Written by Duo’s Umang Barman
The Cybersecurity and Infrastructure Security Agency (CISA) recently shared an in-depth analysis of the security risks associated with Microsoft Office 365. You can read the entire report here. The CISA observed that when organizations migrate their email services to O365, they are left with potential security vulnerabilities. Attackers take advantage of these vulnerabilities to compromise accounts and mailboxes and cause data breaches.
Based on CISA’s findings, we recommend the following best practices when deploying Microsoft O365:
1. Always Enable MFA for All Admin Accounts
A Microsoft Office 365 administrator has the highest level of
privilege. O365 admins are able to configure accounts (create new accounts, remove accounts or modify accounts). The CISA report found that multi-factor authentication (MFA) wasn’t enabled by default in admin accounts, but should be. If attackers compromise admin accounts, they can reset user passwords and log into all user accounts the admin controls. CISA report recommends that organizations deploy MFA for all administrator accounts to reduce the risk of stolen admin credentials.
With Duo’s MFA, admins can secure O365 administrator logins in a few minutes. Duo offers a variety of simple integration options that allow admins to secure access to O365 and all third-party applications with a single solution.
2. Protect All User Accounts Regardless of Role
To prevent attackers from using stolen credentials to access O365, organizations should protect all user logins with an MFA. With Duo, organizations can deploy to thousands of users using one of several user-friendly options to authenticate into O365 that reduce friction while keeping users secure.
3. Scale MFA with SSO for Third-Party Cloud Applications
When customers migrate to O365, Microsoft provides tools such as Azure AD Connect to help them move their on-premises identities into the cloud. An additional feature, Password Sync, allows passwords from on-premises AD to be replicated in Azure AD. However, Password Sync could expose admins to additional risks. If an admin account was compromised, attackers can laterally move into any cloud application that uses Azure AD identities. To mitigate this risk, Microsoft offers an option to disable Password Sync for admin accounts. The recommended and more secure option for admins is to enable single sign-on (SSO) with MFA for all cloud applications.
With Duo’s SSO, admins can use a single username and password to log into any cloud application. Before admins can access cloud applications, Duo’s MFA will prompt them to verify their identities. Duo supports thousands of cloud applications available natively. A list of supported applications can be found here.
4. Identify and Track all BYOD Accessing O365
With O365, users can access email anywhere on any device. While Exchange Online supports several legacy protocols such as Internet Message Access Protocol (IMAP) and Simple Mail Transport Protocol (SMTP), several email clients that use these protocols do not support MFA by default. Without MFA, users accounts are at risk of compromise. Admins can enable modern authentication to support MFA on clients such as Outlook 2013 or later. In addition,
Duo gives customers visibility into the security posture of all bring your own devices (BYOD) and unmanaged devices accessing O365 to help them stay compliant. If admins detect an out-of-date or vulnerable device getting access to O365, they can set a Duo policy to prevent this device from getting access.
5. Detect Malicious Activity with Logging and Reporting
The CISA recommends that organizations enable O365 mailbox audit logs. Admins can use audit logs to determine risky behavior, such as finding the IP address of the computer used to access a compromised account or determining who set up email forwarding for a mailbox. In addition to O365 logs, Duo can help admins detect malicious login activity and alert if there is a fraudulent login. Admins can even export Duo logs into Splunk or any other SIEM tools to consolidate their logs and set policies to detect risky behavior.