Posts

Showing posts from 2018

IIS Client Certificate Revocation Check Disable

Image
A couple of weeks back, a certificate was approaching it's expiration date on an IIS server and the update - although pretty straight forward, caused a major issue for the service running on that server.

I had the new certificate in PFX format, I've installed it on the computer certificate store and it was available in the IIS Manager console. All the certificates for the Root and Intermediate authorities were property installed and the clients had access to the CRL urls.

However, when I switched the certificate, the clients were not able to communicate property with the website. After going through the logs on the clients and the application, I discovered that the clients were using client certificates in order to authenticate and the validation process was failing for those certificates since my server could not check their revocation.

I opened up a command prompt to get more information on the bindings on the website since there are settings that are not available when usin…

Building a PowerShell cmdlet using C# - Part 2: Debugging

Image
On the previous article of the series, we created a Visual Studio project for a cmdlet and added the base code. This article is going to be about debugging the code, an ability that will greatly reduce the time taken to troubleshoot.

Right click your project and select "Properties". On the properties tab, click "Debug" to go to debug settings.


Here we are gong to select the "Start external program" option and browse to the powershell executable located at "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". This way, when we start the debugger, a PowerShell window will start.

We also want our module to be loaded to that PowerShell host so fill the following in the "Command line arguments" box: -noexit -command "&{ import-module .\DemoCmdlet.dll -verbose}"

Replace the name of the dll with the one created for your project. You can find it by browsing to the bin/Debug folder in your project.


When you hit "Start&…

Building a PowerShell cmdlet using C# - Part 1: Basic Code and Requirements

Image
As PowerShell evolved, it gave administrators more are more options when creating functions. The latest addition in PowerShell 5 was classes which along with the ability to use .NET classes allows us to build functions for even the most complicated tasks.

The use of classes and .NET objects however is much easier in C# and the fact that the code is faster and strongly typed makes C# a better choice when building complicated functions. In this article, we are going to create a cmdlet using Visual Studio. Let's get started!

Fire up Visual Studio and create a Class Library project:


When the project is created, it will contain a class file that is going to hold the code for our cmdlet.


Before starting to write the code, we have to add a package that will provide all the necessary tools to create the cmdlet. Right click the solution in the Solution Explorer and select "Manage NuGet Packages for Solution".


When the package manager tab has opened, click "Browse" and s…

How to Configure Message Forwarding on a Mailbox Level

Image
The Set-Mailbox cmdlet has two parameters to configure forwarding for a mailbox: ForwardingAddress and ForwardingSmtpAddress. Those two parameters serve the same puspose but in two different ways. There is also a third parameter called DeliverToMailboxAndForward that when set will leave a copy of the message on the mailbox.

The "ForwardingAddress" accepts RecipientIdParameter input which means that you have to use the identity of an existing object on your organization such as another mailbox or a mail contact.

The "ForwardingSmtpAddress" accepts input in a proxy address format such as plain old email addresses. Although this is pretty straight forward, there's a catch you need to be aware of. This will only work if the remote domain of the recipient is configured to allow message forwarding. Let me elaborate.

There's a thing on Exchange, called Remote Domains. Those are used in order to define settings for the communication between your Exchange server and…

Catching Exceptions in PowerShell

Things can go wrong even on the simplest tasks. A network failure, a fail over, inadequate permissions and many other factors can make your scripts and functions fail. Let's see how we can control failure!

There are two statements in PowerShell that help to control failed commands. These are "try" and "catch". Their usage is pretty straightforward, you wrap the commands that might fail in a try block and specify the actions to be executed upon the failure in the catch block.

Below is a simple try/catch block in a function:

try { Remove-Item -Path myfile.txt -ErrorAction Stop } catch { Write-Host"Cound not remove item" }
Here, if the Remove-Item command fails, the string "Could not remove item" will be written on the console.

A couple of things to notice here. First, the -ErrorAction preference is set to Stop for the command since this way the command will generate and exception instead of just writing to the error stream. If an exce…

Monitoring Azure Activity Log using OMS

Image
Although Azure OMS is a great tool to collect and analyse logs and counters from various kinds of systems, it's functionality is not limited to these. Recently, the ability to log the activity of your Azure subscription, such as resource creation and removal and delegation actions was added to OMS.

To get such information logged in OMS, you have to connect your subscription to the workspace. Navigate the the workspace blade and select "Azure Activity Log" under "Workspace Data Sources".


The subscription is connected, so let's take the creation of a virtual machine for example.

The below query for activity log regarding the resource group "BlogVirtualMachines" brings back a lot of results related to the deployment, the storage account, the networking components, the virtual machine and many others within that resource group.


Let's expand a few to see the information inside. The "Create Deployment" record shows that a deployment has st…

Converting Certificates using OpenSSL

Image
Certificates are an integral part of every IT infrastructure and service since they can be used to encrypt data, secure the communications, verify identities and provide trust. In this article I'm going to demonstrate a number of conversions you may have to perform in order to prepare a certificate to be imported to a system. Before moving on to the actual part about the conversion, a few words about the certificates and their file extensions.

Encodings
There are two different kinds of encoding for an X509 certificate, DER and PEM. DER encoded files are binary in contrast to PEM which are Base64 encoded and human readable.

File Extensions
The most commonly used file extensions for certificate and key files are:
.crt - Used for certificates in DER or PEM format..cer - Also used for certificates, alternative to crt.key - Used for private key files.pfx - Used for certificate and private key bundles. Used different format from the others (pkcs12)Conversion
When it comes to certificate co…

PowerShell Custom Object Formatting

On this article I'm going to touch a field of PowerShell development that most are not aware of. That is formatting. Every PowerShell user has used the "Format-Table" and "Format-List" cmdlets or even the "Format-Custom" to display data in a manner that suits them. What happens though when you have objects that you'll like to format a bit differently or set the default view for? Then its time to use formatting.

To start off, we're going to create a custom module. Pick a name for the module - mine is going to be "TestModule" - and create a directory with that name. Then create the module manifest using the "New-ModuleManifest" cmdlet and a script file with the ".psm1" extension. You should end up with a structure like the following:

PS C:\> New-Item -ItemType dir -Name TestModule

    Directory: C:\Users\cpolydorou\Desktop

Mode        LastWriteTime  Length Name
----        -------------  ------ ----
d----- …

Configuring Virtual Machines using Azure Automation DSC

A few days ago, I published an article on how to apply a DSC configuration on an Azure Virtual machine. Although there's nothing wrong with publishing a configuration on an Azure Storage Account and having the machines apply it, there's a better way.

Azure offers a service called Automation Accounts, that among  other things, let's you publish configurations, register nodes in order to apply them and report on the node status. Let's see how to get it working!

We are going to need and Azure Automation Account to host the configurations, so let's create one:

PS C:\> New-AzureRmAutomationAccount -ResourceGroupName "Blog-DSC" `
                                     -Name "BlogDSCAutomationAccount" `
                                     -Plan Free `
                                     -Location WestEurope

SubscriptionId        : e******a-8**c-4**3-9**7-b**********9
ResourceGroupName     : Blog-DSC
AutomationAccountName : BlogDSCAutomationAccount
L…

Monitoring Microsoft SQL using OMS

Image
Moving on to the next article about Microsoft Operations Manager Suite, we're going to take a look on a solution for Microsoft SQL servers.
The SQL Health Check solution will provide useful information about the status of your SQL servers regarding security, compliance, availability, performance and many other aspects.
As you may see below, I have a lot of recommendations for my lab servers, including the accounts used by the SQL services, the performance of the tempdb and even the power settings on the servers!
Two of the below stand out, the suggestion to check the logins on the servers - since they are members of an availability group and missing logins can cause application downtime and the suggestion to limit the memory of the SQL server in order to avoid consuming memory needed by the operating system.

The solution also provides information about the upgrade and migration status, change management and operations and monitoring.

Here, I'm warned that Remote Desktop is no…

Assessing Security using OMS

Image
Having all this information such as application and security logs, installed updates and anti malware status on OMS, gives you the perfect opportunity to assess the security status of your organization and reduce your risk surface.

Fortunately, you don't have to write the queries yourself - although you could - since solutions that can produce security reports are just a few clicks away.

The "Security and Audit" solution performs multiple checks regarding update and anti malware status, applied security settings and even failed logon attempts. Below is a sample of the report:


The "Antimalware Assessment" solution is all about the health of your machines. It provides status reports, the threats that have been detected and the unprotected machines.


The above solutions, when combined, provide a full and detailed view on your organization's security status and give you the ability to tighten your overall security and discover trends and issues.

Related articles

Configuring Azure VMs using Desired State Configuration

Image
Lately I've been working on a project to automate the provisioning of virtual machines on Azure using Azure Resource Manager. The need to apply configuration on the OS level came up and the proffered way was Desired State Configuration. On this article, we are going to publish a configuration and configure a virtual machine to apply it.

First we are going to log in and select the subscription that we are going to use:

PS C:\>Login-AzureRmAccount
Account          : c******s.p******ou@*******
SubscriptionName : Pay-As-You-Go
SubscriptionId   : e******a-8**c-4**3-9**7-b**********9
TenantId         : 5******f-d**2-4**4-a**e-7**********7
Environment      : AzureCloud

PS C:\>Get-AzureRmSubscription |
           Out-GridView -PassThru -Title "Select the subscription to use" |
               Select-AzureRmSubscription

Name             : [c*****s.p******ou@*******, e*******a-8**c-4**3-9**7-b**********9]
Account          : c******s.p********u@********
SubscriptionName : Pay-…