One Bastion to access them all (All peered vNets)

azure

Until now, Azure Bastion has been restricted to use within the one vNet where it is connected.
It could not work across vNet peerings or vNets connected to Virtual VAN’s.
If you wanted to use Bastion, you needed to create separate Bastions per vNet. Bastion with regular use comes with a cost of approximately $120/Bastion and Month, $1500/Bastion/Year. (10 vNets = $15.000)
This have now changed. Now, $1500/customer/year is enough (Well worth it!). (10 vNets = $1.500)

Bastion can now work across vNet peering!
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

Note.
If you have a virtual VAN and your vNets are connected this way, you can add peering in a hub & spoke modell to the vNet where your Bastion is located, this will allow you to use Bastion anyway without disturbing the Virtual VAN functionality.

All you have to do, is create a 2 way peering between the vNet with a Bastion, and the second vNet, and Bastion will show up in the portals ‘Connect’ dialogue.

Bastion2

Bastion1

References

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to clear out all local admin accounts

azure

In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators. To mitigate this, we planned to do the following:

Delete all accounts except the default administrator (Disable default on 2016)
Rename the default to a different name
Set a new ‘impossible’ password that nobody knows (45chrs)
Leave as-is domain users in the local administrators group

Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended). Both can however also be used locally on the servers.
What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. We had both so we needed two scripts.
(Apologies for the bad formatting in this blog-template)

Windows Server 2016 and later:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object ObjectClass, Name, PrincipalSource | Where-Object {$_.PrincipalSource -eq "Local"} | Select-Object Name
$DefaultAdmin = (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | ? {$_.SID -like "S-1-5-21-*-500"}).Name
foreach($Admin in $Admins) {
  $UserName = ($Admin.Name).ToString().split("\")[1]
  Disable-LocalUser $UserName
  If ($UserName -ne $DefaultAdmin) {
    Remove-LocalUser $UserName
    Write-Host "Removed Admin: $UserName"
  }
  else {
    $Random = ConvertTo-SecureString ((1..45 | ForEach-Object   {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join "") -AsPlainText -Force
    Set-LocalUser -Name $DefaultAdmin -Password $Random
    Write-Host "Default Admin password reset to 45 chrs long random string"
    if ($DefaultAdmin -ne $NewAdminName){
      Rename-LocalUser -Name $DefaultAdmin -NewName $NewAdminName
      Write-Host "Renamed default Admin: $UserName to $NewAdminName"
    }
  }
}
Write-host "Done - Server secured :-)"

– – – – – – – – – – – – – – – – – – – –

Pre Windows Server 2016:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$LocalAdmins = (get-wmiobject -ComputerName $Env:Computername win32_group -filter "name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")
foreach ($LocalUser in $LocalAdmins){
  $UserName = $LocalUser.Name
  $UserSID = $LocalUser.SID
  $userDomain = $LocalUser.Domain
  if ($LocalUser.Domain -eq $Env:Computername)
  {
    If ($userSID -like "S-1-5-21-*-500"){
      Write-Host "OK Default: $userName $userDomain" -ForegroundColor Green
      If ($UserName -ne $NewAdminName){
        $LocalUser.Rename($NewAdminName)
      }
      $Random = (1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join ""
      [adsi]$User = "WinNT://./$NewAdminName,user"
      $User.SetPassword($Random)
      $User.SetInfo()
    }
    else {Write-Host "DELETE: $userName $userDomain" -ForegroundColor Red
    [ADSI]$server = "WinNT://$Env:computername"
    $server.delete("user",$UserName)
  }
}
else {Write-Host "OK Domain: $userName $userDomain" -ForegroundColor Green}
}

Happy PowerShell scripting!

References
Not this one

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

The easy guide to creating a scheduled task running as system

G’day Windows lovers.
Again, this is not a SharePoint post per se, but hey, we all need to Schedule a task from time to time, unless we have completely flown into the clouds…
No need for any command prompt, at.exe, schtasks.exe or anything like that. This can all be done from the gui.

Note: Some people may state that it is a bad idea running a scheduled task as system, that this is bad for security reasons. I can agree with both sides but a fact is that Microsoft has a number of their default scheduled tasks running as system, so it can’t all be wrong. Also, running the task as a different administrator account is even worse, so…do as you like here. Secure the location of the script files, at least do that.
Good or bad, it is still a fact that some people in some situations want to do this, run a script as system, perhaps for the simplicity of it, for not having to rely on service accounts beeing created or other reasons good or bad.

Step by step:

Note: These steps have been verified on Windows Server 2012, but will function just as well on Windows Server 2012 R2 or Windows Server 2008R2/Windows Server 2008, Windows 7 nd Windows 8x

–

Note: You have to be logged on as a local administrator in order to follow these steps.

Start the Windows Task Scheduler, from the ‘Start’ menu or search, any way works…
When the Windows Task Scheduler is open, Browse to a task under Microsoft. I’m using a .NET Framework task in my example, that will work…

Have a look at the tasks in the .NET Framework container. Select the task at the top and make sure that it is a task running as System by checking its properties.

The properties at the bottom will show you if the task is configured to run as SYSTEM. If the task selected is not, pick another task in the list until you find one that is.

Right-click on the task and select export.

Save the file to a good location locally on the server and give it a good name.

Replace the default name with something of your own:

Save the file, then back in Task Scheduler, select the top of the tree, Task Scheduler Library.

Right-click on Task Scheduler Library and select Import Task…

Browse to the file you just exported.

Click on Open to start the import of the task. Name the new task with the name you want, you now have an exact copy of the default .NET framework task, now we need to make modifications so that it will suit your needs.
Right-click on the task, select Properties to make all the settings available for change.
In my example, I want the task to start a PowerShell script as system.
In order to do that, go to the Actions tab.

Delete the existing action, in my example ‘Custom handler’ and add your own.

If you like me, want to run a PowerShell script, type powershell in the program field and type the path to your .ps1 file in the Add Arguments field.
Save the new action and verify the values.

Now, change all the parameters to suit your needs. For example, you might want to add a scheduled trigger.
Click on the Triggers tab and add the Schedule you need.

In my example, I added a Schedule that starts the task at 07:00 every day and keeps doing this forever…

Now, as a last step, select the completed task under the Task Scheduler Library and verify all the settings, especially, make sure that it is configured to run as SYSTEM!
I also selected Run with highest privilieges in my example because the script I had writted required Run as Administrator to function properly.

Thats all, you’re done! Good luck!
References:

Thanks to:

Me, Myself and I!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Loopback Check configuration Tool released – free download

Hi All.

It is here! Free for all! DOWNLOAD

I am happy to announce that the Loopback Check Tool has finally been made available at Codeplex – https://loopbackchecktool.codeplex.com
No more last minute t-shooting the loopback check and ending up disabling it, trying to find the KB or a decent blog post on how to do it.

This Tool takes care of it all for you. Download the exe, put it on your servers, run it to configure the Loopback Check feature simple and easy.

Its simple.
Its small (21kb zipped)
Only click and make it happen
No installation, one single exe that works on most Windows Servers (and clients)
Disable the Loopback check completely (Not recommended)
Enable or Disable the Loopback Check function
Enable it and add excluded URLs (Recommended, now easy to do)

This is a preview image of what the tool looks like

The tool works fine on:

Windows Server 2012
Windows Server 2012 R2
Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows 8
Windows 8.1
And probably a few more…

References:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
http://support.microsoft.com/kb/896861/en-us

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

DisableLoopbackCheck & SharePoint: What every admin and developer should know.
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

Thanks to:

Herakles and Gutke!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Create a bootable Windows Server 2012 R2 installation USB flash drive

Hi Windows connoisseurs! (wiki)

(This is essentially a remake of my Create a bootable Windows 8.1 installation USB flash drive post.) The setps are the same so you can easily follow that post or use this slightly updated version.

