This is the second in a series of articles on the Office 365 Secure Score feature. In the first article I covered the basic interface and usage of the Secure Score feature. In this article I will review it more in-depth and cover the practicality of the recommendations present in the ‘Tasks’ section. What does this mean? It means we are going to dive into as many tasks in-depth and examine them in-depth as well as determine what it actual means to put the item in place.
Tasks
As we saw in the previous article, there is a list of tasks that Microsoft provides the Office 365 tenant administrator to assist them in securing their tenant to a greater degree than is the default or maybe even beyond the admins own knowledge level. The tasks listed in this article may or may not match what you see in your tenant.
Each task in the list expands to provide more information on the issue identified by Microsoft:
In the expanded version of the task we get access to some new information in the form of a summary on the left and on the right some properties of the task – Category, User Impact, Implementation Cost and Action Score. Additionally we see the threat that is being mitigate [‘Data Exfiltration’ in this case] and a link to what that means. Below that we have three more links – Learn More, Ignore or Third Party. If we click on ‘Learn More’ an information box appears with a more detailed description of the change being made:
The explanation provided here is provided at a technical, but not in-depth technical, informational level. Now, if you are satisfied with the explanation and believe it will help with securing your Office 365 tenant, go ahead and click on the ‘Apply’ button at the bottom. This will enable the current feature in your Office 365. When it is complete, you should receive a notification that it’s complete and that you will receive points for your Secure within 24 hours:
There is also a button called ‘MORE’ which is essentially a shortcut to the admin page where this feature can be configured – HERE for this check.Going back to the main screen for this particular task, there are two other options that can be selected, Ignore and Third Party, in either case, the task is no longer counted in your security score and any point that were awarded are removed. You will also see this as the setting change is made:
If you’ve decided to allow the task to be completed by this wizard, then a new Transport rule will appear in Exchange Online like so:
In terms of whether the task is practical and/or necessary I would have to say that this particular one is worth is and the configuration itself is made quite easy with this feature. I would recommend applying this one if you would to prevent auto-forwarding of emails outside of your Exchange Online tenant.Other Tasks
Now that we’ve reviewed the general expectations from one particular task, let’s review as many tasks as we can.
—————————————————————————————————————————————————————-
Enable MFA for all global admins
According to Microsoft
“You should enable MFA for all of your admin accounts because a breach of any of those accounts can lead to a breach of any of your data.”
Microsoft considers this to be of high importance and has assigned 50 pts. to this task alone.
Threats – Account Breach and Elevation of privilege
My thoughts
This change will only affect your Global Admins for your Office 365 tenant and no end-users will be affected by the change. The second factor is typically a code that is sent via txt to a cell phone registered to that user and then entered when prompted. This change is worth it, however it may cause issues with those using PowerShell programmatically with no way to enter the second authentication information. Possible scenarios for this are Quest migration tools and running scheduled PowerShell scripts against Office 365 workloads.
Clicking on ‘Launch Now’ for this feature takes you right to the MFA configuration in Azure AD – MFA Page. Quite convenient and no need to dig into Azure AD to find this to enable it.
Recommendation
Although it will not work for 100% of your Office 365 scenarios, I would enable MFA for as many Global Admins as you can, if not all of them.—————————————————————————————————————————————————————-
Enable MFA for all users
According to Microsoft
“You should enable MFA for all of your user accounts because a breach of any of those accounts can lead to a breach of any data that user has access to.”
Microsoft considers this to be of high importance and has assigned 30 pts. to this task.
Threats – Account Breach and Elevation of privilege
My thoughts
This is one of those features that can turn into a double-edge sword. Adding a layer of security to protect end-users from a data breach is generally considered a good idea. However, this change will disrupt an end-users normal flow when logging into apps for Office 365. They will have to use the second factor of authentication every day. While some organizations can require this for auditing or compliance reasons, most organizations may see this change as overkill for regular user accounts.
Clicking on ‘Launch Now’ for this feature takes you right to the MFA configuration in Azure AD – MFA Page. Quite convenient and no need to dig into Azure AD to find this to enable it.
Recommendation
If your users can be trained and adjust to the extra login step, then setting this feature up would be worth it.—————————————————————————————————————————————————————-
[Not Scored] Enable audit data recording
According to Microsoft
“You should enable audit data recording for your Office 365 service to ensure that you have a record of every user and administrator’s interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should it ever occur. ”
Microsoft has assigned this one at 15 total points, making it a lower importance than previously reviewed tasks.
