What's New with Azure – September 2021

Microsoft recently announced that their Ignite (online only) conference will be running again on November 2-4. That means we are approaching peak season for announcements, new public preview releases, and general availability. “Q3” in announcements and roadmaps will often mean between early September and maybe the third week of October – a code freeze will probably kick in to avoid instabilities during live demonstrations – if the past is a good guide.

OMIGOD!

I guess the worst kind of “supply chain” attack is one that comes via functionality rendered by your cloud services provider. Wiz disclosed a “quartet of zero-days” (vulnerabilities) on September 14th. Since then, there’s been update after update and news story after news story about possible attacks on Linux-based workloads via the Open Management Infrastructure (OMI) agent, which is installed when they use management features including (but not limited to):

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

Those of you running a secure Azure network (limited public IP addresses and micro-segmentation) are probably OK – OMI listens on ports such as 5985, 5986, 1270 – that traffic shouldn’t be allowed from exposed networks!

Apparently, Microsoft ran an auto-update to upgrade the affected agent and that process was due to finish on September 22nd. Since then, Microsoft has shared guidance on how to detect and update affected agents. I would recommend running the detection script – those of you with a SIEM solution might be able to use “threat hunting” to automate this.
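The post's point about network exposure can be turned into a quick audit. The following is an added example (not from the post, not Microsoft's detection script): it reads Network Security Group data in the flattened shape that `az network nsg list` returns, walks each NSG's inbound rules in priority order, and reports any of the OMI ports named above (5985, 5986, 1270) that an Allow rule from a public source reaches before a Deny rule does. The NSG data is constructed inline for the example; the NSG and rule names are placeholders.

```python
"""Audit Azure NSG rules for inbound exposure of the OMI listener ports.

Added example. The sample below is constructed in the flattened shape that
`az network nsg list -o json` produces; names are placeholders.
"""
import json

OMI_PORTS = {5985, 5986, 1270}                      # ports the post names for the OMI agent
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}     # source prefixes that mean "from anywhere"

SAMPLE_NSGS = json.loads("""
[
  {"name": "nsg-web", "securityRules": [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-mgmt", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "5985-5986"}
  ]},
  {"name": "nsg-app", "securityRules": [
    {"name": "deny-omi", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["5985", "5986", "1270"]},
    {"name": "allow-all-tcp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}
  ]}
]
""")


def expand_ports(spec):
    """Turn a port spec like '5985', '5985-5986' or '*' into a set; None means every port."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-")
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(rule):
    """Union of destinationPortRange and destinationPortRanges; None if the rule covers all ports."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    ports = set()
    for spec in specs:
        expanded = expand_ports(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def rule_sources(rule):
    """Lower-cased set of source prefixes (single and plural forms both occur in exports)."""
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return {s.lower() for s in srcs}


def effective_exposure(nsg):
    """For each OMI port, find the first inbound rule (lowest priority number wins) that
    matches a public source and that port; the port is exposed only if that rule is Allow.
    Azure's built-in DenyAllInBound applies when no custom rule matches."""
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    exposed = []
    for port in sorted(OMI_PORTS):
        for rule in rules:
            if rule.get("direction") != "Inbound":
                continue
            if rule.get("protocol", "*").lower() in ("udp", "icmp"):   # OMI is TCP
                continue
            if not (rule_sources(rule) & PUBLIC_SOURCES):
                continue
            ports = rule_ports(rule)
            if ports is not None and port not in ports:
                continue
            if rule.get("access") == "Allow":
                exposed.append((port, rule["name"]))
            break   # first matching rule decides; a Deny here means the port is blocked
    return exposed


def audit(nsgs):
    """Map NSG name -> [(port, rule name), ...] for every NSG that exposes an OMI port."""
    return {nsg["name"]: found for nsg in nsgs if (found := effective_exposure(nsg))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_NSGS).items():
        for port, rule in findings:
            print(f"{name}: port {port} reachable from a public source via rule '{rule}'")
```

Feed it real data with `az network nsg list -o json` and the audit will highlight the NSGs to fix first; an NSG that denies the three ports at a lower priority number than any broad Allow, as `nsg-app` does in the sample, comes back clean.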

Private Link Developments

Based on the queries I’ve seen/received over the last few weeks, Private Link (typically used to connect PaaS resources to a subnet) is getting more adoption. And with that adoption, people are finding that there are issues.

Two feature gaps have been hurting customers who implement good network security practices. Those practices typically look like this:

  • Micro-segmentation limits the reach of a workload/attacker and the blast area of a successful penetration
  • The first step in security is a DMZ in the form of a hub that contains a firewall. The firewall normally (not in Azure Virtual WAN) relies on user-defined routes to force flows from a spoke subnet through the firewall to route to other spokes using the DMZ.
  • The second step is to use Network Security Groups (NSGs) to protect workload resources at the subnet.

There have been two issues with this and Private Link:

  1. User-defined routes are not supported. Those of you being clever with your BGP route propagation in Azure Virtual Network won’t care about this one.
  2. Inbound rules in NSGs are not implemented with Private Endpoints (the instantiation of Private Link).

Both of those feature gaps have been addressed with limited region public previews:
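Until those previews are in your region, the practical question is which subnets hosting private endpoints are not getting the NSG and user-defined route protection the rest of the spoke enjoys. The following is an added example (not from the post and not Microsoft's tooling): it reads subnet data in the flattened shape that `az network vnet subnet list` returns and flags subnets that contain private endpoints but have no NSG, no route table, or have the subnet property `privateEndpointNetworkPolicies` set to anything other than `Enabled`. The assumption here is that this property is the switch that lets NSG rules and route tables apply to private endpoint traffic under the previews; confirm the exact setting against the current Microsoft documentation. The sample subnets are constructed and the resource IDs are placeholders.

```python
"""Find private endpoint subnets where NSG/UDR enforcement is missing.

Added example. Input is constructed in the flattened shape of
`az network vnet subnet list -o json`; resource IDs are placeholders.
Assumption: privateEndpointNetworkPolicies must be "Enabled" for NSG rules
and route tables to apply to private endpoint traffic.
"""
import json

SAMPLE_SUBNETS = json.loads("""
[
  {"name": "snet-app", "privateEndpoints": [],
   "privateEndpointNetworkPolicies": "Enabled",
   "networkSecurityGroup": {"id": "/placeholder/nsg-app"},
   "routeTable": {"id": "/placeholder/rt-spoke"}},
  {"name": "snet-pe-sql", "privateEndpoints": [{"id": "/placeholder/pe-sql"}],
   "privateEndpointNetworkPolicies": "Disabled",
   "networkSecurityGroup": {"id": "/placeholder/nsg-pe"},
   "routeTable": {"id": "/placeholder/rt-spoke"}},
  {"name": "snet-pe-kv", "privateEndpoints": [{"id": "/placeholder/pe-kv"}],
   "privateEndpointNetworkPolicies": "Enabled",
   "networkSecurityGroup": null, "routeTable": null}
]
""")

# Short tags for each gap, with the reason a reviewer would want to see.
GAP_REASONS = {
    "policies-disabled": "privateEndpointNetworkPolicies is not Enabled, so NSG and UDR are bypassed",
    "no-nsg": "no Network Security Group attached to the subnet",
    "no-udr": "no route table, so flows are not forced through the hub firewall",
}


def subnet_gaps(subnet):
    """Return gap tags for a subnet that hosts private endpoints; [] if none or no endpoints."""
    if not subnet.get("privateEndpoints"):
        return []                       # nothing to protect with Private Link rules here
    gaps = []
    if subnet.get("privateEndpointNetworkPolicies") != "Enabled":
        gaps.append("policies-disabled")
    if not subnet.get("networkSecurityGroup"):
        gaps.append("no-nsg")
    if not subnet.get("routeTable"):
        gaps.append("no-udr")
    return gaps


def audit_private_endpoint_subnets(subnets):
    """Map subnet name -> gap tags for every private endpoint subnet with at least one gap."""
    return {s["name"]: gaps for s in subnets if (gaps := subnet_gaps(s))}


if __name__ == "__main__":
    for name, gaps in audit_private_endpoint_subnets(SAMPLE_SUBNETS).items():
        for gap in gaps:
            print(f"{name}: {GAP_REASONS[gap]}")
```

A subnet with no private endpoints is skipped on purpose: the check is about Private Link traffic, and ordinary workload subnets are covered by the hub-and-spoke design described above.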

Be Careful What You Ask For

Everyone wants to go full platform with Active Directory. I’m one of the holdouts that still prefers a good ol’ fashioned VM-based domain controller. But people want to push as much as possible to Azure AD Domain Services, and even to Azure AD only.

To answer that ask, Azure Virtual Desktop now supports virtual machines that are joined only to Azure AD. By the way, one can hold a loaded weapon to one’s own head with the safety off, but that is not typically recommended.

Microsoft has shared some known limitations of this new support:

  • Azure Virtual Desktop (classic) doesn’t support Azure AD-joined VMs.
  • Azure AD-joined VMs don’t currently support external users.
  • Azure AD-joined VMs only support local user profiles at this time – no FSLogix or roaming profiles.
  • Azure AD-joined VMs can’t access Azure Files file shares for FSLogix or MSIX app attach. You’ll need Kerberos authentication to access either of these features.
  • The Windows Store client doesn’t currently support Azure AD-joined VMs.
  • Azure Virtual Desktop doesn’t currently support single sign-on for Azure AD-joined VMs.

Let’s not forget Group Policy, a very necessary feature to manage the configurations of these machines, the login experience, and the configuration of the profile, user folders & user settings. And then there’s the sticky topic of legacy third-party software – the migration of which to Azure that is causing you to deploy Azure Virtual Desktop – that will expect to see a traditional domain, but those companies are usually pretty flexible with support – NOT!

My guess is that this new feature is used under the covers by Windows 365 – which is powered by Azure Virtual Desktop – and Microsoft just surfaced Azure AD support for Azure Virtual Desktop customers.

Other Announcements from Microsoft

Azure Storage

Networking

Azure Virtual Machines

Azure Virtual Desktop

App Services

Azure Backup & Site Recovery

Management

Governance

Azure Automation

Miscellaneous

And Now for Something Different

Just in case you missed the very subdued announcement, Windows Server 2022 is now generally available. Once upon a time, I used to gather all the new Hyper-V and related features that I discovered and keep the list on my own blog. Today, I struggle to find much news across the entire operating system.

That’s because Windows Server is just a part of Azure Stack HCI – a hyper-converged Hyper-V/Azure Kubernetes Services cluster designed to run on-premises with possible integration into Azure using Azure Arc. Unlike most of you reading this post, I cannot remember the last time I installed Windows Server – all my Windows machines have come from the Azure Marketplace over the last several years.

A lot of what I have read about as a new Windows Server feature usually ends up being an Azure service, so I don’t really think of it as a Windows Server feature – it’s Marketing playing “look over here at this shiny thing”. But there are new features spanning areas such as:

  • OS security, including TPM 2.0 usage, for better protection of the OS, secrets, and Hyper-V guest operating systems.
  • Network security, including SMB improvements, TLS 1.3 enabled by default, and Secure DNS.
  • Hybrid capabilities – look over here at this shiny thing!
  • Application hosting, including Windows Containers and group managed services accounts.
  • Hyper-V, including nested AMD virtualization, and Receive Segment Coalescing in the virtual switch.
  • Networking performance, where UDP and TCP are faster.
  • Storage is improved a lot for HCI, including adjustable storage repair speed, SMB compression, and storage migration.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.