The IT Humidor

Smoke Should Come From Your Cigar, Not Your Computer


Instant Windows AD DS Lab

Posted by Slowhand on August 10, 2012
Posted in: 70-640, 70-642, 70-643, 70-646, 70-647, 70-648, 70-680, Certification, Geeky, General IT, MCITP, MCSE, MCTS. Tagged: 2008, active directory, Automation, computer, domain, group, organizational unit, PowerShell, ps1, R2, scripting, server, Windows Server.

If you’re anything like me while you study for certification tests, you break your lab on a weekly basis. And, while setting up services or features of Windows Server 2008 R2 isn’t all that bad, creating new dummy users, groups, and OUs for lab-practice gets a little annoying and tedious. After having re-created my test lab five times in as many weeks, I decided to take a few hours in order to script the process so I could start fresh with new lab-machines every time I really, REALLY break something and have to start over.

I suppose I could back up my configuration, but sometimes I just want a brand-new domain to play with. . . especially while I’m studying for my 70-648 exam and I keep creating convoluted GPOs that don’t always have the intended effect and I need to go back to something cleaner.

So, without further ado, here is the script – easily copied and pasted into a .ps1 file – for anyone else that hates sitting down and clicking through user and group-creation every time they need a new test-organization after getting that crisp, clean domain up and running.

Install your server, run dcpromo.exe, run this script, and voila: an instant lab to play with and break. This script has been tested in a Windows Server 2008 R2 domain. It depends on the Active Directory module for Windows PowerShell, which ships with Windows Server 2008 R2 and with the RSAT for Windows 7 and needs PowerShell 2.0; the domain controller it talks to must expose Active Directory Web Services, which a 2008 R2 DC does natively and a Windows Server 2003 or 2008 DC can provide once the Active Directory Management Gateway Service is installed:

# Written By: Slowhand
# Date: August 10th, 2012
# Purpose: Automatically creating test users, groups, and OUs for a study-lab
# Intended for use with a fresh install of AD DS for lab-purposes only
#
# [Please Note]
# User and group accounts are only created once per domain (their
# sAMAccountNames must be unique), even if you give the organization OU
# a different name on a later run; existing ones are skipped or reused
#
# To start completely fresh, delete the organizational OU from the first
# run-through; it and every OU under it are protected from accidental
# deletion, so clear that flag before removing them
#
# This script is provided 'as-is', please use at your own risk

Import-Module ActiveDirectory -ErrorAction SilentlyContinue
if (!(Get-Module ActiveDirectory)) {
    Write-Host "The Active Directory module (RSAT) and a reachable domain are required before this script can be run"
    Write-Host " "
} else {

    # User-defined values
    $required = "givenName", "surname", "department"
    do {
        Write-Host "Enter the name of your CSV file, (e.g., C:\Scripts\users.csv)"
        Write-Host "It must contain the columns: $($required -join ', ')"
        [string]$csvpath = Read-Host "CSV file"

        # Importing the list of users from the csv file and checking its columns
        # (Test-Path avoids the red error Get-Item prints for a missing file)
        $users = @()
        if ($csvpath -and (Test-Path -LiteralPath $csvpath -PathType Leaf)) {
            $users = @(Import-Csv -LiteralPath $csvpath)
        }
        $valid = ($users.Count -gt 0)
        if ($valid) {
            foreach ($column in $required) {
                if (!($users | Get-Member -Name $column -MemberType NoteProperty)) { $valid = $false }
            }
        }
        if (!$valid) { Write-Host "Could not read a usable CSV from '$csvpath', please try again" }
    } while (!$valid)

    Write-Host " "
    do {
        Write-Host "Please enter the name of the lab (e.g., Contoso, ACME, Testlab)"
        [string]$organization = Read-Host "Lab name"
    } while (!$organization)

    Write-Host " "
    Write-Host "Please enter a default user password that meets the domain password policy,"
    Write-Host "otherwise setting the password fails and the users are left disabled"
    # Read as a SecureString so the plain-text password is never kept in a variable;
    # New-ADUser takes a SecureString directly
    $password = Read-Host "Default user password" -AsSecureString

    Write-Host " "
    Write-Host " "
    Write-Host "CREATING TEST-LAB ENVIRONMENT, PLEASE STAND BY"
    Write-Host "=============================================="
    Write-Host " "

    # Pull the distinguished name of the domain; the organization OU goes directly under it
    $distname = (Get-ADDomain).DistinguishedName
    $path = "OU=$organization,$distname"

    # Only look for the company OU directly under the domain root, not anywhere in the domain
    if (Get-ADOrganizationalUnit -LDAPFilter "(ou=$organization)" -SearchBase $distname -SearchScope OneLevel) {
        Write-Host "The OU named $organization already exists"
        Write-Host " "
        Write-Host "==============================="
        Write-Host "ABORTING SETUP, HAVE A NICE DAY"
        Write-Host " "
    } else {
        Write-Host "Creating a company OU called $organization"
        New-ADOrganizationalUnit -Name $organization -Path $distname -ProtectedFromAccidentalDeletion $true

        # Some basic OUs to simulate a test company: Departments, Users and Computers
        # sit under the company OU, Workstations and Servers are nested under Computers
        Write-Host " "
        Write-Host "CREATING ORGANIZATIONAL UNITS"
        Write-Host "-----------------------------"
        foreach ($OU in "Departments", "Users", "Computers") {
            Write-Host "Creating an OU called $OU in $path"
            New-ADOrganizationalUnit -Name $OU -Path $path -ProtectedFromAccidentalDeletion $true
        }
        foreach ($OU in "Workstations", "Servers") {
            Write-Host "Creating an OU called $OU in OU=Computers,$path"
            New-ADOrganizationalUnit -Name $OU -Path "OU=Computers,$path" -ProtectedFromAccidentalDeletion $true
        }

        # Creating an OU and a group for each distinct department for GPO purposes
        Write-Host " "
        Write-Host "CREATING GROUPS"
        Write-Host "---------------"
        $departments = $users | ForEach-Object { $_.department } | Sort-Object -Unique
        foreach ($department in $departments) {
            Write-Host "Creating an OU for the $department department"
            New-ADOrganizationalUnit -Name $department -Path "OU=Departments,$path" -ProtectedFromAccidentalDeletion $true

            # Group sAMAccountNames are unique per domain, so a group left over from an
            # earlier lab (under a different company OU) is reused rather than re-created
            if (Get-ADGroup -LDAPFilter "(sAMAccountName=$department)") {
                Write-Host "The group $department already exists, reusing it"
            } else {
                Write-Host "Creating a group for the $department department"
                New-ADGroup -Name $department -SamAccountName $department -GroupCategory Security -GroupScope Global -DisplayName $department -Path "OU=$department,OU=Departments,$path"
            }
            Write-Host " "
        }

        # Create users based on a given name, surname, and department
        Write-Host " "
        Write-Host "CREATING USERS"
        Write-Host "--------------"
        $userpath = "OU=Users,$path"
        $domain = (Get-ADDomain).DNSRoot

        foreach ($user in $users) {
            $first = $user.givenName
            $last = $user.surname
            $department = $user.department
            $name = "$first $last"
            # The logon name becomes the sAMAccountName, which is limited to 20 characters
            $logon = "$first.$last"
            $userprincipalname = "$logon@$domain"

            if (Get-ADUser -LDAPFilter "(sAMAccountName=$logon)") {
                Write-Host "The user $name already exists, moving on to the next one"
                Write-Host " "
                continue
            }

            # Actual creation of the user in the Users OU
            Write-Host "Creating an account for $name"
            New-ADUser -Name $name -SamAccountName $logon -GivenName $first -Surname $last -DisplayName $name -Department $department -PasswordNeverExpires $true -Enabled $true -AccountPassword $password -UserPrincipalName $userprincipalname -Path $userpath

            # Add the user to its department group
            Write-Host "Adding user $name to the $department group"
            Write-Host " "
            Add-ADGroupMember -Identity $department -Members $logon
        }

        Write-Host " "
        Write-Host "The default user password is the one you entered above"
        Write-Host "It does not need to be changed at logon, nor does it expire"
        Write-Host " "
        Write-Host "============================================"
        Write-Host "FINISHED! ENJOY YOUR LAB AND HAVE A NICE DAY"
        Write-Host " "
        Write-Host " "
    }
}

The only other thing the script needs is a .csv file with three columns, givenName, surname, and department, from which it builds each user’s display name, logon name (first.last, which must stay within the 20-character sAMAccountName limit), and department OU and group. The following sample can be copied and pasted into Notepad and saved as ‘users.csv’, for example:

givenName,surname,department
Tony,Stark,Research
Pepper,Potts,Executives
Phil,Coulson,Security
Nick,Fury,HR
Bruce,Banner,Research
Steve,Rogers,Security
Reed,Richards,Research
Johnny,Storm,Security
Susan,Richards,Research
Ben,Grimm,Security
Peter,Parker,Research
Charles,Xavier,Executives
Scott,Summers,Security
Jean,Gray,HR

The script and the csv file are also available as a single download: instantScript.zip
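Because every OU the script creates is flagged ProtectedFromAccidentalDeletion, the "delete the original OU and re-run" advice in the script header takes more than a right-click in Active Directory Users and Computers. The following helpers are an added example, not part of the original post or its download: one tears a lab down so the script can be re-run, the other checks a fresh build against the CSV it was built from. They assume the ActiveDirectory module, domain-admin rights in the lab domain, and the OU layout the script creates (OU=<lab> under the domain root with Departments, Users and Computers beneath it); the function names Remove-LabOrganization and Test-LabOrganization are my own, and the lab name and CSV path in the usage lines are the constructed values from this post.

```powershell
# Added example, not part of the original post or its download: a teardown
# helper so the lab can be rebuilt, and a check of a fresh build against the
# CSV. Assumes the ActiveDirectory module, domain-admin rights in the lab
# domain, and the OU layout the script creates (OU=<lab> under the domain
# root with Departments, Users and Computers beneath it). The function names
# Remove-LabOrganization and Test-LabOrganization are my own.
Import-Module ActiveDirectory

function Remove-LabOrganization {
    param([Parameter(Mandatory = $true)][string]$Organization)

    $domainDN = (Get-ADDomain).DistinguishedName
    $labDN    = "OU=$Organization,$domainDN"

    if (!(Get-ADOrganizationalUnit -LDAPFilter "(ou=$Organization)" -SearchBase $domainDN -SearchScope OneLevel)) {
        Write-Host "No OU named $Organization directly under $domainDN, nothing to do"
        return
    }

    # Every OU the script made is ProtectedFromAccidentalDeletion, so a plain
    # Remove-ADOrganizationalUnit -Recursive is refused; clear the flag on the
    # whole subtree first (Subtree scope includes the lab OU itself)
    $ous = @(Get-ADOrganizationalUnit -Filter * -SearchBase $labDN -SearchScope Subtree)
    foreach ($ou in $ous) {
        Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
    }

    # -Recursive also deletes the users and groups inside the OUs, which is what
    # lets the script's "already exists" checks create fresh ones on the next run
    Remove-ADOrganizationalUnit -Identity $labDN -Recursive -Confirm:$false
    Write-Host "Removed $labDN ($($ous.Count) OUs in total)"
}

function Test-LabOrganization {
    param(
        [Parameter(Mandatory = $true)][string]$Organization,
        [Parameter(Mandatory = $true)][string]$CsvPath
    )

    $domainDN = (Get-ADDomain).DistinguishedName
    $userOU   = "OU=Users,OU=$Organization,$domainDN"
    $problems = @()

    foreach ($row in Import-Csv -LiteralPath $CsvPath) {
        # Same logon-name convention as the script: first.last
        $logon = "$($row.givenName).$($row.surname)"
        $account = Get-ADUser -LDAPFilter "(sAMAccountName=$logon)" -Properties MemberOf
        if (!$account) {
            $problems += "$logon was not created"
            continue
        }
        if (!$account.Enabled) {
            # New-ADUser leaves the account disabled when the password fails policy
            $problems += "$logon is disabled (default password probably failed the domain policy)"
        }
        if ($account.DistinguishedName -notlike "*,$userOU") {
            $problems += "$logon is not in $userOU"
        }
        # Look the group up by sAMAccountName: it may be one reused from an earlier lab
        $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$($row.department))"
        if (!$group -or $account.MemberOf -notcontains $group.DistinguishedName) {
            $problems += "$logon is not a member of the $($row.department) group"
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host "Lab $Organization matches $CsvPath"
    } else {
        $problems | ForEach-Object { Write-Host "PROBLEM: $_" }
    }
    return $problems
}

# Usage, with the lab name and CSV path from the post as constructed examples:
#   Test-LabOrganization -Organization Contoso -CsvPath C:\Scripts\users.csv
#   Remove-LabOrganization -Organization Contoso
```

Test-LabOrganization returns the list of problems, so an empty result means the build matches the CSV; run it right after the script, and run Remove-LabOrganization before re-running the script with the same lab name.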

Windows PowerShell Resources

Posted by Slowhand on June 29, 2012
Posted in: 70-640, 70-642, 70-646, 70-680, Geeky, General IT, LinkedIn, MCTS, Programming. Tagged: administration, Automation, cli, command-line, devops, directory management tools, enterprise-it, exchange, Microsoft, MSDN, PowerGUI, PowerShell, regex, Regular Expressions, script, scripting, server, technet, windows.

During my studies of Windows PowerShell, I’ve come across a great number of excellent resources for experienced admins and newbies alike. The following is a compilation of sites, book recommendations, and tools to help out anyone wanting to start working with this ridiculously powerful scripting language. Windows PowerShell 2.0 is built into Windows 7 and Windows Server 2008 R2; on Vista and Windows Server 2008 it is an optional download (Server 2008 ships with PowerShell 1.0 as an optional feature). PowerShell 3.0 is part of the core operating system on Windows 8 and Windows Server 2012, with the ISE available from the “Turn Windows features on or off” menu. If you’re running an older version of Windows, such as XP or Server 2003, you can download PowerShell here, and get some handy PowerShell Active Directory management tools for Windows Server 2008 and earlier here.

The starred (*) items are strongly recommended for beginners or anyone new to PowerShell.

Free Resources

  • PowerShell: An In-Depth Scripting Crash Course *
  • Windows PowerShell Owner’s Manual *
  • TechNet Webcast Series – Scripting with Windows PowerShell
  • MSDN PowerShell Blog
  • Don Jones’ Shellhub * (Features book recommendations, tips, and other resources from one of the foremost experts on PowerShell in the world.)
  • MSDN Library – Getting Started with Windows PowerShell *
  • 2012 Scripting Games Study Guide: A Resource for Learning PowerShell *
  • Microsoft TechNet | Windows PowerShell
  • Sapien Technologies Forum | Windows PowerShell (This site features forums for many other scripting languages as well.)
  • CodePlex – PowerShell Tools for IT Admins
  • IS Decisions | Everything PowerShell
  • PowerGUI, a Graphical User Interface and Script Editor for Microsoft Windows PowerShell
  • Microsoft’s Channel 9 | Windows PowerShell (v3) Crash Course
  • KS-Soft WMI Explorer (Useful for any admin, regardless of the preferred scripting language.)

Other Recommended Resources

  • PowerShell in Action, Second Edition
  • Learn Windows PowerShell in a Month of Lunches
  • Windows PowerShell 2.0 Best Practices
  • Windows PowerShell 2.0 Administrator’s Pocket Consultant
  • Don Jones’ PowerShell Book Guide
  • CBT Nuggets – Microsoft Scripting Windows PowerShell *
  • CBT Nuggets – Microsoft Scripting Advanced Windows PowerShell v2 *
  • CBT Nuggets – Powershell 3 Foundations *

When getting more advanced with any scripting or programming language, it’s always a good idea to get familiar with regular expressions to help get the most out of your scripts. Currently, Mastering Regular Expressions, 3rd Edition is one of the top-rated books out there on the subject. It doesn’t have code examples specific to PowerShell, but hopefully future editions will. Here is a great site with free tutorials on regular expressions to help you get started: Regular-Expressions.info

Dr. Radia Perlman, “The Mother of the Internet”

Posted by Slowhand on May 9, 2012
Posted in: Uncategorized. Tagged: computer science, Dr. Perlman, ethernet, IS-IS, LAN, layer 2, layer 3, MIT, OSI, OSPF, radia perlman, research, science, spanning tree, STP, switch, switching, technology.

We all know about Ada Lovelace, and her work as the first computer programmer. (You do know about her, don’t you?)

Today, however, I’m going to talk a little bit about Dr. Radia Joy Perlman, another great woman in the history of computer science. . . and one of the most important people in technology today, period.

Dr. Perlman is the creator of the algorithm for the Spanning Tree Protocol, a topic any networking student is intimately familiar with. Without STP, the redundant links that make switched networks (and internetworks) resilient would simply create forwarding loops and broadcast storms. She also worked on routing protocols, such as IS-IS and OSPF, increasing efficiency and fault-tolerance. At age 37, she earned her PhD in computer science from MIT, with a thesis on network-layer protocols that keep working even when some of the routers are malicious.

Currently a Fellow at Intel, Dr. Perlman has worked for Sun Microsystems, (where she filed for over 50 patents for her work,) and Digital Equipment Corporation. It was while at DEC that she designed her algorithm for STP. She’s written two books, Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and Network Security: Private Communication in a Public World (the latter with Charlie Kaufman and Mike Speciner), both of which still pop up as required reading for networking classes and as recommended reading for certain IT certifications.

When asked to explain her seminal work, she famously replied, “The protocol is really very simple, I can summarize it in a poem!”

Algorhyme

I think that I shall never see
a graph more lovely than a tree.
A tree whose crucial property
is loop-free connectivity.
A tree that must be sure to span
so packets can reach every LAN.
First, the root must be selected.
By ID, it is elected.
Least-cost paths from root are traced.
In the tree, these paths are placed.
A mesh is made by folks like me,
then bridges find a spanning tree.


More reading on Dr. Perlman and her work:

  • The Many Sides of Radia Perlman
  • MIT’s Inventor of the Week
  • Why IEEE Fellow Radia Perlman Hates Technology
  • The list of articles goes on and on, you’re gonna have to Google her yourself for more.

So, Are We Just Forgoing Turkey-Day This Year?

Posted by Slowhand on November 11, 2011
Posted in: Humor.

DECEMBER, fat man!

Advice for Becoming an IT Security Professional

Posted by Slowhand on November 11, 2011
Posted in: Certification, General IT, LinkedIn, Miscellaneous, Work. Tagged: ccie, ccna, ccnp, ccsp, ceh, Certification, CISSP, cracking, hacking, MCITP, mcse, network, passwords, security, sscp, TCP/IP.

In the IT industry, there’s a lot of talk about how good a “security professional” is versus a “hacker”. Considering the companies that were compromised this year alone – Sony, RSA, Valve, just to name a few – the whole industry is looking at security a whole lot more seriously these days.

This brings me to a thread on TechExams.net from a few years ago that discusses what it takes to be an industry-recognized security professional. Something to note here: this forum assumes that certifications are earned through rigorous study and hands-on experience, not through memorizing stolen test-questions or cramming a book just enough to pass the test. That being said, this particular conversation discusses the much-lauded CISSP certification, which requires several years of documented professional experience in the field (a degree can substitute for one of them) in addition to passing the exam.

Keatron, who teaches courses in network security, had the following advice for another forum-member asking how to get into security:

I’ve had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. By “have it”, I actually mean have it, not just pass the test.

I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I’d suggest getting some Cisco in there. And you must start with CCNA, Then work the CCSP route (will not be easy, but worth it).

By this time you should be very ready to start preparing for the CISSP.

Again, keep in mind that the assumption here is that a professional would be working as he or she earns these certs, and actually learning the material in a practical way over the course of the two or three years it would take to study for all these tests.

So, the response we get from UnixGuy, another member of the forum who is interested in security-work:

Hmmm, isn’t this tooo long a way to earn a CISSP ??

And here is the big payoff, Keatron’s reasoning for all those other skills and experience:

For UnixGuy, think of it this way. Let’s say you have 6 different certifications that all deal with 6 different areas of Information Security. Think of these as your 6 cans of Coke. Now think of the CISSP as the little plastic stuff that holds a six pack of coke together. Take your 6 cans of coke (your experience and other certs) and the little plastic stuff (your CISSP), add those together and you have a solid six pack that’s held together well. For example, you might have a job as a firewall administrator. You might perform this job well for 6 or 7 years. However, you could be an expert firewall administrator, and not know squat about application security. In reality, the CISSP helps a security professional take all their years of experience, and certifications and FINALLY tie them all together and see clear relationships between it all. But there’s the old saying “garbage in, garbage out”. So in other words, if you are a person with only 1 can of coke (minimal experience and minimal exposure to certifications), then the little plastic thing (CISSP) won’t really do you much good, because you don’t have any cans (experience and certs) to tie together. The CISSP is often described as a mile wide and an inch deep. But it should be understood that you don’t go a mile deep because theoretically, you’ve already been 20 miles deep in several of the domains. I always stress experience first, then certs. However, sometimes you need the cert, to be awarded the opportunity to get the experience. But I often recommend people in the security field get vendor specific certs related to operating systems or network equipment they may be responsible for securing. You can’t possibly secure a large building if you don’t know where all the doors and windows are. Additionally you need to know how to open and close these doors and windows. Same goes for systems and networks. Here’s a few examples;

How can one possibly understand group policy if they’ve never implemented or at least labbed it out in preparation for MCSE? How could you know that group policies only apply to computers that are a member of the domain, OU, or site that group policy was applied to if you haven’t done it, or again labbed it out. Not to mention you have to remember to give groups read and apply group policy permissions to the group policy object if it is to have any effect at all. If one doesn’t understand these basics, then how could they possibly even start to secure a Windows based network? How does Kerberos work (in Windows world)? What’s sent in clear text and what’s encrypted? How feasible is it for an attacker to forge a ticket and fool another device or computer in the realm into believing it’s legit? If you’ve never implemented a Pix or an ASA then how could you know what its default inspection rules for the FTP protocol are? We’re taught that FTP uses ports 20 and 21 only. But is that actually accurate? Is it true that FTP actually uses dynamically allocated ports to actually do the data transfer part of an FTP session? How do the ASA default inspection rules allow for this? And if you know the answer to that, then what security concerns does this behavior and allowance or disallowance by ASA introduce or expose your organization to? Have you observed its behavior via Ethereal or some other analyzer or sniffer? What about the bazillion other protocols you’re forced to allow into your network? Are you sure DNS only uses port 53? TCP or UDP? Both? When you perform a query for a resource on the web, does the response to the query come back in on UDP port 53? What about zone transfers? Is that via port 53 as well? TCP or UDP? Are these zone transfers in cleartext? If they are, what can you implement to encrypt these zone transfers? How do Checkpoint Firewall solutions deal with this behavior? (And saying it just works doesn’t count.)
Are the ways in which it deals with this behavior introducing unique security considerations? Isn’t it true that the biggest problem with firewalls, IDS, and other mechanisms is that they act and behave in a very predictable manner? How does the NTFS file system store data and files? What about NFS? FAT? What about ZFS? So how do ZFS and EXT2 differ in how they store and categorize data? From a confidentiality perspective, which is more feasible? If you haven’t worked with these file systems you might not know the answers. However, getting certifications can expose you to this very information and at least give you some level of knowledge in those areas.

This list could go on and on. And obviously a CISSP that thinks they only utilize port 21 when they go to an FTP site and download files probably could have benefited from getting a little more experience (or getting more cans) before getting the plastic piece (CISSP) to pull it all together. Because pulling it all together with too few cans causes us to have huge “knowledge gaps” and therefore renders us less effective in our roles as information security professionals.

So UnixGuy, the above are some of the major reasons I suggest a path to the CISSP that’s probably a little longer than what you normally hear. Thanks for reading. And I hope it helps.

Keatron.

I agree with every word of it. You cannot secure a network, a server, a website, or even a stand-alone PC, if you don’t know how those things work in the first place. Security is a second-tier skillset: you have to learn how something works before you can learn how to protect it. “Security” isn’t some additional field that was invented for us to work in, it’s a term for the in-depth knowledge we gain as we work and learn about these systems that helps prevent exploits and hacks from being executed. UnixGuy’s question is a common one, and he’s not stupid or self-entitled for thinking that the road is too long. Unfortunately, I think that security isn’t taken seriously enough as a whole by this industry, (and many others,) and the result is that most of us don’t know how much work and effort goes into becoming an expert on that level.

Granted, even experts make mistakes and sometimes the black-hats (bad guys) are smarter than the white hats (good guys), but that’s all the more reason to study, train, and prepare yourself if you want to be a CISSP, for example. Some people think the road is too long. . . I think that the road often isn’t long enough. It’s a big, bad world out there full of threats and people who want to steal our information. The more you know, the fewer times you’ll get caught with your pants down.

Dear Jos. A Banks, London Fog, The Men’s Wearhouse, etc. . .

Posted by Slowhand on November 11, 2011
Posted in: General Life, Humor, Miscellaneous.
All I’m asking for is a full-length trench coat in size 50 Long that comes in brown, is that too much to ask? I know you have a hard-on for black and beige, but I’d really love a few more options with one of the most common articles of men’s clothing in the world. Also, “full-length” doesn’t mean “down to my thighs“, I’d love to avoid getting my pants completely drenched if I’m caught in the rain; that’s the whole point of a long, water-proof coat.
And one more teensy, tiny little thing. A trench coat is meant to keep the rain out, which is why it’s also called a rain coat. . . so WHY IN THE HELL DO HALF THE COATS I FIND ONLINE HAVE LEATHER COLLARS?!?

The Amazing Human Brain

Posted by Slowhand on November 9, 2011
Posted in: Certification, Humor, School.

I saw this today on Facebook and I thought it was very appropriate for me, and others in the same position, taking certification tests and/or going to college:

The Amazing Human Brain

Blog at WordPress.com. Theme: Parament by Automattic.