IAMCP Video Presentation

I recently did a presentation for the International Association of Microsoft Channel Partners Quarterly Briefing and you can find the slides here:

https://www.slideshare.net/directorcia/microsoft-365-security-overview

The videos is also available now at:

https://www.youtube.com/watch?v=bGEfjgIfhdE

if you want to take a look.

Thanks again to the IAMCP for the opportunity to present on Microsoft cloud security.

CIAOPS Secwerks 1 registrations now open

pexels-pixabay-60504

With the venue now secured I am please to announce that registrations for CIAOPS Secwerks 1 in Melbourne CBD on Thursday August 5th and Friday August the 6th are now open. If you are not a CIAOPS Patron there is an early bird offer of $440 inc GST if you use the coupon code SWEB at check out. After that date, the price will be $798 inc GST. Note, costs exclude food which is not available in the venue. You can register now at:

https://www.ciaopsacademy.com/p/secwerks

The event is a 2 day hands on Level 400+ deep dive into security for Microsoft 365. It will cover topics such as:

– Exchange Online Security

– Windows 10 device hardening

– Incident monitoring and handling

– Effective identity security

– Data protection and more

If you have the responsibility for the management of Microsoft and Office 365 environments, then this session is for you.

I’ll be posting more information about the event in the coming weeks but if you do have questions please feel free to contact me via director@ciaops.com.

I look forward to seeing you at the event.

I need help with Windows Defender System Guard

I need some help in my question to enable Windows System Guard in my environment. If you want to know what it is see:

Hardening the system and maintaining integrity with Windows Defender System Guard

and the Microsoft article is here:

Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10

and in summary Windows System Guard is:

Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:
– Protect and maintain the integrity of the system as it starts up
– Validate that system integrity has truly been maintained through local and remote attestation

I enabled it using the techniques in this article:

System Guard Secure Launch and SMM protection

To verify it is enabled 9according to the article) you check MSInfor32 and you should see:

image

i.e. Secure Launch appear in both:

1. Virtualization based Security Configured

and

2. Virtualization based security Services Running

image

However, in my case I don’t see it appear under Virtualization based security Services Running as you see above?

Now, the Microsoft article does say:

image

Credential Guard is definitely running per my MSInfo32

image

To check Virtualization Based Security I can run the command:

Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard


and I see the following:

image

According to the documentation,

image

if VirtualizationBasedSecurityStatus = 2 then:

VBS is enabled and running

Now, if I look at the SecurityServicesRunning field I see:

image

only Credential Guard and HVCI running per:

image

i.e no System Guard Secure launch. This confirms what I see in MSInfo32.

Verifying Device Guard is where things get challenging, because this:

Why we no longer use the Device Guard brand

seems to indicated the device Guard is now Windows Defender Application Control (WDAC)??

However, there is this article:

Windows 10 Device Guard and Credential Guard Demystified

from early 2021 talking about Device Guard?? Here, Device Guard is:

Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system

Device Guard consists of three primary components:

  • Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.

  • VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.

  • Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

According to that article the CCI is located at:

Computer Configuration \ Administrative Templates \ System \ Device Guard \ Deploy Code Integrity Policy

image

But I can’t see that on my machine as shown above??

I can’t see how to specifically enabled VSM Protected Code Integrity, I can only find:

Code Integrity

Finally, my machine does have UEFI and secure boot enabled:

image

The last piece of the puzzle is a service called Secure Launch:

image

which I have running and seems to be linked to System Guard but I can find no confirmation of what this service actually does??

In summary, I am at a loss to understand why my machine seems to not have System Guard enabled even though it is capable it seems. I feel confident that I do have all the requirements in place but the Configurable Code Integrity (CCI) may be the issue but I can’t find anything on how to configure that.

My ask then, is if you have any information on helping me get System Guard working on my machine or help me understand why it isn’t working I’d appreciate it as I have drawn a blank with all my other sources.

Using Azure Sentinel with Azure Lighthouse

A recent article:

Configure Azure Lighthouse

detailed how to get Azure Lighthouse working across different tenants (a ‘master’ and multiple ‘clients’). It is now time to look at how to use that capability inside the ‘master’ tenant with Azure Sentinel.

image

Log into your ‘master’ Azure tenant. Select the user in the top right and from the menu that is displayed select Switch directory.

image

You’ll typically see only the current ‘master’ tenant listed in Current + delegated directories. Select the pull down arrow on the left of the Current + delegated directories option as shown.

image

You should now see all the ‘client’ tenants you connected with Azure Lighthouse now appear. However, you’ll will notice they are currently not selected.

image

Ensure that all the directories are selected.

image

With All directories now selected in Current + delegated directories, clock on the pull down arrow on the right of Subscription as shown above.

image

Again, you will probably see that the subscriptions in the ‘client’ tenants are not selected.

image

Ensure these are all selected and the Subscription option displays All subscriptions as shown above.

