Security

Security related items and thoughts

0

Quick Tip – How Do I View The Deleted Objects Container

Posted on by Rhoderick Milne [MSFT]

Windows Server 2008 R2 Active Directory added the AD Recycle Bin feature.  This allowed for an easier way to recover from an “oops” moment when a small number of objects were mistakenly deleted.  The option to perform an authoritative restored remains to recover from mass deletion events.  The AD Recycle Bin can be enabled via the AD Admin Centre or AD PowerShell using the Enable-ADOptionalFeatureRead the rest “Quick Tip – How Do I View The Deleted Objects Container”

0

MDI Readiness Test Script

Posted on by Rhoderick Milne [MSFT]
MDI Test Readiness Script

Before deploying Microsoft Defender for Identity (MDI), administrators  traditionally have relied on the MDI Test Readiness script to validate domain controller prerequisites. The script is intended to catch configuration issues early, such as missing directory permissions or insufficient system resources, before sensor installation begins. However, a recent update has caused a question to be raise… Read the rest “MDI Readiness Test Script”

0

MDI–Assign & Verify Permissions To Deleted Objects Container

Posted on by Rhoderick Milne [MSFT]
Granting Permissins to Deleted Objects Containter for MDI

In Active Directory, the Deleted Objects container is a hidden location where objects reside temporarily after they have been deleted, before they are fully removed by the tombstone or recycle bin process. This container plays a critical role in object recovery and directory hygiene.  By default, permissions on it are limited and the container itself is often overlooked since it is out of sight.

Th… Read the rest “MDI–Assign & Verify Permissions To Deleted Objects Container”

0

Time To Stop Using The Legacy Azure MFA & SSPR Portal

Posted on by Rhoderick Milne [MSFT]
Legacy Azure MFA Portal - Time To Migrate

In today's threat landscape, passwords alone are no longer sufficient to protect access to cloud systems. Enter Multifactor Authentication (MFA): a security mechanism that requires users to present two or more independent validation factors—typically something you know (e.g. password), something you have (e.g. a mobile authenticator or hardware key), or something you are (e.g. biometric data)—befo… Read the rest “Time To Stop Using The Legacy Azure MFA & SSPR Portal”

0

MDI Sizing Tool

Posted on by Rhoderick Milne [MSFT]
MDI Sizing Tool

Deploying Microsoft Defender for Identity (MDI) requires more than just installing the sensor on a domain controller.  MDI demands careful capacity planning to ensure reliable performance and accurate threat detection. Each MDI sensor analyses authentication traffic, monitors Active Directory activity, and reports telemetry to the MDI cloud service. If the underlying domain controller is undersize… Read the rest “MDI Sizing Tool”

0

Quick Tip – Easily Allow JIT to Azure VMs In A Resource Group

Posted on by Rhoderick Milne [MSFT]
Azure Portal Connect to VM

Controlling connections to Azure VMs using the just in time (JIT) policy of Microsoft Defender for Cloud (MDC) certainly improves the overall security of the Azure resource.  However, then having to enable JIT on a given VM runs into issues pretty quickly.

Azure Portal Too Permissive

Who thought it was a great idea to have “All configured IPs” as the default option? No thanks – I do not want to enab… Read the rest “Quick Tip – Easily Allow JIT to Azure VMs In A Resource Group”

0

Check If AD FS WSTrust Endpoint Enabled

Posted on by Rhoderick Milne [MSFT]
Check WSTrust Endpoint Configuration

Active Directory Federation Services (AD FS) uses endpoints to provide access to features.  There are a series of different endpoints which each serve a different purpose from password reset, publishing federation metadata or multiple web services protocols.  It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal… Read the rest “Check If AD FS WSTrust Endpoint Enabled”

0

How to Use NsLookup To Check DKIM Record

Posted on by Rhoderick Milne [MSFT]
Check DMARC DNS Record Using NSLookUP

There are a multitude of online tools that help diagnose issues with various mail services, but understanding what these tools actually check is valuable.  One example is around manually checking published DomainKeys Identified Mail (DKIM) records.  DKIM is described in RFC 4871.  As an interesting piece of history DKIM went through a previous iteration "Domain-Based Email Authentication Using Pub… Read the rest “How to Use NsLookup To Check DKIM Record”

0

Migrate Safe Links Block Settings to TABL

Posted on by Rhoderick Milne [MSFT]
Migration of MDO Global Block List to TABL

Note that there have been changes to Safe Links policy for Microsoft Defender for Office 365 (MDO).

Previously you could add URLs to the Safe Links policy to control how MDO would process the URLs.  As part of this change the URL blocking is moving to the Tenant Allow Block List (TABL).

Below is a screenshot showing that a previously entered URL needs to be migrated to TABL.

 

Migration of MDO Global Block List to TABL

Learn more

 

&nb… Read the rest “Migrate Safe Links Block Settings to TABL”

0

Upgrade to Azure AD Connect 2.0

Posted on by Rhoderick Milne [MSFT]
Azure AD Connect Upgrade to 2.X

When delivering Office 365 Security Optimisation Assessments (SOA) to customers, one of the control items is the version of Azure AD Connect deployed along with some related configuration elements.  In many cases, Azure AD Connect is not updated to a build that resolves both security and feature issues.  Why is Azure AD Connect not current?  Good question.

There are two main scenarios that I see rig… Read the rest “Upgrade to Azure AD Connect 2.0”