Security | Stephen Hackers Blog

21/01/2021

How to Enable “Security Defaults” in Azure and Office 365

By Steve inActive Directory, Azure AD, Azure Security, Cloud & Datacenter Management, Conditional Access, Enterprise Security, Microsoft Azure, Office 365, Office Apps & Services, Office365, Security & Compliance, Security & Compliance Tag 365, Azure, Azure AD Multi-Factor Authentication, Basic Auth, Blocking legacy authentication protocols, Defaults, Legacy, MFA, Modern Authentication, MS Azure, MS365, multi-factor authentication, Office 365, Org Settings, Protecting privileged activities, Security, Security Defaults

Security Defaults in Azure Portal. IMPORTANT, SECURITY DEFAULTS IS NOT ALWAYS ENABLED BY DEFAULT. YOU MUST CHECK YOUR SETTINGS

What does Security Defaults give you? Security Defaults when enabled provide the following preconfigured security settings:

Requiring all users to register for Azure AD Multi-Factor Authentication.
Requiring administrators to perform multi-factor authentication.
Blocking legacy authentication protocols.
Requiring users to perform multi-factor authentication when necessary.
Protecting privileged activities like access to the Azure portal.

Azure Active Directory security defaults | Microsoft Docs

How do you enable? Azure Active Directory > Properties > Manage Security Defaults > Yes > Save

Useful links:

Discovering and blocking legacy auth:
Discovering and blocking legacy authentication in your Azure and Microsoft 365 subscriptions – Jussi Roine

Understanding Modern vs Legacy auth:
Understanding Modern vs. Legacy Authentication in Microsoft 365 – Ru365 (campbell.scot)

20/07/2020

Security Is a Hugely Strategic Area For VMware:…

By Steve inCloud Security, Cyber Security, Enterprise Security, VMware Tag Security, Strategic, Vision, VMware

Video discussion about VMware and their recent acquisition, security company Octarine. #Security #VMware #Octarine

Security Is a Hugely Strategic Area For VMware:…

VMware recently acquired yet another security company Octarine. The acquisition shows again that VMware is taking security extremely seriously. We sat down with Tom Corn, Senior Vice President of Security Products at VMware to talk about this acquisition and also why is VMware taking […]

VMware Social Media Advocacy

15/06/2020

Content Search – Security And Compliance – Search A Mailbox For Specific Content And Then Export Results

By Steve inAlerts, Alerts, Azure Security, Cloud & Datacenter Management, Enterprise Security, Exchange, Logs, Microsoft, Microsoft Azure, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance, Security Center Tag Azure Security, Compliance, Compliance.microsoft, Content Search, Export, Investigation, Mailbox, New Search, Search, Security, Security And Compliance, specific word

If you’re doing some compliance investigation work, you may need to search a user’s mailbox for specific words.

This is how To Search Email Content in Office 365 Security & Compliance for a specific user which sent email containing a specific word then export results.

Reference guides – Content search

Microsoft Docs Content Search

Microsoft Docs Export Search

Content Search : How to search a mailbox for specific keywords and export the data

Mircosoft 365 Admin Center -> Compliance Admin Center

Content Search > + New Search

New Search > Keywords “Blog” example > Specific Locations > Modify > Choose Users, Groups or Teams

Enter users name > Select > Choose

Done > Save > Save & Run > Save Search

This search will trigger a default alert email to be sent out

Next step, Export the results

Unable to preview results problem or export?

If you cannot preview, you need to add a role to the user account, eDiscovery Administrator role (Example) or eDiscovery Manager for specific cases / Compliance Admin / Compliance Data Administrator

You must sign out and sign in for the groups to take effect.

Now back to the search

After the you can see the preview, now you can click Export

Click Export > ReportsOnly or Export > Copy to clipboard export key > Download report > Install eDiscovery Export Tool

Export tool installs

Use the Export Key and Set a directory.

File Downloads

Now you can open the report exported

04/06/2020

MS-101: Microsoft 365 Mobility and Security – EXAM PASSED!!!

By Steve inBusiness Applications, Cloud & Datacenter Management, Cloud Security, Cyber Security, Endpoint Manager (Intune), Enterprise Mobility, Enterprise Security, Exchange, Hot Wired IT Solutions, Microsoft, Mobility and Security, Office 365, Office Apps & Services, Powershell, Security & Compliance Tag 365, Exam, Microsoft, Microsoft 365, Mobility, MS-101, MS101, MS365, Passed, Security

MS-101: Microsoft 365 Mobility and Security

EXAM PASSED!!!

