Break Glass Account using FEITIAN FIDO2 Key

I was invited by Della (FEITIAN Technologies) to review one of their FIDO2 products. Out of their range of products I choose the K50: USB A-Type with Fingerprint.

There is one particular use case for using a FIDO2 Fingerprint Key I’d like to examine. The Break Glass (Global Admin) Account. By now, in 2023, we all agree on Multi Factor Authentication for ALL Users and we’re moving fast forward to Passwordless Authentication. In the Trainings I deliver and in conversations with my Customers we always discuss the “Break Glass Account” for emergencies. Shouldn’t we have a non-MFA-enabled Account for that? Write a very complex password on a piece of paper and put it in a safe?

No more. For daily use of both normal users and privileged users the Authenticator App works just fine. I’m not so much in favor of adding another device. For privileged accounts we should add Conditional Access policies like Device Compliance (Windows 11 Enterprise with all Security Features enabled), location and such. And Privileged Identity Management to harden access security (Principle of Least Privilege and Just-Intime Access).

And then we run into an emergency situation….. the hardened workstations become inaccessible or cellular Wi-Fi Services become unavailable (no push notification to Authenticator app) or whatever trouble.

In situations like that, having some FIDO2 Keys on some Break Glass Accounts can be a very good solution. Restrict these accounts to authenticating ONLY with a Security Key. Have 3-5 Accounts and a couple of these Keys (you can add up to 128 accounts on 1 Key). Enroll all 3-5 accounts on all Keys and keep the Keys in separate places for redundancy. Don’t forget to put PIM on these Accounts!

Et voila! We have a very decent solution in place, compliant with the MFA Policy for ALL users and also Passwordless.

 

Break the Glass safely!

Microsoft Operating Systems and Me

People who know me, know that one of my slogans is “Who needs an Operating System”. Through some mysterious pathway I am currently taking some Operating System exams…. (MD-100 = Windows Client, AZ-800 and AZ-801 = Windows Server) Huh??

Organizations and their way of thinking IT only move so fast (actually real slow). Clinging to the Desktop, be it physical or virtual, and clinging to Servers, be it on-prem or in the Cloud. While the technology to rid of that ancient stuff has been out there for a while now. Who would need a full Desktop OS if all Applications were Web Apps? Why deploy IaaS solutions while PaaS and SaaS solutions are real?

So anyway, apparently, we live in a Hybrid IT world, in this context meaning that we are mixing and mingling traditional deployments with all the Cloud goodies. Which does not make it easier to use these goodies. And there pops up my reason to take another round (#8) at Microsoft Operating systems Certifications. To oblige as Trainer, Consultant and Advisor. Reality sucks , doesn’t it?

Happy Learning!

 

MCT: Delivering AZ-305, notes from the field

This week I did a first-time delivery of MOC AZ-305, Designing Microsoft Azure Infrastructure Solutions, towards Microsoft Certified Azure Architect Expert Certification. The Exam is still in beta, I took it a week before delivering the training. Making the time investment count double, preparing for both my Exam, and delivering the training.

I consider this training and this exam (topics, depth, and breadth) one of the better ones out of the whole Curriculum. The real “Expert level” deal. The 4-day training can be delivered without Labs, the GoDeploy Labs have no direct link with the course content but offer some great deep dives in specific technologies should they fall out of the knowledge scope of the participants. Long Labs, up to 3-4 hours. Each Module ends with one or more Case Studies, plenty of room to discuss various options.

After my preparation I had some concerns for the knowledge level of the participants, it happens too often that people over-estimate themselves in which case they might get lost on day 2 or so. The course really covers a lot of Cloud in just 4 days, the more knowledge the participants already have, the higher the value of this course gets. I would suggest to Microsoft Learning that the prerequisites (also for Certification) should be not just the AZ-104 Azure Administrator. Add 1 or 2 “electives” (as in the old days of MCSE Certifications). Electives can be almost any “Associate level” Certification (AZ-500, AZ-700, SC-300, AZ-204, etc.).

Luckily, the 6 participants in this group selected the right course, they were all very seasoned senior Azure Admins/Engineers and there was plenty of expertise in the (virtual) room on specific technologies like SQL and Kubernetes. But anyhow, take care of the intake of participants for this course.

I started of with a whiteboard session of the “Well Architected Framework”, to give some context on how to approach the content. So, in the discussions on the Case Studies, we could discuss possible solutions based on these principles. For in the Exam as well, references are made to these principles. Maybe a module on this could be added to the course. On day 1 and 2 (and planned for day 3 and 4) I allocated some 2-3 hours for them to work on the Labs. On day 3 however a request was made to not use course time for Labs and rather spend it on discussing the topics and the case studies. The vote on that was unanimous, Wonderful! We ended up in vivid discussions and we all learned a lot form each other. I invited them to look at becoming MCT! And I think some of them will take that path . As we all agreed that the Knowledge and Skills Gaps are a big showstopper for leveraging Cloud technologies. Do something about it instead of complaining about it.

Overall, I am very satisfied with this course and I’m looking forward to delivering it again (scheduled for March).

 

Happy Learning!

Following my Passion: Making a Difference as a Trainer

Back in 1996 I entered the IT Space as an “IT Professional”. Before that, I spent 8 years in accounting. IT manifested itself in that area already deeply and I did my fair share. Anyway, I decided I was done with accounting for other people’s money (although I’m good at it).

I started as a Trainer for a non-profit Organization, and I trained some 2,000 persons on the big switch back then from DOS to Windows. I watched some colleagues of mine carrying these MCSE NT4 books around, I thought “wow, that is interesting stuff”. In no time I mastered the Certifications, and I was teaching IT Professionals instead of end users. Those were the Days. Delivering the complete MCSE Tracks on NT4 and Windows 2000 a couple of times.

In retrospect, those were the days indeed. It was all about the marvels of the technology, anything was possible. Then I joined more commercial Organizations and became an Admin, an Engineer, a Consultant, a Senior Consultant and even a Solution Architect over the years. Some 80+ Certifications, another 1,000 Training Participants and 4 Employers later, I now come to the following conclusion:

With all my passion and drive for progress using the latest Technology the way it is supposed to be used, I always engage in conversations with both employers and customers to “move forward”. Of late, I discovered that Senior Consultant or Solution Architect may not be my best way of making people and organizations successful where they want to be successful. I believe the biggest stop on using the latest and greatest Technology is the Knowledge Gap, on all levels in all organizations. My drive is sharing knowledge with those who seek that and who want to benefit from that.

So, I go back to my Roots. Who I am is a Trainer. Out of Passion for making a difference for individuals and organizations. Out of Passion for the Possibilities of modern IT Technologies and its Power to drive Transformation.

Passion, Power and Transformation.

That is who I am and that is what you can count on!

Pay for what you Use? Yes! And, then Use what you Pay for!

Too many Organizations leave too much money on the table. And then they talk about reducing cost.

ICT Cost reduction seems to be a Business driver for IT Projects. That may be valid for as long as the ICT Department is considered a Cost Center. The two major KPI’s are Total Cost of Ownership (TCO) and Return on Investment (ROI).

Both KPI’s can be looked at from the perspective of “cost”. I would rather look at it from the perspective of “Value”. A statement I make frequently: Any Organization can increase productivity by at least 30% without investing in software or hardware. You already have everything; you just do not use it the way it is supposed to or can be used.

That applies to IT Professionals (your IT Staff), responsible for both TCO and ROI, and it applies to your Users, mostly responsible for ROI. For IT Staff, what is missing, is Training and Certification on the Technologies in place. For Users there is a huge lack in PC Literacy. On the C-level, onboard a CTO, in the end, decisions are made here. Knowledge being the Key distinction here.

When engaging in the Knowledge space, IT will move from being a Cost Center to a Business enabler, a new perspective. It is called Digital Transformation.

So, we can have 2 conversations now, choose:

  1. Spend time scraping money out of all corners and get a marginal cost reduction as a result. Little impact on TCO and ROI.
  2. Start using what you pay for and squeeze all the Value out of your software and hardware investments. Exciting impact on TCO and ROI!

Something to consider for 2021 and beyond…….

 

Happy transforming….. !

Training or Learning, it is not the same

Kind of a re-iteration from a Blog Post I wrote in March 2019 (remember, pre-COVID19). You can read the Post here “Training means Train”

Now, we are in the middle of that pandemic and I am really, really getting so tired of all the Webinars, Exam preps, Learning videos and the lot of it. Let me quote myself:

Training is not the same as watching a “how-do-I-….” video on YouTube or attending a Webinar/Seminar. Training means practice, repetition, endurance, discipline, making mistakes, learning to understand why it is as it is. Training is an action; one needs to allocate time for it. Results will take a while. A new insight is not good enough if you do not practice the actions that come out of the new insight. The insight gives a moment of “aha”. After practicing it becomes obvious.

I never study or learn for an Exam, I only just practice, I train myself. The outcome is that I feel grounded in the matter. And in my line of business that matters! The two most important things here: allocate time and have the discipline. There are no shortcuts and no quick wins.

