Hyper-V Archives - Flemming Riis's System Center Blog

May

Protecting your assets with Windows Server 2016 Device Guard Part1

Categories: AppLocker, Backup, Device Guard, Hyper-V, Security, Veeam

Comments Off

With Windows Server 2016 we get device guard https://www.microsoft.com/en-us/cloud-platform/windows-server-security

Enhance the protection of your applications on-premises or running in the cloud. Help ensure only trusted software runs on the server with Device Guard.

This means that we can now create policies on what are allowed to run on our servers in a more secure way than we know from applocker on desktops

In this example we have a Windows Server 2016 with Veeam installed and we want to protect against rouge applications / ransomware (this is not a veeam problem but just used as a example)

First off we block SMB in the firewall so don’t have a risk from a compromised workstation.

To get started with device guard i highly suggest the blogs from Matt Graeber @mattifestation / http://www.exploit-monday.com

A big thank you to Matt for posting his amazing content online

Windows Device Guard Code Integrity Policy Reference

http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html

Device Guard Code Integrity Policy Auditing Methodology

I have been following his guidelines on merging different policy’s to allow Veeam to function under the lockdown of the host

This post will show the start and the end result of the policy and additional post will show anything in between , its not a five minute now everything is working plan , there are mutiple issues with application spawning scripts and dynamic unsigned applications , but for many workloads this is very fast to get start with and give a very high return on time used

Following the procedure for whitelisting , i found that all of Veeam’s own binarys was signed with a few different certificates to they was easy to add to the policy

That left some files that looks to be from 3rd parties that wasn’t signed they have been added to the allow list on a file hash level , this means when there is new update our for veeam we need to add any updated files to the policy and reapply it

On the server running veeam we enabled device guard

Select a policy file that will be generated from the xml file with rules , from a security point of view anyone locally on the box can change the policy file so ACL needs to apply if logged on the box , or move to default system32 and for added security the policy can be signed

So with our policy applied and server rebooted , we have a functioning veeam and windows install

Now imagine a few the steps you have to go though to loose your data

1 , Logon on the veeam server

2, Open outlook is installed of some odd reason / Open webmail (if the server have internet acess for some off reason)

Download the odd worded email , click on the hml link that downloads a zip file and have a java script inside

Ignore the warning and click once more

and a few seconds later we have encrypted all our files including the backup data (bypassing both local defender client and firewall scanning)

Again the numbers of crazy decisions you have to go though to get this far is crazy, and still we see it

So what happends on our device guard protected server

We do the same as before

But with a different result

And we can see that device guard prevented the script from running and saving the day

Dec

Displaying Windows Performance Counters with Grafana and Influx DB with Windows Backeend

Categories: Grafana, Hyper-V, InfluxDB

Comments Off

Matthew Hodgkins published a blog earlier this year showing how to setup grafana and influxdb on a ubuntu server to publish performance counters from windows

https://hodgkins.io/windows-metric-dashboards-with-influxdb-and-grafana / https://twitter.com/matthodge

Following his guide to make this below was very smooth , and this is a crude step by step on trying to replicate the feature set in Windows

Credit : Matthew Hodkins

I wanted to try out the same with a windows backend instead of ubunu , please note this is thrown in with a showel , paths/users/logs nothing is changed and running as user processes , will created a updated post just wanted to get the first parts working

Heading to https://www.influxdata.com/downloads/ to download Telegraf and InfluxDB

I installed a Windows Server 2016 downloaded InfluxDB and copied in the files to Program Files

Started the influxd , and 15 seconds later we have a default installed influxdb ready for use

On the same box i downloaded newest version of grafana http://grafana.org/download/

And started up the services

on the 2 hyper-v hosts used in the test i installed the telegraf clients and used the default performance counters it picked up , only change was adding the hostname where it should deliver the counters

Logging into Grafana with admin/admin

In Grafana go to datasources and add data source , select influxdb

add localhost:8086 for influx db and telegraf for database and a dummy username / password

And we know have a datasource we can use

In dashboards , select create new

Select Graph Style

It now creates a default view , double click on “Panel Title” and select edit

Delete the fake datasource and add our LocalInfluxDB as datasource

and select win_cpu / Percent_Processor_Time , and group by tag (host) , and to $tag_host

Setting Y-Max to 100 will show the util as 0-100 instead of the max load

Adding a thredshold to show warning/critical (V4 of Grafana supported alerting will get back to that in next post)

And the end result , cpu util displayed for the 2 hosts

Jun

Deploying Data Protection Manager in a dedicated domain

Categories: Active Directory, Data Protection Manager, Disaster Recovery, DPM, Hyper-V

Comments Off

Data Protection and the ability recover data is key to keeping your job and your company alive.

The demo setup thats is going to be used in this post are

PROTECTDC01 Domain Controller in the PROTECT Forest
PROTECTDC02 Domain Controller in the PROTECT Forest
PROTECTDDPM01 Data Protection Manager Server in the PROTECT Forest
FABRICDC01 Domain Controller in the FABRIC Forest
FABRICDC02 Domain Controller in the FABRIC Forest
FABRICHV01-04 Hyper-V HyperConverged Instal
FABRICHVC01 Hyper-V Cluster with member FABRICHV01-04
WORKLOAD01-05 Virtual Workload in the FABRIC Hyper-V Cluster

As this is a test enviroment everything are stuck on one box.

For the real world deployment the FABRIC and PROTECT domain must be seperated , the whole point in this post will be if you for some reason get compromised in your FABRIC domain , you will still have access to the PROTECT domain and maintain the ability to recover your data.

This also means that in a larger enviroment you can easier seperate the roles so one team wont have access to both source and target of backup data

We do in the example log in interative on the fabric domain , so if the host is compromised before agent install the protect domain is going down the same path , so there is still some work to be done but beats having everything in one domain.

On the PROTECT domain setup DNS forwarders to the FABRIC domain

And in Reverse to get name resolution up and running up between the two forests

Setting up the trust

for this test forest-wide is used , tighter security can be used with selective authentication

On the 4 Hyper-V Hosts we add the DPM account from the protect domain

We then add the DPM agent to all Hyper-V hosts and run the

SetDPMServer –dpmservername protectdpm01.protect.azurestack.coffee , this connects the Hyper-V host to the remote DPM server

On the data protection manager , we use Attach Agents

And we add the 4 Hyper-V hosts manually

And we now have all 4 servers

use credentials in the fabric domain or the dpm account to attach the agent

Sucess

Create a protection group browse to the VM’s and add them

And we can now backup from a dedicated domain from the Fabric domain

Jan

Enabling AzureStack test enviroment using Nested Hyper-V

Categories: AzureStack, Hyper-V, Nested, Unsupported

Comments Off

So with preview software the 2nd thing to do is go down the unspported/untested path

So after baremetal deployment on a few different host we move on to do nested AzureStack install , this is to enable faster deployment and rollback when we break something on purpose to test.

But always follow support guide lines for testing and use a dedicated phsycial machine , (we does this on mutiple other install in our testing setup)

Time from VM creation to AzureStack running 2 hours 15 minutes Smile

NOTE : Do not count this as stability testing always use supported hardware for that

So say Hello to our Little VM

16 Cores , 256Gb Memory , 5 drives at 300G

Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Enable-NestedVm.ps1 -OutFile ~/Enable-NestedVm.ps1

~/Enable-NestedVm.ps1 -VmName “STACK10”

Enable it for nesting Hyper-V

Install a Windows Server TP4 with US locales

For now GUI only (Sorry Snover)

And we can see all our drives

Add a static IP address and add DNS/Gateway for access to Azure Active Directory

And rename to the next stack install Smile

I prefeer to online the drives and initialize them

Time to jump to Azure Active Directory and create a tenant admin user

Extract the 9GB file and run the Azure Stack Installer

This leaves us with a few files Smile

Add local credentials , and verify that all prereq are met , note the space warning is not seen on bare metal installs , need to see if its because the drives are initialised but everything is fine for install