Embed Size (px)
Citation preview
Kaseya EssentialsBootcamp
Developed by
Kaseya UniversityPowered by
IT ScholarsKaseya Version 6.2
Last updated on Jan. 24, 2012
DAY ONE AFTERNOON
Roadmap!1. Monday, Day One Morning
– Overview– System Architecture– Agents
2. Monday, Day One Afternoon– LAB Review– Agent Template and Policy
Management Concepts– Audit– Patch Management
3. Tuesday, Day Two Morning– LAB Review– Monitor– Ticketing
4. Tuesday, Day Two Afternoon– LAB Review– Agent Procedures– Remote Control– Live Connect
5. Friday, Day Three Morning– LAB Review– Agent Template vs. Policy
Management– System – Info Center
1. Monday, Day One Morning– Overview– System Architecture– Agents
2. Monday, Day One Afternoon– LAB Review– Agent Template and Policy
Management Concepts– Audit– Patch Management
3. Tuesday, Day Two Morning– LAB Review– Monitor– Ticketing
LAB REVIEW
Org & Machine GroupsScreenshot taken after Part1
Agent Deployment PackagesScreenshot taken after Part3
AD UsersScreenshot taken after Part3
AD MachinesScreenshot taken after Part3
LAN WatchScreenshot taken after Part3
Agent StatusScreenshot taken after Part3
Agent Icon in System TrayScreenshots taken after Part3
Views: Windows 2003 ServerScreenshot taken after Part4
Views: XPScreenshot taken after Part4
Agent MenuScreenshot taken after Part5
Application BlockerScreenshot taken after Part6
Agent Log ReportScreenshot taken after Part7
AUDIT
Three Types of Audits• Baseline Audit
– The Baseline Audit captures the configuration of the system in a known working state.
• System Audit– The System Info captures the system’s information that
will rarely change (i.e., processor, disk drive, memory, etc.).
• Latest Audit – Latest Audit captures the most up-to-date
configuration of the system and you will configure it to audit changes made to the machine on a daily basis.
AUDIT• Baseline Audit and System Info should be
executed only once. • Baseline Audit, System Info, and Latest
Audit are done by default when an AGENT is installed on a machine.
• Future Topic - Use Policy Management Module to schedule the LATEST AUDIT for a specific Organization or Machine Group.
AUDIT• Assumption
– The auditing has been completed and scheduled
• Tasks– View the audit information of the computers
View Audit27. View all the tabs under the two groups, View Group Data and View
Individual Data. Note what type of information can be obtained through audit and what it can be used for future applications.
Audit Summary• View Audit Information.
– Audit Summary• Provides a view of the data returned by audits of machines.
– Configure Column Sets• Create NEW Column Sets
Revisit Machine Views• Views (Machine Views)• Review Imported Views from the IT Service
Delivery Kit.• Review specific Machine Views
Review Inventory Information• Perform an Inventory Data Walkthrough
– Machine Summary– System Information– Installed Applications
• All Executable Files
– Add/Remove programs• Note the Uninstall String for each Application
– Software Licenses– Documents
Agent Template vs.
Policy Management
Benefits of Agent Templates• Consistency of Service delivery
• Standard Practice
• Kaseya Agent Basic Configurations is pushed during initial Kaseya Agent Installation
Benefits of Policy Management• Consistency of Service delivery
• Standard Practice
• Ensure distributed systems are in Compliance with IT policies
• Simplify the application and management of policies based on Organizations or Machine Groups.
Agent Template vs.Policy management
• Agent Template will push agent configuration settings during initial Kaseya Agent Installation
• Policy Management will ensure that Agents will follow certain Agent Policies.– Allow for simplified policy enforcement across
distributed organizations.
• STAY TUNED…..
