Chapter 9 and further Flashcards

1
Q

Remove AD DS from a server so you can install Windows Admin Center

A

Remove Roles and Features > Uncheck AD > Demote this domain controller > force removal of domain controller > proceed with removal > enter admin pass > demote.

Manage > Remove Roles and Features
Uncheck ADDS > Next > Remove > Restart

Go to your DC > Tools > AD Users and Computers > delete SVR1 from Domain Controllers > delete this domain controller anyway…

Assign domain again

2
Q

What is Windows Admin Center used for?

A

Manage things on premise and Azure -> WAC

Web Browser > google search Windows Admin Center > scroll to bottom and click download

Wizard > At the end you can copy the url to go to the Admin Center

3
Q

What is a WAC gateway?

A

Multiple admins can connect to administer multiple on-prem servers as well as AD

4
Q

What is a target server?
How would you add it to WAC?

A

Server you can manage via Windows Admin Center

+ ADD
Server
Enter name of server
put in admin creds
Add
Click on it and you will connect

There’s a roles and features tab that lets you install things on the server

5
Q

Open PowerShell via WAC

A

Click the server you want in WAC > PowerShell > this connects with PowerShell

WinRM must be running: port 5985 for HTTP and port 5986 for HTTPS

6
Q

What is the Second hop problem?
Does second hop remoting have to be enabled on both sides?

A

Second Hop Problem:
You can remote to one server with your creds, but if the new server needs to access resources on behalf of you, it won’t work.

Two Second Hop Problem Options:

MUST BE ENABLED ON BOTH SIDES!

CredSSP -> Credential Security Support Provider - caches creds on the remote server so it can pass them on to the next server. If the remote computer is compromised you’re f*cked though.

Kerberos Delegation
Has to be 2012 and above server
You would configure server C to specify where it accepts delegated credentials. Less Vulnerable - PTA request basically - CREDS AREN’T STORED!
Doesn’t need domain admin rights

MUST BE ENABLED ON BOTH SIDES!

7
Q

Activate CredSSP

A

CredSSP - Credential Security Support Provider

SERVER A:
Enable-WSManCredSSP -Role Client -DelegateComputer *.examlabpractice.com -Force

SERVER B:
Enable-WSManCredSSP -Role Server -Force

https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credss/

8
Q

Difference between CredSSP and Kerberos delegation

A

Kerberos Delegation -
Creds not stored
Configured via PowerShell
Doesn’t require domain admin creds
Works across domains and forests
Requires Server 2012 or later
Does not support the second hop for WinRM
Requires rights to update object and Service Principal Names <- you have to delegate rights to do this

CredSSP
Caches creds on server and passes them on

9
Q

What is JEA?
What version of PowerShell is required?
What file and folder are required to use this?
Show your PowerShell version

A

JEA - Just Enough Administration
Allows us to control what commands are available to admins at certain times

PowerShell 5 or later

$PSVersionTable

Role Capability File - also needs a couple of folders

10
Q

Allow the ability to restart using JEA
Allow the whoami command

Section 9 part 76

A

SET UP YOUR Role Capability File:

File explorer > This pc > C: > Program Files > WindowsPowerShell > Modules > New folder “dctest”

dctest > new folder “roleCapabilities”

via PowerShell >
New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\dctest\roleCapabilities\dcrole.psrc'

Open your roleCapabilities file > “Cmdlets to make visible when applied to a session” > add a line below > VisibleCmdlets = 'Restart-Computer'

“External commands…” > add line > VisibleExternalCommands = 'c:\windows\system32\whoami.exe'

via powershell
New-PSSessionConfigurationFile -Path c:\dctest.pssc

To view the config file
File > open dctest >
SessionType = 'RestrictedRemoteServer'
Turn on TranscriptDirectory by uncommenting <- records all commands that the user types
RunAsVirtualAccount = $true <- when someone authenticates they’ll get a virtual account that is gotten rid of after they’re done
Uncomment RoleDefinitions, change sql admins to gamesharks\administrator
RoleCapabilities = 'DCrole' }}

Save script - now you can register it
type
Register-PSSessionConfiguration -Name DCadmin -Path 'C:\dctest.pssc'

restart-service winrm

enter-pssession -computername nyc-dc1 -configurationname DCAdmin

11
Q

Manage Windows Servers by using ARC

A

ARC is used for managing servers on prem and in Azure in one place.

portal.azure.com > lookup arc and click on it > + add > copy script and run it on the server you want to bring into ARC

12
Q

Deploy policy setting out to your ARC servers

Can you assign multiple policies at a time?

A

Arc > click on the server you added > Go to policies in the left-hand corner > assign policy > policy definition: click the ellipsis, search for server and pick one you want > make sure it’s enforced > next > go to remediation > create a managed identity > system assigned > next >

remediation - turn something on or off or tell you something’s not compliant. If this feature isn’t turned on you can force it on.

Create a managed identity >

initiative - group of policies to assign

13
Q

What are extensions?
Create a custom script from extensions

A

Extra software or agents for your servers, like an extra feature that the server doesn’t support

Create a PowerShell script on the server
Install-WindowsFeature -Name DNS > save to desktop

Arc > server > go to your server > extension on left > +Add > Custom > create > browse > create storage account > click on storage account created > + container and call it scripts > create > select the container > upload the script that’s stored on your computer

storage account - stores info

container - folder for storage account to be stored in

14
Q

Deploy updates to on prem and azure boxes on arc

What are the three things that are required to do this?

A

Automation account, a log analytics workspace (stores logs), and an agent ()

You’ll need an automation account
Search automation accounts in the search > +create > review and create > now you can get a Log analytics workspace which stores your log info (this costs money) > go to resource > click update mgmt > Drop down log Analytics workspace and “Create new workspace” >

create an agent:
Open your server connected to arc > go to portal.azure.com > resource groups > go to the one with the log analytics workspace > overview > Click on “Windows and Linux Agents Mgmt” under “Connect a data source” > Download the windows agent 64-bit > install that to your machine.

Wizard:
Select the box that connects the agent to Azure Log Analytics
DON’T select Connect the agent to System Center Operations Manager - this is an on premise analytic server that can gather data. > Copy and paste all the info from portal.azure.com > Use Microsoft Update when I check for updates

To change which log analytics workspace you’re connected to:
Control panel on server > Large Icons > Microsoft monitoring agents > Azure Log Analytics > add

Open resource group where automation account is and click on it > click on inventory if you want to verify what workspace this is connected to. > click update management > click to manage machines > enable and wait from 15 minutes to an hour

Arc > server > your server > update Management > if there’s any missing updates you can decide here what to deploy

15
Q

Integrate Windows servers with Defender for Cloud

A

Drop down hamburger menu top left > Azure Active Directory > Security on left > Click Security Center on left > Click the Windows Defender for Cloud hyperlink

Secure score can give you a score compared to others with how good your security is.
