Multifactor authentication: where next?

Now that the University is beginning to roll out multi factor authentication (MFA) it is worth reviewing the reasoning behind it, and what future authentication might look like for staff and students at Oxford.

Bear in mind that I’m not critiquing the concept of MFA here: it is a vital step to improve security at a time when universities are being actively targeted, with potentially huge rewards for the malicious. What I’m writing about here is which second factor, of all the available MFA options, is the best one to use.

By far the easiest way to compromise someone’s account is social engineering – persuading a user to volunteer their information. Adding a second factor, beyond just a password, adds complexity and challenges for the nefarious, and it’s far less likely that a user will be persuaded. More specifically, it also ensures that both the password and the second factor have to be presented at the same place and time, returning some semblance of control to the legitimate user even when their password has been compromised.

“…the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
Alex Weinert (Director of Identity Security at Microsoft.)

TL;DR: You should use an authentication app on your preferred device.

Here’s why:

Text Messages
The underlying design of SMS has no capability to add encryption or verification. The need for backwards compatibility on billions of existing users’ devices, and vendors choosing to cease providing software updates after a couple of years, means that retro-fitting improved security can’t be done. The hardware to spoof a number is already out there, SMS signals can be intercepted, and it’s conceivable that anyone within range of a compromised user’s phone could generate fraudulent texts directed at that individual, or redirected elsewhere. SIM-swap fraud, where a ne’er-do-well impersonates you, to obtain a Porting Authority Code (PAC) to steal your phone number, is already a fairly common tactic.
The message size limit of 160 characters, roughly halved for some encoded languages, also limits the amount of information which can be transmitted at a time. And, finally, SMS lacks a mechanism to confirm delivery, or retry: messages can be delayed in transit or simply lost entirely.

Phone call
The public switched telephone network (PSTN) is similarly vulnerable: no encryption and no simple way to add any. The same issues of number spoofing exist, and eavesdropping on a call is not beyond the capability of the determined criminal. The simplicity of the telephone system, based on well-known international standards, makes it vulnerable to a whole host of attack vectors. Phone redirection is also simple and easy in most organisations, and is not (yet) widely recognised as an attack vector: it may be easier to socially engineer a telecoms department to get a user’s phone calls sent elsewhere. It’s probable that this could be done without the eyebrow-raising that asking for a password would provoke.

Hardware tokens
These are far more secure than PSTN or SMS second-factor authentication but have to be purchased. And if their security is ever compromised in the future it’s next to impossible to resolve that without simply having to replace them en masse.

App-based auth
The authentication app can take advantage of encryption and security features that are simply absent from the other authentication methods, and it’s updateable as new threats or vulnerabilities are discovered. Microsoft have already updated their authentication app several times this year – Microsoft’s Alex Weinert again:

“In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.”

Posted in Uncategorized | Comments Off on Multifactor authentication: where next?

Teams Telephony Trial

Microsoft Teams has slowly been taking over all of the functionality that was previously reserved for Skype. And I’m delighted to be able to say that we now have a very limited trial running that enables Nexus365 users to make calls to fixed landlines, mobile phones, and other conventional phone numbers.

For the purposes of this trial we have purchased 15 licences (all of which have been allocated: sorry!)

For users on the trial:

Once enabled for calling your Chorus phone number will be diverted to Teams. Please be aware that this will have the effect of removing any pre-existing Chorus forwards you might have in place.

The Teams client will now have a dialling pad on the ‘calls’ tab.

You can dial either by clicking the numbers on screen, by typing a number, or by entering a name that’s known to the system: it can resolve a name to a number.

The ‘History’ tab shows all your calls, inbound and outbound, and the ellipsis button on the far right gives you a menu including options to either add callers to your speed dial, or to block them.

The ‘Voicemail’ tab will show any messages which have been left, with an automatically generated transcription of what the caller’s message is. Of course you can also play back the message from here too: 


From the server-side we also have some great diagnostic tools to troubleshoot call-related issues:

I’m liking this functionality very much, particularly now that we’re enabling MultiFactor authentication – it’s wonderfully simple to receive a second-factor phone call from within the Teams app I’m already logged into, rather than search for a text message, look up a code on a hardware dongle, or install an app on another device.


Teams Cautionary Tale

This is a reminder that personal chats within Microsoft Teams should NEVER be used to store essential business data.

This follows a report in The Register that, due to a policy being mis-applied globally instead of individually, KPMG staff mistakenly had their personal chat histories irrevocably erased.
Only personal chats were lost according to the article, not chats conducted as part of a Teams meeting or Teams channel, and not any files uploaded to personal chat threads. Although the circumstances that caused this issue are highly specific, and our processes make it unlikely that it would be repeated at the University, unfortunate accidents and mis-clicks can happen to anyone in any organisation at any time. It is never wise to be complacent.

For this reason it is important to set user expectations that personal chat data should be treated as ephemeral, rather than permanent: there are limited options to recover it.


Teams and sidebar pinning

Microsoft have reported an issue which is affecting a number of their education tenancies, including ours. The issue is that when a user pins an app to their sidebar in Teams it may be removed automatically. Affected users see a message like the one below:


However, the management setting in our administrative console is set to ‘Allow User Pinning’: this is not happening because of an administrative decision taken by the Nexus Team, and has not been set in any of our app-related policies. Other universities have reported the same issue and are working with Microsoft to resolve it. Microsoft support staff have said:

“I have reached out to the engineering team regarding the case and have found that this has been already noted and the team is actively working on the issue. This behaviour is found with most of the EDU tenants. I’m glad to tell you that a fix for this is already being developed and would be in future releases for teams.”


Covid19: VPN optimisation for Nexus365

If you’re not using the central University VPN for your Nexus365 users you may be concerned about the load on your VPN from self-isolating remote workers.

VPN server load can be drastically reduced by ensuring that Nexus365 traffic is NOT routed over your VPN connection and is instead sent directly to the cloud service. This requires full-tunnel (global) routing to be disabled in the VPN’s configuration, so that only traffic for internal-only content is routed through the VPN’s tunnel. In Cisco’s VPN client this may be as simple as ticking a box.

To allow VPN-server-side direct internet routing for Nexus365 only, Microsoft provide a PowerShell script which can be used to identify the current IP ranges used by their services, and another for URL/IP/port information. Microsoft’s suggestion is that you use their Service Endpoints API, which can also be queried from a script.
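As an added illustration (not the page’s or Microsoft’s own script), the following Python builds a split-tunnel exclusion list from the Office 365 endpoint web service: it keeps only the “Optimize” category records, collapses overlapping prefixes, and renders them as ASA-style access-list lines. The web service URL is the real one; the embedded sample JSON is constructed in the service’s record shape with documentation addresses, not Microsoft’s real ranges, and the ACL name and output format are assumptions.

```python
import ipaddress
import json
import urllib.request
import uuid

# Real web service; the page refers to it only as "Microsoft Service Endpoints".
ENDPOINT_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"

# Constructed sample in the shape the service returns. Addresses are RFC 5737/3849
# documentation ranges, NOT Microsoft's real ranges; replace with a live fetch.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:1::/48"],
     "urls": ["outlook.office365.com"], "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["198.51.100.0/24"], "urls": ["*.protection.outlook.com"]},
    {"id": 3, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["192.0.2.0/24"], "udpPorts": "3478,3479,3480,3481"},
    {"id": 4, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.microsoft.com"]},  # URL-only record: no "ips" key at all
])


def fetch_endpoints():
    """Download the current endpoint list (needs network; a fresh GUID per client)."""
    with urllib.request.urlopen(ENDPOINT_URL.format(uuid.uuid4()), timeout=30) as resp:
        return resp.read().decode()


def split_tunnel_exclusions(endpoints_json, categories=("Optimize",)):
    """Return (ipv4, ipv6) lists of CIDR strings that should bypass the VPN.

    Only records in the chosen categories that are marked required are used;
    everything else (including "Default" traffic) keeps going through the tunnel.
    """
    v4, v6 = [], []
    for rec in json.loads(endpoints_json):
        if rec.get("category") not in categories or not rec.get("required", False):
            continue
        for cidr in rec.get("ips", []):  # tolerate URL-only records
            net = ipaddress.ip_network(cidr, strict=False)
            (v4 if net.version == 4 else v6).append(net)
    # Merge adjacent/overlapping prefixes so the exclusion list stays short.
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


def to_asa_acl(ipv4_cidrs, name="O365-SPLIT-EXCLUDE"):
    """Render IPv4 prefixes as ASA-style standard ACL lines (assumed format)."""
    lines = []
    for cidr in ipv4_cidrs:
        net = ipaddress.ip_network(cidr)
        lines.append(f"access-list {name} standard permit "
                     f"{net.network_address} {net.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    v4, v6 = split_tunnel_exclusions(SAMPLE_ENDPOINTS)
    print(to_asa_acl(v4))
    print("IPv6 exclusions:", v6)
```

On a live system replace `SAMPLE_ENDPOINTS` with `fetch_endpoints()` and re-run periodically, since the published ranges change.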

By making this configuration change you can ensure that even with a significantly higher number of remote workers, the amount of traffic using your connection is limited to essential-only.


Nexus365 and Covid-19 Coronavirus

Microsoft have made plans to ensure service continuity should their staff be affected. There are currently no known impacts to Microsoft 365 services.
Heightened awareness is in place for the following areas:

Service scale and operations – One of the benefits of a cloud service is the ability to scale dynamically, including utilisation of supply chain, reallocation of resources between services, and redistribution of load. Microsoft have already seen an increase in the use of Teams, to which they have responded.

Supporting systems – A general principle of cloud service operations is remote management and administration.  Microsoft anticipate no effect to their ability to manage the systems used to support Microsoft 365, and have confirmed adequate capacity for staff to work remotely at scale.

External systems – Microsoft are working across industry with a focus on networking infrastructure. They are seeing some utilisation issues with public ingress / egress to China, but otherwise there are no issues identified.

Impact to location – Microsoft’s services are designed for remote administration; however, with the recent news that the Seattle area represents a higher incidence of COVID-19 they have provided specific details around support of the service should Microsoft engineers be constrained to work from home. Microsoft employs a security-first approach to administering the Microsoft 365 service. Each engineering resource that is accountable for managing the service has the ability to securely administer the service without direct access to the corporate location. Microsoft maintains multiple geographic locations outside the Seattle area with individuals who are capable of maintaining and managing the service.

People – As the largest provider of commercial services Microsoft have the capability of ensuring continued operations with multiple subject matter experts in each discipline, with geographic diversity being a consideration. Employees responsible for managing the service all have access to needed resources to take action from home or the office. An on-call rotation allows for sustained support should issues arise and ensures that resources are available should individuals fall ill.

While Microsoft puts the safety and well-being of its employees at the forefront, their “defence-in-depth” approach is expected to allow for uninterrupted service operation should the virus spread significantly.

Microsoft will make updates on the Message Centre should the situation change.


Chrome search – why is it suddenly using Bing?

EDIT: Microsoft have backtracked on this policy. Now Bing will only be forced as the default search engine in Chrome/Firefox if the admins enforce that. We will not be enforcing this. 🙂
https://techcommunity.microsoft.com/t5/office-365-blog/update-to-microsoft-search-in-bing-through-office-365-proplus/ba-p/1161030


Microsoft have snuck a little ‘treat’ into version 2002 of Office 365 Pro Plus which, fortunately, does not yet affect educational institutions on our licencing model. From version 2002 – which starts being deployed in mid February 2020 – Microsoft are installing an add-in into the Chrome browser, if present, that makes Bing the default search engine. This will happen with new Office installations and when existing ones are updated. A further update due later will do the same for Firefox. The deployment is currently location-based, depending on IP address, so the add-in might appear suddenly on a laptop used at a new location. Currently deployment is limited to Australia, Canada, France, Germany, India, the UK, and the USA.

This isn’t just a shot at Google’s market share, however. The logic is that if Bing is your search engine, you can query for your corporate Office 365 content, whether it’s in SharePoint Online, OneDrive, or Teams, directly from your browser’s own search bar. If you use Google as your search engine, you can’t do that. Microsoft’s angle is therefore that this is a reasonable, sensible, and proportionate way for centrally-controlled business computers to operate. However, comments on the proposal have not gone down well…


If you want to prevent this extension from being deployed to your users you may want to exclude it via the Office Deployment Tool, or via Group Policy. It can also be excluded via Endpoint Configuration Manager or Intune. A particularly nasty feature of the add-in is:

Once this feature has rolled out, your end users can change their search engine preferences only via the toggle in the extension; they cannot modify the default search engine in browser preferences.

Belatedly applying the exclusion will NOT uninstall this add-on: you must set your exclusions up before it is deployed to your users’ computers, if you wish to avoid it.
Microsoft’s admin guide on this whole can-of-worms can be found here: https://docs.microsoft.com/en-us/deployoffice/microsoft-search-bing

Currently the University is on an A1 educational licencing model which exempts us from this feature but we will be moving to E3 soon which, alas, is one which applies this approach.


Teams & Private Channels

Microsoft have finally started to deploy support for Private Channels within the Teams application, allowing you to share content with a subset of a Team’s members. This is described as ‘rolling out’ in their roadmap here.

The functionality has started to appear to Teams users within the Nexus365 tenancy already, although you may need to quit and re-launch the Teams application to gain the functionality.


Nexus365: An end to Basic Authentication support.

Executive Summary

From 13th October 2020 Microsoft will discontinue support for Basic Authentication for EWS, EAS, IMAP, POP and RPS. This does not (currently) impact SMTP AUTH. Only applications which use secure authentication technologies, such as OAuth 2.0, will continue to work.

Details

In just over one year’s time Microsoft will end support for Basic Authentication. This method of logging in is very simple, and widely supported, but makes it far too easy for someone malicious to intercept your credentials. Quite simply, it’s no longer good enough. Microsoft want all users of their service – which includes all Oxford University staff and students – to switch to ‘Modern Authentication’ technologies before October 2020. These use OAuth 2.0 token-based authentication, which is more secure because the tokens are application-specific and time-limited, and therefore can’t be re-used.
For message sending you can continue to use Basic Authentication in SMTP AUTH, for the foreseeable future, but we would urge you to seek a more secure alternative if possible.

Impact

POP/IMAP
It is likely that many POP/IMAP clients will be affected. Microsoft will be adding support for OAuth to both POP3 and IMAP4 services over the next few months, so you should update to a client that supports Modern Authentication as soon as possible.
ActiveSync
Most mobile devices will be connecting via the ActiveSync protocol. Microsoft’s advice is to switch to Outlook Mobile, although there are other applications which also support Modern Authentication if you prefer a non-Microsoft client.
Mobile devices can also access Nexus365 via https://outlook.office365.com/, which will detect a mobile device and reformat the screen appropriately to enable small-screen viewing.

Nexus365 Teams: now with guest access

We are pleased to announce that it is now possible to add almost anyone to a Nexus365 team. All that is required is for the individual you wish to add to your team to have a valid email address and a Microsoft account. If they don’t yet have a Microsoft account they will be prompted to create one (free). This Microsoft account will always remain separate from and unrelated to the Nexus service.

How to add a guest to a Team

These are the steps a team owner needs to follow in order to add a guest to their Nexus365 team:

  1. From within the Teams app, the owner needs to select ‘Add member’ as shown below:

2. In the ‘add members’ dialogue box you can now enter any valid email address – you are no longer limited just to Nexus365 user accounts:


3. Once you’ve added the email address an email is sent immediately to that address to notify the person that they’ve been added to the team. The link will open the Teams web app by default but will also provide a download link to the full Teams client software, if it’s available for their operating system:


4. If they already have an account with Microsoft associated with their email address, they’ll be prompted to log in. If not they will be asked to create an account with Microsoft:


5. The final step before they are granted access to the team is for them to review and accept the access permissions that Nexus will request in order to give them access to the team’s content.


Team owners can review the status of prospective members by checking the ‘source’ column when looking at their team’s members.

  • ‘Azure Active Directory’ is a Nexus365 user.
  • ‘External Azure Active Directory’ is someone from another organisation who also uses Office 365, which includes the Said Business School members.
  • ‘Invited user’ is an external email address for whom access has not yet been given, but they have been sent the team membership email.
  • ‘Microsoft account’ is an external email address to which access to the team has been granted.

Notes and queries

  1. It is not possible to remove a team, or the last owner of one, while guest accounts are still members of it. This is to ensure that there are no teams to which only external people have access.
  2. Guests can view the team’s membership but not amend it.
  3. Removing a guest from a team revokes their access instantaneously. If logged in at the time, their window will go blank.
  4. Reinstating a guest’s access is also instantaneous.
  5. Guests are unable to send email to the team’s email address.
  6. The maximum ratio is five guests per full team member.
