Need to Know podcast–Episode 213

A quick news update followed by an engaging interview with Amy Babinchak around some of the cloud topics she will be presenting at some upcoming events. Amy is owner of Harbor Computer, Third Tier Consulting and an Office 365 MVP to boot, so there is plenty of great learning to be had listening in.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-213-amy-babinchak/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@ababinchak

@contactbrenton

@directorcia

Samsung and Microsoft Alliance

Updates to SharePoint authoring

Top 5 advantages of OneDrive for Business

MFA and end user impacts

Set up conditional access with Microsoft Search in Bing

New Azure files authentication

Lower pricing for Azure storage

Chromium version of Edge now has a beta channel

Impact of a password spray attack

When someone launches a password spray attack on one of your accounts, they are using automated processes to guess your password and brute force their way into the account. These attacks typically happen via legacy protocols that should be disabled in your Microsoft 365 tenant, as I have mentioned before:

Disable basic auth to improve Office 365 security

This can be trickier than you think because many legacy applications require basic authentication to operate. Therein lies the challenge.

I have purposely left legacy authentication enabled on some accounts to track what happens during brute force attempts. Experience is the best teacher as they say. Thanks to Cloud App Security:

A great security add on for Microsoft 365

I have configured it to alert me when there is a failed login from outside my corporate locations:

Tracking failed logins using Cloud App Security

I would occasionally get the odd failed alert but nothing sustained. That was until today!

As you can see from my inbox, all of a sudden I started to get massive volumes of alerts from Cloud App Security. The spray was on!

I jumped across to the Azure AD sign-ins for the account and filtered by location. The attempts were largely from China (CN is the location filter in the results above).

Due to the intensity of the attack I started to get login failures and reported lockouts as shown above. So how does Azure AD handle lockouts? You’ll find that information here:

Azure Active Directory smart lockout

which says:

By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.

Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout.

Smart lockout is always on for all Azure AD customers with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires paid Azure AD licenses for your users.

In this case, the tenant didn’t have a premium version of Azure AD so the standard defaults were in effect.
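To make the three quoted rules concrete, here is an added toy model in PowerShell (not from the original post and not Microsoft's implementation) that applies them to a sequence of sign-in attempts. The 10-attempt threshold, the one-minute first lock, the lock on every subsequent failure and the three-hash memory come from the quoted text; the hash function, the doubling of later lock durations and the reset on a successful sign-in are simplifying assumptions, as are the sample passwords.

```powershell
# Added example (not the post's own code): a simplified model of Azure AD smart
# lockout as quoted above. Durations beyond the first lock and the reset on
# success are assumptions made for illustration only.

function New-LockoutState {
    [pscustomobject]@{
        FailedCount  = 0                      # failures counted toward the threshold
        RecentHashes = @()                    # last three distinct bad-password hashes
        LockedUntil  = [datetime]::MinValue   # attempts before this time are rejected
        LockoutCount = 0                      # how many times the account has locked so far
    }
}

function Get-PasswordHash {
    param([string]$Password)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
}

function Invoke-SignInAttempt {
    param($State, [string]$Password, [string]$CorrectPassword, [datetime]$Now = (Get-Date))

    # While locked, every attempt is rejected, including the legitimate user's.
    if ($Now -lt $State.LockedUntil) { return 'Locked' }

    if ($Password -eq $CorrectPassword) {
        $State.FailedCount = 0                # assumption: success clears the counter
        return 'Success'
    }

    # Repeating one of the last three bad passwords does not advance the counter.
    $hash = Get-PasswordHash $Password
    if ($State.RecentHashes -contains $hash) { return 'Failed (repeat, not counted)' }
    $State.RecentHashes = @($State.RecentHashes + $hash) | Select-Object -Last 3
    $State.FailedCount++

    # 10 distinct failures trigger the first lock; after that every failure locks again.
    $threshold = if ($State.LockoutCount -eq 0) { 10 } else { 1 }
    if ($State.FailedCount -ge $threshold) {
        $State.LockoutCount++
        $minutes = [math]::Pow(2, $State.LockoutCount - 1)   # 1, 2, 4 ... (assumed growth)
        $State.LockedUntil = $Now.AddMinutes($minutes)
        $State.FailedCount = 0
        return "Failed (locked for $minutes minute(s))"
    }
    return 'Failed'
}

# Constructed sample run.
$correct = 'CorrectHorseBatteryStaple'
$t = Get-Date

# One wrong password entered ten times: only the first attempt counts, no lock.
$sameGuess = New-LockoutState
1..10 | ForEach-Object { Invoke-SignInAttempt $sameGuess 'Winter2019!' $correct $t } | Select-Object -Last 1
"Lockouts after repeating one bad password: $($sameGuess.LockoutCount)"

# Ten different guesses: the tenth one locks the account.
$spray = New-LockoutState
1..10 | ForEach-Object { Invoke-SignInAttempt $spray "Guess$_" $correct $t } | Select-Object -Last 1

# The real password is rejected too while the lock is in force (the denial of service).
Invoke-SignInAttempt $spray $correct $correct $t.AddSeconds(30)
```

The last call is the behaviour the rest of this post is about: once an attacker has tripped the lock, the account's own applications fail to sign in until it expires, which is why the symptoms below appear in OneDrive, Teams and the other clients.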

The next application to feel the strain was the OneDrive for Business sync client which started requiring re-authentication.

Then the Azure portal began to struggle under the weight of so many failed login attempts.

Then the Microsoft Teams desktop application also started to have authentication issues.

Next, it was OneNote’s turn to start requiring re-authentication.

The attacks came in waves, typically separated by a few minutes (as happens with spray attacks) and then it was back again.

So what can you do if an account is subject to a spray attack and you are effectively getting denial of service thanks to that? Microsoft has provided every tenant with a number of free Baseline Conditional Access policies. The most appropriate one in this case is Block legacy authentication.

Enabling this policy will basically prevent legacy protocols like IMAP, POP and SMTP BUT it will do this across the WHOLE tenant! That is, for ALL users. That may be an issue if you have other accounts that depend on these older protocols for operation. However, this is certainly the quickest and easiest way to block spray attacks if you need to.

A more refined approach is to use PowerShell and create a new authentication policy as shown above. This creates a policy that disables the legacy protocols.

With the policy in place you can now apply it to just the user in question. Most authentication policies can take up to twenty four hours to take effect, however you can force an immediate refresh using the -STSRefreshTokensValidFrom option as shown above.

After doing all this, it is advisable to check to ensure the user has this authentication policy enabled as shown above.
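The per-user steps just described, written out as an added PowerShell example (these are not the post's own commands). It assumes an Exchange Online PowerShell session is already connected, and the policy name and the address user@contoso.com are placeholders to replace.

```powershell
# Added example (not from the original post): block basic authentication for one
# Exchange Online user via an authentication policy, force it to apply at once,
# and verify the result. Placeholders: policy name and user@contoso.com.

$policyName = 'Block Basic Auth'
$user       = 'user@contoso.com'   # placeholder for the account under attack

# A new authentication policy blocks basic auth for every protocol unless an
# -AllowBasicAuth* switch is supplied, so creating it with just a name is enough.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Scope the policy to this single user rather than the whole tenant.
Set-User -Identity $user -AuthenticationPolicy $policyName

# Policies can take up to 24 hours to apply; invalidating the user's existing
# refresh tokens makes the new policy take effect immediately.
Set-User -Identity $user -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Check that the user now carries the policy and that the legacy protocols are blocked.
Get-User -Identity $user | Select-Object UserPrincipalName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName |
    Select-Object Name, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthActiveSync
```

Every AllowBasicAuth* value should report False for the new policy. If you later decide to block basic authentication tenant-wide from PowerShell rather than via the baseline Conditional Access policy, the same policy can be set as the default with Set-OrganizationConfig -DefaultAuthenticationPolicy, with the same caveat about legacy applications as above.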

When you dive into the Azure AD logs you’ll see that the brute force attempts have happened via SMTP, confirming a spray attack against the account.

Another service that may be affected by these attacks is Flow as seen above.

You may need to go into the Flow and re-authenticate, as with the other affected apps. The issue may not become evident until the next time your Flow actually runs.

So what are my ten takeaways?

1. Spray attacks are easy to automate and initiate. That means they will continue because they have a great ROI for attackers.

2. Implementing MFA on accounts is going to protect against an account breach from these spray attacks.

3. Spray attacks are facilitated via basic authentication, which is enabled on all tenants by default for legacy support and has to be manually disabled! Enabling MFA DOES NOT automatically disable basic authentication, since it allows support for static app passwords for applications that don’t support MFA out of the box. Disabling legacy authentication can cause issues with older applications that don’t support modern authentication, so disabling it across the whole tenant needs to be done with caution. A user-by-user approach may be better initially.

4. If your applications are complaining about failed authentication, check whether your account is in fact the subject of a spray attack. Azure AD is trying to protect the account by locking it out for a time period, which affects good and bad attempts alike.

5. Use Cloud App Security and you’ll get a heads up on this sort of thing early on. Knowing what is happening makes it much easier to deal with and there really isn’t a better way than using Cloud App Security.

6. Use conditional access to restrict who can attempt to log in to your tenant. Everyone gets some free basic baseline policies from Microsoft, but it is worth paying for Azure AD P1 to get the ability to be more granular. Don’t forget that Microsoft 365 Business comes with this granular Conditional Access ability out of the box now!

7. Consider having a ‘break glass’ emergency administrator account that you can call on to make admin changes if your only other existing administration account comes under attack and access becomes denied. This account doesn’t need a licence, it just needs permissions. It is hard to make changes to a tenant as an administrator if that account is subject to denial of service by a spray attack!

8. Even if you have MFA enabled, if you leave legacy authentication enabled, then even though attackers can’t correctly guess the password, their continued attempts could effectively result in a denial of service. This is very hard to mitigate, so look to eliminate all your legacy apps and protocols to prevent becoming collateral damage.

9. Review:

Azure AD and ADFS best practices: Defending against password spray attacks

as a good reference for the steps to protect your tenant against spray attacks. Remember, security is a journey and requires eternal vigilance and education.

10. Documentation before, during and after any incident is critical to knowing, understanding and mitigating attacks. This all starts with preparation and knowing your situation and what can and needs to be done in a logical manner using tools like checklists. Your information is too important and valuable to leave to chance. Have a plan; your attacker does.

The more hardened your environment, the more likely attackers will simply move on to easier targets. Leaving legacy settings enabled is going to ensure they keep coming back to test your defences and potentially impact your productivity as a side effect. In this case, once legacy authentication was disabled for the account the attacks ceased.

Sharing an Azure Information Protected file

Let’s say that we have a super secret text file with the contents shown above that we want to share with an external contact outside our Microsoft 365 tenant. We want to ensure that the document is encrypted and only viewable by those we have deemed to have permissions. We also want to restrict external users to have read only access to the file. How can we achieve that? With Azure Information Protection (AIP).

The first step in the process is to define an Azure Information Protection label with the permissions desired. You can see in the above that access for this label is defined for a Gmail account and the permissions for this account are set to “Viewer” (i.e. read only).

This label then needs to be added to a policy and pushed out to those Microsoft 365 users who will be creating documents, so it is available on their machines.

Users should already have the Microsoft Azure Information Protection client for Windows installed on their machines. Doing so will add an Azure Information Protection banner to their Office desktop applications as well as an extension to Windows Explorer when they right-click on a file, as shown above.

You typically use this Windows Explorer extension when you want to protect non-Office documents. You do this by selecting Classify and Protect as shown above.

This will launch the AIP client and allow you to apply the protection label that was created previously in the Azure portal. To apply that specific label to protect the document simply select the label name as shown above. You should then see the Sensitivity set to that level in the top left. Don’t forget to select the Apply button in the bottom right to actually protect the file!

You should now see that the file is a “Protected Text File” and that it has a new icon. You will also notice that the extension here is now .PTXT for protected text file.

That file can now be uploaded to OneDrive for Business and appears as shown.

If that protected file is now sent outside the organisation, using any method, and is opened with the native viewer, here Notepad, you’ll note the message saying that the file is protected and that to view it you must download Microsoft’s protected file viewer. This is actually exactly the same client that was used earlier, the Microsoft Azure Information Protection client for Windows. So, this will need to be downloaded and installed on the destination machine to allow viewing/access of the file.

Once the Microsoft Azure Information Protection client for Windows has been installed, when you open the file it should open automatically in the Azure Information Protection Viewer. If it doesn’t, just launch the Azure Information Protection Viewer first, and then use it to open the protected document.

Because the document is protected the user will now be asked to enter their credentials as shown. This will be their email address.

In this case, the email address with permissions is a Gmail account, which isn’t an Azure AD account like, say, an Office 365 account. Access will therefore be granted in a very similar way to the way OneDrive for Business does its sharing. This means that after entering a non-Azure AD account, the account will be sent a verification code that needs to be entered as shown above.

Checking back in the Gmail account, the user sees the Account verification code and enters that at the prompt. You’ll also notice that this code is good for 30 minutes. Access outside that will require re-authorisation and a new code.

With the code entered, the user can view the document as shown above. You’ll notice that both the Print and Save As are greyed out.

Upon selecting the View Permissions option for the file, the user can see which permissions they are allowed. Here, as expected, the only permissions available are View.

Now there are some restrictions around the file types supported for classification, labelling and protection. You can read more about those here:

Admin Guide: File types supported by AIP unified labelling client

However, you should be able to protect just about any file and allow the Save As upon delivery to protect the file contents during transmission.

Azure Information Protection basically allows you to apply unique permissions to an individual document. This ensures that the permissions travel with, and are obeyed by, the document no matter where or to whom it is sent. That is a very powerful way to protect your information and, as you can see, once you have configured the label it is very easy to apply to any document directly using Windows Explorer.

Azure Information Protection in some form is included in most Office 365 Enterprise SKUs but is also, importantly, included in Microsoft 365 Business. You can also purchase it as a stand-alone offering. Have a look at:

Requirements for Azure Information Protection

for more details.

CIAOPS Need to Know Microsoft 365 Webinar–August

Time for the August webinar. This month we’ll take a look at device management using Microsoft 365. The aim will be to show you how Microsoft 365 can help secure and manage iOS, Android, Windows 10 and even MacOS easily. I’ll again be using Microsoft Teams Live Events to host this, so by being part of this you’ll also see how this great technology from Microsoft functions. There will also be the latest Microsoft Cloud news as well as Q and A plus loads more. I’d love if you’d come along and be part of this.

You can register for the regular monthly webinar here:

August Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – August 2019
Friday 30th of August 2019
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 212

In this episode I speak with Darrell Webster about what happens behind the scenes with the Regarding365 community. A really good discussion around community and the process of regularly creating content. Of course there is also the latest Microsoft Cloud news and yes, Brenton is back to explain where he has been. Tune in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-212-darrell-webster/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@darrellaas

@regarding365

@contactbrenton

@directorcia

What’s new in Teams – July 2019

New to Microsoft 365 in July

OneDrive round up – July 2019

New Flow and PowerApps licensing

An Office 365 Guide to PowerApps and Flow licensing

Microsoft Defender ATP evaluation lab is now available

Without enrollment and Outlook for iOS and Android general app configuration

What’s new with Microsoft 365 – July [VIDEO]

Ring Central Teams

Teams in the Classroom [VIDEO]

https://mcdn.podbean.com/mf/web/g3iqgy/ep212.m4a

CIAOPS MS-100 online Certification training

I have just opened up the next round of the CIAOPS MS-100 online certification training.

The cost of the course is:

Patron Level       AU$ Price inc GST
Gold Enterprise    Free
Gold               $33
Silver             $99
Bronze             $176
Non patron         $399

The course will include:

The course will run over 4 weeks, commencing on Monday the 12th of August and finishing on Sunday the 15th of September.

The aim of this course is to help you prepare to pass the MS-100 certification and it should not be considered a ‘general’ training course on Microsoft 365. I will ask you to commit to sitting the exam prior to the 1st of October 2019. If you pass the exam prior to this date you will be eligible for some special offers; if you wish to take longer than that you can complete the exam at your leisure, but with no additional benefits.

If you wish to be part of this program email me (director@ciaops.com) asap so I can reserve your place. Enrolment closes on Friday the 9th of August at 5pm.

You may want to read my thoughts on why I believe certification is becoming increasingly important with the cloud:

The benefits of certification

I hope you’ll sign up to become certified in Microsoft 365.

Use PowerShell to get site storage usage

One of the challenges for IT Pros when managing the online collaboration world of SharePoint Online and OneDrive for Business in Microsoft 365 is getting a quick overview of things like storage usage across their environment. In the good ol’ days you’d just use Windows Explorer or something similar, but in the Microsoft 365 world these tools are not ‘online’ aware.

Thankfully, it is PowerShell to the rescue here again! What you can do is basically grab all the SharePoint and OneDrive for Business sites and look at a property called StorageUsageCurrent. Thus,

# Get every site collection (without -Limit All the cmdlet returns at most 200)
$sposites = Get-SPOSite -Limit All
# StorageUsageCurrent is reported in MB for each site
$sposites.StorageUsageCurrent

will firstly get all the SharePoint sites and then display the storage usage of each in MB. However, that is a bit basic. What you really want is something like this:

for your SharePoint sites, and a separate group for your OneDrive for Business sites like this:

You might also notice that they are sorted in descending order, from largest to smallest.
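One way to produce that kind of grouped, sorted report, as an added example rather than the author’s GitHub script: it assumes the SharePoint Online Management Shell is installed, that you replace <tenant> with your tenant name, and that OneDrive for Business sites are the ones living under the tenant’s “-my” host in a /personal/ path.

```powershell
# Added example (not the o365-spo-getusage.ps1 script): SharePoint and OneDrive
# for Business storage usage, reported separately and largest first.
# Assumes the SharePoint Online Management Shell; <tenant> is a placeholder.

Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# -IncludePersonalSite pulls in the OneDrive sites; -Limit All removes the
# default cap on the number of sites returned.
$allSites = Get-SPOSite -IncludePersonalSite $true -Limit All

# OneDrive for Business sites sit under the "-my" host in a /personal/ path.
$oneDrive   = $allSites | Where-Object { $_.Url -like    '*-my.sharepoint.com/personal/*' }
$sharePoint = $allSites | Where-Object { $_.Url -notlike '*-my.sharepoint.com/personal/*' }

function Show-SiteUsage {
    param([string]$Title, [object[]]$Sites)

    Write-Host "`n$Title ($($Sites.Count) sites)" -ForegroundColor Cyan
    $Sites |
        Sort-Object StorageUsageCurrent -Descending |
        Select-Object @{ n = 'Site';        e = { $_.Url } },
                      @{ n = 'UsedMB';      e = { $_.StorageUsageCurrent } },
                      @{ n = 'QuotaMB';     e = { $_.StorageQuota } },
                      @{ n = 'PercentUsed'; e = {
                          if ($_.StorageQuota -gt 0) {
                              [math]::Round(100 * $_.StorageUsageCurrent / $_.StorageQuota, 1)
                          } } } |
        Format-Table -AutoSize
}

Show-SiteUsage -Title 'SharePoint sites'           -Sites $sharePoint
Show-SiteUsage -Title 'OneDrive for Business sites' -Sites $oneDrive

# Tenant-wide total, handy for spotting who is consuming the pooled quota.
"Total used across all sites: {0:N0} MB" -f ($allSites | Measure-Object StorageUsageCurrent -Sum).Sum
```

The PercentUsed column is the extra piece worth having beyond raw MB: a site near its quota is the one that will start failing uploads, so sorting by usage and watching the percentage together gives a quick triage list.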

The good news is that I have done all that hard work for you and made the script available in my GitHub repo here:

https://github.com/directorcia/Office365/blob/master/o365-spo-getusage.ps1

The only thing that you need to do before running the script is to connect to SharePoint Online using PowerShell as an administrator.

Don’t forget there are also plenty of other handy scripts in my GitHub repo which get updated regularly. So, make your admin life easier and use what I have already created rather than re-inventing the wheel.

Creating unique file permissions with Teams

Microsoft Teams is a really easy way to share files with others. However, the modern concept with Microsoft Teams is that once you are part of the Team then you have the same rights as everyone else. This generally means that all Team members have the ability to read, write, modify and potentially delete files. This is common across all channels in the Team.

One thing that you really don’t want to do is go into the SharePoint back end of the Teams files and modify the default permissions. If you do, you’ll cause a whole lot of problems. We are expecting private channels in Teams very soon but here’s an easy way to overcome the default common sharing options in Teams by creating a separate area with unique permissions and linking that back into the Team.

Firstly navigate to your Team.

Select the Files tab to the right of Conversations to see all the files for that channel as shown above. These are common files that all Team members have the same rights to.

Select the Open in SharePoint option as shown above.

This will take you to the location of those channel files in SharePoint as shown above. This location is typically a subfolder with the name of the channel (here General), in a Document Library called Documents.

You will need appropriate permissions to complete the process from here. So you will need to be an admin of the Team or a SharePoint Site owner.

In the top right of the screen select the cog, then Add an app from the menu that appears as shown.

Typically, you’ll select to add a new Document Library and give it a name.

In this case, a new Document Library called Final Presentations has been created as shown.

Once you are at this new location, select the cog again in the top right and this time select Library settings as shown.

Select the second option from the second column at the top of the page called Permissions for this document library.

Now it is just good ol’ SharePoint permissions configuration.

Typically, you firstly select Stop Inheriting Permissions.

In this case, Sales members will be changed from Edit to Read permissions by selecting that group and then the Edit User Permissions button. However, you can configure whatever permissions suit your needs.

Make sure you select OK after you have made your changes.

Once you have configured the required permissions, you need to return to the Team and link this new location there.

Inside the Team, select the channel in which you wish this new location to be linked and select the + icon on the right as shown.

From the dialog that appears, select Document Library as shown.

You can either navigate or input a direct link here. In this case the destination site, Sales, is selected.

You should then see the new location you created (here Final Presentations). Select this and then the Next button.

Give the new tab a name, which can be different from the location if you wish, and press Save.

You should now see the location you created and any files in there as shown above. These items have permissions governed by those set previously in SharePoint but now they are also displayed and accessible in Teams. The great thing is you can link this new location in multiple places and you can link from locations not even in the current Team. As long as users have permissions, they can see and interact with those files based on those permissions.

Hopefully, that is an easy way to create locations for files with unique permissions but still have them accessible to users via Teams.