WindowsNetworking.com - Monthly Newsletter - September 2016

Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com

 

1. Reining in the Admins with Windows Server 2016

Administrators – time to ‘fess up. We’re among friends here, just a bunch of IT pros, far from the listening ears of all those pesky users who accuse us of being power-mad control freaks. But let’s be honest: we do like being in control; otherwise why would we ever want to take on the responsibilities of this job? And yes, sometimes some admins get a little carried away with all that power. Not us, of course, but some of those fellow administrators we’ve had to work with over the years.

We’ve also known admins who had perhaps grown a tad complacent and who, sort of like the long-time police officer who is used to handling weapons every day and gets careless with his gun, no longer fully appreciate just how dangerous those administrative privileges can be – especially if they fall into the wrong hands.

Finally, there are some who work themselves into the position of IT administrator because they have ulterior motives. That could include corporate espionage, embezzlement of company funds, revenge for real or imagined wrongs, or any of a myriad of other reasons. With admin access, they have the ability to wreak havoc on a system or an entire network. Again, I’m not talking about us or any of our friends, but we all know it does happen.

Admins don’t have to be malicious to cause problems, though. We all make mistakes, and when those with administrative privileges mess up, it can have serious ramifications. They may inadvertently make changes to critical settings, causing servers to behave in unexpected ways or important data to be exposed or lost.

Powerful tools like admin rights need to be carefully controlled, but it hasn’t always been easy to keep a handle on those accounts, especially if you have a number of different people in the organization who need to exercise administrative privileges either on a daily basis or from time to time. With the latest version of Windows Server, 2016, Microsoft is helping to make that easier.

The Principle of Least Privilege has long been a guiding standard for assigning user rights, but we haven’t always been diligent in applying that principle to administrators. With Windows Server 2016’s new Privileged Access Management (PAM) technology – not to be confused with IPAM, which is IP Address Management – you have more control over all those stray admins who may be wandering around your network because, at some point in time, they needed some type of administrative privileges to get their jobs done.

PAM incorporates two concepts:

  • Just in Time (JIT) administration
  • Just Enough Administration (JEA)

Note: Don’t ask me why the first one isn’t JITA. We’re talking about Microsoft naming here – surely you know by now it doesn’t have to make sense.

Just in Time administration is about limiting the time that a person can operate as an administrator. Instead of a bunch of full-time admins, we can have accounts that will have those privileges only when and for the amount of time they’re actually needed. The user requests the desired privileges when needed, and they’re granted for a specific period of time.

Just Enough Administration is about limiting the scope of the administrative privileges that a person is granted. The concept of JEA was introduced way back in Windows Server 2008 R2, but is more powerful when combined with JIT. JEA allows you to assign limited, specific admin privileges that a user needs to perform a particular function, and no more. JEA enables a more secure iteration of role-based access control (RBAC) for a more secure network environment.

JEA is part of the Windows Management Framework 5.0 and is available on Windows Server 2016 and Windows 10 (1511 and above), as well as Windows Server 2008 R2, 2012 and 2012 R2 and Windows 7, 8 and 8.1, with WMF 5.0 installed.  You can define and control the tasks that users are allowed to perform and their access to the server, and manage these from a central configuration server, using Windows PowerShell Desired State Configuration.
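As an added illustration (not part of the original newsletter and not Microsoft's own sample), here is how the two ideas look in PowerShell: a JEA endpoint that exposes only a few commands, and a time-bound group membership that expires on its own. The CONTOSO domain, the `DnsOperators` group, the `jsmith` user and the `ContosoJEA` module are hypothetical names; the request and approval workflow in front of the JIT step is not shown.

```powershell
# Run elevated with PowerShell 5.0+ on the managed server; the JIT part also needs
# the ActiveDirectory module. All CONTOSO / DnsOperators / jsmith / ContosoJEA
# names are hypothetical.

# --- JEA: limit the scope of what the role can do ---
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\ContosoJEA.psd1"

# Role capability: only these commands are visible inside the session, and
# Restart-Service is pinned to the DNS service.
$role = @{
    Path                    = "$module\RoleCapabilities\DnsOperator.psrc"
    VisibleCmdlets          = 'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    VisibleExternalCommands = 'C:\Windows\System32\ipconfig.exe'
}
New-PSRoleCapabilityFile @role

# Session configuration: map the AD group to the role, run commands under a
# temporary virtual account, and keep a transcript of every session.
$session = @{
    Path                = "$env:ProgramData\ContosoJEA\DnsOperator.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = "$env:ProgramData\ContosoJEA\Transcripts"
    RoleDefinitions     = @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }
}
New-Item -ItemType Directory -Path $session.TranscriptDirectory -Force | Out-Null
New-PSSessionConfigurationFile @session
Register-PSSessionConfiguration -Name 'DnsOperator' -Path $session.Path -Force

# Operators then connect with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName DnsOperator

# --- JIT: limit how long the role is held ---
# Needs the AD 'Privileged Access Management Feature' (Windows Server 2016 forest
# functional level). Enabling the feature cannot be undone.
Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Membership is removed automatically after 60 minutes.
Add-ADGroupMember -Identity 'DnsOperators' -Members 'jsmith' `
    -MemberTimeToLive (New-TimeSpan -Minutes 60)

# Review who currently holds the role and the remaining TTL on each membership.
Get-ADGroup 'DnsOperators' -Properties member -ShowMemberTimeToLive
```

The transcript directory and the group's membership history are the two places to review when auditing who used the endpoint and for how long.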

What it all boils down to is that we’re becoming more aware of the importance of addressing internal threats as well as those that come across the Internet from outsiders. Administrative accounts pose the biggest “insider” threat because they have the ability to do the most harm. Server 2016 is making it easier to get a handle on those admin accounts and reduce the potential for them to be used inappropriately. And, reluctant as we might be to give up any of our “super powers,” that’s a good thing.

‘Til next time,
Deb

dshinder@windowsnetworking.com

=======================

Quotes of the Month

Nearly all men can stand adversity, but if you want to test a man’s character, give him power. – Abraham Lincoln

Power tends to corrupt and absolute power corrupts absolutely. – Lord Acton

The less effort, the faster and more powerful you will be. – Bruce Lee


=======================

2. Windows Server 2012 Security from End to Edge and Beyond – Order Today!

Windows Server 2012 Security from End to Edge and Beyond

By Thomas Shinder, Debra Littlejohn Shinder and Yuri Diogenes

From architecture to deployment, this book takes you through the steps for securing a Windows Server 2012-based enterprise network in today’s highly mobile, BYOD, cloud-centric computing world. Includes test lab guides for trying out solutions in a non-production environment.

Order your copy of Windows Server 2012 Security from End to Edge and Beyond. You'll be glad you did.

   



 


3. WindowsNetworking.com Articles of Interest

This month on WindowsNetworking.com, we bring you a new installment for two popular article series, along with three brand new standalone articles.

Building a PowerShell GUI (Part 9)

If you’ve been along for the ride on this series, you know it’s been a long one, and now Brien Posey brings you Part 9 in his discussion of how to create a PowerShell graphical user interface, this time demonstrating techniques for removing interface objects from the screen and creating list boxes.

Hyper-V Windows Failover Cluster and IsAlive Operation (Part 2)

Nirmal Sharma began this series with an overview of the Hyper-V cluster issue and explained the DNS registration process invoked by the IsAlive call executed by the failover cluster. In this second installment, he explains the Windows failover cluster interaction with resources and how the whole failover cluster is implemented to monitor the resources in a Windows failover cluster.

Optimize VPN in Windows Server 2012 R2

Richard Hicks builds on a previous article that described in detail how to implement a client-based remote access VPN solution using Windows Server 2012 R2, and this time provides us with some valuable guidance for optimizing the protocol support and security for such VPNs.   

What’s new in Windows 10 Anniversary Update (v1607)

The latest Windows 10 update (Version 1607), aka the Anniversary Update, was released on August 2, 2016. It’s in the Current Branch (CB) release process now and will be in the Current Branch for Business (CBB) near the end of 2016. Like other major Windows 10 updates, this is more of a Windows upgrade, and there are numerous changes and new features included. In this article, Eric Geier discusses these with a focus on what they mean to IT and networking professionals.

DevOps in the Cloud

Developers and IT operations specialists have long worked in parallel to keep the business computers and networks of the world running. The two tend to have different skill sets and personality types, so it’s no surprise that management’s new “agile” philosophy, which pushes them into a sort of uneasy cross-training through the rise of a new role called DevOps, has caused some discomfort on both sides. The cloud has complicated matters even further. In this article, Deb Shinder looks at how the new DevOps trend aims to combine the skills of IT professionals and developers.

4. Administrator KB Tip of the Month

Avoiding Data Loss with Virtual Disks

The following tip is excerpted from Mitch Tulloch’s book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press:

Do not compact, convert, expand, shrink, or merge a virtual hard disk when any of the following conditions apply:

  • The disk is associated with a virtual machine that has snapshots.
  • The disk is associated with a virtual machine that has replication enabled.
  • The disk is associated with a chain of differencing disks.

If you perform any of these actions under such conditions, data loss or corruption might occur.

The above tip was previously published in an issue of WServerNews, a weekly newsletter from TechGenix that focuses on the administration, management and security of the Windows Server platform in particular and cloud solutions in general. Subscribe to WServerNews today by going to http://www.wservernews.com/subscribe.htm



5. Windows Networking Links of the Month

So your company’s been hacked: How to handle the aftermath
Sure, your goal is to prevent it from happening in the first place, but despite all our best efforts, sometimes the bad guys get past the defenses. What then?

Understanding the differences: VR, AR and MR
We keep hearing that virtual reality is the Next Big Thing in business as well as consumer computing, but do you understand the different flavors? This article explains how VR and its cousins, AR (augmented reality) and MR (mixed reality) work and some of the practical implementation considerations of each.

Serverless architecture pros and cons
An IT admin without a server is like a day without sunshine – or maybe it’s the ultimate freedom. For better or worse, this latest trend (which doesn’t actually do away with servers, of course, but takes the task of managing them off your shoulders) is gaining ground, and comes with both advantages and disadvantages. 

How to get your network and security teams working together
The most difficult part of being a leader is bringing together people with different viewpoints, communication styles, objectives and priorities, and facilitating them in working together for the benefit of all. Since network performance/convenience and network security are at opposite ends of a continuum (the more you have of one, the less you have of the other), getting those two teams to work together can be particularly challenging – but meeting challenges is what good management is all about.

How to become a network architect?
Despite fears that the cloud would do away with the job of the IT professional, we’ve seen that the position is evolving instead of disappearing. Looking to enhance your skill set and up your game? Consider the lucrative field of network design and architecture. This article is a good starting point for an overview of what the job involves, education and experience requirements, certifications and more.

6. Ask Sgt. Deb

Security information regarding Microsoft services

QUESTION:

Hi, Deb – I’ve finally talked my company into considering a move “to the cloud” and we’re looking at Microsoft’s Azure and Office 365 and the powers that be are pretty close to being won over by some of the features and of course the cost factor of not having to run all of our own servers. BUT we have a couple of people in management who are concerned about, what else, security and privacy and that sort of thing. It’s my job to soothe their fears and show them that Microsoft is diligent about protecting our “stuff” if we put it in the cloud.

I’ve done some research on TechNet and there are a lot of white papers and web pages out there with information about different security features and I know you wrote a little about Azure Security Center here, but what I really need is a good “one stop” resource (or maybe two stops – but not different papers scattered all over the place and some of them pretty old and maybe outdated). Any help there? Thanks! – Alexander J.

ANSWER:

Hi, Alex. As a matter of fact, I can help you out on that front. Full disclosure here: I have been working on a contract project for Microsoft and it involves writing content for the Microsoft Trust Center, so I’m pretty familiar with the site and I think it’s just the starting point you’re looking for. We have pages there for many of the main Microsoft services and products with overviews of how they’re secured, and a curated list of additional helpful articles that the product groups and subject matter experts for each service have reviewed and recommended so you know that the information there is up to date. There are sections pertaining to security, privacy, compliance and transparency, and it’s written in a way designed to be understandable by C-level managers and other decision-makers who might not have an in-depth mastery of the technical jargon. The site is currently in the process of a full rewrite as I write this, but the new content will be up soon so check it out and check back often: Microsoft Trust Center.