Mailbag: Starting To Get The Hang Of This (Issue #9)

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

Hey y’all, Mark, Tom and Hilde are back for another mailbag Friday. Keep the questions coming and we’ll keep answering them. This week we are getting back into the Hyper-V pool and, as always, some ADFS goodness. Let’s get into it.

FREE Security & The Cloud Virtual Event

Domain Admin credentials while installing ADFS

.NET versions and support life cycle

Hardened OS with Hyper-V cluster

Querying VMs and determine if they are running in Azure

Stuff from the Interwebs

Question

Are there any free Security and the Cloud events taking place that I need to know about?

Answer

There happens to be one right around the corner: an online virtual event on March 25th, 2015. You can register here.

Question

I run a tight ship with my Domain Admin credentials. If ADFS needs DA to install it must be changing something in AD. What is it?

Answer

Two things. First, we create the DKM (Distributed Key Manager) container in AD to protect the keys that allow the token-signing and token-decrypting certificates to be shared across the farm when you are using self-signed certificates. Second, we set the SPN HOST/adfs.contoso.com on the service account so that Windows Integrated Authentication works.
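If you want to confirm both changes after the install (and make sure nobody else can read the DKM key material), here is an added check script that is not part of the original post. It assumes the RSAT ActiveDirectory module; the service account name svc-adfs is an assumption, adfs.contoso.com is the name used above.

```powershell
# Added example (not from the original post): verify the two AD changes the ADFS install
# makes with Domain Admin rights. Assumes the RSAT ActiveDirectory module is installed;
# 'svc-adfs' is an assumed service account name, adfs.contoso.com is from the post.
Import-Module ActiveDirectory

$svcAccount = 'svc-adfs'
$spn        = 'HOST/adfs.contoso.com'

# 1) SPN: must be on the service account, and on no other account (a duplicate SPN breaks
#    Kerberos, so Windows Integrated Authentication falls back to prompts or fails).
$acct = Get-ADUser -Identity $svcAccount -Properties servicePrincipalName
if ($acct.servicePrincipalName -contains $spn) { "OK: $spn is set on $svcAccount" }
else { "FINDING: $spn is not set on $svcAccount" }

$others = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
          Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
if ($others) { "FINDING: duplicate SPN on $($others.DistinguishedName -join '; ')" }

# 2) DKM container: created by default under CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN>.
#    It protects the shared token-signing/decrypting certificates, so read access should be
#    limited to the ADFS service account and your normal AD admins; review the ACL.
$dkmRoot = "CN=ADFS,CN=Microsoft,CN=Program Data,$((Get-ADDomain).DistinguishedName)"
try {
    $dkm = Get-ADObject -SearchBase $dkmRoot -SearchScope OneLevel -Filter *
    "OK: DKM container(s) found: $($dkm.DistinguishedName -join '; ')"
    (Get-Acl -Path "AD:\$dkmRoot").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights |
        Format-Table -AutoSize
} catch {
    "FINDING: no DKM container under $dkmRoot ($($_.Exception.Message))"
}
```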

Question

I am trying to get a handle on .NET versions and support lifecycle – got any tips?

Answer

Here is a FAQ for .NET versions and OS support: http://support.microsoft.com/gp/Framework_FAQ

Question

I want to run Hyper-V on a Cluster but I'm running into issues with our 'hardened' OS build. Any insight?

Answer

I recently worked through a couple of tripping points for Hyper-V and Clustering caused by some common hardening steps:

  • The "Create symbolic links" User Right is often restricted and set to <blank> or "No one".
    • For a Hyper-V host, “NT VIRTUAL MACHINE\Virtual Machines” needs to have that user right.

  • The "Deny access to this computer from the network" User Right is often set to include the "Local account" group to restrict local accounts from accessing the computer remotely. Failover Clustering creates a non-administrative local account that needs network access to the node (it is used by the Failover Cluster Virtual Adapter that provides cluster communications), so denying "Local account" breaks the cluster.

  • You CAN still restrict this user right to local accounts that are also local admins via a new group added in 2012 R2 called “Local account and member of Administrators group”.

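To audit a cluster node for exactly these two settings, here is an added script (not from the original post) that exports the local security policy with secedit and checks the assigned SIDs. It assumes an elevated PowerShell session; the export file path is an assumption.

```powershell
# Added example (not from the original post): audit the two User Rights discussed above on a
# Hyper-V cluster node. Assumes an elevated session; the temp file path is an assumption.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg

# Returns the SIDs assigned to a user right; exported lines look like
#   SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
function Get-RightSids([string]$rightName) {
    $line = $policy | Where-Object { $_ -like "$rightName*" } | Select-Object -First 1
    if (-not $line) { return @() }   # right not present = assigned to no one
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$vmSid           = 'S-1-5-83-0'   # NT VIRTUAL MACHINE\Virtual Machines
$localAccountSid = 'S-1-5-113'    # Local account
$localAdminSid   = 'S-1-5-114'    # Local account and member of Administrators group (2012 R2+)

$symlink = Get-RightSids 'SeCreateSymbolicLinkPrivilege'
if ($symlink -contains $vmSid) { 'OK: "Virtual Machines" holds "Create symbolic links"' }
else { 'FINDING: add "NT VIRTUAL MACHINE\Virtual Machines" to "Create symbolic links"' }

$denyNet = Get-RightSids 'SeDenyNetworkLogonRight'
if ($denyNet -contains $localAccountSid) {
    'FINDING: "Local account" is denied network logon; this blocks the cluster local account. Use S-1-5-114 instead.'
} elseif ($denyNet -contains $localAdminSid) {
    'OK: only local accounts that are also Administrators are denied network logon'
} else {
    'INFO: no local-account entry in "Deny access to this computer from the network"'
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```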
Question

We have a large deployment of Azure VMs domain-joined to our on-prem AD. How can I query VMs and determine if they are running in Azure?

Answer

Here are a couple of methods…

1) Use the script here to query for the Azure-specific DHCP option.

2) If you're looking for something a bit more lightweight, you can query for some aspect of the VM Agent (this assumes the VM Agent is installed on the guest).

  • Query for "Windows Azure" services on the VM.

  • Query for the existence of this folder on the VM: "C:\WindowsAzure\"

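Here is an added script (not from the original post) that runs both of those VM Agent checks against a list of domain-joined computers over PowerShell remoting. It assumes WinRM is enabled on the targets; the computer names are constructed placeholders.

```powershell
# Added example (not from the original post): look for the VM Agent footprint described above
# on a list of computers. Assumes WinRM is enabled; the computer names are placeholders.
$computers = @('VM01', 'VM02', 'ONPREM01')

$scan = {
    # Both tests are heuristics: a guest without the VM Agent installed will look on-prem.
    $agentSvc = Get-Service -DisplayName 'Windows Azure*' -ErrorAction SilentlyContinue
    $folder   = Test-Path -Path 'C:\WindowsAzure\'
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        AzureServices = ($agentSvc | ForEach-Object Name) -join ','
        AzureFolder   = $folder
        LikelyAzure   = ([bool]$agentSvc) -or $folder
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $scan -ErrorAction SilentlyContinue
$results | Select-Object Computer, LikelyAzure, AzureServices, AzureFolder | Format-Table -AutoSize

# Computers that did not answer deserve a separate look rather than being assumed on-prem.
$missing = $computers | Where-Object { $_ -notin $results.Computer }
if ($missing) { "No response from: $($missing -join ', ')" }
```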
Stuff from the Interwebs

-There is a Mexican wrestling league that has 3, that’s right 3, different groups of Teenage Mutant Ninja Turtles feuding with each other.

-Marvel’s Avengers: Age of Ultron trailer came out if you missed that.

-It’s almost baseball season here in America which means teams are at spring training. Will Ferrell is playing all 9 positions in 8 games.

-Daylight savings started this past Sunday which explains why everyone is sort of in a bad mood. John Oliver on Last Week Tonight, which is probably my favorite show on Sundays, asks “How is this still a thing?”

Mark “perpetually tired” Morowczynski, Tom “farm people” Moser and Michael “Cowabunga” Hildebrand