Some hidden security features ever office 365 admin should know about! as well as some best practises to secure your office 365 environment!

1. {elysiumsecurity}
OFFICE 365 SECURITY
Version: 1.2a
Date: 25/07/2018
Author: Sylvain Martinez
Reference: ESC9-MUSCL
Classification: Public
cyber protection & response

2. {elysiumsecurity}
cyber protection & response
2
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
• What is Office 365? • Misconception • Dual Factor
Authentication;
• Enable Audit Logs;
• Review Email
Protection Settings;
• Admin as a Separate
User;
• Limit Usage of Admin
Account;
• Microsoft Security
Score.
• Enforce Dual Factor
Authentication;
• Enable Advanced
Audit Logs;
• Advanced Threat
Protection;
• Create ATP Policies;
• Disable OWA by
default;
• Regular Log Reviews;
• Limitations;
• Where to start?
• What to look for?
CONTENTS
Public

3. {elysiumsecurity}
cyber protection & response
3
WHAT IS OFFICE 365
Public
EXCEL, WORD, POWERPOINT,
OUTLOOK/EMAIL
STARTED IN 2010
INTEGRATES WITH AZURE ACTIVE
DIRECTORY
MICROSOFT CLOUD OFFERING
FOR OFFICE TOOLS
Icons from the noun project unless specified otherwise
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

4. {elysiumsecurity}
cyber protection & response
4
MISCONCEPTION
Public
NO NEED FOR EXTRA SECURITY
CONFIGURATION
PHISHING ATTACKS AND
CREDENTIALS COMPROMISE ARE
NOT POSSIBLE
HOSTED MY MICROSOFT SO IT
CANNOT BE HACKED
MANY SECURITY FEATURES
TURNED OFF BY DEFAULT
RISK CAN BE REDUCED BUT NOT
REMEDIATED COMPLETELY
THERE IS NO SUCH A THING AS A
100% SECURE SYSTEM
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

5. {elysiumsecurity}
cyber protection & response
5
OVERVIEW
Public
ENABLE DUAL FACTOR
AUTHENTICATION
ENABLE AUDIT LOGS
REVIEW EMAIL PROTECTION
SETTINGS
SET YOUR ADMIN ACCOUNT AS A
SEPARATE USER
LIMIT USE OF ADMIN/ENTERPRISE
ACCOUNT
LOOK AT YOUR SECURITY SCORE
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

6. {elysiumsecurity}
cyber protection & response
6
DUAL FACTOR AUTHENTICATION
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

7. {elysiumsecurity}
cyber protection & response
7
ENABLE AUDIT LOGS
Public Images from slashadmin.co.uk
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

8. {elysiumsecurity}
cyber protection & response
8
REVIEW EMAIL PROTECTION SETTINGS
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

9. {elysiumsecurity}
cyber protection & response
9
ADMIN AS A SEPARATE USER
Public
STATUS: UNLICENSED
NO NEED FOR MAILBOX
NO NEED TO LOGON TO DOMAIN
ONLY NEED TO LOGON TO ADMIN PORTAL
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

10. {elysiumsecurity}
cyber protection & response
10
LIMIT USAGE OF ADMIN ACCOUNT
Public Images from Dreamstime
NO HUMAN RISK
NO HUMAN ERRORS =
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

11. {elysiumsecurity}
cyber protection & response
11
MICROSOFT SECURITY SCORE
Public
SECURITY COMPLIANCE HOME &
https://securescore.microsoft.com
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

12. {elysiumsecurity}
cyber protection & response
12
OVERVIEW
Public
ENFORCE DUAL FACTOR
AUTHENTICATION FOR ALL USERS
ENABLE ADVANCED AUDIT LOGS
INSTALL ADVANCED THREAT
PROTECTION
CREATE ATP POLICIES
DISABLE OUTLOOK WEB ACCESS
BY DEFAULT
REGULAR LOGS REVIEW
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

13. {elysiumsecurity}
cyber protection & response
13
ENFORCE DUAL FACTOR AUTHENTICATION
Public
https://blogs.technet.microsoft.com/office365/2015/08/25/powershell-
enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

