Thursday, August 14, 2014

How to Configure HP ILO 4 for Active Directory Login

1. Make sure that your Windows Active Directory Domain Controller has an SSL Certificate to support port 636 (HP's authentication doesn't like 389)

2. Use Softerra LDAP Administrator (or whatever is your preferred tool to get the OU path) if you don't know how to do it by heart (which...um...sometimes its better to verify).

3. Make sure that you have a way to authenticate users by adding in the OU where your restricted accounts are located. You don't want anyone in the domain to be able to login to the server.

ILO Login > Administration > User Administration - Click New and Add the Group DN Only:



Click Add Group and then you will see your group added. (*Make sure it's a security group)


4. Add in your Windows Active Directory DC to authenticate against (Verified against 2008R2):

ILO Login > Administration > Security - Directory (*Make sure it's the OU where the security group is)


5. Sign Out (Log off) and then Log Back in (If you don't see Directory or..., something is wrong):



Tuesday, August 12, 2014

How to Create a Red Hat Enterprise Linux 7.0 VMware Template

If you are using Chef, Puppet, Active System Manager or OpenStack their are more automations you can script and include.

References:
Red Hat (VMware Cloning Precautions) - https://access.redhat.com/site/solutions/271643
Red Hat (Register VMware for unlimited RHEL VM's) - https://access.redhat.com/site/solutions/659563
Red Hat (Register VMware for Virtual Subscriptions) - https://access.redhat.com/site/solutions/543333
The Lone SysAdmin - http://lonesysadmin.net/2013/03/26/preparing-linux-template-vms/
Mfariso1 - https://www.suse.com/communities/conversations/creating-standard-server-template-sles-11-sp1-vmware/
NSA - (RHEL hardening guide) -
http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
CIS Benchmark Guide for RHEL 7.0 - CIS Bechmark Red Hat Enterprise Linux 7.0
CIS Benchmark Guides (Other OS/Cisco/etc) https://benchmarks.cisecurity.org/downloads/latest/

1. Upload the ISO to your datastore. Create a Linux virtual machine (Remove the floppy disk and boot into the BIOS and Disable anything you don't need or won't need) with only the packages you actually need and will use.

2. vi /etc/motd (This is the security banner message for your company).

3. Antivirus/Malware Software: (Trendmicro, Sophos, Symantec, SELinux...freaking something) - Do not believe that just because the server is Linux based it doesn't need malware software; that being said, depending on your environment, don't enable what you won't use and don't install what your never going to use...EVER. It's a fools gamble in 2014. Security should be in layers, nothing is 100% full proof unless you disconnect the LAN cable and lock the server in a closet and remove the hard drives/SD cards, crush them, from the server. If you're not going to do that...harden and secure your server and remove any services or .rpm packages/applications/services you do not specifically need.

4. Clean out your temporary files and log files
/usr/bin/yum clean all
/usr/sbin/logrotate –f /etc/logrotate.conf
/etc/ssh/sshd_config (configure to your hearts content)
/tmp/ (be careful completely blowing away /tmp on VMware for VMware Tools, etc)

5. Blow away the current NIC configurations:
 /bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-ens19 (*whatever ens is)
(ens32 is new and different from eth0. Go Here is you want to know what changed)

6. Remove SSH Keys
/bin/rm –f /etc/ssh/*key*

7. Remove Root's History
/bin/rm -f ~root/.bash_history
unset HISTFILE

8. Shutdown and convert to template
init 0 
(*VMware/RHEV/OpenStack Convert it to a template)

Monday, August 11, 2014

How to Configure BGInfo for Windows Server 2012 R2

FYI: It's not hypervisor specific and works fine for physical servers also.

Download BGINFO from Microsoft Downloads Only
http://technet.microsoft.com/en-us/sysinternals/bb897557

1. Create a folder named bginfo under C:\bginfo
2. Extract all of the contents of bginfo to that folder.
3. Open Bginfo and setup your configurations.


*Custom configurations can be found here thanks to Shay Levy: http://blogs.microsoft.co.il/scriptfanatic/2008/07/22/bginfo-custom-information/

4. Once you have completed your custom configurations. Click on File Save As and save your .bgi configuration to C:\bginfo (Don't bother saving to C:\Windows\System32\* SysPrep and Imaging will strip and mess up any settings so don't bother) *Do NOT just clone your VM's!!


5. After you have saved your configuration. Create a batch file named whatever and add the following to the first line (*whatever you named the .bgi file is what you put second after the bginfo.exe path):



6. In case you forgot how. Enable the ability to see the extensions on folders when you created the file in Notepad (NOTE: Make sure you disable it after you're done!)


7. Go to Regedit (Type regedit in PowerShell) and configure the string for Run (HKLM\Software\Microsoft\Windows\CurrentVersion\Run):


8. Finish configuring your template for your physical server or your virtual image (VMware/OpenStack/RHEV/Hyper-V/OracleVM).




Monday, June 16, 2014

How to Extract Microsoft SysPrep Files for vCenter Convertor

Are you trying to P2V a Windows 2003 Server? Did you download the Microsoft SysPrep files and run them and it didn't work? Ok. Stop pulling your hair out and read further.



Have you gotten this error when you download and try to run the .exe file for Microsoft Sysprep?

1. VMware KB for SysPrep Locations: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005593

2. Download error if you just try to run it. (Not enough storage space is available...blah blah blah)


3. Open up Powershell or Command Prompt and put /x after the file name.


4. The files then extract. Wahoo! 

5. Copy them to where they belong...

C:\ProgramData\VMware\VMware vCenter Converter Standalone\sysprep\svr2003 
(*NOTE: You must copy all of the files from SP2QFE and update to \svr2003\)


6. Run VMware Convertor again.




Saturday, April 12, 2014

How to Hide Clear Text Passwords on Cisco Routers and Switches

When you configure your Cisco Router or Switch you need to make sure your passwords are not in clear text. When you pop your new switch or router out of the box and are running configurations the very first time (or if you have to go back and fix it). You want to make sure you're not allowing casual exposure of your passwords:

Cisco IOS CLI:

SWITCHKING# conf t
SWITCHKING# service password-encryption
SWITCHKING# sh run
SWITCHKING#
!
enable password 7 892398498FF1111D
!
line vty 0 4
 password 7 075E731B7D10987987
 login
line vty 5 15
 password 7 075E731B7D1043434222
 login

SWITCH# crypto key generate rsa
SWITCH# ip ssh version 2

*This is instead of seeing "enable password JimBobPassword or line vty passwords in clear text"