CISA Recommendations for Securing Office 365

On May 13th CISA (Cybersecurity and Infrastructure Security Agency) posted security recommendations for organizations migrating to Microsoft Office 365. Planet Technologies is a leader in Office 365 migrations and recommends and applies these best practices in most migrations. The CISA post can be found here; this blog post goes a bit deeper into each of the recommendations. For more information, please

Enable MFA (Multi-Factor Authentication)

Security experts have said that simply using MFA will prevent 99% of attacks! This applies not just to Office 365 but to any online account that supports MFA. I personally have MFA set up on my work account and on all personal accounts that support it.

Simple, right? Wrong! Rolling MFA out to all users must be well thought out and implemented correctly (with Conditional Access) so that it does not cause user frustration and helpdesk calls. That said, it is highly recommended that MFA be enforced permanently for Office 365 administrators; in fact, this should be done before the migration. This is easily done with AAD (Azure Active Directory), which is required to set up Office 365 in the first place. Moving forward, it is recommended to enable MFA with Conditional Access for all users; again, this is fully supported in AAD.

Enable Unified Audit Logging in the Security and Compliance Center

Microsoft cloud services include several auditing and reporting features you can use to track user and administrative activity within your tenant. Examples include changes made to Exchange Online and SharePoint Online tenant configuration settings, and changes made by users to documents and other items. You can use the audit information and reports available in Microsoft cloud services to manage the user experience more effectively, mitigate risks, and fulfill compliance obligations.

Security & Compliance Centers

The Office 365 Security & Compliance Center, the Microsoft 365 Security Center, and the Microsoft 365 Compliance Center are one-stop portals for protecting data in your organization, and they include many auditing and reporting features. These centers help you meet your data protection and compliance needs and audit user and administrator activity. You can access them using your subscription admin account.

Enable Mailbox Auditing for Each User

As of July 2018, Microsoft has made a welcome change to the default behavior of mailbox auditing within the Microsoft 365 service. All new mailboxes are enabled for auditing upon creation, and existing mailboxes have had auditing enabled since October 2018. In addition, the number and types of events that are audited have been increased. Several key actions can generally be used to correlate bad-actor activity: non-owner access, mail actions that create, update, or delete content in folders, and the addition of delegate access to a mailbox.

With these additional auditing activities now enabled, the events become far more powerful when correlated with other activity, such as sign-in events, forwarding rules, and legacy authentication requests.
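The two sections above describe what to switch on and which mailbox actions to watch, but not how. The following Exchange Online PowerShell script is an added example written for this post (it is not code from the original article or from CISA): it enables unified audit log ingestion, confirms mailbox auditing is on for every user mailbox, and then pulls the signals the text calls out (non-owner access, forwarding rules, and delegate or folder permission changes) from the last seven days. It assumes the ExchangeOnlineManagement module; the admin UPN is a placeholder.

```powershell
# Added example, not from the original post or CISA.
# Requires: ExchangeOnlineManagement module, an account with Exchange admin rights.
$TenantAdmin = 'admin@contoso.onmicrosoft.com'   # placeholder: replace with your admin UPN
Connect-ExchangeOnline -UserPrincipalName $TenantAdmin

# 1. Unified audit log: enable ingestion into the Security & Compliance Center and confirm it
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
"Unified audit ingestion enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# 2. Mailbox auditing: the on-by-default behaviour only applies while this org switch is $false
Set-OrganizationConfig -AuditDisabled $false

# 3. Catch any user mailbox where auditing was explicitly turned off and re-enable it,
#    keeping 90 days of mailbox audit records
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90

# 4. Correlation query: the key actions the post names, over the last 7 days
$end   = Get-Date
$start = $end.AddDays(-7)
$ops   = 'MailItemsAccessed',          # mailbox reads (LogonType tells owner vs admin vs delegate)
         'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox',   # forwarding can be set via any of these
         'Add-MailboxPermission', 'AddFolderPermissions', 'UpdateFolderPermissions'
$fwdParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
             'ForwardingSmtpAddress', 'DeliverToMailboxAndForward'

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json          # AuditData is a JSON string per record
    $fwd = ($d.Parameters | Where-Object { $_.Name -in $fwdParams }).Value -join ';'
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Mailbox   = if ($d.MailboxOwnerUPN) { $d.MailboxOwnerUPN } else { $d.ObjectId }
        LogonType = $d.LogonType                  # 0 = owner, 1 = admin, 2 = delegate (mailbox audit only)
        ClientIP  = $d.ClientIPAddress
        Forward   = $fwd
    }
} | Where-Object {
    # keep: reads by anyone other than the owner, any forwarding target, any permission change
    ($_.Operation -eq 'MailItemsAccessed' -and $_.LogonType -ne 0) -or
    $_.Forward -or
    $_.Operation -like '*Permission*'
} | Sort-Object Time | Format-Table -AutoSize
```

Run the query first in report-only fashion (just look at the table) before wiring it into a scheduled job; the `ClientIPAddress` column is what you join against Azure AD sign-in logs when you follow the correlation advice above.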

Ensure Azure AD Password Sync is Planned for and Configured Correctly, Prior to Migrating Users

Azure Active Directory (Azure AD) provides the underlying identity infrastructure for Microsoft 365 services as well as other cloud apps and SaaS services. Earlier architecture recommendations generally pointed towards using Active Directory Federation Services (ADFS) for on-premises federation and Single Sign-On (SSO). With the advent of Pass-Through Authentication (PTA) and Password Hash Sync (PWHS), the need for dedicated, complex infrastructure to support Azure AD has been lifted.

With PWHS, an organization can use a single Azure AD Connect server to provide seamless single sign-on to the Microsoft 365 platform, to other SaaS apps (such as Salesforce, Concur, or Workday), and to on-premises and in-house developed applications. By relying on this single identity, backed by standards-based authentication and security technology, organizations can better understand sign-in activity, secure the sign-in experience, and provide a better end-user experience.
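The heading says to make sure password sync is configured correctly before users move; the following script is an added pre-migration check written for this post (not code from the original article, CISA, or Microsoft) that runs on the Azure AD Connect server with the ADSync module that ships with it. The two connector names are assumed placeholders; the Azure AD connector is conventionally named "<tenant>.onmicrosoft.com - AAD", but confirm yours in Synchronization Service Manager.

```powershell
# Added example, not from the original post or CISA. Run on the Azure AD Connect server.
Import-Module ADSync

$OnPremConnector = 'contoso.com'                    # placeholder: your on-premises AD connector name
$AadConnector    = 'contoso.onmicrosoft.com - AAD'  # placeholder: your Azure AD connector name

# Fail early if the names are wrong rather than silently configuring nothing
$known = (Get-ADSyncConnector).Name
foreach ($name in $OnPremConnector, $AadConnector) {
    if ($name -notin $known) {
        throw "Connector '$name' not found; known connectors: $($known -join ', ')"
    }
}

# Show the current password hash sync state for the on-premises connector
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector | Format-List

# Enable PWHS from the on-premises connector to the Azure AD connector (safe to re-run)
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector `
    -TargetConnector $AadConnector -Enable $true

# Hashes are only pushed while the sync scheduler is running
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
"Sync cycle enabled: $($sched.SyncCycleEnabled); next cycle (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# Microsoft's built-in end-to-end diagnostic for password hash sync
Invoke-ADSyncDiagnostics -PasswordSync
```

Run the diagnostic again after the first full sync cycle; a healthy result there, plus a successful cloud-only sign-in by a test account, is the evidence that users can be migrated without losing the ability to authenticate.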

Disable Legacy Email Protocols, if Not Required, or Limit Their Use to Specific Users

We’re often asked, “What is the least known and least secured part of Microsoft 365, and how do I remedy it?” The answer is always “legacy authentication.” Legacy authentication is the use of non-modern authentication clients to access the service. It comes in many forms, but most organizations have no need to support it; IMAP, POP, and non-Microsoft mail applications are the usual culprits. Instead, most organizations choose to standardize on current versions of the Office desktop clients and the Outlook mobile application on iOS and Android. These well-known applications support the most modern security and protection for identity and data, including multi-factor authentication (outlined above), Conditional Access (limiting who can access what, and from where), and session control. Conditional Access is also the key to limiting legacy authentication: a policy can block legacy protocols completely, or allow them only for certain users, devices, or networks.
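Both the MFA section and this one come down to Conditional Access policies, so the following script is one added example that serves both (it is not code from the original post or from CISA): it creates a policy requiring MFA for the administrator roles named by display name, a second policy that blocks legacy authentication for everyone except an exception group, and then turns POP and IMAP off on the mailboxes themselves. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; the policy names and the group name `LegacyAuthExceptions` are placeholders. Both policies are created in report-only state so the sign-in log shows their effect before anything is enforced.

```powershell
# Added example, not from the original post or CISA.
# Requires: Microsoft.Graph (Connect-MgGraph, Invoke-MgGraphRequest, Get-MgGroup,
# Get-MgDirectoryRoleTemplate) and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'
$policyUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Resolve the admin roles to protect by display name instead of hard-coding role GUIDs
$adminRoleNames = 'Global Administrator', 'Exchange Administrator', 'Security Administrator'
$adminRoles = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $adminRoleNames }
if ($adminRoles.Count -ne $adminRoleNames.Count) { throw 'Not every admin role template was found' }

# Policy 1: MFA for administrators on every application, permanently.
# 'enabledForReportingButNotEnforced' = report-only; switch to 'enabled' once the log looks right.
$mfaForAdmins = @{
    displayName   = 'CA01 - Require MFA for admin roles'          # placeholder name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = @($adminRoles.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
Invoke-MgGraphRequest -Method POST -Uri $policyUri -Body $mfaForAdmins

# Policy 2: block legacy authentication for all users except a documented exception group.
# clientAppTypes 'other' is how Conditional Access classifies basic-auth clients
# (IMAP, POP, SMTP AUTH, older Office builds); 'exchangeActiveSync' covers EAS.
$exceptionGroupName = 'LegacyAuthExceptions'                        # placeholder group
$exceptionGroup = Get-MgGroup -Filter "displayName eq '$exceptionGroupName'"
if (-not $exceptionGroup) { throw "Group '$exceptionGroupName' not found; create it first (it may be empty)" }

$blockLegacy = @{
    displayName   = 'CA02 - Block legacy authentication'           # placeholder name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($exceptionGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
Invoke-MgGraphRequest -Method POST -Uri $policyUri -Body $blockLegacy

# Defence in depth: disable POP/IMAP on existing mailboxes and on the mailbox plan,
# so a policy gap cannot re-expose them and new mailboxes inherit the setting.
Connect-ExchangeOnline
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
```

Watch the Azure AD sign-in log's report-only results for a week or two: every user who would have been blocked by CA02 is either someone to move to a modern client or a candidate for the exception group, and the exception group should shrink to zero over time rather than becoming the permanent home of legacy clients.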

We hope these 5 important tasks can be implemented in your Microsoft 365 environment to provide a more secure, resilient, and user-friendly experience. As always, Planet can assist with deploying these technologies in your tenant; please contact us if we can be of service. Follow us on Twitter at http://@PlanetCloudStrt