Azure Storage & Office 365 Import PST: Troubleshoot Error “HttpStatusMessage: Bad request”

Hey guys and girls, I hope everyone is doing well during this Covid-19 movement control. To those who are hospitalised, I hope you recover. To those who have recovered, I hope you don’t face any criticism from others and don’t fall to Covid-19 again.

Well, for IT field workers, our work still continues. In my lab environment I was testing the Office 365 Import PST feature in Security and Compliance. Personally I feel this is a good feature, but there is too much manual work involved.

Note:

Using network upload to import PST files is free.

Check the license plans that include this import feature at the reference below.

So, a brief explanation of what I was doing: Office 365 Import PST gives us 2 options for uploading the PST, either network upload (free) or physical (charged). I chose network upload, which requires the AzCopy command to run the upload. I have a PST larger than 1 GB, and the upload failed with the following error message on the AzCopy console: “HttpStatusMessage: This request is not authorized to perform this operation using this permission.”

At first I thought there might be a limit on the upload size, since the Azure Storage provided is only temporary. Looking through the documentation, it didn’t state any upload limitation. Hence, further research.

The resolution was to disable the ATP agent on my lab PC, which was blocking the upload. Then rerun the AzCopy command to re-upload the PST.

If you have any third-party applications with network control or ATP functionality, I would recommend disabling them to avoid running into this problem.


References:

  1. https://docs.microsoft.com/en-us/microsoft-365/compliance/faqimporting-pst-files-to-office-365?view=o365-worldwide
  2. https://www.microsoft.com/en-us/microsoft-365/business/compare-more-office-365-for-business-plans

PowerShell: PowerShell with MFA

It seems that more users are enabling MFA, but when it comes to managing via PowerShell, they can’t seem to log in with their credentials using the normal PowerShell module.

When you have MFA enabled, you have to install the module that supports MFA. Pretty extra, right? Haha, yeah I know. Administrators tend to prefer the GUI for management, but on other occasions we still need PowerShell to manage our cloud services.

Finding the PowerShell module can be a little tricky, but hey, I’m here to help you.

So enough chit-chat… let’s get it on!

First of all you have to open your Exchange Online portal > hybrid > select the second option; not the first option!


Note:

*Make sure your laptop or computer has the latest .NET Framework and a supported Windows operating system for this module.

Once you have it installed, it will create a shortcut for you;


Anyway, expect the Connect commands to work the same way as with the usual PowerShell module.

Connect-EXOPSSession – Exchange Online

Connect-IPPSSession – Security and Compliance

References:

  1. https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps

Differences of AzInfoProtection and AzInfoProtection_UL client application

When unified labeling was announced as no longer in preview, a new application called AzInfoProtection_UL came along; you can find the download link for this application in the references below this post. There is also the preview application, called AzInfoProtection_UL_Preview.

Before unified labeling, the only application available for Azure Information Protection was AzInfoProtection (the classic client). So what is so different about them? Before we jump into the differences, let’s understand the definitions.

Classic client

Azure Information Protection is a new enhancement of Rights Management and is managed from the Azure portal. If you need the scanner and HYOK (Hold Your Own Key), then you install the AzInfoProtection.exe (user-profile-based installer) or AzInfoProtection_MSI_for_central_deployment (system installer) client application.

[Screenshots: Classic client]

This part shows Azure labels and Office 365 Sensitivity labels; “DLP View Only” is a custom label created in Office 365.


Unified labeling

Azure Information Protection with Unified Labeling was announced somewhere around June or July 2019. Unified Labeling means that your labels can be managed either from the Azure portal or from the Office 365 Security and Compliance portal. This feature is enabled by default. You can migrate your labels from Azure to Office 365 Security and Compliance. Unified Labeling supports more Office 365 products, such as Microsoft Teams. If you do not need HYOK protection (Hold Your Own Key) or the scanner, then you install the AzInfoProtection_UL.exe (user profile) or AzInfoProtection_UL_MSI_for_central_deployment (system installer) client application.

[Screenshot: how it looks on first install; notice the icon is different]
[Screenshot: select the “Sensitivity” icon and click “Show Bar”]
[Screenshot: these are my Office 365 Sensitivity labels]

If you would like to deep-dive into the comparison of these 2 applications, here is a helpful link.


References:

  1. https://www.microsoft.com/en-us/download/details.aspx?id=53018
  2. https://docs.microsoft.com/en-us/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history


C-level talk: M365 Security and Compliance

This post is going to be slightly different. Last week (21st August 2019), I was invited to give a talk about M365 Security and Compliance. This was really a test of my confidence and of how I communicate with an audience. Another thing is that I could not be technical; that was the biggest challenge! Standing out is always my biggest fear. Stepping into the room, trembling, all I could tell myself was “Sabrina, you can do it”. Everyone was looking at me and some were smiling at me, probably because they were thinking “Why is this kid presenting?”. Anyway, the show must go on!

I am just someone who wants to learn interesting things and step out of my comfort zone. I may not have scored well in this talk, but I am willing to learn to be better. Another thing: I don’t blame my mentor, I only blame myself, because I am the one on the stage. So mentor, don’t feel bad; if I fall, I still climb back up.

I don’t like to be a show-off; I just want to share what M365 can do better for an organization. Throughout my experience with M365 Security and Compliance, I have found that leveraging its features and capabilities has relieved quite a lot of my customers’ frustrations with auditors or lawbreakers in the company. Gathering justification takes a long time and a lot of energy, so why not M365, right?

Just to summarize: a minority of the audience clapped, but it was a great experience and opportunity. Thanks very much, especially to my mentor, for investing the time in me. I guess there is still a long way for me to improve. I had a great time talking with some of the audience; there was one audience member who had been wanting to talk to me but was afraid (I have no idea why, do I look scary? I’m just joking) and told me he liked the aOS KL 2018 talk I gave about Azure Information Protection. A little gratitude from the audience drives me to keep going, thanks.


Don’t be a smart-arse, Be unique! – From My Dear Parents

Office 365 Secure Score


Security is a Journey

Secure Score is here to help.

Secure Score analyzes your organization’s security based on your regular activities and security settings in Office 365 and then assigns a score.

Secure Score also provides you with a few guidelines on how to improve the score, but not every score item needs to be met by your organization.

If you would like to know how Secure Score works and is calculated, refer to the link below under “References”.

If you would like to know which licenses are required to have Secure Score, refer to the link below under “References”.

If you have any questions or concerns, drop a comment on this blog and I’ll get back to you.


*For Your Information

Please try not to modify any default security policies, or else you have no fallback plan.

References:

  1. https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-secure-score

Office 365 Security and Compliance: Data Leak Protection (DLP) & Azure Information Protection (AIP) Integration Unable to delete DLP Policy

Well hello! I’m back; yes, I had been very busy for the last 2 months and unable to write any new blog posts.

While I was testing and playing with DLP and AIP in my test environment, I had 2 test integration policies running and found there was something wrong with my DLP policy. I triggered the delete via the GUI in Security and Compliance, and it basically changed its status to “Deletion pending”. I know these deletions can sometimes take up to 48 hours. However, it was more than 48 hours and the DLP policy was still showing the status “Deletion pending”.

So it’s time to use PowerShell to solve this deletion pending problem;

*Take note;

If you run “Remove-DLPCompliancePolicy” without the “ForceDeletion” switch to delete this policy, it won’t work and you will get the following error;

#Sample PowerShell
Remove-DlpCompliancePolicy -Identity 58bed0c6-fbf9-41c4-b798-fdec65beae1c

We cannot remove policy ‘TopSecret_policy’ since it is already in pending deletion state.
+ CategoryInfo : InvalidOperation: (:) [Remove-DlpCompliancePolicy], ErrorCannotRemo…PolicyException
+ FullyQualifiedErrorId : [Server=xxxxxxxxxxxxxxx,RequestId=xxxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxxxx5,TimeStamp=4/1/2019
8:26:50 AM] [FailureCategory=Cmdlet-ErrorCannotRemovePendingDeletionPolicyException] xxxxxx,Microsoft.Office.Com
pliancePolicy.Tasks.RemoveDlpCompliancePolicy
+ PSComputerName : apc01b.ps.compliance.protection.outlook.com

What to do?

  1. First of all, connect to Security and Compliance using PowerShell:
    1. https://docs.microsoft.com/en-us/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell?view=exchange-ps
  2. Next, run the command below to get your DLP policy information:

Get-DLPCompliancePolicy | select Name, Guid

  3. Then run this command:

Remove-DLPCompliancePolicy -Identity "Policyname" -ForceDeletion

OR

Remove-DLPCompliancePolicy -Identity "Policy GUID" -ForceDeletion

  4. Select “A” (A is Yes to All).

Below is a sample;

[Screenshot: sample output of the force deletion]
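The steps above as a script, added here as an example and not part of the original post: it lists policies stuck in "Deletion pending", backs each one up before it is gone for good, and only issues the force deletion when run with -Force. It assumes an active Security and Compliance session (Connect-IPPSSession) and that Get-DlpCompliancePolicy reports such policies with Mode equal to "PendingDeletion" (an assumption about that property value).

```powershell
# Added example (not from the original post). Assumes an active Security and
# Compliance PowerShell session (Connect-IPPSSession) and that stuck policies
# show Mode = "PendingDeletion" in Get-DlpCompliancePolicy (assumption).
param(
    [string]$BackupFolder = '.\dlp-policy-backup',
    [switch]$Force          # without -Force this is a dry run
)

# Find the policies that the GUI left in "Deletion pending"
$stuck = Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'PendingDeletion' }
if (-not $stuck) { Write-Host 'No DLP policies pending deletion.'; return }

if (-not (Test-Path $BackupFolder)) {
    New-Item -ItemType Directory -Path $BackupFolder | Out-Null
}

foreach ($policy in $stuck) {
    Write-Host ("Pending deletion: {0} ({1})" -f $policy.Name, $policy.Guid)

    # Keep a record of the policy and its rules before the force deletion,
    # so there is something to rebuild from if the deletion was a mistake
    $backup = Join-Path $BackupFolder ("{0}.xml" -f $policy.Guid)
    @{
        Policy = $policy
        Rules  = Get-DlpComplianceRule -Policy $policy.Guid
    } | Export-Clixml -Path $backup
    Write-Host "  Backed up to $backup"

    if ($Force) {
        # The switch the post describes; -Confirm:$false replaces the "A" (Yes to All) prompt
        Remove-DlpCompliancePolicy -Identity $policy.Guid -ForceDeletion -Confirm:$false
        Write-Host "  Force deletion issued."
    } else {
        Write-Host "  Dry run; re-run with -Force to issue Remove-DlpCompliancePolicy -ForceDeletion."
    }
}
```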

References:

  1. https://sabrinaksy.com/2020/07/25/powershell-unable-to-delete-stuck-data-leak-policy-using-forcedeletion/

Data Leak Prevention (Azure Rights Management): aOS Kuala Lumpur 2018

Good day, everyone. I’m not here to insult but to raise awareness, so please read this with an open mind.

I had met and chatted with a few different people from different companies, asking them: do you know about data security, is your company ready for data security, what do you think about security, etc.

Most replied that data security is expensive and impacts end-user productivity. When they told me it is expensive, I asked them “why do you think it is expensive?”. Their answers had hesitation in them. Anyway, to the ones that told me security could only bring impact to users, I replied “Plan, organize, and implement properly; never jump/rush to a conclusion” (a disaster plan is important).

The technology is there; it is how you look at it and use it. (A joke: don’t tell me that you go shopping and just blindly buy stuff without testing or checking whether it really suits your needs/wants.)

Yes, whenever most users or companies hear about security, the first thing on their mind is expense and impact. Have you really asked, researched and gathered enough information to prove it? (You know, references.) Have you ever compared the investment in data security vs the cost of fines from regulators? (GDPR fines? PDPA fines?)

During my talk about Data Leak Prevention (Rights Management) at the aOS KL event on 23rd October 2018, I was trying to raise awareness among the audience about data security too. However, one audience member told me that Microsoft enterprise licensing is expensive.

What I replied to the person asking about the pricing of Microsoft enterprise licensing was to ask the licensing companies for more information. I should have added another reply: “Are you ready to lose 2% to 10% of your company’s global revenue (or probably both fines and jail) to regulators?”, but my session had already used up an extra 5 minutes (I felt panicked and guilty about using up time that was no longer mine).

So for the people asking/telling me in a technical session that the security license is expensive, I kindly advise you to think twice, or many times, about the statement above, which I’ve highlighted in red.

Quotes:
“Better safe than Sorry”
“Never a technology problem, Is human/attitude problem”
“Never try, never know”
“Plan, Don’t make harsh decision/actions”
“Live till old, learn till old” (Take Malaysia’s latest Prime Minister as an Example)
“Ask more doesn’t do harm, Only Stupidity does harm”
“Stop dreaming, Wake up is reality”

[Photo: Speaker for aOS Kuala Lumpur 2018 (IT Pro), Office 365 Security Compliance and Azure Information Protection demonstration]
[Photo: With Patrick Guimonet]

[Photo: Data breaches since the 2000s till 2018]


Reference:

https://sway.office.com/eQ1CbkS7mOE5dvSi

SharePoint Online: Why you should not Share your main site to external? What are the best practice?

As an organization, anything that is internal stays internal, and if anything needs to be shared externally, only view permission is provided, and only to specific sites or documents; this applies especially to the organization’s SharePoint Online or on-premises main sites.

Providing a sharing option for external users is dangerous, as it can cause the sudden surprise of deleted sites or deleted documents, and users will start to complain, asking and demanding “How come my site got deleted?”. Another disadvantage is that even the Security & Compliance audit log and the SharePoint audit log will not give you details of who performed the operation, because allowing anonymous access to your organization’s main sites or any other private sites leaves no result in the audit log.

For private sites or department sites, the default SharePoint Online site sharing permission is Edit. Thus, if this falls into the hands of an external party, he or she has the rights to delete or modify anything within the organization’s sites, copy any private and confidential documents and exploit your data.

*Note:

  • An Office 365 group is equivalent to a SharePoint private site.
  • Only the owner of a site has permission to perform deletion.
  • If audit logging is not enabled on the site, activities will not show in the Security & Compliance and SharePoint Online audit reports.
  • By default, audit logging is disabled for private sites.

Best practices:

  1. Set sharing for the main site to “Allow only internal”.
  2. Try to make use of OneDrive for document sharing.
  3. Enable Rights Management Service for SharePoint Online.
  4. Anything internal stays internal.
  5. Educate users on the risk of sharing to external parties.
  6. Enable audit logging for all private sites (only the owner of the site has permission to do this).
    • Without this, your Global admin has no visibility of that site’s behaviour, even with Security & Compliance.
  7. Restrict users from creating Office 365 groups (optional).
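A check for best practice 1, added here as an example and not part of the original post: it reports every site whose sharing setting is anything other than internal-only and, when run with -Remediate, sets the main site back to internal-only. It assumes the SharePoint Online Management Shell is installed, Connect-SPOService has already been run, and the main site URL is a placeholder for your own.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell and an existing Connect-SPOService session; the URL is a placeholder.
param(
    [string]$MainSiteUrl = 'https://contoso.sharepoint.com',   # placeholder for your main site
    [switch]$Remediate                                         # without it, report only
)

# Report every site collection that allows any form of external sharing.
# SharingCapability values other than 'Disabled' permit external or anonymous access.
$exposed = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' }
if ($exposed) {
    Write-Host "Sites that are not internal-only:"
    foreach ($site in $exposed) {
        Write-Host ("  {0,-70} SharingCapability={1}" -f $site.Url, $site.SharingCapability)
    }
} else {
    Write-Host "All site collections are internal-only."
}

# Best practice 1 from the post: the main site must allow internal users only
$main = Get-SPOSite -Identity $MainSiteUrl
if ($main.SharingCapability -ne 'Disabled') {
    if ($Remediate) {
        Set-SPOSite -Identity $MainSiteUrl -SharingCapability Disabled
        Write-Host "Main site set to internal-only sharing."
    } else {
        Write-Warning "Main site allows external sharing ($($main.SharingCapability)); re-run with -Remediate."
    }
} else {
    Write-Host "Main site is already internal-only."
}
```

The tenant-level setting (Get-SPOTenant) caps what any site can allow, so a site reported as Disabled here may still need the tenant checked separately.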


Office 365 Custom DLP: How to create custom Sensitive Information?

Yes, this is an interesting topic for me because it involves programming! I will make this topic as simple as learning the alphabet, because I will be showing you how to create your very own DLP sensitive information type and why it matters. DLP templates come in XML file format.

*Note: You may need to spend some time on this. Practice makes perfect.

The important parts that you must include in your XML are:

  1. Rule
  2. Entity
  3. Pattern
  4. Identity Match/Id Match/Format/RegularExpression

#This is the flow chart

Rule -> Entity -> Pattern -> Identity Match/Format/Regular Expression

Ok, now you know the important parts; next are the things you need to note about the parts that can have multiple sections, namely “Pattern” and “Identity Match”. A rule can consist of only 1 Entity, but that Entity can have multiple unique pattern types, and each pattern can have its own unique ID Match.


Below is a sample of my code and how it looks in XML;

*Note: You have to change the GUIDs marked in the comments. As you can see there are 4 GUIDs, but 2 of them are the same (the entity GUID is reused by the Resource idRef). To get a new GUID, simply open PowerShell and type the command “[guid]::newguid()”.

<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <!-- Need to change guid: rule package guid, [guid]::newguid() -->
  <RulePack id="872155dc-1234-4e3e-a10d-x">
    <Version build="0" major="1" minor="0" revision="0"/>
    <!-- Need to change guid: publisher guid -->
    <Publisher id="6907d14a-1234-4023-87cd-x"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Company Group</PublisherName>
        <Name>ID Custom Rule Pack</Name>
        <Description>This rule package contains the custom ID entity.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>

  <!-- This part is your rule type -->
  <Rules>
    <!-- ID -->
    <!-- This part is your entity -->
    <!-- Need to change guid: entity guid -->
    <Entity id="b660289d-189e-1234-9e0a-x" patternsProximity="300" recommendedConfidence="70">
      <!-- This part is your pattern type -->
      <Pattern confidenceLevel="80">
        <!-- This part is your identity match name -->
        <IdMatch idRef="Regex_id1"/>
      </Pattern>
      <Pattern confidenceLevel="80">
        <IdMatch idRef="Regex_id2"/>
      </Pattern>
    </Entity>

    <!-- This part is your regular expression -->
    <!-- Format: AB-C-DE-FGH -->
    <Regex id="Regex_id1">(\d{2})[-](\d{1})[-](\d{2})[-](\d{3})</Regex>
    <!-- Format: ABCDEFGMANNN -->
    <Regex id="Regex_id2">(\d{7})[mM][a-zA-Z](\d{3})</Regex>

    <LocalizedStrings>
      <!-- Resource guid: same as the entity guid -->
      <Resource idRef="b660289d-189e-1234-9e0a-x">
        <Name default="true" langcode="en-us">ID</Name>
        <Description default="true" langcode="en-us">A custom classification for detecting IDs.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>

The above XML consists of 2 patterns, both set with an accuracy of 80%, meaning that if DLP scans your mail/SharePoint/OneDrive and finds content matching a pattern with an 80% match percentage, the rule will trigger. Each pattern contains a unique identity, named “Regex_id1” and “Regex_id2” respectively. After that comes setting the format for each unique identity. As you can see above, I have stated the format in the comments.

*Note: The code above doesn’t limit your needs; you can play around with what you wish to include, such as keywords, false positives, etc. You can learn more about tweaking the code by reading the references below. You can also use any online tester site to test the regex in your code.
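The GUID replacement and regex testing described above as a script, added here as an example and not part of the original post: it checks both regexes against constructed sample values, fills fresh GUIDs into the rule package, verifies the result is well-formed XML and optionally uploads it. It assumes the XML above was saved as .\IdRulePack.template.xml with the id/idRef values replaced by the tokens {{RULEPACK_GUID}}, {{PUBLISHER_GUID}} and {{ENTITY_GUID}} (the last one in both the Entity id and the Resource idRef), and an active Connect-IPPSSession for the upload.

```powershell
# Added example (not from the original post). Assumes the template file and
# placeholder tokens described in the lead-in, and an active Connect-IPPSSession.
param(
    [string]$Template = '.\IdRulePack.template.xml',
    [string]$Output   = '.\IdRulePack.xml',
    [switch]$Upload
)

# The two formats from the post: AB-C-DE-FGH and ABCDEFGMANNN
$regexes = @{
    Regex_id1 = '(\d{2})[-](\d{1})[-](\d{2})[-](\d{3})'
    Regex_id2 = '(\d{7})[mM][a-zA-Z](\d{3})'
}
# Constructed samples: an expected hit and an expected miss for each format
$samples = @(
    @{ Id = 'Regex_id1'; Value = '12-3-45-678';  Expect = $true  },
    @{ Id = 'Regex_id1'; Value = '12-34-5-678';  Expect = $false },
    @{ Id = 'Regex_id2'; Value = '1234567MA123'; Expect = $true  },
    @{ Id = 'Regex_id2'; Value = '123456MA123';  Expect = $false }
)
foreach ($s in $samples) {
    $hit = [regex]::IsMatch($s.Value, $regexes[$s.Id])
    if ($hit -ne $s.Expect) { throw "Regex check failed for $($s.Id): '$($s.Value)'" }
}
Write-Host "Regex checks passed."

# One fresh GUID per placeholder; the entity GUID is reused for <Resource idRef>
$ids = @{
    '{{RULEPACK_GUID}}'  = [guid]::NewGuid().Guid
    '{{PUBLISHER_GUID}}' = [guid]::NewGuid().Guid
    '{{ENTITY_GUID}}'    = [guid]::NewGuid().Guid
}
$xml = Get-Content -Path $Template -Raw
foreach ($token in $ids.Keys) { $xml = $xml.Replace($token, $ids[$token]) }
if ($xml -match '\{\{[A-Z_]+\}\}') { throw "Unreplaced placeholder left in the package." }

# Fail early if the result is not well-formed XML before it reaches the service
[xml]$parsed = $xml
Set-Content -Path $Output -Value $xml -Encoding UTF8
Write-Host "Rule package written to $Output"

if ($Upload) {
    # Upload the finished package to Security and Compliance
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Output).Path)
    New-DlpSensitiveInformationTypeRulePackage -FileData $bytes
}
```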


References:

  1. https://support.office.com/en-us/article/Create-a-custom-sensitive-information-type-82c382a5-b6db-44fd-995d-b333b3c7fc30
  2. https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference
  3. https://justaucguy.wordpress.com/2014/11/21/adventures-in-custom-dlp-rules-part-one/