Disclaimer: The opinions expressed on this blog are my personal opinions and do not express the opinion of my employer, Microsoft, Winsec or any other party.

Azure Active Directory Sync is now GA! #FIM2010 #DirSync #AADSync

Tue 16 Sep 2014

Source: http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx

New Azure Active Directory Synchronization Services (AAD Sync) has reached general availability.

Here are more details about this – and here is the related documentation.

If you just want to get started, just click here to download AAD Sync.

As discussed on the release blog post:

“AAD Sync capabilities in this release include the following:

  • Active Directory and Exchange multi-forest environments can be extended now to the cloud.
  • Control over which attributes are synchronized based on desired cloud services.
  • Selection of accounts to be synchronized through domains, OUs, etc.
  • Ability to set up the connection to AD with minimal Windows Server AD privileges.
  • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.
  • Preview AAD Premium password change and reset to AD on-premises.”

SCM Baselines for Windows 8.1, IE 11 and Windows Server 2012 R2 are now live!

Thu 4 Sep 2014

Source: TechNet Blogs » Microsoft Security Guidance » SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!

Today the SCM team has finally released the SCM baselines for Windows 8.1, IE 11 and Windows Server 2012 R2.

To get the updates, open the SCM tool and select “Download Microsoft baselines automatically” in the tool.

Please carefully read the Release Notes for these baselines in the Attachments/Guides section as there are a couple of known issues that may affect capabilities that worked in the past, but are no longer working with SCM and other related tools.

Alternatively, you can download all the CAB files directly from the following links:

  • Windows 8.1 Baseline and Windows 8.1 Attachments
  • IE 11 Baseline and IE 11 Attachments
  • Windows Server 2012 Baseline and Windows Server 2012 Attachments

Lastly, a HUGE thank you goes to the SCM team, Aaron Margosis and Rick Munck, who have put in a huge effort to release these baselines.

They have also produced the SCM materials, along with a more extensive set of GPOs and a security guide for customers to use, here: http://blogs.msdn.com/b/aaron_margosis/archive/2014/08/15/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx.

See also:

  • SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!
  • What’s New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11
  • Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta
  • Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

Hotfix rollup package (build 4.1.3599.0) is available for #FIM2010 R2 SP1

Wed 3 Sep 2014

A hotfix rollup package (build 4.1.3599.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2 Service Pack 1 (SP1). This hotfix rollup resolves some issues and adds some features that are described in the “More Information” section.

Details at: http://support.microsoft.com/kb/2980295/nl

For a complete list of the hotfixes for FIM 2010 (incl. R2…), go to http://aka.ms/FIMBuilds
Categories: FIM, Hotfix, Microsoft

Note-to-self: Microsoft announced the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11

Thu 14 Aug 2014

Source: http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx

Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11.

There are a few changes between these recommendations and the beta version released in April. Microsoft discusses those changes in more detail in two other blog posts: one covering most of the changes, and another detailed post about the issues around the account lockout recommendations.

Categories: Note-to-self, Security

AAD Sync Beta 3 is now available for download through MS connect #FIM2010

Tue 12 Aug 2014

The Azure Active Directory Synchronization Services team has announced that AAD Sync Beta 3 is now available for download through the Identity and Access Management program on Microsoft Connect.

You’ll find the download at https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=54059

In this release they made a lot of investments in the Hybrid Exchange and multi-forest configurations and added the experience for multi-forest password write-back.

Make sure to read the documentation at http://go.microsoft.com/fwlink/?LinkID=393942 before installing the product, and revisit it for updates.

Provide feedback using “Feedback” on Connect. This will get you direct access to the product group (PG) and support.

#AADSync Beta2 available on Connect #FIM2010

Wed 16 Jul 2014

Source: MS Connect announcement by the AADSync product group

Microsoft announced the availability of AADSync Beta2 on Connect.

You can download it here: AAD Sync Beta2 (https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=53831)


With Beta 2 there are some new, frequently requested features:

- Select only required services/attributes to synchronize to AAD
- Exchange hybrid deployments
- Password write-back for multiple forests (AAD Premium preview feature)


Good news: the AADSync product group is looking for customers who are interested in using Beta2 in production. If you are interested, then do the following:

- Download the updated build from Connect and read the documentation on http://go.microsoft.com/fwlink/?LinkID=393942 for the latest information.
- Install and verify the scenarios you plan for production use. You do not need permission from Microsoft to start evaluating AADSync.
- If you find any issues or need help, submit feedback through Connect. This is also the fastest way to get access to our beta support team.
- When you have completed the verification and all issues have been resolved, send an email to “Azure AD Sync Service Feedback” (AADSyncFB@microsoft.com) with information on which scenarios you plan to use and have verified are working. Also provide contact information. The team will respond with information on how to get call-in support during the preview phase.

Thank you for helping us make AADSync a better product.


Find more information on AADSync on TechNet Wiki: http://aka.ms/AADSYnc.

Note-to-self: Update – New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks

Wed 9 Jul 2014

Source: http://microsoft.com/pth

New blog post at: http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

Posted by Matt Thomlinson, Vice President, Microsoft Security

Microsoft released new guidance to help its customers address credential theft, called Mitigating Pass-the-Hash and Other Credential Theft, version 2.

“The paper encourages IT professionals to “assume breach” to highlight the need for the use of holistic planning strategies and features in Microsoft Windows to become more resilient against credential theft attacks. This paper builds on our previously released guidance and mitigations for Pass-the-Hash (PtH) attacks.

Given that organizations must continue to operate after a breach, it is critical for them to have a plan to minimize the impact of successful attacks on their ongoing operations. Adopting an approach that assumes a breach will occur ensures that organizations have a holistic plan in place before an attack occurs. A planned approach enables defenders to close the seams that attackers are aiming to exploit.

The guidance also underscores another important point – that technical features alone may not prevent lateral movement and privilege escalation. In order to substantially reduce credential theft attacks, organizations should consider the attacker mindset and use strategies such as identifying key assets, implementing detection mechanisms, and having a breach recovery plan. These strategies can be implemented in combination with Windows features to provide a more effective defensive approach, and are aligned to the well-known National Institute of Standards and Technology (NIST) Cybersecurity Framework.”