image

With all the ‘client’ tenant selections now complete it means they will be displayed just like any other in the ‘master’ tenant. Navigate to Azure Sentinel in the ‘master’ tenant and look at the list of workspaces that are displayed. If you don’t see ‘client’ Sentinel workspaces, select the Subscription filter at the top of the page and ensure it is set to All as shown.

image

With all the workspaces selected, click the View incidents button from the menu along the top as shown above.

image

You should now see a list of all the incidents across all the tenants. You can see this by looking at the Directory column as shown in the output. You can, of course, view at individual Sentinel workspaces if you want by just clicking on them in the previous screen. This provides the same experience as if you viewed the results inside that ‘client’ tenant but you are doing that now inside the ‘master’ tenant.

This process now provides you a single pane of glass across all your Azure Sentinel environments. Depending on the permissions you have configured in the ‘client’ tenants, you get much the same capability across other Azure resources in the ‘master’ tenant now. This is the benefit of using Azure Lighthouse to manage multiple tenants and exactly how I use it with Azure Sentinel.

Missing calendar icon in Microsoft Teams

image

I recently ran a Live Event in Microsoft Teams and wanted to get back to the event resources but found my calendar was missing as seen above. This was evident on both the desktop and web interface.

image

When I attempted to use the link from the Live Event appointment in the calendar in my Outlook I was greeted with the above message:

Unable to connect to your Exchange calendar at the moment

I thought this strange as i had scheduled the Live Event using the calendar icon in Teams?

Turns out that what I had done in the meantime was disable Exchange Web Services (EWS) in my environment. Doing so affects a number of services in my environment including Teams and Exchange Add-ins as it turns out.

If you are seeing the same issues you can use PowerShell to check the EWS status of your environment. You’ll firstly need to connect to Exchange Online with PowerShell which you can do using my script:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

then run the following command to see what the EWS settings are at the tenant level:

Get-organizationconfig | fl ews*

to which you should see something like:

image

From what I understand you’ll need to ensure that EWSEnabled and EWSAllowOutlook are NOT False (i.e. disabled). This will take care of allowing EWS for any new mailboxes created from this point forward.

Also run the command:

Get-CASMailbox  | fl identity, ews*

which should result in a list of all the EWS for each user like so:

image

Make sure that users do not have EwsEnabled or EwsAllowOutlook set to False (i.e. disabled). If it is you can use the command:

set-casmailbox –identity user@domain.com –ewsenabled $true –ewsallowoutlook $true

command to re-enable it and set it to True.

If you change an EWS setting for an individual mailbox it can take 4 – 24 hours for that change to flow through according to documentation I’ve seen. In my case however, I found by logging out and back in the change appeared almost immediately.

image

It should then re-appear in Teams as shown above. If it doesn’t, simply use the three dots (ellipse) at the bottom of the list to add it back in. You may also need to right mouse click it once you have added it back in and “pin” it to the side menu, so it stays there.

So in a nutshell, don’t disable EWS in your environment because things like Microsoft Teams needs it! If you are missing your calendar in Microsoft Teams or have issues with Outlook Add-ins, check EWS is enabled.

Configure Azure Lighthouse

Azure Lighthouse:

“enables cross- and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants.”

In essence, it allows you to manage multiple ‘client’ Azure tenants from a single ‘master’ tenant. There is no cost for Azure Lighthouse and it is simple to enable. However, I would caution you to pay close attention to the permissions you assign the ‘master’ tenant inside the ‘client’ tenants and follow the best practice of least privilege security.

You are going to need a few things before you start configuring Azure Lighthouse.

1. A ‘master’ Azure tenant with a paid subscription

2. ‘Client’ Azure tenants with a paid subscription in each

3. For each ‘client’ Azure tenant you will require a login to that tenant who has the Owner built-in role for the subscription being onboarded. Typically, there is only one subscription in an Azure tenant and the initial administrator has that role. You will use this user, inside each ‘client’ tenant to permit access from the ‘master’ tenant.

4. The Tenant ID of the ‘master’ tenant.

image

You will find that on the front page of the Azure Active Directory blade in the ‘master’ Azure tenant portal as shown above.

5. The Object ID for the controlling entity (user or group) in the ‘master’ Azure tenant. This is basically the individual user or Azure AD security group who you wish to give access rights to the ‘client’ Azure tenants.

image

You will find the Object ID on the front page of that item in Azure AD as shown above. The above example show this for a single user.

image

The above example is for a group.

