Information protection with EMS [video]

Here’s a new short video from Microsoft that shows how you can protect your organisation’s information, using solutions that are part of the Enterprise Mobility + Security suite, such as Cloud App Security, Intune and Azure Information Protection.

https://www.youtube.com/watch?v=LWlRVHp7sKQ


Posted in AIP, CAS, EMS, Rights Management Services, RMS

ATA Center – Installation failed. Error code: 0x80070002

When I recently installed an ATA Center I encountered the following error message:

Installation failed. Error code: 0x80070002

I got the error message right after entering the Center configuration information.

When looking at the ATA logs (which I unfortunately didn’t save, so I can’t show them here), I eventually saw that the installation had issues finding the setup executable file.

It then hit me.

I had downloaded an ISO-file with the ATA installation media on it. I double-clicked the iso to auto-mount it in Windows, and then ran the Microsoft ATA Center Setup.exe from the mounted drive.

This normally doesn’t cause any issues. But since the .NET Framework wasn’t installed on the server, the ATA Center installation wizard kindly offered to install it for me.

That installation required a reboot of the server.

When I logged in again, the ATA Center installation automatically resumed, but failed with the error above.

Here’s the thing: an ISO mounted by double-clicking it does not stay mounted across a reboot. So the resumed wizard was looking for a virtual drive that no longer existed.

As it turns out, this is a known problem and it is even listed in the ATA Deployment documentation.

Kudos to the ATA team for being clear about this. I do not know how I managed to miss it.

Note that the ATA Center appears to be installed after this error occurs (it shows up as an installed program).

Although it is not (there is no Microsoft Advanced Threat Analytics folder on disk).

Simply uninstall it before trying to install the ATA Center again, otherwise you will get an error message.
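Here is an added example (my own script, not from the original post and not part of the ATA product) that avoids the problem altogether: it decodes the error code, copies the ISO contents to a folder that survives reboots, checks whether the .NET Framework prerequisite is already present, and compares what Programs and Features believes with what is actually on disk. The ISO path and staging folder are placeholders; the setup file name is the one named in the post.

```powershell
# Added example, not from the original post or the ATA product: stage the ATA Center
# media on local disk before running setup, so the installer can still find its files
# after the .NET Framework prerequisite reboots the server.
# Assumptions: $IsoPath and $StagingDir are placeholders; the setup file name is the
# one the post mentions.
param(
    [string]$IsoPath    = 'C:\Downloads\ATA.iso',   # assumed download location
    [string]$StagingDir = 'C:\ATASetup'             # assumed folder on a local, persistent disk
)
$ErrorActionPreference = 'Stop'

# 1. What the error code means: 0x8007xxxx is an HRESULT wrapping a Win32 error code,
#    and the low 16 bits (2 = ERROR_FILE_NOT_FOUND) match "cannot find the file".
$win32Code = 0x80070002 -band 0xFFFF
$message   = [System.ComponentModel.Win32Exception]::new([int]$win32Code).Message
Write-Host ("0x80070002 -> Win32 error {0}: {1}" -f $win32Code, $message)

# 2. Mount the ISO, copy everything to a folder that survives reboots, unmount again.
Mount-DiskImage -ImagePath $IsoPath | Out-Null
$letter = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
try {
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    Copy-Item -Path ("{0}:\*" -f $letter) -Destination $StagingDir -Recurse -Force
} finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}

# 3. Make sure the file the resumed installer will look for is really there.
$setup = Join-Path $StagingDir 'Microsoft ATA Center Setup.exe'
if (-not (Test-Path $setup)) { throw "Setup executable not found under $StagingDir" }

# 4. Report the installed .NET Framework 4.x release, so you know in advance whether
#    the wizard is going to install it (and reboot) before the real installation starts.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if ($ndp) { Write-Host ".NET Framework 4.x release $($ndp.Release) (version $($ndp.Version)) is installed" }
else      { Write-Host 'No .NET Framework 4.x found: expect the wizard to install it and reboot' }

# 5. Compare what Programs and Features believes with what is on disk; this is the
#    mismatch the post describes after the failed installation.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$registered = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
              Where-Object DisplayName -like '*Advanced Threat Analytics*'
$onDisk = Get-ChildItem -Path $env:ProgramFiles -Directory -Filter 'Microsoft Advanced Threat Analytics*' -ErrorAction SilentlyContinue
if ($registered -and -not $onDisk) {
    Write-Warning 'ATA Center is registered as installed but its program folder is missing; uninstall it before retrying.'
}

Write-Host "Run '$setup' from the local copy; a reboot in the middle no longer loses the media."
```

Run it elevated before starting the ATA Center setup; if the last warning fires you are in exactly the state the post describes and should uninstall first.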

Posted in ATA

Quickly find all GPOs with PKI settings

When doing PKI audits, and also when troubleshooting autoenrollment, I want to see whether multiple Group Policies configure contradictory PKI settings.

Instead of manually going through all GPOs I wrote a PowerShell script that lists all GPOs that contain PKI settings, and also singles out those that configure autoenrollment.


The script looks in both the Computer and the User scope of each GPO.

The script uses the cmdlets Get-GPO and Get-GPOReport from the GroupPolicy module, so you need to run it on a computer that has the Group Policy Management feature installed (such as a domain controller) or on a computer with the Remote Server Administration Tools installed.

As always, there is room for improvement. Besides error handling, it could show the actual settings and also where the GPOs are currently linked. Feel free to improve it, and let me know if I can reshare it.

You can view and download the PowerShell script here:
https://1drv.ms/u/s!ApDVTW2lda1rtekXQkWvT-SJTQYlvA

Standard Disclaimer: I am NOT a professional coder. I am not responsible for what this script does. Do a code audit and test it in a test environment before you run it in a sensitive environment.

Please leave any feedback you have as a comment to this post.
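Below is an added example of the same idea (my own code, not the script linked above). It parses the XML report of each GPO, keeps only the Public Key Policies extension in the Computer and User scopes, flags autoenrollment, prints where each GPO is linked, and warns when more than one GPO sets autoenrollment in the same scope. Two details of the report schema are assumptions, since the page does not quote the XML: that the Public Key Policies extension is reported under a schema namespace ending in "/PublicKey", and that its autoenrollment block is an element whose name contains "AutoEnrollment". The sample report at the bottom is constructed and heavily simplified so the parser can be tried offline.

```powershell
# Added example, not the script linked in the post. Assumptions (the report schema is not
# quoted on this page): the Public Key Policies extension lives under a namespace ending in
# "/PublicKey", and its autoenrollment block is an element whose name contains "AutoEnrollment".

function Get-PkiSettingsFromReport {
    # Parses one GPO XML report (the string returned by Get-GPOReport -ReportType Xml).
    param([Parameter(Mandatory)][xml]$Report, [string]$GpoName = 'unnamed')

    # Where the GPO is linked is part of the same report, so no extra query is needed.
    $links = @($Report.GPO.LinksTo | ForEach-Object {
        '{0}{1}' -f $_.SOMPath, $(if ($_.Enabled -eq 'false') { ' (link disabled)' } else { '' })
    }) -join '; '

    foreach ($scope in 'Computer', 'User') {
        $node = $Report.GPO.SelectSingleNode("*[local-name()='$scope']")
        if (-not $node) { continue }
        # Every configured client-side extension sits under <ExtensionData>/<Extension>.
        $extensions = $node.SelectNodes("./*[local-name()='ExtensionData']/*[local-name()='Extension']")
        foreach ($ext in $extensions) {
            if ($ext.NamespaceURI -notmatch '/PublicKey$') { continue }                 # assumption
            $auto = $ext.SelectNodes(".//*[contains(local-name(),'AutoEnrollment')]")   # assumption
            $autoSettings = foreach ($a in $auto) {
                foreach ($child in $a.ChildNodes) { '{0}={1}' -f $child.LocalName, $child.InnerText }
            }
            [pscustomobject]@{
                GpoName           = $GpoName
                Scope             = $scope
                HasAutoEnrollment = ($auto.Count -gt 0)
                AutoEnrollment    = ($autoSettings -join ', ')
                LinkedTo          = $links
            }
        }
    }
}

function Find-PkiGpo {
    # Pulls every GPO in the domain and runs the parser over each report.
    param([string]$Domain = $env:USERDNSDOMAIN)
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        Get-PkiSettingsFromReport -Report $report -GpoName $gpo.DisplayName
    }
}

function Show-PkiConflicts {
    # Two or more GPOs that both set autoenrollment in the same scope deserve a look:
    # the lower-precedence one silently loses.
    param([Parameter(ValueFromPipeline)]$Hit)
    begin { $all = @() }
    process { $all += $Hit }
    end {
        $all | Format-Table GpoName, Scope, HasAutoEnrollment, AutoEnrollment, LinkedTo -AutoSize
        $all | Where-Object HasAutoEnrollment | Group-Object Scope | Where-Object Count -gt 1 | ForEach-Object {
            Write-Warning ('{0} scope: {1} GPOs configure autoenrollment ({2})' -f $_.Name, $_.Count, ($_.Group.GpoName -join ', '))
        }
    }
}

# Offline demonstration on a constructed, heavily simplified report (NOT real Get-GPOReport output):
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>Workstation PKI</Name>
  <LinksTo><SOMName>Workstations</SOMName><SOMPath>corp.example/Workstations</SOMPath><Enabled>true</Enabled></LinksTo>
  <Computer><ExtensionData>
    <Extension xmlns="http://www.microsoft.com/GroupPolicy/Settings/PublicKey" xsi:type="PublicKeySettings">
      <AutoEnrollmentSettings><EnrollCertificatesAutomatically>true</EnrollCertificatesAutomatically></AutoEnrollmentSettings>
    </Extension>
    <Name>Public Key</Name>
  </ExtensionData></Computer>
  <User/>
</GPO>
'@
Get-PkiSettingsFromReport -Report ([xml]$sample) -GpoName 'Workstation PKI' | Show-PkiConflicts
# In a real domain, from a machine with the GroupPolicy module:  Find-PkiGpo | Show-PkiConflicts
```

If the two assumed names do not match your reports, dump one report with `Get-GPOReport -ReportType Xml` for a GPO you know contains Public Key Policies and adjust the two marked lines; everything else is schema-agnostic.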

Posted in Uncategorized

What is Azure Information Protection


One of the security solutions I work with is called Azure Information Protection.

It is Microsoft’s solution for labeling and protecting information and it has some awesome features:

  • Super simple to use for end users: just a click away, or fully automatic (based on location, recipient or content)
  • Access is based on your identity; no static passwords or keys that need to be remembered, shared or managed
  • The information can be encrypted, which keeps the bad guys out
  • You can set policies for what users are allowed to do with the information once they have access, such as printing, copying or forwarding, which makes it easier for the good guys to follow the rules and avoid mistakes
  • The information is labeled in a way that lets other solutions, such as Exchange, SharePoint, Cloud App Security and even third-party DLP services, make decisions based on the label
  • Custom watermarking and header/footer can be added to the information
  • The protection follows the information where ever it goes
  • You can share safely with anyone
  • All file types and most platforms (including Mac, iOS and Android) are supported
  • You can track who accessed your protected information
  • You can remotely revoke a document (without access to the file), making it unreadable for anyone from that point on. Can your current information protection solution do this?
  • Microsoft never needs access to the content of your information; the service handles the authentication and licensing part
  • The team at Microsoft behind this service are not only really nice people, but also really attentive to customer’s needs and have shown remarkable agility in their development
  • I could go on, but I’m sure most of you have stopped reading this list by now and jumped to the video below 🙂

If you want to know more, see this 2-minute overview video, or contact me for further discussions:

Note that this service used to be called Rights Management Services, and the RMS technology is very much still used for the encryption and policy parts. But when Microsoft added the user-friendly labeling part, which can be used for much more than just RMS protection, they renamed it Azure Information Protection. In other words, RMS went from being the front-end solution to being one of the protection actions that can be applied based on the chosen label. Using the RMS features without the labeling is still possible and works just as well.

Posted in AIP, information protection, Rights Management Services, RMS

My two sessions from TechX [in Swedish]

I gave two talks at the TechX conference held at Microsoft headquarters in Stockholm on February 13-17 2017.


The sessions were recorded and are now available to watch on YouTube [see links below]. Note that they are delivered in Swedish.

Both sessions covered the same three security solutions from Microsoft:

  • Windows Defender Advanced Threat Protection
  • Office 365 Advanced Threat Protection
  • Advanced Threat Analytics

I know, they all have very similar names. But they complement each other and protect at different layers: the endpoint (Windows Defender ATP), Office 365 mail and files (Office 365 ATP) and on-premises Active Directory (ATA).

In the first session I talked about what the products actually are. In the second I talked about how to get started with them. Both have demos.

Unfortunately I had sound issues, which was a bummer since I had several embedded videos in my presentation, but hey, that’s life…

Here are the videos:

TechX 2017 – Detektera och förhindra intrång (Detect and prevent intrusions)

TechX 2017 – Hur kommer du igång med WDATP + ATA + Office ATP? (How do you get started with WDATP + ATA + Office ATP?)

Posted in ATA, OATP, TechX, WDATP

Translate Windows messages in other languages

Sometimes I run into error messages in foreign languages, like this French one.

Ok, I admit it, I made the dialog box myself, but the message text is real. And I have no idea what it means.

So, how can I find out what “Le contenu a été bloqué, car il utilise un protocole de chiffrement non sécurisé.” really means? Preferably with the exact wording of the corresponding English message in Windows.

As in most cases, Google is your friend. There are also many online translation services, but since a word can have multiple meanings they might alter the wording, and that can make further troubleshooting searches harder.

But did you know that Microsoft has a Language Portal, where you can search and translate Microsoft official terminology?

The address is https://www.microsoft.com/Language/en-us/Search.aspx

Searching for the message above returns the corresponding official English string.

You can also search translations from English to other languages. The list contains a whopping 115 languages! Did you for instance know that the word administrator is called alábòójútó in Yoruba and umlawuli in isiXhosa?

You do not have to search for the exact string; partial matches work as well. You can also filter your results based on 118 different products, for instance limiting a search for the word administrator to results from the product Intune.

I hope this tip will help others who sometimes have to troubleshoot Windows machines configured with a foreign language.

Posted in Uncategorized

LastPass now also free on mobile devices


The password manager LastPass has always been free to use in your web browser, but they just announced that they will no longer require a paid subscription for accessing your LastPass vault from mobile devices.

If you are not using a password manager yet, there is a chance that you are reusing the same few passwords on all your different websites, and perhaps also keeping them simple and short so that they are easier to remember. Both are really bad ideas.

I can really recommend LastPass for managing all your passwords. I have been a paid subscriber for several years and store hundreds of passwords to websites, Wi-Fi connections, PIN codes and other various secret things there.

There are other alternatives that are equally good. Which one you choose is not the most important thing, just that you start using one.

Remember to use a very long and strong master password. Put some effort into creating and remembering it, and take comfort in the fact that it is (almost) the last password you will ever have to remember. Hence the name of the service.

Don’t forget to activate two-factor authentication, and configure LastPass to log you out when you log on from another browser or device and to log you out after a period of inactivity. Even though a password manager lets you use long, unique passwords everywhere while making life a lot easier for you, if someone gets into your account they have the keys to all your kingdoms.

LastPass can be configured to do a lot of things, and I won’t go through all the features here. But be sure to check it out to increase your identity protection without going insane remembering tons of different complex passwords.

Read more about how LastPass can make your password life a lot easier:
https://lastpass.com/

Source:
https://blog.lastpass.com/2016/11/get-lastpass-everywhere-multi-device-access-is-now-free.html

Posted in Uncategorized

Azure Information Protection client – now with diagnostics!

The Azure Information Protection client was recently updated to version 1.2.4.0.

One of the improvements is a built-in diagnostics tool.

You get to this dialog box by going to the Home tab in an Office application, clicking the Protect icon and then selecting Help and feedback.

This option is not there in the previous version of the client.

When you click the Run diagnostics link a new window appears, and the progress of the diagnostic tests is continuously updated.

You might get prompted to log in with your Azure AD account.

The tests take some time, but it sure takes a lot less time than doing all these tests manually.

When the tests are finished you can click Copy Result and send the output to your helpdesk or to Microsoft support. You can also click Reset to reset the Azure Information Protection client’s settings.

If you choose to perform a reset you will see a couple of confirmation prompts.

I have seen the diagnostic tool get stuck at different stages of testing, but simply closing the result window and re-running the diagnostics has solved it.

You can download the latest version of the Azure Information Protection client with the built-in diagnostic tool here:
https://www.microsoft.com/en-us/download/details.aspx?id=53018

Posted in AIP, information protection, Rights Management Services, RMS

Get free SSL certificates with Let’s Encrypt

I have previously blogged about how you can get a free SSL certificate from the Certification Authority called WoSign, but they have been misbehaving lately (see details here) and some big companies like Apple, Google and Mozilla are actually considering removing the built-in trust for WoSign from their browsers.

So I decided it is time to write a new post, this time using the Certification Authority Let’s Encrypt, which is also a lot less complicated. And still free!

So what is Let’s Encrypt?

It is a free, automated and open certificate authority. The organization behind Let’s Encrypt is the Internet Security Research Group (ISRG), and it has a long list of official sponsors, including several well-known companies, which shows that Let’s Encrypt is a serious player on the market and should be around for a long time.

Let’s Encrypt is already trusted by most browsers today. To achieve this so early on, Let’s Encrypt’s intermediate Certificate Authorities have been cross-signed by IdenTrust. Eventually, when enough browsers trust Let’s Encrypt’s own root natively, they will stand on their own. Read more about the cross-signing here.

The certificate issuance is based on Domain Validation, which means that you have to prove control of a domain name, for example by serving a file with a CA-chosen name and content under that domain name (the http-01 challenge used later in this post). You are then allowed to request a free SSL certificate for that domain name. The protocol used is called ACME (not the best name if you ask me, since it makes me think of the Road Runner cartoons).

The validity period of certificates from Let’s Encrypt is shorter: only 90 days instead of the usual 1-3 years for SSL certificates. Read why here. But since renewal is automatic (and free) it should not be an issue.

There are currently over 8.6 million unexpired certificates issued by Let’s Encrypt. See more statistics here.

Update 2016-10-19: Today they reached 10 million!

In this blog post I chose to use the ACME client letsencrypt-win-simple. It only supports IIS, but it is very simple to use. There are many different clients for different operating systems, web servers and languages that you can choose from.

Note that the certificate will have the Enhanced Key Usages Server Authentication and Client Authentication, which means it can also be used for other things than web servers, such as VPN servers, mail servers, etc.

The steps

First the basic setup. I installed a Windows Server 2016 (as an Azure VM, but that is not really relevant here).

I installed the role Web Server (IIS), no other roles or features are needed.

I created a new web site called certdemo that points to the folder C:\certdemo.

I configured the site binding to use the host name certdemo.tomdemo.se and port 80. The tool scans IIS for bindings with host names, so make sure that the web sites you want to enroll certificates for have a host name configured.

If I browse to that URL I can access the site over HTTP.

But if I try to access it over HTTPS it fails, which is expected since no HTTPS binding or certificate exists yet.

Next, I downloaded the zip file containing letsencrypt-win-simple. The latest version at the time of writing was v1.9.1, about 4 MB.

Extract the files from the zip archive. Do not use a temp folder that might be deleted or that is hard to find: the application will be run regularly from that folder going forward (for the automatic renewals). I chose C:\letsencrypt-win-simple.

Note the file letsencrypt.exe.config; it is referenced later in this post. It contains some settings you may want to modify before running the tool. You can search for that file name in this post to find them.

Run letsencrypt.exe as administrator.

Enter an email address that Let’s Encrypt will use for notifications if a renewal fails. I have not received any unrelated email or spam at that address.

Agree to the Subscriber Agreement by typing Y (after reading it thoroughly, of course).

Now a configuration file and a secret key (the ACME account key) are created. They are used for all certificate requests going forward, so treat that folder as sensitive: whoever has the key can act as your ACME account.

Note: The folder they are stored in can be changed by editing the setting CertificatePath in the file letsencrypt.exe.config before running the tool.

Now I type A to get certificates for all hosts (which in my case is only one).

The Domain Validation is then performed for you automatically:

  • It receives a challenge of type http-01
  • It writes the challenge answer to a file in a new subfolder called \.well-known\acme-challenge
  • It configures IIS to allow that folder to serve files without file extensions
  • It submits the answer
  • When the challenge answer has been validated by Let’s Encrypt, it deletes all the files related to this validation
    Note: You can disable the deletion of these temporary authorization files and folders by editing the setting CleanupFolders in the file letsencrypt.exe.config before running the tool.
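The most common reason for this step to fail is that IIS cannot serve the challenge file (no host-name binding, extensionless files blocked, or a name that does not resolve to a public address). Here is an added pre-flight check (my own script, not part of letsencrypt-win-simple) that does by hand what the tool does: it finds the site bound to the host name, drops a random extensionless file under /.well-known/acme-challenge/ together with a web.config that lets IIS serve extensionless files, fetches it over plain HTTP and cleans up. The host name is the one from this post; the web.config content is my own version of the "serve files without file extensions" step, since the page does not show the tool's exact file.

```powershell
# Added example, not part of letsencrypt-win-simple: verify that the http-01 challenge
# path can really be served before running the client. Assumptions: host name as in the
# post; the web.config below is my own way of allowing extensionless files (the tool's
# exact file is not shown on the page).
param([string]$HostName = 'certdemo.tomdemo.se')
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

# 1. The tool only sees sites whose http binding carries a host name, so find that binding.
$site = Get-Website | Where-Object {
    $_.bindings.Collection | Where-Object { $_.protocol -eq 'http' -and $_.bindingInformation -like "*:80:$HostName" }
} | Select-Object -First 1
if (-not $site) { throw "No IIS site has an http binding on port 80 with host name $HostName" }
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
Write-Host "Site '$($site.name)' serves $HostName from $root"

# 2. Let's Encrypt connects from the internet, so the name must resolve to a public address.
$addresses = (Resolve-DnsName -Name $HostName -Type A).IPAddress
if ($addresses -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)') {
    Write-Warning "$HostName resolves to a private address ($addresses); the CA will not reach it"
}

# 3. Place a random, extensionless token file where the client would, plus a web.config that
#    lets IIS serve extensionless files, then fetch it over plain HTTP like the CA does.
$challengeDir = Join-Path $root '.well-known\acme-challenge'
$token   = -join ((1..32) | ForEach-Object { '0123456789abcdefghijklmnopqrstuvwxyz'[(Get-Random -Maximum 36)] })
$content = "preflight-$token"
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@
$createdDir  = -not (Test-Path $challengeDir)
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
$wroteConfig = -not (Test-Path (Join-Path $challengeDir 'web.config'))
if ($wroteConfig) { Set-Content -Path (Join-Path $challengeDir 'web.config') -Value $webConfig -Encoding UTF8 }
Set-Content -Path (Join-Path $challengeDir $token) -Value $content -NoNewline -Encoding ASCII

try {
    $url  = "http://$HostName/.well-known/acme-challenge/$token"
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    if ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq $content) {
        Write-Host "OK: $url served the expected content; http-01 should succeed"
    } else {
        Write-Warning "Unexpected reply from $url (status $($resp.StatusCode)); check request filtering and MIME types"
    }
} catch {
    Write-Warning "Fetching $url failed: $($_.Exception.Message). A 404 here usually means extensionless files are not served."
} finally {
    # 4. Remove exactly what we created, mirroring the tool's own cleanup step.
    Remove-Item (Join-Path $challengeDir $token) -Force
    if ($wroteConfig) { Remove-Item (Join-Path $challengeDir 'web.config') -Force }
    if ($createdDir)  { Remove-Item (Join-Path $root '.well-known') -Recurse -Force }
}
```

Running the fetch from the server itself proves IIS is configured correctly but not that port 80 is open from the outside; if the script passes and the client still fails validation, look at the firewall or NAT in front of the server.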

Now the client performs the following steps:

  • It creates a certificate request (the private key is generated locally and never leaves your computer)
  • It saves the signed certificate
  • It saves the certificate of the issuing CA (which needs to be installed on the IIS server)
  • It adds the certificate to the computer’s WebHosting certificate store (can be changed, see later in this post)
  • It adds an HTTPS binding to the web site, using the new certificate
  • It creates a Scheduled Task that runs once a day and checks whether the certificate is older than 60 days
    Note: You can modify how many days after issuance renewal shall occur by editing the setting RenewalDays in the file letsencrypt.exe.config before running the tool. Leaving it at 60 gives you 30 days to troubleshoot before the 90 days are up.

Now it asks for credentials for the scheduled task to run as. Use an account that has NTFS write permission on the web site’s root directory, since it will need to answer a challenge on every renewal.

After it had configured the Scheduled Task, I pressed Enter and the command prompt closed.

Now we are done.

The result? Going back to the HTTPS version of my web site (which failed before), it now works, without warnings of any kind.

That’s not too bad, considering it didn’t take long, it will be renewed automatically and it did not cost me a single penny.

Behind the scenes

Ok, let’s look at the changes this tool made to the server.

You can see the installed certificate in the Web Hosting certificate store. That store was introduced with IIS 8 on Windows Server 2012 and is similar to the Personal store, but it was designed to hold a much larger number of SSL certificates without a noticeable impact on server performance, since certificates in it are only loaded into memory on demand.
Note: You can change which store the certificate goes into by editing the setting CertificateStore in the file letsencrypt.exe.config before running the tool. You can also manually move or copy the certificate to other certificate stores after it has been created.

By double-clicking the certificate you can see that it has a validity period of 90 days.

In IIS Manager you can see the new binding using the default port 443,

and verify that the new certificate is configured.

You can see the created Scheduled Task and its corresponding action.

You can also see all the files that were created during enrollment.

Note that the certificate (including its private key) is available here. The .pfx version can be imported on any machine you choose. By default, there is no password set on the .pfx (just leave the password field empty when importing), so anyone who can read that folder can impersonate your site; protect it accordingly. You can set a password for the .pfx file by editing the setting PFXPassword in the file letsencrypt.exe.config before running the tool.
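To turn this "behind the scenes" tour into something you can re-run, here is an added audit script (my own code, not part of letsencrypt-win-simple). It checks the certificate in the WebHosting store (issuer, private key, chain, EKUs, days left), the 443 binding, the renewal task, and every .pfx in the tool's folder: whether it opens with an empty password and who can read it, optionally tightening the ACL to SYSTEM, Administrators and the task account. The host name is the one from this post; the folder holding the .pfx files and the account the scheduled task runs as are parameters you must set, and the task is matched by the wildcard *letsencrypt* because its exact name is not quoted on the page.

```powershell
# Added example, not part of letsencrypt-win-simple: audit what the tool left behind and
# lock down the exported .pfx. Assumptions: $ConfigDir is the tool's storage folder (set it
# to your CertificatePath), $TaskAccount is the account given to the scheduled task, and the
# task name contains "letsencrypt" (not quoted on the page, hence the wildcard).
param(
    [string]$HostName    = 'certdemo.tomdemo.se',
    [string]$ConfigDir   = "$env:APPDATA\letsencrypt-win-simple",   # assumption, adjust
    [string]$TaskAccount = "$env:USERDOMAIN\$env:USERNAME",          # assumption, adjust
    [int]$WarnDays       = 30,
    [switch]$Harden                                                   # rewrite the .pfx ACLs
)
Import-Module WebAdministration

# 1. The certificate: right store, right issuer, private key present, chain builds, lifetime.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
        Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in the WebHosting store" }
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    HasPrivateKey = $cert.HasPrivateKey
    ChainTrusted  = $cert.Verify()        # false means the (cross-signed) chain does not build here
    EKU           = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    DaysLeft      = $daysLeft
} | Format-List
if ($cert.Issuer -notmatch "Let's Encrypt") { Write-Warning "Issuer is not Let's Encrypt: $($cert.Issuer)" }
if ($daysLeft -lt $WarnDays) { Write-Warning "Only $daysLeft days left; the renewal expected after 60 days has not happened" }

# 2. The binding: https on 443 for this host name must point at exactly this certificate.
$binding = Get-WebBinding -Protocol https | Where-Object bindingInformation -like "*:443:$HostName"
if (-not $binding) { Write-Warning "No https binding for $HostName" }
elseif ($binding.certificateHash -ne $cert.Thumbprint -or $binding.certificateStoreName -ne 'WebHosting') {
    Write-Warning "Binding uses $($binding.certificateHash) from store '$($binding.certificateStoreName)', not the newest certificate"
} else { Write-Host "Binding OK: 443 -> $($cert.Thumbprint) (WebHosting)" }

# 3. The renewal task: it must exist and run as an account that can write the challenge files.
$tasks = Get-ScheduledTask | Where-Object TaskName -like '*letsencrypt*'
if (-not $tasks) { Write-Warning 'No scheduled task with "letsencrypt" in its name; renewal will not happen' }
foreach ($t in $tasks) { Write-Host "Task '$($t.TaskName)' runs as $($t.Principal.UserId): $($t.Actions.Execute) $($t.Actions.Arguments)" }

# 4. The .pfx on disk holds the private key; without a PFXPassword the file ACL is its only protection.
$emptyPassword = New-Object System.Security.SecureString
foreach ($pfx in Get-ChildItem -Path $ConfigDir -Filter *.pfx -Recurse -ErrorAction SilentlyContinue) {
    try {
        Get-PfxData -FilePath $pfx.FullName -Password $emptyPassword | Out-Null
        Write-Warning "$($pfx.FullName) opens with an empty password (set PFXPassword in letsencrypt.exe.config)"
    } catch { Write-Host "$($pfx.FullName) is password protected" }

    $acl   = Get-Acl $pfx.FullName
    $broad = $acl.Access | Where-Object { $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' }
    if ($broad) { Write-Warning "$($pfx.Name) is readable by $($broad.IdentityReference -join ', ')" }
    if ($Harden) {
        # Keep only SYSTEM, local Administrators and the task account; stop inheriting the folder's rules.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
        }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($TaskAccount, 'Modify', 'Allow')))
        Set-Acl -Path $pfx.FullName -AclObject $acl
        Write-Host "Hardened ACL on $($pfx.Name)"
    }
}
```

Run it without -Harden first to see the findings, then with -Harden once you have confirmed that the task account is the one the renewal actually runs as (it rewrites the .pfx on renewal, hence Modify rather than Read).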

I hope you found this primer on Let’s Encrypt together with IIS useful.

Please test this before doing it in production, especially if you use a non-English version of the OS, have multiple web sites and/or use non-default ports.

Let me know if you have any questions.

Posted in Uncategorized

Links from my Windows Security and ATA session


A few days ago I spoke about IT security in general, and Advanced Threat Analytics in particular, at Microsoft’s headquarters in Stockholm.

I showed a few sites and was asked to share them. So here they are:

Norse

Norse is a company with over 8 million sensors all over the internet that detect attacks. They visualize the current attacks on a world map, which is available here:
http://map.norsecorp.com/

World’s Biggest Data Breaches

Over a decade of data breaches is visualized in this interactive chart, where you can sort, color code and click for more information:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

‘;–have i been pwned?

Security expert Troy Hunt gathers and verifies credentials from data breaches, and lets you search for your email address to see whether it appears in any of the confirmed breaches. You can also subscribe to alerts if your address appears in a future breach, and if you can prove ownership of a domain you can subscribe to alerts for all addresses in that domain:
https://haveibeenpwned.com/

Shodan

The entire IPv4 address space is continuously scanned for exposed services, and the results are stored in a searchable database. If a bug or weakness is found in a particular software version, every public server running that exact version can be found (and attacked) immediately, which makes quick patching very important:
https://www.shodan.io/

Update 2017-08-04:
Here is another site that tracks major data breaches:
https://www.comparitech.com/blog/information-security/biggest-data-breaches-in-history/

Posted in Uncategorized