Security related things
Sender Policy Framework (SPF) is a fundamental component of modern e-mail authentication, designed to reduce the risk of spoofing and phishing attacks. By publishing a DNS record that specifies which mail servers are authorised to send messages on behalf of a domain, SPF allows receiving systems to validate whether an incoming message genuinely originates from the claimed sender. SPF alone does no… Read the rest “SPF Record Fun”
On-premises users were unable to use Entra SSPR to reset their passwords. This needs to use the Password Writeback feature, and in this case Entra Connect was used. Nowadays there is also Entra Cloud Sync, but that was not an option for this customer. Users were able to access the SSPR page at https://aka.ms/SSPR and successfully go through all of the steps of the wizard. This included the CAPT… Read the rest “Entra SSPR Failing–Unexpected Error During A Set Password Operation”
Transport Layer Security (TLS) has always been a critical component of securing communications in Microsoft Exchange Server, ensuring confidentiality and integrity of email traffic both internally and externally. With Exchange Server 2019, Microsoft has steadily evolved TLS support to align with modern security standards and deprecate older, weaker protocols. A notable shift came between Cumulativ… Read the rest “TLS Web Services Support On Exchange Server 2019 CU14 vs CU15”
It is possible to add a Domain Based Message Authentication Reporting and Conformance (DMARC) record for your onmicrosoft.com domain in M365.
Is that a good thing?
Well, your viewpoint may depend on your experiences with this domain. If you actually use the onmicrosoft.com domain to send email, then yes! Adding the DMARC record enables the DMARC alignment check to pass and the mail to be successfu… Read the rest “Enable DMARC For OnMicrosoft.com Domains”
Windows has the ability to easily generate a hash for a given file using the Certutil.exe utility. Administrators may have previously used to this tool when they need to generate TLS certificates or to perform other tasks against AD Certificate Services. As an example of the former, this was a common task for AD FS certificates as described in this post.
To generate the file hash we will use the … Read the rest “How To Generate File Hash Using Certutil”
In today's threat landscape, passwords alone are no longer sufficient to protect access to cloud systems. Enter Multifactor Authentication (MFA): a security mechanism that requires users to present two or more independent validation factors—typically something you know (e.g. password), something you have (e.g. a mobile authenticator or hardware key), or something you are (e.g. biometric data)—befo… Read the rest “Time To Stop Using The Legacy Azure MFA & SSPR Portal”
A common issue when deploying Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) with on-premises Exchange is making Exchange aware of the EOP spam filtering. This is because EOP uses slightly different logic to stamp the spam results etc. into the message. Exchange Server needs to be aware of this so that it can take action upon those settings.
Active Directory Federation Services (AD FS) uses endpoints to provide access to features. There are a series of different endpoints which each serve a different purpose from password reset, publishing federation metadata or multiple web services protocols. It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal… Read the rest “Check If AD FS WSTrust Endpoint Enabled”
Note that there have been changes to Safe Links policy for Microsoft Defender for Office 365 (MDO).
Previously you could add URLs to the Safe Links policy to control how MDO would process the URLs. As part of this change the URL blocking is moving to the Tenant Allow Block List (TABL).
Below is a screenshot showing that a previously entered URL needs to be migrated to TABL.
&nb… Read the rest “Migrate Safe Links Block Settings to TABL”
Windows Server 2012 R2 was a great platform and was very widly adopted. Unlike it’s less popular step-sister, Server 2012. At least the R2 product had a start button, rather than the start pixel….
However, it really does show its age when viewed under a modern security lens. Unsurprisingly, things have changed from a security perspective over the last decade. Not all of the Server 2012 R2 defaul… Read the rest “Joys of Server 2012 R2 TLS Defaults in June 2022”