Posts

Automatically add trusted IPs to an Azure IP Group for Azure Firewall

For many reasons we choose to not use a VPN for traffic which is already encrypted and authenticated. Sometimes this is a challenge though, especially when the authentication opens us up to password-guessing attacks. In this case, that vulnerability is our on-premises Exchange Server, which is needed for Public Folder access amongst other things. We've tried different solutions to prevent this, including the Azure Web Application Firewall, but always end up needing to expose a portion of the Exchange Web Services to the internet. I'm sure some of you are wondering what we are doing wrong with Exchange to need this, but I really can't recall each of the obstacles we ran into while trying to nail this down. Our latest attempt at mitigating this vulnerability collects the IP addresses of all of our trusted clients and automatically adds them to an Azure IP Group, which is used in an Azure Firewall rule to allow HTTPS traffic to our on-premises Exchange Server. The solution ut

Making Airlock Easier

We recently switched from using Microsoft's built-in application allow-listing technology, AppLocker, to a third-party product named Airlock. The reason for switching was a change Microsoft made in Intune that limited the amount of XML which could be posted for the policy config. We couldn't get around it and didn't want to switch back to using Group Policy to manage AppLocker, so we made the switch. We've been very pleased with the switch for several reasons, which include ease of management and speed of applying policy changes. We didn't like having to monitor the GUI for blocked executables and wanted to be able to quickly allow a blocked executable from our phones without having to log into the Airlock console. We ended up creating a nice solution using a combination of the following:
- Airlock RESTful API
- Syslog Collector
- Azure Sentinel SIEM
- Azure Sentinel Syslog Connector
- Azure Sentinel Playbook/Logic App
Airlock Server is configured to export Syslog events to

Posting Mentions to Teams using Graph

I'm putting this out there because it took me some time to figure out, and at the time I couldn't find any documentation on how to use the Graph API to post a mention to a Teams channel:
GET Team ID: https://graph.microsoft.com/beta/me/joinedTeams
GET Channel ID: https://graph.microsoft.com/beta/teams/{team-id}/channels
GET User ID: https://graph.microsoft.com/v1.0/me/people/?$search="Firstname Lastname"
POST https://graph.microsoft.com/beta/teams/{Team ID}/channels/{Channel ID}/messages (include the BODY of the POST as below)
Minimum JSON needed for body of the POST:
{
  "body": {
    "contentType": "html",
    "content": "<at id=\"0\">Firstname Lastname</at>Boo"
  },
  "attachments": [],
  "mentions": [
    {
      "id": 0,
      "mentionText": "Firstname Lastname",
      "mentioned": {
        "application": null,
        "

Auto-add NSG rules

We use the built-in Windows VPN client to provide access to legacy applications that don't meet the security or usability requirements to be exposed to the internet. One of those applications just didn't work well over a VPN for various reasons but worked great over the internet. The application's network traffic was encrypted, but the authentication was only username/password, so just publishing it on the internet wasn't a good enough solution. Allowing access to the resource over the internet from a specific IP address would meet the security requirements of the application, but keeping up with manually adding everyone's home IP address to the Azure Network Security Group (NSG) would be impossible. My solution in this case was to use a combination of the following resources to automate the process of adding a user's IP address to the NSG on a temporary basis:
- Microsoft Power Automation (Flow)
- Azure Automation Accounts
- PowerShell
- Microsoft Graph API
- Si

Using Azure DevOps to track changes to Network Security Groups in Azure

I wanted an easy way to keep track of changes made to our NSGs in Azure, and through a combination of a few offerings in Azure I settled on what I feel is a pretty good solution. The runbook is on a schedule to run every day and performs the following:
- Get the current configuration of the Network Security Group (NSG)
- Push the current configuration of the NSG to a DevOps repository
- Compare the current configuration against the previous configuration
- If there are any changes, send an email
Resources needed:
- Azure Automation Runbook
- Azure DevOps license (Basic Plan for access to use Repos)
- PowerShell
- Azure Key Vault (for storing the DevOps API key)
Runbook code:

DHCP Approval using Azure Automation and Powershell

I wanted to try to prevent someone from bringing an unapproved device onto our local network by simply plugging it into an Ethernet jack and pulling an IP address using DHCP. Microsoft's DHCP server service has a feature named DHCP Filters, included with the Windows Server DHCP Server service, which allows for MAC address white/black listing. I was able to use a combination of various Microsoft and Azure features to automate the process of approving and adding MAC addresses to our whitelist. Below is an explanation of how I was able to achieve this. Resources needed:
- Azure Automation Hybrid Worker agent installed on the DHCP server
- Azure Automation Runbook with a webhook to start it
- Microsoft Power Automation Flow (formerly Microsoft Flow)
- PowerShell
- Windows Task Scheduler
- Microsoft Office 365 Outlook and SharePoint
The first step is to configure your Windows Server DHCP service scope so that IP addresses are only provided to computers with MAC addresses in the Allow List.

Temporarily Bypassing Applocker for Self Extracting Installers

We've always struggled with installers that create temporary exe files in various locations alongside AppLocker. Sometimes we're able to grab a copy of the temporary file and whitelist it so the installation can continue, but other times the installer bombs out too quickly and we just can't get the file. One solution is to whitelist the %OSDRIVE%\USERS\TEMP\APPDATA\LOCAL\TEMP directory, but for security that's a terrible idea. I created a process which I'd like to share that uses Microsoft Power Automation (Flow), Azure Automation, and the Microsoft Graph API to achieve the following:
- Admin clicks a Flow button on their phone
- The Flow button takes user input in the form of an Active Directory username (ex. rellington) and passes it to a webhook to an Azure Automation job
- Azure Automation job starts, which removes the user from the AppLocker enforced Active Directory Security Group (AppLocker policy is enforced using Intune)
- Azure Automation job forces an Intune s