Moving from reactive to proactive security

in Azure
Sami Laiho
Senior Technical Fellow, MVP

BRK2096
Sami Laiho
Senior Technical Fellow
Win-Fu.com / Sulava
• IT Admin since 1996
• MCT since 2001
• MVP in Windows OS since 2011
• Specializes in and trains:
• Troubleshooting
• Windows Internals
• Security, Social Engineering, Auditing
• Trophies:
• Ignite 2018 – Session #1 and #2 (out of 1708) !
• Best Speaker at NIC, Oslo 2016, 2017 and 2019
• Best External Speaker at Ignite 2017
• TechDays Sweden 2016, 2018 – Best Speaker
• TechEd Europe and North America 2014 - Best session, Best
speaker
• TechEd Australia 2013 - Best session, Best speaker
• TechEd Europe 2013 - Best Session by an external speaker
I got Certs
2.6 pounds
of them
Windows XP Deep Dive in 2001
Housekeeping
 I’ll exchange business cards for swag!
Contact
• sami@adminize.com
• Twitter: @samilaiho
• If you are not on Twitter get
on Twitter!!
• Blog: http://blog.win-fu.com/
“Make your security better
than others’”
- Mikko Hyppönen, F-Secure
What does the
Cloud change?
Implementing baselines
CIS?
Getting the baselines for 1809 and 2019
 More traditional way:
https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-
final-for-windows-10-v1809-and-windows-server-2019/
 For Intune: https://docs.microsoft.com/en-us/intune/security-baselines
2019

https://docs.microsoft.com/en-us/windows/security/threat
-protection/windows-security-configuration-framework/wi
ndows-security-configuration-framework
Implementing Bitlocker
Implementing least privilege
2015
 Analysis of Microsoft “Patch
Tuesday” Security Bulletins
from 2015
 85% of Critical Microsoft
vulnerabilities would be mitigated
by removing admin rights
 Windows Server
vulnerabilities
 85% were found to be mitigated
by the removal of admin rights
2016 Microsoft Vulnerabilities Study
Key findings  100% of vulnerabilities in Internet
 Of the 189 vulnerabilities in 2016 Explorer and Chrome could be
with a Critical rating, 94% were mitigated by removing admin
concluded to be mitigated by rights
removing administrator rights  99% of vulnerabilities affecting
 66% of all Microsoft Microsoft Office could be
vulnerabilities reported in 2016 mitigated by removing admin
could be mitigated by removing rights
admin rights  93% Critical vulnerabilities
 100% of vulnerabilities impacting affecting Windows 10 could be
Microsoft’s latest browser Edge mitigated by removing admin
could be mitigated rights
Microsoft Vulnerabilities Report 2017
The 2017 report highlights the following key findings:
 Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017.
 95% of Critical vulnerabilities in Microsoft browsers can be mitigated by removing
administrator rights.
 Almost two thirds of all Critical vulnerabilities in Microsoft Office products are mitigated by
removing admin rights.
 88% of all Critical vulnerabilities reported by Microsoft over the last five years would
have been mitigated by removing admin rights.
S*it ‘o’ meter
“75% reduction in tickets after
implementing Least Privilege”
Same as for on-prem
 PolicyPak
 BeyondTrust
Implementing the Tier Model
Mitigating PtH (IAAS)

 Split your environment into three layers (Azure minimum 2 layers)

 Never allow higher layer admins to logon to lower layers

Domain Admins Powe

r
PAW
(DCs)

Data (Servers and

Apps)

Server Admins Workstation Admins

Access (Endpoints)
Mitigating PtH (Native Cloud)

 Split your environment into two layers

 Never allow higher layer admins to logon to lower layers

Global Admins
Power

(Tenant)

Workstation Admins
Access (Endpoints)
Implementing
 Create a local group
 New-LocalGroup -Name "BLOCK LOGON“

 Block logon from them

 https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-use
r-26e259b0
 Add the Global Admins to this group
Global Admins
 There should only be a very limited amount of them anyway
 Figure out their SIDs from the local machine and add to the group with
PowerShell

 Add-LocalGroupMember -Group "BLOCK LOGON" -Member S-1-12-1-

2097157045-1280873170-2182225078-2682104764
Global Reader
 https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/1
6-new-built-in-roles-including-Global-reader-now-available-in/ba-p/90074
9
Don’t remove these
Applies to all “Azure admins”
including “Device Administrators”
Add Device Admins
 Hopefully soon via a group
Implementing PAWs
Concept of PAW

 You should do management from a PAW

 You can enforce by Firewall-rules, Proxies etc.

PAW
Safe addresses
 https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-ur
ls?tabs=public-cloud
Implementing Whitelisting
AppLocker HOW TO
 Keep to containers not items – Folders vs Files, Publishers vs Hashes
 Remember to audit your installation with AccessChk!
 Remember NO ADMIN RIGHTS!!
Simplest AppLocker
 Relies on the knowledge of the user
Simplest AppLocker for many
Signing

 95% of Malware is not signed – just something to think about

 You can sign apps yourself
 Use Timestamp if possible!

 If you have the cert on your computer installed:

 Signtool sign /v /s MY /n MyPrivateCert /t 
http://timestamp.verisign.com/scripts/timstamp.dll  FileToSign.exe
 If not:

 Guide:
https://blogs.msdn.microsoft.com/winsdk/2009/11/13/steps-to-sign-a-file-usin
AppLocker Example Policies
AppLocker example

 My current
 Replace Matti Laiho with you companies own cert
 Replace HP with your UEFI provider
 Add Block-rules for known weaknesses:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/mic
rosoft-recommended-block-rules
My customer devices
 Basic rules + AccessChk revealed exceptions
 Use certificates if you can (and trust the company)
 Then add required network locations with
 UNC
 IP
 FQDN
 Sometimes also with the drive letter: P:, \\SVR\Share, \\SVR.dom.com\share, and \\192.1.1.2\Share

 Then add local applications outside of the default folders with Certs, Folders (if
they can be blocked from writing to by limited users)
 Problematic ones
 Self-updating, not signed and stored in users profile
 TIP! File/Folder rules allow * at any point!
 Use with caution – but usually need some! Try to use HASH rather if possible!
Hardening Applocker
Twitter
 @Oddvarmoe
 @subTee
 @mattifestation
 @enigma0x3
 @aionescu
 @tifkin_
 @bohops
 @PhilipTsukerman
 @samilaiho ;)
Hardening Whitelisting
Make sure your containers don’t leak (this is one batch file) – CHECK THE LATEST FROM GITHUB!

https://gist.github.com/api0cradle/95cd51fa1aa735d93311
86f934df4df9#file-accesschk-bat
Add always the ADS-version of a folder as well
 %WINDIR%\tracing\*
 %WINDIR%\tracing:*
Hardening Whitelisting
 Remember to repeat the previous for every Folder-Rule you have…
Tools to help
 Oddvar Moe’s
 Ultimate AppLocker ByPass List
 https://github.com/api0cradle/UltimateAppLockerByPassList
 PowerAL
 https://github.com/api0cradle/PowerAL

 AaronLocker
 https://blogs.msdn.microsoft.com/aaron_margosis/2019/01/28/aaronlocker-moved-to-github
/
 Microsoft’s list of what to block:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windo
ws-defender-application-control/microsoft-recommended-block-rules
InTune + AppLocker
 https://blogs.technet.microsoft.com/matt_hinsons_manageability_blog/201
8/08/21/blocking-apps-with-intune-and-applocker-csp/
Implementing Firewall and IPsec
Firewall
How I use IPsec
 Require Inbound, Request Outbound
 Kerberos for users and computers
 Exclude DC’s and hard cases – You don’t need to get to 100%!
 Buy printers (etc) that can have a certificate if possible
Implementing Group Policy
InTune and AppLocker/Firewall
GPO2INTUNE 
Download
 https://win-fu.com/share/
Setup MFA where ever possible
 Setup Multi-Factor Authentication (MFA) service settings and enable MFA
for all possible accounts
 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettin
gs#mfa-service-settings
Checklist for Security
 https://www.itpromentor.com/azure-ad-checklist/
Need a code? Email sami@adminize.com
Free Training for my Session Attendees!
 Here is a code for my Dojo: Trial2018
 The address: http://win-fu.com/dojo/
 Under every video there is a CHOOSE OFFER button. Choose monthly
19,90€ and apply the code when paying.
 YOU CAN WATCH ALL THE VIDEOS FOR ONE MONTH 😊
Please evaluate this session
Your feedback is important to us!

Please evaluate this session through

MyEvaluations on the mobile app
or website.
Download the app:
https://aka.ms/ignite.mobileapp
Go to the website:
https://myignite.techcommunity.microsoft.com/evaluations
 Find this session Visit aka.ms/MicrosoftIgnite2019/BRK2096

in Microsoft Tech  Download slides and resources

Community
 Access session recordings in 48 hours
 Ask questions & continue the conversation
© Copyright Microsoft Corporation. All rights reserved.