Monthly Archives: October 2017

What is Microsoft security story?

Looking back at 2017 so far is has been alot of development from Microsoft when it comes to security products. Just by looking at the Microsoft Ignite which was a couple of weeks back most announcements were security focused with new products such as Azure ATP, improved version of Windows Defender ATP as well and of course with a lot of investments into security features directly into Azure Active Directory. All these new stuff has made me confused at times, what does the product actually do and how does it interact with other features? Therefore I decided to write this post to show what the product does and how it fit into the Windows ecosystem. This visio shows some of the integration and the different cloud security products that Microsoft offers.

But to understand what they actually provide in terms of functionality lets look closer into some of the products.

Microsoft ATA
Microsoft ATA (Advanced Threat Protection) or Azure ATP which it was announcing during Microsoft Ignite is a service which can detect multiple attacks that can happen against Active Directory.

This can be for instance:
Pass-the-Ticket (PtT)
Pass-the-Hash (PtH)
Forged PAC (MS14-068)
Golden Ticket
Malicious replications
Brute Force
Remote execution

The list is quite long, you can read more about it here → until now Microsoft ATA has been a piece of software that you needed to install on your local infrastructure, and the architecture has been quite simple. You needed to have a ATA Center which was the central point of management and containing the MongoDB which contained all the events. You also had ATA Gateway’s which was used to gather information from domain controllers either using Windows Event Forwarding or using Port Mirroring traffic from domain controllers. Later on with ATA, Microsoft released Lightweight Gateway’s which allowed us to install a Windows agent inside the domain controllers. This removed the need to setup SPAN or RSPAN to get domain controller traffic. With the latest release of ATA 1.8 the Lightweight agent was improved further to reduce bandwidth usage and be able to forward Windows based event as well. With Azure ATP, Microsoft essentially moved the ATA Center directly to Azure.

Bottomline for Azure ATP
Detect, investigate and respond to advanced attacks inside Active Directory, looking at exploiting weaknesses in security or authentication protocols.

Windows Defender Advanced Threat Protection
Is another cloud service, which initially was aimed at Windows 10 endpoints but has recently also gotten support for Windows Server (again mostly aimed at Windows environments) This is using sensors in Windows 10 which will report a lot of the internals happening inside a machine directly to the cloud service

It allows us to take a closer look at suspicious behaviour such against a machine, IP address, end user for instance. This can be that a end-user has run some weird script which was triggered from an email that the end-user received and has therefore raised an alert to ATP. All suspicious behavior is also sent through Microsoft Intelligent Security Graph, so when Windows Defender ATP flags a process tree—let’s say a tree for a PE file that opens a command-line shell connecting to a remote host—our systems augment this observation with various contextual signals, such as the prevalence of the file, the prevalence of the host, and whether the file was observed in Office 365. Windows Defender ATP classifiers consider these contextual signals before arriving at a decision to raise an alert.

To on-board an agent to this service, you basically run a PowerShell which is deploying using Group Policy or using Intune OMA-URI against ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding

Bottom line for Windows Defender ATP is
Detect, investigate and respond to advanced attacks or suspicious attacks inside Windows infrastructure (Clients and Windows Server) combined with Machine Learning capabilities within Microsoft Intelligent Security Graph.

Microsoft Azure Security Center
Initially Azure Security Center was a offering which was about protecting Virtual Machine and policy control in Microsoft Azure, but it has now evolved into so much more. It has now extended and can now be used against on-premises machines as well using the Log Analytics agent (Microsoft Monitoring Agent)

The service is more about looking to give recommendations about service you can use in Microsoft Azure. So the solution can monitor
Virtual machines (VMs) (including Cloud Services)
Azure Virtual Networks
Azure SQL service
Azure Storage account
Azure Web Apps (in App Service Environment)
Partner solutions integrated with your Azure subscription such as a web application firewall on VMs and on App Service Environment

It also allows us to create a security policy which can define a baseline for security in Microsoft Azure, such as that all machine runnings in Azure needs to have the following default ports blocked by firewall, all machines needs to have monitoring agent installed and such. You can also use something called playbooks which can react based upon an alert in Security Center. It can trigger a Logic App workflow from it.

The bottomline about Azure Security Center is.
Proactive security detection for resources in Azure (Virtual Machines, PaaS) security baselines and automation.

Cloud App Security
This is another Cloud service which is aimed at protecting information flow in SaaS such as data and governance. IT can discover all cloud use in your organization, including Shadow IT reporting and control and risk assessment. It can monitor and control data in the cloud by gaining visibility, enforcing DLP policies, alerting and investigation.

It can connect to the following Cloud applications
G Suite
Office 365

Where it can be used to apply DLP policies, or who accesses what from where.It can also get information from firewall products such as BlueCoat, Cisco, Zscaler, Web Sense, Palo Alto and such. This allows Cloud App Security to easily detect what kind cloud applications your end-users are running.

The bottomline for Cloud App Security.
Protecting Cloud Applications (SaaS) usage for enterprises using DLP policies and Cloud Application discovery.

