Affordable Office 365 Backups with Synology Active Backup
When it comes to backups and Office 365, there are plenty of misconceptions in the industry. Yes, you do need to backup Office 365 data; No, it doesn’t have to cost you an arm and a leg. Synology’s Active Backup for Office 365 gives you backups without breaking your budget.
Synology reached to me and asked if I would be interested in reviewing their Active Backup suite. To help, they have supplied me with one of their latest generation devices a DiskStation DS920+. This is not a sponsored post and the thoughts within are my own.
Why Backup Your Office 365
Too many organisations and IT professionals believe that you do not need to perform backups of Office 365 data. The truth is, just like any other production system, you need to have a backup plan for this data.
Typically, backups are described as a copy of data that is taken and stored away from the original. A backup can be used to restore the original after a data-loss event. To be clear, backups are independent copies; they should be stored separately of the original data.
Microsoft doesn’t provide any services as part of Office 365 that fit this description. If you don’t believe me, just checkout their Office 365 compliance documentation (Microsoft O365 Mapping of CSA CMM v3.0.1):
Microsoft O365 Mapping of CSA CMM v3.0.1
People confuse backups for redundancy, particularly geo-redundancy that Microsoft provides with Office 365. Geo-redundancy involves replicating data between multiple sites, with the aim of ensuring that access to data is always available, even in the event of hardware or site failures. With replication, data deletion requests or data corruption will be replicated to each site. Replication doesn’t stop deletion or corruption; it doesn’t let you go back in time as there are no separate copies of the data.
People also confuse litigation holds and retention policies with backups. These controls allow you to specify how long data is held or retained by Office 365 even after a user deletes it. There are no separately stored copies of the data, for later restoration. If a file or message is corrupted, retention policies will simply define how long Office 365 keeps a copy of that corrupted piece of data.
Another consideration is compliance – everyone’s favourite topic. Most level and regulatory frameworks define a backup requirement or the ability to retrieve past data. Retention policies can help here, but backups are the only tool to ensure you truly meet your compliance requirements.
Synology Active Backup for Office 365
When you talk about backup products, Synology might not be the first vendor you think about. I am here to tell you needs to change. Synology’s Active Backup Suite is here to challenge the status-quo.
The Active Backup Suite comes as free packages that can be installed on any compatible Synology hardware. It offers a wide range of protection, including:
- Client PCs, servers, file servers and virtual machine hosts – with Active Backup for Business,
- Office 365 including Exchange, SharePoint and OneDrive – with Active Backup for Office 365, and,
- G Suite including Gmail and Google Drive – with Active Backup for G Suite.
The focus of this review is Active Backup for Office 365, but I encourage you to check out the rest of the Active Backup Suite.
Cost Effective Backups
I am impressed with how Synology has positioned itself in what could be considered a crowded solution space. They have positioned themselves as being cost-effective, by ditching the per-user licensing model of their competitors. All you need is a compatible Synology NAS and enough storage, and you are good to go.
I will admit, the licensing model grabbed my attention when Synology first contacted me. No per-user licensing, they must be crazy. As the Head of Information Technology at Telstra Purple, I spend a significant portion of my time navigating vendor licensing models. Most products in the Office 365 backup space make use of a per-user monthly or yearly subscription model, something that looks low cost for small user counts, but as you scale out, the cost can get out of hand.
I wanted to get a rough idea of the cost difference between Synology and one of its competitors. As I said, this is a rough estimate, but helps to show how Synology are positioning Active Backup for Office 365. In this example, I will be working with an Office 365 tenant that has 500 users, and I want to retain the backups for 7 years. Below are my estimates (in AUD).
| Active Backup for Office 365 | Competitor's Product | |
|---|---|---|
| User licensing | $0 | $10,000/year |
| Server | Synology DiskStation DS3617xs @ $3900 | Azure D4v3 @ $500/month |
| Storage | 12 NAS rated 10TB Disks @ $550/each | Azure Storage @ $2000/month |
| Total Costs | ||
| Yearly cost | $10,500 | $40,000 |
| Total cost over 7 years | $10,500 | $280,000 |
I realise this this isn’t the fairest of comparisons, with power, cooling and replacement hard disks have not factored into the Synology estimate. I have also assumed a fixed amount of Azure Storage consumption for the competitor. What should be clear is that the biggest factor on overall cost is the yearly per user licensing.
