blog.icewolf.ch

Let's talk about IT!

Security

Patches, Updates, Applications, Windows, Virus, Trojans
New Microsoft 365 Defender RBAC (Preview)

Hi All, I've stumbled across the new Microsoft 365 Defender Role-based access control (RBAC). It is still in Preview but I gave it a go. For now you can create the RBAC Roles only in the M365 Defender Portal, but Graph Integration is at least on the Roadmap.

Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model
https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/centrally-manage-permissions-with-the-microsoft-365-defender/bc-p/3717432

Microsoft 365 Defender role-based access control (RBAC)
https://learn.microsoft.com/en-us/microsoft-365/security/defender/manage-rbac?view=o365-worldwide

Let's have a look. You can find it in the Microsoft 365 Defender Portal: https://security.microsoft.com/mtp_roles

Let's create a custom role. Give it a Name and some Description if you like. Select one of the Categories. Select the Permissions you need or...

posted @ Wednesday, February 8, 2023 11:16 AM | Filed Under [ Security Microsoft365 ]

Document AzureAD Conditional Access Policies

Hi All, I had the "pleasure" again this week to Document the Azure AD Conditional Access Policies. Making several Screenshots in the Azure AD Portal seemed not the best way.

MSGraph: List Conditional Access policies
https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-list-policies?view=graph-rest-1.0&tabs=http

So I tried to use the Microsoft Graph Explorer https://aka.ms/ge. You need the Permission: Policy.Read.All

    https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies

While using the JSON could be one way, it's not very good if you have to Document it in a Word Document, right? I tried to use the Microsoft.Graph PowerShell Module:

    Import-Module Microsoft.Graph.Identity.SignIns
    Connect-MgGraph -Scopes Policy.Read.All
    $CAP = Get-MgIdentityConditionalAccessPolicy
    $CAP

As you can see, the Conditions, GrantControls and SessionControls are dedicated Objects:

    $CAP[1] | fl

If we dig down into the Conditions, more Objects appear:

    $CAP[1].Conditions | fl

And...

posted @ Friday, February 3, 2023 10:49 AM | Filed Under [ Security PowerShell Azure ]

Analyze AzureAD SignIn Logs with PowerShell

Hi All, I recently had a case where I needed to access the AzureAD Signin Logs with PowerShell. I've started at the Azure AD Signin Logs and filtered by UPN:
https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/SignIns

Next step was Graph Explorer, where I found the needed Permissions:

    ###############################################################################
    # Graph Explorer
    ###############################################################################
    #Go to https://aka.ms/ge
    https://graph.microsoft.com/v1.0/auditLogs/signIns
    https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')

Let's connect with these Permissions (they need Admin Consent and I already have that):

    #Import-Module and Connect to Microsoft Graph
    Import-Module Microsoft.Graph.Reports
    Connect-MgGraph -Scope AuditLog.Read.All,Directory.Read.All

By default you only get 1000 Rows:

    #Get Signins
    $Signins = Get-MgAuditLogSignIn
    $Signins.Count

Let's check the Details of one Record:

    #Show Details of one Record
    $Signins[0] | fl

Do we have SignIns where RiskState is set?

    #List RiskState
    $Signins | where {$_.RiskState -ne "none"}

By using a Filter...

posted @ Thursday, January 26, 2023 10:51 AM | Filed Under [ Security PowerShell Azure ]

Migrate MFA and SSPR Authentication Methods

Hi All, in January 2024 the legacy multifactor authentication and self-service password reset policies will be deprecated and you'll manage all authentication methods in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.

How to migrate MFA and SSPR policy settings to the Authentication methods policy for Azure AD (preview)
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage

First review the current Policies:
- MFA policy
- SSPR policy (if used)
- Authentication methods policy (if used)

Enable "Allow use of Microsoft Authenticator OTP". Let's start the Migration. Let's try to finish the Migration. Apparently, we need to...

posted @ Tuesday, January 24, 2023 10:40 PM | Filed Under [ Security Microsoft365 ]

Exchange Online legacy TLS Endpoints for POP3 IMAP and SMTP

Hi All,

New opt-in endpoint for POP3/IMAP4 clients that need legacy TLS
https://techcommunity.microsoft.com/t5/exchange-team-blog/new-opt-in-endpoint-for-pop3-imap4-clients-that-need-legacy-tls/ba-p/3710395

Exchange Online ended support for TLS1.0 and TLS1.1 in October 2020. This year, we plan to disable these older TLS versions for POP3/IMAP4 clients to secure our customers and meet compliance requirements. However, we know that there is still significant usage of POP3/IMAP4 clients that don't support TLS 1.2, so we've created an opt-in endpoint for these clients so they can use TLS1.0 and TLS1.1. This way, an organization is secured with TLS1.2 unless...

posted @ Tuesday, January 10, 2023 10:56 PM | Filed Under [ Security Exchange ]

DNS Certification Authority Authorization (CAA)

Hi All, do you know the Certification Authority Authorization (CAA) DNS Records? With these Records you can control which CA is allowed to issue Certificates for your domain.

