Friday, May 24, 2024

Remediate ICMP Timestamp Request Remote Date Disclosure

If your security team is sending you vulnerabilities about ICMP Timestamp Request Remote Date Disclosure, they might look like "Filter out the ICMP timestamp requests (13) and the outgoing ICMP timestamp replies (14)." Then the solution is to either create a GPO to manage a couple of firewall rules or create them locally.  Below is a quick script to create them locally:

$fwICMP13 = @{
    DisplayName = "Disable inbound ICMP timestamp requests"
    Direction = "Inbound"
    Protocol = "ICMPv4"
    ICMPType = 13
    Action = "Block"
}
$fwICMP14 = @{
    DisplayName = "Disable outbound ICMP timestamp replies"
    Direction = "Inbound"
    Protocol = "ICMPv4"
    ICMPType = 14
    Action = "Block"
}
 
New-NetFirewallRule @fwICMP13
New-NetFirewallRule @fwICMP14


Enjoy! 

Friday, May 17, 2024

Intune - Useful Entra-AD (Azure AD) Group Dynamic Queries

 Intune - Software Updates Deployment Ring 2
A random selection of aproximately 10% of the Windows devices in the environment

(device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000") and (device.deviceTrustType -eq "ServerAD") and (device.deviceOwnership -contains "Company") and (device.deviceOSType -eq "Windows") and (device.objectId -match ".{32}(2|3|b).{3}")

Intune - All Corporately Owned Windows Devices
All Windows devices that are joined to either Entra-AD or On-Prem AD and are corporately owned

(device.deviceOSType -eq "Windows") and ((device.deviceTrustType -eq "ServerAd") or (device.deviceTrustType -eq "AzureAd")) and (device.deviceOwnership -eq "Company")

- 

Tuesday, April 16, 2024

Intune - Detection and Remediation scripts for BitLocker key escrow to Entra-AD (Azure AD / AAD)

The following detection and remediation scripts should fix 99% of all escrowing problems.  The biggest surprise item that I found in working with my client trying to remediate escrow problems was that if there was more than one Password Protector key the escrow would fail.  The remediation takes care of that issue (along with others).

Detection Script:

Friday, April 28, 2023

What should your secure MFA solution look like?

 I have run across many "MFA" implementations that are only providing a false sense of security because they aren't actually MFA at all.  After the most recent one, which had to do with income and financial documents I decided to write up a blog post so that I can share it with people to help them understand.  Even though I am writing this to help people fix bad MFA implementation, hopefully at least a few readers will find this useful to set up MFA properly in the first place.

First, what is MFA?  MFA stands for multi-factor authentication.  The consensus is that there are only three possible factors that you can work with, so you MFA means that you MUST use at least two of these factors to access whatever it is that you are attempting to access.  The three possible factors are:

  1. Something you know (like a password)
  2. Something you have (a physical item like a security key card, a company laptop, a specific cell phone, etc)
  3. Something you are (biometrics like fingerprints, voiceprint, retinal scan, etc)
We've all seen in movies where someone has to use both a key card and a hand scanner to enter an area... that's MFA.  A password followed by a voiceprint, also MFA.  A password then authentication using an app on your phone, that's MFA.

The problem, where most people mess it up, is the "MUST" in the definition.  Often "MFA" (when I put that in quotes it is the false sense of security and not truly MFA)... often "MFA" is set up to require a password and then has an option for the second factor to be an email, a text, or an authenticator app.  Seems fine on the surface but let's look closer at how people actually use email, texts, and cell phones (authenticator apps)...  Here's an example scenario:
  1. A bad actor lifts a cell phone off the table at a local coffee shop while its owner is up getting their latte.  The owner didn't bother to lock the phone (which is why it was an ideal target for this bad actor) so as long as the thief keeps touching the screen every couple minutes it will never lock.
  2. The thief scrolls through the email on the cell phone and finds a link to an financial website (that is supposedly protected by MFA).
  3. The thief goes to the portal and finds that the username is an email address, so they use the email address of the account on the phone and select the "forgot password" link.
  4. Ding!  The phone gets a reset password email from the portal website.  The thief resets the password and attempts to log in.
  5. The thief is now presented with the "MFA" prompt, would they like to authenticate with:
    • An Email message
    • A text message
    • An authenticator app
  6. The thief chooses "an email message" because they know that they have the email account, though likely a text message would come right to this phone and also likely the authenticator would as well.
  7. Ding! The thief gets the email for "MFA" and logs into the financial site.
  8. The thief proceeds to buy a bunch of cryptocurrency with the victims money and the disperse that into their laundering crypto-wallets.
This scenario works no matter how the victim's email account is compromised.  The scenario shows that there is only 1 factor, the user's email account.  Everything else is window dressing to give a false sense of security.  I see this repeated over, and over, and over.

