OFFICE 365 SECURITY

1. {elysiumsecurity} OFFICE 365 SECURITY Version: 1.2a Date: 25/07/2018 Author: Sylvain Martinez Reference: ESC9-MUSCL Classification: Public cyber protection & response

2. {elysiumsecurity} cyber protection & response 2 FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT • What is Office 365? • Misconception • Dual Factor Authentication; • Enable Audit Logs; • Review Email Protection Settings; • Admin as a Separate User; • Limit Usage of Admin Account; • Microsoft Security Score. • Enforce Dual Factor Authentication; • Enable Advanced Audit Logs; • Advanced Threat Protection; • Create ATP Policies; • Disable OWA by default; • Regular Log Reviews; • Limitations; • Where to start? • What to look for? CONTENTS Public

3. {elysiumsecurity} cyber protection & response 3 WHAT IS OFFICE 365 Public EXCEL, WORD, POWERPOINT, OUTLOOK/EMAIL STARTED IN 2010 INTEGRATES WITH AZURE ACTIVE DIRECTORY MICROSOFT CLOUD OFFERING FOR OFFICE TOOLS Icons from the noun project unless specified otherwise FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

4. {elysiumsecurity} cyber protection & response 4 MISCONCEPTION Public NO NEED FOR EXTRA SECURITY CONFIGURATION PHISHING ATTACKS AND CREDENTIALS COMPROMISE ARE NOT POSSIBLE HOSTED MY MICROSOFT SO IT CANNOT BE HACKED MANY SECURITY FEATURES TURNED OFF BY DEFAULT RISK CAN BE REDUCED BUT NOT REMEDIATED COMPLETELY THERE IS NO SUCH A THING AS A 100% SECURE SYSTEM FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

5. {elysiumsecurity} cyber protection & response 5 OVERVIEW Public ENABLE DUAL FACTOR AUTHENTICATION ENABLE AUDIT LOGS REVIEW EMAIL PROTECTION SETTINGS SET YOUR ADMIN ACCOUNT AS A SEPARATE USER LIMIT USE OF ADMIN/ENTERPRISE ACCOUNT LOOK AT YOUR SECURITY SCORE FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

6. {elysiumsecurity} cyber protection & response 6 DUAL FACTOR AUTHENTICATION Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

7. {elysiumsecurity} cyber protection & response 7 ENABLE AUDIT LOGS Public Images from slashadmin.co.uk FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

8. {elysiumsecurity} cyber protection & response 8 REVIEW EMAIL PROTECTION SETTINGS Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

9. {elysiumsecurity} cyber protection & response 9 ADMIN AS A SEPARATE USER Public STATUS: UNLICENSED NO NEED FOR MAILBOX NO NEED TO LOGON TO DOMAIN ONLY NEED TO LOGON TO ADMIN PORTAL FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

10. {elysiumsecurity} cyber protection & response 10 LIMIT USAGE OF ADMIN ACCOUNT Public Images from Dreamstime NO HUMAN RISK NO HUMAN ERRORS = FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

11. {elysiumsecurity} cyber protection & response 11 MICROSOFT SECURITY SCORE Public SECURITY COMPLIANCE HOME & https://securescore.microsoft.com FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

12. {elysiumsecurity} cyber protection & response 12 OVERVIEW Public ENFORCE DUAL FACTOR AUTHENTICATION FOR ALL USERS ENABLE ADVANCED AUDIT LOGS INSTALL ADVANCED THREAT PROTECTION CREATE ATP POLICIES DISABLE OUTLOOK WEB ACCESS BY DEFAULT REGULAR LOGS REVIEW FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

13. {elysiumsecurity} cyber protection & response 13 ENFORCE DUAL FACTOR AUTHENTICATION Public https://blogs.technet.microsoft.com/office365/2015/08/25/powershell- enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/ FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

14. {elysiumsecurity} cyber protection & response 14 ENABLE ADVANCED AUDIT LOGS Public READY? DONE? FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT START POWERSHELL AS ADMIN1 Set-ExecutionPolicy RemoteSigned2 $UserCredential = Get-Credential3 NO MFA! $Session = New-PSSession – ConfigurationName Microsoft.Exchange – ConnectionUri https://outlook.office365.com/powershell- liveid/ -Credential $UserCredential – Authentication Basic -AllowRedirection 4 Import-PSSession $Session5 CHECK STATUSGet-Mailbox ”myname"| FL Audit*6 CHECK STATUS FOR ALL USERS Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit* 7 ENABLE LOGS FOR ALL USERS Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true 8 BY DEFAULT ONLY UPDATEFOLDERPERMISSION IS ENABLED FOR NORMAL USERS. 9

15. {elysiumsecurity} cyber protection & response 15 ENABLE ADVANCED AUDIT LOGS Public Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set- Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete ", " Create", "Move", "MoveToDeletedItems"} https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365- aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT 10

16. {elysiumsecurity} cyber protection & response 16 ADVANCED THREAT PROTECTION Public OFFICE 365 ADVANCED THREAT PROTECTION $2 user/month FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

17. {elysiumsecurity} cyber protection & response 17 ADVANCED THREAT PROTECTION Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

18. {elysiumsecurity} cyber protection & response 18 CREATE ATP POLICIES Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

19. {elysiumsecurity} cyber protection & response 19 CREATE ATP POLICIES Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

20. {elysiumsecurity} cyber protection & response 20 DISABLE OWA BY DEFAULT Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

21. {elysiumsecurity} cyber protection & response 21 REGULAR LOGS REVIEW Public LOOK FOR UNUSUAL ACTIVITIES AND IP SOURCE FOR KEY USERS FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

22. {elysiumsecurity} cyber protection & response 22 LIMITATION Public POTENTIAL TIMEZONE DIFFERENCE OF THE SERVER CLOUD ENVIRONMENT MEANS NO FULL ACCESS TO RAW DATA INFORMATION LIMITATION WEB REPORTS BUGS ENABLE AUDIT LOGS (Not a default option!) NO OFFLINE LOGS BACKUP FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

23. {elysiumsecurity} cyber protection & response 23 WHERE TO START Public https://protection.office.com https://portal.office.com/adminportal https://portal.azure.com USE A GOBAL ADMIN ACCOUNT OR PROVIDE ENOUGH ROLES/RIGHT TO YOUR INVESTIGATION ACCOUNT -> SECURITY & COMPLIANCE -> REPORT DASHBOARD -> SEARCH & INVESTIGATION FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

24. {elysiumsecurity} cyber protection & response 24 WHAT TO LOOK FOR? Public MAIL FORWARDING RULES ADMIN CENTERS -> EXCHANGE -> MAILBOXES -> Select mailbox / double click -> mail box feature -> mailflow -> view details Not part of the Audit Logs! AUDIT SEARCH FILTER INTERESTING KEYWORDS UserLoggedIn New-Inboxrule Set-InboxRule Set-Mailbox IP ADDRESS AND IMPOSSIBLE LOGINS SUSPICIOUS ACTIVITIES SUSPICIOUS DATE AND TIME FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT

25. {elysiumsecurity} cyber protection & response A LOT OF THE TIPS DISCUSSED TODAY COME FROM THE EXCELLENT “FORENSIC LUNCH” SHOW: https://www.youtube.com/watch?v=WgRxPCofIrA Presentation starts at 15 minutes in Devon Ackerman “Forensically sound incident response in Microsoft’s Office 365” HIGHLY RECOMMENDED!

26. {elysiumsecurity} cyber protection & response © 2018 ElysiumSecurity Ltd. All Rights Reserved www.elysiumsecurity.com ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness through an organization. ElysiumSecurity provides high level expertise gathered through years of best practices experience in large international companies allowing us to provide advice best suited to your business operational model and priorities. ABOUT ELYSIUMSECURITY LTD. ElysiumSecurity provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. Operating in Mauritius and in the United Kingdom, our boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.

OFFICE 365 SECURITY

Related Books

Free with a 30 day trial from Scribd

Related Audiobooks

Free with a 30 day trial from Scribd