Microsoft Office 365: US issues security alert on hasty remote deployments




The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released security tips for organizations that may have rushed Office 365 deployments to support remote work during the coronavirus pandemic.

CISA cautions that it continues to see organizations that have not implemented security best practices for their Office 365 deployment. It is concerned that hasty deployments may have led to significant security configuration oversights that could be exploited by attackers.

“In recent weeks, organizations have been forced to change their collaborative methods to support an entire ‘work from home’ workforce,” CISA said in the new alert.

“O365 provides cloud-based email capabilities, as well as video and chat capabilities using Microsoft Teams. While the abrupt change to work from home may require rapid deployment of collaborative cloud services, such as O365, the expedited implementation can lead to oversights in security configurations and undermine a robust O365-specific security strategy.”

CISA’s new advice is similar to an alert it issued last year after seeing contractors implement O365 with poor security settings. The document contains links to relevant Microsoft best practice documents for secure configuration of Azure AD and Office 365.

The first thing organizations need to do is protect Azure Active Directory (AD) global administrators in Office 365 with multi-factor authentication (MFA).

This is the account used to configure other accounts, and it has the highest privileges, equivalent to the domain administrator in an on-premises AD environment. MFA is not enabled by default for this account, so administrators must actively enable it.

CISA points to Microsoft’s security defaults, released in January to help organizations protect their accounts at the same level that Microsoft protects consumers’ accounts from attacks like password theft and phishing.

The tool helps ensure that administrators use MFA. Microsoft earlier this year revealed that 99.9% of compromised accounts do not use MFA and that only 11% of companies had enabled MFA.

“If not secured immediately, an attacker can compromise these cloud-based [admin] accounts and maintain persistence while a client migrates users to O365,” CISA warned.

CISA says the global administrator account should only be used when “absolutely necessary” and that it is important to assign administrator roles using role-based access control.

“Using the numerous other Azure AD built-in administrator functions in place of the global administrator account may limit the allocation of excessively permissive privileges to legitimate administrators. Practicing the ‘least privilege’ principle can greatly reduce the impact if an administrator account is compromised,” CISA notes.

CISA recommends that administrators enable the Unified Audit Log in the Security and Compliance Center to assist in incident investigations. The audit trail contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI and other Office 365 services.

The agency also recommends enabling MFA for all users even if they don’t have elevated permissions. Additionally, administrators must disable legacy protocols, especially those that do not support MFA, such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP).

However, CISA recognizes that these protocols will not be disabled where an older email client requires them. It recommends that organizations inventory users who need to use a legacy email client and restrict access to those protocols.

“Taking this step will greatly reduce an organization’s attack surface,” says CISA.
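One way to build the legacy-client inventory CISA recommends, shown as an added example that is not from CISA or the original article: the script reads exported sign-in records, lists which users authenticated over POP3, IMAP or SMTP, and splits them into approved exceptions and protocols to block. The field names (`userPrincipalName`, `clientAppUsed`) and client-app labels are assumed to match an Azure AD sign-in log export; the sample records and the exception list are constructed.

```python
from collections import defaultdict

# Client-app labels treated as the legacy protocols the article names
# (assumed to match "clientAppUsed" values in an Azure AD sign-in export).
LEGACY_CLIENT_APPS = {"POP3": "POP3", "IMAP4": "IMAP", "Authenticated SMTP": "SMTP"}

# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "Bob@Example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "POP3"},
    {"userPrincipalName": "", "clientAppUsed": "POP3"},  # malformed row, skipped
]

# Hypothetical exception list: accounts approved to keep a legacy client,
# and the protocols each one is approved for.
APPROVED = {"scanner@example.com": {"SMTP"}}


def inventory_legacy_users(signins):
    """Map each user (case-insensitive) to the legacy protocols they used."""
    inventory = defaultdict(set)
    for rec in signins:
        user = (rec.get("userPrincipalName") or "").strip().lower()
        proto = LEGACY_CLIENT_APPS.get(rec.get("clientAppUsed"))
        if user and proto:
            inventory[user].add(proto)
    return dict(inventory)


def restriction_plan(inventory, approved):
    """Split observed legacy use into approved exceptions and protocols to block."""
    plan = {}
    for user, used in sorted(inventory.items()):
        allowed = used & approved.get(user, set())
        plan[user] = {"keep": sorted(allowed), "block": sorted(used - allowed)}
    return plan


if __name__ == "__main__":
    found = inventory_legacy_users(SAMPLE_SIGNINS)
    for user, decision in restriction_plan(found, APPROVED).items():
        print(user, decision)
```

Users who never appear in the inventory have no observed need for these protocols, so they fall under the default of disabling them.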

Finally, CISA recommends using Microsoft’s Secure Score tool, which is designed to measure an organization’s security posture for Office 365, and integrating the Unified Audit Log with a SIEM tool.
