SPF Record Fun

SPF Record Structure

Sender Policy Framework (SPF) is a fundamental component of modern e-mail authentication, designed to reduce the risk of spoofing and phishing attacks. By publishing a DNS record that specifies which mail servers are authorised to send messages on behalf of a domain, SPF allows receiving systems to validate whether an incoming message genuinely originates from the claimed sender. SPF alone does no…

Entra SSPR Failing–Unexpected Error During A Set Password Operation

Entra SSPR - Unable to Reset Password

On-premises users were unable to use Entra SSPR to reset their passwords.  This needs to use the Password Writeback feature, and in this case Entra Connect was used.  Nowadays there is also Entra Cloud Sync, but that was not an option for this customer.  Users were able to access the SSPR page at https://aka.ms/SSPR and successfully go through all of the steps of the wizard.  This included the CAPT…

TLS Web Services Support On Exchange Server 2019 CU14 vs CU15

Exchange Server 2019 CU15 TLS Scan Results

Transport Layer Security (TLS) has always been a critical component of securing communications in Microsoft Exchange Server, ensuring confidentiality and integrity of email traffic both internally and externally. With Exchange Server 2019, Microsoft has steadily evolved TLS support to align with modern security standards and deprecate older, weaker protocols. A notable shift came between Cumulativ…

Enable DMARC For OnMicrosoft.com Domains

DMARC Record For onmicrosoft.com Domain

It is possible to add a Domain-based Message Authentication, Reporting and Conformance (DMARC) record for your onmicrosoft.com domain in M365.

Is that a good thing?

Well, your viewpoint may depend on your experiences with this domain.  If you actually use the onmicrosoft.com domain to send email, then yes!  Adding the DMARC record enables the DMARC alignment check to pass and the mail to be successfu…

How To Generate File Hash Using Certutil

Create File Hash using Certutil

Windows has the ability to easily generate a hash for a given file using the Certutil.exe utility.  Administrators may have previously used this tool when they needed to generate TLS certificates or to perform other tasks against AD Certificate Services.  As an example of the former, this was a common task for AD FS certificates as described in this post.

To generate the file hash we will use the …

Time To Stop Using The Legacy Azure MFA & SSPR Portal

Legacy Azure MFA Portal - Time To Migrate

In today's threat landscape, passwords alone are no longer sufficient to protect access to cloud systems. Enter Multifactor Authentication (MFA): a security mechanism that requires users to present two or more independent validation factors—typically something you know (e.g. password), something you have (e.g. a mobile authenticator or hardware key), or something you are (e.g. biometric data)—befo…

Configure On-Premises Exchange For EOP Spam Thresholds

Exchange Online Anti Spam Threshold

A common issue when deploying Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) with on-premises Exchange is making Exchange aware of the EOP spam filtering.  This is because EOP uses slightly different logic to stamp the spam results etc. into the message.  Exchange Server needs to be aware of this so that it can take action upon those settings.

On-Premises Spam Confiden

Check If AD FS WSTrust Endpoint Enabled

Check WSTrust Endpoint Configuration

Active Directory Federation Services (AD FS) uses endpoints to provide access to features.  There are a series of different endpoints which each serve a different purpose from password reset, publishing federation metadata or multiple web services protocols.  It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal…

Migrate Safe Links Block Settings to TABL

Migration of MDO Global Block List to TABL

Note that there have been changes to Safe Links policy for Microsoft Defender for Office 365 (MDO).

Previously you could add URLs to the Safe Links policy to control how MDO would process the URLs.  As part of this change the URL blocking is moving to the Tenant Allow Block List (TABL).

Below is a screenshot showing that a previously entered URL needs to be migrated to TABL.

Migration of MDO Global Block List to TABL

Joys of Server 2012 R2 TLS Defaults in June 2022

Server 2012 R2 SSLLabs Report

Windows Server 2012 R2 was a great platform and was very widely adopted.  Unlike its less popular step-sister, Server 2012.  At least the R2 product had a start button, rather than the start pixel….

However, it really does show its age when viewed under a modern security lens.  Unsurprisingly, things have changed from a security perspective over the last decade. Not all of the Server 2012 R2 defaul…