Monthly Archives: July 2016

New site & New provider, welcome to Azure!

So after much back and forth, I have moved away from WordPress, which has been the host for my blog since I started blogging in 2012. Like many others, I have decided that it is time to move across to Microsoft Azure.

Why did I decide to move it there, instead of to another provider or just leaving it at WordPress?

  • Better control of the content and the underlying infrastructure
  • Monitoring features
  • Eat your own medicine
  • More features in the same plane

So I decided to spin up a couple of LAMP instances, which now run WordPress as the CMS with MySQL. I have a plugin in WordPress that does a copy dump of the WordPress instance, and a MySQL script that does regular backups of the database, which are stored on a separate disk on the host.


I also have another LAMP instance which I use for dev purposes, custom Apache modules and such. I am also using the DNS service in Azure to host my domain, and I use the Azure Load Balancer to easily switch between one server and the other in case I decide to switch over to another version of LAMP.
I also use Application Insights to probe my external DNS name from different locations using HTTP GET (pretty simple), but since it doesn't cost anything in my case it was an easy solution.

I'm also using Azure Backup to back up my virtual machine (since the LAMP instance is using an OS supported by Azure).

And last but not least, I'm using Op Insight to collect all my Syslog events from both the OS and the Apache instance, plus performance data. It also does network analytics on my NSG to spot any abnormal traffic.

NOTE: Since the old site is still getting a lot of traffic, I will still maintain it, and articles will still be posted there, but other content such as whitepapers and ebooks will be published here.

Managing NetScaler upgrades using NITRO API

With the release of NetScaler 11.1 there is a new API module which I haven't seen before: the "install" API, which allows us to handle upgrades/downgrades of NetScaler versions using the NITRO API.

There isn't much about it in the docs yet; luckily I got some response from the NetScaler team at the NetScaler masterclass today, and I got the link I was looking for in the documentation.

The simplest way to do this now (if you don't have MAS or Command Center) is to do it using PowerShell. Note that this does not apply to CPX; I have another blog post coming on that later.

For this to work I placed the latest NetScaler firmware on an IIS server so that the file is reachable over HTTP. I placed the firmware under C:\inetpub\wwwroot on a specific computer, and I can then reference that location in the NITRO API call.

There aren't many parameters available in the API call: you just need to specify where to get the firmware, whether to force the upgrade, and whether to enable callhome.

I've been using the PowerShell cmdlets on GitHub, which you can find here.

So basically I just added another function to it. If you want to try it out without using the entire PowerShell module, you can use this; it is simple and split into two functions. (NOTE: I HAVE HARDCODED THE VARIABLES SO YOU SEE WHICH TO CHANGE AND ADD YOURSELVES.)

function Login-NS {
    # Login to the NetScaler. Replace NSIP, username and password with your own
    # values (the login resource path and JSON shape are the standard NITRO ones).
    $NSIP = "<NetScaler NSIP>"
    $body = ConvertTo-Json @{
        login = @{ username = "<username>"; password = "<password>" }
    }
    Invoke-RestMethod -Uri "http://$NSIP/nitro/v1/config/login" -Body $body -SessionVariable NSSession `
        -Headers @{"Content-Type"="application/json"} -Method POST
    # Keep the authenticated session for the upgrade call
    $Script:NSSession = $local:NSSession
}

function upgrade-NS {
    # Ask the NetScaler to fetch the firmware from the IIS server and install it:
    # url = where to get the firmware, y = force the upgrade, l = enable callhome
    $NSIP = "<NetScaler NSIP>"
    $body = @{
        install = @{
            url = "http://<IIS server>/<firmware file>.tgz"
            y   = $true
            l   = $true
        }
    }
    $body = ConvertTo-Json $body
    Invoke-RestMethod -Uri "http://$NSIP/nitro/v1/config/install" -Body $body -WebSession $NSSession `
        -Headers @{"Content-Type"="application/json"} -Method POST
}


So basically, first run Login-NS (changing the username, password, URI and IP address variables), since you need to authenticate against the NetScaler first. Then run the second command, upgrade-NS, which tells the NetScaler at 171 to fetch the firmware from 106 using that filename and install it from that location.
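As an added example (not from the original post or the GitHub module), here is a pre-flight wrapper around the same install call: it reads the running build from the NITRO nsversion resource and verifies the firmware file's SHA256 against the checksum recorded from the Citrix download page before asking the NetScaler to pull the file from the IIS server. The NSIP, firmware URL, expected hash and session parameters are placeholders; the nsversion and install resources and the url/y/l parameter names are taken from the NITRO 11.1 documentation rather than from the post.

```powershell
# Added pre-flight wrapper around the NITRO install call (example, not the post's code).
# Assumptions: $NSIP is the NetScaler NSIP, $FirmwareUrl is the build file on the IIS
# server, $ExpectedSha256 is the checksum recorded from the download page, and
# $Session is the authenticated session created by Login-NS.

function Get-NSVersion {
    param([string]$NSIP, [Microsoft.PowerShell.Commands.WebRequestSession]$Session)
    # nsversion is a read-only NITRO resource, e.g. "NetScaler NS11.1: Build 47.14.nc, ..."
    $r = Invoke-RestMethod -Uri "http://$NSIP/nitro/v1/config/nsversion" -WebSession $Session -Method GET
    return $r.nsversion.version
}

function Test-FirmwareHash {
    param([string]$Url, [string]$ExpectedSha256)
    # Fetch the same file the NetScaler will pull over plain HTTP and compare the SHA256
    # before the upgrade is triggered; a corrupt or swapped file fails here, not on the box.
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetFileName($Url))
    Invoke-WebRequest -Uri $Url -OutFile $tmp
    $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    Remove-Item $tmp -Force
    return ($actual -eq $ExpectedSha256.ToUpperInvariant())
}

function Invoke-NSUpgrade {
    param([string]$NSIP, [string]$FirmwareUrl, [string]$ExpectedSha256,
          [Microsoft.PowerShell.Commands.WebRequestSession]$Session)

    Write-Host ("Running before upgrade: " + (Get-NSVersion -NSIP $NSIP -Session $Session))

    if (-not (Test-FirmwareHash -Url $FirmwareUrl -ExpectedSha256 $ExpectedSha256)) {
        throw "Firmware at $FirmwareUrl does not match the expected SHA256; upgrade not started."
    }

    # Same install resource as in the post: url = where to fetch the firmware,
    # y = force the upgrade (no yes/no prompt), l = enable callhome.
    $body = ConvertTo-Json @{ install = @{ url = $FirmwareUrl; y = $true; l = $true } }
    Invoke-RestMethod -Uri "http://$NSIP/nitro/v1/config/install" -Body $body -WebSession $Session `
        -Headers @{"Content-Type"="application/json"} -Method POST
}

# Usage (after Login-NS has populated $Script:NSSession):
# Invoke-NSUpgrade -NSIP "<NetScaler NSIP>" -FirmwareUrl "http://<IIS server>/<build>.tgz" `
#     -ExpectedSha256 "<checksum from the download page>" -Session $Script:NSSession
```

The install call reboots the appliance once the download completes, so run Get-NSVersion again after it is back to confirm the new build.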

Security overview of Windows 10 and a dive into Windows Defender Advanced Threat Protection

Remember back to the Windows XP/Vista days? Life was a lot simpler from a security perspective. Yeah, we got viruses and malware, yeah we got spyware, and yeah we got malware like we have been used to for the last decade. What did Microsoft have to offer us in terms of protection and security mechanisms?

  • We got introduced to User Account Control (UAC) in Vista
  • We got introduced to Windows Defender which was a form of Forefront Protection
  • We got security updates and such from Windows update
  • We got Bitlocker to do drive encryption
  • Windows Firewall could filter ingoing and outgoing traffic!
  • Drivers needed to be digitally signed!

But of course a lot was still up to the third-party vendors which delivered their endpoint security solutions (Norman, Symantec, Trend, etc.), which were there to stop whatever else tried to come in.

A lot was introduced into the operating system, especially in Vista, to try to protect against viruses and malware which required elevated user rights (which was the aim of UAC). Now fast forward to 2016: the security landscape has changed, and most IT pros know that in most cases it is not a question of if you get hacked, because in most cases YOU will get hacked! Microsoft is fully aware of this and has stepped up their game (leveled up to lvl 100!).

Organized crime is now the largest threat, and we have different types of ransomware which automatically encrypt files and demand large amounts of money to decrypt them. These ransomware families are always evolving, which makes it hard to rely on signature-based detection, so it is often a case of trying to minimize the damage.

Another issue is usernames and passwords: with the large number of websites getting hacked each day, and people reusing the same username and password both at work and for personal stuff, two-factor authentication is becoming more and more the de facto standard.

And of course in larger enterprises there is always the risk of getting hacked from the "inside", so security mechanisms are needed which can protect against these types of attacks as well.

So there have been numerous security enhancements in Windows 10, because Microsoft wants consumers to have built-in protection instead of the 60-day trial of some "random" third-party vendor they get when they buy a PC from the store.

So what's new from a security perspective in Windows 10?

  • Microsoft Passport
      • Windows Hello (which allows biometric or PIN-based two-factor authentication, making two-factor authentication more user friendly)
  • Credential Guard (Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack.)
  • Windows Defender (with Network Inspection System) which is now enabled by default
  • Network-based unlock for BitLocker (Network Unlock, which allows corporate computers to boot without typing the BitLocker PIN on corporate networks)
  • SMB signing and mutual authentication (such as Kerberos) for SYSVOL (to mitigate MitM attacks)
  • UEFI Secure boot
  • Early Launch Antimalware (Which allows certified antimalware solutions to start before malware processes start to run)
  • Health Attestation (The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health.)
  • Device Guard (only allows running code that's signed by trusted signers, as defined by your Code Integrity policy)
  • Windows Heap
    • Internal data structures that the heap uses are now better protected against memory corruption.
    • Heap memory allocations now have randomized locations and sizes, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
    • Windows 10 uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.

So all these security features are included in the operating system. But what if a disgruntled employee wants to take files outside of the business, or files get lost on a USB thumb drive? There are more features to come!

First is Windows Information Protection (formerly known as Enterprise Data Protection), which is coming in the next release of Windows 10 (the Windows 10 Anniversary Update).

This feature allows for separation of personal and corporate data, and whatever device the data resides on, it can be wiped. Based on policy, data can be encrypted at rest.

This is also visible when saving files to the local system, where corporate content can be stored in specific folders.

Now, this feature handles data protection and leak protection of files. But back to ransomware and the like: in many cases it is about minimizing the threats that occur and getting an overview of what's happening. Microsoft found that it takes an enterprise more than 200 days to detect a security breach and 80 days to contain it. During this time, attackers can wreak havoc on a corporate network.

Windows Defender Advanced Threat Protection

Enter Windows Defender Advanced Threat Protection! This feature is now in public preview and will be available for Windows 10 Enterprise users. It leverages the Windows Defender component in Windows 10 to do post-breach investigation; it is "not a real-time protection feature". The feature consists of 3 parts:

1. The Client: built into Windows 10 Anniversary Update, it logs detailed security events and behaviors on the endpoint. It's a fully integrated component of the Windows 10 operating system.

2. Cloud Security Analytics Service: combines data from endpoints with Microsoft’s broad data optics from over 1 billion Windows devices, 2.5 trillion indexed Web URLs, 600 million online reputation look-ups, and over 1 million suspicious files analyzed to detect anomalous behaviors, adversary techniques and identify similarities to known attacks. The service runs on Microsoft’s scalable Big Data platform, and combines Indicators of Attacks (IOAs), behavioral analytics, and machine learning rules.

3. Microsoft and Community Threat Intelligence: Microsoft’s own Hunters and researchers constantly investigate data, identify new behavioral patterns, and correlate collected data with existing Indicators of Compromises (IOCs) collected from past attacks and the security community.

Since the agent is already "built-in", it's a matter of onboarding the client and getting it up and running. As part of the public preview I have added one of my computers to the solution.


As we can see, we have a timeline of the different processes and threats that get detected. I did a simple EICAR test, which was automatically removed by Windows Defender but was also recorded in ATP.


I can also do a deeper dive into a specific event to see what happened.


I can also see, for instance, which IP addresses have been communicated with from the corporate network, for instance if a computer or a group of computers has been communicating with a "known" botnet C&C.


We can also deep-dive into detected malware to see occurrences world-wide from Microsoft's data (a lot of EICAR occurrences...). I can also see if it has been observed by other agents in the organization.


NOTE: I had some issues with the agent on my laptop, since for some reason it only reported back data every 60 minutes. This was because my laptop wasn't connected to a power source, so in order to reduce battery usage it fell back to that setting. It will do the same on a metered connection. When I connected a power source again, it went back to sending data every 5 minutes.

I see this solution as a preview of what's to come from ATP. As of now it gives good insight into "what's happening", and using the timeline we get a good overview of the history. Given that Microsoft has a lot of data from billions of devices, from Windows Update, Defender and System Center Endpoint Protection, and that a lot of new data will come from Microsoft OMS as well, this will clearly be the stepping stone to more advanced protection features from Microsoft.

Setting up NMAS with remote Docker integration with Ubuntu docker hosts

I've previously blogged about setting up NMAS and setting up NetScaler CPX

CPX here –>

Now, with the upcoming features in NMAS, one of the cool things is being able to manage and deploy CPX instances directly from NMAS. All we need to do is configure the Docker hosts properly with the remote Docker API (which means that we do not need to install the CPX on the Docker host manually). Remember that CPX is only supported on Ubuntu!

It's been tricky to find the correct setup for the remote API, since this is the API that NMAS uses to configure the CPX instances. So here are the steps that need to be done on the Docker host before we can manage it using NMAS.

Edit the file /lib/systemd/system/docker.service using, for instance, vi:

sudo vi /lib/systemd/system/docker.service

Edit the ExecStart line so it looks like this.

ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://

After this change has been made, save the file (which in vi is typically done using ZZ). Then run the systemctl daemon-reload command and restart the Docker service. Note that the daemon now accepts connections on that TCP listener without any authentication, so make sure only the NMAS server can reach the port.

sudo service docker restart

Then, last but not least, use curl to see if it is communicating properly using the default remote API port 4232.

curl http://localhost:4243/version


And voila! All the configuration is done on the Ubuntu host, and it can now be added into NMAS. Go into the NMAS console, then Infrastructure –> Instances –> NetScaler CPX –> Docker hosts and click Add (enter the IP address of the Ubuntu host).


and voila!


So now I can go and provision CPX instances based upon the image I have.


After the instance has been added, I get a dashboard view of the CPX instance running in NMAS.


So now I can get started with setting up services and provisioning other instances. Learn more in our upcoming webinar on July 13 –>