For more information, contact Carahsoft or our reseller partners: [email protected] | 877-RHAT-GOV

Ask an Expert: Ansible Automation + Windows for Federal System Integrators

IT automation is critical for Federal System Integrators seeking to manage large numbers of systems and applications at scale. Red Hat expert J.R. Morgan discusses how Red Hat Ansible Automation Platform helps ensure the necessary security, consistency, and repeatability of management operations for Windows IT infrastructure.

Featuring: J.R. Morgan, Senior Solutions Architect, Red Hat

Which integrations are supported by Ansible Tower?

There’s really such an ecosystem around this [Ansible], it’s crazy. We can integrate with VMware and pull our dynamic inventory from there, or we could spin up virtual machines (VMs). There are many different options. Same thing with AWS. We could pull an inventory or spin up EC2 instances or make changes in AWS. Same goes for Splunk.

Ansible can also integrate with lots of different configuration management databases (CMDB), like ServiceNow. You can pull your inventory, write an inventory into there, or even drive the automation through some of these programs. We also integrate with GitHub, GitLab, or Bitbucket. I recommend you store all your playbooks in source control management. You can take advantage of all the tools that these applications have. They even have version control, so you can do PRs and merges to see who’s submitting the code and who’s merging it in, if you have an approval committee that you’ve nominated within your company. They review the playbooks and then merge them into the new repository, and that’s the repo that Tower reads from.

Ansible is the glue that holds all these different things together within your network.

Is Microsoft Windows’ capability on par with Ansible Automation?

I’d say the short answer to that is yes, it’s very close as far as the core modules go, with feature parity on managing Windows or Linux. That wasn’t always the case. Recently, you’re seeing a lot more added to the Windows modules and the Windows collection to enable you to leverage automation against Windows endpoints.

What are the use cases of Ansible Tower for configuring Windows infrastructure?

The first use case that comes to mind is provisioning a Windows VM inside of VMware. It doesn’t just target cloning the template; it might also include attaching the appropriate virtual machine networks or associating the proper static IP addresses via VMware customizations. All things can be automated from start to finish with Ansible.

Additionally, if you’re already leveraging Terraform by HashiCorp, Ansible can manage Terraform to instantiate these virtual machines in VMware. And, again, we’re not limited to that environment. We could just as easily target instance provisioning or VM provisioning across VMware, across AWS, across Azure, and then again, manage the artifacts that come along with provisioning those instances in different environments.
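The VMware provisioning use case described above, worked through as an added example (this is editor-supplied example code, not a playbook from the webinar or from Red Hat). It clones a Windows template with the community.vmware.vmware_guest module, applies a static IP and hostname through VMware guest customization, waits for the HTTPS WinRM listener, and hands the new host to later plays. The vCenter host, datacenter, cluster, folder, template, port group, addresses, environment-variable names and the new_windows group are all assumptions:

```yaml
# Added example, not from the webinar. Every name below is a placeholder.
- name: Provision a Windows Server VM from a template in VMware
  hosts: localhost
  gather_facts: false
  vars:
    vcenter_hostname: vcenter.example.internal   # assumed
    datacenter: DC1                              # assumed
    cluster: Cluster01                           # assumed
    vm_name: win-app-01                          # assumed
    template: win2019-base                       # assumed template name
    vm_network: VM-Servers                       # assumed port group
    vm_ip: 10.10.20.31                           # assumed static address
  tasks:
    - name: Clone the template and apply static IP / hostname customization
      community.vmware.vmware_guest:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ lookup('env', 'VMWARE_USER') }}"       # assumed env vars; keep creds out of the repo
        password: "{{ lookup('env', 'VMWARE_PASSWORD') }}"
        validate_certs: true        # keep TLS validation on; do not set false outside a lab
        datacenter: "{{ datacenter }}"
        cluster: "{{ cluster }}"
        folder: "/{{ datacenter }}/vm/Windows"               # assumed folder
        name: "{{ vm_name }}"
        template: "{{ template }}"
        state: poweredon
        networks:
          - name: "{{ vm_network }}"
            type: static
            ip: "{{ vm_ip }}"
            netmask: 255.255.255.0
            gateway: 10.10.20.1
        customization:
          hostname: "{{ vm_name }}"
          dns_servers: [10.10.0.10, 10.10.0.11]
          password: "{{ lookup('env', 'WIN_LOCAL_ADMIN_PW') }}"   # local Administrator password set by sysprep
        wait_for_customization: true
        wait_for_ip_address: true
      register: vm

    - name: Wait for the HTTPS WinRM listener the template is built with
      ansible.builtin.wait_for:
        host: "{{ vm_ip }}"
        port: 5986
        delay: 30
        timeout: 900

    - name: Hand the host to later configuration plays in the same job
      ansible.builtin.add_host:
        name: "{{ vm_name }}"
        groups: new_windows     # WinRM transport / cert-validation vars for this group live in group_vars (assumed)
        ansible_host: "{{ vm_ip }}"

- name: Prove a full WinRM session works before STIG or application plays run
  hosts: new_windows
  gather_facts: false
  tasks:
    - name: Collect facts over WinRM
      ansible.windows.setup:
```

The second play is the real readiness check: an open TCP port only proves the listener is up, while a successful fact gather proves authentication and the HTTPS certificate are accepted with the connection variables you actually ship.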

Now, I want to highlight security automation with regard to Windows. This is a very common use case for Ansible against Linux endpoints, but it’s getting more and more common with Windows managed hosts and Ansible Tower. Part of that is a result of the Microsoft PowerStig project. Through this project, Microsoft and independent contributors allow you to make a Windows system STIG compliant, regardless of version, supported as far back as 2008 and all the way up to 2019. PowerStig allows you to apply a STIG profile to a Windows server using Desired State Configuration (DSC) files and management object files as well. It’s a very easy-to-use collection of PowerShell modules, and it integrates very nicely with Ansible as well.

I want to emphasize the different use cases that you can tackle with Ansible or Ansible Tower when it comes to Windows. It’s not isolated to Linux for all these different use cases anymore.

If you have a workflow where you are providing select exceptions to STIG profiles assigned to new or existing Windows hosts, you can incorporate that into a more elaborate workflow. You can add that approval or denial step into the workflow so it can be escalated to a member of your corporate information security team or an administrator who has the authority to approve or deny that security exception. If they end up denying the exception, it may still apply to the PowerStig DSC. Either way, you have a workflow in place to enforce certain profiles or provide exceptions for certain profiles.

Can Ansible discover a server configuration drift? For example, if the user changed a configuration file and then put it back to the way it was or should be.

Absolutely, that is a very common use case. You can even show the diff output between the original source configuration and the new configuration file to verify what was changed, and even have the capability to back up that file if any reversion to the original is executed.

How do you check configuration drift regularly on a schedule?

Either via API or even via code checking: if your configuration files themselves are checked into some kind of version control system, you could even trigger it to apply the new version of that config file just based off of, again, either an API call or a web hook.
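The drift detection and scheduled-check answers above, worked through as one added example (editor-supplied, not a playbook from the webinar or from Red Hat). The desired file is rendered from a template that lives in the same Git repository Tower reads from; run as-is the play only reports a diff and fails the host, so a scheduled Tower job goes red when someone has hand-edited the file, and with -e report_only=false it rewrites the file and keeps a backup of the drifted copy. The host group, template name and target path are assumptions:

```yaml
# Added example, not from the webinar. Group, template and path are placeholders.
- name: Detect (and optionally correct) drift in a Windows config file
  hosts: windows_app
  gather_facts: false
  vars:
    config_template: templates/app.config.j2       # assumed; versioned in the Tower project repo
    config_path: C:\Apps\Inventory\app.config      # assumed target file
  tasks:
    - name: Render the desired config; in check mode this only computes the diff
      ansible.windows.win_template:
        src: "{{ config_template }}"
        dest: "{{ config_path }}"
        backup: true          # timestamped copy of the old file is kept when we do overwrite
      register: cfg
      check_mode: "{{ report_only | default(true) | bool }}"   # audit by default, remediate with -e report_only=false
      diff: true              # prints the unified diff in the job output regardless of -D

    - name: Surface the drift in the job log (pick this up from Tower or forward to Splunk)
      ansible.builtin.debug:
        msg: "Drift on {{ inventory_hostname }}: {{ config_path }} differs from the tracked version"
      when: cfg.changed

    - name: Fail the host when auditing so the scheduled run shows red
      ansible.builtin.fail:
        msg: "Unapproved change to {{ config_path }} on {{ inventory_hostname }}"
      when: cfg.changed and (report_only | default(true) | bool)

    - name: Report where the drifted copy was saved when we remediated
      ansible.builtin.debug:
        msg: "Restored {{ config_path }}; previous content saved to {{ cfg.backup_file }}"
      when: cfg.changed and cfg.backup_file is defined
```

Because the template is the desired state, a change committed to the repository also flows through this play, so a Tower schedule (or a webhook on merge) covers both directions the answer mentions: detecting unauthorized local edits and applying an approved new version.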

Has Ansible Tower been made into a Docker container?

Typically, Ansible Tower is not installed as a Docker container. It certainly could be if you want to run it on Kubernetes or OpenShift directly; there is an operator that would install that in a container. If you’re not running it on OpenShift or Kubernetes, it’s typically installed with an Ansible playbook, either on a VM or on bare metal.

How can Ansible help with patch management on Windows?

There’s actually a Windows Update module, and there are a couple different ways you can leverage that.

1. You can have a playbook run periodically.
2. You can have that Windows Update module preset a scheduled task that is managed either exclusively or partially by Ansible.

If you’re already using a Microsoft solution, more than just Windows Server Update Services (WSUS), like System Center, it’s going to have a different patching pattern than leveraging the Windows Update module with WSUS. If you’re not using System Center, then Windows Update and WSUS together (which is a powerful combination, even without WSUS) should make it very quick and easy to schedule and enforce updates against any given number of Windows endpoints.

Do you see Ansible replacing Satellite for provisioning? What are the pros and cons of one over the other?

Ansible and Ansible Tower complement, rather than replace, Satellite as far as provisioning and patching go. It is a symbiotic relationship. I can’t say it’s going to replace it because Ansible doesn’t really handle content management in the same way that Satellite does. As far as configuration management, Satellite has embedded Ansible included with it, but it does not have the API. It doesn’t have the ability to define and leverage elaborate workflow templates or approval dialogues, and it doesn’t have the full role-based access control capabilities that Ansible Tower has. While some overlap occurs between the two products, they’re more complementary than competing. The same even applies to Terraform. I don’t see Ansible replacing Terraform, but I see them complementing one another. Terraform is amazing at provisioning infrastructure and maintaining state. Ansible can do that as well, but it doesn’t really maintain state as much.
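The "playbook run periodically" option from the patch management answer above, as an added example (editor-supplied, not a playbook from the webinar or from Red Hat). It uses the ansible.windows.win_updates module twice: a search pass that records what the host's configured WSUS server would hand out, then an install pass with a controlled reboot, patching a quarter of the group at a time so a bad update cannot take every server down in one job. The host group and log path are assumptions:

```yaml
# Added example, not from the webinar. Group name and log path are placeholders.
- name: Monthly security and critical update run
  hosts: windows_servers
  gather_facts: false
  serial: "25%"     # roll through the group in quarters; a failed batch stops the job before the rest
  tasks:
    - name: Search only; report what WSUS would install
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: searched
        server_selection: managed_server   # the WSUS server the host is pointed at; windows_update goes to Microsoft directly
      register: pending

    - name: Show pending updates (the evidence trail in the Tower job output)
      ansible.builtin.debug:
        var: pending.updates
      when: pending.found_update_count | default(0) > 0

    - name: Install the updates and reboot only if an update requires it
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
        server_selection: managed_server
        reboot: true
        reboot_timeout: 1800
        log_path: C:\ProgramData\ansible-updates.log   # assumed path; the module's own per-host log
      register: applied
      when: pending.found_update_count | default(0) > 0

    - name: Fail the host if any update failed so the job does not report clean
      ansible.builtin.fail:
        msg: "{{ applied.failed_update_count }} update(s) failed on {{ inventory_hostname }}"
      when: applied.failed_update_count | default(0) > 0

    - name: Flag hosts that still need a reboot (e.g. when reboot was suppressed by policy)
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} has a pending reboot"
      when: applied.reboot_required | default(false)
```

Schedule the play from Tower for the maintenance window; the search pass is cheap enough to run daily on its own (state: searched changes nothing) if you want a standing view of patch backlog between windows.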

You included WinRM basic in your example - what are the other connectivity methods for WinRM for domain and workgroup servers?

Such a good question! Again, basic authentication will be unacceptable for production environments. For demo, that’s fine. CredSSP, Kerberos, X.509, all of those are supported authentication mechanisms for managing hosts via WinRM. So, take your pick. We’ve had exposure and experience with all of those. I’ll also add that if you’re familiar with cloud-init, either on AWS or the Windows version of cloud-init, it does make configuration of WinRM on new instances spinning up quite easy, even if you are using something like X.509.
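The transports mentioned in the answer above, laid out side by side as an added inventory example (editor-supplied, not from the webinar or from Red Hat): the demo-only basic configuration, Kerberos for domain-joined servers, and X.509 client certificates for workgroup servers that have no domain to authenticate against. Hostnames, the realm, the service account and the certificate paths are assumptions:

```yaml
# Added example, not from the webinar. Hosts, realm, account and paths are placeholders.
all:
  children:
    demo:
      hosts:
        lab-win-01.lab.local:
      vars:
        ansible_connection: winrm
        ansible_port: 5985                       # plain HTTP listener
        ansible_winrm_transport: basic           # DEMO ONLY: local account, password sent with only WinRM message encryption
        ansible_user: Administrator
        ansible_password: "{{ lookup('env', 'LAB_PW') }}"   # assumed env var; never put the password in the file

    domain_servers:
      hosts:
        app01.corp.example.gov:
        app02.corp.example.gov:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                       # HTTPS listener
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos        # ticket from kinit or a Tower machine credential
        ansible_winrm_kerberos_delegation: false # enable only for tasks that must hop to a second host (file share, SQL)
        ansible_winrm_server_cert_validation: validate   # CA-issued listener cert; 'ignore' is for labs only
        ansible_user: svc_ansible@CORP.EXAMPLE.GOV       # assumed service account

    workgroup_servers:
      hosts:
        dmz-web-01.example.gov:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_scheme: https
        ansible_winrm_transport: certificate     # X.509 client cert mapped to a local account on the host
        ansible_winrm_cert_pem: /etc/ansible/certs/dmz-web-01.pem        # assumed path on the control node
        ansible_winrm_cert_key_pem: /etc/ansible/certs/dmz-web-01.key    # assumed path; protect like any private key
        ansible_winrm_server_cert_validation: validate
```

CredSSP (ansible_winrm_transport: credssp) is the remaining option from the answer; it needs the requests-credssp package on the control node and, because it forwards the full credential to the target, is best reserved for the double-hop cases Kerberos delegation cannot cover.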

Can you incorporate the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Windows and Red Hat as a playbook?

The PowerStig project is actually based off of DISA STIG guidelines. So, the short answer is yes, it’s as close as you’ll get. If there’s some rule missing from the PowerStig project, you can actually add those in directly. I’d refer to the wiki on the PowerStig project page for details on how to do that, but the baselines that the PowerStig project provides are pretty comprehensive. We only focused on the standard Microsoft server profile. With that said, if this was a SQL Server we were provisioning, there are other profiles you can apply for specific applications installed on Windows servers.

Is there a way to convert PowerShell to an Ansible playbook or Chocolatey playbook?

Yes, absolutely. For those who aren’t familiar, Chocolatey is a package wrapping system for Windows binaries. It’s an RPM-like distribution format and allows you to install, very similar to how you would install a package on Ubuntu using apt-get. Again, it’s a Windows native tool that makes it easier to install packages - even specific versions of those packages.

I would encourage anyone who’s already leveraging something like PowerShell and WinRM to reuse what you have. Especially if there’s not a native Windows module or Windows collection available to you, reuse your PowerShell. You can always drop back to the WinShell module. I even dropped back to that for the desired state configuration file that I was using with PowerStig. And part of that has to do with what the native Ansible module will recognize as a built-in DSC. So yes, you can absolutely use and reuse PowerShell, if you already have it, with Ansible playbooks.

You can even run your current PowerShell scripts from an Ansible playbook. As you start to make that shift, one thing to keep in mind: most Ansible modules are written in Python, except for the Windows modules, which are written in PowerShell.
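One added example serving three answers above: the PowerStig / DSC security automation, the DISA STIG question, and the advice to reuse existing PowerShell and Chocolatey from a playbook (editor-supplied, not a playbook from the webinar or from Red Hat). It pins a Chocolatey package to a reviewed version, copies a MOF that was compiled from a PowerStig configuration elsewhere, applies it with the same Start-DscConfiguration you would run by hand through win_shell, and then turns Test-DscConfiguration output into JSON so the play can fail with the list of non-compliant resources. The host group, MOF path, package version and script name are assumptions:

```yaml
# Added example, not from the webinar. Paths, versions and script are placeholders.
- name: Reuse PowerShell and apply a PowerStig DSC configuration
  hosts: windows_servers
  gather_facts: false
  tasks:
    - name: Install tooling with Chocolatey, pinned so every host gets the same binary
      chocolatey.chocolatey.win_chocolatey:
        name: git
        version: '2.42.0'        # assumed version; pin and review before raising it
        state: present

    - name: Copy the MOF compiled (and reviewed) from the PowerStig configuration
      ansible.windows.win_copy:
        src: files/dsc/WindowsServer-2019-MS/localhost.mof   # assumed; built with the PowerStig DSC resources
        dest: C:\DSC\Stig\localhost.mof

    - name: Apply the MOF with the PowerShell you already use
      ansible.windows.win_shell: |
        Start-DscConfiguration -Path C:\DSC\Stig -Wait -Force -ErrorAction Stop
      changed_when: true        # Start-DscConfiguration re-applies unconditionally; compliance is checked below

    - name: Test compliance and emit JSON the play can reason about
      ansible.windows.win_shell: |
        Test-DscConfiguration -Detailed |
          Select-Object InDesiredState,
            @{ n = 'NotInDesiredState'; e = { @($_.ResourcesNotInDesiredState.ResourceId) } } |
          ConvertTo-Json -Compress
      register: dsc_test
      changed_when: false

    - name: Fail with the list of non-compliant STIG resources (drives a Tower approval/exception workflow)
      ansible.builtin.fail:
        msg: "{{ inventory_hostname }} not in desired state: {{ (dsc_test.stdout | from_json).NotInDesiredState }}"
      when: not (dsc_test.stdout | from_json).InDesiredState

    - name: Run an existing script unchanged, passing Ansible variables as its parameters
      ansible.windows.win_powershell:        # needs ansible.windows 1.5 or later; otherwise use win_shell as above
        script: "{{ lookup('file', 'scripts/Set-AuditPolicy.ps1') }}"   # assumed existing script in the repo
        parameters:
          LogDir: C:\Logs\Audit
```

Keeping the MOF build out of the play (compile, review, commit, then deploy) is what lets the source-control approval flow described earlier cover the STIG baseline itself: what reaches the host is exactly the artifact that was merged.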

In conclusion

With the evolving demands placed on today’s IT infrastructure, it’s crucial for system integrators to implement enterprise-wide automation that is repeatable, traceable, and less prone to human error. Red Hat Ansible Automation Platform is a simple, agentless, and powerful tool that delivers configuration management and deployment across multivendor environments. Red Hat Ansible simplifies IT infrastructure management by targeting Linux, Unix, networking, cloud services, and Windows with the same tooling. Through Ansible’s native Microsoft Windows support, you can manage your Windows and Linux systems with one unified automation tool.


Thank you for downloading this Red Hat Webinar Digest! Carahsoft is the Master GSA and SLSA Dealer and Distributor for Red Hat Enterprise Open Source solutions available via GSA, SLSA, ITES-SW2, The Quilt and other contract vehicles.

To learn how to take the next step toward acquiring Red Hat’s solutions, please check out the following resources and information:

For additional resources: carah.io/RedHatResources
For upcoming events: carah.io/RedHatEvents
For additional Red Hat solutions: carah.io/RedHatPortfolio
For additional Open Source solutions: carah.io/OpenSourceSolutions
To set up a meeting: [email protected] | 877-RHAT-GOV
To purchase, check out the contract vehicles available for procurement: carah.io/RedHatContracts

Contact Us: Red Hat Solutions for Government | Toll-Free: (877)-RHAT-GOV | Main: (703)-871-8570 | Fax: (703)-871-8505 | Email: [email protected]
