Posts

Showing posts from April, 2023

Application Permissions - Ensure Safe Links for Office Applications is Enabled

Summary
Enabling this policy permits URLs inside Office documents, and email opened by Office, Office Online and Office mobile applications, to be checked by Defender for Office time-of-click verification and rewritten if required.
Note: E5 licensing generally includes a number of Built-in Protection policies. While auditing whichever policy is being viewed, remember that CIS recommendations often extend the Default or Built-in policies provided by Microsoft. To pass, the highest-priority policy must match all of the recommended settings.
Reason
Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to the user.
What If?
The impact of this change on users is minor: users may experience a very short delay when clicking URLs in Office documents before being directed to the requested site, and in the event of an

Account/Authentication - Application Permissions - Ensure Calendar Details Sharing With External Users is Disabled

Summary
Users should not be allowed to share full details of their calendars with external users.
Reason
Since attackers study an organization before launching an attack, publicly available calendars can help them understand organizational relationships and determine when specific users may be more vulnerable to attack, such as when they are travelling.
What If?
As this functionality is not widely used, implementing this setting is unlikely to impact most users. However, users who rely on it may experience a minor inconvenience when scheduling meetings or synchronizing calendars with people outside the tenant.
How to?
To disable calendar details sharing with external users, use the Microsoft 365 Admin Center:
1. Select Admin centers and click to expand Settings.
2. Click Org settings.
3. Select Calendar.
4. Uncheck "Let your users share their calendars with people outside of your organization who have Office 365 or Exchange".

Application Permissions - Ensure Third Party Integrated Applications Are Not Allowed

Summary
Third-party integrated applications should not be allowed to connect to your services.
Reason
As stated above, third-party integrated applications should not be allowed to connect to your services unless there is a very clear value and you have robust security controls in place. Attackers can use breached accounts to grant third-party applications access and then exfiltrate data from your tenancy without needing to retain the breached account.
What If?
This change affects both end users and administrators. End users will not be able to integrate third-party applications they want to use, and administrators will likely receive requests from end users for permission to the necessary third-party applications.
How to?
To prohibit third-party integrated applications, use the Microsoft 365 Admin Center:
1. Select Admin centers and then Azure Active Directory.
2. Select Users from the Azure navigation pane.
3. Select User settings.
4. Set App registrations

Account/Authentication - Azure Active Directory - Ensure Administrative Accounts are Separate and Cloud-Only

Summary
Administrative accounts are special privileged accounts that can have varying levels of access to data, users and settings. In a hybrid environment, regular user accounts should not be used for administrative tasks, and care should be taken to keep administrative accounts separate from on-prem accounts. Applications are not assigned to administrative accounts, so that they have no access to potentially vulnerable services (for example, Teams, SharePoint, etc.) and can only perform the tasks required for administrative purposes.
Reason
Ensuring administrative accounts are cloud-only, with no applications assigned to them, reduces the attack surface of highly privileged identities in the environment. To participate in Microsoft 365 security services such as Identity Protection, PIM and Conditional Access, an administrative account requires a license attached to it. This license should not have any application with pot

Account/Authentication - Azure Active Directory - Ensure that Office 365 Passwords Are Not Set to Expire

Summary
Microsoft cloud-only accounts generally have a pre-defined password policy that cannot be changed. You can only change the number of days until a password expires and whether or not passwords expire at all.
Reason
Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgets it.
What If?
If passwords are set not to expire, other controls should be in place to supplement this setting. The following steps are recommended:
- Ban common passwords
- Educate users not to reuse organization passwords anywhere else
- Enforce MFA registration for all users
How to?
To set Office 365 passwords not to expire, use the Microsoft 365 Admin Center:
1. Expand Settings, then select the Org settings subcategory.
2. Click on Security & privacy.
3. Sele

Account/Authentication - Azure Active Directory - Ensure Modern Authentication for SharePoint Applications is Required

Summary
Modern authentication in Microsoft 365 enables authentication features like Multifactor Authentication (MFA) using smart cards, Certificate-based Authentication (CBA), and third-party SAML identity providers.
Reason
Authentication controls like MFA can be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures that strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.
What If?
If modern authentication for SharePoint is required, users will have to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior.
How to?
To set SharePoint settings, use the Microsoft 365 Admin Center:
1. Under Admin centers, select SharePoint.
2. Expand the Policies section, and then choose Access control.
3. Select Apps that don't use modern authentication.

Account/Authentication - Azure Active Directory - Ensure Modern Authentication for Exchange Online is Enabled

Summary
Modern authentication in Microsoft 365 enables authentication features like Multifactor Authentication (MFA) using smart cards, Certificate-based Authentication (CBA), and third-party SAML identity providers. Unless it is enabled in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes. Once these clients are configured for modern authentication, users authenticate with enhanced mechanisms such as MFA. Other Outlook clients available in Microsoft 365 (like Outlook Mobile and Outlook for Mac 2016) generally use modern authentication to log in to Microsoft 365 mailboxes.
Reason
Authentication controls like MFA can be circumvented if basic authentication is used by Exchange Online email clients such as Outlook 2016 and Outlook 2013. If modern authentication is enabled for Exchange Online, strong authentication mechanisms can be used whil

Account/Authentication - Azure Active Directory - Ensure the Option to Remain Signed-in is Hidden

Summary
The option "Stay signed in" or "Keep me signed in" is prompted after a successful login. When a user selects it, a persistent refresh token is created which generally lasts up to 90 days and does not prompt for sign-in or Multi-Factor Authentication.
Reason
If users are permitted to choose this option, it poses a risk, especially when a user signs into their account on a publicly accessible computer or web browser. This makes it easier for an unauthorized person to access any cloud data associated with that account.
What If?
Hiding this setting results in no "Stay signed in?" prompt during sign-in, which also means users will be forced to sign in more frequently.
Note: Some SharePoint Online and Office 2012 features have a dependency on users remaining signed in. If this option is hidden, users may get additional and unexpected sign-in prompts.
How to?
To verify the option to remain signed-in is disabled, use the Microsoft 365 Admi

Account/Authentication - Azure Active Directory - Ensure Sign-in Frequency is Enabled and Browser Sessions are not Persistent for Administrative Users

Summary
Forcing a timeout for MFA ensures that sessions are not kept alive indefinitely, which helps prevent drive-by attacks in web browsers and stops session cookies from being created and saved, leaving nothing for an attacker to take. Administrative roles this should apply to include:
- Global Administrator
- Billing Administrator
- Exchange Administrator
- SharePoint Administrator
- Password Administrator
- Skype for Business Administrator
- Service Support Administrator
- User Administrator
- Dynamics 365 Service Administrator
- Power BI Administrator
NOTE: The frequency at which MFA is prompted is determined by your organization's policy and need.
Reason
Making sure these additional controls are present for administrative users adds an extra layer of defense against drive-by attacks as well as some ransomware attacks.
What If?
Users with administrative roles will be prompted at the frequency set for MFA.
How to?
To e

Account/Authentication - Azure Active Directory - Ensure that LinkedIn Contact Synchronization is Disabled

Summary
Integration with LinkedIn should be disabled in order to prevent phishing scams.
Reason
Office 365 has always been a prime target for phishing scams, a subset of social engineering strategy that imitates a trusted source and concocts a seemingly logical scenario for handing over sensitive information. Social networking sites have made social engineering attacks easier to conduct. LinkedIn integration is enabled by default in Office 365 and may lead to a risky scenario where an external party could accidentally disclose sensitive information.
What If?
Users will not be able to sync contacts or use LinkedIn integration.
How to?
To disable LinkedIn account data sharing, perform the following steps via the Azure AD admin center:
1. Navigate to https://admin.microsoft.com and log in as a Global Admin.
2. Expand Admin centers, then choose Azure Active Directory.
3. After the Azure AD admin center opens, select Users, followed by User Settings, then User settings.
4. Under LinkedIn accou

Account/Authentication - Azure Active Directory - Ensure that Collaboration Invitations are Sent to Allowed Domains Only

Summary
Users should only be able to send collaboration invitations to allowed domains.
Reason
If the allowed domains for collaboration are specified, external companies can be explicitly identified. This also prevents internal users from inviting unknown external users, such as personal accounts, and giving them access to resources.
What If?
This could make collaboration harder if the setting is not quickly updated when a new domain is identified as "allowed".
How to?
From the Azure portal:
1. Go to Azure Active Directory.
2. Go to Users.
3. Go to User Settings.
4. Under External users, click on Manage external collaboration settings.
5. Under Collaboration restrictions, choose "Allow invitations only to the specified domains (most restrictive)", check the Target domains setting, and specify the domains allowed to collaborate.
Default Value: "Allow invitations to be sent to any domain (most inclusive)", with no domain specified.
Monitor: From the Azure portal: Go to Azure Act

Account/Authentication - Azure Active Directory - Ensure that Only Organizationally Managed/Approved Public Groups Exist

Summary
Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365 and can give a group of people access to a collection of shared resources. Although there are various group types, this recommendation is concerned with Microsoft 365 Groups. When a group is created in the Administration panel, the default privacy value is "Public".
Reason
This recommendation ensures that only organizationally managed and approved public groups exist. When a group has "Public" privacy, users can easily access data related to this group (such as SharePoint) via three methods:
- Using the Azure portal and adding themselves to the public group.
- Requesting access to the group from the Group application of the Access Panel.
- Accessing the SharePoint URL.
Administrators are generally notified whenever a user uses the Azure portal. Requesting access to the group forces the user to send a message to group

Account/Authentication - Azure Active Directory - Ensure Security Defaults is Disabled on Azure AD

Summary
Security Defaults secure and protect your organization with preconfigured security settings for common attacks. To ensure that all organizations have a basic level of security enabled at no extra cost, Microsoft makes security defaults available to everyone; they can be turned on in the Azure portal. However, their use prevents the custom, more advanced settings recommended by this benchmark from being applied.
Reason
Security Defaults offer secure default settings that Microsoft manages on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings, for example by:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients, which can't do MFA.
What If?
Disabling security defaults can a

Account/Authentication - Azure Active Directory - Use Just in Time Privileged Access to Office 365 Roles

Summary
Privileged Identity Management (PIM) can be used to permit just-in-time activation of roles, provide periodic role attestation, and audit roles. Permanent members should be removed from privileged Office 365 roles and instead made eligible through a JIT activation workflow.
Reason
Although organizations are keen to minimize the number of people with access to secure information or resources, in order to lessen the chance of malicious attacks or an authorized user's unintentional impact on a sensitive resource, users are still required to carry out privileged operations in Azure AD and Office 365. Granting users just-in-time (JIT) privileged access to roles, together with oversight of what those users do with their administrator privileges, lets PIM mitigate the risks of excessive, unnecessary, or misused access rights.
What If?
Implementing JIT privileged access will change the administrator routine, as they will be granted access to administrative ro

Account/Authentication - Azure Active Directory - Enable Azure AD Identity Protection User Risk Policies

Summary
This policy detects the probability that a user account has been compromised.
Reason
If the user risk policy is turned on, Azure AD can detect the probability of a compromised user account, allowing an administrator to configure a user risk Conditional Access policy to respond automatically to a specific user risk level. For example, access to your resources can be blocked or a password change required, to return the user account to a clean slate.
What If?
After the policy triggers, access to the account will either be blocked or the user will be required to use MFA to access the account and change their password. Users without MFA will be blocked from accessing the account, after which an admin will have to recover the account. Hence, it is recommended to configure the MFA registration policy for all users who are part of the User Risk policy.
How to?
To configure a User risk policy, use the following steps:
1. Login to https://admin.micros