Enterprise Security | Stephen Hackers Blog

22/06/2020

Microsoft Azure Security – Study Notes

By Steve inAdvisor, Alerts, Alerts, App Service, Azure AD, Azure Container Registry, Azure Monitor, Azure Security, Blueprint, Cloud & Datacenter Management, Cloud Security, Conditional Access, Content Trust, Cyber Security, Enterprise Security, Enterprise Security, Externsions, Hot Wired IT Solutions, IAM, Identity Protection, Key Vault, Kubernetes, Logs, Management Locks, Microsoft, Microsoft Azure, Networks, Powershell, Roles, Users and Groups, Security & Compliance, Security Center, Storage Tag AZ-500, AZ500, Azure, Azure Security, Exam, Microsoft, Microsoft Azure Security Technologies, Prep, Study Notes

A collection of all my study notes and lab work while working towards passing the badge Microsoft Certified Security Engineer Associate by passing the AZ-500 exam

These notes are in no order and are not focused towards any exam content other than sharing my experience of configuring and automating security within Azure in the run up to the final exam.

04/06/2020

MS-101: Microsoft 365 Mobility and Security – EXAM PASSED!!!

By Steve inBusiness Applications, Cloud & Datacenter Management, Cloud Security, Cyber Security, Endpoint Manager (Intune), Enterprise Mobility, Enterprise Security, Exchange, Hot Wired IT Solutions, Microsoft, Mobility and Security, Office 365, Office Apps & Services, Powershell, Security & Compliance Tag 365, Exam, Microsoft, Microsoft 365, Mobility, MS-101, MS101, MS365, Passed, Security

MS-101: Microsoft 365 Mobility and Security

EXAM PASSED!!!

#MS365 #Security #365Security #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #Microsoft365 #MicrosoftCloud #Microsoft #alwaysbelearning #MS101 #EXAM #PASSED

03/06/2020

Microsoft 365 – Audit Log Search – UserLoginFailed

By Steve in2FA, MFA, Cloud & Datacenter Management, Cloud Security, Cyber Security, Dark Web, Enterprise Security, Enterprise Security, Exchange, Microsoft, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance Tag Activity, Audit Log, CyberSecurity, Email, Filter, M365, Pwned, RaisingAwareness, Search, Security, User Login Failed, UserLoginFailed, Whois

M365 Admin Portal > “Security & Compliance” > “Search”>”Audit log search” Learn more about searching the audit log

https://protection.office.com/unifiedauditlog

Audit log search, a great place to start regularly checking for unauthorised User Login Failed attempts. This example shows multiple attempts to login from various locations. None physically possible from this user based in the UK. We suspect there has been a breach where this email address / user name was previously registered. Thankfully, this is now only an Alias used these days on a domain we imported into the tenancy. In addition, we have features like MFA, and failed login attempt setting configured on all users.

There are no more than two attempts tried at each IP address logged. So we have avoided a user account being compromised by using a mix of, basic security login attempt policies, MFA enabled and an Alias.

Where can we see Failed login attempts

Audit Log Search

Audit Log Search > Set Activities / Dates > Search

Next apply a filter

Click >Filter Results> “Activity” = “UserLoginFailed”

After identifying the IP – Next Step, check the IPs out. https://whois.domaintools.com

A quick check on the details confirm it was not possible for one of our live users to be in the locations at the time of the failed logins and the IP addresses also weren’t blacklisted.

“78.140.7.9” – Russia

“203.147.83.159” – New Caledonia

“119.160.136.138” – Brunei

One attempt maybe just a one-off end user error, but multiple attempts and various locations something has been compromised. I would certainly suggest a quick change of password and recreate and App Passwords in use.

Check if the accounts have been pwned. A quick check to see if the account has be pwned https://haveibeenpwned.com/

In this case the account has previously had information “email address” & “Password” compromised.

Now going back to the IP address’s

This example located in Australia. Not blacklisted.

So what are the next options suggestions?

Conditional Access
Disable Basic Authentication

We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).

So to help block any brute force basic authentication attempts, we could disable basic authentication, but is there any challenges? So before a blanket disable basic auth, legacy applications would need to be upgraded before disabling basic authentication. Note “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”.

