puppetconf 2016: a tale of two hierarchies: group policy & puppet – matt stone, getty images

Group Policy & Puppet A Tale of Two Hierarchies

Upload: puppet

Post on 16-Apr-2017


TRANSCRIPT

Group Policy & Puppet: A Tale of Two Hierarchies

Matthew Stone

@matthewstone (Twitter)

@souldo (Puppet Community Stuff)

matthewrstone (GitHub)

Let’s Talk Group Policy!

• Why are we using Group Policy?

• Is it doing what we "need"?

• Do we understand what it is doing?

• Do we know it's doing what it's supposed to?

In the beginning…

Group Policy was the original abstraction layer for Windows configuration management

"Specify intranet Microsoft update service location"

or

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWUServer
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!WUServer
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!WUStatusServer
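The same GPO setting expressed as desired state in Puppet, as an added example that is not from the talk: it uses the puppetlabs-registry module's registry_key and registry_value types, and the WSUS URL is a placeholder. The "!" in the paths above is registry.pol notation separating the key from the value name; in a Puppet resource title the value name is simply the last path component.

```puppet
# Added example (not from the talk): the "Specify intranet Microsoft update
# service location" policy as Puppet code, using the puppetlabs-registry
# module's registry_key / registry_value types.
$wsus_url = 'http://wsus.example.internal:8530'   # placeholder, not a real server

# Make sure the policy keys exist before values are written under them.
registry_key { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate':
  ensure => present,
}
registry_key { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU':
  ensure => present,
}

# The value name is the last component of the title; the "!" separator used
# in the slide's registry.pol notation is not used here.
registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer':
  ensure => present,
  type   => string,
  data   => $wsus_url,
}
registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer':
  ensure => present,
  type   => string,
  data   => $wsus_url,
}
registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer':
  ensure => present,
  type   => dword,
  data   => 1,   # 1 = clients use the intranet WSUS server named above
}
```

Unlike the GPO, every run of this manifest reports whether each value was already correct or had to be changed, and the change history lives in version control with the rest of the code.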

What DevOps Brings to the Table

• Offers new patterns and practices for managing infrastructure.

• Encourages consistent, reliable behaviors.

• Encourages us to express our infrastructure as code.

• Encourages us to be transparent in our processes.

• Encourages us to work together.


Beginning Our IaC Transformation

• Hybrid environment, half Windows, half Linux.

• Technology silos are a thing!

• GOAL: reduce complexity through automation.

• GOAL: integrate existing products and services.

• GOAL: build a pipeline from request to delivery.


Our Definition of “Code”

• All of our infrastructure code should be text based.

• All of our infrastructure code should be documented.

• All of our infrastructure code should be versioned.

• All of our infrastructure code should be “datacenter redundant” and “domain independent”.


Our Pipeline

Packer (packer.io): JSON manifest for versioned, up-to-date images.

PunchOut: in-house developed API client tool to consume CSV and convert to JSON.

Phoenix: in-house developed REST API and "box cannon" consuming JSON requests.

Puppet: one would assume you already know what this thing does.

Group Policy vs. IaC

• Group Policy is not text based, version controlled and does not align with our other efforts for Infrastructure as Code.

• Group Policy is strictly tied to the domain, OU and filter from whence it came.

• For these reasons, having GPO alongside configuration management in a multiple domain environment can cause inconsistent builds or configuration drift across domains, OUs or WMI filters that aren’t visible to other IT workers.


Group Policy != Configuration Management

• GPO can apply policy changes to configuration. That is true.

• Lacks 'full stack' capabilities.

• Lacks 'idempotent' nature.

Puppet Enterprise 2016 Console


With Puppet Enterprise Console managing all things, we can see a complete overview of everything as it pertains to our system.

• OS base configuration.

• Packages being installed.

• Security settings applied.

• Application configuration.

Puppet Enterprise 2016 Console: gotta love those little green checkmarks.

You might have a group policy problem…

• As the Windows standard for decade(s), it may have been over-relied on.

• Hard to track the owner or date of changes unless we can pin to an external process (change control).

• You don't have a 'console' experience verifying that things are really as they seem.

• The owner of the changes may not understand the underlying changes that are being made on the system.

STRATEGERY. It's not a word.

Actually… It… IS A WORD?!??!

STRATEGERY. It is a word.

I didn’t say this was easy…

• Puppet has a very explicit view of your system.

• Question the user experience. Don’t forklift.

• Group management is fairly easy.

• Managing user security policy via Puppet is cumbersome. (secedit?)

• Local users / groups *is* an option.

$features = [ 'server-gui-mgmt-infra', 'server-gui-shell' ]
windowsfeature { $features : ensure => absent }

User Rights Assignment

User Rights: ntrights.exe, available in the Windows 2003 Resource Kit.

Group Policy != Security

• What is your security policy?

• Think in terms of compliance (HIPAA, SOX, PCI, etc…).

• Build your security policy around compliance, not registry keys.

• Think in terms of hardening (CIS).

Windows Updates


puppetlabs/wsus_client

https://puppet.com/blog/wsus-client-module-beginners-guide

Execs? Aaaargh!

• Tools like secedit and auditpol can run as execs.

• Or…learn to write modules / types and providers!


“but throwing scripts at stuff works great!”, said everyone.

• We want desired state, not ‘script ran’. We need to know if it really happened.

• We want the same metadata that describes a system to configure that system.

• We really want passwords removed from clear text files.
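The two slides above (running secedit/auditpol as execs, and wanting desired state rather than "script ran") in Puppet code, as an added example that is not from the talk: an exec is only allowed to fire when the system is not already in the desired state, so a run reports "unchanged" when nothing needed doing. It assumes the puppetlabs-powershell module (provider => powershell), and the audit subcategory and setting are illustrative.

```puppet
# Added example (not from the talk): wrapping a tool with no native Puppet
# type (auditpol) in an exec that behaves like desired state.
# Assumes the puppetlabs-powershell module for the `powershell` provider.
$subcategory = 'Logon'                # illustrative subcategory
$desired     = 'Success and Failure'  # what auditpol /get prints when both are enabled

exec { "audit-policy-${subcategory}":
  # The change itself: enable success and failure auditing for the subcategory.
  command   => "auditpol /set /subcategory:\"${subcategory}\" /success:enable /failure:enable",
  # The check: exit 0 means "already compliant" and the command is skipped;
  # exit 1 means "drifted", so the command runs and the run reports a change.
  unless    => "if ((auditpol /get /subcategory:\"${subcategory}\") -match '${desired}') { exit 0 } else { exit 1 }",
  provider  => powershell,
  logoutput => on_failure,
}
```

Without the `unless`, the exec would report a change on every run, which is exactly the "script ran" signal the slide warns against; with it, the Puppet report tells you whether the audit setting was actually in place.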


Group Policy != Package Management

[Slide: screenshot of an installed-programs list, annotated by source: "Installed by Chocolatey / Puppet", "Installed by Group Policy", "Installed by a bored ops guy with an idea…", "Installed by puppet / powershell (provisioning tool)", "Installed by chocolatey (base template)", "splunk is expensive".]

WHO INSTALLED THIS?!?

• Was it automation, group policy or a human?

• Why was it installed? What purpose does it serve?

• Is there a track record? Perhaps a commit / PR / change request?

• What’s the source of the installation? Web? Network? USB disk?

• Can we safely remove this mystery thing without impacting the system?


Just use chocolatey already…

• Chocolatey provides an easy to use way to make package management exist on Windows infrastructure.

• Pro versions give you even more superpowers, like resolving dependencies.

• We can reduce complexity, like tons of build docs and cross departmental nitpickery.

• We can integrate well with puppet, using the Package / File / Service methodology instead of Package / File / Service / Registry / Objects / Files / Rando Command Line Tools.

Group Policy != Package Management

[Slide: the same installed-programs screenshot, now annotated only with "Installed by chocolatey / Puppet", "Installed by puppet / powershell (provisioning tool)", "Installed by chocolatey (base template)", and "splunk somehow got more expensive between slides, but chocolatey/puppet nonetheless".]

Windows as a First Class Citizen?

Windows Modules - Forge vs. DSC

[Slide: side-by-side comparison of Forge and PSGallery modules.]

Forge v. Gallery - Specialized Areas

[Slide: side-by-side comparison of Forge and PSGallery specialized areas.]

In the future…

• There is a new world of Windows coming.

• Docker doesn’t care about your group policies.

• Nano doesn’t care about your group policies.

• Get to know your registry / objects.

• If you are going to abstract, it should be easy to inspect.

• Stop dual-managing your Windows infrastructure.


Thank You
