PowerShell Summit 2014 Recap – Day 1

Well PowerShell Summit 2014 is in the books, and wow, what an event. I feel like I could write an entire blog post about how great the food alone was. If you didn’t make it to the event, I cannot express strongly enough that you need to do everything in your power to get to PowerShell Summit 2015 in Charlotte, NC. Start planning now. Start talking to your boss(es) now. Halfway through the very first day I felt like I had already gotten my money’s worth. Not only was the content of every session fantastic (and in most cases mind blowingly awesome), but the connections you make with people will pay for the trip itself. It was awesome to be able to meet and speak with people I had only previously known from reading their blogs, interacting with them on Twitter, or watching videos of presentations they had done on YouTube.

On to the recap!

Session #1
PowerShell Just in Time / Just Enough Admin – Security in a Post-Snowden world
Jeffrey Snover

This session was a tremendous way to get the week started. Just Enough Admin (JEA) is a PowerShell Toolkit focuses on securing your environment by reducing exposure to admins and administrative accounts. One of the things Jeffrey talked about what was an NSA document exposed by Snowden that showed the NSA was actively targeting Systems Administrators. You can find the document itself here and a breakdown of that document here.  The JEA Toolkit allows you to reduce the number of admin privileges and the scope of those privileges by being able to perform admin tasks without being an admin.

Briefly this is how it works:

  • JEA Toolkit allows you to create remote endpoints on servers with a specified set of abilities (restart services, run certain commands, etc.)
  • These endpoints create a local admin account with admin access that anyone that connects to that endpoint runs as when performing tasks
  • This local admin account has a 127 character password that is reset nightly (or more often if you like, however each time its reset requires a WinRM restart.  This will be fixed in a future release).

Next Steps:

  • Works Hours – Who can access which endpoints when
  • Work Tasks – One shot work hours
  • 2 Factor Authentication (I am pretty sure this is right, my notes and handwriting on this are a little sloppy)
  • DSC Driven Safe Harbors and Jump Boxes (more on this in a different session recap below, but HOLY CRAP!)
  • GUI Tools/Toolkits over JEA Endpoints
  • Approve users for a specific endpoint for a specific time frame (ie 5 minutes to restart a service)
  • Collect logs of a JEA session for an audit trail

Session # 2,3,4
The Life and Times of a DSC Resource
Building Scalable Configurations
Patterns for Implementing Configuration with a DSC Pull Server
Steven Murawski

Since these are all about DSC I am just going to lump them all in together. Having all three of these sessions back-to-back-to-back was really beneficial because they all built on each other. It was awesome to see the real world Configurations Steve is using at Stack Exchange and just as importantly, the process he went through to get those Configurations to where they are today.

Some notes from the session(s):

  • DSC Resources should be Discrete, Flexible, Resilient, Idempotent, Chatty (in the logging sense)
  • Use and love Test-DSCResource when building your own Resources
  • Friendly name of a Resource can (and probably should) be different than the Resource name
  • Writing your own Resources requires debugging and error-handling.  DSC Resources are not interactive.  Write-Verbose is your friend.
  • DSC Resources run in the System context
  • Every Configuration he uses has a ConfigData Hashtable in it’s own .ps1 file
  • You can filter your AllNodes data like Node $AllNodes.Where{$_.Role -Like WebServer}.NodeName
  • Composite Resources are key!  Helps to streamline the creation of the .MOF document
  • Considerations for Implementing a Pull Server Environment:  Build Script(s), Source Control, Build Servers, Operations, Logging
  • There are modules on GitHub he has created to speed up and streamline the process of creating, building and deploying Configurations.  You can find those here.

Session #5
Using PowerShell Workflows
Trevor Sullivan

I personally didn’t see anything here that I hadn’t seen or heard before, so I don’t have much to say about it. Some notes that I did write down were:

  • Only supported in Version 3.0 or Later
  • Remoting Enabled requires ports TCP 5985 and TCP 5986 (For SSL)
  • Can be setup to use SSL (which from the way he talked about it, sounds painful)

Session #6
SCOM – PowerShell Goodness
Jeff Truman

If you use SCOM on a regular basis there wasn’t anything new here.  However!  It was worth going because one of the attendee’s (I don’t know who it was) said that using Active Directory integration that you can install the SCOM agent on a template, and when the machine comes online the agent will show as Managed, and not as a manual agent install you need to approve.  I need to figure out how to do this!  If anyone has information on this I would like to speak to you about it :).

Session #7
Proper Tooling through PowerShell
Jim Christopher

This session was great.  Jim is a great speaker and was able to present using a lot of humor and a real world example that was easy to follow and he explained how it applied to everyone in the room.

Some takeaways from his presentation:

  • Tools should assume batch operations, not single ones
  • Do not assume a human presence.  That is, don’t assume someone is sitting there waiting to put in input or respond to the tool
  • His Entity Shell Module that he created and used for this presentation can be found here.

He also had a hilarious exchange with Steve Murawski.  Jim kept using ForEach in his example and Steve commented that he “died a little every time you use ForEach”.  Jim responded by typing out a bunch of ForEach code blocks on the screen which got a laugh from everyone.

That’s it for the Day 1 recap.  Day 2 coming later!