Category: Active Directory


Here are resources about Azure and Office365,

let me summarize:

Office365 : is an offer of MS services and hosted applications – Saas ; in clear you pay for a service (sharepoint,exchange,office…) and you don’t manage the infra behind (like CPU,RAM,Storage,Security)

Azure: is a cloud (private/public) offer – paas/Iaas ; compared to Office365, MS provide just the plumbery (hyper-v, Storage, CPU, RAM, network) and you manage the applications, the Operating system, the security and patches, the applications ; in short “it is like a lego or a Mecano!”, and with Azure you can mix your on-premises IT infra with Azure in the cloud (and vice-versa)

Web resources for Azure  / Office 365:

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Azure AD Blog: http://blogs.technet.com/b/ad/

Azure Powershell: https://azure.microsoft.com/en-us/blog/azps-1-0/?utm_content=buffer067b3&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Azure RMS blog: http://blogs.msdn.com/b/rms/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/

Azure training kit: http://www.microsoft.com/en-us/download/details.aspx?id=8396

FAQ and enhancement suggestions: http://www.mygreatwindowsazureidea.com/forums/34192-general-feedback

portal and management: https://manage.windowsazure.com

main: http://www.windowsazure.com     calculatrice: http://aka.ms/calculatrice      white papers: http://aka.ms/livresblancs     FR blog: http://aka.ms/AzurBlogFr

Security: http://aka.ms/trustcenter   http://aka.ms/px2ahn

To go deeper:  http://aka.ms/MsdnAzureFr     Forum: http://aka.ms/ForumSupport     channel9:  http://aka.ms/Channel9AzureFr     Dashboard/SLAB: http://aka.ms/AzureDashboard

Blogs: http://blog.jeanlucboucho.com

Prerequisites before using Azure:

Prepare your environment: http://msdn.microsoft.com/en-us/library/windowsazure/jj554332.aspx

Need certificates: http://msdn.microsoft.com/en-us/library/windowsazure/gg981929.aspx

How to use CSUpload?

How do you get CSUPLOAD?

CSUPLOAD is part of the Windows Azure SDK. After installing all components, it finds you csupload under the following path:
“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload.exe”
How does CSUPLOAD work?

CSUPLOAD is a command console program that the VHDs in the uploads BLOB storage account and authenticated to the azure cloud client certificates.
Overall it with Visual Studio is very simple and fast to create the appropriate certificates, and to distribute them to the appropriate locations through the function
“Publish to Azure” that requires requires developer know-how or you experience with the Visual Studio.

CSUpload syntax reference:
http://msdn.microsoft.com/en-us/library/gg466228.aspx

Managing disks and images:
http://msdn.microsoft.com/en-us/library/windowsazure/jj672979.aspx

How to:http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http://blogs.technet.com/b/patrick_heyde/archive/2012/07/12/windows-azure-csupload-setup-amp-how-to.aspx

the article above refers to: http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fblogs.msdn.com%2Fb%2Favkashchauhan%2Farchive%2F2011%2F09%2F21%2Fhow-to-generate-2048-bit-certificate-with-makecert-exe.aspx

Example:

CSUPLOAD how to?

# Create exportable certificate for Azure (use -pe to be exportable)
makecert -r -pe -n “CN=My Azure IaaS Cert2048” -a sha1 -ss My -len 2048 -sy 24 -b 07/08/2013 -e 07/08/2014

then open mmc,load certificates snap-in, My user, personal,
select the certificate, export
to D:\Contoso
MyAzureCertificate.cer

upload the certificate, from the Azure portal, settings, certificates management

get the thumbprint: 4D15540AFD7182964651826BE133FB3C868BA4D1

Now with csupload:

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” Set-Connection “SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net”

# just for fun

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-Connection
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
ConnectionString          : SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net/
SubscriptionId            : eaea9c22-cc5a-4da2-8dd2-d89837f042b7
CertificateSubjectName    : CN=Amadeus Azure IaaS Cert2048
CertificateThumbprint     : 4D15540AFD7182964651826BE133FB3C868BA4D1
ServiceManagementEndpoint : https://management.core.windows.net/

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-location
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Location : West US

Location : East US

Location : East Asia

Location : Southeast Asia

Location : North Europe

Location : West Europe

A total of 6 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-hostedservice
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name          : amazure
Label         : amazure
Location      : North Europe

A total of 1 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-disk
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name                : Contoso-Contoso-0-201308011545510947
Location            : North Europe
OS                  : Windows
LogicalDiskSizeInGB : 128
MediaLink           : http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/amazure-Contoso-2013-08-01.vhd
SourceImageName     : a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-Datacenter-201306.01-en.us-127GB.vhd

A total of 1 record(s) were found.

—————————————–
Upload a disk (vhd) to Azure:

You can use the Add-Disk parameter of the CSUpload Command-Line Tool to upload a .vhd file and register it in Windows Azure as either an operating system disk or a data disk.
An image is a VHD that has been generalized and is used to create an operating system disk. An operating system disk is a VHD that contains specific settings for a virtual machine.

Specifies a VHD file to be uploaded as a disk. A VHD file that has been uploaded as a disk can be used to create a virtual machine if the file contains an operating system or it can be used to create a data disk that can be attached to a virtual machine.
•–Connection <string> – (Optional if the Set-Connection command has been run) Specifies the connection string that is used to connect to Windows Azure. The connection string contains the identifier of your Windows Azure subscription and the thumbprint of the management certificate that you created to enable API access to the subscription. The connection string is provided in the following format: “SubscriptionID=subscription-id;CertificateThumbprint=cert-thumbprint;ServiceManagementEndpoint=https://management.core.windows.net”. You can find the subscription identifier and certificate thumbprint in Management Portal.
•-Destination <string> – Specifies the blob storage account where the VHD file is stored. The destination includes the endpoint of the account, the container in the account where the file is stored, and the name of the VHD file. For example,”http://auxpreview146imagestore.blob.core.azure-preview.com/mydisks/mydisk.vhd&#8221;
•-Label <string> – Specifies the identifier that is used for the disk in the Management Portal.
•-LiteralPath <string> – Specifies the location and name of the VHD file to upload as a disk.
•-Name <string> – (Optional) Specifies the name to be used for the VHD file that is being uploaded.
•-OS <string> – (Optional) If the VHD file that is being uploaded contains an operating system to be used with a virtual machine, you must include this parameter with the value of Windows or Linux depending on the type of operating system that is installed.
•-Overwrite – (Optional) Indicates that you intend to overwrite an existing VHD file with a new file.

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/SP2010.vhd -label SP2010 -literalpath d:\contoso\contoso1.vhd -name contoso1.vhd -os Windows

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/EX2010.vhd -label EX2010 -literalpath d:\contoso\contoso2.vhd -name contoso2.vhd -os Windows

What is DSRM?

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Note: Do not confuse DSRM with Safe Mode. Active Directory will still attempt to start in Safe Mode and if it fails you will not be able to log on. Instead use DSRM.

You can log on to DSRM by using a special DSRM password that you set when you promoted the domain controller. Use the logon account name .\Administrator

Windows Server 2008-2016: DSRM is only needed when you are using remote desktop software, or when doing a domain-wide restore or a forest-wide restore, or when AD is so damaged that it will not boot.

How to Log on to DSRM

After booting DSRM (see below) click on Switch User -> Other User. When prompted for the logon account name type .\Administrator

The initial logon prompt will show the account name MyDomain\Administrator, where MyDomain is the name of the domain. This is incorrect and will not work. You must click on Switch User and manually type the name .\Administrator.

If you forgot the DSRM password, you can reset the password using ntdsutil. See Reset DSRM Password on Internet.

If you forgot the DSRM password and you also forgot your Active Directory password, see Changing a Lost Domain Administrator Password on Internet.
How to Boot DSRM: F8 Key

To manually boot in Directory Services Restore Mode, press the F8 key repeatedly. Do this immediately after BIOS POST screen, before the Windows logo appears. (Timing can be tricky; if the Windows logo appears you waited too long.) A text menu menu will appear. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Then press the Enter key.

Windows 8 or later: The F8 key is disabled on desktop editions of Windows 8 or later. If you want to boot into Safe Mode, run msconfig and select Minimal. Then reboot.
How to Boot DSRM: msconfig.exe

You can configure Windows to boot DSRM using msconfig.exe:
1.Click on Start (or press WIN+X) -> Run.
2.In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3.Click on the tab Boot (top).
4.Under “Boot options” check the box Safe boot.
5.Select Active Directory repair and click OK.
6.Reboot the computer: Click on Start (or press WIN+X -> Shut down or sign out -> Restart.

This will boot the computer into DSRM.

To boot normally, reverse the procedure:
1.Click on Start (or press WIN+X) -> Run.
2.In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3.Click on the tab Boot (top).
4.Under “Boot options” uncheck the box Safe boot and click OK.
5.Reboot the computer: Click on Start (or press WIN+X -> Shut down or sign out -> Restart.

This will boot the computer back into normal mode.
How to Boot DSRM: Bcdedit

On Windows Server 2008 or later you can run bcdedit inside of an administrative console:
1.To boot DSRM, type the command bcdedit /set safeboot dsrepair, then reboot: shutdown /r /f /t 5.
2.When you are ready to boot normally, type bcdedit /deletevalue safeboot, then reboot: shutdown /r /f /t 5.

You can use this procedure when a graphical user interface (GUI) is not available (e.g., on Server Core).

https://www.myotherpcisacloud.com/post/SRV-Record-for-NTP-In-MY-Active-Directory

 

What’s new in ADFS 2016?

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server-2016?f=255&MSPPError=-2147217396

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described here. It works for WID or SQL farms, though the document shows only the WID scenario.

 

Technet article: https://technet.microsoft.com/en-us/library/cc978014.aspx

” Explanation:

When a requested object exists in the directory but is not present on the contacted domain controller, name resolution depends on that domain controller’s knowledge of how the directory is partitioned. In a partitioned directory, by definition, the entire directory is not always available on any one domain controller.

An LDAP referral is a domain controller’s way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the referred-to domain controller to generate yet another referral, although it usually does not take long to discover that the object does not exist and to inform the client. Active Directory returns referrals in accordance with RFC 2251. ”

Atlassian KB article: https://confluence.atlassian.com/confkb/user-lookups-fail-with-partialresultexceptions-due-to-active-directory-follow-referrals-configuration-612959323.html

 

 

Microsoft’s file systems organize storage devices based on cluster size. Also known as the allocation unit size, cluster size represents the smallest amount of disk space that can be allocated to hold a file. Because ReFS and NTFS don’t reference files at a byte granularity, the cluster size is the smallest unit of size that each file system can reference when accessing storage. Both ReFS and NTFS support multiple cluster sizes, as different sized clusters can offer different performance benefits, depending on the deployment.

Full article from MS: https://blogs.technet.microsoft.com/filecab/2017/01/13/cluster-size-recommendations-for-refs-and-ntfs/

Summary:

ReFS cluster sizes

ReFS offers both 4K and 64K clusters. 4K is the default cluster size for ReFS, and we recommend using 4K cluster sizes for most ReFS deployments because it helps reduce costly IO amplification:

  • In general, if the cluster size exceeds the size of the IO, certain workflows can trigger unintended IOs to occur. Consider the following scenarios where a ReFS volume is formatted with 64K clusters:
    • Consider a tiered volume. If a 4K write is made to a range currently in the capacity tier, ReFS must read the entire cluster from the capacity tier into the performance tier before making the write. Because the cluster size is the smallest granularity that the file system can use, ReFS must read the entire cluster, which includes an unmodified 60K region, to be able to complete the 4K write.
    • If a cluster is shared by multiple regions after a block cloning operation occurs, ReFS must copy the entire cluster to maintain isolation between the two regions. So if a 4K write is made to this shared cluster, ReFS must copy the unmodified 60K cluster before making the write.
    • Consider a deployment that enables integrity streams. A sub-cluster granularity write will cause the entire cluster to be re-allocated and re-written, and the new checksum must be computed. This represents additional IO that ReFS must perform before completing the new write, which introduces a larger latency factor to the IO operation.
  • By choosing 4K clusters instead of 64K clusters, one can reduce the number of IOs that occur that are smaller than the cluster size, preventing costly IO amplifications from occurring as frequently.

Additionally, 4K cluster sizes offer greater compatibility with Hyper-V IO granularity, so we strongly recommend using 4K cluster sizes with Hyper-V on ReFS.  64K clusters are applicable when working with large, sequential IO, but otherwise, 4K should be the default cluster size.

NTFS cluster sizes

NTFS offers cluster sizes from 512 to 64K, but in general, we recommend a 4K cluster size on NTFS, as 4K clusters help minimize wasted space when storing small files. We also strongly discourage the usage of cluster sizes smaller than 4K. There are two cases, however, where 64K clusters could be appropriate:

  • 4K clusters limit the maximum volume and file size to be 16TB
    • 64K cluster sizes can offer increased volume and file capacity, which is relevant if you’re are hosting a large deployment on your NTFS volume, such as hosting VHDs or a SQL deployment.
  • NTFS has a fragmentation limit, and larger cluster sizes can help reduce the likelihood of reaching this limit
    • Because NTFS is backward compatible, it must use internal structures that weren’t optimized for modern storage demands. Thus, the metadata in NTFS prevents any file from having more than ~1.5 million extents.
      • One can, however, use the “format /L” option to increase the fragmentation limit to ~6 million. Read more here.
    • 64K cluster deployments are less susceptible to this fragmentation limit, so 64K clusters are a better option if the NTFS fragmentation limit is an issue. (Data deduplication, sparse files, and SQL deployments can cause a high degree of fragmentation.)
      • Unfortunately, NTFS compression only works with 4K clusters, so using 64K clusters isn’t suitable when using NTFS compression. Consider increasing the fragmentation limit instead, as described in the previous bullets.

While a 4K cluster size is the default setting for NTFS, there are many scenarios where 64K cluster sizes make sense, such as: Hyper-V, SQL, deduplication, or when most of the files on a volume are large.

Some interesting sites:

 

Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Securing Domain Controllers to Improve Active Directory Security

 

Download sysmon:

NEW: Sysmon 6.0 is available ! : https://technet.microsoft.com/en-us/sysinternals/sysmon  and how to use it:

Installation and usage:

List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir

Mark russinovitch’s RSA conference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

Sysmon config files explained:

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml

https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/

View story at Medium.com

Else other install guides:

Sysinternals Sysmon unleashed

http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

 

Detecting APT with Sysmon:

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

 

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

Sysmon with Splunk:

http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

https://securitylogs.org/tag/sysmon/

Sysmon log analyzer/parsing sysmon event log:

https://github.com/CrowdStrike/Forensics/blob/master/sysmon_parse.cmd

https://digital-forensics.sans.org/blog/2014/08/12/sysmon-in-malware-analysis-lab

https://github.com/JamesHabben/sysmon-queries

http://blog.crowdstrike.com/sysmon-2/

logparser: http://www.microsoft.com/en-us/download/confirmation.aspx?id=24659

logparser GUI: http://lizard-labs.com/log_parser_lizard.aspx

Web article:

https://technet.microsoft.com/en-us/library/cc784450(v=ws.10).aspx

 

How to test SSL/TLS:

You can easily see what SSL protocol a server supports (and even grab the certificate from there) example below with openSSL:

openssl s_client -connect myserver.mydomain.local:636 -ssl3
openssl s_client -connect myserver.mydomain.local:636 -tls1
openssl s_client -connect myserver.mydomain.local:636 -tls1_1
openssl s_client -connect myserver.mydomain.local:636 -tls1_2

All those reports successfull connection SSL handshake and present the proper server certificate.

And it is very easy anyway for a client to get supported SSL protocols on a remote server, it is how client <==> server handshake works to
select an agreed protocol supported on both sides.

I suggest you check on application side …

# nmap –script ssl-enum-ciphers -p 636 myserver.mydomain.local

Starting Nmap 6.46 ( http://nmap.org ) at 2017-02-16 18:22 CET
Nmap scan report for myserver.mydomain.local (172.19.133.64)
Host is up (0.025s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
| TLS_RSA_WITH_RC4_128_MD5 – strong
| TLS_RSA_WITH_RC4_128_SHA – strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA – strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA – strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA – strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA – strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
| TLS_RSA_WITH_AES_128_CBC_SHA – strong