Category: Weekly Blog

In addition to monitoring, managing VMs is a key task for administrators. Below are simple PowerCLI commands for cloning and deleting VMs.

Cloning a VM

$sourceVM = Get-VM -Name "template-vm"
$targetHost = Get-VMHost -Name "esxi-host-01"
$datastore = Get-Datastore -VMHost $targetHost | Where-Object {$_.Name -like "vsanDatastore"}

New-VM -Name "cloned-vm" `
       -VM $sourceVM `
       -VMHost $targetHost `
       -Datastore $datastore `
       -ResourcePool ($targetHost | Get-ResourcePool)

Deleting a VM

Get-VM -Name "cloned-vm" | Remove-VM -DeletePermanently -Confirm:$false

These commands are especially useful for lab environments or when automating template-based VM provisioning.

---

Conclusion Use this PowerShell command as part of your regular cluster health checks. When combined with vCenter’s vSAN resync and health dashboards, it gives you the full picture to maintain optimal performance and avoid storage imbalances.

Stay tuned for a follow-up post on triggering manual rebalancing using RVC (Ruby vSphere Console).

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction: Keeping your vSAN environment healthy and balanced is critical to maintaining performance and avoiding bottlenecks. One of the best ways to stay ahead of potential issues is by proactively monitoring your ESXi host’s CPU and memory usage using PowerShell and PowerCLI. In this post, we’ll walk through a script that provides a quick overview of resource usage across your vSAN cluster — a valuable step before deciding whether to initiate a manual rebalance.

---

PowerShell Script to Monitor vSAN Host Resource Usage

Get-VMHost | Select Name, `
    @{N="CPU Usage MHz"; E={($_.CpuUsageMhz)}}, `
    @{N="Total CPU MHz"; E={($_.CpuTotalMhz)}}, `
    @{N="Memory Usage GB"; E={[math]::Round($_.MemoryUsageGB, 2)}}, `
    @{N="Total Memory GB"; E={[math]::Round($_.MemoryTotalGB, 2)}}

---

Sample Output

Host Name	CPU Usage MHz	Total CPU MHz	Memory Usage GB	Total Memory GB
esxi-host-01	6,405	115,168	151.94	511.71
esxi-host-02	7,148	115,168	199.02	511.71
esxi-host-03	2,089	115,168	124.49	511.71

---

What This Tells You

• CPU Load: In the sample output, CPU usage is consistently low (<10%), meaning the compute load is healthy.
• Memory Load: Memory usage ranges from ~24% to ~39%, suggesting room for optimization or upcoming load balancing.

---

When to Rebalance

If you see disproportionate usage — for example, one host consistently nearing 80%+ memory while others are underutilized — it may be time to initiate a vSAN rebalance.

This script gives you the confidence to proceed with rebalance safely during production hours, especially when CPU usage is low and no resync activities are ongoing.

---

Conclusion Use this PowerShell command as part of your regular cluster health checks. When combined with vCenter’s vSAN resync and health dashboards, it gives you the full picture to maintain optimal performance and avoid storage imbalances.

Stay tuned for a follow-up post on triggering manual rebalancing using RVC (Ruby vSphere Console).

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction

In today’s digital landscape, cybersecurity is more than just antivirus software and firewalls—it’s about layered security across endpoints, networks, identities, and applications. With cyber threats evolving daily, businesses must adopt proactive monitoring and defense mechanisms. This is where Security Information and Event Management (SIEM), Application Performance Monitoring (APM), and Privileged Access Management (PAM) come into play.

This guide will cover the importance of these tools, best practices, and how to integrate them with enterprise-grade security solutions like Cisco MX, Cisco Umbrella, CyberArk, and DUO.

---

1. Security Information and Event Management (SIEM)

SIEM solutions aggregate, analyze, and correlate security data from multiple sources, providing real-time visibility into potential threats.

