Azure Devops – Execute task before Source Code Checkout
Sometimes we need to execute several tasks before Source Code Checkout – Install Certificates configure git. This Market Place solution can be very helpful:
https://marketplace.visualstudio.com/items?itemName=jessehouwing.pre-post-tasks
Sample task:
# Starter pipelinetrigger:– nonepool:name: privatepoolsteps:– task: jessehouwing.pre-post-tasks.Pre-CmdLineV2.Pre-CmdLine@2displayName: ‘Pre’inputs:script: ‘du -sh /agent/* | sort -h’– task: Bash@3displayName: ‘Main’inputs:targetType: ‘inline’script: |du -sh /agent/* | sort -h
Look like:
RDS infrastructure – The connection has been terminated because an unexpected server authentication certificate was received from the remote computer.
The connection has been terminated because an unexpected server authentication certificate was received from the remote computer. In my case the error was connected after adding HA for Connection Broker and adding new DNS name for the RD Connection Broker cluster, that was not included in certificate. You can always change it using Power Shell command as a admin:
Set-RDClientAccessName -ConnectionBroker connectionbroker-server-name -ClientAccessName New-DNS-Name-For-The-RD-Connection-Broker-Cluster
Please remember that DNS must be configured for New-DNS-Name-For-The-RD-Connection-Broker-Cluster
49 meetup Microsoft Azure User Group Poland – Warsaw
W środowy wieczór po 2 letnim czasie pandemii odbyło się 49 spotkanie Microsoft Azure User Group Poland w Warszawie, tym razem w siedzibie I dzięki uprzejmości ISS World Services. Co było ciekawego w porządku chronologicznym w nowej i chyba ciepło przyjętej formule wystąpień 15, czyli 20 minutowych.
Emil pokazywał dość skomplikowany przykład wykorzystania promowanej metody wdrażania zasobów z wykorzystaniem Azure Biceps. Jako że byłem spóźniony nie jestem przekonany czy widownia zrozumiała zalety i wdrożenie, a jeżeli nie to proponuje zacząć tutaj https://docs.microsoft.com/pl-pl/azure/azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code. A osobiście zastanawiam się, czemu MS nie zaadoptował HELMa do tego. Było by prościej wszak byłyby template wraz z czystym yaml’em.
Następnie mogliśmy posucha o IT nie tylko Cloudowym okiem bezpiecznika, po czym jak to stwierdził Marek celebryckie wystąpienie Kamila o…. no właśnie chyba o Security Posture z przeslaniem korzystajcie przynajmniej z Microsoft Defender for Cloud.
Druga polowa to to co tygrysy lubią najbardziej!!!
Łukasz – łatwe wdrażanie kontenerów, bez ograniczeń jak w Web App typu Vnet, ruch tylko http/s – czyli Azure Container Apps. Usługa bardzo podobna do Azure Container Instances, ale ze znacznie większymi możliwościami i miejmy nadzieje, że dużo bardziej stabilna niż Azure Container Instances zwłaszcza z sieciami prywatnymi. Mogę się domyśleć, czemu MS chce aż 21 bitowych sieci do wdrożenia usługi, co swoja droga jest nie do przyjęcia, bo przy 27 bitowych sieciach w Container Instances był z tym problem… wiec przy okazji jak chcecie, aby Container Instances były stabilne zróbcie odpowiednio większe sieci i jak pozostanie wam 2 lub 3 wolne ip dla podów, to to za mało. Wada/Zaleta usługi to rozliczanie jak Azure Functions… więcej informacji: https://docs.microsoft.com/en-us/azure/container-apps/.
Już wcześniej wspominany Marek opowiadał o AMPLS – nie mylić z MPLS, chociaż blisko. Czyli Azure Monitor Private Link (AMPLS) – I wszyscy zerwali się wdrażać – tylko, że problem z wykorzystaniem Azure Sentinela z tym rozwiązaniem. Więcej informacji: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security.
Na zakończenie Tomek opowiedział o usłudze as a service Jmeter w Azure. Nie musimy się martwić o konfigurowanie Javy dla workerów Jmeter’owych, a wszystko zrobi za nas Azure. Więcej informacji: https://docs.microsoft.com/en-us/azure/load-testing/quickstart-create-and-run-load-test, możecie wykorzystać jmx, który wgrywamy do usługi z prezentacji, którą swojego czasu robiłem a materiał jest tutaj – https://rzetelnekursy.pl/how-azure-can-help-you-with-performance-tests-using-jmeter/.
On Wednesday evening, after the 2-year time of the pandemic, the 49th Microsoft Azure User Group Poland meeting was held in Warsaw, this time at headquarters I, courtesy of ISS World Services.
What was interesting in the chronological order in the new and probably warmly received the formula of 15 or 20-minute speeches.
Emil showed a rather complicated example of using the Azure Biceps. As I was late, I am not convinced that the audience understood the advantages and implementation; if not, I suggest starting here https://docs.microsoft.com/pl-pl/azure/azure-resource-manager/bicep/quickstart-create-bicep -use-visual-studio-code. And I wonder why MS has not adapted HELM to this. It would be simpler, after all, it would be a template with a pure YAML.
Then we could hear about IT from the security point of view, and Kamil’s celebrity speech about … Well, probably about Security Posture with sending the message – use at least Microsoft Defender for Cloud.
The other half is what tigers like best !!!
Łukasz – easy container implementation, without restrictions like in WebApp – Azure Container Apps. A service very similar to Azure Container Instances but with much more possibilities and hopefully much more stable than Azure Container Instances especially with private networks. I can guess why MS wants 21-bit networks to implement the service, which by the way is unacceptable because with 27-bit networks in Container Instances there is a problem with it … so by the way, if you want Container Instances to be stable, make correspondingly larger nets and if you have 2 or 3 it’s left for pods, that’s not enough. The disadvantage / Advantage of the service is billing like Azure Functions … more information: https://docs.microsoft.com/en-us/azure/container-apps/.
Marek talked about AMPLS – Azure Monitor Private Link (AMPLS) – be aware of the problem with using Azure Sentinel with this solution. More information: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security.
Finally, Tomek talked about the service Jmeter in Azure. We don’t have to worry about configuring Java for Jmeter workers, and Azure will do everything for us. More information: https://docs.microsoft.com/en-us/azure/load-testing/quickstart-create-and-run-load-test, you can use JMX, which can be uploaded to the service from the presentation that I did in my time and the material is here – https://rzetelnekursy.pl/how-azure-can-help-you-with-performance-tests-using-jmeter/.
Cybersecurity Maturity Model Certification (CMMC)
Controls of Cybersecurity Maturity Model Certification (CMMC) based on Microsoft Technical Reference Guide:
- Limit information system access to authorized users, processes acting on …
- Limit information system access to the types of transactions and functions …
- Control the flow of CUI in accordance with approved authorizations.
- Separate the duties of individuals to reduce the risk of malevolent activity …
- Employ the principle of least privilege, including for specific security…
- Use non-privileged accounts or roles when accessing non-security functions.
- Prevent non-privileged users from executing privileged functions…
- Limit unsuccessful logon attempts.
- Use session lock with pattern-hiding displays to prevent access and viewing …
- Terminate (automatically) user sessions after a defined condition.
- Monitor and control remote access sessions.
- Employ cryptographic mechanisms to protect the confidentiality of remote …
- Route remote access via managed access control points.
- Authorize remote execution of privileged commands and remote access…
- Authorize wireless access prior to allowing such connections.
- Protect wireless access using authentication and encryption.
- Control connection of mobile devices.
- Encrypt CUI on mobile devices and mobile computing platforms.
- Verify and control/limit connections to and use of external information …
- Limit use of portable storage devices on external systems.
- Control information posted or processed on publicly accessibleinformation systems.
- Create and retain system audit logs and records to the extent needed to …
- Ensure that the actions of individual system users can be uniquely traced to …
- Review and update logged events.
- Alert in the event of an audit logging process failure.
- Correlate audit record review, analysis and reporting processes for…
- Provide audit record reduction and report generation to support …
- Provide a system capability that compares and synchronizes internal system …
- Protect audit information and audit logging tools from unauthorized access…
- Limit management of audit logging functionality to a subset of privileged …
- Ensure that managers, system administrators and users of organizational …
- Ensure that personnel are trained to carry out their assigned information …
- Provide security awareness training on recognizing and reporting potential …
- Establish and maintain baseline configurations and inventories…
- Establish and enforce security configuration settings for information …
- Track, review, approve or disapprove and log changes to organizational …
- Analyze the security impact of changes prior to implementation.
- Define, document, approve and enforce physical and logical access …
- Employ the principle of least functionality by configuring organizational …
- Restrict, disable or prevent the use of nonessential programs, functions…
- Apply deny-by-exception (blacklisting) policy to prevent the use of …
- Control and monitor user-installed software.
- Identify information system users, processes acting on behalf of users or …
- Authenticate (or verify) the identities of those users, processes or devices, as …
- Use multi-factor authentication for local and network access to privileged …
- Employ replay-resistant authentication mechanisms for network access to…
- Prevent the reuse of identifiers for a defined period.
- Disable identifiers after a defined period of inactivity.
- Enforce a minimum password complexity and change of characters when …
- Prohibit password reuse for a specified number of generations.
- Allowtemporary password usefor system logons with an immediate changeto a permanent password.
- Store and transmit only cryptographically protected passwords.
- Obscure feedback of authentication information.
- Establish an operational incident-handling capability for organizational …
- Track, document and report incidents to designated officials…
- Test the organizational incident response capability.
- Perform maintenance on organizational systems.
- Provide controls on the tools, techniques, mechanisms and personnel used …
- Ensure equipment removed for off-site maintenance is sanitized of any…
- Check media containing diagnostic and test programs for malicious code …
- Require multifactor authentication to establish nonlocal maintenance …
- Supervise the maintenance activities of personnel without required access …
- Protect (i.e., physically control and securely store) system media containing …
- Limit access to CUI on systemmedia to authorized users.
- Sanitize or destroy information system media containing Federal Contract …
- Mark media with necessary CUI markings and distribution limitations.
- Control access to media containing CUI and maintain accountability for…
- Implement cryptographic mechanisms to protect the confidentiality of…
- Control the use of removable media on system components.
- Prohibit the use of portable storage deviceswhen such devices have no …
- Protect the confidentiality of backup CUI at storage locations.
- Screen individuals prior to authorizing access to organizational systems …
- Ensure that organizational systems containing CUI are protected during and …
- Enforce safeguarding measures for CUI at alternate work sites.
- Periodically assess the risk to organizational operations …
- Scan for vulnerabilities in organizational systems and applications …
- Remediate vulnerabilities in accordance with risk assessments.
- Periodically assess the security controls in organizational systems to …
- Develop and implement plans of action (e.g., POA&M) designed to correct …
- Monitor security controls on an ongoing basis to ensure the continued …
- Develop, document and periodically update System Security Plans (SSPs) …
- Monitor, control and protect organizational communications…
- Employ architectural designs, software development techniques and …
- Separate user functionality from system management functionality.
- Prevent unauthorized and unintended information transfer via shared …
- Implement subnetworks for publicly accessible system components that are …
- Deny network communications traffic by default and allow network …
- Prevent remote devices from simultaneously establishing non-remote …
- Implement cryptographic mechanisms to prevent unauthorized disclosure of …
- Terminate network connections associated withcommunications sessions atthe end of the sessions or after a defined period of inactivity.
- Establish and manage cryptographic keys for cryptography employed in …
- Employ FIPS-validated cryptography when used to protect the …
- Prohibit remote activation of collaborative computing devices and provide …
- Control and monitor the use of mobile code.
- Control and monitor the use of Voice over Internet Protocol (VoIP) …
- Protect the authenticity of communications sessions.
- Protect the confidentiality of CUI at rest.
- Identify, report and correct information and information system flaws in a…
- Provide protection from malicious code at appropriate locations within…
- Monitor system security alerts and advisories and take action in response.
- Update malicious code protection mechanisms when new releases are…
- Perform periodic scans of the information system and real-time scans of…
- Monitor organizational systems, including inbound and outboun…
- Identify unauthorized use of organizational systems.
More info:
Document:
Access to Azure Files integrated with AD or AD DS from non domain joined computer
1. You must see the domain controller get Kerberos Ticket – yes it is possible from a non-domain joined computer
nltest /dsgetdc:mytest.onmicrosoft.com
please remember it must be AD or ADDS domain FQDN not a Pre-WIndows 2000
2. Open Share using e.g. \\azureshare.file.core.windows.net\shared and provide username as FQDN from the previous command and username like mytest.onmicrosoft.com.onmicrosoft.com\mf
4. You should have access – you can verify tickets using klist.
Adding Guest users to the SharePoint site – not working / Nie działa udostępnianie witryny Sharepoint dla użytkowników Gości
- Please make sure that the sites can be externally shared.
SharePoint/Outlook Sharing (_layouts/15/online/AdminHome.aspx#/sharing)
- Particular – Site Sharing Policy (_layouts/15/online/AdminHome.aspx#/siteManagement/view/ALL SITES)
- Add Guests Users to Azure Active Directory
- Create Group (It is important – just without a group usually you can not invite users directly)
- Add Guests Users to the Group
- Share the SharePoint site with the Group.
uupdump
Great service – the parser for Microsoft Update files that can be used for download Microsoft stuff. For an example ARM version of Windows 10.
https://uupdump.net/download.php?id=7da4a3ef-38d9-4528-b7f3-81610babf468&pack=en-us&edition=professional
You can use it for specific version, add remove features.
You can use it on your own computer also – just source code is available.
This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school
Sometime you can see this message, when you try to join computer to the domain – even server.
Computer Name/Domain Changes The following error occurred attempting to join the domain This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school
The massage is clear – so solution is to execute:
dsregcmd /status
DSRegCmd /Leave
dsregcmd /status
virtual-environments GithubActions, Azure Devops – Cannot bind argument to parameter ‘ApplicationId’ because it is an empty string.
During building in Azure virtual-environments (https://github.com/actions/virtual-environments) you can see:
New-AzADAppCredential : Cannot bind argument to parameter ‘ApplicationId’ because it is an empty string.
At C:\virtual-environments\helpers\GenerateResourcesAndImage.ps1:224 char:13
+ $appCred = New-AzADAppCredential -ApplicationId $sp.AppId …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-AzADAppCredential], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-AzADAppCredential
In that case you must add:
- AzureClientId
- AzureClientSecret
- AzureTenantId
So the whole command:
GenerateResourcesAndImage -SubscriptionId xxxx -ResourceGroupName “DevOpsPackerAgent” -ImageGenerationRepositoryRoot “$pwd” -ImageType Windows2019 -AzureLocation “uksouth” -AzureClientId “yyy” -AzureClientSecret “zzz” -AzureTenantId “qqq”
Teams – share files between organizations, tenants.
Sometimes I need to explain several times differences between Guests and “non-guest” experience in Microsoft Teams.
https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations
Azure Cost Savings – Change all disk to standard
This script is just as a reminder that using Power-Shell you can change disk SKU for your VM – in that way you can save cost. You can build solution that it will be changed for switched off VM and powered on also.
#$SubscrybtionDev=”d2e666be-5fde-451b-84c9-9c545b3e435c”
#Connect-AzAccount -UseDeviceAuthentication
#Set-AzContext -Subscription $SubscrybtionDev
$RGs = Get-AzResourceGroup
$storageType = ‘Standard_LRS’
foreach ($RG in $RGs)
{
$vmDisks = Get-AzDisk -ResourceGroupName $RG.ResourceGroupName
foreach ($disk in $vmDisks)
{
$disk.Sku = [Microsoft.Azure.Management.Compute.Models.DiskSku]::new($storageType)
$disk | Update-AzDisk
Write-Host $disk.Id
}
}
Connect to Azure Rest API via CURL
As a user:
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
apt install -y jq
az login
az account get-access-token
declare subid=”xxx”
declare response=$(az account get-access-token)
declare token=$(echo $response | jq “.accessToken” -r)curl -i -X GET -H “x-ms-version: 2018-11-09” -H “content-length: 0” -H “Authorization: Bearer $token” “https://management.azure.com/subscriptions/xxx/resourceGroups/nvx-demo-sec/providers/Microsoft.Compute/virtualMachines?api-version=2021-07-01”
As a application:
declare TENANT_NAME=”xxx”
# Values for the first app registration
declare CLIENT_ID1=”xxx”
declare CLIENT_SECRET1=”xxx”ACCESS_TOKEN=$(curl -X POST -H “Content-Type: application/x-www-form-urlencoded” –data-urlencode “client_id=$CLIENT_ID1” –data-urlencode “client_secret=$CLIENT_SECRET1” –data-urlencode “scope=https://storage.azure.com/.default” –data-urlencode “grant_type=client_credentials” “https://login.microsoftonline.com/$TENANT_NAME/oauth2/v2.0/token” | jq -r ‘.access_token’)
curl -i -X GET -H “x-ms-version: 2018-11-09” -H “content-length: 0” -H “Authorization: Bearer $ACCESS_TOKEN” “https://management.azure.com/subscriptions/xxx/resourceGroups/nvx-demo-sec/providers/Microsoft.Compute/virtualMachines?api-version=2021-07-01”
Azure Virtual WAN – Force Tunneling
* Force tunnel to NVA You can specify a 0.0.0.0/0 route in the defaultRouteTable with next hop Virtual Network Connection. Then specify the specific IP of the NVA. This will force all internet-bound traffic to be sent to a Network Virtual Appliance deployed in a spoke Virtual Network. For more detailed instructions, please consider the alternate workflow described here: Route traffic through NVAs by using custom settings – Azure Virtual WAN | Microsoft Docs.
