Microsoft Security Features (And How To Use and Find Them)

Working on some security stuff over the next few weeks and decided to write up a blog post on all the Microsoft Security features.  Aka, what they are and what uses them and how you actually find them!  You will also realize that the same name is used a couple of times (“Advanced Threat Protection”) and some things aren’t really products but a marketing term for a “set of products”.  In some cases, the names have changed so Google/Bing search results are crazy!

Someone needs to manage product names with SEO in mind at Microsoft!

  • Azure Key Vault
  • Advanced Threat Analytics (ATA)
    • What is it and what does it do?
      • A proprietary network parsing engine that captures authentication and authorization data.
      • ATA will discover a well known set of attack types such as Pass-the-ticket,  Pass-the-hash, Overpass-the-hash, and many more!
    • What uses it?
      • It uses other systems (like a span port on a switch).
    • How do you get to it?
      • ATA is an on-premises software solution (download it here – amazingly not in the MSDN download center).  You must install it and configure it to monitor the traffic on your network.
      • ATA has to be configured to received data from your SIEM, Windows Event Forwarding and Windows Event Collectors
  • Office 365 Advanced Threat Protection
    • What is it and what does it do?
      • Protects your email from various different attack vectors including “possible” zero-day protection.  Provides the following:
        • Safe LInks, Safe attachments, spoof intelligence, quarantine, anit-phishing
    • What uses it?
      • Exchange Online and if enabled, your Hybrid setup of your on-premises Exchange
    • How do you get to it?
      • You have to add a subscription that contains this feature, once enabled you will have reports in your Exchange Online portal to view all security events
  • Windows Defender Advanced Threat Protection (aka Windows Defender Security Center)
    • What is it and what does it do?
      • An agent-less built in feature of Windows 10 OS that utilizes “sensors” to analyze user and app behavior to detect anomalies.
    • What uses it?
      • Windows 10 (v1703+)
    • How do you get to it?
      • Do a search for “Windows Defender Security Center” on your windows 10 device.
  • Compliance Manager
    • What is it and what does it do?
      • A new tool that will be release later this year that will score your environment on its compliance abilities to common laws and regulations.
    • What uses it?
      • Office 365 services
    • How do you get to it?
      • TBD
  • Azure Conditional Access
    • What is it and what does it do?
      • Allows you to prevent a user or app to login based on policies and threat analytics
    • What uses it?
      • Azure Active Directory
    • How do you get to it?
      • Open your Azure Portal
      • Find the Azure Active Directory you want to configure, select it
      • Click “Conditional Access”
  • Office 365 Conditional Access
    • What is it and what does it do?
      • Allows you to drill down into the sites in SharePoint Online that you’d like to lock down based on limited policy (Modern Auth, IP)
    • What uses it?
      • SharePoint Online
    • How do you get to it?
      • Open your Office 365 Portal
      • Click “SharePoint”
      • Click  “Access Control”
  • Windows Hello
    • What is it and what does it do?
      • Allows you to use Biometric based factors for authentication
    • What uses it?
      • Windows 10+
    • How do you get to it?
      • It is a part of the Windows 10 Operating System.  You can enable it with these steps:
        • Open “Settings”
        • Click “Accounts”
        • Click “Sign in options”
  • Multi-Factor Authentication
    • What is it and what does it do?
      • Only using a password has become bad practice.  Enabling both a password and a token are common place (even though many people have not protected their Azure Admin account with MFA!)
    • What uses it?
      • Anything and everything that utilize authentication via Azure AD or even Hotmail\Passport
    • How do you get to it?
      • You can get there by selecting a user in your Office 365 admin page, then click “Manage multi-factor authentication or browse to Azure AD here
      • Tokens are available via the Microsoft Authenticator app (iPhone, Android)
  • Cloud App Security (used to be called “Office 365 Advanced Security Management”)
    • What is it and what does it do?
      • This tool will monitor your employee application usage (including cloud based apps) and give you an idea of what rouge IT solutions may be lingering on your network.
      • A Cloud App catalog can be constructed that would allow you to trust or untrust applications.  Example, If you have chosen OneDrive as your personal file solution, then all instances of Box and DropBox should be disallowed (after migration of course).
    • What uses it?
      • It runs behind the scenes gathering data and information on the apps that are running on your users computers.  The data that is gathered is anonymous so that you abide by various new laws (such as our friends in the EU have enacted).
