Important Updates
April 2024 Update: Microsoft has released a comprehensive set of configuration guidelines aimed at UK government and public sector organizations for safeguarding OFFICIAL data in their SaaS applications. Since the security standards for OFFICIAL information align closely with those required by large UK private firms, private sector entities may find these guidelines useful as well. Further details about this guidance are available on GOV.UK: https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government.
If you have questions regarding best practices for securing your data in a SaaS application like Microsoft 365, we encourage you to consult our guidance on Using SaaS securely and reach out to your service provider for assistance.
As of April 2024, this blog will no longer receive updates.
October 2023 Update: Microsoft has developed a collection of configuration guides for UK government and public sector organizations. For more information about this guidance, please visit GOV.UK: https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government
Last December, we issued an advisory that outlined how to protect Office 365 accounts from credential theft attacks that have been on the rise.
We believe that all Office 365 account holders can greatly benefit from following the security recommendations outlined in this advisory. From small businesses to large enterprises, prioritizing measures such as Multi-factor Authentication (MFA) should be a key focus.
This blog post provides an overview of some of these recommendations and highlights significant new security guidance released by Microsoft.
Growth of Cloud Computing
The adoption of cloud computing by businesses continues to grow rapidly. For context, Eurostat reported that 42% of UK enterprises used cloud computing services in 2018, compared to 24% in 2014.
As expected, cyber attackers are also adapting, shifting their focus toward the cloud while employing established tactics such as password guessing and phishing schemes to execute their attacks.
With the rapid expansion of Office 365 adoption across organizations of all sizes, it has become a prime target for malicious actors. Our advisory and Microsoft’s guidelines aim to mitigate the increasing security risks associated with its popularity.
Implement Multi-factor Authentication (MFA)
Before turning to Microsoft's advice, our strongest recommendation is Multi-factor Authentication (MFA): using it to protect access to cloud services is essential.
MFA is sometimes referred to as two-factor authentication or 2FA. If you have not yet enabled it, start now.
MFA is most often implemented with single-use codes generated by an authenticator app, but, as our MFA guidance explains, other factors can serve the same purpose. For example, a sign-in from a trusted IP address, or from a device pre-registered in Azure AD, are two viable ways of satisfying an MFA requirement.
Enterprises can leverage Conditional Access to enforce MFA usage. Smaller organizations and individuals should ensure that each account has a second factor enabled.
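As an added example (not from the NCSC post or from Microsoft's guidance), the Python below builds the Microsoft Graph request bodies for a trusted IP named location and a Conditional Access policy that requires MFA for all users, with the two exemptions the text mentions: sign-ins from trusted locations and a break-glass group. It also includes `requires_mfa`, a deliberately small local model of how such a policy scopes a sign-in so the include/exclude logic can be checked against sample sign-ins before the policy is created. The group ID and the 203.0.113.0/24 range are constructed placeholders; `requires_mfa` is an illustration of the policy's semantics, not Azure AD's evaluation engine.

```python
import ipaddress

# Constructed placeholders: in a real tenant these come from your directory
# (object ID of the break-glass group) and from your network team (office egress IPs).
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # assumed, not a real ID
OFFICE_EGRESS = ["203.0.113.0/24"]  # constructed TEST-NET range standing in for office egress


def office_named_location(display_name="Head office egress", cidrs=OFFICE_EGRESS):
    """Body for POST /identity/conditionalAccess/namedLocations: a trusted IP location."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c} for c in cidrs
        ],
    }


def mfa_policy(break_glass_group_id=BREAK_GLASS_GROUP_ID, report_only=True,
               exempt_trusted_locations=True):
    """Body for POST /identity/conditionalAccess/policies.

    report_only=True creates the policy in report-only state so its impact shows up in
    sign-in logs before anyone is blocked. exempt_trusted_locations=False is the stricter
    variant that demands MFA even from the office network."""
    locations = {"includeLocations": ["All"]}
    if exempt_trusted_locations:
        locations["excludeLocations"] = ["AllTrusted"]
    return {
        "displayName": "Require MFA for all users outside trusted locations",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": locations,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def requires_mfa(policy, trusted_cidrs, user_groups, source_ip):
    """Simplified model of how the policy above scopes one sign-in.

    A sign-in is out of scope (no MFA demanded by this policy) if the user is in an
    excluded group, or if it comes from a trusted location and the policy excludes
    'AllTrusted'. Otherwise the grant control applies."""
    users = policy["conditions"]["users"]
    if set(user_groups) & set(users.get("excludeGroups", [])):
        return False
    ip = ipaddress.ip_address(source_ip)
    from_trusted = any(ip in ipaddress.ip_network(c) for c in trusted_cidrs)
    excluded = policy["conditions"]["locations"].get("excludeLocations", [])
    if from_trusted and "AllTrusted" in excluded:
        return False
    return "mfa" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    policy = mfa_policy()
    for groups, ip in ([], "198.51.100.7"), ([], "203.0.113.20"), ([BREAK_GLASS_GROUP_ID], "198.51.100.7"):
        print(groups, ip, "-> MFA required:", requires_mfa(policy, OFFICE_EGRESS, groups, ip))
```

The two bodies are submitted with an app or delegated token holding `Policy.ReadWrite.ConditionalAccess`, first the named location (`POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`), then the policy (`POST .../identity/conditionalAccess/policies`). Leave the policy in report-only state until the sign-in logs show it catching only what you expect, and keep the break-glass exclusion so a broken MFA provider cannot lock every administrator out.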
New Office 365 Guidance from Microsoft
Microsoft’s updated security guidance offers up-to-date advice on configuring Office 365 installations to align with NCSC’s cloud security principles.
Although written to help UK public sector organizations configure Office 365 to handle data at the OFFICIAL classification, the guidance applies equally well to private sector enterprises, and we recommend it to both.
The guidance encompasses all Office 365 services, thereby ensuring that you can confidently utilize both newer cloud-only features and established services like SharePoint and Exchange.
Microsoft’s guidance is split into two parts:
- The first document responds to NCSC’s 14 cloud security principles and details how specific configurations map to these principles.
- The second document outlines recommended configurations for Office 365 services, complete with step-by-step implementation instructions.
In the second document, Microsoft categorizes the recommendations into good, better, and best.
The NCSC suggests that enterprises aim to implement all recommendations in the good category and aspire to include those in the better category, which are available with the Office 365 E3 license.
Transitioning to Cloud-Native Authentication
This new guidance introduces a significant recommendation that may prompt discussion.
We now advise that hybrid environments utilizing both Active Directory and Azure AD should consider native Azure AD authentication over ADFS.
In Microsoft terminology, this is known as ‘Seamless SSO with Password Hash Sync,’ which can be configured to use per-user or Conditional Access MFA.
Synchronizing password hashes to the cloud may seem daunting, but we believe that organizations which make Azure AD their primary authentication source reduce their risk compared with ADFS, for the following reasons:
- Azure AD Connect does not send the NTLM password hash itself; it sends a salted, iterated hash of that hash (the details are in the Azure AD Connect documentation). The value held in Azure AD is therefore not a reusable NTLM hash of the kind used in "pass the hash" attacks, and it cannot be used to authenticate against on-premises infrastructure that relies on Active Directory.
- Trust is already placed in Azure AD for access control decisions that regulate data visibility in Office 365. Storing password hashes does not compromise this security requirement.
- The availability of Office 365 will not be impacted by any outages or downtime occurring within your on-premise ADFS or Active Directory systems.
- Microsoft's full set of credential protection features works only on accounts whose password hashes are synchronized to the cloud. These include identifying users with easily guessed passwords and flagging accounts whose password has been exposed in a data breach.
- Future enhancements to Conditional Access that incorporate device health assessments may only be accessible to users authenticating directly to Azure AD.
The guidance delves deeper into relevant authentication options and services, including implementation strategies.
Acting on New Guidance
We encourage organizations already utilizing Office 365 to evaluate their deployments against both the NCSC advisory and the new guidance provided by Microsoft, treating their recommendations as essential.
For smaller organizations, the mitigations outlined in the advisory will be especially relevant, while larger organizations and public sector bodies should also leverage the detailed guidance.
If you have not yet implemented measures against password guessing and leaked credentials through MFA or Conditional Access, it is important to start this process immediately!
Future Considerations
The cloud products you use, and the way you use them, will keep changing over the coming years. Review your organization's configuration of every SaaS service periodically, and check whether the vendor has updated its recommendations.
Andrew A
NCSC Cloud Security Research Lead
Based on an article from https://www.ncsc.gov.uk/blog-post/securing-office-365-with-better-configuration