Need to Know podcast–Episode 240

Mark O returns! Brenton returns! It’s the comeback show, just in time for the end of COVID lockdown. Mark O’Shea and I talk about the swag of recent changes to the Microsoft 365 Business suite of products. Brenton and I also bring you up to date with all the very latest Microsoft Cloud news as well. What a return it is!

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

https://ciaops.podbean.com/e/episode-240-mark-oshea/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@intunedin

@contactbrenton

@directorcia

Mark O’Shea’s blog

What’s New in Microsoft Teams | Build Edition 2020

Announcing Microsoft Lists – a new Microsoft 365 app to track information and organize work

Announcing Microsoft Lists – Your smart information tracking app in Microsoft 365

Now Live – SharePoint home sites: a landing for your organization in the intelligent intranet

The new Yammer public preview

Enable a combined MFA and SSPR registration experience in Azure AD

Evolving Azure AD for every user and any identity with External Identities

Audio

It’s all about Search

Here’s my second presentation from Microsoft May 2020:

https://www.slideshare.net/directorcia/its-all-about-search

It’s all about search

Search is the killer app for Microsoft 365. It is available everywhere, but few seem to take full advantage of what it has to offer. This session will show the power of Microsoft 365 search and how to make the most of it, from the browser to the desktop. You’ll also get a peek into what Microsoft has planned for search in Microsoft 365 and what that will mean going forward.

New Office 365 Safe Attachment options

image

I was updating my security scripts for Office 365 ATP and when I ran them I noticed an option that was not set, which my scripts highlight in red to draw attention to it.

image

I then went and took a look at the Safe Attachments options in my web console, as shown above. I didn’t see any differences there.

image

However, when I visited another tenant, as shown above, I did indeed see a new section. You’ll note, however, that it is:

Only available with Microsoft 365 E5 or Microsoft 365 E5 Security license

Thus, if you have the required license there is now a Safe Documents feature that you can enable in the organisation. Once enabled, it:

“will upload user files to Microsoft Defender Advanced Threat Protection (MDATP) for scanning and verification”

You can read more here:

Safe Documents in Office 365 ATP

image

You won’t be able to enable it via PowerShell either, unless you have the appropriate license as shown above.

Need to Know podcast–Episode 239

FAQ podcasts are shorter and more focused on a particular topic. In this episode I’ll talk about the differences between OneDrive for Business and SharePoint.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-239-starting-with-dns-for-security/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

CIAOPS Patron Community

Message Header Analyser

@directorcia

Transcription

Robert Crane 0:00
Welcome to the Need to Know podcast. My name is Robert Crane and this is a shorter FAQ episode. These episodes are brought to you by the CIAOPS Patron Community, which you can sign up for at www.ciaopspatron.com. Now I’ve done a number of these FAQs, while I thought that one of the topics we really haven’t covered in any depth or started to cover is around security. So I thought that there are going to be lots of FAQs and lots of stories we can talk about with security when it comes to Microsoft Cloud. So I thought I’d kick that off with maybe starting with a discussion to help you get a starting point in all this. Now, the idea with security is that it’s going to be about defense in depth. Now that means there are going to be multiple systems or multiple configurations to put in place to effectively improve the security and reduce the risk. Now we can never eliminate the risk, right, there’s always going to be some sort of risk, but our job as IT professionals is going to be to minimize this to the best of our capabilities. And that’s going to mean implementing a number of systems to provide that. Microsoft gives us lots and lots of options, which I hope to be able to run through over the course of upcoming FAQs. But the way I like to think about it is we need a systematic approach. Now good security is going to be about having a system, doing things in a systematic way, and making sure that doesn’t leave any holes, we miss something. And we can repeat that over and over again. Now, the system I would suggest you adopt is one of working from the outside in: what’s the furthest point on the defense of our tenant that we can look to secure first, and then once we’ve done that successfully, we can then move our way further and further inside the tenant. Now in the Microsoft space, probably the point that is furthest from the tenant is actually something Microsoft generally won’t handle. That will be your DNS records.

Now, there are three major DNS records when you look at security that are very, very important. Now, the first one of these is called the SPF record. Now most people will have to set that up when they’ve configured their tenant. That means that it will already be in place before they even got the tenant up and running. Now, the idea with SPF is for it to basically be a record or a match between the IP address or the actual physical server that is sending mail and the domain that it claims to come from. So basically, the SPF record is going to provide that match to let other people know that the email being sent by your custom domain is authorized to come from the server. Now, what we find is that many customers need the ability to send from multiple services. Some might send a bulk email, or maybe on prem and also in the cloud. So again, there is the option for you to have multiple servers configured in SPF. Now, the simpler you can keep this the better. So if you’ve only got Office 365 as the way to send emails, then that’s gonna make it very simple. But if you do have some of the other configurations, then you’re gonna have to make sure that you add those in appropriately. And the idea is, is you’re going to make sure that the syntax is correct. Now, it is very easy to make a simple formatting mistake when it comes to formatting these records. So my advice is, even if you have an SPF record in and up and running already, make sure that you go in and double check it now. There are lots of tools out on the internet that will do this for you. mxtoolbox.com is a great place that I use, just go in there and you can run a DNS query across all your records, but then focusing on the ones we’ll be talking about here, and SPF is the first one. So most people will have SPF in; make sure that it is correct, it is correctly formatted, has the right configuration before you go too much further.

Now, after you’ve got your SPF, and you’ve verified that, go and have a look at DKIM, right. So the idea with DKIM is that DKIM is a DNS record that will basically provide the key to unlock a cryptographic key that is put into or sent with every email. So the idea is, is that when an email is sent out from the domain, it will include a short cryptographic header. And then when the receiving party gets that they can go back to the DNS record, get the decryption key from the DNS record which has been set up, and that will then be used to decrypt the header from the email that was received, and they can then verify that that is expected and indeed that email did come from that originator. So again, DKIM requires typically two DNS records, very simple. You only have to put them in, do them once. And again, you can use something like MX Toolbox to go in and check to see whether you have DKIM in place. There’s also plenty of places to read up on how DKIM needs to be configured. There are some articles around Office 365. Now, Office 365 does use a form of dynamic DKIM. But it’s always better to go in and have a static version. So once you’ve got your DKIM records in, you can go into the Exchange Online configuration, you’ll find a DKIM option under Protection, and then you can basically ensure that it’s working, verify that DKIM is correctly configured, and then basically make sure that it’s turned on going forward. So the second thing I’d get you to check is to make sure that you have a DKIM record and make sure that it’s set up correctly. And if you are using a Microsoft 365 tenant, you can go into Exchange Online config under DKIM, and you can make sure that that is set to on. So again, that’s going to provide you an additional layer of protection when it comes to your emails.

Now the third DNS record is something called DMARC. Now DMARC basically does an evaluation on the success of both the SPF and DKIM record. Now it is basically something that you can configure to initially just report; you can also configure the situations where it fails DMARC to then quarantine the email, and you can then get quite aggressive if you want and set it to actually reject if it fails DMARC. So, in summary, DMARC is that evaluation of the success of DKIM and SPF together and then what action will be taken based on the success or failure of that evaluation. Now DMARC, again, is something I would suggest that perhaps you start off with just reporting, and there are tools out there that can send you the DMARC reports to let you know what’s failing and what’s happening. Generally, I would suggest that you move from reporting to at least quarantine, so that again, that means that if there is a failure of DMARC, then we basically look at quarantining the email rather than accepting it into the system. Now DMARC, again, is a single DNS record that you put inside your environment, to basically let people know that when they receive an email, they want to evaluate DMARC and come back to your DNS records, and then they can look at what the settings are and then help them make an evaluation based on those settings.

Now, the reality is, is those three DNS records are typically outbound, so they’re typically more important for the mails that are being sent to another organization. So to be a good internet citizen, make sure that you do have those records set up correctly and configured appropriately. Now, you can also use that technology to assess inbound emails as well. So basically what we can say is okay, for records that are coming into our environment, if they do not basically have success with SPF, we can then treat them or mark them as more likely to be spam, which they are. And then we can also do the same with DKIM and DMARC. So there are a number of settings inside Exchange Online, particularly, that you can go in and modify or set up policies that take different actions depending on the success or failure of what these records indicate for inbound emails. Now, the idea here is, is that there is an area that you can go in and set these up. We can do this via the web interface. We can also do this with PowerShell. And for example, when emails come in to Exchange Online, they are evaluated using what’s called an SCL level, so the spam confidence level. And things like a failure of SPF will generally add to the fact that it’s probably more likely to be spam or not. And then you can set a threshold to determine, okay, well, when it gets over, when the threshold gets over, say seven, which is the default option, then we will treat it as being spam, and then you can determine what action you want to take once that evaluation has been made. But the important thing is, is to think about this starting as far out from the tenant as possible. Make sure that your DNS records are correct, especially for the SPF, DKIM and DMARC. You can use tools like mxtoolbox.com to evaluate your records.

You can also use that tool to evaluate other records, other tenants, other domains as well, because the DNS records are effectively public, so you can go out and again, have a look and see how many people have set up SPF, have set up things like DKIM and DMARC. Now a couple of other tools I’d recommend that will help you in this assessment is what’s called the Exchange Message Header Analyzer. So what it allows you to do, it’s a free tool that you can download from Microsoft, it’s typically an add-on for Outlook. So you go and do a search for Message Header Analyzer, you can then add that into Outlook. And then when an email is received, you can use that to drill in and report on the message header. So typically, the stuff you don’t see in normal Outlook, it will tell you whether there has been SPF, you know, success on the email that you’re looking at, whether DKIM is assessing, whether DMARC is a success. But also lets you know, for example, which servers the email has come through, lots and lots of really good detail in there. And I would certainly recommend that add-on as a standard. Now remember, we can load that individually onto a single Outlook client if you want; it also works in Outlook Web Access as well. And if you’re an administrator, you can add that to the admin area of your Microsoft 365 and then push it out to all your clients. And it’s a recommended option because most clients probably won’t, customers won’t use it themselves. But if you ever need to troubleshoot why did this email end up being spam? Or why did this email end up in junk? This Message Header Analyzer is going to allow you to be able to debug, and it has a number of links in there that will take you directly to the relevant articles from Microsoft to let you know how the settings are and where you can make changes. So I would strongly recommend that if you are curious or you’re really wanting to tweak your settings or you want to analyze why emails are ending up in places like junk mail folders, then use this Message Header Analyzer add-in. And you can go and evaluate and see in much more detail what the actual message headers are, and what the actual process is that has taken place moving this email between servers.

So hopefully that’s given you a bit of a start when it comes to thinking about security. Good security, like I said, is done in layers. The outermost layer, I believe, is to look at the DNS records. So make sure you have your SPF, your DKIM and your DMARC configured and correctly set up. You can evaluate that with a number of tools. Once you’ve got those set up correctly, there are a number of options inside Microsoft 365 to make sure that that is turned on, that Microsoft 365 is taking advantage of the signals that are coming from those DNS records. And to do a bit of evaluation and look at those headers in more detail for inbound emails, you can use the free Message Header Analyzer plugin from Microsoft in your Outlook that will give you the ability to drill into that if you want to get some more details. So I thank you very much for taking the time listening to this episode; hopefully we’ll be able to, again, do a number of deep dive sessions into specific areas in security down the track. If you do have any suggestions, if you do want to hear a topic in more detail, please don’t hesitate to contact me; you can do that via director@ciaops.com. And I’ll take this opportunity once again to thank you very much for listening to this episode.
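The episode above talks about checking SPF, DKIM and DMARC with a tool like MX Toolbox and reading the verdicts with the Message Header Analyzer. The following is an added example, not part of the podcast or the CIAOPS scripts: a small offline checker that parses SPF and DMARC TXT records for the formatting mistakes mentioned (no `all` mechanism, an open `+all`, more than the ten DNS lookups SPF allows) and pulls the spf/dkim/dmarc verdicts out of an `Authentication-Results` header of the kind Exchange Online stamps on inbound mail. The records, the header and the domains in it are all constructed for the example.

```python
"""Offline checks for the three mail-authentication DNS records discussed above.

Added example (not from the podcast): parses SPF and DMARC TXT records and an
Authentication-Results header from a received message, and flags common
configuration mistakes. All sample records below are constructed, not real.
"""
import re

# Constructed sample TXT records, as a tool like MX Toolbox would return them.
SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com include:_spf.example.net +all"
DMARC_REPORT_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_QUARANTINE = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com"

# Mechanisms that cost a DNS lookup; RFC 7208 limits an SPF evaluation to 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a dict describing an SPF record and any problems found."""
    result = {"valid": False, "all": None, "lookups": 0, "problems": []}
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        result["problems"].append("record must start with v=spf1")
        return result
    result["valid"] = True
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            result["lookups"] += 1
        if name == "all":
            result["all"] = qualifier
    if result["all"] is None:
        result["problems"].append("no 'all' mechanism; unlisted senders are not rejected")
    elif result["all"] == "+":
        result["problems"].append("+all authorises every sender on the Internet")
    if result["lookups"] > 10:
        result["problems"].append("more than 10 DNS lookups; receivers return permerror")
    return result


def check_dmarc(record):
    """Parse a DMARC record into its tags and say whether it only reports."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    valid = tags.get("v") == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject")
    return {
        "valid": valid,
        "policy": tags.get("p"),
        "report_only": tags.get("p") == "none",   # p=none is report-only mode
        "reports_to": tags.get("rua"),            # where aggregate reports go
        "percent": int(tags.get("pct", "100")),   # share of mail the policy applies to
    }


# Constructed Authentication-Results header, in the shape Exchange Online stamps.
AUTH_RESULTS = ("spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; "
                "dkim=pass (signature was verified) header.d=example.com; "
                "dmarc=pass action=none header.from=example.com")


def parse_auth_results(header):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(r"\b%s=(\w+)" % method, header)
        verdicts[method] = match.group(1) if match else "none"
    return verdicts


if __name__ == "__main__":
    for label, rec in (("strict", SPF_OK), ("weak", SPF_WEAK)):
        print(label, check_spf(rec))
    print(check_dmarc(DMARC_REPORT_ONLY))
    print(parse_auth_results(AUTH_RESULTS))
```

To run it against a real domain, replace the constructed strings with the TXT records a DNS query (or MX Toolbox) returns for `yourdomain`, `_dmarc.yourdomain` and the DKIM selector, and paste an `Authentication-Results` header copied out of the Message Header Analyzer.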

Creating a WVD Session Host in the Azure console

Before you launch into creating host pools in Windows Virtual Desktop (WVD), you’ll need to do some preparations. I’ve detailed those previously here:

Moving to the Cloud  – Part 1

Moving to the Cloud – Part 2

Moving to the Cloud – Part 3

What you need for Windows Virtual Desktop (WVD)

Creating a WVD host pool in the Azure console

This article will show you how to add hosts (i.e. Virtual Machines (VMs)) to the host pool you have already created.

Open the Azure portal and navigate to Windows Virtual Desktop in your tenant and you should see the above screen.

Select the option for Host pools from the menu on the left as shown.

image

You should now see a list of Host Pools already created. You’ll need to have at least one host pool to continue, so if you don’t have one yet, you’ll need to go and create it.

Select the host pool you wish to add hosts machines (i.e. VMs) to.

image

In this case, I selected Host Pool P2 and saw the screen shown above; you should see something similar. You will note that this Host Pool currently has no Session Hosts in it. To add a Session Host (i.e. a VM), select Session hosts from the menu on the left as shown above.

image

Select the +Add button on the right as shown to add a new host VM.

image

You’ll now be stepped through a host creation wizard. There generally won’t be anything you can change on this initial page, because the settings are determined already by the Host Pool. So, select the Next: Virtual Machines > button, at the bottom of the page, to continue.

image

Select the Resource Group and the Location (i.e. data center) for the host machines. I’d suggest that you keep all of these together in the same data center.

Next, select the Size of the VMs you wish. Have a think here. Any machines you add to this Host Pool down the track will need to match the machines you create now. So, have a think about how many machines you are likely to need in total before you select the size of the VM you want.

Now select the total number of VMs you wish to create at this time. Again, the suggestion is to start small and grow if you need to. That helps keep costs down. You can also enter a Prefix that will be added to each host as it is created. This makes it easy to keep track of which hosts belong to each pool. My best practice is to use an identifier that lets you know what pool this host is part of.

When complete, scroll down for more options.

image

Next, you’ll need to select where to get the image to put on the hosts (i.e. what initial operating system and any additional apps). You can use your own custom image if you wish, but you’ll need to have it prepared beforehand. Here a standard one from the gallery is selected.

Then, select the type of hard disk you wish for the hosts.

These hosts need to live on an existing VNET and Subnet that need to have been set up prior. Again, it’s important that this VNET, and other resources live in the same region. If you mix regions, then some of the resources may not show in the wizard. Best practice again, is to keep all of the WVD infrastructure together in the same region.

If you wish to access these hosts directly from the Internet via something like RDP, you can give them a public IP address. This can be handy for troubleshooting but is not recommended best practice, as the hosts will be exposed to attack from the Internet while running. By default, hosts in a pool are only accessible via the WVD service.

Scroll down the screen for more options.

image

If you have configured a sub domain or want to use specific OUs in your domain for these new hosts, you’ll need to set the Specify domain or unit option to Yes and add the appropriate configuration.

In my case, as I detailed here:

Moving to the Cloud – Part 3

I set up Azure AD Domain Services, specifically for WVD. Best practice, when I did that, was to create a subdomain like:

ds.domain.com

Thus, I needed to select Yes here and enter the whole subdomain into the field that appears. You don’t necessarily have to do that; it all comes down to how you have configured your networking. But make sure you put the right entry here or adding hosts will fail.

The last fields on this page ask you for an account to be used to join the hosts to the domain. This can be the source of plenty of pain and frustration. My advice is to test and ensure that this account can actually log on to Azure manually without MFA and can actually add machines to the domain. Remember, this join account can’t have MFA enabled due to the automated nature of the join process about to take place. This may require manually adding a VM to the domain using this account, to verify it before completing this wizard. Also, be aware that if you get the wrong details and continue with the wizard, not only will the domain join fail but the account you are using might get locked out! So, there is a lot to be aware of here and I highly recommend double checking everything, as this is the most common point of failure in my experience. Remember, once the hosts are joined you can disable the login for your join account to keep it secure.

When you have made all your selections, press the Next button at the bottom of the page to continue.

image

Add any tags you wish on this screen and then select the Next button at the bottom of the screen to continue.

image

Azure will then evaluate your selections and let you know if there are any issues that require attention.

image

If the validation passes, you should see a green banner at the top of the page as shown and the Create button at the bottom will become available. Select this to continue.

image

You should then see the deployment process begin as shown above.

image

It will then continue on through the various stages and take around 10 minutes to complete. That may vary depending on the number and size of hosts you wish created.

image

If all goes as expected, you should then be greeted with a successful deployment page as shown above.

image

If you look at the hosts you just created in the Host Pool, you may see their status as Upgrading as shown above. This shouldn’t take long to complete.

image

A few minutes later, the host status should be Available as shown above.

image

If you click on any individual host, you should see a summary screen like that shown above.

That completes the process of adding hosts (VMs) to the Host Pool. The next step will be to give users access to these machines, which I’ll cover in an upcoming article.

Getting Windows Defender Application Guard (WDAG) working

Once I had solved my recent Windows Defender Application Guard (WDAG) problems:

Resolving Windows Defender Application Guard Issues

I now wanted to get it working in a manner that suited me. That meant that I wanted Microsoft Edge to work normally for things like Microsoft 365, Azure and other Microsoft sites, but to automatically open Edge with WDAG if I ventured outside that. I also wanted to retain the flexibility to have a third party browser (Brave) also working on my machines. In essence, I am trying to achieve the ability to automatically ‘sandbox’ general internet browsing from work in the Microsoft Cloud as a way of protecting the workstation from malicious web sites.

I’m not going to cover off setting up WDAG on your machine or via Intune because there are plenty of articles out there that show you how to enable it. You can start here:

Windows Defender Application Guard Overview

In essence, WDAG opens a defined set of URLs in a sandboxed version of Edge automatically. This means you’ll need to do a little configuration and add some features to your local version of Windows prior to getting it working. You can read about that here:

Prepare to install Windows Defender Application Guard

My configuration will be in Enterprise-managed mode. This means that I can automatically ‘white-list’ domains that I don’t want WDAG to operate with via a policy pushed from the Internet. In my case, these will be Microsoft Cloud URLs like http://www.office.com, portal.office.com and so on. Everything, apart from what I ‘white list’ I want to open using WDAG for protection.

The first thing to note here is that if you want to use Enterprise-managed mode you will need to have Windows 10 Enterprise edition. Windows 10 Pro edition only supports stand alone mode. This means:

In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites.

To do this manually, you must edit the local computer policy using the local Group Policy editor or similar, as shown here:

Application Guard in stand alone mode

It is pretty easy to set up and get working but not really scalable. Scripting may help overcome that.

In Enterprise-managed mode my initial question was ‘Where do I define my sites?’. As it turns out, this isn’t particularly obvious, so it took me a while to track down. The definitions for the sites you want to ‘white list’ for WDAG are actually in the Intune App Protection policy settings.

image

Turns out they are in the Advanced settings of your Intune App Protection policy, as shown above.

I had wrestled with these settings previously, which I detailed here:

Intune App Protection Policy blocking browser

What I didn’t appreciate initially was that sites you define here however ALSO APPLY to WDAG! Makes sense now that I look at it, but I certainly didn’t think it was the place I should be looking to ‘white list’ sites for WDAG. Now you too are the wiser.

Another subtle configuration option that took me a while to figure out was:

Network isolation wildcards

Initially, I had portal.office.com white listed from WDAG but in fact the navigation was going to http://www.office.com, which means WDAG would trigger and open http://www.office.com because it wasn’t ‘white listed’. Then I thought *.office.com would work, but no. Maybe office.com? Nope. Turns out what I needed was

..office.com

which:

Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include shop.contoso.com, us.shop.contoso.com, http://www.us.shop.contoso.com, but NOT contoso.com itself.

So be super careful with how you configure your network perimeter settings and domain wildcards, as it can make things very confusing if you don’t have a good handle on it. My suggestion is to start with only one or two sites in your network perimeter and ensure that they work. Only then scale up, once you have verified it is operating as expected.
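To make the wildcard behaviour concrete, here is an added example (not from the original post) that models how a network isolation domain entry decides whether a host name is trusted. The two-dot form (`..office.com`) is exactly what the post quotes from Microsoft’s documentation; the one-dot form (`.contoso.com`, matching any name that ends with that text, `contoso.com` included) and the no-dot form (literal match only) follow the same Microsoft network isolation table and are an assumption on my part rather than something the post tests. `*` is treated as a literal character, because the post found `*.office.com` does not work. The perimeter list and host names are constructed.

```python
"""Added example (not from the original post): how Application Guard / WIP
network isolation domain entries match a host name. The two-dot form is the
one the post quotes from Microsoft's documentation; the one-dot and no-dot
forms follow the same Microsoft table and are assumed here as that table
describes them.
"""


def trusted(pattern, host):
    """Return True if HOST is trusted by the network isolation entry PATTERN."""
    pattern = pattern.lower()
    host = host.lower().rstrip(".")
    if pattern.startswith(".."):
        # '..contoso.com': any level to the left of contoso.com, but NOT contoso.com itself
        base = pattern[2:]
        return host.endswith("." + base)
    if pattern.startswith("."):
        # '.contoso.com' (assumed from the Microsoft table): any host name that
        # simply ends with the text contoso.com, including contoso.com itself
        return host.endswith(pattern[1:])
    # No leading dot: the literal host name only ('*' is not a wildcard here)
    return host == pattern


def first_match(patterns, host):
    """Return the first pattern that trusts HOST, or None if WDAG should open it."""
    for pattern in patterns:
        if trusted(pattern, host):
            return pattern
    return None


# Constructed perimeter list, modelled on the Microsoft Cloud sites in the post.
PERIMETER = ["..office.com", "portal.azure.com", "..microsoft.com"]

if __name__ == "__main__":
    for host in ["www.office.com", "office.com", "portal.azure.com",
                 "docs.microsoft.com", "www.ciaopsacademy.com"]:
        hit = first_match(PERIMETER, host)
        print(host, "->", "trusted via " + hit if hit else "opens in WDAG container")
```

Running it shows why the post’s first attempts failed: `portal.office.com` on its own does not cover `www.office.com`, `*.office.com` matches nothing, and `..office.com` covers every name under `office.com` without trusting the bare `office.com`, which you would need to add as a separate literal entry if you use it.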

Finally, with all that configured correctly, WDAG was working as expected. Yeah! This meant that when I went to Microsoft Cloud URLs like http://www.office.com, portal.azure.com, etc. WDAG wasn’t activated, but if I went elsewhere, WDAG launched and navigated to that site in the WDAG container. In the end I also white listed sites like bing.com, docs.microsoft.com, etc. as I go there many times a day.

image

If you browse to a non ‘white listed’ site (here www.ciaopsacademy.com), then a WDAG session is launched. You’ll see WDAG spin up, if it is the very first time it has been activated. You’ll then see the browser load the site in question and then you’ll notice a WDAG icon in the toolbar as shown above, which, when opened, will let you know that the current browser is using WDAG.

image

You configure WDAG settings via Intune Endpoint protection policies as shown above.

image

My suggestion would be to enable the option to Retain user generated browser data as shown above. This means things like extensions, session cookies and the like will be retained between sessions. However, if you want a totally clean experience each time, then disable that option.

image

By default, you’ll find that any file you download while WDAG is active, will be saved into an Untrusted files folder as shown above.

image

You can also get a WDAG companion app from the Windows store:

https://www.microsoft.com/en-au/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab

This allows you to manually launch a WDAG session, which is probably handy if you are not using Enterprise-managed mode. It will launch in a container isolated from anything that is launched automatically via your browsing, keeping that separate as well.

image

If you want non Microsoft browsers to also be protected with WDAG then you’ll find plugins available:

for Chrome

for Firefox

With these plug ins installed, those browsers will also only open ‘white listed’ sites directly. Anything else will be opened in an Edge WDAG session for protection.

So now I have WDAG working the way I wanted. My main stumbling block was not appreciating that the WDAG ‘white list’ was the same as WIP and set via Intune App Protection policies. I now have a better appreciation for the breadth of the settings in these policies.

I’m sure I’ll be tweaking WDAG along the way but I feel much more secure in the fact that I have it working and protecting my ‘random browsing’. Like most security configurations, WDAG takes a little bit of understanding and setup to get working but the end result is a much safer environment to work in and I’m all for that. Hopefully you are too!

Resolving Windows Application Guard Issues

A while back I wrote about an issue I was having with Windows Defender Application Guard (WDAG). You’ll find it here:

Microsoft Defender App Guard issue

I have now managed to find a solution for this. In short, the issue, as it turns out, has to do with disk encryption. I found some information about the general issue here:

Why does my encryption driver break Windows Defender Application Guard?

which says:

Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (“0x80070013 ERROR_WRITE_PROTECT”).

Chatting with the good people at Microsoft, it seems that my particular case was solved by this update:

https://support.microsoft.com/en-us/help/4550945/windows-10-update-kb4550945

and was due to a BitLocker issue (BitLocker being drive encryption).

So, the good news is that my issue is resolved and I can run Windows Defender Application Guard without any errors.

If you can’t install the KB for some reason and you need a quick work around, the issue was linked to the BitLocker “Deny write access to fixed drives not protected by BitLocker” policy, so as a work around you should clear any Group Policy setting for it and set the following in Intune to Not configured as well.

image

image

So in the end it was an issue with drive encryption that was rectified with an update. Yeah!

Thanks to the people at Microsoft for the assist on this one. Now onto the next challenge.