Dwight Bragdon, IT Security Engineer at Qualcomm: Do you work in a non-internet-connected environment? Are your computers and users locked down using government security standards? See how our division at Qualcomm uses WinOps to provide local-admin and internet-connected behaviors without either, using Chocolatey and Puppet.
2. WinOps in a Secure Environment
Dwight Bragdon, IT Sec Engr, Sr Staff
Qualcomm
3. Before we begin…
● Who am I?
○ Dwight Bragdon – IT Security Engineer, Sr. Staff
● What do I do?
○ Microsoft Stack, VMware, Citrix, Nutanix, etc…
● Why should you listen to me?
○ Great question!
4. Environment Overview
● Network 1 "non-secure"
○ Internet connected
○ Users are local admins
○ Corporate business productivity
○ "Wild West"
● Network 2 "Secure Enclave"
○ Non-internet connected
○ Users are not local admins
○ Business/mission productivity
○ Windows Security Baselines/STIGs applied
○ Carbon Black High Enforcement
6. Workflow Overview
● Internet Connected
○ Gerrit: list of packages to internalize, plus the Choco-Internalize PowerShell script
○ Jenkins (C4B): merged changes start the internalization job; the internalization job also runs on a schedule
○ FileShare: internalized packages are pushed to the file share after the internalization job runs
● Non-Internet/Secure Enclave
○ FileShare: the internalized packages brought in from the outside
○ Jenkins: pulls the internalized packages from the file share and pushes them to Artifactory
○ Artifactory: internalized packages, plus custom packages built with Package Builder (C4B)
○ Puppet: Puppet-enforced settings and Choco packages
○ Ad hoc Chocolatey packages: self-service / background service (C4B)
7. Gerrit/Source Control
Choco-Internalize.ps1
# One package id per line in choco-pkg-list.txt; blank lines are skipped
foreach ($package in (Get-Content choco-pkg-list.txt | Where-Object { $_.Trim() })) {
    Write-Output "Internalizing $package"
    Write-Output "------------------------------------------------------------------------"
    # choco download --internalize (C4B) rewrites the package so it carries its
    # installer binaries instead of fetching them from the internet at install time
    C:\ProgramData\chocolatey\bin\choco.exe download --internalize locale=en-US $package --no-progress
    Write-Output "------------------------------------------------------------------------"
    Write-Output ""
}
choco-pkg-list.txt
chocolatey
chocolatey-agent
chocolatey-core.extension
chocolateygui
firefox
googlechrome
pester
winscp
etc…
11. Package Transfer
FileShare FileShare
● Transfer files from external file share to non-internet connected file share
● Can be automated:
○ One-way snapmirror (Netapp)
○ Secure one-way transfers using data diodes
○ Other
● Can be manual
○ Sneakernet
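Whatever carries the packages across (SnapMirror, a data diode, or a USB stick), the enclave side should check that what arrived is exactly what the internalization job produced before anything is pushed to Artifactory. The deck does not show how its Jenkins jobs do this, so the following PowerShell is an added example and not code from the presentation or from Qualcomm: the internet-connected job writes a SHA256 manifest beside the .nupkg files, and the enclave job verifies every file against that manifest and pushes only verified packages. The manifest file name, share paths, Artifactory NuGet URL and the environment variable holding the API key are assumptions for illustration.

```powershell
# Added example, not from the deck. Manifest name, share paths, Artifactory URL
# and the API-key variable are assumptions for illustration.

# --- Internet-connected side: run after the internalization job finishes ---
function New-PackageManifest {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,       # where choco download --internalize wrote the .nupkg files
        [string] $ManifestName = 'manifest.sha256'
    )
    $lines = Get-ChildItem -Path $PackageDir -Filter '*.nupkg' -File | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        "$hash  $($_.Name)"
    }
    $manifestPath = Join-Path $PackageDir $ManifestName
    # ASCII so the manifest is byte-identical on both sides regardless of BOM or codepage
    Set-Content -Path $manifestPath -Value $lines -Encoding Ascii
    return $manifestPath
}

# --- Secure-enclave side: run by Jenkins after the share has been mirrored or carried in ---
function Test-PackageManifest {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [string] $ManifestName = 'manifest.sha256'
    )
    $manifestPath = Join-Path $PackageDir $ManifestName
    if (-not (Test-Path $manifestPath)) { throw "No manifest at $manifestPath; refusing to import." }

    $expected = @{}
    foreach ($line in Get-Content $manifestPath) {
        if ($line -match '^([0-9A-Fa-f]{64})\s+(.+)$') { $expected[$Matches[2]] = $Matches[1].ToUpper() }
    }

    $verified = @()
    $failed   = @()
    # A .nupkg on the share that is not in the manifest fails too: a file that
    # appeared in transit is exactly what this check exists to catch.
    foreach ($file in Get-ChildItem -Path $PackageDir -Filter '*.nupkg' -File) {
        $actual = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        if ($expected.ContainsKey($file.Name) -and $expected[$file.Name] -eq $actual) {
            $verified += $file.FullName
        } else {
            $failed += $file.Name
        }
    }
    foreach ($name in $expected.Keys) {
        if (-not (Test-Path (Join-Path $PackageDir $name))) { $failed += "$name (missing)" }
    }
    [pscustomobject]@{ Verified = $verified; Failed = $failed }
}

function Publish-VerifiedPackages {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [Parameter(Mandatory)] [string] $Source,   # assumed: https://artifactory.example.com/artifactory/api/nuget/chocolatey
        [Parameter(Mandatory)] [string] $ApiKey
    )
    $result = Test-PackageManifest -PackageDir $PackageDir
    if ($result.Failed.Count -gt 0) {
        # Fail closed: one bad file stops the whole import until someone looks at it
        throw "Manifest check failed for: $($result.Failed -join ', ')"
    }
    foreach ($nupkg in $result.Verified) {
        choco push $nupkg --source $Source --api-key $ApiKey --no-progress
        if ($LASTEXITCODE -ne 0) { throw "choco push failed for $nupkg (exit $LASTEXITCODE)" }
    }
}

# Usage (assumed paths):
# Outside: New-PackageManifest -PackageDir '\\outside-share\choco-internalized'
# Inside:  Publish-VerifiedPackages -PackageDir '\\enclave-share\choco-internalized' `
#              -Source 'https://artifactory.example.com/artifactory/api/nuget/chocolatey' `
#              -ApiKey $env:ARTIFACTORY_API_KEY
```

A plain hash manifest catches corruption, truncated copies and a package that was swapped or added on the share, but it travels over the same channel as the packages, so someone who controls the transfer can replace both. If that is in scope, sign the manifest on the outside (for example with Set-AuthenticodeSignature and a code-signing certificate whose public half is already inside the enclave) and have Test-PackageManifest check the signature before trusting the hashes.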
16. Ad Hoc installs prereq
● Chocolatey Agent
● Background Service
○ Use Puppet!
17. Ad Hoc installs
● “Self-Service” choco installs
○ Chocolatey GUI
○ Command Line
○ Carbon Black approved!
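The two slides above are the whole recipe for self-service installs on a box where users are not local admins: chocolatey-agent provides the background service, Puppet turns it on and points it at the internal source, and users then drive it from Chocolatey GUI or the command line. The deck does not show the switches involved, so this PowerShell is an added example rather than the presentation's own configuration; it uses Chocolatey for Business feature and config names that exist in C4B, while the source name and Artifactory URL are assumptions. It is the script Puppet (or an admin) would run once per enclave workstation after chocolatey and chocolatey-agent are installed.

```powershell
# Added example, not from the deck. Source name and URL are assumptions.
# Run elevated (for example from Puppet) on an enclave workstation that already
# has chocolatey, chocolatey-agent and the C4B licence installed.

function Set-ChocoSelfService {
    param(
        [string] $SourceName = 'internal',
        [string] $SourceUrl  = 'https://artifactory.example.com/artifactory/api/nuget/chocolatey'   # assumed
    )
    # The public community feed is unreachable from the enclave and should not be a source at all
    choco source remove --name chocolatey

    # Register the enclave's only approved source and mark it usable through self-service
    choco source add --name $SourceName --source $SourceUrl --priority 1 --allow-self-service

    # Route installs through the elevated background service, but only for non-admins;
    # admins (and Puppet running as SYSTEM) keep talking to choco.exe directly
    choco feature enable --name useBackgroundService
    choco feature enable --name useBackgroundServiceWithNonAdministratorsOnly

    # Only sources flagged --allow-self-service may be used through the service. This is the
    # "cannot call a custom source" limitation from the Limitations slide: a user running
    # choco install foo --source C:\somewhere gets refused, which is the point.
    choco feature enable --name useBackgroundServiceWithSelfServiceSourcesOnly

    # Restrict what a user may ask the service to do. Leaving out uninstall and pin is
    # what makes "pinning versions" and "uninstalling" admin-only for ad hoc installs.
    choco config set --name backgroundServiceAllowedCommands --value 'install,upgrade'
}

function Test-ChocoSelfService {
    # Audit helper: returns $true only when every expected setting is in effect,
    # so Puppet or a compliance check can run it as an idempotent "is this box right" probe
    $ok = $true
    $features = choco feature list -r      # one line per feature: name|Enabled or Disabled|description
    foreach ($name in 'useBackgroundService',
                      'useBackgroundServiceWithNonAdministratorsOnly',
                      'useBackgroundServiceWithSelfServiceSourcesOnly') {
        if (-not ($features | Where-Object { $_ -like "$name|Enabled|*" })) {
            Write-Warning "feature $name is not enabled"; $ok = $false
        }
    }
    $allowed = (choco config get --name backgroundServiceAllowedCommands -r) -join ''
    if ($allowed -match 'uninstall') { Write-Warning "uninstall is allowed via the service"; $ok = $false }
    if (choco source list -r | Where-Object { $_ -like 'chocolatey|*' }) {
        Write-Warning "public chocolatey source is still configured"; $ok = $false
    }
    return $ok
}

# Usage:
# Set-ChocoSelfService
# if (-not (Test-ChocoSelfService)) { throw 'self-service configuration drifted' }
```

Because the background service runs elevated and acts on behalf of an unprivileged user, the allowed-commands list and the self-service-sources-only feature are the actual security boundary here: together they mean a user can only install or upgrade packages that already passed through the internalization and Artifactory path, and cannot point the service at a package they brought in themselves.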
19. Custom Packages
● Custom packages
○ Custom application
○ Different install arguments
● Use Package Builder (C4B)
○ Command Line
○ GUI
● Non-Admins can create packages
○ C:\ProgramData\Chocolatey\templates\NewFileInstaller needs to be present
21. Updates
● Puppet:
○ ensure => latest
● Ad hoc installs:
○ "choco upgrade all -y" ("cup all -y") scheduled task created via GPO or Puppet
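Puppet-managed packages update themselves through ensure => latest, but ad hoc installs are only on the box because a user asked for them, so a scheduled "cup all -y" is what keeps those current. The deck mentions the task but not how it is built; the PowerShell below is an added example, not from the presentation, of registering that task as SYSTEM with Register-ScheduledTask (the same thing a Puppet scheduled_task resource or a GPO preference would create), plus a pin helper for the case where a particular package must not follow "all". Task name, run time and the pinned package name are assumptions.

```powershell
# Added example, not from the deck. Task name, schedule and pinned package are assumptions.
# Run elevated once per machine (or deliver it through Puppet/GPO).

function Register-ChocoUpgradeTask {
    param(
        [string] $TaskName = 'Chocolatey Upgrade All',   # assumed
        [string] $At       = '02:00'                     # assumed nightly slot
    )
    $choco = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'
    if (-not (Test-Path $choco)) { throw "choco.exe not found at $choco" }

    # "cup all -y" is the alias for this; --no-progress keeps the task log readable
    $action  = New-ScheduledTaskAction -Execute $choco -Argument 'upgrade all -y --no-progress'
    $trigger = New-ScheduledTaskTrigger -Daily -At $At

    # Run as SYSTEM at highest run level: the upgrade has the rights it needs even
    # though no interactive user on the enclave is a local admin
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    # Catch up if the machine was off at 02:00, never stack two upgrades, give up after 2h
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                                             -MultipleInstances IgnoreNew `
                                             -ExecutionTimeLimit (New-TimeSpan -Hours 2)

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force | Out-Null
    return (Get-ScheduledTask -TaskName $TaskName).State
}

function Add-ChocoPin {
    # A pinned package is skipped by "upgrade all". Pinning is deliberately not in the
    # background service's allowed commands, so this is an admin/Puppet action, not a
    # user one (see the Limitations slide).
    param([Parameter(Mandatory)] [string] $PackageName)
    choco pin add --name $PackageName
    if ($LASTEXITCODE -ne 0) { throw "choco pin failed for $PackageName (exit $LASTEXITCODE)" }
}

# Usage (assumed package name):
# Add-ChocoPin -PackageName 'winscp'     # hold winscp at its current version
# Register-ChocoUpgradeTask              # returns the task state, e.g. Ready
```

The task upgrades everything that came from the configured source, which in the enclave is only Artifactory, so "upgrade all" can never pull anything that has not already been internalized and carried across. If a package needs to stay put while everything else moves, pin it before the task first runs rather than editing the task's arguments.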
22. Limitations
● If enforcing background service
○ Users and Puppet cannot call a custom source
● Ad-Hoc Installs:
○ Pinning versions
○ Uninstalling
23. Key Takeaways
● Use WinOps to enable everyone
● C4B enables users - without sacrificing security