
Implementing Foundational Security Controls for Every Office 365 Environment

Posted by Brian Greidanus on Aug 4, 2020

In our previous post, we provided an overview of each of the 12 Foundational Security Controls that should be implemented for every Office 365 environment to deter business email compromise (BEC), account takeover (ATO) attacks, and unauthorized data access.

Please note Microsoft continues to evolve their platform and these recommendations are current as of this posting.

In this post, we will walk through recommendations for implementing each of the controls.

Cyber Kill Chain® developed by Lockheed Martin 

1. Implement Multi-Factor Authentication (MFA) for Privileged Roles – the best way to protect against account compromise is to enforce multi-factor authentication, at a minimum for every account that holds an administrative role and ideally for all users in your environment.

There are multiple valid approaches to implementing MFA, including per-user configuration enforcement, conditional access policies, and third-party integrated products such as Okta or Duo. The recommendation here covers per-user configuration enforcement. To review current MFA settings, log in to the environment and then access the following URL:

URL to Access MFA Settings

https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365

From this page, MFA status for all users in the environment can be viewed and modified.

Configure MFA Settings

 

2. Limit Number of Global Administrator Accounts – Global administrators should be kept to a minimum to limit the number of accounts with superuser privileges. SecureSky recommends reviewing accounts with global administrator privileges and identifying those that can be given less privileged role assignments while still being able to perform their necessary functions. Microsoft's guidance is to keep the number small: fewer than five, but at least two, so that the loss of a single account does not lock you out of the tenant.

To confirm the number of global administrators in your environment, authenticate to your M365/Azure environment, and then browse to the following URL:

URL to Access Role Assignment for Global Administrator Account

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators
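The two checks above (who holds Global Administrator, and whether each of those accounts has MFA enforced) can be pulled in one pass. The following script is an added example, not code from the original post; it uses the legacy MSOnline module because that is what backs the per-user MFA page linked in control 1, and it assumes Connect-MsolService has been run as an account that can read roles and users. The threshold variable is an assumption that mirrors Microsoft's "fewer than five" guidance.

```powershell
# Added example: list Global Administrators and report each one's per-user MFA state.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
Import-Module MSOnline
Connect-MsolService

# Assumed threshold, following Microsoft's "fewer than five" guidance.
$MaxGlobalAdmins = 5

# In MSOnline the Global Administrator role still carries its old name.
$role    = Get-MsolRole -RoleName 'Company Administrator'
$members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)

$report = foreach ($m in $members) {
    # Service principals can hold the role too; only user accounts have per-user MFA state.
    if ($m.RoleMemberType -ne 'User') {
        [pscustomobject]@{ Member = $m.DisplayName; Type = $m.RoleMemberType; MfaState = 'n/a' }
        continue
    }
    $u   = Get-MsolUser -UserPrincipalName $m.EmailAddress
    $req = $u.StrongAuthenticationRequirements
    # Per-user MFA shows as "Enforced" or "Enabled"; an empty collection means it is off.
    # An MFA requirement imposed by Conditional Access is NOT visible here.
    $state = if ($req -and $req.Count -gt 0) { $req[0].State } else { 'Disabled' }
    [pscustomobject]@{ Member = $u.UserPrincipalName; Type = 'User'; MfaState = $state }
}

$report | Sort-Object MfaState | Format-Table -AutoSize

if ($members.Count -gt $MaxGlobalAdmins) {
    Write-Warning ("{0} Global Administrators found; review which can be moved to a lesser role." -f $members.Count)
}
$report |
    Where-Object { $_.Type -eq 'User' -and $_.MfaState -ne 'Enforced' } |
    ForEach-Object { Write-Warning ("Global Administrator without enforced MFA: {0}" -f $_.Member) }
```

"Enabled" (as opposed to "Enforced") means the user has been told to register but can still sign in with a password alone until they do, so the script treats anything other than "Enforced" as a finding. If you rely on Conditional Access rather than per-user MFA, check the policy assignments for the admin roles instead.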

3. Limit User Privileges – By default, all users can invite guests, guests can invite guests, and guest invites can be sent to any domain. Unmanaged guest creation multiplies the chances an attacker can remain a persistent threat in your environment. SecureSky recommends configuring the policy so that:

  • Only Admins and Users in the “Guest Inviter” role can invite guests
  • “Guest” user permissions are limited
  • “Members” and “Guests” cannot invite guests
  • If possible, enable “Collaboration Restrictions” which permits invitations only to authorized domains

To confirm Guest user privileges in your environment, authenticate to your M365/Azure environment, browse to the following URL, and select “Manage external collaboration settings:"

URL to Access Guest User Settings

https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/UserSettings

These settings are presented in the following screen shot:

 

4. Restrict 3rd Party Application Integrations - By default, all users can register applications that can access organizational data. Attackers can create malicious applications and trick users into registering them or consenting to them. SecureSky recommends that administrators control which applications may be registered. Note that restricting registration does not by itself stop users from consenting to an application registered in another tenant; the user consent setting under “Enterprise applications” is a separate control and should be reviewed alongside this one.

URL to Access User Application Registration Permissions

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings

Azure Active Directory - User Settings
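The guest-invite settings in control 3 and the user application-registration setting in control 4 are both stored in the tenant's Azure AD authorization policy, so they can be audited and fixed together. The following script is an added example, not code from the original post. It uses the Microsoft Graph PowerShell SDK and assumes Connect-MgGraph is run by an administrator who can consent to the Policy.ReadWrite.Authorization scope. The guest role IDs are the built-in values documented by Microsoft; verify them against current documentation before relying on them.

```powershell
# Added example: audit and tighten the Azure AD authorization policy
# (guest invitations, guest permissions, user app registration).
# Assumes the Microsoft Graph PowerShell SDK is installed.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

$Uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# Built-in guest role IDs as documented by Microsoft (verify against current docs).
$GuestRoles = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest has same access as members (weakest)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited guest (tenant default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted guest (recommended)'
}

function Get-TenantCollabSettings {
    $p = Invoke-MgGraphRequest -Method GET -Uri $Uri
    [pscustomobject]@{
        # everyone | adminsGuestInvitersAndAllMembers | adminsAndGuestInviters | none
        AllowInvitesFrom     = $p.allowInvitesFrom
        GuestUserRole        = $GuestRoles[$p.guestUserRoleId]
        UsersCanRegisterApps = $p.defaultUserRolePermissions.allowedToCreateApps
        # Empty means users cannot consent to third-party apps on their own.
        UserConsentPolicies  = ($p.permissionGrantPolicyIdsAssignedToDefaultUserRole -join ', ')
    }
}

'Before:'; Get-TenantCollabSettings | Format-List

# Control 3: only admins and Guest Inviters may invite, and guests get the restricted role.
# Control 4: ordinary users can no longer register applications.
# The allowed/blocked domain list ("Collaboration Restrictions") is a separate setting
# and is not part of this policy object.
$body = @{
    allowInvitesFrom           = 'adminsAndGuestInviters'
    guestUserRoleId            = '2af84b1e-32c8-42b7-82bc-daa82404023b'
    defaultUserRolePermissions = @{ allowedToCreateApps = $false }
}
Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $body -ContentType 'application/json'

'After:'; Get-TenantCollabSettings | Format-List
```

Run the read-only function first and record the output; the PATCH is tenant-wide and takes effect immediately, so coordinate with whoever onboards guests before switching invitations to admins and Guest Inviters only.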

 

5. Outlook Add-in Permissions – Outlook add-ins are programs that run within Outlook to perform actions that Outlook does not provide. By default, users can install add-ins in their Outlook client, allowing the add-ins to access emails and the data contained within them. SecureSky recommends controlling which add-ins are permitted and removing a user’s ability to install them by modifying the “Default Role Assignment Policy.” Administrators can select and deploy add-ins for users as required.

To confirm Outlook Add-in privileges in your environment, authenticate to your M365/Azure environment, browse to the following URL:

URL to Access Outlook Add-in Permissions

https://outlook.office.com/ecp/

From here, select “Permissions”, then “User Roles”, then select “Edit” to review the Default Role Assignment Policy. To prevent users from installing Outlook add-ins, remove the following roles: “My Custom Apps”, “My Marketplace Apps”, “My ReadWriteMailbox Apps.”

A screen shot of Outlook Add-in Permissions in a Default Role Assignment Policy is presented below:

Default Role Assignment Policy
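The same change can be made, and verified across every role assignment policy in the tenant, from Exchange Online PowerShell. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has been run as an Exchange administrator.

```powershell
# Added example: remove the self-service add-in roles from the Default Role Assignment Policy
# and confirm no other policy still grants them.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PolicyName = 'Default Role Assignment Policy'
$AddInRoles = 'My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps'

# Audit: which add-in roles does the default policy currently grant?
$assignments = Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    Where-Object { "$($_.Role)" -in $AddInRoles }
$assignments | Select-Object Name, Role, RoleAssigneeName | Format-Table -AutoSize

# Remediate: drop them so users can no longer install add-ins themselves.
# Add-ins deployed by administrators (centralized deployment) are unaffected.
foreach ($a in $assignments) {
    Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false
}

# Verify across every role assignment policy, not just the default one.
Get-RoleAssignmentPolicy | ForEach-Object {
    $p = $_
    $granted = Get-ManagementRoleAssignment -RoleAssignee $p.Name |
        Where-Object { "$($_.Role)" -in $AddInRoles }
    [pscustomobject]@{
        Policy            = $p.Name
        IsDefault         = $p.IsDefault
        AddInRolesGranted = (@($granted | ForEach-Object { "$($_.Role)" }) -join ', ')
    }
} | Format-Table -AutoSize
```

The verification loop matters because a mailbox can be assigned a non-default policy; removing the roles from the default policy alone leaves those users able to install add-ins.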

 

6. Add-in Permissions (Word, Excel, PowerPoint) - Office add-ins are programs that run within Microsoft applications (Word, Excel, and PowerPoint) and perform actions that these applications do not provide. By default, users can install add-ins in their Word, Excel, and PowerPoint applications, allowing the add-ins to access the data contained within Word, Excel, and PowerPoint. SecureSky recommends controlling which add-ins are permitted and removing a user’s ability to install them by removing their ability to access the Office Store and preventing them from installing trial applications and services in the Microsoft Admin Portal.

To confirm Word, Excel, and PowerPoint Add-in privileges in your environment, authenticate to your M365/Azure environment, browse to the following URL:

URL to Access Word, Excel, PowerPoint Add-in Permissions

https://admin.microsoft.com/AdminPortal/Home#/Settings/Services/:/Settings/L1/Store

This URL is presented in the following screen shot. Select “User owned apps and services” and disable both "Let users access the Office Store" and "Let users install trial apps and services:"

Add-in Permissions for Word, Excel, PowerPoint

 

7. SharePoint Legacy Authentication - Legacy authentication in SharePoint uses only a username and password for client access, effectively bypassing modern authentication mechanisms such as MFA. SecureSky recommends disabling legacy authentication in SharePoint so that client access requests must use modern authentication. Inventory clients first: older Office releases and third-party tools that still rely on legacy authentication will stop working once it is disabled.

To confirm whether legacy authentication is still permitted for SharePoint Online, authenticate to your M365/Azure environment and browse to the following URL (the tenant name in the URL, secureskycom, is the author's; substitute your own):

URL to Access SharePoint Online Access Control Settings

https://secureskycom-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/accessControl
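The same setting is exposed as LegacyAuthProtocolsEnabled on the tenant object in the SharePoint Online Management Shell. The following is an added example, not code from the original post; the admin URL is a placeholder to be replaced with your own tenant's, and the script assumes the Microsoft.Online.SharePoint.PowerShell module is installed.

```powershell
# Added example: check and disable legacy authentication for SharePoint Online.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://<tenant>-admin.sharepoint.com'   # placeholder: your tenant admin URL
Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant
if ($tenant.LegacyAuthProtocolsEnabled) {
    Write-Warning 'Legacy (username/password only) authentication to SharePoint Online is enabled.'
    # Inventory dependent clients before flipping this; they will be blocked afterwards.
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
} else {
    'Legacy authentication is already disabled.'
}

# Re-read the tenant object to confirm the change took effect.
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled
```

This switch only governs SharePoint Online and OneDrive; blocking legacy authentication for Exchange Online and the rest of the tenant is covered in the note on Basic Authentication that follows.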

 

A note on Basic & Modern Authentication for Exchange Online: Last year, Microsoft announced it would fully decommission Basic Authentication on October 13th, 2020. In its April 2020 update, however, Microsoft deferred that date to the second half of 2021 in response to COVID-19. Microsoft will continue to disable Basic Authentication by default for newly created tenants and, starting October 2020, in existing tenants that have no recorded usage. Because disabling Basic Authentication affects several authentication paths at once (POP, IMAP, SMTP AUTH, Exchange ActiveSync, Exchange Web Services, Remote PowerShell, and older Outlook clients), SecureSky recommends first identifying where Basic Authentication is still being used (the Azure AD sign-in logs, filtered by client app, show this), then establishing a plan for transitioning those clients and disabling it to close this attack vector. Update URL: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508
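Microsoft's supported mechanism for turning Basic Authentication off ahead of its own schedule is an Exchange Online authentication policy. The following script is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and Connect-ExchangeOnline, and the policy name and pilot user addresses are constructed placeholders.

```powershell
# Added example: see which mailboxes could still use Basic Auth protocols, then block
# Basic Authentication with an authentication policy, piloting on a few users first.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Mailboxes with legacy protocols still switched on. (Azure AD sign-in logs remain the
#    authoritative source for which clients actually authenticate this way.)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize
# Note: a blank SmtpClientAuthenticationDisabled means the mailbox inherits the org-wide setting.

# 2. A new authentication policy blocks every Basic Auth protocol by default
#    (all AllowBasicAuth* switches are off), so no extra parameters are needed.
$PolicyName = 'Block Basic Auth'   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 3. Pilot: assign the policy to specific users and force their tokens to refresh now,
#    instead of waiting for the normal propagation delay.
$PilotUsers = 'alice@example.com', 'bob@example.com'   # constructed placeholders
foreach ($u in $PilotUsers) {
    Set-User -Identity $u -AuthenticationPolicy $PolicyName
    Set-User -Identity $u -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# 4. Once the pilot is clean, make the policy the tenant default.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Exceptions (e.g. a scanner that can only do SMTP AUTH) get their own policy created with
# -AllowBasicAuthSmtp and assigned with Set-User, rather than weakening the default.
```

Step 3 is what makes this safe to roll out: a user who loses a legacy client during the pilot can be moved back off the policy with Set-User -AuthenticationPolicy $null while the client is migrated.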

8. Disallow Forwards Outside of Organization - It is common for attackers to set up mail forwarding rules to auto-forward messages to an external mailbox, as presented in the following screenshot:

Forwarding Enabled in User Account in Office 365

The intent of this forwarding is to ensure that the attacker can see and archive inbound emails to compromised accounts, including any potential responses to phishing emails the attacker sends. Because of this risk, users should not be permitted to create auto-forwarding rules to inboxes that are not located within the organization.

The best approach to limit auto-forwarding in an environment can be dependent upon organizational need. To learn more about approaches to limit e-mail forwarding in your environment, please refer to the SecureSky blog here.
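Whichever approach you settle on for blocking forwarding, you first need to know what is already there, because an attacker's rule may predate the control. The following script is an added example, not code from the original post and not the approach in the SecureSky post referenced above. It assumes the ExchangeOnlineManagement module and Connect-ExchangeOnline; the "external" test treats anything outside the tenant's accepted domains as external.

```powershell
# Added example: hunt for external auto-forwarding at the mailbox and inbox-rule level,
# then close the door at the tenant level.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Accepted domains are "internal"; any other destination domain is external.
$internal = (Get-AcceptedDomain).DomainName

function Test-External([string]$addr) {
    # Inbox-rule targets look like '"Name" [SMTP:user@domain]' or 'user@domain';
    # mailbox ForwardingSmtpAddress looks like 'smtp:user@domain'.
    if ($addr -match '[^\s\[\]:<>"]+@([^\s\[\]:<>"]+)') {
        return ($internal -notcontains $Matches[1])
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

$findings = foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (set via OWA options, the admin center, or Set-Mailbox).
    #    ForwardingAddress (an internal recipient object) is not checked here; a mail
    #    contact pointing outside the organization would still need review.
    if ($mbx.ForwardingSmtpAddress -and (Test-External "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'; Target = "$($mbx.ForwardingSmtpAddress)" }
    }
    # 2. Inbox rules that forward or redirect (the technique shown in the screenshot above).
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-External "$t")) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = "InboxRule: $($rule.Name)"; Target = "$t" }
            }
        }
    }
}

$findings | Format-Table -AutoSize

# 3. Tenant-wide block: stop automatic forwarding to all external (remote) domains.
#    This covers both mailbox forwarding and inbox-rule forwarding to the Default remote domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Each finding should be treated as a potential compromise indicator, not just a policy violation: check the affected mailbox's sign-in history and audit log before removing the rule, so the evidence is preserved.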

9. Email Flow Phishing Customizations – Mail flow policies should be enforced to protect end-users from suspicious emails indicating possible phishing attempts and can be customized for different environments. The following rules should be considered for implementation in Office 365 environments:
  • Implement a mail flow rule that provides a notification to users when messages are received from outside the company, enhancing user awareness for messages that are internal vs. external.
  • Where feasible, implement a rule that notifies the email recipient of the use of key words associated with phishing and Business E-mail Compromise attacks. For instance, user warnings can be prepended to emails with attachments with filenames that include keywords “remittance,” “invoice,” “bill,” or “payroll” to ensure that the recipient is aware that these messages could potentially be phishing attacks.
  • Where feasible, implement a rule that notifies the email recipient of the use of URL shorteners, which are used frequently in phishing attacks. For instance, user warnings can be prepended to emails that include URL shorteners, including “bit.ly,” “goo.gl,” and “tinyurl.com” to ensure that the recipient is aware that these messages could potentially be phishing attacks.

To review e-mail flow policy settings, access the following URL, then select “Mail Flow” and “Rules”:

URL to Access E-mail Flow Customization Settings

https://outlook.office.com/ecp/

E-mail Flow Customization Settings
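The three rules listed above can be created in Exchange Online PowerShell with New-TransportRule. The following is an added example, not code from the original post; it assumes Connect-ExchangeOnline has been run, and the keyword and URL-shortener lists are constructed starting points to tune for your environment.

```powershell
# Added example: the three mail flow rules described above.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Shared warning style; ApplyHtmlDisclaimerFallbackAction Wrap handles messages that
# cannot be modified in place (e.g. signed or encrypted mail).
$Style = 'style="color:#a00;font-weight:bold"'

# 1. Tag every message from outside the organization so users can tell internal from external.
New-TransportRule -Name 'External sender tag' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p $Style>CAUTION: This email originated outside the organization. Do not click links or open attachments unless you recognize the sender.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Warn when an external message carries an attachment whose name matches a BEC lure.
$LureWords = 'remittance', 'invoice', 'bill', 'payroll'   # constructed list
New-TransportRule -Name 'Warn: financial keyword in attachment name' `
    -FromScope NotInOrganization `
    -AttachmentNameMatchesPatterns $LureWords `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p $Style>WARNING: External message with a financial-sounding attachment. Verify any payment instructions by phone before acting on them.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 3. Warn when the subject or body contains a URL shortener.
$Shorteners = 'bit\.ly', 'goo\.gl', 'tinyurl\.com'   # constructed list; patterns are regexes
New-TransportRule -Name 'Warn: URL shortener' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $Shorteners `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p $Style>WARNING: This message contains a shortened link whose real destination is hidden.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Review the resulting rule set and its evaluation order.
Get-TransportRule | Select-Object Priority, Name, State | Sort-Object Priority | Format-Table -AutoSize
```

Create the rules in test mode first (New-TransportRule accepts -Mode Audit) and check the message trace for false positives; an invoice-heavy finance team will otherwise see the banner on most of its legitimate mail and learn to ignore it.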

 

10. Anti-Malware Policy Customization - The anti-malware policy can be customized to align with the current and unique threats to the environment. SecureSky recommends configuring the policy to:

  • Notify admins when internal users send malware
  • Not bypass malware scanning of inbound or outbound messages (the bypass options exist only for on-premises Exchange)
  • Delete malicious messages rather than deliver them with the attachment removed
  • Block specific file types commonly used to deliver malware
  • Enable Zero-hour auto purge (ZAP), which removes messages from mailboxes when they are classified as malicious after delivery

To review anti-malware policy settings, access the following URL:

URL to Access Anti-Malware Settings

https://protection.office.com/antimalware

Click the policy you want to edit, then select the “settings” option. The anti-malware settings are presented in the following screen shot:

Access Anti-Malware Settings
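The same settings can be audited and applied with the MalwareFilterPolicy cmdlets. The following is an added example, not code from the original post; it assumes Connect-ExchangeOnline, the notification address is a placeholder, and the file-type list is a constructed starting point. The message action (delete versus strip attachment) is an on-premises setting; Exchange Online quarantines malware-detected messages, so it is not set here.

```powershell
# Added example: inspect the default anti-malware policy and apply the recommended settings.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AdminAlertAddress = 'secops@example.com'   # placeholder

# Audit the current state of every policy in the tenant.
Get-MalwareFilterPolicy |
    Select-Object Identity, IsDefault, EnableFileFilter, ZapEnabled,
        EnableInternalSenderAdminNotifications, InternalSenderAdminAddress,
        @{ n = 'FileTypeCount'; e = { @($_.FileTypes).Count } } |
    Format-List

# Executable and script types commonly abused in phishing; extend for your environment.
$BlockedTypes = 'ace', 'ani', 'app', 'exe', 'jar', 'reg', 'scr', 'vbe', 'vbs', 'js', 'jse',
                'ps1', 'wsf', 'wsh', 'hta', 'lnk', 'iso', 'img'

Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true -FileTypes $BlockedTypes `
    -ZapEnabled $true `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $AdminAlertAddress

# Verify.
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, ZapEnabled, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, FileTypes
```

Note that -FileTypes replaces the whole list rather than appending to it, so include any types you already block when you run it.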

 

11. Mailbox Auditing - Mailbox auditing records the actions that administrators, delegates, and mailbox owners perform in a mailbox, along with related mailbox telemetry. Since January 2019, Microsoft has turned mailbox audit logging on by default for all organizations, so the default set of owner, delegate, and admin actions is logged automatically and the corresponding records are available when you search the mailbox audit log. Before that change, auditing had to be enabled manually for every user mailbox. User, shared, and Microsoft 365 Group mailboxes are covered by this default; resource mailboxes, public folder mailboxes, and the discovery search mailbox are not and must be enabled manually. Also check for mailboxes with AuditBypassEnabled set, which are excluded from logging regardless of the default.

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide

The following PowerShell can be utilized to ensure that mailbox auditing is enabled: 

Mailbox Auditing PowerShell 

Verify mailbox auditing is on by default (User, Shared, and Microsoft 365 Group mailboxes); AuditDisabled should report False:

Get-OrganizationConfig | Format-List AuditDisabled 

Identify mailboxes not covered by the default mailbox auditing:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $false} 

Remediate mailboxes identified in the above step:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $false} | ForEach-Object {Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true}

 

12. Office 365 Security Monitoring – Establishing an effective security event detection and response process is a core element of information security programs. SecureSky recommends creating custom alert policies that trigger on suspicious behavior and responding to alerts in a timely manner. Effective Office 365 Security Monitoring requires development and maintenance of an organizational process to escalate, analyze, and respond to alerts generated by Office 365 (outsourcing this process to a security service provider is another alternative).

Some characteristics to look for to confirm that effective Office 365 Security Monitoring is in place in an environment include:

  • Configure Alert Notifications - Ensure that alerts are configured to be e-mailed to all appropriate parties. To ensure alerts are configured to be escalated properly, access the following URL:

URL to Access Alert Configuration

https://protection.office.com/alertpolicies

From here, select an alert, and confirm that e-mail recipients are properly configured, as presented in the following screen shot:

E-mail Alert Recipient Configuration

  • Investigate Alerts - Ensure that actions are being taken in response to alert notifications. To do this, review alerts that have triggered in the environment, and ensure that they are being properly investigated, addressed, and closed.
To review current alerts in the environment, access the following URL:

URL to Access Current Alerts

https://protection.office.com/viewalerts

Current Alerts

  • Customize Alerts – Organizations that effectively monitor their environment tune Microsoft's default alert policies and develop their own to detect potentially malicious activity. To review the alert policies configured in the environment, access the following URL:

URL to View Alert Policies

https://protection.office.com/alertpolicies
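Alert policies are only as good as what they cover, so a monitoring process should also include a recurring hunt over the Unified Audit Log for the mailbox changes attackers make to persist (forwarding, redirect and delete rules, permission grants). The following script is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module with both Connect-ExchangeOnline (for Search-UnifiedAuditLog) and Connect-IPPSSession (for the alert-policy cmdlets). The lookback window and the list of operations are assumptions to adjust for your environment.

```powershell
# Added example: review alert-policy recipients, then hunt the last 24 hours of audit records
# for mailbox changes associated with business email compromise.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Connect-IPPSSession

# 1. Which alert policies are enabled, and who is notified? Blank NotifyUser means nobody.
Get-ProtectionAlert |
    Select-Object Name, Severity, Disabled, @{ n = 'NotifyUser'; e = { @($_.NotifyUser) -join ', ' } } |
    Sort-Object Disabled, Severity |
    Format-Table -AutoSize

# 2. Hunt for persistence-style mailbox changes.
$Ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
       'Set-Mailbox', 'Add-MailboxPermission', 'Set-CASMailbox'
$Watch = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress',
         'DeleteMessage', 'AccessRights', 'Name'

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations $Ops -ResultSize 5000

$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Parameters is an array of {Name, Value}; flatten it for easy lookup.
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }

    # Only records that actually touch forwarding, deletion, or permissions are interesting;
    # Set-Mailbox and Set-CASMailbox are noisy otherwise.
    $hit = $Watch | Where-Object { $_ -ne 'Name' -and $params.ContainsKey($_) }
    if ($hit) {
        [pscustomobject]@{
            When      = $r.CreationDate
            Operation = $r.Operations
            Actor     = $r.UserIds
            ClientIP  = $d.ClientIP
            Target    = $d.ObjectId
            Details   = (($Watch | Where-Object { $params.ContainsKey($_) } |
                          ForEach-Object { "$_=$($params[$_])" }) -join '; ')
        }
    }
}

$findings | Sort-Object When | Format-Table -AutoSize -Wrap
```

Search-UnifiedAuditLog returns at most 5000 records per call; in a large tenant, page with -SessionId and -SessionCommand ReturnLargeSet, or narrow the window. A rule created by a user from an unfamiliar ClientIP, or by one user on another user's mailbox, is the pattern that warrants immediate escalation.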

Conclusion

Configuration of these 12 security controls builds a foundation for your organization’s Office 365 security configuration standard. While numerous security controls can be configured (SecureSky Office 365 Security Configuration Assessment checks for over 100 individual configuration settings), we believe these 12 controls, available at all license levels, are essential security controls for every Office 365 environment.

Topics: O365 Security, BEC, business e-mail compromise, Cloud Security, Azure, Microsoft 365, Office 365, Email Administration
