LAB: Microsoft Defender ATP and Conditional Access

The integration between Intune and Microsoft Defender Advanced Threat Protection (MDATP) has been there for a while now. It’s an interesting feature, as it allows the risk score assigned by MDATP to be utilized in CA policies. Most organizations I’ve worked with only use Intune for MDM and MAM and still use SCCM (or the like) for managing workstations. While Intune’s capabilities in workstation management are still limited, it’s constantly evolving – and with SCCM co-management supported, it’s becoming a very viable option to enroll also your workstations into Intune. In any case, I wanted to do a quick experiment on how the MDATP -> Intune -> CA integration works, and how quickly we can go from detecting an alert in MDATP into actually making access restrictions in Azure AD based on the incident.

In all its simplicity, the environment is depicted in the picture below. The laptop in this case is just a VM running in Azure but it will do the trick. The Windows 10 is directly joined to Azure AD (this would work equally well with hybrid scenarios, but I got lazy setting up the local infrastructure). The device will be enrolled into Intune and into MDATP (using Intune).

Setup: Intune + MDATP + CA

To begin with, you have to integrate Intune with MDATP. You’ll find the setting within the Intune management blade:

As well as in the advanced settings of the MDATP portal:

Once the tenant level integration is done, you need to create a device configuration profile for MDATP:

The next thing you need is a device compliance policy. This will determine at which MDATP risk level the device will be marked as non-compliant. In my case, I’ve set it to ”Low”, which means that any risk level higher than that will push the device out of compliance. We’ll see how the risk levels are shown in MDATP later.

On the compliance policy settings we want to make sure that devices with no compliancy status will be marked non-compliant:

And finally, you should set up a security baseline for MDATP. Although not strictly required for this experiment, it gives you a good idea which MDATP features you can centrally manage via Intune. If you’re running your Windows 10 remotely, be careful with the firewall configurations. The default settings in the baseline will make you lose RDP connectivity (been there…).

Finally, we’ll create a couple of conditional access policies. For testing purposes, I’ll create two policies:

Access to SharePoint Online will require either a compliant device or MFA
Access to Exchange Online will require both a compliant device and MFA (picture below)

Enroll!

Now we’re good to go! I start by joining the Windows 10 client to Azure AD, which will also automatically enroll it into Intune (as I have enabled the enrollment policy). After that, I’ll login with an Azure AD account and run the following command. This should generate an informational alert in MDATP, just to show that we’re getting the data.

The information in the MDATP portal lags a few minutes behind, you have to wait for a bit for the information to appear. But eventually, you should see this:

As you can see, the risk level is currently ”No known risks”, as this activity is not considered suspicious. Note, this view also shows the machines exposure level. MDATP assesses any vulnerabilities on the host, either due to missing security patches or known vulnerable configurations. The exposure level does not impact the devices compliance status, but provides very useful information about the security posture of the device.

At this point, we can see our device also in Intune, and it is compliant with all the defined policies:

When I access SharePoint Online, I’m able to get in with just username and password. And if I login to Exchange Online, I need to authenticate using MFA, but I’m able to get in. So everything is working as expected. Note: if you’re using Chrome, you need to have the Windows 10 Accounts extension enabled. Otherwise the device information will not get conveyed to Azure AD, and it will assume that you’re using a non-compliant device.

Infect me!

Now, let’s break things. In order to do that, I need to simulate an attack on my Windows 10 device so that MDATP will increase the risk level. For that purpose I’m using a Word document that is crafted for this purpose.

The document contains a macro that drops two files on the desktop (diy_rs3_jscript_executes_ps.js and WinATP-Intro-Backdoorexe.jpg). It will then establish persistence by modifying the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. And finally, it starts a trusted process (RuntimeBroker.exe) and injects malicious code into it. This kind of pattern might go unnoticed from traditional anti-malware solutions, and that’s of course the point here.

Once I’ve opened the document, I’ll wait a couple of minutes and voilà! There’s not just one alert, but a bunch of them, and the device risk level jumped to High. We’ll briefly look into the forensics later, now we just want to see what happens with conditional access.

The information has also propagated to Intune via the integration and the device is no longer compliant (this took literally just a couple of minutes from the simulated infection):

At this point, I’m still able to use my open browser session as the access token is still valid (1 hour validity time). But I’m impatient so I just close my browser and reopen it. When I login to Exchange Online now, I get the following notice. In this case, it should say: ”Oops – you really shouldn’t have opened that document”.

I’m still able to access SharePoint Online but it now requires MFA. So the CA policies work just as expected.

Off the grid

One useful feature within MDATP is that you can completely isolate the client from the network. It might be that the device is currently in the corporate network, and therefore just restricting access through Azure AD might not be enough (unless you’ve implemented a full-blown zero-trust model).

Once I do that, it takes a minute or two and I lose my RDP connection. Luckily, that the device will still be able to communicate back to MDATP (well, it would be a pretty crappy feature otherwise). This way, once the remediation activities have been completed and, you can remotely allow the device back into the network. Also, I can still continue my forensic analysis while the device is safely off the grid.

CSI

So what would happen next? Obviously, at this point someone from the SOC team, or whoever is monitoring the alerts, would need to investigate what happend, and help getting the device back into compliance. There are a couple of MDATP features worth exploring at this point (we won’t go through everything). MDATP shows you the process tree during the incident, which gives a nice overview of what happened:

You can also check on individual files, and where they have been seen in the organization, in this case I’m looking at the WinATP-Intro-Backdoorexe.jpg:

You can also take the file hash and use it to drill down to the data using the advanced hunting functionality. This allows you to search the data directly from the MDATP logs using Kusto query language (same that is used with Log Analytics). There’s also a community that has produced useful examples, both for generic use as well as for identifying specific exploits (https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries). In this case, I’m just looking into all the events involving this particular file.

Another useful feature is the ”Collect investigation package”:

This will pull all sorts of useful information from the machine and allow you to download it in zip format. This can be very useful when doing the forensic analysis.

Reincarnation

So let’s say we’ve now concluded our investigations and cleaned up the machine. What next? We have to decrease the risk level of the machine for it to become compliant again. To do that, we have to resolve the alerts in the portal. You can also link alerts into incidents, as in this case all the alerts originating from this machine should all be related to a single incident.

Once all the alerts have been resolved, the risk level goes back to ”No known risks”. At this point, if we have isolated the machine, we could release it from the isolation (it took a couple of minutes for me to be able to reconnect my RDP session after the release).

And as expected, device status in Intune is back to compliant:

And I’m able to read my email again!

That concludes today’s experiments.

Lab: Zero Trust Exchange 2016 with AAD oAuth2 and SAML (KEMP)

Posted on helmikuu 3 by Joosua Santasalo

Welcome to the four part lab (1/4) regarding implementing ”Zero Trust”, or identity perimeter-ish controls for your’re hybrid environment:

First part is about unifying access controls for cloud-and on prem users (this part)
Second part is hardening of the remaining on-prem entry vectors
Third part is hardening of the remaining cloud entry vectors
Fourth part is about hardening and monitoring – what happens after authentication and authorization have taken place

Giving the Zero Trust Treatment for OWA and Exchange On-premises

Hybrid Modern Authentication + Kerberos Constrained Delegation

One of the most understated, and welcome enhancements introduced lately for Hybrid setups, is the so called ”Hybrid Modern Authentication” – It mostly fixes the problem, of having mix set of users with Legacy Authentication and modern authentication in hybrid environment – Example an environment where all the mailboxes are in on-prem (for compliance reasons) but, other services are consumed from Cloud.

What I mean by mostly, is that I noticed the documentation for HMA left out the Outlook Web Access and ECP out of the possibilities

Exchange

No Oauth for OWA? No problem

”Full blown HMA” with Azure AD + KEMP

Benefits?

You get to protect on-prem OWA with Conditional Access , and users get the SSO benefits of Azure AD Device Login (HDJ, Registration and similar options) – besides MAPI,EWS,ACTIVESYNC and OAB

Azure AD authentication for OWA, Outlook and ActiveSync

OWA Azure AD Login

(Click pictures to open gallery view)

Outlook Hybrid Modern Authentication

(Click pictures to open gallery view)

You get to see all Exchange On-prem logins on Azure AD
(Click pictures to open gallery view)

You have the same 2FA experience for on-prem, and cloud mailbox users
Unified policies based on the use case for both on-prem and cloud mailbox users
You get Identity protection for on-prem users, and on-prem Apps as well

Configuration

Important configuration notes

Understand how SPN’s work in Azure AD and Active Directory
- I wanted to ensure, that SPN for OWA doesn’t end-up in Exchange Online list SPN’s for Oauth2 relying partys, so I ensured that OWA has its own FQDN which is later used processing of KCD

Customize KEMP SAML SP to parse Identity from custom Azure AD attribute
- I had to do some input/output testing to figure out how KEMP creates KCD attributes from SAML assertion http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

KEMP is unable to parse the domain from UPN, so its that important the SSO namespace has name that is searchable in the AD Domain

ssomgr: #812# auth_saml_post: SAML Response verified! - redirect to https://sp.dewi.red/ 
 ssomgr: #812# >>add_user():  ts: 1549182167 [age=36]  type: 6  user: joosua@ff00.info  samAccName:   host: 192.168.1.1  domain: default domain [AD02.DEWI.RED] for VS[11]
167 [age=36]  type: 6  user: joosua@ff00.info  samAccName:   host: 192.168.1.1  domain: AD02.DEWI.RED  cookie: 66ac2548acb92ee3796e324e6d392362  failed_auths: 0  lockout: 0  tout: type:900[1] 
 ssomgr: #16972# kcd_reauth_thread: KCD reauth for SAML, user[joosua@ff00.info]
 ssomgr: #16972# baseUserName: basename=|joosua|
 ssomgr: #16972# >>> kcd_get_user_ticket
 ssomgr: #16972# >>>resolve_destination_address: Attempt to resolve destination [192.168.2.7][2]
 ssomgr: #16972# <<>> get_impersonator_cred_handle
 ssomgr: #16972# get_impersonator_cred_handle: /tmp/kerberos_domain_init_done: 0 
 ssomgr: #16972# >>> get_impersonator_cred_handle - handle=0x70c530
 ssomgr: #16972# kcd_get_user_ticket: Get a ticket on behalf of user joosua
 ssomgr: #16972# kcd_get_user_ticket: Credentials aquired
 ssomgr: #16972# Proxy name: [KEMP_KCD@AD02.DEWI.RED] 
 ssomgr: #16972# Target name: [http/sp.dewi.red@AD02.DEWI.RED] 
 ssomgr: #16972# Delegated name: [joosua@AD02.DEWI.RED] 
 ssomgr: #16972# Delegated mech: [{ 1 2 840 113554 1 2 2 }] 
 ssomgr: #16972# encode_ticket: sz=1982 ticket=0x7ffd79b750a0 len=65536 buf_sz=65536

Exchange

Configure HMA (and it’s prerequisites)

I will go into hardening on a next blog – Nonetheless I highlight that I disabled already for MAPI, ActiveSync, OAB some of the legacy authentication options for testing.

Active Directory

I am not going to delve into Exchange, DNS and AD Namespaces here, nonetheless its good to understand, that SPN’s and FQDN’s are deeply in play here enabling how Azure AD authentication can be extended to on-premises apps

Create Service Account for KEMP_KCD and assign the delegation for SPN’s
We will take an new look into this part the second blog

Azure AD

Configure SSO for OWA in Azure AD
- Use the Service Principal Name as Entity ID
- Download certificate and XML to be used KEMP configuration SSO config
- Implement user assignment if you want to have additional layering of ACL between AAD and OWA

Create Conditional Access Policy for Exchange and OWA

KEMP

KEMP

Attach the KCD account to Client Side configuration in SSO settings

Ensure that the DNS for the domain is working as intended (no local resolution here)

Remember that Azure AD Token Sign In certificate has to be imported from ”Intermediate Certs”

Ensure that reverse resolution for IP to DNS name works

https://support.kemptechnologies.com/hc/en-us/articles/203860275-Kerberos-Constrained-Delegation

See it in action!

”OAuth Parlance”

For anyone curious I’ve attached the initial flow type example for ActiveSync below with IOS accounts app
- These initial flows happen before application starts to mostly work with grant_type=refresh token

Initial ActiveSync registration after standard 401 – Request Authorization Code

Initial ActiveSync registration – Get access token in exchange for Authorization Code

Initial ActiveSync registration – Request ActiveSync options with Bearer Token (Access Token)

{
   "aud": "https://tps.dewi.red",
   "iss": "https://sts.windows.net/7fde6064-17a0-4c0e-87d6-19883001bd0d/",
   "iat": 1549180035,
   "nbf": 1549180035,
   "exp": 1549183935,
   "acct": 0,
   "acr": "1",
   "aio": "AVQAq/8KAAAAZt/xl2vYwIQrhcwUYV+BU4WdPVl3S5fXM8tGFmrS990ceaP+ylA0lNP24dVQjPM9l0hKmhmLEESy0iaokgeVcXWfZ5V2KpEETwOa+CYBzR8=",
   "amr": [
     "pwd",
     "mfa"
   ],
   "app_displayname": "iOS Accounts",
   "appid": "f8d98a96-0999-43f5-8af3-69971c7bb423",
   "appidacr": "0",
   "enfpolids": [],
   "family_name": "santasalo",
   "given_name": "joosua",
   "ipaddr": "62.78.150.57",
   "name": "joosua santasalo",
   "oid": "7b01cbef-1b79-4eaf-8862-b8e27e955e19",
   "onprem_sid": "S-1-5-21-621967805-835074083-177589206-1145",
   "puid": "100320003A4286E4",
   "scp": "EWS.AccessAsUser.All",
   "sid": "a6d45091-a808-4415-a49c-83768ce94208",
   "sub": "G0G5xfi7EMTpIqv6RWk9LL2hLobO-3ji1NA1tz3eS80",
   "tid": "7fde6064-17a0-4c0e-87d6-19883001bd0d",
   "unique_name": "joosua@ff00.info",
   "upn": "joosua@ff00.info",
   "uti": "tyDmP9YOIkSJ6CqBymQRAA",
   "ver": "1.0"
 }

Stay tuned for next part (Hardening the setup)

Br, Joosua

Tips&Tricks- Securing Activesync Access to Exchange Online with 365 MDM

Posted on lokakuu 15, 2018 by Joosua Santasalo

I’ve always felt that Office 365 MDM is obsolete option between doing just Exchange ActiveSync Policies, and going the whole nine yards with true MDM capabilities (Intune)

Today I realized that you can do at least one thing with o365 MDM, separating it from plain Exchange mobile policy, and that is securing ActiveSync enrollment

https://support.office.com/en-us/article/capabilities-of-built-in-mobile-device-management-for-office-365-a1da44e5-7475-4992-be91-9ccec25905b0?ui=en-US&rs=en-US&ad=US

Background

Most (or all) mobile OS’s apart from native iOS mail-client are missing modern auth capable native mail client, thus securing ActiveSync enrollment with 2FA is sometimes seen as bit of an question.

It’s usually addressed with one, or combination of some of the following ways:

By using Outlook mobile app
By using app passwords ( I wouldn’t recommend app passwords even to my worst enemy)
By Intune enrollment requirement
By bypassing activesync for 2FA, and requiring admin release from quarantine
Just bypassing activesync for 2FA

Now I am adding one more option to the list, (6) – Office 365 MDM – Which is pretty much my top recommendation, if you need to use non iOS native mobile clients and/or don’t have Intune available

If you’re using Azure AD Premium P1, or 3rd party MFA with AD FS, and wan’t to offer strong enrollment before allowing ActiveSync access, but don’t have Intune, then I see this as pretty tempting way of achieving some additional security for ActiveSync:

Client experience

After adding the ActiveSync profile to the mobile phone user receives very similar mail to the classic quarantine message. This is only item in the mailbox. Thus no data is exposed to the user until further verification (2 FA requiring enrollment is done)

Service side settings

Active MDM
Create test policy

And in order for this setup to work

Block non-Office365 MDM supporting devices

Company Portal App and device join (Intune) has to require second factor, otherwise the protecting qualities of this setup are done
If you wan’t to allow non-ActiveSync clients in AD FS 3rd party create filtering rule, or configure CA to filter out ActiveSync in ’Client Apps’ settings

Thats it!

Br, Joosua

Testing: Conditional Access: Strong Proof Up for Azure MFA in the cloud

Posted on syyskuu 5, 2018 by Joosua Santasalo

Update 6.May.2019: There is new feature in Conditional Access, which allows creating a different policy for updating security properties,

Cheat sheet: AD FS and Azure AD Hybrid Conditional Access

Posted on kesäkuu 2, 2018 by Joosua Santasalo

What is so great about AD FS 2016 + Azure AD Hybrid Device Join?

You get absolutely the best SSO experience with it – In fact it’s preferred over any ¹ of the existing methods in terms of the use experience when used with W10 (Standard licensing)
It works as seamless second factor for Azure AD Applications with Azure AD Conditional Access (AAD P1)
You can use it as seamless factor for your on-premises federations by requiring the presence of trusted claims in the request. In the absence of these trusted claims you can fall-back into standard 2-Factor Auth (AAD P1)
Hybrid Device Registration with AD FS is not dependent on AAD Connect to enable SSO on the device (AAD P1)
- AAD connect Synchronization links the device to corresponding Azure Device, once the on-prem device satisfies required filter conditions in metaverse

Please note, that Azure AD join is not something that replaces initial Sign-on modes, it still requires that initial sign-in has taken place before the device is paired with Azure AD to obtain SSO experience based on the PRT tokens

Major tips to get it right

Do I need any on-premises pointing device registration records to accomplish the scenario presented?

Absolutely none – In fact, if you look at the Device Registration Logs, you will find out that it explicitly states that local endpoints will NOT be enabled

DRS is in Hybrid AAD mode, registration endpoints will NOT be enabled.

Do I need to enable Device Authentication in the Authentication policies for Intra/extranet?

No – The device authentication claims in this scenario are emitted as part of Windows, or Forms authentication. This happens with the AD DS Device Object and its properties in conjunction with Primary Refresh Token, which is accounted for in the Windows Login process,

While you need to have Device Registration enabled, you don’t need to enable device authentication as method in the authentication policies.

If you look at the claims with forms authentication and Extranet login, you will see the Device Claims that were emitted as part of the FormsAuthentication

Take note of the PRT claim – You wont find it in the RP’s login trace pipeline, because it’s formed at Windows Login

If you want to peek under the hood, and understand how these DRS claims end up in the same pipeline, then check DRS trace logs

Here DRS is checking for device match

”GetDeviceKeyFromKeyCredLink” & GetDevice(ID,DC):

Is it multi-factor authentication method?

Not in the context of AD FS, but conceptually it’s Multifactor Auth (one factor more added to the on-going authentication sequence)

Is there single important action that help will me in achieving the goal?

Yes, start with the newest version of the AAD Connect. It now supports both AAD HDJ and Writeback configuration during the setup without manual scripts AAD Connect 1.1.819.0
- (DISCLAIMER: Do always review the changes made to AAD connect, and estimate if there is any change existing Relying Party trusts or sync related settings before proceeding)

What should I confirm before debugging anything else?

Assuming the pre-requisites are satisfied (AAD Connect installation, with correct configuration) and you’re not seeing this thing work, then please ensure that ”msDS-KeyCredentialLink” is getting populated in the write-back flow
- See more:[Top Issue].
- See more: Hello4Business and Hybrid Certs
Still no luck? Get intimate with Plan Device-based Conditional Access on-Premises

Coarse flow description

Click here to enlarge

Example policy using Device-Based Conditional Access

1. Requiring presence of ’known device’ when accessing on-prem federations

This policy will ensure, that unknown devices will have to perform standard multi-factor authentication, whereas known devices will be granted access based on the presence of the ’isknown’ claim with value=True
- List of Device Access Control Policies

Do I need Web Application Proxy

In my experience not, if you have capable reverse proxy, and opt for the Azure AD joined Domain devices. For Example KEMP VLM that can impersonate WAP for most of the features, and forward IP and Proxy information to AD FS via the use of headers¹

This would have been different with the non hybrid device registration which requires that SSL is terminated at the WAP's directly

Extra stuff:

One very welcome addition is, that the shared W10 and Server 2016 Devices don’t reserve this feature to only single user. Thus you get for example in remote desktop installation the Azure AD join SSO for multiple users.

Br, Joosua!

SecureCloudBlog

Mad Scientists in the realms of IAM, Azure and Office 365!

Conditional Access

LAB: Microsoft Defender ATP and Conditional Access

Tips&Tricks- Securing Activesync Access to Exchange Online with 365 MDM

Background

Client experience

Service side settings

Testing: Conditional Access: Strong Proof Up for Azure MFA in the cloud

Cheat sheet: AD FS and Azure AD Hybrid Conditional Access

Major tips to get it right

Do I need any on-premises pointing device registration records to accomplish the scenario presented?

Do I need to enable Device Authentication in the Authentication policies for Intra/extranet?

Coarse flow description

Example policy using Device-Based Conditional Access

1. Requiring presence of ’known device’ when accessing on-prem federations

Do I need Web Application Proxy

Extra stuff:

Jaa:

Tykkää tästä:

Hybrid Modern Authentication + Kerberos Constrained Delegation

”Full blown HMA” with Azure AD + KEMP

Benefits?

Configuration

Jaa:

Tykkää tästä:

Background

Client experience

Service side settings

Jaa:

Tykkää tästä:

Jaa:

Tykkää tästä:

Major tips to get it right

Do I need any on-premises pointing device registration records to accomplish the scenario presented?

Do I need to enable Device Authentication in the Authentication policies for Intra/extranet?

Coarse flow description

Example policy using Device-Based Conditional Access

1. Requiring presence of ’known device’ when accessing on-prem federations

Do I need Web Application Proxy

Extra stuff:

Jaa:

Tykkää tästä: