Posts

Showing posts with the label Azure Automation

Auto-add NSG rules

We use the built-in Windows VPN client to provide access to legacy applications that don't meet the security or usability requirements to be exposed to the internet. One of those applications just didn't work well over a VPN for various reasons but worked great over the internet. The application's network traffic was encrypted but the authentication was only username/password, so just publishing it on the internet wasn't a good enough solution. Allowing access to the resource over the internet from a specific IP address would meet the security requirements of the application, but keeping up with manually adding everyone's home IP address to the Azure Network Security Group (NSG) would be impossible. My solution in this case was to use a combination of the following resources to automate the process of adding a user's IP address to the NSG on a temporary basis:

- Microsoft Power Automation (Flow)
- Azure Automation Accounts
- Powershell
- Microsoft Graph API
- Si...

Using Azure DevOps to track changes to Network Security Groups in Azure

I wanted an easy way to keep track of changes made to our NSGs in Azure and, through a combination of a few offerings in Azure, I settled on what I feel is a pretty good solution. The runbook is on a schedule to run every day and performs the following:

1. Get the current configuration of the Network Security Group (NSG)
2. Push the current configuration of the NSG to a DevOps repository
3. Compare the current configuration against the previous configuration
4. If there are any changes, send an email

Resources needed:

- Azure Automation Runbook
- Azure DevOps license (Basic Plan for access to use Repos)
- Powershell
- Azure Keyvault (for storing the DevOps API key)

Runbook code:

Temporarily Bypassing Applocker for Self Extracting Installers

We've always struggled with installers that create temporary exe files in various locations while Applocker is enforced. Sometimes we're able to grab a copy of the temporary file and whitelist it so the installation can continue, but other times the installer bombs out too quickly and we just can't get the file. One solution is to whitelist the %OSDRIVE%\USERS\TEMP\APPDATA\LOCAL\TEMP directory, but for security that's a terrible idea. I created a process which I'd like to share that uses Microsoft Power Automation (Flow), Azure Automation, and the Microsoft Graph API to achieve the following:

1. Admin clicks a Flow button on their phone
2. The Flow button takes user input in the form of an Active Directory username (ex. rellington) and passes it to a webhook for an Azure Automation job
3. The Azure Automation job starts and removes the user from the Applocker-enforced Active Directory Security Group (Applocker policy is enforced using Intune)
4. The Azure Automation job forces an Intune s...

Moving Applocker control from Group Policy to Intune

Lately I've been trying to migrate a lot of GPOs to Intune so that our endpoints don't have to depend on a VPN for updating policy. Applocker was an important one for us since VPNs are flaky and it's important that users be able to run updated software while away from the office network. Chrome once updated its signing certificate and, because it auto-updates itself, we had users who couldn't launch Chrome until they were able to get connected to the VPN and run a gpupdate. I already had the plumbing in place which allows Admins to upload files to a file share and have them automatically added as whitelisted to the Applocker GPO. Now I just had to move the enforcement of the GPO into Intune. I decided to keep the dependency on our Domain Controllers merging the changes into the Applocker policy since there are some pretty good Powershell commands that take care of that. The GPO for Applocker is still being updated but is only used for Intune to pull from and turn int...

Making managing Applocker easier

I'm fortunate enough to have application whitelisting in use on our domain using Windows Applocker policies. It does add quite a lot of administrative overhead to manage, but I've done a few things to make it easier. The first is an automated whitelisting process using a Powershell script and the Windows Task Scheduler. Task Scheduler runs the Powershell script below every 5 minutes on a domain server and checks a file share in Azure for .exe files. Only Administrators have access to this directory, so to add an app to the whitelist we just dump the .exe we want to whitelist into the directory, wait for it to disappear, and then run gpupdate to sync the new policy containing the whitelisted app. This is the Powershell code which the Task Scheduler runs every 5 minutes to monitor the file share for new files to whitelist:

=======================================================================
# This script will auto-add stuff to the AppLocker Enforce GPO
# Parse a direct...