Keeping data and systems safe, accessible and fully backed-up.


Ransomware Backup Protection | 1 of 2

Given the breach at the UK Government's leader in all things cyber security, the National Cyber Security Centre, perhaps now is a good time to discuss cyber security again, and ransomware backup protection in particular. As a little background, the NCSC was opened to much fanfare by Her Majesty the Queen, and is headed by chief executive Ciaran Martin, Director-General Cyber at GCHQ. The centre was announced by the then chancellor, George Osborne, with £1.9 billion being made available for tackling cyber crime by 2020. Interestingly, the budget included an undisclosed amount for launching cyber attacks against terrorists and other countries.

To sum up: they have the right people, plenty of money, and the full backing of government and industry. So why exactly do they not have a clue? The deliverables of the Cyber Security Essentials are, in my opinion, woefully inadequate, assuming an organisation's IT to be in the 20th century rather than the 21st. By way of a simple example, their Password Guidance infographic is nothing short of laughable. Take "Only use passwords where they are needed". Passwords are a minimum requirement for every single element of an organisational network, no ifs or buts, as I said in Password, encryption and good Practice in 2015. I can't stress enough the importance of Multi-Factor Authentication alongside passwords.

Why use Ransomware Backup Protection?

With the recent WannaCry ransomware incident as an example of why ransomware backup protection matters, consider the guidance Protecting your organisation from ransomware, which the NCSC published in October 2016. In the original guidance they recommended:

“Backups should be considered a last resort only, as the adoption of good security practices will mean not getting ransomware in the first place.”

While I agree wholeheartedly that good practice comes first, ransomware backup protection must form part of that good practice. In mid-December they received feedback that "this line could be misinterpreted by a busy reader as"

“the NCSC does not advocate keeping backups”

which precipitated a clarification, almost a month later. Backing up a bit (proving the Technical Director for Assurance has a sense of humour at least), the clarification still falls short of recommending ransomware backup protection outright:

Just to be clear: the NCSC recommend organisations use backups as a way to help mitigate against a wide range of potentially catastrophic problems, such as fire, theft, flooding, and – naturally – ransomware. Our intention with this paragraph was to note that whilst a backup can help minimise the harm that a ransomware incident causes to an organisation (assuming the backup is current, and is not able to be compromised itself by the ransomware), backups shouldn’t be seen as the primary defence against ransomware. Backups are a last resort, rather than a primary protection. It’s better to design and operate your systems in such a way as to minimise the chances of ransomware gaining a foothold, and to use backups as a mitigation should this occur.

Right then. Ransomware backup protection is good, according to the NCSC. In part two I'll discuss what to back up and how to back it up, whilst still wondering whether the undisclosed element of the £1.9 billion was the greater proportion of the pot. And constantly looking over my shoulder, as I'm probably on a list, because of "Britain's nuclear submarines at risk of same cyber attack that crippled the NHS, say experts" on 21st May. The 36-page follow-up report released by BASIC last week, HACKING UK TRIDENT: A Growing Threat, makes really interesting reading.

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!


Office 365 App Password with MFA | HowTo | 1 of 2

Part One | Part Two

If you're using Multi-Factor Authentication for your organisation and want to use applications which connect to your Office 365 account, you will need to create an Office 365 App Password so that the app can connect. An App Password is only needed by clients that cannot perform Multi-Factor Authentication themselves because they sign in with a plain username and password (basic authentication): for example Outlook 2016 or earlier without modern authentication enabled, the Apple Mail app, Skype for Business, or any other third-party client.

Bear in mind what an App Password is: a long, randomly generated, single-factor secret that lets that one client in without a second factor. Treat it like any other password (one per client, stored only in that client, deleted as soon as the client is retired), and prefer a client that supports modern authentication wherever one is available, so that no App Password is needed at all.

Thankfully, creating an Office 365 App Password is really easy to do, if a little hard to find.

Log in to the portal here: https://portal.office.com

  1. Once logged in, click on the Profile Picture on the top right.
     (Screenshot: Office 365 Portal Login, Step One)

  2. Click on View account.
     (Screenshot: View Account, Step Two)

  3. Click on Manage Security & Privacy.
     (Screenshot: Manage Security & Privacy, Step Three)

  4. Click on Additional security verification.
     (Screenshot: Additional Security Verification, Step Four)

  5. Click on Update your phone numbers used for account security.
     (Screenshot: Update Numbers, Step Five)

  6. Click on app passwords.
     (Screenshot: Select App Passwords, Step Six)

  7. Click on create.
     (Screenshot: Create App Password, Step Seven)

  8. Enter a Name in the box; something unique is recommended. I usually name it after the client application the App Password is associated with. In the example below I have used Apple Mail App. Click next.
     (Screenshot: Name App Password, Step Eight)

  9. Now either copy the password by selecting the line, taking care not to pick up any spaces or other characters, or click on copy password to clipboard. You can now use this App Password in your client application, such as Apple Mail App, Thunderbird, iPhone or iPad. Take care, as this is the only time you will see the app password: it cannot be viewed or changed once you click close. If it is lost, delete it and create a new one.
     (Screenshot: Copy App Password, Step Nine)

  10. When you enrolled in Multi-Factor Authentication you were given an initial App Password. I recommend deleting the initial app password in favour of creating individually named App Passwords. This keeps each device or client separate, which is more secure and easier to manage when you want to revoke one: deleting a single App Password cuts off only that client. Click Delete.
     (Screenshot: Delete App Password, Step Ten)

  11. Confirm you want to delete the App Password and click Yes.
     (Screenshot: Confirm Delete, Step Eleven)

  12. The App Password has been successfully deleted. Click close.
     (Screenshot: App Password Deleted, Step Twelve)

  13. That's it. You now have an App Password for your Apple Mail App. Repeat steps 7, 8 and 9 to create additional App Passwords.
     (Screenshot: Review App Passwords, Step Thirteen)

In Part Two, coming soon, I will demonstrate how you can add your App Password to a variety of clients and devices, including Apple Mail App, iPhone, iPad and Outlook 2016.



Cyber Security: Office 365 as 802.1X RADIUS Password Authentication

Security is paramount for any business, especially given the rise in cyber attacks, data thefts and major network breaches. I won’t list the major names, as that’s been done, but you can read the Cyber Security Breaches Survey 2016. Much of that research was aimed at larger organisations, even though it’s far easier for enterprise-level companies to secure their resources. But what about the rest of us, Startups, Micro-Businesses and Small to Medium sized organisations?


Restrict Access to Office 365 Exchange Online | HowTo | 2 of 2

Part One | Part Two

In Part One we learnt:

  1. Install and update Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with update Rollup 2, KB2681584.

  2. Set-up AD FS for Office 365 for Single Sign-On.

    To continue . . .

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Use the following procedure to add a set of claim rules that make the new request context claim types available to the policy engine: one acceptance transform rule per claim type, five in all, each of which passes the incoming claim through unchanged. On the Active Directory claims provider trust:

    a. Select Start, go to Programs, then to Administrative Tools. Click on AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule; in Incoming Claim Type, paste the Issued Claim Type URL, and then select Pass through all claim values. Complete this step for all five Issued Claim Type URLs below:

    Rule Name                   Issued Claim Type URL
    EQ-Forwarded-client-ip      http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
    EQ-client-application       http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
    EQ-client-user-agent        http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
    EQ-Proxy                    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
    EQ-endpoint-absolute-path   http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path


    f. To verify the first rule, EQ-Forwarded-client-ip select it in the list and click Edit Rule, then click View Rule Language. The claim rule language should appear as follows:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);

    g. Click Finish and in the Edit Claim Rules dialog box, click OK to save the rules.

  4. Create a rule to block all external IP address access to Office 365 & Exchange Online

    If you simply want to block access to Office 365 & Exchange Online from the public Internet, add a single rule. Microsoft's procedure places this deny rule in the Issuance Authorization Rules of the Office 365 relying party trust, which is where AD FS makes its permit or deny decision, not among the acceptance transform rules of the claims provider trust used in step 3:

    a. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click Microsoft Office 365 Identity Platform, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Send Claims Using a Custom Rule from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule, such as Block Office 365 Exchange Online from the Internet. Under Custom Rule, paste the following claim rule language syntax:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    Replace customer-provided public ip address regex with a regular expression matching your organisation's public (Internet-facing) IP address range, as described under Building the IP address range expression in step 5 below. Leave the existing permit-all rule in place: AD FS denies access whenever a deny claim is issued, regardless of any permit claim.

  5. Update the Microsoft Office 365 Identity Platform relying party trust

    This step configures which kinds of client are blocked, and is the rule you create in place of the simple one in step 4 when you need exceptions. The custom rule below implements the combined scenario: block all external access to Office 365, except Exchange ActiveSync and browser-based (passive) applications such as Outlook Web Access or SharePoint Online. Add it as an issuance authorization rule on the Microsoft Office 365 Identity Platform relying party trust, using the Send Claims Using a Custom Rule template, exactly as in step 4. The complete rule is:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&
    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&
    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&
    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.1\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b255\.255\.255\.255\b"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    All of the conditions must hold for the deny claim to be issued, so any single exception is enough to let a request through. Taking them in turn:

    x-ms-proxy exists: the request came through an AD FS proxy (or another compatible proxy), i.e. from outside the corporate network. Requests from the internal network reach the federation server directly and carry no x-ms-proxy claim, so the rule never fires for them.

    x-ms-client-application is not Microsoft.Exchange.Autodiscover and is not Microsoft.Exchange.ActiveSync: Exchange ActiveSync devices are exempt, and Autodiscover must be exempt with them or the devices cannot locate their mailbox. If you want to test the value field against several applications in one clause, use the regular expression operator =~ with the '|' alternation character instead of two == clauses.

    x-ms-endpoint-absolute-path is not /adfs/ls/: /adfs/ls/ is the passive (browser-based) endpoint, so sign-ins from a browser to Outlook Web Access or SharePoint Online are exempt. Rich clients such as Outlook authenticate through the active endpoints under /adfs/services/trust/ and remain subject to the rule.

    x-ms-forwarded-client-ip does not match the regular expression: the address the request was seen to come from is outside the allowed range. In the example the range is 192.168.1.1 to 192.168.1.255 plus the single address 255.255.255.255. Two caveats about the example expression: it omits 192.168.1.0 and, because of the 2[0-5][0-9] alternative, it would also match the impossible values 256 to 259; use 2[0-4][0-9]|25[0-5] for an exact last octet. It uses \b word boundaries rather than ^ and $ because the claim value can be a single address, a comma-separated list of addresses, or a list with ports, and any member of the list should be able to match.

    Building the IP address range expression: the value of x-ms-forwarded-client-ip is the public address the request originated from, as seen by the AD FS proxy for browser requests and as forwarded by Exchange Online (in the X-MS-Forwarded-Client-IP header) for Outlook and other rich clients. It is therefore your organisation's Internet-facing (NAT) address range that belongs in the expression, not the private addresses of the workstations; the 192.168.1.x range above is only an illustration. Write one \b-delimited pattern per range and join them with '|'.
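
Scripting the whole of Part Two, as an added example that is not code from the original post or from Microsoft: the PowerShell below adds the five pass-through rules from step 3, generates the IP address range expression from CIDR notation (so the regex is exact rather than hand-built), collapses the two client-application clauses of step 5 into one =~ clause, checks the expression against constructed sample claim values before anything is changed, and only modifies the trusts when -Apply is given. It assumes the default AD FS trust names (Active Directory and Microsoft Office 365 Identity Platform) and the cmdlets of the AD FS snap-in or module; the CIDR ranges and sample addresses are made up from the RFC 5737 documentation ranges.

```powershell
# Added example (not from the original post, nor Microsoft's own code): script
# the whole of Part Two on an AD FS server. It adds the five pass-through rules
# to the Active Directory claims provider trust (step 3), builds the
# forwarded-client-ip regex from CIDR ranges, checks that regex against sample
# claim values, and appends the deny rule to the Office 365 relying party trust
# (steps 4 and 5). Assumptions: AD FS default trust names; the CIDRs and sample
# addresses are constructed (RFC 5737 documentation ranges).

$Ctx    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$Deny   = 'http://schemas.microsoft.com/authorization/claims/deny'
$RpName = 'Microsoft Office 365 Identity Platform'

function Get-PassThroughRules {
    # Step 3: one acceptance transform rule per request-context claim type.
    $types = @('x-ms-forwarded-client-ip', 'x-ms-client-application',
               'x-ms-client-user-agent', 'x-ms-proxy', 'x-ms-endpoint-absolute-path')
    ($types | ForEach-Object {
        "@RuleName = `"EQ-$_`"`nc:[Type == `"$Ctx/$_`"] => issue(claim = c);"
    }) -join "`n"
}

function ConvertTo-OctetPattern([int]$Low, [int]$High) {
    if ($Low -eq 0 -and $High -eq 255) { return '(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)' }
    if ($Low -eq $High) { return "$Low" }
    return '(?:' + (($Low..$High) -join '|') + ')'   # exact: never admits 256-259
}

function ConvertTo-CidrRegex([string]$Cidr) {
    # \b rather than ^ and $: the claim value may be one address, a comma-separated
    # list, or a list with ports, and any member inside the range should match.
    $ip, $prefix = $Cidr.Split('/')
    $octets = @($ip.Split('.') | ForEach-Object { [int]$_ })
    if ($octets.Count -ne 4 -or -not $prefix -or [int]$prefix -gt 32) { throw "Bad CIDR: $Cidr" }
    $parts = 0..3 | ForEach-Object {
        # Host bits that fall inside this octet, clamped to 0..8 (no -shl, so PowerShell 2.0 works).
        $hostBits = [Math]::Max(0, [Math]::Min(8, 32 - [int]$prefix - (3 - $_) * 8))
        $mask = [int](256 - [Math]::Pow(2, $hostBits))
        $low  = $octets[$_] -band $mask
        ConvertTo-OctetPattern -Low $low -High ($low -bor (255 -bxor $mask))
    }
    '\b' + ($parts -join '\.') + '\b'
}

function New-ExternalBlockRule([string[]]$AllowedCidr, [switch]$AllowActiveSync, [switch]$AllowBrowser) {
    # Steps 4 and 5: deny proxied (external) requests from outside the allowed ranges.
    $ipRegex = @($AllowedCidr | ForEach-Object { ConvertTo-CidrRegex $_ }) -join '|'
    $cond = @("exists([Type == `"$Ctx/x-ms-proxy`"])",
              "NOT exists([Type == `"$Ctx/x-ms-forwarded-client-ip`", Value =~ `"$ipRegex`"])")
    if ($AllowActiveSync) {   # ActiveSync devices need Autodiscover too; one =~ clause covers both
        $cond += "NOT exists([Type == `"$Ctx/x-ms-client-application`", Value =~ `"^Microsoft\.Exchange\.(ActiveSync|Autodiscover)`$`"])"
    }
    if ($AllowBrowser) {      # /adfs/ls/ is the passive (browser) endpoint
        $cond += "NOT exists([Type == `"$Ctx/x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])"
    }
    "@RuleName = `"Block Office 365 from the Internet`"`n" + ($cond -join "`n&& ") + "`n=> issue(Type = `"$Deny`", Value = `"true`");"
}

function Test-ForwardedIp([string]$Value, [string[]]$AllowedCidr) {
    # AD FS evaluates =~ with .NET regex, the engine -match uses here, so this
    # predicts what the last clause of the rule will see for a given claim value.
    [bool]($Value -match (@($AllowedCidr | ForEach-Object { ConvertTo-CidrRegex $_ }) -join '|'))
}

function Install-ClientAccessPolicy([string]$Rule, [switch]$Apply) {
    if (-not $Apply) { return "Dry run, nothing changed. Rule:`n$Rule" }
    # AD FS 2.0 ships its cmdlets as a snap-in; AD FS on 2012 R2 and later as a module.
    if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }
    $cp = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
    if ($cp.AcceptanceTransformRules -notmatch 'x-ms-proxy') {   # add the pass-throughs only once
        Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
            -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + (Get-PassThroughRules))
    }
    # Keep the default permit rule and append the deny: in AD FS a deny claim always wins.
    $rp = Get-AdfsRelyingPartyTrust -Name $RpName
    Set-AdfsRelyingPartyTrust -TargetName $RpName `
        -IssuanceAuthorizationRules ($rp.IssuanceAuthorizationRules + "`n" + $Rule)
}

# Constructed corporate egress ranges and sample x-ms-forwarded-client-ip values.
$Corporate = @('203.0.113.0/28', '198.51.100.42/32')
$Samples = @(
    @{ Ip = '203.0.113.9';            Allowed = $true  },   # inside the /28
    @{ Ip = '203.0.113.16';           Allowed = $false },   # first address past the /28
    @{ Ip = '198.51.100.42:51000';    Allowed = $true  },   # port suffix is tolerated
    @{ Ip = '192.0.2.7, 203.0.113.3'; Allowed = $true  },   # any member of a list matches
    @{ Ip = '1203.0.113.9';           Allowed = $false }    # \b stops a partial match
)
foreach ($s in $Samples) {
    if ((Test-ForwardedIp $s.Ip $Corporate) -ne $s.Allowed) { throw "Regex wrong for $($s.Ip)" }
}

$Rule = New-ExternalBlockRule -AllowedCidr $Corporate -AllowActiveSync -AllowBrowser
Install-ClientAccessPolicy -Rule $Rule    # add -Apply when running on the federation server
```

Run it first without -Apply: the sample checks throw if the generated expression does not behave as intended, and the dry run prints the exact rule text, which you can also paste into the Send Claims Using a Custom Rule template instead of applying it from the script. Leave out -AllowActiveSync and -AllowBrowser to reproduce the plain block-everything rule of step 4, and re-check the samples whenever the corporate ranges change, because a wrong expression here locks out every external Outlook user rather than just the ones you meant.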




Restrict Access to Office 365 Exchange Online: Limiting by Network, IP, Client, Group or Policy | HowTo | 1 of 2

Active Directory Federation Services (AD FS) 2.0 provides a way to configure access restriction policies. Office 365 & Exchange Online customers using Single Sign-On (SSO) who require these policies can use Client Access Policy rules to restrict access based on the location of the computer or device that is making the request, and to prevent access from the Internet.

Part One | Part Two

Restricting access to email and communications services in the cloud from the Internet, in Office 365 & Exchange Online, may at first seem a little counterintuitive; however, it is very sensible. Data loss is minimised. Time and working-hours restrictions are adhered to. Personal devices, and the compromised security they pose, are removed. Compliance and regulatory restrictions, for example in the finance or health care sectors, are met. Fundamentally, it gives an organisation the control it requires whilst keeping the flexibility and reduced costs that the cloud offers.

Perhaps you want to ensure Outlook users can only use corporate laptops to connect as long as they establish a VPN tunnel to the corporate network? Outlook Web App (OWA) can be used from any machine without restrictions within the corporate network or from a named IP or IP address range? ActiveSync can be used from any device, as long as the device or user has been approved by an administrator, and that device is secured according to the policy regarding passcode length, installed OS etc? Restrict or block access based upon Group Policy membership?

The simple scenario options are:

Scenario: Block all external access to Office 365 & Exchange Online
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.

If you are a little overwhelmed by PowerShell and expressions there is a useful GUI for PowerShell which builds the expressions for the most common scenarios:

Office 365 & Exchange Online Client Access Policy Builder

In order to enable an external access policy for Office 365 & Exchange Online the following steps are required:

  1. Ensure you have a Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with update Rollup 2, KB2681584.

    After the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package has been installed on all federation servers and federation server proxies, restart the AD FS Windows service.

  2. Follow the video guide here to Set-up AD FS for Office 365 for Single Sign-On.

    a. If you do not have Active Directory Federation Services installed, add ADFS by using the Add Roles and Features Wizard. If you are using Windows Server 2008, you need to download and install ADFS 2.0: Active Directory Federation Services 2.0 RTW. After the installation, use Windows Update to install all applicable updates and reboot as required.

    b. Request a certificate from a third-party CA for the Federation server name as Office 365 needs a trusted certificate on your ADFS server. You need to obtain a certificate from a third-party certification authority (CA). When you customise the certificate request, ensure you add your Federation Server name in to the Common Name field.

    The video only explains how to generate a certificate signing request (CSR). You need to send the CSR file to a third-party CA. Once the CA has returned a signed certificate, follow these steps to import the certificate to your certificate store:

    i. Run Certlm.msc to open the local computer’s certificate store.
    ii. In the navigation pane, expand Personal, expand Certificates, right-click the Certificates folder, and then click Import.

    The Federation Service name is the Internet-facing domain name of your ADFS server. Your Office 365 users will be directed to this domain for authentication, therefore, make sure that you add a public A record for the domain name in your DNS.

    c. To configure ADFS you cannot manually type a name as the Federation Server name. The name is determined by the subject name (Common name) of a certificate in the local computer’s certificate store.

    In ADFS 2.0, the Federation server name is determined by the certificate that binds to “Default Web Site” in Internet Information Services (IIS). You must bind the new certificate to the Default website before you configure ADFS.

    You can use any account as the service account. If the service account password expires, AD FS will stop working; therefore, make sure that the password of the account is set to never expire.

    d. Download the Office 365 tools, including the Windows Azure Active Directory Module for Windows PowerShell and the Azure Active Directory sync appliance. They are available in the Office 365 portal: go to Active Users, and then click Single sign-on: Set up.

    e. Now add your domain to Office 365, as the first video does not explain how to add and verify your domain. For more information about that procedure, see the video below.

    f. You can now connect AD FS to Office 365 by running the following commands in the Windows Azure Active Directory Module for Windows PowerShell. In Set-MsolADFSContext, specify the FQDN of the AD FS server in your internal domain rather than the public Federation Service name. In Convert-MsolDomainToFederated, specify the verified Office 365 domain that is to be federated, not the AD FS server name; in the example below I have used serviceteamit.co.uk.

    Enable-PSRemoting
    Connect-MsolService
    Set-MsolADFSContext -Computer <the FQDN of the ADFS server>
    Convert-MsolDomainToFederated -DomainName serviceteamit.co.uk

    If the commands ran successfully, a "Microsoft Office 365 Identity Platform" Relying Party Trust is added to your AD FS server.

    g. Once the domain is federated you need to synchronise the local Active Directory user accounts to Office 365. If your internal domain or suffix is different from the external domain, you have to add the external domain as an alternative UPN suffix in the local Active Directory. For example, the internal domain name is "serviceteamit.local" but the external domain name is "serviceteamit.co.uk", so serviceteamit.co.uk needs to be added as an alternative UPN suffix. Now you can synchronise the local user accounts to Office 365 by using the Directory Sync Tool.

    If you are using AD FS 2.0, you must change the UPN of each user account from "serviceteamit.local" to "serviceteamit.co.uk" before you synchronise the accounts to Office 365. If not, the user will not be validated on the AD FS server.

    h. Finally, you can now configure the client computers for Single Sign-On. After you add the Federation server name to the Local Intranet zone in Internet Explorer, NTLM authentication is used when users try to authenticate on the AD FS server, so they are not prompted to enter their credentials.

    Administrators can implement Group Policy settings to configure a Single Sign-On solution on client computers that are joined to the domain.

    If you wish to enable additional services, such as Secure ID or Oracle Identity use the AD FS 2.0 Step-by-Step and How To Guides.

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Continue to Part Two in order to add the rules.
