Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for December 2018

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner

Last Updated on December 27, 2018 by Dishan M. Francis

In my previous blog posts, I explained what Azure information protection is and how we can use it to do data classification and protect sensitive data. In those, I was using data stored in corporate OneDrive accounts. But in most cases organizations use on-premises file servers. in this blog post I am going to explain how we can use Azure information protection with on-premises file shares.

To do this we are going to use component called Azure Information Protection Scanner. This comes with Azure Information Protection add-on that we normally install in user computers. 

Pre-requisites 

1) Windows Server 2012 R2 or newer

2) Minimum SQL Server 2012 (Express, Standard or Enterprise)

3) Service Account to run the service – Ideally this should be AD sync account and should have log on locally & log on as a service permission. If you have lockdown environment, you can use local account to run service and separate Azure AD account to do authentication. In my demo I am going to use this method. 

4) The Azure Information Protection client installed

5) Classification with automatic protection – More details can find under https://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Create Service Account

In my demo server I have created a local user called aipsa and assign local administrator rights. 

File Share

For demo purpose I have created a file share called DataShare and add different types of files to it. 

SQL Server 2017 Express

In my demo server I have SQL Server 2017 Express installed. This will use for AIP Scanner. 

AIP Client Install

We need full AIP client install before we start the scanner configuration. 

1) Log in to the server as Administrator

2) Download AIP client from https://www.microsoft.com/en-gb/download/details.aspx?id=53018

3) Run the AzInfoProtection.exe as Administrator

4) Accept terms & conditions in first screen

5) It will start the installation

[Read more…] about Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner

Step-by-Step Guide: Automatic Data Classification via Azure Information Protection

Last Updated on December 20, 2018 by Dishan M. Francis

In my previous blog post I explained how we can use Azure information protection to protect sensitive data in an organization. You can access it using http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ . In that post I have created labels with permissions and assign it to documents to protect sensitive data. But in an organization, we deal with lots of data. So, applying label manually is not practical. Therefore, AIP offers automatic data classification to overcome this challenge. Using this feature, we can apply conditions to labels. When conditions are met, it will automatically apply the relevant label to data. 

This feature supports many industry recognized information types. It also allows to create our own conditions with information patterns specific for our requirements. In below I list some examples for predefined information types available in AIP.

Canada Bank Account Number

Canada Driver's License Number

Canada Health Service Number

Canada Passport Number

Canada Personal Health Identification Number (PHIN)

Canada Social Insurance Number

Chile Identity Card Number

China Resident Identity Card (PRC) Number

Credit Card Number

EU Debit Card Number

EU Driver's License Number

EU National Identification Number

EU Passport Number

EU Social Security Number or Equivalent ID

EU Tax Identification Number

U.K. Driver's License Number

U.K. Electoral Roll Number

U.K. National Health Service Number

U.K. National Insurance Number (NINO)

U.S. / U.K. Passport Number

U.S. Bank Account Number

U.S. Driver's License Number

U.S. Individual Taxpayer Identification Number (ITIN)

U.S. Social Security Number (SSN) 

Actions followed by condition can be either automatic classification or recommended classification. If it is automatic classification, label will apply immediately after conditions are met. If its recommended classification, system will recommend the label but will not apply it to data. 

So, let’s see it in actions. 

in my demo environment I have a label setup under AIP called Sales confidential. In my previous blog post I have demonstrate how to setup a label so I am not going to repeat it again. You can read step-by-step guide about it using http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ 

in my label I have setup my sales manager Megan as the co-owner for the data and sales executive Isaiah a viewer. I am going to apply this label to any document which have credit card number in it. My label settings are as following,

[Read more…] about Step-by-Step Guide: Automatic Data Classification via Azure Information Protection

Step-by-Step Guide: Protect confidential data using Azure information protection

Last Updated on December 17, 2018 by Dishan M. Francis

Data is the new oil. It created new currency, it opened up new opportunities, new revenue streams. When more and more data been transferred in to digital format, it opens up new security concerns about confidential data. How we can make sure corporate confidential data not been shared? 

I have some confidential data saved in OneDrive. It is being shared with my sales team. Majority of team members are working from home at least 2-3 days in the week. I need to make sure this confidential data not been shared with anyone else. In this demo I am going to show how I fix with this issue. 

The solution that I am going to use in here is Azure Information protection. This works with labels & permissions. We can label data and associate relevant permissions to it. Permissions define what users can do and can’t do with data.

So, let’s see this in action. As first step we need to go ahead and setup labels. To do that,

1. Log in to https://portal.azure.com as global administrator

2. Then go to All Services | Azure Information Protection 

[su_note]You need to have relevant subscription in place to use this feature. More info about it available on https://azure.microsoft.com/en-gb/pricing/details/information-protection/[/su_note]

3. Then click on Labels | Add a new label 

4. In new page, provide name and description for the label. Then click on protect under Set permissions for documents and emails containing this label

5. Click on Azure (cloud key) and in new window click on Add permissions

[Read more…] about Step-by-Step Guide: Protect confidential data using Azure information protection

Step-by-Step Guide to Microsoft Intune Device Compliances

Last Updated on December 2, 2018 by Dishan M. Francis

In my previous posts I explained how we can add devices to Intune and how we can push applications to those. This is another blog post under same category and in here I am going to talk about managing device compliances using Microsoft Intune. 

In an infrastructure, we know how trusted device should looks like. We use different tools and services to make sure those does. As a simple example, most use group policies to make sure firewall, windows updates are up and running. But now, it is hard to define infrastructure boundaries as many people use same device for work and personal stuff. More and more people are working remotely. So, administrators are losing control over the devices. With Microsoft Intune we can easily define compliance policies and detect devices which is not meeting infrastructure requirements. It is similar how network policy server works in BYOD environment. 

In this demo I am going to create compliance policy to detect the devices which doesn’t have firewall and antivirus services running. once it detects, it also should send notification to IT department so they aware that non-compliance device is in network.  

1. To start, log in Azure portal as Global administrator

2. Then go to All Services | Intune | Devices

3. Under devices I can see my demo device is in healthy state. 

4. First, we need to create device group, so I can target it with the policy. to do that go to Intune home page and click on Groups

5. Then click on New Group

6. Then create the new security group with demo device. 

[Read more…] about Step-by-Step Guide to Microsoft Intune Device Compliances