User Profile
Sergg
Iron Contributor
Joined 7 years ago
Recent Discussions
Re: How to access to cdx.transform.microsoft.com ?
One more hint, I found a way to get the CDX portal open on my PC. To make the CDX website work, you need to trigger Microsoft MFA in the same browser before accessing the CDX portal. The CDX portal somehow does not like third-party MFA (like DUO) or implied MFA (like a trusted Azure joined PC) but does not generate an additional MS MFA prompt either. The MS MFA can be triggered using some Azure admin features; for example, in PIM, when one picks and requests a privileged role. Once Azure PIM requests additional authorisation (e.g. MS MFA with Authenticator), I was able to access the CDX portal. You must use the same browser window to open the CDX portal; CDX no longer reports authorization errors. You need to repeat the process each time. Good luck! P.S. I just found that accessing My Sign-Ins | Security Info | Microsoft.com https://mysignins.microsoft.com/security-info forces MFA and makes CDX connect.

Re: RE: CDX Throws “Unauthorized”
I finally found a way to get the CDX portal open on my PC. To make the CDX website work, you need to trigger Microsoft MFA in the same browser before accessing the CDX portal. The CDX portal somehow does not like third-party MFA (like DUO) or implied MFA (like a trusted Azure joined PC) but does not generate an additional MS MFA prompt either. The MS MFA can be triggered using some Azure admin features; for example, in PIM, when one picks and requests a privileged role. Once Azure PIM requests additional authorisation (e.g. MS MFA with Authenticator), I was able to access the CDX portal. You must use the same browser window to open the CDX portal; CDX no longer reports authorization errors. You need to repeat the process each time. Good luck! P.S. I just found that accessing My Sign-Ins | Security Info | Microsoft.com https://mysignins.microsoft.com/security-info forces MFA and makes CDX connect.

Re: Microsoft Defender EASM should be part of Microsoft Defender XDR
It looks like there is an early attempt to integrate EASM into Defender XDR. If you navigate to https://security.microsoft.com/exposure-initiative?initiativeId=easm you can pick one of the predefined EASM discovered businesses and attach it to your Defender XDR customer. Unfortunately, you can attach a custom company; it is fairly basic (but free, you are not charged for assets), and it seems like there is no option to detach it!

Re: Testing of web content filtering policy from M365 Defender
I would also like to see Microsoft adding various test category URLs to the https://demo.wd.microsoft.com/ portal. I worked with multiple SWG (Secure Web Gateway) URL filtering products before, and most of the vendors offer a list of "safe" test URLs pretending to be in certain categories. It has been a few years since URL filtering went GA, but the https://demo.wd.microsoft.com/ section for Web protections has not been updated.

Re: IIS hardening with CIS standards - tools and options
And the PDFs you can download from https://workbench.cisecurity.org/ after registering. There is also a forum of CIS experts on https://workbench.cisecurity.org/, one per hardened product. You can try asking your questions there.

Re: IIS hardening with CIS standards - tools and options
To anyone interested, I ended up using the FREE tool https://github.com/fbprogmbh/Audit-Test-Automation to scan and then manually tune IIS until most of the IIS CIS settings were green. It is really good. If you are ready to pay, you can get a version which is able to harden the settings. It is from the same company - https://www.fb-pro.com/en/

DirectAccess multiple servers per site without NLB - is it a bad idea?
What are the issues of running a few DirectAccess servers (let's say 3-4) per site without external or built-in NLB, please? Aside from manually configuring each server and the lack of granular control over how many clients there are on each server, what are the other issues, please? According to https://directaccess.richardhicks.com/f5-big-ip-load-balancer/ there are many: "NLB has some serious drawbacks and limitations and should typically be avoided for most enterprise deployments. NLB is broadcast-based and generates a tremendous amount of noise on the network. Heartbeat messages are broadcast to the subnet every second. As more nodes are added to the cluster, the broadcast traffic grows exponentially. Microsoft suggests a limit of 8 nodes per NLB cluster; practically speaking, NLB clusters should be limited to no more than 4 nodes. In addition, NLB lacks the visibility and granular control of network traffic often required by network administrators. Further, troubleshooting NLB is prohibitively difficult. There are also challenges getting NLB to work correctly in virtual environments, making NLB difficult to support."

Re: Why doesn't O365 produce DMARC reporting?
dolce-anthony, have you seen this - https://www.microsoft.com/security/blog/2021/09/01/get-free-dmarc-visibility-with-valimail-authenticate-and-microsoft-office-365/ "September 1, 2021 Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365"

Re: "New" home endpoint https://security.microsoft.com/?tid=<TenantGUID> does not work
Neil Goldstein, I agree the situation should be more consistent. And thank you very much for sharing the link for switching Azure AD in Office 365!!! M365AdminCenter: https://portal.office.com/Partner/BeginClientSession.aspx?CTID=%3CClientTenantID%3E&CSDEST=o365admincenter The above works well.

IIS hardening with CIS standards - tools and options
Hello IIS experts. Please suggest the best strategy for hardening an on-prem IIS farm to CIS standards. I'm also interested in recurring audits of the results. There are a number of commercial products that can scan IIS for CIS Benchmarks. The latest "CIS Benchmark for Microsoft IIS 10" is available to download in PDF format free of charge at https://www.cisecurity.org/cis-benchmarks/. However, in this instance CIS does not offer a "Build kit". Depending on the product to be hardened, a CIS "build kit" can be a set of scripts, a GPO policy or similar to allow rapid hardening deployment. Since there is no official build kit, I'm looking for alternatives. Can you please share your experience on this subject? I found a few blogs but those are quite old.

Azure CSP customer - downgrade foreign principal CSP group – what can get wrong?
Hello, What is the significance of the partner-managed CSP group in an Azure CSP subscription? I noticed the foreign principal CSP group in the Owner role. Obviously, the Owner role has the maximum level of privileges. But is this really required for billing? Can this group be removed or downgraded into some other role? I was not able to find Microsoft documentation on this subject. There is info on how to reinstate this, but no information on why this is required.

Is AIP the correct product to discover file hoarding and clean up / lock down sensitive documents?
Below is a typical situation I see time after time, and I want to know if there is a product and process in the MS portfolio to improve it. Imagine a consultant-type SMB organization hoarding documents for 10-15 years, stashing them into Windows shares and later finding it too difficult to sort this pile, so migrating the entire lot to SharePoint Online. On SharePoint there is minimal sorting by project name or customer name. But there is less structure with personal files. Some consultants could have a filing system inside their mailbox or local drives, but OneDrive migration is going steadily and info from the local drives to Personal OneDrives Is AIP the right product to scan and classify the lot and tell how much "stuff" there is, ranking by keywords like project name, customer name, year etc.? Where can I read more about the whole journey of information management and retention for digital artifacts? Is there a well-known "must read" book or blog on the subject? Just trying to understand this for myself.

How to set Impersonation Protection users with Preset Policies?
Hello, Microsoft suggests using preset (Standard or Strict) policies for EOP and Defender for Office. Is there a list of settings to tune after applying presets? https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365 For example, I found that Impersonation Protection comes with ZERO protected users (I also read there is an overall 60-user limit per rule). How do I set my protected users? The Microsoft link suggests: "The default anti-phishing policy in Microsoft Defender for Office 365 provides https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide#spoof-settings and mailbox intelligence for all recipients. However, the other available https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365 features and https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#advanced-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365 are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies." But I thought one cannot modify default policies. Here is how it looks in default Strict settings:

Re: SignInLogs are not showing in Log Analytics / Azure Monitor
Hello, I got the same issue in my purpose-built demo tenant - all the eval licenses are present, everything is configured, EMS E5 (Eval), Azure (Free Eval with credit), AAD is P2 (eval), but SignIn logs are not showing in the Log Analytics Workspace. What is the final take on this? It has been about 12 hours since the config was applied. How do I get this flushed?

Re: Advanced Hunting for SmartScreen events
Thank you for pointing to the new Security GUI reports ( https://security.microsoft.com/webprotection ). The old GUI reports ( https://securitycenter.windows.com/reports/webThreatProtection ) are not the same as the new ones. The main difference - the "Details" buttons are missing.

Re: Advanced Hunting for SmartScreen events
I found it difficult to investigate Web Content Filtering as well. Besides, it is impossible to see the category of a Web Filtering blocked URL. There is https://incompass.netstar-inc.com/urlsearch but it is unclear how this correlates to Microsoft MDATP Network Protection Web Filtering decisions.