* Force tunnel to Azure Firewall in the Hub You can use Firewall Manager to configure Virtual WAN to send all internet-bound traffic via Azure Firewall deployed in the Virtual WAN hub. For configuration steps and a tutorial, please reference following documents (Install Azure Firewall in a Virtual WAN hub – Azure Virtual WAN | Microsoft Docs and to configure routing Tutorial: Secure your virtual hub using Azure Firewall Manager | Microsoft Docs) Alternatively, this can also be configured via Routing Policies and Routing Intent. For more information on Routing policies please read the following document How to configure Virtual WAN Hub routing policies – Azure Virtual WAN | Microsoft Docs.
* Force tunnel to Third party provider: You can use Firewall Manager to send internet traffic via a third-party security provider. For more information on this capability, please read the following: Deploy an Azure Firewall Manager security partner provider | Microsoft Docs.
* Force tunnel to a branch You can configure one of your branches (Site-to-site VPN, ExpressRoute Circuit or Network Virtual Appliance in the Virtual WAN Hub) to advertise the 0.0.0.0/0 route to Virtual WAN. Your on-premises device will have to be configured to do that.
The info is form Microsoft and can be very helpful.
Back to young… Small Basic from Microsoft
More than 25 years ago I started programming using BASIC 2.0 (Commodore 64) – The Internet says that it was connected with Microsoft also…
But nowadays you can use Small Basic – also from Microsoft:
You can download it from: https://smallbasic-publicwebsite.azurewebsites.net/
You can also export these to Visual Basic using this manual:
Simply two steps after exporting:
- The target application is a .NET 4.5
- Add a reference to SmallBasicLibrary.dll
- In case of errors, replace “0.5” with “CType(0.5, Primitive)” to cast. To cast means to convert variable type. This sample changes type real (0.5) to Primitive (for all Small Basic variables).
This one is a good way for starting learning: https://github.com/olik-son/instalogik—Zadanie/blob/main/Rozwiazanie.sb
Kolejne 3 błędy, które mogą doprowadzić do kompromitacji Twoich zasobów w chmurze
Zapraszam do udziału w The Hack Summit 2021, gdzie będę miał przyjemność prezentować następującą sesje:
Kolejne 3 błędy, które mogą doprowadzić do kompromitacji Twoich zasobów w chmurze.
Przy okazji, jeżeli chcą Państwo otrzymać, oczywiście bezpłatnie dokumentacje wdrożenia mechanizmu inwentaryzacji i kopii konfiguracji (ARM) Microsoft Azure, która omawiam podczas wydarzenia oraz dokument jak bezpiecznie skonfigurować usługę WebApp / App Service w Microsoft Azure – proszę wypełnić poniższe zgłoszenie.
AWS CLI delete multiple snapshots using Name Tag
First of all display commands if it is correct to delete snapshot, using:
aws ec2 describe-snapshots –output text –filters Name=tag:Name,Values=tag-value|grep SNAPSHOTS|awk ‘{print “Deleting-> ” $4,$6,$8,$9,$10; system(“echo aws ec2 delete-snapshot –snapshot-id ” $10)}’
and than you can delete snapshots:
aws ec2 describe-snapshots –output text –filters Name=tag:Name,Values=tag-value|grep SNAPSHOTS|awk ‘{print “Deleting-> ” $4,$6,$8,$9,$10; system(“aws ec2 delete-snapshot –snapshot-id ” $10)}’
Zero Trust Model – Audit For Free
You can visit:
and get access for free online audit security in your company.
After answering some question, you will receive how to fix potential issues.
Here are all topics to cover, all that the web question based tool can generate.
Identities:
Implement multifactor authentication.
- Multifactor authentication helps protect your applications by requiring users to confirm their identity using a second source of validation, such as a phone or token, before access is granted.
- Azure Active Directory (Azure AD) can help you enable multifactor authentication for free.
- Already have Azure AD? Start deploying today.
Enable passwordless authentication.
- Passwordless authentication methods such as Windows Hello and Microsoft Authenticator provide a simpler and more secure authentication experience across the web and mobile devices. Based on the recently developed FIDO2 standard, these methods allow users to authenticate easily and securely without requiring a password.
- Microsoft can help you adopt passwordless authentication today. Download the passwordless authentication datasheet to learn more.
- If you already have Azure Active Directory (Azure AD), see how you can enable passwordless authentication today.
Implement single sign-on (SSO).
- SSO not only strengthens security by removing the need to manage multiple credentials for the same person but also delivers a better user experience with fewer sign-in prompts.
- Microsoft Azure Active Directory (Azure AD) provides an SSO experience to popular software as a service (SaaS) apps, on-premises apps, and custom-built apps that reside on any cloud for any user type and any identity.
- Plan your SSO deployment.
Enforce access controls with adaptive, risk-based policies.
- Move beyond simple access/block decisions and tailor decisions based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multifactor authentication.
- Use conditional access in Azure AD to enforce fine-tuned adaptive access controls, such as requiring multifactor authentication, based upon user context, device, location, and session risk information.
- Plan your conditional access deployment.
Block legacy authentication.
- One of the most common attack vectors for malicious actors is to use stolen or replayed credentials against legacy protocols, such as SMTP, that can’t use modern security challenges.
- Conditional access in Azure AD can help you block legacy authentication. See more information about Block Legacy Authentication.
Protect identities against compromise.
- Real-time risk assessments can help protect against identity compromise at the time of login and during sessions.
- Azure Identity Protection delivers real-time continuous detection, automated remediation, and connected intelligence to investigate risky users and sign-ins to address potential vulnerabilities.
- Enable Identity Protection to get started. Bring in user session data from Microsoft Cloud App Security to enrich Azure AD with possible risky user behavior after they were authenticated.
Enrich your Identity and Access Management (IAM) solution with more data.
- The more data you feed your IAM solution, the more you can improve your security posture with granular access decisions and better visibility into users accessing corporate resources, and the more you can tailor the end-user experience.
- Azure Active Directory (Azure AD), Microsoft Cloud App Security, and Microsoft Defender for Endpoint all work together to provide enriched signal processing for better decision making.
- Configure Conditional Access in Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security.
Fine-tune your access policies.
- Enforce granular access control with risk-based adaptive access policies that integrate across endpoints, apps, and networks to better protect your data.
- Conditional Access in Azure AD enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.
- Fine-tune your Conditional Access policies.
Improve your identity security posture.
- The identity secure score in Azure AD helps you assess your identity security posture by analyzing how well your environment aligns with Microsoft best-practice recommendations for security.
- Get your identity secure score
Endpoints:
Register your devices with your identity provider.
- In order to monitor security and risk across multiple endpoints used by any one person, you need visibility in all devices and access points that may be accessing your resources.
- Devices can be registered with Microsoft Azure AD, providing you with visibility into the devices accessing your network and the ability to utilize device health and status information in access decisions.
- Configure and manage device identities in Azure AD
Enroll devices in Mobile Device Management for internal users.
- Once data access is granted, having the ability to control what the user does with your corporate data is critical to mitigating risk.
- Microsoft Endpoint Manager enables endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions.
- Set up Mobile Device Management for internal users.
Ensure compliance before granting access.
- Once you have identities for all the endpoints accessing corporate resources and before access is granted, you want to ensure that they meet the minimum security requirements set by your organization.
- Microsoft Endpoint Manager can help you set compliance rules to ensure that devices meet minimum-security requirements before access is granted. Also, set remediation rules for noncompliant devices so that people know how to resolve the issue.
- Set rules on devices to allow access to resources in your organization using Intune
Enable access for unmanaged devices as needed.
- Enabling your employees to access appropriate resources from unmanaged devices can be critical to maintaining productivity. However, it’s imperative that your data is still protected.
- Microsoft Intune Mobile Application Management lets you publish, push, configure, secure, monitor, and update mobile apps for your users, ensuring they have access to the apps they need to do their work.
- Configure access for unmanaged devices.
Enroll devices in Mobile Device Management for external users.
- Enroll external devices Enrolling devices from external users (such as contractors, vendors, partners, etc.) into your MDM solution is a great way to ensure your data is protected and they have the access they need to do their work.
- Microsoft Endpoint Manager provides endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions.
- Set up Mobile Device Management for external users.
Enforce data loss prevention policies on your devices.
- Once data access is granted, controlling what the user can do with your data is critical. For example, if a user accesses a document with a corporate identity, you want to prevent that document from being saved in an unprotected consumer storage location, or from being shared with a consumer communication or chat app.
- Intune app protection policies will help protect data with or without enrolling devices in a device management solution by restricting access to company resources and keep data within the purview of your IT department.
- Get started with Intune App policies.
Enable real-time device risk evaluation.
- Ensuring only healthy and trusted devices are allowed access to your corporate resources is a critical step in a Zero Trust journey. Once your devices are enrolled with your identity provider, you can bring that signal into your access decisions to only allow safe and compliant devices access.
- Through integration with Azure AD, Microsoft Endpoint Manager enables you to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, excluding certain device platforms from accessing specific apps.
- Configure Conditional Access in Microsoft Defender for Endpoint
Apps
Enforce policy-based access control for your apps.
- Move beyond simple access/block decisions and tailor decisions based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.
- Conditional Access in Azure AD enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.
- Configure Conditional Access for your app access
Enforce policy-based session controls.
- Stopping breaches and leaks in real time before employees intentionally or inadvertently put data and organizations at risk is key to mitigating risk after access is granted. Simultaneously, it’s critical for businesses to enable employees to securely use their own devices.
- Microsoft Cloud App Security (MCAS) integrates with Azure Active Directory (Azure AD) conditional access so you can configure apps to work with Conditional Access App Control. Easily and selectively enforce access and session controls on your organization’s apps based on any condition in conditional access (such as preventing data exfiltration, protecting on download, preventing uploads, blocking malware, and more).
- Create a Microsoft Cloud App Security session policy to get started.
Connect your business apps to your cloud application security broker (CASB).
- Visibility across apps and platforms is critical for performing governance actions, such as quarantining files or suspending users, as well as mitigating any flagged risk.
- Apps connected to Microsoft Cloud App Security (MCAS) get instant, out-of-the-box protection with built-in anomaly detection. MCAS uses entity and user behavioral analytics (UEBA) and machine learning to detect unusual behavior across cloud apps, helping identify threats, such as ransomware, compromised users, or rogue apps.
- Connect your business-critical cloud apps to Microsoft Cloud App Security.
Provide remote access to on-premises apps through an app proxy.
- Providing users with secure remote access to internal apps running on an on-premises server is critical to maintaining productivity today.
- Azure AD Application Proxy provides secure remote access to on-premises web apps without a VPN or dual-homed servers and firewall rules. Integrated with Azure AD and Conditional Access, it enables users to access web apps through single sign-on while enabling IT to configure Conditional Access policies for fine-tuned access control.
- Get started today.
Discover and manage shadow IT in your network.
- The total number of apps accessed by employees in the average enterprise exceeds 1,500. That equates to more than 80 GB of data uploaded monthly to various apps, fewer than 15 percent of which are managed by their IT department. As remote work becomes a reality for most, it’s no longer enough to apply access policies to only your network appliance.
- Microsoft Cloud App Security can help you discover which apps are being used, explore the risk of these apps, configure policies to identify new risky apps being used, and unsanction these apps to block them natively using your proxy or firewall appliance. See the e-book, to learn more.
- To get started discovering and assessing cloud apps, set up Cloud Discovery in Microsoft Cloud App Security.
Manage virtual machine access using Just-in-Time.
- Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive polices and data protection to protect both data and productivity.
- Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center’s just-in-time (JIT) virtual machine (VM) access feature to reduce your exposure to attacks while providing easy access when you need to connect to a VM.
- Enable JIT virtual machine access.
Infrastructure
Use a cloud workload protection solution.
- Having a comprehensive view across all of your cloud workloads is critical to keeping your resources safe in a highly distributed environment.
- Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud – whether they’re in Azure or not – as well as on premises.
- Configure Azure Security Center
Assign app identities.
- Assigning an app identity is critical to securing communication between different services.
- Azure supports managed identities from Azure Active Directory, making it easy access other Azure AD-protected resources such as Azure Key Vault where secrets and credentials are securely stored.
- Assign an app identity in the Azure Portal
Segment user and resource access.
- Segmenting access for each workload is a key step in your Zero Trust journey.
- Microsoft Azure offers many ways to segment workloads to manage user and resource access. Network segmentation is the overall approach, and, within Azure, resources can be isolated at the subscription level with Virtual networks (VNets), VNet peering rules, Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure Firewalls.
- Create an Azure Virtual Network to enable your Azure resources to secure communicate together.
Implement threat detection tools.
- Preventing, detecting, investigating, and responding to advanced threats across your hybrid infrastructure will help improve your security posture.
- Microsoft Defender for Endpoint Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
- Plan your Microsoft Defender for Endpoint Advanced Threat Protection deployment
Deploy a Security Information and Event Management (SIEM) solution.
- As the value of digital information continues to increase, so do the number and sophistication of attacks. SIEM’s provide a central way to mitigate threats across the entire estate.
- Azure Sentinel is a cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution that will allow your Security Operations Center (SOC) to work from a single pane of glass to monitor security events across your enterprise. It helps to protect all of your assets by collecting signals from your entire hybrid organization and then applying intelligent analytics to identify threats quickly.
- Deploy Sentinel to get started.
Implement behavioral analytics.
- When you create new infrastructure, you need to ensure that you also establish rules for monitoring and raising alerts. This is key for identifying when a resource is displaying unexpected behavior.
- Microsoft Defender for Identity enables signal collection to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
- Learn more about Microsoft Defender for Identity
Setup automated investigations.
- Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Implementing a solution with automated investigation and remediation (AIR) capabilities can help your security operations team address threats more efficiently and effectively.
- Microsoft Defender for Endpoint Advanced Threat Protection includes automated investigation and remediation capabilities to help examine alerts and take immediate action to resolve breaches. These capabilities can significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.
- Learn more about automated investigations.
Govern access to privileged resources.
- Personnel should use administrative access sparingly. When administrative functions are required, users should receive temporary administrative access.
- Privileged Identity Management (PIM) in Azure AD enables you to discover, restrict, and monitor access rights for privileged identities. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.
- Deploy Privileged Identity Management to get started
Provide just-in-time access for privileged accounts.
- Personnel should use administrative access sparingly. When administrative functions are required, users should receive temporary administrative access.
- Privileged Identity Management (PIM) in Azure AD enables you to discover, restrict, and monitor access rights for privileged identities. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.
- Deploy Privileged Identity Management to get started.
Data
Define a classification taxonomy.
- Defining the right label taxonomy and protection policies is the most critical step in an data protection strategy, so start with creating a labeling strategy that reflects your organization’s sensitivity requirements for information.
- Learn about data classification.
- When you’re ready, get started with sensitivity labels.
Govern access decisions based on sensitivity.
- The more sensitive the data, the greater the protection control and enforcement needed. Similarly, the controls should also be commensurate with the nature of the risks associated with how and from where the data is accessed (for example, if a request originates from unmanaged devices or from external users). Microsoft Information Protection offers a flexible set of protection controls based on data sensitivity and risk.
- Some sensitive data needs protection by policies that enforce encryption to ensure only authorized users can access the data.
- Set up sensitivity labels govern access decisions. The new Azure Purview provides a unified data governance service that builds on Microsoft Information Protection. Read the announcement blog to learn more.
Implement a robust data classification and labeling strategy.
- Enterprises have vast amounts of data that can be challenging to adequately label and classify. Using machine learning for smarter, automated classification can help reduce the burden on end users and lead to a more consistent labeling experience.
- Microsoft 365 provides three ways to classify content, including manually, automated pattern matching, and our new Trainable classifiers. Trainable classifiers are well-suited to content that isn’t easily identified by manual or automated pattern matching methods. For on-premises file repositories and on-premises SharePoint 2013+ sites, Azure Information Protection (AIP) scanner can help discover, classify, label, and protect sensitive information.
- See our labeling deployment guidance to get started.
Govern access decisions based on policy.
- Move beyond simple access/block decisions and tailor access decisions for your data based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.
- Conditional Access in Azure AD enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.
- Integrate Azure Information Protection with Microsoft Cloud App Security to enable Conditional Access policies.
Enforce access and usage rights to data shared outside company boundaries.
- To properly mitigate risk without negatively impacting productivity, you need to be able control and secure email, documents, and sensitive data you share outside your company.
- Azure Information Protection helps secure email, documents, and sensitive data inside and outside your company walls. From easy classification to embedded labels and permissions, always enhance data protection with Azure Information Protection, no matter where it’s stored or who it’s shared with.
- Plan your deployment to get started.
Implement data loss prevention (DLP) policies.
- To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information such as credit card numbers, social security numbers, or health records.
- Use a range of DLP policies in Microsoft 365 to identify, monitor, and automatically protect sensitive items across services such as Teams, Exchange, SharePoint, and OneDrive, Office apps such as Word, Excel, and PowerPoint, Windows 10 endpoints, non-Microsoft cloud apps, on-premises file shares and SharePoint, and Microsoft Cloud App Security.
Network
Segment your networks.
- Segmenting networks by implementing software-defined perimeters with increasingly granular controls increases the cost to attackers to propagate through your network, dramatically reducing the lateral movement of threats.
- Azure offers many ways to segment networks to manage user and resource access. Network segmentation is the overall approach. Within Azure, resources can be isolated at the subscription level with virtual networks, virtual network peering rules, network security groups, application security groups, and Azure Firewall.
- Plan your segmentation strategy.
Put network protections in place.
- Cloud applications that have opened up endpoints to external environments, such as the internet or your on-premises footprint, are at risk of attacks coming in from those environments. It’s imperative that you scan the traffic for malicious payloads or logic.
- Azure provides services such as Azure DDoS Protection Service, Azure Firewall, and Azure Web Application Firewall that deliver comprehensive threat protection.
- Setup your network protection tools
Set up encrypted admin access.
- Admin access is often a critical threat vector. Securing access is essential to preventing compromise.
- Azure VPN Gateway is a cloud-native, high-scale VPN service that enables remote access for users fully integrated with Azure Active Directory (Azure AD), conditional access, and multifactor authentication. Azure Virtual Desktop from Azure enables a secure, remote desktop experience from anywhere, managed by Azure. Azure AD Application Proxy publishes your on-premises web apps using a Zero Trust access approach.
- Azure Bastion provides secure Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) connectivity to all the virtual machines in the virtual network in which it is provisioned. Using Azure Bastion helps to protect your virtual machines from exposing RDP/SSH ports to the outside world while still providing secure access using RDP/SSH.
- Deploy Azure Bastion.
Encrypt all network traffic.
- Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step attackers use to gain access to confidential data.
- End to end encryption starts with connectivity to Azure first, and all the way to the backend application or resource. Azure VPN Gateway makes it easier to connect to Azure over an encrypted tunnel. Azure Front Door and Application Gateway can help with SSL offloading, WAF inspection and re-encryption. Customers can design their traffic to run over SSL end-to-end. Azure Firewall Premium TLS inspection allow you to view, detect and block malicious traffic within an encrypted connection via its advanced IDPS engine. End-to-end TLS encryption in Azure Application Gateway helps you encrypt and securely transmit sensitive data to the backend while taking advantage of the Layer-7 load-balancing features. End-to-end TLS encryption in Azure Application Gateway with Azure Application Gateway.
Implement machine learning-based threat protection and filtering.
- As the sophistication and frequency of attacks continues to increase, organizations must ensure they’re equipped to handle them. Machine learning-based threat protection and filtering can help organizations respond more quickly, improve investigation, automate remediation, and manage scale more easily. Additionally, events can be aggregated from multiple services (DDoS, WAF, and FW) into the Microsoft SIEM, Azure Sentinel, to provide intelligent security analytics.
- Azure DDoS Protection uses machine learning to help monitor your Azure-hosted application traffic, baseline and detect volumetric traffic floods, and apply automatic mitigations.
- Turn on Azure DDoS Protection Standard.
Azure Backup vaults – New era of snapshot backups – backup every 1h
If you think about backup in Azure – probably you think about Recovery Services vaults. But there is currently a new possibility named Backup vaults. Of the box, you can configure backups every 4 hours. Currently, it supports:
VM Managed Disk Backups (Snapshot)
Azure Blobs
Azure PostgreSQL Databases
You can create ad-hock backups using portal or PowerShell. If you using PowerShell and see an error like:
Backup-AzDataProtectionBackupInstanceAdhoc : Input provided for the call is invalid
Probably you are using wrong parameter for -BackupRuleOptionRuleName it should be:
-BackupRuleOptionRuleName “BackupDaily”
Or
-BackupRuleOptionRuleName “Daily”
Note “Default” like mentioned in Documentation.
Here is a code that can be implemented in the Azure function to do backup every 1h.
param($Timer)Install-Module -Name Az.ResourceGraph -Force
Import-Module -Name Az.DataProtectionImport-Module -Name Az.ResourceGraphGet-InstalledModule$VaultBackupRG=”xxxx”$VaultBackupName=”xxxx”$AzureFunctionAppID = “xxxx”$AzureFunctionAppPwd = “xxxx”$TennantId = “xxxx”$SubscrybtionDev=”xxxx”$User = $AzureFunctionAppID$Pass = ConvertTo-SecureString -String $AzureFunctionAppPwd -AsPlainText -Force$Credential = New-Object System.Management.Automation.PSCredential $User,$Pass# Get the current universal time in the default string format.Write-Host “Logging to Azure….”Connect-AzAccount -Credential $Credential -TenantId $TennantId -ServicePrincipalSet-AzContext -Subscription $SubscrybtionDevWrite-Host “Logged In and Starting Processing….”$AllInstances = Get-AzDataProtectionBackupInstance -ResourceGroupName $VaultBackupRG -VaultName $VaultBackupNameBackup-AzDataProtectionBackupInstanceAdhoc -BackupInstanceName $AllInstances[0].Name -ResourceGroupName $VaultBackupRG -VaultName $VaultBackupName -BackupRuleOptionRuleName “BackupDaily”$job = Search-AzDataProtectionJobInAzGraph -Subscription $SubscrybtionDev -ResourceGroup $VaultBackupRG -Vault $VaultBackupName -DatasourceType AzureDisk -Operation OnDemandBackupWrite-Host “Snapshots:”Write-Host $job
requirements.psd1 file:
@{
# For latest supported version, go to ‘https://www.powershellgallery.com/packages/Az’.
# To use the Az module in your function app, please uncomment the line below.
# ‘Az’ = ‘6.*’
‘Az’ = ‘6.4.0’
‘Az.DataProtection’= ‘0.3.0’
‘Az.ResourceGraph’ = ‘0.11.0’
}
The line Install-Module -Name Az.ResourceGraph -Force is needed to avoid this error:
EXCEPTION: Az.ResourceGraph Module must be installed to run this command. Please run ‘Install-Module -Name Az.ResourceGraph’ to install and continue. Exception : Type : System.Management.Automation.RuntimeException
Azure Managed Application
Azure Managed Application is not widely used, just to create it we must use ARM templates. Sometimes it is a must when you want to deploy a solution via Azure Marketplace. Managed Application is simply a set of Azure Resources that usually can not be managed/modify by the person who deploys it but by the creator. So it is a very useful way to distribute an application across your organization or via mentioned Azure Marketplace. You can start with this simple code:
#mf@fast-sms.net
$Subscribtion=”ed4838b9-2782-4ada-xxxx”
$tenant=”50ea0418-683d-4007-87fb-xxxx”az login –tenant $tenant
az account set -s $Subscribtionaz group create –name ManagedApp –location eastus
az storage account create –name mfmanagedapp –resource-group ManagedApp –location eastus –sku Standard_LRS –kind StorageV2
az storage container create –account-name mfmanagedapp –name appcontaineroracle –public-access blob
az storage blob upload –account-name mfmanagedapp –container-name appcontaineroracle –name “app.zip” –file “app.zip”
$groupid=$(az ad group show –group group_in_azure_ad –query objectId –output tsv)
$ownerid=$(az role definition list –name user_in_azure_ad –query [].name –output tsv)
az group create –name appDefinitionGroup –location westcentralus
$blob=$(az storage blob url –account-name mfmanagedapp –container-name appcontaineroracle –name app.zip –output tsv)
$blob
$groupid
$owneridaz managedapp definition create –name “ManagedStorageMF” –location “westcentralus” –resource-group appDefinitionGroup –lock-level ReadOnly –display-name “Managed Storage Account MF” –description “Managed Azure Storage Account MF” –authorizations “groupid:ownerid” –package-file-uri “$blob”
There is guid of group and user who will be able to manage this Managed Application.
