5 steps to securing identity infrastructure

According to Microsoft, Azure Active Directory sees 50 million password attacks daily, yet only 20% of users and 30% of global admins use strong authentication such as multi-factor authentication (MFA). Attackers who gain control of privileged accounts can do tremendous damage, so it is critical to protect these accounts. Read our checklist to learn more:

Strengthen your credentials
Strengthen your credentials by enabling strong authentication, banning commonly attacked passwords, turning off traditional complexity and periodic expiration rules (Microsoft's own guidance, since forced rotation pushes users toward predictable variants of the same password), protecting against leaked credentials, adding resilience against outages, and implementing AD FS extranet smart lockout.

Reduce your attack surface
Reduce your attack surface by implementing cloud authentication, blocking legacy authentication (protocols such as IMAP, POP and SMTP AUTH cannot enforce MFA and are the usual path for password-spray logins), blocking invalid authentication entry points, implementing privileged access management, and restricting user consent operations.

Automate threat response
Automate threat response by implementing sign-in risk and user risk policies, integrating Microsoft 365 Defender with Azure AD Identity Protection, and setting up monitoring and alerting.

Utilize Cloud Intelligence
To use cloud intelligence, your organization should monitor Azure AD sign-in and audit logs, Azure AD Connect Health in hybrid environments, Azure AD Identity Protection events, and the apps and permissions that users have consented to.
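As an added example (not code from the original post or from Microsoft's checklist), the following PowerShell ties the "block legacy authentication" and "monitor Azure AD sign-ins" items together: it summarises legacy-authentication sign-ins from a constructed set of sign-in records shaped like the Microsoft Graph signIn resource, then defines the Conditional Access policy that blocks those protocols, starting in report-only mode. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgAuditLogSignIn, New-MgIdentityConditionalAccessPolicy); the sample records and the break-glass group ID are placeholders.

```powershell
# Added example, not from the original post. The sample data runs offline;
# the live-tenant part needs the Microsoft.Graph PowerShell SDK and an
# existing session: Connect-MgGraph -Scopes 'AuditLog.Read.All','Policy.ReadWrite.ConditionalAccess'

function Get-LegacyAuthSummary {
    # Groups sign-ins that used a legacy protocol by user, app and protocol.
    # Input objects need UserPrincipalName, AppDisplayName, ClientAppUsed and
    # Status.ErrorCode, which is the shape Get-MgAuditLogSignIn returns.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $SignIn)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($SignIn) }
    end {
        # Modern authentication reports one of these two client types; everything
        # else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is legacy.
        $modern = @('Browser', 'Mobile Apps and Desktop clients')
        $rows |
            Where-Object { $_.ClientAppUsed -notin $modern } |
            Group-Object -Property UserPrincipalName, AppDisplayName, ClientAppUsed |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    User      = $first.UserPrincipalName
                    App       = $first.AppDisplayName
                    Protocol  = $first.ClientAppUsed
                    Attempts  = $_.Count
                    # ErrorCode 0 is a successful sign-in; 50126 is a wrong password.
                    # Many failures on one legacy protocol is the password-spray signature.
                    Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                }
            } |
            Sort-Object -Property Attempts -Descending
    }
}

# Constructed sample records (placeholders, not real tenant data).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; AppDisplayName = 'Office 365 Exchange Online';   ClientAppUsed = 'IMAP4';              Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; AppDisplayName = 'Office 365 Exchange Online';   ClientAppUsed = 'IMAP4';              Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   AppDisplayName = 'Office 365 Exchange Online';   ClientAppUsed = 'Authenticated SMTP'; Status = @{ ErrorCode = 50126 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   AppDisplayName = 'Office 365 Exchange Online';   ClientAppUsed = 'Authenticated SMTP'; Status = @{ ErrorCode = 50126 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   AppDisplayName = 'Office 365 Exchange Online';   ClientAppUsed = 'Authenticated SMTP'; Status = @{ ErrorCode = 50126 } }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; AppDisplayName = 'Office 365 SharePoint Online'; ClientAppUsed = 'Browser';            Status = @{ ErrorCode = 0 } }
)
$sample | Get-LegacyAuthSummary | Format-Table -AutoSize

# Conditional Access policy that blocks legacy protocols. It starts in report-only mode so the
# sign-in review above (run against real data) can confirm nothing critical still depends on
# them; change state to 'enabled' afterwards. Always exclude a break-glass group.
$policy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' covers all legacy clients
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @('00000000-0000-0000-0000-000000000000')  # placeholder break-glass group ID
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Live tenant only, and only when a Graph session already exists.
if ((Get-Command Get-MgContext -ErrorAction SilentlyContinue) -and (Get-MgContext)) {
    Get-MgAuditLogSignIn -Top 1000 | Get-LegacyAuthSummary | Format-Table -AutoSize
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
```

With the sample data, the summary lists bob's three failed Authenticated SMTP attempts above alice's two successful IMAP4 logins and drops carol's browser sign-in entirely; on real data, the rows with successes are the service accounts and scanners that need a modern-auth replacement before the policy is switched from report-only to enforced.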

Enable end-user self-service
Implementing self-service password reset, self-service group and application access, Azure AD access reviews, and automatic user provisioning will create efficient ways for end-users to secure your organization’s identity infrastructure.


Now Micro Professional Services

Systems Management
We create a simplified desktop and data center management experience for your robust, complex, and heterogeneous environments. Through configuration and automation of systems management tasks, we allow you to keep control of your complex IT business, whether it is on-premises, in the cloud, or across the country.


Cloud Productivity
Now Micro helps you implement a cloud-based infrastructure, giving you unparalleled access, robust security, and greater control in your environment. Moving the infrastructure to the cloud pushes technology out of the way so you can focus on your job.


Identity Management
Our identity management solutions help you create simplified synchronization between identities on-premises and in the cloud while allowing administrators to monitor user access and behavior.

How to Equip Your Office for Hybrid Work

The ongoing pandemic is changing the way companies are structured. Remote work adds flexibility to workers’ lives and protects them from COVID-19, while in-person work allows staff to communicate nuances and socialize. Companies are now offering their employees the best of both worlds: a hybrid office. Read our top 4 tips on providing the right technology for a smooth transition into hybrid work.

Hoteling Stations

The new hybrid office system can look different for every company or for different departments within one company. For example, not all employees work on the same day in many companies, so to save space, a company could opt to have unassigned desks, also known as hoteling. Pairing hoteling with seamless workstations makes for a great hybrid office that saves space and money.

Invest in seamless workstations

After working the last two years at home, many employees have perfected their home technology so they can work exactly how they want. With hybrid schedules, however, going back and forth between home and the office can be a hassle if you are carrying laptops, headsets, and charging cables each way. One way to solve that challenge is to invest in seamless workstations for assigned desks or hoteling stations. The arrangement can look different depending on each company's needs. The setup used at Now Micro allows staff to bring only their laptops and plug them into monitors, which connect the laptop to charging, a wireless keyboard, and a mouse.

Conference Room AV Setup

Some days employees may choose to be in the office, while on others they work remotely. That doesn't mean meetings have to occur only in person or only by video. Simply adding a small media player, a display on the wall, a web camera, and a speaker/microphone can equip conference rooms to help teams collaborate no matter where they are working.

Borderless Data Center

Storing company data can be challenging when employees are based in many locations. One solution is the borderless data center. The borderless data center is a hybrid cloud concept that brings the basic tenets of cloud computing to the brick-and-mortar data center for seamless application operation. Disaggregating the traditional physical infrastructure through cloud-enabled hyperconverged infrastructure (HCI) produces a software-defined, unified system that combines all the elements of a conventional data center (storage, compute, networking, and management) into an on-premises cloud infrastructure with lower costs, more control, and improved security.

Office setup and workplace culture are not going back to the way things were before. Therefore, it is essential to adapt to the times and equip offices that push us towards a more innovative future. Now Micro and its partners are here to help your office transition to a hybrid office. To learn more, visit nowmicro.com or email sales@nowmicro.com.

The Consequences of a Cyberattack on SMBs

Nearly every company relies on the internet for its business operations, which means almost every company is at risk of a cyberattack. In last week's blog post, we discussed why cybercriminals are targeting SMBs, but what are the consequences for an SMB of falling victim to a cyberattack or data breach?

Downtime

After a cyberattack, an SMB is likely to face significant downtime, which means their employees cannot do their jobs. While one can expect revenue to take a substantial hit from downtime, employee productivity usually is the most significant consequence. Employers are still required to pay their employees, they may be missing deadlines, and downtime may cause excess stress on their employees.

The cost of downtime = minutes of downtime x cost per minute.

Damage to hardware 

A cyberattack, malware infection, or data breach puts more than your data at risk: it can also leave hardware such as PCs and servers unusable until it is rebuilt or replaced, and repair or replacement can be very costly.

Fines and penalties

Legal and regulatory requirements seem to be constantly changing, which can be overwhelming for a business owner. Business owners must nonetheless comply with these rules and regulations, and when they don't, they are subject to fines and penalties.

Damage to reputation and loss of customers

When a company falls victim to a cyberattack, its customer data is often compromised, leading to a loss of customer trust and to customers taking their business elsewhere. Once a data breach is public, it also hurts the company's ability to attract new customers.

High costs

In the event of a cyberattack, an SMB is likely to experience downtime, damage to hardware, fines and penalties, damage to reputation and loss of customers, and more. Each of these consequences has its own cost, and sometimes it is enough for a business to close its doors for good. Forbes states that the average cost of a single data breach on an SMB is $149,000. Additionally, 76% of SMBs have experienced a cyberattack in the last 12 months.

We’ve said it before, and we will say it again: It is no longer a question of if your business will be the target of a cyberattack, but when. Can you afford the consequences of a data breach?

Working with a Managed Service Provider can help you better secure your network and prevent cyberattacks from happening. To learn more about our managed services, visit our website or reach out to Sydney Ellison at sydneye@nowmicro.com.

Top 4 Windows 11 Interface Updates

Microsoft has launched the all-new Windows 11, bringing users some much-needed improvements and updates. Take a look at the top 4 interface updates on Windows 11:

Overall Interface

The Windows 11 interface rivals the design world's beloved macOS interface. Features include a cleaner, minimalist design with rounded corners and light, pastel shades.

Start Button

Since Windows 95, the Windows Start button has always been in the lower-left corner. On Windows 11, it is placed at the bottom center of the screen. This is one of the most significant changes in interface and navigation, making the Start button more visible.

Taskbar

When Windows 11 first rolled out, users found the taskbar not as configurable as Windows 10, and some customization needed to be done. Since then, Microsoft has made some changes making the taskbar more manageable. For example, users can decide whether the taskbar shows more of their chosen pins, recommendations from the software, or the default combination of both. Users can also view the full taskbar on 2nd or 3rd monitors and choose the size of the taskbar.

Microsoft Teams Integration

Microsoft Teams is essential for productivity with the continued importance of remote work. Microsoft Teams will be located in the Windows taskbar, allowing the app to be more integrated than before. This is comparable to Apple’s FaceTime app in macOS, where launching video calls is easy to navigate. As always, Microsoft Teams will be available on Mac, iOS, Android devices, and Windows PCs.

Now Micro is ready to deploy devices that are compatible with Windows 11 for your organization. Visit our website or reach out to our Senior Systems Consultant and Windows expert, Jon Anderson at jona@nowmicro.com to learn how you can integrate Windows 11 into your network.

Users: Your largest and weakest attack surface

October is Cyber Security month! When you tell most admins and IT stakeholders that this month's focus is security, you're likely to receive a chuckle or an eye roll. They know the truth of the matter. Our mindfulness of security can't be limited to a single month.

It’s an ongoing process that literally never ends.

Who then is Cyber Security month for? I’ll give you a hint. They interface with your organization’s data, devices and services daily and often don’t regard security as their first or even third priority. You got it; Cyber Security month is all about making your users more aware of the threats your organization faces.  

We often spend a lot more time discussing our plans to harden servers, implement new identity security policies or protect our users’ credentials with MFA. Don’t get me wrong, those things are essential in today’s world, but it’s hard not to notice a gap in those strategies. That gap is the users.  

Most experts estimate that 70% – 90% of malicious breaches start with or include some form of social engineering. Our users are every organization’s largest attack surface and softest target. Bad actors know this and are increasingly aggressive and cunning in their attempts. Every user holds something a bad actor would like to get their hands on. 

Take a user who doesn’t need access to any data or systems but needs email to communicate. If that user leaks credentials, it can still be a treasure trove for a bad actor in the form of a global address list harvest or intel derived from exfiltrated emails that allows them to refine and target spear-phishing attempts. When we read about a large breach in the news, we often picture a group coordinating an attack to launch all at once when it’s far more likely that attack started very small and happened over time.

So how do we go about hardening our users? It would be nice if we could just apply a patch or update their firmware, but a more tactful approach is needed. We believe that process is three-pronged.

Communication

Your organization culture around communicating anything IT-related is very important and often overlooked. 

Simply making your users aware of the current threats and where to report them can go a long way toward thwarting social engineering. Be consistent with your communications. Set up a shared mailbox so that multiple people crafting IT-related messages appear as one unified voice. Apply templates to your emails so the appearance is consistent. Be concise; too little or too much information can be harmful. Stick to the who, what, why, and how of the threat. Don't forget to include where a user should go to report social engineering attempts.

Training

This can mean different things depending on the size of your organization. In smaller organizations, it may mean taking 10 minutes during a company meeting to show examples of social engineering attempts. In larger organizations, it may mean contracting a professional trainer to speak to individual business units or even training leaders in those units to talk about threats to their teams.

Attack Simulation

The benefits of a simulated penetration test against our networks are obvious, but we can also apply this approach to our users. An attack simulation targeting your users with social engineering or a fake malware payload will not only give your organization an idea of its vulnerabilities but is also one of the best ways to raise your users’ awareness. The approach of an attack simulation with training and communication as a fast follow can grab your users’ attention far better than any of these components on their own.

How do I simulate attacks? 

Just like network penetration testing, there are plenty of tools to help you launch attack simulations and parse the data you receive.  

  • Microsoft Defender for Office 365 Plan 2 – If you have Defender for Office 365 Plan 2 or a Microsoft 365/Office 365 E5 or A5 plan, you already have a robust set of tools for simulating attacks (Attack simulation training).
    • Choose from a wide variety of templated attacks that help target specific business units, just like a seasoned spear-phisherman.
    • Simulate malware payloads and malicious links with a variety of different delivery methods.
    • Automatically assign pre-built training modules to users who click malicious links or enter their credentials.
    • Robust after-action reporting to help you know where to invest in training.
  • Now Micro Security Awareness Training – If you don't have Microsoft licensing, you're not out of luck: Now Micro has the tools to simulate attacks against your Microsoft or Google environments.
    • Phishing Security Tests
    • Automated Security Awareness Program
    • Security Hints & Tips
    • Automated Training Campaigns
    • Phish Alert Button (Ability to report & delete phishing emails)
    • Phishing Reply Tracking (Track if a user replies to a simulated phishing email & what information)
    • Industry Benchmarks
    • Monthly Email Exposure Check: Monthly reports show which email addresses are exposed on the Internet and are a target for phishing attacks

Recognizing the growing need to protect all your endpoints, including your users, is our focus at Now Micro.  If you have any questions or would like our help, visit our Managed Services page on our website.

Are you prepared for IT threats?

Many things cause a business owner to have nightmares — at the top of the list is a computer failure that stops operations in its tracks. Unfortunately, no company is immune to the threat of data failure. Recently, for retail giant Target, the fear became a reality as nearly every register in all stores throughout the United States went down.

Fortunately, the system outage only lasted two hours. But those two hours of downtime cost Target roughly $50 million in lost sales and caused its share price to drop by two percent. In reality, Target's ability to go from a catastrophic outage to being back online in such a short time is a huge accomplishment. With significant IT infrastructure in place to respond, the company could investigate the problem, determine that there had been no data breach, and restore all systems to full operation quickly. For the company, assuring that no data had been compromised was vital: in 2013, a data breach affected 41 million customers and resulted in a legal settlement costing millions.

How you protect your data is critical to the success of your business — no matter your size. For a health organization, your data includes detailed medical and insurance information. There are endless client files and records for law offices, financial planners have high-level access to sensitive financial portfolios, the list goes on. No matter the industry, data is critical. In many cases, data security methods are heightened by legally mandated regulations like HIPAA and PCI.

Be Prepared

So, how do you protect your company from cybersecurity threats and data failure? Target can spend hundreds of millions of dollars each year on this; most businesses cannot, so the key is to find an affordable technology partner you can trust. As the Target event shows, data issues and cyberattacks don't only happen during business hours. You have to be prepared to respond 24/7. At Now Micro, we make it a priority to be available when the need for help arises. Our service desk technicians answer the phone live 24 hours a day. But that is only a tiny piece of your cybersecurity response plan. Most of our work occurs before disaster strikes. We help ensure that you have the up-to-date systems needed to prevent an attack or data failure, and backups in place for when an attack does occur.

Your Industry Needs

Although all industries need comprehensive data and cybersecurity infrastructure, the needs vary depending on the types of data stored and industry-specific regulatory requirements. Here is a shortlist of how Now Micro customizes our services to serve the cybersecurity needs of different industries:

Manufacturing

We protect your intellectual property — the core of your ability to be profitable for the long term — and put in place processes to ensure the reliability of manufacturing operations.

Healthcare

HIPAA and other compliance requirements are critical in the healthcare industry. We address these needs and ensure brand protection, secure connectivity, and offer a unified security platform.

Small and Midsize Businesses

Each small and midsize business has its own unique needs, with expense management a key factor. Therefore, we provide affordable options, giving you access to the same level of expertise that large companies have at their disposal.

Retail

In a retail operation, the ability to continually process transactions without hiccups is critical. We help you ensure the reliability of your POS system while also assisting with compliance needs.

Law & Finance

Legal and financial institutions/advisors need to secure sensitive data and are subject to intense compliance regulations. We help ensure all needs are met and a backup system in place to allow recovery in the event of a data attack or failure.

Ready to Serve

Information technology and cybersecurity are overwhelming topics, but they don’t have to be. Click here to learn more about our comprehensive IT and Cyber Security services. Give Now Micro a call today, and we can work together to define a plan that meets your needs so that you can relax knowing that your business is well cared for.

Notable Microsoft Teams Announcements!

The Most Notable Microsoft Teams Announcements of 2020 (through Oct) 

The later part of 2020 has seen a flurry of updates, previews and announced roadmap items for Microsoft Teams.  Let us look at the announcements that are likely to have the most impact. 

HealthCare: Virtual Rounding and Care Coordination 

2020 has been a stressful time for health care professionals across the globe. From exposure risks to PPE shortages, healthcare providers are turning to technology for solutions. Microsoft has answered this call by announcing Virtual Rounding and Care Coordination.

Virtual Rounding is a Teams app that aims to reduce exposure while health care professionals do their daily checkups on their patients. The goal is to limit contact with infected or vulnerable patients by leveraging portable carts equipped with a video screen, microphones, cameras, and speakers. This allows healthcare professionals to maintain distancing when physical presence is not needed for diagnostics or treatment.

Care Coordination, which began its private preview on October 1st, allows healthcare teams to aggregate patient data, provide care plans and test results, and communicate with each other regardless of physical location, all on a HIPAA-compliant platform. The introduction of Teams for care coordination aims to improve efficiency while minimizing exposure.

SharePoint home sites for Teams   

The SharePoint home site experience announced in 2019 allows organizations to create a new intranet site in SharePoint or migrate their existing one. With the increasing ability to embed your organization's apps and resources into Microsoft Teams, many organizations are hoping Teams will become the single pane of glass for all needs.

So why create a home site to serve as your organization's intranet if it will detract from all the work you have done in Teams?

Enter the SharePoint home site app for Teams.  This home site app allows you to deploy your intranet home site through the Teams client. 

The announcement came to us in September 2020 and we are eagerly awaiting release details. 

https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/innovations-for-workplace-communications-and-employee-engagement/ba-p/1696149

Teams Breakout Rooms 

Many in-person conferences and events include a keynote or introductory session that all attendees are present for before breaking into smaller groups for more granular content. Recreating this experience virtually has proven difficult. Microsoft Teams breakout rooms aim to simplify this experience.

Teams Breakout Rooms will allow meeting organizers to split attendees into smaller groups and bring everyone back together without the need to drop and rejoin multiple meetings.

The announcement for Teams breakout rooms came to us in July and we hope to see previews or general availability before the end of 2020. 

Advanced Communication Add-on 

2020 has seen an interesting race between collaboration platforms to provide more attendees, more features, and more video feeds. The majority of normally in-person conferences, large presentations, and even college orientations have been converted to virtual events. 2020 more than ever has created a need for very large virtual events.

Microsoft's answer to this need is the Advanced Communications add-on. At release, the add-on increased the maximum attendees for Teams live events to 20,000.

Features coming later this year include: 

  • Teams meeting maximum members increase to 1,000 
  • The ability for a Teams meeting to have up to 20,000 overflow participants in a view-only meeting experience 
  • Custom Lobby Branding 

To take advantage of these features, the organizer of the meeting/live event will need the advanced communication add-on currently priced at $12 per user/month.  Attendees DO NOT need the add-on. There is also a 60-day trial available through the admin center. 

Considering this new and not quite yet saturated market, I would expect to see more feature announcements coming soon. 

https://docs.microsoft.com/en-us/microsoftteams/teams-add-on-licensing/advanced-communications#:~:text=%20Advanced%20Communications%20provides%20enhanced%20calling%20and%20meeting,across%20meetings%20for%20your%20internal%20and…%20More%20

Custom Meeting Layouts 

If you are looking to make a good impression on clients or impress your coworkers with your big presentation, Microsoft may have given you a secret weapon. Teams custom meeting layouts allow you, the presenter, to customize what attendees are seeing. Microsoft Ignite gave us a preview of new tech allowing you to overlay the presenter on a PowerPoint slide. Who knows, maybe someday virtual meetings will look more professional than traditional in-person meetings with half the effort! 

Using Power BI to Track M365 KPI’s In Your Remote Workforce

Even before the events of early 2020, many organizations and much of the workforce were realizing the benefits of telecommuting. With a changing world, even the most die-hard "butts in seats" workplace cultures have had to adapt. For some, trusting their flock to work efficiently and productively with little oversight can be a source of anxiety. While the shift to working remotely may take some getting used to for everyone, a net positive in productivity is usually the result.

So, your staff is no longer right outside your office door and the conversations in the break room are no longer there to give you insight. How do you measure your staff's productivity? Luckily, Microsoft 365 usage analytics lets us pull data from Teams, Outlook, OneDrive, SharePoint, Yammer and more into a sortable, consumable report.

Prerequisites 

Licensing 

To install the M365 Usage Analytics app, you will need at least 1 Power BI Pro License.  If you would like to demo the app, you can sign up for a free Power BI Pro trial here

If the report is shared with additional users, they will also need a Power BI Pro License to view the report. 

Identities 

All the filtering in the Microsoft 365 Usage Analytics app is driven by Azure AD user object attributes. Make sure the following attributes are populated and current:

  • Company 
  • Department 
  • Country 
  • State 
  • City 

Tenant ID 

To connect your organization's data, you will need your tenant's ID. The tenant ID can be obtained from the overview page in Azure Active Directory; directions are included below in this post.

Enable Power BI Reporting For Your Tenant 

In order for Power BI to access your organizational data, you must enable Power BI reporting within your tenant.

Enabling Power BI Reporting 

  • The link below will bring you to the Services and Add-ins configuration page within the Microsoft 365 admin center.
https://admin.microsoft.com/AdminPortal/Home#/Settings/ServicesAndAddIns
  • Click on “Reports”, select the option to “Make report data available to Microsoft 365 usage analytics for Power BI” and click “Save Changes” 
  • Selecting the option "Display anonymous identifiers instead of user, group, or site names in all reports" replaces user-identifiable data in the reports with pseudonymous identifiers. The reports still let you discern organizational trends, but not what a named user did; turn this on unless you have a documented need for per-user data, since the report is shared with everyone who gets access to it.

Retrieving Your Tenant ID 

  • Navigate to Azure Active Directory overview page. 
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
  • Sign in with an appropriate admin account. 
  • The Tenant ID is located near the top of the page. 

Installing the M365 Usage Analytics App 

  • Navigate to the Power BI Portal and sign in with a global admin account which has a Power BI Pro license. 

https://powerbi.microsoft.com/

  • The app automatically creates its own workspace upon installation. For this reason we can begin by clicking “My Workspace” and then “Get” under “Discover Content >> My Organization”.   
  • The easiest way to find the app is to search for "usage" in the search bar. Once you have found the Microsoft 365 Usage Analytics app, click "Get it now".
  • The next screen allows you to review the app’s privacy policy, and terms of service as well as some additional info about the app.  Once you are satisfied, click install. 
  • After waiting for Power BI to Install the app, click the apps icon. 
  • The next screen gives three options. You can populate the app with sample data before connecting to your organization's analytics, explore the workspace created along with the app, or connect your organization's data. If you're comfortable pulling in your organizational data, click "Connect" under "Connect your data".
  • For Power BI to find your data, you will need to enter your tenant ID. Instructions for finding your tenant ID are above. Enter the tenant ID in the field and click "Next".

Scheduling Refreshes 

By default, the dataset created does a one-time pull. To see updated data each day or week, you will need to configure the refresh schedule. You can also configure alerting on refresh failures. When the app was installed, a new workspace was created to house the report and dataset. To access the refresh settings, first find and open that workspace.

  • Click on "Workspaces" in the left-hand blade and select the "Microsoft 365 Usage Analytics" workspace.
  • Click on "Datasets" within the workspace ribbon and expand the ellipsis under "Actions". From the drop-down menu, select "Settings".
  • Expand "Schedule Refresh". Make sure the toggle for "Keep your data up to date" is turned on. Configure your preferred refresh interval (daily or weekly). You can add additional times if you would prefer multiple refreshes per day. If you wish to alert on failed refreshes, configure the notification settings. Click "Apply" when finished.

Viewing the Report 

  • From the workspace dashboard, select “Reports” from the ribbon and click “Microsoft 365 Usage Analytics”. 
  • You now have all your data in a prebuilt report ready for consumption.

Sharing the Report 

  • If you wish to share the report with others, click "Share" in the upper right-hand corner of the "Reports" page.

Note: Any user the report is shared with will need a Power BI Pro license to view the report 

  • From the share dialog, you can add multiple recipients and dictate whether those recipients can share the report further. Deselect the "Allow recipients to build new content…" option if you do not want recipients to have access to the underlying dataset; with it left on, a recipient can query the raw per-user activity data, not just the report you built.

Summary 

Obviously, there is a lot more to cover with the Microsoft 365 Usage Analytics app and Power BI.  I hope to cover manipulating the dataset and building customized reports in a future blog post.  Thank you for reading! 

Always On VPN Overview

As technology continues to improve and the workplace continues to evolve, remote workers have become more common. Effectively supporting these remote workers means re-evaluating legacy remote access solutions. This post will look at Microsoft’s current remote access solution, Always On VPN.

Always On VPN is a Microsoft remote access solution that is built into Windows 10. Microsoft has positioned Always On VPN as the replacement for their older remote access solution (DirectAccess).

When planning a deployment of Always On VPN, keep in mind that it is a solution for users or devices that need remote access to local resources on a corporate network. Users with access to cloud resources, and devices managed by cloud-enabled tools may not require a VPN connection.

How Does Always On VPN Work?

Always On VPN allows a client to establish a VPN connection automatically, without any user interaction. The technology that makes this possible is the VPNv2 configuration service provider (CSP), which is built into Windows 10. This CSP allows the built-in Windows 10 VPN client to be configured through an MDM solution (Intune) or through PowerShell, which writes to the same CSP via the MDM bridge WMI provider.

The server side of a typical Always On VPN deployment requires at least one VPN server and one authentication (RADIUS) server. A common solution is Windows Server with the Routing and Remote Access role installed for the VPN server, and Windows Server with the Network Policy Server role installed for the RADIUS server. These do not need to be Microsoft servers, however; third-party solutions or appliances can be used. Additionally, a certificate authority is required to issue certificates to the servers and clients. The certificates are used to authenticate the VPN connection.

The Windows 10 VPN client can be configured to connect a user-authenticated tunnel or a device-authenticated tunnel. Both types of tunnels can be connected simultaneously if required.

User Tunnel

The User Tunnel is established when a user logs into a computer. This type of tunnel is ideal for granting access to file shares or applications.

Here is a high-level overview of the connection process for an Always On VPN user tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server passes the connection request to the RADIUS server. The connection request leaves via the internal interface of the VPN server and passes through the internal firewall
  4. The RADIUS server receives and authenticates the connection request
  5. The RADIUS server returns an accept or deny response to the VPN server
  6. The VPN server allows or denies the connection request based on the response from the RADIUS server

Device Tunnel

The Device Tunnel is established as soon as a computer is powered on and connected to the internet. A user does not need to be logged into a computer for a device tunnel to connect. This type of tunnel is ideal for granting access to Active Directory or other management servers like Configuration Manager.

Here is a high-level overview of the connection process for an Always On VPN device tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server validates the computer authentication certificate of the client and allows or denies the connection request

Notice that the device tunnel does not use RADIUS for authentication; the VPN server performs the authentication itself. This prevents device tunnels from taking advantage of more advanced Always On VPN features like conditional access and multi-factor authentication. For more guidance on when to utilize device tunnels, refer to this post.

VPN Protocols

Always On VPN utilizes familiar VPN infrastructure, which means that it can also utilize familiar VPN protocols. There are two main protocols that make the most sense to use when working with Always On VPN.

IKEv2

Internet Key Exchange version 2 (IKEv2) has good security and good performance. Its ability to automatically reconnect after a short interruption gives it good reliability as well. The primary concern with using IKEv2 is that communication happens on UDP 500 and UDP 4500, which makes it more likely that the connection will be blocked by firewalls.

Note that when using an Always On VPN device tunnel, IKEv2 is the only supported protocol.

SSTP

Secure Socket Tunneling Protocol (SSTP) also has good security and good performance. The main benefit of using SSTP is that communication happens on TCP 443, so it is very unlikely to be blocked anywhere. The downsides to SSTP are that it is not quite as secure as IKEv2, and it does not handle connection interruptions as well.

ProfileXML

As I mentioned earlier, Always On VPN utilizes the built-in Windows 10 VPN client. This client is configured using the VPNv2 CSP node. Configuring the settings in the VPNv2 CSP node can be accomplished using an XML file. Once the XML file is created, it can be deployed to systems through Intune or through Configuration Manager using PowerShell. For more information on the XML configuration and deployment, see the Microsoft Documentation.
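To make the ProfileXML and PowerShell deployment described above concrete, here is an added example of a device tunnel profile pushed into the VPNv2 CSP through its WMI bridge class (MDM_VPNv2_01). This is illustrative code written for this post, not Now Micro's or Microsoft's deployment script; the server name, subnet and DNS suffix are placeholders. It assumes it runs in the SYSTEM context (for example as a Configuration Manager package), because the device tunnel is a machine-level connection. Since the device tunnel skips RADIUS, conditional access and MFA, the profile uses split tunneling with an explicit route so the unattended tunnel only reaches the management subnet rather than the whole network.

```powershell
# Added example (not from the original post): create an Always On VPN device tunnel
# on Windows 10 by writing a ProfileXML into the VPNv2 CSP via the MDM_VPNv2_01 WMI class.
# Assumptions (placeholders): VPN server vpn.example.com, management subnet 10.10.0.0/16,
# internal DNS suffix corp.example.local. Run as SYSTEM; device tunnels require IKEv2
# and machine certificate authentication.

$ProfileName        = 'AlwaysOnVPN-DeviceTunnel'          # becomes the CSP InstanceID
$ProfileNameEscaped = [uri]::EscapeDataString($ProfileName) # spaces etc. must be URL-encoded

$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Scope the unattended tunnel to the management subnet only (least privilege) -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <DnsSuffix>corp.example.local</DnsSuffix>
  <!-- Do not bring the tunnel up while already on the corporate network -->
  <TrustedNetworkDetection>corp.example.local</TrustedNetworkDetection>
</VPNProfile>
'@

$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'
$ParentID  = './Vendor/MSFT/VPNv2'

# The CSP stores the profile as an XML-escaped string inside the ProfileXML property.
$EscapedXML = [System.Security.SecurityElement]::Escape($ProfileXML)

# Remove any existing instance with the same name so re-running the script is idempotent.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    Remove-CimInstance

# Creating the instance is what actually writes the profile into the VPNv2 CSP.
New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
    ParentID   = $ParentID
    InstanceID = $ProfileNameEscaped
    ProfileXML = $EscapedXML
} | Out-Null

# Verify: a device tunnel shows up as a machine-wide (all-user) connection.
Get-VpnConnection -AllUserConnection |
    Where-Object { $_.Name -eq $ProfileName } |
    Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

A user tunnel profile uses the same deployment pattern but omits the DeviceTunnel element, replaces MachineMethod with an EAP user authentication block, and must be created in the logged-on user's context rather than as SYSTEM; the VPNv2 CSP also offers TrafficFilter elements if you need to restrict the device tunnel further by destination address and port than the route alone does.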

Additional Reading

This post was a high-level look at the technology behind Always On VPN. For a detailed guide on creating a basic Always On VPN deployment, refer to the Microsoft Documentation. I would also recommend reading Richard Hicks’s blog. Additionally, Now Micro will be hosting a Tech Connect webinar on Always On VPN next month (May 2020). More details can be found on our Events Page.

Office 365 Announces ProPlus Device-based Subscription for Education

Office 365 ProPlus Device-based Subscription for Education provides administrators an experience that mirrors the user-based model, but with easier management and access to the Office 365 desktop apps. You can assign the device-based subscription to any device within the institution's organization, including, but not limited to, open-access, lab, or library devices, providing a consistent user experience.

Attention IT administrators: Announcing Office 365 ProPlus Device-based Subscription for Education!