•Why use Azure Backup?
–Azure Backup is a built-in service that provides secure backup for all Azure-managed data
assets.
–It uses zero-infrastructure solutions to enable self-service backups and restores, with at-
scale management at a lower and predictable cost.
–At present, Azure Backup offers specialized backup solutions for Azure and on-premises
virtual machines (VMs).
–Azure Backup also enables workloads like SQL Server or SAP HANA running in Azure VMs to
have enterprise-class backup and restore options.
•How can you use Azure Backup?
–On-premises - Back up files, folders, and system state using the Microsoft Azure Recovery
Services (MARS) agent, or use the DPM or Azure Backup Server (MABS) agent to protect
on-premises VMs (Hyper-V and VMware) and other on-premises workloads
–Azure VMs - Back up entire Windows/Linux VMs (using backup extensions) or back up files,
folders, and system state using the MARS agent.
–Azure Managed Disks - Back up Azure Managed Disks
–Azure Files shares - Back up Azure File shares to a storage account
–SQL Server in Azure VMs - Back up SQL Server databases running on Azure VMs
–SAP HANA databases in Azure VMs - Back up SAP HANA databases running on Azure VMs
–Azure Database for PostgreSQL servers - Back up Azure PostgreSQL databases and retain the
backups for up to 10 years
–Azure Blobs - Overview of operational backup for Azure Blobs
•Security features for hybrid backups
–Prevention: A new authentication layer is added for critical operations like Delete Backup Data
and Change Passphrase. These operations now require a Security PIN that is available only to
users with valid Azure credentials.
–Alerting: Email notifications are sent for any critical operations that impact the availability of
backup data. These notifications enable users to detect attacks as soon as they occur.
–Recovery: Azure Backup retains deleted backup data for 14 days, ensuring recovery using any
old or recent recovery point. Also, a minimum number of recovery points is always
maintained, so that there are always sufficient points to recover from.
Task 1: Enable Windows Defender Credential Guard using Group Policy
1) Access GP management on SEA-SVR2
2) GPM console
3) Forest:contoso.com - domains - contoso.com - IT
4) Create a GPO in this domain, and link it here
5) New GPO – Name : CredentialGuard_GPO
6) CredentialGuard_GPO – Edit
7) GP management editor
8) Computer configurations – policies – administrative templates – system –
device guard
9) Turn on virtualization based security – policy setting – enable
10) Select platform security level – secure boot and DMA Protection
11) Credential guard configuration – enable UEFI lock
12) Secure launch configuration – enabled
Task 2: Enable Windows Defender Credential Guard using the Hypervisor-
Protected Code Integrity (HVCI) and Windows Defender Credential Guard
hardware readiness tool
Memory Integrity (also called hypervisor-protected code integrity or HVCI) uses Microsoft's Hyper-V hypervisor to
virtualise the hardware running some Windows kernel-mode processes, protecting them against the injection of
malicious code.
1) Run PS as administrator on SEA-SVR2
a) Set-Location -Path C:\Labfiles\Lab01\
b) .\DG_Readiness_Tool.ps1 -Enable -AutoReboot
2) Device will restart.
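After the restart, the GPO and readiness-tool steps above can be verified from the machine itself. This is an added check, not part of the lab notes: it reads the Win32_DeviceGuard CIM class, whose numeric codes are decoded in the comments, and looks for the LsaIso process that exists only while Credential Guard is running.

```powershell
# Added example (not from the lab notes): confirm VBS, Credential Guard and HVCI are
# configured AND running on this machine (e.g. SEA-SVR2). Run as administrator.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }

    # SecurityServicesConfigured / SecurityServicesRunning hold service IDs:
    #   1 = Credential Guard, 2 = HVCI (memory integrity)
    # RequiredSecurityProperties holds platform requirements:
    #   2 = Secure Boot, 3 = DMA protection (the "secure boot and DMA Protection" level from step 10)
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning    -contains 1
        HvciConfigured            = $dg.SecurityServicesConfigured -contains 2
        HvciRunning               = $dg.SecurityServicesRunning    -contains 2
        SecureBootRequired        = $dg.RequiredSecurityProperties -contains 2
        DmaProtectionRequired     = $dg.RequiredSecurityProperties -contains 3
        # LsaIso.exe is the isolated LSA process; it only exists when Credential Guard is active
        LsaIsoProcessPresent      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: check that Secure Boot and virtualization are enabled in firmware and that the machine has rebooted.'
}
```

A machine where the GPO applied but the hardware lacks Secure Boot or DMA protection shows Configured = True and Running = False, which is the case the warning flags.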
Task 1: Locate and reconfigure domain accounts with non-expiring passwords
1) Run PS as administrator on SEA-SVR2
2) List ADUser with non-expiring password and enable password expiration
a) Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true}
b) Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} | Set-ADUser -PasswordNeverExpires $false
Task 2: Locate and disable domain accounts that have not been used to sign in for
at least 90 days
1) Identify AD users that have not signed in for at least 90 days and disable them
a) $days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonTimeStamp -lt $days -and enabled -eq $true} -Properties LastLogonTimeStamp
b) Get-ADUser -Filter {LastLogonTimeStamp -lt $days -and enabled -eq $true} -Properties LastLogonTimeStamp | Disable-ADAccount
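The two tasks above pipe straight from Get-ADUser into a change. The function below is an added example, not part of the lab notes, that runs both checks as one audit, converts LastLogonTimeStamp into a readable date, also catches enabled accounts that have never logged on (which the -lt filter silently skips because the attribute is unset), and only changes anything when -Remediate is given, with -WhatIf support. The ActiveDirectory module is assumed; the -SearchBase OU is a hypothetical scoping option.

```powershell
# Added example (not from the lab notes): audit non-expiring passwords and stale sign-ins
# in one pass, report first, remediate only on request. Assumes the ActiveDirectory module.
function Invoke-StaleAccountAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase,      # optional OU to limit scope, e.g. 'OU=IT,DC=contoso,DC=com'
        [switch]$Remediate        # without this switch the function only reports
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $common = @{ Properties = 'LastLogonTimeStamp', 'PasswordNeverExpires', 'whenCreated' }
    if ($SearchBase) { $common.SearchBase = $SearchBase }

    # Task 1 condition: enabled accounts whose password never expires
    $neverExpires  = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } @common)
    # Task 2 condition: enabled accounts with an old LastLogonTimeStamp (replicated with up to
    # ~14 days of lag, so treat it as approximate)
    $stale         = @(Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff } @common)
    # Accounts that never logged on have no LastLogonTimeStamp at all; -lt would miss them,
    # so pick them up by creation date instead
    $neverLoggedOn = @(Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -notlike '*' -and whenCreated -lt $cutoff } @common)

    $report = foreach ($u in ($neverExpires + $stale + $neverLoggedOn | Sort-Object DistinguishedName -Unique)) {
        $last = if ($u.LastLogonTimeStamp) { [DateTime]::FromFileTime($u.LastLogonTimeStamp) } else { $null }
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            PasswordNeverExpires = [bool]$u.PasswordNeverExpires
            LastLogon            = $last                     # $null means never logged on
            StaleSignIn          = ($null -eq $last -or $last -lt $cutoff)
        }
    }

    if ($Remediate) {
        foreach ($u in $neverExpires) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear PasswordNeverExpires')) {
                Set-ADUser -Identity $u -PasswordNeverExpires $false
            }
        }
        foreach ($u in ($stale + $neverLoggedOn)) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (no sign-in for $InactiveDays days)")) {
                Disable-ADAccount -Identity $u
            }
        }
    }
    $report
}

Invoke-StaleAccountAudit -InactiveDays 90 | Format-Table -AutoSize   # report only
Invoke-StaleAccountAudit -InactiveDays 90 -Remediate -WhatIf          # show what would change
```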
Task 1: Prepare computer accounts for implementing LAPS (Local Administrator
Password Solution)
1) Create the OU, move SEA-SVR1 into it, and install LAPS, in Windows PS
a) New-ADOrganizationalUnit -Name "Seattle_Servers"
Get-ADComputer SEA-SVR1 | Move-ADObject -TargetPath "OU=Seattle_Servers,DC=Contoso,DC=com"
b) Msiexec /i C:\Labfiles\Lab01\LAPS.x64.msi
2) Enable the Windows Defender Firewall with Advanced Security rule that allows incoming Server Message Block
from other domain-joined servers. Type in Windows PS:
a) $rule = Get-NetFirewallRule | Where-Object DisplayName -eq 'File and Printer Sharing (SMB-In)'
$rule | Set-NetFirewallRule -Profile Domain
$rule | Enable-NetFirewallRule
Task 2: Prepare Active Directory for LAPS
1) Prepare the domain for LAPS on SEA-SVR2, in Windows PS
a) Import-Module admpwd.ps
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -Identity "Seattle_Servers"
2) GP Management – contoso.com - domains – contoso.com - Seattle_Servers OU – create a GPO in
this domain and link it here, name it LAPS_GPO
3) Edit LAPS_GPO, computer configuration – policies – administrative templates – LAPS
4) Enable local admin password management - policy settings - Enable local admin password
management – Enabled – OK
5) Password Settings - policy settings – Enabled - Password Length to 20
6) Password Age (Days) is configured to 30, and then select OK.
Task 4: Verify LAPS
1) Console SEA-SVR2 - START – LAPS – LAPS UI
2) LAPS UI – COMPUTERNAME – SEA-SVR1
3) Windows PS
a) Get-ADComputer -Identity SEA-SVR1 -Properties ms-Mcs-AdmPwd
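The single Get-ADComputer call above confirms one machine. The function below is an added example, not part of the lab notes: it checks every computer in the Seattle_Servers OU created in Task 1 and reports whether LAPS has actually rotated a password, decoding ms-Mcs-AdmPwdExpirationTime (stored as a FILETIME large integer) and comparing it to the 30-day age from the GPO, without ever printing the password itself. It assumes the ActiveDirectory module and that the caller has read rights on ms-Mcs-AdmPwd.

```powershell
# Added example (not from the lab notes): verify LAPS coverage for an OU without exposing
# the managed passwords. OU path and 30-day maximum age come from the lab steps.
function Test-LapsCoverage {
    param(
        [string]$SearchBase = 'OU=Seattle_Servers,DC=Contoso,DC=com',
        [int]$MaxPasswordAgeDays = 30
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $now = Get-Date

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $secret = $_.'ms-Mcs-AdmPwd'
        $expRaw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # Expiration is a Windows FILETIME (100 ns ticks since 1601) stored as a large integer
        $expires = if ($expRaw) { [DateTime]::FromFileTime([int64]$expRaw) } else { $null }

        # Findings a defender cares about:
        #  NoPassword          - the LAPS client-side extension never ran (GPO not applied, CSE missing)
        #  NoExpiry            - password present but no rotation deadline recorded
        #  Expired             - rotation is not happening
        #  ExpiryExceedsPolicy - expiry further out than the 30-day policy allows
        $status = if (-not $secret)                                        { 'NoPassword' }
                  elseif (-not $expires)                                   { 'NoExpiry' }
                  elseif ($expires -lt $now)                               { 'Expired' }
                  elseif ($expires -gt $now.AddDays($MaxPasswordAgeDays))  { 'ExpiryExceedsPolicy' }
                  else                                                     { 'OK' }

        [pscustomobject]@{
            ComputerName   = $_.Name
            PasswordStored = [bool]$secret
            PasswordLength = if ($secret) { $secret.Length } else { 0 }   # policy says 20; never output the value
            ExpiresAt      = $expires
            Status         = $status
        }
    }
}

Test-LapsCoverage | Format-Table -AutoSize
```

A freshly moved SEA-SVR1 shows NoPassword until the GPO has applied and the client-side extension has run (gpupdate or the next policy refresh).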
Task 1: Install Failover Clustering
1) Open Windows PS as administrator on SEA-SVR2 and install the Failover Clustering server feature on SEA-SVR1
and SEA-SVR2
a) Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
Install-WindowsFeature -ComputerName 'SEA-SVR1.contoso.com' -Name Failover-Clustering -IncludeManagementTools
2) Install the iSCSI Target Server role on SEA-DC1, in Windows PS
a) Install-WindowsFeature -ComputerName 'SEA-DC1.contoso.com' -Name FS-iSCSITarget-Server -IncludeManagementTools