The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic.
CISA warns that it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers.
"In recent weeks, organizations have been forced to change their collaboration methods to support a full 'work from home' workforce," CISA notes in the new alert.
"O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy."
CISA's new advice is similar to an alert it issued last year after seeing contractors deploy O365 with poor security configurations. The document contains links to Microsoft's relevant best-practice documents for secure configuration of Azure AD and Office 365.
The first thing organizations need to do is lock down Azure Active Directory (AD) Global Administrator accounts in Office 365 with multi-factor authentication (MFA).
This is the account used to set up other accounts and it holds the highest privileges, equivalent to a domain administrator in an on-premises AD environment. MFA isn't enabled by default for this account, so admins need to actively enable it.
CISA points to Microsoft's Security Defaults, released in January to help organizations secure their accounts to the same level that Microsoft protects consumer accounts from attacks like password spraying and phishing.
The tool helps ensure administrators use MFA. Microsoft earlier this year revealed that 99.9% of compromised accounts don't use MFA and that only 11% of enterprises had enabled MFA.
"If not immediately secured, an attacker can compromise these cloud-based [admin] accounts and maintain persistence as a customer migrates users to O365," CISA warned.
CISA says the Global Administrator account should only be used when "absolutely necessary" and that it's important to assign administrator roles using role-based access control.
"Using Azure AD's numerous other built-in administrator roles instead of the Global Administrator account can limit assigning of overly permissive privileges to legitimate administrators. Practicing the principle of 'least privilege' can greatly reduce the impact if an administrator account is compromised," CISA notes.
CISA recommends that admins enable Unified Audit Log in the Security and Compliance Center to assist incident investigations. The Audit Log contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other Office 365 services.
The agency also recommends enabling MFA for all users, even if they don't have elevated permissions. Additionally, admins should disable legacy protocols, especially those that don't support MFA, such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP).
However, CISA acknowledges that these protocols can't simply be switched off if an older email client still requires them. It recommends that organizations conduct an inventory of users who need to use a legacy email client and restrict access to those protocols to only those users.
"Taking this step will greatly reduce an organization's attack surface," CISA says.
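One way to carry out the inventory-then-restrict step described above, as an added example that is not from the CISA alert or the article. It assumes the ExchangeOnlineManagement PowerShell module, an allow-list CSV named legacy-clients.csv with a UserPrincipalName column, and a policy name of 'Block Basic Auth'; all three are hypothetical choices for this example.

```powershell
# Added example (not CISA's or the article's own code): inventory mailboxes that still
# accept POP3/IMAP, keep those protocols only for users on an allow-list, and make
# "block Basic auth" the tenant default so new mailboxes are covered automatically.
# Assumes: ExchangeOnlineManagement module; legacy-clients.csv (column UserPrincipalName)
# listing the users whose older mail clients genuinely need legacy protocols.
param(
    [string]$AllowListCsv = '.\legacy-clients.csv',   # hypothetical allow-list file
    [switch]$DryRun                                    # pass -DryRun to only report
)

Connect-ExchangeOnline

# 1. Make sure the Unified Audit Log is being populated before changing anything,
#    so the configuration changes made here are themselves recorded.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Inventory: every mailbox where POP3 or IMAP is still switched on.
$legacyEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$legacyEnabled | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled |
    Export-Csv -NoTypeInformation -Path '.\legacy-protocol-inventory.csv'

# 3. Users who actually need a legacy client keep the protocols; everyone else
#    has POP3, IMAP and SMTP AUTH turned off at the mailbox level.
$allowed = @{}
if (Test-Path $AllowListCsv) {
    Import-Csv $AllowListCsv |
        ForEach-Object { $allowed[$_.UserPrincipalName.ToLower()] = $true }
}
foreach ($mbx in $legacyEnabled) {
    if ($allowed.ContainsKey($mbx.PrimarySmtpAddress.ToString().ToLower())) { continue }
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled $true -WhatIf:$DryRun
}

# 4. Tenant default: an authentication policy that allows no Basic auth at all.
#    A policy created with no -AllowBasicAuth* switches blocks every Basic auth protocol.
if (-not (Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth' -WhatIf:$DryRun

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with -DryRun to review legacy-protocol-inventory.csv and the -WhatIf output before letting it change any mailbox.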
Finally, CISA recommends using Microsoft's Secure Score tool, which is designed to measure an organization's security posture for Office 365, and integrating the Unified Audit Log with a SIEM tool.