At our last Windows
Management User Group Netherlands meeting, we had the honor to have Sami Laiho, one of the world’s leading
professionals in the Windows OS and Security flying over to the Netherlands and
present for our user group. In his presentation titled: “Securing Windows
in 2020 and forward”, Sami made us aware that by implementing some simple
Applocker policies on our Modern Workplace and by making sure that the user
working on the device has no
admin rights, we can seriously improve our security. In his presentation
Sami referred to a quote from Mikko Hyppönen (Chief Research Officer at
F-Secure): “Make your security better than your
blogpost I will share my experience with implementing Applocker policy within
my own tenant, and how I started to use these principles myself which
eventually led by removing my account from the local administrator group.
Disclaimer: This blogpost provides a very
simplistic way of enabling Applocker policies, in the real world there are some
caveats which must be addressed when implementing Applocker. I will
address those caveats later in this post
as a modern workplace consultant also means that sometimes you have to go deep
into Exchange Online options in order to make sure that (sensitive) data of
your customer doesn’t leave the organization without the proper security
measurements taken. In the Microsoft documentation titled: “Best
practices for configuring EOP and Office 365 ATP“, the recommended
settings for both Standard and Strict states that Auto-forwarding to external
domains should be disallowed or monitored at least.
email forwarding is one of the possible and still most common way (sensitive)
company data might leave the organization. Giving the users the ability to
automatically forward emails using either mailbox forwarding or message rules
to users outside the organization in that case can be very risky. I’ve seen
many cases where corporate email accounts were configured to automatically
forward all email to personal gmail.com or hotmail.com accounts. Also still
enabled mailboxes which forward mail to users personal accounts while the user
doesn’t work at the company anymore is common practice.
commonly known that if a user somehow gets compromised, hackers usually put a
forward on the mailbox of the user in order to gain knowledge about the user in
order further continue with their attack methods, or to retrieve sensitive
company data for their own gains.
default, on Windows 10 devices which are Azure AD joined, the user performing
the join is added to the Local Administrator group. Besides the user and the
local administrator (which is disabled by default), two other SIDs are added
without any friendly name which explain who they are. So where are those SIDs
may know, it’s possible for your users to sign-in to SaaS based applications
using their Azure AD account. By doing this, a Single Sign On (SSO) experience
is created for the user. Before this SSO for an SaaS based application is
possible though, the user needs to accept (a) permission request(s) from the
application allowing the application to access the users data on its users
behalf, even when the user is not using the application.
Added February 11th: Erik Loef pointed me to the following two interesting articles detailing on how oAuth can be used to exploit Office 365 environments. See:
has quietly introduced the option to automatically block connections to
unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console.
This is accomplished by integrating MCAS with Microsoft Defender Advanced
Threat Protection (MDATP).
the information available in Cloud App Security, the app’s domains are used to
create domain indicators in the Microsoft Defender ATP portal. Within
Windows Defender the Exploit Guard Network Policy option is used to block the
access to the URLs. This will eventually result in the following notification
sent to the user.
blog post I will explain how to setup this functionality when Microsoft Intune
is used and what the behavior is within Windows 10. This assumes that you are
licensed for both MCAS and MDATP, in my case by using a Microsoft365 E5
discussed the baseline policies in part
5 of my blogpost series “Conditional
Access Demystified“, while they provided a welcome addition, one of
the main disadvantages of the baseline policies in its current preview form was
that there was no option to exclude accounts from the policy, which was in
contradiction with the best practice for break glass accounts and therefore
made the policies not usable in some scenario’s.
When you create an
Intune tenant within your environment, you execute the creation with an account
which is Global Administrator within Azure Active Directory. And in my work as
an indendent consultant I see a lot of companies which keep using the account
with Global Administator rights to manage their Microsoft Intune environment as
While for initially
setting up some Azure AD functionality Global Administrator rights might be
needed, this is only the case during the setup phase. Once you have implemented
your environment, you hardly ever need the Global Administrator rights and for
most tasks they are not needed perse. Think of the Global Administrator rights
as an equivalalent of the Forest Administrator/Schema Administrator group
within Active Directory.
Disclaimer: This post is written on December 4th 2019 and reflects the state of this functionality at that point in time.
When you host your email on the Exchange Online (EXO) platform part
of Office365 you can implement several security measures to make sure that
email send from your domain gets delivered to the mailbox of the recipient.
The most known solution for this is by implementing a Sender Policy
Framework (SPF) DNS record. By creating a SPF DNS record in your DNS you
provide receiving email servers the option to check if the originating IP of
the email is also the authorized email server for the domain. If not the email
can be considered suspicious and the email system from that point forward can
decide to threat the email as spam, phishing and so forth.
If you decide to make the nameservers of Microsoft authoritative,
which allows you to manage your DNS settings from the Office administration
portal, the SPF record needed can automatically be enabled for you.
One of the
disadvantages of being an experienced consultant in IT is the fact that once in
a while you need to re-learn. With re-learn I mean that for some concepts it’s
easier to understand how it works if you come from no-experience. I’ve
experienced this with quite some Microsoft products as well. If you know the
old version, switching to concepts in a new version might not be that easy
compared to when you get to know the new version without any prior knowledge.
I also experienced
this “challenge” lately when trying to figure out when to assign
applications or configuration to either User Groups or Device Groups.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.