Trying to gather resources that can help to secure Azure environment;
There are three most essential areas in Microsoft Azure, RBAC, Storage and Networking, everything in Azure depends on these three main pillars, and considering these areas, I identified the 3 topmost dangerous cyberattacks, below the TOP Parade:
Privilege escalation to Azure PIM and the Global Admin Account;
Ransomware Attack;
Attack to the public and private IP addresses;
All these attacks are extremely dangerous and effective. However, the privilege escalation is the most dangerous because it can escalate a top-level, which means no more control in the entire cloud and company.
One of my developer started getting Git Credential Manager for windows popup and received Authentication failure message. The work around was;
Check the Git for Windows in the Tools – Get Tools and Features…), go to “Individual Item” tab, check “Git for Windows”, and click “Modify”. Then it will ask you to update vs2017 to latest version, for example 15.9.36.
If your organization was created with a Microsoft account, connect your organization to your Azure Azure AD. Sign in to Azure DevOps Services with the same username and password that you use with your Microsoft services. Enforce policies for accessing your team’s critical resources and key assets.
There’s no downtime during this change, but users are affected. Let them know before you begin.
Compare Azure DevOPS email list with your Azure AD email list. Create an Azure AD email address entry for every user who’s in the Azure DevOPS organization and not in the Azure AD.
Connect organization to Azure AD by selecting Azure Active Directory.
Click on Connect directory;
2 out of 6 members(s) are the members that doesn’t exist in Azure AD. They are guest developers using their hotmai/gmail account. If we want to allow them to use Azure DevOPS, we need to create their accounts as Guest in Azure AD.
Sign out of Azure DevOPS.
Sign in with your Azure AD account. If you click on Organization Settings -> Azure Active Directory, you will see this page;
Clicking on Download will download your organization info, Azure DevOPS info and Owner of Azure DevOPS environment and any errors in the connect. This ensures that Azure DevOPS is connected with Azure.
The settings for controlling comments in WordPress is available under Settings > Discussion. Please note that this is the manual method of preventing/combating spam and is usually the most effective when you have a few comments every day. However, if you have over 1000 daily comments, it is more feasible to use an antispam plugin.
Let’s discuss certain ways to use these default WordPress settings to prevent spam. We will discuss one section at a time.
Default Article Settings
Simply disable trackbacks and pingbacks to save yourself from half the spam traffic. Only allow people to post comments on new articles.
Other Comment Settings
It is almost always necessary for the comment author to enter his name/email before commenting. WordPress enables this by default. If you require users to log in before leaving comments then this will cut down on a significant amount of spam This step might be a turn off for few legit readers who want to leave a comment but don’t want to sign in. Therefore you must carefully analyze before enabling this feature.
You should disable comments on posts older than 90 days in a fairly active blog. However, if you keep updating articles, make sure to change the published date so that the 90 days boundary doesn’t overlap. Keep Threaded comments to the default or increase it if required.
E-mail Me Whenever
You can use this feature if you don’t get thousands of comments on your posts. You will get email notifications for every comment that pops up and you can mark it spam right away cutting down on a section of spam comments.
Before a Comment Appears
Allowing readers who have previously left a comment, to leave a comment again without requiring any approval, will help you cut down the legit comments in the moderation queue. You’ll only have to focus on the remainder of users, mostly of which will be spam.
Comment Moderation
I suggest you use a value of 2. This ideally allows guest bloggers to leave at most one outgoing link (link bait) in their comment. Building an effective comment moderation blacklist is a very time-consuming process, with equally beneficial payoffs. However, you can leverage this setting as an effective profanity filter. Simply add the profane words to the list and all such comments will be added to the moderation queue.
Comment Blacklist
Comment Blacklist is stricter version of the Comment Moderation Blacklist, where if a comment contains a blacklisted word, it is sent to the spam queue, instead of the moderation queue. The benefit – saves your time.
