How to capture Linux VM in Azure

Images are used in Azure to provide a new virtual machine with an operating system. An image might also have one or more data disks. Images are available from several sources:

  • Azure offers images in the Marketplace. There are recent versions of Windows Server and distributions of the Linux operating system. Some images also contain applications, such as SQL Server. MSDN Benefit and MSDN Pay-as-You-Go subscribers have access to additional images.
  • The open source community offers images through VM Depot.
  • You can also store and use your own VM or OS images in Azure, either by capturing an existing Azure virtual machine for use as an image or by uploading an image.

There is a small difference between a VM image (the newer type) and an OS image. A VM image can include a disk with a generalized OS (the equivalent of sysprep in the Windows Server world) plus the data disks attached to the VM; an OS image includes only the OS disk.

I’ll show you how to make a new VM image from a Linux VM created in Azure Resource Manager. You can use this image to create VMs in any resource group within your subscription (thanks to Azure managed disks).

Before we start, download and install the latest Python.

Launch CMD, verify Python’s version and install Azure CLI 2.0:

python --version
pip install --user azure-cli


Open an SSH session to your VM (use the Azure public IP and the root credentials) and start the VM’s deprovision (read the WARNINGS first!):

sudo waagent -deprovision+user -force


Now the VM is ready for generalizing.

Switch back to CMD and change directory to C:\Users\yourusername\AppData\Roaming\Python\Python35\Scripts.
Log in to your Azure account using Azure CLI (use the received code to authenticate):

az login


Select the subscription in which the source VM is running:

REM To list all subscriptions and get their IDs
az account list

REM To select the target subscription
az account set --subscription subid


Stop and deallocate the source VM:

az vm deallocate --resource-group "groupname" --name "vmname"


Time to generalize the VM and create the VM image:

az vm generalize --resource-group "groupname" --name "vmname"
az image create --resource-group "groupname" --name "ImageName" --source "SourceVMName"

Get the image list from the CLI and copy the image ID; the new image also appears under Images in the Azure portal.

Now we are ready to create a VM, or a bunch of VMs, from this image:

az vm create --resource-group "groupname" --name "VMname" --image "imageid" --admin-username username --authentication-type password --admin-password "cleartexthere"


Note: the VM size and storage type will be selected automatically by Azure. Define them manually if required (see the example below).

A simple batch script that creates a bunch of VMs named test-VM-0x, with a predefined VM size and storage type:

for /L %%n in (1,1,9) do (
az vm create --resource-group "groupname" --name test-VM-%%n --storage-sku "StorageTypeHere (example: Standard_LRS)" --size "VMsize (example: Basic_A4)" --image "image id here" --admin-username adminname --authentication-type password --admin-password "password here"
)

Result: the VMs created by the script appear in the portal.
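The whole capture-and-clone procedure above as one script, written for this page as an added example (not the post’s own code). It assumes Azure CLI 2.x on PATH, that `az login` and `az account set` have already been run, and uses placeholder names; it adds the two checks a practitioner wants: it refuses to run the irreversible `az vm generalize` unless Azure confirms the VM is deallocated, and it uses SSH-key authentication for the clones so no clear-text admin password ends up on the command line or in shell history.

```powershell
# Added example, not from the original post: the capture-and-clone workflow above as one
# script with the checks a practitioner wants. Assumes Azure CLI 2.x on PATH and that
# 'az login' / 'az account set' have already been run; the names are placeholders.
param(
    [string]$ResourceGroup = 'groupname',
    [string]$SourceVm      = 'vmname',
    [string]$ImageName     = 'ImageName',
    [int]$CloneCount       = 3,
    [switch]$DryRun                      # print the az commands instead of running them
)
$ErrorActionPreference = 'Stop'

function Invoke-Az {
    param([string[]]$Arguments)
    if ($DryRun) { Write-Host "az $($Arguments -join ' ')"; return }
    & az @Arguments
    if ($LASTEXITCODE -ne 0) { throw "az $($Arguments[0..1] -join ' ') failed (exit $LASTEXITCODE)" }
}

# Azure's own power-state code for the VM, e.g. 'PowerState/deallocated'.
function Get-VmPowerState {
    az vm get-instance-view -g $ResourceGroup -n $SourceVm `
        --query "instanceView.statuses[?starts_with(code,'PowerState/')].code" -o tsv
}

Invoke-Az @('vm','deallocate','--resource-group',$ResourceGroup,'--name',$SourceVm)

# 'az vm generalize' is irreversible (the source VM can never boot again), so refuse to
# run it unless Azure confirms the VM is deallocated.
if (-not $DryRun) {
    $state = Get-VmPowerState
    if ($state -ne 'PowerState/deallocated') { throw "Refusing to generalize: $SourceVm is '$state'" }
}
Invoke-Az @('vm','generalize','--resource-group',$ResourceGroup,'--name',$SourceVm)
Invoke-Az @('image','create','--resource-group',$ResourceGroup,'--name',$ImageName,'--source',$SourceVm)

# The image name resolves only inside the same resource group; other groups need the full ID.
$imageId = if ($DryRun) { $ImageName } else { az image show -g $ResourceGroup -n $ImageName --query id -o tsv }

# Clones get an explicit size and storage SKU, and SSH-key authentication, so no clear-text
# admin password appears on the command line or in shell history / transcripts.
1..$CloneCount | ForEach-Object {
    $name = 'test-VM-{0:D2}' -f $_
    Invoke-Az @('vm','create','--resource-group',$ResourceGroup,'--name',$name,
                '--image',$imageId,'--size','Standard_B1s','--storage-sku','Standard_LRS',
                '--admin-username','azureuser','--authentication-type','ssh','--generate-ssh-keys')
}
```

Run it once with `-DryRun` to review the exact az commands before letting it touch the subscription.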

How easy is it to track Group Policy changes using the event log?

Group Policy Objects contain the settings that control almost everything in Active Directory, including sites, domains, organizational units, users, groups, computers and other objects. In large enterprises, multiple administrators manage objects centrally through the Group Policy Management Console (GPMC) from different computers in the domain. Often, users complain that their system settings have been changed without their knowledge.

Group Policy Auditing with Windows

Occasionally the IT team is responsible for these changes; however, it is also possible that someone with the right to make changes in the Group Policy Management Console has altered settings without authorization. Such changes to Group Policy Objects often remain unknown to others and create accountability issues. It is therefore very important to audit these changes, to know who made which change, when, and from which location.

GPO auditing has been possible since Windows 2000 Server; however, it was always a bit noisy and did not provide granular levels of detail. In the latest versions of Windows Server, Microsoft introduced advanced auditing, where administrators can determine granularly what to audit and what not to audit, thus producing a manageable number of log entries.

Group Policy is used to perform numerous tasks, including configuring auditing and deciding what users can or cannot access. It is therefore necessary to monitor Group Policy changes. But how? Here you will see the steps to enable Group Policy auditing in Active Directory.

How to enable auditing of Group Policy Objects

A Group Policy Object is stored in two parts: the Group Policy Template (which defines the GPO’s settings) and the Group Policy Container (an object in Active Directory pointing to the GPO template). Group Policy Templates are stored in the %SystemRoot%\SYSVOL folder. Auditing of the SYSVOL folder, of Group Policy Container objects and of DS objects has to be enabled in order to audit Group Policy Objects.

How to enable auditing of DS objects

Perform the following steps to enable auditing of Directory Service Objects:

  1. Launch Group Policy Management Console (GPMC) from the “Administrative Tools” in the “Start Menu”.
  2. Go to Forest -> Domains -> Domain Controllers.
  3. Right-click “Default Domain Controllers Policy”, and click on “Edit” to access “Group Policy Management Editor” (GPMC Editor).
  4. The GPMC Editor window opens up. In the editor window navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies”.
  5. Select “DS Access” in the Audit Policies. The following policies will be displayed in it:
     I. Audit Directory Service Access
     II. Audit Directory Service Changes
     III. Audit Directory Service Replication
     IV. Audit Detailed Directory Service Replication
  6. One by one, double-click these policies, and enable their auditing for both “Success” and “Failure”.
  7. Do the same steps to enable the auditing of “Object Access” -> “Audit File System” in “Advanced Audit Policy Configuration”.
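Once the policy above has applied, a practitioner wants to confirm that the subcategories are actually effective on the domain controller and that GPO changes now show up in the Security log. The script below is an added example for this page (not the article’s own): it reads the effective audit policy with auditpol and decodes the resulting directory-service change events. The event IDs 5136/5137/5141 (directory service object modified/created/deleted) and the groupPolicyContainer object class are standard Windows values; the 24-hour lookback window is an assumption.

```powershell
# Added example, not from the original article: verify on a domain controller that the
# DS Access / File System subcategories are effective, then list GPO container changes.
param([int]$Hours = 24)   # lookback window (assumption)

$Subcategories = @(
    'Directory Service Access', 'Directory Service Changes',
    'Directory Service Replication', 'Detailed Directory Service Replication', 'File System'
)

# auditpol reports the *effective* policy, i.e. what the Default Domain Controllers Policy
# actually applied, so it catches a GPO that has not replicated or refreshed yet.
function Test-AuditSubcategory {
    param([string]$Name)
    $row = auditpol /get /subcategory:"$Name" /r | ConvertFrom-Csv | Select-Object -First 1
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{ Subcategory = $Name; Setting = $setting; Ok = ($setting -eq 'Success and Failure') }
}

# 5136 = object modified, 5137 = object created, 5141 = object deleted (Security log).
# Only events whose ObjectClass is groupPolicyContainer are GPO changes; decode who, what and which attribute.
function Get-GpoChangeEvents {
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data.ObjectClass -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                GpoDN     = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName   # e.g. versionNumber on every GPO edit
                Value     = $data.AttributeValue
            }
        }
    }
}

$Subcategories | ForEach-Object { Test-AuditSubcategory -Name $_ } | Format-Table -AutoSize
Get-GpoChangeEvents -Hours $Hours | Format-Table -AutoSize
```

Any row with Ok = False means the GUI steps above have not taken effect on that domain controller yet; run `gpupdate /force` there and re-check before relying on the events.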
