Category: Uncategorized

With 2020 came a seemingly biblical stream of plagues. Obviously Covid-19, Murder Hornets, Social Unrest, and… Ransomware. Sure, ransomware isn’t a terribly new concept, but this year the ante has been upped significantly by the bad guys. Not only have crime groups become more brazen, they’re demanding far bigger ransoms causing cyber insurance companies and their unfortunate customers to struggle.

There are a million things that companies need to consider when it comes to protecting their infrastructure from ransomware, and maybe we’ll dive in a little further later, but today we’re going to spend some time talking about what you can do to make sure that you’re able to recover when every domain controller in your organization has been paved over with ransomware or destructive malware.

As you scream ‘But I have backups!’, you might want to stop for a second and think about those backups. Are they performed with an account that has access to everything else (I hope not)? Are the backups themselves stored in a place that’s susceptible to being encrypted? And how long will it take you to actually restore those backups?

Azure System State Backup

Taking advantage of Azure System State Backup is a great way to handle those concerns. The primary benefits here are that this solution involves a simple agent installed on a domain controller, doesn’t involve credentials of any kind, the backups are stored in an offsite location, and those backups are protected from tamper with a host of enhanced security features.

So let’s talk about configuration. Since we’re talking configuration of a critical resource, from a PAW (you ARE using PAWs, right?), we need to make sure that a recovery services vault is available in Azure.

Then, in that recovery services vault we’ll configure a backup:

Since a domain controller backup only involves the system state, it’s a simple configuration. A system state backup will ensure that Sysvol and registry configurations are retained.

then, when prompted, download the MARs agent and move it to the domain controller and start the install. The agent requires Visual C++ Runtime so if it’s not already installed, setup will take care of that for you.

then select where you’d like the agent to be installed:

Backups are shipped to Azure with encrypted, outbound connectivity initiated by the MARs agent. If you’d like to proxy that connectivity configure it next.

Make sure that the agent is configured to be able to update itself moving forward:

Then, finish the installation and the agent will prompt you to register it.

To register the agent you’ll need to go back to the backup that you configured in Azure and in the properties of the backup, ensure that you’ve declared you’re using the latest MARS agent, download the backup credentials, and transfer them to the Domain Controller you’re working on.

Select the previously exported credentials and move forward:

Next, you’ll need to generate a passphrase that will be used when restoring the backup. You can either specify your own, or let the setup generate one for you. Select Browse and specify where you’d like to export that passphrase. This needs to be protected because you won’t be able to restore if the secret is lost. Azure Key Vault (which we’ll talk about on a later date) is a great option here.

Now that registration is complete, you’ll want to schedule your backups. Open the Azure Backup agent and on the right side, select ‘Schedule Backup’.

Since we’re only backing up the system state, select ‘Add Items’ and ‘System State’.

Finally, ensure you’re taking daily backups and we’ll take a look at retention of those backups.

Retention depends entirely on your RTO/RPO strategy, but typically restoring a a domain to a point too far in the past has little value at all. I’ve chosen to perform daily backups and retain them for 14 days, but you might find it more reasonable to only maintain 7 days of daily backups, and maybe 4 single weekly backups to be used in fringe cases.

Finally, we confirm that the schedule is what we need it to be and move forward through the setup.

So there you have it. Nothing complicated at all and there are a handful of topics touched on that we’ll pick up later, but we’ve done some good work! Often, people use complicated or expensive backup/storage solutions that put them at risk for credential theft or data destruction in worst case scenarios. Azure System State Backup is neither expensive or complicated, but it ensures that you’ll be able quickly and confidently recover from disaster.

So here we are, early 2019 and just a few months removed from a data breach at Marriott that saw over 500 million guests’ personal information hit the public internet. If that sounds like an insane number you’re absolutely right! That’s nearly 6% of the world population and about 150% the population of the US.

So the big question is how. How do things like this happen, how do attackers gain so much information, how do they exfiltrate the data, and how is it so common that Forbes is over here making cyber predictions for 2019!?

A while back I wrote about securing privileged access with a brief, high level overview of how an attacker will work to gain access in an organization and work to keep it. Part of that process is by making use of local admin credentials harvested from the first compromised machine to pivot around the network to see what else those credentials will work on. Sounds harmless enough, but what if the machine they gain access to is a domain controller? Or an admin’s workstation who happens to have administrative privileges on his daily account?

During this process it’s difficult to detect because the attacker is using valid credentials to pivot around the network digging for more information or waiting for an admin to slip up. The first step to stopping this is by attacking the first link in the kill chain and limit privileged escalation of other workstations. How? By making sure that other workstation doesn’t have the same administrative password as the one the attacker already has.

Enter LAPS! The first part of the solution involves deploying an agent to each workstation and server on the network. That agent can be downloaded here. Since Microsoft was kind enough to provide the package as an MSI it’s easy enough to deploy with a script (msiexec /i \\fileserver\share\LAPS.x64.msi /quiet), Intune if you’re into comanagement, or good ole’ fashion SCCM. Definitely be sure to update your images to include the agent as well! Once that’s deployed and imaging has been updated, admin users need to install the management client on their PAWs (you are using a privileged access workstation, right?) to get the management client, powershell module, and GPO templates for management.

The next step is to make sure that the Active Directory Schema is taken care of. We need to extend the schema to include the attributes that we’ll be working with and then make sure to update permissions so we’ve accounted for users who shouldn’t be able to see those attributes. To extend the schema we need to use one of the admin workstations we just installed the management tools on and import the module in a powershell session and update the schema:

Import-module AdmPwd.PS
Update-AdmPwdADSchema

After waiting a short while for that schema change to replicate we’ll move on to making sure only specific users and computers have access to the AD attribute that now stores these passwords. The first step is to remove permissions for groups at the OU level. If you’ve blocked inheritance you’ll need to make sure to take care of any nested OUs as well.

1. Open ADSIEdit
2. Right Click on the OU that contains the computer accounts that you are installing this solution on and select Properties.
3. Click the Security tab
4. Click Advanced
5. Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit.
6. Uncheck All extended rights

*Be sure to preview all extended rights permissions first to make sure you aren’t removing permissions required by that group of users

Now that we’ve taken care of scoping away permissions from unintended users/computers, we need need to make sure that the machines themselves have access to write to this attribute so they’re able to update their own passwords as they expire.

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Servers,DC=domain,DC=com"

We’ll grant individual admin groups access to read those randomized admin passwords:

Set-AdmPwdReadPasswordPermission `
-OrgUnit "OU=Admins,DC=domain,DC=com" `
-AllowedPrincipals Domain\PasswordAdmins

And of course we need to account for password resets as well so let’s add reset permissions:

Set-AdmPwdResetPasswordPermission `
-OrgUnit "OU=Admins,DC=domain,DC=com" `
-AllowedPrincipals Domain\PasswordAdmins

Finally, you’ll want to hop into Group Policy on that admin workstation you installed the tools on to establish the password policy settings you’ll be enforcing on those workstations and servers.

There’s quite a bit here to chew on but it’s not technically challenging so give it a try in a lab, then roll it out to your user workstations and eventually the servers as well! Again, the idea here is to limit lateral movement and make elevation of privilege more and more difficult for bad actors.

We’ll have another shorter session to go over some of the day to day admin tasks like looking up those passwords and resetting them, but that day is not today!

After a little bit of a holiday hiatus we’re back to start a segment on securing privileged access. When we refer to privileged access we’re talking about everything from the different levels of administrative access, to privileged users who might handle extremely sensitive data for your organization.

So many organizations still believe that traditional firewalls are enough to keep the big, bad internet at bay. Well, in the modern enterprise it’s foolish to believe that you’re able to keep your data within any boundary while your users begin to work remotely, leverage third party SaaS storage (Dropbox, Google Drive, OneDrive, etc.), or you begin to host your data in an enterprise cloud like Office 365. I’m not here to tell you that those firewalls aren’t absolutely necessary, but it’s important to realize that the days of recognizing your firewall as the security boundary are over and you need to work hard to secure identity, regardless of where your data is hosted.

