FAQs: Using a KMS Server; Securing Virtual Networks and Physical Machines
Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions. Read through the FAQ archives, or send him your questions via email. This batch: how to quickly configure a machine to use a specific KMS server, and how to apply a default NSG to every virtual network in your environment.
November 11, 2017
In this group of FAQs we tackle setting a KMS server, some good security tips to keep you safe, and locking down virtual networks in Azure.
Q. How can I quickly configure a machine to use a specific KMS server?
A. To quickly configure a specific KMS server and activate, run the following two commands from an elevated command prompt, replacing the placeholder with the name of your KMS server:
cscript slmgr.vbs /skms <KMS server name>
cscript slmgr.vbs /ato
Q. I want to apply a default NSG to every virtual network in my environment, how can I do this?
A. I recently wanted to apply rules to every virtual network in my environment to allow inbound 80 and 443 and RDP/SSH from known IP spaces (my organization). To do this, I created a script that looked at all virtual networks, created an NSG in each region where a virtual network existed (since the NSG must be in the same region as the virtual network), then applied all the rules I described. It prompts whether it should auto-apply to all networks, or you can apply on a network and subnet basis.
Be VERY careful running this in production as obviously it would block access. You would want to modify as required including the ranges of IP addresses from your location, i.e. the public IP addresses that NAT traffic from your internal network. Note ideally you should NOT have RDP/SSH open to the Internet and instead use a private connection such as S2S VPN or ExpressRoute but this was required for access to virtual networks that were sandboxes with no other connectivity.
<#
NSGStandardCreateandApply.ps1
John Savill

Script to automatically create and apply a standard NSG to allow certain connections
from the Internet and RDP only from known IP ranges.

Note: Often output is saved to a variable just to suppress going to screen.
Could have used $null but that just seems rude
#>

$AllIPRanges = "55.55.0.0/16","55.54.0.0/16" #Change this to YOUR set of Public IPs that traffic to Azure would originate from
$CoreNSGRGName = "RG-LABCore-NSGs"

Write-Output "Getting a few things ready...`n"

#Check if the standard RG exists into which all the core NSGs for regions are created
$coreNSGRG = Get-AzureRmResourceGroup -Name $CoreNSGRGName -ErrorAction SilentlyContinue
if($coreNSGRG -eq $null)
{
    #Create the resource group to house
    Write-Output "Creating core NSG resource group ($CoreNSGRGName)"
    New-AzureRmResourceGroup -Name $CoreNSGRGName -Location eastus
}

#What permissions are needed to let anyone use them?

#Create an array of all rules that will be used
$NSGRules = @()

$NSGRule = New-AzureRmNetworkSecurityRuleConfig -Name 'WEB-HTTPS' -Direction Inbound -Priority 100 `
    -Access Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VIRTUALNETWORK' -DestinationPortRange '443' -Protocol TCP
$NSGRules += $NSGRule

$NSGRule = New-AzureRmNetworkSecurityRuleConfig -Name 'WEB-HTTP' -Direction Inbound -Priority 101 `
    -Access Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VIRTUALNETWORK' -DestinationPortRange '80' -Protocol TCP
$NSGRules += $NSGRule

$PriNumber = 110
foreach($IPRange in $AllIPRanges)
{
    #Replace / in name of the IP range
    $CorrectIPRange = $IPRange.Replace("/","-")

    $NSGRule = New-AzureRmNetworkSecurityRuleConfig -Name "RDP_$CorrectIPRange" -Direction Inbound -Priority $PriNumber `
        -Access Allow -SourceAddressPrefix "$IPRange" -SourcePortRange '*' `
        -DestinationAddressPrefix 'VIRTUALNETWORK' -DestinationPortRange '3389' -Protocol TCP
    $NSGRules += $NSGRule
    $PriNumber++

    $NSGRule = New-AzureRmNetworkSecurityRuleConfig -Name "SSH_$CorrectIPRange" -Direction Inbound -Priority $PriNumber `
        -Access Allow -SourceAddressPrefix "$IPRange" -SourcePortRange '*' `
        -DestinationAddressPrefix 'VIRTUALNETWORK' -DestinationPortRange '22' -Protocol TCP
    $NSGRules += $NSGRule
    $PriNumber++
}

$VirtNetworks = Get-AzureRmVirtualNetwork

#Check if want to apply to all networks automatically
$confirmation = Read-Host "Do you wish to apply to all networks automatically (y/n):"
if ($confirmation -eq 'y') {
    $AutoNetworkApply = $true
}
else
{
    $AutoNetworkApply = $false
}

#Loop through them
foreach($VNet in $VirtNetworks)
{
    $skipNetwork = $false
    $AutoSubnetApply = $false

    #Calculate the name for the NSG in the location
    $NSGName = "NSG-LABCore-$($VNet.Location)"

    Write-Output "`nChecking network $($VNet.Name) in location $($VNet.Location)"
    Write-Output "Checking for NSG existence $NSGName"

    #Check if the NSG for this location already exists
    $NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $CoreNSGRGName -ErrorAction SilentlyContinue

    #Create if missing
    if($NSG -eq $null)
    {
        #Create the NSG for the location
        Write-Output "Creating the $NSGName NSG"
        $NSG = New-AzureRmNetworkSecurityGroup -Name $NSGName -Location $($VNet.Location) -ResourceGroupName $CoreNSGRGName `
            -SecurityRules $NSGRules
    }

    if(!$AutoNetworkApply)
    {
        $confirmation = Read-Host "Do you wish to apply to all subnets in VNet $($VNet.Name) (y(es)/n(o)/s(kip)):"
        if ($confirmation -eq 'y') {
            $AutoSubnetApply = $true
        }
        if ($confirmation -eq 's') {
            $skipNetwork = $true
        }
    }

    #Enumerate all subnets and apply depending on choices
    if(!$skipNetwork)
    {
        $subnets = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $Vnet
        foreach($subnet in $subnets)
        {
            $subnetApply = $false
            if(!$AutoNetworkApply -and !$AutoSubnetApply)
            {
                $confirmation = Read-Host "Do you wish to apply to subnet $($subnet.Name) in VNet $($Vnet.Name) (y/n) :"
                if ($confirmation -eq 'y') {
                    $subnetApply = $true
                }
            }
            else #auto apply
            {
                $subnetApply = $true
            }

            if($subnetApply)
            {
                Write-Output "Applying NSG to subnet $($subnet.Name) in VNet $($Vnet.Name)"
                $UpdateSubnet = Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name $subnet.Name `
                    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $NSG
            }
        }

        #Apply the changes
        $VNetUpdate = Set-AzureRmVirtualNetwork -VirtualNetwork $VNet
    }
}
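Added example (not part of the original script): a subnet holds a single NSG, so applying the script swaps out whatever NSG a subnet already has. This read-only pre-flight report lists which subnets would be attached, replaced or left unchanged before anything is applied. Get-NsgApplyPlan is a hypothetical helper name; it assumes VNet objects that expose Name, Location and Subnets with NetworkSecurityGroup.Id, as Get-AzureRmVirtualNetwork output does, and the sample objects are constructed.

```powershell
# Added example: read-only pre-flight report; makes no Azure calls itself.
# Get-NsgApplyPlan is a hypothetical helper name, not part of the original script.
function Get-NsgApplyPlan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$VirtualNetwork,
        [string]$NsgPrefix = 'NSG-LABCore-'   # NSG naming used by the script above
    )
    process {
        foreach ($vnet in $VirtualNetwork) {
            $target = "$NsgPrefix$($vnet.Location)"
            foreach ($subnet in $vnet.Subnets) {
                # An NSG resource ID ends in .../networkSecurityGroups/<name>
                $current = $null
                if ($subnet.NetworkSecurityGroup -and $subnet.NetworkSecurityGroup.Id) {
                    $current = ($subnet.NetworkSecurityGroup.Id -split '/')[-1]
                }
                # Attach = no NSG today, Replace = an existing NSG would be swapped out
                $action = 'Replace'
                if (-not $current) { $action = 'Attach' }
                elseif ($current -eq $target) { $action = 'NoChange' }
                [pscustomobject]@{
                    VNet       = $vnet.Name
                    Subnet     = $subnet.Name
                    CurrentNsg = $current
                    TargetNsg  = $target
                    Action     = $action
                }
            }
        }
    }
}

# Constructed sample shaped like Get-AzureRmVirtualNetwork output (not real resources)
$nsgId = '/subscriptions/<subscription-id>/resourceGroups/{0}/providers/Microsoft.Network/networkSecurityGroups/{1}'
$sample = @(
    [pscustomobject]@{ Name = 'VNet-Sandbox'; Location = 'eastus'; Subnets = @(
        [pscustomobject]@{ Name = 'default'; NetworkSecurityGroup = $null }
        [pscustomobject]@{ Name = 'web'; NetworkSecurityGroup = [pscustomobject]@{ Id = $nsgId -f 'RG-Web', 'NSG-Web' } }
    ) }
    [pscustomobject]@{ Name = 'VNet-Lab'; Location = 'westus'; Subnets = @(
        [pscustomobject]@{ Name = 'default'; NetworkSecurityGroup = [pscustomobject]@{
            Id = $nsgId -f 'RG-LABCore-NSGs', 'NSG-LABCore-westus' } }
    ) }
)
$sample | Get-NsgApplyPlan | Format-Table -AutoSize
# Live use: Get-AzureRmVirtualNetwork | Get-NsgApplyPlan | Where-Object Action -eq 'Replace'
```

Rows marked Replace are the subnets whose current rules would be lost, so review those NSGs before answering "y" to the auto-apply prompt.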
Q. What are some good things to try and avoid a machine being compromised?
A. It's very difficult to be 100% protected from attackers but there are some things you can do to minimize your attack surface and reduce the chance of attack and the lateral movement of attackers if you are compromised. Below are some key points but please add comments on key items you think are useful!
Educate users on common social attacks: Phone calls from people pretending to be support techs asking for passwords and asking to install remote desktop software then giving them permission; links in official-looking emails; wariness around email attachments from unknown senders (although services can help by pre-checking attachments and links like Office 365 Advanced Threat Protection).
Make sure systems are patched.
Limit systems with public IP addresses and always use an edge firewall to reverse proxy connections where possible.
Where possible limit public endpoints to specific sets of client IPs.
Ensure you have complex passwords and policy to enforce complex passwords, password change and account lockout.
Don't use the default administrator name for local or domain accounts.
Install anti-malware and keep definitions up to date.
Use Server Core to reduce the attack surface and don't visit web sites etc. on Servers.
Upgrade to Windows Server 2016, which has improved security features including Credential Guard and Device Guard to limit credential theft and processes running that shouldn't. Server 2016 also includes anti-malware with Windows Defender.
Ensure the Firewall is enabled on all operating systems with exceptions only as needed.
Ensure the Guest account is disabled.
Monitor your Security log for logon failures and successes.
Use federation to access cloud services rather than having every user hold 20 different accounts which may all have the same password. If one site in the supply chain is compromised, so too is the credential everywhere if the password is the same. Azure AD can help with this.
Use multi-factor authentication for your accounts.
Use a service that monitors the Internet for your organization's credentials and also anomalous behavior (strange logon hours, strange locations, impossible travel, etc.).
Make sure mobile devices are patched/managed and use encryption.
Have backups that are offsite so if the worst happens and data is corrupted/encrypted you still have it elsewhere.