Threats – Account Breach, Data Exfiltration, Data Deletion, Elevation of Privilege, Malicious Insider
My thoughts – As this turns on auditing of all User and Admin activity and is enabled in the service (i.e. no extra load or end user impact, it’s hard to argue against enabling this feature. The auditing is useful for determining what your admins are doing in your tenant as well as what the end users are doing. You can even review end user activity and check security information relating to password changes.
Recommendation
I would recommend enabling this feature because of its added benefits in your tenant.
—————————————————————————————————————————————————————-
Review signs-ins after multiple failures report weekly
According to Microsoft
“You should review the Azure AD Sign-ins after multiple failures report at least every week. This report contains records of accounts that have successfully signed-in after multiple failures, which is an indication that the account has a cracked password. ”
Microsoft has assigned this one at 15 total points, making it a lower importance than some other tasks.
Threats – Account Breach, Password Cracking
My thoughts
Certainly an easy requirement to meet. The key thing is that this requirement needs to be met on a weekly basis. One can assume that if the information is not reviewing in that week timeframe, the Secure Score report would drop 15 points.
Recommendation
Put this on a weekly reminder or bi-weekly reminder so that you get the points and so that your environment is monitored that much closer. So, this is a recommended action to take.—————————————————————————————————————————————————————-
[Not Scored] Set outbound spam notifications
According to Microsoft
“You should set your Exchange Online Outbound Spam notifications to copy and notify someone when a sender in your tenant has been blocked for sending excessive or spam emails. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails to other people.”
Microsoft has assigned this one at 15 total points, making it a lower importance than some other tasks.
Threats – Account Breach, Phishing/Whaling, Spoofing
My thoughts
Any feature or automatic function that helps with outgoing or incoming SPAM is welcome. In this case a notification for excessive outbound SPAM is key to alerting an admin to a possible issue with a user’s account.
Recommendation
Turn this feature on for sure, it’s an easy 15 points.
—————————————————————————————————————————————————————
Review sign-ins from unknown sources report weekly
According to Microsoft
You should review the Azure AD Sign-Ins from Unknown Sources Report at least every week. This report contains records of accounts that have signed-in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network). This isn’t necessarily bad, but it is relatively rare, and could be an indication of a breached account.
Microsoft has assigned this one at 10 total points, making it a low importance.
Threats – Account Breach
My thoughts
Another no brainer. It’s a report. Read it.
Recommendation
Again, it’s a serious no brainer. 10 easy points for your Secure Score.
—————————————————————————————————————————————————————-
Review signs-ins from multiple geographies report weekly
According to Microsoft
“You should review the Azure AD Signs-ins from Multiple Geographies Report at least every week. This report contains records of successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. This isn’t necessarily bad, and there are several potential causes including sharing passwords, using VPNs, or using devices with unusual IP addresses. You should still be aware of the sources of these as it can be a very clear indication of a breached account. ”
Microsoft has assigned this one at 10 total points, making it a low importance.
Threats – Account Breach
My thoughts
Even if you are a small company, this report should be reviewed for any suspicious activity.
Recommendation
Again, it’s a serious no brainer. 10 easy points for your Secure Score.
—————————————————————————————————————————————————————-
Review role changes weekly
According to Microsoft
“You should review user role group changes at least every week. There are several ways you can do this, including simply reviewing the list of users in different administrative role groups in the Office 365 Admin Portal, or by reviewing role administration activity in the last week from the Audit Log Search. You should do this because you should watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful things in your tenancy. ”
Microsoft has assigned this one at 10 total points, making it a low importance.
Threats – Account Breach, Elevation of Privilege
My thoughts
This one will take a bit more work than the past couple of tasks. It will require you to do one of two things: (1) Have a previous list of Global Admins / other admins and compare that to what is currently configured or (2) Run an Admin Audit log report looking for these changes. Perhaps the easiest ways to do this is to run a scheduled task that exports this to a weekly report for review. The included ‘Review’ for this feature only takes you to the lists of users in your organization. So the trigger for this task is not obvious and it is possible that the PowerShell script may not be enough.
Recommendation
This is worth the effort and should be put on your task list.
—————————————————————————————————————————————————————-
Store user documents in OneDrive for Business
According to Microsoft
“You should store user documents in OneDrive for Business because it safeguards this content against data loss.”
Microsoft has assigned this one at 10 total points, making it a low importance.
Threats – Data Exfiltration, Data Deletion
My thoughts
While I understand Microsoft would love you to use all of the workloads in Office 365, I don’t necessarily agree that this is a good ‘security’ decision. This doesn’t mean that using One Drive is bad or the wrong thing to do or that it might make your users more productive. Once Drive is just a file storage in the cloud. It has its limitations. It has had client issues in the past and is not perfect. Administrative tools are not complete and could use a serious revamp. Storing files on-premises is not a bad idea. While there is the risk of data leaks and ransomware, these can be mitigated/eliminated with proper administration. The tools available for reporting/administration/management are much more sophisticated as of now for files on-premises.
Recommendation
I don’t either recommend or not recommend this feature. Using One Drive for your organization is a decision that needs to be planned for and then executed properly while realizing the caveats of moving to a cloud storage platform.—————————————————————————————————————————————————————-
[Not Scored] Enable Information Rights Management (IRM) services
According to Microsoft
“You should enable IRM services so that your users can implement encryption and data leakage policies on specific documents and emails. This will make it more difficult for an attacker to steal valuable data.”
Microsoft has assigned this one at 10 total points, making it a low importance.
Threats – Data Spillage, Data Exfiltration
My thoughts
If you have the proper licensing for this and have data that needs to be protected, then this is an option that should be pursued. With regulations that are either in process or in place today, having a way to control and protect your data and corporate information is paramount and may save you fines down the road.
** Note ** The ‘Launch Now’ button takes you to Rights Management from the main Admin page in your Office 365 tenant.
Recommendation
If you have the licensing for this feature and have sensitive data to protect in One Drive, SharePoint or email, enabling this is a must.—————————————————————————————————————————————————————-
Use audit data
According to Microsoft
“You should consume your audit data either through the audit log search or through the Activity API to a third party security information system at least every week. This data enables a wide range of illicit activity detection and security breach scoping and investigation capabilities. Consuming and reviewing it regularly makes it less likely that an attacker will operate in your tenancy undetected for long periods of time.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Data Deletion, Elevation of Privilege, Malicious Insider
My thoughts
Office 365 provides this for free and is a valuable resource for monitory activity in your Office 365 tenant. Any responsible admin should use logging on-premises or in Office 365. The fact that it takes so little to setup (just enable it) and costs your or your internal resources ‘0’ to maintain it would seem to be a smart task to add to your list of management / monitoring tasks.
** Note ** Clicking on review takes you to the same Audit Log Search https://protection.office.com/#/unifiedauditlog page as we used to enable auditing to begin with.
Recommendation
Absolutely this should be monitored for your tenant.
—————————————————————————————————————————————————————-
Do not use transport rule to external domains
According to Microsoft
“You should set your Exchange Online mail transport rules to not forward mail to domains not registered in your tenancy. Attackers will often create these rules to exfiltrate data from your tenancy.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage, Malicious Insider
My thoughts
I can see the benefits of not having transport rules forwarding emails to external email addresses. It would take some effort for an external attacker to find the rule that would allow for this, but it could happen. That being said, I don’t think this is a big deal necessarily and to be honest, I haven’t run into any clients that have this sort of rule set up.
Recommendation
I would recommend removing any of these transport rules. If a rule is needed for business reasons, it should be reviewed to see if there are other options available.—————————————————————————————————————————————————————-
Do not use transport white lists
According to Microsoft
“You should set your Exchange Online mail transport rules to not whitelist specific domains. Doing so bypasses regular malware and phish scanning, which can enable an attacker to launch attacks against your users from a safe haven domain”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Phishing/Whaling, Spoofing
My thoughts
I am of a mixed opinion on this one as whitelisting is a fact of life. The one caveat to this is I think Microsoft wants to restrict the whitelisting to individual email address versus a carte blanche whitelisting of an entire domain. While I can understand Microsoft’s point, the flip side is if a lot of email addresses from one domain need whitelisting, then whitelisting a domain might be the best solution.
