In this final part of my Office 365 Secure Score series, we'll look at other actions, mostly related to Exchange Online. We'll also explore actions you can take to improve your Secure Score along with recommendations for endpoint security.

Paul Schnackenburg

Paul Schnackenburg works part time as an IT teacher as well as running his own business in Australia. He has MCSE, MCT, MCTS and MCITP certifications. Follow his blog TellITasITis.

So far in this series, we've looked at what Office 365 Secure Score is, and how to enable MFA for administrators and for end users. We've also delved into a list of reports that'll give you insight into the overall security posture of your tenant.

Monitoring email in Office 365

First up (for 15 points) you should set up Exchange Online to notify you when it blocks a sender in your tenant for sending a lot of emails or emails identified as spam. Click Learn more and add the people whom it should notify.

Set outbound spam notifications in Office 365


For 10 points, enable mailbox auditing for all users. The system audits all non-owner access by default, but enabling this control adds owner mailbox activity to the audit log. It thus lets you see what transpired in user mailboxes if anyone compromised their accounts. Clicking Learn more and Launch takes you to a PowerShell script on GitHub.

As pointed out in part 1, if you have enabled MFA for administrators, generic PowerShell instructions will not work, as the standard Exchange Online remote PowerShell connection doesn't natively support MFA. Follow this article instead. Note that when I tried to run the downloaded file from Chrome, it failed, whereas when I downloaded it in Edge, it ran fine and installed the module. A PowerShell window opens, and when I run Connect-EXOPSSession -UserPrincipalName email@address, I get a login screen and an MFA phone call. I then manually run the second half of the GitHub script:

And then run Get-Mailbox | Select Name, AuditEnabled, AuditLogAgeLimit to make sure it worked.
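Here is an added example (not the GitHub script the text refers to, and not the author's code) that enables owner auditing on every user mailbox and then lists any mailbox where it is still off. It assumes an Exchange Online PowerShell session is already open (for example after Connect-EXOPSSession as described above).

```powershell
# Added example: turn on owner mailbox auditing tenant-wide and verify the result.
# Assumes an existing Exchange Online PowerShell session.

# Owner actions worth recording; these are the AuditOwner values Exchange Online accepts.
$ownerActions = 'Create', 'HardDelete', 'MailboxLogin', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'Update'

# -ResultSize Unlimited matters: Get-Mailbox returns only 1000 objects by default,
# so in a large tenant a plain Get-Mailbox would silently skip mailboxes.
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"

foreach ($mbx in $mailboxes) {
    # Set-Mailbox is idempotent, so re-running this is safe. 180 days of audit history
    # gives the investigation window most incident responders want.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit 180 -AuditOwner $ownerActions
}

# Verification step: anything returned here still has auditing disabled and needs a closer look.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit
```

Mailboxes created after this run will not inherit the setting, so schedule the script or re-run it as part of your onboarding process.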

Enabling Office 365 mailbox owner auditing in PowerShell


A popular tactic by attackers to capture important email data from your tenant is to set up a transport rule to forward email to an external domain. For 5 points, follow the instructions; navigate to mail flow, rules in Exchange Admin Center (EAC). Delete any rules that forward email to domains not in your tenancy (provided there's not a legitimate reason for the rule).

Related to this, and much less likely to attract notice, are mail forwarding rules in a mailbox. For a grand total of 1 point, click Launch now and then recipients in EAC, double click on a user's mailbox, go to mailbox features, scroll down to Mail Flow, and click View details. See if any external recipients are receiving a copy of every email for this user. If you have a lot of users, you'll need a PowerShell way of checking this; here's a post that covers this.
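As an added example covering both the transport rules and the per-mailbox forwarding described above (not code from the article or from the post it links to), the following script reports every transport rule, mailbox forwarding setting, and inbox rule that delivers mail to a domain the tenant does not own. It assumes an existing Exchange Online PowerShell session; the Test-External helper is ours.

```powershell
# Added example: find forwarding that leaves the tenant. Assumes an Exchange Online PowerShell session.

# Every domain the tenant owns; any other domain counts as external.
$internal = (Get-AcceptedDomain).DomainName

function Test-External([string]$Address) {
    # Addresses arrive as "smtp:user@example.com" or "Name [SMTP:user@example.com]";
    # only the domain after '@' matters for the decision.
    if ($Address -match '@([A-Za-z0-9.-]+)') { return ($internal -notcontains $Matches[1]) }
    return $false
}

# 1. Organisation-wide transport rules that copy or redirect mail outside the tenant.
foreach ($rule in Get-TransportRule) {
    $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) + @($rule.CopyTo) + @($rule.AddToRecipients)
    $external = $targets | Where-Object { $_ -and (Test-External "$_") }
    if ($external) {
        [pscustomobject]@{ Type = 'TransportRule'; Name = $rule.Name; External = ($external -join ';') }
    }
}

# 2. Per-mailbox forwarding (the setting under Mail Flow in EAC) and inbox rules.
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
foreach ($mbx in $mailboxes) {
    # ForwardingSmtpAddress is the user-settable forward, which is where a compromised
    # account typically has it configured. ForwardingAddress points at an internal recipient
    # object and is left to a separate review of mail contacts.
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Type = 'MailboxForwarding'; Name = $mbx.UserPrincipalName; External = $mbx.ForwardingSmtpAddress }
    }
    # Inbox rules are the quietest option, so check ForwardTo, ForwardAsAttachmentTo and RedirectTo.
    foreach ($ir in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($ir.ForwardTo) + @($ir.ForwardAsAttachmentTo) + @($ir.RedirectTo)
        $external = $targets | Where-Object { $_ -and (Test-External "$_") }
        if ($external) {
            [pscustomobject]@{ Type = 'InboxRule'; Name = "$($mbx.UserPrincipalName): $($ir.Name)"; External = ($external -join ';') }
        }
    }
}
```

Get-InboxRule is called once per mailbox, so expect the run to take a while in a large tenant; pipe the output to Export-Csv if you want a record to compare against on the next run.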

Another 5-point action is to make sure you're not whitelisting domains, because mail from a whitelisted domain bypasses the malware and phishing filtering.

OneDrive for Business and Rights Management Services in Office 365

Another step to take for 10 points is to ensure users store their data in OneDrive for Business. I know that the dodgy performance of the sync client in the past has burned many IT pros. But it does seem like Microsoft has sorted these issues over the last few months. Having a copy of the data users are working on in the cloud is certainly preferable when ransomware hits their machines.

For 10 points, you should also activate Rights Management Services (RMS), making it possible for your users to protect their content.

Enable Rights Management in Office 365


A deep dive on RMS (now known as Azure Information Protection) is beyond this article. But it's the best way to protect your company's data as it floats around on computers, tablets, and phones, not to mention in emails and on USB sticks. User education will be key to having your users successfully use this across your business. But if you looked at RMS a few years ago and found it challenging, know that it's now a lot easier for you to administer and easier for your users to take advantage of.

Rights Management Service settings in AAD


A very important step (10 points) is to allow your users to classify documents in SharePoint, enabling data classification for High, Medium, and Low business impact. The Learn more link takes you to a technical case study on how Microsoft IT uses data loss prevention (DLP) and data classification with information on how to work with SharePoint and sensitive data.

To disable anonymous calendar sharing for 10 points, Launch will take you to the Admin portal. Head to Settings, Services & add-ins, click Calendar, and disable Allow anonymous users to access calendars with an email invitation. This is one way an attacker could gain information about your users' movements to plan a more severe attack.

Disabling anonymous calendar sharing in Office 365


For 5 points, you can consider limiting Skype for Business communications to inside your company. This is one you should check with your business users first. On one hand, this could be a vector where people outside your organization could trick users into thinking they're known and then send them malicious attachments or links. However, it may also limit your users' ability to collaborate with others outside your business.

Skype for Business external communication settings


Further Secure Score actions to take

Dragging the slider all the way to the right in the Secure Score portal unlocks all the actions I could take on my tenant. It lists things such as applying information rights management (IRM) to documents and email, limiting the lifetime of external sharing links, and tagging SharePoint documents. It also includes disabling accounts not used for over 30 days, enabling DLP policies, and a whole host of settings related to mobile devices. Some of these settings are only applicable if your users are licensed using the Enterprise E5 plan.

Resources

Conclusion

Security is always a tradeoff between convenience and risk mitigation. For too long we in the IT trenches have been blaming "stupid users" for security breaches when the reality is that we can do a lot more to help our users stay secure in this highly mobile, cloudy world. Secure Score is by no means perfect, but it's a good way to get started implementing a lot of the great security features that Microsoft offers us.

My score has gone from 26 to 179. What's yours?
