
QPC podcasts have moved

Please forgive our old content here while we reorganize and redo our old website.

All new QPC podcasts are hosted on a more convenient platform for all of us.

Please visit https://qpcsecurity.podbean.com where you can use the Podbean mobile app, stream directly from the site, and sign up for the RSS feed.

Breakfast Bytes - Problems with Azure

9/1/2017

 

 




Azure can do wonderful things, but there is also a lot to beware of.

MP3 - Problems with Azure you need to be aware of

 
 

 


Azure can be great, but it can also cost you a fortune and get you into a billing model that you may never be able to get out of. Listen to this podcast to become informed.
 

Subscription Issues with Azure

  • Using anything but a Pay-Go subscription is probably a really bad idea.
  • Don't get sucked into a CSP-provisioned licensing subscription to pay for Azure, because resources often cannot be moved.
  • Azure credits are more hassle than they are worth to deal with. The discount is not enough to compensate you for the problems associated with dealing with them.

Resources not provisioned in the same regional datacenter resource group cannot be networked together without MORE expenditure on VPN gateways or other site-to-site VPN functionality.

Everything you provision is going to cost more.


 
 

Pricing for Azure AD Domain Services

https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/?cdn=disable

~ $130/mo regardless of how many users you have or whether or not you use it.

There is no guidance about what size of org or what use case makes this cost effective.

 
 

Many resources cannot be moved to be paid by a different method … ever.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources

The services that currently do not enable moving a resource are:

  • AD Domain Services
  • AD Hybrid Health Service
  • Application Gateway
  • Availability sets with Virtual Machines with Managed Disks
  • BizTalk Services
  • Container Service
  • Express Route
  • DevTest Labs - Move to new resource group in same subscription is enabled, but cross subscription move is not enabled.
  • Dynamics LCS
  • Images created from Managed Disks
  • Managed Disks
  • Managed Applications
  • Recovery Services vault - also do not move the Compute, Network, and Storage resources associated with the Recovery Services vault, see Recovery Services limitations.
  • Security
  • Snapshots created from Managed Disks
  • StorSimple Device Manager
  • Virtual Machines with Managed Disks
  • Virtual Networks (classic) - see Classic deployment limitations
  • Virtual Machines created from Marketplace resources - cannot be moved across subscriptions. Resource needs to be deprovisioned in the current subscription and deployed again in the new subscription.

 
 

Windows 10 Security Patch / OS Versioning model

Microsoft will now release two versions of Windows Desktop OS twice per year.

Patching now includes preview trickle patches that you can install if you want, or there is one big super-patch each month.

We do not do that for our clients. The trickle patching is less painful and makes more sense on many levels.

If the trickle patches are installed, the super patch is not going to install because the system detects that those security vulnerabilities are already patched.

Microsoft has stated they are now only going to support each version of Windows 10 for 18 months.

You can delay the installation of the new version up to that point in time, but after that it will automatically install.

I really do not have a problem with this considering how many breaches and issues have occurred over the last 25 years simply because patches were not installed. And people have not demonstrated that they have vigilance associated with installing patches.

WSUS is nearly completely deprecated as a patch deployment system. I have always hated it and found it to be more hassle than it was worth.

Tools like Kaseya have their own system that can be very good if you manage it properly. And Kaseya has reach far beyond the capabilities of WSUS or SCCM, especially at a certain price point. At another price point and scale, SCCM with Microsoft DirectConnect is the best method.

 
The Office Training Center - useful resource for office workers

https://support.office.com/en-us/article/Office-Training-Center-b8f02f81-ec85-4493-a39b-4c48e6bc4bfb?ms.officeurl=training&ui=en-US&rs=en-US&ad=US

 
 

A really interesting article on what could be going on with the US Navy ship collisions of late

https://www.secplicity.org/2017/08/26/us-navy-ship-collisions-result-hacking/

JavaScript and drive-by downloads hacking your computer

https://www.secplicity.org/2017/08/18/javascripts-hidden-danger-drive-downloads/