Agent Templates Settings• Agent settings are copied during
installation of Kaseya Agent– Agent Deployment Package can reference an
Agent Template
Agent Settings• Menu options• Credentials• Working Directory• Check-in Control• Other options
– Audit Scan / Patch Scan– Event Log Settings– Agent – Alerts– Monitor Sets– Agent Procedures
LAB• Assumptions
– In the next few months a large number of computers will be added to your environment
– You figured that there are only three type of machines in your environment
• Tasks– Develop three customized agent templates
that incorporate the required agent settings for machines with similar roles
• Instructional lab computers• Guest computers• Servers
A Group for Agent Templates• Create a machine group for templates, called “Templates”.1. Open the System module. Go to Orgs / Groups / Depts > Manage.2. Verify if the Organization “FIU-<USERNAME>” is checked.3. Click on Machine Group on the right hand side of the module. 4. Click on New.
A Group for Agent Templates5. Create a group by typing its name “Templates” under Machine
Group Name. Click Save.
Creating Agent Templates• Create three agent templates: “Server”, “Instructional”, and “Guest”6. Open the Agent module. Go to Install Agents > Create.7. Type in “Server” in the textbox under New Machine ID.8. Select “Templates” under the Group ID textbox.9. Click on Create.10. Repeat steps 6-9 for the “InstructionalTemplate” and
“GuestTemplate”.
Note• An agent template will have an orange
square icon to emphasize the fact that the agent template will never be installed on a computer.
• Its sole purpose is to provide additional customized settings for agents with similar roles so that such setting can be added to the settings of already deployed agents or be used as part of an agent package.
LAB Assist• Review Steps
• Watch the Video demonstration
• Watch the Interactive demo
• Practice on your Virtual Lab
PATCH MANAGEMENT
Patch Management
• Patch Scan• Patch Policy• File Source• Reboot Action• Patch Update
Background Story• At this time, operating system patches are
applied on an individual basis.• An organized and closely monitored
method is needed to facilitate and monitor distribution and application of all necessary patches to the managed computers.
• Kaseya's Patch Management module allows you to accomplish all these tasks and monitor patch activities.
Exercises• Implement policies that will keep the
computers updated and avoid potential security risks by having non-patched computers within the environment.
• Set up Kaseya to scan all the computers to allow the VSA to keep a detailed record as to which patches have been installed.
• Configure Kaseya to download the patches from one central server to save bandwidth and decrease redundant network traffic.
LAB• Tasks
– To keep an accurate record of all the patches installed on each computer, it would be best to schedule a scan, through Kaseya's VSA, to all the computers.
– While this is not a heavy process, it would still be best to schedule the scan during a time when the computer is otherwise idle.
Patch Scan• Using Scan Machine, schedule a scan to run every day at 3:00am on
all the agent templates.1. Open the Patch Management module. Go to Manage Machines >
Scan Machine.
Patch Scan1. Go to Manage Machines > Scan Machine.
Patch Scan2. Select all the agent templates.3. Click on the Schedule button.
Patch Scan4. Set the scan to run
Daily at 3:00am with a Distribution window of 1 hour.
5. Click on Submit.
LAB Assist• Review Steps• Watch the Video demonstration (Step 1)• Watch the Interactive demo (Step 2)• Practice on your Virtual Lab (Step 3)
LAB• Background information
– Policies are like templates in which you can approve/deny a group of patches, or an individual patch.
• Tasks– Create two policies
• One for all the XP machines • One for the Windows 2003 Server machines
– The policies should automatically apply • All Security Updates approved on all machines • All optional updates pending approval.
Note• We create W2K3 and XP templates.
– If there were Windows 2008 servers or other servers in the environment, it would be better to name the policy for all the Windows servers as just "Servers”
– By the same token, if the were other workstations in the environment, it would be better to name the policy for all the workstations as just "Workstations".
Creating Patch Policy for W2K3• Create a patch policy, W2K3-PM-Policy-<USERNAME>• Set it to apply all future Security Updates by
default. • Everything else should be set to Pending
Approval. • Use a filter to deny patches that are optional
and have not been superseded by other updates.
Creating Patch Policy for W2K36. Go to Patch Management > Patch Policy > Create/Delete.7. Type “W2K3-PM-Policy-<USERNAME>” for the policy name.8. Click on Create.
