PowerShell Cmdlets that will save your time and energy

Introduction

Continuing from my earlier post, PowerShell – What you need to know to get started, I’m going to keep helping you find your way with PowerShell.

We all know the situation where we sit in front of our blue PowerShell console painted red everywhere… 😦 Just because you don’t really know the command and how to play with it to get the result you expected!
The funniest moment… or maybe not (depending on what you typed) is when you type a command that worked, but the result is not what you expected. 🙂 🙂 🙂

When practising PowerShell, the best advice I can give is: help yourself with a lab environment. It doesn’t need to be a monster; 2 VMs will be enough. If you aren’t lucky enough to set up your own lab environment, play with PS on a machine (it can be your own at first) and only do read actions in the first place…
As a last resort, you can use a cheat…!!! You will need to keep reading to find out what it is 🙂 🙂

Read commands?? Yeah! Remember what I said in my earlier post (check the link at the beginning of this post).

Your interactions with objects in PowerShell can be split into 4 main categories. Those categories can be grouped into 2 groups (Active & Passive), each with its associated risk.

To get a better understanding, or a better view of what I mean, let’s take a look at the following table:

Action category   Group     Risk
Create            Active    Potential
Modify            Active    Potential
Delete            Active    High
Read              Passive   None*
Actions categories overview

Based on that information, we can continue with the main topic of this post: the commands, or more specifically the cmdlets, that will make your journey with PowerShell easier.

Here is the list of cmdlets that we will talk about in the next sections of the post:

  • Get-Command
  • Show-Command
  • -whatif (parameter)

Get-Command

Get-Command is probably one of the top commands you need to know in PowerShell, as it reveals all the commands known by PowerShell and its related modules.

Before continuing with the Get-Command cmdlet, I will give a very quick introduction to PowerShell modules. You will understand why very quickly! I promise!

A PS module is just an extension of the core components of PowerShell which introduces a whole set of cmdlets and functions.

For instance:
let’s say that you want to manage an EMC storage array with PowerShell. Natively PS is not able to do it, but with the related module installed on your machine, you will be able to manage your storage array with PS. Most of the time, modules are cmdlets and functions written by 3rd-party providers outside the Microsoft ecosystem, to let engineers and admins manage their products with tools they are familiar with (yes, for you too! 🙂 )

Now that you know what a PS module is, let’s continue with the cmdlet Get-Command.
Simply typing Get-Command in your PS console without any parameters will return on screen all commands available in PS and its related modules (you see! I told you it would be quick!!)

You will get something like this:

(Screenshot: Get-Command extract)

The main problem is that it will return thousands of cmdlets. Even if you know what you are looking for, it can be painful to retrieve the exact data you expect.

So my advice: create your own cheat sheet with all your commands in it via the Get-Command cmdlet and keep it with you.

Copy and paste the following command to create a CSV file in “C:\temp” with the required information:

Get-Command | Select-Object -Property Name,CommandType,ModuleName,Version | ConvertTo-Csv -Delimiter ";" | Out-File -FilePath "C:\temp\pscommands.csv" -Encoding utf8

For the formatting of the result, I’ll let you deal with MS Excel or your other favourite tool for tables.

Don’t hesitate to redo it regularly, based on the modules you’ve installed over time and PowerShell updates.

You’ve seen in the command that I’ve selected only 4 properties. For my own use, those are the most interesting ones; feel free to change the properties you want to see.

If you are wondering which properties are available, use the following command:

Get-Command | Get-Member -MemberType Properties

Last but not least regarding Get-Command: if you don’t want to deal with a CSV file, you can always search based on the name of the object you want to deal with.

For instance: you need to work on a disk with PowerShell but you have no idea about the available commands for disks. You can type the following command to get a better view:

Get-Command -Name *disk*

This will return all commands where “disk” is included in the name of the cmdlet.

This concludes the Get-Command section. I hope it helps.
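
As an added example (not code from the original post), here is the cheat-sheet export packaged as functions, together with lookups by verb, noun and module that narrow the thousands of results without opening the CSV. Defaulting to the Get verb keeps you in the passive “Read” category of the table above. The function names and the output path are my own.

```powershell
# Added example: build a Get-Command cheat sheet and query commands by verb/noun/module.
# Assumes Windows PowerShell 5.1 or later; the output path is an assumption.

function Export-CommandCheatSheet {
    param([string]$Path = (Join-Path $env:TEMP 'pscommands.csv'))
    # Make sure the target folder exists (the post uses C:\temp, which may not).
    $null = New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force
    # Export-Csv writes the header itself, so the ConvertTo-Csv | Out-File pair is not needed.
    Get-Command |
        Select-Object -Property Name, CommandType, ModuleName, Version |
        Sort-Object -Property ModuleName, Name |
        Export-Csv -Path $Path -Delimiter ';' -NoTypeInformation -Encoding UTF8
    return $Path
}

function Find-Command {
    # Narrow the list by verb and noun (both accept wildcards) and optionally by module.
    # Defaulting the verb to Get keeps the search in the passive (read-only) category.
    param(
        [string]$Verb = 'Get',
        [string]$Noun = '*',
        [string]$Module
    )
    $params = @{ Verb = $Verb; Noun = $Noun; ErrorAction = 'SilentlyContinue' }
    if ($Module) { $params['Module'] = $Module }   # only filter by module when one is given
    Get-Command @params | Select-Object -Property Name, CommandType, ModuleName
}

function Get-CommandCountByModule {
    # How many commands each module contributes: handy to see what a freshly installed module added.
    Get-Command |
        Group-Object -Property ModuleName |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Usage
Export-CommandCheatSheet -Path 'C:\temp\pscommands.csv'
Find-Command -Noun '*Disk*'                 # read-only disk commands only
Find-Command -Verb 'Remove' -Noun '*Disk*'  # the "active" ones, so you know which to keep away from
Get-CommandCountByModule | Select-Object -First 10
```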

Show-Command

Show-Command can be seen as a second line of help when the built-in help of PowerShell didn’t get you there.

The syntax (very simple BTW 🙂 ):

Show-Command followed by a space and then the command for which you need help

Show-Command Get-EventLog

This command will pop up a window (GUI, yes!!! GUI) that will guide you through the basic syntax of the command, mainly by helping you with the parameters.

Let’s take an example:

You want to get the last 50 event log entries from the System log on your machine, but you want to see only “Error” messages. Unfortunately you don’t know how to do it with PowerShell, and the help about the command didn’t help you enough.

  1. Type the command in your PowerShell console

(Screenshot: show-command explained – step 1)

  2. A pop-up appears

(Screenshot: show-command explained – step 2)

  3. When you have a closer look at the pop-up, you can see the following. I added annotations to give more explanations.

(Screenshot: show-command explained (intermediate step))

  4. Fill in the parameter boxes as described at the beginning of the example

(Screenshot: show-command explained – step 3)

  5. Click on the “Run” button to get the command typed directly with the correct syntax in your PS console (don’t forget to remove “^M” at the end of the command if it appears)

(Screenshot: show-command explained – step 4)

And boom! The magic happens! 🙂

(Screenshot: show-command explained – demonstration)

Which concludes the Show-Command topic.
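
The command the Show-Command window builds for this scenario, as an added example that is not part of the original post, with the Get-WinEvent form needed on PowerShell 6 and later, where Get-EventLog no longer exists. The function name is mine.

```powershell
# Added example: the last 50 "Error" entries of the System log, the way the Show-Command
# window generates it, plus the Get-WinEvent form for PowerShell 6+ where Get-EventLog is gone.
function Get-RecentSystemError {
    param([int]$Newest = 50)
    if (Get-Command -Name Get-EventLog -ErrorAction SilentlyContinue) {
        # Windows PowerShell 5.1: exactly what the Show-Command window produces
        Get-EventLog -LogName System -EntryType Error -Newest $Newest |
            Select-Object -Property @{ n = 'Time'; e = { $_.TimeGenerated } },
                                    @{ n = 'Source'; e = { $_.Source } },
                                    @{ n = 'Id'; e = { $_.EventID } },
                                    Message
    } else {
        # PowerShell 6+/7: a filter hashtable instead of parameters; Level 2 means Error
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents $Newest |
            Select-Object -Property @{ n = 'Time'; e = { $_.TimeCreated } },
                                    @{ n = 'Source'; e = { $_.ProviderName } },
                                    Id, Message
    }
}

Get-RecentSystemError -Newest 50 | Format-Table -AutoSize -Wrap
```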

-whatif parameter

Bingo! Here is our cheat! 🙂 Do you remember, from the beginning of the post?
This one is a very cool feature, especially when you don’t have any other option (a lab environment) to test your command in PowerShell.

A key concept you need to know about the -WhatIf parameter is that it is only available for commands that modify the objects you’re working on!
It only simulates the actions the command would take.

Don’t try to add the -WhatIf parameter where the verb of the cmdlet is Get (typically read); it won’t work 😦

(Screenshot: -WhatIf explained 1)

Here is an example of how to use it:

(Screenshot: -WhatIf explained 2)

As shown in the screenshot, the -WhatIf parameter simulates the action without performing it.

For your fun only 🙂

New-Alias -Name Whattime -Value Get-Date -Description "need to know when I can grab my coffee" -WhatIf

A last word before finishing this post

A last parameter that is also nice to use is -Confirm, which is also available on commands that modify objects in PS. This one won’t simulate; it takes action after receiving your confirmation.

It means that you already know what the result of the action will be; it’s only a validation. This is the main difference from -WhatIf.
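
As an added example (not from the original post), here is how to give your own functions the same -WhatIf and -Confirm safety net the built-in “active” cmdlets have, so that a dry run is always possible even outside a lab. The Remove-StaleLogFile function and the disposable test folder are my assumptions.

```powershell
# Added example: SupportsShouldProcess gives a function -WhatIf and -Confirm for free.
# Remove-StaleLogFile is a hypothetical function; the demo folder under $env:TEMP is constructed.

function Remove-StaleLogFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        [int]$OlderThanDays = 30
    )
    $cutoff  = (Get-Date).AddDays(-$OlderThanDays)
    $removed = @()
    foreach ($file in Get-ChildItem -Path $Path -Filter '*.log' -File) {
        if ($file.LastWriteTime -ge $cutoff) { continue }   # still fresh, keep it
        # ShouldProcess does the work: with -WhatIf it prints "What if: ..." and returns $false;
        # with -Confirm (or because ConfirmImpact is High) it prompts; otherwise it returns $true.
        if ($PSCmdlet.ShouldProcess($file.FullName, "Remove log file older than $OlderThanDays days")) {
            Remove-Item -LiteralPath $file.FullName
            $removed += $file.FullName
        }
    }
    return $removed
}

# Constructed, disposable test folder so the demo never touches real logs.
$lab = Join-Path $env:TEMP 'whatif-demo'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
1..3 | ForEach-Object {
    $f = New-Item -ItemType File -Path (Join-Path $lab "app$_.log") -Force
    $f.LastWriteTime = (Get-Date).AddDays(-60)   # make them look stale
}

# 1. Dry run: nothing is deleted, each candidate is listed as "What if: Performing the operation ..."
Remove-StaleLogFile -Path $lab -WhatIf

# 2. Because ConfirmImpact is High, a plain call prompts for every file, exactly like
#    -Confirm on a built-in cmdlet. -Confirm:$false skips the prompt (use only when sure).
Remove-StaleLogFile -Path $lab -Confirm:$false

# 3. Session-wide dry run for every ShouldProcess-aware command, handy outside a lab:
#    $WhatIfPreference = $true
```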

Conclusion

To help yourself, run these cmdlets and parameters as often as you can. They will help you, and they will save you time and energy.

Thanks for reading! Don’t hesitate to leave a comment or rate this post. It will help with future posts.

Take care and stay safe!

PowerShell – What you need to know to get started

Introduction

The objective of this post is to give you the key elements that will help you find your way with PowerShell, especially if you are a newcomer.

Target audience (yes, I need to specify 🙂 ):

This article is not for people with advanced PowerShell skills (sorry guys 😉 ), as I try to help beginners jump on the “PowerShell train”.
But don’t hesitate to read and comment; there is always room for improvement.

PowerShell is a fantastic tool, but like every programming language it has its own rules based on syntax and interoperability with different components.

In the IT community some people will tell you that PS is not a programming language; others will tell you the opposite. My little background in studying VB pushes me into the second group.

I’ll let you decide whether or not it’s a programming language! Enjoy the reading and the learning.

Rules of thumb: Objects, Objects and Objects!! :-)

PS is an object-oriented language. That means you will manipulate or get information about objects. An object can be a NIC, a VM, a storage array setting, even a .csv file.

With powershell you can split your interactions with objects in 4 main categories:

  1. Modify
  2. Create
  3. Delete
  4. Read

Wait a second! 🙂 I told you earlier (PowerShell Introduction) that you can do a multitude of things with PowerShell, and now I say only 4 things.

Let’s take a step back! PS is an object-oriented language; what more do you need when dealing with objects? If you still have some doubts, let’s take the example of a file: what do you want to do with a file? Euuhh… modify, create, delete and read. Bingo! Here it is!

Now, the beauty of powershell is that you have a multitude of ways to accomplish the same thing and you can play on a multitude of objects at the same time.

Still not convinced? Here is an example of the options you have for getting the same information about a specific disk on a machine:

In this example, I wanted to get the name of disk number 6 on my machine. You can see that I’ve written 2 lines to get the same result:

  1. Long way
  2. Short way

Result: the same in both cases: “Kingston DataTraveler 3.0”
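
The two lines themselves are in the screenshot, so here is an added example (my own code, not the post’s) of several ways to get the name of disk number 6, from the most explicit to the shortest, plus the CIM route that older tooling still uses. It assumes the Storage module (Windows 8 / Server 2012 and later); the function names are mine.

```powershell
# Added example: the same information about disk 6 obtained three different ways.
# Disk 6 may not exist on your machine; each function then returns $null instead of failing.
function Get-DiskNameLongWay {
    param([int]$Number = 6)
    # 1. Fetch every disk object, filter on its Number property, then pick one property.
    Get-Disk |
        Where-Object { $_.Number -eq $Number } |
        Select-Object -ExpandProperty FriendlyName
}

function Get-DiskNameShortWay {
    param([int]$Number = 6)
    # 2. Let the cmdlet filter for you and read the property straight off the object.
    (Get-Disk -Number $Number -ErrorAction SilentlyContinue).FriendlyName
}

function Get-DiskNameViaCim {
    param([int]$Number = 6)
    # 3. The same disk through WMI/CIM: Win32_DiskDrive calls the number "Index"
    #    and the name "Model" (the model string may carry a suffix such as "USB Device").
    (Get-CimInstance -ClassName Win32_DiskDrive -Filter "Index = $Number").Model
}

Get-DiskNameLongWay
Get-DiskNameShortWay
Get-DiskNameViaCim
```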

Before discussing commands further, and because we’re talking about objects in PowerShell, here is a list of objects that are interesting when you learn PowerShell. It’s not exhaustive at all, but I need to restrict myself for this post.
If you want to see more about PowerShell objects, I strongly advise you to read the about_ topics in the help (help will be detailed later in this post).

Object        Description
Aliases       An alias is a nickname for a specific cmdlet. You can create your own.
Variables     A variable is an object that you store in memory to be reused later in a script or in an advanced command.
Functions     A function is a command or a script to which you assign a name. Like commands, a function can have parameters.
PSProviders   PSProviders are objects that make visible data that resides outside PowerShell (instance / session).
Modules       A module is an extension of PowerShell which contains its own cmdlets, functions and help files. Most of the time it is developed by 3rd parties, like Amazon, HP, VMware… This way it extends the PS footprint.

Powershell Commands

Of course! Commands! 🙂 As you need to interact with objects, you need commands to accomplish the magic!

PowerShell commands can be categorized as follows:

  1. cmdlets -> the native command-line utility that is only present in the PowerShell ecosystem. It is written in the .NET Framework.
  2. functions -> you can see a function as a group of cmdlets, typically a script written in the PS scripting language.
  3. applications -> an application is a command understood by PowerShell but which comes from outside the PowerShell framework (for instance a command coming from your regular Windows command prompt such as ping, telnet, diskpart…)

Understanding the cmdlet mechanism and syntax

The best way to explain the syntax is an example. So here below you will find a PowerShell command that illustrates all its components.

(Screenshot: PowerShell command explained)

The cmdlet itself (1 & 2 on the picture) is always composed of a verb and a noun separated by a dash sign (-), with no space in between.
Typically: the action on the object.

A parameter (3, 5 on the picture) is always preceded by a dash sign (-). When needed, you can or must add a value (4 & 6 on the picture) to this parameter.
You always put a space between a parameter and its associated value.
Typically: how you do the action on the object.

A switch parameter (7 on the picture) can be added at the end of the command but is not linked directly to a value and is not mandatory either (it really depends on the cmdlet you use).

With PowerShell nothing is case-sensitive!!! Thanks to the creators of PowerShell.

If you’re interested in getting more info about PowerShell syntax, you can run the following command: Get-Help about_Command_Syntax

Cool stuff about commands in Powershell

Autocomplete

A very cool feature that Unix guys have known for a while but was not present for Windows guys is “autocomplete”.
Whatever your experience with PowerShell, and because you cannot recall every single command syntax, you can use the autocomplete feature to help you. Start typing Get- in your PowerShell console and press the TAB key on your keyboard to receive suggestions from PowerShell. This feature will help you a lot.

Commands history

Another very cool feature of PowerShell is the command history. Again, Unix guys have known this for a while, which was not the case for Windows guys.
With the Windows command prompt, when you close and re-open it, you are not able to retrieve the commands you typed before, which can be frustrating, especially when you spent hours making a command work (a complex one, of course 🙂 🙂 🙂 ).
How does the magic happen with history? Simply because of the presence of a file located on your machine, as shown here below:

For those who want to get the path ready for their own checks, here is the path:
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

!! Attention!!! It’s only valid if you have at least PowerShell v5 on your machine.
You can quickly verify by running the following command in the PowerShell console:
Get-Host

You should obtain a result like this:

Be aware that this file stores 4096 commands by default, which means that each time the limit is reached, it overwrites the file. You can play with the size of the file by changing a PowerShell variable:

$MaximumHistoryCount

I’m not going to go into the details of that, as it’s not the objective of this post; maybe it could be a topic for a more detailed post.
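
One thing to keep in mind about that file: it is plain text, so anything typed at the prompt, passwords included, ends up in it. As an added example (not from the original post), here is how to locate and audit it and how to keep secret-looking lines out of it. It assumes PSReadLine 2.0 or later; the detection regex and the function names are my own. Note that the file’s line limit is set with Set-PSReadLineOption -MaximumHistoryCount, while $MaximumHistoryCount governs Get-History for the current session only.

```powershell
# Added example: audit and protect the PSReadLine history file.
# Assumes PSReadLine 2.0 or later; the secret-detection regex is my own choice.

function Get-PSReadLineHistoryInfo {
    # Where the file really is on this machine and how many lines it keeps.
    # The file limit comes from Set-PSReadLineOption -MaximumHistoryCount;
    # $MaximumHistoryCount only governs Get-History for the current session.
    $opt = Get-PSReadLineOption
    [pscustomobject]@{
        HistorySavePath     = $opt.HistorySavePath
        MaximumHistoryCount = $opt.MaximumHistoryCount
        HistorySaveStyle    = $opt.HistorySaveStyle
    }
}

# Patterns that usually mean a secret was typed inline on the command line (-match is case-insensitive).
$SecretPattern = '-Password\s+\S|-AsPlainText|ConvertTo-SecureString\s+["'']|(api[_-]?key|token|secret)\s*=\s*\S'

function Find-SecretInHistory {
    # Returns the offending lines with their line numbers so they can be reviewed and
    # removed from the file, rather than just printing them.
    param(
        [string]$Path = (Get-PSReadLineOption).HistorySavePath,
        [string]$Pattern = $SecretPattern
    )
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        if ($line -match $Pattern) {
            [pscustomobject]@{ Line = $lineNo; Text = $line }
        }
    }
}

function Protect-PSReadLineHistory {
    # Prevention: PSReadLine calls this handler before saving each line;
    # returning $false keeps the line out of the file (it stays usable in the session).
    param([string]$Pattern = $SecretPattern)
    $handler = { param([string]$line); return -not ($line -match $Pattern) }.GetNewClosure()
    Set-PSReadLineOption -AddToHistoryHandler $handler
}

Get-PSReadLineHistoryInfo
Find-SecretInHistory | Format-Table -AutoSize
Protect-PSReadLineHistory   # put this in your profile so it is active in every session
```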

Powershell Help

For this one, I could really dedicate a full post; maybe I will do it. To keep this post manageable I will give you a bird’s-eye view of it.

All the IT pros using PowerShell will tell you that the best thing you can do to help yourself in your PS journey is the constant use and good understanding of PS help.
Whether you write a script or execute a simple command, PS help is always there to help you 🙂
Even with 6 years of experience dealing with PS, we still use PS help.

Microsoft identifies 2 categories of help files, as follows:
  1. Help files for cmdlets (syntax example: Get-Help Get-EventLog)
  2. Help files for concepts (Get-Help about_profiles)

Get-Help comes with a set of built-in parameters that will help you differently depending on which piece of the puzzle you miss.
Here is a list of parameters (not exhaustive) that you can use with the Get-Help cmdlet:

  • Get-Help Get-EventLog -Detailed
  • Get-Help Get-EventLog -Full
  • Get-Help Get-EventLog -Examples
  • Get-Help Get-EventLog -Online

I’ll let you try on your own to identify the differences between all of them! But I promise, you will notice differences 😉

Updating help

Like the rest of your computer, you need to update the help content of PowerShell. Why? Simply because it will help you receive the most accurate information regarding a command or concept. Sometimes errors are reported, or a new command is available and you don’t have help information for it.
After using it for some time, you will see that this cmdlet will be one of your best friends.

Note! To update your help files, you need to run the cmdlet Update-Help in an elevated session (Administrator session).

If you do it in a regular session, it will fail, as you alter the system.
Depending on the environment you work in, you may not be able to run a PS session in Administrator mode, probably due to security policies put in place in your company. Refer to them for help in updating your help files.
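
For machines that cannot reach the internet or cannot be elevated, the supported route is Save-Help on a connected machine and Update-Help -SourcePath on the others. As an added example (not from the original post), here it is packaged as two functions; the share path is an assumption, and the -Scope CurrentUser branch relies on my understanding that this parameter arrived with PowerShell 6.1.

```powershell
# Added example: distribute help to machines without internet access or elevation.
# Save-Help needs internet but no elevation; Update-Help -SourcePath reads from the saved folder.
$HelpShare = '\\fileserver\PSHelp'   # assumption: a folder maintained by the admin team

function Save-HelpToShare {
    param([string]$Path = $HelpShare)
    $null = New-Item -ItemType Directory -Path $Path -Force
    # -Force lifts the once-per-24-hours limit; modules without updatable help just log an error.
    Save-Help -DestinationPath $Path -Force -ErrorAction Continue
    # One *_HelpInfo.xml per module tells you what was actually saved.
    Get-ChildItem -Path $Path -Filter '*_HelpInfo.xml' | Select-Object -ExpandProperty Name
}

function Update-HelpFromShare {
    param([string]$Path = $HelpShare)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $ver       = $PSVersionTable.PSVersion
    $hasScope  = ($ver.Major -gt 6) -or ($ver.Major -eq 6 -and $ver.Minor -ge 1)
    if ($isAdmin) {
        Update-Help -SourcePath $Path -Force -ErrorAction Continue
    } elseif ($hasScope) {
        # PowerShell 6.1+ can install help for the current user only, without elevation (assumption).
        Update-Help -SourcePath $Path -Scope CurrentUser -Force -ErrorAction Continue
    } else {
        throw 'Windows PowerShell 5.1 needs an elevated session for Update-Help; ask your IT team.'
    }
}

# On the connected machine:   Save-HelpToShare
# On the isolated machine:    Update-HelpFromShare
```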

Powershell Session

A PowerShell session is the instance of PowerShell you run locally, remotely or via API.
To complement this short description, here is a picture that illustrates the concept of a session:

Not all PowerShell objects live across different sessions. Variables are the perfect example of this.
For instance, I can open a local session (a PowerShell console interacting with the local computer), create a variable and close this session.
Next, I reopen a session and type the same variable. Result: PowerShell doesn’t know it anymore.

As a demonstration is always better, here are the screenshots 🙂

Session 1:

(Screenshot: PowerShell variable across sessions 1)

Session 2:

(Screenshot: PowerShell variable across sessions 2)

Why? What’s happening under the hood?

The answer is quite evident when you have a closer look at the annotations in the screenshots.

PowerShell is an executable, and because of that, each PowerShell session runs in its own memory pages. This means that the information is not shared between sessions.

(Screenshot: PowerShell session – memory usage)

When the session is closed, all related objects present in the memory pages are cleared from memory (RAM).

Statement: all objects (variables, functions, aliases…) created by a user have a lifetime equal to that of the PS session.

This natural behaviour is quite annoying when you want to reuse the same objects across sessions. That’s why the creators of PowerShell wanted to help and make your work more comfortable 🙂 🙂

They created PowerShell profiles, which are detailed in the following section of the post.

As a last note: PowerShell system objects are persistent across sessions.

Powershell Profile

Last (component) but not least for this post! 🙂

A PowerShell profile is a PowerShell script located in a specific place on your drive. You can configure everything you need for your different PS sessions (variables, functions, modules…).

Each time you launch PowerShell, it will load all the objects you configured in the PowerShell profile file. So depending on what you configured in that script, the PowerShell session will take more or less time to start.

Prerequisite:

To be able to run a PowerShell profile you need to configure PowerShell to run scripts via the following cmdlet:

Set-ExecutionPolicy

Please check the help if you are not sure how to use it, via Get-Help Set-ExecutionPolicy, as it could expose your computer to security risks.

If you have a computer managed by an IT team within your company, maybe the best option is to check with them what the best approach for your needs is.

For my homelab environment, here is the full command I type. Security in this case is not a concern:
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted
As this one removes any security checks, I would recommend you execute it in an isolated lab environment only.
Depending on your environment, you will need to modify the syntax.

In PowerShell, you need to know that you have 6 PowerShell profile files.
Here is the table which details their locations and purposes:

Description                                          Path
Current user, Current host (local machine/console)   $Home\[My] Documents\WindowsPowerShell\Profile.ps1
Current user, All hosts                              $Home\[My] Documents\Profile.ps1
All users, Current host (local machine/console)      $PsHome\Microsoft.PowerShell_profile.ps1
All users, All hosts                                 $PsHome\Profile.ps1
Current user, Current host (ISE)                     $Home\[My] Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1
All users, Current host (ISE)                        $PsHome\Microsoft.PowerShellISE_profile.ps1
PowerShell profiles and their paths
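
As an added example (not from the original post), here is how to see which of the six profile files actually exist on a machine, fingerprint them so a later change stands out (a profile runs at every start-up, so it deserves the same attention as any start-up script), and create a CurrentUser profile with a policy scoped to that user instead of an Unrestricted LocalMachine one. The profile content and function names are my assumptions.

```powershell
# Added example: inventory the profile files, then set up a per-user profile safely.
# Assumes Windows PowerShell 5.1 or PowerShell 7; the profile content below is an assumption.

function Get-ProfileInventory {
    # $PROFILE carries the four console profile paths as extra properties; the ISE
    # properties only exist inside the ISE, so those two paths are built by hand.
    $paths = [ordered]@{
        'All users, All hosts'       = $PROFILE.AllUsersAllHosts
        'All users, Current host'    = $PROFILE.AllUsersCurrentHost
        'Current user, All hosts'    = $PROFILE.CurrentUserAllHosts
        'Current user, Current host' = $PROFILE.CurrentUserCurrentHost
        'All users, ISE'             = Join-Path $PSHOME 'Microsoft.PowerShellISE_profile.ps1'
        'Current user, ISE'          = Join-Path (Split-Path $PROFILE.CurrentUserAllHosts) 'Microsoft.PowerShellISE_profile.ps1'
    }
    foreach ($entry in $paths.GetEnumerator()) {
        $exists = Test-Path -LiteralPath $entry.Value
        # A hash lets you notice later if a profile changed without you editing it.
        $hash = $null
        if ($exists) { $hash = (Get-FileHash -LiteralPath $entry.Value -Algorithm SHA256).Hash }
        [pscustomobject]@{
            Profile = $entry.Key
            Path    = $entry.Value
            Exists  = $exists
            SHA256  = $hash
        }
    }
}

function Initialize-UserProfile {
    # RemoteSigned for the current user only: local scripts run, downloaded ones need a
    # signature, and nothing changes for other accounts on the machine.
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
    $path = $PROFILE.CurrentUserAllHosts
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
        # Assumed content: a variable and a function that should survive across sessions.
        Add-Content -LiteralPath $path -Value @'
$LabRoot = 'C:\Lab'
function Get-LabRoot { $LabRoot }
'@
    }
    return $path
}

Get-ExecutionPolicy -List          # one policy per scope, highest precedence first
Get-ProfileInventory | Format-Table -AutoSize
Initialize-UserProfile
```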

Additional resources to help you in your PowerShell journey (they still help me today 🙂 )

Whatever your level with PowerShell, you will always need help to achieve your goals.

Here is the list of resources that are helping me:

Book title                                        Document type     Link
Learn Windows PowerShell in a Month of Lunches    Book or e-book    https://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617294160
Step by Step Windows PowerShell                   Book or e-book    https://www.amazon.com/Windows-PowerShell-Step-Ed-Wilson/dp/0735675112
PowerShell cheat sheet                            PDF poster        https://www.powershellmagazine.com/2014/04/24/windows-powershell-4-0-and-other-quick-reference-guides/
External references

Conclusion

I hope this post helped you get a better understanding of PowerShell basics. I hope, at least, it gave you the desire to learn or practise it.
Today, as an IT admin, working on servers or computers without knowing how to automate tasks is a real brake on your career, so don’t hesitate to jump in and practise PowerShell.

Install VMware Tools on Windows 2016 Core

Introduction:

In this post I will quickly explain how to install the VMware Tools package inside your Windows 2016 Core server VM.

The main point to keep in mind with Windows 2016 Core is that, as the GUI feature is not available, not all installers will work with this version. You need to check with the vendor whether the software you want to install is compatible with 2016 Core.

Regarding VMware, the VM Tools installer is fully compatible with the Core version of Windows.

The procedure:

Note: the procedure here assumes that you have already mounted the VMware Tools ISO on your VM via the VMware vSphere Client or the VMware Workstation GUI.

  1. Log on to the guest OS.

  2. Check that the VMware Tools ISO is mounted in the guest OS by running the PowerShell command: Get-Volume

  3. Identify the drive letter of your virtual DVD drive (typically the ISO mounted by VMware vSphere Client or VMware Workstation).

  4. Navigate to the drive letter of your virtual DVD (in our case d:) by typing d: at the prompt.

  5. Launch the installer by typing the following command at the prompt: .\setup.exe and wait for the installer to run, as shown in the following screenshot.

  6. Install the VMware Tools depending on your needs (Typical, Complete, Custom) as shown here below and wait for the installation to finish.

  7. At the end of the installation, reboot the VM by selecting Yes, as detailed in the screenshot here below.

  8. Check that the VMware Tools service is running by typing the following command at the prompt: Get-Service -Name VMTools

You should get the following result…. Ta-da!!! Enjoy 🙂 🙂
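
The same procedure as a script, as an added example that is not part of the original post: it finds the mounted ISO instead of guessing the drive letter, launches the installer (interactively, or silently with the switches VMware documents for its InstallShield package, which you should confirm against the release notes of your Tools version), and turns step 8 into a check that returns true or false. The volume label and the function names are assumptions.

```powershell
# Added example: steps 2 to 8 of the procedure as functions for a Server Core guest.
# Assumes the VMware Tools ISO is already mounted and shows up as a CD-ROM volume
# labelled "VMware Tools" (assumption); silent switches per VMware documentation.
function Find-VMwareToolsDrive {
    # Steps 2/3: locate the mounted ISO by volume type and label.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'CD-ROM' -and $_.FileSystemLabel -like 'VMware Tools*' } |
        Select-Object -First 1 -ExpandProperty DriveLetter
}

function Install-VMwareTools {
    param([switch]$Silent)
    $letter = Find-VMwareToolsDrive
    if (-not $letter) { throw 'VMware Tools ISO is not mounted (no CD-ROM volume labelled "VMware Tools").' }
    # Steps 4/5: 64-bit guests ship setup64.exe next to setup.exe; prefer it when present.
    $setup = Get-ChildItem -Path "${letter}:\" -Filter 'setup*.exe' |
        Sort-Object -Property Name -Descending | Select-Object -First 1
    if ($Silent) {
        # REBOOT=R suppresses the automatic reboot so you can pick the moment (step 7).
        $p = Start-Process -FilePath $setup.FullName -ArgumentList '/S', '/v', '"/qn REBOOT=R"' -Wait -PassThru
        return $p.ExitCode
    }
    # Step 6: interactive installer (Typical / Complete / Custom), as in the screenshots.
    Start-Process -FilePath $setup.FullName -Wait
}

function Test-VMwareToolsService {
    # Step 8 as a boolean you can act on after the reboot.
    $svc = Get-Service -Name VMTools -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

# Usage:
# Install-VMwareTools -Silent ; Restart-Computer
# Test-VMwareToolsService      # expected: True once the VM is back
```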

Powershell Introduction

Introduction

Nowadays, who in IT hasn’t heard about PowerShell, and more specifically Windows PowerShell? I think we can say not many people.
PowerShell has evolved incredibly this last decade, to the extent that it is now available on Linux and on Mac machines… and plenty of manufacturers such as Dell, HP and many others have developed their own modules for Windows PowerShell to help IT admins in the daily administration of their products. It’s quite amazing!

Now, with PowerShell and its modules developed by Microsoft and many other vendors, an IT admin can tackle a massive amount of work with one core technology.

Background

The following table gives you an overview of the release dates of the different versions of PowerShell and their availability in the different editions of Windows.

PowerShell version       Release date   Default operating system
Windows PowerShell 1.0   2006           Windows XP SP2, Windows 2003 SP1 and Vista
Windows PowerShell 2.0   2009           Windows 7 and 2008 R2
Windows PowerShell 3.0   2012           Windows 8 and 2012
Windows PowerShell 4.0   2013           Windows 8.1 and 2012 R2
Windows PowerShell 5.0   2016           Windows 10 and 2016
Windows PowerShell 5.1   2016           Windows 10 and 2016
PowerShell Core 6.0      2018           Windows 10 and 2019, Linux and macOS
PowerShell Core 6.1      2018           Windows 10 and 2019, Linux and macOS
PowerShell Core 6.2      2019           Windows 10 and 2019, Linux and macOS

Architecture of Windows Powershell

Windows Powershell is a component of the WMF (Windows Management Framework).

WMF? what’s that guy? 🙂

Based on Microsoft definition:

Windows Management Framework (WMF) provides a consistent management interface for Windows. WMF provides a seamless way to manage various versions of Windows client and Windows Server. WMF installer packages contain updates to management functionality and are available for older versions of Windows

Each version of WMF is composed of the following components.

  • Windows PowerShell
  • Windows PowerShell Desired State Configuration (DSC)
  • Windows PowerShell Integrated Script Environment (ISE)
  • Windows Remote Management (WinRM)
  • Windows Management Instrumentation (WMI)
  • Windows PowerShell Web Services (Management OData IIS Extension)
  • Software Inventory Logging (SIL)
  • Server Manager CIM Provider

To summarize WMF:

WMF is a core component of Windows based on the .NET Framework which permits managing OSes in the same way whatever the version. It is composed of the components listed right above.

WMF is included in each version of Windows, whether it is a server or a client OS. Here is a table explaining the availability of WMF based on the OS version:

Windows Server 2019Ships in-box    
Windows Server 2016Ships in-box    
Windows 10Ships in-boxShips in-box   
Windows Server 2012 R2YesYesShips in-box  
Windows 8.1YesYesShips in-box  
Windows Server 2012YesYesYesShips in-box 
Windows 8 (Out of support)   Ships in-box 
Windows Server 2008 R2 SP1YesYesYesYesShips in-box
Windows 7 SP1YesYesYesYesShips in-box
Windows Server 2008 SP2   YesYes
Windows Vista (Out of support)    Yes
Windows Server 2003 (Out of support)    Yes
Windows XP (Out of support)   YesYes

Why Powershell?

The main goal of PowerShell was to permit IT admins to automate long and repetitive tasks, but not only that. If you compare the time you need to click on the different elements of the GUI with the time you need to run a command line to accomplish the same thing, the CLI command wins.

What is PowerShell?

As introduced here above, PowerShell is a command-line (CLI) utility which permits you to configure, report on and analyze a single server or computer, or a multitude of them, at the same time.

Interested to learn more? Let’s get started 🙂

My VCP6-DCV Experience

As you probably know, most IT providers (Microsoft, VMware, Cisco and many others) deliver certifications with a limited lifetime. VMware is no exception.

The main reason invoked everywhere: the rapid change of the technologies put in place.

Recently, I passed my VCP6-DCV as I needed to renew my VCP5-DCV before its expiration. It’s a good way to stay on the train and prove to customers and yourself that you know what you’re talking about.
BUT to achieve this, you need to prepare yourself seriously, I mean:

  • Read official study guides
  • Read unofficial study guides
  • Read documentation and books related to the technology
  • Train yourself with the practice exams delivered with the official VMware study guide
  • If you don’t have hands-on experience with vSphere 6, build your lab or use VMware Hands-on Labs

After passing my exam, I can tell you that this exam is not the easiest one. It’s a good mixture of memory questions and practice questions. For some questions, you need to put into practice what you’ve learned from the theory (those are my preferred ones).

My personal preparation:

Reading:

Practice:

  • HomeLab
  • Real-life experience (thanks to my job 🙂 )

Troubleshooting IIS after removing WSUS Role on a Windows 2012 Server

Several months ago, for one of my customers, I needed to remove the WSUS role from a server where the AD and Exchange roles were also configured (Windows 2012 + Exchange 2013). I agree with you, this is not an optimal scenario, but when the budget comes into play…
Once I rebooted the server after removing the WSUS role, any HTTPS connection to the Exchange AppPool in IIS was impossible. This means that any ActiveSync sync, any request to the OWA, any request to the ECP ended in an error 500 at IIS.
This is the worst error, because by default your browser is unable to return you a more detailed error code about the issue that could put you on a track.
After much research, I enabled debugging and read more detailed IIS logs. These logs reported error 500.19 for my issue. Ahhh!!! Finally a track.
To get more details on this error 500.19, I launched an HTTPS connection on the same server and here’s what it returned:

(Screenshot: iis-error-500-19)

IIS is constructed in the following manner:

  • The default web content: C:\inetpub\wwwroot
  • The IIS engine: %windir%\system32\inetsrv\
  • The global configuration file: %windir%\system32\inetsrv\config\ApplicationHost.config (holds all your IIS configuration)
  • The hosted website’s configuration file: %PhysicalPath_website%\web.config (website-specific configuration)
  • The AppPool related to the hosted website: %PhysicalPath% AppPool (the AppPools load the complementary modules in IIS needed for the proper functioning of apps; there are AppPools for SMEX Trend, Exchange, and many others.)

According to the error returned, the problem could come from two main files:

  • The site’s web.config
  • The ApplicationHost.config

To go further in the diagnosis, I based my investigation on the following points:

(Screenshot: iis-error-detailed1)

With this page, I knew which module was the guilty one. With the error code returned by the web page, I was able to find the origin of the issue with my friend Google 🙂

I could find what I was looking for via this website: https://support.microsoft.com/en-us/kb/942055

(Screenshot: ms-error500)

The “web.config” file being very limited in its content, it was evident to me that there weren’t any references to the « DynamicCompression » module. So, I edited the “ApplicationHost.config” file and started a search for the module concerned.

Bingo!!!!

Here is the guilty line. The one that gave me headaches!

<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true" dll="C:\Program Files\Update Services\WebServices\suscomp.dll" staticCompressionLevel="10" dynamicCompressionLevel="0" />

The Exchange website and all its loaded modules called a DLL file that was not there anymore.

After deleting this line, saving the modifications in “ApplicationHost.config” and finally running an “iisreset” command, everything came back!

So, if you are in a similar scenario to mine, Exchange 2013 no longer functional after removing the WSUS role on the server, take a look in the “ApplicationHost.config” file and check any references related to WSUS.
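
Rather than searching the file by hand, the check can be automated. As an added example (my own code, not from the post), here is a scan of applicationHost.config for native modules and compression schemes whose DLL no longer exists on disk, which is exactly the leftover the WSUS removal produced. The sample configuration below is constructed to reproduce that situation; point -ConfigPath at the real file to check a server.

```powershell
# Added example: report IIS global modules and compression schemes whose binary is missing.
# The default path is the standard applicationHost.config location; the sample file is constructed.
function Find-MissingIisBinary {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
    $webServer  = $config.configuration.'system.webServer'
    $candidates = @()
    # <globalModules><add name=".." image=".." />: native modules loaded by every worker process
    foreach ($m in @($webServer.globalModules.add)) {
        if ($m.image) { $candidates += [pscustomobject]@{ Section = 'globalModules'; Name = $m.name; Dll = $m.image } }
    }
    # <httpCompression><scheme name=".." dll=".." />: the section WSUS registered its "xpress" scheme in
    foreach ($s in @($webServer.httpCompression.scheme)) {
        if ($s.dll) { $candidates += [pscustomobject]@{ Section = 'httpCompression'; Name = $s.name; Dll = $s.dll } }
    }
    foreach ($c in $candidates) {
        # IIS expands %windir% and friends itself; do the same before testing the path.
        $expanded = [Environment]::ExpandEnvironmentVariables($c.Dll)
        if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
            [pscustomobject]@{ Section = $c.Section; Name = $c.Name; MissingDll = $expanded }
        }
    }
}

# Constructed sample reproducing the post's situation: the IIS modules are present on a
# server with IIS installed, suscomp.dll is gone. On a machine without IIS, gzip.dll and
# compstat.dll will be reported as missing too, which is the correct answer there.
$sample = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
    </globalModules>
    <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
      <scheme name="gzip" dll="%windir%\system32\inetsrv\gzip.dll" />
      <scheme name="xpress" doStaticCompression="false" doDynamicCompression="true" dll="C:\Program Files\Update Services\WebServices\suscomp.dll" staticCompressionLevel="10" dynamicCompressionLevel="0" />
    </httpCompression>
  </system.webServer>
</configuration>
'@
$tmp = Join-Path $env:TEMP 'applicationHost.sample.config'
Set-Content -LiteralPath $tmp -Value $sample
Find-MissingIisBinary -ConfigPath $tmp | Format-Table -AutoSize
```

Once the offending entry is confirmed, remove it from the real file, keep a backup copy, and run iisreset as the post describes.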

IoT, the importance of securing your connected infrastructure

This week I read a good article on a French IT news website (ZDNet FR) about a cloud provider / ISP that was the victim of a major DDoS attack. This time, the devices that flooded OVH’s (French ISP / cloud provider) servers were not computers but CCTV cameras.

Wouaaahhh!! 🙂 🙂 A new kind of attacker?

Yes indeed, but it was predictable!

But before going further, the best option is to let you read the source article:

ZDNet FR: DDoS attack against OVH

Sorry for those who don’t speak French, but here is a quick extract from the CTO of OVH that will help to understand the situation:

(Screenshot: zdnet_ddos)

What about the context?

Since several years ago, we saw an exponential emergence of connected devices or smart devices, it started with phones, TV and now, almost everything is smart:

  • SmartPhones
  • Smart TV
  • Smart Fridges
  • Smart Watches
  • Smart Cars
  • Smart blabla …. 🙂 🙂

The announced arrival of all these devices pushed ISP to adopt IPv6 because they received directly Public IP when they’re connected to mobile carrier via 3G, GPRS, 4G,…

The fact that all these devices can get directly public IP, expose them to outside world and of course to hackers.

For this new generation of fully connected devices, which represents a new ecosystem, marketers found a bright new acronym: IoT (Internet of Things).
This new ecosystem is the new playground of hackers, as these devices represent an impressive source of compute power and network bandwidth for massive DDoS attacks.

The weak point of most of these devices is that security was left behind during development, because implementing a high level of security generates costs, and the competition to offer the lowest price on the market is very aggressive.

As a technologist, I’m happy about the advantages some of these devices can offer us, but unfortunately there’s a drawback: security. How are these devices secured by their manufacturers?

As a system administrator, I’m forced to notice that security is not a top priority when all these devices are deployed. That’s why we need to stop security breaches before they reach those devices, to prevent the OVH scenario. But this is not the worst scenario.

We can imagine that instead of flooding a third party, the compromised device steals our personal data, which can impact us very badly.

What does this scenario teach us?

In today’s world, securing connected devices (smart devices, IT infrastructures, private and public clouds) is becoming more and more complex. At the firewall level, we cannot just open and block ports anymore, as hackers now try to find security breaches at the OS and application level. Nowadays, even user identities get compromised, which is one of the most damaging security issues a company can face today.

In my job as a consultant, a big challenge when I discuss the implementation of security with customers is the budget.

What I’ve often heard about new firewalls, centralized antivirus solutions, antispam gateways and so on:

  • The firewall you propose is too sophisticated for the size of our company. We are not a bank.
  • Are you sure you’re not exaggerating the risks?
  • We have a free version of a named antivirus solution, everything seems fine, why should we pay?
  • In case of data loss we have a backup solution!
  • Do you have some products that give me central monitoring, an efficient anti-spam solution and efficient protection of my network perimeter for the lowest cost? We have a tight budget.

All of these arguments make me confident that they don’t realize how much they’re exposed. Sometimes they only realize it after they have lost their data, because they never tested their backups before the incident.

As I explain to customers and potential customers, the more devices you have connected to the Internet, the bigger your attack surface. The damage can cost more than the price of a new firewall with a full UTM suite. The risks are not limited to the enterprise perimeter; they also exist at home, where security measures are most of the time very limited or nonexistent.

Fortunately for most people, the law is 2 or 3 wars behind the IT security world.
When I say fortunately, I’m thinking about the owners of devices infected by a botnet and participating in a DDoS attack. For the moment, concerning the law, nothing is planned here in Belgium or France. If you have more info about this topic, feel free to comment 😉

Only the hacker is punished, and when he is identified, most of the time the guy was acting alone and generated a DoS, not a DDoS attack.

Maybe the day the law introduces fines for the infected devices participating in DDoS attacks, mentalities will change and people will secure their infrastructure (even at home).

It’s just a thought; I’m not for it, I’m not against it :-). It’s just an analysis!!!

My conclusion.

In each IT infrastructure, security should be designed as the foundation, not as an option.
The more mobile enterprise users need to be, the more devices they are likely to use, and the more risks are present.
The budget should not be a brake, as the risk and its consequences are real.
Don’t hesitate to buy a good antivirus for your smartphones; when you host risky devices like CCTV cameras, don’t forget an IPS and restrict the number of hosts from which they are reachable. When hosting e-commerce, think about a WAF and DDoS counter-measures.

All of these measures will save you money in the long term.

How to Diagnose Traffic issue between 2 hosts with a Fortigate Firewall?

Context of a real-life scenario:

For one of my customers, I needed to configure strict firewall rules between VLANs. VLAN A had an Exchange server, and VLAN B a Veeam server that needed to back up the Exchange server VM.

Each time I tried to run a backup of the Exchange server, Veeam returned a network error (RPC Unavailable). Even when I allowed the predefined RPC service in the firewall policy rule, it didn’t work.

The best way to understand what’s going wrong is to use the built-in sniffer of the Fortigate unit. Depending on the Fortigate unit model you have, the sniffer utility is available in the GUI, via the CLI, or both. The closer your unit is to an entry-level model, the more you will need to run the advanced tools from the CLI.

In all cases, my preferred way of troubleshooting is the CLI. Let’s begin with it.

Run the Fortigate Sniffer utility from the CLI:

  1. How to access the CLI on the fortigate unit?

You have 2 options:

  • in the GUI interface (Yes Yes!!! from the GUI 🙂 )
  • run an SSH session from any SSH client (Putty remains the most common and most widely used)

For more information on Putty, please go on the official website (Putty Website)

If you want to keep a log of what you’ve done and be able to display a large quantity of information, I strongly recommend using Putty instead of the CLI integrated by default in the GUI interface.

From the GUI

  1. open the URL of your firewall
  2. Login to the web interface
  3. click on the CLI widget as shown here

(Screenshot: the CLI widget in the Fortigate web interface)

From the SSH client

Prerequisite: enable the SSH server on the interface of the Fortigate unit facing the host from which the SSH client will connect.

Example: the server where Putty is installed has IP 10.0.0.23 and your Fortigate unit has IP 10.0.0.1. Make sure to enable SSH, via the GUI, on the interface that carries the Fortigate IP 10.0.0.1.

(Screenshot: enabling SSH on the interface in the Fortigate GUI)

Procedure:

  1. Run Putty or any other SSH client from your server
  2. Connect to the Fortigate by entering its IP
  3. Type your credentials
  4. Launch a sniffer session by typing the following command:

diag sniffer packet <interface_name> <'filter'> <verbose> <count>

In a real-case scenario, here is what you would type to see the traffic between host A 192.168.0.229 and host B 172.17.0.35:

diag sniffer packet any 'src host 172.17.0.35 and dst host 192.168.0.229' 1

Command explanation:

diag sniffer packet: runs the sniffer
any: is the interface name on which the sniffer listens for the traffic to monitor. In my case I chose any, as the hosts are located on 2 different interfaces.
'src host 172.17.0.35 and dst host 192.168.0.229': is the filter. I want to see only the traffic between hosts A and B, with no protocol filtering.
1: is the verbosity level of the sniffer

Note: concerning the verbosity level of the sniffer, you have 6 levels. Choose the appropriate one depending on the issue you need to resolve.

Verbosity levels:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

Output:

144.718932 192.168.0.229.64314 -> 172.17.0.35.135: psh 3914262130 ack 63685806
144.718952 192.168.0.229.64314 -> 172.17.0.35.135: psh 3914262130 ack 63685806
144.720622 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
144.755747 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
144.755805 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
144.755825 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
147.708245 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
153.708268 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
174.760978 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761066 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761090 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761393 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
174.761460 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
174.761481 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
188.353298 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657
188.353391 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657
188.353414 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657

In my case, I could determine that some RPC ports and CIFS ports were blocked, as the firewall showed me rst (reset from source) packets on those connections.
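Reading a long sniffer capture by eye is error-prone, so here is an added example (my own script, not part of the original post or a Fortinet tool) that parses verbosity-1 lines like the output above, groups them per destination port and flags the flows that only show retransmitted SYNs or resets. The sample lines are copied from the output above; the flow verdicts are my own heuristic for a one-way capture.

```python
import re
from collections import defaultdict

# Verbosity-1 line: <timestamp> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: <flags ...>
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"^(?P<ts>\d+\.\d+)\s+(?P<src>{IP})\.\d+\s+->\s+"
                     rf"(?P<dst>{IP})\.(?P<dport>\d+):\s+(?P<info>.*)$")
FLAG_RE = re.compile(r"\b(syn|ack|psh|rst|fin)\b")

def parse_line(line):
    """Return one packet as a dict, or None for lines that are not packet lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "flags": frozenset(FLAG_RE.findall(m["info"]))}

def classify_flows(lines):
    """Group packets by (src, dst, dst_port) and say what this one-way trace shows."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            flows[(pkt["src"], pkt["dst"], pkt["dport"])].append(pkt)
    report = {}
    for key, pkts in flows.items():
        syn_only = [p for p in pkts if p["flags"] == {"syn"}]
        resets = [p for p in pkts if "rst" in p["flags"]]
        if resets:
            verdict = "reset"           # the sender tore the connection down
        elif len(syn_only) == len(pkts):
            verdict = "syn-unanswered"  # only (re)transmitted SYNs: dropped or never answered
        else:
            verdict = "established"     # data or plain ACKs seen, no reset
        report[key] = {"packets": len(pkts), "syn": len(syn_only),
                       "rst": len(resets), "verdict": verdict}
    return report
# Sample lines copied from the sniffer output above (a subset, for a stand-alone run).
SAMPLE = """\
144.720622 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
147.708245 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
153.708268 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
174.760978 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
188.353298 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657
""".splitlines()
if __name__ == "__main__":
    for (src, dst, dport), r in sorted(classify_flows(SAMPLE).items()):
        print(f"{src} -> {dst}:{dport:<6} {r['verdict']:<15} "
              f"packets={r['packets']} syn={r['syn']} rst={r['rst']}")
```

Because the filter in the post captures one direction only, a syn-unanswered verdict means no reply was visible in this capture; re-run with a two-way filter such as 'host 172.17.0.35 and host 192.168.0.229' to confirm, and at verbosity 4 to see which interface each packet crossed (with interface any, the same packet is typically listed once per interface, which inflates the counts).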