The US Dept of Homeland Security has published advice on the extra precautions that Microsoft Office 365 customers should take to protect themselves.
The advice is politely titled as Microsoft Office 365 Security Observations but should perhaps be called ‘Office 365 defaults you need to change’.
Many of the recommendations apply to people or organizations using Office 365 hosting for their email, calendar, contacts plus documents and files. But the first applies to everyone with a Microsoft account …
Default everyone should change
Their first recommendation applies to all Office 365 customers, hosting or not. That includes anyone with Office 365 Home, Personal or University.
Two-factor authentication is the single best thing you can do to secure your Microsoft account. That includes all your files on OneDrive cloud storage.
Office Watch has released an ebook all about Two-Factor Authentication: Straight Talk. It explains, step-by-step, how to setup ‘2Fac’ for all major accounts (Microsoft, Apple, Google, Facebook etc). The book also busts some common misunderstandings which stop people using two-factor authentication.
Third-party setup warning
Homeland Security has some stern words about third-party consultants who setup Office 365 for organizations. The warning is somewhat obscured in the phrasing:
“The organizations that used a third party have had a mix of configurations that lowered their overall security posture”
That means the setup was not all it should be from a security point of view. Consultants are prone to choosing options that make for less support work for them, rather than what’s best for their customer.
Entirely relying on outside advice might not be the best strategy, as Homeland Security notes:
” … the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.”
The other US government recommendations apply to Office 365 hosting administrators. In some cases, admins should make sure that the latest Office 365 hosting defaults have been applied for organizations that moved to Office 365 some time ago.
Logging or Auditing
Office 365 hosting has two auditing or logging options: Mailbox and Unified.
Mailbox auditing creates a log of actions on a mailbox so administrators can see what’s happened and when.
New Office 365 customers get mailbox auditing turned on automatically, but prior to January 2019 it was off for new customers. Customers who setup before January 2019 will need to ensure that Mailbox Auditing is ON
The unified audit log tracks events in Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other Office 365 services.
Unified Auditing is still OFF by default though that’s gradually changing, according to Microsoft. The Homeland Security advisory recommends ensuring that this logging also is on.
Logging isn’t a protection against hacking but helps find out what’s happened and identify improper access.
Organizations that use Azure AD should ensure that ‘Password Sync’ is OFF. This feature ensures that on-site accounts are synchronized with the cloud storage of accounts and passwords. That sounds great but it means that a hacked account in an organization gets copied to the cloud, allowing much wider access to the organization.
Password Sync was on by default until October 2018. All admins should check this option is OFF.
Old mailbox connection options
The best way to connect with Exchange Server/Online is Microsoft’s ActiveSync. It’s widely supported in all major devices. From a security viewpoint, ActiveSync is better for organizations because it’s directly linked to Azure AD authentication.
Legacy connection methods like IMAP, POP3 and SMTP don’t support 21st Century security and authentication.
Homeland Security suggest turning off these options entirely. If they have to be on, enable them for only the users who truly need it.