3. Use PowerShell with the Best Practices Analyzer
The BPA tools also have full PowerShell cmdlet support, so you can accomplish the BPA tasks in PowerShell as well. The BPA PowerShell cmdlets are built in to the server and do not require any additional tools or packages to be installed. The PowerShell tools also give you the additional capability to run BPA scans of multiple roles at one time.
To be able to run the BPA PowerShell commands, you need to load both the Server Manager PowerShell module and the Best Practices Analyzer module. You can either load them separately or run Windows PowerShell Modules.
Load the Windows PowerShell modules by selecting Start => Administrative Tools and clicking Windows PowerShell Modules.
To load the modules separately, after you have opened an administrative PowerShell session, run the following procedure. If you do not run the BPA commands from an administrative window, you may see a message similar to Figure 6 reminding you to run the command in an administrative window.
Follow these actions, referenced previously in Step 2:
1. Open administrative PowerShell by selecting Start => All Programs => Accessories => Windows PowerShell.
2. Right-click Windows PowerShell, and select Run As Administrator.
3. If prompted by User Account Control, click Yes.
4. From the PowerShell prompt, type the following, and then hit Enter:
   Import-Module ServerManager
5. From the PowerShell prompt, type the following, and then hit Enter:
   Import-Module BestPractices
There are really four commands you will need to learn, as shown in Table 2.
Table 2. BPA PowerShell Commands
Command | Usage
--- | ---
Get-BPAModel | Lets you view the roles installed on the server against which you can run BPA scans; it also shows you when the last scan of a particular role was created.
Get-BPAResult | Lets you view the results for any given BPA scan you have performed.
Invoke-BPAModel | Runs a BPA scan on your server for the particular role you want to scan.
Set-BPAResult | Lets you filter the BPA report produced by the Get-BPAResult command so that you see only the information you want to view in the report.
3.1. BPA PowerShell Examples
To determine which roles currently installed on the server you can run a BPA scan against, or to see whether a BPA scan has already been run, use the following command:
Get-BPAModel
You will see results similar to Figure 7.
The important part of the Get-BPAModel output is the model IDs displayed in the results. The model IDs are used in the other BPA commands to perform designated tasks. Currently there are only five IDs you can use, supporting the five roles that currently leverage the BPA; they're listed in Table 3.
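The following script is an added example and is not part of the original text. It combines the setup steps above into one script: it verifies that the session is elevated before anything else (so the Figure 6 reminder never appears), imports the two modules, and then uses Get-BPAModel to list every model ID together with whether that role has ever been scanned. The Id and LastScanTime property names on the Get-BPAModel output objects are assumptions; the page itself only states that the output shows model IDs and the time of the last scan.

```powershell
# Added example: elevation check, module import, and a BPA model inventory.
# Assumes Windows Server 2008 R2 with the ServerManager and BestPractices modules.
# The Id and LastScanTime property names are assumed, not taken from the page.

# Confirm the session is running elevated; BPA cmdlets require an administrative window.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Start PowerShell with 'Run As Administrator' before running BPA commands."
}

# Load the two modules the BPA cmdlets depend on; stop immediately if either is missing.
Import-Module ServerManager -ErrorAction Stop
Import-Module BestPractices -ErrorAction Stop

# Inventory every role that BPA can scan on this server and flag roles never scanned.
# New-Object PSObject is used (instead of [PSCustomObject]) so this runs on PowerShell 2.0.
$inventory = Get-BPAModel | ForEach-Object {
    $model = $_
    if ($model.LastScanTime) {
        $status = "last scanned $($model.LastScanTime)"
    } else {
        $status = "NEVER SCANNED"
    }
    New-Object PSObject -Property @{ ModelId = $model.Id; Status = $status }
}

$inventory | Select-Object ModelId, Status | Format-Table -AutoSize
```

Roles that show NEVER SCANNED are the ones to run Invoke-BPAModel against first; the same inventory can be piped straight into Invoke-BPAModel, as the examples below show.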
Table 3. BPA Role IDs
BPA Role ID | Role
--- | ---
Microsoft/Windows/CertificateServices | Active Directory Certificate Services (AD CS)
Microsoft/Windows/DirectoryServices | Active Directory Domain Services (AD DS)
Microsoft/Windows/DNSServer | DNS
Microsoft/Windows/TerminalServices | Remote Desktop Services (RDS)
Microsoft/Windows/WebServer | Internet Information Services (IIS)
To scan the Internet Information Services role on your server, run the following command:
Invoke-BPAModel -id Microsoft/Windows/WebServer
To scan all the roles currently supported by the BPA tool, you could run the following command on your Windows Server 2008 R2 server:
Get-BPAModel | Invoke-BPAModel
To view the BPA report for the Internet Information Services BPA scan, run the following command, and you will see results similar to Figure 8:
Get-BPAResult -id Microsoft/Windows/WebServer
Although you can view the results in the PowerShell window, remember that you can always view the results in the Server Manager interface regardless of where you ran the scan from (the GUI or PowerShell). So if you want to view the full report, we recommend using the Server Manager interface. If you want to filter results, you can do this in PowerShell with the Set-BPAResult command or with a Where clause.
If you want to view a BPA report for Internet Information Services but only with the rules in the Security category, you could run the following command (keep it on one line, or end the first line with the pipe character; a pipe at the start of a new line is not valid in Windows PowerShell 2.0):
Get-BPAResult -id Microsoft/Windows/WebServer | Where { $_.Category -eq "Security" }
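The following script is an added example and is not part of the original text. It ties together the scan-all-roles command (Get-BPAModel | Invoke-BPAModel), Get-BPAResult, and the Where filter from above into one pass: scan every model the server exposes, collect each model's results, keep only Security-category findings that are Errors or Warnings, and print them alongside a CSV export for tracking. It assumes the ServerManager and BestPractices modules are already imported in an elevated session. The Severity, Title and Resolution property names on the result objects, and the Severity value "Information", are assumptions; the page itself names only the Category property.

```powershell
# Added example: scan every BPA-capable role, then report only Security-category
# findings that are Errors or Warnings. Assumes modules are loaded in an elevated session.
# Severity, Title and Resolution property names (and the "Information" severity value)
# are assumed, not taken from the page; adjust them if your result objects differ.

$reportPath = Join-Path $env:TEMP "bpa-security-findings.csv"   # placeholder output path

# Run a scan for every model on the server (same effect as Get-BPAModel | Invoke-BPAModel).
$models = @(Get-BPAModel)
foreach ($model in $models) {
    Write-Host "Scanning $($model.Id) ..."
    Invoke-BPAModel -Id $model.Id | Out-Null
}

# Pull the results of each scan and keep only Security findings that need action.
# The calculated ModelId column records which role each finding belongs to.
$findings = @(foreach ($model in $models) {
    Get-BPAResult -Id $model.Id |
        Where-Object { $_.Category -eq "Security" -and $_.Severity -ne "Information" } |
        Select-Object @{ Name = "ModelId"; Expression = { $model.Id } }, Severity, Title, Resolution
})

if ($findings.Count -eq 0) {
    Write-Host "No Security-category errors or warnings were reported."
} else {
    # Errors sort before Warnings alphabetically, so the most serious items appear first.
    $findings | Sort-Object Severity, ModelId | Format-Table -AutoSize -Wrap
    $findings | Export-Csv -Path $reportPath -NoTypeInformation
    Write-Host "Exported $($findings.Count) finding(s) to $reportPath"
}
```

Wrapping the foreach output in @() keeps $findings an array even when only one finding (or none) comes back, so the .Count check behaves the same on PowerShell 2.0 as on later versions. The CSV gives you a baseline to compare against after remediation or on the next scheduled scan.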