DNS Certification Authority Authorization
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization

CAA implementation has been mandatory for all certificate authorities since September 2017.

RFC 8659 DNS Certification Authority Authorization (CAA) Resource Record
https://www.rfc-editor.org/rfc/rfc8659

These Records mean no CA is allowed to issue Certificates or Wildcard Certificates for that Domain:

    domain.tld.  IN  CAA  0 issue ";"
    domain.tld.  IN  CAA  0 issuewild ";"

Only the specified CA can issue Certificates and Wildcard Certificates for that Domain:

    domain.tld.  IN  CAA  0 issue "ca.domain.tld"
    domain.tld.  IN  CAA  0 issuewild "ca.domain.tld"

To indicate that certificate authorities should report invalid certificate...

posted @ Wednesday, January 4, 2023 11:33 PM | Filed Under [ Security PowerShell ]

AzureADAssessment and PowerBI Reports

Hi All, recently I came across an interesting Project. Now I had some Time to check it out.

Microsoft Azure AD Assessment
https://github.com/AzureAD/AzureADAssessment

    ## Install Module
    Install-Module AzureADAssessment

    ## Authenticate using a Global Admin or Global Reader account.
    Connect-AADAssessment

    ## Export data to "C:\AzureADAssessment" into a single output package.
    Invoke-AADAssessmentDataCollection

It's important to say that you have to use PowerShell 7. It seems that you need to have an Azure Active Directory P2 License to gather all the Logs. This generates the following Output. Now you can create the Reports with these Files:

    Complete-AADAssessmentReports -Path C:\AzureADAssessment\AzureADAssessmentData-icewolfch.onmicrosoft.com.aad -OutputDirectory C:\AzureADAssessment\icewolfch\Report

PowerBI Reports: let's open up AzureADAssessment.pbit. You have to fix some Settings to use the Report. Now the PowerBI...

posted @ Saturday, September 3, 2022 9:55 AM | Filed Under [ Security Azure ]

New Microsoft Authenticator settings in AzureAD

Hi All, I've seen some Posts about the new Microsoft Authenticator settings in AzureAD. Here is how you get there:
- Go to the Azure Active Directory Portal https://aad.portal.azure.com and select "Security"
- On the Security Page open "Authentication methods"
- On Authentication methods select "Microsoft Authenticator"
- On Microsoft Authenticator Settings select "Configure"

Here you can change some settings that have already been available for quite a while, but now you have a GUI for them.

How to use number matching in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

How to use additional context in Microsoft Authenticator notifications (Preview) - Authentication methods policy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context

These Settings can be found in the Graph API:
https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

Regards Andres...

posted @ Saturday, September 3, 2022 9:32 AM | Filed Under [ Security Azure ]

VMware Tools update 12.1.0 to fix CVE-2022-31676

Hi All, VMware has released a Security Advisory to address CVE-2022-31676. You need to upgrade to VMware Tools 12.1.0 to fix the Issue.
https://www.vmware.com/security/advisories/VMSA-2022-0024.html

VMware Tools 12.1.0 Download
https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS1210&productId=1259&rPId=92824

After you have downloaded the ZIP file, mount the vmwaretools.iso and run Setup64.exe (or setup.exe on x86 Processors). On my Server I had to restart and relaunch the Setup. Looks good after the Reboot and launching setup64.exe again. Let's check in VCSA.

Regards Andres Bohren

posted @ Wednesday, August 24, 2022 3:35 PM | Filed Under [ Security Virtualisation ]

Exchange Server Support for Windows Extended Protection

Hi All, with the August 2022 Updates for Exchange Server 2013/2016/2019 there is a new Feature called Windows Server Extended Protection. This will help against authentication relay or "man in the middle" (MitM) attacks.

Exchange Server Support for Windows Extended Protection
https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

- Does not work with hybrid servers using Modern Hybrid configuration
- SSL Offloading scenarios are not supported
- Automated Archiving with Archive Policy is not supported
- TLS configuration must be consistent across all Exchange servers
- Access to Public Folders on Exchange 2013 is not supported

The newest...

posted @ Thursday, August 11, 2022 6:15 AM | Filed Under [ Security Exchange ]
