Strona 3 – Wiedza

Connect to Azure Virtual Machine using Azure Active Directory Account

Deploy your favorite VM that Supports login using Azure Active Directory credentials, selecting the option Login with Azure AD, and then Enable system assigned managed identity will be selected automatically.

In the IAM of the Virtual Machine (or Resource Group, Subscription, and finally Management Group), add one of the options:
Virtual Machine Administrator Login
Virtual Machine User Login

against the user you would like to use to log in.

Download an RDP file that can connect to the VM
Edit the downloaded file using notepad, adding two lines:

authentication level:i:2

enablecredsspsupport:i:0

So the whole file should look like this:

full address:s:20.124.36.45:3389

prompt for credentials:i:1

administrative session:i:1

authentication level:i:2

enablecredsspsupport:i:0
Disable NLA (Network Level Authentication) on the VM using the Run command:
Restart the VM.
Double-click on the file and connect to the VM using Azure Active Directory credentials; please add AzureAD\ before the username.

You should see the following screen to enter the credentials:
If you see the message:

The Sign-in method you’re trying to use isn’t allowed. For more info, contact your network administrator.

You must relax the Conditional Access methods by adding Azure Windows VM Sign-In to the excluded apps.

Azure Monitor Agent (AMA) vs Log Analytics Agent (part 3) – How to ingest logs

The initiative:

[Preview]: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent
mentioned in part 1 contains from the following policies:
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent
[Preview]: Configure supported Windows machines to automatically install the Azure Security agent
[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
Configure Linux Arc-enabled machines to run Azure Monitor Agent
Configure Windows Arc-enabled machines to run Azure Monitor Agent
[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent
[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent
[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

So you see at least two about creating Data Collection Rule:

[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

And you notice in Monitor | Data Collection Rules that for Windows and only for Windows the Data Collection Rule has been created. But how is it looks like:

So no logs are gathered. Select what you would like to ingest, by checking the appropriate check boxes:

and finally check Event table in Log Analytics workspace:

You can also add Data Collection Rules for Linux just there are not added automatically like for Windows.

Azure VM – Deploy CNI plug-in for Docker containers

Everyone is usually aware of CNI in Azure Kubernetes Service; it allows you to expose the POD IP address in Virtual Network directly. So simply, every pod has an IP address from Virtual Network. This functionality can also be reached if you install docker in Virtual Machine. It can be helpful if you would like to build functionality similar to google cloud “… deploy a container to this VM instance by using a container-optimized OS image…”.

You can start reading about this technology here: https://learn.microsoft.com/en-us/azure/virtual-network/deploy-container-networking#download-and-install-the-plug-in and finish with this repo:

https://github.com/Azure/azure-container-networking.

But there is the clue – command by command for Linux and Windows:

Ubuntu 20.04:

sudo su –
sudo apt-get update
sudo apt-get install \
ca-certificates \
curl \
gnupg \
lsb-release

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg –dearmor -o /etc/apt/keyrings/docker.gpg

echo \
“deb [arch=$(dpkg –print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable” | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update

sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin

docker ps

git clone https://github.com/Azure/azure-container-networking.git

cd azure-container-networking/scripts/

./install-cni-plugin.sh v1.4.20

chmod u+x docker-run.sh

sudo apt-get update

sudo apt-get -y install jq

#Nic-name and resourcegroup is the Network Interface of Virtual Machine – That one create additional ip on existing network interface
az network nic ip-config create –name container01 –nic-name cni-lin-10603 –private-ip-address 10.224.0.6 –resource-group CNI-Test02

iptables -t nat -A POSTROUTING -m addrtype ! –dst-type local ! -d 10.224.0.0/16 -j MASQUERADE
iptables -I DOCKER-USER -d 10.224.0.6 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -I DOCKER-USER -s 10.224.0.6 -j ACCEPT

./docker-run.sh vnetdockerdemo default alpine

sudo docker exec -it vnetdockerdemo /bin/sh

ifconfig

Windows 2016 with container (Image from Azure):

#Powershell as a admin

Invoke-WebRequest -Uri https://github.com/Azure/azure-container-networking/archive/refs/heads/master.zip -OutFile azure-container-networking.zip

Expand-Archive azure-container-networking.zip -DestinationPath azure-container-networking
cd .\azure-container-networking\azure-container-networking-master\scripts\

.\Install-CniPlugin.ps1 v1.4.2

#Nic-name and resourcegroup is the Network Interface of Virtual Machine – That one create additional ip on existing network interface
az network nic ip-config create –name container04 –nic-name cnit-03-win151 –private-ip-address 10.224.0.8 –resource-group CNI-Test02

