
The Problem With Sleeping

Laptops have advanced significantly over the years and are the productivity tool of today. A simple example: we can put a laptop to sleep just by closing the lid, and get back to work just by reopening it, continuing as if we never left.

While this is great for productivity, it has a significant negative impact on security. Laptops are rebooted far less often than they used to be. In fact, people often don’t remember when they last did a full reboot.

In many cases, a system isn’t actually protected by a security patch until a full reboot is performed: the update is installed, but not yet in effect.

Because of this, ZAG has moved to standardize reboot enforcement to ensure patches are completely installed. We do this in a user-friendly manner by giving the user ample opportunity to reboot. Without forced reboots, an environment can never be considered secure.
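The following is an added example and not ZAG’s enforcement tooling: a PowerShell function that reports whether a Windows endpoint has a reboot pending from Windows servicing or Windows Update, and how long the machine has been up. It reads the well-known registry locations that servicing and Windows Update set when an update is waiting for a restart; the seven-day uptime threshold is an assumption you should tune to your own policy.

```powershell
# Added example, not from the original post: report whether this Windows machine
# still has a reboot pending from Windows servicing or Windows Update, and how
# long it has been up. Run from an elevated PowerShell prompt on the endpoint.
function Test-PendingReboot {
    [CmdletBinding()]
    param(
        # Assumed threshold: uptime beyond this with a reboot pending is flagged.
        [int]$MaxUptimeDays = 7
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    # Registry keys that servicing and Windows Update create when an installed
    # update is waiting for a restart to finish applying.
    $keys = [ordered]@{
        'Component Based Servicing' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        'Windows Update'            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
    foreach ($name in $keys.Keys) {
        if (Test-Path -LiteralPath $keys[$name]) { $reasons.Add($name) }
    }

    # Files that were in use during patching are renamed/replaced at next boot.
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $reasons.Add('PendingFileRenameOperations')
    }

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        LastBoot          = $os.LastBootUpTime
        UptimeDays        = [math]::Round($uptime.TotalDays, 1)
        RebootPending     = ($reasons.Count -gt 0)
        Reasons           = ($reasons -join ', ')
        # The case the post describes: patches installed but not yet effective.
        PatchNotEffective = ($reasons.Count -gt 0 -and $uptime.TotalDays -gt $MaxUptimeDays)
    }
}

# Usage: run locally, or wrap in Invoke-Command for a fleet-wide report.
$status = Test-PendingReboot
$status | Format-List
if ($status.PatchNotEffective) {
    Write-Warning "$($status.ComputerName): updates installed but no reboot for $($status.UptimeDays) days"
}
```

Machines where PatchNotEffective is True are the ones a reboot-enforcement policy should target first; the Reasons field tells you which servicing component is waiting on the restart.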

ZAG encourages everyone to review their patching methodology and ensure that systems are truly patched. Anything short of this leaves you vulnerable to a potential attack. IT must actively manage your environment to ensure the company is protected.

Unexpected Results from Safe Senders and Blocked Senders Lists

Most antispam solutions offer whitelist and blacklist options for specific senders and domains, and Office 365 is no different. Most of them provide organization-wide settings as well as customizable lists for individual users. The one area that can cause confusion is the way Microsoft has integrated the Safe Senders and Blocked Senders lists of a user’s mailbox with the Exchange Online Protection (EOP) solution.

When a user adds entries to these lists through Outlook or Outlook on the Web (formerly Outlook Web App or OWA), small mistakes can have serious ramifications. If a user adds a sender or domain to the Safe Senders list, it overrides the organization’s Office 365 EOP antispam filtering settings. This can be verified in the message headers: the X-Forefront-Antispam-Report header will carry the indicator SFV:SFE, which means “Filtering was skipped and the message was let through because it was sent from an address on an individual's safe sender list.” The same header will also show SCL:-1, which indicates “Non-spam coming from a safe sender, safe recipient, or safe listed IP address (trusted partner).”

Example: [image: safe sender blog1.PNG]

The result of this configuration in the individual’s Safe Senders list is that messages which should have been flagged as spam will now be delivered to the user’s inbox.  This includes messages that fail DMARC tests and are potential phishing attempts.

The reverse effect can occur when users modify their Blocked Senders lists: the same X-Forefront-Antispam-Report header is stamped with SFV:BLK if the sender appears in the user’s Blocked Senders list.
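As an added example (not part of the original post), here is a PowerShell function that parses the EOP headers of a received message and flags the dangerous combination described above: SFV:SFE together with a failed DMARC check. The header block it runs on is constructed for illustration; 203.0.113.10 is a documentation IP range and contoso.example is a placeholder domain.

```powershell
# Added example, not from the original post: parse the EOP headers of a message
# and flag SFV:SFE combined with a failed DMARC check.
function Get-EopVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines, then split into name/value pairs.
    $headers = @{}
    foreach ($line in (($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') { $headers[$matches[1]] = $matches[2] }
    }

    # X-Forefront-Antispam-Report is a semicolon-separated list of KEY:value fields.
    $report = @{}
    foreach ($field in ($headers['X-Forefront-Antispam-Report'] -split ';')) {
        if ($field -match '^\s*([A-Z]+):(.*)$') { $report[$matches[1]] = $matches[2].Trim() }
    }

    # The SFV values quoted in the post; other values exist but are not covered here.
    $sfvMeaning = @{
        SFE = 'filtering skipped: sender is on an individual safe sender list'
        BLK = 'blocked: sender is on an individual blocked sender list'
    }
    $sfv         = $report['SFV']
    $dmarcFailed = [bool]($headers['Authentication-Results'] -match 'dmarc=fail')

    [pscustomobject]@{
        SFV              = $sfv
        SCL              = $report['SCL']
        Meaning          = if ($sfv -and $sfvMeaning.ContainsKey($sfv)) { $sfvMeaning[$sfv] } else { 'not covered here' }
        DmarcFailed      = $dmarcFailed
        # The risk case: a personal safe sender entry let a DMARC-failing message through.
        SafeSenderBypass = ($sfv -eq 'SFE' -and $dmarcFailed)
    }
}

# Constructed sample headers (not a real message); values are placeholders.
$sample = @"
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.example;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;
 IPV:NLI;SFV:SFE;H:mail.contoso.example;PTR:mail.contoso.example;CAT:NONE;DIR:INB;
Subject: Urgent: please process this wire transfer
"@

Get-EopVerdict -RawHeaders $sample | Format-List
```

Feed it the raw header block copied from a suspicious message; any result with SafeSenderBypass set to True is a message that the organization’s filtering would otherwise have handled, and a sign that the recipient’s Safe Senders list needs review.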

What can be done?

As general guidance to your user community, it is recommended to avoid using domain names in the Safe or Blocked Senders/Domains lists whenever possible. Whitelisting or blacklisting an entire domain will almost always produce unexpected results. If an entire domain needs an action, the change should typically be made by the IT administrator, not the end user. Users should also never whitelist anyone from your own company; this is unnecessary and can create an opening for phishing.

As an administrator, you can make modifications to the user’s Safe or Blocked Senders lists using Exchange Online PowerShell.  Once you are connected, you can use the Get-MailboxJunkEmailConfiguration and Set-MailboxJunkEmailConfiguration commands to adjust the user settings.  The items that we recommend the most are:

  • The ContactsTrusted setting should always be set to False; otherwise every contact the user adds to their Outlook profile is whitelisted.

    • Since it is common to add coworkers to your contacts list, this setting would also whitelist anyone spoofing those display names for phishing or spam.

  • For TrustedSendersAndDomains, here are a couple of rules.

    • Do not add email addresses from your own domain, or the domain itself.

      • Such entries let phishers use those addresses and display names to bypass antispam scanning.

    • Avoid whitelisting entire domains whenever possible.

      • This opens too wide an exposure to phishing and spam.
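The following added example (not ZAG’s tooling and not from the original post) turns the rules above into an audit of every user mailbox with Get-MailboxJunkEmailConfiguration, reporting mailboxes where ContactsTrusted is True, where a safe sender entry belongs to one of your own accepted domains, or where an entire external domain is whitelisted. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session. By default it only reports; with -Remediate it clears ContactsTrusted and removes the own-domain entries, leaving whole-domain entries for IT to judge.

```powershell
# Added example, not from the original post: audit user mailboxes' junk email
# configuration against the rules above. Assumes an active Connect-ExchangeOnline
# session. Dry run by default; -Remediate applies the fixes.
function Invoke-JunkConfigAudit {
    [CmdletBinding()]
    param([switch]$Remediate)

    # The organization's own accepted domains, lower-cased for comparison.
    $ownDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        $cfg      = Get-MailboxJunkEmailConfiguration -Identity $mbx.UserPrincipalName
        $findings = New-Object System.Collections.Generic.List[string]
        $toRemove = New-Object System.Collections.Generic.List[string]

        # Rule 1: contacts must not be implicitly trusted.
        if ($cfg.ContactsTrusted) { $findings.Add('ContactsTrusted=True') }

        foreach ($entry in @($cfg.TrustedSendersAndDomains | Where-Object { $_ })) {
            $e      = $entry.ToString().ToLowerInvariant()
            $domain = if ($e -like '*@*') { $e.Split('@')[-1] } else { $e }

            if ($ownDomains -contains $domain) {
                # Rule 2: never safe-list our own addresses or domains.
                $findings.Add("own-domain safe sender: $e")
                $toRemove.Add($entry.ToString())
            } elseif ($e -notlike '*@*') {
                # Rule 3: whole external domains are reported, not auto-removed.
                $findings.Add("whole-domain safe sender: $e")
            }
        }

        if ($findings.Count -eq 0) { continue }

        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Findings = ($findings -join '; ')
        }

        if ($Remediate) {
            $params = @{ Identity = $mbx.UserPrincipalName }
            if ($cfg.ContactsTrusted) { $params['ContactsTrusted'] = $false }
            if ($toRemove.Count -gt 0) {
                $params['TrustedSendersAndDomains'] = @{ Remove = $toRemove.ToArray() }
            }
            if ($params.Count -gt 1) { Set-MailboxJunkEmailConfiguration @params }
        }
    }
}

# Usage: review the report first, then apply fixes.
Invoke-JunkConfigAudit | Format-Table -AutoSize
# Invoke-JunkConfigAudit -Remediate
```

Running the audit on a schedule catches users who re-add these entries later, which is the layer the post warns can quietly undo your organization-wide filtering.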

In the end, it is your own policies that you configure but it is important to understand these other configuration layers that can undo the security solutions you have implemented.

Windows 10 Lifecycle

You may have noticed that Windows 10 is designated with different version numbers like 1611, 1703, 1709, etc. For the most part we think of these incremental updates as feature enhancements and not that important, simply because Microsoft categorizes them as “Feature Updates”. They are more than that and have much larger ramifications in your environment: what Microsoft calls a feature update is really a full in-place OS upgrade. Like any other OS upgrade, you need to test your applications and hardware to be sure that everything will work after deployment. These updates can also take a considerable amount of time; more on that later in the article.

Each release under Microsoft’s new “Semi-Annual Channel” model also has a shelf life. At the time of this writing, Microsoft has promised to “service” these operating systems for 18 months or 30 months depending on the edition; see the chart below. There is one exception, the Long Term Servicing Branch (LTSB), but that is beyond the scope of this article.

[image: win10 Lifecycle blog insert.png]

https://support.microsoft.com/en-us/help/4462896

What exactly does “service” mean? The monthly updates that Microsoft releases to keep us all safe are part of servicing. In some cases Microsoft will make an exception for major security issues, as we have seen with Windows XP security updates, but for the most part consider an OS past its date in the chart above as no longer receiving monthly updates. If your Windows 10 computers are running version 1511 (Enterprise or Education) or earlier, you are not receiving the monthly updates and you are putting your environment at risk. The chart below lists the end of service dates for each Windows 10 version as of this writing.

https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
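The check that follows is an added example, not part of the original post: a PowerShell function that reads the installed Windows 10 version and edition from the registry and compares them to an end-of-service table. The three dates in the table are example values entered from memory for the versions named in the article and must be confirmed against the lifecycle fact sheet linked above before you rely on them; extend the table with the other versions from that chart.

```powershell
# Added example, not from the original post: determine which Windows 10 version
# and edition a machine runs and whether it is still inside its servicing window.
# The dates below are assumed example values; verify them against the Windows
# lifecycle fact sheet before relying on them.
function Get-Win10ServicingStatus {
    param(
        [string]$ReleaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId,
        [string]$EditionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID,
        [datetime]$AsOf    = (Get-Date)
    )

    # End-of-service dates per version: consumer/Pro track vs Enterprise/Education track.
    # Example values only; fill in and confirm from the lifecycle fact sheet.
    $endOfService = @{
        '1511' = @{ Consumer = [datetime]'2017-10-10'; Enterprise = [datetime]'2018-04-10' }
        '1607' = @{ Consumer = [datetime]'2018-04-10'; Enterprise = [datetime]'2019-04-09' }
        '1703' = @{ Consumer = [datetime]'2018-10-09'; Enterprise = [datetime]'2019-10-08' }
    }

    # Enterprise and Education editions get the longer servicing window.
    # (LTSB editions, EditionID 'EnterpriseS', follow a different policy not modelled here.)
    $track = if ($EditionId -match '^(Enterprise|Education)') { 'Enterprise' } else { 'Consumer' }

    $eos = $null
    if ($endOfService.ContainsKey($ReleaseId)) { $eos = $endOfService[$ReleaseId][$track] }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Version       = $ReleaseId
        Edition       = $EditionId
        Track         = $track
        EndOfService  = $eos
        DaysRemaining = if ($eos) { [int]($eos - $AsOf).TotalDays } else { $null }
        # $null means the version is not in the table; treat it as needing a lookup.
        InService     = if ($eos) { $AsOf -le $eos } else { $null }
    }
}

# Usage: local check, or run across the fleet with Invoke-Command and collect the output.
Get-Win10ServicingStatus | Format-List
```

A negative DaysRemaining, or InService equal to False, identifies a machine that is no longer receiving monthly updates and should be scheduled for a feature update.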

These feature update packs are deployed through the standard Windows Update mechanism as well as the Windows Update Assistant. They can also be deployed as stand-alone installations through System Center Configuration Manager or other software deployment tools. These alternative methods matter because they bring advanced validation steps and logging, which is important when troubleshooting deployment issues. Note that these installations can take 2 hours or more on a computer with a spinning disk, or 30 – 45 minutes on a computer with a Solid-State Drive (SSD). When choosing replacement PCs and laptops for your environment, it will be important to select models with SSDs.

If you would like more information on Microsoft’s Lifecycle Policy including Windows 10 LTSB, Office 365, SQL Server and Windows Server feel free to reach out to me or visit the Microsoft Lifecycle Homepage.

ZAG is experienced in Windows 10 deployments.  Our mission is to “enable our clients to succeed”. To know more about ZAG Technical Services and the services we offer contact us at 408-383-2000.