One Bastion to access them all


azure

Until now, Azure Bastion has been restricted to use within the one vNet where it is connected.
It could not work across vNet peerings or vNets connected to Virtual VAN’s.
If you wanted to use Bastion, you needed to create separate Bastions per vNet. Bastion with regular use comes with a cost of approximately $120/Bastion and Month ($1500/Bastion/Year)
This have now changed. Now, $1500/customer/year is enough (Well worth it!).

Bastion can now work across vNet peering!
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

Note.
If you have a virtual VAN and your vNets are connected this way, you can add peering in a hub & spoke modell to the vNet where your Bastion is located, this will allow you to use Bastion anyway without disturbing the Virtual VAN functionality.

All you have to do, is create a 2 way peering between the vNet with a Bastion, and the second vNet, and Bastion will show up in the portals ‘Connect’ dialogue.

Bastion2

Bastion1

 
References

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

 


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to clear out all local admin accounts


azure

In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators. To mitigate this, we planned to  do the following:

  • Delete all accounts except the default administrator (Disable default on 2016)
  • Rename the default to a different name
  • Set a new ‘impossible’ password that nobody knows (45chrs)
  • Leave as-is domain users in the local administrators group

Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended). Both can however also be used locally on the servers.
What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. We had both so we needed two scripts.
(Apologies for the bad formatting in this blog-template)

Windows Server 2016 and later:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin"
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object ObjectClass, Name, PrincipalSource | Where-Object {$_.PrincipalSource -eq "Local"} | Select-Object Name
$DefaultAdmin = (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | ? {$_.SID -like "S-1-5-21-*-500"}).Name
foreach($Admin in $Admins) {
$UserName = ($Admin.Name).ToString().split("\")[1]
Disable-LocalUser $UserName
If ($UserName -ne $DefaultAdmin) {
Remove-LocalUser $UserName
Write-Host "Removed Admin: $UserName"
}
else {
$Random = ConvertTo-SecureString ((1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join "") -AsPlainText -Force
Set-LocalUser -Name $DefaultAdmin -Password $Random
Write-Host "Default Admin password reset to 45 chrs long random string"
if ($DefaultAdmin -ne $NewAdminName){
Rename-LocalUser -Name $DefaultAdmin -NewName $NewAdminName
Write-Host "Renamed default Admin: $UserName to $NewAdminName"
}
}
}
Write-host "Done - Server secured :-)"
 
– – – – – – – – – – – – – – – – – – – –
Pre Windows Server 2016:
 
# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin"
$LocalAdmins = (get-wmiobject -ComputerName $Env:Computername win32_group -filter "name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")

foreach ($LocalUser in $LocalAdmins){
$UserName = $LocalUser.Name
$UserSID = $LocalUser.SID
$userDomain = $LocalUser.Domain
if ($LocalUser.Domain -eq $Env:Computername)
{

If ($userSID -like "S-1-5-21-*-500"){
Write-Host "OK Default: $userName $userDomain" -ForegroundColor Green
If ($UserName -ne $NewAdminName){
$LocalUser.Rename($NewAdminName)
}

$Random = (1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join ""
[adsi]$User = "WinNT://./$NewAdminName,user"
$User.SetPassword($Random)
$User.SetInfo()
}
else {Write-Host "DELETE: $userName $userDomain" -ForegroundColor Red
[ADSI]$server = "WinNT://$Env:computername"
$server.delete("user",$UserName)
}
}
else {Write-Host "OK Domain: $userName $userDomain" -ForegroundColor Green}
}
 
Happy PowerShell scripting!
 

References
Not this one


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

TCP/IP Ports of SharePoint 2016


SharePoint 2016 huh?!
(Long time since I last posted anything real here…)

Actually, this post is by popular demand 🙂 This is the 2016 version of the post a wrote when SHarePoint 2013 was new, as you can see, not much has changed…I have updated a few lines with what I know now that I did not know then, thats it. Please let me know if I missed something.

The recommended approach is to create a GPO with these firewall rules and apply that rule to the SharePoint servers in your farm. Add all of them, best that way to avoid extreme t-shooting in the future.

Another but related recommendation is to configure the Loopback check funktion in Windows server to allow the FQDN’s of your web applications (Use the Loopback check tool).

List of ports used by SharePoint 2013 and its related services.
Reference links at the end.

Protocol Port Usage Comment
TCP 80 http Client to SharePoint web server traffic
(SharePoint – Office Online Server/Office Web Apps communication)
TCP 443 https/ssl Encrypted client to SharePoint web server traffic
(Encrypted SharePoint – Office Online Server/Office Web Apps communication)
TCP 1433 SQL Server default communication port. May be configured to use custom port for increased security
UDP 1434 SQL Server default port used to establish connection May be configured to use custom port for increased security
TCP 445 SQL Server using named pipes When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445
TCP 25 SMTP for e-mail integration Cannot in 2016 be configured (Use SMTP ports other than the default (25).)
TCP 16500-16519 Ports used by the search index component Intra-farm only
Inbound rule Added to Windows firewall by SharePoint. (GPO may override this change)
TCP 22233-22236 Ports required for the AppFabric Caching Service Used by the Distributed Cache…
TCP 808 Search – Query processing component
Windows Communication Foundation communication
Search – Query processing component
(WCF)
TCP 32843 Communication between Web servers and service applications http (default) To use custom port, see references section
Inbound rule Added to Windows firewall by SharePoint
TCP 32844 Communication between Web servers and service applications https
Inbound rule Added to Windows firewall by SharePoint
TCP 32845 net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application)  Custom Service Applications
Inbound rule Added to Windows firewall by SharePoint
TCP 32846 Microsoft SharePoint Foundation User Code Service (for sandbox solutions)  Inbound on all Web Servers
Inbound rule Added to Windows firewall by SharePoint
Outbound on all Web and App servers with service enabled.
TCP 636 User Profile Synchronization Service/Active Directory Import Synchronizing profiles between SharePoint 2016 and AD using SLDAP (Secure LDAP)
TCP 5725 User Profile Synchronization Service Synchronizing profiles between SharePoint 2016 and Active Directory Domain Services (AD DS)
TCP + UDP 389 User Profile Synchronization Service LDAP Service
TCP + UDP 88 User Profile Synchronization Service Kerberos
TCP + UDP 53 User Profile Synchronization Service DNS
UDP 464 User Profile Service Kerberos change password
TCP 809 Office Online Server/Office Web Apps Office Online Server/Office Web Apps intra-farm communication.

References:

Security for SharePoint Server 2016
https://technet.microsoft.com/en-us/library/mt683473(v=office.16).aspx

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

 


___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn