Announcement by Microsoft that they had removed the 16-character limit for passwords in Azure Active Directory had been coming for a while. It takes time for Microsoft to deploy such a fundamental change across all the places in their cloud systems where passwords can be changed. The first leaks that something was happening came in late April when people noticed that the user interface in components like the Azure AD portal and Office 365 Admin Center offered administrators the chance to set 256-character passwords.
The new password limit is also mentioned in the Microsoft 365 User Management blog for April 2019 (posted on 7 May). You can’t say that Microsoft didn’t give us hints that this was coming. Continue reading
Administrators have always been able to access user content and don’t need eDiscovery functionality to do this. Administrators can log onto someone’s mailbox or give themselves permission to access a user’s OneDrive account, or use the Search-Mailbox cmdlet to copy messages from user mailboxes to another mailbox. And they can run content searches to scan mailboxes, SharePoint, OneDrive, Teams, Office 365 Groups, and public folders and export whatever they find to PST files, ZIP files, or individual files. In short, many ways are available to an Office 365 administrator to poke around in user content if they so wish. Continue reading
A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.
But one of the challenges some customers are concerned about is that this type of deployment requires that some communication take place between Exchange Online and Exchange on-premises. This communication takes place over the Internet and so this traffic must pass through the on-premises company firewall to reach Exchange on-premises.
The aim of this post is to explain in more detail how this server to server communication works, and to help the reader understand what risks this poses, how these connections are secured and authenticated, and what network controls can be used to restrict or monitor this traffic. Continue reading
By now you will have heard about the new General Data Protection Regulation (GDPR) that will be coming into effect shortly. This was started by the European Commission in 2012 and finally generally agreed upon by the European Parliament and Council in December 2016. This new plan is to replace the current Data Protection Directive 95/46/ec.
Most companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018. There are some core areas that are of great importance when trying to understand this new policy, as well as seeing how it fits into existing policies and also platforms that you may be using. Continue reading
Recently there has been a lot of attention and a few different blog posts (references at the end of the post) regarding the use of Discretionary Access Control List (DACL) for privilege escalation in a Domain environment. This potential attack vector involves the creation of an escalation path based in AD object permissions (DACLs). For example, gaining “Reset Password” permissions on a privileged account is one possible way to compromise it by DACL’s path.
Although DACL permissions are not the easiest topic to cover in one post and should be digested slowly, there are examples of potential attack scenarios we want to share. The following blog tries to shed some light on the subject, present the possible escalation paths and suggest relevant mitigations.