Get Smarter

The last thing that standard users need on Windows 10 machines is access to REGEDIT.  It is one of the first things we block access to with Group Policy.  Surprising though, there is no native way in Intune to block it however.  The good news is that you can do it by creating a custom profile in Intune or any MDM.  I have included the information you need to create it below.  Now you can be rest assured that users won't be causing issues and circumventing policies by messing with the registry.

OMA-URI:  ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type:  String (XML file)

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">

        <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

        FilePathRule>

        <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

                        <Exceptions>

        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="REG.EXE">

          <BinaryVersionRange LowSection="*" HighSection="*" />

        FilePublisherCondition>

                Exceptions>

        FilePathRule>

     RuleCollection>

Group Policy admins have been blocking access to command prompt for standard users since the beginning.  That is why it is frustrating for MDM admins having no native way in Intune to block it in the same fashion of Group Policy.  Well in actuality, you can block the cmd prompt, it just takes a custom profile, which is something that not everyone likes to do much.  Below is how you set it up so feel free to use the settings.  

OMA-URI:  ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type:  String (XML file)

Here is the XML code to paste in:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">

        <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

        FilePathRule>

        <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

                        <Exceptions>

                    <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CMD.EXE">

          <BinaryVersionRange LowSection="*" HighSection="*" />

        FilePublisherCondition>

                Exceptions>

        FilePathRule>

     RuleCollection>

In Part 1, of our blog series outlining the details of Azure security defaults, we left off on the topic of MFA registration, which utilizes the Microsoft Authenticator app.  While all users MUST register for MFA, MFA is not required for all users every time.  Security defaults does enforce MFA for privileged accounts every time they log on as these accounts have increased access to your environment.  Security defaults requires added authentication for the following nine Azure administrator roles.

• Global administrator
• SharePoint administrator
• Exchange administrator
• Conditional Access administrator
• Security administrator
• Helpdesk administrator or password administrator
• Billing administrator
• User administrator
• Authentication administrator

MFA should be standard policy for all Azure admin account as account takeover attacks are one of the leading types of threats today.  Cybercriminals specifically target privileged accounts so special attention is needed.

Protecting all users

Security defaults is about improving the protection for all users, not just admin accounts.  While MFA is not required of every logon attempt, non-admin users are prompted for additional authentication when connecting from a new device or app.  There may be other instances that trigger MFA for standard users as well.

Limitations of MFA using security defaults

As mentioned, security defaults gives you free access to Azure AD MFA.  Free however, has its limitations.  Some of these shortcomings are listed below.

• Admins have no control over verification methods
• SMS and phone calls are not available as second factors
• You cannot configure trusted IPs for MFA exclusion
• An exclusion account for emergency access
• No MFA reports or fraud alerts

Again, keep in mind that Azure security defaults gives you the bare security minimum.  To obtain more features and control over MFA, you will need to ante up some additional money.  If you have a license for Conditional Access but have not yet enabled it, you can use security defaults as a temporary security band-aid until you are ready to enable Conditional Access policies.

Blocking legacy authentication

The majority of compromising sign-in attempts come from legacy authentication.  These credential stuffing or account takeover attacks tend to be automated and performed by bot nets.  Legacy authentication utilizes protocols that only use basic authentication.  These outdated protocols only require single factor authentication and cannot enforce a second factor as part of the natural authentication flow.  This is in contrast to modern authentication, which does support second factor authentication.  Using legacy authentication, an imposter can simply bypass your active MFA policy.

Client applications or services that use legacy authentication also have a blaring vulnerability in that credentials are collected and then stored until validated against an authority.   Apps or services that utilize modern authentication never store credentials.  Instead, they only present them.  In other words, modern authentication never trusts the app or service that is requesting your credentials. 

For these reasons, it is highly recommended that legacy authentication protocols such as IMAP, SMTP and POP3 be blocked.  This means that clients cannot use an older version of Office 2010 but can use a more current version such as Office 2016.  Some email/faxing software and other types of applications require the use of these older protocols.  Make sure that none of your applications are using legacy authentication protocols before enabling security defaults.   

Protecting privileged actions

We mentioned how security defaults uses MFA to protect privileged user accounts.  It also protects privileged actions as well.  This is important because non-admin users can be delegated to Azure Resources.  Azure services can be managed through the Azure Resource Manager API.  These services include:

• Azure portal
• Azure PowerShell
• Azure CLI

These services give users tenant wide powers such as the ability to modify configurations, service settings and billing subscriptions.  This is why it is imperative to verify the identity of users that utilize them.  When enabled, security defaults will require added authentication before allowing delegated access. 

Conclusion

Azure AD security defaults certainly has its shortcomings and should not be considered a long-term solution for any sizable organization.  It also does not provide the rich security protections that many organizations need to satisfy security policies or compliances.  It does provide a “one-click” easy button that new tenants can use to protect themselves right out of the gate while they begin to learn their solution options.  While it may provide ample protection for small organizations, tenant owners should view it as a transitory measure only.  Security defaults is a great first step and one that hopefully, will better secure the entire O365 community as well. 

The old adage, “You can lead a horse to water but you can’t make them drink,” certainly applies to cybersecurity today.   You can provide users and organizations with all types of cybersecurity tools and policies, but as long as they are optional, you cannot make them utilize them.  A case in point is the enforcement of multifactor authentication (MFA) for Azure.  Despite the fact that Microsoft attests that MFA will prevent 99.9 percent of account compromises, only around 8 percent of administrative accounts in Azure AD use it.  In a world in which credential stuffing attacks initiate billions of malicious login attempts on a monthly basis, MFA should be an enforced policy for every organization.  The hard truth is that we live in a digital world in which security is no longer optional. 

Depreciation of Baseline Security Policies

Microsoft has already been providing a set of predefined policies to help organizations protect themselves against common attacks.  There were four baseline policies.

• Require MFA for admins (preview)
• End user protection (preview)
• Block legacy authentication (preview)
• Require MFA for service management (preview

Azure admins could enable or disable them for their Azure userbase.  Unfortunately, too many organizations have not taken advantage of these policies or the rich set of security capabilities such as Conditional Access.  This not only makes them more vulnerable, but adds to the collective threat environment for everyone else as well.  Every computer that is compromised serves as one more potential attack vehicle that perpetrators can use for malicious deeds towards others.  The IT industry is starting to recognize that organizations not only have a responsibility to protect their own users, but share in the universal collective effort to make the world a less vulnerable place.  By hardening up our own attack surfaces, we harden the world as well.  As a result, Microsoft is depreciating these predefined policies on February 29, 2020, replacing them with the new “Security Defaults.”

What are Azure Security Defaults?

The intention of Security Defaults is simple; provide an enforced default security state for all Azure organizations that do not implement security policy initiatives on their own.  Security Defaults are available to all tenants and like Baseline Security policies, are offered at no additional cost.  New tenants will automatically have security defaults enabled by default.  If your tenant was created on or after October 22, 2019, chances are that security defaults is already enabled.  In the coming phase, Microsoft will begin retroactively enabling it for existing domains who have failed to enact any security measures on their own.  These security defaults enforce the following:

• Unified Multi-Factor Authentication registration
• Multi-Factor Authentication enforcement
• Blocking legacy authentication
• Protecting privileged actions

If you are an existing tenant prior to the October date and currently and currently do not utilize security policies of any kind, you will need to enable Security Defaults for now.  You can do this by going to Azure Active Directory > Properties > “Manage Security defaults” and set the Enable security defaults toggle to Yes as is shown below.

If you currently utilize Conditional Access, Classic or Identity Protection policies that consist of settings that may conflict with any of the security default offerings, you will receive an error message when trying to enable default security policies as is shown below.

Note that you will have to disable Security defaults before creating conditional access or other security policies that involve conflicting settings.  Keep in mind too that Security defaults is a bare minimum.  While they may be appropriate for small organizations, medium or large enterprises should expand into policies that are more comprehensive. 

MFA Registration

Let’s start with multifactor authentication.  Security defaults require all users within the tenant to register for MFA.  MFA requires a user to use a second method of authentication to prove their identity in addition to their logon credentials.  The most popular method currently is SMS MFA in which the user must type in a unique one-time code sent to their cell phone after logging on with their assigned credentials.  While this and other methods are available in Azure Conditional Access policies, it is not an available option under Security defaults.  Azure Security defaults only utilizes the Microsoft Authenticator app

Once you enable Security defaults, users are required to register for MFA within 14 days.  The 14-day clock starts from the time the user logs on for the first time once the security defaults are enabled.  Should a user fail to register within this required time frame, the user will not be able to logon until the FMA registration is completed.  The screenshot below shows what users will see during the 14-day registration period.

In addition to completing the MFA registration process, users must also install the Microsoft Authenticator app on their cell phone.  We will cover Multi-Factor Authentication enforcement in Part 2 of this blog series.