Watch out bad guys, here comes Windows Defender ATP

Busy days: we had WannaCry remind us about the importance of patch compliance and mitigation (add political pun about encryption and weapons), and we saw IT and business rally to mitigate, patch and get their heads above water.

NotPetya spread over the same attack vector, using PsExec together with the SMBv1 vulnerability, but had a much more complicated payload, which turned out not to be ransomware but a wiper prompting for a ransom, allowing no way to decrypt and essentially rendering the data lost.


So with that in mind I decided to write a post about the upcoming Windows 10 Fall Creators Update, touching on Windows Defender ATP and security in general, and my thoughts surrounding it.


First off, it integrates Windows Defender Advanced Threat Protection (ATP) into Windows 10, essentially unifying the Windows threat protection stack.

To sum it up, it’s built in and not added on.

Security is complicated. It involves layer upon layer: exterior security, interior security, network, information, OS hardening, user training and so on.

One of the best things with ATP?

It integrates with cloud intelligence and the rest of your security, giving you a single pane of glass for administration.

Figure: Windows Defender ATP dashboard view

Now what is the ATP? It covers a range of features such as:

Windows Defender Exploit Guard

Windows Defender Exploit Guard (WDEG) uses information from the Microsoft Intelligent Security Graph (ISG) and provides a heavy set of intrusion rules and policies to assist in preventing advanced threats, as well as zero-day exploits.

Figure: Machine timeline from Exploit Guard

Windows Defender Application Guard

A real winner here, I believe; we’ll see how it turns out when it goes live for everyone, but I like the idea of Windows Defender Application Guard (WDAG) because even if the OS stack and network stack are secure, that does not necessarily mean your third-party applications, for example your browser, are. Case in point: when Tim in accounting accidentally downloads malware, or Rambo in security triggers a zero-day worm whilst researching in the wrong container, WDAG will isolate and contain the threat, keeping your device, apps and data secure. At least in theory.

Windows Defender Device Guard

Also integrated into ATP, Device Guard allows whitelisting of applications on a per-device basis. If anything, it gives the Security Operations Center better insight and automated application control, and the integration of Device Guard into ATP gives organizations an easy implementation.

So what?

Well, improved detection and response capabilities and a growing detection dictionary that includes more indicators of attack (IoA), with a large suite gathered into one product in the Windows threat protection stack, will allow you to remedy, as well as spot, weaknesses far faster than before, and reduces the overhead and the custom implementations required to make all the systems “talk”.


So what is my take from this? I thoroughly believe that the creator of a product (Microsoft) is most likely the best to create a security solution best suited for their product (Windows and surrounding services).


To sum it up, ATP integrated with Windows 10 and Cloud Intelligence (Office 365, Microsoft Azure) will be a huge step in the right direction, and a valuable asset to any Service Operations Center or IT operations team.


As always, if you have any suggestions about topics, articles, how-to’s and whatnot, hit me up here or on twitter at @UlvBjornsson.

Microsoft Azure: Configuring auto-shutdown

So, in Azure you pay for what you use. If it’s on (or allocated), you are paying for it until it is deallocated.

So what can we do to save costs? We can configure automatic shutdown.


So if we open “Auto-shutdown” in the left panel of the VM:


So let’s enable it and set our preferred time for shutdown. Ensure that you have configured the time zone correctly so that it shuts down when you expect it to.


There you go, you’ve configured automatic shutdown on a schedule.
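The same schedule can be created without the portal. The script below is an added example, not part of the original post: it uses Azure PowerShell (Az module) to provision the DevTestLab shutdown schedule that the portal creates behind the scenes, and then reads it back so you can confirm the time and time zone. The resource group, VM name, time and time zone are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Assumes the Az module is
# installed and that the account used can write to the VM's resource group.
$resourceGroup = "rg-example"              # placeholder
$vmName        = "vm-example"              # placeholder
$shutdownTime  = "1900"                    # HHmm, 24-hour clock
$timeZone      = "W. Europe Standard Time" # set this explicitly; the default is UTC

Connect-AzAccount | Out-Null

# The schedule targets the VM by resource id and lives in the VM's resource group
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# Property names follow the DevTestLab schedule resource the portal provisions
$properties = @{
    status               = "Enabled"
    taskType             = "ComputeVmShutdownTask"
    dailyRecurrence      = @{ time = $shutdownTime }
    timeZoneId           = $timeZone
    targetResourceId     = $vm.Id
    notificationSettings = @{
        status        = "Disabled"   # no pre-shutdown notification
        timeInMinutes = 30
    }
}

# The portal names the schedule "shutdown-computevm-<vmname>"; keep that convention
New-AzResource -ResourceType "Microsoft.DevTestLab/schedules" `
    -ResourceName "shutdown-computevm-$vmName" `
    -ResourceGroupName $resourceGroup `
    -Location $vm.Location `
    -Properties $properties `
    -Force | Out-Null

# Verify: read the schedule back and check time and time zone before relying on it
$schedule = Get-AzResource -ResourceType "Microsoft.DevTestLab/schedules" `
    -ResourceName "shutdown-computevm-$vmName" `
    -ResourceGroupName $resourceGroup `
    -ExpandProperties

"Shutdown at {0} ({1}), status {2}" -f $schedule.Properties.dailyRecurrence.time,
                                        $schedule.Properties.timeZoneId,
                                        $schedule.Properties.status
```

Running this in a loop over Get-AzVM output lets you apply one shutdown policy to every VM in a subscription instead of clicking through each one.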

Next up, we’ll be looking at runbooks and the possibility of turning your virtual machines off, but also on again, on a fixed schedule.

Stay tuned for more, and as always you can reach me here or over on twitter at @UlvBjornsson.

If you are curious about the Azure exam 70-533, you can check out my write up on it over here.

Until next time!

Ulv

Powershell: Move objects from OU to target OU

A simple way to move computers from one OU to a target OU using –LDAPFilter, which you can adjust to your needs. In its current form the filter is (objectClass=*), meaning it will move every object under the source OU to the target OU; you can change this to (name=PC*), with * being a wildcard, to move only objects whose name starts with PC from the source OU to the target OU.

<#
.SYNOPSIS
Moves AD objects matching -LDAPFilter from a source OU to a target OU.

.DESCRIPTION
Searches the given Active Directory OU (SearchBase) and moves every computer object matching the LDAP filter to the target OU.

.PARAMETER SearchBase
Distinguished name of the OU you wish to limit the search to.

.PARAMETER TargetPath
Distinguished name of the OU the matching objects are moved to.

.PARAMETER LDAPFilter
LDAP filter selecting the objects to move. The default (objectClass=*) matches everything under SearchBase.

.NOTES
Version:        1.0
Author:         ulbjo
Creation Date:  07/06/17
Purpose/Change: Initial script development

.EXAMPLE
-LDAPFilter "(name=PC*)" filters the search and moves only computers whose name starts with PC to the target OU.
#>
param(
    [string]$SearchBase = "CN=Computers,DC=Customer,DC=ulvbjornsson,DC=com",
    [string]$TargetPath = "OU=Computers,OU=Production,DC=Customer,DC=ulvbjornsson,DC=com",
    [string]$LDAPFilter = "(objectClass=*)"
)

Import-Module ActiveDirectory

# Collect every computer object under the source container that matches the filter
$computerstomove = Get-ADComputer -LDAPFilter $LDAPFilter -SearchBase $SearchBase

# Move each match to the target OU (add -WhatIf to Move-ADObject for a dry run first)
foreach ($computertomove in $computerstomove) {
    Move-ADObject -Identity $computertomove -TargetPath $TargetPath
}

# Alternative filter: only computers whose name starts with PC
#(name=PC*)


As always, hit me up. I have a lot of articles in the pipeline, so stay tuned.

You can find me here, or interact with me over on twitter at @UlvBjornsson.