Stories with Tag Windows Server

• (Reasonably) secure Azure Pipelines on-prem deployments

  permalink

  Posted: 2025-03-04 16:25:54

  Verbose tl;dr

  This blog post details a method for securely deploying applications to on-premises IIS servers from Azure Pipelines without exposing credentials. The author leverages a self-hosted agent running on the target server, combined with a pre-configured deployment group. Instead of storing sensitive information directly in the pipeline, the approach uses Azure Key Vault to securely store the application pool password. The pipeline then retrieves this password during the deployment process and utilizes it with the powershell task in Azure Pipelines to update the application pool, ensuring credentials are not exposed in plain text within the pipeline or agent's environment. This setup enables automated deployments while mitigating the security risks associated with managing credentials for on-premises deployments.

  This blog post details a method for implementing reasonably secure deployments from Azure Pipelines to on-premises IIS servers, focusing on minimizing the attack surface and adhering to the principle of least privilege. The author outlines a process that avoids storing sensitive credentials like passwords directly within the pipeline definition, leveraging Azure Key Vault for secure secret management and Managed Identities for authentication.

  The core strategy revolves around establishing a dedicated deployment user account on the target IIS server. This account is granted only the necessary permissions to deploy and manage the specific application, adhering to the principle of least privilege. It explicitly does not have administrative privileges. This minimizes the potential damage if the account is compromised.

  The deployment process utilizes a self-hosted agent running on the on-premises server, which is registered with the Azure DevOps project. Critically, the agent itself doesn't hold any secrets. Instead, it leverages a Managed Identity assigned to the Azure DevOps project. This Managed Identity has permissions to access the necessary secrets stored in Azure Key Vault. During the deployment process, the pipeline instructs the agent to retrieve the deployment user's credentials from Key Vault using its Managed Identity. These credentials are then used to authenticate with the IIS server and perform the deployment tasks.

  The actual deployment steps involve using the msdeploy.exe utility. The retrieved credentials are passed securely to msdeploy.exe to authenticate with the target IIS server. The pipeline script then uses msdeploy.exe to sync the application files from the build artifact to the IIS server and configure the application within IIS. The author emphasizes the importance of using the -declareParamFile option with msdeploy.exe to avoid exposing sensitive information in the pipeline logs. This approach stores the sensitive deployment parameters in a separate file that is accessed securely during the deployment process.

  The author also touches on securing the web.config file. They recommend excluding the web.config from the initial deployment and instead using a separate, dedicated step to deploy a transformed web.config file. This transformed configuration file contains environment-specific settings retrieved securely from Azure Key Vault, ensuring sensitive information like connection strings isn't embedded in the application's source code. This approach separates configuration from code and allows for environment-specific configurations without compromising security.

  Finally, the post briefly discusses the option of using deployment groups as an alternative to individual self-hosted agents. However, the core principles of using Managed Identities, Azure Key Vault, and least privilege remain the same regardless of the chosen deployment method. The author advocates for this approach as a more secure and manageable way to handle deployments to on-premises IIS servers compared to traditional methods relying on stored credentials.

  • Azure DevOps
  • Azure Pipelines
  • On-Premises
  • deployment
  • Security
  • IIS
  • Self-Hosted Agents
  • DevOps
  • CI/CD
  • Continuous Integration
  • Continuous Deployment
  • Infrastructure as Code
  • Windows Server
  • .NET

  Summary of Comments ( 32 )
  https://news.ycombinator.com/item?id=43256802

  Verbose tl;dr

  The Hacker News comments generally praise the article for its practical approach to a complex problem (deploying to on-premise IIS from Azure DevOps). Several commenters appreciate the focus on simplicity and avoiding over-engineering, highlighting the use of built-in Azure DevOps features and PowerShell over more complex solutions. One commenter suggests using deployment groups instead of self-hosted agents for better security and manageability. Another emphasizes the importance of robust rollback procedures, which the article acknowledges but doesn't delve into deeply. A few commenters discuss alternative approaches, like using containers or configuration management tools, but acknowledge the validity of the author's simpler method for specific scenarios. Overall, the comments agree that the article provides a useful, real-world example of secure-enough deployments.

  The Hacker News post titled "(Reasonably) secure Azure Pipelines on-prem deployments" discussing the linked blog post about secure deployments to IIS using Azure DevOps has generated a small but focused discussion thread. Several commenters engage with the specific technical details and offer alternative approaches or raise potential concerns.

  One commenter points out a potential vulnerability if the deployment agent's machine account, which has write access to the web application directory, is compromised. They suggest an alternative where the build agent packages the application, and a separate deployment process, running under a more restricted account, handles the extraction and deployment to IIS. This separation of duties limits the potential damage from a compromised build agent.

  Another commenter discusses the complexity and challenges associated with using tools like Ansible for deployments, particularly in Windows environments. They acknowledge the benefits of such tools but highlight the effort required to learn and maintain them, contrasting it with the relative simplicity of the approach presented in the blog post. This commenter suggests that while more sophisticated tools exist, the author's method might be a pragmatic solution for those prioritizing simplicity and ease of implementation.

  A third commenter questions the security of storing deployment credentials within Azure DevOps, even if encrypted. They propose using a dedicated secrets management solution like Azure Key Vault for storing sensitive information and retrieving it during the deployment process. This approach enhances security by decoupling the secrets from the deployment pipeline itself.

  The overall sentiment in the comments is one of cautious appreciation for the author's approach. Commenters acknowledge the practicality of the solution while also highlighting potential security concerns and suggesting alternative, more secure, albeit potentially more complex, methods. The discussion revolves around the trade-off between simplicity and security in real-world deployment scenarios. No one outright criticizes the author's method but instead offer constructive feedback and alternative perspectives for achieving secure deployments.