    • How do you get to it?
  • Data Loss Prevention
    • What is it and what does it do?
      • Allows you to control the type of data that is being sent from your Office 365 environments
    • What uses it?
      • Exchange, SharePoint, Skype
    • How do you get to it?
  • Customer Lockbox
    • What is it and what does it do?
      • It prevents Microsoft engineers from accessing your content in Office 365.
    • What uses it?
      • Office 365 systems
    • How do you get to it?
      • Open your O365 admin portal
      • Expand the “SERVICE SETTINGS” node
      • Click “Customer Lockbox”
      • Toggle the switch to “On”
      • NOTE:  When a Microsoft Engineer needs to access your environment to fix an issue, be aware that the Customer Lockbox requests have a default lifetime of 12 hours, after which they expire.
  • Windows Information Protection
    • What is it and what does it do?
      • An extension to the Information Rights Management (IRM) conversation.  WIP is designed to be seemless.  The idea is that data that starts on your network should stay on your network. If it needs to go somewhere else, then policy should define the rules.  WIP does this.
    • What uses it?
      • Windows 10 (v1607+) with all Microsoft Office products and Microsoft Edge. Universal Windows Apps support WIP but have to be enabled to do so (Microsoft is working with 3rd parties).
      • Azure Rights Management (cloud based IRM) will kick in if your have to share data outside your network (such as with Business Partners).
    • How do you get to it?
      • You can enable WIP by configuring a policy in your Intune portal or utilize System Center Configuration Manager (SCCM) – steps here.
  • Azure Storage Service Encryption
    • What is it and what does it do?
      • Encrypts all the blobs in your storage account using an encryption key
    • What uses it?
      • Azure Storage Accounts
    • How do you get to it?
      • Go to your Azure Portal and select “Storage Accounts”
      • Select a Storage Account
      • In the properties window, select “Encryption”, click “Enabled”
        • NOTE:  If you are missing the “Encryption” node, then is could be:
          • The storage account is “classic”
          • The storage account is not “Blob Storage”
        • NOTE: You cannot utilize your own key with this services (aka, no BYOK)
        • NOTE:  If you enable after you have created an account, only new blobs are encrypted!
        • NOTE:  It is also possible that the Azure Security Center may “recommend” you enable encryption for your older storage accounts
  • Device Guard
    • What is it and what does it do?
      • A group of features.  Combined they lock down a system such that only trusted applications are allowed to execute, thereby preventing malware from ever running on your computer.
    • What uses it?
      • Windows 10 and Windows Server 2016 operating systems
    • How do you get to it?
      • You have to have UEFI running in Native Mode on Windows 64bit, Second Layer Address Translation (SLAT) and Virtualziation Extensions (Intel VT or AMD v) and preferably with a Trusted Platform Module (TPM)
      • Install the “Hyper-V Hypervisor” feature
      • You have to create a Code Integrity Policy and then deploy it to the targeted systems.  This file is called SIPolicy.p7b and lives in the C:\Windows\System32\CodeIntegrity or <EFI System Partition>\Microsoft\Boot for UEFI computers
      • NOTE:  These policies can get very complex very fast, check out all the stuff you can do here
  • Windows Defender Credential Guard
    • What is it and what does it do?
      • Prevents credential theft attacks such as Pass-the-Hash or Pass-the-Ticket.
      • Sets up a virtualization like approach to allow only access to the system software that should be able to get to them
      • Uses the new Virtual Secure Mode (VSM) to secure data in memory, also called Virtualization Based Security (VBS)
    • What uses it?
      • Any software that has to do NTLM or Kerberos authentication
    • How do you get to it?
      • This is a part of the operating system in Windows 10 and Server 2016
  • UEFI Secure Boot
    • What is it and what does it do?
      • Ensures that all software loaded at boot time is trusted.  No “Bootkits” can be loaded.
    • What uses it?
      • Pretty much all of the latest hardware (laptops, servers) have a UEFI bios now, so you get this by default.  You can turn it off, but you would only do so if your operating system was not a part of the trusted set of software
    • How do you get to it?
      • When you computer loads, jump into the UEFI bio settings,  from there you can turn it on or off.  Unless you have a really special Linux distro (or your own) you should probably leave it on!
      • NOTE:  Secure Boot does not require a TPM
  • Trusted Boot Process
    • What is it and what does it do?
      • It is the steps after the Secure Boot process ends.  It makes sure that all the Windows OS level items are secure and trusted.  No “Rootkits” can be loaded.
      • These include:
        • OS Loader, Kernel, System drivers, System Files, ELAM Driver
      • What uses it?
        • Windows 8.1+ and Server OSes
    • How do you get to it?
      • Nothing to “see” here
  • Enterprise Mobility + Security
    • What is it and what does it do?
      • It is a subscription in Office 365.  It is not “technically” a product, but a set of services that will light up in your tenant if you purchase it
    • What uses it?
      • Office 365 and Azure (in terms of “lighting up” available services)
    • How do you get to it?
      • Open your Office 365 portal
      • Click “Billing”
      • Click “Subscriptions”
      • Click “Add subscription”
      • Search for “Enterprise Mobility + Security”
      • Select it, Buy It!
  • MDM for Office 365
    • What is it and what does it do?
      • It allows you to do some really basic mobile device policy enforcement such as password requirements, data encryption, no jail broken phones.
      • You can also enforce things like blocking cloud backup, screen capture, app store, and bluetooth.
    • What uses it?
      • Policies are enforced by the applications you download such as Outlook for iPhone, etc
    • How do you get to it?
  • Microsoft Intune
    • What is it and what does it do?
      • Microsoft’s hard core MDM solution.  It goes waaay past the basic MDM you get with Office 365.
      • Intune adds many more features and functionality around device management such as windows updates and software push aka Mobile App Management (MAM).
    • What uses it?
      • Any registered or unregistered devices that want to access your cloud services
    • How do you get to it?
      • Open your Office 365 portal, in the “Admin Centers”, select “Intune” or just go to the Intune Portal
  • Intelligent Security Graph
    • What is it and what does it do?
      • Marketing term mainly…not really a product
      • It is a network of security related systems and events that are continually analyzed to determine what attackers are trying to do against the Microsoft Cloud Infrastructure.
    • What uses it?
      • Nothing you are directly exposed too.  This is a behind the scenes system of systems that uses various algorithms to find attack patterns.
    • How do you get to it?
      • Its abstracted away from you, nothing to see here…literally.
  • Azure Monitor
    • What is it and what does it do?
      • It is the log aggregator for all Azure services.  Any future products will also send their data here.
    • What uses it?
      • All Azure services are monitored by Azure Monitor
    • How do you get to it?
      • It has many entry points to gain access to the monitoring data.  Azure Portal, PowerShell, CLI, REST and a .NET SDK
  • Azure Advisor
    • What is it and what does it do?
      • Evaluates your Azure subscriptions for several categories of security.  High Availability, Security, Performance, and Cost
    • What uses it?
      • Nothing technically uses this feature, but it does provide you will recommendations on how to best use Azure and its many features in an optimal manner
    • How do you get to it?
  • Database Threat Protection
    • What is it and what does it do?
      • Protects your Azure Databases from potential internet based threats.  This can be super helpful for when you want to ensure that your developers have actually followed best practices when designing the applications that make calls into your database.
    • What uses it?
      • Azure SQL Databases, possibly other db platforms in the future
    • How do you get to it?
      • Open your Azure Portal
      • Navigate to the “” category
      • Select your SQL Database
      • Click the “Auditing and Threat Detection” node
      • Toggle the buttons to enable “Auditing” and “Threat Detection”
      • NOTE:  It costs $15/server/month
  • Azure Network Monitor (aka Network Watcher, aka Network Performance Monitor)
    • What is it and what does it do?
      • Similar to the Solarwinds Traffic Analyzer and Network Performance Monitor, Azure Network Monitor allows you to setup monitors between services and servers in your Azure instance.  You can also monitor your ExpressRoute traffic if you have that setup.
    • What uses it?
      • Nothing really uses it other than you.
    • How do you get to it?
  • Office 365 Secure Score
    • What is it and what does it do?
      • This tool will evaluate your Office 365 tenant and compare your settings and service configurations to over 364 different reference points
    • What uses it?
      • Nothing uses it, its another recommendation tool like Azure Advisor
    • How do you get to it?
  • Operation Management Suite (OMS)
    • What is it and what does it do?
      • Its your SCOM server in the cloud, only, much cooler!  You can utilize events to fire off configuration tasks similar to how SolarWinds uses its NCM product to push configurations to Cisco devices
      • OMS is not really a single product, but a set of services, these include:
        • Log Analytics
        • Automation
        • Backup
        • Site Recovery
    • What uses it?
      • OMS uses everything else.  It can make changes to your infrastructure based on the data it is receiving.
    • How do you get to it?
      • Open your Azure Portal
      • The OMS services are under the “MONITORING + MANAGEMENT” category

Testing Office 365 Connectivity

Recently had a customer with an issue with accessing Office 365\SharePoint site.  They were complaining that the performance was not great.  So I needed to see what issues they might be having with their network.  Results were really interesting, they were being routed (via ATT) from SJC to CHI to NYC to DUB then back to LAX and finally to the US West data center in SJC.  Woah…that’s definitely not good!

Decided to write down all the tools I use and the script commands I execute to test a sites connectivity to Office 365.

  1. Fiddler
    1. Open a site collection, sort the HTTP requests by latency\execution time
  2. MeasurementLab tools
  3. Ping – Network level
  4. Tracert – Transport level
  5. WireShark – For really tough, weird things that don’t show up in regular network tools (Session, Transport issuse)

Services to ping:

  • Exchange
    • ping outlook.office365.com
      • Ensure you are getting the closest data center:
        • outlook-namcentral3.office365.com – 40.97.125.146
        • outlook-namnorthwest.office365.com – 40.97.134.178
        • outlook-apacsouth.office365.com – 40.100.17.34
        • outlook-emeawest.office365.com – 40.101.69.226
        • etc…
    •  SharePoint
      • Resolve-DnsName tenant.sharepoint.com
        • Determine DNS servers serving your requests
      • ping tenant.sharepoint.com -t
      • ping 104.146.168.28 (tenant.sharepoint.com)
        • Target latency = <100ms
      • ping 40.97.119.178 (outlook.office365.com)
        • Target latency = <50ms
  •  Skype
    • ping global.tr.skype.com
    • ping 13.107.8.2 -t
      • Target latency = <20ms
  • Azure
  • Other IPs

Services to tracert (use the db-ip.com service to find their locations):

  • tracert 13.107.8.2
  • tracert 40.97.119.178

Look up each ip along the way…to see if unnecessary routing is occurring.  If it is, then ISP needs to configure route to data center or customer needs to setup ExpressRoute.

https://db-ip.com/{IPADDRESS}

Painful Example:

  • 192.168.25.12 – local router (San Jose)
  • 12.251.115.241 – Chicago (ATT)
  • 12.122.110.58 – New York (ATT)
  • 12.122.163.34 – New York (ATT)
  • 12.122.158.9 – New York (ATT)
  • 104.44.9.183 – Dublin (Microsoft)
  • 104.44.4.105 – Los Angeles (Microsoft)
  • 104.44.4.102 – Los Angeles (Microsoft)
  • 104.44.9.215 – Los Angeles (Microsoft)
  • 40.97.119.178 – San Jose (Microsoft)

Helpful references:

Nintex 2016, SharePoint 2016, non-compliant roles

You may run into an issue with your Nintex Services not starting on your non-central administration servers as in this image:

You can attempt to browse the web and Nintex support pages, but they will be of little help:

It turns out that the services did not get installed as part of the solution deployment.  In otherwards, the Nintex Services are missing on your SharePoint server.

In this case, you have to install the services manually in order to start them and have your server be compliant. The three services are:

  • Nintex Connector Workflow Queue Service – (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflow\Nintex.Workflow.Connector.QueueService.exe)
  • Nintex External Relay Service -(C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\ExternalPlatform\Nintex.External.RelayService.exe)
  • Nintex Workflow Start Service – (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflowStart\Nintex.Workflow.Start.Service.exe)

You can manually install these services to the other servers by running the .net installutil utility (Except in the case for two of them you have to use the “sc” tool).  Note that there are two versions of this tool, 32bit and 64bit.  If you use the wrong one, you will get the dreaded “System.BadImageFormatException”, and if it does successfully run, the service won’t be visible to SharePoint due to Nintex “programming practices”.  The install tool is located in:

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

The series of commands in an administrator command (cmd.exe) window would be:

  • sc create “Nintex Connector Workflow Queue Service” binPath=”C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflow\Nintex.Workflow.Connector.QueueService.exe” DisplayName=”Nintex Connector Workflow Queue Service” start=auto
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe “C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\ExternalPlatform\Nintex.External.RelayService.exe”
  • sc create “Nintex Workflow Start Service” binPath=”C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflowStart\Nintex.Workflow.Start.Service.exe” DisplayName=”Nintex Workflow Start Service” start=auto

Why do you have to use “sc create”?  Because the internal name of the Queue Service is actually “Nintex Connector Workflow Queue Service Recycle”.  For the other, the name ends up being “NWStart”…SharePoint doesn’t like it when services don’t match what they expect!

Once you run the install commands, the services will display in your Services applet:

Once they are installed, switch back to Central Administration, click “Start” on the servers.  They should now start without error and your servers will be in “compliance”!

Enjoy!
Chris