250 Hello - Security

1

Enable DMARC For OnMicrosoft.com Domains

Posted on 8th January 2024 by Rhoderick Milne [MSFT]

It is possible to add a Domain Based Message Authentication Reporting and Conformance (DMARC) record for your onmicrosoft.com domain in M365.

Is that a good thing?

Well, your viewpoint may depend on your experiences with this domain. If you actually use the onmicrosoft.com domain to send email, then yes! Adding the DMARC record enables the DMARC alignment check to pass and the mail to be successfu… Read the rest “Enable DMARC For OnMicrosoft.com Domains”

1

How To Generate File Hash Using Certutil

Posted on 21st December 2023 by Rhoderick Milne [MSFT]

Windows has the ability to easily generate a hash for a given file using the Certutil.exe utility. Administrators may have previously used to this tool when they need to generate TLS certificates or to perform other tasks against AD Certificate Services. As an example of the former, this was a common task for AD FS certificates as described in this post.

To generate the file hash we will use the … Read the rest “How To Generate File Hash Using Certutil”

0

Quick Tip – Easily Allow JIT to Azure VMs In A Resource Group

Posted on 21st June 2023 by Rhoderick Milne [MSFT]

Controlling connections to Azure VMs using the just in time (JIT) policy of Microsoft Defender for Cloud (MDC) certainly improves the overall security of the Azure resource. However, then having to enable JIT on a given VM runs into issues pretty quickly.

Azure Portal Too Permissive

Who thought it was a great idea to have “All configured IPs” as the default option? No thanks – I do not want to enab… Read the rest “Quick Tip – Easily Allow JIT to Azure VMs In A Resource Group”

0

Check If AD FS WSTrust Endpoint Enabled

Posted on 14th November 2022 by Rhoderick Milne [MSFT]

Active Directory Federation Services (AD FS) uses endpoints to provide access to features. There are a series of different endpoints which each serve a different purpose from password reset, publishing federation metadata or multiple web services protocols. It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal… Read the rest “Check If AD FS WSTrust Endpoint Enabled”

0

How to Use NsLookup To Check DKIM Record

Posted on 3rd October 2022 by Rhoderick Milne [MSFT]

There are a multitude of online tools that help diagnose issues with various mail services, but understanding what these tools actually check is valuable. One example is around manually checking published DomainKeys Identified Mail (DKIM) records. DKIM is described in RFC 4871. As an interesting piece of history DKIM went through a previous iteration "Domain-Based Email Authentication Using Pub… Read the rest “How to Use NsLookup To Check DKIM Record”

0

Migrate Safe Links Block Settings to TABL

Posted on 20th July 2022 by Rhoderick Milne [MSFT]

Migration of MDO Global Block List to TABL

Note that there have been changes to Safe Links policy for Microsoft Defender for Office 365 (MDO).

Previously you could add URLs to the Safe Links policy to control how MDO would process the URLs. As part of this change the URL blocking is moving to the Tenant Allow Block List (TABL).

Below is a screenshot showing that a previously entered URL needs to be migrated to TABL.

Learn more

&nb… Read the rest “Migrate Safe Links Block Settings to TABL”

0

Upgrade to Azure AD Connect 2.0

Posted on 3rd July 2022 by Rhoderick Milne [MSFT]

When delivering Office 365 Security Optimisation Assessments (SOA) to customers, one of the control items is the version of Azure AD Connect deployed along with some related configuration elements. In many cases, Azure AD Connect is not updated to a build that resolves both security and feature issues. Why is Azure AD Connect not current? Good question.

There are two main scenarios that I see rig… Read the rest “Upgrade to Azure AD Connect 2.0”

0

Joys of Server 2012 R2 TLS Defaults in June 2022

Posted on 30th June 2022 by Rhoderick Milne [MSFT]

Windows Server 2012 R2 was a great platform and was very widly adopted. Unlike it’s less popular step-sister, Server 2012. At least the R2 product had a start button, rather than the start pixel….

However, it really does show its age when viewed under a modern security lens. Unsurprisingly, things have changed from a security perspective over the last decade. Not all of the Server 2012 R2 defaul… Read the rest “Joys of Server 2012 R2 TLS Defaults in June 2022”

1

Remediate SWEET32 — Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA For Windows Server 2012 R2

Posted on 12th June 2022 by Rhoderick Milne [MSFT]

Admins have become very aware of the need to adjust the Schannel protocol settings for TLS to enable TLS 1.2 and to disable older versions. However, the cipher suites do not always receive the same amount of attention and may be left at their default values.

If you are reading this post there is a good chance that your security auditors have flagged a weak cipher is enabled on your server, and the… Read the rest “Remediate SWEET32 — Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA For Windows Server 2012 R2”

0

SSL Labs Scan Portal.Azure.com–June 2022

Posted on 12th June 2022 by Rhoderick Milne [MSFT]

This is a snapshot of portal.azure.com using SSLLabs.com to scan the TLS configuration. The image below is a point in time snapshot of the configuration.

The summary screen is repeated here so it can be used as the feature image for the post.