I recently screwed up when testing an action in BigFix many many times. Instead of targeting an automatic group of test machines, I ended up targeting
All Computers. The end result of this action involves opening
notepad.exe as the current user. It could have been worse, but opening
notepad.exe everywhere isn’t great.
Because BigFix is pretty fast due to UDP notifications, the action hit at least 2000 computers before I stopped it.
This begs the question: what are the Best Practices when doing testing of new content in BigFix? What is the best way to limit the impact if
All Computers is accidentally selected?
One of the best options is to put the new content in a site that only test computers subscribe to. If
All Computers were selected in this case, then the impact would be limited to these test computers.
Another option is to set relevance for the content itself so that it is limited to a specific set of computer names or computer groups. This isn’t ideal as you have to remember to do this for every piece of new content, but this is also a very flexible option. It can start by being limited to a very small set of computers, but then grow in scope as the testing matures over time.
Another option is to have a separate operator account just for testing that only has management rights on some test computers. This is one of the better options as far as “least privilege” and absolutely minimizing the maximum impact of anything done as this account. This option is not ideal because it would require switching accounts frequently in some cases, which can take quite a while when closing and reopening the console. It also isn’t ideal to have the console open twice as 2 different accounts as this requires different computers to do this.
A separate by related issue is that
All Computers is selected by default in the Take Action dialog when targeting by property, even though
All Computers is NEVER what should be targeted in my organization. Actions are always targeted to different Automatic Groups depending on the target audience.
Ideally, only master operators would be able to target
All Computers. It would be useful if there was a way to configure BigFix to prevent
All Computers from being used.
Also, it would be interesting if in the Take Action dialog, when selecting “Dynamically target by property” if it wouldn’t have anything selected so you would have to actually click on
All Computers if that is what you wanted to happen, and it wouldn’t allow you to continue unless you actually selected something.
I created this relevance to detect if notepad was opened during a specific time window:
exists creation times whose(it > "Thu, 31 Mar 2016 17:00:34 -0700" as time AND it < "Thu, 31 Mar 2016 17:49:34 -0700" as time) of processes "notepad.exe"
@alexk came up with this as part of the solution to this screw up:
wait __Download\RunAsCurrentUser.exe --w --q C:\Windows\System32\taskkill.exe /FI "WINDOWTITLE eq Untitled - Notepad"