Office365 — A Quick Security Review

Lorenzo Aiello, published in The Startup, Sep 22, 2019

Securing Office 365 can be a daunting task and a constantly moving target. Microsoft recently released a new version of Secure Score in the Microsoft 365 security center. While it is a phenomenal resource, some of the recommended changes come with unclear (or expensive) implementation actions.

This is a quick guide to significantly increasing your Secure Score at no additional licensing cost and with relatively little effort. The click paths below reflect the admin portals as of September 2019; the portals move around, so treat them as a guide to the setting rather than the only way to reach it.

Quick Wins

Requiring MFA for Azure AD Privileged Roles and all users

Requiring multi-factor authentication (MFA) for all Azure Active Directory accounts with privileged roles makes it much harder for an attacker who has obtained a password to use the account. Privileged roles carry higher permissions than ordinary users and include every admin role, such as Global Administrator, SharePoint Administrator or Exchange Administrator. If any of those accounts is compromised, critical devices and data are open to attack.

Requiring MFA for all user accounts helps protect the devices and data those users can reach. Registering more than one authentication method, such as the Microsoft Authenticator app and a phone number, keeps the protection in place if one factor is compromised. Prefer the Authenticator app over SMS or voice calls, which are exposed to SIM swapping and phone-number takeover.

Remediation

Activate the baseline policies through the Azure AD Conditional Access portal to require MFA for all privileged roles and for all users:

  1. Select Baseline policy: Require MFA for admins (Preview)
  2. Select Baseline policy: End user protection (Preview)
  3. Enable each policy ("Use policy immediately")
  4. Save

The baseline policies were a preview feature and Microsoft has since retired them in favour of Security Defaults and ordinary Conditional Access policies; if your tenant no longer shows them, build the equivalent Conditional Access policies instead. Whichever route you take, exclude at least one emergency access (break-glass) account from the MFA policy so that a lost token cannot lock every administrator out.
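To verify that the policy actually covers every administrator, the report below lists privileged accounts that still have no MFA method registered. It is an added example written for this page, not code from the original post, and it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) and an account able to consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph.Reports
# module is installed and the signed-in account can consent to the scopes below.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null

# The registration-details report flags users holding an admin role (IsAdmin)
# and whether they have registered at least one MFA-capable method.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$adminsWithoutMfa = $details |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } }

if ($adminsWithoutMfa) {
    Write-Warning 'Privileged accounts without an MFA method registered:'
    $adminsWithoutMfa | Format-Table -AutoSize
} else {
    Write-Host 'All privileged accounts have an MFA method registered.'
}

# The same report for everyone: useful once the 14-day registration grace
# period of the end-user baseline policy has passed.
$unregistered = @($details | Where-Object { -not $_.IsMfaRegistered })
Write-Host "$($unregistered.Count) user(s) still have no MFA method registered."
$unregistered | Select-Object UserPrincipalName, IsMfaCapable | Format-Table -AutoSize
```

Run it again a day after enabling the policy and after the grace period; an administrator who never completes registration is either a service account that needs a different control or an account that should be disabled.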

Turn on audit data recording

Turning on audit data recording for your Office 365 tenant ensures that you have a record of every user and administrator interaction with the service, including Azure AD, Exchange Online and SharePoint Online/OneDrive for Business. That record makes it possible to scope and investigate a security breach, should one occur. Activity is retained in the unified audit log for 90 days by default; if you need more history, export it to a SIEM (see Consume audit data weekly below) or budget for the longer-retention licensing.

Remediation

Activate audit logging from the audit log search page in the Security & Compliance Center. At the top of the page a banner warns that the functionality is not currently enabled and offers a "Turn on auditing" button; click it. It can take a few hours before events start to appear in searches.
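The same change can be made, and more importantly verified, from Exchange Online PowerShell, which also lets you catch the two ways mailbox auditing can be quietly switched off. This is an added example for this page, not the author's code; it assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account with the Audit Logs role (e.g. a Global Administrator).
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit log ingestion: the switch behind the "Turn on auditing" button.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Propagation can take up to an hour; re-read the setting to confirm it stuck.
    (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
} else {
    Write-Host 'Unified audit log ingestion is already enabled.'
}

# 2. Mailbox auditing is on by default for Exchange Online, but a single
#    organisation-level flag can turn it off tenant-wide.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled tenant-wide; re-enabling it.'
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Individual mailboxes can be excluded from auditing; each one is a blind spot.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
if ($bypassed) {
    Write-Warning 'Mailboxes excluded from audit logging:'
    $bypassed | Select-Object Name, AuditBypassEnabled | Format-Table -AutoSize
}
```

Steps 2 and 3 are the ones an attacker with admin rights would use to blind you before setting up forwarding rules, so they belong in the same weekly review as the audit log itself.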

Block Client Forwarding Rules

Blocking client forwarding rules lets you control automatic email forwarding in your organization. Client-side inbox rules that forward mail to external recipients are an increasingly common data-exfiltration vector: an attacker who phishes one mailbox sets up a rule once and keeps receiving copies of that user's mail long after the password is changed. Turning off auto-forwarding on the default remote domain stops those rules from delivering. Note that it does not stop an attacker who holds an admin account from re-enabling the setting or from creating a new remote domain with auto-forwarding allowed, so the remote domain configuration itself belongs in your periodic review.

Remediation

Disable automatic forwarding on the default remote domain:

  1. Open the Exchange admin center
  2. Go to mail flow
  3. Go to remote domains
  4. Edit the Default remote domain
  5. Uncheck Allow automatic forwarding
  6. Save
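The equivalent from Exchange Online PowerShell, which also catches additional remote domains that still allow forwarding (the admin center steps only touch Default). This is an added example for this page, not the author's code; it assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator account.
Connect-ExchangeOnline -ShowBanner:$false

# Weak state: the built-in "Default" remote domain (namespace "*") ships with
# AutoForwardEnabled = $true, so any inbox rule can forward mail anywhere.
$remoteDomains = Get-RemoteDomain
$remoteDomains | Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize

# Hardened state: disable it on Default and on any other remote domain that
# someone (legitimately or otherwise) created with forwarding allowed.
foreach ($rd in $remoteDomains | Where-Object { $_.AutoForwardEnabled }) {
    Write-Warning "Disabling auto-forwarding on remote domain '$($rd.Name)' ($($rd.DomainName))"
    Set-RemoteDomain -Identity $rd.Identity -AutoForwardEnabled $false
}

# Tenants provisioned after the original post also expose this control in the
# outbound spam policy (AutoForwardingMode: Off / On / Automatic). Set it to
# Off explicitly rather than relying on what "Automatic" means this year.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode | Format-Table -AutoSize
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Keep the `Get-RemoteDomain` listing in your weekly review: a new remote domain with `AutoForwardEnabled` set is exactly what a compromised admin account would add.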

Set outbound spam notifications

Setting Exchange Online outbound spam notifications gives you visibility into when a user has been blocked for sending excessive or spam email. The account is blocked either way; configuring notifications means you are told about it and receive a copy of the message that triggered the block. A blocked account is a strong indication that it has been compromised and is being used to send spam or phishing mail, so treat the notification as an incident trigger rather than a helpdesk ticket.

Remediation

  1. Open the Exchange admin center
  2. Go to protection
  3. Go to outbound spam
  4. Edit the Default policy
  5. Go to outbound spam preferences
  6. Check the option Send a notification to the following email address or addresses when a sender is blocked for sending outbound spam
  7. Provide the email address (ideally a monitored security mailbox, not an individual) to send notifications to
  8. Save
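The same configuration from PowerShell, showing the shipped (weak) state next to the corrected one. This is an added example for this page, not the author's code; it assumes the ExchangeOnlineManagement module, an Exchange administrator account and a placeholder security mailbox `secops@contoso.com`.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module; "secops@contoso.com" is a placeholder for your monitored security mailbox.
Connect-ExchangeOnline -ShowBanner:$false
$notifyTo = 'secops@contoso.com'

# Weak state: the Default policy ships with both notification options off.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, NotifyOutboundSpam, NotifyOutboundSpamRecipients,
                  BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients |
    Format-List

# Corrected state: notify on a block and BCC the suspicious outbound mail so the
# responder sees what was actually sent.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $notifyTo `
    -BccSuspiciousOutboundMail $true -BccSuspiciousOutboundAdditionalRecipients $notifyTo

# Microsoft has since moved these notifications towards the alert-policy
# framework ("User restricted from sending email"). Check that alert is not
# disabled so you are covered whichever mechanism your tenant uses.
Connect-IPPSSession -ShowBanner:$false
Get-ProtectionAlert | Where-Object { $_.Name -like '*restricted from sending*' } |
    Select-Object Name, Disabled, NotifyUser | Format-List
```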

Register all users for multi-factor authentication

Registering all users for multi-factor authentication (MFA) adds a second layer of security to user sign-ins and transactions beyond a username and password. It plays a key role in protecting accounts and in recovering from compromised ones, and offers a range of verification options.

Remediation

If you have enabled the End user protection baseline policy (Require MFA for all users), this check clears automatically after the 14-day grace period users are given to register. Users who have not registered by then are prompted at next sign-in; accounts that never sign in interactively (shared or service accounts) will keep the check open and need to be handled separately.

Store user documents in OneDrive for Business

Storing user documents in OneDrive for Business safeguards content against data loss. Keeping documents only on local client machines leaves them vulnerable to malware such as ransomware that destroys or leaks that data. OneDrive for Business keeps version history and offers Files Restore, which rolls a whole library back to a point in time within the last 30 days, so an encrypted set of synced files can be recovered. The sync client will happily upload encrypted files, which is why the restore capability, not the upload, is what protects you.

Remediation

Uploading a file to any OneDrive account or folder clears the check. The real goal is to have users' working documents synced, for example by enabling OneDrive Known Folder Move so the Desktop and Documents folders are redirected to OneDrive.

Enable self-service password reset

With self-service password reset (SSPR) in Azure AD, users no longer need to call the helpdesk to reset their passwords, which removes a favourite social-engineering target. It works well with Azure AD Password Protection, whose banned password list blocks easily guessable passwords from being chosen. Require users to register at least two authentication methods for SSPR, and review which methods are allowed: the reset channels you permit (phone, email, security questions) become part of your attack surface.

Remediation

  1. In the Azure portal, open Azure Active Directory and go to Password reset
  2. Set Self service password reset enabled to All
  3. Save

Review mailbox forwarding rules weekly

Regularly reviewing mailbox forwarding rules that send mail to external domains keeps you aware of a popular data-exfiltration tactic. A rule created during a brief compromise keeps delivering after the password is reset, so the review is worthwhile even when auto-forwarding is blocked.

Remediation

If you have addressed Block Client Forwarding Rules, this check clears automatically after 24 hours. Blocking delivery does not delete rules that already exist, and it says nothing about rules that forward to internal mailboxes the attacker controls, so keep a periodic inventory of inbox rules regardless.

Review malware detections report weekly

Reviewing the Malware Detections report weekly gives you a sense of the overall volume of malware being targeted at your users. The report shows specific instances of Microsoft blocking malware attachments, which helps you decide whether you need more aggressive malware mitigations.

Remediation

Set up a weekly report to be emailed to you.

  1. Open the Malware Detections Report
  2. Click Create Schedule
  3. Create

Designate more than one global admin, but fewer than five

Having more than one global administrator protects you when a single person is unavailable or unable to fulfil the organization's needs. It is important to have a delegate or an emergency account that someone from your team can use if necessary, and it lets admins watch each other's accounts for signs of a breach.

Reducing the number of global admins limits the number of highly privileged accounts that must be closely monitored. If any of those accounts is compromised, critical devices and data are open to attack. Keeping the count below five reduces that attack surface; day-to-day administration should use narrower roles such as Exchange or SharePoint Administrator rather than Global Administrator.

Remediation

Create a second global admin and keep the total under five. The second account is best treated as a cloud-only emergency access (break-glass) account: a long random password stored offline, excluded from Conditional Access so it still works when a policy misfires, never used for routine work, and alerted on whenever it signs in.
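A check that enumerates the current Global Administrators and tests the count against the window above. This is an added example for this page, not the author's code; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement) and consent to RoleManagement.Read.Directory. It reports active assignments only; PIM-eligible assignments are not included.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK and an account able to consent to the scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

# Role template ID for Global Administrator; it is the same in every tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'" | Select-Object -First 1
if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

# Members can be users, groups or service principals; show the type so a
# group-based assignment (which hides the real head count) stands out.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
    $type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    [pscustomobject]@{
        Type = $type
        Name = if ($type -eq 'user') { $_.AdditionalProperties['userPrincipalName'] }
               else { $_.AdditionalProperties['displayName'] }
        Id   = $_.Id
    }
}
$members | Format-Table -AutoSize

$count = @($members).Count
if ($count -lt 2) {
    Write-Warning "Only $count Global Administrator(s): add a second (break-glass) account."
} elseif ($count -ge 5) {
    Write-Warning "$count Global Administrators: reduce to fewer than five and use scoped admin roles."
} else {
    Write-Host "$count Global Administrators: within the recommended range."
}
```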

Do not expire passwords

Research has found that when periodic password resets are enforced, passwords become less secure: users tend to pick a weaker password and vary it slightly at each reset. A strong password (long, not based on dictionary words or personal details) is just as strong in 60 days as it is today. It is Microsoft's official security position not to expire passwords periodically without a specific reason; pair this with MFA and a banned-password list, and reset a password when there is evidence it has been compromised.

Remediation

  1. In the Microsoft 365 admin center, open Settings and then Security & privacy
  2. Edit Password policy
  3. Toggle Set user passwords to never expire
  4. Save
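The same setting from the Microsoft Graph PowerShell SDK, applied to every verified domain rather than only the one the admin center shows. This is an added example for this page, not the author's code; it assumes the Microsoft.Graph.Identity.DirectoryManagement module and consent to Domain.ReadWrite.All.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK and an account able to consent to Domain.ReadWrite.All.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' | Out-Null

# 2147483647 days is the documented "never expires" value for the domain setting.
$never = 2147483647

foreach ($d in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    if ($d.PasswordValidityPeriodInDays -eq $never) {
        Write-Host "$($d.Id): passwords already set to never expire"
        continue
    }
    Write-Host "$($d.Id): validity $($d.PasswordValidityPeriodInDays) day(s) -> never"
    Update-MgDomain -DomainId $d.Id -PasswordValidityPeriodInDays $never
}

# Re-read to confirm. Directory-synchronised users follow the on-premises
# Active Directory policy instead, so this only affects cloud-only accounts.
Get-MgDomain -All | Where-Object { $_.IsVerified } |
    Select-Object Id, PasswordValidityPeriodInDays | Format-Table -AutoSize
```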

Do not allow calendar sharing

If anonymous calendar sharing is allowed, your users can publish the full details of their calendars to external, unauthenticated recipients; if external sharing is allowed, they can do the same with users in other Office 365 or Exchange organizations. Exposed calendars help an attacker map organizational relationships and pick the moment a specific user is most vulnerable, for example while travelling or on vacation, which is exactly the information a convincing CEO-fraud email needs.

Remediation

  1. In the Microsoft 365 admin center, open Settings and then Services & add-ins
  2. Select Calendar
  3. Uncheck Allow anyone to access calendars with an email invitation
  4. Uncheck Let your users share their calendars with people outside of your organization who have Office 365 or Exchange
  5. Save
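Behind those checkboxes sit Exchange Online sharing policies. The review below lists every policy that still permits anonymous or any-domain calendar sharing; it is an added example for this page, not the author's code, and assumes the ExchangeOnlineManagement module and an Exchange administrator account. The partner domain in the commented command is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator account.
Connect-ExchangeOnline -ShowBanner:$false

# Each sharing policy carries "domain:action" entries. "Anonymous:" entries let
# users publish calendars to unauthenticated recipients; "*:" entries allow
# sharing with users in any external Exchange or Office 365 organisation.
$report = foreach ($policy in Get-SharingPolicy) {
    $risky = @($policy.Domains | Where-Object { "$_" -match '^(Anonymous|\*):' })
    if ($risky.Count -gt 0) {
        [pscustomobject]@{
            Policy    = $policy.Name
            Enabled   = $policy.Enabled
            IsDefault = $policy.Default
            Risky     = ($risky -join '; ')
            All       = ($policy.Domains -join '; ')
        }
    }
}

if ($report) {
    Write-Warning 'Sharing policies that allow anonymous or any-domain calendar sharing:'
    $report | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No sharing policy permits anonymous or any-domain calendar sharing.'
}

# To keep a policy but restrict it to a named partner (placeholder domain), replace
# the Domains list instead of deleting the policy, which mailboxes may reference:
# Set-SharingPolicy -Identity 'Default Sharing Policy' -Domains 'partner.example:CalendarSharingFreeBusySimple'
```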

Do not allow users to grant consent to unmanaged applications

Tighten the security of your services by regulating the access of third-party integrated apps, and allow only the apps you need that support robust security controls. Third-party applications are not created by Microsoft, so they can be used for malicious purposes such as exfiltrating data from your tenant. An attacker who tricks a user into consenting to a malicious app gains a persistent OAuth token for that user's mail and files that survives a password reset and is not challenged by MFA. Note that disabling user consent is not retroactive: grants users have already made stay in place until an administrator reviews and revokes them.

Remediation

  1. In the Microsoft 365 admin center, open Settings and then Services & add-ins
  2. Select Integrated apps
  3. Uncheck Let people in your organization decide whether third-party apps can access their Office 365 information
  4. Save
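The same control, plus the review of existing grants that the checkbox does not give you, from the Microsoft Graph PowerShell SDK. This is an added example for this page, not the author's code; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules and consent to Policy.ReadWrite.Authorization and Directory.Read.All.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK and an account able to consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Directory.Read.All' | Out-Null

# Weak state: the legacy policy "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
# lets any user consent to any app for any delegated permission. An empty list
# means users cannot consent at all and an administrator must approve each app.
$policy = Get-MgPolicyAuthorizationPolicy
$assigned = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host ('User consent policies currently assigned: ' + $(if ($assigned) { $assigned -join ', ' } else { '<none>' }))

# Existing grants made by individual users (ConsentType 'Principal'). Review these
# before and after the change; the change itself does not revoke them.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App         = $sp.DisplayName
            Publisher   = $sp.PublisherName
            Scope       = $_.Scope
            PrincipalId = $_.PrincipalId
            GrantId     = $_.Id
        }
    } | Sort-Object App | Format-Table -AutoSize -Wrap

# Hardened state: no user consent. Pair this with the admin consent workflow so
# legitimate requests still reach an administrator instead of being silently blocked.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Revoke a grant you have judged malicious (use a GrantId from the table above):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId>'
```

Grants whose scope includes `Mail.Read`, `Mail.ReadWrite`, `Files.Read.All` or `offline_access` from an unverified publisher are the ones to chase first.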

Allow anonymous guest sharing links for sites and docs

Allowing anonymous guest sharing links for SharePoint Online sites and documents dissuades users from finding riskier ways of sharing, such as personal cloud storage or email attachments, that you cannot see at all. There are inherent risks, but within SharePoint you can monitor for signs of exfiltration by an attacker, set link expiry (next section) and educate users on the risks of sharing anonymously.

Remediation

  1. Open the SharePoint admin center
  2. Go to sharing
  3. Go to Sharing outside your organization
  4. Select Allow users to invite and share with authenticated external users
  5. Save

Configure expiration time for external sharing links

Restricting how long anonymous access links stay valid limits the avenues into your organization. Even if a user account is compromised only briefly, an attacker retains access to sensitive documents if an anonymous sharing link was sent to an external account. Business partners' external accounts can be compromised too, so an attacker may obtain anonymous links long after the data was shared. An expiry caps that window.

Remediation

If you have addressed Allow anonymous guest sharing links for sites and docs, this check clears automatically after 24 hours. If you do choose to permit anonymous links, set an explicit expiry and restrict anonymous links to view-only so a leaked link cannot be used to plant or alter files.
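Both the sharing level and the link-expiry setting live on the SharePoint Online tenant object. The script below reads them, maps the sharing levels to the admin center labels used in the steps above, and enforces an expiry and view-only links wherever anonymous links are allowed. It is an added example for this page, not the author's code; it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator, and `contoso` is a placeholder tenant name.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell); "contoso" is a placeholder.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$t = Get-SPOTenant
$t | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays,
                   DefaultSharingLinkType, FileAnonymousLinkType, FolderAnonymousLinkType | Format-List

# SharingCapability, from most to least restrictive:
#   Disabled                        - no external sharing
#   ExistingExternalUserSharingOnly - only guests already in the directory
#   ExternalUserSharingOnly         - "invite and share with authenticated external users" (step 4 above)
#   ExternalUserAndGuestSharing     - authenticated users plus anonymous links
switch ($t.SharingCapability) {
    'ExternalUserAndGuestSharing' {
        # Anonymous links exist: never let them live indefinitely (-1 = no expiry)
        # and never let them edit.
        if ($t.RequireAnonymousLinksExpireInDays -lt 1 -or $t.RequireAnonymousLinksExpireInDays -gt 30) {
            Write-Warning "Anonymous link expiry is $($t.RequireAnonymousLinksExpireInDays); setting 30 days."
            Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
        }
        if ($t.FileAnonymousLinkType -ne 'View' -or $t.FolderAnonymousLinkType -ne 'View') {
            Set-SPOTenant -FileAnonymousLinkType View -FolderAnonymousLinkType View
        }
    }
    'Disabled' {
        Write-Warning 'External sharing is fully disabled; watch for users routing around it.'
    }
    default {
        Write-Host "Sharing level '$($t.SharingCapability)': no anonymous links, nothing to expire."
    }
}

# The admin-center option chosen in step 4 corresponds to:
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly
```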

Involved Remediation

Consume audit data weekly

Consume your audit data at least weekly, either through the audit log search page or by pulling it through the Office 365 Management Activity API into a SIEM. Shipping it to a SIEM also gets you past the 90-day retention of the unified audit log. This data supports a wide range of detection, breach-scoping and investigation work; the queries worth running every week are the ones that catch the tactics in this guide: new inbox rules, mailbox forwarding changes, non-owner mailbox access, new app consents and changes to the audit configuration itself.

Remediation

If you have addressed Turn on audit data recording (above), this check clears automatically after 24 hours. Clearing the check only means the log is being written; the weekly review still has to happen.

No transport rule to external domains

Prohibiting mail forwarding to domains outside your organization prevents attackers from using rules to exfiltrate data. Organization-wide mail flow (transport) rules in Exchange Online can both enforce this and, in the wrong hands, undermine it: a rule that redirects, BCCs or adds an external recipient is a tenant-wide forwarding rule that survives any individual password reset.

Remediation

There is no one-click remediation for this beyond reviewing the rules manually.

To review the current rules:

  1. Open the Exchange admin center
  2. Go to mail flow
  3. Go to rules
  4. Review every rule; look for actions that redirect the message, BCC it, or add a recipient, and check whether any of those targets is outside your accepted domains

Do not use mail flow rules that bypass anti-spam protection

Mail flow rules (also known as transport rules) identify and take action on messages that flow through your Exchange Online organization. They can also be used to bypass anti-spam filtering for all senders or specific senders in a domain (the rule condition identifies the senders; the rule action sets the message spam confidence level (SCL) to bypass spam filtering). However, sender email addresses are easily spoofed by bad actors for phishing and spamming, particularly easily-guessed or publicly-known email addresses. And, you should never allow your own domain or the domains of free email services (for example, gmail.com or outlook.com) to bypass anti-spam filtering.

Remediation

There is no one-click remediation for this beyond reviewing the rules manually.

To review the current rules:

  1. Open the Exchange admin center
  2. Go to mail flow
  3. Go to rules
  4. Review every rule; look for the action Set the spam confidence level (SCL) to Bypass spam filtering (SCL -1), and check which senders or domains the rule's conditions match
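A script that performs both reviews in one pass, for this section and the previous one: it flags transport rules whose actions deliver mail to external addresses and rules that set SCL -1, with extra emphasis when the bypass covers your own domains or free-mail providers. This is an added example for this page, not the author's code; it assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator account.
Connect-ExchangeOnline -ShowBanner:$false

$accepted = (Get-AcceptedDomain).DomainName
$freeMail = 'gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com'

$findings = foreach ($rule in Get-TransportRule -ResultSize Unlimited) {
    $notes = @()

    # Recipient-adding actions: redirect, BCC, CC and To. Anything outside an
    # accepted domain is a tenant-wide forwarding rule.
    $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) + @($rule.CopyTo) + @($rule.AddToRecipients) |
        Where-Object { $_ } | ForEach-Object { "$_" }
    $external = $targets | Where-Object { $accepted -notcontains ($_ -split '@')[-1] }
    if ($external) { $notes += "delivers to external: $($external -join ', ')" }

    # SCL -1 means "trusted, skip spam filtering". Sender-based conditions are
    # trivially spoofed, and allow-listing your own or free-mail domains is
    # never justified.
    if ($rule.SetSCL -eq -1) {
        $senders = @($rule.SenderDomainIs) + @($rule.From) | Where-Object { $_ } | ForEach-Object { "$_" }
        $bad = $senders | Where-Object {
            $domain = ($_ -split '@')[-1]
            $accepted -contains $domain -or $freeMail -contains $domain
        }
        $note = 'bypasses spam filtering (SetSCL -1)'
        if ($bad)        { $note += " for own/free-mail senders: $($bad -join ', ')" }
        elseif (-not $senders) { $note += ' with no sender condition at all' }
        $notes += $note
    }

    if ($notes) {
        [pscustomobject]@{
            Rule     = $rule.Name
            State    = $rule.State
            Priority = $rule.Priority
            Findings = ($notes -join '; ')
        }
    }
}

if ($findings) { $findings | Sort-Object Priority | Format-Table -AutoSize -Wrap }
else           { Write-Host 'No transport rule forwards externally or bypasses spam filtering.' }
```

Run it as part of the weekly audit review and diff the output against last week's; a new high-priority rule with either finding is worth treating as an incident until explained.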

Review mailbox access by non-owners bi-weekly

Regularly reviewing mailbox access by non-owners (delegates and administrators) can surface malicious activity: an attacker who has added themselves as a delegate, or an admin account being used to read other people's mail, shows up here when nothing else does.

Remediation

There is no one-click remediation for this beyond running the report regularly.

To run the report:

  1. Open the non-owner mailbox access report (Exchange admin center, compliance management, auditing)
  2. Set the date range to cover the period since your last review (two weeks)
  3. Set Search for access by to All non-owners
  4. Search, and follow up on any delegate or admin access the mailbox owner cannot explain
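The report above and the weekly audit consumption described earlier can be driven from the same place, the unified audit log. The script below pages through `Search-UnifiedAuditLog` once and pulls out the two things worth reading every week or two: inbox-rule and mailbox-forwarding changes, and mailbox item access where the logon type is not the owner. It is an added example for this page, not the author's code, and it assumes the ExchangeOnlineManagement module and an account with the View-Only Audit Logs or Audit Logs role.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account holding the (View-Only) Audit Logs role.
Connect-ExchangeOnline -ShowBanner:$false

function Get-AuditRecords {
    # Search-UnifiedAuditLog returns at most 5000 records per call; page with a
    # session ID until a page comes back short.
    param([datetime]$Start, [datetime]$End, [string[]]$Operations, [string]$RecordType)
    $session = [guid]::NewGuid().ToString()
    do {
        $params = @{ StartDate = $Start; EndDate = $End; SessionId = $session
                     SessionCommand = 'ReturnLargeSet'; ResultSize = 5000 }
        if ($Operations) { $params.Operations = $Operations }
        if ($RecordType) { $params.RecordType = $RecordType }
        $page = @(Search-UnifiedAuditLog @params)
        $page
    } while ($page.Count -eq 5000)
}

$end   = Get-Date
$start = $end.AddDays(-14)

# 1. Inbox rules and mailbox-level forwarding created or changed by anyone
#    (Outlook on the web / PowerShell / admin), regardless of who did it.
$ruleOps = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
Get-AuditRecords -Start $start -End $end -Operations $ruleOps | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    $paramNames = @($d.Parameters | ForEach-Object { $_.Name })
    # Set-Mailbox is noisy; keep it only when a forwarding attribute was touched.
    if ($d.Operation -eq 'Set-Mailbox' -and -not ($paramNames -match 'Forwarding')) { return }
    [pscustomobject]@{
        When      = $_.CreationDate
        Actor     = $_.UserIds
        Operation = $d.Operation
        Target    = $d.ObjectId
        Params    = (@($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ')
        ClientIP  = $d.ClientIP
    }
} | Format-Table -AutoSize -Wrap

# 2. Mailbox item access by non-owners: LogonType 1 = Admin, 2 = Delegate (0 = Owner).
Get-AuditRecords -Start $start -End $end -RecordType ExchangeItem |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.LogonType -in 1, 2 } |
    Select-Object CreationTime, UserId, MailboxOwnerUPN, Operation, LogonType, ClientIPAddress |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Feed the same two queries to a SIEM and alert on them rather than waiting for the weekly run: a `New-InboxRule` with a forwarding target, created from an IP address the user has never signed in from, is a high-confidence compromise signal.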

Do not use mail forwarding rules to external domains

Setting up mail forwarding rules to external domains is a popular data-exfiltration tactic: the attacker needs only a few minutes of access to create a rule, and the rule keeps delivering copies of the victim's mail after the password is changed. Users rarely notice unless they go looking, and attackers often mark forwarded items as read or delete them. To make your data less vulnerable to exfiltration, do not allow forwarding rules to external domains.

Remediation

There is no one-click remediation for this beyond reviewing the rules manually. Note that the Exchange admin center's mail flow rules page shows only organization-wide transport rules; user inbox rules are stored per mailbox and are not listed there. To see them you need the audit log (the New-InboxRule and Set-InboxRule operations), Get-InboxRule from Exchange Online PowerShell, or the user's own Outlook rules dialog.

To review the current rules:

  1. Open the Exchange admin center
  2. Go to mail flow, then rules, and confirm no transport rule forwards, redirects or BCCs mail to external addresses
  3. For inbox rules, check each mailbox's rules (or the audit log) for actions that forward, forward as attachment, or redirect to an address outside your accepted domains
  4. Also check each mailbox's forwarding settings, which an administrator (or an attacker with admin rights) can set without any rule at all
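A script for the per-mailbox review, covering both this section and Review mailbox forwarding rules weekly: it walks every user mailbox, inspects its inbox rules and its mailbox-level forwarding address, and reports any destination outside your accepted domains. This is an added example for this page, not the author's code; it assumes the ExchangeOnlineManagement module and an Exchange administrator account. Get-InboxRule is called once per mailbox, so on a large tenant expect the run to take a while.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator account.
Connect-ExchangeOnline -ShowBanner:$false

$accepted = (Get-AcceptedDomain).DomainName

function Select-ExternalAddress([string[]]$Addresses) {
    # Rule recipients arrive as '"Name" [SMTP:user@domain]' or as plain addresses;
    # ForwardingSmtpAddress arrives as 'smtp:user@domain'. Return only the external ones.
    foreach ($a in $Addresses) {
        $smtp = if ($a -match 'SMTP:([^\]]+)') { $Matches[1] } else { $a }
        if ($accepted -notcontains ($smtp -split '@')[-1]) { $smtp }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding: no rule needed, set by anyone with admin rights.
    if ($mbx.ForwardingSmtpAddress) {
        $ext = Select-ExternalAddress $mbx.ForwardingSmtpAddress
        if ($ext) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'ForwardingSmtpAddress'
                               Rule = '-'; Target = ($ext -join ', '); Enabled = $mbx.DeliverToMailboxAndForward }
        }
    }
    # Inbox rules with a forwarding or redirecting action.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { "$_" }
        $ext = Select-ExternalAddress $targets
        if ($ext) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                               Rule = $rule.Name; Target = ($ext -join ', '); Enabled = $rule.Enabled }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { Write-Host 'No external forwarding found in inbox rules or mailbox settings.' }

# Once a rule is confirmed malicious, remove it and reset the user's sessions
# (placeholder identity shown):
# Remove-InboxRule -Mailbox user@contoso.com -Identity 'Rule name'
```

Rules with innocuous names (".", "Invoice", a single space) that also move messages to RSS Feeds or Deleted Items are the classic pattern; the disabled ones are worth a look too, since an attacker can re-enable a rule in one call.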

There are nearly 140 other checks available, but many of them have negligible score impact or drive additional licensing and cost discussions. To download a security report for your Office 365 tenant (including your Secure Score), check out the Monitoring and Reporting docs.

Originally published at https://lorenzo.aiello.family on September 22, 2019.


I am a cloud engineer and developer who practices DevOps while helping to innovate solutions to new and existing challenges.