I am setting up a multi-node High Availability server cluster on Windows Server 2019 with remote file system access. To provide both 'least required privileges' and a common security setup across all the nodes, the software is being run under a gMSA account.
The gMSA is getting a registry error trying to access "HKEY_PERFORMANCE_DATA".
The Network Service account doesn't have this error, but will require each server to be registered against remote resources, which is not an ideal solution.
What permissions will need to be applied to the gMSA to replicate the same level of access on the server as the Network Service account?
I've tried various server security groups and granted the gMSA access to the HKEY_USERS\S-1-5-20 group all without success.
The one success was when I tried the Administrators group to verify it was possible at all.
My research has indicated that the Network Service account is an account of 'least-privilege' and 'User + Network' but my testing indicates that 'User' is not equivalent to the 'Users' security role.
Related
Is there a way to restrict Azure Data Factory to be only accessible through Azure bastion host? To elaborate, I want anyone reaching the ADF URL to go through a Browser running in an azure bastion host?
As per the current Azure Security Baseline for data factory Documentation, it is suggested to Use privileged access workstations for Secured, isolated workstations are critical for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and Azure Bastion for administrative tasks.
Use Azure AD, Microsoft Defender ATP, or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. You can centrally manage secured workstations to enforce a security configuration that includes:
Strong authentication
Software and hardware baselines
Restricted logical and network access
How do I restrict remote AAD (Work/School) connected personal machines with Group Policy enforced from the AADDS VM?
This client's company is fully remote and is looking for a cloud group policy solution.
Is there anyway to use AADDS to accomplish this task?
Thanks,
To manages machines/computers with group policy the machine should be joined with domain(on prem domain controller or azure adds) Once the machine is joined to domain you can apply group policies.
If you are looking to use azure ad ds managed instance . it gives the ability to join computers on a domain without any need to manage or deploy a Domain Controller. The users can sign-in by using their existing corporate credentials.
If you want to manage group policy with adds managed instance, you need to create an additional vm with sevrer OS and you need to install required server roles to preform additional operations.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
Or else you can use Azure AD registered devices, The goal of Azure AD registered devices is to provide your users with support for the bring your own device (BYOD) or mobile device scenarios.
You can find more information Here about device management in azure Azure AD.
I have two Win10 Pro machines in the workgroup.
A while ago I was able to connect from one to other through WMI with local account with admins rights. I use wbemtest to test the connection.
But now I have Windows 10 Pro 1803 on both and can't connect. Get Access Denied error.
I added key "AllowAnonymousCallback", checked firewall exception for WMI, WMI security rights for root and cimv2. WMI, DCOM and RPC services are running.
Checked Network access: Sharing and security model for local accounts to Classic - local users authenticate as themselfes and Network security LAN Manager authentication level to Send LM & NTLM responses, use NTLMv2 session security if negotiated.
Also I added hosts to winrm.
I can connect to Windows 7 machine with local admin account, without any problems bu not to Win10.
I can open network shares on Win10 with local admin credentials.
Did MS change something for local admins?
I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.
I use the below services
Web Apps (public facing)
Virtual machines - Running apps and services
Sql Sever
Service Bus
Storage Account.
The web apps and the Vms need to communicate with the other three services.
Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?
Service bus - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Storage Account - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Sql server - This is currently using the firewall to Allow access to Azure Services plus restricting it to client machines that need to access the DB's through SSMS
VM - this is restricted using Network Security Groups to only allow client machines to RDP on.
I would appreciate any help that can be provided.
Edit
Things that i am worried about are:
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
By default, “Allow access to Azure services” is turned on, enabling this feature would allow any traffic from resources/services hosted in Azure to access the database.
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
A shared access signature can take one of two forms: Ad hoc SAS and SAS with stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy, we could modify the stored access policy to revoke the SAS or get a new SAS based on new stored access policy.
For more information about Shared Access Signatures (SAS), you could read this article.
Regarding access to the SQL server from your web apps:
They are using up to four outbound IP addresses when connecting to external services. You could limit the SQL server access to those.
Read this article to find them.
That won't completely close down foreign access to the SQL server, other people's web apps are using the same four outbound IP addresses.
IIS 7.5 has new inbuilt identity called ApplicationPoolIdentity. IIS takes care of authentication and avoiding interference of other process running into Network Services.
I would like to know whether ApplicationPoolIdentity has more permissions or Local Services.
As per my understanding Local System has got higher privilege, then Network Service and Local Services then minimum privileges are given to ApplicationPoolIdentity.
But then if you are running your IIS application in ApplicationPoolIdentity then it can access network resources.
Can you please clarify which is with minimum privileges??
Thanks
Keshav