Microsoft is continuously improving and fixing issues on the Azure Connected Machine agent for Azure Arc Enabled Servers.
Before you make your Servers in your datacenter Hybrid with Azure Arc Connected Machine Agent, you can have a look at Security first when you want to be in Controle of the Azure Arc extensions. For example, who can install Azure Arc Extensions? and which Extensions should be installed and which not. Or in the latest Azure Connected Machine Agent Version 1.35 of October 2023 No Extensions allowed to install on this Server.
With Azure Arc Connected Machine Agent version 1.35 you can configure the extension manager to run, without allowing any extensions to be installed, by configuring the allowlist to “Allow/None”. This supports Windows Server 2012 ESU scenarios where the extension manager is required for billing purposes but doesn’t need to allow any extensions to be installed.
Users and applications granted contributor or administrator role access to the resource can make changes to the resource, including deploying or deleting extensions on the machine. Extensions can include arbitrary scripts that run in a privileged context, so consider any contributor on the Azure resource to be an indirect administrator of the server.
The Azure Connected Machine Onboarding role is available for at-scale onboarding and is only able to read or create new Azure Arc-enabled servers in Azure. It cannot be used to delete servers already registered or manage extensions. As a best practice, we recommend only assigning this role to the Microsoft Entra service principal used to onboard machines at scale.
Users as a member of the Azure Connected Machine Resource Administrator role can read, modify, re-onboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription.
Identity and Access Management (IAM) in Azure to Configure Roles.
Azure Arc Portal Agent version.
With AZCMAGENT CLI command, you can see more information from the Arc enabled Server and is handy for
the Administrator to know:
azcmagent check
azcmagent Config get config.mode
azcmagent show
azcmagent logs
in ProgramData you will find the Azure Arc Connected Machine Agent Logs
Guest config logs of Azure Arc extensions
The Azure Connected Machine agent command line tool, azcmagent, helps you configure, manage, and troubleshoot a server’s connection with Azure Arc. I just showed you some azcmagent commands I use for troubleshooting or to just get the right information.
Here you find the complete Azure Connected Machine Agent Command line reference
Hope this information is useful for you and keep your azcmagent up-to-date for fixes and new innovated features!
Yesterday Microsoft Windows NT Server version 3.1 had his 30 years anniversaryon July 27, 2023.
At that Time I was working for a Computer Broker as an IT technician, working with IBM mainframes like
System 36 and AS/400 with PC connections and going from OS/2 to Microsoft Windows NT.
The biggest change was Microsoft Windows NT 4 Server and Windows NT 4 Workstation making small networks and
Enterprise Datacenters here in the Netherlands. Doing early Beta programs with Windows Server 2000 and Windows 2003 Server instead of Windows NT 4 in production. In the Netherlands we made one of the first Microsoft Windows 2008 R2 Hyper-V Clusters in the Datacenter with Blade Server Technology to virtualize almost every physical Server.
Doing Upgrades to Windows Server 2012 R2 and making the first connection with Microsoft Azurewith a System Center Data Protection Manager (DPM) 2012 R2 and Azure Vault. At this time lot of companies are doing migrations from Windows
Server 2012 R2 to Windows Server 2019 or Windows Server 2022. Or they are innovating to the Microsoft Azure Cloud. Microsoft Azure Stack HCI Clusters is a New way to work Hybrid with Azure Cloud technology.
As a Microsoft MVP for Cloud and Datacenter Management and Windows Insider MVP, I work every day with Windows Servers
in Datacenters and now also in the Microsoft Azure Cloud. What I really like is the Microsoft Windows Server Insider Program
Here you can test the Newest Microsoft Windows Server Insider Preview Builds from the Windows Server product group and give your opinions / ideas and Feedback on the new features in Windows Server but also in Windows.
You can build your own Test Lab like I did in Microsoft Azure with Virtual Machines:
Windows Server 2022 Insider Preview Datacenter Azure Edition Build 25379
Here you see my Azure Virtual Machine with Windows Server 2022 Insider Preview Build Azure Edition.
More information about Microsoft Windows Server Azure Edition is here
Today it’s a Hybrid Cloud World to get the benefits of Microsoft Azure Cloud together with your on-premises DataCenters.
You can connect your Windows Servers with Microsoft Azure Arc agent for central Cloud Management features, Security with
Azure Defender for Cloud, Azure Monitor and Log Analytics. Here you find all the Microsoft Azure Arc Service docs.
I’m really curious about the future of Microsoft Windows Server in a world where you have Azure Open AI
Microsoft Technology is going fast, but I really liked the 30 years I worked with Microsoft Windows Server and the
Product Groups also with the Windows Insider Program Team 🙂
Going for the Next 30 years of Microsoft Windows, Server, Clusters, and Containers
I like to thank you Community for Supporting, Sharing and Reading New Microsoft technologies on my Blog, Twitter, Facebook and
LinkedIn Community Groups 💗 I wish you all happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true ! 🎄🥂
I’m very proud and Honored on the Microsoft Global MVP Awards 2022-2023 !
MVP Award for Cloud and Datacenter Management
MVP Award for Windows Insiders
MVP Award for Azure Hybrid
Thank you Microsoft Product Groups, MVP Award Program, Windows Insider Team, Azure Hybrid Team, Windows Server and Azure Stack HCI Team for all your support, NDA PGI sessions, and for the Awesome software, Features, solutions you are building 🙂
Wish you all Happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true ! 🎄🥂
Here are some Great links for Reading and Sharing :
JOIN these LinkedIn Community Groups for free and Share New Microsoft Technologies Together:
The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems. Here you can see the versions of MS-CIFS and download free white papers
Today SMBv1 is a not save protocol and will be used by hackers for man in the middle attacks to compromise your data and systems. SMBv1 is a weak protocol and should not be used in your environment. There are still a lot of Windows Servers 2012 R2 in the world running in datacenters with SMBv1 by Default enabled. To make your Windows Server more secure, you can disable SMBv1 protocol via a Group Policy Object (GPO).
In the following steps we will disable SMBv1 on Windows Servers via GPO.
Open Group Policy Management in your Domain.
Click on Group Policy Object with your right mouse button.
Click on New.
Give your policy a Name.
I made also an temporary Exception policy.
Right click on your new Policy Object.
Click on Edit.
Go to Computer Configuration => Preferences => Windows Settings
Click on Registry.
Click on New and then on Registry Item.
Here you have to add the following Registry Properties:
Set these settings.
Set Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Click on Apply for these Registry settings.
SMBv1 Disable setting is set in the Policy Object.
This is the path where we push the policy via GPO.
Here we Link the Existing GPO to the OU with the Windows Server 2012 R2
to disable SMBv1 Protocol.
Select your new Policy to disable SMBv1 Protocol.
We have now Linked the new GPO to Disable SMBv1
GPUpdate /force on your Server to disable SMBv1
To get the new GPO active on your Server.
When the Server gets a reboot, SMBv1 will be disabled by GPO again.
When you have maintenance window for updates for example, you can un-install the SMBv1 Feature in Server Manager. This procedure needs a restart of the Windows Server.
Go to Server Manager remove features.
Click on Remove Roles and Features.
Remove the mark at SMB 1.0/CIFS File Sharing Support Feature.
Click on Remove.
Click on Close and Reboot the Server
Now SMBv1 protocol on the Windows Server is disabled and will use a higher version of SMB like version 2.x or 3.x.
SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:
All packets are always encrypted and handshake is authenticated with TLS 1.3
Parallel streams of reliable and unreliable application data
Exchanges application data in the first round trip (0-RTT)
Improved congestion control and loss recovery
Survives a change in the clients IP address or port
SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.
Client Server Handshake and Data transfer differences.
When you still have Windows Servers running with SMBv1 by default enabled, for security you should disable SMBv1 protocol as soon as possible! Otherwise you make it easy for hackers to compromise your data with man in the middle attacks. In Windows Server 2019 and higher SMBv1 is disabled by default. Have a look at SMB over QUIC in your test environment and learn how secure it is and how it works for your security and data.
Packet monitoring allows you to diagnose your server by capturing and displaying network traffic through the networking stack in a log that is filtered, organized, and easy to follow and manipulate.
Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
In Windows Admin Center Security you can Configure Secured-Core :
Secured-Core in Windows Admin Center 21.10
You can activate 6 secured-Core feature :
Hypervisor Enforced Code Integrity (HVCI)
Boot DMA Protection
System Guard
Secure Boot
Virtualization-based Security (VBS)
Trusted Platform Module 2.0 (TPM2.0)
You now can simply activate the Security Feature.
Needs a Reboot
Hypervisor Enforced Code Integrity (HVCI) is enabled.
Security by Design is increasingly becoming the mainstream development approach to ensure security of software systems. Security architectural design decisions are based on well-known security tactics, and patterns defined as reusable techniques for achieving specific quality concerns. In the following steps we will make a security baseline for Windows Servers with different tools.
1.Microsoft Security Compliance Toolkit
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects. A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. A lot of hacks are based on registry settings, so that’s why Windows Server Security Baseline is important.
You can download the Microsoft Security Compliance Toolkit here
2. Windows Defender Firewall with Advanced Security
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. So set only the firewall ports you need end to end.
Windows Security Setting Firewall & Network Protection
Select Advanced settings
Windows Defender Firewall Advanced settings Set only active what you need!
3. Windows Defender Security Virus & Threat Protection
Schedule a Full Scan in the Night for Threats
and Set the Windows Security options.
Keep your Defender and Virus definition files up-to-date.
