Windows Server 2019: Upgrade virtual machine version in Hyper-V #hyperv #winserv #hybrid

Why should I upgrade the virtual machine configuration version?


When you move or import a virtual machine to a computer that runs Hyper-V on Windows Server 2019, Windows Server 2016, or Windows 10, the virtual machine's configuration isn't automatically updated. This means that you can move the virtual machine back to a Hyper-V host that runs a previous version of Windows or Windows Server. But it also means that you can't use some of the new virtual machine features until you manually update the configuration version. You can't downgrade the virtual machine configuration version after you've upgraded it.

The virtual machine configuration version represents the compatibility of the virtual machine's configuration, saved state, and snapshot files with the version of Hyper-V. When you update the configuration version, you change the file structure that is used to store the virtual machine's configuration and the checkpoint files. You also update the configuration version to the latest version supported by that Hyper-V host. Upgraded virtual machines use a new configuration file format, which is designed to increase the efficiency of reading and writing virtual machine configuration data. The upgrade also reduces the potential for data corruption in the event of a storage failure.

 

With PowerShell we check which configuration versions are running:

Get-VM * | Format-Table Name, Version


As you can see I have versions 5.0 to 9.0 running, so it is time for some upgrading.

This VM has version 5.0 and I'm upgrading it to version 9.0, the Windows Server 2019 default.

Microsoft Windows 10 October 2018 Update/Server 2019 9.0     True

Update-VMVersion HYD-DC1 


Confirming and done.


If you want to upgrade all VMs, use a wildcard (*):

Update-VMVersion *

Get-VMHostSupportedVersion -Default


Microsoft Windows 10 October 2018 Update/Server 2019 9.0     True
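The steps above (list versions, compare with the host default, upgrade) put together as one script. This is an added example, not code from the original post; it assumes the Hyper-V PowerShell module on the host and uses whatever VM names Get-VM returns. It skips VMs that are not powered off, because Update-VMVersion needs the VM to be off, and it prints the before/after versions so you have a record of a change that cannot be reverted.

```powershell
# Added example: upgrade only the VMs that are below the host default, with checks.
$hostDefault = (Get-VMHostSupportedVersion -Default).Version   # e.g. 9.0 on Server 2019

# Candidates: every VM whose configuration version is older than the host default.
$candidates = Get-VM | Where-Object { [version]$_.Version -lt $hostDefault }

foreach ($vm in $candidates) {
    if ($vm.State -ne 'Off') {
        # Update-VMVersion requires a powered-off VM; do not force a shutdown from here.
        Write-Warning ("{0} is {1}; Update-VMVersion needs the VM to be Off. Skipping." -f $vm.Name, $vm.State)
        continue
    }
    # One-way change: a VM at 9.0 can no longer be imported on a Server 2016 host.
    Write-Host ("Upgrading {0}: {1} -> {2}" -f $vm.Name, $vm.Version, $hostDefault)
    Update-VMVersion -VM $vm -Confirm:$false
}

# Final state, same view as the Get-VM one-liner used earlier in the post.
Get-VM | Format-Table Name, State, Version
```

Run it once with `Update-VMVersion -VM $vm -WhatIf` in place of the real call to see which VMs would be touched before committing; VMs that still have to be moved back to an older host should be left out of `$candidates`.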

The tables below map the supported VM configuration versions to the host OS versions, for LTSC and SAC releases.

Supported VM configuration versions for long-term servicing hosts

The following table lists the VM configuration versions that are supported on hosts running a long-term servicing version of Windows.

Hyper-V host Windows version 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0
Windows Server 2019
Windows 10 Enterprise LTSC 2019
Windows Server 2016
Windows 10 Enterprise 2016 LTSB
Windows 10 Enterprise 2015 LTSB
Windows Server 2012 R2
Windows 8.1

Supported VM configuration versions for semi-annual channel hosts

The following table lists the VM configuration versions for hosts running a currently supported semi-annual channel version of Windows.

Hyper-V host Windows version 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0
Windows 10 May 2019 Update (version 1903)
Windows Server, version 1903
Windows Server, version 1809
Windows 10 October 2018 Update (version 1809)
Windows Server, version 1803
Windows 10 April 2018 Update (version 1803)
Windows 10 Fall Creators Update (version 1709)
Windows 10 Creators Update (version 1703)
Windows 10 Anniversary Update (version 1607)

 

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted June 5, 2019 by Robert Smit [MVP] in Windows Server 2019


How to install the Azure Portal app on Windows Server 2019 #ws2019 #Azure #portal #winserv #Cloud #Hybrid

Windows Server 2019 still ships Internet Explorer and no Edge (Chromium) or other browser, so all initial internet contact is done through Internet Explorer. This is annoying when you want to do something on the server and connect to Azure, because first you need to install another browser.

This is just a quick post on the Azure portal app, which can be handy on any machine where you do not want to use the browser.

Or you can download the Azure portal app instead.

When you open the IE browser and go to https://Portal.azure.com you will see the option to download the application to manage the portal.


Agree to the terms and download.


The AzurePortalInstaller can also be deployed with SCCM or Intune if you want; it is not only an application for older machines.


The setup is easy and you only need to log on.


Use your Azure credentials and you are good to go.



Posted June 4, 2019 by Robert Smit [MVP] in Windows Server 2019


Configure Azure Service Endpoints for Web Applications #Azure #ASE #Endpoints #AzureServiceEndpoints #webapp #AzureDevOps

Sometimes you are building things in Azure and think "if this were possible, it would be a cool feature", and then you notice it is already there in Azure. How cool is that.

Today I was building a demo website, but I did not want to expose it directly to the web; I wanted to play with it and still use Azure Cloud over the internet. Reading about the Azure service endpoints, there is no Web App endpoint service. Using an NSG or enabling the Azure Firewall... well, it is just a test, so let's see what we can do with all the basic stuff. But during the test I saw the option Microsoft.Web in the service endpoints.


More security is needed for everything you expose to the internet, and in Azure it all starts with a VNet.

Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network.

First we create a new VNet; while creating it we can enable and pick the right service endpoints. This can also be done afterwards.


Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

If you already have a VNet, just go to Service endpoints and add the services you want, or select them all.


At this point there is no configuration; it is just adding services to the network or subnet.


Below is a list of the Azure services that are currently available, split into generally available and public preview.

The Web App is not listed, but the option is there and working. An Azure service endpoint is not a firewall; Azure Firewall is a totally different service.


For example, you have a web application that needs a connection to storage or SQL Server and to other web services; without opening this up to Any to Any, you can restrict it with Azure service endpoints.


Creating the rules is a quick process; they are similar to those in an NSG.

  • Network security groups (NSGs) with service endpoints:

    • By default, NSGs allow outbound Internet traffic and so, also allow traffic from your VNet to Azure services. This continues to work as is, with service endpoints.
    • If you want to deny all outbound Internet traffic and allow only traffic to specific Azure services, you can do so using service tags in your NSGs. You can specify supported Azure services as destination in your NSG rules and the maintenance of IP addresses underlying each tag is provided by Azure.
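The two NSG points above (outbound is open by default; to close it you deny Internet and allow only service tags) as one script. This is an added example and not code from the original post; it assumes the Az.Network module, an existing resource group, VNet and subnet, and the resource names and region below are placeholders. It also enables the matching service endpoints on the subnet, since the allow rules by service tag only make sense once the traffic to those services stays on the Azure backbone.

```powershell
# Added example: deny outbound Internet from a subnet but keep Azure Storage and SQL reachable via service tags.
$rg       = 'rg-demo'        # placeholder resource group
$vnetName = 'vnet-demo'      # placeholder VNet
$subnet   = 'snet-web'       # placeholder subnet
$location = 'westeurope'     # placeholder region

# Allow rules use service tags as the destination; Azure maintains the IP ranges behind each tag.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-Out' -Direction Outbound `
    -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Storage -DestinationPortRange 443

$allowSql = New-AzNetworkSecurityRuleConfig -Name 'Allow-Sql-Out' -Direction Outbound `
    -Access Allow -Priority 110 -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Sql -DestinationPortRange 1433

# Lower priority number wins, so this catch-all deny sits below the allows and replaces the default "AllowInternetOutBound".
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Out' -Direction Outbound `
    -Access Deny -Priority 4000 -Protocol * `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web' -Location $location `
    -SecurityRules $allowStorage, $allowSql, $denyInternet

# Attach the NSG and switch on the service endpoints for the same services (plus Microsoft.Web) on the subnet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$prefix = ($vnet.Subnets | Where-Object Name -eq $subnet).AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet -AddressPrefix $prefix `
    -NetworkSecurityGroup $nsg `
    -ServiceEndpoint 'Microsoft.Storage', 'Microsoft.Sql', 'Microsoft.Web' | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Read back the effective rule set.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web' |
    Select-Object -ExpandProperty SecurityRules |
    Format-Table Name, Priority, Direction, Access, DestinationAddressPrefix, DestinationPortRange -AutoSize
```

Anything the subnet needs that is not covered by a tag (Windows Update, a package mirror) will break once the deny rule is in place, so check the NSG flow logs or the effective routes before rolling this out beyond a test VNet.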

First we go to the Web App service, to Networking, where the non-readers will click VNet integration. #Wrong


In this case I don't want a premium network, so we go to Configure Access Restrictions.


Here we create an access rule for who gets access to this web application.


I created a deny rule for a specific IP.


And the page shows an error: the web app is stopped. Here you can also see the difference between a complete port block and no access to the application.


After changing this to Allow, the app is visible.


For the Kudu SCM site you can also have different rules or apply the same rules, with the little check box.


With these options you can create a more secure environment; again, this is a great add-on.
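The access-restriction part of the post (allow from the VNet subnet, a deny rule for one IP, the same rules for the Kudu SCM site) done from PowerShell instead of the portal. This is an added example, not the post's own code; it assumes the Az.Websites module, an existing Web App, and a subnet that already has the Microsoft.Web service endpoint enabled. Resource names and the IP address are placeholders.

```powershell
# Added example: lock a Web App down to one VNet subnet and mirror the rules onto the SCM site.
$rg     = 'rg-demo'       # placeholder resource group
$app    = 'webapp-demo'   # placeholder Web App name
$vnet   = 'vnet-demo'     # placeholder VNet
$subnet = 'snet-web'      # placeholder subnet (needs the Microsoft.Web service endpoint)

# Allow traffic that arrives from the subnet. Without the service endpoint on the subnet this call errors,
# which is the check you want: the rule would otherwise never match.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name 'Allow-from-snet-web' -Priority 100 -Action Allow `
    -SubnetName $subnet -VirtualNetworkName $vnet

# Explicit deny for a single public address, like the test rule in the screenshots (placeholder IP, RFC 5737 range).
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name 'Deny-test-client' -Priority 200 -Action Deny -IpAddress '203.0.113.10/32'

# As soon as at least one rule exists, App Service adds an implicit "Deny all" at the end,
# so everything not matched by the Allow rule above is blocked.

# The "little check box": make the Kudu/SCM site use the same restrictions as the main site.
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app -ScmSiteUseMainSiteRestrictionConfig

# Review what is in effect for both sites.
$cfg = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
$cfg.MainSiteAccessRestrictions | Format-Table RuleName, Priority, Action, IpAddress, SubnetId -AutoSize
"SCM uses main site rules: $($cfg.ScmSiteUseMainSiteRestrictionConfig)"
```

The SCM site is where deployments and the Kudu console live, so leaving it unrestricted while the main site is locked down gives a false sense of security; the last two lines show both settings so that gap is visible.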


Posted May 29, 2019 by Robert Smit [MVP] in Azure


Windows Server 2019 Cluster vs Windows Server 2016 Cluster #ws2019 #winserv #Cluster

This post has been pending for a long time; now that there is an updated ISO with 1903, I thought it was time to dust off this draft.

Originally it was more an overview of what has changed and a first impression, but then Server 2019 got postponed.

On MSDN there is the 1903 ISO, or download the evaluation version: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019


In the meantime, Microsoft Docs already has some overviews showing all the details on what has changed between Server 2008, 2012, 2016 and 2019.

Summary of hybrid capabilities when you extend your datacenter to Azure (source: https://www.microsoft.com/en-us/cloud-platform/windows-server-comparison)

Feature description | Windows Server 2008 R2 | Windows Server 2012 R2 | Windows Server 2016 | Windows Server 2019

Storage Migration Service helps to inventory and migrate data, security, and configurations from legacy systems to Windows Server 2019 and/or Azure.
  2008 R2: Not supported | 2012 R2: Not supported | 2016: Feature unavailable | 2019: Fully supported

Synchronizing file servers to Azure helps centralize your organization's file shares in Azure Files while keeping the flexibility, performance, and compatibility of an on-premises file server.
  2008 R2: Feature unavailable | 2012 R2: Included | 2016: Included | 2019: Included

System Insights brings local predictive analytics capabilities native to Windows Server. These predictive capabilities, each backed by a machine-learning model, locally analyze Windows Server system data to provide high-accuracy predictions that help reduce the operational expenses associated with reactively managing Windows Server instances.
  2008 R2: Not supported | 2012 R2: Not supported | 2016: Not supported | 2019: Included

Azure Network Adapter easily connects to Azure virtual networks. Windows Admin Center performs the heavy lifting of configuring the VPN to a new network adapter that will connect Windows Server 2019 to a point-to-site Azure virtual network VPN.
  2008 R2: Not supported | 2012 R2: Not supported | 2016: Not supported | 2019: Fully supported

VM protection replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location.
  2008 R2: Not supported | 2012 R2: Fully supported | 2016: Fully supported | 2019: Fully supported


Because Windows Server 2019 is a Long-Term Servicing Channel (LTSC) release, it includes the Desktop Experience. (Semi-Annual Channel (SAC) releases don’t include the Desktop Experience by design; they are strictly Server Core and Nano Server container image releases.) As with Windows Server 2016, during setup of the operating system you can choose between Server Core installations or Server with Desktop Experience installations.


Failover Clustering: here's a list of what's new in Failover Clustering.

  • Cluster sets
  • Azure-aware clusters
  • Cross-domain cluster migration
  • USB witness
  • Cluster infrastructure improvements
  • Cluster Aware Updating supports Storage Spaces Direct
  • File share witness enhancements
  • Cluster hardening
  • Failover Cluster no longer uses NTLM authentication
  • Application Platform

 

Setting up the cluster is still the same. In PowerShell we install the feature plus some extra components like the file server and dedup:

Get-WindowsFeature Failover-Clustering
Install-WindowsFeature "Failover-Clustering","RSAT-Clustering","FS-FileServer","FS-Data-Deduplication","Print-Server","Containers","Storage-Replica" -IncludeAllSubFeature

# Same set plus the Storage Migration Service and its proxy (new in Server 2019):
Install-WindowsFeature "Failover-Clustering","RSAT-Clustering","FS-FileServer","FS-Data-Deduplication","Print-Server","Containers","Storage-Replica","SMS","SMS-Proxy" -IncludeAllSubFeature

 

When installing the cluster components and creating the cluster you will see no difference.

Cluster based on Server 2016


Cluster based on Server 2019


USB witness

You can now use a simple USB drive attached to a network switch as a witness in determining quorum for a cluster. This extends the File Share Witness to support any SMB2-compliant device.


This is a nice option; maybe not really enterprise, but for small setups it is handy.
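Configuring that USB witness from PowerShell, as an added example that is not part of the original post. It assumes the Server 2019 FailoverClusters module (where Set-ClusterQuorum accepts a credential, because the USB device on the switch is not domain joined); the cluster name, share path and the credential prompt are placeholders. The last two commands are the check: the witness resource must come online, otherwise the share is not reachable and the cluster has no witness vote.

```powershell
# Added example: file share witness on a USB device attached to a network switch, then verify.
$cluster = 'CL2019'                 # placeholder cluster name
$share   = '\\switch01\witness'     # placeholder SMB2 share on the USB device

# Local account on the switch/USB device; the cluster stores it to reach the non-domain share.
$cred = Get-Credential -Message 'Account with write access to the witness share'

Set-ClusterQuorum -Cluster $cluster -FileShareWitness $share -Credential $cred

# Verify: quorum type and the witness resource state (Online is what you want).
Get-ClusterQuorum -Cluster $cluster
Get-ClusterResource -Cluster $cluster -Name 'File Share Witness' |
    Format-Table Name, State, OwnerNode -AutoSize

# Dynamic quorum should still be on so a lost witness does not take the cluster down with it.
(Get-Cluster -Name $cluster).DynamicQuorum
```

Treat the share's credential like any other service account: a witness that can be written by anyone on the segment is a quorum vote anyone on the segment can remove.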

Failover Clusters no longer use NTLM authentication. Instead Kerberos and certificate-based authentication is used exclusively. There are no changes required by the user, or deployment tools, to take advantage of this security enhancement. It also allows failover clusters to be deployed in environments where NTLM has been disabled.

Clustering FileServer Data Deduplication

ReFS is the recommended configuration for Storage Spaces and can also be configured with Data Deduplication:

https://robertsmit.wordpress.com/2018/02/21/clustering-fileserver-data-deduplication-on-windows-2016-step-by-step-sofs-winserv-refs-windowsserver2016-dedupe/


Below is the Server 2016 layout, with no dedup option on the storage.


On sizing there are no big changes to what we saw as a limit in day-to-day setups. More storage can be added; a lot more.

This could be handy in large storage clusters.


When looking at the cluster settings there are some differences. This is all default; I did not change anything. Also handy when you want to know the original settings.

Windows 2019 vs Windows 2016:


The CSV cache is now enabled by default to boost virtual machine performance. MSDTC now supports Cluster Shared Volumes, to allow deploying MSDTC workloads on Storage Spaces Direct such as with SQL Server. Enhanced logic to detect partitioned nodes with self-healing to return nodes to cluster membership. Enhanced cluster network route detection and self-healing.
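A way to capture those default cluster settings and diff a 2016 cluster against a 2019 one (or a cluster today against its own baseline from last month). This is an added example, not the post's own code; it assumes the FailoverClusters module and placeholder cluster names. The identity properties (Id, Name, Domain) are skipped because they always differ; everything else that comes back from Get-Cluster is compared as text.

```powershell
# Added example: export cluster common properties to JSON and compare two exports.
function Export-ClusterBaseline {
    param([Parameter(Mandatory)][string]$Cluster, [Parameter(Mandatory)][string]$Path)
    Get-Cluster -Name $Cluster |
        Select-Object -Property * |
        ConvertTo-Json -Depth 2 |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-ClusterBaseline {
    param([Parameter(Mandatory)][string]$ReferencePath, [Parameter(Mandatory)][string]$DifferencePath)
    $ref = Get-Content -Path $ReferencePath -Raw | ConvertFrom-Json
    $dif = Get-Content -Path $DifferencePath -Raw | ConvertFrom-Json
    $skip = 'Id', 'Name', 'Domain'
    foreach ($p in $ref.PSObject.Properties.Name) {
        if ($skip -contains $p) { continue }
        if ("$($ref.$p)" -ne "$($dif.$p)") {
            [pscustomobject]@{ Setting = $p; Reference = $ref.$p; Difference = $dif.$p }
        }
    }
}

# Placeholder cluster names; run each export against the cluster in question.
Export-ClusterBaseline -Cluster 'CL2016' -Path .\cl2016.json
Export-ClusterBaseline -Cluster 'CL2019' -Path .\cl2019.json
Compare-ClusterBaseline -ReferencePath .\cl2016.json -DifferencePath .\cl2019.json |
    Format-Table -AutoSize

# The CSV cache the post mentions is the BlockCacheSize property (MB); 0 means disabled.
(Get-Cluster -Name 'CL2019').BlockCacheSize
```

Keep the JSON export with the cluster documentation; re-running the compare after a patch cycle or a "temporary" tweak is the quickest way to see which defaults have drifted.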


More options, and better tuning on the cluster side.

Intra-cluster communication over Server Message Block (SMB) for Cluster Shared Volumes and Storage Spaces Direct now leverages certificates to provide the most secure platform. This allows Failover Clusters to operate with no dependencies on NTLM and enable security baselines.

Cluster Aware Updating (CAU) is now integrated and aware of Storage Spaces Direct, validating and ensuring data resynchronization completes on each node. Cluster Aware Updating inspects updates to intelligently restart only if necessary. This enables orchestrating restarts of all servers in the cluster for planned maintenance.

Moving a cluster from one domain to another is nowadays also a scenario; with moves to the cloud, consolidation and domain changes are often part of the migration.

Failover Clusters can now dynamically move from one Active Directory domain to another, simplifying domain consolidation and allowing clusters to be created by hardware partners and joined to the customer’s domain later.

Storage Replica is now available in Windows Server 2019 Standard Edition (with some limits)

There is a big list of changes; see for yourself what has changed in Windows Server 2019. It could be your choice during the migration away from Windows Server 2008 R2 at EOL.

What’s new in Windows Server 2019 :

Windows Server Evaluations :  https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019

 


Posted May 24, 2019 by Robert Smit [MVP] in Windows Server 2019


Windows 10 version 1903 May update: prepare Windows Update Delivery Optimization #Windows10 #ConfigMgr #DO #DeliveryOptimization #Waas #WUDO

With the upcoming Windows 10 1903 version you had better be prepared, and save some bandwidth by setting up the right settings, like Delivery Optimization. https://blogs.windows.com/windowsexperience/2019/04/08/releasing-the-may-2019-update-to-the-release-preview-ring/#XSwellpKSbo6oeum.97

What is Delivery Optimization?

Windows Update Delivery Optimization helps you get Windows updates and Microsoft Store apps more quickly and reliably.

In many business networks, downloading apps and updates can be slow, inefficient, and, in many markets, expensive. When speaking with our customers, we often hear that they have regional facilities in limited and/or metered markets where devices download the same content, redundantly impacting coveted bandwidth and, ultimately, the organization’s financial bottom line. In almost any network, Delivery Optimization can be a highly effective tool, efficiently delivering content to devices and reducing the need for more internet bandwidth.

Delivery Optimization for Windows 10

Windows Update Delivery Optimization works by letting you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, like other PCs on your local network, or PCs on the Internet that are downloading the same files. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet, based on your settings. Sharing this data between PCs helps reduce the Internet bandwidth that’s needed to keep more than one device up to date or can make downloads more successful if you have a limited or unreliable Internet connection.

When Windows downloads an update or app using Delivery Optimization, it will look for other PCs on your local network (or from the Internet, depending on your settings) that have already downloaded that update or app. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows then gets parts of the update or app from the PCs that have it, and parts from Microsoft. Windows uses the fastest, most reliable download source for each part.

Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time.

You can turn this on in the update settings of Windows 10.

There is also a GPO control that can be used, but you need the latest ADMX files in your PolicyDefinitions folder. If you are uncertain whether you have the latest files, get them here:

Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)

https://www.microsoft.com/en-us/download/details.aspx?id=57576

With these GPO settings you can control Delivery Optimization.

All these settings depend on your needs and how your network is configured.

You can also use Delivery Optimization with SCCM. Microsoft recommends that you optimize Windows 10 quality update delivery using Configuration Manager with express installation files and a peer caching technology.

The SCCM client settings:

Above is a good overview of the differences between the caching options.

To get some details on the caching there are history charts and activity charts; these depend on the system.

In this case these are just my lab machines, so no big improvements here, and the machines are redeployed etc., so they are not the best show models for graphs.

Other adjustments can be made to cache settings or bandwidth:

Get-DeliveryOptimizationStatus

Get-DeliveryOptimizationPerfSnap
Get-DeliveryOptimizationPerfSnapThisMonth

Recommended settings for Delivery Optimization, quick-reference table:

Use case | Policy | Recommended value | Reason
Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology
Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peer-to-peer capability in more downloads
Large number of mobile devices | Allow uploads on battery power | 60% | Increase the number of devices that can upload while limiting battery drain
Labs with AC-powered devices | Content expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period
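The quick-reference values applied as local policy and then checked with the two status cmdlets from earlier in the post. This is an added example, not the post's own code: the registry path and value names are the Delivery Optimization policy settings that the ADMX templates write (DODownloadMode, DOMinFileSizeToCache, DOMinBatteryPercentageAllowedToUpload, DOMaxCacheAge), useful for a lab or for testing before the GPO is rolled out; in production set the same values through the GPO. Run it elevated.

```powershell
# Added example: set the quick-reference Delivery Optimization values as local policy, then read DO status.
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
if (-not (Test-Path $doPolicy)) { New-Item -Path $doPolicy -Force | Out-Null }

$settings = @{
    DODownloadMode                        = 1           # 1 = LAN peers only; use 2 (Group) for a hub & spoke topology
    DOMinFileSizeToCache                  = 10          # MB; lower threshold so more downloads can come from peers
    DOMinBatteryPercentageAllowedToUpload = 60          # %; allow uploads on battery while above this level
    DOMaxCacheAge                         = 7 * 86400   # seconds; keep content 7 days (up to 30) on AC-powered lab devices
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $doPolicy -Name $name -Value $settings[$name] -Type DWord
}

# The Delivery Optimization service (DoSvc) picks the policy up on restart.
Restart-Service -Name DoSvc

# Per-download view: how many bytes came from peers versus straight from Microsoft (HTTP).
Get-DeliveryOptimizationStatus |
    Select-Object FileId, FileSize, BytesFromPeers, BytesFromHttp, DownloadMode, Status |
    Format-Table -AutoSize

# Month-to-date efficiency summary, the same counters behind the activity charts.
Get-DeliveryOptimizationPerfSnapThisMonth
```

Download mode 1 keeps peering inside the local subnet (broadcast scope); mode 2 needs a group ID or the automatic DHCP/AD-site grouping, and mode 3 opens peering to the internet, which is the setting most organisations want to rule out explicitly rather than leave at the default.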


 

More info about Delivery Optimization can be found here: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195

 

 


Posted April 12, 2019 by Robert Smit [MVP] in Windows Server 2019


First look at the new Azure Sentinel, cloud-native, with the free Azure Notebooks service #Jupyter #SIEM #SIEMaaS #Azure #Sentinel

Azure Sentinel is Microsoft’s cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale.
This SIEM as a Service (SIEMaaS) solution is designed as a cloud-based security-monitoring platform that leverages the power of the cloud for analytics and detections.

https://azure.microsoft.com/en-us/services/azure-sentinel/

There is a good video: https://www.youtube.com/watch?v=XXZp6LQZSJU&feature=youtu.be

Limitless cloud speed and scale
Azure Sentinel is the first SIEM built into a public cloud platform to help your security analysts focus on what really matters.

Easily connect your data sources
Azure Sentinel provides simple and easy integration with signals and intelligence from security solutions whether they are on premises, in Azure, or in other clouds.
Azure Sentinel provides seamless integration with Microsoft 365, Azure, and other Microsoft products, including Microsoft’s security products.

Detect suspicious activities in your organization
Azure Sentinel fuses together unique machine learning algorithms, world-class security research, and the breadth and depth of the critical security data available to Microsoft as a major enterprise vendor. Azure Sentinel helps you detect both known and unknown attack vectors, detecting threats across all stages of the kill chain.

Investigate and remediate breaches
Azure Sentinel gives you visibility into all the entities involved in an alert and provides a simple and instinctive UI to investigate the detection, helping you easily understand the scope of the breach.
To cut down on the volume of alerts you get, Azure Sentinel automatically investigates alerts to help you determine what action to take, enabling you to move from alert to remediation in minutes, at scale.
Leveraging the power of Logic Apps, Azure Sentinel helps you respond to incidents instantly, using built-in orchestration and automation playbooks.

Joining the preview program gives you the enable option, and you will need some configuration in the Azure portal. Overall a great overview in the new dashboards; one thing is that I need more screens to show all this.


You will need a workspace; if you already have one you can use it, or just create a new one.


I'll pick my current one, as all my VMs are reporting into it.


Now we can install the add-ons for data collection; there is already a big list.


As I already had a workspace, there is already some content to use. At this point I don't have any incidents, so no cases and alerts.


I think this is a great feature: the "hunting" predefined queries, ready to run and adjustable to your needs.


Reuse the custom query for better adjustment to your site.


You can find more samples on GitHub: https://github.com/Azure/Azure-Sentinel
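Running one of those hunting-style queries from PowerShell rather than the portal, so the same KQL can be scheduled or kept in source control. This is an added example and not one of the Sentinel repository's queries; it assumes the Az.OperationalInsights module, a workspace with the Security Events connector feeding the SecurityEvent table, and placeholder resource group and workspace names. The query itself is a plain failed-logon count (Windows event 4625) per account, source address and host over the last day.

```powershell
# Added example: run a KQL hunting query against the Sentinel workspace and tabulate the result.
$rg = 'rg-sentinel'    # placeholder resource group
$ws = 'law-sentinel'   # placeholder Log Analytics workspace name

# The query API wants the workspace (customer) ID, not the ARM resource name.
$workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId.ToString()

# Failed logons grouped by account, source IP and computer; the threshold keeps single typos out of the list.
$kql = @'
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Account, IpAddress, Computer
| where Failures >= 10
| order by Failures desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql

# Results come back as rows in .Results; show the columns the summarize step produced.
$result.Results |
    Format-Table Account, IpAddress, Computer, Failures, FirstSeen, LastSeen -AutoSize
```

Tune the `Failures >= 10` threshold to your environment and, once the query is stable, promote it to a scheduled analytics rule so it creates cases instead of being run by hand.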


Azure Notebooks for Azure Sentinel is also a new option: create your project in Jupyter.

 


Azure Notebooks for Azure Sentinel

What is Azure Notebooks?

Azure Notebooks is a free hosted service to develop and run Jupyter notebooks in the cloud with no installation. Jupyter is an open source project that lets you easily combine markdown text, executable code (Python, R, and F#), persistent data, graphics, and visualizations onto a single, sharable canvas called a notebook.

How do Azure Notebooks work?

Interactive Azure Notebooks provides security insights and actions to investigate anomalies and hunt for malicious behaviors. Each Azure Notebook is purpose-built with a self-contained workflow for a specific use case. Visualizations are included in each Azure Notebook for faster data exploration and threat hunting. Click on the button below to clone our prebuilt investigation and hunting Azure Notebooks into projects that belong to you. Modify and tailor your projects to your environment. Either run the Azure Notebooks for free or, for better performance, run them on a dedicated virtual host. Click here to learn more.

Using the Notebooks locally or in other environments

Azure Sentinel will provision notebooks and supporting modules for you in Azure Notebooks. You can also download the notebooks and modules and use them locally in a supported Python environment (Anaconda is recommended) or another notebook hosting environment such as Azure Databricks or a JupyterHub environment that supports Python 3.6 or later.

 


With the import, a copy is made from GitHub to your own repository to get you started.


This takes some time; after this the project page opens for you.


You can check the samples and adjust them to your needs.


Checking the logs in Azure Sentinel gives you a nice dashboard with all the content. I have a limited amount of data in this, so no big lines or exceptions.

A sample dashboard with the infrastructure query in Azure Sentinel

A sample dashboard with the general overview query in Azure Sentinel

Some span multiple pages; big screens or smaller fonts are needed, but overall this is a nice addition to the Azure family.


Azure Sentinel will take some time to get running and configured, but once there is data you will see a very nice new tool that helps you solve your problems in Azure better and more quickly.

See and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs.

 


Posted February 28, 2019 by Robert Smit [MVP] in Azure


Secure DevOps Kit for Azure (AzSK) with Security Monitoring #Devops #Azure #AzSK #Security #LogAnalytics #PowerShell

The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions and automations.


The kit is based on PowerShell and can be extended to Azure Log Analytics with some nice dashboarding, but if you have a large subscription the PowerShell scan can take some time. The toolkit helps DevOps teams accomplish secure DevOps by using extensive automation and smoothly integrating security into native DevOps workflows, with these 6 focus areas:

  • Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
  • Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
  • Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
  • Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
  • Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
  • Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

Keep in mind that the OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.

Even in the Azure portal you can still connect to OMS.

Complete feature set of Secure DevOps Kit for Azure

Feature Area Secure DevOps Kit Feature
Secure the subscription
  • Subscription Health Check
  • Subscription Provisioning
    • Alerts Configuration
    • ARM Policy Configuration
    • Azure Security Center Configuration
    • Access control (IAM) Hygiene
Enable secure development
  • Security Verification Tests (SVT)
  • Security IntelliSense- VS Extension
Integrate security into CICD
  • AzSK VS Extension-executes SVTs in a CICD pipeline
Continuous Assurance
  • Security scanning via Azure Automation Runbooks
Alerting & Monitoring
  • OMS Solution for AzSK containing:
    • Security dashboard views covering security state/actions
    • Alerts with pertinent search queries
Cloud Risk Governance
  • Control/usage telemetry through Insights

Setting up Secure DevOps Kit for Azure (AzSK)

First make sure you have the right Azure modules installed. I noticed the automation module failed, so I added this manually.

Import-Module AzureRM.Automation

Get-AzSKAzureServicesSecurityStatus -SubscriptionId

image

Installing the Secure DevOps Kit for Azure (AzSK)

Install-Module AzSK -Scope CurrentUser

image

Now that the PowerShell modules are installed we can start the AzSK scan.

Get-AzSKAzureServicesSecurityStatus -SubscriptionId ID

image

In this subscription there are 44 items that are being checked.

image

The items are being checked for security issues.

image

A nice, detailed overview is shown. A log folder is also created with all the issues, per resource item.

image

As you can see I have some failed items, some with a High severity, so I need to take a good look at these and fix them.

image

This may be one of the best items here: an Excel sheet with all the issues listed, with the solution mentioned and whether it can be automated.

If needed, there is a URL that points you to the right solution.
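The scan report the post describes is a CSV that can be worked through from PowerShell instead of Excel. The block below is an added example, not code from the post or from the AzSK project: it runs the scan, locates the newest report, and lists the failed High-severity controls first, grouped so you can see where the risk concentrates. The subscription id is a placeholder; the log folder under $env:LOCALAPPDATA\Microsoft\AzSKLogs, the SecurityReport-*.csv file name, the -DoNotOpenOutputFolder switch and the column names (Status, ControlSeverity, ControlID, FeatureName, ResourceName, Recommendation, SupportsAutoFix) are assumptions about the AzSK output; check them against one of your own reports.

```powershell
# Added example (not from the original post or the AzSK project): triage an AzSK scan report.
# Assumptions (labelled): placeholder subscription id, default AzSK log folder, report file name
# pattern, the -DoNotOpenOutputFolder switch, and the CSV column names used below.
Import-Module AzSK

$subscriptionId = '<subscription-id>'   # placeholder: your subscription id

# Run the subscription scan; the switch stops the cmdlet from opening the log folder in Explorer.
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId -DoNotOpenOutputFolder

# Pick the newest report written by the scan (assumed folder and file name pattern).
$logRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\AzSKLogs'
$report  = Get-ChildItem -Path $logRoot -Recurse -Filter 'SecurityReport-*.csv' |
           Sort-Object LastWriteTime -Descending |
           Select-Object -First 1

$results = Import-Csv -Path $report.FullName

# Failed controls rated High: the ones to fix first (assumed column names).
$highFailed = $results |
    Where-Object { $_.Status -eq 'Failed' -and $_.ControlSeverity -eq 'High' } |
    Select-Object FeatureName, ResourceName, ControlID, SupportsAutoFix, Recommendation

$highFailed | Format-Table -AutoSize

# Where do the failures concentrate? Count per feature type and severity.
$results |
    Where-Object { $_.Status -eq 'Failed' } |
    Group-Object FeatureName, ControlSeverity |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Keep a trimmed list of the High items for the backlog.
$highFailed | Export-Csv -Path (Join-Path $logRoot 'HighFailedControls.csv') -NoTypeInformation
```

The SupportsAutoFix column corresponds to the "can this be automated" flag the post mentions in the Excel sheet; filtering on it gives the subset you can hand to a fix script rather than a person.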

image

Azure Log Analytics is great, and it can be integrated with OMS (Azure monitoring dashboards).

The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal, so the current documentation needs some updating.

image

Pressing the OMS button in the Azure portal brings you to the OMS portal, but then nothing; as it is now, it is all Azure portal.

Setting up the dashboards failed on me during the first installation, but when I ran this a second time the dashboard was there. (Timing)

image

To create the OMS default dashboard we need to run some PowerShell.

$omsSubId = 'id'   # subscription hosting the OMS workspace
$omsWSId = 'OMS ID'
$omsRGName = 'omsrsg'     # RG where the OMS workspace is hosted
$azSkViewName = 'MVP_AzSK_view' # This will identify the tile for the AzSK view in OMS.

# This command will deploy the AzSK view in the OMS workspace.
# The backtick continuation lines must follow each other directly; a blank line after a backtick ends the command.
Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `
                -OMSResourceGroup $omsRGName `
                -OMSWorkspaceId $omsWSId `
                -ViewName $azSkViewName

image

Note:

1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.

To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.

2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the queries.

We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.
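The note above says the view only fills once scan events reach the workspace. The block below is an added example, not code from the post or from the AzSK project, showing that step end to end: it reads the workspace id and shared key from Azure, points AzSK at the workspace with Set-AzSKOMSSettings, runs a scan so events start flowing, and pulls the failed High controls back out with a Log Analytics query. The subscription id, resource group and workspace name are placeholders; the AzSK_CL custom log and its ControlStatus_s, ControlSeverity_s, FeatureName_s and ControlId_s fields are my assumption about the event schema AzSK writes, as is the Results property on the query response, so confirm the field names in your workspace before building alerts on them.

```powershell
# Added example (not from the original post or the AzSK project): send AzSK scan events to the
# Log Analytics (OMS) workspace and query them back.
# Assumptions (labelled): placeholder names below, the AzSK_CL custom log schema, and the
# Results property of the query response.
Import-Module AzureRM.OperationalInsights
Import-Module AzSK

$subscriptionId = '<subscription-id>'      # placeholder
$omsRGName      = '<oms-resource-group>'   # placeholder: RG hosting the workspace
$omsWSName      = '<oms-workspace-name>'   # placeholder: workspace name (not the workspace id)

# Read the workspace id and shared key from Azure rather than pasting the key into the script.
$workspace = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $omsRGName -Name $omsWSName
$keys      = Get-AzureRmOperationalInsightsWorkspaceSharedKeys -ResourceGroupName $omsRGName -Name $omsWSName

# Tell AzSK where to post scan events; this is saved in the local AzSK settings.
Set-AzSKOMSSettings -OMSWorkspaceID $workspace.CustomerId -OMSSharedKey $keys.PrimarySharedKey

# Run a scan; each control result is now also sent to the workspace.
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId -DoNotOpenOutputFolder

# Ingestion lags by a few minutes. Afterwards, list the failed High controls per feature
# (assumed custom log name and field names).
$query = @'
AzSK_CL
| where ControlStatus_s == "Failed" and ControlSeverity_s == "High"
| summarize Failed = count() by FeatureName_s, ControlId_s
| order by Failed desc
'@
$response = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query
$response.Results | Format-Table -AutoSize
```

The same query, saved in the workspace, is the natural basis for the "alerts with pertinent search queries" listed in the feature table: alert when the count of failed High controls rises rather than on every scan.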

image

Checking the OMS / Log Analytics workspace, it does not have many issues, as this is a test subscription, and if it were all perfect there would be no fun.

image

image

With longer logging and more items in Azure you will get a different overview.

image

There are lots of options you can set, and there is a detailed description of how to use this on GitHub.

Setting up ARM policies is also one of the options:

Set-AzSKARMPolicies -SubscriptionId ID

image

So get started with the DevOpsKit https://github.com/azsk/DevOpsKit-docs 

image

https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring

AzSK Security Controls Portal at https://aka.ms/azskosstcp

With this it's a nice tool and yes, a bit time consuming, but I learned a lot and it made me see things differently in the Azure subscription.

And if you combine this directly, and not afterwards, then this could be your time saver to fix all the security items.

image

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted January 24, 2019 by Robert Smit [MVP] in Azure