By default, SQL Server services run under these accounts;
Sometimes administrator might have changed these service accounts to window accounts for management reasons. To get them back to default accounts, right click on service and change them to NT Service\[Account Name] where [Account Name] is above listed account without any password. Windows know how to setup the password.
We would like to create a windows proxy account so that we can use it inside SQL server. The intent is to use this account to read/write from windows file system.
I am using my local laptop for this demo but you can use a domain account. The only difference would be to change [ComputerName]\[AccountName] to [DomainName[\[AccountName].
You might have received this user from your domain administrator. If not then create a Windows user “SQLService” on your local computer and make him member of “Users” group only.
Next Open SIMS -> Security -> Login -> New Login.
Server Role -> public.
User Mapping -> msdb -> db_ssisoperator, public
User Mapping -> SSISDB -> ssis admin, public
Next Security -> Credentials -> New Credentials
Next SQL Server Agent -> Proxies -> SSIS Package Execution -> New Proxy
I have selected “Operating system (CmdExec) and “PowerShell” additional subsystems. You might not need these.
Under Principals, Select your windows service account;
Deploy your integration service packages. You will be able to see them under SSISDB->[Folder Name]\[Project Name]. Run your package. It will successeded because you are running them under your security context;
Create a job with a job step in SQL Server Agent. Make sure to change the context “Run as: SQLServiceProxy”;
When you run the job, it will fail. The reason, its running under the context of SQLService account. Connections within integration services are made with integrated security not SQL server.
Since we will be using SQL Login so I am going to change SSIS connection string in environment variables.
Now when you run the package, it will succeed.
Its time to check file system access. Open c:\windows\temp folder and see effective permission of SQLService account;
Grant full permission on this folder;
Script tasks require access to this folder for .NET framework and other temporary operations.
Still if you get this error;
The cause, SQLService windows account is not part of “Distributed COM Users” group on the machine where SSIS is installed. Add SQLService account to this windows group. You can read more about this here;
If the package fails again on server and you see this error in windows event viewer;
Make sure your SSIS project is targeting correct SQL Server Version. Right Click on your SSIS project -> Properties;
Deploy your project.
For SQL Server 2019 you need to set “False” for Azure-Enabled Project. As of this writing Azure-Enabled Project works with SQL Server 2017 only.
Run the package and everything should be Green now (hopefully :). We are done.
The above setup will work if we are reading/writing files in a domain controller environment or on a single server.
Setting up Azure Storage for reading/writing files
Service accounts are normally not interactive accounts. If we are using Azure Storage for reading/writing files with SAS then we would need to save Azure credentials in Credential Manager. To get to Credential Manager we need to login on server with our service account that will make it interactive.
Follow these steps;
Login to server with [servername]\SQLService account. If you are doing RDP, make sure this account is member of “Remote Desktop users” user’s group. Search for credential manager.
Remove this account from “Remote Desktop users”. Run agent, still fails.
Try to Run SQL Server Agent under windows service account;
This time this started working. This is an alternative approach. We are using service account to run SQL Server agent. If this is the case then we don’t need to setup credentials and proxy accounts in SQL Server.
What happened behind the scene. Windows service account is granted “Log on as service permission” by windows. We can verify this following “Enable service log on through a local group policy” section below.
If we want to revert to “NT Service\SqlServerAgent” as service account, simply change your service account from windows service to SqlServerAgent and it would still work.
Follow this to allow an account “Login as service” permission manually if required;
Enable service log on through a local group policy
Follow these steps:
Sign in with administrator privileges to the computer from which you want to provide Log on as Service permission to accounts.
Go to Administrative Tools, click Local Security Policy.
Expand Local Policy, click User Rights Assignment. In the right pane, right-click Log on as a service and select Properties.
Click Add User or Group option to add the new user.
In the Select Users or Groups dialogue, find the user you wish to add and click OK.
Click OK in the Log on as a service Properties to save the changes.
