Automation to Block Brute-force Attacked IP detected by Azure Security Center

Automation to Block Brute-force Attacked IP detected by Azure Security Center

This article is contributed. See the original author and article here.

According to Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually take places for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there are also brute-force against SSH (TCP 22).. Nowadays with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH. Users with weak passwords and without MFA enabled, are more susceptible to be compromised by and RDP brute force attack.. Keep in mind that compromising a server via RDP brute force is just the initial foothold, once the threat actors gain access to target machine, it will continue conducting malicious activities which may include coin mining and even ransomware type of attack.

 

One way to reduce the likelihood that your machine will be compromised via RDP brute-force is by reducing the exposure, in other words, limiting the amount of time that a port is open by securing your management ports using Just-in-time access, capability available in ASC Standard Tier.

 

This blog explain how to leverage automation to block traffic of specific IP to a VM in the NSG as a response to a Brute-force alert detected by Azure Security Center.

 

How does the automation work?

When Azure Security Center detects a Brute-force attack, it triggers an alert to bring you awareness that a brute force attack took place. The automation uses this alert as a trigger to block the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert. In the alerts of this type, you can find the attacking IP address appearing in the ‘entities’ field of the alert.

 

The Logic App uses a system-assigned Managed Identity. You need to assign Contributor permissions or Security Reader and Network Contributor permissions to the Logic App’s Managed Identity so it is able to create an NSG rule once there is an attack detected. You need to assign these roles on all subscriptions or management groups you want to monitor and manage resources in using this playbook. Note: You can assign permissions only if your account has been assigned Owner or User Access Administrator roles, and make sure all selected subscriptions registered to Azure Security Center.

Refer to the Readme file in our GitHub Repository for detailed procedure.

 

Deployment process and details

Navigate to Azure Security Center GitHub repository and select “Deploy to Azure” or “Deploy to Azure Gov”, as shown in Image 1:

Image 1: Git Hub repositoryImage 1: Git Hub repository

 

Once you have clicked on ‘Deploy’ option in the screen above, you should automatically be redirected to the Azure portal Custom deployment page where you can fill in the details of requirement as shown in Image 2, as shown below:

Image 2: Azure portal, Custom DeploymentImage 2: Azure portal, Custom Deployment

 

The ARM template will create the Logic App Playbook and an API connection to Office 365, and ASCalert.

You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.

 

Once you review and create from Image 2, you would notice below resources created from the ARM template (Refer Image 3)

 

Image 3: Summary of the resources created from the ARM templateImage 3: Summary of the resources created from the ARM template

Define when the Logicapp should automatically run:

Workflow automation feature of Azure Security Center can trigger Logic Apps on security alerts and recommendations. For example, you might want Security Center to email a specific user when an alert occurs. When you add the workflow automation and trigger conditions as show in Image 4, the triggers will initiate this automatic workflow. In this example, you want the Logic App to run when a security alert that contains “bruteforce” is generated.

Image 4: Workflow AutomationImage 4: Workflow Automation

 

Note: Read more about workflow automation here

 

When a Bruteforce attack is detected by Azure Security Center as shown in Image 5, this would automatically apply the automation and blocks the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert as shown in Image 6

Image 5: Brute force attack alertImage 5: Brute force attack alert

 

Image 6: IP blocked by ASCImage 6: IP blocked by ASC

 

You would receive an email notification on the alert details as shown in Image 7:

Image 7: Email notification from the logicappImage 7: Email notification from the logicapp

 

This logic app as well as many other can be found here:

Direct Link to GitHub sample

Azure Security Center GitHub Repo

 

Most organizations lack the time and expertise required to respond to these alerts so many go unaddressed. Having this type of automation can address the threat immediately. I hope you enjoy reading this article and implementing, testing it as much as I enjoyed writing it.

 

Reviewer

Special thanks to:

Yuri Diogenes, @Yuri Diogenes, Senior Program Manager (CxE ASC Team)

Introducing a simpler way to secure your Windows 10 computers with Microsoft 365 Business Premium

Introducing a simpler way to secure your Windows 10 computers with Microsoft 365 Business Premium

This article is contributed. See the original author and article here.

Applying security policies to the computers in your organization is a foundational security practice.  It’s especially important now that more employees are using these devices away from the office.  To make it easier for you to protect your organization’s devices, we’ve added a new setup experience to the Microsoft 365 admin center that allows you to establish a security baseline for all of the Windows 10 PCs in your organization in just a few clicks. 

 

This new experience is available to customers with Microsoft 365 Business Premium.  It has begun rolling out and will reach all eligible customers within the next few months. Let’s take a closer look at what’s new.

 

To access these new capabilities, in the Microsoft 365 Admin Center, open Setup on the left menu.

 

Opener.png

 

In the Sign-up and Security section, find Secure your Windows 10 computers, and click the View button.

 

2.png

 

On the Secure your Windows 10 computers page, you can read about the streamlined process for securing Windows 10 devices and access relevant documentation.  As the page notes, this experience is built with small and medium-sized businesses in mind.  It simplifies the process of setting up Intune-powered devices policies.  Larger enterprises and advanced users can go to the Endpoint Manager admin center instead.  Click the Get Started button to continue.

 

3.png

 

The pane that appears on the right side shows the five policies recommended for applying a security baseline.  The policies that you can enable here are a lightweight set designed to elevate your protection while minimizing user impact and limiting management complexity. They were selected based on input from IT partners who serve small and medium sized businesses, telemetry on the most commonly applied Intune policies, and feedback from customers.

 

The recommended security settings are:

  • Help protect PCs from viruses and other threats using Windows Defender Antivirus: Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet.
  • Help protect PCs from web-based threats: Turns on settings in that help protect users from malicious sites and downloads. It also prevents the launching off applications with Microsoft Office.
  • Prevent network access to potentially malicious content on the Internet: Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet.
  • Help protect files and folders on PCs from unauthorized access with BitLocker: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
  • Turn off device screen when idle for this amount of time:  Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off.

When you click Apply Settings, the system will create these policies in Intune.  For these policies to actually take effect, the conditions noted in the gray box must be true.

 

4.png

 

The most important of these is that the user’s computer must be enrolled in Intune.  That is how the computer knows to check the cloud to see which settings should be applied. For information about Intune enrollment in an environment where PCs are joined to an on-premises Active Directory domain, see Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium, an article that we recently improved based on customer feedback.

 

Note: You typically will not need to change Azure Active Directory settings noted in the gray box unless you have previously customized them.  

After the policy setup is complete, you can access and modify the policies at any time by clicking Devices and then Policies

 

5.png

 

The policy called “Device Policy for Windows 10” is the one created in the setup experience.  You can modify that policy or create additional ones.

When you edit the settings, you’ll notice the original settings plus additional ones you can activate; related to keeping devices up to date, allowing users to download apps from the Microsoft store, and so on. 

 

6.png

 

Advanced users who are familiar with Intune can also edit these policies and create others in the Endpoint Manager admin center, which is accessible in the left navigation.

 

We’re rolling these capabilities out right now, and are eager for you to put them to work to secure the devices in your organization.  If you have questions about the new setup experience, or feedback for the team, let us know here in the Tech Community.

What is Azure SQL Edge | Data Exposed

This article is contributed. See the original author and article here.

In part one of this three-part series, Vasiya Krishnan introduces Azure SQL Edge and its features that make it the optimized database engine for IoT Scenarios. In part two, Vasiya will review customer examples and use cases, and in part three, she’ll conclude with a demo that demonstrates how to use Azure SQL Edge to build smarter renewable resources.

 

Watch on Data Exposed

 

Additional Resources:
Microsoft Industry Solutions
Learn more about Azure SQL Edge
Learn more about the features and building an end to end solution
Azure SQL Edge customer stories
Azure SQL Edge whitepaper

 

View/share our latest episodes on Channel 9 and YouTube!

From Tasks in Microsoft Teams to whiteboarding during remote meetings—here’s what’s new to Microsoft 365

From Tasks in Microsoft Teams to whiteboarding during remote meetings—here’s what’s new to Microsoft 365

This article is contributed. See the original author and article here.

This month, we’re releasing new features in Microsoft Teams to help users automate more of their workflow, ideate on digital whiteboards more easily, help improve readability while browsing the web, and more.

The post From Tasks in Microsoft Teams to whiteboarding during remote meetings—here’s what’s new to Microsoft 365 appeared first on Microsoft 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Koenig—a world leader in delivering Microsoft training online

This article is contributed. See the original author and article here.

As part of our blog series on the value of training and certification, we’re talking with some of our top Learning Partners who deliver Microsoft training and who currently offer training for Business Applications. We kicked off the series with a post based on a conversation with representatives of Global Knowledge, the 2019 Microsoft Learning Partner of the Year. Today’s post focuses on Koenig Solutions and is based on a conversation with Subodh Kumar Chaudhary, Group Manager, Alliance and Corporate Sales (India), and Neeraj Sharma, Group Technical Manager, Dynamics 365 (India), both of Koenig.

 

Koenig Solutions has been partnering with Microsoft for 22 years, and in 2014 it was recognized as a Gold Partner. The company offers training for all major Microsoft Certifications, including Microsoft Dynamics 365 and Microsoft Power Platform, with a focus on financials. “Koenig works with more than 25 vendors,” Chaudhary notes, “but Microsoft holds a special place for the company.” This is due in part, he explains, to the fact that its Microsoft trainings are its biggest revenue generator. But more importantly, “We greatly appreciate our working relationship with Microsoft.” Microsoft has a “genuine partner-centric approach that enables us to work together as a true team.”

 

Here’s one example of how that collaboration works. Every year in July, Koenig representatives attend the Partners Conference, so they can find out what’s new, track changes, discover technical approaches, and create new training or adjust existing training. After learning about Dynamics and the Microsoft emphasis on CRM at the 2006 conference in Boston, Koenig launched a CRM training program. At the time, it was the only Microsoft partner in India that was delivering CRM training. And the first instructor of Koenig’s Dynamics course was Sharma. Over the years, as Dynamics grew and became Dynamics 365, Sharma built a team that led Koenig’s journey as a Dynamics specialist. Today, Sharma is Practice Head for the Dynamics team, and most of his 15-member team members have been working with him for seven or eight years. “Koenig is in love with Dynamics,” he says. “Our practice with Dynamics is always evolving.”

 

Koenig offers Microsoft training in 182 countries, including Greenland, Norway, and the United States and on every continent (“Except Antarctica!” Chaudhary jokes. “No training there yet.”) With 170+ in-house instructors and 200,000 people trained, it’s one of the largest global training organizations. The commitment to retaining all in-house trainers and not hiring freelance trainers is one of its strengths and provides many benefits to the instructors, the learners, and the quality of the training it offers. It means, for instance, that Koenig can ensure a great work-life balance for its instructors. Each year since 2010, Koenig has been certified as a “Great Place to Work” by the Great Place to Work Institute in India. Why is its staff’s “happiness quotient” so consistently high? “Because we recognize that we’re in the service industry,” Chaudhary says, “and that human resources, our trainers, play a big role.” That’s why Koenig doesn’t overload its instructors. It keeps them operating at about 70 percent, leaving them enough time to learn and upgrade their own skills, which is essential for their motivation. That also means they don’t burn out and their motivation and excitement for teaching remains high. This translates to a great retention rate for the company and consistently engaging instruction for learners.  

 

Using only in-house trainers also helps Koenig respond to three common industry challenges. First, in cases where an instructor cancels the day before a course is to begin, Koenig can supply another trainer, so the course proceeds as planned and learners don’t lose out. Second, it gives the company the flexibility to start courses when it suits the market—not based on the availability of a freelance instructor. Third, it helps keep costs in check. With a group of in-house trainers, some training many students at a time and others only a few, the cost of instruction can be spread out. This benefits students, as well. They can count on every course being offered as scheduled. All Koenig courses are “guaranteed to run,” which means that if three students sign up for a course, or even one, it will be offered. Koenig does not cancel classes, so students can depend on the fact that the training they plan and sign up for will take place.

 

Another benefit of using only in-house trainers is the ability to develop and maintain excellence in instruction. As practice head for Dynamics, one of Sharma’s tasks is to support the instructors. He meets regularly with them, to make sure they’re keeping up their technical skills and to hear and respond to any grievances. And the company maintains a shared repository of content that instructors can contribute to and consult to help them develop and improve the way they teach their courses. For instance, they can add case studies and other supporting content to the repository. And other instructors can use those resources to get up to speed fast—for example, if they’re teaching Microsoft Power Platform or Microsoft Dynamics 365 for an industry they’re not as familiar with.  

 

Having in-house trainers also means Koenig can operate more cooperatively than competitively with other training organizations. If a freelance instructor is unable to teach a scheduled course for another organization, that organization can call Koenig and hire one of its instructors. This is especially important now that all classes are online.

 

Over the past several years, Koenig has invested in more online training. “Online training is not traditional in India,” Chaudhary explains. ”People want face-to-face, instructor-led training.” Three years ago, however, it started offering 5 percent of its trainings online, to help defray the cost of travel for companies and to accommodate international companies’ teams with members that work in different time zones. Ever since then, its online offerings have been steadily growing, so that just before the COVID-19 pandemic hit, 25 percent of its trainings were virtual instructor-led training (VILT). Now, during the pandemic, all of its trainings are online.

 

This is actually a good development, Chaudhary emphasizes. Rohit Aggarwal, CEO and founder of Koenig Solutions, notes one reason for this: “COVID has made the world flat for us as a training organization. Previously, distance, visas, and flights often limited access for some customers. Not anymore. Now all the world’s a stage. Thus, even specialized skills like those in Microsoft Dynamics 365 can now become truly big for us.” Moving everything online has brought other improvements as well, Chaudhary explains. Though reluctant at first to investigate more online training, the company now finds that virtual instructor-led training—with the delivery methods put in place by Koenig—is as good as in-person training. The company’s organization, along with several changes made to the delivery method, enabled it to transition so successfully.

 

First, he says, “When you have in-house trainers, you can efficiently make changes in delivery methods across the board.” Second, Koenig asked its learners what pain points they experienced in online learning, and in all learning, and then implemented changes to respond to those. For example, now that people are working from home, they find they’re not able to concentrate for eight hours or even to sit uninterrupted for eight hours. Learners also reported, and research confirmed, that their ability to absorb knowledges declines after four hours. So Koenig now gives learners two options: they can take a course for four hours a day for 10 days (in the afternoon or morning) or eight hours a day for five days. The company’s name for this is spaced learning, and it has found that with spaced learning the rate of knowledge absorption improves.

 

Koenig supports its learners in multiple ways. Learners reported that they were reluctant to take exams because of the fear of failing. Since passing the exams validates the skills they’ve learned and earns them certification, Koenig steps in to help allay learners’ fears. It designed a simple set of questions in-house that learners can answer to see whether they’re ready for the official exam. If they get 70–75% correct, they’re ready for the exam. It works like a “small test engine,” says Chaudhary. “It’s a great morale booster.” One more way it supports learners is by offering Doubt Clearing. Once you’ve attended a training, you get the opportunity to attend a Doubt Clearing session without cost. Learners can go to the session to practice their knowledge and to ask questions of trainers about issues that they’ve encountered using the software in their workplace.

 

Though its Azure trainings are among the most popular, due to demand for cloud skills, Koenig offers 86 Dynamics 365 trainings. As more and more companies have adopted Dynamics 365 and Microsoft Power Platform, it has continued to add training. These trainings cover all the major areas of Dynamics 365—sales, marketing, customer service, field service, and supply chain management—but they have a special emphasis on finance and Microsoft Power Platform, because of customer demand. “Every customer needs expertise in these two areas,” Chaudhary explains, “no matter which industry they’re in.” That’s borne out by popularity.

 

The Koenig Dynamics team works hard to keep its training up to date with the fast pace of Dynamics 365 changes. The team “actively watches” Microsoft Docs and Microsoft Learn, taking note of any updates. “It’s our routine practice,” Sharma says, “to keep us on our toes.” The skills expectations and help available on Microsoft Learn are “just great,” Chaudhary adds. Team members also try out exams themselves, so they can design better training. Another way Koenig “stays vigilant” about the changes is by having its instructors routinely talk with subject matter experts, especially in Azure, Dynamics 365, and Microsoft Power Platform.

 

Commitment to staying ahead of the curve is evident in the new courses the Koenig Dynamics team is working on—trainings in the latest Dynamics 365 offerings, Business Central, and Dynamics 365 Commerce. Though certification for Business Central was just announced and certification for Commerce is on the way, Koenig is ready to help learners learn and validate these skills. “There’s lots of material on Microsoft Learn and Microsoft Docs,” Sharma says, “and our team has been preparing courses that may launch as early as August of this year.”

 

Koenig’s record of partnership with Microsoft and its commitment to that close, ongoing teamwork at all levels are summed up well by Chaudhary when he says, “We love delivering Dynamics training, and all our Microsoft trainings, with pride.”