my personal blog about systemcenter

All posts in Hyper-V

Protecting your assets with Windows Server 2016 Device Guard Part1

Categories: AppLocker, Backup, Device Guard, Hyper-V, Security, Veeam

With Windows Server 2016 we get Device Guard: https://www.microsoft.com/en-us/cloud-platform/windows-server-security

Enhance the protection of your applications on-premises or running in the cloud. Help ensure only trusted software runs on the server with Device Guard.

This means that we can now create policies defining what is allowed to run on our servers, in a more secure way than we know from AppLocker on desktops.

In this example we have a Windows Server 2016 with Veeam installed, and we want to protect it against rogue applications / ransomware (this is not a Veeam problem; Veeam is just used as an example).

First off we block SMB in the firewall, so we don't carry a risk from a compromised workstation.

To get started with Device Guard I highly suggest the blogs from Matt Graeber @mattifestation / http://www.exploit-monday.com

A big thank you to Matt for posting his amazing content online

Windows Device Guard Code Integrity Policy Reference

http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html

Device Guard Code Integrity Policy Auditing Methodology

I have been following his guidelines on merging different policies to allow Veeam to function under the lockdown of the host.

This post will show the start and the end result of the policy, and additional posts will show everything in between. It's not a "five minutes and now everything is working" plan; there are multiple issues with applications spawning scripts and with dynamic, unsigned applications, but for many workloads this is very fast to get started with and gives a very high return on the time used.

Following the procedure for whitelisting, I found that all of Veeam's own binaries were signed with a few different certificates, so they were easy to add to the policy.

That left some files that look to be from third parties and weren't signed; they have been added to the allow list at the file-hash level. This means that when there is a new update out for Veeam, we need to add any updated files to the policy and reapply it.

On the server running Veeam we enabled Device Guard.

Select the policy file that was generated from the XML file with rules. From a security point of view, anyone with local access to the box can change the policy file, so an ACL needs to be applied if the file stays where it is, or move it to the default location under System32; for added security the policy can be signed.
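The steps above (block SMB, scan the Veeam install, add unsigned files by hash, merge, deploy, verify) as an added PowerShell example. This is not the post's own script; it uses the ConfigCI cmdlets that ship with Windows Server 2016. The working directory C:\CI, the Veeam install path and the choice to scan C:\Windows for the base policy are my assumptions; policy signing, which the post mentions for added security, is left out.

```powershell
# Added example: build and deploy a Device Guard code integrity policy for a Veeam server.
# Assumptions: working dir C:\CI, Veeam under C:\Program Files\Veeam, run elevated on the box.

# 1. Block inbound SMB so a compromised workstation cannot reach the server's shares.
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null

New-Item -ItemType Directory -Path C:\CI -Force | Out-Null

# 2. Base policy: scan the OS so Windows binaries are allowed by publisher (slow, run once).
New-CIPolicy -FilePath C:\CI\Base.xml -ScanPath C:\Windows -Level Publisher -Fallback Hash -UserPEs

# 3. Veeam policy: signed binaries become publisher rules; unsigned third-party files
#    fall back to hash rules, which must be regenerated after every Veeam update.
New-CIPolicy -FilePath C:\CI\Veeam.xml -ScanPath 'C:\Program Files\Veeam' -Level Publisher -Fallback Hash -UserPEs

# 4. Merge both into one policy.
Merge-CIPolicy -PolicyPaths C:\CI\Base.xml, C:\CI\Veeam.xml -OutputFilePath C:\CI\Merged.xml

# 5. Rule options: 0 = Enabled:UMCI (govern user-mode code too), 3 = Enabled:Audit Mode.
Set-RuleOption -FilePath C:\CI\Merged.xml -Option 0
Set-RuleOption -FilePath C:\CI\Merged.xml -Option 3   # audit first, enforce later

# 6. Convert to binary and place it in the default location the kernel loads it from
#    (the "Deploy Code Integrity Policy" policy setting can point at this file instead).
ConvertFrom-CIPolicy -XmlFilePath C:\CI\Merged.xml -BinaryFilePath C:\CI\SIPolicy.p7b
Copy-Item C:\CI\SIPolicy.p7b C:\Windows\System32\CodeIntegrity\SIPolicy.p7b -Force
# ... reboot, run the Veeam jobs, then review the audit events ...

# 7. Event 3076 = would have been blocked (audit), 3077 = blocked (enforced).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message

# 8. Enforce: remove audit mode, rebuild the binary in place, reboot again.
Set-RuleOption -FilePath C:\CI\Merged.xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath C:\CI\Merged.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

# 9. Verify the enforcement state after the reboot: 2 = enforced, 1 = audit, 0 = off.
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
```

The audit round is the part worth not skipping: anything Veeam spawns that the scan did not catch shows up as a 3076 event, and those files get merged in before the policy is switched to enforcement.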

So with our policy applied and the server rebooted, we have a functioning Veeam and Windows install.

Now imagine the steps you have to go through to lose your data:

1. Log on to the Veeam server.

2. Open Outlook, if it is installed for some odd reason, or open webmail (if the server has internet access for some odd reason).

3. Download the oddly worded email, click on the HTML link that downloads a zip file with a JavaScript file inside.

4. Ignore the warning and click once more.

A few seconds later we have encrypted all our files, including the backup data (bypassing both the local Defender client and firewall scanning).

Again, the number of crazy decisions you have to make to get this far is crazy, and still we see it happen.

So what happens on our Device Guard protected server?

We do the same as before, but with a different result: we can see that Device Guard prevented the script from running and saved the day.

Displaying Windows Performance Counters with Grafana and InfluxDB with a Windows Backend

Categories: Grafana, Hyper-V, InfluxDB

Matthew Hodgkins published a blog earlier this year showing how to set up Grafana and InfluxDB on an Ubuntu server to publish performance counters from Windows:

https://hodgkins.io/windows-metric-dashboards-with-influxdb-and-grafana / https://twitter.com/matthodge

Following his guide to make the dashboard below was very smooth, and this is a crude step-by-step on trying to replicate the feature set on Windows.

Credit: Matthew Hodgkins

I wanted to try out the same with a Windows backend instead of Ubuntu. Please note this is thrown in with a shovel: paths, users and logs are unchanged and everything is running as user processes. I will create an updated post; I just wanted to get the first parts working.

Heading to https://www.influxdata.com/downloads/ to download Telegraf and InfluxDB.

I installed a Windows Server 2016, downloaded InfluxDB and copied the files into Program Files.

Started influxd, and 15 seconds later we have a default InfluxDB install ready for use.

On the same box I downloaded the newest version of Grafana: http://grafana.org/download/

And started up the services.

On the 2 Hyper-V hosts used in the test I installed the Telegraf clients and used the default performance counters it picked up; the only change was adding the hostname of the server it should deliver the counters to.

Logging into Grafana with admin/admin.

In Grafana go to Data Sources and add a data source; select InfluxDB.

Add localhost:8086 for the InfluxDB URL, telegraf for the database, and a dummy username / password.

And we now have a datasource we can use.

In Dashboards, select Create New.

Select Graph style.

It now creates a default view; double click on "Panel Title" and select Edit.

Delete the fake datasource and add our LocalInfluxDB as the datasource, select win_cpu / Percent_Processor_Time, group by tag(host), and set the alias to $tag_host.

Setting Y-Max to 100 will show the utilisation as 0-100 instead of scaling to the max load.

Adding a threshold to show warning/critical (Grafana v4 supports alerting; I will get back to that in the next post).

And the end result: CPU utilisation displayed for the 2 hosts.
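The host-side part of the setup above, as an added PowerShell example (not the post's own commands, and not something from the Telegraf or Grafana projects): write a minimal telegraf.conf on a Hyper-V host with the InfluxDB hostname as the only site-specific change, install Telegraf as a service, and then query InfluxDB directly for the same win_cpu series the Grafana panel draws. The Telegraf install directory, the InfluxDB host name influx01.example and the database name are assumptions.

```powershell
# Added example: ship the Processor counters from a Hyper-V host to a Windows-hosted
# InfluxDB 1.x and check that the win_cpu measurement arrives.
# Assumptions: Telegraf unpacked to C:\Program Files\Telegraf, InfluxDB on port 8086
# on $InfluxHost (placeholder name), database "telegraf" (Telegraf creates it).

$InfluxHost  = 'influx01.example'          # placeholder for the InfluxDB/Grafana box
$TelegrafDir = 'C:\Program Files\Telegraf'

# Minimal telegraf.conf. Field names are derived from the counter names, so
# "% Processor Time" becomes Percent_Processor_Time in the win_cpu measurement.
$conf = @"
[agent]
  interval = "10s"
  hostname = "$env:COMPUTERNAME"

[[outputs.influxdb]]
  urls = ["http://${InfluxHost}:8086"]
  database = "telegraf"

[[inputs.win_perf_counters]]
  [[inputs.win_perf_counters.object]]
    ObjectName = "Processor"
    Instances = ["*"]
    Counters = ["% Processor Time", "% Privileged Time", "% User Time"]
    Measurement = "win_cpu"
"@
Set-Content -Path "$TelegrafDir\telegraf.conf" -Value $conf -Encoding ASCII

# Dry run: collect once and print to stdout, so config errors show up before the service exists.
& "$TelegrafDir\telegraf.exe" --config "$TelegrafDir\telegraf.conf" --test

# Register and start Telegraf as a Windows service.
& "$TelegrafDir\telegraf.exe" --service install --config "$TelegrafDir\telegraf.conf"
Start-Service -Name telegraf

# Verify from the InfluxDB side with the query Grafana builds for
# win_cpu / Percent_Processor_Time grouped by the host tag.
$q = 'SELECT mean("Percent_Processor_Time") FROM "win_cpu" WHERE "instance" = ''_Total'' AND time > now() - 5m GROUP BY time(1m), "host"'
$r = Invoke-RestMethod -Method Get -Uri "http://${InfluxHost}:8086/query" -Body @{ db = 'telegraf'; q = $q }
$r.results[0].series | ForEach-Object { '{0}: {1} points' -f $_.tags.host, $_.values.Count }
```

Two things to change before this leaves the lab, since the post deliberately keeps defaults: turn on authentication in influxdb.conf (auth-enabled = true under [http]) and give the Grafana datasource a real user instead of the dummy one, and change the Grafana admin/admin login.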








Deploying Data Protection Manager in a dedicated domain

Categories: Active Directory, Data Protection Manager, Disaster Recovery, DPM, Hyper-V

Data protection and the ability to recover data are key to keeping your job and your company alive.

The demo setup used in this post is:

  • PROTECTDC01 Domain Controller in the PROTECT Forest
  • PROTECTDC02 Domain Controller in the PROTECT Forest
  • PROTECTDDPM01 Data Protection Manager Server in the PROTECT Forest
  • FABRICDC01 Domain Controller in the FABRIC Forest
  • FABRICDC02 Domain Controller in the FABRIC Forest
  • FABRICHV01-04 Hyper-V Hyper-Converged Install
  • FABRICHVC01 Hyper-V Cluster with members FABRICHV01-04
  • WORKLOAD01-05 Virtual Workloads in the FABRIC Hyper-V Cluster

As this is a test environment, everything is stuck on one box.

For a real-world deployment the FABRIC and PROTECT domains must be separated. The whole point of this post is that if you for some reason get compromised in your FABRIC domain, you will still have access to the PROTECT domain and maintain the ability to recover your data.

This also means that in a larger environment you can more easily separate the roles, so one team won't have access to both the source and the target of the backup data.

In the example we do log in interactively on the FABRIC domain, so if a host is compromised before the agent install, the PROTECT domain is going down the same path. There is still some work to be done, but it beats having everything in one domain.

On the PROTECT domain, set up DNS forwarders to the FABRIC domain.

And in reverse, to get name resolution up and running between the two forests.

Setting up the trust.

For this test a forest-wide trust is used; tighter security can be had with selective authentication.

On the 4 Hyper-V hosts we add the DPM account from the PROTECT domain.

We then install the DPM agent on all Hyper-V hosts and run

SetDPMServer -dpmservername protectdpm01.protect.azurestack.coffee

which connects the Hyper-V host to the remote DPM server.

On the Data Protection Manager server, we use Attach Agents.

And we add the 4 Hyper-V hosts manually.

And we now have all 4 servers.

Use credentials in the FABRIC domain or the DPM account to attach the agent.

Success.

Create a protection group, browse to the VMs and add them.

And we can now back up the FABRIC domain from a dedicated domain.
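The cross-forest plumbing from this post, as an added PowerShell example rather than the screenshots' GUI clicks; it is my illustration, not the post's script or a Microsoft sample. The PROTECT forest name and the DPM server name are taken from the post; the FABRIC forest DNS name, the DC addresses, the DPM service account name and the default agent install path are placeholders or assumptions.

```powershell
# Added example: DNS forwarders, forest trust, DPM account on the hosts, agent registration
# and agent attach. Steps 1 and 2 run on a domain controller of the forest named in the
# comment; steps 3-4 run from a FABRIC admin session; step 5 runs in the DPM Management Shell.

$ProtectDomain = 'protect.azurestack.coffee'                 # from the post
$FabricDomain  = 'fabric.example'                            # placeholder, not given in the post
$FabricDns     = '10.0.2.10', '10.0.2.11'                    # placeholder FABRICDC01/02
$ProtectDns    = '10.0.1.10', '10.0.1.11'                    # placeholder PROTECTDC01/02
$DpmAccount    = 'PROTECT\svc-dpm'                           # placeholder DPM account
$DpmServer     = 'protectdpm01.protect.azurestack.coffee'    # from the post
$HyperVHosts   = 'FABRICHV01', 'FABRICHV02', 'FABRICHV03', 'FABRICHV04'

# 1. Conditional forwarders, one in each forest, so both sides resolve each other.
#    On PROTECTDC01:
Add-DnsServerConditionalForwarderZone -Name $FabricDomain -MasterServers $FabricDns -ReplicationScope Forest
#    On FABRICDC01:
Add-DnsServerConditionalForwarderZone -Name $ProtectDomain -MasterServers $ProtectDns -ReplicationScope Forest

# 2. Two-way forest trust, created from the FABRIC side (the post uses forest-wide authentication).
#    /pd:* prompts for the PROTECT credential; add /SelectiveAuth:Yes for the tighter mode the post mentions.
netdom trust $FabricDomain "/d:$ProtectDomain" /add /twoway /ForestTransitive:Yes "/ud:$ProtectDomain\Administrator" /pd:*

# 3. The DPM account from PROTECT becomes a local administrator on each Hyper-V host.
Invoke-Command -ComputerName $HyperVHosts -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member $using:DpmAccount
}

# 4. With the DPM agent already installed, point it at the DPM server in the other forest.
Invoke-Command -ComputerName $HyperVHosts -ScriptBlock {
    & 'C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe' -dpmServerName $using:DpmServer
}

# 5. On the DPM server: attach the hosts, authenticating with an account from the FABRIC domain.
$cred = Get-Credential -Message "Account in $FabricDomain with admin rights on the Hyper-V hosts"
foreach ($h in $HyperVHosts) {
    Attach-DPMProductionServer -DPMServerName $DpmServer -ProductionServerName "${h}.${FabricDomain}" `
        -UserName $cred.UserName -Password $cred.GetNetworkCredential().Password -Domain $FabricDomain
}
```

Step 3 is the one that matters for the threat model in the post: the account from the PROTECT forest has admin rights on the FABRIC hosts, but nothing from FABRIC is granted anything in PROTECT, so a compromised host cannot reach the backup side through the trust.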



Enabling an AzureStack test environment using Nested Hyper-V

Categories: AzureStack, Hyper-V, Nested, Unsupported

So with preview software, the second thing to do is go down the unsupported/untested path.

After bare-metal deployment on a few different hosts, we move on to a nested AzureStack install. This is to enable faster deployment and rollback when we break something on purpose to test.

But always follow the support guidelines for testing and use a dedicated physical machine (we do this on multiple other installs in our testing setup).

Time from VM creation to AzureStack running: 2 hours 15 minutes.

NOTE: Do not count this as stability testing; always use supported hardware for that.

So say hello to our little VM:

16 cores, 256 GB memory, 5 drives at 300 GB.

Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Enable-NestedVm.ps1 -OutFile ~/Enable-NestedVm.ps1

~/Enable-NestedVm.ps1 -VmName "STACK10"

Enable it for nested Hyper-V.
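Building the VM and enabling nesting with plain Hyper-V cmdlets, as an added example (my code, not the post's, and not a copy of Microsoft's Enable-NestedVm.ps1). The sizing comes from the post; the VM path, switch name, OS disk size and generation are assumptions. The settings applied in the second half are, as far as I know, the same ones the Microsoft script applies, and they are listed so it is clear what "enable nesting" changes on the VM.

```powershell
# Added example: create the "little VM" (16 vCPUs, 256 GB, 5 x 300 GB) and enable nesting.
# Assumptions: VMs under D:\VMs, a virtual switch named "External", run elevated on the host.

$VmName = 'STACK10'
$VmPath = 'D:\VMs'        # assumption
$Switch = 'External'      # assumption

New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 256GB -Path $VmPath -SwitchName $Switch -NoVHD | Out-Null
Set-VMProcessor -VMName $VmName -Count 16

# OS disk plus five dynamically expanding 300 GB data disks (storage spaces inside the guest).
$osDisk = "$VmPath\$VmName\OS.vhdx"
New-VHD -Path $osDisk -SizeBytes 127GB -Dynamic | Out-Null      # OS size is an assumption
Add-VMHardDiskDrive -VMName $VmName -Path $osDisk
1..5 | ForEach-Object {
    $vhd = "$VmPath\$VmName\Data${_}.vhdx"
    New-VHD -Path $vhd -SizeBytes 300GB -Dynamic | Out-Null
    Add-VMHardDiskDrive -VMName $VmName -Path $vhd
}

# Nesting prerequisites: VM off, no checkpoints, virtualization extensions exposed,
# dynamic memory off, MAC spoofing on so nested VMs can reach the network.
if ((Get-VM -Name $VmName).State -ne 'Off') { Stop-VM -Name $VmName -Force }
if (Get-VMSnapshot -VMName $VmName) { throw "Remove checkpoints on $VmName before enabling nesting" }
Set-VMProcessor -VMName $VmName -ExposeVirtualizationExtensions $true
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $false
Get-VMNetworkAdapter -VMName $VmName | Set-VMNetworkAdapter -MacAddressSpoofing On

# Check the result before booting.
Get-VMProcessor -VMName $VmName | Select-Object VMName, Count, ExposeVirtualizationExtensions
Get-VMMemory -VMName $VmName | Select-Object VMName, Startup, DynamicMemoryEnabled
```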


Install Windows Server TP4 with the US locale.

For now GUI only (sorry Snover).

And we can see all our drives.

Add a static IP address and add DNS/gateway for access to Azure Active Directory.

And rename to the next stack install.

I prefer to bring the drives online and initialize them.

Time to jump to Azure Active Directory and create a tenant admin user.

Extract the 9 GB file and run the Azure Stack installer.

This leaves us with a few files.

Add local credentials and verify that all prerequisites are met. Note that the space warning is not seen on bare-metal installs; I need to check whether it is because the drives are initialised, but everything is fine for the install.

Sign in with the Azure Active Directory admin user.

And accept the AAD prompt.

And we are ready to install.

The installer is a very, very cool series of PowerShell scripts that does everything for us. It reboots a few times, but signing on again shows us the progress bar.

First off it creates a domain and joins the host to it.

After that a virtual disk is created through Storage Spaces.

And 2 hours later we are done.

And ready to roll.

And while we are playing, we might as well dedupe it.

Not really fair, as there are many other installs on the same host, but still fun.

Playing with Data Protection Manager and Deduplication in Windows Server 2016

Categories: Data Protection Manager, Deduplication, Hyper-V, Windows Server 2016

In this perfect-world setup I created 100 VMs using PowerShell and PowerShell Direct; each has roughly 10 GB of disk usage.
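How a rig like that can be built, as an added example (my code, not the script the post used): VMs are created as differencing disks off one template, and PowerShell Direct is used to drop 10 GB of identical files into each guest, which is exactly the perfect-world data set that dedupes 100 to 1. The template path, VM root, switch name, and the assumption that the template boots unattended with a known local administrator are mine.

```powershell
# Added example: 100 test VMs from one template, filled with 10 GB each over PowerShell Direct.
# Assumptions: a sysprepped Server 2016 template VHDX with an unattend file that sets the local
# administrator password; VMs under D:\VMs; a switch named "Internal"; run elevated on the host.

$Template  = 'D:\Templates\WS2016-template.vhdx'   # assumption
$VmRoot    = 'D:\VMs'                              # assumption
$Switch    = 'Internal'                            # assumption
$Count     = 100
$GuestCred = Get-Credential -Message 'Local administrator inside the template'

1..$Count | ForEach-Object {
    $name = 'WORKLOAD{0:D3}' -f $_
    $vhd  = Join-Path $VmRoot "$name.vhdx"
    # Differencing disk: each VM stores only its own changes on top of the shared template.
    New-VHD -Path $vhd -ParentPath $Template -Differencing | Out-Null
    New-VM -Name $name -Generation 2 -MemoryStartupBytes 2GB -VHDPath $vhd -SwitchName $Switch | Out-Null
    Start-VM -Name $name
}

# PowerShell Direct needs no guest networking: wait for the heartbeat, then write the data.
Get-VM -Name 'WORKLOAD*' | ForEach-Object {
    $vmName = $_.Name
    while ((Get-VM -Name $vmName).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 5 }
    Invoke-Command -VMName $vmName -Credential $GuestCred -ScriptBlock {
        New-Item -ItemType Directory -Path C:\Data -Force | Out-Null
        # Ten 1 GB files of zeros: identical in every VM, so this is the best case for
        # deduplication; real workloads with unique data will dedupe far less.
        1..10 | ForEach-Object { fsutil file createnew "C:\Data\file${_}.bin" 1073741824 | Out-Null }
    }
}

# Summary: VMs running and the space the differencing disks actually consume on the host.
(Get-VM -Name 'WORKLOAD*' | Where-Object State -eq 'Running').Count
Get-ChildItem -Path $VmRoot -Filter 'WORKLOAD*.vhdx' |
    ForEach-Object { Get-VHD -Path $_.FullName } |
    Measure-Object -Property FileSize -Sum | Select-Object Count, @{ n = 'AllocatedGB'; e = { [math]::Round($_.Sum / 1GB, 1) } }
```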

Due to the way DPM currently uses disk space, we have consumed 2 TB of disk space.

We have assigned 5 drives at 512 GB each, and usage is now at 80%.

The drives are thin provisioned through Hyper-V, so the actual data fill isn't anywhere near what is reported in DPM.

And we can see that DPM allocated a lot of whitespace, so there is room to grow.

So just by using virtual DPM servers we have roughly 1 TB of disk usage compared to 2 TB, so virtual gives us a 50% saving.

And we now enable deduplication and start the process.
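Enabling deduplication on the Hyper-V host volume that holds the virtual DPM server's disks, plus the thin-provisioning check from above, as an added PowerShell example (mine, not the post's). The volume letter and the path to the DPM VHDX files are assumptions; the Backup usage type is the Server 2016 profile meant for virtualized backup servers such as DPM.

```powershell
# Added example: measure thin-provisioned VHDX usage, enable dedup on the host volume
# and run an optimization job. Assumptions: volume D: holds the DPM VM's disks under D:\DPM.

$Volume  = 'D:'          # assumption: host volume with the DPM server's VHDX files
$DpmDisks = "$Volume\DPM" # assumption

# Before: maximum size vs. space actually allocated on disk (the "data fill" DPM does not see).
Get-ChildItem -Path $DpmDisks -Filter '*.vhdx' |
    ForEach-Object { Get-VHD -Path $_.FullName } |
    Select-Object Path, @{ n = 'MaxGB'; e = { [math]::Round($_.Size / 1GB) } },
                        @{ n = 'AllocatedGB'; e = { [math]::Round($_.FileSize / 1GB, 1) } }

# Enable the feature and the volume. "Backup" is the profile for virtualized backup
# servers; "HyperV" is for volumes holding running VM disks.
Install-WindowsFeature -Name FS-Data-Deduplication | Out-Null
Enable-DedupVolume -Volume $Volume -UsageType Backup

# Files younger than MinimumFileAgeDays (default 3) are skipped; 0 processes the test data now.
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 0

# Run optimization immediately instead of waiting for the scheduled job.
Start-DedupJob -Volume $Volume -Type Optimization -Wait | Out-Null

# After: savings reported by dedup itself.
Get-DedupStatus -Volume $Volume | Select-Object Volume, SavedSpace, OptimizedFilesCount, InPolicyFilesCount
Get-DedupVolume -Volume $Volume | Select-Object Volume, SavingsRate, Capacity, UsedSpace, FreeSpace
```

Deduplication is enabled on the host volume underneath the VHDX files, not on the DPM storage volumes inside the DPM VM; that is what makes the virtual DPM server the unit that gets deduplicated.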

Again, perfect world: 100->1 in deduplication.