Part 3 on MDATP series, this time about Attack Surface Reduction basics
Posts made by Ambarishrh
RE: PDQ Link
The only catch I could see is the mandatory port 443 as per their site
The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.
Hope all is well and everyone is safe! It's been a long time since I've gotten a chance to come back here.
Just got an email from PDQ about their new product called PDQ link
From their site and videos it looks like a simplified and automated implementation on built-in Windows Server roles Remote Access Server (RAS) and Network Policy Server (NPS). From the newsletter I got they've mentioned:
Your next question might be, how much is this going to cost me? We’re offering PDQ Link as a free download through 2020. Download it before the end of 2020 and keep using this version of PDQ Link through 2020, 21, 22, 23, and beyond at no cost.
Also asked them a few questions I could think of and got the answers as well.
Does it support changing the AD password via PDQ Link?
Because PDQ Link relies on user authentication rather than machine authentication, it is only able to communicate with remote devices while a user is logged in. While a user is logged in and connected through PDQ Link, they and their computer will be able to communicate with your domain controllers for things like password changes and group policy updates like normal. Since that connection is not made until after a user is logged in however, you will not be able to remotely reset the password for a user who is not already logged in.
Once PDQ link is enabled and connected, assuming we can continue using PDQ deploy & inventory to do its job without additional changes on DHCP/DNS?
As long as you're making use of AD-integrated DNS zones, PDQ Link is able to update DNS and DHCP as clients connect and disconnect. After the initial configuration, you will not need to make additional changes to DNS or DHCP in order to use PDQ Deploy or PDQ Inventory while connected with PDQ Link.
Any limits on concurrent connections?
While there may be limits based on the bandwidth of the server on which you install PDQ Link, there are no hard caps on the number of connections that PDQ Link allows. PDQ Link can be configured to assign IP addresses to clients either from a static list or using your existing DHCP server, so the only technical limit to the number of connections will be the number of IP addresses available for assignment through whichever method you select at setup.
Can we use AD based user authentication (yes, assuming users are given access based on AD group membership)?
Yes, PDQ Link functions entirely based off of AD user authentication. Machine-based authentication and authentication for non-AD users are not possible at this time. This authentication is managed through the NPS server role that is installed along with PDQ Link on your server.
Does the client auto update or via PDQ deploy schedule updates?
PDQ Link does not currently have any ability to update itself automatically. In the future when updates are released, it should be possible to install these with PDQ Deploy as long as machines are able to maintain a connection to the PDQ Deploy server while disconnected from Link for the update installation.
Can we make this VPN transparent to users to ensure that they don't disconnect it? This way, the IT department can ensure that it's always connected to PDQ for patch management.
There is not currently any way to prevent users from disconnecting from PDQ Link. By default users will be automatically connected at login and will not need to have any interaction with PDQ Link to make the connection, but an icon does exist in the system tray which can be used to open the console that includes an option to disconnect. Even if disconnected in this way, your users will be reconnected the next time they log in.
Does it support AD single sign on?
PDQ Link does make use of AD credentials for authentication. The connection is made using the logged in user's credentials when they log into a computer with the PDQ Link client installed, without any manual entry of credentials being necessary.
Will this be part of PDQ suite (PDQ deploy+Inventory paid) or is it a separate product that we need to buy? If separate license, how much does it cost?
PDQ Link is a separate product independent from PDQ Deploy and PDQ Inventory. It is currently being offered for free until at least the end of 2020, but we're still evaluating the best way to address licensing and costs beyond the end of the year.
What do you guys think?
I am going to test this in my lab!
RE: SOLVED: Unable to get rid of windows update group policy
While searching for this scenario, I came across a topic called "tattooing" from https://docs.microsoft.com/en-us/archive/blogs/grouppolicy/gp-policy-vs-preference-vs-gp-preferences
I then looked at the registry entry and found this.
Changed the NoAutoUpdate value to 0, did another gpupdate /force and now I don't see any GP policies on the Windows Update settings!
Will need to restart and confirm once more.
SOLVED: Unable to get rid of windows update group policy
I am trying to use Windows Update rings on Intune, replacing our old group policy. Our machines were set with "disable automatic updates" via GPO. Our service provider at that time, who managed our infrastructure, used the default domain policy to disable Windows updates!
I disabled those policies from the default domain policy, did gpupdate on my computer and found that the policy was changed to MDM managed. The next day, the 3 policies are back on the machine and now I am not able to figure out where this policy is from. Checked each and every GPO setting on my server and confirmed that there are no policies related to Windows Update.
Checked gpedit.msc as admin on my computer
My gpresult html report which has Windows update search result
Not sure where else to look and possibly remove this policy.
RE: My O365 training video series
I finally managed to get another video out and really hope I could continue this!
This time, it's about Microsoft Defender ATP.
Would love to hear your feedback on this.
@DustinB3403 this time, I've used Streamlabs OBS, used the filters as you suggested and I believe the audio quality is improved. Still need to fine tune it. Thanks a lot for that.
RE: DLP (Data Loss Prevention) solution
About Windows Information Protection:
Helping prevent accidental data disclosure to removable media. WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.