Need some help in building a PowerShell Script

  • Question

  • I am in the process of setting up continuous self-auditing on a set of computers that are on a Domain. My company has a restriction on use of USB devices as well as CDs/DVDs. The domain pushes patches but we have been seeing some users that are using (or trying to) the network without becoming a part of the domain. My aim is to run a PowerShell script periodically (say, hourly) on each computer on the domain and dump certain parameters to XML / XHTML and then load these onto a web-server that can display the results in a (sort of) dashboard to flag anomalies like unauthorised USB use etc.

    I know there must be some commercial products for this but the boss says "No" to a purchase. 

    Am I on the right track or do I need to change my approach? Also, is there a starting script available somewhere so that I can study it for techniques? My major problem is the display part. I am able to dump it into XML and (sort of) format it but how do I collate the data and display it as a web-page is what is bothering me. Help would be deeply appreciated.

    Tuesday, June 17, 2014 6:05 AM

Answers

  • Bill, I do not require someone to write a script for me, 'per se'. What I was looking for was some help on HOW I would go about it. As you can see, the answers from both Oliver and JRV have a lot of info and I am now re-studying the problem to see what needs to be done.

    If I understand, you are asking for guidance with your design specification. You have found that some respondents have graciously responded with some good general information, but I would say that your design needs to be agreed upon within your organization before you start writing code. Design specification is definitely necessary in this case (and may require outside resources), but it's not really within the scope of this forum.


    -- Bill Stewart [Bill_Stewart]

    Friday, June 20, 2014 2:52 PM
    Moderator

All replies

  • Hi Sarab,

    I'll just throw some thoughts at you:

    • You could separate the process into two different components: Local scripts that do the monitoring each hour and push the result to a share and a processing Script that takes that data and builds a report.
    • You can transfer data well by using Export-Clixml and Import-CliXml
    • A database is a good data storage tool, that allows easier data analytics (Like the Reporting Services from MS SQL).
    • There's a cmdlet called "ConvertTo-Html" that can convert data to html display.
    • There's a function script in the gallery that allows simple formatting of html.

    Cheers and good luck with your task,
    Fred


    There's no place like 127.0.0.1

    Tuesday, June 17, 2014 6:37 AM
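The two-component design Fred sketches, as an added example that is not part of the thread: a client-side stage that gathers a handful of facts and drops them as CLIXML, and a reporting stage that merges the drops and renders them with ConvertTo-Html. The share path and the flagging rule are assumptions for the example; a local temp folder stands in for the share so the script runs offline.

```powershell
# Added example, not code from the thread. Stage 1 would run hourly on each
# client (scheduled task) and write to \\server\audit$; stage 2 runs on the
# reporting host. A temp folder stands in for the share here (assumption).
$Share = Join-Path $env:TEMP 'audit-drop'
New-Item -ItemType Directory -Path $Share -Force | Out-Null

function Get-AuditSnapshot {
    # Stage 1: a small, fixed set of facts. Every property is a plain value so
    # the CLIXML round-trips cleanly on the reporting side.
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Collected    = Get-Date
        LastBoot     = $os.ConvertToDateTime($os.LastBootUpTime)
        Domain       = $cs.Domain
        PartOfDomain = [bool]$cs.PartOfDomain
        LoggedOnUser = $cs.UserName
    }
}

function Export-AuditSnapshot {
    param([Parameter(Mandatory)]$Snapshot, [Parameter(Mandatory)][string]$Path)
    # One file per computer and run; the timestamp in the name avoids collisions.
    $file = Join-Path $Path ('{0}-{1:yyyyMMdd-HHmm}.clixml' -f $Snapshot.Computer, $Snapshot.Collected)
    $Snapshot | Export-Clixml -Path $file
    $file
}

function New-AuditReport {
    param([Parameter(Mandatory)][string]$DropPath, [Parameter(Mandatory)][string]$OutFile)
    # Stage 2: merge every snapshot, flag the rows that matter, render HTML.
    # The flag rule (not domain-joined) is an assumption for the example.
    $rows = Get-ChildItem -Path $DropPath -Filter '*.clixml' |
        ForEach-Object { Import-Clixml -Path $_.FullName } |
        Select-Object Computer, Collected, LastBoot, Domain, PartOfDomain, LoggedOnUser,
            @{ n = 'Flag'; e = { if (-not $_.PartOfDomain) { 'NOT ON DOMAIN' } else { '' } } } |
        Sort-Object Flag -Descending    # flagged rows first

    $style = '<style>table{border-collapse:collapse} td,th{border:1px solid #999;padding:4px}</style>'
    $rows | ConvertTo-Html -Title 'Hourly audit' -Head $style -PreContent "<h1>Audit ($(Get-Date))</h1>" |
        Out-File -FilePath $OutFile -Encoding UTF8
    $rows
}

# Stage 1 (client side)
$null = Export-AuditSnapshot -Snapshot (Get-AuditSnapshot) -Path $Share

# Stage 2 (reporting host): the HTML lands next to the drops; a web server
# would serve it as the "dashboard".
New-AuditReport -DropPath $Share -OutFile (Join-Path $Share 'audit.html') | Format-Table -AutoSize
```

Export-Clixml keeps the property types (the dates come back as [datetime], not strings), which is why it transports better than a hand-built XML dump; the reporting stage never has to parse anything.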
  • We would need to know what kind of information you want to audit.

    Up to now we only know of the USB usage. But what kind of info do you want to get?


    MCC & PowerShell enthusiast
    http://oliver.lipkau.net/blog

    Tuesday, June 17, 2014 6:50 AM
    Moderator
  • Thanks, Fred. I have been exploring these areas too ...just thought I'd check with the experts before I spend time and effort on an unfruitful approach. 
    Tuesday, June 17, 2014 6:53 AM
  • I am looking for stuff like what time did the user log in / out, has he/she used any USB device, has any new application / software been installed, was the AV and OS updated etc.
    Tuesday, June 17, 2014 6:55 AM
  • Fred, must thank you for that function script pointer - it DOES help me a lot! 
    Tuesday, June 17, 2014 6:56 AM
  • I am in the process of setting up continuous self-auditing on a set of computers that are on a Domain. My company has a restriction on use of USB devices as well as CDs/DVDs. The domain pushes patches but we have been seeing some users that are using (or trying to) the network without becoming a part of the domain. My aim is to run a PowerShell script periodically (say, hourly) on each computer on the domain and dump certain parameters to XML / XHTML and then load these onto a web-server that can display the results in a (sort of) dashboard to flag anomalies like unauthorised USB use etc.

    I know there must be some commercial products for this but the boss says "No" to a purchase. 

    Am I on the right track or do I need to change my approach? Also, is there a starting script available somewhere so that I can study it for techniques? My major problem is the display part. I am able to dump it into XML and (sort of) format it but how do I collate the data and display it as a web-page is what is bothering me. Help would be deeply appreciated.

    I think you should start by learning the basics of Windows.  88% of what you are asking for is unnecessary with Windows.  Users cannot do most of the things you mention unless everyone is a Domain Admin.  A user cannot install software and a user cannot remove a computer from the domain.  We also use Group Policy to restrict use of USB and all removable media.

    As you learn the basics you will begin to see why we use Windows in professional computing.

    You might consider training and certification as a possible path to obtaining a job in Windows networking.  Once you have managed to become certified you will be able to find an employer that is more intelligent than your current "boss".


    ¯\_(ツ)_/¯

    Tuesday, June 17, 2014 7:52 AM
  • @JRV:

    Users don't have to be domain administrators to be able to install software. Local admin is more than enough. i.e. I am no admin in the domain of my customer but am allowed to install software.

    Although I agree with you, in the sense it would be easier to restrict the users, it doesn't mean that a company has to do it that way; and it certainly doesn't represent the intelligence of an individual. 

    ------------------------------------------------------------------------

    @SarabRSingh:

    What you are asking for is a lot of work, to get the script right (considering the special demands, ie. AV update checking is different depending on the SW) and it might require a lot of resources on the client.

    From what you describe, you want to prevent any USB/Optical Media use. You should consider Group Policies to manage that. http://technet.microsoft.com/en-us/library/bb742376.aspx

    The only part I would script (based on my work environment) is the checking of AV updates (gets tricky because our SW has a hard time forcing the user to update when connected by VPN).

    • user log in / out --> group policy: logon/off script writing appending timestamp to a file
    • has he/she used any USB device --> if you want to block it: GPO, if you only want to track it: powershell
    Get-WmiObject Win32_USBControllerDevice

    MCC & PowerShell enthusiast
    http://oliver.lipkau.net/blog


    Tuesday, June 17, 2014 8:22 AM
    Moderator
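Oliver's two tracking pointers (Win32_USBControllerDevice for USB, and a logon/logoff script that appends a timestamp) carried through, as an added example that is not his code. Win32_USBControllerDevice only shows what is attached right now, so the example also reads the USBSTOR registry key, where Windows keeps one subkey per storage device ever enumerated. The allow-list of sanctioned drive instance IDs is constructed for the example.

```powershell
# Added example, not from the thread. Two views of USB use on the local machine
# plus the logon/logoff timestamp appender Oliver describes.
$AllowedStorageIds = @(   # assumption: instance IDs of sanctioned drives
    'USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789ABCDEF&0'
)

function Get-AttachedUsbDevices {
    # Win32_USBControllerDevice is an association class: Dependent holds the
    # WMI path of the Win32_PnPEntity, which the [wmi] accelerator resolves.
    Get-WmiObject Win32_USBControllerDevice | ForEach-Object {
        $dev = [wmi]$_.Dependent
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $dev.Name
            PnpDeviceId = $dev.PNPDeviceID
            Service     = $dev.Service               # 'USBSTOR' = mass-storage device
            IsStorage   = ($dev.Service -eq 'USBSTOR')
        }
    }
}

function Get-UsbStorageHistory {
    # HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<model>\<serial> survives
    # unplugging and reboots, so this answers "has a USB stick ever been used".
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $instance = "USBSTOR\$model\$($_.PSChildName)"
            $props    = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                InstanceId   = $instance
                FriendlyName = $props.FriendlyName
                Allowed      = ($AllowedStorageIds -contains $instance)
            }
        }
    }
}

function Add-LogonRecord {
    # Oliver's GPO logon/logoff script idea: append one tab-separated line.
    # Run with -Event Logon from the logon script and -Event Logoff from the logoff script.
    param([ValidateSet('Logon', 'Logoff')][string]$Event, [Parameter(Mandatory)][string]$LogFile)
    "{0:u}`t{1}`t{2}\{3}`t{4}" -f (Get-Date), $env:COMPUTERNAME, $env:USERDOMAIN, $env:USERNAME, $Event |
        Add-Content -Path $LogFile -Encoding UTF8
}

Get-AttachedUsbDevices | Where-Object { $_.IsStorage } | Format-Table -AutoSize
Get-UsbStorageHistory  | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
Add-LogonRecord -Event Logon -LogFile (Join-Path $env:TEMP 'logon.log')   # assumption: a share path in production
```

The registry view is the one that matters for an hourly audit: a stick plugged in and removed between two runs never appears in Win32_USBControllerDevice, but its USBSTOR key stays. Get-CimInstance is the modern replacement for Get-WmiObject, but the association and registry logic is the same.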
  • Why would user be local admins in a domain?  This is a very bad setup and is not how we configure a domain.  Learning how to use Windows correctly is a good place to start.

    If a user needs to have admin access to a local system they should have access to the password of the local admin and not run as an admin all of the time.  Of course once you do this the user has total access to the system so no amount of auditing can detect what they are doing.

    If a user cannot be trusted to use an Admin account then auditing won't help.

    We can force policy on a machine but a user can always circumvent that policy if they have admin access.  This is the most common route of infection in systems. 

    The level of audit that would be needed would be extensive and time consuming. It can be done but the solution is not one that can be done by someone with minimal Windows training.  It is a major project.  The fact that the user is asking and that the company is considering this shows that there is a lack of good knowledge about Windows.  Hiring an MCSE consultant might help to get a better approach to this for the company.  Asking an untrained support tech to solve the issue is not a good approach.

    Another issue that is clear is that setting up these machines for auditing would be highly OS dependent. 

    We can easily audit software installs and domain joins via the Eventlog.  On Vista and later USB usage is easily audited via the eventlog.

    Writing the script to do this would take considerable skill and effort.  The writer would become adept at  E.L. scripting. Managing the reporting to a web service would take more skills in networking and managing how the machine is able to update the servers.

    If the users are admins then tracking software copied from the Internet that does not require an installer would be almost impossible to track.  This could also be the most dangerous software.

    The recommendation for not giving users admin access is standard for Windows in a domain and has been for more than a decade.  It is almost always done as a result of lack of training in Windows networking.  I have fought this battle for years and have never found a case where standard users absolutely had to have admin access.


    ¯\_(ツ)_/¯

    Tuesday, June 17, 2014 8:42 AM
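JRV's point that installs and USB use are in the event log, as an added example that is not his code: Get-WinEvent with filter hashtables, with every hit normalised into one record shape a collector can dump. Security 4624/4634 (logon/logoff) and MsiInstaller 11707/11724 (install/removal completed) are standard IDs; Kernel-PnP/Configuration event 400 ("device configured") is an assumption for the device-arrival signal on Windows 8 and later and should be validated on the OS in use (the DriverFrameworks-UserMode/Operational log is the alternative but is off by default). Reading the Security log needs an elevated session.

```powershell
# Added example, not from the thread. Event IDs: 4624/4634 and 11707/11724 are
# standard; Kernel-PnP 400 as the USB-arrival signal is an assumption.
function Get-AuditEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))   # matches the hourly cadence

    $queries = @(
        @{ Kind = 'Logon';   Filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $Since } }
        @{ Kind = 'Install'; Filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707, 11724; StartTime = $Since } }
        @{ Kind = 'Device';  Filter = @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400; StartTime = $Since } }
    )

    foreach ($q in $queries) {
        # Get-WinEvent errors on an empty result; treat that as "nothing happened".
        Get-WinEvent -FilterHashtable $q.Filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Security and PnP events name their EventData fields; MsiInstaller
            # data is positional, so those fall back to the first message line.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.ChildNodes) {
                $n = $d.GetAttribute('Name')
                if ($n) { $data[$n] = $d.InnerText }
            }

            # Keep console (2), unlock (7) and RDP (10) logons; drop service/network noise.
            if ($q.Kind -eq 'Logon' -and $_.Id -eq 4624 -and $data.LogonType -notin '2', '7', '10') { return }

            $user = if ($data.TargetUserName) { "$($data.TargetDomainName)\$($data.TargetUserName)" } else { "$($_.UserId)" }
            $detail = switch ($q.Kind) {
                'Logon'  { "logon type $($data.LogonType)" }
                'Device' { $data.DeviceInstanceId }
                default  { ("$($_.Message)" -split "`r?`n")[0] }
            }

            [pscustomobject]@{
                Computer = $_.MachineName
                Time     = $_.TimeCreated
                Kind     = $q.Kind
                Id       = $_.Id
                User     = $user
                Detail   = $detail
            }
        }
    }
}

# The last hour's slice; this is the record set a collector would Export-Clixml to the share.
Get-AuditEvents | Sort-Object Kind, Time | Format-Table -AutoSize
```

Filtering on LogonType is what keeps the logon feed readable: without it, every network share access (type 3) and service start (type 5) on the box shows up as a "logon". For the domain-membership check JRV mentions, reading Win32_ComputerSystem.PartOfDomain directly at collection time is simpler than chasing the corresponding event.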
  • Why would user be local admins in a domain?  This is a very bad setup and is not how we configure a domain.  Learning how to use Windows correctly is a good place to start.

    If a user needs to have admin access to a local system they should have access to the password of the local admin and not run as an admin all of the  time.  Of course once you do tis the user has total access to the system so no amount of auditing can detect what they are doing.

    […]


    ¯\_(ツ)_/¯

    Agreed, but just because it's best practice doesn't mean it's the only approach, nor the best for individual scenarios. I know of big companies with certified MCSEs where they decided on computer-specific permissions based on the local groups "Administrators", "Power Users" and "Users".

    If you give a user the password of the local admin, you no longer have control over the local admin (as the user might like a password of his choosing better), which would be of great value in case you have to take the computer out of the domain.

    You can of course give the user the necessary permissions based on domain permissions. But that would mean he would have these permissions on any computer connected to the domain; which might not be desired.

    I am not debating on the need of admin rights or what is the best approach. I only stated that domain administrator permissions is the only way to install software: "Users don't have to be domain administrators to be able to install software."


    MCC & PowerShell enthusiast
    http://oliver.lipkau.net/blog

    Tuesday, June 17, 2014 9:00 AM
    Moderator
  • My point is that this is not a scripting question.  It is one of deployment and design.  It cannot be answered with a simple script.  It requires the attention of a trained Network and Systems analyst/engineer.  Time has to be spent gathering all of the criteria and research done to acquire all events and event record schemas before a script can be designed.

    This forum is not set up to answer questions this broad.  I have merely pointed out that this is nearly always unnecessary in a correctly implemented network.  If there is some need to break all of the security rules then it is incumbent on the person choosing to break the rules to engineer a solution to compensate for the system breaking requirements. This cannot be done with a simple script.

    There are scripts in the repository which can do some of what is asked.  There are also third party tools that will do all of this.  The OP is asking for a single script that will replace a commercial package that may have tens of thousands of lines of code to accomplish this.  Where does the idea come from that a simple script can do this? 

    Just because we believe something can be done does not mean it should be done and just because it is possible with a script does not mean that you can actually write it in any short period of time.

    Anyway - the last part of the request is the one that we can address.  The OP claims to have everything in an XML file.  If this is the case then the XML can be easily formatted using XSLT.  This also is beyond the scripting scope.  Web deployment of XML is a question for a web forum.

    I am proficient in XML/XSL.  This is how we can do this by just dumping an XML file.

    We can also just dump HTML from PowerShell and do all kinds of fancy editing to build web pages.  Here are some examples:

    How to use XSL to format XML for web display:

    http://tech-comments.blogspot.com/search/label/XSL

    Producing HTML reports with PowerShell:

    http://tech-comments.blogspot.com/2012/07/powershell-dynamically-color-posh.html


    ¯\_(ツ)_/¯

    Tuesday, June 17, 2014 9:23 AM
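The XSLT route JRV recommends, as an added example that is not his code: a stylesheet applied from PowerShell through .NET's XslCompiledTransform. The XML records are constructed for the example in an assumed shape (one record element per finding with a severity attribute); the stylesheet sorts so "high" rows land on top and colours them.

```powershell
# Added example, not from the thread. Transforms a constructed audit.xml with a
# constructed audit.xsl into audit.html using XslCompiledTransform.
function Convert-AuditXmlToHtml {
    param(
        [Parameter(Mandatory)][string]$XmlPath,
        [Parameter(Mandatory)][string]$XslPath,
        [Parameter(Mandatory)][string]$HtmlPath
    )
    $xslt = New-Object System.Xml.Xsl.XslCompiledTransform
    $xslt.Load($XslPath)                  # compiles the stylesheet
    $xslt.Transform($XmlPath, $HtmlPath)  # writes the HTML file
    $HtmlPath
}

$work = Join-Path $env:TEMP 'xsl-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$xmlPath  = Join-Path $work 'audit.xml'
$xslPath  = Join-Path $work 'audit.xsl'
$htmlPath = Join-Path $work 'audit.html'

# Constructed input: what an hourly collector might have dumped (assumed shape).
@'
<?xml version="1.0" encoding="utf-8"?>
<audit generated="2014-06-17T06:00:00">
  <record computer="WS01" user="CORP\alice" kind="USB"    severity="high" detail="USBSTOR\Disk&amp;Ven_SanDisk&amp;Prod_Cruzer\4C530001&amp;0"/>
  <record computer="WS02" user="CORP\bob"   kind="Logon"  severity="low"  detail="interactive logon 07:12"/>
  <record computer="WS03" user=""           kind="Domain" severity="high" detail="PartOfDomain=False"/>
</audit>
'@ | Set-Content -Path $xmlPath -Encoding UTF8

# Stylesheet: one table, rows sorted by severity ("high" sorts before "low"),
# the severity value reused as the row's CSS class.
@'
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" indent="yes"/>
  <xsl:template match="/audit">
    <html>
      <head>
        <title>Audit dashboard</title>
        <style>table{border-collapse:collapse} td,th{border:1px solid #999;padding:4px} tr.high{background:#f9c}</style>
      </head>
      <body>
        <h1>Audit generated <xsl:value-of select="@generated"/></h1>
        <table>
          <tr><th>Computer</th><th>User</th><th>Kind</th><th>Detail</th></tr>
          <xsl:for-each select="record">
            <xsl:sort select="@severity"/>
            <tr class="{@severity}">
              <td><xsl:value-of select="@computer"/></td>
              <td><xsl:value-of select="@user"/></td>
              <td><xsl:value-of select="@kind"/></td>
              <td><xsl:value-of select="@detail"/></td>
            </tr>
          </xsl:for-each>
        </table>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
'@ | Set-Content -Path $xslPath -Encoding UTF8

Convert-AuditXmlToHtml -XmlPath $xmlPath -XslPath $xslPath -HtmlPath $htmlPath
```

The practical difference from ConvertTo-Html is that the layout lives in the .xsl file rather than in the script, so whoever owns the web page can change columns and styling without touching the collector. The same .xsl can also be referenced from the XML with an xml-stylesheet processing instruction and applied client-side by the browser, but server-side transformation keeps the raw XML off the web server.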
    JRV, though, in essence what you say is correct, the issue is that, due to constraints, I cannot discuss ALL the reasons why I require this. I am aware of Group Policies and whatever security we have implemented is using GPO. 

    However, in my environment,I have a bunch of guys that, for example, access certain network resources but have gone off the domain. In addition, there are additional issues that I cannot go into, at present. 

    THAT is why I am trying to put into place a system that logs anomalous events so that I can take my Malacca cane and whip a few recalcitrant butts!

    Thursday, June 19, 2014 9:48 AM
  • Thanks, Oliver. You have given me a large amount to work with. All the rest is quite helpful but my major hurdle still remains: how do I implement a 'dashboard' (for want of a better word), where I can monitor what is going on in my domain -  a sort of continuous audit.
    Thursday, June 19, 2014 9:51 AM
  • JRV, I am fully with you on this - this is not a small job and neither can only a single script do EVERYTHING. But my requirement is slightly narrow, at present - I just need to monitor a few events for some violations that have been evaluated as MOST inimical to my environment. I'd like to thank you for the links you have given me - I have already used ConvertTo-HTML earlier. 

    What I wanted to know (probably did not frame the question unambiguously) is whether the approach I have outlined feasible for the very limited function that I am trying to implement?

    But thanks for the help and I really appreciate the advice given by you and Oliver. I think that we need to re-look at what we want out of this whole project.

    Take care, guys and thanks once again!

    Thursday, June 19, 2014 10:01 AM
  • What you are looking to do will take someone with extensive skills in automation.  If this is that critical and if you cannot use the very powerful tools that Microsoft has developed for this exact scenario you should hire an experienced and certified consultant to work with you on this.

    Complex off-task requirements like this cannot be easily resolved through forums. They require someone with considerable systems experience.

    An alternate approach is to pick one small issue at a time and solve it.

    You mention wanting a "dashboard" and yet never even define what, in your usage of the term, you are talking about.


    ¯\_(ツ)_/¯

    Thursday, June 19, 2014 10:50 AM
  • JRV, what I mean by the term "dashboard" is a display element or web-page that is able to give me, at a glance, a picture of where, when and who is responsible for committing one of a few actions, for example, inserting an unauthorised USB, taking the computer off the domain and then trying to join back or access network resources after a day or two, stuff like that.

    After talking to you guys, I think I need to go back and relook at what I am trying to get out of this.

    Thursday, June 19, 2014 11:29 AM
    So by "dashboard" you are asking how to build a custom web application.  This is not a scripting issue but one of web application development.

    Again - you need to get the help of a qualified consultant.

    Many of us were building "dashboards" for reporting and management long before the term was first used.  These are fairly complex applications.  Today we would use SharePoint to do this.  It cannot be effectively done with scripts.


    ¯\_(ツ)_/¯

    Thursday, June 19, 2014 11:34 AM
  • As Oliver says, it may be possible; just a small matter of programming.

    I think this isn't really a scripting question but really a custom application design specification. It is really doubtful that someone has the resources to do all of this for you for free and post customized code in a public forum that meets all of your specifications.

    I think you will need to hire someone with expertise to get you where you need to go. I don't think your request is really feasible to accomplish without involving other resources (consultants and/or software, but probably both).


    -- Bill Stewart [Bill_Stewart]

    Thursday, June 19, 2014 2:07 PM
    Moderator
  • Bill, I do not require someone to write a script for me, 'per se'. What I was looking for was some help on HOW I would go about it. As you can see, the answers from both Oliver and JRV have a lot of info and I am now re-studying the problem to see what needs to be done.
    Friday, June 20, 2014 4:28 AM
  • Hi Sarab,

    let's see if I got this right:
    The "product" (no matter the scale) you are trying to build consists of these elements:

    1. Gather Information (Output: Lots of Information)
    2. Process Information (Output: Information that's useful to you)
    3. Make Information Presentable (Output: Good looking Information)
    4. Present Information (Output: Access to the Information you need)

    I'll assume you know what information you want gathered and how to do this. Processing it usually is the big part, I had the pleasure of doing some data analysis dashboards and usually went for a point-based system (Assign points to certain data, add up the points so I could read the highest priority based on score. May be an idea if you are trying to find the most offensive violators.).

    For 3. and 4., you could build static html tables and push them to a web server for the cheapest and fastest solution. There are several dashboard utilities out there (e.g.: ScriptCase) that can present data more dynamically and smoothly, which would require a database backend (I highly recommend using a database anyway for auditing information). Finally Microsoft has some sound solutions for presenting information itself: Sharepoint would be the most prominent such solution, however as I said previously, MS SQL Server has the Reporting Services for Data Reports.

    Generally, using a Database would be my recommendation, as it allows you to build multiple views on the same data set without creating redundant data (would be more effort though).

    Cheers and good luck with your project,
    Fred


    There's no place like 127.0.0.1

    Friday, June 20, 2014 7:29 AM
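Fred's point-based ranking (step 2 of his four, "process information"), as an added example that is not his code: weights per finding kind are summed per computer or per user so the worst offenders sort to the top. Both the findings and the weights are constructed for the example; the weights are the knob to tune to what the environment considers most inimical.

```powershell
# Added example, not from the thread. Scores constructed findings with
# constructed weights and ranks subjects by total points.
$Weights = @{
    OffDomain         = 25   # assumption: used network resources while not domain-joined
    UsbStorage        = 10   # assumption: removable storage attached
    UnapprovedInstall = 5    # assumption: MSI install not on the approved list
    AvOutOfDate       = 3
    InteractiveLogon  = 0    # informational: kept in the detail, adds nothing to the score
}

$findings = @(   # constructed sample data, the shape an hourly collector might emit
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\alice'; Kind = 'UsbStorage';        Time = [datetime]'2014-06-17 07:12' }
    [pscustomobject]@{ Computer = 'WS01'; User = 'CORP\alice'; Kind = 'InteractiveLogon';  Time = [datetime]'2014-06-17 07:05' }
    [pscustomobject]@{ Computer = 'WS02'; User = 'CORP\bob';   Kind = 'UnapprovedInstall'; Time = [datetime]'2014-06-17 08:40' }
    [pscustomobject]@{ Computer = 'WS03'; User = 'CORP\carol'; Kind = 'OffDomain';         Time = [datetime]'2014-06-17 09:01' }
    [pscustomobject]@{ Computer = 'WS03'; User = 'CORP\carol'; Kind = 'UsbStorage';        Time = [datetime]'2014-06-17 09:15' }
    [pscustomobject]@{ Computer = 'WS02'; User = 'CORP\bob';   Kind = 'AvOutOfDate';       Time = [datetime]'2014-06-17 09:20' }
)

function Get-ViolationScore {
    # Sum the weight of every finding per subject and rank. A kind missing from
    # the weight table scores 1, so a new collector field is never silently zero.
    param(
        [Parameter(Mandatory)][object[]]$Findings,
        [Parameter(Mandatory)][hashtable]$Weights,
        [ValidateSet('Computer', 'User')][string]$GroupBy = 'Computer'
    )
    $Findings | Group-Object -Property $GroupBy | ForEach-Object {
        $points = foreach ($f in $_.Group) {
            if ($Weights.ContainsKey($f.Kind)) { $Weights[$f.Kind] } else { 1 }
        }
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            Subject  = $_.Name
            Score    = [int]($points | Measure-Object -Sum).Sum
            Findings = $_.Count
            Kinds    = ($_.Group.Kind | Sort-Object -Unique) -join ', '
            Latest   = $latest.Time
        }
    } | Sort-Object Score -Descending
}

# Worst offenders first (WS03 = 35, WS01 = 10, WS02 = 8 with the weights above);
# this ranked table is what the presentation stage would render.
Get-ViolationScore -Findings $findings -Weights $Weights               | Format-Table -AutoSize
Get-ViolationScore -Findings $findings -Weights $Weights -GroupBy User | Format-Table -AutoSize
```

Keeping the weights in a hashtable separate from the scoring function is what makes the "re-look at what we want out of this" cheap: changing what counts as a serious violation is an edit to five numbers, not to the collectors or the report. If the findings end up in a database, as Fred recommends, the same grouping is a GROUP BY over a weights lookup table.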