rvlsoft - Fotolia


12 Microsoft 365 security best practices to secure the suite

Migrating to or operating cloud-based Microsoft 365 can bring with it a host of problems and misconfigurations. Check out 12 best practices to tighten Microsoft 365 security.

Part one of this two-part series on Microsoft 365 (formerly Office 365) security weaknesses examined some of main misconfigurations that cause problems when trying to securely operate or migrate to the cloud-based Microsoft 365 suite of services. While knowing the challenges is half the battle, what about addressing those challenges? Based on our work with clients, our research data and a review of available information, Nemertes recommends the following 12 best practices to secure Microsoft 365.

  1. Implement a Microsoft 365 cybersecurity task force. To address known concerns with Microsoft 365, we recommend enterprises form a cybersecurity team focused specifically on Microsoft 365 cybersecurity. This team should be responsible for the following:
  • educating itself on the known issues;
  • recommending remediations and best practices;
  • developing a security-based project plan for the Microsoft 365 migration;
  • working directly with any third-party providers to ensure migration and implementation align with best practices; and
  • working directly with Microsoft's technical experts if issues arise.
  1. Review Microsoft documentation. Microsoft has an extensive library that grows daily, documenting security vulnerabilities -- particularly those related to configuration issues. As a regular practice, the task force should review the library. Earlier this year, for example, Microsoft added a recommendation to the repository that businesses should use Domain-based Message Authentication, Reporting and Conformance (DMARC) to validate and authenticate mail servers to ensure destination email systems trust messages sent from company domains to help companies fortify their systems.

    Using DMARC with Sender Policy Framework (SFP) and DomainKeys Identified Mail (DKIM) provides additional protection against spoofing and phishing emails. The library has hundreds of recommendations like this. As a result, the task force should familiarize itself with the library's documentation and, as a regular practice, continue reviewing the library on a regular basis.
  1. Enable and use DMARC, SPF and DKIM. When used together, these three protocols dramatically reduce the risk of spoofing and phishing. Use Microsoft Exchange as your email service provider in this configuration.
  2. Enable multifactor authentication (MFA) by default, at the very least for administrator accounts and, ideally, for all accounts. The May 2019 U.S. Cybersecurity and Infrastructure Security Agency (CISA) report noted that MFA for administrator accounts isn't enabled by default, yet Azure Active Directory (AD) global administrators in a Microsoft 365 environment have the highest level of administrator privileges at the tenant level. Modifying this configuration to require administrator MFA is a huge step toward ensuring security.
  3. Enable mailbox auditing by default. The CISA report also revealed Microsoft didn't enable auditing by default in Microsoft 365 prior to January 2019. The Microsoft 365 task force should ensure this step is enabled by default.
  4. Determine if password sync is required. By default, Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to Microsoft 365. In this scenario, the on-premises password overwrites the password in Azure AD. Therefore, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs. If password sync is required, the team should carefully think through the implications of a premises-based attack on cloud systems, or vice versa.
  5. Move away from legacy protocols. Several protocols, including Post Office Protocol 3 and Internet Mail Access Protocol 4, don't effectively support authentication methods such as MFA. CISA recommended moving away from all legacy protocols.
  6. Upgrade all software and OSes prior to migration. Earlier versions of Microsoft software, such as Office 2007, have known security vulnerabilities and weaker protection thresholds. Upgrade all software to current versions prior to migrating to Microsoft 365.
  7. Test all third-party applications before integrating them into Microsoft 365. If you are using Microsoft 365 in conjunction with third-party applications -- developed in-house or by outside companies -- be sure you conduct solid cybersecurity testing before integrating them with Microsoft 365.
  8. Develop and implement a backup and business continuity plan. Many organizations wrongly assume that, because Microsoft 365 is cloud-based, it is automatically backed up. That's not the case; Microsoft uses replication rather than traditional data backup methods. As a result, it can't guarantee an organization's files will remain available if files are compromised through ransomware or accidental deletion.
  9. Implement cloud-based single sign-on (SSO). Known vulnerabilities in Microsoft 365's security protocols involve using cross-domain authentication to bypass federated domains. The best approach to mitigating these issues is to deploy SSO as a service from a provider such as identity and access management company Okta or identity security company Ping Identity.
  10. Assess your Microsoft Secure Score and Compliance Score. Microsoft has developed two registries for Microsoft 365: Secure Score and Compliance Score. These registries list hundreds of steps customers should take to improve their overall scores and include a way to indicate whether they've done it, not done it yet or accept the risk. Secure Score is aimed at traditional security, such as "Did you enable MFA?" Compliance Score offers a general assessment, as well as regulation-specific assessments, such as GDPR and the California Consumer Privacy Act.

Microsoft 365 security effort requires focus

In summary, Microsoft 365 is peppered with cybersecurity vulnerabilities, in its architecture and design and in the default configuration. The known vulnerabilities and best practices discussed here are just a start. What's more important is that enterprise technology pros maintain a focused and ongoing cybersecurity effort to protect their environments.

Organizations are facing a lot of pressure to migrate to Microsoft 365. Nemertes believes the platform's cybersecurity challenges can be overcome with effort and attention. In particular, it is vital to have a Microsoft 365 cybersecurity task force. This is not an optional component of any migration to Microsoft 365. That means companies need to consider the cost and effort involved in creating and maintaining an ongoing Microsoft 365 task force when computing the ROI of migrating to the platform. If the perceived benefit of agility and a cloud-based environment exceeds the cost of maintaining a focused internal group, a move to Microsoft 365 is warranted.

Next Steps

Microsoft's security roadmap goes all-in on 365 Defender

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing