April 28th New-York City
Securing your infrastructure with Azure Multi-Factor Authentication
Prabhat Nigam – Golden Five LLC
CTO and Architect
4/28/2017 – New-York City Page 2
Thanks to our Organizers!
Tome Tanasovski, PowerShell MVP
Blog: http://powertoe.wordpress.com/
Twitter: @toenuff
Ben Serebin, Exchange Junkie
Blog: http://blog.reefsolutions.com
Twitter: @bserebin
Eric Fellen
Website: http://www.nyewin.org
Ken Reid
Website: http://www.nyewin.org
David Sebban, Windows IT Pro MVP
Blog: http://dsebban.wordpress.com
Twitter: @davidsebban
User Group Communities
NYC PowerShell User Group
• Meetings: Second Monday of the month, 6:00PM, Microsoft NYC Office
• Web: http://powershellgroup.org/nyc
New York Exchange User Group (NYExUG)
• Meetings: Second Tuesday of the month, 5:45PM to 9PM, Microsoft NYC Office
• Web: www.nyexug.com
Devices and Datacenter User Group New York (DDUGNY)
• Meetings: First Thursday of the month, 6:00PM, Microsoft NYC Office
• Web: http://www.meetup.com/ddugny
Event Sponsors
Event User Groups
Introduction
Prabhat Nigam
3xMVP, Blogger, Speaker, Author, Father, Husband
CEO - LAEXUG Foundation
Blog: MSExchangeguru.com
Email: [email protected]
@PrabhatNigamXHG
Website: GoldenFiveConsulting.com
Agenda
• Identifying the Security Risk
• Security Options
• Azure Multi-Factor Authentication
• Secure Your Infrastructure with Azure MFA
Ask Me and Get Something
Ask me a great question and win.
$100 Gift card for Azure.
Make sure to use it before 5/22/2017
Not for everyone
Not for Organizers
Not for Speakers
Not for Microsoft and Golden Five Consulting Employees
Security Analysis shared By Microsoft
160 million customer records compromised
140-200+ days between infiltration and detection
87% of senior managers admit using personal accounts for work
50% year over year growth in electronic data
Ever-evolving industry standards across geographies
Recent Cyber Attacks
MyDoom: a virus which caused $38.5 billion in financial damage
Year 2016 witnessed frequent cyber-attacks, increased by 400 hundred percent
Malware attacks nearly doubled, 8.19 billion
Ransomware or Crypto Virus or Crypto-Locker
Chief of Police wrote this:
http://www.officer.com/article/12304582/alert-ransomware-and-crypto-virus
Reality Check of Cyber Attack
• How many here have experienced a cyber attack?
Or
• Your organization has been attacked.
Let us check here.
http://map.norsecorp.com/#/
Survey
How many of us are planning for Multi-Factor Authentication?
Security Options
• No Internet
• DMZ
• VPN
• Enforce Passphrase Password
• MFA or Two Factor Authentication
Multi-Factor Authentication options
• Okta MFA
• AWS MFA
• RSA Token
• Symantec VIP
• CA Advanced Authentication
• Duo Two Factor Authentication
• ESET Two Factor Authentication
• Azure MFA
Azure MFA Options
There are two versions of Azure MFA
• Office 365 version
• On-Premise version
  • Azure Multi-Factor Authentication Server
Azure MFA O365 Version
[Diagram: Conditions (User, User group, Device state, Location (IP range), MFA, Risk) leading to Allow access or Block access; Enforce MFA per user/per app]
Download Azure MFA Server
1. Login to Azure
2. Add either of these licenses:
   • Azure Multi-Factor Authentication
   • Azure Active Directory Premium
   • Enterprise Mobility Suite
   • Enterprise Cloud Suite
3. Expand the Active Directory, click on Configure, browse down to “multi-factor Authentication” and click on “Manage Service Settings”
4. Click on “Go to the Portal”
5. Click on Downloads then on Download
Applications Required to Secure Infrastructure
We need to deploy the following:
On Premises
• Server 1 with the following:
  • Active Directory Federation Services (ADFS)
  • Azure Multi-Factor Authentication (AMFA)
• Server 2 with the following:
  • Remote Desktop WEB (RDW)
  • Remote Desktop Gateway (RDG)
  • Network Policy Server (NPS)
  • Web Application Proxy (WAP).
Configure Secure Office with Azure MFA 1
We need to configure the following:
• Obtain an SSL Cert with the private key
• Install & Configure Azure MFA Server
• Install & Configure ADFS. Also configure to use Azure MFA
• Install & Configure Web Application Proxy to connect to ADFS Server
• Install and Configure RDWeb, RDGateway and Network Policy Server for RADIUS pointing to Azure MFA
• Configure Azure MFA for RADIUS Server
• Configure Certificate at all the places.
Configure Secure Office with Azure MFA 2
• Configure external DNS for the ADFS URL to point to the WAP server
• Point your RDWeb Portal and RDGateway DNS to the same WAP server.
• In ADFS configure the following:
  • Add Relying party trusts for OWA and ECP and add claims.
  • Add Non-Claims aware Relying party Trust in the ADFS server
  • Add Office 365 relying party Trust and add claims.
• Configure WAP for all the external URLs except OWA/ECP
• Configure Exchange server for Azure MFA
• Configure Application for the RDWeb Portal Page.
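A post-deployment check for the DNS and certificate steps above, added here as an example and not taken from the slides or the speaker's scripts. The function name `Test-PublishedEndpoint`, the host names, the WAP address and the thumbprint placeholder are hypothetical, and the check assumes the one SSL certificate obtained in the first step is the one served at every published name.

```powershell
# Added example. Host names, the WAP address and the thumbprint are constructed placeholders.
function Test-PublishedEndpoint {
    param(
        [Parameter(Mandatory = $true)] [string[]] $HostName,           # external ADFS / RDWeb / RDGateway names
        [Parameter(Mandatory = $true)] [string[]] $WapAddress,         # public address(es) of the WAP server
        [Parameter(Mandatory = $true)] [string]   $ExpectedThumbprint  # certificate deployed "at all the places"
    )
    # A thumbprint pasted from the certificate dialog can carry spaces or hidden characters.
    $expected = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    foreach ($name in $HostName) {
        $r = [ordered]@{ HostName = $name; ResolvedTo = ''; PointsToWap = $false
                         Thumbprint = ''; CertMatches = $false; Error = '' }
        try {
            # Keep only the A records; CNAME records in the answer have no IPAddress.
            $ips = @(Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                     Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
            $r.ResolvedTo = $ips -join ','
            # Every address the name resolves to must belong to the WAP server.
            $stray = @($ips | Where-Object { $WapAddress -notcontains $_ })
            $r.PointsToWap = ($ips.Count -gt 0) -and ($stray.Count -eq 0)

            $tcp = New-Object System.Net.Sockets.TcpClient($name, 443)
            try {
                # Default validation stays on: an untrusted, expired or mismatched
                # certificate throws here and is reported in the Error column.
                $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
                $ssl.AuthenticateAsClient($name)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $r.Thumbprint = $cert.Thumbprint
                $r.CertMatches = ($cert.Thumbprint -eq $expected)
            } finally { $tcp.Close() }
        } catch {
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

# Constructed sample call (replace every value with your own):
# Test-PublishedEndpoint -HostName 'adfs.example.com','rdweb.example.com','rdg.example.com' `
#     -WapAddress '203.0.113.10' -ExpectedThumbprint '<thumbprint of your certificate>' | Format-Table
```

Run it from a machine outside the network so that the external DNS view is the one being tested.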
Azure MFA Server Architecture
[Diagram: User; WAP | RDW | RDG; AD FS; AD DC; Exchange; Azure MFA; Azure AD and MFA Token server; numbered flow steps 1 to 4. Outcomes: Allow access or Block access; Enforce MFA per user/per app]
RDWEB will send direct request to MFA Server
Azure MFA Server: Known Issues
• Twice MFA Prompt for Mac Users
  • Expected behavior
  • Workaround is to add cache
• NPS Database Corruption
  • Uninstall and Reinstall NPS, RDGateway
  • Restart the server then reconfigure everything.
• OWA Showing Blank Page
  • Configure OWA Redirection in IIS at “Default Web Site\OWA\Auth”
• Unable to connect to the Master MFA server
  • Add MFA computer object in “PhoneFactor Admins” Group membership
• Unable to Open Application on Non-IE Browsers
  • Use correct parameter with the cmdlet Set-RDSessionCollectionConfiguration
• Thin PC Getting Certificate popup
  • Add Certificate thumbprint using GPO
Takeaways
• Reasons to secure your Infrastructure?
• Ways to Secure your Infrastructure?
• How can we Use Azure MFA to Secure whole Infrastructure
• Places to troubleshoot Azure MFA
Reference
• http://msexchangeguru.com/2017/01/16/unable-to-download-azuremfa/
• http://msexchangeguru.com/2017/01/28/azure-mfa1/
• http://msexchangeguru.com/2017/01/28/azure-mfa2/
• http://msexchangeguru.com/2017/02/02/mfa-for-rds1/
• http://msexchangeguru.com/2017/02/02/mfa-for-rds2/
• http://msexchangeguru.com/2016/12/09/wap-adfs-mfa-part-1/
• http://msexchangeguru.com/2016/12/09/wap-adfs-mfa-part-2/
Other information
• All slide decks will be posted on http://www.techstravaganza.com
• Grand Prize Raffle at 5:15pm
• Day is not ending in Microsoft Office. There is an after Party.
Join us for Cash Bar & Free Food @ Guys American @ 5:45pm
Connect For More
✓ Twitter: @MSExchangeGuru, @PrabhatNigamXHG
✓ Facebook: Microsoft Exchange 2016 Group
✓ YouTube: MSExchangeGuru Channel
✓ LinkedIn: Microsoft Exchange Server, Microsoft Exchange Server 2013, Microsoft Exchange Server 2016
User Groups: LAEXUG, LACIUG, LAEXUG_ALL_IT
Thank you