SPF record

A Sender Policy Framework (SPF) record is a TXT record that you add to your domain to help your recipients’ email server verify where email from your domain should be …

Azure Firewall

Azure Firewall is a managed, cloud-based stateful firewall for Azure resources. It has been built with high availability built in, so there is no need for …

Terraform – Build a VM

In this post, we will deploy a VM to Azure using Terraform. In the previous post we deployed the Resource Group and Virtual Network. Now we will build on this …

Terraform – State

Each time we run Terraform, it records the infrastructure created in a Terraform state file. It is a custom JSON format that maps the resources in Azure, AWS, Google, etc …

Terraform – list

In Terraform, an argument can have a number of values assigned to it. These lists are surrounded by a pair of square brackets [] and are a sequence of comma-separated values. …

Terraform – Dependencies

In our last couple of posts, on Building Infrastructure and Modify, we created a resource group within Azure and then modified the tags. Having a single resource group is not …

Terraform – Modify

In our previous post, we built a resource group in Azure. Below we are going to see what happens when we modify it. As companies grow or shrink, infrastructure constantly …

Terraform configuration

The files that are used to build the infrastructure are simply known as the Terraform configuration. The configuration declares the desired state and it is up to Terraform and the …

Installing Terraform (Windows 10)

Terraform is distributed as a binary package. To install it on a Windows 10 machine, the appropriate binary can be downloaded from https://www.terraform.io/downloads.html. After downloading and unzipping the file, which …

Infrastructure as Code – Terraform

Infrastructure as Code (IaC) allows for the building and managing of infrastructure through the use of a file or files rather than manually configuring resources in a user interface. This …

Environment variables – Windows 10

To modify the environment variables path in Windows 10: Open the Start search bar, type in Env and select “Edit the system environment variables”. Click the “Environment Variables…” button. Under …

Azure IP address 1

Virtual machines and other resources such as Azure Application Gateways, Azure Load Balancers and Azure VPN Gateways require an IP address. Create an IP – Portal: Click Create a resource and search …

Azure VNet to VNet peering

Virtual network peering enables Azure virtual networks to be connected together. Once peered, the virtual networks appear as one for connectivity purposes, with the traffic between the peered virtual networks being …

Azure VNet to VNet VPN gateway

The VNet to VNet connection type is a way to connect VNets together and is similar to creating a Site-to-Site IPsec connection to an on-premises location in that it uses …

Azure storage firewall and vnet

An Azure storage account can have network rules defined so that only traffic from specified networks can access the data. This is defined on the Firewalls and virtual networks blade …

Azure Storage Replication

The data within the Azure storage account is always replicated to ensure that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive …

Azure Storage Authorization

Each time an HTTP/HTTPS request is made to Azure Storage, access must be authorized to ensure that the client has the permissions required to access that data. Azure Storage offers …

Azure Storage Account

Azure Storage is Microsoft’s cloud storage solution, which is scalable, durable and highly available. Azure Storage includes the following data services: Azure Blobs: A massively scalable object store for …

Azure Virtual Machine Scale Set

Azure virtual machine scale sets allow for the creation and management of an identical group of load balanced VMs that can automatically scale up or down on a schedule or …

Azure Availability Set

An Availability Set can be used to increase the reliability and availability of Virtual Machines within Azure. It ensures that any VM deployed to Azure within an availability set is hosted …

Deploy ARM template – PowerShell

Azure PowerShell can be used to deploy resources to Azure using ARM templates. Prerequisites: A template to deploy. This can either be stored locally or in a remote source control repository …

Azure Resource Manager (ARM) Template

The ARM template is a JavaScript Object Notation (JSON) file that defines the resources which will be deployed and is made up of different sections. In its simplest structure, a template has …

Azure Resource Manager

Azure Resource Manager is Azure’s resource deployment and management service. It provides a consistent management layer, so that whenever an action is taken through the portal, Azure CLI, PowerShell, REST API or client SDK …

DNS Zone aging and scavenging

DNS aging and scavenging allows for the automatic clean-up of stale resource records. Aging is used for identifying stale DNS records and has two sections: No-refresh interval – It is …

DNS SOA

Every domain must have a Start of Authority record; it is a type of resource record containing information about the zone, especially zone transfers. Structure: Serial number – Increments every …

DNS records

The DNS server in Windows Server supports a very wide variety of resource records; the ones that are used the most are: A – An IPv4 host address record. AAAA – An IPv6 …

