The Microsoft 365 suite of tools provides productivity benefits to many organizations. However, the default settings of Microsoft 365 when implemented out of the box may not be secure enough for your organization. This can leave your organization vulnerable to attackers who threaten your entire Microsoft 365 environment. A crucial first step is to understand which settings need strengthening, since as an organization you cannot begin to protect what you don’t know you have. Throughout this post we will explore the areas within Microsoft 365 that require attention and can be enhanced to create a more secure environment.
Microsoft 365 Admin Center is the hub for managing user accounts, teams, groups, and policies. These are all sensitive tasks, so the default settings must be reviewed and properly configured; otherwise they introduce security risks.
- Roles and permissions often follow a more permissive model, which can violate the principle of least privilege and give users more access than necessary. This can increase the risk of insider threats or accidental data breaches if roles and permissions are not appropriately configured.
- Password policies may not enforce strong password requirements, leaving accounts vulnerable to brute force attacks. Users may also be prompted to change their passwords at regular intervals, which can lead to password fatigue and the use of generic and easily guessed passwords. With a strong password policy, the need to rotate passwords lessens, since users are required to meet length requirements and use special characters and numbers, making their passwords more difficult for an attacker to guess.
- Third-party storage services, when allowed without stringent controls, can open doors for data leaks and unauthorized access, as these services may not be compliant with your organization’s security policies.
Microsoft 365 Defender provides comprehensive security across the Microsoft ecosystem, yet its default settings may not always be robust enough to prevent sophisticated threats.
- Notifications for internal users sending malware may be disabled unless they are explicitly configured, delaying the detection of and response to internal threats.
- Anti-phishing policies are often not fully implemented and enforced, leaving the organization exposed to phishing attacks that can compromise sensitive information.
- Email authentication protocols like SPF, DKIM, and DMARC may not be properly configured by default, making it easier for attackers to spoof emails and conduct phishing or business email compromise attacks.
Microsoft Purview is designed as a data governance and compliance solution that helps organizations manage, protect, and govern their data across their environments and enhance data security. It is capable of data discovery, classification, labeling, and policy enforcement to streamline data management and governance.
- Data loss prevention (DLP) and information protection are critical aspects of a secure Microsoft 365 environment. However, default settings might not have these protections fully enabled. Without DLP policies in place, sensitive information can be inadvertently shared outside the organization and lead to data breaches.
- SharePoint Online information protection policies are also essential for controlling access and protecting data stored in SharePoint, but these might not be adequately configured and leave data exposed to unauthorized access.
Microsoft Entra ID is a cloud-based identity and access management service. Managing identities and access through the Microsoft Entra Admin Center is crucial for maintaining security.
- Multi-Factor Authentication (MFA) settings out of the box might allow for per-user MFA instead of enforcing it through conditional access policies, leading to inconsistent security practices.
- Third-party applications, if users are allowed to register them, can expand the attack surface and introduce potential vulnerabilities.
- Other risks include non-admin users having the capability to create tenants and unrestricted access to the Azure AD administration portal, which can lead to unauthorized changes and potential security breaches. Additionally, by default, Entra presents users with the choice to remain signed into the environment on their device, which can increase the risk of unauthorized access if a device is lost or compromised.
Microsoft Exchange is a mail and calendar server developed to provide email, calendar, contact management, and task management capabilities. Securing it is extremely important, and the Exchange admin center settings play a significant role in doing so.
- Mailbox auditing might not be enabled, making it difficult to monitor and respond to suspicious activities within user mailboxes.
- Identification of emails from external senders is crucial to prevent phishing attacks, but this may not be enabled by default, increasing the risk of employees falling victim to spoofed emails.
- Outlook add-ins should be restricted, because users who are allowed to install them can introduce malicious extensions that compromise security.
- Additional storage providers in Outlook on the web, when allowed without proper control, can lead to unauthorized data access and sharing.
SharePoint is a vital collaboration tool, but proper security settings in the SharePoint Admin Center are critical.
- Default settings might not enforce modern authentication for SharePoint applications, leaving the system vulnerable to legacy authentication attacks.
- External content sharing and OneDrive content sharing can be overly permissive by default, potentially leading to data leakage if not properly restricted.
- Guest users in SharePoint might have more access than necessary, and access might not expire automatically, posing a continuous risk if their credentials are compromised.
Microsoft Teams is widely used for communication and collaboration, and the security settings in Microsoft Teams Admin Center need careful attention.
- External file sharing with unapproved cloud storage services might be allowed by default; the permitted services should align with the organization's approved list.
- Protections during meetings should also be in place against anonymous users joining, bypassing lobbies, and engaging in meeting chats; without them, unauthorized individuals can disrupt meetings or gain access to sensitive information.
- Ensuring that users can report security concerns within Teams is also essential for maintaining a proactive security posture, but this feature might not be prominently enabled by default.
How Tangible Security Can Help
Tangible Security helps organizations safeguard their Microsoft 365 Cloud Environments by leveraging the CIS Microsoft 365 Foundations Benchmark v3.0.0. Our comprehensive assessment evaluates customer environments against each control, providing a detailed analysis of their current security posture. We deliver a thorough report that includes findings for each control, the severity of each finding, and concrete evidence supporting these findings. Additionally, we offer detailed remediation steps to address any identified vulnerabilities. This approach ensures that organizations can enhance their security measures, reduce risks, and maintain their defense against potential threats in their Microsoft 365 environments.