We’ve all heard of Microsoft LAPS. This stands for Local Administrator Password Solution and is already available from Windows Server 2008 R2. With Microsoft LAPS it is possible to periodically and fully automatically change the password of the local administrator account.
Microsoft recently launched Windows LAPS as the successor to Microsoft LAPS. A number of new features have been added, and it is now built into the Windows Server operating system (from the Server 2019 April update) as well as Windows 10 and 11.
In my previous post I explained what PIM for Groups is, what it takes to get started with PIM for Groups and how the configuration works. In this post, we are going to look at the different settings that are possible for activating PIM for Groups.
Sign in to the Azure portal and navigate to Azure Active Directory and select Groups. Find the right group, in this example the previously created group ‘PIM-for-Groups-example-group’. Select Privileged Access (Preview), then Settings.
Today, I’m going to show you how to install and configure Active Directory Domain Services on Windows Server 2022 Core edition on Azure.
I’ve used some ARM templates to deploy my two domain controllers in Azure, based on Windows Server 2022 Core edition. These servers are in a separate subnet within my Azure environment. In this example, I have two domain controllers, mss-dc-core001 and mss-dc-core002.
When you deploy a new virtual machine, for example Windows Server 2016/2019 or 2022, you’ll get the C: drive with the operating system, the D: drive for temporary storage (on most VM types) and a DVD drive.
The DVD drive is not needed in some situations, for example on domain controllers. These are servers whose security you want to harden as much as possible. So, for the domain controllers we deploy in our customer environments, we want to disable the DVD drive.
We run the following command when deploying new domain controllers in Azure.
By default, every VM you’ve created within Azure has RDP (Remote Desktop Protocol) enabled on port 3389, so the VM can be reached from anywhere in the world.
You can restrict RDP access to just the IP addresses you want and so limit who can reach the VM. For example, you can allow only your company’s IP address and perhaps your home address to reach a specific VM in Azure.
To restrict access, I’ve created an NSG (Network Security Group) with the following configuration:
1.) Create a new Inbound security rule with a priority of 4095 (any number below the default of 65000 is fine!!)
2.) Configure the following rule:
Priority: 4096
Name: Deny-RDP-Access
Source: Service Tag
Source service tag: Internet
Source port ranges: *
Destination: VirtualNetwork
Destination port ranges: 3389
Protocol: TCP
Action: Deny
3.) Configure a second rule:
Priority: 4095
Name: Allow-RDP-Access
Source: IP Addresses
Source IP addresses/CIDR ranges: YOUR IP ADDRESSES
Source port ranges: *
Destination: Any
Destination port ranges: 3389
Protocol: TCP
Action: Allow
Now you can test your new configuration. Because the Allow rule has the lower priority number, it is evaluated before the Deny rule, so RDP access is only allowed from your custom IP addresses!!
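The same Allow/Deny rule pair as an Az PowerShell script, so the change is repeatable and can be verified. This is an added example, not code from the original post; the resource group, NSG name and the allowed source addresses are placeholders you replace with your own.

```powershell
# Added example: creates the Allow/Deny RDP rule pair described above with the Az PowerShell module.
# Placeholders (not from the original post): resource group, NSG name and the allowed source IPs.
$resourceGroup  = 'rg-example'
$nsgName        = 'nsg-example'
$allowedSources = @('203.0.113.10/32', '198.51.100.0/24')   # constructed documentation-range addresses

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Rule 1 (priority 4095): allow RDP only from the listed addresses.
# The lower priority number is evaluated first, so this wins over the Deny rule below.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-RDP-Access' `
    -Priority 4095 `
    -Direction Inbound `
    -Access Allow `
    -Protocol Tcp `
    -SourceAddressPrefix $allowedSources `
    -SourcePortRange '*' `
    -DestinationAddressPrefix '*' `
    -DestinationPortRange '3389' | Out-Null

# Rule 2 (priority 4096): deny RDP from the Internet service tag to the virtual network.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-RDP-Access' `
    -Priority 4096 `
    -Direction Inbound `
    -Access Deny `
    -Protocol Tcp `
    -SourceAddressPrefix 'Internet' `
    -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' `
    -DestinationPortRange '3389' | Out-Null

# Commit both rules to the NSG in Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: list the inbound rules for port 3389 in evaluation order.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DestinationPortRange -contains '3389' } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationAddressPrefix
```

The final query should show Allow-RDP-Access (4095) above Deny-RDP-Access (4096); if the order is reversed, RDP from your own addresses will be blocked as well.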
Last Tuesday, it was a great day again! Experts Live 2018 NL. The biggest community event in the Netherlands. Great sessions, great speakers, a very high level of content, great demos and of course, as always, a great intro movie!! 🙂 Many thanks to the organization of Experts Live! See you next year!!