Thursday, March 14, 2019

TIP 0005: Test bad SSL

This is a tool that describes itself as a "memorable site for testing clients against bad SSL configs":

https://badssl.com/

Tuesday, February 26, 2019

Easy and Free 2FA enabled Secure VPN solution in Azure


Long have I looked for a secure and easy-to-set-up alternative to a "Jumpbox" or bastion server solution in Azure. Secure access always seems to add a lot of management overhead and cost to a project. Either you have to create a separate RDS server and pay for the licenses, or you have to use the Client VPN solution in Azure, which is limited.

Luckily, Pritunl has a great open-source VPN product which you can use to limit your exposure to the outside world. Under the hood, Pritunl is built on the OpenVPN protocol, which we all know and love, and you can easily enable 2FA with minimal setup.

To set up Pritunl, simply create a new Ubuntu VM image from the Azure marketplace. I used the latest 18.04-LTS image, but all other flavors of Linux will work as shown in the Installation documentation.

There really isn't much to the setup; I simply ran the "Ubuntu Bionic" commands listed in their documentation:


sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list << EOF
deb https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse
EOF
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt bionic main
EOF
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl mongodb-server
sudo systemctl start pritunl mongodb
sudo systemctl enable pritunl mongodb

Once that was completed, I simply opened the required SSH, HTTP/HTTPS and VPN ports, limiting them to only my IP range. Please note that your VPN port may change when setting up the server.
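
The port restriction described above can be checked after the fact. The following is an added example, not part of the original post or Pritunl's documentation: it audits NSG rules exported as JSON (for instance with `az network nsg rule list -o json`) and reports inbound Allow rules that leave the bastion ports open to any source. The rule names, addresses and the VPN port 12345 are constructed sample values.

```python
import json

# Constructed sample shaped like NSG rule JSON (fields trimmed to those used).
SAMPLE_RULES = json.loads("""[
 {"name": "ssh-from-office", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
 {"name": "web-console", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "destinationPortRange": null, "destinationPortRanges": ["80", "443"]},
 {"name": "vpn-udp", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "Internet", "destinationPortRange": "12000-13000"},
 {"name": "deny-rest", "direction": "Inbound", "access": "Deny",
  "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

# Source values that mean "anyone on the internet".
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}
# SSH, HTTP, HTTPS, plus a constructed VPN port (yours may differ).
BASTION_PORTS = [22, 80, 443, 12345]


def port_matches(port, spec):
    """True if `port` falls inside an NSG port spec: "*", "443" or "1000-2000"."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def exposed_rules(rules, ports=BASTION_PORTS):
    """Return (rule name, exposed ports) for inbound Allow rules open to any source."""
    # Rule priority is not modelled, so a finding is a prompt to review the rule.
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
        if not any(s and s.lower() in OPEN_SOURCES for s in sources):
            continue
        specs = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
        hit = [p for p in ports if any(s and port_matches(p, s) for s in specs)]
        if hit:
            findings.append((rule["name"], hit))
    return findings


if __name__ == "__main__":
    for name, hit in exposed_rules(SAMPLE_RULES):
        print(f"{name}: open to any source on ports {hit}")
```
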


When browsing to the web console, you're asked to provide a key for MongoDB - you can use the "sudo pritunl setup-key" command to retrieve this.

After this, you're prompted to log in. The command "sudo pritunl default-password" will provide the default username and password for accessing the web console; you will be prompted to change it.

Once you're in, you will need to set up an organization, users, and a server.

As an example, I will set up an organization named "Bastion".


Next, I add myself as a user - note the warning regarding the PIN that is required.

Next, in the server tab, I configured the server using mostly default settings.

You will need to then attach the server to the organization and start the server from the console.

Finally, you can add and attach a route for the subnet that your Azure resources are on, as shown below. Note that you will have to stop and start the VPN for this to take effect.


Easy! Now you will need to configure things from the client side.

To do so, I would recommend the option to create temporary profile links, as I have outlined below. These links can be shared and will allow users to download the VPN client and the VPN profile, change their PIN and set up two-factor authentication.





After downloading the client and opening the profile, you'll be securely connected via VPN with unbridled access to the routes you specified. It's fast, easy and secure.

No need to spend a bunch of money on products like Duo or Pulse Secure - instead I'd recommend checking out their other paid offerings, as they are reasonably priced :)


Tuesday, February 19, 2019

Azure - Helpful resources

A living list of helpful resources and links to Azure tools.

Azure Resource Explorer - A tool to view and edit the direct ARM JSON.
Azure Speed test tool - Runs speed tests and determines latency between regions.
Azure Advisors Yammer - Useful for questions - often monitored directly by the product team.

Learning

Build Azure - A great community centered around certification and learning.

Whitepapers

Whitepapers - Customer engagement materials.

Azure - Check Invitation Status to guest user

Often you will need to invite a 3rd party to your Azure AD tenant to support your environment.

When you add them to a resource, they will automatically be invited as a guest user in your Azure AD tenant; however, they won't be able to access it until they accept the invitation email.

If you send an invite to a guest user you can see if they have accepted the invitation or not. You also have the option to resend the invitation.


From Azure AD you can search for guest users and drill down into an individual one.

Here is what the email looks like. The key here is that the email comes from "[email protected]"; because it can be sent on behalf of, this may end up in the junk or spam email folder, so be sure to have them check there.


Monday, February 18, 2019

AZ-102 Study notes - Part 4

Manage identities (15-20%)

Manage Azure Active Directory (AD)

Add custom domains 

Add a purchased domain and add the MX or TXT records. (ms=msXXXXXX)
The person who creates the tenant is automatically the global administrator.
TTL must be 60 minutes.
Make sure you don't have any unmanaged Power BI tenants.

Configure Azure AD Identity Protection

Azure AD identity protection is P2 level and above.
You can force people to register for MFA - once everyone is registered you can add everyone.

User / sign on risk prevents or forces MFA sign in from compromised users.

Azure AD Join, and Enterprise State Roaming

With Azure AD settings you can enable local admin rights for Azure AD members.
The local admins are set as device admins.
ESR allows Windows 10 user data to be synced between devices. Data is encrypted. Requires "EMS".

Configure self-service password reset

Password reset - selected groups or all. One or two methods. Email / Office Phone / Mobile Phone / Security questions (and how many 3-5).
Users can be forced to register and can be forced to re-register after a period.
You can be notified on Admin passwords or user password resets.

Implement conditional access policies

Condition statements (platforms, locations, apps, device state, etc.) / Control statements (block / grant, MFA, limited experiences, etc.)

Manage multiple directories

Each tenant is independent and a domain name can only be used by a single tenant.

Perform an access review

Access reviews allow you to schedule reports in which you approve or deny access to a group or application. If a reviewer does not respond, we can remove access automatically or send an email.

Recommendations suggest best action. Users can advise on reasons.

Implement and manage hybrid identities

Install and configure Azure AD Connect

Requirements:
Azure AD premium
Global Admin of Azure AD
Azure AD Connect Health agent installed.
Connectivity (outbound - no SSL inspection).

Configure federation and single sign-on

Use the Azure AD Connect tool to add an AD FS server, add an AD FS WAP server, and configure a federated domain.

Deploy seamless single sign on via the Azure AD Connect tool.
Deploy group policies to enable SSO.

Manage Azure AD Connect

You can configure health alerts from Azure AD Connect Health in the portal.

Manage password sync and writeback

Premium feature.
Account used must have elevated rights.
Configured through the Azure AD Connect utility.

AZ-102 Study notes - Part 3

Continued from a previous series:

Configure and manage virtual networks (15-20%)

Create connectivity between virtual networks

Create and configure VNET peering

VNet peering is private peering across regions or subscriptions, but not tenants. 10 per VNet by default, but up to 50.

Via PowerShell or the Azure CLI:
Add-AzureRmVirtualNetworkPeering
az network vnet peering create

Create and configure VNET to VNET

Vnet to Vnet connections require public IPs
Only Vnets in the same subscription from the portal.
Add connection under the VNet.
Use the New-AzureRmVirtualNetworkGatewayConnection cmdlet to set this up via PowerShell.


Verify virtual network connectivity

Get-AzureRmVirtualNetworkGatewayConnection
az network vpn-connection show

Network Watcher Agent extension.

Flow Logs require NSG rules, a Log Analytics workspace and a storage account.

Create virtual network gateway

Requires a DYNAMIC public IP address.
Review the SKUs noted in the documentation for gateway:
Basic SKU - max 10 tunnels, others max 30.
VpnGw1, 2 and 3 support P2S IKEv2 connections and BGP, and each has higher bandwidth than the last.

Configure name resolution

Configure Azure DNS 

Create a new DNS zone from the marketplace or use the PowerShell commands:

New-AzureRmDnsZone
New-AzureRmDnsRecordSet


Configure custom DNS settings 

Alias records dynamically update if they change in Azure.

Configure DNS zones

DNS zones contain one or more records for a domain.


AZ-102 Study notes - Part 2

Continued from a previous series. Here are my notes created from studying for the AZ-102 exam.
The LinkedIn Series here was helpful:


Implement and manage storage (5-10%)

Configure Azure files

Create Azure file share

Simple process if you've done it before, create a storage account > file share > New File Share.
Use connect to mount the share via CMD / powershell / Linux.
Quota is 5 TiB
In PowerShell you can create this, using the storage account key, with the cmdlet New-AzureStorageShare after setting the storage context with New-AzureStorageContext.

Create Azure File Sync service

Azure file sync is a "local" Windows Server copy of the Azure file share.
Configure the service from the Azure portal - Create a new Azure File Sync resource from the marketplace.
Configure the on-premise server - disable IE enhanced security. Install the Azure File Sync Agent. Register the server.

Gotchas:
Only local non-removable volumes are supported.
Module is named Az.StorageSync
Server 2012 R2 and above (Standard and DC versions). 2GB of memory is required.
DFS - DFS-N good - DFS-R not unsupported - but recommend replacing with Azure File Sync.

Create Azure sync group

Add a new SyncGroup from the portal. Select a storage account. Select a fileshare. Easy.
Add server endpoint from the cloud console.
Cloud tiering (only hot files on the cloud) has a lot of gotchas (no VSS, limited attributes, no system volume, etc).
.SystemShareInformation folder is used like the System Volume Information folder - no touchy.

Troubleshoot Azure File Sync

Don't remove the server endpoint as this could wipe your data.
Agent install troubleshooting: StorageSyncAgent.msi /l*v Installer.log
Changes can take up to 24 hours to sync in Azure File Sync.
Portal: Sync or Endpoint Health
Server: Applications and Services Logs\Microsoft\FileSync\Agent\Telemetry event logs.
AFSDiag tool
PDC role needs to be Server 2012 R2+
StorageSync.sys and StorageSyncGuard.sys are the two drivers you need to know.

