Category Archives: Security

Azure AD Premium Conditional Access for Domain Joined Machines

This article is an attempt to work out the minimum steps required to make the Conditional Access control that checks for Domain Join status work, for both Windows 10 and Windows 7 clients.

Conditional Access is a feature of the “Azure AD Premium P1 License” which can be purchased ala carte for $6/user/month, or as part of the “Enterprise Mobility + Security license” for $8.75/user/month, or the new Microsoft 365 SKU announced at the 2017 Inspire conference.

This is what the feature looks like when configuring a Conditional Access Policy in the Azure Portal to only permit domain joined devices:

For more information about Conditional Access, read about it here.

I had the following questions:

  • What does the conditional policy mean by “Domain Join” – is it on-premises domain join, Azure AD join, both, or something else? (Answer: on-prem domain join, with the computer account synced to the cloud by Azure AD Connect. Windows 7 additionally needs a software deployment, and Windows 10 needs a GPO.)
  • Is it necessary to deploy the Workplace Join v2.1 client to Windows 7 machines? (Answer: Yes.)
  • Does Azure AD Connect require configuration, and if so, what is the minimum version of Azure AD Connect required? (Answer: Yes, you must create a service connection point (SCP) in Active Directory per this article; the seamless SSO option described below requires Azure AD Connect 1.1.484.0 or later.)
  • What role does Azure AD Seamless Single Sign-On play (also referred to as “Desktop SSO” in the Azure AD Connect documentation)? (Answer: It provides an SSO experience similar to ADFS, but only when the client is connected to the corporate network.)
  • Is ADFS required? (Answer: No.)
  • Is there any configuration necessary in Azure AD? (Answer: Not unless someone has changed the default device registration settings.)
  • Is it necessary to deploy a Group Policy change? If so, what are those changes? (Answer: For Windows 10, yes; see below.)
  • Is it necessary to create any DNS records? (Answer: Yes; see below.)

Domain Join vs Azure AD Domain Join vs Azure AD Registration

If you configure a Conditional Access Policy and select the “require domain joined device” checkbox, what is it checking?

To find out, I created six virtual machines to see exactly what works and what does not.

Win10DomainJoin – Windows 10.0.15063 (Creators Update)
  1. On-prem domain joined
  2. Azure AD Connect “Desktop SSO” enabled
  3. “enterpriseregistration” DNS CNAME exists
  Result: Success

Win10DJandReg – Windows 10.0.15063 (Creators Update)
  1. On-prem domain joined
  2. Azure AD Connect “Desktop SSO” enabled
  3. “enterpriseregistration” DNS CNAME exists
  4. GPO applied: “Register domain-joined computers as devices”
  Result: Success

Win10DJandAADJ – Windows 10.0.15063 (Creators Update)
  1. On-prem domain joined
  2. Azure AD Connect “Desktop SSO” enabled
  3. “enterpriseregistration” DNS CNAME exists
  4. Azure AD registered (aka ‘Workplace Joined’)
  5. GPO *not* applied: “Register domain-joined computers as devices”
  Result: Success

Win10AADJoined – Windows 10.0.15063 (Creators Update)
  1. Azure AD joined only (not on-prem domain joined)
  2. Azure AD Connect “Desktop SSO” enabled
  3. “enterpriseregistration” DNS CNAME exists
  4. GPO *not* applied: “Register domain-joined computers as devices”
  Result: Fail – got a block page (see block page example below). Note: I wasn’t entirely expecting this to work, since the tooltip in the policy configuration says that this checkbox does *not* apply to Azure AD joined machines.

Win7DomainJoin – Windows 7 SP1
  1. On-prem domain joined
  2. Azure AD Connect “Desktop SSO” enabled
  3. “enterpriseregistration” DNS CNAME exists
  Result: Fail – got a block page (see block page example below). Note: I wasn’t expecting this to work; it was just a baseline before the Workplace Join client was installed. There is no ADFS in the environment, just Azure AD Connect with Desktop SSO and Password Hash Sync.

Win7DJwithWPJ – Windows 7 SP1
  1. On-prem domain joined
  2. Azure AD Connect “Desktop SSO” enabled
  3. “enterpriseregistration” DNS CNAME exists
  4. Workplace Join v2.1 client installed
  Result: SUCCESS. I was starting to lose hope after the failed tests, but this one worked.

The common denominator for the successful tests was that the device showed up in Azure AD with DeviceTrustType “Domain Joined” and DeviceTrustLevel “Managed” (see Testing below).

Block Page Example

This is the end-user example of what it looks like when you try to open an application protected by a Conditional Access Policy that requires Domain Join.

DNS Records

According to the documentation, it is necessary to register the following DNS CNAME record in both internal and external DNS (if you use split-zone / split-brain DNS), substituting your verified Azure AD domain for contoso.com:

DNS entry: enterpriseregistration.contoso.com
Type: CNAME
Value (target): enterpriseregistration.windows.net

Workplace Join v2.1

For Windows 7 and Windows 8.1 devices, the documentation states that it is necessary to deploy the Workplace Join client (an MSI package) from here. This is not required for Windows 10, which can register with Azure AD via Group Policy. In my lab, however, that did not appear to be working, because Get-MsolDevice returned no records for those machines. Perhaps Windows 10 machines require ADFS for automatic registration to work with Domain Join conditional access.

Workplace join Version 2.1 (Released June 2017) added support for Azure Active Directory Seamless Single Sign On (https://aka.ms/hybrid/sso).

Ready for some kludge? The installer creates a scheduled task that runs in the user’s context and is triggered when the user signs in to Windows. The task silently registers the device with Azure AD using the user’s credentials, after authenticating with Integrated Windows Authentication. To see the task, open Task Scheduler and browse to Task Scheduler Library > Microsoft > Workplace Join.

The two main benefits of this tool, in my opinion, are that it registers a Windows 7 machine in Azure AD, and that the version 2.1 client removes the need for ADFS (simplifying the configuration).

Azure AD Seamless Single Sign-On

Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

If you have ADFS, you do not need this feature as ADFS already provides “seamless SSO” (assuming you also deployed the ADFS STS web page to your Local Intranet zone in Internet Explorer).

*Note: The ‘Edge’ web browser is not yet supported. Currently IE, Chrome and Firefox are supported. Firefox requires custom configuration to make it work.

To deploy seamless SSO, you turn it on in Azure AD Connect, then you deploy it through Group Policy.

Azure AD Connect

You must be using version 1.1.484.0 or later of Azure AD Connect.

If you already have an installation of Azure AD Connect, choose “Change user sign-in” in Azure AD Connect and click “Next”, then check the “Enable single sign on” option.

Completing that step creates a new computer object in Active Directory, “AZUREADSSOACC”. If this object is accidentally deleted, users can still log on, but they get the standard sign-in experience, as before seamless SSO was enabled (so it ‘fails open’, so to speak). Because the Kerberos decryption key of this account is what lets Azure AD validate the tickets clients present, treat it like any other service account: Microsoft’s guidance is to roll the key over regularly (at least every 30 days) with Update-AzureADSSOForest from the Azure AD Connect SSO PowerShell module. For more information see the technical deep dive here.

Group Policy

You can add the Azure AD device authentication end-point to the local Intranet zones to avoid certificate prompts when authenticating the device. This works for both IE and Chrome which both share the same setting. For other browsers see the references section.

To roll this out in a group policy object, here are the steps:

  1. Open the Group Policy Management tool on a domain controller, ex: start > run > gpmc.msc
  2. Edit the Group Policy that is applied to some or all your users.
  3. Navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and select Site to Zone Assignment List

    Enable the policy, and enter the following values (1 indicates Intranet zone) in the dialog box.

    https://device.login.microsoftonline.com

    https://autologon.microsoftazuread-sso.com

    https://aadg.windows.net.nsatc.net

    Note: One of the references only listed the first URL, whereas another reference listed the bottom two. Since the documentation was not consistent, I’m including all three to be safe.

ADFS

ADFS is not required as long as you deploy the Workplace Join v2.1 client to your Windows 7 systems.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq#i-want-to-register-non-windows-10-devices-with-azure-ad-without-using-ad-fs-can-i-use-seamless-sso-instead

Azure AD Configuration

By default, Azure AD allows users to register devices, so unless someone in your organization has changed this setting you should not need to change anything. In https://portal.azure.com, go to Azure Active Directory > Users and groups > Device settings. The policy “Users may register their devices with Azure AD” must be set to “All” (the default).

Windows 10

All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 automatically register with Azure AD at device restart or user sign-in. Windows 10 November 2015 Update, however, registers automatically only if the rollout Group Policy object is set. The best approach is therefore to configure a Group Policy object to control the rollout of automatic registration for Windows 10 and Windows Server 2016 domain-joined computers.

Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click “Register domain-joined computers as devices”, select Edit, select Enabled, and then Apply.

  • Older GPMC consoles may show this as: Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join > “Automatically workplace join client computers”. Select Enabled, and then Apply.


Testing

You can check which devices have registered successfully by using the Get-MsolDevice cmdlet in the Azure Active Directory (MSOnline) PowerShell module.

The output of this cmdlet shows devices registered in Azure AD. To get all devices, use the -All parameter, and then filter them on the DeviceTrustType property. Domain joined devices have a value of “Domain Joined”. In my testing, the only combination that worked with conditional access was DeviceTrustType “Domain Joined” together with DeviceTrustLevel “Managed”.
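The following is an added example, not code from the original post: it takes the objects Get-MsolDevice returns and reports which ones satisfy the combination that passed the “require domain joined device” control in the lab (DeviceTrustType “Domain Joined” and DeviceTrustLevel “Managed”), with a reason for every device that does not. The sample objects at the bottom are constructed to mirror the lab VMs, not real Get-MsolDevice output; the property names used are those of the real cmdlet’s output.

```powershell
# Added example (not from the original post). Classifies Azure AD device objects against the
# combination observed to pass the "require domain joined device" Conditional Access control:
# DeviceTrustType = 'Domain Joined' AND DeviceTrustLevel = 'Managed'.
function Test-DomainJoinedDevice {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Device)
    process {
        $typeOk  = $Device.DeviceTrustType  -eq 'Domain Joined'
        $levelOk = $Device.DeviceTrustLevel -eq 'Managed'
        if ($typeOk -and $levelOk) {
            $reason = 'passes the domain-join condition'
        } elseif (-not $typeOk) {
            # 'Azure AD Joined' and 'Workplace Joined' devices are not matched by this control
            $reason = "trust type '$($Device.DeviceTrustType)' is not matched by this control"
        } else {
            $reason = "trust level '$($Device.DeviceTrustLevel)': registration has not completed"
        }
        [pscustomobject]@{
            DisplayName = $Device.DisplayName
            OS          = $Device.DeviceOsType
            TrustType   = $Device.DeviceTrustType
            TrustLevel  = $Device.DeviceTrustLevel
            LastLogon   = $Device.ApproximateLastLogonTimestamp
            Passes      = ($typeOk -and $levelOk)
            Reason      = $reason
        }
    }
}

# Constructed sample objects mirroring the lab VMs (not real Get-MsolDevice output).
# The last one is a hypothetical Windows 7 machine whose Workplace Join task has not run yet.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Win10DomainJoin'; DeviceOsType = 'Windows'; DeviceTrustType = 'Domain Joined';   DeviceTrustLevel = 'Managed';       ApproximateLastLogonTimestamp = (Get-Date) }
    [pscustomobject]@{ DisplayName = 'Win10AADJoined';  DeviceOsType = 'Windows'; DeviceTrustType = 'Azure AD Joined'; DeviceTrustLevel = 'Managed';       ApproximateLastLogonTimestamp = (Get-Date) }
    [pscustomobject]@{ DisplayName = 'Win7DJwithWPJ';   DeviceOsType = 'Windows'; DeviceTrustType = 'Domain Joined';   DeviceTrustLevel = 'Managed';       ApproximateLastLogonTimestamp = (Get-Date) }
    [pscustomobject]@{ DisplayName = 'Win7Pending';     DeviceOsType = 'Windows'; DeviceTrustType = 'Domain Joined';   DeviceTrustLevel = 'Authenticated'; ApproximateLastLogonTimestamp = $null }
)
$sample | Test-DomainJoinedDevice | Format-Table DisplayName, TrustType, TrustLevel, Passes, Reason -AutoSize

# Live run against the tenant (requires Install-Module MSOnline):
# Connect-MsolService
# Get-MsolDevice -All | Test-DomainJoinedDevice | Where-Object { -not $_.Passes } | Format-Table -AutoSize
```

Run the live version before switching a Conditional Access policy from report-only to enforced: every device in the “does not pass” list is a user who will hit the block page shown above.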


To test the scenario where the user enters only the username, but not the password:

Troubleshooting

  1. Check to make sure the computer account is syncing to the cloud by running get-msoldevice. If it does not show up there, then make sure the OU or container containing the computer objects is being synced. If it shows up there, it must have DeviceTrustType = ‘Domain Joined’ and DeviceTrustLevel = ‘Managed’
  2. Check whether the computer object has a value in its userCertificate attribute. If not, the computer was unable to read the SCP in Active Directory. Check that the Authenticated Users group has not been removed from the ACL of the “Device Registration Configuration” container. To see whether the SCP can be queried, run the following (replace DC=YourDomain,DC=com with your forest’s configuration partition):
    $config = [ADSI]"LDAP://CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=YourDomain,DC=com"
    $config.distinguishedName                          # prints the DN if the container is readable
    $config.Children | ForEach-Object { $_.keywords }  # the SCP's azureADName / azureADId keywords

  3. Run the dsregcmd /status and make sure ‘AzureAdJoined’ is Yes and ‘IsUserAzureAD’ is Yes
    Under User State, verify that WamDefaultSet is Yes, WamDefaultAuthority is organizations, WamDefaultId is https://login.microsoft.com, AzureAdPrt is Yes, and WamDefaultGUID contains a value.
  4. Enable Debug and Analytic logs in Event Viewer. Click the View menu. Select Show Analytic and Debug Logs to make these logs visible. Enable logs under Applications and Services Logs > Microsoft > Windows > User Device Registration, and then export the logs for Admin and Analytic folders about five minutes after you have rebooted (or signed-out/in)
  5. Check the troubleshooting article https://docs.microsoft.com/en-us/azure/active-directory/active-directory-device-registration-troubleshoot-windows
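The following is an added example, not code from the original post, that turns troubleshooting steps 2 and 3 above (plus the Site to Zone Assignment from the Group Policy section) into one script you can run as an ordinary domain user on a Windows 10 client. It assumes the SCP is at the documented location (the fixed object GUID under “Device Registration Configuration”) and carries azureADName: / azureADId: keywords, and that the Site to Zone Assignment List policy stores its entries as string values under the ZoneMapKey policy key, which is how that GPO setting is written.

```powershell
# Added example (not from the original post). Checks the on-prem prerequisites for hybrid
# Azure AD join from a domain-joined Windows 10 client. Assumptions: the SCP uses the
# documented container and object GUID below; Site to Zone assignments made by GPO live
# under ...\Policies\...\Internet Settings\ZoneMapKey as REG_SZ values named by URL.
$ScpGuid      = '62a0ff2e-97b9-4513-943f-0d221bd30080'
$SsoEndpoints = 'https://device.login.microsoftonline.com',
                'https://autologon.microsoftazuread-sso.com',
                'https://aadg.windows.net.nsatc.net'

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-HybridJoinPrereqs {
    $results  = @()
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $drcPath  = "LDAP://CN=Device Registration Configuration,CN=Services,$configNc"

    # 1. The SCP exists, is readable, and names a tenant
    try {
        $scp      = [ADSI]"LDAP://CN=$ScpGuid,CN=Device Registration Configuration,CN=Services,$configNc"
        $keywords = @($scp.keywords)
        $name = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        $id   = ($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
        $results += New-Check 'SCP readable' ([bool]$name -and [bool]$id) "azureADName=$name azureADId=$id"
    } catch {
        $results += New-Check 'SCP readable' $false $_.Exception.Message
    }

    # 2. Authenticated Users (S-1-5-11) hold a read ACE on the container; the registering
    #    device reads the SCP with its own (computer account) credentials, so this must hold
    try {
        $rules = ([ADSI]$drcPath).ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
        $ok = $rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-11' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $read) -ne 0)
        }
        $results += New-Check 'Authenticated Users read ACE' ([bool]$ok) "$(@($ok).Count) matching ACE(s)"
    } catch {
        $results += New-Check 'Authenticated Users read ACE' $false $_.Exception.Message
    }

    # 3. This computer's AD object carries a userCertificate (written when registration succeeds)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $me = $searcher.FindOne()
    $certCount = if ($me) { $me.Properties['usercertificate'].Count } else { 0 }
    $results += New-Check 'userCertificate populated' ($certCount -gt 0) "$certCount certificate(s)"

    # 4. Seamless SSO endpoints mapped to the Intranet zone (1) by machine or user policy
    foreach ($url in $SsoEndpoints) {
        $zone = foreach ($hive in 'HKLM', 'HKCU') {
            $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
            (Get-ItemProperty -Path $key -Name $url -ErrorAction SilentlyContinue).$url
        }
        $results += New-Check "Intranet zone: $url" ($zone -contains '1') "policy value(s): $($zone -join ',')"
    }

    # 5. dsregcmd's own view of the device (Windows 10 only)
    if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
        $ds = @{}
        dsregcmd /status | ForEach-Object {
            if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
        }
        foreach ($field in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt') {
            $results += New-Check "dsregcmd $field" ($ds[$field] -eq 'YES') "$($ds[$field])"
        }
    }
    $results
}

Test-HybridJoinPrereqs | Format-Table -AutoSize -Wrap
```

Read the results top to bottom: a failing SCP or ACE check explains an empty userCertificate, and an empty userCertificate explains why the device never appears in Get-MsolDevice, so there is no point debugging the Conditional Access policy itself until the first three checks pass.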

Top 5 Azure Information Protection Limitations

Before I discuss the limitations of any product, I try my best to point out all of the things I appreciate about a product. In general, you will not hear Microsoft tell you about product limitations. I suspect it is a culture thing. But then again, do you expect a new car salesman to tell you about the limitations of the car they are trying to sell you?

So let me first point out that I have been a longtime fan of Microsoft’s Rights Management Services (RMS) which debuted in Windows Server 2003. As the product evolved over the years into what is now called Azure Information Protection, I became an even greater admirer of the product as well as the team within Microsoft responsible for its development.

A key milestone came when RMS was ported to Azure, because it became easy to enable (with one mouse click), eliminating the effort to configure servers on-premises, and especially the underlying Public Key Infrastructure (PKI) environment that RMS required.

With the rise in popularity of Office 365 (100 Million subscribers), many began to take advantage of RMS because it is included for free in the most popular business subscription (known as the “E3” license).

One of my favorite RMS features came in September of 2015, when Microsoft announced Document Tracking and Revocation capabilities (here). I’m still amazed by how cool this feature is, allowing you to see a map of the world and the location of where your documents have been opened!

Another key milestone in the evolution of RMS came when they acquired Secure Islands (announced by Takeshi Numoto on 11/9/2015). Six months later, Dan Plastina (@TheRMSGuy) first announced on 6/22/16 (here) that RMS would be rebranded as “Azure Information Protection” (AIP) and later reached general availability in October 2016 (here).

AIP is a truly jaw-dropping experience. As you author content, the document is automatically labeled and encrypted on the fly if sensitive information is found (e.g. credit card numbers, social security numbers, or data you define as sensitive using regular expressions). The content is encrypted with a symmetric AES content key, which is in turn protected by the tenant’s 2048-bit RSA key.

As a consultant, my job is to listen to customer problems, and then recommend solutions. This leads me to the title of this post – AIP Limitations.

Azure Information Protection Limitations

1. External Sharing using AIP with business partners who are still running Office 2010 (or older) needs improvement

When you protect a document with AIP, and you want to send that document to an external user, things go smoothly if they are running Office 2013 or Office 2016.

However, a lot of companies still run Office 2010. This is what their experience would look like:

“Dear External User,

We would like to share sensitive documents with you. If you are running Office 2013 or 2016, and if you have an Office 365 subscription, then you should be able to open the attachments without a problem.

Otherwise, if you are using Office 2010, you will need the following before you can open the documents we send you:

      1. Local Administrator Rights are required to install the Azure Information Protection Client
      2. Download and install the Azure Information Protection Client
        1. If you are running Windows 7, you first need to install KB 2533623 (This will require a reboot)
        2. Note: Office 2010 require Microsoft Online Services Sign-in Assistant version 7.250.4303.0. This version is included with the AIP client installation, however, if you have a later version of the Sign-in Assistant, uninstall it before you install the Azure Information Protection client.
        3. Note: The AIP Client will automatically install the .NET 4.6.2 Framework, so be sure not to deploy this on any machine that has known compatibility issues with the 4.6.2 framework.
      3. Be advised, that in some cases, even if you follow all of the steps above, you may still get an error message when attempting to open an RMS or AIP protected document in Office 2010. The work-around is to create a few registry entries for the service location as documented in the AIP Client Admin guide (here).

If you do not have an Office 365 Subscription, you will need to sign up for “RMS for Individuals” (this is a free identity platform that allows you to open the documents we send to you).”

2. Ad hoc External Sharing using an AIP Label is not possible

Let’s say you get a call from a new customer or business partner who wants you to send them a Microsoft Word document. The document is too large to email, so you host it in online storage (e.g. OneDrive, SharePoint, Dropbox). You might be tempted to click an AIP label that says “Business Partner” or “Client Confidential”, but that would not work in the current implementation of AIP: labels must be associated with an RMS template, RMS templates must be associated with mail-enabled security groups, and those groups must contain a contact object for the external person. Since normal end users cannot create contact objects in Active Directory or Azure Active Directory, they must submit a helpdesk ticket for the external contact to be created and then added to the appropriate mail-enabled security group. You get the picture: this process breaks down fast. Essentially, there is no way with AIP today to associate a label with ad hoc external sharing. Labels can only be used for defined, known business partners who are pre-configured as contact objects in a group associated with an RMS template that is then tied to a label. It would be just as exhausting to implement this as a process as it was to type it all out, I am sure!

3. There is no Mac OSX client for Azure Information Protection.
The work-around, as best as I can tell, is to have Mac users try the legacy “RMS Sharing App” for Mac OSX. This was the application written before the AIP client was released.

4. In April of 2016, a vulnerability was published in the RMS technology that allows someone with View rights to escalate their privilege and change the document by stripping RMS protection from it (undesirable if they then re-share the document with unauthorized parties, or if the unprotected copy is exposed in the wild, e.g. a lost or stolen laptop, ransomware, etc.). This is documented on Wikipedia here, and proof-of-concept code is available for testing on GitHub (here). In my opinion this issue isn’t too serious, because it requires that one of the named users who is authorized to view the document be the one to compromise it. In other words, an unauthorized party cannot break the encryption; the weakness is that an authorized viewer, who already receives the key to decrypt the content, cannot be prevented from misusing it.

5.OneDrive.
Protecting documents with AIP or RMS automatically when they are uploaded to OneDrive is currently not a great idea. First, Microsoft has removed the navigation button permitting you to do this, so you would have to find the direct hyperlink to the document library settings to enable IRM on your OneDrive document library. Even if you were to do this, it would prevent you from sharing any of those documents with outside users because there is no straight-forward way to make a OneDrive library’s IRM settings understand external users. It essentially ends the ad/hoc sharing capabilities of OneDrive. Perhaps that is why MSFT removed the navigation button for site settings in OneDrive.

Guidance

So given these limitations, what do I recommend?

  • I recommend you use AIP to protect sensitive information that should be accessible to internal employees, or known/named individuals from business partners. When communicating with the business partner for the first time, try to find out if they use Office 2010, and if so, warn them that it will be a rocky road for them (see sample email template above). Fortunately, Office 2013 and 2016 seem to natively open AIP encrypted documents.
  • If you need to share documents with encryption in transit, then use Office 365 Message Encryption (OME). The limitation of OME (today) is that the recipient can save the document and do anything they want to it (the encryption does not follow the attachments after the recipient saves it to their computer). This will be resolved with the upcoming Secure Email feature that was announced at the 2016 Ignite conference.
  • If you need to securely share emails and documents with Gmail users, then wait for the upcoming Secure Email solution that was announced at the 2016 Microsoft ignite conference (watch the video here, starting around the 46 minute mark).

Roadmap

Will things get better? In many cases, yes, however, not for the external user who needs to edit the AIP/RMS protected document using Office 2010.
The proposed Secure Email solution will make it seamless for any user to VIEW AIP/RMS protected documents through a web-browser experience. But if the business process requires the external user to make changes and send them back, my understanding is that capability will not be in Secure Email when it is released (from what I have heard, anyway). To be clear, if the external user is given edit rights and is still on Office 2010, they are going to have the same pain points as described above.

AIP Licensing

AIP can be licensed in one of four methods:

  1. You can get AIP as a standalone license for $2/user/month.
  2. You can get AIP as part of the Azure Active Directory Premium P1 or P2 license families.
  3. You can get AIP in the Enterprise Mobility + Security E3 or E5 license families.
  4. Or you can get AIP as part of the Secure Productive Enterprise E3 or E5 license families.

If you just need the original RMS capabilities (encryption, access control and policy enforcement) then you can license that individually or as part of the Office 365 E3 license.

If you need the Document Tracking and Revocation Capabilities, you’ll find that in the Enterprise Mobility + Security E3 or Secure Productive Enterprise E3.

Note: AIP automatic labeling is an advanced feature that requires the AADP P2, or EMS E5, or SPE E5 license. Otherwise, the down-level version of AIP requires the user to manually label documents they create.

Windows Information Protection

Windows Information Protection (WIP) is a feature of Windows 10 Anniversary Update that helps protect corporate information by encrypting it with the Encrypting File System (EFS).

This is not to be confused with Azure Information Protection (which was rebranded from Azure Rights Management Services RMS).

How WIP works

Enterprise data is automatically encrypted after it’s downloaded to a device from SharePoint, a network share, or an enterprise web location, while using a WIP-protected device or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.

A WIP Policy includes a list of applications that are allowed to access corporate data. This list of apps is implemented through AppLocker functionality.

Requirements

Requires Intune or SCCM Policy

Devices must be running Windows 10 Anniversary Update or later and be managed by Intune, SCCM, or a supported third-party MDM (I was unable to find a published list of supported third-party MDMs).

Limitations

  • Files encrypted with WIP cannot be shared externally. Each user would need the ability to disable WIP on a particular file and then re-encrypt the file using a separate technology such as Azure Information Protection.
  • All clients in your environment must be running Windows 10 Anniversary update or a mobile device managed by Intune or supported 3rd party MDM. For example, a Mac OSX machine that downloads data from SharePoint, a file share, or wherever, is not going to be protected by WIP and therefore that employee can bypass WIP and leak sensitive information. Think of WIP as a client side solution that is only truly effective when all client systems fit the mold.
  • WIP is not compatible with Direct Access. The workaround is to replace DirectAccess with Windows 10 Always-ON VPN for client access to Intranet instead.*
  • WIP is not compatible with Network Isolation (IPSEC feature).
  • Cortana must be disabled otherwise Cortana can leak encrypted information*
  • WIP is not compatible with shared workstations.* One user per device.
  • Marriage/Separation name changes can disrupt WIP. Workaround: Disable WIP before changing someone’s first or last name.* This is pretty time intensive as it requires decrypting all files that were protected by WIP.
  • Internet Explorer 11 with webpages using ActiveX controls can cause data leakage. Work-around is to use Microsoft Edge browser. Issue is that not all websites are compatible with Edge.*
  • There are only 11 applications that are considered WIP “Enlightened Apps” (see list below). All other apps will force encryption on all data saved, which cannot be shared externally unless the user manually removes the encryption and re-encrypts with AIP.

*https://technet.microsoft.com/en-us/itpro/windows/keep-secure/limitations-with-wip
References

Original Announcement from 6/29/2016

https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/

Official Documentation for WIP

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip

WIP “Enlightened Apps”

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop

*These apps allow you to save things as personal (unencrypted). All other applications not listed will encrypt everything 100% with EFS encryption.

Patriot Guidance

Use Azure Information Protection and avoid WIP unless you have a regulatory reason that justifies the effort to deploy it: its encryption policy is restrictive, and only 11 apps allow the user to save things without encryption. One look at the implementation page (here) shows how difficult an implementation would be, and even more so how difficult it would be to maintain.

How to prevent Cortana from mining your web browsing history

When Cortana is enabled, information such as your calendar, contacts, speech, handwriting patterns, typing history, location, and browsing history are sent to Microsoft so that Cortana can provide recommendations.

Disabling Cortana is not as easy as you might think. In Windows 10 RTM, you could disable Cortana as shown in the screen shot below.

However, in the Windows 10 Anniversary Update this toggle was removed. Home users now have to use the registry to disable Cortana, but business users can use Group Policy as described (here) and (here).

However, in my case, Cortana continued to send information to Microsoft. Task Manager shows she is still lurking…

 

You have to admit, that is a little creepy, right?

 

It turns out that you have to also go to the Bing settings page and clear your personal info and then turn Cortana off there too (Kudos to this Windows Central article for the tip).

https://www.bing.com/account/personalization

Click on Search History Page

Then click the Off button

Cortana is no longer leaking information but as you can see from her CPU counter in Task Manager’s “App History”, she is still alive.

At least she isn’t leaking information though! That is 1 for the Humans and 0.5 for the Robots. Hopefully that doesn’t make her mad and send her AI friend Morgan after me.

 

 

Top 10 tips to bolster enterprise email security

 

The FBI issued an alert on April 4th that CEO Fraud (a form of Spear-phishing) is on the rise, and companies have already reported losses of 2.3 Billion dollars. Mattel made headlines for falling prey to CEO Fraud, when an employee sent a wire transfer of 2 million dollars to a bank in China. 

Other forms of spear-phishing attacks are on the rise, spreading ransomware variants like CryptoWall. Surveys have shown that 30% of employees will open these types of emails. The ransoms paid in 2015 have amounted to a 500 billion dollar industry for cyber criminals.

A recent report from Trend Micro revealed that 81% of data breaches originated from phishing attacks. Therefore, email security should be a top priority for companies to protect themselves from these threats.

Here are my top 10 tips you can do to protect your company from these threats.

  1. Have employees participate in Security Awareness Training
  2. Phish your employees and train the ones who click on the false links
  3. Maintain regular backups offline. This may be your last line of defense if an employee or server becomes infected with ransomware.
    Note: Cloud based backups may be targeted, so traditional off-site rotation may need to be brought back for many companies who have switched to Disk to Disk only solutions.  Consider WORM drives to write to, (write once, read many) so that the original backup cannot be overwritten by cryptolocker type variants.
  4. Keep systems patched regularly. This reduces the attack surface that advanced persistent threats (APT) can use to spread into your network.
  5. Block Executables at Mail Filter. This can prevent some forms of ransomware from coming into your environment.
  6. Implement DMARC to prevent spear-phishing attacks that pose from trusted executives. My how-to guide for implementing DMARC is here.
  7. Implement Zero Day email security protection solutions like MSFT ATP
  8. Implement application white-listing Solutions like Carbon Black (formerly known as Bit9) or Cylance
  9. Hide file shares, ex: \\server\share$. This keeps file servers out of the browse lists that some ransomware uses to find targets. Note that the trailing $ only hides the share from browsing; it is not an access control, and malware that enumerates mapped drives or already knows the share name will still reach it, so pair this with the least-privilege advice in item 10.
  10. Replace Mapped Network Drives with shortcuts on Desktop to shared drives. This too can prevent ransomware from spreading. Implement principle of least privilege so that ransomware is limited to what it can write to.
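As an added example for tip 6, not code from the original post or from my DMARC how-to, here is a small PowerShell assessment of a DMARC TXT record: it parses the tags and grades how much protection the record gives against mail that spoofs your exact domain. The grading rules (p=reject with full pct and matching sp is “strong”, quarantine is “partial”, none or missing is “weak”) are my own reading of the spec, and the two records at the bottom are constructed samples.

```powershell
# Added example (not from the original post). Parses a DMARC record and grades it.
# Grading rules are the author-of-this-example's own; sample records are constructed.
function Get-DmarcAssessment {
    param(
        [Parameter(Mandatory)][string]$Record,
        [string]$Domain = 'example.com'
    )
    # Split "tag=value; tag=value" into a hashtable keyed by lower-case tag name
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$Matches[1].ToLower()] = $Matches[2].Trim() }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($tags['v'] -ne 'DMARC1') { $findings.Add('missing v=DMARC1: receivers will ignore the record') }

    $policy = $tags['p']
    if ($policy -eq 'quarantine') {
        $findings.Add('p=quarantine: spoofed mail is junked rather than refused')
    } elseif ($policy -eq 'none') {
        $findings.Add('p=none: monitoring only, spoofed mail is still delivered')
    } elseif ($policy -ne 'reject') {
        $findings.Add("p= tag missing or invalid ('$policy')")
    }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings.Add("pct=$($tags['pct']): policy is applied to only part of the failing mail")
    }
    if ($tags.ContainsKey('sp') -and $tags['sp'] -ne $policy) {
        $findings.Add("sp=$($tags['sp']): subdomain policy differs from the organizational domain")
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings.Add('no rua= address: you will get no aggregate reports showing who sends as you')
    }

    $grade = 'weak'
    if ($policy -in 'reject', 'quarantine') { $grade = 'partial' }
    if ($policy -eq 'reject' -and $findings.Count -eq 0) { $grade = 'strong' }

    [pscustomobject]@{
        Domain   = $Domain
        Policy   = $policy
        Grade    = $grade
        Findings = ($findings -join '; ')
    }
}

# Constructed samples: a monitoring-only record beside a hardened one
$weak = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
$hard = 'v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1'
Get-DmarcAssessment -Record $weak -Domain 'example.com'   # Grade: weak
Get-DmarcAssessment -Record $hard -Domain 'example.com'   # Grade: strong

# Live lookup of your own domain (Windows 8 / Server 2012 or later):
# $txt = (Resolve-DnsName -Name '_dmarc.contoso.com' -Type TXT).Strings -join ''
# Get-DmarcAssessment -Record $txt -Domain 'contoso.com'
```

Keep in mind what DMARC does and does not cover: it stops mail that forges your exact domain, but a CEO-fraud message sent from a lookalike domain or a free webmail account with the executive’s name in the display field passes DMARC cleanly, which is why tips 1 and 2 stay on the list.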

Honorable mentions:
Cryptolocker Prevention Kit: “The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provide GPO settings that you can import into your environment.”
Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw

You may have noticed that removing users from local administrator is not listed in the top 10. This is because CryptoLocker variants can execute without local admin privs.

10 Recommendations for preventing worm outbreaks

The US Department of Homeland Security (via US-CERT) issued a statement on Friday recommending that Java be disabled. It’s a serious recommendation because many business applications rely on Java.
http://www.kb.cert.org/vuls/id/625617 

[Update 1/13/2013 3:43 PM PST]
Oracle has just released Java SE 7u11 – an emergency software update.
http://www.oracle.com/technetwork/java/javase/downloads/index.html 

The good news is this problem only impacts the very latest versions of Java, so organizations that are behind should be okay. Java installs an auto-updater that nags users to update, so it could be hard to predict how many systems are vulnerable without some type of software inventory tool like Microsoft’s System Center Configuration Manager or Windows Intune.
My guess is many organizations will not disable Java, either because they don’t have the tools to do so, or because they are just going to cross their fingers that they don’t get hit by a worm; perhaps the loss of productivity is greater than the potential impact of a worm. I wouldn’t pause to disable Java because I recently witnessed first-hand how a modern worm can quickly bypass traditional security controls. The result is a complete loss of productivity where users could not access file shares for days.
Consider the typical minimum safeguards that most businesses have in place today:
1. Firewall
2. Antivirus Software
3. Windows Updates

If this is all you have to defend yourself against a modern worm, it is only a matter of time before an employee, vendor or guest brings an infected system onto your network. That is when you will find out that traditional safeguards have not kept pace with the modern worms that are spreading. These worms are being written by state-sponsored organizations, not the stereotypical 16-year-old kid looking for attention. It has always been an arms race between the virus writers and the security vendors, but lately the bad guys seem to be on top. These are professional teams who sometimes directly target specific users within an organization who have elevated administrative rights on the network. They can also be financially motivated, distributing so-called “ransomware” that holds your data hostage unless you pony up the cash.
The level of sophistication that goes into these worms is astonishing. Consider the multiple attack vectors that these worms can spread through: email, network, USB thumb-drives; virtually any and all methods of propagating. They mutate themselves often to evade detection, then silently send your passwords and private information overseas. They inject themselves into known-good processes to evade detection. They can also spread by exploiting vulnerabilities in the host operating system. But usually they spread by taking advantage of people’s naivety. “But the pop-up said I had a virus on my system and it said to click here to clean it!” Yep.
This requires IT Security policies and procedures to be updated to combat the threat and innovative strategies and tactics to be developed.
I want to make an important distinction between worms/viruses and Malware. Malware infects a single system and does not spread. MalwareBytes is a tool that does a pretty effective job at removing Malware from a single system. But if you have a handful of staff supporting hundreds of users, MalwareBytes is not an effective tool to clean hundreds of systems that are simultaneously infected.

(disclaimer: the following recommendations are for educational purposes only and there is no warranty expressed or implied; use at your own risk).

1. Do not rely on traditional Antivirus alone.

Traditional antivirus engines rely on signatures to detect threats. Lately they have been getting smoked by malware, viruses and worms that automatically mutate themselves to stay a step ahead of the definition updates.
Zero-day worms are even more sophisticated: they can call home to a distributed command center that has an ever-evolving list of domain names, so you can’t block a specific static list of IP addresses or domain names at the firewall level.
Therefore, you really need to combine signature-based AV with behavior-based AV such as SONAR or Bit9. SONAR develops a profile for a process and then determines whether it is a threat based on its behavior, eliminating the dependency on virus definitions (it should be deployed to supplement AV signatures, not to completely replace them). For example, suppose a particular process tried to access the system folder and tried to call home, but has no visible UI, and it downloaded more than 15 files the previous day. Any one of these things alone may not be “bad”, but taken as a whole the behavioral profile is bad, and the process can then be prevented from executing. By taking a process’s communication characteristics into consideration, a behavior-based AV solution is much more effective than a signature-based solution alone. This is not a perfect science, as legitimate processes can be quarantined, but in a controlled environment those processes can be proactively whitelisted.

So do yourself a favor and deploy the latest AV solution possible, with the most locked-down configuration that still allows your applications to function. There has always been a trade-off between productivity and security, but many are predicting 2013 to be the year of the worm, so it is important to be very proactive and not wait until it is too late.

2. Do not give end-users local Administrator rights to their computers

If a virus cannot gain a foothold onto the computer to begin with, then half the battle is already won. In the past, this type of configuration would result in increased helpdesk requests (and increased support costs) because end users had to rely on someone else to install printers and software on their systems.
However, the last three major versions of Windows include a feature called User Account Control (UAC) that allows the user to run under a non-privileged account, and supply credentials only when necessary (a process known as elevation). Many IT departments are quick to disable this feature for fear of complaints from users, and to those departments I say it is time to re-evaluate that decision.

Worms that use Windows vulnerabilities do not require local admin privs to spread; they can perform a privilege escalation to grant themselves administrative rights if the system has not kept up to date with Microsoft updates. Worms like W32.ChangeUP disable the registry key for Windows Update, to prevent the machine from fixing those vulnerabilities.

IT users with Domain Administrator rights must have a separate username and password that they use only sparingly to perform those duties that require elevated rights. Otherwise, if a worm executes itself on a machine with domain admin rights, say goodbye to your network.

3. Patch 3rd party products like Java, Acrobat and Flash

How do you patch 3rd party software today? Windows Server Update Services (WSUS) cannot do it. There are three methods native to Microsoft: Group Policy or Scripting, System Center Configuration Manager or Intune (kind of like a Cloud-based SCCM).
Windows Update alone is not enough to protect your network from worms and viruses. It is now mandatory to patch applications like Adobe Acrobat, Flash and Java.

As evidenced by the DHS Java announcement, viruses and worms are spreading not just by exploiting vulnerabilities in Internet Explorer and Windows, but they are increasingly exploiting Adobe Acrobat and Java.
Windows Intune can be used to effectively deploy software updates to computers. Similar to its big brother System Center Configuration Manager, Intune runs in the cloud so there is no back-end infrastructure to setup or maintain.

4. Disable Auto Run

Many worms spread by attaching themselves to network file shares and placing an Autorun.inf file on the share. When the user opens the folder, Autorun.inf will cause a virus to load, even if the user did not open an executable file directly.
Auto Run can be disabled via Group Policy. There are two policies to update: one for XP and one for Vista/Win7/Win8.

Vista/Win7/Win8 Group Policy Setting:

Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
In the Details pane, double-click Turn off Autoplay.
Reboot client computers.

Windows XP

Computer Configuration, expand Administrative Templates, and then click System.
In the Settings pane, right-click Turn off Autoplay, and then click Properties.
Note: In Windows 2000, the policy setting is named Disable Autoplay.
Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
Click OK to close the Turn off Autoplay Properties dialog box.
Restart client computers.
http://support.microsoft.com/kb/967715 

5. Enable Windows Firewall.

This can prevent a worm from scanning and spreading itself on various ports. Windows Firewall could potentially disrupt valid business applications so be sure to test this and any other configuration before deploying in a production environment.

6. Deploy a virus cleaner on computer startup

[Updated 1/18/2013]

Another technique is to deploy a free tool like McAfee’s stinger.exe. This is a stand-alone executable that can remove many of the worms out there.

Put this in the Domain controller’s sysvol\domains\scripts folder because it is shared out as the netlogon folder, and that way clients will download stinger.exe from their nearest domain controller to minimize the impact on the WAN.

REM Begin cleaner.cmd
REM Run-once guard: if stinger.exe is already in the profile, the cleaner has run before
if exist %userprofile%\stinger.exe goto end
echo not yet
REM Copy from the NETLOGON share so the client pulls it from its nearest domain controller
copy \\contoso.com\netlogon\stinger.exe %userprofile%
REM --adl scan all local drives, --delete remove detections, --go start immediately, --silent no GUI
%userprofile%\stinger.exe --adl --delete --go --silent
:end
REM End of cleaner.cmd

Notice that if stinger.exe already exists, the script skips straight to the end; this prevents the scan from running more than once, because it consumes a lot of CPU (end users might want to be informed that their computers may slow down a bit). When the script runs as a computer startup script, as recommended below, %userprofile% resolves to the local system account’s profile rather than the logged-on user’s, which is why one copy per machine is enough.

Then create a group policy that references that cmd file. I recommend putting it in the computer startup scripts so that it runs as local system rather than as a user process. Then email the users and tell them to reboot to take effect.

7. Deploy Network Access Protection (NAP)

Network Access Protection (NAP) is really important to deploy on VLANs where your critical line of business systems are located. Imagine the scenario where someone takes their laptop home, and their child unknowingly downloads a virus on the machine while playing an online game. When the adult brings that system back into work, the worm could spread the moment they plug into the network. They could also do the same damage if they connect to the network from home over a VPN connection. By deploying NAP, the system will first have to go through a health check to validate that AV is running, has the latest virus definitions, and has the latest Windows updates. If it passes the checks, then it can be permitted to communicate on the network.
Deploying NAP takes a serious commitment because it may involve re-architecting the network boundaries to accommodate the multiple requirements.
http://technet.microsoft.com/library/cc771746.aspx 

8. Use File Screening on your file servers

[Updated 1/18/2013]

Windows Server 2003 R2 and later have the ability to block .exe files and .inf files from being placed on file shares. This can be an effective technique to prevent worms from placing themselves on file shares.

2008 R2 Instructions:
http://technet.microsoft.com/en-us/library/cc732074.aspx

2003 R2 Instructions:
http://technet.microsoft.com/en-us/library/cc755492(v=ws.10).aspx

9. Adopt Defense in Depth

Deploy multiple levels of antivirus and defense. Select different vendors at each layer of your network. It is a mistake to deploy the same antivirus engine at the gateway or web proxy that you do on your desktops. Otherwise the virus that evades your web filter will also evade your desktop. Not filtering web requests? Your users can unknowingly download viruses into your network by checking their personal email and downloading threats from email attachments that do not go through your hardened email server.
I recommend using OpenDNS (paid) or Dyn.com Security Guide (free) to filter DNS requests from known domains that host spyware and malware.

10. DNS Sinkholing

[Updated 1/18/2013]


DNS sinkholing is an effective technique where you host the DNS zones that the worm tries to look up instead of blocking those IPs at your firewall. The DNS zone is populated with the IP address of your IDS sensor. This is similar to a Wi-Fi honeypot or tarpit. It is effective for two reasons:
1. It provides the worm a DNS response, so the worm does not attempt to look up any other domain names. It thus prevents the worm from calling home and getting a new variant.
2. It provides your IDS sensor the exact IP addresses of the infected hosts so that your incident response team can go and clean those systems. This is more effective than firewall logs, because those might only show the previous hop if the last gateway strips off the original host IP.

How to deploy DNS sinkholing quickly
Worms can use dozens of DNS zones to call home, so the quickest way to create the zones is to use the DNSCMD command built into Windows:

Step 1: Create the zones
dnscmd /zoneadd ddnsd.at /DsPrimary
dnscmd /zoneadd noip.at /DsPrimary
dnscmd /zoneadd 3d-game.com /DsPrimary
(repeat for all zones)
Note: /DsPrimary means the zone is Active Directory-integrated, so it replicates to all domain controllers. This allows you to run the commands on a single DC and have the zones replicate everywhere. You can later clean these zones up with another dnscmd script.

Step 2: Populate the zones with @ records pointing to your IDS sensor
dnscmd /RecordAdd 3d-game.com @ A 192.168.1.2
(repeat for all zones; replace 192.168.1.2 with the address of your IDS sensor)
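The two dnscmd steps above are easy to script once you have the list of call-home domains. The Python helper below is an added example written for this post; it is not part of the original article and not a Microsoft tool. It validates and de-duplicates the zone list (refusing anything under your own AD domain and dropping subdomains already covered by a parent zone), emits the dnscmd lines for step 1 and step 2 plus the matching /zonedelete lines for the cleanup the note mentions, and, as a complement to the IDS sensor, counts queries for the sinkholed zones per client from lines shaped like the Windows DNS Server debug log. The zone list, the sensor address 192.168.1.2, the protected domain contoso.com and the log lines are all constructed; the debug-log field layout is an assumption and may differ between Windows versions.

```python
"""Sinkhole helpers: generate the dnscmd batch and triage DNS-server log hits.
Added example for the blog post above; not part of the original article or of
any Microsoft tool.  All names, addresses and log lines are constructed."""
import re
from collections import Counter

# Call-home domains to sinkhole (constructed list: the first three are the
# ones named in the post, the fourth is a subdomain to show de-duplication).
SINKHOLE_ZONES = ["ddnsd.at", "noip.at", "3d-game.com", "update.3d-game.com"]
IDS_SENSOR_IP = "192.168.1.2"      # replace with your IDS sensor's address
PROTECTED_ZONES = {"contoso.com"}  # never sinkhole your own AD domain (assumed name)

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_zones(zones, protected=PROTECTED_ZONES):
    """Lower-case, validate and de-duplicate zone names.

    A zone already covered by a parent zone in the list is dropped, because an
    AD-integrated zone for 3d-game.com also answers for update.3d-game.com.
    Anything at or under a protected domain raises instead of being emitted."""
    clean = set()
    for zone in zones:
        zone = zone.strip().lower().rstrip(".")
        labels = zone.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            raise ValueError(f"invalid zone name: {zone!r}")
        if any(zone == p or zone.endswith("." + p) for p in protected):
            raise ValueError(f"refusing to sinkhole protected zone: {zone}")
        clean.add(zone)
    return sorted(z for z in clean
                  if not any(z.endswith("." + other) for other in clean if other != z))


def build_script(zones, sensor_ip, cleanup=False):
    """Return a batch-file string with step 1 and step 2 for every zone, or the
    matching /zonedelete lines when cleanup=True (for removing the zones later)."""
    lines = ["REM generated sinkhole script, run once on any domain controller"]
    for zone in normalize_zones(zones):
        if cleanup:
            lines.append(f"dnscmd /zonedelete {zone} /DsDel /f")
        else:
            lines.append(f"dnscmd /zoneadd {zone} /DsPrimary")
            lines.append(f"dnscmd /recordadd {zone} @ A {sensor_ip}")
    return "\n".join(lines) + "\n"


def decode_name(wire_name):
    """Turn the debug log's '(7)3d-game(3)com(0)' form into '3d-game.com'."""
    return ".".join(re.findall(r"\(\d+\)([^()]+)", wire_name)).lower()


def sinkhole_hits(log_lines, zones):
    """Count received queries ('Rcv' ... 'Q') for sinkholed zones per client IP.
    Assumes the Windows DNS debug log layout: the client address follows the
    Rcv/Snd token and the queried name (label-length encoded) is the last token."""
    zones = normalize_zones(zones)
    hits = Counter()
    for line in log_lines:
        tokens = line.split()
        if "Rcv" not in tokens or "Q" not in tokens:
            continue                      # only inbound queries, not our replies
        client = tokens[tokens.index("Rcv") + 1]
        name = decode_name(tokens[-1])
        if any(name == z or name.endswith("." + z) for z in zones):
            hits[client] += 1
    return dict(hits)


# Constructed lines shaped like a Windows DNS Server debug log (not real data).
SAMPLE_LOG = [
    "1/13/2013 3:43:22 PM 0B2C PACKET  0000000002A7DF40 UDP Rcv 192.168.1.50  0003   Q [0001   D   NOERROR] A      (7)3d-game(3)com(0)",
    "1/13/2013 3:43:22 PM 0B2C PACKET  0000000002A7DF40 UDP Snd 192.168.1.50  0003 R Q [8081   DR  NOERROR] A      (7)3d-game(3)com(0)",
    "1/13/2013 3:43:25 PM 0B2C PACKET  0000000002A7E1C0 UDP Rcv 192.168.1.77  0004   Q [0001   D   NOERROR] A      (6)update(7)3d-game(3)com(0)",
    "1/13/2013 3:43:26 PM 0B2C PACKET  0000000002A7E300 UDP Rcv 192.168.1.50  0005   Q [0001   D   NOERROR] A      (4)noip(2)at(0)",
    "1/13/2013 3:43:30 PM 0B2C PACKET  0000000002A7E440 UDP Rcv 192.168.1.90  0006   Q [0001   D   NOERROR] A      (3)www(7)contoso(3)com(0)",
]

if __name__ == "__main__":
    print(build_script(SINKHOLE_ZONES, IDS_SENSOR_IP))
    print("clients querying sinkholed zones:", sinkhole_hits(SAMPLE_LOG, SINKHOLE_ZONES))
```

Run it on a management workstation, save the printed batch to a .cmd file and execute that on one domain controller; the cleanup variant (cleanup=True) produces the matching /zonedelete lines for when the outbreak is over. The per-client counts from the DNS debug log give the incident response team the same list of infected hosts the IDS sensor sees, with the benefit that the DNS server logs the query even if the worm never completes a connection to the sensor.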

Summary

Even if you do all the things recommended in this article, you could still get hit by a zero day worm. Therefore, it is important to review your antivirus logs regularly (daily if possible) or configure email alerts so that you can become aware of outbreaks as soon as possible. Make sure you have your Antivirus vendor contact information and support contract numbers at hand. If your network is compromised, engage your Antivirus vendor early in the process so that you can upload the specific strain of worm that has infected your network. They can tell you which virus definitions are effective for removing the threat. This is especially important if it is a zero day threat, or a threat that mutates daily. Communicate to your end users early so that they know what to avoid clicking on. As part of a Business Continuity Plan, departments should have plans for how their business processes can continue to operate without computers. Develop a communication plan for how IT will communicate with each other and key decision makers and end users if the email system is incapacitated.
There are many things you can do proactively to safeguard your network. Hiring a dedicated Security Engineer with CISSP certification is a great start. Hiring an outside consulting company to give you an objective analysis of your strengths and weaknesses is another good idea, and then having them come back to measure you against this first baseline periodically is also a good idea. Providing security awareness training for your end users is also very important.
I think it is also important to keep a level head and not overreact to every news article about the latest threat. Don’t overwhelm your users with scary emails. Sometimes our response to a problem can create a worse situation than any virus or worm outbreak. Therefore our responses should be carefully measured and tested when possible.

Some worms spread by guessing weak passwords on servers, shares and SQL applications. Most publicly traded companies are required to change their passwords frequently and should have strong passwords. Private companies are advised to follow suit, as this is a wise practice to adopt.

Why backups are important

If a worm or virus does some damage, you may need to restore from Backup.
Before you restore from backup, develop an Incident Response Procedure to inform users about any potential data loss that could occur as a result of the restore. If possible, perform one last backup prior to the restore so that you can selectively restore any valid files that users may have saved after the last backup was taken. Do not perform the restore until after the threat has been eliminated from the network; otherwise the restored files could become re-infected, wasting valuable time and frustrating end users.

Keep calm and carry on.

What defines success for IT Operations?


What must an IT Department do to be successful? The Operations Department within IT requires diligence across many technology disciplines. Here are some suggestions for IT Operations Management that, if met, will bring IT Operations closer to success.

  1. When the latest security patches have been applied to all servers.
  2. When all hardware is operational. There are no known failed components in the infrastructure. A streamlined process is in place to detect and respond to failed components. We also monitor the life cycle of equipment to make sure that critical systems are always under warranty.
  3. When all critical devices are monitored 24/7 and IT staff are notified when a failure event occurs.
  4. When Line of business applications have sufficient bandwidth to perform their role. A monitoring solution should alert IT when network traffic exceeds 70% – because WAN links become saturated at this level and TCP retransmissions will occur, causing latency within applications.
  5. When servers have sufficient hard drive space to perform their role.
  6. When servers and workstations are protected from viruses, worms and advanced persistent threats (APTs).
  7. When servers are protected from data loss. For example, Exchange Native Protection does not protect you if all copies of the DAG databases are taken offline by an external hacker, an internal disgruntled admin, or a worm.
  8. When servers are fast or adequately responsive to end user requests. Something like synthetic transactions is helpful to measure performance against previously accepted baselines.
  9. When servers have sufficient capacity to not only meet existing need, but to handle data and transactional growth for the next twelve months. This helps you be less reactive when problems occur. Using Azure IaaS helps because of the Autoscale feature.
  10. When all servers are provisioned with the smallest attack surface possible.
  11. When IT can respond to a request to provision a server in minutes.  
  12. When IT discusses and then tests changes before implementing them in a production environment. Using Virtualization can help reduce the cost of implementing change management.
  13. When the most critical systems are clustered.
  14. When the IT staff has a good work/life balance. For example, creating a single weekend where all patches or maintenance is performed can reduce turnover compared to allowing IT Operations staff to work most nights and weekends.


Please leave a comment below if you have any other suggestions to add to this list.