Azure ATP: How to do exclusion detection?

Hi and good weekend to you. I haven’t been writing blog post for 1 week due to Chinese New Year holiday, 1 week off from doing YouTube videos and writing blog post, and spending quality time with my family. This is the first Chinese New Year celebration without visiting friends or other family members. E-angpao has become our replacement of physical AngPao. Seeing how this pandemic pushes technology forward and forcing people from all different generation to use technology, is amazing.

Anyway, this blog post I’m going to be talking about how you as administrator you can exclude certain situation from the Azure ATP detection. Azure ATP stands for Microsoft Defender for Identity. There are few situation you can exclude from Azure ATP detection such as Backup accounts and replication accounts. Take note this is only based on my experience or Microsoft recommendation but is not a MUST to exclude them.

How the alerts works in Azure ATP, is that when ever the account is behaving one of the detection it will notify an alert to the Azure ATP portal and to administrator’s email. So imagine if you have Azure AD Connect in your environment, your Azure AD Connect service account is notifying your administrator every 30 minutes, because the default replication time is every 30 minutes. Annoying right? Once you confirmed that this is the service account used only for replication, here is how you could whitelist it from the Azure ATP detection;

*This is for replication account, for others situation the exclude value may differ, these steps below is mainly to gain understanding how to exclude and where to locate the exclude.

  1. Login to https://portal.atp.azure.com
  2. Select Settings
  3. Under the Detection category
  4. Select Exclusion
  5. Locate the detection type and select it
  6. There you would see 3 sections for your choices on how you want to exclude it
  7. You can exclude based account name, hostname, IP addresses, subnets and etc..
  8. Key in the value and remember to save it
  9. This changes apply immediately

Recommended that you monitor 24 hours. For your information, email notification doesn’t have to be send to same tenant users, it could be external party domain but beware of your auditors.

The portal is a simple user interface, not as confusing as the Security and Protection portal.

References:

  1. https://docs.microsoft.com/en-us/defender-for-identity/configure-detection-exclusions

Azure ATP: gMSA limitation for single label domain

Good afternoon everyone, and Happy Holiday to you all. Today’s blog post is another Azure ATP, or you could say Microsoft Identity Defender or MDI for short.

As you might know that gMSA is a type of service account for Windows Server 2012 and above. For some reason it failed to establish authentication between a Windows Server 2016 and Azure ATP portal for this particular environment. This environment is running single label domain on a Windows Server 2016. It was migrate from Widows Server 2008 R2 to Windows Server 2016.

To locate the logs in the server that you installed the sensor to further identify the cause and issue,

C:\ProgramFiles\Azure Advanced Threat Protection\<sensor version> \Logs

In the server where your sensor installed, if you notice the Azure ATP services keeps stopping and starting, from the services.msc, then it means there is problem with the sensor trying to establish the connection to the Azure ATP.

There wasn’t much article found to prove that gMSA limitation with single label domain, so I go ahead and proceed a testing. I created a managed service account with no special permission included, and add the credential to the Azure ATP > Directory Service. Upon monitoring, there wasn’t any alert prompt from Azure ATP, Azure ATP alert is pretty instant when detected failure on authentication.

So the resolution was to use managed service account instead of the gMSA account for this situation. The sensor start to working well with managed service account.

Active Directory: Troubleshoot ADPREP /DOMAINPREP “Access is denied” issue

Good day, hope you guys are having a good weekend. This blog post is about active directory portion. My situation was the environment contains Windows Server 2008, and would wish to upgrade to Windows Server 2008 R2, by setting up new VMs with Windows Server 2008 R2 Operating System. The environment contain a parent domain and 2 child domains. Due to Microsoft has stop supporting pushing updates to legacy servers, the environment had to use a third-party product to support the pushing of windows update to the legacy servers and the product is also served as Anti-virus/malware.

Before you are going to prep domain and forest you have to make sure your account has the proper permissions to perform the prep.

While I was about to prep a child domain using the command prompt in elevation mode, I receive an error saying “Access is denied”, there was no log to refer to, to know about details what caused this issue. Same goes to event viewer logs.

After long research there was no resolution and the next try was to disable the third-party product and re-run the adprep command and was able to run successfully.

If you have other issues with adprep, you may refer the logs from this path “C:\Windows\Debug\adprep\”.

References:

  1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731728(v=ws.11)

Azure ATP: How to setup a gMSA account?

Hey guys hope you all are staying indoors and cautions about your health. Today’s blog post is to understand what is gMSA account, how to create them and why does it required for setting up Azure ATP (a.k.a Microsoft Identity Defender ATP).

gMSA stands for group managed service account, below reference that you can refer to understand details about it. You only need to setup a gMSA account for Windows Server version 2012 and above, it is recommended to use gMSA account for you Azure ATP deployment if your Domain controller fall on the versions 2012 and above.

Why gMSA and not usually service account (user object)? It improves the security and automatic password management. It works similar as a managed service account functionality and with extended capabilities, such as password is being managed by your Active Directory and every 30 days a new password is assigned to this service account automatically. If you have mix of legacy domain controllers and newer version of domain controllers, you would need both type of service accounts.

Note:

  • Azure ATP directory service connection, doesn’t required a gMSA account, to be a member of domain admin
  • If your server doesn’t have the root key created, then run the Add-KdsRootKey command with following parameter “-EffectiveTime“, with value immediately or scheduled.

For this Azure ATP case, all domain controllers with sensor must have managed password permission/right on the gMSA account. Make sure your account has a domain admins right to be able to perform the following setup below;

How to setup a gMSA account?

  1. On your domain controller
  2. Open/Launch PowerShell cmdlet
  3. Type the following command
    New-ADServiceAccount -Name <ATP service account name> -DNSHostName <FQDN of 1 of your domain controller> -PrincipalsAllowedToRetrieveManagedPassword <domain controller hostname01$>,<domain controller hostname02$>
  4. Sample of the command
    New-ADServiceAccount -Name AzATPSvc -DNSHostName DC01.contoso.com -PrincipalsAllowedToRetrieveManagedPassword DC01$, DC02$
  5. Retrieve your change result command
    Get-ADServiceAccount -Identity AzATPSvc -Properties PrincipalsAllowedToRetrieveManagedPassword
  6. Testing the service account command
    Test-ADServiceAccount -Identity AzATPSvc

If your customer is highly concerns about what sort of permission this account is assigned you may run the command below;

  1. Get-ADServiceAccount -Identity AzATPSvc -Properties MemberOf

Sample image

References:

  1. https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#-sensor-requirements
  2. https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_AddMemberHosts
  3. https://adsecurity.org/?p=4367

Azure AD Connect: Event code 8344 – Permission issue

Hey guys hope you are doing well today, today blog post is about Azure AD Connect permission issue. If you have been doing new infra deployment for years and very less in terms of troubleshooting and yes you will not expect what is the cause to this problem. The impact of this problem, is that user’s password won’t able to be sync to office 365 and they will have issue login to their office 365 portal and would required reset of their password from office 365 portal.

I had written about this issue before but it was 2018, the version of Azure AD Connect was much older. If you look into the Azure AD Connect deployment Microsoft article, version about 1.148 would required a write permission for the attribute “ms-ds-consistencyguid” to the service account that you are using to deploy the Azure AD Connect.

Minimum permission required for the service account are:

  1. Replicate directory changes
  2. Replicate directory changes all
  3. Write permission , for attribute ms-ds-consistencyguid

After providing the permissions to the service account, you would need to re-run the Azure AD Connect execution file or tool, for the changes that you made to that service account to take reflect.

Example image

After that the sync would start to run and I notice that are still some accounts giving “permission issue” error. So the next dependency was looking into the “inheritance” function, was it disable or not. I was able to identify that the particular OU have its inheritance enabled but on the single user object inside that OU, its inheritance was disabled.

This inheritance is from user’s object > Security tab > Advanced, at bottom.

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

Microsoft Endpoint Manager ATP: Onboarding Methods For Windows 10

Hey fellow humans, how are you guys doing? With this covid-19 happening around us, hope that you are cautions about your health and safety of yourself and others too. I still can not believe that there are people still thinks that this virus is a myth. It really hurts to see the increases of cases in Malaysia has reach 4 thousand covid-19 cases yesterday in a day.

Anyway, lets start this blog post with another ATP, if you are new with this technology ATP stands for Advanced Threat Protection. My last post about ATP , is Azure ATP / Microsoft Endpoint Identity Defender ATP, do feel free to read about it.

This blog post would be about onboarding methods Endpoint to Microsoft Endpoint Defender ATP, if you haven’t notice Microsoft has launch 1 new onboarding methods that you can enroll for your lab environment or customers.

If you are new to the ATP here are the steps to get these methods;

  1. Sign up for a Office E3 trial license
  2. Setup the account
  3. Sign in to Office 365 Admin center> Billing > Select Purchases Services
  4. Under the purchases services select M365 E5 trial license
  5. Assign your Office 365 account with M365 E5 license
  6. Would take an hour or few minutes for the ATP Admin portal to setup for ready to use
  7. Head to Microsoft Endpoint Manager Admin Center
  8. At the side bar you can see “Endpoint security” > Setup > Microsoft Defender ATP
  9. There you would need to start setup of the Microsoft Defender ATP, it only takes 5 mins to setup, yes from the setup page here you may able to view the onboarding methods too but is only one-time setup page, so the actual location of this onboarding is at their Microsoft Defender ATP Admin portal.
  10. Enter the Microsoft Defender ATP Admin portal and there it will direct you to another portal where all the Endpoint’s onboarding , offboarding, analytics and etc.. located
  11. At the side bar > Select Settings icon > Device Management > Onboarding
Onboarding methods

As you can see the above image, these are the following onboarding methods that you can use to onboard your endpoint devices.

  1. Local Script
    • Has limitation, per script only for 10 devices. Meaning that Script 1 has been used for 10 devices and to enroll the number 11 device you would need to re-download the new script package from the onboarding method.
    • If you are doing a quick lab this would be the best method to test the onboarding
  2. Group Policy
  3. Microsoft Endpoint Configuration Manager current branch and later
  4. System Center Configuration Manager 2021 /2012 R2/1511/1602
  5. MDM/Microsoft Intune
  6. VDI onboarding scripts for non-persistent devices

Onboarding are run at the backend of your endpoint, and it dependent on the licenses that you purchase and also the environment type. Meaning if your environment has SCCM then you would need to use the SCCM onboarding method to enroll the devices to Microsoft Defender ATP.

Microsoft has really ease quite a lot for administrators work in enroll their devices to ATP services and having integration between ATP and other security features inside. I will write more about it on the next blog post. Have a nice weekend!

References:

  1. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/onboard-configure
  2. Microsoft Defender for Endpoint – Windows security | Microsoft Docs
  3. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints

Azure Exam: AZ-500 How to pass the exam?

Good day, I’ve been receiving requests asking me how did I manage to pass the AZ-500 exam, which I just recently took it, on 22nd December 2020. I’m writing a blog post about it because I can’t go one by one to reply you guys.

There was 60 questions, including (1) case study, (10) true and false questions and (40) objective questions. If not mistaken.

There were no labs in this exam. If you were the earlier adopters for this exam and yes there was a requirement of completing a lab in this exam.

The exam was mainly focusing on

  1. Your understanding of OSI layers *
  2. Steps on encryption and decryption of SQL and databases.
  3. RBAC
  4. Azure AD Connect deployments
  5. Network access and privileges
  6. Access and privileges of virtual servers
  7. Where to get Reports from, for different platform based on the types of Azure services

To be honest, without proper understanding and reading the questions and OSI layers concept you would have slight chances of passing this exam. If you have experiences with Azure services, then you won’t need to worry much about the exam. I would recommend you to prepare yourself with the following reference links below, it would give you help on passing this exam.

All the best and good luck ahead!

References

  1. https://microsoftlearning.github.io/AZ500-AzureSecurityTechnologies/

Azure ATP: Azure ATP capabilities and mechanism

Hey everyone, hope you guys had a wonderful day. Starting of a new year 2021. I hope everyone stay healthy and stay safe distance from one another or avoid crowded places.

I know that this pandemic has test us in many ways, in terms of physically and mentally. If you manage to get through year 2020 challenges, then give yourself a pad on the back, you did good.

This blog post I’m going to write about what is Azure ATP, before I jump into the topic, I want to say that security is a journey. If you guys have read about the recent news about attacks rises double/triple in the year 2020 and also the news about solarwinds attack, then these are enough proof that hackers are given more chances to attack in this situation, because they know majority businesses or corporates are still vulnerable or not up to par in terms of securing their environment and providing security training to users. Users mistakes in allowing attackers are also risk to the corporate that is why users training is still important to corporates. Losing money/profit to attackers is twice painful to the corporates then purchasing and implementing security technologies/products in the environment. Let’s take ransomwares as an example for this case. Due to this pandemic, I notice quite an amount of corporates are now implementing the concept of “Zero-trust“. If you would like to know what is “Zero-trust”, do feel free to Google them up.

Anyway, alright lets start our topic. The ATP term has been quite awhile in the security industry, or if you still not too sure what is ATP, ATP stands for Advanced Threat Protection. It contains advanced intelligent technology and combination of algorithms to identify and investigate types of malicious behavior and it will select appropriate action to quarantine/block the malicious actions before doing any harm to the environment and provide deep dive detailed reports to administrators.

Azure ATP has been known quite awhile in Microsoft 365, and Microsoft had given a different naming, Microsoft Identity Defender. It’s capability is to:

  1. Identify compromised accounts
  2. Investigate malicious activities of accounts
  3. Provide best practice security actions to administrators on how to handle accounts that reported by Azure ATP as suspicious or compromised
  4. Provide detail visibility authentication of attacks
  5. Azure ATP able to provide details of attack’s source
  6. Reports are real-time and signals back to Microsoft Identity Defender portal

This is just a summary of the entire structure looks like implementing Azure ATP into the environment with Domain Controllers only.

Azure ATP agent is only for on-premises like Domain controllers and ADFS and the agent will send a signal back to Microsoft Identity Defender if detected malicious activities or compromised accounts. I do recommend that you read more about requirements of deploying Azure ATP, before deploying into your customer’s environment. There is a medium impact required.

References

  1. What is Microsoft Defender for Identity? | Microsoft Docs
  2. Microsoft Defender for Identity architecture | Microsoft Docs

Exchange Online and Hybrid: How to capture/export last usage of Distribution List?

Distribution Groups

Hey everyone, how are you doing? So today’s topic is about how to capture last usage of distribution list. We encounter when we need to do clean up on the groups but imagine if you have thousand of groups that you have to check with the owners whether that the group is in use/active, sounds ridiculous right?

So I came across with this request and manage to found a very good reference on achieving this request.

Make sure you have PowerShell on your workstation to get the following result.

If you do not have appropriate permission to run the following command, below reference on how to get it work. If you have the appropriate permission or this is not your first time using PowerShell, then you can just launch your PowerShell as usual.

#Import the module
Import-Module ExchangeOnlineManagement

#Connect to Exchange Online
Connect-ExchangeOnline -Credential $usercredential

#Retrieve list of distribution list
$DistributionList = Get-DistributionGroup -ResultSize unlimited

#Get the message trace function to capture the last usage, a delay is needed to not stress of the throttling
$DistributionList | %{Get-MessageTrace -RecipientAddress $_.primarysmtpaddress ; write-host (“Processed Group: ” + $_.primarySMTPAddress) ; Start-Sleep -Milliseconds 500} | export-csv -Path C:\<filename>.csv –Append 

References:

  1. https://docs.microsoft.com/en-us/archive/blogs/timmcmic/office-365-create-a-report-of-distribution-group-usage
  2. https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
  3. Set-ExecutionPolicy (Microsoft.PowerShell.Security) – PowerShell | Microsoft Docs

aOSKL 2020: How secure your endpoint protection?

Hey guys and girls, hope you are having a good day. I know is Monday Blues, I was having the blue mood this morning, not a good way to start the new day. Anyway, Covid-19 is still high alert in our area, it went from 600 to 800 users per day affected. Please don’t travel as a huge group, stay concern about people around you.

Is almost end of 2020, and here is another event that I am going to speak at, virtually of course. This is my 3rd year speaking at aOS Community event. Every year is a new experience and meeting new people in this event.

This year event, I’m going to talk about Endpoint Protection. Do register yourself if you are interested in this event.

Peace Out!