
This site is an automatic translation of http://www.marcelosincic.com.br; the original is in Portuguese.

Enabling remote work during the coronavirus period

With many employees being moved to remote work in this period, which solutions can be adopted quickly?

Scenario 1 – Use of VPN

The first solution is the use of a VPN, where the employee accesses the company's network environment from home over the internet.

What are the advantages?
This method is attractive because it is fast to implement, usually on the firewall the company already uses. The user can access e-mail, servers and applications as if physically inside the company, from a personal computer. Since the product already exists in most environments, the cost of enabling it on the firewall is minimal; with many manufacturers it only needs to be switched on.

What are the disadvantages?
The biggest risk of VPNs is the lack of control over direct external connections from unknown equipment. For example, imagine that the employee's machine is the same one used to download content from the internet, play games and so on. What guarantee do I have that a worm or virus will not come in through this connection? None. A full-tunnel VPN effectively puts that home PC on the corporate LAN, so at a minimum require MFA on the VPN and restrict each VPN profile to the servers and ports the user actually needs rather than the whole network.

What solutions can I use to complement security?
NAC (Network Access Control) is a set of protocols and checks, usually on the firewall or VPN concentrator, that runs a validation on the remote equipment when it tries to connect, confirming that it has a working antivirus, operating system updates and so on; in the Microsoft stack this was done with NPS (Network Policy Server) rules. However, NPS is limited in what it can check: an agent has to be installed in advance, and the check only happens on entering the network, without validating settings that can be changed afterwards and leave the equipment unprotected. The health-check part of that stack, NAP (Network Access Protection), was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016, which is one more reason the posture check has moved to MDM.
The MDM solution in the Microsoft portfolio is Microsoft Intune, now part of Microsoft Endpoint Manager together with SCCM (System Center Configuration Manager).
Intune is a cloud solution with functions similar to SCCM, but with modules for devices such as phones and tablets. It lets the administrator create validation rules that the management agent applies to the user's machine, and these rules can involve:

• Operating system updates
• Automatic installation of corporate applications
• Compliance rules such as a mandatory password and password type, and the separation of corporate and personal resources on mobile devices (KNOX and Apple Secure)
• Restrictions on exchanging information between applications classified as corporate and personal (copy and paste)
• Several other rules that vary between Android, iOS, macOS and Windows
• Integration with several physical NAC products

Scenario 2 – Use of PaaS and SaaS for work applications

Well known as the Modern Workplace, in the Microsoft portfolio these solutions are in Microsoft Office 365.
Sold as individual service packages, Business packages (up to 300 users) and Enterprise packages (Office 365 and Microsoft 365), they allow an employee to work remotely without any access to the internal network.

What are the advantages?
Because there are different contractual acquisition models (CSP on demand, MPSA and EA with fixed prices), it is accessible to all customers.
Data security is greater because the user accesses files and e-mail directly from Microsoft over the public internet and has no access to the company's internal servers. As a cloud service model, it needs no facilities, servers or local infrastructure, and none of the TCO of maintaining and operating those services.
Not much more needs to be said: the PaaS and SaaS model with Exchange, Teams, SharePoint, OneDrive and the other products in the suite is already well established.

What are the disadvantages?
There are few negative points, since we are dealing with essential services (e-mail, messaging, audio and video conferencing, file exchange). But unrestricted access to data, without the ease of creating security rules that we have with ACLs on a physical file server, scares a lot of people. Since the files are in the cloud and accessible from anywhere and from any device, how do we prevent unauthorized access?

What solutions protect my content?
This is where things get easier! In the Office 365 PaaS and SaaS model we have security packages available for any of the options, whatever the contract and package type:

• To encrypt, classify and identify protected content there is AIP (Azure Information Protection), the old Windows RMS now in the cloud, which can identify for example that a user is sending CPFs (Brazilian taxpayer numbers) and passport numbers to other people inside or outside the company
• To detect suspicious activity there is Azure ATP (Azure Advanced Threat Protection), which analyzes activity in on-premises AD and in the cloud directory
• With the CASB (Microsoft Cloud App Security), make advanced usage detections, integrating third-party applications and identifying possible violations and problems such as simultaneous logins from different locations or impossible travel (Chile and Australia in less than 2 hours, for example)
• Create access and login rules (similar to NAC) with Azure AD Premium Conditional Access, which also provides detailed sign-in and activity reports

Together, these features cover the security of access to company data on any device.
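The "impossible travel" detection mentioned in the CASB bullet above, written out as an added example (this is not code from the original post or from Cloud App Security). It takes a list of sign-in records with a geolocation, computes the great-circle distance between consecutive sign-ins of the same user, and flags pairs whose implied speed no traveller could achieve. The sign-in records, user names and coordinates are constructed for the example; in practice they would come from the Azure AD sign-in log or the CASB activity log.

```powershell
# Added example, not from the original post: a minimal "impossible travel"
# check over sign-in events. The sample records at the bottom are constructed.

function Get-DistanceKm {
    # Haversine great-circle distance between two lat/long points, in km.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $r = 6371.0
    $dLat = ($Lat2 - $Lat1) * [math]::PI / 180
    $dLon = ($Lon2 - $Lon1) * [math]::PI / 180
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * [math]::PI / 180) * [math]::Cos($Lat2 * [math]::PI / 180) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * $r * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    # Flags consecutive sign-ins by the same user whose implied speed exceeds
    # $MaxKmh (900 km/h is roughly airliner speed; faster than that is not a
    # person moving between the two places, it is two different sessions).
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,
        [double]$MaxKmh = 900
    )
    $findings = @()
    foreach ($group in ($SignIns | Group-Object User)) {
        $ordered = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $km = Get-DistanceKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $hours = ($cur.Time - $prev.Time).TotalHours
            # Short hops (same city, GeoIP jitter) never trigger; a zero interval
            # over a real distance is treated as infinite speed.
            if ($km -lt 50) { continue }
            $kmh = if ($hours -le 0) { [double]::PositiveInfinity } else { $km / $hours }
            if ($kmh -gt $MaxKmh) {
                $findings += [pscustomobject]@{
                    User  = $group.Name
                    From  = $prev.Location; To = $cur.Location
                    Km    = [math]::Round($km); Hours = [math]::Round($hours, 2)
                    Kmh   = [math]::Round($kmh)
                }
            }
        }
    }
    return $findings
}

# Constructed sample: one user with a plausible trip, one with the
# "Chile and Australia in under two hours" case from the text.
$sample = @(
    [pscustomobject]@{ User='ana'; Time=[datetime]'2020-03-20T08:00:00Z'; Location='Sao Paulo'; Lat=-23.55; Lon=-46.63 }
    [pscustomobject]@{ User='ana'; Time=[datetime]'2020-03-20T13:30:00Z'; Location='Rio';       Lat=-22.91; Lon=-43.17 }
    [pscustomobject]@{ User='bob'; Time=[datetime]'2020-03-20T09:00:00Z'; Location='Santiago';  Lat=-33.45; Lon=-70.67 }
    [pscustomobject]@{ User='bob'; Time=[datetime]'2020-03-20T10:30:00Z'; Location='Sydney';    Lat=-33.87; Lon=151.21 }
)

# Only 'bob' is reported: roughly 11,000 km in 1.5 h.
Find-ImpossibleTravel -SignIns $sample | Format-Table -AutoSize
```

The 50 km floor and the 900 km/h ceiling are the two knobs that control false positives: GeoIP places mobile and VPN users tens of kilometres off, and corporate VPN egress points legitimately make a user "jump" between cities, so in production the egress ranges of your own VPN should be excluded before this check runs.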

Scenario 3 – Virtual Desktop

A well-known solution, it can be implemented as direct access to applications published from servers (RDS) or as an independent virtual machine per user (VDI).

What are the advantages?
Nothing leaves the company: the data itself is not transferred over the internet, only screen, keyboard and mouse.
In this model the data is accessed from inside the company, since the user only sees the screen of the server or of a personal VM that lives in the corporation's infrastructure and network.
Access to data is therefore very controlled and identical to what the employee would see and do sitting at the office desk. One caveat: clipboard, drive and printer redirection do carry data out through the session, so disable those redirections in the RDS collection or VDI policy if keeping data inside is the goal.

What are the disadvantages?
Cost, both equipment and licensing.
An RDS (Remote Desktop Services) structure can be built directly on Windows Server at a much more attractive cost, or with solutions such as VMware Horizon and Citrix.
A VDI (Virtual Desktop Infrastructure) solution has a high cost, since each logged-in user needs an active Windows 10 VM.
So with 200 remote users, 200 VMs must be running on physical servers, servers that would no longer be needed after the outbreak.

What alternatives are there for the lack of hardware in this moment of isolation?
Microsoft has a service called WVD (Windows Virtual Desktop, later renamed Azure Virtual Desktop), a hosted VDI with the advantage of being scalable: it can go from 1 to 25,000 VMs in minutes! The service is open to any customer with an Azure account and a Windows Enterprise with SA or Windows E3 subscription.
Users who already have Microsoft 365 (except F1) are already entitled, since M365 E3 and E5 include Windows Enterprise licensing.
Those who do not can subscribe to Windows E3 licenses in the monthly CSP model, paying only for what is activated in WVD.

Unidentified CPU usage in Task Manager

This tip is old, but important.

When looking at Windows Task Manager, the System process is stuck at 20-30% CPU usage.

The System process should never show constant usage: it hosts the kernel's own threads and those of device drivers, is busy only while a kernel task runs, and normally sits at 0-1%.

Task Manager symptom

Note that the process is high despite having no visible reason: memory below 100 KB, no disk and no network activity.


What normally causes this behavior?

If memory and disk were high, it could be an update or a crashed process that the operating system is trying to recover, but that does not match the situation above.

This indicates that the load comes not from a program but from the driver of a device that uses few other system resources, such as a video card, a controller or similar.

How to find the source of the problem?

Since Task Manager is an end-user tool, it omits important internal details. So download and use the Process Explorer tool from Sysinternals (part of Microsoft) at https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

After opening procexp (run it as administrator to get the full thread detail) you can see the same System process in detail and see what it is running:


Right-click the process, open Properties and go to the Threads tab, which lists the threads the System process is running with their CPU usage, so you can identify the one responsible for the high CPU. With symbols configured (Options > Configure Symbols) the start address resolves to a function name; without them it still shows the driver module and an offset, which is usually enough:


Clicking the offending thread shows its details, the start address and the module it belongs to, and we understand what is causing the high CPU usage:


Now a quick internet search for that module reveals it is something very basic: the equipment's power management driver (Power Interface).

So I went to the manufacturer's website, downloaded the updated drivers, and after a reboot the System process is back in its proper place in the task list:
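The same investigation scripted, as an added example that is not part of the original post and not a Sysinternals tool: it samples the System process (PID 4) for a few seconds, ranks its threads by CPU consumed during the sample, and maps each thread's start address to the kernel driver that owns it, which is what the Process Explorer Threads tab shows. It assumes 64-bit Windows and an elevated PowerShell session. The module list comes from NtQuerySystemInformation class 11 (SystemModuleInformation), an undocumented but long-stable call; the structure offsets in the comments are for x64.

```powershell
# Added example, not from the original post: list the System process threads
# that burned CPU during a short sample and name the kernel driver each one
# started in. Requires 64-bit Windows and an elevated session.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtMod {
    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(int cls, IntPtr buf, int len, out int needed);
}
"@

function Get-KernelModules {
    # RTL_PROCESS_MODULES (x64): ULONG NumberOfModules, padded to 8 bytes, then
    # 296-byte RTL_PROCESS_MODULE_INFORMATION entries: Section, MappedBase,
    # ImageBase (offset 16), ImageSize (24), Flags (28), four USHORTs with
    # OffsetToFileName at 38, and a 256-byte ANSI FullPathName at 40.
    $needed = 0
    [void][NtMod]::NtQuerySystemInformation(11, [IntPtr]::Zero, 0, [ref]$needed)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
    try {
        $status = [NtMod]::NtQuerySystemInformation(11, $buf, $needed, [ref]$needed)
        if ($status -ne 0) { throw ("NtQuerySystemInformation failed: 0x{0:X8}" -f $status) }
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $e = [IntPtr]::Add($buf, 8 + $i * 296)
            $base = [Runtime.InteropServices.Marshal]::ReadIntPtr($e, 16).ToInt64()
            $size = [Runtime.InteropServices.Marshal]::ReadInt32($e, 24)
            $nameOff = [Runtime.InteropServices.Marshal]::ReadInt16($e, 38)
            $path = [Runtime.InteropServices.Marshal]::PtrToStringAnsi([IntPtr]::Add($e, 40))
            [pscustomobject]@{ Base = $base; End = $base + $size; Name = $path.Substring($nameOff) }
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-SystemThreadOwners {
    param([int]$SampleSeconds = 5, [int]$Top = 10)
    $modules = Get-KernelModules
    # Snapshot per-thread CPU time, wait, snapshot again: the delta is what the
    # thread consumed during the sample, the same idea as Process Explorer's
    # refresh interval. Cumulative time since boot would mislead here.
    $before = @{}
    foreach ($t in (Get-Process -Id 4).Threads) { $before[$t.Id] = $t.TotalProcessorTime }
    Start-Sleep -Seconds $SampleSeconds
    $rows = foreach ($t in (Get-Process -Id 4).Threads) {
        $prev = if ($before.ContainsKey($t.Id)) { $before[$t.Id] } else { [TimeSpan]::Zero }
        $cpu = ($t.TotalProcessorTime - $prev).TotalSeconds
        if ($cpu -le 0) { continue }           # idle threads are not interesting
        $addr = $t.StartAddress.ToInt64()
        $owner = $modules | Where-Object { $addr -ge $_.Base -and $addr -lt $_.End } | Select-Object -First 1
        [pscustomobject]@{
            ThreadId = $t.Id
            CpuPct   = [math]::Round(100 * $cpu / $SampleSeconds, 1)   # percent of one core
            Driver   = if ($owner) { $owner.Name } else { 'unknown' }
            Start    = if ($owner) { '{0}+0x{1:X}' -f $owner.Name, ($addr - $owner.Base) } else { '0x{0:X}' -f $addr }
        }
    }
    $rows | Sort-Object CpuPct -Descending | Select-Object -First $Top
}

Get-SystemThreadOwners | Format-Table -AutoSize
```

If the busiest thread maps to ntoskrnl.exe rather than a vendor driver, it is usually a system worker thread running work items queued by a driver; the thread start address then says nothing about who queued the work, and the next step is a CPU sampling trace (wpr -start CPU, then analysis in WPA) to attribute the stacks.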


Conclusion

This does not mean the cause is always the same; it is an example of how to find the process or driver that is bogging down your machine.

Many users do not have enough knowledge to solve it themselves, but once the responsible process is identified it is possible to find many references on the internet.

This tip applies mainly to work running inside host processes, as with System, whose dependencies Task Manager hides.

Office 365 Compliance Supervisory Dashboard

As discussed in the previous post https://msincic.wordpress.com/2020/03/08/new-compliance-and-risk-dashboard-in-office-365/ we have a new panel aimed at the risk management team.

Now let's talk about the Supervision panel (later renamed Communication Compliance), where it is possible to monitor actions, very similar to what the administrator already sees in the Office 365 protection panel. Unlike the Compliance panel and the management panel, the rules in the Supervision panel have filters for specific users and a definition of reviewers.

The link to this panel is at https://compliance.microsoft.com/supervisoryreview

Note that, unlike the initial compliance management panel, this one has its own dashboards and indicators:


Once the rules are created, it is possible to see their effectiveness and the applications and users with the most occurrences:


Creating Supervision Rules from Templates

In this example I created a policy based on sensitive data such as CPF, CNPJ and RG (Brazilian taxpayer and identity numbers), but the list is quite long, including data such as bank accounts and credit cards, in addition to the types you create yourself.


In this second example the rule is for offensive language, using the Office 365 dictionary to detect this type of action:


After creating the template-based policies it is possible to create notice templates, the e-mails sent to the user when an unwanted action is detected:


Editing Policies Created from a Template

Now, when editing the policies the templates create, we can see what each one uses and also customize it:


New Compliance and Risk Dashboard in Office 365

As is already known, Microsoft 365 and EMS (Enterprise Mobility + Security) licenses enable several security features. I have already covered one of them, Compliance Manager, at http://www.marcelosincic.com.br/post/LGPD-disponivel-no-painel-de-Compliance-do-Office-365.aspx

In addition to that panel we have two more that are very interesting; the first, covered here, is the Compliance and Risks panel (Insider Risk Management). It allows a management area to create policies that monitor for risky actions.

This means that in addition to the DLP rules already existing in the Office 365 protection panel (https://protection.office.com) we have this other panel.

The difference is that the protection panel creates rules with actions, such as blocking the sending of e-mails and documents containing confidential data.

The risk panel, on the other hand, only generates data, with no reprisals or blocks, so the risk area can measure what data is moving around regardless of whether the corporation has a specific DLP rule blocking it.

Opening the Dashboard

The Risks panel is at https://compliance.microsoft.com/insiderriskmgmt and, when opened, already shows alerts, overall security scores, compliance with rules, and so on:


The score on the Office 365 panels is important, since from it we learn the rules of a given standard and what to do to comply with it and get closer to a fully protected environment:


Creating an example rule

To create rules use the menu on the side; in the example below I show how I created a rule to warn me about various actions that may indicate a data leak.

For example, when a user shares a SharePoint site with someone outside, that is one such indication. It is also possible to link the DLP rules you have already created in Office 365, avoiding duplicate settings when the corporate rule is already implemented:


Note that above it is possible to choose between the different risk policy templates, each of which presents the data it will monitor. In my example I used Data Leak and chose All Users, after enabling the pre-configured items:


Conclusion

This new panel will greatly help companies whose governance department is separate from the one that manages IT, giving it a view of the risks in the company without the need for administrative access.

Some items are additional and need configuration; for example, HR data requires a connector.

For more details see the links below:

https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies
https://docs.microsoft.com/en-us/microsoft-365/compliance/import-hr-data

Integrating Manufacturer Updates with System Center Configuration Manager (Microsoft Endpoint Configuration Manager)

One need that many IT administrators have is to update centrally.

The reason is to have a single point of control and avoid installing yet more vendor update software, mainly for drivers on clients and servers from several manufacturers.

SCCM has supported this since the 2012 version through SCUP (System Center Updates Publisher), and since version 1806 the console has built-in third-party software update catalogs, which is what is used below.

Using SCUP

It is very simple to use: go to the manufacturer's website (hardware or software) and get the URL of the update catalog .cab file. Inside this file are the XML definitions of the updates and their requirements; for example, it lists the servers and machines a driver is compatible with, or the software prerequisites for updates from vendors such as Adobe and Autodesk. The catalog is signed by its publisher and must be served over HTTPS; the first time you subscribe, Configuration Manager asks you to approve the publisher's certificate, and for clients to install the resulting updates they must trust the WSUS signing certificate, which the client setting "Enable third party software updates" takes care of.

Once you have the URL, go to Software Library -> Software Updates -> Third-Party Software Update Catalogs and add the catalog as in the images below:


From there, just wait for the synchronization to finish and use the Subscribe to Catalog button to start receiving the updates:


They will appear alongside the Windows updates to be approved, with a separate classification that can be used in Automatic Deployment Rules. Note that they arrive as metadata only: right-click an update and choose Publish Third-Party Software Update Content so that the binary is downloaded and signed before it is deployed.
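The console steps above done from PowerShell, as an added example (not from the original post) using the Configuration Manager module that ships with the console, version 1806 or later. The site code, catalog name, publisher and URL are placeholders; the cmdlet names are as the module documents them, but verify the -Subscribe and -Force switches of Set-CMThirdPartyUpdateCatalog with Get-Help on your build, since parameter sets have changed between releases.

```powershell
# Added example, not from the original post: add a vendor catalog, subscribe to
# it and kick off a full sync. Placeholders: site code, catalog name and URL.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$siteCode = 'PS1'                          # placeholder site code
Set-Location "${siteCode}:"

function Add-ThirdPartyCatalog {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Publisher,
        [Parameter(Mandatory)] [string]$Url
    )
    # Refuse plain-HTTP catalogs: the catalog decides what gets signed with the
    # WSUS certificate and pushed to every client, so its transport must be
    # authenticated end to end, not just its signature checked afterwards.
    if ($Url -notmatch '^https://') { throw "Catalog URL must use HTTPS: $Url" }

    $catalog = Get-CMThirdPartyUpdateCatalog -Name $Name
    if (-not $catalog) {
        $catalog = New-CMThirdPartyUpdateCatalog -Name $Name -PublisherName $Publisher -DownloadUrl $Url
    }
    # Subscribing downloads the .cab, validates its signature and (once) asks you
    # to approve the publisher certificate; -Force suppresses the interactive prompt.
    $catalog | Set-CMThirdPartyUpdateCatalog -Subscribe -Force
    # Full sync so the catalog's metadata shows up next to the Windows updates.
    Sync-CMSoftwareUpdate -FullSync $true
    return $catalog
}

Add-ThirdPartyCatalog -Name 'Example OEM drivers' -Publisher 'Example OEM' `
    -Url 'https://updates.example.com/catalog/catalog.cab'   # placeholder URL
```

After the sync the updates are still metadata only; publishing the content (Publish Third-Party Software Update Content in the console) is the step that downloads and signs the binaries, and it is worth keeping that a manual, reviewed step for catalogs you do not fully control.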

Azure Sentinel – New Security Product Now Available

Azure Sentinel had been in preview for some time (since March 2019), but was already proving to be a very interesting product: https://azure.microsoft.com/pt-br/blog/azure-sentinel-general-availability-a-modern-siem-reimagined-in-the-cloud/?wt.mc_id=4029139

Its function is to analyze the data collected by Log Analytics and generate dashboards, reports and custom alerts, some of them based on machine learning.

In this first post we will talk about Sentinel's initial setup and its cost.

Note: in a second article we will cover Incidents (cases), Hunting, Notebooks, Analytics and Playbooks.

How to Enable Azure Sentinel

To create a Sentinel instance you must have a Log Analytics workspace (formerly OMS) enabled and running. If you are not familiar with it, see what we covered earlier at https://msincic.wordpress.com/2018/12/10/operations-management-system-oms-is-now-azure-monitoring/

It is not necessary to do the full Log Analytics configuration; it depends on what you will analyze. For example, if you analyze DNS but use Azure DNS, or Office 365, Azure Activity and other services that are already part of Azure, the data is collected without any agent.

On the other hand, if you are going to analyze general security threats, AD logon and logoff events and host security, you must have the agent installed on Windows or Linux to collect the event logs.

Once the Log Analytics workspace is created it is possible to link it to Sentinel.


With the workspace open you get an overview of the collected data: nothing very sophisticated, but enough to keep up with what is being analyzed.


Clicking any of the summary items opens the log entries that generated the alerts or anomalies.


How to Define What Will Be Analyzed

In the Sentinel console, the Data connectors tab lists the connectors already available, some in preview, and indicates which ones are already connected.


Note in the last item that each connector carries its own cost: depending on the number and type of connectors, data ingestion is charged.

For each connector you open its page and configure the connection; for Azure, for example, you indicate the subscription, and for Office 365 the user who will log in and capture the data. As each connector has a wizard, it is a very simple process.

Consuming Reports and Dashboards

In the Sentinel menu see the Workbooks option, where we choose which dashboards to make available or create our own.

For example, clicking the Exchange Online connector lets me view or save the workbook with its reports.


In the case above, note that the Save option no longer appears, only Delete, since I had previously saved it as one of my most used dashboards (workbooks).

Clicking View shows the details of the Identity analysis dashboard, which provides logon and security information for my environment.


The level of detail gives us a true picture of what is happening in each connected security source.

Sharing and Accessing Reports (Dashboards)

In the same Workbooks tab, switch to My workbooks to see the ones you previously saved or customized.

In this example 7 workbooks are already saved (1 of them customized) out of 31 templates. Saved workbooks are either custom or imported from templates, and the count of 31 templates is because the same connector can have more than one workbook, as with Office 365, which has a set of 3 different reports.


When opening one of the reports, the Share button generates a link that can be sent to others or used for quick access.


To pin a shortcut to the Azure portal home dashboard, use the pin icon on the preview screen and the Pin to dashboard option as below


How Much Does Azure Sentinel Cost

We know that most Azure features are charged, and Azure Sentinel already has its pricing published at https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/

The first option is to buy capacity in advance, in tiers of 100 to 500 GB per day, starting at the cost of $200/day. Of course the commitment model is cheaper per GB, but it is only worthwhile if you really consume volumes close to the 100 GB per day tier, which would give you $7200/month.

The second option, useful for those who will analyze less than 100 GB per day, is the pay-as-you-go model at $4 per GB ingested.

To know how much is being ingested, see the second image in this article, where the total data "ingested" is shown.

Important: if you also pay for Log Analytics data collection, that amount must be added, as Log Analytics is a separate product billed on top of Sentinel.
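Two helpers, as an added example that is not part of the original post: the first runs the KQL that measures what a workspace actually ingests per day (the "ingested" figure the text points to, taken from the billable rows of the Usage table), and the second compares the two pricing models using the figures quoted above. The workspace ID is a placeholder; Invoke-AzOperationalInsightsQuery is from the Az.OperationalInsights module and needs Connect-AzAccount first. The $4/GB and $200/day numbers are the ones the text quotes, and the assumption that volume above the tier is billed at the per-GB rate is mine.

```powershell
# Added example, not from the original post: measure daily ingestion and work
# out where a daily capacity tier beats pay-as-you-go.

function Get-DailyIngestionGB {
    param([Parameter(Mandatory)] [string]$WorkspaceId, [int]$Days = 30)
    # Usage.Quantity is in MB; IsBillable == true drops the free data types.
    $kql = @"
Usage
| where TimeGenerated > ago(${Days}d) and IsBillable == true
| summarize MB = sum(Quantity) by bin(TimeGenerated, 1d)
| summarize AvgGBPerDay = avg(MB) / 1024.0, PeakGBPerDay = max(MB) / 1024.0
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    return $result.Results | Select-Object -First 1
}

function Get-SentinelTierBreakEven {
    # Pay-as-you-go per GB versus a fixed daily tier, both over a 30-day month.
    # Returns the GB/day above which the tier is cheaper and both monthly costs.
    param(
        [Parameter(Mandatory)] [double]$GBPerDay,
        [double]$PayGoPerGB = 4.0,     # $/GB, figure quoted in the text
        [double]$TierPerDay = 200.0,   # $/day for the 100 GB/day tier, as quoted
        [double]$TierGB = 100.0
    )
    $breakEven = $TierPerDay / $PayGoPerGB
    $payGo = $GBPerDay * $PayGoPerGB * 30
    # Assumption: volume beyond the tier is billed at the per-GB rate.
    $tier = ($TierPerDay + [math]::Max(0, $GBPerDay - $TierGB) * $PayGoPerGB) * 30
    [pscustomobject]@{
        GBPerDay       = $GBPerDay
        BreakEvenGBDay = $breakEven
        PayGoMonthly   = [math]::Round($payGo)
        TierMonthly    = [math]::Round($tier)
        Cheaper        = if ($tier -lt $payGo) { 'tier' } else { 'pay-as-you-go' }
    }
}

# With the quoted prices the 100 GB tier already pays off from 50 GB/day,
# not only at 100 GB/day: 40 GB/day stays pay-as-you-go, 60 and 120 go to the tier.
40, 60, 120 | ForEach-Object { Get-SentinelTierBreakEven -GBPerDay $_ } | Format-Table -AutoSize

# Live numbers (placeholder workspace ID):
# Get-DailyIngestionGB -WorkspaceId '00000000-0000-0000-0000-000000000000'
```

Feed the PeakGBPerDay value rather than the average into the comparison if the workspace has bursty sources such as firewall syslog, because the tier is a daily commitment and the peak days are where pay-as-you-go bills most.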

Reserved Instance in Azure – Important Changes

For some time now it has been possible to buy a virtual machine instance in advance, called a Reserved Instance.

Basically the process remains the same (https://msincic.wordpress.com/2017/11/20/azure-reserved-instance-available-for-purchase/), but there is some news and some alerts:

  1. VM type change
  2. Other reservable resources
  3. Change in billing method
  4. What is not included in a reservation

Possibility of Instance Change (VM profile)

This change is important, because in the first version (link above) it was not possible to change the VM type.

The process was to request a refund of the instance already paid for (remember there was a penalty) and buy again with another VM type, even within the same family, such as D2 to D4.

Now simply use the Exchange button on a reservation and choose the new VM type, as below, without the cancellation penalty of approximately 12%.


Obviously, however, the cost of a D2 differs from a D4. The instance size flexibility table at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/reserved-vm-instance-size-flexibility?wt.mc_id=4029139 gives the ratio between sizes in the same series; it is used to calculate the difference paid when exchanging, and it is also what lets one reservation automatically cover other sizes in the same series group.
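How the ratio table is applied, as an added example that is not from the original post or from Azure billing itself: a reservation is converted into "units" per hour using its size ratio, and running VMs in the same series consume units according to their own ratio; whatever is not covered is billed pay-as-you-go and whatever is not consumed is wasted. The ratios below are illustrative (within a series they are proportional to vCPU count, so D4_v3 counts as two D2_v3), and the VM inventory is constructed; take the current ratios from the linked table.

```powershell
# Added example, not from the original post: apply one reservation across sizes
# in the same series using illustrative size-flexibility ratios.

$ratio = @{ 'Standard_D2_v3' = 1; 'Standard_D4_v3' = 2; 'Standard_D8_v3' = 4 }   # illustrative

function Get-ReservationCoverage {
    # $Quantity x $ReservedSize gives Quantity * ratio units per hour; each
    # running VM in the series consumes its own ratio. Larger VMs are served
    # first here, which is a modelling choice, not Azure's documented order.
    param(
        [Parameter(Mandatory)] [string]$ReservedSize,
        [Parameter(Mandatory)] [int]$Quantity,
        [Parameter(Mandatory)] [string[]]$RunningSizes
    )
    $pool = $Quantity * $ratio[$ReservedSize]
    $left = $pool
    $rows = foreach ($size in ($RunningSizes | Sort-Object { $ratio[$_] } -Descending)) {
        $need = $ratio[$size]
        $covered = [math]::Min($need, $left)
        $left -= $covered
        [pscustomobject]@{ Size = $size; Units = $need; Covered = $covered; PayGo = $need - $covered }
    }
    [pscustomobject]@{
        PoolUnits   = $pool
        UsedUnits   = $pool - $left
        UnusedUnits = $left
        Detail      = $rows
    }
}

# Constructed inventory: two reserved D4_v3 (4 units) against one D8_v3 and
# two D2_v3 (6 units): the D8 is fully covered, both D2s are billed pay-as-you-go.
$cov = Get-ReservationCoverage -ReservedSize 'Standard_D4_v3' -Quantity 2 `
        -RunningSizes 'Standard_D8_v3', 'Standard_D2_v3', 'Standard_D2_v3'
$cov | Select-Object PoolUnits, UsedUnits, UnusedUnits
$cov.Detail | Format-Table -AutoSize
```

Running this against your real inventory before an exchange shows whether the new size actually raises coverage or merely moves the uncovered units to a different VM.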

Other Resource Types In addition to VMs

In the early version RIs were only VMs, but now several types of service can be reserved. The supported ones are:

  • Reserved Virtual Machine Instance
  • Azure Cosmos DB reserved capacity
  • SQL Database reserved vCore
  • SQL Data Warehouse
  • App Service stamp fee

This list changes as new features are added, and is available at https://docs.microsoft.com/en-us/azure/billing/billing-save-compute-costs-reservations?wt.mc_id=4029139

Important: See the topic below for what is included in and out of RI.

Monthly Payment Method

Until 8 September 2019 only up-front payment, from Enterprise Agreement credits or by credit card, was possible.

It is now possible to pay monthly: each month consumes one twelfth of the same discounted annual amount, as if it were a monthly rather than an annual subscription. The best way to understand it is that the commitment remains annual but is paid monthly rather than upfront.

The other rules remain the same: penalty in case of cancellation, change of VM type or service, etc.

Those who already have reservations will need to wait for the purchase term to end, since it was paid in advance and the cancellation fee would otherwise be charged.

https://docs.microsoft.com/en-us/azure/billing/billing-monthly-payments-reservations?wt.mc_id=4029139

Important: monthly payment does not change the fact that the reservation is annual, so there will still be a penalty in case of cancellation.

Separate Charged Resources

A common misconception among customers who purchased RIs is to be surprised that other charges for VMs and resources still appear on their statements.

What needs to be clear is that reservations cover only the compute resources, not the associated resources such as licenses, storage and network traffic.

For example, for VM reservations, the most common type:

  • Included in RI: CPU, memory and the allocation itself
  • Not included in RI: storage, network traffic, and OS licensing if Azure Hybrid Benefit (AHUB) was not used

The reason is that these non-included resources are part of the subscription and are either shared or optional (as is the case with the Windows or SQL license), so there would be no way to tie them to those specific reservations; besides, they vary independently of the VM type.

Conclusion

New reservable resources, the flexibility to change, the new billing option and a correct understanding of what is covered can bring substantial savings to those who have migrated services.