Archive for April, 2012

What can be more important than having a secure network? That’s right: a Network Security Policy, or simply call it an IT policy. Every organization, whether an enterprise or an SMB, that has an IT infrastructure is bound to have a Network Security Policy, which in simple terms describes acceptable computer, network and internet usage as well as the steps taken to protect network resources and organizational assets.

Security policies have to be long, detailed and complex, says who? The point of having policies is to make the target audience aware not only of the rules and regulations that govern your organization but also of the hierarchy of access permissions. In the end, it is a manual written primarily to address IT needs. I want my end-users to actually read and understand the policies. Though we have a fairly compressed version (4 single-sided pages) specifically related to IT/Network, it is part of a larger handbook that has sets of regulations for operating policies, general security policies, standard operating procedures, safety policies and so on. I am not referring to documentation that contains plans and procedures, or that drills further down into guidelines or processes. I have specifically used the word policy as against plan or guidelines, because when we write a network security policy it is mostly a high-level strategy for a target audience who don’t need to know the technical details; for example, letting end-users know that their internet usage is controlled and monitored.

When it comes to network security policies, can you ever say that you have finished writing the policy? Every day there are new security risks, and as the threats evolve, so does your policy over time. I have been working on our policy since I started work at my current organization, which has been 2 years now.

Coming to the components of a Network Security Policy, let’s see if I have successfully covered the basics. This is what I have as a high-level security policy: acceptable usage, access control, authentication (passwords), software compliance, monitoring, remote access, incident response, email and web, and last but most important, end-user awareness. While most of this is what all of you might already have in your policies, I list end-users as most important because they may or may not be IT literate but, either way, are the most serious threat to your organization’s network security, unintentionally or otherwise. Though the above components probably best describe small and medium businesses, they would all be included in the policy for large businesses as well.

I am not writing this article to teach anyone what needs to be in their security policy; you already know that. I am simply trying to assess the need for one. Before thinking about whether your network is secure, please take a minute to evaluate whether your network security policy is feasible and how far it extends. Have you written this policy only for your internal users, or have you considered contract-based employees or third-party vendors who provide specialized support? We have both, and I needed to include them in our policy to safeguard our data and control their access; but that becomes part of the larger plan. Who makes the decisions when it comes to writing or updating the policy? As an IT person, are you able to involve higher management in policy creation? Are you able to enforce the policy successfully, and what is the reaction of the general masses? There has always been an unspoken rule about following the policy, but how do we penalize those who rebel against such policies?

In conclusion, I believe that such a policy must be regularly evaluated so as to achieve a realistic business environment and not just regulate user-driven outcomes.

You can find a refined (proof-read by experts) version of this article here. This article was originally written for the “Spotlight on IT” series on the Spiceworks Community Forum.

1) Make sure that the iLO management processor is installed and running. I won’t go into that, but here is a nice article about iLO setup: http://adyamarathon.wordpress.com/ilo-setup/
2) This is a schema-free integration using the iLO Web Interface.
3) For the web interface to be accessible, the iLO software version should be 1.80 or later.
4) To access the Web GUI for iLO, type the DNS name or IP address of the iLO in the browser URL.

(Note: If the page fails to load, that may be because the SSL certificate is not being accepted. In Internet Explorer, go to Tools, then Internet Options, and click the Advanced tab. Check Use SSL 2.0, Use SSL 3.0 and Use TLS 1.0. Click Apply and then OK. Restart the browser window and try again; you will get the browser page as shown in the above screenshot.)

5) Log in using the username given on the iLO tag attached to the server, which is usually “Administrator”, and the password, which is also given on the same tag.
6) After successful login, you will be able to view the following screen.

7) Now, click the Administration tab and then Directory Settings, as shown below.

8) Next, you will see a page that requires choosing the Authentication settings and entering the Directory Server settings. Choose “Use Directory Default Schema”.

(Note: I have entered the Directory Server Address as one of the domain controllers. The LDAP port is 636 by default. For Directory User Context, I have entered the user group that is granted access.)

9) Next, after applying the settings, click the “Administer Groups” button, which takes you to the Group Administration page. Select the group you want to view or modify.

10) For “Administrator Group Settings”, you would want to grant access as “Yes” to all the options. You can choose accordingly for other types of users and also for custom special user groups for iLO.

11) Go back to the “Directory Settings” page and click the “Test Settings” button to run the directory tests.

12) To confirm that iLO is actually functioning after the server is powered down, click the “Virtual Devices” tab and then the “Virtual Power” link.

13) On the Virtual Power settings page, select the method to power on the server; by default the method is “Momentary Press”. Click the “Virtual Power” button, then click the “Submit” button for Power Configuration Settings, which is “Yes” by default. This powers on the server (machine).

14) Click the “Remote Console” tab and then “Remote Console” in the left pane, which opens a popup window that lets you access the server (machine) remotely.

It is possible to reset the Administrator password (or even add another user with specific privileges) using the Remote Insight Board Command Language (RIBCL). Apparently, to use RIBCL through your OS, you need login rights to the server (presumably enough rights to install HP system tools). The following steps are to be performed:

1. Install SNMP (prerequisite for HP Insight Management Agents)

2. Download and install HP Insight Management Agents

http://h18013.www1.hp.com/products/servers/management/im-agents/downloads.html

3. Download and install the HP Lights-Out Online Configuration Utility

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=1135772&prodTypeId=15351&prodSeriesId=1146658&swLang=8&taskId=135&swEnvOID=1005

Note 1: If these Agents and the Configuration Utility are already installed, upgrade them.

Note 2: If you encounter an NTVDM error while installing the HP Lights-Out Online Configuration Utility, just use a common compression tool like WinZip or WinRAR to extract the contents to C:\Program Files\HP or C:\HP\iLO.

4. Download the HP Lights-Out XML Scripting Sample for Windows and extract its contents to a folder.

Choose the following two XML files and copy them to the folder where you extracted the HP Lights-Out Online Configuration Utility:

- Administrator_reset_pw.xml or Change_Password.xml
- Add_User.xml

Note 3: If you extracted the HP Lights-Out Online Configuration Utility to C:\Program Files\HP or C:\HP\iLO, there will be a folder named “HPONCFG” that contains the required utility, “hponcfg.exe”.

Note 4: Make sure that you copy the above-mentioned files into the folder called “HPONCFG”.

5. Using Notepad (or any text editor), open the Administrator_reset_pw.xml sample file and modify it slightly as per your requirements. The initial LOGIN USER_LOGIN is required for syntax reasons but is not actually processed. I gave the Administrator a “bogus” password.

Similarly, you can use the Change_Password.xml sample to reset the Administrator password (or even other passwords).

Below is the screenshot showing the modified sample file I made for resetting the “Administrator” password.

6. If changing the Administrator’s password seems risky, you can also add another user with administrator privileges. You can then log in as that user and change the Administrator password via the web console. Below is the screenshot showing the modified sample file to add a user.

7. Finally, open a command prompt, change directory to C:\Program Files\HP\hponcfg or C:\hp\ilo\hponcfg and type the following:
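As an added example (not the post’s own file, nor HP’s sample as shipped), here is a PowerShell script that writes the Add_User.xml described in step 6 and feeds it to hponcfg.exe; the install folder, the user name ilorecovery, the privilege set and the /f and /l switches are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post: builds the Add_User.xml that step 6
# describes and feeds it to hponcfg.exe. Folder, user name and privilege set are
# assumptions; adjust them before use.
$HponcfgDir = 'C:\Program Files\HP\hponcfg'   # or C:\hp\ilo\hponcfg
$NewUser    = 'ilorecovery'                    # constructed user name

# Prompt for the password rather than hard-coding it in the script.
$Secure = Read-Host -AsSecureString "Password for iLO user $NewUser"
$Plain  = (New-Object System.Management.Automation.PSCredential($NewUser, $Secure)).GetNetworkCredential().Password
# RIBCL is XML, so quotes and ampersands in the password must be escaped.
$PassXml = [System.Security.SecurityElement]::Escape($Plain)

# The outer LOGIN element is required by the RIBCL parser, but when hponcfg runs
# locally its credentials are not checked, which is why the post uses a bogus one.
$Ribcl = @"
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="adminname" PASSWORD="boguspassword">
    <USER_INFO MODE="write">
      <ADD_USER USER_NAME="$NewUser" USER_LOGIN="$NewUser" PASSWORD="$PassXml">
        <ADMIN_PRIV value="Yes"/>
        <REMOTE_CONS_PRIV value="Yes"/>
        <RESET_SERVER_PRIV value="Yes"/>
        <VIRTUAL_MEDIA_PRIV value="Yes"/>
        <CONFIG_ILO_PRIV value="Yes"/>
      </ADD_USER>
    </USER_INFO>
  </LOGIN>
</RIBCL>
"@

$XmlPath = Join-Path $HponcfgDir 'Add_User.xml'
$LogPath = Join-Path $HponcfgDir 'hponcfg.log'
Set-Content -Path $XmlPath -Value $Ribcl -Encoding ASCII

# /f runs the RIBCL script file, /l writes hponcfg's output to a log (assumed switches).
& (Join-Path $HponcfgDir 'hponcfg.exe') /f $XmlPath /l $LogPath
if ($LASTEXITCODE -ne 0) { throw "hponcfg failed with exit code $LASTEXITCODE; see $LogPath" }

# The script file holds the password in clear text, so remove it once applied.
Remove-Item $XmlPath
Get-Content $LogPath
```

Once the user exists you can log in to the web interface as that user and change the Administrator password there, as the post describes.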

This article explains the steps taken to export DHCP scopes from one server and import them to another (for example, from an old server to a new one). I have tried and tested them for DHCP on Windows Server 2003.

Run the following from a command prompt using an administrator login. You can try running this from any domain computer.

C:\> netsh dhcp server \\dhcpservername1 export C:\DHCPServerScope1 all

This exports the DHCP scopes from that server to a file called “DHCPServerScope1” under the C drive.

If the above method does not work due to an invalid path error, which is possible, you can export the scopes by logging into the DHCP server itself. You can then export and save the scopes to a local or shared folder. After this, to import the scopes, log into the other DHCP server and again use the “netsh.exe” utility to import the scope configurations on that server (recommended).

To export scopes, the following syntax can be used:

netsh dhcp server export <Filename> <ScopeList>

Example:

C:\>netsh dhcp server export c:\scopes\DHCPServerScope1 10.0.0.1

To import scopes, the following syntax can be used:

netsh dhcp server import <Filename> all

Example:

C:\>netsh dhcp server import c:\scopes\DHCPServerScope1 all
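As an added example (not the author's commands, though it wraps them), here is a PowerShell script that runs the same export and import, stops at the first failing netsh call and compares the scope lists of the two servers afterwards; the server names, the export path and the parsing of the show scope output are assumptions.

```powershell
# Added example, not from the original post: export every scope from the old
# DHCP server, import it on the new one and check that nothing was lost.
# Server names and the export path are assumptions.
$OldServer  = '\\dhcpserver1'
$NewServer  = '\\dhcpserver2'
$ExportFile = 'C:\scopes\DHCPServerScope1'

function Get-DhcpScopeList([string]$Server) {
    # Parse "netsh dhcp server <server> show scope": each scope line begins with
    # the scope address, e.g. " 10.0.0.0  - 255.255.255.0  -Active  -LAN  -".
    netsh dhcp server $Server show scope | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\w+)') {
            New-Object PSObject -Property @{ Scope = $Matches[1]; Mask = $Matches[2]; State = $Matches[3] }
        }
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $ExportFile) | Out-Null
$before = @(Get-DhcpScopeList $OldServer)
if ($before.Count -eq 0) { throw "No scopes listed on $OldServer (not a DHCP server, or access denied)" }

netsh dhcp server $OldServer export $ExportFile all
if ($LASTEXITCODE -ne 0) {
    # A remote export can fail with the invalid path error the post mentions;
    # in that case run the export command locally on the old server instead.
    throw "Export from $OldServer failed (exit code $LASTEXITCODE)"
}

netsh dhcp server $NewServer import $ExportFile all
if ($LASTEXITCODE -ne 0) { throw "Import on $NewServer failed (exit code $LASTEXITCODE)" }

$after = @(Get-DhcpScopeList $NewServer)
if ($after.Count -eq 0) { throw "No scopes listed on $NewServer after import" }
$missing = Compare-Object $before $after -Property Scope, Mask | Where-Object { $_.SideIndicator -eq '<=' }
if ($missing) { $missing | Format-Table -AutoSize; throw "Some scopes did not arrive on $NewServer" }
"$($after.Count) scope(s) now present on $NewServer"
```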