Microsoft 365 Security Best Practices for your Business
Since the COVID pandemic started, the uptake of digital services has increased exponentially. This is largely due to the new way of working, which requires online collaboration through software like Microsoft Teams. While the primary and initial focus would have been to ensure the continuation of daily operations for the business, the cyber-security aspects may have taken a back seat or even been forgotten.
If your business is using Microsoft 365 products such as Outlook, Teams, OneDrive, and SharePoint, the following security best practices are highly recommended:
Identity
How and what you access (identity and access management) is managed via Azure Active Directory. It is important to review the following areas:
Multi-Factor Authentication / Conditional Access Policies
Your login is your first layer of defence against cyber-attacks, and a simple username and password just doesn’t do it anymore. The idea is to require multiple factors of authentication, i.e.:
Something you know (username / password)
Something you are (biometrics)
Something you have (authenticator / tokens)
Somewhere you are (location)
Multi-factor Authentication should be enabled on all accounts, with the exception of those that genuinely need to be exempt. This can be achieved in a variety of ways, but the two best options are to perform one of the following actions in Azure Active Directory:
Enable Security Defaults (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
Provides a quick security fix using Microsoft’s recommended settings for identity
Minimal configuration required with minimal impact to daily operations
Set up Conditional Access Policies (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access)
Licensing requirement: Azure AD Premium P1 or P2
Complex implementation and more suited to organisations with dedicated IT teams
Principle of Least Privilege
A security concept that emphasises giving users, processes and systems only the minimum level of access necessary to perform their intended functions. This reduces the security risk from breaches by limiting the potential damage that can be caused by a malicious actor.
It is important to regularly review:
Accounts that have privileged access / administrative roles
Effective account segregation (separate daily user / admin account)
Access to systems based on user roles
Application access to systems
Account Hygiene
Account hygiene is important for maintaining the security and integrity of the identity and access management system. It refers to the regular review and clean-up of user accounts in Azure Active Directory, to ensure they are accurate and up-to-date and that no stale or unnecessary accounts exist.
The following key tasks should be undertaken:
Review and update of user accounts
User information
Group memberships
Role assignments
Disable or delete stale or unnecessary accounts
Review accounts that have not been used for a certain period of time
Remove users that have left the organisation
Remove users that no longer perform the same function due to role change in the organisation
Password policy review
Enforce password policy
Reset accounts that have been inactive for a long period of time to reduce the risk of password attack
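As an added illustration of the review tasks above (not code from the original article), the following script flags stale, never-used and privileged accounts in a user export. The sample records are constructed inline, loosely modelled on Microsoft Graph user properties; a real review would feed it the tenant's actual export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real users). Field names loosely follow
# a Microsoft Graph users export; "lastSignIn" is a flattened stand-in for
# the sign-in activity timestamp, None meaning the account never signed in.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "roles": [], "lastSignIn": "2024-05-01T08:00:00Z"},
    {"userPrincipalName": "adm-bob@example.com", "accountEnabled": True,
     "roles": ["Global Administrator"], "lastSignIn": "2023-11-02T09:30:00Z"},
    {"userPrincipalName": "svc-legacy@example.com", "accountEnabled": True,
     "roles": [], "lastSignIn": None},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False,
     "roles": ["Exchange Administrator"], "lastSignIn": "2022-01-10T10:00:00Z"},
]

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None stays None (never signed in)."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_accounts(users, now, stale_days=90):
    """Return (upn, finding, priority) tuples, lowest priority number first.

    Priority 0: enabled privileged account that is stale or never used.
    Priority 1: disabled account that still holds an administrative role.
    Priority 2: enabled standard account that is stale or never used.
    """
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for u in users:
        upn = u["userPrincipalName"]
        privileged = bool(u.get("roles"))
        if not u["accountEnabled"]:
            # Disabled accounts should also lose their role assignments.
            if privileged:
                findings.append((upn, "disabled-but-privileged", 1))
            continue
        last = parse_ts(u.get("lastSignIn"))
        if last is None:
            findings.append((upn, "never-signed-in", 0 if privileged else 2))
        elif last < cutoff:
            findings.append((upn, f"stale>{stale_days}d", 0 if privileged else 2))
    return sorted(findings, key=lambda f: f[2])
```

Review output for the privileged findings first; those are the accounts where a password reset or role removal has the greatest effect.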
Review Identity Secure Score
Microsoft provides a Secure Score for Identity (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score), which can be used to validate any changes made through the above actions. This section provides actionable recommendations to remediate your security posture in Microsoft 365 & Azure.
Secure Mail
Email is one of the main entry points for cyber-attacks, and it is therefore crucial to secure it.
Authentication methods
To prevent malicious access to your emails, the first line of defence is your login credentials. Basic Authentication is a legacy method of connecting to your mailbox that allows potential credential capture by cyber-attackers, as the credentials are stored on the device used. Microsoft introduced Modern Authentication to mitigate this issue by moving to token-based authentication using the Active Directory Authentication Library (ADAL) and OAuth 2.0. However, due to the number of clients still using legacy systems, Basic Authentication was left enabled for backwards compatibility.
Recommendation: Disable Basic Authentication and legacy mail protocols (SMTP, POP3, IMAP)
Encryption
For email systems to communicate with each other, messages are sent via the internet. These can be sent either unencrypted or encrypted, depending on how the systems are set up. It is important to ensure your data-in-transit is encrypted to prevent eavesdropping, tampering, and message forgery. This ensures that only authorised parties can read the message and that it has not been tampered with in transit.
Recommendation: Use at minimum opportunistic TLS
Protection Policies
Exchange Online Protection is a security feature provided by Microsoft. It is used to filter email for spam, malware, and other threats, to protect against malicious or unwanted messages reaching an organisation’s users.
Recommendation: Ensure default protection policies are applied to mailboxes in Exchange Online for Anti-Spam, Anti-Malware, and Anti-Phishing
Anti-Spoofing
Sophisticated attackers can use spoofing to impersonate someone or something in order to gain unauthorised access or information. Without the correct measures to mitigate these spoofing attempts, would-be attackers could take advantage of this. Microsoft provides the following features that are configurable:
SPF (Sender Policy Framework): Validation protocol to ensure that email originates from authorised IP addresses
DKIM (DomainKeys Identified Mail): Email authentication method that allows the person receiving the email to check that it was actually sent by the domain it claims to be sent from
DMARC (Domain-based Message Authentication, Reporting & Conformance): Email authentication protocol that allows the owner of a domain to protect it from unauthorised use
Recommendation: SPF is configured by default; DKIM should be configured, and DMARC should at minimum be configured in monitoring / alerting mode
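As an added example (not from the original article), this script checks a domain's SPF, DKIM and DMARC records against the recommendation above. The DNS answers are constructed inline so it runs offline; the include host spf.protection.outlook.com and the selector1/selector2 DKIM selectors are the ones Microsoft 365 uses, while the domain names and DMARC address are made up.

```python
import re

# Constructed DNS answers for two hypothetical domains (no real lookups).
FAKE_DNS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com": ["selector1-example-com._domainkey.contoso.onmicrosoft.com"],
    "selector2._domainkey.example.com": ["selector2-example-com._domainkey.contoso.onmicrosoft.com"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
}

def lookup(name, dns=FAKE_DNS):
    """Stand-in for a DNS TXT/CNAME query; swap in a resolver for real use."""
    return dns.get(name.lower(), [])

def check_spf(domain, dns=FAKE_DNS):
    spf = [r for r in lookup(domain, dns) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records are both invalid
        return "missing" if not spf else "multiple"
    if "include:spf.protection.outlook.com" not in spf[0]:
        return "no-m365-include"
    return "hard-fail" if spf[0].rstrip().endswith("-all") else "soft-fail"

def check_dkim(domain, dns=FAKE_DNS):
    # Microsoft 365 publishes two selectors so signing keys can be rotated.
    found = [s for s in ("selector1", "selector2")
             if lookup(f"{s}._domainkey.{domain}", dns)]
    return "ok" if len(found) == 2 else ("partial" if found else "missing")

def check_dmarc(domain, dns=FAKE_DNS):
    recs = [r for r in lookup(f"_dmarc.{domain}", dns) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing"
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", recs[0]))  # "tag=value;" pairs
    policy = tags.get("p", "").strip().lower()
    return {"none": "monitoring", "quarantine": "enforcing",
            "reject": "enforcing"}.get(policy, "invalid")

def assess(domain, dns=FAKE_DNS):
    """Per-control status plus the findings that still need action."""
    r = {"spf": check_spf(domain, dns), "dkim": check_dkim(domain, dns),
         "dmarc": check_dmarc(domain, dns)}
    acceptable = (("spf", ("hard-fail",)), ("dkim", ("ok",)),
                  ("dmarc", ("monitoring", "enforcing")))
    findings = [f"{c.upper()}: {r[c]}" for c, ok in acceptable if r[c] not in ok]
    return r, findings
```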
Endpoint Protection
Protection of the devices where your organisation’s information is accessed from - corporate devices, user devices, tablets, and smartphones.
Microsoft Endpoint Management / Intune
A management interface designed to manage devices and company data used in applications.
Corporate devices that are owned by the organisation should have MDM (Mobile Device Management) policies applied to protect them from data loss and unauthorised actors.
With cloud-based services being readily accessible with smartphones, it is important to apply controls to protect your data on non-corporate devices. MAM (Mobile Application Management) policies can be used to achieve this in Microsoft 365.
Recommendation: Review how devices are used and apply the necessary MAM / MDM policies to each.
Device Encryption
The process of encoding data stored on a device, making it unreadable to unauthorised parties.
Recommendation: Use BitLocker or Device Encryption for Windows devices and FileVault for macOS
Collaboration & Sharing
Sharing is caring, but oversharing does have its drawbacks. Sharing information means increased productivity; however, within an organisation it can potentially mean unintentional leakage of sensitive information. Therefore, it is important to review how your data sharing is set up within and outside of your organisation.
Review Data Exchange Processes
This refers to the process in which data is exchanged. Determine how your organisation is sharing data within the Microsoft 365 platform. Start the conversation on what to use to suit the organisation’s needs.
Recommendation: Review sharing practices in the organisation.
Sharing Settings
Aside from the above-mentioned process for sharing data, the sharing settings allow administrators of the organisation to provide guardrails when it comes to exchanging information within and outside of the organisation.
Recommendation: Review sharing settings for SharePoint, OneDrive files and folders, and Exchange Online calendar sharing
Policy & Procedure
This section is more about how an organisation operates and keeps its IT functioning healthily, viewed through a security lens.
Company Policy on BYOD (Bring Your Own Device)
With the convenience of a smartphone and its ability to access company information, it is important to have a policy on how they will be governed.
Recommendation: Review company policies on personal devices
Environment Maintenance
Operational management of your organisation’s assets. When a user joins or leaves, a standard process should exist for accounts, devices and any other workflows in Microsoft 365. In general, IT system hygiene should be practised to secure your organisation.
Recommendation: Review provisioning and deprovisioning processes
Cyber Security Training
Protecting your organisation goes beyond technology, as it comes down to how staff use the systems. To deal with social engineering and phishing attacks, it is important to keep up a regular training regime and to adjust it to recent threats.
Recommendation: Regular Cyber Security Training