Microsoft Security Defaults - A Step in the Right Direction, but Customers Should Do More
Apr 21, 2020
We understand that managing security for Office 365 can be difficult and complex. As identity-related attacks against authentication such as password spray, credential replay, phishing and malware-based credential theft continue to increase in today's uncertain world, it is imperative that we understand Microsoft's "Security Defaults".
In this blog we will discuss Security Defaults in Azure Active Directory (Azure AD) and how they make it easier to secure your overall environment. Microsoft is making Security Defaults available to everyone, so this is a very important topic. We will also discuss some of the legacy features that are being deprecated and why this should matter to you. Lastly, we will cover current security control adoption by industry, and why the new settings are not the end of your Microsoft security journey but a good place to start a long and successful one. So, let's get started.
If you have created a new Office 365 tenant recently, or if you administer an Office 365 environment, you may have noticed a few changes.
First – as you can see in the following screenshots, new tenants are created with ‘Security Defaults’ enabled:
Second, users of Azure Active Directory will see that some baseline conditional access policies have been deprecated and can no longer be used, as presented in the following screenshot:
So – what are ‘Security Defaults’, and why are some legacy features being deprecated now?
Current State of Azure Active Directory Security
On January 9th, Microsoft announced Security Defaults for Azure Active Directory customers.
Since 2012, the Microsoft Identity Protection team has implemented security standards for consumer accounts (personal emails, Xbox accounts, Skype, etc.). This included requirements for multi-factor authentication, enforcing access challenges when abnormal activity was identified, and forcing password resets when customer information was identified in breach data.
Microsoft has observed significant security benefits from these changes – the ability to challenge users when risk was identified led to a 6x decrease in compromise rate. Even as users increase, there are fewer compromised Microsoft accounts than ever before.
In 2014, Microsoft started making these technologies available to Azure Active Directory (AAD) organizational customers. These controls really work – Microsoft telemetry indicates that more than 99.9% of organizational account compromises could be stopped simply by using MFA and disabling legacy authentication. Last year Google research likewise found that simply adding a recovery phone number to an account (so that a device-based challenge can be issued when suspicious activity is identified) blocked up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks observed during their investigation (https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html).
Unfortunately, while the tools are in place for customers to stop these attacks, actual adoption of these capabilities remains very low. Despite significant efforts, Microsoft's most optimistic measurement of MFA usage shows that only about 9% of organizational users ever see an MFA claim.
At SecureSky, we unfortunately observe the same conditions that Microsoft does. Example average Secure Scores for several client verticals are presented below – flatlines, no improvement over the life of the environment.
[Charts: CSP/MSP Secure Score average; Manufacturing Secure Score average; Healthcare Secure Score average]
Microsoft needed to take a different tack – to protect organizational accounts just like they do with consumer accounts. Security Defaults provide secure default settings that Microsoft manages on behalf of organizations to keep customers safe until they are ready to manage their own identity security.
What are Security Defaults? To begin, Microsoft is doing the following:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Blocking legacy authentication protocols (for example the basic authentication used by older IMAP, POP, SMTP and Exchange ActiveSync clients), which cannot perform MFA and are therefore the path of least resistance for password spray attacks.
These controls are intended for organizations that are not configuring their own security. If you have already configured security settings in your own environment, Microsoft is not going to jump in and change them: Security Defaults and Conditional Access are mutually exclusive, so tenants that are already using Conditional Access will not see Security Defaults implemented and must implement the equivalent controls (MFA for all users and blocking legacy authentication) in their own policies.
A Great Step Forward
SecureSky is happy to see Microsoft enforcing Multi-factor Authentication as part of Security Defaults. It is a critical control for securing Office 365 environments.
The big question is whether companies will respond to Microsoft's nudge and securely configure their O365 and Azure environments; hopefully history is not an indicator.
However, Multi-factor Authentication is not a silver bullet. With wider adoption of MFA, we anticipate seeing more attack techniques designed to circumvent it. MFA protects against password guessing and brute-force attacks and against credential disclosure via data breaches. However, it is critical to remember that any authentication factor that relies on something the user knows and types in (including a one-time code) can be phished. Attacks against MFA include:
Man-in-the-middle frameworks – A number of open source projects exist to help attackers build reverse-proxy infrastructure that sits between a victim and an MFA-protected website, so that the attacker can capture the credentials, one-time codes and session cookies as the victim enters them and take over the authenticated session. A screenshot of the GitHub repository for a popular framework is presented in the following screenshot:
Other MFA attack approaches include:
- SMS phishing attacks – Social engineering of users into disclosing SMS one-time codes
- SIM swap attacks – Social engineering of the mobile provider to move the victim's phone number to an attacker-controlled SIM
- Compromised endpoint attacks – An attacker on the user's device can steal session cookies or tokens after MFA has already been satisfied and start a second session
- Login recovery attacks – Account recovery flows can bypass MFA to regain access and potentially change user settings
Attacks that use these techniques are often highly targeted. For example, a SIM swap attack was used in 2019 to take over Twitter CEO Jack Dorsey's Twitter account, which the attackers then posted to via SMS.
Going beyond MFA
While Security Defaults are a great first step by Microsoft, organizations must take it upon themselves to extend the security controls implemented in their cloud environments.
- Organizations must properly configure and harden their entire O365 environment. Recommendations of key settings to implement in an Office 365 environment are presented in the following SecureSky blog posts. Additionally, we recommend that organizations evaluate the comprehensive controls provided in the Center for Internet Security Microsoft 365 Foundations Benchmark, to which SecureSky contributes.
- Organizations must also enable effective detection capabilities in O365, and monitor and analyze detected threat events in a timely manner.
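As an added example (not code from the original post, from SecureSky or from Microsoft) of both the legacy-authentication control described earlier and the detection recommendation just above, the script below triages an Azure AD sign-in log export before a tenant turns on Security Defaults or an equivalent Conditional Access policy. It assumes the field names of the Azure AD sign-in log export and the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, authenticationRequirement, ipAddress, status.errorCode), treats any client app other than "Browser" and "Mobile Apps and Desktop clients" as legacy authentication (the same categorisation the portal's Client App filter uses), and uses error code 50126 as "invalid username or password". The sample export and the password-spray threshold of three distinct users per source IP are constructed for illustration.

```python
"""
Sign-in log triage for a tenant considering Security Defaults.

Answers three practical questions from one sign-in export:
  1. which users still sign in over legacy protocols (those sign-ins stop
     working once legacy authentication is blocked),
  2. which users never completed an MFA sign-in in the export window,
  3. which source IPs look like password spray over legacy protocols.

Assumptions (not from the original post): field names follow the Azure AD
sign-in export / Graph signIn resource; error code 0 is success and 50126 is
"invalid username or password"; the spray threshold is a heuristic.
"""
import json
from collections import defaultdict

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
INVALID_CREDENTIALS = 50126          # AADSTS50126: invalid username or password
SPRAY_MIN_DISTINCT_USERS = 3         # heuristic threshold (assumption)

# Constructed sample export, not real tenant data. A real export is a JSON
# array of objects with the same keys.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.21", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 0}},
] + [
    # One external address trying a password against several accounts over IMAP:
    # the classic password spray that blocking legacy authentication shuts down.
    {"userPrincipalName": u, "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "203.0.113.10", "status": {"errorCode": INVALID_CREDENTIALS}}
    for u in ("bob@contoso.example", "carol@contoso.example",
              "dave@contoso.example", "erin@contoso.example")
])


def load_export(text):
    """Parse a sign-in export (JSON array) into a list of records."""
    return json.loads(text)


def is_legacy_auth(signin):
    """True when the client app is not one of the modern, MFA-capable types."""
    return signin.get("clientAppUsed") not in MODERN_CLIENTS


def triage(signins):
    """Summarise legacy-auth use, MFA coverage and spray sources."""
    legacy_by_user = defaultdict(set)     # user -> legacy protocols used
    spray_candidates = defaultdict(set)   # source ip -> users it failed against
    active_users, mfa_users = set(), set()

    for s in signins:
        user = s["userPrincipalName"]
        error = s.get("status", {}).get("errorCode", 0)
        legacy = is_legacy_auth(s)

        if error == 0:
            active_users.add(user)
            if legacy:
                legacy_by_user[user].add(s["clientAppUsed"])
            if s.get("authenticationRequirement") == "multiFactorAuthentication":
                mfa_users.add(user)
        elif legacy and error == INVALID_CREDENTIALS:
            spray_candidates[s["ipAddress"]].add(user)

    return {
        "legacy_auth_by_user": {u: sorted(p) for u, p in legacy_by_user.items()},
        "users_without_mfa": sorted(active_users - mfa_users),
        "spray_sources": {ip: sorted(users) for ip, users in spray_candidates.items()
                          if len(users) >= SPRAY_MIN_DISTINCT_USERS},
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_export(SAMPLE_EXPORT)), indent=2))
```

The first list tells you who will break (and needs a modern client or an app password exception) when legacy authentication is blocked; the second is the MFA registration campaign list; the third is what you should already be alerting on, and is exactly the traffic that disappears once the legacy protocols are closed.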
As always, if you have more questions about Microsoft Security Defaults, please feel free to reach out to us at any time. firstname.lastname@example.org