Vaak krijg je wel eens de vraag wat doe jij van werk, Oh IT… dus iets met computers eh.. ja maar IT is meer dan capslock uit zetten. #TrotsopIT #patching #MVPBuzz #security #cloudrocks

Soms start je de dag net als alle andere dagen, rustig met een bakkie koffie en je wandelt rusting naar kantoor, ploft neer aan je desk, klop je aan in je mail approved je sign (fido2) en doet je dingetje https://robertsmit.wordpress.com/2020/08/18/starting-with-fido2-security-keys-with-azure-active-directory-trustkey-pointblank-fido-azure-security-aad/

image

Vaak krijg je wel eens de vraag wat doe jij van werk, Oh IT… dus iets met computers eh.. ja maar IT is meer dan capslock uit zetten zo dat jou password weer werkt. Er is een groep die een kei is in het opsporen en misbruiken van de kleine dingetjes die oh ja doe ik morgen wel en worden de volgende dag vergeten, en 4 jaar later druk er iemand op de knop, en de telefoon gaat je kan niet meer aan melden ? hoe zo weer je password vergeten. pfff capslock ?

imageimage

Mmm ik ook niet reboot dan maar, niks, password reset, niks ondertussen zie je wel dat het data verkeer de afgelopen 5 dagen enorm is toegenomen, zie ook meldingen van c2wasb4m.dll , service accounts die gebruikt worden als login, kortom de omgeving wordt voor jou gepatched en geupdate met de laatste technologie, gelukkig heb je alle picobello in orde en is er niks aan de hand toch, eh virus scanner, updates,os versie, security, domain admin als service account, hardening van servers die direct aan het internet hangen, RDP poort gesloten etc. Er zijn van die dagen dan stap je weer in zo’n museum en het voelt als of je in ene aflevering zit van de gevaarlijkste wegen van de wereld. Er komt maar 1 ding in mij op Hoe dan ?

image

We gaan de noodrem gebruiken en gaan hunten, wat natuurlijk super cool is om te kijken hoe het zo mis is gegaan dat niks meer werkt. De een zijn D. de ander zijn brood zeg ik maar.En ja IT kost bakken met geld en waar 10 ITers zijn, zijn 11 oplossingen, Waarom is de email spam nog nooit gestopt ? , Oldtimers zijn mooi echter die moet je alleen op zondag gebruiken en niet meer dagelijks in de productie, dat is vragen om problemen, ja is snap dat piet al met pensioen is en zijn access app zo mooi werkt en allemaal ingewikkelde dingen doet waar niemand meer iets van af weet. Wat kost het als het hele bedrijf plat ligt door deze app ? wat kost een nieuwe app ? Denk niet dat je met een nieuwe app failliet gaat..lig je 2 weken stil als bedrijf wat zijn dan de kosten ?

Kijk een goed naar je omgeving en ontdek de weakspots en los het op, gebruik MFA/Fido2, gebruik een supported OS en zorg er voor dat je in control bent en nee de Cloud is niet gevaarlijk maar is wel toegankelijk voor iedereen net als jou eigen datacenter als de deur openstaat. De cloud is een bak met oneindig veel resources en je kan er super snel zaken mee testen en laten zien dat jou concept werkt en kosten kan besparen -pay per use- maar een 15 jaar oude app beschikbaar stellen aan de hele wereld is geen goed idee immers niet iedereen houdt van oldtimers, er zijn ook mensen die van schroot houden.

image

IT is zo veel meer dan "iets in computers" het is een super gevaarlijke baan, en het klagen en trage systemen nee het is echt geen pretje echt afzien als je "iets in computers" doet.

image

Het is toch super gaaf als je dagelijks met de nieuwste technologie kan werken en kan laten zien dat het ook anders kan, anderen kan helpen waar het totaal is mis gegaan of gewoon iemand uit de Community helpen met zijn vraagstuk #TrotsopIT zelfs in de cloud wordt de dag niet langer en dat is wel jammer.

Zorg er wel voor dat alles goed op slot zit en dat je niet in een museum zit, tenzij het een showcase is.

 

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

Hornet Security – FREE Webinar – What’s New in Windows Server 2022 #altaro #winserv #Windows

What’s New in Windows Server 2022

Every three years Windows unveils a new version of its massively widespread OS, Windows Server. But this time it feels different.

The rollout of Windows Server 2022 has felt strangely subdued compared to past iterations and it seems that this is part of Microsoft’s larger strategy to push admins towards a more cloud-hosted future. So, what does this mean for the future of system admins? How will your daily operations change because of this strategy shift?

Get the full lowdown on Windows Server 2022 and its implications for IT admins from expert Microsoft MVPs Andy Syrewicze and Paul Schnackenburg in this unmissable upcoming webinar from Altaro/Hornetsecurity on 13 October.

clip_image002

They will explain the full new feature set, security enhancements, editions and license comparisons, where Hyper-V Server has gone, where Azure Stack HCI fits into this discussion, and more!

The presenters will also be answering all your burning Windows Server 2022 questions so come prepared and make the most out of this event to prepare your organization for the next generation of IT workloads!

Save your seat now!

Step By Step Troubleshooting Azure Arc-enabled servers with agent connection issues #Windows #WindowsServer #WinServ #Azure #AzureArc #Cloud

Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.

When running Azure Arc for some time and suddenly the response stopped you need to dig a bit deeper into the how things are working instead of just kicking off an MSI and the issue is still not fixed.

This is all test So it may look different in your site.just to say so.

Here I have my two servers managed by Arc

Azure Arc-enabled server

As you can see “Something went wrong while getting your resources. Please try again later.”

Azure Arc-enabled server

yes let me get more info about this as currently I know nothing about the error.

image

Azure Arc-enabled server

So It is all OK according to the Azure troubleshooter and still it doesn’t work

Let me click around and see if there is and error ( I could see the local event log of the server but that’s no fun Who uses this ? post some comments in the blog post) Eventlogs are extremely helpful on finding issues or hidden issue’s Often people for get to look at his and see the problem right there. and yes it needs to be fixed also. 

image

Will that be the issue ?  checking already running the latest version, so what is this error or did it go wrong when updating the agent, well I did skip patching for some time on these servers and upgraded these to Windows server 2022

Let me check the agent version,  well the latest version for now..

image

How is this Azure arc be configured anyway, there is no console other than in azure and an MSI with an agent,

let me check the configuration of this and see if I can find something there.

C:\ProgramData\GuestConfig

imageimage

Perfect lots of log files and a config let me check this all

image

time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"

Seeing the Config and also see the issue here — Client assertion contains an invalid signature. [Reason – The key used is expired–

As I did not update the agent the certificate got expired make sense.

But the device has already the new agent So reconnect ? but how ?

Looking at the Config I see all the details how the agent is been registered and the resource group etc

C:\ProgramData\AzureConnectedMachineAgent\Config

agentconfig.json

{"subscriptionId":"f34","resourceGroup":"AzureBackupRG_westeurope_1","resourceName":"Hyperv1201","tenantId":"0b1","location":"westus2","vmId":"9659193c-f4d8-4a77-b8f9baad507ce9a9","certificateThumbprint":"c2fa453dd43c16e584868c1c762dc91ebec63232","clientId":"0-f012-45ae-8a92-1045e"}

Let me open powershell and maybe I got more details. and reactivate the Agent

With the azcmagent command you can get more details.

image

let me get all the logs

azcmagent logs

image

now we have all the logs in a zip file this could be handy for a next time.

Azure Arc-enabled server

As I reconfigure the agent with the following command

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "AzureBackupRG_westeurope_1" –tenant-id "your tenant id" –location "westus2" –subscription-id "errryh934" –verbose

With the reconnect we need to log in again and all goes well

imageimage

But in the logging there is suddenly another error

image

When looking here I see there is an Azure Policy that demands a TAG and this is currently not available on the resource group So I Can’t onboard my Azure Arc server.

Thought this was about an Agent that has an expired Certificate.

Azure Arc-enabled server

Seems there is a Azure policy that is blocking as the hyperv1201 has no tags set the mvpdc02 has only a tag set.

image

image

image

After a quick change I rerun the command line and it worked perfectly and it showed up in the console again.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "MVPRSG-Azure-Arc" –tenant-id "3078684f-d143-440a-ae40-d391a79950b1" –location "West US 2" –subscription-id "df1e2f32-7adf-48f6-b969-f02376152934" –verbose

image

Starting client connection on: \\\\.\\pipe\\himds"
time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…"
time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"

image

As I have a second machine with the same issue I removed the machine directly in the arc portal and rerun the registration as the agent was also already installed. (this would be the quick fix for this)

Azure Arc-enabled server

Perfect reconnecting and waiting for the Agent.

Azure Arc-enabled server

Now I can look at the Azure Arc Insights again.

Flickr Tags: Windows Server 2022,CloudOS

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

 

First hands-on Upgrading to Windows Server 2022 Domain Controller #Windows2022 #Windows2016 #winserv #CloudOS #WIMVP

Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.

https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011

As some of my Domain controllers are running on Server 2016 this is a great moment to upgrade them,Upgrading a domain controller is always tricky when you loos you AD, well I got a copy in Azure Winking smile

How ever Windows Server 2016 is supporting Rolling Upgrades Upgrading to Windows Server 2022 but this is only for a Cluster.

For other Servers you can upgrade your server or better reinstall. Bet you all choose for the Clean install. Well For a domain controller, it’s a quick process to redeploy but often there is ton’s of software on the DC that should not be there and makes it hard to loos the DC right ?

So my DC server 2016

image

Finding the FSMO roles

netdom query fsmo

image

You can’t upgrade the server when there is a FSMO role running on the server. Tested this and if failed So move the FSMO roles from your DC.

Yes I hear you you have only one DC well create a virtual second one and move the fsmo roles to that server upgrade and move the roles back and demote the Extra DC and you are back to a single DC.

my other DC is mvpdc22

image

I move the roles to my second DC

image

Quick and Smooth migration

Move-ADDirectoryServerOperationMasterRole -Identity “Your-DC” -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

I mounted the ISO to the DC (virtual CD disk)

image

YEs I want to make the product better.

image

Use your Product key or if you are on hyber-v you can use the AVMA key https://docs.microsoft.com/en-us/windows-server/get-started-19/vm-activation-19?WT.mc_id=AZ-MVP-4025011

The following AVMA keys can be used for Windows Server 2022:

Datacenter
W3GNR-8DDXR-2TFRP-H8P33-DV9BG

Standard
YDFWN-MJ9JR-3DYRK-FXXRW-78VHK

image

I still love my gui So I install the desktop experience

image

Read the entire EULA and I agree.

image

My domain Controller desktop (remember this is my lab) Don’t use your DC for any other things than using it for a DC.

I want to keep My files

image

Yes Install

image

Let the Setup running

imageimage

So in just 20 min my DC was upgraded to 2022 lot’s of new stuff is there but that’s all for a next blog post. Hope it was usefull and remember make sure you have a backup things my fail in your environment

https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011

Flickr Tags: Windows Server 2016,CloudOS

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

 

Azure Firewall and starting with Azure Firewall Manager step away from Classic #Azure #Firewall #classic #policy #security #AVD

In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process  https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011

image

Azure Firewall pricing

https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011

Azure Firewall Standard

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • Centralized network and application level connectivity policy
  • Threat intelligence-based filtering
  • Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Azure Firewall Premium (Public Preview)

  • Built-in TLS Inspection for customer’s selected encrypted applications
  • Ability to detect and block malicious traffic through advanced IDPS engine
  • Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
  • Web Categories provide enhanced content filtering capabilities
  • IDPS signatures and Web categories are fully managed and constantly updated

Initial I setup a Azure Firewall premium

image

Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.

image

As you can see there is an option standard or premium and use the Firewall policy or the Classic.  In premium there is no classic any more the only option is firewall policy.

image

Choosing the Premium and the option firewall management is gray out.

image

As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .

Keep in mind that the firewall must be in the same resource group as your vnet.

image

image

Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place

# Create the firewall
$Azfw = New-AzFirewall `
    -Name $FirewallName `
    -ResourceGroupName $rgNamevnet `
    -Location $Location `
    -VirtualNetworkName $VnetName `
    -PublicIpName $pip01 `
    -SkuTier Premium

Now that The Firewall I created We can see the policy’s attached in the Firewall manager.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

Secured virtual hub

An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

Hub virtual network

This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

Azure Firewall Premium Preview in the Azure portal | Microsoft Docs

So now that the firewall is in place and we already had an policy attached but you can change that real quick.

Go to the Firewall blade and her you can see the policy and change it directly

image

Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet

image

Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s

image

Looking at the firewall policys from here you can add them to a hub or a vnet

image 

here you see an overview of the firewall policy’s

image

When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.

image

Adding the Policy to a network,

image

The firewall manager blade with all the rules and options

image

You can  add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group

Also new is the application rules here you can set web category’s that are allowed or denied.

image

using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD

image

Setting up the web categories is easy selectable in the destination type. and then select one or multiple.

imageimage

Remember the naming if you want to find this later in your rules, keep it clean and neat

image

Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that 

Removing the Firewall does not mean that you will loose the policy’s  or removing the policy and loose the firewall unless…

image

Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached

Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile