Category: Security


I got a request from the IT Security team to block malware DNS queries in the DNS service.

They guided me to follow this link.

https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries 

Example: Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicy" -Action IGNORE -FQDN "EQ,*.onion" -PassThru

Unfortunately, this PowerShell cmdlet is only available on Windows Server 2016 or later.
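As an added example (not from the original post or the Microsoft article), here is a repeatable version of the same policy: it builds the FQDN criterion from a list of patterns, replaces any existing policy of the same name so the script can be re-run, and then verifies the policy with test queries. The policy name and the block patterns are constructed sample values; the script assumes the DnsServer module on a Windows Server 2016 or later DNS server, run from an elevated session on that server.

```powershell
# Added example, not from the original post: create the block-list policy from a list of
# patterns, replace any existing policy of the same name, then verify with test queries.
# Assumptions: Windows Server 2016 or later with the DnsServer module, run as an
# administrator on the DNS server itself; the policy name and patterns are sample values.

$PolicyName      = 'BlockListPolicy'
$BlockedPatterns = @('*.onion', '*.blocked.example')   # constructed sample patterns

# The FQDN criterion is a single string: the operator followed by comma-separated values.
$FqdnCriterion = 'EQ,' + ($BlockedPatterns -join ',')

# Re-running the script must not fail on "policy already exists": drop the old one first.
if (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ErrorAction SilentlyContinue) {
    Remove-DnsServerQueryResolutionPolicy -Name $PolicyName -Force
}

# IGNORE drops matching queries without any response; the client simply sees a timeout.
Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action IGNORE -FQDN $FqdnCriterion -PassThru

# Verify the policy: a name under a blocked pattern must fail, a normal name must still resolve.
foreach ($TestName in @('example.onion', 'www.microsoft.com')) {
    $Answer = Resolve-DnsName -Name $TestName -Server $env:COMPUTERNAME -DnsOnly -ErrorAction SilentlyContinue
    if ($Answer) { "$TestName : resolved" } else { "$TestName : no answer (blocked or unresolvable)" }
}
```

Because IGNORE gives no response at all, the verification query for the blocked name only returns after the resolver's timeout; that delay is expected and is the behaviour clients will see.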

For earlier versions, read these articles:

https://superuser.com/questions/458590/how-to-setup-a-dns-blacklist-whitelist-on-windows-server-2008-r2

https://serverfault.com/questions/513777/prevent-dns-responses-for-specific-domain-completely

A third-party DNS firewall:

https://softati.com/download/dns-firewall/


DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations.

DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It cannot spy on an attacker either, as an EDR or HIDS/HIPS would. It rather provides a forensically relevant snapshot of machines running Microsoft Windows.

Links:

https://dfir-orc.github.io/

https://github.com/DFIR-ORC/dfir-orc

 

Microsoft has released a new PowerShell module to manage Azure Information Protection: AIPService. At the same time, MS is deprecating the previous AIP module, AADRM (on 15 July 2020). https://docs.microsoft.com/en-us/azure/information-protection/install-powershell

https://docs.microsoft.com/en-us/powershell/azure/aip/overview?view=azureipps

 

Reference article:

https://docs.microsoft.com/en-us/office365/admin/add-users/set-password-to-never-expire?view=o365-worldwide

 

# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Warning

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To check whether a user's password will expire

Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserPrincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
} | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
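The warning above is the reason not to pipe every user straight into Set-AzureADUser -PasswordPolicies None: any account whose pwdLastSet is older than 90 days is forced to change its password at the next sign-in. The following added example (not from the original post or the Microsoft article) first produces the report, then re-enables expiration for an explicitly reviewed batch of users with a dry-run switch, so the blast radius is known before anything changes. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the function names and the UPNs in $ReviewedUsers are constructed for this example. The check uses -match instead of -contains because PasswordPolicies is a single string that can hold several values separated by commas (for example "DisablePasswordExpiration, DisableStrongPassword"), and -contains on a string only matches an exact value.

```powershell
# Added example, not from the original post or the Microsoft article.
# Assumptions: the AzureAD module is installed and Connect-AzureAD has been run;
# the function names and the UPNs in $ReviewedUsers are constructed sample values.

function Get-PasswordNeverExpiresReport {
    # One object per user. PasswordPolicies is a comma-separated string, so a substring
    # match is more robust than -contains (which would miss combined values).
    Get-AzureADUser -All $true | Select-Object UserPrincipalName, AccountEnabled, @{
        Name       = 'PasswordNeverExpires'
        Expression = { [bool]($_.PasswordPolicies -match 'DisablePasswordExpiration') }
    }
}

function Set-PasswordExpirationForUsers {
    # Re-enables password expiration for the given users only; -DryRun shows what would change.
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [switch] $DryRun
    )
    foreach ($Upn in $UserPrincipalName) {
        $User = Get-AzureADUser -ObjectId $Upn          # -ObjectId accepts a UPN as well as a GUID
        if (-not ($User.PasswordPolicies -match 'DisablePasswordExpiration')) {
            "$Upn : expiration already enabled, skipping"
            continue
        }
        if ($DryRun) {
            "$Upn : would set -PasswordPolicies None (may force a password change at next sign-in)"
        } else {
            Set-AzureADUser -ObjectId $User.ObjectId -PasswordPolicies None
            "$Upn : expiration re-enabled"
        }
    }
}

# 1. Report first: know how many accounts are affected and keep the evidence.
$Report       = @(Get-PasswordNeverExpiresReport)
$NeverExpires = @($Report | Where-Object PasswordNeverExpires)
"$($NeverExpires.Count) of $($Report.Count) users have password expiration disabled"
$Report | Export-Csv -Path "$env:USERPROFILE\Desktop\ReportPasswordNeverExpires.csv" -NoTypeInformation

# 2. Change a reviewed batch, dry run first, instead of every user at once.
$ReviewedUsers = @('alice@contoso.example', 'bob@contoso.example')   # constructed sample UPNs
Set-PasswordExpirationForUsers -UserPrincipalName $ReviewedUsers -DryRun
# Set-PasswordExpirationForUsers -UserPrincipalName $ReviewedUsers   # run without -DryRun to apply
```

Working in reviewed batches also makes the change easy to correlate with help-desk load: each batch corresponds to a known set of users who may be prompted to change their password.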

 

Reference article:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994558(v=ws.10)

 

 

To configure Intune to enroll devices with internal PKI certificates, with SCCM in co-management mode, first read the articles below:

https://docs.microsoft.com/en-us/intune/certificates-configure

https://docs.microsoft.com/en-us/intune/certificates-scep-configure

https://support.microsoft.com/en-us/help/4459540/troubleshoot-ndes-configuration-for-use-with-intune

https://howtomanagedevices.com/intune/258/intune-certificate-deployment-guide/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2015/02/25/part-4-protecting-ndes-with-azure-ad-application-proxy/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/

 

NDES troubleshooting articles:

https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/

https://docs.microsoft.com/en-us/intune/certficates-pfx-configure

https://blogs.technet.microsoft.com/askds/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates/

https://blog.hosebei.ch/2016/11/28/configmgr-ndes-certificate-deployment-fails-due-to-network-device-enrollment-service-failure/

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Configuring-and-Troubleshooting-PFX-PKCS/ba-p/516450

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

Note: a GitHub script to validate the NDES configuration, Validate-NDESConfiguration.ps1:

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CertificationAuthority

 

 

Azure AD password protection is now generally available:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487

 

Azure AD password protection – how to eliminate bad passwords:

Architecture (also covering on-premises AD domain controllers):

 

Deployment:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

 

Eliminate bad passwords in your organization:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#license-requirements

 

Azure AD Password protection monitoring:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor

 

Azure AD password protection troubleshooting:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot

 

 

https://support.microsoft.com/en-us/help/10065/associating-a-custom-domain-name-and-securing-communication-with-azure

 

 

Microsoft has recently announced the public preview of Azure Active Directory’s passwordless login. This new capability enables your employees to use external security keys to sign into their Azure Active Directory-Joined Windows 10 machines (running version 1809 or higher) and get single sign-on to their cloud resources. They can also sign into Azure AD-connected apps on supported browsers including the latest versions of Microsoft Edge and Mozilla Firefox.

You can learn more about how it works here: https://aka.ms/fido2securitykeys

To help get you started, MS partners are offering promotions so you can try out their solutions:

  1. For a limited time, Yubico is offering complimentary YubiKey Starter Kits to organizations with Microsoft 365 customers who are interested in beginning their passwordless journey. The starter kit includes the YubiKey 5 NFC and YubiKey 5C. You can learn more about Yubico’s promotion here: https://www.yubico.com/passwordlessoffer.
  2. FEITIAN is offering the first 500 Microsoft referred clients limited-time promotional discounts of more than 30% for Fingerprint Biometric Passwordless Security Keys. Visit  http://www.FTSafe.com/AzurePublicPreview.
  3. HID Global will take 10% off the manufacturer’s suggested retail price (MSRP) for orders above 500 Crescendo C2300 cards or the Crescendo Key, until August 16, 2019. Learn more at https://www.hidglobal.com

 

TechNet how-to article:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-enable#enable-new-passwordless-authentication-methods

 

 

Reference:

Authentication policies and authentication policy silos require the Windows Server 2012 R2 domain functional level across the forest.

They are part of the configuration partition (so they are forest-level objects) and are replicated to all domain controllers.

 

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos.md

 

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos#BKMK_HowKerbUsed

 

Videos: