headerpic
« Hem

Azure Information Protection – Protect all documents from unauthorized users!

Skrivet av: Simon Öhman
July 9, 2018

AIP should be used by all companies to protect their valuable documents and e-mail as has been shown these last years with massive leaks of documents from several companies.

What is AIP? It brings you the possibilities to classify documents with appropriate labels regarding which content the document contain. The labels can be customized to enable that only users in your domain is able to read the content or a specific person.

AIP uses the existing Azure Rights Management which is already integrated with cloud services Office 365 and Azure Active Directory, data is protected by encryption, identity and authorization policies.

What can be done with AIP? Start by setting a policy and choose if is for the whole tenant or for a specific group. In the policy settings it is possible to set how the labels are presented to the users, as an example if the users need to choose a policy to send an e-mail.

Then start by defining what types of labels and sub-labels that is needed in the organization. Microsoft has a standard of Personal, Public, Confidential, Highly Confidential and General labels. As an example, we can make a sub-label for Highly Confidential that automatically is chosen when a user writes a personal identification number or a credit card number.

There the e-mail is only possible to read for a day and who can read the e-mail, it can be the recipient of the mail or a group of users that is configured for this label. This would protect the confidential info from getting in to the wrong hands.

 

A useful tool is using the Azure RMS Portal where you can track your protected documents and see where in the world the document has been opened or how it has been shared. As a global admin it is possible to track all the documents from your organization and revoke access if the document has gotten in to the wrong hands.

How do you get to use AIP? A licensing of Enterprise Mobility and Security E3 or a subscription of Office 365 that includes Azure Rights Management.

Postad i: Azure | Säkerhet |

Lämna en kommentar


Periodic backup and restore in Service Fabric standalone (Preview)

Skrivet av: Andreas Andersson
April 30, 2018

In this blog I’m going to go through how to set up backup and restore for Service Fabric standalone (on premise) to a file share.

First we need to use the Service Fabric runtime version 6.2.262.9494. So first upgrade your cluster, to do that first we need to connect to the cluster. In this example I will be using Windows as ClusterCredentialType instead of a certificate but this will work either way.

 

Check the available versions:

Connect-ServiceFabricCluster -ConnectionEndpoint ‘localhost:19000’ -WindowsCredential

 

Check the available versions:

Get-ServiceFabricRuntimeSupportedVersion -Latest and note the version number.

 

Start the upgrade:

Start-ServiceFabricClusterUpgrade -Code -CodePackageVersion ‘Version’ -UnmonitoredAuto

 

Monitor your upgrade with Get-ServiceFabricClusterUpgrade It should say

UpgradeState: RollingForwardCompleted when done

 

After the cluster is upgraded to at least version 6.2 we need to change some things in the cluster configuration.

Open up your current cluster configuration if you have it saved (you should) or you can get it from the cluster itself by executing this command:

Get-ServiceFabricClusterConfiguration

 

Enabling Backup and Restore service

Open the cluster configuration in your favorite editing software and check that the apiversion is

10-2017, if not update it and also remember to update the clusterConfigurationVersion otherwise we can’t update the cluster configuration as it does not allow the same version as before.

It should look something like this:
{

“apiVersion”: “10-2017”,

“name”: “CLUSTERNAME”,

“clusterConfigurationVersion”: “1.0.0”,

}

We then need to add the backup and restore service and we do that by adding the addonFeatures from the snippet below.

“properties”: {

“addonFeatures”: [“BackupRestoreService”],

“fabricSettings”: [ … ]

}

If you plan or is using a X.509 certificate you also need to add the certificate thumbprint, you can see an example in this snippet.

“properties”: {

“addonFeatures”: [“BackupRestoreService”],

“fabricSettings”: [{

“name”: “BackupRestoreService”,

“parameters”:  [{

“name”: “SecretEncryptionCertThumbprint”,

“value”: “[Thumbprint]”

}]

}

}

 

When you have done this save the document and update your cluster configuration, connect to the cluster if you are not connected.

Connect-ServiceFabricCluster -ConnectionEndpoint ‘localhost:19000’ -WindowsCredential

After you make sure you are connected start the upgrade.

Start-ServiceFabricClusterConfigurationUpgrade -ClusterConfigPath ‘Path to config file’

 

Monitor the upgrade progress with this cmdlet:

Get-ServiceFabricClusterConfigurationUpgradeStatus it should say RollingForwardCompleted when done.

 

You can now check you cluster to see if the BackupRestoreService now is under system.

Http://localhost: 19080/Explorer/index.html

Create a backup policy

Now we need to create a backup policy for our application:

$ScheduleInfo = @{

Interval = ‘PT15M’

ScheduleKind = ‘FrequencyBased’

}

$StorageInfo = @{

Path = ‘ \\172.21.3.182\BackupRestoreService’

StorageKind = ‘FileShare’

}

$BackupPolicy = @{

Name = ‘GettingStartedApplication’

MaxIncrementalBackups = 20

Schedule = $ScheduleInfo

Storage = $StorageInfo

}

$body = (ConvertTo-Json $BackupPolicy)

$url = “http://localhost:19080/BackupRestore/BackupPolicies/$/Create?api-version=6.2-preview”

Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType ‘application/json’ -Credential (Get-Credential)

 

This policy will backup every 15 minutes for a maximum of 20 incremental backups.

In the invoke-WebReqeust I have -Credential (Get-Credential) since the cluster is using windows as a credential type but you can replace the -Credential (Get-Credential) with  -CertificateThumbprint ‘Thumbprint’.

 

Enable the backup policy

Now we need to enable the backup policy for our application and the application I’m using is called fabric:/GettingStartedApplication

So the name in the url we will be using is only GettingStartedApplication (we will be using the applicationname in the url from this point forward) and then use the name of the policy we created earlier.

$BackupPolicyReference = @{

BackupPolicyName = ‘GettingStartedApplication’

}

$body = (ConvertTo-Json $BackupPolicyReference)

$url = “http://localhost:19080/Applications/GettingStartedApplication/$/EnableBackup?api-version=6.2-preview”

Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType ‘application/json’ -Credential (Get-Credential) or use -CertificateThumbprint ‘Thumbprint’

The policy will now be triggered after 15 minutes and you should be able to see it in the file share we specified earlier:

List the backups

You can now list the backups with PowerShell.

$url = “http://localhost:19080/Applications/GettingStartedApplication/$/GetBackups?api-version=6.2-preview”

$response = Invoke-WebRequest -Uri $url -Method Get -Credential (Get-Credential)

or use -CertificateThumbprint ‘Thumbprint’

$BackupPoints = (ConvertFrom-Json $response.Content)

$BackupPoints.Items

Restore Partition

To restore a partition we need to get some information from the previous snippet when we listed the backups. What we need is BackupID and BackupLocation. In the BackupLocation we will see what service and what partition ID we can backup.

In my example I will use StatefulBackendService from the application GettingStartedApplication.

$StorageInfo = @{

Path = ‘\\172.21.3.182\BackupRestoreService’

StorageKind = ‘FileShare’

}

$BackupInfo = @{

BackupId = ‘f5367d0f-58f1-45d3-bf3b-b3cb7a7cfae8’

BackupLocation = ‘GettingStartedApplication\StatefulBackendService\fd9a836b-6218-44c6-b612-3d90fb484dc0\2018-04-27 13.42.42.zip’

BackupStorage = $StorageInfo

}

$body = (ConvertTo-Json $BackupInfo)

$url = “http://localhost:19080/Partitions/fd9a836b-6218-44c6-b612-3d90fb484dc0/$/Restore?api-version=6.2-preview”

Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType ‘application/json’ -Credential (Get-Credential)

or use -CertificateThumbprint ‘Thumbprint’

 

Monitor restore progress

To monitor the progress you can send a GET against the partition id we restored and get back Accepted, Succeeded or Failure.

$url = “http://localhost:19080/Partitions/fd9a836b-6218-44c6-b612-3d90fb484dc0/$/GetRestoreProgress?api-version=6.2-preview”

$response = Invoke-WebRequest -Uri $url -Method Get -Credential (Get-Credential)

or use -CertificateThumbprint ‘Thumbprint’

$RestoreProgress = (ConvertFrom-Json $response.Content)

$RestoreProgress.RestoreState

Postad i: Service Fabric |

Lämna en kommentar


Azure Resource Manager (ARM) – Templates

Skrivet av: Patrik Lundin
July 1, 2016

Att använda Azure som plattform för sin infrastruktur har dom flesta förstått kan ge stora fördelar inom flera segment och är det något som jag gillar extra mycket så handlar det om effektivisering i form av tid. Att skapa och konfigurera infrastruktur i Azure har länge varit enkelt, smidigt och kostnadseffektivt, men hur kan man göra det mer effektivt, automatiserat och samtidigt få det dokumenterat fullt ut?
Många har enda sedan starten av Azure försökt bygga script med hjälp av Powershell för att få en automatiserad process för provisionering och konfigurering av sin infrastruktur vilket har fungerat bra, men sedan lanseringen av Resource Manager i Azure kan man nu på ett enkelt sätt använda sig av mallar i .json format i kombination av Powershell.

Vad betyder det här i praktiken då? Det innebär att vi kan förkonfigurera vår infrastruktur i mallar, dessa mallar kan vi sedan använda för att provisionera infrastruktur direkt i Azure. Mallarna kan vi sedan versionshantera vilket innebär att om det i framtiden (vilket det troligtvis gör) sker förändringar i miljön så kan vi använda samma mallar för att göra uppdateringen, ARM kommer att känna igen vilken befintlig infrastruktur som finns i miljön och bara ändra dom parametrarna som vi har sagt ska ändras, uppdateras eller ta bort, utan att vi gör några andra typer av konfigurationer i vår provisionering.
För att ge ett litet smakprov så har jag konstruerat nedanstående script i Powershell som använder sig av .json mallar för att skapa infrastruktur i Azure.

Param(
    [string] $ResourceGroupLocation = "westeurope", #Ändra till det datacentret som din infrastruktur ska provisioneras till
    [string] $ResourceGroupName = 'Molnbolaget-ILB', #Sätt namnet för din resursgrupp
    [string] $TemplateFile = "http://www.molnbolaget.com/wp-content/uploads/2016/06/molnbolaget.deploy.json",
    [string] $TemplateParametersFile = "http://www.molnbolaget.com/wp-content/uploads/2016/06/molnbolaget.parameters.json",
    [string] $SubscriptionId = "fae91d35-f0d5-42ca-83b5-a0c1e3s8a256" #Ändra till rätt ID för din prenumeration i Azure
)

#Logga in med ditt konto i Azure Active Directory
Add-AzureRmAccount

#Prenumeration väljs utifrån det ID som du har angett i $SubscriptionId parametern
Select-AzureRmSubscription -SubscriptionId $SubscriptionId

#Skapandet av resursgruppen som övriga resurser ska hamna i
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Verbose -Force -ErrorAction Stop

#Skapandet av infrastrutkuren sker utifrån Paramater och Templatefilen.
New-AzureRmResourceGroupDeployment -Name ("Deploy" + '-' + ((Get-Date).ToUniversalTime()).ToString('MMdd-HHmm')) `
                                   -ResourceGroupName $ResourceGroupName `
                                   -TemplateUri $TemplateFile `
                                   -TemplateParameterUri $TemplateParametersFile

Vad kommer då att skapas om man kör ovanstående script rakt av under förutsättning att man loggar in med ett konto i Azure Active Directory som har rättigheter att skapa resurser i den angivna prenumerationen? Svaret är följande:
ARM-create

En kort sammanfattning över vad som skapas är två virtuella servrar som tillsammans skapar ett internt NLB-kluster över port 80/tcp. Förutsättningen för att det ska fungera är bland annat ett Storage Account, Network Interface, Virtual Network, Availability set samt en Load Balancer vilket också skapas via ovanstående mall.

Namnsättning, vad som skapas och hur är definerade i Deploy samt Parameter filerna, självklart går det bra att modifiera innehållet efter eget tycke och smak.

Jag hoppas att det här skapar en större förståelse över hur man nu och framåt kan skapa och hantera sin infrastruktur med hjälp av kod.

Mvh
Patrik

Postad i: ARM | Azure | Public Cloud |

Lämna en kommentar