Blog: Microsoft

Many organizations are adopting Microsoft 365 (formerly Office 365) and businesses nationwide are seeing the benefits of improved productivity through its email and collaboration solution. Organizations of all sizes can benefit from a seamless user experience between mobile and on-premise environments.

While Microsoft 365 offers great flexibility, it mostly focuses on infrastructure management rather than data management. Meaning: You are responsible for your data.

Some businesses who have migrated their workloads to Microsoft 365 do not realize that the same reasons they had for backing up and protecting that data on-premises applies even in the cloud.

If you are still considering Microsoft 365 for office productivity and collaboration, this article may be for you: Microsoft 365: Is it the right choice for your business?

Without proper backup and recovery, your data is at risk, because Microsoft isn't providing complete protection. It's important to create a backup and recovery strategy to ensure you avoid permanently losing your critical data.

It's important to understand the difference in responsibilities of Microsoft and Microsoft 365 user organizations. Microsoft hosts the infrastructure, but you are responsible for your data.


What is Microsoft's Responsibility?

Cloud Infrastructure Uptime — Microsoft focuses on the infrastructure management rather than data management. By focusing on infrastructure, Microsoft ensures its cloud service is online and operational. Guaranteed uptime is based on your agreement level and outlined in the availability SLA (Service Level Agreement).

Basic Data Replication — Microsoft provides basic data replication with datacenter-to-datacenter geo redundancy, and limited retention for short-time data recovery.

Data Processing Compliance — Compliance and controls for data processing are limited to the processor, not the data itself. Microsoft ensures data privacy, regulatory controls, and industry certifications for compliance are in place and maintained for the infrastructure of its cloud service.

Physical Infrastructure Security — Security functions for Microsoft 365 are limited to physical infrastructure, not data. It includes app-level security, logical security, and access controls for users and administrators.


What is the Customer's Responsibility?

Business Data in Microsoft 365 — The customer is the owner of the data that resides in the Microsoft 365 data centers. As the owner, the customer controls the data and who can access the data. All responsibility of the data is on the user to ensure data security, privacy, and retention.

Enterprise-grade Backup and Long-Term Data Retention — Implementing an enterprise-grade backup solution for Microsoft 365 can give businesses confidence to recover from security breaches, compliance exposure, and data loss. With enterprise-grade backup, a copy of the data is stored outside the environment. In the event of an incident, it provides granular and point-in-time recovery options.

Data Owner Compliance — As the data owner, the customer has the ultimate responsibility of data for internal legal and compliance teams. The customer answers to the demands from corporate and industry regulations.

Security Functions to Protect Data — Protection of data is the responsibility of the user, not Microsoft. Security controls must be implemented to protect the data from internal threats, such as accidental deletion, insider threat, and disgruntled employees, and external threats, such as malware, ransomware, and rogue applications.


What happens when Microsoft 365 is used without backup?

Microsoft only provides basic and limited retention. If you don't implement a backup strategy outside of Microsoft's native capabilities, you are opening up your business for unnecessary risk. Lack of a Microsoft 365 backup plan is a risky data strategy.

Without proper backup and recovery, your organization can expose itself to the following risks:

  • Data loss from accidental deletions
  • Ransomware attacks and security breaches
  • Insufficient retention time for regulatory compliance policies
  • Lack of data control due to potential SaaS lock-in

Organizations investing in productivity and collaboration tools should also consider their backup and retention needs as a factor in efficiency and productivity. Considering a third-party backup solution is critical for data loss avoidance.


What is the best strategy for Microsoft 365 backup?

Your data is your business. By taking a data-driven approach to your backup strategy, you recognize the critical importance of your data for your business stability.

Make Microsoft 365 Backup a Key Priority

Backup for cloud services (SaaS), such as Microsoft 365, is imperative for security and data control. Full oversight and control of data is a boardroom priority. Without backup, organizations do not have an exit strategy or freedom from SaaS lock-in because they are not in complete control of their data. Backup should be part of the conversation when buying SaaS and not an afterthought.

Consider Enterprise-grade Data Protection

When investing in backup solutions, consider integration between the Microsoft 365 environment and your existing data protection environment. Evaluate automation, security, and integration between systems when comparing enterprise-grade data protection and recovery features. Integrating SaaS into enterprise data protection can help unify data management.


What to look for in a Microsoft 365 backup solution

1) Freedom to use existing on-premise capacity for Microsoft 365 backup, or the ability to leverage another cloud for cloud backup.
2) Basic features provided, such as incremental backups, granular recovery, automation, and policy-based retention capabilities.
3) A solution capable of managing and protecting hybrid deployments and the ability to ease the full adoption of SaaS.
4) Integration between Microsoft 365 and the customer's existing data protection environment.
5) Advanced security features such as access control, SaaS usage metrics, and multifactor authentication for additional security.
6) Ability to scale up or down as business and data demand changes and as SaaS is rolled out more widely within the company.


Investing in productivity tools and the corresponding backup is an exciting adventure. When you are ready for a guide, we are here to help. We can advise on and implement a solution that fits your business needs. Contact us today to schedule a consultation.


 

Proof-of-concept (PoC) exploitation code is now in circulation for a critical privilege elevation vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol (MS-NRPC). This vulnerability, also known as "Zerologon," occurs when establishing a secure channel connection to a Windows domain controller. 
 
Exploitation could allow an unauthenticated remote attacker on the local network to gain domain administrator privileges on vulnerable systems. The first phase to mitigate this vulnerability is to install the August 11th, 2020 update patch to all domain controllers. The second phase is scheduled to be released in early 2021.
 
The mitigation update for this vulnerability was installed before the end of August for all Aspire cloud hosting systems and CoNetrix Technology customers with a patch management service agreement. All other CoNetrix Technology and CoNetrix Security customers should install this update as soon as possible.
 
For CoNetrix Technology Cybersecurity Monitoring customers, we are working with our SIEM provider to identify and send alerts when this exploit is attempted on domain controllers. However, the August 11th update is required to be installed before the security log entries will be created. We will post an update when these new alerts are operational.
 
 
Please contact CoNetrix Customer Service at support@conetrix.com or 806-698-9600 if you have any questions or need assistance with installing the August 11th update.
 

 

The May 2019 Microsoft patch releases included an update for a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) that affects Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2.

This vulnerability allows an unauthenticated attacker (or malware) to remotely execute code on the vulnerable system. It is considered as VERY high risk, particularly for systems with Remote Desktop Protocol (RDP, port 3389) directly exposed to the Internet. However if a system inside the network is compromised it could easily spread to other PC's and servers because RDP is enabled by default.

CoNetrix strongly recommends all customers ensure the May updates are installed as soon as possible.

Microsoft has not only released updates for Windows 7, Server 2008 & R2, but also has issued updates for Windows XP and Server 2003 which are not officially supported.

All CoNetrix Technology customers with managed services agreements and all cloud hosted Aspire systems, were updated shortly after this vulnerability was announced.

This vulnerability can be mitigated by enabling Network Level Authentication (NLA) - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11). Additionally CoNetrix recommends disabling RDP access over the Internet to internal systems.


 

With our move to Nessus for our audit scanning, we are digging deeper into unsupported software. In these checks, there has been a software that has shown up across a majority of different customers which is unsupported Microsoft XML Parser and XML Core Services.
 
Microsoft XML Parser and XML Core Services are used to create and validate data in XML documents and have the ability to parse and process the data. More info can be found here: https://searchmicroservices.techtarget.com/definition/XML-Core-Services
 
One customer that I was working with had questions about the software because it was showing up as unsupported for a server that they just installed on the network. After doing some investigation, we found that the server did in fact have the unsupported Microsoft XML Parser and XML Core Services installed along with the current version of the software. After doing some additional research, it appears that when there is a new version of the software released, the update installs the new software, but does not remove the old unsupported software.
 
If the current version of the software is installed, then the unsupported versions can be removed manually.
 

 

The Microsoft Assessment Planning (MAP) Toolkit is a useful utility that can be used to gather hardware and software information for workstations and servers. After installing the toolkit, you can provide domain credentials which it uses to poll each device in Active Directory and gather information about the devices it finds. This data can be viewed through various Excel reports and can help to shorten the time it takes to fill out an audit questionnaire.
 
The toolkit can be downloaded from: https://www.microsoft.com/en-us/download/details.aspx?&id=7826
 


 

We recently encountered a strange issue with a customer running Outlook 2010 in an Exchange 2007 environment. Some users (not all) would randomly get certificate warning pop-ups in Outlook. The certificate warnings indicated the Fully Qualified Domain Name (FQDN) "autodiscover.customerdomain.com" wasn’t on the certificate. The certificate warning was legitimate; that FQDN was not on the certificate because this customer didn't have a UCC certificate.

However, all the autodiscover SCP records had been changed via Powershell to point the autodiscover URL to "webmail.customerdomain.com" which WAS on the certificate. All the PCs were joined to the Active Directory domain so the SCP lookup should have had precedence over any other autodiscover method. Doing an autodiscover check via the Outlook system tray icon indicated the certificate warning pop-up and all the values returned by the test were all correct.

The question was why were these PC's even contacting "autodiscover.customerdomain.com"? After much troubleshooting, we found that even though the domain SCP records were correct, some Outlook clients were also doing DNS lookups for "autodiscover.customerdomain.com" in parallel with the SCP lookup. Checking DNS there was an "autodiscover.customerdomain.com" A record and pointed to the IP address of the Exchange server; however, since that FQDN wasn’t a subject alternate name on the certificate, it would have legitimately generated the certificate warning.

The resolution was to simply remove the "autodiscover.customerdomain.com" A record from DNS and we added SRV records for good measure. It doesn’t seem like having that A record in DNS would have mattered since the autodiscover priority shouldn’t have ever used it, but from now on we will use DNS SRV records and SCP exclusively for Exchange autodiscover.


 

The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions Microsoft will discontinue extended support for Windows XP effective April 8, 2014.  After this date, Microsoft will no longer provide secruity patches or support for the Windows XP Operating System.  To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf 

 

Starting in Windows 7 and Windows Server 2008 R2, Microsoft introduced sub-category configuration audit policies.  This provides administrators with added granularity when deciding which event logs are necessary to be logged.  More on  Advanced Audit Policies can be found here: http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx [more]

The following command will pull the configuration for all of the new advanced security audit policies:

audipol /get /category:*

 

Several of our customers have been confused recently regarding the number of Microsoft licenses they own.  The issue is confused by Microsoft’s process itself.  When a customer purchases licensing they are issued an Open Business Authorization certificate which states the number of licenses purchased.

The client is also issued a set of keys to install the purchased licenses.  The license number and the number of times the customer can use the key are very confusing.  In fact the key can be used roughly 5 times per 1 license.  As an example, if a customer purchases 10 Windows Server licenses, the associated key may state a quantity of 50.  This actually means you can activate the key 50 times on the same 10 licenses.

If you seem to have extra licenses that magically appeared, make sure you are looking at your certificate and not the number associated with the keys.


 

You assume, that both Microsoft and Lenovo will create a restore point before applying updates to your computer. I did… and it cost me dearly!  I had to rebuild my machine from scratch!  Restore points require disk storage, and there is a screen (see below) where the amount of the disk to be used for restore points is specified.  In my case the amount was set to “0” (zero), and then when the Lenovo updater tries to create a restore point, it failed. There was no warning that it failed! [more]