After that you will see this app in Service catalog managed application definitions:
After that, you can deploy this managed application.
Here is an example of an application with simply Storage Account as a resource only, but you can include every resource from azure in Manage Application. If you delete deployed application the resource group that you deploy managed application will be deleted.
Please be aware that in this example the definition of Managed Application is in app.zip – that first must be uploaded to the blob storage account. Sometimes we need to know which storage account contains the definition, unfortunately, it is not visible in the portal even if you export deployment or arm definition. Fortunately, there is an API that can provide some information about this:
https://docs.microsoft.com/en-us/rest/api/managedapplications/application-definitions/get
There is an example:
{
“isEnabled”: true,
“lockLevel”: “ReadOnly”,
“displayName”: “Managed Storage Account MF”,
“description”: “Managed Azure Storage Account MF”,
“artifacts”: [
{
“name”: “ApplicationResourceTemplate”,
“type”: “Template”,
“uri”: “https://prdsapplianceprodcy01.blob.core.windows.net/applicationdefinitions/022E0_ED4838B927824ADAAD25E6C1AD689428_63FE57E899BE630776D4FAA7260442F0FAE75C86FFEA70D351AD1AA35C65199E/c1b0010866364bb4979fe7bc36bef4ce/applicationResourceTemplate.json”
},
{
“name”: “CreateUiDefinition”,
“type”: “Custom”,
“uri”: “https://management.azure.com/subscriptions/ /resourceGroups/appDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/ManagedStorageMF/applicationArtifacts/CreateUiDefinition?api-version=2017-09-01”
},
{
“name”: “MainTemplateParameters”,
“type”: “Custom”,
“uri”: “https://management.azure.com/subscriptions/ /resourceGroups/appDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/ManagedStorageMF/applicationArtifacts/MainTemplateParameters?api-version=2017-09-01”
}
]
},
“id”: “/subscriptions/ /resourceGroups/appDefinitionGroup/providers/Microsoft.Solutions/applicationDefinitions/ManagedStorageMF”,
“name”: “ManagedStorageMF”,
“type”: “Microsoft.Solutions/applicationDefinitions”,
“location”: “westcentralus”
}
AWS – EKS error: You must be logged in to the server (Unauthorized)
It is not well-known information that after creating AWS EKS Cluster the person (user) who created the cluster must give rights to other persons to use kubectl. If the person is not available you will not be able to login to Kubernetes Cluster. We can try to create the same user again and try to move permission to another user.
So it the important to move the permission to the next person, just after creating the EKS cluster:
eksctl create iamidentitymapping –cluster clustername –arn arn:aws:iam::XXXXXX:user/destination_user_name –group system:masters –username destination_user_name
The eksctl is a parser for kubectl.
Or the best option can always use the DevOps process for creating not only EKS but all resources.
When EKS was created using role you can try one of four scenarios:
https://stackoverflow.com/questions/50791303/kubectl-error-you-must-be-logged-in-to-the-server-unauthorized-when-accessing
The access is denied because of the deny assignment with name – System deny assignment created by the managed application.
If you use Managed Application (usually third-party appliances) you can see this error. This is because usually a third-party vendor is responsible for it and is responsible for actions that you can perform. Sometimes there is a special group that can have permission to do some operations. Just go to the resource group, with this error and then to the IAM. Select Deny assignments:
And then select the entries, so you should be able to see Deny assignment excludes and you can try to add the user that needs permissions to that group.
How to find and dump the password for windows service.
During migrations to Cloud from IaaS many times I need to access the SQL or other subsystems using an existing password that is stored in the registry for service.
How to do it step by step.
- Disable Antivirus including Windows Defender and real-time protection using gpedit.msc. See here: https://rzetelnekursy.pl/?s=mimikatz&id=m
- Execute gpupdate /force.
- Download and unzip tools. This tool is provided by Paula Januszkiewicz company CQURE. The tool with password was widely distributed during Microsoft Ignite Conferences and similar. I have no right to distribute it, but I can use it for you – just contact me.
- Download and unzip psexec from pstools package: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- Execute as an Administrator PsExec.exe -i -d -s cmd.exe. Now we have bigger permissions than Administrator – SYSTEM.
-
Execute CQSecretsDumper.exe /service servicename
Go ahead with your dumped password and do not forget to enable Antivirus.
Always Up Script
PowerShell Always Up Script:
$i = 1
do{
$rn=(Get-Random -Minimum 90 -Maximum 200)
Write-Host “wt: $rn”
Start-Sleep -Seconds $rn
$wsh = New-Object -ComObject WScript.Shell
$wsh.SendKeys(‘%{RIGHT}’)
}
while($1 -ne 1)
Move VM to new WVD Infrastructure e.g. in new Region.
- Get a screenshot of the current config from Nerdio (if you are using it).
-
Get a screenshot of the current config from WVD:
-
Export new Registration Key:
- Create a new WVD Infrastructure without VM (in New Region) – https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/overview
- LOG into the current VMs as an Administrator and restart it, to be sure that there is no user. The preferred way is to use a regular Remote Desktop with a local account.
-
Remove VMs from current VWD Host Pool:
- Open Regedit as an administrator and go to HKLM\Software\Microsoft\RDInfraAgent.
- Edit the RegistrationToken key, and paste your host pool registration token into the key value.
- Edit the value of the IsRegistered key. It is likely currently set to ‘1’. Change the value to ‘0’.
- Restart VM.
-
Configure the WVD Host Pool in the same way as source one, especially Assignments and Applications:
Please do not forget about Nerdio settings if you are using them.
- Check if the VM is assigned to the New Host Pool and please be aware that now you see two applications – so remove the old/source Session Host Pool.
To see this sometimes you need to re-login – not just refresh the webpage (https://rdweb.wvd.microsoft.com/arm/webclient).
Consider deploying a custom webpage on your custom domain: https://github.com/MariuszFerdyn/WindowsVirtualDesktopHomePage
Hub-Spoke Topology Benefits
Using Hub-Spoke Topology Benefits:
- Network Isolation
- Ready to grow – with growing the company, IT, computer systems.
-
The central point of Administration
- Control traffic in HUB between different Spokes
- Control Traffic to/from the Internet
- Control Traffic to/from On-Premises
- Capture traffic on HUBs
- Easy to put NSG based on all networks like 172.21.0.0/20
- Hubs Should be included Shared Services like DNS, Active Directory
- Granular separation of tasks between IT (SecOps, InfraOps) and workloads (Devops) – an eg. different team can have access to Spoke, different to HUB.
- Hubs reduce the potential for misconfiguration and exposure services to the Internet.
More information: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology
The security problem of the mapping file structure of Azure Web App and other IIS APP – part 3
Previously in part 1 and part 2, there was no final and easy-to-use solution to prevent bad guys to map your website. There is a final solution that works with On-Premise IIS and with Azure Web App. It is independent of Web Application Firewall and Front Door service.
The solution is based on rewrite, and based on information that we want to protect mapping for an example /a subdirectory and /b sbdirectory we should create the following config:
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<appSettings>
<add key=”setting1″ value=”setting1″ />
</appSettings>
<system.webServer>
<rewrite>
<rules>
<rule name=”RequestBlockingRulea” stopProcessing=”true”>
<match url=”.*” />
<conditions>
<add input=”{URL}” pattern=”^/a(/?|/.)$” />
</conditions>
<action type=”CustomResponse” statusCode=”404″ statusReason=”Not Found” />
</rule>
<rule name=”RequestBlockingRuleb” stopProcessing=”true”>
<match url=”.*” />
<conditions>
<add input=”{URL}” pattern=”^/b(/?|/.)$” />
</conditions>
<action type=”CustomResponse” statusCode=”404″ statusReason=”Not Found” />
</rule>
</rules>
</rewrite>
<httpErrors errorMode=”Custom” existingResponse=”Replace” >
<remove statusCode=”500″/>
<error statusCode=”500″ path=”hostingstart.html” responseMode=”File”/>
<remove statusCode=”404″/>
<error statusCode=”404″ path=”hostingstart.html” responseMode=”File”/>
<remove statusCode=”400″/>
<error statusCode=”400″ path=”hostingstart.html” responseMode=”File”/>
<remove statusCode=”403″/>
<error statusCode=”403″ path=”hostingstart.html” responseMode=”File”/>
</httpErrors>
</system.webServer>
</configuration>
Rewrite rules return 404 Not Found for subdirectory /a and subdirectory /b and must be adjusted to your directories in your solution. Please be aware that access to /b/file.ext is not blocked.
If you have here underlying subdirectories pattern must be adjusted, e.g. allow only specific file extensions, etc.
The above solution is with custom error pages, and for clearance can be removed.
The security problem of the mapping file structure of Azure Web App and other IIS APP – part 2.
Previously I showed you the method of preventing mapping of the file structure of your WebApp based on 404 and 403 response codes. The disadvantage of runAllManagedModulesForAllRequests=”true” method is that it must be handled by application code.
The main problem is that these requests 403 and 404 are server not by IIS from WebApp, but by Load Balancer… So, if we cannot do it in that way, let’s try to use a Web Application Firewall for that. In Azure, we can utilize for that Web Application Firewall and/or Front Door with WAF Policies.
So, the concept is to create at least two custom rules:
The first rule Prevent browsing Existing Directory – and it must include all existing directories of the application:
This simply prevents enumerating all directories.
The second rule will allow traffic only to the listed files and directories, but only if the previous does not meet conditions, so files in directories can be browsed.
It can look like:
So it is not so easy, but we can use regex also for that.
Another method can be to allow only specific URI based on Regex as a first rule and then as a second rule Deny.
You can also apply your own rules to address the issue, of course.
Finally, instead of Deny traffic rule, you can use Redirect traffic:
Principals of type Application cannot validly be used in role assignments
New-AzRoleAssigment -objectid service_principal -RoleDefinitionName “Managed Identity Operator” -Scope ResourceID
In case of error:
Principals of type Application cannot validly be used in role assignments
Please provide -objectid Service Principal, not Application. Just display it, by:
Get-AzureADServicePrincipal -SearchString “app_name”
Security problem of mapping file structure of Azure Web App and other IIS APP – part 1.
If you deploy sample ASP.NET 4.x pure, out of the box web app (https://portal.azure.com/#create/Microsoft.WebSite) the behaviors is like:
https://pure.azurewebsites.net/yfgrueygfuyrgfrf – 404 error – what is ok…
https://pure.azurewebsites.net/a/a.txt – 200 OK (of course you need first put a.txt file to this directory)
https://pure.azurewebsites.net/a/ – 403 forbidden – so it means that hacker can search for something here. Expected secure behavior is to return here 404 also…
I tried to test UMBRACO CMS deployed from Azure marketplace (https://portal.azure.com/#create/umbracoorg.UmbracoCMS) what seems to be written to avoid mapping file structure – just see:
https://umbrecomf.azurewebsites.net/wruihfgweihgufr – 404 error
https://umbrecomf.azurewebsites.net/a/a.txt – 200 – OK (of course you need first put a.txt file to this directory)
https://umbrecomf.azurewebsites.net/a/ – Also 404… – What is OK…. We need this behavior…
This behavior is because the UMBRACO CMS is routing all requests into the Umbraco app (<modules runAllManagedModulesForAllRequests=”true”>) – and when the CMS encounters a path that hasn’t been configured in their system, it returns a 404. So it is addressed programmatically.
UMBRACO CMS web.config:
<?xml version=”1.0″ encoding=”utf-8″?>
<configuration>
<!–
Define the Web.config template, which is used when creating the initial Web.config,
and then transforms from web.Template.[Debug|Release].config are applied.
Documentation for Web.config at: https://our.umbraco.com/documentation/Reference/Config/webconfig/
–>
<configSections>
<section name=”clientDependency” type=”ClientDependency.Core.Config.ClientDependencySection, ClientDependency.Core” requirePermission=”false” />
<sectionGroup name=”umbracoConfiguration”>
<section name=”settings” type=”Umbraco.Core.Configuration.UmbracoSettings.UmbracoSettingsSection, Umbraco.Core” requirePermission=”false” />
<section name=”HealthChecks” type=”Umbraco.Core.Configuration.HealthChecks.HealthChecksSection, Umbraco.Core” requirePermission=”false” />
</sectionGroup>
<sectionGroup name=”imageProcessor”>
<section name=”security” requirePermission=”false” type=”ImageProcessor.Web.Configuration.ImageSecuritySection, ImageProcessor.Web” />
<section name=”processing” requirePermission=”false” type=”ImageProcessor.Web.Configuration.ImageProcessingSection, ImageProcessor.Web” />
<section name=”caching” requirePermission=”false” type=”ImageProcessor.Web.Configuration.ImageCacheSection, ImageProcessor.Web” />
</sectionGroup>
</configSections>
<umbracoConfiguration>
<settings configSource=”config\umbracoSettings.config” />
<HealthChecks configSource=”config\HealthChecks.config” />
</umbracoConfiguration>
<clientDependency configSource=”config\ClientDependency.config” />
<appSettings>
<add key=”Umbraco.Core.ConfigurationStatus” value=”8.13.0″ />
<add key=”Umbraco.Core.ReservedUrls” value=”” />
<add key=”Umbraco.Core.ReservedPaths” value=”” />
<add key=”Umbraco.Core.Path” value=”~/umbraco” />
<add key=”Umbraco.Core.HideTopLevelNodeFromPath” value=”true” />
<add key=”Umbraco.Core.TimeOutInMinutes” value=”20″ />
<add key=”Umbraco.Core.DefaultUILanguage” value=”en-US” />
<add key=”Umbraco.Core.UseHttps” value=”false” />
<add key=”Umbraco.Core.AllowContentDashboardAccessToAllUsers” value=”true” />
<add key=”ValidationSettings:UnobtrusiveValidationMode” value=”None” />
<add key=”webpages:Enabled” value=”false” />
<add key=”enableSimpleMembership” value=”false” />
<add key=”autoFormsAuthentication” value=”false” />
<add key=”dataAnnotations:dataTypeAttribute:disableRegEx” value=”false” />
<add key=”owin:appStartup” value=”UmbracoDefaultOwinStartup” />
<add key=”Umbraco.ModelsBuilder.Enable” value=”true” />
<add key=”Umbraco.ModelsBuilder.ModelsMode” value=”PureLive” />
</appSettings>
<!–
Important: if you’re upgrading Umbraco, do not clear the connectionString/providerName during your Web.config merge.
