Archy.net

Subscribe to Archy.net feed
Don't Follow the Trend
Updated: 4 hours 13 min ago

DHCP – Activate Filter “Allow” & import MAC address from SCCM by WMI request

Tue, 08/29/2017 - 12:08

Hello folks,
Recently, i have post a script to interroge SCCM and find the MAC address informations. In this post, i show you how activate DHCP Filter “Allow” to protect your DHCP delivery lease to deny access to your network (i know, there is NAP or NAC but, it is a simple way to block the issuance of a DHCP lease).

Prerequirements

First, you need to create a Active Directory user and give to this account rights “DHCP Administrator”.

In SCCM console, add this users to group “Read-only Analyst” .

Activate filter “Allow” on DHCP server

Connect to your DHCP Server and open the management consoleOn the IPV4 tab, open the drop-down menu, and then select the “Filters” option and right-click the “Allow” folder and select “Enable”.

From now, the DHCP server no longer delivers leases.

On the DHCP Server, launch this script for retreive and add the MAC Address informations from SCCM Server to filter list “Allow”.

Source code   # Connection information $SiteName = "FR1" $ServerSite = "sccm" # WMI Request $ImportSCCM = $(Get-WmiObject -Class SMS_R_SYSTEM -Namespace "root\sms\site_$SiteName" -computerName $ServerSite) # Create collection $Mycoll = @() foreach ($obj in $ImportSCCM) { Write-Host $obj.NetbiosName $obj.MACAddresses $obj.OperatingSystemNameandVersion $Mydetails = "" | Select-Object PCName, MacAddress, OS If ($([String]$obj.MACAddresses) -eq "") { $Mydetails.PCName = $obj.NetbiosName $Mydetails.MacAddress = "Nul" $Mydetails.OS = $obj.OperatingSystemNameandVersion } Else { $Mydetails.PCName = $obj.NetbiosName $Mydetails.MacAddress = [String]$obj.MACAddresses -replace ":","-" $Mydetails.OS = $obj.OperatingSystemNameandVersion } $Mycoll += $Mydetails } #Add MacAddress into DHCP Filter foreach ($objects in $Mycoll) { Add-DhcpServerv4Filter -List Allow -MacAddress $objects.MacAddress -Description $objects.PCName -Confirm:$false -Force -Verbose } # Remove Obsolete entries Compare-Object $(($Mycoll | Select-Object MacAddress).MacAddress) $(Get-DhcpServerv4Filter -ComputerName $DHCPServer -List Allow | Select-Object MacAddress).MacAddress -IncludeEqual | % { if ($_.SideIndicator -eq "=>") { Remove-DhcpServerv4Filter -ComputerName $DHCPServer -MacAddress $_.InputObject -Confirm:$false -Verbose } }

When the script is finished, you can see into the management console of DHCP Server, the entries are add into the “Allow” list.

The DHCP server correctly delivers the lease of the device whose MAC Address is allowed.

 

Categories: Community, Virtualisation

SCCM – Find Devices MAC Address

Fri, 08/25/2017 - 12:56

Hello Folks,

This week I needed to export from SCCM, the devices name and MAC Address to a CSV file.

I need this file to create green list into DHCP server. The Green list give permission to have a lease from DHCP server. I will speak of this subject in a futur post.

To find informations on devices into SCCM, we can work with WMI Class of SCCM. This script is based on WMI request.

Source code   $SiteName = "FR1" $ServerSite = "sccm" $Mycoll = @() foreach ($obj in (Get-WmiObject -Class SMS_R_SYSTEM -Namespace "root\sms\site_$SiteName" -computerName $ServerSite)) { Write-Host $obj.NetbiosName $obj.MACAddresses $obj.OperatingSystemNameandVersion $Mydetails = "" | Select-Object PCName, MacAddress, OS If ($([String]$obj.MACAddresses) -eq "") { $Mydetails.PCName = $obj.NetbiosName $Mydetails.MacAddress = "Nul" $Mydetails.OS = $obj.OperatingSystemNameandVersion } Else { $Mydetails.PCName = $obj.NetbiosName $Mydetails.MacAddress = [String]$obj.MACAddresses $Mydetails.OS = $obj.OperatingSystemNameandVersion } $Mycoll += $Mydetails } $Mycoll | Out-GridView

 

 

Categories: Community, Virtualisation

FCUGC – 3ème edition

Sat, 04/29/2017 - 07:54

FCUGC Rencontre du 3eme type !

Pour sa troisième rencontre, le French Citrix User Group Community (FCUGC) lâche l’ancre au 47 Quai de la Tournelle 75005 Paris – Péniche Henjo – pour une soirée de discussion sur des sujets autour de Citrix avec le partenaire de cet évènement, NUTANIX

 

La soirée sera composée de 3 présentations suivies d’un échange autours de 2 ou 3 sujets comme nous avons maintenant pris l’habitude de faire.

La communauté est un excellent moyen pour se lancer dans des présentations, le public est ouvert et tous les échanges sont constructifs, si tu veux te lancer, c’est le moment ! Donc tu souhaites présenter lors de cet évènement, prends contact avec Samuel Legrand ou moi même ! (formulaire de contact, email, twitter, téléphone, bref, tu trouveras un moyen de nous joindre)

A bientôt !

Pour s’inscrire, clique sur l’image :

Encore un merci aux précédents sponsors des deux précédentes éditions :

Control UP et Activlan

 

Categories: Community, Virtualisation

Active Directory Certificate Services [Part1]

Mon, 04/17/2017 - 09:45

In this post, I will tell you the information to prepare for the installation of a future two-tier PKI infrastructure.

What is it AD CS Services

Active Directory Certificate Services (AD CS) provide customizable services for issuing and managing certificates that are used in software security systems that use public key technologies.

Features of AD CS services
  • Certification authorities: Root and secondary certification authorities are used to issue certificates to users, computers, and services, as well as to manage the validity of certificates.
  • Registration of certification authority via the Web: registration via the Web allows users to connect to a certification authority using a Web browser to request certificates and retrieve revocation lists from Certificates.
  • Online Responder: The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and returns a signed response containing the requested information about the certificate status.

The applications supported by the AD CS services include the S/MIME (Secure/Multipurpose Internet Mail Extensions) extensions, secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPSEC), the EFS files, smart card logon, SSL/TLS (Secure Socket layer/Transport layer Security), and digital signatures.

Standards PKC Availability of infrastructure

The PKI infrastructure is separated into different components, each with its own service-level agreement (SLA).

  • Enrolment: This feature is considered non-critical within the infrastructure in terms of the use of certificates. A failed enrolment can always be postponed.
  • Revocation: This feature is critical. A compromise certificate must be revoked as quickly as possible. The SLA for this feature also depends on the status check feature due to the fact that the revocation information is given by the CRL (or the token of an OCSP responder if available).
  • Status check: Checking the status of a certificate depends on the availability of a valid CRL. This means that at minima a CRL file must be available and valid. For this, the CRL will be generated each day for a period of validity of 7 days.
What you need before start installation ?

Before start installation you need to take more informations to set your CA environnement. These settings are needed to prepare correctly your documents and your installation.

Define attributs for CA Root

First, define correctly the differents attributs of the CA Root :

Define Path CRL and AIA

Define attributs for Enterprise Subordinate CA

Define Path CRL and AIA

How to define the DN of certificates

You can help you with this array to define correctly your certificates DN :

Firewall rules

This array define the rules to activate on security firewall of your compagny.

To avoid opening all dynamic RPC ports, you can set the certificate authority’s DCOM port.

Fixed DCOM port :

If you want to set the CA server to use a static DCOM port, follow these steps :

  • Connect to the CA server with an account with local Administrator privileges
  • Open the “Component Services” MMC (DCOMCNFG)
  • In the left panel, unwind Component Services, Computers, My computer, and click DCOM Config
  • In the right pane, select “CertSrv Request” and right click and select “Properties”
  • In the “Endpoints” tab, click the “ADD” button
  • Select “Use Statistic endpoint” and add the port you want, example “49152” and, double-click OK
  • Restart the service of the Certificate Authority :
    • net stop certSvc
    • net start certsvc
  • To check the listening port, run the command “netstat-anob”, check the port linked to the “certsrv” process

 

Now that we have defined all of the prerequisites, you still have to define the infrastructure of your PKI two levels. The Root CA is not resource consuming and can be turned off at the end of the installation. It is autonomous and should not have an IP address in practice.
The point of attention comes to the intermediate CA. You must define in relation to the number of users, devices, the size of the CRL file. Whether you want to install all of your components on the same server or, if you want to separate the roles and for example install one or more IIS servers separately from the PKI.
I did not mention an element that simplifies the query of the CRL, the OCSP service. If you want to integrate this feature, you will need to set the service access URL.
We are ready to move on to the installation of our 2 tier PKI infrastructure. I would detail the installation of the components in a next post.

 

 

 

 

Categories: Community, Virtualisation