IT AUTOMATION

School of Computing & Information Sciences

IT AUTOMATION

Developed by Dr. Masoud Sadjadi

Powered by Kaseya & IT Scholars

Last updated on August 20, 2012

Lectures 4-5


Kaseya Fundamentals Workshop

LAB REVIEW


Part 1• Define Organization Structure

– Define fiu-<USERNAME> as the organization – Define SCIS, MR, GL and CEC as machine

groups for this organization.


Org & Machine GroupsScreenshot taken after Part1


Part 2 & 3• Create agent deployment packages

– “package4mr-<USERNAME>”– “package4scis-<USERNAME>”– “package4gl-<USERNAME>”– “package4cec-<USERNAME>”

• Deploy agents– dc and pc1: Manually– ws1: Using AD Users– guest1: Using AD Computers– laptop1: LAN Watch


Agent Deployment PackagesScreenshot taken after Part3


AD UsersScreenshot taken after Part3


AD ComputersScreenshot taken after Part3


LAN WatchScreenshot taken after Part3


Agent StatusScreenshot taken after Part3


Agent Icon in System TrayScreenshots taken after Part3


Part 4• Define a “view” named “Windows 2003

Server-<USERNAME>” that once selected will only show machines with Windows Server 2003 operating system on them.

• Define another “view” named “XP-<USERNAME>” that will only show machines with the Windows XP operating system on them.

• Make sure to check the correctness of this newly created “views” by trying them.


Views: Windows 2003 ServerScreenshot taken after Part4


Views: XPScreenshot taken after Part4


Part 5• Customize Agent Menus

– Remove the agent icon from the servers– On workstations, don’t allow users to exit– Provide an option inside of the agent menu to

go to your company’s website


Agent MenuScreenshot taken after Part5


Part 6• Use the Application Blocker to block solitaire.


Application BlockerScreenshot taken after Part6


Part 7• Generate a report through the Info Center

module showing the successful check-in and install of agents using Agent Logs report.


Agent Log ReportScreenshot taken after Part7


Progress CheckAre you done with all the Agent labs?

Have you checked the correctness of your work?


Questions?• Please type your questions in the chat

section of your GoToMeeting window.

• Remember that you can always send your questions to [email protected] too.

• If you are falling behind the steps in the lab, please just watch the presentation, take some notes, and perform your labs after the lecture.

mailto:[email protected]


Kaseya Fundamentals WorkshopAUDIT


Three Types of Audits• Baseline Audit

– The Baseline Audit captures the configuration of the system in a known working state.

• System Audit– The System Info captures the system’s information that

will rarely change (i.e., processor, disk drive, memory, etc.).

• Latest Audit – Latest Audit captures the most up-to-date

configuration of the system and you will configure it to audit changes made to the machine on a daily basis.


AUDIT• Baseline Audit and System Info should be

executed only once. • Baseline Audit, System Info, and Latest

Audit are done by default when an AGENT is installed on a machine.

• Future Topic - Use Policy Management Module to schedule the LATEST AUDIT for a specific Organization or Machine Group.


AUDIT• Assumption

– The auditing has been completed and scheduled

• Tasks– View the audit information of the computers


View Audit27. View all the tabs under the two groups, View Group Data and View

Individual Data. Note what type of information can be obtained through audit and what it can be used for future applications.


Audit Summary• View Audit Information.

– Audit Summary• Provides a view of the data returned by audits of machines.

– Configure Column Sets• Create NEW Column Sets


Revisit Machine Views• Views (Machine Views)• Review Imported Views from the IT Service

Delivery Kit.• Review specific Machine Views


Review Inventory Information• Perform an Inventory Data Walkthrough

– Machine Summary– System Information– Installed Applications

• All Executable Files– Add/Remove programs

• Note the Uninstall String for each Application– Software Licenses– Documents


Progress CheckDo you know the different types of audit?

Do you know how they are different?

Should all different audit types run at the same interval?



Agent Template vs.

Policy Management


Benefits of Agent Templates• Consistency of Service delivery

• Standard Practice

• Kaseya Agent Basic Configurations is pushed during initial Kaseya Agent Installation


Benefits of Policy Management• Consistency of Service delivery

• Standard Practice

• Ensure distributed systems are in Compliance with IT policies

• Simplify the application and management of policies based on Organizations or Machine Groups.


Agent Template vs.Policy management

• Agent Template will push agent configuration settings during initial Kaseya Agent Installation

• Policy Management will ensure that Agents will follow certain Agent Policies.– Allow for simplified policy enforcement across

distributed organizations.

• STAY TUNED…..


Agent Templates Settings• Agent settings are copied during

installation of Kaseya Agent– Agent Deployment Package can reference an

Agent Template


Agent Settings• Menu options• Credentials• Working Directory• Other options

– Audit Scan / Patch Scan– Event Log Settings– Agent – Alerts– Monitor Sets– Agent Procedures


LAB• Assumptions

– In the next few months a large number of computers will be added to your environment

– You figured that there are only three type of machines in your environment

• Tasks– Develop three customized agent templates

that incorporate the required agent settings for machines with similar roles

• Instructional lab computers• Guest computers• Servers


A Group for Agent Templates• Create a machine group for templates, called “Templates”.1. Open the System module. Go to Orgs / Groups / Depts > Manage.2. Verify if the Organization “FIU-<USERNAME>” is checked.3. Click on Machine Group on the right hand side of the module. 4. Click on New.


A Group for Agent Templates5. Create a group by typing its name “Templates” under Machine

Group Name. Click Save.


Creating Agent Templates• Create three agent templates: “Server”, “Instructional”, and “Guest”6. Open the Agent module. Go to Install Agents > Create.7. Type in “Server” in the textbox under New Machine ID.8. Select “Templates” under the Group ID textbox.9. Click on Create.10. Repeat steps 6-9 for the “InstructionalTemplate” and

“GuestTemplate”.


Note• An agent template will have an orange

square icon to emphasize the fact that the agent template will never be installed on a computer.

• Its sole purpose is to provide additional customized settings for agents with similar roles so that such setting can be added to the settings of already deployed agents or be used as part of an agent package.

http://kaseya2.cis.fiu.edu/AgentTab/agentStatus.asp


Progress CheckDo you know how Agent Templates and

Policy Management are different?

When should you use Agent Templates?

When should you use Policy Management?

Have you created the three agent templates?



PATCH MANAGEMENT


Patch Management• Patch Scan• Patch Policy• File Source• Reboot Action• Patch Update


Background Story• At this time, operating system patches are

applied on an individual basis.• An organized and closely monitored

method is needed to facilitate and monitor distribution and application of all necessary patches to the managed computers.

• Kaseya's Patch Management module allows you to accomplish all these tasks and monitor patch activities.


Exercises• Implement policies that will keep the

computers updated and avoid potential security risks by having non-patched computers within the environment.

• Set up Kaseya to scan all the computers to allow the VSA to keep a detailed record as to which patches have been installed.

• Configure Kaseya to download the patches from one central server to save bandwidth and decrease redundant network traffic.


LAB• Tasks

– To keep an accurate record of all the patches installed on each computer, it would be best to schedule a scan, through Kaseya's VSA, to all the computers.

– While this is not a heavy process, it would still be best to schedule the scan during a time when the computer is otherwise idle.


Patch Scan• Using Scan Machine, schedule a scan to run every day at 3:00am on

all the agent templates.1. Open the Patch Management module. Go to Manage Machines >

Scan Machine.


Patch Scan1. Go to Manage Machines > Scan Machine.


Patch Scan2. Select all the agent templates.3. Click on the Schedule button.


Patch Scan4. Set the scan to run

Daily at 3:00am with a Distribution window of 1 hour.

5. Click on Submit.


Progress CheckHave you scheduled a patch scan on all

your agent templates?

Have you run an initial patch scan on all your machine?

Note: You need to do this at least once on one Windows 2003 and one XP machines, so that your KServer is aware of what operating systems are in your network.


LAB• Background information

– Policies are like templates in which you can approve/deny a group of patches, or an individual patch.

• Tasks– Create two policies

• One for all the XP machines • One for the Windows 2003 Server machines

– The policies should automatically apply • All Security Updates approved on all machines • All optional updates pending approval.


Note• We create W2K3 and XP templates.

– If there were Windows 2008 servers or other servers in the environment, it would be better to name the policy for all the Windows servers as just "Servers”

– By the same token, if the were other workstations in the environment, it would be better to name the policy for all the workstations as just "Workstations".


Creating Patch Policy for W2K3• Create a patch policy, W2K3-PM-Policy-<USERNAME>• Set it to apply all future Security Updates by

default. • Everything else should be set to Pending

Approval. • Use a filter to deny patches that are optional

and have not been superseded by other updates.


Creating Patch Policy for W2K36. Go to Patch Management > Patch Policy > Create/Delete.7. Type “W2K3-PM-Policy-<USERNAME>” for the policy name.8. Click on Create.


