Another Forensics Blog: When Windows Lies
— Read on az4n6.blogspot.com/2017/02/when-windows-lies.html
Does Disabling User/Computer GPO Settings Make Processing Quicker? | Ask Premier Field Engineering (PFE) Platforms
— Read on blogs.technet.microsoft.com/askpfeplat/2018/10/22/does-disabling-user-computer-gpo-settings-make-processing-quicker/
The other day I noticed that my commits were not being shown in my commit history on GitHub. I have a new laptop with a fresh install of Git for Windows, so I figured it was something to do with that, and it was!!
What I had forgotten to do was set my commit email address in Git. I'd obviously done it on my old laptop and forgotten I'd ever done so.
Running 'git config --global user.email' came back with a blank result on my new laptop, so I obviously needed to enter an email address in my Git config. I found this article https://help.github.com/articles/setting-your-commit-email-address-on-github/ which helped me solve my problem. As the article states, if you have enabled email privacy on your GitHub account (which I had) you need to use a GitHub-provided 'noreply' address as your Git commit address. This takes the format of 'email@example.com'.
So in Git I had to do:
git config --global user.email "firstname.lastname@example.org"
The next time I pushed my commits to GitHub, the commits showed in my commit history.
Recently announced is the new Microsoft learning site for all things Azure
“Introducing a new approach to learning
The skills required to advance your career and earn your spot at the top do not come easily. Now there’s a more rewarding approach to hands-on learning that helps you achieve your goals faster. Earn points, levels, and achieve more!“
At first glance these new training and learning options look very good. I'll be trying them out soon enough.
Last July, Microsoft Learning announced some upcoming changes to the Microsoft Azure Certifications to make them more role-based. Recently, surrounding the Microsoft Ignite 2018 conference, they announced and released further information about these changes to transform the Azure certification tracks. This news includes more than just announcement of new Azure certification exams, but also the…
We have a hub and spoke design in Azure for our vNets and needed to peer the vNets together.
This can be done in an ARM template, and we could have deployed all three networks in one go and peered them as part of the ARM template deployment. For various reasons that approach didn't really work for us; one reason was that the customer is very sensitive to change control, and having all three vNets controlled by one ARM deployment didn't sit very well with them and made them nervous.
So PowerShell was the obvious answer, and it's very simple in PowerShell anyway. We deploy all three vNets using separate ARM templates and then peer them together with PowerShell. The code is also on GitHub.
#Peering for hub and spoke network design

#Variables Section
$hubVnetResourceGroup = "RG_hubVnet"
$hubVnetName = "hubprodVnet"
$spoke1VnetResourceGroup = "RG_spoke1vnet"
$spoke2VnetResourceGroup = "RG_spoke2Vnet"
$spoke1VnetName = "spoke1prodVnet"
$spoke2VnetName = "spoke2prodVnet"
$hubVnet = Get-AzureRmVirtualNetwork -Name $hubVnetName -ResourceGroupName $hubVnetResourceGroup
$spoke1Vnet = Get-AzureRmVirtualNetwork -Name $spoke1VnetName -ResourceGroupName $spoke1VnetResourceGroup
$spoke2Vnet = Get-AzureRmVirtualNetwork -Name $spoke2VnetName -ResourceGroupName $spoke2VnetResourceGroup
#End Variables

#Add hub to spoke1 peer and allow gateway transit through the hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke1peer' -VirtualNetwork $hubVnet -RemoteVirtualNetworkId $spoke1Vnet.Id -AllowForwardedTraffic -AllowGatewayTransit

#Add spoke1 to hub peer and use the hub's gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke1tohubpeer' -VirtualNetwork $spoke1Vnet -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways

#Add hub to spoke2 peer and allow gateway transit through the hub
Add-AzureRmVirtualNetworkPeering -Name 'hubtospoke2peer' -VirtualNetwork $hubVnet -RemoteVirtualNetworkId $spoke2Vnet.Id -AllowForwardedTraffic -AllowGatewayTransit

#Add spoke2 to hub peer and use the hub's gateways
Add-AzureRmVirtualNetworkPeering -Name 'spoke2tohubpeer' -VirtualNetwork $spoke2Vnet -RemoteVirtualNetworkId $hubVnet.Id -AllowForwardedTraffic -UseRemoteGateways
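A peering only carries traffic once both halves report Connected, and gateway transit only works when the hub side allows it and the spoke side uses it. The following check is an added example, not part of the original post; it reuses the post's vNet and resource group names, and the function name Test-HubSpokePeering is my own.

```powershell
# Added example: verify each hub<->spoke peering from the post is Connected on both
# sides and that the gateway-transit flags are mirrored. Uses AzureRM.Network cmdlets;
# the function name is an assumption, the vNet names are the post's.
function Test-HubSpokePeering {
    param(
        [Parameter(Mandatory)] [string]   $HubVnetName,
        [Parameter(Mandatory)] [string]   $HubVnetResourceGroup,
        [Parameter(Mandatory)] [string[]] $SpokeVnetNames,
        [Parameter(Mandatory)] [string[]] $SpokeVnetResourceGroups
    )
    $hubVnet     = Get-AzureRmVirtualNetwork -Name $HubVnetName -ResourceGroupName $HubVnetResourceGroup
    $hubPeerings = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName $HubVnetName -ResourceGroupName $HubVnetResourceGroup

    for ($i = 0; $i -lt $SpokeVnetNames.Count; $i++) {
        $spokeName = $SpokeVnetNames[$i]
        $spokeRg   = $SpokeVnetResourceGroups[$i]
        $spokeVnet = Get-AzureRmVirtualNetwork -Name $spokeName -ResourceGroupName $spokeRg

        # Hub-side peering whose remote network is this spoke
        $hubSide = $hubPeerings | Where-Object { $_.RemoteVirtualNetwork.Id -eq $spokeVnet.Id }
        # Spoke-side peering pointing back at the hub
        $spokeSide = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName $spokeName -ResourceGroupName $spokeRg |
            Where-Object { $_.RemoteVirtualNetwork.Id -eq $hubVnet.Id }

        $problems = @()
        if (-not $hubSide)   { $problems += 'no hub-side peering' }
        if (-not $spokeSide) { $problems += 'no spoke-side peering' }
        if ($hubSide   -and $hubSide.PeeringState   -ne 'Connected') { $problems += "hub side is $($hubSide.PeeringState)" }
        if ($spokeSide -and $spokeSide.PeeringState -ne 'Connected') { $problems += "spoke side is $($spokeSide.PeeringState)" }
        if ($hubSide   -and -not $hubSide.AllowGatewayTransit) { $problems += 'hub does not allow gateway transit' }
        if ($spokeSide -and -not $spokeSide.UseRemoteGateways) { $problems += 'spoke does not use remote gateways' }

        [pscustomobject]@{
            Spoke    = $spokeName
            Healthy  = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

Test-HubSpokePeering -HubVnetName 'hubprodVnet' -HubVnetResourceGroup 'RG_hubVnet' `
    -SpokeVnetNames 'spoke1prodVnet', 'spoke2prodVnet' `
    -SpokeVnetResourceGroups 'RG_spoke1vnet', 'RG_spoke2Vnet' |
    Format-Table -AutoSize
```

A peering that shows Initiated on one side means the matching Add-AzureRmVirtualNetworkPeering on the other vNet has not run yet or failed.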
What is Azure Firewall? A fully stateful firewall as a service.
Before you can deploy Azure Firewall you need to register the provider features in your subscription: https://docs.microsoft.com/en-us/azure/firewall/public-preview
Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
It can take up to 30 minutes for the feature registration to complete.
The easy way to get going and play with Azure Firewall is to use the quickstart template https://github.com/Azure/azure-quickstart-templates/tree/master/101-azurefirewall-sandbox
I've used the above template to get up and running with Azure Firewall quickly and easily, and so I don't have to click around in the portal.
First up is Network Rules. The template deploys an example rule, which I have deleted so I can start from scratch. At the moment I have no network rules in my firewall:
If I now try to telnet to another server of mine that has RDP open to the internet, we can see the connection is not successful:
I now add a rule to my firewall:
And now the telnet connection to 3389 to the target is successful:
Next up is Application Rules. Application Rules allow you to control what FQDNs can be accessed and, somewhat obviously, these rules are http and https based. Again the deployment I used created a single Application Rule which I have deleted to give me a clean slate from which to start:
Now if I try to browse the web from my server in Azure I’m blocked. Interestingly the message I get in the web browser depends on whether I’ve gone to a https site or http:
I now add a rule for http and https for *.microsoft.com:
I can now browse to Azure.microsoft.com
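The two rules added through the portal above, expressed with the AzureRM.Network firewall cmdlets of the preview era, as an added example that is not from the original post. Firewall name, resource group, source subnet and the RDP target address are placeholders; the post does not give them.

```powershell
# Added example, not from the original post: the post's network rule (TCP/3389 to one
# target) and application rule (http/https to *.microsoft.com) built with the
# AzureRM.Network cmdlets. All four values below are placeholders (assumptions).
$fwName          = 'azfw-sandbox'    # placeholder: firewall from the quickstart template
$fwResourceGroup = 'RG_azfw'         # placeholder
$sourceSubnet    = '10.0.2.0/24'     # placeholder: workload subnet routed via the firewall
$rdpTarget       = '203.0.113.10'    # placeholder: the single server the post telnets to

$fw = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $fwResourceGroup

# Network rule: TCP/3389 from the workload subnet to one destination only.
# Pinning source and destination keeps this from becoming "RDP to anywhere".
$rdpRule = New-AzureRmFirewallNetworkRule -Name 'allow-rdp-to-target' -Protocol TCP `
    -SourceAddress $sourceSubnet -DestinationAddress $rdpTarget -DestinationPort 3389
$netColl = New-AzureRmFirewallNetworkRuleCollection -Name 'net-allow' -Priority 200 `
    -Rule $rdpRule -ActionType Allow

# Application rule: http and https to *.microsoft.com only, as in the post.
$webRule = New-AzureRmFirewallApplicationRule -Name 'allow-microsoft-com' `
    -SourceAddress $sourceSubnet -Protocol 'http:80', 'https:443' -TargetFqdn '*.microsoft.com'
$appColl = New-AzureRmFirewallApplicationRuleCollection -Name 'app-allow' -Priority 200 `
    -Rule $webRule -ActionType Allow

# Attach both collections and push the change to the firewall resource
$fw.AddNetworkRuleCollection($netColl)
$fw.AddApplicationRuleCollection($appColl)
Set-AzureRmFirewall -AzureFirewall $fw

# Read the firewall back and list what is now in effect
$fw = Get-AzureRmFirewall -Name $fwName -ResourceGroupName $fwResourceGroup
$fw.NetworkRuleCollections     | ForEach-Object { $_.Rules } |
    Format-List Name, Protocols, SourceAddresses, DestinationAddresses, DestinationPorts
$fw.ApplicationRuleCollections | ForEach-Object { $_.Rules } |
    Format-List Name, SourceAddresses, Protocols, TargetFqdns
```

Anything not matched by an allow rule in either collection stays denied, which is the behaviour the telnet and browser tests above showed before the rules existed.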
Without Azure Firewall, to get the ability to filter http/https traffic like this you'd have to deploy a Network Virtual Appliance (NVA), and to control what can route to where in your Azure infrastructure you'd require an NVA or something like a Linux IaaS server running iptables.
Azure Firewall looks like a good solution for filtering internet traffic and for controlling routing between servers in Azure. Compared to some NVA devices or iptables it may be more basic (at the moment), but it certainly does offer what I see a lot of people asking for.
This ARM template will deploy x number of virtual machines (it takes the number you need as a parameter), a storage account in the target resource group for boot diagnostics, deploys the VMs in an availability group and deploys x number of data disks per VM. Both the number of data disks (per VM) and their size are parameters. It attaches the VMs to an existing vNet/subnet, both of which are parameters. It also sets the locale to UK on Windows servers using a custom script extension, as per https://www.lewisroberts.com/2017/03/01/set-language-culture-timezone-using-powershell/
Template over on my Github page https://github.com/pagyP/AzARM/tree/master/VMs
This template will be updated over time to include additional functionality.
Baseline security policy for Azure AD admin accounts in public preview! – Enterprise Mobility + Security
— Read on cloudblogs.microsoft.com/enterprisemobility/2018/06/22/baseline-security-policy-for-azure-ad-admin-accounts-in-public-preview/