Azure Site Recovery is cool!

image

I’ve been working on a new course for the CIAOPS Academy around all things Azure Backup.

Now because I’m not really an on-prem kinda guy any more, and also because I don’t have the physical equipment to do this, I never spent much time with Azure Site Recovery (ASR), which uses Hyper-V Replica technology. However, thanks to creating this course and including an ASR module I gotta say this Hyper-V Replica stuff is really cool!

The great thing with Hyper-V Replica is that you can do it directly between machines or via a cloud service such as Azure. Once you get the two locations replicated and synced you can do all sorts of failovers. That allows you to easily spin up replacement machines in the backup location (such as Azure) as well as recover from these locations.

What really blew me away was how easy this was all to set up with Azure. Much, much easier than I thought. There is a three step wizard you follow through to get everything connected up. Then from there you have lots of disaster recovery (DR) and even migration options.

Thus, you can fail over a local Hyper-V guest to Azure and then use that as a migration process to get that machine into the cloud. That is a really nifty way of moving whole VMs to Azure!

Now of course there is some leg work and understanding you need around Azure Site Recovery and Hyper-V Replicas, but like I said, it is surprising how easy it is to actually implement. I’d therefore suggest that if you are looking to provide DR services for businesses with local Hyper-V guests or looking to migrate existing Hyper-V guests to Azure VMs then you should take a look at Azure Site Recovery.

Of course, I’d also recommend you sign up for my Azure Backup online course to give you a quick start on all the backup options, including Site Recovery. I’ve also got an option where you can sign up for the complete catalogue of my courses annually. One fixed price for access to every online course I create now and into the future. To find out more visit:

http://www.ciaopsacademy.com

By purchasing my online courses you give me the resources to build more.

Answering common questions with Office 365 Part 2

This is the second article in a series of typical customer questions around Office 365. These questions were part of a presentation I did with two other resellers at the Australian Microsoft Partner Conference in 2016. You’ll find the first part of the series here:

Answering common questions with Office 365 Part 1

The question for this article is:

Customer Question – There is a lot of talk about online privacy and governments spying on data. Although my business doesn’t have anything to hide how does Office 365 keep my data private and secure from unwanted ‘prying eyes’? I also have a legal responsibility to ensure my clients’ data remains secure and private. Can this be achieved with Office 365 to ensure I am compliant with any legislation?

In Australia, if you run up an Office 365 tenant today the data will be located in the Australian data centers. An administrator can easily see where their Office 365 data is located using this process:

Office 365 Data location

The E5 license provides functionality known as ‘Customer Lockbox’. This allows the customer to control who accesses their data by basically having requests for access come directly to the customer. I have written an article about this here:

Enabling Customer Lockbox

and you’ll also find some good information about Customer Lockbox in this video:

Information that is sent to and from Office 365 is encrypted:

Encryption in transit

Information saved in Office 365 is also encrypted at rest as detailed in this video:

Depending on the Office 365 license you have (typically E3 or above) you can enable and configure additional security measures to keep your data safe. One of these is Data Loss Prevention or DLP and I have previously detailed how to set this up for SharePoint:

Enabling DLP for SharePoint and OneDrive for Business

Office 365 also includes the ability to enable multi-factor authentication. This means that not only do you need a login and password but you’ll also need something like a unique code sent via text message to log in. You can read more about this here:

Set up multi factor authentication for Office 365

I’ve also previously covered how Office 365 includes basic Mobile Device Management (MDM) that allows you to protect which mobile devices connect to your environment as well as allowing you to set policies to ensure they are secure. You can read more about how to set that up here:

Office 365 Mobile Device Management

With plans from E5 and above you also get the ability to place information on ‘Legal Hold’ to preserve it for long periods of time. More information on those abilities is at:

Legal Hold

These plans also allow you to use advanced eDiscovery to search across all the data sources inside Office 365 for information that matches your pre-defined query. Here is an article I have written about eDiscovery with SharePoint Online:

SharePoint Online eDiscovery

here is a FAQ on eDiscovery:

eDiscovery FAQ

as well as an overview article on eDiscovery in Office 365:

eDiscovery in Office 365

As I have written about previously, many users of E3 licenses and above don’t appreciate that they have the ability to use Rights Management to protect their documents no matter where they are located. My article explaining all this is here:

Office 365 E3 and above includes Rights Management

I also have an article on using Rights Management with SharePoint Online here:

Using Office 365 Rights Management with SharePoint Online

and here’s more information on Rights Management in Office 365:

Information Rights Management 

and how you use email message encryption:

Office 365 message encryption

As I have said before, the security features of Office 365 are one of the real differentiation points when it comes to online services. There are lots and lots more features I could dig into here but I’ll point you to a presentation I gave a while back on Office 365 security which is a good overall summary of what’s available:

https://docs.com/d/embed/D25195817-5129-1561-2200-001922537313%7eMd4186d87-61d5-259a-4d26-00a8bd86cfff

The slides are also available here as well:

https://doc.co/uWMfkS/qcihGm

I’ll also point you to the article I wrote on the new Microsoft Secure Score service that allows you to rate how secure your tenant is and then take actions to improve that:

Office 365 Secure Score

You can rest assured that Microsoft takes security very seriously and as such, has many features available across all plans to ensure your data remains private and secure. You can increase that security by using the Enterprise Plans such as E3 and above to enable even more security. For what these advanced plans provide, their cost is cheap. Really cheap. So if you haven’t considered what additional security plans like E3 include then I’d strongly encourage you to check out the features.

Watch out for the answers to more common questions with Office 365 coming soon.

Answering common questions with Office 365 Part 1

I was recently lucky enough to present at the Australian Partner Conference 2016 with Microsoft and two other resellers. The focus of our presentation was around how to answer common user questions with Office 365 and the features that it includes.

What I thought I’d do is share these questions and answers over a few blog posts. So here is part one.

Customer question – I know a lot of businesses that are getting hit by this crypto locker malware where their documents are being encrypted and they are being asked to pay a ransom. I am really worried that one of my employees may inadvertently open an infected file and we’d be in the same boat as we get lots and lots of attachments every day. How can Office 365 protect me against that?

Office 365 already includes advanced malware protection in email by default. With the E5 license you also get:

Advanced Threat Protection

as well which includes the ability to open suspect attachments in a sandboxed environment to determine what happens and take the appropriate action. More details of these features can be found in this video:

By default, every time a document is updated in SharePoint Team Sites or OneDrive for Business the previous version is saved. Thus, if a file does become encrypted it can be quickly rolled back to a previous version.

At the moment, if multiple files do become encrypted and uploaded there is no single command sequence that would allow you to roll back multiple files. Unfortunately, rolling back to a previous version has to be done one file at a time. However, as I understand it, Microsoft is working on a process to roll back multiple files via a single command. I also believe it is possible to do this using advanced scripting (aka PowerShell).
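As an added example (not code from the original post, and not Microsoft’s bulk-restore process mentioned above), the following script shows the scripted approach: it walks a document library, finds every file modified after the time the encryption started, and restores the last version saved before that time. It assumes the PnP.PowerShell module is installed; the site URL, library name and cut-off time are placeholders you would replace with your own.

```powershell
# Added example, not from the original post. Rolls every file in a library
# that changed after $cutOff back to the latest version saved before $cutOff.
# Assumes PnP.PowerShell is installed; URL, library and time are placeholders.
Connect-PnPOnline -Url 'https://contoso-my.sharepoint.com/personal/user_contoso_com' -Interactive

$library = 'Documents'                              # placeholder library name
$cutOff  = [datetime]'2016-09-01T09:00:00'          # placeholder: when the encryption began

$items = Get-PnPListItem -List $library -PageSize 500 -Fields 'FileRef','FileLeafRef','Modified'
foreach ($item in $items) {
    if ($item.FileSystemObjectType -ne 'File') { continue }     # skip folders
    if ([datetime]$item['Modified'] -le $cutOff) { continue }   # untouched since cut-off

    # Version history is what makes the rollback possible; pick the newest
    # version that predates the incident.
    $good = Get-PnPFileVersion -Url $item['FileRef'] |
        Where-Object { $_.Created -lt $cutOff } |
        Sort-Object Created |
        Select-Object -Last 1

    if ($null -eq $good) {
        # Happens when the encrypted copy was uploaded as a new file rather than
        # as a new version of an existing one; these need restoring from backup.
        Write-Warning "No pre-incident version for $($item['FileLeafRef']); skipping"
        continue
    }

    Write-Host "Restoring $($item['FileLeafRef']) to version $($good.VersionLabel) from $($good.Created)"
    # Restoring creates a new current version; the encrypted version stays in
    # history, so nothing is destroyed if the cut-off time turns out to be wrong.
    Restore-PnPFileVersion -Url $item['FileRef'] -Identity $good.Id -Force
}
```

Two practical points: isolate or disconnect the infected PC and its OneDrive sync client before running this, otherwise the restored files are simply re-encrypted and re-uploaded; and the script only helps where versioning is on (the default in SharePoint Online and OneDrive for Business) and enough versions have been retained.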

Exchange Online also allows you to create rules to automatically exclude certain attachments and quarantine them before they are delivered to end users. A good reference is:

Reducing malware threats through file attachment blocking

You can also use a third party mail cleansing service, such as Mailguard, in front of Exchange Online.

Of course, the best protection that you can have is informed and paranoid users. Part of any security policy for a business needs to be education, not abdication of this to technology. Technology is not 100% reliable; there is always the chance of some attack slipping through the protective technology security net that is erected around the business. On the odd occasion that this should transpire, if it is greeted with informed and paranoid users then the chance of the payload being delivered, and the business being interrupted, is much lower. You know, an ounce of prevention and all that.

Office 365 provides some excellent protection by default. The premium Office 365 licenses provide better protection. Appropriate configuration and user education provide even more protection. Finally, there is always the option to integrate third party solutions.

Office 365 Secure Score

One of the real differentiators that Office 365 provides I believe is security. A new initiative that Microsoft have announced is:

New security analytics service

image

You can try this out for yourself. Firstly, login to your Office 365 tenant as a global administrator. Then, in a new browser tab, navigate to:

https://securescore.office.com/

You’ll be asked to provide Secure Score permissions to your tenant as you see above. Simply select Accept to continue.

image

Your tenant will then be assessed and rated as you can see above (in this case on a demo tenant).

This site not only gives you a security rating for your own tenant but it also provides you with an Action list which you can undertake to make your tenant more secure.

image

image

As you slide the bar in the middle of the page you see your security score increase. However, when you do this, you also see the Actions in the queue increase. Basically, to make your tenant more secure you have to take more actions. Obvious!

image

You can drill into an Action item to get more details as you see above.

image

If you select the Learn More button you get an informational card appear on the right with a Launch Now link to take you straight to the location to make the change.

image

The most interesting item on this page is over on the right, under Compare your score, as shown above.

What I find interesting is that this demo E5 tenant, more or less out of the box, is over 4 times more secure than the average! Not sure how this average is arrived at, and maybe it currently doesn’t include every tenant, but WOW do a lot of people have a lot of work to do to secure their tenant!

You’ll find plenty of other great information on this page as well as the ability to view your score over time, so it is worth spending time to explore.
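The score history and the comparison against the average are also exposed through Microsoft Graph. The script below is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Authentication module and an account that has consented to the SecurityEvents.Read.All permission, and it assumes the comparison basis named “AllTenants” is the cross-tenant average shown in the portal.

```powershell
# Added example, not from the original post. Lists the tenant's daily Secure
# Score records from Microsoft Graph and computes the same "times the average"
# figure the portal's Compare your score panel shows.
# Assumes Microsoft.Graph.Authentication and the SecurityEvents.Read.All scope.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'

# One secureScore record is produced per day; $top=30 gives about a month of history
$uri    = 'https://graph.microsoft.com/v1.0/security/secureScores?$top=30'
$scores = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

foreach ($s in $scores) {
    $pct = [math]::Round(100 * $s.currentScore / $s.maxScore, 1)

    # Assumption: basis "AllTenants" is the cross-tenant average; other bases
    # (seat-count and industry comparisons) may also be present in the list.
    $avg   = ($s.averageComparativeScores | Where-Object { $_.basis -eq 'AllTenants' }).averageScore
    $ratio = if ($avg) { [math]::Round($s.currentScore / $avg, 2) } else { 'n/a' }

    '{0}  score {1}/{2} ({3}%)  all-tenant average {4}  ratio {5}' -f `
        ([datetime]$s.createdDateTime).ToString('yyyy-MM-dd'),
        $s.currentScore, $s.maxScore, $pct, $avg, $ratio
}
```

Running this on a schedule and keeping the output is a simple way to track whether the actions you take are actually moving the score, rather than relying on the portal view alone.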

In short, this is a great tool from Microsoft. It is simple to use and understand as well as making improving your Office 365 security dead easy! If you have Office 365 then I’d suggest you go and check out your security score. After visiting, I reckon you’d pretty much at least double your score by following the recommendations the site makes.

Enabling DLP for SharePoint and OneDrive for Business

DLP or Data Loss Prevention is a way inside Office 365 (E3 suites or above) that you can protect data from leaving the organisation. You can use DLP to protect not only email attachments but also files in SharePoint Online Team Sites and users’ OneDrive for Business.

Office 365 provides a number of standard templates for protecting standard information, such as credit card information as detailed here, but you can also customise the DLP policies to protect any custom data you wish.

image

The first step in using DLP is to set up and enforce the policies you wish to use. To do this you’ll need to login to the Office 365 portal as an administrator with the appropriate rights. You’ll then need to navigate to the tenant Admin area. From the menu on the left hand side of the screen expand the Admin centers option. From the options that appear select the Security & Compliance item.

image

From the Security and Compliance console select Security policies on the left. From the options that then appear below this select Data loss prevention. If this menu item doesn’t appear then you currently don’t have an Office 365 plan that supports DLP.

image

On the right hand side you will probably see that the list is empty. Select the Plus icon to create a new policy.

image

You can select from a number of templated policies if you wish but in this case select Custom and then the Next button.

image

You now need to select the areas in which this policy will apply. You can specify unique locations but for this example we’ll simply select all locations and then continue.

image

At the next screen select the Plus icon to set the rules you wish to test for.

image

In the new window that appears select the Add condition button.

image

From the pull down menu that appears select Content containing sensitive information.

image

Select the Plus icon that appears to enter the actual rules.

image

Scroll down the list that appears and select Credit Card Number. You can select other items here but in this case all we want this example DLP rule to test for is credit card numbers.

Select OK to continue.

image

You should now see the entry appear in the list as shown above. You can edit this entry if you wish by selecting it and then pressing the Pencil icon (edit).

image

Select the Actions item from the menu on the left.

image

Select the Add actions button on the right.

image

In this example, select Block the content. This will prevent anything that matches this rule from being shared.

image

You should now see the blocking Action listed as shown above.

image

Select the Incident report option from the menu on the left. Enter the details if you wish to receive a report of any actions on this policy.

image

Select General from the menu on the left. Give this set of rules a name and save them.

image

You should now see the rules listing appear as shown above in the DLP policy you just created. You can create as many of these rules inside a single policy as you wish. However, best practice is always to keep it simple.

image

Give the DLP policy a name and select the option to Turn on the policy.

Select Create to complete the policy creation process.

image

You should now see the policy listed in the DLP area as shown above. You should also see that the Status is set to On.

The DLP policy will not come into effect immediately. It will take a little while (15 – 30 minutes typically in my experience) to roll out through your tenant.

image

To test the policy, create a document in your OneDrive for Business that contains credit card numbers as shown above. The numbers used here are verified public ‘test’ card numbers.

image

Now create a public View link that requires no sign-in as shown above. This should allow anyone who clicks on that link direct access to the file without the need of a login or password.

image

When the DLP policy is active anyone trying to access that link will have the content blocked as shown above. This confirms that the DLP policy is working as expected.

image

If you also elected to get alerts you should find one in your inbox as shown above.
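The same policy can be created without clicking through the wizard. The script below is an added example, not code from the original post or from Microsoft: it builds the credit-card policy described above with the Security & Compliance PowerShell cmdlets, scoped to all locations, blocking matching content and sending an incident report. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a compliance administration role; the UPN, mailbox and policy names are placeholders.

```powershell
# Added example, not from the original post. Creates the credit-card DLP policy
# from the walkthrough with Security & Compliance PowerShell.
# Assumes ExchangeOnlineManagement is installed; UPNs and names are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$policyName = 'Credit card numbers - block sharing'      # placeholder policy name
$reportTo   = 'compliance@contoso.onmicrosoft.com'       # placeholder mailbox for incident reports

# The policy sets the scope. "All" on each workload matches the wizard's
# "all locations" choice; -Mode Enable matches "Turn on the policy".
# Use -Mode TestWithNotifications to pilot a policy without blocking anyone.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks sharing of content that contains credit card numbers' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode Enable

# The rule carries the condition and the action: the built-in "Credit Card
# Number" sensitive information type, block access, and an incident report.
New-DlpComplianceRule -Name 'Credit card number detected' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -BlockAccess $true `
    -GenerateIncidentReport $reportTo

# Verify the objects and watch distribution. Enforcement lags creation, as the
# walkthrough notes; DistributionStatus shows when every workload has the policy.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, ContentContainsSensitiveInformation, GenerateIncidentReport
```

Testing is the same as in the walkthrough: wait for DistributionStatus to report success, then share a document containing the public test card numbers via an anonymous link and confirm the content is blocked and the incident report arrives.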

Thus, DLP is a way to protect your Office 365 information by examining the contents against a set of rules that you create. It can examine both email and file data then take actions which you determine.

DLP is part of the E3 or better suite in Office 365.

Enable Customer Lockbox from Classic Office 365 Admin portal

image

At this stage of the game it appears that not everything has been migrated to the new Office 365 Administration Console. One of the things that is missing is the Customer Lockbox configuration (which is available with the E5 plan).

image

To get to the old admin center select the button in the top right of the Office 365 Admin center preview screen. Once you have done that, follow my previous article:

Enabling Customer Lockbox

image

When you have enabled Customer Lockbox according to my article, select the orange bar across the top of the Office 365 admin center to revert back to the new Admin center preview that you started out with.

I would assume that the control of Customer Lockbox will eventually make its way into the new Admin portal but for now you’ll need to go round the long way to configure it.

Office 365 Security and Compliance Overview

A common question you get with any cloud service is around security and compliance. Many don’t realise that Office 365 has many advanced features built right into the product. You also get a lot more features when you start looking at enterprise plans such as E3 and up.

The above video is an overview of what’s available with Office 365 Security and Compliance. It contains many of the features that I believe most people aren’t even aware of.

Of course, Office 365 security and compliance features and abilities continue to improve but hopefully this tutorial will give you a better concept of exactly what is available with the product.

The impact of Stuxnet

I’ve always had a fascination for the change cyber security is bringing and how little people appreciate the challenges and dangers it provides. One of these major changes of late has been the Stuxnet program and how it now seems evident that we are at the start of a new age of cyber warfare.

If you have any interest in cyber security or the changing face of the digital world that we live in I’d highly recommend you take a look at the above documentary:

Zero Days – Stuxnet and the Iran Nuclear Program

It provides a really good in depth examination of what Stuxnet is and how it has impacted us far beyond its original mandate.

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

I’d also commend to you the book:

Countdown to Zero Day

which also covers a lot of the same material.

Ultimately, I still firmly believe that technology will doom us all as I see more and more of our lives being placed in critical but effectively insecure systems all being tied together. This growing interdependency means a failure of one part of the system potentially leads to a catastrophic failure of the complete system.

Yes, technology is amazing and yes technology can help us solve many problems, but when these solutions create additional vulnerabilities is the cure worse than the cause? All I can say is make sure you have your contingencies in place and always be sceptical of technology. Trust but verify, as they say.

The ramifications of Stuxnet go far beyond the job it was designed to do. Seeing the movie and reading the book will help you understand that Pandora’s box has now been opened.