Sunday, May 18, 2014

My Notes from TechED 2014

I just got back from TechED 2014. One thing I really love about TechED is that all the sessions are presented by the people that work very closely with the products they are talking about. Often time you can gain a lot of insight just by the way they talk about things. Every sessions has 1 or 2 real gems.

As I review my notes, here are some of the key takeaways for myself. Things I didn't realize before or things I need to pay more attention to going forward. These are my notes and they are a little cryptic at times.

Azure now offers Redis cache
SQL 3014 offers %3000 performance increase for some workloads
API management is new Azure feature
Antimalware now part of azure
Office 365 encryption with each file having its own key
Site recovery now support replica directly to Azure
Managed apps are on IOS/Android
Azure Remote App
Cortana runs in the cloud is and is context aware
Xamarin offers .Net support for IOS/Android with Visual Studio 2013
HDInsight is Microsoft's implementation of Hadoop
PowerBI.com is like PowerView but in Azure with a powerful natural language search
Oslo and the Office Graph
One source of the truth
vNext Intune managed apps gives more control over data. Can block copy paste to other apps
Win-B310 TWC: Bullet proofing your network security - Download PPT and check blog for online sessions
defaultpassword.com
exploit-db
Security Compliance Manager: http://technet.microsoft.com/en-us/library/cc677002.aspx
    Can compare you settings vs best practice. Can also import GPO and compare it.
Microsoft Attack Surface Analyzer: http://www.microsoft.com/en-us/download/details.aspx?id=24487
    Run it before and after you install an application and it shows you how it changes the system attack surface
ITIL V3 DCIM-B224 - Watch this session again
   Start IT Steering Committee
   What service do we offer and how do we measure it
Desired State Config
  Scale * Complexity =  Exceeds Skill
New-CimSession - is this the replacement for New-PSSession, Investigate more
When hacked, do a memory dump before you shut it down. Then do a disk dump.
   Lot of important stuff in ram, like possible encryption keys or memory resident tools
Whatever runs is in memory and the rest of the OS is just a bunch of files
The prefetch can identify recent programs that were ran
This is turned off by default on SSD drives, turn it back on
X2works pf64.exe can analyse prefetch files
RPD History shows recent connections
Bitmap cache can show pieces of the last sessions screen
mstsc /public
Recommended to centeralize logs
Nvidia K2 or K5000 for VDI
Use change logon /drain
Local accounts have the same name, the fact that they have the same SID is not important
If 2 accounts have the same password, they have the same hash.
You can deny access to computer from network with group policy
New local group for local accounts that can be used in GPO to deny access
NT AUTHORITY\Local account
Run LSASS as protected process, it requires dlls to be digitally signed
mstsc /restrictedadmin
You can create silos in Active Directory
Monad Manifesto http://www.jsnover.com/Docs/MonadManifesto.pdf
DSC will be the primary administrative interface for Microsoft
released in October and Stack Overflow is using it in production
You can push or pull, use pull over https
DSC uses WSMAN
VMM can inject .mof files already
Must import non more modules in config files
connect.microsoft.com - where to provide feedback
Don't let existing habits dictate how you use this
DSC for Linux
Become a pull admin - Things are changing fast enough that you have to pull the info yourself to keep up
Focus on servers
One version of the truth
Virus Total integration with sysinternals
Uploading suspicious files can tip off attackers that you are on to them
clip command takes standard input to the clip board
AccessChk new options -h file/print shares -l detailed list -f filter out things
procmon can export to XML
there are scripts on blog to identify changed items and then copy those files/reg keys to a folder
if you run xcopy from a 32 bit cmd, then it will put things into the 32 bit locations automatically
You can use scheduled tasks to bypass UAC prompts
PsExec now encrypts on the wire
PsPing can to UDP testing, timed tests, and created firewall exceptions
darkreading.com
winflip for windows 8 embedded thin clinets
Storage spaces limit to 80 disks per pool and 4 pools per SOFS cluster
disk x columns = write speed
When trying to max iops, consider latency
Performance paper in PPT from Wed Tiered Storage Spaces Best Practices
use MPIO, use SMB multichannel
4xSSD + 20x7.2rpm drives = 700 VDI users
Force dedup after deploy then run tiering
There is a script to validate all the drive you need to run before you set up spaces
Monitor health, latency, tier usage
Server Performance Monitor (SPA) tool can configure alerts
xJEA
Get-PSSSessionConfiguration shows several default configurations
uses local account. 127 character password that changes daily
Get-Command will show you what you can run
DevOps - If you cannot measure it, you cannot improve it
Campfire, look at it
Automated SCCM Deployment that uses a variable.xml file for all the settings
   will download everything, take care of dependencies, and fire up VMs if needed
jp64 from TZworks can read the NTFS Journal changes
in IIS, application pool settings can dump passwords in plain text
Same issue with services
Sysinternals Process Manager uses purple for packed files
Search strings for HTTP
Change the default refresh rate when hunting malware
Add verified signature column
Add VirusTotal column
Autoruns can scan offline systems
ProcMon - filter category write, then proc tree view to include subtree
Azure Express Route - 1-2 ms delay, with 10GB pipe

That is more of a mess then I expected. I may revisit this list later and clean it up with more details as I work with these things.

No comments: