Microsoft Azure AZ-800 — Section 9: Manage Windows Servers in a hybrid environment Part 2
69. Configure a target machine for Windows Admin Center
Now that we have Windows Admin Center installed on NYC-SVR1, we can get to it by opening a browser and going to the gateway URL, which in my lab is nyc-svr1.examlabpractice.com. We log on, and our server is listed here.
So the one target server we have in place is the gateway itself, NYC-SVR1. I can click on it and manage its different pieces right in the browser using WAC (Windows Admin Center); all of these items here are things I can choose to manage. If I want to add a target server, in other words manage another server or another Windows computer, I go back to the Windows Admin Center button and click Add. I can specify a server, a Windows PC, a server cluster, or even an Azure virtual machine; as long as you have connectivity to them, you can add Azure VMs as well. I am going to add my NYC-DC1 server, so I click Add and type in NYC-DC1.
It searches for the machine and tells me I need to supply credentials, so I put in examlabpractice\administrator and my password and choose Add with credentials.
It double-checks authentication with those credentials, and as you can see it is validating.
It worked, so I click Add Server. I have now officially added my target server, and I can click on NYC-DC1 and connect to it. I have access to all of these resources within the Server Manager part of Windows Admin Center.
Very cool. If I have a hybrid environment, I can look at the hybrid pieces: there is Azure Backup and Azure File Sync, which get into backup and file synchronization. I am not getting into any of that right now, because that is not what this lesson is about, but I have all of these items I can look at, including certificates and devices.
It gives me a lot of information about this machine. I can look at local users and groups; of course this is a domain controller, so you get this message when you try to do that.
You have roles and features, just like you would in Server Manager, and I can add as many servers and machines here as I want. If you look closely, all of these items tell you what is installed and what is not. I can expand this out, and if I wanted to install, say, Certificate Services on the machine, I could go right here and click Install.
If I want to install any of these other services, I can. I already have some of them installed; as you can see, DNS and all of that is already there.
You also have the scheduled tasks on this machine, and you can look at those.
So this is a great way to connect into a machine and see what is out there, and it is all web based. The beautiful thing is that if you set up connectivity with Azure, using a VPN gateway or ExpressRoute, your company can be connected directly to the Azure datacenters, and you can interact with your volumes and add your virtual machines too. Ultimately, this is a very easy tool to use and implement, and it can make your life as an administrator a whole lot easier, because you can very easily get in and manage these different machines.
70. Configure PowerShell Remoting with Windows Admin Center
One of the really great features of Windows Admin Center is how easy it is to connect in and use PowerShell against the various machines you are managing with it.
You might be shocked at how easy this is, so let me demonstrate. I am on NYC-SVR1, which is my Windows Admin Center gateway. I have already added NYC-DC1 as a target server, so I click on NYC-DC1. If I scroll down a little, you will notice an option called PowerShell. I click on it and it immediately connects into PowerShell. Of course I have to authenticate, so it asks for my password.
Look how easy that was. I got right in and can start using PowerShell just as I would if I were physically sitting at the machine.
Now, I want to point out (and you may have heard this already) that you do have to have the WinRM service running on the target machine.
That server must have WinRM running for this to work. WinRM uses port 5985 for the HTTP listener and port 5986 for the HTTPS listener. If you are not sure it is running, go to that server and run winrm quickconfig, which configures what you need; you must do that before you try to connect from Windows Admin Center. WinRM is already set up here, so I am in the machine and can use it as though I were sitting there: I can type Get-Process and see the processes running on the machine, or Get-Service and see the services.
I have all the bells and whistles I would have if I were physically at the machine using PowerShell, so it is very easy to use, very friendly, and definitely something you should try out.
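As an added example (not code from the course), here is the readiness check I would run from the gateway before pointing Windows Admin Center's PowerShell tool at a target. It assumes the lesson's host name NYC-DC1 and that the account running it has administrative rights on that machine.

```powershell
# Added example, not from the course: confirm a target is ready for WAC's PowerShell tool.
# Assumes the lesson's lab name NYC-DC1 and a caller with admin rights on that machine.
$Target = 'NYC-DC1'

# Test-WSMan sends an anonymous WS-Management Identify request to the HTTP listener on
# 5985 (-UseSSL would hit the HTTPS listener on 5986). It needs no credentials, so a
# failure here is a listener or firewall problem, not an authentication problem.
try {
    $id = Test-WSMan -ComputerName $Target -ErrorAction Stop
    'WinRM answered on {0}: product version {1}' -f $Target, $id.ProductVersion
}
catch {
    Write-Warning "No WinRM listener reachable on $Target ($($_.Exception.Message))."
    Write-Warning "On $Target run: Enable-PSRemoting -Force   (or: winrm quickconfig)"
    return
}

# A real remoting session shows what WAC will get: the service state, which listeners
# exist, whether the WinRM firewall rules are enabled, and that Kerberos (not NTLM)
# authenticated us. On the plain HTTP listener Kerberos is what encrypts the payload.
Invoke-Command -ComputerName $Target -ScriptBlock {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Service       = (Get-Service -Name WinRM).Status
        Listeners     = (Get-ChildItem WSMan:\localhost\Listener |
                            ForEach-Object { $_.Keys -join ' ' }) -join '; '
        FirewallRules = (Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
                            Where-Object Enabled -eq 'True').Count
        User          = $me.Name
        AuthType      = $me.AuthenticationType   # 'Kerberos' for a domain target by name
    }
}
```

Two caveats worth knowing: winrm quickconfig and Enable-PSRemoting only create the HTTP listener on 5985, and Kerberos only works when you address a domain member by name. A workgroup target, or one you reach by IP address, falls back to NTLM and needs either an HTTPS listener on 5986 or a TrustedHosts entry on the gateway.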
71. Understanding CredSSP or Kerberos delegation for second hop remoting
I would now like to go over the concept known as second-hop remoting with PowerShell.
So what exactly is that? To understand it, you have to understand something known as the second-hop problem. The second-hop problem involves sitting at one machine, remoting into a second machine, and then from that machine needing to reach a third. For example, say you have three servers: Server A, Server B and Server C. You are logged on to Server A, you use PowerShell remoting to get into Server B, and then Server B needs to talk to Server C on your behalf to reach a resource. Or maybe you are trying to remote from Server B directly into Server C and you have to authenticate. When you authenticate from A to B there is no problem, but by default B does not hold a copy of your credentials that it could forward.
So if you try to go from B to Server C, it is not going to work, because B cannot pass your credentials across to C.
In other words, you can go from A to B with no problem. You could even go from A directly to C with no problem, as long as there is connectivity. But if there is no connectivity from A directly to C and you need to go through B, it is not going to work.
OK.
Microsoft has a couple of solutions for this. Probably the easiest is CredSSP. CredSSP stands for Credential Security Support Provider, and what it does is let the middleman server, if you will, receive and cache your credentials.
In other words, Server B can hold the credentials you authenticated with from Server A to Server B, and once they are cached, Server B can pass those credentials on to Server C.
Of course, there is a catch, and the biggest catch is what happens if Server B is ever compromised, because those credentials are cached on that machine.
If an attacker gets access to Server B and can get at those cached credentials, they have your credentials. As scary as that sounds, that is not a major issue unless that server is really exposed somehow, unless you have a lot of traffic going in and out of your environment. Ultimately, if that server is well monitored, this is not something I would really stress over a whole lot. But in high-security environments this definitely could be seen as a security risk. When you look at the pros and cons, the big pro is that it is supported on Windows Server 2008 or later. The big con, of course, is the security vulnerability.
The other thing is that in order to support this, you have to enable it on both sides: the client side, meaning the machine you are sitting at, and the server as well.
So CredSSP is one way you can do it. To enable it, you run the following commands. On the client you run Enable-WSManCredSSP; you can see an example of that right there.
On the client it is Enable-WSManCredSSP -Role Client -DelegateComputer *.<your domain>, which says which computers you are willing to delegate your credentials to. Then on Server B, to permit it to accept the delegated credentials, you run Enable-WSManCredSSP -Role Server -Force. There is a step-by-step guide at the link shown; if you type that link in, you can go through it in more detail. The main thing test-wise is that you need to know what CredSSP is; they are not going to beat you to death on memorizing all these commands. Now, the other alternative is Kerberos delegation, specifically resource-based Kerberos constrained delegation. This is a feature that was introduced with Windows Server 2012, so you must be running at least Windows Server 2012 to use it. I will warn you that this one is a little more intensive as far as the steps go, a bit more of a pain to enable, but it does not rely on cached credentials, so you are not vulnerable to that. What you are basically doing is telling Kerberos on your domain controllers to allow delegated access. Delegated access allows an authentication request to pass through from one server to another.
In other words, you authenticate to Server B, and from there Server B can authenticate you to Server C.
It allows the second-hop scenario to work from Server A to Server B to Server C. Pros and cons: credentials are not stored. That is the big pro, the big thing you want to remember.
For example, if I gave you a test question with the option of choosing CredSSP or Kerberos delegation, and one of the criteria was that you do not want cached credentials stored, then Kerberos delegation is definitely the better solution.
So that is a pro: credentials are not stored. You configure it using PowerShell commands; there is no special coding required, no scripting, no special program to write. It does not require domain administrator rights.
Enabling CredSSP, by contrast, needs administrative rights on both the client and Server B, whereas this one does not need domain admin rights to configure. It also works across domains and forests, which is good.
There used to be an older version of this, classic Kerberos constrained delegation from Windows Server 2003, which could not work across multiple domains or forests; with the resource-based version we have in Server 2012 and later, we can work across multiple domains and forests. The biggest con is that it requires Server 2012 or later, which is not really a big deal considering how many years have gone by since that came out.
Now here is the other thing: it does not support the second hop for WinRM. It will support authentication directly with Kerberos, but it is not going to pass a WinRM connection through.
What that means is that you are not going to be able to remote into B and then from B establish a WinRM connection to C. B can interact with C and access resources on C, but it is not going to use WinRM to do that. The other thing is that it requires rights to update objects and service principal names. What does that mean? It simply means you have to delegate rights to whoever configures it, and if somebody got access to the server's account and the server's password, that attacker would be able to access service principal names and do some corruption in Active Directory.
Now, the thing you have to understand is that, as scary as it sounds, it is not really a big deal. It is very difficult to break a server's password to get access to a server's service principal name.
So I really would not stress over that a whole lot. As scary as it sounds, it is a very minor con to worry about.
Now, there are articles on the internet you can look up; if you do a quick search on Kerberos delegation you will find them. You are not going to be expected to memorize all the commands. Test-wise, you need to know the idea of the pros and the cons, but here is an example of the commands you would run; it is not something they are going to beat you to death with.
So I would not stress over thinking you have to memorize all these PowerShell commands, but here is the example from the training resource for resource-based Kerberos constrained delegation: Set-ADComputer -Identity ServerC -PrincipalsAllowedToDelegateToAccount ServerB. The -PrincipalsAllowedToDelegateToAccount switch is the most important one, because that is what actually flags your server as a delegation target.
So you are setting the computer account for Server C, and the computer you are allowing to delegate is Server B.
That way Server B can communicate with Server C. Then they create a couple of variables: $x = Get-ADComputer -Identity ServerC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity. On line six you will see $x.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access, which shows the access entries. The last thing there is checking the value of the attribute; you are basically verifying that the delegation is in place at that point.
OK.
Now again, test-wise there is not too much here to stress over; just know what it is. In the real world, if you want to enable this, I am not getting into all the details here, but there are step-by-step guides; a quick Google search on Kerberos delegation will show you step by step how to activate it. Ultimately those are your two methods for connecting from Server A to Server B to Server C: you can use CredSSP or Kerberos delegation.
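As an added example, and not the course's own code, here is the resource-based constrained delegation setup carried through end to end: reproduce the second-hop failure, flag Server C, verify the attribute, and retest. It assumes the lesson's names ServerB and ServerC, the share \\ServerC\c$ as the resource being reached, the ActiveDirectory module on the machine you run it from, and an account with write access to ServerC's computer object (domain admin is not needed).

```powershell
# Added example, not the course's own code: configure resource-based Kerberos constrained
# delegation so ServerB may act on your behalf against ServerC, then prove the second hop.
# Assumptions: computer names ServerB/ServerC from the lesson, \\ServerC\c$ as the
# resource, the ActiveDirectory module, and write access to ServerC's computer object.
Import-Module ActiveDirectory

$ServerB = Get-ADComputer -Identity 'ServerB'
$ServerC = Get-ADComputer -Identity 'ServerC'
$Cred    = Get-Credential -Message 'Account used for the first hop (A -> B)'

# Helper: perform the second hop from ServerB and report the outcome instead of throwing.
function Test-SecondHop {
    Invoke-Command -ComputerName $ServerB.Name -Credential $Cred -ScriptBlock {
        try   { Get-ChildItem '\\ServerC\c$' -ErrorAction Stop | Out-Null; 'second hop OK' }
        catch { "second hop failed: $($_.Exception.Message)" }
    }
}

Test-SecondHop   # before: ServerB holds only a ticket to itself, so expect a failure

# 1. Flag ServerC so that ServerB (and only ServerB) may obtain tickets to it on behalf
#    of users. This writes msDS-AllowedToActOnBehalfOfOtherIdentity on ServerC's object;
#    nothing about the user's credential is stored on ServerB.
Set-ADComputer -Identity $ServerC -PrincipalsAllowedToDelegateToAccount $ServerB

# 2. Verify the attribute. The ACE list should name ServerB and nothing else.
$c = Get-ADComputer -Identity $ServerC -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'
$c.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# 3. Purge the SYSTEM logon's ticket cache on ServerB (LUID 0x3e7) so it asks the KDC
#    again and picks up the new delegation, then retest.
Invoke-Command -ComputerName $ServerB.Name -Credential $Cred -ScriptBlock { klist purge -li 0x3e7 }
Test-SecondHop   # after: expect 'second hop OK'

# 4. The con the lesson mentions, as a check: whoever can write that attribute can grant
#    themselves the same delegation, so list the principals with write rights on ServerC.
(Get-Acl -Path "AD:\$($ServerC.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights -Unique

# To undo: Set-ADComputer -Identity $ServerC -PrincipalsAllowedToDelegateToAccount $null
```

The first hop must be Kerberos (connect to ServerB by name, not IP), and the account you delegate cannot be a member of Protected Users or marked "Account is sensitive and cannot be delegated"; either condition makes step 3 fail again even though the attribute is set.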
72. Configure JEA for PowerShell
I would now like to talk about a pretty neat feature we have with PowerShell called JEA, which stands for Just Enough Administration. JEA allows us to control exactly which commands are available to admins. For example, if somebody helps administer a Microsoft domain and needs access to some admin commands, you can restrict exactly which commands they get; or maybe they are an Exchange admin or a SQL admin, and you want to restrict exactly what commands are available to them. You can use JEA to help with this.
The first thing to know is that to support JEA you need at least PowerShell version 5.
If I come down here, I have just opened the ISE (you can open it by going to PowerShell and typing ise). If I type $PSVersionTable and hit Enter, you can see that I have version 5.1, so I am good; I have the ability to use JEA here.
Next I want to run a command: in parentheses, (Get-Command).Count.
If I hit Enter you can see I have 2,167 commands available. Obviously if I type Get-Command on its own, I see all the commands currently loaded, and maybe I want to restrict people from getting access to every one of these.
Now, there are a few commands that everybody gets by default, but you can restrict the admin-related commands. For example, maybe I want to give you the ability to restart the domain controller and nothing else, and maybe I also want to allow you to run an external command such as whoami. I want to show you how we can do that. The first thing we need to do to configure this is create a file called a role capability file, and to do that we need to create a couple of folders inside our Windows environment.
So I open File Explorer, go to the C drive, then Program Files, then WindowsPowerShell, then Modules, and create a folder in there.
This is just a little test we are going to do, so I am going to call it DCTest. Then I go into DCTest and create another folder, and this one is going to be called RoleCapabilities. You do need to make sure you spell that correctly: RoleCapabilities. Then hit Enter, and that is it.
Now I can go back to PowerShell, and the command I am going to run is New-PSRoleCapabilityFile -Path, with the path C:\Program Files\WindowsPowerShell\Modules\DCTest\RoleCapabilities\ followed by the file name. I am just going to call it DCRole, and the extension is .psrc, so the full command is New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\DCTest\RoleCapabilities\DCRole.psrc'. Hit Enter, and if everything went well it should not throw an error.
We have now officially created our role capability file, so we open it: File, Open, then the C drive, Program Files, WindowsPowerShell, Modules, DCTest, RoleCapabilities. There is the file, and here is what it looks like.
As you can see, Microsoft basically creates a little template for us to use. You can see the user that created the file, which for me is the administrator, and all that. You can alter some of the additional settings here if you want, but what I want to hone in on right now is the part that says "Cmdlets to make visible when applied to a session". We are going to add a line here.
That is the VisibleCmdlets setting: VisibleCmdlets = and then you specify the cmdlet you want to make available.
In my case I am going to do Restart-Computer, so the line is VisibleCmdlets = 'Restart-Computer'. That is the cmdlet I make visible for now; obviously you could add a bunch of other commands if you wanted. Next, I scroll down, because I want to show you how to add an external command as well.
You will see that I have external commands, scripts and applications, and I am going to allow the whoami command. The reason I want to add this is that I want to show you that when somebody connects to this endpoint, they actually get a virtual account: the virtual account logs them in and gives them access to these commands, and when they disconnect from the session that account is destroyed. This is a security precaution Microsoft has in place, and I want to be able to show you that.
So we are going to allow the whoami command, which is an external command.
I am just going to copy the example line and paste it right there.
So VisibleExternalCommands, and the command I want to use is C:\Windows\System32\whoami.exe, giving VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'. That is going to allow that external command for me.
At that point I save the file. The next step is to create a session configuration file.
So I type New-PSSessionConfigurationFile -Path, and we are just going to put this on the C drive.
To make it easy to get to, I will say C:\DCTest, and the extension is .pssc.
So that is the file name extension.
The command is New-PSSessionConfigurationFile -Path C:\DCTest.pssc. Hit Enter on that, and we have now officially created our session configuration file and are ready to open it.
So File, Open, go to the C drive, and there it is, DCTest.
Double-click on it, and we have our session configuration file open.
It is a similar concept to what you just saw with the role capability file, so I can go down through here.
The first thing I want to illustrate is the line that says "Session type defaults to apply for this session configuration". You will notice it gives you the option to use RestrictedRemoteServer, and that is what we want: we are letting admins remote into the server, and we are going to restrict what they can do when they do.
So I do not want to go with Default; I am going to change it to RestrictedRemoteServer.
I copy that value and paste it in, so the line reads SessionType = 'RestrictedRemoteServer'.
The other thing I recommend is the option further down for the directory to place session transcripts. A transcript records every command the user types, and it is a great idea to turn that feature on.
In this case I just remove the hash sign so it is no longer commented out, and it reads TranscriptDirectory = 'C:\Transcripts'.
Now we have a nice log of everything that is typed.
That is done. Finally, I scroll down to another line: whether to run this session configuration as the machine's virtual administrator account. I am going to turn that on as well: RunAsVirtualAccount = $true. That makes it so that when somebody authenticates, it creates them a virtual account instead of using their real account. This is just a security precaution; when the session is no longer valid, it gets rid of the account completely. Lastly, look down here at "User roles (security groups), and role capabilities".
From here we remove the hash sign. They have an example there, 'CONTOSO\SqlAdmins'; in my case it is going to be examlabpractice\administrator, my username. This is what configures the role definitions: exactly what they get access to. For RoleCapabilities I am just going to specify DCRole, so the line is RoleDefinitions = @{ 'examlabpractice\administrator' = @{ RoleCapabilities = 'DCRole' } }.
So that is my role capability, and I make sure I close it out with the curly braces.
From there I save it.
Go to the Save option, and we are now ready to register the file.
I type Register-PSSessionConfiguration -Name DCAdmin -Path C:\DCTest.pssc and hit Enter.
You will get a couple of warning messages telling you that to register this you need to restart the WinRM service as well, because it is registering with WinRM. So we run Restart-Service WinRM, which restarts the WinRM service.
OK.
Remember, people are going to remote into your machine. That is why you have to do this: it is registering with the WinRM service because you are allowing admins to remote into your machine.
Finally, we are ready to try this out. For somebody to connect, they would type Enter-PSSession, then the name of your computer (in my case NYC-DC1, where I set this up), then the configuration name, which is DCAdmin.
So the command is Enter-PSSession -ComputerName NYC-DC1 -ConfigurationName DCAdmin. Hit Enter.
We are now connected. What I want to show you immediately is that if you look to the right you can see which commands are available. If I hit the up arrow a few times to go back through my history and rerun the (Get-Command).Count command from earlier, you will notice that command is not even available to me, so I cannot even get a count. But I can type Get-Command, and those are the commands available: the default functions everybody gets, and the only cmdlet available to me is Restart-Computer, which I can run.
I also want to show you that whoami is available, and notice that I am logged on as a virtual user, not a full-blown administrator account. The Restart-Computer command is the only cmdlet I have, and that is how we can use JEA.
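As an added example (not the course's own code), here is the same endpoint built with cmdlet parameters instead of hand-editing the .psrc and .pssc templates, then exercised over remoting. It keeps the lesson's DCTest module folder, DCRole capability and DCAdmin endpoint name, and assumes a group EXAMLABPRACTICE\DCOperators, used here instead of the Administrator account the lesson grants, because a JEA endpoint for a full administrator restricts nothing they cannot bypass through the default endpoint. The transcript path C:\Transcripts is also an assumption.

```powershell
# Added example, not from the course: build the lesson's JEA endpoint from cmdlets and test it.
# Assumptions: DCTest/DCRole/DCAdmin names from the lesson, an existing group
# EXAMLABPRACTICE\DCOperators, transcript path C:\Transcripts. Run elevated on the target.
$ModulePath  = 'C:\Program Files\WindowsPowerShell\Modules\DCTest'
$RcPath      = Join-Path $ModulePath 'RoleCapabilities'
$Transcripts = 'C:\Transcripts'
New-Item -ItemType Directory -Path $RcPath, $Transcripts -Force | Out-Null

# Role capability: the allow-list. Naming Restart-Computer's parameters limits the role to a
# plain local reboot; with no Parameters entry every parameter, -ComputerName included, would
# be allowed. Get-Service is read-only and useful for checking the box came back.
New-PSRoleCapabilityFile -Path (Join-Path $RcPath 'DCRole.psrc') `
    -Description 'Reboot this DC and check services; nothing else' `
    -VisibleCmdlets @{ Name = 'Restart-Computer'; Parameters = @{ Name = 'Force' } }, 'Get-Service' `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# Session configuration: RestrictedRemoteServer gives NoLanguage mode plus a few proxy
# functions (Get-Command, Select-Object, ...); the role capability supplies everything else.
$Pssc = 'C:\DCTest.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $Transcripts `
    -RoleDefinitions @{ 'EXAMLABPRACTICE\DCOperators' = @{ RoleCapabilities = 'DCRole' } }

# Catch typos before WinRM does: a malformed .pssc registers fine and then rejects every
# connection at session start.
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) {
    throw "Invalid session configuration file: $Pssc"
}

# -Force answers the prompts and restarts WinRM, the step the lesson does by hand.
Register-PSSessionConfiguration -Name DCAdmin -Path $Pssc -Force | Out-Null

# Test as a member of DCOperators. Only bare commands are allowed in the script blocks,
# since the endpoint runs in NoLanguage mode. Get-Command lists exactly what the role
# exposes; whoami reports the transient 'WinRM VA_...' virtual account, not the caller.
Invoke-Command -ComputerName 'NYC-DC1' -ConfigurationName DCAdmin -ScriptBlock { Get-Command }
Invoke-Command -ComputerName 'NYC-DC1' -ConfigurationName DCAdmin -ScriptBlock { whoami.exe }
```

One design point: the virtual account is an administrator on the target by default, so the role capability, not the account, is the security boundary. Keep the visible command set minimal, use Parameters entries as above, and consider -RunAsVirtualAccountGroups on New-PSSessionConfigurationFile where the allowed commands do not need full administrator rights.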