COVID-19 prompts DHS warning to review Office 365 security

Heads up, Microsoft Office 365 users: It’s time to take some important steps in securing your account. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released some recommendations to help secure the online productivity service.

In May 2019, CISA released a report detailing some security shortcomings in Microsoft’s cloud-based productivity system. CISA published its latest advisory to press home the recommendations made during that report, in part because of the move to remote working during the current health crisis, it said:

While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.

The Agency has several recommendations for Office 365 users, mainly covering access controls.

One such recommendation concerns administrator access to Azure Active Directory (Azure AD). This is a cloud-based counterpart to the Active Directory system that has long shipped with Windows Server, and it houses user information for users of Microsoft’s cloud services along with their privileges.

Companies should use Global Administrator (GA) accounts sparingly because of their unparalleled privileges, it suggested. For example, these accounts can delegate other admins. Instead, use other built-in admin roles that have privileged access but don’t carry the same God-like powers. To be fair, this is something that Microsoft also suggests.

Microsoft doesn’t enable multi-factor authentication (MFA) for admins by default, warns the advisory, which adds that they should turn it on to protect these highly privileged accounts. It should do the same for normal users too, it said, pointing to the possibility of phishing attacks (like this one) that use Microsoft’s cloud productivity services.

MFA might be a problem when authenticating to Exchange Online using legacy protocols that don’t support it, warns the Agency, including POP3, IMAP, and SMTP. That’s why it recommends turning those off and relying completely on Azure AD as an authentication mechanism instead.

That’s timely advice because Microsoft has joined Google in delaying related security upgrades while everyone grapples with COVID-19. Soon enough, though, it will turn off the Basic Authentication mechanism on which these protocols rely.

In the meantime, if you really must support these protocols for users that refuse to move away from insecure clients, then at least turn them off for everyone else, CISA says.

Other recommendations include using Office 365’s Unified Audit Log (UAL) feature. This logs events from the service’s applications, including SharePoint Online, Azure Active Directory, and Microsoft Teams. Integrating the logs with a security information and event management (SIEM) tool will help you to spot dodgy-looking activities, CISA says.

On that note, it also advises enabling alerts within the Security and Compliance Centre to notify admins of suspicious events. At the very least, you should turn on red flags for logins from suspicious locations and for accounts exceeding sent email thresholds.

Finally, the Agency advises companies to use Microsoft’s Secure Score tool, which grades your security posture based on which measures you have turned on. It isn’t perfect, but every little helps, it says:

These recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change.

Isn’t there a way to just turn on all the necessary security by default? Yup. Microsoft has a security defaults feature for Azure AD that provide a basic level of security out of the box. Accounts created after 22 October, 2019 might have them turned on already, the company says, but old accounts won’t. It’s at least a simple switch to flip. It requires all your users to register for MFA in 14 days, eventually blocking them from sign-in until they do, and kills Basic Authentication.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.