Evgenij Smirnov
Senior Solutions Architect @ Semperis
Berlin, Germany
Evgenij has been working with computers since the age of 5 and delivering IT solutions for over 25 years. His Active Directory and Exchange background naturally led to PowerShell, of which he's been an avid user and proponent since its first release.
Evgenij is an active community lead at home in Berlin, a leading contributor to the German TechNet forum and an experienced user group and conference speaker. He has been a Cloud and Datacenter Management MVP since 2020.
Evgenij is an IT industry veteran with more than 25 years of experience under his belt. His expertise lies primarily in Microsoft and VMware technologies. Working with Active Directory and Exchange led to PowerShell, and for many years this technology has been an integral part of Evgenij's blog posts, articles and conference talks.
Evgenij is active in the TechNet forum as well as in offline communities: he is group lead for three official Microsoft user groups in Berlin. He has been a Microsoft MVP for Cloud and Datacenter Management since 2020.
PowerShell: Helping a CISO see the light en
"Disabling PowerShell is high on our list of priorities in securing our environment." Everyone who participated in a security assessment in recent years, especially in a Windows-heavy organization, probably heard this being said by a security officer.
In this session, we will debunk some misconceptions about the viability of this measure and look at the vast gray zone that remains after all that is achievable by supported methods has been done. Then we will pivot to the possibilities to move not to a "PowerShell-free" environment but to a regulated one, where PowerShell usage is controlled and logged to enable both manageability AND visibility. Because, dear CISO, PowerShell is not your enemy!
Creating a PowerShell executor - a non-dev's tale en
Sometimes, an enterprise scripter is forced to leave their comfort zone and create a binary executable, a Windows service or a web application. Having the ability to execute PowerShell code from that application opens many possibilities like reusing script code one already has in the form of scripts, modules and snippets. It also provides countless ways to lower your security posture, impact performance and degrade the overall usefulness of your application.
In this session, we will look at two typical use cases and the facepalm moments you are likely to encounter along the way. But I will also provide hard-earned integration advice so that you, as a non-developer, at least do not have to repeat the mistakes I already made for you.
Outfitting Windows Admin Center with proper RBAC en
WAC is a great server management tool that, while offering tons of functionality, is lacking one essential feature: proper role-based access control. There is almost no granularity between "Reader" and "Full Admin", save for the "Hyper-V Manager" role which, again, does not offer any granularity in terms of VMs, networks or storage locations that are allowed to a certain user. Features other than Hyper-V completely lack any access granularity.
In this session, we will explore the possibilities and the challenges of providing RBAC to WAC, the limits of what can be done without breaking stuff and ways to effectively cope with WAC updates and extensions.
Basic Toolmaking - The road to extensibility en
The best indication that you've made a great tool that solves a real problem is that people actually start using it. But once they do, improvement suggestions and feature requests are sure to start rolling in. Some of them are trivial to implement. Others, however, may send you down the rabbit hole of refactoring the complete code very quickly.
In this session I will demonstrate some techniques that saved me from the refactoring hell more than once and allowed me to incorporate incoming feature requests in record time.
Good planning is key, of course - but what exactly should you plan for? And what criteria should you set for declining a request? Because some of your (internal) customers will not take a simple 'no' for an answer!
Monitoring Tier Zero: Operationalizing the Crown Jewels en de
Monitoring solutions have come a long way towards delivering insights into IT infrastructure health, resource usage and consolidation and overall operational fidelity. However, most infrastructure components have not evolved in a way that would make monitoring them more secure, still mostly requiring privileged access in order to obtain operational parameters.
This becomes especially critical when it comes to monitoring Tier 0 assets. Not all is lost, though. In this session, you will learn about some architectural concepts for securely monitoring Tier 0 applications and also get technical implementation advice to take home.
Putting JEA to good use on Hyper-V clusters en
This may come as a surprise to some, but organisations are actually using Hyper-V in production! There is, however, one area where it absolutely does not shine, and this is delegating permissions!
With the old AzMan-based engine gone from Hyper-V, the obvious choice is to use PowerShell for delegation. Luckily for us, Just Enough Administration (JEA) goes a long way towards our objective, only permitting certain operations on certain objects to our designated management groups and then invoking the permitted operations with a highly privileged virtual account! However, there are limitations to what "pure JEA" can do, so we'll have to improve on that.
We will discuss what's in the box, take a look at how Windows Admin Center does it, and then create a JEA endpoint that is even more 'private cloud' than that. Lots of demo and some gotchas along the way!
Maintaining code quality with a bunch of non-developers en
With the advent of open-source PowerShell, the Dev-minded part of the community more or less assumed power over (and, to a slightly lesser extent, responsibility for) best practices of writing and maintaining PowerShell code.
Yet a significant portion, if not the majority, of PowerShell script code that gets executed every day, is being produced not by devs but by "enterprise scripters", i.e. persons who may know how to code but are otherwise not dev-minded. It gets worse if scripts and modules have to be maintained by a whole team of ops people.
Having spent lots of time among both groups, I will present some challenges ops-minded scripting teams are facing and solutions to at least a part of those challenges. Not all of them are of technical nature, but you can still take them home and implement in your organization!
Keeping Secrets: State of the Union en
For some time it seemed that with the Secret Management module in PowerShell and service principals in Azure AD most of the questions around credentials persistence in PowerShell code have been answered. Yet we're still seeing plaintext credentials in scripts, GitHub repositories and code examples on the Internet. It may be worth the while to revisit this topic after all.
After a brief discussion of the requirements, possibilities and impossibilities of credential management in script code, I will showcase some of the techniques you can use today to store and access credentials in your scripts in a secure manner without having to visit each endpoint if one of the secrets changes.
And yes, there are possibilities beyond Secret Management and Secret Vault!
Basic Toolmaking - strategies for storing persistent data in PowerShell scripts en
The cases for persisting data after your script has finished executing are legion. Logs, execution stats, configuration settings, sometimes even credentials - all of these need to be persisted to storage and retrieved later, either by the next instance of the same script or by some other system.
In this talk I will showcase some strategies for persisting data in PowerShell in a compatible and performant manner.
Basic Toolmaking - robust scripting for unattended execution en
In this talk, we will look at the challenges of scripting where the user in front of the console cannot react to unforeseen events such as exceptions or systems being unreachable at execution time. As an enterprise scripter, it's your responsibility to make your scripts robust enough that they execute correctly every time and do not wreak havoc if some of the conditions at execution time are not as you (and everybody else) assumed they would be.
Basic Toolmaking - reducing dependencies for portable scripting en
In this Level 200 talk I will demonstrate several techniques to make your scripts 'drop & run' by reducing dependencies both on external code and on the environment the scripts run in.
Connecting to systems in a trustless world en
No, it's not about Zero Trust :-) Even in 2024, there is still work to be done on premises. However, due to the rapidly evolving threat landscape, not everything is integrated in Active Directory, and even trusts between different AD forests within one and the same organization are not the norm anymore.
In this session, we will explore different possibilities of connecting to remote (Windows) systems using PowerShell on a local (Windows) system in scenarios where there is no common authentication basis between the two. We'll be looking at the functionality, security, performance, ease of use - but also at the operational cost involved in order to make each particular method work.
This session concentrates on scripting rather than on interactive CLI administration, but of course, most remoting methods are applicable to one-line-at-a-time tasks as well.
Monitoring Tier 0 - How do I integrate the crown jewels into my Ops? en de
Hardly any IT organization can do without monitoring, and the corresponding solutions are becoming ever more convenient, more intelligent, more powerful... but hardly more secure! Monitoring usually claims very high privileges for itself, which allow it to monitor the operating state of all systems without gaps.
But when it comes to the crown jewels, i.e. Tier 0 systems, at the latest, the question arises of how to reconcile the separation that is indispensable from a security perspective with the linking of state data between Tier 0 and Tier 1 that is desirable from an operations perspective. In this session, we will briefly look at the general principles and approaches and then use demos to examine some examples of successful Tier 0 monitoring.
How Hard is Hardening? en
In the world of Windows, Active Directory and Microsoft applications in general, hardening recommendations and frameworks are legion. They all share a common Achilles heel though - the consequences of implementing a certain security control are hard to predict. That has kept many organizations from consistently hardening their systems in the past and is continuing to do so in spite of the cyber threat ravaging the modern world.
In this session I will present a typical on-premises environment that is 100% functional, yet very resilient against a wide variety of typical attack techniques, along with the simple yet effective hardening measures that make this level of resilience possible.
psconf.eu 2024 Sessionize Event
PowerShell + DevOps Global Summit 2024 Sessionize Event
psconf.eu 2023 Sessionize Event
psconf.eu 2022 Sessionize Event
Scottish Summit 2022 Sessionize Event
psconf.eu 2020 Sessionize Event