Why technology will doom us all

As much as I like and make a living from technology, I have always maintained a healthy interest in all aspects of digital security. I have written plenty of previous articles about how technology is pretty devoid of good security in my opinion, such as:

Bad guy just keep winning

The world of security anonomalies

Security before convenience or else

Here’s another recent personal episode that once again proves my point that we are headed to a very bad place with technology due to a lack of focus and understanding of the real value of security.

While visiting a family member they informed me they feared their PC had been hacked. The reason cited was they saw a message appear on the screen, while browsing the Internet, that told them their system had been hacked. They immediately panicked and turned the whole system off awaiting my arrival.

Time to investigate.

I powered the machine back up and ran a few scans and checked the logs and couldn’t see anything nasty. The family member told me that they had been searching the Internet and viewing the resultant sites. The last one they remember visiting was:

Tasmanian Air Adventures

Rather than visiting the site I ran my own search on the name of the business.

image

Above is the first result that was returned. If you look closely you’ll see that the results returned are just ‘default text’ (i.e. Donec ullamcorper…). This indicates to me that the site still has some ‘defaults’ set somewhere. If that is the case then the site also probably has ‘default’ security, which really means no security!

After a little more digging I turned up the suspect HTML page and the above image from the browser cache which is what the user remembered seeing.

The suspect HTML also revealed that the exploit used was against an outdated Mailchimp WordPress plugin.

After some further checking I was confident that the exploit targeted the insecure server, not client browsers. I reassured the user that all was good and they didn’t have anything to worry about (for the reasons I’ll point out a bit later).

After some more digging it turns out that the company whose web site it was actually went into liquidation a while back.

Tasmanian Air Adventures in liquidation

That was about 10 months ago as of today.

So here are my comments/questions:

1. Why the hell is an insecure web site still allowed to be running when that company was liquidated 10 months ago?

2. Who the hell is paying for that server to be still running?

3. If that web server was actually shared amongst others, that insecure account now potentially makes all accounts on that server vulnerable.

I could go on but ….

My point here is that as we race towards making technology more and more part of our lives and our businesses, including connecting them all together all the time, we make ourselves more vulnerable to any single insecurity.

The Internet of Things sure sounds great but it will open a Pandora’s box of pain for everyone by connecting every device we see to the Internet. Why? Because all it requires is one insecurity in any of these connected systems to give the bad guys a foothold. In fact, I would contend that it is too late, they are already well entrenched.

I’m scared. I really am. We are building a world that is going to fail, and fail potentially catastrophically. It is going to make us more vulnerable. It’s a world where the financial incentive is heavily stacked towards doing evil rather than good.

It is pretty much impossible these days to go totally Unabomber and unplug. Thus, our only realistic option is to deal with the world we have created. That means taking total ownership of your own security.

Case in point, the family member who experienced this issue was running a FULLY patched AUTOMATICALLY updating version of Windows 10 with other security measures in place thanks to yours truly. Many people complain about the change Microsoft made to have Windows and Office automatically update. I, however, think that is GREAT! It is one thing EVERY piece of software MUST do in my opinion. Otherwise, we leave holes that the bad guys can crawl into and never be removed once they are in.

The reality, which I believe fails to be grasped, is that technology security is a losing equation. Every day more and more software and devices become vulnerable because they are not being updated YET they remain connected, just like the web server my relative was visiting.

I’m sorry, we are all doomed and technology is to blame. You have been warned.

Enabling Customer Lockbox

image

Microsoft already has a very secure process about when and how support staff may access your Office 365 tenant data. Here’s a great video that explains this:

The recent addition of Customer Lockbox provides additional control for the customer.

Basically, once Customer Lockbox has been enabled the user has the final say over when and for how long Microsoft may access the tenant data to provide support.

image

To enable Customer Lockbox you’ll need to have the appropriate license (i.e. the new E5 SKU includes Customer Lockbox for example), then you’ll need to log in as an administrator to the Office 365 admin center.

image

If you then locate and expand the Service Settings option on the left hand side of the screen, you should see the list shown above. In the list is the option Customer Lockbox, which you should select.

 

image

Now on the right you should see the above screen. To enable Customer Lockbox simply change the switch to ON (i.e. move to right).

image

You’ll then receive the above warning. Select Yes to enable.

image

You should now see that Customer Lockbox is enabled as shown above.

To find out more about Customer Lockbox visit:

Office 365 Customer Lockbox Requests

and note once Customer Lockbox has been enabled:

If a content access request is denied or isn’t approved within 12 hours, the request expires. If this happens, you might continue to experience a specific service issue that could be resolved by allowing an engineer to access the content. We’ll (Microsoft) let you know if this happens.

So in summary, Customer Lockbox is a feature you can add on to Office 365 to prevent Microsoft accessing your data without your specific permission once enabled.

Here is also an overview video from Microsoft:

Introduction to Azure

I have blogged and done plenty of presentations about different Azure services (i.e. Azure SMB File Shares recently), but when I looked through my list of YouTube videos I didn’t have a basic video that provided just a general overview of what Azure is.

So I took some content from a recorded webinar and packaged it up into the video you’ll see above and at:

What is Azure?

It runs for about ten minutes and hopefully provides a good resource for those who are still trying to understand what Azure is all about.

From there, I’d suggest you take a look at my online training academy which has a few courses on Azure but probably the most relevant one is:

Introduction to Azure

which has about 19 lessons that are aimed at giving you basic information about some of the most relevant features of Azure for IT Professionals.

You can also search all my blog posts on Azure using the Azure tag. The results of that are:

CIAOPS blog Azure posts

which you can use now or any time in the future as I aim to continue to tag each article which deals with Azure.

If you are still struggling with Azure, don’t hesitate to contact me with your questions and I’ll do my best to help shed some light on what at times, I understand, can be somewhat confusing. If you’d also like to see me write or present about something in Azure just let me know and I’d be happy to make it happen. All you gotta do is ask.

Disabling Delve per user

A while back I wrote a post about how to turn off Delve.

Disabling Delve

That information is echoed in the Microsoft documentation:

Can I turn off Delve?

However, upon revisiting my tenant now I find the options somewhat different.

image

The first step is to select your user icon in the top right of the Office 365 portal. That will display the menu shown above from which you select About me.

image

This will take you to your Delve profile as shown above.

image

If you now select the cog in the upper right you should see the menu shown. From this, select Features settings.

image

This displays the above information with the option to turn off documents in Delve.

image

This is somewhat different to what it used to be as shown above which gives you the option to Turn off Delve and hide my activity from others.

Unfortunately the Learn more link in the current Delve settings, which resolves to:

http://go.microsoft.com/fwlink/?LinkId=715632&clcid=0x409

image

appears to navigate to a non-existent page.

Some of this confusion may be because I have my tenant set to First Release, which means I get newer features faster, but I feel that things are not quite as clear as before when it comes to disabling Delve if needed.

Previously, it spoke about not sharing your “activity” whereas now it only speaks about preventing your documents showing up in other people’s Delve.

Now your “activity” could just be documents in Delve. That is, they are one and the same, but for the paranoid amongst us this lack of clarity could be a privacy concern. I think using “Don’t share my activity” is a much clearer and potentially wide ranging option.

I can’t really see any benefits to users disabling Delve but there are a small minority who might, and I think that somewhat clearer messaging around disabling Delve would prevent confusion in regards to privacy concerns. I however have no doubt that these settings will appear as the service continues to improve over time, however for the time being you only seem to be able to disable document sharing in Delve as I have outlined above.

Azure Backup Server for Applications configuration

I have written before about how Azure can be used to back up files and folders quickly and shown how to set all that up here:

Azure Desktop Backup

Recently, Azure Backup was extended so that it can now back up server services such as Exchange, SQL, SharePoint, etc.:

Azure backup now does servers

This involves a different process to set up, so here is a walkthrough of setting up Azure Backup Server for Applications.

image

You’ll need to have an Azure Backup Vault already in place as the destination for your backups. You create this Azure Backup Vault in the Azure management console under the Recovery Services option. You can have as many Azure Backup Vaults as you wish and my personal practice is to have a separate vault for each machine. If you need to create a new vault I have detailed how to do this previously.

image

Once the vault has been created you’ll need to download the Azure Backup software. You can find this in the details for the Backup Vault as shown above. You need to download the Microsoft Azure Backup for Applications.

This will in effect take you to the following download link:

https://www.microsoft.com/en-us/download/details.aspx?id=49170

image

That page will allow you to download the software. Beware that the Backup for Applications software is about 3.2 GB in size. Why? Because it includes the Microsoft Data Protection Manager (DPM) and SQL 2014.

image

There are a number of different files you need to download, as shown above. Place them all in the same directory and then run MicrosoftAzureBackupInstaller.

image

The installation process will now commence. Select Next to continue.

image

The next step in the process is to expand the downloaded files into a single installation directory. You can customise this directory if desired. Select Next to continue.

image

Select Extract to continue.

image

The files will now commence extracting into the directory that you nominated.

image

Be patient, the extraction process will take a few minutes.

image

When the extraction process is complete you are given the option to Execute setup.exe to install the software. Leave this option selected and press Finish.

image

The setup splash screen should now appear as shown above. From this screen select Microsoft Azure Backup under the Install column on the left.

image

The C++ Runtime will now be installed.

image

The setup screen should now appear as shown above. Select Next to continue.

image

Select the Check button in the top right to ensure all the prerequisite software is installed.

image

If the prerequisites are met you should see a message confirming that as shown above. Select Next to continue.

image

You’ll now need to specify an SQL server as part of the configuration. You can configure an existing SQL server on your network or you can elect to install a new instance on the current machine. If you select an existing SQL Server it will need to be running SQL 2014.

In most cases you’ll want to install a new instance of SQL 2014, so ensure that option is selected. Now select the Check and Install button in the top right.

image

Your system will then be checked. This should only take a minute or two.

image

You’ll then see a report of the results. A couple of things to notice here:

– You need to install this software on a domain joined server

– You need to have .NET 3.5 SP1 installed

– You can install this software on a domain controller but if you do you’ll need to follow this guidance before proceeding:

https://technet.microsoft.com/en-us/library/ff399416.aspx

image

In this case the installation is on a member server and no critical issues were detected. Select Next to continue.

image

You’ll then be prompted to confirm your installation configuration.

Once you have made any modifications here select Next.

image

Now provide a password for the two accounts required to run services. Remember to record this password!

Select Next once you have entered a suitable password.

image

Select how you wish to manage updates and then Next to continue.

image

The configuration information is displayed. Select Install.

image

The selected software components will now be installed.

image

You’ll now be prompted to complete the Azure Recovery Services Agent Setup Wizard as you would with the normal Azure Backup option.

Enter any proxy details and select Next.

image

If additional software is required to support this agent it will be displayed.

Select Install.

image

Supporting software will then be installed.

image

When the required supporting software has been installed select Next.

image

You’ll then be prompted for the location of the Vault credential file.

image

You download this file from the console of the Backup Vault as shown above by selecting the Download vault credentials link.

image

Once the vault credential file has been verified select Next.

image

You’ll now need to generate a unique encryption key for this backup. In most cases you will select the button Generate Passphrase to create a secure key.

You will also be prompted for a location to save a text file of this encryption key. Ensure that this key is recorded and a copy of the file is saved to another system so it can be used if recovery is required.

When all this is complete, select Next.

image

The installation process will continue.

image

You will receive a confirmation message as shown above that the process is complete.

Press Close to complete the installation.

image

You should now find an icon on your desktop like that shown above for Microsoft Azure Backup Server. Double click this to launch.

image

The Microsoft Azure Backup console should now launch as shown above.

Here’s the Microsoft documentation on this configuration process:

Preparing to back up workloads using Azure Backup Server

I’ll look at covering how to use Azure Backup Server to backup and restore files in an upcoming post.

Just when you think you need to restore

image

Had a bit of a heart stopper with my Surface Pro 3 refusing to boot past the initial screen shown above.

Long story short, this site provided the solution:

Surface turns on, but Windows won’t start

This is what worked for me:

Solution 3: Two-button shutdown (Surface Pro models only)

Important

Don’t use this process on Surface RT, Surface 2, or Surface 3.

Use this two-button shutdown process to ensure that your Surface is turned off completely. Here’s how:

Step 1:
Press and hold the power button on your Surface for 30 seconds and then release it.

Step 2:
Press and hold the volume-up button and the power button at the same time for at least 15 seconds and then release both.
The screen may flash the Surface logo, but continue holding the buttons down for at least 15 seconds.

Step 3:
After you release the buttons, wait 10 seconds.

Step 4:
Press and release the power button to turn your Surface back on.

Phew! So if you didn’t know, there is a two-button process to ensure the Surface Pro 3 is off completely!

Hopefully, this gets someone out of a similar jam and prevents them from trying lots and lots of things before discovering this process.

Enabling Office 365 Planner Trial

This information is thanks to fellow Microsoft MVP Darrell Webster and his original blog post on the topic here:

http://webster.net.nz/2016/01/provision-office-365-planner-preview/

I’ve been busting to get a look at Office 365 Planner. I know it has now become available and that I need to have First Release enabled for my whole tenant. However, I still hadn’t seen it appear. Then along came Darrell’s blog post to the rescue.

The first step to enable Office 365 Planner Preview is to open a new browser using in-private or incognito mode. This will ensure that you don’t automatically log into an existing tenant, because we want to add the Planner Preview to an existing Office 365 tenant.

In this new browser window navigate to:

Office 365 Planner Preview Trial

image

You should see the page above displayed. In the top right corner select the Sign In option to add Planner to an existing tenant.

image

You should then be taken to the familiar Office 365 login page as shown above. Log in here as a global administrator.

image

You’ll then be asked to confirm adding Planner to this tenant. Select the Try now button to continue.

You’ll then be given a summary of the order. Select the Continue button.

This will then complete the process and take you to the Office 365 admin center.

image

It is unlikely that the Planner tile will appear immediately in your Office 365 app launcher as shown above. It may take up to 24 hours for this to appear.

image

You’ll need to then go into the users you want to give access to Office 365 Planner and assign them a license as shown above.

image

Until the tile appears you can access Office 365 Planner directly using:

https://tasks.office.com

You might need to log in as a valid Office 365 user that is licensed for Planner. If all is good you should see the above screen and you are now ready, like me finally, to start using Office 365 Planner.

Once again, thanks to Darrell Webster for taking the time to document this.

More information about Planner once I’ve had a play.

Azure SMB File Share–Performance and price

So, in the last post I demonstrated how to create an SMB file share on Azure and use it as a mapped drive replacement for users who wanted such an arrangement, typically to mimic an existing on premises file server. That however is only half of the business case for such a solution. To make an informed decision we need to consider both the Azure SMB File Share performance and pricing.

Performance first. For this I used a standard set of files, about 83 MB in total, that included small (1MB) Office documents (PowerPoints, Word, Excel, etc). I also included a few larger video files (>10MB) in this group of files as my benchmark. I then uploaded these files from the local drive of my workstations (I tried on Windows 8.1 and Windows 10 to get a kinda “average”) using the same browser over the same connection (ADSL – download speed about 12 Mbps, upload about 0.6 Mbps). During all the tests the workstations were not doing anything and there was nothing else going to the Internet for the duration of the file transfer. Both the Office 365 destination tenant and Azure file share destination container were in the Australian data center region.

image

With that process as my baseline you can see the results that I got above when I transferred the same files to OneDrive Consumer, OneDrive for Business and the mapped Azure drive (using File Explorer).

Some general observations from this data are:

1. Uploads to OneDrive consumer were noticeably slower. You get what you pay for clearly.

2. OneDrive for Business and Azure file share transfers are pretty much the same. This tells me that there is no loss in performance by electing to use Azure file shares over OneDrive for Business if you so choose.

image

As a comparison I copied the same data up to an Azure Windows 10 virtual machine running in the Australian region. The transfer of the data there using the RDP client took about the same amount of time as the upload to OneDrive or Azure file shares but HOLY COW, look at the difference once the data is actually in an Azure virtual machine as the chart shows!

                            Seconds
OneDrive Consumer             1,282
Azure Share                   1,090
OneDrive Business             1,059
OneDrive consumer (VM)           32
OneDrive Business (VM)           20
Azure Share (VM)                  5

Above are the raw figures for a comparison of just how much faster things are. In some cases up to 200X.

Some general observations here:

1. Bandwidth MATTERS! The limiting factor for all my uploads to OneDrive and Azure file shares from my desktop is my connected bandwidth up to the Internet.

2. If you are going to go through the pain of moving your data into the cloud, it is much better to access that data from a machine that is also in the cloud, preferably in the same datacenter.

3. If you want to migrate “totally” to the cloud not only should you consider your data but how that data is being accessed. If you move both your data and your desktops to the cloud you could potentially see a 200X performance improvement over accessing the data on a local desktop.

So in summary. Azure file share performance is no worse than using other methods of accessing files in the cloud but if you can also have virtual desktops in the same data center, holy smokes is it quicker.

Now pricing. For this I used the standard Azure pricing calculator at:

https://azure.microsoft.com/en-us/pricing/calculator/

and here are the results based on 100GB of stored data being overwritten every month.

image

The first requirement when pricing an Azure solution is the cost of storage which you can see above comes to the princely sum of A$18.60 per month for 100GB.

image

You then need to allow for data transfers. Azure only charges for data out of Azure, not in, and you also get the first 5GB to any region free. So for 100GB of transfers you’d pay A$16.70 per month.

image

As you can see above, the grand total would be A$35.29 per month for 100GB of georedundant data storage using an Azure file share.

So let’s say an on premises server costs A$3,500. That means I could use Azure file share storage for 100 months, which is 8 years and 4 months, for the same cost. To be safe, let’s divide that by two (50% margin of safety being the good engineer I am) and discard the remainder. By my rough costing estimates, you can use Azure file share storage for 4 years before it exceeds the price of on premises equipment purchased today. So, using Azure file share storage is no worse than the cost of shelling out for equipment today using this analysis.
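To make the performance and pricing arithmetic above reproducible, here is an added Python script (written for this page, not part of the original post) that works only from the figures quoted in the post: the 83 MB test set, the 0.6 Mbps ADSL upload, the measured seconds in the table, the A$3,500 server and the A$35.29 per month Azure total. It assumes MB means 10^6 bytes and Mbps 10^6 bits per second, and shows that the desktop uploads all ran at roughly the nominal upload speed of the link, which is the “bandwidth MATTERS” point in numbers.

```python
"""Worked numbers behind the Azure SMB file share comparison.

All inputs are the figures quoted in the post. Assumed units: MB = 10^6 bytes,
Mbps = 10^6 bits per second.
"""

DATASET_MB = 83.0                  # size of the test file set, from the post
ADSL_UPLOAD_MBPS = 0.6             # quoted ADSL upload speed, from the post
SERVER_COST_AUD = 3500.0           # on premises server price used in the post
AZURE_SHARE_AUD_PER_MONTH = 35.29  # Azure calculator total for 100GB, from the post

# Measured upload times in seconds, copied from the post's table.
MEASURED_SECONDS = {
    "OneDrive Consumer": 1282,
    "Azure Share": 1090,
    "OneDrive Business": 1059,
    "OneDrive consumer (VM)": 32,
    "OneDrive Business (VM)": 20,
    "Azure Share (VM)": 5,
}


def link_bound_seconds(size_mb: float, upload_mbps: float) -> float:
    """Fastest possible upload of size_mb over a link with upload_mbps of capacity."""
    return size_mb * 8.0 / upload_mbps


def effective_mbps(label: str) -> float:
    """Throughput actually achieved for one row of the table, in Mbps."""
    return DATASET_MB * 8.0 / MEASURED_SECONDS[label]


def speedup(desktop_label: str, vm_label: str) -> float:
    """How many times faster the in-datacentre copy was than the desktop upload."""
    return MEASURED_SECONDS[desktop_label] / MEASURED_SECONDS[vm_label]


def break_even_months(server_cost: float, monthly_cost: float,
                      safety_divisor: int = 2) -> int:
    """Whole months of Azure storage the server price buys, after the post's margin.

    The post halves the figure (50% margin of safety) and discards the remainder.
    """
    return int(server_cost / monthly_cost) // safety_divisor


def summary() -> dict:
    """Headline figures: link floor, achieved throughput, VM speedups, break-even."""
    desktop = ("OneDrive Consumer", "Azure Share", "OneDrive Business")
    pairs = (("OneDrive Consumer", "OneDrive consumer (VM)"),
             ("OneDrive Business", "OneDrive Business (VM)"),
             ("Azure Share", "Azure Share (VM)"))
    months = break_even_months(SERVER_COST_AUD, AZURE_SHARE_AUD_PER_MONTH)
    return {
        # If the link were the only limit, 83 MB could not go up faster than this.
        "link_floor_seconds": round(link_bound_seconds(DATASET_MB, ADSL_UPLOAD_MBPS)),
        # Desktop uploads cluster around 0.6 Mbps: the ADSL link was the bottleneck.
        "desktop_mbps": {k: round(effective_mbps(k), 2) for k in desktop},
        "vm_speedup": {d: round(speedup(d, v), 1) for d, v in pairs},
        "break_even_months": months,
        "break_even_years": months // 12,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```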

So there you have it. Pretty conclusive in my opinion, even if these are rough calculations. Azure file share storage is no worse in regards to price and performance when compared to other storage solutions. However, Azure file share storage has a great many other benefits I’ll go into soon when compared to any on premises equivalent (like say the cost of actually running up and installing an on premises file server versus setting up Azure file shares) but hopefully I’ve at least made people question why the hell they need a server on premises any more?