Secure Your Infrastructure with Least Privileges

Hi,

I would like to post this topic on securing your infrastructure with least privilege, based on what each server actually requires. Everybody loves easy, full privileges to some extent, but has it crossed your mind to secure your infrastructure?

I believe that in a Windows environment, Active Directory is the most popular service that system admins use to centralize identity, and I agree with that. The highest privileges in an AD environment are Domain Admins (per domain, including each child domain) and Enterprise Admins (forest-wide, covering the root and all child domains).

Of course, in a lab environment system admins like to use Domain Admins and Enterprise Admins, myself included. However, in production I would not suggest having many domain users added to Domain Admins or Enterprise Admins. It is quite scary.

In the attachment, I summarized the privileges required, based on the service each server runs.

For example, for a DHCP server in an AD domain environment, the one-time step of authorizing the server in AD requires elevated or delegated rights (Enterprise Admins by default, or an account delegated permission on the NetServices container in the configuration partition). Day-to-day management of the DHCP server only needs membership in the server's local DHCP Administrators group; Domain Admins is not required.
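As an added example (not from the original post or its attachment), here is the DHCP case done with least privilege in PowerShell: the one-time authorization, delegating day-to-day management through the local DHCP Administrators group, and an audit of who is actually in the highest-privilege groups. The domain CORP, the server dhcp01.corp.example, its address 10.0.0.5 and the group CORP\DHCP-Ops are assumptions.

```powershell
# Added example, not from the original post. Names are assumptions:
# domain CORP, DHCP server dhcp01.corp.example (10.0.0.5), ops group CORP\DHCP-Ops.
# Run on the DHCP server. The authorization step is the only one that needs
# Enterprise Admins (or an account delegated rights on
# CN=NetServices,CN=Services,CN=Configuration,<forest DN>); nothing else below
# needs Domain Admins.

# One-time: authorize the DHCP server in Active Directory, then confirm it.
Add-DhcpServerInDC -DnsName 'dhcp01.corp.example' -IPAddress '10.0.0.5'
Get-DhcpServerInDC | Where-Object { $_.DnsName -eq 'dhcp01.corp.example' }

# Day-to-day: the ops team manages scopes and leases through the server's
# local DHCP Administrators group instead of Domain Admins.
Add-LocalGroupMember -Group 'DHCP Administrators' -Member 'CORP\DHCP-Ops'
Get-LocalGroupMember -Group 'DHCP Administrators'

# Audit: list the effective (nested) membership of the highest-privilege
# groups. Run in the forest root domain, where Enterprise Admins and
# Schema Admins live. Any daily-use user or service account in this output
# is a finding.
function Get-HighPrivilegeMembers {
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, name, objectClass, distinguishedName
    }
}

Get-HighPrivilegeMembers | Format-Table -AutoSize
```

Get-HighPrivilegeMembers is a helper written for this example; compare its output with the attachment's per-service requirements and move anything that only needs a service-level role (like DHCP Administrators) out of the domain-wide groups.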


Attachment:

Requirement Privilege Document


Problem: LAPS

Hi,

I am back with a similar question that gets asked when people install LAPS.

“Question: Why do I still have a blank password and expiration time?”

[Screenshot: LAPS blank password]

Answer:

  1. First of all, the computer has to be joined to the domain. If the computer is not domain-joined, you won’t get values in those two attributes.
  2. Make sure that you don’t manually add the computer account in Active Directory. Some people claim they already joined the domain, but they actually created the computer account manually with the same computer name.
  3. LAPS was deployed through a different deployment system than the one the policy expects.
  4. LAPS was installed manually. Some computers are domain-joined, but LAPS was installed by hand and the computer is unable to connect to or communicate with Active Directory.
  5. I recommend deploying the LAPS installation through Group Policy.
  6. The computers are located in a different organizational unit (OU) from the one the policy is linked to. In a large organization you may have many computers and other inventory that are hard to manage, so the LAPS client may not be installed or the attribute values may be missing. For example, your computers sit in the HQ OU under Florida, but you also have an HQ OU under New York, and the LAPS Group Policy was linked to the HQ OU in New York. This leaves the password blank.
  7. The local administrator account is misconfigured. By default, LAPS manages the built-in Administrator account. If you configured Group Policy to manage a specific account name instead, make sure that account exists on the client computer.
  8. Make sure you have a supported OS platform. Please check the link here: https://technet.microsoft.com/en-us/mt227395.aspx.
  9. Make sure that you have permission, and that users are properly delegated, to view ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Normally a domain user cannot see the password because ms-Mcs-AdmPwd is a confidential attribute; only AD administrators and accounts explicitly delegated read access can read it.
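The checklist above can be run as one script. The following is an added example (not from the original post) that, for a single computer, checks for duplicate computer objects, whether the two attributes are populated, which GPOs are linked to its OU, who is delegated to read the password in that OU, and whether the LAPS client-side extension is registered on the client. It assumes the RSAT ActiveDirectory and GroupPolicy modules and the LAPS AdmPwd.PS module are installed where it runs; the computer name WS-FL-0042 is an assumption.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory,
# GroupPolicy and AdmPwd.PS (LAPS) modules are installed on the admin machine.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module AdmPwd.PS

function Test-LapsComputer {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $attrs = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime',
             'lastLogonTimestamp', 'operatingSystem', 'whenCreated'

    # Items 1-2: exactly one object must exist. A manually pre-created duplicate
    # with the same name in another OU is a classic cause of blank values.
    $objs = @(Get-ADComputer -LDAPFilter "(name=$ComputerName)" -Properties $attrs)
    if ($objs.Count -ne 1) {
        return [pscustomobject]@{
            Computer = $ComputerName
            Problem  = "Found $($objs.Count) computer objects (expected 1)"
            Objects  = ($objs.DistinguishedName -join '; ')
        }
    }
    $c = $objs[0]

    # An object that has never logged on was pre-created, not joined.
    $lastLogon = if ($c.lastLogonTimestamp) {
        [DateTime]::FromFileTimeUtc($c.lastLogonTimestamp) } else { $null }

    # The expiration time is stored as a FILETIME integer (100-ns intervals).
    $expires = if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime') } else { $null }

    # Item 6: which GPOs actually apply to the OU the computer lives in?
    $ou   = ($c.DistinguishedName -split ',', 2)[1]
    $gpos = (Get-GPInheritance -Target $ou).InheritedGpoLinks |
                Where-Object Enabled | Select-Object -ExpandProperty DisplayName

    # Item 9: who has been delegated the extended right to read the password?
    $readers = (Find-AdmPwdExtendedRights -Identity $ou).ExtendedRightHolders

    # Items 3-5: is the LAPS client-side extension registered on the client?
    $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    $cse = try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock { Test-Path $using:cseKey }
    } catch { "unreachable: $($_.Exception.Message)" }

    [pscustomobject]@{
        Computer        = $c.Name
        OU              = $ou
        OperatingSystem = $c.operatingSystem
        Created         = $c.whenCreated
        LastLogon       = $lastLogon
        PasswordSet     = [bool]$c.'ms-Mcs-AdmPwd'   # report presence only, never the value
        ExpirationTime  = $expires
        LinkedGpos      = ($gpos -join '; ')
        PasswordReaders = ($readers -join '; ')
        CseInstalled    = $cse
    }
}

# Usage (computer name is an assumption):
Test-LapsComputer -ComputerName 'WS-FL-0042' | Format-List
```

Read the result against the list: a second object or an empty LastLogon points at items 1-2, a missing LAPS GPO in LinkedGpos at item 6, an empty PasswordReaders at item 9, and CseInstalled False (with the computer reachable) at items 3-5. Note that PasswordSet is False for any caller who lacks the read delegation, because a confidential attribute is simply not returned to them.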


Here is an example screenshot of the software deployment via Group Policy.


[Screenshot: Group Policy software deployment of LAPS]

Sync the Azure AD

In this post, I will show you how to sync your on-premises AD (including passwords) to Azure AD and how to force a sync.

Just to make things simpler, I quickly ran Get-ADSyncScheduler to show you the parameters.

[Screenshot: Get-ADSyncScheduler output]

This command shows you the sync policy type, whether sync is enabled, and when the next synchronization will happen.

Let’s say you have recently created new users in one of the organizational units you permit to sync; then you have to wait up to 30 minutes (the default scheduler interval) for the next cycle.

To sync the recent changes immediately (force a delta sync), run this:

[Screenshot: forced delta sync command]

Also, you can run the command below to do a full (initial) sync from scratch:

[Screenshot: full initial sync command]
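As an added example (not from the original post), the scheduler inspection and the two forced syncs as a script, with the one check a practitioner wants before forcing: not starting a cycle while one is already running. It runs on the Azure AD Connect server, where the ADSync module is installed.

```powershell
# Added example, not from the original post. Run on the Azure AD Connect server.
Import-Module ADSync

# Scheduler state: whether sync is enabled, the effective interval (30 minutes
# by default), the policy type and UTC start time of the next run, and whether
# a cycle is running right now.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC,
                  SyncCycleInProgress, StagingModeEnabled

function Start-SyncNow {
    param([ValidateSet('Delta', 'Initial')] [string] $PolicyType = 'Delta')

    # Start-ADSyncSyncCycle fails if a cycle is already in progress, so wait.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Host 'A sync cycle is already in progress; waiting 15 s...'
        Start-Sleep -Seconds 15
    }

    # Delta: only changes since the last run (enough for newly created users
    # in an OU that is already in scope).
    # Initial: full import and full sync; needed after changing OU filtering
    # or sync rules, and much slower on a large directory.
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

Start-SyncNow -PolicyType Delta
# Start-SyncNow -PolicyType Initial   # after scope or rule changes
```

Start-SyncNow is a helper written for this example; Start-ADSyncSyncCycle itself returns as soon as the cycle is queued, so re-run Get-ADSyncScheduler to watch SyncCycleInProgress go back to False.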


You may refer to the articles below:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-scheduler/

http://www.msexchange.org/blogs/walther/news/azure-ad-connect-11-forcing-synchronization.html


Connect and Integrate AD Identities On-Premise to Azure AD

In this topic, I would like to cover how to connect and integrate your existing on-premises AD accounts (at home or in the office) with Azure AD. This gives you single sign-on to other applications such as Office 365, Dropbox, etc.

All you need is to install the Azure AD Connect tool; you may download it at the link here.

Follow the steps below.

Step 1: On the welcome page of the Microsoft Azure Active Directory Connect wizard, check the box “I agree to the license terms and privacy notice” and click Continue.

[Screenshot: w1.JPG]


Step 2: You may use Express Settings for a faster installation; it is the quickest way to see how you connect to Azure AD. With Express Settings, the wizard automatically discovers your forest. In this example it is NETOVERME.

To continue, click Express Settings.

[Screenshot: w2.JPG]


Step 3: You need to enter an Azure AD account. If you have multiple accounts in this Azure tenant, use the one that has the Global Administrator role.

In my example, I use “aliyani@example.onmicrosoft.com”. Click Next to continue.

[Screenshot: w3.JPG]


Step 4: Then you will be asked for an admin account in your on-premises AD forest. Express Settings requires Enterprise Admin credentials here; the wizard uses them once to create the AD DS connector account and does not store them. Click Next.

[Screenshot: w4.JPG]


Step 5: The final step is to start the installation.

[Screenshot: w5.JPG]

[Screenshot: finish.jpg]


Output success: this is the screenshot I captured from my Azure portal.

[Screenshot: SUCCESS.jpg]


Assign Static IP Address in Domain Controller Virtual Machine Azure

Hi,

I would like to share some information on how to assign a static IP address to an Azure virtual machine, since some VMs, such as domain controllers, need a static address.

We need to use Azure PowerShell (the classic Service Management cmdlets) to configure the static IP address.

First, we need to use Test-AzureStaticVNetIP to check that the address is free.

Type the command, for example: Test-AzureStaticVNetIP -VNetName 'TestNetwork' -IPAddress '10.0.0.10'. If IsAvailable is True (the cmdlet also reports OperationStatus Succeeded), we can use the IP address; otherwise AvailableAddresses lists free alternatives.

Type the command: Get-AzureVM -ServiceName 'Nom-DC1' -Name 'NOM-DC1'. This verifies the IP address of the VM that was assigned by DHCP. Here the IpAddress value is 10.0.0.4.

[Screenshot: get-azurevm1]

After that, we need to change the IP address from 10.0.0.4 (assigned by DHCP) to the static IP address 10.0.0.10.

Type the command:

Get-AzureVM -ServiceName 'Nom-DC1' -Name 'Nom-DC1' | Set-AzureStaticVNetIP -IPAddress '10.0.0.10' | Update-AzureVM

[Screenshot: get-azurevm2]

Then verify it by typing Get-AzureVM -ServiceName 'nom-dc1' -Name 'nom-dc1'. You see the IP address has changed to 10.0.0.10 and the PowerState is 'Starting', because Update-AzureVM restarts the VM to apply the new configuration.

[Screenshot: get-azurevm3]
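The whole procedure as one script, added here as an example (not from the original post), using the same classic Service Management cmdlets. It adds the checks a practitioner wants around the reservation: refusing to proceed when the address is taken, and recording the DHCP address before the change so the result can be compared. The VNet name TestNetwork, the cloud service and VM name Nom-DC1 and the address 10.0.0.10 are taken from the post; the rest is an assumption.

```powershell
# Added example, not from the original post. Classic (Service Management)
# Azure PowerShell cmdlets; run after Add-AzureAccount / Select-AzureSubscription.
$vnet    = 'TestNetwork'   # names from the post; adjust to your environment
$service = 'Nom-DC1'
$vmName  = 'Nom-DC1'
$wanted  = '10.0.0.10'

function Set-DcStaticIp {
    param([string] $VNetName, [string] $ServiceName, [string] $Name, [string] $IPAddress)

    # 1. Is the address free in the VNet? IsAvailable is the flag to test;
    #    AvailableAddresses suggests alternatives when it is not.
    $check = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
    if (-not $check.IsAvailable) {
        throw "$IPAddress is in use. Free addresses: $($check.AvailableAddresses -join ', ')"
    }

    # 2. Record the DHCP-assigned address before changing anything.
    $before = (Get-AzureVM -ServiceName $ServiceName -Name $Name).IpAddress
    Write-Host "Current (DHCP) address: $before"

    # 3. Apply the reservation. Update-AzureVM re-provisions the VM, so it
    #    reboots: do this in a window where a DC outage is acceptable.
    Get-AzureVM -ServiceName $ServiceName -Name $Name |
        Set-AzureStaticVNetIP -IPAddress $IPAddress |
        Update-AzureVM

    # 4. Verify. The model updates immediately; PowerState shows 'Starting'
    #    until the VM is back up.
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $Name
    [pscustomobject]@{
        Name       = $vm.Name
        Before     = $before
        After      = $vm.IpAddress
        Reserved   = (Get-AzureStaticVNetIP -VM $vm).IPAddress
        PowerState = $vm.PowerState
    }
}

Set-DcStaticIp -VNetName $vnet -ServiceName $service -Name $vmName -IPAddress $wanted
```

Set-DcStaticIp is a helper written for this example. Reserve the DC's address before promoting it, and keep it out of any range your VNet's DHCP hands to other VMs, since a domain controller that changes address breaks DNS and replication for everything that depends on it.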