LepideAuditor Suite Review

Posted by Ahmed Nabil | 2 comments
Securing the infrastructure and the company domain is one step; auditing is another that works side by side with it to close any remaining gap. Unfortunately, some system and security administrators invest time, effort and money in several solutions and devices to protect their network under the assumption that these devices or software work out of the box, with no need to continuously monitor and audit them.

Most of your domain infrastructure (Active Directory, Exchange, file servers, SQL, etc.) generates a lot of log files, and as administrators we tend to turn on logging for everything. The question is whether you periodically check these intensely detailed logs; the answer is that only a few admins do, while the rest only look at the logs when a problem occurs, such as a user lockout or a file deletion.

Auditing is crucial and needs to be done periodically, not after the fact. You need a system that fully audits your infrastructure, generates easy-to-use reports and lets you customize those reports for your domain. This helps you draw a baseline of your environment and alerts you to any abnormal behavior. Being proactive and having full visibility into your environment will surely pay off more than being reactive.

During the last week I have been reviewing the LepideAuditor Suite, and I thought I would share my feedback on this audit tool, starting with setup and configuration and ending with the reporting phase.

Setup and Installation:

  1. The full auditor suite can be downloaded from the Lepide website; the trial version runs for 15 days with all needed features.
  2. The suite was installed on a Windows 10 (1703) machine.
  3. SQL Server 2016 Express was installed and a database for Lepide was created (SQL Server Management Studio was installed as well).
  4. The Group Policy Management Console needs to be installed to collect Group Policy data.
  5. After downloading the LepideAuditor Suite you get a zip folder with 4 files, as shown below.
  6. I picked the LepideAuditor Suite and installed the EXE in this folder.
  7. It took me another 3 or 4 clicks (Next) and the suite was installed. The overall process takes around 7-8 minutes.


Configuration:

  1. After installation, opening the Lepide icon prompts you to use either the logged-in account or another account.
  2. The next screen is where you start adding the components that you would like to audit.
  3. For the trial I picked the AD, Exchange, GP, etc. components, which give you great detail and deep auditing on your domain, Exchange, usernames, etc., since everything is tied to Active Directory. For the configuration type you get an Express option and an Advanced option; as the name implies, Express is the quicker way to set up your domain configuration with default values, and you have the flexibility to change it later from the Lepide settings. I picked the Express option to get my system up and running in a few clicks.
  4. Enter your domain credentials and pick the option of auditing with or without an agent. I tried both and I can't see a major difference in the audit data. For large organizations with heavy data activity the agent option can provide better data compression and reporting.
  5. I picked all options on the next configuration screen; the wizard had already listed all domain controllers, Exchange servers and Group Policy servers in the environment, with health monitoring and change auditing enabled.
  6. The next step is to configure the SQL database. I had already installed SQL Express on my PC and created a database named Lepide using SQL Server Management Studio, so I entered my local machine details and picked the database I created earlier.
  7. Click Finish and that's it: you have a running auditing system for your AD, Exchange, Group Policy and user modifications in 5 clicks. LepideAuditor Suite will restart, you will get the dashboard/360 view, and it starts pulling data within a few minutes.


Example of Auditing report:

I started to make several changes and check whether they were reflected in the LepideAuditor Suite. One of the changes was moving a mailbox from one Exchange database to another (a common task for Exchange admins, whether to give the user better mailbox storage or to move the mailbox to the cloud).

I moved the user's mailbox and, after the batch move was done, I checked Lepide Audit Reports - Domain - Exchange Modification Reports - MS Exchange Modification Reports - Mailbox Modifications - Mailbox Moved, and it was logged as shown below.

The change also shows up under Exchange changes on the main dashboard.

Active Directory has several detailed reports, including computer, user, printer, container and OU reports and many others.




File Server Audit Setup/Installation:

The next thing I planned to do during my Lepide test was auditing the file share server. The installation was straightforward, as shown below:

  1. Go to Settings - Component Management and add the File Server component.
  2. In the File Server Console Settings, click the + icon to add the Windows file server.
  3. Enter the server IP, domain and user credentials.
  4. Enter the SQL settings. You can use an existing database or create a new one to host your file server audit changes.
  5. The wizard will install the agent; then click Finish.
  6. The File Server reports in Audit Reports are very detailed, including file modifications, deletions, permission changes, etc.
  7. The first test of the file server audit was to delete a test file from one of the shares and check the Audit Reports (File and Folder Deletion) for the file server. The event was clearly shown with all details: which file, who deleted it, when, etc.


Compliance Reports:

One very nice feature that might be required by several organizations is the compliance reports. The LepideAuditor Suite provides a detailed list of reports for several regulatory frameworks.

Reports in Lepide can in general be easily grouped and filtered, much like working with a native SQL reporting system but with enhanced GUI options, and you can save all of these reports to PDF or CSV.


Health Monitoring:

This is a nice feature added to the Auditor Suite. It monitors the health of your servers (Active Directory, Exchange, etc.) and lists general health (processors and RAM), service status, AD database performance, replication status, LDAP status, NTDS counters and many other indicators. This option is not present in several other audit tools, and I find it very beneficial.






Conclusion:

Auditing is critical and should be thoroughly considered by all organizations, since we all depend on our systems and use them in our day-to-day operations; I have seen several issues that were remediated at an early stage thanks to a correct audit and alerting rule. LepideAuditor Suite provides an easy-to-use tool with a very simple installation and setup to audit your environment. The reporting provides a huge amount of data, and the nice thing is that you can customize a lot of your audit and reporting settings.


For more Information on LepideAuditor Suite - https://www.lepide.com/lepideauditor/


To download LepideAuditor Suite - https://www.lepide.com/lepideauditor/download.html








Microsoft OMS: Antimalware Assessment Not Reporting/Unknown Clients

Posted by Ahmed Nabil | 0 comments
Microsoft OMS (Operations Management Suite) offers a very nice solution in its gallery: the Antimalware Assessment. After installing the OMS agent on all your servers (on-premises or Azure), this solution checks the antimalware/AV status, such as whether real-time protection is missing or signatures are out of date.

For more information on this solution, please check the link below:

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware

I noticed in my environment that I have several clients with insufficient protection.




After clicking the assessment for more details, I noticed that these 13 clients have a status of Not Reporting. Upon checking them one by one, I noticed that most of them are 2008 and 2008 R2 servers. They have an updated antimalware client and real-time protection configured. I suspected the AV client, as some of them are not Microsoft clients but rather Symantec and/or Trend Micro; however, these clients were approved and added to the list queried by OMS:

https://blogs.technet.microsoft.com/msoms/2017/01/19/oms-security-malware-assessment-adds-support-for-more-antimalware-vendors/

So, to make a long story short, one of the major requirements for the OMS Antimalware Assessment is that these clients have Windows Management Framework 3.0 or higher installed, which includes PowerShell 3.0; this is not installed by default on Server 2008 R2.

So the fix was simply installing the WMF 3.0 update on the 2008 servers from the link below (the Windows 6.1 package for 2008 R2 and the Windows 6.0 package for 2008):


https://www.microsoft.com/en-us/download/details.aspx?id=34595

After updating these clients and installing WMF 3.0, I expected the issue to be resolved and the clients to start reporting to the OMS assessment; however, their status turned to Unknown!

A very common cause of this Unknown status, after checking with the Microsoft team, is that the WMI provider is not registered.

So the resolution is as follows:


  1. Open an administrator PowerShell prompt on the Unknown computers.
  2. Ensure the execution policy allows running scripts. You can check it by running Get-ExecutionPolicy.
  3. Import the needed PowerShell module by running:
     Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
  4. Run the command Get-MProtComputerStatus.
  5. Most probably you will get an "Invalid namespace" error.
  6. If so, you need to run the command below to register the WMI provider:
     Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace root\microsoft\ProtectionManagement -Path "C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
  7. This will register the ProtectionManagement provider and fix the agent's Unknown problem.
  8. If you changed the execution policy to allow running scripts, you may want to set it back to the default Restricted mode, or at least RemoteSigned.
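The steps above boil down to three preconditions (PowerShell 3.0 from WMF 3.0, an execution policy that lets the module load, and a registered root\microsoft\ProtectionManagement namespace). The following script, an added example and not part of the original post, checks all three on a server that shows as Unknown and, when run with -Fix, registers the provider using the same Register-CimProvider.exe command as step 6. It uses the paths quoted in the post; the function names and the -Fix switch are my own.

```powershell
# Added example, not from the original post: diagnose the three things the
# steps above depend on (WMF/PowerShell version, execution policy and the
# ProtectionManagement WMI namespace) and optionally register the provider.
# Run from an elevated PowerShell prompt on the 2008/2008 R2 server.
param([switch]$Fix)

$mscRoot  = Join-Path $env:ProgramFiles 'Microsoft Security Client'
$module   = Join-Path $mscRoot 'MpProvider\MpProvider.psd1'
$provider = Join-Path $mscRoot 'ProtectionMgmt.dll'

function Test-WmfVersion {
    # OMS needs WMF 3.0+ (PowerShell 3.0); a stock 2008 R2 box ships PowerShell 2.0.
    $v = $PSVersionTable.PSVersion
    Write-Host ("PowerShell version: {0}" -f $v)
    return ($v.Major -ge 3)
}

function Test-ScriptsAllowed {
    # Import-Module of a .psd1 is blocked under the Restricted policy.
    $policy = Get-ExecutionPolicy
    Write-Host ("Execution policy: {0}" -f $policy)
    return ($policy -ne 'Restricted')
}

function Test-ProtectionNamespace {
    # Enumerate the child namespaces of root\microsoft through the standard
    # __NAMESPACE class instead of guessing a class name. A missing namespace is
    # exactly what produces the "Invalid namespace" error from Get-MProtComputerStatus.
    $children = Get-WmiObject -Namespace 'root\microsoft' -Class __NAMESPACE -ErrorAction SilentlyContinue
    $hit = $children | Where-Object { $_.Name -eq 'ProtectionManagement' }
    return [bool]$hit
}

function Register-ProtectionProvider {
    # Same command as step 6 of the post, built from the paths above.
    if (-not (Test-Path $provider)) { throw "ProtectionMgmt.dll not found at $provider" }
    & Register-CimProvider.exe -ProviderName ProtectionManagement `
        -Namespace 'root\microsoft\ProtectionManagement' `
        -Path $provider -Impersonation True -HostingModel LocalServiceHost `
        -SupportWQL -ForceUpdate
    if ($LASTEXITCODE -ne 0) { throw "Register-CimProvider.exe exited with code $LASTEXITCODE" }
}

if (-not (Test-WmfVersion)) {
    Write-Warning 'WMF 3.0 or later is required; install it (download id 34595 above) and rerun.'
    return
}
if (-not (Test-ScriptsAllowed)) {
    Write-Warning 'Execution policy is Restricted; run "Set-ExecutionPolicy RemoteSigned -Scope Process" for this session only.'
    return
}
if (Test-ProtectionNamespace) {
    Write-Host 'root\microsoft\ProtectionManagement is registered.'
} elseif ($Fix) {
    Write-Host 'Namespace is missing; registering the provider...'
    Register-ProtectionProvider
} else {
    Write-Warning 'Namespace root\microsoft\ProtectionManagement is missing; rerun with -Fix to register it.'
    return
}

# Final check: the same cmdlet the post uses. With the namespace in place it
# returns the computer status object instead of an "Invalid namespace" error.
Import-Module $module -ErrorAction Stop
Get-MProtComputerStatus | Format-List
```

Using -Scope Process for the execution policy change avoids step 8 altogether: the relaxed policy dies with the PowerShell session, so nothing has to be reverted on the server afterwards.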



Hopefully this post is useful for anyone encountering the same issue.




Server Manager Refresh Failed: Call was Cancelled by the Message Filter

Posted by Ahmed Nabil | 1 comments
Lately I noticed that Server Manager on one of the Windows 2012 R2 file servers was continuously failing to refresh; a normal reboot and normal checks/scans didn't fix the problem, and I ended up with the screenshot below.

The details of the failure were "Call was cancelled by the message filter".

I noticed in the Event Viewer that the error below was repeated throughout the server's event log (Event ID 1000 - Faulting application cscript.exe).

Server Manager wasn't the only thing with an error: the File Server Resource Manager (FSRM) MMC returned an error when I opened it, and it was unable to connect to the WMI repository.

After an extensive search, the most recommended solution was to recompile and refresh the MOF files on the Windows 2012 R2 server. Several people reported that it didn't work for them, so I am sharing below the exact steps I followed to make it work.




  1. Ensure all MMC consoles, including Server Manager, are closed.
  2. Open an elevated CMD prompt.
  3. Navigate to C:\Windows\System32\wbem\AutoRecover (it is very important to run it from the AutoRecover folder and not the wbem root).
  4. Type: for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
  5. It will start parsing the MOF files one by one until the end, as shown in the screenshot below.
  6. You should get a "done" confirmation after each MOF file is parsed. If it hangs on "Storing data in the repository" for a long time with no activity, you need to end the "WMI Provider Host" process from Task Manager, as shown below. As soon as the WMI Provider Host task is ended, the command that was hanging continues running without any problem.
  7. Reboot the server.
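The same recompile can be scripted so that the hang in step 6 is handled without watching the console. The script below is an added example, not part of the original post: it runs mofcomp on every .mof and .mfl file in AutoRecover from that folder, gives each file a timeout, ends the WMI Provider Host (WmiPrvSE.exe) if the timeout expires (what the post does by hand in Task Manager), and records each file's exit code in a CSV so failures can be reviewed before rebooting. The 120-second timeout and the log location are my own choices.

```powershell
# Added example, not from the original post: MOF recompile from
# System32\wbem\AutoRecover with a per-file timeout and a CSV log.
# Run elevated with all MMC consoles closed, then reboot the server.
param([int]$TimeoutSeconds = 120)

$autoRecover = Join-Path $env:SystemRoot 'System32\wbem\AutoRecover'
$mofcomp     = Join-Path $env:SystemRoot 'System32\wbem\mofcomp.exe'
$log         = Join-Path $env:TEMP 'mofcomp-autorecover.csv'

# Work from the AutoRecover folder, not the wbem root, exactly as step 3 stresses.
Set-Location $autoRecover

function Invoke-MofCompile([System.IO.FileInfo]$File) {
    # Start mofcomp detached so a hang can be detected instead of blocking the shell.
    $p = Start-Process -FilePath $mofcomp -ArgumentList ('"{0}"' -f $File.Name) `
            -WorkingDirectory $autoRecover -NoNewWindow -PassThru
    if (-not $p.WaitForExit($TimeoutSeconds * 1000)) {
        # Stuck on "Storing data in the repository": end WmiPrvSE and mofcomp resumes.
        Write-Warning ("{0}: no exit after {1}s; ending WmiPrvSE so mofcomp can continue" -f $File.Name, $TimeoutSeconds)
        Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue | Stop-Process -Force
        $p.WaitForExit()
    }
    return $p.ExitCode
}

$results = @(Get-ChildItem -Path (Join-Path $autoRecover '*') -Include '*.mof', '*.mfl' -File |
    Sort-Object Name |
    ForEach-Object {
        Write-Host ("Parsing {0}" -f $_.Name)
        [pscustomobject]@{ File = $_.Name; ExitCode = (Invoke-MofCompile $_) }
    })

$results | Export-Csv -Path $log -NoTypeInformation
$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
Write-Host ("{0} files processed, {1} failed; details in {2}" -f $results.Count, $failed.Count, $log)
$failed | Format-Table -AutoSize
if ($failed.Count -eq 0) { Write-Host 'All MOF/MFL files compiled; reboot the server to finish.' }
```

A non-zero mofcomp exit code for a file is worth noting before the reboot: a MOF that fails to compile will leave its classes missing from the repository, and the consoles that depend on them will keep failing afterwards.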


After rebooting the server, Server Manager opened and refreshed its status without any problem, as did the other MMC consoles such as File Server Resource Manager.

Hopefully this is beneficial for users facing the same issue.






Microsoft Windows Defender ATP Protection Step by Step implementation and Configuration - Part 2

Posted by Ahmed Nabil | 7 comments
In Part 1 of this series I went through the configuration of the new Windows Defender ATP service. In this post I will move forward, try a demo attack and show how it is analyzed in the ATP portal.

For more info please check Part 1:

http://itcalls.blogspot.com.eg/2016/12/microsoft-windows-defender-atp.html

The main goal of this article is to understand how attacks are reported and how to analyze them and move through the ATP portal. Microsoft did a good job and provided a Do It Yourself (DIY) document for any user who is undergoing an ATP trial. These are safe scenarios that do no harm, meant for testing and exploring the functionality of ATP (to be used on test environments only).

So based on this DIY attack scenario document, the attack sequence is as follows:


  1. The user receives a link in an email (a typical type of attack) asking them to download a normal-looking Word file. This "fake" Word document carries a malicious macro that drops a malicious executable on the machine. A few points to consider here: the attacker will look for the user most likely to click this link without hesitation, targeting specific profiles of users who don't take security seriously. The number one source of information on your users and their interests is social media such as LinkedIn and Facebook. A user might be a huge football fan, and the whole document/process will be geared towards this interest (targeted attacks). A very nice tool that can help you scan each and every link in your email is Office 365 Advanced Threat Protection, which is different from Windows Defender ATP, as I explained in my first post.
  2. This executable opens a backdoor that allows the attacker to run commands on the victim machine. In our test scenario (Microsoft's DIY document) it opens PowerShell.
  3. The last step is running a couple of reconnaissance commands, copying a few files and getting some system info to complete the scenario. In real-life scenarios this could be wiping or encrypting your hard disk (ransomware).

So in our case I received the file, opened it, and that's it: the executable runs, a session is opened with the attacker's server, and I am completely compromised.

So let us take a look at the ATP portal dashboard after simulating the attack.



An active alert is displayed showing that a Right-to-Left Override (RLO) technique was used. Right-to-left override is a Unicode control character (U+202E) meant for scripts written from right to left, such as Arabic; the problem is that it can be used to make a file name display differently from what it really is. In our case the malware was hidden in this file and, using this technique, it was shown to users as a Word file, so they didn't suspect it and opened it.

For more info on the RLO, please check the below link

https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/
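The trick works because Explorer renders the characters after U+202E right to left, so a name such as "Q4-report_" + RLO + "xcod.exe" is displayed as Q4-report_exe.docx while Windows still executes it as an .exe. The script below is an added example, not part of the original post or of Microsoft's DIY document: it hunts a folder tree for file names carrying RLO or related Unicode bidi controls, reports the name a user sees next to the real extension, and first demonstrates itself on a constructed empty file in a temp folder (no real malware involved). The root path and function names are my own.

```powershell
# Added example, not from the original post: find files whose names contain
# the Right-to-Left Override or related Unicode bidi control characters and
# show the displayed name next to the extension Windows actually honors.
param([string]$Root = $env:USERPROFILE)

# Unicode bidi control characters abused to disguise a file's extension.
$bidiControls = 0x202E, 0x202D, 0x202B, 0x202A, 0x200F, 0x200E

function Test-BidiName([string]$Name) {
    foreach ($cp in $bidiControls) {
        if ($Name.IndexOf([char]$cp) -ge 0) { return $true }
    }
    return $false
}

function Get-DisplayedName([string]$Name) {
    # Approximation of what a bidi-aware UI renders: the text after an RLO
    # (U+202E) is drawn right to left, i.e. reversed.
    $idx = $Name.IndexOf([char]0x202E)
    if ($idx -lt 0) { return $Name }
    $tail = $Name.Substring($idx + 1).ToCharArray()
    [array]::Reverse($tail)
    return $Name.Substring(0, $idx) + (-join $tail)
}

function Find-BidiFiles([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-BidiName $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayedAs   = Get-DisplayedName $_.Name
                RealExtension = [System.IO.Path]::GetExtension($_.Name)   # what ShellExecute uses
                CodePoints    = ($_.Name.ToCharArray() |
                                 Where-Object { $bidiControls -contains [int]$_ } |
                                 ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                FullName      = $_.FullName
            }
        }
}

# Constructed demo: an empty file that displays as a .docx but is really an .exe.
$demoDir  = Join-Path $env:TEMP 'rlo-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoName = 'Q4-report_' + [char]0x202E + 'xcod.exe'
New-Item -ItemType File -Path (Join-Path $demoDir $demoName) -Force | Out-Null
Find-BidiFiles $demoDir | Format-List
Remove-Item $demoDir -Recurse -Force

# Real hunt over the profile (or whatever -Root was passed).
Find-BidiFiles $Root | Format-Table DisplayedAs, RealExtension, CodePoints, FullName -AutoSize
```

On the demo file the output shows DisplayedAs Q4-report_exe.docx and RealExtension .exe, which is the gap the RLO alert in the portal is pointing at. The same check is cheap to run over mail attachment folders and download directories on a schedule.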

You can click on this alert to dive into more details on how this attack occurred, how it was triggered on the user's machine, which applications were used, etc.






This gives you more info on the attack and how it was triggered on the user's machine, starting with outlook.exe, then opening the email and clicking on the attachment, which opened the Word file containing the malware that launched PowerShell. This is a complete, detailed process tree of the attack using the RLO technique.

We can also go to Machines and open the suspected machine to check other events, as shown below:



The machine view displays all attacks, warnings and events on this machine. The other stages of our attack scenario are listed here: the RLO technique, hiding files, running suspicious PowerShell and running some commands (the whole picture).




Of course, you can configure ATP to send you email alerts once these attacks are detected and reported.

One important thing to note about Windows Defender ATP is that it is an EDR product (Endpoint Detection and Response). It is behavior based, and it takes some time to detect these attacks compared with real-time protection tools such as antivirus, firewalls, etc.

Detection time varies with the complexity of the attack. If it is a simple attack it will show up on the ATP portal in no time. If it is very complex it will take some time before it shows up on the portal, as it needs more time for analysis.

The ATP team is working hard on improving this accuracy and adding integration with other services such as Office 365 and Microsoft ATA.

I would highly recommend going on a trial and checking out this nice solution. The industry average for detecting a breach without EDR is 146 days, so detecting breaches in a few hours using ATP will definitely add more defense to your current environment.

Hope this post was helpful and enjoy your ATP trial.



Microsoft Windows Defender ATP Protection Step by Step implementation and Configuration - Part 1

Posted by Ahmed Nabil | 5 comments
Before the close of 2016 I would like to share with you a very cool new security service recently offered by Microsoft to detect and respond to advanced targeted attacks. Information security attacks are getting more complex and need several layers of protection and, more importantly, a different way of analyzing and detecting such threats.

Windows Defender Advanced Threat Protection is based on Windows 10 clients and serves as post-breach protection for investigating and responding to threats, while the Windows 10 client itself is already fully packed with pre-breach protection such as Credential Guard, Device Guard, Windows Information Protection, etc.

For some reason Microsoft uses the term Advanced Threat Protection widely across several products, which causes confusion for users. Basically there are three services/tools sharing the same name:


  1. Office 365 Advanced Threat Protection (ATP). This service is mainly concerned with protecting your email from advanced threats in real time, for example by inspecting all Internet links arriving in your email. You need an Office 365 E5 license for it to work.
  2. Microsoft Advanced Threat Analytics (ATA). This tool uses user behavior analytics and machine learning to detect attacks, with a main focus on credential attacks such as Pass the Hash and Pass the Ticket, as well as common and known threats to your network. Please check my earlier blog series on ATA: https://itcalls.blogspot.com.eg/2016/04/microsoft-advanced-threat-analytics-ata.html
  3. Windows Defender Advanced Threat Protection. This is the service this post targets, and it is mainly concerned with your endpoint devices (Windows 10). You need a Windows E5 license to run it.

So what are the requirements to get enrolled and run Windows Defender ATP?

  1. It runs only on Windows 10 version 1607 (Anniversary Update) and later (Windows 10 RTM won't work). Also, not all Windows 10 editions are supported (Home edition won't work).
  2. The service is in the cloud, so the Windows 10 client needs Internet access to contact it.
  3. Windows Defender ATP is not the same as the local Windows Defender AV installed by default on Windows 10; however, it needs some components from it, such as the ELAM driver (Early Launch Anti-Malware). So the ideal situation is to have the default Windows Defender as your main real-time protection against viruses, in which case you don't have to worry about anything. However, if you are using another AV product such as Symantec or McAfee as the main real-time protection, ATP still needs the ELAM driver to be running. By default, when you install a third-party AV such as Symantec or Kaspersky, the local Windows Defender AV enters passive mode, where the ELAM driver keeps running and the engine stays updated but it does not act as your real-time protection. So if you have a third-party AV, don't block or disable Windows Defender on your local machine, as this will cause ATP to stop functioning. For more details on Windows Defender ATP requirements, please check https://technet.microsoft.com/en-us/itpro/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection

So the normal process is to contact your Microsoft account manager and ask for Windows Volume License E5; after getting/purchasing the needed licenses you will get a notification that it is activated. The process of configuring and implementing ATP once it is purchased is as follows:

  1. Open the Windows Defender ATP portal https://securitycenter.windows.com/, log in using your corporate credentials and, on the Welcome screen, click Next as shown below.
  2. The next step is a very crucial decision because it cannot be reverted later, once you are up and running. It concerns the storage location of your data: whether you prefer to store it in the US or in Europe (some organizations have policies to store their data in Europe, for example). If you want to change it later you will need to offboard all your clients and reset the whole subscription (Microsoft Support is needed) and create everything from scratch again.
  3. Choose the period of time you want to keep your data in the cloud (you can change this later if needed).
  4. Pick your organization size and anticipate any planned growth (this preference cannot be changed later on).
  5. Choose your industry and your organization's main scope of work. This setting can be changed later and will provide insights on any alerts or threats that target a specific industry.
  6. You will get a warning that some choices cannot be reverted, as mentioned earlier (storage location and organization size). Click Continue to create your cloud instance.
  7. The final step after the ATP cloud instance is created is to onboard your clients (point them to the ATP instance) and activate the protection on their machines. To do so you install a very simple package on your client machines; in this step you are offered all kinds of distribution methods, such as SCCM for your domain machines with an SCCM client, an Intune package for your BYOD devices, Group Policy, etc. In our test case I used the local script, which just installs the needed files and is run manually on the client. You need to run this script file from an elevated command prompt.
  8. In our case I installed ATP on 3 machines, and the ATP portal dashboard is shown below.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
This concludes Part 1 which was mainly dealing with the installation and configuration. In Part 2 I will start simulating an attack and how to analyze it in ATP. Happy new year everyone and see you on Year 2017 :)





Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring Azure Multi Factor Authentication (MFA) for VPN connection - Part 4

Posted by Ahmed Nabil | 4 comments»
In Parts 1, 2 and 3 of this series we discussed the VPN role and its step-by-step installation, configuration and integration with the RADIUS server, as well as the VPN client configuration and the most common client-side problems.

For more information, please check Parts 1, 2 and 3 of this series:

https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access.html

https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access_30.html

https://itcalls.blogspot.com.eg/2016/11/implementing-microsoft-remote-access.html


In this final post we will add Multi-Factor Authentication to our solution using the Azure MFA on-premises server. MFA adds an extra security layer instead of relying only on a username and password. We will be using the model of something you know (your password) + something you have (your device, i.e. your cell phone).

If you have Azure Active Directory Premium or the Enterprise Mobility Suite (EMS) then Azure MFA is already included. For more details on Azure MFA licensing and pricing, please check the link below:

https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/



Installing and Configuring Azure MFA On-Premise Server


  1. Log in to your Azure Portal - Active Directory - Multi-Factor Authentication Providers. If you already have a provider you can manage it directly; if not, as in our case, you need to create an Authentication Provider.

  2. Creating one is a very easy wizard, as shown below; however you have to make one important decision regarding the license model (check the link above for licensing).

  3. After creating the provider you will be directed to the Azure Multi-Factor Authentication page, where you can find the downloads and pick the one that suits your environment (in our case I am installing it on 64-bit Windows Server 2016).

  4. I will pick the 2012 R2 version since the 2016 one wasn't available at that time, and generate the activation codes. Please note that this activation code lasts for only 10 minutes, within which it must be entered in the MFA installation wizard later; if you take more than 10 minutes to reach the wizard step that requires it, you will get an error. Don't panic, all you need to do is come back here and generate a new code.

  5. Launch/Run the downloaded file; it will require a couple of components and updates to be installed, as shown below (prerequisites).

  6. Go ahead and select the installation folder (you can safely leave it in the default location).

  7. After installation it launches the configuration page. Click Next and add the activation code you copied in step 4.

  8. The next option is which service you want to apply MFA to. In our case we are applying it to the VPN service. This is a very critical step: we add here the VPN server IP address and shared secret (you can use the one we used before with RADIUS). The VPN server's security settings were previously configured to point to the RADIUS server; we now need to change them on the VPN server to point to the MFA server (as if it were the RADIUS server), and the MFA server will connect to the RADIUS server on its behalf. Check Part 2 of this series for adding the MFA server in place of the RADIUS server, and also check Part 2 on how to add a new RADIUS client (this time it will be the MFA server). So previously the VPN server contacted RADIUS directly; now it is VPN to MFA to RADIUS.

  9. Add the RADIUS server IP. Again, remember the MFA server is now a broker: it receives requests from the VPN server (acting as the RADIUS server) and then contacts the real RADIUS server.

  10. After finalizing the wizard, open the Azure MFA Server application located in the Start menu and click on Users.

  11. Pick any user to enable MFA for. Add the phone number, pick the MFA method (phone call, text, mobile app, etc.) and then click Enabled.

  12. Make sure that the user account in Active Directory, on the Dial-in tab, has Network Access Permission = Allow and Callback Options = Set by Caller (RRAS).

  13. In the Azure MFA Server application, click on RADIUS Authentication. Under Clients you should have the IP address of the VPN server and under Targets you should have the RADIUS server IP.

With that you are ready to turn to your client and connect your VPN; it won't sign you in until you pick up your phone and press the # key to complete authentication.
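The steps above turn the MFA server into a RADIUS proxy sitting between the VPN server and the real RADIUS server, with each hop protected by its own shared secret. The following Python is an added illustration (not from the original post and not Microsoft's code) of what any RADIUS proxy in that position has to do per RFC 2865: recover the hidden User-Password with the VPN-side secret, re-hide it with the RADIUS-side secret, and let the VPN server verify the Response Authenticator on the reply. All secrets and Request Authenticators are constructed sample values.

```python
"""RFC 2865 User-Password hiding and Response Authenticator for the VPN -> MFA -> RADIUS chain."""
import hashlib
import hmac
import struct

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: null-pad to 16-byte blocks; block i is XORed with
    MD5(secret + c[i-1]), c[-1] being the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; the key chain runs over the ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the RFC null padding

def proxy_rehide(hidden, vpn_secret, req_auth, radius_secret, new_req_auth):
    """The broker step: recover the password with the VPN-side secret and re-hide
    it with the RADIUS-side secret; a wrong secret on either hop means a reject."""
    clear = unhide_password(hidden, vpn_secret, req_auth)
    return hide_password(clear, radius_secret, new_req_auth)

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    the VPN server recomputes it to check the reply came from its secret's holder."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(code, ident, attrs, req_auth, secret, resp_auth):
    """Constant-time check of a received Response Authenticator."""
    return hmac.compare_digest(
        response_authenticator(code, ident, attrs, req_auth, secret), resp_auth)

def demo():
    """Constructed sample values (not from the post): one password traverses both hops."""
    ra1, ra2 = bytes(range(16)), bytes(range(16, 32))  # per-hop Request Authenticators
    hop1 = hide_password(b"Secret123!", b"vpn-mfa-secret", ra1)
    hop2 = proxy_rehide(hop1, b"vpn-mfa-secret", ra1, b"mfa-radius-secret", ra2)
    return unhide_password(hop2, b"mfa-radius-secret", ra2)  # -> b"Secret123!"
```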

Through these 4 blog posts I tried to detail each and every step with screenshots to make sure nothing is missed. Hopefully you enjoyed this series and will try the VPN solution on your devices, especially the portable ones (tablets and phones).

See you on the next post.