Administration

Setting up Microsoft Authenticator on a Second Device

Look, maybe this is old news but it’s new to me!  I like to think of this as more of a ‘how to’ for me since I’m likely to run into this in a year or so 🙂

Two Factor Authentication (2FA) / Two-Step Verification (2SV) / Multi-Factor Authentication (MFA)

Years ago I set up the Microsoft Authenticator for my personal Microsoft account and I love how it not only makes the sign-in process easy, but gives me peace of mind that should my password get compromised, I have that extra layer of protection.  I’m a strong supporter of two-factor authentication (2FA) or two-step verification (2SV) and I urge everyone to enable it where possible, so if you haven’t already done so, get 2FA/2SV set up on your Microsoft account.  Go ahead, I’ll wait:

Multi-Factor Authentication (MFA) for Azure AD

When our organization started focusing more on Azure AD, it only made sense that we would create a Conditional Access Baseline Policy to require our Azure admins to set up multi-factor authentication (MFA).  With that policy in place, the process of setting up my corporate account in the Microsoft Authenticator was quite simple.

Setting Up 2FA for Personal Accounts

Fast forward some time later: During Google Fi’s special birthday promotion I managed to secure a Pixel 3 XL, and when it arrived it was time to get the Microsoft Authenticator set up for my corporate accounts.  Having been through the process of adding accounts to authenticator apps multiple times, I assumed it was going to be simple:

  1. Open the Microsoft Authenticator app
  2. Tap the menu button (three dots in the top right) & select + Add Account
  3. Select Work or school account
  4. Enter in my corporate email
  5. Be redirected to our identity provider
  6. Enter my corporate credentials
  7. Accept the authentication prompt on my original phone
  8. All setup!

Turns out I was very wrong because, to my surprise, at step 4 I was prompted to scan a QR code or enter in the details manually.

Setting up MFA for Azure AD Accounts

While configuring 2FA/2SV/MFA for personal accounts starts from within the Microsoft Authenticator, setting up MFA for Azure AD accounts for the first time typically happens during your first login after the organization has enabled your account for MFA.  This is really easy as it steps you through a wizard-like process and takes a minute or so.  However, if you need to set up the Microsoft Authenticator on a new device, you are required to initiate the process from within your tenant while logged in using the account you want to configure MFA for.  There are a few ways to get to where you want to go; here are two of them:

Method 1

  1. Log in to https://portal.azure.com
  2. Click your name/avatar in the top right
  3. Click View Account
  4. On the following page click the Additional security verification link on the right

Method 2

  1. Log in to https://myapps.microsoft.com with your corporate credentials
  2. Click your avatar in the top right
  3. Select Profile in the drop down
  4. On the following page click the Additional security verification link on the right

Missing the ‘Additional security verification’ Link?

When I log in with my Azure account that has been added to the Global Administrator role, the ‘Additional security verification’ link is not present when I view my profile/account.  However, when I log in with my standard account, the link is present.  I assume this has to do with the conditional access policy, but I have not been successful in locating official documentation, so your guess is as good as or better than mine.  The good news is there are a few warp zones to get you where you want to be!

Configuring Authentication Verification Options

Once you’re on the ‘Additional security verification’ page, you can configure the methods you want to use to verify your identity (notification vs code vs phone number, if allowed by your organization) but most importantly you can set up an Authenticator app:

  1. In the browser, click the ‘Setup Authenticator app’ button and within a few moments you’ll see a QR code
  2. On your phone, open the Microsoft Authenticator app and:
    • iOS: Select + to add an account.
    • Android: Tap the three dots then + Add account
  3. Select Work or school account
  4. Scan the QR code
  5. Back in the browser, click the Done button
  6. On your phone, positively acknowledge the authenticator prompt to verify it’s been set up correctly

Great Documentation

So my sleuthing didn’t require more than 5 minutes of time thanks to the great documentation Microsoft has been creating and/or updating over the past few years.  Everything covered here is listed below and I recommend you give it a read. 🙂

Two-step verification overview
Manage your settings for two-step verification

Good Providence to you!


Privilege Account Management Solution Evaluation

For as long as I’ve been in IT professionally, users have been local administrators on their machines.  Time and time again, history has proven this approach undermines what might otherwise be successful IT strategies to improve an organization’s security posture.  Introducing a change requires addressing some facts:

Fact: Users do not need admin rights to accomplish day to day tasks.
Fact: Users have grown accustomed to having certain privileges on their machines
Fact: Some legitimate changes initiated by users do require elevated rights
Fact: Bears eat beets.  Bears.  Beets.  Battlestar Galactica.

Fortunately there is a sea of Privilege Account Management or Privilege Management solutions out there to control elevation rights, eliminating the need to give users administrative rights.

I do want to highlight that although our research was done a few years back, the underlying concepts and organizational requirements continue to serve as the core framework for any future Privilege Management solutions we evaluate for implementation.

Executive Summary

Adhering to the principle of least privilege allows the day to day user to continue to work efficiently without interruption while introducing several desirable benefits including but not limited to:

  • Cost Savings – Successful vulnerability exploits often result in lost time, intellectual property, productivity, brand value and customers’ trust. System instability results in lost productivity. Lack of license compliance can result in unbudgeted expenses not to mention costly fines.
  • Regulatory Compliance – When users have administrator rights they can change system settings, which affect compliance to regulatory standards. Failure to meet standards can result in more audits and remediation work.
  • System Stability – When a user adds a new piece of software, installs a driver, or changes a setting, the stability of the system is affected.
  • Threat Protection – Running software with reduced privileges can mitigate a majority of software vulnerabilities that take advantage of the privileges of the running user.
  • License Compliance – When users have full control over what is installed on their computers, there is nothing to prevent them from intentionally or unintentionally using unlicensed software.

Vendor Identification

We identified the following five vendors (listed alphabetically) based on many factors including feature set, product maturity, industry reputation, community feedback and perceived position in the marketplace.

Avecto

Avecto is a leader in Windows privilege management, helping organizations to deploy secure and compliant desktops and servers. With its Privilege Guard technology, organizations can empower all Windows based desktop and server users with the privileges they require to perform their roles, without compromising the integrity and security of their systems.

BeyondTrust

BeyondTrust offers a complete Privileged Account Management (PAM) portfolio and was one of the first products on the market in this area. BeyondTrust has a worldwide presence with a large market share in the US of which banking and securities and retail organizations make up a significant share of the company’s customers.

Bit9+CarbonBlack

Bit9+Carbon Black offers a solution for advanced threat protection for endpoints and servers. Combined, it helps organizations protect themselves from advanced threats in two critical ways: by reducing their attack surface through new signature-less forms of prevention, and rapidly detecting and responding to threats.

Centrify

Centrify Privilege Management allows administrators to manage privilege globally across windows, Linux and UNIX. It is a flexible, highly granular privilege management solution that allows users get work done, reduces risks and makes implementing a least-privilege approach easy with role-based access controls.

ViewFinity

Viewfinity’s privilege management suite bolsters administrators’ ability to control user privileges on corporate desktops, helping to eliminate one of the biggest security holes on today’s enterprise networks: risky activities on corporate desktops that occur inside the firewall. Viewfinity is a suite of integrated management tools that simplify the processes involved in privilege management, enabling administrators to more effectively protect PCs from unauthorized use and providing granular control over who can do what on servers and endpoints across the enterprise.

Success Criteria

We designed a scoring system based on key areas of interest:

  • Solution designed with mobility in mind (up to 15 points)
  • Application control/features (up to 15 points)
  • Experience in the legal vertical (up to 10 points)
  • Reputation and footprint by way of endpoint count (up to 10 points)
  • Client components (up to 5 points)
  • Implementation options (up to 5 points)
  • Considerations for VDI environments (up to 10 points)
  • Depth and breadth of reporting (up to 10 points)
  • Ease of use & management (up to 10 points)
  • Integrations with existing technology (up to 5 points)
  • Innovation (up to 5 points)

In addition, there were specific features and scenarios we were looking to cover in the demos:

  • Details of the elevation process (e.g.: token based)
  • Handling of products not explicitly whitelisted/blacklisted
  • Capable of elevating ActiveX controls
  • Whether or not it offered some sort of sandboxing technology
  • Data aggregation and correlation
  • Level of customization for user facing elements

Vendor Reduction

After reviewing each product and comparing notes we decided the following vendors were not best suited for our particular requirements.

BeyondTrust:

  • Its SaaS/Web solution for a mobile workforce wasn’t as easy to use as Avecto’s and Viewfinity’s.
  • Insignificant presence in the legal vertical.

Bit9 + Carbon Black:

  • Lack of a method for elevating the execution of processes. Users would not be able to install applications, even those approved to be installed.
  • Core focus is application whitelisting (i.e.: whether or not a process can execute) versus allowing processes that require elevation to elevate automatically based on a ruleset.

Centrify:

  • Application control functionality was not nearly as robust as their competitors’.
  • Product is best suited for environments where Macs are deployed
  • PAM is only part of a much larger product versus the primary focus of the product.
  • Lack of an appreciable presence in the legal vertical.

I want to be clear:

  • These were not bad solutions by any means.
  • They just didn’t meet enough of our core requirements for us to move forward to the next phase.
  • Also, again, this being a fairly dated review, it’s quite possible things have changed since we originally evaluated them so do your due diligence.

Reference Checks

We received a list of references from both Avecto and ViewFinity, setup calls and included those findings for consideration in our recommendation.

Avecto

  • The “best of breed” and innovative solution compared to other products on the market.
  • Integration with existing A/V and HIPS solutions allowing for centralized management and reporting
  • Able to easily workaround special handling scenarios needed for certain users and applications.
  • Support has been great, fast turn around for critical issues and the product is well documented.
  • Successful implementations not just from the IT perspective but also from the user perspective as it was completely transparent.
  • Works as designed and is easy to work with.

ViewFinity

  • Smooth transition from another competitor’s on-prem solution to ViewFinity’s hosted solution.
  • SaaS solution works well, delivers updated configuration to clients faster than GPO
  • No issues they couldn’t work through or around.
  • Works well for a highly mobile workforce
  • Support is responsive with no gaps in communication
  • Easy and straightforward to use with little ongoing management required

Pilot Result

We tested each solution for one month at a time on our primary systems (aka our daily driver machine).  Although they were both different, there were a lot of similarities that carried over between each product.

ViewFinity

  • Only vendor with a completely separate SaaS/Web PAM solution and we were impressed with it.  Viewfinity seems to better understand the differences of a mobile user and their Saas/Web product is solely built for a mobile population.
  • Established presence in law firms of significant size
  • Has grown substantially in install count and product maturity over the past few years.

Avecto

  • Has a mechanism to distribute updates, but it’s built on a traditional group policy based management delivery approach.
  • Appears to be the strongest and fastest innovator in the PAM vertical.
  • Had features in product that Viewfinity didn’t have yet.

These findings were then added to our success criteria.

Final Score

Before I reveal the results, I want to point out a few very important items:

  1. This review took place a few years ago so I imagine that each of the products mentioned here have matured for the better since then and that there may be new players in this space.
  2. Both solutions are very solid products, each with their own set of features that clearly distinguished it from the other in a few key categories.
  3. We ultimately did not move forward with either product because of a change in strategic initiatives.

Having said that, we gave:

  • Avecto: 79 out of 100
  • ViewFinity: 81 out of 100

From a scoring perspective, the difference was almost negligible and after some discussion we made a recommendation to move forward with one vendor.  However, it was not solely based on the numerical score but on what I feel is an oft-overlooked point:  The level of expertise of the vendor’s technical lead assisting with the implementation.  Their technical lead driving these demos and Q&As demonstrated a deep level of understanding and was able to think and respond quickly when in ‘uncharted territory’: atypical use cases, examples etc.  After putting each vendor through the wringer, one gave us the confidence that they would be able to assist us in meeting our objective to make this a successful implementation.

Closing Thoughts

This was probably one of the more fun projects we took on and some part of me was disappointed we didn’t move forward with any of the recommended products.  But on the other hand, after removing local Administrator rights and implementing Microsoft’s Local Administrator Password Solution (LAPS) we learned that we really didn’t need a solution to achieve our primary objective.

I’m eager to hear from others who are in the process of implementing – or have just implemented – a PM/PAM solution, so please let me know in the comments.


Good Providence!

An authentication error has occurred. The function requested is not supported. This could be due to CredSSP encryption oracle remediation. CVE-2018-0886

Problem:

I’ve been working furiously on some Citrix XenApp stuff recently on shiny new Server 2016 boxes.  Yesterday was a productive day and all was well.  With it also being Patch Tuesday and my machines part of the Patient Zero Device Collection targeted for updates I received May’s patches last night/this morning.

Today, when I attempted to RDP into Server 2016 boxes I received the following error:


[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer: <remote computer>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

[OK]

Cause:

This is intentional and I urge you to direct your attention to the URL in the message: https://go.microsoft.com/fwlink/?linkid=866660

Cliff’s Notes version of the cause from the article:

  • The initial March 13, 2018, release updated the CredSSP authentication protocol but did NOT enforce the new version of the CredSSP protocol.
  • The April 17, 2018, Remote Desktop Client (RDP) update in KB 4093120 enhances the error message that is presented when an updated client fails to connect to a server that has not been updated.
  • The May 8, 2018, update makes the updated CredSSP protocol mandatory.
    This intentional change adjusts the default setting from ‘Vulnerable’ to ‘Mitigated’.

Solution:

In reviewing the interoperability matrix there are only a few blocked scenarios:

  1. Server Patched ‘Force updated clients’ + Clients Unpatched = Blocked
  2. Server Unpatched + Clients Patched ‘Force updated clients’ = Blocked
  3. Server Unpatched + Clients Patched ‘Mitigated’ = Blocked

Well I know my client is patched so that rules out Scenario 1, making it clear our Server 2016 servers are missing KB 4103723.

Solution: Patch your servers!

Fauxlution

This is not a solution.  It’s a fake solution or as I like to call them faux-lutions.

So is there a workaround?  Sure.  In my particular scenario, I would set the patched client(s) to ‘Vulnerable’, which means that I would then be exposing remote servers to attacks by supporting fallback to insecure versions.

Arguments can be made either way to justify this but I don’t think it’s wise:

  • It negatively affects our security posture
  • I’m human thus prone to forgetting things and then I’ll never undo it.

I’d rather submit an emergency change request to patch the servers.

In fact, Microsoft’s recommendation is to set AllowEncryptionOracle on clients and server computers as soon as possible to one of the following:

  • Force updated clients = 0
  • Mitigated = 1

But if you want to go down this slippery slope at your own risk, set AllowEncryptionOracle to 2 on your patched client(s) and you’ll be able to connect to your unpatched server(s):


reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /d 2 /t reg_dword

The documentation states a reboot is required but in testing, a reboot is not required.
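Before changing that value on any machine, it helps to know where it actually stands.  The following PowerShell is an added example (not from the original post): it reads AllowEncryptionOracle and maps it to the three states above, checks for the May 2018 KB from the references, and encodes the three blocked combinations from the interoperability matrix.  The function names and the build-to-KB table are my own.

```powershell
# Added example, not from the original post. Audits the local CredSSP policy value and
# evaluates client/server combinations against the blocked scenarios listed above.
$CredSspKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$OracleStates = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleState {
    # An absent value means the post-May-2018 default, which is 'Mitigated'
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; State = 'Mitigated'; Source = 'default (value not set)' }
    }
    $v = [int]$item.AllowEncryptionOracle
    $state = if ($OracleStates.ContainsKey($v)) { $OracleStates[$v] } else { "Unknown ($v)" }
    return [pscustomobject]@{ Value = $v; State = $state; Source = 'registry' }
}

function Test-CredSspInterop {
    # The three blocked rows of the interoperability matrix quoted in the post; everything else connects
    param(
        [Parameter(Mandatory)][bool]$ServerPatched,
        [Parameter(Mandatory)][bool]$ClientPatched,
        [ValidateSet('Force updated clients', 'Mitigated', 'Vulnerable')][string]$ServerSetting = 'Mitigated',
        [ValidateSet('Force updated clients', 'Mitigated', 'Vulnerable')][string]$ClientSetting = 'Mitigated'
    )
    if ($ServerPatched -and -not $ClientPatched -and $ServerSetting -eq 'Force updated clients') { return 'Blocked (scenario 1)' }
    if (-not $ServerPatched -and $ClientPatched -and $ClientSetting -eq 'Force updated clients') { return 'Blocked (scenario 2)' }
    if (-not $ServerPatched -and $ClientPatched -and $ClientSetting -eq 'Mitigated')             { return 'Blocked (scenario 3)' }
    return 'Allowed'
}

# Assumed mapping of OS build to the May 8, 2018 cumulative update, taken from the post's references
$CredSspKbs = @{ '14393' = 'KB4103723'; '15063' = 'KB4103731'; '16299' = 'KB4103727'; '17134' = 'KB4103721' }

function Test-CredSspPatchInstalled {
    # Note: later cumulative updates supersede these KBs, so 'not installed' here is a prompt to
    # check the build number against the OS Build in the references, not proof the server is unpatched
    $build = [string](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if (-not $CredSspKbs.ContainsKey($build)) {
        return [pscustomobject]@{ Build = $build; Kb = $null; Installed = $null }
    }
    $kb = $CredSspKbs[$build]
    $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    return [pscustomobject]@{ Build = $build; Kb = $kb; Installed = $installed }
}

$state = Get-CredSspOracleState
"AllowEncryptionOracle: $($state.State) [$($state.Source)]"
if ($state.State -eq 'Vulnerable') {
    Write-Warning 'This client will fall back to the insecure CredSSP version; set the value back to 0 or 1.'
}
Test-CredSspPatchInstalled
# The post's situation: patched client at the default 'Mitigated', unpatched Server 2016 box
Test-CredSspInterop -ServerPatched $false -ClientPatched $true -ClientSetting 'Mitigated'
```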

References:

  1. CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability
  2. Windows 10 1803 May 8, 2018—KB4103721 (OS Build 17134.48)
  3. Windows 10 1709 May 8, 2018—KB4103727 (OS Build 16299.431)
  4. Windows 10 1703 May 8, 2018—KB4103731 (OS Build 15063.1088)
  5. Windows 10 1607 & Server 2016 May 8, 2018—KB4103723 (OS Build 14393.2248)

 

Whatever route you take, I bid you Good Providence!

Getting Real Lenovo Model Details

Our computer naming convention includes a portion of the model number to make it easier to identify trends and those with old, or new, assets.  Coming from a Dell shop where we did something similar, I was disappointed to learn that Lenovo machines didn’t populate the Model details the same way.  So instead of seeing something like ThinkPad W541, we were seeing something very cryptic: 20EFCTO1WW

Get your Decoder Ring

Thinking something was up with the built-in scripts or logic I ran the below on a Lenovo machine which confirmed it was what it was:


wmic path win32_computersystem get model

Model
20EFCTO1WW

For a while we kept a matrix of sorts that we’d feed into our CustomSettings.ini to ensure machines were named correctly.  We expected this pain as models were phased out and new models came in, but it was also very frustrating as the details would change mid-stream for the same model.  This led us to studying the Lenovo Product Specifications Reference or PSREF.

Not being keen on this, I learned somewhere (unsure of the actual source) that Lenovo stashes the bits we were after in Win32_ComputerSystemProduct under Version:


wmic path win32_computersystemproduct get version

Version
ThinkPad W541

Once confirmed across a few machines, I went right to work.

UserExit Script: GetAbbrModel.vbs

This is a modified version of the script we use in production but the result is the same: It gets the human-readable format of the model, trims the parts we don’t want and returns an abbreviated version of the model.  So a ThinkPad W541 ends up being returned to MDT/SCCM as W54.  You can modify it to suit, like creating a new property/variable called RealModel and assigning the script output to that, or overwriting the existing Model property via the script itself.

The script works on 99% of the machines in our environment but it does occasionally fail:

  • some unexpected data is in there: sometimes it’s really bizarre or mirrors Model in Win32_ComputerSystem or Name in Win32_ComputerSystemProduct.
  • most of the time it’s because the field is blank/null/empty, and we typically see this on machines that were serviced, specifically a board replacement, and the tech didn’t run the utility to set the bits in the BIOS.  Accidents happen.
  • it’s running on very old hardware that should have been retired 🙂

Good Providence to you as you adjust it to suit your needs!


' //***************************************************************************
' //
' // Solution:Get Model Abbreviation for Microsoft Deployment
' // File: jgp_GetAbbrModel.vbs
' //
' // Purpose: Gets & sets the correct model abbreviation for use in computer name and other custom configurations
' //
' // ***** End Header *****
' //***************************************************************************

'//----------------------------------------------------------------------------
'//
'// Global constant and variable declarations
'//
'//----------------------------------------------------------------------------
Option Explicit

'//----------------------------------------------------------------------------
'// End declarations
'//----------------------------------------------------------------------------

'//----------------------------------------------------------------------------
'// Main routine
'//----------------------------------------------------------------------------
Function UserExit(sType, sWhen, sDetail, bSkip)
	UserExit = Success
End Function

Function GetAbbrModel()
	On Error Goto 0
	' oEnvironment is the MDT global from ZTIUtility.vbs; Make/Model come from the gather step
	Dim sMake : sMake = oEnvironment.Item("Make")
	Dim sModel : sModel = oEnvironment.Item("Model")
	Dim sAbbrModel : sAbbrModel = "UNK"
	Dim oCSP, sLenovoModel, sLenovoProductType

	Select Case UCase(sMake)

		Case UCase("Dell")
			' Dell puts the friendly name in Model, e.g. "OptiPlex 7010" -> "O70", "Latitude E7450" -> "E74"
			If InStr(1,sModel,"OptiPlex ",1) > 0 Then
				sAbbrModel = Left(Replace(sModel,"ptiPlex ","",1,-1,1),3)
			ElseIf InStr(1,sModel,"Latitude ",1) > 0 Then
				sAbbrModel = Left(Replace(sModel,"Latitude ","",1,-1,1),3)
			ElseIf InStr(1,sModel,"XPS",1) > 0 Then
				' Strip the trailing space too so "XPS 13" becomes "X13" rather than "X 1"
				sAbbrModel = Left(Replace(sModel,"PS ","",1,-1,1),3)
			End If

		Case UCase("Lenovo")
			' Lenovo stores the human-readable model in Win32_ComputerSystemProduct.Version and the
			' product type (e.g. 20EFCTO1WW) in Name.  "" & coerces a WMI null to an empty string.
			sLenovoModel = ""
			sLenovoProductType = ""
			For Each oCSP In GetObject("winmgmts:").ExecQuery("SELECT Version,Name FROM Win32_ComputerSystemProduct")
				sLenovoModel = "" & oCSP.Version
				sLenovoProductType = "" & oCSP.Name
				Exit For
			Next

			If InStr(1,sLenovoModel,"ThinkCentre ",1) > 0 Then
				sAbbrModel = Left(Replace(sLenovoModel,"ThinkCentre ","",1,-1,1),3)
			ElseIf InStr(1,sLenovoModel,"ThinkStation ",1) > 0 Then
				sAbbrModel = Left(Replace(sLenovoModel,"ThinkStation ","",1,-1,1),3)
			ElseIf InStr(1,sLenovoModel,"ThinkPad ",1) > 0 Then
				' "ThinkPad X1 Carbon 4th" -> "X1C"; the generation suffix is dropped
				If InStr(1,sLenovoModel,"Carbon",1) > 0 Then
					If InStr(1,sLenovoModel,"Carbon 4th",1) > 0 Then
						sAbbrModel = Left(Replace(Replace(Replace(sLenovoModel,"ThinkPad ","",1,-1,1),"arbon 4th","")," ",""),3)
					ElseIf InStr(1,sLenovoModel,"Carbon 3rd",1) > 0 Then
						sAbbrModel = Left(Replace(Replace(Replace(sLenovoModel,"ThinkPad ","",1,-1,1),"arbon 3rd","")," ",""),3)
					ElseIf InStr(1,sLenovoModel,"Carbon 2nd",1) > 0 Then
						sAbbrModel = Left(Replace(Replace(Replace(sLenovoModel,"ThinkPad ","",1,-1,1),"arbon 2nd","")," ",""),3)
					Else
						sAbbrModel = Left(Replace(Replace(Replace(sLenovoModel,"ThinkPad ","",1,-1,1),"arbon","")," ",""),3)
					End If
				Else
					sAbbrModel = Left(Replace(sLenovoModel,"ThinkPad ","",1,-1,1),3)
				End If
			Else
				' Version was blank or unexpected (see the failure modes above).
				' Alternatively you could build & maintain (yuck) a table of product types
				Select Case UCase(Left(sLenovoProductType,4))
					Case UCase("5032")
						sAbbrModel = "M81"

					Case UCase("20EF")
						sAbbrModel = "W54"
				End Select
			End If

		Case UCase("innotek GmbH")
			' VirtualBox: first letter, the "G" of GmbH (position 9) and the last letter -> "IGH"
			sAbbrModel = UCase(Left(sMake,1) & Mid(sMake,9,1) & Right(sMake,1))

		Case UCase("VMware, Inc.")
			sAbbrModel = UCase(Left(sMake,3))

		Case UCase("Microsoft Corporation")
			' Hyper-V
			sAbbrModel = "HPV"

	End Select
	GetAbbrModel = sAbbrModel
End Function
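For inventory work outside a task sequence, here is an added PowerShell take on the same lookup (my own code, not the post’s UserExit script).  It handles the failure modes listed above explicitly: a blank Version, or a Version that merely mirrors the product type or Model, falls back to a product-type table; the table contents and the function name are assumptions, and the parameters exist so it can be exercised with constructed values.

```powershell
# Added example, not the post's script: Lenovo real-model lookup with the failure modes handled.
# Product type prefix -> abbreviation; the two entries come from the post, extend to suit.
$LenovoTypeTable = @{ '20EF' = 'W54'; '5032' = 'M81' }

function Get-LenovoRealModel {
    param([string]$Version, [string]$ProductType, [string]$Model)
    # When no values are passed, read them from WMI on the local machine
    if (-not $PSBoundParameters.ContainsKey('Version')) {
        $csp = Get-CimInstance -ClassName Win32_ComputerSystemProduct
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
        $Version = [string]$csp.Version; $ProductType = [string]$csp.Name; $Model = [string]$cs.Model
    }
    $result = [pscustomobject]@{ ProductType = $ProductType; RealModel = $null; Abbr = 'UNK'; Source = $null }
    $v = $Version.Trim()
    # Usable only if Version is populated and is not just a copy of the type/model fields
    if ($v -and $v -ne $ProductType -and $v -ne $Model) {
        $result.RealModel = $v
        $result.Source    = 'Win32_ComputerSystemProduct.Version'
        if ($v -match '^Think(Pad|Centre|Station)\s+(.+)$') {
            # "X1 Carbon 4th" -> "X1C", "W541" -> "W54": collapse Carbon + generation, drop spaces, keep 3
            $rest = $Matches[2] -replace 'Carbon(\s+\d+(st|nd|rd|th))?', 'C' -replace '\s', ''
            $result.Abbr = $rest.Substring(0, [Math]::Min(3, $rest.Length))
        }
    }
    else {
        # Blank after a board swap, or Version mirroring the type: fall back to the product-type table
        $result.Source = 'product type table'
        $prefix = $ProductType.Substring(0, [Math]::Min(4, $ProductType.Length)).ToUpper()
        if ($LenovoTypeTable.ContainsKey($prefix)) { $result.Abbr = $LenovoTypeTable[$prefix] }
    }
    return $result
}

# Constructed values mirroring the post: a healthy W541, and one whose BIOS fields were never set
Get-LenovoRealModel -Version 'ThinkPad W541' -ProductType '20EFCTO1WW' -Model '20EFCTO1WW'   # Abbr W54 from Version
Get-LenovoRealModel -Version ''               -ProductType '20EFCTO1WW' -Model '20EFCTO1WW'   # Abbr W54 from the table
Get-LenovoRealModel -Version 'ThinkPad X1 Carbon 4th' -ProductType '20FBCTO1WW' -Model '20FBCTO1WW'  # Abbr X1C
```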

Generate WindowsUpdate.Log Without Get-WindowsUpdateLog

Just like knowing that a shrimp’s heart is located in its head area (thorax), you can file this tidbit under useless facts.

If you find yourself in a situation where you need to convert some Windows Update .ETL files into human readable format and the Get-WindowsUpdateLog PowerShell cmdlet isn’t available for whatever reason, you can use TraceFmt.exe to do this for you.

The TraceFmt utility, available through both the Windows Software Development Kit (SDK) and Windows Driver Kit (WDK), takes the details in the trace logs and outputs a human-readable text file containing the formatted trace messages.

Usage:


tracefmt.exe -o "%UserProfile%\Desktop\TraceFmt-WindowsUpdate.log" %SystemRoot%\Logs\WindowsUpdate\WindowsUpdate.20171002.085155.537.1.etl -r srv*%SystemDrive%\Symbols*https://msdl.microsoft.com/download/symbols

Output:


Setting log file to: C:\windows\logs\WindowsUpdate\WindowsUpdate.20171002.085155.537.1.etl
Examining C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\default.tmf for message formats,  3 found.
Searching for TMF files on path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64
Logfile C:\windows\logs\WindowsUpdate\WindowsUpdate.20171002.085155.537.1.etl:
        OS version              10.0.14393  (Currently running on 10.0.14393)
        Start Time              2017-10-02-08:51:55.537
        End Time                2017-10-02-09:01:57.790
        Timezone is             @tzres.dll,-112 (Bias is 300mins)
        BufferSize              4096 B
        Maximum File Size       128 MB
        Buffers  Written        3
        Logger Mode Settings    (11002009) ( sequential newfile paged)
        ProcessorCount          1

Processing completed   Buffers: 3, Events: 70, EventsLost: 0 :: Format Errors: 0, Unknowns: 7

Event traces dumped to C:\Users\perkinsjg\Desktop\TraceFmt-WindowsUpdate.log
Event Summary dumped to C:\Users\perkinsjg\Desktop\TraceFmt-WindowsUpdate.log.sum
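The post converts a single .etl; the log directory usually holds a run of them.  As an added example (my own, not from the post), this PowerShell locates tracefmt.exe under the installed Windows Kit, converts every WindowsUpdate .etl with the same -o and symbol-path (-r) arguments shown above, and concatenates the results in order.  The output folder and the kit search path are assumptions.

```powershell
# Added example, not from the original post: batch-convert WindowsUpdate ETL traces with tracefmt.exe.
function Find-TraceFmt {
    # Assumed install location of the Windows SDK/WDK; prefer the newest x64 build found
    $kitRoot = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    if (-not (Test-Path $kitRoot)) { return $null }
    Get-ChildItem -Path $kitRoot -Recurse -Filter tracefmt.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\*' } |
        Sort-Object FullName -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

function Convert-WindowsUpdateEtl {
    param(
        [string]$LogDir     = (Join-Path $env:SystemRoot 'Logs\WindowsUpdate'),
        [string]$OutDir     = (Join-Path $env:UserProfile 'Desktop\WUTrace'),   # assumed output folder
        [string]$SymbolPath = "srv*$env:SystemDrive\Symbols*https://msdl.microsoft.com/download/symbols"
    )
    $tracefmt = Find-TraceFmt
    if (-not $tracefmt) { throw 'tracefmt.exe not found; install the Windows SDK or WDK.' }
    $etls = Get-ChildItem -Path $LogDir -Filter *.etl -ErrorAction Stop | Sort-Object Name   # names carry the timestamp
    if (-not $etls) { throw "No .etl files found in $LogDir" }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    $results = foreach ($etl in $etls) {
        $out = Join-Path $OutDir ($etl.BaseName + '.log')
        # Same argument shape as the post's command: -o <output> <etl> -r <symbol path>
        & $tracefmt -o $out $etl.FullName -r $SymbolPath | Out-Null
        [pscustomobject]@{ Etl = $etl.Name; Log = $out; ExitCode = $LASTEXITCODE }
    }
    # Stitch the per-file logs together chronologically so it reads like one WindowsUpdate.log
    $merged = Join-Path $OutDir 'WindowsUpdate.log'
    Get-Content -Path ($results | Where-Object { Test-Path $_.Log } | ForEach-Object Log) | Set-Content -Path $merged
    return $results
}

Convert-WindowsUpdateEtl | Format-Table -AutoSize
```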


Comparison

TraceFmt: (screenshot of the TraceFmt-generated log)

Get-WindowsUpdateLog: (screenshot of the cmdlet-generated log)

In Closing

The TraceFmt-generated log file will not be identical to the one generated by the Get-WindowsUpdateLog PowerShell cmdlet, but it’ll help in a pinch!

For now, I bid you Good Providence!