automate-azure's Issues
Do not allow third party integrated applications
You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party
Allow anonymous guest sharing links for sites and docs
You should allow your users to use anonymous guest sharing links for SharePoint Online sites and documents. While there are inherent risks in sharing documents anonymously, Microsoft has found that when anonymous sharing is disabled, users often use more risky methods of sharing sites and documents, email for example. A proactive approach would be to enable anonymous sharing links for customers while also educating users on the pitfalls with sharing anonymously and monitoring links shared for signs of exfiltration by an attacker.
Do not allow mailbox delegation
You should ensure that your users do not use mailbox delegation. While there are many legitimate uses of mailbox delegation, it also makes it much easier for an attacker to move laterally from one account to another to steal data.
Store user documents in OneDrive for Business
You should store user documents in OneDrive for Business because it safeguards this content against data loss. We found that OneDrive for Business is False.
Set outbound spam notifications
You should set your Exchange Online Outbound Spam notifications to copy and notify someone when a sender in your tenant has been blocked for sending excessive or spam emails. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails to other people.
Require mobile devices to use a password
You should require your users to use a password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. We found that your mobile device policy requiring a password is set to False.
Review sign-ins after multiple failures report weekly
You should review the Azure Security reports at least every week. These reports contain records of accounts that have successfully signed in after multiple risk events, such as sign-ins from unfamiliar locations or IP addresses, which could be an indication that the account has been compromised.
Do not use transport rule to external domains
You should set your Exchange Online mail transport rules to not forward mail to domains not registered in your tenancy. Attackers will often create these rules to exfiltrate data from your tenancy.
Enable Advanced Security Management Console
You should adopt the Office 365 Advanced Security Management Console. This console will allow you to set up policies to alert you about anomalous and suspicious activity.
Enable Data Loss Prevention policies
You should enable Data Loss Prevention (DLP) policies to help protect your data from accidental, or malicious exposure. DLP allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords, and will alert users and administrators that this data should not be exposed.
Do not allow simple passwords on mobile devices
You should require your users to use a complex password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.
Do not allow external domain skype communications
You should not allow your users to communicate with Skype users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat in that those external users will now be able to interact with your users over Skype for Business. Attackers may be able to pretend to be someone your user knows, and then send malicious links or attachments, resulting in an account breach, or leaked information.
Review account provisioning activity report weekly
You should review your account provisioning activity report at least weekly. This report includes a history of attempts to provision accounts to external applications. If you don't usually use a third party provider to manage accounts, any entry on the list is likely illicit. But, if you do, this is a great way to monitor transaction volumes, and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate. If you review it, your score will go up 5 points.
Use audit data
You should consume your audit data either through the audit log search or through the Activity API to a third party security information system at least every week. This data enables a wide range of illicit activity detection and security breach scoping and investigation capabilities. Consuming and reviewing it regularly makes it less likely that an attacker will operate in your tenancy undetected for long periods of time. We found that the last time you reviewed this report was not within the suggested timeframe.
Do not use mail forwarding rules to external domains
You should not use mail forwarding rules to forward user mail to external domains. While there are some legitimate uses, attackers will often create these rules to exfiltrate data from your tenancy.
Enable versioning on all SharePoint online document libraries
You should enable versioning on all of your SharePoint online site collection document libraries. This will ensure that accidental or malicious changes to document content can be recovered.
Require mobile devices to use alphanumeric password
You should require your users to use a complex password with at least two character sets (letters and numbers, for example) to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.
Enable audit data recording
You should enable audit data recording for your Office 365 service to ensure that you have a record of every user and administrator's interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should it ever occur.
Review role changes weekly
You should review user role group changes at least every week. There are several ways you can do this, including simply reviewing the list of users in different administrative role groups in the Office 365 Admin Portal, or by reviewing role administration activity in the last week from the Audit Log Search. You should do this because you should watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful things in your tenancy.
Tag documents in SharePoint
You should apply labels to documents in SharePoint Online. If you use document classification tags, you can author rules that leverage the label to implement specific retention/deletion policies using data loss protection (DLP) in the Security and Compliance Center. In the future there will be more DLP actions possible when labels are detected on documents.
Do not allow anonymous calendar sharing
You should not allow anonymous calendar sharing. This feature allows your users to share the full details of their calendars with external, unauthenticated users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
Enable Advanced Threat Protection safe attachments policy
You should enable the Office 365 Advanced Threat Protection Safe Attachments feature. This will extend the malware protections in the service to include routing all messages and attachments that don't have a known virus/malware signature to a special hypervisor environment where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent.
Disable accounts not used in last 30 days
You should disable any accounts that have not been used in the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed.
Review mailbox access by non-owners report bi-weekly
You should review the Mailbox Access by Non-Owners report at least every other week. This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time, and can help discover malicious insider activity sooner.
Enable Client Rules Forwarding Block
You should enable Client Rules Forwarding Blocks because the use of client-side forwarding (rules) to exfiltrate data to external recipients is becoming an increasingly used vector for data exfiltration by bad actors.
User alternate contact info is completed for all users
You should ensure that alternate contact information, such as alternate email or cell phone number, is completed for all users. This will ensure that you can safely contact users to verify anomalous activity, and will ensure that if you have to enable multi-factor authentication for a user that they will be able to complete the registration.
Require mobile devices to block access and report policy violations
You should configure your mobile device management policies to block access from devices that violate your policy and to report those violations to an administrator. Unless you block access, users will be able to connect with non-compliant devices, leading to vulnerable devices connecting to your data.
Do not use transport white lists
You should set your Exchange Online mail transport rules to not whitelist specific domains. Doing so bypasses regular malware and phish scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.
Review non-global administrators weekly
You should review non-global administrator role group assignments at least every week. While these roles are less powerful than a global admin, they do grant special privileges that can be used illicitly. If you see something unusual contact the user to confirm it is a legitimate need.
Enable Advanced Threat Protection safe links policy
You should enable the Office 365 Advanced Threat Protection Safe Links feature. This will extend the phishing protection in the service to include redirecting all email hyperlinks through a forwarding service which will block malicious ones even after it has been delivered to the end user.
Require mobile devices to manage email profile
You should configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to set up and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data.
SPO Sites have classification policies
You should set up and use SharePoint Online data classification policies on data stored in your SharePoint Online sites. This will help categorize your most important data so that you can effectively protect it from illicit access, and will help make it easier to investigate discovered breaches.
Enable MFA for all users
You should enable MFA for all of your user accounts because a breach of any of those accounts can lead to a breach of any data that user has access to.
Require mobile devices to use encryption
You should require your users to use encryption on their mobile devices. Unencrypted devices can be stolen and their data extracted by an attacker very easily.
Use non-global administrative roles
You should leverage non-global administrator roles to perform required administrative work with the least privileges necessary to complete the task. Using roles like Password Administrator or Exchange Online Administrator will reduce the number of high value, high impact global admin role holders you have, which will in turn reduce the likelihood of a breach of an account with global administrative privileges.
Do not allow calendar details sharing
You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
Require PC and Mobile devices to be patched, have anti-virus, and firewalls enabled
You should configure your mobile device management policies to require the PC and mobile device to be patched, have anti-virus, and have a firewall enabled. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data.
IRM protections applied to documents
You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.
IRM protections applied to email
You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.
Enable MFA for all global admins
You should enable MFA for all of your admin accounts because a breach of any of those accounts can lead to a breach of any of your data. We found that you had 2 admins out of 3 that did not have MFA enabled.
Enable mobile device management services
You should use a mobile device management service such as Office 365 Mobile Device Management or Microsoft InTune. Devices, especially mobile devices, are vulnerable to attacks such as malware that can lead to account and data breaches. We found that your enablement of mobile device management services is False.
Review malware detections report weekly
You should review the Malware Detections report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn't strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigations.
Enable Information Rights Management (IRM) services
You should enable IRM services so that your users can implement encryption and data leakage policies on specific documents and emails. This will make it more difficult for an attacker to steal valuable data.
Configure expiration time for external sharing links
You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared.
Do not expire passwords
You should designate less than five global tenant administrators because the more global admin users you have, the more likely it is that one of those accounts will be successfully breached by an external attacker.
Review mailbox forwarding rules weekly
You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users' email is not being exfiltrated.
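One way to do the PowerShell review described above, as an added example that is not part of the automate-azure project: it assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline) and treats every accepted domain of the tenant as internal, flagging mailbox-level forwarding and client inbox rules whose targets fall outside those domains.

```powershell
# Added example, not from the automate-azure project.
# Assumes an existing Exchange Online PowerShell session.

# Domains registered in the tenant; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as '"Name" [SMTP:user@domain]'; mailbox forwarding as 'smtp:user@domain'.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    # Entries without an SMTP address (legacy DN references) are internal recipients.
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding that a user can set themselves.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress ([string]$mbx.ForwardingSmtpAddress))) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Source  = 'ForwardingSmtpAddress'
            Target  = [string]$mbx.ForwardingSmtpAddress
        }
    }
    # Client-side inbox rules that forward, forward-as-attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Source  = "InboxRule:$($rule.Name)"
                    Target  = [string]$t
                }
            }
        }
    }
}

# Each row is a mailbox whose mail leaves the tenant; confirm each with the owner.
$findings | Format-Table -AutoSize
```

Rules that are disabled still appear in the output, so check the rule's Enabled property before treating a hit as active exfiltration.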
Review blocked devices report weekly
You should review your blocked devices report weekly. You should do this to look for devices and users that violated your mobile device management policies so you can determine if those violations were malicious or non-malicious.
Designate less than 5 global admins
You should designate less than five global tenant administrators because the more global admin users you have, the more likely it is that one of those accounts will be successfully breached by an external attacker.
Designate more than one global admin
You should designate more than one global tenant administrator because that one admin can perform malicious activity without the possibility of being discovered by another admin.
Enable mailbox auditing for all users
You should enable mailbox auditing for at least ninety percent of all users that have mailboxes in your tenancy. By default all non-owner access is audited, but you must enable auditing on the mailbox for owner access to also be audited. This will allow you to discover illicit access of Exchange Online activity if a user's account has been breached.