My password recommendations from the trenches

The following are recommendations and thoughts that I have extracted from working with several customers. Some of you may find them obvious, but they could be useful for others. So, let’s begin:

In the identity plane, we could say that there are two categories of work:

  • Resist common attacks
  • Contain successful attacks

I don’t want to go into how to resist or contain attacks, because I have probably covered some of these topics in other blog entries, but for me there is a third category: understanding human nature.

By that I mean simply understanding that almost every rule we impose on end users results in a degradation of security. Why? Because we force users to use long passwords with special characters, and in the end users tend to reuse passwords, which makes it easier for malicious actors to guess or crack them.

So, in this post I will summarize some of my experiences as anti-patterns and recommendations:

  • Antipattern – Requiring long passwords: excessive length requirements (more than 10 characters) can result in predictable behaviour; users tend to choose repeating patterns (heyholetsgoheyholetsgo) that meet the length requirement but are clearly not hard to guess. In theory this kind of password is hard to guess, but in practice the requirement leads to poor habits that make the password easy to guess.
    • SuperPRO Tip: You can use a long password, but in that case what I recommend is something that Microsoft engineers do: they set a very loooooooong password, forget it, and instead sign in with passwordless mechanisms such as Windows Hello.

My tip: use a minimum length requirement of 8 characters, but ban common passwords with Azure AD Password Protection.

  • Antipattern – Requiring multiple character sets: you may not agree with me, but I’ve seen that this rule does more harm than good. People use predictable substitution patterns such as $ for s, @ for a, and 1 for I. So keep it in mind.
  • Antipattern – Password expiration: expiration policies drive users to choose very predictable passwords (for example, the next password can be predicted from the previous one); end users do not tend to pick a new password, they tend to update the old one.

My tip for the two previous points: Azure AD Password Protection + Conditional Access based on user identity.

  • Recommendation – Ban common passwords: for me, the most important restriction is to ban the use of common passwords, to reduce the chance that brute-force or password-spray attacks succeed.

Tip: Look at my first tip 😊
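To make the three points above concrete, here is an added example (not code from the original post) of a local password screen that applies them: a minimum length of 8, a banned-word list, rejection of the usual character substitutions ($ for s, @ for a, 1 for i) and rejection of repeated patterns. It is only an illustration of the idea; it does not reproduce Azure AD Password Protection’s algorithm, and the banned list and substitution map are constructed for this example.

```powershell
# Added example, not from the original post. Illustrative only: this is not
# Azure AD Password Protection's algorithm. Banned list and substitution map
# are constructed for the example.

function Get-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Undo the common substitutions so "P@$$w0rd" is compared as "password".
    $map = @{ '@' = 'a'; '$' = 's'; '0' = 'o'; '1' = 'i'; '!' = 'i'; '3' = 'e'; '4' = 'a'; '5' = 's'; '7' = 't' }
    $chars = $Password.ToLowerInvariant().ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($map.ContainsKey($c)) { $map[$c] } else { $c }
    }
    return -join $chars
}

function Test-RepeatedPattern {
    param([Parameter(Mandatory)][string]$Value)
    # True when the whole string is one short chunk repeated two or more times
    # (e.g. heyholetsgoheyholetsgo).
    for ($len = 1; $len -le [math]::Floor($Value.Length / 2); $len++) {
        if ($Value.Length % $len -ne 0) { continue }
        $chunk = $Value.Substring(0, $len)
        if (($chunk * [int]($Value.Length / $len)) -eq $Value) { return $true }
    }
    return $false
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Constructed banned list; a real one would be the tenant's custom list plus the global one.
        [string[]]$BannedList = @('password', 'welcome', 'letmein', 'summer', 'winter', 'company'),
        [int]$MinLength = 8
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt $MinLength) { $reasons.Add("shorter than $MinLength characters") }
    $norm = Get-NormalizedPassword -Password $Password
    foreach ($word in $BannedList) {
        if ($norm -like "*$word*") { $reasons.Add("contains banned word '$word' after normalization") }
    }
    if (Test-RepeatedPattern -Value $norm) { $reasons.Add('is a repeated pattern') }
    [pscustomobject]@{
        Password   = $Password
        Normalized = $norm
        Accepted   = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample inputs: two substitution tricks, one repeated pattern, one passphrase.
@('P@$$w0rd2021', 'heyholetsgoheyholetsgo', 'Summ3r!', 'purple-lamp-quietly-river') |
    ForEach-Object { Test-PasswordPolicy -Password $_ } | Format-Table -AutoSize
```

Only the last sample is accepted: the first two pass a naive length-and-character-set rule yet fail the banned-word and repetition checks, which is the point of banning common passwords rather than adding composition rules.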

  • Recommendation – Educate end users not to use organization credentials anywhere else: yes, I know that educating users is difficult, but you have to do it, because they tend to reuse the same password across multiple sites. It is common practice for cyber criminals to try compromised credentials across many sites.
  • Recommendation – Enforce MFA registration and enable MFA: ensure that users keep their security information up to date, so they can respond to security challenges when needed. I have seen that doing this makes end users more engaged with digital security.

Enabling MFA prevents up to 99.9% of identity attacks, and if we add other controls such as user location, even better.

PRO TIP: Use Conditional access with FIDO2 security key (PassWordless Authentication with Fido 2 Keys – Albandrod’s Memory (albandrodsmemory.com))

EndUser TIP: Consider turning on two-step verification everywhere you can

  • Recommendation – Enable risk-based authentication: when the system detects suspicious activity, it challenges the user to ensure that they are the legitimate account owner. Personally, I think this feature is great; the only drawback is that it is only included with AAD P2.

You will probably have different ones based on your experience, but these are my recommendations. Till next time, and stay safe!


Defender Rocks

While I was doing a PoC of Defender for Identity at one of my customers, I decided to go one step further and work with all the Defender capabilities enabled on the VM.

In this case I was preparing Defender for Identity, but Defender for Endpoint was also enabled on the VM, so… I started playing:

The first thing happened when I tried to run mimikatz on the VM:

I had intentionally left Windows Defender on, and not only did it block the program, the file was erased from the VM. First thing: cool.

This execution also fired some alerts in the Defender for Endpoint portal:

Wow, a lot of information to start with… So in order to carry on with my tests, it was necessary to deactivate Windows Defender protection:

But once I had everything in place and had executed my test, what I could see from the different security products was the following:

Azure Defender has been talking a lot with all the products, firing many alerts in my environment. I have to say that I have not only Defender for Identity but also Defender for Endpoint and Sentinel, so all my alerts are correlated in my workspace.

So I can dig into the alerts in order to know what is really happening in my environment:

For me, all the variants of Defender & Sentinel are great tools to protect our environments from external threats 🙂

Windows Security Alert: Disable Print Spooler

This post will be quick. If you haven’t heard about PrintNightmare, take a look at this article: https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

To avoid some ransomware in our companies, just disable the Print Spooler service on Windows 10 and Windows Server environments.

To do that, just open a PowerShell window as an administrator and run the following:

Stop-Service -Name Spooler -Force
# prevent the service from starting again after a restart
Set-Service -Name Spooler -StartupType Disabled
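The two commands above handle one machine. As an added example (not from the original post), the script below audits the Spooler state on a list of hosts, disables it everywhere except on an allow-list of real print servers, and then reads the state back so the change is verified rather than assumed. The host names are constructed placeholders; it assumes WinRM is enabled and you have admin rights on the targets.

```powershell
# Added example, not from the original post. Host names are constructed
# placeholders; assumes WinRM (Invoke-Command) and local admin on each host.

function Get-SpoolerState {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Present     = [bool]$svc
            Status      = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
            StartupType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        }
    } | Select-Object Computer, Present, Status, StartupType
}

function Disable-SpoolerRemote {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Hosts that genuinely serve printers and must keep the service.
        [string[]]$PrintServerAllowList = @()
    )
    foreach ($c in $ComputerName) {
        if ($PrintServerAllowList -contains $c) {
            Write-Warning "$c is in the print-server allow list; leaving Spooler alone."
            continue
        }
        # -WhatIf / -Confirm are honoured here before anything is changed.
        if ($PSCmdlet.ShouldProcess($c, 'Stop and disable Spooler')) {
            Invoke-Command -ComputerName $c -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
    }
    # Read the state back from every host so the result is verified, not assumed.
    Get-SpoolerState -ComputerName $ComputerName
}

# Constructed placeholder hosts: a domain controller, a file server and a print server.
$hosts = @('DC01.example.local', 'FS01.example.local', 'PRINT01.example.local')
Get-SpoolerState -ComputerName $hosts | Format-Table -AutoSize
Disable-SpoolerRemote -ComputerName $hosts -PrintServerAllowList 'PRINT01.example.local' -WhatIf
```

Run it first with -WhatIf as shown to see which hosts would be touched, then without it. The final read-back is the part worth keeping in any change ticket: a service that is Stopped but still Automatic will be back after the next reboot.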

That’s all! Take care!

Preventing M365 app bypass MFA

Nowadays businesses are being compromised by an Office pop-up asking them to grant permissions to what looks like a normal Office app. But when you click Accept, you are unknowingly giving a bad actor’s application access to your contact info, mailbox settings, and sign-in access.

The next step is to impersonate the victim, sending emails and accessing their files on their behalf, and because the application is external to the organization, the attacker can access the account information without MFA.

Scary stuff that you probably want to avoid, isn’t it?

What can I do to prevent the attack?

To reduce this risk, you can change the configuration of your tenant so that only applications approved by an admin can be installed. Also keep tenant hardening in mind. By doing this, you will avoid some problems in the future.

How can I detect those actions?

Want to see if you’ve had this happen already?

  1. Open the Security & Compliance Center at https://protection.office.com.
  2. Navigate to Search and select Audit log search.
  3. Search (all activities and all users) and enter the start date and end date if required and then click Search.
  4. Click Filter results and enter Consent to application in the Activity field.
  5. Click on the result to see the details of the activity. Click More Information to get details of the activity. Check to see if IsAdminContent is set to True.

How can I respond to those attacks?

If you have identified an application with illicit permissions, you can revoke the application’s permissions in the AAD portal:

  • You can revoke the application’s permission in the Azure Active Directory Portal by:
    • Navigate to the affected user in the Azure Active Directory User blade.
    • Select Applications.
    • Select the illicit application.
    • Click Remove in the drill down. Then, do reconnaissance on any accounts that had consented to the app: reset their password, require MFA, and dig through Cloud App Security and other logging tools to find out what has been done in the account. Look for phishing emails sent to other users in the organization and to the contact lists, files accessed on OneDrive or SharePoint, etc.
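The portal steps above for prevention, detection and response can also be scripted. The following is an added example, not code from the original post or from Microsoft: it parses “Consent to application.” events from the unified audit log, lists and revokes the OAuth2 grants a user gave to one service principal, and turns off user consent. Assumptions not stated in the post: Search-UnifiedAuditLog (Exchange Online PowerShell), the AzureAD module’s grant cmdlets, Set-MsolCompanySettings (MSOnline), and the audit-record property names, which are matched with wildcards in case the exact names differ. The JSON record at the end is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the original post. Assumptions: Exchange Online,
# AzureAD and MSOnline PowerShell modules; audit property names matched by
# wildcard. The sample record below is constructed.

function ConvertFrom-ConsentAuditRecord {
    # Turns the AuditData JSON of a "Consent to application." event into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$AuditData)
    process {
        $d = $AuditData | ConvertFrom-Json
        $props = @{}
        foreach ($p in @($d.ModifiedProperties | Where-Object { $_ })) { $props[$p.Name] = $p.NewValue }
        $adminValues = $props.Keys | Where-Object { $_ -like '*IsAdmin*' } | ForEach-Object { $props[$_] }
        [pscustomobject]@{
            Time         = $d.CreationTime
            User         = $d.UserId
            Operation    = $d.Operation
            AppObjectId  = $d.ObjectId
            Permissions  = (($props.Keys | Where-Object { $_ -like '*Permissions*' } | ForEach-Object { $props[$_] }) -join '; ')
            AdminConsent = ($adminValues -contains 'True')   # the portal step above looks for this flag
        }
    }
}

function Get-ConsentEvents {
    # Live query (detection); requires Connect-ExchangeOnline first.
    param([datetime]$Start = (Get-Date).AddDays(-30), [datetime]$End = (Get-Date))
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations 'Consent to application.' -ResultSize 5000 |
        ForEach-Object { $_.AuditData } | ConvertFrom-ConsentAuditRecord
}

function Revoke-UserAppGrants {
    # Response: list and (unless -WhatIf) remove every delegated grant the user gave to one app.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserObjectId,
        [Parameter(Mandatory)][string]$ServicePrincipalObjectId
    )
    Get-AzureADUserOAuth2PermissionGrant -ObjectId $UserObjectId |
        Where-Object { $_.ClientId -eq $ServicePrincipalObjectId } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("grant $($_.ObjectId) scope '$($_.Scope)'", 'Remove')) {
                Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
            }
        }
}

function Disable-UserConsent {
    # Prevention: users can no longer consent to apps themselves (requires Connect-MsolService).
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
}

# Constructed sample record; the shape follows Search-UnifiedAuditLog's AuditData, the values are made up.
$sample = @'
{"CreationTime":"2021-07-01T10:15:00","Operation":"Consent to application.","UserId":"alice@contoso.example",
 "ObjectId":"00000000-0000-0000-0000-00000000aaaa",
 "ModifiedProperties":[{"Name":"ConsentContext.IsAdminConsent","NewValue":"False","OldValue":""},
                       {"Name":"ConsentAction.Permissions","NewValue":"[Mail.Read, Contacts.Read, offline_access]","OldValue":""}]}
'@
$sample | ConvertFrom-ConsentAuditRecord | Format-List
```

In a real investigation, pipe Get-ConsentEvents to Where-Object on the Permissions column (mail, contacts and offline_access are the scopes the post describes) and export the result before revoking anything, so the timeline survives the cleanup.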

Good luck!

What do you need to know about protecting documents in M365

Most of the time, when we are talking about security in M365, we talk about how to encrypt files and grant permissions on them. But… did you know you can protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? I can say that it is a very useful feature when AutoSave is enabled for Excel or Word files.

But… What key points do you need to know?

  1. You can only protect individual documents, not a complete document library.
  2. You cannot protect OneNote documents, neither in the desktop app, nor online, nor in that half-baked OneNote for Windows 10.
  3. In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting.
    (You can also use other ways of protection, but that is out-of-scope for now)
  4. In the online apps you can only protect Word and Excel, but not PowerPoint.
  5. You can protect Word and Excel files in SharePoint and OneDrive.
  6. You can only send with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope that in the future this will change).
  7. You can only send with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
  8. You can use “review-only” in Word in SharePoint and OneDrive.
  9. When you share the document from SharePoint with an external person who has no access to the site, they receive a code via mail as soon as they try to open the document.
  10. How does a Word document open, and which options do you have when you share the document with or without protection, with or without “review-only”, and with people with various roles in your SharePoint site? See the table below. The first word is the option that the document opens with.

Conditional Access extension for Chrome

If you’re implementing Conditional Access in your company and you’re struggling with Windows 10 devices and Chrome support, you will probably need to visit this Docs link: https://docs.microsoft.com/es-es/azure/active-directory/conditional-access/concept-conditional-access-conditions#chrome-support

But in this post I want to talk about something related to it. In one of my projects, I have a CA policy that requires one of the following selected controls: Require MFA or Require Hybrid AAD joined device.

My device was Hybrid joined, so I was fulfilling one of the requirements: for example, when I accessed with IE or Edge, the device info was passed properly and MFA was bypassed for hybrid AAD machines.

But with Chrome, even with the Windows 10 Accounts extension pushed via GPO, I could see in the Azure sign-in logs that the device info was blank except for Browser and OS, so the AAD join status was not passed and MFA triggered. It was very weird and it was causing me some problems…

Finally, after hours of troubleshooting, I figured out what was wrong. When the extension is installed automatically, it does not clear some existing cookies, and Chrome then tries to use the old way of logging in. So in this case what you need to do is go to chrome://settings/content/all and delete the cookies for login.microsoftonline.com.

After doing that, everything worked perfectly. Keep that in mind!
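Two checks that would have shortened those hours of troubleshooting, as an added example that is not code from the original post: one confirms on the device that the Windows 10 Accounts extension is really in Chrome’s force-install policy, the other filters sign-ins for the symptom described above (Chrome, but no device trust type). Assumptions not in the post: the extension ID ppnbnpeolgkicgegkbkbjmhlideopiji, Chrome’s ExtensionInstallForcelist policy key, and Get-MgAuditLogSignIn from the Microsoft Graph PowerShell SDK for the live query. The sign-in sample is constructed so the filter runs offline.

```powershell
# Added example, not from the original post. Assumptions: the Windows 10
# Accounts extension ID and Chrome policy key below, and Get-MgAuditLogSignIn
# (Microsoft Graph PowerShell). Sample sign-ins are constructed.

$Win10AccountsExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'

function Test-ChromeAccountsExtensionPolicy {
    # True when the machine or user policy force-list contains the extension.
    $keys = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
            'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        # Force-list entries are numbered values: "1" = "<id>;<update url>"
        $values = (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        if ($values | Where-Object { $_ -like "$Win10AccountsExtensionId*" }) { return $true }
    }
    return $false
}

function Find-SignInsWithoutDeviceInfo {
    # Chrome sign-ins whose device state never reached Azure AD: the symptom in the post.
    param([Parameter(Mandatory)][object[]]$SignIns)
    $SignIns | Where-Object {
        $_.DeviceDetail.Browser -like 'Chrome*' -and [string]::IsNullOrEmpty($_.DeviceDetail.TrustType)
    } | Select-Object UserPrincipalName, CreatedDateTime,
        @{ n = 'Browser';   e = { $_.DeviceDetail.Browser } },
        @{ n = 'OS';        e = { $_.DeviceDetail.OperatingSystem } },
        @{ n = 'TrustType'; e = { $_.DeviceDetail.TrustType } }
}

function Get-RecentSignIns {
    # Live query; requires Connect-MgGraph -Scopes AuditLog.Read.All first.
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since" -All
}

# Constructed sample sign-ins using the same property names Graph returns.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; CreatedDateTime = '2021-05-10T08:01:00Z'
        DeviceDetail = [pscustomobject]@{ Browser = 'Edge 90.0.818'; OperatingSystem = 'Windows 10'; TrustType = 'Hybrid Azure AD joined' } },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; CreatedDateTime = '2021-05-10T08:05:00Z'
        DeviceDetail = [pscustomobject]@{ Browser = 'Chrome 90.0.4430'; OperatingSystem = 'Windows 10'; TrustType = '' } }
)
Find-SignInsWithoutDeviceInfo -SignIns $sample | Format-Table -AutoSize
Test-ChromeAccountsExtensionPolicy
```

Only the Chrome sign-in is returned by the filter. With live data, run Find-SignInsWithoutDeviceInfo over Get-RecentSignIns for the affected user: if the policy check is true but Chrome sign-ins still show an empty trust type, you are in the cookie situation described above rather than a deployment problem.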

What is really PIM?

Currently, in all the projects I’m involved in, I try to use security best practices, including the use of PIM. Privileged Identity Management is a service available in Azure AD as part of Azure AD Plan 2. It is used for all admin-related tasks so that no employee has standing access within the company, reducing the attack surface.

PIM makes it possible to give a user the privilege to elevate his or her access rights for a preset amount of time to a higher role such as User Administrator or SharePoint Administrator.

PIM covers a huge number of roles in Office 365 and Azure resources, where the user is by default a reader and can elevate to owner of a resource (group) for a specific amount of time (which is great!).

Activating a PIM role is done by going to the Azure Portal and selecting the role you want to elevate to. You need to do this for every role separately.

For example, imagine that you have members who need to elevate their account daily to be SharePoint and User administrators, so they need to do this every day. After activating, they need to sign out and sign in again to make sure the roles are applied.

No more giving a role to a user and forgetting which role we gave them…
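For the daily case in the post (activating SharePoint Administrator and User Administrator every morning, one role at a time in the portal), here is an added example, not code from the original post or from Microsoft, that activates several eligible roles in one go with a justification and a bounded duration. Assumptions not in the post: the Microsoft Graph PowerShell cmdlets named below and the selfActivate request shape; you need Connect-MgGraph with the RoleManagement.ReadWrite.Directory scope first, and the principal object ID in the example call is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumptions: Microsoft Graph
# PowerShell cmdlets below and the selfActivate request body; run
# Connect-MgGraph -Scopes RoleManagement.ReadWrite.Directory first.

function Get-MyEligibleRoles {
    # Lists the roles the principal is eligible for, resolved to display names.
    param([Parameter(Mandatory)][string]$PrincipalId)
    Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$PrincipalId'" -All |
        ForEach-Object {
            $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
            [pscustomobject]@{
                RoleName         = $def.DisplayName
                RoleDefinitionId = $_.RoleDefinitionId
                Scope            = $_.DirectoryScopeId
            }
        }
}

function Enable-PimRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string[]]$RoleName,
        [Parameter(Mandatory)][string]$Justification,
        # ISO 8601 duration; the role's activation policy caps how long is accepted.
        [ValidatePattern('^PT\d+H$')][string]$Duration = 'PT4H'
    )
    $eligible = Get-MyEligibleRoles -PrincipalId $PrincipalId
    foreach ($name in $RoleName) {
        $role = $eligible | Where-Object RoleName -eq $name
        if (-not $role) { Write-Warning "Not eligible for '$name'; skipping."; continue }
        $body = @{
            Action           = 'selfActivate'
            PrincipalId      = $PrincipalId
            RoleDefinitionId = $role.RoleDefinitionId
            DirectoryScopeId = $role.Scope
            Justification    = $Justification
            ScheduleInfo     = @{
                StartDateTime = (Get-Date).ToUniversalTime()
                Expiration    = @{ Type = 'AfterDuration'; Duration = $Duration }
            }
        }
        if ($PSCmdlet.ShouldProcess($name, "Activate for $Duration")) {
            New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body |
                Select-Object Id, Status, Action
        }
    }
}

# Example call; the object ID and ticket reference are constructed placeholders.
Enable-PimRoles -PrincipalId '00000000-0000-0000-0000-000000001234' `
    -RoleName 'SharePoint Administrator', 'User Administrator' `
    -Justification 'Daily admin tasks, ticket PLACEHOLDER-0000' -Duration 'PT8H' -WhatIf
```

The justification is mandatory on purpose: PIM keeps it in the audit history, which is what lets you answer “who was admin at 14:00 and why” later. As the post says, a new sign-in is still needed after activation for the token to carry the roles.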


How to enforce Azure AD Connect to use TLS 1.2 only

To enforce Azure AD Connect to use TLS 1.2 only, run the following Windows PowerShell script in an elevated PowerShell window on each Azure AD Connect server:

# 32-bit .NET Framework 4.x settings (WOW6432Node) and 64-bit settings.
# -Force lets the script be re-run safely when the values already exist.
$RegPath1 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"

New-ItemProperty -Path $RegPath1 `
    -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path $RegPath1 `
    -Name SchUseStrongCrypto -Value 1 -PropertyType DWORD -Force

$RegPath2 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"

New-ItemProperty -Path $RegPath2 `
    -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path $RegPath2 `
    -Name SchUseStrongCrypto -Value 1 -PropertyType DWORD -Force
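Setting the values is half the job; checking them on every Azure AD Connect server is the other half. The following is an added example, not code from the original post, that reads back the four values the script sets and reports any that are missing or not 1. The paths and value names are the ones in the post.

```powershell
# Added example, not from the original post. Paths and value names are the
# ones the script above sets; nothing here changes the registry.

function Test-AadConnectTls12Registry {
    $paths = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'
    foreach ($p in $paths) {
        foreach ($n in $names) {
            # Missing key or value yields $null rather than an error.
            $item  = Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue
            $value = if ($item) { $item.$n } else { $null }
            [pscustomobject]@{
                Path      = $p
                Name      = $n
                Value     = $value
                Compliant = ($value -eq 1)
            }
        }
    }
}

$report = Test-AadConnectTls12Registry
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more values are missing or not set to 1; re-run the script above in an elevated window.'
} else {
    Write-Host 'All four values are set; restart the Azure AD Connect services (or the server) so .NET picks them up.'
}
```

Both 32-bit and 64-bit paths matter because Azure AD Connect ships components of both kinds, and a setting under only one of them leaves the other half of the product on its old defaults. These two values make .NET Framework 4.x applications follow the operating system’s TLS configuration instead of their own older protocol defaults, so the server’s SCHANNEL settings decide what is actually offered.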

Hope it helps!