Clues You Have Been Hacked

Source: SANS security tip

Some of the most common indicators that you may have been hacked include the following. Your friends tell you that they have received odd emails or messages from you, messages you know you did not send. Your password no longer works for one of your accounts, even though you know you never changed it. Your anti-virus informs you that one of your files, or your computer, is infected. You receive a pop-up message informing you that the files on your computer have been encrypted and you must pay a ransom to recover them.

Instant visibility & restore for Microsoft SharePoint

Source: Veeam

Microsoft SharePoint is an invaluable tool used by organizations worldwide for data sharing and collaboration among teams. SharePoint gives businesses a way to increase teamwork and productivity, streamline their processes and improve their business outcomes. There are several deployment options available for SharePoint, such as on-premises, online through Office 365 or a hybrid deployment. Each option has its own benefits; however, this blog post focuses on Veeam Explorer for SharePoint used with an on-premises deployment of Microsoft SharePoint. If you’re using SharePoint Online, Veeam Explorer is available to you as well through Veeam Backup for Microsoft Office 365.

An on-premises SharePoint farm can consist of multiple servers, each of which needs to keep running to meet your end users’ expectations. To meet those demands, it’s important to have an Availability strategy in place. Veeam meets these expectations by giving you the technology to browse the database, restore individual items and gain instant visibility, while still being easy to use.

Veeam Explorer for Microsoft SharePoint

Veeam has developed many powerful built-in Explorers in its software, and Veeam Explorer for Microsoft SharePoint is no different. From the Veeam backup of your SharePoint server, you gain the ability to browse the content database, recover necessary items without having to fully restore, and start the virtual machine hosting the content database. Like the other Veeam Explorers, this tool is available with all editions of Veeam Backup & Replication, even the Free Edition!

When you perform a backup of your SharePoint Server, remember to enable Application Aware Image Processing. This technology creates a transactionally consistent backup to guarantee the proper recovery of the applications running on your VMs. Once you have successfully created the backup or replica of your SharePoint Server, you can start using the Explorer. The Explorer gives you several options: browsing the SharePoint database, restoring individual SharePoint items and permissions, exporting items (sending them as an email attachment or saving them to another location), and restoring SharePoint sites.

Instant Visibility

Once you’re ready to perform a recovery, the application item restore wizard will auto-discover the SharePoint farms that were backed up and initiate the mount operation. During this operation, Veeam Backup & Replication retrieves information about SharePoint sites, the corresponding database server VMs, and restore points.


Figure 1: Veeam SharePoint Item restore wizard

When first initiating the restore, the wizard shows you the list of available sites included in the backup, allowing you to choose which site you want to explore to find the items you need. The Application Aware Image Processing technology is how Veeam Backup & Replication auto-discovers the information about your SharePoint Servers. It is important to remember to select this option when first performing the backup.


Figure 2: Veeam Explorer for Microsoft SharePoint

Within the Explorer itself you can view the content databases, sites, subsites, libraries and lists. Depending on what you select, you can browse and view its contents to find what needs to be restored. If you’re restoring a document, you can even open and preview the document to ensure it’s the correct item to recover. Available in all editions of Veeam Backup & Replication, Veeam Explorer for Microsoft SharePoint delivers granular browsing and search capabilities to find one item or many items stored in any number of Microsoft SharePoint databases. To support this capability, the guest file system of the VM is mounted directly from the backup to a staging Microsoft SQL Server. By default, Veeam will use the SQL Server Express instance that was installed when you deployed Veeam Backup & Replication. Note that the staging SQL Server must be the same version as, or compatible with, the Microsoft SQL Server that hosts the Microsoft SharePoint content databases. If it is not, you will need to identify a compatible staging SQL Server before you can use the Explorer. This is set within the Veeam Explorer options, under the SQL Server Settings tab. For detailed instructions on this functionality, please refer to the user guide.

With the amount of visibility Veeam Explorer for Microsoft SharePoint provides, you may want to keep track of who is accessing the Explorer, what they are looking at and why they are performing restores. For this, Veeam offers another layer of visibility, especially when it comes to restore operations. This visibility comes in the form of Veeam ONE, specifically the Restore Operators Report, which lets you safeguard your data by seeing who is accessing it, where it is being restored to and what items are being restored.

Veeam ONE Restore Operators Report

Veeam offers powerful, useful tools to ensure Availability for your business. Sometimes, we need to take an extra step to ensure we are still meeting the security requirements of the business as well. Veeam ONE’s Restore Operators Report gives you a detailed description of who is accessing your backup data and what restores they are performing or not performing. This gives you an extra layer of visibility by letting you view all types of restore actions performed across the Veeam Backup Servers.


Figure 3. Restore Operators Activity Report

The above report shows who is accessing the backup data and what restores they are performing. This is an easy way to ensure that only the people with permission to access certain data are accessing it, and only when and how they’re supposed to. The image shows the different users performing restores and the type of each restore: application item, full VM, file-level or even a restore from tape.


Figure 4. Restore Operators Report Continued

Going deeper into the report, you can see which VMs the users are accessing and what restores they are performing, or whether they are performing a restore at all. This report is a useful way to double-check that your users are only accessing what they should be accessing.

Conclusion

Microsoft SharePoint is a valuable tool used in organizations today to increase collaboration among teams, improve teamwork and organizational knowledge, and enable better decisions. Veeam Explorer for Microsoft SharePoint allows you to keep your business’ most important applications available to meet your end users’ demands. An added benefit is that Veeam Explorer for Microsoft SharePoint is even included in Veeam Backup Free Edition — allowing you to start using this powerful technology today!

The post Instant visibility & restore for Microsoft SharePoint appeared first on Veeam Software Official Blog.



How to Build a Failover Plan in Veeam Availability Orchestrator

Source: Veeam

One of the most important components of Veeam Availability Orchestrator is the Failover Plan. The Failover Plan is an essential part of an organization’s disaster recovery plan. It contains the virtual machines to be protected, what steps to take during recovery, and other important information.

Now, let’s take a look at the step-by-step process of creating your disaster recovery plan with Veeam Availability Orchestrator.

When you start the New Failover Plan Wizard, you will first be prompted to select a site. If you have multiple sites in your VAO environment, you would pick the production site of the application you are protecting.

Next, we want to give our Failover Plan a name. I like to use something that is clear and concise, such as the application name. You can also enter a description of your Failover Plan, as well as the contact information for the application you are protecting.

Next, we select the VM Group (or multiple VM Groups) containing the virtual machines of our application. As we mentioned in a previous post, VM Groups can be powered by VMware vSphere Tags. In this list, you can see the VMware vSphere Tags I have set up in my environment. In this case, I am going to select the applications with the HeliumRUN Windows Tag, since it has the virtual machines I am protecting with this Failover Plan.

Next are our VM Recovery Options. In this screen, we can decide how to handle a VM recovery failure in the unlikely event it happens. We can use VAO to run scheduled recovery tests on a regular basis, so this sort of failure would be a rare occurrence. We can also specify whether we want to recover our VMs in a particular order or all at the same time, and how many VMs to recover simultaneously.

In the next screen, we select the steps to take for each VM during recovery. After we finish creating the Failover Plan, we will be able to add additional steps for individual VMs, including custom steps we upload to VAO. This is useful when we want to configure particular steps to verify the operation of an application such as Exchange, SharePoint, IIS or SQL. For a complete list of the Failover Plan steps included with VAO, be sure to take a look at the Veeam Availability Orchestrator official user guide here. Some steps, such as Verify SQL Database, require credentials. If you select a step that requires credentials, you will be prompted to enter them.

One of the most important things to remember is that after we execute a disaster recovery plan, our disaster recovery site is now our production site. Because of this, it is very important that our applications receive the same level of protection they would on any other day. Luckily, Veeam Availability Orchestrator makes this easy by leveraging a pre-configured template job in Veeam Backup & Replication. At this screen, you can simply select the backup job you wish to use to protect your data at the disaster recovery site.

After ensuring your data is protected after your disaster recovery plan has executed, the next step is to configure Veeam Availability Orchestrator’s reporting capabilities. VAO has a completely customizable report template. These disaster recovery plan templates allow for the inclusion of all information needed during a disaster recovery plan execution, and can be scheduled to be sent to key stakeholders on a regular basis to ensure the environment is always ready for failover. For more about the reports included in VAO, be sure to check out this guide to VAO terminology.

By default, the Plan Definition Report and Readiness Check are scheduled to run daily, which is a great way to check the health of our disaster recovery plan. The Plan Definition Report includes all the information about the Failover Plan we just created, as well as a log of changes that have been made. The Readiness Check is a lightweight test that confirms we are ready for a failover at a moment’s notice. If for some reason our Readiness Check reports an error, we can act to remediate it before a disaster strikes.

Finally, we are presented with a summary screen that shows us how our Failover Plan has been configured. Once we click Finish, we have completed setting up our Failover Plan.

If we want to make any changes to our Failover Plan, it’s as simple as right-clicking on our Failover Plan and selecting “Edit,” or highlighting our Failover Plan and clicking “Manage” and then “Edit” on the navigation bar. The edit state is where we can add specific steps to each virtual machine, or to the failover plan in general. For example, I have uploaded a script to be run in the event of a disaster to make some DNS changes for my environment.

This screen can be used to add either pre- or post-failover steps, or steps to each VM individually. The steps can also be put into a particular order if desired. The best part of this functionality is the ability to create a custom flow of steps as needed for each VM. For example, I may want to use the included steps Verify Web Server Port and Verify Web Site (IIS) for a web server in the Failover Plan, and different steps on the SQL server. All of these steps will then be captured in a Plan Definition Report the next time it is run.

Congratulations, you are now protecting your application with Veeam Availability Orchestrator! If you want to take a look at creating your own Failover Plan, you can download a 30-day FREE trial of Veeam Availability Orchestrator.

The post How to Build a Failover Plan in Veeam Availability Orchestrator appeared first on Veeam Software Official Blog.



Microsoft LAPS deployment and configuration guide

Source: Veeam

If you haven’t come across the term “LAPS” before, you might wonder what it is. The acronym stands for “Local Administrator Password Solution.” The idea behind LAPS is that a piece of software generates a password for the local administrator account and then stores that password in plain text in an Active Directory (AD) attribute.

Storing passwords in plain text may sound counter to all good security practices, but because LAPS uses Active Directory permissions, those passwords can only be seen by users who have been given the rights to see them, or who are in a group with those rights.

The main use case is that you can freely give out the local admin password to someone who is travelling and might have problems logging in with cached account credentials. You can then have LAPS set a new password the next time the machine talks to an on-site AD over a VPN.

The tool is also useful for applications that have an auto-login capability. The recently released Windows Admin Center is a great example of this.

To set up LAPS, there are a few things you will need to do to get it working properly.

  1. Download the LAPS MSI file
  2. Schema change
  3. Install the LAPS Group Policy files
  4. Assign permissions to groups
  5. Install the LAPS DLL

Download LAPS

LAPS comes as an MSI file that you need to download and install onto a client machine; you can download it from Microsoft.

Schema change

LAPS needs to add two attributes to Active Directory: the administrator password and the password expiration time. Changing the schema requires the LAPS PowerShell component to be installed. When that is done, launch PowerShell and run the commands:

Import-module AdmPwd.PS

Update-AdmPwdADSchema

You need to run these commands while logged in to the network as a schema admin.

Install the LAPS group policy files

The group policy templates need to be installed onto your AD servers. The *.admx file goes into the “\Windows\PolicyDefinitions” folder and the *.adml file goes into “\Windows\PolicyDefinitions\[language]”.

Once installed, you should see a LAPS section in GPMC under Computer configuration -> Policies -> Administrative Templates -> LAPS

The four options are as follows:

Password settings — This lets you set the complexity of the password and how often it is required to be changed.

Name of administrator account to manage — This is only required if you rename the administrator to something else. If you do not rename the local administrator, then leave it as “not configured.”

Do not allow password expiration time longer than required by policy — On some occasions (e.g. if the machine is remote), the device may not be on the network when the password expiration time is up. In those cases, LAPS will wait to change the password. If you set this to FALSE, then the password will be changed regardless of whether it can talk to AD or not.

Enable local admin password management — Turns on the group policy (GPO) and allows the computer to push the password into Active Directory.

The only option that must be changed from “not configured” is “Enable local admin password management,” which enables the LAPS policy. Without this setting, you can deploy a LAPS GPO to a client machine and it will do nothing.

Assign permissions to groups

Now that the schema has been extended, the LAPS group policy needs to be configured and permissions need to be allocated. The way I do this is to set up an organizational unit (OU) for the computers that will get the LAPS policy, plus a read-only group and a read/write group.

Because LAPS is a push process (the LAPS client on the computer is the one that sets the password and pushes it to AD), the computer’s SELF object in AD needs to have permission to write to AD.

The PowerShell command to allow this to happen is:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

To allow helpdesk admins to read passwords set by LAPS, we need to give a group that permission. I always set up a “LAPS Password Readers” group in AD, as it makes future administration easier. I do that with this line of PowerShell:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

The last group I set up is a “LAPS Admins” group. This group can tell LAPS to reset a password the next time that computer connects to AD. This is also set by PowerShell and the command to set it is:

Set-AdmPwdResetPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

Once the necessary permissions have been set up, you can move computers into the LAPS enabled OU and install the LAPS DLL onto those machines.
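The three delegation steps above, plus an audit of who can actually read the passwords, as one added PowerShell script. This is example code written for this page, not the blog post's own script or part of the LAPS product; the OU distinguished name and the two group names are placeholders to replace with your own, and it assumes the AdmPwd.PS module is installed and you are running as an account allowed to modify the OU's ACL.

```powershell
# Added example (not from the original post): delegate LAPS permissions for one OU
# in the order the guide describes, then list every principal that can read passwords.
# Assumptions: AdmPwd.PS is installed; the OU and group names below are placeholders.
Import-Module AdmPwd.PS

$LapsOU      = 'OU=LAPS Computers,DC=example,DC=com'   # placeholder OU DN
$ReaderGroup = 'LAPS Password Readers'                 # read-only helpdesk group
$AdminGroup  = 'LAPS Admins'                           # may force a password reset

# 1. Let each computer's SELF object write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Set-AdmPwdComputerSelfPermission -OrgUnit $LapsOU

# 2. The helpdesk group may read the stored password.
Set-AdmPwdReadPasswordPermission -OrgUnit $LapsOU -AllowedPrincipals $ReaderGroup

# 3. The admin group may clear the expiration time, which makes the client
#    generate a new password at its next policy refresh.
Set-AdmPwdResetPasswordPermission -OrgUnit $LapsOU -AllowedPrincipals $AdminGroup

# Audit: "All extended rights" on the OU also grants read access to the password
# attribute, so anything unexpected in this list can read every local admin password
# under the OU and should be removed before computers are moved in.
Find-AdmPwdExtendedRights -Identity $LapsOU |
    Select-Object -ExpandProperty ExtendedRightHolders
```

Run the audit step again whenever the OU's permissions are changed; it is the quickest way to catch a broad delegation (for example a group that was given full control of the OU for an unrelated reason) that silently exposes the passwords.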

LAPS DLL

Now that the OU and permissions have been set up, the admpwd.dll file needs to be installed onto all the machines in the OU that has the LAPS GPO assigned to it. There are two ways of doing this. First, you can simply select the AdmPwd DLL extension component when installing from the LAPS MSI file.

Or, you can copy the DLL (admpwd.dll) to a location on the path, such as “%windir%\System32”, and then run the command regsvr32.exe AdmPwd.dll. This process can also be included in a GPO start-up script or a golden image for future deployments.

Now that the DLL has been installed on the client, a gpupdate /force should allow the locally installed DLL to do its job and push the password into AD for future retrieval.

Retrieving passwords is straightforward. If the user in question has at least the LAPS read permission, they can use the LAPS GUI to retrieve the password.

The LAPS GUI can be installed by running the setup process and ensuring that “Fat Client UI” is selected. Once installed, it can be run just by launching the “LAPS UI.” Once launched, just enter the name of the computer you want the local admin password for and, if the permissions are set up correctly, you will see the password displayed.

If you do not, check that the GPO is being applied and that the permissions are set for the OU where the user account is configured.

Troubleshooting

Like anything, LAPS has a few quirks. The two most common ones I see are staff with permissions who cannot view passwords, and client machines that do not update the password as required.

The first thing to check is that the admpwd.dll file is installed and registered. Then, check that the GPO is applying to the server that you’re trying to change the local admin password on with the command gpresult /r. I always like to give applications like LAPS their own GPO to make this sort of troubleshooting much easier.

Next, check that the GPO is actually turned on. One of the oddities of LAPS is that it is perfectly possible to set everything in the GPO and assign the GPO to an OU, but it will not do anything unless the “Enable local admin password management” option is enabled.

If there are still problems, double-check the permissions that have been assigned. LAPS won’t error out; the LAPS GUI will just show a blank for the password, which could mean either that the password has not been set or that the permissions have not been set correctly.

You can double-check permissions using the extended attributes section of Windows permissions. You can access this by launching Active Directory Users and Computers -> Browse to the computer object -> Properties -> Security -> Advanced

Double click on the security principal:

Scroll down and check that both Read ms-Mcs-AdmPwd and Write ms-Mcs-admpwd are ticked.
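The same two checks, retrieving a password as described in the "Retrieving passwords" paragraphs and inspecting the ms-Mcs-AdmPwd permissions on a computer object as described in this troubleshooting section, as an added PowerShell script rather than a walk through the GUI. It is example code written for this page, not the post's own or part of LAPS; it assumes the RSAT ActiveDirectory module and AdmPwd.PS are installed, and the computer name is a placeholder.

```powershell
# Added example (not from the original post): for one computer account, show the
# LAPS password and expiry, then list who holds Read/Write/extended rights on the
# ms-Mcs-AdmPwd attribute. Assumptions: ActiveDirectory and AdmPwd.PS modules present;
# $ComputerName is a placeholder.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ComputerName = 'WKS-001'   # placeholder computer account name

# A blank Password with no error is the permission (or never-set) symptom the guide
# describes; ExpirationTimestamp in the past means the client has not pushed a new one.
Get-AdmPwdPassword -ComputerName $ComputerName |
    Select-Object ComputerName, Password, ExpirationTimestamp

# The attribute's schemaIDGUID is created per forest by Update-AdmPwdADSchema, so look
# it up in the schema instead of hard-coding a GUID.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$pwdGuid = [guid]$attr.schemaIDGUID

$comp = Get-ADComputer -Identity $ComputerName
$acl  = Get-Acl -Path ('AD:\' + $comp.DistinguishedName)

# ACEs scoped to the attribute GUID target ms-Mcs-AdmPwd directly; ACEs with an empty
# ObjectType (GenericAll, "All extended rights") cover every attribute, including this
# one. Reading the confidential attribute needs the extended right, not just ReadProperty.
$acl.Access |
    Where-Object { $_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq [guid]::Empty } |
    Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty|WriteProperty|ExtendedRight|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Sort-Object IdentityReference
```

Expect to see NT AUTHORITY\SELF with WriteProperty (from Set-AdmPwdComputerSelfPermission) and your reader group with ReadProperty plus ExtendedRight, both inherited from the OU; an entry with GenericAll or ExtendedRight and an empty ObjectType that you do not recognise is a principal that can read the password without ever having been delegated it explicitly.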

In summary, LAPS works very well and is a great tool for deployment to servers and, especially, to laptops and the like. It can be a little tricky to get working, but it is certainly worth the time investment.


The post Microsoft LAPS deployment and configuration guide appeared first on Veeam Software Official Blog.

