Office 365 Security Best Practices
As the increasing number of organizations decide to migrate their infrastructure to the public cloud services, they overwhelmingly rely on the help of the outside vendors. The focus of most of these vendors is to complete the task as conveniently and efficiently as possible. However, convenience may lower the security standards and open the door for vulnerabilities and data breaches. It is also noteworthy that many of these vendors do not have security expertise and may unintentionally leave the backdoor open to attackers. Since October 2018, the Cyber-security and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have used third-party partners to migrate their email services to the Office 365 platform. According to DHS, these organizations have had a mix of configurations that lowered their overall security posture that led to the user and mailbox compromises.
The following list contains examples of configuration vulnerabilities:
Multi-factor authentication for administrator accounts:
Azure Active Directory`s (AD) Global Administrators in an Office 365 environment, possess the highest level of privileges. Due to its access, the Administrator account must be protected with an additional layer of security to reduce the possibility of the compromise. Multi-factor authentication is a security system that requires more than one method of authentication and can stop the attackers from accessing the critical accounts even if they successfully compromised the password. This security method is inactive by default and must become active for any account with vital access to resources.
Office 365 mailbox auditing records any actions that mailbox owners, delegates, and administrators perform. Therefore, it can retain a history of all changes that made to the system and expose malicious security changes. Office 365 environment does not currently enable the unified audit log by default, and an administrator had to allow mailbox auditing explicitly.
Azure Active Directory integrates an on-premises environment with Azure cloud services. This integration can use the Password sync feature to uniform passwords across all Microsoft services. This feature initiated by the on-premise Active directory can pose a danger if an intruder gains access to high privileged account such as administrator as they can change the credentials across cloud services as well. Implementing Password sync must happen with cautious about making sure that it does not transfer compromised credentials during the Office 365 migration.
Authentication unsupported by legacy protocols:
Azure AD is the authentication method that Office 365 uses to authenticate with Exchange Online to provides email services. There are several protocols associated with Exchange Online authentication that do not support modern authentication methods with Multi-factor authentication features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). These protocols should be disabled unless an organization requires older email clients as a business necessity. However, that leaves email accounts exposed to the internet with only the username and password as the primary authentication method. The best approach in this condition is to use Azure Active Directory Conditional access policies to limit and monitor the accounts using legacy protocols.