Recently, the U.S. Cybersecurity and Infrastructure Agency (CISA) published a report on their security observations on Office 365. In it, they detail some configuration vulnerabilities. I’d like to touch on these and build upon their recommendations of changes that will increase your environment’s security.
- Multi-factor Authentication: CISA points out that MFA is not enabled for Global Administrator accounts by default. A Global Administrator in Office 365 is the equivalent of a Domain Administrator in your on-premise environment. However, unlike your on-prem network, which is protected by a security perimeter, Office 365 is in the cloud and directly exposed to the internet. While enabling MFA for at least your Global Admin accounts will give a welcomed layer of security, we like to take that recommendation a step further and advise MFA to be enabled for all your accounts. Used wisely by a savvy bad actor, a compromised standard user account can be just as dangerous as an administrator.
- Legacy authentication protocols: The modern method used by O365 for authentication with Exchange Online is Azure AD. However, there are a few other protocols associated with Exchange Online that are legacy authentication methods that older email clients use. These methods are POP3, IMAP, and SMTP. You can disable them per account or at the tenant level.If none of your users have a business critical need to use an older email client, we recommend to disable this at the tenant level. If some users do still have a need, which hopefully you are working to migrate away from, then disable these protocols for all but those who still need them.
Corrected Security Settings Since Report
CISA also outlines a concern with Mailbox Auditing being disabled by default, but since the time of publishing their report, this feature is now enabled by default for all new and existing tenants.
Additionally, they detail a concern with the use of Azure AD Connect and the Password Sync feature. The potential threat scenario was in the case that an on-prem admin account was compromised, the same credentials could then be used to access the Office 365 portal as an admin. However, Microsoft has since disabled the capability to use AD Connect to match certain administrator accounts. Using MFA on administrator accounts, as well as strong password policies, will further mitigate this concern.
Additional Office 365 Security Recommendations
Below are additional changes I recommend making to further secure your Office 365 tenant. Some of these are simple setting changes. Others include planning and configure policies. For the purpose of this blog, I will not be going into technical detail on these suggestions. Some I already have in past blog posts, others I hope to in the future.
- Disable auto-forwarding to remote domains
- Disable the ability to configure forwarding in OWA
- Configure a basic DLP policy to prevent sending sensitive data via plain text messages
- Set up Alert Policies to notify of potential malicious activity on accounts
- Configure the default anti-phishing policy for your domain, and critical users
- Enable safety tips to notify users that a message is from an external sender
- Block top-level foreign domains for countries that you do not do business with
- Configure Message Encryption to send sensitive information externally
- Configure Advance Threat Protection (additional add-on license needed)
If you have any security concerns regarding your Office 365 tenant, please reach out to Sikich for a consultation!
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.