Security

Hornetsecurity Overview – 365 Total Protection

Posted on by Adam Fowler


The Microsoft 365 Suite contains a lot of different solutions; and varying levels of security on those solutions, depending which tier of licensing you have. Microsoft’s security answers have varying levels of user experience, technical requirements, and administrative burdens.

For example, if you’ve used Microsoft native solutions to look at mailflow regularly compared to third-party solutions, you’d probably agree that Microsoft do not provide a quick and easy experience in troubleshooting why an email didn’t arrive. If you have to go back more than 2 days, then you’ll potentially have to wait a few hours just to get the results of the mailflow steps.

Third-party solutions must compete with Microsoft in their own space for security solutions, which means they need to be adding value somehow; cheaper, easier to use, more features, and/or quicker.

Hornetsecurity’s answer to this is their 365 Total Protection solution. I’m fairly experienced with Microsoft’s first party offerings, and a few other third-party mail security solutions, so was interested to see how this stacked up and where it might fit.

Hornetsecurity shows the 3 different tiers of licensing, and an option to start a free trial:

The above pricing based on the feature set seems quite reasonable to me, and from the page you can click on each feature and see more information including a screenshot.

The free trial process is well documented – the first page lays out what you’re in for which will unsurprisingly require tenant admin access to approve tenant permissions for Hornetsecurity.

Once you accept the permission request, a synchronisation will start. As I’m doing this in my own tenant of 1 user, it took about 20 seconds to perform. You’ll then need to update MX records so mail flows through the Hornetsecurity service, so it can do many of the services listed.

Not all services rely on mail flow, there is also an Outlook add-in. For older versions of Outlook it can be downloaded and installed like a traditional add-in, or there’s the much nicer modern method that’s controlled from inside Microsoft 365 admin center to deploy and show for users (I wish more vendors did this!).

Either way, the Outlook add-in provides several functions such as being able to report emails, block/allow emails, and view archived emails.

Some other notable features of the 365 Total Protection solution:

  • Email Archiving – something Microsoft can do, but don’t do a great job of exposing the archived emails. 10 years of email retention should be more than enough for most companies, and even if you have archiving enabled in your tenant natively, this gives you a backup of all your emails.
  • Email Live Tracking – a real time view of mail flow that works quickly and doesn’t require reports to be generated after 2 days that are CSV files.
  • Individual User Signatures – Centralised signatures that are also monitored for people who decide to change them away from the company standard. Different groups can get their own style of signature too. Microsoft still has nothing in this space natively and is still in the early days of having a signature saved to someone’s profile.
  • eDiscovery – Being able to search quickly across all emails in the company for keywords is a handy thing. Another one that Microsoft can do, but it’s clunky and far from quick.
  • Email Continuity Service – If Microsoft’s mail services go down, you can keep going until they’re back – delivering and sending emails directly through Hornetsecurity, then syncing up what happened after the event.
  • Automated backups for mailboxes, Teams, OneDrive and Sharepoint – this is really where all your Microsoft 365 data will live. Again, it gives you somewhere this data can be backed up and restored outside of Microsoft’s ecosystem.

There is of course a lot of security aspects to the solution such as Forensic Analyses, URL Malware Control and Realtime Threat Reports, but I quite like the Malware ex-post alert and Malware ex-post deletion. Malicious emails that get through on any system (and I’ve seen this with other third-party solutions as well as Microsoft) need to be detected and cleaned up, as well as investigated on whether anyone clicked the link. This ties into URL Malware control, which will do URL rewriting. Microsoft do this natively, but I’ve found the cleanup aspect can take a little while to perform and isn’t a seamless process from detection to cleanup.

One last point – it is good to see that they have a data centre in Australia as I see many of these companies ignore our region, which makes it hard when you need to keep your data in-country.

I look forward to playing around with Hornetsecurity further. If you’re curious too, then check out their free trial here.

Windows Hello for Business – A less forceful rollout option

Posted on by Adam Fowler

How to roll out Windows Hello for Business as optional

To roll out Windows Hello for Business optionally:

  1. In Group Policy, enable the ‘Use Windows Hello for Business’ policy
  2. Tick the option ‘Do not start Windows Hello provisioning after sign-in’
  3. Users will then need to click the Windows Security icon to register

Applies To : Windows 10

When I first looked at Windows Hello for Business at launch, I was impressed by it but also concerned. Turning the option on would prompt all users or devices that had the policy on, strongly encouraging them to go through the Windows Hello for Business setup with their fingerprint/face recognition and PIN.

To roll out Windows Hello for Business, follow Microsoft’s documentation which is quite detailed due to the complexities of scenarios and requirements; such as Single-Sign On, MFA of some sort and Public Key Infrastructure.

It was a bit intrusive to have this almost forced registration process as a user might not be in a position to go through the setup and be trying to do something urgent first thing in the morning, but even more of a concern was the style of the userbase I support – anyone expects to be able to log onto any computer anywhere. Windows Hello for Business doesn’t follow the user around for good reason (you’re tying the things you have to a single device), so each new device will go through the prompts.

I also had concerns around desktop users who didn’t have any other method of authentication beyond the PIN, and the perception than a PIN is less secure than a password (again the PIN is tied to a single device, while the password can be used to log onto any device).

Thankfully, a new option turned in Group Policy under the ‘Use Windows Hello for Business’ policy, located under both the Computers and Users areas Policies > Administrative Templates > Windows Components > Windows Hello for Business. The tickbox ‘Do not start Windows Hello provisioning after sign-in’. (To be fair, this has now been there for a while and I just wasn’t aware):

This will instead provide a little warning in Windows Security under Account Protection, saying Windows Hello isn’t set up. It doesn’t pop up and alert this, but instead shows a yellow exclamation mark against the shield icon in the taskbar. A user can then click through this at their leisure and set up Windows Hello for Business.

To me, this is a great way of allowing all staff the chance to set it up when they’re ready to do so, and in a staggered fashion without really having to manage it. Each business is different of course, and some will prefer or require the heavy handed approach of Windows Hello for Business on all devices – but I’m glad this more relaxed option exists.

Note that Windows Hello for Business is supported in both Azure AD connected and Hybrid Azure AD devices. For further info, read Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

Cyber Security Essential Eight and Microsoft

Posted on by Adam Fowler

I wrote a 2 part piece on Australia’s Cyber Security Essential Eight and Microsoft over at 24x7ITConnection. Here’s Part 1 and Part 2, where I covered what the Essential Eight are, why they’re a risk, and where Microsoft can help in both a on-premises sense as well as cloud.

I don’t normally cross post from here what I write on other areas, but I put a fair bit of effort into writing this up, and thought it was worth resharing. Regardless if you’re Australian or not, our government actually has practical recommendations on what you should be looking at to harden your IT environment.

If you haven’t looked at these before, see how many of the eight you can tick off. If you can’t tick all eight, then I encourage you to work towards those gaps. Here’s what the eight areas are:

Application whitelisting

Patching applications

Office macros

Harden user applications

Restricting administrative privilege

Patching operating systems

Multi-factor authentication

Backup daily

All pretty obvious, but getting these perfect is still a very big undertaking. We’re seeing more and more security breaches in all different ways, so please don’t think of these items as ‘something to worry about later’!

Chinese Characters in IE11, Edge and Windows 10

Posted on by Adam Fowler

I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves worked, which you could either use if they had a graphical representation of the button still, or you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical. and other browsers weren’t affected – Chrome could display these sites perfectly fine.

I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practises. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking‘. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk – the loading of a font can allow elevated privileges, and has been used before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that in simple terms, websites can present their own fonts to use. It may be easier to present an arrow that’s from a font, rather than making a graphic of a font. Usually the site will load the font on the fly, but blocking that means the site fails back to a ‘best match’ on the font, which seems to be a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.

Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on. Type 1000000000000.
  • To turn this feature off. Type 2000000000000.
  • To audit with this feature. Type 3000000000000.Important
    Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000

Security Group Management Script

Posted on by Adam Fowler

Over at eNow Consulting’s blog, I submitted an article and script on Exchange Group Management. It’s been working great for me, and hopefully will help others. I had a similar requirement around Security Groups, and this is the result.

The script itself is almost identical, but I wanted to share it anyway. I think it’s a great demonstration that you can really customise a script for whatever purpose you have. If you want to know how the script works generally, read my post at eNow, but there’s only one line different.

Instead of creating a “New Distribution Group”, it’s creating a New AD Group. The whole command is a bit different in syntax, but it’s still doing the same thing – creating a group. If you only wanted to manage existing groups, and removed the line altogether, you could manage both email and security groups from the single script (assuming a since csv file contains everything you want).

Here’s the script:

# Script to populate members of Security Groups
Start-Transcript -path C:\Scripts\Admin\Logs\securitygroups.txt
$data = import-csv C:\Scripts\Admin\securitygroups.csv
foreach ($group in $data){
New-ADGroup -name $group.GroupName -GroupCategory Security -GroupScope Universal -Path “OU=Security Groups,DC=mydomain,DC=com,DC=au” -Description “Automatically Managed by  @AdamFowler_IT’s Script”
$users = Get-ADUser -SearchBase “ou=Users,dc=mydomain,dc=com,dc=au” -Filter $group.filter
Get-ADGroup -Identity $group.groupname | Set-ADObject -clear member
Add-ADGroupMember -Identity $group.groupname -Members $users
}
Stop-Transcript

Ideally, you should intelligently create security groups based on criteria around how the business functions. For example, the Finance department can have their own security group, if their department is Finance. Makes sense right?

The catch though, is to NOT link any actual security to this group. You don’t want 30 different things (e.g. files, folders, sharepoint sites, anything you’d use a security group for) pointing to one group. What if the Finance folder needs to be accessed by the CEO of your company? You shouldn’t just add them to the group by adjusting the filter, because they’ll get access to the 29 OTHER things pointed at this group.

The way around this is to have a security group for every single separate thing you apply security to. Have a Finance drive? Then create an AD security group with a descriptive name, and then add the original Finance security group as a member. This way, if someone joins or leaves the Finance team, security will automatically apply. On top of that, if you need to give the CEO access to the Finance drive by this secondary group, knowing you’re only giving them access to that one thing.

One to one relationships on a security group and what it applies to, will make managing it in the future much easier. You could extend this even further, and have a security group for each job function – this would mean there is a CEO security group that contains the CEO, and you can then add that security group to anything they need. The biggest benefit of this is when your CEO quits and another one comes along, you can just add the new CEO to the CEO group and they’ll get the same access. Not sure what access the CEO gets? Check what the CEO security group is a member of, and all your smartly named security groups will be listed.

My last tip around security groups is to note down who’s in charge of the group in either the notes or description field. If a query comes up a year later, you may not remember who originally asked for the security. Having a person or a job title listed means you can quickly get approval for making membership changes to the group.

Thinking about how you’re going to manage things in the future and planning around it might be a bit more painful at the time, but it really pays off in the end.