Desired Configuration Management – Remediating Services

Following on from my whine post about how I got into Desired Configuration Management, I decided to push this as a priority. I wanted to increase the capacity of the baseline, and wanted to include all manner of cool things.

For now, SERVICES!

For now, I have two services I want to be part of my baseline:

  • The Config Manager Service
  • The Windows Update Service

Now yes, I know the Config Manager service needs to be running for DCM to evaluate anything, but I have a consistent problem with certain individuals deliberately sabotaging services. They don’t know DCM needs the Config Manager Service. Hah.

So, I created a Configuration Item thus; the first page of the wizard:

You’ll take yer medicine, and like it!

There is nothing much to shout about here. There is no point ticking the Application Settings box, as we’re looking at services.

Page two is all about which Operating Systems you wish this to be applicable to. It’s self-explanatory, so I won’t waste any more time with it.

Page three is much more interesting! Click on New, and you’ll get a window with two tabs. We will want to play with both tabs. I configured mine thus:

Don’t forget your script!

Click on Add Script, and select your poison from the drop-down list. If you’re not using PowerShell, well everyone’s different #amidoingitright?

Powershell. It’s really rather nice.

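So nothing too complicated. It’ll check for the services I need. You can of course add other services you wish to check for. Here is the code if you wish to copy and paste it:

# Discovery script: outputs "Compliant" only if every listed service
# is running and set to start automatically.
function CheckService {
    param([string[]]$Services)
    $Compliance = "Compliant"
    # Every service that is stopped or not set to start automatically
    $StoppedServices = Get-WmiObject Win32_Service -Filter "State='Stopped' or StartMode!='Auto'"
    $StoppedServices | ForEach-Object { if ($Services -contains $_.Name) { $Compliance = "NonCompliant" } }
    $Compliance
}
# List all services in one array; assigning $services twice keeps only the last name
$services = "ccmexec", "wuauserv"
CheckService $services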

If you’re feeling particularly adventurous, you can add a remedial action script to act when the desired services are out of compliance.
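A remedial action script for the two services above could look like the following. This is an added example, not the script from the original post; it assumes the same service names as the discovery script and simply restores automatic start and starts each service.

```powershell
# Added example: remediation for the services checked by the discovery script.
# Assumption: same service names as in the discovery script.
$Services = 'ccmexec', 'wuauserv'

foreach ($Name in $Services) {
    # Read the current state the same way the discovery script does
    $Svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"

    if (-not $Svc) {
        # A missing service cannot be fixed by starting it; flag it and move on
        Write-Warning "Service '$Name' is not installed on this machine."
        continue
    }

    try {
        # Restore the start mode first, so a disabled service can be started
        if ($Svc.StartMode -ne 'Auto') {
            Set-Service -Name $Name -StartupType Automatic -ErrorAction Stop
        }
        # Then bring the service back up if it is not running
        if ($Svc.State -ne 'Running') {
            Start-Service -Name $Name -ErrorAction Stop
        }
    }
    catch {
        # Leave the service NonCompliant so the baseline keeps reporting it
        Write-Warning "Could not remediate '$Name': $($_.Exception.Message)"
    }
}
```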

Click on the Compliance Rules tab, and then click New. PowerShell will be outputting “Compliant” if the services are as desired, so pop “Compliant” in the Value box; you should have something similar to the following screenshot:

You will comply.

You can set the severity alert to whatever you like. This is a big issue for me, so I went for critical 😉 I also ticked the box to report noncompliance.

It’s worth noting that if you select a remedial script, then there will be an extra option here. Naturally, you’re taking the gloves off at this point:

Tick it…

Just remember you’ll only see this extra option *if* you also specify a remedial script.

You’re home free now. Finish off the wizard, and create a Baseline configuration. Add this Configuration Item to the baseline, and deploy it.

Oh by the way, if you have read my previous posts then you’ll know I set up an internet-facing Management Point. Well, clients will get DCM from the internet-facing server over their home broadband.

They can run…
