Probably you’re asking yourself what’s a jump host? So in simple words, is a virtual host which is not the same as you use daily to read e-mail, browse the web, install software, but is used to perform administrative tasks for one or multiple IT infrastructures.
These are some of the recommendations that I follow when I need to deploy a jump host in Azure. The first two, are the most important, you have to be sure of not doing any of these
Do NOT install any productivity tools such as Office, it’s important to keep the VM as clean as possible, it’s only a considered to be a jump Host, not a working device.
Do NOT use this VM for general internet browsing purposes
and other some recommendations…
Isolate the VM with NSG, only is need to access where it is really needed
Install the AntiMalware extension from Azure and configure Windows Defender Settings
If possible, configure JIT on the VM
Onboard the device in Microsoft Defender for Endpoint (if Possible)
The following are recommendations and thoughts that I extracted by working with several customers, maybe you will find it obvious, but for other people could be useful. So, let’s begin:
In the identity plane, we could say that exists 2 categories:
Resist Common attacks
Contain successful attacks
I don’t want to enter of how to resist or contain attacks, because probably I covered some of these topics in other blog entries, but for me, there is another category which is: understand the human nature.
Nothing more that understand that almost every rule that we impose to the end users, result in degradation of security. Why? Because we force users to use long passwords, with special characters, and in the end, users tend to reuse passwords which makes easier to guess or crack passwords for malicious actors.
So, in the post I will resume some of my experiences as AntiPatterns and recommendations:
Antipattern – Requiring long passwords: excessive length passwords (more than 10 characters) can result in a behaviour predictable, users tend to choose repeating patterns (heyholetsgoheyholetsgo) that meet the character length but clearly not hard to guess. We can say that this kind of passwords are hard to guess but lead to poor behaviours to guess the password.
SuperPRO Tip: You can use a long password, but in this case what I recommend is something that engineers from Microsoft do. They use a very loooooooong password, they forget it, and instead of it, they use passwordless mechanisms such as Windows Hello to sign in.
My tip: Use minimum 8 length requirement but ban common passwords with Azure AD Password Protection.
Antipattern – Require use of multiple character sets: probably you’re not in the same line as me, but I’ve seen that this rule do more harm than good. People use patterns as substitutions such as $ for s, @ for a, 1 for I. So keep it in mind
Antipattern – Password expiration: Policy expiration drive users to use very predictable password (for example, the next password can be predicted on the previous password), end users do not tend to use a new password, the tend to update the old one.
My tip for the two previous points: Azure AD Password Protection + Conditional Access based on User Identity
Recommendation – Ban common passwords: For me, the most important restriction is to ban the use of common password to reduce the possibility of brute force or password spray attacks
Tip: Look at my first tip 😊
Recommendation – Educate end Users not to use organization credentials anywhere else: Yes I know that educate users are difficult, but you have to do it, because the tend to reuse the same password across multiple sites. It is a common practice for cyber criminals to try compromised credentials across many sites.
Recommendation – Enforce MFA registration and enable MFA: ensure that users maintain their security information up to date, so they can respond to security challenges if needed. Doing this, I have seen that end users are more implicated concerning digital security
Enabling MFA prevents up to 99.9% of identity attacks, and if we use other controls such as user location, the better.
EndUser TIP: Consider turning on two-step verification everywhere you can
Recommendation – Enable risk-based Authentication: when the system detects suspicious activity, it challenges the user to ensure that they are the legitimate account owner. Personally, I think that this feature is great, but the only drawback that it is only included with AAD P2
Probably you will have different ones based on your experience but these are my recommendations. Till next time and stay safe!
This product is becoming very popular among my customers specially when they’d purchased Microsoft 365 E5 LIcenses, but, let’s have a look how we can implement this technology in our business.
But first, What is Defender for EndPoint? It’s an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Also we can onboars servers and devices indepently to the service, which is great.
What is very cool, MDE is not only available for Windows, also for iOS, Linux and Android, so we can cover almost all the spectrum of corp devices.
And most important, Microsoft Defender for Endpoint integrates seamlessly into Microsoft Endpoint Manager. You only must activate the Intune integration ones during the initial setup and your reports will flow into MEM. This allows you create and configure Security baselines, which are pre-configured groups of Windows settings that help you apply the security settings that are recommended by the relevant security teams.
If you’re using an existing AV solution, you can check out the following guidelines to migrate to MDE:
If you have an existing AV, configure Defender as an exclusion
Onboard devices to MDE
Run detection test
Update MDE database
Final Phase: Microsoft Defender also recommends activating different features in order to increase the security level of your desktops in the Security recommendations tab. In there, you can find multiple settings that you can directly enable and push into Intune when you set up the connection correctly to your Intune tenant environment. But for me the most important are:
This is something I wanted to test some time ago, and now thanks to Feitian I was able to do it. So let’s dig into detail what is passwordless with Fido2 Keys, how we can configure it in AzureAD, and what advantages provide as an end user. ¡Let’s begin!
But before dig in depper, let me explain the basics: A security key is a piece of hardware that you can connect to your computer or phone to verify your credentials when logging, unlike a password, it’s completely safe, because the configuration is different for each system.
So, what does Fido2 Keys? As you probably know, logging into a resource requires a username and password, and with MFA, it usually requires a username/password combination plus one other authentication factor, like a time-based one-time password. In this case, FIDO2 is a standards-based method of user authentication that is passwordless, supporting PIN and biometrics in security tokens
For starters, with FIDO you can:
Improve security with crypto-secured passwordless authentication
Remove the helpdesk costs associated with forgotten passwords by replacing them with a simple PIN or fingerprint
Remove the user-experience annoyances of long passwords to create, remember and reset so that your workforce can get on with their role simply and seamlessly.
What about the preparation of AzureAD?
For IT, At high level there is only two tasks to accomplish:
Enable the new authentication method registration on AzureAD
Enable FIDO2 as an authentication method
Easy, isn’t it?
What about the registration for end users?
In my case, how the security Key is a biometic security Key, what i needed to do first is to register my fingerprint. Once I did this (manufacturer provide details, you’re ready to go with next steps).
In order to register the security token with AzureAD, the user will need to access to https://aka.ms/setupsecurityinfo where will be able to see all the authentication method available for them:
And once the user have selected the security key option, the process of registration will begin. In my case, I selected USB device and then… I needed to provide a PIN for the security Key:
Things that you have to keep in mind, is we user have to set up their own PIN to use their key, it cannot be enforced or centralized way to manage PIN, so is probably that your users end up using PINs like 123456.
ONce you have registered the key, it will appear in the security Info Panel:
Ok, it’s great what you’re are explaining, but how it is used?
With the following video, I want to show how the process of passwordless authentication in AzureAD is done:
As you can see, the login was done without entering any user or password. If you’re conviced, and you want to start deploying Fido2 Keys in your organization, think first about the following points:
Control to ensure that the employee has been through sufficient identity checks to create a trusted identity.
The organisation needs policy control over:
The type of FIDO device used (external USB / Bluetooth)
The organisation needs to consider the type of user verification required (Fingerprint / NFC)
The end user needs a simple experience during registration of a FIDO credential
The organization needs to trust the genuineness of the FIDO device being used for the FIDO credential
Vision of who has been assigned which FIDO Credentials
Ability to simply revoke access to all systems accessed by the FIDO Credential
Ability to manage lost devices / replacement devices / back up devices
The end user needs a simple experience to authenticate to systems, usernameless aids this process.
As you can see Fido2 Keys are great, and what is better, not only works with AzureAD, it can be used to authenticate with oter services like twitter, Instagram, etc…
Consider how the authentication process has traditionally worked: Organizations require users to supply a user ID and password. Then, the user can go on to access all the data, applications and other resources they’ve been granted permissions for. But what about if an attacker has stolen a user’s credentials? How can we reduce these risks? It is where Conditional access takes place 🙂
But the question is, do I really need it? It depends your case or scenario 😛 but let’s dig in depending in what you’re using:
Security Defaults: To help organizations establish a basic level of security, Microsoft makes security defaults available to everyone at no extra cost. This feature automatically enforces the following policies:
All Users must register for AzureAD MFA
Users must complete MFA challenge when they authenticate using a new device or application
Administrators must complete an MFA step every time they sign in. This policy applies to nine key Azure AD roles, including Global Administrator, SharePoint Administrator, Exchange Administrator, Conditional Access Administrator and Security Administrator.
