Need to Know podcast–Episode 213

A quick news update followed by an engaging interview with Amy Babinchak around some of the cloud topics she will be presenting at some upcoming events. Amy is owner of Harbor Computer, Third Tier Consulting and an Office 365 MVP to boot, so plenty of great learnings to he had listening in.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-213-amy-babinchak/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@ababinchak

@contactbrenton

@directorcia

Samsung and Microsoft Alliance

Updates to SharePoint authoring

Top 5 advantages of OneDrive for Business

MFA and end user impacts

Set up conditional access with Microsoft Search in Bing

New Azure files authentication

Lower pricing for Azure storage

Chromium version of Edge now has a beta channel

Impact of a password spray attack

Basically, when someone launches a password spray attack on one of your accounts, they are basically using automated processes to guess your password and brute force their way into the account. These attacks typically happen via legacy protocols that should be disabled in your Microsoft 365 tenant as i have mentioned before:

Disable basic auth to improve Office 365 security

This can be tricker than you think because many legacy applications require basic authentication to operate. Therein lies the challenge.

I have purposely left legacy authentication enabled on some accounts to track what happens during brute force attempts. Experience is the best teacher as they say. Thanks to Cloud App Security:

A great security add on for Microsoft 365

I have configured it to alert me when there is failed login from outside my corporate locations:

Tracking failed logins using Cloud App Security

image

I would occasionally get the odd failed alert but nothing sustained. That was until today!

image

As you can see from my inbox, all of sudden I started to get massive volumes of alerts from Cloud App Security. The spray was on!

image

I jumped across to Azure AD sign-ins for the account and filtered the location down to be largely from China (i.e. CN is the location filter in the above results).

image

Due to the intensity of attack I started to get login failures and reported locks outs as shown above. So how does Azure AD handle lockouts? You’ll find that information here:

Azure Active Directory smart lockout

which says:

By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.

Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout.

Smart lockout is always on for all Azure AD customers with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires paid Azure AD licenses for your users.

In this case, the tenant didn’t have a premium version of Azure AD so the standard defaults were in effect.

image

The next application to feel the strain was the OneDrive for Business sync client which started requiring re-authentication.

image

Then the Azure portal began to struggle under the weight of so many failed login attempts.

image

Then the Microsoft Teams desktop application also started to have authentication issues.

image

Next, it was OneNote’s turn to start requiring re-authentication.

The attacks came in waves, typically separated by a few minutes (as happens with spray attacks) and then it was back again.

image

So what can you do if an account is subject to a spray attack and you are effectively getting denial of service thanks to that? Microsoft has provided every tenant with a number of free Baseline Conditional Access policies. The most appropriate one in this case is Block legacy authentication.

image

Enabling this policy will basically prevent legacy protocols like IMAP, POP and SMTP BUT it will do this across the WHOLE tenant! That is, for ALL users. That may be an issue if you have other accounts that depend on these older protocols for operation. However, this is certainly the quickest and easiest way to block spray attacks if you need to.

image

A more refined approach is to use PowerShell and create a new authentication policy as shown above. This creates a policy that disables the legacy protocols.

image

image

With the policy in place you can now apply it to just the user in question. Most authentication policies can take up to twenty four hors to take effect, however you can force an immediate refresh using the –STSRefreshTokenValidFrom option as shown above.

image

image

After doing all this, it is advisable to check to ensure the user has this authentication policy enabled as shown above.

image

When you dive into the Azure AD logs you’ll see that the brute force attempts have happened via SMTP, confirming a spray attack against the account.

image

Another service that may be affected by these attacks is Flow as seen above.

image

You may need to go into the Flow and re-authenticate as with the other affected apps. The issue may not be come evident until the next time your Flow actually runs.

So what my ten take aways?

1. Spray attacks are easy to automate and initiate. That means they will continue because they have a great ROI for attackers.

