Content From Vic .Net Presentation

Last week I had the wonderful pleasure of presenting to the Victorian .Net User Group. I want to thank Mahesh, the other organizers and SportsBet for the wonderful facilities.

I have been extremely lucky to present to a wide range of audiences on the security challenges that PowerShell brings to our organisations. From security groups to architecture to infrastructure and now development focused groups.

As promised, here is the content, code and links to more information.

You can download the PowerPoint slides here, or find them on SlideShare here.

If you want to take a look at the "malware" script that I created, you can find it up on GitHub here. The repository includes two files: an example Excel spreadsheet containing a macro that would infect a system, and SystemInformation.ps1, which is the actual "malware" that is the basis for all of my demonstrations.

I mentioned Matt Graeber's write-up on PowerWorm, which can be found at his site, www.exploit-monday.com. Matt has rewritten the code to be safer, and has also provided tools to detect and remove PowerWorm infections; these can be found on his GitHub.

Another important set of resources is the five-part series from Microsoft's Hey, Scripting Guy! blog.

I recommend reading the final two parts; I have made use of the code from these within SystemInformation.ps1.


Kieran

Please update your RSS subscriptions

This is just a quick public service announcement: if you subscribed to my blog back on the old domain name, aperturescience.su, then please update your reader's settings to point to the new RSS feed address: http://www.poshsecurity.com/?format=rss

At the end of April my old domain, aperturescience.su, will be switched off, and I would hate for you to miss out on further content.

Thanks!

Kieran Jacobsen

Enabling Mobile Device Management with Office 365

Microsoft recently announced that they would be including a Mobile Device Management (MDM) platform as part of Office 365. What this means is that organisations, both small and large, now have an extremely easy and powerful MDM available to them, without any additional charge to their Office 365 licensing. Administrators can manage Android, iOS and Windows Phone devices, and enforce various corporate policies and standards.

To support the new MDM functionality, you will need to create two new DNS records in each of your Office 365 domains. I have updated the Posh-Office365CloudFlare script to support the creation of these two additional records. You can create these records via the -MDMEnable parameter.

The process for creating the entries is as simple as:

Register-Office365.ps1 -CloudFlareApiToken <token> -CloudFlareEmailAddress <email> -Domain <domain> -MDMEnable

Just a quick note: I am yet to fully test out the new MDM functionality, as none of my existing tenants have been enabled for it yet.

Kieran Jacobsen

Upcoming Presentation at Victorian .Net User Group

I am excited to announce that I will be presenting PowerShell Shenanigans – Lateral Movement with PowerShell, to the Victorian .Net User Group.

This presentation will be an updated version of the one from CrikeyCon 2014, BIG and OWASP Brisbane.

Information about the session is listed below, and you can register here at Eventbrite.

PowerShell Shenanigans (Lateral Movement with PowerShell)

PowerShell, the must-have tool and the long-overlooked security challenge. Learn how PowerShell's deep integration with the Microsoft platform can be utilized as a powerful attack platform within the enterprise space. Watch as a malicious actor moves from a compromised end-user PC to the domain controllers, and learn how we can begin to defend against these types of attacks.

About the Speaker

Specialising in the automation of Windows Server environments, and with 10 years' experience in the managed services and financial services sectors, Kieran Jacobsen recently moved from sunny Brisbane to Melbourne to pursue a role as a Technical Lead with Readify. Kieran has always been a passionate member of the technical community, beginning as a Microsoft Student Ambassador and then as a presenter at a number of conferences including Infrastructure Saturday, CrikeyCon and Risky Business. Kieran maintains the Posh Security website, http://poshsecurity.com, with content ranging across automation, architecture, troubleshooting and software development.

Event Details

Automating Office 365 deployments in CloudFlare

A few weeks ago, I wrote about Posh-CloudFlare, a PowerShell module I created for managing CloudFlare-hosted domains. Since then, I have been working on extending an Office 365 deployment, and realized that what was needed was a script that could automate the configuration of new domains. With that in mind, I developed a new PowerShell script, Posh-Office365CloudFlare.

Let's understand the process for the addition and configuration of a new domain for Office 365.

The process starts in the Office 365 Portal. We navigate to the Domains section, click the "Add Domain" button, and after ignoring the introduction, we proceed to step 1. This step starts with us entering our domain name; let's use our old favorite, contoso.com. Now we will be asked to verify that we own this domain, either through the creation of a TXT record or an MX record. The typical method is a TXT record, created at the root of our desired domain, with a value something like "MS=mx********".

After we create the domain, and the wizard successfully sees the appropriate record, we will be allowed to proceed to the next step. Step 2 isn't one that I usually make use of. I typically don't want to modify my users' email domains, nor do I want to add new users at this time. I skip this step and move straight on to step 3.

Step 3 starts with another quick introduction screen, and then we will be asked if we would like the DNS for this domain to be managed by Microsoft. Obviously, we are going to answer no and move on. Finally, we reach an important step: we are asked what we want to do with this domain. The first option is "Outlook for email, calendar, and contacts", or in other words, email; the second is "Lync for instant messaging and online meetings", which is self-explanatory.

If you select “Outlook for email, calendar, and contacts”, then we will be told to create the following records in contoso.com:

  • MX - @.contoso.com - which points to contoso-com.mail.protection.outlook.com (priority 0)
  • CNAME - autodiscover.contoso.com - which points to autodiscover.outlook.com
  • CNAME - msoid.contoso.com - which points to clientconfig.microsoftonline-p.net
  • TXT - @.contoso.com - which contains an SPF record

If you select “Lync for instant messaging and online meetings”, then we will need to create the following records for contoso.com:

  • CNAME - sip.contoso.com - which points to sipdir.online.lync.com
  • CNAME - lyncdiscover.contoso.com - which points to webdir.online.lync.com
  • CNAME - msoid.contoso.com - which points to clientconfig.microsoftonline-p.net
  • SRV - _sip._tls.contoso.com - with its appropriate port, weight, priority and target
  • SRV - _sipfederationtls._tcp.contoso.com - with its appropriate port, weight, priority and target

Reviewing this list of records, we will notice that the only record that changes for each domain is the MX record. Its target consists of the domain name we want to add, with dashes replacing the original dots in the domain name. As you can see in the above example, contoso.com's MX record points to contoso-com.mail.protection.outlook.com, whereas awesomecompany.net would point to awesomecompany-net.mail.protection.outlook.com.

What about some records that could actually help our users? What if I said we could redirect subdomains of our own to the Outlook Web Access page? Wouldn't it be awesome if a user entered https://mail.contoso.com into their browser and ended up at Outlook Web Access? This can be achieved by creating a CNAME record that points to mail.office.com. Let's have our script create entries for mail and webmail that perform this redirection.

Now back to the script.

This is a simple script with no complex logic; it needs the following information:

  • CloudFlare API Token and email address; this is obvious as we need to talk to the CloudFlare Client API.
  • The domain name.
  • Do we want to create mail records? Lync records or both?

This is a very, very simple script: we just need a set of New-CFDNSRecord calls, with various controls depending on what we require.

For example, creating the MX record is as simple as:
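As an added illustration, which is not the code from Register-Office365.ps1 itself, the function below builds the whole record set described above for a domain, including the dash-for-dot MX target derivation. The function name and the output property names (Name, Type, Content, Priority) are assumptions chosen so the objects could be piped by property name into a cmdlet such as New-CFDNSRecord; the SPF value is the standard Office 365 include and is also an assumption, since the post only says "an SPF record".

```powershell
# Added example, not the post's own script. Returns the DNS records Office 365
# asks for, as objects suitable for piping by property name (names assumed).
function Get-Office365DnsRecordSet {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')]
        [string] $Domain,
        [switch] $Mail,            # Outlook records
        [switch] $Lync,            # Lync records
        [switch] $WebmailRedirect  # mail/webmail CNAMEs to Outlook Web Access
    )

    $records = New-Object 'System.Collections.Generic.List[object]'
    $add = {
        param ($Name, $Type, $Content, $Priority)
        $records.Add([pscustomobject]@{
            Name = $Name; Type = $Type; Content = $Content; Priority = $Priority
        })
    }

    # Normalise case so CONTOSO.COM yields the same MX target as contoso.com.
    $Domain = $Domain.ToLowerInvariant()

    if ($Mail) {
        # The only per-domain value: dots in the domain become dashes in the target.
        $mxTarget = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
        & $add '@' 'MX' $mxTarget 0
        & $add 'autodiscover' 'CNAME' 'autodiscover.outlook.com' $null
        # Standard Office 365 SPF include (assumed value).
        & $add '@' 'TXT' 'v=spf1 include:spf.protection.outlook.com -all' $null
    }

    if ($Lync) {
        & $add 'sip' 'CNAME' 'sipdir.online.lync.com' $null
        & $add 'lyncdiscover' 'CNAME' 'webdir.online.lync.com' $null
        # The two SRV records are omitted: their port, weight and priority
        # are not given in the post.
    }

    if ($Mail -or $Lync) {
        # msoid appears in both lists, so create it once rather than per set.
        & $add 'msoid' 'CNAME' 'clientconfig.microsoftonline-p.net' $null
    }

    if ($WebmailRedirect) {
        foreach ($label in 'mail', 'webmail') {
            & $add $label 'CNAME' 'mail.office.com' $null
        }
    }
    return $records
}

# Usage: Get-Office365DnsRecordSet -Domain contoso.com -Mail -Lync -WebmailRedirect
```

Piping the result into a record-creation cmdlet that binds Name, Type, Content and Priority by property name gives the same shape of script the post describes.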

This script only took an hour or so of testing and development time; however, quite a bit of effort went into changes to Posh-CloudFlare and the New-CFDNSRecord cmdlet. If you look at the diffs between the last few versions, you will notice the following changes:

  • The cmdlet now accepts input from the pipeline (in this case via property name).
  • The cmdlet has been restructured into Begin/Process/End blocks (required for proper handling of pipeline input).
  • Implementation of parameter sets.
  • Cleanup of the validation of parameters.

I added parameter sets to New-CFDNSRecord with the aim of removing the somewhat faulty validation that I had previously. Whilst this sounded, and looked, simple, it actually took a few tries to ensure that the cmdlet would function appropriately. This was really interesting and deserves its own post in the future.

Parameter validation was updated in all of the cmdlets to improve email address validation. Previously, validation consisted of testing for an "@" character; now I am using a regular expression.

Finally, I have spent some time cleaning up the code, not just within New-CFDNSRecord, but across all of the cmdlets. I have been trying, where possible, to use ISE Steroids to ensure that everything I write is neat and presentable; it is a fantastic resource.

My final thought on this whole journey is: why couldn't Microsoft have implemented something like this? Microsoft has integrated the process with a number of other DNS providers, including the likes of GoDaddy, Network Solutions, 1&1 and even Yahoo Small Business. Why can't it also support CloudFlare?

You can find the finished script over at GitHub, at Posh-Office365CloudFlare; the script is called Register-Office365.ps1. I have included comment-based help with examples.

Kieran Jacobsen