Understanding The Microsoft 365 Stack For Cloud Security

Microsoft 365 (M365) provides businesses with a solution that empowers people to fully utilize their creativity while working together securely.

All of the features that you get should enhance the productivity of your business. But, the key to all of this is keeping your data secure.

Incidents of security breaches have been steadily increasing over the last few years so data security should be a top priority for all businesses. By understanding how the Microsoft 365 stack operates, we can see how the available features can strengthen your cybersecurity.

What’s in it?

The first question that one may ask is what will you get with Microsoft 365? And is it actually any different from Office 365 or is this merely a rebranding exercise?

Firstly, clients get local apps and cloud-based apps, and productivity services. These include both M365 Apps for enterprise, the latest Office apps (such as Word, Excel, PowerPoint, Outlook, and others), and a full suite of online services.

Secondly, you’ll also receive Windows 10 Enterprise which is the most productive and secure version of Windows. It meets the needs of users and IT for both large and medium enterprises.

And finally, you also benefit from device management and advanced security services including Microsoft Intune. So all in all, Microsoft 365 is designed to be a more comprehensive solution and the name change is more reflective of the range of features and benefits in the subscription.  

Businesses are vulnerable

The importance of cloud security to a business cannot be overstated. Especially when you take into consideration the study by the University of Maryland showing that cybercriminals infiltrate business data about once every 39 seconds.

And as remote work continues to expand, the use of personal devices to access sensitive data can be a massive additional risk. This is why businesses need platforms like Microsoft 365 Stack to not only enhance productivity but safeguard business data as well.

Backing up your data

Arguably one of the first things to consider in your data protection strategy is cloud backup. Because there are so many threats – internal and external – to data security, having your data backed up is a must. Using the Microsoft 365 Cloud Backup comes with several benefits that you simply cannot ignore. And these include:

  • Protection against accidental deletion of data which is something that will happen occasionally.
  • Protection against data losses resulting from cyberattacks.
  • Threats don’t always come from outside actors so backups will also protect you from the nefarious actions of internal actors.
  • Backups can help you to manage legal and compliance requirements.

Working from anywhere

One of the key selling points of Microsoft 365 is how it enables people to collaborate on various projects from just about anywhere. And this is made possible because the responsibility of your data’s security lies with Microsoft.

Businesses can rest easy knowing that their data is highly secure on the OneDrive platform or when shared across Teams and SharePoint.

What this also means is that you have fewer expenses by eliminating the need to maintain expensive hardware.

Furthermore, built-in security features such as the robust data loss prevention policy, Advanced Threat Analytics, and Exchange Online Protection will enable your employees to work remotely as securely as possible.

Secure access to data

The Microsoft 365 stack ensures that even when employees are using personal devices, the security of your data is still maintained. This is possible because of features like multi-factor authentication (MFA) that add a layer of protection to the sign-in process.

So users will have to provide additional identity verification, such as scanning a fingerprint or entering a code received by phone.

Also, you can add solutions like Microsoft Intune to use advanced capabilities that can enforce mobile device encryption and enable the use of PIN numbers. Microsoft ­365 has several threat protection tools that all businesses should know:

  • Microsoft Defender ATP: offers clients excellent endpoint protection and prevents cyberattacks and data breaches. With the increase in use of personal devices, this feature works great on mobile devices, which are particularly vulnerable to attacks.
  • Office 365 ATP: this feature aims to secure your communications by dealing with phishing attacks, zero-day threats, and other types of malware that users may encounter in emails and links.
  • Microsoft Cloud App Security: detects abnormal usage and incidents, alerting you to threats to your cloud apps.
  • Azure ATP: makes use of on-site active directory to keep your identities secure and also reduce the attack surface.

Simplifying update processes

One of the major advantages of having cloud-based software is the ability to have regular updates. This is particularly necessary when we consider the sophistication of the constant cyber threats that businesses have to contend with.

And the great thing about these updates is that Microsoft allows organizations to sign up to an update schedule that is convenient for them. By doing this, regular updates will stop being a nuisance that people sometimes ignore.

Especially given how important they are for bug fixing and patching up security issues. When organizations can have the most up-to-date software versions in their hands, this can significantly enhance their cloud security.

Securing your business

Cyber threats are targeting all kinds of organizations and small businesses are no exception. Without effective solutions in place, you are at risk of being shut down by cybercriminals. But by using Microsoft 365 Stack, you get a robust solution that is designed to provide companies with all the features they need to run a more secure and efficient business.

All the available tools and features will help you to address the data security and compliance issues that you are bound to encounter as time goes on. It may just be time to utilize the enterprise-grade service and protection of the M365 stack. 

What You Need to Know about Microsoft Endpoint Manager’s Tamper Protection

With cyber threats being such a huge problem, the last thing your organization needs is vulnerable security. And this can be worsened if malicious actors manage to disable your security.

So with that in mind, Microsoft introduced Tamper Protection to increase your organization’s security by making it significantly harder for cybercriminals to infiltrate your network.

It gives you a better security posture and allows your IT team to ensure greater protection over corporate resources. And so today we’re going to dive into what exactly Microsoft Endpoint Manager Tamper Protection is and what it can do for your organization.

What is Tamper Protection?

Microsoft Endpoint Manager Tamper Protection is a relatively new feature that was created to prevent potential attackers from making changes to the configuration of Microsoft Defender on Windows 10 clients. Therefore, this feature doesn’t allow malicious actors to disable features such as:

  • Real-time protection,
  • Anti-virus protection,
  • Cloud-delivered protection,
  • Removing security intelligence updates.

By blocking these actions, Tamper Protection keeps attackers from getting easy access to your data or installing malware. Without being able to do this, attackers can’t compromise your devices or exploit sensitive information.

Functionality

The key thing that Microsoft Endpoint Manager Tamper Protection does for you is it locks Microsoft Defender Antivirus to keep people from making modifications to your security system. These modifications could otherwise be made through apps and methods like:

  • Configuring settings in Registry Editor on your Windows device
  • Using PowerShell cmdlets to make changes to settings
  • Using group policies to edit or remove security settings

However, Tamper Protection won’t stop you from seeing your security settings or affect how third-party antivirus apps register with the Windows Security app. For organizations using Windows 10 Enterprise E5, it’s the security team that will manage Tamper Protection and so individual users can’t change the setting.

How to enable Tamper Protection

Your IT admins can use Microsoft Intune to turn Tamper Protection on or off for all managed computers using the Microsoft Endpoint Manager (MEM) admin center portal. And to make changes to Microsoft Endpoint Manager Tamper Protection, admins will need to have permissions such as security or global admin. To have access to Tamper Protection, your organization should:

  • Have Intune licenses such as Microsoft 365 E5,
  • Have computers running Windows 10 versions 1709, 1803, 1809, or later,
  • Use Windows security with security intelligence updated to version 1.287.60.0 or later,
  • Have machines using antimalware platform version 4.18.1906.3 and antimalware engine version 1.1.15500.X (or later).

With all the requirements met, follow the steps below to get access:

  • Go to MEM admin center and sign in with the right credentials,
  • Select Devices and choose Configuration Profiles,
  • Create a profile with the characteristics below:

Once you turn on Tamper Access, you won’t have any need to turn it off unless if it affects other validated tools.  

Tamper Protection for Configuration Manager

With version 2006 of Configuration Manager, you can leverage tenant attach to manage Tamper Protection settings on:

  • Windows 10,
  • Windows Server 2016, and
  • Windows Server 2019.

Tenant attach allows you to sync your on-premises-only Configuration Manager devices into the MEM admin center. Following this, you can deliver endpoint security configuration policies to on-premises collections and devices. A few simple steps are all you need:

  • Set up tenant attach,
  • Go to the MEM admin center > Endpoint security > Antivirus,
  • Choose Create Policy,
  • You can now deploy the policy to your device collection.

Continuous reviewing

Even with Microsoft Endpoint Manager Tamper Protection enabled, your admins need to have the ability to continually review your security posture. Otherwise, you won’t fully benefit if you cannot see the tamper attempts or report them.

To resolve this challenge, you can subscribe to the Microsoft Defender for Endpoint service. This will provide you with a dashboard that shows you all the security issues that you need to be aware of. These include flagged tamper attempts with all the necessary details to investigate further.

Using third-party security tools

Although Microsoft Endpoint Manager Tamper Protection can work with third-party security tools, some of these can make changes to security settings. By using real-time threat information, Tamper Protection can assess the potential risks of software and suspicious activities. Ideally, your IT admins should update your security intelligence to version 1.287.60.0 or later. And this action will protect the system security settings in the Registry and log any attempts to modify those settings without generating errors.       

What about endpoint management tools?

As for endpoint management tools, you can use them with Microsoft Endpoint Manager Tamper Protection. With limits, of course. Admins retain the possibility of establishing a centralized setting for Tamper Protection using management tools.

However, other tools/platforms cannot change settings that are under the protection of Tamper Protection. For that, admins would require Windows Security to manage those.

If you have a Windows enterprise-class license or computers running Windows 10 Enterprise E5, you need to opt into global Tamper Protection. Below are some unified endpoint management platforms that cannot override Tamper Protection:

  • Microsoft Intune,
  • System Center Configuration Manager,
  • Windows System Image Manager configuration,
  • Group Policy,
  • Any other Windows Management Instrumentation tools and administrative roles.

Wrap up

The key to staying ahead of cybercriminals is a continual upgrading of existing security features. And this is precisely what Microsoft is doing with Tamper Protection. With this feature, you can address one of the potential areas of weakness in your security infrastructure. You can prevent unwanted visitors from disabling critical security features.

Since Microsoft Endpoint Manager Tamper Protection was specifically designed for enterprise environments, it is ideal for enhancing organizational security and making your organization less vulnerable to attack. Class-leading security has become a necessity for all of us and features like this can play a massive role in safeguarding our enterprises.

How AppLocker Improves Security and Compliance

The security of your organization is not something that you can afford to leave to chance. The wave of cybercrime over the last few years has been unrelenting. This is why you need to take advantage of platforms such as AppLocker. By leveraging its application whitelisting feature, you’ll get a very powerful way of stopping a multitude of attacks. And if you configure it correctly, you can massively increase the amount of time it would require for a cyberattacker to get around the system. This is the kind of technology that can enhance the security of your organization. Hence why we need to discuss just how AppLocker will help you with security and compliance measures.

Securing your organization

Arguably the biggest security risk for most organizations comes from employees simply running applications. As long as users can run executables or have access to files that can potentially contain malicious code, your organization is at risk. Such incidents could compromise the entire network and not just a single device. So by helping you to determine which files and applications users can run, AppLocker immediately improves your security. These files can include DLLs, scripts, Windows Installer files, and packaged app installers. Giving system admins greater control in these particular areas will shore up your business’ defenses.

Control allowed software

To maintain high-level security for corporate data and your business as a whole, system admins need to be strict about which softwares and applications are allowed to run. Otherwise, you risk giving access to software that can create vulnerabilities in your network. AppLocker is fully capable of denying applications from running when you exclude them from the list of allowed apps. And in the production environment, when AppLocker rules are enforced any apps that are not in the allowed rules are blocked from running. Therefore, users can’t intentionally or accidentally run software that is explicitly excluded from the allowed list.

AppLocker rules

AppLocker has several different types of files that it can block. This makes it extremely efficient in its whitelisting capabilities because it’s highly unlikely that anything that you want to block will make it through. The types of files that AppLocker can block include the following:

  • Executable files such as .exe, and .com
  • Windows installer files such as .mst, .msi and .msp
  • Executable files such as .bat, .ps1, .cmd, .js and .vbs
  • DLL executables
  • Packaged app installers such as .appx

The organization of the above into rule collections is something that will help you to easily differentiate the rules for different types of apps.

Default rules

In addition to the above, AppLocker also gives you default rules for each rule collection. These rules are allowed in an AppLocker rule collection and they are necessary if Windows is to function correctly. To start, you’ll have to go and open the AppLocker console. Having done that, right-click the appropriate rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules, and packaged application rules. Lastly, click on Create Default Rules.

Monitoring app usage

After you set your rules and deploy the AppLocker policies, monitoring app usage can help you assess whether policy implementation is per your expectations. To understand what application controls are currently enforced through AppLocker rules, you can:

  • Analyze the AppLocker logs in Event Viewer.
  • Enable the Audit-only AppLocker enforcement setting to ensure that the AppLocker rules are properly configured for your organization.
  • Review AppLocker events with Get-AppLocker File Information.
  • Review AppLocker events with Test-AppLocker Policy Windows PowerShell cmdlet to see whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.

Main advantages

Several benefits come with AppLocker that help to make it a more attractive option for any business looking to enhance security and compliance. The first thing is the cost. How much you ask? Well, if you already have the enterprise edition of Windows Server, then there is no extra cost to talk about. Moreover, AppLocker comes as an integrated part of Group Policy, which most Windows Admins are already familiar with. Because of that, this can simplify the AppLocker user experience and make it a seamless one. Also, any AppLocker policy can be imported into Intune as an XML file giving you a similar level of control of apps for MDM-enrolled devices as you would for on-premises, domain-joined devices. And to further save you productive time, Windows internal apps are automatically whitelisted.

Why consider AppLocker?

Even with all the security benefits available, as an organization, you still have to determine whether or not you actually need AppLocker. And for most, the answer will probably be a resounding yes. If your organization needs the ability to verify which apps are allowed to run on your corporate network, then you need AppLocker. Furthermore, if you want to check which users are allowed to use the licensed program, then you probably also need it. To these, you can also add organizations that need to provide audit logs containing the type of apps that clients have been running. And of course, wherever there is a need to prevent overzealous users from running random software, AppLocker can play a significant role.

Wrap up

Only the best technology will do for any organization that seeks to keep cybercriminals away. Attacks are being orchestrated from all around and the degree of sophistication is constantly changing. Therefore, organizations need to take proactive measures to stay ahead of hackers. And platforms such as AppLocker can enable you to do that. By setting up blocks for different types of files and software, you instantly reduce your surface area of attack. It’s time to leverage all available technology to fight back against cybercrime.

Controlling User App Access With AppLocker

Most organizations could probably gain some benefits from deploying application control policies. This is something that your IT guys could use to make their work easier and improve the overall management of employee devices. AppLocker is a platform that will give admins control over which apps and files users can run including packaged app installers, scripts, executable files, Windows Installer files, DLLs, and packaged apps. Because of its features, AppLocker will help organizations to reduce their admin overhead and the cost of managing computer resources. With that said, let’s go over how AppLocker helps you to control user app access.

Installation

Users that are running the enterprise-level editions of Windows will find that AppLocker is already included. Microsoft allows you to author rules for a single computer or a group of computers. For single computers, you’ll need to use the Local Security Policy Editor (secpol.msc). And for a group of computers, you can use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). However, it’s important to note that you can only configure AppLocker policies on computers running the supported versions and editions of the Windows operating system.

Features of AppLocker

AppLocker offers its clients several great features to help you to manage access control. It allows you to define rules based on file attributes and persisting across app updates. These include publisher name, file name, file version, and product name. You can also assign rules to individual users or security groups as well as create exceptions to rules.

In order to understand the impact of a policy before enforcing it, AppLocker allows you to use audit-only mode to first deploy the policy. Another feature enables the creation of rules on a staging server that you can test before exporting them to your production environment and importing them into a Group Policy Object (GPO). And then by using Windows Powershell cmdlets for AppLocker, you’ll have an easier time creating and managing rules.

Enhancing security

AppLocker works well at addressing the following security scenarios:

  • Application inventory: AppLocker policies can be enforced in an audit-only mode where all application access activity is registered in event logs.
  • Protection against unwanted software: you can exclude from the list of allowed apps any app that you don’t want to run and AppLocker will prevent it from running.
  • Licensing conformance: AppLocker enables you to create rules blocking the running of unlicensed software while limiting licensed software to authorized users.
  • Software standardization: to have a more uniform application deployment, you can set up policies that will only allow supported or approved apps to run on PCs within a business group.
  • Manageability improvement: AppLocker has improved a lot of things from its predecessor Software Restrictions Policies. Among those improvements are audit-only mode deployment, automatic generation of rules from multiple files, and importing and exporting policies.

Apps to control

Each organization determines which apps they want to control based on their specific needs. If you want to control all apps, you’ll note that AppLocker has policies for controlling apps by creating allowed lists of apps by file type. When you want to control specific apps, a list of allowed apps will be created when you create AppLocker rules. Apart from the apps on the exception list, all the apps on that list will be able to run. For controlling apps by business group and user, AppLocker policies can be applied through a GPO to computer objects within an organizational unit.

Allow and deny actions

Because each AppLocker rule collection operates as an allowed list of files, the only files that are allowed to run are the ones that are listed in this collection. This is something that differs from Software Restriction Policies. Also, since AppLocker operates by default as an allowed list, if there is no explicit rule allowing or denying a file from running, AppLocker’s default deny action will block that file. Deny actions are typically less secure because a malicious user can modify a file thereby invalidating the rule. One important thing to remember is that when using the deny action on rules, you need to first create rules allowing the Windows system files to run. Otherwise, a single rule in a rule collection meant to block a malicious file from running will also deny all other files on the computer from running.

Administrator control 

The last thing most organizations would want is any standard user or worse a malicious one modifying their policies. Therefore, AppLocker only allows administrators to modify AppLocker rules to access or add an application. For PCs that are joined to a domain, the administrator can create AppLocker rules that can potentially be merged with domain-level rules as stated in the domain GPO.

Is AppLocker for you?

If you see the need to improve app or data access for your organization then AppLocker is something you should be considering. Also, if your organization has a known and manageable number of applications then you have an additional reason. Ask the question, does your organization have the resources to test policies against the organization’s requirements? Or the resources to involve Help Desk or to build a self-help process for end-user application access issues? If yes to the above, then AppLocker would be a great addition to your organization’s application control policies.

Wrap up

Software that enhances the way an organization controls access to its applications and data can play a significant role in boosting efficiency. AppLocker is one such platform. With all the great features available, it can easily become a fantastic tool for your IT team. Not only does it simplify access control management, but its various actions will also result in greater security. Without a doubt, AppLocker can be a valuable addition to your application control policies.

Using SCCM CI Baseline to check for expiring user certificates

The topic is almost self explaining.

You need to monitor specific user-based certificates, to avoid a situation where they have already expired.

You can add this to your daily security compliance checklist.

Prerequisites for running CIs can be found here: Compliance Baseline prerequisites

  1. Create Configuration Item

Go to Assets and Compliance, Compliance settings Configuration Items, right click and select Create a new configuration item:

Create Configuration Item

Provide the name CI – Script – USER CERT Expiration check, leave the configuration item type as Windows and press Next:
Configuration Item Wizard

Optionally you can provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console.

Select the OS where this configuration item assumes to be applied and click Next
client operating systems that will assess this configuration item for compliance

To create Configuration Item, click New:
Create Configuration Item Wizard

Type in the name CI – Script, from drop down of settings type select Script and data type as String.

There are two options to specify where a script would reside

– Discovery Script

– Remediation Script

Remediation is not handled in this post.

To place discovery script since to evaluate compliance, click on Add Script.

Please note that this script needs to be runin the logged-on user context, therefore please check “Run scripts by using the logged on user credentials”

Create Setting

Select script language as Windows PowerShell and type in the script (see attached USER_CERT_Expiration _Discovery.ps1) in the Script field:
Edit Discovery Scripts

#

$Compliance = ‘Compliant’

$Check = get-childitem -path cert:\currentuser -recurse | where-object {$_.thumbprint -eq ‘‎‎‎‎‎‎245c97df7514e7cf2df8be72ae957b9e04741e85’}| where { $_.notafter -le (get-date).AddDays(30)}

If ($Check) {$Compliance = ‘NonCompliant’}

$Compliance

#

Script download: USER_CERT_Expiration _Discovery

and click OK

Click Next

Specify settings for this operating system

After the script is in place, you can click the “Compliance Rules” tab. Now compliance rule needs to be created. This rule will determine how the compliance is reported once the script runs on a computer (based on how the compliance a machine could be either Compliant or NonCompliant).

 

Click on New

Specify complance rules for this operating system

Type in the comSpecify rules to define compliance conditions for this settingpliance rule name and click on Browse:

Select the name of the configuration setting that just created (if not already selected and then click on Select):
Select a setting for this rule

In the Rule Type select Value and then select if the value returned is Equals to Compliant.

Click OK

Click Next
Use compliance rules to specify the condition that make a configuration item setting compliant

Next screen presents the summary of the settings, if any changes are needed then you can go back and make changes here. Click Next.

create an operating system configuration item with the following settings

Configuration Item is ready now.
The Create Configuration Item Wizard completed successfully

Next step is to create Configuration Baseline.

  1. Create Configuration Baseline

Right click Configuration baseline and create configuration baseline.
Create Configuration Baseline

Type the name of configuration baseline CB – Script – USER CERT Expiration check. Click on add and select configuration item from drop down menu.
Specify general information about this configuration baseline

Please make sure that Purpose set to Required!

Select the configuration item just created and click OK. This would finish creating configuration baseline.

Add Configuration Item

Now it is time to deploy this base line to relevant Users Collection(-s).

  1. Deploy the Configuration Baseline

    Go to configuration baseline and right click and select Deploy.
    Deploy Configuration Baseline

Select the configuration baseline CB – Script – USER CERT Expiration check.

Browse and point it to targeted Users collection (its recommended to run it for some limited collection for testing before deployment to production)

Change the evaluation schedule as per as your requirements (taking in consideration that in case of it seems to be critical for your environment, in production running this CB probably once a day is recommended)

Again, the key thing here is to be sure that you deploy this CB to users and not to your systems!

Select the configuration baseline that you want to deploy to a collection

Click OK

Note: When the configuration baseline is deployed, please allow that it can be evaluated for compliance within about two hours of the start time that you schedule.

  1. Verify that a device has evaluated the Configuration Baseline

To check it on a Windows PC client (general recommendation to do it for all targeted OS client types)

On a Device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you’ll see what Configuration Baselines the client will evaluate at its specific schedule. Click on configurations and click on “Evaluate”, “Refresh” and then “View Report”.
As shown in the pictures below, Configuration Baseline was evaluated to be Compliant or Not
Configuration Manager Properties

Report view

Report view, non-compliant

 

Smart Card device integration into Windows 10

All the joys of Windows 10….. now on 1709

Last week after upgrading Windows 10, I came a cross this nice new integration for Smart Cards. (tokens)

 

 

 

 

 

 

 

Windows 10 new has support for eTokens (SafeNet Tokens)
I was very pleased with this update, it will save me yet another application to install.
I’ve been using the SafeNet Application from Gemalto and it has served me well for several years. So time for a changes, the integrated Smart Card application in Windows 10 works perfect for me.

I am using the following it with:

and my tokens? I ALWAYS use digicert for codesigning certificates:)

ps. A new version of Access Director Enterprise is on its way, signed and released to web.

Stay tuned!

Bad Rabbit Ransomware

A new ransomware has seen the light.

Bad Rabbit ransomware is currently roaming Eastern European countries.

Bad Rabbit is mainly delivered using a fake Flash Update.
This means we a looking a regular drive-by-attack and fake updates/malicious software from websites to get it started.

Secure you clients now!
1. Blacklist the hashes
2. Block the files
3. Lock the registry entries.
4. Remove your local administrative privileges, if you can’t? Limit them and monitor using: Access Director Enterprise

Bad Rabbit IOCs:

Hashes:

install_flash_player.exe: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
cscc.dat (dcrypt.sys): 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 
dispci.exe: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Files:

C:\Windows\infpub.dat
C:\Windows\System32\Tasks\drogon
C:\Windows\System32\Tasks\rhaegal
C:\Windows\cscc.dat
C:\Windows\dispci.exe

Registry entries:

HKLM\SYSTEM\CurrentControlSet\services\cscc
HKLM\SYSTEM\CurrentControlSet\services\cscc\Type	1
HKLM\SYSTEM\CurrentControlSet\services\cscc\Start	0
HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl	3
HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath	cscc.dat
HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName	Windows Client Side Caching DDriver
HKLM\SYSTEM\CurrentControlSet\services\cscc\Group	Filter
HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService	FltMgr
HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64	1

Network Activity:

Local & Remote SMB Traffic on ports 137, 139, 445
caforssztxqzf2nm.onion

Files extensions targeted for encryption:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

 

Protect Yourself Against Petya Ransomware

The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.

Access Director can help you by removing permanent local admins.

Recommendations for Enterprises

  • Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.
  • Consider disabling SMBv1 to prevent spreading of malware.
  • Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  • Ensure you have the latest updates installed for your anti-virus software.
  • Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
  • Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
  • Operate a least privileged access model with employees. Restrict who has local administration access.

Petya does not encrypt files. it encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.

“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”
Mikko Hypponen confirms, Chief Research Officer at F-Secure.

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.

 

Multiple subdomains with LetsEncrypt? YES!

Need to add multiple subdomains with LetsEncrypt?
maybe Certificate for WWW and non-WWW?

do a dry run, to test it

./certbot-auto certonly -d originaldomain.com -d www.originaldomain.com -d new.originaldomain.com -d new2.originaldomain.com -d new3.originaldomain.com –dry-run

I tested it with apache2 works great!