Creating Patch Policy for W2K39. Go to Patch Policy > Approval by Policy.10. Select “W2K3-PM-Policy-<USERNAME>” under the Policy dropdown
list.11. Click on the green checkmark for all the Security Update rows. The
Green checkmark is under the column Default Approval Status.12. Make sure the other rows’ Default Approval Status is set to Pending
Approval.13. Click on Total at the bottom of the table. A new page will load up.
Creating Patch Policy for W2K3
Creating Patch Policy for W2K314. Click on Filter... A new window will open up.
Creating Patch Policy for W2K315. Select Optional Updates from the Classification / Type dropdown.16. Select Not Superseded from the Superseded dropdown.17. Click on Apply
Creating Patch Policy for W2K318. Click on Select All.19. Click on Deny.
Creating Patch Policy for XP• A patch policy, XP-PM-Policy-<USERNAME>
• Set it to all future Security Updates by default• Everything else should be set to Pending
Approval.
Creating Patch Policy for XP20. Go to Patch Management > Patch Policy > Create/Delete.21. Type “XP-PM-Policy-<USERNAME>” for the policy name.22. Click on Create.
Creating Patch Policy for XP24. Select “XP-PM-Policy-<USERNAME>” under the Policy dropdown list.25. Click on the green checkmark for all the Security Update rows..26. Set the other rows’ Default Approval Status to Pending Approval.
Creating Patch Policy for XP• Approve all Security Updates for all patch policies.27. Go to Patch Management > Patch Policy > Approve By Patch.28. Click on Edit next to Patch View. A new window will open up.
Creating Patch Policy for XP29. Select All Security
Updates (High Priority) from the Classification / Type dropdown.
30. Select Not Superseded from the Superseded dropdown.
31. Type “<USERNAME> Patch View” in the View Name textbox. Click on Save.
Creating Patch Policy for XP32. Click on Select All.33. Click on Approve.
Patch Policy• Policy / Group By Views
– Classification vs. Product Views
Note:Between the two views the Default Approval Status is determined by:
Highest --------------------- LowestDenied Pending
Approved Approval
LAB• Background information
– Downloading all the patches to a file server and distributing it to all the machines on network will allow you to save bandwidth.
• Tasks– Configure all the templates to pull from the file
server using the UNC path “\\dc\PatchTemp” • Set the patch directory to “C:\PatchTemp” on the
dc• If the computer cannot access DC, it should then
download from the internet.
Setting Patch File Source• Using File Source set up all the machines so that they download their
updates from the DC. If the DC is unreachable, the machine should then download it from the Internet. The UNC path should be “\\dc\PatchTemp” while the local directory should be “C:\PatchTemp”.
39. Open the Patch Management module. Go to Configure > File Source.40. Select all the agent templates.41. Select Pulled from file server using UNC path.42. Type “\\dc\PatchTemp” next to Pulled from file server using UNC
path.43. Select “fiu-<USERNAME>.mr” next to Machine Group Filter.44. Select “dc.mr.fiu-<USERNAME>” next to File share located on.45. Type in “C:\PatchTemp” next to in local directory.46. Select the Download from Internet if machine is unable to connect
to the file server checkbox..Click on Apply.
Setting Patch File Source
LAB• Background Information
– Certain updates require the Windows OS to restart to finish installation.
• Tasks – Set up the XP machines so that they restart
only when a user is not online. – For servers, set up an email notification so that
you can plan the restart and notify in advance the users of the server maintenance.
Setting Reboot Action• Use Reboot Action to set the Guest and Instructor templates to Skip
reboot if user logged in immediately after applying new patches and updates. Then, set the Server template to notify you immediately, via email, when a reboot is required after applying new patches and updates.
47. Open the Patch Management module. Go to Configure > Reboot Action.
48. Select the Guest and Instructor templates. 49. Click on Skip reboot if user logged in.50. Click on Apply.51. Repeat steps 47-50 for the Server template. Set the Server template
to send the reboot notification to your personal email.
Why do we need to change the Server Template Reboot Action from the default Skip reboot if user logged in?
Setting Reboot Action
Note• Setting to skip reboot means it may take longer for the
patch to take effect, thus increasing the risk of vulnerability.
• The instructional computers are set to reboot at night automatically after an install, since no user work at night and we do not worry about losing open files.
