Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: A Print Nightmare Artifact - krbtgt/NT Authority
Source: Ask the Directory Services Team
Author: Jesse Vurgason-Graham
Publication Date: 3/2/2023
Content excerpt:
The term “Print Nightmare” is related to the security vulnerability fixed in the July 6 2021 (7B.21) update. What is described in this blog post is a situation that can develop as a result of the fix for the so-called Print Nightmare vulnerability.
Common symptoms are, slow or sluggish DCs, slow or sluggish printer servers, print clients being slow, unable to connect to print queues and the like.
Title: How do AKS and AKS on Azure Stack HCI compare?
Source: Azure Arc
Author: Abhilasha Agarwala
Publication Date: 3/13/2023
Content excerpt:
This blog is an update to the original blog published comparing AKS in Azure and on Azure Stack HCI, a year ago. Since then, we’ve released multiple features and fixes aimed at improving AKS consistency between Azure and on-premises that warranted a fresh blog.
Title: Generally available: Immutable vaults with Azure Backup
Source: Azure Governance and Management
Author: Utsav Raghuvanshi
Publication Date: 3/29/2023
Content excerpt:
Azure Backup recently announced the general availability of immutable vaults that offer improved protection for your backup data better against ransomware attacks and other malicious actors. Immutable vaults protect your backups by blocking any operations that could lead to loss of recovery points if misused. Further, you can lock the immutability setting to make it irreversible, which can prevent malicious actors from disabling immutability and deleting backups.
Immutability is generally available for Recovery Services vaults as well as Backup vaults.
Title: Authenticating Active Directory users to an Azure CycleCloud HPC cluster
Source: Azure High Performance Computing (HPC)
Author: Vinil Vadakkepurakkal
Publication Date: 3/1/2023
Content excerpt:
Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High-Performance Computing (HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale.
There are two primary mechanisms for enabling login access to cluster nodes, through CycleCloud's built-in authentication, or by integrating nodes with a directory service such as Active Directory or LDAP. For enterprise production clusters, it is recommended that user access be managed through a directory service such as LDAP, Active Directory, or NIS.
In this blog, we are discussing how to integrate Active Directory into the CycleCloud cluster (Node Authentication) for User management, using a custom project called cyclecloud-adauth.
Title: Azure Hybrid Benefit for SQL Server in Azure VMware Solution
Source: Azure Migration and Modernization
Author: Amy Colyer
Publication Date: 3/15/2023
Content excerpt:
Azure Hybrid Benefit (AHB) for SQL Server in Azure VMware Solution (AVS) is now Generally Available (GA). This new capability enables customers to create an Azure VMware Solution placement policy and specify the number of hosts using the Azure Hybrid Benefit. With this enabled, it will unlock unlimited virtualization through the SQL Server licenses with Software Assurance.
With this release, customers can take advantage of Azure Hybrid Benefit on their Azure VMware Solution nodes by running their SQL Server workloads on AVS by applying existing paid SQL Server Enterprise licenses with active Software Assurance. As a result of this, the VMs on the nodes running SQL Server will be licensed using the unlimited virtualization benefit available with SQL Server licenses that have Software Assurance. To get started, customers can use the Azure portal to configure and enable VM-Host affinity placement policies through the AVS menu and create placement policies with APIs.
Title: Enhancements to Azure WAF for Application Gateway now in General Availability
Source: Azure Networking
Author: David Frazee
Publication Date: 3/10/2023
Content excerpt:
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection for your web applications against common vulnerabilities and exploits. Web applications are increasingly targeted by malicious attacks that vulnerabilities. SQL Injection (SQLi) and Cross-Site Scripting (XSS) are examples of some well-known attacks. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application developers and security teams against threats or intrusions.
Title: Azure WAF Tuning for Web Applications
Source: Azure Networking
Author: tobiotolorin
Publication Date: 3/22/2023
Content excerpt:
Azure Web Application Firewall provides a comprehensive solution for protecting web applications from various types of application attacks, ensuring high availability and optimal performance. It is critical to configure WAF in such a way as to reduce the likelihood of false positives while still providing sufficient protection against actual threats.
False positives occur when a Web Application Firewall (WAF) erroneously detects legitimate web traffic as malicious and subsequently denies access. For instance, an HTTP request that poses no threat may trigger WAF to classify it as an SQL injection attack due to how characters are passed through the request body, thereby causing the request to be rejected and denying access to the user.
The first step in reducing false positives is to understand the logs and how to configure and tune WAF rulesets (Managed ruleset, Bot Ruleset and Custom rules).
Title: Cost saving with Standard SSD Billing Caps
Source: Azure Storage
Author: Alec Becker
Publication Date: 3/6/2023
Content excerpt:
As part of our commitment to continuously delivering increased value for our Azure Disk Storage customers, we are excited to introduce a cap on the number of billable Azure Standard SSD transactions. As a result, we have made changes to the billable transaction costs per hour that can result in additional cost savings.
The total cost of Azure Standard SSD Disk Storage depends on the size, number of disks, and the number of transactions. The number of transactions a disk can execute/perform/process is unchanged, so your disk will work as it always has been. However, the cost associated with these transactions is now limited and can help avoid greater costs.
Title: Protect Your Data in Azure to Be Ready to Recover
Source: Azure Storage
Author: vmiss33
Publication Date: 3/8/2023
Content excerpt:
We have heard a lot of buzz about the cloud of the last several years as more and more organizations begin to move existing workloads to the cloud, or deploy new ones there. One thing that can sometimes be overlooked is data protection in the cloud.
There’s lots of things that can happen to your data, from an accidental deletion to someone maliciously deleting files, not to mention the ever present threat of ransomware. Let’s face it, sometimes things also just happen, like an application upgrade goes awry and we need to roll back to an earlier point in time.
No matter what the case, data protection remains one of the most critical but overlooked aspects of a successful cloud deployment, and successful future operations. We’ve seen the gaps when it comes to data on-premises, and they have sometimes followed their workloads into the cloud.
Title: Enabling Remote Help and Supporting Users with Intune
Source: Core Infrastructure and Security
Author: Atil Gurcan
Publication Date: 3/6/2023
Content excerpt:
Remote help for Intune is a premium add-on that is licensed separately. So, first step in enabling Remote help is either purchasing its license for the end users or having a trial for Remote help feature. Once you have licenses available, it would be possible to enable Remote help for tenant.
Title: Monitoring Storage Replication - Part 2
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: 3/7/2023
Content excerpt:
This is part 2 of Monitoring Storage Replication, if you missed part 1 you can find it HERE.
In part 1, we configured an Automation Runbook to collect replication data for Storage Accounts and stored it in a custom table in a Log Analytics workspace.
In this post, I will demonstrate how you can leverage that data stored in Log Analytics to generate Azure Alerts which trigger a Logic App and send a customized email to the owner of the Storage Account which is defined as a tag value of the Storage Account.
Title: Field Tips for AKS Storage Provisioning
Source: Core Infrastructure and Security
Author: Joji Varghese
Publication Date: 3/10/2023
Content excerpt:
In an Azure Kubernetes (AKS) cluster, Pods can access physical storage resources such as disks or volumes using Persistent Volumes (PV). To use these resources, Pods need to make a Persistent Volume Claim (PVC), which requests a specific amount of storage from a storage class. This claim can then be matched to an available Persistent Volume. Azure offers several storage solutions that can be used to provision Persistent Volumes in an AKS cluster.
This article will provide real-world guidance on securely using Container Storage Interface (CSI) drivers to provision Azure File Shares and Azure Blob storage in an AKS cluster.
Title: Automating Block Blob Backup
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: 3/14/2023
Content excerpt:
This post is about how you can automate the backup of Block Blob Storage using Azure Backup Vault (not to be confused with Azure Recovery Service Vault). I specifically mention Block Blob because append and page blobs are not supported.
By automating the backup process of your Block Blob Storage, you can rest assured that your data is safe and secure in case of unexpected data loss.
Title: How To Upgrade/Change the Operating System Which Hosts Microsoft Configuration Manager
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 3/15/2023
Content excerpt:
So, what's the story - you implemented a well running ConfigMgr-Environment. New Solutions to deploy, changes in the Organizations, new Features implemented and -
well time flies by and you are in a situation where your Operating System which Host Configuration Manager is out of date - or close to the end of the Mainstream Support.
Search Product and Services Lifecycle Information - Microsoft Lifecycle | Microsoft Learn
Maybe you cannot change your Management Solution entirely to Microsoft Intune and you need a Transition time through Co-Management and Tenant-Attach.
