Software

This section looks at what is new in the world of software (Operating Systems included) and how to take best advantage of what is out there.

If you are running (or use) the Sympa Mailing List but also use Windows PowerShell then you may want to be aware of PSSympa which recently went v1.0 on GitHub and the PowerShell Gallery.

In this release we have…

Functions

  • Get-SympaLogin (to login and get a session cookie – the result of which is used with all other functions)
  • Get-SympaMailingListMember (get the members of a list or list(s))
  • Add-SympaMailingListMember (add a member(s) to a list)
  • Remove-SympaMailingListMember (removes a member(s) from a list)
  • Test-SympaMailingListMember (checks to see if someone is a Subscriber, Owner or Editor of a list)
  • Sync-SympaMailingList (based on the contents of a reference CSV makes changes to the membership of a list)

Samples

  • How a CSV storing credentials might look (samplecredsfile.csv)
  • How a CSV that is used to Add/Remove members in bulk to/from a single list (samplememberslist.csv)
  • How a CSV that is used with the Sync- function would look (samplesynclist.csv)

Super Awesome Features

  • Credentials can be stored in a CSV to avoid them being typed in as part of a wider script
  • Pipeline support for members in lists

How to get it

The PowerShell Gallery is the best route to get your hands on the Module, see this link – https://www.powershellgallery.com/packages/PSSympa for the full details in short though you should only need to run the following command at your PowerShell prompt (assuming you are running a recent version of PowerShell) to install the module on your PC.

Install-Module -Name PSSympa

Continue reading

With the continued rise of ‘Next Generation’ Anti-Virus like Sophos Intercept X and PaloAlto Traps the question from many SysAdmins might be well how do I deploy these?

If you are looking at Intercept X and you already are Running Sophos Central (with Endpoint Protection) the simple answer is a press a few buttons in the Admin Console.

In short, login to Sophos Central (https://cloud.sophos.com/manage/login) go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X > Add your computers from the displayed list > click Save.

For a more in depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) its quite possible that the look/feel of the Admin Console will have changed between the time I published this article and you read it.

Once you have deployed Intercept X to your existing machines be sure to update your installers to use when deploying new computers. You can download these from the ‘Protect Devices’ button on the Admin Console Dashboard.

One of my favourite features of PowerShell is the Invoke-RestMethod cmdlet which (among a great many other things) can download the data from an RSS feed. One application I’ve found for this is to stay on top of security bulletins from organisations like Adobe and Drupal.

However just downloading the data from the feed and kicking it out in an email isn’t quite good enough for my needs thus the script below gets data from a CSV which contains the URL to the feed as well as some extra details to inject into any email notification (e.g. a link to the guide on how to deploy Adobe Updates).

In my production environment this script creates tickets on a FreskDesk helpdesk to log and manage any new update notifications. In the attached example below the script just fires off email notifications.

Have a look at the screenshot sequence below for more info!

  Get-Rss (4.0 KiB, 142 hits)

Update 09/05/2017 – v0.2 – Now handles XML and Arrays in the link and title objects (good for reddit and blogspot!)

As some readers may know I currently work in Higher Education and while all of the business data is trivial to backup providing any level of backup service to students and academics is significantly harder. The challenges faced include the myriad of Operating Systems in use (Windows/OSX/Linux), the fact that the devices being backed up are inherently ‘untrusted’ (i.e. owned by the individual) and that they are often on networks (be it eduroam/public/home) that have no direct connectivity back to the internal trusted network.

Most enterprise class backup systems just aren’t suited to this kind of environment in that they cannot be securely published through a firewall or have exorbitant licencing costs for the number of devices to be protected (a few file servers vs 500+ student owned laptops).

One solution to this issue cropped up at a recent trade show where Synology were demonstrating their Synology DiskStation Manager NAS software which set itself apart from the traditional enterprise backup solutions with…

  • Support up to 16,000 users on high end models (and 2048 on the kind of model that we would consider using) with no extra licencing costs, users can have storage quotas set either by group or per user
  • Secure remote access (simply publish a single port which can be protected by HTTPS for encryption in transit)
  • Home grown backup clients for modern versions of Windows, OSX/macOS and Linux
  • On the point of OSX/macOS the backup client for Synology does not rely on Time Machine and so overcomes the issues associated with having to be on the same network as your backup device
  • Home grown Btrfs file system which auto detects (and fixes) corrupted files through metadata along with extensive snapshot support
  • Up to 32 recovery points and real-time file protection (when connected to the DiskStation)

So time for some screenshots! Below we have the initial setup of the Disk Station Manager and the installation of the client on a Windows PC.

Then restoring a file that has been deleted on the Windows PC; note that you can restore either individual files or entire folders to a point in time.

The same but for OSX…

So that’s all of the good, the only downside we have found thus far is while shared drives can be protected with encryption it is not possible to protect each individual home area (per user) with a unique encryption key thus opening up issues with data privacy. However, if you consider the following scenario…

  • A business needs to provide backup to remote workers
    • Those remote workers do not connect to the trusted network often
      • Perhaps they don’t like VPNs/DirectAccess (and so rules out using Offline Files)
    • and those remote workers do not use a commercial ‘cloud’ service to protect their data with
      • Perhaps trusting a 3rd party to host the data is not an option
    • The remote workers use OSX/macOS

…then using a Synology DiskStation should be a serious consideration for that business.

So this post is a more a reminder to me than anything else but…having recently come across the Microsoft TechNet article ‘Keyboard Shortcuts for the Windows PowerShell ISE’ (https://msdn.microsoft.com/powershell/scripting/core-powershell/ise/keyboard-shortcuts-for-the-windows-powershell-ise) I thought it necessary to highlight the two keyboard shortcuts….

Ctrl + J – brings up a list of code snippet templates (e.g. try-catch-finally and do-until)
Ctrl + M – expand or collapse braces

See the screenshots below for a demo and do make sure you try them yourself!

If you are looking for a free tool to manage some of the more intricate features of the Gemalto IDPrime .NET and MD cards then the Mini-Driver Manager (downloadable from http://www.gemalto.com/products/dotnet_card/resources/development.html) may well fit the bill. However it has one small downfall in that out of the box it only allows you to manage cards with the Admin Key set to 48 0s or 48 Fs with neither option being much use to anyone once they have changed the Admin PIN.

Luckily these values are only set in a INI file so its pretty easy to change them to anything else.

Please note that this guide uses a feature in Notepad++ to elevate an application to have local Admin access, you can download Notepad++ from https://notepad-plus-plus.org however you could also use plain old Notepad you’ll just need to launch it as an Administrator and browse to the INI file within Notepad.

On with the guide!!

So after meaning to play with Smart Cards in greater detail for some time we’ve just received a set of cards and accessories from Smartcard Focus (http://www.smartcardfocus.com/) including….

  • Gemalto GemPC Shell Token V2 (IDBridge K30) (a USB dongle style Smart Card reader which you can see in the screen shot sequence below)
  • Gemalto IDPrime .NET smartcard – SIM cut (to go in the IDBridge K30)
  • Gemalto IDPrime .NET card – just your standard Smart Card
  • Omnikey 3121 – just your standard Smart Card reader

One of the first things I wanted to do was get PIN complexity and policy defined; the chaps over at Gemalto provide a number of tools which can be used to manage the cards which can be downloaded from the links below…

http://www.gemalto.com/products/dotnet_card/resources/development.html

http://www.gemalto.com/products/dotnet_card/resources/libraries.html

So time to get on with the guide (which also shows you which downloads are needed from the links)!

48 0s typed out… 🙂

000000000000000000000000000000000000000000000000

So first things first….the title of this article is misleading; thus far Avid do not seem to have released a sounds pack specific for Sibelius 8 as you will see on the website when you login in (https://my.avid.com/account/orientation) the only option is for the 7.5 sounds pack. But…this works!

Now deploying Sibelius it’s self in a silent manner is (in my opinion) pretty well documented at this link – http://avid.force.com/pkb/articles/en_US/how_to/en396971.

When you get to the sounds the documentation (again in my opinion) (which can be found here – http://avid.force.com/pkb/articles/en_US/How_To/Installing-and-using-Sibelius-Sounds-across-a-network) is flaky at best not to mention the confusion around version 7/7.5/8.

For example the install path is listed as C:\Program Files (x86)\Avid\Sibelius Sounds\Sibelius 7 Sounds, well Sibelius 8 is x64 only so do we put it in the C:\Program Files folder instead? The registry entry is listed as HKEY_LOCAL_MACHINE\SOFTWARE\Avid\Sibelius Sounds\Sibelius 7 Sounds\ContentPath – well again do we update this to be ‘Sibelius 8 Sounds’?

Well as it transpires their guide is correct in all respects; however, as it states in the clear there is no silent install command for the sounds. Ultimately though its just a copy and paste operation with the addition of a registry key so lets use some PowerShell to get this software deployed! Continue reading

Check DCsOne of those monthly jobs that every SysAdmin will come across is good old Patch Tuesday; to help make Patch Tuesday a little more fun after all of the servers have been updated I use Hyper-V Replica (run by a PowerShell script) to shutdown each Virtual Machine and move it onto another host (ticks the box for the machine reboot component of Windows Updates and also tests our DR solution in one hit!).
However as both of my DCs are Virtual Machines I want to make sure that at least one DC is up at all times, to do that I have built a little PowerShell function (see below to download it within a zip file!) that is run before every migration to ensure that both DCs are up and running (along with the Network Policy Server service which is used to authenticate clients on the network (and so is very important!!)) before any migration happens.

Hopefully this will help someone someday!

  See if DCs are up (905 bytes, 283 hits)

A silly gotcha more than anything else…. after recently updating my WSUS server to use SSL (to allow publishing through the firewall) I noticed my clients that were deployed with MDT (Microsoft Deployment Toolkit) were not installing updates as part of the Task Sequence; indeed the message log at the end indicated that the updates could not be downloaded as there was no connectivity to the WSUS server.

Lone behold I had updated the path to be https:// (against http://) in the Group Policies that pointed the clients at the WSUS server but not in the Deployment Share properties in MDT. So let the lesson be learnt… be sure to make the URL change in MDT as well as in Group Policy.