Browsed by
Author: Amal Mammadov

Tagging Azure Resources

Tag Limits

– Not all resource types support tags. This means that you will not be able to apply tags to everything in Azure.
– A resource or resource group is limited to 15 tags. Each resource can have different tags.
– Tag names cannot exceed 512 characters. For storage accounts, tag names are limited to 128 characters.
– Tag values cannot exceed 256 characters.
– VMs cannot exceed 2048 characters for all tag names and values combined.
– Tags are not inherited by child resources….

Decode Windows Autounattend.xml password using PowerShell

Recently I needed to recover a password that I had forgotten from the Windows unattended installer file Autounattend.xml. The password is stored in this file as a Base64-encoded value, which can be easily decoded with the following lines of PowerShell:

    # Base64 value copied from Autounattend.xml
    $EncodedText = "UABhAHMAcwB3AG8AcgBkAA=="
    # The value is UTF-16LE text, so decode the bytes with the Unicode encoding
    $DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
    $DecodedText

To encode using PowerShell:

    # Plain text to encode (the decoded form of the value above)
    $Text = "Password"
    # Convert to UTF-16LE bytes, then to Base64
    $EncodedText = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Text))
    $EncodedText

Securing Azure Storage Account

In this post, we will look into possible options to secure an Azure storage account. I will describe security using the following two security controls:

– Network-level security
– Access security (storage account access keys and shared access signatures)

Encryption

Azure Storage automatically encrypts your data with 256-bit AES encryption. Data in Azure Storage is encrypted and decrypted transparently. Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. All Azure Storage account tiers and deployment models…

Secure DevOps Kit for Azure

Today we will look at how to install and run an Azure infrastructure assessment using the Secure DevOps Kit for Azure, which was developed by Microsoft to secure its Azure infrastructure.

    # Check the installed PowerShell version
    $PSVersionTable
    # Install the AzSK module for the current user
    Install-Module AzSK -Scope CurrentUser
    # Same install, overriding command-name conflicts with modules already present
    Install-Module AzSK -Scope CurrentUser -AllowClobber
    # List the Az modules available on this machine
    Get-Module -Name Az.* -ListAvailable

The cmdlet below scans all Azure resources in the specified resource groups within a subscription and generates a status report:

    Get-AzSKAzureServicesSecurityStatus -SubscriptionId <SubscriptionId> -ResourceGroupNames <ResourceGroupNames>

The parameters required are:

– SubscriptionId – Subscription ID is the identifier…

Azure AD Roles

There are three main types of administrative/security roles for Azure. These include classic subscription administrator roles, Azure role-based access control (RBAC) roles, and Azure AD administrator roles.

Classic subscription administrator roles:

– Historical administrator: Roles which were originally used by Azure Service Manager
– Account administrator: Can manage/create/cancel subscriptions and change service administrator
– Service administrator: Can manage services within the Azure portal and co-administrators
– Co-administrator: Same permissions as service admin, but cannot manage classic admin roles

Azure role-based…

Configuring F5 Big-IP Web Application Firewall (WAF)

I decided to share my experience in configuring F5 devices. This is the first of my articles about the configuration of F5 Big-IP WAF and Balancer solutions.

1. F5 Big-IP ASM Module

WAF functionality in F5 devices is implemented by the ASM module, which needs to be additionally enabled on balancers after installation of the respective licenses. This module adds a new “Security” menu to the F5 balancer’s main menu, and all WAF-related troubleshooting and manipulations are possible under this…

DNS Security – DNSSEC

DNSKEY

This record stores the public key that is used to cryptographically validate signed DNS records. In public key infrastructure (PKI), the DNS server signs the records with its private key, and validates the records’ integrity by using its corresponding public key. Note that in DNSSEC it’s the DNS server that performs the record validation on behalf of DNS clients.

RRSIG

This record is the digital signature for a particular DNS record. If a…

Hyper-V Just-Enough-Administration (JEA)

I decided to write a series of articles about securing Windows Server, which I frequently do. This is the first one on this topic.

Problem Statement: A company owns virtualization infrastructure with some virtual machines. Hyper-V admins are responsible for all of the company's virtual machines and have full access to the Hyper-V host servers. Alongside these admins, the company has a group of other admins who are responsible only for particular virtual machines and need to control them. In our case, this is the Monitoring VM. Until JEA…
