What Is EMS?
EMS (Enterprise Mobility & Security) is a Microsoft security suite for mobile and desktop devices. EMS is designed to work with Windows 10 and to use Azure security services to manage the device and user infrastructure. Two capabilities of EMS are extremely useful for companies: EMS protects and empowers workers to better perform the duties assigned to them, and EMS allows the CISO to manage user activity and prevent bad actors from accessing the data. One of the latest features to be deployed in Azure AD is smart lockout. Smart lockout locks out bad actors who are trying to guess your users’ passwords. The Azure intelligence is built so that the service recognizes when a password is under attack and forces the account to re-authenticate.
There are many password programs and methods. We may think our passwords are unique, but in many cases they are not and have already been compromised. When you deploy EMS subscriptions (or, in this case, one of the Microsoft 365 suites), your users’ accounts benefit from protections that Microsoft keeps updating as the threat landscape changes. This capability is included in the Azure Active Directory Premium P2 component of the EMS suite.
Looking at the business from a CISO point of view, a CISO now can deploy the sets of tools and services that protect the company assets. In Chapter 3, we configured the security score for both Office 365 and the Windows Security Center to manage our environment; now we are taking a deep dive to tightly configure our environment to manage the information that we communicate internally and externally in the organization. To get started, let’s look at the components of EMS and understand how we are going to deploy them in our business.
Adding the Azure AD Privileged Identity Management
There are three Azure AD services that we will configure in our Azure dashboard. We are going to walk through the steps of the initial configuration of these services. In some cases, the services have additional configuration or customization.
Azure AD Privileged Identity Management
Azure AD Identity Protection
Azure Information Protection
EMS includes Intune. Intune is the Mobile Device Management component of EMS and is the focus of Chapter 5. In Chapter 5, we will set up two types of device management: a Mobile Application Management (MAM) deployment and a full Mobile Device Management (MDM) deployment. Before we jump into device management, let’s focus on information protection and identity management.
Let’s begin the process of configuring the different information and identity services for our EMS deployment.
Note
Azure Information Protection is briefly covered later in this chapter. My goal is to address the issues associated with identity management and device management and give you an overview of Azure Information Protection. Azure Information Protection is an important topic, but it is an orthogonal topic that is best covered as a stand-alone feature.
Step 1: Adding Azure AD Privileged Identity Management
Privileged Identity Management (PIM) is used to manage user accounts’ access to higher-level administrative functions. All of the new compliance audits require that IT administrators operate at the lowest level of permissions possible. Besides, this is just good business practice. Here, we are using PIM to manage administrator access to the global administrator role. The user accounts that require access are set up as password administrators. This is a lower-risk admin role since all users in our environment are running multifactor authentication. So, if a bad actor gains control of such an administrator account, that person can only reset passwords of accounts with a lower privilege level, and since those users are running MFA, the exposure is minimal (users can reset their own passwords, and a reset requires a mobile number to confirm identity). All of the administrator accounts have a Microsoft 365 E5 subscription assigned to them. In the configuration that we are walking through, the administrator account that is used to set up the PIM service has Microsoft 365 E5. If you set up the service with an account without Microsoft 365 E5, you will get an error during configuration. The error is generated because you need an EMS E5 license component, that is, the Azure AD Premium P2 license. This license is included with Microsoft 365 E5 or EMS E5, but not with EMS E3.
PIM creates a new level of security controls for your administrators. Typically, organizations like to maintain control over administrator accounts, so the user operates at a lower level of administrator. When a user needs to operate at a higher level, such as global admin, they use PIM to request approval for the higher level of access. The elevated permissions are granted for only a limited time, and then the user account is reduced to its previous level. This is a compliance requirement and allows you to control the access of users and verify their access against the type of work they are performing.
Note
In Chapter 3, we touched briefly on Compliance Manager. We did not go into too much detail (Compliance Manager is a book in itself), but we provided some requirements for control. As an example, NIST 800-35 contains a compliance requirement to use the minimal permissions needed to manage the environment. To meet this directive, you need a tool like PIM, where access to the global admin role is activated for a limited period of time. This reduces the risk of a credential breach.
Step 2: Verifying Your Identity
Step 3: Set Up PIM
The next step is to select the Active Directory role and sign up for access. This sets the user account as the security manager for the PIM process. Once you have PIM in place, the users’ access is managed. Configuring user access is described later in this chapter. At this point, the goal is to set up PIM so you can manage user access to the global admin account.
Step 4: Configure the Initial Role
As an example, take a user who is a password administrator and wants to run as a global administrator. The user logs into Azure, accesses PIM, and requests the global administrator access. The role is assigned for a limited period of time (30 minutes in this example) to allow the user to perform the necessary actions. Global administrator rights are temporary. At the end of the time period, the user permission is restored to the nonglobal admin permissions.
PIM requires that the user have some administrator privilege level to use the service. We use password administrator as the default administrator role (all our users have MFA deployed, so this has little impact on users if an authorized administrator account is compromised). At this point, we will move to the next step and set up Identity Access Manager.
Adding the Azure AD Identity Protection
Step 1: Installing Azure AD Identity Protection
To install Azure AD Identity Protection, open the Azure dashboard at https://portal.azure.com, click “Create a resource,” click Identity, and click Azure AD Identity Protection (see Figure 4-16). This will start the installation of the Azure AD Identity Protection service. Azure AD Identity Protection is the service that monitors user access to Office 365 and Azure resources. Once you select the resource, click Create and pin the resource to your Azure dashboard. This will create the Azure subsystems necessary to use the resource you selected.
Note
Azure resources are dependent on the EMS license type. In our case, we are using the Microsoft 365 E5 license for all configuration (which includes the EMS E5 subscription). If you do not have the Microsoft 365 E5 license in your tenant, you may not be able to fully configure the resources we are using.
Step 2: Setting Alerts in Azure Identity Protection
1. Click Alerts.
2. Set the alert level to Low.
3. Click Included and then + Add (to add a user who receives the alerts).
4. Select the user.
5. Click the Select button.
6. Click Done.
7. Click Save.
Step 3: Setting Up a Weekly Digest in Azure Identity Protection
Step 4: Configure the Risk Policy
There are three different configurations for a risk policy. A risk policy defines the actions taken on a user account to protect company information. A risk can be a password attack or any type of activity that is nonstandard user behavior. Risk level is what the business assigns to different levels of attacks on an account that may become compromised (e.g., the credentials are stolen). To combat risk, you may force users to authenticate with MFA. Keep in mind that any action you take in a risk policy is a global action and affects all users. After you have configured Office 365 and see the type of events that are happening, you can tighten the different risk policies to have better control over Office 365 user access. The critical users that you want to worry about are the administrators. The administrators are the targeted users in Office 365.
Configuring risk policies for the administrators and making them subject to MFA is simple. You add the administrator users that you want subject to the MFA authentication and you enforce the MFA policy. In this example, we selected two users, set the controls to require MFA, and set enforced to on (see Figure 4-20).
Note
Before you start enabling the functionality, take your time and develop a plan for how you want to respond to risky behavior. Look at the data, and then enforce the controls. Many companies simply turn the features on. The best practice is to set up a test group and apply the control to the test group before you enable the control for all users (or administrators). Make sure you leave yourself a back door for testing.
At this point, you have configured the alerting activity for privileged access. You can now turn on additional security features to help manage user accounts. We recommend that you enable only a few test accounts to verify the functionality. Once you are satisfied, you can roll this out en masse to all users. The next step is to configure Azure Information Protection.
Note
Testing accounts is easy. Just create a test group (set to include) to test out the new feature. Once you are satisfied with the process, you can either include all users or create a new static or dynamic group for the user accounts.
Azure Information Protection
Azure Information Protection allows you to control information, classify documents, and set the protection characteristics of the documents you add. We can also send out documents whose information cannot be shared outside the organization; the document can be configured to block printing or forwarding to a third party. We can also add controls in a document template (or the document metadata) to block these activities. These are known as data loss prevention (DLP) rules on documents. Microsoft has extended this to other third-party services, so those services now recognize documents that are managed in this way. As an example, you can define a set of documents (or rules on documents) that are restricted to internal use. This means that when a document is sent externally to a user in a different company, the external user would be forced to log in with credentials to access the document. Since that user is unknown to the company, the user would be blocked from accessing the document. As another example, in sales we want to send out proposals and statements of work and have those proposals expire after 30 days. We would use AIP to manage the document type so anyone who received the document would be blocked from reading it after 30 days.
1. Install and configure the Azure dashboard (select Protection Activation).
2. Define the labels for document management.
3. Configure the global document policy.
4. Download the Azure agent for Office applications for document classification.
Once you have taken these steps, you can send protected documents (or block them from distribution).
Document management is a large activity that can easily consume a lot of time. The best way to look at document management is to make it self-service. This self-service model builds on the labels that the organization puts in place to manage information and on training your users in how to classify documents.
Step 1: Install Information Protection
The first step is to enable the AIP service in the Office 365/Azure tenant. To set up the service, go to the Azure dashboard and add the service to the dashboard. You can pin the AIP service, or you can add it to your favorites. See Figure 4-22.
Note
Earlier we used the term pin. In this case, we are not pinning the tool to the dashboard, but we are adding this to our favorites (under the star in Figure 4-21). To add to the favorites (the left side of the dashboard), all you need to do is to select “All services” and click the star to add the element to the dashboard. This process is detailed later in the chapter.
Once we have selected the service, we will create the service (see Figure 4-23). This is a simple process; just select the service under Identity and Azure Information Protection and then click Create to start the service. This will start the service and set up some of the background configuration that is required for your Office 365 account. Once you have enabled the service, you can add this to your dashboard by selecting All Services, finding the services, and then adding them to the favorites (by clicking the star next to the service). Microsoft is working to make this more of an automatic process that is tied to the subscription type.
Note
Classifying information is a large task. The best way to handle classification is to configure the base parts of Azure Information Protection and enable automatic data classification in the Office 365 Security & Compliance Center. Document classification needs to be applied by the end user who creates the document. The automated tools (such as the AIP scanner that scans documents located on file servers) should then be used to validate the classifications the users applied.
Setting up a policy on credit cards is simple and has little effect on the organization. Do not get me wrong; protecting the organization from sending out credit card information in e-mail is critical. We need to protect the organization from violations that will result in fines. Under the new California law (CCPA), such a data breach could result in fines of up to $750 per record, on the assumption that the consumer was harmed. The change that we see in the new laws (like CCPA) is the shift to assumed harm. Under old laws, harm had to be proven by the consumer. Under the new laws, harm is assumed. Businesses need to prove that protected personal information was not distributed to unauthorized third parties. This is why Azure Information Protection is so critical to businesses, and why the distribution of information needs to be tracked.
As an example, we can create a credit card protection rule where we allow documents (that contain credit card information) only to be read internally but not e-mailed externally. If a user e-mails the document externally, our labeling will block external user access to the document. The document rules are managed in the Office 365 Security & Compliance Center.
Step 2: Define Additional Label Classification
The first step after you have enabled the service is to define an additional document label that can be used to govern your business. Once you have defined the labels, they become part of the document classification in the Office 365 Security & Compliance Center.
Our approach is to walk you through the label configuration process by setting up a credit card label for detection and analysis. Once we have completed this, we will quickly review the automatic label generation process.
1. Turn on the service (enable it and define the label); in our example we used Credit Card as the name of the rule.
2. Select the label to protect the documents.
3. Select Azure Protection; this will launch the protection options.
4. Select Add permissions to the document. (If you want to restrict e-mail distribution, select Set user-defined permissions.)
5. Specify the users and groups who will access this document label; in our case, this is only users from our e-mail domain.
6. Define the type of access users will have (make them all reviewers). Click OK and Save to return to the main blade.
7. Set visual markings (watermark) on the document.
8. Define a header for the document and a color (in this case red).
9. Select a document to have a watermark and enter the watermark text.
10. Display the watermark horizontally or diagonally in the document.
11. Select the condition for the protection (in this case we are using credit cards).
12. Select the industry type (in this case, Financial).
13. Select the credit card condition; in this case we are using card number as the condition.
The basic label has been created. Save the changes on each of the blades. The next step is to apply the new document classification to all documents. There are additional document selection parameters. I recommend you leave these at the defaults and change them later after you have tested the document in production.
The new document classification called Credit Card has been added.
The document policy requires that the document be marked.
The document policy also states that the document is protected.
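To show what the card number condition created above actually evaluates, here is an added example (not the book’s code and not Microsoft’s sensitive-information-type engine): it finds Luhn-valid card numbers in a document, scores the match with an assumed confidence model that uses a 75 percent threshold like the accuracy slider described later for PII rules, and reports whether the Credit Card label would apply. The regex, keyword list, confidence values and sample documents are all constructed assumptions.

```python
"""
Toy implementation of the chapter's "Credit Card" label condition (card number).
Added example: not the book's code or Microsoft's classifier. The regex, keyword
list, confidence scores and sample documents are assumptions.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# and not glued to surrounding digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Supporting evidence anywhere in the document raises the match confidence (assumed list).
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "amex", "cvv", "expir")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalized digit strings for every Luhn-valid card candidate in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def evaluate_credit_card_label(text: str, min_confidence: int = 75) -> dict:
    """
    Decide whether the 'Credit Card' label should be applied to a document.

    Assumed confidence model: a Luhn-valid number alone scores 65; a supporting
    keyword anywhere in the document raises the score to 85. The label applies
    only when the score reaches min_confidence (default 75).
    """
    cards = find_card_numbers(text)
    if not cards:
        return {"label": None, "confidence": 0, "matches": []}
    lowered = text.lower()
    has_keyword = any(k in lowered for k in KEYWORDS)
    confidence = 85 if has_keyword else 65
    label = "Credit Card" if confidence >= min_confidence else None
    masked = ["*" * (len(c) - 4) + c[-4:] for c in cards]   # never echo the full card number
    return {"label": label, "confidence": confidence, "matches": masked}


# Constructed sample documents. 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE_INVOICE = (
    "Invoice 1042. Please charge the Visa card number 4111 1111 1111 1111, "
    "expiry 09/27, for the remaining balance."
)
SAMPLE_SHIPPING = "Tracking number 1234 5678 9012 3456 was scanned at the depot."  # fails Luhn
SAMPLE_BARE = "Ref 4111-1111-1111-1111 attached."                                   # valid, no keyword

if __name__ == "__main__":
    for name, doc in (("invoice", SAMPLE_INVOICE), ("shipping", SAMPLE_SHIPPING), ("bare", SAMPLE_BARE)):
        print(name, evaluate_credit_card_label(doc))
```

The shipping sample shows why the checksum matters: a 16-digit tracking number that fails Luhn is not reported at all, while the bare sample shows a valid number without supporting evidence falling below the 75 percent threshold.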
Step 3: Applying the Document Classification Globally
In Figure 4-29, we need to add the new document classification to our global default policy. This simply requires adding the document classification type. In Figure 4-29, once you are in the global document classification, the next step is to add the label and select Credit Card. This will immediately begin the document classification process. The next step is to download the rights management protection tool.
Note
The best way to deploy document classification is by training the end user to classify the documents when they are created. You can also deploy the automated AIP scanner that scans documents located on file servers to collect data and classify documents that have not been uploaded to Office 365.
Step 4: Downloading the Document Classification Tool
Documents are automatically classified based on the process that we defined in step 3. The document classification tool allows users to classify documents according to our company standards. We have created so much information that the only way we can truly become compliant is to train the users in document classification. Granted, not all users think the same, which is why we create special rules and procedures to keep our users in check (so to speak). From a compliance management perspective, if you rely only on automated tools, you will not catch everything. You need the users’ help.
Keep in mind that the user needs to control the flow of information that is sent externally and manage the documentation workflow. As an IT administrator, you can set polices on documents from a global sense, but it will be the individual users who need to manage the document they distribute to their customers. As an example, say we have a sales document that we use and distribute to potential clients. As a salesperson, I will manage my own information based on client needs. You cannot do this action globally; otherwise, you will affect sales in the organization.
Note
The AIP client is the same client as the document scanner for servers. This client tool runs as a background process and can be used to process the documents on your server. In this example, we downloaded the client for the end user to use. If this were a server and we wanted to run the AIP scanner, we would download the same tool, install it on the server, and run a set of PowerShell commands to process documents. The document scanner requires that the account used to install it on the server has the correct permissions (and license) for Azure Information Protection services. See the “References” section for links where you can learn more about the AIP scanner.
Step 5: Enabling the RMS Tracking Service
Step 6: Test the Document Classification Service
Step 7: Configure the Data Loss Prevention Rules
Additional Configuration
There are many ways to configure Enterprise Mobility & Security (EMS) for your environment. In this section, I have detailed some of the additional customization that you can do. I wanted to provide you with the information on the service customization but handle that in a different section so you would not be distracted from deploying the service. Once you have the service in place, you can change the service to match your business needs.
Password Smart Lock Protection
Looking at Figure 4-39, you will notice that there are some additional configuration options, such as the number of failed attempts (called the lockout threshold) and the lockout duration. In our example, we allow up to ten attempts, and then we lock the user’s access for 60 seconds. Every business is different, and the lockout settings will differ depending on the organization’s risk and compliance regulations.
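The following is an added example, not Azure AD’s implementation or the book’s code, that models the two settings just described (a threshold of ten failed attempts and a 60-second lock) so you can see what the account owner experiences while a lock is in force. It also models one documented smart lockout behavior, namely that the same wrong password entered repeatedly is not counted again; the account names, passwords and fake clock are constructed.

```python
"""
Model of the lockout settings shown above (threshold 10, duration 60 s).
Added example, not Azure AD's implementation. Credentials and the clock are constructed.
"""
import hashlib
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 10        # failed attempts before the account locks (chapter's value)
    duration: float = 60.0     # seconds the lock is held (chapter's value)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    # Digests of recent wrong passwords: repeating the same wrong password is not
    # counted again, so a user retyping an old password does not lock themselves out.
    recent_bad: deque = field(default_factory=lambda: deque(maxlen=3))


class SignInGuard:
    """Tracks failed sign-ins per account and enforces a LockoutPolicy."""

    def __init__(self, credentials, policy=None, clock=time.monotonic):
        self._credentials = credentials      # constructed user -> password map
        self._policy = policy or LockoutPolicy()
        self._clock = clock
        self._accounts = {}

    def attempt(self, user, password):
        """Return 'ok', 'bad_password' or 'locked' for one sign-in attempt."""
        now = self._clock()
        st = self._accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                  # nothing is evaluated while locked, even the right password
        if self._credentials.get(user) == password:
            st.failures = 0
            st.recent_bad.clear()
            return "ok"
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest not in st.recent_bad:      # only a new wrong password advances the counter
            st.recent_bad.append(digest)
            st.failures += 1
        if st.failures >= self._policy.threshold:
            st.locked_until = now + self._policy.duration
            st.failures = 0                  # the counter starts over once the lock expires
        return "bad_password"

    def seconds_locked(self, user):
        """Remaining lock time for the user, 0 if the account is not locked."""
        st = self._accounts.get(user)
        return max(0.0, st.locked_until - self._clock()) if st else 0.0


class FakeClock:
    """Controllable clock so the 60-second lock can be shown without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Ten distinct wrong passwords lock the account; the owner must wait out the 60 seconds."""
    clock = FakeClock()
    guard = SignInGuard({"alice": "correct horse battery staple"}, clock=clock)
    results = [guard.attempt("alice", f"wrong-{i}") for i in range(10)]
    owner_during_lock = guard.attempt("alice", "correct horse battery staple")
    remaining = guard.seconds_locked("alice")
    clock.advance(61)
    owner_after_lock = guard.attempt("alice", "correct horse battery staple")
    return results, owner_during_lock, remaining, owner_after_lock


if __name__ == "__main__":
    print(demo())
```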
Adding Applications to the Favorites List on the Azure Dashboard
In Figure 4-40, I have highlighted two areas to look at: favorites and all resources. To add an application (or blade) to the favorites, all that is needed is to select the application and add the element. The process is simple: select All Services from the sidebar, find the service you are looking for (in this case, the Azure Information Protection application is located under Identity), and then click the star (turning it yellow).
Adding Office 365 E-mail Encryption
Adding e-mail encryption is easy to do in Office 365. This is a requirement for any type of compliance management. In this section, we will show how to add e-mail encryption and customize the e-mail portal that is presented to clients. Customization is key to ensuring that secured e-mail messages you send to your clients are easily recognizable as coming from your organization. In our example, we customized our e-mail encryption with our contact information, logo, and a description of whom to contact about the e-mail in case there are any questions. This is important because phishing attacks target a large number of Office 365 users. If you want to reduce your threat level, you need to customize your e-mail encryption portal when you add e-mail encryption.
When a user clicks a secure e-mail that has been configured, they see the configured e-mail portal (see Figure 4-42). The user can enter their ID, or they can request a passcode to be e-mailed to them. Either approach works and is simple to use.
1. Activate the Office 365 Rights Management service (should already be completed).
2. Enable the encryption service in Azure Active Directory (should already be completed).
3. Configure the automatic encryption transport rules (optional).
4. Customize the e-mail encryption service for your business.
5. Download the AIP client to allow users to classify and encrypt e-mails.
Let’s walk through the steps to configure e-mail encryption.
Step 1: Setting Up the Office 365 Rights Management Service
Office 365 encryption is easy to set up and configure. The first step in using encryption is to enable the Office 365 Rights Management service. Once you have enabled the Rights Management service, you select the rules that you want it to use to automatically process communications sent outside your organization, as well as the manual configuration of a confidential sensitivity setting.
Step 2: Enable Azure Information Protection
Step 3: (Optional) Configure the Automatic Encryption Rules for HIPAA and PII
Click Next to customize the content you want to protect. In this case, we are looking only at HIPAA information. In Figure 4-50, if you click Edit, you can define the accuracy of the content match. As an example, for PII information (such as Social Security numbers), you have a range that starts at 75 percent.
Click Next; then choose your label that is appropriate for this content (see Figure 4-52).
Click Next to review your settings. If everything looks correct, then click Create. This will create the encryption rules for you in your Office 365 tenant. This process of rule creation will take a few minutes. Once the rules are completed, they will show up in the Office 365 Security & Compliance Center’s DLP portal.
Step 4: Customize the E-mail Encryption Service for Your Business
Adding your logo
In Figure 4-54, we branded the encrypted e-mail to use our KAMIND IT logo. To add your logo to Office 365 encryption, run the PowerShell commands shown here. Your customized logo will be displayed to the recipient.
#Load the JPG file to the user tenant
Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\customers\kamind\kamind_new_2014_v3.jpg" -Encoding byte)
Adding your customized text
In Figure 4-54, we added customized text to display information for KAMIND IT. To add your customized text, execute the PowerShell command shown here:
#Set the disclaimer text shown to the recipient
Set-OMEConfiguration -Identity "OME configuration" -DisclaimerText "This message contains confidential information and is intended for the recipient. If your e-Mail account is not set up to read encrypted e-Mail, you can add this feature by adding security credentials to your existing e-Mail using the Microsoft website at http://account.live.com. If you have any questions, please call KAMIND IT at (503) 726-5933."
Customizing the encrypted e-mail portal
In Figure 4-55, we added customized text to display the branded portal and our KAMIND message. To add your customized text, execute the PowerShell command shown here:
#Set the e-mail text and the portal text
Set-OMEConfiguration -Identity "OME configuration" -EmailText "Encrypted message from [email protected]" -PortalText "KAMIND IT Inc. Secure E-Mail Portal – www.kamind.com (503) 741-8922"
Step 5: Download the AIP Client
We have already downloaded the AIP client and installed it in Outlook. There is no additional configuration necessary. For the installation instructions, please review the previous section on Azure rights management. That is all that is required to set up Office 365 e-mail encryption and to customize the portal for our clients to use. Once you have set up the e-mail encryption portal, you can extend the service to other parts of AIP. As an example, you can set up documents with metadata policy strings that the DLP rules can process to determine the best way to control information that is being sent externally. For instance, strategic plans may have a “Company Confidential” description placed in the metadata. The DLP rules can be configured to find this marker and block the distribution of the documents outside the company.
Configuring Manual Encryption for Confidential Documents (Legacy)
To configure these policies, you need to be a global administrator, and the configuration is made in the Exchange admin center of Office 365. We are going to add a custom Exchange transport rule. The rule simply states that if an e-mail has Sensitivity set to Confidential, then encrypt the e-mail. The user has the ability to set the message sensitivity manually. Likewise, you can create transport rules to disable encryption. Let’s walk through the creation of a custom transport rule in the Office 365 Exchange admin center.
Step 1: Create a New Rule in the Exchange Admin Center
Step 2: Enter the Name for the Rule ManualEncryptEmail, and Select the Conditions of the Rule
1. Click the blue link “More options” to expand the encryption options (see Figure 4-58).
Step 3: Add the Encryption Rule Actions
Step 4: Test the E-mail, and Use Outlook to Send an E-mail
Summary
This chapter focused on Identity Management and Information Protection. These tools are powerful and provide you with the necessary flexibility to configure your Office 365 services. As a bonus, I walked you through the configuration of Exchange encryption. We spent some time setting up e-mail encryption and customizing the service portal. As Microsoft develops the Security & Compliance Center, these capabilities will be upgraded and enhanced. At this point our baseline is complete and data is being logged for security analysis.
Next Steps
This chapter focused on completing the basic security configuration for Office 365 and Azure. In Chapter 2, we built out the necessary data collection repositories in Azure under Log Analytics. In Chapter 3, we expanded the capabilities and added data from Windows device endpoints (Windows 10, Windows servers, and Linux devices) to give us a 360-degree view of activities in our tenant. In this chapter, we built out the remaining identity services for EMS. The next step is to leverage all of the services we enabled in our MAM and MDM deployment. Once this is completed, we have a secure environment where our corporate data and devices are protected. Our next stop - Mobile Device Management!
References
We covered a lot of information in this chapter. My goal was to give you an overview of the various components to give you a head start on the configuration of protection management and security. If you follow the steps, you will be able to extend the capabilities of your security deployment. The following are good reference links that will assist you in reaching the next level of securing your Office 365 and Azure environment.