Security in Obscurity
A thought by Jeff Stein
Securing Microsoft O365: Accessing Services (Part 1)
This thought focuses on securing Microsoft O365 through service access, February 2020
For many companies Microsoft O365 has afforded them the ability to not only shift their traditional on premise infrastructure to the cloud but shift entirely away from an infrastructure model to embrace a software-as-a-service (SAAS) model. And while the SAAS model and O365 specifically can greatly reduce the internal dependencies on securing your email or collaboration environment, the shared security model still does place some onus on a company to secure their O365 tenant. This thought is a part of a multi-part series on securing Microsoft O365 including:
Accessing Services
Exchange Online
SharePoint Online
Accessing Services
When accessing the capabilities of your O365 environment it is important to understand that the feature set at your fingertips will really depend upon your licensing level of O365. There are a number of tiers that Microsoft offers in their enterprise offering and in particular in some of the lower tier levels your mileage will vary with the feature set abilities to secure your O365 tenant. A listing breaking down Microsoft's offering on their licensing levels can be found below:
| Office 365 ProPlus | Office 365 E1 | Office 365 E3 | Office 365 E5 |
|---|---|---|---|
| Enterprise Edition of Office apps plus cloud-based storage and sharing. Business email is not included. | Business services such as email, file storage and sharing. Office apps are not included. | All the features included in the previous versions plus security and compliance features. | All of the features of E3 plus advanced security, analytics and voice capabilities. |
Because the security and compliance features begin at the E3 level of O365 the information included in this though will focus on the E3 level as a sweet spot for looking at how to secure O365.
Additionally it is important to understand the design of O365. Depending upon your subscription level you will have access to a number of different services. A service might be Exchange Online if you are using O365 for email or SharePoint Online if you are using either SharePoint or OneDrive for document storage and collaboration. Each service has a strong relationship but can function independently in many ways. All of your services will sit inside of your O365 tenant which represents your account for O365. While much of the security hardening will be focused at the individual service level there are some core pieces related to access of O365 that will take place at the tenant level rather than the O365 service level.
Tenant Configuration
The main item configurable at the tenant level is authentication for most services. Most other configuration items are done from a service standpoint. Credentials will go to the Microsoft tenant and authorize, typically through Azure AD, however depending on any existing on premise requirements this could also include Active Directory Federated Services (ADFS). Important to note is that if you are utilizing conditional access that authentication will be performed prior to any of your conditional access policies. Another exception to this rule is if you are leveraging basic authentication for legacy mail protocols with Exchange Online such as POP3 or IMAP (which I strongly recommend you disable from a security perspective) this authentication will bypass the Microsoft tenant and be authenticated by Exchange Online.
Conditional Access
Conditional access can be leveraged in your O365 tenant to grant specific access based on if-then statements. The feature can also be leveraged to deny access which would be the most restrictive option. The feature lives in Azure AD so even if you are using ADFS with your on premise Active Directory environment you will still configure Azure AD with your tenant to be able to leverage conditional access. The feature can be accessed from the Azure portal and by navigating to Azure Active Directory - Security - Conditional Access.
Using conditional access you can create policies for many of your services such as Exchange Online and tie in requirements for your mobile devices leveraging Intune. Important to remember is what I mentioned previously, which is that conditional access policies you have created will be applied post authentication. This means that conditional access can not be used as a means to secure O365 authentication. It will not protect your O365 users against password spraying attacks and if you have basic authentication enabled on your tenant you can not use conditional access polices as a compensating control to mitigate risk of basic authentication being exploited.
Below is a table recommending some access conditions you should consider applying to your O365 services when performing security hardening.
| Policy | Purpose |
|---|---|
| Permit hybrid Azure AD joined devices to make desktop client and browser-based connections without any additional authentication beyond user credentials | This can be a base policy for domain joined machines to access O365 as if the service was on premise infrastructure |
| Permit Intune enrolled macOS devices to make desktop client and browser-based connections without any additional authentication beyond user credentials | This will allow your mac devices to join similar to your windows laptops |
| Permit devices connecting from a known network location to make desktop client and browser-based connections without any additional authentication beyond user credentials | Rather than from a device perspective, this will allow your office networks to connect to O365 as if the service was on premise infrastructure |
| Permit Intune enrolled personal electronic devices to make mobile app, browser-based, and ActiveSync connections without any additional authentication beyond user credentials | This can be used for your MDM controlled devices using Intune |
| Permit untrusted devices to make browser-based connections if user provides a second authentication factor via Azure Authenticator | Allows untrusted devices such as a partner or employees personal system to access the tenant if they have MFA setup |
| Deny desktop client, mobile app, and ActiveSync connections from untrusted devices in unknown network locations | Your deny all policy that will deny all other systems if they do not meet the above requirements |
O365 hardening can offer your organization the ability to lock down your environment from undesired access in accordance with the shared service cloud model. When looking at your tenant the main area you will need to consider hardening will be access and authentication. By leveraging conditional access you can also provided added security rigor to your O365 services while still providing an exceptional user experience to your client base.
Resources Consulted
[1] Powerful tools to support your enterprise (n.d.). Retrieved from Article Link
[2] Set up conditional access policies (n.d.). Retrieved from Article Link
Tags
Security Vulnerabilities WAF Malware Policies PowerShell Python Splunk Cloud O365 PKI Firewall Access Control Vulnerability Management
