it security list

How to Put Out Fires Before They Start or General Principles of IT Security

Having examined the effect of the WannaCry and Petya viruses and how the attacks affected our customers, we would like to share our findings and give general cybersecurity recommendations. These tips will be especially helpful for Windows system administrators as we know they have suffered due to these viruses.

Server protection:

  • The Active Directory forest must be at least 2012 R2, and users must be in a protected user group. This prevents passwords from being intercepted using Mimikatz;
  • Shared file access must be implemented through a versioning system or snapshots, e.g. Sharepoint + OneDrive for Business;
  • Secure Boot must be enabled on hypervisors, so cryptolockers will fail to start instead of the native OS;
  • Email server settings must prohibit receiving executable files and corrupted archives. As an extreme measure, you could change the email format to plain text to eliminate links in the message body;
  • Updates must regularly be installed at least once every two weeks. Regularly update the servers’ OS, drivers, and firmware. This is one of the most important information security measures that will considerably strengthen your protection. You must have a clear update plan with the date of the latest update and who performed it;
  • Locate the backup system outside of the current environment. Configure replication to the backup site.

Workstations:

  • Client computers must run Windows 10 LTSB. The LTSB version has fewer potentially dangerous components and, theoretically, does not spy on users, though disabling telemetry is still a good practice;
  • Enable UEFI and Secure Boot. As with the servers, these precautions prevent ransomware from booting in place of the native OS. The Petya virus reboots the machine to start encryption; the two settings prevent this. There is a large chance that future cryptolockers will use this strategy;
  • Automatically update not only the operating system, but also all applications, especially MS Office. It does not matter if you use WSUS or update directly from Microsoft servers. This paragraph requires no explanations. The servers should be updated manually with proper supervision to avoid downtime, while workstations should be updated automatically;
  • System administrators should not work on workstations using domain administrator rights;

General recommendations:

  • Separate the working environment from web surfing, and separate different company’s departments into isolated environments, for example, as demonstrated here;
  • Separate the infrastructure environments using VLANs with traffic filtering in between. In this case, blocking access to certain ports can stop malware from spreading through the network. In the case of Petya, to prevent the ransomware from spreading, outside access to TCP ports 135, 139, and 445 (the ports used for SMB and WMI services) must be blocked;
  • It is advisable not to use server software that requires network access to shared folders. Business software, such as 1C, must run on SQL Server;
  • Workstations and servers must have a network filter configured to block outbound access to any applications except those required. Detailed information on how and why to do this may be found here;
  • Disable SMBv1 and, if possible, SMBv2 on workstations and servers;
  • Specialized and rarely used programs, such as M.E.doc or Internet banking clients (especially Java applications), should run on a separate virtual machine behind a strict firewall;
  • Don’t rely on antivirus software, which creates a false sense of security. Consider the latest viruses and how the leading manufacturers responded: even the standard Windows Defender was one of the first to be updated.
  • Help your IT personnel get technical certifications. Choose an outsourcer with valid certifications in the professional areas you need;
  • Conduct training and other activities to increase the level of IT awareness among all your employees; provide examples of real-life security breaches and demonstrate potential consequences.
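Two of the items above, disabling SMBv1 and restricting TCP 135/139/445 (SMB and WMI) to the local segments, can be applied and verified from PowerShell. The script below is an added example, not from the original article; the trusted subnet list and the way rules are selected are assumptions, so adjust them to your own segmentation (for instance, add the subnet of the backup site mentioned earlier if it needs SMB).

```powershell
# Added example (not from the original article): disable SMBv1 and limit inbound
# TCP 135/139/445 to trusted internal subnets, then report the result.
# Run as administrator on Windows Server 2012 R2+ or Windows 10.
#Requires -RunAsAdministrator

$TrustedSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal ranges
$SmbWmiPorts    = @('135', '139', '445')              # RPC endpoint mapper, NetBIOS session, SMB

function Disable-SmbV1 {
    # Stop the SMB server from negotiating SMB1 (takes full effect after a restart).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 component itself; the feature name differs between
    # Windows Server (FS-SMB1) and Windows 10 (SMB1Protocol).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f -and $f.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
    } else {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

function Get-SmbWmiAllowRules {
    # Every enabled inbound allow rule that opens one of the SMB/WMI ports, whatever its
    # display group (File and Printer Sharing, WMI, third-party products, ...).
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) | Where-Object { $SmbWmiPorts -contains $_ } } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

function Restrict-SmbWmiToTrustedSubnets {
    # Windows Firewall drops inbound traffic by default, so inbound SMB/WMI only works
    # because of allow rules. Scoping each of them to the trusted subnets is equivalent
    # to blocking the ports from everywhere else, without rewriting the built-in rules.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    $rules = Get-SmbWmiAllowRules
    $rules | Set-NetFirewallRule -RemoteAddress $TrustedSubnets
    $rules
}

function Test-SmbHardening {
    # A short report: 'False' in the first two fields or a non-empty OpenToAnyAddress
    # list means the host is still reachable over SMB/WMI from anywhere.
    $smb1Off  = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    $allBlock = (Get-NetFirewallProfile | ForEach-Object { $_.DefaultInboundAction -eq 'Block' }) -notcontains $false
    $exposed  = Get-SmbWmiAllowRules | Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' } | Get-NetFirewallRule
    [pscustomobject]@{
        Smb1Disabled        = $smb1Off
        DefaultInboundBlock = $allBlock
        OpenToAnyAddress    = @($exposed | Select-Object -ExpandProperty DisplayName)
    }
}

Disable-SmbV1
Restrict-SmbWmiToTrustedSubnets | Out-Null
Test-SmbHardening
```

Run Test-SmbHardening again after the reboot that SMBv1 removal asks for; the report is also a convenient thing to collect from all hosts when checking the update plan mentioned above.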

More articles about IT security


How to protect Virtual Machines hosted in Data Centers

In today’s age of Cloud Computing, each user has their own cloud storage for photos and an ever increasing number of companies rent cloud servers. This raises critical questions about the security of the stored information. Users can trust the cloud or crypto containers to protect their data, but companies are in a much worse position, because they are transferring not only data, but also computation to the cloud.

Virtual machines are especially vulnerable, since hackers can easily access VMs if the host is compromised. Until recently, existing hypervisors, including VMware, Xen, and Hyper-V hypervisors, have not been able to offer comprehensive VM protection.

If an attacker acquires physical access to the server, then disk encryption is the only hope, but even that is not always enough. Certainly, a data center assumes some responsibility for security when it leases a server, but then you must trust the data center’s administrators.

After Windows Server 2016 was released, Microsoft paid more attention to the security of the host and virtual infrastructure. It is now possible to isolate VMs from a Hyper-V host administrator, and a virtual TPM allows the VM's disk to be encrypted with BitLocker.

Thus, new technologies make it possible to put virtual machines on secondary servers or in corporate data centers while simultaneously increasing security by separating roles for physical and virtual access.

Technologies used

Shielded VM is a technology to isolate virtual machines from the host and protect VMs from accidental or deliberate actions by a host administrator and malware.

Shielded VM requires a Host Guardian Service (HGS) server which provides an access key and checks the health of the Hyper-V host.

HGS supports two types of attestation:


  1.  TPM-trusted attestation, where verification is based on the TPM identity, OS boot sequence, and code integrity policy. So, you can be sure that the hosts are running only approved code.
  2.  Admin-trusted attestation, where verification takes place according to AD security group membership.

When launching the virtual machine, the protected host is attested by the HGS server, which decides whether to grant an access key for the virtual machine.

Admin-trusted attestation should be used within an enterprise when you want to isolate administrators from VM access.

TPM-trusted attestation is best used when placing a VM on a server to isolate the data and VM from the data center’s employees.

The connection between the HGS server and the protected host is carried out over HTTP or HTTPS. HTTPS is not required for secure communication, but if you want to enable it, you will need an additional certificate. With admin-trusted (AD) attestation, you also need to configure a one-way domain trust.

Virtual Secure Mode (VSM) is a technology based on virtualization which allows you to isolate security-critical operations into a mini OS.

There are two other technologies that work in VSM:


  1.  Device Guard – data validation of UEFI firmware and kernel-mode drivers (code integrity monitoring);
  2.  Credential Guard – isolation of the user authentication process (LSA).

How VSM works:

The main OS itself runs as a virtual environment: the hypervisor sits beneath it and controls access to RAM. As a result, malicious software running in the main OS cannot access the VSM memory, even with administrator rights. This arrangement should also protect against DMA attacks.

How to deploy Shielded VM

Ordering a Shielded VM from a provider assumes that the Hyper-V host and the HGS server are located on the data center's premises (as in Microsoft Azure). In this case, a shielded virtual machine can be created either independently or from a provided template.

To create a Shielded VM independently, a customer deploys and configures a virtual machine on his or her PC, and then encrypts it with a key issued by the data center. After that, the VM is transferred to the data center.

In the second case, the customer only creates a PDK file, which protects the VM created from a template. The PDK file connects the template file with the HGS server. But you need to make sure that the template does not contain any malware.

The first method appears more secure, since the VM arrives on the host already encrypted. In either case, data center admins will not get unrestricted access to the VM.

The HGS server is the only place exposed to attacks because:

  • The HGS administrator can relax the requirements of the security policy;
  • An attacker with administrative privileges can try to get access keys;
  • HGS requires AD but TPM is not mandatory, so keys are most likely to be stored in the clear.

Considering this, we decided to check how Shielded VM would work if the HGS server is located in the customer's own infrastructure. This protects virtual machines even better, and the same method can be used if the data center does not offer a Shielded VM service. The disadvantage of this approach is that the HGS infrastructure must be administered by the customer.

The question of a hypervisor administrator replacing an HGS server may arise – after all this simply requires setting a new address. Protection against this is implemented in a rather simple way. The created VM is encrypted using the HGS’s public key, so a different HGS server cannot issue a key to start it.

You should also understand that Shielded VM only encrypts VM configuration files. The VHDX file remains unencrypted. To encrypt it, you must enable vTPM and encrypt the disk using BitLocker.

This combination of new technologies provides reliable protection:

  • The human factor is eliminated;
  • Keys are transmitted in encrypted form;
  • Servers are protected by new technologies that check code integrity;
  • Allowed applications are whitelisted;
  • The VM is isolated from the host.

All these aspects make it possible to protect against malicious software targeting the Hyper-V host and grant access to a virtual machine only to the owner, safeguarding it from the actions of administrators or anyone who has obtained administrator privileges.

Requirements for Hyper-V and HGS servers

The following requirements are specified for TPM attestation. AD attestation is less demanding, but it provides much less protection.

HGS:

  • Windows Server 2016

Hyper-V:

  • Windows Server 2016 Datacenter Edition
  • UEFI Secure Boot
  • TPM v2
  • IOMMU (VT-d)

How to setup

Suppose you have leased a dedicated server and want to protect it. TPM attestation will be used, and the connection between the host and HGS will be established over HTTP. If the HGS server does not have a public IP address, you will need to publish it on port 80 or through a reverse proxy.

Server HGS role setup and configuration

HGS Setup and Domain Creation

Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart

HGS requires a domain. It can be connected to an existing domain, but it is recommended to create a separate domain to improve security. Before executing the following commands, be sure the computer is not connected to a domain.

$adminPassword = ConvertTo-SecureString -AsPlainText '' -Force
Install-HgsServer -HgsDomainName 'relecloud.com' -SafeModeAdministratorPassword $adminPassword -Restart


Creating self-signed certificates

For testing purposes, we created self-signed certificates, but in the real environment it is better to use a PKI.

$certificatePassword = ConvertTo-SecureString -AsPlainText '' -Force

$signingCert = New-SelfSignedCertificate -DnsName "signing.relecloud.com"

Export-PfxCertificate -Cert $signingCert -Password $certificatePassword -FilePath 'C:\signingCert.pfx'

$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.relecloud.com"

Export-PfxCertificate -Cert $encryptionCert -Password $certificatePassword -FilePath 'C:\encryptionCert.pfx'


Initializing the HGS server

Specify the signing and encryption certificates and select the attestation method (the last parameter is either -TrustActiveDirectory or -TrustTPM).

$certificatePassword = ConvertTo-SecureString -AsPlainText '' -Force

Initialize-HgsServer -HgsServiceName '' -SigningCertificatePath 'C:\signingCert.pfx' -SigningCertificatePassword $certificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' -EncryptionCertificatePassword $certificatePassword [-TrustActiveDirectory | -TrustTPM]


Adding a protected Hyper-V host

Get the TPM identity

This procedure must be performed for each protected host.

(Get-PlatformIdentifier -Name '').InnerXml | Out-file .xml -Encoding UTF8


Add the resulting file to the HGS server.

Add-HgsAttestationTpmHost -Path .xml -Name  -Force


Create and apply a Code Integrity policy

While creating a policy, all the installed programs are scanned and added to the whitelist. Before creating a policy, make sure that:

  • The system is free from viruses and malware;
  • The required software is reliable and already installed.

We recommend checking the policy in audit mode first. In audit mode, executables that the policy would prohibit are only recorded in the event log, not blocked.

Note that this scanning takes time.

New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath 'C:\temp\HW1CodeIntegrity.xml' -UserPEs
ConvertFrom-CIPolicy -XmlFilePath 'C:\temp\HW1CodeIntegrity.xml' -BinaryFilePath 'C:\temp\HW1CodeIntegrity.p7b'


Rename the .p7b file to SIPolicy.p7b and copy it to the C:\Windows\System32\CodeIntegrity\ folder, so that the full path is C:\Windows\System32\CodeIntegrity\SIPolicy.p7b.

Reboot the PC and check the system performance under an expected typical load. Turn off audit mode after a successful check.

Set-RuleOption -FilePath 'C:\temp\HW1CodeIntegrity.xml' -Option 3 -Delete

ConvertFrom-CIPolicy -XmlFilePath 'C:\temp\HW1CodeIntegrity.xml' -BinaryFilePath 'C:\temp\HW1CodeIntegrity_enforced.p7b'
Copy-Item -Path '' -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

Restart-Computer

If you are planning to defend multiple identical hosts, you can create just one CI policy.

We recommend saving the original XML file to eliminate the need to rescan if you make changes to the policy.

When the policy is applied, be careful while updating or adding kernel-mode drivers, as this can result in system boot failure.

Register the policy on the HGS server

Add-HgsAttestationCIPolicy -Path  -Name ''


Create a TPM baseline policy

This policy is based on PCR registers (Platform Configuration Registers) located in the TPM module. They store values to check the integrity of system metrics, from loading the BIOS to system shutdown. For example, if the boot order is changed by a rootkit, this will be reflected in the PCR registers.

A policy is created for a class of identical hardware hosts. You must have Hyper-V installed.

To execute the following command, you must enable Secure Boot, IOMMU (VT-d), and Virtualization Based Security:

Install-WindowsFeature Hyper-V, HostGuardian -IncludeManagementTools -Restart

Get-HgsAttestationBaselinePolicy -Path 'HWConfig1.tcglog'

You can use the -SkipValidation flag, which skips the prerequisite checks (Secure Boot, IOMMU, VBS) instead of stopping on them; it does not fix the underlying problems, so a baseline captured this way may not pass attestation.


Add TCGlog on the HGS server

Add-HgsAttestationTpmPolicy -Path .tcglog -Name ''


Check the HGS server status

This is the final step for HGS server configuration. To check if everything is correct, run diagnostics.

Get-HgsTrace -RunDiagnostics


Connect the Hyper-V host to the HGS server

To connect a protected host to the HGS server, it is sufficient to specify the server URL.

Set-HgsClientConfiguration -AttestationServerUrl 'http:///Attestation' -KeyProtectionServerUrl 'http:///KeyProtection'


Correct configuration output should display:

  • IsHostGuarded: true
  • AttestationStatus: passed

If configuration fails, AttestationStatus will display the error details.
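The expected output above (IsHostGuarded true, AttestationStatus passed) can be checked together with the host prerequisites listed earlier in one script. This is an added example and not part of the original article; it assumes it is run as administrator on the Windows Server 2016 Hyper-V host after Set-HgsClientConfiguration, and that the host boots via UEFI (on legacy BIOS, Confirm-SecureBootUEFI throws, which the script treats as a failed check). HVCI status is reported for information and not counted in the verdict.

```powershell
# Added example (not from the original article): verify the guarded-host prerequisites
# for TPM-trusted attestation and the attestation result reported by the HGS client.

function Test-GuardedHostReadiness {
    $r = [ordered]@{}

    # 1. UEFI Secure Boot: without it the measured boot chain in the TCG log cannot be trusted.
    try { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) } catch { $r.SecureBoot = $false }

    # 2. A TPM 2.0 must be present. SpecVersion is a string such as "2.0, 0, 1.16".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.Tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # 3. Virtualization-based security with IOMMU (VT-d), which is what isolates VSM.
    #    Win32_DeviceGuard codes: VirtualizationBasedSecurityStatus 2 = enabled and running;
    #    AvailableSecurityProperties 3 = DMA protection; SecurityServicesRunning 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.VbsRunning    = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $r.DmaProtection = [bool]($dg -and $dg.AvailableSecurityProperties -contains 3)
    $r.HvciRunning   = [bool]($dg -and $dg.SecurityServicesRunning -contains 2)   # informational

    # 4. The enforced code integrity policy copied to the host in the previous steps.
    $r.CiPolicyPresent = Test-Path "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

    # 5. What the host reports after contacting HGS. Anything other than 'Passed' comes
    #    with an AttestationSubstatus naming the requirement that was not met.
    $hgs = Get-HgsClientConfiguration
    $r.IsHostGuarded        = [bool]$hgs.IsHostGuarded
    $r.AttestationStatus    = [string]$hgs.AttestationStatus
    $r.AttestationSubstatus = [string]$hgs.AttestationSubstatus

    # Overall verdict: every prerequisite holds and HGS agrees.
    $r.Ready = $r.SecureBoot -and $r.Tpm20 -and $r.VbsRunning -and $r.DmaProtection -and
               $r.CiPolicyPresent -and $r.IsHostGuarded -and ($r.AttestationStatus -eq 'Passed')
    [pscustomobject]$r
}

Test-GuardedHostReadiness | Format-List
```

If Ready is false but every local prerequisite is true, the remaining cause is on the HGS side (a TPM identity, CI policy or TCG baseline that was not registered for this host class), which is exactly what AttestationSubstatus points at.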

How to create a shielded virtual machine

Get the HGS description file required to bind the Virtual Machine to the server.

Invoke-WebRequest http://<HGSServerFQDN>/KeyProtection/service/metadata/2014-07/metadata.xml -OutFile C:\HGSGuardian.xml


You need to create a VM on a standalone machine running Windows Server 2016, which is not configured to use HGS.

Create a new 2nd generation virtual machine and install the operating system on it. Configure RDP settings, ensure it works properly, and encrypt it with BitLocker.


Creating a Shielded VM

Enter the VM name:

$VMName = 'SVM'

Stop the VM:

Stop-VM -VMName $VMName

Create an owner certificate:

$Owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates

Import the server certificate:

$Guardian = Import-HgsGuardian -Path 'C:\HGSGuardian.xml' -Name 'TestFabric' -AllowUntrustedRoot

Create a Key Protector:

$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot

Enable Shielding:

Set-VMKeyProtector -VMName $VMName -KeyProtector $KP.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded $true

Enable the vTPM on the virtual machine:

Enable-VMTPM -VMName $VMName


After you finish the configuration and the VM protection is turned on, move the VM to a secure host. To do this, export the machine, move the files to the host, and import it in the Hyper-V console.

At this stage the setup is complete and the VM is shielded.

Check the Shielded VM

When you attempt to connect to the VM via the Hyper-V console, a message is displayed instead of the console session.

The VM settings also display a warning that the security policy cannot be changed.

Inside the guest, the virtual machine's disk is protected by BitLocker.

Thus, we have configured Shielded VM, which provides higher security for virtual machines. If you have any questions, feel free to post them in the comment section below.

More articles at Servilon


Remote Desktop Gateway client two-factor authentication via Azure Multi-Factor Authentication

Users and Security Methods

Typical users have a careless attitude toward password security. Our experience shows that even if a company uses strict policies, provides user training, etc., unencrypted devices still make their way outside the office. Review the product list of a well-known company, and you will understand that cracking passwords on unencrypted devices is only a matter of time.

In order to control cloud access from these devices, some companies block remote access by setting up tunnels between the cloud and the office. We believe that this is not the optimal solution. First, you lose some advantages of cloud solutions. And secondly, as noted in the article, there are productivity issues.

Using a terminal server and Remote Desktop Gateway (RDG) is more flexible, because you can set up a high level of security. This method lets you prevent data from leaving the cloud, and you can simultaneously impose limitations on a user's work. However, this is a DLP measure; it does not solve the problem of authentication.

Two-factor authentication is probably the best way to guarantee that an intruder doesn’t work under a user’s account. The MFA setup provided by Microsoft and Google for client VPNs is a good choice, but 1) it requires CISCO ASA, which is not always easy to implement, especially in budget-conscious clouds and 2) working via a VPN is inconvenient. Working with a terminal session via RDG is significantly more convenient, and the SSL encryption protocol seems to be more universal and reliable than a CISCO VPN.

There are many solutions for a terminal server with two-factor authentication. For example, there is a free solution. Unfortunately, it does not work via RDG.

The advantages of the Microsoft Azure Multi-Factor Authentication Server (MFAS) are described in the article mentioned above, so I won't repeat them here. Instead, let's proceed directly to the settings.

To keep this article short, we will skip the process for initial installation and configuration of the RDG server that authorizes users based on a username and password.

For clarity, we will outline the RDG request authentication scheme used by Azure MFA. The Network Policy Server (NPS) role is started on the RDG server, making it possible to redirect Radius requests. The MFA server will be deployed on a separate virtual machine in the company’s internal structure.

The RDG server requests authorization from the MFA server. MFA calls, sends an SMS, or sends a request to the mobile application, depending on the chosen authentication method. The user then confirms or rejects the access request and the MFA server returns the result of the second authentication factor to the RDG server.


Azure Multi-Factor Authentication Server setup and installation

Creating an Authentication Provider in the Microsoft Azure Portal

Sign in to Microsoft Azure (the account must have a subscription or trial version) and find Multi-Factor Authentication (MFA).

For now, there is no MFA management in the new version of the Azure portal, so the old version will open.

To create a new multi-factor authentication provider, press “Create -> Application services -> Active Directory -> Multi-factor authentication provider -> Quick start”. Specify the name and usage model.

The form of payment depends on the usage model: either based on the number of users, or based on the number of authentications.


Once created, MFA will be displayed in the list. Next, go to Control by clicking the corresponding button.


Go to “Downloads” and download the MFA server.


Deploying the MFA server

You must install the MFA server on a virtual machine separate from the RDG server. The MFA server supports Windows Server 2008 or Windows 7 and newer. Microsoft .NET Framework 4.0 is also required.
These addresses should be accessible on port 443:

  • https://pfd.phonefactor.net;
  • https://pfd2.phonefactor.net;
  • https://css.phonefactor.net.

While installing the MFA server, do not use the setup wizard.

On first launch, you must enter activation credentials, which are generated on the server's download page in the Azure portal.


Next, add users. Go to “Users” and click “Import from Active Directory,” then select users to import.


If needed, new users can be automatically added from AD:

“Directory Integration -> Synchronization -> Add”. This process can also add a directory that will be automatically synchronized at a specified time interval.


Test that the MFA server is working correctly. Go to “Users”. Specify the phone number (if not already set) and select the authentication method “Phone Call”. Click “Test” and enter the username and password. MFA Azure will call the phone. Answer and press #.


Configuring the MFA server to work with Radius requests

Go to “Radius Authentication” and check “Enable RADIUS Authentication”.

Add a new client and specify the IP address of the NPS server and the shared secret. If authentication needs to be performed for all users, check everyone (in this case, all users should already be added to the MFA server).

You also need to confirm that the ports specified for the connection correspond to the ports indicated on the NPS server and are not blocked by the firewall.


Go to “Target” and add the Radius server.


Note: If there is no central NPS server in the network, the Radius client’s and Radius server’s IP addresses will be the same.

Configuring RDG and NPS servers to work with MFA

The Remote Desktop Gateway must be configured to send Radius requests to the MFA server. To do this, open the RDG properties and go to the “RDG CAP Store” tab. Select “Central server running NPS” and specify the MFA server address and shared secret.


Next, configure the NPS server. Expand the “Radius clients and servers -> Remote Radius server groups” section. Open the properties of “TS gateway server group” (this group is created when you configure the RDG server) and add the MFA server.

When adding the server, increase the server timeout limits on the “Load Balancing” tab. Set the “Number of seconds without response before request is considered dropped” and “the Number of seconds between requests when server is identified as unavailable” in the range of 30-60 seconds.

In “Authentication/Accounting”, check the accuracy of the specified ports and set the shared secret.


Go to “Radius clients and servers -> Radius clients” and add the MFA server by entering a “Friendly name”, address, and shared secret.


Next, go to “Policies -> Connection request policies”. This section should have the policy created during configuration of RDG. This policy directs Radius requests to the MFA server.

Copy the policy and open its settings. Add a condition comparing “Client Friendly Name” with the “Friendly name” specified in the previous step.


On the “Settings” tab, replace the Authentication service provider with a local server.


This policy will guarantee that when you receive a Radius request from the MFA server it will be processed locally and prevent request loops.

Check that this policy is placed above the original policy.


At this point, the link between RDG and MFA is working. The following steps are necessary for those who want to authenticate via a mobile app or let users manage their multi-factor authentication settings through the user portal.

Installing the SDK, mobile app web services, and user portal

The connection to these components is made via HTTPS. Therefore, you must install an SSL certificate on the server where they are deployed.

The user portal and web-service mobile app use the SDK to communicate with the MFA server.

SDK installation

The SDK is installed on the MFA server and requires IIS, ASP.NET, and Basic Authentication, which must be installed beforehand using the Server Manager.

To install the SDK, go to “Web Service SDK” in “Multi-Factor Authentication Server” and follow the instructions of the installation wizard.


Mobile app web-service installation

The following service is necessary for the mobile app to interact with the MFA server. For the service to function properly, the computer it is installed on must have Internet access with port 443 open.

The service installation file is located in C:\Program Files\Azure Multi-Factor Authentication on the computer with MFA installed. Run the installer and follow the installation wizard. For convenience, you can replace the name of the virtual directory “MultiFactorAuthMobileAppWebService” with a shorter one.

After installation, go to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService and change the file web.config. In this file, you need to specify the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD parameters that correspond to the “PhoneFactor Admins” security group. This account will be used to connect to the SDK.


In the same file, indicate the URL where the SDK is available.

Note: The connection to the SDK is made via the SSL Protocol, so you must reference the SDK by the server name (specified in the SSL certificate) rather than an IP address. If a call is made using a local name, you must add a corresponding entry to the hosts file in order to use the SSL certificate.


Add the URL where the mobile app web service is available to the Multi-Factor Authentication Server app in the Mobile App tab. This is necessary to properly generate a QR code in the user portal in order to connect to mobile apps.

You can also check “Enable OATH tokens”. This lets you use the mobile app as a software token to generate time-based one-time passwords.

User Portal Installation

Installation requires IIS, ASP.NET, and the IIS 6 Metabase Compatibility role (for IIS 7 or later).

If the portal is installed on the MFA server, just go to the “User Portal” in the Multi-Factor Authentication Server, press “install,” and follow the installation wizard. If the computer is joined to a domain, a user belonging to the PhoneFactor Admins security group will be created during installation. This user is required for a secure connection to the SDK.


When installing on a separate server, copy the installation file from the MFA server (the installation file is located in C:\Program Files\Multi-Factor AuthenticationServer). Perform the installation and edit the web.config file located in C:\inetpub\wwwroot\MultiFactorAuth. Change USE_WEB_SERVICE_SDK from false to true. Specify the credentials for the account in the PhoneFactor Admins group in the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD parameters. Specify the URL of the SDK service, and don’t forget to correct the hosts file, if necessary, to make the SSL protocol work.

In the “User Portal” section, add the URL at which the user portal will be available to the Multi-Factor Authentication Server application.

Demonstration of using Azure MFA to authenticate RDG connections

We will consider what MFA does from the user’s perspective. In our case, the second authentication factor will be a mobile app, since cellular networks have a number of vulnerabilities that allow for easy interception of calls and texts.

First of all, the user must log in to the user portal, provide his or her phone number (if not specified in AD), and sync his or her account to the mobile app. Log in to the portal with your own account and answer the security questions (in case we need to recover access to the account).


Then, select the authentication method (in our case, mobile app) and press “Generate New Activation Code”. A QR code will appear that must be scanned in the mobile app.


Because PIN authentication was used when importing users to the MFA server, you will be asked to create a PIN code. Enter the desired PIN code and click “Authenticate”. Confirm the request in the mobile app. After taking these steps, you have an app linked to the account and full access to the portal in order to change personal settings.


Note: The list of settings that the user may change through the portal is specified by the administrator in the Multi-Factor Authentication Server app.

Next, we will look at connecting through the RDG.

Create an RDP connection by specifying your RD Gateway and connecting.

RDP connection

Enter the credentials to access the RDG server.

credentials access RDG server

Confirm the request in the mobile app.

RDG server mobile-app

Enter the credentials to sign in on the local PC and wait for a connection.

credentials local PC

Note: If the phone is equipped with a fingerprint sensor, the Authenticator application will prompt you to associate the PIN code with a fingerprint to subsequently authenticate by simply touching the phone.

Authentication methods offered by Azure MFA:

  • Phone call
    • press #
    • enter the PIN code and press #
  • SMS – you can use OTP or OTP + PIN
    • One-Way – while authorizing, enter the received code into the auxiliary field
    • Two-Way – send the received code back by SMS
  • Mobile app
    • Simple confirmation
    • You must enter the PIN code to confirm
  • OATH token – you will need to enter the code from the token screen into the auxiliary field when authorizing. You can use the mobile app as a software token.

The SMS One-Way and OATH token methods are not universal, since they require an auxiliary field for entering the code during authorization.

In conclusion, we will tell you about an MFA function that lets you track and protect against intruders who attempt to gain access without having the second authentication factor.

In the MFA control panel on the Azure portal, you may enable users to mark an incoming request as fraudulent. It is also possible to automatically block the user when receiving this message and send an email notification to support.

Azure MFA control panel

After enabling this function, users who have blocked the authentication request will receive a message asking them to notify support about an unauthorized login attempt.

MFA control panel

The Azure MFA control panel has a report that shows fraud notifications:

Azure MFA control panel

If you need to find out the IP address from which an RDP session was initialized, look at the RDG server logs in the Event Viewer. If the second authentication factor was not passed, the event will have an “Error” status, and the description will indicate the IP address from which the RDP connection was established.

RDG server logs Event Viewer
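As an added example (not part of the original article), the same check can be scripted on the RD Gateway server: the snippet below pulls the Error-level events from the TerminalServices-Gateway operational log and groups them by the client address quoted in the event description. The log name is the standard one; the regular expressions that pick the user and IP address out of the message text are my assumption about the wording of the description.

```powershell
# Added example: summarise failed RD Gateway connection attempts by source IP.
# Run in an elevated PowerShell session on the RDG server.
param(
    [int]$Hours = 24   # how far back to look
)

# Error-level (Level 2) events in the gateway's operational log, e.g. connections
# where the connection authorization policy (and with it the MFA step) was not met
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Level     = 2
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Assumed description wording: 'The user "DOMAIN\user", on client computer "203.0.113.10", ...'
$userRegex = 'The user "([^"]+)"'
$ipRegex   = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$failed = foreach ($e in $events) {
    $userMatch = [regex]::Match($e.Message, $userRegex)
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        User     = if ($userMatch.Success) { $userMatch.Groups[1].Value } else { '' }
        ClientIP = [regex]::Match($e.Message, $ipRegex).Value
        Detail   = ($e.Message -split "`r?`n")[0]   # first line of the description
    }
}

# One address producing many failures is the pattern worth following up on
$failed | Group-Object ClientIP | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        ClientIP = $_.Name
        Failures = $_.Count
        Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
} | Format-Table -AutoSize
```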

References:
Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS
User Portal
Mobile App Web Service

Best regards,
The Servilon Team


Installing a white certificate on a Microsoft VDI farm

Many companies use VDI infrastructure for remote work from employees’ uncontrolled personal workstations. When a VDI farm is published to the Internet, external users run into the problem that their computers do not trust the certificate issued by the corporate certification authority. As a result, security warnings appear when connecting remotely.

RD Connection

In this case, the warning appears twice: at the first connection the broker server is untrusted; at the second connection, the VDI farm virtual machine is untrusted.

To resolve this problem, many system administrators suggest either checking the “Don’t ask me again” checkbox and ignoring this message, or “whitelisting” the root certificate on the user’s remote computer and publishing the corporate CA’s CRL. However, such methods don’t work if users connect from different locations each time or connect to different virtual machines.

Solving this problem requires you to use a “white” certificate issued for the VDI farm by the trusted certificate authority. The names of the external certificate and the VDI computers must match.

The solution

First of all, we need a wildcard certificate (*.yourcompany.com) issued by the trusted certificate authority.

Add a new DNS suffix to the domain:

Add a new Active Directory Integrated zone (yourcompany.com) to serve internal requests for new server names and VDI farm virtual machines on a domain controller in DNS.

To have an additional domain suffix in a domain you have to edit the msDS-AllowedDNSSuffixes attribute at the domain level. You must add the internal and external domain names as the attribute value. For example, yourcompany.local and yourcompany.com. Create a new group policy at the domain level to specify the DNS suffixes that can be added to short names in DNS queries.

edit msDS-AllowedDNSSuffixes attribute

Enable the following policy: Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS Client\ DNS suffix search list. Then add the internal and external domain name values, separated by commas.

DNS suffix search list

Setting up the certificate on the RD servers

You also have to change the DNS suffix of the planned RD servers to the external domain name before creating the VDI farm. Go to system properties and click “Change…”. Click “More…” on the “Computer Name/Domain Changes” tab and enter the new primary DNS suffix – yourcompany.com.

Computer Name/Domain Changes

Next create a new VDI farm based on the selected Microsoft Windows Server 2012 R2 servers. You can easily find information online about how to do this.

After you receive the certificate’s pfx file, you can install it on the new VDI farm. On the RD Connection Broker server, go to Server Manager > Remote Desktop Services > Overview. In the Deployment Overview field, select Edit Deployment Properties in the Tasks dropdown list.

RD Connection Broker server edit

Open the Certificates tab and set up the necessary *.yourcompany.com certificate for each farm service.

Add the certificate for each service role. Click “Select an existing certificate…”, then specify its file path and password.

RD Connection Broker server

When this is done, the certificates are installed on the VDI servers, but not on the virtual machines. On the Connection Broker server, the SSLCertificateSHA1Hash REG_BINARY parameter appears in the registry with the certificate thumbprint as its value, at the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

This parameter determines which certificate will be used while the RDP session is being established. Add it to the registry on the client machine as well.

SSLCertificateSHA1Hash REG_BINARY

Installing the certificate on virtual machines

The following are required when using a white certificate on virtual machines:

  • Install the certificate in the personal certificate store on every machine.
  • Set the certificate key read permissions for each machine’s Network Service.
  • The SSLCertificateSHA1Hash REG_BINARY certificate parameter must have the thumbprint value.
  • Virtual machine names must match the certificate name (have the yourcompany.com suffix).

Create a new group policy at the Organizational Unit level, dedicated to the VDI farm’s virtual machines’ accounts.

This policy must run Startup Script ExportVDICert.bat on the virtual machines.

Startup Script ExportVDICert.bat

The script below uses the Microsoft Certutil and FindPrivateKey utilities. Certutil is a built-in utility. FindPrivateKey is provided as a Sample tool for developers and can be compiled independently. The script must be added to the policy.

The certificate and FindPrivateKey utility must be placed in the network folder where the script will grab the installation files. Here’s the script:

rem Placeholders: the PFX password, the network folder holding the certificate and
rem FindPrivateKey.exe, and the certificate thumbprint must be filled in for your farm
certutil -f -p "<pfx-password>" -importpfx "\\SERVER\Share\vdi-wildcard.pfx" NoExport
c:
mkdir "c:\TempCertSecurity"
cd "c:\TempCertSecurity"
xcopy "\\SERVER\Share\FindPrivateKey.exe" "c:\TempCertSecurity"
rem -a prints the full path of the private key file for the certificate with this thumbprint
FindPrivateKey.exe My LocalMachine -t "<certificate-thumbprint>" -a > tmp.txt
set /p myvar= < tmp.txt
del tmp.txt
del FindPrivateKey.exe
cd \
rd "c:\TempCertSecurity"
rem grant NETWORK SERVICE read access to the private key file
cacls.exe "%myvar%" /E /G "NETWORK SERVICE":R

This script will install the new certificate with permissions after the virtual machine is rebooted.

The next part of the policy has to do with the SSLCertificateSHA1Hash installation option. The required key is configured via Preferences \ Windows Settings \ Registry.

SSLCertificateSHA1Hash installation option

To change the virtual machines’ Primary DNS Suffix centrally through the policy, enable the Primary DNS Suffix setting and set it to the external domain name, yourcompany.com.

Primary DNS Suffix

The machine will receive the new FQDN and corresponding white certificate after being rebooted. After you perform all these operations, your users will no longer see the annoying security alerts.
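As an added example (not the article’s own ExportVDICert.bat), the same per-VM steps in PowerShell: import the PFX non-exportable, give NETWORK SERVICE read access to the private key file, write SSLCertificateSHA1Hash, and warn if the machine’s FQDN is not covered by the wildcard name. The share path and password are placeholders; the private-key lookup assumes a CAPI (RSA CSP) key container, which is what FindPrivateKey resolves.

```powershell
# Added example: PowerShell equivalent of the ExportVDICert.bat startup script.
# Placeholders: adjust $PfxPath and $PfxPassword for your environment.
param(
    [string]$PfxPath     = '\\SERVER\Share\vdi-wildcard.pfx',   # placeholder share path
    [string]$PfxPassword = '<pfx-password>',                    # placeholder
    [string]$RdpTcpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

# 1. Import into the machine's personal store; without -Exportable the key stays
#    non-exportable (the NoExport modifier used by certutil in the batch script)
$securePwd = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $securePwd |
    Where-Object HasPrivateKey | Select-Object -First 1

# 2. Locate the private key file (CAPI machine key container) and grant
#    NETWORK SERVICE read access, as cacls does in the batch script
if (-not $cert -or -not $cert.PrivateKey) {
    throw "No certificate with a CAPI private key was imported from $PfxPath"
}
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Point the RDP listener at this certificate: SSLCertificateSHA1Hash is the
#    raw SHA-1 thumbprint as REG_BINARY, which GetCertHash() returns directly
New-ItemProperty -Path $RdpTcpKey -Name 'SSLCertificateSHA1Hash' -PropertyType Binary `
    -Value $cert.GetCertHash() -Force | Out-Null

# 4. The client only trusts the session if the VM's FQDN is covered by the
#    certificate name (*.yourcompany.com), so check the primary DNS suffix
$suffix   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
$fqdn     = "$env:COMPUTERNAME.$suffix"
$certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$covered  = if ($certName.StartsWith('*.')) { $suffix -eq $certName.Substring(2) } else { $fqdn -eq $certName }
if (-not $covered) {
    Write-Warning "FQDN $fqdn is not covered by certificate name $certName; clients will still see a warning"
}
"Installed $certName ($($cert.Thumbprint)) for RDP on $fqdn"
```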

Deleting / restoring Metro apps in Windows 10

No matter how many supporters of the old version of the OS exist at present, it’s high time to turn to Windows 10. Accordingly, I invite you to take a closer look at the preloaded Metro apps. You will agree with me that very few people use absolutely every application forced upon us by Microsoft. Most of them just take up space, and are sometimes even annoying. In this article I will share with you a way to “clean” the system of such needless apps on Windows 10.

Deleting

So let’s discuss deleting needless apps. I suggest you use a PowerShell script to display all installed Metro apps. Then it’s up to you whether to delete all or just some of them.

The script is as follows:

# Message templates; Placeholder01 is replaced with the offending input
$Messages = @{
    IncorrectInput = "The input 'Placeholder01' is not a list of numeric IDs separated by spaces."
    WrongID        = "The ID 'Placeholder01' is out of range."
}

Function PSCustomErrorRecord
{
    Param
    (
        [Parameter(Mandatory=$true,Position=1)][String]$ExceptionString,
        [Parameter(Mandatory=$true,Position=2)][String]$ErrorID,
        [Parameter(Mandatory=$true,Position=3)][System.Management.Automation.ErrorCategory]$ErrorCategory,
        [Parameter(Mandatory=$true,Position=4)][PSObject]$TargetObject
    )
    Process
    {
        $exception = New-Object System.Management.Automation.RuntimeException($ExceptionString)
        $customError = New-Object System.Management.Automation.ErrorRecord($exception,$ErrorID,$ErrorCategory,$TargetObject)
        return $customError
    }
}

Function RemoveAppxPackage
{
    # CmdletBinding makes $PSCmdlet available, which WriteError below relies on
    [CmdletBinding()]
    Param()

    $index=1
    $apps=Get-AppxPackage
    Write-Host "ID`t App name"
    foreach ($app in $apps)
    {
        Write-Host " $index`t $($app.Name)"
        $index++
    }

    Do
    {
        $IDs=Read-Host -Prompt "Which Apps do you want to remove? `nInput their IDs separated by spaces (e.g. 5 12 17). `nIf you want to remove every possible app, enter 'all'"
    }
    While($IDs -eq "")

    if ($IDs -eq "all")
    {
        # Remove every package that is removable; -Confirm asks before each one
        Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue -Confirm

        # Whatever is still installed is part of Windows and cannot be removed per user
        $remaining = Get-AppxPackage
        if (-not $remaining)
        {
            Write-Host "Apps have been removed successfully"
        }
        foreach ($AppName in $remaining.Name)
        {
            Write-Warning "Remove '$AppName' failed! This app is part of Windows and cannot be uninstalled on a per-user basis."
        }
    }
    else
    {
        try
        {
            [int[]]$IDs=$IDs -split " "
        }
        catch
        {
            $errorMsg = $Messages.IncorrectInput
            $errorMsg = $errorMsg -replace "Placeholder01",$IDs
            $customError = PSCustomErrorRecord `
                -ExceptionString $errorMsg `
                -ErrorCategory NotSpecified -ErrorID 1 -TargetObject $PSCmdlet
            $PSCmdlet.WriteError($customError)
            return
        }

        foreach ($ID in $IDs)
        {
            # check that the ID is in range
            if ($ID -ge 1 -and $ID -le $apps.Count)
            {
                $ID--
                # remove the selected app
                $AppName=$apps[$ID].Name

                $apps[$ID] | Remove-AppxPackage -ErrorAction SilentlyContinue -Confirm
                if (-not(Get-AppxPackage -Name $AppName))
                {
                    Write-Host "$AppName has been removed successfully"
                }
                else
                {
                    Write-Warning "Remove '$AppName' failed! This app is part of Windows and cannot be uninstalled on a per-user basis."
                }
            }
            else
            {
                $errorMsg = $Messages.WrongID
                $errorMsg = $errorMsg -replace "Placeholder01",$ID
                $customError = PSCustomErrorRecord `
                    -ExceptionString $errorMsg `
                    -ErrorCategory NotSpecified -ErrorID 1 -TargetObject $PSCmdlet
                $PSCmdlet.WriteError($customError)
            }
        }
    }
}

$result = 0

while ($result -eq 0) {

    RemoveAppxPackage

    $title = "Delete Apps"
    $message = "Do you want to continue?"

    $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Yes, I want to remove another application."

    $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "No, all unnecessary applications are removed."

    $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)

    $result = $host.ui.PromptForChoice($title, $message, $options, 0)
}

Save the script in .ps1 format or download it. I recommend creating a batch file for the script below in order to simplify running as an administrator (save it in .bat format and UAC will automatically request confirmation):

.bat script

@echo off
cls

echo Apps
echo.
echo press any key to continue…

pause > NUL

echo.
echo.

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dp0.\app.ps1""' -Verb RunAs}"

echo You deleted apps…
echo.
pause

Here app.ps1 is the name of the saved PowerShell script.

Note: When the script is run that way you may see a warning message: “Execution Policy Change”.

PowerShell Execution Policy Change

Choose “Yes” to make the change.

You will then see the following:

list of installed apps PowerShell

The list of installed apps is displayed on the screen, and you are asked to list (separated by spaces) the IDs of the ones you want to delete.

Let’s say you decide to delete Microsoft.BingNews. In that case, type in the corresponding application number. If the operation succeeds, you should get the following:

PowerShell operation succeeds

Please note that you can’t remove system apps. If you attempt to do so, you will receive the following message:

PowerShell administrator warning

This applies to applications such as:
• Microsoft.Windows.Cortana
• MicrosoftEdge
• ContactSupport
• PrintDialog, etc.
The screenshot below features a more detailed list of “immortal” apps:

There is a way to remove all apps at once (except the “immortal” apps described above). To do so, type “all” instead of a specific app’s number, and confirm removal of all apps (Yes to All) or confirm each removal individually (Yes).

Restoring

If you accidentally delete or subsequently decide you want to use a particular app, you can restore it through the Windows Store or use the following suggestions.

For example, if you want to restore the Store app, which happened to be deleted by the script above, you should run the following command in PowerShell with administrator permissions:

Add-AppxPackage -register "C:\Program Files\WindowsApps\*Store*\AppxManifest.xml" -DisableDevelopmentMode

You can restore other applications in a similar manner by putting their names between asterisks. If you need to restore a large number of apps, it’s better to use a script (add / remove lines as needed).

Script to restore apps:

Add-AppxPackage -register "C:\Program Files\WindowsApps\*Weather*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Finance*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Maps*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*News*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Sports*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Travel*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Camera*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Reader*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Xbox*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Alarms*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Calculator*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*OneNote*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*People*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*SoundRecorder*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*3dbuilder*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Store*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Photos*\AppxManifest.xml" -DisableDevelopmentMode
Add-AppxPackage -register "C:\Program Files\WindowsApps\*Phone*\AppxManifest.xml" -DisableDevelopmentMode

As before, save and, if necessary, edit the script and run it.

Alternatively, if you want to restore the entire set of pre-installed utilities, type the following line in PowerShell with administrative permissions. This means you don’t need to be afraid to experiment. Restoring the previous state is easy:

Get-AppxPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

You may see warning messages while restoring apps. They refer to apps that are currently running.

Restoring Photo Viewer in Windows 10

Most users who install Windows 10 are dissatisfied with the lack of the photo viewing app, Windows Photo Viewer.

To restore Photo Viewer, you need to add some keys to the registry. To do this, save the following script with the .reg extension and run it. Then set the app as the default app for opening images: Settings – Default apps – Photo – Windows Photo Viewer:

Default apps Windows 10

Script to add keys to the registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations]
".jpg"="PhotoViewer.FileAssoc.Jpeg"
".wdp"="PhotoViewer.FileAssoc.Wdp"
".jfif"="PhotoViewer.FileAssoc.JFIF"
".dib"="PhotoViewer.FileAssoc.Bitmap"
".png"="PhotoViewer.FileAssoc.Png"
".jxr"="PhotoViewer.FileAssoc.Wdp"
".bmp"="PhotoViewer.FileAssoc.Bitmap"
".jpe"="PhotoViewer.FileAssoc.Jpeg"
".jpeg"="PhotoViewer.FileAssoc.Jpeg"
".gif"="PhotoViewer.FileAssoc.Gif"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap]
"ImageOptionFlags"=dword:00000001
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,\
00,65,00,72,00,5c,00,50,00,68,00,6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,\
65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,36,00,00,\
00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap\DefaultIcon]
@="%SystemRoot%\\System32\\imageres.dll,-70"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap\shell]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap\shell\open]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,\
00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,\
25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,50,00,68,00,6f,\
00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,72,00,5c,00,50,00,68,00,\
6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,65,00,72,00,2e,00,64,00,6c,00,6c,\
00,22,00,2c,00,20,00,49,00,6d,00,61,00,67,00,65,00,56,00,69,00,65,00,77,00,\
5f,00,46,00,75,00,6c,00,6c,00,73,00,63,00,72,00,65,00,65,00,6e,00,20,00,25,\
00,31,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Bitmap\shell\open\DropTarget]
"Clsid"="{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF]
"EditFlags"=dword:00010000
"ImageOptionFlags"=dword:00000001
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,\
00,65,00,72,00,5c,00,50,00,68,00,6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,\
65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,35,00,00,\
00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF\DefaultIcon]
@="%SystemRoot%\\System32\\imageres.dll,-72"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF\shell]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF\shell\open]
"MuiVerb"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,\
72,00,5c,00,70,00,68,00,6f,00,74,00,6f,00,76,00,69,00,65,00,77,00,65,00,72,\
00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,34,00,33,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,\
00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,\
25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,50,00,68,00,6f,\
00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,72,00,5c,00,50,00,68,00,\
6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,65,00,72,00,2e,00,64,00,6c,00,6c,\
00,22,00,2c,00,20,00,49,00,6d,00,61,00,67,00,65,00,56,00,69,00,65,00,77,00,\
5f,00,46,00,75,00,6c,00,6c,00,73,00,63,00,72,00,65,00,65,00,6e,00,20,00,25,\
00,31,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.JFIF\shell\open\DropTarget]
"Clsid"="{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg]
"EditFlags"=dword:00010000
"ImageOptionFlags"=dword:00000001
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,\
00,65,00,72,00,5c,00,50,00,68,00,6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,\
65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,35,00,00,\
00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg\DefaultIcon]
@="%SystemRoot%\\System32\\imageres.dll,-72"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg\shell]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg\shell\open]
"MuiVerb"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,\
72,00,5c,00,70,00,68,00,6f,00,74,00,6f,00,76,00,69,00,65,00,77,00,65,00,72,\
00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,34,00,33,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,\
00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,\
25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,50,00,68,00,6f,\
00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,72,00,5c,00,50,00,68,00,\
6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,65,00,72,00,2e,00,64,00,6c,00,6c,\
00,22,00,2c,00,20,00,49,00,6d,00,61,00,67,00,65,00,56,00,69,00,65,00,77,00,\
5f,00,46,00,75,00,6c,00,6c,00,73,00,63,00,72,00,65,00,65,00,6e,00,20,00,25,\
00,31,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Jpeg\shell\open\DropTarget]
"Clsid"="{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Gif]
"ImageOptionFlags"=dword:00000001
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,\
00,65,00,72,00,5c,00,50,00,68,00,6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,\
65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,37,00,00,\
00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Gif\DefaultIcon]
@="%SystemRoot%\\System32\\imageres.dll,-83"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Gif\shell]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Gif\shell\open]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Gif\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,\
00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,\
25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,50,00,68,00,6f,\
00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,72,00,5c,00,50,00,68,00,\
6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,65,00,72,00,2e,00,64,00,6c,00,6c,\
00,22,00,2c,00,20,00,49,00,6d,00,61,00,67,00,65,00,56,00,69,00,65,00,77,00,\
5f,00,46,00,75,00,6c,00,6c,00,73,00,63,00,72,00,65,00,65,00,6e,00,20,00,25,\
00,31,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Gif\shell\open\DropTarget]
"Clsid"="{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png]
"ImageOptionFlags"=dword:00000001
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,\
00,65,00,72,00,5c,00,50,00,68,00,6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,\
65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,37,00,00,\
00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png\DefaultIcon]
@="%SystemRoot%\\System32\\imageres.dll,-71"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png\shell]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png\shell\open]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,\
00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,\
25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,50,00,68,00,6f,\
00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,72,00,5c,00,50,00,68,00,\
6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,65,00,72,00,2e,00,64,00,6c,00,6c,\
00,22,00,2c,00,20,00,49,00,6d,00,61,00,67,00,65,00,56,00,69,00,65,00,77,00,\
5f,00,46,00,75,00,6c,00,6c,00,73,00,63,00,72,00,65,00,65,00,6e,00,20,00,25,\
00,31,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Png\shell\open\DropTarget]
"Clsid"="{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp]
"EditFlags"=dword:00010000
"ImageOptionFlags"=dword:00000001

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp\DefaultIcon]
@="%SystemRoot%\\System32\\wmphoto.dll,-400"

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp\shell]

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp\shell\open]
"MuiVerb"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,20,00,50,00,68,00,6f,00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,\
72,00,5c,00,70,00,68,00,6f,00,74,00,6f,00,76,00,69,00,65,00,77,00,65,00,72,\
00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,34,00,33,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,\
00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,73,00,\
25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,50,00,68,00,6f,\
00,74,00,6f,00,20,00,56,00,69,00,65,00,77,00,65,00,72,00,5c,00,50,00,68,00,\
6f,00,74,00,6f,00,56,00,69,00,65,00,77,00,65,00,72,00,2e,00,64,00,6c,00,6c,\
00,22,00,2c,00,20,00,49,00,6d,00,61,00,67,00,65,00,56,00,69,00,65,00,77,00,\
5f,00,46,00,75,00,6c,00,6c,00,73,00,63,00,72,00,65,00,65,00,6e,00,20,00,25,\
00,31,00,00,00

[HKEY_CLASSES_ROOT\PhotoViewer.FileAssoc.Wdp\shell\open\DropTarget]
"Clsid"="{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Photo Viewer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities]
"ApplicationDescription"="@%ProgramFiles%\\Windows Photo Viewer\\photoviewer.dll,-3069"
"ApplicationName"="@%ProgramFiles%\\Windows Photo Viewer\\photoviewer.dll,-3009"

Saving the results

To ensure that all this effort is not in vain, I recommend that you edit the registry to disable automatic installation of apps.
To do this, log in under an administrator account. In the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate.
Change the AutoDownload value (default 4):
2 – turn off automatic updates of user apps,
4 – turn on automatic updates of user apps.

WindowsUpdate

Or you can use the following script, which disables automatic updates of applications (save it as a .reg file and run it):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate]
"AutoDownload"=dword:00000002

P.S. I hope the proposed method of removing / restoring apps will make it easier for you to adjust Windows 10 on your PC. After making all of your changes, I also recommend that you reboot your PC.


Collaborate on documents: SharePoint 2016. Part 2. Configure external access

This post continues the series of articles about SharePoint Server. In the first part, we looked at features for collaborating using Office Online and the desktop version of MS Office programs. This article will show you how to start and publish using SharePoint + Office Online.

We consider the case when it is important for the company to keep all the infrastructure and data stored in it under their control. In other words, with an extensive on-premise SharePoint 2016 farm.

Let’s get started.

DNS

In our case, we use Split DNS where the names for internal and external areas are the same.

For example: External domain servilon.com, external names: sp2016.servilon.com and oos2016.servilon.com.

Solution: On the internal DNS, add two new Forward Lookup Zones with the corresponding names: sp2016.servilon.com and oos2016.servilon.com.

add two new Forward Lookup Zones internal DNS

Add an A record pointing to the server’s local address in each zone:

internal DNS new host

Certificate

Issue a certificate for both services right away. We added both names to the subject alternative name (SAN): sp2016.servilon.com and oos2016.servilon.com. To avoid problems on devices outside the domain, the certificate must be issued by a trusted certification authority.

Certificate

We will use this certificate three more times: on the SharePoint Server (in IIS), on the Office Online Server, and in Application Request Routing (ARR) for publishing the sites.

SP Settings

Here we will skip the SharePoint Server installation process, because this topic has been covered in numerous articles, walkthroughs, and on TechNet. Note that Microsoft is pushing us to cooperate and communicate in its Windows 2016 Server: the versioning settings of a document library are already configured for working together by default (Library > Library Settings > Versioning Settings):

  • Document Version History is set to “Create major versions”;
  • Require Check Out is set to “No”.

SharePoint Server settings

It’s time to remember security and our certificate, so we specify it in the Bindings for our SP site.

Bindings for SP site

OOS Settings

MS says the minimum hardware requirements are identical to the requirements for SharePoint Server 2016:

  • RAM: 12GB
  • Processor: 64-bit, quad-core
  • HDD: 80GB

In reality, the test environment RAM can be significantly cut back.

  1. Install the .NET Framework 4.5.2 on the server;
  2. Install the necessary components with the OS command below:

Install-WindowsFeature Web-Server, Web-Mgmt-Tools, Web-Mgmt-Console, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Static-Content, Web-Performance, Web-Stat-Compression, Web-Dyn-Compression, Web-Security, Web-Filtering, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Includes, InkandHandwritingServices, Windows-Identity-Foundation

  3. After installation is finished, reboot the system;
  4. Run the OOS installation; the installation wizard only asks you to specify the installation path;
  5. Configure the OOS farm (using a secure connection – https):
    • Import the previously issued certificate.
    • Create the OOS farm using a PS command:

New-OfficeWebAppsFarm -InternalURL "https://oos.contoso.com" -ExternalURL "https://oos.contoso.com" -CertificateName "Certificate Friendly Name"

create the OOS farm

To enable editing mode on OOS, use the following PS command:

Set-OfficeWebAppsFarm -EditingEnabled

InternalURL and ExternalURL are identical as configured by Split DNS.

Back on the SharePoint server, there are just two commands:

1. In SharePoint 2016 Management Shell run the following command as an administrator:

New-SPWOPIBinding -ServerName "OOS server name"

SharePoint 2016 Management Shell administrator

2. Since our SharePoint is used both internally and externally, you should change the WOPI zone to external-https:

Set-SPWOPIZone -zone "external-https"


Configure publishing on ARR

  1. Import our certificate in IIS.
  2. Specify it in the Bindings of the site.

Configure publishing on ARR


Create two ARR server farms, for sp2016.servilon.com and oos2016.servilon.com.

Edit URL Rewrite at the server level


For SP:

  1. Add a Condition
  2. Paste https:// in Action Properties

Repeat the same actions for OOS.

As a result, we get the following settings:

After editing IIS, restart the service using the following command – iisreset.

You’re done! Now oos2016.servilon.com serves documents for editing in a browser and on mobile devices, and sp2016.servilon.com is the connection point to the SharePoint site.

In the next part, I will try to answer questions asked about OneDrive for Business.


Collaborate on documents with Microsoft: SharePoint 2016, Office Online and everything else. Part 1: What is it?

But Microsoft has been unfailingly persistent – they continue to improve their products all the time, on multiple levels as a result, now we can talk about the established infrastructure of document collaboration offered by Microsoft. It has two classes of software:

  1. Means of public access to documents, including cataloging, version control, distribution of rights and other similar server features. These tools are divided into cloud solutions (OneDrive, SharePoint Online) and on-premise – the SharePoint 2016 Server – deployed in the infrastructure of the customer.
  2. Document editing tools. These include the desktop suite of Microsoft Office applications (which was also updated recently), newly-minted mobile versions of Office, initially focused on co-authoring documents, and, the cherry on the cake – Microsoft’s own server-side implementation of online document editing, Office Online (previously known as Office Web Apps).

All this splendor probably does not make Microsoft quite the “Google Docs killer” of so much repute among tech journalists, but it provides a good alternative to the consumer. This is especially true of corporate customers who already have the MS infrastructure (AD, Exchange, Skype for Business), and those who need, for security purposes, to store all or part of their information locally. For such customers, the new opportunities to work with documents from Microsoft look particularly attractive.

As a result, we thought that we should inform our prospective clients and the general public about these developments, and how to install and configure all this stuff. We’ll also try to get to a comparison with alternative services. Not everybody has time for such a long read, so we’ve decided to split this post into several articles. This is the first one. Here, we’ll go through the co-editing features in each of the Microsoft products that enable it: Office Online, MS Office for desktop and also for mobile devices. It is at this point that we warn you – there will be a lot of attention to the finer points, so an impatient reader can go directly to “Conclusions” at the end of the post. For everybody else, fasten your seat-belts!

Office Online

Office Online Server is quite an interesting application, not yet well known to everyone. Firstly, it allows users to reduce the number of licenses and MS Office installations. Secondly, it enables more ways to access and edit documents – in a nutshell, you only need a browser. Thirdly, it features the best suite of Microsoft collaboration tools to date. Let’s take a closer look.

Word Online


Editing of the document in Office Online can be done by multiple users at the same time, with the changes and the username corresponding to each edit appearing instantly to the other co-authors. Users can simultaneously edit the same section of text, even in one paragraph.


Excel Online


In Excel Online, changes in a cell are displayed to the other co-authors only after the author moves to the next cell. In the meantime, the cell remains active and can be changed by multiple users.


PowerPoint Online


PowerPoint Online allows you to work simultaneously on one slide, but it is better to work on different elements, otherwise users will not see each other’s real time changes.


Office Desktop Version

Working with documents through Office Online is a pleasant experience, except when it comes to significant changes to the formatting. If you want to insert a chart, smart art, table of contents, macros, format tables, use a formula, etc. then you have to use the desktop version of the software. We could write a separate article about the difference between desktop and online functionality. Here, we will review the differences related to the co-authored work.

MS Word

In this application, it is not possible for two different people to edit the same paragraph of text simultaneously.


The changes will be visible to the other co-authors only after the author saves them and other users update the document.

Save and update are integrated into the Save icon (Ctrl + S). Available updates are displayed by an icon next to the author’s name.


MS Excel

In Excel, simultaneous editing of the same document is not possible. Two options are possible – use the online version,

Someone else has this workbook locked error

or get in line.

File in use by someone else

MS PowerPoint

On the contrary, in PowerPoint, simultaneous co-editing is possible. Co-editors can see that someone else is working on a presentation through the “Share” panel.


Available updates are signaled by the inconspicuous “Updates Available” status. The status appears only after the author saves changes, while the changes themselves appear after the document has been updated using the Save icon (Ctrl + S).


Mobile devices

Microsoft Word App and Microsoft PowerPoint App

When working on Android, the paragraph or element you are working on is not locked, and two co-editors can work on it simultaneously – edits become visible to the others a very short time later. The fact that someone else is working on the same element can be seen in the “Share” menu.


On the iPhone, incoming changes arrive as an update notification that offers Apply / Cancel. It would be interesting to test further on Windows Phone with Windows 10.

Microsoft Excel App

Real time collaboration in Excel App is not supported.


Conclusions

In general, co-editing tools from Microsoft can be considered functional, although different components implement it differently. Co-editing is best implemented in Office Online, as it represents real co-working; a nice touch is the feature that displays the names of simultaneous co-editors of a document (moving across your screen). But, unfortunately, for full editing functionality you’d still have to resort to the desktop version of the program, which still needs a “save” button, and there the process of working together is not as user-friendly (Excel suffers most, where things remain at the check-in and check-out level).

In the next post, we’ll show you how to deploy on-premise components for co-authoring and sharing within an enterprise infrastructure. SharePoint 2016 Farm, Office Online Server, the publication – that will all be discussed. Stay tuned.


An IT specialist’s work time can now be monitored with SkypeTime

An easy, flexible and transparent way to tackle the problem of time and attendance management at IT companies.

Like any other company, IT companies providing high tech services – whether software development, IT outsourcing, or remote infrastructure support – need tools to maintain adequate work discipline.

One method traditionally used is a time-and-attendance management system, which provides the employer with detailed information about who was present at their work places and when, which software was open on employees’ office computers, and employee’s web requests, including the ability to use a webcam to monitor employees’ physical presence at their computers.

This method is moderately effective for regular office workers, but it negatively affects the performance of expert teams. There are several reasons for this.

First, a high-tech company’s employees (let’s call them “experts”) do not only work at their desk and during standard work hours. They might need to do some work at night, participate in late meetings due to time zone differences with customers, or simply reach peak performance between 11pm and 4am. Accordingly, it is the actual work performed on the office computer (sometimes remotely from home) that must be estimated, not the time spent in close proximity to it.

Second, experts are usually freedom-loving individuals. Just the thought that some software program is monitoring their activities is demoralizing to innovative teams and, as a result, has a negative effect on their performance.

Third, experts have professional ambitions. The existence of software that discourages work may induce them to fight this software during work hours and at their workplace. This is hardly the effect you desire.

In our view, the best way to account for and monitor employee time is a program that meets several criteria:

  • It should be invisible to employees. Ideally, it should not be detected on employees’ computers.
  • The program should allow estimating the time employees spend accessing their work computer, based not only on when they are physically present but also when they are working remotely. Thus, the system should be able to identify the type of employee presence.
  • The program should support great flexibility in adjusting employees’ schedules. For example, it should allow for rules such as “If not present at work at 9:15 – send notice of absence without leave” or “Allow coming late no more than twice a week,” or “When working with a customer at night, allow time-off until noon or work from home.”
  • The program should ensure the required level of monitoring without encroaching on employees’ privacy (for instance, Internet traffic).
  • The program should not require significant investment in additional servers and system software.

Servilon has developed such a program and we now offer it to you. It is called SkypeTime – a time and attendance management system based on Microsoft Skype for Business.

SkypeTime is an ideal solution for IT companies where:

  • Microsoft Skype for Business is used for corporate communication;
  • Employees’ work is associated with resource intensive software and/or access to internal corporate resources, and therefore requires physical or remote access to an office computer.
  • The work day is not strictly measured by physical presence in an office but rather by the number of hours worked, and can be coordinated with senior management to allow for individual rules and exceptions.

SkypeTime discreetly monitors employees’ work without making them uncomfortable. It provides the flexibility needed to take into account the specific characteristics of the work schedule.

How SkypeTime Works

SkypeTime collects employees’ work statistics based on changes to their Skype status (online, offline, inactive, away, in call, in call – mobile) and based on information about the device from which the status is obtained, which are recorded by the Skype for Business server. In addition, the system receives information from RDGs (Remote Desktop Gateways), and you can see whether an employee accessed a computer locally or remotely (from home or another location).

SkypeTime uses the information received to build accurate work schedule reports that include the following:

  • Start of work day;
  • Lunch breaks;
  • End of work day;
  • Total number of hours worked versus the expected number of hours;
  • Work performed from home.

All components are installed on SkypeTime servers, and Skype4B clients provide the information about presence. In other words, no additional software needs to be installed on employees’ computers. Thus, the monitoring system cannot be removed, blocked, or otherwise affected. Moreover, the system does not interfere with employees’ work, so they cannot have a negative reaction to it.

Close integration with Active Directory and Skype for Business minimizes the effort required to configure SkypeTime – users are added and removed automatically after the integration is complete.


SkypeTime features for monitoring and recording work time

Reports on employees’ work statistics

SkypeTime generates the following reports on employee work:

  • Average and maximum tardiness for a period;
  • Absence history with an indication of whether the manager’s permission had been given;
  • Periods of overtime;
  • Employees ranked by work discipline violations for a period;
  • Summary and detailed reports on daily changes in employees’ statuses;
  • Statistics on employees’ work from home;
  • Departmental summary of the work day (latecomers, absent, current requests, work time for the previous day);
  • Weekly employee summary.

Authorized managers can receive these reports both by accessing the program’s interface and through a regular email.

Work calendar management

SkypeTime allows users to set up an employee work calendar and indicate standard work hours for a specific department or employee. Time zones can be accounted for when setting up your work calendar, thus supporting the work of geographically distributed teams.

The system also lets you keep logs of holiday calendars, create and manage employee requests for time off, and change work schedules.

  • Employees within the same department can plan their holidays easily and avoid overlap by using a shared holiday calendar. This helps prevent key personnel on a project from taking holiday leave at the same time.

Dashboard

Both managers and employees access the system via the Dashboard – an easy-to-use interface that provides access to the following personal and group settings:

  • Create, send and approve requests for holiday, absence with leave, and other personal situations;
  • Manager or employee control over employees’ work schedules;
  • Monitor unused holidays and sick leave days;
  • Manage individual, group and system settings.

Prices and terms for installation

SkypeTime licenses start at $10 for one registered user and depend on the number of user licenses and additional services purchased. Discounts are available if:

  • You are an IT company.
  • You order both the application and services to deploy it.
  • You purchase Microsoft Skype for Business or any other software license from us.
  • You are our client.
  • You are not our client, but you order other services from us along with SkypeTime.

Your purchase of a SkypeTime license gives you one year of free technical support and an annual subscription to all program updates, including new versions. Additionally, for one year from your purchase of SkypeTime you will receive a discount on our other services. Furthermore, when you buy more than 50 licenses you will receive a 50% discount on deployment of Skype for Business.

Contact us for a custom quote for SkypeTime with all applicable discounts.

SkypeTime features

Manager interface


The Manager Interface is a side menu containing all of the application’s functionality, as well as up-to-date information on employees in four separate sections (Latecomers, Absent, Work Time, and Requests). Detailed information is available by clicking on each section’s name.

Employee Dashboard


Employees can work more productively using web data from the Dashboard, which summarizes the information for a selected period of time, e.g. the beginning and end of a work day, planned work time per day / week, overtime, tardiness, and much more.

Employee Requests


Editing employee requests is a key feature in time and attendance management systems. Managers can approve, deny or edit employee requests.

Employee report for a specified time period


Employee summary report

To make it easier to read, the “Report by Period” is generated as both a table and a Gantt chart. This makes it possible to interpret the tabular data in the chart.


This report is a Gantt chart in the form of a table showing how much time the employee spent at work and how much he or she was offline during the working day. More information is available in the “Detailed Report” tab. You can see the device the employee was working from, as well as his or her status in the system and the duration of that status.

Report by holidays


The holiday report contains a list of all employees and indicates the number of used and remaining holiday days during a year/period. The Gantt chart displays employee requests as a horizontal bar showing the number of days. By clicking on the bar, you can edit the request. By clicking on the employee’s name in the table, the request search page opens for the selected employee.


How to enable BITLOCKER on EXCHANGE servers

The Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files for Exchange Server 2013 and Exchange Server 2016.

What is BitLocker?

BitLocker is the built-in Microsoft Windows feature for full disk encryption that offers enhanced protection against data theft on stolen or lost computers or hard disks.

BitLocker first appeared in Windows Vista and Windows Server 2008. Since then, BitLocker functionality has expanded and now includes encrypting data volumes, encrypting only used disk space, and provisioning flexibility.

Windows BitLocker protects data on volumes using the AES (Advanced Encryption Standard) algorithm with a 128-bit (default) or 256-bit key.

How to deploy BitLocker?

BitLocker can be deployed on Exchange servers using the following methods.

  1. Encrypting the operating system volume as well as the Exchange data volumes, either via TPM (recommended) or with the help of network unlock, the Data Recovery Agent and a PKI infrastructure.
  2. Only encrypting the Exchange data volumes.

To use BitLocker in a FIPS-compliant manner, note that if you are not using Windows Server 2012 R2 or later as the base OS, you cannot use recovery passwords for BitLocker. For more details, see What’s New in BitLocker and KB 947249.

Volume Encryption Method

There are two approaches for volume encryption:

  1. Encrypting the entire volume. This option works best when you need to encrypt volumes which already comprise existing messaging data. With a 3TB disk, it will take more than 8 hours to encrypt the disk completely.
  2. Encrypting the used space only. This method works for new deployments or for new disks without existing data.

Prior to beginning the encryption of an entire volume, make sure to set the servers in maintenance mode to prevent impact to end users. Performance can significantly deteriorate (~90% CPU usage) and free OS volume space will be limited (less than ~2GB) while the volume is being encrypted. Remember to deploy BitLocker on one DAG server at a time to ensure availability.

OS Volume and Exchange Data Volume Encryption Scenario

BitLocker provides the most protection when used with a TPM. The TPM is a hardware component installed in the server and we recommend a TPM 2.0 chip. It works with BitLocker to help protect user data and to ensure that a server has not been tampered with while the system was offline.

Specifically, BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original server.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

  • Checks that the early boot file integrity has been maintained, and helps ensure that there has been no malicious modification of those files, such as with boot sector viruses or rootkits.
  • Enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.
  • Locks the system when it is tampered with. If any monitored files have been modified, the system does not start. This alerts the administrator to the tampering, because the system fails to start as usual. In the event that system lockout occurs, follow the BitLocker recovery process, which includes unlocking the system with a password or a USB key.

Important: A TPM can only be used in a physical server deployment. Virtualized servers are not capable of using a TPM. If you encrypt the guest operating system volume, a password or USB key must be used to allow the guest operating system to boot.

Setting up the Environment

The steps below assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist. Open PowerShell with the appropriate Active Directory permissions.

New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

2. Create group policy object and link it to the Exchange Servers OU.

Import-Module grouppolicy # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

3. Install the BitLocker module on the Exchange servers.

  • Open PowerShell with local administrative privileges.
  • Execute Install-WindowsFeature BitLocker -Restart.
  • Reboot the server.

4. Enable TPM on the Exchange servers.

  • Refer to your hardware vendor’s BIOS manual for details on how to enable/activate the TPM.
  • Verify the TPM state by using the Trusted Platform Module Management tool (tpm.msc).

5. Allow TPM Recovery Information to be stored in Active Directory.

  • Open the Exchange Management Shell with an account that has the necessary permissions in Active Directory to apply access control entries.
  • Execute the following.


Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents

6. Configure the BitLocker GPO settings.

  • Open the Group Policy Management Console (gpmc.msc).
  • Navigate the hierarchy to the Exchange Servers OU.
  • Right-click the Exchange Server BitLocker Policy and select Edit.
  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.

  • In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.

  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Operating System Drives.
  • In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do so and click OK.


  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.


  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.


  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
  • In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.


  • Ensure the group policy is applied to the Exchange servers.


$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *

Foreach ($Server in $Servers) {Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer}

  • Enable OS encryption:
    • Create a recovery key: manage-bde -protectors -add -RecoveryPassword C:
    • Execute the following against the operating system drive: manage-bde -on C: -usedspaceonly
  • Enable data volume encryption (C:\ExchangeVolumes\ExVol1 is the mount point of an Exchange data volume; replace as appropriate):
    • Create a recovery key: manage-bde -protectors -add -RecoveryPassword "C:\ExchangeVolumes\ExVol1"
    • Execute the following for each Exchange database volume: manage-bde -on "C:\ExchangeVolumes\ExVol1" -usedspaceonly
    • Execute the following for each Exchange database volume to enable automatic unlock: Enable-BitLockerAutoUnlock -MountPoint "C:\ExchangeVolumes\ExVol1"

Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.

In the situation where a TPM cannot be used (e.g., the server does not have a TPM, or it is virtualized), encrypting the OS volume requires the use of a password or USB key to allow the operating system to boot. As that can be detrimental for a service like Exchange, you could choose not to encrypt the OS volume. Instead, you only encrypt the fixed data volumes. Since the OS volume is not encrypted, the operating system cannot automatically unlock the encrypted volumes on boot. Therefore, one of two things must happen:

  1. An administrator manually enters the recovery key and unlocks each drive after OS boot.
  2. A scheduled task is invoked to unlock the encrypted volumes during OS boot.

The following steps outline how to setup the scheduled task and assume the Exchange Server operating system is Windows Server 2012 R2 or later.

  • Create an Organizational Unit to contain the Exchange servers, if one does not already exist.

New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

  • Create group policy object and link it to the Exchange Servers OU.


Import-Module grouppolicy # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

  • Create BitLocker scheduled task service account (_bitlockersvc).
  • Create security group for BitLocker management, placing the security group in a protected container.


New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local"

Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management"

  • Install the BitLocker module on the Exchange servers.


Install-WindowsFeature BitLocker

  • Reboot the server.
  • Add BitLocker security management group to local administrators group on the Exchange servers.
  • Grant the BitLocker security management group permissions to access the msFVE-RecoveryPassword AD object. This allows the accounts to access the recovery password.


$ExchangeOU = Get-OrganizationalUnit "Exchange Servers"

DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword"

  • Configure the BitLocker GPO settings.
  • Ensure the group policy is applied to the Exchange servers.


$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *

Foreach ($Server in $Servers) {Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer}

Create the script that unlocks the volumes when the operating system boots.

Save the below file to your script directory (e.g., c:\bitlocker).



UnlockDrives.ps1

# Unlock BitLocker data volumes at boot using the recovery passwords stored
# in AD DS under this computer's account (msFVE-RecoveryInformation objects).
Import-Module ActiveDirectory
$computer = Get-ADComputer $env:COMPUTERNAME
$RecoveryInformations = Get-ADObject -LDAPFilter "(msFVE-RecoveryPassword=*)" -SearchBase $computer.DistinguishedName -Properties *
$vols = Get-WmiObject Win32_EncryptableVolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption"
# LockStatus 1 = locked; only those volumes need a recovery password.
$lockedvols = $vols | Where-Object { $_.GetLockStatus().LockStatus -eq 1 }
# Diagnostic output only: lists the key protector IDs of the first volume.
$vols[0].GetKeyProtectors().VolumeKeyProtectorID
foreach ($lockedvol in $lockedvols) {
    # Try every recovery password stored for this computer against the locked volume.
    $RecoveryInformations | ForEach-Object { $lockedvol.UnlockWithNumericalPassword($_."msFVE-RecoveryPassword") }
}

  • Create the scheduled task to run at system start and unlock the volumes, replacing the placeholder values (service account, password and script path) with your own.

Save the below file to your script directory.

  • Execute schtasks /create /s $env:computername /ru contoso\_svcexbitlocker /rp * /XML c:\Bitlocker\UnlockDrivesAtStart.xml /TN UnlockDrivesAtStart (with /rp *, schtasks prompts for the account password instead of taking it on the command line).
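As an added example (this is not the article's own UnlockDrivesAtStart.xml, which this page does not reproduce), the same at-startup task can be registered with the ScheduledTasks module instead of schtasks /XML, together with a check that it runs as the intended account. The script path, task name and service account are placeholders:

```powershell
# Added example, not code from the original article. Registers the UnlockDrives.ps1
# startup task with the ScheduledTasks module and verifies it. Placeholders: the
# script path, the task name and the service account (e.g. contoso\_bitlockersvc).

function Register-UnlockDrivesTask {
    param(
        [string] $ScriptPath = 'C:\Bitlocker\UnlockDrives.ps1',
        [Parameter(Mandatory)] [string] $RunAsUser,       # e.g. contoso\_bitlockersvc
        [Parameter(Mandatory)] [string] $RunAsPassword,
        [string] $TaskName = 'UnlockDrivesAtStart'
    )
    # The unlock script must never hold up boot indefinitely, so cap its run time.
    # -StartWhenAvailable covers the case where the trigger fires before the task host is ready.
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger  = New-ScheduledTaskTrigger -AtStartup
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 15) `
                    -StartWhenAvailable -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $RunAsUser -Password $RunAsPassword -RunLevel Highest -Force
}

function Test-UnlockDrivesTask {
    # Returns $true when the task exists, runs as the expected account and has a boot trigger.
    param(
        [string] $TaskName = 'UnlockDrivesAtStart',
        [Parameter(Mandatory)] [string] $ExpectedUser
    )
    $task   = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $isBoot = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }
    return ($task.Principal.UserId -eq $ExpectedUser) -and [bool]$isBoot
}

# Usage (placeholders):
# Register-UnlockDrivesTask -RunAsUser 'contoso\_bitlockersvc' -RunAsPassword (Read-Host 'Service account password')
# Test-UnlockDrivesTask -ExpectedUser 'contoso\_bitlockersvc'
```

The task runs as the service account that is a member of the BitLocker management group created earlier, so it can read the msFVE-RecoveryPassword objects; the execution time limit keeps a misconfigured task from blocking the server for longer than a few minutes.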

System Changes

It’s important to keep in mind that any of the following system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volumes:

  • Moving the BitLocker-protected drive into a new computer.
  • Installing a new motherboard with a new TPM.
  • Turning off, disabling, or clearing the TPM.
  • Changing any boot configuration settings.
  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
  • Applying BIOS/UEFI firmware updates.

As part of your customary procedure, it’s best to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) before introducing any changes to the server. Additionally, make sure to test any hardware and software configuration changes in a lab setting (that has BitLocker enabled) before deploying in production.

Also, be sure to develop a standard operating procedure for performing a BitLocker recovery, so that downtime is minimized if one is ever needed. For more information, please see the BitLocker Recovery Guide.
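As an added example of the pre-change procedure just described (not code from the original article), the following checks that each volume's recovery password is actually escrowed in AD before BitLocker is suspended for a firmware or boot-configuration change, and confirms protection is back on afterwards. It assumes the ActiveDirectory and BitLocker modules, and the mount points passed in are placeholders:

```powershell
# Added example, not from the original article. Pre-maintenance check for an
# Exchange server before a BIOS/UEFI update or other change that alters TPM measurements.
# Assumes the ActiveDirectory and BitLocker modules and AD escrow enabled by GPO.

Import-Module ActiveDirectory
Import-Module BitLocker

function Test-RecoveryPasswordEscrowed {
    # Returns $true when every listed volume has a recovery password protector;
    # any password not yet found in AD under this computer object is backed up first.
    param([string[]] $MountPoints = @('C:'))

    $computer = Get-ADComputer $env:COMPUTERNAME
    $escrowed = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                    -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryPassword' |
                ForEach-Object { $_.'msFVE-RecoveryPassword' }

    $ok = $true
    foreach ($mp in $MountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            Write-Warning "$mp has no recovery password protector"
            $ok = $false
            continue
        }
        foreach ($p in $rp) {
            if ($escrowed -notcontains $p.RecoveryPassword) {
                # Missing from AD: escrow it now (the GPO must allow storing recovery info in AD DS)
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
                Write-Warning "Escrowed a missing recovery password for $mp to AD"
            }
        }
    }
    return $ok
}

function Start-BitLockerMaintenance {
    # Suspends protection for exactly one reboot: the TPM re-seals against the new boot
    # measurements when the server comes back, and protection resumes automatically.
    param([string[]] $MountPoints = @('C:'))
    if (-not (Test-RecoveryPasswordEscrowed -MountPoints $MountPoints)) {
        throw 'Fix recovery password escrow before suspending BitLocker'
    }
    foreach ($mp in $MountPoints) {
        Suspend-BitLocker -MountPoint $mp -RebootCount 1 | Out-Null
    }
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Complete-BitLockerMaintenance {
    # Run after the change and reboot: resume any volume still suspended and
    # return $true only when every encrypted volume reports protection On.
    $suspended = Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -ne 'On' }
    foreach ($v in $suspended) { Resume-BitLocker -MountPoint $v.MountPoint | Out-Null }
    $remaining = Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -ne 'On' }
    return (@($remaining).Count -eq 0)
}

# Usage: Start-BitLockerMaintenance -MountPoints 'C:'   # then apply the firmware update and reboot
#        Complete-BitLockerMaintenance                    # should return True
```

Only the operating system volume is sealed to the TPM, so suspending it is what prevents a recovery prompt; the data volumes continue to be unlocked by the startup script as long as their recovery passwords are in AD, which is why the escrow check runs first.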

Disk Maintenance Activities

During the server’s lifecycle, disks will die. As part of your standard operating procedures, you need to ensure that when a disk is replaced the new volume is formatted and encrypted via BitLocker.

In the event you are using AutoReseed to recover from failed disks, you have two options: format and encrypt the disks prior to usage, or encrypt after failure.

Format and encrypt the disks prior to usage

In this scenario, your standard operating procedure will be to prevent Disk Reclaimer from formatting hot spare disks. Instead, you will format and encrypt all hot spare disks prior to usage.

  1. Disable Disk Reclaimer on the DAG: Set-DatabaseAvailabilityGroup <DAGName> -AutoDagDiskReclaimerEnabled $false
  2. Format and encrypt all hot spares. Do not assign mount points or drive letters.
  3. As disks fail, AutoReseed will assign the hot spare volumes, replacing the failed volumes, and reseed the afflicted database copies.
  4. Schedule a maintenance window. Replace the failed disks. Format and encrypt.

Encrypt after failure

In this scenario, your standard operating procedure will be to allow Disk Reclaimer to format hot spare disks (default behavior). After the spare is formatted and databases are reseeded, you will encrypt the disk.

  1. As disks fail, AutoReseed allocates, remaps and formats a spare disk.
  2. AutoReseed initiates reseed operations.
  3. Using SCOM, or another operations management tool, you will monitor for events 1127 (initiated reseed of a database) and 826 (completed reseed of a database) that are located in the Microsoft-Exchange-HighAvailability/Seeding crimson channel.
  4. Schedule a maintenance outage for the affected server and encrypt the new volume.
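As an added example for the "encrypt after failure" procedure (not code from the original article), the following looks for completed reseeds via event 826 in the Seeding crimson channel, then encrypts any Exchange data volume that BitLocker still reports as unencrypted and escrows its recovery password to AD. The mount-point root is a placeholder and the BitLocker module is assumed:

```powershell
# Added example, not from the original article. Encrypt-after-failure step for an
# AutoReseed spare: find completed reseeds (event 826), then encrypt volumes that are
# still unprotected. Placeholder: Exchange volumes are mounted under C:\ExchangeVolumes.

Import-Module BitLocker

function Get-CompletedReseed {
    # Event 826 in Microsoft-Exchange-HighAvailability/Seeding = reseed of a database copy completed.
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Exchange-HighAvailability/Seeding'
        Id        = 826
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

function Get-UnprotectedExchangeVolume {
    # Returns Exchange data volumes BitLocker reports as fully decrypted (e.g. a spare
    # that Disk Reclaimer formatted and AutoReseed reseeded).
    param([string] $MountRoot = 'C:\ExchangeVolumes')
    Get-BitLockerVolume |
        Where-Object { $_.MountPoint -like "$MountRoot*" -and $_.VolumeStatus -eq 'FullyDecrypted' }
}

function Protect-ExchangeVolume {
    # Adds a recovery password protector, escrows it to AD so UnlockDrives.ps1 can find it
    # at boot, and returns the volume object for inspection.
    param([Parameter(Mandatory)] [string] $MountPoint)
    # -UsedSpaceOnly is acceptable here because Disk Reclaimer formatted the spare before use.
    $vol = Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -UsedSpaceOnly
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return $vol
}

function Invoke-PostReseedEncryption {
    # Meant to run inside the maintenance outage scheduled after a reseed completes.
    param([string] $MountRoot = 'C:\ExchangeVolumes')
    $reseeds = Get-CompletedReseed
    if (-not $reseeds) { Write-Verbose 'No completed reseed found in the lookback window' }
    foreach ($v in Get-UnprotectedExchangeVolume -MountRoot $MountRoot) {
        Write-Verbose "Encrypting $($v.MountPoint)"
        Protect-ExchangeVolume -MountPoint $v.MountPoint
    }
}

# Usage inside the maintenance window:
# Invoke-PostReseedEncryption -Verbose
# Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage
```

The encryption runs on the server itself, so it belongs in the maintenance outage described in step 4 rather than in the monitoring tool: the monitoring alert on event 826 is what tells you a spare now needs this treatment.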

We hope this post helps you understand BitLocker encryption and configure it for Exchange servers. As demonstrated, the best approach is to use a TPM for storing the recovery data and to let the operating system unlock volumes automatically during boot. If your servers do not have access to a TPM, you can consider encrypting only the data volumes and building a mechanism that ensures the data volumes are unlocked at OS boot.

Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files, both for Exchange Server 2013 and Exchange Server 2016.


MFAS as a Second Authentication Factor

How to Configure Microsoft Azure Multi-Factor Authentication Server (MFAS) as a Second Authentication Factor

Why MS Azure?

  1. Best AD integration, which is very convenient when the same VPN account is used for multiple resources.
  2. Different types of authentication: phone call, SMS or offline OTP code.
  3. Ease of configuration.
  4. High reliability and trust.

As for the downsides, the only thing worth noting may be that it is a paid solution, but security has never been cheap.

Microsoft Azure Configuration

The steps below assume that you have a subscription or you have installed a trial version of Microsoft Azure.

Let’s move directly to the setup process:

  1. Log on to the Azure Portal.
  2. Click the Active Directory tab -> Multi-Factor Authentication Providers -> select Quick Create. Specify the necessary parameters and click Create. After the provider has been created, the "Manage" button becomes available; select it.
  3. Go to Downloads. Download MULTI-FACTOR AUTHENTICATION SERVER. You also need to create an account to activate the server.

.NET Framework 2.0 is required to install this server.

Important: We recommend installing on a separate VM. Skip the configuration wizard during installation.

Server features: user synchronization with AD, a RADIUS server for Cisco ASA, sending authorization requests to the second factor, receiving and processing client responses, and user authentication. It can be installed on both server and client versions of Windows.

  1. When starting the first time, activate using the previously generated account (we do not need replication at this stage).
  2. Set up user integration between AD and our server: in the Directory Integration tab, add a directory that will sync with AD and configure the synchronization settings.

In AD, create a user and synchronize the user database with MFAS:

  • a) Create a test user and enter a phone number.
  • b) Save, then click the "Test..." button in the "Users" tab and enter the user credentials.
  • c) After receiving the phone call at the specified phone number, press "#". Upon successful completion of the test, a success message is displayed.

You can also test SMS-based authentication. To do this, in the client settings, specify the “Text message – One-Way – OTP” authentication method. In this case, the MFAS will ask for an OTP, which will come to your phone in a text message.


In order to associate a user with a mobile device on which the Azure Authenticator app is installed, open and configure the User Portal (Instructions to Install and Configure the User Portal).

You also need to install and configure the Mobile Portal:

  • Go to the C:\Program Files\Multi-Factor Authentication Server directory;
  • Select the correct version and install;
  • After installation, edit the file C:\Inetpub\wwwroot\MultiFactorAuthMobileAppWebService\Web.conf and find the parameters:

    WEB_SERVICE_SDK_AUTHENTICATION_USERNAME
    WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD

    and change their values to match the User Portal parameters.

In the pfup section, change the … parameter to match the … in the User Portal. In our case, “EXTERNALFQDN” is mfa.servilon.com.

Note that to use the User Portal you will need:

– A record in the external DNS zone that will point to the User Portal.

– A trust relationship with the server. Ideally, a "white" (publicly trusted) certificate issued for "EXTERNALFQDN".

After installation and configuration, in order for the User Portal to work correctly, enter the URL to the portal in the “User Portal” tab. If you are using domain user authentication, set “Primary authentication” as Windows Domain.


In the “Mobile App” tab, enter the Mobile App Web Service URL and enable OATH tokens if you want to use your mobile device as a software token.

The app works in one of two modes:

  • Token Mode (the app shows an OATH code that the user enters);
  • Standard mode without a PIN (the app receives an authentication confirmation).

After the portal is configured, to link the mobile device, click on the User Portal link.


The first time you log in, you have to fill out the form with security questions. The user will then receive full access to the portal.

In the “Activate Mobile App” menu, click “Generate New Activation Code”. The portal then displays a QR code and an activation code.

The Azure Authenticator app must be installed on your mobile device (links for iOS, Android and Windows Mobile).

Run the application, tap + and scan the QR code. The account will be synced to your mobile device.

Verify on the server that the device now appears in the user's settings.

Now you can experiment with different authentication modes and see the difference between the Standard and OATH Token modes.


Configuring Radius

Cisco ASA AnyConnect can use a third-party RADIUS server for user authentication. On the ASA, configure the AAA server; on MFAS, configure the RADIUS client (the ASA's address and the shared secret).

Configuring CISCO ASA

Since we are using domain authentication, the ASA must be trusted by the domain. It is also recommended to use a “white” (publicly trusted) certificate for the VPN gateway. In our case, this is vpn.servilon.co.

On ASA, you can configure the AnyConnect VPN gateway with local authentication. Make sure that the connection works, then proceed to configuring authentication through Radius.

Then configure RADIUS. Go to Configuration / Remote Access VPN / AAA/Local Users / AAA Server Groups, and create a group.

Add the server to the group. You need to increase the timeout, because the default value may not be enough for the user to answer the call or enter the code.

Test the connection with the RADIUS server from the ASA before changing any connection profile.
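As an added example (not part of the original article), the following is a minimal RADIUS Access-Request client in PowerShell that exercises the MFAS RADIUS client entry end to end with a client-side timeout long enough for the second factor to complete, mirroring the timeout increase on the ASA. It validates the Response Authenticator so a forged reply is not mistaken for an Access-Accept. The server name, shared secret and test account in the usage line are placeholders:

```powershell
# Added example, not from the original article. Sends one RADIUS Access-Request
# (RFC 2865) to the MFA Server and reports Accept / Reject / Challenge / NoResponse.
# Placeholders: server address, shared secret, user name and password.

function Send-RadiusAccessRequest {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $SharedSecret,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password,
        [int] $Port = 1812,
        [int] $TimeoutSeconds = 60     # phone call / app approval takes longer than a password check
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $requestAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)
    $secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)

    # User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 bytes, then XOR each
    # block with MD5(secret + previous cipher block); the first "previous block" is the Request Authenticator.
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $len    = [int][Math]::Max(16, [Math]::Ceiling($plain.Length / 16) * 16)
    $padded = New-Object byte[] $len
    [Array]::Copy($plain, $padded, $plain.Length)
    $hidden = New-Object byte[] $len
    $prev   = $requestAuth
    for ($i = 0; $i -lt $len; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }

    function New-RadiusAttribute([byte] $Type, [byte[]] $Value) {
        [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)    # Type, Length, Value
    }
    $attrs = [byte[]]((New-RadiusAttribute 1  ([System.Text.Encoding]::UTF8.GetBytes($UserName))) +   # User-Name
                      (New-RadiusAttribute 2  $hidden) +                                              # User-Password
                      (New-RadiusAttribute 32 ([System.Text.Encoding]::UTF8.GetBytes('radius-check'))))  # NAS-Identifier
    $length = 20 + $attrs.Length
    $id     = Get-Random -Minimum 0 -Maximum 256
    # Header: Code 1 = Access-Request, Identifier, Length (big-endian), Request Authenticator
    $packet = [byte[]](@(1, $id, ($length -shr 8), ($length -band 0xFF)) + $requestAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($packet, $packet.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply  = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        return 'NoResponse'   # nothing within the timeout: check the RADIUS client entry, secret and firewall
    } finally {
        $udp.Close()
    }

    if ($reply.Length -lt 20 -or $reply[1] -ne $id) { return 'Malformed' }
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); reject spoofed replies.
    $respAttrs = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected  = $md5.ComputeHash([byte[]]($reply[0..3] + $requestAuth + $respAttrs + $secret))
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String([byte[]]$reply[4..19])) {
        return 'BadAuthenticator'
    }
    switch ($reply[0]) {
        2       { 'Access-Accept' }
        3       { 'Access-Reject' }
        11      { 'Access-Challenge' }   # MFAS asks for the OTP in "Text message - One-Way - OTP" mode
        default { "Unknown-$($reply[0])" }
    }
}

# Usage (placeholders): answer the phone call or approve in the app while this waits.
# Send-RadiusAccessRequest -Server 'mfas.contoso.com' -SharedSecret 'shared-secret' `
#     -UserName 'contoso\testuser' -Password 'user-password' -TimeoutSeconds 60
```

Run it from the ASA's side of the network with the same timeout you set on the AAA server group: a NoResponse with a short timeout and an Access-Accept with a long one is exactly the symptom the timeout increase is meant to fix. An Access-Challenge means the OTP mode is in effect and the client would need to send a second request carrying the code.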

After a successful test, change authentication in the previously configured AnyConnect connection profiles from local to the new group.

Profile configuration:

  1. Change the timeout.
  2. Specify the FQDN for the AnyConnect gateway.

To test the connection with authentication in Standard mode or OATH Token mode, connect to the FQDN and enter the domain credentials.

You will be prompted to enter a code from the mobile app. If you are using Standard mode without a PIN, the application will receive the authentication confirmation.

After verification via the second factor, the user is authenticated and the VPN session is established.

This article describes configuring two-factor authentication for Cisco AnyConnect, but this setup can be implemented for any service that supports authentication via the Radius protocol.
