Events

System Center User Group – Clients days 2018

System Center User Group Sweden (SCUGSE) Client Days, a 2 day event with many interresting sessions.

Date:
October 8th
October 9th

Location:
Microsoft Office – Stockholm
Finlandsgatan 36
36 Finlandsgatan
164 74 Akalla

On this 10 years celebration of SCUGSE, David James from the Config Manager product team will come to Sweden and present.

Description

Agenda (as per June 28th)

Day 1

  • 0815 – Doors Open
  • 0900 – 0915 – Welcome – Jörgen & Stefan
  • 0915 – 1015 – State of the union – David James
  • 1015 – 1030 – Break / Networking
  • 1030 – 1115 – TBA – David James
  • 1115 – 1130 – Break / Networking
  • 1130 – 1215 – What’s new from Ignite! – Stefan Schörling / TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1330 – Sponsor Session – TBA
  • 1330 – 1345 – Break / Networking
  • 1345 – 1430 – TBA – David James
  • 1430 – 1445 – Break / Networking
  • 1445 – 1530 – TBA – TBA
  • 1530 – 1615 – Q&A DJAM and Speakers

Day 2

  • 0815 – Doors Open
  • 0900 – 1000 – Windows 10 as a Service, the good the bad and the ugly – Stefan Schörling / Jörgen Nilsson
  • 1000 – 1015 – Break / Networking
  • 1015 – 1100 – Managing and Securing Web browsers in Windows 10 – Jörgen Nilsson
  • 1100 – 1115 – Break / Networking
  • 1115 – 1215 – From the Community – TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1330 – Sponsor Session – Lookout
  • 1330 – 1345 – Break / Networking
  • 1345 – 1430 – What’s new in Windows 10 1809 – TBA
  • 1430 – 1445 – Break / Networking
  • 1445 – 1545 – Advanced Windows 10 Deployment Tricks “TS End2End” – Nickolaj A
  • 1545 – 1600 – Closing and Price Drawings

OBS! Genom att anmäla mig binder jag mig till en no-show avgift på 500kr om jag anmäler mig till en fri-biljett och inte kommer på eventet. Jag godkänner även att mina uppgifter kan även komma att delas med sponsorerna.

THE EVENT WILL BE HELD IN SWEDISH FOR THE MAJORITY OF OUR SESSIONS EXCEPT FOR OUR INTERNATINAL SPEAKERS

For tickets and further information, please visit:
https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2018-tickets-47148736139

SCUG SE on Facebook:
https://www.facebook.com/groups/241438124169/

 

 

Links from our TechDays Presentation

 

Image may contain: 2 people, people smiling, people standing

Here are a link collection and some brief information from our TechDays session.

We’ll skip the wannacry part from the post because it’s everywhere anyway except for the fact that patching is extremely important.

Selecting hardware

There is no secret that Microsoft is working hard to reduce the use of passwords. It’s simple, It’s something you know and someone else can find it out.

Windows Hello Requirements
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise
Hardware Security Testability Specification
https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification

Managing firmware patches

Firmware also needs patching. You need to be able to deploy firmware patches to your clients which is already in the environment

TPM Recommendations
https://docs.microsoft.com/en-us/windows/device-security/tpm/tpm-recommendations

BitLocker mitigation plan for vulnerability in TPM

https://support.microsoft.com/en-us/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm

UEFI Secure Boot


https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

Security features

Credential guard
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

Device Guard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide

Windows Defender Exploit Guard

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

Attack Surface Reduction
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

This security feature really harderns the client. Especially when it comes to office applications.
As an example, one of the rules, will stop office applications form starting another process like CMD or powershell using DDE.

PowerShell Example
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled

 

Controlled Folder Access
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard

This is the new ransomware protection. It looks great but too soon to call it the silver bullet since you can still to a full disc encryption.
But ransomware’s that encrypt files this is something that has to be configured for your protection. Sec-Labs R&D will dig deeper into this feature.

PowerShell Downgrade Attacks

All new cool security features are being added in PowerShell version 5.0.
AMSI (Antimalware scan interface) – Not that many 3rd party AV vendors are supporting this which is a shame when we look at real world attacks today
Constrained Language Mode – Lock down, no api calls just legacy powershell
System Wide Transcript
Script Block Logging

PowerShell -version 2 and you’re in… (more or less)

PowerShell version 2 is deprecated since Windows 10 1709. When you install .net 3.5 it will be enabled and then you’ll have to disable it.

PowerShell downgrade attacks can be found in the event viewer, ID 400 and then the host version less than 5.0

Oldschool configurations which should already be in place

Local firewall – Enabled!

Applocker
We always get’s questions about applocker. It is builtin since Windows 7.
Build, evaluate and push a baseline to take control of executions no need for 3rd party here.

Windows Event Forwarding, WEF
When we asked, there were just a few actually using this.
There are lots of documentation on how to deploy this in an enterprise.
https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

Encrypt the harddrives, no excuses here.

DMA Protection
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security

Antimalware
Don’t spend your money here.

LAPS Local Admin Password Solution
Make sure you don’t have the same local admin password on all clients.

https://technet.microsoft.com/en-us/mt227395.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=46899

Guidelines to secure and lockdown you Internet Browsers
https://www.us-cert.gov/publications/securing-your-web-browser
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
https://docs.google.com/document/d/1iu6I0MhyrvyS5h5re5ai8RSVO2sYx2gWI4Zk4Tp6fgc/edit
https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#HE5XfCofMiy1S7QM.97

Windows Defender Advanded threat protection (WD ATP)

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

Built-in Security Stack (Agent-less)

Supported on:
Windows 10 1607 (minimum)
Windows Server 2012 R2
Windows Server 2016
X-Plat Support under Investigation

Licensing
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

 

Sysinternals Sysmon is also a great tool to deploy if you can’t use WD ATP for some reasons or just want to see more for yourself.
Should be used with Event Forwarding

Securing Privilege access
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access

 

Link to slides here

 

 

 

 

 

 

EVENT: Åtgärder mot finansiell brottslighet [Swedish Event]

 

SEC-Labs R&D will be presenting at – Åtgärder mot finansiell brottslighet – in Stockholm in December.

During the session – Digital World, Digital Criminals – From code to cash We will give you an insight to the darkest corner of the internet. We will share our knowledge about hackers and how they can get to your secret information without you even know it happened.

URL
http://insightevents.se/events/atgarder-mot-finansiell-brottslighet

 

Event: SCUG.SE – Client days in October 2017

The popular client event is back in October held by System Center User Group Sweden.

A mix of good to know and news where the field experts will share their knowledge during these two dates at the Microsoft office in Akalla – Stockholm

Most of the sessions are in Swedish

Date and Time
Thu, Oct 12, 2017, 8:30 AM –
Fri, Oct 13, 2017, 3:30 PM CEST

Location
Microsoft Sweden
36 Finlandsgatan
164 74 Akalla

Agenda (current)

Day 1

  • 0815 – Doors Open
  • 0830 – 0900 – Keynote – Future of a managed client – Jörgen & Stefan
  • 0915 – 1015 – What’s new in Configuration Manager 1706 and beyond! – Jörgen
  • 1030 – 1130 – The latest news on Windows 10 17xx modern management – TBA
  • 1130 – 1230 – Lunch
  • 1230 – 1315 – Sponsor Session
  • 1315 – 1345 – Scripting, Code and APIs the good, bad and the ugly – Fredrik Wall
  • 1400 – 1430 – Intune and PowerShell – Nickolaj Andersen
  • 1445 – 1545 – Best of Ignite – Stefan Schörling
  • 1545 – 1645 – Plan and deploy efficient content management – Andreas Hammarskjöld
  • 1645 – Q&A – Expert panel!
  • 1930 – Mingel på Stan

Day 2

  • 0815 – Doors Open
  • 0830 – 0930 – Windows 10 Enterprise Adoption – TBA
  • 0930 – 1030 – (EMS) TBA – Jan-Ketil Skanke
  • 1045 – 1115 – Using Ci’s in Configuration Manager deep-dive – Jörgen
  • 1115 – 1130 – Increase your patch compliance to 99% using ConfigMgr Health Script – Anders Rödland
  • 1130 – 1215 – TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1345 – Managing Office 365 using Configuration Manager real world challenges – Stefan Schörling
  • 1400 – 1500 – Task Sequence Optimizations and Tricks – Jörgen / Johnny / Nickolaj

Get your tickets here:
https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2017-tickets-37120053078

Join SCUG.SE User group on facebook

https://www.facebook.com/groups/241438124169

/SEC-LABS R&D

 

 

TechDays Sweden – Take care of your clients, you don’t WannaCry

In October SEC-LABS R&D Crew will be presenting at the Swedish Premier Microsoft IT Event TechDays. We will be talking about how to Secure your Windows clients, we are going to walk you through the Microsoft security stack you can use to protect your Windows client with. We will be focusing not only on Windows 10 but other solutions and practices you can leverage to build a more secure client environment.

http://tdswe.se/events/take-care-of-your-clients-you-dont-wannacry/ 

We hope to see you there / Stefan and Mattias

We have embedded a video from last years event below (Swedish)