Invoke-WebRequest -Uri https://github.com/stedolan/jq/releases/download/jq-1.6/jq-win64.exe -OutFile C:\windows\system32\jq-win64.exe

jq-win64.exe

C:\k\azurecni\netconf\10-azure.conflist:
{
“cniVersion”: “0.3.0”,
“name”: “azure”,
“adapterName”: “”,
“plugins”: [
{
“type”: “azure-vnet”,
“mode”: “bridge”,
“bridge”: “azure0”,
“capabilities”: {
“portMappings”: true,
“dns”: true
},
“ipam”: {
“type”: “azure-vnet-ipam”
},
“dns”: {
“Nameservers”: [
“10.0.0.10”,
“168.63.129.16”
],
“Search”: [
“svc.cluster.local”
]
},
“AdditionalArgs”: [
{
“Name”: “EndpointPolicy”,
“Value”: {
“Type”: “OutBoundNAT”,
“ExceptionList”: [
“10.224.0.0/12”
]
}
},
{
“Name”: “EndpointPolicy”,
“Value”: {
“Type”: “ACL”,
“Action”: “Allow”,
“Direction”: “In”,
“Priority”: 65500
}
},
{
“Name”: “EndpointPolicy”,
“Value”: {
“Type”: “ACL”,
“Action”: “Allow”,
“Direction”: “Out”,
“Priority”: 65500
}
}
],
“windowsSettings”: {
“enableLoopbackDSR”: true
}
}
]
}

.\docker-exec.ps1 vnetdockerdemo default mcr.microsoft.com/windows/servercore/iis add

docker exec -it vnetdockerdemo powershell

ipconfig

Azure Monitor Agent (AMA) vs Log Analytics Agent (part 2)

Let’s see how Azure Monitor Agents looks under Linux VM:

As previously mentioned, boot Legacy Log Analytics Agent and new Azure Monitor Agent can report to the single Log Analytics Workspace. What it looks like:

One of the differences between Log Analytics Agent for Windows and Linux was that only Windows one can report to two different Log Analytics Workspaces simultaneously. Using bot agents Azure Monitor Agent and Legacy Log Analytics Agent, you can also reach this functionality for Linux.
From another perspective, reporting twice, especially for one Log Analytics Workspace, you will get all the data double, you will be paying double, and your reports can be affected by double data.

Sometimes you can see a message on your Virtual Machine “Some details about the installed extensions are unavailable. This can occur when the virtual machine is stopped or the agent is unresponsive...” suggestion that the VM is not running or hangs can be OK and easy to resolve, by restarting, but if it does not help please try to redeploy VM:

To check if Azure Monitor Agent is working under Linux, just execute the following:

systemctl status azuremonitoragent

You can also view logs using the following:

cat /var/opt/microsoft/azuremonitoragent/log/mdsd.*

To check if Legacy Log Analitics Agent is working, you can execute the following:

systemctl status omsagent-*service

cat /var/opt/microsoft/omsagent/*-*/log/*

Azure Monitor Agent (AMA) vs Log Analytics Agent (part 1)

One point of security, covered also by Defender For Cloud is install Log Analytics (LA) on all workloads that uses Virtual Machines (e.g. starting from Cloud Services to the ending to normal VM). It was clear as far we have one Agent, but currently we have two chooses:

Azure Monitor Agent (AMA) – some features are in preview
Log Analytics Agent (Legacy Agent)

The legacy Log Analytics agent will be deprecated by August 2024. Migrate to Azure Monitor agent before August 2024 to continue ingesting data.

So not so much time to go to the Azure Monitor Agent, but always get confirmation (from Microsoft) that your intentions, are not against the PREVIEW functionality and remember:

“Remember that you SHALL NEVER use non-GA services and features for production workloads. The purpose of Private and Public Preview is only for evaluation purposes only. Except for the lack of SLA and formal support, there might be other issues that were not yet discovered or fixed. Think about the #ChaosDB vulnerability, which was caused by a CosmosDB feature that was in Public Preview.” More info.

To install the old Log Analytics Agent (Legacy Agent) we can use the following:

We can use also embedded Azure Polices like:

Deploy Log Analytics extension for Linux VMs. See deprecation notice below
Deploy – Configure Log Analytics extension to be enabled on Windows virtual machines
Windows machines should have Log Analytics agent installed on Azure Arc
Configure Log Analytics extension on Azure Arc enabled Windows servers

Let’s move to the new Azure Monitor Agent (AMA). For install the following extensions:

AzureMonitorLinuxAgent (version 1.15)
AzureSecurityLinuxAgent (version 2.0)
AzureMonitorWindowsAgent (version 1.2)
AzureSecurityWindowsAgent (version 1.0)

You can use only one Policy Initiative named:

[Preview]: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent

If you previously used Legacy Log Analytics Agent – there is official migration path. You can also install new agent (using policies). Installation on Windows VM looks like (first Log Analytics Agent the second Azure Monitor Agent):

Whats happen than, the two Log Analytics agent will working and send the data to the two Log Analytics Workspace, of course if the different one has been configured for Azure Monitor Agent and Log Analytics Agent.

