Tag Archives: administrators

Windows Server System Insights steers admins from trouble

Transcript – Windows Server System Insights steers admins from trouble

This video will show you the Windows Admin Center and the System Insights feature.

The Windows Admin Center is a relatively new graphical environment for managing Windows Server, but you can also use it to manage Windows 10 machines as well as your VMs.

Right now, I’m connected to a specific server. If I click on Windows Admin Center, then I’m taken back out to the list of servers I’ve imported. I’ll click on one and then from there click on System Insights in the menu off to the left.

You have to install System Insights before you use it for the first time, so click the Install button and it takes just a few minutes to set up.

Once the installation process finishes, you’ll notice we have a list of various capabilities: CPU capacity forecasting, network capacity forecasting, total storage consumption forecasting and volume consumption forecasting.

The System Insights tool monitors your system and then gives you a forecast based on your levels of resource consumption, so let’s look at how this works.

I’m going to click on CPU capacity forecasting and go into settings. We can schedule this to run now, but it’s set to run at 3 a.m. by default. Ideally, you want to run this when the system isn’t under much of a load so you’re not disrupting any business processes.

I’m going to run this manually now. We’re probably not going to have enough data to make a forecast, but let’s go ahead and take a look at how this works. Click on CPU capacity forecasting and then click Invoke, which gives a message to check back later because there is not enough recent data to make predictions. I’m going to invoke the rest of these capabilities and pick it up here later.

Initially, System Insights didn’t have enough data available to make any kind of forecast, but several weeks have passed [and] we have enough data for System Insights to analyze my server’s usage and make a resource consumption forecast.

If you look at the status column, you can see that we have green OK icons for each of the various capabilities. That’s good news. If you look at the status description, you can see that all the various resources have been forecast to remain within the available capacity.

I’ll go ahead and click on CPU capacity forecasting. When I do that, the first thing you’ll probably notice is [the] large graph that shows the system resource usage over time. If I scroll down, you can see that initially System Insights wasn’t able to make any kind of prediction but over time it collected enough data to make capacity forecasts.

Another thing you’ll notice is [that] the capacity forecasts aren’t just generated one time. System Insights monitors the server over time so it can see how resource consumption changes with use over an extended period of time. This is something you’ll want to check back on from time to time to see just how much of your server’s resources are being consumed and what the capacity forecast looks like.
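The same workflow the video walks through in Windows Admin Center (install, schedule for a quiet window, invoke, review status) can be scripted with the SystemInsights PowerShell module. The following is an added example, not code from the video or from Microsoft; it assumes a Windows Server 2019 host, an elevated session, the capability names shown in the video, and a hypothetical alert script at C:\Scripts\Insights-Warning.ps1 that you supply. The Status property used in the final filter is assumed from the status column shown in the video.

```powershell
# Added example: drive System Insights from PowerShell instead of Windows Admin Center.
# Run elevated on Windows Server 2019. C:\Scripts\Insights-Warning.ps1 is a placeholder
# for your own alerting script (hypothetical path).

# 1. Install the feature (equivalent to the Install button in Windows Admin Center).
if ((Get-WindowsFeature -Name System-Insights).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name System-Insights -IncludeManagementTools
}
Import-Module SystemInsights

# 2. List the default capabilities and make sure each one is enabled.
#    Enabling an already-enabled capability is harmless.
$capabilities = Get-InsightsCapability
$capabilities | Format-Table -AutoSize
foreach ($cap in $capabilities) {
    Enable-InsightsCapability -Name $cap.Name
}

# 3. Schedule every forecast for 3 a.m. daily, the quiet window the video recommends,
#    so the analysis does not compete with business workloads.
foreach ($cap in $capabilities) {
    Set-InsightsCapabilitySchedule -Name $cap.Name -Daily -DaysInterval 1 -At 03:00
}

# 4. Invoke one capability now. On a freshly installed host it reports that there
#    is not enough recent data, exactly as in the video; check back in a few weeks.
Invoke-InsightsCapability -Name 'CPU capacity forecasting'
Get-InsightsCapabilityResult -Name 'CPU capacity forecasting' | Format-List

# 5. Attach a script to the Warning and Critical states so a forecast that predicts
#    exhaustion pages someone instead of waiting for the next manual review.
foreach ($type in 'Warning', 'Critical') {
    Set-InsightsCapabilityAction -Name 'Volume consumption forecasting' `
        -Type $type -Action 'C:\Scripts\Insights-Warning.ps1'
}

# 6. Periodic review: surface any capability whose latest result is not Ok.
#    (Status is assumed to be the property behind the status column in the GUI.)
Get-InsightsCapability |
    ForEach-Object { Get-InsightsCapabilityResult -Name $_.Name } |
    Where-Object { $_.Status -ne 'Ok' } |
    Format-List

# Historical results for one capability, to see how the forecast changed over time.
Get-InsightsCapabilityResult -Name 'CPU capacity forecasting' -History | Format-Table -AutoSize
```

Step 5 is the part the GUI walkthrough does not cover: without an action, a Warning or Critical forecast only shows up when someone remembers to open the page.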


What are 5 top Microsoft 365 backup considerations?

With Office 365 becoming Microsoft 365, administrators are wondering what this evolution changes regarding their data protection needs.

As it stands right now, not much has changed from a backup and recovery standpoint. The tools and best practices used for backing up Office 365 are still valid for Microsoft 365 backup.

So, what are some of those best practices? No. 1 is to simply make sure that you are backing up 365. Microsoft only provides infrastructure-level protection for 365. It is up to you to make sure that your data is protected. It’s a similar story with other popular software-as-a-service applications — you must back up your data and not rely on the SaaS providers.

While Microsoft presumably takes steps to prevent data loss related to a catastrophic failure within its data center, the company doesn’t protect you from data loss related to the accidental deletion or overwriting of your data. Therefore, it’s up to you to make sure that you have Microsoft 365 backup.

Periodically check that your backup tools can back up all the required Microsoft 365 data. Early on, a lot of the Office 365 backup products focused solely on Exchange Online mailboxes, with some also supporting SharePoint. However, there are other data sources that need protection, such as OneDrive and Azure Active Directory.

Choose a Microsoft 365 backup product that will enable you to recover data at a granular level. At a minimum, you need to be able to restore individual files, email messages and SharePoint sites. You shouldn’t have to restore an entire Exchange mailbox just to recover a single message.

Your Microsoft 365 backup product should enable you to restore your data to a location of your choosing. In most cases, you will probably be restoring data back to the Microsoft 365 cloud. Certain circumstances may require you to restore to a different Microsoft 365 subscription, or perhaps even to a server that is running on premises.

Finally, backup and restore operations are often tightly intertwined with an organization’s compliance initiatives. Make sure that your backup software meets the required service-level agreements and that it provides the level of reporting needed to satisfy compliance auditors.


Updated Exchange Online PowerShell module adds reliability, speed

PowerShell offers administrators a more flexible and powerful way to perform management activities in Exchange Online. At times, PowerShell is the only way to perform certain management tasks.

But many Exchange administrators have not always felt confident in Exchange Online PowerShell’s abilities, especially when dealing with thousands of mailboxes and complicated actions. Microsoft recently released the Exchange Online PowerShell V2 module, also known as the ExchangeOnlineManagement module, to reduce these management issues.

New cmdlets attempt to curb PowerShell problems

Moving the messaging platform to the cloud can frustrate administrators when they attempt to work with the system using remote PowerShell without a reliable connection to Microsoft’s hosted email system. Microsoft said the latest Exchange Online PowerShell module, version 0.3582.0, brings new enhancements and new cmdlets to alleviate performance and reliability issues, such as session timeouts or poor error handling during complex operations.

Where a spotty connection could cause errors or scripts to fail with the previous module, Microsoft added new cmdlets in the Exchange Online PowerShell V2 module to restart and attempt to run a script where it left off before issues started.

Microsoft added 10 new cmdlets in the new Exchange Online PowerShell module. One new cmdlet, Connect-ExchangeOnline, replaces two older cmdlets: Connect-EXOPSSession and New-PSSession.

Microsoft took nine additional cmdlets in the older module, updated them to use REST APIs and gave them new names using the EXO prefix:

  • Get-EXOMailbox
  • Get-EXORecipient
  • Get-EXOCASMailbox
  • Get-EXOMailboxPermission
  • Get-EXORecipientPermission
  • Get-EXOMailboxStatistics
  • Get-EXOMailboxFolderStatistics
  • Get-EXOMailboxFolderPermission
  • Get-EXOMobileDeviceStatistics

Microsoft said the new REST-based cmdlets will perform significantly better and faster than the previous PowerShell module. The REST APIs offer a more stable connection to the Exchange Online back end, making most functions more responsive and able to operate in a stateless session.

Because administrators develop complex PowerShell scripts for their management needs, they need stability from Microsoft’s end to ensure those tasks execute properly. Microsoft supports those efforts with better handling of script failure: the new cmdlets retry and resume from the point of failure. Previously, the only option for administrators was to rerun the script and hope it worked the next time.

Some properties queried during a script run are expensive to fetch, and the size of the objects and their properties can drag down the overall response time of the script. To optimize these scenarios, Microsoft introduced a way for a PowerShell process running against Exchange Online to retrieve only the properties of objects that the script actually needs. An example would be retrieving the mailbox properties most likely to be used, such as mailbox statistics, identities and quotas.

Because the REST cmdlets let a script name the properties it needs up front with the -PropertySets and -Properties parameters, the Select-Object step that used to trim the result set is no longer required. This neatens scripts and eliminates unnecessary syntax, as shown in the example below. Note that -Properties adds the named properties to the cmdlet’s default output rather than replacing it, so a Select-Object is still useful when the exported file should contain only those columns.

Before:

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Select WhenCreated, WhenChanged | Export-CSV c:\temp\ExportedMailbox.csv

After:

Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -PropertySets Quota -Properties WhenCreated, WhenChanged | Export-CSV c:\temp\ExportedMailbox.csv

How to get the new Exchange Online PowerShell module

To start using the latest Exchange Online PowerShell capabilities, install or upgrade the ExchangeOnlineManagement module from an elevated PowerShell prompt with one of the two following sets of commands:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

Or:

Update-Module -Name ExchangeOnlineManagement

New Exchange Online PowerShell module users can use the Install-Module command to start working with the new cmdlets.

Exchange Online PowerShell V2 module commands offer speed boost

IT pros who use the new Exchange Online PowerShell module should see improved performance and faster response time.

We can run a short test to compare how the current version stacks up to the previous version when we run commands that provide the same type of information.

First, let’s run the following legacy command to retrieve mailbox information from an organization:

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Select DisplayName, ProhibitSendReceiveQuota, WhenCreated, WhenChanged

The command completes in 2.3890 seconds.

One typical use of PowerShell on Exchange Online is to use the Get-Mailbox cmdlet to retrieve information about mailboxes used by members of the organization.

This is the new version of the command, which provides the same set of information in a slightly different format (here wrapped in Measure-Command so that its run time can be captured):

$RESTResult = Measure-Command { $Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -PropertySets Quota -Properties WhenCreated, WhenChanged }

The command completes in 1.29832 seconds, or almost half the time. Extrapolate these results to an organization with many thousands of users and mailboxes in Exchange Online and you can begin to see the benefit when a script takes half as much time to run.

Use the following command to get mailbox details for users in the organization:

Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -PropertySets Quota -Properties WhenCreated, WhenChanged
The updated Get-ExoMailbox cmdlet fetches detailed information for a mailbox hosted in Exchange Online.

The following command exports a CSV file with details of mailboxes with additional properties listed:

Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -PropertySets Quota -Properties WhenCreated, WhenChanged | Export-CSV c:\temp\ExportedMailbox.csv
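The timing comparison above is easier to trust when both queries run in one script against the same tenant and the two result sets are checked against each other before the faster path replaces the old one in a report. The following is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that admin@contoso.onmicrosoft.com and C:\temp are placeholders, and that Get-Mailbox is available because Connect-ExchangeOnline still opens the legacy remote PowerShell session alongside the REST cmdlets.

```powershell
# Added example: time the legacy and REST-based mailbox queries, verify they agree,
# and export the same columns. Placeholders: the UPN and the C:\temp path.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$columns = 'DisplayName', 'ProhibitSendReceiveQuota', 'WhenCreated', 'WhenChanged'

# Legacy cmdlet: every property of every mailbox crosses the wire, then Select trims it.
# Measure-Command runs its script block in a child scope, so results are written to
# script scope to survive the block.
$legacyTime = Measure-Command {
    $script:legacy = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Select-Object $columns
}

# REST cmdlet: ask the service only for the property set and properties the report needs.
# The Quota property set carries ProhibitSendReceiveQuota; DisplayName is in the minimum set.
$restTime = Measure-Command {
    $script:rest = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
        -PropertySets Quota -Properties WhenCreated, WhenChanged |
        Select-Object $columns
}

'Get-Mailbox    : {0:N3} s for {1} mailboxes' -f $legacyTime.TotalSeconds, @($legacy).Count
'Get-EXOMailbox : {0:N3} s for {1} mailboxes' -f $restTime.TotalSeconds, @($rest).Count

# Sanity check: the two cmdlets should describe the same set of mailboxes.
$diff = Compare-Object -ReferenceObject $legacy -DifferenceObject $rest -Property DisplayName
if ($diff) { Write-Warning "Mailbox lists differ in $(@($diff).Count) entries" }

# The REST cmdlets return results alphabetically, so sort explicitly when order matters.
$rest | Sort-Object WhenCreated |
    Export-Csv -Path 'C:\temp\ExportedMailbox.csv' -NoTypeInformation

# Tear down the sessions the connect cmdlet opened (works on both early and current module versions).
Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } | Remove-PSSession
```

Run it a few times and compare the TotalSeconds values rather than a single run; on a small tenant the first call pays connection setup costs that dominate the difference.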

Be aware of the Exchange Online PowerShell module provisions

There are several caveats Exchange administrators should know before they use the latest ExchangeOnlineManagement module:

  • At the time of writing, the new Exchange Online PowerShell module only runs on Windows PowerShell 5.1; support for the cross-platform version of PowerShell is planned.
  • The REST-based cmdlets return results in alphabetical order rather than the order returned by the older cmdlets, so scripts that depend on ordering should sort explicitly, and some output may need additional formatting or adjusting.
  • The new module only supports OAuth 2.0 (modern) authentication. Basic authentication must still be enabled in the client machine’s WinRM configuration so that the older remote PowerShell cmdlets can be used; the OAuth token, not a password, is what is sent over that channel.
  • Where possible, identify accounts by their Azure AD GUID rather than by name or alias.

How to give Microsoft feedback for additional development

As Microsoft continues to improve the module, administrators will see more capabilities that give them a better experience managing their Exchange Online environment with PowerShell.

There are three avenues for users to provide feedback to Microsoft on the new PowerShell commands. The first is to capture diagnostic logs while scripts run, so bugs or other issues can be reported from within PowerShell. To do this, connect with error reporting enabled:

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath <Path to store log file> -LogLevel All

The second option is to post a message on the Office 365 UserVoice forum.

Lastly, users can file an issue or check on the status of one with the Exchange Online PowerShell commands on the Microsoft Docs Github site at this link.


7 PowerShell courses to help hone skills for all levels of expertise

PowerShell can be one of the most effective tools administrators have for managing Windows systems. But it can be difficult to master, especially when time is limited. An online PowerShell course can expedite this process by prioritizing the most important topics and presenting them in logical order.

Admins have plenty of PowerShell courses from which to choose, offered by well-established vendors. But with so many courses available, it isn’t always clear which ones will be the most beneficial. To help make the course selection process easier, here we offer a sampling of popular PowerShell courses that cater to varying levels of experience.

Windows currently ships with PowerShell 5.1, but PowerShell Core 6 is available for download, and PowerShell 7 is in preview. PowerShell Core is a cross-platform version of PowerShell that runs on multiple OS platforms. It isn’t an upgrade to Windows PowerShell, but a separate application that runs on the same system.

Some of the PowerShell courses listed here, as well as other online classes, specify the PowerShell version on which the course is based. But not all classes offer this information, and some courses provide only a range, such as PowerShell 4 or later. So, before signing up for an online course, be sure to verify the PowerShell version.

Learning Windows PowerShell

This popular PowerShell tutorial from Udemy is designed for beginners. This course targets systems admins who have no prior PowerShell experience but want to use PowerShell to manage Windows desktops and servers. This course is based on PowerShell 5. But this shouldn’t be an issue when learning basic concepts, which is the primary focus of this PowerShell tutorial.


The course provides background information about PowerShell and explains how to set up the PowerShell environment, including how to configure the console and work with profiles. The course introduces cmdlets, shows how they’re related to .NET objects and classes, and explains how to build a pipeline using cmdlets and other language elements. With this information, systems admins will have the basics they need to move onto the next topic: PowerShell scripts.

The tutorial on scripting is nearly as extensive as the section on cmdlets. The course examines the details of script elements, such as variables, constants, comparison operators, if statements, looping structures and regular expressions. This is followed by details on PowerShell providers and how to work with files and folders, and then a discussion of administration basics. This course can help provide participants with a solid foundation in PowerShell so they’re ready to take on more advanced topics.

Introduction to Windows PowerShell 5.1

This Udemy tutorial is based on PowerShell 5.1, so it’s more current than the previous course. The training is geared toward both beginner PowerShell users and more experienced admins who want to hone their PowerShell skills. The course covers a wide range of topics, from understanding PowerShell syntax to managing Active Directory (AD). Participants who sign up for this course should already know how to run PowerShell, but they don’t need to be advanced users.

The course covers the basics of how to use both the PowerShell console and the Integrated Scripting Environment (ISE). It explains what steps to take to get help and find commands. This is followed by an in-depth look at the PowerShell command syntax. The material also covers objects and their properties and methods, as well as an explanation of how to build a PowerShell pipeline.

Participants can move onto the section on scripting, which starts with a discussion on arrays and variables. Users then learn how to build looping structures and conditional statements, and how to use PowerShell functions. This course demonstrates how to use PowerShell to work with AD, covering such tasks as installing and configuring server roles.

PowerShell version 5.1 and 6: Step-by-Step

This tutorial, which is one of Udemy’s highest rated PowerShell courses, is geared toward admins who want to learn how to use PowerShell to perform management tasks. The course is broad in scope and covers both PowerShell 5.1 and PowerShell Core 6. Users who sign up for this course should have a basic understanding of the Windows OS — both desktop and server versions.

Because the course covers so many topics, it’s longer than the previous two training sessions and goes into more detail. It explains the differences between PowerShell and the Windows Command Prompt, how to determine the PowerShell version and how to work with aliases. The course also examines the steps necessary to run unsupported commands and create PowerShell transcripts.

This PowerShell tutorial also examines more advanced topics, such as working with object members, creating hash tables and managing execution policy levels. This is followed by a detailed discussion about the Common Information Model (CIM) and how it can manage hard drives and work with BIOS. In addition, participants will learn how to create profile scripts, functions and modules, as well as how to use script parameters and to pause script execution. Because the course is so comprehensive, admins should come away with a solid understanding of how to use PowerShell to script their daily management tasks.

Udemy course pricing

Udemy distinguishes between personal and business users. For personal users, Udemy charges by the course, with prices for PowerShell courses ranging between $25 and $200. Udemy also offers personal users a 30-day, money-back guarantee.

Udemy also offers two business plans that provide unlimited access to its courses. The Team plan supports between five and 20 users and costs $240 per user, per year. It also comes with a 14-day trial. Contact Udemy for details regarding its Enterprise plan, which supports 21 or more users. Udemy also offers courses to help users prepare for IT certifications, supporting such programs as Cisco CCNA, Oracle Certification and Microsoft Certification.

Windows PowerShell: Essentials

Pluralsight offers a variety of PowerShell courses, as well as learning paths. A path is a series of related courses that provide users with a strategy for learning a specific technology. This path includes six courses ranging from beginner to advanced user. Participants should come away with a strong foundation in how to create PowerShell scripts that automate administrative processes. Before embarking on this path, however, they should have a basic understanding of Windows networking and troubleshooting.

The beginning courses on this path provide users with the information they need to start working with PowerShell, even if they’re first-timers. Users will learn how to use cmdlets, work with objects and get help when they need it. These courses also introduce concepts such as aliases, providers and mapping network drives. The intermediate tutorials build on the beginning courses by explaining how to work with objects and the PowerShell pipeline, and how to format output. The intermediate courses also focus on using PowerShell in a networked environment, covering such topics as CIM and Windows Management Instrumentation.

The advanced courses build on the beginning and intermediate tutorials by focusing on automation scripts. Admins will learn how to use PowerShell scripting to automate their routine processes and tasks. They’ll also learn how to troubleshoot problems in their scripts if PowerShell exhibits unusual behavior. The path approach might not be for everyone, but for those ready to invest their time in a comprehensive program, this path could prove a valuable resource.

Practical Desired State Configuration

Those not suited to a learning path can choose from a variety of other Pluralsight courses that address specific technologies. This highly rated course caters to advanced users and provides real-world examples of how to use PowerShell to write Desired State Configurations (DSCs). Those interested in the course should be familiar with PowerShell and DSC principles.

DSC refers to a new way of managing Windows Server that shifts the focus from point-and-click GUIs to infrastructure as code. To achieve this, admins can use PowerShell to build DSCs. This process is the focus of this course, which covers several advanced topics ranging from writing configurations with custom resources to building dynamic collector configurations.

The tutorial demonstrates how to use custom resources in a configuration and offers an in-depth discussion of securing DSC operations. Participants then learn how to use the DSC model to configure and manage AD, covering such topics as building domains and creating users and groups. The course demonstrates how to set up Windows event forwarding. Although not everyone is looking for such advanced topics, for some users, this course might be just what they need to progress their PowerShell skills.

Pluralsight pricing

Pluralsight doesn’t charge by the course, but rather it offers three personal plans and two business plans. The personal plans start at $299 per year, and the business plans start at $579 per user, per year. All plans include access to the entire course library. In addition, Pluralsight offers a 10-day personal free trial and, like Udemy, courses geared toward IT certification.

PowerShell 5 Essential Training

Of the 13 online PowerShell courses offered by LinkedIn Learning — formerly, Lynda.com — this is the most popular. The course targets beginner and intermediate PowerShell users who are Windows systems admins. Although the course is based on PowerShell 5, the basic information is still applicable today, like other courseware written to this version.

The material covers most of the basics one would expect from a course at this level. It explains how to set up and customize PowerShell, and it introduces admins to cmdlets and their syntax and how to find help. This is followed by installing modules and packages. The course also describes how to use the PowerShell pipeline, covering such topics as working with files and printers, as well as storing data as a webpage.

The course moves onto objects and their properties and methods. Participants can learn how to create scripts that incorporate variables and parameters so they can automate administrative tasks. Participants are also introduced to PowerShell ISE and shown how to use PowerShell remoting to manage multiple systems at once, along with practical examples of administrative operations at scale.

PowerShell: Scripting for Advanced Automation

This course, which is also offered by LinkedIn Learning, focuses on automating advanced administrative operations in a Windows network. Those planning to take the course should have a strong foundation in managing Windows environments. As its name suggests, the course is geared toward advanced users.

After a brief introduction, the course jumps into DSC automation, providing an overview of DSC and explaining how to set up DSCs. Users can learn how to work with DSC resources, push DSCs and create pull configurations. The course then moves onto Just Enough Administration, explaining JEA concepts and best practices. In this part of the course, participants learn how to create role capability files and JEA session configurations, as well as how to register JEA endpoints.
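The JEA steps the course lists (role capability file, session configuration, registered endpoint) fit in one short script. The following is an added example, not material from the course or from Microsoft; it assumes an elevated session on a domain-joined Windows Server with WinRM enabled, and that CONTOSO\Helpdesk, the module name HelpdeskJEA, C:\JEA and the helpdesk test account are placeholders you replace. The endpoint lets the role restart only the print spooler and read services and event logs, under a transient virtual account, with every session transcribed.

```powershell
# Added example: a minimal Just Enough Administration endpoint.
# Placeholders: CONTOSO\Helpdesk (AD group), HelpdeskJEA (module name), C:\JEA (paths),
# CONTOSO\helpdesk-user (a member of the group, used only to test the endpoint).

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# Role capability files are only discovered inside a module folder that has a manifest.
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJEA.psd1')

# 1. Role capability: the allow-list of what the role may run. Restart-Service is
#    constrained to one service name; everything else is read-only.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'Helpdesk.psrc') -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
    'Get-Service',
    @{ Name = 'Get-WinEvent'; Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
)

# 2. Session configuration: which principals map to which role, plus sandbox settings.
#    RestrictedRemoteServer implies NoLanguage mode; the virtual account means no
#    standing admin credential is ever handed to the helpdesk.
$pssc = 'C:\JEA\Helpdesk.pssc'
New-Item -ItemType Directory -Path 'C:\JEA\Transcripts' -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# 3. Register the endpoint. This restarts the WinRM service.
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# 4. Verify from the caller's side as a member of the role. Only the allow-listed
#    commands plus the few JEA always exposes (Get-Command, Get-Help, Select-Object,
#    Measure-Object, Exit-PSSession, ...) should be listed.
$cred    = Get-Credential -UserName 'CONTOSO\helpdesk-user' -Message 'Helpdesk test account'
$session = New-PSSession -ComputerName localhost -ConfigurationName 'Helpdesk' -Credential $cred
Invoke-Command -Session $session { Get-Command | Select-Object Name, CommandType }
Invoke-Command -Session $session { Restart-Service -Name Spooler }   # allowed
Invoke-Command -Session $session { Restart-Service -Name WinRM }     # rejected by ValidateSet
Remove-PSSession $session
```

The transcript directory is the audit trail: every command the helpdesk runs through the endpoint lands there, which is what makes a least-privilege endpoint reviewable rather than just restrictive.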

The final section of the tutorial describes how to troubleshoot PowerShell scripts. The discussion begins with an overview of PowerShell workflows and examines the specifics of troubleshooting PowerShell in both the console and ISE. The section ends with information about using the PSScriptAnalyzer tool for quality control. As with any advanced course, not all users will benefit from this information. But the tutorial could provide a valuable resource for admins looking to refine their PowerShell skills.

LinkedIn Learning pricing

LinkedIn Learning sells courses individually, offers a one-month free trial and provides both personal and business plans. Individual PowerShell courses cost between $30 and $45, and individual subscription plans start at $20 per month. Contact LinkedIn Learning regarding business plans. LinkedIn Learning also offers courses aimed at IT certifications.


What are Windows virtualization-based security features?

Windows administrators must maintain constant vigilance over their systems to prevent a vulnerability from crippling their systems or exposing data to threat actors. For shops that use Hyper-V, Microsoft offers another layer of protection through its virtualization-based security.

Virtualization-based security uses Hyper-V and the machine’s hardware virtualization features to isolate a region of system memory from the normal OS. The most sensitive and critical parts of the kernel, and a small set of user-mode components, run inside this protected region, and the protections it provides can then be extended to other kernel and user-mode code.

Virtualization-based security effectively reduces the Windows attack surface: even if a malicious actor gains access to the normal OS kernel, the protected region can still block the execution of unsigned code and deny access to secrets, such as system credentials. In theory, these added protections prevent malware that uses kernel exploits from reaching sensitive information.

Code examining, malware prevention among key capabilities

Virtualization-based security is a foundation technology and must be in place before adopting a range of advanced security features in Windows Server. One example is Hypervisor-Enforced Code Integrity (HVCI), which checks code such as drivers before it loads and ensures that kernel-mode drivers and binaries are properly signed before they are allowed into memory. Unsigned content is denied, reducing the possibility of running malicious code in the kernel.

Other advanced security capabilities that rely on virtualization-based security include Windows Defender Credential Guard, which prevents malware from accessing credentials, and the ability to create virtual trusted platform modules (TPMs) for shielded VMs.

In Windows Server 2019, Microsoft expanded its shielded VMs feature beyond the Windows platform to cover Linux workloads running on Hyper-V, preventing data leakage both when the VM is at rest on disk and when it moves to another Hyper-V host.

New in Windows Server 2019 is a feature called host key attestation, which uses asymmetric key pairs to authenticate hosts covered by the Host Guardian Service in what is described as an easier deployment method by not requiring an Active Directory trust arrangement.

What are the virtualization-based security requirements?

Virtualization-based security has numerous requirements. It’s important to investigate the complete set of hardware, firmware and software requirements before adopting virtualization-based security. Any missing requirements may make it impossible to enable virtualization-based security and compromise system security features that depend on virtualization-based security support.

At the hardware level, virtualization-based security needs a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (Intel Extended Page Tables or AMD Rapid Virtualization Indexing). I/O virtualization (an IOMMU) must be supported through Intel VT-d or AMD-Vi. The server hardware must include a TPM 2.0.

System firmware must support the Windows System Management Mode Security Mitigations Table (WSMT) specification. The Unified Extensible Firmware Interface (UEFI) firmware must support memory reporting features such as the UEFI v2.6 Memory Attributes Table. Support for Secure Memory Overwrite Request (MOR) v2 protects against attacks that try to recover secrets left in memory across a reset. All drivers must be compatible with HVCI.
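Windows reports which of these platform requirements it actually found, and which VBS services are configured versus running, through the Win32_DeviceGuard CIM class. The following is an added example, not code from the article or from Microsoft; it assumes Windows Server 2016/2019 or Windows 10, an elevated session (Get-Tpm and Confirm-SecureBootUEFI require it), and the documented numeric codes for the Win32_DeviceGuard properties, which are mapped to names below.

```powershell
# Added example: map Win32_DeviceGuard to the VBS requirements list and report gaps.
# Run elevated. The numeric codes follow the documented Win32_DeviceGuard property values.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Codes used by AvailableSecurityProperties and RequiredSecurityProperties.
$propertyNames = @{
    1 = 'Hypervisor support (VT-x/AMD-V with SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (VT-d/AMD-Vi IOMMU)'
    4 = 'Secure Memory Overwrite Request (MOR v2)'
    5 = 'NX protections'
    6 = 'SMM security mitigations (WSMT)'
    7 = 'Mode-based execution control'
    8 = 'APIC virtualization'
}
# Codes used by SecurityServicesConfigured and SecurityServicesRunning.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced code integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
}
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

function Get-VbsReport {
    param($DeviceGuard = $dg)
    $available  = @($DeviceGuard.AvailableSecurityProperties)
    $running    = @($DeviceGuard.SecurityServicesRunning)
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    [pscustomobject]@{
        VbsStatus          = $vbsState[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        PlatformSupport    = $propertyNames.Keys | Sort-Object | ForEach-Object {
                                 '{0}: {1}' -f $propertyNames[$_],
                                     $(if ($available -contains $_) { 'present' } else { 'MISSING' })
                             }
        ConfiguredServices = $serviceNames.Keys | Where-Object { $configured -contains $_ } |
                                 ForEach-Object { $serviceNames[$_] }
        RunningServices    = $serviceNames.Keys | Where-Object { $running -contains $_ } |
                                 ForEach-Object { $serviceNames[$_] }
        # Configured but not running usually means a missing platform requirement below.
        NotStarted         = $serviceNames.Keys |
                                 Where-Object { ($configured -contains $_) -and ($running -notcontains $_) } |
                                 ForEach-Object { $serviceNames[$_] }
    }
}

Get-VbsReport | Format-List

# TPM and Secure Boot, which Win32_DeviceGuard does not describe in detail.
$tpm = Get-Tpm
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
'TPM present: {0}, ready: {1}, spec: {2}' -f $tpm.TpmPresent, $tpm.TpmReady, $spec
try   { 'Secure Boot enabled: {0}' -f (Confirm-SecureBootUEFI) }
catch { Write-Warning 'Secure Boot state unavailable (legacy BIOS boot?)' }

# Platform requirements the firmware/hardware did not expose.
$missing = $propertyNames.Keys | Where-Object { @($dg.AvailableSecurityProperties) -notcontains $_ }
if ($missing) {
    Write-Warning ('Platform lacks: ' + (($missing | ForEach-Object { $propertyNames[$_] }) -join ', '))
}
```

A service that shows up under ConfiguredServices but not RunningServices is the common failure mode: policy turned it on, but the hypervisor refused to start it because one of the properties reported as MISSING is absent.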


December Patch Tuesday resolves Windows zero-day

Administrators got an early holiday present with a fairly light patching workload on December Patch Tuesday, but they will have one Windows zero-day to wrap up as soon as possible.

Microsoft corrected 36 vulnerabilities on December Patch Tuesday in Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, Visual Studio and Skype for Business.

The Win32k elevation of privilege vulnerability (CVE-2019-1458) is rated important and is being actively exploited in the wild. This Windows zero-day, discovered by Kaspersky Lab researchers, affects most supported versions of Microsoft’s operating system on both the client and server side. An attacker who is already logged on to the system could run arbitrary code in kernel mode and take control of the machine, then perform a range of tasks, including creating new accounts with full user rights and installing programs.

Administrators who base their patching priority on a combination of vendor severity and the Common Vulnerability Scoring System (CVSS) score might miss these types of vulnerabilities if they don’t account for additional factors. CVE-2019-1458 has a CVSS score of 7.8.


“If you’re not patching vulnerabilities rated important and above with a CVSS score lower than 8.0, then you could miss things being actively exploited,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.


Multiple zero-day bugs this year met the same criteria as this most recent Windows zero-day, so companies need to make sure they examine additional metadata with the vulnerabilities as they formulate their patching prioritization, Goettl said.

Microsoft closes multiple Git-Visual Studio flaws

Microsoft resolved several security issues related to Git functionality and Microsoft Visual Studio. The company corrected six bugs (CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1354 and CVE-2019-1387) with most of them remote-code execution flaws rated critical. Companies that use Visual Studio for software development and connect to Git repositories will want to apply the December Patch Tuesday updates in short order.

Goettl said an enterprising attacker could do some investigative work to gather email addresses for developers in an organization, then construct a spear-phishing campaign to direct developers to a malicious repository that appears legitimate. Then the attacker could gain administrative rights to modify code in the organization’s development environment. While this scenario is theoretical, Goettl said, it’s not that far-fetched.

“Vendors are becoming a significant target as a way to attack many companies,” he said.

Goettl cited a recent incident in which about 400 dentist offices were hit with ransomware through a vendor that handled data backups for the offices. Threat actors have learned that hitting multiple targets at once is a more effective and lucrative option than the piecemeal approach used in the early days of ransomware, he said.

“If I’m an attacker and I find a vertical that I want to go after, such as a vendor for a bunch of health care providers, and I get as much intel as I can about them, their developers and their development platform and any information about their repositories, then I could put together a valid spear-phishing attack,” Goettl said. “And if I can get into their code base, then I can construct an attack that hits all of their customers and makes for a more painful and more profitable ransomware scenario.”

Microsoft issues more servicing stack updates

Microsoft issued an advisory (ADV990001) related to servicing stack updates for Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. The first three operating systems reach the end of extended support on the next Patch Tuesday, Jan. 14, 2020. Companies that have not migrated off these legacy systems will need to sign up for extended security updates (ESU) to keep receiving security fixes after that end-of-life (EOL) date.

“My guess is that these servicing stack updates for these older platforms are preparing for that switchover so the systems can check and get continued updates if you’ve got that [ESU] key,” Goettl said.

A recent survey from Ivanti indicates many organizations have lagged in their Windows 7 migration efforts for several reasons, such as lack of time and lack of application support. In the survey of more than 500 IT professionals published in October, 39% of the respondents indicated they would not have completed migrations off of Windows 7 before the EOL date.

Microsoft makes unusual move with bug for unsupported OS 

In an unusual twist, Microsoft released information for a Remote Desktop Protocol information disclosure vulnerability (CVE-2019-1489) rated important for Windows XP — an unsupported Windows operating system — but did not provide a patch.

“This one was kind of odd,” said Goettl, who noted Microsoft gave the CVE an exploitability assessment of 0, which typically means it is an actively exploited vulnerability, but Microsoft modified the designation to read “0 – unknown.”

“Microsoft took the time to create a CVE advisory for Windows XP. We can assume there was a reason to trigger that activity, ” Goettl said. “There is no update available, so people really need to get off XP unless they have an absolute necessity to keep it around.”

An attacker could exploit this flaw by connecting remotely to an XP system and running a specially crafted program. The Windows XP operating system went out of mainstream support in April 2009 and left extended support in April 2014.

Other security updates of note for December Patch Tuesday include:

  • A fix for a spoofing flaw (CVE-2019-1490) rated important for Skype for Business Server 2019, cumulative update 2. In the attack scenario, a user would have to click on a malicious link to a server that has been exploited. The threat actor could then launch cross-site scripting attacks on affected systems and run code in the security context of the exploited user. Microsoft’s update closes the loophole by properly sanitizing web requests.
  • A patch for a Win32k graphics remote code execution vulnerability (CVE-2019-1468) rated critical for supported Windows client and server operating systems related to improper handling of specially crafted embedded fonts. An attacker who exploits this bug — by getting a user to click on a link to a malicious site or open a specially crafted document — can take control of a system and run tasks based on the privilege level of the affected user. The update corrects how the Windows font library handles embedded fonts.
  • A fix for a Hyper-V remote code execution vulnerability (CVE-2019-1471) rated critical on Windows 10 and Windows Server 2019 that could allow an attacker to run a malicious application on a guest operating system to force the Hyper-V host to run arbitrary code. The update corrects the user input validation process.
  • A correction for a cross-site scripting vulnerability (CVE-2019-1332) rated important in the Microsoft SQL Server Reporting Services (SSRS) feature. To trigger the exploit, an authenticated user would need to click on a malicious link to an affected SSRS server. The attacker could then perform a range of tasks from deleting content to running malicious code. The patch corrects SSRS URL sanitization.
  • A patch for an information disclosure vulnerability (CVE-2019-1400) rated important in Microsoft Access related to a failure to handle objects in memory properly. The attacker would need to be authenticated on the system to run a malicious application to gather information on the user’s system.

Adobe and Google also release patches

Google updated its Chrome web browser on Tuesday to version 79, resolving 51 vulnerabilities.

Adobe released updates for Adobe Acrobat Reader, Flash Player, Photoshop, Brackets and ColdFusion. Administrators will want to patch Acrobat Reader to close 21 vulnerabilities, 14 of which are rated critical. The company released an update for Flash Player but not for security reasons.

“Adobe is really winding down their focus on Adobe Flash,” Goettl said. “I think it’s safe to say that rather than it just no longer being vulnerable, Adobe is putting so little effort into it that it’s not getting attention anymore. People should be focused on getting Flash Player out of their environments.”

Go to Original Article
Author:

What admins need to know about Azure Stack HCI

Despite all the promise of cloud computing, it remains out of reach for administrators who cannot, for different reasons, migrate out of the data center.

Many organizations still grapple with concerns, such as compliance and security, that weigh down any aspirations to move workloads from on-premises environments. For these organizations, hyper-converged infrastructure (HCI) products have stepped in to approximate some of the perks of the cloud, including scalability and high availability. In early 2019, Microsoft stepped into this market with Azure Stack HCI. While it was a new name, it was not an entirely new concept for the company.

Some might see Azure Stack HCI as a mere rebranding of the existing Windows Server Software-Defined (WSSD) program, but there are some key differences that warrant further investigation from shops that might benefit from a system that integrates with the latest software-defined features in the Windows Server OS.

What distinguishes Azure Stack HCI from Azure Stack?

When Microsoft introduced its Azure Stack HCI program in March 2019, there was some initial confusion from many in IT. The company offered a similarly named product called Azure Stack, which uses the name of Microsoft’s cloud platform, to run a version of Azure inside the data center.

Microsoft developed Azure Stack HCI for local VM workloads that run on Windows Server 2019 Datacenter edition. While not explicitly tied to the Azure cloud, organizations that use Azure Stack HCI can connect to Azure for hybrid services, such as Azure Backup and Azure Site Recovery.

Azure Stack HCI offerings use OEM hardware from vendors such as Dell, Fujitsu, Hewlett Packard Enterprise and Lenovo that is validated by Microsoft to capably run the range of software-defined features in Windows Server 2019.

How is Azure Stack HCI different from the WSSD program?

While Azure Stack is essentially an on-premises version of the Microsoft cloud computing platform, its approximate namesake, Azure Stack HCI, is more closely related to the WSSD program that Microsoft launched in 2017.

Microsoft made its initial foray into the HCI space with its WSSD program, which utilized the software-defined features in the Windows Server 2016 Datacenter edition on hardware validated by Microsoft.

Windows Server gives administrators the virtualization layers necessary to avoid the management and deployment issues related to proprietary hardware. Windows Server’s software-defined storage, networking and compute capabilities enable organizations to more efficiently pool the hardware resources and use centralized management to sidestep traditional operational drawbacks.

For Azure Stack HCI, Microsoft uses the Windows Server 2019 Datacenter edition as the foundation of this product with updated software-defined functionality compared to Windows Server 2016. For example, Windows Server 2019 offers expanded pooled storage of 4 petabytes in Storage Spaces Direct, compared to 1 PB on Windows Server 2016. Microsoft also updated the clustering feature in Windows Server 2019 for improved workload resiliency and added data deduplication to give an average of 10 times more storage capacity than Windows Server 2016.

What are the deployment and management options?

The Azure Stack HCI product requires the use of the Windows Server 2019 Datacenter edition, which the organization might get from the hardware vendor for a lower cost than purchasing it separately.

To manage the Azure Stack HCI system, Microsoft recommends using Windows Admin Center, a relatively new GUI tool developed as the potential successor to Remote Server Administration Tools, Microsoft Management Console and Server Manager. Microsoft tailored Windows Admin Center for smaller deployments, such as Azure Stack HCI.

Windows Admin Center drive dashboard
The Windows Admin Center server management tool offers a dashboard to check on the drive performance for issues related to latency or when a drive fails.

Windows Admin Center encapsulates a number of traditional server management utilities for routine tasks, such as registry edits, but it also handles more advanced functions, such as the deployment and management of Azure services, including Azure Network Adapter for companies that want to set up encryption for data transmitted between offices.

Companies that purchase an Azure Stack HCI system get Windows Server 2019 for its virtualization technology that pools storage and compute resources from two nodes up to 16 nodes to run VMs on Hyper-V. Microsoft positions Azure Stack HCI as an ideal system for multiple scenarios, such as remote office/branch office and VDI, and for use with data-intensive applications, such as Microsoft SQL Server.

How much does it cost to use Azure Stack HCI?

The Microsoft Azure Stack HCI catalog features more than 150 models from 20 vendors. A general-purpose node will cost about $10,000, but the final price will vary depending on the level of customization the buyer wants.

There are multiple server configuration options that cover a range of processor models, storage types and networking. For example, some nodes have ports with 1 Gigabit Ethernet, 10 GbE, 25 GbE and 100 GbE, while other nodes support a combination of 25 GbE and 10 GbE ports. Appliances optimized for better performance that use all-flash storage will cost more than units with slower, traditional spinning disks.

On top of the price of the hardware is the annual maintenance and support fees that are typically a percentage of the purchase price of the appliance.

If a company opts to tap into the Azure cloud for certain services, such as Azure Monitor to assist with operational duties by analyzing data from applications to determine if a problem is about to occur, then additional fees will come into play. Organizations that remain fixed with on-premises use for their Azure Stack HCI system will avoid these extra costs.


Azure Bastion brings convenience, security to VM management

Administrators who want to manage virtual machines securely but want to avoid complicated jump server setup and maintenance have a new option at their disposal.

When you run Windows Server and Linux virtual machines in Azure, you need to configure administrative access. The obvious way is to reach those VMs across the internet on Transmission Control Protocol (TCP) port 3389 for Remote Desktop Protocol (RDP) or TCP port 22 for Secure Shell (SSH).

You want to avoid the configuration in Figure 1, which exposes your VMs to the internet with an Azure public IP address and invites trouble via port scan attacks. Microsoft publishes its public IPv4 data center ranges, so bad actors know which public IP addresses to check to find vulnerable management ports.

port scan attacks
Figure 1. This setup exposes VMs to the internet with an Azure public IP address that makes an organization vulnerable to port scan attacks.

Another remote server management option offers an illusion of security

If you have a dedicated hybrid cloud setup with site-to-site virtual private network or an ExpressRoute circuit, then you can interact with your Azure VMs the same way you would with your on-premises workloads. But not every business has the money and staff to configure a hybrid cloud.

Another option, shown in Figure 2, combines the Azure public load balancer with NAT to route management traffic through the load balancer on nonstandard ports.

NAT rules
Figure 2. Using NAT and Azure load balancer for internet-based administrative VM access.

For instance, you could create separate NAT rules for inbound administrative access to the web tier VMs. If the load balancer public IP is 1.2.3.4, winserv1’s private IP is 192.168.1.10, and winserv2’s private IP is 192.168.1.11, then you could create two NAT rules that look like:

  • Inbound RDP connections to 1.2.3.4 on port TCP 33389 route to TCP 3389 on 192.168.1.10
  • Inbound RDP connections to 1.2.3.4 on port TCP 43389 route to TCP 3389 on 192.168.1.11

The problem with this method is your security team won’t like it. Moving a service to a nonstandard port is security by obscurity: a port scanner still finds the listener, and the technique relies on a NAT protocol hack rather than on any real access control.

Jump servers are safer but have other issues

A third method that is quite common in the industry is to deploy a jump server VM to your target virtual network in Azure as shown in Figure 3.

jump server configuration
Figure 3. This diagram details a conventional jump server configuration for Azure administrative access.

The jump server is nothing more than a specially created VM that is usually exposed to the internet but has its inbound and outbound traffic restricted heavily with network security groups (NSGs). You allow your admins access to the jump server; once they log in, they can jump to any other VMs in the virtual network infrastructure for any management jobs.

Of these choices, the jump server is safest, but how many businesses have the expertise to pull this off securely? The team would need intermediate- to advanced-level skill in TCP/IP internetworking, NSG traffic rules, public and private IP addresses and Remote Desktop Services (RDS) Gateway to support multiple simultaneous connections.

For organizations that don’t have these skills, Microsoft now offers Azure Bastion.

What Azure Bastion does

Azure Bastion is a managed network virtual appliance that simplifies jump server deployment in your virtual networks. You drop an Azure Bastion host into its own subnet, perform some NSG configuration, and you are done.

Organizations that use Azure Bastion get the following benefits:

  • No more public IP addresses for VMs in Azure.
  • RDP/SSH firewall traversal. Azure Bastion tunnels the RDP and SSH session inside a standard Transport Layer Security (TLS) connection on TCP port 443, so no VPN is needed and ports 3389 and 22 are never opened to the internet.
  • Protection against port scan attacks on VMs.

How to set up Azure Bastion

Azure Bastion requires a virtual network in the same region. As of publication, Microsoft offers Azure Bastion in the following regions: Australia East, East U.S., Japan East, South Central U.S., West Europe and West U.S.

You also need an empty subnet named AzureBastionSubnet. Do not enable service endpoints, route tables or delegations on this special subnet. Later in this tutorial you will define or edit an NSG on each VM-associated subnet to control which traffic reaches the VMs.

Because Azure Bastion supports multiple simultaneous connections, size the AzureBastionSubnet with at least a /27 IPv4 address space. One likely reason for this minimum is to give Azure Bastion room to scale out, much as autoscaling does in Azure Application Gateway.

Next, browse to the Azure Bastion configuration screen and click Add to start the deployment.

Azure Bastion deployment setup
Figure 4: Deploying an Azure Bastion resource.

As you can see in Figure 4, the deployment process is straightforward if the virtual network and AzureBastionSubnet subnet are in place.
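The same setup carried out with the Az PowerShell module instead of the portal, as an added example that is not part of the original article. The resource group, virtual network name, region and the /27 prefix are assumptions for the example, and New-AzBastion requires an Az.Network version that ships the Bastion cmdlets.

```powershell
# Added example: deploy Azure Bastion into an existing virtual network with Az PowerShell.
# Names, region and the /27 prefix below are assumptions for this example.
$rg       = 'rg-bastion-demo'
$location = 'eastus'
$vnetName = 'vnet-hub'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# The subnet must be named exactly AzureBastionSubnet and be at least /27. Leave it without
# service endpoints, route tables or delegations; Bastion manages that subnet itself.
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# Bastion terminates the browser TLS session on a Standard-SKU static public IP of its own;
# the VMs behind it keep none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
           -Sku Standard -AllocationMethod Static

New-AzBastion -ResourceGroupName $rg -Name 'bastion-hub' -PublicIpAddress $pip -VirtualNetwork $vnet

# Check the benefit the article promises: list NICs in the resource group that still carry a public IP.
Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations.PublicIpAddress } |
    Select-Object Name, @{ n = 'PublicIpId'; e = { $_.IpConfigurations.PublicIpAddress.Id } }
```

Once the Bastion host is up, remove any public IP the last command lists: a VM that still has one is reachable by port scanners no matter what Bastion does.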

According to Microsoft, Azure Bastion will in time support native RDP and SSH clients, but for now you establish your management connection via the Connect experience in the Azure portal. Navigate to a VM’s Overview blade, click Connect, and switch to the Bastion tab as shown in Figure 5.

Azure Bastion setup
Figure 5. The Azure portal includes an Azure Bastion connection workflow.

On the Bastion tab, provide an administrator username and password, and then click Connect one more time. Your administrative RDP or SSH session opens in another browser tab, shown in Figure 6.

Windows Server management
Figure 6. Manage a Windows Server VM in Azure with Azure Bastion using an Azure portal-based RDP session.

You can share clipboard data between the Azure Bastion-hosted connection and your local system. Close the browser tab to end your administrative session.

Customize Azure Bastion

To configure Azure Bastion for your organization, create or customize an existing NSG to control traffic between the Azure Bastion subnet and your VM subnets.

Secure access to VMs with Azure Bastion.

Microsoft provides default NSG rules to allow traffic among subnets within your virtual network. For a more efficient and powerful option, upgrade your Azure Security Center license to Standard and onboard your VMs to just-in-time (JIT) VM access, which uses dynamic NSG rules to lock down VM management ports unless an administrator explicitly requests a connection.

You can combine JIT VM access with Azure Bastion, which results in this VM connection workflow:

  • Request access to the VM.
  • Upon approval, proceed to Azure Bastion to make the connection.
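An NSG that makes the Bastion subnet the only path to the management ports, as an added example not drawn from the original article. Resource group, virtual network, subnet and NSG names are assumptions, and the script expects the AzureBastionSubnet to exist already.

```powershell
# Added example: lock a VM subnet's RDP/SSH ports to the AzureBastionSubnet with Az PowerShell.
# Resource group, VNet, subnet and NSG names are assumptions for this example.
$rg   = 'rg-bastion-demo'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'

# Source the allow rule from the Bastion subnet's actual prefix rather than a hard-coded range.
$bastionPrefix = ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet').AddressPrefix
$webSubnet     = $vnet.Subnets | Where-Object Name -eq 'snet-web'

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-From-Bastion' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '3389','22'

    # Explicit deny ahead of the default AllowVnetInBound rule (priority 65000), so neither another
    # subnet, nor a peered network, nor the internet reaches the management ports directly.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-Elsewhere' -Priority 110 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '3389','22'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web-tier' -Location $vnet.Location -SecurityRules $rules

# Associate the NSG with the web-tier subnet and commit the change to the VNet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $webSubnet.Name `
    -AddressPrefix $webSubnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The AzureBastionSubnet itself is left without an NSG here. If your standards require one there as well, it has to keep the inbound 443 and outbound 3389/22 rules Microsoft documents for Bastion or the host stops working. Combined with JIT VM access, these rules decide where a connection may come from and JIT decides when.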

Azure Bastion needs some fine-tuning

Azure Bastion has a fixed hourly cost; Microsoft also charges for outbound data transfer after 5 GB.

Azure Bastion is an excellent way to secure administrative access to Azure VMs, but there are a few deal-breakers that Microsoft needs to address:

  1. You need to deploy an Azure Bastion host for each virtual network in your environments. If you have three virtual networks, then you need three Azure Bastion hosts, which can get expensive. Microsoft says virtual network peering support is on the product roadmap. Once Microsoft implements this feature, you can deploy a single Bastion host in your hub virtual network to manage VMs in peered spoke virtual networks.
  2. There is no support for PowerShell remoting ports, but Microsoft does support RDP, which goes against its refrain to avoid the GUI to manage servers.
  3. Microsoft’s documentation does not give enough architectural details to help administrators determine the capabilities of Azure Bastion, such as whether an existing RDP session Group Policy can be combined with Azure Bastion.


Microsoft closes IE zero-day on November Patch Tuesday

Administrators will need to focus on deploying fixes for an Internet Explorer zero-day and a Microsoft Excel bug as part of the November Patch Tuesday security updates.

Microsoft issued corrections for 75 vulnerabilities, 14 rated critical, in this month’s releases, which also delivered fixes for Windows operating systems, Microsoft Office and Office 365 applications, the Edge browser, Exchange Server, ChakraCore, Secure Boot, Visual Studio and Azure Stack.

In addition to these November Patch Tuesday updates, administrators should also look at the Google Chrome browser to fix a zero-day (CVE-2019-13720) reported by Kaspersky Lab researchers. Google corrected the flaw in build 78.0.3904.87, released on Oct. 31 for Windows, Mac and Linux systems.

Microsoft plugs Internet Explorer zero-day

The Internet Explorer zero-day (CVE-2019-1429), rated critical for Windows client systems and moderate for the server OS, covers the range of browsers from Internet Explorer 9 to 11. The flaw is a memory corruption vulnerability that could let an attacker execute code remotely on a system in the context of the current user. If that user is an administrator, then the attacker would gain full control of the system.

On a system run by a user with lower privileges, the attacker would need to do additional work through another exploit to elevate their privilege. Organizations that follow least privilege will be less susceptible to the exploit until administrators can roll out the update to Windows systems. Exposure to the zero-day can occur in several scenarios, from visiting a malicious website to opening an application or Microsoft Office document that contains the exploit.

“[There are] a few different ways to exploit [the IE zero-day], such as going to a site that allows user-contributed content like ads that can be injected with this type of malicious content to serve up the attack,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.


Organizations can take nontechnical measures, such as implement training that instructs users on how to avoid suspicious emails and websites, but the best way to prevent exploitation is to roll out the security update as quickly as possible because the vulnerability is under active attack, Goettl said.

Microsoft resolved a security feature bypass in Microsoft Excel 2016/2019 for macOS systems (CVE-2019-1457) rated important that had been publicly disclosed. The security update corrects a bug that did not enforce the macro settings for Excel documents. A user who opened a malicious Excel worksheet would trigger the exploit when it runs a macro. Microsoft’s advisory stipulated the preview pane is not an attack vector for this vulnerability.

Other security updates worth noting for November Patch Tuesday include:

  • A critical servicing update to ChakraCore to correct three memory corruption bugs (CVE-2019-1426, CVE-2019-1427 and CVE-2019-1428) that affect the Microsoft Edge browser in client and server operating systems. The remote code execution vulnerability could let an attacker run arbitrary code in the context of the current user to obtain the same user rights.
  • A remote code execution vulnerability in Exchange Server 2013/2016/2019 (CVE-2019-1373) that would let an attacker run arbitrary code. The exploit requires a user to run a PowerShell cmdlet. The update corrects how Exchange serializes its metadata.
  • A critical remote code execution vulnerability (CVE-2019-1419) in all supported Windows versions related to OpenType font parsing in the Windows Adobe Type Manager Library. An attacker could exploit the bug either by having a user open a malicious document or go to a website embedded with specially crafted OpenType fonts.
  • Microsoft resolved nine vulnerabilities affecting the Hyper-V virtualization platform. CVE-2019-0719, CVE-2019-0721, CVE-2019-1389, CVE-2019-1397 and CVE-2019-1398 relate to critical remote code execution bugs. CVE-2019-0712, CVE-2019-1309, CVE-2019-1310 and CVE-2019-1399 are denial-of-service flaws rated important.

Microsoft shares information on Trusted Platform Module bug

Microsoft also issued an advisory (ADV190024) for a vulnerability (CVE-2019-16863) in Trusted Platform Module (TPM) firmware. The company indicated there is no patch because the flaw is not in the Windows OS or a Microsoft application, but rather in certain TPM chipsets. Microsoft said users should contact their TPM manufacturer for further information.

A TPM is a dedicated cryptographic chip that stores keys and boot measurements; features such as BitLocker rely on it to detect tampering with firmware and the operating system.

“Other software or services you are running might use this algorithm. Therefore, if your system is affected and requires the installation of TPM firmware updates, you might need to reenroll in security services you are running to remediate those affected services,” the advisory said.

The flaw affects TPM firmware based on the Trusted Computing Group (TCG) specification family 2.0, according to Microsoft.

Microsoft releases more servicing stack updates

For the third month in a row, Microsoft released updates for the servicing stack for Windows client and server operating systems. Microsoft does not typically give a clear deadline when a servicing stack needs to be applied but has given as little as two months in some instances, Goettl said.

Servicing stack updates are not part of the cumulative updates for Windows but rather are installed separately.

Researchers say first BlueKeep exploit attempts underway

In security news beyond the November Patch Tuesday security updates, the first reports of the BlueKeep exploit targeting users began at the end of October when security researcher Kevin Beaumont spotted hacking attempts using the RDP flaw on his honeypots and reported the findings on his blog.

On May Patch Tuesday, Microsoft corrected the critical remote code execution flaw (CVE-2019-0708) dubbed BlueKeep that affects Windows 7 and Windows Server 2008/2008R2 systems. Due to the “wormable” nature of the vulnerability, many in IT felt BlueKeep might surpass the impact of the WannaCry outbreak. At one point there were more than a million public IPs running RDP that were vulnerable to a BlueKeep attack, which should serve as a wake-up call for IT to tighten up lax RDP practices, Goettl said.

“People should just be a little bit more intelligent about how they’re using RDP. You are opening a gateway into your network,” Goettl said. “There are people who have public-facing RDP that’s not behind a VPN, doesn’t require authentication. There are about four or five things people can do to better secure RDP services, especially when they’re exposing it to public IPs, but they’re just not doing it.”
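A host-side audit of the RDP settings that exposure like the one described above comes down to, as an added example that is not part of the original article. It reads the standard Terminal Server registry keys and assumes an English-language Windows for the firewall group name; group policy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services can override the local values, so check both where policy is in use.

```powershell
# Added example: report the RDP settings on this host that port-scanning attackers look for.
# Registry locations are the standard Terminal Server keys; the firewall group name assumes
# an English-language Windows.
function Test-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $findings = New-Object System.Collections.Generic.List[string]

    $enabled  = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -ne 1
    $nla      = (Get-ItemProperty -Path $tcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication -eq 1
    $secLayer = (Get-ItemProperty -Path $tcp -Name SecurityLayer       -ErrorAction SilentlyContinue).SecurityLayer
    $port     = (Get-ItemProperty -Path $tcp -Name PortNumber          -ErrorAction SilentlyContinue).PortNumber

    if ($enabled -and -not $nla) {
        # Without NLA the server runs the full RDP handshake before any authentication, which is
        # the pre-auth surface both BlueKeep and credential-guessing bots depend on.
        $findings.Add('RDP enabled without Network Level Authentication (UserAuthentication is not 1)')
    }
    if ($enabled -and $null -ne $secLayer -and $secLayer -ne 2) {
        $findings.Add("SecurityLayer is $secLayer; 2 (TLS) is the hardened value")
    }

    # Firewall scope: an inbound RDP rule open to Any remote address is what ends up on a public IP.
    $wideOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' }
    if ($enabled -and $wideOpen) {
        $findings.Add('Inbound Remote Desktop firewall rule accepts connections from any remote address')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $enabled
        NlaRequired  = $nla
        ListenerPort = $port
        Findings     = $findings.ToArray()
    }
}

Test-RdpExposure
```

Run it under an elevated session on each host you suspect is internet-facing; an empty Findings array means RDP is off, or it is on with NLA, TLS and a scoped firewall rule. Placing the listener behind a VPN or a gateway is still the better answer than any of these settings alone.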


Set up PowerShell script block logging for added security

PowerShell is an incredibly comprehensive and easy to use language. But administrators need to protect their organization from bad actors who use PowerShell for criminal purposes.

PowerShell’s extensive capabilities as a native tool in Windows make it tempting for an attacker to exploit the language. Increasingly, malicious software and bad actors are using PowerShell to either glue together different attack methods or run exploits entirely through PowerShell.

There are many methods and security best practices available to secure PowerShell, but one of the most valuable is PowerShell script block logging. A script block is a collection of statements or expressions used as a single unit; in PowerShell syntax it is everything between a pair of curly braces.

Starting in Windows PowerShell v4.0 but significantly enhanced in Windows PowerShell v5.0, script block logging produces an audit trail of executed code. Because obfuscated code must be decoded before PowerShell can run it, the v5.0 logging engine records the de-obfuscated script block at the point of execution, whether the payload was hidden with XOR, Base64 or ROT13. The obfuscated outer block is logged as well, so the two can be compared.

PowerShell script block logging helps with the postmortem analysis of events to give additional insight if a breach occurs. It also helps IT be more proactive with monitoring for malicious events. For example, if you set up Windows Event Forwarding subscriptions, you can send events of interest to a centralized collector for a closer look.

Set up a Windows system for logging

Two primary ways to configure script block logging on a Windows system are by either setting a registry value directly or by specifying the appropriate settings in a group policy object.

To configure script block logging via the registry, use the following code while logged in as an administrator:

# Policy key that 64-bit PowerShell hosts read; 32-bit hosts on 64-bit Windows read the same path under HKLM:\SOFTWARE\Wow6432Node, so set that too if you run 32-bit PowerShell.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord -Force

You can set PowerShell logging settings within group policy, either on the local machine or through organizationwide policies.

Open the Local Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging.

Turning on PowerShell script block logging
Set up PowerShell script block logging from the Local Group Policy Editor in Windows.

When you enable script block logging, the editor unlocks an additional option to log events via “Log script block invocation start / stop events” when a command, script block, function or script starts and stops. This helps trace when an event happened, especially for long-running background scripts. This option generates a substantial amount of additional data in your logs.

PowerShell script block logging option
PowerShell script block logging tracks executed scripts and commands run on the command line.

How to configure script block logging on non-Windows systems

PowerShell Core is the cross-platform version of PowerShell for use on Windows, Linux and macOS. To use script block logging on PowerShell Core, you define the configuration in the powershell.config.json file in the $PSHome directory, which is unique to each PowerShell installation.

From a PowerShell session, navigate to $PSHome and use the Get-ChildItem command to see if the powershell.config.json file exists. If not, create the file with this command:

sudo touch powershell.config.json

Modify the file using a tool such as the nano text editor and paste in the following configuration.

{
    "PowerShellPolicies": {
        "ScriptBlockLogging": {
            "EnableScriptBlockInvocationLogging": false,
            "EnableScriptBlockLogging": true
        }
    },
    "LogLevel": "verbose"
}

Test PowerShell script block logging

Testing the configuration is easy. Merely defining a script block is enough to log it; it does not have to be invoked. From the command line, run the following:

PS /> { "log me!" }
"log me!"

Checking the logs on Windows

How do you know what entries to watch out for? The main event ID is 4104, the ScriptBlockLogging entry, which records the user and domain, logged date and time, computer host and the script block text. A long script block is split across several 4104 events that share the same ScriptBlock ID.

Open Event Viewer and navigate to the following log location: Applications and Services Logs > Microsoft > Windows > PowerShell > Operational.

Click on events until you find the one from the test that is listed as Event ID 4104. Filter the log for this event to make the search quicker.

Windows Event 4104
Event 4104 in the Windows Event Viewer details PowerShell activity on a Windows machine.

On PowerShell Core on Windows, the log location is: Applications and Services Logs > PowerShellCore > Operational.

Log location on non-Windows systems

On Linux, PowerShell script block logging will log to syslog. The location will vary based on the distribution. For this tutorial, we use Ubuntu which has syslog at /var/log/syslog.

Run the following command to show the log entry; you must elevate with sudo in this example and on most typical systems. Search for a fixed string in single quotes, because the logged text carries its own quote characters and a bare ! inside double quotes triggers history expansion in an interactive bash shell:

sudo grep -F 'log me!' /var/log/syslog

2019-08-20T19:40:08.070328-05:00 localhost powershell[9610]: (6.2.2:9:80) [ScriptBlock_Compile_Detail:ExecuteCommand.Create.Verbose] Creating Scriptblock text (1 of 1):#012{ "log me!" }#012#012ScriptBlock ID: 4d8d3cb4-a5ef-48aa-8339-38eea05c892b#012Path:

To set up a centralized server on Linux, things are a bit different since you’re using syslog by default. You can use rsyslog to ship your logs to a log aggregation service to track PowerShell activity from a central location.
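A parser and first-pass triage over both record shapes, the Windows 4104 events from the earlier section and the Linux syslog lines shown just above, as an added example that is not part of the original article. The function names, the indicator list and the sample syslog lines are this example’s own constructions; the Windows branch assumes the event log names used above.

```powershell
# Added example: turn script block log records from Windows (event 4104) and Linux (syslog)
# into one shape, reassemble blocks PowerShell split into parts, and flag what to review first.
# Function names, the indicator list and the sample syslog lines are constructed for this example.

# Parse the syslog layout shown above: one event per line, newlines escaped as #012.
function ConvertFrom-SyslogScriptBlock {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        $rx = [regex]'^(?<ts>\S+)\s+(?<host>\S+)\s+powershell\[\d+\]:.*?Creating Scriptblock text \((?<part>\d+) of (?<total>\d+)\):#012(?<text>.*?)#012#012ScriptBlock ID: (?<id>[0-9a-f-]{36})#012Path: ?(?<path>.*)$'
    }
    process {
        $m = $rx.Match($Line)
        if (-not $m.Success) { return }          # not a script block record; skip it
        [pscustomobject]@{
            Time  = $m.Groups['ts'].Value
            Host  = $m.Groups['host'].Value
            Id    = $m.Groups['id'].Value
            Part  = [int]$m.Groups['part'].Value
            Total = [int]$m.Groups['total'].Value
            Text  = $m.Groups['text'].Value -replace '#012', "`n"
            Path  = $m.Groups['path'].Value
        }
    }
}

# Same fields from the Windows event log. Event 4104 properties are, in order:
# MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
function Get-ScriptBlockEvent {
    param([string]$LogName = 'Microsoft-Windows-PowerShell/Operational', [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Time  = $_.TimeCreated.ToString('o')
                Host  = $_.MachineName
                Id    = [string]$_.Properties[3].Value
                Part  = [int]$_.Properties[0].Value
                Total = [int]$_.Properties[1].Value
                Text  = [string]$_.Properties[2].Value
                Path  = [string]$_.Properties[4].Value
            }
        }
}

# Reassemble multi-part blocks: the parts are consecutive slices of one string.
function Join-ScriptBlockPart {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { $all.Add($Record) }
    end {
        $all | Group-Object Id | ForEach-Object {
            $parts = @($_.Group | Sort-Object Part)
            [pscustomobject]@{
                Time = $parts[0].Time; Host = $parts[0].Host; Id = $_.Name; Path = $parts[0].Path
                Text = -join ($parts | ForEach-Object Text)
            }
        }
    }
}

# Indicators worth a first look (case-insensitive regexes).
$Indicators = [ordered]@{
    'invoke-expression' = '\b(IEX|Invoke-Expression)\b'
    'download-cradle'   = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest'
    'hidden-window'     = '-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-ExecutionPolicy\s+Bypass'
    'encoded-command'   = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}'
    'reflective-load'   = 'Reflection\.Assembly.*Load|VirtualAlloc|CreateThread|DllImport'
    'amsi-tamper'       = 'AmsiUtils|amsiInitFailed'
}

# -EncodedCommand payloads are UTF-16LE Base64; decode them and scan the plaintext as well,
# which mirrors what the logging engine captures once the decoded code actually runs.
function Expand-EncodedCommand {
    param([string]$Text)
    $decoded = foreach ($m in [regex]::Matches($Text, '-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', 'IgnoreCase')) {
        try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value)) } catch { }
    }
    return ((@($Text) + @($decoded | Where-Object { $_ })) -join "`n")
}

function Find-SuspiciousScriptBlock {
    param([Parameter(ValueFromPipeline = $true)]$Block)
    process {
        $scan = Expand-EncodedCommand -Text $Block.Text
        $hits = foreach ($name in $Indicators.Keys) {
            if ([regex]::IsMatch($scan, $Indicators[$name], 'IgnoreCase')) { $name }
        }
        if ($hits) {
            [pscustomobject]@{
                Time = $Block.Time; Host = $Block.Host; Id = $Block.Id; Path = $Block.Path
                Hits = $hits -join ','
                Text = $scan -replace '\s+', ' '
            }
        }
    }
}

# Constructed sample in the syslog layout above: the benign test block from this article and a
# two-part block that stages a hidden, Base64-encoded command (the payload decodes to: IEX (whoami)).
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('IEX (whoami)'))
$pre = '2019-08-20T19:41:12.000000-05:00 localhost powershell[9610]: (6.2.2:9:80) [ScriptBlock_Compile_Detail:ExecuteCommand.Create.Verbose] Creating Scriptblock text'
$SampleSyslog = @(
    "$pre (1 of 1):#012{ `"log me!`" }#012#012ScriptBlock ID: 4d8d3cb4-a5ef-48aa-8339-38eea05c892b#012Path: ",
    "$pre (1 of 2):#012`$cmd = 'powershell -nop -w hidden -enc $enc'#012#012#012ScriptBlock ID: 0f1e2d3c-1111-4222-8333-444455556666#012Path: /tmp/stage.ps1",
    "$pre (2 of 2):#012Start-Process cmd -ArgumentList '/c', `$cmd#012#012ScriptBlock ID: 0f1e2d3c-1111-4222-8333-444455556666#012Path: /tmp/stage.ps1"
)

# Only the staged block is returned; the benign test block produces no hits.
$SampleSyslog | ConvertFrom-SyslogScriptBlock | Join-ScriptBlockPart | Find-SuspiciousScriptBlock | Format-List
# On a Windows host, start from the event log instead (PowerShell Core: -LogName 'PowerShellCore/Operational'):
# Get-ScriptBlockEvent | Join-ScriptBlockPart | Find-SuspiciousScriptBlock
```

Two caveats when running this against real logs. PowerShell v5 writes some 4104 events at Warning level on its own when a block matches its built-in suspicious-keyword list, even before you enable the policy, so a Level filter on the Windows side surfaces those first. And the indicator list is a starting point, not a detection rule: expect to tune it against your own administrative scripts before alerting on it.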
