Thank god it’s Friday and finally time for some security chilling. Well, that sounds a bit contradictory since security is never about chilling. Security requires you to stay on top of things and to be proactive. What I mean is that it’s Friday and I finally have some time to lay down on a couch and read up on new security material I’ve queued up.
There are many tools and guidelines on how to secure your Microsoft cloud tenant but I’ve been looking for a fundamental checklist of the most important tasks.
We’ve had Microsoft Secure Score for some time and it’s a must for your security work. My tip is to check it monthly and assign different security actions to your IT team. You then validate the score again next month and put in some gamification using the score mechanism of Secure Score to make it more intresseting.
But Secure Score is not the tool for this blog post.
The CIS Microsoft 365 Foundations Benchmark
The Center for Internet Security (CIS) is a nonprofit organization set out to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace”.
CIS provides free benchmarks in PDF format for many different platforms like Linux, Windows Desktop, Windows Server, VMware and now cloud providers.
They recently announced, in partnership with Microsoft, the CIS Microsoft 365 Foundations Benchmark which helps you get the most important security settings in place in Microsoft 365. It’s a guidance for establishing a secure configuration posture for Microsoft 365 running on any OS.
This benchmark is free and you can sign up and download it from the CIS website. I’ve done so and gone through the benchmark document. I’ve put together an overview of what recommendations it provides. You can use this list as a fundamental checklist when planning your own Microsoft cloud security road map. However, I recommend you to download the official benchmark for full details and implementation guidelines.
The Security Checklist
The benchmark is divided into seven sections with a total of around 60 recommendations. I think it provides a decent order of priorities under each section so it can also work as a starting point for a road map.
Recommendations related to setting the appropriate account and authentication policies.
- Ensure multifactor authentication is enabled for all users in administrative roles.
- Ensure multifactor authentication is enabled for all users in all roles.
- Ensure that between two and four global admins are designated.
- Ensure self-service password reset is enabled.
- Ensure modern authentication for Exchange Online is enabled.
- Ensure modern authentication for SharePoint applications is required.
- Ensure modern authentication for Skype for Business Online is enabled.
- Ensure that Office 365 Passwords Are Not Set to Expire.
Recommendations related to the configuration of application permissions within Microsoft 365.
- Ensure third party integrated applications are not allowed (User Settings > No App Registrations).
- Ensure calendar details sharing with external users is disabled.
- Ensure O365 ATP SafeLinks for Office Applications is Enabled.
- Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled (blocks malicious files).
Recommendations for setting data management policies.
- Ensure the customer lockbox feature is enabled.
- Ensure SharePoint Online data classification policies are set up and used.
- Ensure external domains are not allowed in Skype or Teams.
- Ensure DLP policies are enabled.
- Ensure that external users cannot share files, folders, and sites they do not own.
- Ensure external file sharing in Teams is enabled for only approved cloud storage services.
Email security/Exchange Online
Recommendations related to the configuration of Exchange Online and email security.
- Ensure the Common Attachment Types Filter is enabled.
- Ensure Exchange Online Spam Policies are set correctly.
- Ensure mail transport rules do not forward email to external domains.
- Ensure mail transport rules do not whitelist specific domains.
- Ensure the Client Rules Forwarding Block is enabled.
- Ensure the Advanced Threat Protection Safe Links policy is enabled.
- Ensure the Advanced Threat Protection Safe Attachments policy is enabled.
- Ensure basic authentication for Exchange Online is disabled.
- Ensure that an anti-phishing policy has been created.
- Ensure that DKIM is enabled for all Exchange Online Domains.
- Ensure that SPF records are published for all Exchange Domains.
- Ensure DMARC Records for all Exchange Online domains are published.
- Ensure notifications for internal users sending malware is Enabled.
Recommendations for setting auditing policies on your Microsoft 365 tenant.
- Ensure Microsoft 365 audit log search is Enabled.
- Ensure mailbox auditing for all users is Enabled.
- Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly.
- Ensure the Application Usage report is reviewed at least weekly.
- Ensure the self-service password reset activity report is reviewed at least weekly.
- Ensure user role group changes are reviewed at least weekly.
- Ensure mail forwarding rules are reviewed at least weekly.
- Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly.
- Ensure the Malware Detections report is reviewed at least weekly.
- Ensure the Account Provisioning Activity report is reviewed at least weekly.
- Ensure non-global administrator role group assignments are reviewed at least weekly.
- Ensure the spoofed domains report is review weekly.
- Ensure Microsoft 365 Cloud App Security is Enabled.
- Ensure the report of users who have had their email privileges restricted due to spamming is reviewed.
Recommendations for securely configuring storage policies.
- Ensure document sharing is being controlled by domains with whitelist or blacklist.
- Ensure expiration time for external sharing links is set.
Mobile Device Management
Recommendations for managing devices connecting to Microsoft 365.
- Ensure mobile device management polices are set to require advanced security configurations to protect from basic internet attacks.
- Ensure that mobile device password reuse is prohibited.
- Ensure that mobile devices are set to never expire passwords.
- Ensure that users cannot connect from devices that are jail broken or rooted.
- Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise.
- Ensure that settings are enable to lock multiple devices after a period of inactivity to prevent unauthorized access.
- Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data.
- Ensure that mobile devices require complex passwords to prevent brute force attacks.
- Ensure that devices connecting have AV and a local firewall enabled (Windows 10).
- Ensure mobile device management policies are required for email profiles.
- Ensure mobile devices require the use of a password.
Go and download the benchmark from CIS and plan your security road map to strengthen your security posture in the cloud. I believe that this is a great starting point and I will use this list as a recommended path for customers. If you want more information, Microsoft also provides there own list and it looks something like this.
Please follow me here, on LinkedIn and on Twitter.