Search This Blog

Thursday, April 2, 2020

Defender tamper protection

Microsoft Defender

When our clients get unwanted guests, one thing they will often try is to disable Windows security features, like our antivirus protection.

Now with the right license in place we can prevent this from occurring, the following actions can be prevented:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling cloud-delivered protection
  • Removing security intelligence updates

Tamper protection will prevent changes to Windows Defender using PowerShell, registry changes and through group policy settings.

In order to use tamper protection you nee access to Microsoft Defender Advanced Threat Protection through a Windows 10 enterprise E5 license.

Before changing anything we can verify the current status of this feature in Virus and threat protection settings.

image

The status can also be seen with the PowerShell command Get-MpComputerStatus | select IsTamperProtected.

image

We will then try to see that we can disable Windows Defender by a simple policy change.

image

Update policies.

image

And shortly after the services will change status from running to nothing.

image

And we can see that Virus and threat protection is not running.

image

So we are able to stop Windows defender with a GPO, let’s make sure the GPO is disabled again and that the services are restarted.

image

Now it’s time to try to enable the tamper protection feature with the Microsoft Endpoint manager admin center (https://endpoint.microsoft.com/).

Here we create a new configuration profile.

image

Select Platform as Windows 10 and later and Profile as Endpoint protection, and then click Create.

image

Name the profile and select Microsoft Defender Security Center.

image

Enable Tamper Protection and click OK.

image

Click OK again.

image

And the Create the profile.

image 

Whit the profile created , assign it to a group.

image

Select the desired group and Save.

image

Sync your device or just wait for the configuration to be assigned.

image

Now we can see that tamper protection is active with PowerShell.

image

And in Virus and threat protection settings.

image

No let’s try to change the GPO again.

image

This time nothings happen, the GPO is written to registry as expected.

image

But Windows defender stays active.

image 

Posted by at No comments:
Links to this post
Labels: ,

Monday, March 9, 2020

Windows Virtual Desktop and Azure File Shares

In our original series on Windows Virtual Desktop we used a standard file server to host the FSLogix Profiles, this was the only option at the time - if used together with our on-premises Active Directory.

Now it’s possible to use Azure file shares and on-premises Active Directory together (Preview of Active Directory authentication support on Azure Files).

So let’s try it out - still using the same setup as described here:

  • Part 1 - Created a Windows Virtual Desktop tenant – Part 1
  • Part 2 - Created a service principal and some customization of our on-premises AD – Part 2
  • Part 3 - Provisioning a host pool – Part 3
  • Part 4 – FSLogix – Part 4
  • Part 5 – Test Part 5

The difference is that the file server in part 4 will be replaced by an Azure file share.

And before we start it’s important to note that Azure Files AD authentication is not available in the following regions(time of writing):

  • West US
  • West US 2
  • East US
  • East US 2
  • West Europe
  • North Europe

The first thing we need is to download the AzFilesHybrid module found here: https://github.com/Azure-Samples/azure-files-samples/releases

2020-02-24 15_12_55-Releases · Azure-Samples_azure-files-samples · GitHub

Unzip the downloaded file, here in a folder called C:\AzFilesHybrid:

2020-02-24 15_17_01-LAB-DC01 on PCP70 - Virtual Machine Connection

Next we will create a Storage account in the Azure portal.

2020-03-06 09_12_29-Window

Select Add.

image

Enter name and options for storage account.

image

For this test I will us a Public endpoint, but choose what suits your situation best.

image

Advanced settings.

image

Select Review + create.

image

When validation has been passed click Create.

image

When deployment is complete select Go to resource.

image

Select File shares.

image

Select File share.

image

Name the new file share and set Quota.

image

Start PowerShell elevated:

2020-02-24 15_52_55-LAB-DC01 on PCP70 - Virtual Machine Connection

Navigate to where the files are unzipped.

2020-02-24 15_53_45-LAB-DC01 on PCP70 - Virtual Machine Connection

If you run in to problems during this sequence, you might be missing the PowerShell modules Az.Resources and AZ.Storage

image

2020-02-24 16_00_27-LAB-DC01 on PCP70 - Virtual Machine Connection

Run command to copy the files into the path.

.\CoptToPSpath.ps1

2020-02-24 15_54_13-LAB-DC01 on PCP70 - Virtual Machine Connection

Import the AzFilesHybrid module.

Import-Module -name AzFilesHybrid

2020-02-24 16_01_45-LAB-DC01 on PCP70 - Virtual Machine Connection

Login with an Azure AD account that has storage account owner or contributor assignment, here I will use my global administrator.

Connect-AzAccount

image

Select the target subscription for the current session with the command.

Select-AzSubscription -SubscriptionId "<subscription-id>"

image

Now register the storage account with our active directory environment under an OU.

join-AzStorageAccountForAuth -ResourceGroupName "<resource-group>" -Name "<storage-account"  -OrganizationalUnitDistinguishedName "<ou-name"

image

In the OU specified you should now the a computer account created.

image

Let’s confirm that the feature is enabled by running the commands:

$storageaccount = Get-AzStorageAccount -ResourceGroupName "<resource-group>" -Name "<storage-account>

$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

image

If we go to configuration on the storage account we should now see that Active Directory is enabled.

image

Now go to the file share created and set share access.

image

Use the role Storage File Data SMB Share Contributor and assign it to our group of Windows Virtual Desktop users, here I a group created and synchronized from the local Active Directory.

image

We can now use the net use command to mount the Azure file share, like this:

net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:azure\<storage-account-name> <storage-account-key>

image

You can get the needed information from Access keys under the storage account:

image

The NTFS permissions can now be set on the mapped drive (file explorer) just like what we used for the traditional file server:

image

We need to change the GPO for FSLogix so that the new Azure file share is used.

image

Please also note that the user should not already have a profile on the computer, so use a new account or delete the existing profile.

image

After sign-in to our Windows virtual desktop the FSLogix profile is now created on the Azure file share:

image

We can test if port 445 outbound communication to the Azure Files datacenter is blocked with the commands:

$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>"

Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

image

Posted by at No comments:
Links to this post
Labels: , , ,
Subscribe to: Posts (Atom)