Microsoft 365’s default settings are optimized for productivity and collaboration, not security. Unfortunately, improving the security posture of the tenant can significantly impact the user experience of services such as Teams and OneDrive. Before
making changes, security teams must understand the micro and macro impacts of those settings on users and the overall organization. This piece outlines the key considerations and recommends settings within five primary areas of M365 that will provide
the best security return-on-investment (ROI) with the least user experience impacts.
M365 Security Challenges
M365’s complexity creates problems in understanding exactly where to focus security teams’ efforts. For example, every user within the M365 environment has over 7,500 combinations of settings that can be configured. Not all of these have security
ramifications, but many do, and they are often hidden: available only as PowerShell or Graph API settings configured through command-line tools, not through the administrative portals associated with each M365 service.
Getting Started with M365 Security
To prioritize security efforts within M365 tenants, we recommend getting started with:
- Setting privileged user conditional access policies and using multifactor authentication (MFA).
- Eliminating anonymous access to Teams and improving app hygiene.
- Enhancing SharePoint access settings and content hygiene (which also govern OneDrive).
- Hardening Exchange Online against the latest attacks.
- Implementing strict mobile device policies through Intune/Endpoint Manager.
Five Ways to Secure M365
1. Protect Privileged Users from Sophisticated Attacks
Key steps to protecting privileged users from sophisticated attacks include:
- Ensuring only Azure AD accounts have privileged access to M365 tenant configuration options. As a result of the Dark Halo attacks on U.S. government M365 tenants, the U.S. National Security
Agency (NSA) published guidance for protecting SaaS services from sophisticated attackers. Key to that guidance is eliminating the use of third-party identity providers to allow privileged access to M365. Make sure users do not have an association
between their everyday account (which they use for email/collaboration) and their privileged roles within M365.
- Using hardware security keys for MFA tokens and avoiding the use of software MFA, like authenticator apps. Over the last year, we saw an increase in the number of attacks against vulnerable mobile devices with the aim of cloning the authenticator apps
installed on them. To get off the mobile vulnerability treadmill, IANS strongly recommends all privileged identities within the tenant rely on a security key, such as a YubiKey or other hardware-separated cryptographic security token (such as a contact
smartcard).
- Practicing least privilege. Instead of allowing for the co-mingling of privileges among different services and administrative functions, users should isolate their use of privileges to a single service. There should be very, very few global administrators
in the M365 tenant, and many per-service administrators. This allows for the isolation of privileges for an active administrative session to a single M365 service, instead of an over-privileged account, which could be abused to make configuration
changes that can help attackers hide their activity from security teams across the tenant.
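An added example (not code from the IANS post) that puts the three points above into a check: it lists the tenant's Global Administrators and flags any without a FIDO2 security key or whose UPN looks like an everyday account. It assumes the Microsoft.Graph PowerShell module, an "adm-" naming convention for dedicated admin accounts, and a threshold of five GAs; adjust both to your tenant.

```powershell
# Added example, not from the IANS post. Inventories Global Administrator
# accounts and flags those without a FIDO2 security key. Assumes the
# Microsoft.Graph PowerShell module and an account able to consent to these scopes.
Connect-MgGraph -Scopes "Directory.Read.All", "UserAuthenticationMethod.Read.All"

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id

$report = foreach ($m in $members) {
    # Only user objects are audited here; groups and service principals are skipped
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $upn   = $m.AdditionalProperties['userPrincipalName']
    $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [pscustomobject]@{
        User             = $upn
        HasFido2Key      = $types -contains '#microsoft.graph.fido2AuthenticationMethod'
        HasSoftwareMfa   = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
        # Assumed naming convention: dedicated admin accounts start with "adm-"
        DedicatedAccount = $upn -like 'adm-*'
    }
}
$report | Format-Table -AutoSize

# Assumed threshold: more than a handful of Global Administrators is worth a review
if (@($report).Count -gt 5) { Write-Warning "$(@($report).Count) Global Administrators found." }
foreach ($r in $report) {
    if (-not $r.HasFido2Key)      { Write-Warning "$($r.User): no FIDO2 security key registered" }
    if (-not $r.DedicatedAccount) { Write-Warning "$($r.User): everyday-looking account holds Global Administrator" }
}
```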
2. Improve Teams Security
Microsoft claims nearly 100 million people use Teams every day as the result of the huge push to remote work over the last 18 months. Unfortunately, the default Teams security settings leave a lot to be desired. Key steps here include:
- Requiring all Teams users to have a Microsoft account. This is an effective way to reduce the likelihood of account spoofing and anonymous access to files shared in Teams meetings. For example, if the Teams service is left in its default configuration,
anyone can spoof a display name (while a Guest label may be added) to attend a Teams meeting.
- Coordinating SharePoint and Teams security settings. Any files shared within the Teams collaboration session are copied to a SharePoint site, and any attendees are automatically granted access to those files if SharePoint and Teams settings are not properly
set.
- The downside to making these security improvements is the Teams user experience is significantly impacted for users outside the organization, so proceed with care.
- Implementing policies to restrict which applications users can install within their Teams clients. Microsoft envisioned Teams becoming a platform where third parties could develop apps for tasks like meeting transcription and robotic process automation,
and users could then install those apps. However, when a user installs an application, the app can grant the app developer access to content shared through Teams (e.g., voice, video, chats and files). Teams administrators should create application
approval processes and set the application control policies to only allow for the installation of approved applications.
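An added example (not code from the IANS post) showing the Global Teams meeting and app permission policies before and after the changes described above. It assumes the MicrosoftTeams PowerShell module and a Teams administrator role; passing an empty allow-list to block all third-party and custom apps is an assumption about how the cmdlet accepts the parameter.

```powershell
# Added example, not from the IANS post. Tightens the org-wide (Global) Teams
# meeting policy so anonymous, unauthenticated users cannot join or start
# meetings, then restricts third-party app installation. Assumes the
# MicrosoftTeams PowerShell module and a Teams administrator role.
Connect-MicrosoftTeams

# Before: record the current values so the change is auditable
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers

# After: anonymous joins blocked; only authenticated tenant members bypass the lobby
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowAnonymousUsersToJoinMeeting  $false `
    -AllowAnonymousUsersToStartMeeting $false `
    -AutoAdmittedUsers "EveryoneInCompany"

# App hygiene: move the Global app permission policy from "allow everything" to
# an allow-list. An empty allow-list (assumed to be accepted here) blocks all
# third-party (global catalog) and custom (private catalog) apps until the
# approval process adds them explicitly.
Set-CsTeamsAppPermissionPolicy -Identity Global `
    -GlobalCatalogAppsType  AllowedAppList -GlobalCatalogApps  @() `
    -PrivateCatalogAppsType AllowedAppList -PrivateCatalogApps @()

# Verify: both types should now read AllowedAppList
Get-CsTeamsAppPermissionPolicy -Identity Global |
    Select-Object GlobalCatalogAppsType, PrivateCatalogAppsType
```

External attendees who are not signed in will now wait in the lobby or be refused, which is the user-experience cost the post warns about.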
3. Enhance SharePoint (and OneDrive) Security
From a security policy perspective, it is important to recognize all security policies configured for OneDrive are controlled through the SharePoint administrative functions. Improving one automatically improves the other. Key steps here include:
- Configuring file inspection to avoid the distribution of ransomware through SharePoint Online. With ransomware in the headlines recently, it is important to realize SharePoint can be used to distribute any kind of malware very rapidly through an organization.
By default, SharePoint file hygiene is not fully enabled, so one of the first things to focus on is ensuring all malicious file types are being monitored and isolated using the SharePoint Online controls.
- Restricting re-sharing of files by non-owners. When SharePoint is initially enabled, the default settings allow for files to be shared in ways file owners may not be aware of or approve. IANS highly recommends administrators set the flag for most SharePoint
sites and folders so no files can be re-shared by non-owners. In conjunction with restricting access to only authenticated users, this significantly reduces the likelihood files are shared with unauthorized users.
- Eliminating all legacy apps and plug-ins. SharePoint supports some legacy plugins and applications dating back over 15 years. Many of these allow for the installation of helper applications and expose APIs that could be exploited by attackers. IANS strongly
recommends eliminating all legacy support options for the best protection of data within SharePoint Online.
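An added example (not code from the IANS post) applying the three SharePoint recommendations as tenant settings, then walking every site to stop re-sharing by non-owners. It assumes the Microsoft.Online.SharePoint.PowerShell module, the placeholder tenant name "contoso", and an assumed list of sites deliberately left open.

```powershell
# Added example, not from the IANS post. Applies the SharePoint Online tenant
# settings discussed above and then walks every site to stop non-owner re-sharing.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and the placeholder
# tenant name "contoso".
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# File hygiene: files the built-in scanner flags as infected cannot be downloaded
Set-SPOTenant -DisallowInfectedFileDownload $true

# Sharing: no anonymous "Anyone" links, internal links by default,
# and guests cannot re-share what was shared with them
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true

# Legacy support: turn off legacy auth protocols and the older Azure ACS
# app-only authentication used by old add-ins
Set-SPOTenant -LegacyAuthProtocolsEnabled $false `
              -DisableCustomAppAuthentication $true

# Per-site: only owners may share. This is a site property rather than a tenant
# one, so loop over all sites; skip those you intentionally keep open (assumed list).
$openSites = @("https://contoso.sharepoint.com/sites/PublicIntranet")
foreach ($site in Get-SPOSite -Limit All) {
    if ($openSites -contains $site.Url) { continue }
    Set-SPOSite -Identity $site.Url -DisableSharingForNonOwners
}

# Verify the tenant-level state
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    PreventExternalUsersFromResharing, LegacyAuthProtocolsEnabled,
    DisallowInfectedFileDownload, DisableCustomAppAuthentication
```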
4. Harden Exchange
Key steps to hardening Exchange include:
- Isolating malicious file types: Like SharePoint, Exchange Online can also be used to facilitate the lateral movement of attackers distributing malware within an organization. IANS strongly recommends implementing all malicious file blocking capabilities
within Exchange Online, even if an organization uses a third-party email hygiene service (like Proofpoint or Mimecast).
- Blocking basic authentication: Many M365 attackers use basic authentication to bypass MFA policies and access user information. Set conditional access policies to
deny the use of basic authentication to all users, and then monitor to ensure conflicting or cancelling policies are not implemented by attackers.
- Ensuring auditing and logging remain enabled for all users: Most Exchange Online attacks originate with the attackers disabling auditing and logging for specific users (especially privileged users and high-value targets like executives). Organizations
should constantly monitor the status of auditing and logging functions within all M365 services, and Exchange Online in particular.
- Eliminating hybrid Exchange dependencies: The recent Hafnium attacks underscored how all on-premises Exchange environments can suffer from significant vulnerabilities. In many cases, Hafnium attacks were used to pivot into M365. Eliminating hybrid Exchange
environments can reduce the operational complexity of email infrastructure and help security teams with monitoring and detection.
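An added example (not code from the IANS post) for the basic-authentication and auditing points above: it makes a block-all authentication policy the tenant default, then checks for the drift the post describes, namely policies or per-user assignments that re-allow basic auth and mailboxes whose auditing has been disabled or bypassed. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the policy name is a placeholder.

```powershell
# Added example, not from the IANS post. Sets a tenant-default authentication
# policy that blocks every basic-auth protocol, then reports the drift described
# above. Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# New-AuthenticationPolicy blocks all basic-auth protocols unless Allow* switches are set
$policyName = "Block Basic Auth"   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Drift check 1: any policy that re-allows a basic-auth protocol
$allowProps = 'AllowBasicAuthActiveSync', 'AllowBasicAuthAutodiscover', 'AllowBasicAuthImap',
              'AllowBasicAuthMapi', 'AllowBasicAuthOfflineAddressBook', 'AllowBasicAuthOutlookService',
              'AllowBasicAuthPop', 'AllowBasicAuthPowershell', 'AllowBasicAuthReportingWebServices',
              'AllowBasicAuthRpc', 'AllowBasicAuthSmtp', 'AllowBasicAuthWebServices'
foreach ($p in Get-AuthenticationPolicy) {
    $allowed = $allowProps | Where-Object { $p.$_ -eq $true }
    if ($allowed) { Write-Warning "$($p.Name) allows: $($allowed -join ', ')" }
}

# Drift check 2: per-user assignments override the tenant default, so list every one
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    ForEach-Object { Write-Warning "$($_.UserPrincipalName) has explicit policy: $($_.AuthenticationPolicy)" }

# Drift check 3: auditing still on for the tenant and not bypassed for any mailbox
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning "Mailbox auditing is disabled tenant-wide" }
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object AuditBypassEnabled |
    ForEach-Object { Write-Warning "Audit bypass is set on $($_.Name)" }
```

Run the drift checks on a schedule; the policy itself is a one-time change, but the post's concern is an attacker quietly undoing it for a single user.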
5. Implement Intune Mobile Device Security Policies
Microsoft is always changing the names of its M365 services, but most of its documentation still refers to Intune as the tool to use for mobile device management. Re-branding is under way to change everything to Endpoint Manager, but that’s still
a few months away. For ease of reference, Intune settings that can be easily searched are referenced here. Key steps here include:
- Reducing the likelihood of identity abuse through device hygiene: In my opinion, the biggest risk associated with mobile devices connected to an M365 tenant revolves around the abuse of identities stored on a vulnerable mobile device. Over the last year,
we saw a significant uptick in attacks against privileged users, but also thousands of opportunistic attacks against vulnerable mobile devices that could allow attackers to gain access to credentials, and consequently, all the email in a user’s
inbox. To reduce the risks of vulnerable mobile devices, conditional access policies can be configured to ensure only up-to-date devices are allowed to synchronize email and install Microsoft Authenticator. Obviously, the age of the mobile device
fleet will need to be considered before enabling this, but reporting options within Intune and Exchange Online can help admins understand just how many legacy devices are currently synchronizing email.
- Limiting information to managed applications: In addition to basic operating system hygiene, IANS strongly recommends using Intune policies to limit how an organization’s email can be read and shared. Setting the conditional access policy to allow
only managed applications to be used for email and access to Microsoft collaboration documents can significantly reduce the likelihood of data leakage through mobile devices.
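An added example (not code from the IANS post) for the sizing step mentioned above: it uses Exchange Online's mobile device records to count how many devices still synchronizing mail run an OS below a minimum version, so the impact of a device-hygiene conditional access policy is known before it is enforced. It assumes the ExchangeOnlineManagement module; the minimum versions are placeholders for your own support policy.

```powershell
# Added example, not from the IANS post. Reports which mobile devices still sync
# mail and how many run an OS below an assumed minimum. Assumes the
# ExchangeOnlineManagement module; minimum versions are placeholders.
Connect-ExchangeOnline

$minimum = @{ iOS = [version]"15.0"; Android = [version]"11.0" }

$devices = Get-MobileDevice -ResultSize Unlimited | ForEach-Object {
    # DeviceOS looks like "iOS 14.8.1 18H107" or "Android 10"; anything else
    # is left unparsed rather than guessed
    $platform = $null; $ver = $null
    if ($_.DeviceOS -match '^(iOS|Android)\s+(\d+(\.\d+)*)') {
        $platform = $Matches[1]
        # [version] needs at least major.minor, so "10" becomes "10.0"
        $ver = [version]($Matches[2] + $(if ($Matches[2] -notmatch '\.') { ".0" }))
    }
    [pscustomobject]@{
        User      = $_.UserDisplayName
        Model     = $_.DeviceModel
        Client    = $_.ClientType        # EAS (native mail app) vs Outlook
        OS        = $_.DeviceOS
        Platform  = $platform
        Outdated  = ($platform -and $ver -lt $minimum[$platform])
        FirstSync = $_.FirstSyncTime
    }
}

# Headline numbers: how many devices would a minimum-OS policy cut off?
$devices | Group-Object Platform, Outdated | Select-Object Name, Count | Sort-Object Name
# Detail for the ones that would be blocked, so owners can be contacted first
$devices | Where-Object Outdated | Format-Table User, Model, OS, Client -AutoSize
```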
Securing M365 with IANS
The M365 platform is incredibly complex and the security options for each service change frequently. As part of our Consulting offering, we offer M365 security assessments that can be run to improve baseline configurations as
well as detect changes. Get in touch to learn more about how our Consulting and other service offerings can help improve your security program.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.