Monday 22 March 2021

Best Practices for Azure Multifactor Authentication (MFA)

When configuring Azure MFA and Conditional Access there is the potential to lock out all users from the system including the Azure Portal. As with any security control/mechanism, the costs of implementation and maintenance always need to be commensurate with the risks and costs of not implementing the control (e.g. assets at risk, reputational risk).

With this in mind, here are some key best practices you should follow when enabling MFA:

  1. Ensure that end users are informed adequately that MFA is coming, as it can negatively affect the user experience and cause confusion. Microsoft provides communication templates and end user documentation for this purpose (per https://www.microsoft.com/security/blog/2020/01/15/how-to-implement-multi-factor-authentication/)
  2. Always grant exclusions for every MFA policy - this will ensure there is always an MFA backdoor (a break-glass path) so you don't completely lock yourself out (especially if conditional access rules apply to all apps or the Azure portal). When enabling conditional access, make sure exclusions are made for:
    1. Administrators.
    2. Support staff.
    3. Any trusted IPs and known IP addresses/named locations.

  3. Testing - Use the Conditional Access What If tool to check which policies would actually apply to a given user and sign-in before making changes.
  4. Pilot changes using select groups to apply and test MFA policies.
  5. Don't automatically block users who report fraud, as users can lock themselves out (this is less secure, but there is a real danger of false positives).
  6. Don't use the MFA portal and Conditional Access at the same time - it's not a good idea to manage MFA through the per-user MFA control panel as well as through Conditional Access. If you are using Conditional Access, disable per-user MFA for the accounts in the MFA portal first - otherwise you'll have two competing rulesets.
  7. Use Azure Identity Protection (IdP) - a good way to ensure users are forced to register for MFA (MFA needs to be configured first) and to ensure MFA coverage. It also lets you notify, block, or require MFA when administrative accounts sign in during high sign-in-risk activity, such as atypical travel between sign-ins.
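
As an added example (not from the original post), here is a small Python check that reads a Conditional Access policy in the shape the Microsoft Graph conditionalAccessPolicy resource returns and flags the lockout risks the list above warns about: an MFA policy scoped to all users and all apps with no admin/support exclusion, no trusted-location exclusion, and enforced rather than piloted. The two sample policies and the group-id placeholders are constructed; the field names (includeUsers, excludeGroups, excludeRoles, excludeLocations, builtInControls, state) are the real Graph schema.

```python
"""Lockout-risk check for an Azure AD Conditional Access policy (added example).

The input is a dict in the shape Microsoft Graph returns for a policy.
Both sample policies below are constructed for illustration only.
"""

def lockout_findings(policy: dict) -> list:
    """Return a list of findings; an empty list means no lockout risk was spotted."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    locs = cond.get("locations") or {}          # Graph returns null when unset
    grant = policy.get("grantControls") or {}

    requires_mfa = "mfa" in grant.get("builtInControls", [])
    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])

    if requires_mfa and all_users:
        # Practice 2: every MFA policy needs an admin/support exclusion.
        if not (users.get("excludeUsers") or users.get("excludeGroups") or users.get("excludeRoles")):
            findings.append("no user/group/role exclusion: admins and support can be locked out")
        # Practice 2 (cont.): trusted IPs / named locations should be excluded.
        if all_apps and "AllTrusted" not in locs.get("excludeLocations", []):
            findings.append("applies to all apps with no trusted-location exclusion")
    # Practice 4: pilot with a group or report-only mode before enforcing for everyone.
    if policy.get("state") == "enabled" and all_users and all_apps:
        findings.append("enforced for all users and apps: pilot with a group or report-only first")
    return findings

# Constructed sample: the risky shape, then the corrected one.
RISKY_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
SAFER_POLICY = {
    "displayName": "Require MFA for all users (piloted)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeGroups": ["<break-glass-admins-group-id>", "<support-staff-group-id>"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for p in (RISKY_POLICY, SAFER_POLICY):
        print(p["displayName"], "->", lockout_findings(p) or ["OK"])
```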

Monday 1 March 2021

CalDigit TS3 Plus Thunderbolt 3 Docking Station - Issues with Windows 10 USB Devices

Background:
I've been having a few USB connection and power issues with the CalDigit TS3 Plus Docking Station (even after the January 2021 version 44.1 firmware update from CalDigit themselves). This is especially the case when I power up the laptop separately from the dock and then plug it in whilst still on.

The Problem:
The display adapters would work - but USB connectivity and audio were failing, even after plugging and unplugging USB and associated devices and powering down the hub. No USB devices would even power up while the issue was in effect.

Discovery/Resolution Steps: 
The only thing that would fix it (most of the time) was a full power down restart.

Looking at Device Manager - I was getting a Code 31 saying that the "Object Name Already Exists". In the Device Event history, the following error kept appearing:

Device PCI\VEN_1B73&DEV_1100&SUBSYS_11061AB6&REV_10\8&1b6ac812&0&0000000800E0 was not migrated due to partial or ambiguous match.

Uninstalling and reinstalling these Generic USB Host Controllers "USB xHCI Compliant Host Controller" didn't work.

There is a teardown video of this dock with details of all the chips/controllers inside that gave me an idea - https://www.youtube.com/watch?v=8f6Zs1JyZBQ. Looking up the Vendor and Device IDs in the error above, it seems that the USB controller chip used in the CalDigit docking station is the Fresco Logic xHCI 1100 (USB3) controller.

After a short search I found the following device driver page for that company to try (rather than the generic Microsoft xHCI Host Controller driver) - https://support.frescologic.com/portal/en/kb/articles/latest-drivers

Once I installed this, the device was correctly recognised in Windows and no reboot required. It has worked without issue post installation of the Fresco driver (fingers crossed!). I believe that this Fresco Driver installation should go on the CalDigit support page to resolve this issue as the default Generic Drivers seem to have problems.