Speaker

Evgenij Smirnov

Senior Solutions Architect @ Semperis

Berlin, Germany

Evgenij has been working with computers since the age of 5 and delivering IT solutions for over 25 years. His Active Directory and Exchange background naturally led to PowerShell, of which he's been an avid user and proponent since its first release.
Evgenij is an active community lead at home in Berlin, a leading contributor to the German TechNet forum and an experienced user group and conference speaker. He has been a Cloud and Datacenter Management MVP since 2020.

Evgenij is an IT industry veteran with more than 25 years of experience under his belt. His expertise lies primarily in Microsoft and VMware technologies. Working with Active Directory and Exchange led to PowerShell, and this technology has been an integral part of Evgenij's blog posts, articles and conference talks for many years.
Evgenij is active in the TechNet forum as well as in offline communities: he is group lead for three official Microsoft user groups in Berlin. He has been a Microsoft MVP for Cloud and Datacenter Management since 2020.

Area of Expertise

  • Information & Communications Technology

Topics

  • PowerShell
  • automation
  • Security
  • scripting
  • Microsoft Exchange
  • Active Directory
  • Migration
  • VMware

Sessions

PowerShell: Helping a CISO see the light en

"Disabling PowerShell is high on our list of priorities in securing our environment." Everyone who participated in a security assessment in recent years, especially in a Windows-heavy organization, probably heard this being said by a security officer.

In this session, we will debunk some misconceptions about the viability of this measure and look at the vast gray zone that remains after all that is achievable by supported methods has been done. Then we will pivot to the possibilities to move not to a "PowerShell-free" environment but to a regulated one, where PowerShell usage is controlled and logged to enable both manageability AND visibility. Because, dear CISO, PowerShell is not your enemy!

Creating a PowerShell executor - a non-dev's tale en

Sometimes, an enterprise scripter is forced to leave their comfort zone and create a binary executable, a windows service or a web application. Having the ability to execute PowerShell code from that application opens many possibilities like reusing script code one already has in form of scripts, modules and snippets. It also provides countless ways to lower your security posture, impact performance and degrade the overall usefulness of your application.

In this session, we will look at two typical use cases and the facepalm moments you are likely to encounter along the way. But I will also provide hard-earned integration advice so that you, as a non-developer, at least do not have to repeat the mistakes I already made for you.

Outfitting Windows Admin Center with proper RBAC en

WAC is a great server management tool that, while offering tons of functionality, is lacking one essential feature: proper role-based access control. There is almost no granularity between "Reader" and "Full Admin", save for the "Hyper-V Manager" role which, again, does not offer any granularity in terms of VMs, networks or storage locations that are allowed to a certain user. Features other than Hyper-V completely lack any access granularity.

In this session, we will explore the possibilities and the challenges of providing RBAC to WAC, the limits of what can be done without breaking stuff and ways to effectively cope with WAC updates and extensions.

Basic Toolmaking - The road to extensibility en

The best indication that you've made a great tool that solves a real problem is that people actually start using it. But once they do, improvement suggestions and feature requests are sure to start rolling in. Some of them are trivial to implement. Others, however, may send you down the rabbit hole of refactoring the complete code very quickly.
In this session I will demonstrate some techniques that saved me from the refactoring hell more than once and allowed me to incorporate incoming feature requests in record time.
Good planning is key, of course - but what exactly should you plan for? And what criteria should you set for declining a request? Because some of your (internal) customers will not take a simple 'no' for an answer!

Reverse hybrid AD: What you can, cannot and should not do with Azure AD DS en de

Everyone working in Microsoft tech probably knows the typical hybrid identity architecture: Active Directory as the identity source, synchronised to Azure AD for authentication, authorization and service provisioning in the cloud. However, Azure AD provides identity and access management capabilities superior to those your on-premises AD is able to deliver out of the box.

In this talk, we will dive into Azure AD Directory Services, see what functional gaps can be closed by adding it to your hybrid environment, where the limits of this concept lie and what else Microsoft has to offer so that we can overcome those limits.

Monitoring Tier Zero: Operationalizing the Crown Jewels en de

Monitoring solutions have come a long way towards delivering insights into IT infrastructure health, resource usage and consolidation and overall operational fidelity. However, most infrastructure components have not evolved in a way that would make monitoring them more secure, still mostly requiring privileged access in order to obtain operational parameters.
This becomes especially critical when it comes to monitoring Tier 0 assets. Not all is lost, though. In this session, you will learn about some architectural concepts for securely monitoring Tier 0 applications and also get technical implementation advice to take home.

Putting JEA to good use on Hyper-V clusters en

This may come as a surprise to some, but organisations are actually using Hyper-V in production! There is, however, one area where it absolutely does not shine, and this is delegating permissions!
With the old AzMan-based engine gone from Hyper-V, the obvious choice is to use PowerShell for delegation. Luckily for us, Just Enough Administration (JEA) goes a long way towards our objective, only permitting certain operations on certain objects to our designated management groups and then invoking the permitted operations with a highly privileged virtual account! However, there are limitations to what "pure JEA" can do, so we'll have to improve on that.
We will discuss what's in the box, take a look at how Windows Admin Center does it, and then create a JEA endpoint that is even more 'private cloud' than that. Lots of demo and some gotchas along the way!

Maintaining code quality with a bunch of non-developers en

With the advent of open-source PowerShell, the Dev-minded part of the community more or less assumed power over (and, to a slightly lesser extent, responsibility for) best practices of writing and maintaining PowerShell code.

Yet a significant portion, if not the majority, of PowerShell script code that gets executed every day, is being produced not by devs but by "enterprise scripters", i.e. persons who may know how to code but are otherwise not dev-minded. It gets worse if scripts and modules have to be maintained by a whole team of ops people.

Having spent lots of time among both groups, I will present some challenges ops-minded scripting teams are facing and solutions to at least a part of those challenges. Not all of them are of technical nature, but you can still take them home and implement in your organization!

Keeping Secrets: State of the Union en

For some time it seemed that with the Secret Management module in PowerShell and service principals in Azure AD most of the questions around credentials persistence in PowerShell code have been answered. Yet we're still seeing plaintext credentials in scripts, GitHub repositories and code examples on the Internet. It may be worth the while to revisit this topic after all.
After a brief discussion of the requirements, possibilities and impossibilities of credential management in script code, I will showcase some of the techniques you can use today to store and access credentials in your scripts in a secure manner without having to visit each endpoint if one of the secrets changes.
And yes, there are possibilities beyond Secret Management and Secret Vault!

Active Directory: Will PowerShell save us? en

With the inclusion of ADWS and the PowerShell AD module in the Windows Server OS, scripting Active Directory with PowerShell instead of arcane tools like dsget or dsacls became mainstream for many, if not most, AD admins and security professionals.

But is PowerShell the answer to all AD-related questions, especially where maintaining AD security is concerned?

After a brief discussion about the possibilities, the limits and the perils of PowerShell in regard to AD management, we will dig in and showcase some advanced scripting practices that will help you streamline your AD management even further.
And coming from me, performance considerations will definitely play a part.

Bye Bye NTLM en de

After 30+ years of serving authentication needs in the Windows world and beyond, NTLM has deserved to be finally put out to pasture. Yet this is way easier said than done. The old protocol has been hardwired in many areas of Windows, Active Directory and even its Kerberos implementation!

If you're responsible for Windows security in your organisation (or consult on the subject), this session is for you. After a brief recap of why NTLM is bad for your health, I will present an action plan of getting rid of NTLM authentication in a controlled manner and without breaking too much in the process.

Basic Toolmaking - strategies for storing persistent data in PowerShell scripts en

The cases for persisting data after your script has finished executing are legion. Logs, execution stats, configuration settings, sometimes even credentials - all of these need to be persisted to storage and retrieved later, either by the next instance of the same script or by some other system.
In this talk I will showcase some strategies for persisting data in PowerShell in a compatible and performant manner.

Beyond lab: Gathering data from real-world scale sources (Short Version) en

This is a compressed version of the two-part real-world data gathering workshop. We will look at some epic failures of scripts that look OK and work well in a small environment, then explore some routes of action to deal with huge amounts of data coming in from real-world scale sources like Active Directory, SQL or log stash.

This is not (primarily) about PowerShell multi-threading but rather about really knowing the idiosyncrasies of data sources like Active Directory or IoT streams and scripting practices that allow for mitigating those from the very beginning.

Beyond lab: Gathering data from real-world scale sources (Part 1) en

Scripts that access external data sources - flat files, Active Directory, IoT streams or relational databases - usually do so very well in the lab but will fail or take aeons to complete when facing real world scale. In this session, we explore information gathering techniques for large scale infrastructure data and produce recipes for your everyday automation.
In Part One we shall look at Active Directory, VMware vSphere and SQL, with an aside to SQLite.

This is a more workshoppy version of the Real-World Scale talk, with much more audience interaction intended.

Beyond lab: Gathering data from real-world scale sources (Part 2) en

Scripts that access external data sources - flat files, directories, databases or the Internet - usually do so very well in the lab but will often fail or take aeons to complete when facing real world scale. In this session, we explore information gathering techniques for large scale infrastructure data and produce recipes for your everyday automation.
In Part Two, we shall look more closely at file systems and flat structured data files, Internet resources, Event Logs and IoT data streams.

Part Two can, but need not necessarily be scheduled after Part One, should the selection committee decide to accept both parts. There is a compressed version of this talk which I also submitted.

Revenge of the Devs - The operational ROI of moving to PowerShell 7 en

PowerShell 6 and 7, a.k.a. PowerShell Core, has introduced many exciting features - from the developers' point of view - while still lagging behind Windows PowerShell's in terms of maintainability and security, at least in the Windows part of the world. The latter concerns are often brushed aside in community discussions in spite of being still valid, operations-wise.

In this talk I will identify some of the use cases where moving to PowerShell vNext "all the way" is indeed feasible. For the rest, I will offer an estimate of "operational ROI" of such an initiative and also some practical advice on peaceful coexistence between PowerShell and Windows PowerShell in a common DevOps environment.

