Month: January 2020

Modern Desktop implementation – Behind the scenes

Modern Desktop implementation – Behind the scenes

Introduction & Vision

At Synergics we truly believe the mission of Microsoft to empower every person and every organization on the planet to achieve more. Every great implemented project start with a vision and with goals/milestones.

In the first project we delivered workshops to understand the transformation needs of the organization. we identified these digital outcomes below. (the description is basic, I know. But it’s another side-traject of this implementation)

  • Empower information workers and firstline workers so they can collaborate and communicate.
  • Simplified communication – Communicate through the full organization.
  • Increase agility for the IT-Organization – adaptability.
  • Futureproof design – Technical design, cloud first strategy.

You can read the reference-case in NL or FR! Microsoft Surface with Windows Autopilot ensure efficiency gains and easier IT management for the city of Lokeren. Reference Case.

Evolution to modern management – 100% CLOUD!

  • Less complexity
  • built-in automation
  • brand-new configuration & policies
  • higher security standards
  • self-service possibilities
  • 100% CLOUD!

To achieve more it’s important to give control to the people (empower), update your platform, easier roll-out’s of new devices etc.. (Scenario on the right, 100%…)

Traditional Co-Management Modern

New device setup experience with Autopilot

Imaging/cloning/etc of devices is taking a lot of crucial time – compared to Autopilot. This isn’t the easiest enabler because there are policies, GPO’s, in place. With Autopilot we deliver the roll-out of the Windows 10 Devices and sync back the Device-Object so on-premise resources can still be accessed in transition for future plans.

Autopilot Microsoft EndPoint Manager
  • – Old GPO’s can stay for some time.
  • – New possibilities of modern management becomes active.
Autopilot

Microsoft Windows update in waves & delivery optimization

It looks like a easy job but most of the time it’s a non-controlled mechanisms.

Windows 10 started in 2015 with builds as: 1511, 1607, 1703,1709, 1803,1809,1903,1909. As you see can in the screenshot, now we are transforming to 1903! and 1909 starting soon.

Compliance Policy
Device Compliance

Hybrid Identity – and password write-back

I was hoping to write cloud-identity but we still live in a world of on-premise infrastructure waiting to move to the cloud. For now we are creating and maintaining identities on-premise. We enable password-write-back so users are able to change their password.

Azure AD connect configuration

Intune mobile device management authority

Office 365 ProPlus distribution based on dynamic collections

It sounds very easy but I’ve seen a lot of customers fighting with licenses and automated processes.

  • When a user is in a M365 E3 dynamic collection because of the parameters Office ProPlus is automatically distributed.
  • When a user has no ProPlus acces, like a O365 F1 user, office 365 ProPlus will be removed.

Onedrive Known Folder Move (KFM)

There are two primary advantages of moving or redirecting Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll) to OneDrive for Business for the users in your domain:

  • Your users can continue using the folders they’re familiar with. They don’t have to change their daily work habits to save files to OneDrive.
  •  Saving files to OneDrive backs up your users’ data in the cloud and gives them access to their files from any device.
  • This has value, value, value. Users can find their documents on their phones because of the automated move. When there workstations crashes, the data is still there..

Microsoft Defender Advanced threat protection

All devices are fully managed under the greatest MDATP. (also see the quadrant)

  • Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats
  • Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations
  • A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based-on business context and dynamic threat landscape, and built-in remediation process speed up mitigation of vulnerabilities and misconfiguration
  • Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns
  • Automated security, SecureScore and +10 more features!
Microsoft Defender ATP

Enterprise state roaming (ESR)

With Windows 10, Azure AD users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise State Roaming offers:

  • Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
  • Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
  • Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.
  • Even next to KFM! Even more great for data loss etc..

Future achievements..

  • Everything starts with the value of Microsoft 365 E3 of E5.
  • Analytics and data. My-analytics, Workplace Analytics?
  • Security Operations – Advanced hunting?
  • Proactive services – thousand scenario’s possible..
  • Automation in processes with Power Automate?
  • Deep integration with third-party applications?
Modern Device Management
Office 365 ATP Recommended Configuration Analyzer – Best Practices!

Office 365 ATP Recommended Configuration Analyzer – Best Practices!

Office 365 Advanced Threat Protection is growing and evolving over time. Writing documentation takes time – automation doesn’t. Automatically export your O365 ATP settings in one HTML file to see the scores and recommendations.

Solution: ORCA! Orca is a report that you can run in your environment which can highlight known configuration issues and improvements which can impact your experience with Office 365 Advanced Threat Protection (ATP).

Start from Exchange Online Powershell

Start up your Exchange Online Powershell Module from:

PowerShell Module Exchange Online

Installation of ORCA

  • Install-Module ORCA
Install Orca

Run ORCA

  • Get-ORCAReport
OrcaReport

Results

The results are logged in a log in your userprofile. And will be populated in a really great HTML overview.

High-level overview of the Office 365 ATP ORCA Report

Configuration Analyzer Report

Recommendation example

Compliant Level
Safe Links

What’s in scope?

  • Configuration in EOP which can impact ATP
  • Safe Links configuration
  • Safe Attachments configuration
  • Antiphish and antispoof policies.

Coming Soon!

  • At MS Ignite session’s Microsoft announced a new best-practice portal in Office 365’s admin console. This session can be found here: 79719(BRK2104)
Best Practive Analyzer

Bring it all together

  • Export and compare multiple customer-scenario’s. This will help you determine the differences.
  • Modern Security mechanisms as Office 365 ATP are continues improving and need continues attention and recurrent validations. (each month!)
  • In 2018, the percentage of inbound emails that were Phishing messages grew 250%. That trend has continued to grow with increased level of targeting and sophistication! Still super important!
  • Focus on user education and training. In addition to advanced security tools for detection, investigation and response still 40% is user-related.
  • More and more control an reporting will come to the Office 365 portal!
  • AND NOW since you have the report in a easy way. ACT and enable best-practices!
Protect apps with Microsoft Cloud App Security Conditional Access App Control

Protect apps with Microsoft Cloud App Security Conditional Access App Control

A lot of companies are struggling with data leakage when it comes to their exchange online environment. Easy fix! Enable: Microsoft Cloud App Security Conditional Access App Control! First, check the 7 seconds demo. It explains the unnecessary words!

Scenario:

  • You have all your devices enabled in Microsoft’s endpoint manager aka Intune
  • You are able to have an inventory and control of your hardware assets (CIS Control 1)
  • You are using Office 365 or Microsoft 365.
  • You don’t want users to download their e-mail attachments on a non-company owned device. (other scenario’s possible!)

Protect apps with Microsoft Cloud App Security Conditional Access App Control

It sounds so complex and i strongly believe this is making the implementations way to complex. So now the 2 Practical steps for the configuration.

Step 1: Choose the cloud application – select the condition!

  • Select cloud apps or actions: Microsoft Exchange
  • Select a condition – IF your device is marked as compliant. Based on a intune policy that is able to CHECK if the device is compliant. Users are able to just go their way on Exchange Online.
device State Preview

Step 2: select the Access Controls

  • IF not they are not able to download attachments to their environment. Block downloads. That’s it!
Conditional Access App Control

By natively integrating with Azure AD, any app that is configured with SAML or Open ID Connect can be self-onboarded.

In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant: More apps: Here

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams

Conclusions

  • It’s not because you block attachment downloads in Exchange or OneDrive from non-company owned devices that your organization is good to go! This practical example shows the flexibility to get conditions in your organizations which can prevent leakage of data in e-mail systems.
  • Blocking exchange download could shift that your organization will become aware they are still sending crucial information by mail which should be found in Microsoft Teams or SharePoint Online.
  • Microsoft Information protection could play a big role in this configuration but this enablement can be a first step in security maturity growth.
  • More options? YES: Notification when someone is downloading +10 documents, leaked credentials, impossible travel, File shared with unauthorized domain, New risky app, …
The Multi-factor-authentication struggle? AND the solution!

