How to Secure Your Machine Learning Workspace with Virtual Network
Introduction
Machine learning (ML) is a branch of artificial intelligence that enables computers to learn from data and make predictions or decisions. ML applications often require access to large amounts of data, compute resources, and external services. To ensure the security and privacy of these resources, it is essential to isolate the ML workspace from unauthorized or malicious access. One way to achieve this is by using a virtual network (VNet).
What is a Virtual Network?
A virtual network is a logical representation of a network that is isolated from other networks. A VNet can have its own IP address space, subnets, routing tables, firewalls, and network security groups. A VNet can also connect to other VNets, on-premises networks, or the internet, depending on the configuration and permissions. A VNet allows the user to control the network traffic and access policies for the resources within the VNet.
Why Use a Virtual Network for Machine Learning?
Using a VNet for machine learning has several advantages, such as:
Enhanced security: A VNet can protect the ML workspace and its associated resources from unauthorized or malicious access. For instance, a VNet can restrict the access to the data sources, compute targets, and web services that are used by the ML workspace. A VNet can also prevent the leakage of sensitive data or intellectual property from the ML workspace to the internet or other networks.
Improved performance: A VNet can improve the performance of the ML workspace by reducing the latency and bandwidth consumption of the network traffic. For instance, a VNet can enable the ML workspace to access the data sources and compute targets within the same region or data centre, avoiding the cross-region or cross-premises network overhead. A VNet can also optimize the network routing and traffic management for the ML workspace.
Increased flexibility: A VNet can increase the flexibility of the ML workspace by allowing the user to customize the network configuration and policies. For instance, a VNet can enable the user to choose the IP address range, subnet size, firewall rules, and network security groups for the ML workspace. A VNet can also enable the user to integrate the ML workspace with other VNets, on-premises networks, or the internet, depending on the business needs and compliance requirements.
What is a Microsoft Managed Virtual Network Workspace?
A Microsoft managed virtual network workspace is a type of ML workspace that is created and managed by Microsoft on behalf of the user. A Microsoft managed virtual network workspace uses an isolated and dedicated VNet that is automatically configured and secured by Microsoft. A Microsoft managed virtual network workspace provides the following benefits:
Simplified setup: A Microsoft managed virtual network workspace does not require the user to create or manage the VNet, subnets, routing tables, firewalls, or network security groups. The user only needs to provide the name and region of the ML workspace, and Microsoft will create and manage the VNet for the ML workspace.
Optimized security: A Microsoft managed virtual network workspace uses a VNet that is isolated from other networks and has strict access policies. The VNet only allows the ML workspace and its associated resources to communicate with each other and blocks any external or internal access. The VNet also encrypts the network traffic and data within the VNet.
Seamless integration: A Microsoft managed virtual network workspace supports the integration with other VNets, on-premises networks, or the internet, using the Azure Private Link service. The Azure Private Link service enables the user to securely connect the ML workspace and its associated resources with other resources, without exposing them to the public internet or other networks.
Reduced dependency: A Microsoft managed virtual network workspace removes the need for the customer to provide an IP address range for the workspace VNet. Because the VNet is automatically configured and secured by Microsoft, the setup process is simpler and the burden on the customer is reduced. As a result, the customer can focus on their machine learning tasks without worrying about the complexities of VNet configuration.
Conclusion
Using a VNet for machine learning is a trade-off between security, performance, flexibility, complexity, cost, and compatibility. A VNet can provide enhanced security, improved performance, and increased flexibility for the ML workspace and its components, but it can also introduce increased complexity, additional cost, and potential compatibility issues. Therefore, the user should carefully evaluate the advantages and drawbacks of using a VNet for machine learning and choose the best option for their specific scenario and needs. Alternatively, the user can opt for a Microsoft managed virtual network workspace, which simplifies the setup, optimizes the security, and enables the seamless integration of the ML workspace with a VNet.
Microsoft Tech Community – Latest Blogs –Read More
Auto Rollout of Conditional Access Policies in Microsoft Entra ID
The linked blog post was originally published on the Microsoft Security Blog on November 6th, 2023. We are sharing it again on the SMB Tech Community blog channel to ensure that all of our partners, who manage customer tenants and their conditional access policies, are informed about the upcoming policy changes.
Microsoft announced the automatic rollout of Conditional Access policies in Entra ID back in November 2023.
This feature automatically creates new Conditional Access policies in report-only mode for eligible customers of Microsoft Entra ID P1/P2 (M365 E3/M365 E5/M365 Business Premium). Between November 9th, 2023, and December 31st, 2023, policies were created in all eligible tenants. Customers will have at least 90 days to review the policy’s impact, manage exclusions, turn the policy on, or turn it off if necessary.
This 90-day period is ending soon, and enforcement will begin on a rolling basis in February and March 2024.
Recommended actions
To avoid any potential disruption to users’ access and to ensure these policies meet your organization’s needs, take the following actions within 90 days of their creation, before they’re moved to the On state:
Read the original blog announcement by Alex Weinert, Vice President, Identity Security
Review the effects and benefits of the new policies. If you don’t want us to enable them automatically, set them to Off. Or, you may set them to On at any time.
Customize these policies according to your specific needs, such as excluding emergency access accounts. If you require more extensive customizations, you can clone a policy and then make as many changes as you want.
Verify that all users covered by these policies have enabled and registered at least one multifactor authentication method. If necessary, run a registration campaign to set up the Authenticator app.
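The three review steps above can be checked from PowerShell. This is an added example, not code from the announcement: it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the listed read permissions, and the emergency access account names are constructed placeholders.

```powershell
# Added example, not part of the original announcement.
# Assumes the Microsoft.Graph PowerShell SDK; permission scopes are an assumption of
# what a read-only review needs. Emergency access account UPNs are constructed placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'AuditLog.Read.All'

# Emergency access ("break glass") accounts that every Conditional Access policy should exclude.
$breakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id }

function Get-ReportOnlyCaPolicyReview {
    # Step 1 + 2: list policies still in report-only mode and flag any that do not
    # exclude the emergency access accounts, so they can be customised before enforcement.
    $policies = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }

    foreach ($p in $policies) {
        $excluded = @($p.Conditions.Users.ExcludeUsers)
        $missing  = @($breakGlassIds | Where-Object { $_ -notin $excluded })
        [pscustomobject]@{
            Policy             = $p.DisplayName
            CreatedDateTime    = $p.CreatedDateTime
            State              = $p.State
            BreakGlassExcluded = ($missing.Count -eq 0)
            MissingExclusions  = ($missing -join ',')
        }
    }
}

function Get-UsersWithoutMfa {
    # Step 3: users with no MFA method registered will be blocked once an MFA policy
    # moves to On, so they are the target list for a registration campaign.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsMfaRegistered, MethodsRegistered
}

Get-ReportOnlyCaPolicyReview | Format-Table -AutoSize
Get-UsersWithoutMfa | Format-Table -AutoSize
```

Policies reported with BreakGlassExcluded = False should have the emergency accounts added to their exclusions before they are switched to On.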
Azure Arc-Enabled Kubernetes now available on Azure Marketplace!
Earlier this year, Kubernetes Apps in the Azure Marketplace became Generally Available on Azure Kubernetes Service (AKS). With Kubernetes Apps, teams can extend the capabilities of their deployments with a vibrant ecosystem of tested and transactable third-party solutions from industry-leading partners and popular open-source offerings. Now we’re excited to announce that we are expanding the range of offers to include Arc-Enabled Kubernetes. Azure Arc-Enabled Kubernetes allows you to connect, manage, and operate Kubernetes clusters and applications running anywhere using Azure Arc. With this offer expansion, Kubernetes apps on Marketplace can be deployed to Azure Arc-enabled Kubernetes connected clusters.
An Azure Arc-enabled Kubernetes connected cluster is a Kubernetes cluster that is hosted in an on-premises, hybrid, or multi-cloud environment and connected to Azure Arc. This type of cluster allows customers to manage their on-premises and cloud-based resources from a single unified platform. It also provides a secure, reliable, and cost-effective way to manage and deploy applications across multiple environments. The Azure Arc-enabled connected cluster is designed to simplify the deployment and management of hybrid cloud architecture. With the GA release of Azure Arc-Enabled Kubernetes connected cluster-based apps on Azure Marketplace, we have pre-defined billing meters available. Pre-defined meters allow customers to easily monitor and track their usage of Azure Arc-enabled connected clusters and applications. With usage-based pre-defined meters, customers can take action to optimize their cost savings. Get started today with Azure Arc-Enabled Kubernetes on Azure Marketplace!
For more information please visit:
Partners:
Overview of Azure Arc-enabled Kubernetes – Azure Arc | Microsoft Learn
Plan an Azure Container offer – Marketplace publisher | Microsoft Learn
Create an Azure Container offer on Azure Marketplace – Marketplace publisher | Microsoft Learn
Customers:
Deploy an Azure Kubernetes application programmatically by using Azure CLI – Azure Kubernetes Service | Microsoft Learn
Deploy a Kubernetes application from Azure Marketplace – Azure Kubernetes Service | Microsoft Learn
Samples:
This sample shows how an ISV can prepare a Kubernetes application that can be installed on Azure Arc-enabled Kubernetes clusters.
This sample shows how an ISV can prepare a Kubernetes application that can be installed on Azure Kubernetes Service (AKS) clusters or Azure Arc-enabled Kubernetes clusters.
Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets
Dear customers,
We are writing to inform you about an upcoming change that will affect the way you access and manage your Exchange Online audit logs. Starting from April 30, 2024, we will be deprecating the following four cmdlets in the Exchange Online V3 module:
Search-AdminAuditLog
Search-MailboxAuditLog
New-AdminAuditLogSearch
New-MailboxAuditLogSearch
These cmdlets will no longer be available for use after this date, and you will need to switch to the Search-UnifiedAuditLog cmdlet or the Microsoft Purview portal to access your audit logs.
Why are we deprecating these cmdlets?
We are working towards streamlining the audit log search experience of our customers by deprecating four older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet has been in use for a long time and offers several advantages, including:
Support for a wider variety of record types.
More filtering options to refine your search.
A range of output formats to suit your needs.
To make things simpler and more efficient, it’s recommended to use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here: Search-UnifiedAuditLog (ExchangePowerShell) | Microsoft Learn
What do you need to do if you are using the deprecated cmdlets?
If you are currently using any or all the above-mentioned cmdlets, you will need to take the following actions before April 30, 2024:
For Search-AdminAuditLog, you will need to replace it with Search-UnifiedAuditLog in your scripts or commands. To get the same results as Search-AdminAuditLog, you will need to set the RecordType parameter to ExchangeAdmin. For example, if you want to search for all Exchange admin actions in the last 30 days, you can use the following command:
Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
For Search-MailboxAuditLog, you may also replace it with Search-UnifiedAuditLog. You can use the Exchange Online PowerShell V2 module to query the unified audit log for Exchange-related events. The cmdlet allows you to filter the results by record type, date range, user, and operation. For example, if you want to search for all Exchange mailbox actions in the last 30 days, you can use the following command:
Search-UnifiedAuditLog -RecordType ExchangeItem -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
You can also export the results to a CSV file for further analysis. To use the cmdlet, you need to have the View-Only Audit Logs or Audit Logs role assigned. You can learn more about the cmdlet here: Search-UnifiedAuditLog.
For New-MailboxAuditLogSearch and New-AdminAuditLogSearch you will need to use the Microsoft Purview portal to download your audit log report. The portal allows you to specify the criteria for your audit log search, such as date range, record type, user, and action. You can also choose to receive the report by email or download it directly from the portal. You can access the portal here: Microsoft Purview
We are also working on a new Audit Search API using Microsoft Graph which is expected to become available in Public Preview by February 2024. This will allow our customers to programmatically access the new async Audit Search experience, which also provides improved reliability and search completeness.
Note on default enablement of Auditing based on SKU:
To use the Search-UnifiedAuditLog command, auditing needs to be enabled for your tenant. Auditing is by default only enabled for the following SKUs:
A1/A3/A5/Edu
O365E1/E3/E5
Defender
If you are using any other SKU, you will need to enable auditing manually by following the steps described here: https://learn.microsoft.com/en-us/purview/audit-log-enable-disable. Please note: to ensure you have access to the last 90 days of logs once the cmdlets are deprecated, it’s crucial to enable auditing before January 31st. If you enable auditing after this date, you’ll only have access to logs from the day you activate it onwards.
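The migration steps above (replacing Search-AdminAuditLog and Search-MailboxAuditLog with Search-UnifiedAuditLog and exporting to CSV) and the auditing prerequisite in this note can be combined into one script. This is an added example, not code from the Exchange Online team: it assumes the ExchangeOnlineManagement module, an account holding the View-Only Audit Logs or Audit Logs role, and a constructed output path.

```powershell
# Added example, not part of the original announcement.
# Assumes the ExchangeOnlineManagement (V3) module and an account with the
# View-Only Audit Logs or Audit Logs role. The CSV path is a constructed placeholder.
Connect-ExchangeOnline

# Preflight for the SKU note above: Search-UnifiedAuditLog returns nothing unless
# unified audit log ingestion is enabled for the tenant.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit logging is disabled for this tenant; enable it before the cmdlets are deprecated.'
}

function Get-UnifiedAuditRecords {
    <#
      Replacement for Search-AdminAuditLog (RecordType ExchangeAdmin) and
      Search-MailboxAuditLog (RecordType ExchangeItem) queries.
      Uses a paging session so more than the 5,000-records-per-call limit can be
      retrieved, and unpacks the AuditData JSON so the output can be filtered and
      exported like the old cmdlets' output.
    #>
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ExchangeAdmin', 'ExchangeItem')]
        [string]$RecordType,
        [datetime]$StartDate = (Get-Date).AddDays(-30),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$Operations,   # e.g. 'Set-Mailbox', 'Add-MailboxPermission'
        [string[]]$UserIds       # actor UPNs to narrow the search
    )
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $params = @{
            RecordType     = $RecordType
            StartDate      = $StartDate
            EndDate        = $EndDate
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($Operations) { $params.Operations = $Operations }
        if ($UserIds)    { $params.UserIds    = $UserIds }

        $page = @(Search-UnifiedAuditLog @params)
        foreach ($rec in $page) {
            $data = $rec.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                CreationDate = $rec.CreationDate
                RecordType   = $rec.RecordType
                Operation    = $rec.Operations
                UserId       = $rec.UserIds
                ClientIP     = $data.ClientIP
                ObjectId     = $data.ObjectId
                ResultStatus = $data.ResultStatus
                # ExchangeAdmin records carry the cmdlet parameters as Name/Value pairs
                Parameters   = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
    } while ($page.Count -eq 5000)   # a short page means the session is exhausted
}

# Admin actions that commonly matter in an investigation: mailbox permission and
# forwarding changes over the last 30 days, exported for further analysis.
Get-UnifiedAuditRecords -RecordType ExchangeAdmin -Operations 'Add-MailboxPermission', 'Set-Mailbox' |
    Export-Csv -Path '.\exchange-admin-audit.csv' -NoTypeInformation
```

The same function with -RecordType ExchangeItem covers the Search-MailboxAuditLog case; a ReturnLargeSet session is capped at 50,000 records, so narrow the date range for busy tenants.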
We are here to help
We understand that this change may cause some inconvenience or disruption to your workflows, and we apologize for any inconvenience this may cause. We are committed to providing you with the best tools and services to manage your Exchange Online environment, and we appreciate your understanding and cooperation.
If you have any questions or feedback about this change, please feel free to contact us through our support channels or post a comment on this blog post. We are always happy to hear from you and assist you in any way we can.
Sincerely,
The Exchange Online Team
Late January 2024 Viva Glint newsletter
Welcome to our late January 2024 edition of the Viva Glint newsletter. Our communications are full of information that helps you get the most from your Viva Glint programs. You can always access the current edition and past editions of the monthly Viva Glint news update on our blog page.
Our next features release date
Viva Glint’s next features release is scheduled for February 10, 2024. Your dashboard will provide date and timing details two or three days before the release.
In your Viva Glint programs
Viva Glint admins can consent to use of external benchmarks, allowing Microsoft to use their survey data to refresh external benchmark suites. Consent is required to use external benchmarks in the platform. Once consent is given, a Viva Glint admin can select one or more external benchmarks for managers to use when viewing reports. Learn more about opting into using external benchmarks.
Need to delete a Distribution List? You can! Admins can delete a list from the Distribution Lists page, accessible from their admin dashboard. Names of any program using that list will display and you’ll need to remove the list from the target audience of those programs before the list can be deleted. Distribution List deletions are permanent, but the data of the members in the list is not deleted. Read about Distribution Lists.
Admins can also delete custom content resources that have been added to their Action Plans. As with Distribution Lists, a window displays any dependencies on the content, advising that any resource linked to this custom resource will have a broken link and that all action plans containing this resource will be deleted. Read about customizing action plans.
News from Viva People Science
The Microsoft Viva People Science team hosts events and authors blogs on current tips and trends to empower you to improve your business. Check out our most recent content:
Think like a People Scientist webinars premiere in February and were created based on customer feedback. These monthly webinars will deep-dive into topics you may encounter on your Viva Glint journey:
Think like a People Scientist: Understanding and interpreting your survey data
Think like a People Scientist: Telling a compelling story with your data
Think like a People Scientist: Influencing action without authority
Think like a People Scientist: Designing a survey that meets your organization’s needs
Look forward to an upcoming series on AI! We’re eager to provide you with the knowledge and resources to feel ready and excited for AI. We’ll cover topics such as AI and the employee experience, how to use AI in everyday work, and how to get your organization and employees AI-ready. Watch for our event listings in this monthly newsletter and on the Viva Glint Community.
Connect and learn with Microsoft and Viva Glint
Join us on February 6th for our first Viva Glint: Ask the Experts session! This inaugural session is geared toward new Viva Glint customers who are in the process of deploying their first programs. You must be registered to attend Ask the Experts. Bring your questions! Use this registration link.
We have platform trainings for Viva Glint admins and managers on Microsoft Learn! Use step-by-step guides to understand our dashboards, reports, and how to have quality team conversations.
For those in the NYC area, join us at Microsoft Discovery Day on January 29th. During this free half-day event, you will learn how AI-enabled technology helps you empower your workforce for innovation. Learn more here.
How are we doing?
Please share your feedback! Share with your Customer Experience Program Manager (CxPM) if you have one, or by emailing us here.
Also, if you do not want to receive these emails in the future, please let us know and you will be removed from the distribution list. Conversely, if there are people on your teams that should be receiving this monthly update, send us those emails and we’ll be sure they are added.
Viva Glint is committed to consistently improving the customer experience. The cloud-based platform maintains an agile production cycle with fixes, enhancements, and new features. Planned program release dates are provided with the best intentions of releasing on these dates, but dates may change due to unforeseen circumstances. Schedule updates will be provided as appropriate.
Build your Web Apps faster with the Azure Cache for Redis: Quick Start Template
Are you a developer looking to quickly and securely spin up a Webapp with a database and cache? Look no further than the Azure Cache for Redis Quick Start Template, now available in the Azure Marketplace. This template allows developers to work across various databases and languages of their choice, making it easier than ever to get started.
The Quick Start Template is compatible with several popular programming languages, including **Java, .NET, Python, Go, PHP, and Node.js**. It also works with a variety of data services, such as **Azure SQL, Azure PostgreSQL, Azure MySQL, and Azure Cosmos DB for MongoDB**.
Azure Cache for Redis is a first-party service that provides a fully managed caching solution based on open-source Redis, an in-memory data store that is commonly used for caching, message brokering, session management, and real-time data processing. The Quick Start Template lets you quickly and securely deploy an Azure Cache for Redis instance and connect it with your Webapp.
But that’s not all – the Azure Cache for Redis also offers several advanced features, such as data persistence, clustering, load balancing, and geo-replication, which make it easy to scale and deploy Redis-based solutions across multiple regions and data centers. Azure Cache for Redis can be used effectively with other Azure services, such as Azure App Service, Azure Kubernetes Service, Azure Functions, and Azure Logic Apps, enabling developers to easily incorporate caching into their applications without having to manage infrastructure or worry about scalability and availability.
And if you’re interested in learning more about the Azure Cache for Redis Quick Start Template, be sure to check out the upcoming Open at Microsoft episode that is all about this quick start template. The episode is hosted by Ricky Diep, Product Marketing Manager, and Catherine Wang, Senior Product Manager, and it’s a great opportunity to see the template in action and learn from the experts. In the episode, there will be a demo showcasing how Catherine quickly spun up a Python web app using Azure Cache for Redis with PostgreSQL that is used for restaurant reviews.
In addition to its ease of use and advanced features, the Azure Cache for Redis Quick Start Template has several practical use cases that can enhance the performance and functionality of your web applications. For example:
Session Store: Storing user session data in Azure Cache for Redis can enhance web application performance by reducing the database server load, particularly beneficial for high-traffic or complex session data.
Message Broker: Azure Cache for Redis can also serve as a message queue broker for background processing tasks, allowing web applications to offload time-consuming tasks to background workers while maintaining reliability and scalability.
Distributed Caching: Implementing leaderboards, counters, or other real-time ranking systems can be achieved efficiently using Azure Cache for Redis, ensuring fast and accurate updates.
Content Cache: For web applications serving dynamic content, you can cache HTML fragments, page components, or entire rendered pages in Azure Cache for Redis. This approach can help offload the web server and reduce the generation time of dynamic content.
Cache-Aside is ideal for storing frequently accessed data like product catalogs, user profiles, or configuration settings. By caching this data in Azure Cache for Redis, you can reduce the latency associated with database queries. The Cache-Aside pattern is a smart caching strategy where the application itself is responsible for managing the cache. When a request for data arrives, the application first checks the cache. If the cache doesn’t contain the required data, the application retrieves the data from the primary data store, such as a database, and stores it in the cache for future use. This can improve performance and help maintain consistency between data held in the cache and data in the underlying data store.
So why wait? Head over to the Azure Marketplace and try out the Azure Cache for Redis Quick Start Template today!
Resources
Learn More on Quick Deploy Template
Learn More on Azure Cache for Redis
Watch the Open at Microsoft Video
Released: SCOM Management Packs for SQL Server, RS, AS (7.4.0.0)
Updates to the SQL Server, SQL Server Dashboards, Reporting Services, and Analysis Services Management Packs are available (7.4.0.0). You can download the MPs from the links below. The majority of the changes are based on your direct feedback. Thank you.
Download Microsoft System Center Management Pack for SQL Server
Download Microsoft System Center Management Pack for SQL Server Dashboards
Download Microsoft System Center Management Pack for SQL Server Analysis Services
Download Microsoft System Center Management Pack for SQL Server Reporting Services
There are a lot of new features as well as some bug fixes in these MPs. You can find the full list by following the links below. Some of the bigger additions are:
For SQL MP
Added support for custom management server resource pools for agentless monitoring mode
Added new “SQL Connection Encryption Certificate Status” monitor for SQL Server on Linux, which targets DB Engine and checks if the server’s TLS certificate is valid
For AS MP
Added nine new performance collection rules
Improved the memory-related instance monitoring workflows
For RS MP
Added new “Securables Configuration Status” monitors
Improved accessibility for the Summary Dashboard view and Monitoring Wizard template
Updated the “Product Version Compliance” monitor with the most recent version of public updates for SQL Server
The operations guides for the SQL Server family of management packs live on learn.microsoft.com. The link to the operations guide for each MP can be found on the MP download page. Here are the links that show what’s new in these MPs:
Features and Enhancements in Management Pack for SQL Server
Features and Enhancements in Management Pack for SQL Server Dashboards
Features and Enhancements in Management Pack for SQL Server Analysis Services
Features and Enhancements in Management Pack for SQL Server Reporting Services
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing; they can only request their release. For everything else that lands in quarantine (spam, bulk, and phishing that is not high confidence), one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access permissions group
No access is the most restrictive permissions group that can be applied to a quarantine policy. The built-in AdminOnlyAccessPolicy quarantine policy uses this permissions group. When it is applied, the most that a user can do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Email & collaboration > Policies & rules > Threat policies > Quarantine policy, create a new policy using Limited access, No access, or Specific access with the release action set to “Allow recipients to request a message to be released from quarantine” (not the “release” option). Then assign this quarantine policy to the quarantined verdicts in your anti-phishing, anti-spam, and anti-malware policies, including any custom policies, not just the defaults.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
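The same change from Exchange Online PowerShell, as an added example that is not part of the original post or Microsoft's documentation. It creates a Limited access quarantine policy, attaches it to the default anti-spam, anti-phishing and anti-malware policies, and then audits every quarantine policy in the tenant for the user-release permission. The policy name is an assumption; the permission bit values are the ones documented on the quarantine policy anatomy page (16 = block sender, 8 = request release, 4 = release, 2 = preview, 1 = delete; Limited access = 27, Full access = 23), and the property names follow the ExchangeOnlineManagement module cmdlets.

```powershell
# Added example, not code from the original post.
# Requires the ExchangeOnlineManagement module and an Exchange or Security
# Administrator role. $policyName is an assumed name.
Connect-ExchangeOnline

$policyName = "LimitedAccessQuarantine"

# Limited access = block sender (16) + request release (8) + preview (2) + delete (1) = 27.
# The release bit (4) is deliberately absent, so users can only *request* release.
if (-not (Get-QuarantinePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name $policyName -EndUserQuarantinePermissionsValue 27 -ESNEnabled $true
}

# Anti-spam (default policy): every verdict that is quarantined uses the limited policy.
# Tags only take effect for verdicts whose action is Quarantine.
Set-HostedContentFilterPolicy -Identity "Default" `
    -SpamQuarantineTag $policyName `
    -HighConfidenceSpamQuarantineTag $policyName `
    -PhishQuarantineTag $policyName `
    -HighConfidencePhishQuarantineTag $policyName `
    -BulkQuarantineTag $policyName

# Anti-phishing (default policy): spoof and impersonation verdicts.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -SpoofQuarantineTag $policyName `
    -TargetedUserQuarantineTag $policyName `
    -TargetedDomainQuarantineTag $policyName `
    -MailboxIntelligenceQuarantineTag $policyName

# Anti-malware (default policy).
Set-MalwareFilterPolicy -Identity "Default" -QuarantineTag $policyName

# Audit: flag any quarantine policy that still grants the release bit (4).
# Full access (23) and custom policies with bit 4 set are the ones to review.
Get-QuarantinePolicy | ForEach-Object {
    $canRelease = ($_.EndUserQuarantinePermissionsValue -band 4) -ne 0
    $verdict = if ($canRelease) { "REVIEW: users can release" } else { "ok" }
    [pscustomobject]@{
        Policy         = $_.Name
        PermissionBits = $_.EndUserQuarantinePermissionsValue
        UserCanRelease = $canRelease
        Verdict        = $verdict
    }
} | Format-Table -AutoSize
```

The audit loop is the useful part on an existing tenant: a custom policy created with Full access, or the built-in DefaultFullAccessPolicy referenced from a custom anti-spam policy, shows up as `UserCanRelease = True`. Repeat the three `Set-*Policy` calls for each custom policy returned by `Get-HostedContentFilterPolicy`, `Get-AntiPhishPolicy` and `Get-MalwareFilterPolicy`, since quarantine tags are set per policy rather than tenant-wide.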
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOS devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections are also blocked from all other supported browsers (Chrome, Firefox, Brave, Opera, and others) and from non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, IPs, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps1, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is the active antivirus (ASR rules do not apply when it runs in passive mode) and that Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, Intune (formerly MEM), Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is the active antivirus and that Real-Time Protection and Tamper Protection are enabled. Then, enable the rule (in audit mode first, as noted above) via Defender for Endpoint security settings management, Intune (formerly MEM), Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is the active antivirus and that Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, Intune (formerly MEM), Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is the active antivirus and that Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, Intune (formerly MEM), Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
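The device-side settings from the tamper protection, network protection and four ASR rule sections above, as one added example that is not code from the original post or from Microsoft. It is meant for an unmanaged or lab Windows device: on devices managed by Intune, Configuration Manager or Group Policy the management channel overrides local `Set-MpPreference` changes, and tamper protection itself cannot be switched on from PowerShell, so the script only reports its state. The rule GUIDs are the published ASR rule identifiers; the action code mapping (0 disabled, 1 block, 2 audit, 6 warn) and the decision to start the JavaScript/VBScript rule in audit mode are choices made here.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell on a Windows device with Microsoft Defender Antivirus active.

$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Real-time protection is off (AMRunningMode=$($status.AMRunningMode)); ASR rules and network protection need Defender Antivirus active."
}
if (-not $status.IsTamperProtected) {
    # Cannot be fixed here: tamper protection is turned on in the Defender portal, Intune, or Configuration Manager.
    Write-Warning "Tamper protection is OFF. An attacker on this device can disable the settings below."
}

# Network protection in block mode (Enabled = block, AuditMode = log only).
Set-MpPreference -EnableNetworkProtection Enabled

# The four ASR rules discussed above. The JS/VBScript rule starts in audit mode
# because line-of-business apps may trip it; move it to Enabled after reviewing events.
$asrRules = @{
    "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" = @{ Name = "Block untrusted and unsigned processes that run from USB";                   Mode = "Enabled" }
    "d3e037e1-3eb8-44c8-a917-57927947596d" = @{ Name = "Block JavaScript or VBScript from launching downloaded executable content"; Mode = "AuditMode" }
    "3b576869-a4ec-4529-8536-b80a7769e899" = @{ Name = "Block Office applications from creating executable content";               Mode = "Enabled" }
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" = @{ Name = "Block executable content from email client and webmail";                    Mode = "Enabled" }
}

foreach ($id in $asrRules.Keys) {
    # Add-MpPreference sets or updates this one rule without disturbing rules configured elsewhere.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asrRules[$id].Mode
}

# Verify what Defender actually holds, translating the numeric action codes.
$actionName = @{ 0 = "Disabled"; 1 = "Block"; 2 = "Audit"; 6 = "Warn" }
$pref = Get-MpPreference
"Network protection mode: $($pref.EnableNetworkProtection) (1 = block, 2 = audit, 0 = off)"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.ContainsKey($id)) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        "{0,-82} {1}" -f $asrRules[$id].Name, $actionName[$code]
    }
}
```

Reading the state back from `Get-MpPreference` rather than trusting the `Set`/`Add` calls is the point of the last block: on a managed device the values will revert to whatever the policy says, and a rule that reports `Audit` where you expected `Block` tells you the policy, not the script, is the place to change it.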
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the Billing Administrator role is less widely known, but it can in fact take over a tenant, even from a Global Administrator. With the ability to move subscriptions to an associated billing tenant, a billing admin can transfer subscriptions to a tenant in which they hold Global Administrator, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that targets the administrative directory roles and requires multifactor authentication for all cloud apps. Exclude your emergency access (break-glass) accounts, and roll the policy out in report-only mode before enforcing it.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
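The same policy created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post or of Microsoft's documentation. The role template IDs are the built-in Entra directory role IDs, and the role set mirrors the administrator roles the linked Learn article recommends covering, Global Administrator and Billing Administrator among them. The policy display name and the break-glass account's user principal name are assumptions; the policy is created in report-only state so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph
# module and a Conditional Access Administrator (or higher) signing in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Built-in directory role template IDs (Entra built-in roles reference).
$adminRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "b0f54661-2d74-4c50-afa3-1ec803f12efe",  # Billing Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",  # Privileged Authentication Administrator
    "c4e39bd9-1100-46d3-8c65-fb160da0071f",  # Authentication Administrator
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",  # Conditional Access Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",  # SharePoint Administrator
    "fe930be7-5e62-47db-91af-98c3a49a38b1",  # User Administrator
    "729827e3-9c14-49f7-bb1b-9608f156bbb8",  # Helpdesk Administrator
    "966707d0-3269-4727-9be2-8c3a10f19b9d",  # Password Administrator
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",  # Application Administrator
    "158c047a-c907-4556-b7ef-446551a6b5f7"   # Cloud Application Administrator
)

# Emergency access account to exclude (assumed UPN; use your own break-glass account).
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) { throw "Break-glass account not found; refusing to create a policy that could lock out all admins." }

$policy = @{
    DisplayName   = "Require MFA for administrators (report-only)"   # assumed name
    State         = "enabledForReportingButNotEnforced"               # change to "enabled" after review
    Conditions    = @{
        ClientAppTypes = @("all")
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{
            IncludeRoles = $adminRoles
            ExcludeUsers = @($breakGlass.Id)
        }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: which policies in the tenant actually require MFA for Global Administrators,
# and in what state. An empty result or only report-only rows means admins are not yet covered.
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.GrantControls.BuiltInControls -contains "mfa" -and
    $_.Conditions.Users.IncludeRoles -contains "62e90394-69f5-4237-9190-012177145e10"
} | Select-Object DisplayName, State
```

The closing query is worth running on its own against an existing tenant: a policy that targets the Global Administrator role but sits in `enabledForReportingButNotEnforced`, or one that has been scoped to "Directory roles" but grants only "compliant device" rather than `mfa`, looks covered in the portal list and is not.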
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR can be satisfied with a choice of authentication methods, including email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under Password reset > Authentication methods, set “Number of methods required to reset” to 2, and prefer methods that are not tied to a phone number (such as the Microsoft Authenticator app) over SMS and voice call.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Entity tags > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.