Any user trying to access the Azure portal, Azure PowerShell or the Azure CLI must complete additional authentication
All authentication requests made using older protocols are blocked
Azure AD COnditional Access: But as you can imagine, in some organizations these security defaults are not enough, they want to have more fine-grained controls, so to do this we need Conditional Access, which allows us to:
create a policy to require administrators — but not regular business users — to complete an MFA step
Use the user location and the type of protocol being used to restrict the access
Deny all requests that comes from a particular country, and require MFA for the rest
As you can see, you can create multiple policies that work together to put guardrails in place exactly where you need them
Azure AD Conditional Access is an extremely valuable tool for helping you implement a Zero Trust model, protecting the three cores of the strategy:
Least privilege — Helps to grant the right access at the right time to only those who need it by enabling trusted locations and IP ranges, implement stronger controls for privileged users, and control access to sensitive applications and content.
Verify explicitly — Continually verify identities as users move around the network by requiring MFA when users appear on new devices and from new locations.
Assume breach — Weak passwords, password spraying and phishing all but guarantee malicious actors are inside your network. It allows to block legacy authentication and putting stronger access controls in front of your most valuable resources.
As you can see, Azure AD Conditional Access is a powerful tool for strengthening security and ensuring regulatory compliance
While I was doing a PoC about Defender For Identity in one of my costumers, I decided to take one step further and try to work with all the Defender capabilities enabled in the VM.
In this case, I was preparing Defender for Identity, but also Defender for EndPoint was enabled on the VM, so… I started playing:
The first thing, is when I tried to run mimikatz on the VM:
I leaved intentionally Windows Defender on, and not only it blocked the program, it was erased from the VM, so first thing cool.
Also, this execution fires some alerts in the defender for endpoint portal:
Wow, a lot of information to start… So iesn order to carry on my tests, it was necesary to deactivate Windows Defender Protection:
But once I have everything in place, and I have executed my test, what I can see from the different security products is the following:
Azure Defender has been talking a lot with all the products, firing a lot of alerts in my environment, I have to say that not only I have Defender for Identity, also Defender for Endpoint and Sentinel, so all my alerts are being correlated in my workspace.
So I can dig into the alerts in order to know what is really happening in my environment:
For me, all the variants of Defender & Sentinel, are great tools to protect our environments from external threats 🙂
Nowadays business are being compromised by an Office pop up asking them to grant permissions to what that looks like a normal Office app. But, when you click on accept, you’re unknowingly providing a bad actor’s application access to your contact info, mailbox settings, and sign-in access.
The following action is to impersonate the victim, sending emails and accessing to their files in their behalf, and thus this application are external to the organization, the attacker can access to the account info without MFA.
Scary stuff that you probably want to avoid, isn’t it?
What can I do to prevent the attack?
In order to reduce this risk, you can change the configuration of your tenant to only install applications that are approved by an admin. Also keep in mind a hardening of the tenant. By doing this, you will avoid some problems in the future
Search (all activities and all users) and enter the start date and end date if required and then click Search.
Click Filter results and enter Consent to application in the Activity field.
Click on the result to see the details of the activity. Click More Information to get details of the activity. Check to see if IsAdminContent is set to True.
How I can respond to those attacks?
If you have identified an application with illicit permissions, you can revoke the applications permission in the AAD portal:
You can revoke the application’s permission in the Azure Active Directory Portal by:
Navigate to the affected user in the Azure Active Directory User blade.
Select the illicit application.
Click Remove in the drill down. Then, do reconnassaince on any accounts that had consented to the app, resetting their password, requiring MFA, and digging through Cloud App Security and other logging tools to find out what has been done in the account. Look for phishing emails sent to other users in the organization and to the contact lists, files accessed on OneDrive or SharePoint, etc.
Most of the time, when we are talking about security in M365, we talk about how to encrypt files and give permission to those files. But… did you know you can Protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? What I can say that It is a very useful feature when autosave is enabled in Excel or Word files.
But… What key points do you need to know?
You can only protect individual documents, not a complete document library.
You can not protect OneNote documents, in desktop nor online nor that half-baked OneNote for Windows 10.
In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting. (You can also use other ways of protection, but that is out-of-scope for now)
In the online apps you can only protect Word and Excel, but not PowerPoint.
You can protect Word and Excel files in SharePoint and OneDrive.
You can only send with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope that in the future this will change).
You can only send with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
You can use “review-only” in Word in SharePoint and OneDrive.
When you share the document from SharePoint with an external person who has no access to the site, they receive a code via mail as soon as they try to open the document.
How does a Word-document open, and which options do you have when you share the document with or without protection, with our without “review-only” and with people with various roles in your SharePoint site? See the table below. The first word is the option that the document opens with.