Creating Patch Policy for W2K39. Go to Patch Policy > Approval by Policy.10. Select “W2K3-PM-Policy-<USERNAME>” under the Policy dropdown

list.11. Click on the green checkmark for all the Security Update rows. The

Green checkmark is under the column Default Approval Status.12. Make sure the other rows’ Default Approval Status is set to Pending

Approval.13. Click on Total at the bottom of the table. A new page will load up.


Creating Patch Policy for W2K3


Note • If the links on this page are not available or

some of the patch categories are not listed, it basically means that you have not yet done any patch scan on your machines.

• Make sure to perform a patch scan on dc and one of the XP machines before defining the patch policies.


Creating Patch Policy for W2K314. Click on Filter... A new window will open up.


Creating Patch Policy for W2K315. Select Optional Updates from the Classification / Type dropdown.16. Select Not Superseded from the Superseded dropdown.17. Click on Apply


Creating Patch Policy for W2K318. Click on Select All.19. Click on Deny.


Creating Patch Policy for XP• A patch policy, XP-PM-Policy-<USERNAME>

• Set it to all future Security Updates by default• Everything else should be set to Pending

Approval.


Creating Patch Policy for XP20. Go to Patch Management > Patch Policy > Create/Delete.21. Type “XP-PM-Policy-<USERNAME>” for the policy name.22. Click on Create.


Creating Patch Policy for XP23. Go to Patch Management > Patch Policy > Approval by Policy.24. Select “XP-PM-Policy-<USERNAME>” under the Policy dropdown list.25. Click on the green checkmark for all the Security Update rows..26. Set the other rows’ Default Approval Status to Pending Approval.


Creating Patch Policy for XP• Approve all Security Updates for all patch policies.27. Go to Patch Management > Patch Policy > Approve By Patch.28. Click on Edit next to Patch View. A new window will open up.


Creating Patch Policy for XP29. Select All Security

Updates (High Priority) from the Classification / Type dropdown.

30. Select Not Superseded from the Superseded dropdown.

31. Type “<USERNAME> Patch View” in the View Name textbox. Click on Save.


Creating Patch Policy for XP32. Click on Select All.33. Click on Approve.


Patch Policy• Policy / Group By Views

– Classification vs. Product Views

Note:Between the two views the Default Approval Status is determined by:

Highest --------------------- LowestDenied Pending

Approved Approval


Null Patch Policy• A null patch policy is one that all its patches

are set to the default Pending Approval status.

• Note that once this policy is applied to any machine, no patches would be approved, as Pending Approval acts like denied, and when combined with any other policies, the result is not applying any patches.

• This is useful when you want, for example, to temporarily not let any patches to be installed on a group of machines.


Progress CheckHave you created the two patch policies?

Have you approved and denied the patches for these two patch policies?

Do you know what is a Null Patch Policy?


LAB• Background information

– Downloading all the patches to a file server and distributing it to all the machines on network will allow you to save bandwidth.

• Tasks– Configure all the templates to pull from the file

server • Using the UNC path \\192.168.0.10\PatchTemp • Set the patch directory to “C:\PatchTemp” on the

dc• If the computer cannot access DC, it should then

download from the Internet.


Note• Note that instead of \\dc\PatchTemp, we

use \\192.168.0.10\PatchTemp, as pc1 and laptop1 cannot resolve “dc”, because they are not part of the FIU domain.

• If you look at the network diagram, you can see that 192.168.0.10 is actually the IP address of one of the cards on dc.

• Yes, you could use the IP address of dc’s other network card (i.e., 192.168.1.10) instead too.


Setting Patch File Source• Using File Source set up all the machines so that they download their

updates from the DC. If the DC is unreachable, the machine should then download it from the Internet. The UNC path should be “\\dc\PatchTemp” while the local directory should be “C:\PatchTemp”.

39. Open the Patch Management module. Go to Configure > File Source.40. Select all the agent templates.41. Select Pulled from file server using UNC path.42. Type “\\dc\PatchTemp” next to Pulled from file server using UNC

path.43. Select “fiu-<USERNAME>.mr” next to Machine Group Filter.44. Select “dc.mr.fiu-<USERNAME>” next to File share located on.45. Type in “C:\PatchTemp” next to in local directory.46. Select the Download from Internet if machine is unable to connect

to the file server checkbox..Click on Apply.


Setting Patch File Source


LAB• Background Information

– Certain updates require the Windows OS to restart to finish installation.

• Tasks – Set up the XP machines so that they restart

only when a user is not online. – For servers, set up an email notification so that

you can plan the restart and notify in advance the users of the server maintenance.


