Categories
Random

OSCAL Introductory Overview (High level)

OSCAL

…OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. (OSCAL – Open Security Controls Assessment Language)

  • Easily access control information from security and privacy control catalogs
  • Establish and share machine-readable control baselines
  • Maintain and share actionable, up-to-date information about how controls are implemented in your systems
  • Automate the monitoring and assessment of your system control implementation effectiveness

Problem(s) Definition

Static documentation and point-in-time auditing is not scalable or maintainable.

So – we need to move to:

  • Security as Code
  • Docs as Code / Policy as code
  • Compliance as code
  • Audit as Code
  • Risk as Code

Solution… OSCAL?

Integration of InfoSec and Operations

  • Unified Security Framework: OSCAL provides a structured, standardized format for representing security controls, assessments, and system configurations. This allows InfoSec, compliance, and risk data to be integrated directly into IT operations and monitoring tools.
  • Automated Compliance Monitoring: OSCAL is machine-readable, which enables automated monitoring of compliance status across various standards (ISO 27001, PCI DSS, NIST 800-53, etc.). It can help keep compliance and InfoSec teams in sync with real-time IT operations.
  • Alignment with Continuous Monitoring: OSCAL facilitates a continuous approach to compliance by embedding compliance checks within the CI/CD pipeline, helping teams maintain compliance as part of routine IT operations.

De-duplicate Compliance

  • Standardized, Interoperable Format: OSCAL provides a common language for multiple security and compliance standards, enabling organizations to map controls across frameworks (e.g., ISO 27001, NIST 800-53, GDPR, Essential Eight) without duplicating work.
  • Control Mapping: OSCAL enables the mapping of controls between different frameworks, allowing organizations to efficiently demonstrate compliance with multiple standards simultaneously.
  • Reuse of Control Implementations: By using OSCAL, organizations can document controls once and reuse them across multiple standards, reducing the effort needed to comply with additional frameworks.

Handle emerging IT Patterns

  • Dynamic and Automated Documentation: OSCAL supports a “docs as code” approach, where documentation is maintained as machine-readable code. This helps keep security and compliance documentation up to date automatically, even as infrastructure and configurations change frequently.
  • Alignment with IaC and CaC: OSCAL is designed to work alongside Infrastructure as Code (IaC) and Configuration as Code (CaC), enabling real-time validation of compliance as infrastructure changes are deployed.
  • Support for Continuous Compliance: Since OSCAL models are machine-readable, compliance checks can be integrated into CI/CD pipelines, providing continuous compliance validation instead of relying on point-in-time audits.

Dynamic documentation and reporting

  • Machine-Readable, Version-Controlled Documentation: With OSCAL, compliance documentation can be version-controlled, traceable, and maintainable. This is essential for adapting to changes in dynamic environments like cloud and DevOps.
  • Audit as Code: OSCAL enables automated auditing by allowing assessments to be defined as code. This helps maintain an accurate picture of compliance posture and enables on-demand, real-time audits.
  • Reduction of Documentation Errors: By automating compliance and risk management, OSCAL reduces the risk of human error in documentation, helping ensure that reports and records are up to date and accurate.

Security, Compliance, Policy as Code

  • Compliance as Code: OSCAL enables organizations to define compliance requirements as code, automating adherence to various regulatory standards. This helps reduce time and effort in maintaining compliance across multiple standards.
  • Policy as Code: OSCAL can work with policy engines (like OPA) to enforce policies directly within cloud and containerized environments, making policies enforceable and traceable.
  • Security as Code and Risk as Code: With OSCAL, security and risk management activities can be managed as code, automating assessments, updating control implementations, and maintaining an accurate view of risk at any given time.

Improve accuracy and efficiency

  • Scalable Compliance Management: OSCAL provides a modular and extensible approach to compliance, which can scale with organizational growth. Its support for automated assessments and control documentation reduces the need for manual updates.
  • Improved Incident Response and Decision-Making: By providing an accurate, up-to-date picture of the security posture, OSCAL improves decision-making, especially during incident response. Real-time insights into compliance reduce the chances of errors due to outdated information.
  • Consistency Across Environments: OSCAL’s machine-readable formats ensure consistent compliance documentation and processes across all environments—whether cloud, on-premises, or hybrid—reducing the potential for configuration drift or misalignment between standards.

Key Concepts / Terms

1. Control
  • A requirement or guideline that, when implemented, mitigates risks associated with information systems. Controls are central to frameworks and standards for security and privacy.
  • Control Objective
    • Describes the intended outcome of a control, specifying what it aims to achieve in terms of security and compliance.
  • Control Enhancement
    • Additional, optional requirements that extend a control’s effectiveness or specificity. Enhancements offer extra layers of security or risk reduction.
  • Statement
    • A specific requirement within a control, providing a unit of meaning that can be evaluated for compliance.
  • Control Parameter
    • Variable aspects within a control that allow customization (e.g., password length). Parameters help tailor controls to organizational needs.
  • Control Parameter Value
    • The specific value assigned to a control parameter, used to set details like minimum password length in a control implementation.
2. Catalog
  • An organized collection of controls within a framework. Catalogs allow for grouping controls and, when needed, include subordinate control requirements, control objectives, assessment methods, references, and other content.
  • Control (as defined above)
  • Control Implementation
    • Describes how each control in the catalog is implemented by an organization, including the settings, roles, and configurations specific to that organization.
  • Implemented Requirements
    • The documented controls that an organization has put in place, aligned with the overall compliance program.
3. Profile
  • A tailored selection or view of controls within a catalog, allowing customization based on specific standards, regulations, or internal policies.
  • Parameter (within a Profile context)
    • A variable within the profile that allows control customization, often by setting specific values for requirements based on the organization’s needs.
4. Assessment Plan
  • A document describing the scope, objectives, and methodology of a security assessment, which outlines the controls to be tested and assessment methods to be used.
  • Assessment Objective
    • Specifies what will be evaluated during the assessment to verify compliance with control requirements.
5. Assessment Results
  • A record of findings from an assessment, noting compliance or non-compliance with controls and including remediation recommendations.
6. Component Definition
  • A modular structure that defines a specific component or group of related components (e.g., software, hardware), including configuration details and associated controls.
7. Party
  • An entity, such as a person, organization, or role, associated with a control, component, or assessment process. Parties clarify responsibilities and ownership.
8. Metadata
  • Descriptive information about an OSCAL document, such as author, date, version, and associated standards. Metadata aids in tracking and managing documents.
9. Back Matter
  • The section of an OSCAL document that includes appendices, references, and external documents, providing additional context or support for controls and implementation
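To make the catalog, profile, control parameter and parameter value concepts above concrete, here is an added example (not NIST's OSCAL tooling and not code from the original post) that performs a deliberately simplified OSCAL profile resolution in Python. The catalog and profile are constructed toy documents that follow the OSCAL JSON layout (catalog → groups → controls → params/parts; profile → imports/include-controls/with-ids and modify/set-parameters); the placeholder form `{{ insert: param, <param-id> }}` is the OSCAL prose convention. Only control selection and parameter substitution are implemented; NIST's full profile-resolution specification (merging, alters, nested imports) is out of scope. It also serves the first user story below, where a profile is used to tailor a control set for one standard.

```python
"""Simplified OSCAL profile resolution (added example, not NIST code)."""
import json
import re

# Constructed toy catalog. Two controls carry parameters written in the
# OSCAL prose placeholder form "{{ insert: param, <param-id> }}".
CATALOG_JSON = json.dumps({"catalog": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "Toy Catalog", "version": "1.0", "oscal-version": "1.1.2"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures",
             "parts": [{"id": "ac-1_smt", "name": "statement",
                        "prose": "Develop and disseminate an access control policy."}]},
            {"id": "ac-7", "title": "Unsuccessful Logon Attempts",
             "params": [{"id": "ac-7_prm_1", "label": "number"},
                        {"id": "ac-7_prm_2", "label": "time period"}],
             "parts": [{"id": "ac-7_smt", "name": "statement",
                        "prose": "Enforce a limit of {{ insert: param, ac-7_prm_1 }} consecutive "
                                 "invalid logon attempts during a {{ insert: param, ac-7_prm_2 }} period."}]}]},
        {"id": "ia", "title": "Identification and Authentication", "controls": [
            {"id": "ia-5", "title": "Authenticator Management",
             "params": [{"id": "ia-5_prm_1", "label": "minimum password length"}],
             "parts": [{"id": "ia-5_smt", "name": "statement",
                        "prose": "Enforce a minimum password length of {{ insert: param, ia-5_prm_1 }} characters."}]}]},
    ]}})

# Constructed toy profile: selects ac-7 and ia-5 but sets only ac-7's parameters,
# so ia-5's parameter is left for the implementer and is reported as unset.
PROFILE_JSON = json.dumps({"profile": {
    "uuid": "22222222-2222-4222-8222-222222222222",
    "metadata": {"title": "Toy Baseline", "version": "1.0", "oscal-version": "1.1.2"},
    "imports": [{"href": "#toy-catalog",
                 "include-controls": [{"with-ids": ["ac-7", "ia-5"]}]}],
    "modify": {"set-parameters": [
        {"param-id": "ac-7_prm_1", "values": ["3"]},
        {"param-id": "ac-7_prm_2", "values": ["15 minutes"]}]}}})

PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([\w.-]+)\s*\}\}")


def iter_controls(node):
    """Yield every control under a catalog or group, descending into nested
    groups and nested controls (enhancements appear as child controls)."""
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)
    for group in node.get("groups", []):
        yield from iter_controls(group)


def selected_ids(profile):
    """Control ids the profile imports via include-controls/with-ids."""
    return [cid for imp in profile.get("imports", [])
            for sel in imp.get("include-controls", [])
            for cid in sel.get("with-ids", [])]


def parameter_values(profile):
    """param-id -> list of values from the profile's modify/set-parameters."""
    return {sp["param-id"]: sp.get("values", [])
            for sp in profile.get("modify", {}).get("set-parameters", [])}


def statement_prose(control):
    """Join the prose of the control's 'statement' parts."""
    return " ".join(p.get("prose", "") for p in control.get("parts", [])
                    if p.get("name") == "statement")


def resolve(catalog_doc, profile_doc):
    """Return ({control-id: {"title", "statement"}}, {control-id: [unset param ids]}).

    Raises KeyError if the profile selects a control the catalog lacks, the
    usual symptom of a profile pointing at the wrong catalog version.
    """
    by_id = {c["id"]: c for c in iter_controls(catalog_doc["catalog"])}
    profile = profile_doc["profile"]
    values = parameter_values(profile)
    resolved, unset = {}, {}
    for cid in selected_ids(profile):
        if cid not in by_id:
            raise KeyError(f"profile selects {cid!r}, which the catalog does not define")
        control = by_id[cid]

        def substitute(match, cid=cid):
            pid = match.group(1)
            if values.get(pid):
                return ", ".join(values[pid])
            unset.setdefault(cid, []).append(pid)  # keep the placeholder and report it
            return match.group(0)

        resolved[cid] = {"title": control["title"],
                         "statement": PARAM_RE.sub(substitute, statement_prose(control))}
    return resolved, unset


def resolve_json(catalog_json, profile_json):
    """Convenience wrapper taking the serialized JSON documents."""
    return resolve(json.loads(catalog_json), json.loads(profile_json))


if __name__ == "__main__":
    controls, missing = resolve_json(CATALOG_JSON, PROFILE_JSON)
    for cid, entry in controls.items():
        print(f"{cid} ({entry['title']}): {entry['statement']}")
    print("parameters still unset:", missing)
```

Running it resolves ac-7 to a concrete statement, leaves the ia-5 placeholder in place while reporting it as unset (the parameter value still has to be supplied by the implementing organization, which is the distinction between a control parameter and a control parameter value drawn above), and omits ac-1 because the profile did not select it.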

What OSCAL is / isn’t

What OSCAL Is

  • Machine-Readable Representation: OSCAL formats are in XML, JSON, and YAML, making them suitable for automation and integration with various tools.
  • Standardized Control Catalogs: OSCAL defines catalogs that group control requirements from standards like ISO 27001, NIST 800-53, and PCI DSS.
  • Dynamic Control Baselines: It allows organizations to establish and tailor control baselines to fit their unique regulatory and security requirements.
  • Actionable Documentation of Control Implementations: Provides up-to-date, shared documentation on control implementation for continuous compliance.
  • Automated Monitoring and Assessment: OSCAL enables organizations to automate monitoring and auditing of compliance status across various standards.

What OSCAL Isn’t

  • Not a Standalone Compliance Tool: OSCAL provides a format, not the tooling, and must be implemented within a larger compliance platform.
  • Not a Security or Compliance Framework: OSCAL doesn’t define the controls; it encodes existing frameworks and standards in a standardized way.
  • Not a Substitute for Governance: OSCAL automates compliance documentation but does not replace governance, oversight, or accountability.
  • Not an Out-of-the-Box Solution: OSCAL requires integration, tooling, and expertise to deploy effectively and isn’t a quick-fix compliance solution.
  • Not a Magic Bullet for All Standards: Some standards may need additional customization or extensions beyond what OSCAL currently provides.

Example User Stories

User Story:
“As a compliance manager, I want to automatically generate reports to demonstrate compliance with multiple standards (e.g., ISO 27001, PCI DSS, and NIST 800-53) so that our organization can meet regulatory requirements without manually mapping controls.”

OSCAL can be used to map overlapping controls across different frameworks within a standardized catalog, allowing the organization to document compliance with multiple standards simultaneously. The compliance manager could use OSCAL profiles to create tailored control sets for each standard, reducing redundancy in reporting and improving accuracy.

User Story:
“As an Information Security officer, I want to maintain a central repository of all control implementations and assessment data that updates dynamically, ensuring accurate, up-to-date compliance documentation.”

OSCAL system security plans and component definitions record how each control is implemented, and OSCAL assessment results record what was found when those implementations were tested. Keeping these machine-readable documents in a single version-controlled repository gives the Information Security officer one source of control-implementation and assessment data that is updated as systems and assessments change, rather than a set of static documents that drift out of date.

User Story:
“As a DevSecOps engineer, I want to automatically validate compliance of our infrastructure configurations every time a change is made, so that our organization maintains security and compliance requirements in real-time.”

By integrating OSCAL into CI/CD pipelines, the engineer can set up automated compliance checks, validating that each infrastructure change meets regulatory and security requirements. For example, an OSCAL profile with necessary compliance controls could trigger automated scans of IaC (Infrastructure as Code) files to confirm they match the control requirements.

User Story:
“As a board member, I want confidence that the organization is consistently meeting regulatory and compliance standards across all jurisdictions, reducing legal and reputational risks.”

By adopting OSCAL, the organization can maintain a centralized, machine-readable repository of compliance data aligned with multiple standards (e.g., GDPR, ISO 27001, PCI DSS, NIST 800-53). This enables consistent and reliable compliance reporting across regions and jurisdictions, reducing the risk of non-compliance penalties or brand damage. Board members can rely on OSCAL-backed compliance dashboards to ensure the company is always prepared for regulatory scrutiny.

User Story:
“As an internal auditor, I want to automate control assessments to efficiently evaluate and report on compliance status without extensive manual documentation.”

OSCAL assessment plans and results allow the auditor to automate control testing and assessments. By creating OSCAL-based assessment plans, they can automatically gather evidence from various systems and compare it against expected control implementations, producing a comprehensive assessment report with minimal manual effort.

Further Reading

Authoritative source:

Other:

Tools and Content

Helpful aggregation list: awesome-oscal: A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards.

GRC Products using OSCAL:

Tools from NIST:

Other tools I looked at:


Reading is too hard

PDF: NIST_OSCAL-What_is_and_Who_needs_it


OpenVPN – Docker Quick Start

Quick and easy VPN setup using OpenVPN Docker image, on Amazon Linux 2023.

References

Installation steps

Install docker on amazon linux 2023

dnf update -y
dnf install docker -y
systemctl enable docker
systemctl start docker

OpenVPN Access Server Docker Image

# see: https://openvpn.net/as-docs/docker.html#run-the-docker-container
docker pull openvpn/openvpn-as
docker run -d \
  --name=openvpn-as --cap-add=NET_ADMIN \
  -p 943:943 -p 4443:4443 -p 1194:1194/udp \
  -v /root/openvpn-server:/openvpn \
  openvpn/openvpn-as
# Modify ports and hostname as appropriate
cd /root/openvpn-server/etc
vim ./config-local.json
# Restart the container (by container name, not image name) so the edited config is loaded
docker restart openvpn-as
# Get temp password
docker logs openvpn-as | grep -i "Auto-generated pass"
# Scroll to find the line: Auto-generated pass = "[password]". Setting in db..

Configure your OpenVPN services

# Use the generated password to sign in to the Admin Web UI.
# username: openvpn
https://[my_hostname_or_pubip].com:943/admin/
# Check the hostname setting.. put in your hostname…
https://[my_hostname_or_pubip]:943/admin/network_settings
# Stop the VPN services and start them again to ensure changes are loaded and persistent:
https://[my_hostname_or_pubip]:943/admin/status_overview
# Create a user and a new Token URL for the user to import the profile

Windows Client set up

# Install with winget:
winget install -e --id OpenVPNTechnologies.OpenVPNConnect
# Once installed, get the token URL, which will be something like:
openvpn://https://[my_hostname_or_pubip]:043/ConnectClient/[token].ovpn
# Put it in a browser; it should open the OpenVPN client, import the profile, and connect

Checkout your traffic routing


Writing ‘modern’ PowerShell Modules [2024]

Context

PowerShell was… initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on August 18, 2016, with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET (previously .NET Core). PowerShell – Wikipedia

As Microsoft is no longer updating Windows PowerShell with new features, it makes sense to use the procedure for ‘Developing modern modules’, which are (hopefully) portable to any OS running PowerShell.

If creating a new module, the recommendation is to use the .NET CLI.

Create module from ‘Standard Template’

# Install .NET SDK
> winget install Microsoft.DotNet.SDK.8
Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204
…
Successfully installed
# Install a ‘template library to generate a simple PowerShell module’
## Requires NuGet source enabled
> dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org
> dotnet new install Microsoft.PowerShell.Standard.Module.Template
# Create a new module project
> mkdir myPSModule; cd .\myPSModule
> dotnet new ps5module


Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Azure Secure Admin Workstation posts:


Context and References

Troubleshooting and Errors

  • After not being able to sign in with an Entra user, took a look at:

Error: Unable to connect right now

  • Likely related to the AVD VM’s ability to talk to required Entra endpoints
    • An easy way to validate this is to add a temporary allow all outbound TLS

Mounting CloudShell Persistence Storage locally

Context

  • CloudShell is very handy for working with Azure and M365: it removes the issues of PowerShell versioning/modules/authentication and is hosted within your Azure infrastructure boundary, providing some mitigation of privileged access and administrator device risks.
  • When implementing an Azure Virtual Secure Administration Workstation solution I ended up wasting a bunch of time editing files via the Azure CloudShell instead of locally; this resulted in silly typos (due to the lack of syntax highlighting, error correction and all the other goodness of an IDE like Visual Studio Code).
  • To solve this issue I want to mount my CloudShell persistent storage locally, enabling me to edit files locally and immediately test in CloudShell, without pushing/pulling and the inevitable conflicts between local and remote.
  • Turns out that this is much easier than expected using

References

Procedure

  1. Install the Azure Account and Azure Storage extensions for VSCode:
  2. Sign in with the extension in VScode:
    • CTRL+SHIFT+P > Azure: Sign in
      • Opens browser AuthFlow
  3. Open Azure Cloud Shell (PowerShell) in VSCode Terminal:
    • CTRL+SHIFT+P > Terminal: Create New Terminal (With Profile)
      • If you don’t have Node.js installed, the extension will prompt you to install it (providing a button to click). The link the extension provided was to an older version of Node.js, not the latest; I suggest just using Node.js (nodejs.org)
  4. Mount your CloudDrive share locally
    • I had some issues doing this with VScode following: How to Use Cloud Shell in Visual Studio Code
    • Instead I am just using the Azure Extensions Resource Explorer (SHIFT+ALT+A), navigating to the file share and selecting files (which opens them in a local VScode window)
    • NOTE: The CloudDrive is not your entire CloudShell home dir, it’s ~/clouddrive

Azure Virtual Secure Administration Workstation – Part 3 – Session hosts and access

Azure Secure Admin Workstation posts:


Context

In the interest of enabling source control and potentially automation, the deployment is conducted using PowerShell commands. In this example I am using Azure CloudShell; for manual and exploratory activities it is handy as it is secure, includes all required modules and removes any authentication faff.

  • If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. (Add session hosts to a host pool | Microsoft Learn)
  • You can create session hosts and register them to a host pool in a single end-to-end process with the Azure Virtual Desktop service using the Azure portal or an ARM template. You can find some example ARM templates in our GitHub repo

Reference Materials

Key Terms

Deployment Procedure

When using Azure CLI or Azure PowerShell you’ll need to create the virtual machines outside of Azure Virtual Desktop, then add them as session hosts to a host pool separately.

  1. Add members to the saw_user_group
  2. Generate a registration key
    • When you add session hosts to a host pool, first you’ll need to generate a registration key. A registration key needs to be generated per host pool and it authorizes session hosts to join that host pool. It’s only valid for the duration you specify. If an existing registration key has expired, you can also use these steps to generate a new key.
  3. Create and register session hosts with the Azure Virtual Desktop service

Add Entra joined Session Host

Following is direct from Add session hosts to a host pool – Azure Virtual Desktop | Microsoft Learn:

  1. Sign in to the Azure portal.
  2. In the search bar, enter Azure Virtual Desktop and select the matching service entry.
  3. Select Host pools, then select the name of the host pool you want to add session hosts to.
  4. On the host pool overview, select Session hosts, then select + Add.
  5. The Basics tab will be greyed out because you’re using the existing host pool. Select Next: Virtual Machines.
  6. On the Virtual machines tab, complete the following information:
  • (this is for our use case and assumes you followed Part 1, of course customise this as appropriate)
    • Name prefix: SAW
    • Availability options: No infrastructure redundancy required
    • Security Type: Trusted launch virtual machines
    • Enable secure boot: True
    • Enable vTPM: True
    • Integrity monitoring: True
    • Image: Latest Windows 11 Enterprise multi-session
      • If we select Personal instead of Pooled in Part 1, we would have non-Enterprise options here…
    • Virtual machine size, Number of VMs, OS disk type
      • Use case dependent with no impact on procedure/security
    • Boot diagnostics: Enabled with managed storage account
    • Network and security
      • Virtual Network: SAWVnet
      • Subnet: SAWSubNet
      • Network security group type: Basic
      • Public inbound ports: No
    • Domain to join
      • Select which directory you would like to join: Microsoft Entra ID
      • Enroll VM with Intune: Yes
    • Virtual machine administrator account
      • Required for Azure to provision the VM, once it joins Entra and Intune your Configuration Profile should remove the local administrator
    • Custom configuration
      • Custom configuration script url: None for now…
  • Tags?
    • Suggest adding ‘ResourceTag:AzureSAW’ for now… tags can be handy
  • Download a template for automation, suggest doing this as a default behaviour
  • Create!

Post Host Deployment

  • After launching your first Session Host, Azure will take several (20?!) mins to deploy the session host and add it to the Host Pool. You can verify this was successful via Host pools – Microsoft Azure:

Enable Entra ID SSO

Troubleshooting

Disk Encryption???

PowerShell

Script: https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateRegKey.ps1
Script: https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/AddMembersToGroup.ps1

Connect to my Azure Virtual SAW!

Extras

Set up Azure Virtual Desktop Client

  1. Download and install the Client App (or deploy to users via Add Microsoft Store apps to Microsoft Intune | Microsoft Learn)
  2. Run it, on first run, assuming you installed unconfigured from the MS store you will be asked to subscribe (do this with your SAW access user)
    • …. That’s it… you will see the Session Host to connect to if all worked!
  3. Noting that Entra SSO was not working for me so… Part 4 – Configuring Entra SSO

Validate Session Host can talk to required Azure endpoints

You can validate that your session host VMs can connect to these URLs by following the steps to run the Required URL Check tool.


Azure Virtual Secure Administration Workstation – Part 2 – Firewalls and VNets

Azure Secure Admin Workstation posts:


Context and References

Deployment procedure

Stage 2 – Create Azure Network Components

  • This section provides context for the PowerShell commands below… strongly suggest reviewing the description of the steps first.

Procedure

Primary source for this bit: Deploy and configure Azure Firewall using Azure PowerShell | Microsoft Learn

  • Noting Azure states that for ‘production’ deployments, a hub and spoke model is recommended, where the firewall is in its own VNet.
    • For our use case, I don’t believe the hub and spoke model will provide any benefit regarding security or otherwise.
  1. Create a Vnet and add FWsubnet + SAWsubnet
    • NOTE: The AzureFWSubnet must be a /26
  2. Create a Public IP Address for the Azure FW and deploy the firewall
  3. Create a route table and associate routes to SAW subnet ensuring SAW traffic is routed via the Azure Firewall
  4. Create rules for outbound internet connectivity, some MS doc still has commands for deploying Application and Network firewall rules directly on the Azure Firewall despite the Azure Well-Architected Framework review – Azure Firewall | Microsoft Learn stating that Azure Firewall Manager and Policies should be used
    • … so the PowerShell script below has been updated to create an Azure Firewall Policy instead of assigning rules directly to the firewall

PowerShell

Script: https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateSAWNets.ps1

Azure Virtual Secure Administration Workstation – Part 1 – VDI Environment

Azure Secure Admin Workstation posts:


Context

We have numerous clients and our own systems that require:

  • Access only from appropriately hardened and monitored hosts
  • Inbound and outbound network security including the ability to ‘AllowList’ and ‘BlockList’ based on IPs/URLs/Hostnames/other ‘NGFW’ methods… although this can be achieved with host-based controls only, that does not seem like a very layered defence.
  • Idempotent deployment solution (deployment code can be run regularly and if no changes to code, no changes to deployment)
    • PowerShell is not ideal for doing idempotency proper… but it can, will see how I go for time.

In the interest of enabling source control and potentially automation, the deployment is conducted using PowerShell commands. In this example I am using Azure CloudShell; for manual and exploratory activities it is handy as it is secure, includes all required modules and removes any authentication faff.

At this stage I am not sure how much additional protection / value adding Azure Firewall to the environment will add… will add it for now and find out! Microsoft’s doc doesn’t make the benefits very clear for me:

  • A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic. (Use Azure Firewall to protect Azure Virtual Desktop | Microsoft Learn)
  • The diagram below shows a suggested architecture; going to try to avoid getting stuck without a required component later and stay somewhat close to this. Though it should be noted that a potentially valid architecture is just a SAWVnet, as inbound connectivity is managed by Azure via the AVD infrastructure: “Users connecting to Azure Virtual Desktop securely establish a reverse connection to the service, which means you don’t need to open any inbound ports.” (Azure Virtual Desktop | Microsoft Learn)

Reference Material

Key Terms

  • Resource groups: Logical containers that you use to group related resources in a subscription. Each resource can exist in only one resource group. Resource groups allow for more granular grouping within a subscription. They’re commonly used to represent a collection of assets that are required to support a workload, application, or specific function within a subscription.
  • Host pools: A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts when you run the Azure Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience. You control the resources published to users through application groups. A host pool can be one of two types:
    • Personal, where each session host is assigned to an individual user. Personal host pools provide dedicated desktops to end-users that optimize environments for performance and data separation.
    • Pooled, where user sessions can be load balanced to any session host in the host pool. There can be multiple different users on a single session host at the same time. Pooled host pools provide a shared remote experience to end-users, which ensures lower costs and greater efficiency.
  • Application groups: An application group is a logical grouping of applications installed on session hosts in the host pool. An application group can be one of two types:
    • RemoteApp, where users access the applications you individually select and publish to the application group. Available with pooled host pools only.
    • Desktop, where users access the full desktop. Available with pooled or personal host pools.
    • NOTE: We don’t support assigning both the RemoteApp and desktop application groups in a single host pool to the same user.
  • Workspaces: logical grouping of application groups in Azure Virtual Desktop. Each Azure Virtual Desktop application group must be associated with a workspace for users to see the desktops and applications published to them.
  • Desktop Virtualization User: Built-in Azure RBAC roles Azure Virtual Desktop | Microsoft Learn

Out of scope

Deployment procedure

Stage 1 – Create Azure Virtual Desktop Environment

  • This section provides context for the PowerShell commands below… strongly suggest reviewing the description of the steps first.

Azure Virtual Desktop Environment

  1. Prerequisites for Azure Virtual Desktop | Microsoft Learn
  2. Launch the Azure Cloud Shell in the Azure portal with the PowerShell terminal type
  3. Create a Resource Group
    • Parameters:
      • Name, Location
  4. Create a Host Pool
    • Use the New-AzWvdHostPool cmdlet with the following examples to create a host pool. More parameters are available; for more information, see the New-AzWvdHostPool PowerShell reference.
    • Parameters:
      • Location: must be one of LocationNames Class (Microsoft.Azure.Documents) and match your Resource Group
      • HostPoolType: can be one of two types:
        • Personal, where each session host is assigned to an individual user. Personal host pools provide dedicated desktops to end-users that optimize environments for performance and data separation.
        • Pooled, where user sessions can be load balanced to any session host in the host pool. There can be multiple different users on a single session host at the same time. Pooled host pools provide a shared remote experience to end-users, which ensures lower costs and greater efficiency.
        • See also: Azure Virtual Desktop terminology – Azure | Microsoft Learn
  5. Create a workspace
    • Parameters:
      • Name, Location, ResourceGroupName
  6. Create an Application Group
    • Name, ResourceGroupName, Location
    • HostPoolArmPath: Azure Resource Manager Path
    • ApplicationGroupType: As above, RemoteApp / Desktop
  7. Add Application Group to Workspace
  8. Create Entra User Group if it doesn’t exist
  9. Assign Entra Group to an Application Group

Next Steps:

PowerShell Script

Script: https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateAzureVDIEnv.ps1

Sundry

Upload and Run PowerShell script in CloudShell

  1. Configure CloudShell
  2. Open CloudShell – https://portal.azure.com/#cloudshell
  3. Upload your script using the upload button
    • File is now persistent in your CloudShell home dir

Rules for Azure FW protecting Azure Virtual Desktop

Config: https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/config/EXAMPLE_SAWDeployerConfigItems.ps1

Excel report with all ECR vulnerabilities

  • Testing and gaining familiarity with PowerShell!

Unable to delete Azure Firewall?

TLDR: Fix it

  • If you have removed/deleted a Firewall policy or attachment to the Azure Firewall – re-attach it, or create the policy/attachment with the same name (you will see the name in the CLI output as detailed below).
  • Once you have re-attached or re-created it (just an empty policy with the same name) you can then delete the Firewall (recommended using Azure Cloud PowerShell) with the command below, updating the -Name and -ResourceGroupName parameters as appropriate:
Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup" -Force

Remove-AzFirewall: Long running operation failed with status ‘Failed’

The Azure UI does not give much detail regarding the error message:
$ Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup"
...
Remove-AzFirewall: Long running operation failed with status 'Failed'. Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix'
StatusCode: 200
ReasonPhrase: OK
Status: Failed
ErrorCode: ResourceNotFound
ErrorMessage: The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

Once attempting to delete via CLI I actually got a meaningful error message:

Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found.

That resource had already been deleted… so, re-create it (just an empty policy) with the same name, attach it, and then I could delete the firewall.