Need to Know podcast–Episode 266

Jeff Alexander from Microsoft joins me to catch up and talk about the ‘new normal’, securing remote environments, update management, migrations and more. Jeff also shares some handy information about the Microsoft Fasttrack service and why everyone should take advantage of it. I also bring you up to date with what’s happens in the Microsoft Cloud at the top of the show, so lean back, listen in and enjoy.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-266-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show

Resources

Jeff Alexander – @jeffa36, About Me, Linkedin

Benefits of Fasttrack

Cloud Management Gateway

Microsoft Secure Score

Azure AD Conditional Access

Microsoft Zero Trust

Windows 10 Cloud Configuration

Overview of Windows Autopilot

Microsoft adoption

Step-by-step threat protection in Microsoft Defender for Office 365

Announcing the iOS/iPadOS Security Configuration Framework

OneDrive sync 64-bit for Windows now in public preview

Block BCC Messages to Distribution Groups in Exchange Online

Install Viva Connections today

Get started with trials for Microsoft Viva Topics

New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats

SharePoint: 20 years young

New threat and vulnerability management experiences in Microsoft 365 security

Email filtering reports

Launching threat analytics for Microsoft 365 Defender

Best practices for migrating to SharePoint and OneDrive

Exchange Online AV engines

I have found that many don’t appreciate that Exchange Online uses anti virus engines from multiple providers, apart from Microsoft.

“We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, two added signature based engines, plus URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can’t choose one anti-malware engine over another.:

per – How many anti-malware partners do you have? Can I choose which malware engines we use?

So email will be scanned by three (3) engines in total. One from Microsoft and another two from third parties.

Native external sender notifications in Exchange Online

I’ve never been a big fan of setting up rules to add a HTML banner to inbound emails, as shown above, that “warn” a user about an external email source. I dislike this solution for a number of reasons, including that it is something that an attacker can replicate, it creates a certain amount of complacency for the receiver and it ends up embedded in every reply to the email going forward.

i do however understand what is trying to be achieved here due to a lack of something provided by Exchange Online. That is, until now! A native approach is now available.

You can now get the External tag, as shown above, to appear in all versions of Outlook (desktop, web and mobile) to help understand the origin of email messages. I like this solution much better because it is built into the platform and appears in an area that an attack would find really hard to replicate. Having such labelling as a native part of Exchange Online is a much better approach I feel.

You also get the above when you view the email item.

You can enable this on new inbound messages received (only from the point you enable it going forward) using PowerShell.

You’ll need to firstly ensure that you have the latest version of the Exchange Online V2 PowerShell module. The minimum version required is 2.0.4. To verify this, and to ensure all the Microsoft 365 PowerShell modules are current in your environment, I encourage you to use my script:

https://github.com/directorcia/Office365/blob/master/o365-update.ps1

that will verify and update if necessary. Just remember to run the PowerShell environment as an administrator prior to running my update script.

Now connect to Exchange Online using PowerShell. Again, you can use my script at:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

to do this. In fact, using that script will also ensure that you have the latest version of the Exchange Online PowerShell V2 module installed.

Once connected to Exchange Online as an administrator running the command:

Set-externalinoutlook -enabled $true

The best documentation is currently here:

https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/exchange/exchange-ps/exchange/Set-ExternalInOutlook.md

as this is still a new command at this point in time. You’ll also note that the command also has an Identity and AllowList option that you can further customise your settings.

Once the command has been run it will take a few hours for the External label to start appearing on emails from outside the organisation.

I would expect to see further configuration options become available as well as improvements to the label display. However, a very handy option that will improve the security in your environment and I’d encourage you enable it today!

March Microsoft 365 Webinar resources

Slides from this month’s webinar are at:

March 2021 Microsoft 365 Need to Know Webinar

If you are not a CIAOPS patron you want to view or download a full copy of the video from the session you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.

Another Defender for Endpoint integration

If you visit Microsoft Endpoint Manager | Endpoint Security | Microsoft Defender for Endpoint and scroll down the page on the right you see the new section App Policy Protection Settings as shown above. Turning this ON will basically allow the state of Microsoft Defender on both Android and iOS to feed into your compliance policies.

Once you have enabled these settings visit Apps | App Protection policies and edit or create an policy. During this process you will find a Conditional launch section. If you then scroll down to the bottom of tat page you will the screen shown above where you can add the setting for Max allowed device threat option. This basically is the threat level you would allow on your device. If the threat level on a device goes above this then the selected action will take place. That action can either be Wipe or Block. Wipe is rather drastic, especially to start with, so Block is probably the best starting point.

You can read more about this new capability here:

Microsoft Defender for Endpoint risk signals available for your App protection policies (preview)

It is a nice integration we are beginning to see more of between device management and Defender for Endpoints.

Reviewing Windows 10 Audit Policy Settings

I have spoken about things like Attack Surface Reduction (ASR) for Windows 10 and how easy they are to implement to improve the security of Windows 10:

Attack surface reduction for Windows 10

Another very important aspect of securing Windows 10 environments is to ensure that the audit policy settings are appropriate to capture the right information to help with any investigation. To that end, I have a free scripts available at:

https://github.com/directorcia/Office365/blob/master/win10-audit-get.ps1

which will show you the current audit policy settings in your environment like so:

As you can see from the above screen gab, many audit settings are not enabled out of the box. Please note, you’ll need to run the script as an administrator for it be able to report the audit policy settings.

You’ll find the best practice recommendations for audit policy settings from Microsoft:

Audit Policy Recommendations

and government departments like the Australian Cyber Security Center:

Hardening Microsoft Windows 10 version 1909 Workstations

Look for the section heading – Audit Event management in the above page.

