Security

Securing Admin roles in Azure Active Directory

I’m going to continue my recent look at securing your Office 365/Azure AD directory with a quick dive into using Conditional Access rules to protect your directory’s most prized asset: accounts with admin roles. These are roles that can be used to accomplish admin tasks within your organisation’s Office 365/Azure AD and Azure estate, and they are important because they are essentially the keys to the kingdom. You should be looking to secure all your accounts, because all your users probably have access to sensitive information, systems or services, but admin accounts are the ones that give their user access to your entire estate in one or two leaps.
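As an added illustration (this is not code from the original post), the following Microsoft Graph PowerShell creates the kind of Conditional Access policy the post is talking about: every sign-in by an account holding a privileged directory role must satisfy MFA. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess and Directory.Read.All scopes, and that you substitute the object ID of your own emergency-access account for the placeholder; the role names are the standard role template display names, but check them against your tenant before running it.

```powershell
# Added example, not part of the original post: require MFA for privileged
# Azure AD directory roles via a Conditional Access policy.
# Assumes the Microsoft.Graph PowerShell module and suitable admin permissions.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$roleNames = @(
    'Global Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'Security Administrator',
    'Conditional Access Administrator',
    'User Administrator'
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Placeholder (assumption): object ID of your emergency-access ("break glass")
# account. It is excluded so a mis-scoped policy cannot lock every admin out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA for privileged directory roles'
    # Start in report-only mode; review the sign-in logs before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two practical points: leave the policy in report-only mode until the sign-in logs show it would only have challenged the people you expect, and keep the excluded emergency-access account monitored, because excluding it from MFA is exactly what makes it valuable to an attacker.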

Continue reading →

Using Passwordless for Office 365

As the pace of attacks continues against companies who use online services, major IAM providers such as Microsoft and Okta are looking for ways to improve their own and your security game. I was fortunate enough to attend the 2019 Okta forum in London, and one of the drums Okta beat throughout the entire presentation was Passwordless Authentication. Microsoft are also recommending this as a major improvement to Office 365/Azure security, even on top of MFA.

Continue reading →

Azure Conditional Access for Chromebooks

I suspect most of you reading this article will already know this, but part of Microsoft’s Azure AD (AAD) / Office 365 cloud directory service that you get when you pay for premium AAD is Conditional Access (CA), which can be used to apply quite sophisticated access controls to Office 365 resources. Of course, you get basic Office 365 MFA with the basic Office 365 enterprise product, and if that is what you have you should absolutely look into enrolling your users and turning it on straight away.

Continue reading →

Tuning up Intune, an introduction.

Introduction to Microsoft Mobile Device Management

I'm currently settling into a new job where I'm spending a fair amount of time working with Microsoft's mobile security management tools, mostly Microsoft Intune. This is largely what I was doing towards the end of my old job too, and while there are some great people writing great material out there, I think there's a lack of articles that try to start at the beginning with current (as of April 2019) tools and pull all the strands together, so that's what we're going to talk about here.

Continue reading →

Backup to the cloud.

Introduction

So I think a lot of us take backups for granted. It's one of those things you look at once and then tend to not worry about too much. As long as it's working, why worry? Except… if you don’t look at it, how do you know how well it's working? I’m talking from the viewpoint of a senior engineer or manager here, of course; hopefully if you’re a junior engineer who has been put in charge of backups you’re making sure that the current system works well and telling people about any concerns you might have.

Continue reading →

My Server’s been hacked – What do I do now? Pt 3.

Finally. Finishing up after Part 1 and Part 2, this is the end of my updated thoughts on an old Server Fault post, with some final thoughts on reducing risks in the future.

Reducing the risk in the future

The first thing you need to understand is that security is a process that you have to apply throughout the entire life-cycle of designing, deploying and maintaining an Internet-facing system, not something you can slap over your code afterwards like a few coats of cheap paint.

Continue reading →

My Server's been hacked - What do I do now? Pt 2.

Following on from Part 1 of my revision of an old Server Fault post, we will continue on to look at remediation after an intrusion. (Part 3 is available here.)

Understand the problem fully

Do NOT put the affected systems back online until this stage is fully complete, unless you want to be the person whose post was the tipping point for me actually deciding to write this article. I'm not going to link to that post so that people can get a cheap laugh, but the real tragedy is when people fail to learn from their mistakes.

Continue reading →

My Server's been hacked - What do I do now? Pt 1.

Introduction

In this series of posts I’m revisiting an answer to a question that appeared on Server Fault way back in 2011. I’m pleased to say that it’s been viewed over 100,000 times, and I like to think it's helped a few of them. But it’s time to look again. Since I wrote that post, there have been some huge intrusions, such as the well-known Ashley Madison, Anthem medical data and JP Morgan breaches that affected millions of people.

Continue reading →

Easy PC rebuilds with Chocolatey

One of the things that I’ve always been interested in is automation, and being able to reproduce a ‘known state’ reliably and consistently. This applies at work when building servers or workstations, thanks to tools like SCCM and FOG, and should be in your grasp at home or in even the smallest office thanks to Chocolatey. Not to put too fine a point on it, between my last post and this one I’ve rebuilt my PC, installing Windows from scratch along with all my applications, prepared breakfast for my partner and myself, started some laundry, and dealt with the cat pulling the net curtains down in my study.
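The ‘known state’ idea in practice, as an added example rather than the author’s own script: a declarative packages.config describing what the machine should have, and one command to make it so. The package IDs are real community-repository packages but the list itself is illustrative; the bootstrap block is Chocolatey’s documented install command, shown here so the script runs on a bare machine.

```powershell
# Added example, not part of the original post: rebuild a workstation to a
# declared package set with Chocolatey.

# Bootstrap Chocolatey if it is missing. This is the vendor's documented install
# command; it executes a script fetched over HTTPS, so on a managed estate you
# would host the script and the packages on your own internal source instead.
if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
    Set-ExecutionPolicy Bypass -Scope Process -Force
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072  # TLS 1.2
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
}

# The desired state, declared once. Keep this file in version control and reuse
# it on every rebuild. Add version="x.y.z" to a <package> to pin it; an unpinned
# entry tracks the latest version in the repository.
$packagesConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="7zip" />
  <package id="git" />
  <package id="vscode" />
  <package id="notepadplusplus" />
  <package id="sysinternals" />
</packages>
'@

$configPath = Join-Path $env:TEMP 'packages.config'
Set-Content -Path $configPath -Value $packagesConfig -Encoding UTF8

# Chocolatey checks each package's embedded download checksum before installing.
# If a package fails that check, fix the package; do not pass --ignore-checksums.
choco install $configPath -y

# On later runs this brings everything in the list up to date.
choco upgrade all -y
```

The point of writing the list down is that the next rebuild is a diff against a file, not a memory exercise, and the checksum verification means a tampered download is a failed install rather than a silently different ‘known state’.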

Continue reading →

Malware emails - doing it wrong.

I’m currently reading /r/sysadmin on reddit, specifically this post from someone ranting that a user complained that a “malware spam e-mail” went to their mail client’s spam folder. While this is classed as a rant on the site and not intended as deep analysis of a problem, their entire comment on this was: What the hell? This is exactly what it should have done! I'm really not sure what to say to this, or to the responses that suggest telling the "

Continue reading →

Keeping Children Safe in Education

So I recently did a podcast with SonicWall on Safeguarding and the statutory guidance on Keeping Children Safe in Education (KCSiE). You can listen to it here.

Invaluable resources:
- Safer Internet Centre's Advice section
- Internet Watch Foundation (IWF)
- Thinkuknow website

Continue reading →

Upgrading Windows PKI from SHA1 to SHA2

As I’m sure most of us know by now, SHA-1 cryptographic hashes have been increasingly under attack and are now regarded as broken for signature use. In fact, my use of “now” rather understates the point: you should be urgently looking to upgrade to SHA-2 if you have any devices or servers using certificates. If you’re not aware of these risks then please look around. There are some good introductory articles on the Entrust website that talk about this issue, but please note that these articles are from 2014 and somewhat understate the urgency of the issue.
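Before touching the CA you need to know what was issued with SHA-1. The following is an added example, not the post’s own script: it walks the local certificate stores and reports every certificate whose signature algorithm is SHA-1 based, which is the list of things that will need re-issuing. The store paths are the usual Windows ones; add any custom stores you use.

```powershell
# Added example, not part of the original post: inventory SHA-1-signed
# certificates in the local certificate stores so they can be re-issued.

function Get-Sha1SignedCertificate {
    param(
        # Stores to scan; extend with any custom store paths you use.
        [string[]] $StorePath = @(
            'Cert:\LocalMachine\My',
            'Cert:\LocalMachine\CA',
            'Cert:\LocalMachine\Root',
            'Cert:\CurrentUser\My'
        )
    )

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            # FriendlyName is e.g. 'sha1RSA' or 'sha1ECDSA' for SHA-1 signatures.
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # A self-signed root has Subject equal to Issuer; its own
                    # signature is never validated by clients, so it is not the
                    # urgent case (see note below).
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# Soonest-expiring first: those are the ones you may be able to let lapse and
# simply re-issue under SHA-256 at renewal time.
Get-Sha1SignedCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```

One caveat worth knowing before you panic at the output: a root CA certificate is trusted because it sits in the trusted root store, not because of its self-signature, so a SHA-1 root is not itself the problem; the certificates it has issued, and any intermediates, are. Switching the issuing CA itself to SHA-256 is done with certutil -setreg ca\csp\CNGHashAlgorithm SHA256 followed by a restart of the Certificate Services service, and that only takes effect when the CA’s private key is held by a CNG key storage provider; a CA still on a legacy CSP needs its key migrated first.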

Continue reading →

Migrating from ADFS 2.1 to 4.0

{There was a section here on converting Windows 2016 server eval to full version for enterprise customers, but as Windows 2016 is properly out there now it seems pointless. I've pasted what was here into the comments below in case anyone needs it}

Upgrading ADFS

The first question after deciding to roll out a new version of Windows Server into your organisation is what to deploy first, and the answer for me, at least, turned out to be ADFS 4.

Continue reading →

The Problem with BYOD projects

I see lots of people talking about and asking about hardware being “prepared for BYOD” and/or “BYOD ready”. Most of the time they’re talking about Wireless Access Points (WAPs) or other similar items of infrastructure. In a lot of ways, as long as you stick to a reputable vendor, what make of WAP you buy is the least difficult and least interesting part of the project. You wouldn’t focus too heavily on what brand of switch your desktops were wired into as part of a project to give everyone access to a new corporate intranet site from the desktop; you’d spend more time checking that the site’s CMS worked with your standard browser and thinking about what content users should be able to get to, and how they’d get to it.

Continue reading →

Robert's Modern Sysadmin Rules, Part 2

5. "Nuke from orbit" is still the best approach to a rooted system.

See http://serverfault.com/a/218011/7783

I've talked about this in the Server Fault answer above, and I might do another post diving into some of the details behind my beliefs here, but the drive to rebuild after getting a system compromised comes down to trust. For an illustration of why I use that word, please read "Reflections on Trusting Trust"

Continue reading →

SCCM 2012 WTF moment

We’ve been migrating from SCCM 2007 to SCCM 2012 at work. One very interesting part of SCCM 2012 for us has been the support for Mac OS X that was added in SCCM 2012 SP1. We have about 70 Mac clients, I guess, on top of about 1500 Windows clients, and those 70 clients need a disproportionate amount of time to manage, not because of any problems with Mac OS X as such, but rather due to the lack of real tools available to manage a large desktop roll-out.

Continue reading →

Java - Unsafe at any speed?

So another day, another Java vulnerability. Before we go on, if you’re not actually using Java for anything then uninstall it right now from your computer, or at the very least disable the browser plugin. Go ahead, I’ll wait. Done? Good. Much like the problems that surrounded Microsoft’s Windows XP prior to Service Pack 2, the problems with Java have reached critical mass; even Oracle themselves are finally waking up to this fact.
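“Uninstall it” is easy advice on one PC and a question on a fleet, because machines accumulate several side-by-side Java runtimes that nobody remembers installing. The following is an added example, not the author’s code: it reads the Windows uninstall registry keys (32-bit and 64-bit views) and lists every Java install with the command needed to remove it. It is read-only; nothing is uninstalled.

```powershell
# Added example, not part of the original post: inventory installed Java
# runtimes and JDKs from the Windows uninstall registry keys.

function Get-InstalledJava {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Matches 'Java 8 Update 201', 'Java(TM) 7 Update 51', 'Java SE Development Kit ...'
        Where-Object { $_.DisplayName -match '^Java(\s|\(TM\)|\sSE)' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallLocation = $_.InstallLocation
                # For MSI-based installs the key name is the product code, which
                # 'msiexec /x {code} /qn' accepts for a silent removal.
                ProductCode     = $_.PSChildName
                UninstallString = $_.UninstallString
            }
        }
}

$java = Get-InstalledJava
if (-not $java) {
    Write-Output 'No Java installations found in the uninstall registry.'
} else {
    $java | Format-Table DisplayName, Version, ProductCode -AutoSize
    # Removal commands, printed rather than executed so they can be reviewed first.
    $java | ForEach-Object { "msiexec /x $($_.ProductCode) /qn" }
}
```

Run the printed msiexec lines once you are sure nothing on the machine needs Java; if something does, the minimum is to disable the browser plugin, since the vulnerabilities the post is reacting to are reached through the browser, not from locally installed applications.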

Continue reading →

So what has happened at Sony?

Whatever problems you've faced at work today, just comfort yourself with this thought: you're probably not "head of security" for the PlayStation Network. Yeah, Sony have been the victims of an intrusion, and the question everyone is asking (and I certainly hope you are thinking about this if you're a Sony PlayStation Network customer) is what exactly has been "lost", and how quickly you can get all your banking security details changed.

Continue reading →