ITtelligence

Azure Functions is a solution for easily running small pieces of code, or “functions,” in the cloud.
This article shows how to create one of these functions to write directly to Azure Table Storage.

1) Create Function App

 

From Azure Portal,

Click New

Search for Function App

Click Function App in Results

Click Create

 

 

Supply App name, Subscription, Resource Group, Hosting Plan, Location and Storage and click Create

 

2) Create Function

 

After Function App is created, navigate to it.

From here we’ll use a pre-made function and alter it to write to Table Storage.

 

Select Webhook + API, C# as the language and click Create this Function

 

 

3) Add Azure Table Storage

 

From the Integrate option, add Azure Table Storage. Note the Table parameter name.

 

4) Edit Function

 

Add file item.csx (Click Save and Run to ensure no errors)

This is an object that inherits TableEntity and adds ItemName

#r "Microsoft.WindowsAzure.Storage"
using Microsoft.WindowsAzure.Storage.Table;
public class Item : TableEntity
{
public string ItemName {get;set;}
}

 

Add a reference to item.csx to run.csx(Click Save and Run to ensure no errors)

This allows Item object to be used in run.csx

#load "item.csx"

 

Change into Synchronous Function (Click Save and Run to ensure no errors)

This is required for the next step, out is not allowed on Asynchronous functions

...
public static HttpResponseMessage Run(HttpRequestMessage req, TraceWriter log)
...
dynamic data = req.Content.ReadAsAsync<object>().Result; 
...

 

Add an out variable and assign value (Click Save and Run to ensure no errors)

Add out item with the name of the table parameter name

...
public static HttpResponseMessage Run(HttpRequestMessage req, TraceWriter log, out Item outputTable)
...
outputTable = new Item() {PartitionKey = "some-partition-key", RowKey=Guid.NewGuid().ToString(), ItemName = name ?? "No name"};
...

 

Here is complete listing of run.csx

#load "item.csx"

using System.Net;

public static HttpResponseMessage Run(HttpRequestMessage req, TraceWriter log, out Item outputTable)
{
log.Info("C# HTTP trigger function processed a request.");

// parse query parameter
string name = req.GetQueryNameValuePairs()
.FirstOrDefault(q => string.Compare(q.Key, "name", true) == 0)
.Value;

// Get request body
dynamic data = req.Content.ReadAsAsync<object>().Result;

// Set name to query string or body data
name = name ?? data?.name;

outputTable = new Item() {PartitionKey = "some-partition-key", RowKey=Guid.NewGuid().ToString(), ItemName = name ?? "No name"};

return name == null
? req.CreateResponse(HttpStatusCode.BadRequest, "Please pass a name on the query string or in the request body")
: req.CreateResponse(HttpStatusCode.OK, "Hello " + name);
}

 

5) Verify Data

 

Every time this function runs, an entry will be created in the Azure Table Storage.

You can use Microsoft Azure Storage Explorer to view these entries.

 

 

 

 

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory.
If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material

1) WMI Filters

Create WMI filter that will identify devices for each tier. In the article three tiers are used, domain controllers, servers and workstations. This provides a balance between security and simplification but this can easily be extended to other devices
or server types.

 

 

 

 

2) Groups

Create a group for each tier. This will hold the members for each tier.

 

 

3) Group Policies

Create a group policy for each tier. It should filter based on the tier type and will contain the allow/deny rules.

 

 

 

 

 

 

 

4) Add members to tier groups

Finally, add your dedicated DA accounts to tier 0 group, dedicated server administrators accounts to tier 1 group. Accounts will now only be able to log in locally or via RDP if they are meant for the specific tier

 

 

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.

Suppose we have a computer to which we cannot Remote Desktop to but we are unsure which policy configured this.

This article shows the method of using the Resultant Set of Policy Tool to locate these settings with ease.

Step 1) Open RSOP.msc and change query to the user and computer to which the
setting, Allow log on through Remote Desktop Services is this case, is applied to

 

From the Properties Menu on the root of the RSOP tree, select Change Query

From the Resultant Set of Policy Wizard specify the computer to generate RSOP
report for. If the RSOP is for the local computer, select the This computer option and click Next

From the Resultant Set of Policy Wizard specify the user to generate RSOP
report for. If the RSOP is for the current computer, select the Current user option and click Next, Next and Finish

Step 2) From the Resultant Set of Policy Main Screen (1),
browse to the setting to which the Group Policy is unknown, Allow log on through Remote Desktop Services (2) is this case. As seen below, this setting originates from the Problematic GPO (3)

Step 3) Editing GPO Problematic GPO via Group Policy Management Editor shows that indeed, the setting is part of this policy

This article explains the steps required to use the default Photos screensaver to display branding/corporate images

1) On reference computer, configure the default Photo screensaver including location. This is done because this value is stores as an encrypted value within the Registry. In the article C:\Winstoredranding\Dundermifflin is used.

2) Open Regedit and browse to HKCU\SOFTWARE\Microsoft\Windows Photo Viewer\Slideshow\Screensaver and record value for EncryptedPIDL

3) Store images that will be used for the screensaver in a network location The Domain DFS is perfect for small
files like these

4) Create a new policy and add the EncrypedPIDL registry value to User Configuration > Preferences > Windows Settings > Registry
5) From the Common tab enable the Remove the item when it is no longer applied option

6) Add the images to  User Configuration > Preferences > Windows Settings > Files. The
Source File(s) should be the network location used in Step 3.

TIP: Press F3 to open Variable Reference List

7) For the Destination File, specify filename with location from Step 1

8) From the Common tab enable the Remove the item when it is no longer applied option

9) Configure the rest of the policy as per norm for screensaver.

10) For the Force specific screen saver specify %Systemroot%\System32\PhotoScreensaver.scr

 

This article describes my battle tested process for setting up delegation.
I use this process anywhere that I need to setup delegation.

In the article I will show how it applies to Active Directory

This delegation model consists of Delegation Groups and Role Groups. These groups are explained in the following sections.

Delegation Group

Delegation groups are named according to the permission that they grant. The permission that it grants can be, but is not limited to, AD permission to do a specific task.

 

Characteristics

• Can only contain Role Groups
• Cannot be members of any groups

Some examples of a built-in Delegation Group

• Domain Administrators
• Account Operators

Some examples of a custom Delegation Group

• Password Reset
• Manage Group Memberships

 

Role Group

Role groups should be created based on a specific role that group of people fulfil.

 

These groups are used to add delegation permissions to via delegation groups.This is done by adding the Role group as a member of the delegation groups for the permissions required.

It is worth noting that this delegation is not limited to AD permissions.

 

If the Help Desk supports SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way when a new Help Desk employee starts, it is only required to add a user account to the
Help Desk Role group.

 

Characteristics

• Can only contain privileged user accounts
• Can only be member of Delegation Groups

Some examples of a Role Group

• Help Desk
• Server Administrators

Benefits

• No delegation against individual user accounts
• Reuse of Delegation Groups
• Easy to manage
• Quick to determine permissions
• Uncomplicated to assign correct permissions to an individual based on their function

 

Real world example

Typically help desks will be given delegated permissions to reset passwords. Instead of delegating permissions to various individuals or directly to the help desk group, the following should be done:

 

1. Create an intermediate group, DG-ResetPassword in this example. This is the delegation group.
2. Delegate the Reset Password permission to the DG-ResetPassword group.
3. Add the help desk group role group, RG-HelpDesk in this example, to the DG-ResetPassword delegation group

By utilising this delegation process, all delegation done to role groups is easily visible from the Member Of tab. In the example below, it is easy to see that the role group for Help Desk, RG-HelpDesk, have join domain,
modify group and reset password rights.

 

It also enables the reuse of delegation groups. In the example below, the same delegation group used for Help Desk,
DG-JoinDomain, can be used to assign join domain rights to the Workstation Technician group.

 

The reverse is also true. It is quick to see which groups have a particular permission. In the example below, looking
at the members of the DG-JoinDomain delegation group, it shows which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permissions to join computers to the domain.

 

 

This article outlines the process to identify and resolve account lockout in an Active Directory environment.

Process

1) Change lockout policy according to Microsoft Recommendation

 

The lockout policy’s ultimate goal is to protect against automated password guessing (brute-force attack) and as such, the value should be high enough so that accounts are not accidentally locked out by an end user or incorrect saved password.

 

 

 

As per the following articles, I would recommend the following lockout settings

 

• Account lockout threshold 50
• Reset account lockout counter after 10 minutes

 

https://technet.microsoft.com/en-us/library/cc671957(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx

 

2) Enabling Auditing

 

Identifying the source of the account lockouts in a complex environment will be virtually impossible without auditing enabled.

 

Please note: Only events that occurred after enabling auditing will be logged. It also might be necessary to increase Security log file size

 

 

3) Identify source device that lockout occurred on

 

3.1) Event Comb

 

 

Part of Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465

 

Still a useful tool in a pinch.

Please note: Built-in search for account lockout is not using the newer event IDs. To search newer IDs, add 4625 4740 4771 4768 4776 to the list

 

For details on these events, see

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=676

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=681

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776

 

 

All gathered events from selected domain controllers will be saved into text files in the temp folder

3.2) Lockout Status

 

 

Part of Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465

 

When you start tool you specify the user account to inspect.

 

Please note: If the lock device is a Domain Controller, you have to follow the trail until you get to the actual source device name

 

3.3) AD Audit

 

 

See https://www.manageengine.com/products/active-directory-audit

 

My personal favorite, AD Audit makes finding the source account that locks device super easy, just use built-in reports

 

 

4.1) Powershell

 

Get-LockedOutLocation

https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab

 

4) Identify source process that locked account

 

4.1) NetWrix Account Lockout Examiner

 

 

See https://www.netwrix.com/account_lockout_examiner.html

 

Install NetWrix Account Lockout Examiner on another computer. After that run it and point to the device that generates lockouts.

 

4.2) ADAudit

 

 

See https://www.manageengine.com/products/active-directory-audit

 

As I said before, my personal favorite. After finding source account that locks device using built-in reports, the Account Lockout Analyzer can show the source process that locks accounts

 

 

5) Implement processes to prevent future lockouts

 

5.1 Windows Services, Scheduled Tasks and COM Objects

Utilize service accounts with strong non-expiring passwords or managed service accounts.

5.2 Drive Mappings

Do not map drives with explicit username and password. Utilize Group Policy User Drive Map Preference to map the drive mappings.

5.3 Logon Sessions

Implement RDP inactive/idling session logoff.

 

 

5.4 Credential Manager

 

Disable Credential Manager service. This will prevent users from saving/using stored passwords

 

Tips

If your account that you are using for the investigation is locking, rename your username for the duration of the investigation

 

The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project

1) Get a Theme

a) The first step is to have an HTML theme ready to be applied to an ASP.NET MVC project. If you do not have a theme, I recommend that you look at http://wrapbootstrap.com/. WrapBootstrap have loads
of affordable themes to choose from.

 

For this article, I will be using the Unify theme

 

b) These themes are downloaded as a ZIP file, extract it to a convenient

 

Most themes have multiple different pages, browse theme from the Index.html page and find one to use

 

c) Open the page in a text editor and copy content to clipboard

 

2) Create ASP.NET MVC project

a) Open Visual Studio. From the “New Project” windows, select “Web” then “ASP.NET Web Application” and click “OK”

 

b) In the “New ASP.NET Project” windows, select MVC and click “OK”

 

c) Open the “_Layout.cshtml” file from the “Views”, “Shared” folder in the “Solution
Explorer”

 

3) Integrate Theme

a) Paste the content from the HTML theme page below the last line of the “_Layout.cshtml” file

 

b) Most themes have a folder that contains all the resources used by the HTML page. In the case of the Unity
theme, the folder is called “assets”. Copy this folder.

 

c) From within Visual Studio, past the “assets” folder to the “Content” folder

 

d) Notice that the “asset” folder references in the “_Layout.cshtml” page incorrectly
points to “assets/plugins/…” for example

 

e) Press “CTRL+H” to open the replace toolbar. In this example, the resources that start with “assets/”
should be changed to start with “~/Content/assets/”

 

4) Rendering links

a) The “_Layout.cshtml” file contains a series of rendering links. These are entries that start with @ for example “@ViewBag.Title – My ASP.NET Application”. These links have to be moved to the correct location in the copied text from
the theme HTML. Below shows where to copy the “@ViewBag.Title – My ASP.NET Application” value.

 

b) HTML themes have a content section, copy the “@RenderBody()” value to this part in HTML text,
replacing all demo content

 

c) Below shows where to copy the ‘@Styles.Render(“~/Content/css”)’ and ‘@Scripts.Render(“~/bundles/modernizr”)’
values

 

d) Below shows where to copy the ‘@Styles.Render(“~/bundles/jquery”)’ and ‘@Scripts.Render(“~/bundles/bootstrap”)’
values, directly above the “</body>” tag

 

e) Find an appropriate location for the login partial view. In the example below the ‘@Html.Partial(“_LoginPartial”)’
value is added to the top bar, overwriting all existing values

 

f) Copy the ActionLinks from the “_Layout.cshtml” file into the navigation section of the HTML
theme.

Note that themes use different navigations but you will have a few example menu items to work from

 

g) The final step is to delete the original text from the “_Layout.cshtml” file. The project should
be ready to run

 

5) The Result

Even though other changes are required to get this page to the ideal state, this should at least provide a good starting point for your projects.