Why SIEM Matters:

• Centralized Log Management: Collects logs from firewalls, servers, endpoints, and applications.
• Threat Detection: Uses AI and correlation rules to identify anomalies.
• Incident Response: Sends alerts when suspicious activity is detected.
• Compliance: Helps meet PCI-DSS, HIPAA, SOX, and Hi-Trust requirements.

Recommended SIEM Solutions:

✅ Splunk – Enterprise-level security analytics.
✅ Microsoft Sentinel – Cloud-native SIEM for Microsoft ecosystems.
✅ DataDog – Lightweight SIEM with cloud integrations.
✅ Elastic SIEM – Open-source alternative.

---

2. Application Performance Monitoring (APM)

APM tools monitor application behavior, uptime, and response times to ensure optimal performance and detect security anomalies.

Why APM Matters:

• Proactive Threat Identification: Detects application-layer attacks.
• Performance Optimization: Reduces downtime and enhances user experience.
• Integration with SIEM: Provides deeper insights into suspicious activity.

Recommended APM Tools:

✅ Datadog APM – Cloud monitoring with SIEM integration.
✅ Dynatrace – AI-powered full-stack monitoring.
✅ AppDynamics – Deep visibility into application health.
✅ SolarWinds APM – Cost-effective solution for IT teams.

---

3. Privileged Access Management (PAM) & Multi-Factor Authentication (MFA)

Privileged accounts are the biggest attack targets. Implementing PAM with MFA ensures that admin accounts are secure.

Why PAM & MFA Matter:

• Least Privilege Enforcement: Restricts admin access to critical systems.
• Prevents Credential Theft: Limits exposure to compromised passwords.
• Logs & Audits: Tracks administrative actions for compliance.

Best Practices:

✅ Use CyberArk for managing privileged accounts.
✅ Require MFA (DUO, Microsoft Authenticator, YubiKey).
✅ Separate Personal & Admin Accounts:

• Personal Account → No admin rights.
• Admin Account → Requires 15-min auto MFA renewal (best practice in enterprises like PIMCO & CNB).

---

4. Endpoint Protection with XDR

Extended Detection & Response (XDR) provides real-time protection across endpoints, emails, and cloud workloads.

Why XDR Matters:

• AI-powered Threat Detection: Blocks malware, ransomware, and phishing attempts.
• Zero Trust Security: Ensures only verified endpoints can access corporate networks.
• SIEM Integration: Sends endpoint logs for analysis.

Recommended XDR Solutions:

✅ Microsoft Defender XDR – Built-in for Microsoft environments.
✅ CrowdStrike Falcon – AI-driven endpoint security.
✅ SentinelOne XDR – Autonomous threat response.

---

5. Network Perimeter Security: Cisco MX & Cisco Umbrella

Firewalls alone are not enough. Organizations need cloud-based DNS security & perimeter defense.

Why Cisco MX & Umbrella Matter:

• Protects Against DNS-layer Attacks (e.g., phishing & malware sites).
• Prevents Data Exfiltration (blocks malicious domains before connections happen).
• Works with SIEM & XDR (for full security visibility).

Best Practices:

✅ Deploy Cisco MX for firewall + SD-WAN security.
✅ Use Cisco Umbrella to block malicious internet traffic.
✅ Segment Networks to isolate critical resources.

---

Conclusion: Security Requires Layered Defense

Cybersecurity isn’t just about one tool—it’s about a layered approach:

1. SIEM for centralized monitoring.
2. APM for app performance & security insights.
3. PAM & MFA for privileged access control.
4. XDR for endpoint protection.
5. Cisco MX & Umbrella for perimeter security.

Implementing these tools reduces risk, improves compliance, and protects IT infrastructure from modern threats.

---

Next Steps:

✅ Read our Step-by-Step Guides for each tool (coming soon).
✅ Explore PowerShell automation for security hardening.
✅ Contact us for enterprise security consulting (if applicable).

🔗 Stay tuned for more guides on securing your IT infrastructure!

---

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction

In today’s cybersecurity landscape, Security Information and Event Management (SIEM) plays a crucial role in protecting organizations from threats. A robust SIEM system centralizes security monitoring, aggregates logs, detects anomalies, and helps security teams respond to incidents in real time. However, SIEM is only one piece of a comprehensive security framework. To maximize its effectiveness, it should be integrated with other advanced security solutions such as APM tools, privileged access management (CyberArk), multi-factor authentication (Duo), and endpoint detection and response (XDR).

The Role of SIEM in Security

A SIEM system provides the following key functions:

• Centralized Log Management: Aggregates and normalizes logs from different sources.
• Real-Time Threat Detection: Uses correlation rules and AI-driven analytics to detect anomalies.
• Incident Response: Helps security teams investigate alerts and mitigate threats.
• Compliance & Auditing: Meets regulatory requirements for PCI-DSS, HIPAA, SOX, and Hi-Trust.

Recommended SIEM Solutions:

1. Splunk – Market leader in log analysis and threat detection.
2. IBM QRadar – Integrates well with enterprise IT infrastructure.
3. Microsoft Sentinel – Cloud-based SIEM with strong integration into Microsoft’s security ecosystem.
4. LogRhythm – Offers automation and advanced analytics.

Integrating APM Tools for Security & Performance Monitoring

APM (Application Performance Monitoring) tools work alongside SIEM to ensure application security and performance. APM tools help in:

• Detecting performance bottlenecks before they become security vulnerabilities.
• Correlating security events with application behavior.
• Enhancing log visibility for forensic analysis.

Recommended APM Tools:

1. Datadog – Offers monitoring for applications, logs, and security events.
2. Dynatrace – AI-powered analytics for anomaly detection.
3. New Relic – Provides application telemetry and distributed tracing.
4. AppDynamics – Deep visibility into application performance.
5. SolarWinds – A cost-effective alternative with performance monitoring capabilities.

The Importance of CyberArk for Privileged Access Management

Why Privileged Access Management (PAM) Matters? Privileged accounts are the highest-value targets for cybercriminals. CyberArk provides:

• Credential Vaulting – Securely stores and rotates privileged credentials.
• Session Isolation – Prevents direct access to critical systems.
• Least Privilege Enforcement – Ensures users only have access to what they need.
• Audit Logging – Records privileged activity for compliance.

Best Practices: Personal vs. Admin Accounts with Duo MFA

Many enterprises make the mistake of using a single account for both personal and administrative tasks, increasing security risks. Best practices recommend:

• Personal Account for Day-to-Day Use:
  • No elevated privileges.
  • Limited access to sensitive data.
  • MFA enforced for login.
• Admin Account for Privileged Tasks:
  • Protected by Duo MFA with time-based authentication every 15 minutes.
  • Password resets automatically every 15 minutes (e.g., CyberArk enforcement).
  • No direct internet access (restricted browsing and email access).

Endpoint Protection with XDR

Endpoints are the most vulnerable attack surface. Extended Detection and Response (XDR) solutions provide:

• Advanced Threat Detection: AI-driven monitoring for malware, ransomware, and behavioral anomalies.
• Automated Response: Blocks and isolates compromised endpoints.
• Integration with SIEM & SOAR: Security teams can automate investigations and threat responses.

Recommended XDR Solutions:

1. Microsoft Defender XDR – Natively integrates with Microsoft’s security suite.
2. CrowdStrike Falcon XDR – Lightweight agent with cloud-native capabilities.
3. SentinelOne – AI-driven threat hunting.
4. Palo Alto Cortex XDR – Strong perimeter and endpoint defense.

Perimeter Security: Cisco MX & Cisco Umbrella

Perimeter Security & Zero Trust Architecture A properly configured perimeter ensures that malicious traffic is blocked before it reaches endpoints or internal servers.

• Cisco Meraki MX – Next-generation firewall with content filtering, VPN, and IPS/IDS.
• Cisco Umbrella – Cloud-delivered security that blocks malicious domains and phishing attempts at the DNS level.

