Powershell TIPS

  1. How to Extract ZIP Files Using PowerShell

# Expand-ZIPFile is not a built-in cmdlet; the function must already be defined in the session.
Expand-ZIPFile -File "C:\file1.zip" -Destination "C:\users\pandy\file"

 

 

How to determine what version of PowerShell is installed?

PS C:\> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      -1     -1

How to replace a string in a file's content with PowerShell

(Get-Content file.txt) | 
Foreach-Object {$_ -replace '\[MYID\]','MyValue'}  | 
Out-File file.txt

How can I uninstall an application using PowerShell?

$app = Get-WmiObject -Class Win32_Product | Where-Object { 
    $_.Name -match "Software Name" 
}

$app.Uninstall()


Or, to list every property of a specific product:

Get-WmiObject -Class Win32_Product -ComputerName . -Filter "Name='Microsoft .NET Framework 2.0'"| Format-List -Property *
 

					

Use PowerShell to Find Installed Software

In the following example, I use the Get-ItemProperty cmdlet to return values from the Uninstall Registry Key within the HKEY LOCAL MACHINE (HKLM) Registry Provider, selecting specific properties and then formatting output.

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Format-Table -AutoSize

The Get-ItemProperty cmdlet is a great tool because it’s designed to work with data that is exposed by any provider. To get a better idea of the various providers that are available in your session, simply execute the Get-PSProvider cmdlet.  

And of course, depending on my needs, I could have also used alternative output methods like Out-GridView or Export-Csv. Either way, we’ve now reduced the process to a one-liner that can be used in 64-bit and 32-bit environments:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Format-Table -AutoSize

Problem #3: Can we make it even more useful?

Absolutely! We are talking Windows PowerShell after all…

One way that comes to mind (and again, visible within the comments from the previous post), is addressing the issue of how to query multiple remote devices. My solution (for a number of reasons) is to rely on using the Invoke-Command cmdlet. In the following example, I query both of my SharePoint Web Front End (WFE) servers by using Invoke-Command to execute the same Get-ItemProperty on the remote system’s HKLM PS Registry Provider:

Invoke-Command -cn wfe0, wfe1 -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, Publisher, InstallDate }

The output now includes the PSComputerName column, which will help when I want to sort results down the road. And there we have it…an easy method to report installed software!
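The one-liners above each read a single Uninstall key. As an added example (not from the original post), the function below reads both the native and the Wow6432Node key, tags each entry with the key it came from, and can run locally or through Invoke-Command; the function name Get-InstalledSoftware and the RegistryView column are names chosen here.

```powershell
# Added example: merge the native and Wow6432Node Uninstall keys into one inventory.
function Get-InstalledSoftware {
    param([string[]]$ComputerName)   # optional; remote hosts need PowerShell remoting enabled

    $query = {
        $keys = @{
            'Native'      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'Wow6432Node' = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        }
        foreach ($view in $keys.Keys) {
            # The Wow6432Node key does not exist on 32-bit Windows; skip it quietly.
            Get-ItemProperty -Path $keys[$view] -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName } |    # drop entries that have no display name
                Select-Object @{ Name = 'RegistryView'; Expression = { $view } },
                              DisplayName, DisplayVersion, Publisher, InstallDate
        }
    }

    if ($ComputerName) {
        # Remote results carry the PSComputerName column mentioned above.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $query
    } else {
        & $query
    }
}

# Local inventory, sorted by name.
Get-InstalledSoftware | Sort-Object DisplayName | Format-Table -AutoSize
```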

BITS & POWERSHELL to Transfer Files

BITS technology and Powershell

BITS, or Background Intelligent Transfer Service, is basically a Windows service that is used to transfer files from websites.  Windows Update and SCCM already use this technology in order to download files to target computers.

BITS has been around since Windows XP, and some utilities (such as bitsadmin.exe) were made available to help administrators take advantage of the BITS technology.  Bitsadmin.exe is still around but has been deprecated in favor of PowerShell cmdlets.

When using BITS, you can basically transfer files (Downloads and Uploads) between 2 computers.    The service is intelligent because Bits uses idle network bandwidth to transfer the files and does not impact the network performance.  If an application requires more bandwidth, BITS will adjust automatically in order to decrease its transfer rate avoiding any negative impact on user’s interactive experience.  The service is also intelligent because it will automatically resume file transfer if you have a time out on your network or if a computer needs to restart.

BITS was exactly what I was looking for in order to transfer the files to this remote location and not to impact their day to day business.

Amazing….

How to Use PowerShell to perform Bits Transfers

We will quickly demonstrate how you can perform a BITS transfer and how easy it has become when using PowerShell cmdlets.

If you have Windows Vista or later or Windows 2008 or later, BITS is built into the operating system. As long as you have PowerShell V2.0, you should be able to use the BITS PowerShell cmdlets.  If you have Windows 2003, you will still be able to use this approach.  However, you will first need to install the update package for BITS and you will need to install PowerShell V2.0 on your system.  When this is done, you should be able to start your BITS transfer.

Downloading files using PowerShell and Bits

We assume that the file you want to download is stored on an HTTP server (for example http://c-nergy.lab/ISO/MySoftware.iso).  We also assume that anonymous access has been configured.  We will see later that you can also implement an authentication mechanism on your web server and pass valid credentials to your PowerShell BITS transfer command.

Import Bits modules

In order to start the transfer, open a PowerShell command prompt on the target computer (in the remote location) and type

  • Import-Module BitsTransfer

When the module is imported, you can quickly get a list of available commands by typing something like

  • Get-Command *-Bits*


Bits Synchronous Transfer

To initiate a download, you will simply type the following command (see screenshot below)

Start-BitsTransfer -Source <%Source path %> -Destination <%destination Path%>


This cmdlet starts the transfer operation in synchronous mode. This means that this transfer is similar to a copy operation.  In this mode, you have a progress bar (see screenshot above) that’s displayed and you can monitor the transfer operation.  My understanding is when using this mode, if you restart the computer, the transfer will stop and will not resume.

Bits Asynchronous Transfer

In order to have a persistent BITS transfer job, it’s recommended to start the process in asynchronous mode.  How do you do that? Simply by adding the -Asynchronous switch.


In this mode, if something happens (network outage, reboot of computers), the job will resume automatically and the download will proceed.  This is so cool  !

The small drawback here is that you do not have the visual hint about the operation progress.  You will have to use the Get-BitsTransfer cmdlet to check the download progress.  In the screenshot below, you can see the bytes transferred vs total bytes


In asynchronous mode, you will need to perform a small additional action in order to complete the transfer process. When the transfer is complete (you can check that with the Get-BitsTransfer cmdlet), you end up with a TMP file that has been created.  To convert this TMP file into the final file version, you will need to run the command Complete-BitsTransfer as shown in the screenshot below


At this stage, you have completed your download and everything should be fine.

As mentioned earlier, if the server  holding the files you need to download requires authentication, you can provide the credentials via the Powershell cmdlet  and the download will still be possible… You would type a command similar to the one on the screenshot


Note:

When using BitsTransfer in asynchronous mode, you will need to type Get-BitsTransfer multiple times in order to monitor the download progress. This is not really practical and not elegant. A better option would be to create a small script that would monitor the job for you and notify you when the job is completed.  When completed, the script would also issue the Complete-BitsTransfer for you.  I have provided you in the following screenshot a sample script that could do that
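One way to write such a monitoring script, as an added example that is not the author's script from the screenshot: it starts the job asynchronously, polls it, calls Complete-BitsTransfer once the job reaches the Transferred state, and also covers the credential case described earlier. The function name Receive-BitsFile, the destination path and the optional SHA-256 check (which needs Get-FileHash, PowerShell 4.0 or later) are assumptions made here.

```powershell
# Added example: asynchronous BITS download that is polled and then completed.
Import-Module BitsTransfer

function Receive-BitsFile {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination,
        [System.Management.Automation.PSCredential]$Credential,  # only when the server requires authentication
        [string]$ExpectedSha256,                                 # optional integrity check (assumption, PS 4.0+)
        [int]$PollSeconds = 10
    )

    $params = @{ Source = $Source; Destination = $Destination; Asynchronous = $true }
    if ($Credential) {
        $params.Credential     = $Credential
        $params.Authentication = 'Negotiate'
    }
    $job = Start-BitsTransfer @params

    # BITS moves a job out of these states on its own, so keep waiting.
    while ('Queued', 'Connecting', 'Transferring', 'TransientError' -contains $job.JobState) {
        Write-Host ("{0}: {1} of {2} bytes" -f $job.JobState, $job.BytesTransferred, $job.BytesTotal)
        Start-Sleep -Seconds $PollSeconds
    }

    if ($job.JobState -ne 'Transferred') {
        # Typically Error or Suspended: report the reason and remove the job and its TMP file.
        $state  = $job.JobState
        $reason = $job.ErrorDescription
        Remove-BitsTransfer -BitsJob $job
        throw "BITS job ended in state $state. $reason"
    }

    # Turns the TMP file into the final file.
    Complete-BitsTransfer -BitsJob $job

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            Remove-Item -Path $Destination
            throw "SHA-256 mismatch for $Destination (got $actual)"
        }
    }
    Get-Item -Path $Destination
}

# Sample URL from the article; the destination is a placeholder path.
Receive-BitsFile -Source 'http://c-nergy.lab/ISO/MySoftware.iso' -Destination 'C:\Temp\MySoftware.iso'
```

The BITS job itself survives a reboot, but this polling loop does not; after a restart, pick the job up again with Get-BitsTransfer.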


Uploading files using PowerShell and Bits

 In our environment, we will mainly use Bits to perform download operations. However, you have to know that you can also perform upload operations if required.  To be able to upload files to an HTTP server, you will first need to configure your server accordingly.   You will need to install IIS and install the BITS Server Extension Feature. 

We assume that you have Windows 2008 server (or later) running and you have already installed IIS (or web server role on top of it). To install the Bits Server Extensions, you simply open your Server Manager Console, go to the features node, right-click on it and select Add Features.  The Wizard will start. You will be presented with the following screen. Ensure that you select the Bits Server Extension option.


Note :

IIS 6 Management Compatibility roles must be installed.

After that, you can create your BITS upload virtual directory within IIS.  Click on it and you will see, at the bottom of the middle pane, the icon to configure the BITS extension for the directory.


Click on it and you will be presented with a screen similar to the screenshot.  You simply need to ensure that you enable the option “Allow clients to upload files”. The other options can be configured as required, or you can simply accept the default configuration.


 You have to ensure that permissions on the virtual directory are configured correctly.  If you have scripting and execute permissions enabled, the upload job will fail (this is a security feature).  Microsoft recommends turning off write access to the virtual directory as well, given that BITS does not require it.

Finally, you will need to ensure that the physical directory to which the virtual directory is mapped has the correct permissions set.  If you use anonymous access to upload files, ensure that the IIS anonymous user has Change permissions on that folder.  If you use an authenticated user, ensure that this user has Change permission as well on the physical folder.

When you have done all this, you should be ready to upload files to your HTTP server by issuing a command similar to

Start-BitsTransfer -Source <%Source path %> -Destination <%destination Path%> -TransferType Upload


I had problems to upload larger files onto my Windows 2008 BITS server.  I tried to upload an iso image into my upload folder and the powershell command failed returning an error HTTP 404 – The requested Url Does not Exist


This behavior is by design.  IIS is configured to allow file uploads no larger than 30 MB.  On Windows 2008, I had to change the configuration of the web.config file of the virtual directory.  I had to add the <security> section into the file.  The web.config file should look similar to the following screenshot.   Change the value of maxAllowedContentLength to fit your needs and you should be good to go.


Final words

BITS and PowerShell is the best combination I’ve found so far to download large files over slow networks.  The download will still take some time, but I will not need to restart the download from the beginning, nor will I negatively impact the network during the file transfer.   And that’s a big plus for me.  This technique will be part of my “Scripting Toolbox”.

You have to give it a try and see how simple and efficient it becomes to download one or multiple files across networks in a smart way….

We have not covered all the possibilities that offers Powershell and Bits but you can have a look here and start playing around http://msdn.microsoft.com/en-us/library/windows/desktop/ee663885(v=vs.85).aspx

Openstack – Microsoft Windows Image

Requirements :

  • ISO image of the Windows OS.
  • VirtIO driver for Windows.
  • Cloud init drivers for Windows.

Procedure :

Download the signed VirtIO drivers ISO from the Fedora website.

https://launchpad.net/kvm-guest-drivers-windows/20120712/20120712/+download/virtio-win-drivers-20120712-1.iso

Create a target hard drive to install the Windows Server 2008 R2 Operating System.

$ cd ~ && mkdir KVM && cd KVM

$ qemu-img create -f qcow2 WIN2K8R2.qcow2 20G

Attach Windows Server 2008 R2 ISO and boot the same.

$ qemu-system-x86_64 -enable-kvm -m 2048 -boot d -drive file=WIN2K8R2.qcow2,if=virtio -cdrom Win2K8X64R2Ent.iso -drive file=virtio-win-drivers-20120712-1.iso,media=cdrom -net nic,model=virtio

If you do not have KVM, remove the -enable-kvm option:

$ qemu-system-x86_64 -m 2048 -boot d -drive file=WIN2K8R2.qcow2,if=virtio -cdrom <path to windows.iso> -drive file=<path to VirtIO.iso>,media=cdrom -net nic,model=virtio

Once the installation has started, connect to the VM using the TightVNC viewer.
Follow the steps below to install the drivers and the operating system.

  • Click Install
  • Select your Operating System type
  • Accept License Terms
  • Select Custom Installation
  • Click ‘Load Driver’
  • Click Browse
  • Navigate to the cdrom ‘Virtio Drivers’ You should see two cdroms attached. One is the install cdrom and the other the ‘Virtio Drivers’
  • Select ‘Virtio Drivers’ => STORAGE => SERVER2008R2 => AMD64
  • Click OK
  • The ‘Red Hat VirtIO SCSI controller’ driver should be highlighted. If not then you have done something wrong.
  • Click Next. The driver should load without error and take you back to the screen to select the hard drive to install the Operating System on
  • Click ‘Drive options’
  • Click ‘New’. Ensure the entire drive space is being used – in our case the entire 20G
  • Click ‘Apply’
  • Click ‘OK’
  • Click ‘Next’. The Operating System will install. This process may take a while depending on the resources you gave initially.
  • Once completed you should be prompted to change the Administrator password.

Set the Date and Time

  • From the ‘Initial Configuration Tasks’ screen
  • Click ‘Set time zone’
  • From the ‘Date and Time’ window Click ‘Change time zone…’
  • From the ‘Time zone:’ drop-down select your time zone.
  • Click ‘OK’
  • Click ‘OK’

Enable Remote Desktop

  • From the ‘Initial Configuration Tasks’ screen scroll down to the option ‘3. Customize This Server’
  • Click ‘Enable Remote Desktop’
  • In the ‘System Properties’ window, on the ‘Remote’ tab under ‘Remote Desktop’, select your preferred level.
  • Click ‘OK’

Once Remote Desktop is enabled for the VM, establish a remote desktop connection and install the cloud-init package in the VM.

The cloud-init package for Windows can be downloaded from the link below.
http://www.cloudbase.it/cloud-init-for-windows-instances/

At the end of a successful installation, the cloud-init installer will ask you to run sysprep.

After cloud-init is installed, check that the “Cloud Initialization Service” is running in Services.

Reboot the VM.

Now import the qcow2 image into glance.

# glance image-create --name window --is-public=true --disk-format=qcow2 --container-format=bare --file <location of the qcow2 image that you want to import into glance>

 

Note: Those who prefer to prepare the image on Windows can use the qemu-windows libraries.

Linux Hardening

The following are the areas of hardening / security that need to be addressed on a Linux VM, along with their procedures.

 

  • No internet access on the server

This can be taken care through the Mirantis dashboard for the VMs.

Locate the Access & Security >> Egress rule for ipv4 & ipv6 which is enabled by default.

Verify that the same Access & Security rule template is not being used by any other VM; if it is, you will have to create a new custom template for your VM.

Disable the default Egress rule for ipv4 & ipv6, which is set to send any & all traffic out of the VM. This will block any http, https or ftp request going out of the system.

Please note: as this approach affects all outgoing traffic from the VM, you might have to enable outgoing ports on request, only when needed.

 

  • No direct root login, only sudo enabled

Rather than disabling the root account, you can lock the root account password. This will not allow the root user to log in with its password.

Before locking the root user, create a new user using useradd.

Locate the group that has sudo access in the /etc/sudoers file, and add the new user to this group.

Test the sudo access for the new user.

Now lock the root user account:

sudo passwd -l root

 

  • Only key based login, no X

Go to /etc/inittab and find the line

id:5:initdefault:

Replace it with the following line and save the file:

id:3:initdefault:

On the next boot / reboot the system should boot into a shell.

 

  • Enable SE Linux

Verify the current selinux status using the command – sestatus

It should be in either of these states :

# enforcing – SELinux security policy is enforced.

# permissive – SELinux prints warnings instead of enforcing.

# disabled – No SELinux policy is loaded.

Set the appropriate value in the file /etc/selinux/config

To fully enable SELinux, set it to:

SELINUX=enforcing

SELINUXTYPE=targeted

 

  • Enable logrotate for system logs under /var/log

Most of the logs under /var/log/ are set for auto backup & rotation.

In case any help is needed with setting up new logrotate scripts, refer to http://www.thegeekstuff.com/2010/07/logrotate-examples/

 

  • Disable rlogin & rsh services

None of these services are enabled, even their binaries were missing on the host.

Host Intrusion Prevention System (HIPS)

The process to enable this involves installing the HIPS agent, configuring the agent, and verifying that the agent is communicating with the HIPS server.

 

  • Installation of HIPS agent

Download the HIPS agent onto the VM using the WinSCP tool.

Uncompress the file. It should contain the agent installer, agent-cert.ssl (an agent certificate file) and a PDF explaining the installation process.

The important part of the installation is specifying Primary Management Server = abc.com and Alternate Management Server = abc.com, and sourcing agent-cert.ssl from the installation folder.

 

  • Configuring the agent

Enter an alternate DNS entry for the local area connection for communicating with the HIPS server as XX.XX.XXX.XX (IP).

Whitelist the HIPS server by making an entry in the hosts file at C:\Windows\System32\drivers\etc\hosts

Add entries for ip1 with abc.com and ip2 with abc2.com

 

  • Verifying the HIPS agent communication

Reboot the VM (This is needed for the agent to start communicating to the server)

Connect using Remote Desktop and run this tool from command prompt

"C:\Program Files (x86)\Symantec\Critical System Protection\Agent\IPS\bin\sisipsconfig.exe" -v

If a connection successful message is returned, then the agent is communicating with the server.

If not, ports 443 and 2222 need to be opened in the Dashboard using Egress rules, as well as on all intermediate firewalls on the network.