Guest BrandonWilson
Posted January 7, 2023

Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.

These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.

From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!

Title: So, you say your DC’s memory is getting all used up after installing November 2022 security update
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: December 13, 2022
Content excerpt: After installing the November 2022/Out of Band update on your domain controllers you might experience a memory leak happening within LSASS.exe (Local Security Authority Subsystem Service). This could affect domain controller performance, cause operational failures, and/or reliability issues. If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak that is happening within LSASS.exe at this time.

Title: What happened to Kerberos Authentication after installing the November 2022/OOB updates?
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: December 13, 2022
Content excerpt: With the November 2022 security update, some things were changed as to how the Kerberos Key Distribution Center (KDC) Service on the Domain Controller determines what encryption types are supported by the KDC and what encryption types are supported by default for users, computers, Group Managed Service Accounts (gMSA), and trust objects within the domain.

Title: Having issues since deploying November 2022 Security Updates to your domain controller?
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: December 13, 2022
Content excerpt: Hello, Chris Cartwright here from Directory Services support team. Taking a breather from the phone calls. In the past few weeks, there has been a large number of questions, rumors, and suggestions thrown around about the November 2022 security updates. Microsoft Support recommends that you read these articles to gain the most understanding of topics discussed in this and related blogs:
- Techcommunity: Decrypting the Selection of Supported Kerberos Encryption Types provides an understanding of etypes
- TechCommunity: November 2022 Out of Band update released! Take action!
- Microsoft KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
- Windows Release Health Message Center: Take action: OOB update to address an issue with sign in and Kerberos authentication

Title: Armchair Architects: So, you want to build a platform…
Source: Azure Architecture
Author: Eric Charran
Publication Date: December 8, 2022
Content excerpt: In this episode of the Azure Enablement Show, David Blank-Edelman talks to our Armchair Architects, Uli Homann and Eric Charran about what architects think about different platforms: What are the different kinds of platforms? When should you build one? What factors should be considered when designing them? What business problems can they solve?

Title: Azure portal November 2022 updates
Source: Azure Governance and Management
Author: Allison Cordle
Publication Date: December 21, 2022
Content summary: A look at updates for November 2022 for the Azure portal

Title: Develop your network integration skills with our new ramp guide
Source: Azure Networking
Author: Lanna Teh
Publication Date: December 12, 2022
Content excerpt: As the cloud continues to evolve, your work as a network engineer will only get more stimulating—and challenging. Your role overseeing your company’s computer infrastructure is as demanding as it is essential, and that’s why we’ve developed a new Azure Skills Navigator guide dedicated to helping network engineers like you not only get started on Azure, but develop your specialty in networking solutions.

Title: Building a POC for TLS inspection in Azure Firewall
Source: Azure Network Security
Author: Deepak Maheshwari
Publication Date: December 2, 2022
Content excerpt: This blog post will provide a step-by-step guide to build a Proof of Concept (POC) Lab that uses the Transport Layer Security (TLS) Inspection feature of Azure Firewall Premium by using the Certification Auto-Generation mechanism, which automatically creates the following three resources for you:
- Managed Identity
- Key Vault
- Self-signed Root CA certificate

Title: Zero Trust with Azure Network Security
Source: Azure Network Security
Author: Saleem Bseeu
Publication Date: December 5, 2022
Content excerpt: As more organizations continue to migrate workloads into the cloud and adopt hybrid cloud setups, security measures and controls can become complicated and difficult to implement. The zero-trust model assists and guides organizations in the continuous digital transformation space by providing a reliable framework to manage complexity, secure digital assets and manage risk.
The Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network regardless of where the request originates or what resource it accesses, instead of believing everything behind the corporate Firewall is safe. For this blog, we will guide you through strengthening one of Zero trust principles - Assume breach. To read more about Zero Trust principles see Zero Trust implementation guidance | Microsoft Learn

Title: What’s new for Azure Stack HCI in Windows Admin Center v2211
Source: Azure Stack
Author: Eleanor Cohen
Publication Date: December 13, 2022
Content excerpt: Windows Admin Center (WAC) version 2211 is now generally available! In this release, we've added new tools for Azure Stack HCI such as the GPU partitioning tool, Azure Arc tool, and a new Cluster properties page. We've also made improvements to existing features including the Volumes tool, Software Defined Networking tools and Settings search. You can find the 2211 update in the Updates section of Windows Admin Center settings. In addition to the improvements made to the Azure Stack HCI cluster management experience, WAC v2211 includes platform and extension updates.

Title: How to automate On-Demand Azure Backup for Azure Virtual Machines using PowerShell
Source: Azure Storage
Author: Srinath Vasireddy
Publication Date: December 6, 2022
Content excerpt: Azure Backup supports multiple backups of Azure Virtual Machines per day using Enhanced Policy. For hourly backup, the minimum RPO is 4 hours and the maximum is 24 hours. You can set the backup schedule to 4, 6, 8, 12, and 24 hours respectively. Learn how to back up an Azure VM using Enhanced policy. This feature is only available to unprotected VMs that are new to Azure Backup. VMs that are already protected with existing policy can't be moved to Enhanced policy. To overcome this, you can run multiple on-demand backups of a VM per day after you set up its protection.

Title: Software Installation Using Machine Configuration and Azure Policy
Source: Core Infrastructure and Security
Author: Anthony Watherston
Publication Date: December 26, 2022
Content excerpt: I did a post a while ago on installing software onto virtual machines using policy state change events as the trigger. Now with the general availability of Azure Automanage Machine Configuration (formerly Azure Policy Guest Configuration) it’s time for a bit of an update to that post. In this guide I’ll again be installing PowerShell 7 – however I’ll use Machine Configuration and Azure Policy to handle the installation.

Title: Azure Update Management Windows Update Desired State Configuration
Source: Core Infrastructure and Security
Author: Werner Rall
Publication Date: December 19, 2022
Content excerpt: Even though the Azure Update Center is already in preview many of our customers are still using Azure Update Management (the solution that uses Automation Account and Log Analytics workspace) to patch their servers. During one of these engagements, we realized that some of the Operating System Settings for Windows Update were not configured the way business required and this leads to erratic reboots and servers not patching on their expected schedules. We needed a way to ensure our machines have the appropriate settings.

Title: Azure Monitor: Manage Data Access for Your Log Analytics Workspace
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: December 12, 2022
Content excerpt: I am back with another important topic arising from my customers’ visits. How can I give very specific access to Log Analytics data, whether they be Security or Monitoring data? Tricky one, isn’t it? A very simplistic answer could be: “manage your access list through IAM on the workspace”, but this is not enough. Say, for instance, that you would give scoped access to data coming from specific resources or, even more complicated, you would like that given the same resource one team can see some info and another one all the rest. Looks complicated, but hey … good news: this is doable.

Title: Creating MFA Policies with Zero Trust Advanced Deployment Guide in Microsoft 365
Source: Core Infrastructure and Security
Author: Atil Gurcan
Publication Date: December 8, 2022
Content excerpt: As you most probably know, there are Advanced deployment guides available for you on your Microsoft 365 tenant. These are basically deployment guides that help you to configure different settings and onboard services based on your requirements and scenarios. Advanced deployment guides are accessible from Training, guides & assistance card on the Microsoft 365 tenant.

Title: Quick Reference: Understanding Azure Reservations vs Savings Plans
Source: Core Infrastructure and Security
Author: Brandon Wilson
Publication Date: December 5, 2022
Content excerpt: Hi everyone! Brandon Wilson (Cloud Solution Architect/Engineer) here today to discuss some of the higher-level points of Azure Savings Plans, a new offering to help customers save, and Azure reservations (ie; reserved instances). This post isn’t intended to be a deep dive into the components, more of a high-level wade through a kiddie pool to help you understand the new savings plans compared to the Azure reservations, and if you’ve never heard of neither, well hopefully this helps you gain a little bit of insight.

Title: How Azure Front Door cache can help protect against DDoS attacks
Source: FastTrack for Azure
Author: Daniel Larsen
Publication Date: December 27, 2022
Content excerpt: Recently at work I have been helping customers protect websites that have been impacted by DDoS attacks, specifically layer 7 application attacks, which take a website offline by overwhelming it with HTTP requests. These types of attacks are relatively easy for attackers to automate and execute via bot networks, and are particularly effective against web services that use older web frameworks and content management systems. A DDoS attack can completely disable a website that is not adequately prepared. The good news is that cloud computing platforms like Microsoft Azure provide global services like Azure Front Door that help protect from DDoS attacks, providing several layers of defense to reduce the impact of an attack and deter attackers.

Title: Azure App Service Patterns and Features for the Azure Well-Architected Framework
Source: FastTrack for Azure
Author: Marc Mercier
Publication Date: December 21, 2022
Content excerpt: Azure App Service is a fully managed Platform as a Service (PaaS) offering from Microsoft that enables developers to build, deploy, and scale web, mobile, and API apps quickly and easily. In this post, we'll look at how Azure App Service aligns with the Microsoft Well-Architected Framework and how it can help organizations to achieve operational excellence, security, reliability, performance efficiency, and cost optimization. The Azure Well-Architected Framework (WAF) is a set of best practices and design principles for building cloud solutions. It helps organizations to understand the trade-offs and considerations involved in cloud design, and to design solutions that are reliable, secure, efficient, and cost-effective.

Title: Comprehensive End-to-End Testing in Azure: Introduction
Source: FastTrack for Azure
Author: Mauro Contreras
Publication Date: December 12, 2022
Content excerpt: End-to-end testing, also known as E2E testing, is a type of software testing that involves testing the entire solution, from start to finish, to ensure that it functions as expected. This includes testing all components, subsystems, and interfaces, as well as all end-user scenarios and use cases.

Title: Generate Azure Policy Compliance Alerts By Sending Custom Data to Log Analytics
Source: FastTrack for Azure
Author: DJ Bartles
Publication Date: December 2, 2022
Content excerpt: Many organizations use Azure Policy to track, measure, maintain, and enforce regulatory policy compliance. These regulatory compliance initiatives could be standard baseline initiatives that have been assigned or they could be customized regulatory compliance initiatives, created just for that particular organization. Regardless of the regulatory compliance initiative type, organizations have prioritized not just compliance to a regulatory compliance initiative but also when a policy state change occurs. A common question we hear is “How can I be alerted when my policy compliance state changes?”. If an organization would rather use automation instead of a manual method, this article will describe an alerting mechanism that will notify you about what policy changed, when that policy changed, and how you want to be notified about that change.

Title: Configuration as Code for Microsoft Intune
Source: Intune Customer Success
Author: Dave Randall and Nina Desnica
Publication Date: December 21, 2022
Content excerpt: Microsoft wants to help IT pros do more with less. This sounds great, but how can you put it into action? For Microsoft Intune, we can apply the principles and practices of Configuration as Code. Configuration as Code is the process of applying standardized software development best practices to manage and deploy specific configurations or settings for an application. When done correctly, Configuration as Code helps you:
- Maintain a secure repository of configurations that represent both current and historical state.
- Manage configurations and settings across multiple tenants.
- Automate the deployment of configurations and settings.

Title: What's New in Azure Networking - Updates December 2022
Source: IT Ops Talk
Author: Michael Bender
Publication Date: December 20, 2022
Content excerpt: Azure Networking is the foundation of your infrastructure in Azure. So @pierre and I decided we’d bring you a monthly update on What’s new in Azure Networking. In this blog post, you’re introduced to the topics from our show, , with helpful links for you to dive deeper into each of the topic areas. This month, we cover a few items to round out the year, and some things for you to look forward in 2023.

Title: How-to use Microsoft Defender for Cloud Ransomware alerts to preserve Azure Backup recovery points
Source: Microsoft Defender for Cloud
Author: Vasavi Pasula
Publication Date: December 9, 2022
Content excerpt: Ransomware attacks deliberately encrypt or tamper data to force your organization to pay money to attackers. These attacks can target your data and your backups. The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems. You can leverage Azure native ransomware protection capabilities and implement the best practices to ensure your organization is optimally positioned to prevent, protect, and detect potential ransomware attacks on your Azure assets.

Title: End user passwordless utopia
Source: Microsoft Entra (Azure AD)
Author: Tarek Dawoud
Publication Date: December 15, 2022
Content excerpt: My goal is to demonstrate how a user can securely open their device and access corporate applications and data without a password, credential prompt, or traditional MFA prompt, while remaining secure. Let’s start with two common issues that we’re trying to combat:
1. Authentication fatigue
As users, we’ve been conditioned for about 20 years to enter username and password credentials whenever our device prompts us to do so. This is the very behavior bad actors rely on when phishing a user, often sending links that lead to fake sign in pages, where users enter their credentials.
2. MFA fatigue
Microsoft statistics show 99.9% of accounts that have been compromised in Azure AD have been on accounts that didn’t enforce MFA.

Title: Microsoft brings FIPS 140 Compliance to Authenticator supporting Federal Agencies
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert
Publication Date: December 8, 2022
Content excerpt: Many customers work in environments with security and compliance concerns requiring authenticators to use cryptography validated by the Federal Information Processing Standards (FIPS) 140 (reference NIST SP 800-63B). We're excited that Microsoft Authenticator on iOS is now FIPS 140 compliant (Android coming soon). Authenticator version 6.6.8 and higher on iOS is FIPS 140 compliant for all Azure Active Directory (Azure AD) authentications using push multifactor authentications (MFA), Passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP).

Title: New Admin Center Unifies Azure AD with Other Identity and Access Products
Source: Microsoft Entra (Azure AD)
Author: Kristina Hotz
Publication Date: December 1, 2022
Content excerpt: Microsoft’s vision for identity goes beyond traditional identity management to give our customers an entire toolset to secure access for everyone and everything in multicloud and multiplatform environments. Earlier this year, we significantly advanced this vision with the launch of Microsoft Entra and the new Microsoft Entra admin center. We’re now pleased to announce the staged rollout of the Entra admin center for Microsoft 365 and Azure Active Directory (Azure AD) customers. Starting this month, waves of customers will begin to be automatically directed to entra.microsoft.com from Microsoft 365 in place of the Azure AD admin center (aad.portal.azure.com).

Title: What’s new in Microsoft Intune - 2212 (December) edition
Source: Microsoft Intune
Author: Ramya Chitrakar
Publication Date: December 16, 2022
Content excerpt: The December (2212) service release of Microsoft Intune includes the general availability of the capability to fully control and schedule feature update deployments along with the ability to expedite critical quality updates. Additionally, we’re making it easier for admins to find the latest version of apps to ensure they are easy to install on Windows-managed devices. I hope you appreciate these enhancements as deployment wraps up for the month.

Title: Accelerate your digital transformation with Microsoft Assessments
Source: Microsoft Learn
Author: Davis Joseph
Publication Date: December 8, 2022
Content excerpt: Through volatile markets, economic uncertainty, and supply chain disruption, companies in a wide variety of industries are learning to adapt quickly, innovate sustainably, and speak to customers in more engaging and personalized ways. Organizations that aren’t actively working to modernize their data management, automation, and security processes are at risk of falling behind with 95% of the top 100 largest enterprise software companies reporting the integration of "smart" tech into their products in 2020. But it can be challenging to know where to start. As a resource for individuals and organizations looking to solve complex business issues, Microsoft Assessments offer the ability to examine your goals and existing practices to identify opportunities that accelerate your digital transformation.

Title: Introducing Personal Data Encryption, securing user data before login and under lock
Source: Security, Compliance, and Identity
Author: Rohith Honnegowda
Publication Date: December 8, 2022
Content excerpt: Personal Data Encryption (PDE) is a security feature introduced in Windows 11 22H2. PDE provides an easy to manage, simple to use, user authenticated data encryption mechanism. PDE relies on Windows Hello for Business for user authentication, this eliminates the need for IT Admins to manage another set of login credentials for encryption, thereby reducing the overall burden for Enterprise IT admins. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials.

Title: December 2022 monthly security updates for Hyper-V servers impacts SCVMM SDN deployments
Source: System Center
Author: Molishvinayagan R
Publication Date: December 13, 2022
Content excerpt: Monthly security updates (KB 5021249 and KB 5021237) for Hyper-V hosts released on Dec 13th, 2022, have known issues that impact SCVMM managed SDN (Software Defined Networking) deployments and this creates failures with new VM creation and virtual network assignment.

Title: Windows Admin Center version 2211 is now generally available!
Source: Windows Admin Center
Author: Trung Tran
Publication Date: December 13, 2022
Content excerpt: In this release, we’ve made improvements across our entire product! From updates to our platform, to enhancing your Azure Stack HCI management tooling, to introducing unique new features to Windows Admin Center in Azure, and so much more. This is a long blog post, but we hope you’ll read on and share our excitement for the new features we’re introducing this winter. If you’re impatient like me, you can download right away!

Title: Feature and expedited update management in Intune now generally available
Source: Windows IT Pro
Author: David Guyer
Publication Date: December 16, 2022
Content excerpt: We are excited to announce that Windows feature updates and expedited quality updates in Microsoft Intune are now generally available! These features use the Windows Update for Business deployment service to provide greater control over specifying updates to devices. Additionally, you can take advantage of rich reporting that provides detailed status and error state for each device in the policy.

Title: New on Microsoft Learn: Advance your security posture from chip to cloud
Source: Windows IT Pro
Author: Thomas Trombley
Publication Date: December 1, 2022
Content excerpt: Where do you start with improving your organization's security posture? You've heard about growing cyber threats and security statistics, hardening, and Zero Trust. Now a new learning module brings it all together with practical guidance to help secure your environment from chip to cloud. Just to give you an idea of what's in the learning module, this article outlines:
- The basics of Zero Trust from chip to cloud
- Leveraging Microsoft Intune's capabilities as an example of how to advance your security posture
- Tools to monitor and report on your security posture

Previous CTO! Guides:
- CIS Tech Community-Check This Out! (CTO!) Guides

Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)