Tech news for the week of May 6th, 2024
Topics in this week’s Tech Newsletter
What’s New Updates
Copilot and AI
Microsoft 365
Windows 365 and Azure Virtual Desktop
Microsoft Defender and Sentinel
Azure
Server
Identity Protection and Management
Information Protection and Management
Device Management
Scripting and Automation
Security Tools and Guides
Microsoft News
Security News
Industry Specific News
What’s New Updates
Announcing Zero Trust DNS Private Preview (1st party)
In the modern world, useful network destinations are far more likely to be defined by long-lived domain names than long-lived IP addresses. However, enforcement of domain name boundaries (such as blocking traffic associated with a forbidden domain name) has always been problematic since it requires breaking encryption or relying on unreliable plain-text signals such as DNS over port 53 inspection or SNI inspection. To support Zero Trust deployments trying to lock down devices to only access approved network destinations, we are announcing the development of Zero Trust DNS (ZTDNS) in a future version of Windows. ZTDNS was designed to be interoperable by using network protocols from open standards to satisfy Zero Trust requirements such as those found in OMB M-22-09 and NIST SP 800-207. ZTDNS will be helpful to any administrator trying to use domain names as a strong identifier of network traffic.
Public Preview of Azure Arc Site Manager (1st party)
This week we are excited to announce the Public Preview of Azure Arc site manager. We designed site manager to meet the needs of customers who manage solutions on the adaptive cloud and want to view and monitor their resources according to their physical locations, such as stores, restaurants, and factories. Within site manager, customers can create Arc sites to represent their on-premises environments and see centralized monitoring information across their edge infrastructure.
Before the release of FSLogix 2210 hotfix 3, our team dedicated significant effort to meticulously identify, replicate, and address the numerous challenges encountered during the shift to the new Teams MSIX update. Although it's unlikely that every conceivable issue has been anticipated, I believe that FSLogix 2210 hotfix 4 represents a thorough update suitable for most environments. Aligned with Microsoft's "patch Tuesday" calendar, FSLogix 2210 hotfix 4 is set to become widely available on Tuesday May 14th, 2024, ready for download and also pre-loaded on Windows 10 and Windows 11 multi-session Azure images. This hotfix, along with the updates from hotfix 3, addresses a wide range of issues associated with New Teams. We wish to express our gratitude to the 30+ customers and partners whose crucial involvement in our validation process has been essential for the discoveries and solutions provided in this release. Additionally, we are reintroducing a previously released and highly requested feature: Asynchronous Group Policy processing!
Update 2403 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2211 or later. When installing a new site, it will also be available as a baseline version soon after general availability. This article summarizes the changes and new features in Configuration Manager, version 2403.
Copilot and AI
Sometimes the best way to solve a complex problem is to take a page from a children’s book. That’s the lesson Microsoft researchers learned by figuring out how to pack more punch into a much smaller package. Last year, after spending his workday thinking through potential solutions to machine learning riddles, Microsoft’s Ronen Eldan was reading bedtime stories to his daughter when he thought to himself, “how did she learn this word? How does she know how to connect these words?” That led the Microsoft Research machine learning expert to wonder how much an AI model could learn using only words a 4-year-old could understand, and ultimately to an innovative training approach that’s produced a new class of more capable small language models that promises to make AI more accessible to more people.
Copilot Scenario Library downloads (1st party)
Becoming AI powered means transforming scenarios across your organization. Use our guidance by department and individual scenario to get inspired, empower your workforce and realize value from your Copilot investment. Download our department kits, scenario guides, and day in the life guides to accelerate your Copilot implementation.
How to Fast-Track Your Work, Mastering Microsoft 365 Copilot (3rd party) [VIDEO]
The video titled “How to Fast-Track Your Work, Mastering Microsoft 365 Copilot” is a comprehensive tutorial hosted by Laura Rogers, where she delves into the innovative features of Microsoft 365 Copilot. Throughout the session, Laura demonstrates how Copilot seamlessly integrates into various Microsoft 365 applications such as Word, Teams, Excel, and more, enhancing productivity and collaboration. She emphasizes the practicality of Copilot for business users, particularly those who are not deeply technical, by showcasing real-time examples and providing a platform for live interaction and discussion. The video serves as an invaluable resource for anyone looking to leverage Microsoft 365 Copilot to streamline their work processes and unlock new possibilities within their digital workspace.
Microsoft 365
Introducing Answers Intelligent Importer (1st party)
Answers Intelligent Importer is a brand-new feature that will allow licensed users to upload documents and use AI to generate question/answer pairs from that content, within Answers and communities on Engage. Through this feature, we aim to transform static knowledge into dynamic, interactive conversations that foster active engagement. This approach also facilitates the easy retrieval and reuse of existing knowledge, preventing it from getting lost within the depths of a document. The Answers Intelligent Importer requires a Viva suite or Communities & Communications license.
“In-person events tips and tricks” – The Intrazone podcast (1st party) [AUDIO]
It’s true. You CAN optimize your in-person event experience by listening to ONE podcast episode. And dear Intrazone’r, this is the one – loads of lessons rolled up into 38 info-packed minutes! The goal is to give you, Future Attendee, tips, tricks, and best practices to optimize your in-person event experience. We also got a sense of what each person plans to present + each shared a fun story from their past in-person event memory box. And we derived how Copilot "should be spelled" in their "expert" opinions :).
Employee engagement is vital for the growth and success of any organization. Organizations can foster positive engagement by enabling effective communication, offering rewards and recognition, and discussing career advancement opportunities with their employees. Apps on Microsoft Teams play a key role in enabling employers to better engage with their team members right where they are already working. For any organization, thriving employees are key for driving innovation and building a successful brand. There are apps available, like those featured here, that enable organizations to enhance employee communication, crowdsource ideas from team members, and encourage collaboration while also enabling employees to become advocates for the company brand.
How To Really Use AI For Businesses (3rd party)
There is something big missing in all of this talk on AI. There is tons of talk about the risks and ethics as well as many mentions of new whiz-bang exciting AI things that have come out. Speakers and authors preach about how AI will revolutionize how we work and live. They talk about how quickly ChatGPT was adopted versus any other recent technology. Despite all of this, many business leaders are still left wondering how they're really going to use AI for their businesses. A paper published by Harvard Business School found that highly skilled workers using generative AI can boost performance by 40% compared to those who do not use it.
Copilot Productivity Tip – Teams Chat Catchup (3rd party)
My workday at Microsoft involves communication with multiple teams spread around the globe, which means in-person communication is not always possible. This is why Teams has become the go-to tool for many conversations and discussions. When I start my day at 8am I know chats have happened in other time zones, and instead of reading everything right away I can use Copilot catchup for a summary, and then decide if I need to read it all. I typically use the “Summarize what I've missed” Copilot suggested prompt inline in the chat, which opens the Copilot pane, or I open the pane manually as seen below with prompts such as “Highlights from the past day” or “Highlights from the past 7 days”.
Microsoft Defender and Sentinel
Follow the Breadcrumbs with Microsoft IR & MDI: Working Together to Fight Identity-based Attacks (1st party)
In cybersecurity incidents, one of the first goals of any threat actor is to gain credentials and elevate their privileges. For this reason, they will almost always target user identities and the underlying identity infrastructure. This blog post discusses how Microsoft Incident Response and Microsoft Defender for Identity (MDI) work together to fight identity-based attacks. We demonstrate how MDI can be used to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. MDI is an identity security solution that monitors key identity systems, both on-premises and hybrid, to detect and help respond to identity-related threats. It provides valuable insight into suspicious activities and events, helping security teams take appropriate actions to protect their organization from identity-based threats. As a core element of the security strategy, alerts and data from MDI are correlated with signals from other security domains, offering security teams more comprehensive visibility into the entirety of an attack.
Get started with onboarding | Microsoft Defender Experts for XDR (1st party) [VIDEO]
This video provides a step-by-step guide on how to onboard to Microsoft Defender Experts for XDR, emphasizing the simplicity and efficiency of the process. It highlights the service’s proactive incident investigation and response capabilities, the ability to grant permissions for direct threat response, and the importance of setting up contact lists for incident and service review communications. The video also outlines the tasks users must complete to prepare their environment for the service, leveraging Microsoft Defender Vulnerability Management recommendations to enhance security posture.
Enforce least privilege for Entra ID company branding with the new organizational branding role (1st party)
This new role is part of our ongoing efforts to implement Zero Trust network access by enforcing the principle of least privilege for users when customizing their authentication user experience (UX) via Entra ID company branding. Previously, users wanting to configure Entra ID company branding required the Global Admin role. This role, though, has sweeping privileges beyond what’s necessary for configuring Entra ID company branding. The new organizational branding role limits its privileges to the configuration of Entra ID company branding, significantly improving security and reducing the attack surface associated with its configuration.
Microsoft Defender for Endpoint customers, who've already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a Microsoft Defender for Identity sensor. This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
Setting up Sentinel for Kubernetes Monitoring (1st party)
In part 1 and part 2 of this series, we discussed the types of log sources you should consider for monitoring the security of your Kubernetes environment, the most pertinent risks (and corresponding use cases) in your AKS environment, and the log sources to ingest. This blog will demonstrate how to configure Azure Sentinel to identify those risks. More specifically we will show: mapping of container security risks to Microsoft Defender for Cloud, data connectors to ingest AKS data, container security workbooks in Sentinel, and search queries to mine specific log tables for the more pressing risks.
Microsoft Defender for Identity (MDI) is a cloud-based security solution that helps monitor and protect identities and infrastructure across your organization. MDI is a core component of Microsoft Defender XDR, leveraging signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced cyberthreats directed at your organization. Recently, Defender for Identity introduced a Graph-based API to view Defender for Identity health issues.
Unleashing the Power of Microsoft Defender for Cloud – Unique Capabilities for Robust Protection (1st party)
Microsoft Defender for Cloud (MDC) is a cloud-native application protection platform (CNAPP) that is made up of security measures and practices that are designed to protect cloud-based applications from various cyber threats and vulnerabilities. In this article we make a case that the unique capabilities provided by MDC will be hard to replicate with a customized/3rd party solution. Note that there are many use cases where you will find MDC to have a natural edge. However, for brevity, we have picked a few common scenarios. So, the list below is not meant to be exhaustive, rather, representative.
Staying ahead of potential threats is a top priority for organizations worldwide in the ever-evolving cybersecurity landscape. Modern and effective cybersecurity defenses are built on several essential pillars, where security posture management plays an important role. Microsoft’s Security Exposure Management (XSPM) solution is a new innovation in the posture management domain. It can be imagined as a combination of the next-generation vulnerability management & posture management solution that modernizes posture management in the same way XDR modernizes threat management. Where XDR (detect, investigate, and respond) provides unified threat management for workloads, the XSPM (identify and protect) provides unified exposure management for the same workloads.
Microsoft on Protecting Identity – The Core of Your Digital Ecosystem: The Practical 365 Podcast (3rd party) [AUDIO]
On this week’s episode of the Practical 365 podcast, Rich Dean, Paul Robichaux, and I were joined by Alex Weinert, Director of Identity Security at Microsoft, to discuss the critical topic of identity threat detection and response (ITDR). Alex shared his valuable insights and experiences on safeguarding identity systems from sophisticated cyber-attacks and hardening identity infrastructure against emerging threats.
Azure
While increasingly rare, a region-wide outage might happen, impacting availability of Azure Cosmos DB for PostgreSQL clusters hosted in that region. Geo-redundant backup for Azure Cosmos DB for PostgreSQL allows you to protect against outages impacting the primary region by storing cluster backup in another Azure region. Geo-redundant backup is an optional capability that can be enabled during cluster provisioning. With geo-redundant backup enabled on your cluster, you can do point-in-time restore (PITR) for your cluster to another region at any time regardless of availability of the primary region.
Strategies for Migrating Your VMware Workloads to Azure (1st party) [VIDEO]
Explore how migrating your VMware to Azure can secure and unify your SQL Server data whether you are planning a seamless “lift-and-shift" or considering modernization with Azure native services. Watch the webinar to learn how Azure VMware Solution (AVS) acts as a gateway to Azure, see live demonstrations of SQL server workload modernization, and discover how Azure integrations can empower you to revolutionize your business and extract maximum value from your data.
Azure Governance Visualizer Accelerator guidance (1st party)
Organizations can use the Azure Governance Visualizer to capture pertinent governance information about their Azure tenants. The Azure Governance Visualizer accelerator runs the visualizer in an automated way through Azure Pipelines or GitHub Actions. The visualizer outputs the summary as HTML, MD, and CSV files. Ideally, the generated HTML report is made easily accessible to authorized users in the organization. This article shows you how to automate running the Azure Governance Visualizer and host the reporting output securely and cost effectively on the Web Apps feature of Azure App Service.
Build scalable applications with Azure cross-region Load Balancer | Azure Friday (1st party) [VIDEO]
In this Azure Friday episode, Scott Hanselman and Mahip Deora discuss the Azure cross-region Load Balancer, a global Layer 4 load balancer that allows for efficient traffic distribution across multiple Azure regions using a single static public IP address. They delve into the OSI model, emphasizing the importance of Layer 7 (HTTP) and Layer 4 (TCP/UDP) in networking and load balancing. The video highlights the Azure cross-region Load Balancer’s ability to overcome DNS caching issues, ensuring traffic is only sent to healthy endpoints, and its seamless handling of backend instance health for optimal user routing without IP management overhead.
Monitor virtual machines with Azure Monitor (1st party)
This guide describes how to use Azure Monitor to monitor the health and performance of virtual machines and their workloads. It includes collection of telemetry critical for monitoring and analysis and visualization of collected data to identify trends. It also shows you how to configure alerting to be proactively notified of critical issues.
Introducing the VMware Rapid Migration Plan (1st party)
Like many customers today, you are probably reevaluating how to best run your VMware workloads, and whether to keep them on-premises or move them to the cloud. Whichever path you choose, it will require an investment of time and resources. This is an opportunity to consider your long-term platform strategy – so you spend your resources wisely to reduce technical debt while you set yourself up for success in the future. With the era of AI upon us, the benefits of running your workloads in the cloud will grow in ways that you have not yet imagined. For your company to be a leader in its industry, your IT organization needs to be ready to meet new demands.
General availability: Application Gateway Web Application Firewall (WAF) inspection limit & size enforcement (1st party)
Azure’s regional Web Application Firewall (WAF) integrated with Application Gateway v2 now supports greater control over inspection limits and size enforcement for WAF policies running Core Rule Set (CRS) 3.2 or later. This feature allows you to control request body inspection, maximum request body limit, and maximum file upload limit independently of each other. Additionally, you can now disable maximum request body limit enforcement and/or maximum file upload limit enforcement without disabling request body inspection. With this update, now you have more flexibility on how WAF inspects requests while allowing larger requests to pass without being blocked.
Server
If you have been following this series, I hope you have been able to enforce NTLMv2, remove SMBv1 from your domain controllers, and you are ready to tackle the next important topic, which is enforcing LDAP signing. Preventing unsecure LDAP communication by enforcing signing is an issue that the security community feels strongly about, and much has already been written on the topic. However, there seems to be a considerable amount of confusion and misunderstanding about the impact of enforcing LDAP signing. I hope to clear things up today and give you the information you need to move forward with confidence.
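The step that removes most of the uncertainty the article refers to is finding out who still binds without signing before the setting is enforced. The following is an added example, not code from the article: it raises the NTDS diagnostic that makes each domain controller log event 2889 for every unsigned SASL bind or clear-text simple bind, reports the current enforcement value, and summarises the offending clients. It assumes it is run elevated on a domain controller.

```powershell
# Added example (not from the linked article): find the clients that will break when
# LDAP signing is enforced, before you flip the switch. Run elevated on each DC.

$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Log one event 2889 per unsigned SASL bind or clear-text simple bind (level 2 or higher).
$lvl = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($lvl -lt 2) { Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 }

# 2. Report the current enforcement level. 2 = "Require signing"; anything else means the DC
#    still negotiates and the clients found below keep working, insecurely.
$integrity = (Get-ItemProperty -Path $params -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
"LDAPServerIntegrity = $integrity (2 = signing required)"

# 3. Summarise 2889 events. Event data: [0] client IP:port, [1] bound identity,
#    [2] binding type (0 = SASL bind without signing, 1 = simple bind over clear text).
function Get-UnsignedLdapBinds {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Properties[0].Value -replace ':\d+$', ''   # drop the source port
                Identity = $_.Properties[1].Value
                BindType = if ([int]$_.Properties[2].Value -eq 1) { 'SimpleBind' } else { 'UnsignedSASL' }
            }
        }
}

Get-UnsignedLdapBinds -Days 7 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Leave the diagnostic at level 2 for at least one full business cycle (month-end jobs and quarterly batch runs are the classic late surprises), then set the policy through Group Policy ("Domain controller: LDAP server signing requirements" = Require signing) rather than by writing LDAPServerIntegrity directly, so that every DC gets the same value. Simple binds over LDAPS (port 636) are not affected by the signing requirement; only clear-text simple binds and unsigned SASL binds are.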
Windows Server Advanced Auditing Policies (1st party)
Security auditing is a methodical examination and review of activities that may affect the security of a system. In Windows Server and Active Directory environments, security auditing refers to the features and services that log and review events for specified security-related activities. Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. Audit policies are configured through Group Policy. You can configure local policies, but in most Windows Server Active Directory environments, auditing is configured through application of policies at the Domain, Site or Organizational Unit level. The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they're recorded and applied differently.
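Because the basic and advanced settings are applied differently, the practical check is whether the advanced subcategories are actually the ones in force on a given machine, and which of them are still unaudited. The following is an added example, not code from the article: it reads the LSA value that tells Windows to ignore the legacy categories, then parses the effective policy that auditpol reports. The list of subcategories it checks is an assumption chosen for this example, not a published baseline; align it with your own audit policy.

```powershell
# Added example (not from the linked article): confirm the Advanced Audit Policy
# subcategories are what Windows applies, and list the ones still set to "No Auditing".
# Run elevated.

# When SCENoApplyLegacyAuditPolicy is 1 (the GPO "Audit: Force audit policy subcategory
# settings ... to override audit policy category settings"), the nine legacy categories are
# ignored and only the advanced subcategories count, so the two cannot fight each other.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy and advanced audit settings may conflict.'
}

# auditpol /r emits CSV with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

# Subcategories this example expects to be audited (assumed baseline, adjust to your policy).
$expected = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Logon', 'Logoff', 'Special Logon',
    'Security Group Management', 'User Account Management',
    'Process Creation', 'Audit Policy Change', 'Sensitive Privilege Use'
)

$gaps = $effective |
    Where-Object { $expected -contains $_.Subcategory -and $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting'

if ($gaps) { $gaps | Format-Table -AutoSize } else { 'All expected subcategories are audited.' }
```

Running this on a member server and on a domain controller side by side is a quick way to see the effect described above: the same GPO can leave a subcategory unaudited on one machine and audited on the other if the legacy override is set differently on the two.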
You probably already came across the challenge of making sure that administrators using a highly privileged administrative role in Entra ID, or an Azure RBAC role which allows control over sensitive resources, are only allowed to do so from a dedicated administrative workstation. At Microsoft we call those devices Privileged Access Workstations (PAW). PAWs are highly restricted and protected devices with the single purpose of securing and protecting the admin’s credentials, following Zero Trust and the Clean Source Principle. Now, the issue is that admins could either use that device or simply ignore it and use their office computers instead, which seems much more convenient. The same applies to attackers, because admins not using a PAW make their life much easier, since they would have a direct attack path at hand. This is not what you want!
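The control that closes this gap in Entra ID is a Conditional Access policy scoped to the privileged roles, with a device filter so that only PAWs escape the block. The following is an added example, not code from the article: it creates such a policy in report-only mode with the Microsoft Graph PowerShell SDK. Assumptions made for the example: PAWs are tagged with device extensionAttribute1 set to "PAW" (a naming convention, not a Microsoft default), the role template ID is Global Administrator, and $breakGlassAccountId is the object ID of an emergency access account that must never be caught by the policy.

```powershell
# Added example (not from the linked article): block privileged-role sign-ins unless
# they come from a device tagged as a PAW. Assumes the Microsoft.Graph SDK is installed.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$globalAdminRoleId  = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template
$breakGlassAccountId = '<object id of the emergency access account>'  # assumption: fill in before use

$policy = @{
    displayName = 'Block privileged roles unless signing in from a PAW'
    # Report-only first: the sign-in logs show who WOULD have been blocked, without locking anyone out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeRoles = @($globalAdminRoleId)
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{ includeApplications = @('All') }
        # mode 'exclude' applies the policy to every device EXCEPT those matching the rule.
        # Unregistered devices have no attributes, so they never match and are blocked too.
        devices      = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats a practitioner will want: the device attribute should be one that only a privileged process can set (otherwise any admin can tag their office laptop as a PAW and defeat the control), and the report-only window should be used to confirm that the emergency access account and any automation running under an admin role are excluded before the state is switched to enabled.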
Agent-based migration architecture (1st party)
This article provides an overview of the architecture and processes used for agent-based replication of VMware VMs with the Migration and modernization tool. The tool can replicate VMware VMs in two ways: agent-based replication, as described in this article, or agentless replication, which migrates VMs without needing to install anything on them. Learn more about selecting and comparing migration methods for VMware VMs.
Enterprise Impacting: Microsoft has confirmed customer reports of NTLM authentication failures and high load after installing last month's Windows Server security updates. According to a new entry added to the Windows health dashboard on Tuesday, this known issue will only affect Windows domain controllers in organizations with a lot of NTLM traffic and few primary DCs. The list of impacted Windows versions and buggy security updates includes Windows Server 2022 (KB5036909), Windows Server 2019 (KB5036896), Windows Server 2016 (KB5036899), Windows Server 2012 R2 (KB5036960), Windows Server 2012 (KB5036969), Windows Server 2008 R2 (KB5036967), and Windows Server 2008 (KB5036932).
Enable Hardened UNC Paths - What Why and How? (3rd party)
UNC (Universal Naming Convention) paths identify servers, printers, and other resources on a network. Unlike drive letters used in Windows Explorer, UNC paths specify a network location directly, giving a standardized form across Windows and Unix systems. In Microsoft Windows, a remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploits this vulnerability could take complete control of the affected system, and could then view, change, or delete data, install programs, and create new accounts with full user rights.
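The mitigation is to require mutual authentication and integrity (SMB signing) for the two shares Group Policy reads from, so a spoofed or man-in-the-middle SYSVOL cannot hand the client a malicious policy. The following is an added example, not code from the article: it writes the Hardened UNC Paths values for SYSVOL and NETLOGON on a single machine and verifies them. In production the same values are deployed through the "Hardened UNC Paths" Group Policy setting under Computer Configuration > Administrative Templates > Network > Network Provider; the script is for lab verification and for machines that do not receive that policy.

```powershell
# Added example (not from the linked article): set and verify Hardened UNC Paths for
# SYSVOL and NETLOGON. Run elevated. Prefer the Group Policy setting for fleet rollout.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Value name is the UNC pattern, value data is the requirement list. RequirePrivacy=1 can be
# added to also require encryption, which needs SMB 3.x on both ends.
$required = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

function Test-HardenedPath {
    param([string]$Pattern, [string]$Expected)
    $current = (Get-ItemProperty -Path $key -Name $Pattern -ErrorAction SilentlyContinue).$Pattern
    [pscustomobject]@{ Pattern = $Pattern; Current = $current; Compliant = ($current -eq $Expected) }
}

foreach ($pattern in $required.Keys) {
    $state = Test-HardenedPath -Pattern $pattern -Expected $required[$pattern]
    if (-not $state.Compliant) {
        Set-ItemProperty -Path $key -Name $pattern -Value $required[$pattern] -Type String
        "SET  $pattern -> $($required[$pattern]) (was: '$($state.Current)')"
    } else {
        "OK   $pattern already $($state.Current)"
    }
}

# Re-read to confirm the effective values.
$required.Keys | ForEach-Object { Test-HardenedPath -Pattern $_ -Expected $required[$_] } | Format-Table -AutoSize
```

After applying the setting, run gpupdate /force and confirm that policy processing still succeeds (Group Policy operational log, Microsoft-Windows-GroupPolicy/Operational); a domain controller that has SMB signing disabled or a path that goes through a non-signing proxy will show up there as a failure to read SYSVOL, which is the policy doing its job.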
RDP Configuration & RDS Hardening Guide (3rd party)
Windows Remote Desktop Services (RDS) is a component of Microsoft Windows that allows users to take control of a remote computer or virtual machine over a network connection using the Remote Desktop Protocol (RDP). When enabling remote desktop access over RDP, strong passwords and lockout policies are essential to thwart the brute-force attacks that exposed RDP endpoints attract, and with more RDP hosts running on cloud infrastructure the exposure is larger than ever. The first and most basic step towards secure remote access is to implement secure configurations and harden the RDP server. The best approach for this task is to use automation tools, which promise a secure infrastructure with minimal effort and minimal chance of outages.
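The listener settings that matter most live under the RDP-Tcp WinStation key: Network Level Authentication, the TLS security layer, and the minimum encryption level. The following is an added example, not code from the guide: it audits those three values, corrects the weak ones, shows who is allowed to connect, and pulls the failed remote logons from the last day so that a brute-force attempt is visible rather than silent. It assumes an elevated PowerShell session on the RDP host; the local Remote Desktop Users group does not exist on a domain controller, so that step is skipped there.

```powershell
# Added example (not from the linked guide): audit and harden the core RDP listener settings,
# then look for brute-force evidence in the Security log. Run elevated on the RDP host.

$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$checks = @(
    @{ Name = 'UserAuthentication'; Expected = 1; Why = 'NLA: authenticate before a session is created' }
    @{ Name = 'SecurityLayer';      Expected = 2; Why = 'TLS for the transport instead of legacy RDP security' }
    @{ Name = 'MinEncryptionLevel'; Expected = 3; Why = 'High (128-bit) encryption' }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $rdp -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($actual -ne $c.Expected) {
        Set-ItemProperty -Path $rdp -Name $c.Name -Value $c.Expected -Type DWord
        "FIXED $($c.Name): $actual -> $($c.Expected)   ($($c.Why))"
    } else {
        "OK    $($c.Name) = $actual"
    }
}

# fDenyTSConnections = 1 means RDP is off, which is the right state for servers that do not need it.
$deny = (Get-ItemProperty -Path $ts -Name 'fDenyTSConnections').fDenyTSConnections
"Remote Desktop enabled: $($deny -eq 0)"

# Who is allowed in? The local Remote Desktop Users group is a common blind spot (absent on DCs).
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# Brute-force evidence: failed logons (4625) in the last 24 hours. Event data index 10 is LogonType,
# index 19 is IpAddress. With NLA enabled, failed RDP attempts are recorded as type 3, not 10.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 -and $_.Properties[19].Value -ne '-' } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Hardening the listener does not replace removing it from the internet: an RDP port reachable from anywhere will accumulate 4625 events from the moment it is exposed, and the group-by above is the quickest way to prove that to whoever owns the firewall rule.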
Identity Protection and Management
Managing external identities, including customers, partners, business customers, and their access policies can be complex and costly for admins, especially when managing multiple applications with a growing number of users and evolving security requirements. With External ID, you can consolidate all identity management under the security and reliability of Microsoft Entra. Microsoft Entra provides a unified and consistent experience for managing all identity types, simplifying identity management while reducing costs and complexity. Building External ID on the same stack as Entra ID allows us to innovate quickly and enables admins to extend the Microsoft Entra capabilities they use to external identities, including our industry-leading adaptive access policies, fraud protection, verifiable credentials, and built-in identity governance. Our launch customers have chosen External ID as their CIAM solution as it allows them to manage all identity types from a single platform.
We really, really want to eliminate passwords. There’s really nothing anyone can do to make them better. As more users have adopted multifactor authentication (MFA), attackers have increased their use of Adversary-in-the-Middle (AitM) phishing and social engineering attacks, which trick people into revealing their credentials. How can we defeat these attacks while making safe sign-in even easier? Passkeys! A passkey is a strong, phishing-resistant authentication method you can use to sign in to any internet resource that supports the W3C WebAuthN standard. Passkeys represent the continuing evolution of the FIDO2 standard, which should be familiar to anyone who’s followed or joined the passwordless movement. We already support signing into Entra ID using a passkey hosted on a hardware security key and today, we’re delighted to announce additional support for passkeys. Specifically, we’re adding support for device-bound passkeys in the Microsoft Authenticator app on iOS and Android for customers with the strictest security requirements.
The Department of Defense (DoD) Zero Trust Strategy and accompanying execution roadmap sets a path for achieving enterprise-wide target-level Zero Trust by 2027. The roadmap lays out vendor-agnostic Zero Trust activities that DoD Components and Defense Industrial Base (DIB) partners should complete to achieve Zero Trust capabilities and outcomes. Microsoft commends the DoD for approaching Zero Trust as a mindset, not a capability or device that may be bought. Zero Trust can’t be achieved by a single technology, but through tight integration between solutions across product categories. Deciphering how security products achieve Zero Trust based on marketing materials alone is a daunting task. IT leaders need to select the right tools. Security architects need to design integrated solutions. Implementers need to deploy, configure, and integrate tools to achieve the outcomes in each Zero Trust activity.
Trusted Signing is in Public Preview (1st party)
The Trusted Signing service (formerly Azure Code Signing) is a Microsoft fully managed end-to-end signing solution for developers. Trusted Signing is a complete code signing service with an intuitive experience for developers and IT professionals, backed by a Microsoft managed certification authority. The service supports both public and private trust signing scenarios and includes a timestamping service. With Trusted Signing, users enjoy a productive, performant, and delightful experience on Windows with modern security protection features enabled such as Smart App Control and SmartScreen. We manage the full certificate lifecycle (generation, renewal, issuance) and key storage in FIPS 140-2 Level 3 HSMs. The certificates are short-lived, which helps reduce the impact on your customers in abuse or misuse scenarios. We have integrated into popular developer toolsets such as SignTool.exe and the GitHub and Visual Studio experiences for CI/CD pipelines, enabling signing to integrate easily into application build workflows. For Private Trust, there are also PowerShell cmdlets for IT Pros to sign WDAC policy, and future integrations with IT endpoint management solutions. Signing is digest signing, meaning it is fast and confidential: your files never leave your endpoint. We have support for different certificate profile types including Public Trust, Private Trust, and Test, with more coming soon! Trusted Signing enables easy resource management and access control for all signing resources with Azure role-based access control as an Azure native resource.
Zero Trust – Dope or Nope (3rd party) [VIDEO]
Sami Laiho, a Microsoft MVP in the core operating system, delivers an insightful presentation on Zero Trust security principles, emphasizing the importance of understanding concepts over products. He shares his journey as an expert in Windows internals and security, advocating for a positive approach to security measures. Laiho discusses the evolution of Zero Trust, its core components, and the significance of implementing Multi-Factor Authentication (MFA) across internal and external networks. He also addresses the challenges of removing admin rights, the impact of least privilege access on system longevity and security, and the psychological aspects of security adoption.
It is no secret that some multifactor authentication (MFA) methods are more secure than others. Microsoft has made the case to remove phone-based MFA and would like everyone to use the most secure methods (the authenticator app, Windows Hello, and FIDO2 keys), but I have always been a bit skeptical. While I agree that some methods for MFA responses have security issues, people often overlook their practical advantages. Not everyone is ready to dump a valid authentication method. In this article, I want to take you on a journey to remove phone-based responses from your tenant while considering some practical implications. This is an important topic because Microsoft will soon introduce a system-preferred authentication policy that will make Azure AD accounts use the most secure method available to an account.
NTLM v1 and NTLM v2 vs Kerberos (3rd party)
NTLM v1, NTLM v2, and Kerberos are the authentication protocols used in Active Directory environments. They are also popular attack vectors, allowing attackers to gain access and elevate privileges. It’s crucial to choose the most secure protocol for your environment and configure it properly to mitigate these risks. NTLMv1 is the oldest of the three, while NTLMv2 offers incremental security enhancements. Kerberos authentication is notably more advanced and provides greater security than both NTLMv1 and NTLMv2.
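"Choose the most secure protocol" in practice means raising LmCompatibilityLevel to 5 (send NTLMv2 only, refuse LM and NTLMv1) and then shrinking NTLM usage in favour of Kerberos, and both steps need a list of what still speaks NTLMv1 first. The following is an added example, not code from the article: it reads the current level and pulls the NTLMv1 logons out of the Security log on a domain controller by looking at the LmPackageName field of event 4624, which is "NTLM V1" or "NTLM V2" for NTLM logons and "-" otherwise. It assumes Logon auditing is enabled (4624 is recorded) and that it is run elevated.

```powershell
# Added example (not from the linked article): inventory NTLMv1 authentication before
# raising LmCompatibilityLevel, and show the NTLM vs Kerberos mix. Run elevated on a DC.

function Get-LogonSummary {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read named fields from the event XML instead of relying on positional indexes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Package     = $d.AuthenticationPackageName      # Kerberos, NTLM, Negotiate ...
            LmPackage   = $d.LmPackageName                  # 'NTLM V1', 'NTLM V2' or '-'
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
        }
    }
}

# Current local setting: 0-5, where 5 = send NTLMv2 only and refuse LM and NTLMv1. Unset means OS default.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { 'LmCompatibilityLevel not set (OS default applies)' } else { "LmCompatibilityLevel = $level" }

$logons = Get-LogonSummary -Days 7

'--- Authentication package mix ---'
$logons | Group-Object Package | Select-Object Count, Name | Sort-Object Count -Descending

'--- NTLMv1 users and hosts (these break at level 5) ---'
$logons |
    Where-Object { $_.LmPackage -eq 'NTLM V1' } |
    Group-Object User, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Old NAS appliances, network printers doing LDAP or SMB with NTLMv1, and line-of-business applications that hard-code NTLM are the usual entries on that list. Once it is empty, the second half of the job (NTLM to Kerberos) is measured with the same summary: the NTLM share of the package mix should keep falling as SPNs are registered and hosts are addressed by name rather than IP.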
According to Microsoft in early 2024, only 38% of Entra ID accounts use multifactor authentication (MFA). Although this percentage has improved over the years, it remains alarmingly low. Another concern is that many think that SMS-based challenge/response is an adequate authentication method. As Thijs Lecomte points out in a 2023 article, it’s long past time to move away from phone-based authentication methods to something offering better protection against phishing attempts.
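The practical implication both articles circle around is the same: a user whose only registered second factor is a phone number is locked out the moment SMS and voice are disabled. The following is an added example, not code from either article: it uses the Microsoft Graph PowerShell SDK to list the users whose registered methods, other than password and SSPR-only methods, are all phone-based, with admins first, so that those accounts can be migrated to Authenticator or passkeys before the policy changes. It assumes the SDK is installed and the signed-in account holds the permissions named in the scopes; the commented-out line at the end is the tenant-wide switch for SMS and is deliberately not executed.

```powershell
# Added example (not from the linked articles): find users who would lose MFA entirely
# when phone-based methods are disabled. Assumes the Microsoft.Graph SDK.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
# Registered but not usable as an MFA second factor; ignore them when judging coverage.
$notMfa       = @('password', 'email', 'securityQuestion')

function Get-PhoneOnlyMfaUsers {
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    foreach ($u in $details) {
        $registered = @($u.MethodsRegistered)
        $strong     = $registered | Where-Object { $phoneMethods -notcontains $_ -and $notMfa -notcontains $_ }
        $phone      = $registered | Where-Object { $phoneMethods -contains $_ }
        if ($phone -and -not $strong) {
            [pscustomobject]@{
                User    = $u.UserPrincipalName
                IsAdmin = $u.IsAdmin
                Methods = ($registered -join ', ')
            }
        }
    }
}

$atRisk = Get-PhoneOnlyMfaUsers
"$($atRisk.Count) users rely on phone-based methods alone"
$atRisk | Sort-Object IsAdmin -Descending, User | Format-Table -AutoSize

# When the list is empty, disable SMS in the authentication methods policy (Voice is the
# 'Voice' configuration with voiceAuthenticationMethodConfiguration). Left commented on purpose.
# Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
#     -AuthenticationMethodConfigurationId 'Sms' `
#     -BodyParameter @{ '@odata.type' = '#microsoft.graph.smsAuthenticationMethodConfiguration'; state = 'disabled' }
```

A registration campaign (Authentication methods > Registration campaign) pushes exactly the users on this list towards Authenticator at sign-in, which is the low-friction route to emptying it; the admin accounts on it should be moved to FIDO2 or device-bound passkeys rather than waiting for a campaign.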
Information Protection and Management
Microsoft Purview Audit provides an integrated solution to help organizations effectively respond to security incidents, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Today, we are excited to announce the upcoming launch of the Microsoft Purview Audit Search Graph API, a new capability that is currently in Public Preview and will be Generally Available by June 2024. With this release, Microsoft Purview Audit will offer a new API available through Microsoft Graph to programmatically search and retrieve relevant audit logs with improvements in search completeness, reliability, and performance.
I explained the concept of retention labels and related use cases in some of my previous posts. However, sometimes you not only want to retain documents and content and prevent their deletion for a certain number of years, but you might also want to prevent the editing of documents altogether because those documents represent official company records. So, in this article, I would like to explain the concept of a Record Label, how to set a document as a Record via retention labels, and several important nuances.
In my last article about Microsoft 365 Backup, I explained that I liked the ease of use of the product but had problems restoring data to SharePoint Online sites and OneDrive for Business accounts. Here I want to discuss the cost of using Microsoft 365 Backup (preview). Microsoft charges for backups on a pay-as-you-go basis at a rate of $0.15/month per gigabyte of protected content. The costs are paid through an Azure subscription. The documentation includes a calculator to help estimate how much it will likely cost to use Microsoft 365 Backup. An essential part of that is to know the size of the sites, accounts, and mailboxes chosen for backup.
Device Management
In the ever-evolving landscape of technology, the history of vulnerable drivers in Windows operating systems stands as a testament to the constant battle between innovation and security. From its inception, Windows has been a prime target for malicious actors seeking to exploit vulnerabilities in its drivers. These vulnerabilities, often overlooked, have played a significant role in the history of Windows, shaping its security policies and prompting a continuous cycle of patches and updates. The technique known as Bring Your Own Vulnerable Driver (BYOVD) has become a favored strategy among threat actors. This involves introducing a digitally signed and trusted vulnerable driver into the kernel and exploiting it to gain kernel-level access. With this access a threat actor can undermine security measures, extract sensitive credentials, or alter system behavior to remain undetected.
Microsoft recommended driver block rules (1st party)
Microsoft has strict requirements for code running in the kernel. So, malicious actors are turning to exploiting vulnerabilities in legitimate, signed kernel drivers to run malware in the kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and the security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against non-Microsoft-developed drivers across the Windows ecosystem.
LAPS is deployed in many of my enterprise clients. But the classic version has an issue. It is based on on-premises technologies, like Windows Active Directory, which makes it hard to use in a modern workspace, especially when the Windows endpoint is cloud-managed: there is no Windows Active Directory for those endpoints, and the classic version of LAPS does not work in this situation. To address the problem, Microsoft recently released a revamped version of LAPS that can store the local admin password in Entra ID to work with cloud-managed endpoints. Let’s get into the details about deploying LAPS and how to leverage this solution to further enhance the security of Windows endpoints.
Group Policy Guide for Baseline Hardening (3rd party)
Creating a safe and secure environment is a top priority for all types of organizations. To accomplish this goal, it is essential to adhere to group policy best practices, particularly in the realm of GPO security. By configuring fundamental Group Policy Settings correctly, organizations can significantly enhance their security posture. When Group Policies are utilized effectively, they play a crucial role in safeguarding users’ computers from various threats and potential breaches.
This week is basically a brief follow-up on one of my sessions at the Modern Endpoint Management Summit 2024. More specifically, my session about Protecting corporate data on personal Windows devices – Your options. During that session I went into a bit more detail about the discussion that I started earlier on Twitter/X around enrolling personal Windows devices. My opinion around that might be lightly biased from what I’ve seen over the years, but I do think that I can provide some insights into why I think that it’s not a good idea to enroll personal Windows devices. In this blog post, I’ll provide a short summary of what I’ve shared during my session. It’s good to have an opinion, but it’s even better to actually add some context to that opinion.
Scripting and Automation
The enterprise journey toward operational excellence is ongoing, and the adoption of hyperautomation has become a pivotal milestone. Microsoft Power Platform stands at the forefront of this movement, offering a suite of tools that transform the way businesses approach digital transformation at scale – and Microsoft Power Automate is a key accelerator. Imagine a world where every repetitive task, every mundane process, and every time-consuming operation is transformed into a symphony of automated actions, working in perfect harmony to deliver results at lightning speed. This isn’t just a fantasy; it’s a reality that Power Automate can bring, and it’s revolutionizing the way enterprises operate on a global scale.
Like many other languages, PowerShell has commands for controlling the flow of execution within your scripts. One of those statements is the switch statement and in PowerShell, it offers features that aren't found in other languages. Today, we take a deep dive into working with the PowerShell switch.
From zero to hero VSCode, PSADT and GIT with Chris Gerke (3rd party) [VIDEO]
In this comprehensive tutorial, Chris Gerke demonstrates the powerful combination of VSCode, PowerShell App Deployment Toolkit (PSADT), and Git for creating streamlined Win32 app deployments within Intune. He emphasizes the toolkit’s utility in filling gaps that Intune hasn’t yet addressed, comparing it favorably to SCCM. The video walks viewers through forking the toolkit from GitHub, setting up a personal repository, and cloning it to a local machine. Chris showcases VSCode’s integrated terminal, customizable settings, and the ability to make the shell project-aware. He also highlights the importance of creating a template system to simplify the build process and introduces viewers to useful extensions like PowerShell and Todo Tree. The tutorial concludes with a demonstration of using VSCode’s task runner to execute the toolkit help, illustrating how to install applications like 7-Zip using the toolkit’s auto-detection for MSI files.
PSAppDeployToolkit 3.10.0 Released (3rd party)
The latest release of PSAppDeployToolkit, version 3.10.0, introduces a suite of powerful enhancements and fixes that streamline software deployment and management. Notably, it adds the capability to configure Microsoft Edge Extensions, simplifies file operations with Robocopy integration, and enhances user interface elements for High DPI support. Additionally, it improves multi-language support with updated translations, and boosts performance with optimized codebase and functions. This release also addresses several issues, ensuring a smoother and more reliable toolkit experience for administrators and users alike.
Create Tabs that Transform Your Power Apps Gallery! (3rd party) [VIDEO]
This video tutorial, hosted by Laura Rogers and Joelle Jobson, provides a comprehensive guide on creating tabs in Power Apps galleries to mimic filtered SharePoint views. The presenters demonstrate how to design tabs that act as filters for a SharePoint list, allowing users to view data by different statuses like ‘Active’, ‘Quote Sent’, or ‘Statement of Work Sent’. They explain the process of setting up variables to filter the gallery, customizing the appearance of tabs, and managing gallery visibility based on the selected tab. Additionally, they discuss performance considerations when using multiple galleries and the use of collections to improve app performance. The tutorial also covers inserting images in galleries and utilizing metadata like thumbnails and extracted text from SharePoint documents.
Security Tools and Guides
The domain name code.microsoft.com has an interesting story behind it. Today it’s not linked to anything, but that wasn’t always true. This is the story of one of my most successful honeypot instances and how it enabled Microsoft to collect varied threat intelligence against a broad range of actor groups targeting Microsoft. I’m writing this now as we’ve decided to retire this capability. In the past the domain ‘code.microsoft.com’ was an early domain used to host Visual Studio Code and some helpful documentation. The domain was active until around 2021, when this documentation was moved to a new home. The site behind the domain was an Azure AppService site that performed the redirection, thus preventing existing links from being broken. Sometime around mid-2021 the existing Azure AppService instance was shut down, leaving code.microsoft.com pointing to a service that no longer existed. This created a vulnerability.
Microsoft Secure in San Francisco (1st party) [AUDIO]
On this week's episode of The Microsoft Threat Intelligence Podcast, Sherrod DeGrippo is Live from Microsoft Secure in San Francisco and is joined by Brandon Dixon and Vasu Jakkal. As Group Product Manager for Security Copilot, Brandon is helping to shape how generative AI is used to empower professionals to focus on what matters most. Brandon reflects on how security practices have changed, mental health in the security industry and how AI can empower individuals in the tech and infosec fields. Vasu discusses her passion for cybersecurity and its impact on global safety. She emphasizes the importance of inclusivity and optimism in tackling security challenges and shares her journey into cybersecurity, which was influenced by her love for technology instilled by watching Star Trek. Vasu also highlights the transformative potential of AI, particularly Microsoft Copilot for Security, in enhancing defense capabilities and catching new threats.
CISA - Protective Domain Name System Resolver Service (3rd party) [PDF]
The Cybersecurity and Infrastructure Security Agency (CISA) will offer its Protective Domain Name System (Protective DNS) Resolver Service as part of CISA’s broader effort to provide federal agencies with high performing, cost-effective cyber solutions that secure federal networks and enhance the government’s cybersecurity position at large. CISA’s Protective DNS Resolver Service is a device-centric service that secures and blocks government web traffic from reaching malicious destinations, and alerts security organizations within agencies when incidents occur. This service uses state-of-the-art DNS technologies and commercial threat intelligence to prevent malicious DNS content from compromising government networks, devices, and information.
The Only PowerShell Command You Will Ever Need to Find Out Who Did What in Active Directory (3rd party)
While the title of this blog may be a bit of an exaggeration, the command I'm trying to show here does its best to deliver on the promise. What you're about to witness here is something I've worked on for a while now, and it meets my basic needs. If you don't have a SIEM product or products that monitor who does what in Active Directory, this command makes it very easy, even for people who don't have much experience in reading Event Logs. If you'd like to learn about working with Windows Event Logs, here's a great article I wrote recently: PowerShell – Everything you wanted to know about Event Logs and then some. This blog entry is based on the PSWinReporting (more specifically PSWinReportingV2) PowerShell module, just in case you wonder.
Microsoft News
Azure high-performance computing leads to developing amazing products at Microsoft Surface (1st party)
The Microsoft Surface organization exists to create iconic end-to-end experiences across hardware, software, and services that people love to use every day. We believe that products are a reflection of the people who build them, and that the right tools and infrastructure can complement the talent and passion of designers and engineers to deliver innovative products. Product level simulation models are routinely used in day-to-day decision making on design, reliability, and product features. The organization is also on a multi-year journey to deliver differentiated products in a highly efficient manner. Microsoft Azure HPC plays a vital role in enabling this vision. Below is an account of how we were able to do more with less by leveraging the power of simulation and Azure HPC.
Sanctuary AI Announces Microsoft Collaboration to Accelerate AI Development for General Purpose Robots (3rd party)
Sanctuary AI, a company on a mission to create the world's first human-like intelligence in general purpose robots, is collaborating with Microsoft on the development of AI models for general purpose humanoid robots, including Sanctuary AI’s Phoenix. Sanctuary AI and Microsoft will work together to bolster AI research and development, and Sanctuary AI will leverage Microsoft’s Azure cloud resources for their AI workloads. Building on the foundation of Large Language Models (LLMs), Sanctuary AI is making progress towards "Large Behavior Models" (LBMs) that ground AI in the physical world by enabling systems to understand and learn from real world experience.
This post discusses Microsoft’s response to criticism from the US Department of Homeland Security regarding their security practices and provides some critical (in both senses of the word) feedback about how this sits in the real world. Kevin Beaumont, a former Microsoft employee, shares insights on internal challenges and discusses the company’s recent efforts to improve transparency and governance in security matters, suggesting that these changes are crucial for Microsoft to regain trust and lead in cybersecurity. He highlights the company’s new cybersecurity focus, with six prioritized security pillars aimed at enhancing internal corporate systems. The post emphasizes the importance of Microsoft’s role in societal safety due to its vast influence and the need for addressing accumulated security debt.
Security News
Attackers are constantly seeking new vulnerabilities to compromise Kubernetes environments. Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity. Microsoft highly recommends that customers check clusters that run an OpenMetadata workload and make sure that the image is up to date (version 1.3.1 or later). In this blog, we share our analysis of the attack, provide guidance for identifying vulnerable clusters and using Microsoft security solutions like Microsoft Defender for Cloud to detect malicious activity, and share indicators of compromise that defenders can use for hunting and investigation.
Foreign malign influence in the U.S. presidential election got off to a slower start than in 2016 and 2020 due to the less contested primary season. Russian efforts are focused on undermining U.S. support for Ukraine while China seeks to exploit societal polarization and diminish faith in U.S. democratic systems. Additionally, fears that sophisticated AI deepfake videos would succeed in voter manipulation have not yet been borne out but simpler “shallow” AI-enhanced and AI audio fake content will likely have more success. These insights and analysis are contained in the second Microsoft Threat Intelligence Election Report published today.
The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days. The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. MITRE has since notified affected parties of the breach, contacted relevant authorities, and is now working on restoring "operational alternatives."
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. It's worth noting that while neither of the issues is critical enough on its own, when chained together they could lead to unauthenticated remote shell command execution.
Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces. In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said. The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.
A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. While most of the malware activity has been based around the Microsoft GitHub URLs, this "flaw" could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures. Yesterday, McAfee released a report on a new Lua malware loader distributed through what appeared to be legitimate Microsoft GitHub repositories for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg, and the STL library.
The council for Comhairle nan Eilean Siar, also known as the Outer Hebrides — the chain of islands off the west coast of Scotland — has said it may cost up to £500,000 to repair its computer systems following a ransomware attack last November. An update about the response to the incident from the local authority, which governs more than 26,000 people, was delivered Tuesday in Stornoway, the largest town in the Outer Hebrides.
Industry Specific News
Customer Service - Transform the service experience with Microsoft Copilot for Service | Demo (1st party) [VIDEO]
The video showcases Microsoft Copilot for Service, a powerful assistant designed to enhance customer service experiences. Edgar Wilson, a customer service agent, demonstrates how Copilot integrates with tools like Microsoft 365, Outlook, Teams, and CRM systems such as Salesforce, ServiceNow, Zendesk, and Dynamics 365. Copilot streamlines workflows by summarizing emails, providing context, and drafting responses using generative AI to analyze CRM data and internal knowledge bases. It enables quick resolution of customer issues, like expediting orders and addressing damaged products, directly within the service platform. The demo highlights Copilot’s ability to improve efficiency, customer satisfaction scores, and first call resolution rates, marking a significant step towards service excellence.
Energy - From pledge to action: Enabling the multidimensional energy transition with data and AI (1st party)
There is no denying the need to accelerate the shift to cleaner energy, whether through cleaner hydrocarbons or renewables. Yet, the last few years have revealed that a global energy transition is more complex and less linear than we anticipated. While urgency builds for decarbonization, so does the demand for energy. Moreover, our economic growth and quality of life depend on the availability of affordable, cost-effective energy resources. Energy security is especially vital for the developing world, home to 80% of the global population. To ensure that no one is left behind amidst rapid change, resolving the energy trilemma is a top priority for the industry with a focus on decarbonization, security, and reliable access to affordable energy.
Healthcare - How AI can help cancer patients receive personalized and precise treatment faster (1st party)
During a typical 15- to 20-minute clinic visit with patients, oncologist Dr. Rom Leidner opens around 20 different files on his computer. They are pieces of a puzzle, creating a picture of the patient’s cancer – blood-test results, weight trends, radiology images, microbiology, pathology, cardiology, electronic messages from other doctors, electronic messages from patients, text pages from nurses and clinic staff, prescriptions, chemotherapy orders, insurance forms. For some files, he has to log in to specialized software for access. And after reviewing all that, he can actually examine the patient and discuss their cancer care. To keep to his schedule for seeing patients, Dr. Leidner and many doctors resort to spending their weekends copying and pasting all this information into medical charts ahead of time. “The last hope of our profession may well be AI-assisted curation of information streams that converge in the exam room,” says Dr. Leidner, a medical oncologist specializing in hematology at Providence Cancer Institute Franz Clinic in Portland, Oregon.
Manufacturing: Microsoft announces new industrial AI innovations from the cloud to the factory floor (1st party)
After years of uncertainty, from supply chain disruption and increased customer expectations to changes in consumer demand and workforce shortages, manufacturing remains one of the most resilient and complex industries. Today, we are witnessing the manufacturing industry enter a transformative era, fueled by AI and new AI-powered industrial solutions. This AI-driven shift is prompting many organizations to fundamentally alter their business models and re-evaluate how to address industry-wide challenges like data silos from disparate data estates and legacy products, supply chain visibility issues, labor shortages, and the need for upskilling employees, among others. AI is more than just an automation tool; it’s a catalyst for innovation, efficiency and sustainability. AI innovation creates an opportunity to help manufacturers enhance time-to-value, bolster operations resilience, optimize factory and production costs and produce repeatable outcomes. Ahead of Hannover Messe, one of the world’s largest manufacturing innovation events, Microsoft is announcing new AI and data solutions for manufacturers to help unlock innovation, enable intelligent factories, optimize operations and enhance employee productivity.
Happy National Nurses Day. Impressive stats on the newsletter growth, keep up the good work.
Ryan Parsons