Recommendation
The recommendation here is a maybe simply because of the two choices that need to be made. If you can use the restrictive single email address whitelisting, that would be ideal. However, if an entire domain needs to be whitelisted, do so understanding the caveats Microsoft’s expresses.—————————————————————————————————————————————————————-
Review mailbox forwarding rules weekly
According to Microsoft
“You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users’ email is not being exfiltrated. ”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Malicious Insider
My thoughts
Add this one to your weekly task list. This way you won’t be surprised to find what mailboxes are forwarding to where.
Recommendation
Do this one for sure. Make it one of your tasks. No question.
—————————————————————————————————————————————————————-
Review mailbox access by non-owners report bi-weekly
According to Microsoft
“You should review the Mailbox Access by Non-Owners report at least every other week. This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time, and can help discover malicious insider activity sooner. ”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Malicious Insider
My thoughts
Typically this sort of action is performed by a security team or security person, depending on your company. However, for a smaller IT shop, this would just be another weekly task for the Office 365 Administrator. Having been a part of a few forensic investigations, the more information you have to uncover things, the better it is for yourself and for your employer.
Recommendation
Do it. Add it to your weekly lists.
—————————————————————————————————————————————————————-
Review malware detections report weekly
According to Microsoft
“You should review the Malware Detections report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn’t strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigations.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Phishing/Whaling
My thoughts
Like your antivirus reporting PCs and Servers, having a malware report for your messaging environment is ideal. There should be no doubt that an Office 365 admin should review these reports on a constant basis.
Recommendation
Do it. Add it to your weekly lists.
—————————————————————————————————————————————————————-
Designate more than one global admin
According to Microsoft
“You should designate more than one global tenant administrator because that one admin can perform malicious activity without the possibility of being discovered by another admin. We found that you have 1 admins designated. If you designate at least two admins (but not more than five), your score will go up points.”
Microsoft has assigned this one at 2 total points, making it a low importance.
Threats – Malicious Insider
My thoughts
While in most security cases we would want to limit admin is with all rights to an environment, having a single account with all the rights is a bad idea as well. So the recommendation for more than one account with Global Admin rights is a valid task to perform.
Recommendation
Highly recommended. If you have this task, do it now.
—————————————————————————————————————————————————————-
Do not use mail forwarding rules to external domains
According to Microsoft
“You should not use mail forwarding rules to forward user mail to external domains. While there are some legitimate uses, attackers will often create these rules to exfiltrate data from your tenancy.”
Microsoft has assigned this one at 1 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Malicious Insider
My thoughts
This is similar to the task for no transport rules forwarding to external domains, this task is defined for forwarding on mailboxes to external domains. However, as Microsoft expresses in the task description above, there are some legitimate reasons for these. These business cases should be evaluated on a case by case basis to see if there are other solutions.
Recommendation
I rate this a maybe as it will depend on what your needs are as a company. As Microsoft has rated this 1 point, I would certainly put this lower on your priority list.—————————————————————————————————————————————————————-
SPO Sites have classification policies
According to Microsoft
“You should setup and use SharePoint Online data classification policies on data stored in your SharePoint Online sites. This will help categorize your most important data so that you can effectively protect it from illicit access, and will help make it easier to investigate discovered breaches.
Microsoft has assigned this one at 10 total points, making it a medium importance.
Threats – Data Exfiltration, Data Spillage, Malicious Insider
My thoughts
If you have someone that can work to classify data (internally or a consultrant), then this is a task worth pursuing. If only for the benefit of knowing the importance of data stored in SharePoint, that effort is alone worth it. Combined with DLP or other rights management policies, the classifications become a powerful tool for data control against leakage and loss.
Recommendation
If you are able to, this should be on your list of tasks to complete.
—————————————————————————————————————————————————————-
Review sign-in devices report weekly
According to Microsoft
“You should review your device sign-in report weekly. You should do this to look for anomalous or new device sign-ins from potentially breached user accounts.”
Microsoft has assigned this one at 10 total points, making it a medium importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
Depending on what is deployed for device management, this could be a value task to perform. IF you are using MDM or InTune, then you may already be restricting new devices or device sign-ins.
Recommendation
If you are not using an MDM solution then perhaps this report will help you spot something that is new and may not be one of your users devices. IF you have MDM, obviously use it to control access and use the reports for validation of you efforts to control access.—————————————————————————————————————————————————————-
Do not allow anonymous calendar sharing
According to Microsoft
“You should not allow anonymous calendar sharing. This feature allows your users to share the full details of their calendars with external, unauthenticated users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.”
