Microsoft Security Matters Newsletter – June 2019

As Microsoft wraps up its fiscal year this past week, here's the latest newsletter for Microsoft Security.  There's a lot of good content in this edition, but I have called out the items that should be prioritized in italics.

General News

Microsoft 365 Security (All Up News)

Identity & Data Protection (Azure AD, Intune, AIP, MCAS)

Latest Azure AD Stats


Threat Protection (Office ATP, Windows Defender ATP, Azure ATP/ATA)


Troy Hunt’s (@troyhunt) “Have I Been Pwned” is for Sale and Microsoft Should Acquire

Early this morning, security researcher Troy Hunt posted on his blog (Project Svalbard: The Future of Have I Been Pwned) that he is taking steps to have his data breach service acquired.  If you are not familiar with “Have I Been Pwned”, I suggest reading Troy's post linked above, as he goes into detail about this great service, which he has been providing since 2013.

Ok, now for the reasons Microsoft should acquire this service from Troy:

  1. Microsoft has established itself as a security vendor over the past several years, providing similar technologies to enterprise customers.  Adding “Have I Been Pwned” to its existing services could enhance that enterprise offering.  For example, Troy's service allows IT admins to search for email addresses from their company to see whether they have appeared in any data breach.
  2. “Have I Been Pwned” also allows everyday consumers to sign up to be alerted when their personal email address shows up in a data breach.  Acquiring this service would allow Microsoft to expand its consumer-facing security services.
  3. “Have I Been Pwned” is a stellar example of an Azure-based solution that Microsoft can showcase to customers from an app-dev perspective.  As the service continues to grow (as we all know, breaches aren't slowing down), it shows how the Azure platform can handle that growth and how new platform features can be leveraged in the service.

Note:  The above is just my 2 cents on this major announcement from Troy and not that of my employer.



Just Do the Basics to Protect the Endpoint

Over the past few years, as part of my current role, I have had the pleasure of engaging in security conversations with customers.  These discussions have ranged from protecting identities to securing endpoints and sensitive data in the enterprise.  What has been consistent in these conversations is that individuals and organizations are chasing the next shiny object to solve their security problems.

While the latest and greatest security technologies are amazing and should be explored to help protect a company’s assets, the reality is that most enterprises aren’t even doing the basics when it comes to endpoint security.

Jessica Payne

The quote above is good guidance that everyone in enterprise IT Operations and Security should be following.  In most cases, a few tools that are either free or already licensed by most enterprises can improve the security posture overnight once implemented.


So let’s take a look at the basics that enterprises should be leveraging in their environments.

Implement LAPS Yesterday; It’s Been Free Since 2015

Microsoft LAPS (Local Administrator Password Solution) is a free tool from Microsoft that randomizes the local administrator password on each workstation, which in turn makes it more difficult for attackers to move laterally by reusing the same admin password across machines.


Do Not Turn Off the Windows Firewall…Yes, This Is Still Occurring in 2019

Most IT professionals know that the Windows Firewall comes as part of the Windows OS, yet some enterprises turn it off because they believe it is impacting applications in their environment.  Instead of turning it completely off, take the time to tune it to your needs and help the workstation stay protected.  To better understand how the Windows Firewall works, please take a look at Jessica Payne’s session “Demystifying the Windows Firewall”.

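As an added example (not from the original post or the session referenced), here is the “tune it, don’t disable it” sequence in PowerShell: re-enable the profiles with block-inbound defaults, log dropped traffic to find out what the blamed application actually needs, then allow only that.  The program path, port and subnet are constructed assumptions.

```powershell
# Added example: tune the Windows Firewall instead of turning it off. Run elevated.
$ErrorActionPreference = 'Stop'

# Where do we stand? A profile showing Enabled=False is the "someone turned it off" case.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# Re-enable all three profiles with the sane defaults (block unsolicited inbound, allow
# outbound) and log dropped packets so the "broken" app can be diagnosed, not guessed at.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Reproduce the application problem, then summarise the drop log by protocol/destination port.
# Log line layout: date time action protocol src-ip dst-ip src-port dst-port ...
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-Content $log | ForEach-Object {
    if ($_ -match '^\d{4}-\d{2}-\d{2} \S+ DROP (\S+) \S+ \S+ \S+ (\d+|-)') {
        '{0}/{1}' -f $matches[1], $matches[2]     # e.g. TCP/8443
    }
} | Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# Allow only that program, on that port, from the corporate range, on the domain profile.
# (Constructed values: the path, port and subnet are placeholders for the real application.)
New-NetFirewallRule -DisplayName 'Contoso LOB agent (TCP 8443, corp subnets only)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\Contoso\agent.exe' `
    -Protocol TCP -LocalPort 8443 -RemoteAddress 10.0.0.0/8
```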

It’s Not 1990…Turn Off SMB1

SMB (Server Message Block) is a remote file protocol commonly used by Microsoft Windows clients and servers; it dates back to the 1980s and was heavily used by enterprise applications in the 1990s.  In the 25-30 years since, attacks that take advantage of SMB1, such as man-in-the-middle, have become commonplace.  Most recently, SMB1 was used in the Petya outbreak, which impacted systems worldwide.


While SMB1 is disabled in newer versions of Windows, enterprises are re-enabling it so that legacy applications keep working.  Please work with those vendors to move to a newer version of SMB to minimize the risk to your organization. Ned Pyle at Microsoft maintains a list (link below) of companies whose products still require SMB1.  I highly suggest reviewing this list to see whether any of these applications are in use in your organization.
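Added example, not from the post: audit who still speaks SMB1 to a host before disabling it, using the built-in SMB cmdlets on Windows 10 / Server 2016 and later (the audit switch and event 3000 are not available on older builds).  Run in an elevated session.

```powershell
# Added example: find the SMB1 clients you still have, then turn SMB1 off. Run elevated.
$ErrorActionPreference = 'Stop'

# 1. Current state: the optional feature (client and server bits) and the server-side switch.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# 2. Audit before cutting. Sessions negotiated at dialect 1.x are SMB1 clients right now...
Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# ...and with auditing on, every SMB1 connection is recorded as event 3000 in
# Microsoft-Windows-SMBServer/Audit, which gives you the client list to chase vendors with.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. Once the audit log stays empty (or the remaining apps are fixed), disable SMB1 outright.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# On Windows Server the feature is removed with: Remove-WindowsFeature FS-SMB1
```

Leave auditing on for at least one full business cycle (month-end jobs included) before the final step; the event log, not the absence of complaints, is the evidence that nothing still depends on SMB1.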

Get Started on the right foot…with Windows 10 Security Baselines

Historically, enterprises, especially regulated ones, have leveraged STIGs (Security Technical Implementation Guides) to deploy a set of recommended security policies on Windows workstations.


Beginning with Windows 10, Microsoft began delivering Security Baselines for each build it ships twice a year.  These baselines are a set of recommended security policies that enterprises should consider and implement as they deploy Windows 10.


Windows 10 SmartScreen

SmartScreen is yet another free tool within Windows 10 that helps protect the endpoint.

SmartScreen determines whether a site is potentially malicious by:

  • Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
  • Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.

SmartScreen determines whether a downloaded app or app installer is potentially malicious by:

  • Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
  • Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn’t on that list, SmartScreen shows a warning, advising caution.


Leverage Cloud-Based AV…Consider Windows Defender

Given today’s threat landscape, enterprises should be leveraging an anti-virus (AV) solution on the endpoint that leverages the cloud for faster analysis rather than waiting on traditional definitions to be delivered.


In addition, as AV solutions become more of a commodity in today’s IT operations, companies should consider utilizing the Windows Defender solution that comes with Windows 10.  It continues to achieve perfect scores in industry-accepted AV tests.


Windows BitLocker

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.  This native Windows solution does not require an additional agent and makes OS upgrades for the enterprise a whole lot less complex than using a third-party tool.

Let’s Say It 3 Times…Patch, Patch, Patch

Per NIST guidance, and in an ideal world, enterprises would patch vulnerable systems when the updates are released.  However, for most organizations this poses a challenge, as they need to test the impact the updates will have on their environment.  The issue is that a lot of companies either do not have a formal patching process or pick and choose patches (example below), neither of which is good for the overall security posture.

windows patching

A quick example of a Windows patching cadence for enterprises to consider:

  • Microsoft Patch Tuesday updates are released on the second Tuesday of the month.  IT tests them on local devices first; if no issues are found, they are sent to a pilot group of workstations that is a good sampling of production and tested for the next 5-10 business days before rolling out to overall production.
  • The exception to the above is an out-of-band update, or one severe enough that the vendor recommends patching immediately because of the potential impact.

Too Much to Sift Through

Most large organizations have adopted a SIEM to collect event logs, but the reality is that this leaves their SOC analysts drinking from a fire hose and then trying to find a needle in a haystack.


Customers should consider keeping it simple by leveraging “Weffles” or by streamlining the event logs collected from Windows endpoints to the following:

  • Security Event Logs being cleared (1102)
  • New Local User Created (4720)
  • High-value groups, i.e., Domain Admins, being changed (4728)
  • Local administrator groups being changed (4732)
  • New Services being installed, particularly on Domain Controllers (4697)
  • Scheduled Task was registered or executed (106/200)
  • Successful Logon (4624)
  • Unsuccessful Logon (4625)
  • Logon was Attempted with Explicit Credentials (4648)
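Added example (not the post’s or Weffles’ own code): pulling exactly the event IDs listed above from one endpoint with Get-WinEvent, summarising the noisy logon IDs by count and printing the fields an analyst reads first for the rare, high-value ones.  It assumes an elevated session and the default Task Scheduler Operational log; the 24-hour window is a constructed choice.

```powershell
# Added example: triage the short list of event IDs above on a single endpoint. Run elevated.
$since = (Get-Date).AddHours(-24)

$events  = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 1102, 4720, 4728, 4732, 4697, 4624, 4625, 4648; StartTime = $since })
$events += @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 200; StartTime = $since })

# Volume view first: 4624/4625 dominate, and a spike in either is itself the signal.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Pull named EventData fields out of the event XML (the text an analyst actually reads).
function Get-EventField {
    param($Event, [string[]]$Name)
    $xml = [xml]$Event.ToXml()
    $xml.Event.EventData.Data | Where-Object { $Name -contains $_.Name } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }
}

# Fields per ID. 1102 keeps its actor under UserData, so it is listed by time only;
# 4624/4625 are deliberately left to the count table above to avoid re-creating the fire hose.
$fields = @{
    1102 = @()
    4720 = 'SubjectUserName', 'TargetUserName'                    # who created which account
    4728 = 'SubjectUserName', 'TargetUserName', 'MemberName'      # group changed, member added
    4732 = 'SubjectUserName', 'TargetUserName', 'MemberName'
    4697 = 'SubjectUserName', 'ServiceName', 'ServiceFileName'    # new service and its binary
    4648 = 'SubjectUserName', 'TargetUserName', 'TargetServerName'
    106  = 'TaskName', 'UserContext'                              # task registered, by whom
    200  = 'TaskName', 'ActionName'                               # task ran, what it launched
}

$events | Where-Object { $fields.ContainsKey([int]$_.Id) } | Sort-Object TimeCreated | ForEach-Object {
    '{0:s} {1,-4} {2}' -f $_.TimeCreated, $_.Id, ((Get-EventField $_ $fields[[int]$_.Id]) -join ' ')
}
```

The same filter hashtables drop straight into a Windows Event Forwarding subscription, which is the point of the list: forward these IDs from every endpoint and the haystack gets a lot smaller.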

AppLocker

  • Windows Version:  Pro & Enterprise


AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.  It’s ideal to use AppLocker in the following scenarios:

  • Your organization’s security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
  • An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
  • The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
  • A single user or small group of users needs to use a specific app that is denied for all others.
  • Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
  • In addition to other measures, you need to control the access to sensitive data through app usage.
  • Additional AppLocker details:


Aaron Margosis at Microsoft recently created a solution called “AaronLocker” that makes it easier for enterprises to implement and maintain AppLocker.  Details on this solution can be found in the following links.
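Added example (not from the post or the AaronLocker project): building an audit-only AppLocker policy from a known-good reference build, dry-running it against a file outside that set, applying it, and reviewing what it would have blocked.  The reference directories, the temp file name and the sample download path are assumptions.

```powershell
# Added example: AppLocker in audit mode from a reference build. Run elevated on that build.
$ErrorActionPreference = 'Stop'
$policyPath = "$env:TEMP\applocker-audit.xml"          # assumed scratch location

# 1. Inventory what a clean reference machine actually runs (DLL rules omitted: they are
#    the most intrusive collection and are best added once the EXE/Script set is stable).
$info = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Publisher rules for signed files (they survive vendor updates), hash rules for the rest.
$xml = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
                 -User Everyone -Optimize -Xml)

# 3. Audit only: AppLocker logs what it WOULD block (event 8003) but blocks nothing, so the
#    policy is tuned against real usage before enforcement (8004 = actually blocked).
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyPath)

# 4. Dry-run against something outside the reference set (constructed path for the demo).
$sample = "$env:USERPROFILE\Downloads\newtool.exe"
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply locally. Rules are only evaluated while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# After a few days of normal use, review the would-have-been-blocked list before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```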

This Will Be a Living Guide

My hope is to keep this a living guide that gets updated as new recommended best practices or technologies come out for Windows endpoints.  If there are other items that you feel need to be included, or you have general comments, please let me know.

In addition, there will be a Part 2 to this post called “Up Your Game” so stay tuned for that coming out in the near future.

Microsoft Security Matters Newsletter – May 2019

While there were several product updates over the past month (listed below), there was a pretty significant vulnerability that was patched by Microsoft.  If you read nothing else in this edition of the newsletter, please read the following:  A Reminder to Update Your Systems to Prevent a Worm.

General News

Microsoft 365 Security (All Up News)

Identity & Data Protection (Azure AD, Intune, AIP, MCAS)

Threat Protection (Office ATP, Windows Defender ATP, Azure ATP/ATA)



PSA: Azure AD Customer Training Webinars Started Back Up this Week

The week’s half over and you may have missed the first few webinars, but it’s not too late to join in and catch these great sessions on Azure Active Directory.

Topics of the Webinars

  • Getting Ready for Azure AD
  • Secure Your Identities with Azure Multi-Factor Authentication
  • Intro to Azure AD B2C: Make it easy for your customers to securely Sign In and Sign Up to Your Applications
  • Hybrid Azure AD Join
  • The Basics of Governing your Azure AD and Office 365 Deployment
  • Choosing the Right Authentication Method for Azure AD
  • Manage Your Enterprise Applications with Azure AD

The following link will get you to the resources to register for the webinars.


Microsoft Continues Its Azure ATP Webinar Series

Back in April, Microsoft did a series of webinars for its security products with one of those tracks being focused on Azure Advanced Threat Protection (AATP).  They are following up those sessions with two additional ones they announced today.

The next session will be on June 19th, at 8:00 AM PT / 11:00 AM ET / 15:00 UTC. It will discuss the new Unified SecOps Experience for Identities, which brings together Azure Advanced Threat Protection, Microsoft Cloud App Security, and Azure AD Identity Protection in a single console.

Part 2 of our Azure Advanced Threat Protection Detections Webinar is coming on July 10th, at 8:00 AM PT / 11:00 AM ET / 15:00 UTC. The Azure ATP engineering team is hosting a second webinar to help demystify Azure ATP detections.

If interested you can register for these webinars at



Microsoft Security Matters Newsletter – January 2019 Edition

After a 2018 packed with major security and compliance solutions and features added to Microsoft 365, 2019 is off with a bang, with key announcements in the areas of Identity and Threat Protection.  Enjoy going through the resources below in the first newsletter of 2019.

General News

Microsoft 365 Security (All Up News)

Identity & Data Protection (Azure AD, Intune, AIP, MCAS)

Threat Protection (O365 ATP, Windows Defender ATP, Azure ATP/ATA)


Jeremy Windmiller | Enterprise Security Architect, CISSP, ITIL | Microsoft – Healthcare