
Office 365 Advanced Threat Protection

Written by: Simon Öhman
October 31, 2018

There are three ATP policies available for your Office 365 environment in the Security & Compliance portal (https://protection.office.com). I will explain what these policies are and how to set them up.

ATP anti-phishing

What is ATP anti-phishing? It checks incoming messages for indicators that the message may be phishing. Incoming messages are evaluated by multiple machine-learning models that analyse the message, determine whether the policy applies to it, and take the appropriate action based on the configured policy. ATP also learns how each user communicates with people inside and outside the organization and builds a relationship map; using this map, ATP can tell when a message is trying to impersonate a user in the organization.

How do you set up an anti-phishing policy in your Office 365 environment? On the ATP anti-phishing page, choose to create a new policy; here you first name it and choose who the policy applies to. Once the policy is created, more settings become available, as shown in the picture below. Here we have protected a user from impersonation, but it could be a specific domain instead. Only 60 internal and external users can be protected from impersonation, so preferably these should be high-ranking people in the organization, e.g. the CEO or CFO.

Two actions have been configured: when an email is sent by an impersonated user or domain, the attempt is forwarded to another mailbox. Safety tips can also be shown when a user receives email with unusual characters, or from impersonated domains or users. Mailbox intelligence is the function that maps the users to determine whether one user has been impersonated by another. We can also add trusted senders and domains that will not be classified as impersonation attacks. When someone tries to spoof the domain, we move the message to the recipient's junk folder; we could also quarantine the message.
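The same anti-phishing policy, created with Exchange Online PowerShell instead of the portal, as an added example that is not code from the original post. It assumes the ExchangeOnlineManagement module; the policy name, user names, addresses and domains are placeholders for your own tenant.

```powershell
# Added example, not code from the original post: the anti-phishing policy from
# the walkthrough above created with Exchange Online PowerShell rather than the
# portal. Assumes the ExchangeOnlineManagement module; names, addresses and
# domains are placeholders for your tenant.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = 'Executive impersonation protection'

# Users to protect are given as "DisplayName;address"; the list is capped at 60 entries,
# so spend them on the people most worth impersonating (CEO, CFO, payroll, ...).
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',
    'John Roe;john.roe@contoso.com'
)

# Impersonated user/domain -> redirect to a review mailbox; spoofed domain -> junk folder.
New-AntiPhishPolicy -Name $policyName `
    -AdminDisplayName 'Impersonation and spoof protection for executives' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Redirect `
    -TargetedUserActionRecipients 'phish-review@contoso.com' `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'partnerbank.example' `
    -TargetedDomainProtectionAction Redirect `
    -TargetedDomainActionRecipients 'phish-review@contoso.com' `
    -EnableMailboxIntelligence $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -ExcludedSenders 'newsletter@partner.example' `
    -ExcludedDomains 'partner.example' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf

# The rule scopes the policy; here to every recipient in the domain.
New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName -RecipientDomainIs 'contoso.com'

# Verify what was written
Get-AntiPhishPolicy -Identity $policyName | Format-List Enable*, Targeted*, Excluded*, AuthenticationFailAction
```

Keep the excluded senders and domains list short and review it: every entry there is a sender the impersonation checks will never flag, so it is the first place an attacker would want to end up.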

ATP Safe Attachment

What is ATP Safe Attachments? It protects against malicious attachments by opening them in a virtual environment before the user receives the attachment; if the attachment is determined to be malicious, it is removed from the email. ATP Safe Attachments can also cover files in SharePoint, OneDrive and Microsoft Teams. If a malicious file is uploaded to one of these and a link to the file is shared, the file cannot be opened, which prevents other users from being infected by it.

How do you set up a Safe Attachments policy in your Office 365 environment? Start by naming the policy something appropriate. Then choose an action; in the example below, Dynamic Delivery is used, where the message is delivered without the attachment and the attachment is reattached after the scan is complete. We can also redirect attachments to another email address when malware is detected, or if the scan times out or errors occur. As with the other ATP policies, we apply it to a specific user here, but it can be applied to a domain or group. On this policy page we can also enable ATP for SharePoint, OneDrive and Microsoft Teams.
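The Safe Attachments setup above done with Exchange Online PowerShell, as an added example that is not code from the original post. It assumes the ExchangeOnlineManagement module; policy name, mailbox and user addresses are placeholders.

```powershell
# Added example, not code from the original post: the Safe Attachments policy from
# the walkthrough above created with Exchange Online PowerShell. Assumes the
# ExchangeOnlineManagement module; names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = 'Safe Attachments - dynamic delivery'

# Action DynamicDelivery: the body is delivered at once with a placeholder attachment,
# and the real attachment is reattached once detonation finishes.
# Redirect sends detected malware (and, with ActionOnError, attachments whose scan
# timed out or failed) to a review mailbox instead of silently dropping them.
New-SafeAttachmentPolicy -Name $policyName `
    -AdminDisplayName 'Detonate attachments, deliver the body first' `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress 'malware-review@contoso.com' `
    -ActionOnError $true

# Scope: the page applies it to one user; a group or domain works the same way
# (-SentToMemberOf / -RecipientDomainIs).
New-SafeAttachmentRule -Name "$policyName rule" -SafeAttachmentPolicy $policyName -SentTo 'anna@contoso.com'

# Tenant-wide switch for SharePoint, OneDrive and Teams files (not per policy).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify
Get-SafeAttachmentPolicy -Identity $policyName | Format-List Enable, Action, Redirect, RedirectAddress, ActionOnError
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
```

The redirect mailbox receives live malware samples, so treat it as a quarantine: restrict who can read it and do not auto-forward from it. Dynamic Delivery also means the message body reaches the user before the verdict, so the text of a phishing mail still arrives; only the attachment is held back.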

ATP Safe Links

What is ATP Safe Links? It protects users from malicious links in email and in Word, Excel, PowerPoint and Visio documents. When a user receives a mail, it first passes through Exchange Online Protection, where IP and envelope filters, signature-based malware protection, anti-spam and anti-malware filters are applied. When the user then clicks a link in the mail, ATP Safe Links checks the URL at click time, before the website opens, and the URL is identified as blocked, malicious or safe. Because the check happens at click time, a URL that was clean at delivery and weaponised afterwards is still caught, which a delivery-time filter alone cannot do.

How do you set up a Safe Links policy in your Office 365 environment? Go to Threat management > Policy, where you find all the security policies available in Office 365. First, we define a policy for the entire organisation by editing the default policy. Start by choosing which domains and subdomains to block; in the example below, the domain idg.se is blocked for all users.

When a user tries to access the blocked URL, the message below pops up and blocks the user from continuing to the site.

If some users or groups need to access a globally blocked URL, a policy that applies to specific email recipients can be created. In the policy below, a single user can access the otherwise blocked URL, and the URL is not rewritten for that user. A recipient policy also lets you specify in more detail how Safe Links is applied than the global policy, which is more of a blanket block list.
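Both halves of the Safe Links setup above (the global block list and the recipient policy that exempts one user) in Exchange Online PowerShell, as an added example that is not code from the original post. It assumes the ExchangeOnlineManagement module; the policy name and the analyst's address are placeholders.

```powershell
# Added example, not code from the original post: the Safe Links setup described
# above done with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module; user, domain and policy names are placeholders for your tenant.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Global block list (the default policy on the page): idg.se is blocked for everyone.
#    Newer tenants manage blocked URLs in the Tenant Allow/Block List instead:
#    New-TenantAllowBlockListItems -ListType Url -Block -Entries 'idg.se'
Set-AtpPolicyForO365 -BlockUrls 'idg.se', '*.idg.se'

# 2. Recipient-specific policy that lets one user through and leaves the URL unrewritten.
$policyName = 'Safe Links - analyst exception'
New-SafeLinksPolicy -Name $policyName `
    -AdminDisplayName 'Time-of-click protection with idg.se exempted' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -DoNotRewriteUrls 'idg.se', '*.idg.se'

# The rule decides who the policy applies to; a single recipient here.
New-SafeLinksRule -Name "$policyName rule" -SafeLinksPolicy $policyName -SentTo 'analyst@contoso.com'

# Verify
Get-SafeLinksPolicy -Identity $policyName | Format-List EnableSafeLinksFor*, ScanUrls, AllowClickThrough, DoNotRewriteUrls
Get-SafeLinksRule -Identity "$policyName rule" | Format-List SentTo, State
```

An entry in DoNotRewriteUrls removes that URL from time-of-click protection entirely for the users the rule covers, not just from rewriting, so keep the patterns as narrow as the business need and scope the rule to the people who actually have it.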

 

Posted in: Office 365 | Security



Azure Information Protection – Protect all documents from unauthorized users!

Written by: Simon Öhman
July 9, 2018

AIP should be used by all companies to protect their valuable documents and e-mail, as the massive document leaks from several companies in recent years have shown.

What is AIP? It lets you classify documents with labels appropriate to the content they contain. The labels can be customised so that only users in your domain, or one specific person, can read the content.

AIP uses the existing Azure Rights Management, which is already integrated with the cloud services Office 365 and Azure Active Directory; data is protected by encryption, identity and authorization policies.

What can be done with AIP? Start by setting a policy and choosing whether it applies to the whole tenant or to a specific group. In the policy settings you can control how the labels are presented to users, for example whether users must choose a label before they can send an e-mail.

Then define which labels and sub-labels the organization needs. Microsoft's defaults are the labels Personal, Public, General, Confidential and Highly Confidential. As an example, we can create a sub-label under Highly Confidential that is applied automatically when a user writes a personal identity number or a credit card number.

With that label the e-mail can only be read for one day, and we decide who can read it: the recipient of the mail, or a group of users configured for this label. This keeps the confidential information from ending up in the wrong hands.
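The automatic condition above ("a personal identity number or a credit card number") works because both number types carry a Luhn check digit, so a classifier can reject random ten-digit numbers. The script below is an added example, not code from the original post and not Microsoft's own AIP implementation: it shows the kind of check behind such a condition and which label it would suggest. The label names and the sample text are constructed for the example.

```powershell
# Added example, not from the original post or from Microsoft's AIP implementation.
# It shows the kind of check behind an automatic-labeling condition: scan text for
# Swedish personal identity numbers (personnummer) and payment card numbers, and
# only count a candidate when its check digit verifies with the Luhn algorithm,
# which both number types use. The label names are placeholders.

function Test-Luhn {
    param([Parameter(Mandatory)][string]$Digits)
    if ($Digits -notmatch '^\d+$') { return $false }
    $sum = 0
    $double = $false
    # Walk from the rightmost digit and double every second one
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-SensitiveNumbers {
    param([Parameter(Mandatory)][string]$Text)
    $hits = @()
    # Personnummer: YYMMDD-NNNC or YYYYMMDD-NNNC; the separator may be "-", "+" or absent.
    # The Luhn check always runs over the ten-digit form (century digits excluded).
    foreach ($m in [regex]::Matches($Text, '\b(\d{2})?(\d{6})[-+]?(\d{4})\b')) {
        $tenDigits = $m.Groups[2].Value + $m.Groups[3].Value
        $mm = [int]$tenDigits.Substring(2, 2)
        $dd = [int]$tenDigits.Substring(4, 2)
        if ($mm -ge 1 -and $mm -le 12 -and $dd -ge 1 -and $dd -le 31 -and (Test-Luhn $tenDigits)) {
            $hits += [pscustomobject]@{ Type = 'Personnummer'; Value = $m.Value }
        }
    }
    # Card numbers: 13 to 19 digits, optionally grouped with spaces or hyphens.
    foreach ($m in [regex]::Matches($Text, '\b(?:\d[ -]?){12,18}\d\b')) {
        $digits = $m.Value -replace '[ -]', ''
        if (Test-Luhn $digits) {
            $hits += [pscustomobject]@{ Type = 'CardNumber'; Value = $m.Value }
        }
    }
    return $hits
}

function Get-SuggestedLabel {
    param([Parameter(Mandatory)][string]$Text)
    $hits = Find-SensitiveNumbers -Text $Text
    # Sub-label under Highly Confidential, as in the post; names are placeholders
    if ($hits.Count -gt 0) { return 'Highly Confidential\Personal data' }
    return 'General'
}

# Constructed sample text: 811218-9876 is the Swedish Tax Agency's documentation
# example number, 4111 1111 1111 1111 is a well-known test card number, and
# 811218-9877 and 1234567890 are there to show what is NOT flagged.
$sample = @"
Customer: Anna, personal identity number 811218-9876. Invalid number: 811218-9877.
Card: 4111 1111 1111 1111, expires 12/25.
Order number 1234567890 must not be flagged.
"@

Find-SensitiveNumbers -Text $sample | Format-Table
Get-SuggestedLabel -Text $sample
```

Running it lists two hits (the personnummer and the card number) and suggests the Highly Confidential sub-label; the number with the wrong check digit and the order number are ignored. In AIP the equivalent is a sensitive information type attached to the label condition; the point of the check digit is the same there: fewer false positives, so users stop clicking the label away.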

 

A useful tool is the Azure RMS portal, where you can track your protected documents and see where in the world a document has been opened and how it has been shared. As a global admin you can track all documents in your organization and revoke access if a document has ended up in the wrong hands. Note that revocation takes effect the next time a client asks the service for a use licence; a copy already opened offline stays readable until its offline access period runs out.

How do you get to use AIP? You need an Enterprise Mobility + Security E3 licence, or an Office 365 subscription that includes Azure Rights Management.

Posted in: Azure | Security



Think breach!

Written by: Tero Kinnunen
June 14, 2018

How should you act if you are hit by a hacker attack or an intrusion?

These days you need to do more than just stop the virus; advanced attacks often consist of several different parts.
The key is to detect, investigate and respond to these attacks.

In penetration tests carried out by security companies, the customers detected at most 30% of the damage the security company had caused during the attack.
So what had the security companies done in their tests?

  • Obtained passwords for administrator accounts, service accounts and user accounts.
  • Planted viruses and trojans.
  • Obtained and altered information in important documents.
  • Phishing attacks
  • Used social engineering

This is a small part of what an attacker can use in an attack. The better planned the attack and the more resources the attacker has, the harder it is to defend against.

How do you protect yourself, and where do you start?

Simply put, you analyse what needs to be protected and which risks exist, and based on that you create plans for how to protect it. You should also have appointed who is responsible and what authority they have.

Preventive functions and measures you can use include:

  • Antivirus protection of various kinds
  • Windows Defender Advanced Threat Protection
  • Office 365 Advanced Threat Protection
  • Azure Advanced Threat Protection
  • Training for staff.
  • Keeping programs, operating systems, firewalls and antivirus protection up to date.
  • Using the security features that may exist in applications and programs to protect against attacks.
  • A password policy that states what passwords must look like and when they must be changed.
  • Multi-factor authentication
  • Logging of what happened during the attack, and making sure files are protected by encryption and that they can be traced.
  • AppLocker
  • BitLocker

There are of course many more things you can do, but it depends on the business and what protection you need. The challenge is usually to build protection that is good enough for your business while the people who actually use the IT environment, the users, do not feel that it gets in the way of their work.

But the most important thing is to be prepared for the possibility of being attacked. Are you?

An important part is that the people who are subjected to these attacks have the right training so that they can understand and minimise the damage; there should be plans for how to act when an attack happens, they should know who is responsible and what authority they have, and they should have the right tools to defend themselves during an attack.

We at Molnbolaget know IT security and can help you build protection against these attacks.

Be safe out there!

Posted in: Public Cloud | Security



Periodic backup and restore in Service Fabric standalone (Preview)

Written by: Andreas Andersson
April 30, 2018

In this blog post I will go through how to set up backup and restore for Service Fabric standalone (on-premises) to a file share.

First we need to run Service Fabric runtime version 6.2.262.9494, so we start by upgrading the cluster. To do that we first need to connect to the cluster. In this example I use Windows as the ClusterCredentialType instead of a certificate, but it works either way.

 

Connect to the cluster:

Connect-ServiceFabricCluster -ConnectionEndpoint 'localhost:19000' -WindowsCredential

Check the available versions and note the version number:

Get-ServiceFabricRuntimeSupportedVersion -Latest

 

Start the upgrade:

Start-ServiceFabricClusterUpgrade -Code -CodePackageVersion 'Version' -UnmonitoredAuto

Monitor the upgrade with Get-ServiceFabricClusterUpgrade; it should show UpgradeState: RollingForwardCompleted when done.

 

After the cluster is upgraded to at least version 6.2 we need to change some things in the cluster configuration. Open your current cluster configuration if you have it saved (you should), or get it from the cluster itself with this command:

Get-ServiceFabricClusterConfiguration

 

Enabling Backup and Restore service

Open the cluster configuration in your favourite editor and check that apiVersion is 10-2017; if not, update it. Also remember to bump clusterConfigurationVersion, otherwise the configuration upgrade is rejected, as the cluster does not accept the same version as before. It should look something like this:

{
  "apiVersion": "10-2017",
  "name": "CLUSTERNAME",
  "clusterConfigurationVersion": "1.0.0",
  ...
}

We then need to add the Backup Restore Service, which we do by adding the addonFeatures entry from the snippet below.

"properties": {
  "addonFeatures": ["BackupRestoreService"],
  "fabricSettings": [ ... ]
}

If you use or plan to use an X.509 certificate, you also need to add the certificate thumbprint, as in this snippet. The Backup Restore Service uses this certificate to encrypt the secrets it stores, such as the credentials for the backup storage, so the certificate must be installed on every node.

"properties": {
  "addonFeatures": ["BackupRestoreService"],
  "fabricSettings": [{
    "name": "BackupRestoreService",
    "parameters": [{
      "name": "SecretEncryptionCertThumbprint",
      "value": "[Thumbprint]"
    }]
  }]
}

 

When you have done this, save the file and update your cluster configuration. Connect to the cluster if you are not already connected:

Connect-ServiceFabricCluster -ConnectionEndpoint 'localhost:19000' -WindowsCredential

Once you are connected, start the configuration upgrade:

Start-ServiceFabricClusterConfigurationUpgrade -ClusterConfigPath 'Path to config file'

Monitor the upgrade progress with this cmdlet; it should show RollingForwardCompleted when done:

Get-ServiceFabricClusterConfigurationUpgradeStatus

 

You can now check in Service Fabric Explorer that BackupRestoreService is listed under System:

http://localhost:19080/Explorer/index.html

Create a backup policy

Now we need to create a backup policy for our application:

$ScheduleInfo = @{
    Interval     = 'PT15M'
    ScheduleKind = 'FrequencyBased'
}

$StorageInfo = @{
    Path        = '\\172.21.3.182\BackupRestoreService'
    StorageKind = 'FileShare'
}

$BackupPolicy = @{
    Name                  = 'GettingStartedApplication'
    MaxIncrementalBackups = 20
    Schedule              = $ScheduleInfo
    Storage               = $StorageInfo
}

$body = ConvertTo-Json $BackupPolicy
$url = 'http://localhost:19080/BackupRestore/BackupPolicies/$/Create?api-version=6.2-preview'
Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType 'application/json' -Credential (Get-Credential)

 

This policy takes a backup every 15 minutes, with at most 20 incremental backups between two full backups. The account the cluster nodes run as (or the credentials you put in the storage description) needs read and write access to the share, and anyone who can write there can tamper with or delete the backups, so restrict the share and NTFS permissions to that identity.

In Invoke-WebRequest I pass -Credential (Get-Credential) since the cluster uses Windows as its credential type; on a certificate-secured cluster, replace -Credential (Get-Credential) with -CertificateThumbprint 'Thumbprint'.

 

Enable the backup policy

Now we need to enable the backup policy for our application. The application I am using is called fabric:/GettingStartedApplication, so the name used in the URL is just GettingStartedApplication (we use the application name in the URL from this point on), together with the name of the policy we created earlier.

$BackupPolicyReference = @{
    BackupPolicyName = 'GettingStartedApplication'
}

$body = ConvertTo-Json $BackupPolicyReference
$url = 'http://localhost:19080/Applications/GettingStartedApplication/$/EnableBackup?api-version=6.2-preview'
Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType 'application/json' -Credential (Get-Credential)

As before, replace -Credential (Get-Credential) with -CertificateThumbprint 'Thumbprint' on a certificate-secured cluster.

The policy is triggered after 15 minutes, and you should then see the backup in the file share we specified earlier:

List the backups

You can now list the backups with PowerShell (again, use -CertificateThumbprint 'Thumbprint' instead of -Credential on a certificate-secured cluster):

$url = 'http://localhost:19080/Applications/GettingStartedApplication/$/GetBackups?api-version=6.2-preview'
$response = Invoke-WebRequest -Uri $url -Method Get -Credential (Get-Credential)
$BackupPoints = ConvertFrom-Json $response.Content
$BackupPoints.Items

Restore Partition

To restore a partition we need two values from the backup list above: BackupId and BackupLocation. The BackupLocation also tells us which service and which partition ID the backup belongs to. Note that a restore replaces the partition's current state with the contents of the backup.

In my example I will use StatefulBackendService from the application GettingStartedApplication.

$StorageInfo = @{
    Path        = '\\172.21.3.182\BackupRestoreService'
    StorageKind = 'FileShare'
}

$BackupInfo = @{
    BackupId       = 'f5367d0f-58f1-45d3-bf3b-b3cb7a7cfae8'
    BackupLocation = 'GettingStartedApplication\StatefulBackendService\fd9a836b-6218-44c6-b612-3d90fb484dc0\2018-04-27 13.42.42.zip'
    BackupStorage  = $StorageInfo
}

$body = ConvertTo-Json $BackupInfo
$url = 'http://localhost:19080/Partitions/fd9a836b-6218-44c6-b612-3d90fb484dc0/$/Restore?api-version=6.2-preview'
Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType 'application/json' -Credential (Get-Credential)

As before, use -CertificateThumbprint 'Thumbprint' instead of -Credential on a certificate-secured cluster.

 

Monitor restore progress

To monitor the progress, send a GET for the partition ID we restored. The RestoreState is Accepted or RestoreInProgress while the restore is running, and Success, Failure or Timeout when it has finished.

$url = 'http://localhost:19080/Partitions/fd9a836b-6218-44c6-b612-3d90fb484dc0/$/GetRestoreProgress?api-version=6.2-preview'
$response = Invoke-WebRequest -Uri $url -Method Get -Credential (Get-Credential)
$RestoreProgress = ConvertFrom-Json $response.Content
$RestoreProgress.RestoreState

As before, use -CertificateThumbprint 'Thumbprint' instead of -Credential on a certificate-secured cluster.
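The list, restore and monitor steps above combined into one script, as an added example that is not code from the original post. It wraps the REST calls in functions so the same script works with Windows or certificate authentication, picks the newest backup of a service from the GetBackups result instead of copying a BackupId by hand, and polls the restore until it reaches a final state. The gateway address, share path, application and service names are placeholders taken from the walkthrough.

```powershell
# Added example, not code from the original post. It wraps the REST calls used
# above in functions so one script works for both Windows and certificate
# authentication, selects the newest backup of a service automatically, and
# polls the restore until it reaches a final state instead of checking by hand.
# Gateway address, share path, application and service names are placeholders.

$Gateway   = 'http://localhost:19080'
$ApiVer    = 'api-version=6.2-preview'
$SharePath = '\\172.21.3.182\BackupRestoreService'

# Pick one authentication method; the hashtable is splatted into every request.
$Auth = @{ Credential = (Get-Credential) }
# $Auth = @{ CertificateThumbprint = 'THUMBPRINT' }

function Invoke-SfApi {
    param([string]$Method, [string]$Path, $Body)
    $request = @{ Uri = "$Gateway$Path"; Method = $Method; ContentType = 'application/json'; UseBasicParsing = $true } + $Auth
    if ($Body) { $request.Body = $Body | ConvertTo-Json -Depth 5 }
    $response = Invoke-WebRequest @request
    if ($response.Content) { return $response.Content | ConvertFrom-Json }
}

function Get-LatestBackup {
    param([string]$Application, [string]$Service)
    # GetBackups returns every backup of the application; keep one service and take the newest.
    $items = (Invoke-SfApi -Method Get -Path "/Applications/$Application/`$/GetBackups?$ApiVer").Items
    $items | Where-Object { $_.ServiceName -eq "fabric:/$Application/$Service" } |
        Sort-Object { [datetime]$_.CreationTimeUtc } -Descending | Select-Object -First 1
}

function Restore-SfPartition {
    param($Backup, [int]$TimeoutSeconds = 600)
    # The backup item carries the partition it came from, so no ID has to be copied by hand.
    $partitionId = $Backup.PartitionInformation.Id
    $body = @{
        BackupId       = $Backup.BackupId
        BackupLocation = $Backup.BackupLocation
        BackupStorage  = @{ StorageKind = 'FileShare'; Path = $SharePath }
    }
    Invoke-SfApi -Method Post -Path "/Partitions/$partitionId/`$/Restore?$ApiVer" -Body $body | Out-Null

    # Poll until the state leaves Accepted/RestoreInProgress or the deadline passes.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $progress = Invoke-SfApi -Method Get -Path "/Partitions/$partitionId/`$/GetRestoreProgress?$ApiVer"
        Write-Host "Partition $partitionId restore state: $($progress.RestoreState)"
    } while (($progress.RestoreState -in @('Accepted', 'RestoreInProgress')) -and ((Get-Date) -lt $deadline))

    if ($progress.RestoreState -ne 'Success') {
        throw "Restore did not succeed: $($progress | ConvertTo-Json -Depth 5)"
    }
    return $progress
}

$latest = Get-LatestBackup -Application 'GettingStartedApplication' -Service 'StatefulBackendService'
if (-not $latest) { throw 'No backup found for the service' }
Write-Host "Restoring $($latest.BackupLocation) taken $($latest.CreationTimeUtc)"
Restore-SfPartition -Backup $latest
```

The script throws instead of returning quietly when the final state is anything but Success, which is what you want in an automated recovery runbook: a Timeout or Failure must stop the run, because the partition may have been left in an intermediate state that needs a look before anything else is restored.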

Posted in: Service Fabric



Are you protected against ransomware?

Written by: Andreas Andersson
November 28, 2017

Having good protection against ransomware is important today, since an infection can cost a lot of money and time.

Ransomware is a malicious program that typically tries to encrypt all the documents and other files on your computer. The computer then cannot be used, and to get your computer and files back the program demands that you pay a ransom.

On average the cost is around SEK 3,000 per computer, which can become a large cost for a company where many are affected.

And ransomware is becoming increasingly common.

With the Windows 10 Fall Creators Update, released on 17 October 2017, Microsoft introduced several new features, among them some new functions in Windows Defender.

I will go through Controlled folder access, which protects against unknown apps trying to make changes in folders you specify. It therefore protects, among other things, against ransomware trying to encrypt your documents, pictures and much more.

The first thing you need to do is update your Windows 10 device with the Windows 10 Fall Creators Update; after updating Windows you need to enable Controlled folder access.

To enable it you need to open Windows Defender Security Center, which you do as follows:

  1. Select Start > Settings.
  2. Select Update & Security > Windows Defender.
  3. Select Open Windows Defender Security Center.
  4. Select Virus & threat protection and then Virus & threat protection settings.
  5. Turn it on or off under Controlled folder access.

By default Windows protects these folders, but you can add or remove other folders, such as your OneDrive for Business:

  • Documents
  • Pictures
  • Videos
  • Music
  • Desktop
  • Favorites

By default no application is allowed to make changes in the folders on that list. But from this menu you can add programs that are allowed to edit the contents of the protected folders, such as image editing tools, word processors, or cloud services like OneDrive that sync files. Be selective: an allowed application can write anywhere in the protected folders, so only add programs you trust and that actually need it.

An IT administrator can also enable the feature for employees via PowerShell, Group Policy, Intune or their management tools.
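The PowerShell route mentioned above, as an added example that is not code from the original post: it turns Controlled folder access on in audit mode first, adds a folder and an allowed application, and reads back the Defender events so you can see what would have been blocked before switching to enforcement. It uses the built-in Defender cmdlets and must run in an elevated session; the folder and program paths are placeholders.

```powershell
# Added example, not code from the original post: turning on controlled folder access
# with PowerShell (the route the post mentions for IT administrators), adding a
# folder and an allowed application, and reading the resulting events.
# Run elevated. Paths are placeholders; the cmdlets come from the built-in Defender module.

# Start in audit mode to see what would be blocked without breaking anything
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect an extra folder (e.g. OneDrive for Business) beyond the default ones
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Users\anna\OneDrive - Contoso'

# Let one trusted app write to protected folders; keep this list short
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Editor\editor.exe'

# Review the configuration
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

function Get-ControlledFolderAccessEvents {
    # 1123 = blocked, 1124 = audited (would have been blocked), within the last $Hours hours
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

Get-ControlledFolderAccessEvents -Hours 24 | Format-List

# When the audit log shows no legitimate apps being flagged, switch to blocking:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Audit mode is the safe first step on a fleet: 1124 events tell you which line-of-business apps write into protected folders and need an allow entry, so enforcement does not stop people from working on day one.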

The most common way to get infected by ransomware or viruses is via email and downloads from infected websites, so be careful what you click on and keep your computer updated.

Posted in: Security