• Windows Is Free for Business (2008)

  permalink

  Posted: 2025-03-03 20:38:23

  Verbose tl;dr

  The 2008 blog post argues that Windows wasn't truly "free" for businesses, despite the common perception. While the OS itself came bundled with PCs, the associated costs of management, maintenance, software licensing (especially for Microsoft Office and server products), antivirus, and dealing with malware significantly outweighed the initial cost of the OS. The author contends that these hidden expenses made Windows a more expensive option compared to perceived free alternatives like Linux, particularly for smaller businesses. Ultimately, the "free" Windows license subsidized other revenue streams for Microsoft, making it a profitable, albeit deceptive, business model.

  In a 2008 blog post titled "Windows Is Free for Business," author Dave Gutteridge elucidates a then-contemporary business strategy employed by Microsoft, arguing that the pervasive perception of Windows as a paid operating system was not entirely accurate. He posits that the actual cost of Windows for businesses was frequently absorbed, masked, or offset by other expenses and licensing agreements, effectively making it functionally free in many scenarios.

  Gutteridge begins by highlighting the bundled nature of Windows. He observes that most businesses acquire their Windows operating system pre-installed on new computer hardware. The cost of the OS, therefore, becomes integrated into the overall price of the machine, obscuring its individual value and contributing to the illusion of its non-gratuitous nature. This bundling, he argues, makes it difficult for businesses to discern the true cost of the operating system itself, as it’s not itemized separately.

  Further, Gutteridge elaborates on the role of software assurance agreements. These agreements, often purchased by businesses for access to updates, upgrades, and support for Microsoft products, frequently include Windows licenses. Thus, businesses perceive the cost as being associated with the ongoing support and maintenance, rather than the initial acquisition of the operating system itself. The perceived value proposition shifts from solely acquiring Windows to gaining access to a suite of services and ongoing software improvements.

  He also discusses the impact of large enterprise agreements. Large organizations often negotiate comprehensive licensing agreements with Microsoft that encompass a multitude of software products and services. Within these complex arrangements, the cost of individual Windows licenses can become diluted or even entirely absorbed into the overall contract cost. The overall economic benefit derived from the comprehensive agreement outweighs the focus on the individual cost of Windows.

  The author underscores that while businesses technically pay for Windows, either directly or indirectly, the actual cost is often obfuscated by these various purchasing mechanisms. The lack of a separate, visible charge for Windows creates the impression that it is, for all intents and purposes, free. He concludes that this “free” perception contributes significantly to Windows' dominance in the business market, as the apparent lack of direct cost removes a significant barrier to adoption. This effectively allows businesses to focus on the overall hardware and software ecosystem, rather than the operating system cost itself, further reinforcing Windows’ entrenched market position.

  • Windows
  • Microsoft Windows
  • Operating System
  • Business Software
  • Free Software
  • Open Source
  • Licensing
  • Proprietary Software
  • 2008
  • Cost of Ownership
  • TCO
  • Windows Server
  • Desktop Operating System
  • Server Operating System

  Summary of Comments ( 32 )
  https://news.ycombinator.com/item?id=43246403

  Verbose tl;dr

  Hacker News users discussed the complexities of Microsoft's "free" Windows licensing model for businesses. Several pointed out that while the OS itself might not have a direct upfront cost, it's bundled with hardware purchases, making it an indirect expense. Others highlighted the ongoing costs associated with Windows, such as Software Assurance for updates and support, along with the costs of managing Active Directory and other related infrastructure. The general consensus was that "free" is a misleading term, and the true cost of Windows for businesses is substantial when considering the total cost of ownership. Some commenters also discussed the historical context of the article (from 2008) and how Microsoft's licensing and business models have evolved since then.

  The Hacker News post titled "Windows Is Free for Business (2008)" linking to davegutteridge.com/windows_is_free_for_business has a modest number of comments, primarily focusing on the nuances of the original author's argument about the "free" nature of Windows for businesses.

  Several commenters challenge the premise that Windows is truly "free," highlighting the associated costs like hardware, support, and software licensing for other necessary programs. One commenter points out that the total cost of ownership (TCO) for Windows includes not just the OS itself but also the ecosystem around it, which can be substantial. This is echoed by another who mentions that while the OS might be factored into other costs, the real expense lies in the necessary Microsoft Office suite and the compatibility constraints it imposes.

  Some comments discuss the shift in perception of software costs over time. One commenter reminisces about the days when software was a significant expense and how it's now often bundled or perceived as a less prominent part of the overall IT budget. This leads to a discussion about how hardware costs have comparatively decreased, making the software component seem more significant in some contexts.

  Another thread of discussion centers on the comparison between Windows and Linux in a business context. One commenter contends that the "free" argument for Windows is misleading, particularly when considering the potential cost savings and flexibility offered by Linux alternatives. This sparks a small debate about the practicalities of switching to Linux in established business environments, acknowledging the potential benefits but also the challenges of migration and compatibility.

  A few comments also touch upon the role of piracy in the perception of Windows' cost, suggesting that widespread illegal use might contribute to the idea that the OS is somehow "free" for businesses. However, this is not a dominant theme in the discussion.

  Overall, the comments offer a critical perspective on the original author's claim, emphasizing the hidden and indirect costs associated with Windows in a business environment. They explore the broader context of software costs, comparing them to hardware expenses and alternative operating systems, while also acknowledging the evolving perception of software value over time. The discussion remains largely focused on the financial aspects, without delving deeply into technical comparisons or specific use cases.