
Many organizations are adopting Microsoft 365 (formerly Office 365) and businesses nationwide are seeing the benefits of improved productivity through its email and collaboration solution. Organizations of all sizes can benefit from a seamless user experience between mobile and on-premise environments.

While Microsoft 365 offers great flexibility, it mostly focuses on infrastructure management rather than data management. Meaning: You are responsible for your data.

Some businesses that have migrated their workloads to Microsoft 365 do not realize that the same reasons they had for backing up and protecting that data on-premises apply even in the cloud.

If you are still considering Microsoft 365 for office productivity and collaboration, this article may be for you: Microsoft 365: Is it the right choice for your business?

Without proper backup and recovery, your data is at risk, because Microsoft isn't providing complete protection. It's important to create a backup and recovery strategy to ensure you avoid permanently losing your critical data.

It's important to understand the difference in responsibilities of Microsoft and Microsoft 365 user organizations. Microsoft hosts the infrastructure, but you are responsible for your data.


What is Microsoft's Responsibility?

Cloud Infrastructure Uptime — Microsoft focuses on the infrastructure management rather than data management. By focusing on infrastructure, Microsoft ensures its cloud service is online and operational. Guaranteed uptime is based on your agreement level and outlined in the availability SLA (Service Level Agreement).

Basic Data Replication — Microsoft provides basic data replication with datacenter-to-datacenter geo redundancy, and limited retention for short-time data recovery.

Data Processing Compliance — Compliance and controls for data processing are limited to the processor, not the data itself. Microsoft ensures data privacy, regulatory controls, and industry certifications for compliance are in place and maintained for the infrastructure of its cloud service.

Physical Infrastructure Security — Security functions for Microsoft 365 are limited to the physical infrastructure, not the data. This includes app-level security, logical security, and access controls for users and administrators.


What is the Customer's Responsibility?

Business Data in Microsoft 365 — The customer is the owner of the data that resides in the Microsoft 365 data centers. As the owner, the customer controls the data and who can access the data. All responsibility of the data is on the user to ensure data security, privacy, and retention.

Enterprise-grade Backup and Long-Term Data Retention — Implementing an enterprise-grade backup solution for Microsoft 365 can give businesses confidence to recover from security breaches, compliance exposure, and data loss. With enterprise-grade backup, a copy of the data is stored outside the environment. In the event of an incident, it provides granular and point-in-time recovery options.

Data Owner Compliance — As the data owner, the customer has the ultimate responsibility of data for internal legal and compliance teams. The customer answers to the demands from corporate and industry regulations.

Security Functions to Protect Data — Protection of data is the responsibility of the user, not Microsoft. Security controls must be implemented to protect the data from internal threats, such as accidental deletion, insider threat, and disgruntled employees, and external threats, such as malware, ransomware, and rogue applications.


What happens when Microsoft 365 is used without backup?

Microsoft only provides basic and limited retention. If you don't implement a backup strategy outside of Microsoft's native capabilities, you are opening up your business for unnecessary risk. Lack of a Microsoft 365 backup plan is a risky data strategy.

Without proper backup and recovery, your organization can expose itself to the following risks:

  • Data loss from accidental deletions
  • Ransomware attacks and security breaches
  • Insufficient retention time for regulatory compliance policies
  • Lack of data control due to potential SaaS lock-in

Organizations investing in productivity and collaboration tools should also consider their backup and retention needs as a factor in efficiency and productivity. Considering a third-party backup solution is critical for data loss avoidance.


What is the best strategy for Microsoft 365 backup?

Your data is your business. By taking a data-driven approach to your backup strategy, you recognize the critical importance of your data for your business stability.

Make Microsoft 365 Backup a Key Priority

Backup for cloud services (SaaS), such as Microsoft 365, is imperative for security and data control. Full oversight and control of data is a boardroom priority. Without backup, organizations do not have an exit strategy or freedom from SaaS lock-in because they are not in complete control of their data. Backup should be part of the conversation when buying SaaS and not an afterthought.

Consider Enterprise-grade Data Protection

When investing in backup solutions, consider integration between the Microsoft 365 environment and your existing data protection environment. Evaluate automation, security, and integration between systems when comparing enterprise-grade data protection and recovery features. Integrating SaaS into enterprise data protection can help unify data management.


What to look for in a Microsoft 365 backup solution

1) Freedom to use existing on-premise capacity for Microsoft 365 backup, or the ability to leverage another cloud for cloud backup.
2) Basic features provided, such as incremental backups, granular recovery, automation, and policy-based retention capabilities.
3) A solution capable of managing and protecting hybrid deployments and the ability to ease the full adoption of SaaS.
4) Integration between Microsoft 365 and the customer's existing data protection environment.
5) Advanced security features such as access control, SaaS usage metrics, and multifactor authentication for additional security.
6) Ability to scale up or down as business and data demand changes and as SaaS is rolled out more widely within the company.


Investing in productivity tools and the corresponding backup is an exciting adventure. When you are ready for a guide, we are here to help. We can advise on and implement a solution that fits your business needs. Contact us today to schedule a consultation.


 

Microsoft has been emphasizing Office 365 (now Microsoft 365) subscription services since the public introduction in 2011. As a result, the popularity of these services has grown to over 155 million active users as of October 2018, and is gaining new users at over 3 million seats per month. With this growth, on-going marketing, and the increasing acceptance of public cloud services, many businesses and financial institutions are starting to look at Microsoft 365.

In this article, we will highlight several pros and cons of Office 365 you should consider to determine if it's right for your business.

Microsoft 365 (formerly Office 365) encompasses several different products and services, but in this article, we will address these services in two primary areas: user applications and back-end services.

Microsoft 365 User Applications

Most Microsoft 365 subscription plans include Office applications like Word and Excel running on Windows, macOS, and portable devices running iOS and Android. Applications are also available through a web browser but most customers are interested in Microsoft 365 applications as a possible replacement for traditional Office licensing.

What are the primary differences between Microsoft 365 and traditional on-premise Office applications?
  • Microsoft 365 is an annual subscription per user or seat. Each user is entitled to run the Microsoft 365 applications on up to 5 devices for the term of the subscription. As long as you continue to pay the annual subscription, you are covered for the Office applications included in your plan.
  • Office applications through Microsoft 365 are designed to be downloaded from the O365 portal. There is no license key to determine if you have a valid license. After installation the applications routinely "check in" to the M365 (formerly O365) portal to ensure there is an active account. Because of this check-in process, IT administrators must use a specific procedure for mass deployment of M365 applications. Additionally, installation on multi-user servers like Remote Desktop Services and Citrix requires a new approach.
  • Microsoft 365 applications are designed to install features and security updates directly from Microsoft when they are released. Legacy patch management solutions like Windows Server Update Services (WSUS) and 3rd party solutions will not work with M365. This can create a challenge for regulated customers who are required to report on patch status. Scanning tools used by auditors to determine patch levels will need the ability to recognize the differences between M365 and traditional Office applications. The M365 update process could also create an issue for Office-integrated applications if a hotfix is released that affects the compatibility of those applications, as there will be no option to block that update from being installed.
  • Microsoft 365 applications utilize a feature called Click to Run. This feature, which was originally introduced with Office 2016, provides a streaming method for installing features and patches for Microsoft 365 and Office 2019 applications. Our experience is that Click to Run can use a significant amount of bandwidth if you are installing Office applications or large updates on multiple systems simultaneously.

Is licensing through Microsoft 365 less expensive than traditional licensing?

For most customers the biggest question is: "Is licensing through Microsoft 365 less expensive than traditional licensing?" The answer is "It depends!" Microsoft 365 licensing could be financially attractive if:

  • Your business always updates to the latest release of Office.
  • You want the flexibility of per user licensing.
  • You want to take advantage of the licensing of up to 5 devices for multiple systems, mobile devices, home use, etc.
  • You need a simplified update process that works anywhere the PC has Internet connectivity.
  • You need to use the browser-based applications for a specific function or employee role.
  • You plan to implement one of the Office 365 back-end services.

Microsoft 365 Back-End Services

Microsoft provides several cloud server applications through Microsoft 365 including Exchange Online (email), Skype for Business (voice and messaging collaboration), SharePoint (file collaboration), and OneDrive (file storage and sharing). These back-end services can be implemented individually, or as part of a bundle with or without the Office applications depending on the plan. However, Exchange Online vs. Exchange on-premise is receiving the most attention from our customers.

What should I look for when performing due diligence?

The security and compliance of back-end Microsoft 365 services is not significantly different than any other cloud-based application or service. The areas to research include:

  • External audit attestation – SSAE 18 or similar
  • Data location residency – production and failover scenarios
  • Data privacy policies - including encryption in transit and at rest
  • Contracts and licensing agreements
  • Intellectual property rights
  • Service Level Agreements – service availability, capacity monitoring, response time, and monetary remediation
  • Disaster recovery and data backup
  • Termination of service
  • Technical support – support hours, support ticket process, response time, location of support personnel

A few more things to consider...

As a public cloud service, Microsoft 365 has several challenges that need specific attention:

  • The business plans listed on the primary pricing pages may include applications or services that you don't need. All of the various features can be confusing and it's easy to pick the plan that is close enough without realizing exactly what's included and paying for services you will never use.
  • Most of the back-end M365 services can integrate with an on-premise Active Directory environment to simplify the management of user accounts and passwords. This provides a "single sign-on" experience for the user with one username and password for both local and M365 logins. Microsoft has several options for this integration but there are significant security implications for each option that should be reviewed very carefully.
  • Microsoft has published several technical architecture documents on how to have the best experience with Microsoft 365. The recommendations are especially important for larger deployments of 100+ employees, or customers with multiple physical locations. One of the notable recommendations is to have an Internet connection at each location with a next-generation firewall (NGFW) that can optimize Internet traffic for M365 applications. Redundant Internet connections are also strongly recommended to ensure consistent connectivity.
  • The default capabilities for email filtering, encryption, and compliance journaling in Exchange Online may not provide the same level of functionality as other add-on products you may be currently using. Many vendors now provide M365-integrated versions of these solutions, but there will be additional costs that should be included in the total.
  • Microsoft OneDrive is enabled by default on most Microsoft 365 plans. Similar to other public file sharing solutions like Dropbox, Box, and Google Drive, the use of OneDrive should be evaluated very carefully to ensure that customer confidential data is not at risk.
  • Several other vendors provide Microsoft 365 add-on products that provide additional functionality which may be useful for some businesses. Netwrix Auditor for Microsoft 365 can provide logging and reporting for security events in your M365 environment. Veeam Backup for Microsoft 365 can create an independent backup of your data to ensure it will always be available. Cloud Access Security Brokers (CASB) such as Fortinet FortiCASB and Cisco Cloudlock can provide an additional layer of security between your users and cloud services such as M365.

Discover why the default retention policies of Microsoft 365 can leave your business at risk.

It is certainly a challenge to research and evaluate cloud solutions like Microsoft 365. Financial institutions and other regulated businesses with high-security requirements have to take a thorough look at the pros and cons of any cloud solution to determine if it's the best fit for them.

CoNetrix Aspire has been providing private cloud solutions for businesses and financial institutions since 2007. Many of the potential security and compliance issues with the public cloud are more easily addressed in a private cloud environment when the solution can be customized for each business.

The combination of Office application licensing with back-end services like Exchange Online can be a good solution for some businesses. The key is to understand all of the issues related to Microsoft 365 so you can make an informed decision.

Contact CoNetrix Technology at techsales@conetrix.com if you want more information about the differences between Aspire private cloud hosting and Microsoft 365.


 

If you are like most leaders in an organization, you don't have the time or motivation to do any sort of cybersecurity assessment to mitigate risk. It's easy to question security testing and ask, "why bother." After all, doesn't it take a lot of effort to do security testing when it may not turn up any results?

However, much like a regular visit to the doctor's office for our physical health, you should find ways to regularly "check up" on your organization's cybersecurity posture. Much like a check-up with a doctor, finding irregularities or vulnerabilities early allows you to implement mitigating controls before they cause harm.

How do you manage your cyber risk? What vulnerabilities are you facing? How can you know?

In this article, we are going to discuss five "check-ups" you can do now to secure your future.

Internet Vulnerability and Exposure Assessment (IEVA)

Let's start with the external evaluation, which is similar to a doctor asking questions and poking around. It is not really an invasive procedure, and by no means will it catch everything, but it does allow the doctor to look for warning signs and make an informed decision about next steps.

The same kind of external evaluation should be performed for your network. We like to call this an "Internet Exposure and Vulnerability Assessment" or IEVA, for short. An IEVA can identify how a potential attacker can target your system from outside your network. It is designed to review controls protecting your external presence, including your perimeter devices, servers, applications, and encryption technology.

Evaluating the external perimeter of your network allows you to identify vulnerabilities in your first lines of defense. This level of knowledge allows you to focus your resources, both monetary and time, to areas providing the biggest impact making your security more efficient and effective.

An IEVA is a great place to start, but remember, this is a high-level observation. For a full assessment of external vulnerabilities, there is always one step further you can go, which is a full-on network penetration test. You can think of this as a referral from your primary care physician to a specialist. They may perform some of the same tests, but the goal is to discover and remedy flaws, which means more thorough tests may be performed.

When it comes to assessing the status of your external perimeter, consider the following questions.

  • Have you had an external vulnerability assessment or penetration test performed on your network?
  • What is the frequency of these assessments, and is that frequency sufficient to ensure your external perimeter remains secured?

A strong external perimeter will dissuade an attacker as well as alert you to persistent attempts, allowing you to be proactive instead of reactive.

Internal Vulnerability Assessments (IVA)

Let's continue with the doctor analogy. When a doctor finishes his high-level assessment, he sends you over to have lab work done. These tests are a bit more invasive and look at things that could be wrong or right internally. With results from the lab, the doctor can make a more precise diagnosis about the status of your health, seeing if previous recommendations were working as intended, or if changes needed to be made.

An "Internal Vulnerability Assessment," or IVA, works in similar ways. An IVA is a credentialed scan, preferably run with domain admin privileges. This scan can identify vulnerabilities that exist inside your network. An IVA can find vulnerabilities such as outdated software, missing patches, weak or outdated protocols, weaknesses in system hardening procedures, and many other known vulnerabilities.

With this information the Information Security Officer can make recommendations for additional controls that target these specific vulnerabilities, increasing the efficiency and effectiveness of your information technology infrastructure.

When assessing the status of your internal network, consider the following questions.

  • What types of internal assessments have you performed on your network?
    • How frequently do you conduct those assessments?
    • Do these assessments test all your internal controls?
  • Are the controls working as intended?
    • Are they mitigating the known threats as designed?
    • What proof are you relying on to verify the controls are working as intended?
    • If not, what are your short-term and long-term plans for addressing those weaknesses?

Knowing your vulnerabilities and addressing them is an ongoing process. Threat landscapes are constantly changing as are the vulnerabilities facing your organization.  Constant evaluation and upkeep are required to maintain a secure environment.

Security Awareness Training

Another way a doctor might help you physically is to provide some literature on natural ways to improve health. As you may know, people adapt to the culture that surrounds them when it comes to healthy living. If those around you eat healthily and exercise, then you are likely to do so as well. 

Culture sets the tone for nearly everything we do in life and security awareness is no different.

When assessing the status of your organization's security awareness culture, consider the following questions.

  • Is maintaining a high level of information security part of your culture, or is it a compliance box to check?
  • Does your security awareness training focus solely on policies, or does it apply to your employees' personal and professional lives?
  • Do your policies reflect security or convenience?
  • Is information security addressed both formally and informally throughout the year?
  • In your governance structure, who is accountable for the level of training provided (e.g., IT Director, ISO, CEO, etc.)?

For security awareness training to be impactful, it needs to happen frequently, be relevant to its audience, be current in its content, and start at the top of the organization.

According to a survey of financial institutions conducted by Tandem, a CoNetrix Security partner, 79% of respondents stated they believe cybersecurity awareness training directly reduces the risk of security incidents. Download the 2020 State of Cybersecurity Report for additional trends and insights.


Simulated Phishing Tests

When we visit the doctor, he asks if you exercise, how frequently, and for what duration. The more you exercise, the better you feel. The better you feel, the more exercise you are willing to do. 

Simulated phishing tests are similar to exercise. At first, your employees will think you are out to get them, but the more times they pass the test, the more times they recognize the phishing attempt, the more confidence they will have going forward, knowing they have the ability to thwart the bad guys.

An unfortunate, yet simple truth is that the human asset is any organization's weakest point when it comes to information security. This is why phishing (or variants thereof) remains the most frequently carried out cyber-attack. A particularly scary problem with phishing is that every time you put a control in place, attackers find a way around it. For instance, phishing used to primarily be about delivering a malicious file, getting the recipient to install the file, and granting the bad guy access. Today, this is still an employed tactic, but it is just as likely the attacker is trying to get the recipient to divulge important information.

Phishing tests should be frequent in nature and the results should be used to drive security awareness training. In the areas where you see success, highlight those in your next training. In the areas where you see weakness, follow up with an increased focus on identifying key elements of the phishing attempt.

Send out multiple types of phishing emails, requesting unique recipient interaction (e.g., download a file, ask for credentials or other confidential information, request immediate action, etc.). Maybe try vishing (phone calls) or smishing (SMS messages). Let your employees know that the principles for each type of social engineering are the same, and the outcomes are equally devastating.

While clicking a link or providing information is a failure, equally important is what the employee does once they have succumbed to the attack. How quickly did they notify the appropriate personnel? Was it quick enough to minimize the damage that could have been caused if the phishing email was real? Is this part of your security awareness training?

When assessing the status of your organization's simulated phishing training, consider the following questions.

  • How often do you send phishing tests to your employees?
  • What are you doing with the results?
  • Are you diversifying the types of phishing tests carried out?
  • What do you deem a "failure?"
  • What type of follow-up training do you provide?

Phishing is so prevalent because it works, and it only takes one person to make that vital mistake. Awareness is the most important control you can put in place when mitigating this threat.

Strategic Planning

When you visit a doctor's office, it is common to discuss your family's medical history. You will look at issues that you could potentially face in the future, and determine a strategic plan to help secure your future. The plan will often include recommendations based on your current health and often includes a recommendation to consult with a specialist as a preventative or early detection measure.

Identifying threats allows you to put controls in place to mitigate what you know. Having a strategic plan in place allows you to prevent or respond quickly to the unknown.

Everything we've talked about up to this point can help you identify where you are, but what is your plan to address the identified issues? How do you transition from identification to detection and prevention? How can you develop a sustainable plan? There are some basic elements, essential to any information security program, that all organizations should factor into their strategic plan.

  • A Business Continuity Plan, based on an impact analysis for each business unit to promote resilience and create restoration plans, in the event of a business disruption.
  • An Information Security Risk Assessment to identify the threats your organization faces and the controls in place to mitigate the risk of those threats.
  • An Incident Response Plan to document how your organization is going to handle an information security incident when it happens.
  • Information Security Policies to define the overarching principles your organization will follow when it comes to users, system hardening, and use of organizational or personal assets.

When assessing the status of your organization's strategic plan, consider the following questions.

  • What is the status of the organization's information security program?
  • When is the last time the program was tested?
  • What types of training and/or testing are you performing?
  • Is the information security program part of your organization's strategic plan?
  • If not, does your organization have the expertise or knowledge to change that?

If you are not sure about the status of your organization's information security program, or if necessary expertise does not exist, it may be time to look at a consultant to help put a plan in place for moving forward.

Securing Your Future

Sometimes, we all need a helping hand. When it comes to something as important as your health or the security of your network, an independent evaluation can help offer the tools you need to secure your future. If you work in a regulated industry, I look forward to hearing how your next audit, examination, and/or consultation goes, and the improvements you decide to make as we all mature together.

For your next steps towards securing your future, learn more about how CoNetrix Security can help at https://conetrix.com/security.

 


 

At CoNetrix we've helped many customers implement Multi-Factor Authentication (MFA) over the past year. Most of these implementations have been to support employees working from home or migration to cloud-based services such as Microsoft 365.

Overall I consider MFA to be a positive approach to improving account security and preventing unauthorized access due to phishing or weak passwords. But as MFA becomes more common, are there any "gotchas" that we need to consider?

I recently encountered a situation where a user was getting prompted for an MFA "allow" through a smartphone app when they weren't actively trying to log on. This type of non-interactive login using MFA is potentially dangerous because the user can become desensitized and automatically click "allow" or "approve" without knowing if it's a valid login attempt. Obviously this completely defeats the purpose of using MFA in the first place.

How do we prevent this problem?
- Ensure your MFA solution is configured so it is only used for interactive logins and not background processes or services.
- Train users that they should only see an MFA prompt when they are trying to log in, and that they must not approve logins automatically.
- If the above are not practical or effective, then consider configuring MFA to require the user to enter a code instead of approving through a push alert.
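The "gotcha" above can be spotted in authentication logs before a user becomes desensitized: a push prompt that is not preceded by an interactive sign-in from the same user is one the user did not initiate, and an approval of such a prompt is the failure mode being described. The following is an added example (not code from the original post or from any MFA vendor) that runs that check over a constructed set of events; the record layout, the field names, the user names and the 30-second linking window are all assumptions for illustration, not the export format of any particular identity provider.

```python
"""Flag multi-factor push prompts that a user did not initiate.

Added example: the record layout below is a simplified, constructed one,
not the export format of any particular MFA product or identity provider.
Each record is one authentication event as an MFA service might log it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields:
#   ts     - UTC timestamp of the event (ISO 8601)
#   user   - account name
#   kind   - "interactive" (user typed credentials at a sign-in page)
#            or "push" (the phone app received an approve/deny prompt)
#   result - for push events: "approved", "denied" or "timeout"
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T08:00:05", "user": "alice", "kind": "interactive"},
    {"ts": "2021-03-01T08:00:09", "user": "alice", "kind": "push", "result": "approved"},
    # bob: a background process keeps retrying with his password at 2 AM;
    # he never signed in, yet the third prompt was approved anyway
    {"ts": "2021-03-01T02:10:00", "user": "bob", "kind": "push", "result": "timeout"},
    {"ts": "2021-03-01T02:12:00", "user": "bob", "kind": "push", "result": "denied"},
    {"ts": "2021-03-01T02:14:00", "user": "bob", "kind": "push", "result": "approved"},
    {"ts": "2021-03-01T09:30:00", "user": "carol", "kind": "interactive"},
    {"ts": "2021-03-01T09:30:04", "user": "carol", "kind": "push", "result": "denied"},
    {"ts": "2021-03-01T09:31:10", "user": "carol", "kind": "interactive"},
    {"ts": "2021-03-01T09:31:14", "user": "carol", "kind": "push", "result": "approved"},
]

# A push prompt counts as user-initiated if the same user has an interactive
# sign-in at most this long before it. The window is an assumption to tune.
LINK_WINDOW = timedelta(seconds=30)


def _parse(ts):
    return datetime.fromisoformat(ts)


def unsolicited_pushes(events, window=LINK_WINDOW):
    """Return push prompts with no interactive sign-in by that user within `window` before them."""
    interactive = defaultdict(list)
    for e in events:
        if e["kind"] == "interactive":
            interactive[e["user"]].append(_parse(e["ts"]))
    flagged = []
    for e in events:
        if e["kind"] != "push":
            continue
        t = _parse(e["ts"])
        linked = any(0 <= (t - i).total_seconds() <= window.total_seconds()
                     for i in interactive[e["user"]])
        if not linked:
            flagged.append(e)
    return flagged


def approved_after_unsolicited(events, window=LINK_WINDOW):
    """Users who approved a prompt they did not initiate: the fatigue failure mode."""
    return sorted({e["user"] for e in unsolicited_pushes(events, window)
                   if e.get("result") == "approved"})


def push_result_counts(events):
    """Per-user tally of push outcomes; repeated denials or timeouts point at a noisy stored credential."""
    counts = defaultdict(lambda: {"approved": 0, "denied": 0, "timeout": 0})
    for e in events:
        if e["kind"] == "push":
            counts[e["user"]][e["result"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in unsolicited_pushes(SAMPLE_EVENTS):
        print(f"unsolicited push: {e['user']} at {e['ts']} -> {e['result']}")
    print("approved an unsolicited prompt:", approved_after_unsolicited(SAMPLE_EVENTS))
    print("push outcomes per user:", push_result_counts(SAMPLE_EVENTS))
```

Run against the constructed events, the script flags bob's three 2 AM prompts (no interactive sign-in at all) and names bob as the user who approved one, while alice's and carol's prompts are each linked to a sign-in seconds earlier. The per-user tally is the other signal worth watching: a user collecting denials and timeouts usually has a service or saved password retrying in the background, which is exactly the non-interactive use the first bullet above says MFA should not be wired to.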

Multi-Factor Authentication is a great solution to provide an additional layer of security to protect our businesses. However like any technology, we need to carefully consider the implementation and how it will affect our employees.


 

By: (CISA, CISSP, Security+)

Well, maybe it used to be the question, but it is no longer a question to be asked. Scanning your network is an essential part of your security protocol to ensure that customer information is secured. So, since I need to scan my systems for vulnerabilities, where do I start?

Determine the Best Product to Scan Your System

There are many good products on the market to test for system vulnerabilities. The best method is to review different products and decide which product will take care of your needs. Not only does the product need to give you information on what vulnerabilities exist on your network, but it also needs to provide you with reporting that is easy for you to read and understand. A report is only good if you can take the information and make decisions on how to remediate the findings that it observes.

Rely on Network Vendors to Conduct Your Scanning

You may be thinking, I do not have the expertise to conduct these scans and read the reports, so what do I do now? This is where you will have to rely on a network vendor or third-party to conduct your scanning. You also need to ensure you have a contract and have conducted your due diligence with this vendor because they will need an administrative account on your network to perform an administrative vulnerability scan. User accounts can be used to scan the systems but will not give you a full representation of all your vulnerabilities. The goal is to mitigate as many vulnerabilities as possible, and a good administrative scan will help you reach this goal.

Remediate Vulnerabilities on the Network

Now that I have all this information, what do I do? REMEDIATE and DOCUMENT. Yes, those two words you always love to hear that strike fear in the hearts of man. Most, if not all, scanning software will rate the criticality of each vulnerability that is found on the network. Always start with the most critical and work your way down the list. Findings will require a knowledge of the systems you are running and an understanding of how to remediate the vulnerability. If you do not have the expertise to take care of these issues, a network vendor will need to be used at this point. Some findings require changes in Active Directory, registry settings or Group Policy. When changing these settings, making the wrong move can cause tremendous damage to your network. If one of these settings needs to be changed, it is always a good practice to change the setting for one computer and test the change to ensure it does not cause issues with existing applications.

Sometimes settings cannot be changed because of the harm the change would cause to the system. If this is the case, document, document, document. The documentation should record the issue, when you will resolve it, how it was resolved, and the verification that it was in fact resolved.

Verification of the resolution is a critical part of the process. If a change is made in Active Directory, how do I know the change has actually taken effect? If there is a change in Group Policy, how do I know it has propagated to all the systems that had the vulnerability? There are multiple ways to verify that a given vulnerability has been remediated, but the best way is to rerun the scan against the system.
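As an added example (not part of the original article), here is the kind of check that answers the "has it propagated?" question between scans: a registry setting that a scanner commonly asks for is verified across every flagged host, and hosts that cannot be reached are reported rather than silently dropped. The computer names and the setting (LmCompatibilityLevel = 5, "NTLMv2 only") are assumptions; it needs WinRM access to the targets, and the pilot-first advice above applies, so run it against one machine before the whole list.

```powershell
# Added example: verify that a registry-based remediation has reached every host a scan flagged.
# Assumptions: host names and the chosen setting are illustrative; WinRM must be enabled on targets.

$Computers = @('FS01', 'APP02', 'WKS-HR-03')   # constructed list of hosts the scan flagged

# The setting the scanner asked for. LmCompatibilityLevel = 5 means "send NTLMv2 only,
# refuse LM and NTLM"; swap in whatever your report lists.
$Check = @{
    Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Name     = 'LmCompatibilityLevel'
    Expected = 5
}

function Test-RegistryRemediation {
    param(
        [string[]]  $ComputerName,
        [hashtable] $Setting
    )

    # Run the check on every host in parallel and collect one object per host.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Setting `
        -ErrorAction SilentlyContinue -ErrorVariable connErrors -ScriptBlock {
        param($s)
        # A missing value comes back as $null and is reported as non-compliant, not as an error.
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Actual    = $actual
            Expected  = $s.Expected
            Compliant = ($actual -eq $s.Expected)
        }
    }

    # Hosts that did not answer (offline, WinRM off, firewalled) are findings too:
    # a scanner cannot verify them either, so list them explicitly.
    foreach ($e in $connErrors) {
        [pscustomobject]@{
            Computer  = $e.TargetObject
            Actual    = 'UNREACHABLE'
            Expected  = $Setting.Expected
            Compliant = $false
        }
    }
}

# Pilot first (one machine), then the whole list.
Test-RegistryRemediation -ComputerName $Computers[0] -Setting $Check | Format-Table -AutoSize
$results = Test-RegistryRemediation -ComputerName $Computers -Setting $Check
$results | Sort-Object Compliant, Computer | Format-Table -AutoSize

# Anything still non-compliant goes back on the remediation list. For a GPO-delivered setting,
# 'gpupdate /force' on the host followed by a re-run is the quickest retest.
$results | Where-Object { -not $_.Compliant } | Select-Object -ExpandProperty Computer
```

The output table is the documentation trail the previous paragraph asks for: keep the pre-change and post-change runs with the finding so the verification is on file, and still rerun the scanner afterwards, since the scanner checks more than one registry value.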

Continue to Scan Your System

So how often do I need to run this scan? The frequency of the scan will be determined by your risk assessment and the size and complexity of your system. Sound familiar? It sounds like a statement that may come from your regulator or through guidance, doesn't it? If my system is not that complex, I would not have to scan as frequently, but if it is complex, open to the outside world, and serves many users, I would need to scan more frequently. A scan after any significant change (a new server, a new internet-facing service, a merger) is a good rule regardless of the schedule.

Keep Up to Date with New Vulnerabilities

New vulnerabilities are being discovered all the time, and a system that is scanned and found secure one day may be the target of a new vulnerability the next. Between scans, be sure to keep yourself aware of any new vulnerabilities that arise, especially those that affect your systems. Keep up to date by subscribing to emails from publications, vendors and regulators, and by attending webinars and seminars that deal with information technology. Sound like a full-time job? It is!

So, to scan or not to scan can never be the question again.


 

Proof-of-concept (PoC) exploitation code is now in circulation for a critical privilege escalation vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol (MS-NRPC). This vulnerability, also known as "Zerologon," is a flaw in the cryptographic handshake used when a client establishes a secure channel connection to a Windows domain controller.
 
Exploitation could allow an unauthenticated attacker with network access to a domain controller to gain domain administrator privileges on vulnerable systems. The first phase of the mitigation is to install the August 11, 2020 update on all domain controllers. The second, enforcement phase is scheduled for early 2021. Between the two phases, a patched domain controller blocks the attack for Windows machine accounts, trust accounts and other domain controllers, but still accepts (and logs) vulnerable connections from other devices, so use that window to find and fix those devices before enforcement cuts them off.
 
The mitigation update for this vulnerability was installed before the end of August for all Aspire cloud hosting systems and CoNetrix Technology customers with a patch management service agreement. All other CoNetrix Technology and CoNetrix Security customers should install this update as soon as possible.
 
For CoNetrix Technology Cybersecurity Monitoring customers, we are working with our SIEM provider to identify and send alerts when this exploit is attempted on domain controllers. However, the August 11th update must be installed before the Netlogon event log entries these alerts depend on are created. We will post an update when these new alerts are operational.
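As an added example (not part of this advisory), the following script checks every domain controller for the two things a practitioner wants to know after installing the August 11 update: whether the DC is already in enforcement mode (the FullSecureChannelProtection registry value the update introduced), and which accounts the update's new Netlogon events (IDs 5827 through 5831, logged by the NETLOGON source in the System log) have recorded. The 7-day window is arbitrary, and it assumes you run it as a domain admin from a host with the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example: Zerologon patch/enforcement status and vulnerable-connection inventory per DC.
# Assumptions: domain admin context, ActiveDirectory module, WinRM to each DC; 7-day window is arbitrary.

Import-Module ActiveDirectory
$DCs = (Get-ADDomainController -Filter *).HostName

$NetlogonEvents = @{
    5827 = 'Denied: vulnerable Netlogon connection from a machine account'
    5828 = 'Denied: vulnerable Netlogon connection from a trust account'
    5829 = 'Allowed (still vulnerable): machine account; will be denied once enforcement is on'
    5830 = 'Allowed by policy exception: machine account'
    5831 = 'Allowed by policy exception: trust account'
}

# Note the unary comma: without it PowerShell would splat the array into separate arguments.
$report = Invoke-Command -ComputerName $DCs -ArgumentList (,[int[]]$NetlogonEvents.Keys) -ScriptBlock {
    param($ids)

    # Added by the August 2020 update: 1 = enforce now instead of waiting for the second phase.
    $enf = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name FullSecureChannelProtection -ErrorAction SilentlyContinue

    # These events exist only once the update is installed, so an empty result on an
    # unpatched DC means "no visibility", not "no attempts".
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Enforcing = ($enf.FullSecureChannelProtection -eq 1)
        Events    = @($events | ForEach-Object {
            # The account name is pulled from the message text; regex kept loose on purpose.
            $acct = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Account = $acct }
        })
    }
}

foreach ($dc in $report) {
    $state = if ($dc.Enforcing) { 'ON' } else { 'OFF (patched DC logs 5829 but still allows the connection)' }
    "{0}: enforcement {1}" -f $dc.DC, $state
    $dc.Events | Group-Object Id | ForEach-Object {
        "  {0} x{1}  {2}" -f $_.Name, $_.Count, $NetlogonEvents[[int]$_.Name]
    }
    # Every distinct 5829 account is a device that needs fixing (patch, or replace it if it is a
    # non-Windows device) BEFORE enforcement, or it will be cut off from the domain.
    $dc.Events | Where-Object Id -eq 5829 | Select-Object -ExpandProperty Account -Unique |
        ForEach-Object { "    vulnerable client: $_" }
}

# Once no 5829 events remain, enforcement can be turned on early on each DC (run on the DC):
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
#     -Name FullSecureChannelProtection -Value 1 -Type DWord
```

A DC that shows enforcement OFF and no events is the case to look at first: it is most likely still unpatched, because a patched DC records 5829 the moment any legacy device connects.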
 
 
Please contact CoNetrix Customer Service at support@conetrix.com or 806-698-9600 if you have any questions or need assistance with installing the August 11th update.
 

 

I recently worked with an admin user from one of our clients. Her account kept locking out each Friday at 6 PM. I checked Netwrix and found the server that was locking the account. This was also in the Event Viewer on the domain controller. I checked the Credential Manager on that server for any cached accounts and found none. I checked the Task Scheduler and there were no scheduled tasks. I checked the Event Viewer to verify the lockout, and found the account was trying to connect to a CIFS share.

The fix was to run this command as an administrator on that server: 'rundll32 keymgr.dll,KRShowKeyMgr'.

This will open a "Store User Names and Passwords" window. In that window, I found the user ID that was locking and removed it.
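The two checks behind this fix, scripted as an added example (not the author's own steps): step 1 asks the PDC emulator, which records every lockout in the domain, for 4740 events and reports which computer caused each one; step 2, run on that computer, lists the stored credentials that the "Store User Names and Passwords" dialog shows (cmdkey /list is the text-mode view of the same store) and removes the entry for the locking account. The account name is a constructed sample, and step 2 assumes you run it in the same user context that holds the stale credential, since these stores are per user.

```powershell
# Added example: locate the source of a recurring lockout, then clear the stale stored credential.
# Assumptions: 'jdoe' is a constructed sample account; step 2 runs in the profile holding the entry.

Import-Module ActiveDirectory
$Account = 'jdoe'

# --- Step 1: where is the lockout coming from? (run from any domain-joined admin workstation) ---
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the fields by name from the event XML; in 4740 the caller computer name sits in
    # the confusingly named TargetDomainName field.
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Account        = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        CallerComputer = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
    }
} | Where-Object Account -eq $Account

$lockouts | Sort-Object Time | Format-Table -AutoSize
# A lockout that repeats at the same time every week from the same CallerComputer points at
# something scheduled or cached on that host, not at a person mistyping a password.

# --- Step 2: on the CallerComputer, list and remove the stale stored credential ---
function Get-StoredCredential {
    # Parse 'cmdkey /list' into Target/User pairs (same entries as rundll32 keymgr.dll,KRShowKeyMgr).
    $entries = @(); $cur = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $cur = [pscustomobject]@{ Target = $Matches[1].Trim(); User = $null }
            $entries += $cur
        } elseif ($cur -and $line -match '^\s*User:\s*(.+)$') {
            $cur.User = $Matches[1].Trim()
        }
    }
    $entries
}

# Only remove entries whose stored user is the account that keeps locking.
Get-StoredCredential |
    Where-Object { $_.User -eq $Account -or $_.User -like "*\$Account" -or $_.User -like "$Account@*" } |
    ForEach-Object {
        # cmdkey lists targets as 'Domain:target=server01'; /delete wants just the name part.
        $name = $_.Target -replace '^\w+:target=', ''
        "Removing stale credential for $($_.User) -> $name"
        cmdkey /delete:$name
    }
```

If step 2 finds nothing for the account, check the other profiles on that server (service accounts and scheduled-task identities have their own stores) before assuming the credential is somewhere else entirely.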


 

For most customer networks, file servers turn into a mess over the years, usually for a few reasons. First, users have access to create folders at high levels and then place data in those folders that should have restricted access. Second, users try to solve the first problem by securing those folders themselves, but end up breaking access for administrator accounts. Third, most lack a logical structure or any guidance as to where certain documents should be stored, so documents end up in multiple folders.

I have been working with a customer who had all of these issues, along with the need to merge two file structures into a single structure after the merger of their two companies. My suggestion to the customer was to come up with a structure of five to ten top-level folders that would be the shared folders. Their primary focus for the top-level folders was by department (HR, Finance, Legal, etc.). We then tightly controlled the second through fifth levels, depending on the granularity needed for the specific folder. At the controlled levels, we did not allow users to create new folders or files, and we prevented them from changing the permissions on these folders. We used a combination of list, read and read/write access on all of these folders. We created an Active Directory group for each folder and each level of access needed on that folder, then created additional Active Directory groups based on job role and made those role groups members of the permission groups used on each folder. That way a hire or transfer is one membership change on a role group rather than a pass through every folder.

After setting all of the folder permissions, I found that the owner of a file or folder still had Full Control even when the explicit NTFS permissions said otherwise. This is because the owner has implicit rights (Read Permissions and Change Permissions) regardless of the ACL, so the user who created a file could simply grant themselves Full Control. This can be fixed by adding an OWNER RIGHTS entry with no permissions selected: once an OWNER RIGHTS entry exists, it replaces the owner's implicit rights with whatever the entry grants, so the explicitly defined permissions are enforced and cannot be circumvented through ownership.

The partial folder tree shown in the screenshots below is as follows:

  • Shares – OWNER RIGHTS permissions set
    • (Other folders not shown)
      • Internal Reports – List permissions
        • Containment – Read only and Modify permissions set

Example of OWNER RIGHTS permissions. Notice no boxes are selected, which causes the owner to have no rights and the other defined permissions to be used:

Example of the Internal Reporting folder with list permissions:

Example of the Internal Reporting\Completions folder with read only access:

Example of the Internal Reporting\Completions folder with modify access. Notice "Delete" is not selected, but "Delete subfolders and files" is. Delete is part of the "Modify" permission set, so this entry is no longer a true "Modify" entry and shows as "Special". (Note that "Delete subfolders and files" on a folder still lets members delete the files and subfolders inside it; what it withholds is deleting the folder itself.)
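The permission model described above, built with icacls and Active Directory groups as an added example (not the customer's or the author's own script). The D:\Shares path, the OU, the CORP domain and all group names are assumptions. One difference from the screenshots: the GUI lets you add OWNER RIGHTS with nothing ticked, whereas icacls requires at least one right in the entry, so here OWNER RIGHTS gets only Read Attributes (RA); either way the entry replaces the owner's implicit Read Permissions/Change Permissions, which is what stops owners from rewriting their own ACLs.

```powershell
# Added example: folder tree, permission groups, role groups and NTFS ACEs for the model above.
# Assumptions: D:\Shares, the OU, the CORP domain and all group names are illustrative.

Import-Module ActiveDirectory
$Root = 'D:\Shares'
$OU   = 'OU=ACL Groups,DC=corp,DC=local'
$Dom  = 'CORP'

# One domain-local group per folder + access level (the "permission" groups)...
$PermGroups = @{
    'ACL_InternalReports_List' = 'List folder contents on Shares\Internal Reports'
    'ACL_Containment_R'        = 'Read on Shares\Internal Reports\Containment'
    'ACL_Containment_M'        = 'Modify without Delete on Shares\Internal Reports\Containment'
}
# ...and global role groups nested into them.
$RoleGroups = @{
    'Role_ComplianceAnalyst' = @('ACL_InternalReports_List', 'ACL_Containment_M')
    'Role_Auditor'           = @('ACL_InternalReports_List', 'ACL_Containment_R')
}

foreach ($g in $PermGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $OU -Description $PermGroups[$g]
    }
}
foreach ($r in $RoleGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$r'")) {
        New-ADGroup -Name $r -GroupScope Global -GroupCategory Security -Path $OU
    }
    foreach ($g in $RoleGroups[$r]) { Add-ADGroupMember -Identity $g -Members $r }
}

# Folders. /inheritance:r on the root discards the volume defaults, including the usual
# "CREATOR OWNER: Full Control" entry that hands owners everything.
New-Item -ItemType Directory -Force -Path "$Root\Internal Reports\Containment" | Out-Null
icacls $Root /inheritance:r
icacls $Root /grant "*S-1-3-4:(OI)(CI)(RA)"           # OWNER RIGHTS = well-known SID S-1-3-4
icacls $Root /grant "SYSTEM:(OI)(CI)F" "$Dom\Domain Admins:(OI)(CI)F"
icacls $Root /grant "Authenticated Users:(RX)"         # this folder only: see the department folders

# Internal Reports: "List folder contents" = Read & Execute inherited by subfolders only (CI, no OI),
# so members see names but cannot open files. Specific-rights form: RD read data/list directory,
# RA/REA attributes, RC read permissions, X traverse, S synchronize.
icacls "$Root\Internal Reports" /grant "$Dom\ACL_InternalReports_List:(CI)(RD,RA,REA,RC,X,S)"

# Containment: the read-only group gets Read & Execute on folders and files...
icacls "$Root\Internal Reports\Containment" /grant "$Dom\ACL_Containment_R:(OI)(CI)RX"
# ...the modify group gets everything in Modify except Delete (D). DC = delete subfolders and files,
# which still allows deleting items inside Containment, just not the Containment folder itself.
icacls "$Root\Internal Reports\Containment" /grant "$Dom\ACL_Containment_M:(OI)(CI)(RD,RA,REA,RC,X,S,WD,AD,WA,WEA,DC)"

# Verify: OWNER RIGHTS shows up as its SID, and the modify entry as a specific-rights list.
icacls "$Root\Internal Reports\Containment"
```

Because the role groups are the only things users are ever placed in, the icacls part runs once per folder and the ACLs never need to be touched again when people move between departments.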


 

I've run into this issue a few times over the past few months and the fix has been roughly the same each time. Typically, a user account is created in Azure AD with a specific username/UPN, and later an account is synced from the on-premises Active Directory with the same username/UPN. Azure AD tries to reconcile this automatically during the sync by renaming the synced account and appending numbers to the end.

Naturally, this is a problem if you need the on-premises AD account to be the authoritative copy. The first thing to resolve is whatever is causing the conflict in the first place (the cloud-only object holding the duplicate value). Once that is resolved, Azure AD won't automatically rename everything back: Azure AD Connect only exports an attribute when it changes on the source, and since the source attribute has not changed since the original sync, the renamed value stays put.

Since deleting and re-creating the on-premises account isn't always the best option, the solution is fairly simple: update the attribute on the source side to some temporary value, force a delta sync, update the attribute back, and force a delta sync again.

For example, if the email address of your on-premises user is tuser@domain.com and the Azure AD account shows the primary SMTP address as tuser5589@domain.com, update the primary SMTP value in the proxyAddresses attribute to tuser1@domain.com and force a delta sync. Azure AD should then show tuser1 as the primary SMTP value with tuser5589 no longer listed. Once you see that, change it back to tuser@domain.com and force another delta sync. The temporary value needs to be unique in the tenant and in a verified domain, otherwise the sync will not accept it and you will be chasing a second conflict.

I've had to run through similar steps for both the proxyAddresses and the UPN attributes of conflicting objects.
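The "temporary value, delta sync, real value, delta sync" sequence scripted as an added example (not the author's own script), so that the other proxyAddresses entries are preserved and each sync is allowed to finish before the attribute changes again. It assumes it runs on the Azure AD Connect server (ADSync module) with the ActiveDirectory module installed, reuses the tuser/domain.com values from the post, and assumes Get-ADSyncConnectorRunStatus returns nothing while the sync engine is idle.

```powershell
# Added example: nudge a conflicted primary SMTP address back through Azure AD Connect.
# Assumptions: run on the Azure AD Connect server; tuser/domain.com are the post's sample values;
# the temporary address is unique in the tenant and in a verified domain.

Import-Module ActiveDirectory
Import-Module ADSync

$Sam       = 'tuser'
$Primary   = 'SMTP:tuser@domain.com'    # the value that should win
$Temporary = 'SMTP:tuser1@domain.com'   # unique, verified-domain placeholder

function Set-PrimarySmtp {
    param([string]$SamAccountName, [string]$NewPrimary)
    $u = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    # Keep every secondary entry (lower-case smtp:, SIP:, X500:, ...); replace only the single
    # upper-case SMTP: entry, and drop any secondary that equals the new primary.
    $others = @($u.proxyAddresses | Where-Object { $_ -cnotlike 'SMTP:*' -and $_ -ine $NewPrimary })
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = [string[]](@($NewPrimary) + $others) }
}

function Invoke-DeltaSyncAndWait {
    # Do not start a cycle while one is running; Start-ADSyncSyncCycle refuses that anyway.
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 5 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 10
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 5 }
}

# Pass 1: temporary value out to Azure AD.
Set-PrimarySmtp -SamAccountName $Sam -NewPrimary $Temporary
Invoke-DeltaSyncAndWait
# Check the cloud object now shows tuser1 and no tuser5589 before continuing
# (for example: Get-MsolUser -UserPrincipalName tuser@domain.com | Select-Object ProxyAddresses).

# Pass 2: real value back; the conflict having been removed, it now exports cleanly.
Set-PrimarySmtp -SamAccountName $Sam -NewPrimary $Primary
Invoke-DeltaSyncAndWait

# Final state on-premises; the SMTP: entry should be the real primary and nothing else changed.
(Get-ADUser -Identity $Sam -Properties proxyAddresses).proxyAddresses

# The same two-pass trick works for a renamed UPN: Set-ADUser -UserPrincipalName <temporary>,
# delta sync, Set-ADUser -UserPrincipalName <real>, delta sync.
```

The check between the two passes matters: if the cloud object still shows the numbered value after pass 1, the original conflict has not actually been cleared, and pass 2 will only recreate it.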


 

We have a customer that I'm working with to rebuild their RDS farm from 2008 R2 servers to 2016. Once I finished the initial deployment, I began testing the builds and realized pretty quickly that I couldn't open the Start menu or even use the search feature in the taskbar, no matter what I tried.

I was using the same group policies that were currently applied to their existing farm, thinking the transition would be smooth, but that turned out not to be the case. I was eventually able to narrow it down to a single policy, but I also made the mistake of using Group Policy Management from their existing 2008 R2 management server, which I discovered later complicated the troubleshooting: the setting causing the issue isn't visible from the 2008 R2 console.

It ultimately turned out to be due to AppLocker's Packaged app Rules, a rule collection introduced in Server 2012 and later. Since that collection had never been configured before, there was no default rule to allow signed packaged apps, and on Server 2016 the Start menu and taskbar search are themselves packaged apps, so with no allow rule they were blocked.
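As an added example (not the author's own script), the following can be run on the affected 2016 RDS host to see what the effective AppLocker policy says about the Start menu's package, and to produce the missing default Packaged app rule as XML that can be merged into the GPO. The GPO LDAP path is a placeholder; it assumes Microsoft.Windows.ShellExperienceHost and Microsoft.Windows.Cortana are the Start menu and search packages on Server 2016, and uses S-1-1-0 (Everyone) as the rule's principal, which is what the GUI's "Create Default Rules" does.

```powershell
# Added example: diagnose the Packaged app rule collection on the host, and build the default allow rule.
# Assumptions: run on the 2016 RDS host; the LDAP path below is a placeholder to replace with the real GPO.

Import-Module AppLocker

# 1. The effective policy as this host sees it. The Appx collection is present here even
#    though a 2008 R2 GPMC console has no node to show it.
$xml  = [xml](Get-AppLockerPolicy -Effective -Xml)
$appx = $xml.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Appx'
if ($null -eq $appx) {
    'No Packaged app rule collection in the effective policy.'
} else {
    "Packaged app collection: EnforcementMode={0}, rules={1}" -f $appx.EnforcementMode, @($appx.ChildNodes).Count
}

# 2. Would the Start menu and search be allowed? Test the actual packages against the policy.
$shellPkgs = Get-AppxPackage | Where-Object Name -in 'Microsoft.Windows.ShellExperienceHost', 'Microsoft.Windows.Cortana'
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Packages $shellPkgs

# 3. The rule GPMC creates when you click "Create Default Rules" under Packaged app Rules:
#    Everyone may run any signed packaged app (unsigned ones stay blocked).
$ruleXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
        Description="Allows members of the Everyone group to run packaged apps that are signed."
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$rulePath = Join-Path $env:TEMP 'appx-default-rule.xml'
$ruleXml | Set-Content -Path $rulePath -Encoding UTF8

# 4. Merge into the RDS GPO (-Merge keeps the existing Executable/Script/DLL collections intact),
#    refresh policy on the host, and re-run the test from step 2. Uncomment once the LDAP path is real.
# Set-AppLockerPolicy -XmlPolicy $rulePath -Merge -Ldap 'LDAP://DC01/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local'
# gpupdate /force
# Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Packages $shellPkgs
```

Running step 2 before and after the merge gives a clean before/after record, and because the merged policy is the one the host actually reports, it sidesteps the console-version problem described above entirely.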