27/05/2020

AZ-500: Microsoft Azure Security Technologies – EXAM PASSED!!!

By Steve inAzure Security, Cloud & Datacenter Management, Cloud Security, Cyber Security, Enterprise Security, Enterprise Security, Hot Wired IT Solutions, Microsoft, Microsoft Azure, Security & Compliance Tag AZ-500, Azure, Certified, Exam, MCP, Microsoft, Microsoft Azure Security Technologies, Passed, Security, Stephen Hackers

AZ-500: Microsoft Azure Security Technologies

EXAM PASSED!!!

#Azure #Security #AzureSecurity #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #MicrosoftAzure #MicrosoftCloud #Microsoft #alwaysbelearning #AZ500 #EXAM #PASSED

25/05/2020

Azure – Setup Azure Blueprints

By Steve inAzure Security, Blueprint, Cloud & Datacenter Management, Cloud Security, Cyber Security, Enterprise Security, Enterprise Security, Microsoft, Microsoft Azure, Security & Compliance Tag ARM, Azure, Blueprint, Example, How to, Policy, Publish, RBAC, Resource Groups, Roles

Challenge: Separate subscriptions for multiple disciplines under the same Azure Active Directory Tenancy.

Required : Each subscription to have the same role assignments

Solution : Azure Blueprints to define a repeatable set of Azure resources

How ?

Azure Blueprints provides

Role & Policy Assignments
ARM templates
And Resource Groups

Reference guides

Tutorial: Create an environment from a blueprint sample
Quick start: Define and assign a blueprint in the portal
PowerShell – Create Blueprint
ARM – Create Blueprint

Getting Started Azure Blueprints (PREVIEW)

Creating Blueprint Guide – Focused on Roles

Create a blue print, if your new, start with a sample predefined Blueprint.

For this example I have selected Resource Groups with RBAC (Role-based Access Control)

Create blueprint> Enter Name, Description and Definition Location

Next : Artifacts

Click Save Draft

How to Publish Blueprint

Click Blueprints > Blueprint Definitions > Select the version to publish

Click Publish blueprint.

Enter version and change notes > Click Publish

25/05/2020

Azure – Advisor

By Steve inAdvisor, Azure Security, Cloud & Datacenter Management, Cloud Security, Cyber Security, Enterprise Security, Enterprise Security, Microsoft, Microsoft Azure, Security & Compliance Tag Advisor, Azure, Cost, High Availability, Operational Excellence, Performance, Recommendations

Sample screen shots of Azure Advisor

Recommendations : Cost , Security, High Availability, Performance, Operational Excellence

Example Recommendations report export, output as a PDF or CSV

25/05/2020

Azure – AD Identity Protection

By Steve inAlerts, Alerts, Azure Security, Cloud & Datacenter Management, Cloud Security, Cyber Security, Enterprise Security, Enterprise Security, Identity Protection, Microsoft, Microsoft Azure, Network Security, Security & Compliance Tag AD, Azure, How To Guides, Identify Protection, MFA Registration Policy, Policy, Reference Guides, RISK, Sign-In Risk, User Risk

This feature looks to identify activity and assign a risk level. “Risk detection and remediation”

All features look to be available in Azure AD Premium P2 and restricted number of features in Azure Premium P1 and Basic/Free.

Key differences are the notifications options only in Azure AD Premium P2.

There are three default polices

User Risk
Sign-In Risk
MFA Registration

Example of the Identity Protection Policies

Reference How To Guides :

How To: Configure the Azure Multi-Factor Authentication registration policy
How To: Configure and enable risk policies
How To : Identity protection configure notifications

25/05/2020

Cloud-Native Security and Performance: Two…

By Steve inCloud Security, Cyber Security, Enterprise Security, Kubernetes, VMware Tag Kubernetes, Patching, Security

Kubernetes in a production environment, and you need to apply a patch #Kubernetes #Security #Patching #Containers

Cloud-Native Security and Performance: Two…

You’re running Kubernetes in a production environment, and you need to apply a patch — perhaps to a commercial application, an open source component or even a container image. How long should it take to implement that patch in production? Thirty days? One day? One hour?

VMware Social Media Advocacy

24/05/2020