Error: Policies attempted to append some fields which already exist in the request with different values

azure

In our current environment, this is starting to show up more and more.
We have a number of policies in Azure, among them are ‘resources-tag-enforcement’, the one that adds a number of required Tags on resources on our production Resource Groups. Because we have them and they are required on all resources on the groups, things fail.
It is changes that start to fail, unrelated to the Tag policy really…
Example 1: We tried to change pricing tier on an App Service plan – Fail
Example 2: We deleted a rule in Azure Firewall – Fail
Example 3: We resized a VM – Fail

All due to one thing, the Resource Manager seems to think in the backend, that these changes are really not just changes, but we are adding new resources to the resource groups, triggering the policy, and that fails to append the Tags since the Tags are already there…
Same scenario with a ‘Allowed location’ policy, if a resource was once created outside of the allowed scope, changes are not allowed since the RM seems to think that you are really adding new resources, not just making adjustments.

The error you will see from the Tag policy is this:

Failed to resize virtual machine ‘XXX-NNNN’ to size ‘Standard DXXX’. Error: Policies attempted to append some fields which already exist in the request with different values. Fields: ‘tags[nnn1],tags[nnn2]’. Policy identifiers:'[{“policyAssignment”:{“name”:”Assignment – resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyAssignments/Assignment – resources-tag-enforcement”},”policyDefinition”:{“name”:”resources-tag-enforcement”,”id”:”/subscriptions/nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/providers/Microsoft.Authorization/policyDefinitions/resources-tag-enforcement”}}]’. Please contact the subscription administrator to update the policies.

Resolution:
Temporarily Disable the assignment of the policy. Look up the Resource Group, go to policys, assignments, then the correct policy and open it.
A bit down, you have to switch to disable it.

Set it to Disabled and Review+Save, then Save.
Done.

Remember to enable it again after you are done.

Good luck!

References

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Error: Policies attempted to append some fields which already exist in the request with different values

azure

The error you will see from the Tag policy is this:

Set it to Disabled and Review+Save, then Save.
Done.

Remember to enable it again after you are done.

Good luck!

References

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

One Bastion to access them all (All peered vNets)

azure

Until now, Azure Bastion has been restricted to use within the one vNet where it is connected.
It could not work across vNet peerings or vNets connected to Virtual VAN’s.
If you wanted to use Bastion, you needed to create separate Bastions per vNet. Bastion with regular use comes with a cost of approximately $120/Bastion and Month, $1500/Bastion/Year. (10 vNets = $15.000)
This have now changed. Now, $1500/customer/year is enough (Well worth it!). (10 vNets = $1.500)

Bastion can now work across vNet peering!
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

Note.
If you have a virtual VAN and your vNets are connected this way, you can add peering in a hub & spoke modell to the vNet where your Bastion is located, this will allow you to use Bastion anyway without disturbing the Virtual VAN functionality.

All you have to do, is create a 2 way peering between the vNet with a Bastion, and the second vNet, and Bastion will show up in the portals ‘Connect’ dialogue.

Bastion2

Bastion1

References

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to clear out all local admin accounts

azure

In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators. To mitigate this, we planned to do the following:

Delete all accounts except the default administrator (Disable default on 2016)
Rename the default to a different name
Set a new ‘impossible’ password that nobody knows (45chrs)
Leave as-is domain users in the local administrators group

Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended). Both can however also be used locally on the servers.
What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. We had both so we needed two scripts.
(Apologies for the bad formatting in this blog-template)

Windows Server 2016 and later:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object ObjectClass, Name, PrincipalSource | Where-Object {$_.PrincipalSource -eq "Local"} | Select-Object Name
$DefaultAdmin = (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | ? {$_.SID -like "S-1-5-21-*-500"}).Name
foreach($Admin in $Admins) {
  $UserName = ($Admin.Name).ToString().split("\")[1]
  Disable-LocalUser $UserName
  If ($UserName -ne $DefaultAdmin) {
    Remove-LocalUser $UserName
    Write-Host "Removed Admin: $UserName"
  }
  else {
    $Random = ConvertTo-SecureString ((1..45 | ForEach-Object   {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join "") -AsPlainText -Force
    Set-LocalUser -Name $DefaultAdmin -Password $Random
    Write-Host "Default Admin password reset to 45 chrs long random string"
    if ($DefaultAdmin -ne $NewAdminName){
      Rename-LocalUser -Name $DefaultAdmin -NewName $NewAdminName
      Write-Host "Renamed default Admin: $UserName to $NewAdminName"
    }
  }
}
Write-host "Done - Server secured :-)"

– – – – – – – – – – – – – – – – – – – –

Pre Windows Server 2016:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$LocalAdmins = (get-wmiobject -ComputerName $Env:Computername win32_group -filter "name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")
foreach ($LocalUser in $LocalAdmins){
  $UserName = $LocalUser.Name
  $UserSID = $LocalUser.SID
  $userDomain = $LocalUser.Domain
  if ($LocalUser.Domain -eq $Env:Computername)
  {
    If ($userSID -like "S-1-5-21-*-500"){
      Write-Host "OK Default: $userName $userDomain" -ForegroundColor Green
      If ($UserName -ne $NewAdminName){
        $LocalUser.Rename($NewAdminName)
      }
      $Random = (1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join ""
      [adsi]$User = "WinNT://./$NewAdminName,user"
      $User.SetPassword($Random)
      $User.SetInfo()
    }
    else {Write-Host "DELETE: $userName $userDomain" -ForegroundColor Red
    [ADSI]$server = "WinNT://$Env:computername"
    $server.delete("user",$UserName)
  }
}
else {Write-Host "OK Domain: $userName $userDomain" -ForegroundColor Green}
}

Happy PowerShell scripting!

References
Not this one

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Office 365 News – First release for select users

First release can now be offered to a select group of users!

(Including a funny mistake by a Microsoft developer)

‘

Life made even simpler for the admins

First release has until now been something that you do not want to enable in a production tenant for the organization, because the impact can be to big with untested changes and additions made regularly.
The common option for the administrator thirsting for knowledge has been to create an evaluation tenant and enable First Release there.
Cumbersome and difficult…is what that was!
A drawback has also been that you could not test anything with the real users, real data or real life scenarios.

No more so, now, the option to enable First Release for only selected users are available.

This is how you do it:

1. Log into your tenants Admin portal: https://portal.office.com/admin/default.aspx
2. Go to Service Settings, Updates.
3. Under First Release, check Select People, you will get a popup asking if you are sure, click Yes.
4. Locate the users you want to set as first release users.
5. Select the users in the box below and click on save (It does not have to be administrators).
5.5 Bulk update (You can also create a list of UPN’s and sumbit it as a bulk update.)
6. Done!
7. Undo

In Pictures:

1. Log into your tenants Admin portal: https://portal.office.com/admin/default.aspx

2. Go to Service Settings, Updates.

3. Under First Release, check Select People, you will get a popup asking if you are sure, click Yes.
(Entire organization is the old choice, this affects everyone in the tenant)

Like I said, select Yes in the popup dialog.

4. In the dialog to your right, search for the user/users you want to set as First Release users.

a. Start typing aname to search for the user…

b. Located users are moved to the userslist.

c. Select all users in the list.

5. Select the users in the box below and click on save (It does not have to be administrators).
(You can also create a list of UPN’s and sumbit it as a bulk update.)

You do not get any conformation that it is changed, but it is.

5.5 Bulk update

For a bulk update, do this:

a. Create a list of the users UPN’s, User Principle Names (i.e. Emailaddresses) and save it as a textfile (.txt)
The file can named anything and can be saved anywhere you like.

b. In the Admin portal, Service Settings, Updates, Click on Bulk add people

c. Browse to your userlist

d. Select the file and click Open

Note the path…(someone at Microsoft made a mistake…\fakepath\ ??). The path shown does not matter, it will work, trust me!

e. Now click on Next to finish

f. As you can see, the result is shown in the resultlist, success and fail are listed. You can also get a view of a very simple logfile.
Click on finish when you are ready.

Bulk import Done!
6. All Done!

7. Undo

To reset the tenant and go back to noone having first release, do this:

In the Admin portal, Service Settings, Updates, Click on Standard

Agree to the popup

And you’re back to normal!

I’

Credits

Niklas Danell, Microsoft Sweden
Erik Fryksén, Xperta AB

References

Microsoft Support on the First Release options

‘ _________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 News – Office 365 Limited Admin Roles are here

Finally! Office 365 Limited Admin Roles are here!

(2015-05-22: In my tenant, this option has now gone away…)

‘

SharePoint administrator
Exchange Administrator
Lync Administrator
User/AD Administrator
Helpdesk Administrator
Support Administrator

This has been one of the major missing features in Office 365, one that many has asked for, it has been on the roadmap and ‘In Development’ and ‘Rolling Out’ for a very long time as well. Now it is HERE! In a ‘First Release’ tenant. (Coming to all tenants in due time) To use the limited roles, do this:

1. Go to the Office 365 Admin Portal https://portal.office.com/admin/default.aspx

2. Select Users -> Active Users

3. Locate a user using search

4. On the Righthand side, Click on Edit User Roles

‘‘

5. Next, select Limited Admin Role and then check the roles you want the user to have, one or many.

Meg Ryan gets to be a SharePoint Admin only

6. Enter an alternate email, same as you do/did for a Global Administrator account

It cannot be a email address that residen within the tenant

7. Save and you are done!

‘

References and Credits

Myself, I get all the credit this time! 🙂

‘ _________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint Security – State of the Union

SharePoint Security – State of the Union

A call to action regarding SharePoint and Security

Citizens of SharePoint!
I would like to say a little something about SharePoint and Security.
The usual focus when talking about IT and Security is technical aspects of security, it is a global phenomenon and it has always been like that. My most private thinking on the reasons for this is, that technical solutions simply are a lot more fun than the boring processes and policies. Take a Windows laptop for example, when discussing security it always comes down to Bit locker instead of discussing how you work to be secure.
SharePoint is no different, but in the SharePoint industry I feel that we have taken it even further, we do not even feel that Security is that much fun, or even that important maybe, the SharePoint community feels that custom solutions and architectural designs, maybe even corporate branding are a lot more fun than any aspect of Security.

Titanic, the unsinkable ship that sunk

In my personal opinion this is a shame and my hope is that this will gradually change in the future toward a more Security aware SharePoint community.
Developing new solutions, new custom applications and designing the world’s most elaborate SharePoint architecture will for a while yet I realize, be more interesting to the individual engineer than promoting the importance of keeping your local admin groups clean and why you should not logon using the farm account, for the most experienced Certified Master same as for the SharePoint IT-Pro beginner.
This is a fact and the risk is that we will start to see downsides from this as SharePoint for real has by now, found its rightful place in most every company’s infrastructure, all over the world.
Now you are probably starting to wonder how I can be so bold to state these things unfounded and without proof? You are probably thinking that you yourself is not like that, you do care about Security and all this is just about everyone else, if even that. Maybe some of us are better and some are worse, but we can all do better.
I have a feeling and I have some proof:
– I have for a while now worked dedicated with SharePoint Security, reviewing existing SharePoint environments and designing and implementing fresh new environments. During this period I have yet to come by a Security aware design of a SharePoint environment (my own designs excluded obviously).
– I have customers that have come to me and stated that part of the reason that they have contacted me, is that there simply is no other partner that focuses on SharePoint and Security and that can offer the services that I do. I am according to my customer, without competition, at least in my part of the world.
– I have seen from the SharePoint conference participant surveys, that of all of the topics that the participants want to hear more about next year, Security is always at the very bottom of the list.
– The number one rated and watched session at TechEd this year, was about hacker tools…

I may be wrong but I doubt it, security is not really on our agenda.
In my experience, all of us in this larger and larger SharePoint community, should pay a little extra attention on Security in all that we do. Not only in the Security technical aspects that we implement because we have to, take for example Kerberos authentication (Link to guide). Kerberos is a great Security feature that will enhance the Security in most SharePoint environments, but not many implementations have been made for the Security aspects of it, but for the simple reason that a double-hop scenario required it and thus it was implemented (visit my blog for an easy step by step guide to Kerberos in SharePoint).
Also, many, many SharePoint environments out there are setup by developers, I beg your pardon developers, but your focus is often to get a working test and development platform up and running, not to make it secure and stable. Also, after a solution has been developed and tested for functionality, your job is often done. The result is often something that is less than perfect in terms of Security.

It would be really nice if we could all help to change this, if we could all do just a few things that will in fact make the SharePoint environment more secure or at least, make it harder to penetrate and easier to keep track of.

I have made a list of things that we could all easily think of and do, and that would help SharePoint Security awareness.

Keep the number of local server administrators down to a minimum (0).

In most SharePoint environments we can assume that a local server administrator can get access to all of the content in SharePoint. Use domain groups, add an individual’s user account only as needed and remove when he/she is done.
You’ll find a command at the end that will show you a course list of the members of the local administrators group.

Do not disable the Loopback check on your Web servers.

This is a great Security feature, it will make life a little harder on a possible intruder, so why disable it. Add the URLs you need instead. If you buy a house and it has an alarm installed, you do not disable it, you grant access to the members of your family. Also worth mentioning, you should always avoid browsing from the server, but some features like search may depend on accessing the local server so a configuration may be the best answer.
You’ll find a PowerShell script at the end how you can easily configure it to allow the URL’s you need instead of disabling it completely.

Disable the SQL authentication and especially the SA account.

These account are completely unmanaged and unmonitored, it is a popular backdoor for any hacker.
They are rarely used and when used often by legacy applications, if they are, find out why and reconfigure or put the legacy app on a separate instance or server.

Never use Shared accounts (Never ever!).

I still see people defending the ‘setup account’ (shared installation and configuration user) and they state that it is given special permissions that are required later on. Operations people with a lot of people coming and going often use a ‘server monitor’ account that can be borrowed and used to get easy and fast access to the server. It is often a local account and often has a password that is well known by all…
In my opinion, there is never or very rarely a reason to keep a shared account. If you absolutely feel that you must, use a domain account and more importantly, disable it when it is not used. Also, change the password regularly.

Keep the Windows Firewall On (Ports-Link/Conf-Link).

Need I even explain this? It is however a sad fact that it is often disabled even in a production environment. It should be used and on in all environments, the development environment would else make an easy target for the evil hacker.
Configure it even during development, there are many ways to do it, PowerShell may be the simplest, check my blog blksthl.com on how to.
If you don’t do it right away, you or your customer will most likely forget to enable and configure it when you are done.

Keep the IE ESC On – Internet Explorer Enhanced Security Configuration.

A server is not really meant for us to browse SharePoint sites or the internet, use a client machine or a separate test server if you have to. If you MUST browse from this particular SharePoint server, disable it for admins only and enable it when done.
You’ll find a PowerShell script at the end how you can easily configure it.

Use HTTPS on Central Administration site.

Often, too often, https is used for web applications bt usually not for the central administration site, it is a bit of configuring and thinking to get it working, but it is a recommended way to protect your Environment. Remember, passwords will at times be transfered in cleartext on the central admin site.
Follow the Word of Spencer Harbar to get it done:
Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

***

Summary,
My hope is, that we will all try do something extra when it comes to Security in the future, do your best to leave a better more secure environment behind, take a while instructing the customer on the importance of keeping the environment secure even after you have left. Make them aware as well.
If you or your customers need a wakeup call, please watch my dear colleague’s session from TechEd North America this year voted no 1, Marcus Murray and Hasain Alshakarti at Truesec:
Live Demonstration: Hacker Tools You Should Know and Worry About
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B309#fbid=SxGCyIja7i5
After you or your customer has seen what can be done with simple tools avalable to all…perhaps the general attitude towards security processes may improve a bit?

Final word: It is not all about cool buzzwords/technologies like oauth or claims or federations, it is even more about processes and boring policies…

Configure Loopbackcheck (Link) In a PowerShell prompt running as administrator: Get-Item -path ”HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString” (Replace mine with your own URL’s and add more using double quotes and a comma and space as separator) Make the changes stick with: Restart-Service IISADMIN

Configure IE ESC (Link) In a PowerShell prompt running as administrator: function Disable-IEESC { $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 Stop-Process -Name Explorer } Disable-IEESC (You have to hit enter twice after pasting the script)

Crude list of all members of Local Administrators In a PowerShell prompt running as administrator: Gwmi win32_groupuser | where-object {$_.groupcomponent –like ‘*”Administrators”‘} | ft partcomponent There are better looking examples out there but this is a one-liner that does the trick…

References:

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

Configure automatic password change in SharePoint 2013 using PowerShell
https://blog.blksthl.com/2013/05/14/configure-automatic-password-change-in-sharepoint-2013-using-powershell/

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

A guide to https and Secure Sockets Layer in SharePoint 2013
https://blog.blksthl.com/2012/12/20/a-guide-to-https-and-secure-sockets-layer-in-sharepoint-2013/

How to disable IE Enhanced Security in Windows Server 2012
https://blog.blksthl.com/2012/11/28/how-to-disable-ie-enhanced-security-in-windows-server-2012/

The first Kerberos guide for SharePoint 2013 technicians
https://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/

Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

Thanks to:

Hasain Alshakarti – TrueSec
Marcus Murray – TrueSec
TrueSec Sweden / TrueSec US
Spencer Harbar – harbar.net
Andrija Marcic – Microsoft

___________________________________________________________________________________________________

Consider?

Regards

Twitter | Technet Profile | LinkedIn