Azure Bastion – Jump Box As a Service

Traditional management of jump servers in the cloud is painful: it involves a lot of work both to set them up and to keep them running.

To avoid potential attacks from external threats, jump servers need to be completely locked down and hardened: aggressive block-lists of apps and IPs, 2FA, zero-admin mode, auditing and, if possible, rebuilding the jump server every other day with automation tools to keep it secure in the cloud.

I know a lot of you out there rely on “jump servers” and are not very serious about their day-to-day operational management. Many SMB-segment companies were attacked through exploits of poorly managed jump servers. To overcome those problems and make security more controlled, Microsoft introduced the Bastion host last year as a replacement for the traditional jump-server architecture.

Azure Bastion is a fully managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. This eliminates the need to expose the virtual machines' RDP and SSH ports to the internet. Since the initial release, the solution has been adopted by various Azure customers and has received great feedback.

Moreover, Bastion hosts are very easy to set up with a few clicks, and the service is ready within a few minutes of deployment. Bastion-type services are also available in other clouds, with different feature sets.

Azure Bastion key characteristics and what it offers Azure customers:

  • No public IP required for VMs in Azure.
  • Remote session over TLS and firewall traversal for RDP/SSH.
  • Agentless; no additional software is required on the VMs.
  • Internally it is a VM scale set that can expand based on connection requirements.
  • Centrally hardened; protects against port scanning, zero-day exploits and malware.
  • An additional security layer can be added with an NSG on top of the Bastion host.
  • Access to Windows Server VMs via Azure Bastion does not require an RDS CAL when used solely for administrative purposes.
  • As the name “Bastion” implies, it acts as a true source of strength for entering the Azure VM world.
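The characteristics above in practice, as an added example that is not part of the original post: deploying Bastion into an existing VNet with the Az PowerShell module (Az.Network) and then checking that no other public IP in the resource group is still attached to a VM NIC. Resource group, VNet, region and the subnet range are assumed placeholder values.

```powershell
# Added example (not from the original post): deploy Azure Bastion with Az PowerShell.
$rg       = 'rg-prod'        # assumed resource group
$location = 'westeurope'     # assumed region
$vnetName = 'vnet-prod'      # assumed existing VNet

# Bastion only works from a subnet named exactly 'AzureBastionSubnet'; add it if missing.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object { $_.Name -eq 'AzureBastionSubnet' })) {
    # Assumed unused range inside the VNet address space.
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.0.255.0/26' `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# Bastion needs a static, Standard SKU public IP. In this design it is the only public IP.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
           -AllocationMethod Static -Sku Standard

$bastion = New-AzBastion -ResourceGroupName $rg -Name 'bastion-prod' `
               -PublicIpAddress $pip -VirtualNetwork $vnet
"Bastion '$($bastion.Name)' deployed; VMs are now reachable via the portal without public IPs."

# Check (characteristic 1): no other public IP in the RG should still be attached to anything.
$leftovers = Get-AzPublicIpAddress -ResourceGroupName $rg |
             Where-Object { $_.Id -ne $pip.Id -and $_.IpConfiguration }
foreach ($ip in $leftovers) {
    Write-Warning ("Public IP '{0}' is still attached to {1}" -f $ip.Name, $ip.IpConfiguration.Id)
}
```

The `New-AzBastion` call itself can take several minutes to return, which matches the "ready within a few minutes" note above.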

High-level architecture:

This figure shows the architecture of an Azure Bastion deployment, aligned to the characteristics listed above.


What's planned next – feature updates (no dates yet, but they are in the pipeline):

  • A Bastion host currently has to be deployed in each vNet, and vNet peering is not yet supported. Upcoming product updates should add support for peering.
  • Azure AD SSO integration.
  • Currently Bastion can only be accessed through the Azure portal (via an HTML5 browser); support for native RDP/SSH clients is expected soon.
  • Full RDP session recording for auditing.


Sources:

Bastion Overview – https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Bastion Pricing – https://azure.microsoft.com/en-us/pricing/details/azure-bastion/

Create a Bastion Host – https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal


PowerShell now officially supports macOS and Linux

Microsoft has made generally available PowerShell Core, its cross-platform version of the PowerShell command-line shell and scripting language.

This version of PowerShell is notable for being a cross-platform DevOps tool, available for Windows, Linux and macOS.

As per the Microsoft documentation, PowerShell Core now officially supports macOS and Linux alongside Windows; the supported platforms include:

  • Windows 7, 8.1, and 10
  • Windows Server 2008 R2, 2012 R2, 2016
  • Windows Server Semi-Annual Channel
  • Ubuntu 14.04, 16.04, and 17.04
  • Debian 8.7+, and 9
  • CentOS 7
  • Red Hat Enterprise Linux 7
  • OpenSUSE 42.2
  • Fedora 25, 26
  • macOS 10.12+

Link – https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-powershell-core-60?view=powershell-5.1

Installing PowerShell Core on Windows : https://docs.microsoft.com/en-us/powershell/scripting/setup/Installing-PowerShell-Core-on-Windows?view=powershell-6


WannaCry – Already Crying!! – if you can't patch!

The news about the ransomware is already all over the internet. Below are quick steps to take if you can't get downtime on the machines, or for whatever other reason (it runs on Windows and only affects Windows).

And the most important phrase for the next few days: trust no one. Literally never open attachments in emails from someone you don't know.

  1. Disable SMB 1.0/CIFS file sharing support under Windows Features (since it attacks through SMB).

GUI:

PowerShell:

Windows PowerShell as Administrator
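The PowerShell route for step 1, as an added example rather than the post's own screenshot: it disables SMBv1 on the local machine using the feature toggle where one exists (Windows 8.1 / Server 2012 R2 and later) and the LanmanServer registry value on older builds, then verifies the result. Run it in an elevated Windows PowerShell; it uses Get-WmiObject so it still works on PowerShell 2.0.

```powershell
# Added example (not from the original post): disable SMBv1 and verify.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$isServer = $os.ProductType -ne 1          # 1 = workstation, 2 = DC, 3 = member server
$build    = [int]$os.BuildNumber
$regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

if ($build -ge 9600) {
    # Windows 8.1 / Server 2012 R2 and newer: SMB1 is a removable feature.
    if ($isServer) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Also switch the server-side protocol off immediately (no reboot needed for this part).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / 2008 R2 / 2012: no feature toggle, so disable the SMB1 server in the registry.
    Set-ItemProperty -Path $regKey -Name SMB1 -Type DWord -Value 0 -Force
    Write-Warning 'SMB1 server disabled in the registry; a reboot is required for it to apply.'
}

# Verification: 0 / False means SMB1 is off. An absent registry value on an old build
# means the default, i.e. SMB1 still enabled.
$regVal = (Get-ItemProperty -Path $regKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
"Registry SMB1 value : $regVal"
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    'SMB1 server enabled : ' + (Get-SmbServerConfiguration).EnableSMB1Protocol
}
```

Disabling SMBv1 reduces the attack surface the worm used but is not a substitute for the MS17-010 patch referenced below.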

Note:

  • If infected and you do not have backups of critical data, disconnect the machine from the network immediately. DO NOT delete your encrypted files; a decryptor may become available within a few days.
  • As the Microsoft download servers seem busy or overloaded, DON'T make the mistake of downloading patches from dubious sites.

Ref:

To prevent infection, users and organizations are advised to apply the patches for Windows systems described in Microsoft Security Bulletin MS17-010.

https://technet.microsoft.com/library/security/MS17-010


Domain Controller in VM is unable to authenticate the users

Findings in the Windows event logs in this kind of scenario:

  1. The Netlogon service is paused.
  2. Unable to roll back an operation on the NTDS database.
  3. An attempt to write to edb.log failed.
Directory Service logs:

ESX logs:
The following events were observed in the VM logs at the same point in time, just before the Netlogon service paused.

Why this behaviour?

Based on the events, the Active Directory database is encountering problems with read and write operations on the NTDS database.
A sequence of events is observed indicating possible AD database corruption. After multiple failures to update the directory database, the DC ends up in a condition where users cannot log on to AD, and as a protective measure AD pauses the Netlogon service. This leaves users and machines unable to authenticate and log on to the server or domain.
Suspected causes:
Possible causes are:
  • Database corruption.
  • The snapshot process causing a performance hit and freezing the system, especially disk I/O.
  • Antivirus scanning the database and its related files.
This issue can also occur after an unsuccessful P2V conversion of the DC, or when the DC has been restored from a snapshot.
Suggestions and recommendations:

  • Offline defragmentation of the AD database.
  • Check with the application team whether any specific tasks are running that interfere with the snapshot backup process and render the system non-responsive.
  • Confirm the antivirus scan timings, and that NTDS and other AD-related folders are excluded from the scan selection list.
I recommend creating another DC (VM) and moving all roles to the new DC, then demoting the old DC and, if required, promoting it as a DC again. This avoids situations like offline defragmentation, repair and restore of the database.
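A triage script for a DC showing the symptoms described above, added here as an example and not part of the original post: it reports the Netlogon state, pulls NTDS/ESE errors from the Directory Service log for the last 24 hours, and checks whether the database, log and working directories (read from the NTDS registry parameters) are excluded from Windows Defender scans. Run it in an elevated PowerShell on the DC; the post's screenshots are not reproduced, so the event query keys on log, level and provider rather than on specific event IDs.

```powershell
# Added example (not from the original post): DC database/Netlogon triage.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds    = Get-ItemProperty -Path $ntdsKey
# Database file, log directory and working directory, reduced to their folders.
$adDirs  = @($ntds.'DSA Database file', $ntds.'Database log files path', $ntds.'DSA Working Directory') |
           ForEach-Object { if (Test-Path $_ -PathType Leaf) { Split-Path $_ -Parent } else { $_ } } |
           Sort-Object -Unique

# 1. Symptom: Netlogon paused. Do not simply resume it; the database problem comes first.
$netlogon = Get-Service -Name Netlogon
"Netlogon status      : $($netlogon.Status)"

# 2. NTDS / ESE (ISAM) errors and criticals in the Directory Service log, last 24 hours.
$since = (Get-Date).AddHours(-24)
$errs  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = $since } `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.ProviderName -match 'NTDS|ESE|ISAM|ActiveDirectory' })
"DS errors since $($since.ToString('s')) : $($errs.Count)"
$errs | Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize

# 3. Recommendation check: are the AD folders excluded from AV scans?
#    Uses Defender's Get-MpPreference; a third-party AV needs its own query.
$excl = if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
            (Get-MpPreference).ExclusionPath
        }
foreach ($dir in $adDirs) {
    $covered = [bool]($excl | Where-Object { $dir -like ($_.TrimEnd('\') + '*') })
    '{0,-40} AV-excluded: {1}' -f $dir, $covered
}
```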

ADPREP /DOMAINPREP failures

I am putting forth my investigation into this problem and the solution I found, hoping it will be helpful to others in similar scenarios.
Note that the fix may not be applicable if the cause of the failure differs at all from what I faced.
I recently upgraded one of my customers' environments from Windows Server 2003 AD to Windows Server 2008 R2.
During the course of this activity, the command ADPREP /DOMAINPREP returned the following error:
Error code:
Message: 000020B5: AtrErr: DSID-03152395, #1: 0: 000020B5:
DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects).

The error code 0x13 DSID-03152395 in the log file has to be converted to a readable format using the tool DSID.exe, which is available only within Microsoft and not to the general public. After decoding the code with the help of MS, I came up with the findings below based on the status message.
What caused the failure?
The execution of adprep /domainprep performs various domain-wide operations to make the domain configuration changes needed for W2K8 R2. One of these operations is to create the Managed Service Accounts container in AD.
Windows Server 2008 R2 introduces a new account type, Managed Service Accounts, that assists in endpoint administration, together with a container for them; in a way, this container functions like the built-in containers in a default domain configuration.
The error cited in Adprep.log indicated that the domain configuration attribute could not be populated, because a Managed Service Accounts container was already present in the current AD.
By chance or mistake, we had an OU called “Managed Service Accounts” in the 2003 environment. Hence, while preparing the AD, there was a conflict when the system command tried to create the Managed Service Accounts container.

What fixed the failure?

Delete the Managed Service Accounts OU from the Windows 2003 AD and then run adprep /domainprep.
Don't rename the OU, because the chances of solving the issue by renaming it are very slim.
So better to delete it.
Actions to be performed:
  1. Take a system state backup on all domain controllers.
  2. Move the contents of the Managed Service Accounts OU to another OU.
  3. When all users and sub-OUs have been moved, delete the OU.

Then run adprep /domainprep and it should complete without errors.
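Steps 2 and 3 of the procedure above scripted with the ActiveDirectory module, as an added example that is not part of the original post. It assumes the script runs from the 2008 R2 server with RSAT-AD-PowerShell, that the 2003 DCs have the Active Directory Management Gateway Service installed so the module can reach them, that the conflicting OU sits directly under the domain root, and that an OU named Quarantine already exists to park the contents in (both names are placeholders). The system state backup from step 1 is not done by this script and must be taken first.

```powershell
# Added example (not from the original post): empty and delete the conflicting OU.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Managed Service Accounts,$domainDn"   # assumed DN of the conflicting OU
$holdDn   = "OU=Quarantine,$domainDn"                 # assumed existing OU to receive the contents

# Step 2: move every direct child (users, groups, computers, nested OUs) out of the OU.
$children = @(Get-ADObject -SearchBase $ouDn -SearchScope OneLevel -Filter *)
foreach ($obj in $children) {
    if ($obj.ObjectClass -eq 'organizationalUnit') {
        # Nested OUs may carry the accidental-deletion deny ACE, which also blocks moves.
        Set-ADOrganizationalUnit -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $false
    }
    Move-ADObject -Identity $obj.DistinguishedName -TargetPath $holdDn
    "Moved $($obj.DistinguishedName) -> $holdDn"
}

# Step 3: delete only once nothing at all is left underneath (Subtree includes the OU itself).
$remaining = @(Get-ADObject -SearchBase $ouDn -SearchScope Subtree -Filter * |
               Where-Object { $_.DistinguishedName -ne $ouDn })
if ($remaining.Count -gt 0) {
    throw "OU still contains $($remaining.Count) object(s); not deleting."
}
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false
"Deleted $ouDn; adprep /domainprep can now be re-run."
```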