The Multi-factor-authentication struggle? AND the solution!

The struggle for a Multi-factor authentication implementation is REAL and most of the time, really frustrating? Some frequently asked questions and answers below! Let’s change problem into a solution.

We don’t want to use Multi-factor authentication – it’s too complex!

  • Ask the people in your organization if they use the same password as their corporate account for: Dropbox, Yahoo, Gmail, Facebook. Do they?
  • I know, it’s really bad advice. But type your ‘old’ password in Haveibeenpwned.com Is it still ‘safe’?
  • Do you have MFA on your Facebook account? Your iCloud account, You’re private mail? Is it that bad?

How to tackle the resistance!

  • END-USER AWARENESS: There are a lot of organizations helping with a great case which can help your organization (including Microsoft) to communicate well. Communicate – make people understand WHY – support them – give them more!
  • MEASURE THE NEED FOR MFA: Measure the impact in your organization. And make people understand WHY. You could send out a ‘false Payroll update’ and measure how many people are entering their credentials. Make them aware that they did very good not entering their corporate credentials. Don’t punish people because they did. Help them to identify and understand phishing mails. https://protection.office.com/attacksimulator
ATP Phishing demo
Change Password
  • SELF-SERVICE: Give people in the organization the ability to get some pro’s because they ‘need’ to do MFA. For example: self service reset password possibilities. It could also mean that the workload of IT-teams will decrease because of self-service mechanisms. It’s nearly impossible (insecure) to deliver self-service without a trusted-second factor.
  • MODERN MANAGEMENT: Bring all your devices in a Azure AD in a state where they are at least Azure AD Joined so users will have pro’s like Single-Sign-On in Microsoft Edge. Other browsers are possible, but requires a little bit more time.
  • CONDITIONAL ACCESS: It’s simple to define a basic set of conditions where there shouldn’t be an second factor required. For example your work-environment. It creates a huge way of possibilities to have a better roll-out. Better have MFA with one condition then having no MFA at all.
Passwordless authentication codes
  • PASSWORDLESS AUTHENTICATION: Deliver passwordless authentication. It will help your users to not struggle with their password. Implementation guide here.
  • MEASURE THE RISK(S): Login to your Azure AD portal and export all sign-in logs of the last 3 month. Filter on SUCCESS and filter on a country which your company is not in. (or filter out all locations you are in and work with the left-overs) You have leaked credentials. Mostly it’s clear after this simple exercise.
  • MICROSOFT AUTHENTICATOR APP: You could just use SMS as a factor but don’t bother and use the Authenticator App
Sign-ins Azure AD
  • AZURE ADVANCED THREAT PROTECTION: Work with Azure Advanced Threat Protection in a ‘Pilot’. This setup will cost you 60 minutes. Order a trial license of Microsoft 365 E5, go through the wizard of Azure ATP and add your domain controllers as a sensor.
Azure Advanced Threat Protection

After 30 days go to the console and export: Passwords exposed in clear text, lateral movement paths to sensitive accounts. I’m sure you can find something happening without knowing! This will bring insights where you had none before.

ATP Reports Cloud
  • THIRD PARTY ASSESSMENT: Work with third-party tools to measure the security or cyber-security maturity of your organization.
  • CLOUD APP SECURITY: Measure that data is extracted to machines to understand the needs in your environment. This will prioritize the need of identity-protection (later data-control)
Cloud Discovery Reports

Advice to IT Administrators

  • Maintain an 8-character minimum length requirement (and longer is not necessarily better)
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk based multi-factor authentication challenges.

Microsoft Password guidance didn’t changed in years. It’s still great!

It isn’t only commercial talk..

Microsoft sees over 10 million username/password pair attacks every day. This gives them a unique vantage point to understand the role of passwords in account takeover. 99.9 percent of attacks on your accounts can be prevented. (and it is not)

Side nodes