Learning PowerShell in Degrees – Creating Template OUs



Effective systems management has myriad methodologies, yet if we reduce management techniques into the trichotomy of imperative graphical management, interactive command line management, and highly scripted automation, where do you spend most of your time? What is your preferred way to manage systems? It may largely depend on what you are trying to do. Certainly if there are tasks you perform often, some degree of scripting, verging on full automation, can become essential.

But even within the realm of scripting, it can rapidly become apparent that we’re working in a spectrum. When I’m working in the realm of software development, I tend to take a certain approach to tool building within the context of the current development. With IT management, I take another, at least slightly different tack. Take, for example, the management of Active Directory. Falling into the graphical imperative “do this once, now” motif is common. But if you’re going to do something more than once, the gravity of Windows PowerShell takes over (unless I’m managing Active Directory from UNIX or a phone).

During a class on Windows Server 2008/2008R2, we were discussing creation of organizational units, user accounts, groups, changing group membership, using template user accounts, and delegation of administrative control. All of these operations can be performed in various graphical user interface (GUI) tools. Alternately, they could be performed interactively at a command prompt (cmd.exe), in a batch file (.BAT), using a classic Windows scripting environment like VBscript (.VBS), or of course with Windows PowerShell. To tie these different tasks together, you probably guessed that I demonstrated use of PowerShell. Note the following function: New-DelegatedOU.

function New-DelegatedOU( $ou ){

$dom = ([ADSI]””).distinguishedName

$ouDN = “ou=$ou,$dom”

dsadd ou $ouDN

dsadd user “cn=$($ou) Template,$($ouDN)” -dept “$ou”

dsadd group “cn=$($ou) Users,$($ouDN)” -members “cn=$($ou) Template,$($ouDN)”

$groupDN = “cn=$($ou) Admins,$($ouDN)”

dsadd group “$groupDN”

dsacls $ouDN /g “$($groupDN):SDRCWDWOWPRPCALO” | out-null

dsacls $ouDN /g “$($groupDN):CCDC;user;” | out-null

dsacls $ouDN /g “$($groupDN):CCDC;group;” | out-null

dsacls $ouDN /g “$($groupDN):SDRCWDWO;;user” | out-null


Because the course was not about PowerShell, I didn’t start using the [ADSI] type accelerator very much, although using its objects’ .Create, .Put, .GetInfo, and .SetInfo methods is something we do in the PowerShell course. Also, because not all of the students are going to be using Windows Server 2008 R2 or a download of PowerShell version 2.0, I didn’t want to use the Active Directory Module for PowerShell 2.0 with the AD provider and cmdlets. Instead, you can see from the above function, I opted for the somewhat more familiar dsadd and dsacls commands. I suppose using ADSI class instances, using the newer cmdlets, or using the ds* commands is another trichotomy of AD management in PowerShell.

Rather than delve into an explanation of what the script does, I just wanted to note one thing along the lines of these trichotomies (or spectra). If you’re trying to learn any scripting language, there are as many styles of how you use that language as there are people using it. Certainly, there are patterns we can use. If you’re new to PowerShell, keep it simple. If you don’t like pipelines, don’t use them. If you don’t like variables don’t use them. If parentheses scare you, don’t use them. Then again, it’s always good to learn new aspects of the shell once you have gotten comfortable with a simple example that suits your style. Venture deeper into the water as you learn to swim better.

ZeuS on the LeuS



Yes, it’s true. As reported earlier today by  Jordan Robertson for the Associated Press “Corporations, agencies infiltrated by ‘botnet’,” and now trickling its way to FOXNews.com (“Massive Hack Attack Shows Major Flaws in Today’s Cybersecurity“) and elsewhere, yet another incarnation of the ZeuS trojan and botnet is on the loose. According to the AP article, “Security experts have found a network of 74,000 virus-infected computers that stole information from inside [more than 2,400 organizations including] corporations and government agencies.” Just last week I was teaching a Global Knowledge course titled “Defending Windows Networks,” in which students use hacker tools to create trojan horse applications in two of the lab exercises.

What the recent news articles don’t spell out is something many of my students realized last week – just how incredibly easy it is for someone to use free software to create such software infections and infestations. You don’t need to be a software engineer, or an evil genius. All you have to know how to do is press a few buttons and maybe even type in a few parameters to spell out what you want your software robots to do. If you manage to implant such software within organizations around the net, you have a botnet. It’s almost too trivial.

Of course, one of the ways in which such bots can go viral and spread themselves into numbers such as 74,000 computers is that they are able to be morphed into many different strains. The Kneber strain of ZeuS has obviously evaded detection for some time although earlier forms of ZeuS from a year ago are readily detected by many organizations’ defenses. The FOXNews article notes that “NetWitness points out that over half the machines infected with Kneber were also infected with Waledac, a peer to peer botnet.” Indeed, there have been patches and scanner updates available to detect and quarantine Waledec outbreaks as well.

How do new strains of these pieces of software evade detection so successfully? A fundamental aspect of the Anti-Virus, Anti-Spam, and Anti-Malware industries is that these systems are predominantly reactive. When a worm, virus, or other sort of attack makes use of a security vulnerability, several things typically follow in reaction to it. Depending on the nature of the beast, operating system vendors such as Microsoft may develop and release patches such as hot fixes to protect Windows from software which makes use of these vulnerabilities, or equipment vendors such as Juniper or Cisco may release firmware updates to protect network equipment. Intrusion detection and prevention systems (IDS/IPS) and virus scanners are updated with signatures of the current strain of the attack.

As Marcus J. Ranum stated in “The Six Dumbest Ideas in Computer Security,” which I still refer students to even though it was written several years ago, the ways in which many organizations approach computer and network security is wrong. In fact, both in the “Defending Windows Networks” class last week and the “Managing, Maintaining, and Securing Your Networks Through Group Policy” course I’m teaching this week, most students noted that their organizations have classically used a “Default Permit” + “Enumerating Badness” approach which is the default in so many subsystems of Windows rather than the “Default Deny” + “Enumerating Goodness” combination which makes sense when you just look at the big picture for a few moments.

As the AP news article about ZeuS-Kneber+Waledec botnet notes “The unusual thing about the incident is not that it happened but that it was discovered.” Even that one sentence should be enough to motivate us to approach systems security differently.

Image: Painting of Zeus © Mario Larrinaga

Paddling Out to the Coming Wave – SharePoint 2010



If you’re a surfer, you are good at paddling out to sea. It’s a different sort of meditation than riding the wave in to shore, which many people find more exciting, more physically demanding, yet in a deeper sense more centering and relaxing than riding a chair-lift up the slopes to make your big alpine skiing run. Perhaps Nordic skiing is more akin to surfing than the Alpine flavor, but that’s beside the point. If you’re using either Microsoft’s Windows SharePoint Services (WSS) or Office SharePoint Server (MOSS) [or the older Portal Server], the time is ripe for grabbing your board and paddling out for the coming wave.

One of the reasons that now is the time is that, even if you don’t plan to deploy SharePoint 2010 technologies (still in beta) until the year 2011 (or even 2012), it is good to take time to plan your strategy. Take time to paddle out before the wave comes – connect with the technologies so that you’re ready for SharePoint 2010 in body, mind, and spirit.  It’s not rocket science, nor is it surfing, so let’s take a look at the cast of characters, the elements, the building blocks of a SharePoint 2010 farm.

Like earlier versions of SharePoint technologies, SharePoint Foundation 2010 (think WSS 4.0), SharePoint Server 2010, and their cousins for Internet applications, can be deployed to a single stand-alone server, or to a distributed farm. Whether your deployments warrant one or more servers, the key services are the web front-end services, the application services, and the database services. All services must be hosted on 64-bit (x64) servers as 32-bit hosting is no longer an option. Here are some of the requirements:

  • Windows Server 2008 R2 or Windows Server 2008 64-bit with Service Pack 2: the operating system platform for SharePoint 2010 must be 64-bit. If you’re planning to deploy on Server 2008 SP2 rather than Server 2008 R2, be sure to upgrade Windows PowerShell to version 2.0.
  • SQL Server 2008 or SQL Server 2005 SP2: the database platform must be hosted on 64-bit servers. On a stand-alone server with an Express version, you’ll be hosting on 64-bit Windows Server anyway, but in a bigger farm, SharePoint also requires that the other servers also be 64-bit.
  • In farm configurations, the farm configuration in the SQL databases is bootstrapped via Active Directory Domain Services (or in some cases Active Directory Lightweight Directory Services) even in small farms in which one server is used for the web, app, and database components. Of course, performance and capacity factors usually demand more than one server in the farm, and the AD DS (or AD LDS) requirement is more obvious. Standalone configurations could be deployed with AD if necessary.

