Archive for the ‘Azure’ Tag

Welcome to Olympia Set up your own Windows Insider Lab for Enterprise #Olympia #Office365 #EnterpriseMobility #WindowsServer #Microsoft #Azure #WindowsInsiders #SCCM

 

Olympia V2 is the next step for enabling Windows Insiders to try new and pre-release Windows 10 Enterprise features. Windows Insider Lab for Enterprise v2 provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility + Security evaluation trials. Customers can also add the latest Windows 10 Insider Preview Enterprise build to the lab.

This is a great lab toolkit for getting started with the new features. It is easy to set up, with a great learning curve.

First we download the entire lab; it is around 14 GB.

The table below lists the virtual machines, which will be imported and created in Hyper-V:

| Server Name | Roles & Products |
| --- | --- |
| HYD-DC1 | Active Directory Domain Controller, DNS, DHCP, Certificate Services; Windows Server 2016 |
| HYD-CM1 | System Center Configuration Manager Technical Preview Branch – Version 1808 (Note: After installing a baseline version, you can then use in-console updates to bring your installation up-to-date with the most recent preview version. See Section 4.); Windows Deployment Services; Microsoft Deployment Toolkit; Windows 10 ADK; Windows Software Update Services; Microsoft SQL Server 2014; Windows Server 2016 |
| HYD-APP1 | Microsoft BitLocker Administration and Monitoring; Microsoft SQL Server 2014; Windows Server 2016 |
| HYD-GW1 | Remote Access for Internet Connectivity; Windows Server 2016 |
| HYD-CLIENT1 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be domain joined |
| HYD-CLIENT2 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be domain joined |
| HYD-CLIENT3 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be in a workgroup |
| HYD-CLIENT4 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be in a workgroup |

The VM list in Hyper-V.

The table below lists the credentials and access type available in the default implementation:

After that, just extract the files. Keep in mind that the setup extracts the files to the current location of the setup files. You can move the VMs afterwards.

Starting the setup and extracting the VMs.

Select your vSwitch on the Hyper-V server.

Select an Insider Preview ISO or download one.

Plenty of room on the Windows Server 2019 Hyper-V server with Storage Spaces Direct.

The extraction can take some time, depending on the disks and the CPU speed.

After the extraction, several VMs are added to the Hyper-V server.

The gateway will route all the data to the internet.

The setup is done and the full lab is installed. There are several labs that you can do and set up.

The domain structure that is created is the basis for all the labs.

An SCCM site is created and ready for use. As this is the Technical Preview, I already got the 1812 build.

In Azure Active Directory we set some custom pictures.

Customizing these screens is easily done in the Azure portal.

The next step is to use SCCM and Intune to manage your systems. This lab is perfect for showing all the options.

The setup is complete and ready to use. This lab is a great way to explore the new features yourself.

Lab Objectives

This guide is designed to provide step-by-step guidance in demonstrating the basic functionality of the feature.

  • Lab Setup
      ◦ On-Premises Environment
      ◦ Cloud Environment
      ◦ On-Premises Environment Post Setup Manual Steps
  • Servicing
      ◦ Windows Analytics Update Compliance
  • Deployment & Management
      ◦ Modern Device Deployment
      ◦ Modern Device Management with AutoPilot
      ◦ Co-Management
      ◦ Modern Application Management with Intune
      ◦ Enterprise State Roaming
  • Security
      ◦ Windows Information Protection
      ◦ Windows Defender Advanced Threat Protection
      ◦ Windows Defender Application Guard
      ◦ Windows Defender Exploit Guard
      ◦ Windows Hello
      ◦ Credential Guard
      ◦ Device Encryption (MBAM)
      ◦ Device Guard – User Mode Code Integrity
  • Compatibility
      ◦ Windows Analytics Upgrade Readiness
      ◦ Browser Compatibility
      ◦ Desktop Bridges
  • Additional Labs
      ◦ MDM WINS over GP
      ◦ MAM FAQ

The Windows Insider Lab for Enterprise was designed for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. There are two versions of the lab:

  • Windows Insider Lab for Enterprise v1 – provides a client-side view of the latest Microsoft 365 enterprise features through access to Olympia Corp, a virtual corporation set up to reflect the IT infrastructure of a real-world business.

  • Windows Insider Lab for Enterprise v2 – provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility + Security evaluation trials.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted January 8, 2019 by Robert Smit [MVP] in Azure


Extend your File server with Azure File Sync and Migrate with Windows Admin Center #WindowsServer #Azure #AFS #WAC #HybridCloud #FileServer

In the previous blog post: https://robertsmit.wordpress.com/2018/11/29/step-by-step-windows-server-2019-file-server-clustering-with-powershell-or-gui-cluster-ha-azure-windowsadmincenter-windowsserver2019/

I created a file share on a cluster to make the share highly available (HA). This is the more traditional way to make a share HA. But what if you have multiple locations and you want to use this share in Azure? You could use big internal lines between the datacenters and copy the files to Azure with the DFS method, but that's old. Better to use the Azure File Sync option: the files are synced to all the servers and available in Azure. Better and faster.

#bettertogether

With Azure File Sync, shares can be replicated on-premises or in Azure and accessed through SMB or NFS shares on Windows Server. Azure File Sync is useful for scenarios in which data needs to be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

To get started with Azure File Sync we need a storage account in Azure.

We create a storage account in Azure.

Remember, this works only on Windows Server! System requirements:

  • A server running Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019:

    | Version | Supported SKUs | Supported deployment options |
    | --- | --- | --- |
    | Windows Server 2019 | Datacenter and Standard | Full (server with a UI) |
    | Windows Server 2016 | Datacenter and Standard | Full (server with a UI) |
    | Windows Server 2012 R2 | Datacenter and Standard | Full (server with a UI) |

 

Now that the storage account is created, we start with the Azure File Sync creation in Azure.

Name the Storage Sync Service and create a resource group.

The next step is to register the on-premises server to Azure with the Azure File Sync agent.

Azure File Sync agent download: https://go.microsoft.com/fwlink/?linkid=858257

The installation is in two steps.

  1. Installing the agent
  2. Configuring the agent

After the download, install the agent on the file server. As I use a cluster, install the agent on every node of the cluster.

Now that the agent is installed, the second wizard pops up for the configuration and, if needed, an update.

So far so good. As the agent connects to Azure, some additional components are needed.

As this cluster was a fresh installation and I had not used the PowerShell commands for Azure here, I need to install the AzureRM modules (or the Az module).

https://go.microsoft.com/fwlink/?linkid=856959

Installing and updating the modules:

Install-Module -Name AzureRM -AllowClobber

With this command you can see the installed version of the AzureRM PowerShell module:

Get-Module -Name AzureRM -ListAvailable | Select-Object Name, Version

Now that the PowerShell modules are installed, we can refresh the page and the installation continues.

If you are using a CSP subscription in Azure, you need to set this check box and use your tenant ID.

In all other subscriptions keep the default.

Pick the right resource group, the one with the created Storage Sync Service in it; otherwise the field will be empty.

Select a resource group that contains a Storage Sync Service, or use the Azure portal to create one in this resource group.

When this process is done, we can configure the rest in the Azure portal.

As you can see, the cluster CNO object is named here.

In the pane that opens, enter the following information to create a sync group with a cloud endpoint:

  • Sync group name: The name of the sync group to be created. This name must be unique within the Storage Sync Service, but can be any name that is logical for you.
  • Subscription: The subscription where you deployed the Storage Sync Service.
  • Storage account: If you select Select storage account, another pane appears in which you can select the storage account that has the Azure file share that you want to sync with.
  • Azure file share: The name of the Azure file share with which you want to sync.

Next is creating the sync group.

Pick a name for the sync group and the proper storage account that we created earlier. In this storage account we did not create a file share, which is needed to hold the files, so the Azure file share check box is not showing you anything.

Go to the storage account and create a file share.

With this created, the creation of the sync group can be completed.

The next step is creating some endpoints. This means binding the local share to the service and syncing it to the share in the Azure storage account.

Add the endpoint and pick the registered server and the file share that will be synced.

If you want, enable cloud tiering and fill in the values. In this demo I don't use this.

Note:

Only NTFS volumes are supported. ReFS, FAT, FAT32, and other file systems are not supported.

Failover Clustering

Windows Server Failover Clustering is supported by Azure File Sync for the "File Server for general use" deployment option. Failover Clustering is not supported on "Scale-Out File Server for application data" (SOFS) or on Clustered Shared Volumes (CSVs).

The Azure File Sync agent must be installed on every node in a Failover Cluster for sync to work correctly.

In my demo the share is not listed. I already know why: I used ReFS for the cluster disk.

This can be painful as you need to format that disk and move all the data to a temp location.
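The requirements from the note above (NTFS only, no CSV, agent on every node, supported server version) can be checked before the endpoint wizard is opened. The script below is an added example, not part of the original post or of Microsoft's tooling; the share path is a placeholder and the agent service name `FileSyncSvc` is an assumption.

```powershell
#Requires -Modules FailoverClusters
# Added example (not from the original post): pre-flight check before adding a
# clustered share as an Azure File Sync server endpoint.
# Run elevated on the cluster node that currently owns the disk.
param(
    # Placeholder: local path of the share you want to sync.
    [string]$SharePath = 'F:\Shares\Data',
    # Assumption: Windows service name registered by the Azure File Sync agent.
    [string]$AgentService = 'FileSyncSvc'
)

function New-CheckResult([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# Server versions listed in the system requirements table.
$supportedOs = 'Windows Server (2012 R2|2016|2019)'

$results = @(
    # Requirement: supported OS and the sync agent on EVERY node of the cluster.
    foreach ($node in Get-ClusterNode) {
        if ($node.State -ne 'Up') {
            New-CheckResult "Node $($node.Name)" $false "node is $($node.State), cannot verify"
            continue
        }
        $info = Invoke-Command -ComputerName $node.Name -ArgumentList $AgentService -ScriptBlock {
            param($name)
            [pscustomobject]@{
                Os    = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
                Agent = [bool](Get-Service -Name $name -ErrorAction SilentlyContinue)
            }
        }
        New-CheckResult "OS on $($node.Name)" ($info.Os -match $supportedOs) $info.Os
        $agentDetail = if ($info.Agent) { 'installed' } else { 'not installed' }
        New-CheckResult "Agent on $($node.Name)" $info.Agent $agentDetail
    }

    # Requirement: the share must not live on a Cluster Shared Volume.
    # CSVs are mounted under <system drive>\ClusterStorage.
    $onCsv = $SharePath -like "$env:SystemDrive\ClusterStorage\*"
    $csvDetail = if ($onCsv) { 'path is on a CSV (not supported)' } else { 'not a CSV path' }
    New-CheckResult 'Not on CSV' (-not $onCsv) $csvDetail

    # Requirement: only NTFS volumes are supported (ReFS, FAT and FAT32 are not).
    $drive = Split-Path -Path $SharePath -Qualifier
    $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if ($disk) {
        New-CheckResult "File system of $drive" ($disk.FileSystem -eq 'NTFS') $disk.FileSystem
    } else {
        New-CheckResult "File system of $drive" $false 'drive not visible on this node'
    }
)

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'At least one Azure File Sync requirement is not met; fix it before adding the server endpoint.'
}
```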

After changing the disk format and a refresh, you can see that the deployment is pending and working.

After this you have a full hybrid file share, fully redundant on-premises and with an offload to Azure.

Lastly, the best option to get the data into this HA file share is using Windows Admin Center.

In Windows Admin Center there is a great option: Storage Migration Service.

Open Windows Admin Center and select the source. It will be scanned and, when done, the files can be migrated (the scanning can take some time).

When the scanning is done, the files and shares are listed. More info can be found here: https://youtu.be/WCWxAp27ERk

 


Posted December 4, 2018 by Robert Smit [MVP] in Azure


How to Protect your #Azure resources from Distributed Denial of Service #DDoS attacks #Cloud #SDN #VNET #Security #Alerts #Analytics

 

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

What is DDoS Protection?

Protecting applications from DDoS attacks has been one of the top security concerns for Azure customers. Azure DDoS protection service is an Azure Networking offering aimed at protecting publicly accessible endpoints from DDoS attacks. The offering gives customers access to the same protection that is used to protect Microsoft's online assets, such as Xbox Live and Office 365. Azure DDoS protection service provides constant network flow monitoring of the protected endpoints, and when detecting a DDoS attack, automatically applies traffic scrubbing to make sure only legitimate requests are forwarded to the application.

Azure DDoS protection, combined with application design best practices, provides defense against DDoS attacks. Azure DDoS protection provides the following service tiers:

  • Basic: Automatically enabled as part of the Azure platform. Always-on traffic monitoring, and real-time mitigation of common network-level attacks, provide the same defenses utilized by Microsoft’s online services. The entire scale of Azure’s global network can be used to distribute and mitigate attack traffic across regions. Protection is provided for IPv4 and IPv6 Azure public IP addresses.
  • Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. DDoS Protection Standard is simple to enable, and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated to resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments. Real-time telemetry is available through Azure Monitor views during an attack, and for history. Rich attack mitigation analytics are available via diagnostic settings. Application layer protection can be added through the Azure Application Gateway Web Application Firewall or by installing a 3rd party firewall from Azure Marketplace. Protection is provided for IPv4 Azure public IP addresses.

So how do you start with DDoS protection in Azure?

First go to the Virtual Networks.

Next, select the network; in the left pane there is a section DDoS Protection.

Selecting DDoS Protection, there are the Basic and the Standard settings.

Pricing Details

Basic is the default and is free.

Standard is a different option and costs you some real money, and these are monthly costs. For a demo I turned it on and forgot to turn it off and spent 10K in 4 months, so keep track of your Azure costs.

The DDoS Protection service will have a fixed monthly charge, as well as a charge for data processed. The fixed monthly charge includes protection for 100 resources. Protection for additional resources will be charged on a monthly per-resource basis.

Monthly price for DDoS Protection (includes protection for 100 resources): €2,483/month

Overage charges (more than 100 resources): €25 per resource per month

 

When enabling DDoS Standard we need to create a DDoS protection plan first; if you already have one, you can add its ID.

Check the create DDoS protection plan option.

Now that we created a plan, which is more of a resource placeholder, we can add this to the DDoS protection plan.

Now that DDoS protection and the plan are in place, we can create an alert rule in case we have a DDoS attack.

In Azure Monitor we can create the alert rule and we can see the logging.

To see telemetry for a DDoS attack, log into the Azure Portal and navigate to the “Monitor” blade.

Within the monitor blade, click on “Metrics”, select the appropriate subscription, resource group, resource type of “Public IP” and the Public IP that was the target of the attack. After selecting the resource, a series of Available Metrics will appear on the left side. These metrics are selected and then will be graphed.

The metric names are relatively self-explanatory and the basic construct is that there are tag names on each metric as follows:

  • Dropped tag name (e.g. Inbound Packets Dropped DDoS): The number of packets dropped/scrubbed by the DDoS system
  • Forwarded tag name (e.g. Inbound Packets Forwarded DDoS): The number of packets forwarded by the DDoS system to the destination VIP – traffic that was not filtered
  • No tag name (e.g. Inbound Packets DDoS): The total number of packets that came into the scrubbing system – representing the sum of the packets dropped and forwarded

The traffic shown in the Monitor dashboard.

To create a dashboard there are some options with counters. It all depends on your needs.

Now we create an alert rule.

Email Alerting

To configure an email alert for a metric, click on the "Click to add an alert" text. An email alert can be created on any metric, but the most obvious metric to create an alert on is "Under DDoS attack or not". This is a boolean value 1 or 0. "1" means you are under attack. "0" means you are not under attack. To be emailed when under attack, set the Metric for "Under DDoS attack or not" and "Condition" to "Greater than" zero (0) over the last 5 minutes. Similar alerts can be set up for other metrics. An example screenshot is provided below.
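The same condition can be evaluated from PowerShell for every public IP at once, which is useful for verifying the alert or for a scheduled check. This is an added example, not code from the original post; it assumes the AzureRM module with a signed-in session, a placeholder resource group name, and that the metric IDs shown are the API names behind the portal labels quoted above.

```powershell
# Added example (not from the original post): apply the alert condition
# "Under DDoS attack or not > 0 over the last 5 minutes" to every public IP
# in one resource group, and show dropped vs. forwarded packets for context.
# Assumptions: AzureRM is installed and Connect-AzureRmAccount has been run;
# the resource group name is a placeholder; the metric IDs are the API names
# assumed to sit behind the portal labels used in the post.
param(
    [string]$ResourceGroupName = 'rg-placeholder',
    [int]$WindowMinutes = 5
)

# API metric name -> portal label from the post.
$metricNames = [ordered]@{
    IfUnderDDoSAttack    = 'Under DDoS attack or not'
    PacketsInDDoS        = 'Inbound Packets DDoS'
    PacketsDroppedDDoS   = 'Inbound Packets Dropped DDoS'
    PacketsForwardedDDoS = 'Inbound Packets Forwarded DDoS'
}

function Get-MetricPeak($Metrics, [string]$Name) {
    # Highest per-minute Maximum in the window; returns nothing when no data exists.
    $values = @($Metrics |
        Where-Object { $_.Name.Value -eq $Name } |
        ForEach-Object { $_.Data } |
        Where-Object { $null -ne $_.Maximum } |
        ForEach-Object { $_.Maximum })
    if ($values.Count -gt 0) { ($values | Measure-Object -Maximum).Maximum }
}

$end   = Get-Date
$start = $end.AddMinutes(-$WindowMinutes)

$report = foreach ($pip in Get-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroupName) {
    $metrics = Get-AzureRmMetric -ResourceId $pip.Id `
        -MetricName ([string[]]$metricNames.Keys) `
        -StartTime $start -EndTime $end `
        -TimeGrain ([timespan]::FromMinutes(1)) `
        -AggregationType Maximum -WarningAction SilentlyContinue

    $flag = Get-MetricPeak $metrics 'IfUnderDDoSAttack'
    [pscustomobject]@{
        PublicIp      = $pip.Name
        Address       = $pip.IpAddress
        # Same test as the alert rule: greater than zero anywhere in the window.
        UnderAttack   = ($flag -gt 0)
        HasData       = ($null -ne $flag)
        PeakInbound   = Get-MetricPeak $metrics 'PacketsInDDoS'
        PeakDropped   = Get-MetricPeak $metrics 'PacketsDroppedDDoS'
        PeakForwarded = Get-MetricPeak $metrics 'PacketsForwardedDDoS'
    }
}

$report | Format-Table -AutoSize

foreach ($row in $report | Where-Object { $_.UnderAttack }) {
    Write-Warning "$($row.PublicIp) ($($row.Address)) reported a DDoS attack in the last $WindowMinutes minutes."
}
foreach ($row in $report | Where-Object { -not $_.HasData }) {
    Write-Verbose "$($row.PublicIp): no DDoS metric data in the window." -Verbose
}
```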

 

To define the severity I keep this, as this is also used in SCOM.

Azure Monitor Alert Severity Levels

Sev 0 = Critical
Sev 1 = Error
Sev 2 = Warning
Sev 3 = Informational
Sev 4 = Verbose

The last part is selecting the email for this alert.

With this setup you have good protection against DDoS attacks. Below is the workflow of how DDoS protection works.

Diagram of how DDoS Protection Standard works, with "Policy Generation" circled

 


Posted November 27, 2018 by Robert Smit [MVP] in Azure


Azure portal VM creation Changed with a new layout is Awesome #Azure #Cloud #MSTCommunity #MVPBuzz

In the Azure portal there are changes every day; some are big, others are minor.

In this blog I show you the change in the VM creation.

When creating a new VM you can see the change: there are now several tabs, and the best part is that you can jump forward without filling in all the fields.

Creating the NSG port rules. Select which virtual machine network ports are accessible from the public internet. You can specify more limited or granular network access on the Networking tab.

Creating the NSG directly.

The Identity settings, with the auto-shutdown, and you can even select the backup.

I think this layout is much better and gives you a better overview of the VM creation with all the options. Hope this will be there for the containers also.

 


Posted September 17, 2018 by Robert Smit [MVP] in Azure


Microsoft Tech Summit Amsterdam #MSTechSummit

Today and tomorrow I'll be at the Microsoft Tech Summit. You can find me as a proctor at the workshop "Build and manage your applications on Azure", at the Microsoft booth, or somewhere at the Expert Hub Center to help the Microsoft Tech Community.

To help the community and visitors: build your skills with the latest in cloud technologies at a free, technical learning event for IT professionals and developers, coming to a city near you. The Tech Summit is hitting the road with their top engineers to bring you two days of in-depth sessions, networking opportunities, industry insights, and hands-on skill-building with the experts behind Microsoft's cloud services.

The cloud is changing expectations and transforming the way we live and work. Whether you’re developing innovative apps or delivering optimized solutions, Microsoft Tech Summit can help you evolve your skills, deepen your expertise, and grow your career.

Discover the latest trends, tools, and product roadmaps at more than 70 sessions, covering a range of topics across Microsoft Azure and Microsoft 365, which includes Windows 10, Office 365, and Enterprise Mobility + Security. From beginner sessions that will help you develop core cloud skills, to advanced, 400-level training that will take your expertise to the next level, there is something for everyone.


This year we will have two 60-minute keynotes focusing on Microsoft 365 and Azure. This will enable our keynote presenters to focus deeply on their areas of expertise and will include customers on stage and demos.

New this year to Microsoft Tech Summit is The Hub Expert Center where attendees will have the opportunity to connect with Microsoft SME’s during Day 1 and 2. It is an excellent opportunity to connect, gather lead retrievals and engage with potential customers.

Ask the Experts: We will hold an Ask the Experts Networking Hour on Day 1 from 17:45 – 18:45. All Speakers and Staff are required to attend this event. New this year are two 30-minute panels hosted by Microsoft SME and MVP’s. Additionally, attendees will be able to interact and learn from industry peers and representatives from Microsoft. Expert table topics will be as follows, and Speakers are required to self-staff these areas: Business Applications, Data and AI, Cloud Infrastructure, App Development, Internet of Things, Modern Workplace and Microsoft 365

 

on the Microsoft Tech Community at:

Visit aka.ms/ts/amsterdam

Sign in with your Microsoft or LinkedIn account and select ‘Evaluations’ to submit your feedback after sessions


Posted March 28, 2018 by Robert Smit [MVP] in Event


How to Backup Azure file shares with #AzureBackup #ASR #AFSB #Azure

Backup for Azure file shares is a feature that we all want. Azure Files is a cloud-first file share solution with support for the industry-standard SMB protocol. Azure Backup enables a native backup solution for Azure file shares, a key addition to the feature arsenal to enable enterprise adoption of Azure Files. Using Azure Backup, via a Recovery Services vault, to protect your file shares is a straightforward way to secure your files and be assured that you can go back in time instantly.

If you want to read my old blogs about Azure Backup: https://robertsmit.wordpress.com/tag/azure-backup/

Below is a schematic of how the backup for Azure file shares works.

Key features

  • Discover unprotected file shares: Utilize the Recovery Services vault to discover all unprotected storage accounts and file shares within them.
  • Backup multiple files at a time: You can back up at scale by selecting multiple file shares in a storage account and apply a common policy over them.
  • Schedule and forget: Apply a Backup policy to automatically schedule backups for your file shares. You can schedule backups at a time of your choice and specify the desired retention period. Azure Backup takes care of pruning these backups once they expire.
  • Instant restore: Since Azure Backup utilizes file share snapshots, you can restore just the files you need instantly even from large file shares.
  • Browse individual files/folders: Azure Backup lets you browse the restore points of your file shares directly in the Azure portal so that you can pick and restore only the necessary files and folders.

How to start with the Azure File share backup

First we make a backup vault that holds all the backups.

In the Azure Recovery Services vault I created a new vault that holds my file share backup.

Doing this with PowerShell:

# Names and region for the new Recovery Services vault
$vaultname="Azure-Fileshare-Vault02"
$rsgroup="AFS-BV-02"
$Location="West US"

# List the vaults that already exist in the subscription
Get-AzureRmRecoveryServicesVault
# Create the resource group, then the vault inside it
New-AzureRmResourceGroup -Name $rsgroup -Location $Location
New-AzureRmRecoveryServicesVault -Name $vaultname -ResourceGroupName $rsgroup -Location $Location

Now we open the just-created backup vault and add a backup job.

Adding the Azure Backup job.

As you can see, the new Azure FileShare option is there. If you want to do this with PowerShell, keep in mind that you will need the latest updates and, as this is a preview, it might change in the next version, as currently there is only the -WorkloadType "AzureVM" option there.

Now we select the storage account that holds the file share.

It could take some time for the validation.

Now that the file share is selected, we can make a backup policy, or use one that you already created.

After establishing a backup policy, a snapshot of the file shares will be taken at the scheduled time, and the recovery point is retained for the chosen period.

Then finally we enable the backup. An initial backup will be created.

When you check the backup jobs in your backup vault, you can see the just-created file share backup.

Just wait for the first backup, or go to the job, right-click and choose Backup now.

You can also create an on-demand backup or stop the backup.

With Backup now you can force a backup of the file share.

If you double-click the backup item and go to …more, you can stop the backup or even delete the backup.

Azure File Share Restore

The Azure file share restore is easy: pick Restore in the menu and pick a restore point.

You can pick the original location, but an alternate location can also be used. This is a great option for selecting the files, or for placing the restored files in a different location to sort out the files first.

 


Posted February 27, 2018 by Robert Smit [MVP] in Azure Site Recovery


Check with Powershell for Meltdown and Spectre #exploit critical vulnerabilities Protection #Meltdown #Spectre #KB4056892

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Edit:5-1-2018

Meltdown is Intel-only and takes advantage of a privilege escalation flaw allowing kernel memory access from user space, meaning any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.

Spectre applies to Intel, ARM, and AMD processors and works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.

Meltdown works on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.

Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affects many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues to work closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well.

The following sections will help you identify and mitigate client environments affected by the vulnerabilities identified in Microsoft Security Advisory ADV180002.

The Windows updates will also provide Internet Explorer and Edge mitigations. We will also continue to improve these mitigations against this class of vulnerabilities.

Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows update.

Install the PowerShell module from the Gallery.

Install-Module SpeculationControl

With Get-SpeculationControlSettings you can check your settings.

My system is not protected, but after all the fixes it should be like this below.

But you need to do more than just a software patch.

Check the BIOS of your machine with:

Get-WmiObject Win32_BIOS

As there is no later BIOS for my system, I'm out of luck. Good moment to renew my test machine.

So I need to patch my system. As I'm a Windows Insider I run several versions of Windows. At first check there was KB4056890, but this is already updated to KB4056892; make sure you get the latest version of the patch. You don't want to patch and reboot the machine twice.

https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

Get the hotfix http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056890

The updated version!

Get the hotfix http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056892

In this case I installed the KB4056890 update. Installation may stop at 99% and may show elevated CPU; there is a fix for that, read this:

https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

You need a reboot for this fix.
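After the reboot, the checks from this post can be combined to see which layer is still missing, the Windows update or the firmware/microcode. The script below is an added example, not part of the original post or of the SpeculationControl module; the property names are assumed to match the object that Get-SpeculationControlSettings returns, and the sample object is constructed for illustration.

```powershell
# Added example (not from the original post or the SpeculationControl module):
# translate the Get-SpeculationControlSettings result into the missing layers.
# Assumption: the property names below match the object the module returns.

function Get-SpeculationGap {
    param([Parameter(Mandatory)] $Settings)

    $gaps = @()

    # Spectre variant 2 (branch target injection) needs microcode AND the Windows update.
    if (-not $Settings.BTIHardwarePresent) {
        $gaps += 'Firmware: CPU microcode support is missing, install the BIOS/firmware update from the device manufacturer'
    }
    if (-not $Settings.BTIWindowsSupportPresent) {
        $gaps += 'Windows: the security update with the branch target injection mitigation is not installed'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $why = if ($Settings.BTIDisabledBySystemPolicy) {
            'disabled by system policy'
        } elseif ($Settings.BTIDisabledByNoHardwareSupport) {
            'disabled because the hardware support is absent'
        } else {
            'not enabled'
        }
        $gaps += "Windows: the branch target injection mitigation is installed but $why"
    }

    # Meltdown (kernel VA shadow) is fixed in Windows alone, and only needed on affected CPUs.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $gaps += 'Windows: the security update with kernel VA shadowing is not installed'
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $gaps += 'Windows: kernel VA shadowing is installed but not enabled'
        }
    }

    $gaps
}

# Constructed sample: Windows update installed, but no newer BIOS available.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}
'Constructed sample:'
@(Get-SpeculationGap -Settings $sample) | ForEach-Object { "  - $_" }

# Live check, only when the module from the Gallery is installed.
if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $live = @(Get-SpeculationGap -Settings (Get-SpeculationControlSettings))
    if ($live.Count -eq 0) {
        'This machine: no gaps reported.'
    } else {
        'This machine:'
        $live | ForEach-Object { "  - $_" }
    }

    # The patch named in the post; a later cumulative update replaces it,
    # so a missing entry here is not proof that the fix is absent.
    $kb = Get-HotFix -Id 'KB4056892' -ErrorAction SilentlyContinue
    $kbState = if ($kb) { "installed on $($kb.InstalledOn)" } else { 'not listed' }
    "KB4056892: $kbState"

    # BIOS version and date, to compare with the manufacturer's latest release.
    Get-CimInstance -ClassName Win32_BIOS |
        Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate
}
```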

Remember, this is not just a Microsoft Windows thing: if you are on Citrix, XenServer, Amazon or VMware, you need to check your hardware.

https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html

 

 


Posted January 4, 2018 by Robert Smit [MVP] in Windows Server 2016
