Set the compilation debug flag in IIS web.config

 One of the first things I check when troubleshooting ASP.NET applications is the debug flag in the web.config.

For this, I’ve written the following function that use the [xml] accelerator to cast the web.config file contents as an xmlDocument and use PowerShell’s dot notation to get the debug flag value, or use the .NET methods of the dom document to set the debug flag value:

function SetWebConfigDebugFlag {

    PARAM(

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]

        [string]$IISsitename,

        [Parameter(Mandatory=$true)]

        [ValidateSet(‘True’, ‘False’)]

        $DebugFlag = $false

    )

$mersite= Get-Website -Name $IISsitename

$appPath = $mersite.physicalPath + "\web.config"

$config = [xml](Get-Content -Path $appPath)

 try {

if (($config.SelectSingleNode(‘configuration/system.web/compilation’)) -eq $null) {

$compilation = $config.CreateElement(‘compilation’)

$sw = $config.SelectSingleNode(‘configuration/system.web’)

[void] $sw.AppendChild($compilation)

} 

if ($config.SelectSingleNode(‘configuration/system.web/compilation/debug’) -eq $null) {

$compilation = $config.SelectSingleNode(‘configuration/system.web/compilation’)

$compilation.SetAttribute(‘debug’, ($DebugFlag.ToString()).ToLower())

} else {

$config.configuration.‘system.web’.compilation.debug = $DebugFlag

}

$config.Save($appPath)

if($?) {

$Result = ‘Success’

$ThisDebugFlag = $DebugFlag

} else {

$Result = ‘Error saving the config file’

$ThisDebugFlag = ""

}

}

catch {

$Result = $appPath.Exception.Message

if ($Result -eq ‘You cannot call a method on a null-valued expression.’) {

$Result = "Configuration does not contain a ‘system.web’ section"

$ThisDebugFlag = ""

}

}

New-Object -TypeName PSObject -Property @{‘Path’=$appPath; ‘DebugFlag’=$ThisDebugFlag; ‘Result’=$Result }

}

#Calling the above function by passing iissitename and Debugflag params.

SetWebConfigDebugFlag -IISsitename "iissitename" -DebugFlag 'True'

Azure Sentinel- Most common Use cases deployment

 Ready to go . Just import them, configure any additional permissions needed. Take advantage of Azure Sentinel right now.

Disable Users from OnPrem Active Directory:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-OnPremADUser

Block Azure AD Users:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

Integrate Azure Sentinel alerts with Service Now:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Close-SentinelIncident-fromSNOW

Add Comments (Guidelines) on Incidents:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Comment-RemediationSteps

Confirm Risks for Azure Active Directory Users:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Confirm-AADRiskyUser

Collect Threat Vulnerability Management report from compromised Machine:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Enrich-SentinelIncident-MDATPTVM

Send all details (Machine Vulnerabilities, Missing KBs, Security Recommendations, Alerts, Software Inventory) from a compromised Machine and send it via Teams:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-MachineData-EDR-SOAR-ActionsOnMachine

Send scheduled report focused on Cost Management:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-IngestionCostAlert

Start Packet Capture from a compromised Machine:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Run-AzureVMPacketCapture

Send scheduled report focused on Connector Heath:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus

Restrict App Execution in a compromised Machine:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Restrict-MDATPAppExectution

Backup objects into another vault in another subscription

 How to: Backup objects into another vault in another subscription

In this section, I'm getting the secret values and saving them into another vault directly. We want to do this without touching any disk files.

With this approach, we're simply fetching all secrets from Vault1 in Subscription1, and saving them to Vault2 in Subscription2. However, remember that the secrets we fetch now are not encrypted to your subscription, hence it's not a good idea to persist them in memory, sessions or disk. Here I'm not saving it to any variables.

Make sure you have installed Azure CLI for windows in order to run the below script.

Param(

    [parameter(mandatory)] [string] $sourceVaultName,

    [parameter(mandatory)] [string] $sourceSubscriptionId,

    [parameter(mandatory)] [string] $destinationVaultName,

    [parameter(mandatory)] [string] $destinationSubscriptionId,

    [string] $destinationSecretsDisable = $true

)

# 1. Set the source subscription id. 

Write-Host "Setting origin subscription to: $($sourceSubscriptionId)..."

az account set -s $sourceSubscriptionId

# 1.1 Get all secrets

Write-Host "Listing all origin secrets from vault: $($sourceVaultName)"

$originSecretKeys = az keyvault secret list --vault-name $sourceVaultName  -o json --query "[].name"  | ConvertFrom-Json

# 1.3 Loop the secrets, and push the value to the destination vault without instantiating new variables.

$originSecretKeys | ForEach-Object {

    $secretName = $_

    Write-Host " - Getting '$($secretName)' from origin, and setting in destination..."

    az keyvault secret set --name $secretName --vault-name $destinationVaultName -o none --value(az keyvault secret show --name $secretName --vault-name $sourceVaultName -o json --query "value")

}

Write-Host "Secrets restored."

You can call the above script as mentioned below

.\CopySecretsToAnotherVault.ps1 -originVault "vault1-name" -originSubscriptionId "SUBSCRIPTION GUID" -destinationVault "vault2-name" -destinationSubscriptionId "SUBSCRIPTION GUID"

Passing Keyvault certificates to Virtual Machine deployment using ARM template

 

Referencing certificate from keyvault in an ARM template

You need to make sure all parameters are passed

"virtualMachineProfile": {

          "osProfile": {

            "computerNamePrefix": "[variables('compnamepref')]",

            "adminUsername": "[variables('adminUPN')]",

            "adminPassword": "[variables('adminpswd')]",

            "windowsConfiguration": {

              "provisionVMAgent": true,

              "enableAutomaticUpdates": false

            },

            "secrets": [

              {

                "sourceVault": {

                  "id": "[resourceId(parameters('RG'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"

                },

                "vaultCertificates": [

                  {

                    "certificateUrl": "[parameters('Cert1')]",

                    "certificateStore": "My"

                  },

                  {

                    "certificateUrl": "[parameters('Cert2')]",

                    "certificateStore": "My"

                  }

                ]

              }

            ]

Purging a soft deleted Azure APIM - API Management

 First you need to run the below script to get all soft deleted apims so that the details can be passed to the delete method which we will run after this. The output printed on powershell window is trimmed and hence I'm writing the response to an output file.

#GET Request- To list all soft deleted apims in a specific subscription

$token = Get-AzAccessToken

$request = @{

    Method = 'GET'

    Uri    = "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/deletedservices?api-version=2020-06-01-preview"

    Headers = @{

        Authorization = "Bearer $($token.Token)"

    }

}

Invoke-RestMethod @request  -OutFile c:\apimoutput.txt

#DELETE Request- This will purge the soft deleted apim 

$token = Get-AzAccessToken

$request = @{

    Method = 'DELETE'

    Uri    = "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/locations/{Location}/deletedservices/{APIMName}?api-version=2020-06-01-preview"

    Headers = @{

        Authorization = "Bearer $($token.Token)"

    }

}

Invoke-RestMethod @request

Version an API in Azure API Management using Azure Resource Manager

When creating a new API in an Azure API Management Service using the portal, you can specify whether you would like the API to be versioned

To achieve this through ARM scripts you'll need to create an ApiVersionSet resource first:

{
    "name": "[concat(variables('ManagementServiceName'), '/', variables('VersionSetName'))]",
    "type": "Microsoft.ApiManagement/service/api-version-sets",
    "apiVersion": "2017-03-01",
    "properties": {
        "description": "Api Description",
        "displayName": "Api Name",
        "versioningScheme": "Segment"
    }
}

Then update the apiVersionSetId property on the Microsoft.ApiManagement/service/apis resource:

{
        "type": "Microsoft.ApiManagement/service/apis",
        "name": "[concat(variables('ManagementServiceName'), '/', variables('ApiName'))]",
        "apiVersion": "2017-03-01",
        "dependsOn": [
            "[resourceId('Microsoft.ApiManagement/service/api-version-sets', variables('ManagementServiceName'), variables('VersionSetName'))]"
        ],
        "properties": {
            "displayName": "string",
            "apiRevision": "1",
            "description": "",
            "serviceUrl": "string",
            "path": "string",
            "protocols": [
                "https"
            ],
            "isCurrent": true,
            "apiVersion": "v1",
            "apiVersionName": "v1",
            "apiVersionDescription": "string",
            "apiVersionSetId": "[concat('/api-version-sets', variables('VersionSetName'))]"
        }
    }

Cloud Maker- Allowing all azure services to access resources

 Cloud Maker- Allowing all azure services to access resources. While creating SQL Server droplet or other resources, if you would like to enable all azure services to access your resource then you can achieve that through firewall rules as shown in the below screenshot.