In previous posts, I’ve talked about implementing web security features such as HTTPS, CSP, HPKP and HSTS. Almost all of these are things we can configure ourselves within our web applications’ responses to client requests; however, one of these features, HSTS, requires a little more work to fully implement.
HSTS is a technology of two halves. HTTP Strict Transport Security (HSTS) is a feature which allows a website to instruct the client that it should never be downgraded to HTTP and should only ever request and receive data from the site over HTTPS. We can easily implement this, in the case of Windows and IIS, using a web.config file outbound rewrite rule which I covered in the previous post, Working Hard on Web Security.
The trouble is, this is only half the battle. If a client repeatedly visits your site, their browser will know from previous visits to always use HTTPS because it has already seen the HSTS header, but what about new visitors? What happens if your site is the victim of a downgrade attack between you implementing HTTPS and HSTS and the first time a user visits? Their browser doesn’t yet know it should be using HSTS, so we have a problem.
In case you haven’t gathered from previous posts, I’m quite into Z-Wave and Home Automation right now. Our existing wireless doorbell gave up the ghost a little while ago and I thought it was the perfect opportunity to get a Z-Wave doorbell so that I could integrate it into some areas of the house instead of just a dumb chime unit nowhere near the living areas where we stand a chance of hearing it.
I used the article Do You Sell a Z-Wave Doorbell over at my favourite Z-Wave UK reseller, Vesternet, for a little inspiration, but since the article was written things have moved on a little.
If you have a wired doorbell running on mains voltage then this is actually a bit easier to accomplish as you can use the Fibaro Binary Sensor; however, I don’t have an existing wired doorbell as there is no wiring to support one, so it’s wireless all the way. Since speaking to Vesternet about the project originally, Fibaro have released the new Universal Door and Windows Sensor, which is a Generation 5 Z-Wave device, meaning longer range and improved battery life, so this is obviously the device I purchased for the project. It also has some differences from the previous model.
Follow me beyond the fold for what parts I used and how I bonded them all together.
This week, I’ve been studying some topics ahead of my 70-533 exam, and one of the topics that I covered which I thought would make a really relevant and hopefully not too long a post is the subject of restricting Azure resource deployment to specific regions.
Many organisations have considerations around data privacy and sovereignty. For me and many folks in the UK, right now that means your data is probably living in an Azure region in Europe, either Dublin or Amsterdam. With the UK datacentres being brought online fairly recently and the available features growing month by month, using those regions becomes more appealing. The prospect of Brexit, and how your data sovereignty may be affected by that shake-up, could potentially make those UK datacentres even more appealing in the months and years to come.
With an out of the box Azure subscription, we have the power to deploy resources to any region we like, be it UK, US, South America or Asia, but with these privacy and data protection concerns, wouldn’t it be great if you could limit this so that even the most well trained administrators and users cannot accidentally place your data on the wrong side of a pond?
Read on below the fold and I’ll explain how to create an Azure Resource Policy and how to apply that to your environments.
This is a really quick post but one I thought was worthy of getting down somewhere.
I’m starting to use GitHub more and more as a source for content and as I find myself wanting to produce the odd piece of content as well, I figured GitHub is where everyone else is sticking their Azure Resource Manager code so I should do the same.
For anyone who has looked at the official Azure team GitHub repositories, you will have seen the blue Deploy to Azure button, which is really nice as it takes you directly from GitHub over to Azure and links back to the GitHub repository to start deploying the Resource Manager template without you having to download it and deploy it manually first.
The Azure team have a blog post over at https://azure.microsoft.com/en-gb/blog/deploy-to-azure-button-for-azure-websites-2/ which explains how you can use the Deploy to Azure button in your own repositories or even have it on your own website with a link back to a repository. It’s a nice touch, dead simple to implement by adding a line to the readme.md file and gives you that factory feel.
With the weather starting to warm up and the sun out for longer, the worst of winter is behind us and we have spring to look forward to so what better time to wrap up 2016 with a recap of some of the new features to drop.
What’s New in General Availability
The all important GA milestone means these services are ready for prime time so here’s what’s new in the world of Azure since Al’s last update.
Since the dawn of infrastructure as a service in Microsoft Azure, Storage Account management has been one of the burdens that stayed with us into the cloud. Like managing LUN mapping and disk tier balancing from on-premises SAN arrays, we had to get the right number of Storage Accounts with the right capacity and number of IOPS in each.
Managed Disks now allows us to offload that burden to Microsoft and means we can provision IaaS VMs with the storage complexity of PaaS (read: none). When we provision a machine and select the option to use Managed Disks, the platform will create everything behind the scenes.
Managed Disks are available in Premium and Standard storage flavours, but the gotcha here is that for Standard, you pay for the fully provisioned disk size, not the thin provisioned in-use size as you do with traditional Storage Accounts, so some customers may wish to continue using the conventional methods for storage.
For the full story on Managed Disks, read on at https://azure.microsoft.com/en-us/blog/announcing-general-availability-of-managed-disks-and-larger-scale-sets/.
Sitting on the train yesterday evening, I was glancing across my Twitter feed when I noticed this beauty that I had to share.
Granted, the feature may be in preview right now so doesn’t quite have its game face on just yet, but it’s still really worth looking at.
You now have the ability to assign Office 365 licenses based on either Azure Active Directory or on-premises synchronised Active Directory group membership (a security group to be specific). No longer do we need to assign the licenses to each user individually or use PowerShell scripts to bulk assign the membership. Simply assign the proper licenses to the group and then make sure everyone is a member of that group. When a user is added to the group, they get the licenses, and when the user is removed from the group, they get the licenses taken away, simples.
This may seem like a small feature, but for customers adopting Office 365 from scratch or for existing customers who are buying up new features or activating license sub-components as part of a progressive Office 365 rollout, this will be an invaluable time saver. You can even have multiple groups and use dynamic group membership to have the groups populated based on attributes of a user object.
I see a real use case for this group based license assignment in scenarios where you have a limited number of licenses available for a particular product and you need to re-assign them from one individual to another. A great example would be where one department needs to use Power BI Pro but another does not, and as a user’s department attribute changes from Sales to Operations (as an example), the licenses get moved around. For customers automating their starter and leaver processes, no longer will you need PowerShell Cmdlets which connect to Office 365 and assign the licenses. Just make sure the user is created as a member of the relevant groups and off they go.
I look forward to seeing this feature go into general availability and being used by customers in the field.
In my previous post, List Updates on Windows Nano Server 2016, I talked about reporting the updates which are installed or missing from your Nano Servers. With that information in hand, you can now move to the more powerful aspect of actually patching them.
In my environment, I don’t want my hosts going out to Microsoft Update on their own, nor do I want to run an entire WSUS server just for a couple of Nano Servers, so I patch them manually. This manual patching effort is something which will possibly resonate with others, so I thought I would share it.
As it stands, the script requires you to fetch the updates yourself. I am going to work on something using Invoke-WebRequest in PowerShell to automate that step too, but that’s a small price to pay given the minimal number of updates Nano Server requires. Use the Microsoft Update Catalog at https://catalog.update.microsoft.com to obtain any updates you need. As Thomas Maurer pointed out in his Nano Server updates post at http://www.thomasmaurer.ch/2016/10/how-to-install-updates-on-nano-server/, there is an update for your Nano Servers which is not actually listed, and this is the Servicing Stack Update for Windows 10 Version 1607, KB3176939, which you can download from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3176936. This update is designed to be installed first and it improves the reliability and stability of the servicing stack in Windows which is used by the update process.
Windows Server 2016 introduced the new SKU, Nano Server. Nano Server is an extremely low footprint operating system designed for microservices and rapid deployment and provisioning, and currently supports roles including Failover Clustering, Hyper-V, File Server, Web Server and DNS Server.
With Nano Server being completely headless and, at this moment in time, not supporting a Configuration Manager agent for managing operating system patches, there needs to be a way for you to track and manage patching on them. At home I run two Nano Server hosts using Hyper-V to host some virtual machines and a third running inside a VM for some testing workloads. I decided I wanted to script a way of at least going some way to automating the patching.
The first script below lists the updates that your Nano Server has installed already for reporting purposes. The second lists the updates which are available and require installation. It’s worth noting that for this to work, your Nano Server machines will need access to an update service to find out what updates are available, be it Microsoft Update or WSUS. If you are reading this thinking that you didn’t know Nano Server could use WSUS, well sure it can, you just need to populate the same registry keys you would on a normal Windows machine.
The code for returning the list of updates comes direct from the Microsoft blog at https://blogs.technet.microsoft.com/nanoserver/2016/10/07/updating-nano-server/; however, this assumes a manual process, so I have wrapped it up to provide a level of automation.
For a little while now, I have been buying Philips Hue light bulbs for home. I haven’t gone too overboard just yet but one of the starting factors was being able to set some coloured lighting in the living room and in the kitchen to be able to provide a bit of flashing light action for those long summer nights with a drink or two and friends.
At Christmas, I was able to get myself a Vera Edge Z-Wave controller as I really wanted to start making better use of the Hue bulbs and integrating them with Z-Wave to set up some nice home automation scenarios. After getting Vera online, getting the Hue2 plugin installed and gaining control of the bulbs, I started to struggle. What I quickly noticed was that when trying to use Z-Wave Scenes in Vera to operate groups of Hue bulbs, I wasn’t able to, and instead had to chain up actions, which had the undesired effect of each bulb turning on in order with a second or so delay between each. Compared with Hue scenes, where you press it and the whole room lights up, this wasn’t great.
Tonight, however, I managed to find the answer and get it working just so with a little bit of effort here and there. I wasn’t able to find this information easily on the MiCaseVerde forums, so I thought I would post it here in the hope that someone’s Google search turns it up for them.
Earlier this morning, I was working with our support team to work out an issue they were having in an environment where Remote Desktop Services had stopped working. Trying to connect to a server via RDS simply failed with a Network Level Authentication warning, which was strange given it was a domain environment and everything should have been trusted and all good. The issue started life as support seeing Event ID 1058 and Event ID 36870 errors in the event log, and they had been looking at https://blogs.technet.microsoft.com/askperf/2014/10/22/rdp-fails-with-event-id-1058-event-36870-with-remote-desktop-session-host-certificate-ssl-communication/ for guidance to this point with no success.
I quickly discovered that a GPO had recently been implemented that enforced NLA for RDS and also assigned a certificate template to use for Remote Desktop instead of the default self-signed version. I hopped onto the certificate authority to check out the certificate template that had been configured and compared it to the recommendations of the Microsoft article for assigning certificates to RDS sessions at https://blogs.technet.microsoft.com/enterprisemobility/2010/04/09/configuring-remote-desktop-certificates/ as this is an article I have referred to before and know it works.