14. {elysiumsecurity}
cyber protection & response
14
ENABLE ADVANCED AUDIT LOGS
Public
READY?
DONE?
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
START POWERSHELL AS ADMIN1
Set-ExecutionPolicy RemoteSigned2
$UserCredential = Get-Credential3
NO
MFA!
$Session = New-PSSession –
ConfigurationName Microsoft.Exchange –
ConnectionUri
https://outlook.office365.com/powershell-
liveid/ -Credential $UserCredential –
Authentication Basic -AllowRedirection
4
Import-PSSession $Session5
CHECK
STATUSGet-Mailbox ”myname"| FL Audit*6
CHECK
STATUS FOR
ALL USERS
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} |
FL Name,Audit*
7
ENABLE
LOGS FOR
ALL USERS
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} |
Set-Mailbox -AuditEnabled $true
8
BY DEFAULT ONLY
UPDATEFOLDERPERMISSION IS ENABLED
FOR NORMAL USERS.
9

15. {elysiumsecurity}
cyber protection & response
15
ENABLE ADVANCED AUDIT LOGS
Public
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} | Set-
Mailbox -AuditOwner
@{Add="MailboxLogin","HardDelete","SoftDelete
", " Create", "Move", "MoveToDeletedItems"}
https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-
aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
10

16. {elysiumsecurity}
cyber protection & response
16
ADVANCED THREAT PROTECTION
Public
OFFICE 365
ADVANCED
THREAT
PROTECTION
$2 user/month
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

17. {elysiumsecurity}
cyber protection & response
17
ADVANCED THREAT PROTECTION
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

18. {elysiumsecurity}
cyber protection & response
18
CREATE ATP POLICIES
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

19. {elysiumsecurity}
cyber protection & response
19
CREATE ATP POLICIES
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

20. {elysiumsecurity}
cyber protection & response
20
DISABLE OWA BY DEFAULT
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

21. {elysiumsecurity}
cyber protection & response
21
REGULAR LOGS REVIEW
Public
LOOK FOR UNUSUAL ACTIVITIES AND IP SOURCE
FOR KEY USERS
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

22. {elysiumsecurity}
cyber protection & response
22
LIMITATION
Public
POTENTIAL TIMEZONE
DIFFERENCE OF THE SERVER
CLOUD ENVIRONMENT MEANS
NO FULL ACCESS TO RAW DATA
INFORMATION LIMITATION
WEB REPORTS BUGS
ENABLE AUDIT LOGS
(Not a default option!)
NO OFFLINE LOGS BACKUP
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

23. {elysiumsecurity}
cyber protection & response
23
WHERE TO START
Public
https://protection.office.com
https://portal.office.com/adminportal
https://portal.azure.com
USE A GOBAL ADMIN ACCOUNT OR
PROVIDE ENOUGH ROLES/RIGHT TO
YOUR INVESTIGATION ACCOUNT
-> SECURITY & COMPLIANCE
-> REPORT DASHBOARD
-> SEARCH & INVESTIGATION
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

24. {elysiumsecurity}
cyber protection & response
24
WHAT TO LOOK FOR?
Public
MAIL FORWARDING RULES
ADMIN CENTERS -> EXCHANGE -> MAILBOXES -> Select mailbox /
double click -> mail box feature -> mailflow -> view details
Not part of the Audit Logs!
AUDIT SEARCH FILTER INTERESTING KEYWORDS
UserLoggedIn
New-Inboxrule
Set-InboxRule
Set-Mailbox
IP ADDRESS AND IMPOSSIBLE LOGINS
SUSPICIOUS ACTIVITIES
SUSPICIOUS DATE AND TIME
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT

25. {elysiumsecurity}
cyber protection & response
A LOT OF THE TIPS DISCUSSED TODAY COME FROM THE EXCELLENT
“FORENSIC LUNCH” SHOW:
https://www.youtube.com/watch?v=WgRxPCofIrA
Presentation starts at 15 minutes in
Devon Ackerman
“Forensically sound incident response in Microsoft’s Office 365”
HIGHLY RECOMMENDED!

26. {elysiumsecurity}
cyber protection & response
© 2018 ElysiumSecurity Ltd.
All Rights Reserved
www.elysiumsecurity.com
ElysiumSecurity provides practical expertise to identify
vulnerabilities, assess their risks and impact, remediate
those risks, prepare and respond to incidents as well as raise
security awareness through an organization.
ElysiumSecurity provides high level expertise gathered
through years of best practices experience in large
international companies allowing us to provide advice best
suited to your business operational model and priorities.
ABOUT ELYSIUMSECURITY LTD.
ElysiumSecurity provides a portfolio of Strategic and Tactical
Services to help companies protect and respond against Cyber
Security Threats. We differentiate ourselves by offering discreet,
tailored and specialized engagements.
Operating in Mauritius and in the United Kingdom,
our boutique style approach means we can easily adapt to your
business operational model and requirements to provide a
personalized service that fits your working environment.