Microsoft Defender for Endpoint

This product is becoming very popular among my customers, especially when they have purchased Microsoft 365 E5 licenses, so let’s have a look at how we can implement this technology in our business.

But first, what is Defender for Endpoint? It’s an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. We can also onboard servers and devices to the service independently, which is great.

What is very cool is that MDE is not only available for Windows but also for iOS, Linux and Android, so we can cover almost the whole spectrum of corporate devices.

And most important, Microsoft Defender for Endpoint integrates seamlessly with Microsoft Endpoint Manager. You only have to activate the Intune integration once during the initial setup and your reports will flow into MEM. This allows you to create and configure security baselines, which are pre-configured groups of Windows settings that help you apply the security settings recommended by the relevant security teams.

If you’re using an existing AV solution, you can check out the following guidelines to migrate to MDE:

What are the high level steps to implement Microsoft Defender for Endpoint?

If you want to know more, Microsoft Learn is, as always, a more technical and comprehensive way to explain products than the normal Microsoft Docs: Practice security administration – Learn | Microsoft Docs. And don’t forget to visit the TechCommunity: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP

Lastly, remember that you can access the M365 Defender portal at https://security.microsoft.com

Keep safe and have some fun!

Passwordless Authentication with FIDO2 Keys

This is something I wanted to test some time ago, and now, thanks to Feitian, I was able to do it. So let’s dig into the details of what passwordless with FIDO2 keys is, how we can configure it in Azure AD, and what advantages it provides to an end user. Let’s begin!

But before digging in deeper, let me explain the basics: a security key is a piece of hardware that you connect to your computer or phone to verify your credentials when logging in. Unlike a password, it’s completely safe, because the credential it holds is different for each system.

So, what do FIDO2 keys do? As you probably know, logging into a resource requires a username and password, and with MFA it usually requires a username/password combination plus one other authentication factor, like a time-based one-time password. FIDO2, by contrast, is a standards-based method of user authentication that is passwordless, supporting PIN and biometrics on security tokens.

For starters, with FIDO you can:

  • Improve security with crypto-secured passwordless authentication
  • Remove the helpdesk costs associated with forgotten passwords by replacing them with a simple PIN or fingerprint
  • Remove the user-experience annoyances of long passwords to create, remember and reset so that your workforce can get on with their role simply and seamlessly.

What about the preparation of AzureAD?

For IT, at a high level there are only two tasks to accomplish:

  • Enable the new authentication method registration on AzureAD
  • Enable FIDO2 as an authentication method

Easy, isn’t it?

What about the registration for end users?

In my case, as the security key is a biometric security key, what I needed to do first was to register my fingerprint. Once I did this (the manufacturer provides the details), you’re ready to go with the next steps.

In order to register the security token with Azure AD, the user needs to go to https://aka.ms/setupsecurityinfo, where they will be able to see all the authentication methods available to them:

And once the user has selected the security key option, the registration process begins. In my case, I selected USB device and then… I needed to provide a PIN for the security key:

Something to keep in mind is that users have to set up their own PIN to use their key; it cannot be enforced or managed centrally, so it is likely that your users end up using PINs like 123456.

Once you have registered the key, it will appear in the Security Info panel:

OK, what you’re explaining is great, but how is it used?

With the following video, I want to show how passwordless authentication in Azure AD works:

As you can see, the login was done without entering any username or password. If you’re convinced and you want to start deploying FIDO2 keys in your organization, think first about the following points:

Registration

  • Control to ensure that the employee has been through sufficient identity checks to create a trusted identity.

Issuance

The organisation needs policy control over:

  • The type of FIDO device used (external USB / Bluetooth)
  • The type of user verification required (fingerprint / NFC)
  • A simple experience for the end user during registration of a FIDO credential
  • Trust in the genuineness of the FIDO device being used for the FIDO credential

Lifecycle Management

  • Vision of who has been assigned which FIDO Credentials
  • Ability to simply revoke access to all systems accessed by the FIDO Credential
  • Ability to manage lost devices / replacement devices / back up devices

Authentication

  • The end user needs a simple experience to authenticate to systems; a usernameless flow helps with this.

As you can see, FIDO2 keys are great, and what is better, they not only work with Azure AD, they can also be used to authenticate with other services like Twitter, Instagram, etc.

Link References:

Register your key at https://aka.ms/mysecurityinfo

If you are a Microsoft 365 admin, use an interactive guide at https://aka.ms/passwordlesswizard

Does my organization need Azure AD Conditional Access?

Consider how the authentication process has traditionally worked: organizations require users to supply a user ID and password. Then the user can go on to access all the data, applications and other resources they’ve been granted permissions for. But what if an attacker has stolen a user’s credentials? How can we reduce these risks? This is where Conditional Access comes in 🙂

But the question is, do I really need it? It depends on your case or scenario 😛 but let’s dig in depending on what you’re using:

  • Security Defaults: To help organizations establish a basic level of security, Microsoft makes security defaults available to everyone at no extra cost. This feature automatically enforces the following policies:
    1. All users must register for Azure AD MFA.
    2. Users must complete an MFA challenge when they authenticate using a new device or application.
    3. Administrators must complete an MFA step every time they sign in. This policy applies to nine key Azure AD roles, including Global Administrator, SharePoint Administrator, Exchange Administrator, Conditional Access Administrator and Security Administrator.
    4. Any user trying to access the Azure portal, Azure PowerShell or the Azure CLI must complete additional authentication.
    5. All authentication requests made using older (legacy) protocols are blocked.
  • Azure AD Conditional Access: As you can imagine, in some organizations these security defaults are not enough; they want more fine-grained controls, and for that we need Conditional Access, which allows us to:
    • Create a policy to require administrators — but not regular business users — to complete an MFA step
    • Use the user’s location and the type of protocol being used to restrict access
    • Deny all requests that come from a particular country, and require MFA for the rest
    • Create multiple policies that work together to put guardrails in place exactly where you need them
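Two of the policies just listed (MFA for administrators only, and blocking legacy protocols) look like this when created through Microsoft Graph PowerShell. This is an added example, not from the original post; it assumes the Microsoft.Graph module is installed and the signed-in admin holds Policy.ReadWrite.ConditionalAccess and RoleManagement.Read.Directory. Both policies are created in report-only mode so their effect can be checked in the sign-in logs before enforcement.

```powershell
# Added example (not from the original post): create two Conditional Access
# policies in report-only mode with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the signed-in admin holds
# Policy.ReadWrite.ConditionalAccess and RoleManagement.Read.Directory.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagement.Read.Directory'

$caUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Policy 1: administrators (not regular business users) must complete MFA for every app.
# Role template IDs are resolved by display name so nothing is hard-coded.
$adminRoleNames = @('Global Administrator', 'Security Administrator',
                    'Exchange Administrator', 'SharePoint Administrator',
                    'Conditional Access Administrator')
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

$requireMfaForAdmins = @{
    displayName = 'CA01 - Require MFA for administrators (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeRoles = @($adminRoleIds) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Policy 2: block legacy authentication protocols, which cannot perform MFA at all.
$blockLegacyAuth = @{
    displayName = 'CA02 - Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' = basic auth / legacy clients
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

foreach ($policy in @($requireMfaForAdmins, $blockLegacyAuth)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $caUri -Body $policy -ContentType 'application/json'
    '{0} -> id {1}, state {2}' -f $created.displayName, $created.id, $created.state
}
```

Before moving either policy to enabled, add your emergency-access (break-glass) account to excludeUsers so an MFA or block rule can never lock every admin out of the tenant.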

Azure AD Conditional Access is an extremely valuable tool for helping you implement a Zero Trust model, protecting the three cores of the strategy:

  • Least privilege — Helps to grant the right access at the right time to only those who need it by enabling trusted locations and IP ranges, implement stronger controls for privileged users, and control access to sensitive applications and content.
  • Verify explicitly — Continually verify identities as users move around the network by requiring MFA when users appear on new devices and from new locations.
  • Assume breach — Weak passwords, password spraying and phishing all but guarantee malicious actors are inside your network. Conditional Access lets you block legacy authentication and put stronger access controls in front of your most valuable resources.

As you can see, Azure AD Conditional Access is a powerful tool for strengthening security and ensuring regulatory compliance.

Take care!

Defender Rocks

While I was doing a PoC of Defender for Identity at one of my customers, I decided to take one step further and try to work with all the Defender capabilities enabled on the VM.

In this case, I was preparing Defender for Identity, but Defender for Endpoint was also enabled on the VM, so… I started playing:

The first thing is what happened when I tried to run mimikatz on the VM:

I intentionally left Windows Defender on, and not only did it block the program, the program was also erased from the VM, so that’s the first cool thing.

Also, this execution fires some alerts in the Defender for Endpoint portal:

Wow, a lot of information to start with… So in order to carry on with my tests, it was necessary to deactivate Windows Defender protection:

But once I had everything in place and had executed my tests, what I can see from the different security products is the following:

Azure Defender has been talking a lot with all the products, firing a lot of alerts in my environment. I have to say that I have not only Defender for Identity but also Defender for Endpoint and Sentinel, so all my alerts are being correlated in my workspace.

So I can dig into the alerts in order to know what is really happening in my environment:

For me, all the variants of Defender & Sentinel are great tools to protect our environments from external threats 🙂

Windows Security Alert: Disable Print Spooler

This post will be quick. If you haven’t heard about PrintNightmare, take a look at this article: https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

In order to avoid some ransomware in our companies, just disable the Print Spooler service on Windows 10 and Windows Server environments.

In order to do that, just open a PowerShell window as an admin and run the following:

# Stop the running service immediately
Stop-Service -Name Spooler -Force

# Prevent the service from starting again after a restart
Set-Service -Name Spooler -StartupType Disabled
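Running those two commands by hand on every machine does not scale, and it gives you no record of where it actually worked. The following is an added example, not from the original post, that applies the same two commands to a list of computers over PowerShell Remoting and reports the resulting state of the service so the change can be verified. It assumes WinRM is enabled on the targets, that the caller is a local administrator there, and that the computer names shown are placeholders.

```powershell
# Added example (not from the original post): disable the Print Spooler on a set
# of computers and report the resulting state so the change can be verified.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets and the
# caller is a local administrator there; the computer names below are placeholders.
function Disable-PrintSpooler {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Real print servers need the spooler; list them here so they are skipped.
        [string[]] $PrintServer = @()
    )

    foreach ($computer in $ComputerName) {
        if ($PrintServer -contains $computer) {
            [pscustomobject]@{ Computer = $computer; Action = 'Skipped (print server)'; Status = $null; StartType = $null }
            continue
        }
        try {
            $state = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                # The same two commands from the post, followed by a read-back of the service.
                Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
                Set-Service  -Name Spooler -StartupType Disabled
                $svc = Get-Service -Name Spooler
                [pscustomobject]@{ Status = [string]$svc.Status; StartType = [string]$svc.StartType }
            }
            [pscustomobject]@{ Computer = $computer; Action = 'Disabled'; Status = $state.Status; StartType = $state.StartType }
        }
        catch {
            # A host that cannot be reached is still a host with the spooler running: report it.
            [pscustomobject]@{ Computer = $computer; Action = "Failed: $($_.Exception.Message)"; Status = $null; StartType = $null }
        }
    }
}

# Usage with placeholder names. Any row not showing Stopped / Disabled needs a second look.
Disable-PrintSpooler -ComputerName 'WS-01', 'WS-02', 'PRINT-01' -PrintServer 'PRINT-01' |
    Format-Table -AutoSize
```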

That’s all! Take care!

Preventing M365 app bypass MFA

Nowadays businesses are being compromised by an Office pop-up asking users to grant permissions to what looks like a normal Office app. But when you click Accept, you’re unknowingly giving a bad actor’s application access to your contact info, mailbox settings, and sign-in access.

The next step is to impersonate the victim, sending emails and accessing their files on their behalf, and since these applications are external to the organization, the attacker can access the account without MFA.

Scary stuff that you probably want to avoid, isn’t it?

What can I do to prevent the attack?

In order to reduce this risk, you can change the configuration of your tenant so that users can only install applications that have been approved by an admin. Also keep in mind general hardening of the tenant. By doing this, you will avoid some problems in the future.
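The tenant setting behind "only apps approved by an admin" is the user consent policy in the Azure AD authorization policy. The following is an added example using Microsoft Graph PowerShell, not from the original post; it assumes the Microsoft.Graph module is installed and the signed-in admin holds Policy.ReadWrite.Authorization.

```powershell
# Added example (not from the original post): turn off user consent to
# applications tenant-wide so only an admin can grant permissions, then confirm.
# Assumptions: Microsoft.Graph module installed; the signed-in admin holds
# Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

$authzUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# An empty list of permission grant policies means ordinary users cannot consent
# to any application themselves. (To allow self-consent only for low-risk
# permissions from verified publishers, assign
# 'ManagePermissionGrantsForSelf.microsoft-user-default-low' instead.)
Invoke-MgGraphRequest -Method PATCH -Uri $authzUri -ContentType 'application/json' -Body @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @()
    }
}

# Read the setting back to confirm the tenant is really in the hardened state.
$policy   = Invoke-MgGraphRequest -Method GET -Uri $authzUri
$assigned = @($policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
if ($assigned.Count -eq 0) {
    'User consent is disabled: application permissions must now be granted by an admin.'
} else {
    "User consent is still allowed by: $($assigned -join ', ')"
}
```

With user consent off, pair it with the admin consent request workflow in the portal so that users have a legitimate way to ask for an app instead of looking for workarounds.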

How can I detect those actions?

Want to see if you’ve had this happen already?

  1. Open the Security & Compliance Center at https://protection.office.com.
  2. Navigate to Search and select Audit log search.
  3. Search (all activities and all users), enter the start date and end date if required, and then click Search.
  4. Click Filter results and enter Consent to application in the Activity field.
  5. Click on the result to see the details of the activity. Click More Information to get the details of the activity. Check to see if IsAdminConsent is set to True.

How can I respond to those attacks?

If you have identified an application with illicit permissions, you can revoke the application’s permissions in the Azure AD portal:

  • You can revoke the application’s permissions in the Azure Active Directory portal by:
    • Navigating to the affected user in the Azure Active Directory Users blade.
    • Selecting Applications.
    • Selecting the illicit application.
    • Clicking Remove in the drill-down.
  • Then do reconnaissance on any accounts that had consented to the app: reset their passwords, require MFA, and dig through Cloud App Security and other logging tools to find out what has been done in the account. Look for phishing emails sent to other users in the organization and to the contact lists, files accessed on OneDrive or SharePoint, etc.
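The detection steps (audit log search for Consent to application) and the response steps (remove the grant for the affected user) above can both be scripted. The following is an added example, not from the original post. It assumes the Exchange Online PowerShell module (for Search-UnifiedAuditLog) and Microsoft.Graph are installed, that the admin holds the listed Graph permissions, and that the AuditData field names it reads (ConsentContext.IsAdminConsent in ModifiedProperties, the app name in Target) match the records in your tenant; check them against one real record before relying on the filter. The user and app names at the end are placeholders.

```powershell
# Added example (not from the original post): find "Consent to application."
# events in the unified audit log, then revoke the grant for one flagged user
# and sign them out everywhere.
# Assumptions: Exchange Online PowerShell and Microsoft.Graph are installed;
# the AuditData field names below are taken from records seen in practice and
# should be verified against one real record in your tenant first.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All', 'User.ReadWrite.All'

function Find-ConsentGrant {
    param([datetime] $Start = (Get-Date).AddDays(-30), [datetime] $End = (Get-Date))

    Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations 'Consent to application.' -ResultSize 5000 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        # ASSUMED field: the admin/user consent flag lives in ModifiedProperties.
        $isAdmin = ($data.ModifiedProperties |
            Where-Object Name -eq 'ConsentContext.IsAdminConsent' |
            Select-Object -First 1).NewValue
        [pscustomobject]@{
            When         = $data.CreationTime
            User         = $data.UserId
            App          = ($data.Target | Where-Object Type -eq 1 | Select-Object -First 1).ID  # ASSUMED: Type 1 = display name
            AdminConsent = [string]$isAdmin
            Result       = $data.ResultStatus
        }
    }
}

# Consents granted by ordinary users (AdminConsent not True) are the ones to review.
$suspect = Find-ConsentGrant | Where-Object { $_.AdminConsent -ne 'True' }
$suspect | Format-Table -AutoSize

function Revoke-UserAppConsent {
    param([Parameter(Mandatory)][string] $UserPrincipalName,
          [Parameter(Mandatory)][string] $AppDisplayName)

    $graph  = 'https://graph.microsoft.com/v1.0'
    $user   = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName"
    $grants = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($user.id)/oauth2PermissionGrants").value

    foreach ($grant in $grants) {
        # clientId is the service principal of the app that holds the delegated permission.
        $sp = Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals/$($grant.clientId)"
        if ($sp.displayName -eq $AppDisplayName) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$graph/oauth2PermissionGrants/$($grant.id)"
            "Removed grant $($grant.id) (scope: $($grant.scope)) for app '$AppDisplayName'"
        }
    }
    # Invalidate refresh tokens so the app, and anyone holding its tokens, is cut off now.
    Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$($user.id)/revokeSignInSessions"
}

# Usage with placeholder values:
# Revoke-UserAppConsent -UserPrincipalName 'user@contoso.example' -AppDisplayName 'Suspicious App'
```

Revoking the grant and the sessions closes the door; the password reset, MFA enforcement and mailbox review the post lists still have to follow, because anything already exfiltrated or any forwarding rule already created is not undone by removing the consent.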

Good luck!

What do you need to know about protecting documents in M365

Most of the time, when we talk about security in M365, we talk about how to encrypt files and grant permissions to those files. But… did you know you can protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? What I can say is that it is a very useful feature when autosave is enabled in Excel or Word files.

But… What key points do you need to know?

  1. You can only protect individual documents, not a complete document library.
  2. You cannot protect OneNote documents, neither on desktop nor online, nor in that half-baked OneNote for Windows 10.
  3. In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting.
    (You can also use other ways of protection, but that is out-of-scope for now)
  4. In the online apps you can only protect Word and Excel, but not PowerPoint.
  5. You can protect Word and Excel files in SharePoint and OneDrive.
  6. You can only send with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope that in the future this will change).
  7. You can only send with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
  8. You can use “review-only” in Word in SharePoint and OneDrive.
  9. When you share the document from SharePoint with an external person who has no access to the site, they receive a code via mail as soon as they try to open the document.
  10. How does a Word document open, and which options do you have when you share the document with or without protection, with or without “review-only”, and with people with various roles in your SharePoint site? See the table below. The first word is the option that the document opens with.

Enabling zero trust security in your environment

Zero Trust is a principle that is coming to all businesses. Why? Because it helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement.

So… when we try to implement a Zero Trust model, we will be touching all components (user identity, device, network, and applications) so that they are validated and, more important, trustworthy.

But what are the main components to be aware of? Let’s look at that list in more detail:

  1. Identity – Identity is the best starting point for Zero Trust. I’m a big fan of Azure AD identity, and Conditional Access and PIM are a great way to start.
  2. Implement conditional access controls – we can stop compromised identity credentials from accessing corporate resources and, more important, avoid lateral movement in the network.
  3. Strengthen credentials – Weak passwords undermine the security of your identity system, so be aware of that and use MFA.
  4. Integrate intelligence and behavior analytics – Having tools to automate tasks and detect suspicious behaviours is great! Keep an eye on ATP, WDATP, MCAS…
  5. Reduce your attack surface – nothing to explain here 🙂
  6. Increase security awareness – Use a Security Information and Event Management (SIEM) system to aggregate and correlate the data to better detect suspicious activities and patterns.
  7. Enable end-user self-help – users are the core of the business; we cannot enable security tools without thinking of them.
  8. Don’t overpromise – Zero Trust is not a single ‘big bang’ initiative, so keep that in mind.
  9. Show value along the way – One of the most effective ways to build long-term support for a Zero Trust initiative is to demonstrate incremental value with each investment.

As you can see, a Zero Trust model is not easy to achieve, but it’s a key element of any long-term modernization objective for the digital enterprise. If you want to assess your own environment, keep an eye on the following tool: Take the Zero Trust Assessment (microsoft.com)