Monday, March 21, 2011

MED-V Step by Step Setup Guide | Part 1: Server Setup Prerequisites

In Part 1 of the MED-V Step by Step Setup Guide, I'll concentrate on the prerequisites for the MED-V server setup. First, we need to enable the Web Server (IIS) role, followed by features such as .NET Framework 3.5.1 and BITS. Lastly, we will install SQL Server 2008 SP2 Express Edition.
Open Server Manager, click Roles, and then click Add Roles
Click Next on the Before You Begin tab
Tick the Web Server IIS role on the Server Roles tab
Click Next on the Web Server (IIS) tab
Scroll down to the Security section and tick the following services:
- Basic Authentication
- Windows Authentication
- Client Certificate Mapping Authentication
Click Next once you’re done
Click Install on the Confirmation tab
Click Close after the installation has finished
Go back to the Server Manager and this time click on the Features option
Tick the .NET Framework 3.5.1 features and BITS. A pop-up window (see below) will appear once you tick the features.
Click Add Required Roles
Click Add Required Roles
Click Next on the Web Server (IIS) tab
Click Next on the Role Services tab
Click Install on the Confirmation tab
Click Close once the installation is done
Next, we will proceed to the SQL Server installation. MED-V supports both SQL Server 2005 Express Edition and SQL Server 2008 Express Edition. In my case, I'm using SQL Server 2008 SP2 Express Edition. You can download it here.
After SQL Server setup has finished extracting, click the Installation tab. Select the first option, New SQL Server stand-alone installation or add features to an existing installation
Click OK on the Setup Support Rules page
Click Next on the Product Key tab
Accept the license terms and then click Next
Click Next on the Setup Support Files tab
Click Next on the Setup Support Rules tab
On the Features Selection page, tick the Database Engine Services and then click Next
Click Next on the Instance Configuration tab
Click Next on the Disk Space Requirement page
On the Server Configuration page, set the Account Name of the SQL Server Database Engine service to NT AUTHORITY\SYSTEM. Click Next when you're done.
On the Database Engine Configuration page, Account Provisioning tab, select Mixed Mode (SQL Server authentication and Windows authentication) as the Authentication Mode. Enter a complex password (P@ssw0rd in my case). Click Add Current User to specify the SQL Server administrators. Click Next once you're done.
Click Next on the Error and Usage Reporting page
Click Next on the Installation Rules page
Click Next on the Ready to Install page to proceed with the installation
Click Next on the Installation Progress page
Click Close once the installation has completed
Hooray... You've done all the prerequisites. Next, we will proceed to Part 2: MED-V Server Installation and Configuration. Stay tuned!
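The same prerequisites can be scripted and verified from an elevated PowerShell prompt instead of clicking through Server Manager. This is an added example, not part of the original guide; it assumes Windows Server 2008 R2 (ServerManager module), a SQL Express instance named SQLEXPRESS, and sqlcmd on the PATH.

```powershell
# Added example (not from the original post): install and verify the Part 1
# prerequisites from PowerShell. Assumes Windows Server 2008 R2, the default
# SQLEXPRESS instance name, and sqlcmd from the SQL Server client tools.
Import-Module ServerManager

# Feature names matching the Server Manager items ticked in the post
$required = @(
    'Web-Server',          # Web Server (IIS) role
    'Web-Basic-Auth',      # Security > Basic Authentication
    'Web-Windows-Auth',    # Security > Windows Authentication
    'Web-Client-Auth',     # Security > Client Certificate Mapping Authentication
    'NET-Framework-Core',  # .NET Framework 3.5.1
    'BITS'                 # Background Intelligent Transfer Service
)

$missing = Get-WindowsFeature $required | Where-Object { -not $_.Installed }
if ($missing) {
    # Add-WindowsFeature pulls in dependent role services on its own,
    # the scripted equivalent of clicking "Add Required Role Services".
    $result = $missing | Add-WindowsFeature
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A reboot is required before continuing with Part 2.'
    }
}

# Re-check: every required feature should now report Installed = True
Get-WindowsFeature $required | Select-Object Name, Installed | Format-Table -AutoSize

# SQL Server Express: the Database Engine service must be running, and the
# instance must accept Mixed Mode logins as selected during setup
# (SERVERPROPERTY('IsIntegratedSecurityOnly') = 0 means Mixed Mode).
# -E uses the current Windows logon, so the sa password never sits in a script.
$svc = Get-Service 'MSSQL$SQLEXPRESS' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'SQL Server Express instance SQLEXPRESS is not running.'
} else {
    $query = "SET NOCOUNT ON; SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
    $mode  = & sqlcmd -S '.\SQLEXPRESS' -E -h -1 -W -Q $query
    if (($mode | Select-Object -Last 1).Trim() -eq '0') {
        'SQL Server authentication mode: Mixed Mode (as required by the guide)'
    } else {
        'SQL Server authentication mode: Windows Authentication only'
    }
}
```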

Thursday, March 17, 2011

IOS privilege and Show Running Dispute

When this particular user is created with privilege level 10, and only show running-config is assigned to that privilege level, to my surprise it only shows a blank configuration. Initially it was considered to be a Cisco bug. When I dug further, it turned out that this is Cisco's design and not a bug.

Please refer below for details:
IOS Privilege Levels Cannot See Complete Running Configuration

Cisco IOS comes with 16 privilege levels, from 0 to 15. By default, Cisco assigns commands to only three of these privilege levels: zero, user, and enable. There are five commands at privilege level zero: disable, enable, exit, help, and logout. User EXEC mode is privilege level 1 (the default level when you log in). Privileged EXEC mode is privilege level 15 (enable mode, equivalent to root access on Linux).

To assign a privilege level to a user:

Router(config)# username support password abc privilege 5
Router# show privilege
Current privilege level is 5

To assign a privilege level to a particular command:

Router#configure terminal
Router(config)#privilege exec level 1 show running-config


Problem finding:
The show running-config command displays only the commands that the current user is able to modify; in other words, it shows only the configuration sections at or below the user's current privilege level.

Solution:
1- Instead of using show run, we may use show startup-config, but it may show stale configuration and might not be an exact replica of the running configuration.
2- We may use the following commands:

username printconfig privilege 10 password test

username printconfig privilege 15 autocommand show running
 
With this, when the user logs in, the show running-config command is executed immediately, but the user is then logged out immediately. So we are left with the configuration, but we need some other account to perform troubleshooting, etc.



Reference:
How to Configure Local Username Database in Cisco IOS
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

IOS Privilege Levels Cannot See Complete Running Configuration
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Restricting Restart/Shutdown Rights

I am here to give you some hints about restricting the server restart/shutdown rights of any user role, including local administrators and even domain admins. Contrary to what the title says, you can also give the restart/shutdown right to any user or group. For example, a standard user can restart/shutdown a server by remotely executing commands with psexec, while a domain admin cannot.

First of all, I would like to give a little background on why you would need to prevent a local administrator from restarting/shutting down a server. If you and your team are the only people who log in to the server, there is no problem with that scenario. But in some cases you may have to give local administrator rights to application admins, as on almost every server I manage. Of course the best practice is not to give admin rights to application admins, but there are lots of 3rd party tools that require the application admin to have admin rights on the server.

As the following figure shows, you can restrict restart/shutdown from the Local Security Policy:

Run --> gpedit.msc --> Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Shut down the system.


If you remove all users and groups from the list, nobody will be able to restart/shutdown the server. Depending on your case, you can restrict this setting however you want. But do not forget that a local administrator has the right to change this policy, so in a workgroup environment you may not be able to restrict a local administrator. Here comes another advantage of using domains: if your server is in a domain and you change this setting through a Group Policy, a local administrator will not be able to change it from the local policy. Instead, the administrator will see a grayed-out screen.
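To check who actually holds the right after the policy (local or Group Policy) has applied, the effective setting can be audited from PowerShell rather than by opening gpedit.msc. This is an added example, not from the original post; it assumes an elevated prompt so that secedit can export the local security database, and it also reports "Force shutdown from a remote system" (SeRemoteShutdownPrivilege), the right used when shutdown is requested over the network.

```powershell
# Added example (not from the original post): list the accounts holding the
# "Shut down the system" right (SeShutdownPrivilege) and the related
# "Force shutdown from a remote system" right (SeRemoteShutdownPrivilege)
# on this server, by exporting the effective local security policy with secedit.
# Assumes an elevated PowerShell session.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Sid([string]$sid) {
    # secedit writes holders as SIDs prefixed with '*'; translate them to names
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # unresolvable SID (e.g. a deleted account): keep raw value
}

foreach ($right in 'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege') {
    # Exported line looks like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $line    = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    $holders = @()
    if ($line) {
        $value = ($line -split '=', 2)[1].Trim()
        if ($value) {
            $holders = $value -split ',' | ForEach-Object { Resolve-Sid ($_.TrimStart('*')) }
        }
    }
    if ($holders.Count -eq 0) {
        # Empty list = the state the post describes: nobody can restart/shutdown
        "$right : nobody (right not assigned to any user or group)"
    } else {
        "$right : $($holders -join ', ')"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Whether the current logon token itself carries the right, which is what a
# command launched through psexec under this account would inherit.
# whoami /priv lists a privilege only if it is present in the token at all.
$hasShutdown = (& whoami /priv) -match '^SeShutdownPrivilege\s'
"Current token holds SeShutdownPrivilege: $([bool]$hasShutdown)"
```

If the server receives the setting from a Group Policy, the exported values reflect the GPO-applied list, which is the one a local administrator cannot edit from the grayed-out local policy screen.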