#MS365 #Security #365Security #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #Microsoft365 #MicrosoftCloud #Microsoft #alwaysbelearning #MS101 #EXAM #PASSED

03/06/2020

Microsoft 365 – Audit Log Search – UserLoginFailed

By Steve in2FA, MFA, Cloud & Datacenter Management, Cloud Security, Cyber Security, Dark Web, Enterprise Security, Enterprise Security, Exchange, Microsoft, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance Tag Activity, Audit Log, CyberSecurity, Email, Filter, M365, Pwned, RaisingAwareness, Search, Security, User Login Failed, UserLoginFailed, Whois

M365 Admin Portal > “Security & Compliance” > “Search”>”Audit log search” Learn more about searching the audit log

https://protection.office.com/unifiedauditlog

Audit log search, a great place to start regularly checking for unauthorised User Login Failed attempts. This example shows multiple attempts to login from various locations. None physically possible from this user based in the UK. We suspect there has been a breach where this email address / user name was previously registered. Thankfully, this is now only an Alias used these days on a domain we imported into the tenancy. In addition, we have features like MFA, and failed login attempt setting configured on all users.

There are no more than two attempts tried at each IP address logged. So we have avoided a user account being compromised by using a mix of, basic security login attempt policies, MFA enabled and an Alias.

Where can we see Failed login attempts

Audit Log Search

Audit Log Search > Set Activities / Dates > Search

Next apply a filter

Click >Filter Results> “Activity” = “UserLoginFailed”

After identifying the IP – Next Step, check the IPs out. https://whois.domaintools.com

A quick check on the details confirm it was not possible for one of our live users to be in the locations at the time of the failed logins and the IP addresses also weren’t blacklisted.

“78.140.7.9” – Russia

“203.147.83.159” – New Caledonia

“119.160.136.138” – Brunei

One attempt maybe just a one-off end user error, but multiple attempts and various locations something has been compromised. I would certainly suggest a quick change of password and recreate and App Passwords in use.

Check if the accounts have been pwned. A quick check to see if the account has be pwned https://haveibeenpwned.com/

In this case the account has previously had information “email address” & “Password” compromised.

Now going back to the IP address’s

This example located in Australia. Not blacklisted.

So what are the next options suggestions?

Conditional Access
Disable Basic Authentication

We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).

So to help block any brute force basic authentication attempts, we could disable basic authentication, but is there any challenges? So before a blanket disable basic auth, legacy applications would need to be upgraded before disabling basic authentication. Note “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”.

27/05/2020

AZ-500: Microsoft Azure Security Technologies – EXAM PASSED!!!

By Steve inAzure Security, Cloud & Datacenter Management, Cloud Security, Cyber Security, Enterprise Security, Enterprise Security, Hot Wired IT Solutions, Microsoft, Microsoft Azure, Security & Compliance Tag AZ-500, Azure, Certified, Exam, MCP, Microsoft, Microsoft Azure Security Technologies, Passed, Security, Stephen Hackers

AZ-500: Microsoft Azure Security Technologies

EXAM PASSED!!!

#Azure #Security #AzureSecurity #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #MicrosoftAzure #MicrosoftCloud #Microsoft #alwaysbelearning #AZ500 #EXAM #PASSED

25/05/2020

Cloud-Native Security and Performance: Two…

By Steve inCloud Security, Cyber Security, Enterprise Security, Kubernetes, VMware Tag Kubernetes, Patching, Security

Kubernetes in a production environment, and you need to apply a patch #Kubernetes #Security #Patching #Containers

Cloud-Native Security and Performance: Two…

You’re running Kubernetes in a production environment, and you need to apply a patch — perhaps to a commercial application, an open source component or even a container image. How long should it take to implement that patch in production? Thirty days? One day? One hour?

VMware Social Media Advocacy

22/05/2020

AZURE – Control Storage Access by Networks

By Steve inAzure Security, Cloud & Datacenter Management, Cyber Security, Enterprise Security, Enterprise Security, Microsoft, Microsoft Azure, Network Security, Networks, Storage Tag Access, Allow, Azure, Azure Security, Firewall, Network, Security, Storage, Storage Account

We have a storage account, “StorageV2 (general purpose v2)” and its can be accessed initially from all networks. We now want to restrict the storage access to an approved network location.

How?

Click on the storage account > Firewalls and virtual networks and click “selected networks”

You can allow access from virtual networks or allow access through the firewall. Example below adds a Virtual network name and an external IP range. Then click Save.

