I thought it would be interesting to cover a security topic: using Windows Server Core with the PI System. Maybe these questions are already bubbling up: why, and what do I have to gain?
If you attended Jim Davidson's lab on Improving the security of your PI Infrastructure: Whitelisting, Firewalls & Windows Core at vCampus Live! 2012, you learned that the top 4 strategies can block 85% of targeted cyberattacks. These strategies were:
- Application whitelisting
- Patching applications
- Patching operating system
- Minimizing users with domain or local administrative privileges
One good way to facilitate patching is to minimize it. Windows Server Core has a small footprint and no UI-related applications, so the number of patches to install is kept to a minimum. Another argument is that Microsoft Hyper-V Server is free and includes all the core features of Windows Server 2012 and Hyper-V. It has the same virtualization capabilities as the Datacenter edition. I invite you to take a look at what Microsoft says about it. Also, OSIsoft recommends running the PI System on Windows Core Servers for security and to reduce patch cycles that could impact a PI System installation.
I have tested the different steps to install your PI System 2012 from scratch on Microsoft Hyper-V Server 2012. Do not hesitate to share your findings and issues. Enjoy!
1. Install the Microsoft Hyper-V Server 2012 (read Windows Server 2012 core).
2. Use the sconfig.cmd script to customize your installation. You can easily configure the machine's name, domain membership, Windows Update, network settings, etc. Make sure you activate Windows Remote Management (WinRM) to allow controlling your machine from the outside.
3. Set the firewall rules to allow PI System connectivity on ports 5450, 5457, 5458, 5459. You can do this using an MMC snap-in console (older way) or with the PowerShell NetSecurity module. I recommend some reading at Microsoft on the subject (here and here). If you use an MMC snap-in console, you will need to point it to another computer to "control" the rules.
4. If you need to deactivate the local firewall because you use another firewall solution, you can do this with the netsh advfirewall command.
netsh advfirewall set allprofiles state off
4. Install the Microsoft SQL Server 2012 (any edition) from the command line. You cannot make use of the graphical interface to install the database engine.
setup.exe /q /ACTION=Install /FEATURES=SQLEngine,FullText,Conn /INSTANCENAME=MYINSTANCE /IACCEPTSQLSERVERLICENSETERMS /SECURITYMODE=SQL /SAPWD=mypassword /SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" /AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" /TCPENABLED=1 /NPENABLED=1 /SQLSYSADMINACCOUNTS="MYMACHINE\administrator"
Other features are available such as REPLICATION, IS and AS. You can consult this KB article to get all the possibilities.
5. Test the connectivity with another SQL Server Management Studio tool (SSMS). Don't forget to specify your instance name if you have installed SQL Server with one.
6. By default, the Browser service is disabled. If it is disabled on an instance of SQL Server running on Server Core, run the following command from the command prompt to enable it. The extra space after the equal sign is required.
sc config sqlbrowser start= auto
7. After it is enabled, run the following command from the command prompt to start the service:
net start SQLBROWSER
or from a PowerShell prompt
8. Install the PI AF Server 2012 (PIAFServerWithEventFrames_2012_.exe) from the command line directly. This will extract the package and launch the setup.exe command.
9. Install the PI AF Client 2012. You will need to ignore the warning regarding the lack of Internet Explorer. Also, during the PI SDK 2010 R2 (32 bit) installation, you will need to ignore the failure about the registration of the richtxt32.ocx file. You can start the PI System Explorer (PSE) directly from the command line too.
10. Install the PI Notifications package. Unfortunately, I found a bug: when you install the client part, you won't be able to use AFExplorer.exe from the command line. A support call has been created to address this problem. For now, only install the server part.
11. Install the PI Server 2012 following the general OSIsoft guidelines found in the PI-Server-2012-Installation-and-Upgrade-Guide_EN document. This document can be found in the Library.
12. Start the PI Server using the pisrvstart.bat script located under the c:\program files\pi\adm folder.
13. Install PI SMT 2012. Yes, it now works in a pure .NET world, so you can launch it from the command line.
14. You can install the latest PI SDK 2012 (32 and 64 bits). During the PI SDK 2010 R2 (32 bit) installation, you will need to ignore the failure about the registration of the richtxt32.ocx file.
15. Install PI ACE 2010 R2 SP1.
16. Install the PowerShell tools for the PI System.
I hope this has shed some light on how easy it is to install a PI System on top of a Windows Core OS.
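The firewall rules from step 3, written with the NetSecurity module and run from a PowerShell prompt on the Server Core machine (or over WinRM). This is an added example, not part of the original post. The rule names, the group name, the TCP protocol, the Domain profile and the client subnet are assumptions to adapt to your environment.

```powershell
# Added example: inbound allow rules for the PI System ports listed in step 3.
# Assumptions (not from the original post): TCP only, Domain profile,
# the rule/group names, and the client subnet in $AllowedRemote.
Import-Module NetSecurity

$PiPorts       = 5450, 5457, 5458, 5459
$RuleGroup     = 'PI System'        # hypothetical group name, used for lookup later
$AllowedRemote = '192.0.2.0/24'     # constructed range; replace with your PI client subnet

foreach ($port in $PiPorts) {
    $name = "PI System TCP $port (inbound)"

    # Idempotent: drop an earlier copy so reruns do not stack duplicate rules
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Allow the port only from the client subnet instead of from any address
    New-NetFirewallRule -DisplayName $name `
        -Group $RuleGroup `
        -Direction Inbound `
        -Action Allow `
        -Protocol TCP `
        -LocalPort $port `
        -RemoteAddress $AllowedRemote `
        -Profile Domain |
        Out-Null
}

# Verify what was actually written: port and source scope for each rule
Get-NetFirewallRule -Group $RuleGroup |
    ForEach-Object {
        $portFilter    = $_ | Get-NetFirewallPortFilter
        $addressFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            LocalPort     = $portFilter.LocalPort
            RemoteAddress = $addressFilter.RemoteAddress
        }
    } |
    Format-Table -AutoSize
```

Scoping `-RemoteAddress` keeps the PI ports reachable only from the hosts that need them, which fits the reduced-footprint goal of running on Server Core.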