Securing Office 365 with better configuration

Update Announcement:

As of April 2024: Microsoft has released comprehensive configuration guidance for UK government and public sector organizations on safeguarding OFFICIAL data within their SaaS applications. Since the security needs for OFFICIAL information closely align with those of large UK private companies, this blueprint may also benefit organizations in the private sector. For further details about this guidance, please visit GOV.UK: https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government.

Should you have any questions regarding best practices for securing your data in a SaaS application like Microsoft 365, take a look at our guidance on Using SaaS securely and reach out to your chosen vendor.

Please note that from April 2024, this blog will no longer be updated.

Earlier Update – October 2023: Microsoft released a set of configuration guides tailored for UK government and public sector organizations. More information about this guidance can be found on GOV.UK: https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government

Last December, we released an advisory that detailed protective measures for Office 365 accounts against credential-stealing attacks, which we were observing frequently.

We firmly believe that everyone with an Office 365 account should prioritize the security recommendations outlined in this advisory. From small businesses to large enterprises, implementing measures like Multi-factor Authentication (MFA) should be regarded as essential.

This blog post provides a background on these recommendations and introduces essential new security guidance published by Microsoft.


The Growing Cloud Environment

Cloud computing adoption by businesses is rapidly increasing. To illustrate this growth, EuroStat reported that 42% of UK enterprises relied on cloud computing services in 2018, compared to only 24% in 2014.

Regular readers might not be surprised to know that cyber attackers are closely following this trend, shifting their focus to cloud environments. They continue to employ established techniques like password guessing and phishing schemes to launch their attacks.

The widespread adoption of Office 365 across organizations of varying sizes has made it a prime target. Our advisory, alongside Microsoft’s guidance, aims to mitigate the increasing risk stemming from this popularity.


Implementing Multi-factor Authentication (MFA)

Before delving into Microsoft’s security advice, I want to emphasize the necessity of Multi-factor Authentication. Utilizing some form of MFA to access cloud services is crucial.

MFA is often referred to as 2-factor authentication or 2FA. If you aren’t already employing this security measure, it’s imperative that you implement it as soon as possible.

While one-time codes can be generated through apps, our MFA guidance details that MFA can be achieved in various other ways too, such as logging in from a pre-registered device or trusted IP address.

Enterprises can utilize Conditional Access to mandate MFA use, while smaller organizations should ensure that a second factor is enabled for each of their accounts.


Microsoft’s Updated Office 365 Guidance

Microsoft’s up-to-date security guidance provides advice on effectively implementing Office 365 configurations in alignment with the NCSC’s cloud security principles.

This guide is beneficial for enterprises in both the public and private sectors, although it primarily addresses how UK public sector organizations can configure and leverage Office 365 to handle threats at the OFFICIAL level.

The guidance encompasses all Office 365 services, ensuring that the recommended measures inspire confidence when utilizing both new, cloud-only features as well as established tools like SharePoint and Exchange.

Microsoft’s guidance consists of two main parts:

  • The initial document serves as a response to the NCSC’s 14 cloud security principles and outlines how certain configurations align with those principles.
  • The second document details the recommended configurations for Office 365 services, providing comprehensive step-by-step implementation instructions.

This second document categorizes recommendations into three levels: good, better, and best.

The NCSC strongly encourages enterprises to implement all recommendations in the good category, striving ideally for those in the better category, which are covered in the Office 365 E3 license.


Transitioning to Cloud-Native Authentication

This new guidance embraces a significant shift that may evoke some debate.

We now advise that hybrid setups—those utilizing both Active Directory and Azure AD—should favor native authentication with Azure AD over ADFS.

In Microsoft’s terminology, this is referred to as ‘Seamless SSO with Password Hash Sync’, configured for either per-user or Conditional Access MFA.

While the idea of password synchronization with the cloud may seem daunting, we believe that organizations relying on Azure AD as their primary authentication source can reduce their risk compared to ADFS. This is because:

  • Only the hashes of your password hashes are sent to Azure AD, rather than the reusable NTLM hashes typically involved in “pass the hash” attacks (Microsoft offers a more detailed explanation in their Azure AD Connect documentation). This means the credentials sent to Azure AD cannot be used for authentication to your on-premises infrastructure that hinges on Active Directory.
  • Trust is already placed in Azure AD for access control decisions, determining who can view various data housed within Office 365. The storage of password hashes does not alter this security imperative.
  • Access to Office 365 will no longer be impacted by any local outages or downtimes stemming from your on-premises ADFS or Active Directory setups.
  • The complete suite of Microsoft’s credential protection technologies is only available for accounts fully synchronized with the cloud. Benefits include the service detecting users with easily guessable passwords and flagging accounts that have been compromised due to data leaks from other services.
  • Conditional Access extensions that incorporate device health assessments will likely only be available for users authenticating directly through Azure AD in the near future.
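To make the first bullet concrete, here is an added illustration (not code from the NCSC post or from Microsoft) of the "hash of a hash" scheme, modelled on Microsoft's public Azure AD Connect description: the NT hash is expanded, salted per user, and run through 1000 rounds of PBKDF2-HMAC-SHA256, and the cloud side verifies by re-deriving. The sample NT hash is constructed, and the exact byte layout (hex-then-UTF-16LE expansion, 10-byte salt as the PBKDF2 salt) is an assumption rather than a copy of the agent's code.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 1000   # iteration count Microsoft documents for PHS
SALT_LEN = 10          # per-user salt length Microsoft documents for PHS

# Constructed sample NT hash (16 bytes). A real one is MD4 of the UTF-16LE
# password; it is the value reusable in NTLM "pass the hash", so it must never
# leave the domain.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte NT hash -> 64 bytes: hex-encode, then UTF-16LE encode (assumed layout)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_sync_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Value the sync agent would send: PBKDF2-HMAC-SHA256 over the expanded hash."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, PBKDF2_ROUNDS, 32)


def make_sync_record(nt_hash: bytes, salt: bytes = b"") -> dict:
    """What gets transmitted over TLS: derived hash, the salt and the round count."""
    salt = salt or os.urandom(SALT_LEN)
    return {"hash": derive_sync_hash(nt_hash, salt), "salt": salt, "rounds": PBKDF2_ROUNDS}


def cloud_verify(record: dict, nt_hash_at_login: bytes) -> bool:
    """Cloud side: hash the password typed at sign-in to an NT hash, re-derive, compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash_at_login), record["salt"], record["rounds"], 32
    )
    return hmac.compare_digest(candidate, record["hash"])


def record_exposes_nt_hash(record: dict, nt_hash: bytes) -> bool:
    """True only if the synced blob carries the raw NT hash that NTLM would accept.

    The derived value is 32 bytes of PBKDF2 output, so this is always False:
    a leak of the synced record gives no credential usable against on-prem AD."""
    return nt_hash in record["hash"] or record["hash"] == nt_hash
```

Different users with the same password get different synced values because of the per-user salt, so the cloud copies cannot even be compared to spot shared passwords offline.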

The guidance elaborates further on the pertinent authentication options and services along with implementation instructions.


Act on the New Guidance

We urge organizations currently utilizing Office 365 to assess their deployments against the NCSC advisory and the latest guidance issued by Microsoft, treating these recommendations as essential.

While smaller organizations may find the advisory’s mitigations more applicable, larger entities and public sector organizations should also reference the more thorough guidance.

If you have not yet taken steps to protect against risks associated with password guessing and credential leaks through methods like MFA or Conditional Access, it cannot be emphasized enough—get started immediately!


What Comes Next?

The landscape of cloud products and their usage will evolve in the coming years. It is prudent to plan for regular reviews of the configuration for all SaaS instances employed by your organization, including a check on whether vendors have updated their recommendations.

Andrew A

NCSC Cloud Security Research Lead


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/securing-office-365-with-better-configuration