 

 

 

This article runs through the process of deploying a single EXE application selectively to a group of user.

Read full article

Usage : CircularLogArchiver.exe GO [/LP:LogPath] [/LE:LogExtention] [/AI:ArchiveInterval] [/AOT:ArchiveOlderThan] [/DAOT:DontArchiveOlderThan] [/DOT:DeleteOlderThan]
Example : CircularLogArchiver.exe GO /LP:”C:\Logs” /LE:”*.log” /AI:”M” /AOT:”1″ /DAOT:”3″ /DOT:”3″
Example above will archive all files in “C:\Logs” with *.log extention that are between one and three months old and delete files older than three months

Attachment(s):
[list-attachments]

Before

After

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display

Step 1 – Creating Backgrounds

Designing backgrounds are out of scope for this article but a few guidelines are listed below

 

Using information from https://en.wikipedia.org/wiki/Display_resolution we can conclude that we mainly need to cater for 16:9, 16:10, 4:3 and 5:4 aspect ratios with a maximum width of 7680px.

 

If the required background is mainly horizontal, use this guide to create four different versions of background image

Alternatively, if the image is mainly vertical, start with a 10 924px x 6144px
image and crop to create four different versions of background image

 

Step 2 – User Environmental Variables

After creating the four different versions of the background, we need a way to control which version of background is pushed to the computers.

 

Create four user environmental variable objects using GPO User Environmental Preferences

 

Here is the values required to create the four entries

• 16:9 – PrimaryScreenAspectRatio = 1.778
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1280′ and ScreenHeight=’720′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1600′ and ScreenHeight=’900′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1920′ and ScreenHeight=’1080′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’2560′ and ScreenHeight=’1440′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’3840′ and ScreenHeight=’2160′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’7680′ and ScreenHeight=’4320′
• 16:10 PrimaryScreenAspectRatio = 1.6
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1280′ and ScreenHeight=’800′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1440′ and ScreenHeight=’900′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1680′ and ScreenHeight=’1050′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1920′ and ScreenHeight=’1200′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’2560′ and ScreenHeight=’1600′
• 4:3 PrimaryScreenAspectRatio = 1.333
  • Select * from Win32_DesktopMonitor where ScreenWidth=’320′ and ScreenHeight=’200′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’640′ and ScreenHeight=’480′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’800′ and ScreenHeight=’600′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1024′ and ScreenHeight=’768′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1152′ and ScreenHeight=’864′
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1600′ and ScreenHeight=’1200′
• 5:4 PrimaryScreenAspectRatio = 1.25
  • Select * from Win32_DesktopMonitor where ScreenWidth=’1280′ and ScreenHeight=’1024

A C# application can be deployed as an addition to the GPO User Environmental Variables Preference Items as a GPO User File Preference. This is useful on RDP sessions and Hyper-V consoles where the WMI objects are not populated properly.

 

using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace SetXRes
{
    class Program
    {
        static void Main(string[] args)
        {

            double primaryScreenAspectRatio;
            Rectangle resolution = Screen.PrimaryScreen.Bounds;
            primaryScreenAspectRatio = Math.Round(((double)resolution.Width / (double)resolution.Height), 3);

            Console.WriteLine(resolution.Width);
            Console.WriteLine(resolution.Height);
            Console.WriteLine(primaryScreenAspectRatio.ToString().Replace(',', '.'));

            Environment.SetEnvironmentVariable("PrimaryScreenAspectRatio", primaryScreenAspectRatio.ToString().Replace(',','.'), EnvironmentVariableTarget.User);
        }
    }
}

 

 

Step 3 – Background File Deployment

Create four file objects using GPO User Files Preferences

 

Based on the User Environmental Variable set in the previous step, an appropriately ratioed background file will be pushed to computers

Here is the values required to create the four entries

• 16:9 – Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\16-9.PNG
  • the environment variable %PrimaryScreenAspectRatio% is 1.778
• 16:10 Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\16-10.PNG
  • the environment variable %PrimaryScreenAspectRatio% is 1.6
• 4:3 16:10 Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\4-3.PNG
  • the environment variable %PrimaryScreenAspectRatio% is 1.333
• 5:4 16:10 Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\5-4.PNG
  • the environment variable %PrimaryScreenAspectRatio% is 1.25

The target file for all of these entries is %AppDataDir%\Branding\Background\Background.png

Step 4 – Applying Background

Now for the easy bit, just configure the background %AppData%\Branding\Background\Background.png.

Because the background is dynamically assigned, it will always have the same path on the computers