On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Workarounds
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
Run Command Prompt as Administrator.
To restore the registry key, execute the command “reg import filename”
Microsoft Defender Detections & Protections
Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
Suspicious behavior by an Office application
Suspicious behavior by Msdt.exe
FAQ
Q: Does Protected View and Application Guard for Office provide protection from this vulnerability?
A: If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.
Happy World Password Day! Today, I’m super excited to share some great news with you: Together, with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium. These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases.
Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply.
Replacing passwords with passkeys
Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.
We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.
Going passwordless
We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum.
Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one.
Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless:
Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure
Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.
Windows Hello for Business Cloud Trust
Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2.
Multiple passwordless accounts in Microsoft Authenticator
When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.
Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.
Temporary Access Pass in Azure AD
Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month.
End user experience for Temporary Access Pass in Windows 11 onboarding.
Customers implementing passwordless today
We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users.
What could the world achieve if we had trust in every digital experience and interaction?
This question has inspired us to think differently about identity and access, and today, we’re announcing our expanded vision for how we will help provide secure access for our connected world.
Microsoft Entra is our new product family that encompasses all of Microsoft’s identity and access capabilities. The Entra family includes Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity. The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.
The need for trust in a hyperconnected world
Technology has transformed our lives in amazing ways. It’s reshaped how we interact with others, how we work, cultivate new skills, engage with brands, and take care of our health. It’s redefined how we do business by creating entirely new ways of serving existing needs while improving the experience, quality, speed, and cost management.
Behind the scenes of all this innovation, millions and millions of connections happen every second between people, machines, apps, and devices so that they can share and access data. These interactions create exciting opportunities for how we engage with technology and with each other—but they also create an ever-expanding attack surface with more and more vulnerabilities for people and data that need to be addressed.
It’s become increasingly important—and challenging—for organizations to address these risks as they advance their digital initiatives. They need to remove barriers to innovation, without the fear of being compromised. They need to instill trust, not only in their digital experiences and services, but in every digital interaction that powers them—every point of access between people, machines, microservices, and things.
Our expanded vision for identity and access
When the world was simpler, controlling digital access was relatively straightforward. It was just a matter of setting up the perimeter and letting only the right people in.
But that’s no longer sustainable. Organizations simply can’t put up gates around everything—their digital estates are growing, changing, and becoming boundaryless. It’s virtually impossible to anticipate and address the unlimited number of access scenarios that can occur across an organization and its supply chain, especially when it includes third-party systems, platforms, applications, and devices outside the organization’s control.
Identity is not just about directories, and access is not just about the network. Security challenges have become much broader, so we need broader solutions. We need to secure access for every customer, partner, and employee—and for every microservice, sensor, network, device, and database.
And doing this needs to be simple. Organizations don’t want to deal with incomplete and disjointed solutions that solve only one part of the problem, work in only a subset of environments, and require duct tape and bubble gum to work together. They need access decisions to be as granular as possible and to automatically adapt based on real-time assessment of risk. And they need this everywhere: on-premises, Azure AD, Amazon Web Services, Google Cloud Platform, apps, websites, devices, and whatever comes next.
This is our expanded vision for identity and access, and we will deliver it with our new product family, Microsoft Entra.
Video description: Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity and Management, and Joy Chik, CVP of Identity, are unveiling Microsoft Entra, our new identity and access product family name, and are discussing the future of modern identity and access security.
Making the vision a reality: Identity as a trust fabric
To make this vision a reality, identity must evolve. Our interconnected world requires a flexible and agile model where people, organizations, apps, and even smart devices could confidently make real-time access decisions. We need to build upon and expand our capabilities to support all the scenarios that our customers are facing.
Moving forward, we’re expanding our identity and access solutions so that they can serve as a trust fabric for the entire digital ecosystem—now and long into the future.
Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:
Protect access to any app or resource for any user.
Secure and verify every identity across hybrid and multicloud environments.
Discover and govern permissions in multicloud environments.
Simplify the user experience with real-time intelligent access decisions.
This is an important step towards delivering a comprehensive set of products for identity and access needs, and we’ll continue to expand the Microsoft Entra product family.
“Identity is one of the cornerstones of our cybersecurity for the future.”
—Thomas Mueller-Lynch, Service Owner Lead for Digital Identity, Siemens
Microsoft Entra at a glance
Microsoft Azure AD, our hero identity and access management product, will be part of the Microsoft Entra family, and all its capabilities that our customers know and love, such as Conditional Access and passwordless authentication, remain unchanged. Azure AD External Identities continues to be our identity solution for customers and partners under the Microsoft Entra family.
Additionally, we are adding new solutions and announcing several product innovations as part of the Entra family.
Reduce access risk across clouds
The adoption of multicloud has led to a massive increase in identities, permissions, and resources across public cloud platforms. Most identities are over-provisioned, expanding organizations’ attack surface and increasing the risk of accidental or malicious permission misuse. Without visibility across cloud providers, or tools that provide a consistent experience, it’s become incredibly challenging for identity and security teams to manage permissions and enforce the principle of least privilege across their entire digital estate.
With the acquisition of CloudKnox Security last year, we are now the first major cloud provider to offer a CIEM solution: Microsoft Entra Permissions Management. It provides comprehensive visibility into permissions for all identities (both user and workload), actions, and resources across multicloud infrastructures. Permissions Management helps detect, right-size, and monitor unused and excessive permissions, and mitigates the risk of data breaches by enforcing the principle of least privilege in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. Microsoft Entra Permissions Management will be a standalone offering generally available worldwide this July 2022 and will be also integrated within the Microsoft Defender for Cloud dashboard, extending Defender for Cloud’s protection with CIEM.
Additionally, with the preview of workload identity management in Microsoft Entra, customers can assign and secure identities for any app or service hosted in Azure AD by extending the reach of access control and risk detection capabilities.
Enable secure digital interactions that respect privacy
At Microsoft, we deeply value, protect, and defend privacy, and nowhere is privacy more important than your personal identity. After several years of working alongside the decentralized identity community, we’re proud to announce a new product offering: Microsoft Entra Verified ID, based on decentralized identity standards. Verified ID implements the industry standards that make portable, self-owned identity possible. It represents our commitment to an open, trustworthy, interoperable, and standards-based decentralized identity future for individuals and organizations. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, Verified ID allows individuals and organizations to decide what information they share, when they share it, with whom they share it, and—when necessary—take it back.
The potential scenarios for decentralized identity are endless. When we can verify the credentials of an organization in less than a second, we can conduct business-to-business and business-to-customer transactions with greater efficiency and confidence. Conducting background checks becomes faster and more reliable when individuals can digitally store and share their education and certification credentials. Managing our health becomes less stressful when both doctor and patient can verify each other’s identity and trust that their interactions are private and secure. Microsoft Entra Verified ID will be generally available in early August 2022.
“We thought, ‘Wouldn’t it be fantastic to take a world-leading technology like Microsoft Entra and implement Verified ID for employees in our own office environment?’ We easily identified business opportunities where it would help us work more efficiently.”
Next, let’s focus on Identity Governance for employees and partners. It’s an enormous challenge for IT and security teams to provision new users and guest accounts and manage their access rights manually. This can have a negative impact on both IT and individual productivity. New employees often experience a slow ramp-up to full effectiveness while they wait for the access required for their jobs. Similar delays in granting necessary access to guest users undermine a smoothly functioning supply chain. Then, without formal or automated processes for reprovisioning or deactivating people’s accounts, their access rights may remain in place when they change roles or exit the organization.
Identity Governance addresses this with identity lifecycle management, which simplifies the processes for onboarding and offboarding users. Lifecycle workflows automate assigning and managing access rights, and monitoring and tracking access, as user attributes change. Lifecycle workflows in Identity Governance will enter public preview this July 2022.
“We were so reactive for so long with old technology, it was a struggle. [With Azure AD Identity Governance] we’re finally able to be proactive, and we can field some of those complex requests from the business side of our organization.”
—Sally Harrison, Workplace Modernization Consultant, Mississippi Division of Medicaid
Create possibilities, not barriers
Microsoft Entra embodies our vision for what modern secure access should be. Identity should be an entryway into a world of new possibilities, not a blockade restricting access, creating friction, and holding back innovation. We want people to explore, to collaborate, to experiment—not because they are reckless, but because they are fearless.