DNS secondary zone

Secondary zones are not authoritative for a zone and are a read-only copy. Secondary DNS zones depend on transferring the data for the zone from another DNS server. PowerShell cmdlet to …

DNS primary zones

A Primary DNS zone is required for DNS name resolution and is both authoritative for the zone and the primary point of contact for the zone. A secondary zone …

NPS RADIUS Proxy

An NPS can be configured as a proxy server, forwarding requests for RADIUS authentication to other RADIUS servers. To forward requests to other RADIUS servers, go to Connection Request Policy. Open …

NPS Configure a RADIUS server

NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure …

FortiGate Geo-Location

A diagnose command can be used to view more information about geography-based addressing. The command displays country and address information for the countries that have been added to the firewall …

AD account lockout policy settings

The Default Domain Policy has three account lockout policy settings. Account lockout threshold – Sets the number of times a password can be entered incorrectly before the account will be …

AD Kerberos policy settings

There are five Kerberos policy settings that are part of the Default Domain Policy. Enforce user logon restrictions – Enabled by default, causes the Key Distribution Center (KDC) to validate every …

AD local user password policy

Local user password policy can be set for the local machine by either going to the Local Security Policy or adding a GPO to the OU that the device is in. …

AD Password Settings Objects (PSOs)

Password Settings Objects (PSOs), otherwise known as fine-grained password policies, can be used to apply different password and account lockout policy restrictions to different sets of users in a domain. …

AD password policy settings

The Default Domain Policy’s password settings apply to all users in the domain except when a specific Password Settings Object has been applied. The default password policy can be modified …

AD Recycle Bin

Active Directory Recycle Bin can be used to recover deleted AD objects; to be able to do this it first needs to be enabled. Active Directory Recycle Bin requires a Forest …

AD perform Active Directory restore

There are two types of Active Directory restore: authoritative and non-authoritative. An authoritative restore is where the restored database is marked as authoritative for the domain by increasing the …

AD optimise an Active Directory database

The Active Directory database can be optimised by defragmenting it. Active Directory normally does an online defragmentation, but doing an offline one can recover space in the database. The tool used …

AD Taking Active Directory offline

Active Directory can be brought offline in a couple of ways. The traditional way is to boot into Directory Services Restore Mode (DSRM), which is a safe mode boot option …

AD Backing up AD and SYSVOL

The standard Windows Server Backup utility and also the backup command line tools can be used to back up Active Directory and SYSVOL. The Active Directory database and associated log files are stored …

AD Service Principal Names

A Service Principal Name is a unique identifier of a service instance and is used by Kerberos authentication to link a service instance with a service logon account. SPNs have the …

AD domain controller cloning

Virtualized Domain Controllers can be cloned, though copying of the VHD(x) is not supported. The cloning process must be followed to ensure domain and data integrity are kept. The following …

AD Kerberos Delegation

Kerberos Delegation allows a front-end server to access back-end resources by allowing a Kerberos ticket to be created for another service on the originating user’s behalf. Kerberos Delegation …

AD Group Managed Service Accounts

Windows 2012 introduced Group Managed Service Accounts (gMSA), which allow stand-alone MSA accounts to be used across multiple computers. gMSAs can be used for scheduled tasks, IIS application pools, …

AD Managed Service Accounts

Managed Service Accounts (MSA) are Active Directory accounts whose password is managed and changed automatically every 30 days. This overcomes the issue of service accounts that have passwords …

GPO import

The settings of a backed-up GPO can be imported into an existing GPO. To do this via PowerShell the cmdlet is: Import-GPO -BackupGpoName TestGPO -TargetName TestGPO -Path c:\backups In …

GPO reset default GPOs

Best practice is not to modify the default domain policies, but if they ever need to be restored back to their original state the following command can be used. …

GPO configure item-level targeting

The power of preference extensions comes in item-level targeting. This can be used to narrow the scope to which the extension applies, for example users in a certain security …

GPO Internet Explorer settings

Internet Explorer settings can be configured in preference extensions in the Control Panel section of both User and Computer configuration. It displays the same dialog box as IE Internet Options.

GPO power options

The Printer preference extension allows for the creation, modification and deletion of local, shared, and TCP/IP printers without having to create and maintain logon scripts. Printers can be set in either Computer or …

GPO network drive mappings

The Drive Maps preference extension allows for the mapping of network drives. Action has the following options: Create, Replace, Update and Delete. Location: type a fully qualified UNC path for the network …

GPO printers

This extension allows for the creation, modification and deletion of local, shared and TCP/IP printers. Above is adding a shared printer. In the Action drop-down there is Create, Replace, …

GPO Group Policy preferences

Group Policy preferences allow you to manage drive mappings, registry settings, local users and groups, services, files, and folders without the need to learn a scripting language, in the familiar Group Policy …

GPO copy

GPOs can be copied; to do this with PowerShell the cmdlet is: Copy-GPO -SourceName "TestGpo1" -TargetName "TestGpo2" It can also be done in GPMC by right-clicking the GPO and …

GPO restore

A GPO can be restored in PowerShell with the following cmdlet: Restore-GPO -Name "Default Domain Policy" -Path <path to GPO backups> As well as PowerShell, GPMC can be used to restore. …

GPO backup

GPOs can be backed up either by PowerShell or the GUI. The cmdlet for backing up GPOs is: Backup-GPO -All -Path <path to GPO backup> To back up via the GUI, in …

GPO Filtering administrative templates

The list of administrative templates can be filtered; to do this, first right-click on Administrative Templates and select Filter Options. Filtering based on properties: You can filter based on …

GPO custom administrative template file

Extra administrative templates can be added by copying the admx and adml files to the PolicyDefinitions folder. Within a GPO in GPMC, right-click on Administrative Templates and click Add/Remove Templates; this …

GPO import security templates

Security templates are .inf files that contain security settings. Security templates can be imported into a GPO via the GPMC. To import a security template, expand Computer Configuration/Policies/Windows Settings/Security Settings, right-click …

GPO administrative template

Group Policy administrative templates are XML-based files with the admx file extension. The language-specific template files have the adml file extension. In the GPMC, administrative templates are found in the …

GPO scripts

GPOs can be used to run scripts at computer startup and shutdown as well as user logon and logoff. These scripts can be Windows PowerShell or any Windows Script Host …

GPO folder redirection

Folder redirection allows for redirecting certain user folders, for example My Documents, to a location on a file server. Files in the redirected folder are then available to the user …

GPO Force Group Policy Update

Group Policy can be updated on individual devices by running the gpupdate /Force command. The /Force switch applies all policy settings, not just those that have changed. To remotely update Group …

GPO caching

Group Policy caching was created to improve processing under certain circumstances. It allows Group Policies to be run locally instead of being downloaded over the network at startup or logon. This …

GPO client-side extension (CSE)

A client-side extension runs on the client computer to implement Group Policy on that computer. In GPMC, settings can be modified for slow link, background processing and processing the policy …

AD Service Accounts

Traditionally service accounts have been user accounts that provide authentication and authorization for applications or services running on Windows servers. After creating the account in Active Directory Users and Computers, we …

GPO software installation

Group Policy can be used to deploy software to computers. The steps to do this involve: Create a shared folder which the users or computers can access. The msi files …

GPO slow-link processing

When a user logs into their device, it contacts the domain controller for the latest GPOs. There are mandatory GPOs that will always be applied, but some will not if …

GPO Loopback processing

In Group Policy, loopback processing modifies the default processing order. It is a computer setting and applies different user settings to a user logged into the computer that the GPO …

GPO WMI Filtering

Windows Management Instrumentation (WMI) filtering can be used so that a GPO only applies if certain requirements are met, for example the operating system is of a certain version or …

GPO Security filtering

By default a GPO applies to all objects within the Organizational Unit, with the Authenticated Users group applied to the GPO. To control or limit what groups, users or computers that …

GPO enforce policies

Normally GPOs are processed in link order (see GPO processing order and precedence), and if Block Inheritance is enabled, GPOs higher up are not processed, but when a GPO …

GPO blocking of inheritance

The default processing order of GPOs (see GPO processing order and precedence) can be modified; one of the ways is blocking of inheritance. If blocking of inheritance is set …

GPO processing order and precedence

The processing order of Group Policies affects what settings are applied to the end user or computer. The Local Computer Policy is processed first and then Active Directory policies from …

FortiGate DNS FortiOS 5.6

DNS servers resolve domain names (for example www.alastair.co.uk) to IP addresses. The FortiGate uses DNS servers to resolve names to IP addresses. The settings for this are under Network > …

Disable SIP ALG

SIP ALG allows the firewall to dynamically open ports for audio traffic, as well as rewriting IP addresses when NAT is used and inspecting VoIP traffic.

Blackhole

An issue which I have had was when a site-to-site VPN dropped: traffic for the VPN would be routed out the default route and a session was created.