Setting Reboot Action• Use Reboot Action to set the Guest and Instructor templates to Skip

reboot if user logged in immediately after applying new patches and updates. Then, set the Server template to notify you immediately, via email, when a reboot is required after applying new patches and updates.

47. Open the Patch Management module. Go to Configure > Reboot Action.

48. Select the Guest and Instructor templates. 49. Click on Skip reboot if user logged in.50. Click on Apply.51. Repeat steps 47-50 for the Server template. Set the Server template

to send the reboot notification to your personal email.

Why do we need to change the Server Template Reboot Action from the default Skip reboot if user logged in?


Setting Reboot Action


Note• Setting to skip reboot means it may take longer for the

patch to take effect, thus increasing the risk of vulnerability.

• The instructional computers are set to reboot at night automatically after an install, since no user work at night and we do not worry about losing open files.

• However if the target machines were end user machines, the best policy would be to set the workstations to "ask" and reboot if not logged in.

• The KaUsrTsk.exe is the application that determines whether a user is logged in or not.


LAB• Assumptions

– We have setup the patch policies to our liking.• Tasks

– We need to setup Kaseya to apply the patches automatically to the machines.


Applying Patch Policies52. Go to Patch Management > Manage Machines > Automatic Update.


Applying Patch Policies53. Select all the template agents in the list


Applying Patch Policies54. Click on Schedule


Applying Patch Policies55. Click on Daily56. Set the run time to

5:00 AM with a distribution window of 1 hour.

57. Click on Submit


LAB• Assumptions

– All three agents templates contain all the patch management settings.

• Tasks– Push the settings captured in the templates to

all the currently deployed agents with the similar roles.


Copy Settings• Copy the settings from the templates to the

specified computers on the network. – Server template will be used for the MR

building. – Instructional template will be used for the SCIS

and CEC buildings. – Guest template will be used for the GL

building.


Copy Settings58. Open the Agent module. Go to Configure Agents > Copy Settings.59. Click on select machine ID link and a new window will open up.


Copy Settings60. Select “fiu-<USERNAME>.templates”.61. Click on “Server” from the list of templates shown.


Copy Settings62. Select All under Do Not Copy, Replace for Patch Settings, Patch File

Source and Patch Policy Memberships, Agent Procedure Schedules.


Copy Settings• Note: When you have a schedule in Agent Procedures activity on an

agent template, you need to make sure Agent Procedure Schedules is selected in copy settings.

63. Select all the computers in the MR building and click on the Copy button.

64. Repeat steps 52-57 for the Instructional and Guest templates.


Progress CheckHave you setup the File Source?

Did you apply the policies to the machines?

Did you see some patches to appear in the File Source on dc?

Does the reboot actions are set as instructed?


LAB• Background Information

– Windows Automatic Update can interfere with the functionality of Kaseya's Patch Management and must be disabled.

• Tasks– Disable Windows Automatic Update for all computers.

Note: In previous versions of Kaseya, Kaseya did not support applying Windows auto update option to agent templates. In the current version, however, this is supported.


Disabling Windows Auto Update65. Open the Patch Management

module. Go to Configure > Windows Auto Update.

66. Select all the computers.67. Select Disable – Disable Windows

automatic Update to let patch management control system patching.

68. Click on Apply.


Note• If the checkboxes are missing, please wait

5-10 minutes and refresh the page as the Patch Scan is not completed yet.

• Checkboxes will not display for any machine that either has an operating system that does not support Windows Automatic Updates, or for which an initial Scan Machine has not been completed.


LAB• Assumptions

– Microsoft has released a new KB article and it entails a new version of Internet Explorer; however, management has asked you not to install it and to prevent future installations of it via Windows Updates.

• Tasks– Use KB Override to accomplish this task since it

will override all current patch policies and future patches.

– KB article (KB944036) for IE8.


Denying a Patch Globally• Prevent Internet Explorer from installing by using KB Override.69. Go to Patch Management > Patch Policy > KB Override.70. Type in “944036” in the KB Article textbox.71. Click Deny.


Note• If this patch has already been denied, it

means that another administrator who shares this Kaseya server with you have already performed this task.

• If this is the case, you can first remove it, by clicking on the X icon, and add this setting by going through the above steps.

• This way, you will make sure that your work is reflected in the system logs for future reference.


Initial Update• One Time Patch Update

– Initial Update will complete a patch update process on machines

• NOTE: All patches that are approved will be installed. If no Patch Policy is assigned all patches will be installed

• NOTE: It will automatically reboot the machines without any warning.


Progress CheckHave you turned off the Windows auto

update?

Were you able to use the KB Override?


THE END!

IT AUTOMATION

Documents

Transcript of IT AUTOMATION