Visit the Microsoft Entrawebsite to learn more about how Azure AD, Microsoft Entra Permissions Management, and Microsoft Entra Verified ID deliver secure access for our connected world.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Microsoft has been quite aggressive in its moves to get people away from Google Chrome and over to its revamped Edge browser. In its latest move, Microsoft Edge is adding a feature that imports data from Google Chrome constantly.
As highlighted by the folks over at Windows Latest, Microsoft Edge has an option to automatically import data from another browser, specifically Google Chrome. The previous “import browser data” page in Edge’s Settings menu used to simply offer a one-time import option for your data, syncing over bookmarks, passwords, your browsing history, and more. Clicking the option to import browser data would simply open a menu for a one-time import from any other browser on your computer.
But now, Microsoft has been allowing users to import browser data from Google Chrome on every launch. From what we can tell, the feature has been available in some capacity for at least a few months, but went largely under the radar until now, even as it’s live on Edge 101. It seems that new updates may be putting more emphasis on the feature. u/Leopeva64 notes that Edge 104, now in the Canary channel, redesigns the import page with a new look for this tool that puts much more emphasis on this setting.
Edge 104
Chrome is, notably, the only option for this automatic import setting, with Mozilla Firefox not showing up as an option as it does on the manual import option. Microsoft explains the feature:
Import browser data on each launch
Always have access to your recent browsing data each time you browse on Microsoft Edge
Importing data from another browser on your computer isn’t a new idea, and it’s certainly something Edge is more than happy to do. This latest change will simply do that automatically, in what’s clearly a move to make it easier for Google Chrome users to use Edge more often.
There are also a couple of new options for this. Microsoft Edge can import data from Chrome as usual, with bookmarks (though not automatically, right now), passwords, browsing history, settings, saved passwords, personal information, and payment details. But now, Edge can also pull open tabs and extensions over from Chrome. This would effectively mean that Edge can pick up where Chrome left off. Extensions, though, are also not available automatically at this point.
Windows Latest notes that imported tabs are marked as such, and Microsoft mentions on a support page that it can import up to 50 tabs at once. Microsoft has yet to update that same page with this automatic import option.
9to5Google’s Take
Being able to use Microsoft Edge as a mirror of Google Chrome is a pretty great idea, admittedly. The idea of being able to use Chrome with a specific set of extensions, settings, and more while essentially having a backup of that data in Edge is nice. It removes a barrier from switching between the two.
However, it still feels like Microsoft is trying too hard – again. Edge is a great browser on its own, and tools like this are indeed very helpful. But is this targeted behavior really necessary? At a technical level, this might only be possible with Chrome, but it’s surely no coincidence that Microsoft is clearly marking the feature as something you can do only with Chrome. It wouldn’t be surprising if, in the future, Microsoft turned on this feature by default either during or after setup.
Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives.
In this blog, we start by surveying the anatomy and landscape of amplification attacks, while providing statistics from Azure on most common attack vectors, volumes, and distribution. We then describe some of the countermeasures taken in Azure to mitigate amplification attacks.
DDoS amplification attacks, what are they?
Reflection attacks involve three parties: an attacker, a reflector, and a target. The attacker spoofs the IP address of the target to send a request to a reflector (e.g., open server, middlebox) that responds to the target, a virtual machine (VM) in this case. For the attack to be amplified the response should be larger than the request, resulting in a reflected amplification attack. The attacker’s motivation is to create the largest reflection out of the smallest requests. Attackers achieve this goal by finding many reflectors and crafting the requests that result in the highest amplification.
Figure 1. Reflected amplification attack
The root cause for reflected amplification attacks is that an attacker can force reflectors to respond to targets by spoofing the source IP address. If spoofing was not possible, this attack vector would be mitigated. Lots of effort has thus been made on disabling IP source address spoofing, and many organizations prevent spoofing nowadays so that attackers cannot leverage their networks for amplification attacks. Unfortunately, a significant number of organizations still allow source spoofing. The Spoofer project shows that a third of the IPv4 autonomous systems allow or partially allow spoofing.
UDP and TCP amplification attacks
Most attackers utilize UDP to launch amplification attacks since reflection of traffic with spoofed IP source address is possible due to the lack of proper handshake.
While UDP makes it easy to launch reflected amplification attacks, TCP has a 3-way handshake that complicates spoofing attacks. As a result, IP source address spoofing is restricted to the start of the handshake. Although the TCP handshake allows for reflection, it does not allow for easy amplification since TCP SYN+ACK response is not larger than TCP SYN. Moreover, since the TCP SYN+ACK response is sent to the target, the attacker never receives it and can’t learn critical information contained in the TCP SYN+ACK needed to complete the 3-way handshake successfully to continue making requests on behalf of the target.
Figure 2. Reflection attack in TCP
In recent years, however, reflection and amplification attacks based on TCP have started emerging.
Independent research found newer TCP reflected amplification vectors that utilize middleboxes, such as nation-state censorship firewalls and other deep packet inspection devices, to launch volumetric floods. Middleboxes devices may be deployed in asymmetric routing environments, where they only see one side of the TCP connection (e.g., packets from clients to servers). To overcome this asymmetry, such middleboxes often implement non-compliant TCP stack. Attackers take advantage of this misbehavior – they do not need to complete the 3-way handshake. They can generate a sequence of requests that elicit amplified responses from middleboxes and can reach infinite amplification in some cases. The industry has started witnessing these kinds of attacks from censorship and enterprise middle boxes, such as firewalls and IDPS devices, and we expect to see this trend growing as attackers look for more ways to create havoc utilizing DDoS as a primary weapon.
Carpet bombing is another example of a reflected amplification attack. It often utilizes UDP reflection, and in recent years TCP reflection as well. With carpet bombing, instead of focusing the attack on a single or few destinations, the attacker attacks many destinations within a specific subnet or classless inter-domain routing (CIDR) block (for example /22). This will make it more difficult to detect the attack and to mitigate it, since such attacks can fly below prevalent baseline-based detection mechanisms.
Figure 3. Carpet bombing attack
One example of TCP carpet bombing is TCP SYN+ACK reflection, where attacker sends spoofed SYN to a wide range of random or pre-selected reflectors. In this attack, amplification is a result of reflectors that retransmit the TCP SYN+ACK when they do not get a response. The amplification of the TCP SYN+ACK response itself may not be large, and it depends on the number of retransmissions sent by the reflector. In Figure 3, the reflected attack traffic towards each of the target virtual machines (VMs) may not be enough to bring them down, however, collectively, the traffic may well overwhelm the targets’ network.
UDP and TCP amplification attacks in Azure
In Azure, we continuously work to mitigate inbound (from internet to Azure) and outbound (from Azure to internet) amplification attacks. In the last 12 months, we mitigated approximately 175,000 UDP reflected amplification attacks. We monitored more than 10 attack vectors, where the most common ones are NTP with 49,700 attacks, DNS with 42,600 attacks, SSDP with 27,100 attacks, and Memcached with 18,200 attacks. These protocols can demonstrate amplification factors of up to x4,670, x98, x76 and x9,000 respectively.
Figure 4. UDP reflected amplification attacks observed from April 1, 2021, to March 31, 2022
We measured the maximum attack throughput in packets per second for a single attack across all attack vectors. The highest throughput was a 58 million packets per second (pps) SSDP flood in August last year, in a short attack campaign that lasted 20 minutes on a single resource in Azure.
Figure 5. Maximum pps recorded for a single attack observed from April 1, 2021, to March 31, 2022
TCP reflected amplification attacks are becoming more prevalent, with new attack vectors discovered. We encounter these attacks on Azure resources utilizing diverse types of reflectors and attack vectors.
One such example is a TCP reflected amplification attack of TCP SYN+ACK on an Azure resource in Asia. Attack reached 30 million pps and lasted 15 minutes. Attack throughput was not high, however there were approximately 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure elements.
Figure 6. TCP SYN+ACK amplification attack volume on an Azure resource in Asia
We see many TCP SYN+ACK retransmissions associated with the reflector that doesn’t get the ACK response from the spoofed source. Here is an example of such a retransmission:
The retransmitted packet was sent 60 seconds after the first.
Mitigating amplification attacks in Azure
Reflected amplification attacks are here to stay and pose a serious challenge for the internet community. They continue to evolve and exploit new vulnerabilities in protocols and software implementations to bypass conventional countermeasures. Amplification attacks require collaboration across the industry to minimize their effect. It is not enough to mitigate such attacks at a certain location, with a pinpoint mitigation strategy. It requires intertwining of network and DDoS mitigation capabilities.
Azure’s network is one of the largest on the globe. We combine multiple DDoS strategies across our network and DDoS mitigation pipeline to combat reflected amplification DDOS attacks.
On the network side, we continuously optimize and implement various traffic monitoring, traffic engineering and quality of service (QoS) techniques to block reflected amplification attacks right at the routing infrastructure. We implement these mechanisms at the edge and core of our wide area networks (WAN) network, as well as within the data centers. For inbound traffic (from the Internet), it allows us to mitigate attacks right at the edge of our network. Similarly, outbound attacks (those that originate from within our network) will be blocked right at the data center, without exhausting our WAN and leaving our network.
On top of that, our dedicated DDoS mitigation pipeline continuously evolves to offer advanced mitigation techniques against such attacks. This mitigation pipeline offers another layer of protection, on top of our DDoS networking strategies. Together, these two protection layers provide comprehensive coverage against the largest and most sophisticated reflected amplification attacks.
Since reflected amplification attacks are typically volumetric, it is not only enough to implement advanced mitigation strategies, but also to maintain a highly scalable mitigation pipeline to be able to cope with the largest attacks. Our mitigation pipeline can mitigate more than 60Tbps globally, and we continue to evolve it by adding mitigation capacity across all network layers.
Different attack vectors require different treatment
UDP-based reflected amplification attacks are tracked, monitored, detected, and mitigated for all attack vectors. There are various mitigation techniques to combat these attacks, including anomaly detection across attacked IP addresses, L4 protocols, and tracking of spoofed source IPs. Since UDP reflected amplification attacks often create fragmented packets, we monitor IP fragments to mitigate them successfully.
TCP-based reflected amplification attacks take advantage of poor TCP stack implementations, and large set of reflectors and targets, to launch such attacks. We adopt our mitigation strategies to be able to detect and block attacks from attackers and reflectors. We employ a set of mitigations to address TCP SYN, TCP SYN+ACK, TCP ACK, and other TCP-based attacks. Mitigation combines TCP authentication mechanisms that identify spoofed packets, as well as anomaly detection to block attack traffic when data is appended to TCP packets to trigger amplification with reflectors.
Figure 7. Amplification attack detection
Get started with Azure DDoS Protection to protect against amplification attacks
Azure’s DDoS mitigation platform mitigated the largest ever DDoS attacks in history by employing a globally distributed DDoS protection platform that scales beyond 60Tbps. We ensure our platform and customers’ workloads are always protected against DDoS attacks. To enhance our DDoS posture, we continuously collaborate with other industry players to fight reflected amplification attacks.
Azure customers are protected against Layer 3 and Layer 4 DDoS attacks as part of protecting our infrastructure and cloud platform. However, Azure DDoS Protection Standard provides comprehensive protection for customers by auto-tuning the detection policy to the specific traffic patterns of the protected application. This ensures that whenever there are changes in traffic patterns, such as in the case of flash crowd event, the DDoS policy is automatically updated to reflect those changes for optimal protection. When a reflected amplification attack is launched against a protected application, our detection pipeline detects it automatically based on the auto-tuned policy. The mitigation policy, that is automatically set for customers, without their need to manually configure or change it, includes the needed countermeasures to block reflected amplification attacks.
Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes. Our recently released Azure built-in policies allow for better management of network security compliance by providing great ease of onboarding across all your virtual network resources and configuration of logs.
To strengthen the security posture of applications, Azure’s network security services can work in tandem to secure your workloads, where DDoS protection is one of the tools we provide. Organizations that pursue zero trust architecture can benefit from our services to achieve better protection.
Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks. The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.
As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers in fixing each of these issues, ensuring that users can continue using such a crucial framework.
Collaboration among security researchers, software vendors, and the security community is important to continuously improve defenses for the larger ecosystem. As the threat and computing landscape continues to evolve, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing are paramount to protecting customers against present and future threats, regardless of the platform or device they are using.
Uncovering the vulnerabilities
Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.
The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.
According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. mce Systems, which offers “Mobile Device Lifecycle and Automation Technologies,” also permitted providers to customize and brand their respective mobile apps and frameworks. Pre-installed frameworks and mobile apps such as mce Systems’ are beneficial to users and providers in areas like simplifying the device activation process, troubleshooting device issues, and optimizing performance. However, their extensive control over the device to deliver these kinds of services could also make them an attractive target for attackers.
Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues. As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.
We initially discovered the vulnerabilities in September 2021 and shared our findings with mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities, which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild.
The high-severity vulnerabilities, which have a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9, are now identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601. We want to thank mce Systems’ engineering teams for collaborating quickly and efficiently in resolving these issues as well as to AT&T for proactively working with Microsoft to ensure customers can safely continue to use the framework.
Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. The affected providers linked below have made updated app versions available to users before this disclosure, ensuring devices can be protected before these vulnerabilities could be exploited. We encourage these providers’ customers to update to the latest versions of these apps from the Google Play store, which include but are not limited to: com.telus.checkup, com.att.dh, com.fivemobile.myaccount, com.freedom.mlp,uat, and com.ca.bell.contenttransfer.
Additionally, the package com.mce.mceiotraceagent might be installed by several mobile phone repair shops. Mobile users are advised to look for that app name and remove it from their phone, if found.
Analyzing apps that use the mce framework
App manifest and permissions
When analyzing an Android application, the first thing that comes to mind is checking its manifest, maintained under the AndroidManifest.xml file. The manifest describes the application itself and its components, such as the following:
Permissions (for example, camera access, internet access, and others)
Activities and how they respond to Intents sent to them
Content providers
Receivers and the kind of content they expect to receive
Services
Checking the manifest of an app affiliated with mce Systems’ framework shed light on some of its features and capabilities but did not immediately indicate that any vulnerabilities or security issues were present. Therefore, further research into the app’s functionality was needed by understanding its permissions.
Analysis of the app’s permissions on the mobile device revealed authorizations that could lead to powerful access and capabilities for an attacker. Those permissions included control over the following:
Networking: access the internet, modify Wi-Fi state, network state, NFC, and Bluetooth
File access: read and write to the external storage
Peripherals: access the camera, record audio, get fingerprint information, and get the device’s physical location
Private information: read phone numbers, account information, and contacts
Management: install apps and modify device settings
With access to these valuable resources, the app could be abused by an attacker to implant a persistent backdoor on the device.
BROWSABLE activities
The “Activities” section of the app’s manifest detailed that the Intent-filter element included activities with a “BROWSABLE” category. While most Intents do not require a category, category strings detail the components that should handle the Intent. In particular, the BROWSABLE category allows the target Activity to be triggered from a web browser to display data referenced by a link, like an image. BROWSABLE activities appeal to attackers as the latter can exploit them via malicious web pages and other Intent-based attacks.
Figure 1: BROWSABLE Activity with the “mcedigital://” scheme
The Intent-filter element in the manifest dictates how the Activity can be triggered. In the app’s case, the Activity could be triggered by simply clicking a link with the “mcedigital://” scheme. This would start the com.mce.sdk.AppActivity Activity with an Intent with arbitrary data (besides the scheme).
Digging deeper: Reviewing the mce framework’s main functionality
We reviewed the effects of triggering the com.mce.sdk.AppActivity. Also known as appActivity, this Activity refers to the different functionalities provided by the app. AppActivity extends Activity and therefore has an onCreate method, which traditionally handles the creating Intent.
AppActivity
Here’s a brief description of AppActivity:
AppActivity has a member called “webView” and type “JarvisWebView,” a specialized class that extends WebView.
Upon creation, AppActivity has some optional display choices from the Intent (if they exist) and then loads a predefined web page to the WebView. That predefined page can get arbitrary query parameters from the Intent’s data; that is, everything after a “\?” will be added to the web page.
A JavaScript Interface is a conspicuous target to look for security issues, as it uses a JavaScript Bridge to allow invoking specific methods inside an Android app. In the case of JarvisJSInterface, three methods are exported:
init(String): takes a string that will be used as a JavaScript callback method; in our case, it will always be window.AndroidCallback
windowClose(): runs a callback registered by the Android app
request(String): sends a service request from the JavaScript client to the server (Android app)
The request method is by far the most interesting, as it performs the following:
Interprets the given string as a JSON object
Extracts the following pieces from the JSON object:
Context: a random GUID generated by the client, used to link requests and responses
Service: the service we are about to call to
Command: an integer
Data: optional parameters sent to the service call
Invokes the method serviceCall, which finds the registered service, gets the method based on the command number, and eventually invokes that method using Java reflection
Figure 2: Service::callServiceMethod
The serviceCall is a powerful method, as it allows the WebView to invoke “services” freely. But what are these services, exactly?
Services offered by the mce framework
After we examined the services offered by this framework per the app manifest, we then obtained a list of services that practically give the WebView complete control over the device. The most notable services include:
Audio: access and manipulate volume levels, as well as play a tone with a given duration and frequency
Camera: take a silent snapshot
Connectivity: control and obtain valuable information from NFC, Wi-Fi, and Bluetooth
Device: includes various device controlling mechanisms like battery drainage, performing a factory reset, and obtaining information on apps, addresses, sensor data, and much more
Discovery: set the device to discoverable
Location: obtain the location in various modes and set the location state
PackageManager: acquire package info and silently install a new app
Power: obtain charging state
Sensor: acquire sensor data such as barometer data, light data, proximity data, and whether fingerprinting is working
Storage: obtain content such as documents, media, images, and videos
These services inherit from a base class named “Service” and implement two methods:
setServiceName: for service identification purposes
setServiceMethodMap: for setting up the mapping between the command integer and the method name, argument names, and argument types
For example, here is the Camera service setting its methods:
Method 0 is “getCameraList” and expects no arguments.
Method 1 is “captureStillImageNoPreview” and expects one String argument.
Figure 3: The Camera service setting its methods
Vulnerability findings
Based on our analysis of the mce framework, we discovered several vulnerabilities. It should be noted that while mobile service providers can customize their apps respective to mce framework so as not to be identical, the vulnerabilities we discovered can all be exploited in the same manner—by injecting code into the web view. Nonetheless, as their apps and framework customization use different configurations and versions, not all providers are necessarily vulnerable to all the discovered vulnerabilities.
We found a command-injection vulnerability, tracked as CVE-2021-42599, in the Device service mentioned in the previous section. This service offers rich functionality, including the capability to stop activities of a given package. The client fully controls the argument “value,” and simply runs the following command:
am force-stop "value"
Since the argument is not sanitized, an attacker could add backticks or quotation marks to run arbitrary code, like the following:
am force-stop "a"; command-to-run; echo "a"
Figure 4: Command injection proof-of-concept (POC) exploit code implemented in the Device service
According to mce Systems, they have since removed the functionality behind this vulnerability and it is no longer present in more advanced framework versions.
Exploitation by JavaScript injection with PiTM in certain apps
The services offered by the mce framework further indicated that the following vulnerability resided in the logic of the JavaScript client for apps that are configured to enable plaintext communications such as the app that we initially analyzed. Interestingly, the code for the client is a heavily-obfuscated dynamic JavaScript code that is implemented over several files, mainly bundle.js. Due to the blind trust between the JavaScript client and the JarvisJSInterface server, an attacker who could inject JavaScript contents into the WebView would inherit the permissions that the app already has.
We conceived two injection strategies most likely to be leveraged by attackers:
Affect the JavaScript client behavior by supplying specific GET parameters from the BROWSABLE Intent.
Trigger an app with the BROWSABLE Intent to become a person-in-the-middle (PiTM) and view the device’s entire traffic. Inject JavaScript code if the client ever tries to fetch external content and interpret it as a script or HTML.
Once we reverse-engineered the client’s obfuscated code, we discovered that it could not inject JavaScript from the GET parameters. The only capability permitted was to affect some of the client’s self-tests upon initialization, such as a battery-draining test or a Wi-Fi connectivity test. However, the WebView-fetched plaintext pages that we discovered could be injected into with a PiTM attack.
Our proof-of-concept (POC) exploit code was therefore:
Perform a PiTM for the target device and lure the user into clicking a link with the “mcesystems://” schema.
Inject JavaScript into one of the plaintext page responses that does the following:
Hijack the JavaScript interface by calling init with our callback method
Use the JavaScript interface request method to get servicing
Send the data to our server for information gathering using XHR (XMLHttpRequest)
Figure 5: Injecting a similar JavaScript code to the WebView could allow an attacker to call arbitrary services and methods
Local elevation of privilege with deserialization followed by injection (CVE-2021-42601)
Some of the apps we analyzed did not pull plaintext pages. Thus, we looked for a local elevation of privilege vulnerability, allowing a malicious app to gain the system apps’ privileges, tracked as CVE-2021-42601.
In the apps mentioned above, we discovered that the main Activity attempted to handle a deep link (a link that launches an app instead of a browser on click) with Google Firebase. Interestingly, this deep-link handling tried to deserialize a structure called PendingDynamicLinkData (representing a link) from an Intent Extra byte array with the key com.google.firebase.dynamiclinks.DYNAMIC_LINK_DATA. This structure was used later by the mce framework to generate various JSON Objects that might contain data from a categoryId query parameter in the original link, and eventually ended up in the member mFlowSDKInput to be injected into the JarvisWebView instance in an unsafe way:
Figure 6: Unsanitized JavaScript loading allowed arbitrary code injection to the WebView
Since the categoryId query parameter might contain apostrophes, one could inject arbitrary JavaScript code into the WebView. We decided to inject a code that would reach out to a server and load a second-stage code, which was the exact one we used for our PiTM scenario.
Figure 7: Local injection POC exploit
Software design against JavaScript injection vulnerabilities
We worked closely with the mce Systems engineering team and discovered that the reason for unsafe loadUrl invocations with JavaScript injections was that the framework used an asynchronous model of operation. When the JavaScript client performs a request, it expects to be notified later when there are results. Since Android JavaScript Bridge only allows primitive types to be sent (for example, Strings), the mce framework notified the JavaScript client by injecting JavaScript with potentially unsafe arguments (the results themselves).
We offered mce Systems a slightly different software design that prevents unsafe JavaScript injection. The description of the flow of information in our proposal is as follows:
The JavaScript client invokes the request method on the Android JavaScript Bridge, supplying the request itself along with a request ID.
The Java server performs the request and stores the result in a cache. The said cache then maps request IDs to results.
The Java server notifies the client by carefully injecting the JavaScript loadUrl(“javascript:window.onMceResult(<requestID>);”) into the WebView. Note that the only non-constant string is the request ID, which can easily be sanitized. This method “wakes the client up”
The JavaScript client implementation of onMceResult invokes the Android JavaScript Bridge with the method String fetchResult(String requestId). Note that this method returns a string (which contains the result).
This way, the JavaScript client does not need to poll for asynchronous results while data is safely transferred between the client and the server.
Interestingly, Google AndroidX offers a very similar API: webMessageListener. While the said API works quite similarly to our suggestion, it only supports Android versions greater than Lollipop. Thus, the new mce framework now checks the Android version and uses this new Google API if supported or our offered solution for older devices.
The above is just one example of our collaboration to help secure our cross-platform ecosystem. According to mce Systems, all of our reported vulnerabilities were addressed.
Improving security for all through threat intelligence sharing and research-driven protections
Microsoft strives to continuously improve security by collaborating with customers, partners, and industry experts. Responding to the evolving threat landscape requires us to expand our capabilities into other devices and non-Windows platforms in addition to further coordinating research and threat intelligence sharing among the larger security community. This case highlighted the need for expert, cross-industry collaboration to effectively mitigate issues.
