Update Notification:
Last Updated: April 2024 – Microsoft has released a comprehensive set of configuration guidelines intended for UK government and public sector entities to safeguard OFFICIAL data within their SaaS applications. Since the security requirements for OFFICIAL data are largely akin to those faced by major UK private sector firms, these frameworks may also prove beneficial for private organizations. More details on this guidance can be found on GOV.UK: Visit GOV.UK for Microsoft 365 Guidance.
For questions regarding best practices for securing your data in SaaS applications like Microsoft 365, we recommend reviewing our guidance on Using SaaS Securely and consulting your selected service provider.
This blog will not be updated after April 2024.
Last Updated: October 2023 – Microsoft has also produced a collection of configuration guides for UK public sector and governmental organizations. Further information can be found on GOV.UK: Visit GOV.UK for Microsoft 365 Guidance.
Last December, we published an advisory highlighting methods to secure Office 365 accounts against credential theft attacks that were increasingly reported.
We advocate that any individual with an Office 365 account should prioritize implementing the security recommendations outlined in this advisory. This applies to everyone, from small enterprises to large corporations, underscoring the importance of measures like Multi-factor Authentication (MFA).
This blog post elaborates on certain recommendations and unveils crucial new security advice published by Microsoft.
Growing Cloud Usage
The adoption of cloud computing by businesses is on a rapid rise. For context, Eurostat indicated that 42% of UK businesses were relying on cloud computing services in 2018, a stark increase from 24% in 2014.
Long-time followers will not be shocked to learn that cyber attackers are adapting to this trend, shifting their focus toward the cloud. They are employing proven tactics like password guessing and phishing to launch their assaults.
The rapid adoption of Office 365 across organizations makes it an attractive target. Our advisory, alongside Microsoft’s own guidance, aims to mitigate the heightened risk associated with its growing utilization.
Implement Multi-factor Authentication (MFA)
Before delving into Microsoft’s security recommendations, I want to stress the necessity of Multi-factor Authentication. Utilizing some form of MFA to access cloud services is essential.
MFA is often referred to as 2-factor authentication or 2FA; if you haven’t adopted it yet, you should prioritize it immediately.
While single-use codes are typical, our MFA guidance explains other methods of authentication. Logging in from secure IP addresses or using devices pre-registered in Azure AD are key examples.
Enterprises can utilize Conditional Access to enforce MFA. Smaller organizations and individuals should verify that two-factor authentication is enabled for their accounts.
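Enforcing MFA through Conditional Access, as an added example rather than code from the NCSC post or from Microsoft’s guidance: the policy below requires MFA for every user and every cloud app, but lets a sign-in from a trusted named location or from a device registered in Azure AD satisfy the policy instead, matching the alternative signals mentioned above. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can manage Conditional Access, and that the break-glass group ID is a placeholder you replace.

```powershell
# Added example (not from the NCSC post or Microsoft's guidance).
# Creates the policy in report-only mode first so you can review the sign-in logs
# for what it would have blocked, then switch the state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA or trusted device for all cloud apps"
    # "enabledForReportingButNotEnforced" = report-only; change to "enabled" to enforce
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            # Placeholder: object ID of an emergency-access (break-glass) admin group,
            # excluded so a misconfigured policy cannot lock every administrator out
            excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            # Sign-ins from named locations you have marked as trusted are not challenged
            excludeLocations = @("AllTrusted")
        }
    }
    # Operator OR: a compliant (Intune-managed) or hybrid Azure AD joined device
    # satisfies the policy; any other device must complete MFA
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state '$($created.State)'"

# Check: list every policy still not enforced, so none is left in report-only by accident
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "enabled" } |
    Select-Object DisplayName, State, Id
```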
New Microsoft Office 365 Guidance
Microsoft’s newly released security guidance offers updated advice designed to assist in implementing Office 365 in alignment with the NCSC’s cloud security principles.
We advocate this guidance for both public and private sector enterprises, especially those within the UK public sector aiming to utilize Office 365 securely and effectively.
The guidance encompasses all Office 365 services, ensuring that users can safely adopt both new cloud-exclusive features as well as established applications like SharePoint and Exchange.
Microsoft’s guidance is divided into two parts:
- The first document responds to the NCSC’s 14 cloud security principles and illustrates how various configurations align with these principles.
- The second document outlines recommended configurations for Office 365, complete with step-by-step instructions for implementation.
In the second document, Microsoft categorizes recommendations as good, better, and best.
The NCSC suggests that enterprises aim to implement all recommendations in the good category and ideally those in the better category, which are available under the Office 365 E3 license.
Transition to Cloud-native Authentication
This new guidance includes a significant change that may be viewed as contentious by some.
We now recommend that organizations using hybrid environments – those utilizing both Active Directory and Azure AD – prefer native authentication against Azure AD rather than ADFS.
In Microsoft terminology, this refers to ‘Seamless SSO with Password Hash Sync’, which can be set up with either per-user MFA or Conditional Access MFA.
Although synchronizing passwords with the cloud raises concerns for some, we believe organizations using Azure AD as their primary authentication method will reduce their risks compared to ADFS, due to several factors:
- The hashes of passwords sent to Azure AD are not reusable NTLM hashes, reducing vulnerability to “pass the hash” attacks (more details can be found in the Azure AD Connect documentation).
- Azure AD already manages access control relating to data visibility in Office 365, necessitating trust in its security. Storing password hashes does not impact that security requirement.
- Office 365 availability will be unaffected by outages in on-premises ADFS or Active Directory setups.
- Microsoft’s credential protection technologies function optimally for accounts fully synchronized with the cloud, which can help identify weak passwords and accounts with leaked credentials.
- Extensions for Conditional Access related to device health assessments will likely be limited to users authenticating directly with Azure AD.
Detailed guidance is available with further information on relevant authentication options and services.
Implementing New Guidance
We urge organizations currently using Office 365 to assess their deployments in relation to the NCSC advisory and the newly released Microsoft guidance, treating these recommendations as essential.
Smaller organizations may find the advisory’s mitigations more pertinent, while larger institutions and public sector organizations should leverage the additional guidance.
If you are not yet implementing measures against password guessing and credential leaks, such as MFA or Conditional Access, it’s crucial to start immediately!
Future Directions
The landscape of cloud products and their applications will inevitably evolve over the coming years. Therefore, it is wise to plan for regular reviews of the configurations of all SaaS instances your organization utilizes, including verifying any updates made by the vendors.
Andrew A
NCSC Cloud Security Research Lead
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/securing-office-365-with-better-configuration