Skip to main content

A guide to implementing Applocker on your Modern Workplace

At our last Windows Management User Group Netherlands meeting, we had the honor to have Sami Laiho, one of the world’s leading professionals in the Windows OS and Security flying over to the Netherlands and present for our user group. In his presentation titled: “Securing Windows in 2020 and forward”, Sami made us aware that by implementing some simple Applocker policies on our Modern Workplace and by making sure that the user working on the device has no admin rights, we can seriously improve our security. In his presentation Sami referred to a quote from Mikko Hyppönen (Chief Research Officer at F-Secure): “Make your security better than your neighbours”.

In this blogpost I will share my experience with implementing Applocker policy within my own tenant, and how I started to use these principles myself which eventually led by removing my account from the local administrator group.

Disclaimer: This blogpost provides a very simplistic way of enabling Applocker policies, in the real world there are some caveats which must be addressed when implementing Applocker. I will address  those caveats later in this post as well.

Read More

Stopping automatic email forwarding in your Exchange Online environment in a controlled way

Working as a modern workplace consultant also means that sometimes you have to go deep into Exchange Online options in order to make sure that (sensitive) data of your customer doesn’t leave the organization without the proper security measurements taken. In the Microsoft documentation titled: “Best practices for configuring EOP and Office 365 ATP“, the recommended settings for both Standard and Strict states that Auto-forwarding to external domains should be disallowed or monitored at least.

Automatic email forwarding is one of the possible and still most common way (sensitive) company data might leave the organization. Giving the users the ability to automatically forward emails using either mailbox forwarding or message rules to users outside the organization in that case can be very risky. I’ve seen many cases where corporate email accounts were configured to automatically forward all email to personal gmail.com or hotmail.com accounts. Also still enabled mailboxes which forward mail to users personal accounts while the user doesn’t work at the company anymore is common practice. 

It’s also commonly known that if a user somehow gets compromised, hackers usually put a forward on the mailbox of the user in order to gain knowledge about the user in order further continue with their attack methods, or to retrieve sensitive company data for their own gains.

Read More

Challenges while managing administrative privileges on your Azure AD joined Windows 10 devices

By default, on Windows 10 devices which are Azure AD joined, the user performing the join is added to the Local Administrator group. Besides the user and the local administrator (which is disabled by default), two other SIDs are added without any friendly name which explain who they are. So where are those SIDs coming from?

It is possible to make the user a normal user while enrolling the device, but then you have to create a Deployment Profile and use Windows Autopilot. See: Configure Autopilot profiles or use Bulk enrollment. See: Bulk enrollment for Windows devices

Note: This post reflects the status of Azure AD local administrative privileges as of February 11th 2020. Functionality may change, even right after this post has been published.

Read More

Did you already modify your Azure AD consent defaults settings? Here is why you should

As you may know, it’s possible for your users to sign-in to SaaS based applications using their Azure AD account. By doing this, a Single Sign On (SSO) experience is created for the user. Before this SSO for an SaaS based application is possible though, the user needs to accept (a) permission request(s) from the application allowing the application to access the users data on its users behalf, even when the user is not using the application.

Added February 11th: Erik Loef pointed me to the following two interesting articles detailing on how oAuth can be used to exploit Office 365 environments. See:

Shining a Light on OAuth Abuse with PwnAuth
Introducing the Office 365 Attack Toolkit

TL;DR; – Disable user app consent, and enable admin consent requests as soon as possible!

Note: This post reflects the status of Admin consent as of February 9th 2020. Functionality may change, even right after this post has been published.

Read More

Blocking access to Cloud apps by integrating Microsoft Cloud App Security with Microsoft Defender Advanced Threat Protection

Microsoft has quietly introduced the option to automatically block connections to unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console. This is accomplished by integrating MCAS with Microsoft Defender Advanced Threat Protection (MDATP).

Based on the information available in Cloud App Security, the app’s domains are used to create domain indicators in the Microsoft Defender ATP portal. Within Windows Defender the Exploit Guard Network Policy option is used to block the access to the URLs. This will eventually result in the following notification sent to the user.

Windows 10 Notification

In this blog post I will explain how to setup this functionality when Microsoft Intune is used and what the behavior is within Windows 10. This assumes that you are licensed for both MCAS and MDATP, in my case by using a Microsoft365 E5 license.

Read More

Microsoft deprecates Conditional Access baseline policies in favour of Security Defaults, here is what you need to know and do

Last week, Microsoft announced that the Azure AD conditional access baseline policies will not make it out of their current preview status. The functionality of the baseline policies will be made in available in a new feature called “Security Defaults”, Microsoft will remove the baseline policies on February 29th, so if you are using them you need to take action in order to make sure to keep their functionality in place. Here is what you need to know.

I’ve discussed the baseline policies in part 5 of my blogpost series “Conditional Access Demystified“, while they provided a welcome addition, one of the main disadvantages of the baseline policies in its current preview form was that there was no option to exclude accounts from the policy, which was in contradiction with the best practice for break glass accounts and therefore made the policies not usable in some scenario’s.

Read More

Implementing RBAC and Scoping in Microsoft Intune

When you create an Intune tenant within your environment, you execute the creation with an account which is Global Administrator within Azure Active Directory. And in my work as an indendent consultant I see a lot of companies which keep using the account with Global Administator rights to manage their Microsoft Intune environment as well.

While for initially setting up some Azure AD functionality Global Administrator rights might be needed, this is only the case during the setup phase. Once you have implemented your environment, you hardly ever need the Global Administrator rights and for most tasks they are not needed perse. Think of the Global Administrator rights as an equivalalent of the Forest Administrator/Schema Administrator group within Active Directory.

Disclaimer: This post is written on December 4th 2019 and reflects the state of this functionality at that point in time.

Read More

Did you already enable DKIM and DMARC for your Office 365 domains?

When you host your email on the Exchange Online (EXO) platform part of Office365 you can implement several security measures to make sure that email send from your domain gets delivered to the mailbox of the recipient.

The most known solution for this is by implementing a Sender Policy Framework (SPF) DNS record. By creating a SPF DNS record in your DNS you provide receiving email servers the option to check if the originating IP of the email is also the authorized email server for the domain. If not the email can be considered suspicious and the email system from that point forward can decide to threat the email as spam, phishing and so forth. 

If you decide to make the nameservers of Microsoft authoritative, which allows you to manage your DNS settings from the Office administration portal, the SPF record needed can automatically be enabled for you.

Read More

Intune: Choosing whether to assign to User or Device Groups

One of the disadvantages of being an experienced consultant in IT is the fact that once in a while you need to re-learn. With re-learn I mean that for some concepts it’s easier to understand how it works if you come from no-experience. I’ve experienced this with quite some Microsoft products as well. If you know the old version, switching to concepts in a new version might not be that easy compared to when you get to know the new version without any prior knowledge.

I also experienced this “challenge” lately when trying to figure out when to assign applications or configuration to either User Groups or Device Groups.

Read More

Report-only mode, and some more handy reporting functionality for Conditional Access and Azure AD

During its annual Microsoft Ignite 2019 conference this week, Microsoft announced a new feature for Conditional Access called Report-Only mode in preview.

So, what is Report-only mode?

Report-Only mode is a new option within a Conditional Access policy. Besides the option to turn the conditional access policy on or off, the option to Report-only has been added.

New Report-only option
Read More