As someone who is responsible for maintaining an IT budget, I must admit, it would be hard to choose the more expensive option.
Easy to Configure Backups
From personal experience, enterprise backup solutions were always complicated to configure and maintain. I still have nightmares about troubleshooting backups on Exchange 2010! Due to this experience, I allocated plenty of time to setup Active Backup for Office 365, only to be surprised when it took all of 10 to 15 minutes. I was also impressed to see support for multiple Office 365 tenants.
Currently, Active Backup offers protection for OneDrive, Exchange Online (mail, contacts, calendar and online archive) and SharePoint sites. In the beta release, there is addition support for Office 365 groups. The only thing I really would like to see is support for Microsoft Teams chat and conversation history.
I really liked how you can specify if newly created Office 365 user accounts are automatically included in each backup tasks. This is a great touch as it reduces the amount of work required when onboarding new users, awesome for those forgetful system administrators.
My only disappointment when configuring backup tasks was how you specify data retention. Active Backup for Office 365 provides two options: keep all versions or specify how many days a copy should be kept. Every vendor has their own approach for specifying retention policies, and Synology isn’t alone with the all or number of days approach. I personally prefer how retention policies are specified in Azure Recovery Vaults. This issue isn’t a showstopper, but more fine-grained policies might allow for better storage efficiency.
Easy to Restore Content
Synology haven’t just made running backups easy, they also made it easy to restore content with an end-user accessible self-service portal. From the Active Backup for Office 365 Portal, users can choose to restore data that may have been deleted or corrupted, without the need for administrator involvement.
Providing self-service options to your users is a critical aspect to the success of any IT team. The simple option of allowing users to perform tasks, like restoring Office 365 files and content makes them feel empowered and most importantly, frees up your IT team to work on more important tasks. Self-service will make you and your users happy.
Unfortunately, I found the portal a little bit difficult to navigate. I wish the interface more closely resembled the Office 365 user interface, as that would have felt more intuitive. I felt the mechanism to switch between viewing mail, OneDrive, contacts and calendar items wasn’t obvious at first.
Synology recommends enabling single sign-on (SSO) with Azure Active Directory. This will allow users to connect to the portal using their Office 365 credentials, no need for separate accounts. This isn’t required, but I would expect this to be setup for production environments. If you wish to use accounts created on the Synology, just ensure that the email address matches between the Synology account and the Office 365 account.
Synology currently only supports one SSO provider, so if you are performing multi-tenant backups, you will need to consider which Azure AD you federate with. SSO is configured via Azure AD application registration, so you will not need Azure AD Premium licenses.
Overall Thoughts
| ✔ | Setup is simple. |
| ✔ | Support for user self-service data restoration. |
| ✔ | Support for multiple Office 365 tenancies. |
| ✔ | No per user licensing, subscriptions or renewals. |
| ❌ | No support for Teams conversation history. Currently supports OneDrive, Exchange (mail, contacts, calendar and online archives) and SharePoint sites. |
| ❌ | Retention policies are someone limited. |
| ❌ | Requires the purchase of hardware. |
I am really impressed by Active Backup for Office 365. Setting up Synology appliances and applications has always been very user friendly. The setup and restore experience are well designed and when integrated with Azure AD sign-on, provide end-users with self-service content restoration.
I believe the licensing model will be highly attractive to many organisations, even large enterprises; however the misconception that Synology’s market is home users, hobbyists and small businesses may result in many IT professionals to not thoroughly consider Active Backup for Office 365. Don’t fall for this misconception.
As someone who leads the internal IT team for a cloud first organisation, I can see the requirement to purchase Synology hardware a drawback. This could be a real blocker. Synology have some cloud offerings, perhaps their next step would be to offer Active Backup as a SaaS product.
