get-WUInstall at the very bottom of the script then says "run itself, accept all updates and ignore any prompts to reboot". So this is the script; when that's fired off on the server it'll actually kick off the updates on that machine. Now, the script which I use to then manage the updates, this is a much more simplified version but the same principles apply. First we get a list of all the servers inside our domain, in this case just querying Active Directory and combining the two results from the server OU and the domain controllers OU into one parameter. After that we've got another function which jumps into the server, executing remote commands against it. The first bit is to tell the server to just disable the auto-reboot task introduced in Server 2016; this bit basically breaks one of the scheduled tasks inside that machine that will, quite helpfully for you, reboot your server at the worst possible time, like three o'clock. So there's a little bit of verbose output there that says "hey, this is what I'm going to run". It creates a temporary directory on the client PC at the other end, or the server PC at the other end, and then copies over that Get-WUInstall script onto that machine. Once it's done that, it then creates a scheduled task on that machine to run that script, which will update Windows on the machine. Now, there isn't actually a direct way through PowerShell yet to say "hey, run Windows Update on this computer", so what most people will do is create a scheduled task on that machine and then kick off that scheduled task remotely; that has the same effect of running Windows Update on the machine. So if we look further down there, on lines 69-61, that's where it then invokes a remote command against the machine to say "hey, run Windows Update". I then configured the script to take a break of 30 seconds before running the next client, and at the very bottom we've got an Out-GridView there for the servers, so when I actually run this script I'll get a prompt to say "hey, which servers do I want to update right now?"; I can use multi-select or single-select and it will then go off and talk to that server. Now, this script doesn't actually include it, but once you've then updated all your servers and disabled the helpful reboot tool, you can then invoke a remote command on the computer simply using Restart-Computer and then the computer name, and that will then shut down and restart that computer for you at the other end, that server at the other end. That way we know the updates on your servers are completely managed by you and not by Microsoft. So when you actually kick off the scheduled task, this is what it kind of looks like on the machine, looking at Task Manager here: after a second or so we'll see loads of CPU activity; the Local System process will jump all the way up to the top, indicating that it's running Windows Update on the machine. And there it is, chewing through loads of CPU for you. And in Task Scheduler, of course, if you were to right-click and refresh that, you'd see that the script is then running and managing Windows updates. Any questions on Windows Update?

[Audience question about getting the same control over reboots on client PCs.] Yep, I'm just doing it now. So for Windows Server, if you configure it like this and disable that scheduled reboot task, you have complete control. For your client PCs, if you were to use the same method to break the scheduled tasks inside there in the same manner, you could have that same level of control. And what I think it is at the moment, it's after three days: after installation of updates, if it doesn't reboot, it will force a reboot without question. But certainly, if you wanted your client PCs to not reboot until the time of your choosing, break the scheduled tasks using this script, which I'll email out, included with everything else. Yeah, anyone else? I know updating isn't the most attractive subject on the planet, is it. [Audience question about equipment control computers.] Are they running Windows client, Windows Server, or what are they actually running, is it XP Embedded or something? You can set a deadline to say "by this time it must have installed the update", but are you on about managing the reboots or managing the installation? [Audience reply.] So yeah, after three days on Windows 10 it will reboot regardless. Yeah, so you can still break the update scheduled tasks just as we do with the servers.
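The server patching pattern described above, written from scratch as an added example; it is not the speaker's script and does not reproduce it. It follows the same steps: list servers from Active Directory, disable the Server 2016 auto-reboot task, copy a small Get-WUInstall wrapper to the server, run it from a scheduled task as SYSTEM, pause between servers, pick targets in Out-GridView, and reboot only when you choose. Assumptions: PSWindowsUpdate 1.x is already installed on each server, you have admin rights and WinRM to them, and the built-in reboot task is \Microsoft\Windows\UpdateOrchestrator\Reboot on your build (verify with Get-ScheduledTask before relying on it).

```powershell
# Added example: orchestrate PSWindowsUpdate on domain servers without letting Windows pick the reboot.
Import-Module ActiveDirectory

function Get-DomainServers {
    # Domain controllers plus every enabled computer whose OS name says "Server", de-duplicated.
    $dcs     = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    $members = @(Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq "True"' -Properties OperatingSystem |
                 Select-Object -ExpandProperty DNSHostName)
    ($dcs + $members) | Sort-Object -Unique
}

# The wrapper that runs on the server: accept every approved update, never reboot on its own.
$updateScript = @'
Import-Module PSWindowsUpdate
Get-WUInstall -AcceptAll -IgnoreReboot |
    Out-File -FilePath C:\Windows\Temp\WUScript\WindowsUpdate.log -Append
'@

function Start-ServerUpdate {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $updateScript -ScriptBlock {
        param($ScriptText)
        Write-Verbose "Preparing $env:COMPUTERNAME" -Verbose
        # Stop the OS rebooting the box at its own chosen time after the install (assumed task name).
        Disable-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Reboot' `
            -ErrorAction SilentlyContinue | Out-Null
        $dir = 'C:\Windows\Temp\WUScript'
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Set-Content -Path "$dir\Update.ps1" -Value $ScriptText
        # Windows Update will not run in a remote session, so drive it from a local task running as SYSTEM.
        $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                        -Argument "-NoProfile -ExecutionPolicy Bypass -File $dir\Update.ps1"
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName 'RemoteWindowsUpdate' -Action $action -Principal $principal -Force | Out-Null
        Start-ScheduledTask -TaskName 'RemoteWindowsUpdate'
        "$env:COMPUTERNAME: update task started"
    }
}

# Choose servers interactively, then run them one at a time with a pause in between.
$targets = Get-DomainServers | Out-GridView -Title 'Servers to update' -PassThru
foreach ($server in $targets) {
    Start-ServerUpdate -ComputerName $server
    Start-Sleep -Seconds 30
}

# After checking the log and the task state on each server, reboot on your own schedule:
# Restart-Computer -ComputerName $server -Force
```

Keeping the reboot as a separate, deliberate Restart-Computer call is the point of the whole exercise: the install happens under a task you started, and nothing on the server restarts it until you say so.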
Equally so, if the machines are turned on all the time, which I guess they probably aren't, you can invoke the remote reboots at times of your choosing. So maybe monitor those devices themselves, and then when they're idle you can reboot; it's just the scheduling. Equally so, there are those versions of Windows 10 IoT as well, which are designed around that purpose as well, so embedded devices that shouldn't be rebooted. Equally so, break the update reboot.

And so, Chocolatey: a quick run through this one, and then we've just got enough time for the last presentation. It's something we've been playing around with and haven't quite got fully developed yet, but it might spark off some ideas. It's the package manager for Windows, and its installation is just kicking off a PowerShell script that's elevated; you can get this script from the Chocolatey website. When that installs, it will install some new features on your computer that allow you to have effectively the same kind of features as apt-get or yum in Linux on your Windows PCs. So after it's completed its installation you launch another PowerShell window and you can start interacting with the Chocolatey client. So for example, from the Chocolatey website we go up to Packages, and they've got a package repository of community- and third-party-generated software, one of those being, for example, Notepad++. So we can copy that path there, kick off an elevated PowerShell prompt, and that will then install Notepad++ for us without having the hassle of manually going to the Notepad++ website, downloading the installer, running the installer, choosing which options, pressing Finish. So these are mainly just wrappers around the default installers; however, it is a community-created resource, so there could well be bad actors among it, so just yet it's not something I can say "hey, manage all your computers with this". However, if you're examining the packages and taking it slow, things like Google Chrome and things like Notepad++, which aren't particularly obscure and which are being readily used, should genuinely be safe. So once you've completed that installation you can launch Notepad++ on your computer. So equally so, things like VLC media player are inside there. You can also use the -y switch at the end of Chocolatey's install command there, and that will just go straight off and install it without prompting any further for confirmation. So for some pieces of software that aren't particularly easy to deploy or manage, maybe they don't have easy-to-use silent installers, Chocolatey might well be a good way around that. Now, Chocolatey itself also has an update feature built into it, so when you run choco update, that will look at all the packages which are installed on your client PCs and then go out and update those packages if newer versions are available. So the way we're looking at this at the moment: every time that you run a Chocolatey command it requires elevation, so we've been looking at building a scheduled task, built into Task Scheduler, running as the SYSTEM account, that will allow Chocolatey to install new applications on our PCs based upon the contents of a text document, for example, or maybe the response from a web service, and then equally so you'd go and update those applications. So in testing for us at the moment I've got a folder inside ProgramData called Queen's choco; inside that we've got a choco apps list, which is a list that was generated based upon Active Directory security groups, that will install Skype, Google Chrome and the Visual Studio redistributable for Skype on that machine. So this way, if you want to start managing applications that are available through the Chocolatey repository, and equally so you can host your own repositories or contribute to the community one, you can start to manage applications this way. For us it's still very early days with it, but we're starting to build out an infrastructure that could actually be very helpful managing things like Skype, running things like Power BI or SQL Server Management Studio, which aren't particularly easy to update on a hundred, or just 20, PCs at a time. The script itself basically goes and downloads the latest version of Chocolatey each time it executes, to make sure that's the latest version, and then reads that text file after copying it off from our central server, and then starts running any of the installs that it might need to do, and equally so runs the choco upgrade script to make sure any applications which are already installed on that client PC are indeed up to date. We've also got it writing to a log path as well, so every time Chocolatey runs something it's logging the date/time stamp that it did it and whatever the verbose output of the Chocolatey commands was. Still very early days for it.

So further reading for this one: Microsoft have a really good video from the most recent Ignite conference which really well describes how Microsoft is moving to this continuous Windows-as-a-service notion; the couple of slides that I had up there earlier from Microsoft were taken from that video. I've got a couple of things on the blog about WSUS; it's mainly just error codes that I've encountered in the past and how to fix them. And then of course lynda.com has some really good resources on how to install Windows Update server and how to use some of the more intricate features on it as well. Any questions on that? [Audience question about whether the packages can uninstall, and whether Chocolatey can detect software that is already installed.] Yes, so the scripts are actually wrappers around the installers, and for them there's almost always an install, an upgrade and an uninstall. And there is a feature within it where you can say "scan Windows, look for everything that's already installed, detect the ones which I think I've got as well, and add them to my list". Now, for the main kind of things like Google Chrome, which are really well acknowledged and supported, that works pretty well actually; for more obscure pieces of software, not so much.
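The scheduled-task runner the speaker describes, as an added example written for this page (it is not the speaker's script, and the folder, list and log names are placeholders rather than the real ones from the talk). It keeps Chocolatey current, installs only package ids named in an allow-list copied from a central share, upgrades what is already installed, and logs every command's output with a timestamp. It assumes Chocolatey is already installed and that the list is a plain text file with one package id per line; the id check is the example's own guard so that an edited list cannot inject extra arguments into the choco command line.

```powershell
# Added example: allow-list driven Chocolatey install/upgrade runner, intended to run from a
# scheduled task as SYSTEM. Paths are placeholders.
$base    = Join-Path $env:ProgramData 'ChocoMgmt'
$listSrc = '\\FILESERVER\ChocoLists\apps.txt'        # central copy of the allow-list (placeholder)
$list    = Join-Path $base 'apps.txt'
$log     = Join-Path $base 'choco-runner.log'
$choco   = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'
# $internalRepo = 'http://repo.example.internal/chocolatey'   # placeholder; see note on --source below

function Write-Log {
    param([string]$Message)
    '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message | Add-Content -Path $log
}

function Invoke-Choco {
    param([string[]]$Arguments)
    # Capture everything choco prints into the log; hand the exit code back (3010 = reboot required).
    $out = & $choco @Arguments 2>&1
    $out | ForEach-Object { Write-Log "    $_" }
    return $LASTEXITCODE
}

function Get-AllowedPackages {
    # Accept only well-formed package ids; log and skip anything else in the file.
    Get-Content -Path $list -ErrorAction Stop | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            if ($_ -match '^[A-Za-z0-9][A-Za-z0-9._-]*$') { $_ } else { Write-Log "Ignoring malformed package id '$_'" }
        }
}

New-Item -ItemType Directory -Path $base -Force | Out-Null
Write-Log 'Run started'
Copy-Item -Path $listSrc -Destination $list -Force       # refresh the allow-list from the central server

# Keep the client itself current first.
Write-Log ('choco self-upgrade exit code {0}' -f (Invoke-Choco 'upgrade', 'chocolatey', '-y', '--no-progress'))

# Install each allowed package; add '--source', $internalRepo to pin installs to your own repository
# instead of the community feed, which is the mitigation for the "bad actors" concern.
foreach ($pkg in Get-AllowedPackages) {
    Write-Log "Installing $pkg"
    $rc = Invoke-Choco 'install', $pkg, '-y', '--no-progress'
    if ($rc -ne 0) { Write-Log "install $pkg finished with exit code $rc" }
}

# Then upgrade everything already installed.
Write-Log ('choco upgrade all exit code {0}' -f (Invoke-Choco 'upgrade', 'all', '-y', '--no-progress'))
Write-Log 'Run finished'
```

To run it unattended, register it with Register-ScheduledTask using a principal of SYSTEM and RunLevel Highest, exactly as the server update task earlier in the talk, so that the elevation Chocolatey needs comes from the task rather than from a logged-on user.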
not so much. Again it's kind of early stages for Chocolatey for us, so we're still discovering these things.

Right, so, last presentation and then we all get to go wherever we're going to go next. So when we deployed our new HPE Aruba network switch infrastructure, one of the key things we wanted out of it was the ability to authenticate every device that was on the network and put that device in the right VLAN. Now in this sequence I've got a couple of videos that show the initial installation; the rest of it is largely taken from our implementation of Network Policy Server. So what can you do? It's authenticating your clients based upon a number of different attributes: 802.1X credentials provided either by username and password, so similar to the way that eduroam works; a security certificate, which we are using to authenticate our desktop computers and our laptops on the wired and wireless; and equally so MAC address as well. So if you've got clients that for whatever reason, due to age or just the way that they work, don't support usernames and passwords or certificates, we can still put a manual MAC address override in there. Now it's important to note that Network Policy Server is a very entry-level solution to this; it works great for us, but if you want more advanced things like posture checking, or making sure the client isn't doing anything malicious as part of the sequence, then you need to be looking at a more advanced and more complicated piece of software. However, for our purposes Network Policy Server works great for that. So: Bradford Network Sentry, Aruba ClearPass, which is HPE's new solution for it, and of course PacketFence, which is open source. So on our network switches we have a configuration that basically says use this RADIUS server, and there's a shared secret inside there as well, and then enable these ports for authentication using 802.1X, and also pass through to MAC address if they don't reply with any 802.1X credentials. Now it's important to know
that there is a VLAN for unauthenticated devices, so if a device doesn't have any credentials and doesn't have a recognized MAC address it'll dump them into that network; so for conference guests, perhaps, at least they get something. So then when they plug in they can be like, oh, I've got something, it's just not what I was expecting, and then they can communicate with us and we can get them into the right network.

So, installing it to use machine certificates: you need an Active Directory certificate authority. PowerShell's back again: install that certification authority on your machine, and then once that's complete you need to go off and configure it on your servers. So what we're going to do is take the default Computer certificate template, bring it up to Windows 7 as a minimum standard, and deploy that security certificate to our client PCs. There are some really good guides out there on how to configure this; again I'll include some links as part of the mail drop for that. So these security certificates are then issued to all the client computers that you have that are domain-joined, such that when they connect they have some method of saying this is who I am, and this guy said it's OK, in this case our certificate authority, which is running on two domain controllers. It's important to make sure that autoenroll is set up on your security certificates so the machines can actually grab them in the first place. Then in the superseded templates we want to take the original security certificate for computers that Microsoft offers and supersede that with our shiny new one that'll work with Windows 7. Once we've done that we need to start configuring it so that certificate can be used by our clients, so from the Certification Authority we're going to go to Manage, then New, Certificate Template to Issue. A few gotcha points to note here: make sure the original Computer certificate is still in there; if you delete that or remove that out from there, your client computers won't actually grab the better, newer one that you've configured. That's
because later on in the group policy you actually just have the option of Computer certificate, so they look at that Computer certificate which is still published, realize it's being superseded by a new one and get the new one instead. So once we've done that, heading into Group Policy, create a new policy that allows our domain-joined computers to grab the security certificate, and then you'll find as Group Policy refreshes on those machines they start to get their security certificates. This can take a couple of hours or a couple of days depending on how often your clients actually connect to your network, so before going nuclear and enabling this absolutely everywhere, make sure every client's got the security certificate on it. Obviously this is really something that needs to be a staged rollout, otherwise you're going to cause yourself a world of hurt as clients can't connect to your network. So that's the initial setup complete.

The rest of it is just how we've configured it within Queen's, and hopefully it will spark off some ideas. So we've got all our RADIUS clients configured; the names are hidden, and that's our network switches and our wireless controllers. The RADIUS clients are basically what's at the other end, what's trying to authenticate the client that's connecting, so network switches, wireless access points, wireless controllers. We've then got our connection request policies, and these are the very first line of defense that basically says: what have I seen, should I allow it to be processed further? Now one of the ones we've actually got in there is eduroam secured wired connections, so as part of that policy there we actually forward your authentication traffic back up to the university's RADIUS servers, and if they come back with Access-Accept we allow them into the eduroam network. So Network Policies is where it gets a little bit more detailed; at this point we start deciding what VLANs, what networks, different clients should go into. So taking a step back,
looking at the RADIUS clients, we configure a friendly name and an IP address or a DNS address along with a shared secret; that's the shared secret that we configured on the switch as part of its configuration earlier. Equally so we have remote RADIUS server groups, so we've got the university eduroam servers in there with their shared secrets as configured. At the network policy level, or that initial connection request policy level, we've got a number of different groups or buckets that we're going to put our clients in. So secured wired connections is going to come through on Ethernet, and the beginning of the username is going to be the word host, which is how clients identify themselves when connecting. So we've got another one for wireless; you could combine the two together, whatever suits you, I've separated them out just to make it a little bit easier for logging purposes. Equally so for AD password-based secured wireless connections. These rules are processed in order, so if it sees host it'll process that one first for secured wired; if it sees host on a wireless network it will process that one next; equally so it will then drop through to Called-Station-ID, if it's seen it from our Queen's domain wireless network that you might have seen on your phones, it's been broadcasting out, it'll process that one; and finally if it doesn't have anything else to do it'll process it by MAC address. Looking a little bit closer at the eduroam one that we've got configured, we're basically saying if the username includes an @ symbol, so it does really work for people who've put an @ symbol in there, forward the authentication request over to the eduroam servers. At the bottom here you can see under settings and RADIUS attributes we've got a number of attributes listed there, one of which is Tunnel-Private-Group-ID 98; VLAN 98 is our eduroam network for internal clients. So that's where we're saying if this server here says it's OK, this is the network
we're going to put them into. So for things like our domain-joined, or in this case our staff network, VLAN 8, here we're saying we're protecting this with a secured password or a MAC address; if they're presenting the correct credentials and it is OK against the domain controller you can put them inside VLAN 8. Equally so we've got another one that is based upon security certificates, so if this one replies back saying the security certificate matches what it's seen it'll go off and configure that, and in this case put it in VLAN 4. So as far as configuring it on clients goes, you're going to need another group policy that basically enables the Wired AutoConfig settings on the computer; this is disabled by default on Windows computers, and with Group Policy we can set that to automatically start. We then create a new wired network policy, which can be applied to domain-joined PCs; we set the security type to use authentication mode computer, we're going to use a security certificate, and if we were to scroll down to trusted root certification authorities there, we would only accept certificates that have been issued by our domain controller, our internal CA.

So as far as our network actually looks, this is our list of VLANs and all the fun and interesting things. So we've got our public range, that's our old public IP addresses; our infrastructure network, the switches, there's no authentication on those because I kind of need the authentication on the network switches to be rock solid reliable. Things like wired clients, that's only ever going to work for certificate or MAC address; things like our wireless clients, that's only ever certificate; for our printers we're just taking that based upon the MAC address of the printer; equally so for security devices as well, like our door access control and our CCTV cameras. We've then also got other networks with things like IoT, our Internet of Things network, that's the one that we put the students in with their PlayStations and suchlike, again
authenticated by MAC address. With that one, while it is an internal network to us, we treat it as untrusted: we terminate that connection at our firewall directly, it doesn't have the ability to route to any other networks, and it then goes straight out onto the internet. We've then got our university networks of course as well, so eduroam and voice. Now we don't need to worry too much about eduroam, that's using those remote access credentials, so username and password, and the voice network, we're authenticating all our IP phones based upon their MAC addresses.

So how does it look on the switches when we actually run it? This is from one of our network switches, an IT office switch there, with some of it hidden, and you'll be able to see the client names, the MAC addresses that they've replied back with, and on the far right-hand side the VLANs that they've all been dropped into. Now I didn't actually get as far as making an access control slide, unfortunately; I then realized that actually some of this stuff I really shouldn't be sharing anyway. In short, on our core switch: so for our networks here the default gateway, if it's the core, that's going to our HPE 5400 core switch, that then allows routing between all the other networks as that core switch has a leg inside each, and it also says any traffic that I don't know where to send, send it up to the Palo Alto firewall. On that core switch we've then got access control lists set up on things like the printers, that basically say the printer can only talk to the server, and actually it's just the print server, I only want it to talk to the print server, but equally so I want it to be allowed to send outbound via port 25 to the university's mail relays. So we've got access control lists to make sure that clients that we don't necessarily trust, like printers (I can't stick antivirus on a printer, after all, can I?), can only talk to the devices that they really need to. And if anyone ever wants to have a good chat
about that one, you're welcome to talk, but that would be separate to these because I can't really show you all my security rules for that. So further reading on this: there's a link, and it's got a guide on how to set up Network Policy Server; I haven't quite gotten around to setting up my own one yet, simply because there's quite a few really good ones out there anyway, clearly the ones on lynda.com. So that's pretty much finished for the day, which is bang on time, it's now 12:30. Thank you all for coming; if there's any final questions feel free to grab me. When we were talking to Saffron earlier, she's keen for us to do these kinds of things for other units as well; this is how we do things at Queen's, so if you guys want to show off how you do things, get in touch with Saffron.
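The talk stresses checking that every client has its machine certificate before switching ports over to 802.1X. The following is an added example, not the speaker's code, of that pre-flight check: the internal CA name, the computer naming pattern and the use of Get-ADComputer are assumptions.

```powershell
# Added example, not the speaker's code: check that a PC is ready for 802.1X
# machine-certificate authentication before its switch port is enabled.
# The CA name and the computer naming pattern are hypothetical.
function Test-MachineAuthCert {
    param(
        [string]$IssuerPattern = 'CN=Queens Internal CA',   # hypothetical internal CA subject
        [int]$MinDaysValid = 14
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required for EAP-TLS
    # A usable machine cert: issued by our CA, has its private key, not about to expire,
    # and carries the Client Authentication EKU.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -like "*$IssuerPattern*" -and $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date).AddDays($MinDaysValid) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    })
    # Wired AutoConfig (dot3svc) must be running or the client never answers the switch.
    $dot3 = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
    $dot3Status = if ($dot3) { $dot3.Status.ToString() } else { 'missing' }
    $newest  = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    $expires = if ($newest) { $newest.NotAfter } else { $null }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        HasMachineCert  = ($candidates.Count -gt 0)
        CertExpires     = $expires
        WiredAutoConfig = $dot3Status
        Ready           = ($candidates.Count -gt 0 -and $dot3Status -eq 'Running')
    }
}

# Run it on the PCs behind the ports you intend to enable, one office or room at a time,
# and only switch those ports to 802.1X once every client reports Ready = True.
# Hypothetical naming scheme; requires the ActiveDirectory RSAT module.
$pcs = Get-ADComputer -Filter 'Name -like "ITOFFICE-*"' | Select-Object -ExpandProperty Name
$results = Invoke-Command -ComputerName $pcs -ScriptBlock ${function:Test-MachineAuthCert} `
                          -ErrorAction SilentlyContinue
$results | Format-Table Computer, HasMachineCert, CertExpires, WiredAutoConfig, Ready -AutoSize
# Anything listed here still needs a Group Policy refresh or a look at autoenrollment.
$results | Where-Object { -not $_.Ready } | Select-Object -ExpandProperty Computer
```

Unreachable PCs simply drop out of the results, so compare the list returned against the list you asked for before trusting a clean run.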
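The Chocolatey scheduled-task script described in the first part of the talk (fetch Chocolatey, copy the app list from the central server, install what is listed, upgrade everything, log it all with timestamps), as an added example that is not the speaker's own script; the folder, share and file names are assumptions.

```powershell
# Added example, not the speaker's script: Chocolatey maintenance run from a
# Task Scheduler job as SYSTEM. Folder, share and file names are hypothetical.
$Base    = Join-Path $env:ProgramData 'QueensChoco'       # hypothetical local folder
$Source  = '\\central-server\choco$\choco-apps.txt'       # hypothetical central copy
$AppList = Join-Path $Base 'choco-apps.txt'
$LogFile = Join-Path $Base 'choco.log'
New-Item -ItemType Directory -Path $Base -Force | Out-Null

function Write-ChocoLog {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message)
}

# Run choco with the given arguments, log all of its output with timestamps,
# and return the exit code so the caller can record failures.
function Invoke-Choco {
    param([string[]]$Arguments)
    Write-ChocoLog ('choco ' + ($Arguments -join ' '))
    & choco @Arguments 2>&1 | ForEach-Object { Write-ChocoLog "  $_" }
    Write-ChocoLog "exit code $LASTEXITCODE"
    return $LASTEXITCODE
}

# 1. Install Chocolatey if it is missing, otherwise bring it up to date.
#    The install script runs as SYSTEM, so fetch it only from a source you trust
#    (an internal mirror or repository, as the talk suggests hosting your own).
if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
    Write-ChocoLog 'Chocolatey not found, installing'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    $env:Path += ';' + (Join-Path $env:ProgramData 'chocolatey\bin')
} else {
    Invoke-Choco @('upgrade', 'chocolatey', '-y') | Out-Null
}

# 2. Refresh the app list from the central server; keep the last good copy on failure.
try   { Copy-Item -Path $Source -Destination $AppList -Force -ErrorAction Stop }
catch { Write-ChocoLog "could not refresh app list, using previous copy: $_" }

# 3. Install every package listed: one package id per line, '#' lines are comments.
Get-Content $AppList | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object {
        if ((Invoke-Choco @('install', $_, '-y')) -ne 0) { Write-ChocoLog "install of $_ failed" }
    }

# 4. Upgrade everything that is already installed on this PC.
Invoke-Choco @('upgrade', 'all', '-y') | Out-Null
```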