Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes for August 2022 penetration test #1231

Merged
merged 55 commits into from
Aug 26, 2022
Merged

Fixes for August 2022 penetration test #1231

merged 55 commits into from
Aug 26, 2022

Conversation

jemrobinson
Copy link
Member

@jemrobinson jemrobinson commented Aug 25, 2022
edited
Loading

⤴️ Summary

  • Remove unused keys from config files
  • Fix comments
  • Allow 503 errors when building documentation
  • Add missing arguments and correct types for various function calls
  • Refactor Resolve-KeyVaultPrivateKeyCertificate into dedicated function
  • Add various missing module imports
  • Add additional places where resource groups/storage accounts are created if they don't exist to allow for running scripts out-of-order
  • Separate diskTypeDefault from storageTypeDefault and set this to Standard_LRS (nothing more than this is available in uksouth)
  • Allow additional installation endpoints through the firewall
  • Allow additional SSPR endpoints through the firewall
  • Move firewall deployment earlier in the process so that VMs are deployed from behind the firewall
  • Fix DC2 desired state configuration
  • Downgrade to Ubuntu 20.04 through as 22.04 is incompatible with Update Management (see Move from Microsoft Monitoring Agent to Azure Monitor Agent  #1232).
  • Prefer 'Repository' over 'Package' to describe PyPI and CRAN VMs
  • Remove some FQDNs from DNS allowlist as this was too long for remote scripting
  • Fixed SRE domain joining
  • Switched package repositories to deploy into a permissive network (for Docker image download) before moving to their final location
  • Ensured that user email addresses are synchronised with AzureAD

🌂 Related issues

Closes #738. Closes #742.

🔬 Tests

  • Deploy an SHM
  • Deploy a tier2 SRE
  • Deploy a tier3 SRE

@jemrobinson
Copy link
Member Author

In reference to #742, the current set of firewall rules give:

PS C:\Users\domaingreenadmin> Test-AzureADConnectHealthConnectivity -Role Sync
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Testing dependent service endpoints completed successfully.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
MD5 setting CloudStorageAccount.UseV1MD5 = False
Tenant Id is successfully collected during agent registration.
Connectivity Test Step 2 of 3 - Blob data upload procedure completed successfully.

Connectivity Test Step 3 of 3 - EventHub data upload procedure begins ...
Tenant Id is successfully collected during agent registration.
Connectivity Test Step 3 of 3 - EventHub data upload procedure completed successfully.

Test-AzureADConnectHealthConnectivity completed successfully...

@jemrobinson jemrobinson force-pushed the pentest-2022-08-30 branch 3 times, most recently from 1d78b4f to 49f2c09 Compare August 25, 2022 15:43
@jemrobinson
📝 Correct SRE deployment comment
0b73892
@jemrobinson
⚰️ Removed unused 'nexus' key from SRE configs as this is now configu…
caab978 
…red at SHM level
@jemrobinson
👽 Allow 503 errors when testing external links
eb19d65
@jemrobinson
🐛 Add missing -TtlSeconds argument when creating AAD DNS record
de9d991
@jemrobinson
📝 Add exception arguments for better debugging
175a120
@jemrobinson
🐛 Fix config argument when creating Linux update server secret
33fab5a
@jemrobinson
📝 Update note about Alternate Phone field
70e62f4
@jemrobinson
🔧 Add core configuration files for pentesting
64c6d2b
@jemrobinson
📝 Improve/standardise log messages
23d53a3
@jemrobinson
♻️ Refactor Resolve-KeyVaultPrivateKeyCertificate into dedicated func…
fbdfe9a 
…tion
@jemrobinson
🐛 Ensure that monitoring resource group exists in Setup_SHM_Firewall
5388dbf
@jemrobinson
🐛 Add missing module imports
4122483
@jemrobinson
🐛 Fix argument name
d3ae51e
@jemrobinson
🐛 Fix function types for Deploy-FirewallNetworkRule and Deploy-Firewa…
76f6550 
…llApplicationRule
@jemrobinson
🔧 Fix incorrect template expansion keys
1d00646
@jemrobinson
🥅 Ensure that non-existent VMs are caught when running Confirm-VMX fu…
b43f9d8 
…nctions
@jemrobinson
🔧 Separate diskTypeDefault from storageTypeDefault. Note that only Pr…
e4fe84d 
…emium_LRS, StandardSSD_LRS, Standard_LRS and UltraSSD_LRS are available in uksouth.
@jemrobinson
🔧 Allow additional endpoints through the firewall. tlu.dl.delivery.mp…
5af40c9 
….microsoft.com for Windows updates, go.microsoft.com for Powershell modules and SHM blob storage for artifact installation.
@jemrobinson
♻️ Reorder DNS installation to come after DomainController promotion
7a520b7
@jemrobinson
🔧 Ensure that resource groups are created before use
e3a1ad1
@jemrobinson
♻️ Add new Deploy_SHM script and reorganise docs accordingly
26fad96
@jemrobinson
🚚 Move VM registration to the end of SHM deployment
2e7bb48
@jemrobinson
⬇️ As the Linux monitoring agent (and hence Update Management) does n…
632ae8e 
…ot support Ubuntu 22.04, we must downgrade to 20.04 throughout.
@jemrobinson
🔧 Standardise naming of package repositories
88fce37
@jemrobinson
🔧 Added SSPR firewall rule to allow the DC to work from behind the fi…
92ac29b 
…rewall
@jemrobinson
🚨 Fix some linting errors
c7579a8
@jemrobinson
♻️ Switch cronjobs to use /etc/cron.d instead of appending to crontab
9233340
@jemrobinson
🐛 Explicitly use /usr/sbin/realm as this might not be in PATH
05bdb08
@jemrobinson
⚡ Improve name resolution checker
97d66f1
@jemrobinson
✨ Ensure that email address is synchronised with AzureAD
59ad6cf
@jemrobinson
👽 Reduce DNS allowlist by dropping AzureAD connect domains otherwise …
275f18a 
…list is too long to run as a remote script
@jemrobinson
🚨 Fix linting
e3c9fa0
@jemrobinson
🐛 Switch to new Deploy-AutomationScheduleInDays function
36a4b91
@jemrobinson
👽 Allow time for backup role assignments to persist
04290b3
@jemrobinson
📝 Expand on NPS debugging process
b0bd2c4
@jemrobinson
🐛 Add missing proxy admin password
2600504
@jemrobinson
✨ Add DeploymentSubnet for each repository VNet
28d6405
@jemrobinson
✨ Allow Update-VMIpAddress to take pipeline argument
d49f663
@jemrobinson
⚰️ Remove duplicated route table creation
af11c7b
@jemrobinson
♻️ Deploy repository VMs into unrestricted deployment subnet in order…
b36489f 
… to allow access to dockerhub
@jemrobinson jemrobinson marked this pull request as ready for review August 26, 2022 01:00
@JimMadge
Copy link
Member

For reference, Ubuntu server docs on package management contains a discussion of configuring unattended-upgrades. Seems quite flexible.

@jemrobinson jemrobinson merged commit e90ffd3 into alan-turing-institute:develop Aug 26, 2022
@jemrobinson jemrobinson deleted the pentest-2022-08-30 branch August 26, 2022 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JimMadge JimMadge JimMadge approved these changes

@martintoreilly martintoreilly Awaiting requested review from martintoreilly

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AD Connect endpoints SSPR firewall endpoints
2 participants
@jemrobinson @JimMadge