Rules to Better System Administrators - 22 Rules
System Administrators (SysAdmins) are the lifeblood of any business. They maintain the infrastructure, networks, systems and cloud services of the business. This is why we have developed these standards for better System Administrators.
If you still need help, visit our Network Architecture consulting page and book in a consultant.
At some point every business will experience a catastrophic incident. At these times it is important to have a plan that explains who to contact, the priority of restore and how to restore services.
At the time of a disaster, you should have a few objectives established and measure some results. The objectives are RPO (Recovery Point Objective) and RTO (Recovery Time Objective); the measurements to take are RPA (Recovery Point Actual) and RTA (Recovery Time Actual).
It's recommended to practice your disaster recovery at least once every 12 months. This way you make sure that you are investing in the minimum amount of required resources, and that your plan actually works.
RPO or Recovery Point Objective, is a measure of the maximum tolerable amount of data that the business can afford to lose during a disaster. It also helps you measure how long it can take between the last data backup and a disaster without seriously damaging your business. RPO is useful for determining how often to perform data backups.
RTO or Recovery Time Objective, is a measure of the amount of time after a disaster in which business operation is retaken, or resources are again available for use. This measurement determines the amount of resources that are required for the recovery to happen within the timeframe required.
RPA or Recovery Point Actual, is the actual measurement of the amount of data lost during a disaster recovery.
RTA or Recovery Time Actual, is the actual measurement of downtime during a disaster recovery.
Note: these may all be different for different services. For example, a bank may have a transaction database that can only ever tolerate an RPA/RTA of a few minutes, because even in those few minutes thousands of transactions could be lost. However, the same bank may have a website for which it is happy to accept an RTA/RPA of several hours, as the website is much less critical to the bank's overall operation.
RTO and RPO are determined via a consultation called a BIA (Business Impact Analysis). The organization needs to work out the maximum amount of data it is prepared to lose and the maximum amount of time it is prepared to be without services. Both are measured in time, and could be seconds, minutes, hours or days depending on the organization's requirements. This is a balancing act: generally, the shorter the timeframe required, the more resources the organisation will need in order to achieve the target.
After this a disaster should be simulated to test that the RTA/RPA values match the RTO/RPO required by the organization.
Example: Mr Bob Northwind experienced a catastrophic incident. The failure occurred at 8pm local time on a Friday night. Their website and sales transaction software were affected.
In his Disaster Recovery Plan he had the following objectives:
| Service | RPO | RTO |
| --- | --- | --- |
| Northwind Website | 2 days | 4 hours |
| North Sales | 4 hours | 8 hours |
It is important that these objectives are signed off by the product owner as per https://www.ssw.com.au/rules/do-you-ask-clients-to-initial-your-work
After the recovery was complete they then analyzed the downtime which showed the following:
| Service | RPA | RTA |
| --- | --- | --- |
| Northwind Website | 8 hours | 2 days |
| North Sales | 8 hours | 8 hours |
After analyzing the data, they discovered a few issues with their Disaster Recovery Plan:
- They didn't have any spare hardware on premises, which meant that to get the website back up and running they needed to find a shop on a weekend to buy a server and then start the recovery process. This delayed them by an entire day.
- Mr Northwind's IT Manager had mistakenly set the backups to 12-hour backups (at midnight and midday each day). This meant that the most recent backup for both services had occurred at 12pm on Friday and they had 8 hours of missing transactions. The greatest allowable data loss should have only been 4 hours.
This explains why it is important to practice your disaster recovery plan. A real incident is not the ideal time to realize that your backup/procedures are inadequate.
For unplanned outages, see Outage - Do you have an unplanned outage process?
If your servers are down or have to go down during business hours you should notify the users at least 15 minutes beforehand so you will not get 101 people all asking you if the computer is down.
For short outages (under 15 minutes) that affect only a few people (under 5), or are outside of business hours, IM is the best method. If you use Microsoft Teams or Skype, a quick message will do.
Note: If they are not online on Teams or Skype, then they can't complain that they were not warned.
For extended or planned outages, or if you have a larger number of users (50+), email is the suggested method.
If you send an email, it is a good idea to tell the users a way to monitor the network themselves, e.g. software solutions like SCOM or WhatsUp Gold.
Include a "To myself". It gives visibility to others who are interested in what needs to be done to fix the problem and makes it easier to remember to send the 'done' email. E.g. "done - CRM is alive again".
To: SSWAll
Subject: Planned Outage
Here is the summary of the outage plan:
Planned/Unplanned: Planned
Change Description: Install Windows Updates and Restart Server
Risk (see table below): LOW RISK (LOW Probability and MEDIUM Impact)
Reason For Change: Windows 2016 Windows Updates
Uptime over last month: 91.361%
Planned Outage (mins): 150
Planned Start Time: 26 October 9:00 PM
Planned Finish Time: 26 October 11:30 PM
Affected Services: Windows Server 2016, sharepoint.ssw.com.au, intranet.ssw.com.au, projects.ssw.com.au
Risk Lookup Table by Probability and Impact:
Note: The following servers will be affected:
To show others who are interested in what needs to be done to fix the problem:
Detailed Change Plan:
- Lockout users via IIS
- Backup server
- Install Windows Updates
- Reboot server
- Follow test plan
- Based on result of test plan, follow backout plan if procedure failed
- Procedure completed
Test Plan:
- Check Event log for errors
- Check each affected service is running
- Call test users to start "Test Please" on the affected services
- Get result of user "Test Please" by email by 11:15 PM
Backout Plan:
- Restore server from backup
Note: This is as per rule Outage - Do you have a planned outage process?
Immediately before the scheduled downtime, check for logged in users, file access, and database connections.
Open 'Windows Task Manager' (Run > taskmgr) and select the 'Users' tab. Check with users if they have active connections, then have them log off.
Open 'Computer Management' (Run > compmgmt.msc), then 'System Tools > Shared Folders'. Check 'Session' and 'Open Files' for user connections.
Open SQL Server Management Studio on the server. Connect to the local SQL Server. Expand 'Management' and double-click 'Activity Manager'.
Once these have been checked for active users, and users have logged off, maintenance can be carried out.
Restarts should only be performed during the following time periods
- Between 7am and 7:05am
- Between 1pm and 1:05pm
- Between 7pm and 7:05pm
If a scheduled shutdown is required, use the PsShutdown utility from Microsoft's Sys Internals page.
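The pre-downtime checks above (logged-in users, open files, SQL connections) and the permitted restart windows, as one added PowerShell script. This is an added example, not part of the original rule. It assumes the SmbShare module (Windows Server 2012+), the SqlServer module for Invoke-Sqlcmd, a default local SQL instance, and PsShutdown.exe on the PATH; all of these are assumptions.

```powershell
# Added example: check for active use, then restart with PsShutdown only inside
# one of the permitted 5-minute windows (07:00, 13:00, 19:00).
# Assumptions: SmbShare and SqlServer modules, local default SQL instance,
# psshutdown.exe on the PATH.

function Get-ActiveUserSessions {
    # Interactive (console/RDP) logons - same list as the Task Manager 'Users' tab
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        # strip the '>' that marks the current session, take the USERNAME column
        (($_ -replace '^\s*>?', '') -split '\s{2,}')[0]
    }
}

function Get-OpenShareUsage {
    # SMB sessions and open files - Computer Management > Shared Folders > Sessions / Open Files
    [pscustomobject]@{
        Sessions  = @(Get-SmbSession -ErrorAction SilentlyContinue)
        OpenFiles = @(Get-SmbOpenFile -ErrorAction SilentlyContinue)
    }
}

function Get-SqlUserConnections {
    param([string]$Instance = 'localhost')
    # Same information SSMS shows under Management; excludes our own session
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT session_id, login_name, host_name, program_name, status
FROM sys.dm_exec_sessions
WHERE is_user_process = 1 AND session_id <> @@SPID
"@
}

function Test-InRestartWindow {
    param([datetime]$Now = (Get-Date))
    # The rule's windows: 7:00-7:05, 13:00-13:05, 19:00-19:05
    foreach ($hour in 7, 13, 19) {
        if ($Now.Hour -eq $hour -and $Now.Minute -lt 5) { return $true }
    }
    return $false
}

function Invoke-CheckedRestart {
    param([int]$CountdownSeconds = 300)
    $users = @(Get-ActiveUserSessions)
    $smb   = Get-OpenShareUsage
    $sql   = @(Get-SqlUserConnections)

    if ($users.Count -or $smb.Sessions.Count -or $smb.OpenFiles.Count -or $sql.Count) {
        Write-Warning "Active use: $($users.Count) logons, $($smb.Sessions.Count) SMB sessions, $($smb.OpenFiles.Count) open files, $($sql.Count) SQL sessions"
        $users         | ForEach-Object { "  logon:     $_" }
        $smb.OpenFiles | ForEach-Object { "  open file: $($_.ClientUserName) $($_.Path)" }
        $sql           | ForEach-Object { "  sql:       $($_.login_name) from $($_.host_name) ($($_.program_name))" }
        return   # ask these users to log off, then run again
    }
    if (-not (Test-InRestartWindow)) {
        Write-Warning 'Outside the permitted restart windows; not restarting'
        return
    }
    # PsShutdown: -r restart, -t countdown in seconds, -m message shown to anyone still logged on
    & psshutdown.exe -r -t $CountdownSeconds -m "Planned restart in $CountdownSeconds seconds - please save your work"
}

Invoke-CheckedRestart
```

The restart is deliberately gated twice: it refuses while anyone is still connected, and it refuses outside the windows the rule allows, so running the script at the wrong time is harmless.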
Always reply 'Done' when you finish the task.
For planned outages, see Outage - Do you have a planned outage process?
During your course of being a SysAdmin, you will come across many unplanned outages. Some of them will impact BAU (Business as usual) and others will just be minor service outages. Do you know what to do in the event of these outages?
Below is a process for these types of outages. Some common sense is required here: an outage is when services that affect BAU work are disrupted and/or some hardware has failed, for example:
- Blade Servers
- SAN Storage
- Active Directory Domain Services
- O365 Services; Teams, SharePoint, Exchange, OneDrive
- File Servers
- SQL Servers
- IIS Servers
Many services can be used for device monitoring e.g. WhatsUp Gold, Solarwinds, SCOM. You would do the following in any of them:
- Login to monitoring service
- Check to see what services are down
After you have determined what services have been disrupted it is time to call your SysAdmin team and organize a quick conference call. This will allow you to have a discussion prior to making any changes/fixes that could cause the outage to become worse.
Key Discussion Points:
- What services have been disrupted?
- What is the impact of these services?
- Is an email to everyone in your company required?
- What are your next steps?
What if you cannot reach anyone?
If you cannot reach anyone move on to the Email section.
If the discussion concluded that an email needs to be sent to your entire company, or you could not contact anyone and have decided yourself that it is necessary, send an email in the following format:
To: SSWAll
Subject: SysAdmins – Outage Notice
We are experiencing an outage and the following services have been affected:
We are working on restoring these services and will keep you updated.
A separate email needs to be sent to SysAdmins outlining what was discussed on the call. If no one was contactable, please proceed with what you have determined on your own.
To: SysAdmins
Subject: SysAdmins – Outage Notice
As per our conversation,
The following services are disrupted:
The impact of these services disrupted are:
ZZZ We have decided that an email to ALL is/is not required.
The next steps to resolving this are:
If you have completed your tasks but the issue has not resolved, please try to make contact with the SysAdmin team again and send an updated To Myself email.
If your actions have resolved the issue, please notify ALL of the services being restored and update your To Myself email.
For any kind of backups, it is important to log a record on success so you can check for backups that have failed.
Without some kind of logging e.g. on a SQL database, on a txt file, on a SharePoint list, it is impossible to tell which backups have been completed or not. This applies to backups of any kind e.g. servers, personal computers, emails.
Some important stats to log:
- Date - Date backup has run
- Username - If a personal backup, which user was logged in when the backup ran
- PC Name - The name of the server (or PC) the backup came from
Having entries logged in a database is better than having an email sent because entries are easier to see and manage, and emails might get lost in the noise.
Now you are able to be aware of missing backups. You can set up automatic notifications based on the above table, e.g. with a SQL Reporting Services data-driven subscription.
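An added example of the logging described above, not part of the original rule: each backup run appends one record (Date, Username, PC Name, plus the result) to a central log, and a second function reads that log to report machines with no successful backup in the last N days, which is the check the rule wants you to be able to make. The share path and the sample log lines are constructed for the example.

```powershell
# Added example: log backup runs centrally and find the machines whose backups
# are missing or stale. The log path and sample entries are constructed.

$LogPath = '\\fileserver\BackupLogs\backups.jsonl'   # assumption: a central share, one JSON object per line

function Write-BackupLogEntry {
    param(
        [Parameter(Mandatory)][ValidateSet('Success', 'Failed')][string]$Status,
        [string]$Path = $LogPath,
        [string]$Detail = ''
    )
    # The stats the rule asks for, plus the result so failures are visible too
    $entry = [ordered]@{
        Date     = (Get-Date).ToString('o')
        Username = "$env:USERDOMAIN\$env:USERNAME"
        PCName   = $env:COMPUTERNAME
        Status   = $Status
        Detail   = $Detail
    }
    Add-Content -Path $Path -Value ($entry | ConvertTo-Json -Compress)
}

function Get-MissingBackups {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$ExpectedPCs,
        [int]$MaxAgeDays = 7,
        [datetime]$Now = (Get-Date)
    )
    # Most recent *successful* run per machine; failed runs do not count
    $lastSuccess = @{}
    foreach ($line in $LogLines) {
        $e = $line | ConvertFrom-Json
        if ($e.Status -ne 'Success') { continue }
        $d = [datetime]$e.Date
        if (-not $lastSuccess.ContainsKey($e.PCName) -or $d -gt $lastSuccess[$e.PCName]) {
            $lastSuccess[$e.PCName] = $d
        }
    }
    # Report every expected machine that is absent or older than the threshold
    foreach ($pc in $ExpectedPCs) {
        $last = $lastSuccess[$pc]
        if (-not $last) {
            [pscustomobject]@{ PCName = $pc; LastSuccess = $null; Problem = 'Never logged a success' }
        } elseif ($last -lt $Now.AddDays(-$MaxAgeDays)) {
            [pscustomobject]@{ PCName = $pc; LastSuccess = $last; Problem = "Stale (older than $MaxAgeDays days)" }
        }
    }
}

# Constructed sample log: what Write-BackupLogEntry would have appended over a week
$sampleLog = @(
    '{"Date":"2023-10-20T23:05:00","Username":"SSW\\bob","PCName":"PC-BOB","Status":"Success","Detail":""}',
    '{"Date":"2023-10-26T23:05:00","Username":"SSW\\bob","PCName":"PC-BOB","Status":"Success","Detail":""}',
    '{"Date":"2023-10-25T02:00:00","Username":"SSW\\svc-backup","PCName":"SQL01","Status":"Failed","Detail":"disk full"}'
)
Get-MissingBackups -LogLines $sampleLog -ExpectedPCs 'PC-BOB', 'SQL01', 'FILE01' -Now ([datetime]'2023-10-27') |
    Format-Table -AutoSize
```

The list of expected machines is the key design point: a log can only show you what ran, so "missing" has to be computed against an inventory of what should have run. In production, the same reading logic would sit behind the SQL Reporting Services subscription the rule mentions.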
It is also important to review the state of your backups at least on a weekly basis, ensuring that backups are not failing and that you are able to restore them when necessary. This is part of a good disaster recovery process.
To see the best backup tools currently available, check https://www.ssw.com.au/rules/pc-do-you-use-the-best-backup-solution
If you need any help with your backups or disaster recovery process, check https://www.ssw.com.au/ssw/Consulting/Backup-Recovery.aspx
We recommend enforcing strict password policies.
Below is a capture of the settings we use:
When passwords have to be changed they should meet the following complexity requirements:
- Not contain all or part of the user's account name
- Be at least 6 characters in length
- Contain characters from 3 of the following 4 categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - A number (0 through 9)
  - Non-alphanumeric characters (e.g., !, $, #, %)
Complexity requirements are enforced when passwords are changed or created. We also enforce a lockout policy so if a user gets their password wrong 5 times, their account will be locked out for 15 minutes.
Passphrases are better than passwords: they are even more difficult to crack than complex passwords. See https://www.zdnet.com/article/fbi-recommends-passphrases-over-password-complexity/
MFA is essential. You should use it everywhere possible. Check https://www.ssw.com.au/rules/do-you-have-mfa-multi-factor-authentication-enabled
Bad practice: Requiring users to change their passwords e.g. every 180 days does not improve security. If you already have a strong password (as above) and a second factor of authentication (e.g. MFA) changing it does very little to make you more secure. Generally, you should change your password only when you believe it has been compromised.
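An added example (not part of the original rule) of the policy above in checkable form: Test-PasswordComplexity applies the stated rules (not containing the account name, at least 6 characters, 3 of 4 categories) to a candidate password, and Test-DomainPasswordPolicy compares the live domain settings with the minimum length, complexity and 5-attempt/15-minute lockout the rule describes. The second function assumes the ActiveDirectory RSAT module; the sample passwords and account name are constructed.

```powershell
# Added example: the rule's complexity requirements as a function, plus a check
# of the live domain policy against the rule's settings.
# Assumption: Get-ADDefaultDomainPasswordPolicy (ActiveDirectory RSAT module).

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [int]$MinLength = 6
    )
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }

    # Windows checks the whole account name and each 3+ character part of it; same idea here
    $parts = @($AccountName) + @($AccountName -split '[\s.,\-_#]+' | Where-Object { $_.Length -ge 3 })
    foreach ($p in $parts) {
        if ($p -and $Password.ToLower().Contains($p.ToLower())) {
            $reasons += "contains account name part '$p'"
            break
        }
    }

    # 3 of 4 categories: uppercase, lowercase, digit, non-alphanumeric (-cmatch = case-sensitive)
    $categories = 0
    foreach ($re in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $re) { $categories++ }
    }
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

function Test-DomainPasswordPolicy {
    # Compare the domain's default policy with the settings described in the rule
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $p.ComplexityEnabled)  { $findings += 'complexity not enforced' }
    if ($p.MinPasswordLength -lt 6) { $findings += "minimum length is $($p.MinPasswordLength)" }
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt 5) {
        $findings += "lockout threshold is $($p.LockoutThreshold) (0 means never lock out)"
    }
    if ($p.LockoutDuration -lt [timespan]::FromMinutes(15)) { $findings += "lockout duration is $($p.LockoutDuration)" }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed inputs
Test-PasswordComplexity -Password 'Summer2023'   -AccountName 'jsmith'   # three categories, no account-name part
Test-PasswordComplexity -Password 'jsmith!Pass1' -AccountName 'jsmith'   # contains the account name
Test-PasswordComplexity -Password 'correct horse battery staple' -AccountName 'jsmith'  # long passphrase, but spaces are its only non-letter category
```

The third sample is worth noticing: a long passphrase can fail a 3-of-4 category rule, which is the tension behind the passphrase recommendation above. If you adopt passphrases, the complexity setting and the minimum length need to be decided together rather than copied from this table.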
Do you protect your users and administrator accounts with more than one authentication method?
What is Multi-Factor Authentication (MFA)?
MFA is another layer of security for your users and administrators. It adds another code or approval that you receive on a device you possess (a phone, for example) to make it more difficult for attackers to take over your account. If they guess or brute-force your password, they still need the second code or approval to get into your account.
Generally, every time you log in on a service, it will ask for your normal password and an additional code or approval. This can be retrieved through:
- An authenticator app (recommended)
- Email (OK)
- SMS (less secure)
- Phone call (less secure)
It is best practice to apply MFA to your Administrators first, as their accounts are the most important in the company and have access to all resources, and to your users second, who still benefit from the added security.
Do you have Password Writeback enabled in your Azure AD Connect?
If you want to let your users reset their own, on-premises passwords directly from the cloud, you need to have Password Writeback enabled in Azure AD Connect!
You can read more about Password Writeback from the Microsoft Documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback
When setting up Azure AD Connect, you need to set the "Password Writeback" option:
Good Example: Setting up Password Writeback in Azure AD Connect
Azure AD PIM (Privileged Identity Management) enables a more secure, manageable and monitorable approach to assigning privileged permissions in your organization.
PIM enables just-in-time privileged access for users that are eligible for it, reducing the chance of privileged actions being done by malicious (or unaware) actors.
Things that we can do with PIM (taken from https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure):
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments
As best practice, your company should use PIM to give access to new SysAdmins.
Do the following:
- Go to PIM at https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/MyActions/resourceId//resourceType/tenant/provider/aadroles
Go to Assignments | Add Assignment:
- Select Role | Select members | Next
Here, you have 2 options: Eligible or Active.
- Eligible: The member is eligible for activating the permissions, permanently or for a set period of time. Every time they activate, they will have the permissions for up to 8 hours, then they will lose it and will need to activate again. Activating is a manual process of going to PIM and clicking "Activate".
- Active: The member has the permissions active, forever or for a set period of time. They don't need to perform any manual steps to activate anything.
Select the correct one | Add a justification | Assign:
You are now assigned roles in PIM.
If you are eligible for assignments, you can activate them by doing the following:
- Go to https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/MyActions/resourceId//resourceType/tenant/provider/aadroles
- Click on My Roles | Role | Activate:
- Go through the steps to add a justification and time you need that access for.
You now have that role active for you, for up to 8 hours.
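The same two operations (making a new SysAdmin eligible for a role, and self-activating an eligible role with a justification for a bounded time) as an added Microsoft Graph PowerShell example. This is not part of the original rule, which uses the portal. It assumes the Microsoft.Graph modules and the Graph permissions shown; the role name, UPN and justification are constructed.

```powershell
# Added example: PIM eligibility and activation through the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory'

function Add-PimEligibleAssignment {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [int]$EligibleForDays = 365,
        [string]$Justification = 'New SysAdmin onboarding'
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $body = @{
        action           = 'adminAssign'      # "Eligible" in the portal: must activate before use
        principalId      = $user.Id
        roleDefinitionId = $role.Id
        directoryScopeId = '/'                # whole tenant
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{
                type        = 'afterDateTime' # eligibility itself is time-bound, not permanent
                endDateTime = (Get-Date).AddDays($EligibleForDays).ToUniversalTime().ToString('o')
            }
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
}

function Enable-PimRole {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$Justification,
        [ValidateRange(1, 8)][int]$Hours = 8   # the rule's maximum activation is 8 hours
    )
    $me   = Get-MgUser -UserId (Get-MgContext).Account
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $body = @{
        action           = 'selfActivate'     # the "Activate" button under My Roles
        principalId      = $me.Id
        roleDefinitionId = $role.Id
        directoryScopeId = '/'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = "PT${Hours}H" }
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
}

# Constructed usage: onboard a new SysAdmin, then activate for a shorter window than the maximum
Add-PimEligibleAssignment -UserPrincipalName 'new.sysadmin@ssw.com.au' -RoleDisplayName 'Global Reader'
Enable-PimRole -RoleDisplayName 'Global Reader' -Justification 'Reviewing sign-in logs (constructed justification)' -Hours 4
```

Two points the script makes explicit that the portal hides: eligibility is itself given an end date rather than left permanent, and the activation asks for only the hours actually needed rather than the 8-hour maximum, so the justification and audit history stay meaningful.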
gMSA (Group Managed Service Accounts) are a secure and practical identity solution from Microsoft where services can be configured to use the gMSA principal and password management is handled by Windows - you don't need to worry about expired passwords anymore.
gMSAs are the superior option when it comes to security and flexibility. They should always be used, when possible, instead of user accounts, MSAs, security principals, service accounts (with manually managed passwords) and any other on-premises identity types.
- Multiple servers - Services and tasks can be set and run across multiple servers, a necessity given the modern state of organizations today
- Automated password management - Passwords are automatically generated, rotated and handled by the OS
- Passwords are handled by the OS - When applications require a password, they query Active Directory. No human knows the password to that, making it much harder to be compromised
- You can delegate management to other administrators - Having the flexibility to delegate management can be incredibly helpful for ensuring there isn't just a single admin responsible for your service account security
- Support - The application/service must support gMSAs
- AD domain and forest functional level - Windows Server 2012 or newer
- KDC - Domain controller with Microsoft Key Distribution Service (KdsSvc) enabled
- PowerShell - To create and manage service AD accounts, you need to install the Active Directory module for Windows PowerShell
- Supported Windows versions - Windows Server 2012/Windows 8 or newer
- Services set up without gMSAs - Rebuilding or changing the service account in applications that are already set up and running (e.g. Data Protection Manager, Azure AD Sync) might break these applications, so a full re-install might be necessary to use gMSAs instead of a simple user change
A one-time operation must be performed to create a KDS root key. Do the following:
- Login to your DC (Domain Controller) | run the PowerShell command:
- Ensure the key has been created successfully by running the following PowerShell:
Login to your DC | run the PowerShell command:
New-ADServiceAccount [-Name] <string> -DNSHostName <string> [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal>] [-SamAccountName <string>] [-ServicePrincipalNames <string>]
Here's how you should fill out each of the bracketed parameters:
- Name: The name of your account
- DNS Host Name: The DNS hostname of the service
- Kerberos Encryption Type: The encryption type supported by the host servers
- Managed Password Interval In Days: How often you want the password to be changed (by default this is 30 days; remember, the change is handled by Windows). Note: this cannot be changed after the gMSA is created. To change the interval, you'll need to create a new gMSA and set a new interval.
- Principals Allowed To Retrieve Managed Password: These can be the accounts of member hosts, or if there is a security group that member hosts are a part of, you would enter them here.
- Sam Account Name: This is the NetBIOS name for the service if it's different from the account name.
- Service Principal Names: This is a list of the Service Principal Names (SPNs) for the service
The final command could look like this:
New-ADServiceAccount -Name gMSAAccount1 -DNSHostName gMSAAccount1.sydney.ssw.com.au -PrincipalsAllowedToRetrieveManagedPassword gMSAAccount1GroupWithComputerAccountsIn -Verbose
- Login to the target server | run the PowerShell command to install the Active Directory PowerShell module:
- Run the PowerShell command to install the gMSA on the server:
Install-ADServiceAccount -Identity gMSAAccount1
- Check if the gMSA is installed correctly:
If the command returns True, everything is configured correctly.
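The whole gMSA procedure above as one added script, with the DC-side and member-server-side steps separated. This is an added example, not part of the original rule; it uses the rule's own names (gMSAAccount1, its DNS host name and host group), while the member server name, the domain NetBIOS name SSW and the Windows service name are constructed.

```powershell
# Added example: create the KDS root key, the host group and the gMSA on a DC,
# then install and test the gMSA on a member server.
# Constructed: APPSRV01 (member server), SSW (domain NetBIOS name), MyAppService.

# --- On a Domain Controller ---------------------------------------------------
# One-time: the KDS root key. A new key is normally usable only 10 hours after
# creation so all DCs have replicated it. Backdating the effective time skips that
# wait and is suitable for lab/test domains only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# Security group of the computer accounts allowed to retrieve the managed password
New-ADGroup -Name 'gMSAAccount1GroupWithComputerAccountsIn' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSAAccount1GroupWithComputerAccountsIn' -Members 'APPSRV01$'

# The gMSA itself. The password interval cannot be changed later; recreate the account to change it.
New-ADServiceAccount -Name gMSAAccount1 `
    -DNSHostName gMSAAccount1.sydney.ssw.com.au `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType 'AES128,AES256' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSAAccount1GroupWithComputerAccountsIn' `
    -Verbose

# --- On the member server (reboot it first so its new group membership is in its token) ---
Add-WindowsFeature RSAT-AD-PowerShell          # Active Directory module for Windows PowerShell
Install-ADServiceAccount -Identity gMSAAccount1

if (Test-ADServiceAccount -Identity gMSAAccount1) {
    # Bind a service to the gMSA: the account name ends with $ and the password is left empty,
    # because Windows retrieves the current managed password itself.
    sc.exe config 'MyAppService' obj= 'SSW\gMSAAccount1$' password= ''
} else {
    Write-Error 'gMSA is not usable on this host: check the group membership, the reboot, and KDS key replication'
}
```

Test-ADServiceAccount returning False is almost always one of three things: the computer account is not yet in the group, the server has not been rebooted since it was added, or the KDS root key is not yet effective on the DC the server is talking to.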
You can read more about gMSAs here: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
To manage multiple servers and groups of domain-joined computers remotely, using the Remote Desktop Connection application built into Windows (https://support.microsoft.com/en-us/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) is a pain for a System Administrator:
- Remote Desktop Services currently does not support multiple monitors on the terminal server.
- The GUI interface is outdated
- Remote Desktop Services should provide an option to scale the screen size up or down after a connection is established. Currently you can only adjust the screen size before a connection is established.
- Remote Desktop Services does not have a menu to send special key strokes like Ctrl+Alt+Del to the terminal server.
Devolutions is a security company that offers a free remote connection manager called "Remote Desktop Manager", which centralizes all remote connections on a single platform that is securely shared between users and across the entire team.
To install the application, check https://devolutions.net/remote-desktop-manager/home/downloadfree
SugarLearning item - https://my.sugarlearning.com/SSW/items/13222/ssw-remote-desktop-manager?term=RDM
When you fix someone else's PC (locally or remotely), one of the best practices is always make sure it has the latest updates.
- To achieve this, we run Windows Update and install all latest updates.
Warning: Of course if you are fixing a bug on someone’s PC, you should only update one piece of software at a time, so you know if an update fixes the problem. After that (if the company allows it), update all software to the latest version. If they get a new problem, then rollback.
It is important that system administrators can easily find out how reliable their servers are. This can be achieved using tools like WhatsUp Gold (WUG) https://www.whatsupgold.com to monitor many statistics, e.g.:
- Uptime - Ping, Interface monitor
- Performance - RAM usage, CPU usage
- Network - Bandwidth, Interface throughput
- Storage - Disk usage, health
For example, here is a report in WhatsUp Gold you can use to monitor servers on a daily basis.
Another option is to use WUG's built-in email alerts, which can be formatted in HTML or plain text. You can also add variables that change based on the current state of devices and other stats.
The best option is to use SQL Reporting Services to create a custom report that can be emailed via a data-driven subscription, which sends a nicely formatted email when there's a problem.
Do you know if your computer should be joined to the domain or not?
Joining your company's domain is a trade-off:
Option #1: If you join the domain, the company is the one responsible for managing your device, so all company rules and policies will be applied to it (Windows Update frequency, users, password resets, etc) and you will need to go through your SysAdmins if you have troubles with it.
Option #2: If you choose to not join the domain, the PC management is all yours, giving you more freedom, but any automatic scripts would need to be done manually.
Below are the pros and cons of joining the domain:
| Area | Pros (+) | Cons (-) |
| --- | --- | --- |
| PC Management | Client management through GPOs (Group Policy Objects) | Lack of freedom/autonomy |
| Resource Access | Direct access to resources (e.g. fileserver) | Needs to sign in first, or be attached to a VPN or the network to access resources |
| Automatic Scripts | GPOs apply automatic scripts like the Login Script and Backup Scripts | Need to run Login and Backup scripts manually |
| Support Level | More support available from your SysAdmins, you have someone to rely on for any troubleshooting on all computer applications | Less support available from SysAdmins, you can run any obscure application on your computer that may not be supported by your company |
Occasionally, one server and its drives will not have sufficient space to store all related files in a network share. For example, you may have a "SetupFiles" directory that stores all Setup executables on your network, e.g. `\\bee\SetupFiles`. There are problems with this approach.
- You will run out of space - which means you will have to copy or move old (but still used) setup files around to other drives (`\\bee\d$\SetupOld\`) or other machines, e.g. `\\tuna\SetupFiles`. This fragmentation of your setup files can cause confusion for your users.
- When you retire or rename the old server, links to the old server location will not work
So how do you get around this problem? The answer is in the Distributed File System (DFS). Instead of having several server-specific file share locations, you can have a domain-wide setup location that offers a seamless experience to your users. DFS will even track a history of when and where file locations were moved.
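An added example (not part of the original rule) of building the domain-wide setup location described above with the DFS Namespaces PowerShell module. The server names bee and tuna and their shares come from the rule; the namespace name, the domain name ssw.com.au and the replacement server are constructed, and the shares are assumed to already exist on each server.

```powershell
# Added example: one domain-based DFS namespace in front of the setup shares, plus
# the step that solves the "retired server breaks links" problem.
# Constructed: the namespace name, domain ssw.com.au, and server 'newbee'.

Install-WindowsFeature FS-DFS-Namespace, RSAT-DFS-Mgmt-Con

$Namespace = '\\ssw.com.au\Setup'   # the one path users ever see, whichever server holds the files

# Domain-based namespace (Windows Server 2008 mode) whose root is hosted on bee
New-DfsnRoot -Path $Namespace -TargetPath '\\bee\SetupFiles' -Type DomainV2

# Old setup files that had to move to tuna show up as a folder in the same namespace,
# so nothing is fragmented from the user's point of view
New-DfsnFolder -Path "$Namespace\Old" -TargetPath '\\tuna\SetupFiles'

# Retiring bee later: add a second root target on the new server, let clients use it,
# then remove the old one. \\ssw.com.au\Setup keeps working throughout.
New-DfsnRootTarget -Path $Namespace -TargetPath '\\newbee\SetupFiles'
# Remove-DfsnRootTarget -Path $Namespace -TargetPath '\\bee\SetupFiles'   # once newbee has the content

# Verify: every folder target should report State = Online
Get-DfsnFolder -Path "$Namespace\*" | ForEach-Object {
    Get-DfsnFolderTarget -Path $_.Path | Select-Object Path, TargetPath, State
}
```

The last two commands are the point of the technique: because users only ever hold the namespace path, moving content or replacing a server is a target change in DFS rather than a hunt for every link and mapped drive that pointed at the old machine.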
Previously we managed our certificates using a SharePoint list plus calendar reminders to tell us when they were going to expire. The problem with this system was that maintaining the SharePoint list and keeping the certificates up to date were manual processes. This left a lot of room for human error, especially when managing hundreds of certificates. There are of course commercial solutions to manage certificates, but these haven't been economical for our environment.
With Certify the Web and Let's Encrypt, we remove this human error and manual handling, ensuring that our certificates never expire.
You should use Certify the Web.
What is the best option for your business when it comes to securing your website with HTTPS?
When you create a website, you can only access it through HTTP (http://), and not securely through HTTPS (https://) if you do not own an SSL Certificate.
When it comes to website certificates, you can choose from free or paid SSL certificates!
Free certificates can be obtained from Certificate Authorities like Let's Encrypt, which is helping provide free and automated certificates for the web.
- provide the same level of SSL encryption as paid certificates;
- provide HTTPS with a green padlock on the address bar of your browser, just like paid certificates;
- can be automatically renewed easily, through programs like Certify The Web or win-acme
Why would anyone use paid certificates, then?
If you are operating a big business, paid certificates give you some more assurances over free ones, and you can obtain them through reputable Certificate Authorities like Comodo, GeoTrust, Symantec, etc:
- give you a warranty against misuse or wrongly issued certificates;
- are normally valid for at least 1 year or more, while free certificates are only valid for 3 months;
- offer support for any errors or problems you have with your certificates.
SSL Certificates are an important part of any reputable website, so if you are operating a small website, blog, testing environment, personal site, anything that doesn't need too much support, getting a free certificate is the way to go.
If your business or site does not fit the description above, getting a paid certificate is the best option!
Wireless networks are everywhere now. You can't drive down the street without finding a network which is insecure. However, in an office environment, there is a lot more to lose than a bit of bandwidth. It is vital that wireless is kept secure.
WEP, no SSID broadcast and allowed MAC address lists are all OK, but these are home-grade security measures.
Figure: Bad example - the above settings are not suitable for a company's wireless access point
For the office, you need something a bit more robust and not requiring much management overhead.
It is recommended to use Radius authentication to integrate with your Active Directory.
Figure: Good example - configure your wireless access point to authenticate against AD
This article explains how to set up your wireless AP to use WPA2-Enterprise. WPA2-Enterprise verifies network users (AD accounts) through a server (Domain Controller).
The recommended method of authentication is PEAP (Protected Extensible Authentication Protocol), which authenticates wireless LAN clients using only server-side digital certificates (In our case we used an AD CA) by creating an encrypted SSL/TLS tunnel between the client and the authentication server. The tunnel then protects the subsequent user authentication exchange.
- 802.1X-capable 802.11 wireless access points (APs)
- Active Directory with group policy
- Network Policy Server (NPS) servers
- Active Directory Certificate Services based PKI for server certificates for the NPS computer(s) and your wireless PCs
This document assumes you have some knowledge of how to configure your wireless access points and install server roles. It also assumes that you have already configured an Enterprise Certificate Authority on your Active Directory Domain.
- Configure your wireless access points: In SSW we use Unifi APs. I have configured these access points to:
- Install NPS on your server: On Windows 2008 or 2008 R2 open up the server manager and:
- Add the "Network Policy and Access Services" Role. Under role services add:
- Network Policy Server
- Routing and Remote Access Services
- Configure Radius Clients on NPS: Open up the NPS Console. Right-click on "Radius Clients", and then click on "New". Fill out the fields for Friendly Name (enter the name of the wireless access point) and Address (IP address), then add the shared secret you configured on your access point (keep this safe; for example, we use KeePass as a password repository).
- Configure 802.1X on the NPS server: In the NPS server's Server Manager, open "Roles", then "Network Policy and Access Services", then click on NPS (Local). In the right-hand pane under Standard Configuration choose "Radius Server for 802.1X Wireless or Wired Connections", and then click on "Configure 802.1X" to start a wizard-based configuration.
- Select the top radio button "Secure Wireless Connections" and click Next
- On the Specify 802.1X Switches page, check that the APs you have configured under Radius Clients are in that list, then click Next
- Now the authentication method: from the drop-down list select Protected EAP (PEAP). NOTE: This method requires a computer certificate on the Radius Server and either a computer or user certificate on the client machine
- Select the groups (e.g. Domain\WirelessAccess) you would like to give wireless access to. You can do this by user or computer or both
- The next step lets you configure VLANs; this wasn't required in my case, so I just used the defaults
- You then need to register the server with Active Directory. Right-click on NPS (Local) and select Register Server in Active Directory
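The "Configure Radius Clients" and "Register Server in Active Directory" steps above as an added PowerShell example, not part of the original rule (which uses the NPS console). It assumes the NPS module that ships with the Network Policy and Access Services role; the AP name and IP address are constructed.

```powershell
# Added example: add an access point as a RADIUS client with a freshly generated
# shared secret, then register NPS in AD. Constructed: AP name and IP address.

Install-WindowsFeature NPAS -IncludeManagementTools   # Network Policy and Access Services

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Characters most APs accept without quoting trouble (no quotes, $ or @)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # reject bytes at or above this to avoid modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $b     = [byte[]]::new(1)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($chars[$b[0] % $chars.Length]) }
    }
    $sb.ToString()
}

# Generate once, paste the same value into the AP, and store it in your password manager (e.g. KeePass)
$secret = New-RadiusSharedSecret

# Friendly Name = the AP's name, Address = its IP; one client entry per access point
New-NpsRadiusClient -Name 'AP-Level3-East' -Address '10.0.10.21' -SharedSecret $secret
Get-NpsRadiusClient | Format-Table Name, Address, Enabled

# Same as "Register Server in Active Directory": lets NPS read account dial-in properties
netsh nps add registeredserver
```

A per-AP shared secret of this length is the part most often skipped when the console is used: a short, reused secret lets anyone who recovers it from one AP impersonate a RADIUS client to your NPS server, so generate it, don't type it.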
Configure Certificate Auto-enrolment
- First open Group Policy Management.
- Create a new GPO and name it "CertEnrollmentWireless" (or whatever name you deem suitable), and link it to the root of the domain or to a specific OU, depending on your needs and OU structure
- Under Security Filtering (the scope the policy gets applied to), remove "Authenticated Users" and add the AD groups you created. This ensures that the policy, once configured, is applied only to members of those groups.
- Edit the settings of the group policy and go to:
- Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. In the details pane, right-click Certificate Services Client – Auto-enrolment and select Properties. In the Properties dialog box, select Enabled from the drop-down box and then tick all the remaining tick boxes. This makes sure that the computer auto-enrolls for a certificate from the AD CA.
- Now navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings. Right-click in the details pane and select New | Automatic Certificate Request. This opens a wizard in which you can select a Computer certificate.
Creating a Windows Wireless 802.1x GPO Policy
- Now go to Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies. Right-click and create a new policy for Windows Vista and later (if you only have XP machines, create only an XP policy). If you have Vista or later you must create a Vista policy, otherwise Vista will try to use the XP policy (not recommended).
- Enter a Policy Name (e.g. BeijingWifiSettings) and description and link to the root of the domain.
When guests come to an SSW Office, we provide them with easy Wifi access using a QR code. This saves people manually typing in a password and can have them up and running in a matter of moments. QR codes can easily be created with services like QR Code Monkey.
How often do you find files on your network file server that clearly shouldn't be there? Developers are notorious for creating temporary files and littering your file system with them. So how can you identify exactly who created or modified the file, and when?
The easiest way is to configure Windows file auditing.
Thankfully, Windows Server comes with built-in file auditing. Any change, creation or deletion can be logged to your system event log. Here's how to set it up.
- Terminal Server into the file server
- In Windows Explorer, locate the directory you want to configure logging for (e.g. C:\Inetpub\wwwroot for logging changes to your website files)
- Right-click the directory | Properties | Security tab | Advanced
- Click the Auditing tab
- Select the users whose usage you want to monitor (usually all users, so select Everyone)
- Select what you want to monitor. For best performance, we only tick the options shown in the figure below - there's no need to log when someone opens a file.
- Click OK and OK again to apply the changes. The process may take some time depending on the number of subfolders and files selected. Now you need to configure the system event log.
- Open Control Panel | Administrative Tools | Event Viewer
- Right-click the Security node and select Properties
- Make sure "Overwrite events as needed" is checked
Now test to see if auditing is working.
- On the server, create a file called "test.aspx" somewhere in the path that is being audited
- Open Control Panel | Administrative Tools | Event Viewer
- Select the Security node, and notice the entries that have been created. They will have a similar format to the figure below.
That's all! It is also great for finding out who accidentally deleted files from the file system.
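The auditing setup above, plus the "who created or deleted that file, and when?" question answered from the Security log, scripted in PowerShell as an added example (not SSW's code or part of the original rule). It assumes an elevated session on the file server; the audited path is a placeholder.

```powershell
# Added example (not from the SSW page): script the file-auditing steps above and
# then read back who created/wrote/deleted which file, and when, from the Security log.
# Assumes an elevated PowerShell session on the file server; the path is a placeholder.
$auditPath = 'C:\Inetpub\wwwroot'

# 1. Turn on the "File System" object-access audit subcategory (success only; failed
#    attempts are not needed to answer "who created this file?").
auditpol /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# 2. Add a SACL entry on the folder for Everyone covering creates, writes and deletes.
#    Read/Open is deliberately not audited, as the rule above recommends.
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $auditPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $auditPath -AclObject $acl

# 3. Give the Security log room (512 MB here) and overwrite events as needed,
#    the same as the Event Viewer setting in the steps above.
wevtutil sl Security /ms:536870912 /rt:false

# 4. Test exactly as the rule describes: create test.aspx in the audited path, then
#    delete it, and pull the matching 4663 (object access) events.
$testFile = Join-Path $auditPath 'test.aspx'
Set-Content -Path $testFile -Value 'audit test'
Remove-Item -Path $testFile

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } |
    ForEach-Object {
        # 4663 stores its details as named EventData fields; read them by name
        # rather than by position so the query survives schema differences.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            File    = $d.ObjectName
            Access  = $d.AccessList.Trim()   # e.g. %%4417 = WriteData/AddFile, %%1537 = DELETE
            Process = $d.ProcessName
        }
    } | Where-Object File -like "$auditPath*" | Format-Table -AutoSize
```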
Furthermore, we can dump the event log to an Access or SQL Server database to make it easier to handle. Here is how to do it:
- Download the scripts: one for Access database and the other for SQL Server.
- Find and change the strEventDBConn variable to your connection string; also modify the strEventDB and tblEvents variables to your database name and table name.
- Write down the names of the servers to monitor in EventHosts.txt.
Done! Now you only need to double-click it to start.
A company-wide Word template brings many benefits e.g.:
- Consistency - It's important to maintain consistent documents for internal and client use: https://www.ssw.com.au/rules/do-you-understand-the-value-of-consistency
- Automatic footers and headers - showing the latest edit time and who the editor was, updating automatically on save
- Branding - More and better branding and correct company colors
How to have a company-wide Word template:
- Modify your Normal.dotm file to have the headings and format that you want for Word documents
- Create standard employee email footer files e.g. JamesZhou.htm or JamesZhou.txt
- Put the files on a network location - this is the place that will have the master copies
- Have a logon script, set up through Group Policy, that copies the files to the user's computer at logon, e.g. a PowerShell login script like https://github.com/SSWConsulting/SSWSysAdmins.LoginScript
ECHO Copy Office Templates To Workstation >> %LogonLogFile%
call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Normal.dot" "%APPDATA%\Microsoft\Templates\Normal.dot" %LogonLogFile%
call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Normal.dotm" "%APPDATA%\Microsoft\Templates\Normal.dotm" %LogonLogFile%
call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\ProposalNormalTemplate.dotx" "%APPDATA%\Microsoft\Templates\ProposalNormalTemplate.dotx" %LogonLogFile%
call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\NormalEmail.dot" "%APPDATA%\Microsoft\Templates\NormalEmail.dot" %LogonLogFile%
call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Microsoft_Normal.dotx" "%APPDATA%\Microsoft\Templates\Microsoft_Normal.dotx" %LogonLogFile%
call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Blank.potx" "%APPDATA%\Microsoft\Templates\Blank.potx" %LogonLogFile%
xcopy /Y "\\fileserver\DataSSW\DataSSWEmployees\Templates\NormalEmail.dotm" "%APPDATA%\Microsoft\Templates\" >> %LogonLogFile%
xcopy /Y "\\fileserver\DataSSW\DataSSWEmployees\Templates\NormalEmail.dotx" "%APPDATA%\Microsoft\QuickStyles\" >> %LogonLogFile%
ECHO Templates Copied
Figure: Bad Example - This is a snippet of an old login script
You can automatically have your SSW Word doc template on sign-in via a script. See https://github.com/SSWConsulting/SSWSysAdmins.LoginScript
Figure: Good Example - New login script on GitHub
Note #1: We don't want people using .RTF emails so we include this message in SSW.rtf. Be aware that we don't want to use RTF because of Remove RTF as an option or explain when it is a good choice.
Note #2: If you use a Mac computer, a login script will not work. In order to use a Word template, you must open the template on Word locally, hit "Save as Template", and then upload that document to Teams.
Most companies have physical assets and it is crucial to keep track of those assets: Are they in a particular location? Who are the assets with? Are they assigned somewhere else?
Businesses generally need to provide their employees with a multitude of assets e.g.:
- Mobile Phones
Keeping track of those assets is essential for the business to have any control over them, and a spreadsheet listing the assets and their values is not the best approach.
In this day and age, we have better (and free!) systems that allow us to track the business's assets, including:
- Purchase Date
- Order Number
- Serial Number
- Which location that asset belongs to
- Which user that asset belongs to (or is in possession of/checked out to)
- Number of assets
- And even their depreciation value
All this in a nice UI that allows you - or even your users themselves - to edit and check out assets.
Tracking is all fun and games, but what about knowing which asset is which? You also need to physically label your assets.
This means that after creating the asset in the system, it generally gets a unique ID within it, and you should generate a label (preferably with a QR or bar code for easy scanning) and attach the label to the asset in question. This makes it super easy to see the asset ID and name at a glance, and, in the case the asset is lost somewhere, anyone can easily scan the QR code and be brought to a site with instructions on how to return or notify the company that asset is lost.
There are a couple of exceptions to the above:
- When the items are physically too small to carry a tag, don't put one on.
- When the items are too cheap to be individually tagged, having the total number plus the number of items checked out to people is enough.
A good system that does all this is SnipeIT. SnipeIT has a nice interface, is easy to use, maintain and upgrade, generates labels for you, has an API for you to integrate with your current systems, and is free if you host it yourself!
When you are connected to the company's network, complete the following procedure to set up a print server.
Steps to add a printer to Active Directory:
- In Windows Run | Type "printmanagement.msc" | Hit Enter
- Right-click 'Print Server' | Choose 'Add/Remove Servers' | Add IP address or computer name | Finish
- Right-click the 'Print Server' | Add printer | Choose the best option (e.g. TCP/IP) | Enter the IP address of the printer | Finish
- Add a DNS entry for your print server (e.g. \\printer) to make it easy for users to find
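The print-server steps above scripted in PowerShell, as an added example (not SSW's code or part of the original rule). It assumes an elevated session on the print server with the PrintManagement and DnsServer modules available; every name, address and zone below is a placeholder.

```powershell
# Added example (not from the SSW page): create the TCP/IP port, add and share the
# printer, publish it in AD, and add the friendly DNS name users browse to.
# Assumes an elevated session on the print server with the PrintManagement and
# DnsServer modules; all names, addresses and the zone are placeholders.
$printerIp   = '192.0.2.50'              # printer's IP (documentation-range placeholder)
$printerName = 'Level3-Colour'           # name users will see (placeholder)
$driverName  = 'Microsoft Print To PDF'  # replace with the vendor driver already in the driver store
$dnsZone     = 'corp.example'            # AD-integrated DNS zone (placeholder)
$serverIp    = '192.0.2.20'              # this print server's IP (placeholder)

# 1. Create a Standard TCP/IP port pointing at the printer (skip if it already exists).
$portName = "IP_$printerIp"
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $printerIp
}

# 2. Add the printer, share it, and publish it in Active Directory so it is searchable.
Add-Printer -Name $printerName -DriverName $driverName -PortName $portName `
            -Shared -ShareName $printerName -Published

# 3. Add the friendly name as an A record. An A record (rather than a CNAME) is used
#    so that SMB access to \\printer works without extra name-checking settings.
Add-DnsServerResourceRecordA -ZoneName $dnsZone -Name 'printer' -IPv4Address $serverIp

# 4. Confirm the printer is shared and published before telling users.
Get-Printer -Name $printerName | Format-List Name, Shared, ShareName, Published, PortName
```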
Note: Another method is using a Universal Printer in Azure https://azurescene.com/2020/04/10/how-to-configure-universal-print/
Now your users can find the printers by doing the following:
- In File Explorer, type \\printer in the address bar to show all the printers connected to the server
- Double-click your printer name to connect/add it, and follow the prompts to finish the printer driver installation