{"id":2349,"date":"2019-01-21T10:26:43","date_gmt":"2019-01-21T10:26:43","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=1843"},"modified":"2023-04-05T13:58:56","modified_gmt":"2023-04-05T08:28:56","slug":"best-practices-to-harden-office-365","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/best-practices-to-harden-office-365\/","title":{"rendered":"Best Practices to Harden Office 365"},"content":{"rendered":"


\nHere are some best practices to harden office 365 and ensure your data remains protected.<\/strong><\/p>\n

1. Password Policy<\/strong><\/h3>\n

It is always recommended to use a strong password policy to help secure the data and service access. In
\nOffice 365 for cloud-only users and active directory synced users, passwords expire after 90 days by
\ndefault.<\/p>\n

 <\/p>\n

2. Single Sign-On<\/strong><\/h3>\n

Single sign-on is convenient as well as allows password policies to be managed in a centralized place.
\nMicrosoft offers its own single sign-on solution, Azure Active Directory, which allows users to log in using the same password as they do for on premises Microsoft products, as well as cloud products from other providers.<\/p>\n

 <\/p>\n

3. Use Multi-Factor Authentication (MFA)<\/strong><\/h3>\n

Multi-factor authentication makes it more difficult for a third party to gain access to an account by
\nrequiring an additional authentication measure after submitting the username and password. The
\nsecondary authentication methods supported by Office 365 include the use of mobile app notification, a one-time password generated by a mobile app or sent to the user via a phone call or SMS text message, and per-app passwords used with clients such as Outlook. Some of the MFA solutions are Azure AD, Okta, One Login, Ping Identity, and Centrify.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/admin\/security-and-compliance\/set-upmulti-factor-authentication?view=o365-worldwide<\/p>\n

 <\/p>\n

4. Configure Data Loss Prevention (DLP)<\/strong><\/h3>\n

A data loss prevention strategy ensures that confidential or personal data can’t be uploaded, shared or
\nemailed. DLP is available in SharePoint Online and Exchange and can also be integrated into Enterprise
\nSearch. With this, create policies to restrict content being saved to certain locations, such as One Drive
\nfor Business and SharePoint Online sites.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/data-loss-preventionpolicies<\/p>\n

 <\/p>\n

5. Turn on Office 365 Cloud App Security<\/strong><\/h3>\n

Set up alerts with Office 365 Cloud App Security help admins can review unusual or risky user activity,
\nsuch as downloading large amounts of data, multiple failed sign-in attempts, or sign-ins from an
\nunknown or dangerous IP address. Organizations with an Office 365 Enterprise E5 plan can start using
\nOffice 365 Cloud App Security right away.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/turn-on-office-365-cas<\/a><\/p>\n

 <\/p>\n

6. IP Filtering<\/strong><\/h3>\n

To reduce the risk of account compromise is to disallow extranet access to corporate cloud services such as Office 365. If an attacker were to obtain an account credential, they would be unable to successfully log into the account, unless he or she is on the corporate network or accessing via virtual private network (VPN). Microsoft supports IP filtering, referred to variously as \u201cIP Whitelist\u201d and \u201cTrusted IPs,\u201d for customers using either Azure Active Directory or federating user identity with their on-premises Active Directory.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/configure-theconnection-filter-policy<\/p>\n

 <\/p>\n

7. Configure Alert Policies<\/strong><\/h3>\n

Creating alert policies in Office 365\u2019s Compliance center can assist in meeting organization\u2019s data
\nsecurity obligations. For example, alerts can warn about sharing confidential information anytime about
\nemail contacts that aren\u2019t listed as authenticated in the organization\u2019s network. These preemptive
\nnotices can educate employees on data sharing best practices and prevent data leaks. Office 365 offers
\nseveral built-in alert policies that help determine permissions abuse, data governance risks, and
\nmalware risks.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/alert-policies<\/a><\/p>\n

 <\/p>\n

8. Office 365 Message Encryption<\/strong><\/h3>\n

Message encryption allows to send a message to a recipient encrypted. The recipient receives an email
\nwith a link to a page on a download portal, where users authenticate using their Office login or a onetime passcode to view the message. To use Office 365 Message Encryption (OME), organization must include an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/ome<\/a><\/p>\n

 <\/p>\n

9. Use S\/MIME Protocol to Secure Connection to the Server and Prevent Data Interception<\/strong><\/h3>\n

Unlike message encryption, which is based on policies defined by an administrator, S\/MIME is controlled by the end user, who decides whether to use it. While message encryption is browser-based, and requires no client software or certificates, S\/MIME uses certificates to digitally sign and optionally encrypt the email content itself. Digitally signing the email ensures that the message content is what the sender originally wrote, and that the message hasn\u2019t been altered or tampered with. S\/MIME requires users to access their email through a client like Outlook, not a web browser.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/email-encryption<\/a><\/p>\n

 <\/p>\n

10. Mobile Device Management (MDM)<\/strong><\/h3>\n

Office 365 has built in mobile device management that is available for both Office 365 for Business and
\nOffice 365 Enterprise. If employees use company-owned devices, admins are able to manage and
\nrevoke access to important data when needed.
\nReference URL: https:\/\/support.office.com\/en-us\/article\/set-up-mobile-device-management-mdm-inoffice-365-dd892318-bc44-4eb1-af00-9db5430be3cd<\/a><\/p>\n

 <\/p>\n

11. Office Client Deployment<\/strong><\/h3>\n

Office client deployment keeps client versions of Office up to date through the latest security updates.
\nThere is a lot of flexibility regarding updates, for example; can opt in to feature and bug fixes quarterly.
\nAlso control the Office deployments using an XML-based deployment process called Click2Run (available on Office 365 Pro Plus plans only).
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/deployoffice\/overview-of-the-office-2016-deployment-tool<\/a><\/p>\n

 <\/p>\n

12. Sharing Content<\/strong><\/h3>\n

The admin portal offers the option to enable or disable content sharing which allows the admin to turn
\nsharing on or off for different apps within Office 365, including Sites, Calendar, Skype for Business and
\nIntegrated Apps. Reports are available that show what has been shared with whom, and admin can
\nrevoke sharing directly from the admin center without needing to go directly into the app\u2019s settings.
\nReference URL: https:\/\/support.office.com\/en-us\/article\/manage-sharing-with-external-users-in-office-365-small-business-2951a85f-c970-4375-aa4f-6b0d7035fe35<\/a><\/p>\n

 <\/p>\n

13. Use Office 365 Secure Score and Compare Security<\/strong><\/h3>\n

Secure Score is a security analytics tool that recommends on what can do to further reduce risk. Secure
\nScore looks at the Office 365 settings and activities and compares them to a baseline established by
\nMicrosoft. A score is then provided based on the settings and is re-evaluated in an on-going basis.
\nNote: Settings should be carefully reviewed and exceptions may need to be made to not disrupt mail
\nflow for legitimate emails which are being spoofed intentionally.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-securescore<\/p>\n

 <\/p>\n

14. Enable Mailbox Auditing<\/strong><\/h3>\n

In Office 365, administrators should enable mailbox audit logging to record mailbox access activity. By
\ndefault, mailbox auditing is disabled. Once audit logging is enabled, the audit log can be searched for
\nmailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by
\nadministrators, delegates, and owners are logged by default.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/enable-mailboxauditing<\/p>\n

 <\/p>\n

15. Configure DMARC and SPF Records to Validate Email<\/strong><\/h3>\n

Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) with SPF
\n(Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is recommended. These features
\nprovide an additional layer of protection against spoofing and phishing emails. They can also help to
\nreduce the risk of business email compromise attacks. DMARC settings will tell the Exchange servers
\nwhat to do with messages that were transmitted with the organization\u2019s domain that fail SPF or DKIM
\nvalidation checks. A DMARC TXT Record also helps to prevent spoofing and phishing attacks by verifying the IP address of an email’s author against the alleged owner of the sending domain It is highly recommended the DMARC settings are reviewed and deployed with careful consideration such not to disrupt intended mail flow.
\nReference URL:https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/use-dmarc-to-validateemail<\/p>\n

 <\/p>\n

16. Define Data Exfiltration Rule Restrictions<\/strong><\/h3>\n

Business email compromise can result in attackers configuring mailbox forwarding rules to send a copy
\nof email outside of the organization to a 3rd party email domain. Users may also desire to send copies of
\nemails to personal email accounts. These forwards reduce the overall security of the organization. A rule can be created in the Exchange Admin Center to reject any messages and include an explanation that client forwarding rules to external domains are not permitted. This rule can be defined if a message is sent \u2018outside the organization\u2019 and the message type is \u2018auto-forward\u2019 and the email is received from \u2018inside the organization.\u2019 It may also be beneficial to configure alert definitions based on these conditions to ensure an account was not compromised. An alert definition can be defined while creating the rule to email a notification to the defined contact upon triggering.<\/p>\n

 <\/p>\n

17. Changing Anti-Spoofing Settings<\/strong><\/h3>\n

To create or update the (cross-domain) anti-spoofing settings, navigate to the Anti-phishing > Antispoofing settings under the Threat Management > Policy tab in the Security & Compliance Center.
\nReference URL: https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/anti-spoofingprotection<\/p>\n

 <\/p>\n

18. Use Office 365 Advanced Threat Protection<\/strong><\/h3>\n

Office 365 Advanced Threat Protection (ATP) helps to protect the organization from malicious attacks by scanning email attachments for malware with ATP Safe Attachments. It helps protect against unknown malware and viruses by providing robust zero-day protection and includes features to safeguard from harmful links in real time. It can perform the following tasks:<\/p>\n