Microsoft Intune
Intune can be described as an endpoint management solution, since it allows for remote management and policy control and software deployment to endpoints. This can be Windows machines or mobile devices. It also provides MAM (Mobile Application Management as well) Intune is using the open standard OMA-URI to manage Windows 10 devices directly. Microsoft is also investing heavily into the OMA-URI CSP with alot of new options coming with every Windows 10 update, which you can see here →

From a security perspective, Intune can be used to control endpoint configuration
Management of Windows Defender on Client computer
Management of Windows based features such as Application Guard, Bitlocker, Device Guard
Remote Management (Reset, Remote Lock, Factory Reset) of devices
Security policies for mobile devices such as disallow camera, enforce encryption and such and other policy management using OMA-URI
Deliver Windows Patches using Windows update for Business
Configure Windows Information Protection policies.
Integrate with VPN devices to provider NAC using Device Health Attestation Service

The bottom line for Intune is.
Provide endpoint management and policy control. Also handling update management and simple reporting

Azure Rights Management Azure Rights Management is an Azure feature which is aimed at protecting data. This allows us for instance to be used to encrypt file attachments and send it to another recipient. We can also use it to define policies on who should have access to view the file and can actually use it as well to trace who has opened the file.Azure Rights Management includes integration into Office 365, and can also integrate into regular windows based environments such as Windows file servers, Exchange and SharePoint as well. It also requires a special agent installed to be able to view files which are protected by Azure RM and it its core we have Azure AD which defines if a user gets access to the protected resource or not.

the bottom line for Azure Right Management.

Provides protection and encryption of information such as files and content, both locally and in Office365.

In the center of this we also have Azure Active Directory, which is the source of identity for multiple services such as Microsoft Azure, Office 365 among others but is also needed for many of the other services such as use of Azure MFA, RMS, Conditional Access and such. Azure Active Directory also provides multiple security services such as Privileged Identity Management and Identity Protection.

With Windows 10 we also have a new feature called Azure AD Join which allows us to join a Windows 10 device directly to Azure AD instead of a local Active Directory domain. This also helps us isolate the endpoints away from Active Directory and help it stay more secure and move the endpoints away from the infrastructure. Also with the latest versions of Windows 10, Microsoft has done a lot of investment adding new security features as well such as Application Guard, Exploit Guard and such which all can be managed from Microsoft Intune as well.

Looking at all the features and products that Microsoft have just within security it might be a bit confusing but hopefully this article highlighted some of the differences and what area within security these products belong too. Looking at this rich ecosystem shows how much Microsoft has invested into cloud based security over the last years. If we were to look back only 5 years, only a fraction of these services actually existed, but Microsoft has to make this a lot more integrated solution because now we have a lot of different products which seem to have a bit more overlapping functionality and different product suites as well. Then again different detection and defense product should be treated differently, but I for one would love to have one place for cloud based security such as Cloud App Security and Log Analytics to detect SaaS based cloud usage and user activity, combined with ATA information to see if someone has gotten access to some end-user credential and have tried something suspicious.

Also Defender ATP with Azure Security as well to see more in-depth on server workloads, and also enable Defender ATP to do more Defender and endpoint security policy management as well, because now it feels like a product which can only be used for analytics and recon. Would love to have more in-depth control of Defender and other security mechanisms in Defender ATP.




Shared Computer support Office365 and Citrix with AD PTA

One of the issues that has been with delivering Office 365 on a non-persistent Citrix environment is how to manage licensing and activation. Previously we needed to have a ADFS infrastructure in place with Group Policy to allow “Automatic Activation with federated credentials” to allow for seamless activation without the end-user to need to do enter any type of information. This was needed because when a user logs onto a XenApp host and starts Office they will need to login with their Azure AD credential. This process would generate a license token that was bound to that machine the user was logged into. If the user then switched to another virtual machine the next day they would need to repeat the process there.

During Ignite, Microsoft announced that Azure AD Connect PTA (pass-trough authentication) was now generally available. This provides seamless sso authentication against Office365 without then need to setup an ADFS infrastructure. This makes a lot of sense for small businesses who doesn’t want to have the complexity with ADFS just to get automatic activation and or authentication for Office365.

However AD Connect PTA had one issue for Office365 was that
1: It does not work together with “Automatic Activation with federated credentials” policy
2: The user is required to type in their UPN to get authenticated.
This makes the authentication process a bit simpler but the license token was still machine bound and therefore a user would need to repeat the process the next day.

However! With Version 1704 of Office365 you now have the ability to setup licensing token roaming. This allows us too configure the licensing token to roam with the user’s profile or be located on a shared folder on the network.

To configure licensing token roaming, you can use either the Office 2016 Deployment Tool or Group Policy, or you can use Registry Editor to edit the registry. Whichever method you choose, you need to provide a folder location that is unique to the user. The folder location can either be part of the user’s roaming profile or a shared folder on the network. Office needs to be able to write to that folder location. If you’re using a shared folder on the network, be aware that network latency problems can adversely impact the time it takes to open Office.

If you’re using Group Policy, download the most current Office 2016 Administrative Template files (ADMX/ADML) which can be found here –>
and enable the “Specify the location to save the licensing token used by shared computer activation” policy setting. This policy setting is found under Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Licensing Settings.


Now this together with Azure AD PTA the user is now required to type their username once, a token is generated and is cached on a network drive, allowing for a better end user experience.