Nathan McNulty
Jesus follower, family man, security solutions architect, love to learn and teach | Board @OpsecEdu | @TribeOfHackers | AD, Azure, M365 + Defender, MEM, etc
Apr 21 13 tweets 10 min read
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you

You will need an Azure subscription, but the first 500 minutes/month are free!

Here's an example of how to automate Azure AD device cleanup :)

First, we're going to log into the Azure portal: portal.azure.com

Search for Automation and click on Automation Accounts

Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
Nov 10, 2021 9 tweets 3 min read
Lots of good patches today. Doing a quick thread on them as some of these have Event IDs that should be collected.

Domain controller impersonation using sAMAccountName spoofing

After applying KB5008102, collect System Log Event IDs 16990-16991 on DCs

support.microsoft.com/en-us/topic/kb…

To discover non-compliant sAMAccountName values (computer accounts whose name does not end in "$"):

Get-ADComputer -LDAPFilter '(sAMAccountName=*)' | ? SamAccountName -NotLike '*$' | select DNSHostName, Name, SamAccountName

Non-compliant UserAccountControl (computer accounts with the NORMAL_ACCOUNT bit 512 set; 1.2.840.113556.1.4.803 is the LDAP bitwise AND matching rule):

Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=512)'
Nov 2, 2021 4 tweets 2 min read
So you don't enforce MFA on all Azure admin roles? Not really sure where to start?

Looks like Microsoft has added a nice doc (and script in the doc) to help discover and assess your privileged users so you can minimize potential impacts ;)

docs.microsoft.com/en-us/azure/ac…

I think it's great they are pushing more and more content to make the message clear - all admins should be covered by strong authentication / conditional access policies

I am really curious about this though... Anyone know what this refers to?
Oct 29, 2021 14 tweets 10 min read
Who wants to play with Defender for Endpoint's Removable Storage Access Control?

Yeah, me neither, but I'm doing it anyway

So what is it?

Well, it lets us do things like block writing to all removable media except specific ones using serial numbers

docs.microsoft.com/en-us/microsof…

If you try to read the docs... I apologize for the aneurysm. They're pretty rough, but we'll get through it.

First, we need serial numbers for all our USB drives we want to allow 😬

"Hey Bob, here's an 8 step process to get serial numbers for me. No, you don't have to press F12"
Sep 23, 2021 11 tweets 10 min read
DMARC: Domain-based Message Authentication, Reporting and Conformance

Phew, that's a mouthful. Let's simplify this a bit.

DMARC lets you tell other mail servers what to do about email sent from your domains - apply policy and report

If you haven't done SPF/DKIM, do that first.

If you're using O365 and don't have DMARC reports going somewhere useful, you can now set this up for free:

microsoft.com/security/blog/…

Now, I'm not a big fan of how they handle DNS... but it's free? I've always used @dmarcian and really prefer the way they do it.

But let's test!
Sep 18, 2021 16 tweets 10 min read
Let's walk through setting up email in Office 365 :D

If you haven't added a custom domain or signed up for a free M365 Developer account, check the QT thread

To get started, let's sign into the M365 admin center (admin.microsoft.com) and sign into the DNS for your domain :)

While doing this setup through the M365 admin center is not required, it sure makes life easier if you don't know the DNS records off the top of your head

So we go under Settings - Domains, and you should see something like the picture below

Check your domain and continue setup
Aug 15, 2021 4 tweets 2 min read
I'd like to talk about #windows for a minute

I know it's hard to do something that will last 20+ years, and maybe design choices from the 90's weren't the best ideas...

There are foundational issues that need to be addressed. A clean install of windows ruined by its foundation. The amount of failures I'm seeing are just unacceptable. We can all agree who is mostly to blame, but that won't help fix the years of rot we're looking at.

I do believe this can be fixed, but it's going to require removing old, vulnerable crap and rebuilding with a better base
Jul 16, 2021 20 tweets 13 min read
It's finally time to learn about Groups in Azure AD :)

Groups are foundational components for granting access to resources, email delivery, and even assigning licenses within Azure AD.

But first, you need users, so if you haven't yet, go create some :)

In Azure AD, we have a few different types of groups

The main group types are security and Microsoft 365 groups, but in Exchange we also have distribution lists which are mail enabled groups with no security context

Each group also has an assigned and dynamic membership type
May 25, 2021 21 tweets 12 min read
Let's learn about Users in Azure AD :)

In this thread, I'm covering the Azure Portal and Powershell modules. We'll look at Graph API later (setup required).

If you haven't already signed up for a M365 dev account, check the thread below and follow along!
whoami

I've been managing AAD/O365 for almost a decade, and I absolutely can (and will) be wrong

Please correct me, nerd snipe, whatever your style is, if you see something wrong or have suggestions

I want value here for beginners and veterans alike, but we start with basics
May 19, 2021 10 tweets 5 min read
Did you know that you can get a free M365 E5 subscription with 25 user licenses to learn, create automation, and develop applications?

I know most folks never get the chance to admin this stuff, so sign up now, and let's walk through this together :)

developer.microsoft.com/en-us/microsof…

Upon visiting the Microsoft 365 Dev Center, it will ask you to sign in with your Microsoft account.

This will be the Microsoft account that your developer tenant will be associated with, but not the one you use to log into it.

You should see something like this 👇
Feb 6, 2021 10 tweets 5 min read
I'm seeing another big push by vendors that their solution will fix education's ransomware woes

You can't make up for poor operational management by buying products

Do these free things first, then consider purchases that scale your staff

Note: #6 is for non-AD bound devices

1. For email filtering, I have a nice series here you can borrow ideas from:

blog.opsecedu.com/using-transpor…

For Office macros, it's how something like 90% of ransomware starts (rest is unpatched remote access).

At least block macros from the Internet:

microsoft.com/security/blog/…
Feb 5, 2021 10 tweets 4 min read
You really should use (g)MSA's instead of user accounts for services, IIS, scheduled tasks, SQL, etc.

Even if you have a cred vault that rotates and handles dependencies, MSA's are probably still better.

Read Steve's thread for how they work, then this one for how to use them.

First, a couple of things Steve didn't mention:

1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)

2) The password can be retrieved on one server and used on another, pass the hash/ticket still works..
Feb 3, 2021 4 tweets 1 min read
I could write a book...

You gain expertise through the process of fixing things, sometimes the things you break - don't fear mistakes.

As your expertise gets deeper, you find new exotic ways of breaking things where even Stack Overflow won't save you.

Here's a few of mine :)

First week on a new job, ran a driver cleanup script for ConfigMgr 2007 and forgot the params - dumped the entire driver catalog

Deployed apps based on UTC instead of local time

$list | % { Restart-Computer $_ } while the server I was running it from was in the list...
Jul 12, 2020 17 tweets 7 min read
This is such an awesome writeup, but it's missing one thing - remediation steps

Some AD admins may know how to fix these issues, but it's fair to assume some do not.

I'd also highly recommend using PingCastle by @mysmartlogon as it audits most of this and more.

Thread time! @mysmartlogon

1) Remove user rights to join devices to AD

Powershell: Set-ADDomain -Identity <Domain> -Replace @{"ms-DS-MachineAccountQuota"="0"} -Verbose
GPO: Modify Default Domain Controller Policy and remove Authenticated Users from the user rights assignment (1st pic)
ADSI: (2nd pic)
Apr 6, 2020 11 tweets 3 min read
Re: NYC blocking Zoom

I like Matthew a lot, but I don't feel this is a "dumb overreaction."

As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us.

First, let's start with Zoombombing. The answer seems very simple - let's add a password.

The problem is that many places allowed teachers to go create their own accounts, and we had to rely on them reading email from IT.

Is that ever 100% effective?