The Essential Guide to Acing the CIS Microsoft 365 Foundations Benchmark and Mitigating Risk
Microsoft Office 365, now branded Microsoft 365, is a large attack surface that attackers probe constantly. The platform holds your user identities and, by some estimates, around 80% of your confidential data.
Unfortunately, Office 365 does not secure itself: a default tenant ships with many protective settings turned off, and general-purpose security tools cover only part of the job.
The world-renowned Center for Internet Security (CIS) understands this and has detailed guidance to help secure the Microsoft SaaS platform in its CIS Microsoft 365 Foundations Benchmark.
“Microsoft 365 provides powerful online cloud services that enable collaboration, security, and compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customer’s cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings,” according to the Best Practices for Securely Using Microsoft 365 – The CIS Microsoft 365 Foundations Benchmark blog by Microsoft’s Jonathan Trull and Sean Sweeney. “The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.”
Meeting the CIS M365 Challenge
CoreView, with solution architect Matt Smith, has dissected the CIS benchmark and works with enterprises to adopt its guidance and to manage and enable the 73 CIS controls, which fall largely in the areas of Zero Trust, least-privilege access, and compliance.
“I recently went through this with a 5,000-seat hospital, going line by line implementing the CIS controls. It took us about five or six hours, spread over several days. It was amazingly effective and very satisfying to know,” said Matt Smith, CoreView solutions architect. “We are also working on NIST controls for our state, local and federal government customers and those who are subject to federal guidelines for things like NIST 800-53 audit advice.”
Microsoft Zero Trust and CIS Controls
On a macro level, Microsoft frames security around Zero Trust, an approach Microsoft describes as a journey of several months, or even a year or two. “We think that’s too long. We help implement and judge the effectiveness of a substantial portion of the Microsoft Zero Trust model,” Smith argues. Adopting Zero Trust makes the tenant more secure and moves it closer to the CIS benchmark, because many CIS controls are Zero Trust controls. Zero Trust extends the long-standing idea of least-privilege access with two further principles: verify explicitly (authenticate and authorize every request using all available signals, not just a network location) and assume breach (design as if an attacker is already inside, so limit the blast radius and watch for lateral movement).
Meanwhile, identities are part of the Microsoft Shared Responsibility Model where SaaS providers handle core platform security duties, and IT handles more tenant and end user specific responsibilities. Identities are IT’s responsibility within that Shared Responsibility Model. IT has to implement identity processes, validate that those identities are configured properly, and maintain all that correctly on an ongoing basis.
At the center of the Zero Trust model are Conditional Access policies. Conditional Access is evaluated by Azure AD (now Microsoft Entra ID) at sign-in, when a token is issued, not at the network edge: a policy can block a sign-in, or demand extra controls, based on the device the user is on, the client app and authentication protocol in use, the location the sign-in comes from, or the user's risk level. For instance, a sign-in from Southeast Asia minutes after the same account signed in from New York is flagged as impossible travel by Identity Protection, and a sign-in risk policy can block it.
IT generally knows these sign-in attempts are happening, but often lacks deep insight into which accounts are being targeted and lacks a quick way to block them.
CoreView changes all that by reporting what conditional access policies were applied and which ones weren’t; whether multi-factor authentication came into play, whether it was configured, and then allows IT to take remediation actions directly from a policy report. This is the deeper value of CoreView, versus simply being told to deploy conditional access.
The CIS benchmark deeply involves moving towards Zero Trust. CIS is very explicit in the approach. Not only does it say you should do things like have conditional access policies, but CIS defines exactly how to implement these as best practices.
- Ensure Multifactor Authentication Is Enabled for All Users in Administrative Roles
- Ensure Multifactor Authentication Is Enabled for All Users in All Roles
- Ensure That Between Two and Four Global Admins Are Designated
- Ensure Self-service Password Reset Is Enabled
- Ensure That Password Protection Is Enabled for Active Directory in Hybrid Environments
- Enable Conditional Access Policies to Block Legacy Authentication
- Ensure That Password Hash Sync Is Enabled for Resiliency and Leaked Credential Detection
- Enable Identity Protection to Identify Anomalous Logon Behavior
- Enable Azure AD Identity Protection Sign-in Risk Policies
- Enable Azure AD Identity Protection User Risk Policies
- Use Just In Time Privileged Access to Office 365 Roles
- Ensure Modern Authentication for Exchange Online Is Enabled
- Ensure Modern Authentication for Skype for Business Online Is Enabled
- Ensure that Office 365 Passwords Are Not Set to Expire
Deeper Dive into CIS Controls
The first section of the CIS benchmark document includes detailed guidance on Azure Active Directory (AD) identities that are foundational to M365.
Concerning Azure Active Directory and identities, if you look at the Microsoft Shared Responsibility matrix, you’ll find identities are square in the middle of what IT is responsible for enacting. This first one is ensuring multi-factor authentication is enabled for all users and administrator roles.
The CIS MFA Control
As mentioned, a key CIS control is to ensure multi-factor authentication is enabled for ALL users and ALL roles.
So how do you track compliance with this control? CoreView has a report showing who has administrative roles, and if those administrative roles have been activated. This is not just critical for MFA, but for knowing – and then limiting – the number of Global Admins.
If you want to see administrative roles, CoreView offers a report detailing roles the admins have. The report shows the roles, and the related users. It shows if users are licensed, and the last time that they signed in. Under users with admin roles, IT can see the multi-factor authentication state, and whether it’s enforced or not.
The legacy per-user MFA setting has three states: Disabled, Enabled and Enforced. Enabled means the user has been enrolled but has not completed registration, so MFA is not yet required at sign-in; only Enforced (or a Conditional Access policy that actually applies to the account and requires MFA) makes the second factor mandatory. An admin whose state is Enabled rather than Enforced, or who is excluded from the MFA policy, is effectively unprotected. “That’s not going to do anyone any good. The fact that they have it, have registered for it but not required to use it, is not what IT wants. And disabled is certainly not what IT wants either,” Smith remarked.
This report can be saved as a KPI. It will show up in a CoreView dashboard and allow IT to operationalize and check the status on a daily, weekly, monthly, or quarterly basis. This way, IT can see if administrators for some reason have disabled multi-factor authentication, or if they are bypassing the conditional access rule that makes them leverage MFA when they sign in.
Exceptions to MFA Rule
IT may have a valid reason multi-factor authentication is not enforced in some cases. The classic example is a service account that runs unattended PowerShell scripts: a scheduled job cannot answer an interactive MFA prompt. (MFA is satisfied once, at Connect- time, and the token is cached for the session, so it is the unattended run that is the problem, not each individual command.) The better answer today is to drop the password-based service account altogether: the Microsoft Graph, Exchange Online and SharePoint Online modules all support certificate-based app-only authentication, and Azure-hosted automation can use a managed identity, neither of which needs an MFA exception.
Where an exception is unavoidable, IT can use CoreView to identify which accounts do not need MFA, mark them as allowlisted, and set Conditional Access rules so that they can sign in only from specific named locations (IP ranges), for example. Every such exception should be reviewed on a schedule, because an MFA-exempt account with a static password is exactly what an attacker hopes to find.
MFA for IT Admins
MFA for IT is especially critical. If an admin account is compromised, the attacker has deep access to your tenant, data and other user identities. You can only enforce MFA for IT if you know who the admins are and their MFA state. This ties into the CIS advice to “Enable multi factor authentication for all users who are members of administrative roles in the Microsoft 365 tenant.”
Examples of such roles include:
- Billing Administrator
- Dynamics 365 Service Administrator
- Exchange Administrator
- Global Administrator
- Password Administrator
- Power BI Administrator
- Service Administrator
- SharePoint Administrator
- Skype for Business Administrator
- User Management Administrator
Making sure all admins have MFA requires some adjustments – but it’s well worth it. “Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment,” CIS said.
Limit the Number of Global Admins to Only 2-4
Having Global Admins is critical. You need someone with a complete view of the tenant, and the ability to make changes and solve problems. But too many Global Admin cooks spoil the M365 soup. “More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant,” CIS advised. “If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.”
Limiting admins to 2-4 requires a change in how admin roles are structured, and rights delegated. Shops that are already disciplined in this area have little trouble abiding by the new guidance. But some shops give every admin GLOBAL rights. “The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access,” CIS explained.
Controlling the Number of Global Admins
CIS and Microsoft agree that IT should ensure that between two and four Global Admins are designated. With CoreView, IT has a report on the users with administrator roles. Note that Company Administrator is the internal name of the Global Administrator role, so it appears under that name in some APIs and reports and counts toward the same total.
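Here is how to produce the same inventory yourself, covering the three controls discussed above: admins without a usable second factor, the Global Administrator head count, and the admin inventory CIS asks for. This is an added example for this guide, not CoreView's code or a CIS-supplied script. It assumes the Microsoft Graph PowerShell SDK (v2), a reader holding the listed scopes, and Entra ID P1 for the SignInActivity property; the CSV path is a placeholder.

```powershell
# Added example, not CoreView code. Assumes the Microsoft Graph PowerShell SDK (v2),
# a reader holding the scopes below, and Entra ID P1 for the SignInActivity property.
$scopes = @('RoleManagement.Read.Directory', 'Directory.Read.All',
            'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

# Method types that can satisfy an MFA prompt. Password and email (SSPR-only) do not
# count, and a Temporary Access Pass is excluded because it is short-lived by design.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant and
# their *active* members; PIM-eligible (not yet activated) assignments are not listed.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Groups and service principals never answer an MFA prompt; report users only
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user    = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled, SignInActivity
        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
        $strong  = @($methods | Where-Object { $strongMethods -contains $_.AdditionalProperties['@odata.type'] })

        [pscustomobject]@{
            Role       = $role.DisplayName
            User       = $user.UserPrincipalName
            Enabled    = $user.AccountEnabled
            LastSignIn = $user.SignInActivity.LastSignInDateTime
            MfaCapable = $strong.Count -gt 0
            Methods    = ($strong | ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' }) -join ','
        }
    }
}

# 1. Enabled admins with no second factor registered: MFA cannot be required of them yet
$report | Where-Object { $_.Enabled -and -not $_.MfaCapable } | Format-Table Role, User, LastSignIn -AutoSize

# 2. Global Administrator head count against the CIS band of 2 to 4
#    ('Company Administrator' is the same role under its internal name in older APIs)
$globalAdmins = @($report |
    Where-Object { $_.Role -in 'Global Administrator', 'Company Administrator' } |
    Select-Object -ExpandProperty User -Unique)
if ($globalAdmins.Count -lt 2 -or $globalAdmins.Count -gt 4) {
    Write-Warning "Tenant has $($globalAdmins.Count) Global Administrators; CIS expects between 2 and 4."
}

# 3. The same table is the admin inventory CIS asks for; keep it as audit evidence
$report | Export-Csv -Path .\admin-inventory.csv -NoTypeInformation
```

A registered method proves the admin is MFA-capable; it does not prove MFA is enforced. Enforcement comes from a Conditional Access policy that targets directory roles and requires multifactor authentication (or, in tenants still using it, the legacy per-user Enforced state), so pair this report with a review of that policy's assignments and exclusions. Eligible-but-not-active PIM assignments come from Get-MgRoleManagementDirectoryRoleEligibilitySchedule and should be added to the head count if you treat eligibility as admin access.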
Maintain Inventory of Administrative Accounts
CIS backs the idea of knowing how many admins you have and what rights these accounts entail, and advises M365 shops to “Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.” This ties directly to the concept of Least Privilege. CoreView keeps an actionable list of admins and their rights. By actionable, we mean if an admin needs to be disabled or their rights changed, it can be done right from the report.
Least Privilege Access and Global Admins
The idea behind CoreView’s Least Privilege Access model is not to take away the role of Global Administrator, or the need for that role. The purpose is to CONTROL the role of Global Admins who can by definition make platform level configuration settings. The idea is to not give an unlimited ability to make these changes unless that admin needs and deserves that level of privilege.
Some functions require or are best handled with global rights – such as having control over SharePoint external sharing which is a tenant wide setting that is appropriate for a global administrator. Maybe IT needs to set up an encrypted mail channel between their organization and another organization. Again, this is a great role for global administrator. But the functions beneath that are perfect for CoreView’s Least Privilege Access model, and our Functional Access Control (FAC) approach.
How does IT effectively get to Least Privilege Access – and get there safely? What CoreView does is proxy these admin commands through a service account. That service account has its credentials stored in Azure Key Vault services. That’s a big differentiator. Nobody knows the password. IT doesn’t know the password, CoreView doesn’t know the password. It is stored in the tenant’s Azure Active Directory — it’s subject to their restrictions for conditional access policies, multifactor authentication and so on. The credentials are in the same Azure Key Vault services that Microsoft uses for its own service accounts for Microsoft 365, for Exchange Online, and so forth.
Setting Proper and Granular Permissions
Proper permissions are key to efficiency and security, and so should be taken seriously. Under the CoreView permissions approach, which is check box-based and detailed, IT can define roles in a deeply granular way. As an example, IT can define a role akin to an Exchange admin, but make it far less broad.
CoreView, for instance, could give somebody at the help desk the ability to forward email addresses — but that’s all that person can do. And IT can scope it using Virtual Tenants so the admin can only do this for the users in a specific department.
Workflow and Least Privilege
Workflow is another critical component of least-privilege access. With workflow, IT can enforce naming standards that are exceedingly difficult to enforce in applications like Teams. For example, IT can automatically grant the ability to create a Teams channel, but not the ability to delete one.
Let’s see how this works in real life. The person (acting as an admin even though they may not be an IT pro) begins to create a Teams channel. A form may come up and say, “I see that you’re an operator for ABC department. All Teams channels you create will start with the naming convention ABC-, followed by your channel name.” More detail can also be given in a message to central tenant administrators to the effect of “This is the purpose of the channel, and here are the settings I want: whether to allow external members, whether the default membership may share files within the organization, and so on.”
All those granular settings within the generic ability to create a Teams channel are handled through workflow. The first step was taking the Microsoft roles and making them more granular. Consider the standard Exchange Administrator role, which allows the holder to change mail routing for the whole organization. That is not what IT wants to give a typical operator. Instead, make it more granular: allow them only to add or change forwarding SMTP addresses. IT can make it more granular still with workflow, letting them create shared mailboxes automatically but only with a specified naming convention and display-name format, or create Teams channels only with an associated Microsoft 365 group that follows the company’s group naming standard, and so forth.
The Enduring Importance of Complex Passwords
Everyone (at least we hope) knows that weak or reused passwords undermine identity protection. Note, though, that current guidance from NIST (SP 800-63B) and Microsoft favors length and screening against banned and leaked passwords over forced composition rules, which is why the benchmark pairs MFA with Azure AD Password Protection rather than relying on complexity requirements alone. CoreView makes it easy to track the strength level of end-user passwords and automatically prompt users to replace weak ones.
Block Legacy Authentication
Attackers love legacy authentication. Basic authentication sends the username and password with every request, and legacy protocols (IMAP, POP, SMTP AUTH, Exchange ActiveSync, older Office clients) cannot complete an MFA challenge, so they are the favorite channel for password spraying and credential stuffing: a guessed password is a working password. That is why CIS tells IT to “use Conditional Access to block legacy authentication protocols in Microsoft 365.”
Nor do legacy authentication solutions commonly use MFA. “Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access,” CIS said. “Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that support modern authentication.”
Historically, legacy authentication was enabled by default in Microsoft 365. Microsoft has since disabled Basic authentication in Exchange Online for all tenants (SMTP AUTH is the one protocol that can still be enabled per tenant or per mailbox), and Security Defaults block legacy authentication in new tenants. A tenant that re-enabled SMTP AUTH, or that never adopted Security Defaults or an equivalent Conditional Access policy, still needs to check. CoreView can discover the use of legacy authentication and correct the problem by moving end users to modern approaches.
Disable Legacy Authentication
There is a standard Conditional Access policy that blocks legacy authentication, and it is the right thing to implement. The hard part is not creating the policy but knowing what will break: which users, scripts and devices still depend on legacy protocols. Deploying the policy in report-only mode first answers that question without locking anyone out.
One CoreView customer took exactly this approach. They correlated the Conditional Access policy, the users, and all of their sign-in events for a specified period to see every protocol and application in use and the devices involved. This way they identified, and could correct, every instance of legacy authentication before enforcing the block.
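The same discover-then-enforce sequence, done natively: pull recent sign-ins that used a legacy protocol, create the block policy in report-only mode, and read back what it would have blocked. This is an added example for this guide, not the customer's or CoreView's code. It assumes the Microsoft Graph PowerShell SDK (v2), Entra ID P1 (Conditional Access and 30 days of sign-in logs), and a placeholder break-glass account id in $breakGlassId.

```powershell
# Added example, not CoreView code. Assumes the Microsoft Graph PowerShell SDK (v2),
# Entra ID P1, and a placeholder emergency-access account id in $breakGlassId.
$scopes = @('AuditLog.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess')
Connect-MgGraph -Scopes $scopes -NoWelcome
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: break-glass account

# --- 1. Discover: who still signs in with a legacy protocol? ---------------------------
# The sign-in log labels modern auth with these two client app values; anything else
# (IMAP4, POP3, SMTP, Exchange ActiveSync, MAPI over HTTP, Other clients, ...) is legacy.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
$since = (Get-Date).ToUniversalTime().AddDays(-14).ToString('yyyy-MM-ddTHH:mm:ssZ')

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) }

# This is the breakage list: fix these clients and scripts before the block is enforced.
# A 'Succeeded' count of 0 for a user/protocol pair usually means password spraying.
$legacy | Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Succeeded'; e = { @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count } },
        Name |
    Format-Table -AutoSize

# --- 2. Enforce: a Conditional Access policy that blocks legacy clients -------------------
# Start in report-only so the sign-in log shows what *would* have been blocked.
$policy = @{
    displayName   = 'CIS - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client app types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- 3. Verify: after a few days, list sign-ins the report-only policy would have stopped -
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policy.displayName -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName
```

The exclusion list should hold only the break-glass account; every other "we need IMAP for this script" case is better solved by moving the script to modern authentication than by widening the exclusion. When the step-3 list has been empty for a reporting period, change the policy state to enabled.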
Most M365 IT pros know they face a bevy of suspicious logons, but don’t know how, where they come from, and whom they target. CIS believes that IT should dive deeper into this issue, and enable “Identity Protection to identify anomalous logon behavior.”
CoreView dives deep into suspicious logon attempts, and reports these through actionable reports detailing impossible sign-ins, unsuccessful sign-in attempts, sign-ins from infected devices, and other potentially dangerous sign-in events.
Just In Time Privileges
We have already talked about limiting the roles M365 admins can perform, and the scope upon which they can perform them. But controlling the duration is just as vital. Here CIS suggests using “Just In Time privileged access to Microsoft 365 roles.”
The idea sounds simple, but can be a bear to implement. IT should “allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Microsoft 365 roles and instead make them eligible, through a JIT activation workflow,” CIS advises. “Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD and Microsoft 365. Organizations can give users just-in-time (JIT) privileged access to roles. There is a need for oversight for what those users are doing with their administrator privileges.”
Just in Time privileges are far easier said than done. “Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to re authenticate to enable role access,” CIS said.
Getting to Just In Time Privileged Access
Fortunately, just-in-time privileged access to Microsoft 365 roles is something CoreView is really good at. CoreView can automatically elevate, through a workflow, a user into Microsoft roles like Global Admin or Exchange Admin for a set period of time. Microsoft's own mechanism for this is Privileged Identity Management (PIM), which makes users eligible for a role and requires activation with a justification, MFA and optionally an approver, as CIS describes; the simpler native alternative is a time-bound active role assignment with an end date.
CoreView Just in Time roles are a lot more granular. IT can execute a workflow saying, “IT security director, I need the ability to reset passwords for the ABC department because we’re rolling out the OneDrive sync client, and I need it for the next 37 minutes.” IT will approve or disapprove, and if they say yes, the requestor will have the ability just to do those functions, just for that group, just for that time period. It’s a lot more granular, it’s a lot more secure.
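For comparison, here is the native PIM version of the JIT control CIS describes: find standing Global Administrator assignments, convert them to eligible ones, and show an eligible admin activating for a bounded window with a written reason. This is an added example for this guide, not CoreView's workflow. It assumes Entra ID P2 (PIM), the Microsoft Graph PowerShell SDK (v2), a placeholder break-glass id that is deliberately left permanent, and, for step 3, that the signed-in user is the one activating (selfActivate cannot be done on someone else's behalf). The role template id for Global Administrator is the well-known value; the ticket number is made up.

```powershell
# Added example, not CoreView code. Assumes Entra ID P2 (PIM), the Microsoft Graph
# PowerShell SDK (v2), and a placeholder break-glass id that stays a permanent member.
$scopes = @('RoleManagement.ReadWrite.Directory',
            'RoleEligibilitySchedule.ReadWrite.Directory',
            'RoleAssignmentSchedule.ReadWrite.Directory')
Connect-MgGraph -Scopes $scopes -NoWelcome

$gaRole       = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template id
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: keep this one permanent
$nowUtc       = (Get-Date).ToUniversalTime().ToString('o')

# --- 1. Standing (active, never-expiring) Global Admin assignments -------------------------
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$gaRole'" -All |
    Where-Object {
        $_.AssignmentType -eq 'Assigned' -and
        $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' -and
        $_.PrincipalId -ne $breakGlassId
    }

# --- 2. Make each one eligible instead, then remove the standing assignment -----------------
foreach ($a in $permanent) {
    $eligible = @{
        action           = 'adminAssign'
        justification    = 'CIS JIT control: convert standing Global Admin to PIM-eligible'
        roleDefinitionId = $gaRole
        directoryScopeId = '/'
        principalId      = $a.PrincipalId
        scheduleInfo     = @{
            startDateTime = $nowUtc
            expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # eligibility re-attested yearly
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible | Out-Null

    $remove = @{
        action           = 'adminRemove'
        justification    = 'Replaced by eligible assignment'
        roleDefinitionId = $gaRole
        directoryScopeId = '/'
        principalId      = $a.PrincipalId
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $remove | Out-Null
}

# --- 3. Day to day: an eligible admin activates for one hour with a reason on record ---------
$me = Get-MgUser -UserId (Get-MgContext).Account -Property Id
$activate = @{
    action           = 'selfActivate'
    principalId      = $me.Id
    roleDefinitionId = $gaRole
    directoryScopeId = '/'
    justification    = 'Ticket 4711: change tenant-wide SharePoint external sharing setting'
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }   # 'PT37M' works just as well
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
$req.Status   # 'Provisioned' once active; 'PendingApproval' if the role setting requires an approver
```

Whether activation demands MFA, a justification, or an approver, and how long it may last, is set per role in PIM's role settings, not in the request; the request is rejected if it asks for more than the setting allows. Run step 2 only after confirming the break-glass account really is excluded, because removing the last standing Global Administrator while your own eligible assignment is not yet provisioned is a self-inflicted lockout.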
- Ensure Third Party Integrated Applications Are Not Allowed
- Ensure Calendar Details Sharing With External Users Is Disabled
- Ensure O365 ATP SafeLinks for Office Applications Is Enabled
- Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams Is Enabled
Controlling Third Party Apps
Third party apps can be a major security threat and management issue – and thus should be controlled. Fortunately, CoreView’s audit function shows third party apps – and is a great place to take a monthly look to see what applications have been authorized that leverage your Azure Active Directory.
CIS's “not allowed” means that end users should not be able to consent to third-party applications on their own; blocking third-party apps outright is rarely practical. What you can do is limit who has the right to grant consent, and make them go through an approval process to authorize a specific application, versus giving that person the role and letting them authorize anything.
In the Microsoft model, granting tenant-wide consent to a third-party app requires a role such as Application Administrator, Cloud Application Administrator or Global Administrator, all of which carry far more privilege than approving a single app needs. With those roles, the holder can authorize any third-party app to access Azure AD and the data behind it.
CoreView has a safer way that involves fewer permissions — and a touch of automation. With a CoreView defined role, you can request access to third party apps, which initiates a workflow authorizing a specific app. CoreView then runs a report showing that that is the app you authorized. That is a much more secure way to implement that type of third-party app control.
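The native pieces of that picture, as an added example for this guide (not CoreView's code): turn off end-user consent (the CIS control itself), enable the admin consent request workflow so users ask and named reviewers approve one specific app, and pull the list of third-party apps that already hold delegated grants for the monthly review. It assumes the Microsoft Graph PowerShell SDK (v2), a Global Administrator for the two policy changes, and placeholder reviewer object ids.

```powershell
# Added example, not CoreView code. Assumes the Microsoft Graph PowerShell SDK (v2),
# a Global Administrator for the policy changes, and placeholder reviewer ids.
$scopes = @('Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest',
            'Application.Read.All', 'Directory.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome
$reviewerIds = @('00000000-0000-0000-0000-000000000000')   # placeholder: approvers' object ids

# --- 1. The CIS control: users may not consent to third-party apps on their own -----------
# Current grant policy ('ManagePermissionGrantsForSelf.microsoft-user-default-legacy' = any app)
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
# An empty list disables user consent entirely; only admins can grant from now on
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# --- 2. The approval route: users request, named reviewers approve one specific app --------
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @($reviewerIds | ForEach-Object { @{ query = "/users/$_"; queryType = 'MicrosoftGraph' } })
}

# --- 3. Monthly review: third-party apps already granted access, and what they hold --------
$tenantId   = (Get-MgContext).TenantId
$thirdParty = Get-MgServicePrincipal -All -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" |
    Where-Object { $_.AppOwnerOrganizationId -ne $tenantId }   # skip apps registered in this tenant

$review = foreach ($sp in $thirdParty) {
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            Publisher   = $sp.PublisherName
            ConsentType = $g.ConsentType   # 'AllPrincipals' = admin consent on behalf of everyone
            Scopes      = $g.Scope         # e.g. 'Mail.Read Files.ReadWrite.All' deserves a second look
        }
    }
}
$review | Sort-Object App | Format-Table -AutoSize
```

Step 3 lists delegated (on-behalf-of-user) grants; application permissions granted to a service principal show up under Get-MgServicePrincipalAppRoleAssignment instead and are the more dangerous kind, since they work without any user present. Apps whose grants nobody can explain are candidates for revocation, not just a note in the report.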
Inventory of Admins and Privileges
CIS advises M365 shops to maintain an inventory of all administrative accounts. It further suggests using “automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.”
CoreView takes care of this with a simple, actionable report.
Password Expiration – A New Best Practice
CIS password guidelines may come as a shock to IT old timers used to forcing users to change passwords regularly – all in the name of purported safety. The new CIS approach is to “ensure that Microsoft 365 passwords are not set to expire.”
CIS is joining Microsoft and NIST in making this change. “NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure,” CIS explained. “Other recommendations within this Benchmark suggest the use of MFA for critical accounts (at minimum), which makes password expiration even less useful, as well as password protection for Azure AD.”
In the case of a risk event, CoreView can protect the password through a reset and at the same time strengthen authentication by enforcing MFA measures.
CoreView reports show who has non-expiring passwords, which as mentioned is now a good thing under the new guidance. Former best practice was to expire passwords every few months (30 to 90 days was typical) while also requiring complexity: uppercase, lowercase, digits and symbols.
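The setting behind the control is the domain password validity period, not a per-user flag. The following added example (not CoreView's code) checks and sets it for every verified domain, then lists the users who carried the old per-user "password never expires" override, which is the report described above done by hand. It assumes the Microsoft Graph PowerShell SDK (v2) and a Domain Name Administrator or higher.

```powershell
# Added example, not CoreView code. Assumes the Microsoft Graph PowerShell SDK (v2)
# and a Domain Name Administrator (or higher) signed in.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.Read.All' -NoWelcome

$neverExpires = 2147483647   # the Graph sentinel value for 'passwords never expire'

# Domain-level policy: this is the setting the CIS control is checking
foreach ($d in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    if ($d.PasswordValidityPeriodInDays -eq $neverExpires) {
        "$($d.Id): already set to never expire"
        continue
    }
    "$($d.Id): expires every $($d.PasswordValidityPeriodInDays) days -> setting never expire"
    Update-MgDomain -DomainId $d.Id -PasswordValidityPeriodInDays $neverExpires -PasswordNotificationWindowInDays 14
}

# Per-user overrides: DisablePasswordExpiration is the legacy 'password never expires' flag.
# After the domain change it is redundant for cloud-only users, but the list shows who had
# been exempted from the old rotation rule (service accounts are the usual finds), and those
# are the accounts to check for MFA exceptions next.
Get-MgUser -All -Property Id, UserPrincipalName, PasswordPolicies, OnPremisesSyncEnabled |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, PasswordPolicies
```

For hybrid tenants the cloud validity period does not govern synced users: their expiry follows the on-premises Active Directory policy unless the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature has been turned on, so the on-premises policy needs the same change.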
So what else does CIS say IT should do if there is a risk event? Enable risk-based multi-factor authentication, and identify explicitly who needs this action taken. If IT finds a user at risk, they make that person reauthenticate. “CoreView takes this a step further through workflow. CoreView can wipe the user sessions. In other words, make the user log out of every application. Because a token is good for eight hours by default, is IT just going to allow that person to keep pounding on it for eight hours?” Smith asked. “No, IT will log them out right now, because they showed up on a high-risk report. IT will block the account and notify IT security and the help desk that before they reenable that account to do steps A, B and C. This could all be because that user showed up on an impossible travel report or a malware or device report.”
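The containment sequence just described, as an added example for this guide rather than CoreView's workflow: take the users Identity Protection currently rates high risk, capture the detections that put them there, revoke their sessions, disable the account, and produce the hand-off record for SecOps and the help desk. It assumes Entra ID P2 (Identity Protection), the Microsoft Graph PowerShell SDK (v2), and a placeholder break-glass id; how the notification is delivered is left to your ticketing system.

```powershell
# Added example, not CoreView code. Assumes Entra ID P2 (Identity Protection), the
# Microsoft Graph PowerShell SDK (v2), and a placeholder break-glass id.
$scopes = @('IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All', 'User.ReadWrite.All')
Connect-MgGraph -Scopes $scopes -NoWelcome
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # never auto-disable emergency accounts

# Users Identity Protection currently rates high risk (impossible travel, leaked credentials, ...)
$atRisk = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All

$actions = foreach ($u in $atRisk) {
    if ($u.Id -eq $breakGlassId) { continue }

    # Which detections put them here? Goes in the ticket so the help desk knows what to ask.
    $why = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Sort-Object DetectedDateTime -Descending | Select-Object -First 3 |
        ForEach-Object { "$($_.RiskEventType)@$($_.DetectedDateTime.ToString('u'))" }

    # 1. Kill every session: invalidates refresh tokens and browser session cookies
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    # 2. Block sign-in until someone has spoken to the user and reset the password
    Update-MgUser -UserId $u.Id -AccountEnabled:$false

    [pscustomobject]@{
        User       = $u.UserPrincipalName
        RiskDetail = $u.RiskDetail
        Detections = $why -join '; '
        Action     = 'sessions revoked; account disabled'
        Timestamp  = (Get-Date).ToUniversalTime().ToString('u')
    }
}

$actions | Format-Table -AutoSize
# Hand-off: $actions is the record for SecOps and the help desk. Re-enable only after the
# password reset, an MFA re-registration check, and a look for new inbox rules.
```

One caveat on "log them out right now": revoking sessions invalidates refresh tokens, so no new access tokens can be obtained, but access tokens already issued stay valid until they expire (roughly an hour by default) unless the workload honors continuous access evaluation, as Exchange Online, SharePoint Online and Teams do. Once the account is remediated, clear the risk state with Invoke-MgDismissRiskyUser so the user does not keep tripping the user risk policy.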
- Ensure the Customer Lockbox Feature Is Enabled
- Ensure SharePoint Online Data Classification Policies Are Set Up and Used
- Ensure External Domains Are Not Allowed in Skype or Teams
- Ensure DLP Policies Are Enabled
- Ensure DLP policies are enabled for Microsoft Teams
- Ensure That External Users Cannot Share Files, Folders, and Sites They Do Not Own
- Ensure External File Sharing in Teams Is Enabled for Only Approved Cloud Storage Services
- Ensure That Cloud App Security Is Enabled
CIS Data Management guidelines revolve mainly around Data Loss Prevention (DLP) and controlling data sharing and leakage.
One key CIS control is to “ensure DLP policies are enabled.”
Some DLP actions are built into M365, while deeper protections are provided by CoreView. “Enabling Data Loss Prevention (DLP) policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords,” CIS argued. “Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.”
Teams is a special CIS concern. “Enabling Data Loss Prevention (DLP) policies for Microsoft Teams, blocks sensitive content when shared in teams or channels. Content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.”
CoreView has built-in reports that easily identify potential access issues to e-mail accounts and file-sharing folders, minimizing your data leakage risks.
Our reports include:
- User permissions to shared OneDrive files and folders;
- Delegation access to e-mail accounts;
- Notification of e-mail accounts with auto-forwarding enabled (especially when forwarding outside the company);
- Views of all inactive e-mail accounts;
- Reports for e-mail accounts placed on hold for litigation purposes;
- Views of all e-mail distribution lists.
CoreView provides activity log file auditing capabilities that allow you to search for specific issues, plus instant event notifications sent to an administrator if the wrong person accesses or modifies a file in SharePoint or OneDrive.
External Users and External Sharing
A huge source of data leakage comes from users sharing files. Here CIS advises IT to “ensure that external users cannot share files, folders, and sites they do not own.”
SharePoint, as an enterprise document repository, is a critical concern. “SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party,” CIS said. “Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information.”
The impact depends on the behaviors of users in your environment, CIS advises. “Impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to ‘re-share’ content.”
With native alerting alone, intercepting the sharing of sensitive and confidential files is hard to do at scale. IT can create alerts on a per-file or per-user basis and notify IT or a group of users, but this does not scale: IT already receives thousands of alerts per day, and these become more noise in an already loud environment.
CoreView has a better way to stop dangerous external data sharing. In a CoreView world, when a user from the sales department, for instance (CoreView’s enriched audit log can identify users by location or department), shares a file with an external user, a workflow starts. It notifies the user sharing the file, their manager, and the external user that the activity has been logged and that any further activity on the file will be audited. IT is not even involved: responsibility is shared among all the actors involved, and security improves.
OneDrive being shared with external users is a particular pain point and security threat, and is something CoreView easily addresses.
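The tenant-level settings behind the CIS sharing controls above, including the re-sharing restriction, as an added example for this guide (not CoreView's workflow). It assumes the SharePoint Online Management Shell, a SharePoint Administrator, and a placeholder admin-center URL; the 60-day guest expiry is a chosen value, not a CIS number.

```powershell
# Added example, not CoreView code. Assumes the SharePoint Online Management Shell and a
# placeholder admin-center URL.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Where the tenant stands today
$t = Get-SPOTenant
$t | Select-Object SharingCapability, OneDriveSharingCapability, PreventExternalUsersFromResharing,
    DefaultSharingLinkType, RequireAcceptingAccountMatchInvitedAccount,
    ExternalUserExpirationRequired, ExternalUserExpireInDays

# CIS: external users cannot re-share content they do not own
if (-not $t.PreventExternalUsersFromResharing) {
    Set-SPOTenant -PreventExternalUsersFromResharing $true
}

# 'Anyone' links carry no identity and leave nothing to audit; cap at authenticated guests
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly
}

# New links default to specific people, not the whole organization or anonymous
Set-SPOTenant -DefaultSharingLinkType Direct

# Invitations can only be redeemed by the invited identity (stops forwarded invitations)
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

# Guest access expires on its own, so stale external access falls off without a manual review
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# Sites still more open than the tenant default allows (site settings can only be stricter)
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

Tenant settings are the ceiling; individual sites and OneDrives can be configured more restrictively but never more permissively, which is why the final query is worth running after any tenant-level change to see which sites were relying on the old, looser default.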
Data Management – SharePoint Data Classification Policies
CIS has a guideline to ensure SharePoint Online data classification policies are set up and used. Here, IT should inventory what it has before setting the security controls. NIST guidance says the same thing: the Cybersecurity Framework's Identify function starts with inventorying and classifying your information assets.
Most IT pros know SharePoint is the file repository for most of Microsoft 365. It’s the document libraries, OneDrive, and the libraries that hold the files from Teams. All this is in SharePoint Online.
IT should look for patterns for data that needs extra protection like Personally Identifiable Information (PII) or financial information such as credit card numbers and Social Security numbers. IT can put in its own criteria for what they consider sensitive information. As a result of the scan, CoreView will tag that information with additional metadata, which makes your SharePoint search work the way it should.
It also allows IT to tag those items with sensitivity labels, which can apply encryption within the Microsoft platform. Not only can IT set up data classification policies and apply them to certain assets, it can scan them to assist with classification, and then go back and recertify that the classification has been applied.
The same thing applies to DLP policies. In the native compliance portal, DLP policies are defined centrally and scoped by location (Exchange, SharePoint, OneDrive, Teams, and optionally specific sites, groups or users). CoreView does not set DLP policies; however, it has reports that show which DLP policies are firing, for whom, and on what objects.
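Here is what the CIS “ensure DLP policies are enabled” control looks like when implemented natively for the two data types named above, covering all four workloads and starting in test mode so the match rate can be reviewed before anything is blocked. This is an added example for this guide, not CoreView's code or a CIS script; it assumes the ExchangeOnlineManagement module (Connect-IPPSSession reaches the Purview compliance endpoint), Compliance Administrator rights, and made-up policy and rule names.

```powershell
# Added example, not CoreView code. Assumes the ExchangeOnlineManagement module and
# Compliance Administrator rights; policy and rule names are placeholders.
Connect-IPPSSession

$policyName = 'CIS - Regulated data (PII and payment)'

# Policy = scope. All four workloads the text lists; test mode reports and shows policy
# tips but blocks nothing until the match rate has been reviewed.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $policy = @{
        Name               = $policyName
        Comment            = 'CIS Microsoft 365 Foundations: DLP policies enabled'
        ExchangeLocation   = 'All'
        SharePointLocation = 'All'
        OneDriveLocation   = 'All'
        TeamsLocation      = 'All'
        Mode               = 'TestWithNotifications'   # switch to 'Enable' after tuning
    }
    New-DlpCompliancePolicy @policy
}

# Rule = what to match and what to do. Built-in sensitive information types; the rule
# only fires when the item is shared or sent outside the organization.
$rule = @{
    Name                                = "$policyName - block external"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @(
        @{ Name = 'Credit Card Number';                minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    )
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    BlockAccessScope                    = 'All'
    NotifyUser                          = @('LastModifier', 'Owner')
    NotifyPolicyTipCustomText           = 'This item contains regulated data and cannot be shared outside the organization.'
    GenerateIncidentReport              = 'SiteAdmin'
    IncidentReportContent               = @('Title', 'DocumentAuthor', 'Severity', 'Detections')
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @rule

# Evidence for the auditor: the policy, its mode, its locations and its rules
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, Disabled
```

The policy does not have to be tenant-wide: replace 'All' with specific site URLs in SharePointLocation, or use ExchangeSenderMemberOf to limit the Exchange scope to a distribution group, to pilot with one department first. Leave the policy in test mode until the incident reports show an acceptable false-positive rate; a blocking DLP rule that misfires on finance's own spreadsheets gets disabled within the week.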
Email Security/Exchange Online
- Ensure the Client Rules Forwarding Block Is Enabled
- Ensure Basic Authentication for Exchange Online Is Disabled
- Ensure That DKIM Is Enabled for All Exchange Online Domains
- Ensure That SPF Records Are Published for All Exchange Domains
- Ensure DMARC Records for All Exchange Online Domains Are Published
- Ensure Notifications for Internal Users Sending Malware Is Enabled
- Ensure MailTips Are Enabled for End Users
Email is the easiest route to data leakage and dangerous file and information sharing. For instance, a user may mail confidential data to another person. But automatic forwarding can be just as dangerous. “You should disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment,” CIS said. “Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization.”
Blocking Mail Transport Rules to External Domains
CIS has strict guidance around Exchange security. Here there are many protections that are not turned on by the native Microsoft 365 Admin Center by default.
For example, blocking mail transport rules that forward to external domains is not on by default. In some exceedingly rare cases IT has transport rules that allow forwarding. Most organizations allow Outlook to do that, but not at the transport level. CIS has a control that ensures the client rules forwarding block is enabled.
CoreView has a report that shows people who are forwarding to external domains, which allows IT to validate that this control is in place.
Blocking forwarding at the transport level is set in the Microsoft 365 admin portal. This isn’t a control that CoreView sets, but we will validate that it’s in place and that it’s effective and that nobody has found a way around it.
Phishing is an obvious and egregious security problem. CoreView is not an anti-phishing tool per se. CoreView kicks in when a phishing attack has somehow made it through IT’s defenses. In this case, IT can use CoreView to do a forensic audit.
First of all, you can do an extremely fast message trace to find out who received those messages. The CoreView message trace takes seconds, not hours like with the native Microsoft platform.
Then IT can drill into every single action that user took if they clicked on the bad phishing link.
Email Forwarding of Phishing
If a phishing email is sent to Exchange, and then forwarded externally to Gmail, CoreView can still help. CoreView can tell precisely when a client forwarding rule is enabled, and the scope of all the messages that were forwarded, so IT knows what their exposure is to that platform.
Stop the Sending of Malware
Malware is bad enough when one user gets it – way worse when it winds its way through your email system. Here CIS suggests that IT “ensure notifications for internal users sending malware is enabled.”
This approach requires IT to “setup the EOP malware filter to notify administrators if internal senders are blocked for sending malware. This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise, that would need to be investigated,” CIS indicated.
CoreView malware mitigation goes far further. Despite best efforts, malware routinely gets through antivirus/anti-malware defenses, especially zero-day attacks – and spreads like wildfire.
Luckily, there is an answer. “CoreView addresses those issues by providing auditing tools for cloud operations. Any anti-virus software in the world can show there is malware on a particular device. CoreView shows you every single file accessed, and every single action taken by an administrator or a user since they had a security event on one of their devices. That is how we prevent malware like ransomware from going on, and on, and on, and on – spreading throughout the organization. We proactively see and report on what was touched and then do a deeper dive analysis on those actions,” said CoreView’s Smith. “No antivirus or end point protection tools do this.”
By speeding up security audits and performing more efficient forensic analysis, IT quickly closes any security issues when they are identified. And these issues are out there. The KnockKnock and ShurL0ckr attacks that focus on Microsoft 365 have been active since May 2017 – and are still running – along with newer M365-specific malware exploits. Finding the audit trail to identify these types of attacks is extremely difficult, and requires assistance from specialized tools that have powerful security auditing and analysis capabilities – like those offered by CoreView.
- Ensure Microsoft 365 Audit Log Search Is Enabled
- Ensure Mailbox Auditing for All Users Is Enabled
- Ensure the Azure AD ‘Risky Sign-ins’ Report Is Reviewed at Least Weekly
- Ensure the Application Usage Report Is Reviewed at Least Weekly
- Ensure the Self-service Password Reset Activity Report Is Reviewed at Least Weekly
- Ensure User Role Group Changes Are Reviewed at Least Weekly
- Ensure Mail Forwarding Rules Are Reviewed at Least Weekly
- Ensure the Mailbox Access by Non-owners Report Is Reviewed at Least Biweekly
- Ensure the Malware Detections Report Is Reviewed at Least Weekly
- Ensure the Account Provisioning Activity Report Is Reviewed at Least Weekly
- Ensure Non-global Administrator Role Group Assignments Are Reviewed at Least Weekly
- Ensure Guest Users Are Reviewed at Least Biweekly
Auditing M365 is critical for security, tracking user behavior, and making sure admins are doing a proper job. For all these reasons, CIS advises IT to “ensure Microsoft 365 audit log search is enabled.”
But not all IT pros know that auditing is not set up by default – but must actually be turned on. “When audit log search in the Microsoft 365 Security & Compliance Center is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. Enabling Microsoft 365 audit log search helps Microsoft 365 back office teams to investigate activities for regular security operational or forensic purposes,” CIS said.
With CoreView, IT can produce an audit log in seconds for every administrative action taken in Microsoft 365 since the platform was initiated. This is not the case with the native M365 Admin Center. Ask yourself, if a bank teller has a transaction log of every deposit and withdrawal, why don’t you have this for M365?
Real-time monitoring and alerts for security compliance issues is the engine that drives much of the data that forms the logs. Smart IT shops now enable real-time monitoring and alerts for potential security compliance issues in their Microsoft 365 environment.
One enterprise organization, based in the northeastern US, reported that CoreView saved their IT team over 1,000 hours last year when researching and analyzing security related incidents.
CoreView saves Microsoft 365 audit logs for a minimum of one year, and does so securely. CoreView enables not just mailbox auditing in Exchange Online, but auditing for all the major M365 workloads, including Azure AD, PowerBI, SharePoint, OneDrive, etc. With CoreView, data retention is for one year by default for all these workloads.
Auditing mailboxes is another CIS must-do, and here the organization says IT should “ensure mailbox auditing for all users is enabled.” This has numerous advantages. “By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default,” CIS said. “Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows for Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.”
As you may have guessed, CoreView provides deep mailbox auditing with long-term data retention.
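To show what “an audit log of every administrative action” and “every single action that user took” look like once audit logging is enabled, here is an added Python example (not CoreView's or Microsoft's code) that triages constructed records shaped like unified-audit-log entries. It summarises watched admin operations per actor, lists mailbox access by non-owners (the biweekly review item above), and rebuilds one account's timeline across workloads. The record contents and the watch-list of operations are constructed assumptions; the field names follow those unified-audit-log entries use.

```python
"""Triage constructed Microsoft 365 unified-audit-log records.

Added example; not CoreView's or Microsoft's code. The records imitate the
field names of unified audit log entries (CreationTime, Workload, Operation,
UserId, ObjectId, LogonType, MailboxOwnerUPN) but are constructed, and the
watch-list of operations is an assumption made for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Operations a reviewer would want surfaced weekly (assumed watch-list).
WATCHED_OPERATIONS = {
    "New-InboxRule", "Set-InboxRule", "Set-Mailbox",   # forwarding and mailbox config
    "Add-MailboxPermission",                           # non-owner access granted
    "Add member to role.", "Add member to group.",     # privilege changes (Azure AD)
}
# Mailbox-audit LogonType values: 0 owner, 1 admin, 2 delegate.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}

# Constructed sample records (TEST-NET addresses, made-up tenant contoso.example).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T08:02:11", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "j.doe@contoso.example", "ObjectId": "j.doe@contoso.example\\Keep copy",
     "ClientIP": "203.0.113.7", "Parameters": [{"Name": "ForwardTo", "Value": "ext@gmail.example"}]},
    {"CreationTime": "2024-03-04T08:10:45", "Workload": "Exchange", "Operation": "Add-MailboxPermission",
     "UserId": "admin@contoso.example", "ObjectId": "ceo@contoso.example",
     "Parameters": [{"Name": "User", "Value": "j.doe@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2024-03-04T08:12:03", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "j.doe@contoso.example", "MailboxOwnerUPN": "ceo@contoso.example", "LogonType": 2},
    {"CreationTime": "2024-03-04T08:30:00", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "ceo@contoso.example", "MailboxOwnerUPN": "ceo@contoso.example", "LogonType": 0},
    {"CreationTime": "2024-03-04T09:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "admin@contoso.example",
     "ObjectId": "j.doe@contoso.example"},
    {"CreationTime": "2024-03-04T09:05:00", "Workload": "SharePoint", "Operation": "FileAccessed",
     "UserId": "a.lee@contoso.example", "ObjectId": "https://contoso.example/sites/fin/Q1.xlsx"},
]


def admin_action_summary(records) -> Dict[str, Dict[str, int]]:
    """Count watched operations per acting user (the weekly role/rule review)."""
    summary = defaultdict(Counter)
    for r in records:
        if r["Operation"] in WATCHED_OPERATIONS:
            summary[r["UserId"]][r["Operation"]] += 1
    return {user: dict(c) for user, c in summary.items()}


def non_owner_mailbox_access(records) -> List[Tuple[str, str, str, str]]:
    """Mailbox-audit events where the actor is an admin or delegate, not the owner."""
    out = []
    for r in records:
        logon = r.get("LogonType")
        if r.get("Workload") == "Exchange" and logon in (1, 2):
            out.append((r["MailboxOwnerUPN"], r["UserId"], LOGON_TYPES[logon], r["Operation"]))
    return out


def actor_timeline(records, user: str) -> List[Tuple[str, str, str, str]]:
    """Everything one account did, oldest first, across all workloads."""
    rows = [(r["CreationTime"], r["Workload"], r["Operation"],
             r.get("ObjectId") or r.get("MailboxOwnerUPN", ""))
            for r in records if r["UserId"] == user]
    return sorted(rows)


if __name__ == "__main__":
    print(admin_action_summary(SAMPLE_RECORDS))
    print(non_owner_mailbox_access(SAMPLE_RECORDS))
    for row in actor_timeline(SAMPLE_RECORDS, "j.doe@contoso.example"):
        print(*row)
```

Read together, the three views tell the story the page describes: an admin grants j.doe full access to the CEO's mailbox and a role, j.doe creates an external forwarding rule and then reads the CEO's mail as a delegate. None of that is visible if audit log search and mailbox auditing were never switched on.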
Risky Sign-In Reports
We talked about tracking risky sign-ins. That means nothing if IT isn’t reading and acting upon these reports, which is why CIS advises IT to “ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly.”
With this information, IT knows where the threat lies, and what holes to close. “This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
- successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords
- signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network)
- successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions,” CIS said. “Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.”
CoreView sign-ins reports go far deeper than the native M365 Admin Center.
Here Are Suspicious Sign-Ins Tracked by CoreView:
Sign-Ins from Infected Devices
This report showcases the account logins that were performed from infected devices that are now part of a botnet. We correlate IP addresses of user sign-ins against IP addresses that are known to be in contact with botnet servers. These are important for quickly identifying users infected with malware or other infestations that need immediate remediation. These reports are completely customizable.
Sign-Ins from IP Addresses with Suspicious Activity
This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity in this case is defined as an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.
Sign-Ins from Multiple Geographies
This report includes successful sign-ins for the same account where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the time difference between the sign-ins to provide more details to the administrator so they can determine whether it was possible for the user to have traveled between those regions.
Impossible Travel Sign-Ins
These types of questionable sign-ins are identified based on an “impossible travel” condition combined with an anomalous sign-in location and device. This means that a successful sign-in occurs from a single account over multiple geographic locations in overlapping time sequences. This may indicate that a hacker has successfully signed in using this account.
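The risk conditions CIS and the report descriptions above spell out (sign-ins from IP addresses with an unusually high failure ratio, and “impossible travel” between regions) can be written down as detection logic. The following Python is an added example, not CoreView's or Microsoft's code: it runs over constructed, geolocated sign-in events (TEST-NET addresses, made-up users) and flags consecutive successful sign-ins for one account whose implied travel speed exceeds an assumed 900 km/h, plus source IPs whose failure ratio reaches an assumed 80% over at least ten attempts. Both thresholds are assumptions to be tuned per tenant.

```python
"""Detect impossible-travel sign-ins and suspicious source IPs from sign-in events.

Added example, not CoreView's or Microsoft's code. The events (already
geolocated) are constructed; the speed, distance and failure-ratio thresholds
are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass
class SignIn:
    user: str
    when: datetime          # timezone-aware, UTC
    ip: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events: List[SignIn], max_speed_kmh: float = 900.0,
                      min_distance_km: float = 100.0) -> List[Tuple]:
    """Flag consecutive successful sign-ins per user that imply an impossible speed.

    Returns (user, earlier, later, km, km/h). Short hops are ignored because
    geo-IP placement jitters within a region.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.success:
            by_user[e.user].append(e)
    findings = []
    for user, seq in by_user.items():
        seq.sort(key=lambda e: e.when)
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_distance_km:
                continue
            hours = (b.when - a.when).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append((user, a, b, round(km), round(speed)))
    return findings


def suspicious_ips(events: List[SignIn], min_attempts: int = 10,
                   max_fail_ratio: float = 0.8) -> Dict[str, float]:
    """IPs whose failed:total sign-in ratio is high enough to suggest credential attacks."""
    stats = defaultdict(lambda: [0, 0])   # ip -> [failures, total]
    for e in events:
        stats[e.ip][1] += 1
        if not e.success:
            stats[e.ip][0] += 1
    return {ip: fails / total for ip, (fails, total) in stats.items()
            if total >= min_attempts and fails / total >= max_fail_ratio}


def _ev(user, ts, ip, lat, lon, ok) -> SignIn:
    return SignIn(user, datetime.fromisoformat(ts), ip, lat, lon, ok)


# Constructed sample: approximate coordinates for New York, Berlin and London.
NYC, BER, LON = (40.71, -74.01), (52.52, 13.40), (51.51, -0.13)
SAMPLE_EVENTS = [
    _ev("alice", "2024-03-04T09:00:00+00:00", "198.51.100.20", *NYC, True),
    _ev("alice", "2024-03-04T09:45:00+00:00", "203.0.113.77", *BER, True),   # 45 min later, ~6,400 km away
    _ev("bob", "2024-03-04T08:00:00+00:00", "198.51.100.21", *LON, True),
    _ev("bob", "2024-03-04T18:00:00+00:00", "198.51.100.22", *NYC, True),    # 10 h later: a normal flight
] + [
    _ev(f"user{i}", f"2024-03-04T02:{i:02d}:00+00:00", "203.0.113.9", *BER, False)
    for i in range(12)                                                        # spray of failures
] + [_ev("carol", "2024-03-04T07:30:00+00:00", "203.0.113.9", *BER, True)]    # one success from same IP


def run_sample():
    """Return (users with impossible travel, suspicious IPs) for the sample."""
    return ({f[0] for f in impossible_travel(SAMPLE_EVENTS)}, sorted(suspicious_ips(SAMPLE_EVENTS)))


if __name__ == "__main__":
    for user, a, b, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {a.ip} -> {b.ip}, {km} km in {(b.when - a.when)}, ~{kmh} km/h")
    print(suspicious_ips(SAMPLE_EVENTS))
```

Only alice is flagged for travel; bob's London-to-New York hop at roughly 560 km/h is a plausible flight. The single successful sign-in from 203.0.113.9 after twelve failures is exactly the “signed in after multiple failures” pattern CIS describes, and the IP ratio check surfaces it without needing any geolocation.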
Review Email Forwarding Rules Regularly
Ensuring that users comply with email rules is critical to M365 security, and CIS suggests that IT make sure their mail forwarding to external domain rules are reviewed at least once a week.
“While there are lots of legitimate uses of mail forwarding rules, they are also a popular data exfiltration tactic for attackers. You should review them regularly to ensure your users’ email is not being exfiltrated,” CIS said.
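A weekly review of forwarding rules, as the control above asks for, can be automated against an export of inbox rules. The Python below is an added example rather than CoreView's or Microsoft's code; the rule records, the `contoso.example` accepted domains and the severity scheme are constructed for illustration, while the field names (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, Enabled) follow those an Exchange Online inbox-rule export carries. It resolves each target to an SMTP domain, reports only rules that send mail off-tenant, and ranks a rule that also deletes the message highest, since that is the pattern that hides exfiltration from the mailbox owner.

```python
"""Review inbox forwarding rules against the tenant's own domains.

Added example; not CoreView's or Microsoft's code. The records mirror the
fields of an Exchange Online inbox-rule export, but the rules, the accepted
domains and the severity scheme are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List

ACCEPTED_DOMAINS = {"contoso.example", "mail.contoso.example"}   # constructed tenant domains

# Exported address values often look like 'Display Name [SMTP:user@domain]';
# the pattern also accepts a bare address.
ADDR_RE = re.compile(r"(?:SMTP:)?([\w.+-]+@[\w.-]+)", re.IGNORECASE)


def extract_addresses(value) -> List[str]:
    """Pull every SMTP address out of a string or list of strings."""
    if value is None:
        return []
    items = value if isinstance(value, (list, tuple)) else [value]
    found = []
    for item in items:
        found.extend(m.group(1).lower() for m in ADDR_RE.finditer(str(item)))
    return found


def is_external(address: str, accepted: Iterable[str]) -> bool:
    """True when the address's domain is not one the tenant owns."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in accepted}


def review_forwarding(rules: List[Dict], accepted=ACCEPTED_DOMAINS) -> List[Dict]:
    """Return one finding per rule that forwards or redirects mail off-tenant.

    Severity: 'high' when the rule also deletes the message (silent
    exfiltration), 'medium' for a plain external forward, 'info' for a
    disabled rule that is still present and could be re-enabled.
    """
    findings = []
    for r in rules:
        targets: List[str] = []
        for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets.extend(extract_addresses(r.get(field)))
        external = sorted({t for t in targets if is_external(t, accepted)})
        if not external:
            continue
        if not r.get("Enabled", True):
            severity = "info"
        elif r.get("DeleteMessage"):
            severity = "high"
        else:
            severity = "medium"
        findings.append({"mailbox": r["Mailbox"], "rule": r.get("Name", ""),
                         "external_targets": external, "severity": severity})
    return findings


# Constructed sample export.
SAMPLE_RULES = [
    {"Mailbox": "j.doe@contoso.example", "Name": "Keep copy at home", "Enabled": True,
     "ForwardTo": ["John Doe [SMTP:jdoe.personal@gmail.example]"], "DeleteMessage": False},
    {"Mailbox": "a.lee@contoso.example", "Name": ".", "Enabled": True,
     "ForwardAsAttachmentTo": ["SMTP:drop@attacker.example"], "DeleteMessage": True},
    {"Mailbox": "b.ng@contoso.example", "Name": "To finance", "Enabled": True,
     "RedirectTo": ["Finance [SMTP:finance@mail.contoso.example]"]},
    {"Mailbox": "c.ito@contoso.example", "Name": "Old vendor", "Enabled": False,
     "ForwardTo": ["vendor@partner.example"]},
]


def run_sample() -> Dict[str, str]:
    """Map each flagged mailbox to the severity of its forwarding finding."""
    return {f["mailbox"]: f["severity"] for f in review_forwarding(SAMPLE_RULES)}


if __name__ == "__main__":
    for f in review_forwarding(SAMPLE_RULES):
        print(f["severity"].upper(), f["mailbox"], repr(f["rule"]), "->", ", ".join(f["external_targets"]))
```

The internal redirect to the finance mailbox produces no finding, so the weekly list stays short enough to be read; the one-character rule name on the high-severity entry is another tell that deserves a closer look.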
Guest users are not just a boon for working with contractors and partners, but a threat to confidential data – especially if not tracked and managed correctly. CIS advises IT to review guest users data at least biweekly. “Guest users can be set up for those users not in your tenant to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant. Periodic review of guest users ensures proper access to resources in your tenant,” CIS said.
Your M365 admin staff should ensure the safety of guest or external users by:
- Crafting a governance plan that determines what guest or external users can do, data they can access, and what they can and cannot share
- Using Least Privilege Access to limit the rights of guest or external users
- Disabling anonymous sharing
- Applying Data Loss Prevention (DLP) policies to automatically discover dangerous information sharing
- Disabling or limiting external sharing of sensitive data
- Ensure Mobile Devices Are Set to Wipe on Multiple Sign-in Failures to Prevent Brute Force Compromise
- Ensure That Settings Are Enabled to Lock Devices After a Period of Inactivity to Prevent Unauthorized Access
- Ensure Mobile Device Management Policies Are Required for Email Profiles
Mobile Device Management
Mobile devices are a key way users access M365 and share data – and are just as much a danger as PCs and laptops. That is why CIS advises IT to “ensure mobile device management policies are set to require advanced security configurations to protect from basic Internet attacks.”
Securing mobile is too often neglected. “You should configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic Internet attacks, leading to potential breaches of accounts and data,” CIS said. “Managing mobile devices in your organization helps provide a basic level of security to protect against attacks from these platforms. For example, ensure that the device is up to date on patches or is not rooted. These configurations open those devices to vulnerabilities that are addressed in patched versions of the mobile OS.”
Mobile Password Expiration
Just like on PCs and laptops, ensure that users’ passwords on their mobile devices never expire. “While this is not the most intuitive recommendation, research has found that when periodic password resets are enforced, passwords become weaker as users tend to pick something weaker and then use a pattern of it for rotation. If a user creates a strong password: long, complex and without any pragmatic words present, it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason,” Microsoft explained.
Going Through the CIS Benchmarks is Time Well Spent
CoreView works with customers to boost M365 by complying with CIS controls and guidelines. It takes five or six hours’ worth of IT time for your organization to validate that you have the reports and processes in place. This work gives your shop a much better security posture, one that is ahead of your competition.
For forensics – and peace of mind – CoreView can produce an audit log of every single administrative action taken within the platform – and who did what precisely. You can schedule this report and send it to somebody in IT security outside of the administration group who can review all the administrative actions. This tends to drive far better end user behavior.
Check Your CIS Compliance and Know EVERYTHING About Your Tenant’s Security
Don’t fly blind when it comes to M365 security flaws. The Microsoft 365 Security Health Check provides insight no $500 an hour consultant can offer, including:
- The State of Multi-Factor Authentication and Password Safety
- Who Has Dangerous Privileges
- How Your Company’s Data Is Really Being Managed
- Email Security
- Audit Logs and Paths
- Where Security and Compliance Problems Lie
- And What To Do About It!
Sign up for your FREE Security Health Check here.