Monthly Archives: July 2020

Switch from ADFS to Azure AD

A surprising number of clients are still operating complex ADFS farms.

ADFS Complexity 

Here are 8 reasons to switch to Azure AD.

1. ADFS has a greater surface attack area than Azure AD. Example: NTLM Brute-Force (CVE-2019-1126).

2. ADFS can have multiple single points of failure unless designed properly

3. ADFS requires certificate maintenance – resulting in planned downtime

4. ADFS requires lots of IT overhead (Backups, Monitoring, OS Upgrades, etc)

5. Azure AD Conditional Access offers better security controls than ADFS Claims

6. Azure AD is lightweight and less complex to administer (No Claims Rules)

7. Azure AD more closely aligns to NIST 800-63b (Scan for breached passwords)

8. Azure AD has a better feature roadmap

It’s easy to switch from ADFS to Azure AD. For example, this one PowerShell command can migrate Office 365 from ADFS to Cloud in less than 5 minutes. Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication Managed

You can also do a staged rollout of smaller groups at a time rather than a big bang cutover using (the first security group is limited to 200 users). Learn more about staged rollout (here).

Note: That’s the core command that moves the trust from ADFS to Azure AD. There are more planning steps involved like making sure you have enabled password hash sync. Learn more planning steps (here).

Here are 5 tips for moving other apps from ADFS to Azure AD

  1. Use the new ADFS Application activity report (preview) or the ADFS to Azure AD app migration tool to analyze your current apps. This tool will quickly identify which apps can be migrated seamlessly and which require remediation (see figure one).
  2. Acquire deployment guides for the relevant apps. Many are published on the Microsoft app gallery, but if not, you can open a ticket through the third-party vendor who developed the app.
  3. Allocate appropriate time and resources to the high-touch apps.
  4. Migrate the apps that are ready to go for quick wins.
  5. Identify a test environment or plan a maintenance window to avoid moving large servicing app at peak usage.

Learn more here:

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/five-tips-to-improve-the-migration-process-to-azure-active/ba-p/445364

What is Double Key Encryption (DKE)?

Today Microsoft announced the public preview of Double Key Encryption (DKE).

What does “Double Key” mean? It’s similar to a missile launch where two people must turn their key at the same time. In the case of encryption, it is the combination of two keys held by separate parties that encrypt or decrypt data.

DKE

Or to quote Microsoft:

“Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key. It uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.”

Your Client Key is hosted outside of Microsoft (wherever you want) via a web service that you are responsible for hosting. If your web service goes down (intentionally or unintentionally) then no new data can be encrypted or decrypted.

This is similar to its predecessor, Hold-Your-Own-Key (HYOK) which I assume DKE will eventually replace at some point in the future. Except there is one big advantage: Unlike HYOK, DKE does not depend upon on-premises Active Directory Rights Management Services (AD RMS). So it is a simpler configuration.

Is DKE right for me? Most likely not. It’s intended for some super rare scenarios that very few clients have. There are serious productivity limitations to DKE that are nearly identical to HYOK, where many features inside Office 365 and other services will not function such as SharePoint Search, eDiscovery Search, Data Loss Prevention, Transport Rules, Exchange ActiveSync, Journaling, Malware scanning, Archiving Solutions and any other services that needs to read data such as 3rd party document management systems.

Therefore customers should carefully evaluate all key options before proceeding with DKE (see table below).

What if I lose my key? Your data is inaccessible, and there is no ‘back door’ key like the ‘Availability Key’ feature in BYOK that allows Microsoft to decrypt data if you lose your BYOK key.

Encryption Key Comparison

HYOK

(Hold-Your-Own-Key)

Double-Key Encryption (NEW)

BYOK
(Bring-Your-Own-Key)

Microsoft

Managed Key

Can Microsoft Read the Encrypted Data?

No

No

Yes

Yes

AD RMS Required?

Yes

No

No

No

100%Cloud Hosted

No

No

Yes

Yes

On-Prem or Cloud
DMZ Req?

No

Yes

No

No

On-Prem
HSM Req?

Yes

Yes

Yes

No

ActiveSync Support

No

No

No

No

Exchange On-Premises IRM

No

No

Yes

Yes

Outlook Mobile

No

No

Yes

Yes

OWA

No

No

Yes

Yes

Office Mobile

(Word/Excel/PPT)

Yes (Consume Only)

Yes (Consume Only)

Yes

Yes

Mac OSX

Yes (Consume Only)

Yes (Consume Only)

Yes

Yes

SharePoint Search

No

No

Yes

Yes

Key Strength

RSA 2048-bit (Key Exchange)

AES 128 (Wrapping)

SHA 256 (Signing)

(FIPS 140-2)

RSA 2048-bit (Key Exchange)

AES 128 (Wrapping)

SHA 256 (Signing)

(FIPS 140-2)

RSA 2048-bit (Key Exchange)

AES 128 (Wrapping)

SHA 256 (Signing)

(FIPS 140-2)

RSA 2048-bit (Key Exchange)

AES 128 (Wrapping)

SHA 256 (Signing)

(FIPS 140-2)

External Collaboration

No

No

Yes

Yes

Office Client Support

Office 2013 +

Office Insider*

Office 2013 +

Office 2010 +

Auditing

Yes

Yes

Yes

Yes

Office Insider is required at the time of this writing (July 2020) but eventually it will roll out to Office versions in mainstream support.

Initially at the time of this writing, the AIP Unified Labeling Client is required to encrypt/decrypt content. It will eventually be available natively in the Office Ribbon.

Additional Resources

Blog Post: https://aka.ms/DKEpreview
Deployment Docs: https://aka.ms/DKEpreviewdocs
Github Repo: https://aka.ms/DKErepo

July 2020 Major Vulnerability Roundup

Palo Alto CVE-2020-2021

If you have SAML enabled on your Palo Alto, a CVE Severity 10 Critical vulnerability allows remote unauthenticated access
https://security.paloaltonetworks.com/CVE-2020-2021

Citrix (Multiple CVE’s)

Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.

https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/

F5 (CVE-2020-5902)

If you have F5, and haven’t patched, treat it as incident response at this point as public exploits are available. There was also a new bypass discovered.

Chrome

Google is rolling out an important software update for Chrome browser—version 83.0.4103.106 for Windows, Mac, and Linux—that includes security patches for 4 high-severity vulnerabilities.

SAP (CVE-2020-6287)

A new critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS bug-severity scale, was found in SAP impacting 40,000 customers. At least 2,500 customers in the United States that have internet facing SAP are impacted.

According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.
https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/

Cisco CVE-2020-3297

The flaw ranks 8.1 out of 10.0 and could allow remote, unauthenticated attackers to access the switches’ management interfaces with administrative privileges.

https://threatpost.com/cisco-warns-high-severity-bug-small-business-switch/157090/

Microsoft

AVANAN announced “SYLKin Attack” which claims to bypass M365 security.

You can block .SLK attachments with the Set-MalwareFilterPolicy PowerShell command, or Exchange transport rules.

Patch Tuesday (7/14/2020) included a fix for a wormable RCE vulnerability in Windows DNS that should be patched ASAP. (CVE-2020-1350)

Microsoft pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library.

These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, where it released patches for 129 vulnerabilities – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.