Office 365 Security Hardening Service

Office 365 Security Hardening

Microsoft configures the Office 365 defaults to work out of the box for everyone from a single user to a large enterprise. Those defaults are only a baseline: there are many security settings that can and should be adjusted to fit your specific business.

Leaving the default settings in place puts your data, company and users at significant risk. For most companies, no third-party tools such as external spam filtering are needed if the built-in options are configured properly. This reduces the cost of external spam filtering and simplifies troubleshooting, since you don’t have to trace a problem through multiple cloud-hosted applications.

  • Enable MFA for users
    • You should enable MFA for all of your user accounts because a breach of any of those accounts can lead to a breach of any data that user has access to.
  • Enable MFA for Admins
    • You should also enable MFA for all of your administrator accounts, because a breach of one of those accounts can lead to a breach of everything that admin has access to.
  • Enable Client Rules Forwarding Block
    • This is a transport rule that helps stop data exfiltration through client-created rules that auto-forward email from a user’s mailbox to an external email address. This is an increasingly common data leakage method in many organizations.
  • Enable Audit Log Search
    • You should enable audit data recording for your Office 365 service to ensure that you have a record of every user and administrator’s interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should it ever occur.
  • Enable Mailbox Auditing for All Users
    • By default, all non-owner access is audited, but you must enable auditing on the mailbox for owner access to also be audited. This will allow you to discover illicit access of Exchange Online activity if a user’s account has been breached.
  • Set Up Outbound Spam Notifications
    • Setting your Exchange Online Outbound Spam notifications gives you visibility into when a user has been blocked for sending excessive or spam emails. The accounts will always be blocked, but when you configure notifications you will be notified and sent a copy of the email that caused the block to occur. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails.
  • Review Role Changes Weekly
    • You should watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and malicious actions in your tenancy.
  • Designate More than 1 global Admin but fewer than 5
    • You should designate more than one global tenant administrator, because a single admin could perform malicious activity without another admin being able to discover it. You could also give this second admin a mailbox into which all of the reports discussed in this playbook are filtered.
      Reducing the number of global admins limits the number of highly privileged accounts that need to be closely monitored. If any of those accounts is compromised, critical devices and data are open to attack. Designating fewer than 5 global admins reduces the attack surface.
  • Configure Expiration Time for External Sharing Links (we typically use 30 days, but this can be adjusted)
    • You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared.
  • Enable Versioning on all SharePoint Online Document Libraries
    • You should enable versioning on all of your SharePoint online site collection document libraries. This will ensure that accidental or malicious changes to document content can be recovered.
  • Review Mailbox Forwarding Rules Weekly
    • You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users’ email is not being exfiltrated.
  • Review the Mailbox Access Non-Owners Report Biweekly
    • This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time and can help discover malicious insider activity sooner.
  • Review the Malware Detections Report Weekly
    • This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn’t strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigation practices.
  • Do not allow Calendar details sharing
    • You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
  • Enable Self-Service Password Reset
    • With self-service password reset in Azure AD, users no longer need to engage helpdesk to reset passwords. This feature works well with Azure AD dynamically banned passwords, which prevents easily guessable passwords from being used.
  • Warn Users when email arrives from sender with same display name
    • Here we create a mail flow rule that helps users detect spoofing by displaying a warning in their inbox when a new email is sent from an external sender with the same display name as a user in your organization.
  • Do not expire passwords
    • Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any dictionary words present), it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position not to expire passwords periodically without a specific reason. Make sure you have MFA enabled before making this setting change.
  • Exchange Online Protection/Anti-spam Policies
  • Configure Connection Filtering
  • Configure Spam Filtering
  • Configure Outbound filtering
  • Configure Mail Flow Rules
  • Configure Malware Settings
  • Configure SPF Record
    • SPF validates the origin of email messages by checking the IP address of the sending server against the list published by the owner of the sending domain, which helps prevent spoofing.
  • Configure DKIM Record
    • DKIM lets you attach a digital signature to email messages in the message header of emails you send. Email systems that receive email from your domain use this digital signature to determine if incoming email that they receive is legitimate.
  • Configure DMARC Record
    • DMARC helps receiving mail systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners.
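The two mail flow rules described in the checklist (blocking client auto-forwarding to external recipients, and warning users when an external sender uses an internal display name) can both be created with the Exchange Online PowerShell module. The script below is an added example, not the service’s own script or Microsoft’s published rule; it assumes an Exchange Online session is already open with Connect-ExchangeOnline (ExchangeOnlineManagement module) using an account that holds the Transport Rules role. Rule names, subject tags and disclaimer text are our own choices.

```powershell
# Added example: creates the two mail flow rules from the checklist.
# Assumes Connect-ExchangeOnline has already been run.

# --- 1. Block client-created auto-forwarding to external recipients --------
# Matches messages that an inbox rule auto-forwards from an internal mailbox
# to a recipient outside the organization and rejects them with an NDR.
$fwdRuleName = 'Block client auto-forward to external recipients'
if (-not (Get-TransportRule -Identity $fwdRuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $fwdRuleName `
        -Priority 0 `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external addresses is blocked by policy.'
}

# --- 2. Warn when an external sender reuses an internal display name --------
# Build the list of display names from the tenant's user mailboxes. The From
# header match is a pattern match, so each name is escaped to match literally.
# Mail flow rules have a size limit, so in a large tenant restrict this list to
# high-value roles (executives, finance, IT) instead of every mailbox.
$displayNames = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object -ExpandProperty DisplayName |
    Where-Object { $_ } |
    Sort-Object -Unique |
    ForEach-Object { [regex]::Escape($_) }

$spoofRuleName = 'Warn on external sender with internal display name'
if ($displayNames.Count -gt 0 -and
    -not (Get-TransportRule -Identity $spoofRuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $spoofRuleName `
        -FromScope NotInOrganization `
        -HeaderMatchesMessageHeader 'From' `
        -HeaderMatchesPatterns $displayNames `
        -PrependSubject '[CAUTION: external sender using an internal display name] ' `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText '<p style="color:red">This message came from outside the organization but uses the display name of an internal user. Check the sender address before acting on it.</p>' `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}

# Confirm both rules exist and are enabled.
Get-TransportRule -Identity $fwdRuleName, $spoofRuleName |
    Select-Object Name, State, Priority | Format-Table -AutoSize
```

The forwarding block rejects the message outright, which also alerts the mailbox owner through the NDR; the display-name rule only tags the message so that legitimate external contacts who happen to share a name are not lost, and the display-name list needs to be refreshed whenever staff join or leave.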
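The weekly review of mailbox forwarding to external domains can be done with a script like the following. It is an added example rather than the service’s own script; it assumes an open Exchange Online session (Connect-ExchangeOnline) with at least view-only recipient rights, and it treats the tenant’s accepted domains as internal and everything else as external. It covers both mailbox-level forwarding (set by an admin or in Outlook on the web settings) and client-created inbox rules, since an attacker with a compromised account can use either.

```powershell
# Added example: report every mailbox that forwards or redirects mail to a
# domain the tenant does not own. Assumes Connect-ExchangeOnline has been run.

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Recipient values look like 'smtp:user@domain', 'user@domain' or
    # '"Name" [SMTP:user@domain]'. Pull the domain part and compare it with
    # the accepted domains; values with no SMTP address (internal X500 or
    # EX: entries) are treated as internal.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return ($internalDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding properties
    foreach ($prop in 'ForwardingSmtpAddress', 'ForwardingAddress') {
        $value = $mbx.$prop
        if ($value -and (Test-ExternalAddress "$value")) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Source  = "Mailbox.$prop"
                Rule    = ''
                Target  = "$value"
            }
        }
    }
    # Client-created inbox rules that forward, forward as attachment or redirect.
    # Get-InboxRule is called once per mailbox, so this takes a while in large tenants.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($target in @($rule.$prop)) {
                if ($target -and (Test-ExternalAddress "$target")) {
                    [pscustomobject]@{
                        Mailbox = $mbx.PrimarySmtpAddress
                        Source  = "InboxRule.$prop"
                        Rule    = $rule.Name
                        Target  = "$target"
                    }
                }
            }
        }
    }
}

# Show the findings and keep a dated CSV so week-to-week changes can be compared.
$findings | Sort-Object Mailbox, Source | Format-Table -AutoSize
$findings | Export-Csv -Path ".\ExternalForwarding-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Comparing each week’s CSV with the previous one turns the review into a short list of new forwarding targets to validate with the mailbox owner, which is far more practical than re-reading the full list every time.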
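The SPF, DKIM and DMARC items are all DNS records, so their presence and strength can be checked from the outside. The script below is an added example (not the service’s own tooling); it uses the Windows DnsClient module’s Resolve-DnsName, so it runs from any Windows host with outbound DNS and needs no Exchange session. The domain name is a placeholder, and the two DKIM selectors assumed are the ones Microsoft 365 publishes for a custom domain (selector1 and selector2, which CNAME to records under the tenant’s onmicrosoft.com domain).

```powershell
# Added example: verify a domain's SPF, DKIM and DMARC records and flag weak
# settings. Requires the DnsClient module (built into Windows).

function Get-TxtRecord {
    param([string]$Name)
    # Returns the joined TXT strings for each TXT record at $Name (following any
    # CNAME), or nothing if the name does not exist.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { -join $_.Strings }
}

function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')   # Microsoft 365 selectors
    )
    $results = [ordered]@{}

    # SPF: exactly one v=spf1 record, ideally ending with -all (hard fail).
    $spf = @(Get-TxtRecord -Name $Domain | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) {
        $results['SPF'] = 'MISSING: publish a v=spf1 record listing your sending hosts'
    } elseif ($spf.Count -gt 1) {
        $results['SPF'] = 'INVALID: multiple v=spf1 records (receivers treat this as a permanent error)'
    } elseif ($spf[0] -match '\s-all$') {
        $results['SPF'] = "OK ($($spf[0]))"
    } elseif ($spf[0] -match '\s~all$') {
        $results['SPF'] = "WEAK: softfail ~all, consider -all once all senders are listed ($($spf[0]))"
    } else {
        $results['SPF'] = "WEAK: no terminal -all mechanism ($($spf[0]))"
    }

    # DKIM: each selector must resolve to a record carrying a public key (p= tag).
    foreach ($sel in $DkimSelectors) {
        $name = "$sel._domainkey.$Domain"
        $keys = @(Get-TxtRecord -Name $name | Where-Object { $_ -match '(^|;)\s*p=\S' })
        if ($keys.Count -gt 0) {
            $results["DKIM ($sel)"] = 'OK: public key published'
        } else {
            $results["DKIM ($sel)"] = "MISSING: no DKIM key at $name"
        }
    }

    # DMARC: a v=DMARC1 record at _dmarc.<domain>; p=none only monitors.
    $dmarc = @(Get-TxtRecord -Name "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 0) {
        $results['DMARC'] = "MISSING: publish v=DMARC1 at _dmarc.$Domain"
    } elseif ($dmarc[0] -match 'p=(none|quarantine|reject)') {
        $policy = $Matches[1]
        if ($policy -eq 'none') {
            $results['DMARC'] = "WEAK: p=none only reports; move to quarantine or reject once reports look clean ($($dmarc[0]))"
        } else {
            $results['DMARC'] = "OK: p=$policy ($($dmarc[0]))"
        }
    } else {
        $results['DMARC'] = "INVALID: no p= tag ($($dmarc[0]))"
    }

    [pscustomobject]$results
}

# Placeholder domain; replace with the domain being hardened.
Test-MailAuthRecords -Domain 'example.com' | Format-List
```

Run this once after publishing the records and again after any change to sending infrastructure: a new marketing or ticketing platform that sends as your domain will fail SPF and DKIM until it is added, and with DMARC at quarantine or reject that mail will be dropped by recipients rather than delivered.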

If you need help with securing your Office 365 environment, give us a call at 319-227-7000 or fill out our contact form.