C Microsoft Secure Score

Introduction

If you have an Office 365 tenant and have explored the Security and Compliance Center, its dashboard or its home screen, you may have noticed an item called ‘Microsoft Secure Score’.

Your score will be different (higher or lower) depending on the features enabled in your Office 365 tenant (due to licensing) and on items you may have already configured yourself. In this chapter we take a look at this feature in the Security and Compliance Center, starting with an introduction and then going through each of the tasks in detail later in the chapter.

When you first bring up Secure Score, Microsoft presents a set of introductory slides at the top of the screen (which you can close once you have read them). These slides give a quick preview of the features of Secure Score for those who have not yet read up on it:

Just below these slides is your tenant’s ‘Secure Score Summary’. The graphic gives a visual representation of your score and also shows it relative to the maximum score your tenant could attain. Note that this maximum will again differ from tenant to tenant depending on the feature set or licensing that is enabled. The current maximum with all features available is now over 800. However, in the tenant I am using, mine is 547 as of this week:

Next to this we also see a ‘What’s New’ and a ‘Risk Assessment’.

  • What’s New: Provides a quick view of the new features that are now available in the Secure Score feature of Office 365
  • Risk Assessment: A series of shortcuts to vulnerability assessments that Microsoft thinks you should review

Next up we have a slider called ‘Take Action, Improve Your Score’:

This nifty little feature lets you set a target score for where you would like to be and then displays a series of actions below to help you attain that score. These tasks range from securing email to enabling auditing to simply reviewing reports for your tenant on a timely basis. With my tenant, my current target score of 547 means there are 37 actions in my queue. When the target is increased or decreased, my task list changes as well:

As previously mentioned, the score slider provides a list of recommended tasks to complete in order to attain your target score. This list can be long or short depending on how far along you are in securing your tenant. Some possible action items are listed below:

Additionally, at the very bottom of this page is a link for getting advice on these changes.

The link goes to a Tech Community page, a place where you can ask questions about a particular subject and get answers to those questions from experts in the field.

Score Analyzer

Last, but not least, is the Score Analyzer tab at the top. This tab provides a bird’s-eye view of the changes to a tenant’s score over the past month or so, giving you a quick view of your security score over time.

A summary table of score vs. actions is also provided:

Finally, a list of completed actions, each with the points awarded, is at the bottom:

** Note ** The task list seems a bit disorganized at best and the ordering leaves much to be desired. While there are some sorting options, I would much prefer a default sort, either alphabetical or color coded by point level for these tasks, starting with the highest and ending with the lowest.

Secure Score has recently had some significant additions and removals, reflecting an evolution in what Microsoft considers important to the security of your Office 365 tenant. What I noticed immediately is that the maximum score is now over 800, whereas at one time within the past year it was between 300 and 450. The number of tasks has also increased to 73. Microsoft has made a lot of changes to what counts towards the Secure Score report and has even renamed it ‘Microsoft Secure Score’. Additionally, a new ‘Windows’ score has been added to the Secure Score report page:

There is now a greater emphasis on using Intune to help secure your Office 365 tenant. Lockbox checking was removed, which is interesting. There is more emphasis on risk when it comes to clients and devices (sign-in, jailbreak, etc.). Most of these changes and additions appear to be a good thing on first review.

Removed Tasks in 2018

  • Review sign-in devices report weekly
  • Review account provisioning activity report weekly
  • Review non-global administrators weekly
  • Review list of external users you have invited to documents monthly

PowerShell and Microsoft Secure Score

As of the printing of this book, there was no really good interface into Secure Score: no direct reporting and no way to automate processes in order to raise your score. Thus, for the purposes of this book, this chapter is purely for reference, hence its placement in the very last appendix of the book.

Detailed Analysis

In this next section we review each and every task as of the printing of this book. The intent is to give the reader a guide to the tasks listed in the Microsoft Secure Score report. Remember that this is a guide and not a final answer as to which tasks your tenant should apply.

————————————————————————————————————————————————

Designate less than five global admins

According to Microsoft

“You should designate less than five global tenant administrators because the more global admin users you have, the more likely it is that one of those accounts will be successfully breached by an external attacker. We found that you have ‘X’ admins designated.”

Threats – Password Cracking, Account Breach, Elevation of Privilege

Recommendation & Thoughts

Even for a large organization, more than five global admins is a bit excessive. Remember that these are individuals with full control over EVERYTHING in your tenant. Do you really need more than five?

So the recommendation is a definite yes: the lower this number, the better. I feel this is on the same level as the Enterprise Admins group in AD, which is almost always too large no matter the size of the environment. Reduce it and keep it small. Even better, tie in something like Privileged Identity Management (PIM) in Azure to make the environment dynamic and manageable without exposing yourself to the risk of too many full-control admins in Office 365.

————————————————————————————————————————————————

Do not expire passwords

According to Microsoft

“While this is not the most intuitive recommendation, research has found that when periodic password resets are enforced, passwords become weaker as users tend to pick something weaker and then use a pattern of it for rotation. If a user creates a strong password: long, complex and without any pragmatic words present, it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason. We found that your current policy is set to require a password reset every 999 days.”

Threats – Password Cracking and Account Breach

Recommendation & Thoughts

This idea has gained traction with Microsoft over the years for many reasons. The first is that it removes some of the challenge a regular user faces in coming up with an original password every 60 to 90 days: no need for sticky notes or other reminders of a constantly changing password. A consistent, secure password is much better in the long run.

This one is a maybe, if only because Microsoft is now pushing for passwordless access with tokens and other MFA controls. Take a look here for that option – https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in.

** Note ** NIST 800-63 (co-authored by Microsoft) also recommends not expiring passwords on a regular basis.

————————————————————————————————————————————————————

Do not allow users to grant consent to unmanaged applications

According to Microsoft

“You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. We found that your policy to allow third party integrated applications to access your service is currently configured to False.”

Threats – Data Exfiltration & Data Spillage

Recommendation & Thoughts

Any strengthening of your tenant’s security is a good idea in general. Adding a third party app integration should require a security analysis to make sure you are not opening up an attack vector. To reduce that exposure, work with your app provider to ensure appropriate security and controls are in place.

This is a definite yes and a no-brainer. For any third party app integrated with your tenant, that app’s security needs to be in place as well. If you don’t have any apps, then make sure the setting is False.

—————————————————————————————————————————————————————

Enable versioning on all SharePoint online document libraries

According to Microsoft

“You should enable versioning on all of your SharePoint online site collection document libraries. This will ensure that accidental or malicious changes to document content can be recovered. We found that you do not have versioning enabled on ‘X’ out of ‘Y’ of your site document libraries.”

Threats – Data Deletion

Recommendation & Thoughts

Unless there is a business case for not enabling versioning in SharePoint, I agree that this is a good recommendation from Microsoft. Just as you use versioning on the documents and files your end users edit, this enables the same function for your SharePoint sites in Office 365.

This is a yes, and a definite option I would enable on any SharePoint site in your Office 365 tenant.
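The ‘X out of Y’ count in the Microsoft text is easy to reproduce yourself. The following is an added example, not code from the book, using the SharePoint PnP PowerShell module; it assumes Connect-PnPOnline has already been run against the site collection you want to check, and the function name Enable-LibraryVersioning is my own:

```powershell
# Added example (not from the book). Assumes the SharePoint PnP PowerShell module is
# installed and Connect-PnPOnline has already been run against the site collection to
# check. Run with -ReportOnly first; without it, versioning is switched on where missing.
function Enable-LibraryVersioning {
    param(
        [int]    $MajorVersions = 500,   # how many major versions each library keeps
        [switch] $ReportOnly
    )
    # BaseTemplate 101 is "Document Library"; hidden system lists are skipped so the
    # count matches what a user would recognise as a library.
    $libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

    $rows = foreach ($lib in $libraries) {
        $before = $lib.EnableVersioning
        if (-not $before -and -not $ReportOnly) {
            Set-PnPList -Identity $lib -EnableVersioning $true -MajorVersions $MajorVersions
        }
        [pscustomobject]@{
            Library          = $lib.Title
            VersioningBefore = $before
            VersioningAfter  = $(if ($ReportOnly) { $before } else { $true })
        }
    }

    # Same "X out of Y" summary that Secure Score reports, then the per-library detail
    $missing = @($rows | Where-Object { -not $_.VersioningBefore }).Count
    Write-Host ("Versioning not enabled on {0} out of {1} document libraries" -f $missing, @($rows).Count)
    $rows
}

# Usage: Enable-LibraryVersioning -ReportOnly | Format-Table -AutoSize
# To cover every site collection, loop over Get-PnPTenantSite (needs a connection to the
# tenant -admin site) and call Connect-PnPOnline for each site before running this function.
```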

————————————————————————————————————————————————————

Use non-global administrative roles

According to Microsoft

“You should leverage non-global administrator roles to perform required administrative work with the least privileges necessary to complete the task. Using roles like Password Administrator or Exchange Online Administrator will reduce the number of high value, high impact global admin role holders you have, which will in turn reduce the likelihood of a breach of an account with global administrative privileges. We found that you have ‘X’ users in global admin roles.”

Threats – Account Breach, Elevation of Privilege & Malicious Insider

Recommendations & Thoughts

The least privilege model should be used in any security situation, whether in your Office 365 tenant or on-premises. The only exception is the single administrator or the small IT department where duties cannot be segregated for lack of personnel.

Even with the caveat above, I would still recommend implementing this if at all possible. Larger organizations should absolutely be using this, and hopefully following the model they already use for on-premises AD security. PIM is another viable option.
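The four identity tasks above (fewer than five global admins, not expiring passwords, not letting users consent to apps, and using non-global roles) can all be checked from the MSOnline module. The following is an added example, not code from the book; it assumes Connect-MsolService has already been run with an account that can read directory roles and company settings, and the function names Get-AdminRoleReport and Test-IdentityPosture and the domain name are my own:

```powershell
# Added example (not from the book). Assumes the MSOnline module is installed and
# Connect-MsolService has already been run. Nothing changes in the tenant unless the
# -Remediate switch is given; trimming the admin list itself stays a human decision.
Import-Module MSOnline

function Get-AdminRoleReport {
    # One row per directory role that has at least one member. "Company Administrator"
    # is the MSOnline name of the Global Administrator role.
    foreach ($role in Get-MsolRole) {
        $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId)
        if ($members.Count -gt 0) {
            [pscustomobject]@{
                Role        = $role.Name
                MemberCount = $members.Count
                Members     = ($members | ForEach-Object { $_.EmailAddress }) -join '; '
            }
        }
    }
}

function Test-IdentityPosture {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # a verified domain, e.g. contoso.onmicrosoft.com
        [switch] $Remediate
    )
    $findings = @()

    # 1. Designate less than five global admins
    $roles   = Get-AdminRoleReport
    $ga      = $roles | Where-Object { $_.Role -eq 'Company Administrator' }
    $gaCount = if ($ga) { $ga.MemberCount } else { 0 }
    $findings += [pscustomobject]@{
        Check = 'Global admins (target: fewer than 5)'
        Value = $gaCount
        Pass  = ($gaCount -lt 5)
    }

    # 2. Use non-global administrative roles: count assignments to every other role
    $nonGlobal = ($roles | Where-Object { $_.Role -ne 'Company Administrator' } |
                  Measure-Object -Property MemberCount -Sum).Sum
    $findings += [pscustomobject]@{
        Check = 'Non-global role assignments in use'
        Value = [int]$nonGlobal
        Pass  = ([int]$nonGlobal -gt 0)
    }

    # 3. Do not expire passwords: domain policy plus licensed users still subject to expiry
    $policy   = Get-MsolPasswordPolicy -DomainName $DomainName
    $expiring = @(Get-MsolUser -All | Where-Object { $_.IsLicensed -and -not $_.PasswordNeverExpires })
    $findings += [pscustomobject]@{
        Check = "Password validity period for $DomainName (days); licensed users still expiring: $($expiring.Count)"
        Value = $policy.ValidityPeriod
        Pass  = ($expiring.Count -eq 0)
    }

    # 4. Do not allow users to grant consent to unmanaged applications
    $consent = (Get-MsolCompanyInformation).UsersPermissionToUserConsentToAppEnabled
    $findings += [pscustomobject]@{
        Check = 'Users may consent to apps (target: False)'
        Value = $consent
        Pass  = (-not $consent)
    }

    if ($Remediate) {
        foreach ($u in $expiring) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordNeverExpires $true
        }
        if ($consent) { Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false }
    }

    $findings
}

# Usage: Test-IdentityPosture -DomainName 'contoso.onmicrosoft.com' | Format-Table -AutoSize
# Then: Get-AdminRoleReport | Format-Table -AutoSize   # who holds which role
```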

————————————————————————————————————————————————————

Ensure all users are registered for multi-factor authentication

According to Microsoft

“You should register all users for MFA because MFA allows end users to prove their identity during risky sign-ins. We found that you had users out of ‘X’ that did not have MFA registered. If you register those users, your score will go up points.”

Threats – Password Cracking & Account Breach

Recommendations & Thoughts

Currently this is more of an ideal scenario. It will require end user education, training and possibly even a cultural shift to work properly. Many organizations are certainly asking for this to be put in place, and it is a goal to strive for.

Yes. This should be done. It increases security while adding only a small amount of complexity for the end user.

—————————————————————————————————————————————————————

Review permissions & block risky OAuth applications connected to your corporate environment

According to Microsoft

“Cloud App Security app permissions enable you to see which user-installed applications have access to Office 365 data, what permissions the apps have, and which users granted these apps access. We found you haven’t investigated and banned OAuth apps connected in your tenant. We found that your enablement of this feature is set to false. If you block access to a risky OAuth App, your score will go up by 15 points.”

Threats – Data Exfiltration & Data Spillage

Recommendations & Thoughts

One consideration is whether you have the licensing to use the Cloud App Security feature from the Security and Compliance Center. This feature requires EMS E5, or a separate add-on, to make it available. Otherwise it does appear to be a good recommendation. It certainly needs to be evaluated case by case depending on what apps you are using in your tenant and whether there is any need to analyze the authentication used.

Maybe – only because this is an instance where the apps and the consequences of the change need to be analyzed.

—————————————————————————————————————————————————————

Detect Insider Threat, Compromised account, and Brute force attempts in cloud applications

According to Microsoft

“Cloud App Security anomaly detection policies provide UEBA and advanced threat detection across your cloud environment. We found you haven’t reviewed anomaly detection alerts in your tenant. We found the enablement of this feature is set to False. If you remediate an alert, your score will go up by 15 points.”

Threats – Account Breach, Elevation of Privilege & Malicious Insider

Recommendations & Thoughts

Another feature that requires Cloud App Security, and thus an EMS E5 license, to use. If you have the right licensing, this is a worthy feature to enable in your tenant.

Yes. Do this. There are enough attacks out there that this should be monitored in Office 365.

————————————————————————————————————————————————————

Enable self-service password reset

According to Microsoft

“You should enable self-service password reset because this allows banned password checking every time a user resets a password. You have ‘X’ users out of ‘Y’ without self-service password reset. If you enable this, your score will go up 5 points.”

Threats – Password Cracking & Account Breach

Recommendations & Thoughts

Self-service password reset is a good feature for your tenant as it alleviates some of the pressure on, and effort of, any company’s help desk team.

** Note ** This requires configuration in Azure AD and P1 licensing in order to get the full effect.

Yes. Put this in place. Pilot it first as there are many options to enable to get this just right for your user base.

—————————————————————————————————————————————————————

Do not allow mailbox delegation

According to Microsoft

“You should ensure that your users do not use mailbox delegation. While there are many legitimate uses of mailbox delegation, it also makes it much easier for an attacker to move laterally from one account to another to steal data. We found that you had ‘X’ active accounts out of ‘Y’ with mailbox delegation. If you remove delegate permissions from all of your mailboxes, your score will go up 1 point.”

Threats – Account Breach, Elevation of Privilege, & Malicious Insider

Recommendations & Thoughts

There are way too many legitimate uses of this feature for me to recommend not using mailbox delegation. Understand that, like a lot of other convenient features in Exchange Online, there is always a risk that the resource will be used as an attack vector.

Maybe – only because you may be in an environment where this is possible. Maybe you’ve never used delegation or permissions or anything like this. In that case, this should be pretty easy. However, the vast majority of my clients use mailbox delegation in some form or fashion and would have a hard time not using this feature.
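Before deciding, it helps to know exactly how much delegation is in use and of which kind. The following is an added example, not code from the book, using Exchange Online PowerShell; it assumes a connected session, and the function name Get-MailboxDelegationReport is my own:

```powershell
# Added example (not from the book). Assumes an Exchange Online PowerShell session is
# already open (Connect-ExchangeOnline or a remote PowerShell session). Reports every
# explicit delegation on user mailboxes: Full Access, Send As and Send on Behalf.
# Nothing is removed; the optional removal command is shown at the end.
function Get-MailboxDelegationReport {
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

    foreach ($mbx in $mailboxes) {
        # Full Access: explicit (non-inherited, non-deny) grants to anyone other than the owner
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
                           $_.AccessRights -contains 'FullAccess' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = "$($_.User)"; Right = 'FullAccess' }
            }

        # Send As is held on the recipient, not the mailbox permission list
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { "$($_.Trustee)" -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = "$($_.Trustee)"; Right = 'SendAs' }
            }

        # Send on Behalf is stored as a list on the mailbox object itself
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = "$d"; Right = 'SendOnBehalf' }
        }
    }
}

# Usage:
# $report = Get-MailboxDelegationReport
# $report | Group-Object Mailbox | Select-Object Name, Count    # the Secure Score "X active accounts"
# $report | Group-Object Right  | Select-Object Name, Count    # how much of it is Full Access vs. Send As
# To remove a Full Access grant you have decided is no longer needed:
# Remove-MailboxPermission -Identity <mailbox> -User <delegate> -AccessRights FullAccess -Confirm:$false
```

Reviewing the report per mailbox owner (rather than removing everything) is the realistic path for the delegation-heavy environments described above.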

—————————————————————————————————————————————————————

Discover risky and non-compliant Shadow IT applications used in your organization

According to Microsoft

“Cloud discovery analyzes firewall traffic logs to provide visibility into cloud application usage and security posture of each. Log collectors enable you to easily automate log upload from firewall appliances in your network. We found your tenant doesn’t have continuous discovery report configured. We found that your enablement of this feature is set to False. If you add a data source, your score will go up by 20 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This feature comes as part of the previously mentioned Cloud App Security, so it requires EMS E3 or an add-on to use. It can provide some worthwhile reports if you need help with this part of your infrastructure.

If you have the licenses, then I would certainly enable the feature. If you don’t, but have other items in Office 365 that require an E5, it may be worth getting the E5 for those features and then utilizing all the features therein.

—————————————————————————————————————————————————————

Set automated notification for new OAuth applications connected to your corporate environment

According to Microsoft

“App permission policies enable you to discover OAuth abuse in the org by identifying trending applications based on usage & permissions granted. We found that your enablement of this feature is set to False. If you enable this feature, your score will go up by 20 points.”

Threats – Account Breach, Elevation of Privilege & Malicious Insider

Recommendations & Thoughts

This seems like a good, no-brainer feature to enable. If there is a way to monitor these types of connections, I am sure the security people or department at your organization would like to see what is being used when connecting.

Yes. This is a security enhancement with little to no downsides. So definitely do it!

—————————————————————————————————————————————————————

Enable sign-in risk policy

According to Microsoft

“You should enable sign-in risk policy. This will ensure that suspicious sign-ins are challenged for MFA. We found that you had ‘X’ users out of ‘Y’ that did not have sign-in risk policy enabled. If you enable sign-in risk policy for those ‘Y’ users, your score will go up 30 points.”

Threats – Password Cracking & Account Breach

Recommendations & Thoughts

Another good security recommendation from Microsoft for maintaining the integrity of logins to your Office 365 tenant. I would be hard pressed to find a good reason not to enable this feature.

Yes. This is a definite one to implement. It may require additional licensing.

—————————————————————————————————————————————————————

Enable user risk policy

According to Microsoft

“You should enable user risk policy. This will ensure that potentially compromised users are automatically remediated. We found that you had ‘X’ users out of ‘Y’ that did not have user risk policy enabled. If you enable user risk policy for those ‘Y’ users, your score will go up 30 points.”

Threats – Password Cracking & Account Breach

Recommendations & Thoughts

This is a feature that should be investigated before implementing it for any users in Office 365. However, it does sound like a good idea in order to, again, ensure account login integrity for your Office 365 tenant.

Yes. This is a feature that should be enabled. Just like any change of this nature, test as much as possible before rolling it out to all of the users that will be targeted by this policy.

—————————————————————————————————————————————————————

Enable policy to block legacy authentication

According to Microsoft

“Blocking legacy authentication makes it harder for attackers to gain access. Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. In order for these clients to use modern authentication features, the Windows clients have registry keys set. You have ‘X’ of ‘Y’ users that don’t have legacy authentication blocked.”

Threats – Password Cracking & Account Breach

Recommendations & Thoughts

This is an easy yet hard one to make a recommendation on. The reason is simply that you would have to know what legacy authentication apps are out there. If this cannot be validated, it will be hard to turn legacy authentication off tenant wide.

Yes. With a caveat. If you have no apps using legacy authentication, then it is a definite yes. Otherwise, there should be an effort made to eliminate these connections.

—————————————————————————————————————————————————————

Enable Office 365 Cloud App Security Console

According to Microsoft

“You should adopt the Office 365 Cloud App Security Console. This console will allow you to set up policies to alert you about anomalous and suspicious activity. We found that your enablement of this feature is set to False. If you enable this feature, your score will go up by 20 points.”

Threats – Account Breach, Elevation of Privilege, Malicious Insider, Data Exfiltration & Data Spillage

Recommendations & Thoughts

If you have the licensing for the Cloud App Security Console, then there is no reason not to do this.

Yes. Like a lot of other recommendations, this is seemingly a no-brainer as it will help the admin get better visibility into their own tenant.

—————————————————————————————————————————————————————

Set automated notifications for new and trending cloud applications in your organization

According to Microsoft

“Discovery policies enable you to set alerts that notify you when new apps are detected within your organization. We found your tenant doesn’t have any app discovery policies configured. We found the enablement of this feature is set to False. If you enable this feature, your score will go up by 15 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

Since this is all about discovery and notifying the admin of changes, I am all for it. IT should have visibility into what is installed in its environment, and this is a good step in that direction.

Yes. Turn it on. No other comment needs to be made.

—————————————————————————————————————————————————————

Enable Advanced Threat Protection safe attachments policy

According to Microsoft

“You should enable the Office 365 Advanced Threat Protection Safe Attachments feature. This will extend the malware protections in the service to include routing all messages and attachments that don’t have a known virus/malware signature to a special hypervisor environment where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. We found that your enablement is set to False. If you enable Safe Attachments, your score will go up 15 points.”

Threats – Phishing/Whaling & Spoofing

Recommendations & Thoughts

This task should only appear if you have an ATP license or E5 in your tenant. If you have that, then yes, this should be enabled.

Yes. Protect your users from bad attachments now!

—————————————————————————————————————————————————————

Enable Advanced Threat Protection safe links policy

According to Microsoft

“You should enable the Office 365 Advanced Threat Protection Safe Links feature. This will extend the phishing protection in the service to include redirecting all email hyperlinks through a forwarding service which will block malicious ones even after it has been delivered to the end user. We found that your enablement is set to False. If you enable Safe Links, your score will go up 15 points.”

Threats – Phishing/Whaling & Spoofing

Recommendations & Thoughts

Same as the previous ATP feature. Same comment on licensing and visibility.

Yes. Have the license? Enable it.

—————————————————————————————————————————————————————

Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps

According to Microsoft

“Activity policies enable you to detect risky behavior, violations, or suspicious data points in your cloud environment, and if necessary, to integrate remediation work flows. We found your tenant didn’t have any activity policies configured. We found the enablement of this feature is set to False. If you enable this policy, your score will go up by 10 points.”

Threats – Account Breach, Elevation of Privilege & Malicious Insider

Recommendations & Thoughts

Another automated security monitoring feature for your tenant. Implement it.

Yes. If you have the required licenses, enable it.

—————————————————————————————————————————————————————

Identify Shadow IT application usage in your organization by automating log upload from firewalls

According to Microsoft

“Cloud Discovery analyzes firewall traffic logs to provide visibility into cloud application usage and security posture of each. We found your tenant didn’t have Cloud Discovery configured. We found that your enablement of this feature is set to False. If you create a new Cloud Discovery snapshot report, your score will go up by 5 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

Requires Cloud App Discovery licenses, so if you have the license, then yes, do this.

Yes, implement this.

—————————————————————————————————————————————————————

Create a Microsoft Intune Compliance Policy for iOS

According to Microsoft

“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on the security compliance of a managed device. We found that an enablement of iOS Compliance Policy is False. If you create and assign an iOS Compliance Policy, your score will go up 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This one is a ‘depends’, because it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Compliance Policy for Android

According to Microsoft

“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on the security compliance of a managed device. We found that an enablement of Android compliance policy is False. If you create and assign an Android Compliance Policy, your score will go up 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This one is a ‘depends’, because it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Compliance Policy for Android for Work

According to Microsoft

“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on the security compliance of a managed device. We found that an enablement of Android for Work compliance policy is False. If you create and assign an Android for Work Compliance Policy, your score will go up 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This one is a ‘depends’, because it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Compliance Policy for Windows

According to Microsoft

“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on the security compliance of a managed device. We found that an enablement of Compliance Policy for Windows is False. If you create and assign a Windows Compliance Policy, your score will go up 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This one is a ‘depends’, because it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams help decide how to implement these policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Compliance Policy for macOS

According to Microsoft

“Microsoft Intune Compliance Policies compare a device’s security configuration and health against an admin defined baseline. Corporate data and resources can be restricted based on the security compliance of a managed device. We found that an enablement of compliance policy for macOS is False. If you create and assign a macOS Compliance Policy, your score will go up 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This one is a ‘depends’, because it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams help decide how to implement these policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune App Protection Policy for iOS

According to Microsoft

“Microsoft Intune App Protection Policies provide data security and data loss prevention for iOS and Android apps. We found that an enablement of Intune App Protection Policies is False. If you create and assign an iOS App Protection Policy, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This one is a ‘depends’, because it depends on your licensing and on whether you already have a third party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement the policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune App Protection Policy for Android

According to Microsoft

“Microsoft Intune App Protection Policies provide data security and data loss prevention for iOS and Android apps. We found that you have no Intune App Protection Policies for Android configured. We found that an enablement of Intune App Protection Policies for Android is False. If you create and assign an Android App Protection Policy, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

On this one the answer is "it depends", because it hinges on your licensing and on whether you already have a third-party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement these policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Windows Information Protection Policy

According to Microsoft

“Windows Information Protection provides data security and data loss prevention for Windows 10. We found that an enablement of Windows Information Protection policies is False. If you create and assign a Windows Information Protection Policy, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This can be done with Intune, SCCM and some other third-party apps as well (https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). This is a form of DLP and worth investigating.

Yes. Protect your workstations.

————————————————————————————————————————————————————

Create a Microsoft Intune Configuration Profile for iOS

According to Microsoft

“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for iOS is False.”

Threats – Data Exfiltration

Recommendations & Thoughts

On this one the answer is "it depends", because it hinges on your licensing and on whether you already have a third-party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement these policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Configuration Profile for Android

According to Microsoft

“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for Android is False. If you create and assign an Android Configuration Profile, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

On this one the answer is "it depends", because it hinges on your licensing and on whether you already have a third-party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement these policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Configuration Profile for Android for Work

According to Microsoft

“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for Android for Work is False. If you create and assign an Android for Work Configuration Profile, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

On this one the answer is "it depends", because it hinges on your licensing and on whether you already have a third-party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement these policies.

Yes, if you are going to use Intune. If not, a third-party application could be used and marked as such.

—————————————————————————————————————————————————————

Create a Microsoft Intune Configuration Profile for Windows

According to Microsoft

“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for Windows is False. If you create and assign a Windows Configuration Profile, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

On this one the answer is "it depends", because it hinges on your licensing and on whether you already have a third-party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement these policies.

Yes, if you are going to use Intune. Otherwise no.

—————————————————————————————————————————————————————

Create a Microsoft Intune Configuration Profile for macOS

According to Microsoft

“Microsoft Intune Configuration Profiles configure device security options for mobile devices. We found that an enablement of Intune Configuration Profiles for macOS is False. If you create and assign a macOS Configuration Profile, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

On this one the answer is "it depends", because it hinges on your licensing and on whether you already have a third-party MDM solution in place. If you have licensing for Intune and are not using another MDM solution, then this is something that should be implemented. I would recommend that your legal and security teams be looped in so they can help decide how to implement these policies.

Yes, if you are going to use Intune. Otherwise no.

—————————————————————————————————————————————————————

Mark devices with no Microsoft Intune Compliance Policy assigned as Non-Compliant

According to Microsoft

“If users are not targeted by Microsoft Intune Compliance Policies, they may be accessing corporate data on unmanaged/insecure devices. By configuring this setting, you’re marking devices Not Compliant by default if the user has no Compliance Policy assigned. We found that your enablement of this feature is set to False. If you set this to Not Compliant, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

This is only really valid if you are using no MDM solution at all. However there are plenty of organizations that are not using Intune and already have an app to handle this management.

This is an automatic check, and while it can be ignored, you won’t get any points for it if it is ignored.

—————————————————————————————————————————————————————

Enable Enhanced Jailbreak Detection in Microsoft Intune

According to Microsoft

“Enhanced Jailbreak detection uses Location Services to trigger Jailbreak evaluation more frequently. By enabling Enhanced Jailbreak detection, your score will go up by 10 points. We found that your enablement of this feature is set to false. By enabling Enhanced Jailbreak detection, your score will go up by 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

If using Intune, this is a good feature. Being able to handle jailbroken phones in a BYOD corporate environment is key.

Yes, if using Intune, otherwise no because it would not make any sense.

—————————————————————————————————————————————————————

Enable Windows Defender ATP integration into Microsoft Intune

According to Microsoft

“Windows Defender ATP provides visibility into your organizations security posture and provides recommendations to improve it. We found that your enablement of this feature is set to False. Connect Windows Defender ATP with Microsoft Intune to up your score 10 points.”

Threats – Data Exfiltration

Recommendations & Thoughts

Have Intune licensing? Then this makes sense to use.

Yes, if licensed, otherwise no.

—————————————————————————————————————————————————————

Enable mobile device management services

According to Microsoft

“You should use a mobile device management service such as Office 365 Mobile Device Management or Microsoft Intune. Devices, especially mobile devices, are vulnerable to attacks such as malware that can lead to account and data breaches. We found that your enablement of mobile device management services is False. If you enable a mobile device management service, your score will go up 20 points.”

Threats – Account Breach, Data Exfiltration & Data Spillage

Recommendations & Thoughts

If you are not using a third-party product, then this should be used. The basic MDM can be used with certain license levels. An additional license would be required if using the higher-end MDM.

Yes, implement.

—————————————————————————————————————————————————————

Review blocked devices report weekly

According to Microsoft

“You should review your blocked devices report weekly. You should do this to look for devices and users that violated your mobile device management policies so you can determine if those violations were malicious or non-malicious. If you review this report, your score will go up 5 points.”

Threats – Account Breach, Data Exfiltration & Data Spillage

Recommendations & Thoughts

It’s a report, read it.

Yes. No further response needed.

—————————————————————————————————————————————————————

Require PC and Mobile devices to be patched, have anti-virus, and firewalls enabled

According to Microsoft

“You should configure your mobile device management policies to require the PC and mobile device to be patched, have anti-virus, and have a firewall enabled. If you do not require this, users will be able to connect from devices that are vulnerable to basic Internet attacks, leading to potential breaches of accounts and data. We found that your policy is configured to [Not Measured]. If you enable this policy, your score will increase by 10 points.”

Threats – Account Breach, Data Exfiltration & Data Spillage

Recommendations & Thoughts

In an ideal world, yes. If this can be enabled in your environment and be successful then it’s a yes.

Yes. Anything that can be done to keep managed devices up to date on patches is a good thing.

—————————————————————————————————————————————————————

Enable MFA for all global admins

According to Microsoft

“You should enable MFA for all of your admin accounts because a breach of any of those accounts can lead to a breach of any of your data.”

Microsoft considers this to be of high importance and has assigned 50 points to this task alone.

Threats – Account Breach and Elevation of Privilege

Recommendations & Thoughts

This change will only affect the Global Admins of your Office 365 tenant; no end users will be affected by it. The second factor is typically a code sent via text message to a cell phone registered to that user and then entered when prompted. This change is worth it; however, it may cause issues for anything that uses PowerShell programmatically with no way to enter the second factor. Possible scenarios for this are Quest migration tools and scheduled PowerShell scripts that run against Office 365 workloads.

Clicking on ‘Launch Now’ for this feature takes you right to the MFA configuration in Azure AD – MFA Page. Quite convenient and no need to dig into Azure AD to find this to enable it.

Although it will not work for 100% of your Office 365 scenarios, I would enable MFA for as many Global Admins as you can, if not all of them. ** Note ** An AADP P1 license is not required for Administrator MFA.
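As an added example (not from the book), the following MSOnline script lists the Global Admins whose per-user MFA is not yet enforced, so you can see how far along the task is before clicking ‘Launch Now’. It assumes Connect-MsolService has already been run; ‘Company Administrator’ is MSOnline’s internal name for the Global Administrator role.

```powershell
# Added example, not from the book. Assumes Connect-MsolService has been run.
# StrongAuthenticationRequirements reflects only the per-user MFA state set on the Azure AD MFA page;
# MFA enforced through Conditional Access does not show up here.
function Get-GlobalAdminMfaStatus {
    $role = Get-MsolRole -RoleName 'Company Administrator'   # MSOnline's name for Global Administrator
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $user  = Get-MsolUser -UserPrincipalName $_.EmailAddress
            $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
            if (-not $state) { $state = 'Disabled' }   # per-user MFA states: Disabled, Enabled, Enforced
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                MfaState          = $state
                MethodsRegistered = @($user.StrongAuthenticationMethods).Count
            }
        }
}

$status = @(Get-GlobalAdminMfaStatus)
$status | Format-Table -AutoSize

# "Enabled" means registration has been requested but not completed; only "Enforced" means the
# second factor is actually required at sign-in.
$gaps = @($status | Where-Object { $_.MfaState -ne 'Enforced' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) Global Admin account(s) without enforced MFA:"
    $gaps | ForEach-Object { Write-Warning "  $($_.UserPrincipalName) ($($_.MfaState))" }
}
```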

—————————————————————————————————————————————————————

Enable MFA for all users

According to Microsoft

“You should enable MFA for all of your user accounts because a breach of any of those accounts can lead to a breach of any data that user has access to.”

Microsoft considers this to be of high importance and has assigned 30 points to this task.

Threats – Account Breach and Elevation of privilege

Recommendations & Thoughts

This is one of those features that can turn into a double-edged sword. Adding a layer of security to protect end-users from a data breach is generally considered a good idea. However, this change will disrupt an end-user’s normal flow when logging into apps for Office 365. They will have to use a second factor of authentication. While some organizations can require this for auditing or compliance reasons, most organizations may see this change as overkill for regular user accounts.

Clicking on ‘Launch Now’ for this feature takes you right to the MFA configuration in Azure AD – MFA Page. Quite convenient and no need to dig into Azure AD to find this to enable it.

If your users can be trained and adjust to the extra login step, then setting this feature up would be worth it as Microsoft has stated that MFA will prevent 99+% of attacks.

————————————————————————————————————————————————————

Enable audit data recording

According to Microsoft

“You should enable audit data recording for your Office 365 service to ensure that you have a record of every user and administrator’s interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should it ever occur. ”

Microsoft has assigned this one 15 total points, making it of lower importance than the previously reviewed tasks.

Threats – Account Breach, Data Exfiltration, Data Deletion, Elevation of Privilege, Malicious Insider

Recommendations & Thoughts

As this turns on auditing of all user and admin activity and runs within the service (i.e. no extra load or end-user impact), it’s hard to argue against enabling this feature. The auditing is useful for determining what your admins are doing in your tenant as well as what the end users are doing. You can even review end-user activity and check security information relating to password changes.

Yes, enable this feature because of its added benefits in your tenant.

—————————————————————————————————————————————————————

Review sign-ins after multiple failures report weekly

According to Microsoft

“You should review the Azure AD Sign-ins after multiple failures report at least every week. This report contains records of accounts that have successfully signed-in after multiple failures, which is an indication that the account has a cracked password.”

Microsoft has assigned this one 15 total points, making it of lower importance than some other tasks.

Threats – Account Breach, Password Cracking

Recommendations & Thoughts

Certainly an easy requirement to meet. The key thing is that this requirement needs to be met on a weekly basis. One can assume that if the information is not reviewed within that week’s time frame, the Secure Score would drop by 15 points.

Put this on a weekly or bi-weekly reminder so that you get the points and so that your environment is monitored that much more closely. So, this is a recommended action to take.

—————————————————————————————————————————————————————

Set outbound spam notifications

According to Microsoft

“You should set your Exchange Online Outbound Spam notifications to copy and notify someone when a sender in your tenant has been blocked for sending excessive or spam emails. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails to other people.”

Microsoft has assigned this one 15 total points, making it of lower importance than some other tasks.

Threats – Account Breach, Phishing/Whaling, Spoofing

Recommendations & Thoughts

Any feature or automatic function that helps with outgoing or incoming Spam is welcome. In this case a notification for excessive outbound SPAM is key to alerting an admin to a possible issue with a user’s account.

Turn this feature on for sure, it’s an easy 15 points.

Review sign-ins from unknown sources report weekly

According to Microsoft

“You should review the Azure AD Sign-Ins from Unknown Sources Report at least every week. This report contains records of accounts that have signed-in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network). This isn’t necessarily bad, but it is relatively rare, and could be an indication of a breached account.”

Microsoft has assigned this one 10 total points, making it a low importance.

Threats – Account Breach

Recommendations & Thoughts

Another no-brainer. It’s a report. Read it.

Again, it’s a serious no-brainer. Ten easy points for your Secure Score.

—————————————————————————————————————————————————————

Review sign-ins from multiple geographies report weekly

According to Microsoft

“You should review the Azure AD Sign-ins from Multiple Geographies Report at least every week. This report contains records of successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. This isn’t necessarily bad, and there are several potential causes including sharing passwords, using VPNs, or using devices with unusual IP addresses. You should still be aware of the sources of these as it can be a very clear indication of a breached account.”

Microsoft has assigned this one 10 total points, making it a low importance.

Threats – Account Breach

Recommendations & Thoughts

Even if you are a small company, this report should be reviewed for any suspicious activity.

Again, it’s a serious no-brainer. Ten easy points for your Secure Score.

—————————————————————————————————————————————————————

Review role changes weekly

According to Microsoft

“You should review user role group changes at least every week. There are several ways you can do this, including simply reviewing the list of users in different administrative role groups in the Office 365 Admin Portal, or by reviewing role administration activity in the last week from the Audit Log Search. You should do this because you should watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful things in your tenancy.”

Microsoft has assigned this one 10 total points, making it a low importance.

Threats – Account Breach, Elevation of Privilege

Recommendations & Thoughts

This one takes a bit more work than the past couple of tasks. It requires one of two things: (1) keep a previous list of Global Admins / other admins and compare it to what is currently configured, or (2) run an Admin Audit Log report looking for these changes. Perhaps the easiest way to do this is a scheduled task that exports the result to a weekly report for review. The included ‘Review’ link for this feature only takes you to the list of users in your organization, so the trigger for this task is not obvious and it is possible that a PowerShell script alone may not be enough.

This is worth the effort and should be put on your task list.
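An added example (not the book’s own script) covering option (1) and option (2) above: it compares the current Global Admin list with a saved baseline, then pulls the week’s role membership changes from the unified audit log. It assumes the MSOnline module (Connect-MsolService) and an Exchange Online PowerShell session are both connected; the baseline path is an assumed location.

```powershell
# Added example, not the book's own script. Assumes Connect-MsolService and an Exchange Online
# PowerShell session are connected; the baseline path below is an assumed location.
$BaselinePath = 'C:\SecureScore\GlobalAdmins-baseline.csv'   # assumed location
$RoleName     = 'Company Administrator'                       # MSOnline's name for Global Administrator

# Option (1): current Global Admins versus the list saved at the last review.
$role    = Get-MsolRole -RoleName $RoleName
$current = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId |
             Select-Object -ExpandProperty EmailAddress | Sort-Object -Unique)

if (-not (Test-Path $BaselinePath)) {
    # First run: save the list you have just reviewed as the baseline and stop.
    $current | ForEach-Object { [pscustomobject]@{ UserPrincipalName = $_ } } |
        Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline created with $($current.Count) Global Admins. Re-run next week."
    return
}

$baseline = @(Import-Csv $BaselinePath | Select-Object -ExpandProperty UserPrincipalName | Sort-Object -Unique)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
if (-not $diff) {
    Write-Output 'No Global Admin membership changes since the baseline was taken.'
} else {
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$change $($d.InputObject)"
    }
    # Overwrite the baseline only after the differences have been reviewed and accepted:
    # $current | ForEach-Object { [pscustomobject]@{ UserPrincipalName = $_ } } | Export-Csv -Path $BaselinePath -NoTypeInformation
}

# Option (2): who changed any role membership in the last week, from the unified audit log.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 1000 `
    -Operations 'Add member to role.','Remove member from role.' |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            Actor     = $data.UserId                                   # who made the change
            Targets   = ($data.Target | ForEach-Object { $_.ID }) -join '; '   # affected user and role
        }
    } | Format-Table -AutoSize
```

Run it from a weekly scheduled task and keep the CSV it produces with the rest of your review evidence.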

—————————————————————————————————————————————————————

Store user documents in OneDrive for Business

According to Microsoft

“You should store user documents in OneDrive for Business because it safeguards this content against data loss.”

Microsoft has assigned this one 10 total points, making it a low importance.

Threats – Data Exfiltration, Data Deletion

Recommendations & Thoughts

With recent improvements in the product, OneDrive is a good opportunity for customers to leverage a sharing platform, especially if all of their users are in Office 365. Automatic file rollback, files on demand, and file versioning as well as protection from ransomware all make for a good use case scenario. Sharing possibilities as well as integration with Office, Exchange and more also provide benefits to end users in Office 365.

While not all organizations will be convinced to use this feature, due to limitations of storage, compliance or security requirements, Microsoft has a compelling product at this time. Using OneDrive for your organization is a decision that needs to be planned for and then executed properly, while realizing the caveats of moving to a cloud storage platform.

—————————————————————————————————————————————————————

Enable Information Rights Management (IRM) services

According to Microsoft

“You should enable IRM services so that your users can implement encryption and data leakage policies on specific documents and emails. This will make it more difficult for an attacker to steal valuable data.”

Threats – Data Spillage, Data Exfiltration

Recommendations & Thoughts

If you have the proper licensing for this and have data that needs to be protected, then this is an option that should be pursued. With regulations that are either in process or in place today, having a way to control and protect your data and corporate information is paramount and may save you fines down the road.

** Note ** The ‘Launch Now’ button takes you to Rights Management from the main Admin page in your Office 365 tenant.

If you have the licensing for this feature and have sensitive data to protect in OneDrive, SharePoint or email, enabling this is a must.

—————————————————————————————————————————————————————

Use audit data

According to Microsoft

“You should consume your audit data either through the audit log search or through the Activity API to a third party security information system at least every week. This data enables a wide range of illicit activity detection and security breach scoping and investigation capabilities. Consuming and reviewing it regularly makes it less likely that an attacker will operate in your tenancy undetected for long periods of time.”

Microsoft has assigned this one five total points, making it a low importance.

Threats – Account Breach, Data Exfiltration, Data Deletion, Elevation of Privilege, Malicious Insider

Recommendations & Thoughts

Office 365 provides this for free and it is a valuable resource for monitoring activity in your Office 365 tenant. Any responsible admin should use logging, whether on-premises or in Office 365. Given that it takes so little to set up (just enable it) and costs your internal resources ‘0’ to maintain, it would seem to be a smart task to add to your list of management / monitoring tasks.

** Note ** Clicking on ‘Review’ takes you to the same Audit Log Search page we used to enable auditing to begin with. Integrating this with your SIEM product may add cost if it charges by events per minute.

Absolutely this should be monitored for your tenant.
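An added example (not from the book) that serves both this task and the ‘Enable audit data recording’ task above: it checks the ingestion switch, then pages one week of audit data out of Search-UnifiedAuditLog into a flat CSV that a SIEM or a reviewer can consume. It assumes an Exchange Online PowerShell session; the output path is an assumed location.

```powershell
# Added example, not from the book. Assumes an Exchange Online PowerShell session is connected.

# 1. The switch behind "Enable audit data recording". Turning it on is not retroactive:
#    only activity after this point is recorded.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output 'Unified audit log ingestion was off and has now been enabled.'
}

# 2. Weekly consumption. One call returns at most 5000 records, so page through a named
#    session (ReturnLargeSet) until a page comes back short.
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "SecureScoreWeekly-$(Get-Date -Format yyyyMMddHHmm)"
$records   = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records.AddRange([object[]]@($page)) }
} while ($page -and @($page).Count -eq 5000)

# 3. Flatten the JSON in AuditData so each row is usable in Excel or a SIEM.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $r.CreationDate
        RecordType = $r.RecordType
        Workload   = $d.Workload
        Operation  = $r.Operations
        User       = $r.UserIds
        ClientIP   = $d.ClientIP
        ObjectId   = $d.ObjectId
    }
}
$report = "C:\SecureScore\UnifiedAudit-$(Get-Date -Format yyyyMMdd).csv"   # assumed output path
$rows | Export-Csv -Path $report -NoTypeInformation
Write-Output "$(@($rows).Count) audit records written to $report"

# 4. First-pass summary: which workloads and operations generated the week's volume.
#    Also a quick way to size SIEM ingestion (the events-per-minute cost mentioned above).
$rows | Group-Object Workload, Operation | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```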

—————————————————————————————————————————————————————

Do not use transport rule to external domains

According to Microsoft

“You should set your Exchange Online mail transport rules to not forward mail to domains not registered in your tenancy. Attackers will often create these rules to exfiltrate data from your tenancy.”

Microsoft has assigned this one five total points, making it a low importance.

Threats – Account Breach, Data Exfiltration, Data Spillage, Malicious Insider

Recommendations & Thoughts

I can see the benefits of not having transport rules forwarding emails to external email addresses. It would take some effort for an external attacker to find the rule that would allow for this, but it could happen. That being said, I don’t think this is a big deal necessarily and to be honest, I haven’t run into any clients that have this sort of rule set up.

I would recommend removing any of these transport rules. If a rule is needed for business reasons, it should be reviewed to see if there are other options available.

—————————————————————————————————————————————————————

Do not use transport white lists

According to Microsoft

“You should set your Exchange Online mail transport rules to not whitelist specific domains. Doing so bypasses regular malware and phish scanning, which can enable an attacker to launch attacks against your users from a safe haven domain”

Microsoft has assigned this one five total points, making it a low importance.

Threats – Phishing/Whaling, Spoofing

Recommendations & Thoughts

I am of a mixed opinion on this one as whitelisting is a fact of life. The one caveat to this is I think Microsoft wants to restrict the whitelisting to individual email addresses versus a carte blanche whitelisting of an entire domain. While I can understand Microsoft’s point, the flip side is if a lot of email addresses from one domain need whitelisting, then whitelisting a domain might be the best solution.

The recommendation here is a maybe, simply because of the two choices that need to be made. If you can use the restrictive single-email-address whitelisting, that would be ideal. However, if an entire domain needs to be whitelisted, do so understanding the caveats Microsoft expresses.

—————————————————————————————————————————————————————

Review mailbox forwarding rules weekly

According to Microsoft

“You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users’ email is not being exfiltrated.”

Microsoft has assigned this one five total points, making it a low importance.

Threats – Account Breach, Data Exfiltration, Malicious Insider

Recommendations & Thoughts

Add this one to your weekly task list. This way you won’t be surprised to find what mailboxes are forwarding to where.

Do this one for sure. Make it one of your tasks. No question.

—————————————————————————————————————————————————————

Review mailbox access by non-owners report bi-weekly

According to Microsoft

“You should review the Mailbox Access by Non-Owners report at least every other week. This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time, and can help discover malicious insider activity sooner.”

Threats – Account Breach, Data Exfiltration, Malicious Insider

Recommendations & Thoughts

Typically this sort of action is performed by a security team or security person, depending on your company. However, for a smaller IT shop, this would just be another weekly task for the Office 365 Administrator. Having been a part of a few forensic investigations, the more information you have to uncover things, the better it is for yourself and for your employer.

Do it. Add it to your weekly lists.

—————————————————————————————————————————————————————

Review malware detections report weekly

According to Microsoft

“You should review the Malware Detections report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn’t strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigations.”

Microsoft has assigned this one five total points, making it a low importance.

Threats – Phishing/Whaling

Recommendations & Thoughts

Like antivirus reporting for your PCs and servers, having a malware report for your messaging environment is ideal. There should be no doubt that an Office 365 admin should review these reports on a constant basis.

Do it. Add it to your weekly lists.

—————————————————————————————————————————————————————

Designate more than one global admin

According to Microsoft

“You should designate more than one global tenant administrator because that one admin can perform malicious activity without the possibility of being discovered by another admin. We found that you have ‘X’ admins designated. If you designate at least two admins (but not more than five), your score will go up points.”

Microsoft has assigned this one two total points, making it a low importance.

Threats – Malicious Insider

Recommendations & Thoughts

While in most security cases we would want to limit the number of admins with full rights to an environment, having a single account with all the rights is a bad idea as well. So the recommendation for more than one account with Global Admin rights is a valid task to perform.

Highly recommended. If you have this task, do it now.

————————————————————————————————————————————————————

Do not use mail forwarding rules to external domains

According to Microsoft

“You should not use mail forwarding rules to forward user mail to external domains. While there are some legitimate uses, attackers will often create these rules to exfiltrate data from your tenancy.”

Microsoft has assigned this one one total point, making it a low importance.

Threats – Account Breach, Data Exfiltration, Malicious Insider

Recommendations & Thoughts

This is similar to the task about transport rules forwarding to external domains, but this task covers forwarding configured on mailboxes to external domains. However, as Microsoft expresses in the task description above, there are some legitimate reasons for these. These business cases should be evaluated on a case-by-case basis to see if there are other solutions.

I rate this a maybe as it will depend on what your needs are as a company. As Microsoft has rated this one point, I would certainly put this lower on your priority list.
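An added example (not the book’s script) that serves this task together with ‘Do not use transport rule to external domains’ and ‘Review mailbox forwarding rules weekly’ above: it walks transport rules, mailbox-level forwarding and user inbox rules, and reports every target that lies outside your accepted domains. It assumes an Exchange Online PowerShell session; the output path is an assumed location.

```powershell
# Added example, not the book's script. Assumes an Exchange Online PowerShell session is connected.
$internalDomains = Get-AcceptedDomain | Select-Object -ExpandProperty DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rules render recipients as  "Name" [SMTP:user@domain]  and mailbox forwarding as  smtp:user@domain.
    if ($Address -match '(?i)smtp:([^\]\s>"]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return ($Address -like '*@*' -and $internalDomains -notcontains $domain)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Transport rules that redirect, Bcc or add recipients ("Do not use transport rule to external domains").
foreach ($rule in Get-TransportRule) {
    $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) + @($rule.AddToRecipients) | Where-Object { $_ }
    foreach ($t in $targets) {
        if (Test-ExternalAddress "$t") {
            $findings.Add([pscustomobject]@{ Source = 'TransportRule'; Object = $rule.Name; Target = "$t"; State = $rule.State })
        }
    }
}

# 2. Mailbox-level forwarding ("Do not use mail forwarding rules to external domains").
#    ForwardingAddress points at a recipient object (often a mail contact), so resolve it to an SMTP address.
$filter = 'ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null'
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter $filter) {
    if ($mbx.ForwardingSmtpAddress) {
        $target = "$($mbx.ForwardingSmtpAddress)"
    } else {
        $target = "$((Get-Recipient -Identity "$($mbx.ForwardingAddress)").PrimarySmtpAddress)"
    }
    if (Test-ExternalAddress $target) {
        $findings.Add([pscustomobject]@{ Source = 'MailboxForwarding'; Object = $mbx.UserPrincipalName; Target = $target
                                         State = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)" })
    }
}

# 3. User-created inbox rules ("Review mailbox forwarding rules weekly"). This is the slow part:
#    one Get-InboxRule call per mailbox.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($ir in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($ir.ForwardTo) + @($ir.ForwardAsAttachmentTo) + @($ir.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                $state = if ($ir.Enabled) { 'Enabled' } else { 'Disabled' }
                $findings.Add([pscustomobject]@{ Source = 'InboxRule'; Object = "$($mbx.UserPrincipalName) / $($ir.Name)"; Target = "$t"; State = $state })
            }
        }
    }
}

$report = "C:\SecureScore\ExternalForwarding-$(Get-Date -Format yyyyMMdd).csv"   # assumed output path
$findings | Export-Csv -Path $report -NoTypeInformation
Write-Output "$($findings.Count) external forwarding path(s) written to $report"
```

Compare each week’s CSV with the previous one; a forwarding target that appears without a matching change request is the case the three tasks are asking you to catch.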

—————————————————————————————————————————————————————

SPO Sites have classification policies

According to Microsoft

“You should setup and use SharePoint Online data classification policies on data stored in your SharePoint Online sites. This will help categorize your most important data so that you can effectively protect it from illicit access, and will help make it easier to investigate discovered breaches.”

Microsoft has assigned this one 10 total points, making it a medium importance.

Threats – Data Exfiltration, Data Spillage, Malicious Insider

Recommendations & Thoughts

If you have someone who can work to classify data (internally or a consultant), then this is a task worth pursuing. If only for the benefit of knowing the importance of the data stored in SharePoint, that effort alone is worth it. Combined with DLP or other rights management policies, the classifications become a powerful tool for data control against leakage and loss.

If you are able to, this should be on your list of tasks to complete.

—————————————————————————————————————————————————————

Review devices sign-in report weekly

According to Microsoft

“You should review your device sign-in report weekly. You should do this to look for anomalous or new device sign-ins from potentially breached user accounts.”

Microsoft has assigned this one 10 total points, making it a medium importance.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

Depending on what is deployed for device management, this could be a valuable task to perform. If you are using MDM or Intune, then you may already be restricting new devices or device sign-ins.

If you are not using an MDM solution then perhaps this report will help you spot something that is new and may not be one of your user’s devices. If you have MDM, obviously use it to control access and use the reports for validation of your efforts to control access.

—————————————————————————————————————————————————————

Do not allow anonymous calendar sharing

According to Microsoft

“You should not allow anonymous calendar sharing. This feature allows your users to share the full details of their calendars with external, unauthenticated users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.”

Microsoft has assigned this one 10 total points, making it a medium-importance item.

Threats – Data Spillage

Recommendations & Thoughts

I find this feature useful for sharing a calendar with an external entity or person. While I understand Microsoft’s contention that this information could be used for reconnaissance or other nefarious activities, it’s my opinion that there can be some legitimate uses for anonymous calendar sharing. Should everyone be able to do this? Probably not, but it should be available for true business cases.

If you can, don’t use this feature, in line with Microsoft’s real-world recommendation. Be aware that setting this could block a potentially useful feature down the road.

—————————————————————————————————————————————————————

Do not allow external domain Skype / Teams communications

According to Microsoft

“You should not allow your users to communicate with Skype users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat in that those external users will now be able to interact with your users over Skype for Business. Attackers may be able to pretend to be someone your user knows, and then send malicious links or attachments, resulting in an account breach, or leaked information.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

I find this recommendation a bit odd. As a consultant, I find being able to communicate with my clients, who use a variety of domains, to be a great resource to have at my disposal. In fact, almost every company I’ve used Skype or Lync with has enabled external sharing.

I rate this one as a no. While I understand the trade-off involved in the anonymous sharing, I also see real-world use of allowing anonymous sharing.
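
There is a middle ground between "open to the whole internet" and "off" that keeps the consultant use case above working. As an added example (not code from the book or from Microsoft), this keeps federation enabled but limits it to named client domains and turns off consumer Skype accounts, which cannot be tied to any known organization. It assumes a Skype for Business Online / Teams PowerShell session and the client domains are placeholders:

```powershell
# Added example (not from the book): scoped federation instead of all-or-nothing.
# Assumes Connect-MicrosoftTeams (or the older Skype for Business Online session) has been
# run. The domain names are placeholders for the clients you actually work with.

# Current state: AllowFederatedUsers = any federated domain, AllowPublicUsers = consumer Skype.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains

# Build an allow list from the client domains (placeholders).
$clientDomains = "client-one.example", "client-two.example"
$patterns  = $clientDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# Federation stays on, but only for the listed domains; consumer Skype is turned off.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowList -AllowPublicUsers $false

# Verify the change took.
Get-CsTenantFederationConfiguration | Format-List AllowFederatedUsers, AllowPublicUsers, AllowedDomains
```

The allow list replaces the previous one rather than adding to it, so keep the list of client domains in source control or a ticket and re-run the block when a client is added or dropped.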

—————————————————————————————————————————————————————

Review account provisioning activity report weekly

According to Microsoft

“You should review your account provisioning activity report at least weekly. This report includes a history of attempts to provision accounts to external applications. If you don’t usually use a third party provider to manage accounts, any entry on the list is likely illicit. But, if you do, this is a great way to monitor transaction volumes, and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Account Breach, Elevation of Privilege, Malicious Insider

Recommendations & Thoughts

Going to keep this one simple. It’s a report and one that should be checked. Add this to your weekly checklist.

Add it to your to do’s!

—————————————————————————————————————————————————————

Review non-global administrators weekly

According to Microsoft

“You should review non-global administrator role group assignments at least every week. While these roles are less powerful than a global admin, they do grant special privileges that can be used illicitly. If you see something unusual contact the user to confirm it is a legitimate need.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Account Breach, Elevation of Privilege, Malicious Insider

Recommendations & Thoughts

Same as the previous one. Any sort of report, even for slightly elevated permissions, should be reviewed.

Add it to your to do’s!
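
Reading the full list every week gets skipped once it is long; diffing it against last week’s list does not. As an added example (not code from the book or from Microsoft), this uses the AzureAD module to snapshot every non-global admin role assignment, compare it with the previous snapshot, and cross-check against the unified audit log for the same week. It assumes Connect-AzureAD and Connect-ExchangeOnline have been run, and the CSV path is a placeholder:

```powershell
# Added example (not from the book): weekly non-global admin role review by diffing
# against last week's snapshot. Assumes Connect-AzureAD and Connect-ExchangeOnline have
# been run; C:\SecureScore\ is a placeholder path.

$baselinePath = "C:\SecureScore\admin-roles-baseline.csv"

# Every activated directory role except Global Administrator, which the AzureAD module
# lists under its legacy name "Company Administrator", together with each role's members.
$current = foreach ($role in Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -ne "Company Administrator" }) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Users carry a UPN; service principals and groups only have a display name.
        $name = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
        [pscustomobject]@{ Role = $role.DisplayName; Member = $name; Type = $member.ObjectType }
    }
}

$baseline = if (Test-Path $baselinePath) { @(Import-Csv $baselinePath) } else { @() }

if ($baseline.Count -eq 0) {
    Write-Host "No baseline yet; review the full list below, it will be saved as the baseline."
    $current | Sort-Object Role, Member | Format-Table Role, Member, Type -AutoSize
} else {
    # "=>" rows are assignments added since last week, "<=" rows were removed.
    $changes = Compare-Object -ReferenceObject $baseline -DifferenceObject @($current) -Property Role, Member
    if ($changes) {
        $changes | Sort-Object Role | Format-Table Role, Member, SideIndicator -AutoSize
    } else {
        Write-Host "No non-global admin role changes since the last review."
    }
}

# Cross-check with the unified audit log for the same week: a role change that appears in
# one source but not the other is the one to look at first.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -Operations "Add member to role.", "Remove member from role." |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# This week's snapshot becomes next week's baseline.
$current | Export-Csv -Path $baselinePath -NoTypeInformation
```

The same pattern, with the "Company Administrator" filter removed, gives you the global admin review as well; keep the two baselines in separate files so a change in one list is not hidden by noise in the other.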

—————————————————————————————————————————————————————

Do not allow calendar details sharing

According to Microsoft

“You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.”

Threats – Data Spillage

Recommendations & Thoughts

For most scenarios, sharing the full details of your calendar externally is a bad idea. In select scenarios where you are sharing information with a sister company, subsidiary, partner or other trusted entity, this option makes sense. There is a middle ground where the setting can be changed to Free/Busy only, with no details shared beyond that.

This recommendation ends up in the ‘Maybe’ pile. In most cases this should be off, or, if necessary, sharing should be changed to Free/Busy only.
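
Both this item and the earlier ‘Do not allow anonymous calendar sharing’ item are governed by the same Exchange Online sharing policy, so here is the middle ground in one place, as an added example (not code from the book or from Microsoft). It assumes you have connected to Exchange Online PowerShell; the partner domain and mailbox address are placeholders:

```powershell
# Added example (not from the book): calendar sharing policy for external and anonymous
# users. Assumes Connect-ExchangeOnline has been run; domain and UPN are placeholders.

# 1. Inspect what the default policy currently allows. Each entry is "<domain>:<action>".
#    An "Anonymous:" entry means anonymous (public link) calendar sharing is on, and
#    "*:CalendarSharingFreeBusyReviewer" means full details go to any external domain.
Get-SharingPolicy -Identity "Default Sharing Policy" | Format-List Name, Enabled, Domains

# 2. The middle ground: every external domain gets Free/Busy only. -Domains replaces the
#    whole list, so leaving the "Anonymous:" entry out turns anonymous sharing off.
Set-SharingPolicy -Identity "Default Sharing Policy" -Domains "*:CalendarSharingFreeBusySimple"

# 3. A narrow exception for a trusted partner that needs time, subject and location.
#    A separate policy keeps the exception visible and easy to revoke later.
New-SharingPolicy -Name "Partner calendar details" `
    -Domains "partner.example.com:CalendarSharingFreeBusyDetail", "*:CalendarSharingFreeBusySimple"

# 4. Assign the exception only to the mailboxes that need it, then list every mailbox
#    that carries something other than the default policy so the exceptions stay reviewed.
Set-Mailbox -Identity "jane.doe@contoso.example" -SharingPolicy "Partner calendar details"
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.SharingPolicy -and $_.SharingPolicy -notlike "*Default Sharing Policy*" } |
    Select-Object UserPrincipalName, SharingPolicy
```

Users who already published an anonymous calendar link keep nothing once the policy no longer allows it; the published URL stops resolving, which is worth telling those users before the change rather than after.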

IRM protections applied to documents

According to Microsoft

“You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

If your Office 365 tenant has any confidential data, documents or intellectual property stored in it, enabling IRM is THE way to go. The same applies to securing emails. Enabling encryption or making use of IRM for certain emails is a good thing in Office 365.

This one is a definite if you have emails, documents, etc. that need to be protected from being copied or leaked outside your company.

—————————————————————————————————————————————————————

IRM protections applied to email

According to Microsoft

“You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

Like the previous recommendation for using IRM for documents and files in Office 365, securing your emails can be just as important. Maybe you have emails that need to remain internal or perhaps they need to be blocked from printing, forwarding and more. IRM is the solution for this. If you have the licensing for these features, investing time in applying this functionality is worth it.

Again, if you have licensing for this, do it. Secure your emails and prevent potential data leakage.
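
For the email half of the two IRM items above, here is what the rollout looks like in Exchange Online PowerShell, as an added example (not code from the book or from Microsoft). It turns IRM on, verifies it for a test sender, and applies the built-in ‘Do Not Forward’ protection automatically to mail that leaves the organization carrying a confidential marking. It assumes Connect-ExchangeOnline has been run and that Azure Information Protection / Azure RMS is licensed for the tenant; the header name, header value and UPN are placeholders you would align with your own classification labels:

```powershell
# Added example (not from the book): IRM for email in Exchange Online.
# Assumes Connect-ExchangeOnline has been run and Azure RMS is licensed. The header name,
# header value and test UPN are placeholders.

# 1. Enable Azure RMS licensing for Exchange Online and confirm it works for a test sender.
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Test-IRMConfiguration -Sender "jane.doe@contoso.example"

# 2. See which templates can be applied. The built-in ones are "Do Not Forward" and
#    "Encrypt"; custom Azure Information Protection templates also show up here.
Get-RMSTemplate | Format-Table Name, Type

# 3. Mail flow rule: messages going outside the organization that carry the classification
#    header get "Do Not Forward", which blocks forwarding, printing and copying for the
#    recipient while still letting them read the message.
New-TransportRule -Name "IRM - confidential mail leaving the organization" `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader "X-Classification" `
    -HeaderContainsWords "Confidential" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Comments "Secure Score item: IRM protections applied to email"

# 4. Check that the rule exists, is enabled, and applies the expected template.
Get-TransportRule -Identity "IRM - confidential mail leaving the organization" |
    Format-List Name, State, SentToScope, HeaderContainsMessageHeader, HeaderContainsWords, ApplyRightsProtectionTemplate
```

Keying the rule on a header set by your classification tool, rather than on words in the subject, means a user cannot defeat it by rewording the subject line, and it keeps the rule from firing on every message that happens to contain the word ‘confidential’.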

—————————————————————————————————————————————————————

Configure expiration time for external sharing links

According to Microsoft

“You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account and then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared.”

Microsoft has assigned this one two total points, making it a very low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

This setting is for your SharePoint links that are shared out anonymously. The links could be shared with internal personnel, but are more likely to be shared with people outside of your organization. Tweaking the default expiration from never expiring to something more realistic like 30, 90 or 120 days would be a good practice.

This is a must. Any anonymous links should have some sort of expiration.

—————————————————————————————————————————————————————

Tag documents in SharePoint

According to Microsoft

“You should apply labels to documents in SharePoint Online. If you use document classification tags, you can author rules that leverage the label to implement specific retention/deletion policies using data loss protection (DLP) in the Security and Compliance Center. In the future there will be more DLP actions possible when labels are detected on documents.”

Microsoft has assigned this one two total points, making it a very low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

If you plan to use DLP to control content in your tenant, then having a categorization system, or at least a plan for how documents should be labeled, will make applying controls later much easier. Labeling your content will also make it easier to manage later even without DLP. Take some time to plan out these labels with content owners.

Worth the time if you have content that needs to be managed online.

—————————————————————————————————————————————————————

Review list of external users you have invited to documents monthly

According to Microsoft

“You should review the list of external users that you have invited to sensitive documents on a weekly basis. Attackers that have compromised accounts with sharing privileges will be able to expose sensitive data to external users for long periods of time without regular review of who has access.”

Microsoft has assigned this one two total points, making it a very low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

External sharing, similar to the anonymous links, is something that should be monitored because the access is granted to people outside of your organization. The method to check the access, however, as directed by Secure Score, is far from ideal. Depending on your experience level, using PowerShell to generate these reports automatically might be a better option. SharePoint experts have already published scripts that do this.

Just do it. This is a no-brainer.

—————————————————————————————————————————————————————

Disable accounts not used in last 30 days

According to Microsoft

“You should disable any accounts that have not been used in the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Elevation of Privilege, Malicious Insider

Recommendations & Thoughts

For this task, I think 30 days is a bit aggressive. A slightly less aggressive approach of 90 days may be better. Either way, it does point out a weak area that is sometimes overlooked: accounts for people who have left or are on leave. In some cases there are legitimate reasons to leave the accounts in place, and sometimes these are accounts that are simply forgotten about. The biggest issue I see with this task is that user management in the Office 365 Admin center does not expose last logon times. You cannot even create a ‘Custom View’ for this. To find this, PowerShell might be your best bet.

I put this at a yes, with caveats, because of the 30 days. This isn’t to say you shouldn’t review these accounts, and the interface Microsoft recommends is lacking. You should have a process in place for off-boarding users.
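
Since the admin center will not give you last logon times, here is the PowerShell route, as an added example (not code from the book or from Microsoft). It reports user mailboxes with no logon in the last 90 days (the window preferred above; set $days to 30 for Microsoft’s) and keeps the disabling step separate and opt-in. It assumes Connect-ExchangeOnline and Connect-AzureAD have been run; the file paths are placeholders. One caveat: LastLogonTime is the mailbox logon seen by Exchange, not the Azure AD sign-in, so treat it as an indicator and confirm with the manager or HR before disabling anything.

```powershell
# Added example (not from the book): stale user accounts by mailbox last logon.
# Assumes Connect-ExchangeOnline and Connect-AzureAD have been run; paths are placeholders.
# Caveat: LastLogonTime is Exchange's view, not the Azure AD sign-in log.

$days   = 90
$cutoff = (Get-Date).AddDays(-$days)

# Only real user mailboxes: shared, room and equipment mailboxes are not logged on to in
# the same sense and would all show up as false positives.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $stats = Get-MailboxStatistics -Identity $mbx.UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $mbx.UserPrincipalName
        DisplayName       = $mbx.DisplayName
        WhenCreated       = $mbx.WhenCreated
        LastLogonTime     = $stats.LastLogonTime
        AccountDisabled   = $mbx.AccountDisabled
    }
}

# Stale = still enabled, and either last logon before the cutoff, or never logged on but
# created before the cutoff (a brand-new account with no logon yet is not stale).
$stale = $report | Where-Object {
    -not $_.AccountDisabled -and (
        ($_.LastLogonTime -and $_.LastLogonTime -lt $cutoff) -or
        (-not $_.LastLogonTime -and $_.WhenCreated -lt $cutoff)
    )
}

$stale | Sort-Object LastLogonTime | Format-Table UserPrincipalName, LastLogonTime, WhenCreated -AutoSize
$stale | Export-Csv -Path "C:\SecureScore\stale-accounts.csv" -NoTypeInformation

# Opt-in disable step: read back only the rows a person has reviewed and kept.
# AccountEnabled $false blocks sign-in without deleting the account or mailbox, so a user
# who is on leave can simply be re-enabled later.
$confirmed = Import-Csv -Path "C:\SecureScore\stale-accounts-confirmed.csv"
foreach ($user in $confirmed) {
    Set-AzureADUser -ObjectId $user.UserPrincipalName -AccountEnabled $false
    Write-Host "Disabled sign-in for $($user.UserPrincipalName)"
}
```

Splitting report and action into two runs with a reviewed file in between is deliberate: it is the off-boarding process the paragraph above asks for, with a human approval in the middle, rather than a script that disables whoever happens to be on vacation.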

—————————————————————————————————————————————————————

Allow anonymous guest sharing links for sites and docs

According to Microsoft

“You should allow your users to use anonymous guest sharing links for SharePoint Online sites and documents. While there are inherent risks in sharing documents anonymously, Microsoft has found that when anonymous sharing is disabled, users often use more risky methods of sharing sites and documents, email for example. A proactive approach would be to enable anonymous sharing links for customers while also educating users on the pitfalls with sharing anonymously and monitoring links shared for signs of exfiltration by an attacker.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

The irony is thick with this one, but as Microsoft points out, it makes sense. Allowing users to send out anonymous links to external users is better than alternative methods like email or even another file service like Dropbox. If users are sending out anonymous links, you have control over how long they are active and can create reports on what is shared as well.

This is a good one to implement IF you follow the previous recommendation of restricting how long the links are active for.
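
The three SharePoint items above (link expiration, the monthly external-user review, and allowing anonymous links with limits) come together in the SharePoint Online Management Shell, so here they are as one added example (not code from the book or from Microsoft). It assumes the SharePoint Online Management Shell is installed; the tenant admin URL and the output path are placeholders:

```powershell
# Added example (not from the book): anonymous link limits plus an external-user review.
# Assumes the SharePoint Online Management Shell; admin URL and output path are placeholders.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: what the tenant currently allows. RequireAnonymousLinksExpireInDays = -1 means
# anonymous links never expire.
Get-SPOTenant | Format-List SharingCapability, RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType, DefaultSharingLinkType

# After: anonymous links stay available (so users do not fall back to e-mail or consumer
# file services), but they expire in 30 days, are view-only, and are never the default
# link type a user gets from the Share button.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
    -RequireAnonymousLinksExpireInDays 30 `
    -FileAnonymousLinkType View -FolderAnonymousLinkType View `
    -DefaultSharingLinkType Internal

# Monthly review of external (authenticated guest) users across the tenant. The cmdlet
# returns at most 50 per call, so page through until a page comes back short.
$external = @()
$position = 0
do {
    $page = Get-SPOExternalUser -Position $position -PageSize 50
    if ($page) { $external += $page }
    $position += 50
} while ($page.Count -eq 50)

$external |
    Sort-Object WhenCreated -Descending |
    Select-Object DisplayName, Email, WhenCreated, AcceptedAs |
    Export-Csv -Path "C:\SecureScore\external-users.csv" -NoTypeInformation

# Quick triage: guests invited in the last 30 days, and guests on consumer mail domains,
# which are the ones a compromised account is most likely to have invited.
$external | Where-Object { $_.WhenCreated -gt (Get-Date).AddDays(-30) } |
    Format-Table DisplayName, Email, WhenCreated -AutoSize
$external | Where-Object { $_.Email -match '@(gmail\.com|outlook\.com|hotmail\.com|yahoo\.com)$' } |
    Format-Table DisplayName, Email, WhenCreated -AutoSize
```

The expiration applies to links created after the change; links that were already shared keep their original settings, so the first review after turning this on should include the existing links as well.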

—————————————————————————————————————————————————————

Enable Data Loss Prevention policies

According to Microsoft

“You should enable Data Loss Prevention (DLP) policies to help protect your data from accidental or malicious exposure. DLP allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords, and will alert users and administrators that this data should not be exposed.”

Microsoft has assigned this one 20 total points, making it a higher-importance item.

Threats – Data Exfiltration, Data Spillage

Recommendations & Thoughts

If you deal with PII like credit cards, Social Security Numbers, bank account numbers and more, then implementing DLP is a must. Microsoft provides quite a few default templates for these data types, covering more than just US data types. If a data type isn’t present, then you can create a custom classification to be used against emails or documents in your tenant.

If you have the license to use DLP and have PII in the cloud, this is an absolute must to enable.
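
What a first DLP policy looks like from the Security & Compliance PowerShell, as an added example (not code from the book or from Microsoft): two of the built-in sensitive information types, a low-volume rule that warns and lets the user justify, and a high-volume rule that blocks external access outright. The policy is created in test mode first so users see the policy tip and admins get the incident report without anything being blocked yet. It assumes Connect-IPPSSession has been run; the reporting address is a placeholder:

```powershell
# Added example (not from the book): DLP policy for credit card numbers and US SSNs.
# Assumes Connect-IPPSSession has been run; $reportTo is a placeholder address.

$policyName = "PII - Financial and SSN"
$reportTo   = "secops@contoso.example"

# Policy in test mode: detections are reported and users see tips, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Credit card and US SSN in mail, SharePoint and OneDrive" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Low volume (1-9 instances): policy tip, access blocked unless the user overrides with a
# business justification, and an incident report to the security mailbox.
New-DlpComplianceRule -Name "PII - low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";                minCount = "1"; maxCount = "9" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; maxCount = "9" }
    ) `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains card or SSN data. Remove it or justify sharing it." `
    -BlockAccess $true -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $reportTo -IncidentReportContent Title, Detections, Severity

# High volume (10 or more): block external access with no override, and report.
New-DlpComplianceRule -Name "PII - high volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";                minCount = "10" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "10" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport $reportTo -IncidentReportContent Title, Detections, Severity

# Review the incident reports for a week or two, then switch enforcement on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The two-tier design matters more than the specific counts: one card number in an e-mail is usually a customer service reply, while a spreadsheet with hundreds is the bulk exfiltration the Secure Score text is worried about, and treating both the same way is how DLP ends up disabled after the first week of user complaints.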

—————————————————————————————————————————————————————

Enable Advanced Security Management Console

According to Microsoft

“You should adopt the Office 365 Advanced Security Management Console. This console will allow you to set up policies to alert you about anomalous and suspicious activity. We found that your subscription to Advanced Security Management Console is set to False.”

Microsoft has assigned this one 20 total points, making it a higher-importance item.

Threats – Account Breach, Elevation of Privilege, Data Exfiltration, Malicious Insider, Data Spillage

Recommendations & Thoughts

This is a feature Microsoft added back in 2016 to give admins a deeper look into suspicious activity. The only caveat to it being on this list is the licensing requirement for its usage – “Advanced Security Management is available in Office 365 Enterprise E5 or as an add-on subscription to Office 365”. If you have E3 licensing, you will not be able to complete this task.

My take is if you have E5 and can access this then you absolutely must. Dig deeper into your tenant.

—————————————————————————————————————————————————————

Require mobile devices to use a password

According to Microsoft

“You should require your users to use a password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

When creating a policy for securing mobile devices, having some sort of PIN or password should be one of the first settings configured. The setting will at least prevent easy device access if the device is lost or stolen.

Definitely one to configure. This should be a basic mobile device security setting.

—————————————————————————————————————————————————————

Require mobile devices to block access and report policy violations

According to Microsoft

“You should configure your mobile device management policies to block access to devices that violate your policy and to report those violations to an administrator. Users will be able to connect with non-compliant devices unless you block access, leading to vulnerable devices connecting to your data.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

If you don’t have a third party MDM solution in place now, then this is a valid policy setting to put in place to keep mobile devices secure.

If using the built in MDM or Intune, then this setting should be put in place.

—————————————————————————————————————————————————————

Require mobile devices to manage email profile

According to Microsoft

“You should configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

Similar to the previous two, this is a function of a good Mobile Device Management (MDM) solution. Even with Bring Your Own Device (BYOD) in today’s Office 365 environment, being able to control corporate data is a good thing.

If using the built in MDM or Intune, then this setting should be put in place. Outlook App profiles cannot be managed.

—————————————————————————————————————————————————————

Do not allow simple passwords on mobile devices

According to Microsoft

“You should require your users to use a complex password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”

Microsoft has assigned this one two total points, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

This goes hand in hand with requiring a password and is an enhancement of the password policy once it’s in place.

If using the built in MDM or Intune, then this setting should be put in place. Otherwise use Exchange ActiveSync policies.

—————————————————————————————————————————————————————

Require mobile devices to use alphanumeric password

According to Microsoft

“You should require your users to use a complex password with at least two character sets (letters and numbers, for example) to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

More complex passwords should be put in place.

If using the built in MDM or Intune, then this setting should be put in place. Otherwise use Exchange ActiveSync policies.

—————————————————————————————————————————————————————

Require mobile devices to use encryption

According to Microsoft

“You should require your users to use encryption on their mobile devices. Unencrypted devices can be stolen and their data extracted by an attacker very easily.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

Encrypting mobile devices is one way to protect any sensitive data that may be on your mobile devices. This feature provides another layer to your other configuration settings.

If using the built in MDM or Intune, then this setting should be put in place. Otherwise use Exchange ActiveSync policies.

—————————————————————————————————————————————————————

Require mobile devices to lock on inactivity

According to Microsoft

“You should require your users to configure their mobile devices to lock on inactivity. Attackers can steal unlocked devices and access data and account information.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

Like your desktop or laptop, having an idle lockout is a good policy. This way if you accidentally misplace the device or set it down for a period of time, it will automatically lock out other people from accessing the device.

If using the built in MDM or Intune, then this setting should be put in place. Otherwise use Exchange ActiveSync policies.

—————————————————————————————————————————————————————

Require mobile devices to have minimum password length

According to Microsoft

“You should require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

Continuing on the line of password protection for mobile devices, this simply requires a minimum password length, similar to how you configure this for your Active Directory login. The minimum length should not be something like one or two characters; it should probably be at least six or eight characters.

If using the built in MDM or Intune, then this setting should be put in place. Otherwise use Exchange ActiveSync policies.

—————————————————————————————————————————————————————

Require mobile devices to wipe on multiple sign-in failures

According to Microsoft

“You should require your users to wipe the contents of the mobile device after no more than 10 sign-in failures. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. We found that your mobile device policy requiring wipe after multiple failed sign-ins is set to wipe after infinite failures.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Leakage

Recommendations & Thoughts

In today’s world of BYOD a lot of organizations are hesitant to implement such a policy. There are some that are prepared for complete device wipes by educating their users on the ramifications of this policy. Others will issue their own devices. However, in some cases simply using App security instead of device security eliminates the need for this policy altogether.

This is a solid maybe because it depends on if you have BYOD, issued devices or are using app security to handle mobile devices. Make a decision based on your device and user base for this one.

—————————————————————————————————————————————————————

Do not allow Jail-Broken or rooted mobile devices to connect

According to Microsoft

“You should not allow your users to connect with mobile devices that have been jail-broken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

For corporate devices or mobile devices accessing corporate data, a jail-broken or rooted device should be blocked. If a user wants to keep such a device, it is best kept as a personal device and not connected to any internal systems.

Apply this setting.

—————————————————————————————————————————————————————

Require mobile devices to never expire password

According to Microsoft

“While this is not the most intuitive recommendation, research has found that when periodic password resets are enforced, passwords become weaker as users tend to pick something weaker and then use a pattern of it for rotation. If a user creates a strong password: long, complex and without any pragmatic words present, it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

Mixed feelings on this one. If this policy is put in place, I would recommend a longer, more complex password for securing devices. The problem here becomes the end user and the way they handle passwords. If they can choose a good, secure password, this is a good policy. If, however, they do not, then obviously the reverse becomes true.

Enable long complex passwords if enabling this.

—————————————————————————————————————————————————————

Do not allow mobile device password re-use

According to Microsoft

“You should not allow your users to re-use the same password on their mobile devices. Devices without this protection are vulnerable to being accessed by attackers who can then steal account credentials, data, or install malware on the device.”

Microsoft has assigned this one one total point, making it a very low-importance item.

Threats – Account Breach, Data Exfiltration, Data Spillage

Recommendations & Thoughts

If passwords change over time, then not re-using passwords makes sense. Otherwise, if a password were compromised and a user later re-used that compromised password, it could lead to a security breach.

Not repeating passwords is a good policy to put in place.
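
Every mobile device item from ‘Require mobile devices to use a password’ down to this one maps onto a setting of the Exchange ActiveSync mobile device mailbox policy, which is the fallback named above when Intune or the built-in MDM is not in use, so here they are in one place as an added example (not code from the book or from Microsoft). It also covers the ‘block access and report policy violations’ item through the organization-wide ActiveSync access setting. It assumes Connect-ExchangeOnline has been run; the admin address is a placeholder, and the values are the ones from the text (six characters, ten failures) or common defaults. Jailbreak detection is not something ActiveSync policies can do; that one needs Intune or another MDM.

```powershell
# Added example (not from the book): Exchange ActiveSync policy covering the mobile
# device items above. Assumes Connect-ExchangeOnline has been run; the admin mailbox is a
# placeholder. Splatting is used so each setting can carry its own comment.

# 1. Device settings on the Default policy, which every mailbox without an explicit
#    policy assignment uses.
$policy = @{
    Identity                     = "Default"
    PasswordEnabled              = $true          # require a PIN/password
    AllowSimplePassword          = $false         # no 1234 / 0000 style PINs
    AlphanumericPasswordRequired = $true          # letters and numbers
    MinPasswordComplexCharacters = 2              # at least two character sets
    MinPasswordLength            = 6              # minimum length from the text
    MaxInactivityTimeLock        = "00:05:00"     # lock after five minutes idle
    MaxPasswordFailedAttempts    = 10             # wipe after ten failed attempts
    PasswordHistory              = 5              # block re-use of the last five
    PasswordExpiration           = "Unlimited"    # never expire (Microsoft's position)
    RequireDeviceEncryption      = $true          # device encryption required
    AllowNonProvisionableDevices = $false         # devices that cannot enforce the policy are blocked
}
Set-MobileDeviceMailboxPolicy @policy

# 2. "Block access and report": any device not explicitly allowed is quarantined rather
#    than let in, the admin is mailed, and the user sees why they are waiting.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mdm-admin@contoso.example" `
    -UserMailInsert "Your device is waiting for approval by IT before it can sync mail."

# 3. Verify the policy and list the devices currently held in quarantine for review.
Get-MobileDeviceMailboxPolicy -Identity "Default" |
    Format-List Password*, MaxInactivityTimeLock, RequireDeviceEncryption, AllowNonProvisionableDevices
Get-MobileDevice -ResultSize Unlimited -Filter "DeviceAccessState -eq 'Quarantined'" |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, FirstSyncTime -AutoSize
```

Quarantine rather than Block as the default is the practical choice for a BYOD population: a new phone is held, not refused, and the admin mail is the report the Secure Score item asks for. The wipe-after-failures setting is the one to discuss with users before it goes live, for the reasons given under ‘Require mobile devices to wipe on multiple sign-in failures’.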

—————————————————————————————————————————————————————

Enable customer lockbox feature

According to Microsoft

“You should enable the customer lockbox feature. This will require Microsoft to get your approval for any datacenter operation that grants a Microsoft employee direct access to any of your content.”

Microsoft has assigned this one five total points, making it a low-importance item.

Threats – Data Exfiltration, Data Deletion, Data Spillage

Recommendations & Thoughts

This is another feature on the list that requires an E5 license, so if you don’t have one, then this one won’t apply to you. I personally do not like this option. If you want true security or control, then providing this access would go against that philosophy. While you can limit access to your data and set an expiration on it, I believe a more interactive approach is called for when there is an issue.

This one recommendation is a no for me. If you need Microsoft’s help, they are more than happy to use their screenshare technology, and while this does grant them a view into the environment, it can be limited and controlled by you. I would rather grant the access and watch. A controlled over-the-shoulder setup is ideal for the administrator to provide input while learning how to resolve an issue.
