Another Defender for Endpoint integration

image

If you visit Microsoft Endpoint Manager | Endpoint Security | Microsoft Defender for Endpoint and scroll down the page on the right you see the new section App Policy Protection Settings as shown above. Turning this ON will basically allow the state of Microsoft Defender on both Android and iOS to feed into your compliance policies.

image

Once you have enabled these settings visit Apps | App Protection policies and edit or create an policy. During this process you will find a Conditional launch section. If you then scroll down to the bottom of tat page you will the screen shown above where  you can add the setting for Max allowed device threat option. This basically is the threat level you would allow on your device. If the threat level on a device goes above this then the selected action will take place. That action can either be Wipe or Block. Wipe is rather drastic, especially to start with, so Block is probably the best starting point.

You can read more about this new capability here:

Microsoft Defender for Endpoint risk signals available for your App protection policies (preview)

It is a nice integration we are beginning to see more of between device management and Defender for Endpoints.

Reviewing Windows 10 Audit Policy Settings

I have spoken about things like Attack Surface Reduction (ASR) for Windows 10 and how easy they are to implement to improve the security of Windows 10:

Attack surface reduction for Windows 10

Another very important aspect of securing Windows 10 environments is to ensure that the audit policy settings are appropriate to capture the right information to help with any investigation. To that end, I have a free scripts available at:

https://github.com/directorcia/Office365/blob/master/win10-audit-get.ps1

which will show you the current audit policy settings in your environment like so:

image

As you can see from the above screen gab, many audit settings are not enabled out of the box. Please note, you’ll need to run the script as an administrator for it be able to report the audit policy settings.

You’ll find the best practice recommendations for audit policy settings from Microsoft:

Audit Policy Recommendations

and government departments like the Australian Cyber Security Center:

Hardening Microsoft Windows 10 version 1909 Workstations

Look for the section heading – Audit Event management in the above page.

As always, there are number of different ways to enable these best practice audit policy settings on your Windows 10 devices. To my mind using Microsoft Endpoint Manager that comes with offerings like Microsoft 365 Business Premium is the easiest.

image

And the quickest way to do this inside Microsoft Endpoint Manager is simply to apply the Windows 10 Security Baseline policies as shown above. To read more about this capability visit:

Use security baselines to configure Windows 10 devices in Intune

In fact, the results from my script are based on the settings found in the Windows 10 Security Baseline policy.

To read more about these security audit policies for Windows 10 I encourage you to take a look at:

Advanced security audit policy settings

and remember, you can configure these settings at the command line if you need to using the:

auditpol

command, which is exactly what I used in my script to extract the current settings. However, deploying them using Microsoft Manager for Endpoint and baseline policies is going to be far easier across a fleet of devices.

What the online world can learn from recent on prem Exchange Server challenges

It has been a pretty challenging few days for those that still manage and maintain on premises Exchange servers thanks to:

HAFNIUM targeting Exchange Servers with 0-day exploits

Throughout which I’ve seen a lot of smug cloud administrators wondering why people still bother with on premises. I think a better use of their energies would be to look at the current situation and learn from it rather than allocating it to self righteousness.

The cloud is a shared responsibility model. This means that both Microsoft and end user now responsible for the security of cloud infrastructure. Luckily, these recent Exchange issues have largely fallen to Microsoft when it comes to the cloud. Where there is room to learn for the rest of us, is in the response to the situation from those battling to contain it.

From everything I have seen online in regards to the HAFNIUM issue, what I find most interesting is the lack of a response plan. Technically, administrators can follow directions, run scripts, patch systems pretty well. However, most seem totally unprepared for this kind of situation, especially at scale. That’s what worries me the most. Why? Because challenges in the cloud can easily be of the same scale and impact.

There have been plenty of examples when services like Azure AD or Exchange Online have been unavailable, but when they have, I’ve seen the same level of, dare I say, panic. Because systems work 99.99% or more of the time ‘on average’, a large amount of complacency begins to creep into the system, especially those charged with maintaining these systems. Thoughts of disaster recovery and outage impact get put on the back burner and never really addressed because there are always ‘higher’ priorities.

What worries me is the dependency we have built into our modern lives, business and economy, to the point where most cannot function if their phones run out of charge. What worries me when I look at the response I see to broad security challenges in IT is simply the lack of a credible contingency plan. A check list of what to do, if you like. Of course, you can’t have a plan for every contingency but some semblance of a plan is better than no plan at all surely?

In the end it comes down to risk analysis. When the sun is shining, risk analysis is the furthest thing from people minds. This however, is exactly the time that it should be a priority because developing a strategy in midst of a crisis does not generally lead to the best outcome. You want to have a checklist of what to do, well in advance of whenever you may need it.

Even though the systems I work with are cloud based are immune from the HAFNIUM (it appears at least), that doesn’t stop me learning from how the unfortunate are dealing with it. I’m watching, learning and preparing, because as the saying goes, “When did Noah build the Ark?”

Before it rained.

Before it rained.

A painful bulk email sending lesson

I needed to get some event registration and Microsoft Teams meeting details out to around 100+ users recently. So, I composed the email, Bcc’d people and pressed Send as I always do.

image

Not longer after, I get a failed delivery to all those addresses as you can see above. The message reads:

Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.

What the hell is going on here I thought? I’ve done this before, what’s wrong?

image

As always, the issue has to do with the email security settings I have. One of my primary recommendations with outbound spam filtering is to limit the amount of emails that a user can send per hour and then block them once they reach this threshold.

I had, of course, gone for a very low setting because ‘I never send more than 90 email per hour’ to external recipients. We’ll guess what? The email I just tried to send  crossed that threshold and now I was blocked as a user. I could no longer send ANY emails!

So that’s the why, now the how to fix it so I could again send emails?

image

Initially, I thought that I’d just go in and change the policy and bump up the threshold plus set the action to alert only. Surely, that’ll fix my problem, right? After retrying 5 minutes, 10 minutes, etc up to 1 hour after the change, I still had the same issue. Damm!

image

As it turns out, because I had contravened that outbound spam policy I’d ended up as a ‘Restricted user’, as shown above. The direct URL to this portal is:

https://security.microsoft.com/restrictedusers

I could go in there and select the Unblock link to the right of my login.

image

I’m take through a wizard as shown above, giving me the reason why I have been restricted and some recommendations.

image

Given that I already have MFA enabled and I’m happy that my password has not been compromised, I select the Unblock user button at the bottom of the page. Note, the warning at the bottom of the page here:

It may take up to 1 hour before restrictions are removed

Damm!

image

I receive a last warning about removing the restrictions, to which I select Yes to continue.

After waiting the 1 hour, as directed, I was back in business.

In summary, it is always the exception that catches you out. I had never before crossed the outbound threshold limits before. I must have been close, but clearly this send was above those limits and resulted in contravention of the policy. The result being that I ended up on the restricted user list, unable to send. Once I had worked out how to get myself off that list, by visiting the appropriate portal, it was easy enough to get things back in order, although the up to 1 hour wait for this removal process to complete should not be overlooked.

After this learning experience, the question is now, what should my outbound spam policy be set to? I rarely send this many emails within an hour time frame, but I may indeed need to do so in the future again at some point? Should I increase the limit from 90? Should I also change the action from restrict to just alert? All very good questions I’ll need to consider.

So the learning from this experience is, when you get a security exception, where do you look to work out why it has happened? Second, how to ‘allow’ it if the action was not an exploit? Finally, what adjustments should be taken in the policy to avoid the same instance happening again in the future. Security is not an exact science and it is exceptions that cause you the greatest pain. Sometimes that pain will be due to a false positive, but in the end, I’d rather experience that pain than a full on breach!

CIAOPS Need to Know Microsoft 365 Webinar – March

laptop-eyes-technology-computer

Security is something that you need to regularly re-visit and re-evaluate. It’s about time we did this for Microsoft 365 to learn what’s new and how best to defend our tenants against attackers. In this session I’ll cover off the latest security learnings and provide you with a check list to help you secure your Microsoft 365 information better. I’ll also have the latest news from Microsoft and as always there will be time for your questions.

You can register for the regular monthly webinar here:

March Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – March 2021
Friday 26th of March 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Email overrides are not best practice

I see a lot of email configurations in Microsoft 365 that use some form of override to ‘get around’ a delivery issue. Doing so is simply not best practice and in fact opens you up for additional attacks.

For more information, let’s review the Microsoft document:

Create safe sender lists in EOP

which says:

  • We don’t recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks.
  • Use Outlook safe senders – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the user’s Safe Senders or Safe Domains lists don’t prevent malware or high confidence phishing messages from being filtered.
  • Use the IP allow lists – Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the IP Allow List doesn’t prevent malware or high confidence phishing messages from being filtered.
  • Use allowed sender lists or allowed domain lists – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the allowed senders or allowed domains lists don’t prevent malware or high confidence phishing messages from being filtered. Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.

In short, if you are using white lists or the like you are creating a vulnerability in your environment that attackers can exploit. All inbound messages should be filtered through appropriately configured mail filtering policies. If you want information on setting these appropriately see:

Mail flow best practices for Exchange Online and Office 365

Best practices for configuring standalone EOP

Recommended settings for EOP and Defender for Office 365 security

To get an overall picture of all the message overrides in your environment visit the Security and Compliance admin portal:

image

Locate the Reports option on the left and then select Dashboard as shown, from the expanded options. Then on the right locate the Threat protection status tile as shown and select it.

image

From the pull down options in the top right, as shown above, select Message override.

image

You should now see a nice summary of any messages passing through your environment that are overriding your configurations. Don’t forget that you can also View details table and select to Filter in the top right of this report.

A direct link to this report can be found here:

Threat Protection status – Message override

Overriding policies conditions is something that should be avoided as much as possible, simply because it increases the risk in your environment. Also, if you haven’t already, go take a look at what messages are overriding in your environment today and try to eliminate these to improve your security.