Session at NICConf – Summary

It’s been a while since my previous update, as my primary focus has been on working as a full-time Security Architect and lecturing Office 365 / Security classes. I was lucky to have the opportunity to participate at Nordic Infrastructure Conference (NICConf) in Oslo Spektrum on February 1st as a speaker with my colleague Oddvar Moe. In our session “Hardcore hacker VS. Awesome IT-Pro” we demonstrated common attack techniques against Windows and the defenses that actually stop them. The purpose of the session was to stress the importance of not only implementing security controls, but also testing that your implementation actually works. Details about the session can be found here: http://nicconf.com/talks/hardcore-hacker-vs-awesome-it-pro-battle-royale/. I was planning to wait for the recording before publishing this blog post, but I will update it once the recording is out.

To reference where you can find additional information that was not shown directly in the session look here:

NTLM leaking: https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/ “Old but gold”: covers in great detail how NTLM usage can be audited before NTLM is blocked, so that you find the applications that still depend on it instead of breaking them.

Office macro attacks: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard I recommend looking into Windows Defender Exploit Guard, and specifically the Attack Surface Reduction rules. In addition, see “Blocking Office Macros from the internet”.
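As an added example (not part of the original post or the referenced article), the audit-before-block workflow from the NTLM article in PowerShell: the first function sets the registry values that back the “Network security: Restrict NTLM” audit policies (on a member server the MSV1_0 values, on a domain controller additionally the Netlogon value), and the second reads the audit events that then appear in the Microsoft-Windows-NTLM/Operational log and parses their “Label: value” lines so you can see which processes and targets still use NTLM. It assumes it runs elevated and that no Group Policy later overwrites the values.

```powershell
# Added example, not from the original post: enable NTLM auditing, then summarize what was logged.
# Assumes an elevated session; if the same settings are managed by GPO, the GPO values win.

function Enable-NtlmAudit {
    [CmdletBinding()]
    param(
        # Set on domain controllers only: audits NTLM authentication in the domain (event 8004).
        [switch]$DomainController
    )
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # Incoming NTLM traffic: 2 = audit all accounts (1 = domain accounts only, 0 = off).
    New-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -PropertyType DWord -Value 2 -Force | Out-Null
    # Outgoing NTLM traffic to remote servers: 1 = audit all (0 = allow all, 2 = deny all).
    New-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value 1 -Force | Out-Null
    if ($DomainController) {
        $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        # 7 = audit all NTLM authentication in the domain (domain accounts and domain servers).
        New-ItemProperty -Path $nl -Name AuditNTLMInDomain -PropertyType DWord -Value 7 -Force | Out-Null
    }
}

function Get-NtlmAuditEvents {
    param([int]$MaxEvents = 5000)
    # 8001 = outgoing (client), 8002 = incoming (server), 8003 = domain, 8004 = DC audit.
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 8001, 8002, 8003, 8004 } |
        ForEach-Object {
            $fields = @{}
            # Message bodies are "Label: value" lines (target server, calling process, user);
            # collect them generically instead of depending on the exact label text.
            foreach ($line in ($_.Message -split "`r?`n")) {
                if ($line -match '^\s*([^:]+):\s*(.+)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
            }
            [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Fields = $fields }
        }
}

function Get-NtlmAuditSummary {
    # Count per event type; drill into .Fields of Get-NtlmAuditEvents for the actual callers.
    Get-NtlmAuditEvents | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            EventId = $id
            Kind    = switch ($id) {
                8001 { 'Outgoing NTLM (this host as client)' }
                8002 { 'Incoming NTLM (this host as server)' }
                8003 { 'NTLM in domain' }
                8004 { 'Domain controller audit' }
            }
            Count   = $_.Count
        }
    }
}

# Usage: Enable-NtlmAudit; wait a few days of normal operation; Get-NtlmAuditSummary
```

Only when the summary is empty for the systems you intend to restrict should the policies be moved from audit to deny; the events, not the absence of complaints, are the evidence that nothing still depends on NTLM.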

More blog posts will come soon covering Office 365 and Azure.

Karim

The ultimate guide to protecting against Meltdown (CVE-2017-5754) on Windows

Introduction

As most have heard by now, there is a critical vulnerability affecting most computers and servers worldwide.

Microsoft released an out-of-band patch for all supported operating systems. Some systems may not yet be eligible for the patch because their AV vendor does not support the fix. An unofficial list seen on Twitter yesterday (which I can’t seem to find right now) showed that only Microsoft, Kaspersky and ESET were prepared, with several vendors working on it and Sophos planning to have it ready by early next week. This is likely to change as I’m writing this, so please contact your AV vendor if you’re uncertain.

Getting started

To see if your system is affected, the Microsoft Security Response Center (MSRC) has created and uploaded a PowerShell module (SpeculationControl, which provides Get-SpeculationControlSettings) that can be used. Details can be found here. This module can be used to determine the status of all your systems by following the guidance, and it should also be used to verify that you have successfully remediated the issue.

To see if your system is eligible for the patch (this is determined by the AV vendor, which sets the flag once its product is compatible with the update), look for:

HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat with a DWORD value named cadca5fe-87d3-4b96-b7fb-a231484277cc and value data 0. Without this value, Windows Update will not offer the January 2018 security update. Most systems will also require a firmware (microcode) update from the hardware vendor. For all Surface devices, a firmware update can be found here.

Patching systems

Prior to applying the patch, running “Get-SpeculationControlSettings” on your system will likely produce this output, with the Windows OS support for the mitigations reported as not present:

After verifying that your system is eligible for the patch, install the latest update. I have included the KBs for the newest Windows versions:

KB4056890 – Server 2016
KB4056898 – Server 2012 R2 / 8.1
ADV180002 – Windows 10 (the advisory lists the individual KBs for each Windows 10 version).

This update might fail on the first try; reboot and give it a new shot. I have been parsing through WindowsUpdate.log without being able to pinpoint the exact issue yet. Please note that the update might take more than an hour to complete, so be patient!

Protecting systems

After the patch is installed, running “Get-SpeculationControlSettings” shows that the problem isn’t completely fixed:

The reason is that on Windows Server the update alone only installs the mitigations; they are not enabled until the registry values below are deployed in addition to the patch (on Windows 10 client the mitigations are enabled by default).

Microsoft published “Windows Server guidance to protect against speculative execution side-channel vulnerabilities”, where it clearly states that the mitigations must be enabled on servers after deploying the patch.

We then proceed by adding the following registry values and rebooting. FeatureSettingsOverride = 0 together with FeatureSettingsOverrideMask = 3 enables both the Meltdown (CVE-2017-5754) and the Spectre variant 2 (CVE-2017-5715) mitigations; MinVmVersionForCpuBasedMitigations is only needed on Hyper-V hosts, so that virtual machines on older configuration versions can also use the mitigations. A restart is required for the values to take effect:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


After the reboot, running the command again, we can verify that the system is protected against CVE-2017-5754:
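The whole procedure above (check the AV compatibility flag, enable the mitigations, verify with the MSRC module) as a script, added here as an example that is not part of the original post or of Microsoft’s guidance. It assumes the SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl) and that it runs elevated on the server being remediated; the property names read from Get-SpeculationControlSettings are the ones the module returns.

```powershell
# Added example, not from the original post. Assumes: elevated session, the SpeculationControl
# module installed, and the January 2018 update already applied before the registry values matter.

function Test-AvCompatFlag {
    # The AV vendor sets this value once its product is compatible with the update;
    # without it Windows Update does not offer the January 2018 security update.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 0)
}

function Enable-SpeculationMitigations {
    param([switch]$HyperVHost)   # only Hyper-V hosts need the Virtualization value
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    # Override = 0 with Mask = 3 enables both the CVE-2017-5754 and CVE-2017-5715 mitigations.
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    if ($HyperVHost) {
        $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
        if (-not (Test-Path $virt)) { New-Item -Path $virt -Force | Out-Null }
        New-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
    Write-Warning 'Registry values written; a restart is required before they take effect.'
}

function Get-MeltdownStatus {
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        AvCompatFlagSet          = Test-AvCompatFlag
        KvaShadowRequired        = $s.KVAShadowRequired               # False on CPUs not affected by Meltdown
        KvaShadowSupportPresent  = $s.KVAShadowWindowsSupportPresent  # False until the update is installed
        KvaShadowEnabled         = $s.KVAShadowWindowsSupportEnabled  # False until the registry values + reboot
        BtiHardwarePresent       = $s.BTIHardwarePresent              # needs the OEM firmware/microcode update
        BtiEnabled               = $s.BTIWindowsSupportEnabled
        # Protected against CVE-2017-5754 when the CPU does not need KVA shadowing or it is enabled.
        ProtectedAgainstMeltdown = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled
    }
}

# Usage, in order: Get-MeltdownStatus (before), install the update, Enable-SpeculationMitigations,
# Restart-Computer, Get-MeltdownStatus (after) and keep the output as evidence of remediation.
Get-MeltdownStatus
```

Running Get-MeltdownStatus before and after and storing both results per server is the “test that your implementation actually works” part: a server where KvaShadowSupportPresent is true but KvaShadowEnabled is false has the patch but not the mitigation, which is exactly the state the screenshots above show.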

Want to know more? https://meltdownattack.com/

Karim

Interview with RunAs Radio

I had the honor of being a guest at RunAsRadio with host Richard Campbell where we discussed security in Office macros and how you can secure your enterprise. Click the image to listen to the podcast:

Office macros need security? Yes! Richard chats with Karim El-Melhaoui about the issues around Office macros. With default settings, VBA macros in the Office suite are incredibly powerful and are an effective malware vector. While Microsoft has some built-in capabilities to warn users about enabling macros, modern malware makers have been socially engineering users to bypass those protections. You can go heavy handed and disable macros with group policy, but what if you need them? Karim talks about some of the latest features coming in the Windows 10 Creators Update to provide more granular security for Office macros. But maybe it’s time to move away from them entirely?

To get started:

Attack Surface Reduction – Windows 10 1709:

Attack Surface Reduction was discussed in the interview and is a powerful mitigation that was introduced in Windows 10 Fall Creators Update (1709). It provides several rules for blocking common macro attacks, such as Office applications spawning child processes or creating executable content.

Also look into blocking macros originating from the internet; more information is covered in a detailed blog post from Microsoft:

https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
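To make the two controls above concrete, here is an added example (not part of the original post, the podcast, or Microsoft’s documentation) that enables the four 1709 ASR rules aimed at the Office macro attack chain in audit mode, reads back their state, lists the ASR events Windows Defender writes so you can review what would have been blocked before switching to Enabled, and sets the Office 2016 user policy that blocks macros in files that came from the internet. It assumes Windows 10 1709 with Windows Defender Antivirus as the active AV and an elevated session; the rule GUIDs are the documented ASR rule IDs, and the policy value name is the one from the linked blog post.

```powershell
# Added example, not from the original post. Assumes Windows 10 1709, Windows Defender AV active,
# elevated session. Rule GUIDs are the documented ASR rule IDs for the Office-related rules.

$OfficeAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro'
}

function Set-OfficeAsrRules {
    param(
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode = 'AuditMode'   # start in audit, review the events, then switch to Enabled
    )
    $ids     = @($OfficeAsrRules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })   # one action per rule id, same order
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-OfficeAsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        if ($OfficeAsrRules.ContainsKey($id)) {
            [pscustomobject]@{
                Rule   = $OfficeAsrRules[$id]
                Id     = $id
                Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # 0 = Disabled, 1 = Enabled, 2 = Audit
            }
        }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # 1121 = a rule fired in block mode, 1122 = a rule fired in audit mode (would have blocked).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message   # names the rule id, the process and the file it acted on
        }
    }
}

function Enable-BlockInternetMacros {
    # Office 2016 "Block macros from running in Office files from the Internet" (Mark of the Web);
    # it is a per-user policy, so this writes the HKCU policy hive for Word, Excel and PowerPoint.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: Set-OfficeAsrRules -Mode AuditMode; Enable-BlockInternetMacros
#        ...after a week: Get-AsrEvents -Hours 168; then Set-OfficeAsrRules -Mode Enabled
Get-OfficeAsrRuleState
```

Audit first is the point of the ASR design: the 1122 events tell you which line-of-business macros would break under a rule before any user is affected, so the decision to block is based on data from your own environment rather than on the default.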


I hope to write a more detailed blog post covering ASR in Windows 10 1709.

Restrict OneDrive for Business to Domain-joined Computers

Conditional access for OneDrive can be configured in several ways, but it is not part of the new Azure AD Conditional Access experience, and the new OneDrive Admin Center (https://admin.onedrive.com/) also lacks an option to restrict which devices can synchronize files. There are, however, several other options worth looking into.

If you would like to restrict OneDrive to only synchronize files on domain-joined computers, you will either need Microsoft Intune with the classic portal (this feature does not exist in the new Azure experience), or you can configure it with the SharePoint Online Management Shell PowerShell module. To configure OneDrive for Business “Conditional Access” with PowerShell, do the following:

Step 1:

Find your domain’s ObjectGuid. If you have multiple domains, make sure to include all ObjectGuids, separated by semicolons (the -DomainGuids parameter takes a single semicolon-separated string).

To find your domain’s ObjectGuid, run the following command in PowerShell (it requires the Active Directory module from RSAT), specifying your on-premises domain:

Get-ADDomain -Identity EntSecLab.com | Select-Object ObjectGuid


Step 2:

Install the SharePoint Online Management Shell: https://www.microsoft.com/en-us/download/details.aspx?id=35588

Run in PowerShell: Connect-SPOService -Url https://Office365Tenant-admin.sharepoint.com (make sure to replace Office365Tenant with your tenant’s name). You will then be prompted for credentials. The least privilege required is the SharePoint Online service administrator role.

Run: Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "<ObjectGuid>" (multiple GUIDs separated by semicolons). You can read the setting back with Get-SPOTenantSyncClientRestriction; note that it can take up to 24 hours before the sync clients pick up the change.

Done!
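Both steps as one script, added here as an example that is not part of the original post: it collects the ObjectGuid of every domain in the forest (not only the root domain, which is the usual mistake), validates and joins them with semicolons in the format Set-SPOTenantSyncClientRestriction expects, applies the restriction and reads it back. It assumes the RSAT Active Directory module and the SharePoint Online Management Shell are installed on the machine it runs on, and an account with the SharePoint administrator role; Office365Tenant is a placeholder for your tenant name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT) module and the
# SharePoint Online Management Shell are installed, and a SharePoint administrator account.

function Get-ForestDomainGuids {
    # Every domain whose computers should be allowed to sync, not just the forest root.
    Import-Module ActiveDirectory -ErrorAction Stop
    (Get-ADForest).Domains | ForEach-Object {
        (Get-ADDomain -Identity $_).ObjectGuid.Guid
    }
}

function ConvertTo-DomainGuidList {
    param([Parameter(Mandatory)][string[]]$Guids)
    # -DomainGuids takes ONE string; multiple GUIDs are separated by semicolons, not commas.
    foreach ($g in $Guids) {
        if ($g -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
            throw "Not a GUID: $g"
        }
    }
    return (($Guids | Select-Object -Unique) -join ';')
}

function Set-OneDriveDomainRestriction {
    param(
        [Parameter(Mandatory)][string]$TenantName,          # e.g. Office365Tenant (placeholder)
        [string[]]$DomainGuids = (Get-ForestDomainGuids)    # defaults to all domains in the forest
    )
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
    $list = ConvertTo-DomainGuidList -Guids $DomainGuids
    Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $list
    # Read back what the tenant actually stored; sync clients pick the change up within 24 hours.
    Get-SPOTenantSyncClientRestriction
}

# Usage: Set-OneDriveDomainRestriction -TenantName 'Office365Tenant'
```

The GUID check before the call matters because the cmdlet accepts the string as-is: a typo or a comma-separated list does not fail loudly, it simply means the sync client on machines of the affected domain gets blocked.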

Windows 10 Enterprise E3 on CSP

As Microsoft continues to move towards the “Windows as a Service” model, they recently released Windows 10 Enterprise E3 as part of the Cloud Solution Provider (CSP) program, which makes Windows 10 Enterprise available to organizations of any size as a monthly subscription. I consider this another opportunity to increase the adoption of Windows 10, especially considering that Enterprise features such as Credential Guard and AppLocker are almost becoming mandatory for sufficient protection of Windows given the increased threat landscape.

The biggest disappointment with this license is that it requires an activated Windows 10 Professional license prior to activation, which means it cannot be used as a cheaper upgrade path to Windows 10. It also doesn’t include Software Assurance, which I consider one of the bigger benefits of the Enterprise license. Technical documentation can be found here: https://technet.microsoft.com/en-us/itpro/windows/deploy/windows-10-enterprise-e3-overview

Microsoft will likely introduce a new license called “Windows 10 Enterprise E5” which will include Windows Defender ATP; whether Software Assurance will be part of this E5 license is currently unknown.

Considering the deprecation of some Group Policies in Windows 10 Professional prior to the launch of this license, it could seem like Microsoft is trying to force organizations onto the Enterprise license; sources at Microsoft confirmed this is not the case and Professional will still be usable for business in the future.


Microsoft Intune: Troubleshooting Android Company Portal enrollment issues

In some cases users are unable to uninstall the Company Portal application on their Android devices after unenrolling, or while troubleshooting enrollment issues.

There are two ways this can be resolved:

The easiest way for the end user is to have the administrator “selectively wipe” the device; this will in most cases resolve the problem, as long as the device has established contact with Microsoft Intune.

The other scenario is when the device failed before establishing a connection with Microsoft Intune; the user will then have to manually remove Company Portal as a device administrator in order to uninstall the app.

Instructions:

Open Settings > Security > Device Administrator > Delete Company Portal from Device Administrators and reinstall the application.

The same instructions will resolve another problem you might encounter during enrollment: “Failed to activate Device Administrator”. This often occurs if a user had problems during the initial enrollment phase.


Customizing Bitlocker Unlock screen

With the Windows 10 ADMX templates finally released, I had a thorough search through every setting that was added and found one of them very useful. To see the full announcement from Microsoft: http://blogs.technet.com/b/askds/archive/2015/08/07/windows-10-group-policy-admx-templates-now-available-for-download.aspx

The specific setting I found very useful is found here: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\

“Configure pre-boot recovery message and URL”, which lets you configure the message users see when BitLocker enters recovery mode and asks for the recovery key, which can also happen when they attach their PC to a docking station. Pointing users to your own help desk URL here saves support calls, since the default screen gives them nowhere to go.

I tested it myself and it works just as described (I added an example text to show how useful it would be for enterprises to configure it):