Category: Security

Guardians of the Local Admin rights

Granting your users local admin permissions when deploying Windows 10 is really, really best practice… I’m joking, no it’s not! I must have been saying this a lot lately. You need to be certain all of your endpoints are managed, so you can make sure your users don’t have local admin permissions. You don’t believe me that your endpoints need to be managed? Take a look at these two examples (Alex Fields): Removing local admin permissions mitigates a lot of critical Microsoft…

Read More

The never-ending Command Prompt

Some time ago I showed you the options you have to block administrative tools like CMD and Regedit. In the latest Insider Preview build (20185) I noticed a new ADMX file. So we can block cmd and regedit by configuring a CSP, right? I enrolled a new Windows 10 Enterprise VM and updated it to the latest Insider Preview build. After my new VM was configured, I tried to configure this CSP by creating a new device configuration profile like this:…

Read More

The Place Beyond the Guests

Restricting guest access is very important. Normally you don’t want a guest user to be able to enumerate the membership of your groups. Of course, there are situations in which you don’t want to change this setting. You can simply change it under the external collaboration settings in the Azure AD portal (https://aka.ms/AADRestrictedGuestAccess), or just use PowerShell. Add this setting to your enrollment template so it isn’t forgotten when enrolling a new customer:

Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'

Conclusion:…

Read More
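A worked version of that one-liner, added here as an example and not taken from the post: it reads the current GuestUserRoleId back, maps it to the three documented access levels, only writes when the tenant is not already restricted, and then reads the policy again to prove the change stuck. It assumes the AzureAD module and an existing Connect-AzureAD session with a Global Administrator account; the function names are mine.

```powershell
# Added example: verify and enforce "restricted" guest access with the AzureAD module.
# Assumes Connect-AzureAD has already been run as a Global Administrator.

# The three documented GuestUserRoleId values of the Azure AD authorization policy.
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members'
    '10dae51f-8b7a-4aa6-8e50-e31c8d9e4cf0' = 'Limited access to properties and memberships of directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to properties and memberships of their own directory objects'
}
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Get-GuestAccessLevel {
    # Read the tenant-wide authorization policy (there is exactly one).
    $policy = Get-AzureADMSAuthorizationPolicy
    $id = "$($policy.GuestUserRoleId)".ToLower()
    [pscustomobject]@{
        GuestUserRoleId = $id
        Description     = if ($GuestRoleNames.ContainsKey($id)) { $GuestRoleNames[$id] } else { 'Unknown value' }
        IsRestricted    = ($id -eq $RestrictedGuestRoleId)
    }
}

function Set-RestrictedGuestAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-GuestAccessLevel
    Write-Verbose "Current guest access: $($before.Description) [$($before.GuestUserRoleId)]"
    if ($before.IsRestricted) {
        Write-Verbose 'Nothing to do, guest access is already restricted.'
        return $before
    }

    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Set GuestUserRoleId to $RestrictedGuestRoleId")) {
        # Same write as the post's one-liner; the policy object from Get-* supplies the Id.
        Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId $RestrictedGuestRoleId

        # Do not trust a silent Set-*: read the policy back and fail loudly if it did not stick.
        $after = Get-GuestAccessLevel
        if (-not $after.IsRestricted) {
            throw "Guest access is still '$($after.Description)' after the change."
        }
        return $after
    }
}

# Dry run first, then apply.
Set-RestrictedGuestAccess -WhatIf -Verbose
Set-RestrictedGuestAccess -Verbose
```

The setting is tenant-wide and applies to existing guests as well as new ones, so anything that relies on guests reading group membership (for example a guest-facing app that resolves group members) is exactly the kind of situation the post says you may not want to change; the -WhatIf run shows what would be written before you commit.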

Thank you for Application Guard for Office apps.

In this blog I will show you how to start testing Application Guard for Office apps. To make sure malware can’t get its foot in the door, you have to protect your endpoint, and hardening your Office apps is the first step. Some time ago Microsoft made it possible to isolate Office documents you open from an untrusted location… First you have to meet the minimum software and license requirements: Windows 10 Enterprise edition, client build version 2004…

Read More

Interview with the ASR rules

Protecting your devices with Windows Defender ASR rules is best practice, but… make sure you’re aware of the caveats. The sun was probably shining when you configured your ASR rules! Then you decided you wanted to use Solarwinds for monitoring your devices and pushed the agent to your endpoints, and suddenly the weather changed… If, like me, you packaged the Solarwinds agent as a Win32 app with the packaging tool and started deploying it to some test devices, you’ll notice a…

Read More
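An added example of how to find out which ASR rule is fighting a freshly deployed agent, and how to carve out an ASR-only exception for testing (example code, not the post’s own): it reads the ASR block and audit events that Defender writes to its Operational log, names the rule that fired and the process and file involved, and then adds an exclusion that only affects ASR rules rather than real-time protection. The rule-name table covers a handful of the documented rule GUIDs; the agent folder, and the 'ID', 'Path' and 'Process Name' field names read out of the event data, are assumptions to check against your own events.

```powershell
# Added example: triage ASR blocks on an endpoint and add an ASR-only exclusion.
# Run in an elevated PowerShell on the affected device.

# A few of the documented ASR rule GUIDs, for readable output (extend from the Microsoft reference).
$AsrRuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age or trusted-list criterion'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Get-AsrEvent {
    param([int]$Hours = 24)
    # 1121 = a rule blocked the action, 1122 = a rule in audit mode would have blocked it.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields rather than relying on positional Properties.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Field names as seen in 1121/1122 events (assumption): inspect the Fields member if yours differ.
        $ruleId = "$($data['ID'])".ToLower()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = if ($AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { '(see ASR rule reference)' }
            Process = $data['Process Name']
            Path    = $data['Path']
            Fields  = $data
        }
    }
}

function Add-AsrOnlyExclusion {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
    # ASR-only exclusion: the files are still scanned by real-time protection, unlike -ExclusionPath.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
}

# Which rule hit the new agent? Group by rule and process.
Get-AsrEvent -Hours 48 | Group-Object Rule, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Test the fix locally first; the agent install folder below is an illustrative assumption.
Add-AsrOnlyExclusion -Path 'C:\Program Files\SolarWinds\Agent'
```

Add-MpPreference only changes the local device; once the exclusion is confirmed to fix the test devices, the same path belongs in the ASR rules profile that manages the rest of the fleet, or Defender will keep re-blocking the agent wherever the profile wins.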

The men who stare at the AppLocker event log

This short blog will be about the curious case of AppLocker, MSI, Intune and the event log. As you probably already know, you can deploy your AppLocker baseline with PowerShell within a few minutes. Let’s take a look at AppLocker… When deploying AppLocker without Intune, you can check your configuration in the file system or the registry. File system: take a look at C:\Windows\System32\AppLocker; you’ll find all AppLocker policies in it. When using Intune, all AppLocker policies will be placed inside…

Read More

Reservoir update logs

Making sure your devices are up to date with the latest Microsoft updates is one of the key pillars of hardening your endpoints. Updating your devices through Intune is a piece of cake: setting up your Windows 10 update rings can be done within a few seconds, either manually or by automating the whole process. I personally like to automate the whole tenant deployment process. But that’s not the main reason for this blog. You need to ask yourself: how can I monitor my…

Read More

What Happened to Monitoring External Access to Your Data?

Some time ago I wrote a blog about securing your data, in which I described that this is only the first step in making sure your data is safe. For example, whilst working with Teams, did you think about the “shadow users”? These users are not members of your Teams or Microsoft 365 groups but can still somehow access your data. It’s very easy for an employee to share the whole Teams General folder from the SharePoint site without you noticing. An employee just has to click on “Share” to begin sharing it…

Read More
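One way to catch those shares after the fact, added here as an example and not the post’s own method: the unified audit log records every SharePoint sharing operation, including the person or group the item was shared with, so a short query can list the events that opened Teams content to guests or to “anyone with the link”. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with the Audit Logs role; the internal domain list and the function names are assumptions.

```powershell
# Added example: find sharing events that opened Teams/SharePoint content to people outside
# the tenant, using the unified audit log. Assumes Connect-ExchangeOnline has been run by an
# account holding the Audit Logs role. The internal domain list is an assumption; adjust it.

$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Test-ExternalTarget {
    param([string]$Target, [string]$TargetType)
    if ($TargetType -eq 'Guest') { return $true }        # B2B guest account
    if ($Target -like '*#EXT#*') { return $true }        # guest UPN form
    if ($Target -match '@([^@]+)$') {                    # e-mail style target: compare the domain
        return ($InternalDomains -notcontains $Matches[1].ToLower())
    }
    return $false                                        # SharePoint group, "Everyone", etc.
}

function Get-ExternalSharingEvents {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date)
    )
    # Operations written when someone shares an item or creates a sharing link.
    $ops = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated', 'SecureLinkCreated', 'AddedToSecureLink'
    $records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointSharingOperation -Operations $ops -ResultSize 5000

    foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        $anonymous = ($r.Operations -eq 'AnonymousLinkCreated')   # "Anyone with the link"
        $external  = $anonymous -or (Test-ExternalTarget -Target $d.TargetUserOrGroupName -TargetType $d.TargetUserOrGroupType)
        [pscustomobject]@{
            Time       = $r.CreationDate
            SharedBy   = $r.UserIds
            Operation  = $r.Operations
            Item       = $d.ObjectId            # full URL of the shared file or folder
            Target     = if ($anonymous) { '(anyone with the link)' } else { $d.TargetUserOrGroupName }
            TargetType = $d.TargetUserOrGroupType
            External   = $external
        }
    }
}

# Only the externally shared items, oldest first, so the root of a share stands out.
Get-ExternalSharingEvents | Where-Object External | Sort-Object Time | Format-Table -AutoSize
```

A share of the General folder shows up as one event whose Item is the folder URL, which is the entry to look for: every file underneath it is now reachable without a separate event. Search-UnifiedAuditLog returns at most 5000 records per call, so for a busy tenant page through the results with -SessionId and -SessionCommand ReturnLargeSet, or narrow the window.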

Basic Authentication and the Last Crusade

In this blog I’ll show you a new option to disable basic authentication protocols. As most of you probably know, Microsoft is going to disable basic authentication for Exchange ActiveSync, Remote PowerShell, Exchange Web Services, POP3 and IMAP4. You should disable POP3 and IMAP basic authentication in particular as soon as possible. Of course, implementing Conditional Access policies is the way to go; read my other blog to learn how to automate your Conditional Access deployment. If you don’t have the proper licensing for…

Read More
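For tenants without Conditional Access licensing, an added example (not the option the post goes on to describe) of blocking basic authentication with an Exchange Online authentication policy: it creates a policy with every AllowBasicAuth* switch off, verifies none was left open, pilots it on one mailbox with its refresh tokens expired so the block applies immediately, and leaves the tenant-wide default as the last step. It assumes a Connect-ExchangeOnline session as an Exchange administrator; the policy name and pilot mailbox are illustrative.

```powershell
# Added example: block basic authentication per mailbox (and then tenant-wide) with an
# Exchange Online authentication policy. Assumes Connect-ExchangeOnline has been run
# as an Exchange administrator; the policy name and pilot mailbox are illustrative.

$PolicyName = 'Block Basic Auth'

function New-BlockBasicAuthPolicy {
    $policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if ($policy) { return $policy }
    # A new policy blocks every basic auth protocol by default; the switches are spelled out
    # so a reviewer can see exactly which protocols are covered.
    New-AuthenticationPolicy -Name $PolicyName `
        -AllowBasicAuthActiveSync:$false `
        -AllowBasicAuthAutodiscover:$false `
        -AllowBasicAuthImap:$false `
        -AllowBasicAuthMapi:$false `
        -AllowBasicAuthOfflineAddressBook:$false `
        -AllowBasicAuthOutlookService:$false `
        -AllowBasicAuthPop:$false `
        -AllowBasicAuthPowershell:$false `
        -AllowBasicAuthReportingWebServices:$false `
        -AllowBasicAuthRpc:$false `
        -AllowBasicAuthSmtp:$false `
        -AllowBasicAuthWebServices:$false
}

function Test-BasicAuthBlocked {
    param([string]$Name = $PolicyName)
    $p = Get-AuthenticationPolicy -Identity $Name
    # Any AllowBasicAuth* property still set to $true is a protocol that is not blocked.
    $stillAllowed = $p.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        Select-Object -ExpandProperty Name
    if ($stillAllowed) {
        Write-Warning "Policy '$Name' still allows: $($stillAllowed -join ', ')"
        return $false
    }
    return $true
}

$null = New-BlockBasicAuthPolicy
if (-not (Test-BasicAuthBlocked)) { throw 'Authentication policy is not fully locked down.' }

# Pilot: one mailbox first, and invalidate its refresh tokens so the policy applies now
# rather than after the next token refresh.
$pilot = 'pilot.user@contoso.com'
Set-User -Identity $pilot -AuthenticationPolicy $PolicyName
Set-User -Identity $pilot -STSRefreshTokensValidFrom (Get-Date)

# Tenant default for every mailbox without an explicit policy (run after the pilot):
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
```

Unlike Conditional Access, an authentication policy is evaluated by Exchange itself, so it also covers clients that never reach Azure AD sign-in logs as interactive sign-ins; check the sign-in logs for legacy authentication protocols before flipping the tenant default, since whatever still uses POP3 or IMAP with a password will simply stop working.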

Sherlock Holmes: A Game of Powershell

My second blog in just one day, but sometimes you get scared as hell! Today at 13:00 AppLocker suddenly began blocking the famous __PSScriptPolicyTest files on all our Windows Server 2019 Remote Desktop servers. That’s very weird behaviour. Why on earth is this happening at the same time on all our 2019 servers? You almost feel like you need to prevent the collapse of Western civilization… no pressure. We are using Solarwinds as part of our SIEM (more on this subject…

Read More
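An added example that serves both the AppLocker event-log post above and this one (example code, not taken from either): a local AppLocker health check that reports which rule collections are in effect and in what mode, what the service has cached on disk and in the registry, and what the AppLocker logs say was blocked in the last day, with the PowerShell policy-test files flagged separately because a block on those is what pushes every new PowerShell session into Constrained Language Mode. It assumes an elevated session on the host being checked and GPO-delivered rules for the registry part; the function names are mine.

```powershell
# Added example: AppLocker health check for one host: effective policy, on-disk and
# registry artifacts, and recent block events. Run elevated.

function Get-AppLockerRuleSummary {
    # The effective policy is the merge of local, GPO and MDM-delivered policy.
    [xml]$pol = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $pol.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection = $rc.Type               # Exe, Dll, Msi, Script, Appx
            Mode       = $rc.EnforcementMode    # NotConfigured, AuditOnly, Enabled
            Rules      = @($rc.ChildNodes | Where-Object NodeType -eq 'Element').Count
        }
    }
}

function Get-AppLockerArtifacts {
    # Policy as the service cached it on disk, one *.AppLocker file per collection.
    $files = Get-ChildItem -LiteralPath "$env:SystemRoot\System32\AppLocker" -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
    # GPO-delivered rules land under SrpV2, one subkey per rule GUID (assumption: GPO, not MDM).
    $reg = Get-ChildItem 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Collection = $_.PSChildName; Rules = $_.SubKeyCount } }
    [pscustomobject]@{ Files = $files; Registry = $reg }
}

# Event IDs per AppLocker log: "would have blocked" (audit) and "blocked" (enforce).
$AppLockerLogs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = @{ Audit = 8003; Block = 8004 }
    'Microsoft-Windows-AppLocker/MSI and Script' = @{ Audit = 8006; Block = 8007 }
}

function Get-AppLockerBlockEvents {
    param([int]$Hours = 24, [switch]$IncludeAudit)
    foreach ($log in $AppLockerLogs.Keys) {
        $ids = @($AppLockerLogs[$log].Block)
        if ($IncludeAudit) { $ids += $AppLockerLogs[$log].Audit }
        $filter = @{ LogName = $log; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # AppLocker events carry their details in UserData/RuleAndFileData.
            $info = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time = $_.TimeCreated
                Log  = $log.Split('/')[1]
                Mode = if ($_.Id -in 8004, 8007) { 'Block' } else { 'Audit' }
                User = $info.TargetUser         # SID of the user who ran the file
                File = $info.FilePath           # uses %OSDRIVE%, %SYSTEM32% style variables
                Hash = $info.FileHash
                # PowerShell drops __PSScriptPolicyTest_*.ps1 files to probe AppLocker; when they
                # are blocked, every new PowerShell session runs in Constrained Language Mode.
                IsPsPolicyTest = ($info.FilePath -like '*__PSSCRIPTPOLICYTEST_*')
            }
        }
    }
}

Get-AppLockerRuleSummary | Format-Table -AutoSize
Get-AppLockerArtifacts
# What got blocked, grouped by file, so a sudden burst (like the policy-test files) stands out.
Get-AppLockerBlockEvents -Hours 24 | Group-Object Log, File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

When the same burst of 8007 events appears on every server at the same minute, compare the LastWriteTime of the cached policy files and the Mode column across hosts first: a policy that flipped from AuditOnly to Enabled, or a script collection that lost its rule for the user’s temp folder, explains a fleet-wide change far more often than anything on the individual servers does.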