How-To

Office 365 IRM & Azure Rights Management

I recently configured IRM to protect documents and email communications as part of a security initiative.

Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology service in Office 365. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Usage rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization’s firewall.

Need to know info:

  • Time to complete this task: 30-60 minutes
  • You need to be assigned admin permissions to manage IRM
  • Knowledge of using Windows PowerShell to connect to Exchange Online

Steps Taken:

Step 1: Activating Azure Rights Management

  1. Log into the Office 365 admin center
  2. In the left pane, expand the service settings
  3. Click Rights Management
  4. On the Rights Management page, click Manage
  5. On the Rights Management page, click Activate
  6. You will be prompted with the question: Do you want to activate Rights Management? Click Activate.

You should now see that Rights Management is activated.

Step 2: Using Exchange Management Shell to log into Office 365

Here I use PowerShell ISE to step through the process.

# Login to the Office 365 Account

Set-ExecutionPolicy RemoteSigned

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Step 3: Use the Exchange Management Shell to configure the RMS Online key sharing location in Exchange Online

#Displaying the IRM Configuration

Get-IRMConfiguration

# List of Locations

#North America https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

#European Union https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

#Asia https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

#South America https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

#Office 365 for Government (Government Community Cloud) https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

# Checking that the configuration was applied

Get-IRMConfiguration

Step 4: Importing Trusted Publishing Domain (TPD) from RMS Online

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

Test-IRMConfiguration -RMSOnline

Step 5: Enabling IRM in Exchange Online

Set-IRMConfiguration -InternalLicensingEnabled $true

Step 6: Testing the IRM configuration

Get-IRMConfiguration

Test-IRMConfiguration -Sender jsmith@jermsmit.tld

The expected results should show that each area verified has passed.

Ref Links:

https://technet.microsoft.com/en-us/library/jj983436(v=exchg.150).aspx

https://support.office.com/en-us/article/Set-up-Information-Rights-Management-IRM-in-SharePoint-admin-center-239ce6eb-4e81-42db-bf86-a01362fed65c

Summary image of my PowerShell ISE

 

How do I remove the Windows.old

After a recent update of my Windows 10 installation, I was left with the expected Windows.old folder containing 16 GB of old data.

It’s time to clean up.  Here are the steps I followed to make this happen.

Steps:

  1. Click in Windows’ search field, type Cleanup, then click Disk Cleanup.
  2.  Click the “Clean up system files” button.
  3. Scroll down the list until you see “Previous Windows installation(s).”
  4. Check the box next to the entry. Click OK to start the cleanup.

 

VMware vCenter 6 Phantom Snapshots

I’ve been using vCenter 6 for a while now and noticed an odd issue pertaining to snapshots. It seems that all guests show a “revert to current snapshot” state even if a snapshot does not actually exist.

However, viewing the Snapshot Manager… shows no existing snapshots associated with the virtual machine guests.

I’ve noticed that this issue does not exist when using the vSphere Web Client.

These symptoms have been officially confirmed by VMware in the following KB: https://kb.vmware.com/kb/2111363

For now there are no resolution steps…

Symptom Recap:

  • There are no snapshots on virtual machine(s).
  • Virtual machines show Revert to current snapshot (right-click on the virtual machine > Snapshot > Revert to current snapshot) enabled in vSphere Client when connected to the vCenter Server 6.0.
  • When viewing the Snapshot Manager (right-click on the virtual machine > Snapshot > Snapshot Manager) for the virtual machine in the vSphere Client, there are no snapshots present.
  • Directly logging into the ESXi host using the vSphere Client shows the Revert to current snapshot grayed out.
  • Creating and deleting a snapshot does not resolve this issue.
  • In the vSphere Web Client Revert to current snapshot appears grayed out.

Workaround:

  1. Ignore the vSphere Client results and use the vSphere Web Client
  2. Use PowerCLI to display snapshots.

Example command I like to use:

 

ntopng on Ubuntu 14.04

I just completed my ntopNG appliance setup. Once more I can look into my network traffic to get an idea of what’s going on.

Below you will find the steps to complete the install.

Log into the Ubuntu server host and issue the following commands:

  1. sudo into root: sudo -i
  2. wget http://www.nmon.net/apt-stable/14.04/all/apt-ntop-stable.deb
  3. dpkg -i apt-ntop-stable.deb
  4. apt-get update
  5. apt-get -y install pfring nprobe ntopng ntopng-data n2disk nbox
  6. service apache2 restart

The steps provided here are the official ntop.org directions for their stable build packages.

Please note you will need to have a management and monitoring interface for your configuration.

In my configuration, I will be listening on a mirrored port to capture network traffic to be displayed under ntopNG.

 


Using Get-SPWebTemplate to list available site templates in SharePoint 2013

In this tech-short we will go over a simple yet effective way to list out the available site templates in SharePoint 2013.

The New-SPSite PowerShell cmdlet allows you to specify the name of a template to use. In my case I was unaware of the names of the available templates in my SharePoint installation, so I used the Get-SPWebTemplate command to produce a list for me.

Steps

  1. Open the SharePoint 2013 Management Shell
  2. Run the following command: Get-SPWebTemplate | Sort-Object "Name"

The result is a list of templates which could be used in this environment.

 

If you wanted to do the same with PowerShell locally or remotely, the following steps can be taken.

Open PowerShell and issue the following commands:

  1. Enter-PSSession -ComputerName SharePoint
  2. Add-PSSnapin Microsoft.SharePoint.Powershell
  3. Get-SPWebTemplate | Sort-Object "Name"

Deploy Template Using VMware Guest Customization Specification

Using templates saves you lots of time when it comes to deploying virtual machines. And if you are looking to get a slight edge on your deployments in lab or production, using customization specifications may be the way you want to go.

Here are some quick steps to deploy using this method:

 

  1. From the home page of  vCenter Web click VMs and Templates
  2. Right click on the template of choice and select New VM from Template…
  3. Enter the name of your virtual machine guest as you would refer to it in vCenter. Choose your datacenter and click Next to continue
  4. If you are using clusters, choose your cluster and click Next to continue
  5. Select your datastore and click Next
  6. On the select clone option screen choose customise the operating system option; you may also set the machine to power on after creation to start the process which customises the guest – Click Next to continue
  7. On our last screen we are shown our customization choices.  Choose your template configuration and click next
  8. Clicking Next on the confirmation screen starts our deployment

And that’s all folks  — posted this for a friend with screenshots to illustrate the process.

– Jermal

VMware Flings: Embedded Host Client Update

I am excited about the VMware Labs Flings release of version 3 of the Embedded Host Client. For those of you who find yourselves out of the loop at times, no worries, it happens. Here are some details about the Embedded Host Client:

The Embedded Host Client is written purely in HTML and JavaScript, and is served directly from your ESXi host. The installed client is in its development phase at this time and does not have full feature sets, but has implemented a very useful feature set.

These features include:

  • VM operations (Power on, off, reset, suspend, etc).
  • Creating a new VM, from scratch or from OVF/OVA (limited OVA support)
  • Displaying summaries, events, tasks and notifications/alerts
  • Providing a console to VMs
  • Configuring host networking
  • Configuring host services

 

Installation Steps:

  1. Enable SSH on your ESXi host, using DCUI (Direct Console User Interface) or the vSphere web client.
  2. SCP the VMware_bootbank_esx-ui_0.0.2-0.1.3172496.vib to a directory on your ESXi host. In my case I used a shared storage LUN or NFS volume as I will apply this to multiple hosts.
  3. Next issue the following command:

     

Upgrade Steps

  1. Enable SSH on your ESXi host, using DCUI (Direct Console User Interface) or the vSphere web client.
  2. SCP the VMware_bootbank_esx-ui_0.0.2-0.1.3172496.vib to a directory on your ESXi host. In my case I used a shared storage LUN or NFS volume as I will apply this to multiple hosts.
  3. Next issue the following command:

     

Example output from running the above command:

[root@esx1:~] esxcli software vib update -v /vmfs/volumes/nfs/installs/flings/VMware_bootbank_esx-ui_0.0.2-0.1.3172496.vib
Installation Result
Message: Operation finished successfully.
Reboot Required: false
VIBs Installed: VMware_bootbank_esx-ui_0.0.2-0.1.3172496
VIBs Removed: VMware_bootbank_esx-ui_0.0.2-0.1.2976804
VIBs Skipped:

 

Tools of choice

WinSCP – http://winscp.net/eng/index.php

PuTTY – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 

For more info on ESXi Embedded Host Client: https://labs.vmware.com/flings/esxi-embedded-host-client

 

Thanks for visiting – jermal

 

Windows 2003, HTTPS Access Issues

One of the teams I support had run into some issues, spending a lot of time investigating code and possible configuration problems. What they later suspected to be a policy issue, possibly a firewall or network issue, turned out to be something entirely different.

Let's start with the symptoms:

  • Service requests to a secured site stopped functioning; there were no known changes on the client (server) end. All attempts to connect to this site using Internet Explorer failed. However, connections could be made to the site from the same network on other systems.
  • Windows updates did not resolve the issue
  • There was no proxy server or network firewall in the path from the client to the destination server hosting the services
  • Note: Port 80 (HTTP) web requests and even alternate ports listening on HTTP had all worked

 

Differential testing:

  • Attempted to access other known and popular SSL enabled sites and encountered the same issue
  • Attempted to connect to some SSL enabled sites which I had in a lab environment and they worked — OK, Good… SSL is working from this host.
  • But why?  I did some checking on the SSL Certificates, using some of the steps from one of my older posts: http://jermsmit.com/tech-short-lets-test-for-poodle-or-sslv3/

Example of the command used: openssl s_client -connect google.com:443

Discovery: I noticed that the Cipher types were different between those sites which worked using SSL and those that did not.

  • The sites that worked used SSL-Sessions with a Cipher of: AES128-SHA
  • The sites that no longer worked used SSL-Sessions with a Cipher of: ECDHE-RSA-AES128-GCM-SHA256, AES256-GCM-SHA384, etc.

It seems that all SSL sites using SHA2 256 or higher encryption were no longer supported.

 

Resolution: I started my search for a possible hotfix for this issue and I found it.

The following KB post details this issue and provides the hotfix download to resolve the limitation on this older OS: https://support.microsoft.com/en-us/kb/968730

Note: Make sure to download the correct Platform version of the hotfix.

 

 

OVF Deployment Issue Ubuntu Snappy 15.04-stable (5 cloud)

When you have time, you do something.

Tonight I headed over to the Ubuntu site to grab the latest version, because I was thinking of installing OpenStack, when I noticed “Get Ubuntu Core” on their landing page; yes, something new.

But where is my Raspberry Pi? No worries they have OVF images I can use to deploy to my vCenter Lab here at home. So I started just this and encountered an issue I once had.

Let's walk through my events.

Downloading the image

  1. Found myself on the Ubuntu Internet of Things landing page: http://www.ubuntu.com/internet-of-things
  2. Located the OVF section of the getting started page: http://developer.ubuntu.com/en/snappy/start/
  3. Downloaded the OVA image (x86): 15.04/stable

Deploying the OVF Template 

  1. Using the vSphere Client, connect to vCenter (or a standalone ESXi host)
  2. Select the server to deploy to and choose File > Deploy OVF Template
  3. Browse to the path where you downloaded your OVF image and select it

This is when I received the following error:
The following manifest file entry (line 1) is invalid: SHA256(core-stable-amd64-cloud.ovf)= d4b8922ed38a4eb9055576f7b46f8e92f463398298f3a42af942f25457d4d41c

Troubleshooting Step 1

  1. I extracted the OVA image (core-stable-amd64-cloud) with 7zip
  2. Once extracted, I attempted the steps detailed above in “Deploying the OVF Template”

The same error was thrown once more.

Troubleshooting Step 2

Within the extracted folder exists the following file types: certificate, manifest, ovf (instruction / configuration) and disk image

  1. I removed the SHA256(core-stable-amd64-cloud.ovf)= d4b8922ed38a4eb9055576f7b46f8e92f463398298f3a42af942f25457d4d41c line from the .MF (manifest)
  2. Once removed, I attempted the steps detailed above in “Deploying the OVF Template”

It failed also, only this time the error stated that the remaining SHA256 was also invalid.

Troubleshooting Step 3 – Third time is the charm

  1. Moved into the extracted OVA folder
  2. Deleted the .mf (manifest) file
  3. Followed steps above “Deploying the OVF Template” only this time using the OVF located in the extracted folder

This go-around everything worked.

So why did this happen?

The template was changed after its creation, which invalidated the SHA256 key. I have made templates myself, only to have to edit something out, such as removing a CD-ROM reference, which later caused me issues.
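Deleting the .mf file, as in Troubleshooting Step 3, also skips the integrity check the manifest exists for. The following added example (not from the original post) recomputes each digest listed in a manifest of the form shown in the error message, so you can see which files, if any, really differ before deploying without it; the file names and contents in `demo()` are constructed samples.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One manifest entry, e.g. "SHA256(core-stable-amd64-cloud.ovf)= d4b8..."
ENTRY = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def file_digest(path, algorithm):
    """Hash a file in chunks so large disk images do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(mf_path):
    """Return {filename: status} for every entry of an OVF .mf file."""
    results = {}
    for lineno, line in enumerate(Path(mf_path).read_text().splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line.strip())
        if not m:
            results[f"line {lineno}"] = "unparseable"
            continue
        alg, name, expected = m.groups()
        target = Path(mf_path).parent / name
        if not target.is_file():
            results[name] = "missing"
        elif file_digest(target, alg.lower()) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def demo():
    """Constructed sample: the .ovf is edited after the manifest is written."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sample.ovf").write_bytes(b"<Envelope/>")
        (d / "sample-disk1.vmdk").write_bytes(b"disk-bytes")
        lines = [f"SHA256({n})= {hashlib.sha256((d / n).read_bytes()).hexdigest()}"
                 for n in ("sample.ovf", "sample-disk1.vmdk")]
        (d / "sample.mf").write_text("\n".join(lines) + "\n")
        (d / "sample.ovf").write_bytes(b"<Envelope><!-- edited --></Envelope>")
        return verify_manifest(d / "sample.mf")

if __name__ == "__main__":
    print(demo())
```

If every entry reports "ok" yet the import still rejects the manifest, the files themselves are intact and the problem lies with how the importing client reads the manifest.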

I hope this helps if you face this incident or something similar.

 

Thanks for visiting – jermal


Activating RMS in Office 365

Microsoft Azure Rights Management provides a comprehensive policy-based enterprise solution to help protect your valuable information, no matter whom you share it with.

These policies help improve data security using both Information Rights Management and Office 365 Message Encryption.

To activate rights management:

  1. Log into Office 365 with an account which has been assigned an administrator role. To do this simply go to the portal site: https://portal.office.com
  2. Click on admin to enter the Office 365 admin center via the admin app icon

  3. In the left pane, expand the service settings
  4. Click on Rights Management to enter the Rights Management dashboard
  5. Here on the dashboard, click on Manage
  6. Click on Activate to activate Rights Management

For additional options and steps please have a look over on TechNet.

 

Thanks for visiting – jermal