SharePoint Stuff



Posts Tagged ‘Microsoft’

Microsoft Cloud App Security (CAS) and Squid

Written by Luke Smith. Posted in Microsoft

The steps below are the high-level steps for forwarding Squid access logs over syslog to Microsoft Cloud App Security using the CAS log collector (an Ubuntu VM which can run on Azure, Hyper-V or AWS).

Install CAS Collector

Follow steps here: https://docs.microsoft.com/en-gb/cloud-app-security/discovery-docker-ubuntu-azure

Summary of the commands below, which are run on the CASCollector Ubuntu server:

sudo -i

curl -o /tmp/MCASInstallDocker.sh https://adaprodconsole.blob.core.windows.net/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh

(echo cb83b3f208347603e38ea2816c7503ec257159001225001c2b8efa6e06f49951) | docker run --name CASLogCollector -p 514:514/udp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='10.10.10.12'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=cas.eu2.portal.cloudappsecurity.com" -e "COLLECTOR=CASLogCollector" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter

sudo docker logs CASLogCollector

Confirm it is running

Install IP Traffic monitor (to review incoming syslogs)

On the CASCollector Ubuntu server run:
sudo apt-get install iptraf

Set up Squid (note: Squid 2.7 or later is required for syslog support)

Open the Squid configuration file (squid.conf) and make sure the following two entries exist:

access_log C:/ClientSiteProxy/var/logs/access.log squid
access_log udp://172.18.1.150:514 squid

Save the file and then restart the squid service

The "squid" keyword at the end of each access_log line sets the log format to native. Out of the box, Microsoft CAS supports the Native and Common Squid formats; customised formats can be created, but we are keeping this simple.

Make sure the CAS data source for this collector is configured with the format Squid (Native).

Troubleshooting

Run sudo iptraf on the log collector and confirm you can see the incoming UDP traffic on port 514
Review the governance log in the CAS portal (gear icon > Governance log)
Install a separate syslog receiver test tool on the collector (confirm the syslog traffic is arriving)
Install a separate syslog transmitter test tool on the proxy side (confirm syslog UDP traffic is being sent)
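As an added example (not part of the original post), the following Python script plays the role of the receiver and transmitter test tools mentioned in the last two troubleshooting steps. receive() binds a UDP socket where the collector normally listens and parses each datagram as a Squid native access-log line; send_test_line() sends one constructed line to a collector address so you can watch it arrive in iptraf or the governance log. The field layout it assumes is the Squid 2.7 native format (timestamp, elapsed ms, client, code/status, bytes, method, URL, user, peer/peerhost, MIME type). The sample line, IP addresses and URL are constructed, and the tolerance for an optional syslog <PRI> prefix is an assumption about how a forwarder may wrap the line, not something the post states.

```python
import re
import socket
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Squid 2.7 native access.log layout (the "squid" format keyword):
# time.ms elapsed client code/status bytes method url user peer/peerhost mime
NATIVE_RE = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)/(?P<peerhost>\S+)\s+(?P<mime>\S+)\s*$"
)

# Constructed sample line in native format (client and peer addresses are made up).
SAMPLE_LINE = ("1500000000.123    245 10.0.0.5 TCP_MISS/200 1024 GET "
               "http://example.com/ - HIER_DIRECT/93.184.216.34 text/html")


@dataclass
class SquidEntry:
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: int
    size: int
    method: str
    url: str
    user: str
    peer: str
    peerhost: str
    mime: str


def parse_squid_native(msg: str) -> Optional[SquidEntry]:
    """Parse one datagram as a Squid native log line.

    An optional syslog <PRI> prefix (assumption: some forwarders add one) is
    stripped first. Returns None when the line is not in native format, which
    is the usual symptom of a proxy configured for the Common format while the
    CAS data source expects Squid (Native).
    """
    text = re.sub(r"^<\d{1,3}>", "", msg.strip()).lstrip()
    m = NATIVE_RE.search(text)
    if not m:
        return None
    return SquidEntry(
        ts=float(m["ts"]), elapsed_ms=int(m["elapsed"]), client=m["client"],
        code=m["code"], status=int(m["status"]), size=int(m["size"]),
        method=m["method"], url=m["url"], user=m["user"],
        peer=m["peer"], peerhost=m["peerhost"], mime=m["mime"],
    )


def receive(bind_ip: str = "0.0.0.0", port: int = 514, count: int = 10,
            timeout: float = 30.0) -> List[Tuple[str, Optional[SquidEntry]]]:
    """Receiver test tool: report up to `count` datagrams arriving on the syslog port.

    Port 514 needs root and must not be held by the collector container while
    this runs. Each datagram is shown as parsed fields, or as raw bytes when it
    does not parse, so a format mismatch is visible immediately.
    """
    results: List[Tuple[str, Optional[SquidEntry]]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        for _ in range(count):
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            entry = parse_squid_native(data.decode("utf-8", "replace"))
            label = (f"OK {entry.client} {entry.method} {entry.url} {entry.status}"
                     if entry else f"UNPARSED {data[:80]!r}")
            print(f"{src}: {label}")
            results.append((src, entry))
    return results


def send_test_line(collector_ip: str, port: int = 514,
                   client_ip: str = "10.0.0.5",
                   url: str = "http://example.com/") -> str:
    """Transmitter test tool: send one constructed native-format line over UDP.

    Run it from the proxy host to prove the proxy -> collector path is open
    before suspecting the Squid access_log directive itself.
    """
    line = (f"{time.time():.3f}    245 {client_ip} TCP_MISS/200 1024 GET {url} "
            f"- HIER_DIRECT/93.184.216.34 text/html")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (collector_ip, port))
    return line


if __name__ == "__main__":
    # Offline self-check: parse the constructed sample line.
    print(parse_squid_native(SAMPLE_LINE))
```

Stop the CASLogCollector container (or bind receive() to another port) before listening on 514, since only one process can own the UDP socket. Any datagram that fails to parse is printed raw, which is the quickest way to spot a proxy sending the Common format when the data source was created as Squid (Native).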

NB: this article relates to Squid 2.7 or above and Symantec Client Site Proxy (previously known as MessageLabs).

Windows Defender Advanced Threat Protection (WDATP) Q&A

Written by Luke Smith. Posted in Microsoft

Q: Can you configure Defender ATP to use additional or different security threat feeds such as FireEye, LookingGlass, Infoblox, SecureWorks, RSA, McAfee or a customer-built feed?
A: TBC
Q: Are you able to block particular MD5 hashes or applications?
A: You can create custom IOCs and TIs using the API or PowerShell (https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)
Q: Can you define automatic custom isolation and block rules (based on MD5 hashes and application names)?
A: TBC
Q: Can you change the ratings of the existing threat categories?
A: Only for custom Indicators of Compromise (IOCs) or Threat Intelligence (TIs)
Q: Can you integrate with other SIEMs or SOCs?
A: Currently only HP and Splunk
Q: Can Defender ATP integrate with third-party CMDBs?
A: AD using AD Connect; TBC for third parties such as SCCM or LANDesk
Q: Can Windows Defender ATP integrate with Office ATP?
A: Yes, WDATP and O365 ATP can be integrated; this needs enabling as described in the following: https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512 and https://docs.microsoft.com/en-gb/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with older versions of Windows below 8.1?
A: No, but it does work with Windows Server 2012 R2 and above: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with non-Windows machines?
A: Yes, it requires Bitdefender and can run on macOS, Linux, iOS and Android: https://www.bitdefender.com/business/end-point-security-linux-mac.html (other third parties such as Lookout and Ziften will be added Nov 2017)
Q: Can Defender integrate with Cloud App Security?
A: TBC
Q: How can I test Defender ATP?
A: See: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:DOS/EICAR_Test_File (a text file containing the EICAR test string; remove the <>). Once configured, also run:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'

Useful Links:
Docs.Microsoft: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
Windows Defender Advanced Threat Protection - Ransomware response playbook: https://www.microsoft.com/en-us/download/confirmation.aspx?id=55090

Capacity Planning for Active Directory Domain Services

Written by Luke Smith. Posted in Microsoft

Microsoft guidelines for sizing the server specification for Windows Active Directory Domain Services (AD DS):

Component   Estimate
Storage     Database size: 40 KB to 60 KB for each user
RAM         Database size
            + base operating system recommendations
            + third-party applications
Network     1 Gb
CPU         1000 concurrent users for each core

Link to Microsoft Article: http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx

Download as a Word document: Capacity Planning for Active Directory Domain Services