Finally You can query against them (The first is the Log Analytics Agent, the second is Azure Monitor Agent – observe the Version column):

How to detect if Azure Monitor Agent is working, just check if MonAgentCore.exe

If you deal with the Azure Policies and you would like to Invoke Azure Policy Evaluation you can invoke the following API (even via GUI, just there is API Explorer):

https://docs.microsoft.com/en-us/rest/api/policy/policy-states/trigger-resource-group-evaluation

Azure Monitor Agent docs:

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

If you think your cloud provider is down / Jeżeli myślisz, że dostawca chmury ma awarie

If you think your cloud provider is down:

Check if you made a mistake
Check best practices for deployed resources.
Consult your friends if there is a similar problem.
Check Twitter for a shit storm apropos cloud not working.
If you still think the cloud provider has a problem, see point 1.
If you are convinced that it’s a cloud problem – contact the application developers – because it may be the application’s fault.
Next time, consider starting at the end.

Jeżeli myślisz, że dostawca chmury ma awarie:

Sprawdź czy to nie Ty popełniłeś błędu
Sprawdź najlepsze praktyki dotyczące wdrożonych zasobów.
Skonsultuj się ze znajomymi, czy nie ma podobnego problemu.
Sprawdź Twitter’a, czy nie ma gówno burzy apropo niedziałania chmury.
Jeżeli nadal myślisz, że dostawca chmury ma problem patrz punkt 1.
Jeżeli jesteś przekonany, że To problem chmury – skontaktuj się z developerami aplikacji – bo może to wina aplikacji.
Następnym razem zastanów się, czy nie zacząć od końca.

Azure GPU Instances in duty of recover RAR passwords

Using Azure GPU instances to recover/crack RAR passwords, 3 steps:

Deploy this Standard Azure Gaming Instance with Nvidia Tesla GPU: https://github.com/MariuszFerdyn/azure-gaming
Download cRARk55 http://www.crark.net. There is only one file encrypted so you can extract rest.
Rename any def to password.def and configure tool – usually just line 56 [$a $A $1 $!] *
Execute cRARk.exe newbase.rar and wait for results.

cRARk.exe rar.rar
cRARk 5.5b (OpenCL enabled) Freeware
Copyright 1995-2001, 2006-20 by P. Semjanov, http://www.crark.net
(c) Password Definition Language & PDL engine v. 4.0 by P. Semjanov 1999-2019

Testing archive rar.rar: version 5.0
Testing newbase\fx-server\.gitignore
OpenCL device #0 Tesla M60 found, 1177 MHz, 2048 SP cores, GPU rate = 11.26
Trying to compile FAST NVIDIA OpenCL kernel. Please wait… Successfully.
Running self-test… Successfully

Choosing best crypto functions……….
Chosen: AVX2, AVX, AVX2 (-f479), AES-NI
Clock cycles per password expected = 8458338 (SIMD)/31320216 (x64) (*), theoretical = 40235893
SHA-256 clock cycles per byte expected = 2.1 (SIMD)/7.5 (x64) (*), theoretical = 9.6
Intel(R) Xeon(R) CPU E5-2690 v3 @ 2.60GHz found, CPU rate = 4.76 (*)
(*) May be inaccurate if Turbo Boost is on

Processing line 59 of password definition file…
Expected passwords to test (approx.) = 7417954634
Testing 1-character passwords …
Passwords tested = 94 (time = 00.32, rate = 292 p/s)
Testing 2-character passwords …
Testing * on device #0, Block size is: 512 x 256 (-m512), step = 1/2 (-d2)
Passwords tested = 8930 (time = 01.51, rate = 5898 p/s)
Testing 3-character passwords …
Testing * on device #0, Block size is: 512 x 256 (-m512), step = 1/2 (-d2)
Passwords tested = 839514 (time = 51.79, rate = 16209 p/s)
Testing 4-character passwords …

Be aware that it is almost impossible to crack more than 8 characters password.