Conclusion

An effective security framework requires a layered defense strategy that integrates SIEM, APM, PAM, MFA, XDR, and Perimeter Security.

By implementing these solutions, organizations ensure: ✔ Proactive threat detection and response ✔ Regulatory compliance (PCI-DSS, HIPAA, SOX, Hi-Trust) ✔ Minimized attack surface ✔ Reduced impact of security breaches

Cybersecurity is not just about having tools—it’s about implementing the right tools, enforcing best practices, and continuously monitoring for evolving threats. The Force is always within you, but having the right technology stack ensures that you are always prepared for battle.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

When a team member leaves your organization, it’s critical to offboard them securely and efficiently. Here’s a step-by-step PowerShell-based offboarding process that covers:

✅ Disabling the user in Local Active Directory
✅ Disabling the Azure AD account
✅ Removing all licenses
✅ Disabling MFA
✅ Converting the mailbox to a shared mailbox
✅ Granting full mailbox access to the supervisor

---

Step 1 – Disable the User in Local Active Directory

powershellCopyEditDisable-ADAccount -Identity jdoe

---

Step 2 – Disable Azure AD User Account

powershellCopyEditConnect-AzAccount
Set-AzureADUser -ObjectId [email protected] -AccountEnabled $false

---

Step 3 – Remove Microsoft 365 Licenses

powershellCopyEditConnect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
$UserId = (Get-MgUser -UserId [email protected]).Id
Set-MgUserLicense -UserId $UserId -AddLicenses @() -RemoveLicenses @("tenant:licenseGUID")

📝 Replace tenant:licenseGUID with the appropriate license GUID assigned to your tenant.

---

Step 4 – Disable MFA

powershellCopyEditConnect-MsolService
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @()

---

Step 5 – Convert Mailbox to Shared

powershellCopyEditConnect-ExchangeOnline
Set-Mailbox -Identity [email protected] -Type Shared

---

Step 6 – Grant Supervisor Full Access to the Shared Mailbox

powershellCopyEditAdd-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -InheritanceType All

---

Summary

Using PowerShell for offboarding saves time and ensures consistency. Always document changes and communicate them to HR or management for final closure.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction
In many enterprise environments, automatic Windows 10 updates can disrupt critical applications. This guide provides step-by-step instructions on preventing updates, forcefully logging off users without rebooting, and managing remote machines efficiently using PowerShell, Command Prompt, and PsExec.

---

Step 1: Prevent Windows 10 from Installing Updates

Option 1: Disable Windows Update Service (Quick & Easy)

1. Open Run (Win + R), type services.msc, and press Enter.
2. Locate Windows Update in the list.
3. Right-click and select Properties.
4. Set Startup type to Disabled.
5. Click Stop, then Apply and OK.

💡 This prevents Windows from automatically downloading and installing updates.

Option 2: Use Group Policy to Block Updates

1. Open Run (Win + R), type gpedit.msc, and press Enter.
2. Navigate to:Computer Configuration → Administrative Templates → Windows Components → Windows Update
3. Double-click Configure Automatic Updates.
4. Select Disabled, then click Apply and OK.

Option 3: Delete Pending Updates Using PowerShell

If Windows updates are already downloaded and pending installation:

Stop-Service wuauserv -Force
Stop-Service bits -Force
Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force
Start-Service wuauserv
Start-Service bits

💡 This clears pending updates, preventing them from being installed.

---

Step 2: Completely Cancel Pending Updates and Remove Notification

Option 1: Clear the Update Queue from Windows Update

If stopping services alone doesn’t remove pending updates, run this in PowerShell:

Remove-Item -Path "C:\Windows\WinSxS\pending.xml" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\SoftwareDistribution\*" -Recurse -Force

💡 This removes Windows’ record of pending updates.

Option 2: Flush Update Status from Windows Registry

If the notification persists, remove any registry traces of pending updates:

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name "RebootRequired" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending" -ErrorAction SilentlyContinue

💡 This tells Windows that no updates are waiting for a reboot.

Option 3: Reset Windows Update Components

Run the following commands in CMD (Admin):

net stop wuauserv
net stop cryptsvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 Catroot2.old
net start wuauserv
net start cryptsvc
net start bits
net start msiserver

💡 This resets Windows Update components so the system forgets pending updates.

Force Windows to Acknowledge No Updates Are Pending

Run:

wuauclt.exe /resetauthorization /detectnow

or

gpupdate /force

💡 This forces Windows to recheck update policies and clear any pending update flags.

Reboot Without Installing Updates

To make sure Windows doesn’t install the update after a reboot, run:

shutdown /r /t 0

💡 This reboots without triggering pending updates.

---

Step 3: Remotely Log Off a User Without Rebooting

Option 1: Using PowerShell (Requires Admin Privileges)

1. Open PowerShell as Administrator.
2. Run:query user /server:RemotePCName
3. Identify the Session ID of the user you want to log off.
4. Log them off with:logoff <SessionID> /server:RemotePCName

💡 This logs off the user without shutting down the VM.

Option 2: Using PsExec (If PowerShell Remoting is Blocked)

1. Download PsExec.
2. Extract it to C:\PSEXEC.
3. Open Command Prompt as Administrator.
4. Navigate to the PsExec folder:cd C:\PSEXEC
5. Check who is logged in:psexec \RemotePCName -u Administrator -p YourPassword query session
6. Log off the user:psexec \RemotePCName -u Administrator -p YourPassword logoff <SessionID>

💡 This method works even if WinRM and RPC are blocked.

Option 3: Using Command Prompt (WMI-Based Logoff)

If PsExec fails, try using WMI:

wmic /node:RemotePCName /user:Administrator /password:YourPassword computersystem where name="RemotePCName" call Win32Shutdown 4

💡 This forces all logged-in users to log off without rebooting! 🚀

---

Step 4: Ensure Remote Management Works for Future Use

Once you regain access, run this on the remote VM to prevent future lockouts:

Enable-PSRemoting -Force
Set-Service -Name RemoteRegistry -StartupType Automatic
New-NetFirewallRule -DisplayName "Allow RDP and RPC" -Direction Inbound -Protocol TCP -LocalPort 135,3389 -Action Allow

💡 This allows future remote PowerShell and PsExec commands to execute successfully.

---

Conclusion

By following this guide, you can prevent Windows 10 from automatically updating, remotely log off users without rebooting, and ensure seamless remote access to your systems. This is critical for IT environments where stability is a priority.

Let me know if you need additional troubleshooting steps!

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

With the rise of remote work and hybrid environments, many IT professionals access their work machines using VPN and RDP (Remote Desktop Protocol). While this setup provides flexibility, it also presents security risks—especially when working in a cross-domain network or dealing with multiple IT teams.

As an IT professional with experience in Citrix VDI for banking and enterprise security, I’ve implemented best practices to ensure my remote work setup is secure against unauthorized access. Here’s how you can do the same.

---

🔍 Understanding the Security Risks of VPN + RDP

A typical work-from-home setup involves:
✅ Connecting to a corporate VPN (e.g., Cisco AnyConnect, Fortinet, or Palo Alto GlobalProtect)
✅ Using RDP (Remote Desktop Protocol) to access your work machine

However, if not properly secured, this configuration could expose your computer to:
⚠ Unwanted access from other IT personnel within the VPN network
⚠ Brute-force RDP attacks if port 3389 is open
⚠ Drive redirection vulnerabilities, where attackers can view or copy your files
⚠ Misconfigured VPN routes, allowing unauthorized users to connect to your machine

To prevent these risks, I follow a strict security protocol when using VPN and RDP.

---

🛡️ Step-by-Step Guide: How to Secure Your Work Computer When Using VPN + RDP

1️⃣ Enforce Network Level Authentication (NLA) for RDP

Network Level Authentication (NLA) ensures that only authenticated users can initiate RDP sessions, blocking unauthorized login attempts.

✅ How to enable NLA:

1. Open System Properties (sysdm.cpl)
2. Go to the Remote tab
3. ✅ Check “Allow connections only from computers running Remote Desktop with Network Level Authentication”
4. Click Apply > OK

🔹 Why it matters? Without NLA, an attacker can initiate an RDP connection and attempt brute-force attacks before authentication.

---

2️⃣ Restrict RDP Access to VPN-Only IP Ranges

By default, Windows allows RDP connections from any network. To prevent unauthorized access, restrict RDP connections only to your VPN subnet.

✅ How to block all external RDP access except your VPN subnet:

1. Open Windows Defender Firewall
2. Navigate to Advanced Settings > Inbound Rules
3. Find Remote Desktop – User Mode (TCP-In)
4. Right-click > Properties > Scope
5. Under Remote IP Address, choose These IP addresses
6. Add only your VPN subnet (e.g., 172.16.104.0/24)
7. Click Apply > OK

🔹 Why it matters? Even if someone inside your network tries to RDP into your machine, their connection will be blocked unless they are in the allowed VPN range.

---

3️⃣ Disable Drive Redirection in RDP

RDP allows drive redirection by default, which means that if an attacker gains access, they can browse and copy files from your local machine.

✅ How to disable RDP drive redirection:

1. Open Group Policy Editor (gpedit.msc)
2. Navigate to: pgsqlCopy codeComputer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
3. Find “Do not allow drive redirection”
4. Set it to Enabled
5. Click Apply > OK

🔹 Why it matters? This prevents your local drives from being exposed during RDP sessions.

---

4️⃣ Monitor RDP Access Logs for Unauthorized Connections

Since you’re the only one RDPing into your machine, it’s important to monitor login attempts to detect any suspicious activity.

✅ How to check RDP login logs in Event Viewer:

1. Open Event Viewer (eventvwr.msc)
2. Navigate to: nginxCopy codeWindows Logs > Security
3. Look for:
   • Event ID 4624 (successful logins)
   • Event ID 4625 (failed logins)

🔹 Why it matters? If you see failed logins from unknown IPs, someone may be trying to brute-force your RDP connection.

---

5️⃣ Disable Remote Access for Unauthorized Users

IT admins in your network may have elevated privileges, allowing them to remotely manage your system. To block unauthorized admin access, you can disable remote administration tools.

✅ How to remove unauthorized administrators:

1. Open PowerShell as Administrator
2. Run the following command to list local administrators: powershellCopy codenet localgroup Administrators
3. If you see any unauthorized users, remove them: powershellCopy codenet localgroup Administrators "DOMAIN\Username" /delete

🔹 Why it matters? Even with VPN access, they won’t be able to take control of your system.

---

💡 Alternative: Using Citrix VDI Instead of RDP for Secure Access

Since I’ve worked with Citrix Virtual Desktop Infrastructure (VDI) for banks, I know that virtual desktops eliminate most RDP risks. Instead of exposing RDP ports, a Citrix setup allows users to access their workstations securely via a web portal.

✅ Why Citrix VDI is better than RDP over VPN:
🚀 No direct RDP connection – Reduces attack surface
🚀 User sessions are isolated – Prevents unauthorized access
🚀 Secured with multi-factor authentication (MFA) – Extra security

If your organization supports it, using Citrix or Windows Remote Desktop Web Access (RD Web) is a safer alternative.

---

🔎 Final Thoughts

Working remotely via VPN + RDP is convenient, but it must be properly secured to prevent unauthorized access and IT snooping. By implementing:
✅ Network Level Authentication (NLA)
✅ Restricting RDP to VPN-only IP ranges
✅ Disabling drive redirection
✅ Monitoring login logs
✅ Removing unauthorized admin users

You can ensure that your remote work environment remains private and secure.

🔹 If you’re managing an enterprise network, consider moving to Citrix VDI or Windows RD Web for an extra layer of security.

💡 Have questions about securing your remote access? Drop a comment below!