In a vein similar to the post I wrote at the beginning of the year, I am going to walk through the various Secure Score tasks that are listed in the Security and Compliance Center. With each new task I will assess what I think the practical effect or purpose of accomplishing the task is.
New Tasks – Since January 2018
Here are the new tasks:
———————————————————————————————————————————————————–
Designate less than 5 global admins
According to Microsoft
“You should designate less than five global tenant administrators because the more global admin users you have, the more likely it is that one of those accounts will be successfully breached by an external attacker. We found that you have ‘X’ admins designated.”
Threats – Password Cracking, Account Breach, Elevation of Privilege
My thoughts
Even for a large organization, five global admins can be a bit excessive. Remember these are individuals that have full control over EVERYTHING in your tenant. Do you need more than 5?
Recommendation

—————————————————————————————————————————————————————-
Do not expire passwords
According to Microsoft
“While this is not the most intuitive recommendation, research has found that when periodic password resets are enforced, passwords become weaker as users tend to pick something weaker and then use a pattern of it for rotation. If a user creates a strong password: long, complex and without any pragmatic words present, it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason. We found that your current policy is set to require a password reset every 999 days.”
Threats – Password Cracking and Account Breach
My thoughts
This idea has gained more traction with Microsoft over the years for many reasons. The first is that it removes some of the challenge a regular user has trying to come up with an original password every 60 to 90 days. No need for sticky notes or other reminders of a constantly changing password. A consistent, secure password is much better in the long run.
Recommendation

—————————————————————————————————————————————————————-
Do not allow users to grant consent to unmanaged applications
According to Microsoft
“You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. We found that your policy to allow third party integrated applications to access your service is currently configured to False.”
Threats – Data Exfiltration & Data Spillage
My thoughts
Any strengthening of security for your tenant is a good idea in general. Adding third party app integration should require a security analysis to make sure that you are not providing an attack vector. To lessen that risk, work with your app provider to ensure appropriate security and controls.
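The two tenant-wide settings behind the password expiry task above and this consent task can be checked from one script. This is an added example, not code from the original post; it uses the MSOnline module, assumes Connect-MsolService has already been run, and only changes anything when called with -Apply.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has already been run.
# Without -Apply the function only reports; with -Apply it changes the tenant.
function Test-TenantPasswordAndConsentSettings {
    param([switch]$Apply)

    # MSOnline represents "passwords never expire" as a validity period of 2147483647 days.
    $neverExpire = 2147483647

    foreach ($domain in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
        $policy = Get-MsolPasswordPolicy -DomainName $domain.Name
        # A blank ValidityPeriod means the domain is on the tenant default of 90 days.
        $days = if ($policy.ValidityPeriod) { [int]$policy.ValidityPeriod } else { 90 }
        $expires = if ($days -eq $neverExpire) { 'never' } else { "every $days days" }
        "$($domain.Name): passwords expire $expires"

        if ($Apply -and $days -ne $neverExpire) {
            Set-MsolPasswordPolicy -DomainName $domain.Name -ValidityPeriod $neverExpire -NotificationDays 30
            "$($domain.Name): password expiry turned off"
        }
    }

    # Tenant-wide switch that lets ordinary users consent to third party apps on their own.
    $company = Get-MsolCompanyInformation
    "Users may consent to third party apps: $($company.UsersPermissionToUserConsentToAppEnabled)"

    if ($Apply -and $company.UsersPermissionToUserConsentToAppEnabled) {
        Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
        "User consent disabled; new app integrations now need an admin to approve them"
    }
}

Test-TenantPasswordAndConsentSettings           # report only
# Test-TenantPasswordAndConsentSettings -Apply  # apply both recommendations
```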
Recommendation

—————————————————————————————————————————————————————-
Enable versioning on all SharePoint online document libraries
According to Microsoft
“You should enable versioning on all of your SharePoint online site collection document libraries. This will ensure that accidental or malicious changes to document content can be recovered. We found that you do not have versioning enabled on ‘X’ out of ‘Y’ of your site document libraries.”
Threats – Data Deletion
My thoughts
Unless there is a business case for not enabling versioning in SharePoint, I agree that this is a good recommendation from Microsoft. Just like using versioning on documents and files that your end users edit, this would enable a similar function for your SharePoint sites in Office 365.
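Finding the libraries that Microsoft counts as ‘X out of Y’ is easier in PowerShell than clicking through every site. This is an added example, not code from the original post; it assumes the SharePoint PnP PowerShell module, a SharePoint admin account, and uses contoso-admin.sharepoint.com as a placeholder tenant admin URL.

```powershell
# Added example, not from the original post. Assumes the SharePointPnPPowerShellOnline module
# and a SharePoint admin credential. Reports libraries without versioning; -Apply turns it on.
function Get-LibrariesWithoutVersioning {
    param(
        [Parameter(Mandatory)][string]$AdminUrl,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$Apply,
        [int]$MajorVersions = 100
    )

    Connect-PnPOnline -Url $AdminUrl -Credentials $Credential
    $sites = Get-PnPTenantSite

    foreach ($site in $sites) {
        try {
            Connect-PnPOnline -Url $site.Url -Credentials $Credential
        } catch {
            # Locked or otherwise unreachable site collections are reported, not fatal.
            Write-Warning "Could not open $($site.Url): $_"
            continue
        }

        # BaseTemplate 101 is a document library; hidden lists are system lists and are skipped.
        $libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

        foreach ($lib in $libraries | Where-Object { -not $_.EnableVersioning }) {
            if ($Apply) {
                Set-PnPList -Identity $lib.Id -EnableVersioning $true -MajorVersions $MajorVersions
            }
            [PSCustomObject]@{ Site = $site.Url; Library = $lib.Title; Fixed = [bool]$Apply }
        }
    }
}

$cred = Get-Credential
# Placeholder tenant admin URL; replace with your own.
$missing = Get-LibrariesWithoutVersioning -AdminUrl 'https://contoso-admin.sharepoint.com' -Credential $cred
$missing | Format-Table -AutoSize
"$(@($missing).Count) document libraries without versioning"
# Re-run with -Apply to enable versioning (100 major versions) on each of them.
```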
Recommendation

—————————————————————————————————————————————————————-
Use non-global administrative roles
According to Microsoft
“You should leverage non-global administrator roles to perform required administrative work with the least privileges necessary to complete the task. Using roles like Password Administrator or Exchange Online Administrator will reduce the number of high value, high impact global admin role holders you have, which will in turn reduce the likelihood of a breach of an account with global administrative privileges. We found that you have ‘X’ users in global admin roles.”
Threats – Account Breach, Elevation of Privilege & Malicious Insider
My thoughts
The least privilege model is one that should be used in any security situation, whether this is with your Office 365 tenant or on-premises. The only exception that could present itself in this model is the single administrator or small IT department where duties are not segregated due to lack of personnel.
Recommendation
Even with the caveats spelled out above, I would still recommend this being implemented if at all possible. Larger organizations should absolutely be using this and hopefully follow their model from on-premises AD security configuration.
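The two role tasks above (fewer than five global admins, and scoped roles instead of Global Administrator) can be checked with the AzureAD PowerShell module. This is an added example, not code from the original post; it assumes Connect-AzureAD has already been run with an account that can read directory roles.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already been run.
$threshold = 5

# Get-AzureADDirectoryRole lists only roles that have been activated in the tenant, and it shows
# the Global Administrator role under its internal display name "Company Administrator".
$globalAdminRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
$globalAdmins = @(Get-AzureADDirectoryRoleMember -ObjectId $globalAdminRole.ObjectId)

"Global admins: $($globalAdmins.Count) (Secure Score target: fewer than $threshold)"
$globalAdmins | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table -AutoSize

if ($globalAdmins.Count -ge $threshold) {
    Write-Warning "At or above the target. Check whether a scoped role (Exchange, Password, User admin) would cover each account's actual work."
}

# Member count for every activated role, to see which scoped roles are already being used
# instead of Global Administrator. Apps appear with ObjectType 'ServicePrincipal'.
Get-AzureADDirectoryRole | ForEach-Object {
    [PSCustomObject]@{
        Role    = $_.DisplayName
        Members = @(Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).Count
    }
} | Sort-Object Members -Descending | Format-Table -AutoSize
```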
—————————————————————————————————————————————————————-
Ensure all users are registered for multi-factor authentication
According to Microsoft
“You should register all users for MFA because MFA allows end users to prove their identity during risky sign-ins. We found that you had users out of ‘X’ that did not have MFA registered. If you register those users, your score will go up points.”
Threats – Password Cracking & Account Breach
My thoughts
Currently this is more of an ideal scenario. This setting will require end user education, training and possibly even a cultural shift for this to work properly. Many organizations are certainly asking for this to be put in place and it is a goal to strive for.
Recommendation
Yes. This should be done. This increases security and adds a rather small amount of complexity for the end user.
—————————————————————————————————————————————————————-
Review permissions & block risky OAuth applications connected to your corporate environment
According to Microsoft
“Cloud App Security app permissions enables you to see which user-installed applications have access to Office 365 data, what permissions the apps have, and which users granted these apps access. We found you haven’t investigated and banned OAuth apps connected in your tenant. We found that your enablement of this feature is set to false. If you block access to a risky OAuth App, your score will go up by 15 points.”
Threats – Data Exfiltration & Data Spillage
My thoughts
A consideration for this is whether you have the licensing to use the Cloud App Security feature from the Security and Compliance Center. This feature requires an EMS E5 license, or a separate add-on, to make it available. Otherwise it does appear to be a good recommendation. It certainly needs to be evaluated on a case by case basis depending on what apps you are using in your tenant and whether there is any need to analyze the authentication they use.
Recommendation
Maybe – only because this is an instance where apps and the consequences of the change need to be analyzed.
—————————————————————————————————————————————————————-
Detect Insider Threat, Compromised account, and Brute force attempts in cloud applications
According to Microsoft
“Cloud App Security anomaly detection policies provide UEBA and advanced threat detection across your cloud environment. We found you haven’t reviewed anomaly detection alerts in your tenant. We found the enablement of this feature is set to false. If you remediate an alert, your score will go up by 15 points.”
Threats – Account Breach, Elevation of Privilege & Malicious Insider
My thoughts
Another feature that requires the Cloud App Security feature and thus an EMS E5 license in order to use. If you have the right licensing, then this is a worthy feature to enable in your tenant.
Recommendation
Yes. Do this. There are enough attacks out there that this should be monitored in Office 365.
—————————————————————————————————————————————————————-
Enable self-service password reset
According to Microsoft
“You should enable self-service password reset because this allows banned password checking every time a user resets a password. You have ‘X’ users out of ‘Y’ without self-service password reset. If you enable this, your score will go up 5 points.”
Threats – Password Cracking & Account Breach
My thoughts
Self-service password reset is a good feature for your tenant, as it will alleviate some of the pressure on and effort of any company’s help desk team.
** Note that this requires configuration in Azure AD and P1 licensing in order to get the full effect.
Recommendation
Yes. Put this in place. Pilot it first as there are many options to enable to get this just right for your user base.
—————————————————————————————————————————————————————-
Do not allow mailbox delegation
According to Microsoft
“You should ensure that your users do not use mailbox delegation. While there are many legitimate uses of mailbox delegation, it also makes it much easier for an attacker to move laterally from one account to another to steal data. We found that you had ‘X’ active accounts out of ‘Y’ with mailbox delegation. If you remove delegate permissions from all of your mailboxes, your score will go up 1 point.”
Threats – Account Breach, Elevation of Privilege, & Malicious Insider
My thoughts
There are way too many legitimate uses of this feature for me to recommend not using mailbox delegation. Understand, though, that like a lot of other convenient features in Exchange Online, there is always a risk that the resource will be used as an attack vector.
Recommendation
Maybe – Only because you may be in an environment where this is possible. Maybe you’ve never used delegation or permissions or anything like this. In that case, this should be pretty easy. However, the vast majority of my clients use mailbox delegation in some form or fashion and would have a hard time not using this feature.
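Deciding this ‘Maybe’ per mailbox starts with knowing who actually holds delegated rights. This is an added example, not code from the original post; it assumes an Exchange Online remote PowerShell session is already open and exports every non-default Full Access, Send As and Send on Behalf grant to a CSV for review.

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell session.
# Collects every explicit (non-inherited, non-system) delegation in the tenant.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Full Access: explicit grants only; NT AUTHORITY\SELF and orphaned SIDs (S-1-5-*) are noise.
$fullAccess = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
            $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
        } |
        ForEach-Object {
            [PSCustomObject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = $_.User; Right = 'FullAccess' }
        }
}

# Send As is a recipient permission, not a mailbox permission.
$sendAs = foreach ($mbx in $mailboxes) {
    Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            [PSCustomObject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = $_.Trustee; Right = 'SendAs' }
        }
}

# Send on Behalf lives on the mailbox object itself.
$sendOnBehalf = foreach ($mbx in $mailboxes | Where-Object { $_.GrantSendOnBehalfTo }) {
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [PSCustomObject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = $delegate; Right = 'SendOnBehalf' }
    }
}

$all = @($fullAccess) + @($sendAs) + @($sendOnBehalf)
$all | Sort-Object Mailbox, Right | Export-Csv -Path .\mailbox-delegation.csv -NoTypeInformation
"$(@($all).Count) delegations across $(@($mailboxes).Count) mailboxes (see mailbox-delegation.csv)"
```

Each row in the CSV is a grant someone in the business should be able to justify; the ones nobody can explain are the ones worth removing first.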
—————————————————————————————————————————————————————-
Discover risky and non-compliant Shadow IT applications used in your organization
According to Microsoft
“Cloud discovery analyzes firewall traffic logs to provide visibility into cloud application usage and security posture of each. Log collectors enable you to easily automate log upload from firewall appliances in your network. We found your tenant doesn’t have continuous discovery report configured. We found that your enablement of this feature is set to false. If you add a data source, your score will go up by 20 points.”
Threats – Data Exfiltration
My thoughts
This feature comes as part of the previously mentioned Cloud App Security, thus it requires EMS E5 or an add-on to use. It can provide some worthwhile reports if you need help with this part of your infrastructure.
Recommendation
If you have the licenses, then I would certainly enable the feature. If you don’t, but have other items in Office 365 that require an E5, this may be worth getting the E5 for and then utilizing all the features therein.
—————————————————————————————————————————————————————-
Set automated notification for new OAuth applications connected to your corporate environment
According to Microsoft
“App permission policies enable you to discover OAuth abuse in the org by identifying trending applications based on usage & permissions granted. We found that your enablement of this feature is set to false. If you enable this feature, your score will go up by 20 points.”
Threats – Account Breach, Elevation of Privilege & Malicious Insider
My thoughts
This does seem like a no-brainer to enable. If there is a way to monitor these types of connections, I am sure the security people/department at your organization would like to see what is being used when apps connect.
Recommendation
Yes. This is a security enhancement with little to no downsides. So definitely do it!
—————————————————————————————————————————————————————-
Enable sign-in risk policy
According to Microsoft
“You should enable sign-in risk policy. This will ensure that suspicious sign-ins are challenged for MFA. We found that you had ## users out of ## that did not have sign-in risk policy enabled. If you enable sign-in risk policy for those ## users, your score will go up 30 points.”
Threats – Password Cracking & Account Breach
My thoughts
Another good security recommendation from Microsoft for maintaining the integrity of your logins to your Office 365 tenant. I would be hard pressed to find a good reason to not enable this feature.
Recommendation
Yes. This is a definite one to implement.
—————————————————————————————————————————————————————-
Enable user risk policy
According to Microsoft
“You should enable user risk policy. This will ensure that potentially compromised users are automatically remediated. We found that you had ## users out of ## that did not have user risk policy enabled. If you enable user risk policy for those ## users, your score will go up 30 points.”
Threats – Password Cracking & Account Breach
My thoughts
This is a feature that should be investigated before implementing it for any users in Office 365. However, it does sound like a good idea in order to again ensure account login integrity for your Office 365 tenant.
Recommendation
Yes. This is a feature that should be enabled. Just like any change of this nature, test it as much as possible before rolling it out to all of the users that will be targeted by this policy.
—————————————————————————————————————————————————————-
Enable policy to block legacy authentication
According to Microsoft
“You should block legacy authentication because bad actors prefer legacy authentication. We found that you had 395 users out of 395 that did not have legacy authentication blocked. If you block legacy authentication for those 395 users, your score will go up 20 points.”
Threats – Password Cracking & Account Breach
My thoughts
This is an easy yet hard one to give a good recommendation for. The reason for that is, simply put, you would have to know what legacy auth apps are out there. If this cannot be validated, then it will be hard to turn this off tenant wide.
Recommendation
Yes. With a caveat. If you have no apps using legacy authentication, then it is a definite yes. Otherwise, there should be an effort made to eliminate these connections.
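The validation step above (knowing which users and apps still use legacy authentication) can be done from an Azure AD sign-in log export. This is an added example, not code from the original post; the five CSV rows are constructed sample data, and the column names are an assumption modelled on the portal’s sign-in export. On a real tenant, replace the sample with Import-Csv over the downloaded file.

```powershell
# Added example, not from the original post. Constructed sample sign-in data; the column names
# are an assumption based on the Azure AD sign-in log export.
$sampleCsv = @'
"Date (UTC)","Username","Application","Client app","Status"
"2018-10-01T08:12:00Z","alice@contoso.com","Office 365 Exchange Online","Browser","Success"
"2018-10-01T08:13:00Z","bob@contoso.com","Office 365 Exchange Online","IMAP4","Success"
"2018-10-01T08:15:00Z","scanner@contoso.com","Office 365 Exchange Online","Authenticated SMTP","Success"
"2018-10-01T08:20:00Z","carol@contoso.com","Office 365 Exchange Online","Mobile Apps and Desktop clients","Success"
"2018-10-01T09:41:00Z","bob@contoso.com","Office 365 Exchange Online","IMAP4","Failure"
'@

function Get-LegacyAuthUsage {
    param([Parameter(Mandatory)][object[]]$SignIns)

    # Browser and modern-auth rich clients are the only client types that can be challenged
    # for MFA; everything else (IMAP4, POP3, SMTP, ActiveSync, "Other clients") is legacy auth.
    $modern = @('Browser', 'Mobile Apps and Desktop clients')

    $SignIns |
        Where-Object { $_.'Client app' -notin $modern } |
        Group-Object Username, 'Client app' |
        ForEach-Object {
            [PSCustomObject]@{
                Username  = $_.Group[0].Username
                ClientApp = $_.Group[0].'Client app'
                SignIns   = $_.Count
                Failures  = @($_.Group | Where-Object { $_.Status -ne 'Success' }).Count
                LastSeen  = ($_.Group | Sort-Object 'Date (UTC)' | Select-Object -Last 1).'Date (UTC)'
            }
        } | Sort-Object SignIns -Descending
}

$signIns = $sampleCsv | ConvertFrom-Csv
# $signIns = Import-Csv -Path .\SignIns.csv   # real export from the Azure AD portal
Get-LegacyAuthUsage -SignIns $signIns | Format-Table -AutoSize
```

Accounts like the scanner in the sample (a device sending mail over Authenticated SMTP) are the ones that need an owner and a migration plan before the block can be enabled tenant wide.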
—————————————————————————————————————————————————————-
Enable Office 365 Cloud App Security Console
According to Microsoft
“You should adopt the Office 365 Cloud App Security Console. This console will allow you to set up policies to alert you about anomalous and suspicious activity. We found that your enablement of this feature is set to false. If you enable this feature, your score will go up by 20 points.”
Threats – Account Breach, Elevation of Privilege, Malicious Insider, Data Exfiltration & Data Spillage
My thoughts
If you have the licensing for the Cloud App Security Console, then there is no reason not to do this.
Recommendation
Yes. Like a lot of other recommendations, this is seemingly a no-brainer as it will help the admin get better visibility into their own tenant.
—————————————————————————————————————————————————————-
Set automated notifications for new and trending cloud applications in our organization
According to Microsoft
“Discovery policies enable you to set alerts that notify you when new apps are detected within your organization. We found your tenant doesn’t have any app discovery policies configured. We found the enablement of this feature is set to false. If you enable this feature, your score will go up by 15 points.”
Threats – Data Exfiltration
My thoughts
Since this is all about discovery and notifying the admin of changes, I am all for this. As IT should have visibility into what is installed in their environment, this would be a good step in that direction.
Recommendation
Yes. Turn it on. No other comment needs to be made.
—————————————————————————————————————————————————————-
Enable Advanced Threat Protection safe attachments policy
According to Microsoft
“You should enable the Office 365 Advanced Threat Protection Safe Attachments feature. This will extend the malware protections in the service to include routing all messages and attachments that don’t have a known virus/malware signature to a special hypervisor environment where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. We found that your enablement is set to False. If you enable Safe Attachments, your score will go up 15 points.”
Threats – Phishing/Whaling & Spoofing
My thoughts
This task should only appear if you have an ATP license or E5 in your tenant. If you have that, then yes, this should be enabled.
Recommendation
Yes. Protect your users from bad attachments now!
—————————————————————————————————————————————————————-
Enable Advanced Threat Protection safe links policy
According to Microsoft
“You should enable the Office 365 Advanced Threat Protection Safe Links feature. This will extend the phishing protection in the service to include redirecting all email hyperlinks through a forwarding service which will block malicious ones even after it has been delivered to the end user. We found that your enablement is set to False. If you enable Safe Links, your score will go up 15 points.”
Threats – Phishing/Whaling & Spoofing
My thoughts
Same as the previous ATP feature. Same comment on licensing and visibility.
Recommendation
Yes. Have the license? Enable it.
—————————————————————————————————————————————————————-
Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps
According to Microsoft
“Activity policies enable you to detect risky behavior, violations, or suspicious data points in your cloud environment, and if necessary, to integrate remediation work flows. We found your tenant didn’t have any activity policies configured. We found the enablement of this feature is set to false. If you enable this policy, your score will go up by 10 points.”
Threats – Account Breach, Elevation of Privilege & Malicious Insider
My thoughts
Another automated security monitoring feature for your tenant. Implement it.
Recommendation
Yes. If you have the required licenses, enable it.
—————————————————————————————————————————————–
Identify Shadow IT application usage in your organization by automating log upload from firewalls
According to Microsoft
“Cloud discovery analyzes firewall traffic logs to provide visibility into cloud application usage and security posture of each. We found your tenant didn’t have cloud discovery configured. We found that your enablement of this feature is set to false. If you create a new Cloud Discovery snapshot report, your score will go up by 5 points.”
Threats – Data Exfiltration
My thoughts
Requires Cloud App Security, so if you have the license, then yes, do this.
Recommendation
Yes.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Compliance Policy for iOS
According to Microsoft
“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on this security compliance of a managed device. We found that an enablement of iOS compliance policy is False. If you create and assign an iOS Compliance Policy, your score will go up 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Compliance Policy for Android
According to Microsoft
“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on this security compliance of a managed device. We found that an enablement of Android compliance policy is False. If you create and assign an Android Compliance Policy, your score will go up 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Compliance Policy for Android for Work
According to Microsoft
“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on this security compliance of a managed device. We found that an enablement of Android for Work compliance policy is False. If you create and assign an Android for Work Compliance Policy, your score will go up 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Compliance Policy for Windows
According to Microsoft
“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on this security compliance of a managed device. We found that an enablement of compliance policy for Windows is False. If you create and assign a Windows Compliance Policy, your score will go up 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Compliance Policy for macOS
According to Microsoft
“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on this security compliance of a managed device. We found that an enablement of compliance policy for macOS is False. If you create and assign a macOS Compliance Policy, your score will go up 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune App Protection Policy for iOS
According to Microsoft
“Microsoft Intune App Protection Policies provide data security and data loss prevention for iOS and Android apps. We found that an enablement of Intune App Protection Policies is False. If you create and assign an iOS App Protection Policy, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune App Protection Policy for Android
According to Microsoft
“Microsoft Intune App Protection Policies provide data security and data loss prevention for iOS and Android apps. We found that you have no Intune App Protection Policies for Android configured. We found that an enablement of Intune App Protection Policies for Android is False. If you create and assign an Android App Protection Policy, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Windows Information Protection Policy
According to Microsoft
“Windows Information Protection provides data security and data loss prevention for Windows 10. We found that an enablement of Windows Information Protection policies is False. If you create and assign a Windows Information Protection Policy, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
This can be done with Intune, SCCM and some other third-party apps as well (https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). This is a form of DLP and worth investigating.
Recommendation
Yes. Protect your workstations.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Configuration Profile for iOS
According to Microsoft
“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for iOS is False.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Configuration Profile for Android
According to Microsoft
“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for Android is False. If you create and assign an Android Configuration Profile, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Configuration Profile for Android for Work
According to Microsoft
“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for Android for Work is False. If you create and assign an Android for Work Configuration Profile, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Configuration Profile for Windows
According to Microsoft
“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for Windows is False. If you create and assign a Windows Configuration Profile, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Create a Microsoft Intune Configuration Profile for macOS
According to Microsoft
“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for macOS is False. If you create and assign a macOS Configuration Profile, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
On this one the answer is that it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.
Recommendation
Yes if you are going to use Intune. Otherwise no.
—————————————————————————————————————————————————————-
Mark devices with no Microsoft Intune Compliance Policy assigned as Non-Compliant
According to Microsoft
“If users are not targeted by Microsoft Intune Compliance Policies, they may be accessing corporate data on unmanaged/insecure devices. By configuring this setting, you’re marking devices Not Compliant by default if the user has no Compliance Policy assigned. We found that your enablement of this feature is set to false. If you set this to Not Compliant, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
This is only really valid if you are using no MDM solution at all. However, there are plenty of organizations that are not using Intune and already have an app to handle this management.
Recommendation
This is an automatic check and while it can be ignored, you won’t get any points for it.
—————————————————————————————————————————————————————-
Enable Enhanced Jailbreak Detection in Microsoft Intune
According to Microsoft
“Enhanced Jailbreak detection uses Location Services to trigger jailbreak evaluation more frequently. We found that your enablement of this feature is set to false. By enabling Enhanced Jailbreak detection, your score will go up by 10 points.”
Threats – Data Exfiltration
My thoughts
If using Intune, this is a good feature. Being able to detect and block jailbroken phones in a BYOD corporate environment is key.
Recommendation
Yes if using Intune; otherwise no, because the setting has nothing to act on.
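As an added example that is not part of the original post, the following PowerShell flips both tenant-wide compliance settings covered above (marking devices with no compliance policy as Not Compliant, and enhanced jailbreak detection) through Microsoft Graph and reads them back so the change can be reviewed. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds an Intune administrator role, and that the beta deviceManagementSettings object exposes the properties secureByDefault and enhancedJailBreakDetectionEnabled; those property names are my assumption, so check the current Graph reference before relying on them.

```powershell
# Added example, not the original post's code. Assumes the Microsoft.Graph
# PowerShell SDK, an Intune admin role, and (assumption) that the beta
# deviceManagementSettings object exposes secureByDefault and
# enhancedJailBreakDetectionEnabled.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$dmUri = 'https://graph.microsoft.com/beta/deviceManagement'

function Get-CompliancePolicySettings {
    # Read the tenant-wide compliance settings so a change is reviewable
    (Invoke-MgGraphRequest -Method GET -Uri "${dmUri}?`$select=settings").settings
}

$before = Get-CompliancePolicySettings
"Before: secureByDefault={0}  enhancedJailBreakDetectionEnabled={1}" -f `
    $before.secureByDefault, $before.enhancedJailBreakDetectionEnabled

# Only write when at least one of the two is still off
if (-not $before.secureByDefault -or -not $before.enhancedJailBreakDetectionEnabled) {
    $body = @{
        settings = @{
            secureByDefault                   = $true  # no compliance policy assigned -> Not Compliant
            enhancedJailBreakDetectionEnabled = $true  # evaluate jailbreak state more often on iOS
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $dmUri -Body $body
}

$after = Get-CompliancePolicySettings
"After:  secureByDefault={0}  enhancedJailBreakDetectionEnabled={1}" -f `
    $after.secureByDefault, $after.enhancedJailBreakDetectionEnabled
```

If Graph rejects one of the properties, the setting has been renamed or retired in your tenant; confirm it in the Intune portal under compliance policy settings rather than forcing the write. Turning on secureByDefault in a tenant where users have no compliance policy assigned will make every such device Not Compliant at once, so have the policies assigned before you flip it.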
—————————————————————————————————————————————————————-
Enable Windows Defender ATP integration into Microsoft Intune
According to Microsoft
“Windows Defender ATP provides visibility into your organization’s security posture and provides recommendations to improve it. We found that your enablement of this feature is set to false. Connect Windows Defender ATP with Microsoft Intune to up your score 10 points.”
Threats – Data Exfiltration
My thoughts
Have Intune licensing? Then this makes sense to utilize.
Recommendation
Yes if licensed, otherwise no.
—————————————————————————————————————————————————————-
Enable mobile device management services
According to Microsoft
“You should use a mobile device management service such as Office 365 Mobile Device Management or Microsoft Intune. Devices, especially mobile devices, are vulnerable to attacks such as malware that can lead to account and data breaches. We found that your enablement of mobile device management services is False. If you enable a mobile device management service, your score will go up 20 points.”
Threats – Account Breach, Data Exfiltration & Data Spillage
My thoughts
If you are not using a third-party product, then this should be used. The basic MDM is included with certain license levels. An additional license would be required if using the higher-end ATP.
Recommendation
Yes.
—————————————————————————————————————————————————————-
Review blocked devices report weekly
According to Microsoft
“You should review your blocked devices report weekly. You should do this to look for devices and users that violated your mobile device management policies so you can determine if those violations were malicious or non-malicious. If you review this report, your score will go up 5 points.”
Threats – Account Breach, Data Exfiltration & Data Spillage
My thoughts
It’s a report, read it.
Recommendation
Yes. No further response needed.
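As an added example that is not part of the original post, this PowerShell pulls the current list of non-compliant devices from Intune through Microsoft Graph and shapes it into the weekly review the task asks for, flagging devices that report as jailbroken and devices that have not checked in for a week. It assumes the Microsoft.Graph PowerShell SDK and an account that can read managed devices; the output path is a placeholder.

```powershell
# Added example, not the original post's code. Assumes the Microsoft.Graph
# PowerShell SDK and an account with read rights to Intune managed devices.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       "?`$filter=complianceState eq 'noncompliant'" +
       "&`$select=deviceName,userPrincipalName,operatingSystem,osVersion,jailBroken,lastSyncDateTime,complianceState"

# Follow @odata.nextLink so a large tenant is not silently truncated to one page
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$staleBefore = (Get-Date).AddDays(-7)
$report = $devices | ForEach-Object {
    $lastSync = [datetime]$_.lastSyncDateTime
    [pscustomobject]@{
        Device     = $_.deviceName
        User       = $_.userPrincipalName
        OS         = "$($_.operatingSystem) $($_.osVersion)"
        Jailbroken = $_.jailBroken          # Intune reports 'True', 'False' or 'Unknown'
        LastSync   = $lastSync
        Stale      = $lastSync -lt $staleBefore   # no check-in in the last week
    }
}

# Jailbroken and stale devices float to the top of the review
$report | Sort-Object @{Expression = 'Jailbroken'; Descending = $true}, Stale -Descending |
    Format-Table -AutoSize

# Keep a dated copy so week-over-week changes can be compared
$report | Export-Csv -Path ".\noncompliant-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A device showing Jailbroken = True or a user who appears on the list several weeks running is what the task means by "determine if those violations were malicious or non-malicious"; everything else is usually a patch or check-in problem that the help desk can clear.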
—————————————————————————————————————————————————————-
Require PC and Mobile devices to be patched, have anti-virus, and firewalls enabled
According to Microsoft
“You should configure your mobile device management policies to require the PC and mobile device to be patched, have anti-virus, and have a firewall enabled. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. We found that your policy is configured to [Not Measured]. If you enable this policy, your score will increase by 10 points.”
Threats – Account Breach, Data Exfiltration & Data Spillage
My thoughts
In an ideal world, yes. If this can be enabled in your environment and be successful then it’s a yes.
Recommendation
Yes. Anything that can be done to keep managed devices up to date on patches is a good thing.
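As an added example that is not part of the original post, the following PowerShell creates the two Intune compliance policies that implement this task and the earlier jailbreak one: a Windows 10 policy requiring a minimum OS build, anti-virus and real-time protection on, and the firewall active, and an iOS policy that blocks jailbroken devices. Both block non-compliant devices immediately and are assigned to all licensed users. It assumes the Microsoft.Graph PowerShell SDK, an Intune administrator role, and the property names of windows10CompliancePolicy and iosCompliancePolicy as published in the Graph beta reference (my assumption; verify before use). The version floors and policy names are placeholders.

```powershell
# Added example, not the original post's code. Assumes the Microsoft.Graph
# PowerShell SDK, an Intune admin role, and (assumption) the beta property
# names for windows10CompliancePolicy / iosCompliancePolicy.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$policiesUri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'

# Every compliance policy needs a scheduled action. "block" with a zero-hour
# grace period is what makes Conditional Access treat the device as
# non-compliant right away instead of after a grace window.
$blockNow = @(
    @{
        '@odata.type' = '#microsoft.graph.deviceComplianceScheduledActionForRule'
        ruleName      = 'PasswordRequired'
        scheduledActionConfigurations = @(
            @{
                '@odata.type'    = '#microsoft.graph.deviceComplianceActionItem'
                actionType       = 'block'
                gracePeriodHours = 0
            }
        )
    }
)

$windowsPolicy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Secure Score - Windows patched, AV and firewall'
    description             = 'Require a current OS build, Defender AV running and the firewall on'
    osMinimumVersion        = '10.0.17763'   # placeholder floor; use your oldest supported build
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    defenderEnabled         = $true
    rtpEnabled              = $true          # real-time protection must be on
    activeFirewallRequired  = $true
    scheduledActionsForRule = $blockNow
}

$iosPolicy = @{
    '@odata.type'                  = '#microsoft.graph.iosCompliancePolicy'
    displayName                    = 'Secure Score - iOS not jailbroken'
    description                    = 'Block jailbroken devices and require a current iOS'
    securityBlockJailbrokenDevices = $true
    osMinimumVersion               = '12.0'   # placeholder floor
    scheduledActionsForRule        = $blockNow
}

foreach ($policy in @($windowsPolicy, $iosPolicy)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $policiesUri -Body $policy
    'Created {0} ({1})' -f $created.displayName, $created.id

    # A policy does nothing until it is assigned. All licensed users is the
    # simplest target; narrow it to a pilot group before rolling out widely.
    $assign = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$policiesUri/$($created.id)/assign" -Body $assign
}
```

The compliance policy only marks the device; it is a Conditional Access policy requiring a compliant device that actually stops an unpatched or jailbroken device from reaching Exchange or SharePoint, so pair the two. Start with a notification action or a short grace period if you are unsure how many devices will fail the build floor on day one.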
Do you need any kind of special licensing to use Office 365 Secure Score?
Or is it sufficient to have O365 admin roles granted to use the full functions of the tool?
You should not need special licensing to see it. In order to view it, I would imagine that you need to be a Global Admin.
Can I get some information about the minimum license per point?
Because your blog is the best information I got online about this topic.
I can’t find anything in the official documentation from Microsoft.
As far as I know there’s no real correlation between licensing and points. About the only thing would be if you needed to enable a feature that requires an additional license.