Moreover, collaborative research such as this informs our seamless protection capabilities across platforms. For example, intelligence from this analysis helped us ensure that Microsoft Defender Vulnerability Management can identify and remediate devices that have these vulnerabilities, providing security operations teams with comprehensive visibility into their organizational exposure and enabling them to reduce the attack surface. In addition, while we’re not aware of any active exploitation of these mobile vulnerabilities in the wild, Microsoft Defender for Endpoint’s mobile threat defense capabilities significantly improve security on mobile devices by detecting potential exploits, malware, and post-exploitation activity.
We will continue to work with the security community to share intelligence about threats and build better protection for all. Microsoft security researchers continually work to discover new vulnerabilities and threats, turning a variety of wide-reaching issues into tangible results and improved solutions that protect users and organizations across platforms every single day. Similarly inquisitive individuals are encouraged to check opportunities to join the Microsoft research team here: https://careers.microsoft.com/.
Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar Microsoft 365 Defender Research Team
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.
The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc“) that was uploaded to VirusTotal from an IP address in Belarus.
“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers noted in a series of tweets last week.
According to security researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.
The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.
MSDT is short for Microsoft Support Diagnostics Tool, a utility that’s used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.https://www.youtube.com/embed/GybD70_rZDs
“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont explained.
“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” the researcher added.
In a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (“RDF842l.html”) that triggers the exploit originated from a now-unreachable domain named “xmlformats[.]com.”
“A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,” Huntress Labs’ John Hammond said. “Much like CVE-2021-40444, this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”
Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.
What’s more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.
“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,” Beaumont said. We have reached out to Microsoft for comment, and we’ll update the story once we hear back.
IT teams rely on Active Directory (AD) to keep networks secure and maintain user accounts — but they often need to adhere to strict budget limitations when it comes to selecting software to help. That’s why we’ve put together this list of the top free Active Directory management tools.
Our picks focus on AD tools that will help you complete routine AD management tasks much faster so your team has time to focus on other priorities. We’ve grouped these free Active Directory tools into three categories:
Active Directory Reporting, Monitoring and Auditing Tools
Microsoft Active Directory Explorer
Microsoft Active Directory Explorer is an advanced administration tool that makes it easy to search for, view and edit extended information about AD objects. It is similar to AD Users and Computers but has at least one key additional benefit — it allows you to view object properties and attributes without opening additional dialog boxes.
AD Explorer also enables you to save snapshots of an AD database for offline viewing and database version comparisons. When you load a saved snapshot, you can work with it as you would use a live database.
Other features include:
Defining favorite locations
Editing permissions
Viewing an object’s scheme
Executing sophisticated searches that you can save and re-execute
Netwrix Auditor for Active Directory (free community edition) gives you visibility into what’s happening inside domains while eliminating the time-consuming tasks of analyzing endless native logs. Netwrix Auditor tracks logons and all changes to Active Directory users, groups, organizational units and Group Policy. It generates a daily activity summary that details all changes and logon activity that occurred during the previous 24 hours, including the before and after values for each modification.
Netwrix Account Lockout Examiner
Netwrix Account Lockout Examiner is well known as one of the best Active Directory tools for quickly resolving one of the most pressing issues with AD: account lockouts. It enables you to identify the root cause of lockouts in a single keystroke, slashing troubleshooting time by up to 90 percent. This lightweight and intuitive tool empowers you to investigate issues like why the same account repeatedly locks out without having to slog through a mountain of cryptic event logs — just enter the username and click a button.
Netwrix Effective Permissions Reporting Tool
Netwrix Effective Permissions Reporting Tool simplifies auditing of access permissions in Active Directory. You can view a user’s account group membership, the permissions the account has to every AD object and how those permissions are granted. It also shows file and folder effective permissions, so you can determine who has access to your data and how their access was gained. You can export this information to an HTML file.
Netwrix Bulk Password Reset
Netwrix Bulk Password Reset enables you to reset local admin and user passwords across multiple workstations at once, remotely, without actually logging into them. This functionality enhances Windows Server security.
Netwrix Inactive User Tracker
Netwrix Inactive User Tracker provides insight into stale Active Directory user accounts so you can disable or delete unneeded accounts before malicious actors can exploit them to gain access to resources and services on your network.
Netwrix Password Expiration Notifier
Netwrix Password Expiration Notifier automatically sends notifications about upcoming AD password expiration to users and their managers. This proactive approach enables you to remain in compliance with password security best practices without sacrificing user productivity or increasing helpdesk workload.
Cjwdev Active Directory Info
Cjwdev Active Directory Info is a free Active Directory reporting and analysis tool that enables you to review the configuration settings of AD objects. You can quickly generate CSV, HTML or TXT reports to gain insight into things like:
Cjwdev Active Directory Permissions Reporter extracts all permissions for every object in your domain. Note that the free edition of Cjwdev AD Permissions Reporter does not support the command line and you cannot filter or export results.
ENow Compass
ENow Compass provides real-time network monitoring to help you identify issues that could evolve into bigger problems. ENow Compass is a powerful toolset, but the company does not offer a free version. Users can start with a 14-day free trial with registration.
MaxPowerSoft Active Directory Reports Lite
MaxPowerSoft Active Directory Reports Lite allows you to load up to 200 objects from Active Directory and generate auditing reports on users, groups, organizational units, computers and GPOs. The paid version of grants access to more reports and many more features.
Active Directory FastReporter
Active Directory FastReporter generates a variety of predefined reports on your AD infrastructure. The free version doesn’t allow you to create custom reports, export reports or use automation features.
LDAPSoft Active Directory Browser
LDAPSoft Active Directory Browser simplifies SSL communication and streamlines the process of browsing your AD hierarchy. You can search for entries, view all available attributes and run SQL-LDAP statements.
Softerra Browser for LDAP
Softerra Browser for LDAP is a lightweight tool that allows you to view, browse, search and export information from LDAP. It is free to use for 30 days — you’ll need to register a paid account to use it past this point.
WiseSoft Password Control
WiseSoft Password Control can reset user passwords in bulk, which saves time and effort when managing service account passwords. It also includes the ability to make other bulk changes, such as enabling and disabling user accounts, group membership functions, descriptions and departments.Handpicked related content:
Albus Bit Active Directory Administrator enables you to manage user and computer accounts across your Active Directory domain from a single interface. You can use the built-in search templates or create your own, and use the results to disable inactive accounts, move accounts to different organizational units or remove users from groups.
CjWdev Active Directory Tidy
CjWdev Active Directory Tidy allows you to easily manage your AD accounts in bulk. For example, you can add multiple accounts to a specific security group, or set random passwords or a particular expiry date for a set of accounts.
The tool’s filtering functionality makes it easy to clean up your AD. For example, you can filter by last login date to find all inactive user and computer accounts to determine whether you should remove them from your domain. The paid version of this tool also enables you to export AD settings to XML.
Spiceworks People View
Spiceworks People View allows you to view and update AD user account properties, such as email, phone number, title and department. You can also add devices to user profiles to monitor installed software programs and update it when needed. You can also reset passwords and enable or disable user accounts. The tool also offers self-administered password and user profile management on a self-service web portal, and real-time status monitoring of all your devices.
Spiceworks offers other useful tools. For example, Network Monitor performs real-time status monitoring of all your devices.
Microsoft AdRestore
Microsoft AdRestore is a single-task tool that enumerates all tombstoned objects in your AD domain and enables you to restore them individually as needed.
Windows PowerShell
Windows PowerShell is undoubtedly the most powerful Active Directory tool. However, it can be challenging to use because it lacks a graphical interface. To accomplish your tasks, you’ll need to use cmdlets and scripts like the following:
Disable a user account: Disable-ADAccount username
Enable a user account: Enable-ADAccount username
Unlock a user account: Unlock-ADAccount username
Delete a user account: Remove-ADUser username
Find all empty groups: Get-adgroup -filter * | where {-Not ($_ | get-adgroupmember)} | Select Name
Add a member to a group: Add-adgroupmember “groupname” –username
Enumerate the members of a group: Get-ADGroupMember “groupname”
See what groups a user account is a member of: Get-aduser username -property Memberof | Select -ExpandProperty memberOf
Disable a computer account: Disable-ADAccount -Identity “computername”
Create an organizational unit: New-ADOrganizationalUnit -Name OUname -Path “dc=domainname,dc=com”
Create a computer account: New-ADComputer -Name username -Path “ou=OUname,dc=DCname,dc=com”
Create a user account: New-ADUser -Name username -Path “ou=OUname,dc=DCname,dc=com”
Adaxes
Adaxes streamlines routine management functions in Active Directory, Microsoft Exchange and Microsoft 365 environments. You can use it to delegate privileges, control authorizations and stay in compliance with data mandates. Softerra offers a 30-day free trial.
CENTREL Solutions XIA Automation
CENTREL Solutions XIA Automation helps you automate IT management tasks, such as account provisioning, user management and password changes. It includes time-saving features like bulk provisioning of accounts from CSV to AD, Exchange, Google or Office 365.
Dameware Remote Everywhere
Dameware Remote Everywhere is a pricey commercial-grade tool at $540 (and up), but it is notable for its powerful functionality — especially for enterprise-level network needs.
“Remote Everywhere” refers to the tool’s cloud-based solutions. Users enjoy safe, remote support with advanced encryption and multifactor authentication, essential endpoint support for any computer or device, and a reporting engine that can handle virtually any reporting task. New users can get a fully functional version of Dameware Remote Everywhere for 14 days.
Active Directory Utility Tools
Microsoft Active Directory Replication Status (ADREPLSTATUS) Tool
Microsoft ADREPLSTATUS Tool is a single-purpose tool that helps you analyze the replication of domain controllers in your network.
Cjwdev Group Manager
Cjwdev Group Manager allows the manager of a group to manage roles and settings for the group, including adding and removing other users and exporting group members to a CSV file. The free edition enables you to manage only a single group, and you cannot or add new members from other domains.
Cjwdev Active Directory Photo Edit
Cjwdev Active Directory Photo Edit enables you to import and upload images to an AD attribute that can be displayed in Outlook 2010, Lync and SharePoint. The free edition can’t process pictures for users and contacts in bulk, but the paid version offers this feature.
Cjwdev Managed Service Accounts GUI
Cjwdev Managed Service Accounts GUI helps you configure managed service accounts using an intuitive GUI that eliminates the need for PowerShell commands.
Specops Password Auditor
Specops Password Auditor scans your Active Directory and identifies password-related vulnerabilities so you can reduce your attack surface and maintain compliance.
Specops Software Gpupdate
Specops Software Gpupdate enables remote administration of computers and organizational units. For example, you can refresh Group Policy or wake up, shut down or restart a PC remotely.
Specops Command
Specops Command is a PowerShell and VBScript interface that helps you automate many Active Directory administrative tasks.
Zohno Z-Hire and Z-Term
Zohno Z-Hire and Z-Term are single-task tools. Z-Hire speeds the user account creation process for new hires, while Z-Term helps with account removal when an employee leaves the organization.
SysOpsTools Active Directory Query
SysOpsTools Active Directory Query is a free executable tool — no installation required — that can be used to quickly search AD for information about a specific user or computer, including schema attributes that are normally not readable.
SysAdmin and SysAdmin Anywhere both offer a free trial.
Codeplex ADModify.NET
Codeplex ADModify.NET is a single-use tool that allows you to modify multiple user attributes at once.
WiseSoft Bulk Password Control
WiseSoft Bulk Password Control enables you to change passwords on multiple accounts at the same time using the tool’s password generator feature. You can also enable, disable and unlock AD accounts in bulk.
Conclusion
With so many options to choose from, it can be challenging to find the right mix of AD management tools for your needs. The most effective way to make that choice is to install different tools and try them out in your AD environment. This will give you insight into how well they will work for your specific needs and preferences.
Sustainability action is a necessity for organizations looking to satisfy stakeholders, prepare their business for the effects of climate change, and reduce their environmental impact. While more organizations are implementing environmental sustainability practices—such as using sustainable materials, becoming more energy efficient, and embedding sustainability into employee training—these efforts alone are not enough to eliminate waste and reach net zero.
In a recent survey of executives, Deloitte found that more than a third of organizations are only implementing one out of five “needle-moving” sustainability actions. To begin moving the needle quickly, IT executives can help their organizations accelerate sustainability by reducing the environmental impact of IT, facilitating a more circular economy, working with sustainable partners, and leading efforts that support environmental, social, and governance (ESG) measurement and reporting.
Sustainability pressures are becoming policies
The pressure for more transparent sustainability action is continuing to rise: For the first time, the US Securities and Exchange Commission has proposed a rule to make environmental reporting mandatory. The recently proposed rule would require public companies to disclose climate-related risk management as well as direct and indirect greenhouse gas emissions (scope 1 and 2), eventually phasing in reporting for material emissions from value chains (scope 3).
The EU has long been ahead of the US when it comes to requiring organizations to report on emissions. Last year, the European Commission adopted a proposal for a Corporate Sustainability Reporting Directive (CSRD), which extends the scope of the Non-Financial Reporting Directive (NFRD) adopted in 2014. The CSRD proposal expands the number of companies required to report, introduces an audit and more detailed reporting, and would require organizations to report according to EU sustainability reporting standards.
Though policies and reporting requirements intensify the pressure for more corporate sustainability action, there is also pressure coming from consumers and employees. According to a PwC survey, 86% of employees prefer to work for organizations that share their values, and 76% of consumers would “discontinue [their] relationship with companies that treat the environment, employees, or the community in which they operate poorly.” This sentiment is matched by the results of a survey from OnePulse, which found that 88% of consumers want companies to help them be more sustainable.
There’s a growing need for IT sustainability guidance
To address sustainability reporting requirements and demands from customers, employees, and boards, IT executives are stepping up. But amidst ever-changing guidelines and new climate data, knowing where and how to start implementing more sustainable IT practices remains challenging. Research from Capgemini found that only 18% of organizations have a defined sustainability strategy for IT.
Nonprofits like SustainableIT.org are starting to fill the growing need for guidance by providing benchmarks for ESG measurements. Launched by CIOs and other tech leaders, the nonprofit plans to define sustainable digital transformation programs and provide best practices, education, and training for technology leaders that help support sustainable actions across their operations.
IT executives can also look to research and consulting firms like Gartner, who recently released a report that provides a framework to help organizations plan for infrastructure and operations sustainability goals.
In addition to peer groups and research firms, IT executives can also use widely accepted measures provided by organizations such as:
Cloud solutions help reduce the environmental impact of IT
On-premises infrastructure often requires large amounts of power and additional physical materials to scale. According to estimates from Cloudscene, there are over 8,000 data centers worldwide and these data centers are estimated to account for nearly 1% of global energy consumption.
IT leaders can reduce the carbon footprint of their computing infrastructure simply by moving to cloud systems. The cloud can help reduce greenhouse gas emissions, as cloud computing is more efficient than what organizations can achieve with on-premises infrastructure. Cloud data centers have higher utilization rates, use advanced cooling technologies that are more energy efficient, and are often powered by renewable energy. As more businesses migrate to the cloud, these efficiencies are estimated to potentially prevent more than 1 billion metric tons of CO2 from entering the atmosphere over the next few years.
One customer case study found a 93% reduction in greenhouse gas emissions associated with migrating from a customer hosted Oracle ERP solution to Oracle ERP on Oracle Cloud Infrastructure. This included a 71% reduction in scope 1 emissions, 100% reduction in scope 2 emissions, and 84% reduction in scope 3 emissions (Figure 2).
The cloud can also promote a more circular economy
A key tenet of the circular economy is to decouple physical assets from the services they provide. This is exactly what the cloud provides. The cloud can contribute to a more eco-optimized supply chain by eliminating the need to procure and physically own your computing hardware.
As organizations make the transition to cloud, they should also account for the impact that retired hardware has on the environment. To address this, IT executives can look to cloud providers that offer services like Oracle’s take back programs to help dispose of and recycle excess products in an environmentally responsible manner.
IT executives can accelerate sustainability with analytics
More transparency and better emissions data isn’t just about meeting reporting requirements—it’s also an essential component of reaching net zero. IT executives can help accelerate progress towards net zero by leading efforts to measure ESG performance.
Deloitte found that “difficulty measuring environmental impact” was identified by executives as one of the five biggest obstacles to their sustainability efforts. By investing in cloud solutions and services such as integrated analytics platforms and IoT, AI and ML capabilities, IT executives can embed environmental-related data collection and reporting into the mainstream of business operations and associated IT infrastructure.
At Oracle, we’ve been transforming our business operations to be more environmentally friendly by leveraging Oracle’s own innovative technology. Sustainability is now inherent in the way think about and approach nearly every aspect of our business, from operational efficiency, to product development and to employee engagement. We use our own technology because Oracle Cloud is the only end-to-end cloud platform that enables the cross-functional process flows required to increase sustainability.
Partners and providers should meet your sustainability requirements
Providers and partners play a pivotal role in reducing your environmental impact, either helping or hindering your ability to achieve sustainability goals. Ensuring that business partners and suppliers meet your sustainability requirements is one of the five key actions that businesses need to take to realize the benefits of sustainability, according to Deloitte’s 2022 CxO Sustainability Report.
Beyond ensuring that your providers align with specific sustainability criteria, it’s also important to consider how they can contribute to changing business needs. As demands for greener products grow, IT executives should be primed to understand not only their risks, but also their ability to act on new opportunities. By partnering with cloud providers that offer advanced cloud technologies and a wide range of services and solutions, you can position your business to capture new value when it arises and do so quickly.
Take a step towards sustainability with Oracle Cloud Infrastructure
Oracle Cloud Infrastructure is a high-performance green cloud solution that provides customers with the opportunity to drive business value and reduce their environmental impact. Oracle data centers are 75% more energy efficient than a typical corporate data center. Because we design, build, deploy, and recycle our hardware, we are contributing to a more circular economy that minimizes waste, maximizes circularity, and helps achieve net-zero carbon.
By consolidating and optimizing our IT infrastructure while delivering advanced technologies, such as AI and blockchain, we help organizations reduce their environmental impact, measure progress, and achieve their sustainability goals.
1. OnePulse, 88% Of Consumers Want You To Help Them Make A Difference
2. IDC, Cloud Computing Could Eliminate a Billion Metric Tons of CO2 Emission Over the Next Four Years, and Possibly More, According to a New IDC Forecast
Active Directory (AD) allows object creations, updates and deletions to be committed to any authoritative domain controller (DC). This is possible because every DC (except read-only DCs) maintains a writable copy of its own domain’s partition. Once a change has been committed, it is replicated automatically to other DCs through a process called multi-master replication. This behavior allows most operations to be processed reliably by multiple domain controllers and provides for high levels of redundancy, availability and accessibility in Active Directory.Handpicked related content:
An exception applies to certain Active Directory operations that are sensitive enough that their execution is restricted to a specific domain controller. Active Directory addresses these situations through a special set of roles. Microsoft has begun referring to these roles as the operations master roles, but they are more commonly referred to by their original name: flexible single-master operator (FSMO) roles.
What are FSMO Roles?
The 5 FSMO Roles
Active Directory has five FSMO roles:
Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator
In every forest, there is a single Schema Master and a single Domain Naming Master. In each domain, there is one Infrastructure Master, one RID Master and one PDC Emulator. At any given time, there can be only one DC performing the functions of each role. Therefore, a single DC could be running all five FSMO roles; however, in a single-domain environment, there can be no more than five servers that run the roles.
In a multi-domain environment, each domain will have its own Infrastructure Master, RID Master and PDC Emulator. When a new domain is added to an existing forest, only those three domain-level FSMO roles are assigned to the initial domain controller in the newly created domain; the two enterprise-level FSMO roles (Schema Master and Domain Naming Master) already exist in the forest root domain.
Schema Master
Schema Master is an enterprise-level FSMO role; there is only one Schema Master in an Active Directory forest.
The Schema Master role owner is the only domain controller in an Active Directory forest that contains a writable schema partition. As a result, the DC that owns the Schema Master FSMO role must be available to modify its forest’s schema. Examples of actions that update the schema include raising the functional level of the forest and upgrading the operating system of a DC to a higher version than currently exists in the forest.
The Schema Master role has little overhead and its loss can be expected to result in little to no immediate operational impact. Indeed, unless schema changes are necessary, it can remain offline indefinitely without noticeable effect. The Schema Master role should be seized only when the DC that owns the role cannot be brought back online. Bringing the Schema Master role owner back online after the role has been seized from it can introduce serious data inconsistency and integrity issues for the forest.
Domain Naming Master
Domain Naming Master is an enterprise-level role; there is only one Domain Naming Master in an Active Directory forest.
The Domain Naming Master role owner is the only domain controller in an Active Directory forest that is capable of adding new domains and application partitions to the forest. Its availability is also necessary to remove existing domains and application partitions from the forest.
The Domain Naming Master role has little overhead and its loss can be expected to result in little to no operational impact, since the addition and removal of domains and partitions are performed infrequently and are rarely time-critical operations. Consequently, the Domain Naming Master role should need to be seized only when the DC that owns the role cannot be brought back online.
RID Master
Relative Identifier Master (RID Master) is a domain-level role; there is one RID Master in each domain in an Active Directory forest.
The RID Master role owner is responsible for allocating active and standby Relative Identifier (RID) pools to DCs in its domain. RID pools consist of a unique, contiguous range of RIDs, which are used during object creation to generate the new object’s unique Security Identifier (SID). The RID Master is also responsible for moving objects from one domain to another within a forest.
In mature domains, the overhead generated by the RID Master is negligible. Since the primary domain controller (PDC) in a domain typically receives the most attention from administrators, leaving this role assigned to the domain PDC helps ensure its availability. It is also important to ensure that existing DCs and newly promoted DCs, especially those promoted in remote or staging sites, have network connectivity to the RID Master and are reliably able to obtain active and standby RID pools.
The loss of a domain’s RID Master will eventually lead to result in an inability to create new objects in the domain as the RID pools in the remaining DCs are depleted. While it might seem that unavailability of the DC owning the RID Master role would cause significant operational disruption, in mature environments the impact is usually tolerable for a considerable length of time because of a relatively low volume of object creation events. Bringing a RID Master back online after having seized its role can introduce duplicate RIDs into the domain, so this role should be seized only if the DC that owns it cannot be brought back online.
Infrastructure Master
Infrastructure Master is a domain-level role; there is one Infrastructure Master in each domain in an Active Directory forest.
The Infrastructure Master synchronizes objects with the global catalog servers. The Infrastructure Master will compare its data to a global catalog server’s data and receive any data not found in its database from the global catalog server. If all DCs in a domain are also global catalog servers, then all DCs will have up-to-date information (assuming that replication is functional). In such a scenario, the location of the Infrastructure Master role is irrelevant since it doesn’t have any real work to do.
The Infrastructure Master role owner is also responsible for managing phantom objects. Phantom objects are used to track and manage persistent references to deleted objects and link-valued attributes that refer to objects in another domain within the forest (e.g., a local-domain security group with a member user from another domain).
The Infrastructure Master may be placed on any domain controller in a domain unless the Active Directory forest includes DCs that are not global catalog hosts. In that case, the Infrastructure Master must be placed on a domain controller that is not a global catalog host.
The loss of the DC that owns the Infrastructure Master role is likely to be noticeable only to administrators and can be tolerated for an extended period. While its absence will result in the names of cross-domain object links failing to resolve correctly, the ability to utilize cross-domain group memberships will not be affected.Handpicked related content:
The Primary Domain Controller Emulator (PDC Emulator or PDCE) is a domain-level role; there is one PDCE in each domain in an Active Directory forest.
The PDC Emulator controls authentication within a domain, whether Kerberos v5 or NTLM. When a user changes their password, the change is processed by the PDC Emulator.
The PDCE role owner is responsible for several crucial operations:
Backward compatibility. The PDCE mimics the single-master behavior of a Windows NT primary domain controller. To address backward compatibility concerns, the PDCE registers as the target DC for legacy applications that perform writable operations and certain administrative tools that are unaware of the multi-master behavior of Active Directory DCs.
Time synchronization. Each PDCE serves as the master time source within its domain. The PDCE in forest root domain serves as the preferred Network Time Protocol (NTP) server in the forest. The PDCE in every other domain within the forest synchronizes its clock to the forest root PDCE; non-PDCE DCs synchronize their clocks to their domain’s PDCE; and domain-joined hosts synchronize their clocks to their preferred DC. One example of the importance of time synchronization is Kerberos authentication: Kerberos authentication will fail if the difference between a requesting host’s clock and the clock of the authenticating DC exceeds the specified maximum (5 minutes by default); this helps counter certain malicious activities, such as replay attacks.
Password update processing. When computer and user passwords are changed or reset by a non-PDCE domain controller, the committed update is immediately replicated to the domain’s PDCE. If an account attempts to authenticate against a DC that has not yet received a recent password change through scheduled replication, the request is passed to the domain PDCE, which will process the authentication request and instruct the requesting DC to either accept or reject it. This behavior ensures that passwords can reliably be processed even if recent changes have not fully propagated through scheduled replication. The PDCE is also responsible for processing account lockouts, since all failed password authentications are passed to the PDCE.
Group Policy updates. All Group Policy object (GPO) updates are committed to the domain PDCE. This prevents versioning conflicts that could occur if a GPO was modified on two DCs at approximately the same time.
Distributed file system. By default, distributed file system (DFS) root servers will periodically request updated DFS namespace information from the PDCE. While this behavior can lead to resource bottlenecks, enabling the Dfsutil.exe Root Scalability parameter will allow DFS root servers to request updates from the closest DC.
The PDCE should be placed on a highly-accessible, well-connected, high-performance DC. Additionally, the forest root domain PDC Emulator should be configured with a reliable external time source.
While the loss of the DC that owns the PDC Emulator role can be expected to have an immediate and significant impact on operations, the seizure of the PDCE role has fewer implications to the domain than the seizure of other roles. Seizure of the PDCE role is a recommended best practice if the DC that owns that role becomes unavailable due to an unscheduled outage.
Identifying Role Owners
You can use either the command prompt or PowerShell to identify FSMO role owners.
FSMO roles often remain assigned to their original domain controllers, but they can be transferred if necessary. Since FSMO roles are necessary for certain important operations and they are not redundant, it can be desirable or even necessary to move FSMO roles from one DC to another.
One method of transferring a FSMO role is to demote the DC that owns the role, but this is not an optimal strategy. When a DC is demoted, it will attempt to transfer any FSMO roles it owns to suitable DCs in the same site. Domain-level roles can be transferred only to DCs in the same domain, but enterprise-level roles can be transferred to any suitable DC in the forest. While there are rules that govern how the DC being demoted will decide where to transfer its FSMO roles, there is no way to directly control where its FSMO roles will be transferred.
The ideal method of moving an FSMO role is to actively transfer it using either the Management Console, PowerShell or ntdsutil.exe. During a manual transfer, the source DC will synchronize with the target DC before transferring the role.
To transfer an FSMO role, an account must have the following privileges:
To transfer this FSMO
The account must be a member of
Schema Master
Schema Admins and Enterprise Admins
Domain Naming Master
Enterprise Admins
PDCE, RID Master or Infrastructure Master
Domain Admins in the domain where the role is being transferred
How to Transfer FSMO Roles using the Management Console
Transferring the Schema Master Role
The Schema Master role can be transferred using the Active Directory Schema Management snap-in.
If this snap-in is not among the available Management Console snap-ins, it will need to be registered. To do so, open an elevated command prompt and enter the command regsvr32 schmmgmt.dll.
Once the DLL has been registered, run the Management Console as a user who is a member of the Schema Admins group, and add the Active Directory Schema snap-in to the Management Console:
Right-click the Active Directory Schema node and select Change Active Directory Domain Controller. Choose the DC that the Schema Master FSMO role will be transferred to and click OK to bind the Active Directory Schema snap-in to that DC. (A warning may appear explaining that the snap-in will not be able to make changes to the schema because it is not connected to the Schema Master.)
Right-click the Active Directory Schema node again and select Operations Master. Then click the Change button to begin the transfer of the Schema Master role to the specified DC:
Transferring the Domain Naming Master Role
The Domain Naming Master role can be transferred using the Active Directory Domains and Trusts Management Console snap-in.
Run the Management Console as a user who is a member of the Enterprise Admins group, and add the Active Directory Domains and Trusts snap-in to the Management Console:
Right-click the Active Directory Domains and Trusts node and select Change Active Directory Domain Controller. Choose the DC that the Domain Naming Master FSMO role will be transferred to, and click OK to bind the Active Directory Domains and Trusts snap-in to that DC.
Right-click the Active Directory Domains and Trusts node again and select Operations Master. Click the Change button to begin the transfer of the Domain Naming Master role to the selected DC:
Transferring the RID Master, Infrastructure Master or PDC Emulator Role
The RID Master, Infrastructure Master and PDC Emulator roles can all be transferred using the Active Directory Users and Computers Management Console snap-in.
Run the Management Console as a user who is a member of the Domain Admins group in the domain where the FSMO roles are being transferred and add the Active Directory Users and Computers snap-in to the Management Console:
Right-click either the Domain node or the Active Directory Users and Computers node and select Change Active Directory Domain Controller. Choose the domain controller that the FSMO role will be transferred to and click OK button to bind the Active Directory Users and Computers snap-in to that DC.
Right-click the Active Directory Users and Computers node and click Operations Masters. Then select the appropriate tab and click Change to begin the transfer of the FSMO role to the selected DC:
How to Transfer FSMO Roles using PowerShell
You can transfer FSMO roles using the following PowerShell cmdlet:
To transfers an FSMO role using ndtsutil.exe, take the following steps:
Open an elevated command prompt.
Type ntdsutil and press Enter. A new window will open.
At the ntdsutilprompt, type roles and press Enter.
At the fsmo maintenanceprompt, type connections and press Enter.
At the server connectionsprompt, type connect to server <DC> (replacing <DC> with the hostname of the DC that the FSMO role is being transferred to) and press Enter. This will bind ntdsutil to the specified DC.
Type quit and press Enter.
At the fsmo maintenance prompt, enter the appropriate command for each FSMO role being transferred:
transfer schema master
transfer naming master
transfer rid master
transfer infrastructure master
transfer pdc
To exit the fsmo maintenanceprompt, type quit and press Enter.
To exit the ntdsutilprompt, type quit and press Enter.
Seizing FSMO Roles
Transferring FSMO roles requires that both the source DC and the target DC be online and functional. If a DC that owns one or more FSMO roles is lost or will be unavailable for a significant period, its FSMO roles can be seized, rather than transferred.
In most cases, FSMO roles should be seized only if the original FSMO role owner cannot be brought back into the environment. The reintroduction of a FSMO role owner following the seizure of its roles can cause significant damage to the domain or forest. This is especially true of the Schema Master and RID Master roles.
To seize FSMO roles, you can use the Move-ADDirectoryServerOperationMasterRole cmdlet with the ?Force parameter. The cmdlet will attempt an FSMO role transfer; if that attempt fails, it will seize the roles.
How Netwrix Can Help
As we have seen, FSMO roles are important for both business continuity and security. Therefore, it’s vital to audit all changes to your FSMO roles. Netwrix Auditor for Active Directory automates this monitoring and can alert you to any suspicious change so you can take action before it leads to downtime or a data breach.
However, FSMO roles are just one part of your security strategy — you need to understand and control what is happening across your core systems. Netwrix Auditor for Active Directory goes far beyond protecting FSMO roles and facilitates strong management and change control across Active Directory.
By automating Active Directory change tracking and reporting, Netwrix Auditor empowers you to reduce security risks. You can improve your security posture by proactively identifying and remediating toxic conditions like directly assigned permissions, before attackers can exploit them to gain access to your network resources. Moreover, you can monitor changes and other activity in Active Directory changes to spot emerging problems and respond to them promptly — minimizing the impact on business processes, user productivity and security.
Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.
End user experience for Temporary Access Pass in Windows 11 onboarding.