4. Windows Updates
When your Windows Server is ready for production, you have to keep it Up-to-Date with Windows Updates. It’s not only the Windows Security patches, but all the software that’s running on your Server. One software leak is enough for a hacker to compromise your Server.
Lot of Companies are using Microsoft WSUS Services or Microsoft Endpoint Configuration Manager to deploy the software Life cycle Management Security updates to Servers to keep them secure as possible. These are not only Microsoft Security Updates but also from third party Software vendors, like adobe, Google, etc.
5. Security Monitoring and Remediation
This Cycle is important for Security!
IT departments have multiple teams with different disciplines, so when the Windows Server is ready
for the Administrator it goes to the Application Admin in a different IT Team. They will install the Application software and maybe
some software connections with other Servers by a third IT Team. To get in control of those security steps is important, because when a IT Consultant of a third party vendor is installing old legacy software you will have hacker leaks again and that’s making your Server vulnerable. Here is where Azure Security Center and Azure Defender will support you in monitoring and remediation of security issues.
It doesn’t matter where your Windows Server is installed, in Azure Cloud or On-premises in your datacenter, it can connect securely via internet for monitoring the Server. When it’s on-premises you can install the Microsoft Arc agent
Microsoft Azure Arc Connected Machine Agent.
Azure Arc enabled Server from On-premises
When the Microsoft Azure Arc Agent is installed on the Server, you can use these Azure Services for example :
Azure Update Management
Azure Monitoring
Azure Security Center with Azure Defender
Azure Policies for Compliance
Change Tracking and Inventory
Insights
Automation of Tasks
These Microsoft Azure features are supporting you to keep your Server as safe as possible and your security Up-to-Date.
From here you can add the Windows Server to Microsoft Azure Security Center with the right log analytics workspace.
Microsoft Azure Security Center Recommendations
Remediate Security Configurations on the Arc enabled Server
Remediation of Vulnerabilities on your Windows Server (Arc Enabled)
Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on premises, and in other clouds. Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services, and servers and integrates with your existing security workflows, such as SIEM solutions and vast Microsoft threat intelligence, to streamline threat mitigation.
Workflow of Azure Defender for Vulnerability Scanning.
When Azure Security Center and Azure Defender are installed, you can do a Vulnerability Assessment on your Azure Arc enabled Server which is on-premises datacenter before your Windows Server is going in Production.
Vulnerabilities after Assessment on Windows Server with Arc enabled with remediation
This happens a lot when there is third party software installed on the Server.
To get a list of your high security vulnerabilities, you can use the Azure Resource Graph explorer.
Azure Resource Graph Explorer
Here you can download your high risks into a CSV or Pin to a Dashboard.
6. Compliance and Security Policies
Learn how Microsoft products and services help your organization meet regulatory compliance standards.
When you have to manage a lot of Windows Servers or Linux Servers, you want them compliant with the right security policies.
With Azure Security Policy you can configure your Compliance.
in the following steps you will see an Sample alert :
Sample Alerts with Mitre ATT&CK Tactics
Take Action on the Security Alert.
Related entities
Mitigate the Threat
Prevent future attacks
Trigger automated response
or
Suppress similar Alerts.
Security by Design Conclusion
Before you begin with deploying Windows Servers in your datacenter or in the Azure Cloud, it’s good to make a High Level design with your security set for the right compliance of your new Windows Server. You can use all the security On-Premises for Windows Server but with Azure Security Center, Azure Monitor, Azure Arc Services, Azure Defender you get all the security Insights and remediation options when a vulnerability is discovered. Windows Server and Azure Security Center is better together for Security Management.
Microsoft Security
If you want to keep your Windows Servers secure as possible, you need to keep doing these steps above. Continuous Monitoring and remediate vulnerabilities is a on-going process for SecOps and Administrators. Make it hackers difficult to add ransomware on your Servers. One more important IT Service, is your Backup / Disaster Recovery solution. This should be secure from hackers and from ransomware encryption. I always say think of this rule :
With Windows Admin Center you can remotely manage Windows Server running anywhere—physical, virtual, on-premises, in Azure, or in a hosted environment.
The tool, available with your Windows Server license at no additional charge, consolidates and reimagines Windows OS tools in a single, browser-based, graphical user interface.
At Microsoft Ignite 2021 Global Virtual Event they launched Windows Admin Center version 2103. Here you find the download.
Set Proxy Server in Windows Admin Center Settings.
Open in a Separate Window
This is a Separate Window on my Second Screen, this works Awesome!
Windows Admin Center Virtual Tool improvements 🙂
Conclusion
Microsoft is working hard to make Hybrid IT Management better for Administrators to manage Hybrid Cloud datacenters. Windows Admin Center is a must have for managing
Windows Server Core, AzureStack HCI, and Cluster Services. I can say: I love to work with Windows Admin Center 🙂