2. Implementing MFA on accounts is going to protect against an account breech from these spray attacks.

3. Spray attacks are facilitated via basic authentication which is enabled on all tenants by default for legacy support and has to be manually disabled! Enabling MFA DOES NOT automatically disable basic authentication since it allows support for static app passwords for applications that don’t support MFA out of the box. Disabling legacy authentication can cause issues with older applications that don’t support modern authentication. Disabling legacy authentication across the whole tenant needs to be done with caution. A user by user approach may be a better approach initially.

4. If your applications are complaining about failed authentication, check to see whether your account is not in fact the subject of a spray attack. Azure AD is trying to protect the account by locking itself out for a time period which affects good and bad attempts.

5. Use Cloud App Security and you’ll get a heads up on this sort of thing early on. Knowing what is happening makes it much easier to deal with and there really isn’t a better way than using Cloud App Security.

6. Use conditional access to restrict who can attempt to login to your tenant. Every one gets some free basic baseline policies from Microsoft but it is worth paying for Azure AD P1 to get the ability to be more granular. Don’t forget that Microsoft 365 Business comes with this granular Conditional Access ability out of the box now!

7. Consider having a ‘break glass’ emergency administrator account that you can call on to make admin changes if your only other existing administration account comes under attack and access becomes denied. This account doesn’t need a licence, it just needs permissions. It is hard to make changes to a tenant as an administrator if that account is subject to denial of service by a spray attack!

8. Even if you have MFA enabled, if you leave legacy authentication enabled, then even though attackers can’t correctly guess the password, their continued attempts could effectively result in a denial of service. This is very hard to mitigate, so look to eliminate all your legacy apps and protocols to prevent becoming collateral damage.

9. Review:

Azure AD and ADFS best practices: Defending against password spray attacks

as a good refence for the steps to protect your tenant against spray attacks. Remember, security is a journey and requires eternal vigilance and education.

10. Documentation before, during and after any incident is critical to knowing, understand and mitigating attacks. This all starts with preparation and knowing your situation and what can and needs to be done in a logical manner using tools like checklists. Your information is too important and valuable to leave to chance. Have a plan, your attacker does.

The more hardened your environment, the more likely attackers will simply move on to easier targets. Leaving legacy settings enabled is going to ensure they keep coming back to test your defences and potentially impacting your productivity as a side effect. In this case, once legacy authentication was disabled for the account the attacks ceased.

Use PowerShell to get site storage usage

One of the challenges for IT Pros when managing the online collaboration world of SharePoint Online and OneDrive for Business in Microsoft 365, is getting a quick overview of things like storage usage across their environment. In the gold ol’ days you’d just using Windows Explorer or something similar, but in the Microsoft 365 world these tools are not ‘online’ aware.

Thankfully, it is PowerShell to the rescue here again! What you can do is is basically grab all the SharePoint and OneDrive for Business Sites and look at a property called StorageUsageCurrent. Thus,

$sposites=get-sposite
$sposites.storageusagecurrent

will firstly get all the SharePoint sites and then display the storage usage of each in MB. However, that is a bit basic. What you really want is something like this:

image

for you SharePoint sites and and a separate group for your OneDrive for Business sites like this:

image

You might also notice that they are also sorted in descending order, from largest to smallest.

The good news is that I have done all that hard work for you and made the script available in my GitHub repo here:

https://github.com/directorcia/Office365/blob/master/o365-spo-getusage.ps1

The only thing that you need to do before running the script is to connect to SharePoint Online using PowerShell as an administrator.

Don’t forget there are also plenty of other handy scripts in my GitHub repo which get updated regularly. So, make your admin life easier and use what I have already created rather than re-inventing the wheel.

Creating unique file permissions with Teams

Microsoft Teams is a really easy way to share files with others. However, the modern concept with Microsoft Teams is that once you are part of the Team then you have the same rights as everyone else. This generally means that all Team members have the ability to read, write, modify and potentially delete files. This is common across all channels in the Team.

One thing that you really don’t want to do is go into the SharePoint back end of the Teams files and modify the default permissions. If you do, you’ll cause a whole lot of problems. We are expecting private channels in Teams very soon but here’s an easy way to overcome the default common sharing options in Teams by creating a separate area with unique permissions and linking that back into the Team.

image

Firstly navigate to your Team.

image

Select the Files tab to the right of Conversations to see all the files for that channel as shown above. These are common files that all Team members have the same rights to.

