First published on TechNet on Mar 12, 2015
Hey y’all, Mark, Tom and Hilde back for another mailbag Friday. Keep the questions coming and we’ll keep answering them. This week we are getting back into the Hyper-V pool and, as always, some ADFS goodness. Let’s get into it.
FREE Security & The Cloud Virtual Event
Domain Admin credentials while installing ADFS
.NET versions and support life cycle
Hardened OS with Hyper-V cluster
Querying VMs and determine if they are running in Azure
Question
Are there any free Security and the Cloud events taking place that I need to know about?
Answer
There happen to be some right around the corner. March 25th, 2015 is an online virtual event. You can register here.
Question
I run a tight ship with my Domain Admin credentials. If ADFS needs DA to install it must be changing something in AD. What is it?
Answer
Two things. First, we create the DKM container that protects the keys used to share the token-signing and token-decryption certificates when you are using self-signed certs. Second, we set the SPN HOST/adfs.contoso.com on the service account so that Windows Integrated Authentication works.
Question
I am trying to get a handle on .NET versions and support lifecycle - got any tips?
Answer
Here is a FAQ for .NET versions and OS support: http://support.microsoft.com/gp/Framework_FAQ
Question
I want to run Hyper-V on a Cluster but I'm running into issues with our 'hardened' OS build. Any insight?
Answer
I recently worked a couple of tripping points for Hyper-V and Clustering with some common hardening steps:
- The "Create symbolic links" User Right is often restricted and set to <blank> or no one.
  - On a Hyper-V host, the following needs to have that user right: “NT VIRTUAL MACHINE\Virtual Machines”
- The "Deny access to this computer from the network" User Right is often set to include the "Local account" group to stop local accounts from accessing the computer remotely. Failover Clustering creates a non-administrative local account that needs network access (it is used by the Failover Cluster Virtual Adapter that provides cluster communications), so this setting breaks clustering.
  - You CAN still restrict this user right to local accounts that are also local admins via a new group added in 2012 R2 called “Local account and member of Administrators group”
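One way to audit a host for the two settings above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on the Hyper-V host and uses the well-known SIDs of the groups named above; the export path is arbitrary.

```powershell
# Added example (not from the original post): check the two user rights that
# commonly break Hyper-V hosts and cluster nodes under a hardened baseline.
# Run elevated; secedit exports the effective local security database.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Well-known SIDs (assumed constants, not taken from the post):
#   S-1-5-83-0  NT VIRTUAL MACHINE\Virtual Machines
#   S-1-5-113   Local account
#   S-1-5-114   Local account and member of Administrators group
$vmGroup      = 'S-1-5-83-0'
$localAccount = 'S-1-5-113'

# Parse [Privilege Rights] lines, which normally look like:
#   SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @(($Matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}

$findings = @()
# 1) "Create symbolic links" must include Virtual Machines for Hyper-V.
$symlink = $rights['SeCreateSymbolicLinkPrivilege']
if (-not $symlink -or $symlink -notcontains $vmGroup) {
    $findings += 'SeCreateSymbolicLinkPrivilege does not include NT VIRTUAL MACHINE\Virtual Machines (S-1-5-83-0)'
}
# 2) "Deny access to this computer from the network" must not cover every
#    local account: the cluster's non-admin local account needs network logon.
$denyNet = $rights['SeDenyNetworkLogonRight']
if ($denyNet -contains $localAccount) {
    $findings += 'SeDenyNetworkLogonRight includes "Local account" (S-1-5-113); use S-1-5-114 (local admins only) instead'
}

Remove-Item $inf -ErrorAction SilentlyContinue
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'User rights are compatible with Hyper-V and Failover Clustering' }
```

If the host gets these rights from a domain GPO, fix the GPO rather than the local policy, or the next refresh reapplies the broken setting.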
Question
We have a large deployment of Azure VMs domain-joined to our on-prem AD. How can I query VMs and determine if they are running in Azure?
Answer
Here are a couple of methods...
1) Use the script here to query for a specific DHCP option that is used in Azure:
- This is the method our Azure support staff uses and is your best bet - you may not need to go any further
- https://gallery.technet.microsoft.com/scriptcenter/Detect-Windows-Azure-aed06d51
2) If you're looking for something a bit more lightweight, you can query for some aspect of the VM Agent (this assumes the VM Agent is installed on the guest):
- Query for services named "Windows Azure..." on the VM
- Query for the existence of the folder "C:\WindowsAzure\" on the VM
Stuff from the Interwebs
- There is a Mexican wrestling league that has 3, that’s right 3, different groups of Teenage Mutant Ninja Turtles feuding with each other.
- Marvel’s Avengers: Age of Ultron trailer came out, if you missed that.
- It’s almost baseball season here in America, which means teams are at spring training. Will Ferrell is playing all 9 positions in 8 games.
- Daylight saving time started this past Sunday, which explains why everyone is sort of in a bad mood. John Oliver on Last Week Tonight, which is probably my favorite show on Sundays, asks “How is this still a thing?”
Mark “perpetually tired” Morowczynski, Tom “farm people” Moser and Michael “Cowabunga” Hildebrand
Updated Feb 20, 2020
Version 3.0
Mark Morowczynski, Microsoft
Core Infrastructure and Security Blog