Title: Change Configuration Manager Site Server OS – Disaster Recovery Reference
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 3/17/2023
Content excerpt:
In this Blog we want to explain what is necessary to change the Operating System for a Server which host the Configuration Manager by a Disaster Recovery Procedure.
We all know this sentence from the past – never touch a running system – but frankly speaking Configuration Manager is not different to any other Service. And a Service must be able to be recovered. So do not fear this. Be serious and cautious and know what is necessary to restore your Service. We advise and recommend that you test your Backup & Recovery Procedure on a regular basis. If those tests are with production data even better – because only a test with production data is a valid test.
Title: Decision Flow to Estimate Pod Spread on AKS
Source: Core Infrastructure and Security
Author: Joji Varghese
Publication Date: 3/19/2023
Content excerpt:
In Azure Kubernetes Service (AKS), the concept of pod spread is important to ensure that pods are distributed efficiently across nodes in a cluster. This helps to optimize resource utilization, increase application performance, and maintain high availability.
This article outlines a decision-making process for estimating the number of Pods running on an AKS cluster. We will look at pod distribution across designated node pools, distribution based on pod-to-pod dependencies and distribution where pod or node affinities are not specified. Finally, we explore the impact of pod spread on scaling using replicas and the role of the Horizontal Pod Autoscaler (HPA). We will close with a test run of all the above scenarios.
Title: Change Configuration Manager Site Server OS – In-place Upgrade Reference
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 3/22/2023
Content excerpt:
In this Blog we want to explain what is necessary to change the Operating System of a Server which hosts the Configuration Manager through an In-place Upgrade.
Since the early Versions of Configuration Manager Current Branch, it is supported to upgrade the Operating System to a newer Version through an In-place Upgrade:
Upgrade on-premises infrastructure - Configuration Manager | Microsoft Learn
Title: Change Configuration Manager Site Server OS – High Availability Reference
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 3/24/2023
Content excerpt:
In this Blog we want to explain what is necessary to change the Operating System of a Server which hosts the Configuration Manager through the High Availability Feature.
The High Availability Feature was very long requested since SCCM 2007 Times. We can set up a SQL-Cluster, install multiple Management Points, Distribution Points, SMS Provider – but all this never helped when the Site Server was down.
Title: Change Configuration Manager Site Server OS – Side-by-Side Migration Reference
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 3/27/2023
Content excerpt:
In this Blog we want to explain what is necessary to change the Operating System of a Server which hosts the Configuration Manager by a Side-by-Side Migration.
To be more exact – it is not a change of the Operating System of your current Infrastructure – You set up a completely new Site in your Domain where you implement Current Best Practices. Maybe you want to implement a general new Design, based on your experience with the current Environment. Even with a fresh new Site – you made a lot of investment regarding Applications, Packages, Task Sequences, and other configurations which you do not want to rebuild again. And here you can use the Side-by-Side Migration, to keep this investment in your new Site too. It is also necessary to reassign all your clients from the old to the new Site – probably you will not catch all clients in the first run – so there will be a period when you must run in parallel.
Title: Migrating from Office 2016\2019 to Microsoft 365 Apps
Source: Core Infrastructure and Security
Author: Dave Guenthner
Publication Date: 3/28/2023
Content excerpt:
The purpose of this blog is to share a concern from multiple customers and provide suggestions and reference documentation for resolution. The issue is that after October 10, 2023, older perpetual versions of Office 2016 and Office 2019, which are no longer in mainstream support, .... While this sounds dire, please note “Microsoft won’t take any active measures to block older Office versions from connecting to Microsoft 365 services if they're in extended support and are kept up to date”.
Title: Managing and Optimizing Your Azure Hybrid Benefit Usage (With Tools!)
Source: Core Infrastructure and Security
Author: Arthur Clares
Publication Date: 3/31/2023
Content excerpt:
As more businesses shift their operations to the cloud, one of the challenges they face is optimizing licensing costs for their virtual machines (VMs) in the cloud. Microsoft's Azure Hybrid Benefit (AHUB) is a licensing benefit that can help businesses save money on their Azure VMs by using their existing on-premises licenses. However, in some cases, it can be hard to keep track of which VMs have the benefit enabled, how to prioritize VMs to have AHUB and how many CPU Cores are being consumed in the environment.
With this challenge in mind, I have developed this Workbook that will help you manage your AHUB usage.
In this blog post, I will cover the basics of AHUB and explain to you how to deploy and use this Workbook.
Title: Azure Policy for Azure Container Apps? Yes, please
Source: FastTrack for Azure
Author: Paolo Salvatori
Publication Date: 3/22/2023
Content excerpt:
This article describes how to use built-in and custom Azure Policy definitions to implement governance for Azure Container Apps. Any contribution is more than welcome. You can find the policy definitions in this GitHub repository. Feel free to submit a pull request to add or update custom policy definitions.
Title: Support tip: Windows Server devices will now be identified as a new OS platform in Microsoft Intune
Source: Intune Customer Success
Author: Intune Support Team
Publication Date: 3/14/2023
Content excerpt:
Currently devices on the Windows Server platform don’t support mobile device management (MDM) and can’t enroll in Intune. With the Microsoft Defender for Endpoint Security Management feature, Windows Servers can receive security management policies from Intune as outlined in Use Intune to manage Microsoft Defender for Endpoint Security on devices not enrolled with Microsoft....
Today, Windows Servers are labeled as “Windows” for the attributes that refer to its operating system (OS) platform. This non-specific label makes it difficult to manage these devices when it comes to granular visibility and targeting. Keep reading to see how we’re making improvements and what actions you may need to take.
Title: Configuring BitLocker via Microsoft Intune settings catalog
Source: Intune Customer Success
Author: Intune Support Team
Publication Date: 3/17/2023
Content excerpt:
This is the sixth in the six-part series about using BitLocker with Intune. BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions.
Title: New Microsoft Intune Devices experience
Source: Intune Customer Success
Author: Intune Support Team
Publication Date: 3/24/2023
Content excerpt:
The Devices pane within the Microsoft Intune admin center has an updated look that provides a more consistent user interface (UI), that includes more capable controls and an improved navigation structure to help you find the information you need faster.
Title: What’s new in Microsoft Intune - 2303 (March) edition
Source: Microsoft Intune
Author: Ramya Chitrakar
Publication Date: 3/24/2023
Content excerpt:
In the Intune March (2303) service release, we have some exciting new developments, including two that will help IT admins be more productive administering the service and one that will improve your frontline worker's experience too. We're introducing a more consistent user interface (UI) and navigation in the Intune admin center. This will make daily device management easier. We've also added a frequently requested Autopilot app capability, which allows apps to be optional in the pre-provisioning technician phase. Finally, we're bringing a similar frontline worker experience for Android shared device mode to iOS and iPadOS.
Title: Prep for certification exams with free Practice Assessments on Microsoft Learn
Source: Microsoft Learn
Author: Puja Aneja
Publication Date: 3/6/2023
Content excerpt:
As a tech professional moving ahead in your field, you know that Microsoft Certifications are essential building blocks in your career portfolio. These globally recognized and industry-endorsed certifications validate your knowledge and expertise and prove that you’re keeping pace with today’s technology.
Whether you’re a learner or you’re part of an organization that needs to empower its teams to validate their skills, you know that passing a certification exam demands an investment of time and effort. To help you increase your chances of succeeding, Microsoft Learn provides a wide array of exam readiness resources, including: prep videos in the Exam Readiness Zone; and study guides, an exam sandbox, tips, and strategies on the details page of the certification exam you’re exploring.
Now we’re introducing a powerful new resource designed to help you prepare for exam day: free Practice Assessments on Microsoft Learn. These assessments offer you a no-cost, no-risk way to test your skills, assess your knowledge and strengths, and gauge your readiness for a Microsoft Certification exam.
Title: Leverage Azure Recovery Services Vault for rapid recovery
Source: Security, Compliance, and Identity
Author: Erik Thie
Publication Date: 3/24/2023
Content excerpt:
You might think that the likelihood of needing a full Active Directory recovery is small. Today, however, the risk of a cyberattack against your Active Directory is higher than ever, hence the chances of you needing to restore it have increased. We now even see ransomware encrypting Domain Controllers, the servers that Active Directory runs on. All this means that you must ensure readiness for this event.
Readiness can be achieved by testing your recovery process in an isolated network on a regular basis, just to make sure everything works as expected, while allowing your team to practice and verify all the steps required to perform a full Active Directory recovery.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)