I recommend that anyone supporting Office 365 environments to look at Active Backup for Office 365. It allows you to meet your organisations backup and data protection requirements as a cost-effective price point. I am and will recommend Active Backup for Office 365 to customers, clients, friends.
Active Backup for Office 365 is under active development, there are additional features and fixes already available in the public beta release.
I want to thank Synology for giving me the opportunity to work with DiskStation DS920+, it is a remarkable device that is very suited for IT professional and hobbyist use.
Protecting yourself against the BlueGate RDP Gateway vulnerability
Schadenfreude is a wonderful feeling, but when it comes to information security, we must always remember that we live in glass houses. Over the past few months, as vulnerabilities have been rampantly exploited in SSL VPN products like those from Pulse, Fortinet and Citrix; I found myself deriving some enjoyment. Karma of course, was on its way.
Microsoft patched two vulnerabilities, dubbed BlueGate, as part of the January Patch cycle. These vulnerabilities are pre-authentication Remote Code Execution (RCE) rated. The vulnerabilities could allow remote code execution when an unauthenticated attacker connects to a target system using RDP and sends specially crafted requests. MFA will not protect you from this vulnerability. These vulnerabilities can be found in Windows Server 2012, 2012R2, 2016 and 2019.
Considering that RDP Gateway servers typically exist to provide a mechanism for users outside of to access trusted internal systems, exploiting this vulnerability could potentially provide network wide access to an attacker.
Security researcher Ollypwn has released proof-of-concept (PoC) that results in a denial of service (DoS). Luca Marcelli has also released a video showing a working RCE exploit.
Thankfully there is a small glimpse of hope. The vulnerability only affects the UDP transport (port 3391) option of the RDP Gateway components. Depending upon the configuration, administrators may have only exposed the HTTPS transport to the Internet. One potential mitigation, if patching is not an option, is to disable or block the UDP transport.
If you run RDP Gateways, please work to ensure that you patch or disable the UDP transport as quickly as possible. As with the Shitrix or SSL VPN vulnerabilities, once RCE exploit code is released, I expect attackers to include this in their ransomware toolkit much as they have.
Mitigating IE Zero-Day (CVE-2020-0674/ADV200001) with PowerShell and Intune
Microsoft published a security advisory (ADV200001) containing mitigations against an actively exploited zero-day remote code execution (RCE) vulnerability in Internet Explorer. At time of writing, there is no patch for the vulnerability. Microsoft is expecting to release a patch as part of the usual Patch Tuesday (Wednesday for some of us) cycle.
Microsoft has provided some mitigation steps that can be applied; however, they only recommend taking these steps if there is an indication you are under elevated risk. One of the problems with the mitigation steps is that you MUST revert the changes before you can install any future updated.
The mitigations also come with some side-effects; their impact might be too much for some organisations. Side-effects include:
- Printing to HP printers and other USB printers mail fail.
- Windows Media Player is reported to break on playing MP4 files.
- Sfc.exe will break.
- Printing to "Microsoft Print to PDF" is reported to break.
- Proxy automatic configuration scripts (PAC scripts) may not work. For me, I couldn’t imagine managing some enterprise environments without PAC scripts. That alone would be a good reason to not deploy these fixes.
If after all of this, you want to still apply these mitigations. I put together some quick guidance for their implementation with Intune.
Enabling the mitigations
- Get a copy of the Enable-ADV200001.ps1 script from my GitHub repository.
- Sign-in to the Microsoft Endpoint Manager Admin Center.
- Select Devices > PowerShell scripts > Add.
- In Basics, enter the Name: Enable IE Mitigations for ADV200001, and select Next:
- In Script settings, browse to where you downloaded the Enable-ADV200001.ps1 script, leave everything else at their default settings, and select Next:
- Select Scope tags. Scope tags are optional, if you don’t use this feature, select Next.
- Select Assignments > Select groups to include. Select with groups this script should be applied to, select Next.
- In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.
Disabling the mitigations
- Get a copy of the Disable-ADV200001.ps1 script from my GitHub repository.
- Sign-in to the Microsoft Endpoint Manager Admin Center.
- Select Devices > PowerShell scripts > Add.
- In Basics, enter the Name: Disable IE Mitigations for ADV200001, and select Next:
- In Script settings, browse to where you downloaded the Disable-ADV200001.ps1 script, leave everything else at their default settings, and select Next:
- Select Scope tags. Scope tags are optional, if you don’t use this feature, select Next.
- Select Assignments > Select groups to include. Select with groups this script should be applied to, select Next.
- In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.
More guidance can be found here Use PowerShell scripts on Windows 10 devices in Intune
Just remember that before your next patch cycle, you need to disable the mitigations, otherwise the updates will fail.
February 2020 Melbourne Microsoft Cloud and Datacenter Meetup
Just before I speak at Ignite The Tour Sydney, I will be presenting a preview of my talk to the Melbourne Microsoft Cloud and Datacenter Meetup on February 10th.
Our February 2020 meetup has an exciting double line up with Richard Benwell from Squared Up talking about how to effectively monitor your applications with Azure Monitor. Richard will show us how to get started, get some quick wins and create some killer Azure dashboards.
The event is hosted by Servian in their lovely offices in Tower 5, 727 Collins St in Docklands. I look forward to seeing everyone there.
Ensuring your Windows 10 Clients are protected from CryptoAPI bug
Two weeks ago, Microsoft patched a vulnerability in its cryptographic library (CryptoAPI) that was reported by the NSA. At the time, there were no reports that this vulnerability had being exploited in the wild, however both Microsoft and the NSA where keen for organisations to install patches as quickly as possible. In its second-ever emergency directive, DHS' CISA recommended organisations perform the required endpoint patching by the 29th of January. I wrote about the first CISA emergency directive in my Advice on Mitigating DNS Infrastructure Tampering.
Proof-of-concept exploit code was quickly made available, but there are still no reported attacks. With the potential of attackers exploiting the vulnerability to sign malicious executables, that is, making malicious executables appear as if they are from a trusted, legitimate source; there are plenty of reasons to make installing this patch a priority.
As administrators, we already have the tools at our disposal to ensure that our Windows 10 clients are protected. Intune and Azure AD Conditional Access can once again be used to protect clients, as we did with Spectre and Meltdown.
How does it work? Read my post Using Intune and AAD to protect against Spectre and Meltdown, to understand the basics of how we can implement checks to validate the version of Windows 10 installed for Intune enrolled devices.
You will need to specify either of these two values for the Minimum OS version in your Windows 10 complaince policy:
- For Windows 10 version 1903 (May 2019 Update): 10.0.18362.592
- For Windows 10 version 1909 (November 2019 Update): 10.0.18363.592
I recommend the later, 10.0.18363.592, as it will allow you to ensure that all your clients are running the very latest Windows 10 features.
Need help with Windows 10 version numbering? Check out Wikipedia’s Windows 10 Version History) page. It is an exceptionally detailed guide on what versions you need to be aware of.
Bank Grade Security at Microsoft Ignite The Tour Sydney
I am extremely excited to announce that I am presenting my talk, Bank Grade Security at Microsoft Ignite The Tour in Sydney next month. I have received such wonderful feedback from this talk when I presented it at DDD Melbourne, DDD Sydney and NDC Sydney. Speaking at a Microsoft event like this has been a dream for a long time and I am excited to share it with an even wider audience.
If you are attending The Tour in Sydney, please register for the session (session code BRK30215). In the session I will be talking about how Australian Banks rate in terms of the use of security practices like SSL/TLS configuration hardening, the use of HTTP security headers and their support for security.txt files. The results will probably surprise you.
This talk will be updated with the latest results of my analysis, if you have seen the session, please come and see how the banks have hopefully improved. The session will be of interest to everyone including developers, security and operations teams.
The Boring Security Talk at the Global Azure Bootcamp 2019
This weekend I spoke at the Global Azure Bootcamp 2019. This was another great day, this year hosted at Swinburne University.
This weekend I spoke at the Global Azure Bootcamp 2019. This was another great day, this year hosted at Swinburne University.
I presented a longer version of my talk, The Boring Security Talk. The longer format lets me get into some extra details. The extra time also provides some time to talk about some of the latest security incidents that have occured in the last few months.
I have put together a list of links and reference materials:
- Hackers exploit Jenkins servers, make $3 million by mining Monero
- DHS: Multiple US gov domains hit in serious DNS hijacking wave
- Advice on Mitigating DNS Infrastructure Tampering
- A Deep Dive on the Recent Widespread DNS Hijacking Attacks
- DNS Squatting with Azure App Services
- Microsoft loses control over Windows Tiles subdomain
- DNSControl
- Managing DNS with DNSControl, CloudFlare, DNSimple, GitHub, VSTS, Key Vault and Docker
- MX Toolbox
- PostMark DMARC reporting
- Report URI DMARC monitoring
- Phishing Scorecard
- UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned
- Malicious Docker Containers Earn Cryptomining Criminals $90K
- Postmortem for Malicious Packages Published on July 12th, 2018
- Malicious remote code execution backdoor discovered in the popular bootstrap-sass Ruby gem
- Pipdig Update: Dishonest Denials, Erased Evidence and Ongoing Offences
Mitigating the risks of IMAP credential stuffing attacks in Office 365
A recent Bleeping Computer article reported that email security company Proofpoint, had observed a massive increase in credential spraying attacks that target Office 365 and G Suite. These attacks leverage legacy email protocols (IMAP) and credential dumps to bypass the multifactor controls provided by these platforms.
A recent Bleeping Computer article, Multi-Factor Auth Bypassed in Office 365 and G Suite IMAP Attacks, reported that email security company Proofpoint, had observed a massive increase in credential spraying attacks that target Office 365 and G Suite. These attacks leverage legacy email protocols (IMAP) and credential dumps to bypass the multifactor controls provided by these platforms.
Now I am a bit sceptical of some of the numbers in the Proofpoint report, however I have seen other similar reports. I personally believe it is a safe assumption that most Office 365 and G Suite tenants have been targeted and that these attacks have successfully breached some of these tenants.
These attacks have been successful because:
- IMAP bypasses MFA (and some conditional access controls) on these platforms. This is due to the lack of support for MFA in the base IMAP protocol.
- The attackers have taken care to avoid potential account-lockouts. As a result, the attacks look like isolated failed logins and go unnoticed.
- MAP is an easy protocol to develop automated attacks against.
How can we protect our Office 365 tenants from these types of attacks?
There are three steps you can take:
- Disable IMAP and POP access to mailboxes, and,
- Disabling legacy authentication using an Exchange Online Authentication Policy, and,
- Disable legacy authentication using a Conditional Access Policy.
Each of these steps targets different behaviours, and as such, I believe you should put all of these controls in place.
Disabling IMAP and POP client access
The first step is to disable users access to their mailboxes using IMAP and POP. Why do this? To be honest, why would any of your users be using these protocols? With Outlook applications on Windows, MacOS, iOS and Android and third party applications that support modern authentication, I don’t see any need for users to be sticking to these legacy protocols.
Unfortunately, you need to disable IMAP and POP at a mailbox level, you cannot disable it at a tenant level. To disable these protocols, we can connect to Exchange online and then use the set-CASMailbox CMDLet. Remember you need to do this for all mailboxes!
Set-CASMailbox -Identity $EmailAddress -PopEnabled $false -ImapEnabled $falseThis could be included as part of your user automation processes.
Disabling legacy authentication using an Authentication Policy
You can find a great guide on doing this at Microsoft Docs, Disable Basic Authentication in Exchange Online.
Disabling legacy authentication protocols using a Conditional Access Policy
There is also a guide on Microsoft Docs, How to: Block legacy authentication to Azure AD with conditional access, that will help you set up a Conditional Access Policy that blocks legacy authentication protocols from use.