Managing Device Code in Entra ID

Entra ID has a new capability to manage Device Code authentication. Here, I’ll show you how you can allow Device Code authentication only to members of a group that you need to activate through Privileged Identity Management (PIM), a Privileged Access Group (PAG). So, unless you PIM this group, you won’t be able to use Device Code authentication. Device Code authentication is often used in phishing campaigns and poses a real risk to tenant security. Microsoft has listened to the user community and now brings the ability to manage who can use Device Code. Here’s how I would implement this new capability.

Prerequisites:

  • Privileged Role Administrator
  • Entra ID Premium P2 licence
  • Conditional Access Administrator

Create a Security Group

Convert the group into a Privileged Access Group

Assign users and configure the settings for this group: you can configure the maximum activation duration (1 hour should be right) and require MFA on activation

Create a Conditional Access Policy

Include All users; exclude your break-the-glass accounts and the PAG you previously created

Under Conditions, add Authentication flows and select Device code flow

Under Grant, select Block access

You are now done: users assigned to this group now need to go through Privileged Identity Management to activate the Security Group before they are allowed to use Device Code authentication.
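As an added example (not from the original post), here is the same policy created with the Microsoft Graph PowerShell SDK, in report-only mode first. The group and account object IDs are placeholders, and it assumes the authentication flows condition is available to your tenant through Graph.

```powershell
# Added example, not the post's own script. Creates the Conditional Access policy described above
# with Microsoft Graph PowerShell. Object IDs below are placeholders: replace them with your own.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pagGroupId        = "<object-id-of-privileged-access-group>"                      # placeholder
$breakGlassUserIds = @("<object-id-of-break-glass-1>", "<object-id-of-break-glass-2>")  # placeholders

$policy = @{
    displayName = "Block device code flow unless PIM-activated"
    # Start in report-only, review the sign-in logs, then switch to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeUsers  = $breakGlassUserIds     # break-the-glass accounts
            excludeGroups = @($pagGroupId)          # the PAG members activate through PIM
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # Authentication flows condition: only the device code flow is targeted
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep the policy in report-only mode until the sign-in logs show only the expected device code users being matched, then set its state to enabled.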

The perfect server environment

In this blog post I list the essential features a server environment should have to be considered almost perfect:

  • 100 % automated image build and deployment to a store (Azure Compute Gallery, VMware Content Library, etc.).
  • 100 % automated server build mechanism, so no human is involved in server delivery.
  • 100 % automated server destruction mechanism.
  • Servers are shut down when not in use to save energy; hosts are shut down too, which saves cost in the cloud.
  • Server capacity is well used: right-sizing, automated size reviews, storage sizing, storage tiers (archive, cold, hot, performance), tier reviews and auto-adjustment, all scheduled.
  • Predictable stability: I mean that if your servers are all built the same way, with the same tools and the same versions, you are in control of the environment where you make modifications; you only have to take the software exceptions into account.
  • All server functions/roles are deployed by automation, so you can rebuild the server if needed and migrate the OS with a high level of confidence.
  • Recipes for auto-adaptability covering most of the scenarios your enterprise can have, e.g. automatic storage provisioning in a controlled environment if a batch needs it, or the extra CPU needed at end of month for some compliance reports.
  • All network flows (in/out) are controlled and well known; they are validated from the server’s point of view.
  • Server utilization is controlled and well known, e.g. accounts that authenticate, protocol usage, number of requests per account, per protocol and per port, CPU usage, memory usage, network usage.
  • Servers are 100% compliant with the business standards; all exceptions are documented in the script that does the validation, and this script is auto-maintained by the automation (server destruction, function/role deployment) and run every week.
  • All server functions/roles are tested/monitored by automation, and transactions are validated.
  • All access to functions/roles by support teams is delegated remotely, with no interactive logon, so deployment, support logs and software/infrastructure restarts are delegated directly or through a pipeline.
  • The environment is auto-documented: server names, network flows, server specs, account access, etc.

In that list I haven’t talked about backup, EDR, SIEM, patches, tooling, etc., only the server functions. We should take server management to a level where we almost never have to log on to a server.

Microsoft Windows Defender Elevation of Privilege Vulnerability (CVE-2020-1163) & Microsoft Windows Defender Elevation of Privilege Vulnerability (CVE-2020-1163)

Hello,

I was in a situation where Windows Defender was not the antivirus configured on the Windows Server 2019 boxes, and the vulnerability scanner reported that the servers had 2 vulnerabilities related to Windows Defender. The issue is that if you don’t use Microsoft Windows Defender, you can’t patch it. Since Microsoft Windows Defender is not started, the vulnerability is not exploitable. But since we wanted to provide a clean vulnerability report, and since if the client decides to use Windows Defender in the future it would already be patched, I needed to find a solution. Here’s what I did to be able to patch it (scriptable).

GPO:

Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus

Turn off Windows Defender Antivirus = Disabled

Add to this GPO’s scope the servers that I wanted to patch (remove Authenticated Users from the "Apply Group Policy" rights)

Run gpupdate /force on the destination servers

Copy and run the latest version of mpam-fe, "Microsoft Defender Antivirus for Windows 10 and Windows 8.1" (https://www.microsoft.com/en-us/wdsi/defenderupdates)

You should have new entries in Event Viewer under Microsoft-Windows-Windows Defender/Operational

If you check Task Manager you will see that MsMpEng.exe is running

Copy and run updateplatform_e2a95a1a729b3e06ee156591826d0adb52502e5d (https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623), the latest Defender Antivirus definition package (~15 MB)

You should again have new entries in Event Viewer under Microsoft-Windows-Windows Defender/Operational

You can now remove the servers from the GPO scope and run gpupdate /force on the destination servers

No reboot needed
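The steps above, as an added scripted version that is not the post's own script: it records the Defender engine/signature state before and after, runs the two packages, and pulls the Operational log entries mentioned above. It assumes the two packages were copied to C:\Temp (placeholder path) and that the server is already in the GPO scope.

```powershell
# Added example, not from the original post. Assumes mpam-fe.exe and the updateplatform package
# sit in $pkgDir (placeholder path) and the GPO above already targets this server.
$pkgDir = "C:\Temp"

function Show-DefenderState {
    # Get-MpComputerStatus needs the Windows Defender feature; it may fail while Defender is off
    $proc   = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EngineRunning    = [bool]$proc
        AMProductVersion = $status.AMProductVersion        # platform version (updateplatform)
        AMEngineVersion  = $status.AMEngineVersion         # engine version (mpam-fe)
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
    }
}

"Before:"; Show-DefenderState | Format-List

# Apply the "Turn off Windows Defender Antivirus = Disabled" policy so MsMpEng.exe starts
gpupdate /force | Out-Null

# Both packages install silently; -Wait keeps the steps in order
Start-Process -FilePath (Join-Path $pkgDir "mpam-fe.exe") -Wait
# placeholder file name: use the updateplatform package name downloaded from the catalog
Start-Process -FilePath (Join-Path $pkgDir "updateplatform.exe") -Wait

"After:"; Show-DefenderState | Format-List

# Entries written by Defender during the update, first line of each message only
Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-Windows Defender/Operational"
    StartTime = (Get-Date).AddMinutes(-30)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = "Message"; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Compare the two version blocks: AMProductVersion and AMEngineVersion should both have moved after the second package, which is what the scanner checks.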

Hope that was useful

Watchout ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

At this moment, Microsoft plans to publish in the March 2020 rollup an update that changes the default behaviour of LDAP and will require LDAP Signing if you haven’t applied a registry modification.
In the March 2020 rollup Microsoft is looking to enable LDAP Signing by default, so if you haven’t forced the parameter by GPO or another method, your LDAP clients that don’t use LDAP Signing would have trouble. No news from Microsoft on the new date.

You should take a look at
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023

Event ID 2887 in the Directory Service log is written every 24 hours when unsigned LDAP binds were attempted, so it’s a good indicator. If you want to identify where they come from, I suggest you run

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

and then look for event ID 2889; no reboot or service restart is needed to activate this logging.
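As an added example that is not part of the post, here is a PowerShell version of the registry change above plus a summary of the 2889 events by client IP, account and binding type, so the unsigned or cleartext binders can be inventoried before signing is enforced. The property order used for event 2889 (client IP:port, identity, binding type) is an assumption based on how the event renders; check it against one event's XML on your DC.

```powershell
# Added example, not from the original post. Run on a domain controller.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $regPath -Name "16 LDAP Interface Events" -Value 2 -Type DWord

function Get-UnsignedLdapBinders {
    # Summarise event 2889 since $Since (default: the last 24 hours)
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; Id = 2889; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed property order for 2889: [0] client IP:port, [1] identity, [2] binding type
            $ipPort = [string]$_.Properties[0].Value
            $idx    = $ipPort.LastIndexOf(':')          # LastIndexOf so IPv6 addresses survive
            [pscustomobject]@{
                ClientIP    = if ($idx -gt 0) { $ipPort.Substring(0, $idx) } else { $ipPort }
                Identity    = [string]$_.Properties[1].Value
                BindingType = [string]$_.Properties[2].Value   # meaning is spelled out in the event text
                Time        = $_.TimeCreated
            }
        } |
        Group-Object ClientIP, Identity, BindingType |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP    = $_.Group[0].ClientIP
                Identity    = $_.Group[0].Identity
                BindingType = $_.Group[0].BindingType
                Count       = $_.Count
                LastSeen    = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } |
        Sort-Object Count -Descending
}

# Let the DC collect for a full business cycle (month-end jobs included) before summarising
Get-UnsignedLdapBinders | Format-Table -AutoSize

# Level 2 logs every single unsigned bind; set it back to 0 once the inventory is done
# Set-ItemProperty -Path $regPath -Name "16 LDAP Interface Events" -Value 0 -Type DWord
```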

That change also applies to the LDAP of AD LDS, and I guess it would be the same for Azure AD DS.

SMB Signing

Hello,

Today’s subject: SMB Signing. Many of us are asked to be CIS, NIST or whatever-standard compliant, and since most of us worked hard to remove SMB1 from the environment, now it’s SMB Signing.

The best document, and the one everyone refers to, is https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/

It’s kind of clear on the first read, but you need to reread it many times and do your own testing with it. Here are the conclusions of my tests:

Digitally sign communications (if server agrees) – only applies to SMB1

Digitally sign communications (if client agrees) – only applies to SMB1

So now you say.. SMB2 and SMB3 have it embedded…  and the answer is NO!

The only way to get SMB signed is to enable Digitally sign communications (always), so now the question is: what if I have a system that is incompatible with signed SMB? You can’t have both..

The workaround would be to use SMB Encryption instead, but then your compliance team would not be happy because you don’t have Digitally sign communications (always) enabled on every server; I’ll let you deal with that part. SMB Encryption is much more secure than signing.

PLUS: SMB Encryption has a low footprint on performance on Windows Server 2016 and up. On 2008 R2 and 2012 R2, SMB Signing has a lower footprint on performance.

Demo Part:

Windows 2016 Default Config -> Windows 2016 Default Config

Get-SmbConnection | Select *

SmbInstance : Default
ContinuouslyAvailable : False
Credential : Confidential
Dialect : 3.1.1
Encrypted : False
NumOpens : 4
Redirected : False
ServerName : Confidential
ShareName : Confidential
Signed : False
UserName : Confidential
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB : MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted…}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties

Part 2:

Windows 2016 Digitally sign communications (always) -> Windows 2016 Default Config

Windows 2016 Default Config -> Windows 2016 Digitally sign communications (always)

Windows 2016 Digitally sign communications (always) -> Windows 2016 Digitally sign communications (always)

Get-SmbConnection | Select *

SmbInstance : Default
ContinuouslyAvailable : False
Credential : Confidential
Dialect : 3.1.1
Encrypted : False
NumOpens : 4
Redirected : False
ServerName : Confidential
ShareName : Confidential
Signed : True
UserName : Confidential
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB : MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted…}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties

Part 3:

To encrypt, you have 2 options. One really nice one is per share: in the GUI you can use Server Manager (no, you don’t have it in Computer Management), or by PowerShell

Set-SmbShare -Name shareName -EncryptData $true

or, to enable SMB encryption for every SMB server connection,

Set-SmbServerConfiguration -EncryptData $true

Beware! SMB Signing and SMB Encryption come with an increase in CPU usage, so be sure to monitor your CPU before and after to see if you are still OK.
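As an added example that is not part of the post, here is the check I would run before and after changing any of the settings above: it reports the server-side signing/encryption configuration behind the "Digitally sign communications" policies, the shares with EncryptData set, and, from the client side used in the demo, every current connection that is neither signed nor encrypted.

```powershell
# Added example, not from the original post. Run on the Windows Server being audited.
function Get-SmbSecurityReport {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        # "Digitally sign communications (always)" on the server side
        ServerRequiresSigning       = $srv.RequireSecuritySignature
        # "(if client agrees)" - only meaningful for SMB1
        ServerSigningIfClientAgrees = $srv.EnableSecuritySignature
        SMB1Enabled                 = $srv.EnableSMB1Protocol
        # Set-SmbServerConfiguration -EncryptData $true from Part 3
        ServerEncryptsAll           = $srv.EncryptData
        # When True, clients that cannot encrypt are refused instead of falling back
        ServerRejectsUnencrypted    = $srv.RejectUnencryptedAccess
        # "(always)" on the client side
        ClientRequiresSigning       = $cli.RequireSecuritySignature
        # Shares encrypted individually with Set-SmbShare -EncryptData $true
        EncryptedShares             = ((Get-SmbShare | Where-Object { $_.EncryptData }).Name -join ", ")
    }
}

function Get-UnprotectedSmbConnections {
    # Outbound connections (same view as Get-SmbConnection in the demo) with neither protection
    Get-SmbConnection |
        Where-Object { -not $_.Signed -and -not $_.Encrypted } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted, UserName
}

Get-SmbSecurityReport | Format-List
Get-UnprotectedSmbConnections | Format-Table -AutoSize
```

Any line in the second table is a session a compliance scan would flag; on SMB 3.x a server that shows Encrypted = True for a connection is the author's workaround in action, even though Signed stays False.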

CPU Speculation Control vulnerabilities

What better than a vulnerability that affects almost everything to start the new year! We’ll start working hard this year since this vulnerability needs you to patch the hardware, the OS (clients and servers), mobile devices, hypervisors, cloud machines, etc.. I don’t know about other cloud providers, but I can say that Microsoft was pretty fast on patching Azure hardware and hypervisors. First we need to look at how big the performance impact is, especially on database and hypervisor servers.

There’s also a PowerShell module to test your system! Just run an elevated PowerShell and install the module:

Install-Module SpeculationControl

Get-SpeculationControlSettings

After the Microsoft patch and a reboot I got

The Microsoft update is already available on Windows Update (prior to Patch Tuesday)

http://www.catalog.update.microsoft.com/Search.aspx?q=2018-01

In order to get "Windows OS support for branch target injection mitigation is enabled: True" you need to update the BIOS with the latest patch

After the BIOS update from the tablet manufacturer

On an older machine I got

Now it’ll be interesting to see how fast my motherboard manufacturer will be, since it’s a 2012 motherboard..
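As an added example, not from the original post, here is how I would run the same check across a set of servers and sort out which ones still need an OS update versus a BIOS/microcode update. The server names are placeholders, and it assumes the SpeculationControl module is already installed on each target and that PowerShell remoting is enabled.

```powershell
# Added example, not from the original post. $servers holds placeholder names.
$servers = @("SRV01", "SRV02")

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module SpeculationControl -ErrorAction Stop   # must be installed on each target
    Get-SpeculationControlSettings -Quiet                # -Quiet suppresses the explanatory text
}

$results | ForEach-Object {
    # Decide the next step from the three branch target injection (BTI) flags the post discusses
    $next = if (-not $_.BTIWindowsSupportPresent) { "Install the OS update" }
            elseif (-not $_.BTIHardwarePresent)   { "Update BIOS / microcode" }
            elseif (-not $_.BTIWindowsSupportEnabled) { "Mitigation present but disabled: check policy/registry" }
            else { "OK" }

    [pscustomobject]@{
        Server                   = $_.PSComputerName
        BTIHardwarePresent       = $_.BTIHardwarePresent        # False: firmware/microcode missing
        BTIWindowsSupportPresent = $_.BTIWindowsSupportPresent  # False: OS patch missing
        BTIWindowsSupportEnabled = $_.BTIWindowsSupportEnabled  # the value the post is after
        KVAShadowRequired        = $_.KVAShadowRequired         # CPU needs the kernel VA shadow
        KVAShadowEnabled         = $_.KVAShadowWindowsSupportEnabled
        NextAction               = $next
    }
} | Sort-Object NextAction | Format-Table -AutoSize
```

Re-run it after each patch cycle; the 2012-era boxes tend to stay on "Update BIOS / microcode" for a long time, which is worth tracking separately from the OS patching.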

So suit up and get to work!