Azure Bastion – Jump Box As a Service

Traditional management of jump servers in the cloud is painful and involves many tasks, both for initial setup and for ongoing management.

To avoid attacks from external threats, jump servers need to be completely locked down and hardened: enable an aggressive block-list of apps and IPs, implement 2FA and zero-admin mode, turn on auditing and, if possible, rebuild the jump server every alternate day using automation tools to make it more secure in the cloud.

I know a lot of you out there rely on “jump servers” and are not very serious about day-to-day jump server operation and management tasks. Many SMB-segment companies were attacked through exploits of poorly managed jump servers. To overcome those problems and make security more controlled, Microsoft introduced the Bastion host last year as a replacement for the traditional jump server architecture.

Azure Bastion is a fully managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. This eliminates the need to expose the virtual machines' RDP and SSH ports to the internet. After the initial release, the solution has been adopted by various Azure customers and has received great feedback.

Moreover, Bastion hosts are very easy to set up with a few clicks, and the service is ready within a few minutes of deployment. Bastion-type services are also available in other clouds with different feature sets.

Azure Bastion key characteristics and what it offers to Azure customers:

  • No public IP required for VMs in Azure.
  • Remote session over TLS and firewall traversal for RDP/SSH.
  • Agentless; no additional software is required on the VMs.
  • Internally it's a VM scale set, and it can expand based on connection requirements.
  • Centrally hardened and protects against port scanning, zero-day exploits and malware.
  • An additional security layer can be added using an NSG on top of the Bastion host.
  • Access to Windows Server VMs by Azure Bastion does not require an RDS CAL when used solely for administrative purposes.
  • As the name “Bastion” implies, it acts as a true source of strength for entering the Azure VM world.
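
Since Bastion removes the need to expose RDP and SSH to the internet, a natural follow-up check is to look for NSG rules that still do. The script below is an added example, not part of the original post; it assumes the Az.Network module and a signed-in session (Connect-AzAccount), and the function names are hypothetical.

```powershell
# Added example (not from the original post). Read-only audit: it changes nothing.
# Lists inbound Allow rules that open SSH (22) or RDP (3389) to any source.
# Rule priority and overriding Deny rules are not evaluated; treat hits as candidates.

$mgmtPorts  = 22, 3389
$anySources = '*', 'Internet', '0.0.0.0/0', 'Any'

function Test-PortInRange {
    # True when $Port falls inside an NSG port expression: '*', '3389' or '3000-4000'
    param([int] $Port, [string] $Range)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return ($Range -match '^\d+$') -and ([int]$Range -eq $Port)
}

function Find-ExposedMgmtRule {
    param([Parameter(ValueFromPipeline = $true)] $Nsg)
    process {
        foreach ($rule in $Nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            if ($rule.Protocol -notin '*', 'Tcp') { continue }

            # Source must be "anywhere" for the rule to count as internet-exposed
            $openSource = @($rule.SourceAddressPrefix | Where-Object { $_ -in $anySources })
            if ($openSource.Count -eq 0) { continue }

            # Which management ports does the destination port list cover?
            $hit = foreach ($port in $mgmtPorts) {
                $covered = @($rule.DestinationPortRange |
                    Where-Object { Test-PortInRange -Port $port -Range $_ })
                if ($covered.Count -gt 0) { $port }
            }

            if ($hit) {
                [pscustomobject]@{
                    ResourceGroup = $Nsg.ResourceGroupName
                    Nsg           = $Nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Source        = $openSource -join ','
                    ExposedPorts  = $hit -join ','
                }
            }
        }
    }
}

Get-AzNetworkSecurityGroup |
    Find-ExposedMgmtRule |
    Sort-Object ResourceGroup, Nsg, Priority |
    Format-Table -AutoSize
```

Rules reported here are the ones to remove or narrow once access to the VMs goes through the Bastion host.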

High-level architecture:

This figure shows the architecture of an Azure Bastion deployment, in line with the characteristics listed above.


What's planned next – feature updates (not sure when, but they are in the pipeline):

  • A Bastion host must be deployed in each vNet, and vNet peering is currently not supported. However, upcoming product updates should soon start supporting peering.
  • Azure AD SSO integration
  • Currently Bastion can only be accessed through the Azure portal (via an HTML5 browser), and it is expected to start supporting native RDP/SSH clients soon.
  • RDP full session recording for auditing usage.

 

Sources:

Bastion Overview – https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Bastion Pricing – https://azure.microsoft.com/en-us/pricing/details/azure-bastion/

Create a Bastion Host – https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal

 

Azure Sentinel – The Mutant hunter

Being a big fan of the X-Men series and of security products, I couldn’t resist researching the new SecOps offering from Microsoft called “Azure Sentinel”. For those who are not familiar with the X-Men comics, Sentinels are mutant-hunting robots which can monitor, detect and kill mutants 😛

Azure Sentinel is a great SIEM and SOAR offering from Microsoft, with the proper equation of SecOps + AI in a cloud-native solution.


The great advantage and differentiator of this offering over other SIEM solutions is that it’s backed by Microsoft, which is turning into the biggest security company in the world, with huge investment going into security research. It’s clearly going to disrupt the SOC as a cloud security solution.

Since it’s a cloud-native solution, there are no worries about capacity planning and other on-prem bottlenecks.

Alright, after doing some research and lab work on Azure Sentinel, below is the list of high-level characteristics and features of this service offering.

Azure Sentinel SecOps flow:

Enable Azure Sentinel to easily aggregate security data generated by endpoint devices, network infrastructure and other security systems, then leverage it to detect and respond to threats in your environment.

Collect / Visibility

Collect security data at cloud scale from almost any source: on-premises, cloud (including other clouds like AWS) and SaaS apps.

Data collection options: On-prem and Cloud:

  • Agent-based collection for Linux and Windows devices (OS events, OS firewall, DNS, DHCP, etc.)
  • Syslog-based collection using the syslog/CEF connector, which can be deployed either on-premises or in the cloud, over TLS
  • REST API based collection for F5, Barracuda, Symantec and other similar products.
  • Custom connectors using Azure Functions for log storage like S3.
  • Azure Log Analytics data is also supported for Sentinel analysis.

Visualise:

Workbooks – Interactive dashboarding with the analysis. A good number of built-in workbook templates are available in Azure Sentinel, such as Azure Activity, Azure AD audit logs and Azure AD sign-in logs, along with support for a variety of other products (AWS network activities, AWS user activities). Custom workbooks can be created based on need.

Detect – Analytics / Hunting

  • A good number of built-in analytics are available in Azure Sentinel to choose from for detecting threats.
  • Custom KQL-based queries can be created for analytics.
  • Trigger automated playbooks to tackle threats.
  • Leverage Machine learning to increase your catch rate without increasing the noise.

Investigate – Incidents

  • Track the investigation from the Sentinel security incident, raised based on priority.
  • Bring your own ITSM framework by integrating with a ticketing tool for incident tracking and resolution.
  • Visualize the entire attack to determine its scope and impact, by navigating the relationships between alerts.

Respond – Automation

  • Automate and orchestrate the scopes using integrated Azure Logic Apps. Logic Apps help in building automated and scalable playbooks that integrate across tools. You can set up the complete workflow from alert trigger to resolution.
  • As in the other sections, a good number of samples are available in the library to configure and test the playbooks.

Learn more?

Complete Docs about Sentinel –  https://docs.microsoft.com/en-us/azure/sentinel/

Free Trial – Azure Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days. Usage beyond the first 31 days will be charged per the pricing listed above. Charges related to Azure Monitor Log Analytics for data ingestion, and to additional capabilities for automation and “bring your own machine learning”, are still applicable during the free trial.

 

PowerShell now officially supports macOS and Linux

Microsoft has made generally available PowerShell Core, its cross-platform version of the PowerShell command-line shell and scripting language.

This version of PowerShell is notable for being a cross-platform DevOps tool that’s available for Windows, Linux and macOS operating systems.

As per the Microsoft documentation, PowerShell now officially supports macOS and Linux, including:

  • Windows 7, 8.1, and 10
  • Windows Server 2008 R2, 2012 R2, 2016
  • Windows Server Semi-Annual Channel
  • Ubuntu 14.04, 16.04, and 17.04
  • Debian 8.7+, and 9
  • CentOS 7
  • Red Hat Enterprise Linux 7
  • OpenSUSE 42.2
  • Fedora 25, 26
  • macOS 10.12+

Link – https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-powershell-core-60?view=powershell-5.1

Installing PowerShell Core on Windows : https://docs.microsoft.com/en-us/powershell/scripting/setup/Installing-PowerShell-Core-on-Windows?view=powershell-6

 

 

 

Windows Server 1709 & Docker Container Micro services – Deployment Part 1

Introduction

Windows Server, version 1709 is the first release to ship in the Semi-Annual Channel. This is a new release cadence in which each version is supported for 18 months and a new version is released every 6 months, which is different from the standard Microsoft Long-Term Servicing Channel (LTSC).

Windows Server, version 1709, which runs only in Server Core mode, contains a variety of enhancements and new features. This version is all about innovation in applications, particularly those built on containers and microservices. Since this version concentrates on specific scenarios, it is available only in Standard and Datacenter editions.

Windows Server 1709 features

The following are the major features and enhancements in this version.

  1. Updated Server core container OS
  2. Nano server available as container OS
  3. Reduction in image size of Server core and Nano container
  4. Support for Linux Containers with Hyper-V isolation
  5. Project Honolulu, modern management


 

System Requirements

System requirements remain the same as in Windows Server 2016. The following are the minimum requirements.

Processor:

  • 4 GHz 64-bit processor
  • Compatible with x64 instruction set
  • Supports NX and DEP
  • Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW
  • Supports Second Level Address Translation (EPT or NPT)

RAM:

  • 512 MB (2 GB for Server with Desktop Experience installation option)
  • ECC (Error Correcting Code) type or similar technology

Storage and disk space

  • 32 GB

Network adapter

  • An Ethernet adapter capable of at least gigabit throughput
  • Compliant with the PCI Express architecture specification.
  • Supports Pre-boot Execution Environment (PXE).

 

Windows Server 1709 Setup

In this section, you’ll find how to install Windows Server 1709 in Azure and run docker containers with the IIS web service.

  Getting started with 1709 version

Following is the procedure to create a new virtual instance in Azure with Windows Server, version 1709.

  • Log in to the Azure portal and navigate to Virtual instances. Click Add
  • In the compute window, type “Windows Server, version 1709” and search. From the list of versions, select “Windows Server, version 1709 with containers”
  • Choose the deployment model, then provide the other details of the virtual instance configuration such as Name, VM disk type, Username, Password, Resource group, Size, Location, etc.
  • On the Summary page, accept the terms of use and click Create
  • Once the virtual instance is created, connect and log in to the server
  • Once you log in, you will see the Server Core welcome screen

  • At the command prompt, type “docker version” to get the version information
  • Before proceeding further, make sure that the server has the latest updates installed
  • Execute the command “sconfig” and choose option “6” to download and install the updates
  • Type “A” and press Enter to search for all the updates
  • Type “A” and press Enter to install all the listed updates applicable to the system
  • Once the updates are installed, execute the command “docker images” to list the images available on the server
  • As per the screenshot, there are two images: Microsoft/servercore and Microsoft/nanoserver.

Next, we will see how to create a new container from the image and configure services.

Deploying container and configure IIS Micro services

We will use the existing Server Core image to create a new container.

  • Note down the image ID of servercore. As per the screenshot, it is fc3e0de7ea04. Execute the command below to create a new container from the image

docker run --name IISWebserver -it -p 80:80 fc3e0de7ea04 cmd

(Creates a new container named IISWebserver from the windowsservercore image, publishes port 80 on it, passes the cmd process to the container and runs it.)

  • The command prompt in the container is launched on successful completion
  • You can verify the status of the container by executing the command “docker ps” (“docker ps -a” lists all created/exited containers)

You can verify the hostname and IP addresses of the container

  • Type “powershell” to change the mode and use the “Install-WindowsFeature Web-Server” command to install the IIS role in the container

Note: You are configuring the service in the container that you created on the server.

  • The Web Server role is successfully installed in the container
  • Now, access the server IP address from Internet Explorer. You will receive the IIS default webpage.
  • Import the WebAdministration PowerShell module and administer your websites through it

  • Example of hosting a website
  • Copy any HTML file to the C:\inetpub\wwwroot path, or create a new one with test content
  • Access the webpage by appending the respective HTML file name
  • To stop the container, execute the command “docker stop <container ID>”
  • To start and connect to the container again, execute the commands

docker start <container ID>

docker exec -it <container ID> cmd

In the next part, we will see how to create and run multiple Docker containers with different services using 1709, to understand the containers' capabilities.

WannaCry – Already Crying!! – if you can't patch!

News of the ransomware is already all over the internet. Below are quick steps to take if you can't patch because you can't get downtime on the machines, or for other reasons. (It runs on Windows and only affects Windows.)

And the most important phrase for the next few days – Trust no one. Literally never open attachments in emails from someone you don’t know.

  1. Disable SMB 1.0 / CIFS file sharing support in Windows Features (since it attacks through SMB).

GUI:

PowerShell:

Windows Powershell as Administrator
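
One way to carry out the step above from PowerShell, as an added example that is not part of the original post. It audits the SMBv1 state first and only changes it when Disable-Smb1 is called; the function names are illustrative, and the registry fallback covers older systems that lack the SMB cmdlets.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Get-Smb1State and Disable-Smb1 are illustrative function names.

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Server side: will this machine accept SMBv1 connections?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        $serverEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: a missing SMB1 value means enabled (the default)
        $value = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $serverEnabled = ($null -eq $value) -or ($value -ne 0)
    }

    # Optional feature that carries the SMBv1 components on newer Windows versions
    $feature = 'NotAvailable'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $feature = [string]$f.State }
    }

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        ServerSmb1Enabled = $serverEnabled
        Smb1Feature       = $feature
    }
}

function Disable-Smb1 {
    param([switch] $RemoveFeature)   # also turn off the SMB1Protocol optional feature

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Applies to the SMB server without a restart
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Older systems: set the registry value; effective after a restart
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
    }

    if ($RemoveFeature -and (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue)) {
        # Removes the SMBv1 components; completes at the next restart
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    Get-Smb1State   # report the state after the change
}

Get-Smb1State                    # audit only
# Disable-Smb1 -RemoveFeature    # uncomment to apply the change
```

Run the audit across the fleet first; devices that still depend on SMBv1, such as old scanners or NAS boxes, will lose access once it is disabled.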

Note :

  • If you are infected and do not have backups of critical data, disconnect the machine from the network immediately. DO NOT delete your encrypted files; a decryptor may become available within a few days.
  • As the Microsoft download servers seem busy or overloaded, DON’T make the mistake of downloading patches from untrusted sites.

Ref:

In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.

https://technet.microsoft.com/library/security/MS17-010

 

Nano Server – The Future of Modern Datacenter

Windows without Windows –

Nano Server is the new headless deployment option for Windows Server 2016. It’s just headless, but not brainless. 🙂 It’s an excellent solution for modern microservice architecture.

Most of the content was extracted from Jeffrey Snover's interview on Microsoft Mechanics.

The Lightest and Fastest:

Nano Server is similar to the Windows Server Core mode, but the size of the OS is far smaller compared to the GUI one.

Key highlights: What makes Nano server unique?

  • Very few OS updates
  • Faster reboots (in fact, far fewer reboots)
  • Improved resource utilization
  • Install only the components your application needs and nothing else (so fewer processes, hence quick reboots)
  • Highly customizable
  • No MSI support, graphical stack or RDP (highly secure, not many options for attackers :))
  • Fewer ports need to be opened.
  • It is a remotely administered server operating system optimized for private clouds and data centers.
  • Package-based installation
    • You can customize by creating an image or package using PS or DSC, such as:
      • Hyper-V compute package
      • Web (IIS) package
    • Installation of a package can be done in either of the following ways:
      • Local
      • UNC

 


And the stats here:


The two main scenarios the Nano solution concentrates on are:

  • Cloud and Private Infrastructure
  • Cloud and Application Platform

I have not included the steps on how to do it, since this post is more about exploration.

How do I Install Nano server?

Installation of Nano Server is very simple and goes the PS way. Import the PS file from the 2016 image folder and convert the WIM image file to VHD. You are done.

How do I Manage Nano server?

Nano Server is a remotely administered server operating system optimized for private clouds and data centers. Yes, it’s via PowerShell and WMI.

Also, you can manage it remotely via existing tools and a new web-based remote management tool.

Further, offline management can be achieved via the new Nano Server Recovery Console, which is a local interface.

The local interface gives options to manage the following:

  • Firewall
  • Network Components.

Nano server in Azure?

Microsoft has introduced an Azure-based remote server management tool, with which you can manage Nano in the Azure portal with a very good graphical representation of monitoring components like CPU, memory, network, etc.

It includes Device Manager, for that matter.

Can I install DNS in Nano?

Yes, of course, but the DNS server thus created cannot be a domain controller.

Nano Server does not support running a domain controller in Windows Server Technical Preview 4.

For more updates on Nano server : Follow the blog

https://blogs.technet.microsoft.com/nanoserver/2015/05/12/welcome-to-the-new-nano-server-blog/

 

ADFS 3.0 – SSL CERTIFICATE RENEWAL

INTRODUCTION:

Active Directory Federation Services (AD FS) is a component introduced by Microsoft in the server operating system to provide federation and single sign-on as a service, which helps an organization connect with different partners' applications in a secure manner. In simple terms, AD FS allows an organization to let users log in to multiple applications with a one-time login.

Certificates play an important role in the AD FS service. They are the key that provides users with a connection to the necessary data in a secure way, restricting unauthorized access to it. AD FS uses both public and “self-signed” certificates.

This article provides information on the different types of certificates used in AD FS and also methods to renew the SSL certificate.

ADFS CERTIFICATES:

Before explaining the types of certificates used, here is a short note on the keys used with certificates for security purposes.

  • Public Key – Key that is available to any application that requests communication, used to encrypt the messages.
  • Private Key – Secret key that is known only to the users who are involved in the communication.
  • Session Key – Combination of public and private key data used to establish the communication

There are three major certificates used by AD FS for single sign-on

  • Service Communications/SSL Communications:

As the name implies, this certificate is responsible for encrypting the connection between the client and the AD FS servers. It encrypts all the data between the client and the AD FS servers that is passed to establish the connection to the application (username, password).

  • Token-Signing

The certificate that signs all the security tokens AD FS produces, so that the resource (web server) can verify that the tokens being transmitted come from the authorized AD FS.

  • Token-Decryption

AD FS uses the token-decryption certificate to decrypt security tokens with the private key when communicating with the claims providers.

Among the above-mentioned certificates, Token-Signing and Token-Decryption are self-signed by default, whereas the Service Communications certificate is public.

PRE-REQUISITES:

We will further see how to renew different AD FS Certificates with a lab setup explained. Please make sure you have the following prerequisites checked before proceeding with the certificate renewal.

  • AD FS infrastructure architecture (primary/secondary details of the ADFS servers)
  • New Certificate from the Certificate Authority
  • Permissions available for the current certificates

Note: This document contains information only on AD FS 3.0 version.

LAB SETUP EXPLAINED

Following is the architecture of the lab setup in which we are going to perform the SSL renewal activity.

Server Name      IP Address    Role
TSTADFS01        192.0.0.6     Primary ADFS Server
TSTADFS02        192.0.0.7     Secondary ADFS Server
ADFSWAP01        192.0.0.4     ADFS Proxy Server
ADFSWAP02        192.0.0.5     ADFS Proxy Server
TSTLB01          192.0.0.1     Load Balancer Node 1
TSTLB02          192.0.0.2     Load Balancer Node 2
Adfs.test.com    192.0.0.3     VIP for ADFS

In this lab setup, ADFS 3.0 has been deployed as a farm. In total the farm has four servers: two backend (main) ADFS servers and two WAP (proxy) servers for public or internet access.

For redundancy, both the ADFS and ADFS proxy servers are paired. In addition, external traffic is routed through the load balancer.


Application configuration

  • On the ADFS servers, the ADFS Role will be installed.
  • On the ADFS Proxy servers, the Web Application Proxy will be installed.
  • On all servers, KB2919355 will be installed; it is a major update for WS2012R2 that adds the new capability for alternate login ID.

SSL CERTIFICATE RENEWAL – PROCEDURE:

As mentioned earlier, the Service Communications certificate is public and is issued by a trusted Certificate Authority. Since our lab environment contains more than one AD FS server, we will perform the following steps only on the primary server, since the changes get replicated to the other servers in the farm.

Renewal with same private key

In order to renew the certificate with the same private key, we need to retrieve the current private key from the SSL certificate.

To retrieve the private key, use the following steps.

  1. Install OpenSSL on the server where you will be performing the renewal process.
  2. Click Start, open the Run prompt and type in “mmc.exe”
  3. Click File and select “Add/Remove snap-in”
  4. Select “Certificates”, select “Computer account”, then “This Computer”, click “Add” and then “OK”
  5. In the Personal container, right-click the old SSL certificate, select “All Tasks” and then “Export”
  6. Export with the options “Include all certificates in the certification path if possible” and “Export all extended properties”. Provide the name “Privatekey” and export it.


Note: If the “Yes, export the private key” option is disabled, then you cannot renew the certificate with the same private key, because the certificate was generated with the “non-exportable” option. In that case you need to check further with the CA to resolve it.

  7. Run the following command to export the private key from the certificate file (.pfx)

openssl pkcs12 -in Privatekey.pfx -nocerts -out pkey.pem

  8. Make sure you have the new certificate, the exported private key file and OpenSSL installed. Run the following command to create a new certificate file from the private key and the new certificate

openssl pkcs12 -export -in new.crt -inkey pkey.pem -out newsslcert.pfx

  9. Import the newly created certificate file into the Computer account's Personal container with the options “Mark this key as exportable. This will allow you to back up or transport your keys at a later time” and “Include all extended properties” selected. Once the import succeeds, delete pkey.pem and the intermediate .pfx files, since they contain the private key.

Remaining steps to set the new certificate for AD FS will be explained in the next section. (Refer steps (ii) to (vii))

Renewal with new private key

(i) Import new certificate in ADFS Primary Server

  1. Click Start, open the Run prompt and type in “mmc.exe”
  2. Click File and select “Add/Remove snap-in”
  3. Select “Certificates”, select “Computer account”, then “This Computer”, click “Add” and then “OK”
  4. In the Personal container, import your new certificate.

(ii) Set permissions for the new certificate

  1. In the Certificates console, right-click the new certificate, select “All Tasks” and then “Manage Private Keys”
  2. Add Read access for the service account that is used to run the AD FS service

(iii) Set new Certificate in AD FS

  1. Open the AD FS Management console, expand Services and select Certificates
  2. Select the new certificate and click “Set Service Communications Certificate” in the action pane
  3. You will be presented with a list of certificates that are valid for Service Communications. If your new certificate is not presented in the list, go back and make sure that the certificate is in the local computer Personal store with its private key.

(iv) Restart the Active Directory Federation services

  1. Open PowerShell as administrator and run the following command

Restart-Service adfssrv

(v) Execute PowerShell cmdlets to change the configuration file

  1. To complete the configuration change, run the following commands in PowerShell

Get-AdfsSslCertificate

(Make a note of the thumbprint of the new certificate)

Set-AdfsSslCertificate -Thumbprint <Thumbprintofnewcertificate>

(vi) Restart the Active Directory Federation services

  1. Open PowerShell as administrator and run the following command

Restart-Service adfssrv

(vii) Update Certificate in WAP Server

  1. Import the new certificate to the server as in steps 1 to 4
  2. Run the following commands (in PowerShell) on the AD FS WAP proxy server

Get-WebApplicationProxyApplication

(Make a note of the thumbprint of the new certificate)

Set-WebApplicationProxySslCertificate -Thumbprint <Thumbprintofnewcertificate>

  3. All of the publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use PowerShell to update them with the new thumbprint. Run the following command

Get-WebApplicationProxyApplication -Name "WebAppPublishingRuleName" | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint "<Thumbprintofyourcertificate>"

  4. Restart the Web Application Proxy services to complete the configuration
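
A check that can be run after steps (i) to (vii), as an added example that is not part of the original article: it confirms that the new certificate is usable and bound everywhere AD FS expects it, and lists WAP publishing rules still tied to the old certificate. The function names are illustrative; the thumbprints are supplied by you.

```powershell
# Added example (not from the original article). Run in an elevated session.
# ConvertTo-Thumbprint, Test-HostCovered, Test-AdfsSslRenewal and Get-WapRuleUsingCert
# are illustrative names.

function ConvertTo-Thumbprint {
    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character; keep hex digits only.
    param([string] $Value)
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-HostCovered {
    param([string] $HostName, [string[]] $CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.test.com matches adfs.test.com
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -eq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

function Test-AdfsSslRenewal {
    # Run on the primary AD FS server with the NEW certificate's thumbprint.
    param([Parameter(Mandatory = $true)] [string] $Thumbprint)

    $thumb  = ConvertTo-Thumbprint $Thumbprint
    $cert   = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
    $fsName = (Get-AdfsProperties).HostName
    $now    = Get-Date

    # SSL bindings that still point at another certificate
    $stale = @(Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb })
    # Service Communications certificate as AD FS itself sees it
    $svc   = @(Get-AdfsCertificate -CertificateType Service-Communications |
               Where-Object { $_.Thumbprint -eq $thumb })

    [pscustomobject]@{
        Subject            = $cert.Subject
        HasPrivateKey      = $cert.HasPrivateKey
        InValidityWindow   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        DaysRemaining      = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        CoversServiceName  = Test-HostCovered -HostName $fsName -CertNames $cert.DnsNameList.Unicode
        ServiceCommUpdated = ($svc.Count -gt 0)
        StaleSslBindings   = ($stale | ForEach-Object { '{0}:{1}' -f $_.HostName, $_.PortNumber }) -join ', '
    }
}

function Get-WapRuleUsingCert {
    # Run on a WAP server with the OLD certificate's thumbprint:
    # any rule returned still needs step (vii) 3.
    param([Parameter(Mandatory = $true)] [string] $Thumbprint)

    $thumb = ConvertTo-Thumbprint $Thumbprint
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalCertificateThumbprint -eq $thumb } |
        Select-Object Name, ExternalUrl, ExternalCertificateThumbprint
}

# Test-AdfsSslRenewal  -Thumbprint '<Thumbprintofnewcertificate>'
# Get-WapRuleUsingCert -Thumbprint '<Thumbprintofoldcertificate>'
```

A clean result has HasPrivateKey, InValidityWindow, CoversServiceName and ServiceCommUpdated all True, an empty StaleSslBindings, and no rules returned on the WAP servers.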

TOKEN-SIGNING & TOKEN-DECRYPTING RENEWAL

Since the Token-Signing and Token-Decrypting certificates are self-signed, the certificate lifetime is set to 365 days by default.

Verify the settings in your AD FS configuration that are required for the renewal by running the following command

Get-ADFSProperties

This command displays all the configuration properties of AD FS, of which we need only the following

  • AutoCertificateRollover
  • CertificateDuration
  • CertificateGenerationThreshold
  • CertificatePromotionThreshold
  • CertificateRolloverInterval

These properties show whether AD FS is set to automatically manage the certificate renewal and expiry process


As per the above settings,

  • AD FS becomes aware that the certificates will expire within 20 days
  • It creates new certificates valid for 365 days and sets them as secondary certificates
  • After 5 days, it promotes the new certificates to primary.
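
The rollover timeline described above can be projected for a live farm so that relying parties are warned before the certificates change. This is an added example, not part of the original article; Get-AdfsRolloverSchedule is an illustrative name and the dates it prints are projections from the configured thresholds.

```powershell
# Added example (not from the original article). Run on the primary AD FS server.
# Get-AdfsRolloverSchedule is an illustrative function name.

function Get-AdfsRolloverSchedule {
    $props = Get-AdfsProperties
    $now   = Get-Date

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($entry in (Get-AdfsCertificate -CertificateType $type)) {
            $expires  = $entry.Certificate.NotAfter
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)

            $generate = $null
            $promote  = $null
            if ($props.AutoCertificateRollover) {
                if ($entry.IsPrimary) {
                    # A successor is generated this many days before the primary expires...
                    $generate = $expires.AddDays(-1 * $props.CertificateGenerationThreshold)
                    # ...and promoted to primary this many days after generation
                    $promote  = $generate.AddDays($props.CertificatePromotionThreshold)
                } else {
                    # Secondary already exists: project promotion from its start date
                    $generate = $entry.Certificate.NotBefore
                    $promote  = $generate.AddDays($props.CertificatePromotionThreshold)
                }
            }

            # With rollover disabled nothing happens automatically, so flag the
            # primary once it is inside the generation threshold.
            $manualDue = (-not $props.AutoCertificateRollover) -and $entry.IsPrimary -and
                         ($daysLeft -le $props.CertificateGenerationThreshold)

            [pscustomobject]@{
                Type             = $type
                Thumbprint       = $entry.Thumbprint
                IsPrimary        = $entry.IsPrimary
                Expires          = $expires
                DaysLeft         = $daysLeft
                SuccessorCreated = $generate
                SuccessorPrimary = $promote
                ManualActionDue  = $manualDue
            }
        }
    }
}

Get-AdfsRolloverSchedule | Format-Table -AutoSize
```

The SuccessorPrimary date is the deadline by which relying parties must have picked up the new certificate from federation metadata or been updated by hand.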

If the AutoCertificateRollover property is set to false, we need to roll over the certificates manually.

Note: An AD FS service outage is incurred when the Token-Decrypting or Token-Signing certificates are updated, because the relying parties must update their configuration to expect the new certificates.

Run the following commands to force AD FS to generate new certificates and promote them to primary immediately

Update-ADFSCertificate -CertificateType Token-Signing -Urgent

Update-ADFSCertificate -CertificateType Token-Decrypting -Urgent

Another simple way would be to extend the “CertificateDuration” property with the following command.

Set-ADFSProperties -CertificateDuration <Numberofdaystoextend> -AutoCertificateRollover $true

 Example: Set-ADFSProperties -CertificateDuration 1825 -AutoCertificateRollover $true

This command will set the certificates to last for 5 years