Author Archives: Don Jones

About Don Jones

Don Jones is a Windows PowerShell MVP, author of several Windows PowerShell books (and other IT books), Co-founder and President/CEO of PowerShell.org, PowerShell columnist for Microsoft TechNet Magazine, PowerShell educator, and designer/author of several Windows PowerShell courses (including Microsoft's). Power to the shell!

Free Online Access to TechLetter Back Issues


Did you know that PowerShell.org has, for more than a year now, offered a mostly-monthly TechLetter e-mail newsletter? It’s stuffed with community news, announcements (like our free webinar schedule), feature articles on PowerShell, and much more. It’s a great way to learn a little bit at a time, and it’s truly awesome content.

And we keep back issues for your perusal!

You can find the back issues online. We post all but the most recent 2-3 issues, but of course you can subscribe and have them delivered right to your inbox around the middle of most months.

We’re always on the lookout for new content, too – and if you’re thinking, “oh, I have nothing really to share,” you’re wrong! It can be as simple as an article about something you figured out. With more than 5,000 subscribers, someone’s sure to appreciate your perspective! Contact our Editors at PowerShell.org via e-mail to submit your article, or to suggest an article idea.

And please – tell a friend!

Wish List: Better Code Formatting in the Forums (Can You Help?)


I know it’s been a “wish” of many folks for our forums to have better code formatting. Well, if you know some PHP and a little about WordPress, you can make it happen.

What we need is a WordPress plugin that hooks the action for post displays. The plugin needs to take the post body, and look for anything contained within HTML “code” tags or “pre” tags.

Within that content, the plugin needs to strip any further code/pre tags (WordPress has a bit of a glitch where it’ll sometimes nest them). It should then HTML-encode the remaining content to turn any backticks into an HTML entity. Finally, it should color-code the content, or whatever, and hand it back to WordPress for display.

If you think you might be interested, let me know.

There ARE existing code formatters. But they have some weaknesses:

  • Many require you to use a custom shortcode, which our forums users won’t pick up on. Getting folks to use the standard CODE tag, which is even on the toolbar, is hard enough.
  • Most require additional directives to specify the language and whatnot that will be formatted – that’s a hurdle people, in the past, weren’t able to grasp.
  • Some use extensive client-side JavaScript, which is heavy, performs poorly, and doesn’t interact well with some of the other JavaScript on the site.
  • Many don’t accommodate WordPress’ treatment of backticks. WP wants them to be code delimiters, but obviously in PowerShell the backtick is important for other reasons.

What we need isn’t giant, and it isn’t complicated, it’ll just require some time.

UPDATE: I’m working on it.

UPDATE: I think I got it. I’m using the GeSHi parser Joel uses on PoshCode.org, although I’ve applied different CSS style to it. If anyone would like to tackle improving that parser, or the CSS, you can hit me up and I’ll give you the code as it stands. But as-is, we get line-numbered, colorized syntax in a scrollable window when you use

 to enclose your code blocks. WordPress backticks aren’t allowed for code, and inline code isn’t supported. Older HTML-style CODE and PRE tags will be converted automatically. I think.

Quick Tip: WMI vs. CIM Syntax



# List all classes in a namespace
Get-CimClass -Namespace root\CIMv2
Get-WmiObject -Namespace root\CIMv2 -List

# list all classes containing “service” in their name
Get-CimClass -Namespace root\CIMv2 | Where CimClassName -like ‘*service*’ | Sort CimClassName

(or)

Get-CimClass -Namespace root\CIMv2 -Classname *service*
Get-WmiObject -Namespace root\CIMv2 -List | Where Name -like ‘*service*’ | Sort Name

# get all class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem

# filter class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_LogicalDisk -Filter “DriveType=3″
Get-WmiObject -Namespace root\CIMv2 -Class Win32_LogicalDisk -Filter “DriveType=3″

# show all properties
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | Get-Member
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | Get-Member

# show all properties and values
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | fl *
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | fl *

# remote computer
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_BIOS -ComputerName dc,win81
Get-WmiObject -Namespace root\CIMv2 -Class Win32_BIOS -ComputerName dc,win81

# use CIM command to talk to non-CIM computer
Get-CimInstance -Namespace root\CIMv2 -ClassName win32_BIOS -CimSession (
New-CimSession -ComputerName OLD-XP-PC -SessionOption (
New-CimSessionOption -Protocol Dcom
)
)

PowerShell.org Annual Operating Budget


As we approach our annual shareholder meeting for PowerShell.org, Inc., I wanted to take a moment and share some details about our 2014-2015 operating budget.

First, you can always review the budget spreadsheet in our OneDrive account. This is updated as our plans change, prices rise, and so on; you’re welcome to check back whenever you like.

Now, let’s talk about some of our organizational goals, and what some of the items in the spreadsheet mean. As you know, we’ve been fortunate to have the support of several corporate sponsors since our invention. MVP Systems, Interface Technical Training, CBT Nuggets, and SAPIEN Technologies have been amongst those helping us out; Interface and SAPIEN both signed on for a generous three-year commitment right when we launched, and we couldn’t have gotten to this point without them. However, we know that companies’ goals and positions change over time, so we’ve been trying to drive to a point where we didn’t need to rely on corporate sponsorship. We now believe that the PowerShell Summit is stable enough that, with a conservative budget, we can meet our operational needs out of the profits from the North America and Europe events.

As a note, PowerShell.org isn’t classified as a nonprofit; we’re a not-for-profit. We’re legally allowed to make a profit; it just isn’t a goal. The corporation pays Federal income tax on any profits, although most of our income is spent on expenses, which end up being deductions.

As you’ll notice in the spreadsheet, we believe we can meet our annual operating budget by applying a $175 overhead charge to each attendee of the Summit, assuming we get 100 attendees between the two events annually. That’s conservative; the N.A. show has done 100 and 150, in its two years. So in reality the number can probably be much smaller.

Our $750 annual AWPP fee includes Summit admission, VERIFIED EFFECTIVE exams, and other benefits; our operating budget reflects the costs for these items (including virtual machine hosting for the examination program). So $175 of that $750 is earmarked for PowerShell.org; that leaves $575 to cover actual Summit expenses. Due to the exchange rate, Europe is our worst-case show for expenses, with a $330/person overhead for food and beverage. The remaining $245 goes to cover speaker overhead: speaker food and beverage (we admit them to the event for free, but they still eat), and some speaker travel reimbursement. With 50 paid attendees, that’s $12,250 in overhead income. Subtract $3300 for 10 speakers’ F&B, and we have about $9000 left to cover other expenses, including some speaker travel reimbursement. The US shows do somewhat better; in reality; we probably will take less than the $175 per person from the Europe show, to allow for more speaker travel expenses, and take a bit more from the US show where our expenses are lower and attendance is known to be higher.

Most of the budget line items should be fairly self-explanatory. In some cases, we’re receiving some of the services for free at present; we’ve budgeted to pays for them should our free ride ever end. You’re welcome to ask about anything that seems unclear, too. But you’ll notice that there’s no budget for salaries: nobody associated with PowerShell.org, Inc. is paid for their efforts. We’re run by volunteers.

So what happens when we get 200 global Summit attendees instead of the 100 we budget for? That’ll give us an operational pad. In most cases, it means we’ll be able to be a bit more elaborate with the Summit itself, buying some food for an evening event, for example. As I mentioned, it’ll also allow us to better reimburse speakers for their out-of-pocket travel expenses, which is definitely a goal. In fact, one reason we’ve tried to pay the operational budget from just half our expected attendance is specifically so we’ll have extra funds so that speakers don’t have to be entirely out-of-pocket to present at the Summits.

I hope this is helpful. As always, feel free to post your questions.

Analyzing the “Black Magic” PowerShell “Exploit” and Appropriate Actions


Trend Micro released a report on a new PowerShell-vectored exploit named Black Magic. I had a lovely Twitter conversation about what this means in terms of PowerShell’s vulnerability to attack, and what admins should do. Unfortunately Twitter sucks for carrying on that kind of conversation, so I wanted to post this to clarify a few things.

First, I’m going to write this article as if “you” were hit by this exploit. Don’t take it personally, it’s just an easier style of language for me – it’s not actually addressing you.

Second, when it comes to security, the goal is to stop attacks from happening. That means you have to consider all the ways something could nail you, and try to block as many of them as is practical. That’s called “defense in depth,” giving you multiple layers of defense. The corollary to that is that your environment must still be functional. I mean, from a secure standpoint, if I unplugged all the WiFi access points and Ethernet switches you have, you’d be pretty secure. And non-functional.