In this guide I will help you find a way to install Windows Server 2012 R2 quick and easy, from a simple USB flash drive. It’s really easy, but you still need to Think about a few things.
I’ll list them here and if you want, you can follow the step by step guide below.

Quicksteps:

1. Get a USB Flash drive formatted with FAT32, it has to be AT LEAST 8GB! (The Windows Server 2012R2 installation bits will not fit on a 4GB USB drive…)
2. Download and install the Windows 7 USB/DVD Download tool from Microsoft Store here or Codeplex here (It is an official Microsoft tool, totally wierdly named from the Windows 7 release but still very much valid!)
3. Download or locate a ‘Windows Server 2012 R2’ .iso file and store it locally on your harddrive.
4. Start the Windows 7 USB/DVD Download tool (from startbutton or ‘windows 8/Metro’ style startmenu’?)
5. Complete the steps 1-4
6. Insert the USB flash drive into the powered off PC to install, Power on and boot from USB drive (F9 at HP logo on HP Machines).
7. Install Windows Server as you would normally.
8. Done!

This guide in its entirety works just as well if you replace the Windows Server 2012 R2 .iso file with Windows 8.1, Windows 7, Windows Server 2012 or plain Windows 8 (Windows Server 2008 R2 not verified but willmost likely also work)

Step by step:

1. USB Flash Drive

Prepare a USB flash drive for installation, is has to be at least 8 GB in size and it has to be formatted with FAT32. It does not have to be erased, the tool will do that for you if needed.

Before

2. Download and install the Windows 7 USB/DVD Download tool from Microsoft Store or Codeplex. The Links are as follows:

http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe
or
http://wudt.codeplex.com

Run the .exe file, you will have to be a local administrator on your machine for it to install properly.

Click Next

Click Install

Click Finish

3. Locate a Windows Server 2012 R2 .iso file. This file should be placed on a local harddrive. It does not matter where you put it, as long as it is on a local HD and it is accessable to you when running the tool, meaning that you have access to where the file is stored in the filesystem.

4. After the installation of the tool has completed, you will suddenly notice this tile:

You can also just use the search function, in ‘metro mode’ simply type Windows 7 and you will see it and its uninstall app.
Start the tool
Click Ok at the User Account Control popup dialog
The first screen should now look like this:

5. Hit the Browse button to locate your Windows Server 2012 R2 installation iso file.

In my test, I’m using an .iso file downloaded from TechNet Subscriber downloads (soon to be no more)
It does not have to be from TechNet, it can be MSDN or Volume Licensing or really any form of Windows Server 2012 R2 installation iso.

Click ‘Next’

Click on ‘USB device’
If you see the window below, that means that the USB drive is either not plugged in properly, or it has the wrong formatting or insufficient storage or similar. Make sure that you have a USB flash drive that meets: 4GB minimum+FAT32.

Insert a USB drive that meets the requirements and press the refresh button
Now, click on the ‘Begin copying’ button.

If the USB drive was ok, the copying will begin, but if not, if it still had files still on it, you will see this dialog:

Click Erase to continue

Click Yes and the formatting and copying process will begin.

Let it do its thing until it reaches 100%

When it has finished formatting and copying files, you are done.

After!

6. Next step, is to insert the USB drive into the PC you want to install Windows Server 2012 R2 on, Power it off completely and Power on again.
Use BIOS settings to select ‘boot from USB’ or like on a HP machine, hit F9 at the HP logo screen to boot directly from USB.

7. Let the Installation begin! The Windows installation is pretty much standard. A Clean install is described here. The setup of Windows 8, which is pretty much the same, is described here

8. Done!

References:

Install and Deploy Windows Server 2012 (R2)
http://technet.microsoft.com/en-us/library/hh831620.aspx

Thanks to:

Herakles and Gutke!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn