Page 14 – blog.azureinfra.com

Microsoft BitLocker Administration & Monitoring – intro

By rzomerman | September 21, 2011 | No Comments | Other

Why we should BitLocker (or any other drive encryption) should be clear. A stolen laptop is only worth as much as the retrievable data on it + the value of the laptop. In large enterprises this could be millions of dollars, but for personal use this could lead to embarrassment or worse.

But enterprises seem to struggle with the implementation of BitLocker, amongst the pain points:

No auditing – unsure which laptops have it enabled or which ones don’t
Administrative overhead – administrators must manually enable it
Scripting – if enabled during deployment scripting is required
Storage of keys in Active Directory – clear text storage of recovery keys

In order to cope with these and other challenges, Microsoft has released the BitLocker Administration and Monitoring toolkit. For the ones that try to download it on the website, sorry, it is only available in the Microsoft Desktop Optimization Pack which comes with a software assurance agreement with Microsoft.

This post goes into the architecture, what users see of it.. and more in depth knowlegde.. soon, the post with the install instructions!

2FA via the cloud – Cryptocard

By rzomerman | September 15, 2011 | No Comments | Kerberos, Other

So many of you probably have been wondering what type of 2FA I am using for my tests. Instead of setting up internal servers, dealing with encryption keys and various tokens, I stumbled upon a cloud service that handles all of this for you. Now before we dive into the “commercial” part (although I did not see any money from them) the basics for configuring TMG with radius are also covered in this post, so if you prefer another vendor, your own radius/2FA solution, this post still applies.

Office 365 – OWA Access

By rzomerman | September 15, 2011 | No Comments | Office 365

When migrating to Office 365 users must retain access to Outlook Web Access. While the guides for the OWA access are present, users see themselves being challenged for username and password multiple times. This is even worse when most users are located on Exchange 2007 in a mixed environment.
In order to cope with this problem TMG can be setup to only authenticate users once. Even more, users can also be authenticated already when they are sent to the Office365 OWA site and need to request a token from the ADFS server.

Office 365 – Two Factor authentication

By rzomerman | August 24, 2011 | No Comments | Office 365

As we have seen, passive clients have a different connection scenario than active clients. As passive clients can actually input data, this can be used to configure the request for additional authentication data. When users are accessing Outlook Web Access they are redirected to the federation services to retrieve their token. This is where we can add the additional authentication hop. Users who reside within the internal network are not required to add additional information as their device and location are already in a trusted location. Therefore this authentication path is excempted from the picture below and described later.

Office 365 – Exchange interaction Design

By rzomerman | August 24, 2011 | No Comments | Office 365, Other

Office 365 is booming.. everyday new companies decide to make the switch to easy online messaging and collaboration services on the cloud. While the cloud should make life easier for administrators, setting up the co-existence environment seems a bit harder. Although Microsoft has tons of help material available .This post is to clearify the interaction when settings up a co-existence environment with Office 365.

For this example I have added a TMG server to validate the requests. As many companies have additional firewalls in front of the TMG server, this is also displayed. And the TMG server serves another role to in the advanced setup, where we explain that it is possible to have OWA users use two-factor authentication while ActiveSync users can continue to authenticate against the federation server with their “passive” clients. (see the next post)

Import/Export Active Directory data…

By rzomerman | January 13, 2011 | No Comments | Active Directory, Scripting

I was trying to get a test environment up and running that should reflect the production environment of my customer (off course at the customers site.. secured and all).. one task was to duplicate the OU structure, group structure and user information (without passwords). Browsing through the web I found a VBS script that can […]

SharePoint to retrieve data from two LDAP directories

By rzomerman | December 16, 2010 | No Comments | Other

So no posts for a long time, been busy though.. and the latest addition to this blogpost is about SharePoint. Who would have thought.. In my case the customer wanted to enrich the User profiles that came from Active Directory with Novell attributes that where in a central identity store. While SharePoint is capable of […]

Office 365… where to get your information

By rzomerman | November 9, 2010 | No Comments | Azure

So this post is more of an advertisement.. Office 365, the latest version of BPOS (Business Productivity Suite Online) is in beta stage at the moment and more enterprises decide to go for it. It is based on Exchange 2010, Lync (new OCS), SharePoint 2010 and lots more.. My colleagues have decided to create a […]

Windows Firewall through policies + SCM

By rzomerman | June 1, 2010 | No Comments | Other, Windows 2008 R2

So everybody should enable firewall policies in order to keep their environment secure. Best practice is to manage the firewalls through policies.. keep a default policy to enable the firewall and do not allow incoming connections.. then based on server role add exceptions and ports. That way, each server added to the domain is secured by the firewall by default, but additional policies can enable applications to receive traffic.

CCF 2009 simple architecture

By rzomerman | April 29, 2010 | No Comments | Azure

I’ve been working with CCF the last days, CCF you say what is that? Well its a product from Microsoft that can be used to enhance the experience of users when working with multiple applications that require the same input. Say we have a call center with many applications. When a customer calls the agent asks for your zip code or address. Then you state your problem and the agent needs to open a different program and re-enter your zip code, then the company needs to send you a package and for that application he again needs your address details.. annoying for you (every time the agent asks you for your creds and even more annoying for the call center agent since he/she has to type the same info multiple times.

So CCF can help you with that..it requires a lot of programming to integrate all the apps, but it could be worth it.. are you designing CCF? are you interested in the architecture.. check out this post …