Quadra

Connecting Technology and Business.

Windows Hello for Business

Authentication with passwords alone is no longer sufficient to keep users safe. Users reuse and forget passwords. Passwords are breachable, phishable, crackable and guessable. They are also difficult to remember and expose users to attacks like “pass the hash”.

What is Windows Hello for Business?

Windows Hello for Business is a private/public key or certificate-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on key pair credentials that can replace passwords and are resistant to breaches, thefts, and phishing.

Windows Hello for Business lets a user authenticate to a Microsoft account, a Windows Server Active Directory account, a Microsoft Azure Active Directory (Azure AD) account, or a non-Microsoft service that supports Fast IDentity Online (FIDO) authentication. After an initial two-step verification during Windows Hello for Business enrollment, Windows Hello for Business is set up on the user's device, and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello for Business to authenticate the user and help them to access protected resources and services.

The private key is made available solely through a “user gesture” like a PIN, biometrics, or a remote device like a smart card that the user uses to sign in to the device. This information is linked to a certificate or an asymmetric key pair. The private key is hardware attested if the device has a Trusted Platform Module (TPM) chip. The private key never leaves the device.

The public key is registered with Azure Active Directory or Windows Server Active Directory (for on-premises). Identity Providers (IDPs) validate the user by checking that a challenge signed with the private key verifies against the public key registered for that user, and provide sign-in information through One Time Password (OTP), PhoneFactor, or a different notification mechanism.

Why should enterprises adopt Windows Hello for Business?

By enabling Windows Hello for Business, enterprises can make their resources even more secure by:

  • Setting up Windows Hello for Business with a hardware-preferred option. This means that keys will be generated on TPM 1.2 or TPM 2.0 when available. When a TPM is not available, the key is generated in software.
  • Defining the complexity and length of the PIN, and whether Hello usage is enabled in your organization.
  • Configuring Windows Hello for Business to support smart card-like scenarios by using certificate-based trust.

How does Windows Hello for Business work?

  1. Keys are generated in hardware by the TPM, or in software. Many devices have a built-in TPM chip that secures the hardware by binding cryptographic keys to the device. TPM 1.2 or TPM 2.0 generates the keys, or certificates are issued for the generated keys.
  2. The TPM attests these hardware-bound keys.
  3. A single unlock gesture unlocks the device. This gesture allows access to multiple resources if the device is domain-joined or Azure AD-joined.

How does the Windows Hello for Business lifecycle work?

  • The user proves their identity through multiple built-in proofing methods (gestures, physical smart cards, multi-factor authentication) and sends this information to an Identity Provider (IDP) like Azure Active Directory or on-premises Active Directory.
  • The device then creates the key, attests the key, takes the public portion of this key, attaches the attestation statement to it, signs in, and sends it to the IDP to register the key.
  • As soon as the IDP registers the public portion of the key, the IDP challenges the device to sign with the private portion of the key.
  • The IDP then validates and issues the authentication token that lets the user and the device access the protected resources. IDPs can write cross-platform apps or use browser support (via JavaScript/Webcrypto APIs) to create and use Windows Hello for Business credentials for their users.
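The registration and challenge steps above as an added example; this is not Microsoft's code and uses no Windows API. The device keeps the private key (an in-memory ECDSA P-256 key stands in for the TPM-bound one), the IDP stores only the public key, issues a single-use nonce, and verifies the signature before issuing a token; the Device and IDP types and the token format are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is the user's endpoint; the real key lives in the TPM, here it is an in-memory P-256 key (assumption).
type Device struct {
	priv     *ecdsa.PrivateKey
	unlocked bool // set by the PIN/biometric gesture
}

// IDP stands for Azure AD or on-premises AD: public keys plus one open challenge per user.
type IDP struct {
	registered map[string]*ecdsa.PublicKey
	issued     map[string][32]byte
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func NewIDP() *IDP { return &IDP{registered: map[string]*ecdsa.PublicKey{}, issued: map[string][32]byte{}} }

// PublicKey is the only key material that ever leaves the device, at enrollment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Gesture models the local PIN/biometric unlock; nothing is sent to the IDP.
func (d *Device) Gesture() { d.unlocked = true }

// Sign answers a challenge; without the gesture the key stays locked.
func (d *Device) Sign(nonce [32]byte) ([]byte, error) {
	if !d.unlocked {
		return nil, fmt.Errorf("key locked: user gesture required")
	}
	digest := sha256.Sum256(nonce[:])
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

func (i *IDP) Register(user string, pub *ecdsa.PublicKey) { i.registered[user] = pub } // public part only

// Challenge issues a fresh random nonce that the device must sign.
func (i *IDP) Challenge(user string) ([32]byte, error) {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nonce, err
	}
	i.issued[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the registered key and the outstanding
// nonce, consumes the nonce so it cannot be replayed, then issues a token.
func (i *IDP) Verify(user string, nonce [32]byte, sig []byte) (string, error) {
	pub, registered := i.registered[user]
	issued, open := i.issued[user]
	if !registered || !open || issued != nonce {
		return "", fmt.Errorf("no registered key or outstanding challenge for %s", user)
	}
	delete(i.issued, user) // single use: a replayed nonce fails the check above
	digest := sha256.Sum256(nonce[:])
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match key registered for %s", user)
	}
	return fmt.Sprintf("token:%s:%x", user, nonce[:4]), nil // constructed token format
}

func main() {
	dev, _ := NewDevice()
	idp := NewIDP()
	idp.Register("alice", dev.PublicKey()) // enrollment: only the public key leaves
	nonce, _ := idp.Challenge("alice")
	dev.Gesture() // user unlocks the key locally
	sig, _ := dev.Sign(nonce)
	fmt.Println(idp.Verify("alice", nonce, sig))
}
```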

What are the deployment requirements for Windows Hello for Business?

At the enterprise level

The enterprise has an Azure subscription.

At the user level

The user's computer runs Windows 10 Professional or Enterprise.

-from a document in Microsoft Docs

Password spray attacks and four sure steps to disrupt them

As long as we’ve had passwords, people have tried to guess them. Let us get up to speed on a common attack called password spray, which has become MUCH more frequent recently. There are some best practices that we can adopt to defend against this sophisticated attack.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password-protected assets they can find. Usually these span many different organizations and identity providers.

Four easy steps to disrupt password spray attacks:

Step 1: Use cloud authentication

In the cloud, Microsoft sees billions of sign-ins to its systems every day. Microsoft’s security detection algorithms allow it to detect and block attacks as they are happening. Because these are real-time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, Microsoft uses Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. They can lock out the attacker while letting the valid user continue using the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018. They can look for this ability to come via Windows Update.

IP Lockout

IP lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.
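The per-source-IP analysis behind Smart Lockout and IP lockout, as an added example that is not Microsoft's detection logic: it reads constructed sign-in audit lines in a layout assumed for this example and labels each source IP as password spray (many accounts, one or two failures each), brute force (one account hammered) or benign. The thresholds in DefaultPolicy are illustrative.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sign-in audit lines, "<time> <source-ip> <account> <result>".
// The layout is an assumption of this example, not any product's log schema;
// addresses are from the RFC 5737 documentation ranges.
const SampleLog = `2018-03-01T08:00:01Z 203.0.113.7 alice FAIL
2018-03-01T08:00:02Z 203.0.113.7 bob FAIL
2018-03-01T08:00:03Z 203.0.113.7 carol FAIL
2018-03-01T08:00:04Z 203.0.113.7 dave FAIL
2018-03-01T08:00:05Z 203.0.113.7 erin FAIL
2018-03-01T08:00:06Z 198.51.100.4 bob FAIL
2018-03-01T08:00:07Z 198.51.100.4 bob FAIL
2018-03-01T08:00:08Z 198.51.100.4 bob FAIL
2018-03-01T08:00:09Z 198.51.100.4 bob FAIL
2018-03-01T08:00:10Z 192.0.2.10 alice FAIL
2018-03-01T08:00:11Z 192.0.2.10 alice OK
2018-03-01T08:00:12Z 192.0.2.10 bob OK`

// Verdict per source IP, with the response the text pairs with it.
type Verdict string

const (
	Benign     Verdict = "benign"         // a real user's typo: no action
	Spray      Verdict = "password-spray" // many accounts, few tries each: IP lockout
	BruteForce Verdict = "brute-force"    // one account hammered: lock that IP/account pair only
)

// Policy thresholds; these are example values, real ones are derived from global traffic.
type Policy struct {
	SprayAccounts   int // distinct accounts failing from one IP
	SprayMaxPerAcct int // failures per account must stay at or below this to look like spray
	BruteFailures   int // failures on one account from one IP
}

var DefaultPolicy = Policy{SprayAccounts: 5, SprayMaxPerAcct: 2, BruteFailures: 4}

// failuresByIP counts failed sign-ins per account for each source IP.
func failuresByIP(log string) map[string]map[string]int {
	out := map[string]map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "FAIL" {
			continue // malformed line or successful sign-in
		}
		ip, acct := f[1], f[2]
		if out[ip] == nil {
			out[ip] = map[string]int{}
		}
		out[ip][acct]++
	}
	return out
}

// Classify returns one verdict for every source IP that produced a failure.
func Classify(log string, p Policy) map[string]Verdict {
	verdicts := map[string]Verdict{}
	for ip, perAcct := range failuresByIP(log) {
		maxPer := 0
		for _, n := range perAcct {
			if n > maxPer {
				maxPer = n
			}
		}
		switch {
		case maxPer >= p.BruteFailures:
			verdicts[ip] = BruteForce
		case len(perAcct) >= p.SprayAccounts && maxPer <= p.SprayMaxPerAcct:
			verdicts[ip] = Spray
		default:
			verdicts[ip] = Benign
		}
	}
	return verdicts
}

func main() {
	fmt.Println(Classify(SampleLog, DefaultPolicy))
	// map[192.0.2.10:benign 198.51.100.4:brute-force 203.0.113.7:password-spray]
}
```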

Attack Simulations

Now available in public preview, Attack Simulator, part of Office 365 Threat Intelligence, enables customers to launch simulated attacks on their own end users, determine how those users behave in the event of an attack, update policies, and ensure that appropriate security tools are in place to protect the organization from threats like password spray attacks.

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds advanced machine learning and algorithmic detection to risk-score every sign-in that comes into the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys.

Always-on multi-factor authentication

For even more security, enterprises can use Azure MFA to require multi-factor authentication for their users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to perform multi-factor authentication more frequently, it provides the most security for the enterprise. This should be enabled for every admin in an organization.

Azure MFA as primary authentication

In ADFS 2016, Azure MFA can be used as the primary authentication method, giving passwordless authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works well for all types of devices with various form factors. Additionally, enterprises can now use the password only as the second factor, after an OTP has been validated with Azure MFA.

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defence is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. Microsoft builds the list of the most commonly attacked passwords and updates it frequently.

Custom banned passwords

To make banned passwords even better, Microsoft is going to allow tenants to customize their banned password lists. Admins can choose words common to their organization—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so enterprises don’t have to choose one or the other. It’s in limited preview now and will be rolling out in 2018.
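A banned-password check of the kind described in the two sections above, as an added example that is not Microsoft's algorithm: it folds l33t-sp3@k and case before a substring match, and enforces a global list and a tenant list together. The substitution table and both word lists are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// leet undoes common l33t-sp3@k substitutions before matching; "l" and "1" both fold
// to "i" so "he11o", "hello" and "heiio" compare equal. The table is an assumption
// of this example, not Microsoft's.
var leet = strings.NewReplacer(
	"@", "a", "4", "a", "3", "e", "1", "i", "l", "i", "!", "i",
	"0", "o", "$", "s", "5", "s", "7", "t",
)

// Normalize lowercases and folds substitutions so variants of one word compare equal.
func Normalize(pw string) string { return leet.Replace(strings.ToLower(pw)) }

// Checker enforces the global list and the tenant's custom list together.
type Checker struct {
	Global []string // constructed stand-in for Microsoft's commonly attacked passwords
	Tenant []string // words specific to the organization (names, products, places)
}

// Check returns "" when the password is acceptable, otherwise "<list>:<term>" for the
// first banned term whose normalized form appears inside the normalized password.
func (c Checker) Check(pw string) string {
	n := Normalize(pw)
	for _, term := range c.Global {
		if strings.Contains(n, Normalize(term)) {
			return "global:" + term
		}
	}
	for _, term := range c.Tenant {
		if strings.Contains(n, Normalize(term)) {
			return "tenant:" + term
		}
	}
	return ""
}

// Example lists; "contoso" and "fabrikam" are Microsoft's fictional company names.
var Example = Checker{
	Global: []string{"password", "qwerty", "letmein", "welcome"},
	Tenant: []string{"contoso", "fabrikam"},
}

func main() {
	for _, pw := range []string{"P@$$w0rd!", "W3lc0me!", "C0nt0so2018", "Tr0ub4dor&3"} {
		fmt.Printf("%-12s -> %q\n", pw, Example.Check(pw))
	}
}
```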

Banned passwords for on-premises changes

This spring, Microsoft is launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronized from the cloud to the on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes his/her password. This launched to limited private preview in February 2018 and will go to GA this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behaviour: for example, requiring certain character types and periodic password changes both result in specific password patterns. If an enterprise is using Active Directory with PTA or ADFS, they have to update their password policies. If they are using cloud-managed accounts, enterprises need to consider setting their passwords to never expire.

Step 4: More awesome features in ADFS and Active Directory

If an enterprise is using hybrid authentication with ADFS and Active Directory, there are more steps they can take to secure their environment against password spray attacks.

The first step: for organizations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible. The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout. Microsoft has made it really easy to upgrade from Windows Server 2012 R2 to 2016.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If enterprises do not have extranet lockout in place at the ADFS Web Application proxy, they should enable it as soon as possible to protect their users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives admins additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

(To deploy, admins must install the latest version of the Azure AD Connect Health Agent for ADFS (2.6.491.0) on all ADFS servers. ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed, or Windows Server 2016.)

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

  • Certificate-based authentication allows username/password endpoints to be blocked completely at the firewall.
  • Azure MFA, as mentioned above, can be used as a second factor in cloud authentication and in ADFS 2012 R2 and 2016. It can also be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray.
  • Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined, as well as personal devices via “Add Work or School Account” from the Settings app.

- Based on a blog from Microsoft Security

A free ticket to kickstart your Digital Transformation journey with Amazon

If your enterprise is preparing for a digital transformation journey and is looking for a simple way to test the waters (or road-test it, if you prefer), here is an offer none can refuse – a free ticket to kick-start your journey, and that with the pioneer of infrastructure as a service – Amazon.

Let us first look at the services AWS offers free for 12 months in its Free Tier.

(Only available to new AWS customers, for 12 months following the AWS sign-up date.)

Elastic Compute Cloud (EC2)

Use this to create Virtual machines for your workloads.

  • 750 hours of Amazon EC2 Linux t2.micro instance usage (1 GiB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month
  • 750 hours of Amazon EC2 Microsoft Windows Server† t2.micro instance usage (1 GiB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month

Elastic Load Balancer

Automatically distributes incoming application traffic across multiple targets – Available as Application load balancer, Network load balancer and Classic load balancer

  • 750 hours of an Elastic Load Balancer shared between Classic and Application load balancers, 15 GB data processing for Classic load balancers, and 15 LCUs for Application load balancers

Elastic Block Storage

Persistent block storage volumes for EC2 instances / Virtual machines

  • 30 GB of Amazon Elastic Block Storage in any combination of General Purpose (SSD) or Magnetic, plus 2 million I/Os (with EBS Magnetic) and 1 GB of snapshot storage

Elastic Container Registry

A fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.

  • 500 MB-month of Amazon Elastic Container Registry storage for new customers

Amazon Simple Storage Service (S3)

Object storage built to store and retrieve any amount of data from anywhere

  • 5 GB of Amazon S3 standard storage, 20,000 Get Requests, and 2,000 Put Requests

Amazon Elastic File System (EFS)

A simple, scalable file storage for use with Amazon EC2 instances

  • 5 GB per month of Amazon EFS capacity free

Amazon Relational Database Service (RDS)

Set up, operate, and scale a relational database in the cloud.

  • 750 hours of Amazon RDS Single-AZ db.t2.micro Instances, for running MySQL, PostgreSQL, MariaDB, Oracle BYOL or SQL Server (running SQL Server Express Edition) – enough hours to run a DB Instance continuously each month
  • 20 GB of database storage, in any combination of RDS General Purpose (SSD) or Magnetic storage
  • 10 million I/Os (for use with RDS Magnetic storage; I/Os on RDS General Purpose (SSD) storage are not separately billed)
  • 20 GB of backup storage for your automated database backups and any user-initiated DB Snapshots

Amazon Cloud Directory

Enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. With Cloud Directory, you can create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries including AD LDS

  • 1 GB of storage per month; 10,000 write requests per month; 100,000 read requests per month

Amazon Connect

A self-service cloud-based contact center service to deliver better customer service

  • 90 minutes per month of Amazon Connect usage; A local direct inward dial (DID) number for the AWS region; 30 minutes per month of local (to the AWS region) inbound DID calls; 30 minutes per month of local (to the AWS region) outbound calls; For US regions, a US toll-free number for use per month and 30 minutes per month of US inbound toll-free calls

Amazon GameLift

A managed service for deploying, operating, and scaling dedicated game servers for session-based multiplayer games

  • 125 hours per month of Amazon GameLift c4.large.gamelift On-Demand instance usage; 50 GB EBS General Purpose (SSD) storage

Data Transfer

  • 15 GB of data transfer out and 1 GB of regional data transfer aggregated across all AWS services

Amazon Data Pipeline

A web service to reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals

  • 3 low frequency preconditions running on AWS per month; 5 low frequency activities running on AWS per month

Amazon ElastiCache

Fully managed Redis and Memcached to seamlessly deploy, operate, and scale popular open source compatible in-memory data stores

  • 750 hours of Amazon ElastiCache cache.t2.micro Node usage – enough hours to run continuously each month.

Amazon CloudFront

A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to viewers with low latency and high transfer speeds.

  • 50 GB Data Transfer Out, 2,000,000 HTTP and HTTPS Requests of Amazon CloudFront

Amazon API Gateway

A fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale

  • 1 Million API Calls per month

Amazon Cognito

Add user sign-up, sign-in and access control of web and mobile application users

  • The Your User Pool feature has a free tier of 50,000 MAUs each month; 10 GB of cloud sync storage; 1,000,000 sync operations per month.

Amazon Sumerian

Create and run virtual reality (VR), augmented reality (AR), and 3D applications quickly and easily without requiring any specialized programming or 3D graphics expertise.

  • 50 MB published scene that receives 100 views per month for free in the first year

Amazon Elasticsearch Service

A fully managed service to deploy, secure, operate, and scale Elasticsearch for log analytics, full text search, application monitoring etc.

  • 750 hours per month of a single-AZ t2.micro.elasticsearch instance or t2.small.elasticsearch instance; 10 GB per month of optional EBS storage (Magnetic or General Purpose)

Amazon Pinpoint

Engage your customers by tracking the ways in which they interact with your applications

  • 5,000 free targeted users per month; 1,000,000 free push notifications per month; 100,000,000 events per month

AWS OpsWorks for Chef Automate

A fully-managed configuration management service that hosts Chef Automate, a suite of automation tools from Chef for configuration management, compliance and security, and continuous deployment.

  • 7500 node hours (which equals 10 nodes) per month

AWS OpsWorks for Puppet Enterprise

A fully-managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management.

  • 7500 node hours (which equals 10 nodes) per month

Amazon Polly

A text-to-speech service that turns text into lifelike speech, allowing you to create applications that talk and to build entirely new categories of speech-enabled products

  • 5 million characters per month

AWS IoT

A managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.

  • 250,000 messages (published or delivered) per month

Amazon Lex

An automatic speech recognition / speech-to-text service for building conversational interfaces into any application using voice and text

  • 10,000 text requests per month; 5,000 speech requests per month

Below is the list of services that are always free (non-expiring).

These free tier offers do not automatically expire at the end of your 12-month AWS Free Tier term and are available to all AWS customers.

Amazon DynamoDB

A fully managed, fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale

  • 25 GB of Storage, 25 Units of Read Capacity and 25 Units of Write Capacity – enough to handle up to 200M requests per month with Amazon DynamoDB.

Amazon Cognito

Add user sign-up, sign-in and access control of web and mobile application users

  • The Your User Pool feature has a free tier of 50,000 MAUs each month; The Federated Identities feature for authenticating users and generating unique identifiers is always free with Amazon Cognito.

(The Your User Pool feature is currently in Beta and you will not be charged for sending SMS messages for Multi-Factor Authentication (MFA) and phone verification. However, separate pricing for sending SMS messages will apply after the conclusion of Beta period.)

AWS CodeCommit

A fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories

  • 5 active users per month; 50 GB-month of storage per month; 10,000 Git requests per month

Amazon CloudWatch

A monitoring service for AWS cloud resources and the applications you run on AWS

  • 10 Amazon Cloudwatch custom metrics, 10 alarms, and 1,000,000 API requests; 5 GB of Log Data Ingestion; 5 GB of Log Data Archive; 3 Dashboards with up to 50 metrics each per month

AWS X-Ray

Analyze and debug production, distributed applications, such as those built using a microservices architecture

  • 100,000 traces recorded per month; 1,000,000 traces scanned or retrieved per month

Amazon Mobile Analytics – Now called Amazon Pinpoint

Engage customers by tracking the ways in which they interact with your applications.

  • 100 million free events per month

AWS Database Migration Service

Migrate databases to AWS quickly and securely

  • 750 Hours of Amazon DMS Single-AZ dms.t2.micro instance usage; 50 GB of included General Purpose (SSD) storage

AWS Storage Gateway

A hybrid storage service that enables your on-premises applications to seamlessly use AWS cloud storage for backup and archiving, disaster recovery, cloud bursting, storage tiering, and migration

  • Up to 100 GB a month free; up to $125 a month maximum charges

Amazon Chime

A communications service for online meetings, video conferencing, calls, chat, and to share content, both inside and outside your organization.

  • Unlimited usage of Amazon Chime Basic

Amazon Simple Workflow Service (SWF)

A task-based API that makes it easy to coordinate work across distributed application components by providing a programming model and infrastructure for coordinating distributed components and maintaining their execution state in a reliable way.

  • 1,000 Amazon SWF workflow executions and a total of 10,000 activity tasks, signals, timers and markers, and 30,000 workflow-days.

Amazon Simple Queue Service (SQS) and Amazon Simple Notification Service (SNS)

SQS is a fully managed message queuing service to decouple and scale microservices, distributed systems, and serverless applications. SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients.

  • 1,000,000 Requests of Amazon Simple Queue Service; 1,000,000 Requests, 100,000 HTTP notifications and 1,000 email notifications for Amazon Simple Notification Service

Amazon Elastic Transcoder

A media transcoding service for developers and businesses to convert (or “transcode”) media files from their source format into versions that will playback on devices like smartphones, tablets and PCs.

  • 20 minutes of SD transcoding or 10 minutes of HD transcoding

AWS Key Management Service

A managed service to create and control the encryption keys used to encrypt your data, which uses Hardware Security Modules (HSMs) to protect the security of your keys

  • 20,000 free requests per month

AWS Lambda

A platform service to run code without provisioning or managing servers

  • 1,000,000 free requests per month; Up to 3.2 million seconds of compute time per month

AWS CodePipeline

A continuous integration and continuous delivery service for application and infrastructure updates. 

  • 1 active pipeline per month

AWS Device Farm

An app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time.

  • Free one-time trial of 1,000 device minutes

AWS Step Functions

A serverless platform service to orchestrate AWS Lambda functions for serverless applications.

  • 4,000 state transitions per month

Amazon SES

A cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails to customers.

  • 62,000 Outbound Messages per month to any recipient when you call Amazon SES from an Amazon EC2 instance directly or through AWS Elastic Beanstalk; 1,000 Inbound Messages per month.

Amazon QuickSight

A business analytics service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get business insights from your data

  • 1 user, 1 GB of SPICE (Super-fast, Parallel, In-memory, Calculation Engine)

Amazon Glacier

A secure, durable cloud storage service for data archiving and long-term backup

  • 10 GB of Amazon Glacier data retrievals per month for free. The free tier allowance can be used at any time during the month and applies to Standard retrievals.

Amazon Macie

A security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

  • 1 GB processed by the content classification engine; 100,000 events

AWS Glue

A fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics

  • 1 Million objects stored in the AWS Glue Data Catalog; 1 Million requests made per month to the AWS Glue Data Catalog

AWS CodeBuild

A fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy

  • 100 build minutes per month of build.general1.small compute type usage

† The following Windows variants are not eligible for the free tier: Microsoft Windows Server 2008 R2 with SQL Server Web, Microsoft Windows Server 2008 R2 with SQL Server Standard, Microsoft Windows 2008 R2 64-bit for Cluster Instances and Microsoft Windows 2008 R2 SQL Server 64-bit for Cluster Instances.

AWS Marketplace offers free and paid software products that run on the AWS Free Tier. If you qualify for the AWS Free Tier, you can use these products on an Amazon EC2 t2.micro instance for up to 750 hours per month and pay no additional charges for the Amazon EC2 instance (during the 12 months).

Refer to this page for more details.