{elysiumsecurity}
OFFICE 365 SECURITY
Version: 1.2a
Date: 25/07/2018
Author: Sylvain Martinez
Reference: ESC9-MUSCL
Classification: Public
cyber protection & response
2. CONTENTS
CONTEXT
• What is Office 365?
RISKS
• Misconception
BASIC SECURITY
• Dual Factor Authentication;
• Enable Audit Logs;
• Review Email Protection Settings;
• Admin as a Separate User;
• Limit Usage of Admin Account;
• Microsoft Security Score.
ADVANCED SECURITY
• Enforce Dual Factor Authentication;
• Enable Advanced Audit Logs;
• Advanced Threat Protection;
• Create ATP Policies;
• Disable OWA by default;
• Regular Log Reviews.
FORENSICS
• Limitations;
• Where to start?
• What to look for?
3. WHAT IS OFFICE 365
MICROSOFT CLOUD OFFERING FOR OFFICE TOOLS
EXCEL, WORD, POWERPOINT, OUTLOOK/EMAIL
STARTED IN 2010
INTEGRATES WITH AZURE ACTIVE DIRECTORY
Icons from the noun project unless specified otherwise
4. MISCONCEPTION
MISCONCEPTION: NO NEED FOR EXTRA SECURITY CONFIGURATION
REALITY: MANY SECURITY FEATURES ARE TURNED OFF BY DEFAULT
MISCONCEPTION: PHISHING ATTACKS AND CREDENTIAL COMPROMISE ARE NOT POSSIBLE
REALITY: RISK CAN BE REDUCED BUT NOT REMEDIATED COMPLETELY
MISCONCEPTION: HOSTED BY MICROSOFT SO IT CANNOT BE HACKED
REALITY: THERE IS NO SUCH THING AS A 100% SECURE SYSTEM
5. OVERVIEW (BASIC SECURITY)
ENABLE DUAL FACTOR AUTHENTICATION
ENABLE AUDIT LOGS
REVIEW EMAIL PROTECTION SETTINGS
SET YOUR ADMIN ACCOUNT AS A SEPARATE USER
LIMIT USE OF ADMIN/ENTERPRISE ACCOUNT
LOOK AT YOUR SECURITY SCORE
6. DUAL FACTOR AUTHENTICATION
(Screenshot: Microsoft 365 admin center -> Users -> Active users -> Multi-factor authentication, where per-user MFA is switched on.)
7. ENABLE AUDIT LOGS
(Screenshot: Security & Compliance Center -> Search & investigation -> Audit log search -> "Start recording user and admin activity". Until this is switched on, the unified audit log records nothing.)
Images from slashadmin.co.uk
8. REVIEW EMAIL PROTECTION SETTINGS
(Screenshot: Exchange admin center -> protection, where the anti-malware, anti-spam and connection filter policies live.)
9. ADMIN AS A SEPARATE USER
STATUS: UNLICENSED
NO NEED FOR A MAILBOX
NO NEED TO LOGON TO THE DOMAIN
ONLY NEEDS TO LOGON TO THE ADMIN PORTAL
An unlicensed, cloud-only admin account has no mailbox to phish and no inbox for an attacker to plant rules in, and it is never used on a workstation or for day-to-day email; it exists solely to reach the admin portal.
10. LIMIT USAGE OF ADMIN ACCOUNT
Images from Dreamstime
NO HUMAN ERRORS = NO HUMAN RISK: the less the admin account is used day to day, the smaller the chance of an accidental misconfiguration and the smaller the window in which a phished or replayed admin session can be abused.
11. MICROSOFT SECURITY SCORE
Security & Compliance home -> https://securescore.microsoft.com
The score lists the tenant settings Microsoft considers unsafe (many are the defaults discussed on slide 4) and the points gained by fixing each; use it as a prioritised to-do list rather than a target number.
12. OVERVIEW (ADVANCED SECURITY)
ENFORCE DUAL FACTOR AUTHENTICATION FOR ALL USERS
ENABLE ADVANCED AUDIT LOGS
INSTALL ADVANCED THREAT PROTECTION
CREATE ATP POLICIES
DISABLE OUTLOOK WEB ACCESS BY DEFAULT
REGULAR LOGS REVIEW
13. ENFORCE DUAL FACTOR AUTHENTICATION
https://blogs.technet.microsoft.com/office365/2015/08/25/powershell-enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/
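The bulk enable/enforce approach the linked post describes, as an added example that is not code from the deck or from the linked post: it uses the MSOnline module's per-user MFA setting. Microsoft has since retired the MSOnline module and per-user MFA has been superseded by Conditional Access, so treat this as an illustration of the Enabled vs Enforced states rather than the current recommended tooling. The break-glass UPN, the $DryRun switch and the function names are this example's assumptions.

```powershell
# Added example (not the deck's or the linked post's own code): bulk per-user MFA with MSOnline.
# Assumes: Install-Module MSOnline has been run and you sign in with a Global Administrator.
# Caveat: MSOnline is retired; use Conditional Access ("require MFA for all users") in a current tenant.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

# Assumption: one emergency (break-glass) account is kept out of bulk changes and protected separately.
$Exclusions = @('breakglass@contoso.onmicrosoft.com')   # hypothetical UPN

function New-MfaRequirement {
    # 'Enabled'  : user is asked to register MFA at next modern-auth sign-in.
    # 'Enforced' : registration is mandatory and legacy (non-MFA-aware) clients need app passwords.
    param([ValidateSet('Enabled', 'Enforced')][string]$State)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    return @($req)
}

function Get-MfaState {
    param($User)
    if ($User.StrongAuthenticationRequirements) { $User.StrongAuthenticationRequirements[0].State } else { 'Disabled' }
}

function Set-MfaForAllUsers {
    # Moves every enabled, non-excluded user to $State; with -DryRun it only reports what would change.
    param([ValidateSet('Enabled', 'Enforced')][string]$State = 'Enforced', [switch]$DryRun)
    foreach ($u in Get-MsolUser -All) {
        if ($u.UserPrincipalName -in $Exclusions -or $u.BlockCredential) { continue }
        $current = Get-MfaState $u
        if ($current -eq $State) { continue }
        Write-Host "$($u.UserPrincipalName): $current -> $State"
        if (-not $DryRun) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements (New-MfaRequirement -State $State)
        }
    }
}

function Get-MfaStatusReport {
    # Anything still 'Disabled' after enforcement needs an explanation (excluded, blocked, or missed).
    Get-MsolUser -All | Select-Object UserPrincipalName, IsLicensed, BlockCredential,
        @{ n = 'MfaState'; e = { Get-MfaState $_ } },
        @{ n = 'Methods';  e = { ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',' } }
}

Set-MfaForAllUsers -State Enforced -DryRun     # review the list first
Set-MfaForAllUsers -State Enforced
Get-MfaStatusReport | Sort-Object MfaState | Format-Table -AutoSize
```

Run the dry run first and look at who would change; service accounts that drive legacy SMTP/IMAP clients will break under Enforced until they get app passwords or, better, are moved to modern authentication.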
14. ENABLE ADVANCED AUDIT LOGS
1. Start PowerShell as admin
2. Set-ExecutionPolicy RemoteSigned
3. $UserCredential = Get-Credential
   NO MFA! The account used here cannot have MFA enabled: the session in step 4 uses Basic authentication, which has no way to answer an MFA challenge. Use a dedicated account and disable it afterwards, or connect with the Exchange Online PowerShell module (Connect-ExchangeOnline), which supports MFA. Microsoft has since retired Basic-auth remote PowerShell to Exchange Online altogether.
4. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
5. Import-PSSession $Session
6. CHECK STATUS: Get-Mailbox "myname" | FL Audit*
7. CHECK STATUS FOR ALL USERS: Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*
8. ENABLE LOGS FOR ALL USERS: Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
9. BY DEFAULT ONLY UpdateFolderPermissions IS AUDITED FOR THE MAILBOX OWNER (normal users); step 10 on the next slide adds the owner actions an investigation actually needs.
15. ENABLE ADVANCED AUDIT LOGS (continued)
10. ADD OWNER ACTIONS FOR ALL USERS:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","Create","Move","MoveToDeletedItems"}
https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions
Caveat: Microsoft has since turned mailbox auditing on by default for Office 365 tenants (rolled out from early 2019), but verify rather than assume: the tenant-level AuditDisabled setting (Get-OrganizationConfig) and per-user audit bypass associations both silence it regardless of the per-mailbox flags, and the default owner action set is narrower than the list above.
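Steps 1 to 10 from slides 14 and 15 as one script, added here as an example and not the deck's own code. It connects with the Exchange Online PowerShell module rather than the Basic-auth session on slide 14, so the admin account can keep MFA; the admin UPN, the two extra owner actions (Update, UpdateInboxRules) and the function names are this example's assumptions.

```powershell
# Added example (not the deck's code): enable mailbox auditing for all user mailboxes, add owner
# actions, then verify. Assumes Install-Module ExchangeOnlineManagement has been run.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # hypothetical admin UPN; MFA works here

# The deck's owner actions plus Update and UpdateInboxRules (this example's addition: both show up
# when an attacker edits messages or plants persistence through inbox rules).
$OwnerActions = @('MailboxLogin', 'HardDelete', 'SoftDelete', 'Create', 'Move', 'MoveToDeletedItems',
                  'Update', 'UpdateInboxRules')

function Get-UserMailboxes {
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
}

function Enable-MailboxAuditingForAll {
    # The tenant-wide switch overrides every per-mailbox setting, so check it first.
    if ((Get-OrganizationConfig).AuditDisabled) {
        throw 'Mailbox auditing is disabled at organisation level (Get-OrganizationConfig AuditDisabled). Fix that first.'
    }
    foreach ($mbx in Get-UserMailboxes) {
        # @{Add=...} appends; existing owner actions are kept, so this is safe to re-run.
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditOwner @{ Add = $OwnerActions }
    }
}

function Test-MailboxAuditingForAll {
    # Returns mailboxes that still lack auditing or any required owner action, and users with audit bypass set.
    $nonCompliant = foreach ($mbx in Get-UserMailboxes) {
        $gap = @($OwnerActions | Where-Object { $mbx.AuditOwner -notcontains $_ })
        if (-not $mbx.AuditEnabled -or $gap.Count -gt 0) {
            [pscustomobject]@{
                Mailbox             = $mbx.UserPrincipalName
                AuditEnabled        = $mbx.AuditEnabled
                MissingOwnerActions = ($gap -join ',')
            }
        }
    }
    # A bypass association silences auditing for that user whatever the mailbox says: surface them.
    $bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object AuditBypassEnabled
    [pscustomobject]@{
        NonCompliantMailboxes = @($nonCompliant)
        AuditBypassUsers      = @($bypass | ForEach-Object Name)
    }
}

Enable-MailboxAuditingForAll
$report = Test-MailboxAuditingForAll
$report.NonCompliantMailboxes | Format-Table -AutoSize   # should be empty after a successful run
$report.AuditBypassUsers                                  # each entry needs a justification
Disconnect-ExchangeOnline -Confirm:$false
```

Re-run Test-MailboxAuditingForAll from a scheduled job: new mailboxes are created with the tenant defaults, not with the owner actions added here, so the verification is what keeps the configuration honest over time.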
16. ADVANCED THREAT PROTECTION
OFFICE 365 ADVANCED THREAT PROTECTION: $2 per user/month at the time of writing (a paid add-on; Microsoft has since renamed it Microsoft Defender for Office 365).
17. ADVANCED THREAT PROTECTION
(Screenshot.)
18. CREATE ATP POLICIES
(Screenshot.)
19. CREATE ATP POLICIES
(Screenshot.)
20. DISABLE OWA BY DEFAULT
(Screenshot.) Disable Outlook Web Access for users who do not need it and enable it on request: a phished password is far more useful to an attacker when the mailbox can be reached from any browser, and OWA is where forwarding rules are most easily created.
21. REGULAR LOGS REVIEW
LOOK FOR UNUSUAL ACTIVITY AND UNEXPECTED SOURCE IP ADDRESSES, AT LEAST FOR KEY USERS (executives, finance, administrators).
22. LIMITATIONS
POTENTIAL TIMEZONE DIFFERENCE OF THE SERVER: audit log timestamps are in UTC, not in the tenant's or the investigator's local time; convert before building a timeline.
CLOUD ENVIRONMENT MEANS NO FULL ACCESS TO RAW DATA: you get what Microsoft's logs and exports expose, not server logs or disk images.
INFORMATION LIMITATION: the log records what Microsoft chose to audit, at the granularity Microsoft chose.
WEB REPORTS BUGS: verify portal reports against PowerShell output before relying on them.
ENABLE AUDIT LOGS (Not a default option!): nothing is recorded for the period before it was switched on.
NO OFFLINE LOGS BACKUP: the audit log is kept only for a limited retention period (90 days for most tenants when this deck was written), so export it regularly if you may need it later.
23. WHERE TO START
https://protection.office.com (Security & Compliance Center)
https://portal.office.com/adminportal
https://portal.azure.com
USE A GLOBAL ADMIN ACCOUNT OR GRANT ENOUGH ROLES/RIGHTS TO YOUR INVESTIGATION ACCOUNT (a dedicated investigation account holding the View-Only Audit Logs role is preferable to a shared Global Admin: the investigation itself then leaves a clean, attributable trail in the same log).
-> SECURITY & COMPLIANCE
-> REPORT DASHBOARD
-> SEARCH & INVESTIGATION
Microsoft has since moved these functions to the Microsoft 365 Defender portal (security.microsoft.com) and the Purview compliance portal; the old URLs redirect.
24. WHAT TO LOOK FOR?
MAIL FORWARDING RULES
Admin centers -> Exchange -> Mailboxes -> select mailbox / double click -> mailbox features -> mail flow -> view details
Not part of the audit logs! The audit log search has no dedicated "forwarding" event for this setting, so enumerate the current forwarding configuration on every mailbox (and the inbox rules) directly, and treat the Set-Mailbox and inbox-rule entries in the audit log as a cross-check, not as the source of truth.
AUDIT SEARCH FILTER: INTERESTING KEYWORDS
UserLoggedIn
New-InboxRule
Set-InboxRule
Set-Mailbox
IP ADDRESS AND IMPOSSIBLE LOGINS (the same account signing in from places it could not have travelled between in the time available)
SUSPICIOUS ACTIVITIES
SUSPICIOUS DATE AND TIME (remember the timestamps are UTC)
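The checks on this slide and the review routine from slide 21, as an added example that is not part of the deck (nor of the Forensic Lunch material it credits). The two triage functions run offline on four constructed sample records shaped like Search-UnifiedAuditLog output (one AuditData JSON string per record); Get-UalRecords and Get-ForwardingConfiguration need a live Connect-ExchangeOnline session. All UPNs, IP addresses and the trusted-network prefix are invented.

```powershell
# Added example (not the deck's code): triage for forwarding rules, suspicious logins and keyword hits.
$TrustedNetworks = @('203.0.113.')   # assumption: office egress prefix(es); sign-ins from elsewhere are flagged

function Get-UalRecords {
    # Live: pull the slide's keywords for the last $Days days. UAL timestamps are UTC.
    param([int]$Days = 30, [string[]]$Users)
    $q = @{ StartDate = (Get-Date).AddDays(-$Days); EndDate = Get-Date; ResultSize = 5000
            SessionCommand = 'ReturnLargeSet'
            Operations = 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' }
    if ($Users) { $q.UserIds = $Users }
    Search-UnifiedAuditLog @q
}

function Get-ForwardingConfiguration {
    # Live: forwarding that exists right now (mailbox-level and inbox rules), logged or not.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'") {
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox'
                               Target = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"; KeepsCopy = $mbx.DeliverToMailboxAndForward }
        }
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo; $rule.ForwardAsAttachmentTo; $rule.RedirectTo) | Where-Object { $_ }
            if ($targets) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = "Rule '$($rule.Name)'"
                                   Target = ($targets -join ';'); KeepsCopy = -not $rule.DeleteMessage }
            }
        }
    }
}

function Find-SuspiciousUalEvents {
    # Offline: flag the traces a credential compromise typically leaves in the audit log.
    param([object[]]$Records)
    $hits = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        $p = @{}
        foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }   # cmdlet parameters, Exchange records only
        $reason = switch ($d.Operation) {
            'UserLoggedIn' {
                if (-not ($TrustedNetworks | Where-Object { $d.ClientIP -like "$_*" })) { "sign-in from untrusted IP $($d.ClientIP)" }
            }
            { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
                $fwd = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage' | Where-Object { $p.ContainsKey($_) })
                $name = if ($p['Name']) { $p['Name'] } else { $p['Identity'] }
                if ($fwd) { "rule '$name' sets $($fwd -join '/') -> $($p[$fwd[0]])" }
            }
            'Set-Mailbox' {
                if ($p.ContainsKey('ForwardingSmtpAddress') -or $p.ContainsKey('ForwardingAddress')) {
                    "mailbox forwarding -> $($p['ForwardingSmtpAddress'])$($p['ForwardingAddress'])"
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{ TimeUtc = [datetime]$d.CreationTime; User = $d.UserId; Operation = $d.Operation
                               ClientIP = $d.ClientIP; Reason = $reason }
        }
    }
    @($hits)
}

function Find-ImpossibleLogins {
    # Offline: same user from two different IPs within $WindowMinutes. Without geolocation this is a crude
    # triage heuristic (a phone switching networks trips it too): treat hits as leads, not proof.
    param([object[]]$Records, [int]$WindowMinutes = 60)
    $logins = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -eq 'UserLoggedIn') { [pscustomobject]@{ User = $d.UserId; Time = [datetime]$d.CreationTime; IP = $d.ClientIP } }
    }
    $out = foreach ($grp in ($logins | Group-Object User)) {
        $seq = @($grp.Group | Sort-Object Time)
        for ($i = 1; $i -lt $seq.Count; $i++) {
            $gap = ($seq[$i].Time - $seq[$i - 1].Time).TotalMinutes
            if ($seq[$i].IP -ne $seq[$i - 1].IP -and $gap -le $WindowMinutes) {
                [pscustomobject]@{ User = $grp.Name; From = $seq[$i - 1].IP; To = $seq[$i].IP; Minutes = [int]$gap }
            }
        }
    }
    @($out)
}

# Constructed sample records (not real tenant data). The rule named "." that forwards and deletes is a
# pattern seen in business email compromise cases.
$SampleRecords = @(
    '{"CreationTime":"2018-07-20T03:12:44","Operation":"UserLoggedIn","UserId":"alice@contoso.com","ClientIP":"198.51.100.23","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2018-07-20T03:15:10","Operation":"New-InboxRule","UserId":"alice@contoso.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2018-07-20T03:40:02","Operation":"UserLoggedIn","UserId":"alice@contoso.com","ClientIP":"203.0.113.7","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2018-07-20T08:00:00","Operation":"UserLoggedIn","UserId":"bob@contoso.com","ClientIP":"203.0.113.9","ResultStatus":"Succeeded"}'
) | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

# Offline run on the samples; for a real case replace $SampleRecords with (Get-UalRecords -Users 'ceo@contoso.com').
Find-SuspiciousUalEvents -Records $SampleRecords | Format-Table -AutoSize
Find-ImpossibleLogins    -Records $SampleRecords | Format-Table -AutoSize
```

On the samples the first function flags alice's 03:12 sign-in from 198.51.100.23 and the "." rule forwarding to attacker@example.net; the second pairs that sign-in with her 03:40 sign-in from the office prefix, 28 minutes apart. Get-ForwardingConfiguration is the answer to the "not part of the audit logs" point: it reads the mailboxes themselves, so it finds forwarding that predates auditing being switched on.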
25. CREDITS
A LOT OF THE TIPS DISCUSSED TODAY COME FROM THE EXCELLENT "FORENSIC LUNCH" SHOW:
https://www.youtube.com/watch?v=WgRxPCofIrA
Presentation starts at 15 minutes in
Devon Ackerman, "Forensically sound incident response in Microsoft's Office 365"
HIGHLY RECOMMENDED!
26. ABOUT ELYSIUMSECURITY LTD.
© 2018 ElysiumSecurity Ltd. All Rights Reserved
www.elysiumsecurity.com
ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness throughout an organization.
ElysiumSecurity provides high level expertise gathered through years of best practices experience in large international companies, allowing us to provide advice best suited to your business operational model and priorities.
ElysiumSecurity provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements.
Operating in Mauritius and in the United Kingdom, our boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.
