Category: Microsoft


Microsoft IGNITE 2016

Microsoft Ignite 2016 conference – announcements:

  • Office with Tap & Quick Start
  • Yammer integrated with Office 365 Groups
  • SharePoint (SharePoint team site, document library sync, Android & Windows apps)
  • Skype for Business on Mac
  • Live transcription on Skype Broadcast
  • PSTN Calling in preview in France

Office at Ignite: https://blogs.office.com/2016/09/26/office-365-news-in-september-at-ignite-intelligence-security-collaboration-and-more/

Other announcements regarding Office 365:

Office 365

Connect to expertise and content with new people experiences throughout Office 365

Applying intelligence to security and compliance in Office 365

Skype for Business

Yammer

SharePoint and OneDrive

  • Major OneDrive updates at Ignite 2016 include SharePoint Online sync preview
  • Announcing Feature Pack 1 for SharePoint Server 2016—cloud-born and future-proof
  • Enhanced conditional access controls, encryption controls and site classification in SharePoint and OneDrive
  • Enriching the mobile and intelligent intranet with team news, apps for Android and Windows and more

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is that it’s probably one of the most detailed documents I’ve seen in a long time. From setting up event subscriptions to a hardened use of Windows Remote Management, including authentication and firewalls, the document tells you how to securely set up an environment where you can natively consolidate and monitor event-log-based entries. In addition, the NSA goes on to cover a number of areas that should be monitored, complete with event IDs:

http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html

http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html

Event forwarding guidance: https://github.com/iadgov/Event-Forwarding-Guidance

Malware archeology cheat sheets: http://www.malwarearchaeology.com/cheat-sheets/

Machine-specific issues – which can be indications of malicious activity

  • Application Crashes
  • System or Service Failures
  • Kernel and Device Signing
  • The Windows Firewall

Administrator Activity – specific actions performed that may be suspect

  • Clearing of Event Logs
  • Software and Service Installation
  • Remote Desktop Logon
  • Account Usage

The bad news is you’re still left to sort out a TON of event log detail and interpret whether the entries are a problem or not.

Additionally: Changes to Group Policy only show up in the events as a change to the policy, but lack detail on exactly what was changed within the Group Policy.

To truly have a grasp on whether you have an “adversary” within or not and, if so, what that adversary is doing, you’re going to require a solution that not only collects events, but can correlate them into something intelligent. Your solution should:

  • Consolidate events
  • Focus on the events you are concerned about
  • Provide comprehensive detail about the changes to your systems, security and data

Three software solutions:

  • Netwrix Auditor for AD
  • Dell change auditor for AD
  • IBM QRadar (SIEM)

Splunk (SIEM): Splunk Windows auditing using the NSA guide: https://github.com/anthonygtellez/windows_auditing

MS white-paper best practices to secure AD: http://aka.ms/bpsadtrd

MS Advanced threat analytics (MS ATA): https://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/

Windows Event IDs useful for intrusion detection:

Windows Vista events and above

Category                                  Event ID    Description
User Account Changes                      4720        Created
                                          4722        Enabled
                                          4723        User changed own password
                                          4724        Privileged user changed this user’s password
                                          4725        Disabled
                                          4726        Deleted
                                          4738        Changed
                                          4740        Locked out
                                          4767        Unlocked
                                          4781        Name change
Domain Controller Authentication Events   4768        TGT was requested
                                          4771        Kerberos pre-auth failed
                                          4772        TGT request failed
Logon Session Events                      4624        Successful logon
                                          4647        User-initiated logoff
                                          4625        Logon failure
                                          4776        NTLM logon failed
                                          4778        Remote desktop session reconnected
                                          4779        Remote desktop session disconnected
                                          4800        Workstation locked
                                          4801        Workstation unlocked
Domain Group Policy                       4739        Domain GPO changed
                                          5136        GPO changed
                                          5137        GPO created
                                          5141        GPO deleted
Security                                  1102        Event log cleared
Software and Service Installation         6           New kernel filter driver
                                          7045        New Windows service
                                          1022, 1033  New MSI file installed
                                          903, 904    New application installation
                                          905, 906    Updated application
                                          907, 908    Removed application
                                          4688        New process created
                                          4697        New service installed
                                          4698        New scheduled task
External Media Detection                  43          New device information
                                          400         New mass storage installation
                                          410         New mass storage installation

Group Changes   Scope       Created   Changed   Deleted   Members Added   Members Removed
Security        Local       4731      4737      4734      4732            4733
                Global      4727      4735      4730      4728            4729
                Universal   4754      4755      4758      4756            4757
Distribution    Local       4744      4745      4748      4746            4747
                Global      4749      4750      4753      4751            4752
                Universal   4759      4760      4763      4761            4762
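As an added example (not from the original post or the NSA document), the following Python triages a batch of Security events against the event ID table above and the guidance that follows on the page: a cleared log, a 4719 audit policy change not raised by SYSTEM, a freshly created account placed straight into a security group, and a burst of failed logons. The event records, user names and host names are constructed sample data; the parsed-record shape and the rule names are assumptions for the illustration.

```python
from collections import defaultdict

# Subset of the event ID table above, keyed by event ID -> (category, description).
# 4719 (system audit policy changed) comes from the auditpol best practices further
# down the page rather than from the table.
EVENT_CATALOG = {
    4720: ("User Account Changes", "Created"),
    4722: ("User Account Changes", "Enabled"),
    4726: ("User Account Changes", "Deleted"),
    4740: ("User Account Changes", "Locked out"),
    4624: ("Logon Session Events", "Successful logon"),
    4625: ("Logon Session Events", "Logon failure"),
    4776: ("Logon Session Events", "NTLM logon failed"),
    1102: ("Security", "Event log cleared"),
    7045: ("Software and Service Installation", "New Windows Service"),
    4698: ("Software and Service Installation", "New Scheduled Task"),
    4719: ("Policy Change", "System audit policy was changed"),
}
# "Members Added" column of the Group Changes table: event ID -> group kind.
MEMBER_ADDED = {4732: "Security Local", 4728: "Security Global",
                4756: "Security Universal", 4746: "Distribution Local",
                4751: "Distribution Global", 4761: "Distribution Universal"}

# Constructed sample batch, already parsed (as a SIEM export or Get-WinEvent would give it).
SAMPLE_EVENTS = [
    {"id": 4720, "subject": "CORP\\helpdesk1", "target": "svc_backup2", "host": "DC01"},
    {"id": 4732, "subject": "CORP\\helpdesk1", "target": "svc_backup2",
     "group": "Administrators", "host": "DC01"},
    {"id": 4719, "subject": "SYSTEM", "target": "", "host": "DC01"},       # GPO refresh
    {"id": 4719, "subject": "CORP\\jdoe", "target": "", "host": "FS01"},   # manual override
    {"id": 1102, "subject": "CORP\\jdoe", "target": "", "host": "FS01"},
] + [{"id": 4625, "subject": "-", "target": "administrator", "host": "FS01"}] * 6

def describe(event_id):
    """Category and description for an event ID; unknown IDs are 'Uncategorised'."""
    return EVENT_CATALOG.get(event_id, ("Uncategorised", ""))

def triage(events, failure_threshold=5):
    """Return (severity, rule, detail) tuples for the patterns worth a human look."""
    alerts = []
    created = set()                 # accounts created (4720) earlier in this batch
    failures = defaultdict(int)     # failed logons per target account
    for ev in events:
        eid, subject, target = ev["id"], ev["subject"], ev["target"]
        if eid == 1102:
            alerts.append(("high", "log-cleared",
                           f"{subject} cleared the Security log on {ev['host']}"))
        elif eid == 4719 and subject.upper() != "SYSTEM":
            # Policy applied from a GPO shows SYSTEM as the subject; anyone else
            # is overriding the audit policy defined in AD.
            alerts.append(("high", "audit-policy-override",
                           f"{subject} changed the audit policy on {ev['host']}"))
        elif eid == 4720:
            created.add(target)
        elif eid in MEMBER_ADDED and target in created:
            alerts.append(("high", "new-account-in-group",
                           f"{target} was created and added to {MEMBER_ADDED[eid]} "
                           f"group {ev.get('group', '?')} by {subject}"))
        elif eid in (4625, 4776):
            failures[target] += 1
    for account, n in failures.items():
        if n >= failure_threshold:
            alerts.append(("medium", "logon-failure-burst",
                           f"{n} failed logons for {account}"))
    return alerts

if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```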

Office 365 roadmap: http://fasttrack.microsoft.com/roadmap

Azure roadmap: https://www.microsoft.com/en-us/server-cloud/roadmap/?tduid=(d54b359b9c4047f808e986150b41d860)(152407)(1806294)(skim725X721037Xcefc634c345a150ca3baaa1302d64ce5)()

Microsoft roadmap: https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap?tduid=(d54b359b9c4047f808e986150b41d860)(152407)(1806294)(skim725X721037X197a8775c837e9b1f7341d7aac534129)()


A well-known vulnerability within Windows can map an anonymous connection (or null session) to a hidden share called IPC$ (which stands for interprocess communication). This hack method can be used to

  • Gather Windows host configuration information, such as user IDs and share names.

  • Edit parts of the remote computer’s registry.

Although Windows Server 2008, Windows XP, Windows 7, and Windows 8 don’t allow null session connections by default, Windows 2000 Server does — and (sadly) plenty of those systems are still around to cause problems on most networks.

Map a null session

Follow these steps for each Windows computer to which you want to map a null session:

  1. Format the basic net command, like this:

    net use \\host_name_or_IP_address\ipc$ "" "/user:"

    The net command to map null sessions requires these parameters:

    • net followed by the use command

    • The IP address or hostname of the system to which you want to map a null connection

    • A blank password and username

  2. Press Enter to make the connection.

    After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

You should see the mappings to the IPC$ share on each computer to which you’re connected.

With a null session connection, you can use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

You — like a hacker — can take the output of these enumeration programs and attempt to

  • Crack the passwords of the users found.

  • Map drives to the network shares.

You can use the following applications for system enumeration against server versions of Windows prior to Server 2003 as well as Windows XP.

net view

The net view command shows shares that the Windows host has available. You can use the output of this program to see information that the server is advertising to the world and what can be done with it, including the following:

  • Share information that a hacker can use to attack your systems, such as mapping drives and cracking share passwords.

  • Share permissions that might need to be removed, such as the permission for the Everyone group, to at least see the share on older Windows 2000–based systems.

Configuration and user information

Winfo and DumpSec can gather useful information about users and configurations, such as

  • Windows domain to which the system belongs

  • Security policy settings

  • Local usernames

  • Drive shares

Your preference might depend on whether you like graphical interfaces or a command line. Winfo is a command-line tool. The following is an abbreviated version of Winfo’s output against a Windows NT server, but you can collect the same information from other Windows systems:

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
   - http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
 - OS version: 4.0
PASSWORD POLICY:
 - Time between end of logon time and forced logoff: No forced logoff
 - Maximum password age: 42 days
 - Minimum password age: 0 days
 - Password history length: 0 passwords
 - Minimum password length: 0 characters
USER ACCOUNTS:
 * Administrator
 (This account is the built-in administrator account)
 * doctorx
 * Guest
 (This account is the built-in guest account)
 * IUSR_WINNT
 * kbeaver
 * nikki
SHARES:
 * ADMIN$
 - Type: Special share reserved for IPC or administrative share
 * IPC$
 - Type: Unknown
 * Here2Bhacked
 - Type: Disk drive
 * C$
 - Type: Special share reserved for IPC or administrative share
 * Finance
 - Type: Disk drive
 * HR
 - Type: Disk drive

This information cannot be gleaned from a default installation of Windows Server 2003, Windows XP, Windows 7, or Windows 8.

You can peruse the output of such tools for user IDs that don’t belong on your system, such as

  • Ex-employee accounts that haven’t been disabled

  • Potential backdoor accounts that a hacker might have created

NetUsers

The NetUsers tool can show who has logged in to a remote Windows computer. You can see such information as

  • Abused account privileges

  • Users currently logged into the system

This information can help you track, for auditing purposes, who’s logging in to a system. Unfortunately, this information can be useful for hackers when they’re trying to figure out what user IDs are available to crack.

Countermeasures against null session hacks

If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows 7. They don’t have the vulnerabilities described in the following list.

You can easily prevent null session connection hacks by implementing one or more of the following security measures:

  • Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:

    • 139 (NetBIOS sessions services)

    • 445 (runs SMB over TCP/IP without NetBIOS)

  • Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine’s network connection for those systems that don’t need it.

  • Restrict anonymous connections to the system. For Windows NT and Windows 2000 systems, you can set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:

    • None: This is the default setting.

    • Rely on Default Permissions (Setting 0): This setting allows the default null session connections.

    • Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.

    • No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.

Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for RestrictAnonymous. It’s available on the web at http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.

FIM and MIM resources

Web resources:

Identity Manager Hybrid Reporting in Azure: https://technet.microsoft.com/en-us/library/mt134414.aspx

Out-of-the-box FIM 2010 R2 Reports: https://technet.microsoft.com/en-us/library/jj133843(v=ws.10).aspx

FIM/MIM connectors (free): https://msdn.microsoft.com/en-us/library/jj863241(v=ws.10).aspx

Connectors: http://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-management-agents-from-partners.aspx

Powershell connector: https://msdn.microsoft.com/en-us/library/dn640417(v=ws.10).aspx

How to create and deploy a client certificate for MAC: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

Transforming .cer to .pem or vice-versa: https://www.sslshopper.com/ssl-converter.html

Using OpenSSL to convert a certificate from one format to another: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx

Using PowerShell:

http://msexchange.me/2014/06/05/monitoring-event-id-thru-powershell/

http://community.spiceworks.com/topic/282720-powershell-event-log-monitor-email-alert-script-central-monitor

https://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/

Using SCOM:

http://jimmoldenhauer.blogspot.fr/2013/03/scom-2012-how-to-generate-alerts-from.html

http://scomandplus.blogspot.fr/2013/02/creating-rules-to-monitor-security-logs.html

http://thoughtsonopsmgr.blogspot.fr/2013/11/windows-event-log-monitoring-how-to-get.html

http://opsmgradmin.blogspot.fr/2011/05/scom-monitoring-windows-event-logs.html

Introduction:

When Kerberos was chosen to be AD’s authentication protocol in the mid- to late-1990s, the World Wide Web was a shadow of what the Internet offers today. Although the Kerberos ticket contained an encrypted password hash that could be attacked, there wasn’t any substantial requirement to provide support outside the highly protected corporate firewall.

The rise of cloud services is changing many aspects of our lives, and these services don’t support external authentication via Kerberos because of that password vulnerability. If a web service uses standards, it handles claims-based authentication using SAML 2.0 or, increasingly, OAuth 2.0 and OpenID Connect. Microsoft’s own Azure Active Directory doesn’t use Kerberos; it supports SAML and OAuth 2.0 as its authentication protocols.

Resources:

http://windowsitpro.com/active-directory/ease-cloud-security-concerns-federated-identity

http://windowsitpro.com/identity-management/kerberos-might-not-be-dead-its-not-feeling-well

Wikipedia Article: OAuth

http://css.csail.mit.edu/6.858/2014/projects/kanter-bcyphers-bfaviero-jpeebles.pdf

http://www.axiomatics.com/blog/entry/authentication-vs-authorization-part-2-saml-and-oauth-2.html

OAuth in details

OAuth is an authorization method to provide access to resources over the HTTP protocol.

Usage

OAuth 2 can be used to authorize various applications (server, browser, mobile and desktop) as well as manual user access.

In general, it works by letting an application obtain an access token (which represents the user’s permission for the client to access their data) and present that token to authenticate its requests to an API endpoint.

OAuth 2 flow

A sample OAuth flow: Facebook

OAuth versions

There are two versions of OAuth authorization: OAuth 1 (using HMAC-SHA signature strings) and OAuth 2 (using tokens over HTTPS).

Note: SoapUI currently only offers OAuth 2 authorization.

OAuth 2 terms

Conceptually, OAuth 2 has a few components interacting. The resource server (the API server) hosts the resources to be accessed. Access tokens are issued by the authorization server (which can be the same as the API server) on behalf of the resource owner (the user) whose resources are being accessed. The application that uses the tokens to call the API is called the client.

End Points

The token endpoint is used by clients to get an access token (and optionally a refresh token) from the authorization server.

Note: When using implicit grant, this endpoint is not used. Instead the access token is sent from the authorization endpoint directly.

Tokens

The two token types involved in OAuth 2 are the access token and the refresh token.

Access Token

The access token is used for authentication and authorization when accessing resources on the resource server.

Refresh Token

The refresh token normally is sent together with the access token.

The refresh token is used to get a new access token, when the old one expires. Instead of the normal grant type, the client provides the refresh token, and receives a new access token.

Using refresh tokens allows a short expiration time for the access token presented to the resource server, and a long expiration time for the client’s access to the authorization server.

Token Types

Access tokens have a type, which defines how they are constructed.

Bearer Tokens

Bearer tokens rely on HTTPS for protection in transit; the request itself is not signed or encrypted. Possession of the bearer token is considered authentication, so whoever holds the token can use it.

MAC Tokens

More secure than bearer tokens, MAC tokens are similar to signatures, in that they provide a way to have (partial) cryptographic verification of the request.

Grants

Methods to get access tokens from the authorization server are called grants. The same method used to request a token is also used by the resource server to validate a token.

The four basic grant types are Authorization Code, Implicit, Resource Owner Credentials and Client Credentials.

Note: SoapUI currently only offers the grant types Code Grant and Implicit.

Authorization Code

With the authorization_code grant, the resource owner grants access. An authorization code is then sent to the client via browser redirect, and the client exchanges that code in the background for an access token. Optionally, a refresh token is also issued.

Implicit

The implicit grant is similar to authorization code, but instead of using the code as an intermediary, the access token is sent directly through a browser redirect.

Resource Owner Credentials (not yet in SoapUI)

The password (Resource Owner Credentials) grant uses the resource owner’s password to obtain the access token. Optionally, a refresh token is also sent. The password is then discarded.

Client Credentials (not yet in SoapUI)

In client_credentials grant mode, the client’s credentials are used instead of the resource owner’s. The access token is associated either with the client itself, or delegated authorization from a resource owner.

Grant Type Extensions

OAuth has a mechanism for extending grant types as a bridge to other authorization frameworks, or for specialized clients.

Extension grants are used by clients by passing an absolute URI as the grant_type parameter and adding any additional parameters the endpoint requires.

Scope

In OAuth 2, the scope is a way to restrict access to specified areas. A common way of handling it is a comma-separated or space-delimited list of strings, where each string indicates an area of access.
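As an added example (not from the original page or from SoapUI), the following Python models in one process the authorization code grant, bearer access tokens and refresh tokens described above: the authorization endpoint hands out a single-use code, the token endpoint exchanges it (or a refresh token) after authenticating the client, and the resource server accepts a bearer token only while it is unexpired and carries the right scope. The class names, the "photos.read" scope, the injected clock and the client identifiers are assumptions for the illustration; a real deployment exposes these endpoints over HTTPS.

```python
import secrets

class AuthorizationServer:
    ACCESS_TTL = 300           # access tokens: short-lived (seconds)
    REFRESH_TTL = 30 * 86400   # refresh tokens: long-lived (seconds)

    def __init__(self, clock):
        self.clock = clock     # returns "now" in seconds; injected so expiry is testable
        self.clients = {}      # client_id -> (client_secret, redirect_uri)
        self.codes = {}        # code -> (client_id, user, scope, redirect_uri)
        self.access = {}       # access token -> (user, scope, expires_at)
        self.refresh = {}      # refresh token -> (client_id, user, scope, expires_at)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user):
        """Authorization endpoint: after the resource owner consents, return the
        code that the browser redirect carries back to the client."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope, redirect_uri)
        return code

    def _issue(self, client_id, user, scope):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (user, scope, now + self.ACCESS_TTL)
        self.refresh[refresh] = (client_id, user, scope, now + self.REFRESH_TTL)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "refresh_token": refresh}

    def token(self, grant_type, client_id, client_secret, **params):
        """Token endpoint (back channel): the client authenticates with its secret
        and exchanges either an authorization code or a refresh token."""
        if self.clients.get(client_id, (None, None))[0] != client_secret:
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)      # codes are single-use
            if entry is None or entry[0] != client_id or entry[3] != params["redirect_uri"]:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], entry[2])
        if grant_type == "refresh_token":
            entry = self.refresh.pop(params["refresh_token"], None)  # rotate on use
            if entry is None or entry[0] != client_id or entry[3] < self.clock():
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], entry[2])
        raise PermissionError("unsupported_grant_type")

class ResourceServer:
    """API server: trusts a bearer token only while it is unexpired and in scope."""
    def __init__(self, auth_server, clock):
        self.auth, self.clock = auth_server, clock

    def get_photos(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        entry = self.auth.access.get(token) if scheme == "Bearer" else None
        if entry is None or entry[2] < self.clock():
            return 401, "invalid_token"
        if "photos.read" not in entry[1].split():
            return 403, "insufficient_scope"
        return 200, f"photos of {entry[0]}"

if __name__ == "__main__":
    now = [1000]
    auth = AuthorizationServer(lambda: now[0])
    api = ResourceServer(auth, lambda: now[0])
    auth.register_client("app", "s3cret", "https://app.example/cb")
    code = auth.authorize("app", "https://app.example/cb", "photos.read", "alice")
    tok = auth.token("authorization_code", "app", "s3cret", code=code,
                     redirect_uri="https://app.example/cb")
    print(api.get_photos("Bearer " + tok["access_token"]))   # (200, 'photos of alice')
    now[0] += AuthorizationServer.ACCESS_TTL + 1               # access token expires
    print(api.get_photos("Bearer " + tok["access_token"]))   # (401, 'invalid_token')
    tok = auth.token("refresh_token", "app", "s3cret", refresh_token=tok["refresh_token"])
    print(api.get_photos("Bearer " + tok["access_token"]))   # (200, 'photos of alice')
```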

Software Assurance (SA) is expected to be available in the new MPSA agreements from 1 September 2014:
http://blogs.technet.com/b/volume-licensing/archive/2014/07/16/announcing-phased-plan-to-retire-select-plus-due-to-world-wide-mpsa-availability.aspx

Select Plus agreements are expected to disappear for good. This would happen in two stages:
  • From 1 July 2015, it would no longer be possible to sign a new Select Plus agreement.
  • From 1 July 2016, it would no longer be possible to place new orders under a Select Plus agreement. Existing agreements would in principle be “migrated” to MPSA agreements (unless MPSA is not available in the country). SA benefits acquired under those agreements would also be retained.
http://blogs.technet.com/b/volume-licensing/archive/2014/07/16/mpsa-adds-software-assurance.aspx

With Win7-W2008 R2 you can configure audit subcategories using Group Policy; look under Security Settings\Advanced Audit Policy.

Whether you apply advanced audit policy by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy settings can cause unexpected results.

To see the full syntax for this command run “auditpol /?” at the command line.

To get a listing of all categories and their subcategories, run:

auditpol /list /subcategory:*

To display the current audit policy for all subcategories run:

auditpol /get /category:*

Here’s an example of enabling the File System subcategory for success and failure:

AUDITPOL /SET /SUBCATEGORY:"file system" /SUCCESS:ENABLE /FAILURE:ENABLE

Best Practices:

  • Do not use Local Security Policy
  • Do not use auditpol /set
  • Use group policy objects in AD to configure audit policy
  • Always enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” and, for Win2008R2+ systems, ignore the 9 legacy audit categories.
  • Configure all of the advanced audit policy subcategories even if it is just to explicitly disable them
  • Do not use Local Security Policy, Group Policy Results Wizard, RSOP or gpresults to verify what your true audit policy is
  • Use only “auditpol /get /category:*” to verify what your true audit policy is on a given system
  • Monitor for 4719 where the user is not the system itself. This indicates someone is temporarily overriding your official audit policy defined in AD GPOs.

More information:

AuditPol Help: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx

Planning and Deploying Advanced Security Audit Policy: http://technet.microsoft.com/en-us/library/ee513968%28v=ws.10%29.aspx

Details about advanced security audit settings: http://technet.microsoft.com/fr-fr/library/dd772712(v=ws.10).aspx

AD DS Auditing Step-by-Step Guide : http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx

Advanced Security Auditing FAQ : http://technet.microsoft.com/en-us/library/ff182311%28v=ws.10%29.aspx

TIP:  You cannot deploy advanced security audit policy settings to Windows Server 2008 R2 Server Core: http://support.microsoft.com/kb/2477932

Recommended Settings for Windows Domains

Here is my selection of security audit settings after tests and validation:

Category/Subcategory                        Setting
System
  Security System Extension                 Success and Failure
  System Integrity                          Success and Failure
  IPsec Driver                              No Auditing
  Other System Events                       Success and Failure
  Security State Change                     Success and Failure

Logon/Logoff
  Logon                                     Success and Failure
  Logoff                                    Success and Failure
  Account Lockout                           Success and Failure
  IPsec Main Mode                           No Auditing
  IPsec Quick Mode                          No Auditing
  IPsec Extended Mode                       No Auditing
  Special Logon                             Success and Failure
  Other Logon/Logoff Events                 Success and Failure
  Network Policy Server                     Success and Failure

Object Access
  File System                               Success and Failure
  Registry                                  Success and Failure
  Kernel Object                             Success and Failure
  SAM                                       No Auditing
  Certification Services                    Success and Failure
  Application Generated                     Success and Failure
  Handle Manipulation                       No Auditing
  File Share                                Success and Failure
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing

Privilege Use
  Sensitive Privilege Use                   No Auditing
  Non Sensitive Privilege Use               No Auditing
  Other Privilege Use Events                No Auditing

Detailed Tracking
  Process Termination                       Success and Failure
  DPAPI Activity                            Success and Failure
  RPC Events                                Failure
  Process Creation                          Success and Failure

Policy Change
  Audit Policy Change                       Success and Failure
  Authentication Policy Change              Success and Failure
  Authorization Policy Change               Success and Failure
  MPSSVC Rule-Level Policy Change           No Auditing
  Filtering Platform Policy Change          No Auditing
  Other Policy Change Events                No Auditing

Account Management
  User Account Management                   Success and Failure
  Computer Account Management               Success and Failure
  Security Group Management                 Success and Failure
  Distribution Group Management             Success and Failure
  Application Group Management              Success and Failure
  Other Account Management Events           Success and Failure

DS Access
  Directory Service Changes                 Success and Failure
  Directory Service Replication             Failure
  Detailed Directory Service Replication    Failure
  Directory Service Access                  Success and Failure

Account Logon
  Kerberos Service Ticket Operations        Failure
  Other Account Logon Events                Success and Failure
  Kerberos Authentication Service           Failure
  Credential Validation                     Success and Failure
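As an added example (not from the original post), this Python script applies the best practice above of trusting only auditpol /get /category:* to learn the effective policy: it parses that command's output and reports every subcategory that deviates from the recommended settings table. The auditpol output embedded below is constructed sample data in the layout the command prints; the recommended values are a subset of the table above, and the function names are assumptions for the illustration.

```python
import re

# Subset of the "Recommended Settings for Windows Domains" table above.
RECOMMENDED = {
    "Security System Extension": "Success and Failure",
    "System Integrity": "Success and Failure",
    "IPsec Driver": "No Auditing",
    "Logon": "Success and Failure",
    "Logoff": "Success and Failure",
    "Account Lockout": "Success and Failure",
    "Special Logon": "Success and Failure",
    "Process Creation": "Success and Failure",
    "RPC Events": "Failure",
    "Audit Policy Change": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Security Group Management": "Success and Failure",
    "Directory Service Changes": "Success and Failure",
    "Kerberos Authentication Service": "Failure",
    "Credential Validation": "Success and Failure",
}

# Constructed sample of what `auditpol /get /category:*` prints on a member server.
SAMPLE_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success and Failure
  Account Lockout                         No Auditing
  Special Logon                           Success and Failure
Detailed Tracking
  Process Creation                        Success and Failure
  RPC Events                              Failure
Policy Change
  Audit Policy Change                     Success and Failure
Account Management
  User Account Management                 Success and Failure
  Security Group Management               Success
DS Access
  Directory Service Changes               Success and Failure
Account Logon
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
"""

# Subcategory rows are indented by two spaces; category rows are not.
ROW = re.compile(r"^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")

def parse_auditpol(text):
    """Map each subcategory name in auditpol output to its effective setting."""
    policy = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy

def check_policy(policy, recommended=RECOMMENDED):
    """Return (subcategory, expected, actual) for each deviation from the
    recommendation; a subcategory absent from the output is reported as '<missing>'."""
    deviations = []
    for subcategory, expected in recommended.items():
        actual = policy.get(subcategory, "<missing>")
        if actual != expected:
            deviations.append((subcategory, expected, actual))
    return deviations

if __name__ == "__main__":
    for subcategory, expected, actual in check_policy(parse_auditpol(SAMPLE_OUTPUT)):
        print(f"{subcategory}: expected '{expected}', effective '{actual}'")
```

auditpol prints subcategory names in the system's display language, so the names in RECOMMENDED must match that language when the check runs on a non-English host.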