What's New in Azure Active Directory for February 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for February 2021:

What’s Planned

Email one-time passcode authentication on by default

Service category: B2B
Product capability: B2B/B2C

Starting October 31, 2021, Azure AD email one-time passcode authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. At this time, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts.

Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access

Service category: Authentications (Logins)
Product capability: Platform

Currently, applications using dynamic permissions are given all of the permissions they're consented to access. This includes permissions that were not requested, even when they trigger Conditional Access. For example, an app requesting only user.read that also has consent for files.read is forced to pass the Conditional Access policy assigned to the files.read permission.

To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way unrequested scopes are provided to applications. Apps will only trigger Conditional Access for permissions they explicitly request.

What’s New

Authentication Policy Administrator built-in role General availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

People with this privileged Azure AD role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.

Domain Name Administrator built-in role General availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

People with this privileged Azure AD role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies.

For on-premises environments, people with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synchronized via Azure AD Connect, so users also have permissions to manage Azure AD Connect.

User collections on My Apps General availability

Service category: My Apps
Product capability: End User Experiences

People can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator.

Autofill in Authenticator General availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Microsoft Authenticator provides multi-factor authentication (MFA) and account management capabilities, and will now also autofill passwords on sites and apps people visit on their mobile devices running iOS or Android.

To use autofill on Authenticator, people need to add their personal Microsoft account to Authenticator and use it to synchronize their passwords. Work or school accounts cannot be used to synchronize passwords at this time.

Invite internal users to B2B collaboration General availability

Service category: B2B
Product capability: B2B/B2C

Organizations can now invite internal guests to use B2B collaboration instead of sending an invitation to an existing internal account. This allows organizations to keep that user's object ID, userPrincipalName, group memberships, and app assignments.

Use a Temporary Access Pass to register Passwordless credentials Public Preview

Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection

Temporary Access Pass is a time-limited passcode that serves as strong credentials and allows onboarding of passwordless credentials and recovery when a person has lost or forgotten their strong authentication factor (for example, FIDO2 security key or Microsoft Authenticator app) and needs to sign in to register new strong authentication methods.

Keep me signed in (KMSI) in next generation of user flows Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The next generation of B2C user flows now supports the keep me signed in (KMSI) functionality that allows customers to extend the session lifetime for the people of their web and native applications by using a persistent cookie. This feature keeps the session active even when the person closes and reopens the browser, and is revoked when the person signs out.

External Identities Self-Service Sign-up in AAD using Microsoft accounts Public Preview

Service category: B2B
Product capability: B2B/B2C

External people will now be able to use Microsoft Accounts (MSAs) to sign in to Azure AD first party and line of business (LOB) apps.

Reset redemption status for a guest user Public Preview

Service category: B2B
Product capability: B2B/B2C

Organizations can now reinvite existing external guests to reset their redemption status, which allows the guest user account to remain without them losing any access.

/synchronization (provisioning) APIs now support application permissions Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. This is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Databricks, etc.). It is currently not supported for HR provisioning (Workday / SuccessFactors) or Azure AD Connect Cloud Sync.

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2021, Microsoft added the following new applications with federation support to the Azure AD App gallery:

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Changed

10 Azure Active Directory roles now renamed

Ten Azure AD built-in roles have been renamed so that they're aligned across the Microsoft 365 admin center, Azure AD portal, and Microsoft Graph.

New Company Branding in MFA/SSPR Combined Registration

Service category: User Experience and Management
Product capability: End User Experiences

In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now shown at the top left of MFA/SSPR Combined Registration. Company branding is also included on My Sign-Ins and the Security Info page.

Second level manager can be set as alternate approver

Service category: User Access Management
Product capability: Entitlement Management

An extra option when admins select approvers is now available in Entitlement Management. If you select Manager as approver for the First Approver field, they will have another option, Second level manager as alternate approver, available to choose in the alternate approver field. If admins select this option, they need to add a fallback approver to forward the request to in case the system can't find the second level manager.

Authentication Methods Activity Dashboard

Service category: Reporting
Product capability: Monitoring & Reporting

The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant(s). The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset.

What’s Deprecated

Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired

Service category: Other
Product capability: User Authentication

Refresh and session token lifetimes configurability in CTL are retired. Azure AD no longer honors refresh and session token configuration in existing policies.

HOWTO: Hunt for abuse of Azure AD Connect’s AD Connector account

Azure AD Connect Sync uses three separate accounts. Its AD Connector account holds several permissions that warrant a closer look at how the account can be abused. Of course, we’ll need command lines to hunt for any misuse.

About the AD Connector account

Since Azure AD Connect version 1.4.18.0, the use of an account that is a member of the Enterprise Admins and/or Domain Admins is no longer supported as AD Connector account.

As John McCash pointed out in the comments, any account with the 'Replicate Directory Changes All' delegated permission is effectively a Domain Admin account, and should be secured appropriately. While John points to the Active Directory administrative tier model, it’s not a true ‘Assume breach’ perspective. Let’s provide this perspective today.

The AD Connector account is only used to connect to Active Directory by Azure AD Connect. Typically, on Domain Controllers you would only see sign-ins from this account originating from the Azure AD Connect server and all sign-ins would be network sessions (logon type 3). On the Azure AD Connect server itself, you should not see any other type of sign-ins.

Now that we know what the audit trail should look like, we can hunt for anomalies in the event logs of Domain Controllers and Azure AD Connect servers.

Hunting in the Event Logs

For this purpose, we’ll use Windows PowerShell from the Azure AD Connect server to look at the event logs that might be of interest.

Hunt for sign-ins other than network logon sessions on all Domain Controllers

As the AD Connector account targets Active Directory Domain Controllers, you’re bound to see logon events on these servers. However, we want to hunt for all sign-ins that are not network sign-ins. We can use the following lines of Windows PowerShell on the Azure AD Connect server to interrogate each Domain Controller in the environment for all logon sessions that were not network sessions (logon type 3):

Note:
I’m assuming you have the Windows PowerShell module for Active Directory installed on the Windows Server running Azure AD Connect.

Note:
I’m assuming the Windows Firewall on the Domain Controllers allows remote event log management over RPC.

Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# The AD Connector account, read from Azure AD Connect's own configuration
$Acc = (Get-ADSyncADConnectorAccount).ADConnectorAccountName

# All Domain Controllers in the forest, queried per domain and returned by FQDN
$domains = (Get-ADForest).Domains
$DCs = ForEach ($domain in $domains) {
    Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
}
$DCs = $DCs | Sort-Object -Unique

# Successful logons (4624) for the AD Connector account that are not network logons (type 3).
# The XPath string is double-quoted so that $Acc expands; the XPath literals are single-quoted.
ForEach ($DC in $DCs) {
    Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath "Event[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$Acc'] and EventData[Data[@Name='LogonType']!='3']]"
}

Hunt for sign-ins from devices other than the Azure AD Connect server

The same method can be applied to find sign-ins that originate from other devices than the Azure AD Connect server. In the following lines of Windows PowerShell, specify the IP address of the Azure AD Connect server. Then, run the lines on the Azure AD Connect server to interrogate each Domain Controller in the environment:

Note:
I’m assuming you have the Windows PowerShell module for Active Directory installed on the Windows Server running Azure AD Connect.

Note:
I’m assuming the Windows Firewall on the Domain Controllers allows remote event log management over RPC.

Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# The IPv4 address of this Azure AD Connect server
$IP = (Test-Connection -ComputerName (hostname) -Count 1).IPv4Address.IPAddressToString

# The AD Connector account, read from Azure AD Connect's own configuration
$Acc = (Get-ADSyncADConnectorAccount).ADConnectorAccountName

# All Domain Controllers in the forest, queried per domain and returned by FQDN
$domains = (Get-ADForest).Domains
$DCs = ForEach ($domain in $domains) {
    Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
}
$DCs = $DCs | Sort-Object -Unique

# Successful logons (4624) for the AD Connector account from any address other than this server
ForEach ($DC in $DCs) {
    Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath "Event[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$Acc'] and EventData[Data[@Name='IpAddress']!='$IP']]"
}

Hunt for interactive logons on the Azure AD Connect server

To find logon events for the AD Connector account, we can use the following three lines of Windows PowerShell on the Azure AD Connect Server:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

$Acc = (Get-ADSyncADConnectorAccount).ADConnectorAccountName

# Successful (4624) and failed (4625) logons mentioning the AD Connector account; double quotes so $Acc expands
Get-EventLog -LogName Security -InstanceId 4624,4625 -Message "*$Acc*"

As normal operations on Windows Servers running Azure AD Connect only generate events with EventID 4648, you wouldn’t expect events that indicate successful logons (EventID 4624) or failed logons (EventID 4625). We can filter on these characteristics. We do so in the above lines of Windows PowerShell, after we get the AD Connector account from Azure AD Connect’s configuration.
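The three hunts above can be combined into a single pass that returns the matching events as objects, so they can be triaged, exported and fed to a SIEM. This is an added example, not code from the original post; it makes the same assumptions (ActiveDirectory module and AdSyncConfig.psm1 present, remote event log access over RPC to the Domain Controllers), and $LookbackDays is a hypothetical tuning parameter.

```powershell
# Added example (not from the original post): consolidate the three hunts into one
# pass that returns events as objects for triage and export. Same assumptions as the
# hunts above: ActiveDirectory module, AdSyncConfig.psm1, RPC access to the DCs'
# event logs. $LookbackDays is a hypothetical tuning parameter.
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

$Acc          = (Get-ADSyncADConnectorAccount).ADConnectorAccountName
$LookbackDays = 30
$Since        = (Get-Date).AddDays(-$LookbackDays)
$SinceMs      = [int64]$LookbackDays * 86400000

# Every address of this Azure AD Connect server: the only source the AD Connector
# account should ever sign in from (loopback and link-local excluded).
$ConnectIPs = (Get-NetIPAddress | Where-Object { $_.IPAddress -notmatch '^(127\.|::1$|fe80:)' }).IPAddress

# Domain Controllers across the whole forest, by FQDN so cross-domain RPC works.
$DCs = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomainController -Filter * -Server $domain).HostName
}
$DCs = $DCs | Sort-Object -Unique

# Flatten a 4624/4625 record into the fields worth triaging.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$QueriedHost)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated     = $Event.TimeCreated
        QueriedHost     = $QueriedHost
        EventID         = $Event.Id
        LogonType       = $data['LogonType']
        IpAddress       = $data['IpAddress']
        WorkstationName = $data['WorkstationName']
        ProcessName     = $data['ProcessName']
    }
}

# Query one host. "No events were found" is the healthy outcome; anything else
# (RPC blocked, access denied) is a blind spot that must be reported, not hidden.
function Get-ConnectorLogons {
    param([string]$ComputerName, [string]$XPath)
    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $XPath `
                           -ErrorAction SilentlyContinue -ErrorVariable qErr
    foreach ($e in $qErr) {
        if ($e.Exception.Message -notlike 'No events were found*') {
            Write-Warning "$ComputerName : $($e.Exception.Message)"
        }
    }
    foreach ($ev in $events) { ConvertTo-LogonRecord -Event $ev -QueriedHost $ComputerName }
}

# Hunts 1 and 2: successful logons on the DCs that are not network logons (type 3)
# or that do not originate from this server.
$dcXPath = "Event[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $SinceMs]] " +
           "and EventData[Data[@Name='TargetUserName']='$Acc']]"
$dcFindings = foreach ($DC in $DCs) {
    Get-ConnectorLogons -ComputerName $DC -XPath $dcXPath |
        Where-Object { $_.LogonType -ne '3' -or $_.IpAddress -notin $ConnectIPs }
}

# Hunt 3: any 4624 or 4625 for the account on the Azure AD Connect server itself
# (normal operation only produces 4648 here).
$localXPath = "Event[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= $SinceMs]] " +
              "and EventData[Data[@Name='TargetUserName']='$Acc']]"
$localFindings = Get-ConnectorLogons -ComputerName $env:COMPUTERNAME -XPath $localXPath

$findings = @($dcFindings) + @($localFindings)
if ($findings.Count -eq 0) {
    "No anomalous sign-ins for $Acc since $($Since.ToString('u')); breach hypothesis not supported."
} else {
    $findings | Sort-Object TimeCreated |
        Format-Table TimeCreated, QueriedHost, EventID, LogonType, IpAddress, WorkstationName, ProcessName -AutoSize
    # Keep the evidence for the incident file.
    $findings | Export-Csv -Path "$env:TEMP\ADConnectorAccount-hunt.csv" -NoTypeInformation
}
```

Warnings about Domain Controllers that could not be queried deserve as much attention as findings: a DC whose event log you cannot read is a gap in your hunt.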

Concluding

The above lines of Windows PowerShell can be used to test your breach hypothesis. These lines of Windows PowerShell should not provide any feedback or provide the following output:

No events were found that match the specified selection criteria.

If so, good job!

What Veeam Backup & Replication v11 means for Microsoft-oriented Identity-focused admins

Last week, Veeam released Veeam Backup & Replication version 11. Let’s take a quick look at what’s new and what this means to Microsoft-oriented Identity-focused admins.

What’s New

In case you missed it, here’s what’s new in Veeam Backup & Replication version 11:

Continuous Data Protection (CDP)

For Tier-1 VMware vSphere-based workloads, Veeam now offers Continuous Data Protection (CDP). Veeam CDP captures all write I/O directly in the data path with a VMware-certified I/O filter driver, eliminating the need to create snapshots as with classic replication jobs. And with I/O-level tracking, only the data actually changed is sent over to the VMware vSphere implementation at the Disaster Recovery (DR) site, as opposed to the larger virtual disk blocks returned by the changed block tracking feature.

Hardened Repository

With Veeam Backup & Replication version 11, admins can now keep backups safe in hardened, malware- and hacker-proof repositories with immutable backups preventing encryption and deletion by ransomware and malicious actors on Linux-based hardened repositories. Credentials to access a hardened repository are never stored in the database. As such, criminals cannot extract these credentials from a compromised backup server.

With this feature, version 11 successfully passed a 3rd party assessment of compliance with the U.S. financial industry regulations for WORM (Write Once Read Many) storage.

However, with hardened repositories, you are limited to classic forward incremental backup with periodic full backups.

Expanded Object Storage Support

Reduce the costs of long-term data archival and retention by up to 20 times, replace manual tape management and achieve end-to-end backup life cycle management with version 11’s expanded support for hot object storage in the Capacity Tier and support for cold object storage in the new Archive Tier of the Scale-out Backup Repository (SOBR).

For the Capacity Tier and NAS file version archiving, in addition to the wide variety of existing choices, organizations can now use Google Cloud Storage (GCS) as the object storage repository. For the Archive Tier, Veeam is delivering Amazon S3 Glacier (including Deep Archive) and Microsoft Azure Blob Storage Archive Tier support.

To help meet the compliance requirements, in Amazon S3 Glacier, the archived backups can be optionally made immutable for the entire duration of their retention policy.

Expanded Instant Recovery

Make even more of the datacenter’s workloads available instantly with the seamless restore of the following new workloads:

  • Instant Recovery of Microsoft SQL Server and Oracle databases
  • Instant Publish of NAS backups
  • Instant Recovery to Microsoft Hyper-V

Other enhancements

In addition to the above-mentioned major new features, Veeam Backup & Replication version 11 includes over 200 other enhancements. You can read all of them in the What’s New in Veeam Backup & Replication version 11 document (PDF).

What version 11 means

Everybody benefits from immutable backups. In addition to hardened repositories, Microsoft-oriented Identity-focused admins can harness the new Veeam Backup & Replication version 11 features in the following ways:

DFS configuration restore

Listed as one of the other enhancements, DFS Configuration Restore is announced.
Active Directory admins can now restore the Distributed File System (DFS) configuration in the System container with the Veeam Explorer for Microsoft Active Directory bundled with version 11.

Continuous Data Protection and Domain Controllers

When Domain Controllers are virtualized on VMware vSphere, you can use the Continuous Data Protection (CDP) feature to replicate Domain Controllers to the Disaster Recovery (DR) site. Combined with the right Site Recovery Manager (SRM) method for making Active Directory available in case of a disaster, this can be very powerful. Veeam CDP beats Active Directory replication, as it offers asynchronous replication of I/O, combined with network traffic compression, whereas Active Directory replication acts on a 15-minute replication schedule between Active Directory sites with default settings…

Instant Recovery to Hyper-V

Veeam Backup & Replication version 11 enables additional data recovery and portability use cases by letting you instantly recover any physical server, workstation, virtual machine or cloud instance backups to a Microsoft Hyper-V virtual machine, regardless of what Veeam product was used to create the backup.

While P2V’ing Domain Controllers is not something I’d advise, because your mileage may vary, for many other Identity-related physical workloads instant recovery to Hyper-V is a beautiful addition to the migration story: AD FS servers, Web Application Proxy servers and Azure AD Connect servers.

Automation

Graphical User Interfaces (GUIs) can be beneficial in many scenarios. However, especially when you’re testing or creating automated pre-production environments, you need robust automation features.

Veeam Backup & Replication version 11 ditched the PowerShell snap-in and now offers a PowerShell module. The module no longer requires PowerShell 2.0. Version 11 adds 184 new cmdlets for both newly added functionality and expanded coverage of the existing features with a particular focus on restore functionality.

Veeam Backup & Replication version 11 also offers a RESTful API for the backup server.

No local admin requirement

In Veeam Backup & Replication version 11, the backup console no longer requires operators to use an account with a membership to the local Administrators group on the Windows Server that runs the backup console. This helps to improve security by not having to assign administrative privileges to the console operators.

When console update installation is required and for restore scenarios that actually do require Local Administrator privileges, you will be offered the opportunity to restart the console with appropriate privileges.

No additional costs

Veeam Backup & Replication version 11 uses the same license file format introduced back with v10. Such license files are no longer tied to a particular software version, allowing organizations to use their existing v10 license file for v11 as long as the maintenance contract is still active.

All the above features are part of the Veeam Universal License. When using a legacy Socket-based license, Enterprise Plus edition is required for Veeam CDP and the RESTful API.

Concluding

Veeam offers a compelling new version of its Backup & Replication solution. Simply upgrading gets your organization many of the benefits, but some other benefits may only be reaped when you make additional changes, like removing admin permissions and redoing your automation work. I think these additional actions are worth performing.

HOWTO: Find out the capabilities Domain Controllers may offer your device

One of the hard nuts to crack in Active Directory is meeting the requirements for the infrastructure features your organization’s business needs to operate reliably, securely and smoothly.

About Active Directory requirements

Throughout Microsoft’s recent history, features have been introduced in all sorts of products that have certain Active Directory requirements.

The perfect example is Kerberos Armoring (FAST). Besides a Group Policy setting, it requires a sufficient number of Domain Controllers running Windows Server 2012, or Domain Controllers running newer versions of Windows Server.

A recent example that comes to mind is Windows Hello for Business in recent versions of Windows 10. In most deployment types, you need Windows Server 2016-based Domain Controllers, or Domain Controllers running newer versions of Windows Server.

Here’s a table with requirements for Windows Server 2003 through Windows Server 2008 R2. Here’s the table for Windows Server 2012.

Pile-on effects

If these requirements are not met, the feature cannot be used. If requirements are met inadequately, the feature may behave surprisingly.

Throughout Active Directory’s history, there have been features that were unlocked by adding the first Domain Controller with the latest Windows Server Operating System (OS). However, what wasn’t always clear is that meeting the requirement with the bare minimum (one Domain Controller running the latest and greatest) might lead to a pile-on effect: all Read-only Domain Controllers communicating with only one Domain Controller, or all clients communicating with the latest Domain Controller when Kerberos Armoring was enabled…

Finding out Domain Controllers’ capabilities

Before you turn on any feature that has Active Directory requirements, my recommendation is to check your Domain Controllers’ capabilities.

Your knee-jerk reaction as an AD admin might be to open the Active Directory users and computers MMC Snap-in (dsa.msc), but this usually doesn’t do the trick:

  1. It’s tedious to double-click each Domain Controller to look up its Operating System, then close the Properties window to go to the next Domain Controller.
  2. The MMC snap-in doesn’t provide an overview on what a device thinks about your Active Directory sites lay-out. This requires a look in the Active Directory sites and services MMC snap-in (dssite.msc).
  3. This investigation doesn’t account for network connections between certain devices or networks and the networks holding Domain Controllers being blocked, nor for DNS issues, replication issues and deviations in netlogon.dns files.
  4. None of the above means can be used by device administrators. They may not have sufficient permissions and they lack the tools on the device they’re enabling the new feature on.

What we need is a simple command line admins can run on devices to find out what capabilities your Domain Controllers may offer to the device, from the device itself. This is fully possible using nltest.exe.

What you need is a Command Prompt window (cmd.exe) to run the nltest command on. The command prompt doesn’t even have to be elevated…

But, you must also know how to specify to filter for the Windows Server version running on Domain Controllers. For this, you can use the following table:

  Switch   Domain Controller Operating System
  ds_6     Windows Server 2008
  ds_7     Windows Server 2008 R2
  ds_8     Windows Server 2012
  ds_9     Windows Server 2012 R2
  ds_10    Windows Server 2016

Now, by simply specifying the below command, substituting the domain name for your domain, you can find out if your Domain Controllers run Windows Server 2016, or up:

nltest.exe /dsgetdc:domain.tld /ds_10 /force

You can do all sorts of other reconnaissance with the nltest command. For instance, to find out what features the Primary Domain Controller (PDC) is offering, because you need ds_8 for Domain Controller cloning, simply type:

nltest.exe /dsgetdc:domain.tld /pdc
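To check the whole table in one go and read the capability flags of the Domain Controller that answers, the commands above can be wrapped as follows. This is an added example, not from the original post: it only invokes nltest.exe, so like the commands above it needs neither the Windows PowerShell module for Active Directory nor an elevated prompt; $Domain is a hypothetical parameter, and the parsing assumes nltest’s usual "DC:", "Dc Site Name:" and "Flags:" output lines.

```powershell
# Added example (not from the original post): wrap nltest.exe to check every
# /ds_N level from the table in one run and parse the Flags line of the answering
# Domain Controller. Only nltest.exe is invoked: no AD module, no elevation needed.
# $Domain is a hypothetical parameter; output line labels are nltest's usual ones.
param([string]$Domain = $env:USERDNSDOMAIN)

# The /ds_N switches and the Domain Controller OS each one requires (from the table).
$Levels = [ordered]@{
    'ds_6'  = 'Windows Server 2008'
    'ds_7'  = 'Windows Server 2008 R2'
    'ds_8'  = 'Windows Server 2012'
    'ds_9'  = 'Windows Server 2012 R2'
    'ds_10' = 'Windows Server 2016'
}

# First capture group of the first output line matching $Pattern, or $null.
function Get-NltestField {
    param([string[]]$Lines, [string]$Pattern)
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

# Run "nltest /dsgetdc:<domain> <switches>" and turn its output into an object.
# On failure nltest prints "Getting DC name failed: Status = ..." and no DC line,
# so the presence of a DC line decides whether a matching DC was found.
function Invoke-DsGetDc {
    param([string]$Domain, [string[]]$Switches)
    $lines = @(& nltest.exe "/dsgetdc:$Domain" $Switches 2>&1 | ForEach-Object { "$_" })
    $dc = Get-NltestField -Lines $lines -Pattern '^\s*DC:\s*\\\\(\S+)'
    [pscustomobject]@{
        Switches = ($Switches -join ' ')
        Found    = [bool]$dc
        DC       = $dc
        Address  = Get-NltestField -Lines $lines -Pattern '^\s*Address:\s*\\\\(\S+)'
        DcSite   = Get-NltestField -Lines $lines -Pattern '^\s*Dc Site Name:\s*(.+)$'
        OurSite  = Get-NltestField -Lines $lines -Pattern '^\s*Our Site Name:\s*(.+)$'
        Flags    = Get-NltestField -Lines $lines -Pattern '^\s*Flags:\s*(.+)$'
        Status   = Get-NltestField -Lines $lines -Pattern 'Status = (\S+)'
    }
}

# One row per requirement level: is a DC at that level or newer reachable from this
# device, and which one answered (/force bypasses the DC locator cache).
$report = foreach ($level in $Levels.Keys) {
    $r = Invoke-DsGetDc -Domain $Domain -Switches @("/$level", '/force')
    [pscustomobject]@{
        Requirement = "$level = $($Levels[$level]) or newer"
        Met         = $r.Found
        AnsweringDC = $r.DC
        DcSite      = $r.DcSite
        Status      = $r.Status
    }
}
$report | Format-Table -AutoSize

# What the PDC emulator offers (it must advertise DS_8 for Domain Controller cloning).
$pdc = Invoke-DsGetDc -Domain $Domain -Switches @('/pdc')
if ($pdc.Found) {
    "PDC {0} in site {1} advertises: {2}" -f $pdc.DC, $pdc.DcSite, $pdc.Flags
    "PDC meets ds_8 (DC cloning): {0}" -f (($pdc.Flags -split '\s+') -contains 'DS_8')
} else {
    "Could not locate the PDC for $Domain (status $($pdc.Status))."
}
```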

Concluding

Finding out if the environment meets the requirements for certain infrastructure features can be time-consuming in some organizations. If you have a domain-joined device with access to the Command Prompt, you can easily find out for yourself, without setting off any alarm bells.

Also, you don't need PowerShell for this; most cmdlets require installation of the Windows PowerShell module for Active Directory and, thus, require administrator privileges.

Good ol' nltest to the rescue.

On-premises Identity-related updates and fixes for February 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for February 2021:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB4601318 February 9, 2021

The February 9, 2021 update for Windows Server 2016 (KB4601318), updating the OS build number to 14393.4225, is a security update that includes quality improvements.

This update configures the Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) countermeasures to enable Enforcement mode to require Netlogon secure channel connections.

It includes the following identity-related improvements:

  • It enables administrators to disable standalone Internet Explorer using a Group Policy while continuing to use Microsoft Edge's IE Mode.
  • It addresses an issue that causes LSASS.exe to stop working because of a race condition that results in a double free error in Schannel. The exception code is c0000374, and the Event Log displays Schannel event 36888, fatal error code 20, and error state 960. This issue occurs after installing Windows updates from September 2020 and later.
  • It addresses an issue that fails to log events 4732 and 4733 for Domain-Local group membership changes in certain scenarios. This occurs when you use the Permissive Modify control. The Active Directory (AD) PowerShell modules use this control.
  • It addresses an issue that incorrectly reports that Lightweight Directory Access Protocol (LDAP) sessions are unsecure in Event ID 2889. This occurs when the LDAP session is authenticated and sealed with a Simple Authentication and Security Layer (SASL) method.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4601345 February 9, 2021

The February 9, 2021 update for Windows Server 2019 (KB4601345), updating the OS build number to 17763.1757, is a security update.

This update configures the Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) countermeasures to enable Enforcement mode to require Netlogon secure channel connections.

KB4601383 February 16, 2021

The February 16, 2021 update for Windows Server 2019 (KB4601383), updating the OS build number to 17763.1790, is a preview quality improvement update. It includes the following identity-related improvements:

  • It turns off token binding by default in Windows Internet (WinINet).
  • It addresses an issue that displays a User Account Control (UAC) dialog box unexpectedly when you turn on speech recognition.
  • It removes the history of previously used pictures from a user account profile.
  • It addresses an issue that prevents the Trusted Platform Module (TPM) from starting. As a result, TPM-based scenarios do not work.
  • It addresses an issue with Key Distribution Center (KDC) code, which fails to check for an invalid domain state when the domain controller restarts. The error message is STATUS_INVALID_DOMAIN_STATE.

  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, KRB_GENERIC_ERROR, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • It addresses an issue that fails to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
  • It addresses an issue with updating to Windows Server 2019 using a .iso image. If you renamed the default administrator account, the Local Security Authority (LSA) process might stop working.

I’m a 2021 Veeam Vanguard

Today, I received an e-mail from Nikola Pejková from Veeam congratulating me with being selected for the 2021 Veeam Vanguard Program by the Veeam Vanguard team.

For me, it means I successfully renewed my previous five Veeam Vanguard Awards, dating back to 2016. The Veeam Vanguard program provided a different experience in 2020, but it was still extremely enjoyable and rewarding.

I feel honored.

Thank you!

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguard represent Veeam’s brand to the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities on and offline.

The full list of Veeam Vanguards will be available shortly here.

FURTHER READING

I’m a 2020 Veeam Vanguard 
I am a 2019 Veeam Vanguard
I am a 2018 Veeam Vanguard
I am a 2017 Veeam Vanguard
I am a 2016 Veeam Vanguard

Older versions of Azure AD Connect will be retired on February 29th, 2024

If you are using an older version of Azure AD Connect, you might want to consider upgrading it. Yesterday, Microsoft published new information on changes to come.

The Azure AD Connect product team is constantly making updates to Azure AD Connect Sync to ensure optimal security and performance of organizations’ synchronization processes.

Therefore, Microsoft will retire older versions of Azure AD Connect on February 29th, 2024. On that date, versions published before 5 May 2018 will be retired.

Older versions of Azure AD Connect and Windows Server

Azure AD Connect version 1.1.751.0, and all older versions of Azure AD Connect, will be retired at this point.

If you’re running Azure AD Connect on Windows Server 2012 or Windows Server 2012 R2, it is also good to keep in mind that these Operating Systems will reach their end of support on October 10th, 2023 (four months earlier).

Action required

To minimize service disruption, please upgrade to a newer version of Azure AD Connect Sync. Review the options in the migration guide to perform the upgrade.

More information

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, please create a support request.

Further reading

Please upgrade your Azure AD Connect sync to a newer version by 29 February 2024


VMSA-2021-0002 updates for VMware ESXi and vCenter address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

Yesterday, VMware released updates that address three vulnerabilities in its ESXi, vCenter Server and Cloud Foundation products.

About the vulnerabilities

Remote code execution vulnerability in the vSphere Client (CVE-2021-21972)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Mikhail Klyuchnikov of Positive Technologies reported the vulnerability to VMware.

The vulnerability is addressed in the following versions of vCenter Server:

  • vCenter Server version 7.0 U1c
  • vCenter Server version 6.7 U3l
  • vCenter Server version 6.5 U3n
  • Cloud Foundation (vCenter Server) version 4.2
  • Cloud Foundation (vCenter Server) version 3.10.1.2

SSRF vulnerability in the vSphere Client (CVE-2021-21973)

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

Mikhail Klyuchnikov of Positive Technologies reported the vulnerability to VMware.

The vulnerability is addressed in the following versions of vCenter Server:

  • vCenter Server version 7.0 U1c
  • vCenter Server version 6.7 U3l
  • vCenter Server version 6.5 U3n
  • Cloud Foundation (vCenter Server) version 4.2
  • Cloud Foundation (vCenter Server) version 3.10.1.2

ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

Lucas Leong of Trend Micro's Zero Day Initiative reported the vulnerability to VMware.

The vulnerability is addressed in the following versions of ESXi:

  • ESXi version ESXi70U1c-17325551
  • ESXi version ESXi670-202102401-SG
  • ESXi version ESXi650-202102101-SG
  • Cloud Foundation (ESXi) version 4.2
  • Cloud Foundation (ESXi) version 3.10.1.2 with EP 18 (6.7.0-17499825)

Concluding

Please install the updates for the version(s) of ESXi, vCenter Server and/or Cloud Foundation in use within your organization, as mentioned above and in the advisory for VMSA-2021-0002.

Alternatively, perform the workarounds as mentioned in KB82374 for vCenter Server (pertaining to CVE-2021-21972 and CVE-2021-21973) and KB76372 for ESXi (pertaining to CVE-2021-21974).
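To see where your estate stands before patching, the following is an added example (not VMware's code and not part of the original post): a PowerCLI audit that lists each ESXi host's build against the fixed builds for CVE-2021-21974 and reports whether the OpenSLP service (slpd, port 427) is still running, since KB76372's workaround is to disable that service until the host is patched. Builds 17325551 (ESXi 7.0 U1c) and 17499825 (ESXi 6.7 EP 18) appear in the advisory text above; the 6.5 build 17477841 is an assumption from memory and must be verified against VMSA-2021-0002 before you rely on it. The vCenter Server build is printed for manual comparison only, because the page lists vCenter fixes by release name rather than build. It assumes an open Connect-VIServer session.

```powershell
# Added example, not VMware's code. PowerCLI audit for VMSA-2021-0002.
# Assumes: VMware.PowerCLI is installed and Connect-VIServer has been run.

$FixedEsxiBuild = @{
    '7.0' = 17325551   # ESXi70U1c-17325551 (from the advisory text)
    '6.7' = 17499825   # ESXi670-202102401-SG, EP 18 (from the advisory text)
    '6.5' = 17477841   # ESXi650-202102101-SG: ASSUMPTION, verify against VMSA-2021-0002
}

function Get-MajorVersion([string]$Version) {
    # '6.7.0' -> '6.7'
    ($Version -split '\.')[0..1] -join '.'
}

function Test-EsxiPatched {
    param(
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][int]$Build
    )
    $major = Get-MajorVersion $Version
    if (-not $FixedEsxiBuild.ContainsKey($major)) { return $null }   # branch not covered here
    $Build -ge $FixedEsxiBuild[$major]
}

$report = foreach ($h in Get-VMHost) {
    # slpd is the OpenSLP daemon that CVE-2021-21974 targets on port 427.
    $slp = Get-VMHostService -VMHost $h | Where-Object Key -eq 'slpd'
    [pscustomobject]@{
        Host          = $h.Name
        Version       = $h.Version
        Build         = $h.Build
        Patched21974  = Test-EsxiPatched -Version $h.Version -Build ([int]$h.Build)
        SlpdRunning   = [bool]$slp.Running
        SlpdPolicy    = $slp.Policy
    }
}
$report | Format-Table -AutoSize

# CVE-2021-21972 and CVE-2021-21973 live in vCenter Server itself; print its
# build so it can be compared by hand with the fixed release for its branch.
$vc = $global:DefaultVIServer
'vCenter {0}: version {1}, build {2}' -f $vc.Name, $vc.Version, $vc.Build

# Priority list: unpatched hosts that still expose OpenSLP.
'Unpatched hosts with slpd running (apply KB76372 workaround or patch first):'
$report | Where-Object { $_.Patched21974 -eq $false -and $_.SlpdRunning } | Format-Table -AutoSize
```

A host that shows `Patched21974 = $null` is on a branch the table does not cover and needs a manual look; a host with `SlpdRunning = $false` but `SlpdPolicy = On` will bring the service back on reboot, so the policy matters as much as the current state.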

FURTHER READING

VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)
Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)


Identity-related sessions at Microsoft Ignite 2021 Spring Edition

Microsoft’s Ignite 2021 Spring event kicks off in one week.

For 2021, Ignite is organized differently to align with the new reality. Microsoft has announced that it will organize virtual events only until July 2021. Instead of an in-person event, a virtual Ignite event runs from Tuesday, March 2nd to Thursday, March 4th, 2021.

The big advantage for you is that you can attend Ignite for free again, just like last year’s Microsoft Ignite.

As Identity geeks, we encourage you to attend the following Identity-related sessions at Microsoft Ignite 2021 Spring Edition:

Live sessions

FS195 Azure Active Directory: our vision and roadmap for strengthening Zero Trust defenses in the era of hybrid work

Thursday, March 4, 2:00 AM – 2:30 AM CET 
Thursday, March 4 11:30 AM – 12:00 PM CET 
Joy Chik, Ramiro Calderon, Inbar Kobrinsky, Sana Noorani, Ricky Pullan and Preeti Rastogi

As cyberattacks get more sophisticated, securing hybrid work environments is more complex—and more critical. Adopting a Zero Trust approach and upgrading your identity infrastructure hardens your defenses now and for the long-term. In this demo-heavy, can’t-miss session, we’ll share how Azure AD helps you maximize control while enabling a seamless and secure user experience. Join us to see and learn how to eliminate passwords, simplify onboarding, and secure access to all your apps.

FS198 Security for All

Tuesday, March 2, 8:00 PM – 8:30 PM CET    
Wednesday, March 3, 5:30 AM – 6:00 AM CET 
Irina Nechaeva and Alym Rayani

Learn how to reduce complexity and defend your organization against business risk with innovations in security, compliance, identity, and management.

LRN250 Defend against threats in Teams

Tuesday, March 2, 10:00 PM – 11:15 PM CET
John Gruszczyk and Brett Polen

Microsoft Teams provides your users with a powerful cloud-based collaboration experience. In this session, you'll learn about the powerful tools that can help identify and protect your cloud-based services using Advanced Threat Protection (ATP), Cloud App Security, and Conditional Access.

LRN252 Plan, implement and administer conditional access

Wednesday, March 3, 10:30 AM – 11:45 AM CET
Stefan van der Wiele and Peter van Leeuwen

Conditional access gives fine-grained control over which users can perform specific activities and access resources, and helps ensure data and systems are safe. This session will highlight how to plan and implement security defaults, test and troubleshoot conditional access policies, implement application controls and session management, and configure smart lockout thresholds.

Ask the Experts sessions

ATE-FS195 Azure Active Directory: our vision and roadmap for strengthening Zero Trust defenses in the era of hybrid work

Thursday, March 4, 5:30 AM – 6:00 AM CET 
Ramiro Calderon, Inbar Kobrinsky, Sana Noorani, Ricky Pullan and Preeti Rastogi

Join this Ask the Expert session that corresponds to Featured Session FS195 “Azure Active Directory: our vision and roadmap for helping defend against advanced threats.”

ATE109 Deploying secure passwordless solutions

Wednesday, March 3, 2:00 AM – 2:30 AM CET
Inbar Kobrinsky and Ricky Pullan

Join this Ask the Experts session for a live discussion with Microsoft experts on going passwordless in your organization. We will discuss deploying MFA, Windows Hello for Business, FIDO security keys, the Microsoft Authenticator application and more.

ATE112 Zero Trust – The proactive approach to cybersecurity

Wednesday, March 3, 8:00 PM – 8:30 PM CET 
Nitika Gupta and Mayunk Jain

Join this Ask the Expert session that corresponds to on-demand session OD362 "Zero Trust – The proactive approach to cybersecurity" for a live discussion with Microsoft experts on how the Microsoft platform enables you to implement an end-to-end Zero Trust security model today.

Table Talk sessions

CON251 Future of Cybersecurity

Thursday, March 4, 10:30 AM – 11:00 AM CET 

Alex Benoit, Mike Jankowski-Lorek, Paula Januszkiewicz, Gokan Ozcifci and Tomas Vileikis

Join this Teams Meeting to connect with the most experienced cybersecurity professionals in the community! Get familiar with the biggest mistakes in infrastructure and teamwork security, a hacker’s perspective of your security system and come away with suggestions & ideas on how to reach the next level of security in your workspaces. Unmute yourself, turn your camera on – No presentations here! Join the Cybersecurity Table Talk and be prepared for chat and a fun interactive discussion!

On Demand sessions

OD356 Taking identity and privacy to a new level | Verifiable Credentials with decentralized identity using blockchain

Joy Chik

Today your identity and related credentials are spread across multiple directory services and institutions. Decentralized identity has the power to move identity lookups securely to blockchain’s distributed ledger to put YOU in control of your identity, credentials and privacy. In this demo-rich tour, we’ll show you how it works and how you can set this up to issue or verify credentials, along with the simple end user experience with their digital wallet.

OD360 Prevent attacks by protecting your applications with Azure Active Directory

Jasmine Betthauser and Michelle Swafford

Remote work and recent security attacks have heightened the need for a cloud first approach to identity and access management. On-premises applications and infrastructure can be targets for attackers. It’s time to upgrade to a cloud first approach, protecting your organization from compromise by connecting all your apps to Azure AD. Learn how you can protect your on-premises apps and upgrade your app authentication from legacy solutions like AD FS to Azure AD without modifying your apps.

OD362 Zero Trust – The proactive approach to cybersecurity

Nitika Gupta and Dilip Radhakrishnan

As technology becomes increasingly sophisticated, so are hackers, continually working on new ways to exploit and compromise it. Recent incidents have taught us that we need to up-level our security strategy to be more proactive by identifying threats and addressing security weaknesses before an attack occurs. Learn how Zero Trust can help manage the evolving global threat landscape and embrace the "assume breach" mindset through thorough and continuous security monitoring of our environments.

OD363 Winning Azure Active Directory strategies for identity, security, and governance

Rohini Goyal and Caroline Templeton

Identity-related cybersecurity incidents make news regularly, and the attacks have become more sophisticated for organizations to keep up. The key to successful identity management is moving towards an identity-centric security strategy that guards against insider and outsider attacks. In this session, we will discuss winning strategies you can do today with Azure Active Directory and achieve a stronger security posture with greater control over access rights and privileges.

OD386 Reimagining government services with digital identity

James Collins, Trever Esko and Ngozi Nwoko

We have seen governments modernize their technology and tools in response to COVID-19. They are re-creating their Digital Transformation strategies with a sharp focus on digital services that are no longer dependent on physical offices and face-to-face interactions. In this session, learn how governments are deploying secure technology solutions for authenticating citizen requests and program delivery, via business methods that are not dependent on presenting documents.

OD388 Enabling strong passwordless authentication at scale

Ashvin Saminathen

Passwords are fundamentally broken, as they are among the weakest forms of authentication. Learn how to implement the latest security protocol innovations, pioneered by Microsoft and Yubico, and the best way to deliver trust at scale with strong, passwordless authentication. We will cover how to approach improving security and usability that is critical to today’s businesses.

OD439 Role of IAM in securing the cloud

Vivin Sathyan, ManageEngine

As users continue to work from their homes, the following tasks have become the foundation of any IAM-centric organization:

  • Enforcing centralized granular password policies across Active Directory and cloud applications
  • Securing work from home using System and VPN MFA
  • Standardizing user onboarding/ offboarding via automation to avoid common privilege escalation mistakes – AD/Exchange/M365/GSuite, etc.
  • Delegating tasks to technicians instead of delegating native privileges

OD449 SailPoint and Microsoft Fireside Chat: The Importance of Identity Governance

Matt Mills

Join SailPoint CRO, Matt Mills and Microsoft’s President of US Enterprise Business, Matt Renner as they discuss the importance of identity in today’s new world and how the SailPoint – Microsoft partnership is solving the complex security and compliance needs of enterprise organizations. This winning combination of Microsoft’s comprehensive cloud offerings coupled with SailPoint’s AI-driven cloud identity, creates a secure foundation for digital transformation during times of change.


KnowledgeBase: You experience EventID 1699 on Domain Controllers targeted by Azure AD Connect

One of the issues you might encounter when the delegated permissions for Azure AD Connect’s Active Directory connector account are misconfigured is an event with ID 1699 appearing every hour in the event logs of your Domain Controllers.

The situation

You are using Azure AD Connect with Password Hash Synchronization as either the sign-in method to Azure AD or as an optional feature.

When you set up Azure AD Connect, you did not take the opportunity to have Azure AD Connect create the account it uses to connect to Active Directory, or you changed the AD connector account credentials at a later date to an account you created yourself.

The issue

On the Domain Controllers that Azure AD Connect communicates with, you experience hourly events in the Directory Service event log with event ID 1699 and source ActiveDirectory_DomainService:

Screenshot: EventID 1699 in the Directory Service event log

The event typically states that the user is the Azure AD Connect service account and that the computer is the server running Azure AD Connect. In the additional data field, the error value is stated:

8453 Replication access was denied.

The cause

This issue is caused by an absence of delegated permissions to Azure AD Connect’s Active Directory Connector account. It lacks the following delegated permissions in Active Directory:

  1. Replicate Changes
  2. Replicate Changes All

These permissions are needed for Password Hash Synchronization.

The solution

You can prevent the events from appearing either by disabling password hash synchronization in Azure AD Connect (not recommended), or by delegating the required access to Azure AD Connect’s AD Connector account. The proper solution is to add the account to the previously configured PHS permissions group; the quick solution is the following command line:

dsacls.exe "dc=domain,dc=tld" /G "DOMAIN\ADConnectorAccount:CA;Replicating Directory Changes;" "DOMAIN\ADConnectorAccount:CA;Replicating Directory Changes All;"

Replace the values for your domain, your top-level domain and your Azure AD Connect AD Connector account in the above command line.
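To confirm the diagnosis before changing ACLs, and to verify afterwards that the events actually stop, the following is an added example (not from the original post and not a Microsoft script). It collects the 1699 events from every Domain Controller over the last 24 hours, reads the ACL of the domain naming context to see which of the two replication control-access rights the connector account already holds, and grants whatever is missing, which is the PowerShell equivalent of the dsacls command above. It assumes the ActiveDirectory module from RSAT, Domain Admin-level rights, and the placeholder account name DOMAIN\ADConnectorAccount used on this page; the two rights GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values from the AD schema.

```powershell
# Added example, not part of the original post. Diagnose and fix the
# Event 1699 / error 8453 condition for the Azure AD Connect connector account.
# Assumes: ActiveDirectory module, sufficient rights, and the placeholder
# account name below (replace it with your connector account).

Import-Module ActiveDirectory

$ConnectorAccount = 'DOMAIN\ADConnectorAccount'          # placeholder, replace
$DomainDn         = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=tld

# Control access rights needed for Password Hash Synchronization (schema GUIDs).
$ReplicationRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# 1. Collect the hourly 1699 events from every DC; the message names the user
#    (the connector account) and the computer (the Azure AD Connect server).
function Get-ReplicationDeniedEvents {
    param([string[]]$DomainController = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 1699
            StartTime = (Get-Date).AddHours(-24)
        } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Message
    }
}

# 2. Which of the two rights does the account hold on the domain NC?
function Get-MissingReplicationRights {
    param([string]$Account = $ConnectorAccount, [string]$Dn = $DomainDn)
    $acl  = Get-Acl -Path "AD:\$Dn"
    $held = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } | ForEach-Object { $_.ObjectType }
    $ReplicationRights.GetEnumerator() |
        Where-Object { $held -notcontains $_.Value } |
        ForEach-Object { $_.Key }
}

# 3. Grant the missing rights as explicit Allow ACEs on the domain NC
#    (same effect as the dsacls /G command above).
function Grant-ReplicationRights {
    param([string]$Account = $ConnectorAccount, [string]$Dn = $DomainDn)
    $missing = @(Get-MissingReplicationRights -Account $Account -Dn $Dn)
    if (-not $missing) { return }
    $acl = Get-Acl -Path "AD:\$Dn"
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    foreach ($name in $missing) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $ReplicationRights[$name])
        $acl.AddAccessRule($ace)
        "Granting '$name' to $Account on $Dn"
    }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

Get-ReplicationDeniedEvents | Format-Table -AutoSize
$missing = @(Get-MissingReplicationRights)
if ($missing) {
    "Missing rights: $($missing -join ', ')"
    Grant-ReplicationRights
} else {
    'Both replication rights are present; if 1699 events continue, check that the account in the event matches the connector account.'
}
```

Run step 1 again an hour or two after granting the rights: Password Hash Synchronization retries on its own schedule, so the events stop once the next cycle succeeds rather than immediately. Keep the grants scoped to the connector account itself; these two rights are what a DCSync attack needs, so any extra principal that holds them is a finding, not a convenience.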