6. You now need to deicide what permissions you will give this Object ID from the ‘master’ Azure tenant inside the ‘client’ tenants. You can find all the Ids for Azure built-in roles here:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

So, if you want for the ‘master’ tenant Object ID to have effectively full rights inside the ‘client’ Azure tenants use:

Contributor – ID = b24988ac-6180-42a0-ab88-20f7382dd24c

Remember, best practice is to follow least privilege and as such if you just want to view Azure Sentinel information in the ‘client’ Azure tenant use:

Azure Sentinel Reader – ID = 8d289c81-5878-46d4-8554-54e1e3d8b5cb

but as I said, be very, very careful about the rights you assign the ‘master’ Object ID inside the ‘client’ tenants.

Once you have all the above information, you’ll need to login to the ‘client’ Azure tenant with the user account in step 3 above (i.e. an owner of the ‘client’ Azure tenant).

In the same browser session open a new tab and navigate to:

https://github.com/Azure/Azure-Lighthouse-samples/

and select the Auto-deployment button in the first row as shown:

image

A custom deployment template should launch

image

and look like the above. Here, select the Subscription and Region appropriate in the ‘client’ Azure tenant. You can put any custom text you wish into the Msp Offer Name and Msp Offer Description field.

Into the Managed by Tenant Id field enter the value you recorded in step 4 above (i.e. the Tenant ID of the ‘master’ Azure subscription).

The Authorizations field needs to be in the format of:

[{“principalId”:”ee8f6d35-15f2-4252-b1b8-591358e8a244″,”roleDefinitionId”:”acdd72a7-3385-48ef-bd42-f606fba81ae7″,”principalIdDisplayName”:”PIM_Group”},{“principalId”:”ee8f6d35-15f2-4252-b1b8-591358e8a244″,”roleDefinitionId”:”91c1777a-f3dc-4fae-b103-61d183457e46″,”principalIdDisplayName”:”PIM_Group”}]

where the principalId field will be the item you obtained in step 5 above (i.e. who in the ‘master’ Azure tenant do you want to have rights to the ‘client’ Azure tenant) and roleDefinitionId will be the information obtained in step 6 above (i.e. what permissions you want to gibe inside the ‘client’ Azure tenant). You can assign the principalIdDisplayName field any meaningful text you wish.

As you can see from the example you can chain multiple permission assignments together. So in this example, let’s say that I want to assign my one user full contributor rights and a security group only Azure reader rights. The entry would then look like:

[{“principalId”:”b75e7296-a058-4000-0000-000000000000″,”roleDefinitionId”:”b24988ac-6180-42a0-ab88-20f7382dd24c”,”principalIdDisplayName”:”User_contributor”},{“principalId”:”8d3a5c5a-0d1e-4639-0000-000000000000″,”roleDefinitionId”:”8d289c81-5878-46d4-8554-54e1e3d8b5cb”,”principalIdDisplayName”:”Group_Sentinel_reader”}]

It is very, very important that you get the formatting of the Authorizations field correct. I suggest you compose it in something like Notepad (with word wrap = off) and paste it in. If you see any errors during deployment, double check you have this field EXACTLY correct!

image

Once you have entered all the information, select the Review + create button an the bottom of the screen.

Your options will then be validated, and if passed, select the Create button at the bottom of the screen.

image

You should then see the deployment commence as shown above. The deployment will take a few minutes to complete, after which it take at least another 15 minutes for the Azure Lighthouse configurations to appear in the ‘master’ and ‘client’ tenants, so be patient.

image

After the 15 minutes, navigate to Azure Lighthouse in the ‘client’ tenant and look at Service Provider offer as seen above. This basically tells you that this ‘client’ tenant has single delegation (i.e connect to a ‘master’ Azure tenant).

image

Now head over to the ‘master’ Azure tenant and view Azure Lighthouse there, but look at the My customers then Customers option as seen above. Here you should see the ‘client’ Azure tenant just added to the current ‘master’ Azure tenant. Again remember, this takes around 15 minutes to appear once configured.

Congratulation you have successfully used Azure Lighthouse to link a ‘client’ Azure tenant to a ‘master Azure tenant. Look out for upcoming articles on what you can now do once you have enabled Azure Lighthouse.

Register your interest for a hands on, deep dive Microsoft 365 Security event

pexels-pixabay-356065

If you are interested in attending a hands on in person 2 day deep dive event into Microsoft Security including:

– Exchange Online

– Windows 10 hardening

– Effective incident monitoring

– Identity security

– Data protection

and more then I encourage you to register your interest now for CIAOPS Secwerks 1 in Melbourne CBD over 2 days, Thursday the 5th and Friday the 6th of August 2021. I expect demand to be extremely high for this event and I will have more to share when I have confirmed all the details. However, feel free to reach out to me if you want more information. Please register your interest here to be kept up to date with the event:

http://bit.ly/ciaopsroi

The theme of this event will be to help you understand all the technologies that the Microsoft Cloud provides, how to configure them appropriately and get your Microsoft Secure Secure above 80%. The material covered will be technical and cover all the basics but then to extend beyond Level 400. The course is specifically designed for those who need to provide security for environments connected to Microsoft 365.

I hope to see you there.