Create Cloudflare ACL on Azure App Service

nbeam published 2 weeks ago in Azure, Cloud Security, Cloud Services, Firewalls, Information Security, Microsoft, Network Security, Powershell, Web Administration, Web Hosting. Tags: , , ,

0

FIRST – I am stealing code here and re-sharing (with very little modification). All credit goes the fine gentleman that wrote these two articles, I would urge you to read them:

Bulk Add IP Access Restrictions to Azure App Service Using AZ Powershell

Bulk Add Cloudflares IPs to Azure App Service Access Restrictions Using AZ Powershell

I made a few minor modifications the provided code. First, I like to just run a lot of my Azure Powershell stuff from an ISE session and don’t like encapsulating everything in new commands. Partly because I am not all that familiar with working that way even though it is probably a MUCH better way of doing things.

Before we get to the code though, what is this for exactly?

If you use cloudflare as a protection and CDN layer for a website it works by acting as a reverse proxy for your site. I.E. client connects to your site by a cloudflare hosted DNS record… instead of connecting directly to your server, their connection terminates at Cloudflare, they do things, then the pass the connection along to your actual service. ‘Nuff said, google if you need more info.

In the case of an Azure Web App (or any other web server I supposed), the app is hosted/available on some public IP and/or azure domain name that azure provides when you create the app…

What this means is that someone can easily bypass your cloudflare layer (and the associated performance enhancements and protections like web application firewalls) if they know your source systems IP address and in the case of azure, your azure provided domain name for your app.

So what that means is that you need to setup an ACL (Access Control List) on your source system to say “Allow traffic from all Cloudflare IP ranges and block everyone else”.

Cloudflare has like 20 IP ranges… And setting up that ACL by hand on a web app in Azure is arduous at best. But that is why we have scripting… to make things that are generally a pain in the rear… NOT a pain in the rear. (more…)

VSSAdmin Delete Shadows FAIL – DiskShadow to the Rescue

nbeam published 1 month ago in Microsoft, Server 2008 R2, Server 2012, Server 2012R2, Storage, Windows Administration. Tags: , , ,

0

I won’t go into great detail here but in short, if VSSAdmin is not letting you delete shadow copies and is throwing this message:

Error: Snapshots were found, but they were outside of your allowed context.  Try removing them with the backup application which created them.

There is another (less safe…) program called DiskShadow which will.

It’s built into windows server… and using it to get rid of pesky shadow copies that won’t otherwise goes away looks like this:

C:\DiskShadow
DISKSHADOW> Delete Shadows All

and away they go…

One of the best blog articles I came across that details both VSSADMIN and DiskShadow tool and why VSSAdmin sometimes falls short is here:
https://danblee.com/diskshadow-vssadmins-best-friend/

Cheers!

Remove Dead RDS Session Host Server – Otherwise You Can’t Manage Remote Desktop Services

nbeam published 1 year ago in Microsoft, Remote Desktop Services, Server 2012R2, Windows Administration. Tags: , , , , ,

6

After working with RDS (Remote Desktop Services, previously known as “Terminal Services”, also referred to “The biggest pain in the rear and the only way to get more than two remote desktop sessions on a server because Microsoft either hates admins, hates this product, or both”) I have come to the conclusion that Microsoft really needs to make something which should be simple, simple. Alas it isn’t simple. And today’s topic…

You have an RDS licensing and management server… you have several Session Host servers as part of your deployment. At some point one of those servers died and was henceforth removed from the domain. It’s gone, never to return. You login to manage Remote Desktop Services licensing… and are told that a bunch of servers are missing from the management pool.

Something along these lines:

The following servers in this deployment are not part of the server pool:
servername.domain.local
The servers must be added to the server pool.

Instead of MS just letting you manage RDS, you have to fix this first. Fine… you go to add them back in but wait…. you have that server which was a session host which died a horrible death and therefore cannot be added back in… What now?
(more…)

Missing your Windows 7 OEM Install Media? – Get it from here!

nbeam published 1 year ago in Consumer Tech, Microsoft, Windows 7, Windows Administration. Tags: , , , ,

0

Several years ago Microsoft provided Windows 7 operating system ISO file downloads easily through a site called Digital River. Legitimate, clean copies of all versions of Windows 7.

Then they stopped.

Why is this a problem?

I refurbish a lot of older desktops and laptops; often to give them away. Those systems usually have a legal OEM (original equipment manufacturer) license. OEM licenses are unique in that they are lower cost licenses provided to system vendors (Dell, HP, etc.) that are tied to the hardware (i.e. they can only be used on the box that they came pre-installed on).

OEM Licenses then are a real blessing, low cost Windows OS for the masses… However if you lose your system disk (or if the OS on your manufacturers media is pre-service pack 1 making it a pain in the rear once installed) and need to get a copy to reinstall on your computer things are no longer as easy as they used to be. Microsoft shut down Digital River and if you want to get install media you now have to enter a license key and have it checked before you can download. Fine… but not fine… if you enter an OEM key you get a really helpful message to contact the manufacturer… Great, if you call Dell, HP, Gateway, etc. they will often tell you that you are out of luck or, at best, charge you some ridiculous fee to ship you an install disk.

Let me reiterate that if you have an OEM key and are using it on the original system with which the key came then you have a legal right to use the operating system. You just need to find install media which is now a royal pain.

Thankfully a kind soul grabbed all of the original Digital River and Technet (another now deprecated option for getting install media) Windows 7 ISO files and provides them via Bittorrent. (more…)

How to get your Windows Activation Key from UEFI BIOS

nbeam published 1 year ago in Microsoft, Windows 10, Windows Administration. Tags: , ,

0

If you got a new computer system recently then it probably is using UEFI bios and it didn’t come with Windows installation media or a product license activation key. What gives?

Manufacturers are now embedding the activation key in the UEFI BIOS. You can retrieve the key by running this command from within a Windows powershell session:

wmic path softwarelicensingservice get oa3xoriginalproductkey

I moved my hard drive to a new Dell OEM PC (new motherboard/chassis/etc.) recently and had to activate windows 10 again once I was up and running. The activation kept failing. I found this out and went to the activation window, hit the “Change key” option and then ran the above command and pulled the key out of UEFI Bios on the new system and it worked without a problem. I had to change the key in my Windows 10 install to match the key stored in the UEFI Bios on the system. Thankfully my Windows 10 install from my old system was the “Pro” SKU and that is what the Dell workstation originally came pre-loaded with.

Easy!

Reference:
https://community.spiceworks.com/how_to/125321-pull-windows-key-from-uefi-bios