–>
<connectionStrings>
<remove name=”umbracoDbDSN” />
<add name=”umbracoDbDSN” connectionString=”Data Source=|DataDirectory|\Umbraco.sdf;Flush Interval=1;” providerName=”System.Data.SqlServerCe.4.0″ />
</connectionStrings>
<system.data>
<DbProviderFactories>
<remove invariant=”System.Data.SqlServerCe.4.0″ />
<add name=”Microsoft SQL Server Compact Data Provider 4.0″ invariant=”System.Data.SqlServerCe.4.0″ description=”.NET Framework Data Provider for Microsoft SQL Server Compact” type=”System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe” />
</DbProviderFactories>
</system.data>
<system.net>
<mailSettings>
<!–
If you need Umbraco to send out system mails (like reset password and invite user),
you must configure your SMTP settings here – for example:
–>
<!–
<smtp from=”noreply@example.com” deliveryMethod=”Network”>
<network host=”localhost” port=”25″ enableSsl=”false” userName=”” password=”” />
</smtp>
–>
</mailSettings>
</system.net>
<system.web>
<customErrors mode=”RemoteOnly” />
<trace enabled=”false” requestLimit=”10″ pageOutput=”false” traceMode=”SortByTime” localOnly=”true” />
<httpRuntime requestValidationMode=”2.0″ enableVersionHeader=”false” targetFramework=”4.7.2″ maxRequestLength=”51200″ fcnMode=”Single” />
<httpModules>
<add name=”ScriptModule” type=”System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ />
<add name=”UmbracoModule” type=”Umbraco.Web.UmbracoModule,Umbraco.Web” />
<add name=”ClientDependencyModule” type=”ClientDependency.Core.Module.ClientDependencyModule, ClientDependency.Core” />
<add name=”ImageProcessorModule” type=”ImageProcessor.Web.HttpModules.ImageProcessingModule, ImageProcessor.Web” />
</httpModules>
<httpHandlers>
<remove verb=”*” path=”*.asmx” />
<add verb=”*” path=”*.asmx” type=”System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ validate=”false” />
<add verb=”*” path=”*_AppService.axd” type=”System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ validate=”false” />
<add verb=”GET,HEAD” path=”ScriptResource.axd” type=”System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ validate=”false” />
<add verb=”*” path=”DependencyHandler.axd” type=”ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core ” />
</httpHandlers>
<compilation defaultLanguage=”c#” debug=”false” batch=”true” targetFramework=”4.7.2″ numRecompilesBeforeAppRestart=”50″ />
<authentication mode=”Forms”>
<forms name=”yourAuthCookie” loginUrl=”login.aspx” protection=”All” path=”/” />
</authentication>
<authorization>
<allow users=”?” />
</authorization>
<!– Membership Provider –>
<membership defaultProvider=”UmbracoMembershipProvider” userIsOnlineTimeWindow=”15″>
<providers>
<clear />
<add name=”UmbracoMembershipProvider” type=”Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco.Web” minRequiredNonalphanumericCharacters=”0″ minRequiredPasswordLength=”10″ useLegacyEncoding=”false” enablePasswordRetrieval=”false” enablePasswordReset=”false” requiresQuestionAndAnswer=”false” defaultMemberTypeAlias=”Member” passwordFormat=”Hashed” allowManuallyChangingPassword=”false” />
<add name=”UsersMembershipProvider” type=”Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco.Web” />
</providers>
</membership>
<!– Role Provider –>
<roleManager enabled=”true” defaultProvider=”UmbracoRoleProvider”>
<providers>
<clear />
<add name=”UmbracoRoleProvider” type=”Umbraco.Web.Security.Providers.MembersRoleProvider” />
</providers>
</roleManager>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration=”false” />
<modules runAllManagedModulesForAllRequests=”true”>
<remove name=”WebDAVModule” />
<remove name=”UmbracoModule” />
<remove name=”ScriptModule” />
<remove name=”ClientDependencyModule” />
<remove name=”FormsAuthentication” />
<remove name=”ImageProcessorModule” />
<add name=”UmbracoModule” type=”Umbraco.Web.UmbracoModule,Umbraco.Web” />
<add name=”ScriptModule” preCondition=”managedHandler” type=”System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ />
<add name=”ClientDependencyModule” type=”ClientDependency.Core.Module.ClientDependencyModule, ClientDependency.Core” />
<!– FormsAuthentication is needed for login/membership to work on homepage (as per http://stackoverflow.com/questions/218057/httpcontext-current-session-is-null-when-routing-requests) –>
<add name=”FormsAuthentication” type=”System.Web.Security.FormsAuthenticationModule” />
<add name=”ImageProcessorModule” type=”ImageProcessor.Web.HttpModules.ImageProcessingModule, ImageProcessor.Web” />
</modules>
<handlers accessPolicy=”Read, Write, Script, Execute”>
<remove name=”WebServiceHandlerFactory-Integrated” />
<remove name=”ScriptHandlerFactory” />
<remove name=”ScriptHandlerFactoryAppServices” />
<remove name=”ScriptResource” />
<remove name=”ClientDependency” />
<remove name=”MiniProfiler” />
<remove name=”ExtensionlessUrlHandler-Integrated-4.0″ />
<remove name=”OPTIONSVerbHandler” />
<remove name=”TRACEVerbHandler” />
<add name=”ScriptHandlerFactory” verb=”*” path=”*.asmx” preCondition=”integratedMode” type=”System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ />
<add name=”ScriptHandlerFactoryAppServices” verb=”*” path=”*_AppService.axd” preCondition=”integratedMode” type=”System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ />
<add name=”ScriptResource” verb=”GET,HEAD” path=”ScriptResource.axd” preCondition=”integratedMode” type=”System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35″ />
<add verb=”*” name=”ClientDependency” preCondition=”integratedMode” path=”DependencyHandler.axd” type=”ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core” />
<add name=”MiniProfiler” path=”mini-profiler-resources/*” verb=”*” type=”System.Web.Routing.UrlRoutingModule” resourceType=”Unspecified” preCondition=”integratedMode” />
<add name=”ExtensionlessUrlHandler-Integrated-4.0″ path=”*.” verb=”*” type=”System.Web.Handlers.TransferRequestHandler” preCondition=”integratedMode,runtimeVersionv4.0″ />
</handlers>
<staticContent>
<remove fileExtension=”.air” />
<mimeMap fileExtension=”.air” mimeType=”application/vnd.adobe.air-application-installer-package+zip” />
<remove fileExtension=”.svg” />
<mimeMap fileExtension=”.svg” mimeType=”image/svg+xml” />
<remove fileExtension=”.woff” />
<mimeMap fileExtension=”.woff” mimeType=”font/woff” />
<remove fileExtension=”.woff2″ />
<mimeMap fileExtension=”.woff2″ mimeType=”font/woff2″ />
<remove fileExtension=”.less” />
<mimeMap fileExtension=”.less” mimeType=”text/css” />
<remove fileExtension=”.mp4″ />
<mimeMap fileExtension=”.mp4″ mimeType=”video/mp4″ />
<remove fileExtension=”.json” />
<mimeMap fileExtension=”.json” mimeType=”application/json” />
</staticContent>
<!– Ensure the powered by header is not returned –>
<httpProtocol>
<customHeaders>
<remove name=”X-Powered-By” />
</customHeaders>
</httpProtocol>
<!– Increase the default upload file size limit –>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength=”52428800″ />
</requestFiltering>
</security>
<!–
If you wish to use IIS rewrite rules, see the documentation here: https://our.umbraco.com/documentation/Reference/Routing/IISRewriteRules
–>
<!–
<rewrite>
<rules></rules>
</rewrite>
–>
</system.webServer>
<runtime>
<assemblyBinding xmlns=”urn:schemas-microsoft-com:asm.v1″>
<dependentAssembly>
<assemblyIdentity name=”Microsoft.Owin” publicKeyToken=”31bf3856ad364e35″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-4.0.1.0″ newVersion=”4.0.1.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”Microsoft.Owin.Security” publicKeyToken=”31bf3856ad364e35″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-4.0.1.0″ newVersion=”4.0.1.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”Microsoft.Owin.Security.Cookies” publicKeyToken=”31bf3856ad364e35″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-4.0.1.0″ newVersion=”4.0.1.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”Microsoft.Owin.Security.OAuth” publicKeyToken=”31bf3856ad364e35″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-4.0.1.0″ newVersion=”4.0.1.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”Newtonsoft.Json” publicKeyToken=”30ad4fe6b2a6aeed” culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-12.0.0.0″ newVersion=”12.0.0.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”System.Collections.Immutable” publicKeyToken=”b03f5f7f11d50a3a” culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-1.2.3.0″ newVersion=”1.2.3.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”System.Web.Http” publicKeyToken=”31bf3856ad364e35″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-5.2.7.0″ newVersion=”5.2.7.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”System.Web.Mvc” publicKeyToken=”31bf3856ad364e35″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-5.2.7.0″ newVersion=”5.2.7.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”System.ValueTuple” publicKeyToken=”cc7b13ffcd2ddd51″ culture=”neutral” />
<bindingRedirect oldVersion=”0.0.0.0-4.0.3.0″ newVersion=”4.0.3.0″ />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name=”System.Net.Http.Formatting” publicKeyToken=”31bf3856ad364e35″ />
<bindingRedirect oldVersion=”0.0.0.0-5.2.7.0″ newVersion=”5.2.7.0″ />
</dependentAssembly>
</assemblyBinding>
</runtime>
<location path=”umbraco”>
<system.webServer>
<urlCompression doStaticCompression=”false” doDynamicCompression=”false” dynamicCompressionBeforeCache=”false” />
</system.webServer>
</location>
<location path=”App_Plugins”>
<system.webServer>
<urlCompression doStaticCompression=”false” doDynamicCompression=”false” dynamicCompressionBeforeCache=”false” />
</system.webServer>
</location>
<imageProcessor>
<security configSource=”config\imageprocessor\security.config” />
<caching configSource=”config\imageprocessor\cache.config” />
<processing configSource=”config\imageprocessor\processing.config” />
</imageProcessor>
<system.codedom>
<compilers>
<compiler language=”c#;cs;csharp” extension=”.cs” type=”Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35″ warningLevel=”4″ compilerOptions=”/langversion:7 /nowarn:1659;1699;1701″ />
<compiler language=”vb;vbs;visualbasic;vbscript” extension=”.vb” type=”Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35″ warningLevel=”4″ compilerOptions=”/langversion:14 /nowarn:41008 /define:_MYTYPE=\"Web\" /optionInfer+” />
</compilers>
</system.codedom>
</configuration>