The point I want to make here, do not overwhelm yourself in attending too many webinars, videos, online learning programs, exam preps, etc. Set yourself some goals, dig in, TRAIN yourself and master the matter at hand.

One more quote: As a Microsoft Certified Trainer, I tell my students that the Labs are not about getting them done successfully. The Labs are about spending time on the technology, practicing. and learning to understand the why of the technology. The students train!

That is why I love the Role of being a Microsoft Certified Trainer!

 

Happy Training!

Remote Communication – Effective as Usual?

I sit behind my desk at home, I am working. But…. Where is my work?

I am a Consultant, I visit my Customers as frequently as possible, have face-to-face meetings on some topics, 2 or 3 meetings a day, sometimes continuing over lunch or dinner. I am a Trainer, nothing beats a full 5-day Training, locked up in a room with 10 persons: group-dynamics, frustrations on the Labs, the jokes, the unspoken things, the body language, the stories, a real white board. I am a Team Leader, my Team members reside in different countries, but boy, can we have some quality time whenever I am able to go there. I am a Public Speaker, standing on the soap box is the best place to be, Entertrain my audience. I attend the big conferences 3 or 4 times a year, meet with my peers, talk tech over junk food and beers. My wife is a high-school teacher, she sees some 180 kids a day in her Classroom, 5 days a week.

Now I sometimes have 5 or 6 back-to-back online meetings with my customers, sometimes with video, sometimes not. After 3 of those I have no clue what was discussed in the first one anymore. When was our last meeting again, the other day, like Blursday? I deliver my Trainings online, what are my participants doing? Are they paying any attention, are they working on their Labs? I try to schedule some informal meetings with my Team members, cancelled just as frequently, because we all have other priorities. I deliver Webinars now, talking to a microphone and looking into a webcam. What does my audience look like? I hope they nod every now and then, maybe they fell asleep. I recently attended the MS Build Conference online; it was 48 hours of content. I could not consume more than four 1-hour sessions a day. Not even with the junk food and beers included. My wife tries to deliver some classes online, seeing the kids in grid view, if they are willing enough to switch on their cameras. She got no support in using the tools, or how to deliver. Nobody is in control, but everybody tries their best.

And yet, we expect the same outcomes, the same results. The customer deals must be closed, the projects must finish. My participants must get the same value out of a virtual training to pass their Exams. My Team members are expected to be fully motivated and effective. My audiences are expected to walk away with the same insights. My motivation and ambition, I have to take care of that myself, not being able to “be” with my peers. The kids in my wife’s school get the same exams and are expected to make the same scores.

My point here is that we not only need to adjust the way we work, we must also adjust our expectations, the results, the outcomes. Our effectiveness and our “Return on Investment” are to be aligned with a new reality. We have to do without the power of real human interaction. We need new Key Performance Indicators, not based on the old ones (and then just a little lower) but based on the new reality. If we do not do so, we will all just be very unsuccessful, exhausted and frustrated.

 

 

 

WVD Notes from a NO-SBC fan

People who know me also know that I am no fan at all about Server Based Computing (SBC). Remote Desktop Services, Citrix, VMware, VDI, WVD, it is all the same complex and expensive misery to allow Organizations to keep on running their legacy Win32 Line of Business Applications.

This racket of mine is not new. Back in 2007 I joined a Dutch company called Qwise, and Qwise was one of the major players in The Netherlands on Citrix and App Packaging and deployment. I asked myself and my colleagues: Why do we do this? Why don’t we make all applications web-based? Who needs a Desktop, who needs an OS? Because Organizations run shitty Line of Business Applications.

Now we are 2020 and nothing has changed. SBC is still expensive and it is still very complex (also in the Cloud) because Organizations still run shitty applications…..

Okay, anyways, I have been doing some playing around with Windows Virtual Desktop as a Pilot in our production environment. It took me like a day or two to get it all up and running thanks to this article by Christiaan Brinkhoff . It is great that Microsoft will now manage the RDS Roles in the background. That surely takes away some headaches. And of course, provisioning on Azure is fast. Currently I do all of my daily job in a Virtual Desktop except for Teams Meetings. Pretty happy with the fluency and the performance. I oversized the VM’s a bit, I have to admit, but no fancy GPU stuff. I am waiting for the A/V Redirect to make Teams Meetings working.

There are quit some hoops to jump through setting this all up. I wonder how that is for less experienced people, there is much to deal with. My 70+ Microsoft Certs are well spent on this endeavor . Inova Solutions, the Company I work for, is a “Cloud Only” Company. I abolished all on-prem stuff, got rid of Active Directory, all happens from the Cloud and in the Cloud. The biggest “bummer” of WVD is that it relies on Active Directory. So, either put up some DC’s in Azure or deploy Azure Active Directory Domain Services. Back to Active Directory feels like “legacy” after doing only Azure AD and Intune for the last 6 years. Back to NTLM Authentication and GPO’s. I consider that a huge step back.

We also need to manage, one way or another, the end user device to enable these users to connect to their WVD environment including local printers, scanners and other devices, secure Corporate data, etc. WVD is not replacing those devices, WVD adds another Device per user, adding work to IT Staff to manage and maintain the complete environment.

In my previous Blog I wrote about connecting to (legacy) Line of Business applications for Remote Work. Not much to be found on “best practices” for WVD and those LOB Apps availability.

I can see valid use cases for WVD but maybe not so much for SMB unless they are served by a Managed Service Provider, the SMB’s in my customer base simply do not have the Knowledge for WVD. The Total Cost of Ownership for WVD, as it becomes so clear with the monthly bill from Microsoft for Azure consumption, may be considered high, I tend to look at the Value more than at the Cost. Valid Business cases can be written for deployment of WVD.

Anyways, I’ll keep on experimenting, trying and find valid scenarios for #WVD

The Big Underrated Issue in Working from Home

Although the initial anxiety on COVID-19 has dropped by now, lots of Organizations are aware that Remote Work is here to stay. And we see lots of applicable Technologies that can facilitate that. But mostly just up to the point where we come to “Line of Business Applications” (LOBs).

Most of my Customers have a pretty traditional setup of their IT Infrastructure in a on premises data center. Active Directory, member Servers running (legacy) client/server applications in sometimes a 2-tier infrastructure. The Local Area Network (LAN) sits in the Corporate Building and all Desktops have connectivity to the local data center. Some of these Customers started with moving some workloads to the Cloud, mainly email that goes to Office 365. Adoption and moving more workloads or starting to use new things in the Office 365 platform is going very slow.

And now we need to work remote. Outside of the Corporate LAN. That poses several challenges. For the sake of the topic I refrain from looking at processes relying on physical paper although a lot of my Customers still do so. Of course, that makes the challenge of working remotely even more complex.

The Devices

In most Office buildings people have a Desktop, I think in most cases, even in this COVID-19 situation, people are not allowed to take that one home. And even if they are allowed, it will not be connected to the Corporate LAN, so work as usual is not an option. Also, things like Group Policies (including Security settings) will not be applied to those Desktops. Corporate laptops suffer the same unless they are decently prepared for remote work. Lots of people will work on their personal device from home, or even their family device, Organizations have to realize that those devices are totally out of control. Then, users will use anything trying to accomplish their tasks using any application they can find. That list is endless by now and 99% of it fits in the category of “Shadow IT”, corporate data can and will flow anywhere.

Business Applications

Organizations can use a lot of different applications throughout their companies, per department or division. Some of them will just be a standalone application, a lot of them will tie back into a backend in the datacenter. Are these Line of Business Applications accessible for Remote Workers? Can they be made accessible, in a secure and user-friendly way? Some protocols to connect to these backends are not that suitable to traverse Wide Area Network (WAN) connections, resulting in a bad user experience or very limited functionality. Some Organizations already have some of their Applications accessible from outside the Corporate LAN; email is probably the most common one.

In general, a Client device must be fully managed and sit as close to the Data Centre as possible, preferably over Corporate LAN Connections. Add to that, a decent Data Protection configuration. That is the ideal situation. Or is it?

There are numerous options to make LOB Applications accessible for use outside of the Corporate LAN, and they all have their pros and cons.

  • VPN into the Corporate LAN; applications may seem very unresponsive/low performance, a simple thing like browsing a File Server is hard over a VPN connection. Can the VPN-appliance on the Corporate LAN side and the Internet connection handle the load? Are the remote devices secure? Can the “client” side of the LOB Application be installed on the Remote Device?
  • DirectAccess. Only available for Windows 10 Enterprise domain member PC’s. Transparent end-user experience (Always on), very secure (IPSec), Certificate based authentication, fully managed PC through GPO. Can the Corporate LAN side appliance and the Internet connection handle the load?
  • Web-based applications. These are relatively easy to expose and authenticate to. The http(s) protocol is designed for WAN Connections.
  • Re-architect application to Web-bases applications.
  • Remote Desktop Services. The actual (virtual) Desktop runs within the Corporate LAN. Modern RDP Protocols (or the proprietary Citrix and VMware ones) are designed for WAN Connections. RDS or VDI Services are expensive, they require large amounts of resources: CPU, RAM, Storage, Networking. It also requires Infrastructure specialists and Application packaging specialists. Managing and maintaining a SBC environment requires a lot of IT Staff resources.
  • Move LOB Applications to the Cloud. Make them available and accessible from anywhere. For “legacy” applications there is still the issue about the distance between the client and the server though.
  • Move LOB Applications to the Cloud AND build SBC in the Cloud like Windows Virtual Desktop (WVD). WVD is not cheap (resource intensive) and almost just as hard to manage and maintain as an on-premises SBC Solution.
  • All the above scenarios leave the end user device as is, unmanaged and not secure (except for Direct Access). With Microsoft 365 (Office 365, EMS, Intune) we can manage any device (Windows, MacOS, iOS, Android), implement things like Multi Factor Authentication, Conditional Access, Information Protection, Threat Protection, and lots of telemetry to analyze that all. The Office 365 portion allows for Communication and Collaboration (Email, Teams, SharePoint). Implementing Microsoft 365 will make all of the above scenarios easier and more secure.

What we can see happening right now is a myriad of all these options, which is fine as long as there is a Strategy or Vision stating where it leads to. If a Strategy is lacking all we are left with is a pile of unmanageable “spaghetti”. In the meantime, all scenarios could be valid under some specific circumstances. There is not one right way of doing it.

My “prefect picture” would look like “All Applications deployed in the Cloud, preferably as SaaS or PaaS Solution. All Devices managed through M365”.

Working from Home, #wfh

All of a sudden, we need to work from home. I’m quit an expert on that as I have been working from home for the last 7 years. Inova Solutions, my employer, has no Office on Aruba and I happen to live there.

Working from home is totally different than going into the office and get stuff done in that location. Expectations employers and employees have for whom working from home, may not come true. My experiences described below hardly take the current crisis into consideration, it will be a lot harder, being at home with your entire families and your work. So, have some compassion with yourselves.

We are heading into week 3 or 4 of the Working from Home era and it is very likely it will be like this for weeks to come. The first signs are here, that people start to get mental issues. Both employers and employees need to be aware of that and show compassion and empathy.

The Rhythm

Rhythm, create rituals and new habits. People will find out very fast that the rhythm and pace while working from home will move away from the 9 to 5 thing with your regular lunch break. I work between 5 AM, when I switch on my PC, and 8.30 PM, when I switch off my PC. Read carefully, I do not work FROM 5 AM till 8.30 PM, I work BETWEEN 5 AM and 8.30 PM. Because other things are also happening in my home, around my home and away from home. Obligations and distractions that are not there in an office. That works the other way around as well, of course, no coffee machine gossip or printer room talk. The main point here is: Do not feel guilty doing what you are doing if it is not work related and it is between 9 and 5. It is a transformation, losing old habits and creating new ones. Get the work done and respect the time of your family members, colleagues and customers. Have agreement on your availability, plan your meetings. There is nothing wrong sharing with employers, colleagues and customers that you have trouble focusing or that you are distracted. You will find the timeslots for your focused work overtime. Please realize, during the day and especially near the end of the day that enough is enough. I am noticing in my mailbox that people are starting to send emails at really weird times, don’t go there. One of my best practices: the first hour, after waking up, NO screens! The last hour, before going to bed, NO screens.

The Workplace

Make sure you have a good physical workplace. The kitchen table is just not good enough for a full-time “work-from-home-experience”. Nor is a kitchen chair. This will not be for just a week or so. Do not compromise on your workplace and its environment: lighting, temperature, fresh air, noise. Make it clear to your employer, colleagues and maybe even customers if you cannot create that “perfect” spot in your house if that is a reality. Again, compassion and empathy.

When you do online meetings a lot, wired connections are preferred: network and headsets. Eliminate anything that can deteriorate quality. Set up a “fair use policy” with family members on your available bandwidth. If you do a lot of video conferencing, make sure your webcam is on the same screen you are watching or sharing, don’t let the other participants look up into your nose or ears. Mute when not talking, for quality you can even switch of your camera when not talking (make sure you have a decent avatar in that case, not just your initials).

The Work

What about The Work? Sure, the show must go on. And, these are uncertain times. Employers must create virtual “hangouts”. Employees should call or virtually meet each other daily, aside from work topics. Normally, I travel a lot and meet lots of peers, nerds and geeks. Not so much now. I call them now, talk about our profession, the technology, how we are coping. Social closeness instead of social distancing. The work, you know what needs to be done, you know what can and cannot be done. Take responsibility and communicate. It is NOT business as usual. It is NOT.

#besafe #stayhome #wfh #behappy