As agencies adapt or change enterprise collaboration capabilities to meet remote requirements at unprecedented speeds, IT leaders must consider the security issues that come with basing collaboration tools on cloud platforms.
Simple best practices can improve security in Microsoft 365 and reduce the likelihood that hackers could compromise sensitive accounts or move laterally from on-premises networks to the cloud.
The first step: enable passwordless authentication or multifactor authentication. Passwords are a security risk, and Microsoft has been pushing passwordless authentication for several years. This method replaces passwords with a combination of something you have, such as a security key, plus something you are or you know, such as a fingerprint or a PIN.
Authentication Can Come in Multiple Forms
Agencies can choose from FIDO2 security keys, SMS, the Microsoft Authenticator app or Windows Hello for Business when implementing passwordless authentication in Microsoft 365.
Each method has its pros and cons. FIDO2 security keys are better for those who log in to multiple devices, whereas Windows Hello works for those with a permanent workstation. The Microsoft Authenticator app can also protect passwords with multifactor authentication, which requires users to provide something in addition to their password, such as a one-time passcode or a biometric gesture.
Account passwords protected by MFA are much less likely to be hacked, but passwordless authentication is a better solution if you can implement it.
Agencies should enforce MFA or passwordless authentication for all admin accounts, which are routinely targeted by hackers because of the access they have to Microsoft 365 tenants. Once a hacker has access to an admin account, they control your tenant and can perform any action.
IT Leaders Should Turn Off Legacy Protocols
The next step: Turn on mailbox and unified auditing. The Unified Audit Log in Microsoft 365 is turned off by default. The U.S. Computer Emergency Readiness Team (US-CERT) recommends enabling the log, which records user and admin activity from Exchange Online, SharePoint Online, OneDrive, Azure Active Directory (Azure AD), Microsoft Teams, Power BI and other Microsoft 365 services for up to one year, depending on the license assigned to users.
Before admins can run queries in the Office 365 Security and Compliance Center, the Unified Audit Log must be enabled by a user who is assigned the Audit Logs role (assigned to the Compliance Management and Organization Management role groups by default). Agencies that provisioned a Microsoft 365 tenant before January 2019 should also enable mailbox auditing.
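The two auditing steps above, done from Exchange Online PowerShell rather than the portal, as an added example (not from the article). It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role; the query in step 3 is a constructed sample.

```powershell
# Added example: enable and verify Microsoft 365 auditing with Exchange Online
# PowerShell. Requires the ExchangeOnlineManagement module and an account that
# holds the Audit Logs role (Compliance Management / Organization Management).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; prompts for MFA

# 1. Unified Audit Log: off by default in the tenant, so turn it on and confirm.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is still disabled'
}

# 2. Mailbox auditing: tenants created before 2019 may still have it off.
#    AuditDisabled = $false turns on "audit by default" for every mailbox.
Set-OrganizationConfig -AuditDisabled $false

# Report any mailbox where auditing has been explicitly bypassed, since a
# bypass silently drops that mailbox's activity from the log.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 3. Sample query (constructed): admin-role membership changes and mailbox
#    permission grants in the last 7 days, the events that matter most for
#    spotting an admin-account compromise.
$ops = 'Add member to role.', 'Add-MailboxPermission'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate -Descending

Disconnect-ExchangeOnline -Confirm:$false
```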
Another tip: If email clients don’t require legacy Exchange protocols such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP), disable them; these protocols rely on Basic Authentication and don’t support MFA. Agencies using Outlook and newer Office desktop apps should be able to safely disable legacy protocol support.
To check for legacy protocols, apply a filter in the Sign-ins section of Azure AD in the Azure management portal. Add a filter that shows only client apps using legacy protocols to better identify which users can be safely denied access to the protocols.
Legacy protocols can be disabled by blocking Basic Authentication for all or selected protocols; if protocols aren’t specified when creating a new authentication policy, Basic Authentication is blocked for all Exchange Online client protocols.
Another approach is to use Azure AD Conditional Access, which allows agencies to create a policy that blocks Exchange ActiveSync clients and “Other clients” to prevent use of legacy protocols.
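The legacy-protocol check and the authentication-policy block described above, scripted end to end, as an added example (not from the article). Part 1 reproduces the Sign-ins filter through Microsoft Graph; part 2 creates the Exchange Online authentication policy. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; the policy names and the scanner mailbox are made-up values.

```powershell
# Added example (not from the article). Part 1 pulls Azure AD sign-in logs for
# legacy clients (the same filter as the Sign-ins blade); part 2 blocks Basic
# Authentication in Exchange Online. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules; policy names and the mailbox are made up.
Import-Module Microsoft.Graph.Reports
Import-Module ExchangeOnlineManagement

# --- Part 1: who still signs in with legacy protocols? ---------------------
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$legacyApps = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $legacyApps -contains $_.ClientAppUsed }

# One row per user/client pair: each of these needs a modern client (or a
# documented exception) before Basic Auth is switched off for them.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# --- Part 2: block Basic Auth in Exchange Online ---------------------------
Connect-ExchangeOnline
# With no -AllowBasicAuth* switch the policy blocks Basic Auth for every
# Exchange Online client protocol; making it the default covers all users.
$block = Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue
if (-not $block) { $block = New-AuthenticationPolicy -Name 'Block Basic Auth' }
Set-OrganizationConfig -DefaultAuthenticationPolicy $block.Identity

# Narrow exception for a single device mailbox that can only speak IMAP:
# one protocol, one account, assigned explicitly rather than tenant-wide.
$exception = 'scanner@example.gov'   # made-up mailbox
$imapOnly = New-AuthenticationPolicy -Name 'Allow Basic IMAP only' -AllowBasicAuthImap
Set-User -Identity $exception -AuthenticationPolicy $imapOnly.Identity

# Also switch the protocols off at the transport and mailbox layer for
# everyone else, so they are unusable even with modern authentication.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailbox -ResultSize Unlimited -Filter { PopEnabled -eq "true" -or ImapEnabled -eq "true" } |
    Where-Object { $_.PrimarySmtpAddress -ne $exception } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

The default authentication policy is applied to existing sessions within about 24 hours; users who had a legacy client open will see it stop authenticating once their token expires.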
Assign Privileges to Users Carefully
In addition, agencies that have extended their Windows Server Active Directory to Azure AD should make sure admin passwords are not synced to Azure AD. Azure AD Connect can be used to sync on-premises AD accounts to Azure AD and optionally overwrite passwords in Azure AD.
If a Windows Server AD admin account password is compromised and it is synced to or matched with an existing Azure AD account, then the hacker can get access to an agency’s Microsoft 365 tenant. Starting in October 2018, Azure AD Connect stopped syncing passwords for Windows Server AD accounts by default where the isCriticalSystemObject attribute is set to “true.”
Password syncing enables single sign-on for users and simplifies password management. But password syncing should be carefully planned to make sure compromised on-premises accounts don’t provide privileged access to Microsoft 365.
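A way to find out which privileged on-premises accounts are actually being synchronized, so they can be excluded in Azure AD Connect, as an added example (not from the article). It assumes a domain-joined workstation with the ActiveDirectory and Microsoft.Graph.Users modules; the Tier-0 group list is a common choice, not something the article specifies.

```powershell
# Added example (not from the article): audit which privileged on-premises
# accounts are synchronized to Azure AD so they can be excluded from Azure AD
# Connect (by OU or attribute filtering). Assumes the ActiveDirectory and
# Microsoft.Graph.Users modules on a domain-joined workstation.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# 1. Built-in protected accounts carry isCriticalSystemObject = TRUE; the
#    article notes Azure AD Connect stops syncing their passwords by default.
$critical = Get-ADUser -Filter { isCriticalSystemObject -eq $true } |
    Select-Object -ExpandProperty SamAccountName

# 2. Custom admin accounts (members of the Tier-0 groups below; list is an
#    assumption) are NOT flagged, so their hashes sync unless excluded.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privileged = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
}

# 3. Look up which of those exist in Azure AD as directory-synced users.
Connect-MgGraph -Scopes 'User.Read.All'
$synced = @{}
Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property UserPrincipalName, OnPremisesSamAccountName |
    ForEach-Object {
        if ($_.OnPremisesSamAccountName) {
            $synced[$_.OnPremisesSamAccountName.ToLower()] = $_.UserPrincipalName
        }
    }

# 4. Report: every row is a privileged on-premises account whose compromise
#    would carry straight into the Microsoft 365 tenant. Review each for
#    exclusion from sync or for a separate cloud-only admin identity.
$privileged |
    Where-Object { $_.SamAccountName -notin $critical } |
    Where-Object { $synced.ContainsKey($_.SamAccountName.ToLower()) } |
    Sort-Object SamAccountName, Group |
    Select-Object SamAccountName, Group,
        @{ n = 'CloudUPN'; e = { $synced[$_.SamAccountName.ToLower()] } } |
    Format-Table -AutoSize
```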
Finally, when managing Microsoft 365, agencies should take note of how privileges are assigned. The first account in a Microsoft 365 tenant is assigned Global Admin privileges, which means it has the highest level of access possible.
Implementing the principle of least privilege in Microsoft 365 can significantly reduce the risks associated with admin accounts.