User Profile
bryanb
Brass Contributor
Joined Aug 09, 2018
Recent Discussions
Azure ATP Sensor - Update Process Large Number of Domain Controllers
Hello, this question may have already been asked/answered but I have not been able to find a previous thread. I have a customer with a large number of domain controllers (over 1000). The DCs are located in branch office locations as well as in data centers. The customer is currently evaluating moving from ATA to ATP. I understand there are two update options for the Sensor, Immediate and Delayed. We are concerned with hundreds of domain controllers attempting to download/install updates at the same time. Are there any other sensor update configuration options, such as creating collections of servers? Another thought we had was to disable the automatic update and use another mechanism (SCCM) for deploying the updates more granularly. We were also wondering if there is a way to schedule the upgrade time period? Does anyone else in the Tech Community have experience with ATP in a large ADDS count environment? Thanks!

Domain synchronizer process "all entities from a specific Active Directory domain proactively"
Hello, The MS docs for the ATP Sensor (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture) mention the "Domain synchronizer process". I understand one of the functions of this process is to identify ADDS servers that do not have the ATP Sensor installed. The other function this performs is the synchronizing of entities. I'm trying to understand what "all entities" is referencing in the following statement: "The domain synchronizer process is responsible for synchronizing all entities from a specific Active Directory domain proactively (similar to the mechanism used by the domain controllers themselves for replication)." Does this process replicate any ADDS object attributes to the ATP instance? Or is the purpose of this role only to look for infrastructure changes within the domain/forest, such as domain controllers being added? Thanks

Re: Does Windows Admin Center protect Domain Administrator passwords
LL10890 I asked the same question to Microsoft and below is their response, I hope it helps.

Credentials are not stored - anywhere. They are ephemeral from the gateway's perspective but may live encrypted within browser memory during the user's current session.

The UI sends credentials by:
- Encrypting the text with the JSON Web Key (JWK) specification using: RSA asymmetric encryption, a 2,048-bit key size, SHA-512 hash
- The encrypted value is sent in an HTTP header which is further encrypted by TLS/SSL
- The server decrypts the value, when present, and stores it in memory using the Windows Data Protection API (DPAPI)

When connecting to a resource, the gateway uses one of the following methods:
- A type of Windows logon that only allows the credentials to be used to authenticate against a remote target. Scenarios for this include non-PowerShell paths such as SMB operations (file uploads or downloads)
- WinRM calls for PowerShell/WMI to include the credentials explicitly in each connection. The connection protects the values using DPAPI on the client and target server. WinRM connections use their own compression and symmetric encryption by default

WAC 2007: PowerShell Cmdlets no longer work: Get-Extension, Install-Extension, Uninstall-Extension
I recently upgraded from 1910.2 to 2007 and noticed the PowerShell cmdlets for managing extensions (Get-Extension, Install-Extension, Uninstall-Extension, Update-Extension) no longer work. I reinstalled 1910.2 and confirmed the cmdlets worked. Upgraded the same server to 2007 and they stopped working. The cmdlets do not fail or return any data. The cmdlets for feed management (Get-Feed, Add-Feed, Remove-Feed) work fine. Has anyone had this issue and have a workaround? Thanks

Unable to Remove Feed from WAC and UAC
Hello, I have WAC (Desktop and Gateway) where I'm not able to modify the Feed settings.

PS C:\temp> Get-Feed
https://aka.ms/sme-extension-catalog-feed
https://mynexusrepo.com/repository/windowsadmincenter_ext_group/

I configured a secondary Feed (Nexus Repo). This source was working fine but now WAC receives the following error: Couldn't update extension catalogs. Error: The remote server returned an error: (404) Not Found. I believe the Nexus repo I'm using was recently updated. However, I can't remove the 2nd Feed. In the interface the options are grayed out (see attached). I've read a few posts about having to run WAC as elevated or use an Edge InPrivate window; I've had mixed results using either. The PS Remove-Feed doesn't allow me to remove the feed with an issue. Is there a way to reset the Feed configuration without having to remove/install the product?

Extension Feeds - Unable to Remove Feed
Hello, We have been evaluating WAC for several months. We have version 2007 installed. We have had a Nexus repo feed working for several months.

Get-Feed
https://aka.ms/sme-extension-catalog-feed
https://drpmga01.publix.com/repository/pblx_windowsadmincenter_ext_group/

Now, I receive the following error when accessing Extensions under Settings. Error: The remote server returned an error: (404) Not Found. However, I'm not able to manage any Feeds Settings. The options to manage the settings are grayed out. This occurs on a desktop install of WAC and a server install (gateway). I uninstalled/installed WAC and was able to edit the Feed option. Once I added a 2nd feed the error above logged again and I was no longer able to edit the Feeds. I attempted to use PS to remove the feed and it fails with the following:

Invoke-WebRequest : 404 - Nexus Repository Manager (new Image).src="https://xxxx.xxxx.com/favicon.ico?3.25.0-03" Nexus Repository Manager OSS 3.25.0-03 Error 404 Not Found Not Found
At C:\Program Files\windows admin center\PowerShell\Modules\ExtensionTools\ExtensionTools.psm1:102 char:17
+         $response = Invoke-WebRequest @params
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Failed to get the feeds
At C:\Program Files\windows admin center\PowerShell\Modules\ExtensionTools\ExtensionTools.psm1:104 char:9
+         throw "Failed to get the feeds"
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Failed to get the feeds:String) [], RuntimeException
    + FullyQualifiedErrorId : Failed to get the feeds
PS C:\WINDOWS\system32>

Is there another way to remove the Feed settings? Is there a way to reset the WAC configuration?

Re: Windows Admin Center with proxy
Hi boxikg I don't have any experience with Squid Proxy. I can tell you I've had problems using other proxies. I too have secure environments where we don't allow any external access. I was able to use the procedures for installing extensions offline pretty successfully. Also, I recently was able to use a NuGet repo we have on-prem. Configure the repo to pull the extensions from MS. The GW servers then use the on-prem repo for extensions. We are still testing but so far it works great.

Windows Admin Center "Files" Network Port Requirements
Good morning, I'm working on a WAC gateway server deployment and I have a question regarding the WAC "Files" transfer process. For the "Files" tool, or really any of the tools, I need to document which protocols/ports are used between the UI, WAC Gateway Server and managed node. With the Files tool, I confirmed the system with the browser needs SMB access to the network location the files are being copied to/from. The files then appear to use HTTPS from the UI to the Gateway. What protocol is used to transfer the files from the GW to the managed endpoint, WSMAN? I see SMB traffic in the capture but I was wondering if WinRM is used (PowerShell Copy-Item) from GW to Endpoint? I understand SMB is required for other tools like Cert management. Thank you.

Re: SAMR Discovery Process
EliOfek Hi, perhaps I'm not explaining myself correctly. CL1 resides in BO1 and has network rules to authenticate to BODC1, BHDC1, BHDC2, BHDC3 but will not have network access to BODC2. Therefore, CL1 will never authenticate to BODC1. In this scenario, you are stating that BODC1 still requires network access to CL1 located in BO1?

Re: SAMR Discovery Process
EliOfek Thanks for the reply! Correct, the gMSA will be used. We have a highly segmented environment. A DC in BO#1 is not permitted to access a domain member in BO#2 (firewall rules). We allow domain members in a site access to the DC in that site and the DCs in our hub site. If I understand your reply, we won't have any issues since a DC in BO#2 will never authenticate an endpoint in BO#3 (no firewall rules). In a multiple domain forest, the sensors only perform this SAMR function within the DC's server domain, right?

SAMR Discovery Process
For SAM-R, we understand the following is required: "Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Azure ATP Service account created during Azure ATP installation." My question is around the SAM-R process from the sensors to the domain members and network access rules (FW). Our AD site is a standard hub and spoke with several dozen branch office locations. What determines which ATP sensor is used to query a domain member? Does the Sensor only perform the SAMR discovery against the domain members in its AD site or some other discovery mechanism? Does each domain sensor need SAM-R/SMB access to ALL domain members? Example: AD-Branch1 server only requires TCP445 to networks in Branch1. Thank you
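Added example for the SAMR Discovery Process thread above; it is not code from the thread, from Microsoft, or from the Azure ATP product. Besides the firewall rules the thread is about, the SAM-R queries also have to be permitted by the "Network access: Restrict clients allowed to make remote calls to SAM" policy on each domain member, which is stored as an SDDL string in the RestrictRemoteSAM value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The script below merges the Azure ATP service account into that SDDL without discarding whatever is already there. The gMSA name, the domain name and the fallback default SDDL (Administrators only) are assumptions to verify against your own policy.

```powershell
# Added example, not from the thread or from Microsoft. Grants the Azure ATP service
# account the right to make remote SAM calls on a domain member by extending the
# RestrictRemoteSAM SDDL. Assumptions: account name, domain, fallback default SDDL.

Import-Module ActiveDirectory

$ServiceAccount = 'atpSvc01$'        # assumption: sAMAccountName of the Azure ATP gMSA
$Domain         = 'corp.example'     # assumption

# SDDL carries SIDs, not names, so resolve the account first.
$sid = (Get-ADServiceAccount -Identity $ServiceAccount -Server $Domain).SID.Value

function Get-RestrictRemoteSamSddl {
    # Current policy value on this machine. If the value was never set, fall back to the
    # commonly documented server default (assumption: Administrators only).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $lsa -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if ([string]::IsNullOrEmpty($current)) { 'O:BAG:BAD:(A;;RC;;;BA)' } else { $current }
}

function Add-RemoteSamAllowAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid
    )
    # RC (READ_CONTROL) is the access right this policy uses to mean "may call SAM remotely".
    $ace = "(A;;RC;;;$Sid)"
    if ($Sddl -like "*$Sid*") { return $Sddl }     # already allowed; keep the change idempotent
    $merged = $Sddl + $ace
    # Parse before applying: a malformed SDDL would either fail silently or shut everyone out.
    $null = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $merged)
    return $merged
}

$sddl = Add-RemoteSamAllowAce -Sddl (Get-RestrictRemoteSamSddl) -Sid $sid
Write-Host "RestrictRemoteSAM -> $sddl"

# Apply locally on a test member. For the branch-office fleet, put the same SDDL into the
# GPO setting "Network access: Restrict clients allowed to make remote calls to SAM" so every
# member a sensor may query receives it; the firewall rules for TCP 445 are a separate matter.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSAM -Value $sddl -Type String

# Read back to confirm.
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSAM).RestrictRemoteSAM
```

This only controls who is allowed to make the SAM-R call once a connection reaches the member; it does not answer which sensor will make that call or whether the firewall lets it through, which is the question the thread leaves open.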
Re: Network Capacity Planning Azure ATP Sensor to Azure

EliOfek Thanks for the response. We have several hundred domain controllers and we need to make sure we forecast the impact to our WAN and outbound internet connections. Is there a better way to estimate outbound traffic capacity? Bryan

Network Capacity Planning Azure ATP Sensor to Azure
Hello, Can you tell me if the capacity information "we send only 1-3% of the total traffic to the service for processing." is current? If so, would I use the network performance data captured in the capacity planning tool? https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning Would I use 1-3% of the Max Packet/secs column? Thank you

Re: Azure ATP network traffic
Astrid McClean Hi Astrid, Can you tell me if the capacity information "we send only 1-3% of the total traffic to the service for processing." is current? If so, would I use the network performance data captured in the capacity planning tool? https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning Would I use 1-3% of the Max Packet/secs column? Thank you

Windows Admin Center - Nexus Repo
Hello, We are implementing Windows Admin Center servers. The WAC servers will not have internet access to install Extensions from the URL. We are looking at using our Nexus environment to host the extensions internally. It appears this configuration is supported ("NuGet feed that supports the NuGet V2 APIs"). We have not been successful in implementing this configuration. We have tried the various repo types but they all fail with an invalid NuGet feed error. Does anyone have any guidance for setting up WAC to use a Nexus repo? Thank you Bryan
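Added example for the "Windows Admin Center - Nexus Repo" post above and for the two "Unable to Remove Feed" posts; it is not WAC's own code, not Microsoft's, and not from the posts. The 404 in the error dump comes from the ExtensionTools module calling Invoke-WebRequest against a registered feed, so the script below makes the same kind of NuGet V2 requests against a candidate URL first: the feed root must return an AtomPub service document that lists a "Packages" collection, and Packages() must return an Atom feed. Only a URL that passes is handed to Add-Feed. The Nexus URL and the gateway endpoint (desktop mode on https://localhost:6516) are assumptions.

```powershell
# Added example, not from the posts or from WAC. Checks that a URL behaves like a
# NuGet V2 feed before registering it as a WAC extension feed.
# Assumptions: the Nexus repository URL and the gateway endpoint.

function Test-NuGetV2Feed {
    param([Parameter(Mandatory)][string]$FeedUrl)

    $base = $FeedUrl.TrimEnd('/')
    $r = [ordered]@{
        Feed = $base; ServiceDocument = $false; PackagesCollection = $false; Entries = 0; Error = $null
    }
    try {
        # 1. A V2 feed root answers with an AtomPub service document listing a "Packages" collection.
        $root = Invoke-WebRequest -Uri "$base/" -UseBasicParsing -ErrorAction Stop
        [xml]$svc = $root.Content
        $r.ServiceDocument    = ($null -ne $svc.service)
        $r.PackagesCollection = [bool]($svc.service.workspace.collection | Where-Object { $_.href -eq 'Packages' })

        # 2. Packages() must answer with an Atom feed; a freshly created repo may have zero entries.
        $pk = Invoke-WebRequest -Uri "$base/Packages()?`$top=1" -UseBasicParsing -ErrorAction Stop
        [xml]$feed = $pk.Content
        if ($null -eq $feed.feed) { throw 'Packages() did not return an Atom feed' }
        $r.Entries = if ($feed.feed.entry) { @($feed.feed.entry).Count } else { 0 }
    } catch {
        # A 404 here is the same condition WAC surfaces as "Failed to get the feeds".
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Candidate feed (assumption). For Nexus the repository must be NuGet-format and the URL is the
# repository root, not the browse/UI path.
$gateway = 'https://localhost:6516'                                            # assumption
$nexus   = 'https://nexus.corp.example/repository/windowsadmincenter_ext_group/'  # assumption

$check = Test-NuGetV2Feed -FeedUrl $nexus
$check | Format-List

if ($check.ServiceDocument -and $check.PackagesCollection -and -not $check.Error) {
    # Register only a feed that answered correctly; the posts above describe feed editing being
    # greyed out in the UI after a registered feed started returning 404.
    Add-Feed -GatewayEndpoint $gateway -Feed $nexus
    Get-Feed -GatewayEndpoint $gateway
} else {
    Write-Warning "Not registering $nexus : $($check.Error)"
}
```

Running Test-NuGetV2Feed against https://aka.ms/sme-extension-catalog-feed gives a known-good reference result to compare the Nexus output against; the first field that differs is usually the misconfigured part of the repository.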
Re: Azure ATP Group Managed Service Account (gMSA)

Or Tsemah Thanks for the response. Something else we found during testing. We have read-only domain controllers, so that is a different group that needs to be added to the gMSA properties. We had to grant the gMSA the "log on as a service" right on each domain controller. A standard account did not require this OS right on the ADDS servers.
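Added example for the gMSA reply above; it is not code from the thread, from Microsoft, or from the Azure ATP product. It creates the sensor gMSA with both the "Domain Controllers" and "Read-only Domain Controllers" groups allowed to retrieve the managed password (the RODC group being the one the reply found missing), then checks from every DC that the password can actually be fetched and that the "Log on as a service" right the reply had to grant is present. The account and domain names are assumptions.

```powershell
# Added example, not from the thread or from Microsoft. Creates the Azure ATP gMSA for
# writable DCs and RODCs, then verifies password retrieval and the logon-as-service
# right on each DC. Assumptions: account name and DNS host name.

Import-Module ActiveDirectory

$Name        = 'atpSvc01'                 # assumption
$DnsHostName = "$Name.corp.example"       # assumption

# Both DC groups must be allowed to retrieve the password; leaving out the RODC group
# leaves sensors on RODCs unable to run under the account.
$Principals = 'Domain Controllers', 'Read-only Domain Controllers' |
    ForEach-Object { Get-ADGroup -Identity $_ }

# The KDS root key is a one-time, forest-wide prerequisite for any gMSA.
if (-not (Get-KdsRootKey)) {
    # A key becomes usable 10 hours after EffectiveTime; backdating it is for lab use only.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

if (-not (Get-ADServiceAccount -Filter "Name -eq '$Name'")) {
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $Principals `
        -KerberosEncryptionType 'AES128,AES256'
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Password retrieval: Test-ADServiceAccount must be True on every DC, writable and RODC alike.
$retrieval = Invoke-Command -ComputerName $dcs -ArgumentList $Name -ScriptBlock {
    param($n)
    Import-Module ActiveDirectory
    [pscustomobject]@{ DC = $env:COMPUTERNAME; CanRetrieve = (Test-ADServiceAccount -Identity $n) }
}

# 2. "Log on as a service": export the effective user-rights policy with secedit and look for
#    the gMSA's SID in SeServiceLogonRight (the export lists SIDs with a leading '*').
$sid = (Get-ADServiceAccount -Identity $Name).SID.Value
$logon = Invoke-Command -ComputerName $dcs -ArgumentList $sid -ScriptBlock {
    param($s)
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC = $env:COMPUTERNAME
        HasLogonAsService = [bool]($line -and ($line -match [regex]::Escape($s)))
    }
}

$retrieval | Format-Table -AutoSize
$logon     | Format-Table -AutoSize
```

A DC that reports CanRetrieve = False is missing from PrincipalsAllowedToRetrieveManagedPassword (or has not yet seen the replicated change); one that reports HasLogonAsService = False still needs the right granted, which is best done once through the GPO that applies to the Domain Controllers OU rather than per server.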