In this scenario, simply having the user's logon name not be the email address AND blocking storage of that logon name in the browser might have prevented the theft.  I say "might" because the major underlying problem is using the primary email account as a recovery method.  If the attacker were able to click a "forgot username" link and get the username sent to that primary email address, they are still able to pull off the attack.

The fix is pretty simple... allow the option for a "recovery email address" that is separate from the email address used for normal correspondence.  Sure, many users will not avail themselves of the option, but that is on the user and not on you as the provider of the MFA system.

Also, not all authenticator apps are equal.  Only allow ones that require a second factor (preferably biometric, like fingerprint scan on the smartphone) before it will present the code/authentication item.
As of the time of this writing:
  • Apple Passwords has an option to require a fingerprint, PIN or password when you open the app or approve a notification and it is on by default on iDevices.
  • Google Authenticator has an option to require a fingerprint, PIN or password when you open the app or approve a notification and it is on by default on Android devices.
  • Microsoft Authenticator has an option to require a fingerprint, PIN or password when you open the app or approve a notification.
  • Okta Verify does not have an option to require a fingerprint, PIN or password before displaying the authentication code.  So, the scenario above would work just fine for the attacker if the authenticator app was SecurID.
  • SecurID does not have an option to require a fingerprint, PIN or password before displaying the authentication code.  So, the scenario above would work just fine for the attacker if the authenticator app was SecurID.
  • Symantec VIP Access does not have an option to require a fingerprint, PIN or password before displaying the authentication code.  So, the scenario above would work just fine for the attacker if the authenticator app was SecurID.
So, yeah, the scenario could have been thwarted if an authenticator were required, provided it was one of the big three providers, AND, big and here... the account recovery email address was different than the correspondence email address.  If the account recovery (not just password recovery. but account recovery) is on that primary email address then the attacker clicks the "recover my account", gets the email, and resets the MFA to either turn it off or uses their own phone to create a new one.  So again, the major underlying problem is using the primary email account as a recovery method.  In order to provide security to your clients you must give them the option to set a different email account as the recovery account.

So... what should your secure MFA solution look like?
  1. The user should be able to set up a second email account for any/all recovery options.  This is the most common mistake that I see made across "MFA" solutions.
  2. The user should choose an MFA solution (text/email/app/etc) at the time of their account setup and the other options should not be available during normal logon.  Either use the one that was set up or use a recovery option.  This is the second most common mistake that I see; what is the point of me setting up an authenticator app if you are still going to offer the would-be attacker the option of getting an SMS text or an email?
  3. A secure authenticator app (one that allows for that 2 factor on the phone) should be highly recommended during account setup.
  4. Email address should not be used as a username (not precisely an MFA item, but a basic security principle).
  5. Changing both the correspondence and recovery email addresses should be possible by the user.  Yes, I have actually seen quite a few sites that do not allow you to change your email address.  Usually the same ones that are using that email address as the logon.
  6. Require re-validation of the MFA (check their credentials again) to display/change the recovery address.
If you get those six things right then I'm pretty sure everything else will fall into place and you will have an actual MFA solution, not a "email is the only factor" solution.

Wednesday, December 7, 2022

Setting Peer Download options for SCCM boundary groups using Powershell

 If you have more than just a few boundary groups you have probably wanted a way to quickly set these options across all of them.  I suggest setting the options for your VPN boundary group(s) first. For VPN you probably want to prefer cloud based sources and not use peer downloads at all (to prevent peering with internal computers).  Once you have that set then you can run this little gem to set all of the others for what I believe is the best settings.  Of course you can modify it if you think other settings are best.

Here you go:

<#
.Synopsis
   Set SCCM Boundary Group Peer Cache options to Allow peer cache downloads within this Boundary Group but restrict downloads to peers within the same subnet.
.DESCRIPTION
   Use this in order to quickly change the peer cache options for a set of boundary groups.  The more boundary groups you have
   in your organization, the more beneficial this becomes.
   The flags (at time of writing) that you will see in the boundary groups are:
   0 - Allow peer downloads in this boundary group (only first check box is checked)
   1 - Do not allow peer downloads in this boundary group (no check boxes are checked)
   2 - Allow peer downloads in this boundary group but During peer downloads only use peers within the same subnet (first two check boxes are checked)
   9 - Prefer cloud based sources over on-premises sources and Do not allow peer downloads in this boundary group (only last check box is checked)
   I have not experimented to find out what results come from other combinations of check-boxes.
#>

#Change testmode to false to save the changes
$testmode=$false

#The Configuration Manager site code
$sitecode="ABC"

#The Configuration Manager Primary Server
$SMSProvider="SCCMserver.domain.com"

#the flag you want to set
$newflag=2
$BoundaryGroups = (get-wmiobject -Namespace root\sms\site_$sitecode -Class SMS_BoundaryGroup -computername $SMSProvider) | Where-Object {($_.Flags -NE 2) -and ($_.Flags -le 2)}
Foreach ($BoundaryGroup in $BoundaryGroups) {
    write-host "Setting $($BoundaryGroup.name) flags to $newflag (previously $($BoundaryGroup.flags))"
    $BoundaryGroup.Flags = $newflag
    Try {
        If (-not $testmode) {
            $result=$BoundaryGroup.Put()
            write-host "saved" -ForegroundColor green
        }
    } Catch {
        write-host "failed to set flag" -ForegroundColor red
    }
}

Thursday, December 1, 2022

Controlling SCCM bandwidth Utilization

 

There are four items that control network bandwidth utilization within SCCM: 

  1. BITS client setting – The download of data from the distribution point to the client is a BITS download.  In the client settings of the clients the rate of those downloads can be adjusted.  However, this is client side and does not know about bandwidth on the network so if enough clients, even if all configured to 1Mbps, are trying to download at the same time it can still clog the WAN.
    https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings#background-intelligent-transfer-service-bits

    I recommend setting the BITS settings but to something that will work for your organization.  Exactly what that is varies greatly from one organization to another.

    Client Settings items for BITS


  2. Rate Limit Schedules –  Set in the Distribution Point properties, this controls maximum data that can be sent to each distribution point  at any given time of day.  This is to prevent WAN saturation while getting the data onto the distribution points prior to deployment to clients.
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/manage-network-bandwidth#BKMK_PlanningForThrottling

    I recommend setting the rate limits but to something that will work for your organization.  Exactly what that is varies greatly from one organization to another.  Remember that this is set individually for each distribution point.

    Distribution Point properties setting for Rate Limits


  1. LEDBAT - Where BITS worked client side, LEDBAT works server side to control bandwidth usage.  Like the throttling rate limits it is enabled on each distribution point individually.  The idea is that it dynamically adjusts transfer rates so that clients only use network bandwidth when it's available.
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#windows-ledbat

    I recommend turning this on for every distribution point.

    Distribution Point properties setting for LEDBAT

  1. Peer caching technologies – Peer caching takes at least a portion of the load off of the WAN by allowing clients to share cached deployment data with each other.  We would limit this to only peers that are on the same subnet in order to ensure that they are never going cross-WAN. There are three peer caching technologies available in SCCM.  Without going deep on all of them I will just say that the on I recommend using is “Peer cache” for on-premises and Delivery Optimization for cloud (Intune).  Yes, use both if you have both on-prem SCCM and Intune because Delivery Optimization gives no benefit to your Line-of-Business applications or anything else that is not delivered from Microsoft's global distribution network.
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#peer-caching-technologies

    I suggest turning on Peer Cache for all non-VPN connected clients and enabling peer downloads, but limited to same subnet, on all non-VPN boundary groups.

    Client Settings items for Peer Cache

    Boundary Group Setting for Peer Cache