How do I remotely install, configure and maintain SNMP?

Protecting the disk with a full-disk encryption system tied to the TPM (something like Microsoft BitLocker, for example) would go a long way toward preventing malicious attackers from being able to modify or copy the contents of the disk. Breaking the TPM to extract the key is a non-trivial operation, and even a determined attacker will have some real problems unless they have a fairly significant budget.

7
asked 1 March 2014 at 00:21
1 answer

SNMP's old and crusty. Microsoft has put their SNMP engine in deprecated status, so expect to not even see it included with new versions of Windows.

This also sounds like it would be a perfect job for Powershell's new Desired State Configuration, but DSC is complex. It's a relatively heavy commitment in learning, setting up a pull server, updating Powershell throughout the enterprise, etc.

If I were to run a script on every machine to check whether SNMP was installed or not, and install it if it wasn't, I might do something like this:

If($(Get-WindowsFeature SNMP-Service).Installed -EQ $False) 
    { Install-WindowsFeature SNMP-Service }

You can distribute that script however you like, as a startup script perhaps. Or maybe run through a loop of all computers from one central computer and perform the installation remotely.

The configuration bit is not very glamorous. As I said, SNMP is deprecated so Microsoft is not going to spend any energy creating a bunch of Cmdlets for the SNMP service.

But the configuration is just registry settings. You could export the HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters *.reg file from a configured machine, and distribute that *.reg file to other machines via GPO or startup script.

Or you could take a more direct approach like this guy: http://poshcode.org/2066

From the poshcode link:

$pmanagers = "ADD YOUR MANAGER(s)"
$commstring = "ADD YOUR COMM STRING"

Import-Module ServerManager

#Check If SNMP Services Are Already Installed
$check = Get-WindowsFeature | Where-Object {$_.Name -eq "SNMP-Services"}
If ($check.Installed -ne "True") {
    #Install/Enable SNMP Services
    Add-WindowsFeature SNMP-Services | Out-Null
    #Re-query so the check below sees the result of the install
    $check = Get-WindowsFeature | Where-Object {$_.Name -eq "SNMP-Services"}
}

##Verify Windows Services Are Enabled
If ($check.Installed -eq "True"){
    #Set SNMP Permitted Manager(s) ** WARNING : This will overwrite current settings **
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v 1 /t REG_SZ /d localhost /f | Out-Null
    #Used as counter for incrementing permitted managers
    $i = 2
    Foreach ($manager in $pmanagers){
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v $i /t REG_SZ /d $manager /f | Out-Null
        $i++
        }
    #Set SNMP Community String(s)- *Read Only*
    Foreach ( $string in $commstring){
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities" /v $string /t REG_DWORD /d 4 /f | Out-Null
        }
}
Else {Write-Host "Error: SNMP Services Not Installed"}

So that's the idea. You probably want to spend a little more time polishing and completing that, but there's the concept.

Edit: Oh and here's a pretty nice MS document about managing multiple servers remotely via Powershell that has some good ideas in it: http://technet.microsoft.com/en-us/library/hh831809.aspx

function Invoke-WindowsFeatureBatchDeployment {
    param (
        [parameter(mandatory)]
        [string[]] $ComputerNames,
        [parameter(mandatory)]
        [string] $ConfigurationFilePath
    )

    # Deploy the features on multiple computers simultaneously.
    $jobs = @()
    foreach($ComputerName in $ComputerNames) {
        $jobs += Start-Job -Command {
            Install-WindowsFeature -ConfigurationFilePath $using:ConfigurationFilePath -ComputerName $using:ComputerName -Restart
        } 
    }

    Receive-Job -Job $jobs -Wait | Select-Object Success, RestartNeeded, ExitCode, FeatureResult
}
8
answered 2 December 2019 at 23:35
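
An audit of the registry settings that the script in the answer writes, as an added example that is not part of the original answer, the poshcode script or the Microsoft document. The function name Test-SnmpRegistryConfig and its output fields are hypothetical. The rights values other than 4 and the meaning of an empty PermittedManagers key reflect how the Windows SNMP service behaves and are not stated on this page.

```powershell
# Added example (not from the answer or poshcode): audit the SNMP keys set above.
# Test-SnmpRegistryConfig and its output fields are hypothetical names.
function Test-SnmpRegistryConfig {
    param (
        [string]   $ParametersPath  = 'HKLM:\SYSTEM\CurrentControlSet\services\SNMP\Parameters',
        [string[]] $WeakCommunities = @('public', 'private')   # common default names
    )
    # Rights DWORD stored under each community name (the page's script writes 4).
    $rightsNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
    $findings = @()
    $managers = @()

    if (-not (Test-Path $ParametersPath)) {
        $findings += 'SNMP Parameters key not found: service not installed or not configured.'
    }
    else {
        $commPath = Join-Path $ParametersPath 'ValidCommunities'
        if (Test-Path $commPath) {
            $key = Get-Item -Path $commPath
            foreach ($name in $key.GetValueNames()) {
                $rights = [int] $key.GetValue($name)
                if ($rights -gt 4) {
                    $findings += "Community '$name' has rights $rights ($($rightsNames[$rights])), more than read only."
                }
                if ($WeakCommunities -contains $name) {
                    $findings += "Community '$name' is a well-known default name."
                }
            }
        }
        $mgrPath = Join-Path $ParametersPath 'PermittedManagers'
        if (Test-Path $mgrPath) {
            $key = Get-Item -Path $mgrPath
            $managers = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
        }
        if ($managers.Count -eq 0) {
            $findings += 'PermittedManagers is empty: the agent accepts SNMP packets from any host.'
        }
    }

    # Output includes community names, so handle the report as sensitive.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Managers     = $managers
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}
```

To check many servers from one machine, the function body can be passed to Invoke-Command with -ScriptBlock ${function:Test-SnmpRegistryConfig} and your own list of names for -ComputerName.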