As always, there are number of different ways to enable these best practice audit policy settings on your Windows 10 devices. To my mind using Microsoft Endpoint Manager that comes with offerings like Microsoft 365 Business Premium is the easiest.

And the quickest way to do this inside Microsoft Endpoint Manager is simply to apply the Windows 10 Security Baseline policies as shown above. To read more about this capability visit:

Use security baselines to configure Windows 10 devices in Intune

In fact, the results from my script are based on the settings found in the Windows 10 Security Baseline policy.

To read more about these security audit policies for Windows 10 I encourage you to take a look at:

Advanced security audit policy settings

and remember, you can configure these settings at the command line if you need to using the:

auditpol

command, which is exactly what I used in my script to extract the current settings. However, deploying them using Microsoft Manager for Endpoint and baseline policies is going to be far easier across a fleet of devices.

What the online world can learn from recent on prem Exchange Server challenges

It has been a pretty challenging few days for those that still manage and maintain on premises Exchange servers thanks to:

HAFNIUM targeting Exchange Servers with 0-day exploits

Throughout which I’ve seen a lot of smug cloud administrators wondering why people still bother with on premises. I think a better use of their energies would be to look at the current situation and learn from it rather than allocating it to self righteousness.

The cloud is a shared responsibility model. This means that both Microsoft and end user now responsible for the security of cloud infrastructure. Luckily, these recent Exchange issues have largely fallen to Microsoft when it comes to the cloud. Where there is room to learn for the rest of us, is in the response to the situation from those battling to contain it.

From everything I have seen online in regards to the HAFNIUM issue, what I find most interesting is the lack of a response plan. Technically, administrators can follow directions, run scripts, patch systems pretty well. However, most seem totally unprepared for this kind of situation, especially at scale. That’s what worries me the most. Why? Because challenges in the cloud can easily be of the same scale and impact.

There have been plenty of examples when services like Azure AD or Exchange Online have been unavailable, but when they have, I’ve seen the same level of, dare I say, panic. Because systems work 99.99% or more of the time ‘on average’, a large amount of complacency begins to creep into the system, especially those charged with maintaining these systems. Thoughts of disaster recovery and outage impact get put on the back burner and never really addressed because there are always ‘higher’ priorities.

What worries me is the dependency we have built into our modern lives, business and economy, to the point where most cannot function if their phones run out of charge. What worries me when I look at the response I see to broad security challenges in IT is simply the lack of a credible contingency plan. A check list of what to do, if you like. Of course, you can’t have a plan for every contingency but some semblance of a plan is better than no plan at all surely?

In the end it comes down to risk analysis. When the sun is shining, risk analysis is the furthest thing from people minds. This however, is exactly the time that it should be a priority because developing a strategy in midst of a crisis does not generally lead to the best outcome. You want to have a checklist of what to do, well in advance of whenever you may need it.

Even though the systems I work with are cloud based are immune from the HAFNIUM (it appears at least), that doesn’t stop me learning from how the unfortunate are dealing with it. I’m watching, learning and preparing, because as the saying goes, “When did Noah build the Ark?”

Before it rained.

A painful bulk email sending lesson

I needed to get some event registration and Microsoft Teams meeting details out to around 100+ users recently. So, I composed the email, Bcc’d people and pressed Send as I always do.

Not longer after, I get a failed delivery to all those addresses as you can see above. The message reads:

Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.

What the hell is going on here I thought? I’ve done this before, what’s wrong?

As always, the issue has to do with the email security settings I have. One of my primary recommendations with outbound spam filtering is to limit the amount of emails that a user can send per hour and then block them once they reach this threshold.

I had, of course, gone for a very low setting because ‘I never send more than 90 email per hour’ to external recipients. We’ll guess what? The email I just tried to send crossed that threshold and now I was blocked as a user. I could no longer send ANY emails!

So that’s the why, now the how to fix it so I could again send emails?

Initially, I thought that I’d just go in and change the policy and bump up the threshold plus set the action to alert only. Surely, that’ll fix my problem, right? After retrying 5 minutes, 10 minutes, etc up to 1 hour after the change, I still had the same issue. Damm!

As it turns out, because I had contravened that outbound spam policy I’d ended up as a ‘Restricted user’, as shown above. The direct URL to this portal is:

https://security.microsoft.com/restrictedusers

I could go in there and select the Unblock link to the right of my login.

I’m take through a wizard as shown above, giving me the reason why I have been restricted and some recommendations.

Given that I already have MFA enabled and I’m happy that my password has not been compromised, I select the Unblock user button at the bottom of the page. Note, the warning at the bottom of the page here:

It may take up to 1 hour before restrictions are removed

Damm!

I receive a last warning about removing the restrictions, to which I select Yes to continue.

After waiting the 1 hour, as directed, I was back in business.

In summary, it is always the exception that catches you out. I had never before crossed the outbound threshold limits before. I must have been close, but clearly this send was above those limits and resulted in contravention of the policy. The result being that I ended up on the restricted user list, unable to send. Once I had worked out how to get myself off that list, by visiting the appropriate portal, it was easy enough to get things back in order, although the up to 1 hour wait for this removal process to complete should not be overlooked.

After this learning experience, the question is now, what should my outbound spam policy be set to? I rarely send this many emails within an hour time frame, but I may indeed need to do so in the future again at some point? Should I increase the limit from 90? Should I also change the action from restrict to just alert? All very good questions I’ll need to consider.

So the learning from this experience is, when you get a security exception, where do you look to work out why it has happened? Second, how to ‘allow’ it if the action was not an exploit? Finally, what adjustments should be taken in the policy to avoid the same instance happening again in the future. Security is not an exact science and it is exceptions that cause you the greatest pain. Sometimes that pain will be due to a false positive, but in the end, I’d rather experience that pain than a full on breach!