• However if the target machines were end user machines, the best policy would be to set the workstations to "ask" and reboot if not logged in.
• The KaUsrTsk.exe is the application that determines whether a user is logged in or not.
LAB• Assumptions
– We have setup the patch policies to our liking.• Tasks
– We need to setup Kaseya to apply the patches automatically to the machines.
Applying Patch Policies52. Go to Patch Management > Manage Machines > Automatic Update.
Applying Patch Policies53. Select all the template agents in the list
Applying Patch Policies54. Click on Schedule
Applying Patch Policies55. Click on Daily56. Set the run time to
5:00 AM with a distribution window of 1 hour.
57. Click on Submit
LAB• Assumptions
– All three agents templates contain all the patch management settings.
• Tasks– Push the settings captured in the templates to
all the currently deployed agents with the similar roles.
Copy Settings• Copy the settings from the templates to the
specified computers on the network. – Server template will be used for the MR
building. – Instructional template will be used for the SCIS
and CEC buildings. – Guest template will be used for the GL
building.
Copy Settings58. Open the Agent module. Go to Configure Agents > Copy Settings.59. Click on select machine ID link and a new window will open up.
Copy Settings60. Select “fiu-<USERNAME>.templates”.61. Click on “Server” from the list of templates shown.
Copy Settings62. Select All under Do Not Copy, Replace for Patch Settings, Patch File
Source and Patch Policy Memberships, Agent Procedure Schedules.
Copy Settings• Note: When you have a schedule in Agent Procedures activity on an
agent template, you need to make sure Agent Procedure Schedules is selected in copy settings.
63. Select all the computers in the MR building and click on the Copy button.
64. Repeat steps 52-57 for the Instructional and Guest templates.
LAB• Background Information
– Windows Automatic Update can interfere with the functionality of Kaseya's Patch Management and must be disabled.
– While Kaseya allows you to disable Windows Automatic Update from within the Patch Management module this option cannot be implemented in a template and must be implemented by selecting agents that check in.
• Tasks– Disable Windows Automatic Update for all computers.
Disabling Windows Auto Update65. Open the Patch Management
module. Go to Configure > Windows Auto Update.
66. Select all the computers.67. Select Disable – Disable Windows
automatic Update to let patch management control system patching.
68. Click on Apply.
Note• If the checkboxes are missing, please wait
5-10 minutes and refresh the page as the Patch Scan is not completed yet.
• Checkboxes will not display for any machine that either has an operating system that does not support Windows Automatic Updates, or for which an initial Scan Machine has not been completed.
LAB• Assumptions
– Microsoft has released a new KB article and it entails a new version of Internet Explorer; however, management has asked you not to install it and to prevent future installations of it via Windows Updates.
• Tasks– Use KB Override to accomplish this task since it
will override all current patch policies and future patches.
– KB article (KB944036) for IE8.
Denying a Patch Globally• Prevent Internet Explorer from installing by using KB Override.69. Go to Patch Management > Patch Policy > KB Override.70. Type in “944036” in the KB Article textbox.71. Click Deny.
Initial Update• One Time Patch Update
– Initial Update will complete a patch update process on machines
• NOTE: All patches that are approved will be installed. If no Patch Policy is assigned all patches will be installed
• NOTE: It will automatically reboot the machines without any warning.
Roadmap!1. Monday, Day One Morning
– Overview– System Architecture– Agents
2. Monday, Day One Afternoon– LAB Review– Agent Template and Policy
Management Concepts– Audit– Patch Management
3. Tuesday, Day Two Morning– LAB Review– Monitor– Ticketing
4. Tuesday, Day Two Afternoon– LAB Review– Agent Procedures– Remote Control– Live Connect
5. Friday, Day Three Morning– LAB Review– Agent Template vs. Policy
Management– System – Info Center
1. Monday, Day One Morning– Overview– System Architecture– Agents
2. Monday, Day One Afternoon– LAB Review– Agent Template and Policy
Management Concepts– Audit– Patch Management
3. Tuesday, Day Two Morning– LAB Review– Monitor– Ticketing
THE END!
