gMSA Accounts

A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate that management to other administrators. It can be used for services running on multiple servers, such as a server farm, ADFS, IIS, and systems behind a Network Load Balancer.

As I stated at the beginning, the main benefit from an identity perspective is that there is no password to manage for this account: the gMSA is configured on the servers and Windows handles the password management of the account.

This makes the solution easier to manage, since no user interaction is required to cycle the password on a regular basis. Cycling would normally involve changing the password in Active Directory and then updating each individual service with the new password to keep it running. A gMSA therefore eliminates service accounts with static passwords that are set on creation and never cycled again, which is very common among my customers.

Another very important property of gMSA accounts is that they cannot be used to log on to any computer in the domain. This ensures the service account is only used for its intended purpose of running a service.

One more thing to keep in mind: this feature is only available from W2012R2, so if your forest is running on W2008R2, forget it and upgrade your forest 🙂

If you want to go ahead and configure your gMSA account, you can do it by executing the following PowerShell:

New-ADServiceAccount AccountgMSA -DNSHostName AccountgMSA.fqdn -PrincipalsAllowedToRetrieveManagedPassword nameoftheServerstoretrievethegmsaaccount$ -KerberosEncryptionType RC4, AES128, AES256

The $ is not a typo; it is required when naming the servers, because computer account names end in $. If you execute the script and receive an error like the following:

you will need to create a KDS root key first, which you can do with the following command:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Once the previous command has been executed, we can run the first one again to create the account, which will then appear in Active Directory Users & Computers:
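As an added, end-to-end version of the procedure above (this is example code written for this page, not the post's own script): it creates the KDS root key only if none exists, grants password retrieval to a security group of hosts instead of to individual computer accounts, creates the gMSA restricted to AES, and lists who may retrieve the password. The domain, account, group and host names are placeholders.

```powershell
# Added example: end-to-end gMSA setup. Placeholders: domain contoso.local,
# gMSA "svc-web", host group "WebServers" containing WEB01$ and WEB02$.
# Run with the ActiveDirectory RSAT module as a Domain Admin.
Import-Module ActiveDirectory

# 1. The KDS root key must exist before any gMSA can be created.
#    -EffectiveImmediately still honours the 10-hour replication wait; the
#    AddHours(-10) trick from the post backdates the key and is for labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Granting retrieval rights to a group lets you add hosts later without
#    touching the gMSA object itself. Hosts need a reboot to pick up membership.
$hostGroup = Get-ADGroup -Identity 'WebServers' -ErrorAction SilentlyContinue
if (-not $hostGroup) {
    $hostGroup = New-ADGroup -Name 'WebServers' -GroupScope Global `
        -GroupCategory Security -PassThru
    Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$', 'WEB02$'
}

# 3. Create the gMSA. Leaving RC4 out of the encryption types means no RC4
#    tickets can be issued for this account.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. On each host, after the reboot:
#      Install-ADServiceAccount svc-web
#      Test-ADServiceAccount svc-web      # $true only if the host can retrieve the password

# 5. Review who may retrieve the password. Anyone in this list can obtain the
#    account's credential, so it is the thing to audit regularly.
Get-ADServiceAccount -Identity 'svc-web' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

Step 4 runs on the member servers, not on the DC; if Test-ADServiceAccount returns $false there, the usual cause is that the host has not rebooted since being added to the group.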

Windows Security Alert: Disable Print Spooler

This post will be quick. If you haven't heard about PrintNightmare, take a look at this article: https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

To avoid some ransomware in our companies, just disable the Print Spooler service on Windows 10 and Windows Server environments.

To do that, open PowerShell as an administrator and run the following:

Stop-Service -Name Spooler -Force

# prevent the service from starting again after a restart

Set-Service -Name Spooler -StartupType Disabled
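The two commands above act on one machine. As an added example (not from the post), the same change rolled out to a list of hosts with a before/after report, so you can confirm the service really is stopped and disabled everywhere. The host names are a constructed placeholder list; skip your actual print servers, which are the only machines that need the service.

```powershell
# Added example: stop and disable the Print Spooler on several hosts and report
# the state before and after. Host list is constructed for this example.
$hosts = 'SRV01', 'SRV02', 'WKS01'

$results = Invoke-Command -ComputerName $hosts -ErrorAction Continue -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Before = 'absent'; After = 'absent' }
    }
    $before = "$($svc.Status)/$($svc.StartType)"

    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    $svc.Refresh()

    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Before = $before
        After  = "$($svc.Status)/$($svc.StartType)"
    }
}

# Anything not reading "Stopped/Disabled" in After needs a second look.
$results | Format-Table Host, Before, After -AutoSize
```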

That's all! Take care!

Deploying Microsoft 365 Apps

This is a service I discovered the other day: the Office cloud policy service. It lets you enforce policy settings for Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) on a user's device, and it doesn't matter whether the device is domain joined or otherwise managed.

The magic happens when a user signs in to Microsoft 365 Apps for enterprise on a device: the policy settings then roam to that device. Another nice feature is that you can also enforce some policy settings for Office for the web, including for anonymous users.

Some of the policies you can configure here are also available in GPO or in Endpoint Manager, so take that into account. Also keep in mind the following requirements:

  • At least Version 1808 of Microsoft 365 Apps for enterprise.
  • User accounts created in or synchronized to Azure Active Directory (AAD).
  • Office cloud policy service supports security groups and mail-enabled security groups created in Azure AD.
  • To create policy configurations, you need one of the following roles: Global Administrator, Security Administrator, or Office Apps Admin.

To enable security policy recommendations, sign in to the portal for managing Microsoft 365 Apps for enterprise, click Security, and then choose On for the Security Policy Advisor.

How Security Policy Advisor creates recommendations

When a security group has been assigned a policy configuration, Security Policy Advisor analyzes how users in that group work with Microsoft 365 Apps for enterprise. Based on this analysis and on Microsoft best practices, recommendations are created for specific security policies and insights about the impact of those policies on productivity and security.

Recommendations are usually generated within a few minutes of a policy configuration being applied to a group. On rare occasions, it may take longer. In such instances, please revisit Security Policy Advisor to check if new recommendations are available.

That's all for now; keep playing and discovering the cool jewels hidden in the M365 portal.

Till next time!

Preventing M365 app bypass MFA

Nowadays businesses are being compromised through an Office pop-up asking users to grant permissions to what looks like a normal Office app. When you click Accept, you are unknowingly giving a bad actor's application access to your contact info, mailbox settings, and sign-in access.

The next step is to impersonate the victim, sending emails and accessing their files on their behalf. Because the application is external to the organization, the attacker can access the account information without MFA.

Scary stuff that you probably want to avoid, isn’t it?

What can I do to prevent the attack?

To reduce this risk, change your tenant configuration so that only applications approved by an admin can be consented to. Also keep in mind a general hardening of the tenant. By doing this, you will avoid some problems in the future.

How can I detect those actions?

Want to see if you’ve had this happen already?

  1. Open the Security & Compliance Center at https://protection.office.com.
  2. Navigate to Search and select Audit log search.
  3. Search (all activities and all users) and enter the start date and end date if required and then click Search.
  4. Click Filter results and enter Consent to application in the Activity field.
  5. Click on the result to see the details of the activity. Click More Information to get the details of the activity. Check whether IsAdminConsent is set to True.

How can I respond to those attacks?

If you have identified an application with illicit permissions, you can revoke the application's permissions in the AAD portal:

  • You can revoke the application's permission in the Azure Active Directory portal by:
    • Navigating to the affected user in the Azure Active Directory Users blade.
    • Selecting Applications.
    • Selecting the illicit application.
    • Clicking Remove in the drill-down.

Then do reconnaissance on any accounts that had consented to the app: reset their passwords, require MFA, and dig through Cloud App Security and other logging tools to find out what has been done in the account. Look for phishing emails sent to other users in the organization and to contact lists, files accessed on OneDrive or SharePoint, etc.
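The detection steps and the response steps above are both portal click-throughs. As an added example (not from the post), here is the same work from PowerShell: the detection half pulls the "Consent to application." events the audit log search shows and flattens the consent context so user-granted consents with mail-related scopes stand out; the response half revokes a user's grant to one app and invalidates their refresh tokens. It assumes the ExchangeOnlineManagement and AzureAD modules; the property names read from AuditData (ConsentContext.IsAdminConsent, ConsentAction.Permissions) are the ones I have observed in that event type, and the user and app names are placeholders.

```powershell
# Added example: detect and respond to illicit application consents.
Connect-ExchangeOnline    # provides Search-UnifiedAuditLog
Connect-AzureAD           # provides the *-AzureAD* cmdlets used below

# --- Detect: consent events from the last 30 days, flattened for review ---
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'Consent to application.' -ResultSize 5000

$consents = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # ModifiedProperties carries the consent context as Name/NewValue pairs.
    $props = @{}
    foreach ($p in $d.ModifiedProperties) { $props[$p.Name] = $p.NewValue }
    [pscustomobject]@{
        When         = $d.CreationTime
        Actor        = $d.UserId
        App          = $d.ObjectId      # target application as recorded in the event
        AdminConsent = $props['ConsentContext.IsAdminConsent']
        Permissions  = $props['ConsentAction.Permissions']
    }
}

# User (non-admin) consents that include mail, contacts or offline_access scopes
# match the pattern described in the post; review those first.
$consents |
    Where-Object { $_.AdminConsent -ne 'True' -and $_.Permissions -match 'Mail|Contacts|offline_access' } |
    Sort-Object When -Descending |
    Format-Table When, Actor, App, Permissions -AutoSize

# --- Respond: remove one user's grant to one app and kill existing sessions ---
function Revoke-UserAppConsent {
    param([string]$UserPrincipalName, [string]$AppDisplayName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $sp   = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    Get-AzureADUserOAuth2PermissionGrant -ObjectId $user.ObjectId |
        Where-Object { $_.ClientId -eq $sp.ObjectId } |
        ForEach-Object { Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId }
    # Refresh tokens already issued to the app keep working until revoked.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
}
# Revoke-UserAppConsent -UserPrincipalName 'victim@contoso.com' -AppDisplayName 'Suspicious App'
```

Revoking the grant alone is not enough, which is why the function also revokes refresh tokens: a token obtained before the revocation would otherwise continue to authorise the app until it expires.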

Good luck!

Nested Virtualization in Azure

This post is a companion to Nested Virtualization – Albandrod's Memory (albandrodsmemory.com).

For those who still don't know what nested virtualization is: it is a feature that allows you to enable the Hyper-V role inside a virtual machine in order to host and run virtual machines.

In other words, it lets you run a virtual machine inside an Azure virtual machine. When and why should it be used? For:

  • Non-production workloads.
  • Testing purposes. Most suitable for scenarios where several hosts are required to test configurations.
  • Training. Building virtual infrastructure for educational purposes.
  • Development. Building and providing dedicated hosts to teams for Application development.

But you have to be aware that not all Azure VM sizes allow nested virtualization, so I recommend always keeping an eye on upcoming updates/changes here.

Baseline for AIP policies

When I deliver AIP workshops for my customers, I regularly get asked whether I have a baseline for sensitivity labels. I always give the same answer: it depends on your needs and requirements. But with this post I want to show you how you can start your content classification.

First of all, you have to think about naming and descriptions. At first glance this may seem obvious, but when your end users start working with those labels and have to read the names and descriptions, this information will help them a lot, so choose wisely and think twice.

My recommendation is to make the name reflect the real purpose of the label, using the terminology the company already uses. Once you have this, half of your work is done; then you need to write a description explaining which contents fall under the classification.

So, what AIP levels am I creating? The following four:

  • Public
  • Internal
  • Confidential
  • Secret

Public classification

The public classification label applies to information that is available to the general public and intended for distribution outside an organization. This information may be freely distributed without risk of harm. Any information that is produced for public consumption — such as news releases, job announcements, and sales brochures — are good examples.

Internal classification

The internal classification label applies to information that is used in business processes, and the unauthorized disclosure, modification or destruction of which is not expected to seriously affect the organization, customers, employees or business partners. Any information that is used in routine business matters — such as internal policy manuals and company phone lists — are good examples.

Confidential classification

The confidential classification label applies to information that is used in sensitive business processes, the unauthorized disclosure, modification or destruction of which will adversely affect an organization, its customers, employees or business partners. Examples of sensitive information include intellectual property, contract negotiations, most personnel matters, personally identifiable information, protected health data, bank account numbers and payment card information of customers and employees.

Secret classification

The secret classification label applies to information that is used in extremely sensitive business processes, the unauthorized disclosure, modification or destruction of which would seriously harm the organization, its customers, employees or business partners. Examples for health organizations include medical records relating to mental health, sexually transmitted diseases… Examples for other organizations include documents used in mergers, strategic plans and litigation.
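The four levels above can be created with Security & Compliance PowerShell. As an added example (not the post's own code), the script below creates them with the post's definitions as tooltips, in order so that priority runs from Public (lowest) to Secret (highest), adds a visible header to the two restricted levels, and publishes them with Internal as the default label. Policy and marking text are placeholders; adjust them to your own terminology as the post recommends.

```powershell
# Added example: baseline sensitivity labels. Requires the ExchangeOnlineManagement
# module; Connect-IPPSSession opens the Security & Compliance endpoint.
Connect-IPPSSession

# Creation order sets label priority: first created = lowest.
$labels = @(
    @{ Name = 'Public';       Tooltip = 'Information intended for distribution outside the organization (news releases, job announcements, sales brochures). No harm if disclosed.' }
    @{ Name = 'Internal';     Tooltip = 'Routine business information (internal policy manuals, company phone lists). Disclosure is not expected to seriously affect the organization.' }
    @{ Name = 'Confidential'; Tooltip = 'Sensitive business information (intellectual property, contract negotiations, personnel and personal data, bank and payment card data). Disclosure would adversely affect the organization.' }
    @{ Name = 'Secret';       Tooltip = 'Extremely sensitive information (mergers, strategic plans, litigation, special-category health records). Disclosure would seriously harm the organization.' }
)

foreach ($l in $labels) {
    if (-not (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip `
            -Comment 'Baseline classification' | Out-Null
    }
}

# Visible marking on the restricted levels so the class is on every page.
foreach ($n in 'Confidential', 'Secret') {
    Set-Label -Identity $n -ApplyContentMarkingHeaderEnabled $true `
        -ApplyContentMarkingHeaderText "$n - internal use only" `
        -ApplyContentMarkingHeaderAlignment Center
}

# Publish to everyone. Defaulting to Internal means unlabeled content never
# silently counts as Public, and downgrades require a justification.
New-LabelPolicy -Name 'Baseline classification' -Labels $labels.Name -ExchangeLocation All `
    -AdvancedSettings @{
        DefaultLabelId                = (Get-Label -Identity 'Internal').Guid
        RequireDowngradeJustification = 'True'
    } | Out-Null

Get-Label | Sort-Object Priority | Select-Object Priority, DisplayName, Tooltip
```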

AADConnect : Unable to connect to the Synchronization Service Manager

This is a reminder to myself: a long time ago I needed to configure an AD Connect service, and again today. I used one account to configure the service, but when I tried to access the server with another account I was receiving the following error:

Unable to connect to the Synchronization Service.

Some possible reasons are:

  1. The service is not started.
  2. Your account is not a member of a required security group.

See the Synchronization Service documentation for details

Solution:

Check whether the Microsoft Azure AD Sync service is started.

Check whether your account is a member of the local ADSyncAdmins and/or ADSyncOperators group; if not, add the current user to the group and log off and log on again!
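Both checks in one place, as an added example (not from the post), to run on the Azure AD Connect server as the account that gets the error: it reports the service state, starts the service if it is stopped, and tells you which of the ADSync local groups the current user is a direct member of. The account in the commented Add-LocalGroupMember line is a placeholder.

```powershell
# Added example: diagnose "Unable to connect to the Synchronization Service".
# The service name is ADSync; its display name is "Microsoft Azure AD Sync".
$svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue
if (-not $svc) { throw 'ADSync service not found; is this the Azure AD Connect server?' }
"Service '$($svc.DisplayName)' is $($svc.Status) (start type $($svc.StartType))"
if ($svc.Status -ne 'Running') { Start-Service -Name ADSync }

# Local groups created by the Azure AD Connect installer.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
foreach ($g in 'ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    # Direct membership only; membership via a nested domain group is not shown here.
    $inGroup = $members | Where-Object { $_.SID.Value -eq $me.User.Value -or $_.Name -eq $me.Name }
    '{0,-18} member: {1}' -f $g, [bool]$inGroup
}

# To grant access, then log off and on so the new token contains the group:
# Add-LocalGroupMember -Group ADSyncAdmins -Member 'CONTOSO\admin2'   # placeholder
```

ADSyncAdmins is the full-control group; if the account only needs to run or monitor synchronization, ADSyncOperators (or ADSyncBrowse for read-only) is the smaller grant.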

Retention Label VS Retention Policy

Retention is a great way to drive information governance and user behaviour. It is good practice to have a retention policy implemented for your organization's content, in order to enable long-term retention in workloads such as SPO, Teams, ODFB, EXO…

But when it comes to the question of which feature to use in each case, the doubts start, so with the following post I hope to clarify some of those points:

Use Retention Labels when:

  • Information within the same location requires different classifications to drive lifecycle
  • Information is required to be managed as a record or a regulatory record
  • Information requires manual classification by users or auto-classification using Keywords, metadata or machine learning

Use Retention Policies when:

  • A single baseline retention period is applicable to all information within a location (ODFB, EXO, etc.)
  • Joiner / Leaver scenarios are required to be automatically managed
  • No user intervention is expected or required with the baseline policy

How to disable Hybrid Azure AD Join

A device is said to be hybrid joined if it has both an AD object and an Azure AD (AAD) object. This allows users of that device to sign in with an AD user account and get access to resources protected by either the AD or the AAD user.

A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined. The benefits of having Hybrid Azure AD joined devices are:

  • The computer has a device object in Azure AD, which enables a variety of capabilities including:
    • Microsoft 365 Apps device licensing is possible
    • Azure AD Conditional Access features based on device conditions are possible
  • There is a reduction in user sign-ins, because a single user sign-in gets both a NETID AD token and an AAD token

But what if you want to disable that hybrid join?

You can disable hybrid join by preventing one of the required elements from triggering hybrid join registration:

  1. Modify the Hybrid Azure AD Join configuration in AAD Connect (recommended).
  2. Use the following registry value on the computers to block it: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001
  3. Modify the scheduled task which triggers AAD device registration. See Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join. See the following 3 items for details:
    1. Deleting the scheduled task seems to work reliably.
    2. Disabling the scheduled task does not work reliably; the disabled task will still run after a user signs in.
    3. Modifying both triggers from an Enabled status to a Disabled status works reliably.
  4. Add a firewall block for https://enterpriseregistration.windows.net, to prevent the computer from connecting to the Azure AD Device Registration Service (AAD DRS). See the following item for possible side effects:
    1. This should only affect the ability to AAD join. If you have Office installed on the Windows device, this might have an undesirable impact on AAD device registration (different from AAD device join), which is required per user for Microsoft 365 Apps (formerly Office 365 ProPlus) sign-in.
  5. Add a firewall block for the UW ADFS server, sts.domain.com, to prevent the computer from getting an ADFS token to authenticate to the AAD DRS. See the following item for possible side effects:
    1. Note: this option will only work for as long as you continue to have federated authentication for AAD, which is planned to be removed. This option may be undesirable if there is any interaction with Azure AD applications like Office 365 from the device; those interactions would be blocked.

OK, that's great, but what if I want to unjoin a hybrid Azure AD device? For hybrid Azure AD joined devices, make sure to turn off automatic registration first, so the scheduled task doesn't register the device again.

Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave, or run this command as a script across several devices to unjoin in bulk.
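As an added example (not from the post), options 2 and 3 from the list above and the unjoin step combined into one elevated script for a single device: it sets the BlockAADWorkplaceJoin policy value, switches off both triggers of the Automatic-Device-Join task rather than disabling the task (which the post notes is unreliable), leaves the Azure AD join if the device is currently joined, and verifies the result with dsregcmd /status. Writing the modified triggers back with Set-ScheduledTask -InputObject is an assumption of this example.

```powershell
# Added example: block hybrid Azure AD join on this device and unjoin it. Run elevated.

# Option 2: policy value that blocks workplace/AAD join.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'BlockAADWorkplaceJoin' -Value 1 -PropertyType DWord -Force | Out-Null

# Option 3: disable both triggers of the registration task (the task itself stays
# enabled, because a disabled task still runs at user sign-in per the post).
$taskPath = '\Microsoft\Windows\Workplace Join\'
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'Automatic-Device-Join'
foreach ($t in $task.Triggers) { $t.Enabled = $false }
Set-ScheduledTask -InputObject $task | Out-Null

# Unjoin only if the device is currently Azure AD joined.
$status = dsregcmd.exe /status
if ($status -match 'AzureAdJoined\s*:\s*YES') {
    dsregcmd.exe /debug /leave | Out-Null
}

# Verify: AzureAdJoined should read NO, DomainJoined stays YES, and every
# trigger should report Enabled = False.
(dsregcmd.exe /status) | Select-String 'AzureAdJoined|DomainJoined'
(Get-ScheduledTask -TaskPath $taskPath -TaskName 'Automatic-Device-Join').Triggers |
    Select-Object Enabled
```

Do the AAD Connect change (option 1) as well; the device-side blocks only stop this computer from registering, they do not remove it from the hybrid join scope in the sync configuration.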

AIP AutoApply Label not working as expected

I have been testing auto-apply labels in some scenarios, but what I have discovered is that AutoApply Label is not working when I activate the AutoSave toggle in Word (for example):

I’ve been testing the same policy under different circumstances (Windows 10 + Office 2101 C2R)

Turned ON AutoSave for synced libraries (Default On):

Tested creating a new Word .docx with AutoSave ON and then added a keyword in the doc to trigger the AutoApply label.

After hitting Save, nothing happens: no label applied (or suggested).

Turned OFF AutoSave for synced libraries (Default On):

Tested creating a new Word .docx with AutoSave OFF and then added a keyword in the doc to trigger the AutoApply label.

After hitting Save, the AutoApply label suggests that I change the label.

But after digging some more, I noticed that if I use the built-in labeling client in Word it works with or without AutoSave. Strange, isn't it? I don't know if it's a limitation or what…

I will keep tracking that problem…