I'm presenting at Cloud Camp, Modern Cloud Edition


Recently, I was contacted with an invitation to present at the Irish Cloud Camp event on November 16th. Of course, I said "Yes".

About Cloud Camp

Cloud Camp is Ireland's conference for Microsoft Cloud, sponsored by Microsoft, MicroWarehouse and Nexus. The next edition of Cloud Camp, dubbed the Modern Cloud Edition, is organized on November 16th, 2021 from 9:30 AM to 5PM as a virtual event.

We live in a time of rapid changes to the cloud. It's easy to fall behind with the continuous and frequent changes to Windows Server, Azure and Microsoft 365, the ever increasing importance to security and the challenges of compliance.

Cloud Camp brings together international speakers to one event where you will learn the latest about digital transformation, IT modernization, productivity, security, compliance and governance.

The event features a panel of Irish and international speakers who will be sharing their expertise with the audience at Cloud Camp. Other speakers include Karel de Winter, Wim Matthyssen, Freek Berson, Tiago Costa, Ben Whitmore and Neil McLoughlin.

About my session

I'll present a 60-minute session:

Eight common mistakes with Hybrid Identity

Tuesday, November 16, 2021 3:15 PM – 4:15 PM

Do you wish a seasoned expert would tell you all the mistakes to avoid before you begin your Hybrid Identity journey? Or do you need substantial, real-world proven tips for your current setup of Active Directory and Azure AD?

Then this session is for you!

When you link your on-premises Active Directory Domain Services (AD DS) environment to Azure AD, you create a Hybrid Identity. Colleagues depend on a reliable, yet cost-effective deployment of these technologies and on trustworthy processes, and it's our job as IT Pros to make it happen. This session covers the eight most common mistakes we see in the field in organizations that have deployed Hybrid Identity. Learn from their mistakes, whether you've already deployed Hybrid Identity and want to make your implementation more robust, or are holding off on deploying Hybrid Identity to avoid stepping into these pitfalls.

Join us!

Tickets for Cloud Camp, Modern Cloud Edition on November 16th are still available.
You can buy tickets here for EUR 25.

After the event, attendees have access to all of the day's content by video, included in the above ticket price.


On-premises Identity-related updates and fixes for October 2021

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

These are the Identity-related updates and fixes we saw for October 2021:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5006669 October 12, 2021

The October 12, 2021 update for Windows Server 2016 (KB5006669), which updates the OS build number to 14393.4704, is a monthly cumulative update.

This security update addresses three Active Directory vulnerabilities and three vulnerabilities in AD FS and includes the following Identity-related quality improvements:

  • It addresses an issue that might prevent users from signing in to a domain controller using Directory Services Restore Mode (DSRM) over a Remote Desktop or a Hyper-V enhanced session.
  • It addresses an issue that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.
  • It addresses an issue regarding a non-paged pool (NPP) leak from the UxSF pool tag. This leak occurs when lsass.exe stops processing asynchronous Security Support Provider Interface (SSPI) calls.
  • It adds the ability to configure period or dot (.) delimited IP addresses interchangeably with fully qualified host names in the Package Point and Print – Approved Servers and Point and Print Restrictions Group Policy settings.

This update also introduces the RestrictDriverInstallationToAdministrators registry value, with its data configured as 1, in HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5006672 October 12, 2021

The October 12, 2021 update for Windows Server 2019 (KB5006672), which updates the OS build number to 17763.2237, is a monthly cumulative update.

This security update addresses three Active Directory vulnerabilities and three vulnerabilities in AD FS and includes the following Identity-related quality improvements:

  • It addresses an issue that causes the system time to be incorrect by one hour after a daylight saving time (DST) change.
  • It addresses an issue with a non-paged pool (NPP) leak from the UxSF pool tag. This leak occurs when lsass.exe stops processing asynchronous Security Support Provider Interface (SSPI) calls.
  • It addresses an issue that causes the configuration for multiple artifact DB support across datacenters to fail for Security Assertion Markup Language (SAML) artifacts.
  • It addresses an issue that causes the LsaLookupSids() function to fail. This occurs when there are security identifiers (SID) for users that no longer exist in a group that contains cross-domain trusted users.
  • It addresses an issue that fails to apply the post_logout_redirect_uri= parameter when you use an External Claims Provider.
  • It addresses an issue that might create duplicate built-in local accounts, such as an administrator or guest account, during an in-place upgrade. This issue occurs if you previously renamed those accounts. As a result, the Local Users and Groups MMC snap-in (lusrmgr.msc) appears blank with no accounts after the upgrade. This update removes the duplicate accounts from the local Security Account Manager (SAM) database on the affected machines. If the system detected and removed duplicate accounts, it logs a Directory-Services-SAM event, with ID 16986, in the System event log.
  • It adds the ability to configure period or dot (.) delimited IP addresses interchangeably with fully qualified host names in the Package Point and Print – Approved Servers and Point and Print Restrictions Group Policy settings.

This update also introduces the RestrictDriverInstallationToAdministrators registry value, with its data configured as 1, in HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates.
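The Windows Server 2016 and Windows Server 2019 updates above both introduce the RestrictDriverInstallationToAdministrators value and the Windows Server 2019 update logs event 16986 when it removes duplicate built-in accounts. The following PowerShell is an added example, not part of the original post or of Microsoft's update: it verifies, on an updated server, that the registry value is still 1 (a value of 0 allows non-administrators to install printer drivers again) and reports any 16986 events that call for a review of the local accounts. The function name and its status labels are my own.

```powershell
# Added example (not from the original post): check the state described in the October 2021
# update notes on a server that has the update installed. Run it locally with admin rights.

function Test-October2021IdentityUpdateState {
    [CmdletBinding()]
    param()

    # Value the update introduces; 1 restricts printer driver installation to administrators.
    $key   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $name  = 'RestrictDriverInstallationToAdministrators'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $restriction = [pscustomobject]@{
        Check  = $name
        Value  = $value
        Status = if ($value -eq 1) { 'OK' } elseif ($null -eq $value) { 'Missing' } else { 'Weakened' }
    }

    # Event 16986 in the System log is written when duplicate built-in accounts were removed
    # from the local SAM after an in-place upgrade; the provider name filter is applied after
    # retrieval so a missing provider does not turn into an error.
    $samEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16986 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Directory-Services-SAM*' }

    $sam = [pscustomobject]@{
        Check  = 'Duplicate built-in accounts removed (event 16986)'
        Value  = @($samEvents).Count
        Status = if ($samEvents) { 'Review' } else { 'None' }
    }

    $restriction, $sam
}

Test-October2021IdentityUpdateState | Format-Table -AutoSize
```

A 'Weakened' result means something (a Group Policy setting, a deployment script) has set the value back to 0 after the update; a 'Review' result means the update found and removed duplicate accounts, so the local administrator and guest accounts are worth a look in lusrmgr.msc.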

KB5006744 October 19, 2021 Preview

The October 19, 2021 update for Windows Server 2019 (KB5006744), which updates the OS build number to 17763.2268, is a preview update.

It includes the following Identity-related quality improvements:

  • It addresses an issue that causes the DnsPsProvider.dll module to leak memory within a WmiPrvSE.exe process.
  • It addresses a memory leak issue in lsass.exe on domain controllers in the forest root domain that occurs when you have multiple forests and multiple domains in each forest. The SID-Name mapping functions leak memory when a request comes from another domain in the forest and crosses forest boundaries.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5006699 October 12, 2021

The October 12, 2021 update for Windows Server 2022 (KB5006699), which updates the OS build number to 20348.288, is a monthly cumulative update.

This security update addresses three Active Directory vulnerabilities and three vulnerabilities in AD FS.

KB5006745 October 26, 2021 Preview

The October 26, 2021 update for Windows Server 2022 (KB5006745), which updates the OS build number to 20348.320, is a preview update.

It includes the following Identity-related quality improvements:

  • It addresses an issue that sometimes causes the lock screen to appear black if you set up slideshow.
  • It addresses an issue in Safe Mode that prevents users from signing in if Web Sign-in is enabled.
  • It addresses a reliability issue with LogonUI.exe, which affects the rendering of the network status text on the credentials screen.
  • It addresses a memory leak issue in lsass.exe on domain controllers in the forest root domain that occurs when you have multiple forests and multiple domains in each forest. The SID-Name mapping functions leak memory when a request comes from another domain in the forest and crosses forest boundaries.
  • It reduces CPU utilization for Lightweight Directory Access Protocol (LDAP) binds.
  • It addresses an issue that causes Server Message Block (SMB) Query Directory Requests to fail when the buffer size is large.

I'm co-presenting KNVI's 'Never-ending Stories for IT Pros' event


Last month, Raymond Comvalius and I were approached by the Royal Dutch Association of Information and IT Professionals (KNVI). Many of their members listen to the IT Bros podcast. The board thinks we have a pretty clear view of the challenges IT Pros face and asked us to present the 'Never-ending Stories for IT Pros' event.

About the IT Bros podcast

Raymond and I host a weekly podcast: The ITBros.nl Podcast (in Dutch). We discuss many recurring topics that might be of interest to Microsoft-oriented systems administrators, engineers and IT architects, both in their professional work and as the service desk for their families.

Each week, we discuss the most recent news, look at upcoming events and share an IT Pro productivity tip.

About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members.

Never-ending Stories for IT Pros

On November 9th, KNVI organizes the 'Never-ending Stories for IT Pros' event for its members at the Hitland Golf Club in Nieuwerkerk aan den IJssel.

Starting at 5:30 PM, we're gathering for some drinks and dinner. From 7PM to 8:30PM, Raymond and I share our views on the role of the IT Pro in the cloud era.

If you think IT Pros have less work to do when their organizations migrate to cloud services, you're mistaken. Increasingly, systems administrators, consultants and engineers are having a hard time keeping up with the latest releases, the latest recommendations and the latest insights. GDPR and Zero Trust only add to this mix.

Our solution is simple: listen to the ITBros.nl Podcast.

You can do it online, but you can also listen to us during this evening. With 55 years of combined IT Pro consultancy experience, Raymond and I know what we're talking about, but we're not shying away from uplifting others. After this evening, you'll return to your desk with a clear picture of the world of the IT Pro, what you can do to be successful as an IT Pro and what changes you need to prioritize.

From 8:30PM onwards, we'll have some closing drinks.

Join KNVI and the event!

It's not too late to join KNVI.
This is a prerequisite to being able to attend the KNVI "Active Directory, What’s Cooking?" event.

Subscriptions to KNVI for students are a mere EUR 30 per year. Subscriptions for individuals start at EUR 99 per year for members aged 27 and below, for retirees and for unemployed people. Other individual subscriptions set you back EUR 165 per year. Organizational subscriptions are available upon request.


From the field: The Case of Raising the DFL to make all fail-over clusters inaccessible


Troubleshooting stories from the field are the best. That's why I like writing them down. Although they might sometimes appear to be straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you're willing to look closely and listen carefully.

This week, I experienced an issue at a customer when they raised their Active Directory domain functional level beyond Windows Server 2012 R2.

 

The situation

The customer has an Active Directory Domain Services environment that dates back to 2004. It has been upgraded in the past. Its domain controllers have recently been upgraded to Windows Server 2016 and Windows Server 2019.

The company uses fail-over clusters to offer scale-out file servers. These implementations are based on Windows Server 2016.

Admins have placed many users in the Protected Users security group to prevent cached logons and restrict token lifetimes.

They raised the domain functional level (DFL) to Windows Server 2016.

 

The issue

All the fail-over clusters became inaccessible when connecting to the cluster name and current remote desktop connections were terminated when connected to the cluster name:

RemoteApp Disconnected - A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.

However, connections to the individual hostnames of the cluster nodes were successful.

 

The cause

When the Windows Server 2016 DFL was implemented, the domain controller protections for the Protected Users security group kicked in, as these protections are only enforced at the Windows Server 2012 R2 DFL or higher. The domain controller protections include the inability to authenticate using NTLM, the inability to use DES or RC4 encryption types in Kerberos pre-authentication and the inability to cache Windows Digest passwords.

When connecting to the fail-over cluster name, NTLM is used instead of Kerberos. Fail-over clusters use NTLM for the cluster name, unless they run Windows Server 2019 or later.

 

The solution

The admins at this company removed the people who need access to the fail-over clusters from the Protected Users security group while they upgrade their fail-over clusters to Windows Server 2019.
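The lesson of this case is that the domain controller-side Protected Users restrictions only start to bite when the DFL reaches Windows Server 2012 R2, so it pays to find the NTLM dependencies of Protected Users members before raising it. The PowerShell below is an added example and not part of the original post: it lists the Protected Users members (including nested group members) and correlates them with event 4776 (NTLM credential validation) on each domain controller, which is where the DC records the NTLM logons that a Windows Server 2016 cluster name triggers. It assumes the ActiveDirectory module, read access to the domain controllers' Security logs, and that 4776 events are being audited; the function name and the lookback window are my own choices.

```powershell
# Added example (not from the original post): report Protected Users members that are
# authenticating over NTLM, using event 4776 on each domain controller, so the dependencies
# (such as cluster names on Windows Server 2016 fail-over clusters) are known before the DFL
# is raised. Assumes the ActiveDirectory module and rights to read DC Security logs.
#Requires -Modules ActiveDirectory

function Get-ProtectedUsersNtlmUsage {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    Write-Verbose ("Current domain functional level: {0}" -f (Get-ADDomain).DomainMode)

    # Members of Protected Users, including members of nested groups.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
    if (-not $members) { return }

    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    $hits = foreach ($dc in $DomainController) {
        # 4776 is logged on the DC that validated an NTLM logon; "no events" is an error we ignore.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($event in $events) {
            # Pull the named EventData fields (TargetUserName, Workstation, Status) out of the XML.
            $data = @{}
            foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($members -contains $data.TargetUserName) {
                [pscustomobject]@{
                    DomainController = $dc
                    Time             = $event.TimeCreated
                    User             = $data.TargetUserName
                    Workstation      = $data.Workstation
                    Status           = $data.Status   # 0x0 is success; other values are NTLM failure codes
                }
            }
        }
    }
    $hits | Sort-Object User, Time
}

Get-ProtectedUsersNtlmUsage -Hours 72 -Verbose | Format-Table -AutoSize
```

Run it while the DFL is still below Windows Server 2012 R2: the Workstation column then shows which hosts (cluster nodes, in this case) still use NTLM for Protected Users members, so those accounts can be moved out of the group, or the clusters upgraded, before the DFL raise turns the successful 4776 events into failures.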

 

Further reading

Ten things you need to be aware of before using the Protected Users Group
New features in AD DS in Windows Server 2012 R2, Part 2: Protected Users
From the Field: The case of the unreachable forest on a domain-joined Azure AD Connect installation
From the Field: The case of the randomly rebooting Domain Controllers
From the field: The Case of the Unstable AD FS Farm


Azure AD Connect v1.6.16.0 addresses two issues


For Hybrid Identity admins still stuck with Azure AD Connect v1.x installations on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and/or Windows Server 2012 R2, Microsoft released a new version of Azure AD Connect that addresses two issues.

What's Fixed

AutoUpgrade reliability

Microsoft addressed an issue where the Autoupgrade process attempted to upgrade Azure AD Connect installations running on Windows Server 2008 and/or Windows Server 2008 R2 and failed. These versions of Windows Server are no longer supported.

Starting with this release, Azure AD Connect only attempts to automatically upgrade on hosts that run Windows Server 2012 or a newer version of Windows Server.

As I've explained before, the Automatic Upgrades feature only works in supported configurations in terms of Windows Server versions, .NET Framework versions, etc.

Synchronization Service Manager Crashes

Microsoft addressed an issue where, under certain conditions, the Synchronization Service Manager (miisserver.exe) crashes due to an access violation exception.

Version information

This is version 1.6.16.0 of Azure AD Connect.
This release in the 1.x branch of Azure AD Connect was made available for download and for Automatic Upgrades as a 104.5 MB AzureADConnect.msi on October 18, 2021.

Further reading

Azure AD Connect v1.x reaches end of support in 1 year
Azure AD Connect v2.0.28.0 addresses four issues
Azure AD Connect v1.6.13.0 and v2.0.10.0 solve a PHS issue in renamed AD forests


Identity-related sessions at Microsoft Ignite 2021 Fall Edition

Microsoft’s Ignite 2021 Fall event kicks off in two weeks.

Exactly eight months after Microsoft Ignite 2021 Spring Edition (organized from Tuesday March 2nd to Thursday March 4th, 2021), Microsoft's Ignite 2021 Fall event takes place from Tuesday November 2nd to Thursday November 4th, 2021.

This is another virtual Ignite event. The big advantage for you is that you can attend Ignite for free again, just like the last three Microsoft Ignite events.

As Identity geeks, we encourage you to attend the following Identity-related sessions at Microsoft Ignite 2021 Fall Edition:

 

Core Theme Sessions

CTS04 Protect Everything with End-to-End Security

Speaker: Vasu Jakkal
November 2, 6:35PM-7PM CEST

Organizations around the world are facing a surge of sophisticated cyber threats. The hybrid work world is creating new opportunities for bad actors, and increased challenges for IT teams. Join us to learn how Microsoft’s integrated, comprehensive approach to security is helping customers become more secure and resilient. Discover new products and innovations that help you protect everything, from the endpoint to the cloud, across security, compliance, identity, device management, and privacy. See how Microsoft Security is helping organizations of all sizes be safe in the face of increased global cyber threats.

 

Breakout Sessions

BRK242 Strengthen resilience with identity innovations in Azure Active Directory

Speakers: Nadim Abdo, Joy Chik, Joseph Dadzie, Sarah Handler and Balaji Parimi
November 2, 9:30PM-10PM CEST

Nation states and criminal syndicates are applying significant resources to orchestrate multi-pronged attacks against critical services and infrastructure. No single organization can withstand these onslaughts alone. In this session, we’ll share investments we’re making in Azure AD to help you stay protected and productive: a resilient platform, teams and tools that detect and respond to hard-to-identify attacks, and systems that strengthen the security posture of your expanding digital estate.

 

BRK244 From Strong to Stronger: Phishing Resistant authentication methods

Speakers: Inbar Cizer Kobrinsky and Tarek Dawoud
November 3, 11:30PM-12:10AM CEST

Are you trying to figure out your Passwordless journey? Are you not sure what makes Phishing resistant authentication methods better than the traditional Multi-factor authentication (MFA) methods? Are you not sure why there are new regulations and standards around multifactor authentication?

The Identity Divisions will take you on a deep dive journey of how next generation of authentication methods like FIDO2 and Windows Hello for Business are Phishing resistant and share some of the deployment best practices we've seen from customers all over the world.

In this session you will learn how Phishing resistant authentication methods work under the hood and why they are more secure, you will learn deployment strategies and tips and how to show value to your leadership and you secure users.

 

Product Roundtables

PRT072 Multi-Cloud Permissions Management

Speakers: Steve Ball, Jasmine Betthauser, Amelie Darchicourt, Maya Neelakandhan and Mark Wahl
November 3, 6:30PM-7PM CEST

Come talk to the Azure AD engineering team about your challenges and needs in permissions management for on-premises and multi-cloud environments. Ask all your questions about our recent acquisition of CloudKnox, a leader in Cloud Infrastructure Entitlement Management (CIEM), and our plan for an integrated cloud identity and access control solution.

 

PRT100 Secure DNS in hybrid networking with comprehensive “Zero-trust” network security strategies

Speakers: Sergio Figueiredo and Sarah O'Connor
November 2 7:30PM-8PM CEST

Calling all networking professionals! In this session, we will be sharing and previewing new concepts for monitoring, protecting and controlling DNS querying behaviors within Azure virtual networks and your own networks. You will be sharing your current experience and challenges of monitoring DNS security, preventing DNS data exfiltration and mitigating attacks. You will also be providing feedback on our new product concepts! Your input will help us shape the future of our DNS products!

 

Connection Zone Sessions

CONATEBRK242 Ask the Experts: Strengthen resilience with identity innovations in Azure Active Directory

Speakers: Steve Ball, Tarek Dawoud, Sarah Handler, Adam Harbour
November 2, 10:30PM-11PM CEST

Nation states and criminal syndicates are applying significant resources to orchestrate multi-pronged attacks against critical services and infrastructure. No single organization can withstand these onslaughts alone. In this session, we’ll share investments we’re making in Azure AD to help you stay protected and productive: a resilient platform, teams and tools that detect and respond to hard-to-identify attacks, and systems that strengthen the security posture of your expanding digital estate.

 

CONATEBRK244 Ask the Experts: From Strong to Stronger: Phishing Resistant authentication methods

Speakers: Inbar Cizer Kobrinsky and Tarek Dawoud
November 2, 10:30PM-11PM CEST

Are you trying to figure out your Passwordless journey? Are you not sure what makes Phishing resistant authentication methods better than the traditional Multi-factor authentication (MFA) methods? Are you not sure why there are new regulations and standards around multifactor authentication?

The Identity Divisions will take you on a deep dive journey of how next generation of authentication methods like FIDO2 and Windows Hello for Business are Phishing resistant and share some of the deployment best practices we've seen from customers all over the world.

In this session you will learn how Phishing resistant authentication methods work under the hood and why they are more secure, you will learn deployment strategies and tips and how to show value to your leadership and you secure users.

 

CONATE104 Ask the Experts: Building a co-creative enterprise with ManageEngine IT management solutions

Speakers: Prem Maheswaran, Romanus Prabhu Raymond and Hary Sekar
November 3, 4:30PM-5PM CEST

Collaboration, cross-functioning and automation are the key driving factors in building a co-creative IT enterprise. ManageEngine tools are excellent IT management solutions which can be integrated with the Microsoft ecosystem. This will enable organizations to leverage their existing IT investments to achieve effective collaboration, automated endpoint orchestration and seamless identity management without having to leave their everyday Microsoft applications.

 

CONITS104 Windows Server Hybrid for Beginners

Speaker: Orin Thomas
November 3, 11:30PM-12AM

File servers, network infrastructure, software updates, security, identity, backup, and disaster recovery. Managing and maintaining these Windows Server functionality roles has been a core IT Pro task since the days of Windows NT 3.51.

In this session you’ll learn about the basics of administering these core Windows Server roles and how you can use Azure hybrid technologies to enhance what you can accomplish with them by integrating them with the cloud.

 

CONLL110 Exploring the Zero Trust Security Model

Speakers: Tarek Dawoud and Mark Simos
November 2, 11:30PM-12:45AM CEST

Today's organizations need a new security model that effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, apps, and data where they're located. Microsoft is deeply inspired to enable people everywhere to do the important work of defending their communities and organizations in an ever-evolving threat landscape. Learn more about the concepts and principles of the Zero Trust model and how Microsoft 365 supports it.

 

On Demand Sessions

OD412 Enhancing Microsoft 365 Security, Identity and Compliance with Saviynt

Speakers: Persio Afonso and Chris Gregory

This session will show how Saviynt, together with Azure Active Directory (Azure AD), delivers an unmatched level of identity insight and control. Organizations concerned about industry and regulatory compliance, and those that cannot afford to risk failed audits, look to Saviynt and Azure AD to solve these challenges.

 

OD421 Revive Hybrid AD/Office 365 Control with Identity Resilience & Improved Security

Speaker: Robert Bobel

Microsoft hybrid AD is complex and error-prone, placing security, compliance, and IT efficiency goals at risk. Moreover, new security threats emerge constantly. How do you balance it all? In this session, discover the only unified platform that solves your most important IT problems. Learn how Cayosoft enables: – Least privileged granular delegation with roles & rules – Monitoring of unwanted/unintended changes to mitigate breaches – Immediate rollback of unwanted change for identity resilience.

 

OD437 Security considerations during an AD Migration

Speakers: Bryan Patton and Joe Sharmer

There are a lot of doors swinging open during an Active Directory migration or consolidation project, and this is a great time for attackers to target your organization. There are also many organizations consolidating already compromised systems. This session will focus on the security missteps to avoid before, during and even after an AD migration project.

 

OD444 Secure your hybrid workforce: Start with strong authentication

Speaker: Patrick Schiess

The global shift to remote work has increased the security risk as more workers require access to corporate resources outside the firewall and from varying device types. Make strong passwordless authentication the first step in the Zero Trust journey by securing user access with YubiKeys and Microsoft Identity and Access Management products.

 

OD451 The role of delegation and automation in IAM

Speaker: Vivin Sathyan

We will walk through the native delegation concepts that we have for an on-premise Active Directory and Azure Active Directory. Show you how to implement the least delegation model for IAM. How to best create a checklist for effectual Identity creation and management and automate your routine IAM tasks by exerting supervision.


Pictures of NT Konferenca 2021


Two weeks ago, I traveled to Portorož in Slovenia to deliver two 60-minute sessions at NT Konferenca. It was refreshing to travel again after being grounded by Corona for nearly twenty months.

I started early for the last day of a 4-month engagement with a customer at 06:30 on Monday morning. After eight hours of work, I decided to drive to Schiphol airport. As I already saw notices of delays, I decided to take it easy and check in to KLM’s Crown Lounge for dinner.

With only 15 minutes delay, we arrived at Venice's Marco Polo airport, where a driver was waiting for me to drive me to the NIB Hotel, next to the Grand Hotel in Portorož, where we arrived at 01:00 AM. I finished my slides and demo environment and went to bed.

Entrance of the Grand Hotel Bernardin in Portoroz, Slovenia

Do you want an NTK 21 bag?
Facemasks still reminding us of corona

The next morning, I went for breakfast at the 10th floor of the Grand Hotel Bernardin, picked up my bag and delivered my session on Properly securing Azure AD Connect Sync and Azure AD Connect Cloud Sync in room Aurora on the ground floor.

Presenting at NTK 2021

Afterward, I went straight to the Speakers Cave. That's not a name I made up… and it's actually not that bad. It's just the Pharos meeting room, with a great sign and a nice view.

I ran into a couple of old friends who I hadn't seen for a year and a half and we decided to get some work done and enjoy the weather outside. I had lunch and delivered my second session at 3 PM in room Mediteranea on the 11th floor.

Friends
View from the Speakers Cave
View from the Aurora room

After that, I had some drinks at the speaker gathering and did a 90-minute webinar with Randy Franklin Smith from the Speakers Cave.

Aleksandar, Jelena and I decided to get some dinner in Piran. We walked there, had some lovely views on the way over and had an incredible seafood dinner. We walked back through the old center of Piran and caught a glimpse of the NTK Party going on. I decided to go to bed early.

Piran's harbor by night

On Thursday, I had breakfast, hopped into Paula Januszkiewicz' session and then supported Aleksandar for his session on Microsoft Graph. We had lunch afterwards.

Unfortunately, I had to return to the Netherlands on Thursday afternoon already, so a driver drove me back to Venice and I had another uneventful flight back to Amsterdam Schiphol airport, where I was greeted by my family.

Further reading

Pictures of NT Konferenca 2019
I'm speaking at NT Konferenca 2021
I’m speaking at the 2020 NT Konferenca
I’m speaking at NT Konferenca 2019


Support for vSphere 6.5 and vSphere 6.7 ends in one year

On October 18th, 2016, VMware announced vSphere 6.5 focusing on a simplified experience and improving security features. Today, we're seeing one year of support left for this great product that has served so many organizations well.

 

vSphere 6.5

To me, vSphere 6.5 was a milestone release. Sure, it didn't have the appeal of other vSphere releases, but it brought VM Encryption.

VM Encryption is a security mechanism that allows certain virtual machines to run on trusted hosts only. Trusted hosts are defined through encryption keys obtained from a KMIP 1.1-compliant Key Management Server (KMS) through manually enrolled vCenter Servers. VM Encryption protects virtual Domain Controllers on vSphere, whereas the No cryptography administrator role places encrypted domain controllers out of reach of all but a handful of trusted admins.

 

vSphere 6.7

On April 17, 2018, VMware announced vSphere 6.7 focusing on simple and efficient management at scale, further improved security features, a universal application platform, and seamless hybrid cloud experience.

However, one security feature stood out to me: Virtualization-based Security (VBS). vSphere 6.7 was the first version of vSphere to support it, and it brings secure boot, DMA protection, HVCI and CI policies to virtual domain controllers running Windows Server 2016 and later.

 

End of Support

As communicated as part of KB83223, the End of General Support for vSphere 6.5 and vSphere 6.7 is October 15, 2022. Today, this date is only 1 year away.

Technical Guidance for vSphere 6.5 is available until November 15, 2023, primarily through the self-help portal. During the Technical Guidance phase, VMware does not offer new hardware support, server/client/guest OS updates, new security patches or bug fixes unless otherwise noted.

 

Recommendations

To maintain a full level of support and subscription services, VMware recommends upgrading to vSphere 7.0.

vSphere 7.0 was introduced on March 10, 2020. vSphere 7 reached Update 3 last week as part of its 6-month update cycle.

Further reading

Building a straight-forward vSphere delegation model for running virtual Domain Controllers safely
Protecting virtual Domain Controllers on vSphere with VM Encryption
Protecting virtual Domain Controllers on vSphere with Virtualization-based Security
Two improvements in VMware vSphere 7.0 Update 2 are welcome news for Microsoft-oriented Identity-focused admins
VMware vSphere 7.0 Update 1 introduces an interface for advanced time synchronization configuration
vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA
vSphere 7’s vMotion interface notifies for time differences between vSphere hosts


What's New in Azure Active Directory for September 2021


Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2021:

What's Planned

Limits on the number of configured API permissions for an application registration enforced starting in October 2021

Service category: Other
Product capability: Developer Experience

Occasionally, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, Microsoft is enforcing a limit on the total number of required permissions which can be configured for an app registration: 400 permissions, across all APIs.

The change to enforce this limit starts mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs.
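As an added example (not part of the original post or of any Microsoft tooling), the following script counts what the two limits above apply to in an app registration's manifest: the distinct resource APIs listed under requiredResourceAccess and the total number of permissions requested from them. The sample manifest fragment is constructed; its resourceAppId values are placeholder GUIDs, not real API identifiers.

```python
"""Check an Azure AD app registration manifest against the API permission
limits from the September 2021 release notes (added example)."""
import json
from typing import Dict, List, Tuple

MAX_PERMISSIONS = 400   # total required permissions across all APIs
MAX_APIS = 50           # distinct resource APIs with required permissions


def count_required_permissions(manifest: Dict) -> Tuple[int, int]:
    """Return (distinct_apis, total_permissions) for a manifest.

    requiredResourceAccess holds one entry per resource API (resourceAppId);
    each entry lists the delegated (Scope) and application (Role)
    permissions the app requires from that API.
    """
    entries = manifest.get("requiredResourceAccess", [])
    apis = {entry["resourceAppId"] for entry in entries}
    total = sum(len(entry.get("resourceAccess", [])) for entry in entries)
    return len(apis), total


def check_limits(manifest: Dict) -> List[str]:
    """Return a list of limit violations; empty when the app is within limits."""
    apis, total = count_required_permissions(manifest)
    problems = []
    if apis > MAX_APIS:
        problems.append(f"{apis} distinct APIs exceeds the limit of {MAX_APIS}")
    if total > MAX_PERMISSIONS:
        problems.append(f"{total} required permissions exceeds the limit of {MAX_PERMISSIONS}")
    return problems


def _fake_api(n: int, count: int) -> Dict:
    """Build a constructed requiredResourceAccess entry with `count` permissions."""
    return {
        "resourceAppId": f"00000000-0000-0000-0000-00000000000{n}",  # placeholder GUID
        "resourceAccess": [{"id": f"perm-{n}-{i}", "type": "Scope"} for i in range(count)],
    }


# Constructed manifest: three APIs, 401 required permissions in total,
# i.e. one over the 400-permission limit but well within the 50-API limit.
SAMPLE_MANIFEST = json.loads(json.dumps({
    "requiredResourceAccess": [_fake_api(1, 200), _fake_api(2, 200), _fake_api(3, 1)],
}))

if __name__ == "__main__":
    for problem in check_limits(SAMPLE_MANIFEST):
        print("limit exceeded:", problem)
```

Point it at a manifest downloaded from the registration's Manifest blade (or the application object returned by Microsoft Graph, which exposes the same requiredResourceAccess property) to find registrations that will be frozen once enforcement starts.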

Single Page Apps using the spa redirect URI type must use a CORS enabled browser for authentication

Service category: Authentications (Logins)
Product capability: Developer Experience

The modern Edge browser is now included in the requirement to provide an Origin header when redeeming a single page app authorization code. A compatibility fix accidentally exempted the modern Edge browser from Cross-Origin Resource Sharing (CORS) controls. That bug is being fixed during October.

A subset of applications depend on CORS being disabled in the browser, which has the side effect of removing the Origin header from traffic. This is an unsupported configuration for using Azure AD, and these specific apps can no longer use modern Edge as a security workaround. All modern browsers must now include the Origin header per HTTP spec, to ensure CORS is enforced.

What's New

Access packages can expire after a number of hours General Availability

Service category: User Access Management
Product capability: Entitlement Management

There is now an additional option for advanced expiration settings in entitlement management. It's possible to configure an access package that'll expire in hours, in addition to prior settings.

On the My Apps portal, users can choose to view their apps in a list General Availability

Service category: My Apps
Product capability: End User Experiences

By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list.

New and enhanced device-related audit logs General Availability

Service category: Audit
Product capability: Device Lifecycle Management

Admins can now see various new and improved device-related audit logs. The new audit logs include:

  • create and delete passwordless credentials (Phone sign-in, FIDO2 key and Windows Hello for Business)
  • register/unregister device
  • pre-create/delete pre-create device

Additionally, there have been minor improvements to existing device-related audit logs that include adding more device details.

Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator General Availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users will also be able to change their Azure AD account passwords and update the account's security information.

New MS Graph APIs for role management General Availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

The new role management APIs on the MS Graph v1.0 endpoint are generally available. Instead of the old directoryRoles, use unifiedRoleDefinition and unifiedRoleAssignment.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

New Federated Apps available in Azure AD Application gallery

In September 2021, Microsoft added the following 44 new applications to the Azure AD App gallery with Federation support:

What's Changed

Gmail users signing in on Microsoft Teams mobile and desktop clients sign in with device login flow

Service category: Azure AD B2B
Product capability: B2B/B2C

Since September 30, 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed up or redeemed Gmail accounts have an extra login step. Users are now prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients.

Improved Conditional Access Messaging for Non-compliant Device

Service category: Conditional Access
Product capability: End User Experiences

The text and design on the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, Microsoft has streamlined the flow for a user to open their device management portal. These improvements apply to all Conditional Access-supported Operating System (OS) platforms.

What's Fixed

My Apps performance improvements

Service category: My Apps
Product capability: End User Experiences

The load time of My Apps has been improved. Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service.


Three Active Directory vulnerabilities were addressed in the October 2021 Updates

Windows Update

When looking at the October 12th, 2021 updates today, I noticed three updates that specifically address vulnerabilities in Active Directory Domain Services and DNS. These vulnerabilities affect domain controllers at the heart of many networking infrastructure environments.

About the vulnerabilities

Three vulnerabilities were addressed:

CVE-2021-40460 RPC Runtime Security Feature Bypass Vulnerability

CVE-2021-40460 is a vulnerability that could allow an attacker to bypass Extended Protection for Authentication provided by servicePrincipalName (SPN) target name validation over the network. The CVSSv3 score of this vulnerability is 6.5/5.7.

An update is available for all supported Operating Systems.

CVE-2021-40469 DNS Server Remote Code Execution Vulnerability

CVE-2021-40469 is a remote code execution vulnerability in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System account over the network. The CVSSv3 score of this vulnerability is 7.2/6.5.

Proof of Concept (PoC) code for attacking this vulnerability already exists.

An update is available for (domain controllers running as) DNS servers running Windows Server 2008, and up.

CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability

CVE-2021-41337 is a vulnerability that could allow an attacker to bypass Active Directory domain permissions for the Key Admins and Enterprise Key Admins groups over the network. The CVSSv3 score of this vulnerability is 4.9/4.3.

An update is available for domain controllers running Windows Server 2016, and up, as the above groups were introduced with Windows Server 2016.

Call to action

I urge you to install the necessary security updates on Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the updates to Windows Server installations running as (Active Directory Domain Controllers and) DNS servers in the production environment.
