Nathan McNulty
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | @TribeOfHackers | 🦋@nathanmcnulty.com
Jan 25 6 tweets 2 min read
Hello for Business works great with AD integrated apps (Kerberos/NTLM), but it requires setting up a trust model

Very poorly generalized, Hello uses certificates that AD doesn't understand, so we need a way to request a Kerberos ticket with the certs

This is crazy easy now 🧵 Before I share how easy it is now, I want to share why people still hate Hello because its history was way more complicated

Originally we had certificate trust which required full PKI deploying certificates to all of your devices and AD

Doing this properly was really hard...
Jan 24 7 tweets 2 min read
I think the most common misunderstanding of Conditional Access is its relationship to authentication, and this results in not understanding how the rest of the controls actually work

Conditional Access performs authorization by evaluating tokens from the authentication service. This provides important insights 💡

CA policies cannot block anything until AFTER authentication occurs

This means CA cannot help with password spray/credential stuffing. This is why we have Password Protection and Smart Lockout.

learn.microsoft.com/en-us/entra/id…
learn.microsoft.com/en-us/entra/id…
Jan 20 6 tweets 3 min read
You likely aren't collecting all available events to the Unified Audit Log

First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything).

Retention is based on license... This policy only applies to users with the Microsoft 365 Advanced Audit SKU assigned, audit records are retained for 1 year. Audit records for users without this SKU are retained for 180 days (thanks CISA for the bump up from 90 days!)

Second, this still doesn't get everything..
Sep 6, 2024 5 tweets 3 min read
A common ask I get often is:

I want to require fresh strong authentication from a compliant device (or specific devices) when someone activates a role via PIM

So let's walk through that scenario really quick

If anything is unclear, just try harder!

I'm kidding, ask away 😜 First, if the built-in phishing resistant auth strength works for you, use it

If not, we can customize exactly what we want (avoid requiring one not allowed in another policy)

We can even define AAGUIDs to specify exact models of keys that must be used

learn.microsoft.com/en-us/entra/id…
Aug 8, 2024 6 tweets 2 min read
In this thread, I will provide Graph PowerShell commands to find synced users with admin privileges

Microsoft has been very vocal about not granting privileges to synced accounts for about 4 years now

Read this post by @Alex_T_Weinert:


Then check below techcommunity.microsoft.com/t5/microsoft-e…
@Alex_T_Weinert For those with PIM, these two scopes will help us get what we need:

Connect-MgGraph -Scopes 'RoleAssignmentSchedule.Read.Directory','RoleEligibilitySchedule.Read.Directory'

If you don't use PIM, I believe you only need: RoleManagement.Read.Directory
Jul 31, 2024 5 tweets 2 min read
How non-privileged users can make themselves admin of your SaaS apps - a short story :)

Let's say your company uses Salesforce and has configured SAML for SSO with your Identity Provider

Salesforce's SAML implementation lets us pass identity and roles (permissions) on the token. So we create a security group named "Salesforce Admins" and add our admins to the group

Then we configure the claims rule in our Identity Provider to send the role value of System Administrator for members of a group with the display name of "Salesforce Admin" 🚩
Jun 15, 2024 4 tweets 3 min read
The OP is about excluding networks from MFA requirements (I'm not a fan)

But I want to focus on why we should set up Named/Trusted Locations and use them in a CA policy

Primarily, this enables Continuous Access Evaluation and tunes Identity Protection

learn.microsoft.com/en-us/entra/id…

That doc is a long but valuable read, especially since CAE affects things you probably don't realize

To start, CAE aware tokens are only supported for Exchange, SharePoint, Teams, and Graph

While any 3rd party can integrate and use CAE, I am not aware of any vendor who did so
Jun 7, 2024 8 tweets 2 min read
Managing policies for Defender AV on Servers is a big pain point

We have like 6 ways to do it, and for many orgs, there is no single option that covers everything you want.. 😩

Join me on this thread where I'll discuss the options, limitations, and design considerations

Group Policy - well known, easy to evaluate against benchmarks

Downsides:

Must be bound to AD (Azure VMs, backup systems, etc. often are not)

Need line of sight to a DC (usually not an issue for servers)

No additional Tamper Protection like we get from Intune sources
May 22, 2024 5 tweets 2 min read
I'm so excited to see these new records available to everyone :)

But also, please make sure you enable all of the audit records that you want to collect

Below, you will see the default records as compared to everything you could collect, and this is just for Owner events..

🧵
First, if auditing isn't enabled, you aren't getting anything...

# Users w/o auditing
Get-Mailbox -Filter "AuditEnabled -eq 'False' -and RecipientTypeDetails -eq 'UserMailbox'"

To enable, add:

| ForEach-Object { Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true }
Apr 11, 2024 11 tweets 7 min read
And there it is - Passkey in Microsoft Authenticator!

If you'd like to set up Passkeys in Microsoft Authenticator, follow along. I'll provide a script to grab all existing AAGUIDs from your environment so we can configure this for testing without breaking existing keys :)
Before we begin, it's very important to call out that the Preview requires we set "Enforce attestation" to No, and for this reason, we NEED to restrict use to specific keys

In this case, we want to use the Allow option so that only those explicitly on the list can be registered
Mar 27, 2024 5 tweets 2 min read
You might need to check your Teams Admin Center.. 😩

It looks like the defaults for 3rd party apps changed so users can now add over 2300 apps to Teams without requiring approval

To change this, click Actions - Org-wide app settings, turn off 3rd party apps (more in next tweet)

After changing "Let users install and use available apps by default" to Off, we'll see Assignments change from Everyone to Not Assigned
Dec 6, 2023 6 tweets 3 min read
This is a great graphic, but hopefully after reading this thread, it will tell an incomplete story

Too many orgs provide directory wide permissions allowing admins to have control over all users and all supported admins

It doesn't have to be this way, Entra ID supports scoping.

9 years ago (!), Microsoft released a feature called Administrative Units

These were kind of like OUs, but also kind of like groups because you could be in more than one

These were designed to scope permissions like helpdesk admin to a subset of users

learn.microsoft.com/en-us/entra/id…
Nov 20, 2023 9 tweets 5 min read
Someone asked about recreating Security Defaults in Conditional Access so similar policies still apply but with more flexibility

This short thread is my best attempt based on the information available here:


Note: Entra ID P2 required for full replacement

learn.microsoft.com/en-us/microsof…

1) "Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP"

For this, we need to combine the "Require multifactor authentication for all users" template with limiting use of Authentication methods
Nov 4, 2023 5 tweets 2 min read
This is a *very* nuanced statement, and Brian offers some good clarifications in the thread

But I would also say Conditional Access is the only way to meaningfully improve security when ideal scenarios cannot be applied across the board

The real issue with CA is weak policies 🧵

First, it's important to note that CA (authorization) comes AFTER authentication

You want significant security improvements? Require phishing resistant authentication - period

Can't do that in all cases? CA is your best tool to gradually improve and handle exceptions well
Oct 27, 2023 10 tweets 4 min read
I saw a guide on this a while back but can't find it anymore... :(

I don't have Windows 365 to test right now, but this is what *should* work and best of what I can remember from the thread/blog that I read some time last year...

Quick 🧵 on Conditional Access filter for apps

Filter for apps was introduced late last year that allows us to leverage custom security attributes within Conditional Access policies

Very helpful for microservices architectures with constantly changing appIds, but also, apps not shown in the picker 💡

learn.microsoft.com/en-us/entra/id…
Oct 6, 2023 9 tweets 3 min read
Looks like a good time for a thread on token theft :)

Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks

That doesn't mean it's useless, but it's becoming less useful. Ideally, we want to move to phishing resistant authentication

In this category, Entra ID supports FIDO2 Security keys, Hello for Business, and Certificate Based Authentication. Microsoft Authenticator and passkeys are coming soon.

Let's start with Hello for Business!
May 14, 2023 7 tweets 3 min read
Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint? 💡

This might be helpful if someone started selling TLD's you'll never do business with ;)

Go to intune.microsoft.com under Endpoint security - Firewall, Reusable settings, click Add

Reusable settings can be used in multiple firewall policies, and updates to these settings apply across all policies automatically

Let's give this a memorable name, then click Next
Apr 25, 2023 7 tweets 3 min read
I have a more comprehensive blog article I'm working on, but a few folks have asked about examples, so until then!

This will be KQL heavy because it's what I have and use, but this thread will have examples for both process execution as well as network telemetry for FW rules :)

// PowerShell execution (including renamed binaries) excluding SYSTEM, UPN per device
DeviceProcessEvents
| where InitiatingProcessAccountSid != @"S-1-5-18"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| summarize count() by InitiatingProcessAccountUpn, DeviceName
Feb 26, 2023 8 tweets 5 min read
What are some of the first things you do when setting up Azure subscriptions?

Here's some of my favorites, and I'd love to hear from others too :)

First, I always start by setting up billing anomaly alerts (and budgets/budget alerts)

https://t.co/qS0ply93ZB (learn.microsoft.com/en-us/azure/co…)

While I'm at it, I always double check to see who can transfer subscriptions in and out of my tenant

Attackers can transfer subscriptions to their own tenant but leave you with the billing, so you won't see resources until it's too late

Disable and exempt users only when needed
Sep 16, 2022 4 tweets 2 min read
If you have secrets in PowerShell scripts, at the very least, log in with the account that will be running the script and do the following:

Get-Credential | Export-CliXml -Path $env:USERPROFILE\creds.xml

In your script:

$creds = Import-CliXml -Path $env:USERPROFILE\creds.xml

What happens here is that Export-CliXml sees the credential object and uses DPAPI to encrypt the output

This is why you must run the command as the account that will run the script. It's also why this is Windows only.

For scripts run with a gMSA, use PsExec to run PS as the gMSA
Aug 13, 2022 5 tweets 2 min read
You can easily block these attacks by enforcing Code Integrity Guard for teams.exe and onedrive.exe using Defender Exploit Protection

This mitigation won't work for everyone, especially if you rely on 3rd party plugins, but you should at least put it in audit mode

Here's how :) First, open Windows Security, go under App & browser control, then click Exploit protection settings

Now click Program settings in the top right, then click Add program to customize

Add an entry for teams.exe and onedrive.exe and enable CIG