[ Sean TrimarcSecurity.com ]

Similar documents
Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Managing Microsoft 365 Identity and Access

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Active Directory Security: The Journey. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Office 365: Modern Workplace

News and Updates June 1, 2017

Securing Office 365 with Okta

Identity as the core of enterprise mobility

Google Identity Services for work

Use EMS to protect your mobile data and mobile app

Hybrid Identity de paraplu in de cloud

GLBA Compliance. with O365 Manager Plus.

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On-Premises Tools

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On- Premises Tools

Exchange Control Panel EMC. Remote PowerShell

Planning for and Managing Devices in the Enterprise: Enterprise Management Suite (EMS) & On-Premises Tools

CONDITIONAL ACCESS FROM A TO Z

A tale of Modern Management Part 1

OFFICE 365 GOVERNANCE: Top FAQ s & Best Practices. Internal Audit, Risk, Business & Technology Consulting

Business Essentials Business Business Premium

Conditional Access Policies

President Interlink Cloud Advisors. Mike Wilson Vice President Interlink Cloud Advisors. Kirk Terrell Consultant Interlink Cloud Advisors

Single Sign-On Showdown

Enabling Office 365 Services (347)

20398: Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) and On- Premises Tools

FISMA Compliance. with O365 Manager Plus.

Active Directory Security: The Journey. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

HIPAA Compliance. with O365 Manager Plus.

At Course Completion After completing this course, students will be able to:

MD-101: Modern Desktop Administrator Part 2

MB Microsoft Dynamics CRM 2016 Online Deployment.

EXPERTS LIVE SUMMER NIGHT. Close your datacenter and give your users-wings

Course 10993A: Integrating On-Premises Identity Infrastructure with Microsoft Azure

Multi Factor Authentication & Self Password Reset

PCI Compliance. with O365 Manager Plus.

Technology Partners.

Office 365 and Azure Active Directory Identities In-depth

Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Identity & Access Management

DOWNLOAD OR READ : OFFICE 365 SECURITY AND TRUST STANDARD REQUIREMENTS PDF EBOOK EPUB MOBI

Exchange 2007 End of Service: Modernize with Office 365. Todd Sweetser Technical Solutions Professional

From Workstation to Domain. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.com

Go mobile. Stay in control.

Microsoft Office 365 Business Plans

Identity as the Entrée to the Microsoft Cloud

Securing Active Directory Administration

Phil Schwan Technical

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Release Notes. Last Updated: March 2018

Microsoft Graph API Deep Dive

TIS/App Delivery Mobility Job Aid: Install and Configure Microsoft Outlook on Your iphone. Overview. Job Aid: Outlook for Mobile - iphone

CAN MICROSOFT HELP MEET THE GDPR

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

Cloud Print Migration Step-by-Step Deployment Guide

Overview What is Azure Multi-Factor Authentication? How it Works Get started Choose where to deploy MFA in the cloud MFA on-premises MFA for O365

How Microsoft s Enterprise Mobility Suite Provides helps with those challenges

Partner Center: Secure application model

Integrating On-Premises Identity Infrastructure with Microsoft Azure

NaviSite Managed Office 365 Productivity Suite Powered by Microsoft

Use Microsoft EMS. to Protect your Mobile Data and Mobile Apps. Chris Nackers Nackers Consulting

Office 365 for businesses. Stay connected on the go

Exchange Online Technical Overview. CCAP Exchange Online Overview 10/27/ /28/2011

Windows 10 Azure AD / EMS

Windows ierīces Enterprise infrastruktūrā. Aris Dzērvāns Microsoft

Why Choose MS Azure?

WORKPLACE Data Leak Prevention: Keeping your sensitive out of the public domain. Frans Oudendorp Ronny de Jong

Securing Active Directory Administration. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

Assess Remediate Enable Migrate

MCSA Office 365. A Success Guide to Prepare- Microsoft Enabling Office 365 Services. edusum.com

Secure & Unified Identity

Session: CEO206. Mike Crowley Planet Technologies

Windows 10. scalable IT services & solutions. October 25, Bruce Ward, VP of Business Strategy. Dan Sharp, Senior Consultant

What is Azure Active Directory (and Why Should I care)?

TIS/App Delivery Mobility Job Aid: Install and Configure Microsoft Outlook on Your Android Phone. Overview. Job Aid: Outlook for Mobile - Android

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

Basic. $5/user per mo.

The Pathway to the Cloud Using Azure SQL Managed Instance

Cloud Computing. An introduction using MS Office 365, Google, Amazon, & Dropbox.

Price list for Microsoft Office 365 from Swisscom. Valid from 1 may, 2016

Service Description VMware Workspace ONE

SERVERS TO SERVICES HOW MICROSOFT AZURE CAN MODERNISE YOUR IT INFRASTRUCTURE. Joey Lau 9 November 2017

Netwrix Auditor. Administration Guide. Version: /31/2017

The Economics of Office YTD Net Promoter Score. Microsoft Office365 10/20/2017. Paul Hoffman, CPA, CITP, CGMA CEO/President of SouthTech

Office 365: What to Expect When Moving to the Cloud

Microsoft Dynamics CRM Online Deployment (MB2-706)

Q&As Managing Office 365 Identities and Requirements

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

Liquid Telecom Microsoft Partnership

MB MCSA Microsoft Dynamics 365. A Success Guide to Prepare- Microsoft Dynamics 365 customer engagement Online Deployment. edusum.

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

HCX SERVER PRODUCT BRIEF & TECHNICAL FEATURES SUMMARY

Azure Multi-Factor Authentication: Who do you think you are?

Tracking changes in Hybrid Identity environments with both Active Directory and Azure Active Directory

Microsoft. MS-101 EXAM Microsoft 365 Mobility and Security. m/ Product: Demo File

Microsoft 365. A complete, intelligent, secure solution to empower employees. Integrated for simplicity. Built for teamwork. Unlocks creativity

Why is Office 365 the right choice?

Transcription:

Securing the Microsoft Cloud (Office 365 & Azure AD) Sean Metcalf Founder, Trimarc

Presenter bio Sean Metcalf Founder & CTO, Trimarc One of ~100 people globally who holds the Microsoft Certified Master Directory Services (MCM) certification. Presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Shakacon and Sp4rkCon security conferences. Posts info on ADSecurity.org

Agenda The Cloud Attacking the Cloud Cloud Security Controls Auditing Administration Controlling Access Password Insight Cloud Security Tune Up Testing Defenses Office 365 Subscriptions & Capability Best Practices & Wrap-up Sean Metcalf (@PyroTek3) TrimarcSecurity.com

Source: Microsoft Ignite Conference 2018 https://myignite.techcommunity.microsoft.com/sessions/64565?source=sessions

Internal Network The cloud is more secure since spends millions every year on cloud security

Internal Network

Anywhere Cloud Access

Attackers Love the Cloud Source: Microsoft Ignite Conference 2018

Attacks on the Cloud Source: Microsoft Ignite Conference 2018 https://myignite.techcommunity.microsoft.com/sessions/64523?source=sessions

Attacks on the Cloud

Cloud Attack Timeline Source: Microsoft Ignite Conference 2018 https://myignite.techcommunity.microsoft.com/sessions/64523?source=sessions

Attacking the Cloud: Password Spraying

EWS Capability Availability Bulk Transfer Conversations Delegate Management Exchange Store Search Exchange Search Federated Sharing Folder Inbox Rules Item Mail Tips Messaging Records Management Message Tracking Notification Service Configuration Synchronization Unified Messaging User Configuration Utility

Attacking the Cloud: Password Spraying

Attacking the Cloud: Password Spraying

Attacking the Cloud: Password Spraying

Attacking the Cloud: Password Spraying

Attacking the Cloud: Password Spraying

Attacking the Cloud: Password Spraying

Microsoft Cloud Security Controls

Azure Identity Protection Included with Azure AD Premium Have to install via the Azure Marketplace (portal.azure.com) Dashboard covering identity risk. Provides automatic remediation of risky sign-ins

Enable Risk-based Policies Requires Azure Identity Protection (included with Azure AD Premium) Assigns a risk level during sign-in Risk level determines action Force password change Require MFA registration MFA for higher risk authentication

Enable Sign-in Risk Policy Is this a risky sign-in? Anonymous IP Unfamiliar location

Enable User Risk Remediation Policy What s the chance the account is compromised? Some detected in real-time ~14 day learning period

Enable User Risk Remediation Policy https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy

Auditing

Microsoft Cloud Auditing Audit Item Category Enabled by Default Retention User Activity Admin Activity Office 365 Security & Compliance Center Office 365 Security & Compliance Center No No 90 days 90 days Mailbox Auditing Exchange Online No* 90 days Sign-in Activity Azure AD (P1) Yes 30 days Users at Risk Azure AD Yes 7 days 30 days (AAD P1) 90 days (AAD P2) Risky Sign-ins Azure AD Yes 7 days 30 days (AAD P1) 90 days (AAD P2) Azure MFA Usage Azure AD Yes 30 days Directory Audit Azure AD Yes 7 days 30 days (Azure AD P1/P2) * Microsoft is gradually enabling mailbox auditing for tenants.

Enable User & Admin Activity Auditing

Enable User & Admin Activity Auditing

Get Mailbox Auditing

Enable Mailbox Auditing

Azure Log Retention: Log Analytics (Preview)

Protecting Administration

Cloud Administration Protection Only cloud admin accounts are in privileged groups. Require all cloud admin accounts to use MFA (Microsoft Authenticator only).

Break Glass Cloud Admin Account New account designated as the Microsoft Cloud Admin account. Has permanent membership in the most privileged groups. Is excluded from most security controls: MFA and Conditional Access policies. Has a strong password. Only used in emergencies. All other cloud admin accounts have strong security controls (MFA, etc.)

Audit Privileged Group Membership

Leverage PIM

Controlling Access

Azure AD Conditional Access Enforce different rules on authentication/access based on a variety of conditions. Control access based on: Sign-in activity (anomalies?) Network location (corporate network vs internet) Device (AAD Joined?) Application Requires Azure AD P1

Conditional Access https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Legacy Authentication Source: Microsoft Ignite Conference 2018

Legacy vs Modern Authentication Legacy Auth Office 2010 and older Office 2013 (requires patch + reg key to support modern auth) Clients that use mail protocols such as IMAP/SMTP/POP Older PowerShell modules Modern Auth Office 2013 (requires enabling) Office 2016 (PC & Mac) Outlook Mobile ios 11 Mail app

Legacy Authentication Source: Microsoft Ignite Conference 2018

Disable Legacy Auth

Disable Service Access Outlook on the Web (OWA) Outlook desktop (MAPI) Exchange Web Services (EWS) Mobile (Exchange ActiveSync) IMAP POP

Azure AD Connect Health - ADFS https://techcommunity.microsoft.com/t5/azure-active-directory-identity/monitor-your-adfs-sign-inactivity-using-azure-ad-connect-health/ba-p/245395

Gaining Password Insight

Azure AD Smart Lockout (Public Preview) https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-password-protection-and-smart-lockout-are-now-in-public/ba-p/245423

Password Hash Sync, What & Why? Azure AD Connect provides capability. Requests password hashes from Active Directory Domain Controllers on-prem. Hashes these hashes (MD4+salt+PBKDF2+HMAC-SHA256) Sends to Azure AD tenant. Microsoft can identify and flag Azure AD users with bad passwords.

Azure AD Premium Password Protection (Public Preview) On-prem Active Directory solution. Microsoft Password Filter deployed to DCs. 1-2 Proxy servers configured in the AD forest. Blocks >500 commonly used passwords (plus > 1M character substitution of the passwords). Audit or Enforce password restrictions. Usage reporting (Get-AzureADPasswordProtectionSummaryReport) https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

Azure AD Premium Password Protection

Microsoft Cloud Security Tune Up

Secure Score

Secure Score

Secure Score Highest Priority Items Recommended ASAP Additional subscription required Action Score Increase Enable MFA for Azure AD privileged roles 50 Enable MFA for users 30 Enable sign-in risk policy 30 Enable user risk policy 30 Enable Client Rules Forwarding Block 20 Enable Cloud App Security Console 20 Enable Data Loss Prevention policies 20 Enable Microsoft Intune Mobile Device Management 20 Enable policy to block legacy authentication 20 Ensure all users are registered for multi-factor authentication 20 Review permissions & block risky OAuth applications connected 20 Set automated notification for new OAuth applications connected 20 Set automated notifications for new and trending cloud applications 20

Testing Defenses https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator

Simulate the Attack: Password Spray

Simulate the Attack : Password Spray

Simulate the Attack: Password Spray

Simulate the Attack: Password Attack

Simulate the Attack: Password Attack

Simulate the Attack: Password Attack

Simulate the Attack: Password Attack

Simulate the Attack: Phishing Attack

Simulate the Attack: Phishing Attack

Simulate the Attack: Phishing Attack

Simulate the Attack: Phishing Attack

Simulate the Attack: Phishing Attack

Office 365 Subscriptions (Capability & Cost)

Office 365 Enterprise Tiers Enterprise 1 (E1) - $8 user/month Enterprise 3 (E3) - $20 user/month Enterprise 5 (E5) - $35 user/month 50 GB mailbox 50 GB mailbox 100 GB mailbox File storage and sharing with 1 TB OneDrive storage No Office installed apps Unlimited personal cloud storage Desktop versions of Office applications (One license covers 5 phones, 5 tablets, and 5 PCs or Macs per user ) ediscovery with in-place search, hold, and export Unlimited personal cloud storage Desktop versions of Office applications (One license covers 5 phones, 5 tablets, and 5 PCs or Macs per user ) ediscovery with in-place search, hold, and export Customer Lockbox Office ATP Auto classification, smart import, and more with Advanced Data Governance Office 365 Cloud App Security

Azure Active Directory Options Free Basic: $1 per user monthly No object limit & Basic reports P1: $6 per user monthly Self-Service Group and app Management Self Service Password Reset/Change/Unlock Two-way sync between on-prem & Azure AD Multi-Factor Authentication (Cloud and On-premises (MFA Server)) Cloud App Discovery Conditional Access based on group, location, and device state Connect Health Microsoft Cloud App Security integration MDM auto-enrollment P2: $9 per user monthly Includes P1 features Identity Protection Privileged Identity Management Access Reviews https://azure.microsoft.com/en-us/pricing/details/active-directory/

Enterprise Mobility + Security Options Azure AD P1: $6 Azure AD P2: $9

Approximate Microsoft Cloud Cost ($26 - $50 user/month) Office 365 E3 & Azure AD Office 365 E3 ($20) + Azure AD P1 ($6) = $26/user/month Office 365 E3 ($20) + Azure AD P2 ($9) = $29/user/month Office 365 E5 & Azure AD Office 365 E5 ($35) + Azure AD P1 ($6) = $41/user/month Office 365 E5 ($35) + Azure AD P2 ($9) = $44/user/month Office 365 E3 & Enterprise Mobility + Security Office 365 E3 ($20) + Enterprise Mobility + Security E3 ($8.74) = ~$29/user/month Office 365 E3 ($20) + Enterprise Mobility + Security E5 ($14.80) = ~$35/user/month Office 365 E5 & Enterprise Mobility + Security Office 365 E5 ($35) + Enterprise Mobility + Security E3 ($8.74) = ~$44/user/month Office 365 E5 ($35) + Enterprise Mobility + Security E5 ($14.80) = ~$50/user/month

Cloud Security Best Practices

Microsoft Cloud Recommendations Summary Disable user access protocols that aren't required - goal is Modern Auth with MFA. Enable user and admin activity logging in Office 365 (UnifiedAuditLogIngestionEnabled). Enable mailbox activity auditing on all O365 mailboxes. Review the recommendations in Office Secure Score and implement as many as possible. Enable Password Hash Sync Enable self-service password reset Ensure all users are registered for MFA Enable MFA for all users Enable sign-in & user risk policy Conditional Access: Block Legacy Auth (most attacks leverage legacy auth) Monitor App registrations. Audit consented permissions for apps & user access to apps

Microsoft Cloud: Protecting Admin Accounts Enforce MFA on all admin accounts Many of the basics remain the same Least privilege is key and poorly understood in many cloud implementations Least access, use the security features provided by the cloud Cloud admin workstations treat same as privileged users Limit admin role membership and monitor group membership. PIM can help.

Summary The cloud isn t inherently secure. There are many security features and controls that are available. Security controls need to be researched, tested, and implemented. Security in the cloud may cost extra. Slides: Presentations.ADSecurity.org Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.adsecurity.org TrimarcSecurity.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback