
Nerdio Fundamentals: Security Components

July 02, 2019 | Videos

Joseph Landes:
In this session we’ll talk about one of the most frequently asked-about topics when it comes to Microsoft Azure and Nerdio for Azure: security components. Building a successful cloud practice in Microsoft Azure requires having a strong foundation in security fundamentals, as it is something your customers will not just ask about, but demand. We’ll dive into multifactor authentication in the Nerdio Admin Portal and in Office 365, self-serve password reset, content filtering, encryption, and much more. Enjoy the session.

Vadim Vladimirskiy
Today we’re going to talk about various security components that Nerdio for Azure helps provision when standing up an IT environment in Azure and Office 365. There are a number of elements that go sort of under the security heading. We’re going to cover a few of them in the different groups, and then we’ll also look at the various reports and Secure Score that bring those elements all together and present them in kind of a single view, a unified view in the NAP.

Vadim Vladimirskiy
The first thing I want to talk about is multifactor authentication. Multifactor authentication, as we obviously all know very well, is a highly recommended security practice to prevent and protect against password theft. If a password is stolen, then the second factor is still required in order to be able to log into a particular system. NFA helps with multifactor authentication or two-factor authentication, whichever term you feel like using. Both of them are correct. It helps with MFA across various different components of this system. Let’s take a look at the specifics.

Vadim Vladimirskiy
The easiest one to look at and understand is MFA or two-factor authentication for the NAP itself. NAP is a place where somebody can come in and really make lots of different changes to the system. So being able to protect the NAP with a second factor is important, and that is implemented in the portal as an opt-in type of a situation, meaning that it starts out as turned off by default, and it’s something that an administrator would need to come in and enable.

Vadim Vladimirskiy
MFA for the Nerdio Admin Portal can be enabled at multiple different levels. Remember, there are different roles of users in the NAP. There are partner administrators, distributor administrators, and then individual IT admins within individual accounts within the platform. So for all of those there is a way to enable two-factor authentication. Let’s look at it from an account administrator, from an IT administrator perspective first.

Vadim Vladimirskiy
I’m currently logged in as an account ID administrator in 5,009. If I go under Settings and Security, I will have this on/off toggle at the top. It’s going to be turned off by default. If I turn this on, what’s going to happen is the following. It’s going to give me the ability to enter whitelisted ranges of IP addresses or individual IP addresses. Then if the connection is coming from these addresses, there will be no second-factor challenge. The login will proceed just with the username and password. However, if you’re coming in from an IP address that’s not in one of these whitelisted ranges, then there will be a challenge. And that challenge is going to be sent as an SMS code to the user’s phone number.

Vadim Vladimirskiy
Now, depending on the type of user account, the phone number comes from a different place. For instance, say you have a customer’s user, let’s say the IT administrator who is going to be logging into the Nerdio Admin Portal with their standard username and password. Then if two-factor authentication is enabled and they are not coming from a whitelisted IP range, there must be a phone number in this field in order for them to be able to log into the Nerdio Admin Portal. If they don’t have one, on login they will get an error message saying that 2FA is enabled but a phone number is not specified. Then they will not be able to log in. And the only way to log them in is going to be either disabling 2FA at the account level, adding their IP address into the whitelist, or giving them a phone number so they can get a text message on their phone.

Vadim Vladimirskiy
That is one place where the phone number is pulled from if the user who’s logging in is an end user, a customer’s end user. Let’s go back in here and just turn this off. All right. Let’s say off. Now, if you go one level up and you’re now looking at the system from the partner administrator perspective, there is also a security screen here with an enhanced security toggle that can be turned on. Same concept here. You will get a whitelist, a range of IP addresses that can be whitelisted. And here it’s giving you a little warning so you know what the effect is. There are going to be 13 NAP users that are part of this particular partner account.

Vadim Vladimirskiy
I’m logged in as one of the partner administrators and I am enabling two-factor for the partner administrator’s account, so for the reseller and all of the reseller’s users: the sales team, their engineering team, their support team. Whoever is using the NAP is going to be affected by this change. NAP is telling me there are 13 such users in the system. And if I enable this, if I go ahead and click Enabled, you can see these various whitelists that exist that can be edited, et cetera.

Vadim Vladimirskiy
But the important thing to keep in mind is that each user has a phone number associated with their account. If I go under NAP users, you can see these are the 13 users that the system was telling me about. If I go and edit any one of them, let’s pick on Carl, going to edit Carl, there should be a phone number in this field. If there’s no phone number in this field, then again, they will not be able to log into the NAP unless they’re coming from a whitelisted address.

Vadim Vladimirskiy
A user can change their own phone number by managing their profile from the top right. So going to Manage Profile, and here again you can specify that phone number. Specifying the number here will update that same record that you see for the users listed right here.

Vadim Vladimirskiy
Now, not all users will have access to this NAP users module because they may not be an administrator. For example, Pat1 Partner is a tier one support user. They will be able to update their phone number from here. Or someone else can update their phone number from here, but they won’t be able to go in and update phone numbers for anyone else.

Vadim Vladimirskiy
2FA for the NAP is enabled either on a per-account basis or a per-partner-admin-account basis, and in both cases you need to make sure that the people who are trying to connect are either coming from whitelisted IP addresses, or they have a phone number specified, so they can get a code and be challenged by that code. Otherwise, they’ll get an error message and won’t be able to log in.

Vadim Vladimirskiy
Let’s move on to the next multifactor authentication capability, and that is in Office 365. In Office 365 there is an option to enable MFA on a particular user’s account. That will require them to specify a phone number or mobile device, or whatever. It will enroll them into that particular 2FA functionality. And then every time they log into Office 365 through the web or through one of the apps on the mobile device or on the computer, they’re going to be asked for that second factor.

Vadim Vladimirskiy
In the Nerdio Admin Portal, there are a couple of things that we help with when it comes to 2FA in Office 365. First there is this on and off button. Having this button set to off is, I believe, the default setting when an account gets provisioned. Now, this doesn’t actually affect anything that’s going on in Office 365. What it does do is it changes the UI on each individual user’s account, and you will not see an Office 365 enable/disable kind of a toggle here. You can see this looks like a regular user edit screen, or user add screen, and this area right here where I’m moving my mouse, hopefully you can see that, this area is blank.

Vadim Vladimirskiy
If I go into Settings and I turn this option on, this will enable a UI element. Now you can see I turned 2FA or MFA for Office on. All right, so now I have that setting turned on. Now I have a UI element here that I can go in and enable MFA for a particular user. By default that user’s MFA in Office 365 is turned off; this is going to read that setting and show me that it’s off, and it’s going to give me an option to enable it on a per-user basis. This will then require the user to enroll themselves in MFA in Office 365 the next time they log into Office 365 through the web browser.

Vadim Vladimirskiy
There is also a way to send a notification, either via email or via text, to the user to let them know that this has been done and give them instructions on how to go through the process of enrolling themselves in it.

Vadim Vladimirskiy
This is completely independent of the two-factor authentication that happens at the NAP level to log into the NAP as an admin portal. This is purely for Office 365 and any of the Office 365 properties. So it would be email, it would be Teams, Skype for Business, Stream. Any of those services that are part of Office 365 would be affected by this.

Vadim Vladimirskiy
Now when you enable someone, it doesn’t force them to use MFA. If they have Outlook already configured on their mobile device or on their desktop, it is going to just continue to allow Outlook to keep working because it’s not enforcing MFA. In order to enforce MFA, which means you force them to enroll, and without enrolling they won’t be able to use their existing devices, we don’t have an option for that in the NAP, intentionally. You can go into Office 365 and set the user’s setting to enforced, in which case it’s going to now allow them to use existing configured devices.

Vadim Vladimirskiy
But these settings again reflect exactly what’s in Office 365. Making a change will go into Office 365 and turn it on or off. Whereas this setting is controlling the UI element in the user’s edit module, either making Office 365 part of the UI or not part of the UI.

Vadim Vladimirskiy
Then the third component for two-factor authentication is the desktop login, so the Windows desktop login. We call it two-factor authentication Windows. This is the capability that’s provided by the SMS Passcode product that is integrated into the Nerdio deployment, which is running on DC01 and has an agent on every desktop, whether those are RDS session hosts or VDI workstations. So if you have this turned on, which by default currently it is, I think we’re in the process of making it also an opt-in type of a service where you have to come in and turn it on, but currently it’s on by default. And the way it’s configured out of the box is, as you all know, in order to make that apply to individual users, you have to specify the phone number in here. By just specifying the phone number on the default configuration, a user will be prompted for a second factor when they’re logging into the desktop.

Vadim Vladimirskiy
This is all customizable. We have guides and instructions on how to go into SMS Passcode and configure it to use maybe voice, maybe email, maybe a soft authenticator. And I think there may be support for some hardware authenticators. But the most popular ways are either through SMS or through something like Microsoft Authenticator or Google Authenticator, and I believe both of those soft authenticators are supported with SMS Passcode. SMS Passcode protects a user from someone compromising their desktop login and is independent of Office 365 and is independent of the NAP 2FA. So each one of those three different multifactor features can be customized independently of each other.

Vadim Vladimirskiy
Now coming in here and setting this setting to off will basically globally disable it for everybody on the system and make it so that the phone number you entered in each individual user’s account is basically inactive; it’s just going to be a mobile phone number. It’s not going to enable anything from a two-factor authentication standpoint. Then turning it on doesn’t mean that it enrolls everybody in 2FA. It just means that now, once it’s on and the phone number is specified, the user will get challenged. If the phone number is not specified, whether this is on or off, the user will not get challenged. That is two-factor authentication.

Vadim Vladimirskiy
One other thing that I want to mention is the self-service password reset, also a feature of the SMS Passcode product that’s integrated into the Nerdio deployment. There is a URL that all users can go to from anywhere, from any internet-connected device. This will prompt them to type in their username, and assuming that they have a personal PIN and a mobile phone number specified in their Active Directory account, they will be able to reset their Active Directory password without having to log into the system, just by using a web browser and an SMS text message that’s going to be sent to their registered phone number.

Vadim Vladimirskiy
If a partner wants to do a mass deployment and wants users to go through and change their own password, so the partner doesn’t have to do it for them, this is a popular way to do it. They would need to pre-configure the Active Directory with everyone’s mobile phone number, assign everyone a personal passcode, which could be just a handful of digits, and then allow users to go to this URL and set their own password to whatever it is that they want it to be. That’s an additional security-related password reset feature that’s available with MFA.

Vadim Vladimirskiy
The next thing I want to mention in regards to security is content filtering. Content filtering is a process that protects users who are using Nerdio desktops in the Nerdio deployment when they’re browsing the internet and allows you to manage the web addresses or web URLs that they can access. It has a list of malicious ones that get blocked by default. It has categorization where you can go in and edit the various whitelists and blacklists, et cetera. It’s very similar to services like OpenDNS, now called Cisco Umbrella, which uses DNS queries to determine the nature of the destination website and then applies the various policies that the administrator pre-configures for the organization based on those policies and those DNS queries.

Vadim Vladimirskiy
So a product that’s an alternative to something like OpenDNS/Cisco Umbrella is integrated in here. It’s called SafeDNS. The way that it works is pretty straightforward, but let me just show you what’s necessary for it to work. So the first thing is, with any DNS-based product, what you want to do is prevent users from being able to override the DNS query path. By default, DC01 is the DNS server that services all the lookups, and DC01 uses forwarders to go to the SafeDNS DNS servers to know which policies need to apply. And that’s where all the categorization happens.

Vadim Vladimirskiy
Now if someone were to go in, configure a desktop and change their DNS servers to be something like Google’s 8.8.8.8 or some other publicly available DNS source, they would bypass the entire content filtering methodology here. In order to prevent that, what we have is a rule all the way at the bottom that denies all DNS traffic by blocking port 53, both TCP and UDP, on the outbound from anything on the LAN, and then it explicitly allows DNS lookups to servers that are managed by SafeDNS, by basically punching a hole in this policy and saying this particular range of addresses can serve DNS queries.

Vadim Vladimirskiy
So that means that since DC01 is already configured to use DNS servers in this range, this is just going to work right out of the box. But if someone goes ahead and tries to change the DNS server to, let’s say, 8.8.8.8, they will be blocked by this firewall rule and their DNS lookups won’t work at all.

Vadim Vladimirskiy
The reason I’m showing you this is if someone wants to remove SafeDNS, replace it with something else, just disable it, et cetera, they need to take this firewalling setup into consideration when making the changes. For example, if someone wants to deploy Umbrella instead of SafeDNS, they would probably still keep this rule in place, and then they would edit the destination where the DNS queries are allowed in this rule to a different set of IP addresses. That would be one of the steps in replacing SafeDNS with something like Umbrella.

Vadim Vladimirskiy
There’s also a SafeDNS agent that’s installed on all of the desktop VMs, RDS session hosts and VDI desktops, that does a lot of that sort of on-the-host filtering. That needs to be either disabled or removed in order for SafeDNS to no longer be in the DNS query path. And then finally, on DC01 there’s a configuration where forwarders are configured to be the servers from SafeDNS; that would also need to be reconfigured.

Vadim Vladimirskiy
So firewall rules, number one; removing the agent or replacing the agent on the desktop VMs, number two; and then adjusting the DC01 default DNS configuration would be number three in order to replace SafeDNS with something else.

Vadim Vladimirskiy
All right, so that is SafeDNS and content filtering. There is a separate website, and each account gets a unique login obviously into this website. This is the website. You basically go to login, you put in the login credentials for a particular account, and then there is its own management portal that lets you manage and view audit logs on things like what websites have been visited, how many of them are productive or unproductive, so the types of things you would expect from a content filtering and web categorization type of a solution. It’s all managed through a separate third-party portal, not through the NAP at this point.

Vadim Vladimirskiy
Let’s take a look at a couple of other things before we’re done. We talked about password reset, SafeDNS. Let’s look at a couple of the other features that come in under the security heading. So first thing, just a reminder. If you recall, a couple of months ago when we talked about Azure storage and encryption and disk storage and encryption, we touched upon it, but let me just mention it briefly here since we’re talking about security. Encryption of data both at rest and in motion is probably the first thing you think about when you talk about security.

Vadim Vladimirskiy
Let’s talk about data in motion first. Data in motion is always encrypted by default unless something is changed on the default deployment, and we recommend that it always is. Recall, there is a LAN and a DMZ network segmentation. And in the DMZ you have two internet-facing servers. One is the RDFS proxy to authenticate logins. This is using HTTPS with SSL encryption. And then there’s also an RD Gateway server, which is used for tunneling connections to the desktop resources on the LAN. This also uses SSL encryption. So any traffic that comes into the environment in the default deployment will go through one of these two servers in the DMZ, and both of them enforce network encryption. So all data in motion coming in or leaving the environment is encrypted in the default configuration of the system.

Vadim Vladimirskiy
Now as far as data at rest, if you recall, there are two ways to do data encryption at rest. There is encryption of the storage system that Microsoft now does by default. By default, you recall that Azure storage encryption is enabled on all disks and all storage that’s provisioned inside of these NFA accounts. Anytime you create a new VM or a new storage account and place data in it, the data will be encrypted at the storage system level by Microsoft with a key that’s going to be maintained and kept by Microsoft without your ability to control it.

Vadim Vladimirskiy
There is an additional level of encryption, which you can implement at the operating system level or at the VM level, or more precisely at the disk level, which is disk-level encryption. Disk-level encryption allows you to use BitLocker for Windows VMs to encrypt individual disks inside of a VM, and then Azure will recognize that those disks are encrypted. And then you’ll have a dual level of encryption. You’ll have storage-level encryption with a key managed by Microsoft, and you can have BitLocker-level disk encryption that could be managed by the partner or the customer.

Vadim Vladimirskiy
We do not by default encrypt disks on top of the storage encryption. There’s storage encryption by default. Disk encryption is not enabled. It is something that can be done through the Azure portal or on each individual VM, but it is not something that’s currently available in the NAP. It is something that’s on our roadmap for sometime in the future to implement.

Vadim Vladimirskiy
That’s as far as data encryption goes. Let’s look at a couple of other things here. So if we go under Settings and we go under Security, we already looked at the 2FA on and off toggle. We looked at two-factor authentication for Windows, Office 365 and password reset.

Vadim Vladimirskiy
We also have this option here. This option allows you to block Exchange Online, which is part of Office 365, from forwarding emails to accounts that are outside of the organization, so things like Gmail accounts or Hotmail or whatever other accounts. This prevents the situation where someone’s credentials are compromised, maybe they didn’t have two-factor authentication or maybe that was passed through as well, and someone comes in and enters a rule into Outlook to forward the inbox to some third-party outside address. This prevents that from happening.

Vadim Vladimirskiy
So turning this on, which it’s not on by default, will log into Exchange Online and make that configuration, and will basically silently prohibit forwarding of emails to outside accounts. Again, a nice little feature that’s just enabled with a single button click. The alternative would be going through the Exchange Online config to make that change manually. That’s blocking email forwarding.

Vadim Vladimirskiy
We also have a few reports that come in really handy to look at the environment on a regular basis and understand if there’s anything suspicious going on. You guys are familiar with the users and servers reports. Those don’t really play into security as much as the next two. There’s one called inbox rules. The inbox rules report will basically inventory, on a schedule or on demand, all of the various user mailboxes in the account and let you know if there are any inbox rules for things like forwarding to other users or to other external accounts. This is a report that can be scheduled to run maybe on a weekly basis or monthly basis and emailed to maybe an administrator or the help desk, maybe an administrator at the customer to review or the help desk at the service provider to review on a regular basis, just to keep an eye on email potentially being compromised through some sort of phishing attack. That’s inbox rules.

Vadim Vladimirskiy
Then the other one is email forwarding rules. This is again a similar concept, specifically focused on forwarding of emails to other addresses. Also a good thing to schedule this report to be delivered to individuals within the organization to evaluate on a regular basis to make sure there’s nothing nefarious going on with email.

Vadim Vladimirskiy
One other thing to show you, and that is the Secure Score. Once we have all the security settings configured, we have users, two-factor authentication enabled, phone numbers specified, reports scheduled and running, then we have a tool called the Secure Score which will analyze the various components of the system and assign points based on how well it complies with best practices around security, and then generate the Secure Score and track it over time. This is just a nice way of being able to work towards and improve security posture over time.

Vadim Vladimirskiy
So you can see things here like SAN-level encryption of data at rest. That is set to yes because, as you recall, storage-level encryption is enabled by default. Backup being enabled gives us five points, and then the percentage of servers, 58% of servers, are included in the backup, so we get six out of 10 servers. This may be appropriate for this particular environment, and that’s why the score doesn’t necessarily have to be perfect. But it is directionally useful to see which way it’s moving.

Vadim Vladimirskiy
Then there are policies around two-factor authentication. There are policies around email forwarding, policies around what’s in the DMZ, password policy expirations, disabling logins for inactive users, et cetera. This looks at the various aspects of the system, everything from storage to networking, Office 365, and domain group policy, and gives you a composite score that can be used to improve the security posture.
