Mailbag: Starting To Get The Hang Of This (Issue #9)

Hey y’all, Mark, Tom and Hilde back for another mailbag Friday. Keep the questions coming and we’ll keep answering them. This week we are getting back into the Hyper-V pool and, as always, some ADFS goodness. Let’s get into it.

FREE Security & The Cloud Virtual Event

Domain Admin credentials while installing ADFS

.NET versions and support life cycle

Hardened OS with Hyper-V cluster

Querying VMs and determine if they are running in Azure

Stuff from the Interwebs


Question

Are there any free Security and the Cloud events taking place that I need to know about?

Answer

There happens to be one right around the corner: an online virtual event on March 25th, 2015. You can register here.

Question

I run a tight ship with my Domain Admin credentials. If ADFS needs DA to install, it must be changing something in AD. What is it?

Answer

Two things. First, we create the DKM container to protect the keys that allow the token-signing and token-decrypting certificates to be shared across the farm when you are using self-signed certificates. Second, we set the SPN HOST/adfs.contoso.com on the service account so that Windows Integrated Authentication works.
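Since the question is about what DA actually touched, here is an added check script (not from the original post, not ADFS's own tooling) that verifies both changes after the install. It assumes the RSAT ActiveDirectory module on the box you run it from; the service account name `svc_adfs` is a placeholder, and `adfs.contoso.com` is the name used in the answer above.

```powershell
# Added example, not code from the original post. Confirms the two AD changes
# the ADFS installer needs Domain Admin for. Assumes the RSAT ActiveDirectory
# module; $ServiceAccount is a placeholder name.
param(
    [string]$ServiceAccount = 'svc_adfs',                # assumed account name
    [string]$FederationServiceName = 'adfs.contoso.com'  # name from the post
)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1) DKM container: the installer creates it under
#    CN=ADFS,CN=Microsoft,CN=Program Data,<domain> as a GUID-named child container.
$dkmParent = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDN"
try {
    $dkm = Get-ADObject -SearchBase $dkmParent -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=container)'
    if ($dkm) {
        "DKM container present: $($dkm.DistinguishedName -join '; ')"
        # The container ACL is what protects the keys; list who is allowed on it
        # so an unexpected principal (beyond the service account and admins) stands out.
        (Get-Acl -Path "AD:\$($dkm[0].DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            Select-Object IdentityReference, ActiveDirectoryRights
    } else {
        "No DKM container found under $dkmParent"
    }
} catch {
    "ADFS container not found under CN=Program Data: $($_.Exception.Message)"
}

# 2) HOST SPN on the service account, needed for Windows Integrated Authentication.
$expectedSpn = "HOST/$FederationServiceName"
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
if ($acct.servicePrincipalName -contains $expectedSpn) {
    "SPN $expectedSpn is registered on $ServiceAccount"
} else {
    "SPN $expectedSpn is missing on $ServiceAccount; register it with:"
    "  setspn -S $expectedSpn $((Get-ADDomain).NetBIOSName)\$ServiceAccount"
}

# The same SPN registered on a second account breaks Kerberos for the farm;
# -Q searches the forest for every account that has it.
setspn.exe -Q $expectedSpn
```

Run it once as a normal domain user after the install: the DKM container and the SPN are both readable without DA, which is also the point of the answer above; DA was only needed to create them.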

Question

I am trying to get a handle on .NET versions and support lifecycle – got any tips?

Answer

Here is a FAQ for .NET versions and OS support: http://support.microsoft.com/gp/Framework_FAQ

Question

I want to run Hyper-V on a cluster, but I'm running into issues with our 'hardened' OS build. Any insight?

Answer

I recently worked through a couple of tripping points for Hyper-V and Clustering caused by some common hardening steps:

  • The "Create symbolic links" user right is often restricted and set to <blank> or "No one".
    • On a Hyper-V host, “NT VIRTUAL MACHINE\Virtual Machines” needs that user right.



  • The "Deny access to this computer from the network" user right is often set to include the "Local account" group, to stop local accounts from accessing the computer remotely. Failover Clustering creates a non-administrative local account that needs network access (the Failover Cluster Virtual Adapter that carries cluster communications uses it), so this setting breaks the cluster.


  • You CAN still restrict this user right to local accounts that are also local admins via a new group added in 2012 R2 called “Local account and member of Administrators group”.


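To check a hardened host against both tripping points before it joins the cluster, here is an added audit script (not from the original post). It exports the local user-rights policy with secedit and compares the two rights above against the well-known SIDs for the principals named: S-1-5-83-0 for "NT VIRTUAL MACHINE\Virtual Machines", S-1-5-113 for "Local account" and S-1-5-114 for "Local account and member of Administrators group". The temp file name is an assumption; run it elevated, since secedit needs admin rights.

```powershell
# Added example, not code from the original post. Audits the two user rights
# discussed above on the local host. Run elevated; secedit needs admin rights.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # assumed temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $cfg

# Parse a "SeXxx = *SID,*SID,Name" line into its entries (SIDs carry a leading *).
# A right granted to no one is either absent or has an empty right-hand side.
function Get-UserRightEntries {
    param([string[]]$Lines, [string]$Right)
    $line = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

# Well-known SIDs for the principals the post names.
$VirtualMachines   = 'S-1-5-83-0'   # NT VIRTUAL MACHINE\Virtual Machines
$LocalAccount      = 'S-1-5-113'    # Local account
$LocalAdminAccount = 'S-1-5-114'    # Local account and member of Administrators group

$symlink = Get-UserRightEntries -Lines $policy -Right 'SeCreateSymbolicLinkPrivilege'
$denyNet = Get-UserRightEntries -Lines $policy -Right 'SeDenyNetworkLogonRight'

# Tripping point 1: Hyper-V needs the Virtual Machines group to create symbolic links.
if ($symlink -contains $VirtualMachines) {
    "OK   Create symbolic links includes NT VIRTUAL MACHINE\Virtual Machines"
} else {
    "FAIL Create symbolic links is [$($symlink -join ', ')]; Hyper-V needs $VirtualMachines"
}

# Tripping point 2: denying network logon to all local accounts breaks the
# Failover Clustering account; the local-admins-only group is the safe alternative.
if ($denyNet -contains $LocalAccount) {
    "FAIL Deny network logon includes 'Local account' ($LocalAccount); this blocks the"
    "     Failover Clustering local account. Use $LocalAdminAccount instead."
} elseif ($denyNet -contains $LocalAdminAccount) {
    "OK   Deny network logon restricts only local admins ($LocalAdminAccount)"
} else {
    "INFO Deny network logon does not reference local accounts: [$($denyNet -join ', ')]"
}

Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

If the host gets these rights from a domain GPO rather than local policy, the exported file still reflects the effective setting, so the output tells you which GPO to fix rather than which local setting.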

Question

We have a large deployment of Azure VMs domain-joined to our on-prem AD. How can I query VMs and determine if they are running in Azure?

Answer

Here are a couple of methods…

1) Use the script here to query for a specific DHCP option that is used in Azure –

2) If you're looking for something a bit more lightweight, you can query for some aspect of the VM Agent (this assumes the VM Agent is installed on the guest).

  • Query for "Windows Azure" services on the VM:


  • Query for the existence of this folder on the VM: "C:\WindowsAzure\"
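Here is the second method run at scale, as an added example that is not from the original post: it enumerates enabled Windows computer accounts from AD and runs both lightweight checks (VM Agent services and the C:\WindowsAzure\ folder) on each one over PowerShell Remoting. It assumes the RSAT ActiveDirectory module where it runs and WinRM reachable on the targets; the service display-name pattern "Windows Azure*" is an assumption about how the agent's services are named.

```powershell
# Added example, not code from the original post. Runs the two lightweight
# checks above against every enabled Windows computer account in AD over
# PowerShell Remoting. Assumes the RSAT ActiveDirectory module and WinRM.
Import-Module ActiveDirectory

# Probe that runs on each guest: VM Agent services and the agent's install folder.
$probe = {
    # Display-name pattern is an assumption about the VM Agent's service names.
    $svc = Get-Service -DisplayName 'Windows Azure*' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AzureServices = @($svc | ForEach-Object Name) -join ','
        AzureFolder   = Test-Path -Path 'C:\WindowsAzure\'
    }
}

$targets = Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object { $_.Enabled -and $_.OperatingSystem -like '*Windows*' } |
    Select-Object -ExpandProperty DNSHostName

$results = Invoke-Command -ComputerName $targets -ScriptBlock $probe `
                          -ThrottleLimit 32 -ErrorAction SilentlyContinue

$results |
    Select-Object ComputerName, AzureServices, AzureFolder,
        @{ Name = 'LikelyAzure'; Expression = { [bool]$_.AzureServices -or $_.AzureFolder } } |
    Sort-Object ComputerName |
    Format-Table -AutoSize

# Machines that never answered are unknown, not "not Azure"; list them separately.
$unreached = $targets | Where-Object { $_ -notin $results.PSComputerName }
"Unreached: $($unreached.Count)"
```

Both checks only prove the VM Agent is (or was) installed: an image built in Azure and later moved on-prem keeps the folder and services, and a guest without the agent shows nothing even when it is in Azure. Where the answer matters, cross-check the hits against method 1, which looks at what the Azure fabric hands the VM rather than at what is installed on it.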


Stuff from the Interwebs

-There is a Mexican wrestling league that has 3, that’s right 3, different groups of Teenage Mutant Ninja Turtles feuding with each other.

-Marvel’s Avengers: Age of Ultron trailer came out if you missed that.

-It’s almost baseball season here in America which means teams are at spring training. Will Ferrell is playing all 9 positions in 8 games.

-Daylight savings started this past Sunday which explains why everyone is sort of in a bad mood. John Oliver on Last Week Tonight, which is probably my favorite show on Sundays, asks “How is this still a thing?”


Mark “perpetually tired” Morowczynski, Tom “farm people” Moser and Michael “Cowabunga” Hildebrand