Basic Toolmaking - robust scripting for unattended execution en

In this talk, we will look at the challenges of scripting where the user in front of the console cannot react to unforeseen events such as exceptions or systems being unreachable at execution time. As an enterprise scripter, it's your responsibility to make your scripts robust enough that they execute correctly every time and do not wreak havoc if some of the conditions at execution time are not as you (and everybody else) assumed they would be.

Basic Toolmaking - reducing dependencies for portable scripting en

In this Level 200 talk I will demonstrate several techniques to make your scripts 'drop & run' by reducing dependencies both on external code and on the environment the scripts run in.

Why Active Directory is not an identity management system and what you should do about it en

Identity is the core component of every IT organization. At the same time, given the current state of cybersecurity worldwide, identity is being viewed as 'the new perimeter' - the first line of defense against various threats.

At the core of most identity landscapes today is Microsoft Active Directory which is often being treated as the primary identity source. However, AD, while being a robust and battle-proven identity delivery system, lacks most of the components one would expect in identity management.

In this talk, I will present three main strategies IT organizations should consider for dealing with this phenomenon in a hybrid identity situation, tell some horror stories from the trenches and provide implementation pointers for you to take home.

NTLM must go! en de

After more than 30 years in the service of authentication, NTLM has earned its retirement at last. But that is easier said than done: the ageing protocol is hardwired into many areas of Windows, Active Directory and even, indirectly, Microsoft's Kerberos implementation. Sometimes NTLM turns up in places where you least expect it, including the well-known protocol weaknesses!

If you are responsible for IT security in your organization, this session is both a wake-up call and a helping hand for you! After a brief look back and the observation that NTLM is bad for your health, we turn to the process you need to implement in order to banish NTLM from your environment as far as possible. You will take home some approaches that will keep you from the worst mistakes and thus make for a smooth transition into the "NTLM-less era".

Reverse Hybrid Identity - what you can do with Managed AD, and what you had better leave alone en de

The typical hybrid identity is probably familiar to everyone who has worked with Microsoft technology in recent years: the local Active Directory is connected to the cloud via Azure AD Connect or Cloud Sync, and in tandem the two services provide authentication and authorization for services and applications. Unfortunately, in this scenario the traditional AD remains authoritative, and its capabilities determine the security and functionality of the overall solution. Yet Azure AD has had superior features in terms of security, identity management and identity lifecycle from the very start! This suggests running the cloud-managed directory, not the on-premises AD, as the primary identity management vehicle.
Using Azure AD DS as an example, we will look at a "reverse" hybrid setup. Real-world examples will show you which scenarios this architecture is ideally suited for, and which approaches you had better keep your hands off from the start!

Connecting to systems in a trustless world en

No, it's not about Zero Trust :-) Even in 2024, there is still work to be done on premises. However, due to the rapidly evolving threat landscape, not everything is integrated in Active Directory, and even trusts between different AD forests within one and the same organization are not the norm anymore.
In this session, we will explore different possibilities of connecting to remote (Windows) systems using PowerShell on a local (Windows) system in scenarios where there is no common authentication basis between the two. We'll be looking at the functionality, security, performance, ease of use - but also at the operational cost involved in order to make each particular method work.
This session concentrates on scripting rather than on interactive CLI administration, but of course, most remoting methods are applicable to one-line-at-a-time tasks as well.

Monitoring Tier 0 - How do I integrate the crown jewels into my ops? en de

Hardly any IT organization can do without monitoring, and the corresponding solutions are becoming ever more convenient, more intelligent, more powerful... but hardly more secure! Monitoring usually claims very high privileges that allow it to monitor the operational state of all systems without gaps.

But at the latest when it comes to the crown jewels, that is, Tier 0 systems, the question arises of how to reconcile the separation that is indispensable from a security standpoint with the linking of state data between Tier 0 and Tier 1 that is desirable from an operations standpoint. In this session, we briefly look at the general principles and approaches and then use demos to examine some examples of successful Tier 0 monitoring.

How Hard is Hardening? en

In the world of Windows, Active Directory and Microsoft applications in general, hardening recommendations and frameworks are legion. They all share a common Achilles heel though - the consequences of implementing a certain security control are hard to predict. That has kept many organizations from consistently hardening their systems in the past and is continuing to do so in spite of the cyber threat ravaging the modern world.

In this session I will present a typical on-premises environment that is 100% functional, yet very resilient against a wide variety of typical attack techniques, along with the simple yet effective hardening measures that make this level of resilience possible.

psconf.eu 2024 Sessionize Event Upcoming

June 2024 Antwerpen, Belgium

PowerShell + DevOps Global Summit 2024 Sessionize Event Upcoming

April 2024 Bellevue, Washington, United States

psconf.eu 2023 Sessionize Event

June 2023 Prague, Czechia

psconf.eu 2022 Sessionize Event

June 2022 Vienna, Austria

Scottish Summit 2022 Sessionize Event

June 2022 Glasgow, United Kingdom

psconf.eu 2020 Sessionize Event

June 2020 Hannover, Germany
