Session at NICConf – Summary

There’s been a while since my previous update as my primary focus has been on working as a full-time Security Architect  and lecturing Office 365 / Security classes. I was lucky to have the opportunity to participate at Nordic Infrastructure Conference (NICConf) in Oslo Spektrum February 1st as a speaker with my colleague Oddvar Moe. We had the session “Hardcore hacker VS. Awesome IT-Pro” where we demonstrated effective attacks vs defenses in Windows, where we covered common attack techniques. The purpose of the session was to add focus to the importance of not only implementing security but also testing that your implementation is actually successful. Details about the session can be found here: http://nicconf.com/talks/hardcore-hacker-vs-awesome-it-pro-battle-royale/. I was planning to wait for the recording before publishing this blog post but I will update once it’s out.

To reference where you can find additional information that was not shown directly in the session look here:

NTLM Leaking:  https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/ “Old but gold”, covering how NTLM can be audited prior to blocking in great detail.

Office macro attacks: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard Recommend looking into Windows Defender Exploit Guard, and specifically Attack Surface Reduction rules. In addition, see Blocking Office Macros from the internet

More blog posts will come soon covering Office 365 and Azure.

Karim

The ultimate guide to protecting against Meltdown (CVE-2017-5754) on Windows

Introduction

As most have heard by now, there is a critical vulnerability affecting most computers and servers worldwide.

Microsoft released an out-of-band patch for all compatible operating systems. Some systems may not have been applicable for the patch due to AV vendor not supporting the fix yet.. An unofficial list seen on Twitter yesterday (which I can’t seem to find right now..) shown only Microsoft, Kaskersky and ESET were prepared, with several vendors working on it and Sophos planning to have it ready by early next week. This is likely to change as I’m writing this, so please contact your AV vendor if your uncertain.

Getting started

To see if your system is affected, Microsoft Security Research Center (MSRC) has created and uploaded PowerShell module that can be used. Details can be found here. This module can be used to determine status for all systems by following the guidance, and should also be used to verify you successfully have remediated the issues.

To see if your system is applicable for the patch (this is determined by AV vendor), look for:

HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat and a DWORD value with the name: cadca5fe-87d3-4b96-b7fb-a231484277cc and value data: 0. Most systems will also require a firmware update. For all Surface devices, a firmware update can be found here.

Patching systems

Prior to applying the patch, your system will likely generate this output when running “Get-SpeculationControlSettings”:

After verifying that your system is applicable for the patch, install the latest update. I included KB for the newest Windows versions:

KB4056890 – Server 2016
KB4056898 – Server 2012 R2 / 8.1
ADV180002 – Windows 10 (contains numerous patches).

This update might fail on the first try, try a reboot and give it a new shot.. been parsing through Windowsupdate.log without being able to pinpoint the exact issue yet. Please note, the update might take more than an hour to complete so be patient!

Protecting systems

After the patch is installed, you can see that the problem isn’t completely fixed by running “Get-SpeculationControlSettings”.

… the reason for this is because patching the vulnerability requires deployment of registry values in addition to the patch. 

Microsoft published “Windows Server guidance to protect against speculative execution side-channel vulnerabilities” where it clearly states that mitigations must be enabled for servers after deploying the patch.

We then proceed by adding the following registry keys:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


And now running the command we can verify that the systems are protected against CVE-2017-5754:

Want to know more? https://meltdownattack.com/

Karim

Interview with RunAs Radio

I had the honor of being a guest at RunAsRadio with host Richard Campbell where we discussed security in Office macros and how you can secure your enterprise. Click the image to listen to the podcast:

Office macros need security? Yes! Richard chats with Karim El-Melhaoui about the issues around Office macros. With default settings, VBA macros in the Office suite are incredibly powerful and are an effective malware vector. While Microsoft has some built-in capabilities to warn users about enabling macros, modern malware makers have been socially engineering users to bypass those protections. You can go heavy handed and disable macros with group policy, but what if you need them? Karim talks about some of the latest features coming in the Windows 10 Creators Update to provide more granular security for Office macros. But maybe it’s time to move away from them entirely?

To get started:

Attack Surface Reduction – Windows 10 1709:

Attack Surface reduction were discussed in the interview and is a powerful mitigation that were introduced in Windows 10 Fall Creators Update. It gives several options for blocking common macro attacks.

Also look into blocking macros originating from the internet, more information is covered in a detailed blog post from Microsoft:

https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

 

Hoping to write a more detailed blog post covering ASR in Windows 10 1709..

What’s new in Intune – Ignite announcements

So there’s been lots of announcements at Ignite this year and it doesn’t seem like Microsoft is  able to cover everything in their official blog.. Hence why I’m writing a blog to make sure you heard of the new features I find really important.

1. Geo-Fencing for Intune managed devices. Geo-Fencing defined on a map will be available in Public Preview from Q4 2017, with ability to set up alerts when a device leaves the perimeter. A location can also be based on known networks.

2. Full capabilities with Outlook Mobile for companies running Exchange Hybrid. Available for preview through Microsoft’s Technical Adoption. It uses Exchange Online functionality to synchronize On-Prem mailboxes in the cloud for 30 days, the mailboxes are protected equal to Office 365 mailboxes and the whole feature is based on communication between Exchange server and ExOnline. The announcement was made on Ignite and the Exchange blog which many EM+S admins don’t read. For more information: https://blogs.technet.microsoft.com/exchange/2017/09/27/tap-outlook-mobile-support-for-exchange-on-premises-with-microsoft-enterprise-mobility-security/  

3. Access Intranet resources through Application Proxy and Managed Browser. By publishing internal resources through Azure Application Proxy users can access those sites externally directly through Managed Browser, protected by the container technology built into the Managed Browser. Company Admins can easily enforce policies and revoke access.

 

To see additional features that Microsoft released at Ignite, check out this post: https://blogs.technet.microsoft.com/enterprisemobility/2017/10/03/enterprise-mobility-security-ignite-2017-wrap-up/

What do you think?

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Hands-on: Windows Defender Application Guard

Microsoft announced more than a year ago a new feature coming to Windows 10 allowing Microsoft Edge to run in Isolated User Mode. This needs to be configured before users can access the feature, this can be done through Group Policy. For more information: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard

In the chart below you can see Microsoft’s comparison of Microsoft Edge and Edge with Windows Defender Application Guard:

 

I installed a Windows 10  Enterprise Insider Preview Build 16278 on a computer, enabled Application Guard and started experimenting.

I started out by enabling some useful Policies settings, that can be found here “Administrative Templates -> Windows Components -> Windows Defender Application Guard”.

Allow data persistence for Windows Defender Application Guard: Saves user downloaded files and other items (such as, cookies, Favorites and so on) for use in future Application Guard Sessions. Enabled this feature to give end-users a smoother experience when using Application Guard. There will be some confusion on how to access files that were downloaded in an Application Guard session. A session can be reset by using “Reset-ApplicationGuard”, the command is not available in the current build I’m running.

Configure Windows Defender Application Guard Clipboard Settings: Enabling this settings give you several options. It is not recommended to enable copying data data from the host to the isolated session, enabling this might give a compromised Application Guard session access to the host’ clipboard. I enabled with “Enable clipboard operation from an isolated session to the host” and then specified the value 1: Allows text copying (2 = Allow image copying, 3 = Allows both text and image).

Configure Windows Defender Application Guard Print settings:

By default you can’t print from an Application Guard session. In this policy you can chose from 15 different options to allow printing from the session to local, XPS, PDF and network printers. In this scenario I only chose to allow printing to PDF for now.

I also had to configure settings in “Administrative Templates -> Network -> Network Isolation” in order to fully configure Windows Defender Application Guard-

I specified “Enterprise resource domains hosted in the cloud”, which are sites that I fully trust and allow to run in a normal browser session, for these testing purposes I specified 2 sites, pay close attention to the separation of the 2 sites I specified, instead of a comma-separation these sites are separated by a pipe (|)character. It also supports wildcard scenarios by specifying DOT character before domain name.

 

After a reboot I was ready to launch Microsoft Edge and give the feature a try. My first attempt to launch an Application Guard session (directly from Microsoft Edge, which was now an option):

It took 5 minutes for initial session to launch my first session, patience is a virtue:

When launching the first thing I notice is my Favorites are missing, just as expected:

I started browsing a site that’s on the list of Enterprise Resources and it launched just as expected in a normal session where I was able to interact with one of the sites I trust, screenshot:

 

The second I access a site that’s not on the list of Enterprise resources it opens in a new instance of Microsoft Edge that has another icon on the toolbar and is protected, as expected:

Trying to copy data from the host into the Application Guard session gives me a warning, also as expected:

Trying to paste data from the session to Notepad works just fine without any warning.

Overall, this feature is very secure and provides a way for users to browse the internet without risking that the host will be compromised, currently it’s not the most efficient way and Microsoft is looking into integrating add-ins and let Favorites work across the Isolated and Normal session.

 

Windows Defender Application Guard is set to release with the Windows 10 Fall Creator’s Update.

Securing Windows environments with baselines

I recently held a webcast in Norwegian related to securing Windows with baselines and the changes to managing baselines after Microsoft announced the retirement “Security Compliance Manager”. For more information: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

I promised to write a blog post containing the simple script I used to export the GPO’s from my lab environment and import to Production.

Recording of the full presentation can be seen here (Norwegian only):

A quick summary of how I manage the baselines:

  1. Dummy server containing all Group Policy objects x 2. 1 that’s unchanged from the baseline and 1 that has my customization’s configured. The reason behind having 2 is that it makes it easier to do a comparison of what differences there are between my customization and the default – using PolicyAnalyzer.
  2. Export the baseline containing a specific string from the dummy server
  3. Importing the baseline to the production environment, removing the specific string (“Test” in my case). If a policy with the name already exists, current policy will be merged.

The “Security Compliance Toolkit” can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=55319

I also promised to do some generalizations in my script prior to publishing but it’s almost been two weeks since my webcast and I haven’t had the time yet. The script is only intended for demonstration purposes and should not be used in production environments without adjusting the code.

That’s it.

Work Folders – Extending Sync Shares beyond the limit (21)

Work Folders feature was introduced in Windows Server 2012 R2 that allowed clients to synchronize files with a built-in agent (in Windows 8.1 and 10, there’s also a patch for Win 7 Enterprise), later they’ve also added support for iOS and Android. To read more about Work Folders: https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx

By default you can only create 21 Sync Shares in Work Folders, because of limitations in the JetDB which Work Folders is based on. Usually a few Sync Shares should be more than enough for a company of most sizes and extending the limit beyond 21 will only be necessary for very rare occasions. Due to the rare nature of the environment I would need up to several hundred Sync Shares and reached the limit quickly. When reaching the limit you are able to create more Sync Shares but users that has their Sync Share configured to one of those created after number 21 will receive “Parameter is incorrect” error in their Work Folders Control panel.

In order to extend the Sync Share limit beyond 21: Open Regedit on the Work Folders server, navigate to HKLM\SYSTEM\CurrentControlSet\Services\SyncShareSvc\Settings, create a new Multi-string value with the following data:

ValueName: EseParameterSettings

Value:

[GLOBAL]
Jet_paramMaxInstances=1024

 

..and that’s it. Restart the Sync Share Service and every Sync Share you create will work until you reach 1024 Sync Shares on the same server/cluster. Make sure to configure all nodes with the same configuration if you’re a cluster.

 

Restrict OneDrive for Business to Domain-joined Computers

Conditional Access for OneDrive can be configured multiple ways, but it’s not a part of the new Azure AD Conditional Access experience, there’s also lacking an option to restrict devices that can synchronize files in the new OneDrive Admin Center (https://admin.onedrive.com/), but there are several other options worth looking into.

If you would like to restrict OneDrive to only synchronize files on Domain Joined computers you will either need Microsoft Intune with the classic portal, this feature does not exist in the new Azure Experience – or it can be configured with SharePoint Online Management Powershell module. In order to configure OneDrive for Business “Conditional Access” with PowerShell do the following:

Step 1:

Find your Domains ObjectGuid, if you have multiple domains make sure to include all ObjectGuids and separate by commas.

To find your Domains ObjectGuid run the following command in Powershell, specify your on-premise domain:

Get-ADDomain -Identity EntSecLab.com | Select-Object ObjectGuid

 

Step 2:

Install the SharePoint Online Management Shellhttps://www.microsoft.com/en-us/download/details.aspx?id=35588

Run in PowerShell: Connect-SPOService -Url  https://Office365Tenant-admin.sharepoint.com (make sure to replace Office365Tenant with your tenants name). You will then be prompted to specify Credentials. The least privileges required is Service Administrator for SharePoint Online.

Run: Set-SPOTenantSyncClientRestriction -Enable -DomainGuids <ObjectGuid>

Done!

WDATP – Isolating infected machines

Windows Defender ATP recently added a new feature allowing Administrators to isolate any computer from accessing the network. This is very useful in scenarios where a compromised machine is actively trying to spread throughout the network .

By responding to the alarm you can click to see possible actions for the compromised host, where you can take several actions:

When we click Isolate Machine we are prompted to enter a comment.
If we look at the client after running the Isolate Machine Action Continue reading “WDATP – Isolating infected machines”

Intune – Conditional Access with Exchange on-prem migration issues

Intune Support Team blogged about “Migration Blockers” in March, mentioning several important steps. You can find more information about that here:

https://blogs.technet.microsoft.com/intunesupport/2017/03/17/intune-migration-blockers-for-grouping-targeting/

Suddendly last week one of my customers reported that users received quarantine email incorrectly. I looked further into it and saw the Exchange Connector started generating logs I haven’t seen before in Windows Logs-> Application.

For instance:

Microsoft.Management.Services.Common.InternalErrorException: An error has occurred – Operation ID (for customer support): be9a87aa-1c83-46ce-9aa3-3a2e5b56241c – Activity ID: a63cf524-5075-41e5-b330-89cff853f7f9 – Url: https://fef.msub02.manage.microsoft.com/StatelessExchangeGatewayService/$batch – CustomApiErrorPhrase:
__BEGINCMEXCEPTIONMETADATA__
{
“CustomApiErrorPhrase”: “”
}
at Microsoft.SystemCenter.Online.Mobile.Services.Exchange.Agent.Proxy.ExchangeConnectorSoapServiceClient.PutMessage(ExchangeGatewayMessage message)
at Continue reading “Intune – Conditional Access with Exchange on-prem migration issues”