Select the Open in SharePoint option as shown above.

image

This will take you to the location of those channel files in SharePoint as shown above. This location is typically a subfolder with the name of the channel (here General), in a Document Library called Documents

You will need appropriate permissions to complete the process from here. So you will need to be an admin of the Team or a SharePoint Site owner.

image

In the top right of the screen select the COG then Add an app from the menu that appears as shown.

image

Typically, you’ll select to a new Document Library and give it a name.

image

In this case, a new Document Library called Final Presentations has been created as shown.

image

Once you are at this new location, select the COG again in the top right and this time select Library settings as shown.

image

Select the second option from the second column at the top of the page called Permissions for this document library.

image

Now it is just good ol’ SharePoint permissions configuration.

Typically, you firstly select Stop Inheriting Permissions.

image

In this case, Sales members will be changed from Edit to Read permissions by selecting that group and then the Edit User Permissions button. However, you can configure whatever permissions suit your needs.

image

Make sure you select OK after you have made you changes.

image

Once you have completed the require permissions, you need to return to the Team and link this new location there.

image

Inside the Team, select the channel in which you wish this new location to be linked and select the + icon on the right as shown.

image

From the dialog that appears, select Document Library as shown.

image

You can either navigate or input a direct link here. In this case the destination site, Sales, is selected.

image

You should then see the new location you created (here Final Presentations). Select this and then the Next button.

image

Give the new tab a name, which can be different from the location if you wish, and press Save.

image

You should now see the location you created and any files in there as shown above. These items have permissions governed by those set previously in SharePoint but now they are also displayed and accessible in Teams. The great thing is you can link this new location in multiple places and you can link from locations not even in the current Team. As long as users have permissions, they can see and interact with those files based on those permissions.

Hopefully, that is an easy way to create locations for file with unique permissions but still have them accessible for users via Teams.

Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here – http://bit.ly/whereisbj

Microsoft has rolled back it’s recent planned partner changes. we have some new Intune security baseline policies to try (and troubleshoot) and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-211-azure-storage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@directorcia

Updates to partner program (again)

Microsoft Intune announces security baselines

Exchange Online PowerShell WinRM issue

What is Azure Lighthouse?

Without-enrollment and Outlook for iOS and Android

Teams reaches 13 million active users

Planner and To-Do integration

New PowerApps and Flow licensing

Azure storage

Azure File Sync

CIAOPS Techwerks 8–Adelaide October 24

bw-car-vehicle

I am happy to announce that Techwerks 8 will be held in Adelaide on Thursday the 24th of October. The course is limited to 15 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or  sending me an email (director@ciaops.com) expressing your interest.

The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. A special part of this event will be sessions by MVP Amy Babinchak as well as some other surprise guests.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:




























Patron Level Price Inc GST
Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $ 176
Non Patron $ 399


The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Adelaide on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) or complete the form:

http://bit.ly/ciaopsroi

and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

Need to Know podcast–Episode 210

Brenton speaks with global Azure black belt Sarah Young about the new Azure Sentinel service. Of course we also update you on all the happenings in the Microsoft Cloud and there has been plenty of late, so listen along to get all the latest and learn about Azure Sentinel.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-210-sarah-young/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Sarah Young

@contactbrenton

@directorcia

Faster, with a modern design, and new features – the new Outlook on the web is here

Tracking failed logins with Cloud App Security

New Azure discount for CSP partners to come live in October

OneDrive Roundup – June 2019

Announcing question and answer in Yammer

First Microsoft Cloud regions in the Middle East now available

Step 10. Detect and investigate security incidents: top 10 actions to secure your environment

All 10 steps

Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.

SNAGHTML1d8570c5

If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.

image

Select All Devices.

image

Select the PC in question from the list.

image

Now select the Recovery keys option.

image

On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.

image

If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.

image

Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.

image

If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.

image

If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:

https://account.activedirectory.windowsazure.com

and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.