15/05/2020

IT Enterprise Security – Overview

By Steve inCyber Security, Enterprise Security, Security Tag Compliance, Enterprise, Enterprise Security, Framework, IT, IT Enterprise Security, NIST, Security, SysAdmin

This post is looking at IT Security for the Enterprise. I have often visited new clients and reviewed the security landscape. The results are often surprising to the senior management. So the question is, does a business or brand need to review and plan IT Enterprise Security? The Sys Admin reports all the systems are all OK, the users are happy and the business hasn’t appeared on the news. So if you are hired as an IT Enterprise Security Architect, what does that mean and what value does this role bring to a business?

Take a step back and ask yourself, what is IT Enterprise Security? How can you understand the current IT Enterprise Security state? To learn about the IT enterprise security state, you need to pick and apply a security framework to a business. For example using a security framework like NIST gives us the ability to understand the security state of the business. This framework is a method to highlight information about the overall security state and which areas need investment and have room for improvement.

So how does the process start?

Prep Work, Review Core Areas:

Understand the Business.
How or what would you attack?
How can you protect?
How would you investigate and recover?

What stage make up the core areas:

When you first enter a business unlock the knowledge.

What does the business do?
Who are the customers?
What is the IT infrastructure and EUC?
Who is the IT people? (Get to know them)
Who is the management and the key stake holders?

Next work out how you would break into the business

What ways could you get in?
Who would you target?
Would anyone know if you did break in?
What is the worst thing you could do?

Review and Protect

Identify Key resources
Known issues
Quick wins
5-year strategy & budget
Review stages

How would you know of an attack, an abnormality and how do you remediate?

Logs, Monitoring, Detection & Alerts
Incident Procedures – Identify & Remediate.

Post to be continued – These are opinions of the author only.

08/05/2020

What is the difference in Microsoft 365 Enterprise Mobility + Security E3 and E5 Licenses

By Steve inAlerts, Business Applications, Cloud & Datacenter Management, Endpoint Manager (Intune), Enterprise Mobility, Enterprise Security, Microsoft, Microsoft Azure, Office 365, Office Apps & Services, OneDrive, Security & Compliance Tag Difference, E3, E5, Enterprise Mobility, Explained, Features, License, Microsoft 365, Security

Today I’m looking at Microsoft 365 Enterprise Mobility + Security E3 and E5 Licenses and trying to work out which licenses I need and what the differences are. I’ve reviewed the guide on features and pricing, visit compare-plans-and-pricing

There are four key areas for Enterprise Mobility + Security:

Identity and access management
Managed mobile productivity
Information protection
Identity driven security

If you business it focused on Enterprise Mobility + Security E5 licenses but you need to save costs, its certainly worth reviewing what features your using and what is available / partially included in an Enterprise Mobility + Security E3 license. Microsoft would describe the differences as “Enterprise Mobility + Security E5 includes new and advanced security capabilities that make up our holistic and innovative approach to security for the mobile enterprise. Some E5 capabilities were previously only available as standalone products, such as Microsoft Cloud App Security, or as products in preview, such as Microsoft Azure Active Directory Identity Protection, Azure Active Directory Privileged Identity Management, and Azure Information Protection.”

A break down of the Key Additional Features in E5 and not in E3.

This is a quick break down of the additional features in the E5 license you don’t get in E3 currently. (Please check again, this is not a live feature list)

Risk-based conditional access (Explained further)
- Register MFA – All Users
- Password changed (High risk users)
- Require MFA for medium to high risk users
Privileged identity management (PIM) – (Explained Futher)
- Manage, Control and monitor important information or resources
Intelligent data classification and labelling (Azure Active Directory Identity Protection)
- Automate the classification and labelling process ( Personal interpretation, not sure if that terminology is correct)
- Azure identity Protection which can be leveraged in CA. Identity Protection Policies example
Microsoft Cloud App Security (Explained Further)
- CASB Cloud Access Security Broker
Azure Advanced Threat Protection (ATP) – (Getting started with Azure ATP)
- Detect, Identify Abnormalities, Advanced Attacks

So does you business have any other 3^rd party tools already providing the features of E5? It might be worth noting some components Enterprise Mobility + Security E5 can be purchased separately, but the logic is a suite gives more value in a bundle.

Another good option to get hands on and try the full E5 license, why not run a PoC to see if the features of Enterprise Mobility + Security E5 with a free Trial (90 days offered when I wrote this)?

I hope this post helped, additional information is available direct from the Microsoft Site.

Apologise if any information is incorrect, this is just a personal review and no way related to Microsoft.