Recognizing that, let’s take a look at how a typical credential theft takes place in an organization:

An attacker is going to establish a foothold in your organization by targeting end users with social engineering or phishing attacks. Once they’ve got access to that user’s computer they’ll start working on lateral movement, meaning that they’ll begin reaching out to other computers or servers on the network to see what else can be compromised. Maybe it’s by exploiting non unique local admin passwords, maybe the originally breached user has access elsewhere, or maybe an admin isn’t using a separate account for admin activities. Pivoting further and further until control of the directory database is gained (through actual domain admin permissions, by exploiting misconfigurations, or server agent configuration).

The first step is a simple one, and to many organizations it’s already very well ingrained in IT culture. Administrators need dedicated administrative accounts that are not shared with any other admins. I work with too many customers where this isn’t that case. Some have a generic account with domain admin that’s used for automation or just ‘general use’, or they flat out grant admin permission to their day to day account. Admin roles in your org should be reported on regularly to identify these and there should be alerts for elevation of privilege with an actual process for following up on those.

The next steps are again, not technically challenging but require culture change that many admins are adverse to. Privileged Access Workstations need to be deployed for users owning high value admin roles, and unique local admin passwords need to be deployed to workstations first and finally servers to help stop lateral movement. I’ll reach back to these two topics later with dedicated articles, but for now; know that it needs to be accomplished and needs to be prioritized.

Now that we’ve touched on high level goals of attackers and the first steps required to secure privileged access, I’ll follow up soon with part two. I’ll be working through Microsoft guidelines published here so definitely feel free to read ahead a little and ask questions!

Admins are expected to keep tabs on major changes to the service and understand how those could impact uptime, or just good ole’ fashioned end user experience. Unfortunately, there are hundreds of items coming down the pipe that may or may not be relevant to every organization and it’s difficult to follow it all.

The first part of making that manageable is understanding how Microsoft’s release options work. Updates are released to different update ‘Rings’ as the updates become more mature. The first three rings are Microsoft release teams where Microsoft consumes the updates first, prior to being formally released to the rest of the world.

After that, you can select to add friendlies to the targeted release group. These would typically be IT groups or power users who will be a little more adaptive to change. Here are a few of the benefits of making sure you have decision makers in the targeted release group:

• Test and validate new updates before they are released to all the users in the organization.

• Prepare user notification and documentation before updates are released worldwide.

• Prepare internal help-desk for upcoming changes.

• Go through compliance and security reviews.

• Use feature controls, where applicable, to control the release of updates to end users.

Here’s how you can add individuals to targeted release.

Handy, right? Super common use case here; Teams were released about a year ago and most customers had no idea exactly how it would impact them or how their users would cope. The feature was added to enterprise licensing and enabled by default upon standard release. The trouble? End users were able to go to http://teams.microsoft.com and create a new one with any name and any picture which shows up in the address book with (at the time) no central management and can potentially be shared with the wide world of the internet. Mayyyybe you might want to review that feature to make sure you have controls in place that match your organization’s goals.

In addition to release options you’ll want make sure that your team is managing the message center for major updates.

Updates in the service come at you pretty fast, but Microsoft does a pretty decent job of providing information and allowing you to plan for them. Make sure you keep an eye on the roadmap, the message center, and of course make use of targeted release to find out how those changes will impact your users!

Now don’t mind me while I go drown myself in meaningless college football games!

And here we are at the Crossroads of collaboration and productivity. With this little diddy I’ll make my foray into the wild, wild world of technical blogging.

I’ve been lucky enough to become an established engineer and have claimed some of the most iconic brands and organizations in the world as my customers in the last ten years. My goal is to share some of the knowledge I’ve gained along the way with hopefully, a bit of a smile as well.

Here you’ll find tips, tricks, and news about technical collaboration solutions used by organizations today. Everything from specific script samples, deployment guidance, and migration scenarios to major news released by industry leaders.

I’ll start with the message that struck me quite a while back and hope it does the same for you. Steve Jobs paid forward to the graduates of Stanford University in 2005 when he sent them off into the world with four words. Stay hungry, stay foolish.

For those of you who don’t recognize the reference, Steve was referencing the closing message of The Whole Earth Catalog. His message was one of ambition, living life, and embracing risk.

Education begins the gentleman, but reading, good company, and reflection must finish him. – John Locke