Cloud Assessments

Some post ago I shared with Cloud Audits Assessments, now some Cloud and Dev-ops Assessments, all delivered by Microsoft:

https://learn.microsoft.com/en-us/assessments/

Can be useful not only when are you going to the meeting and do not know what to say…

Enable-AzureRmAlias – uset this statement if you want to use your old Powershell Azure scripts

Inststall Windows Store application without Windows Store

Download appx or better boundle if preset using this link: https://store.rg-adguard.net/
Execute:

Add-AppxPackage -Path “C:\Path\to\File.Appx”

Azure Monitor – Tables used by Defender for Cloud

List of tables used by Defender for Cloud:

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/SigninLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AADNonInteractiveUserSignInLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AADServicePrincipalSignInLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AADManagedIdentitySignInLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureActivity

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Usage

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureDiagnostics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceHTTPLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureMetrics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceFileAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAppLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Usage

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAntivirusScanAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureDiagnostics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMConnection

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/InsightsMetrics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMBoundPort

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureMetrics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Heartbeat

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/ServiceMapProcess_CL

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMProcess

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceFileAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/HealthStateChangeEvent

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceHTTPLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/SecurityBaseline

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Update

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Usage

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/ServiceMapComputer_CL

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/ProtectionStatus

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMComputer

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/UpdateSummary

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/SecurityBaselineSummary

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAntivirusScanAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceIPSecAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureMetrics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureDiagnostics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Usage

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureDiagnostics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Usage

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureMetrics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureDiagnostics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceFileAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMBoundPort

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/InsightsMetrics

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMConnection

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/SecurityEvent

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceHTTPLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAppLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Heartbeat

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/ServiceMapProcess_CL

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMProcess

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AzureActivity

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Usage

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Update

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceIPSecAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/SecurityBaseline

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/Operation

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/NetworkMonitoring

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/VMComputer

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/ProtectionStatus

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/ServiceMapComputer_CL

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAntivirusScanAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/AppServiceAuditLogs

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/UpdateSummary

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/SecurityBaselineSummary

Windows, Fonts are very small via Citrix on Microsoft Surface

From version after 2203.1 Citrix Receiver has no settings for DPI, and Microsoft Surface and similar advanced computers have very high DPI than the Citrix render graphics that it is very small. The workaround is to use the old Citrix Receive Client:

https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/workspace-app-for-windows-LTSR.html

cloud-Init – just for remember

#cloud-config
runcmd:
– date >> /home/onlyonce
bootcmd:
– date >> /home/everyboot

More info.

Azure Devops – Execute task before Source Code Checkout

Sometimes we need to execute several tasks before Source Code Checkout – Install Certificates configure git. This Market Place solution can be very helpful:

https://marketplace.visualstudio.com/items?itemName=jessehouwing.pre-post-tasks

Sample task:

# Starter pipeline

trigger:

– none

pool:

  name: privatepool

steps:

– task: jessehouwing.pre-post-tasks.Pre-CmdLineV2.Pre-CmdLine@2

  displayName: ‘Pre’

  inputs:

    script: ‘du -sh /agent/* | sort -h’

– task: Bash@3

  displayName: ‘Main’

  inputs:

    targetType: ‘inline’

    script: |

      du -sh /agent/* | sort -h

Look like:

RDS infrastructure – The connection has been terminated because an unexpected server authentication certificate was received from the remote computer.

The connection has been terminated because an unexpected server authentication certificate was received from the remote computer. In my case the error was connected after adding HA for Connection Broker and adding new DNS name for the RD Connection Broker cluster, that was not included in certificate. You can always change it using Power Shell command as a admin:

Set-RDClientAccessName -ConnectionBroker connectionbroker-server-name -ClientAccessName New-DNS-Name-For-The-RD-Connection-Broker-Cluster

Please remember that DNS must be configured for New-DNS-Name-For-The-RD-Connection-Broker-Cluster

49 meetup Microsoft Azure User Group Poland – Warsaw

W środowy wieczór po 2 letnim czasie pandemii odbyło się 49 spotkanie Microsoft Azure User Group Poland w Warszawie, tym razem w siedzibie I dzięki uprzejmości ISS World Services. Co było ciekawego w porządku chronologicznym w nowej i chyba ciepło przyjętej formule wystąpień 15, czyli 20 minutowych.

Emil pokazywał dość skomplikowany przykład wykorzystania promowanej metody wdrażania zasobów z wykorzystaniem Azure Biceps. Jako że byłem spóźniony nie jestem przekonany czy widownia zrozumiała zalety i wdrożenie, a jeżeli nie to proponuje zacząć tutaj https://docs.microsoft.com/pl-pl/azure/azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code. A osobiście zastanawiam się, czemu MS nie zaadoptował HELMa do tego. Było by prościej wszak byłyby template wraz z czystym yaml’em.

Następnie mogliśmy posucha o IT nie tylko Cloudowym okiem bezpiecznika, po czym jak to stwierdził Marek celebryckie wystąpienie Kamila o…. no właśnie chyba o Security Posture z przeslaniem korzystajcie przynajmniej z Microsoft Defender for Cloud.

Druga polowa to to co tygrysy lubią najbardziej!!!

