
Microsoft 365 Intune with Azure AD - Recommended Features

We have recently deployed Microsoft Intune in 365 for a customer and would like to share some great features of this product with you!

Intune is for device management, whether the device is a mobile phone, PC or Mac. You control it from your 365 tenant, and devices check in over any internet connection, so there is no need to bring a PC back to the office to deploy software or settings.

Deploy Intune with Azure AD

We recommend Enterprise Mobility + Security E3 (6.60 GBP / month / user) as the minimum license you will need for this. You can get Intune on its own as a separate license, however you will want to set up auto-enrollment so that users can join laptops to Azure AD by themselves and have the needed apps and settings deployed automatically.

Windows Update Management

Force PCs to update, and get a global WSUS-style control panel in Intune to check the update status of devices.

Only allow email on enrolled mobile devices

You can set security so that only devices enrolled in Intune can receive email. As the Azure AD P1 license comes with the EMS E3 license, you also get Azure Conditional Access, which is where these options are set.

Deploying MSIs is easier than Win32 application deployment

Hopefully most of your company apps come as MSIs; these are very straightforward to deploy. If your app only has an .exe, then hopefully it has a silent installer, in which case you can use the Win32 Packager to zip it up with the files it needs for deployment. The tricky situations are when the .exe has no silent install option, so you need to build an .msi from scratch using packaging software.

Useful items to configure with Intune

Thanks to PowerShell and the Win32 Packager we really found no limitation to what we could deploy. We replicated a whole standard Group Policy deployment and more:

  • Rename PC using company name and serial or random number

  • Create a local admin for the PC in case it falls off the Azure AD domain

  • Enable BitLocker

  • Deploy Signatures and ‘mail merge’ details from AD

  • Add Firewall Policies

  • Deploy Fonts

  • Deploy Outlook Settings

  • Deploy Printers with drivers

  • Deploy Drive Shares



Azure SQL Advanced Threat Protection (ATP) can save you from being hacked and plastered across haveibeenpwned.com

People who code their own login forms and publicly available database-backed apps should be wary of the famous SQL injection:

'OR 1=1

For poorly coded forms, this turns an SQL query that searches for a username/password into one that lists all the logins:

SELECT userid
FROM users
WHERE username = ''OR 1=1/*'
    AND password = ''
    AND domain = ''

You only need to look at Troy Hunt's site, and the methods used to hack the databases listed there, to see how easy it is and how many people have been affected.

Azure SQL Advanced Threat Protection can detect these kinds of attacks for you, stop them or notify you as soon as they happen, and let you know the details of the hack.
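To make the concatenation problem concrete, here is an added example (not from the original post) using Python's built-in sqlite3 on a constructed in-memory users table: login_vulnerable() builds the statement the way the post's query above is built and is subverted by the 'OR 1=1/* payload, login_safe() uses bound parameters, and statement_is_faulty() shows the kind of broken query (a plain apostrophe in a name) that the "Vulnerability to SQL Injection" alert described below fires on.

```python
import sqlite3

# Constructed sample data, not from the post. Passwords are stored in clear text only
# to mirror the post's query; a real application compares salted hashes instead.
SAMPLE_USERS = [
    (1, "alice", "s3cret", "corp"),
    (2, "bob", "hunter2", "corp"),
    (3, "carol", "pa55word", "corp"),
]

def make_db():
    """Create an in-memory users table matching the columns in the post's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, domain TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password, domain):
    """The pattern the post warns about: user input is concatenated into the SQL text,
    so a username of  'OR 1=1/*  turns the WHERE clause into  '' OR 1=1  and comments
    out the password and domain checks, returning every userid."""
    sql = (
        "SELECT userid FROM users WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
        " AND domain = '" + domain + "'"
    )
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password, domain):
    """Parameterised form: values travel separately from the statement, so the same
    payload is compared literally against the username column and matches nothing."""
    sql = "SELECT userid FROM users WHERE username = ? AND password = ? AND domain = ?"
    return [row[0] for row in conn.execute(sql, (username, password, domain))]

def statement_is_faulty(conn, username):
    """True when the concatenated statement fails to parse. A user called O'Brien is
    enough to break it; a stream of such parse errors coming from one application is
    what ATP's 'Vulnerability to SQL Injection' alert is built to notice."""
    try:
        login_vulnerable(conn, username, "", "")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "'OR 1=1/*", "", ""), "safe:", login_safe(db, "'OR 1=1/*", "", ""))
    print("faulty statement for O'Brien:", statement_is_faulty(db, "O'Brien"))
```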


Other features it can help you with:

Vulnerability to SQL Injection

This alert is triggered when an application generates a faulty SQL statement in the database. This may indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for the generation of a faulty statement:

  • A defect in application code that constructs the faulty SQL statement

  • Application code or stored procedures that don't sanitize user input when constructing the faulty SQL statement, which may be exploited for SQL injection

Potential SQL injection

This alert is triggered when an active exploit happens against an identified application vulnerability to SQL injection. This means the attacker is trying to inject malicious SQL statements using the vulnerable application code or stored procedures.

Access from unusual location

This alert is triggered when there is a change in the access pattern to SQL server, where someone has logged on to the SQL server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (former employee, external attacker).

Access from unusual Azure data center

This alert is triggered when there is a change in the access pattern to SQL server, where someone has logged on to the SQL server from an Azure data center that is unusual compared with those seen on this server during the recent period. In some cases, the alert detects a legitimate action (your new application in Azure, Power BI, Azure SQL Query Editor). In other cases, the alert detects a malicious action from an Azure resource/service (former employee, external attacker).

Access from unfamiliar principal

This alert is triggered when there is a change in the access pattern to SQL server, where someone has logged on to the SQL server using an unusual principal (SQL user). In some cases, the alert detects a legitimate action (new application, developer maintenance). In other cases, the alert detects a malicious action (former employee, external attacker).

Access from a potentially harmful application

This alert is triggered when a potentially harmful application is used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack using common attack tools.

Brute force SQL credentials

This alert is triggered when there is an abnormally high number of failed logins with different credentials. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute-force attack.

Cost

The cost is around £11.18 / node / month with a 60-day free trial. You will need to be using a managed SQL instance (PaaS) for this feature.

 



Costs of Azure vs AWS for Virtual Tape Library and Veeam

[Image: VTL architecture diagram]

Organisations wanting to utilise a VTL setup for Veeam instead of Veeam Cloud Connect should be aware that a VTL cannot roll incremental backups up into synthetic fulls, meaning every full backup you do will copy the entire full backup set to AWS.

AWS

Each virtual tape is limited to 30 MB/s of upload throughput. To reach the gateway maximum of 120 MB/s, you need to have four virtual tapes running simultaneously.

Guide

Amazon VTL throughput: 20-30 megabytes per second

Gateway: maximum of 95 GBP / month

Archive (Glacier) storage: 0.0034 GBP per GB / month

Azure

You will need a StarWind VTL virtual machine running (the software itself is free).

You will need to pay for this VM in Azure: 133 GBP / month

Azure Cool Storage: £0.0079 per GB / month (first 50 TB)



SMBv1 now disabled by default in Azure VMs

https://blogs.msdn.microsoft.com/azuresecurity/2017/08/18/disabling-server-message-block-version-1-smb-v1-in-azure/?

This is a flow-on effect from the recent WannaCry and Petya epidemics. It applies only to new Azure VMs created through the Azure Marketplace and does not impact existing VMs. Funnily enough, Server 2016 Core is the only VM image that still has SMBv1 enabled by default.

If SMBv1 is required, it can be re-enabled using the steps in this article: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows



What is Azure Information Protection (AIP)?

Azure Information Protection (AIP) lets you classify your sensitive data and attach protection directly to it, so that it stays protected and identifiable wherever it goes.

Example:

Admin creates policies for data classification, labeling, and protection. Sally, an accountant, creates a document that has customer PII, including credit card numbers.

When Sally saves the document, it is automatically classified CONFIDENTIAL and encrypted with usage permissions.

When she emails the document to her team, she accidentally includes two unauthorized users. Sally’s team are able to open the file, but cannot print, save, copy text, or forward the file. The two unauthorized users are unable to open the file or forward the email.

Sally and IT can view successful/unsuccessful attempts to open the file. Sally or IT can quickly recall the document from unauthorized users.

Requirements

Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 and above plans.

Extra Licenses can be found here


You need to install the client manually (AzInfoProtection.exe).

You should then see the AIP bar and be able to change categories.



Azure now offers a 99.9 percent service-level agreement (SLA) commitment option on single-instance virtual machines with Premium Storage

Just to show Microsoft's commitment to its Azure infrastructure for hosting your virtual machines, it has now raised its SLA to the highest yet for a single instance: 99.9%.

Previously, receiving an SLA required a minimum of two virtual machines configured for high availability. However, some IT organizations need SLAs for single-instance virtual machines, forcing those virtual machines to stay on-premises. With this new option in Azure, we are empowering organizations to move more workloads to the cloud.

To qualify for the single-instance virtual machine SLA, all storage disks attached to the virtual machine must be our Premium Storage, which offers up to 80,000 input/output operations per second (IOPS) and 2,000 MB of disk throughput per virtual machine. Customers can continue to build for high availability by having two or more virtual machines deployed in the same availability set, which provides a 99.95 percent SLA, or by utilizing Azure Virtual Machine Scale Sets.

For more information about our SLA for Azure Virtual Machines, please visit the SLA for Virtual Machines webpage. For more information on Premium Storage and how to begin migrating your workloads, please visit the Disk Storage webpage.

What is an SLA?

This stands for service level agreement. It is the level of uptime a service provider agrees with its customers; if the service falls below it, a payment or credit is applied to the customer's bill.

What is the Refund?

Microsoft is not offering a refund but a service credit, which is applied against the following month's server bill:

< 99.9% Uptime = 10% Service Credit

< 99% Uptime = 25% Service Credit