©  Matthew Katzer 2018
Matthew Katzer, Securing Office 365, https://doi.org/10.1007/978-1-4842-4230-8_3

3. Microsoft Secure Score

Matthew Katzer (Hillsboro, OR, USA)

You are the corporate information security officer (CISO), responsible for managing activities in the United States and in the European Union. As part of your role, you are the data protection officer (DPO) under GDPR, and you are also the Compliance Manager under your corporate responsibilities. Your company has made the strategic decision to purchase Office 365 and integrate the on-site Active Directory into Office 365 Azure services. The problem is where to begin. You have spoken with a number of Microsoft partners, and they point to two areas: Azure security services and Microsoft Secure Score. You are worried about phishing attacks and the next generation of worms that are AI based. You are using an older version of antivirus that is signature based. Your security tools are out of date, and you need to look at the problem from a new perspective. What do you do next? The answer is simple: deploy Microsoft Secure Score!

Ninety-five percent of penetration attacks begin with a phishing attack. Bad actors data-mine LinkedIn and other social media sites to find information about a target, using an approach that is no different from what most companies use for marketing programs. The bad actors start to develop a relationship and become trusted. How does a bad actor become trusted? They imitate your friends and contacts through phishing and spoofing attacks and then breach your network.

What is a CISO to do? The simple answer: configure the Security & Compliance Center (see Figure 3-1) to provide early notification and access, and deploy Microsoft Secure Score.

Figure 3-1. Office 365 Security & Compliance Center

There is so much to do. The new EU regulation, the GDPR, requires that you start security training and proactively manage your cloud and on-site resources. Account breaches start with users. As a CISO, your job is to educate workers and put in place the necessary monitoring and analysis tools to keep your enterprise safe. You need to deploy additional security tools, such as multifactor authentication to control credentials and Windows 10 E5 Advanced Threat Protection (see Figure 3-2) to actively manage and protect your company's resources. The new Windows 10 E5 Advanced Threat Protection (WATP) gives you a deep understanding of the scope of the problem. Before, you were worried about how to detect data breaches from emails; now you have the tools to look at data breaches in real time and take proactive steps to block the breaches.

Figure 3-2. Walking through an alert

Security can no longer be an afterthought. Microsoft refers to this constant vigilance as intelligent security. As a CISO, you need to be configuring user identity and access, protecting corporate information, constantly looking at threats (predicting and responding to problems), and managing the overall security. Along with this comes the impact that the latest changes in compliance (such as the GDPR and the CCPA) can have on intelligent security in your business environment (see Figure 3-3).

Figure 3-3. Intelligent security (courtesy of Microsoft)

As I’ve said repeatedly, security is a landscape in flux. As attacks become more vicious, we as custodians for our company information need to change our policies and approaches. Traditionally, IT has been a service and support organization. Because of data threats, support organizations need to change and adopt new policies for audit and security management. One trend that we are seeing is the addition of a security operations center (SOC) to the help desk. Typically, IT services do not include all three branches: the help desk, the network operations center (NOC), and the security operations center (SOC). Today, SOCs enlist predictive tools to spot and analyze trends, and include machine learning, behavior analysis of users, and deep learning.

Deep learning is one of the latest tools added to security suites and involves the analysis of large data sets. It is likened to a neural network resembling the human mind, and is capable of analyzing all sets of data. To be a successful CISO, you need to deploy the tools that will provide the necessary protection and analysis of the threats your company is facing.

Note

Deep learning is used to develop neural networks, which are a key component in next-generation AI tools. Deep learning software is self-learning and is used to drive automobiles, analyze legal cases, and install threat detection/remediation software. If you look at Windows Advanced Threat Protection (part of the Windows 10 E5 solution), you will see an implementation of a neural network or deep learning model.

There is an ongoing war between companies and bad actors. To win, you need to constantly look at new tools and integrated solutions. The best-in-class solutions all offer different tools. Your challenge is finding the necessary tools to win the battle (Figure 3-4).
Figure 3-4. Product-focused solutions (courtesy of Microsoft)

The third step is to analyze the data, draw conclusions, and provide a set of recommendations with a timeframe for implementation. The tools are constantly changing, with more options for configuration and analysis. As compliance becomes more a part of our business activities, we need to deal with the risk of devices, users' access, and identity management. The question that we ask ourselves is how we can configure the environment and set up the necessary components that we require to be successful in our deployment. Where do we start, and how do we proceed?

This is where Microsoft Secure Score and Microsoft Compliance Manager come into play. Microsoft Secure Score gives you a comparison metric based on other businesses your size in the same market (see Figure 3-5). Microsoft Compliance Manager extends Microsoft Secure Score and gives you a grade for how you are doing according to the compliance guidelines in your organization. In addition, Microsoft Secure Score compares how you are doing against other members in the same industry. This way you can accurately compare yourself against other organizations to see if you are doing enough.
Figure 3-5. Microsoft Secure Score

Secure Score is a feature in the Office 365 Security & Compliance Center and is available to all users who have an Office 365 subscription. The purpose of Microsoft Secure Score is to get you headed in the correct direction, with a measurement that can be used to see if you have improved your security posture. The Microsoft Secure Score is designed so you can measure your deployment and then improve upon it.

There is a lot of work required to set up your 365 tenants to be monitored and analyzed under Microsoft Secure Score. Each of the Security Centers has a different function associated with it. After you set up the security scoring, the next step is to configure Mobile Device Management and Mobile Application Management for Office 365 (see Chapter 5). Once you complete the MDM/MAM setup, you have a secure environment. The setup order is important, though. Each Security Center feeds on the previous one to provide you with a 360-degree view of the security process.

The goal of this chapter is to provide you with the tools necessary to manage your Office 365 tenant in a secure way. At the end of this chapter, you will have Secure Score and Compliance Manager configured and set up to record information for your security process. As part of this process, you want to record your security score at the start so you can see the impact of the changes that you make on your Office 365 account. At the time this book was published, the Microsoft Secure Score was composed of two scores: the Office 365 Secure Score and the Windows Secure Score. Let's get started in building out our Microsoft Secure Score and enabling the security implementation tracking.

Note

Before you proceed, you will want to purchase the following Office 365 subscriptions for your account: Microsoft 365 E5 and an Azure $100 CSP subscription. To fully understand the concepts in this book, you must have these subscriptions deployed on your administrator account. You can deploy these subscriptions from your current Microsoft partner. If you are worried about the long-term commitment of Office 365, check out www.kamind.com/csp for the different subscription offerings.

Security & Compliance Center

You are the CISO. Your outsourced Managed IT Department (MID) has provisioned you with the Microsoft 365 E5 subscription and has set up your 365 account with an Azure CSP subscription. You are set up as the contributor of the CSP subscription for your Azure deployment. The first place you should go is the Security & Compliance Center. Log in at https://portal.office.com (see Figure 3-6) and click Security & Compliance.

Figure 3-6. Office 365 admin screen with Security & Compliance link

Note

The IT support industry is changing. There are three types of outsourced IT organizations in the United States: break fix (you call them and they fix things for you), Managed Service Provider (MSP) (companies that provide you with a managed services plan and have a limited scope of work), and Managed IT Department (MID). The vendor that supplies you with MID services becomes the vendor that helps your business move to the next level. The MID organization is your strategic advisor. It is very much as if they were in your office, taking care of the issues and problems associated with the activities of the IT organization.

The Security & Compliance Center is a data aggregation dashboard for all the Office 365 services. The dashboard is highly configurable, based on the user’s desired outlook. The default dashboard will show some key security areas: Data admin, Security admin, Compliance officer, and Security operator. In Figure 3-7, we set the dashboard with information about the GDPR.
Figure 3-7. Security & Compliance Center

At this point you may be wondering why we are scoring our configuration; this has to do with Office 365 security. The Microsoft Secure Score contains baseline configuration data of companies in the same market segment. In essence, we are measuring ourselves against our competitors. The objective is to set up a baseline measurement that we can use to compare our Office 365/Azure tenant implementation to other organizations. As new threats emerge, the security posture changes and our baseline number will change. We can see the impact of changes and take appropriate actions to improve our security posture. This is why Microsoft Secure Score is important to us and our company. A low score means higher risk; a higher score implies lower risk. Our discussion on compliance (later in this chapter) will also look at the Microsoft Compliance Score to see how we are doing in compliance and see areas where we need to improve. The security and compliance scores provide us with meaningful metrics to assist us in managing our business in the Microsoft Intelligent cloud.

The security score is critical to managing our cloud security posture. To access the Microsoft Secure Score, in the “Security admin” area, select Office 365 Secure Score. This will redirect you to the Microsoft Secure Score dashboard (which includes Office 365 Secure Score and Windows Secure Score, see Figure 3-8). We will be looking at both security score settings in this chapter. Keep in mind that the secure score settings are a comparison of the different configurations of Office 365 combined with the threat intelligence from the Microsoft security graph. The score is a weighted value based on the importance of the security control and the impact of the control to various threats. If an Office 365 tenant is attacked by a bad actor and the attack is thwarted by a control setting, then this control setting will have a higher value than a different control.

The security score is a weighted value that compares the configuration of your Office 365 and Windows 10 deployment to that of other companies of the same size in the same market segment. This comparison will give you a security position. If you find you have a low score compared to other Office 365 and Windows 10 users, then you need to seriously look at your configuration and see what changes you need to make. A low score means that you have a higher probability of penetration by a bad actor. On the other hand, a high score means a penetration is less likely.

Figure 3-8. Microsoft Secure Score administration center

Note

The Microsoft Secure Score is only a number that gives you a probability of penetration. This does not mean you should set the number to be the maximum value. On the contrary, you need to look at the controls and determine what makes business sense for your organization. Typically smaller companies will have a lower score and larger companies with a security department will have a higher score. In all cases, you need to continuously monitor the events and take actions as necessary.

Secure Score Overview

Secure Score is composed of two parts: Office 365 Secure Score and the Windows Secure Score from the Windows Security Center (https://securitycenter.windows.com). Before you can start using the Microsoft Secure Score, you will need to deploy Windows Security Center Advanced Threat Protection (part of Windows 10 E5).

Deploying the Windows Security Center

The subscriptions that we have deployed in our test organization are the Microsoft 365 E5 and Azure CSP subscriptions. One of the components in Microsoft 365 E5 is the Advanced Threat Protection upgrade for Windows Defender. This is the next-generation end-client threat protection agent. The agent is linked to the larger Microsoft threat brain (called the threat intelligence graph) and is able to protect against endpoint threats (servers, desktops, and non-Microsoft endpoints). The desktop agents are AI-based and deploy the deep learning methodologies that you find in neural networks.

The Microsoft 365 E5 subscription includes the Windows 10 E5 subscription, which is a digital license upgrade of Windows 10 Pro systems to Windows 10 Enterprise (no code changes are needed to upgrade subscriptions). This upgrade includes the next-generation Advanced Threat Protection. This software is a key threat protection tool that is used to defend the endpoint from attacks and is a crucial tool in defending your network against bad actors. The following steps will configure the Windows Security Center to be used by your Office 365 tenant. The account you are using must be configured with this subscription as a global administrator and cannot be configured with partner-delegated admin rights.

Installing Windows Advanced Threat Protection

The Windows Security Center score is based on the data collected from the Windows 10 desktops and evaluates the desktop configurations. The Windows Security Center (https://securitycenter.windows.com) requires a work account (aka Office 365 account) with global administration access. The Windows Advanced Threat Protection Security Center gives the administrator an integrated view of the Windows desktop and key Office 365 services. Information is presented in the Security Center dashboard. The dashboard status changes all the time, depending on what is happening on the client (see Figure 3-9).

Figure 3-9. Secure Score admin center in https://securitycenter.windows.com

The installation process for Advanced Threat Protection is straightforward, as outlined below.
  1. Make sure your account is provisioned with a Microsoft 365 E5 subscription.
  2. Log in with a global admin account (and not a delegated admin) to Office 365.
  3. Log into https://securitycenter.windows.com and follow the steps outlined next.

The detailed steps to set up Windows 10 ATP are outlined next. There is additional software that you will need to deploy to the desktop to enable Windows analytics and to collect data for Azure security services. The Azure security deployment and the Windows 10 analytics are used to address security issues on clients and the actions of bad actors. We deployed the Azure Security Center (in the previous chapter) first so we could enable the additional security monitoring of the Windows Security Center and the Azure security monitoring services. If you have not configured your Azure security services (described in Chapter 2), please return to that chapter and configure them now.

Note

To access a free trial of Windows Defender Advanced Threat Protection, go to https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp. Before you start the free trial, make sure you are logged into the Office 365 tenant as a global admin. The free trial will be added to your 365 tenant.

Microsoft requests that you log in a second time to verify your account. The other way to use Windows 10 ATP is to use a Microsoft 365 E5 subscription.

Step 1: Log In to securitycenter.windows.com
The first step is to log into Office 365 with the global admin account that is configured with the Microsoft 365 E5 subscription. Open a new tab on your browser and log in to https://securitycenter.windows.com. When you log in, you will need to create your security tenant (see Figure 3-10). The setup process requires that you install the active agents on all Windows 10 systems that have the Windows 10 E5 subscription. Windows 10 Build 1803 or later is required to use the next-generation software. After you log in to the Security Center, you will set up the monitoring agents. Click Next and follow the wizard.

Figure 3-10. Setup Windows Defender Security Center

Step 2: Set Up the Data Repository
You need to select the data repository for either the United States or Europe (Figure 3-11). Additional countries will come online eventually. The repository is subject to local laws, and both repositories are GDPR compliant. 
Figure 3-11. Setting up the data center location preference

Step 3: Set Up Data Retention Preferences
The next screen (Figure 3-12) defines how long data will be maintained in the repository. I recommend that you select 180 days. However, be aware that if you have a system that is in the repository and you decide to rename the system, you will have the old systems and the new system. The repository systems’ names are unique, and the data sets are not merged. Later, I will show you a set of systems in the repository that have the same name. If you are deploying Windows 10 ATP in a new environment, make sure the systems are named correctly before you deploy the agents and the data collection tools.
Figure 3-12. Setting up data retention

Step 4: Set Up the Organization’s Data Size
The next screen (Figure 3-13) sets up the unique characteristics of the organization. Currently, this is the size of the repository.
Figure 3-13. Defining the organization's size

Step 5: Identify the Organization Type
The next screen (Figure 3-14) is used to define the organization type. There are two locations where this information is maintained: in the Windows Security Center and in the Office 365 Security & Compliance Center. This information is crucial for Secure Score operation. The configuration in step 3 allows you to compare how you run your organization against other companies. This allows Microsoft to identify potential threats that target companies in your market segment. Remember, the secure score is not just a reflection of your own configuration. It is also how your Office 365/Azure configuration stacks up against external threats and other organizations.

Figure 3-14. Identifying your organization's market segment

Step 6: Click Preview and Set Up the Cloud Instance
Advance the wizard through the next two steps to set up the preview (click Yes for new features) and to enable the cloud instance. The cloud instance (the data repository, etc.) will take anywhere from 5 to 20 minutes to create, depending on the organization size (Figure 3-15).

Figure 3-15. Creating the cloud instance for Security Center

Step 7: Download the Client Software
The next step is to download the client software endpoint and upgrade Windows Defender to ATP with the next-generation detection software (Figure 3-16). At this point, you have all the components necessary to start collecting information for a Windows secure score. As a reminder, make sure you have already renamed the system to the production name. The Windows Security Center cannot tell if a renamed system is the same system and will not merge data or delete data from a system that does not report status.

Figure 3-16. Installing the desktop agent

Step 8: Download the Client Software for Azure Log Analytics
In Chapter 2, we configured the Azure security services and Log Analytics. At this point, we need to download the Log Analytics agent to install on the Windows 10 desktops. In Chapter 2, you configured the Azure dashboard and already placed the Log analytics workspace on your dashboard. Select the Log Analytics workspace agent (see Figure 3-17).
Figure 3-17. Select the Log Analytics workspace to download and install the data collection agent

After you have selected the Log Analytics workspace in the Azure dashboard, click "Advanced settings" and then select Connected Sources. Then click Windows Servers to access the monitoring agent. Even though you are installing on desktops, the agent for servers and Windows 10 clients is the same (see Figure 3-18).

Figure 3-18. Downloading the data collection agents for Windows connected devices

You can also download the same agent for all Windows and non-Windows devices. Data collection for analyzing threats is key to deploying Office 365. If you do not install the data collection agents, you will not have visibility into the threats against your systems. As an example, you now have the ability to look at systems' configuration and performance and take appropriate actions. One of the new threats that is emerging is crypto-jacking. Crypto-jacking takes over a system and consumes the computer's resources for the attacker's benefit. If your systems have been operating slowly for no apparent reason, deploy the monitoring agents to see what is happening on your systems through the Log Analytics dashboard.

Note

The Log Analytics monitoring agent supports Windows and non-Windows devices. If you have not looked at the connected services, take the time now to examine what needs to be done to connect the rest of your monitoring services to Office 365 and Azure. To manage your cloud-based services, you will need to install the monitoring agents.

After you have downloaded and installed the agent, move on to step 9 and configure the Windows 10 analytics environment with the commercial ID.

Step 9: Configure the Windows 10 Environment
The final step is to configure the data collection agents on the Windows 10 devices. This is the Windows 10 commercial ID. The commercial ID collects information on the Windows 10 device and uploads the data to Log Analytics and Microsoft. The commercial ID is enabled when the “Update compliance” blade is enabled in the Log Analytics portal. If you did not record the commercial ID in Chapter 2, refer to the section “Retrieving the Commercial ID for Windows 10 Devices” later in this chapter. The commercial ID allows you to collect data about your Windows 10 clients for security analysis. Because this data may contain business information, the service is disabled and will need to be enabled by the IT department or your end users. To deploy the commercial ID, you need to add the Intune blade to your Azure portal. The steps to add the Intune portal are listed below.
  1. In the Azure portal (portal.azure.com), select Favorites (the next option located under Create a resource on the left-hand menu).
  2. Scroll down to the Intune service.
  3. Select the Intune service and click on the star so it is yellow. This will add Intune to the favorites on the left-hand menu.
  4. Select Intune (it will be at the bottom of the list, unless already added).
Once you have added the service, select Intune, then Device configuration, then Create profile (see Figure 3-19). Select the plus sign to create a profile. The profile we will create is called Deploy Commercial ID. Before you proceed to the next section, make sure you have the Windows 10 Commercial ID. The process to retrieve the Commercial ID is described later in this chapter in the section called "Retrieving the Commercial ID for Windows 10 Devices." The Commercial ID is where the Windows devices (Windows Server 2016, Windows 10, and later versions) will report the telemetry data collected from the devices. Windows Advanced Threat Protection services use telemetry data to pinpoint threats in your enterprise and to detect lateral security attacks with stolen credentials. Commercial ID telemetry data is crucial for threat prevention and is a key part of an active defense against bad actors.

Figure 3-19. Expanding the Intune blade in Azure to set up the commercial ID deployment

Once you have the Commercial ID, there are three ways to deploy it. You can deploy it with Group Policy, Local Policy, or EMS deployment (version 1803 or later). If you want to configure the Commercial ID data collection on the local systems, see "Deploying the Commercial ID on Windows 10 Devices" later in this chapter. In the following steps, we will configure the Commercial ID deployment via the MDM wizard (MDM is covered in detail in Chapter 5).

The approach we are using here is to deploy the Commercial ID via the MDM/MAM capabilities that are part of the Microsoft 365 E5 license. In the Azure dashboard, select the Intune blade and device configuration. Create a new profile for Windows 10 (see Figure 3-20).
Figure 3-20. Creating the custom deployment for a registry update to a Windows 10 device

Select “Create profile” to create a new profile for deployment. Make sure you have selected Windows 10 and later and Custom profile. Once you have set up this information, you can add the deployment information to Windows 10 (see Figure 3-21).
Figure 3-21. Enabling the Commercial ID via the MDM deployment

The information that you need to add for the row is the following:
  • Name: Windows 10 Systems – Telemetry

  • Description: Enable Commercial ID

  • OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowTelemetry

  • Data Type: Integer

  • Value: 1

The last step is to make sure you have assigned this deployment to a security group for deployment to the Windows 10 devices (see Figure 3-22). Once you have configured any MDM feature, you will need to assign the deployment to the different groups. In our case, we assign this to a test group for deployment (more in Chapter 5 about this configuration).

If you are not ready to deploy MDM and want to test the data collection, refer to the section called “Deploying the Commercial ID on Windows 10 Devices” later in this chapter. This section will walk you through the same steps, but each system will be deployed individually.
Figure 3-22. Assigning the Commercial ID deployment to three different deployment groups
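The same custom profile and group assignment can be created through the Microsoft Graph API instead of clicking through the Intune blade, which is useful when you want the setting to be repeatable across tenants. This is an added example and not code from the book; it assumes $AccessToken holds a Graph token with permission to write device configurations and $TestGroupId is the object ID of your test security group (both placeholders you supply).

```powershell
# Added example (not from the book). Creates the Intune custom profile described
# in the text (name, description, OMA-URI, Integer, value 1) via Microsoft Graph
# and assigns it to one security group, then reads the profile back to confirm.
# Assumptions: the v1.0 deviceConfigurations endpoint and the
# windows10CustomConfiguration / omaSettingInteger types as documented by Microsoft.
param(
    [Parameter(Mandatory)][string]$AccessToken,   # placeholder: Graph bearer token
    [Parameter(Mandatory)][string]$TestGroupId    # placeholder: Azure AD group object ID
)

$graph   = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$omaUri  = './Vendor/MSFT/Policy/Config/System/AllowTelemetry'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# Profile body mirroring the row in the text.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows 10 Systems - Telemetry'
    description   = 'Enable Commercial ID'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'AllowTelemetry'
            omaUri        = $omaUri
            value         = 1
        }
    )
}

$created = Invoke-RestMethod -Method Post -Uri $graph -Headers $headers `
    -Body ($profileBody | ConvertTo-Json -Depth 5)
Write-Host "Created profile $($created.id)"

# A profile with no assignment deploys nothing, so assign it to the test group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TestGroupId } }
    )
}
Invoke-RestMethod -Method Post -Uri "$graph/$($created.id)/assign" -Headers $headers `
    -Body ($assignment | ConvertTo-Json -Depth 5) | Out-Null

# Read the profile back and verify the OMA-URI value really landed as 1.
$check   = Invoke-RestMethod -Method Get -Uri "$graph/$($created.id)" -Headers $headers
$setting = $check.omaSettings | Where-Object { $_.omaUri -eq $omaUri }
if (-not $setting -or $setting.value -ne 1) {
    throw "AllowTelemetry setting missing or not 1 (got '$($setting.value)')"
}
Write-Host "Profile $($created.id) assigned to group $TestGroupId with AllowTelemetry=1"
```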

Step 10: Verify the Windows 10 ATP Deployment
The configuration of Windows 10 ATP is complete. We have set up the Windows Security Center and deployed the necessary data collection tools on our systems. These tools include the following:
  • ATP agent for Security Center

  • Microsoft Monitoring Agent for data collection

  • Commercial ID for detailed systems analysis

To make sure that our systems have been deployed, go to https://securitycenter.windows.com and verify the systems are listed in the dashboard. Log in to the Security Center and select the machine icon. This should look similar to Figure 3-23.

Figure 3-23. Machines deployed with ATP
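The Security Center dashboard shows what has reported in; the following added example (not from the book) checks the same three components from the device side so you can tell a machine that never onboarded from one that simply has not reported yet. It assumes the documented locations rather than anything in the book: the ATP sensor runs as the "Sense" service and records its onboarding state under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, the Microsoft Monitoring Agent runs as "HealthService", and the Commercial ID and telemetry level are policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection.

```powershell
# Added example (not from the book): verify one Windows 10 device has the three
# components listed in Step 10. Service names and registry paths are assumptions
# based on Microsoft documentation, not values taken from the book.
function Test-AtpDeployment {
    $results = [ordered]@{}

    # 1. ATP agent: the Sense service is running and onboarding completed (OnboardingState = 1).
    $sense  = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                               -ErrorAction SilentlyContinue
    $results['ATP agent'] = [bool]($sense -and $sense.Status -eq 'Running' -and $status.OnboardingState -eq 1)

    # 2. Microsoft Monitoring Agent (Log Analytics) runs as HealthService.
    $mma = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue
    $results['Monitoring Agent'] = [bool]($mma -and $mma.Status -eq 'Running')

    # 3. Commercial ID present and well formed (a GUID), and AllowTelemetry at least 1
    #    to match the MDM row deployed in Step 9.
    $dc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                           -ErrorAction SilentlyContinue
    $results['Commercial ID']  = [bool]($dc.CommercialId -and ($dc.CommercialId -as [guid]))
    $results['AllowTelemetry'] = [bool]($dc.AllowTelemetry -ge 1)

    foreach ($name in $results.Keys) {
        $state = if ($results[$name]) { 'OK' } else { 'MISSING' }
        Write-Host ('{0,-18} {1}' -f $name, $state)
    }
    # True only when every component checks out.
    return ($results.Values -notcontains $false)
}

# Non-zero exit code lets a scheduled task or Intune script flag the device.
if (-not (Test-AtpDeployment)) { exit 1 }
```

Run it in an elevated PowerShell session on the device; a machine that shows all four lines as OK but is still absent from the dashboard is usually just waiting for its first data snapshot.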

Reviewing Windows Security Center Settings
Once the data starts flowing into the Security Center (it takes 24 hours for a complete data snapshot), you can examine the configuration of the Windows devices and determine what changes need to be made to raise the Windows Secure Score. In Figure 3-24, we have selected Application Guard to see the configuration of the desktop. The Windows Secure Score will show the areas that need to be addressed to raise the score. In this case, Application Guard is only 33 percent deployed. To address this, we need to enable the attack surface reduction rules, set controlled folder access (used to control ransomware), and use the Windows Defender next-generation AI rather than a legacy third-party product.

Figure 3-24. Expanding the security score for Application Guard

When you select the Application Guard card icon, you will see some areas highlighted (see Figure 3-25). In each of these cases, you need to look at the configuration and determine what features your business wants to enable and what features you do not yet have enabled for a secured environment. Earlier, we used MDM to configure telemetry for the desktop clients. We can do the same with Application Guard. Application Guard helps isolate enterprise-defined untrusted sites. This protects the company and blocks employees from accessing those sites.

Figure 3-25. Detailed look at the Application Guard deployment recommendation

To configure the Application Guard feature, we use the same methods that we used earlier. We configure the OMA-URI for the Application Guard deployment (see https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp). Once this is deployed, our Windows Secure Score will increase with the new policy. Later in this chapter, you will examine how you configure the OMA-URI settings to push notifications to your managed clients. In Chapter 5, I will discuss these settings and others in more detail when talking about the MDM/MAM configuration.

So far, we have configured the Windows Secure Score; the other half of the problem is the Office 365 Secure Score. Let’s move to the Office 365 Secure Score and configure the services so we can review the security positioning of our Office 365 environment.

Note

There are many different philosophies on what to configure or not to configure. My best advice is to look at each feature and independently make a decision to deploy or not to deploy. If you leave the defaults without understanding why they are in place, your configuration may not be as secure as needed, or you may have drastically affected the end-user experience in a negative way.

Office 365 Secure Score

We spent a considerable amount of time building out the Windows Secure Score. We also introduced the configuration of the device using Intune MDM for device management (OMA extensions). The next step is to look at the Office 365 security score. If you made changes in the Security Center, those changes will impact the security score (see Figure 3-26). At this time, let’s examine the Office 365 Secure Score.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig26_HTML.jpg
Figure 3-26

Microsoft Secure Score, via the Office 365 security admin center

The Office 365 Secure Score is easy to configure; there is little setup required to collect the information. The data is collected from your tenant based on how you have configured the different Office 365 services. Three inputs shape the score and its comparison: your Office 365 configuration, your organization size, and your market segment. Keep in mind that the score values are recommendations. Look at each recommendation to judge its impact on your business. In some cases there is no impact; in others there could be a significant impact on organizational productivity. The goal of Microsoft Secure Score is a configuration that meets your security needs. Do not try to max out the score; select the configuration that makes sense for your business.

Comparison Score

What is the comparison score? I have had many discussions with Microsoft over the years about the features of Microsoft Secure Score. The comparison looks at your target market and your company size and shows the typical configuration of Office 365 tenants like yours. This gives you an idea of what you are doing compared with your peers and competitors. This matters because bad actors target particular industries with particular types of attacks. If your industry is banking, the attack will commonly take a form that your fellow workers recognize as a valid e-mail. In that case, the score gives you a metric showing how much better you need to be to reduce your risk. Microsoft has extended Microsoft Secure Score with threat intelligence, so if you are in a targeted industry exposed to certain types of threats and you turn the relevant defenses off, your Microsoft Secure Score will be affected.

There are three components to the Microsoft Secure Score comparison in Office 365: location, industry, and the number of Office 365 user accounts (organization size). Microsoft Secure Score compares you against tenants with the same profile. To set this up, go to the Microsoft Security & Compliance Center, select Service Assurance and then Settings, select your location, industry, and organization size, and save the data (Figure 3-27).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig27_HTML.jpg
Figure 3-27

Setting the organization information

Once you set the organization size, your score will be adjusted within a few hours based on your competitors. This gives you a good idea of how the configuration of your environment compares with others in your industry. As an example, looking at our security score, we show a score of 171, while our industry sits at 45 for the same size and type of company (Figure 3-28). In our case, the number may look good, but it is still far below where we want to be.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig28_HTML.jpg
Figure 3-28

Comparison settings

Note

Secure Score is nothing more than the gamification of security. We all are competitive in one way or another. What we are doing here is getting a target so we can improve. Remember, what is measured can be improved, and what is tracked exponentially improves. In our case, we want to raise our security score.

Microsoft Secure Score Target

Once you have selected your business type and configured the region where your business is located, Microsoft will begin calculating your Office 365 Secure Score. In the Security & Compliance Center, look for the “Security admin” section (shown in Figure 3-29). Click Office 365 Secure Score.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig29_HTML.jpg
Figure 3-29

Accessing the Office 365 Secure Score

Review the configuration of Microsoft Secure Score and review your comparison. Then select the target you are looking to achieve; in our case, the target score is 407 (see Figure 3-30). To set a target score, you simply move the slider based on your business needs. Once you have moved the slider, the next step is to configure the services.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig30_HTML.jpg
Figure 3-30

Setting the target

Once you set the target, all that is needed is to look at the actions necessary to adjust the score. In our case, there are 22 actions that we need to complete. The filter on the actions is extremely useful to separate the easy configuration changes from the more difficult configuration changes. Many of the changes will require you to use PowerShell (see Chapter 7 for an overview) to configure your Microsoft Secure Score.

When you set up the task list, filter out the easy-to-do tasks (Figure 3-31), and let’s walk through the configuration. If this is the first time you are using Microsoft Secure Score, set the user impact to Low, and filter the list.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig31_HTML.jpg
Figure 3-31

Filtering the easy-to-do tasks

As an example, our list has the following:
  • Enable MFA for global admins

  • Enabling audit data recording

  • Review sign-ins after multiple failures report weekly

  • Set outbound spam notification

  • Enable mailbox auditing for all users

  • Review role changes weekly

  • Enable information rights management

  • User audit data

  • Do not use transport rule to external domains

Of the tasks we need to complete, some require reviewing reports and others require configuring a specific function. If you expand the action items and add up the points, these would add about 15 points to our score, which would place us at 295, less than 120 points away from our target of 407.
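Several of the items in that list can be completed, and verified, from PowerShell rather than by clicking through the portal. The script below is an added example written for this edition of the text, not code from the book; it assumes an Exchange Online PowerShell session and a connected MSOnline session (Connect-MsolService) with administrator rights, and it covers three of the actions: mailbox auditing for all users, transport rules that send mail to external domains, and global admins who have no per-user MFA requirement.

```powershell
# Added example (not from the book): complete and verify three low-impact
# Secure Score actions from PowerShell. Assumes an Exchange Online PowerShell
# session and Connect-MsolService have already been run as an admin.

# 1. "Enable mailbox auditing for all users"
function Enable-MailboxAuditing {
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    foreach ($mbx in $mailboxes) {
        if (-not $mbx.AuditEnabled) {
            Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
        }
    }
    # Return whatever still reports auditing off, so the gap is visible.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuditEnabled }
}

# 2. "Do not use transport rule to external domains": list every rule that
#    redirects, copies, blind-copies or adds a recipient outside the tenant's
#    accepted domains. Disabled rules are included; they can be re-enabled.
function Get-ExternalForwardingRules {
    $accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
    foreach ($rule in Get-TransportRule) {
        $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) +
                   @($rule.CopyTo) + @($rule.AddToRecipients) | Where-Object { $_ }
        foreach ($t in $targets) {
            $domain = ("$t" -split '@')[-1].ToLower()
            if ($accepted -notcontains $domain) {
                [pscustomobject]@{ Rule = $rule.Name; State = $rule.State; Recipient = "$t" }
            }
        }
    }
}

# 3. "Enable MFA for global admins": report members of the Company Administrator
#    role that carry no per-user strong-authentication requirement.
function Get-AdminsWithoutMfa {
    $role = Get-MsolRole -RoleName "Company Administrator"
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
        Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
        Select-Object UserPrincipalName
}

Enable-MailboxAuditing
Get-ExternalForwardingRules | Format-Table -AutoSize
Get-AdminsWithoutMfa
```

The MFA check looks only at per-user MFA (StrongAuthenticationRequirements); an admin protected by a Conditional Access policy instead will appear in this list, so treat the output as a review list rather than a verdict. The forwarding check reports any rule whose target is outside the accepted domains, including disabled rules, because a disabled rule is one click from being active again.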

Increasing the Microsoft Secure Score

Looking at the Secure Score recommendations, let’s walk through one item to give you a feel for the complexity involved. If you expand the “Enable MFA” item, you can see the specific tasks associated with enabling MFA (see Figure 3-32). Each action carries three pieces of information: an overview of the service, the security threat you are exposed to if the service is not implemented, and implementation instructions for the specific service. In this case, the goal is to reduce the threat of a breach through stolen credentials.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig32_HTML.jpg
Figure 3-32

Enabling MFA

Implementation is easy; just click the “Learn more” button, and Microsoft Secure Score will walk you through the process to enable the specific feature. You can read the explanation and click Launch Now to configure the services that you will be using (see Figure 3-33).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig33_HTML.jpg
Figure 3-33

Configuring MFA

After you configure the MFA function to increase the score, walk through the remaining options to configure the services. The benefit is that your Office 365 tenant will have a secured configuration. Will this block all bad actors? No, but it makes your data much more difficult to compromise, so bad actors will be blocked the majority of the time. MFA raises the bar and forces the bad actors to look elsewhere. This is no different from homes that are well-lit and have barking dogs versus homes that are quiet and dark. Bad actors go for the homes that look easy to break into. Think of your Office 365 tenant in the same manner: raise the security level and direct the bad actors to other homes.

Score Analyzer and Next Steps

The impact of the changes can be seen within 24 hours. In our example, we enabled MFA on all users, configured the Customer Lockbox option, adjusted the transport rules for mail forwarding, and reviewed the Azure security logs. These actions moved our security score from 170 to xxx (see Figure 3-34). To see the impact of your changes, look at the Score Analyzer tab and click “Compare scores.” This shows the changes you made and their impact on your Office 365 tenant.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig34_HTML.jpg
Figure 3-34

Comparison measurement of Secure Score over time

Microsoft Secure Score continually evaluates the configuration of your Office 365 tenant; the evaluation happens at least once a day. The best practice is to start with changes that have the least impact on your users. Changes that do affect users (such as requiring MFA, or changing the application ID configuration) need to be rolled out more slowly.

Note

Microsoft Secure Score is a set of baseline numbers that give you a recommendation on how your Office 365 tenant should be configured. As a CISO, you need to look at the reports generated in the Security Center and evaluate your business risk. Microsoft Secure Score dynamically adjusts your score based on your Office 365 and Windows configuration and compares it with the risk associated with your business in a specific target market. It is designed to help you build a solution with fewer vulnerabilities. However, if a bad actor has specifically targeted your organization, the probability of a successful penetration remains high; the score reduces your exposure, it does not eliminate it.

Compliance Manager

Microsoft introduced a new tool for Office 365 administrators and compliance officers called Compliance Manager, located at https://servicetrust.microsoft.com . Compliance Manager assesses your Office 365 configuration and your own business controls against the regulatory frameworks you select and scores you against those standards. The most common analysis is the impact of the GDPR on the business. As an example, if we look at securing data on the public network and what the GDPR requires, Compliance Manager lets us assign a resource who is responsible for managing and implementing that control. When the task is successfully completed, we are scored (see Figure 3-35).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig35_HTML.jpg
Figure 3-35

Compliance Manager

I do not want to lose sight as to what the problem is and what the regulations are trying to correct. The new regulations are putting in place a set of universal standards to safeguard personal information. The new compliance regulation is all about personal data and data privacy, and we are the custodians for personal information in our organizations. The best definition (which is being mainstreamed as the personal data standard) is from Article 4 of the GDPR regulation.

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 1

The difference between Secure Score and Compliance Manager is technical implementation versus business process implementation. Compliance Manager is about the business processes being compliant with the different governmental entities. The score that is used in Compliance Manager is a relative weight of the importance of the activity when you look at the overall requirements. In the case of the GDPR, we are looking at changes in how we store and manage information. When you are audited by a governmental agency, the audit looks at who is responsible for the implementation of the various regulations in your business.

So far, we have looked only at the EU GDPR requirements. Let’s look at NIST 800-53. This is the catalog of security and privacy controls for U.S. federal information systems, and its requirements flow down to federal contractors whose systems handle government information. If your business receives federal funds, expect to be held to the NIST 800-53 controls.

If we look at Compliance Manager with the NIST 800-53 requirements for federal contractors, we have a similar set of controls for the management of the activities that would be associated with an audit. As an example, at KAMIND IT, we have customers with NIST audit requirements for breaches and remediation (see Figure 3-36). What we need to do is ensure that the documents that we generate for breach analysis are documented in our clients’ Compliance Manager tenant.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig36_HTML.jpg
Figure 3-36

Remediation under NIST 800-53

When an auditor approaches an organization, the organization must show that it has implemented the necessary processes and controls and that it has the documentation and checklists assigned to complete the activity. If the organization cannot show the controls and documents that support the audit request, it is exposed to fines.

Note

Compliance Manager supports the EU regulation GDPR and NIST 800-53 for federal contractors. The next change we will see is the implementation of the California Consumer Privacy Act (CCPA). CCPA also includes fines.

The fines for noncompliance can be large and can even close businesses. In the case of the European Union, GDPR fines can reach 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. In the United States, it depends on the agency, but it is not uncommon to see fines of $10,000 per incident together with forfeiture of the government contracts.

This is why Compliance Manager is extremely important to your business. If you are subject to any state, federal, or international regulation, you must manage the information from a legal point of view. For all other businesses, you need to look at the regulations (GDPR and NIST 800-53) and use the same process to manage your internal activity. When the CCPA becomes more widespread, this is the tool you will use to ensure that your organization is compliant.

The purpose of Compliance Manager is to provide you with a set of checklists, where your business can assign resources to resolve the different compliance needs. If this is the first time you have been exposed to the compliance requirements, you need to make sure your business meets the necessary compliance standards. Figure 3-37 shows an update with the status of the different regulations and your internal business process changes.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig37_HTML.jpg
Figure 3-37

Compliance Manager

Compliance is a big topic. My objective here was to introduce you to the service trust center and the configuration necessary to manage your Office 365 tenant. Compliance is all about business processes and changes. Just like with Secure Score, we have a compliance score.

Next Steps

We use Compliance Manager as a check list when we audit a customer for GDPR compliance and NIST 800-53 compliance. This is the check list that your organization needs to implement. All companies should do what is necessary to be NIST 800-53 compliant. If we add into this the change under California’s CCPA, our businesses will fundamentally change. What are the steps that you need to follow to implement the necessary changes in your organization? I have outlined some typical questions that you need to ask.

Step 1: Review Your Business

The first step is to determine what regulations you are subject to and what actions you need to implement (this is where Compliance Manager really helps). There are a number of categories in Compliance Manager. The common ones are NIST 800-53 and the GDPR. One of the nice features of Compliance Manager is the cross-matching of the different compliance categories. As an example, if you fill out the audit requirements for NIST 800-53, this cross-references the task to other regulations. The cross-reference allows an organization to look at multiple regulations and satisfy a number of requirements where there is overlap. The common questions you need to ask are the following:
  • GDPR
    • Do you have customers from the European Union?

    • Do you supply product or services to EU entities (people and/or businesses)?

  • NIST
    • Do you have a federally funded contract for products or services?

    • Do you supply products or services to a vendor that is a government contractor?

  • CCPA (use the NIST compliance tool)
    • Do you have customers in California?

    • Do you supply products or services to vendors in California?

    • Is your state passing a law similar to CCPA?

Step 2: Engage with a Licensing/Compliance Partner

Compliance Manager does a good job of helping you with the requirements of compliance. However, you may need a facilitator to provide accountability and make sure you are doing the work correctly. Compliance is about record-keeping and inventory assessment. Assign owners to the various regulations, and manage the activity as you would any other project. Set start dates and define a timeline for implementation.

The goal of this type of engagement is to identify the compliance gap and who owns the gaps. Bear in mind that everything needs an owner, and everything must be tracked to make progress.

When you engage a Microsoft Partner, they will generate a document that is composed of a series of questions and build out a document (see Figure 3-38) that addresses the different areas. A GDPR assessment is composed of 191 questions and can take 40 to 160 hours to complete depending on the size of the organization and complexity of the problem.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig38_HTML.jpg
Figure 3-38

Partner data collection form for Compliance Manager (courtesy of Microsoft)

Once you have completed the compliance management process, Compliance Manager can assist you to make sure the data is kept up-to-date. This will help an organization meet the compliance needs. However, this is not a one-time action. It is a continuous process.

Step 3: Complete the Assessment

There is no way to get around this; you will need to complete the assessment and generate your business compliance score. The deliverable in the compliance score is the detailed process document that your organization needs to execute against for the different areas.

Other Configurations

Microsoft Secure Score is a powerful way to build out your Office 365 configuration and Azure configuration. This section contains some miscellaneous helpful hints on where to find and configure certain information required in Microsoft Secure Score. The techniques to deploy the configurations to the desktops are covered in the Mobile Device Management (Chapter 5).

Retrieving the Commercial ID for Windows 10 Devices

A commercial ID is the ID used to organize information that is shared with Microsoft. This information consists of diagnostic data. The diagnostic data is extremely useful for the care and health of your Office 365 environment. The data collected is used to assist Microsoft in better supporting our environment. Retrieving the commercial ID for Office 365 and Azure joint systems is a two-step process. In Chapter 2, we configured the Windows Update Management compliance blade for Log Analytics (see Figure 3-39).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig39_HTML.jpg
Figure 3-39

Adding Update Management to the Log Analytics blade

The commercial ID is used to collect information from Windows 10 desktop devices and supply that information to Microsoft. In this way, Microsoft can advise on upgrade readiness. The second use of the commercial ID is to collect information that we can use in our security analysis of the workstation and of external threats from bad actors.

What we are doing from a security perspective is adding the Windows information from the desktops (and servers) and linking the information with the Active Directory and Office 365 information to build a full, 360-degree view of the security profile of the user. When we add Windows 10 Advanced Threat Protection, we are also linking information so we can see different threats to the environment that we are mitigating. To retrieve the Commercial ID, follow the steps outlined next.

Note

To retrieve the Commercial ID, you need to have completed the Azure Log Analytics setup described in Chapter 2. If you have not completed those steps, please return to Chapter 2 and configure Log Analytics so you can add data analysis to your environment. Security defenses require that data is collected from the different endpoints and analyzed together with the data from the cloud services.

Step 1: Select Log Analytics and Update Management

Select Log Analytics and then workspace summary. After you have selected workspace summary, select the Update Compliance blade. Then click Solution Settings (see Figure 3-40).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig40_HTML.jpg
Figure 3-40

Selecting the Update Compliance blade in Log Analytics

Step 2: Copy the Commercial ID from the Update Compliance Blade

The Commercial ID is located in the Update Compliance Settings section of the log analytics (called update Insights). Click Update Compliance Settings, and copy the Commercial ID (Figure 3-41). This is the ID used to organize the data that has been relayed to Microsoft. Our objective here is to make a copy of the key so any information that is uploaded to Microsoft is also uploaded to the security center for analysis.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig41_HTML.jpg
Figure 3-41

Retrieving the commercial ID from the Update Compliance settings section

Deploying the Commercial ID on Windows 10 Using Local Policy

There are three ways to deploy the commercial ID. You can deploy this with Group Policy, Local Policy, and EMS deployment (version 1803 or later). In the following steps, we will show how to use Local Policy to configure the commercial ID. In this case, we will use the Group Policy editor to configure the necessary entries for data recording.

Step 1: Edit the Group Policy by Using the MMC Component

On your Windows 10 system, open an administrator prompt and type in MMC (Microsoft Management Console). In the MMC snap-in, select File, select Add/Remove Snap-in, and select Group Policy Object, then Local computer policy. Click Add (see Figure 3-42).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig42_HTML.jpg
Figure 3-42

Setting up the MMC to retrieve the group Security Policy Editor

Step 2: Expand Data Collection and Preview Builds

Once the Group Policy editor is loaded, select Administrative Templates, Windows Components, and then Data Collection and Preview Builds. You want to configure two areas (see Figure 3-43): Allow Telemetry and Configure the Commercial ID.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig43_HTML.jpg
Figure 3-43

Options under the Data Collection and Preview Builds

Step 3: Expand Telemetry

Expand the Allow Telemetry section, select Enabled, and select option 3 - Full (see Figure 3-44). The level you choose here is also a privacy decision: Full sends the most diagnostic data to Microsoft, so pick the lowest level that supplies the data the solutions you rely on actually need.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig44_HTML.jpg
Figure 3-44

Enabling Telemetry

Step 4: Enter the Commercial ID and Enable Upload

Expand the Configure Commercial ID section, select Enabled, and enter the commercial ID (see Figure 3-45).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig45_HTML.jpg
Figure 3-45

Enabling the commercial ID and entering the commercial ID on Windows 10/Server 2016
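The two Local Policy settings in Steps 3 and 4 are backed by registry values under the DataCollection policy key, which is also what Group Policy writes. The script below is an added example, not code from the book; it sets and then verifies those values directly, which is handy for a build script or a quick audit of a machine that should already have the policy. The Commercial ID in it is a placeholder (the script refuses to run until you paste the GUID copied in Step 2), and it must be run in an elevated PowerShell session.

```powershell
# Added example (not from the book): write and verify the registry values that
# the "Configure the Commercial ID" and "Allow Telemetry" policies set.
# Run elevated. Replace the placeholder with the GUID copied from Update Compliance.

$CommercialId   = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$TelemetryLevel = 3   # 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full (the book uses Full)
$PolicyKey      = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"

function Set-DiagnosticPolicy {
    param([string]$Id, [int]$Level)

    # Refuse anything that is not a real GUID; a typo here silently breaks
    # Update Compliance because the data is filed under the wrong tenant.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$guid) -or $guid -eq [guid]::Empty) {
        throw "Commercial ID '$Id' is not a valid GUID (still the placeholder?)"
    }
    if ($Level -lt 0 -or $Level -gt 3) { throw "AllowTelemetry must be 0..3" }

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name "CommercialId"   -Value $Id    -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name "AllowTelemetry" -Value $Level -PropertyType DWord  -Force | Out-Null
}

function Test-DiagnosticPolicy {
    param([string]$Id, [int]$Level)
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CommercialId   = $p.CommercialId
        AllowTelemetry = $p.AllowTelemetry
        Compliant      = ($p.CommercialId -eq $Id) -and ($p.AllowTelemetry -eq $Level)
    }
}

Set-DiagnosticPolicy  -Id $CommercialId -Level $TelemetryLevel
Test-DiagnosticPolicy -Id $CommercialId -Level $TelemetryLevel
```

Test-DiagnosticPolicy can be run on its own against any machine where you expect the policy to be in place; a Compliant value of False tells you the device is not reporting under your Commercial ID, which is the usual reason a device never appears in Update Compliance.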

Setting Custom OMA-URI Settings for Microsoft Intune

The Open Mobile Alliance Uniform Resource Identifier (OMA-URI) setting allows you to customize the local security policy settings for Windows 10 and Server 2016 devices. These settings control features of the device in much the same way that Active Directory group policy does for domain-joined machines. Windows 10 and Server 2016 make many configuration service provider (CSP) settings configurable through Intune MDM policies. Setting up a new policy is easy. (See https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference for the different CSP policy options.) You need to pay attention to the version of Windows 10: CSP support varies by OS build, and you want to deploy CSPs only on current Windows 10 systems. Figure 3-46 shows a snapshot of the different CSP offerings for MDM/MAM management. The footnote means that only Windows 10 version 1803 or later is supported, and there is no support for Windows Home or Windows Mobile.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig46_HTML.jpg
Figure 3-46

Custom OMA-URI configuration settings for Windows 10 (courtesy of Microsoft)

Once you review the available configuration options, the next step is to examine the policy and then deploy the policy. In Figure 3-47, we expanded the AccountManagement CSP policy to see the policy in a tree format.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig47_HTML.jpg
Figure 3-47

Expansion of the AccountManagement CSP (courtesy of Microsoft)

Once you have reviewed the CSP policy, you can select the necessary configuration elements. In this case (looking at the AccountManagement CSP for our Windows Holographic for Business devices), we want to set up the device so that profiles are deleted when storage reaches its threshold or after a period of inactivity. That is the DeletionPolicy node under UserProfileManagement, with value 2; the OMA-URI must name that leaf node, not just its parent. As an example, the data we will need to configure is shown here and in Figure 3-48:
  • Name: Windows 10 Account Management – Holographic Delete policy

  • Description: Set Account Delete Policy

  • OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement/DeletionPolicy

  • Data Type: Integer

  • Value: 2

The configuration we are using is Microsoft 365 E5, and we have deployed Intune MDM/MAM. To configure the policy, log in to https://portal.azure.com and select Intune on your Azure dashboard (if it is not present, add the service through the Azure search or the “Create a resource” option). Once you have selected Intune, select Device configuration and then Profiles. Click “Create profile” to create a new profile for deployment. Make sure you have selected Windows 10 and later as the platform and Custom as the profile type. Once you have set up this information, you can add the deployment information for the Windows 10 Holographic edition.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig48_HTML.jpg
Figure 3-48

Deploying a custom configuration to the connected client
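The same custom profile can be created with the Microsoft Graph API, which is how you would script it for more than one tenant. The block below is an added example written for this edit, not code from the book or from Microsoft; it builds the AccountManagement setting from the list above and, since the mechanism is identical, adds the Application Guard setting from the WindowsDefenderApplicationGuard CSP discussed at the start of this section, so one profile covers both. It assumes a Graph bearer token with DeviceManagementConfiguration.ReadWrite.All in the GRAPH_TOKEN environment variable; obtaining that token is outside the example.

```powershell
# Added example (not from the book): create an Intune custom OMA-URI profile
# through Microsoft Graph instead of the portal. Assumes $env:GRAPH_TOKEN holds
# a bearer token with DeviceManagementConfiguration.ReadWrite.All.

$Token    = $env:GRAPH_TOKEN
$GraphUri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

# Each entry mirrors the Name / Description / OMA-URI / Data Type / Value fields
# you would type into the portal.
$OmaSettings = @(
    @{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"
        displayName   = "Windows 10 Account Management - Holographic Delete policy"
        description   = "Delete profiles at the storage threshold or after inactivity"
        omaUri        = "./Vendor/MSFT/AccountManagement/UserProfileManagement/DeletionPolicy"
        value         = 2
    },
    @{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"
        displayName   = "Enable Windows Defender Application Guard"
        description   = "1 = enable Application Guard for Microsoft Edge"
        omaUri        = "./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard"
        value         = 1
    }
)

function New-CustomOmaUriProfile {
    param([string]$Name, [array]$Settings, [string]$AccessToken)

    # Sanity-check every OMA-URI before sending. Intune accepts a mistyped path
    # and it only fails later on the device, which is far harder to debug.
    foreach ($s in $Settings) {
        if ($s.omaUri -notmatch '^\./(Device|User)?/?Vendor/MSFT/[A-Za-z0-9_/\-]+$') {
            throw "Suspicious OMA-URI: $($s.omaUri)"
        }
    }

    $body = @{
        "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
        displayName   = $Name
        description   = "Custom OMA-URI settings deployed through Graph"
        omaSettings   = $Settings
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Post -Uri $GraphUri `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType "application/json" -Body $body
}

$created = New-CustomOmaUriProfile -Name "Windows 10 - Custom OMA-URI (Holographic + App Guard)" `
                                   -Settings $OmaSettings -AccessToken $Token
$created.id
```

The profile is created but not assigned; assign it to a device group in the Intune console (or with a further Graph call) before anything reaches a device. The value 1 for AllowWindowsDefenderApplicationGuard enables Application Guard for Microsoft Edge, per the CSP documentation linked earlier in this chapter.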

The scope of what you can deploy on Azure-connected clients is extremely broad and is being expanded with every release. In Figure 3-49, you see the WiFi CSP. MDM can be set up to fully configure the WiFi settings for the connected mobile or Windows 10 client.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig49_HTML.jpg
Figure 3-49

Exploring the WiFi CSP and changes on the connected client (courtesy of Microsoft)

Deploying DMARC/DKIM

Phishing e-mails and spam are becoming more and more common. One way to combat them is to use DomainKeys Identified Mail (DKIM) together with the Sender Policy Framework (SPF) to validate e-mail in Office 365. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on these two: it tells receiving servers what to do when a message fails SPF or DKIM alignment and where to send reports, as shown in Figure 3-50. This ensures that destination servers can trust your company e-mail and that you can trust e-mail sent to you by third parties who publish the same records (assuming you are using the Office 365 protection services).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig50_HTML.jpg
Figure 3-50

DKIM e-mail analysis (courtesy of Microsoft)

How does DMARC work? Simply put, it ties the From address the user sees (the RFC 5322 header From) to the domain that SPF or DKIM actually authenticated (the RFC 5321 MAIL FROM domain for SPF, or the signing domain for DKIM); the two must align. That alignment is what defeats spoofing. As an example, look at the simple mail transcript in Figure 3-50: a plain SPF check passes a message whose envelope sender is the attacker’s own domain, but DMARC sees that the header From domain does not align with the authenticated domain and fails the message.

DMARC with DKIM simply forces domain validation of the e-mail. In the example, DMARC validates that the visible sender address really belongs to the domain that signed or authorized the message. This validates the sender domain; you can still be phished from look-alike or compromised domains, but it minimizes phishing from forged e-mail domains. The configuration of DMARC involves the following steps.

Step 1: Configure SPF Records

Configure your SPF records for your e-mail domain in Office 365. The typical Office 365 SPF record looks like this:
v=spf1 include:spf.protection.outlook.com -all
To access your SPF record, log in to the Office 365 admin panel and select Setup and Domains (see Figure 3-51).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig51_HTML.jpg
Figure 3-51

Collecting the SPF record from Office 365

Office 365 has a default DKIM and uses the onmicrosoft.com domain. Once you have verified your domain, you need to create the DKIM record that corresponds to the verified domains.

Step 2: Publish Two CNAMEs for Records in Your Custom Domain

Figure 3-52 shows the mail flow. The first step is to create two CNAME records for each of your custom domains. Figure 3-53 shows the generic DKIM records; the values you substitute are domain, domainGUID, and initialDomain (the _domainkey label stays as it is). Figure 3-54 shows the configured DKIM information for kamind.com. Once you have these records defined, update your DNS service with the new records. DKIM can be enabled only for domains that have been verified in Office 365, and you need a pair of DKIM records for each domain you send from.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig52_HTML.jpg
Figure 3-52

DKIM mail flow (courtesy of Microsoft)

../images/429219_1_En_3_Chapter/429219_1_En_3_Fig53_HTML.jpg
Figure 3-53

Microsoft generic Office 365 DKIM records (courtesy of Microsoft)

../images/429219_1_En_3_Chapter/429219_1_En_3_Fig54_HTML.jpg
Figure 3-54

Configured KAMIND.com DKIM structure for Office 365

Step 3: Enable DKIM in Office 365

Once you have created the DKIM records and published them in your DNS, run the following command in an Exchange Online PowerShell session. Once DKIM is configured, look at the Internet headers of a sent message and you will see dkim=pass in the Authentication-Results header.
New-DkimSigningConfig -DomainName kamind.com -Enabled $true

Step 4: Deploy the DMARC Identifier in Office 365

The next step is to configure the DMARC name for Office 365. The decision for which record to deploy is based on the policy of the organization. There are multiple policy options that you can deploy. A policy is what happens when you have a DMARC failure. Figure 3-55 shows the different configurations. The recommendation is to use a quarantine (or the junk folder).
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig55_HTML.jpg
Figure 3-55

PowerShell to enable DKIM for Office 365 (courtesy of Microsoft)
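Before enabling signing it is worth checking that the DNS side of Steps 1, 2, and 4 is actually in place, because New-DkimSigningConfig succeeds even when the CNAMEs are missing and mail then goes out unsigned. The script below is an added example, not code from the book; the DNS checks run from any Windows machine, and the Exchange Online part assumes an Exchange Online PowerShell session. The domains example.com and contoso.onmicrosoft.com are placeholders.

```powershell
# Added example (not from the book): verify SPF, the two DKIM selector CNAMEs and
# the DMARC policy for a domain, then enable DKIM signing in Exchange Online only
# when the CNAMEs resolve correctly. Placeholders: example.com, contoso.onmicrosoft.com.

function Test-MailAuthDns {
    param(
        [string]$Domain,          # custom domain, e.g. kamind.com
        [string]$InitialDomain    # the tenant's *.onmicrosoft.com domain
    )
    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one v=spf1 record, including Office 365's senders, ending in -all or ~all.
    $spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
           Where-Object { $_ -like 'v=spf1*' }
    $result.SpfOk = ($spf.Count -eq 1) -and
                    ($spf[0] -match 'include:spf\.protection\.outlook\.com') -and
                    ($spf[0] -match '\s[-~]all$')

    # DKIM: selector1/selector2 CNAMEs must point at selectorN-<guid>._domainkey.<initialDomain>.
    foreach ($sel in 'selector1', 'selector2') {
        $cname  = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        $target = $cname.NameHost
        $result["${sel}Target"] = $target
        $result["${sel}Ok"] = [bool]($target -and
            $target -match "^${sel}-.+\._domainkey\.$([regex]::Escape($InitialDomain))`$")
    }

    # DMARC: a record must exist, and p=none only reports; it blocks nothing.
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $result.DmarcRecord   = $dmarc
    $result.DmarcEnforced = [bool]($dmarc -and $dmarc -match '(^|;)\s*p=(quarantine|reject)')

    [pscustomobject]$result
}

function Enable-TenantDkim {
    param([string]$Domain)
    $cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $cfg) {
        New-DkimSigningConfig -DomainName $Domain -Enabled $true | Out-Null
    } elseif (-not $cfg.Enabled) {
        Set-DkimSigningConfig -Identity $Domain -Enabled $true
    }
    Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
}

$check = Test-MailAuthDns -Domain 'example.com' -InitialDomain 'contoso.onmicrosoft.com'
$check
if ($check.selector1Ok -and $check.selector2Ok) {
    Enable-TenantDkim -Domain 'example.com'
} else {
    Write-Warning "DKIM CNAMEs are not in place yet; not enabling signing."
}
```

The Selector1CNAME and Selector2CNAME values returned by Get-DkimSigningConfig are the exact targets your two CNAME records should point at, so if the DNS check fails, compare the target columns of the output with those two values. DmarcEnforced is False for a p=none record on purpose: monitoring mode is the right first step, but it does not stop spoofed mail from being delivered.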

Using Azure Advisor

Once you have enabled all the security services, Azure Advisor will begin to analyze your configuration and make suggestions. In Figure 3-56, you see the advisor recommendations for Availability, Security, Performance, and Cost. You can expand the categories to look at the changes that you need to make for your Azure environment to function better. You can load the Azure Advisor from the “All services” option in the dashboard. Don’t forget to pin the new favorites to the dashboard for future reference.
../images/429219_1_En_3_Chapter/429219_1_En_3_Fig56_HTML.jpg
Figure 3-56

Azure Advisor (located in all services)

Summary

At this point you have expanded the type of data being collected in Azure Security Center. You enabled the Commercial ID for Windows devices (Windows 10 and Windows Server) and started to collect more data about your enterprise environment. We can now see alerts in our enterprise and drill down on those alerts to remediate issues. Another accomplishment is the integration with Microsoft Secure Score: you have started to build a road map of the features you need to implement to secure the environment. We are on the path to success.

Next Steps

Now that our base logging configuration is complete and the logs are collecting data, we move on to the next step: continuing the build-out of the Enterprise Mobility and Security applications. These are not true applications; rather, they are Azure extensions targeted at specific functions, all revolving around identity protection and information protection. Once we have completed the integration of the EMS services, we can move forward with mobile application and device management.

Reference Links

There is a lot of information about Office 365 on the Web—the issue is finding the right site. The information contained in this chapter is a combination of my experience doing deployments and of support information that has been published by third parties.

Compliance Manager and Service Trust
NIST Guide to Information Technology Security Services
EU Regulation directive 95/46/EC: General Data Protection Regulation
GDPR Compliance and Information Microsoft Collects
Custom OMA-URI Settings for Windows 10 Devices