Since October 22, 2019, Microsoft has enabled security defaults on new accounts automatically. However, there are a lot of security basics that should be enabled to properly secure your Microsoft 365 account. Most of these basic security measures are available without purchasing additional licenses.
Secure Account Access
- Enforce Multifactor Authentication – Require a second form of authentication such as the Microsoft Authenticator App, SMS, or email to verify the identity of the person trying to access the account.
- Expire Passwords – Multifactor Authentication is not a silver bullet security measure. Your users could still unintentionally give a cyber-criminal everything they need to compromise your accounts. If an account has been compromised and the password is never changed, a cyber-criminal could stay logged into that account indefinitely.
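The two items above can be set from the command line rather than the admin portal. The following is an added example using Microsoft Graph PowerShell; it is not code from the article or from GMT Solutions. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the listed scopes, and that contoso.com stands in for your own verified domain.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell module; "contoso.com" is a placeholder for your verified domain.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Domain.ReadWrite.All", "User.Read.All"

# Security defaults: every user must register for MFA and legacy authentication
# is blocked. This is the no-extra-license way to enforce multifactor authentication.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled

# Password expiry: passwords are valid for 90 days and users are warned 14 days
# before they expire. The setting is per verified domain.
Update-MgDomain -DomainId "contoso.com" `
    -PasswordValidityPeriodInDays 90 `
    -PasswordNotificationWindowInDays 14
Get-MgDomain -DomainId "contoso.com" |
    Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# Audit: individual accounts can be flagged so their password never expires,
# which silently defeats the domain setting. List any that are.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, PasswordPolicies
```

Security defaults and Conditional Access policies cannot both be active in a tenant, so if you later adopt the Azure AD Premium P1 policies described further down, the first cmdlet above must be run with `-IsEnabled $false` before those policies are enabled.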
Exchange Online Hardening
Phishing emails are still one of the most common ways cybercriminals compromise accounts. According to Verizon, “66% of breaches involved Phishing, Stolen credentials, and/or Ransomware”.
- Enable First Contact Tip – Alert users to possible phishing attempts by appending a safety warning at the top of external emails. The tip is prefixed to the message the first time a sender contacts the user, or when the user rarely receives messages from that sender.
- Enable attachments filter – Block emails that contain files that should never be sent via email. For example, you should not allow your users to receive installation files via email.
- Enforce Mobile Device Security – Company data should never be allowed on unprotected mobile devices. These devices often contain a lot of personal and company data.
  - Block devices that do not fully support your mobile device policy.
  - Require a password with a minimum length of 6.
  - Wipe mobile devices after 10 failed sign-ins.
  - Lock devices after 15 minutes of inactivity.
- Enable a Retention Policy – Protect data in Exchange from accidental or malicious deletion. A retention policy prevents data from being permanently deleted for a period.
- Enable DKIM – Sign your emails so they can be authenticated by the receiver. This will improve the chances of your email landing in the inbox.
- Fail unauthorized senders – Set your SPF record to fail emails sent from unauthorized sources.
- Set DMARC to reject – Tell email servers to reject mail that fails DKIM and SPF checks. This will help protect your email reputation and clients from fake emails that appear to come from you.
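The Exchange Online items in the list above (the first contact tip, the attachment filter, the mobile device policy, DKIM, SPF and DMARC) can be applied in one session with the ExchangeOnlineManagement module. The script below is an added example and is not code from the article or from GMT Solutions; contoso.com, the blocked file-type list and the DNS record values are constructed placeholders, and the default policy names are the ones Exchange Online creates in every tenant.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module; "contoso.com" and the DNS values are placeholders.
Connect-ExchangeOnline

# 1. First contact safety tip on the default anti-phishing policy.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -EnableFirstContactSafetyTips $true

# 2. Common attachment types filter: reject mail carrying installer and script files.
#    -FileTypes replaces the whole list, so merge with what is already configured.
$extraTypes = @("exe", "msi", "bat", "cmd", "ps1", "vbs", "js", "jar", "scr")
$current    = (Get-MalwareFilterPolicy -Identity Default).FileTypes
$fileTypes  = @($current + $extraTypes | Select-Object -Unique)
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $fileTypes -FileTypeAction Reject

# 3. Mobile device mailbox policy: PIN of at least 6, wipe after 10 failed
#    attempts, lock after 15 minutes idle, and refuse devices that cannot
#    enforce every setting in the policy.
Set-MobileDeviceMailboxPolicy -Identity Default `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock ([TimeSpan]::FromMinutes(15)) `
    -AllowNonProvisionableDevices $false

# 4. DKIM: read the two CNAME targets Microsoft generated, publish them in DNS
#    as selector1._domainkey and selector2._domainkey, then enable signing.
$domain = "contoso.com"
Get-DkimSigningConfig -Identity $domain | Format-List Selector1CNAME, Selector2CNAME, Enabled
# Use New-DkimSigningConfig -DomainName $domain -Enabled $true instead if the
# previous command returned nothing for the domain.
Set-DkimSigningConfig -Identity $domain -Enabled $true

# 5. SPF and DMARC live in DNS, not in Exchange. The records to publish are:
#    contoso.com         TXT  "v=spf1 include:spf.protection.outlook.com -all"
#    _dmarc.contoso.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"
#    "-all" hard-fails unlisted senders; "p=reject" tells receivers to drop mail
#    that fails both checks. Confirm what public resolvers see (Resolve-DnsName
#    ships with Windows in the DnsClient module):
Resolve-DnsName -Name $domain -Type TXT |
    Where-Object { $_.Strings -match '^v=spf1' } |
    Select-Object -ExpandProperty Strings
Resolve-DnsName -Name "_dmarc.$domain" -Type TXT | Select-Object -ExpandProperty Strings
```

Move DMARC to `p=reject` only after the aggregate reports sent to the `rua` address show that every legitimate sending system (marketing platforms, ticketing tools, printers) is covered by SPF or DKIM; otherwise your own mail is what gets rejected.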
SharePoint and OneDrive Hardening
The default security measures for SharePoint and OneDrive are too relaxed. Considering both applications are designed to house most of your company’s data, particular care should be taken to enforce strict controls to mitigate the risk of data leaks.
- Require verification for share links – Allowing unrestricted access to files and folders outside your organization is always a bad idea. If you need to share files with the world, share them from your web hosting, not from SharePoint or OneDrive.
- Auto Expire Guest Access – Ensure external access to your data expires after a reasonable amount of time. Imagine if your accountant, a salesperson, or some other employee shared your files and folders with a personal account using a link that never expires. They would still have access to your files after they left the company.
- Block Legacy Authentication – Prevent third-party applications and unsupported versions of Office from connecting to SharePoint Online to increase security.
- Enable a Retention Policy – Protect data in SharePoint Online from accidental or malicious deletion. A retention policy prevents data from being permanently deleted for a period of time. We suggest setting retention policies for at least 1 year.
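The SharePoint and OneDrive sharing settings above, together with the retention policy recommended here and in the Exchange section, can be configured with two PowerShell modules. This is an added example and is not code from the article or from GMT Solutions; it assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, and the tenant name and policy names are placeholders.

```powershell
# Added example (not from the original article). "contoso" and the policy
# names are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Sharing: no "Anyone" (anonymous) links, so every recipient must sign in;
# the default link is organisation-only; guest access lapses after 30 days
# unless renewed; legacy authentication protocols are refused.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 30 `
    -LegacyAuthProtocolsEnabled $false

# Verify the tenant now reports the hardened values.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays, LegacyAuthProtocolsEnabled

# Retention: one policy covering Exchange mailboxes, SharePoint sites and
# OneDrive accounts, keeping content for at least 365 days even if a user
# (or an attacker using their account) deletes it. Created through the
# Security & Compliance PowerShell session.
Connect-IPPSSession
$policyName = "Baseline 1-year retention"
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Enabled $true
New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
    -RetentionComplianceAction Keep `
    -RetentionDuration 365
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

`RetentionComplianceAction Keep` retains items without ever deleting them automatically; use `KeepAndDelete` if you also want content removed once the period has passed. Policy distribution to all locations can take some time, which is why the last command reports the distribution status.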
Additional Security Enhancements
The following recommendations require at least one Azure AD Premium P1 license to create these policies.
- Require Multi-Factor Authentication – Require everyone including guests and external users to use multi-factor authentication.
- Set Browser Time Limits – Prevent the possibility that someone stays signed into Microsoft 365 in the browser. For example, someone may sign into SharePoint Online using Chrome or some other internet browser for a document at a client’s site and forget to log off. By default, that person would remain signed in for up to 90 days. We suggest requiring browser sessions to sign in every 4 hours.
- Block Unsupported Devices – Microsoft 365 supports Windows, Android, iOS, macOS, Windows Phone, and Linux platforms. Block any device platforms you are unlikely to use such as Linux.
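The three recommendations above are implemented as policies that Azure AD Premium P1 unlocks. The script below is an added example, not code from the article or from GMT Solutions, and creates them through Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.SignIns module, that security defaults have already been turned off (the two features are mutually exclusive), and that the emergency-access account object ID is a placeholder you replace with your own.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph.Identity.SignIns
# and an Azure AD Premium P1 license. The break-glass object ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlass = "<object-id-of-emergency-access-account>"   # placeholder: exclude it from every policy
# Every policy starts in report-only mode; switch to "enabled" after reviewing sign-in logs.
$state = "enabledForReportingButNotEnforced"

# 1. Multi-factor authentication for everyone. includeUsers = All covers
#    members, guests and external users alike.
$mfa = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Browser sessions must sign in again every 4 hours and are never kept
#    persistent, so a forgotten session on a client's machine cannot last 90 days.
$session = @{
    displayName     = "CA02 - Browser sign-in every 4 hours"
    state           = $state
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        signInFrequency   = @{ value = 4; type = "hours"; isEnabled = $true }
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

# 3. Block every device platform except the ones you support. Including "all"
#    and excluding the supported platforms (rather than including only Linux)
#    means unrecognised platforms are blocked as well.
$platforms = @{
    displayName   = "CA03 - Block unsupported device platforms"
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        platforms      = @{
            includePlatforms = @("all")
            excludePlatforms = @("windows", "macOS", "iOS", "android")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfa, $session, $platforms)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Report-only mode records in the sign-in logs what each policy would have done without blocking anyone, which is the safe way to find service accounts, shared mailboxes or a forgotten Linux build server before the block policy locks them out.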
There are a lot of extra steps beyond the base setup needed to have a secure foundation to protect your company and client data. Unfortunately, many of these security policies are not enabled even though most of them cost nothing extra. Take the time to verify these basic security enhancements are enabled on your Microsoft 365 account.
Our engineers at GMT Solutions can enable these basic security enhancements for you.