Microsoft Windows Defender ATP Protection Step by Step implementation and Configuration - Part 2

Posted by Ahmed Nabil
In part 1 of this series I went through the configuration of the new Windows Defender ATP service. In this post I will move forward, run a demo attack and show how it is analyzed in the ATP portal.

For more Info please check Part 1

http://itcalls.blogspot.com.eg/2016/12/microsoft-windows-defender-atp.html

The main goal of this article is to understand how attacks are reported and how to analyze them and navigate the ATP portal. Microsoft did a good job and provided a Do It Yourself (DIY) document for any user who is undergoing an ATP trial. These are safe scenarios, with no harm, to test and explore the functionality of ATP (only to be used in test environments).

So based on this DIY attack scenario document, the attack sequence is as follows:

  1. The user receives a link in an email (a typical type of attack) asking them to download a normal-looking Word file. This "fake" Word document carries a bad macro that drops a malicious executable on the machine.
     A few points to consider here: the attacker will look for the user most likely to click this link without hesitation, targeting profiles of users who don't take security seriously. The number one source for this information about your users and their interests is social media such as LinkedIn and Facebook. A user might be a huge football fan, and the whole document/process will be geared towards this interest (targeted attacks). A very nice tool that can help you scan each and every link in your email is Office 365 Advanced Threat Protection, which is different from Defender ATP, as I explained in my first post.
  2. This executable opens a backdoor that allows the attacker to run commands on the victim machine. In our test scenario (Microsoft DIY document) it opens PowerShell.
  3. The last step is running a couple of reconnaissance commands, copying a few files and getting some system info to complete the scenario. In real-life scenarios this could be wiping your hard disk or encrypting it (ransomware).

So in our case I received the file, opened it and that's it: the executable runs, a session is opened with the attacker's server and I am completely hacked.

So let us take a look at the ATP portal dashboard after simulating the attack.

An active alert is displayed showing that a Right-to-Left Override (RLO) technique was used. The Right-to-Left Override is a Unicode control character meant for scripts written from right to left, such as Arabic; the problem is that it can be used to hide something bad and display it in another form. In our case the malware was hidden in this file and, using this technique, it was shown to users as a Word file, which they didn't suspect and opened.

For more info on the RLO, please check the below link

https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/
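The check below is an added example, not part of the original post or of the Microsoft DIY document. It shows the RLO trick from the defender's side: given attachment or file names, it reports which ones contain Unicode bidirectional override characters (U+202A to U+202E and U+2066 to U+2069; U+202E is the one RLO uses), what the user would see on screen, and what the real extension is. The sample names are constructed for the demo; the rendering model (text after the override drawn reversed) is a deliberate simplification of the full Unicode bidi algorithm, which is enough to show the disguise.

```powershell
# Added example: flag file names that use a Right-to-Left Override to disguise an executable.
# The sample names below are constructed; nothing here comes from the original post.

$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.hta')
$BidiCodePoints       = @(0x202A..0x202E) + @(0x2066..0x2069)   # LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI

function Get-ApparentFileName {
    param([Parameter(Mandatory)][string]$Name)
    # Simplified rendering model: everything after a RIGHT-TO-LEFT OVERRIDE (U+202E) is drawn
    # reversed and the override itself is invisible. This is what the user sees in Explorer/Outlook.
    $idx = $Name.IndexOf([char]0x202E)
    if ($idx -lt 0) { return $Name }
    $tail = $Name.Substring($idx + 1).ToCharArray()
    [array]::Reverse($tail)
    return $Name.Substring(0, $idx) + (-join $tail)
}

function Get-Extension {
    param([string]$Name)
    # Last dot-delimited suffix, lower-cased; a plain regex so odd characters cannot throw
    if ($Name -match '(\.[^.\\/]+)$') { return $Matches[1].ToLowerInvariant() }
    return ''
}

function Show-Controls {
    param([string]$Name)
    # Replace each bidi control with a visible <U+XXXX> tag so the console does not reorder the text
    -join ($Name.ToCharArray() | ForEach-Object {
        if ([int]$_ -in $BidiCodePoints) { '<U+{0:X4}>' -f [int]$_ } else { [string]$_ }
    })
}

function Test-RloFileName {
    param([Parameter(Mandatory)][string]$Name)
    $hasOverride = $Name -match '[\u202A-\u202E\u2066-\u2069]'
    $apparent    = Get-ApparentFileName -Name $Name
    $realExt     = Get-Extension -Name $Name
    $apparentExt = Get-Extension -Name $apparent

    if (-not $hasOverride) { $verdict = 'Clean' }
    elseif ($ExecutableExtensions -contains $realExt) { $verdict = "Block: executable shown as $apparentExt" }
    else { $verdict = 'Review: bidi override in name' }

    [pscustomobject]@{
        RawName           = Show-Controls -Name $Name
        HasBidiOverride   = $hasOverride
        ApparentName      = $apparent
        ApparentExtension = $apparentExt
        RealExtension     = $realExt
        Verdict           = $verdict
    }
}

# Constructed sample names (the second one is the pattern used in the DIY scenario)
$rlo = [char]0x202E
$samples = @(
    'Quarterly_report.docx'
    "Invoice_${rlo}cod.exe"     # displayed as Invoice_exe.doc, really an .exe
    "holiday_${rlo}gnp.scr"     # displayed as holiday_rcs.png, really a screensaver executable
    "notes${rlo}txt.pdf"        # override present, but the real file is a .pdf
)
$samples | ForEach-Object { Test-RloFileName -Name $_ } | Format-Table -AutoSize
```

Run it in an elevated or normal PowerShell session on any Windows 10 machine; feed it `Get-ChildItem` names or attachment names exported from your mail gateway instead of the constructed samples to sweep a mailbox or a share. The same regex is usable as a mail-flow rule condition if your gateway supports regular expressions on attachment names.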

You can click on this alert to dive into more details on how this attack occurred, how it was triggered on the user machine, which applications were used, etc.

This gives you more info on the attack and how it was triggered on the user's machine: starting with outlook.exe, then opening the email and clicking the attachment, which opened the Word file carrying the malware that loaded PowerShell. This is a complete, detailed tree of the attack process using the RLO technique.

We can also check the machines list and open the suspected machine to check other events, as shown below:

The machine view displays all alerts, warnings and events on this machine. The other stages of our attack scenario are listed here: the RLO technique, hiding files, running suspicious PowerShell and running some commands (the whole picture).

Of course you can configure ATP to send you email alerts once these attacks are detected and reported.

One important thing to note about Windows Defender ATP is that it is an EDR product (Endpoint Detection and Response). It is behavior based, so it takes some time to detect these attacks, unlike real-time protection tools such as antivirus, firewalls, etc.

Detection time varies with the complexity of the attack. A simple attack will be displayed on the ATP portal in no time; a very complex one will take a while to show up on the portal, as it needs more time for analysis.

The ATP team is working hard on improving this accuracy and adding integration with other services such as Office 365 and the Microsoft ATA solution.

I would highly recommend going for a trial and checking out this nice solution. The industry average time to detect a breach without EDR is 146 days, so detecting them in a few hours using ATP will definitely add more defense to your current environment.

Hope this post was helpful and enjoy your ATP trial.



Microsoft Windows Defender ATP Protection Step by Step implementation and Configuration - Part 1

Posted by Ahmed Nabil
Before the close of 2016 I would like to share with you a very cool new security service recently offered by Microsoft to detect and respond to advanced targeted attacks. Information security attacks are getting more complex and need several layers of protection and, more importantly, a different way of analyzing and detecting such threats.

Windows Defender Advanced Threat Protection is based on Windows 10 clients and serves as post-breach protection for investigating and responding to threats, while the Windows 10 client itself is already fully packed with pre-breach protection such as Credential Guard, Device Guard, information protection, etc.

For some reason Microsoft uses the term Advanced Threat Protection widely across several products, which causes confusion for users. Basically there are three services/tools sharing the same name:

  1. Office 365 Advanced Threat Protection (ATP). This service is mainly concerned with protecting your email from advanced threats in real time, for example by inspecting all Internet links arriving in your email. You need an Office 365 E5 license for it to work.
  2. Microsoft Advanced Threat Analytics (ATA). This tool is based on user behavior and machine learning to detect attacks, with a main focus on credentials (Pass the Hash, Pass the Ticket, etc.) as well as common and known threats to your network. Please check my earlier blog series on ATA: https://itcalls.blogspot.com.eg/2016/04/microsoft-advanced-threat-analytics-ata.html
  3. Windows Defender Advanced Threat Protection. This is the service this blog targets, and it is mainly concerned with your endpoint device (Windows 10). You need a Windows E5 license to run it.

So what are the requirements to get enrolled and run Windows Defender ATP?

  1. It runs only on Windows 10 Update 1 and later (Windows 10 RTM won't work). Also, not all Windows 10 editions are supported (Home edition won't work).
  2. The service lives in the cloud, so the Windows 10 client needs access to the Internet to contact it.
  3. Windows Defender ATP is not the same as the local Windows Defender AV installed by default on Windows 10; however, it needs some components from it, such as the ELAM driver (Early Launch Anti-Malware). So the ideal situation is that the default Windows Defender is your main real-time protection against viruses, in which case you don't have to worry about anything. However, if you are using another AV such as Symantec or McAfee as the main real-time protection, ATP still needs the ELAM driver running. By default, when you install a third-party AV such as Symantec or Kaspersky, the local Windows Defender AV enters passive mode, where the ELAM driver keeps running and the engine keeps updating but it no longer acts as your real-time protection. So if you have a third-party AV, don't block or disable Windows Defender on the local machine, as this will cause ATP to stop functioning.
     For more details on Windows Defender ATP requirements, please check: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection

So the normal process is that you contact your Microsoft Account Manager and ask for the Windows Volume License E5, and after purchasing the needed licenses you get a notification that it is activated. The process of configuring and implementing ATP once it is purchased is as follows:

  1. Open the Windows Defender ATP portal https://securitycenter.windows.com/, log in using your corporate credentials and on the Welcome screen click Next, as shown below.
  2. The next step is a very crucial decision because it cannot be reverted later, once you are up and running. It deals with the storage location of your data: whether you prefer to store it in the US or in Europe (some organizations have policies to store their data in Europe, for example). If you want to change it later you will need to offboard all your clients, reset the whole subscription (this needs Microsoft Support) and create everything from scratch again.
  3. Choose the period of time you want to keep your data in the cloud (you can change this later if needed).
  4. Pick your organization size and anticipate any planned growth (this preference cannot be changed later on).
  5. Choose your industry and your organization's main scope of work. This setting can be changed later and will provide insights on any alerts or threats targeted at a specific industry.
  6. You will get a warning that some changes cannot be reverted, as mentioned earlier for the storage location and organization size. Click Continue to create your cloud instance.
  7. The final step after the ATP cloud instance is created is to onboard your clients (point them to the ATP instance) and activate this protection on their machines. To do so you need to install a very simple package on your client machines; in this step you are offered all kinds of distribution types, such as SCCM for your domain machines with the SCCM client, an Intune package for your BYOD devices, Group Policy, etc. In our test case I used the local script, which just installs the needed files, and ran it manually on the client. You need to run this script file from an elevated Command Prompt.
  8. In our case I installed ATP on 3 machines, and the ATP portal dashboard is shown below.
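A post-onboarding check, added here as an example and not part of the original post or of Microsoft's onboarding package. It verifies from an elevated PowerShell prompt the pieces the requirements list above depends on: the ATP sensor service, the Windows Defender ELAM driver, and that the local Windows Defender service has not been disabled by a third-party AV install. Assumptions: the sensor runs as the Windows service named Sense, the ELAM driver is WdBoot, and the onboarding result is recorded under the registry key used below (the location Microsoft documented for the service at the time; confirm it against current documentation for your build).

```powershell
# Added example: confirm a Windows 10 client is onboarded and the components ATP relies on
# are present. Service/driver names and the registry key are stated assumptions (see lead-in).

function Test-AtpOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 1. Sensor service: must exist and be running, otherwise nothing reaches the portal
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

    # 2. ELAM driver: WdBoot is a boot-start driver that unloads once boot completes, so the
    #    meaningful check is "present and still configured to start at boot", not "running"
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    $elamPresent   = ($null -ne $elam)
    $elamBootStart = ($elamPresent -and $elam.StartMode -eq 'Boot')

    # 3. Local Windows Defender AV: with a third-party AV it sits in passive mode (stopped is
    #    fine) but its start type must not be Disabled, which is the post's warning
    $defender = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $defenderNotDisabled = ($null -ne $defender -and $defender.StartType -ne 'Disabled')
    $defenderStatus = if ($defender) { [string]$defender.Status } else { 'missing' }

    # 4. Onboarding state written by the onboarding script (1 = onboarded)
    $onboarding = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        SenseServiceRunning = $senseRunning
        ElamDriverPresent   = $elamPresent
        ElamDriverBootStart = $elamBootStart
        DefenderNotDisabled = $defenderNotDisabled
        DefenderStatus      = $defenderStatus
        OnboardingState     = $onboarding
        Healthy             = ($senseRunning -and $elamBootStart -and $defenderNotDisabled -and $onboarding -eq 1)
    }
}

Test-AtpOnboarding | Format-List
```

Run it on each onboarded machine (or through `Invoke-Command` against the list you deployed to) and compare with the portal's machine list: a client that reports `Healthy = True` but never shows up usually has the Internet access requirement from point 2 above unmet (firewall or proxy), not an onboarding problem.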
This concludes Part 1, which mainly dealt with installation and configuration. In Part 2 I will simulate an attack and show how to analyze it in ATP. Happy New Year everyone and see you in 2017 :)


Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring Azure Multi Factor Authentication (MFA) for VPN connection - Part 4

Posted by Ahmed Nabil
In parts 1, 2 and 3 of this series we discussed the VPN role and its step-by-step installation, configuration and integration with the RADIUS server, as well as the VPN client configuration and the most common problems on the client side.

For more information, please check Part 1, 2 and 3 from this series.

https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access.html

https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access_30.html

https://itcalls.blogspot.com.eg/2016/11/implementing-microsoft-remote-access.html


In this final post we will add Multi-Factor Authentication to our solution using the Azure MFA on-premises server. MFA adds an extra security layer instead of depending only on username/password. We will be using the model of something you know (your password) + something you have (your device, i.e. your cell phone).

If you have Azure Active Directory Premium or the Enterprise Mobility Suite (EMS) then you already have Azure MFA included. For more details on Azure MFA licensing and pricing, please check the link below:

https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/



Installing and Configuring Azure MFA On-Premise Server


  1. Log in to your Azure portal - Active Directory - Multi-Factor Authentication Providers. If you already have a provider you can manage it directly; if not, as in our case, you need to create an authentication provider.
  2. Creating one is a very easy wizard, as shown below; however, you have to make one important decision regarding the license model (check the link above for licensing).
  3. After creating the provider you will be directed to the Azure Multi-Factor Authentication page, where you can find the downloads and pick the one that suits your environment (in our case I am installing it on 64-bit Windows Server 2016).
  4. I will pick the 2012 R2 version since the 2016 one wasn't available at that time, and generate the activation codes. Please note that this activation code lasts only 10 minutes, for entering it in the MFA installation wizard later; if you take more than 10 minutes before you reach the wizard step requiring it, you will get an error. Don't panic: all you need to do is come back here and generate a new code.
  5. Launch the downloaded file. It will require a couple of components and updates to be installed, as shown below (prerequisites).
  6. Go ahead and select the installation folder (you can safely keep the default location).
  7. After installation it will launch the configuration page. Click Next and add the activation code you copied in step 4.
  8. The next option is which service you need to apply MFA to. In our case we are applying it to the VPN service. This is a very critical step: we add here the VPN server IP address and shared secret (you can use the one we used before with RADIUS). The VPN server's security was previously configured to point to the RADIUS server; we now need to change it on the VPN server to point to the MFA server (as if it were the RADIUS server), and the MFA server will connect to the RADIUS server on its behalf.
     Check Part 2 of this series to add the MFA server instead of the RADIUS server directly, and also check Part 2 on how to add a new RADIUS client (this time it will be the MFA server). So previously the VPN server contacted RADIUS directly; now it is VPN to MFA to RADIUS.
  9. Add the RADIUS server IP. Again, remember the MFA server is now a broker receiving requests from the VPN server (claiming to be RADIUS) and then contacting the real RADIUS server.
  10. After finalizing the wizard, open the Azure MFA Server application from the Start menu and click on Users.
  11. Pick any user to enable MFA for. Add the phone number, pick the MFA method (phone call, text, mobile app, etc.) and then click Enabled.
  12. Make sure that the user account in Active Directory, on the Dial-in tab, has:
      Network Access Permission = Allow
      Callback Options = Set by Caller (RRAS)
  13. In the Azure MFA Server application click on RADIUS Authentication. Under Clients you should have the IP address of the VPN server and under Targets you should have the RADIUS server IP.

By that point you are ready to turn to your client and connect your VPN; it won't sign you in until you pick up your phone and press the # key to complete authentication.

Through these 4 blog posts I tried to detail each and every step with screenshots to make sure nothing is missed. Hopefully you enjoyed this series and will try the VPN solution on your devices, especially the portable ones (tablets and phones).

See you on the next post.

Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring VPN On Windows 10 Client - Part 3

Posted by Ahmed Nabil
In parts 1 and 2 of this series we discussed the VPN role and its step-by-step installation, configuration and integration with the RADIUS server.

For more information, please check Part 1 and 2 from this series.

https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access.html

https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access_30.html


In this part we will discuss the client side: how to set up the VPN on Windows machines (screenshots are from a Windows 10 machine) and common issues after installation.


VPN Client Configuration:


  1. On a Windows 10 computer, open Settings - Network & Internet - VPN and click Add a VPN connection.
  2. The connection type will be Windows (built-in) and you can pick any name for the connection. The server name/address should be the FQDN to which HTTPS traffic is directed on your network. This name must match the name on the SSL certificate you bought and configured on the VPN server (Security tab; please check Part 2). In our scenario we will be using SSTP, as agreed (we only allowed HTTPS). Sign-in will use username/password; clear the "Remember my sign-in info" check box.
  3. One common issue after the user gets connected to the VPN is being unable to reach normal Internet sites (Google, Microsoft), because all traffic is now pushed through the VPN tunnel (your machine looks as if it is inside the domain), so if you have a proxy server in your network you need to add it to the browser. A quick fix is split tunneling, where all corporate traffic goes through the VPN and normal Internet traffic goes through your normal wireless or home connection.
     To do this, go to Network Connections, open the properties of the newly created connection (Test VPN in our case) - Properties - IPv4 - Advanced and clear the check box "Use default gateway on remote network". Check the screenshots below.
  4. Now you are ready and the user can double-click Test VPN in the VPN tab of Settings or from the wireless connections and enter his/her username and password. Make sure to enter it in the format domain\username (remember this is a home computer or workgroup device with no information about your domain).
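The same client setup done with the Windows 10 VpnClient cmdlets instead of the Settings app, added here as an example (not from the original post) so the steps above can be scripted for many workgroup machines. `vpn.mycompany.com`, the `10.0.0.0/8` corporate prefix and the `mycompany.com` suffix are placeholders; the connection-level DNS suffix at the end goes beyond the post's advice and lets short names resolve while connected, which complements rather than replaces the "always use the FQDN" rule in the FAQ.

```powershell
# Added example: create the SSTP connection from steps 1-4 with PowerShell.
# Run as the user who will use the connection (per-user profile);
# add -AllUserConnection to Add-VpnConnection for a shared profile instead.

$ConnectionName = 'Test VPN'
$ServerFqdn     = 'vpn.mycompany.com'   # placeholder; must match the name on the SSL certificate (Part 2)

# Step 2: built-in SSTP connection, username/password (MS-CHAP v2), encryption required,
# credentials not cached (the "remember my sign-in info" box stays cleared)
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerFqdn -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential:$false -Force

# Step 3: split tunneling is the scripted equivalent of clearing "Use default gateway on remote network"
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force

# With split tunneling only listed prefixes go through the tunnel, so add the corporate
# ranges (the same ones the VPN server has routes for); placeholder prefix
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix '10.0.0.0/8'

# Beyond the post: a connection-level suffix so 'computer' resolves as computer.mycompany.com
# while connected. FQDNs keep working either way; placeholder domain
Set-VpnConnection -Name $ConnectionName -DnsSuffix 'mycompany.com' -Force

# Show the result; the user then connects with domain\username (step 4)
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling, DnsSuffix, RememberCredential
```

If Internet sites stop working after the connection is up, `SplitTunneling` showing `False` in the last command's output is the first thing to check; if a corporate resource is unreachable while Internet works, the missing piece is usually the matching route on the VPN server (see the FAQ below).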
At that point your VPN status should be Connected and you are ready to access your corporate resources, applications and data.


Frequently asked questions (FAQ):

  • I can't map any share or RDP to my client/server?
We always need to remember that this VPN-connected machine is a workgroup machine which is not joined to your domain. Always use the FQDN when connecting to resources (there is no default DNS suffix on the client and we can't even push one by Group Policy).

For example: RDP to computer.domain.com, not just the computer name. Also map shares by FQDN, as in \\server.domain.com\share. Everything should be FQDN. Ping by either IP or FQDN.

If you can't ping a corporate resource by IP or FQDN then it is not reachable (no route on the VPN server). Remember the internal NIC of the VPN server has no gateway, so make sure to first add routes to all resources/VLANs on the VPN server (manually, using the route add command).

  • I can't map or access my DFS root shares?
This is a very tricky situation. Logically this is normal, since DFS is based on the Active Directory domain structure and the VPN client is a workgroup machine that can't contact the domain controller to get the server referral.

The solution is configuring DFS to use FQDNs in referrals, because its normal behavior is to reply to queries with NetBIOS names only.

To fix this issue, follow the steps below.

Example: your DFS server is "Server01" with DFS root "RootShare" and all users access it as \\Mycompany.com\RootShare

# Run on the DFS namespace server; the cmdlets come with the DFS Namespaces role (DFSN module).
# 1. Remove the NetBIOS-named root target so it can be re-added with its FQDN
Remove-DfsnRootTarget -TargetPath \\Server01\RootShare
# 2. Make the namespace server hand out FQDN referrals instead of NetBIOS names
Set-DfsnServerConfiguration -ComputerName Server01.mycompany.com -UseFqdn $true
# 3. Restart the DFS Namespace service so the setting takes effect
Stop-Service dfs
Start-Service dfs
# 4. Re-add the root target using the FQDN
New-DfsnRootTarget -Path \\mycompany.com\RootShare -TargetPath \\Server01.mycompany.com\RootShare


This should cover most of the issues that VPN/workgroup users face while connected. Hopefully you enjoyed this part; stay tuned for our last part with Azure Multi-Factor Authentication.

Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring VPN Server 2016 and Integration with RADIUS - Part 2

Posted by Ahmed Nabil
In part 1 of this series we started by identifying the VPN role and why/when it should be used, then installed the VPN role on Windows Server 2016 and enabled the service.

For more details please check Part 1 https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access.html

In this part we will continue configuring the VPN role and integrating it with a RADIUS server for authentication (optional).

Configuring VPN on Windows Server 2016


  1. We will start now where we stopped on our last post after the services are enabled. Go to Server Manager - Tools - Routing and Remote Access. You will notice that the Server name under the Server status has green indicator which means its enabled and with running services.                                                                                                                                                    Right Click on the Server  - Properties                                                                                                                                                 

                                           
                                                                                     
                                                                          
  2. On the Security tab we need to make a few decisions:

     Authentication Provider: you have two options. Windows Authentication (if you don't have a RADIUS server on your network) works well by authenticating against your Active Directory domain or LDAP service, and is even simpler if the server is domain joined. For our case, however, we will go with RADIUS Authentication.

     Accounting Provider: again you have a choice between Windows Accounting and RADIUS Accounting. With RADIUS Accounting you send the connection accounting logs to the RADIUS server, while Windows Accounting saves them in a file on the VPN server. I will go with Windows Accounting to keep all VPN logs in one place.

  3. For the Authentication Methods, ensure that EAP and MS-CHAP v2 (the first two options) are selected.

  4. In the Authentication Provider section (after picking RADIUS Authentication), click Configure - Add - Add RADIUS Server. Enter your current network RADIUS server name and a shared secret (this is the same shared secret/password that will also be entered on the RADIUS server, so that the two servers can validate/authenticate each other). Increase the timeout to 60 seconds. This is very beneficial for our MFA implementation: it is the wait time until you get the call or SMS on your mobile and confirm your VPN authentication.

  5. Now on the RADIUS server we will add the VPN server as a new client. RADIUS Clients - New - enable the RADIUS client and enter the name and IP address of your VPN server, as well as the shared secret we added on the VPN server in the previous step.

  6. Back on our VPN server, still on the Security tab, we will add a certificate in the SSL Certificate Binding option at the bottom of the page. In our scenario we will be using an SSTP connection (HTTPS) to limit the ports open on the VPN server. You can use your company wildcard certificate, or obtain a normal commercial SSL certificate with a simple name such as VPN.company.com. Install the certificate on the server and pick it from this location.

  7. That's it for the Security tab; we will move to the IPv4 tab. We need to decide which IPs the clients will get and how they will get them. We have two options: assign IP addresses to the VPN clients using DHCP, or use a static pool. If you pick the DHCP option, clients will be assigned IPs from the same pool as your server LAN interface. Most probably you have a dedicated server IP range / VLAN and you won't want to assign addresses to VPN clients from that pool (use it for testing only).

     So in our case we will pick the second option and assign IPs to the VPN client devices from a static pool. We will add a new pool from 10.10.10.1 - 10.10.10.254. This pool is different from the server internal NIC subnet and is not in its routing table.

     When users connect to the VPN server they will get an IP from this pool; however, they won't be able to ping or reach any of your corporate resources until you make a simple network change. The problem is that the VPN clients can get half way to your resources, but the resources don't know how to get back to the VPN client. We need to add a route for this pool that points to your local VPN server IP address (internal NIC).

     Let us assume that your VPN server internal (domain-facing) NIC has the IP address 192.168.100.10 and, as per the screenshot below, your static pool is 10.10.10.1 - 10.10.10.254. You need to add a route on the inter-routing device on your network, most likely your internal core switch or internal router, that points any traffic going to the 10.10.10.0 network (the VPN pool) to 192.168.100.10. This should do the trick and allow VPN clients to reach your internal resources. As discussed in Part 1, this VPN server internal NIC doesn't have a gateway (multi-homed NIC), so it must have its own static routes to the other subnets in your corporate network.

  8. We will move to the Logging tab and ensure that "Log all events" and "Log additional Routing and Remote Access information" are checked, as shown below.

Now your VPN is properly configured and you are almost ready for your users to connect to your Remote Access / VPN server. Two more items to check are:

  • This scenario uses only SSTP, so you only need to allow HTTPS traffic to your VPN server. No other ports or protocols are needed.
  • Make sure Network Access Permission is set to allow access in the Dial-in properties of each user in Active Directory. You can allow this option only for the users who need VPN access.
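The same sequence (RADIUS authentication with the 60-second timeout, the static pool, the NPS client entry, and the two final checks) scripted in PowerShell. This is an added example, not the post's own script: the server name nps01.company.com, the VPN server name vpn01 and the user vpn.user are hypothetical, the shared secret is a placeholder, and the pool and the 192.168.100.10/24 internal NIC are the values used above; it relies on the RemoteAccess, NPS, NetSecurity and ActiveDirectory modules.

```powershell
# Added example (not from the post). Assumed: NPS/RADIUS server nps01.company.com,
# VPN server vpn01 with internal NIC 192.168.100.10/24, AD user vpn.user.
# Run on the RRAS server unless a comment says otherwise.
$radius    = 'nps01.company.com'
$secret    = 'REPLACE-WITH-SHARED-SECRET'   # placeholder; same value on both sides
$poolStart = '10.10.10.1'
$poolEnd   = '10.10.10.254'
$lanSubnet = '192.168.100.0'
$lanPrefix = 24

# Step 7 check: the static pool must be a separate network from the internal NIC
# subnet (it gets its own route on the core switch), so refuse an overlapping range.
function Test-PoolOutsideSubnet {
    param([string]$PoolStart, [string]$PoolEnd, [string]$Subnet, [int]$Prefix)
    $toUInt = {
        param($ip)
        $b = ([System.Net.IPAddress]$ip).GetAddressBytes()
        [System.Array]::Reverse($b)              # network order -> host order
        [System.BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32]((0xFFFFFFFF -shl (32 - $Prefix)) -band 0xFFFFFFFF)
    $net  = (& $toUInt $Subnet) -band $mask
    foreach ($ip in $PoolStart, $PoolEnd) {
        if (((& $toUInt $ip) -band $mask) -eq $net) { return $false }
    }
    return $true
}
if (-not (Test-PoolOutsideSubnet $poolStart $poolEnd $lanSubnet $lanPrefix)) {
    throw 'Static pool overlaps the internal NIC subnet; pick a different range.'
}

# Steps 2-4: RADIUS authentication, 60 s timeout so the MFA call/SMS can complete.
Add-RemoteAccessRadius -ServerName $radius -SharedSecret $secret `
    -Purpose Authentication -Timeout 60

# Step 7: hand out client addresses from the static pool, not the LAN DHCP scope.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange $poolStart, $poolEnd

# Step 5 (run on the NPS server): register the VPN server as a RADIUS client, same secret.
New-NpsRadiusClient -Name 'vpn01' -Address '192.168.100.10' -SharedSecret $secret

# Final checks: SSTP needs only HTTPS (TCP 443) inbound; grant dial-in per VPN user only.
New-NetFirewallRule -DisplayName 'SSTP VPN (HTTPS in)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow
Set-ADUser -Identity 'vpn.user' -Replace @{ msNPAllowDialin = $true }
```

Accounting is left at Windows Accounting, as chosen in step 2, so no accounting RADIUS entry is added.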
We are all set now. In the next part of this series we will go through the VPN client setup/configuration and common client scenarios. Hopefully you enjoyed this part; stay tuned for the next post.