Sunday, 20 February 2011

Remote Powershell

On my travels I picked up this useful method of remoting into another machine's PowerShell. Windows 7 and Server 2008 R2 have WinRM built in, so you don't need to download anything. If you're not sure, you can check by typing the following:

[PS] Get-Service winrm

On the server you want to remote into (let's call it the target), type the following:

[PS] Enable-PSRemoting

This command starts the WinRM service and sets its startup type to Automatic. It also enables a firewall exception for WS-Management communications and creates a listener to accept requests on any IP address.
The next step is to establish which machines can connect to the target (that is, your client). On the target, type the following:

[PS] cd wsman:
(note the trailing colon)
[PS] cd localhost\client
[PS] dir

You should see a table displayed indicating that TrustedHosts has no value. This has to be changed so that your client can connect. To do this, type the following, but note you MUST be in the WSMan namespace as shown above!

[PS] Set-Item TrustedHosts *

You should then restart the WinRM service:

[PS] Restart-Service winrm

You could have performed the same action with a single cmdlet:

[PS] Set-Item WSMan:\localhost\Client\TrustedHosts *

Now that your target is configured, you need to configure the client. Type the following:

[PS] New-PSSession -computername "FQDN of the Target"

You should now see a table displayed referencing your session with an ID number. To display the sessions you have created, type the following at any time:

[PS] Get-PSsession

To enter the session type the following:

[PS] Enter-PSsession -id (the numerical value of the session e.g. 1)

You should now be in the remote PowerShell! To end the session type the following:

[PS] Exit-PSsession

and to remove the session entirely, type the following:

[PS] Remove-PSsession -id (the numerical value of the session e.g. 1)
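As an added example (not part of the original post), the same TrustedHosts configuration with named clients in place of the * wildcard, which trusts every host, followed by session handling by object rather than by ID; the host names are placeholders.

```powershell
# Added example, not from the original post. Host names are placeholders.
# TrustedHosts is only consulted when the remote end cannot be authenticated
# via Kerberos (workgroup machines, or connecting by IP address); a value of
# '*' means credentials will be sent to any host that answers on WinRM.
$allowed = @("admin-pc01.corp.example", "admin-pc02.corp.example")

# Replace the current value outright (-Force suppresses the confirmation prompt)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($allowed -join ",") -Force

# Later additions should append rather than overwrite what is already trusted
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "jump01.corp.example" -Concatenate -Force

# Read back the effective list and confirm no wildcard crept in
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -match '\*') { Write-Warning "TrustedHosts still contains a wildcard: $trusted" }
$trusted

# Confirm the target's WinRM listener is answering before creating a session
Test-WSMan -ComputerName "target.corp.example"

# Build, use and tear down a session by object instead of looking up its ID
$s = New-PSSession -ComputerName "target.corp.example"
Invoke-Command -Session $s -ScriptBlock { hostname }
Remove-PSSession -Session $s
```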

Friday, 11 February 2011

How to Setup a Simple WSUS Server on Server 2008 R2

In its most basic form, a WSUS deployment consists of a single server on the local intranet inside the DMZ and inside the Internet firewall. This server is used to connect to Microsoft Update and download available updates in a process called synchronization. You will synchronize the WSUS server with the Windows Update servers on a regular basis, and the WSUS server will verify that available updates have been synchronized to it. The initial synchronization will take an extended period of time if your Internet connection speed is good, and longer if it is not. Subsequent synchronizations will be faster because the WSUS server only synchronizes new updates that have been made available.

WSUS uses ports 80 and 443 to obtain updates from the Microsoft Update servers. You can change them (which I have needed to do). Automatic Updates is the client-side part of a WSUS deployment. The service has to use the port assigned to the WSUS website in IIS. If no websites are running on the server where you install WSUS, you can choose to use the default website (port 80) or a custom website and port.

WSUS on Server 2008 R2 uses Computer Groups to target client machines that require the updates. Two default groups are defined: All Computers and Unassigned Computers. You can create additional groups and assign specific computers to them so that WSUS can target specific client needs.

WSUS servers can be chained together in larger networks. This can be done in one of two modes:
  1. In autonomous mode, the upstream server, or the server connected to Microsoft Update, shares synchronization information with its downstream partner but does not share its computer group information. This way, the available updates are passed from WSUS server to WSUS server while maintaining the integrity of the individual computer groups.
  2. In replica mode, the upstream server shares its synchronization information and its computer group information with its downstream partners. The downstream partners hold the same information and are thus functional replicas of the upstream WSUS server.
Servers/Clients Not Connected to the Network
If you have machines that live in isolation, you can export the updates to external media (flash drive, CD, etc.) and sneakernet them to the isolated network. You then import the updates into an isolated WSUS server and deploy the updates from there.

Space Requirements - Keep it Local
Microsoft recommends that you have at least 20GB of local storage as a minimum and actually recommends 30GB. Keep in mind that these numbers are only estimates and could go higher than 30GB depending on your network needs and particular situation. A minimum of 1GB free space on the system partition is recommended, and a minimum of 2GB free space on the volume on which the database files will be stored.

WSUS uses the Background Intelligent Transfer Service 2.0 (BITS 2.0) protocol for all of its file transfer needs. Each time files are downloaded from servers to clients, they are moved using “spare” bandwidth. This technology also makes it possible to continue downloads, even if the computer is shut down in the middle of a download, once the computer is restarted.

Software Requirements
Before installing WSUS in your environment, you must ensure that both the WSUS server(s) and clients meet the minimum software requirements.

The WSUS servers must have at least the following installed:
  • Windows Server 2003 with Service Pack 1, Windows Server 2008, or Windows Server 2008 R2.
  • Internet Information Services (IIS).
  • Windows Installer 3.1 or newer.
  • .NET Framework 2.0 or newer.
  • If you are using a separate database server, you must have a computer installed that is running SQL Server 2005 with Service Pack 2 or newer. We will use an Internal Database.
To run the WSUS Administration Console, you must have the following installed:
  • Windows XP with Service Pack 2, Windows Vista, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows 7
  • Microsoft Management Console 3.0
  • Microsoft Report Viewer Redistributable 2005
WSUS clients must be running one of the following operating systems:
  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows Vista
  • Windows XP
  • Windows 2000 with Service Pack 4
The Windows Internal Database does not support remote connections, so you will not be able to install the WSUS Administration Console on another computer if you are using the Windows Internal Database.

Configuring Prerequisites for WSUS 3.0
You will need to install IIS and the Report Viewer 2008 SP1 Redistributable (at time of writing).
  1. Log on to the computer as a member of the local Administrators group.
  2. Select Start, Administrative Tools, Server Manager.
  3. In the Roles Summary section, click Add Roles.
  4. On the Before You Begin page, click Next.
  5. Select the Web Server (IIS) check box, click Add Required Features, and then click Next.
  6. Read the Web Server (IIS) page. On the Select Role Services page, ensure that only the following check boxes are selected:
  • Static Content
  • Default Document
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters
  • Windows Authentication
  • Request Filtering
  • Dynamic Content Compression
  • IIS 6 Metabase Compatibility
  7. Click Install. This may take a few minutes to complete.
  8. When the installation is complete, click Close.

Finally, you can install the Report Viewer 2008 SP1 Redistributable:
  1. Download the Microsoft Report Viewer Redistributable from
  2. Double-click ReportViewer.exe, and then click Next to start the installation.
  3. Select the “I have read and accept the license terms” check box, and then click Install.
  4. When the installation is complete, click Finish
Installing and Configuring WSUS 3.0
WSUS 3.0 is packaged as a stand-alone installer available from the Microsoft Download Center. On Server 2008 R2 (that's what we're using here) it is included as a role:
  1. Log on to the computer as a member of the local Administrators group.
  2. Select Start, Administrative Tools, Server Manager.
  3. In the Roles Summary section, click Add Roles.
  4. Select the WSUS role and click Next (this might take a while).
  5. Click Install
  6. On the Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard click Next
  7. Select the I Agree radio button and click Next
  8. Select the appropriate Update Source (Store Updates Locally)
  9. Select Install Windows Internal Database on this Computer and leave the default path
  10. Select Create a Windows Server Update Services 3.0 SP2 Web Site (NB the listening port is 8530)
  11. Click Next and Finish
  12. On the Windows Server Update Services Configuration Wizard consider your firewall settings and Internet connectivity and click Next
  13. On the Join the Microsoft Update Improvement Program page, deselect the checkbox and click Next
  14. Choose the Upstream Server by synchronizing from Microsoft Update
  15. On Specify Proxy Server, do not configure a proxy and click Next
  16. On the Connect to Upstream Server click Start Connecting
  17. On the Choose Languages select Download Languages Only in these Languages and select English
  18. On Choose Products choose your update types. By default, WSUS chooses all Windows and Microsoft Office updates.
  19. Choose the classification of updates. By default, WSUS chooses only critical updates, definition updates, and security updates. Click Next.
  20. On the Set Sync Schedule page, choose the “Synchronize manually” option, and then click Next. If you would rather choose automatic synchronization, you can do it from this step in the configuration wizard.
  21. On the Finished page, click Finish to launch the WSUS Administration Console and begin initial synchronization.
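As an added example (not part of the original post), a check that a client's Automatic Updates policy points at the WSUS site created in step 10 on port 8530 and that the site answers on that port; the server name is a placeholder, and the registry paths are the standard WindowsUpdate policy keys that Group Policy writes.

```powershell
# Added example, not from the original post. Server name is a placeholder;
# the WindowsUpdate policy keys are the ones Group Policy populates on clients.
$WsusUrl = "http://wsus01.corp.example:8530"
$policy  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

function Test-WsusClientConfig {
    param([string]$ExpectedUrl, [string]$PolicyPath)
    $ok = $true
    $wu = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyPath\AU" -ErrorAction SilentlyContinue

    # WUServer / WUStatusServer must carry the WSUS site URL including the port
    foreach ($name in "WUServer", "WUStatusServer") {
        $value = if ($wu) { $wu.$name } else { $null }
        if ($value -ne $ExpectedUrl) {
            Write-Warning "$name is '$value', expected '$ExpectedUrl'"
            $ok = $false
        }
    }
    # UseWUServer=1 is what makes Automatic Updates use the intranet server at all
    if (-not $au -or $au.UseWUServer -ne 1) {
        Write-Warning "UseWUServer is not 1; this client will go to Microsoft Update"
        $ok = $false
    }
    # iuident.cab is served by every WSUS site; fetching it proves the port is open
    try {
        $web = New-Object System.Net.WebClient
        [void]$web.DownloadData("$ExpectedUrl/iuident.cab")
    } catch {
        Write-Warning "Could not reach $ExpectedUrl/iuident.cab: $($_.Exception.Message)"
        $ok = $false
    }
    return $ok
}

Test-WsusClientConfig -ExpectedUrl $WsusUrl -PolicyPath $policy
```

If the check fails on a client that is managed by Group Policy, run gpupdate /force and re-run it before touching the registry by hand.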

Saturday, 5 February 2011

BitLocker Drive Encryption

BitLocker Drive Encryption is a technology designed to provide protection for entire disk drives. BitLocker To Go is a development of the same technology, available with Windows 7, that enables encryption of USB flash drives. You can therefore protect drives in the event of theft, and data on drives that might exist on decommissioned servers.

Protection using BitLocker can be enhanced with a TPM (Trusted Platform Module 1.2) chip on the computer's motherboard. BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your operating system, BitLocker requests the key from the TPM chip and then uses it to unlock the drive. If the drive is put in a different computer it will stay locked until it is manually unlocked using a recovery key. When using a BitLocker-encrypted drive, any new files you add to the drive are automatically encrypted.

If the machines do not have TPM, drives (fixed or removable) can be unlocked with a password or a smart card, or you can set the drive to automatically unlock when you log onto the computer.

To add BitLocker on Server 2008 R2 (REQUIRES TPM!):

  1. Open Server Manager.
  2. Right-click Features.
  3. Click Add Features.
  4. Select BitLocker Drive Encryption
  5. Restart your computer
  6. Close the Server Manager window
  7. Open Control Panel, System and Security and open BitLocker Drive Encryption
  8. Click Turn On BitLocker
BitLocker Drive Encryption is available on Windows 7 Enterprise and Ultimate editions. However, USB and other portable drives encrypted with BitLocker To Go cannot be accessed directly in Windows Vista or Windows XP. Microsoft has released a special utility named BitLocker To Go Reader (bitlockertogo.exe), a program that runs on computers with Windows Vista or Windows XP and lets you open and view the content of removable drives that have been protected (encrypted) with BitLocker Drive Encryption in Windows 7. BitLocker To Go Reader allows people running Windows 7 to share their BitLocker-protected data on removable drives, such as USB flash drives or external hard drives, with anyone running Windows 7, Windows Vista, or Windows XP. This will only work, however, if the drives have been encrypted with a password.

Before you turn on BitLocker in control panel you should see the following:

After you click Turn on BitLocker the following window will appear:

Type in a complex password and confirm it. The next window asks how you want to save a recovery key in case you forget the password (print it or save it to a file). Choose one, and on the next window start encrypting.
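As an added example (not part of the original post), a report of TPM readiness and, for each BitLocker volume, whether protection is on and which key protectors it carries, so you can confirm a TPM-sealed OS drive also has the recovery password the wizard asked you to save; it uses the WMI classes the BitLocker control panel sits on and is run from an elevated PowerShell on Windows 7 or Server 2008 R2.

```powershell
# Added example, not from the original post. Uses the Win32_Tpm and
# Win32_EncryptableVolume WMI classes shipped with Windows 7 / Server 2008 R2.
$tpmNs = "root\CIMV2\Security\MicrosoftTpm"
$bdeNs = "root\CIMV2\Security\MicrosoftVolumeEncryption"

# Key protector types as returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorName = @{ 0 = "Unknown"; 1 = "TPM"; 2 = "ExternalKey"; 3 = "RecoveryPassword"
                    4 = "TPM+PIN"; 5 = "TPM+StartupKey"; 6 = "TPM+PIN+StartupKey"
                    7 = "PublicKey"; 8 = "Password" }

$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    "TPM present: enabled=$($tpm.IsEnabled().IsEnabled) activated=$($tpm.IsActivated().IsActivated) owned=$($tpm.IsOwned().IsOwned)"
} else {
    "No TPM found (see the Server 2008 R2 note above)"
}

foreach ($vol in Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume) {
    $status = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $types  = @()
    # GetKeyProtectors(0) lists protectors of every type; the cast keeps the hashtable lookup on int keys
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $types += $ProtectorName[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    $hasRecovery = $types -contains "RecoveryPassword"
    if ($status -eq 1 -and -not $hasRecovery) {
        Write-Warning "$($vol.DriveLetter) is protected but has no recovery password protector"
    }
    "{0} protection={1} protectors=[{2}] recoveryPassword={3}" -f $vol.DriveLetter, $status, ($types -join ","), $hasRecovery
}
```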