Lumagate NA: Our corporate blog
Lumagate is happy to offer Microsoft MVPs a free Production license for SIMON, the first AI-powered chatbot designed to help manage Microsoft cloud services. You can learn more about SIMON in the short 90-second video at https://lumagatena.com/simon.
And as the word “Production” indicates, you can use SIMON in your live environment where it will be most useful to you!
Eligible MVP Categories
Active MVPs in the following categories, which correspond to the cloud services SIMON interacts with (Azure, Azure AD, Office 365, and Intune), are eligible:
- Cloud and Datacenter Management
- Enterprise Mobility
- Microsoft Azure
- Office Apps & Services
If you are an MVP in another category and still want to give SIMON a try, email us at “simon AT lumagatena.com” for an exemption. We’re happy to give ANY MVP truly interested a license so they can leverage SIMON.
Claiming your free license
SIMON can validate your MVP status and allow you to claim your free license automatically. Just follow the steps below.
- Add SIMON to your Teams client, as explained in the SIMON QuickStart Guide.
- Type “Show subscription” to get the Subscription Detail screen, shown below.
- Then click the Payment Details button, followed by the I’m an MVP button, as shown below.
- Review the eligible MVP categories. If you are an MVP in an eligible category, click the I’m Eligible button.
- You will then be prompted to sign in with the ID for your MVP Profile so SIMON can validate your MVP status with the MVP API.
NOTE: For most MVPs, SIMON will verify your status immediately. However, if your MVP sign-in does not match the primary email address on your MVP profile, the MVP API will not allow SIMON to validate your ID. But no worries, SIMON will ask you to paste the URL to your public MVP profile, as shown below. (Replace my public profile URL with your own of course!)
- SIMON will verify your MVP status and add your free license.
Your MVP benefit will be confirmed in the Discount field, as shown below. Your initial trial will end in 30 days, and 11 months will automatically be added to your subscription.
You are eligible to renew your free SIMON license benefit every year, as long as your MVP status is active!
Have feedback? Need help?
Enjoy SIMON, and be sure to let us know of any new features you would like to see in the SIMON Feature Request Form, which sends your suggestions straight to our backlog for discussion!
If you need help, email us at “simon AT lumagatena.com” or simply type “Help” in SIMON to initiate SIMON’s help dialogue.
NOTE: While you’re here, check out SIMON, the AI-powered bot, built on the Microsoft Bot Framework, Designed for IT Operations. Learn more at http://lumagatena.com/simon.
Need to share data hosted in Azure Storage? With two very different options for granting access, you may ask which option is best. It pays to know your options, and the capabilities (or limitations) of each.
Shared Key is exactly what it sounds like: a key (in cryptographic terms, a string of bits used by an algorithm) you share with those to whom you would like to delegate access. This is equivalent to giving root access to a storage account. It grants all privileges to whoever has the key, from anywhere, at any time, until the key is revoked or rolled over.
HOW-TO: Authorize with Shared Key
Shared Access Signatures (SAS)
Shared Access Signatures allow you to scope duration, privileges, and even which IP addresses are allowed to connect. By distributing a shared access signature URI to a client, you can grant them access to a resource for a specified period of time, with a specified set of permissions. You can scope access with an account-level SAS (one or more services in the storage account) or a service-level SAS, which delegates access to resources in just one service (like Queues only, Files only, etc.). Additionally, a service SAS can reference a stored access policy that provides an additional level of control over a set of signatures, including the ability to modify or revoke access to the resource if necessary. SAS is the route that offers the tightest control over access scope and duration.
Which is best?
Given the option of these two GA mechanisms, you should probably always take the route of Shared Access Signatures.
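To make the difference between the two concrete, here is an added example (not code from the original post or from Azure) that issues a service SAS for one blob and then validates it the way the service side would. The account name, key, blob names and IP addresses are constructed placeholders, and the string-to-sign field order is an assumption to check against the Storage documentation; the point it demonstrates is that every scoping field (permissions, window, IP, resource) is covered by an HMAC derived from the shared key, so a holder cannot widen the grant, and rolling the key revokes every SAS at once.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample account and key (not real credentials).
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"constructed sample key, never a real one").decode()
SAS_VERSION = "2017-07-29"  # assumption: service SAS API version named in the token

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def _string_to_sign(p, container, blob):
    # Field order follows the documented service SAS layout for this version
    # (assumption). Every scoping field is under the HMAC, so a holder cannot
    # widen permissions, extend the expiry or drop the IP restriction.
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([
        p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
        "",                      # signed identifier (no stored access policy)
        p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct overrides
    ])

def make_blob_sas(container, blob, permissions, start, expiry, ip_range="", protocol="https"):
    """Issue a service SAS query string scoped to one blob, signed with the account key."""
    p = {"sp": permissions, "st": _ts(start), "se": _ts(expiry),
         "sip": ip_range, "spr": protocol, "sv": SAS_VERSION}
    p["sig"] = _sign(ACCOUNT_KEY, _string_to_sign(p, container, blob))
    return urlencode({k: v for k, v in p.items() if v})

def _ip_allowed(sip, client_ip):
    if not sip:
        return True
    lo, _, hi = sip.partition("-")   # "a.b.c.d" or "a.b.c.d-e.f.g.h"
    c = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(lo) <= c <= ipaddress.ip_address(hi or lo)

def check_blob_sas(sas, container, blob, now, client_ip, op, key_b64=ACCOUNT_KEY):
    """Validate a SAS the way the service does: returns (ok, reason)."""
    p = {k: v[0] for k, v in parse_qs(sas).items()}
    expected = _sign(key_b64, _string_to_sign(p, container, blob))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return False, "bad signature"     # tampered, other blob, or key rolled
    if not (p.get("st", "") <= _ts(now) < p.get("se", "")):  # UTC strings sort lexically
        return False, "outside validity window"
    if not _ip_allowed(p.get("sip", ""), client_ip):
        return False, "ip not allowed"
    if op not in p.get("sp", ""):
        return False, "permission not granted"
    return True, "ok"

if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sas = make_blob_sas("reports", "q1.csv", "r", start, start + timedelta(hours=1),
                        ip_range="203.0.113.10")
    print(check_blob_sas(sas, "reports", "q1.csv", start + timedelta(minutes=5), "203.0.113.10", "r"))
```

Compare this with Shared Key: the key itself is the credential, so there is no field to narrow and nothing to check except possession.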
Option 3: Azure AD Authentication (in Preview)
There is a new method currently in preview that allows using Azure AD to grant authorization. Unfortunately it’s only supported for Blob and Queue services, so if you use Table Storage, this won’t help. For the services it supports, it’s no doubt going to become a preferred method of granting access.
Azure Data Plane security: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#data-plane-security
Authenticate access to Azure Storage using Azure Active Directory (Preview): https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad
So, next time you need to grant storage access to a developer, or a partner, or customer, choose the most secure option that supports the storage services you need to share.
In spite of the fact that many organizations have modernized their file sharing strategy through Office 365, SharePoint, and OneDrive, the old school file server backed by the corporate SAN persists in most organizations. However, innovations in cloud storage are rapidly bringing us closer to the day when we trade another hardware refresh for a move to the cloud. Fortunately, Microsoft’s recent work includes a number of features that allow enterprises to adopt a hybrid strategy, enabling a gradual, transparent transition to cloud storage.
Here are four Azure storage features that may ultimately replace the corporate SAN.
#1 – Azure Files
Azure Files offers fully managed file shares in the cloud that are accessible via the familiar standard Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Additionally, Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
- Replace or supplement on-premises file servers. Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS devices. Windows, macOS, and Linux can directly mount Azure file shares wherever they are in the world.
- “Lift and shift” applications. Azure Files makes it easy to “lift and shift” applications to the cloud that expect a file share to store application or user data.
- Simplify cloud development. Azure Files can also be used in numerous ways to simplify new cloud development projects.
Read more on the capabilities of Azure Files HERE.
#2 – Azure File Sync
Azure File Sync tackles the challenges of the old school file server, for scenarios not already wiped out by modernization efforts in Office 365, SharePoint, and OneDrive. The primary function of Azure File Sync is to synchronize file shares, including both data and ACLs, to an Azure general-purpose storage account using the Azure Files service. It looks a lot like a modernized version of StorSimple functionality without the hardware.
Azure File Sync provides secure, centralized file share management in the cloud. You install the File Sync agent on your Windows Servers, which can replicate and store less frequently accessed files in the cloud, while keeping more frequently accessed data on local file shares, and will be able to deliver consistent file share performance with no configuration or code changes. Centralizing file share management with File Sync could also lower the IT support requirements for branch or remote office locations including centralized backup and multi-site replication.
Learn more about Azure File Sync HERE.
#3 – Tiered Storage (hot, cool, & archive)
Azure storage offers three storage tiers for Blob object storage so that you can store your data most cost-effectively depending on how you use it. The Azure hot storage tier is optimized for storing data that is accessed frequently. The Azure cool storage tier is optimized for storing data that is infrequently accessed and stored for at least 30 days. The Azure archive storage tier is optimized for storing data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of hours), much like the AWS Glacier service.
Various enterprise data access scenarios benefit from different storage tiers optimized for particular access patterns. With hot, cool, and archive storage tiers, Azure Blob storage addresses this need for differentiated storage tiers with separate pricing models to help manage costs.
Read up on the details of Azure storage tiers HERE.
#4 – Azure Import/Export Service
For the odd occasion you need to move a LOT of data to or from Azure, there is the Azure Import/Export Service. This service enables you to transfer large amounts of data to and from Azure using hard disk drives, so it’s faster and more cost effective for moving big data sets than transferring the data over the internet. It enables you to transfer data to Azure by the secure transport of hard disk drives to Microsoft’s data centers, and by using a high-speed, secure internal network.
Get the scoop on the Azure Import/Export Service HERE.
Have an Azure storage feature you’re leaning on to modernize your enterprise storage strategy? Tell us about it by leaving a comment below.
At this point, admins at most companies I work with are familiar enough with Azure Automation. Often, I find they just don’t have a great use case in mind. In general, there are a couple of ground rules for getting started:
- Start small. Look for a quick win. Preferably, a project you can knock out on a Friday afternoon.
- Start in Test/Dev. The quick win needs to be a win…not a black eye for the IT department because you took something down in production.
- Pick something with an ROI story. Management loves to share ROI stories with corporate leadership. Get a win you can evangelize to your IT management org to fuel desire for additional automation work.
With that out of the way, here are four use cases where you can get started quickly (and safely) with Azure Automation.
We’re talking about Azure here, so this is the most obvious application of Azure Automation, and it can save a lot of money! You can run VMs just during working hours, shutting them down and deallocating at the end of the day, or you can start VMs based on need – when a certain job is started, the VM can boot, process the data, then shut down when it’s not needed. This is great for end of period reporting, if there’s a lot of data to process, and for developer environments. There are lots of ready-to-go runbooks with the ability to filter VMs based on tags, allowing you to schedule some, but not all, VMs to shut down – this could be useful for applications that need many servers at certain times of the day, but fewer at off-peak times – provided you cannot set up the application in VM Scale Sets, of course.
Replace SQL Agent Jobs
Moving to Azure SQL Database is a great way to reduce server management tasks and costs when migrating to Azure. Unfortunately, the Azure DB service doesn’t have a SQL Agent available due to the nature of the service. You can migrate your SQL Agent jobs to Azure Automation, which can connect to your SQL Databases and easily run automated tasks. If the SQL Agent job needs to access VM data somewhere in your network, you can use Hybrid Runbooks to allow Azure to run the job locally, like a Task Scheduler job. The benefit to Hybrid Runbooks over Task Scheduler is that the job is more likely to run if a server is offline – provided you install more than one hybrid worker!
Did you know that Azure Automation has a native Update Management capability? You can manage your VM updates from a single pane of glass, without needing to invest in a complex configuration management solution. You can quickly onboard VMs and see what patches are missing, triage the most critical patches, and apply them – without having to log into the VM itself. You can schedule regular installation of updates, or apply the specific updates just once. There’s a rich reporting system that can tell you at a glance the current compliance across your servers, and a quick view into whether the installation was successful. The solution can even give you an estimate for how long a given patch will take to install, based on other agents that have installed the same update – that can be tremendously helpful when setting expectations with your business!
Windows is, naturally, supported – using WSUS or public Microsoft update, and some flavours of Linux are supported as well.
Respond to an event alert
Azure Automation can start a runbook when a webhook is called. When an event occurs, the source makes an HTTP request to the URL configured for the webhook, containing some data, and Azure Automation can be configured to parse the data and make a change based on that information. An example could be (returning to the first point) starting a VM if an infrequent task relies on the VM running – when a user starts the process, a webhook containing the VM name and the action (Start) could be sent to Azure Automation, and the VM would boot up in a few minutes. Another example of handling events, which has a more direct application for InfoSec and ITPros, is to respond to an event – for example, if a critical service stops on a VM, Azure Automation can run to reboot the VM or restart the service, or if CPU use gets too high, Azure Automation can scale up the application one server at a time. This isn’t limited to Azure VMs; hybrid runbook workers can run scripts inside AWS or on premises just as easily (though the capabilities are limited to what’s possible on the system you’re connecting to).
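The webhook scenario above has one property worth building around: the webhook URL is the only thing that authenticates the caller, so the runbook should treat the request body as untrusted input and act only on what an allow-list permits. The following added example (my own illustration, not code from the original post or from Azure Automation) shows that handler logic for the “start a VM” case; the VM names and resource groups are constructed placeholders, and the `execute` callback stands in for the real cloud call (for instance Start-AzVM or Stop-AzVM in a PowerShell runbook).

```python
import json

# Constructed allow-list: VM name -> resource group (placeholders, not real resources).
ALLOWED_VMS = {
    "vm-reporting-01": "rg-reporting",
    "vm-etl-02": "rg-reporting",
}
ALLOWED_ACTIONS = {"Start", "Stop"}

def handle_webhook(request_body, execute):
    """Validate a webhook body and dispatch it through execute(action, rg, vm).

    Possession of the webhook URL is the only credential a caller needs, so the
    body is untrusted: anything not matching the allow-lists is rejected before
    any cloud API is called. Returns a dict describing the outcome.
    """
    try:
        body = json.loads(request_body)
    except (TypeError, ValueError):
        return {"ok": False, "reason": "body is not valid JSON"}
    if not isinstance(body, dict):
        return {"ok": False, "reason": "body is not a JSON object"}
    action = body.get("action")
    vm = body.get("vmName")
    if action not in ALLOWED_ACTIONS:
        return {"ok": False, "reason": f"action {action!r} not allowed"}
    if vm not in ALLOWED_VMS:
        return {"ok": False, "reason": f"vm {vm!r} not in allow-list"}
    rg = ALLOWED_VMS[vm]   # resource group comes from our table, never from the caller
    execute(action, rg, vm)
    return {"ok": True, "action": action, "resourceGroup": rg, "vm": vm}

def log_executor(action, rg, vm):
    # Placeholder for the real call (e.g. Start-AzVM / Stop-AzVM); it only logs here.
    print(f"{action} requested for {vm} in {rg}")

if __name__ == "__main__":
    print(handle_webhook('{"vmName": "vm-reporting-01", "action": "Start"}', log_executor))
    print(handle_webhook('{"vmName": "vm-dc-01", "action": "Start"}', log_executor))
    print(handle_webhook('{"vmName": "vm-etl-02", "action": "Delete"}', log_executor))
```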
That’s it for this installment. Have a “win” from your Azure Automation journey you’d like to share? Share in the comments below.
We live in a world where Troy Hunt announces a new breach almost every week. There are millions of leaked credentials on the internet. Your spam mailbox is full of Nigerian princes asking the same questions that your mortgage application asks, and the media’s recommendations on how to secure your online life seem to keep changing. Here are five tips that can help ensure your private information remains private.
1. Use a Password Manager
Password managers like 1Password and KeePass are a great solution to address the need for a unique password for every site – which will in turn remove the need to change your password everywhere when one site announces a breach. Not only do they save you from having to remember passwords, they let you forget your username too. Password managers make it easy to have a unique, complex password for each website that you sign in to, so that if a site’s password list is breached, you don’t need to worry. Using the same password everywhere is really common, but it’s what everyone does simply because there are too many things to remember in your life.
There are a few password managers out there, so do your research and use one that’s well known. The better ones are usually somewhat expensive (1Password) but there are free options available that are pretty good (LastPass). Some people think it’s a bad idea to use a notebook with usernames and passwords, but as long as you keep that notebook secure (in a safe place at home – no visits to the coffee shop!) you’re probably OK – unless someone’s targeting you.
2. Stay up to date
Updates can interrupt your work, which sucks, but they are really important to keeping your computer safe from hackers. Hackers move really quickly, and as soon as an update is released, they’re working to reverse-engineer it to find out what it fixes and discover any ways to use the bug to their advantage. Major updates, like upgrading from Windows 7 to Windows 10, are also really important. On the surface, it may look like Windows 10 is just an update for appearances’ sake, but there are some major architectural changes that are really significant in making your computer more secure.
3. Use an ad blocker
By far, the easiest way to install malware accidentally is by clicking on an ad that’s related to something that you’re looking for, or getting a drive-by download. Installing an ad blocker is recommended by most security experts as a basic first line of defense against bad people. Advertising networks are massive and complex. Some browsers, such as Chrome, have integrated ad blockers you can pick from their marketplace of browser extensions.
4. Be wary of unexpected communications – email, phone calls, texts
Be wary of emails from people that you don’t frequently talk to, or links you’re not expecting. There’s a multitude of ways that you can be targeted through your communications, from receiving a phone call pretending to be a bank, to receiving an email that looks like it’s from a company you do business with asking you to PAY THIS OVERDUE INVOICE which you don’t remember receiving. The common thread with all of these types of attacks is to trust, but verify. If your bank calls you with a fraud alert and asks to validate your information, politely tell them you’ll call them back – and then call them back with the phone number on the back of your card. If your CEO texts asking for an urgent wire transfer (assuming that’s a normal part of your day) – call him up and verify each time. If you receive an email with a PDF or Office document, preview it in Office Online instead of using the full Office Suite. There’s a lot of backwards compatibility built into Office that makes it an excellent way to get into your computer.
5. Enable Windows Defender
Windows Defender is a great antivirus product included with Windows 10 for free. It’s quite capable of detecting the obvious and less-obvious malware. Like every other home antivirus product, it won’t be much use against a determined attacker, but it’s better than nothing. Windows Defender is quite reasonable about letting you use your computer, which has always been a problem with AV tools. Similar to the Stay up to date recommendation above – it’s there, it works well, and there’s really no reason to mess with the defaults.
Have tips to share on how you secure personal data online and protect your privacy? Share in the comments below.
Recently, I was playing with the Investigation feature in Azure Security Center, which allows you to visualize the scope of a security event, triage, and track down the root cause of potential security incidents. It reminded me a lot of Microsoft Advanced Threat Analytics (ATA), which we recommend for customers in their own datacenter. A companion feature is security playbooks, which are collections of procedures that can be executed from Security Center once a certain playbook is triggered from a selected alert. In effect, Microsoft is offering intelligent detection of potential security events with the capability to automate incident response.
- Additional Reading. Notice the many hyperlinks in this article, which lead to additional reading on topics directly related to these features and duplicating this scenario in your own lab.
- Cost. Bear in mind that the feature only comes with the Standard tier of Security Center, which enables Advanced threat detection capabilities, which includes advanced analytics that leverage the Microsoft Intelligent Security Graph…the source of intelligence through analysis of signals via machine learning. The security playbooks leverage Azure Logic Apps, which carries a separate charge.
Exploring on your own
This spawned a security alert in the Security Center portal.
You could also easily trigger similar events with AppLocker bypass.
When you drill into the Security alerts tile in the Detection section of the dashboard above, you can see a list of events.
And clicking on an event in the list, you can see the details of the event, including the description, severity, resource type and details of the action. Notice the Investigate button at the bottom of the event details window.
Clicking on the Investigate button launches the Investigation Dashboard. The investigation consists of a graph, which is always focused on a specific entity, and presents the entities that are related to it. An entity could be a security alert, user, computer or incident. In this case, the “specific entity” is the suspicious process…Mimikatz.exe.
If we select the Suspicious process executed entity, you’ll see guidance on how to proceed with investigation. Most of the steps I found in various scenarios were fairly rudimentary.
If you click on the Playbooks tab at the right of the window, you’ll find the Run Playbooks based on this alert.
I did not find m(any) existing sample runbooks, but there is a tutorial with an example for creating your own Security Playbook in response to a suspicious process execution. As with the example, since more than 90% of malicious activities are observed once and never again, you may find your playbooks are driving expedited notification to the appropriate channels in your org.
If you have not yet spent time with the advanced features of Security Center present only in the Standard tier, it is worth a look. The story grows more compelling every month.