CISA reports that it continues to see companies not following best security practices for the operation of their Office 365. It is concerned that rushed implementations could trigger big security overviews that attackers might exploit. New advice from CISA is similar to an alarm issued last year after contractors deployed a low-security O365. This document includes links to related best-practice documents from Microsoft for stable Azure AD and Office 365 validation. “O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.” First of all, companies need to lock Azure Active Directory (AD) Multi-Factor Authentication (MFA) Global Administrators in Office 365. It is the platform used to build additional accounts and has the highest rights in an on-site AD system equal to the domain administrator. MFA is not activated for this account by default, so administrators must actively trigger it. CISA notices Microsoft’s security defaults launched in January helping companies defend their accounts on the same level as Microsoft defends user accounts against threats like spraying passwords and phishing. The method allows administrators to use MFA. Earlier this year Microsoft announced that 99.9% of the affected accounts do not use MFA and only 11% of businesses have used MFA. CISA says the Global Administrator account can only be used if it is “completely necessary” and administrator functions need to be delegated using role-based access control. “Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning of overly permissive privileges to legitimate administrators. Practicing the principle of ‘least privilege’ can greatly reduce the impact if an administrator account is compromised,” CISA notes. CISA recommends that admins require the Centralized Audit Log to assist incidents investigations at the Security and Enforcement Center. Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Staff, PowerBI, and Office 365 events are included in the Audit Report. The agency also recommends that MFA be required for all users even if their permissions are not increased. Admins should also disable legacy protocols, particularly if MFA features such as Post Office Protocol (POP3), IMAP, and Simple Mail Transport Protocol (SMTP are not supported). However, CISA states that if an older email client requires such protocols, they will not be disabled. It advises that organizations store and limit access to these protocols by users who choose to use an older email application. “Taking this step will greatly reduce an organization’s attack surface,” CISA says. CISA suggests, ultimately, that the Microsoft Safe Score tool be used to calculate a security status for an enterprise for Office 365 and an integrated SIEM tool with the Centralized Audit Log.