Just remember to be purely 64-bit and get ready with PowerShell v2.0. Yes, you guessed it, we don’t need to use those crazy PowerShell scripts for SharePoint management anymore. That’s right, you don’t have to type those magic incantations only after manually loading assemblies and referring to the classes by their true names – unless you really want to. The SharePoint cmdlets are coming to the SharePoint 2010 Management Shell. More on that later.

Here’s to a sure-footed surfing experience with SharePoint 2010 for you. Cheers!

VPN State of the Union



Back in the Windows NT 4.0 days, the Microsoft style of Virtual Private Network (VPN) technologies consisted of the Point to Point Tunneling Protocol (PPTP). Third-party software could be added to Windows, or network devices could be used to implement other VPN solutions for use with Windows, however hosting VPN solutions with built-in Windows Server software was limited.

With the advent of Windows 2000, Microsoft provided support for the Layer Two Tunneling Protocol (L2TP), which offers a number of technological advantages over PPTP. As with most other vendors’ implementations of L2TP, Microsoft’s was and is dependent upon the Internet Protocol security extensions (IPsec) to accomplish the confidentiality of the tunneled network traffic.

Both L2TP and PPTP provide a Point-to-Point Protocol (PPP) virtual network interface at each endpoint. Such an interface supports upper layer protocols such as the Internet Protocol version 4 (IPv4), and in more recent versions of Windows, the newer IPv6.

One problem many organizations have with either Windows-based VPN solutions, or classic VPN solutions from vendors such as Cisco and Nortel is that many firewalls near the client environment, or at the VPN hosting side may not be entirely VPN-friendly. For example, protocols such as the generic routing encapsulation (GRE) protocol, or IPsec’s encapsulating security payload (ESP), authentication header (AH), and Internet security association and key management protocol (ISAKMP) could be filtered and blocked at one of the firewalls between the client and VPN server.

Many network equipment vendors, such as Barracuda, Cisco, Juniper, Nortel, and SonicWALL were looking for other alternatives to classic PPTP, L2TP, and other older offerings. Several products which use the secure sockets layer (SSL) or it’s standardized cousin transport layer security (TLS) to implement VPNs are known as SSL VPN products.

With Windows Server 2008, Microsoft started offering the Secure Socket Tunneling Protocol (SSTP) as an alternative to PPTP and L2TP for Windows-hosted VPNs. Although SSTP is based on tunneling PPP on top of an SSL/TLS enabled session, some people distinguish it from general SSL VPN technologies.  One key difference between this and some other SSL VPN offerings is that SSTP is targeted at individual client device access to an organization’s VPN. SSTP does not currently support network-to-network tunnels for use in office-to-office or customer network to provider network solutions.

Windows Server 2008 R2 and Windows 7 support yet another variation on the SSL tunneling scheme, yet this feature, called DirectAccess is referred to as offering access for a single client “without the need to VPN.” Although DirectAccess uses IP-HTTPS tunneling, it not labeled as a VPN technology by Microsoft, but as an alternative to VPNs. Dependent upon IPv6 for the tunneled communications, DirectAccess can either use IP-HTTPS, or other IPv6 tunneling mechanisms such as Teredo or 6to4 to carry the tunnel traffic across IPv4 (or IPv6) backbones and public networks.

Whether you’re hosting your VPNs with network appliances, UNIX, or Windows, there is another complexity which has grown over the past several years. Most enterprise and even smaller business environments interact with a vast array of devices rather than just Windows clients, from smart phones such as BlackBerries and iPhones to NetPCs and tablets with either non-Windows operating systems, or older version of Windows such as XP. An increasing mobile workforce often demands increased capacity as well. What percentage of your systems activity is connected via VPN?

Cool and Codeless – SharePoint 2010

Content is king, or queen, or maybe just the Count of Monte Codeless. Many of my students this week will probably go straight to Microsoft SharePoint Server 2010 rather than the Windows SharePoint Services (WSS) 3.0 or Microsoft Office SharePoint Server (MOSS) 2007 which we were focusing on this week.

Even with SharePoint 2007, the degree of dynamic behaviors which can easily be configured into web sites seemingly without writing code in the classic sense is quite powerful. The newer SharePoint 2010 offerings coming up from Microsoft soon (perhaps June 2010), go even further.

At the bottom of the SharePoint 2010 line-up is the successor to Windows SharePoint Services 3.0. So you think it’s called Windows SharePoint Services 4.0? Well, that’s just not a cool enough name; the new name is SharePoint Foundation 2010, but it’s like WSS 4.0 by any other name – sweeter than WSS 3.0 actually. For example, the blog and wiki features which were introduced in WSS 3.0 have been substantially upgraded and polished for greater ease of use. This makes generating easy-to-read relevant content even less painful. Announcement lists, syndicated (RSS) feeds, and these updated blog and wiki versions can be a powerful mix together for enhancing communication and collaboration among employees, suppliers, customers, or any community.

If SharePoint Foundation 2010 is not powerful enough to meet the needs of your department or organization, or at least not for all SharePoint server farms that you’re deploying, like the relationship between WSS 3.0 and MOSS 2007, SharePoint Foundation 2010 has a bigger sibling as well – more than one actually. Like MOSS 2007, there are Standard and Enterprise editions of SharePoint Server 2010, or are there? The standard and enterprise degrees of SharePoint 2010 functionality beyond the SharePoint 2010 Foundation are distinguished by the Standard and Enterprise types of Client Access Licenses (CALs) for SharePoint Server 2010. Many organizations can benefit from that flexibility when some people in the SharePoint community need the business intelligence and workflow support of the enterprise edition and others simply needs SharePoint services at the standard level.

Due to the growth and maturity of using portals for Internet-facing and project-protected deployments, Microsoft is expected to release SharePoint Server 2010 for Internet Sites, also in Standard and Enterprise editions, yet not just differentiated with different CALs, but with distinct server licenses for each edition. This should allow deployment to fast-changing user communities without having to count the growing number of users who need CALs on a daily basis.

Think about this line-up for a moment. Small workgroups or even large deployments which just need basic Foundation level functionality can use SharePoint Foundation 2010. For communities like corporate or government employees, which are hopefully fairly stable, client access licenses for Standard or Enterprise functionality beyond the foundation level can be purchased for use of services hosted on SharePoint Server 2010. For potentially massive degrees of users, two levels of functionality can be purchased of SharePoint Server 2010 for Internet Sites, Standard or Enterprise editions.

But how do you author content for all of these types of environments? Of course, Microsoft Office 2010 client applications, or cloud-like Web App versions of them, email, SOAP, plain-old browser access and many other methods can be used to store, retrieve, convert, and otherwise work with documents, information, records, messages, graphics, videos, Silverlight, Flash, and more.

What about structured forms-based content and applications? As a portal, SharePoint 2010 can be used for accessing back-end applications in foundation, standard, and enterprise styles like WSS 3.0 and MOSS 2007. Naturally InfoPath 2007 or the newer Office 2010 version could be used to work with form layouts. SharePoint Workspace 2010 (think Groove 2010) for offline editing of SharePoint sites, Expression Web 2010 for rich web content (with or without SharePoint), and of course SharePoint Designer 2010 can be used for working with SharePoint Foundation, Server, and Server for Internet Sites versions of SharePoint 2010.

As SharePoint evolves, the elements of it, and the other software which works with it (which come from different origins, not all within Microsoft) comes together and stands to enable more powerful, fluid, usable collaboration between us humans. Are you ready for the coming wave? Uh, no, I wasn’t talking about Google Wave, the article was about Microsoft SharePoint, right?