Third… and I don’t know how to be delicate about this, but a lot of admins out there aren’t very sophisticated about security. There’s sometimes a tendency to fix what they can get their hands on, whether or not that makes any impact on security or not. So let’s be very clear about what you do when it comes to security: You do as little as possible, and impinge as little functionality as possible, while achieving your security goals. That helps maintain a “functional” environment, and keeps the security aspect of it “maintainable.” Sometimes, “as little as possible” is quite a lot indeed – but you look for that balance. Finally, you almost never do anything to “improve” security if it is in fact a null improvement. That is, you don’t lock the doors if the windows can’t be closed. There’s no point.

Now, let’s look at how Black Magic operates.

 

Step 1: Social Engineering

The exploit comes in the form of an .LNK e-mail attachment. That’s a Windows shortcut file. Users are meant to double-click it, and the shortcut launches a PowerShell session with the execution policy essentially turned off.

Problem 1: You let users get .LNK e-mail attachments from external users. This is stupid. Users shouldn’t be able to receive executable file types. Note that a .PS1 file isn’t an executable file type, which is why the exploit had to take this action. If you’d blocked .LNK attachments at the firewall, the exploit would be useless.

Problem 2: Your users are opening file attachments from people they don’t know. There is no technical way to protect an environment where users aren’t doing the right thing. No way. Just give up. This is why I keep going on about building a “culture of security.” If your users’ job descriptions, or your company employee manual, doesn’t say something to the effect of, “employees must be able to safely operate company computers in accordance with company policies and standards,” then you’re just doomed. If it does say that, and a user does open an attachment like this, you write them up and eventually fire them. If you think you can stop stupid users from bypassing every security measure you put in place, you are dumber than they are. You have to fix the social engineering element. There is almost no point in trying anything else, because users will get around it.

I know. A lot of you are shrugging and saying, “well, you can’t fix users, so I’ll just lock down PowerShell.” It won’t work.

I once, and rather famously, refused to help a law firm client get their NTFS file permissions under control, because they let users print sensitive documents and leave them lying around the office. Don’t bother locking the door if the windows are open.

 

Step 2: The Download

One of the elements of the Twitter discussion was, “maybe standard users shouldn’t have PowerShell able to run, because it’s so powerful and can be exploited so easily.”

Um, no.

First: PowerShell’s execution policy is not a measure against malware. It was never designed to be, so don’t be disappointed when it isn’t. If you thought it was, you were wrong, and that’s your fault for not educating yourself, not Microsoft’s fault for failing to do something they never set out to do in the first place.

Second: PowerShell only lets you do what you have permission to do. The Black Magic exploit used PowerShell simply to download a file from the Internet. That’s it. It didn’t wipe out Active Directory, it didn’t erase a file server, and it didn’t start grabbing messages out of Exchange, because normal users can’t do those things.

Would locking down PowerShell, so that normal users couldn’t run it, have stopped this exploit? No, because normal users have an abundance of ways to download files, and the exploit would simply have used a different one. PowerShell was convenient here, not necessary. If you’re going to posit locking down PowerShell, you must also lock down every other possible means of downloading a file from the Internet, or you’ve done nothing to impact security. Nothing.

PowerShell is not powerful. Erase that from your mind. Everything PowerShell is and does comes from the .NET Framework installed on every one of your computers, which your users have full access to. PowerShell is nothing more than a human-friendly way of getting to the Framework without needing Visual Studio on-hand. You could erase PowerShell and 100% of its functionality would still be present and absolutely usable by an exploit. Get your brain wrapped around that, because it’s an important concept.

Problem 3: You let your users download files from trashy websites. Your firewall should have been blocking access, and if it had integrated malware tools and realtime block lists, it probably would have caught this access.

Problem 4: You’re not using a local to block outgoing access by applications. For standard users, there’s little reason to access the Internet by means other than a web browser or known applications. This is a well-known technology and approach that’s been around for a decade.

Step 3: Run a File

Black Magic’s last step is to run the downloaded payload, which it does under normal user permissions.

Problem 5: You’re allowing users to run arbitrary applications. AppLocker has been around since Windows Vista, and provides a way of “whitelisting” applications that may run. This payload would never have been allowed to execute if you’d been using a built-in tool that’s been around since 2008. AppLocker even offers the ability to build that whitelist for you.

Problem 6: You’re not running updated anti-malware software that would have detected the payload and blocked it – and alerted someone. Most would have blocked access to the URL where the payload came from, too.

Conclusions

So you’ve had six opportunities to stop this exploit, all of which involve well-known, years-old technologies and techniques. You probably haven’t done most of them, and so you want to blame PowerShell.

OK… I’ll step out of the “you” attack-y mode :).

The point is that, once you have arbitrary code running on users’ systems, you’re owned. Nothing you can do to PowerShell will stop that. This attack could easily have been a .LNK file that ran Cmd.exe and the Telnet or FTP client – it could have achieved the same thing. It could easily have been an .EXE (“no, we block EXE file attachments;” “why the hell don’t you also block .LNK then, dummy?”).

I don’t want to come across as defending PowerShell per se; I’m trying to help folks understand where the real security problems lie. PowerShell is a red herring in all this; it was a convenient way of getting innocuous code to execute. There were six other places where this attack would have been stopped in its tracks, and any six of those would also have stopped every other similar kind of attack that didn’t rely specifically on PowerShell. That’s what makes those six effective – they’re global, not targeted at one specific piece of code. All of those six act to stop malware.

Before you take actions in security, you need to make sure you’re doing so from a holistic, professional security perspective. The first time a fire broke out in a crowded theater, officials didn’t say, “well, we should put sprinklers and alarms in that theater.” They put them in every theater, and started demanding flame-retardant fabrics and other measures. You address security across the board, not on a piecemeal basis.

 

A Tangent Argument

“Ah,” the argument goes, “but we should reduce moving parts. Users don’t have a legit need to run PowerShell, so we should lock them out of it.”

Valid. Except that PowerShell.exe isn’t PowerShell. PowerShell is a .NET Framework-based engine; PowerShell.exe is just a console application that lets you feed typed commands to that engine. You can’t remove PowerShell, and you can’t “block” users’ access to it, because it’s part of the Framework. It’s an integral part of the operating system. Things you don’t even realize are using it, are using it.

But yes, you could block users’ access to the console application, PowerShell.exe. I might even buy that argument, especially in a highly secure environment where you simply don’t want users having access to anything they don’t explicitly need to do their jobs. In fact, I would buy that argument, if and only if you block users’ access to everything they don’t explicitly need. Notepad. Windows Paint. Solitaire. Etc. Because based on the theory you’re working from, all code is bad code (a valid security perspective) and you block everything not explicitly needed. Remember, PowerShell doesn’t give users any special capabilities. Anything a normal user can do in PowerShell can be done in at least 2 other ways using other native tools. This is why AppLocker is a better approach: the list of apps a user needs is smaller than the list of apps they don’t, and so a whitelist is more maintainable, no matter how huge it is.

 

Anyway…

There you go. Now, you’re welcome to make comments on this, and offer your perspective. However, I have a couple of guidelines.

  1. Keep the conversation civil and professional. I’ll delete anything obnoxious.
  2. Keep the conversation focused on security. And remember that security isn’t about locking down the doors when the windows are open; it’s about holistically achieving specific goals. You don’t take security measures that simply move the target elsewhere. “Defense in depth” doesn’t mean 80 security restrictions and 20 ways around them. If something is super-easy to bypass, you don’t bother.

 

 

[UPDATED] Verified Effective Exams will Begin Soon


Check it out…

getcertificate

Wave 1

We’ll be going live with the PowerShell Toolmaker program very soon. Wave 1 will permit our PowerShell Summit N.A. 2014 alumni who registered early and were given a free exam. If you’re one of those folks, and if you would like to be an early registrant, please contact exams at PowerShell.org. You will need to have your Summit confirmation code (it was e-mailed to you when you registered, and was printed on your badge; we cannot provide it to you if you’ve lost it). We’re looking for a small handful of early registrants to take the exam and help us test the grading systems. If you pass, it’s “real,” and you’ll get an e-certificate like the one shown here!

How do you know if you got a free exam? There was a slip included with your badge at the Summit. If you weren’t paying attention, we’ll allow you to try entering your Summit confirmation code as an exam voucher to see if it works. If you can’t find your confirmation code, you’re out of luck.

Wave 1 is designed to let us test the system and make sure everything is working well, in a small enough scale to manage any problems that arise.

 

Next Steps

If you’d like to know more about the program, and understand when it may be open to you, please review the VERIFIED EFFECTIVE information page.

 

Installing PowerShell v5? Be a Little Careful, OK?


I’m getting a lot of questions from folks, via Twitter and other venues, regarding Windows Management Framework 5.0 – which is where PowerShell v5 comes from. It’s awesome that people are installing v5 and kicking the tires – however, please help spread the word:

  • v5 is a preview. It isn’t done, and it isn’t guaranteed bug-free. It shouldn’t be installed on production computers until it’s officially released.
  • v5 doesn’t install ‘side by side’ with v3 or v4. You can’t run it with “-version 3″ to “downgrade.” Now, v5 shouldn’t break anything – something that runs in v3 or v4 should still work fine – but there are no guarantees as it’s a preview and not released code at this stage.
  • Server software (Exchange, SharePoint, etc) often has a hard dependency on a specific version of PowerShell. You need to look into that before you install v5.
  • After installing v5, you might not be able to cleanly uninstall and revert to a prior version.

Generally speaking, v5 should be installed in a test virtual machine at the very least, not on a production computer. It’s great to play with it, and you should absolutely log bugs and suggestions to http://connect.microsoft.com.

This situation will be true for any pre-release preview of PowerShell or WMF going forward. “Preview” is the new Microsoft-speak for “beta,” and you should treat it as such. Play with it, yes – that’s the whole point, and it’s how we get a stable, clean release in the end. But play with caution, and never on production computers.

Attend a Beta “Advanced PowerShell” Class Live or Remote


As you may know, I helped developing the forthcoming Microsoft Official Courseware 10962A class, “Advanced Windows PowerShell.” It’s a 3-day class that includes an overview of DSC, a full day of scripting and toolmaking, a Workflow overview, error handling and debugging, and more. It’s meant as a direct follow-on to the 5-day 10961 course. We’re scheduling a beta teach through a Microsoft training center in mid-August 2014. It’ll be taught by MCT Jason Yoder, who’s an excellent trainer (and who attended PowerShell Summit North America 2014 a few weeks ago, so you know he’s jiggy with PowerShell).

There will likely be a fee to attend live or remote, as you’ll get the complete “A” rev of the course. If you think you might be interested, go to http://powershell.hosted.phplist.com/lists/?p=subscribe&id=7 and sign up. Once the full class info is online, we’ll e-mail you and let you know where to go find it – we won’t share your info with anyone else, including the training center.

Do this quickly – the class will likely fill up.

BETA PowerShell Lab Guide for Classes


I’ve been working on a new lab guide for my classes, and thought I’d share an early version. Note that this may become unavailable at any point; the final version will go on MoreLunches.com, as the lab guide corresponds largely with Learn Windows PowerShell in a Month of Lunches and Learn PowerShell Toolmaking in a Month of Lunches, as well as with several of the free ebooks here on PowerShell.org.

Also note that there is no slide deck. I hate slides and don’t use them in class, so I haven’t produced any slides. I do use a few diagrams in class (I load them into an iPad app called AirSketch, which “broadcasts” to my computer’s web browser, allowing me to show those images on the screen, and to whiteboard on them as needed), and those diagrams are replicated in the lab guide for students’ convenience.

This new guide is designed to be more standalone than the ones I’ve used in the past. Each lab includes background and syntax reminders, designed so that students don’t have to take notes while the instructor is demonstrating things. That way, everyone can focus on the demos. I basically review each lab myself before I start a unit, and then just teach and demo what’s covered in the lab. Students then get the lab itself as a reminder, and exercises to cement what they’re learning. In many of my classes, this guide is the only thing students have in front of them, and it works well with my teaching style.

At 119 pages, it’s a pretty substantial guide – and I have about nine more units to write, plus an additional four I plan to develop in the future.

You can download the guide in PDF form. Again, this link may go dead at some point when I’m done with the guide, and officially post it on MoreLunches.com. Right now, I’m very interested in what you think. It’s designed to present very concise summaries of what I teach, not completely replace me, but in some places it’s still pretty extensive.

PowerShell Summit N.A. 2014 Session Videos!


Aaron Hoover was kind enough to webcam the Summit sessions he attended, and he’s posted the videos on YouTube. URLs, from Aaron’s channel, are below.

Just Enough Admin – Security in a Post-Snowden World – Jeffrey Snover – PowerShell Summit 2014

Windows System Internals with PowerShell – Adam Driscoll – PowerShell Summit 2014

PowerCLI: How to Automate Your VMWare Environment Reports – Matt Griffin – PowerShell Summit 2014

Parallel Execution with PowerShell – Tome Tanasovski – PowerShell Summit 2014

PowerShell for Security Incident Response – Lee Holmes and Joe Bialek – PowerShell Summit 2014

Leverage Multi-Threading for Speeding Up Your Scripts – Jason Walker – PowerShell Summit 2014

Advanced PowerShell Eventing Scripting Techniques – Matt Graeber – PowerShell Summit 2014

Using PowerShell as a Reverse Engineering Tool – Matt Graeber – PowerShell Summit 2014

On the Job: Putting PowerShell Scheduled Jobs to Work – Jeff Hicks – PowerShell Summit 2014

The Seven Secrets of CIM – Brian Wilhite – PowerShell Summit 2014

WSMan Cmdlets – Richard Siddaway – PowerShell Summit 2014

Networking Administration with PowerShell – Richard Siddaway – PowerShell Summit 2014

Kerberos Delegation, CredSSP, and Windows PowerShell – Aleksandar Nikolic – PowerShell Summit 2014

The Joy of Intellisense: Tab Expansion – James O’Neill – PowerShell Summit 2014

Trending and Reporting – Don Jones – PowerShell Summit 2014

Leveraging Web Services with PowerShell – Trond Hindenes – PowerShell Summit 2014

Monitoring Using PowerShell – Josh Swenson – PowerShell Summit 2014

Cmdlet-ize the Registry – Richard Siddaway – PowerShell Summit 2014

PowerShell Module Design Rules (and When to Bend Them) – Kirk Freiheit – PowerShell Summit 2014

TechEd N.A. 2014 Session Recordings


There’s some great PowerShell content now online for your viewing pleasure.

Jeffrey Snover and I had a blast doing “Windows PowerShell Unplugged,” and I reviewed some best PowerShell practices (and hopefully provided a little inspiration for your career) in “Windows PowerShell Best Patterns and Practices: Time to Get Serious.” And the #2 overall session of TechEd? “DSC: A Practical Overview,” including a surprise demo (and announcement) from Snover showing DSC running on Linux.

Enjoy!

Why “Puppet vs. DSC” isn’t Even a Thing


After all the DSC-related excitement this week, there have been a few online and Twitter-based discussions including Chef, Puppet, and similar solutions. Many of these discussions start off with a tone I suppose I should be used to: fanboy dissing. “Puppet already does this and is cross-platform! Why should I bother with DSC?” Those people, sadly, miss the point about as entirely as it’s possible to do.

Point 1: Coolness

First, what Microsoft has accomplished with DSC is cool. Star Wars Episode V was also cool. These facts do not prevent previous things – Puppet/Chef/etc and Episode IV – from being cool as well. Something new being cool does not make other things less cool. This shouldn’t be a discussion of, “Puppet did this first, so nothing else can possibly be interesting at the same time.” As IT professionals, we should be looking at everything with an eye toward what it does, and what new ideas it might offer than can be applied to existing approaches.

Point 2: Switching

Have you seen the magazine ads suggesting you ditch Puppet and start using DSC? No, you have not – and you will not. If Puppet/Chef/etc is meeting your needs, keep using it. The fact that Microsoft has introduced a technology that accomplishes similar things (make no mistake, they’re not the same and aren’t intended to be), doesn’t mean Microsoft is trying to convince you to change.

I know where people get confused on this, because in the past that’s exactly what Microsoft intended to do. They’re not, this time. And I’ll explain why in a minute.

Point 3: DSC on Linux

Snover demonstrated a DSC Local Configuration Manager running on Linux, consuming a standard DSC MOF file, being used to set up an Apache website on the server. The underlying DSC resources were native Linux code.

This is not an attempt to convince Linux people to switch to Windows, nor is it an attempt to convince them to use DSC. Saying so is like saying, “Microsoft made PowerShell accept forward slashes as path separators in an attempt to convert Linux people…. but we’re too smart for that, hahahahah!” It’s idiotic. Microsoft knows you’re not going to suddenly break down and switch operating systems. They may be a giant corporation that sometimes makes silly moves, but they’re not dumb.

No, DSC on Linux is for Windows admins who choose to use DSC, and who want to extend that skill set to other platforms they have to manage. People who aren’t, in other words, faced with a “switch” decision.

Point 4: Puppet/Chef/etc Should Use DSC

Linux is, in many many ways, a more simplistic OS than Windows. And I mean that in a very good way, not as a dig. Most config information comes form text files, and text files are ridiculously easy to edit. Getting a solution like Puppet to work on Linux is, form a purely technical perspective, pretty straightforward. Windows, on the other hand, is built around an enormous set of disparate APIs, meaning getting something like Chef/DSC/whatever working on Windows is not only harder, it’s essentially a never-ending task.

Microsoft is pouring time and money into creating DSC resources that can, through a very simple and consistent interface, configure tons of the OS. The coverage provided by DSC resources will continue to grow – exponentially, I suspect. That means Microsoft is doing a lot of work that you don’t have to.

Even if you’re using Puppet/Chef/etc instead of DSC, you can still piggyback on all the completely open and human-readable code that actually makes DSC work. Your recipes and modules can simply call those DSC resources directly. You’re not “using” DSC, but you’re snarfing its code, so that you don’t have to re-invent that wheel yourself. This should make Puppet/Chef people super-happy, because their lives got easier. Yes, you’ll doubtless have to write some custom stuff still, but “save me some work” should always be a good thing.

Point 5: Tool vs. Platform

Another thing that sidetracks these discussions is folks not understanding that Puppet/Chef/etc each provide a complete solution stack. They are a management console, they are a domain-specific language, and they are a platform-level implementation. When you adopt Puppet, you adopt it from top to bottom.

DSC isn’t like that.

DSC only provides the platform-level implementation. It doesn’t come with the management tools you actually need in a large environment, or even in many medium-sized environments. I completely expect tools like System Center Configuration Manager, or something, to provide the management-level tooling on top of DSC at some point – but we aren’t discussing System Center.

So arguing “Puppet vs. DSC” is a lot like arguing “Toyota vs. 6-cylinder engine.” The argument doesn’t make sense. Yes, at the end of the day, Puppet/Chef/etc and DSC are meant to accomplish every similar things, but DSC is only a piece of the picture, which leads to the most important point.

Point 6: Microsoft Did Something Neat

You can’t take your Puppet scripts and push them to a Chef agent, nor can you do the reverse. Puppet/Chef/etc are, as I mentioned, fully integrated stacks – and they’re proprietary stacks. “Proprietary” is not the same as “close-sourced;” and I realize that the languages used by these products aren’t specifically proprietary. But the Puppet agent only knows how to handle Puppet scripts, and the Chef agent only knows how to read Chef scripts. That’s not a dig at those products – being an integrated, proprietary stack isn’t a bad thing at all.

But it’s interesting that Microsoft took a different approach. Interesting in part because they’re usually the ones making fully-integrated stacks, where you can only use their technology if you fully embrace their entire product line. This time, Microsoft bucked the trend and didn’t go fully-integrated, proprietary stack. Microsoft did this, and the simple fact that they did is important, even if you don’t want to use any of their products.

From the top-down, that is from the management side down, Microsoft isn’t forcing you to use PowerShell. They’re not forcing you to use Microsoft technology at all, in fact. The configuration file that goes to a managed node is a static MOF file. That’s a plain-text file, as in “Management Object Format,” as in developed by the Distributed Management Task Force (DMTF). A vendor-neutral standard, in other words.

See, Microsoft isn’t pushing DSC as a fully integrated stack. DSC is just the bottom layer that accepts a configuration and implements it. Puppet Labs could absolutely design their product to turn Puppet scripts into the MOF file that DSC needs. You’d be able to completely leverage the OS-native, built-in configuration agent and all its resources, right from Puppet.

Frankly, de-coupling the administrative tooling from the underlying API should make people happy. If we’re having a really professional, non-fanboy discussion about declarative configuration, I think you have to admit that Microsoft has kinda done the right thing. In a perfect world, the Puppet/Chef/etc administrative tools would let you write your configuration scripts in their domain-specific language, and then compile those to a MOF. Everyone’s agents would accept the same kind of MOF, and execute the MOF using local, native resources. That approach means any OS could be managed by any tool. That’s cross-platform. You’d be free to switch tools anytime you wanted, because the underlying agents would all accept the same incoming language – MOF.

I’m not saying Puppet/Chef/etc should do that. But if you’re going to make an argument about cross-platform and vendor-agnostic tooling, Microsoft’s approach is the right one. They’ve implemented a service that accepts vendor-neutral configurations (MOF), and implements them using local, native resources. You can swap out the tooling layer anytime you want to. You don’t need to write PowerShell; you just need to produce a MOF.

At the End of the Day

I think the folks behind Puppet/Chef/etc totally “get” all this. I think you’re probably going to see them taking steps to better leverage the work MS is doing on DSC, simply because it saves them, and their users, work. And I don’t think you’re going to see Microsoft suggesting you ditch Puppet in favor of DSC. That’s a complete non-argument, and nobody at Microsoft even understands why people thing the company wants that.

I fully recognize that there’s a lot of “Microsoft vs. Linux” animosity in the world – the so-called “OS religions.” I’ve never understood that, and I certainly am not trying to convince anyone of the relative worth of one OS over another. PowerShell.org – a community dedicated to a Microsoft product – runs on a CentOS virtual machine, which should tell you something about my total lack of loyalty when it comes to choosing the right tool for a job. If you’re similarly “non-religious” about operating systems, I think DSC is worth taking a look at just to take a look at it. What’s it do differently? How can you leverage that in your existing world? Are there any approaches that might be worth considering?

Part of my frustration about the whole “Puppet vs DSC” meme is that it smacks of, “my toys are shinier than your toys,” which is just… well, literally childish. And it worries me that people are missing some of the above, very important, points – mainly, that Microsoft is trying really damn hard to play nicely with the other kids in the sandbox for a change. Encourage that attitude, because it benefits everyone.

Once More…

And again, I don’t think Microsoft is trying to convince you to use DSC, or any other MS product, here. I’m certainly not trying to do so. I think DSC presents an opportunity for folks who already have a declarative configuration management system, strictly in terms of saving you some work in custom module authoring. And I think for folks that don’t have a declarative configuration management solution, and who already have an investment in Microsoft’s platform, DSC is going to be an exceptionally critical technology to master. That doesn’t in any way diminish the accomplishment of the folks behind Puppet/Chef/etc. In fact, if nothing else, it further validates those products’ goals. And I think it’s massively interesting that Microsoft took an approach that is open to be used by those other products, rather than trying to make their own top-to-bottom stack. It’s a shift in Microsoft’s strategic thinking, if nothing else, and an explicit acknowledgement that the world is bigger than Redmond.

Let’s at least “cheers” for that shift in attitude.

 

 

 

 

My TechEd 2014 “Patterns and Practices” Example Scripts


I’ll be using these examples in my TechEd 2014 session on PowerShell patterns and practices. They won’t make much sense, perhaps, until you see the session (live, or in the recordings – and I believe this session is one of the “Taste of TechEd” ones that will be live-streamed), but here are the scripts.

TechEd-NA-2014-Patterns-Examples

Fundraising: PowerShell People Kick Butt, Take Names


Our IndieGoGo Campaign is off to an amazing start, raising over $6,300 (including some offline donations) toward our ultimate $9,000 goal. So far, we’ve raised enough to ensure we can record two tracks of Summit content – enabling us to record speakers’ laptops and voice, and to post the videos on YouTube, for free. Meeting our full $9,000 goal will enable three tracks of recordings, which is what the North American show currently produces.

The equipment we’re investing in will also support, should we choose to add it, an analog camera input and automatic picture-in-picture, meaning we can later add-on to include video of the speaker(s) as well as what’s on their laptop.

This equipment also meets an important set of goals for us: It requires no software on speaker laptops (often problematic), and it’s operated – literally – by a single big, red, lighted button. Meaning, it’s easy to use and shouldn’t interfere with the live audience’s experience.

I’m personally humbled by the generosity of our community. While larger donations are being considered “share purchases” in PowerShell.org, Inc., these contributors are essentially getting nothing in return for their money – but they’re making something possible that will benefit everyone. Making this content permanently available, for free, will become a treasure trove of valuable information forever. I can’t express my gratitude enough.

Tell a colleague, tell a friend: Every donation helps, no matter how small. And thank you, thank you, thank you.

Help us Record the PowerShell Summit Sessions


We’re often asked if the PowerShell Summit sessions will be recorded or live-streamed. The answer, so far, has been “no,” because the equipment needed to do so gets expensive.

But we’re willing to give it a go – with crowd funding. Check out our IndieGoGo campaign, where you can contribute to making session recordings a reality – forever. We’ve got about 30 days to reach our goal. So if recorded sessions are important to you – now’s the time to put your money where you mouth is!!

Fingers crossed!