Work and live with IT

/en/jit-role-assignment-microsoft-defender/images/PIMMicrosoft365Defender.png

Just-In-Time role assignment in Microsoft Defender

Fabian Bader published on 2021-11-29 included in Azure AD Entra ID Identity and Access Security Defender for Endpoint

For a long time assigning multiple Entra ID (Azure AD) roles to a user was a tedious task in not done via a script. Every role assignment had to be made separately. This also made it hard to change role assignments for a group of people. That all changed when Microsoft introduced Entra ID (Azure AD) role-assignable groups. It is now possible to assign multiple roles to one group and add the users to this group.

/en/manage-group-policies-powershell/images/Preview.png

Manage group policies with PowerShell

Fabian Bader published on 2021-11-22 included in Active Directory GPO PowerShell HHPSUG

Despite Intune, DSC and Azure AD; group policies are still a widely used method to manage Windows clients and servers in many companies. However, the MMC is not really suitable for managing several hundred GPOs. But that’s what PowerShell is designed for.

/en/alert-sensitive-ad-groups-mdi/images/Preview.png

Alert changes to sensitive AD groups using MDI

Fabian Bader published on 2021-11-05 included in Active Directory Defender for Identity Identity and Access Advanced Hunting KQL

Microsoft Defender for Identity is a very powerful tool when it comes to track changes to users and groups in your on-prem Active Directory. When used in combination of the advanced hunting capabilities available in the Microsoft 365 Defender portal and custom detection rules you can very easily automate the change tracking. If you protect any on-prem Active Directory, you should be aware to changes to any privileged groups. Microsoft itself list a few of them in their documentation on Active Directory Domain Services and in the Defender for Identity documentation adds additional ones.

/en/automated-response-c2-traffic-devices/images/Preview.png

Automated response to C2 traffic on your devices

Fabian Bader published on 2021-10-18 included in Defender for Endpoint Security Advanced Hunting KQL

The Feodo Tracker from abuse.ch provides a list of active ip addresses that are used for C2 servers. With MDE and a bit automation you can easily block your clients connecting to those servers and get an alert if they do.

/en/defender-identity-npcap-windows-server-2022/images/Preview.png

Defender for Identity, Npcap on Windows Server 2022

Fabian Bader published on 2021-10-05 included in Defender for Identity Security Windows Server

Microsoft Defender for Identity is a very useful tool for gaining deep insight into an Active Directory environment. The agents installed on each domain controller collect information directly from the server’s network traffic and forward it to Microsoft Defender. For this analysis, the agent uses the WinPcap driver by default. This leads to the following error message on a Windows Server 2022 even under moderate load: However, the CPU, RAM and network load of the affected domain controller is not particularly high.

/en/bypass-sensitivity-label-restrictions/images/Preview.png

Bypass sensitivity label restrictions with mobile Edge and conditional access policies

Fabian Bader published on 2021-08-30 included in Azure AD Entra ID Conditional Access Identity and Access Microsoft Information Protection Security KQL

Vulnerability assesment by MSRC Severity Important Security Impact Security Feature Bypass Scope of the security vulnerability This article describes a security vulnerability that allowed an authenticated Microsoft 365 user to bypass additional protective measures based on sensitivity labels to download content to an unmanaged device. The user could not access files that she otherwise would not have access to. Fixed The issue has now been fixed by Microsoft and it is no longer possible to reproduce this behavior.