A sweet Conference focused on Windows Automation (WinOps)
WinOps in a Secure Environment
Dwight Bragdon, IT Sec Engr, Sr Staff
Qualcomm
Before we begin…
● Who am I?
○ Dwight Bragdon – IT Security Engineer, Sr. Staff
● What do I do?
○ Microsoft Stack, VMware, Citrix, Nutanix, etc…
● Why should you listen to me?
○ Great question!
Environment Overview
● Network 1 “non-secure”
○ Internet Connected
○ Users are local admins
○ Corporate Business Productivity
○ “Wild West”
● Network 2 “Secure Enclave”
○ Non-Internet Connected
○ Users are not local admins
○ Business/Mission Productivity
○ Windows Security Baselines/STIGs applied
○ Carbon Black High Enforcement
Solutions
● Chocolatey for Business (C4B)
● Gerrit
● Honorable Mentions:
○ SCCM
○ GPO
○ Task Scheduler
Workflow Overview
Internet Connected
● Gerrit
○ List of packages to internalize
○ Choco-Internalize PowerShell script
● Jenkins (C4B)
○ Merged changes start internalization job
○ Internalization job also run on a schedule
● FileShare
○ Pushes internalized packages to file share after internalization job runs
Non-Internet/Secure Enclave
● FileShare
● Jenkins
○ Pulls internalized packages brought in from the outside, pushes packages to Artifactory
● Artifactory
● Package Builder (C4B)
○ Custom Package
● Puppet
○ Puppet enforced settings
○ Choco packages
● Self-Service/Background Service (C4B)
○ Ad hoc Chocolatey packages
Gerrit/Source Control
Choco-Internalize.ps1
    $ErrorActionPreference = 'Stop'
    $choco = 'C:\ProgramData\chocolatey\bin\choco.exe'
    # choco-pkg-list.txt holds one package id per line and lives in Gerrit
    foreach ($package in (Get-Content choco-pkg-list.txt)) {
        Write-Output "Internalizing $package"
        Write-Output "------------------------------------------------------------------------"
        # Download the package and its remote resources into the working directory
        & $choco download --internalize locale=en-US $package --no-progress
        if ($LASTEXITCODE -ne 0) { Write-Warning "choco download failed for $package" }
        Write-Output "------------------------------------------------------------------------"
        Write-Output ""
    }
choco-pkg-list.txt
    chocolatey
    chocolatey-agent
    chocolatey-core.extension
    chocolateygui
    firefox
    googlechrome
    pester
    winscp
    etc…
Jenkins (external)
● Build Periodically – Daily, Weekly
● Build on Trigger – Gerrit Change Merged
● Build Step:
○ Run PowerShell command
○ Uploads choco packages to file share
Diagram: Gerrit → Jenkins → FileShare
Package Transfer
Diagram: FileShare (Internet Connected) → FileShare (Secure Enclave)
● Transfer files from external file share to non-internet connected file share
● Can be automated:
○ One-way SnapMirror (NetApp)
○ Secure one-way transfers using data diodes
○ Other
● Can be manual
○ Sneakernet
Jenkins (internal)
● Build Periodically – Daily, Weekly
● Build Step:
○ Upload choco packages from file share to Artifactory
Diagram: FileShare → Jenkins → Artifactory
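An integrity gate for the package transfer step and the internal Jenkins build step, added here as an example; it is not code from the talk. The external job writes a SHA256 manifest beside the internalized .nupkg files after choco download --internalize, and the internal job verifies every file against it before choco push, so anything corrupted, substituted or missing on the enclave side is withheld. The share paths, the manifest file name, the Artifactory feed URL and the API key parameter are assumptions.

```powershell
# Added example (not from the talk): SHA256 manifest written on the
# Internet-connected side, checked on the enclave side before anything is
# pushed to Artifactory. Paths, share names and the feed URL are assumptions.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-PackageManifest {
    # External Jenkins job: run after choco download --internalize, in the
    # directory that is about to be copied to the file share.
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [string] $ManifestPath = (Join-Path $PackageDir 'manifest.json')
    )
    $entries = Get-ChildItem -Path $PackageDir -Filter '*.nupkg' -File | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Bytes  = $_.Length
        }
    }
    ConvertTo-Json -InputObject @($entries) -Depth 3 |
        Set-Content -Path $ManifestPath -Encoding UTF8
    return $entries
}

function Test-PackageManifest {
    # Enclave side: run after the one-way transfer (SnapMirror, diode or
    # sneakernet). Returns only the packages whose hash matches the manifest;
    # extra, altered and missing files are reported and withheld.
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [string] $ManifestPath = (Join-Path $PackageDir 'manifest.json')
    )
    $expected = @{}
    foreach ($e in (Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json)) {
        $expected[$e.Name] = $e.Sha256
    }
    $verified = @()
    foreach ($pkg in (Get-ChildItem -Path $PackageDir -Filter '*.nupkg' -File)) {
        if (-not $expected.ContainsKey($pkg.Name)) {
            Write-Warning "Not in manifest, withholding: $($pkg.Name)"
            continue
        }
        $actual = (Get-FileHash -Path $pkg.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$pkg.Name]) {
            Write-Warning "Hash mismatch, withholding: $($pkg.Name)"
            continue
        }
        $verified += $pkg
        $expected.Remove($pkg.Name)
    }
    foreach ($missing in $expected.Keys) {
        Write-Warning "Listed in manifest but not on share: $missing"
    }
    return $verified
}

function Publish-VerifiedPackages {
    # Internal Jenkins build step: push only what Test-PackageManifest returned.
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [Parameter(Mandatory)] [string] $ArtifactorySource,   # assumed internal NuGet feed URL
        [Parameter(Mandatory)] [string] $ApiKey
    )
    $choco = 'C:\ProgramData\chocolatey\bin\choco.exe'
    foreach ($pkg in (Test-PackageManifest -PackageDir $PackageDir)) {
        & $choco push $pkg.FullName "--source=$ArtifactorySource" "--api-key=$ApiKey"
        if ($LASTEXITCODE -ne 0) { throw "choco push failed for $($pkg.Name)" }
    }
}
```

Treat the manifest as the trust anchor: if it crosses the gap on the same path as the packages, whoever can alter that path can rewrite both, so sign it or carry it through a channel you trust at least as much as the package copy.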
browsers.pp
    class profile::browsers {
      require profile::chocolatey
      # Ensures latest Firefox
      package { 'firefox':
        ensure => latest,
      }
      # Ensures latest Google Chrome
      package { 'googlechrome':
        ensure => latest,
      }
    }
workstation.pp
    class role::workstation {
      include profile::browsers
    }
Diagram: Artifactory → Puppet (Puppet enforced settings, choco packages)
Ad Hoc installs prereq
● Chocolatey Agent
● Background Service
○ Use Puppet!
Ad Hoc installs
● “Self-Service” choco installs
○ Chocolatey GUI
○ Command Line
○ Carbon Black approved!
Custom Packages
● Custom packages
○ Custom application
○ Different install arguments
● Use Package Builder (C4B)
○ Command Line
○ GUI
● Non-Admins can create packages
○ C:\Programdata\Chocolatey\templates\NewFileInstaller needs to be present
Diagram: Custom Package → Artifactory
Updates
● Puppet:
○ ensure => latest
● Ad Hoc installs:
○ “cup all -y” scheduled task created via GPO or Puppet
Limitations
● If enforcing background service
○ Users and Puppet cannot call a custom source
● Ad-Hoc Installs:
○ Pinning versions
○ Uninstalling
Key Takeaways
● Use WinOps to enable everyone
● C4B enables users - without sacrificing security
Questions???
Thank you to our Sponsors
WiFi – SSID: Park Central Meetings, Password: chocolateyfest2018
Ad

More Related Content

Similar to WinOps in a Secure Environment (20)

NJEdgeCon2018-Automating-Package-Management-in-Windows-with-Chocolatey
NJEdgeCon2018-Automating-Package-Management-in-Windows-with-ChocolateyNJEdgeCon2018-Automating-Package-Management-in-Windows-with-Chocolatey
NJEdgeCon2018-Automating-Package-Management-in-Windows-with-Chocolatey
Dan Franciscus
 
Symfony under control. Continuous Integration and Automated Deployments in Sy...
Symfony under control. Continuous Integration and Automated Deployments in Sy...Symfony under control. Continuous Integration and Automated Deployments in Sy...
Symfony under control. Continuous Integration and Automated Deployments in Sy...
Max Romanovsky
 
Symfony Under Control by Maxim Romanovsky
Symfony Under Control by Maxim RomanovskySymfony Under Control by Maxim Romanovsky
Symfony Under Control by Maxim Romanovsky
php-user-group-minsk
 
Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...
Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...
Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...
Puppet
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSes
Mender.io
 
Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018
Mender.io
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and images
Mender.io
 
Magento Docker Setup.pdf
Magento Docker Setup.pdfMagento Docker Setup.pdf
Magento Docker Setup.pdf
Abid Malik
 
Yocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution MakerYocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution Maker
Sherif Mousa
 
The 10 Commandments of Release Engineering
The 10 Commandments of Release EngineeringThe 10 Commandments of Release Engineering
The 10 Commandments of Release Engineering
Solano Labs
 
Yocto Project : Custom Embedded Linux Distribution
Yocto Project : Custom Embedded Linux DistributionYocto Project : Custom Embedded Linux Distribution
Yocto Project : Custom Embedded Linux Distribution
emertxemarketing
 
Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...
Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...
Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...
Nico Meisenzahl
 
Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...
Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...
Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...
Flink Forward
 
Reproducibility in artificial intelligence
Reproducibility in artificial intelligenceReproducibility in artificial intelligence
Reproducibility in artificial intelligence
Carlos Toxtli
 
Embedded linux build systems
Embedded linux build systems  Embedded linux build systems
Embedded linux build systems
Mender.io
 
Building Emmbedded Linux with Yocto project
Building Emmbedded Linux with Yocto projectBuilding Emmbedded Linux with Yocto project
Building Emmbedded Linux with Yocto project
twcoimbatore
 
Vagrant crash course
Vagrant crash courseVagrant crash course
Vagrant crash course
Marcus Deglos
 
Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospective
Open-RnD
 
The Android Build System - Android Marshmallow
The Android Build System - Android MarshmallowThe Android Build System - Android Marshmallow
The Android Build System - Android Marshmallow
Ron Munitz
 
FOSDEM 2017: GitLab CI
FOSDEM 2017:  GitLab CIFOSDEM 2017:  GitLab CI
FOSDEM 2017: GitLab CI
OlinData
 
NJEdgeCon2018-Automating-Package-Management-in-Windows-with-Chocolatey
NJEdgeCon2018-Automating-Package-Management-in-Windows-with-ChocolateyNJEdgeCon2018-Automating-Package-Management-in-Windows-with-Chocolatey
NJEdgeCon2018-Automating-Package-Management-in-Windows-with-Chocolatey
Dan Franciscus
 
Symfony under control. Continuous Integration and Automated Deployments in Sy...
Symfony under control. Continuous Integration and Automated Deployments in Sy...Symfony under control. Continuous Integration and Automated Deployments in Sy...
Symfony under control. Continuous Integration and Automated Deployments in Sy...
Max Romanovsky
 
Symfony Under Control by Maxim Romanovsky
Symfony Under Control by Maxim RomanovskySymfony Under Control by Maxim Romanovsky
Symfony Under Control by Maxim Romanovsky
php-user-group-minsk
 
Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...
Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...
Easily Manage Patching and Application Updates with Chocolatey + Puppet - Apr...
Puppet
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSes
Mender.io
 
Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018
Mender.io
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and images
Mender.io
 
Magento Docker Setup.pdf
Magento Docker Setup.pdfMagento Docker Setup.pdf
Magento Docker Setup.pdf
Abid Malik
 
Yocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution MakerYocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution Maker
Sherif Mousa
 
The 10 Commandments of Release Engineering
The 10 Commandments of Release EngineeringThe 10 Commandments of Release Engineering
The 10 Commandments of Release Engineering
Solano Labs
 
Yocto Project : Custom Embedded Linux Distribution
Yocto Project : Custom Embedded Linux DistributionYocto Project : Custom Embedded Linux Distribution
Yocto Project : Custom Embedded Linux Distribution
emertxemarketing
 
Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...
Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...
Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...
Nico Meisenzahl
 
Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...
Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...
Flink Forward Berlin 2017: Dominik Bruhn - Deploying Flink Jobs as Docker Con...
Flink Forward
 
Reproducibility in artificial intelligence
Reproducibility in artificial intelligenceReproducibility in artificial intelligence
Reproducibility in artificial intelligence
Carlos Toxtli
 
Embedded linux build systems
Embedded linux build systems  Embedded linux build systems
Embedded linux build systems
Mender.io
 
Building Emmbedded Linux with Yocto project
Building Emmbedded Linux with Yocto projectBuilding Emmbedded Linux with Yocto project
Building Emmbedded Linux with Yocto project
twcoimbatore
 
Vagrant crash course
Vagrant crash courseVagrant crash course
Vagrant crash course
Marcus Deglos
 
Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospective
Open-RnD
 
The Android Build System - Android Marshmallow
The Android Build System - Android MarshmallowThe Android Build System - Android Marshmallow
The Android Build System - Android Marshmallow
Ron Munitz
 
FOSDEM 2017: GitLab CI
FOSDEM 2017:  GitLab CIFOSDEM 2017:  GitLab CI
FOSDEM 2017: GitLab CI
OlinData
 

More from Chocolatey Software (13)

Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Chocolatey Software
 
Provision and Manage Servers w/Otter, DSC, Git, and Chocolatey
Provision and Manage Servers w/Otter, DSC, Git, and ChocolateyProvision and Manage Servers w/Otter, DSC, Git, and Chocolatey
Provision and Manage Servers w/Otter, DSC, Git, and Chocolatey
Chocolatey Software
 
Docker - A Container Full of Chocolatey
Docker - A Container Full of ChocolateyDocker - A Container Full of Chocolatey
Docker - A Container Full of Chocolatey
Chocolatey Software
 
Killing Golden Images In Your Infrastructure Setups
Killing Golden Images In Your Infrastructure SetupsKilling Golden Images In Your Infrastructure Setups
Killing Golden Images In Your Infrastructure Setups
Chocolatey Software
 
Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.
Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.
Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.
Chocolatey Software
 
Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...
Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...
Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...
Chocolatey Software
 
The Future of Windows Automation
The Future of Windows AutomationThe Future of Windows Automation
The Future of Windows Automation
Chocolatey Software
 
Improving Infrastructure Quality
Improving Infrastructure QualityImproving Infrastructure Quality
Improving Infrastructure Quality
Chocolatey Software
 
Ensuring Compliant, Consistent Systems w/Chef, InSpec, and Chocolatey
Ensuring Compliant, Consistent Systems w/Chef, InSpec, and ChocolateyEnsuring Compliant, Consistent Systems w/Chef, InSpec, and Chocolatey
Ensuring Compliant, Consistent Systems w/Chef, InSpec, and Chocolatey
Chocolatey Software
 
Bootstrapping a New Machine in 1 Click
Bootstrapping a New Machine in 1 ClickBootstrapping a New Machine in 1 Click
Bootstrapping a New Machine in 1 Click
Chocolatey Software
 
Chocolatey and Puppet at Yelp
Chocolatey and Puppet at YelpChocolatey and Puppet at Yelp
Chocolatey and Puppet at Yelp
Chocolatey Software
 
Chef + Chocolatey: Sweet Recipes
Chef + Chocolatey: Sweet RecipesChef + Chocolatey: Sweet Recipes
Chef + Chocolatey: Sweet Recipes
Chocolatey Software
 
10 Things I Hate About You - Taming Windows w/Ansible
10 Things I Hate About You - Taming Windows w/Ansible10 Things I Hate About You - Taming Windows w/Ansible
10 Things I Hate About You - Taming Windows w/Ansible
Chocolatey Software
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Chocolatey Software
 
Provision and Manage Servers w/Otter, DSC, Git, and Chocolatey
Provision and Manage Servers w/Otter, DSC, Git, and ChocolateyProvision and Manage Servers w/Otter, DSC, Git, and Chocolatey
Provision and Manage Servers w/Otter, DSC, Git, and Chocolatey
Chocolatey Software
 
Docker - A Container Full of Chocolatey
Docker - A Container Full of ChocolateyDocker - A Container Full of Chocolatey
Docker - A Container Full of Chocolatey
Chocolatey Software
 
Killing Golden Images In Your Infrastructure Setups
Killing Golden Images In Your Infrastructure SetupsKilling Golden Images In Your Infrastructure Setups
Killing Golden Images In Your Infrastructure Setups
Chocolatey Software
 
Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.
Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.
Maintenance Mode: Leveraging Chef to Schedule Patching, Reboot, etc.
Chocolatey Software
 
Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...
Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...
Wardley Maps Saved The Day: How Stack Overflow Enterprise automated all the t...
Chocolatey Software
 
The Future of Windows Automation
The Future of Windows AutomationThe Future of Windows Automation
The Future of Windows Automation
Chocolatey Software
 
Improving Infrastructure Quality
Improving Infrastructure QualityImproving Infrastructure Quality
Improving Infrastructure Quality
Chocolatey Software
 
Ensuring Compliant, Consistent Systems w/Chef, InSpec, and Chocolatey
Ensuring Compliant, Consistent Systems w/Chef, InSpec, and ChocolateyEnsuring Compliant, Consistent Systems w/Chef, InSpec, and Chocolatey
Ensuring Compliant, Consistent Systems w/Chef, InSpec, and Chocolatey
Chocolatey Software
 
Bootstrapping a New Machine in 1 Click
Bootstrapping a New Machine in 1 ClickBootstrapping a New Machine in 1 Click
Bootstrapping a New Machine in 1 Click
Chocolatey Software
 
Chef + Chocolatey: Sweet Recipes
Chef + Chocolatey: Sweet RecipesChef + Chocolatey: Sweet Recipes
Chef + Chocolatey: Sweet Recipes
Chocolatey Software
 
10 Things I Hate About You - Taming Windows w/Ansible
10 Things I Hate About You - Taming Windows w/Ansible10 Things I Hate About You - Taming Windows w/Ansible
10 Things I Hate About You - Taming Windows w/Ansible
Chocolatey Software
 
Ad

Recently uploaded (20)

Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
WinOps in a Secure Environment

  • 1. A sweet Conference focused on Windows Automation (WinOps)
  • 2. WinOps in a Secure Environment Dwight Bragdon, IT Sec Engr, Sr Staff Qualcomm
  • 3. Before we begin… ● Who am I? ○ Dwight Bragdon – IT Security Engineer, Sr. Staff ● What do I do? ○ Microsoft Stack, VMware, Citrix, Nutanix, etc… ● Why should you listen to me? ○ Great question!
  • 4. Environment Overview
       Network 1 “non-secure”: Internet connected; users are local admins; corporate business productivity; the “Wild West”.
       Network 2 “Secure Enclave”: not Internet connected; users are not local admins; business/mission productivity; Windows Security Baselines/STIGs applied; Carbon Black in High Enforcement.
  • 5. Solutions: Chocolatey for Business (C4B), Gerrit ● Honorable Mentions: ○ SCCM ○ GPO ○ Task Scheduler
  • 6. Workflow Overview (diagram)
       Internet connected: Gerrit (list of packages to internalize, Choco-Internalize PowerShell script) -> Jenkins (merged changes start the internalization job, which uses C4B; the job also runs on a schedule) -> FileShare (internalized packages are pushed to the file share after the job runs).
       Non-Internet/Secure Enclave: FileShare -> Jenkins (pulls the internalized packages brought in from the outside and pushes them to Artifactory) -> Artifactory -> Puppet (Puppet-enforced settings, Choco packages) and ad hoc Chocolatey packages (self-service/background service, C4B); custom packages built with Package Builder (C4B) are also pushed to Artifactory.
  • 7. Gerrit/Source Control
       Choco-Internalize.ps1:
         foreach ($package in Get-Content choco-pkg-list.txt) {
             Write-Output "Internalizing $package"
             Write-Output "------------------------------------------------------------------------"
             C:\ProgramData\chocolatey\bin\choco.exe download --internalize locale=en-US $package --no-progress
             Write-Output "------------------------------------------------------------------------"
             Write-Output ""
         }
       choco-pkg-list.txt:
         chocolatey
         chocolatey-agent
         chocolatey-core.extension
         chocolateygui
         firefox
         googlechrome
         pester
         winscp
         etc…
  • 9. Jenkins (external) ● Build Periodically – Daily, Weekly ● Build on Trigger – Gerrit Change Merged ● Build Step: ○ Run PowerShell command ○ Upload choco packages to file share
  • 11. Package Transfer (FileShare -> FileShare) ● Transfer files from the external file share to the non-Internet-connected file share ● Can be automated: ○ One-way SnapMirror (NetApp) ○ Secure one-way transfers using data diodes ○ Other ● Can be manual: ○ Sneakernet
  • 13. Jenkins (internal) ● Build Periodically – Daily, Weekly ● Build Step: ○ Upload choco packages from file share to Artifactory
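The two Jenkins build steps (slide 9 on the Internet side, slide 13 in the enclave) and the transfer between them (slide 11), written out as one added example. This is not the deck's own script or Qualcomm tooling: it adds a SHA-256 manifest that the enclave job verifies before anything is pushed, which the slides do not describe. The share paths, the Artifactory NuGet URL, the ARTIFACTORY_API_KEY variable and the PIPELINE_SIDE switch are assumptions for illustration.

```powershell
# Added example (not from the slides): both Jenkins build steps as one script, plus a
# SHA-256 manifest check across the file-share transfer. Share paths, Artifactory URL,
# API-key variable and PIPELINE_SIDE are assumptions.
param(
    [string]$PackageList     = 'choco-pkg-list.txt',
    [string]$Staging         = 'C:\choco-internalized',
    [string]$Share           = '\\fileserver\choco-transfer',                                         # assumed
    [string]$ArtifactoryPush = 'https://artifactory.example.internal/artifactory/api/nuget/chocolatey', # assumed
    [string]$ApiKeyEnvVar    = 'ARTIFACTORY_API_KEY'   # assumed: injected by a Jenkins credentials binding
)
$ErrorActionPreference = 'Stop'
$choco = 'C:\ProgramData\chocolatey\bin\choco.exe'

# ---------- external (Internet-connected) Jenkins job ----------
function Invoke-Internalize {
    New-Item -ItemType Directory -Force -Path $Staging | Out-Null
    $packages = Get-Content $PackageList | Where-Object { $_.Trim() -and -not $_.StartsWith('#') }
    foreach ($package in $packages) {
        Write-Output "Internalizing $package"
        & $choco download $package --internalize --no-progress "--output-directory=$Staging"
        if ($LASTEXITCODE -ne 0) { throw "choco download failed for $package (exit $LASTEXITCODE)" }
    }
}

function Export-Manifest {
    # One SHA-256 per .nupkg, path relative to $Staging, written beside the packages.
    $lines = Get-ChildItem -Path $Staging -Filter *.nupkg -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($Staging.Length).TrimStart('\')
        "{0}  {1}" -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
    }
    Set-Content -Path (Join-Path $Staging 'SHA256SUMS.txt') -Value $lines -Encoding ascii
}

function Publish-ToShare {
    robocopy $Staging $Share /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed (exit $LASTEXITCODE)" }   # robocopy: < 8 is success
}

# ---------- internal (enclave) Jenkins job ----------
function Test-Manifest {
    # Returns the manifest's relative paths; throws on a missing, altered or unlisted package.
    param([string]$Root)
    $manifest = Join-Path $Root 'SHA256SUMS.txt'
    if (-not (Test-Path $manifest)) { throw "No manifest at $manifest; refusing to import" }
    $expected = @{}
    foreach ($line in Get-Content $manifest) {
        if ($line -match '^([0-9A-Fa-f]{64})\s+(.+)$') { $expected[$Matches[2]] = $Matches[1].ToUpperInvariant() }
    }
    $problems = @()
    foreach ($rel in $expected.Keys) {
        $path = Join-Path $Root $rel
        if (-not (Test-Path $path)) { $problems += "$rel (missing)"; continue }
        if ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $expected[$rel]) { $problems += "$rel (hash mismatch)" }
    }
    # A .nupkg on the share that the external job never listed did not come through the pipeline.
    foreach ($file in Get-ChildItem -Path $Root -Filter *.nupkg -Recurse) {
        $rel = $file.FullName.Substring($Root.Length).TrimStart('\')
        if (-not $expected.ContainsKey($rel)) { $problems += "$rel (not in manifest)" }
    }
    if ($problems.Count -gt 0) { throw ("Manifest verification failed:`n" + ($problems -join "`n")) }
    return @($expected.Keys)
}

function Publish-ToArtifactory {
    param([string]$Root, [string[]]$RelativePaths)
    $apiKey = [Environment]::GetEnvironmentVariable($ApiKeyEnvVar)
    if (-not $apiKey) { throw "No API key in environment variable $ApiKeyEnvVar" }
    foreach ($rel in $RelativePaths) {
        & $choco push (Join-Path $Root $rel) "--source=$ArtifactoryPush" "--api-key=$apiKey"
        if ($LASTEXITCODE -ne 0) { throw "choco push failed for $rel (exit $LASTEXITCODE)" }
    }
}

switch ($env:PIPELINE_SIDE) {   # assumed: each Jenkins job sets this to 'external' or 'internal'
    'external' { Invoke-Internalize; Export-Manifest; Publish-ToShare }
    'internal' { $files = Test-Manifest -Root $Share; Publish-ToArtifactory -Root $Share -RelativePaths $files }
    default    { Write-Output 'Set PIPELINE_SIDE to external or internal' }
}
```

The manifest only proves that what arrived in the enclave is what the Internet-side job staged; it says nothing about whether the upstream package was safe, so the internalizing host remains the trust boundary and its package list in Gerrit is what review actually gates. `choco push` refuses a version that already exists in the feed, so a scheduled internal job should skip or tolerate those; the script above fails closed on purpose.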
  • 15. Puppet-enforced settings / Choco packages (Artifactory -> Puppet)
       browsers.pp:
         class profile::browsers {
           require profile::chocolatey
           # Ensures latest Firefox
           package { 'firefox':
             ensure   => latest,
             provider => chocolatey,   # explicit, in case profile::chocolatey does not set the default provider
           }
           # Ensures latest Google Chrome
           package { 'googlechrome':
             ensure   => latest,
             provider => chocolatey,
           }
         }
       workstation.pp:
         class role::workstation {
           include profile::browsers
         }
  • 16. Ad Hoc installs – prerequisites ● Chocolatey Agent ● Background Service ○ Use Puppet!
  • 17. Ad Hoc installs ● “Self-Service” choco installs ○ Chocolatey GUI ○ Command Line ○ Carbon Black approved!
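The enclave-side settings that slides 16 and 17 rely on (agent installed, background service on, self-service restricted to an approved feed), written as the choco commands Puppet would enforce. This is an added example, not the deck's Puppet code: the source name and Artifactory feed URL are assumptions, the chocolatey.extension license is assumed to be deployed already, and `--allow-self-service` plus the `useBackgroundService*` features are Chocolatey for Business options. Run elevated.

```powershell
# Added example (not from the slides): enclave workstation Chocolatey configuration for
# non-admin self-service. Source name and URL are assumptions; requires C4B and an
# already-installed license (chocolatey.extension). Run elevated.
$ErrorActionPreference = 'Stop'
$choco      = 'C:\ProgramData\chocolatey\bin\choco.exe'
$sourceName = 'artifactory-internal'
$sourceUrl  = 'https://artifactory.example.internal/artifactory/api/nuget/v2/chocolatey'   # assumed

function Invoke-Choco {
    param([string[]]$CliArgs)
    & $choco @CliArgs
    if ($LASTEXITCODE -ne 0) { throw "choco $($CliArgs -join ' ') failed (exit $LASTEXITCODE)" }
}

function Get-ChocoSourceNames {
    # 'choco source list -r' prints one 'name|url|disabled|...' line per source.
    (& $choco source list -r) | ForEach-Object { ($_ -split '\|')[0] }
}

function Get-ChocoEnabledFeatures {
    # 'choco feature list -r' prints 'name|Enabled|description' or 'name|Disabled|description'.
    (& $choco feature list -r) | ForEach-Object { $p = $_ -split '\|'; if ($p[1] -eq 'Enabled') { $p[0] } }
}

function Set-EnclaveChocoConfig {
    # 1. Only the internal feed exists, and it is the one self-service users may install from.
    if ((Get-ChocoSourceNames) -contains 'chocolatey') { Invoke-Choco 'source', 'remove', '-n', 'chocolatey' }
    Invoke-Choco 'source', 'add', '-n', $sourceName, "--source=$sourceUrl", '--priority=1', '--allow-self-service'

    # 2. Agent first (it is the background service), then the features that route non-admin
    #    requests through it and keep them on self-service sources only.
    Invoke-Choco 'install', 'chocolatey-agent', '-y', '--no-progress', "--source=$sourceName"
    foreach ($feature in 'useBackgroundService',
                         'useBackgroundServiceWithNonAdministratorsOnly',
                         'useBackgroundServiceWithSelfServiceSourcesOnly',
                         'allowBackgroundServiceUninstallsFromUserInstallsOnly') {
        Invoke-Choco 'feature', 'enable', '-n', $feature
    }
}

function Test-EnclaveChocoConfig {
    # $true only when the community source is gone, the internal one exists, and routing is enforced.
    $sources  = Get-ChocoSourceNames
    $enabled  = Get-ChocoEnabledFeatures
    $required = 'useBackgroundService', 'useBackgroundServiceWithNonAdministratorsOnly', 'useBackgroundServiceWithSelfServiceSourcesOnly'
    $missing  = $required | Where-Object { $enabled -notcontains $_ }
    return ($sources -notcontains 'chocolatey') -and ($sources -contains $sourceName) -and (-not $missing)
}

Set-EnclaveChocoConfig
Test-EnclaveChocoConfig
```

Removing the community source matters even on a network with no Internet route: a stray `--source` pointing at it would otherwise just hang, and a source that is configured is a source Carbon Black and the agent will treat as legitimate. Putting Test-EnclaveChocoConfig in a Puppet or Pester check is what makes the "Carbon Black approved" self-service on slide 17 verifiable rather than assumed.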
  • 19. Custom Packages (Artifactory) ● Custom packages: ○ Custom application ○ Different install arguments ● Use Package Builder (C4B): ○ Command Line ○ GUI ● Non-admins can create packages: ○ C:\Programdata\Chocolatey\templates\NewFileInstaller needs to be present
  • 21. Updates ● Puppet: ○ ensure => latest ● Ad Hoc installs: ○ “cup all -y” scheduled task created via GPO or Puppet
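The scheduled "cup all -y" task from this slide, registered directly with the ScheduledTasks module as an added example (the deck deploys it through GPO or Puppet; this is not the deck's own code). The task name and run time are assumptions. Run elevated.

```powershell
# Added example (not from the slides): the 'cup all -y' task via the ScheduledTasks module.
# Task name and run time are assumptions. Run elevated.
$taskName = 'Chocolatey-UpgradeAll'
$choco    = 'C:\ProgramData\chocolatey\bin\choco.exe'

function Register-ChocoUpgradeTask {
    param([string]$At = '03:00')
    # Full path to choco.exe (no PATH lookup), non-interactive, no progress noise in the log.
    # 'upgrade' is what the 'cup' alias expands to.
    $action    = New-ScheduledTaskAction -Execute $choco -Argument 'upgrade all -y --no-progress'
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    # SYSTEM: no stored credential to harvest, and non-admin users cannot edit or hijack the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # Catch up a missed run, never overlap two runs, give up after two hours.
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -MultipleInstances IgnoreNew `
                                              -ExecutionTimeLimit (New-TimeSpan -Hours 2)
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force | Out-Null
}

function Test-ChocoUpgradeTask {
    # $true only if the task exists, runs as SYSTEM and executes the full choco.exe path.
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if (-not $task) { return $false }
    $execs = @($task.Actions | ForEach-Object { $_.Execute })
    return ($task.Principal.UserId -match 'SYSTEM$|S-1-5-18') -and ($execs -contains $choco)
}

Register-ChocoUpgradeTask
Test-ChocoUpgradeTask
```

Because the task runs as SYSTEM it is an administrative install, so it does not go through the background service and upgrades whatever the configured sources offer; on the enclave that is only the internal feed, which is why removing the community source there is not optional.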
  • 22. Limitations ● If enforcing background service ○ Users and Puppet cannot call a custom source ● Ad-Hoc Installs: ○ Pinning versions ○ Uninstalling
  • 23. Key Takeaways ● Use WinOps to enable everyone ● C4B enables users - without sacrificing security