Microsoft has assigned this one at 10 total points, making it a medium importance.
Threats – Data Spillage
My thoughts
I find this feature useful for sharing a calendar with an external entity or person. While I understand Microsoft’s contention that this information could be used for reconnaissance or nefarious activities. It’s my opinion that there can be some legitimate usages for anonymous calendar sharing. Should everyone be able to do this, probably not, but should be available for true business cases.
Recommendation
If you can, don’t use this feature based on Microsoft’s real world recommendations. However, this should prevent you from doing so if there is a true business for this feature.—————————————————————————————————————————————————————-
Do not allow external domain skype communications
According to Microsoft
“You should not allow your users to communicate with Skype users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat in that those external users will now be able to interact with your users over Skype for Business. Attackers may be able to pretend to be someone your user knows, and then send malicious links or attachments, resulting in an account breach, or leaked information.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
I find this recommendation a bit odd. As a consultant, I find that being able to communicate with my clients who use a variety of domains to be a great resource to have at my disposal. In fact, almost every company I’ve used Skype or Lync with has enabled external sharing.
Recommendation
I rate this one as a no. While I understand the tradeoff involved in the anonymous sharing, I also see real world use of allowing anonymous sharing.—————————————————————————————————————————————————————-
Review account provisioning activity report weekly
According to Microsoft
“You should review your account provisioning activity report at least weekly. This report includes a history of attempts to provision accounts to external applications. If you don’t usually use a third party provider to manage accounts, any entry on the list is likely illicit. But, if you do, this is a great way to monitor transaction volumes, and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Elevation of Privilege, Malicious Insider
My thoughts
Going to keep this one simple. It’s a report and one that should be checked. Add this to your weekly checklist.
Recommendation
Add it to your to do’s!
—————————————————————————————————————————————————————-
Review non-global administrators weekly
According to Microsoft
“You should review non-global administrator role group assignments at least every week. While these roles are less powerful than a global admin, they do grant special privileges that can be used illicitly. If you see something unusual contact the user to confirm it is a legitimate need.
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Elevation of Privilege, Malicious Insider
My thoughts
Same as the previous one. Any sort of report, even for slightly elevated granted permissions, should be reviewed.
Recommendation
Add it to your to do’s!
—————————————————————————————————————————————————————-
Do not allow calendar details sharing
According to Microsoft
“You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Data Spillage
My thoughts
For most scenarios, sharing all of your calendar’s free busy is a bad idea. In select scenarios where you are sharing information with a sister company, subsidiary, partner or other trusted entity, this option makes sense. There is a middling ground where the setting can be changed to simply Free/Busy with no details shared beyond that.
Recommendation
This recommendation ends up in the ‘Maybe’ pile. Most cases this should be off or if necessary change the sharing to Free/Busy only.—————————————————————————————————————————————————————-
IRM protections applied to documents
According to Microsoft
“You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy. ”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
If your Office 365 tenant has any confidential data or documents or intellectual property stored in it, enabling IRM is THE way to go. The same applies to securing emails. Enable the Encryption or making use or IRM for certain emails is a good thing in Office 365.
Recommendation
This one is a definite if you have emails, documents, etc that need to be protected from being copied or leaked outside your company.—————————————————————————————————————————————————————-
IRM protections applied to email
According to Microsoft
“You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
Like the previous recommendation for using IRM for documents and files in Office 365, securing your emails can be just as important. Maybe you have emails that need to remain internal or perhaps they need to be blocked from printing, forwarding and more. IRM is the solution for this. If you have the licensing for these features, investing time in applying this functionality is worth it.
Recommendation
Again, if you have licensing for this, do it. Secure your emails and prevent potential data leakage.
—————————————————————————————————————————————————————-
Configure expiration time for external sharing links
According to Microsoft
“You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account and then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared.
Microsoft has assigned this one at 2 total points, making it a very low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
This setting is for your SharePoint links that are being shared out anonymously. The links could be shared with internal personnel, but are more likely to be shared with people that are outside of your organization. Tweaking the default expiration from infinite (no expiration of days) to something more realistic like 30, 90 or 120 days would be a good practice.
Recommendation
This is a must. Any anonymous links should have some sort of expiration.
—————————————————————————————————————————————————————-
Tag documents in SharePoint
According to Microsoft
“You should apply labels to documents in SharePoint Online. If you use document classification tags, you can author rules that leverage the label to implement specific retention/deletion policies using data loss protection (DLP) in the Security and Compliance Center. In the future there will more DLP actions possible when labels are detected on documents.”
Microsoft has assigned this one at 2 total points, making it a very low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
If you plan to use DLP to control content in your tenant, then having a categorization system or a plan on how documents should be labeled, applying controls later will be much easier. Labeling your content will also make it easier to manage later even without DLP. Take some time to plan out these labels with content owners.
Recommendation
Worth the time if you have content that needs to be managed online.
—————————————————————————————————————————————————————-
Review list of external users you have invited to documents monthly
According to Microsoft
“You should review the list of external users that you have invited to sensitive documents on a weekly basis. Attackers that have compromised accounts with sharing privileges will be able to expose sensitive data to external users for long periods of time without regular review of who has access.”
Microsoft has assigned this one at 2 total points, making it a very low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
External sharing, similar to the anonymous links, is something that should be monitored because the access is granted to people outside of your organization. The method to check the access however, as directed by Secure Score, is far from ideal. Depending on your experience level, using PowerShell to automatically generate these reports might be a better option. There are existing scripts created by SharePoint experts on how to do this already.
Recommendation
Just do it. This is a no brainer.
—————————————————————————————————————————————————————-
Disable accounts not used in last 30 days
According to Microsoft
“You should disable any accounts that have not been used in the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Elevation of Privilege, Malicious Insider
My thoughts
For this task, I think 30 days is a bit aggressive. A slightly less aggressive approach of 90 days may be better. Either way it does point out a weak area that is sometimes overlooked and that is accounts for people that have left or are on leave. In some cases there are legitimate reasons to leave the accounts and sometimes these are accounts that are forgotten about. The biggest issue I see with this task is that the User management in the Office 365 Admin center does not expose last logon times. You cannot event create a ‘Custom View’ for this. To find this, PowerShell might be your best bet.
Recommendation
I put this at a yes, with caveats, because of the 30 days. This isn’t to say you shouldn’t review these accounts and the recommend interface from Microsoft is lacking. You should have a process in place for off-boarding users.—————————————————————————————————————————————————————-
Allow anonymous guest sharing links for sites and docs
According to Microsoft
“You should allow your users to use anonymous guest sharing links for SharePoint Online sites and documents. While there are inherent risks in sharing documents anonymously, Microsoft has found that when anonymous sharing is disabled, users often use more risky methods of sharing sites and documents, email for example. A proactive approach would be to enable anonymous sharing links for customers while also educating users on the pitfalls with sharing anonymously and monitoring links shared for signs of exfiltration by an attacker.”
Microsoft has assigned this one at 1 total point, making it a very low importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
The irony is thick with this one, but as Microsoft points out, it makes sense. Allowing users to send out anonymous links to external users is better than alternative methods like email or even another file service like Drop Box. If the users are sending out anonymous links, you have control over how long they are active and can create reports on what is shared as well.
Recommendation
This is a good one to implement IF you follow the previous recommendation of restricting how long the links are active for.
—————————————————————————————————————————————————————-
Enable Data Loss Prevention policies
According to Microsoft
“You should enable Data Loss Prevention (DLP) policies to help protect your data from accidental, or malicious exposure. DLP allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords, and will alert users and administrators that this data should not be exposed.”
Microsoft has assigned this one at 20 total points, making it a higher importance.
Threats – Data Exfiltration, Data Spillage
My thoughts
If you deal with PII like credit cards, Social Security Numbers, bank account numbers and more, then implementing DLP is a must. Microsoft has provided quite a few default templates or this type of data and covers more than just the US data types as well. If there isn’t a data type present, then you can create a custom classification to be used against emails or documents in your tenant.
Recommendation
If you have the license to use DLP and have PII in the cloud, this is an absolute must to enable.
—————————————————————————————————————————————————————-
Enable Advanced Security Management Console
According to Microsoft
“You should adopt the Office 365 Advanced Security Management Console. This console will allow you to set up policies to alert you about anomalous and suspicious activity. We found that your subscription to Advanced Security Management Console is set to False.”
Microsoft has assigned this one at 20 total points, making it a higher importance.
Threats – Account Breach, Elevation of Privilege, Data Exfiltration, Malicious Insider, Data Spillage
My thoughts
This is a feature Microsoft added back in 2016 to give admins a deeper look into suspicious activity. The only caveat to it being on this list is the requirements for its usage – “Advanced Security Management is available in Office 365 Enterprise E5 or as an add-on subscription to Office 365”. For those with E3 licensing, you will not be able to complete this task.
Recommendation
My take is if you have E5 and can access this then you absolutely must. Dig deeper into your tenant.
—————————————————————————————————————————————————————-
Enable Advanced Threat Protection safe attachments policy
According to Microsoft
“You should enable the Office 365 Advanced Threat Protection Safe Attachments feature. This will extend the malware protections in the service to include routing all messages and attachments that don’t have a known virus/malware signature to a special hypervisor environment where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent.”
Microsoft has assigned this one at 15 total points, making it a medium importance.
Threats – Phishing/Whaling, Spoofing
My thoughts
This is another good feature provided by Microsoft for protecting you end users. However, there is a specific licensing requirement per Microsoft – ” The ATP safe attachments features are only available in Advanced Threat Protection, available with Office 365 Enterprise E5″. So if you have the license, then the feature has the potential to scan for malicious content in attachments delivered to your domain.
Recommendation
My take is if you have E5 and can access this then you should give it a go.
—————————————————————————————————————————————————————-
Enable Advanced Threat Protection safe links policy
According to Microsoft
“You should enable the Office 365 Advanced Threat Protection Safe Links feature. This will extend the phishing protection in the service to include redirecting all email hyperlinks through a forwarding service which will block malicious ones even after it has been delivered to the end user. We found that your enablement is set to False.”
Microsoft has assigned this one at 15 total points, making it a medium importance.
Threats – Phishing/Whaling, Spoofing
My thoughts
Same thoughts as the previous ATP feature, it requires an E5 license to enable and helps protect your users.
Recommendation
My take is if you have E5 and can access this then you should give it a go.
—————————————————————————————————————————————————————-
Enable mobile device management services
According to Microsoft
“You should use a mobile device management service such as Office 365 Mobile Device Management or Microsoft InTune. Devices, especially mobile devices, are vulnerable to attacks such as malware that can lead to account and data breaches. We found that your enablement of mobile device management services is False.”
Microsoft has assigned this one at 20 total points, making it a higher importance.
Threats – Phishing/Whaling, Spoofing
My thoughts
If you are not currently using MDM to protect your mobile devices, at the minimum you want to configure a good mobile device policy. You should also use the default MDM at a minimum as well for your mobile device management. If you have licensing or need greater controls, then investing in InTune would be the way to go.
Recommendation
Enabling this is a maybe only if you have an existing MDM solution. However, if you do not, then using the built-in MDM or InTune will help secure your mobile devices.—————————————————————————————————————————————————————-
Require mobile devices to use a password
According to Microsoft
“You should require your users to use a password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
When creating a policy for securing mobile devices, having some sort of Pin or password should be one of the first settings configured. The setting will at least prevent easy device access if the device is lost or stolen.
Recommendation
Definitely one to configure. This should be a basic mobile device security setting.
—————————————————————————————————————————————————————-
Require mobile devices to block access and report policy violations
According to Microsoft
“You should configure your mobile device management policies to block access to devices that violate your policy and to report those violations to an administrator. Users will be able to connect with non-compliant devices unless you block access, leading to vulnerable devices connecting to your data.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
If you don’t have a third party MDM solution in place now, then this is a valid policy setting to put in place to keep mobile devices secure.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Require mobile devices to manage email profile
According to Microsoft
“You should configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
Similar to the previous two – this is a function of a good MDM solution. Even with BYOD in today’s Office 365 environment, being able to control corporate data is a good thing.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Do not allow simple passwords on mobile devices
According to Microsoft
“You should require your users to use a complex password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”
Microsoft has assigned this one at 2 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
This goes hand in hand with requiring a password and is an enhancement of the password policy once it’s in place.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Require mobile devices to use alphanumeric password
According to Microsoft
“You should require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
More complex passwords should be put in place.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Require mobile devices to use encryption
According to Microsoft
“You should require your users to use encryption on their mobile devices. Unencrypted devices can be stolen and their data extracted by an attacker very easily.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
Encrypting mobile devices is one way to protect any sensitive data that may be on your mobile devices. This feature provides another layer to your other configuration settings.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Require mobile devices to lock on inactivity
According to Microsoft
“You should require your users to configure their mobile devices to lock on inactivity. Attackers can steal unlocked devices and access data and account information.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
Like you desktop or laptop, having an idle lockout is a good policy. This way if you accidently misplace the device or set it down for a period of time, it will automatically lock out other people from accessing the device.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Require mobile devices to have minimum password length
According to Microsoft
“You should require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
Continuing on the line of password protection for mobile devices, this simply requires a minimum length of password similar to how you configure this for your Active Directory login. While the minimum length should not be something like 1 or two characters and should probably be at a minimum 6 or 8 characters.
Recommendation
If using the built in MDM or InTune, then this setting should be put in place.
—————————————————————————————————————————————————————-
Require mobile devices to wipe on multiple sign-in failures
According to Microsoft
“You should require your users to wipe the contents of the mobile device after no more than 10 sign in failures. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. We found that your mobile device policy requiring wipe after multiple failed sign-ins is set to wipe after infinite failures.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats –
My thoughts
In today’s world of BYOD a lot of organizations are hesitant to implement such a policy. There are some that are prepared for complete device wipes by educating their users on the ramifications of this policy. Others will issue their own devices. However, in some cases simply using App security instead of device security eliminates the need for this policy altogether.
Recommendation
This is a solid maybe because it depends on if you have BYOD, issued devices or are using app security to handle mobile devices. Make a decision based on your device and user base for this one.—————————————————————————————————————————————————————-
Do not allow jail broken or rooted mobile devices to connect
According to Microsoft
“You should not allow your users to use to connect with mobile devices that have been jail broken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
For corporate devices or mobile devices accessing corporate date, a jailbroken or rooted device should be blocked. If a user wants to have this device, it would be best left to keep it a personal device and not connected to any internal systems.
Recommendation
Apply this setting.
—————————————————————————————————————————————————————-
Require mobile devices to never expire password
According to Microsoft
“While this is not the most intuitive recommendation, research has found that when periodic password resets are enforced, passwords become weaker as users tend to pick something weaker and then use a pattern of it for rotation. If a user creates a strong password: long, complex and without any pragmatic words present, it should remain just as strong is 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
Mixed feelings on this one. If this policy would be put in place, I would recommend a longer, more complex password for securing devices. The problem here becomes the end user and the way they handle passwords. If they can choose a good, secure password, this is a good policy. If however, they do not, then obviously the reverse becomes try.
Recommendation
Enable long complex passwords if enabling this.
—————————————————————————————————————————————————————-
Do not allow mobile device password re-use
According to Microsoft
“You should not allow your users to reuse the same password on their mobile devices. Devices without this protection are vulnerable to being accessed by attackers who can then steal account credentials, data, or install malware on the device.”
Microsoft has assigned this one at 1 total points, making it a very low importance.
Threats – Account Breach, Data Exfiltration, Data Spillage
My thoughts
If passwords change over time, then not re-using passwords makes sense. That way if a password were compromised and a user re-uses that compromised password, then this could lead to a security breach.
Recommendation
No repeating passwords is a good policy to put in place.
—————————————————————————————————————————————————————-
Enable customer lockbox feature
According to Microsoft
“You should enable the customer lockbox feature. This will require Microsoft to get your approval for any datacenter operation that grants a Microsoft employee direct access to any of your content.”
Microsoft has assigned this one at 5 total points, making it a low importance.
Threats – Data Exfiltration, Data Deletion, Data Spillage
My thoughts
This is another feature on the list that requires an E5 licenses, so if you don’t have one, then this one won’t apply to you. I personally do not like this option. If you want true security or control, then providing this access would go against that philosophy. While you can limit access to your data and set an expiration on it, I believe a more interactive approach is called for when there is an issue.
Recommendation
This one recommendation is a No for me. If you need Microsoft’s help, they are more than happy to use their screenshare technology and while this does grant them a view in to the environment, it can be limited and controlled by you. I would rather grant the access and watch. A controlled over the shoulder setup is ideal for the administrator to provide input while learning how to resolve an issue.
