What's New in Azure Active Directory for December 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for December 2021:

What’s Planned

Tenant enablement of combined security information registration

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

In April 2020, Microsoft announced that a new combined registration experience, enabling users to register authentication methods for self-service password reset (SSPR) and multi-factor authentication (MFA) at the same time, was generally available for organizations to opt in to.

Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022 Microsoft will be enabling the combined registration experience for MFA and SSPR for existing Azure AD tenants.

What’s Deprecated

Pre-authentication error events removed from Azure AD Sign-in Logs

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft is no longer publishing sign-in logs with the following error codes, because these events are pre-authentication events that occur before the service has authenticated a user:

  • 50058 Session information is not sufficient for single-sign-on.
  • 16000 Either multiple user identities are available for the current request or selected account is not supported for the scenario.
  • 500581 Fetching sessions for single-sign-on on V2 with prompt=none requires JavaScript to verify if any MSA accounts are signed in.
  • 81012 The user trying to sign in to Azure AD is different from the user signed into the device.

Because these events happen before authentication, the service is not always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in the tenant’s sign-in logs. These logs are no longer visible in the Azure portal, and querying these error codes in the Graph API will no longer return results.

What’s New

Number Matching in the Authenticator App Public Preview

Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multi-factor authentication notification in the Authenticator app. This feature adds an additional security measure to the Microsoft Authenticator app.


Azure AD Connect v2.0.91.0 offers a FIPS-compliant Health Component

Azure AD Connect

A mere month after the release of Azure AD Connect v2.0.89.0, Microsoft released an update to Azure AD Connect v2.x that offers new functionality.

None of the Azure AD Connect v2.x releases are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

What’s New

Microsoft updated the Azure AD Connect Health component in this release from version to version 3.2.1823.12.

This new version provides compliance of the Azure AD Connect Health component with the Federal Information Processing Standards (FIPS) requirements.

About FIPS

The Federal Information Processing Standards (FIPS) are a set of requirements asserted by NIST in order to centralize and make uniform the ways in which the US government manages the risks associated with securing and transporting sensitive information.

FIPS came into existence as part of the larger FISMA legislation in 2002. FIPS compliance requires that a computer system must meet the baseline qualities asserted in all numbered publications.

About Azure AD Connect Health

Azure AD Connect Health helps administrators monitor and gain insights into their Hybrid Identity implementations. It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services by providing monitoring capabilities for your key identity components:

  • Azure Active Directory Connect installations
  • Active Directory Federation Services (AD FS) servers
  • Web Application Proxies
  • Active Directory Domain Controllers

Azure AD Connect Health makes the key data points about these components easily accessible in the Azure AD Connect Health portal so performance monitoring, usage analysis, troubleshooting and gaining other important insights becomes easy.

Azure AD Connect Health for Sync

Azure AD Connect Health for Sync is integrated with every Azure AD Connect installation and automatically sends information to Microsoft, unless a web proxy blocks traffic to its endpoints.

Version information

This is version of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB AzureADConnect.msi on January 19, 2021.

You can download the latest version of Azure AD Connect here.


Microsoft has released out-of-band updates to address Domain Controller boot loops

Windows Server

Last week, we mentioned that the January 11th, 2022 updates caused some Domain Controllers to restart unexpectedly. Our advice, then, was to uninstall the updates when encountering this problem. However, uninstalling these updates also rolled back other fixes that address critical vulnerabilities in Windows Server. That is a situation you don’t want to be in for several weeks or months.

Today, Microsoft offers a solution by releasing additional updates for the Operating Systems affected by the Domain Controller boot loops.


About the updates

The following optional updates are available for Windows Server installations as part of the January 17, 2022 updates:

Further reading

Windows Server 2019 OOB update fixes reboots, Hyper-V, ReFS bugs
Some Domain Controllers may restart unexpectedly after applying the January 11, 2022 Updates


Some Domain Controllers may restart unexpectedly after applying the January 11, 2022 Updates

When installing updates, there is always the risk of rogue updates; updates that break functionality, unannounced, unexpected and unsettling. Microsoft is currently researching such a possible side-effect with the January 11, 2022 updates on Active Directory Domain Controllers.

About the issue

Domain Controllers may reboot unexpectedly and keep rebooting. Event ID 1000 is triggered right before these reboots citing that lsass.exe had failed with stop error 0xc0000005 (access violation), status code -1073741819 and pointing to msv1_0.dll as the culprit.

The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on the system. It verifies users signing in to a Windows or Windows Server installation, handles password changes, and creates access tokens. It also writes to the Windows Security Log. Forcible termination of lsass.exe results in a restart of the Domain Controller. The restarts are the actual recovery process, not the problem.

Unconfirmed details and symptoms

At this time, there are a couple of unconfirmed details and symptoms about this issue:

  • Domain Controllers running Windows Server 2012 R2, Windows Server 2019 and Windows Server 2022 seem most affected.
  • Domain Controllers in environments with Exchange Servers seem most affected.
  • Read-only Domain Controllers seem unaffected.

About the updates

The following updates are available for Windows Server installations as part of the January 11, 2022 updates:


Active Directory admins experiencing continually rebooting Domain Controllers share that they have stopped the reboots by disconnecting the network connection and uninstalling the January 11th, 2022 update from these systems. They rebooted the systems and after this reconnected the network connection.

When installing security updates only on Domain Controllers running Windows Server 2012 R2, uninstalling KB5009595 also seems sufficient.

To uninstall these updates, run the following command line:

Windows Server 2012 R2: wusa.exe /uninstall /kb:5009624

Windows Server 2019: wusa.exe /uninstall /kb:5009557

Windows Server 2022: wusa.exe /uninstall /kb:5009555
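As an added example, not from the original post, the following PowerShell script checks a Domain Controller for the signature described above: Event ID 1000 entries in the Application log in which lsass.exe faulted with exception code 0xc0000005 in msv1_0.dll, combined with whether the January 11, 2022 update for that Windows Server version is installed. The KB numbers are the ones from the uninstall commands above; the mapping from OS build number to KB, the 24-hour look-back window and the regular expressions on the event text are assumptions of this example.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the Domain Controller you want to check.
# Assumption: the KB numbers come from the uninstall commands in the post and are
# mapped here to the OS version string that Win32_OperatingSystem reports.
$KbByBuild = @{
    '6.3.9600'   = 'KB5009624'   # Windows Server 2012 R2
    '10.0.17763' = 'KB5009557'   # Windows Server 2019
    '10.0.20348' = 'KB5009555'   # Windows Server 2022
}

function Get-LsassCrashEvents {
    param([int]$Hours = 24)
    # Application Error events (Event ID 1000) are written to the Application log
    # before the forced restart, so they survive the reboot and can be read afterwards.
    $filter = @{ LogName = 'Application'; Id = 1000; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'lsass\.exe'  -and
            $_.Message -match '0xc0000005'  -and
            $_.Message -match 'msv1_0\.dll'
        } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { (($_.Message -split "`r?`n")[0..2]) -join ' | ' } }
}

function Get-JanuaryUpdateStatus {
    $os    = Get-CimInstance Win32_OperatingSystem
    $kb    = $KbByBuild[$os.Version]
    $state = [pscustomobject]@{ Caption = $os.Caption; Version = $os.Version; KB = $kb; Installed = $null }
    if ($kb) {
        # Get-HotFix lists installed updates by KB id; no result means not installed (or already removed)
        $state.Installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }
    $state
}

$status  = Get-JanuaryUpdateStatus
$crashes = @(Get-LsassCrashEvents -Hours 24)

$status | Format-List
if ($crashes.Count -gt 0) {
    Write-Warning ("{0} lsass.exe crash(es) with 0xc0000005 in msv1_0.dll in the last 24 hours" -f $crashes.Count)
    $crashes | Format-Table -AutoSize
    if ($status.Installed) {
        # Same workaround as the post: remove the January 11, 2022 update for this version
        Write-Warning "Matches the boot-loop issue. Workaround from the post: wusa.exe /uninstall /kb:$($status.KB.Substring(2))"
    }
} else {
    Write-Host 'No matching lsass.exe crash events found.'
}
```

Run it while the Domain Controller is disconnected from the network, as the admins quoted above did, so the check completes before the next restart; a Domain Controller that shows the crash events but does not have the listed KB installed has a different problem and should not have unrelated updates removed.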


I’m not a fan of not having critical updates installed, but in this case I feel it may be wise to wait 10 days before installing the January 11th, 2022 updates on Domain Controllers. My experience is that serious problems like the above problem are addressed within that timeframe.

Further reading

Microsoft pulls new Windows Server updates due to critical bugs
Windows Server: January 2022 security updates are causing DC boot loop 
January updates causing unexpected reboots on domain controllers : sysadmin


Going All-in with HornetSecurity 365 Total Protection

HornetSecurity Total Protection Enterprise Backup

Previously, I’ve shared my experiences with Altaro’s Office 365 Backup and Hornetsecurity’s 365 Threat Monitor. Both services add information security value on their own, but are also part of something bigger: HornetSecurity’s 365 Total Protection. 

Should you go all-in with HornetSecurity’s 365 Total Protection to face your Microsoft 365 challenges head-on?

The three flavours of 365 Total Protection

HornetSecurity offers its 365 Total Protection suite in three flavours:

  1. 365 Total Protection Business
  2. 365 Total Protection Enterprise
  3. 365 Total Protection Enterprise Backup

365 Total Protection Business offers everything an organization needs in terms of email security. It also offers individual and group email signatures.

365 Total Protection Enterprise includes all of the features of 365 Total Protection Business and adds advanced features like archiving, retention, eDiscovery and sandboxing.

365 Total Protection Enterprise Backup is the all-in-one solution. It offers everything 365 Total Protection Enterprise offers, adds Office 365 Backup, and also adds backup for Windows-based devices.

365 Total Protection vs. Microsoft 365 E5/A5

Microsoft 365 E3 and Office 365 E3 seem to be the prevailing license subscriptions at organizations adopting Microsoft cloud services.

A lot of people responsible for information security at organizations may now ask themselves what the difference is between HornetSecurity’s 365 Total Protection and the additional benefits that Office 365 E5/A5 subscription licenses bring. I feel that for many organizations HornetSecurity’s 365 Total Protection offers answers to the common asks that drive organizations to subscribe to one or more of the following Microsoft subscriptions for their Exchange Online security challenges:

  • Microsoft 365 E5/A5
  • Microsoft 365 E5/A5 Compliance
  • Microsoft 365 E5/A5 Security
  • Office 365 E5/A5
  • Defender for Office 365

Safe attachments and safe links

The Safe Attachments and Safe Links functionality in Office 365 E5/A5 allow organizations to have Microsoft detonate attachments in sandboxes in Microsoft’s datacenters and rewrite URLs in messages so the recipient uses an intermediate process to access webservers. The same functionality is available in 365 Total Protection Enterprise through its ATP Sandboxing and URL Malware Control features.

Data loss prevention

Many organizations facing GDPR, CCPA and other regulations have embraced the idea of data loss prevention rules, helping people in the organization to handle PII data with care. You can define labels and apply data loss prevention policies based on these labels, but people have to apply the labels manually. Automatic labeling is a Microsoft 365 E5/A5 feature.

However, the main goal for many organizations that use Exchange Online to start dabbling with Data Loss Prevention is to have messages with PII data encrypted. 365 Total Protection’s Secure Cipher Policy Control and Global S/MIME & PGP Encryption features work together to provide that outcome. Just as Microsoft provides easy access to these encryption mechanisms, so does HornetSecurity. No hassle or self-hosted PKI, but an easy option to select.

Advanced Audit, Advanced eDiscovery and Threat Explorer

Part of Microsoft 365 E5’s benefits over its E3 capabilities are its Advanced Audit and Advanced eDiscovery features. Needless to say, organizations typically use these features in post-breach and legal situations.

365 Total Protection offers similar features. Its eDiscovery feature provides the same fine-grained search and export capabilities. However, its Forensic Analyses, Realtime Threat Report and Malware Ex Post Deletion focus specifically on post-breach situations, covering both external and insider threats.


Organizations that have chosen Office 365 E1, Office 365 Business or Exchange Online Plan 1 and work with non-subscription versions of Outlook may also benefit largely from a 365 Total Protection subscription. Their licensing setups do not include the full archiving functionality. 365 Total Protection offers fully automatic Email Archiving with a 10-year Email Retention.

365 Total Protection vs. other solutions

For some of the other functionality that 365 Total Protection offers, other organizations provide solutions, too.

Safe mail

Many point solutions exist offering email encryption. This feature is also present in all 365 Total Protection plans and is named Websafe. It allows communications with organizations that do not offer email encryption and offers functionality similar to the functionality offered by Trustify, SmartLockr and Zivver.

Email signatures

Email signatures have led to recurring nightmares for email admins. It’s the reason many on-premises organizations have embraced Exclaimer. 365 Total Protection offers the same functionality as part of the overall solution, but also throws in a Company Disclaimer and Intelligent Ads. It’s what your organization always wanted in emails, but did not realize until now.

Office 365 Backup and Restore

Many organizations feel that the replicas within Microsoft’s infrastructure and the resilience in that infrastructure offer sufficient data availability guarantees. As many Office 365 backup vendors would point out, the responsibility of your organization’s data is a shared responsibility. The Enterprise Backup tier of 365 Total Protection offers backups of your data.

By creating backups of the data in Microsoft 365 services, your organization can handle accidentally deleted data, purposely deleted data and its exit scenario with ease. In its top tier, 365 Total Protection offers this functionality as a service.


However, restoring all data in case of a ransomware attack or even accessing your data when the Microsoft 365 services are unavailable is a pain. It always takes longer than you anticipate… 365 Total Protection’s Email Continuity Service provides the answer to these situations. Within seconds, your organization can get back to business as usual and have all the information they need right in their familiar Microsoft Outlook.

Windows Endpoint backup and restore

Microsoft’s vision for consuming data in Microsoft 365 apps and services is focused on the device. Intune management may configure these endpoints with up-to-date Windows versions, up-to-date anti-malware measures and disk encryption, but it doesn’t help in situations where the device is otherwise encrypted, incapacitated or stolen. The productivity of your colleagues may depend on local data and settings on these devices, and 365 Total Protection offers backups and restores without the need for a VPN or other non-user-friendly setups.


There are no organizations that rely on Microsoft-only software. Every organization uses software from at least one more vendor. When standardizing on Microsoft 365 services, several vendors offer solutions, but HornetSecurity is a vendor that has a complete vision on what it takes to truly do that. In a world where every vendor and supply partner is a potential data leak to happen (just look at the issues with SolarWinds, Kaseya and Log4J, just in the last 12 months…) having one vendor assisting your admins within an optimized solution might prove invaluable in the long run.

When an organization leverages Exchange Online as the main service of the Office 365 services available to them, it makes perfect sense to consider 365 Total Protection as an alternative to upgrading licenses to Office 365 E5/A5.

However, 365 Total Protection does not offer the rich integration with other Microsoft 365 and Office 365 services. SharePoint and Teams are no focus for the 365 Total Protection suites (except for Enterprise Backup). When Teams and SharePoint Online are in (heavy) use, E5 licenses may provide more value through their rich integration with all services.


The End of Mainstream Support is a Time to make an important Decision about Windows Server 2016

Today, January 12th 2022, the Mainstream Support on Windows Server 2016 ended. This Windows Server Operating System (OS) has been with us for the past five years and will remain with us for the next five years, just not as it used to. Therefore, today is a time to make an important decision.

The most value

Any IT system, service and implementation offers the most value when its technical lifetime exceeds its depreciation period: its economic lifetime.

From a financial point of view, organizations don’t book the purchase of new systems, new licenses or IT implementations at the time of purchase. Each system and license (at least in Europe) and its corresponding implementation has remaining value after a year, after two years, after three years and in some cases after four years. That’s why most IT implementations have a depreciation period of four years.

‘Free’ IT

This jigsaw way of booking costs leads to an almost steady line of expenses in large organizations, but can still be seen at smaller organizations. At larger organizations, it leads to IT that seems ‘free’ when it is in use beyond its depreciation period.

“There’s nothing as cost-effective as a 17-year old Novell Netware server.”

– Sander Berkouwer

However, when IT suddenly comes knocking to replace systems like hypervisor platforms, storage and licenses, this might be considered intrusive, obnoxious and even downright cheeky. Ironically, it’s the way that management looks at IT that is cheeky.

All of this leads to the use of Windows Server 2008 and Windows Server 2008 R2 installations, today. These systems were installed with a distorted perspective on the economic lifetime. Either these systems were installed with Windows Server 2008 R2 when it was already 2018, or these systems are used beyond the ‘normal’ server depreciation period of five years.

Stop deploying Windows Server 2016 today

Windows Server 2016 is in extended support starting today. Not only does this mean that this particular Windows Server version only gets security updates going forward, it also means that all support ends in five years. To be exact: support ends on January 12, 2027.

This seems like a mighty long time away, but it isn’t. At least, it’s not from a depreciation period point of view: every new Windows Server 2016 installation that you perform from today onward will not be able to offer the most value to the organization.

To be clear: every new Windows Server 2016 installation from now on lands on the same pile that we’re currently still trying to clean up in terms of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

The only way to break this cycle is to stop deploying Windows Server 2016 today.

But what if…

… We can skip two Windows Server versions doing it our way

At many organizations, IT managers believe that they can skip two Windows Server versions in their migration strategies. Therefore, they only have to buy Windows licenses every nine to ten years, right?

Don’t kid yourselves. Today, these organizations aren’t migrating from Windows Server 2012 (R2) to Windows Server 2022. Nah, “it is too new”. Also, they won’t be able to migrate all their systems. Not even all their servers are running Windows Server 2012 (R2). In the past ten years, several applications have probably already raised the need for interim Windows Server versions.

… Our applications need deprecated Windows Server versions

Sure, I’ve encountered some multi-million-dollar lab equipment that still only works with Windows XP and mainframe systems that still require SMBv1. I feel your pain. But also, I’ve been constructively dealing with these situations. All these systems have been isolated into their own networking environments, some with their own dedicated Active Directory implementations. When the benefits of doing so outweigh the costs, this is a way to tackle that. Ironically, costs really add up over time to isolate these systems the right way. Starting isolation today is way easier than starting in four years time.

… management doesn’t approve of our migration plans

“If management still sees IT as a cost of doing business, your business will ultimately fail.”

– Sander Berkouwer

This is the hill I’m prepared to die on. There is no such thing as ‘free’ IT. Successful organizations spend up to 4% of their revenue. Studies show that the more an organization spends, the higher its success. If your organization faces a temporary cashflow challenge, then I feel that’s the only reason not to embark on sensible IT journeys. However, I would GTFO, as I like some guarantees for my wages to be paid.


Wormable Critical HTTP Protocol Stack Remote Code Execution Vulnerability affects Windows Server 2019- and 2022-based AD FS Servers (CVE-2022-21907)

During its Patch Tuesday on January 11th, 2022, Microsoft addressed a Remote Code Execution (RCE) security vulnerability that affects Windows Server 2019- and Windows Server 2022-based Active Directory Federation Services (AD FS) servers.

About the vulnerability

CVE-2022-21907 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets and run malicious code on these hosts.

The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status.


This vulnerability is wormable and the attack complexity is rated low. Microsoft assigned a CVSSv3 score of 9.8/8.5.

Affected Operating Systems and configurations

AD FS servers running the following Windows Server versions are affected by this vulnerability:

  • Windows Server 2019
  • Windows Server, version 20H2
  • Windows Server 2022

HTTP Trailer support is enabled, by default, on AD FS servers running Windows Server 2022 and Windows Server version 20H2, but not on Windows Server 2019.

On Windows Server 2019-based AD FS servers, the feature needs to be manually enabled through the registry. Use the following line to check whether the HTTP Trailer support is enabled.

Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport

When this registry value exists and the above line returns 1, HTTP Trailer support is enabled and the Windows Server 2019-based AD FS server is vulnerable.
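The registry check above, extended into a PowerShell function that also takes the Windows Server build and the AD FS role into account. This is an added example, not from the original post or from Microsoft: it assumes the build numbers 17763 (Windows Server 2019), 19042 (Windows Server, version 20H2) and 20348 (Windows Server 2022), that on the latter two an absent EnableTrailerSupport value means the documented default (enabled), and it reuses the January 2022 KB numbers for Windows Server 2019 and 2022 from the Domain Controller post above; the KB for version 20H2 is not listed on this page, so that build is reported without an update check.

```powershell
# Added example, not part of the original post. Run elevated on the server to assess.
function Test-HttpTrailerExposure {
    $key   = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.Version.Split('.')[2]          # e.g. 17763 for Windows Server 2019

    # Read the value without erroring when it does not exist
    $value = (Get-ItemProperty -Path $key -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport

    # Assumption: 2019 is off unless explicitly 1; 20H2 and 2022 are on unless explicitly 0
    $trailerEnabled = switch ($build) {
        17763                   { $value -eq 1; break }
        { $_ -in 19042, 20348 } { $value -ne 0; break }
        default                 { $null }             # build not in the advisory's list
    }

    # KB numbers from the Domain Controller post on this page; none listed for 20H2
    $kbByBuild       = @{ 17763 = 'KB5009557'; 20348 = 'KB5009555' }
    $kb              = $kbByBuild[$build]
    $updateInstalled = if ($kb) { [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) } else { $null }

    # The AD FS role is what makes http.sys reachable from the internet in this scenario
    $isAdfs = (Get-WindowsFeature -Name ADFS-Federation -ErrorAction SilentlyContinue).Installed -eq $true

    [pscustomobject]@{
        Caption               = $os.Caption
        Build                 = $build
        AdfsRoleInstalled     = $isAdfs
        EnableTrailerSupport  = $value
        TrailerSupportEnabled = $trailerEnabled
        JanuaryUpdateKB       = $kb
        JanuaryUpdateInstalled = $updateInstalled
        # Unknown update state ($null, i.e. 20H2) is treated as not installed
        Exposed               = ($isAdfs -and $trailerEnabled -eq $true -and $updateInstalled -ne $true)
    }
}

Test-HttpTrailerExposure | Format-List
```

Microsoft’s advisory for CVE-2022-21907 documents deleting the EnableTrailerSupport value as a mitigation for Windows Server 2019 only; on Windows Server, version 20H2 and Windows Server 2022 installing the update is the fix, which is why the function reports the update state next to the registry value instead of changing anything.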

Call to action

I urge you to install the necessary security updates on Windows Server 2019, Windows Server version 20H2 and Windows Server 2022 installations, acting as Active Directory Federation Services (AD FS) servers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to these Windows Server installations, acting as Active Directory Federation Services (AD FS) servers, in the production environment.

Further reading

CVE-2022-21907 – Security Update Guide – Microsoft – HTTP Protocol Stack Remote Code Execution Vulnerability


Three Active Directory vulnerabilities were addressed during Microsoft’s January 2022 Patch Tuesday

During its Patch Tuesday on January 11th, 2022, Microsoft addressed three Elevation of Privilege (EoP) security vulnerabilities in Active Directory components and protocols that can be attacked over the network.

About the vulnerabilities

Three vulnerabilities were addressed:

CVE-2022-21857 AD DS Elevation of Privilege Vulnerability

CVE-2022-21857 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability is specific to Active Directory Domain Services environments with incoming trusts.

The CVSSv3 score of this vulnerability is 8.8/7.7.

An update is available for all supported Operating Systems. Prior to installing this update, an attacker could elevate privileges across the trust boundary under certain conditions.

CVE-2022-21913 LSA Domain Policy Remote Protocol Security Feature Bypass

CVE-2022-21913 is a vulnerability that could allow an attacker to bypass security features in the Local Security Authority’s domain policy.

Most likely, this vulnerability is along the same lines as Andrew Bartlett’s earlier discovery that Samba may map domain users to local users in an undesired way. Especially, as Proof of Concept (PoC) exploitation code is available.

The CVSSv3 score of this vulnerability is 5.3/4.8.

An update is available for all supported Operating Systems.

CVE-2022-21920 Kerberos Elevation of Privilege Vulnerability

CVE-2022-21920 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability allows a domain user to elevate privileges to a domain admin. The attack complexity for this vulnerability is rated low.

The CVSSv3 score of this vulnerability is 8.8/7.5.

An update is available for all supported Operating Systems.

Call to action

I urge you to install the necessary security updates on Windows Server installations, running as Active Directory Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Active Directory Domain Controllers, in the production environment.

Further reading

CVE-2022-21920 – Windows Kerberos Elevation of Privilege Vulnerability 
CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability 
CVE-2022-21913 – Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass


A Critical Remote Code Execution vulnerability in Veeam Backup for Azure was automatically addressed

Last week, Veeam identified a critical vulnerability in a component of its Backup for Microsoft Azure solution, that allows attackers to bypass authentication mechanisms and execute arbitrary code.


About Veeam Backup for Microsoft Azure

Veeam Backup for Microsoft Azure is a solution offered by Veeam to backup and restore Azure IaaS-based virtual machines and Azure SQL databases. The solution offers instance, volume and file-level recovery options.

The solution is available as a virtual machine instance from the Azure marketplace that stores snapshots in Azure blob storage tiers and offers a web-based management portal.


About the vulnerability

The Veeam Updater component of Veeam Backup for Microsoft Azure contains a critical vulnerability that allows attackers to bypass authentication mechanisms and execute arbitrary code.

Veeam has released a new version of the Veeam Updater component in Veeam Backup for Microsoft Azure. The vulnerability is addressed in version, and up. This version resolves the discovered vulnerability in Veeam Backup for Microsoft Azure.

The vulnerability was found during internal testing at Veeam. Veeam has assigned a CVSS v3 score of 10.0 to this vulnerability.

Affected products

The vulnerability was present in the Veeam Updater component in the following products:

  • Veeam Backup for Microsoft Azure 2.0
  • Veeam Backup for Microsoft Azure 3.0


Call to Action

Since January 6th, 2022, the Veeam Updater component has automatically installed this fix during its daily check for updates and automatically resolved the vulnerability for implementations that are able to communicate with https://repository.veeam.com.

If the Veeam Backup for Microsoft Azure virtual machine instance does not have internet access, a manual update process is available. Please contact Veeam Support for assistance.

Further reading

KB4261: Veeam Backup for Microsoft Azure – Updater Component Vulnerability
Veeam Backup for Microsoft Azure – Updater Component Vulnerability
Native Azure Backup Software – Veeam Backup for Microsoft Azure


What's New in Microsoft Defender for Identity in December 2021

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What's New

In December 2021, three new versions of Microsoft Defender for Identity were released:

  1. Version 2.165, released on December 6th, 2021
  2. Version 2.166, released on December 27th, 2021
  3. Version 2.167, released on December 29th, 2021

New security alert

A new security alert was added: Suspicious modification of a sAMAccountName attribute.

In this detection, initially released with Microsoft Defender for Identity release 2.166, a security alert is triggered whenever an attacker is trying to exploit CVE-2021-42278 and CVE-2021-42287, commonly referred to as the sAMAccountName spoofing and KDC bamboozling vulnerabilities.
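For environments without Defender for Identity, or to cross-check its alert, here is an added PowerShell example (not from the original post and not Defender for Identity’s own logic) that hunts for the same modification on-premises: computer accounts whose sAMAccountName no longer ends in the `$` that computer objects normally carry, and recent Security event 4781 (account renamed) entries on a Domain Controller in which a name ending in `$` was changed to one without it. It assumes the ActiveDirectory RSAT module, read access to computer objects and rights to read the Domain Controller’s Security log; the seven-day window is an assumption.

```powershell
# Added example, not part of the original post or of Defender for Identity.
Import-Module ActiveDirectory

function Get-ComputerAccountsWithoutDollar {
    # Every computer object normally has a sAMAccountName ending in '$'.
    # The CVE-2021-42278 technique renames one so that it no longer does, which is
    # what the Defender for Identity alert described above reacts to.
    Get-ADComputer -Filter * -Properties sAMAccountName, whenChanged |
        Where-Object { $_.sAMAccountName -notlike '*$' } |
        Select-Object Name, sAMAccountName, DistinguishedName, whenChanged
}

function Get-SuspiciousAccountRenames {
    param(
        [string]$DomainController = [string](Get-ADDomainController -Discover).HostName,
        [int]$Days = 7
    )
    # Security event 4781 'The name of an account was changed' carries the old and new names.
    $filter = @{ LogName = 'Security'; Id = 4781; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                OldName     = $data['OldTargetUserName']
                NewName     = $data['NewTargetUserName']
                ChangedBy   = $data['SubjectUserName']
                Source      = $DomainController
            }
        } |
        # A computer account losing its trailing '$' is the pattern of interest
        Where-Object { $_.OldName -like '*$' -and $_.NewName -notlike '*$' }
}

$accounts = @(Get-ComputerAccountsWithoutDollar)
$renames  = @(Get-SuspiciousAccountRenames -Days 7)

if ($accounts.Count -gt 0) {
    Write-Warning "$($accounts.Count) computer account(s) without a trailing '$' in sAMAccountName:"
    $accounts | Format-Table -AutoSize
}
if ($renames.Count -gt 0) {
    Write-Warning "$($renames.Count) rename(s) of a computer account to a name without '$' in the last 7 days:"
    $renames | Format-Table -AutoSize
}
if ($accounts.Count -eq 0 -and $renames.Count -eq 0) {
    Write-Host 'No sAMAccountName anomalies found.'
}
```

Event 4781 is only logged when account management auditing is enabled on the Domain Controllers, and each Domain Controller keeps its own Security log, so run the second function against every writable Domain Controller (or query them through your SIEM) rather than against a single one.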

Microsoft introduced this detection in response to the publishing of these CVEs and encourages Active Directory admins to also deploy the following updates on Domain Controllers:

Improvements and bug fixes

All three December 2021 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.