Łukasz – łatwe wdrażanie kontenerów, bez ograniczeń jak w Web App typu Vnet, ruch tylko http/s – czyli Azure Container Apps. Usługa bardzo podobna do Azure Container Instances, ale ze znacznie większymi możliwościami i miejmy nadzieje, że dużo bardziej stabilna niż Azure Container Instances zwłaszcza z sieciami prywatnymi. Mogę się domyśleć, czemu MS chce aż 21 bitowych sieci do wdrożenia usługi, co swoja droga jest nie do przyjęcia, bo przy 27 bitowych sieciach w Container Instances był z tym problem… wiec przy okazji jak chcecie, aby Container Instances były stabilne zróbcie odpowiednio większe sieci i jak pozostanie wam 2 lub 3 wolne ip dla podów, to to za mało. Wada/Zaleta usługi to rozliczanie jak Azure Functions… więcej informacji: https://docs.microsoft.com/en-us/azure/container-apps/.

Już wcześniej wspominany Marek opowiadał o AMPLS – nie mylić z MPLS, chociaż blisko. Czyli Azure Monitor Private Link (AMPLS) – I wszyscy zerwali się wdrażać – tylko, że problem z wykorzystaniem Azure Sentinela z tym rozwiązaniem. Więcej informacji: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security.

Na zakończenie Tomek opowiedział o usłudze as a service Jmeter w Azure. Nie musimy się martwić o konfigurowanie Javy dla workerów Jmeter’owych, a wszystko zrobi za nas Azure. Więcej informacji: https://docs.microsoft.com/en-us/azure/load-testing/quickstart-create-and-run-load-test, możecie wykorzystać jmx, który wgrywamy do usługi z prezentacji, którą swojego czasu robiłem a materiał jest tutaj – https://rzetelnekursy.pl/how-azure-can-help-you-with-performance-tests-using-jmeter/.

On Wednesday evening, after the 2-year time of the pandemic, the 49th Microsoft Azure User Group Poland meeting was held in Warsaw, this time at headquarters I, courtesy of ISS World Services.

What was interesting in the chronological order in the new and probably warmly received the formula of 15 or 20-minute speeches.

Emil showed a rather complicated example of using the Azure Biceps. As I was late, I am not convinced that the audience understood the advantages and implementation; if not, I suggest starting here https://docs.microsoft.com/pl-pl/azure/azure-resource-manager/bicep/quickstart-create-bicep -use-visual-studio-code. And I wonder why MS has not adapted HELM to this. It would be simpler, after all, it would be a template with a pure YAML.

Then we could hear about IT from the security point of view, and Kamil’s celebrity speech about … Well, probably about Security Posture with sending the message – use at least Microsoft Defender for Cloud.

The other half is what tigers like best !!!

Łukasz – easy container implementation, without restrictions like in WebApp – Azure Container Apps. A service very similar to Azure Container Instances but with much more possibilities and hopefully much more stable than Azure Container Instances especially with private networks. I can guess why MS wants 21-bit networks to implement the service, which by the way is unacceptable because with 27-bit networks in Container Instances there is a problem with it … so by the way, if you want Container Instances to be stable, make correspondingly larger nets and if you have 2 or 3 it’s left for pods, that’s not enough. The disadvantage / Advantage of the service is billing like Azure Functions … more information: https://docs.microsoft.com/en-us/azure/container-apps/.

Marek talked about AMPLS – Azure Monitor Private Link (AMPLS) – be aware of the problem with using Azure Sentinel with this solution. More information: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security.

Finally, Tomek talked about the service Jmeter in Azure. We don’t have to worry about configuring Java for Jmeter workers, and Azure will do everything for us. More information: https://docs.microsoft.com/en-us/azure/load-testing/quickstart-create-and-run-load-test, you can use JMX, which can be uploaded to the service from the presentation that I did in my time and the material is here – https://rzetelnekursy.pl/how-azure-can-help-you-with-performance-tests-using-jmeter/.

Cybersecurity Maturity Model Certification (CMMC)

Controls of Cybersecurity Maturity Model Certification (CMMC) based on Microsoft Technical Reference Guide:

Limit information system access to authorized users, processes acting on …
Limit information system access to the types of transactions and functions …
Control the flow of CUI in accordance with approved authorizations.
Separate the duties of individuals to reduce the risk of malevolent activity …
Employ the principle of least privilege, including for specific security…
Use non-privileged accounts or roles when accessing non-security functions.
Prevent non-privileged users from executing privileged functions…
Limit unsuccessful logon attempts.
Use session lock with pattern-hiding displays to prevent access and viewing …
Terminate (automatically) user sessions after a defined condition.
Monitor and control remote access sessions.
Employ cryptographic mechanisms to protect the confidentiality of remote …
Route remote access via managed access control points.
Authorize remote execution of privileged commands and remote access…
Authorize wireless access prior to allowing such connections.
Protect wireless access using authentication and encryption.
Control connection of mobile devices.
Encrypt CUI on mobile devices and mobile computing platforms.
Verify and control/limit connections to and use of external information …
Limit use of portable storage devices on external systems.
Control information posted or processed on publicly accessibleinformation systems.
Create and retain system audit logs and records to the extent needed to …
Ensure that the actions of individual system users can be uniquely traced to …
Review and update logged events.
Alert in the event of an audit logging process failure.
Correlate audit record review, analysis and reporting processes for…
Provide audit record reduction and report generation to support …
Provide a system capability that compares and synchronizes internal system …
Protect audit information and audit logging tools from unauthorized access…
Limit management of audit logging functionality to a subset of privileged …
Ensure that managers, system administrators and users of organizational …
Ensure that personnel are trained to carry out their assigned information …
Provide security awareness training on recognizing and reporting potential …
Establish and maintain baseline configurations and inventories…
Establish and enforce security configuration settings for information …
Track, review, approve or disapprove and log changes to organizational …
Analyze the security impact of changes prior to implementation.
Define, document, approve and enforce physical and logical access …
Employ the principle of least functionality by configuring organizational …
Restrict, disable or prevent the use of nonessential programs, functions…
Apply deny-by-exception (blacklisting) policy to prevent the use of …
Control and monitor user-installed software.
Identify information system users, processes acting on behalf of users or …
Authenticate (or verify) the identities of those users, processes or devices, as …
Use multi-factor authentication for local and network access to privileged …
Employ replay-resistant authentication mechanisms for network access to…
Prevent the reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity.
Enforce a minimum password complexity and change of characters when …
Prohibit password reuse for a specified number of generations.
Allowtemporary password usefor system logons with an immediate changeto a permanent password.
Store and transmit only cryptographically protected passwords.
Obscure feedback of authentication information.
Establish an operational incident-handling capability for organizational …
Track, document and report incidents to designated officials…
Test the organizational incident response capability.
Perform maintenance on organizational systems.
Provide controls on the tools, techniques, mechanisms and personnel used …
Ensure equipment removed for off-site maintenance is sanitized of any…
Check media containing diagnostic and test programs for malicious code …
Require multifactor authentication to establish nonlocal maintenance …
Supervise the maintenance activities of personnel without required access …
Protect (i.e., physically control and securely store) system media containing …
Limit access to CUI on systemmedia to authorized users.
Sanitize or destroy information system media containing Federal Contract …
Mark media with necessary CUI markings and distribution limitations.
Control access to media containing CUI and maintain accountability for…
Implement cryptographic mechanisms to protect the confidentiality of…
Control the use of removable media on system components.
Prohibit the use of portable storage deviceswhen such devices have no …
Protect the confidentiality of backup CUI at storage locations.
Screen individuals prior to authorizing access to organizational systems …
Ensure that organizational systems containing CUI are protected during and …
Enforce safeguarding measures for CUI at alternate work sites.
Periodically assess the risk to organizational operations …
Scan for vulnerabilities in organizational systems and applications …
Remediate vulnerabilities in accordance with risk assessments.
Periodically assess the security controls in organizational systems to …
Develop and implement plans of action (e.g., POA&M) designed to correct …
Monitor security controls on an ongoing basis to ensure the continued …
Develop, document and periodically update System Security Plans (SSPs) …
Monitor, control and protect organizational communications…
Employ architectural designs, software development techniques and …
Separate user functionality from system management functionality.
Prevent unauthorized and unintended information transfer via shared …
Implement subnetworks for publicly accessible system components that are …
Deny network communications traffic by default and allow network …
Prevent remote devices from simultaneously establishing non-remote …
Implement cryptographic mechanisms to prevent unauthorized disclosure of …
Terminate network connections associated withcommunications sessions atthe end of the sessions or after a defined period of inactivity.
Establish and manage cryptographic keys for cryptography employed in …
Employ FIPS-validated cryptography when used to protect the …
Prohibit remote activation of collaborative computing devices and provide …
Control and monitor the use of mobile code.
Control and monitor the use of Voice over Internet Protocol (VoIP) …
Protect the authenticity of communications sessions.
Protect the confidentiality of CUI at rest.
Identify, report and correct information and information system flaws in a…
Provide protection from malicious code at appropriate locations within…
Monitor system security alerts and advisories and take action in response.
Update malicious code protection mechanisms when new releases are…
Perform periodic scans of the information system and real-time scans of…
Monitor organizational systems, including inbound and outboun…
Identify unauthorized use of organizational systems.

More info:

https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-cmmc-acceleration-update-march-2022/ba-p/3258999?lightbox-message-images-3258999=360588i2B9322EAF7C33FA3

Document:

https://download.microsoft.com/download/c/a/6/ca67ab87-4832-476e-8f01-b1572c7a740c/Microsoft%20Technical%20Reference%20Guide%20for%20CMMC%20v2_(Public%20Preview)_20220304%20(2).pdf

Access to Azure Files integrated with AD or AD DS from non domain joined computer

1. You must see the domain controller get Kerberos Ticket – yes it is possible from a non-domain joined computer

nltest /dsgetdc:mytest.onmicrosoft.com

please remember it must be AD or ADDS domain FQDN not a Pre-WIndows 2000

2. Open Share using e.g. \\azureshare.file.core.windows.net\shared and provide username as FQDN from the previous command and username like mytest.onmicrosoft.com.onmicrosoft.com\mf

4. You should have access – you can verify tickets using klist.

Adding Guest users to the SharePoint site – not working / Nie działa udostępnianie witryny Sharepoint dla użytkowników Gości

Please make sure that the sites can be externally shared.
SharePoint/Outlook Sharing (_layouts/15/online/AdminHome.aspx#/sharing)
Particular – Site Sharing Policy (_layouts/15/online/AdminHome.aspx#/siteManagement/view/ALL SITES)
Add Guests Users to Azure Active Directory
Create Group (It is important – just without a group usually you can not invite users directly)
Add Guests Users to the Group
Share the SharePoint site with the Group.

uupdump

Great service – the parser for Microsoft Update files that can be used for download Microsoft stuff. For an example ARM version of Windows 10.

https://uupdump.net/download.php?id=7da4a3ef-38d9-4528-b7f3-81610babf468&pack=en-us&edition=professional

You can use it for specific version, add remove features.

You can use it on your own computer also – just source code is available.

This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school

Sometime you can see this message, when you try to join computer to the domain – even server.

Computer Name/Domain Changes The following error occurred attempting to join the domain This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school

The massage is clear – so solution is to execute:

dsregcmd /status
DSRegCmd /Leave
dsregcmd /status

virtual-environments GithubActions, Azure Devops – Cannot bind argument to parameter ‘ApplicationId’ because it is an empty string.

During building in Azure virtual-environments (https://github.com/actions/virtual-environments) you can see:

New-AzADAppCredential : Cannot bind argument to parameter ‘ApplicationId’ because it is an empty string.
At C:\virtual-environments\helpers\GenerateResourcesAndImage.ps1:224 char:13
+ $appCred = New-AzADAppCredential -ApplicationId $sp.AppId …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-AzADAppCredential], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-AzADAppCredential

In that case you must add:

AzureClientId
AzureClientSecret
AzureTenantId

So the whole command:

GenerateResourcesAndImage -SubscriptionId xxxx -ResourceGroupName “DevOpsPackerAgent” -ImageGenerationRepositoryRoot “$pwd” -ImageType Windows2019 -AzureLocation “uksouth” -AzureClientId “yyy” -AzureClientSecret “zzz” -AzureTenantId “qqq”

Teams – share files between organizations, tenants.

Sometimes I need to explain several times differences between Guests and “non-guest” experience in Microsoft Teams.

https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations

Azure Cost Savings – Change all disk to standard

This script is just as a reminder that using Power-Shell you can change disk SKU for your VM – in that way you can save cost. You can build solution that it will be changed for switched off VM and powered on also.

#$SubscrybtionDev=”d2e666be-5fde-451b-84c9-9c545b3e435c”
#Connect-AzAccount -UseDeviceAuthentication
#Set-AzContext -Subscription $SubscrybtionDev
$RGs = Get-AzResourceGroup
$storageType = ‘Standard_LRS’
foreach ($RG in $RGs)
{
$vmDisks = Get-AzDisk -ResourceGroupName $RG.ResourceGroupName
foreach ($disk in $vmDisks)
{
$disk.Sku = [Microsoft.Azure.Management.Compute.Models.DiskSku]::new($storageType)
$disk | Update-AzDisk
Write-Host $disk.Id
}
}

Connect to Azure Rest API via CURL

As a user:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
apt install -y jq
az login
az account get-access-token
declare subid=”xxx”
declare response=$(az account get-access-token)
declare token=$(echo $response | jq “.accessToken” -r)

curl -i -X GET -H “x-ms-version: 2018-11-09” -H “content-length: 0” -H “Authorization: Bearer $token” “https://management.azure.com/subscriptions/xxx/resourceGroups/nvx-demo-sec/providers/Microsoft.Compute/virtualMachines?api-version=2021-07-01”

As a application:

declare TENANT_NAME=”xxx”
# Values for the first app registration
declare CLIENT_ID1=”xxx”
declare CLIENT_SECRET1=”xxx”

ACCESS_TOKEN=$(curl -X POST -H “Content-Type: application/x-www-form-urlencoded” –data-urlencode “client_id=$CLIENT_ID1” –data-urlencode “client_secret=$CLIENT_SECRET1” –data-urlencode “scope=https://storage.azure.com/.default” –data-urlencode “grant_type=client_credentials” “https://login.microsoftonline.com/$TENANT_NAME/oauth2/v2.0/token” | jq -r ‘.access_token’)

curl -i -X GET -H “x-ms-version: 2018-11-09” -H “content-length: 0” -H “Authorization: Bearer $ACCESS_TOKEN” “https://management.azure.com/subscriptions/xxx/resourceGroups/nvx-demo-sec/providers/Microsoft.Compute/virtualMachines?api-version=2021-07-01”

Azure Virtual WAN – Force Tunneling

* Force tunnel to NVA You can specify a 0.0.0.0/0 route in the defaultRouteTable with next hop Virtual Network Connection. Then specify the specific IP of the NVA. This will force all internet-bound traffic to be sent to a Network Virtual Appliance deployed in a spoke Virtual Network. For more detailed instructions, please consider the alternate workflow described here: Route traffic through NVAs by using custom settings – Azure Virtual WAN | Microsoft Docs.

* Force tunnel to Azure Firewall in the Hub You can use Firewall Manager to configure Virtual WAN to send all internet-bound traffic via Azure Firewall deployed in the Virtual WAN hub. For configuration steps and a tutorial, please reference following documents (Install Azure Firewall in a Virtual WAN hub – Azure Virtual WAN | Microsoft Docs and to configure routing Tutorial: Secure your virtual hub using Azure Firewall Manager | Microsoft Docs) Alternatively, this can also be configured via Routing Policies and Routing Intent. For more information on Routing policies please read the following document How to configure Virtual WAN Hub routing policies – Azure Virtual WAN | Microsoft Docs.

* Force tunnel to Third party provider: You can use Firewall Manager to send internet traffic via a third-party security provider. For more information on this capability, please read the following: Deploy an Azure Firewall Manager security partner provider | Microsoft Docs.

* Force tunnel to a branch You can configure one of your branches (Site-to-site VPN, ExpressRoute Circuit or Network Virtual Appliance in the Virtual WAN Hub) to advertise the 0.0.0.0/0 route to Virtual WAN. Your on-premises device will have to be configured to do that.

The info is form Microsoft and can be very helpful.

Back to young… Small Basic from Microsoft

More than 25 years ago I started programming using BASIC 2.0 (Commodore 64) – The Internet says that it was connected with Microsoft also…

But nowadays you can use Small Basic – also from Microsoft:

You can download it from: https://smallbasic-publicwebsite.azurewebsites.net/

You can also export these to Visual Basic using this manual:

https://social.technet.microsoft.com/wiki/contents/articles/38265.small-basic-instructions-to-graduate-and-debug-with-visual-studio-2017.aspx

Simply two steps after exporting:

The target application is a .NET 4.5
Add a reference to SmallBasicLibrary.dll
In case of errors, replace “0.5” with “CType(0.5, Primitive)” to cast. To cast means to convert variable type. This sample changes type real (0.5) to Primitive (for all Small Basic variables).

This one is a good way for starting learning: https://github.com/olik-son/instalogik—Zadanie/blob/main/Rozwiazanie.sb

Kolejne 3 błędy, które mogą doprowadzić do kompromitacji Twoich zasobów w chmurze

Zapraszam do udziału w The Hack Summit 2021, gdzie będę miał przyjemność prezentować następującą sesje:

Kolejne 3 błędy, które mogądoprowadzić do kompromitacjiTwoich zasobów w chmurze.

Przy okazji, jeżeli chcą Państwo otrzymać, oczywiście bezpłatnie dokumentacje wdrożenia mechanizmu inwentaryzacji i kopii konfiguracji (ARM) Microsoft Azure, która omawiam podczas wydarzenia oraz dokument jak bezpiecznie skonfigurować usługę WebApp / App Service w Microsoft Azure – proszę wypełnić poniższe zgłoszenie.

AWS CLI delete multiple snapshots using Name Tag

First of all display commands if it is correct to delete snapshot, using:

aws ec2 describe-snapshots –output text –filters Name=tag:Name,Values=tag-value|grep SNAPSHOTS|awk ‘{print “Deleting-> ” $4,$6,$8,$9,$10; system(“echo aws ec2 delete-snapshot –snapshot-id ” $10)}’

and than you can delete snapshots:

aws ec2 describe-snapshots –output text –filters Name=tag:Name,Values=tag-value|grep SNAPSHOTS|awk ‘{print “Deleting-> ” $4,$6,$8,$9,$10; system(“aws ec2 delete-snapshot –snapshot-id ” $10)}’

< 1 2 3 4 5 >»

Added to Cart