automate-azure's Introduction

Hi there 👋

automate-azure's People

Contributors: npab19

automate-azure's Issues

Do not allow third party integrated applications

You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party

Allow anonymous guest sharing links for sites and docs

You should allow your users to use anonymous guest sharing links for SharePoint Online sites and documents. While there are inherent risks in sharing documents anonymously, Microsoft has found that when anonymous sharing is disabled, users often use more risky methods of sharing sites and documents, email for example. A proactive approach would be to enable anonymous sharing links for customers while also educating users on the pitfalls with sharing anonymously and monitoring links shared for signs of exfiltration by an attacker.

Do not allow mailbox delegation

You should ensure that your users do not use mailbox delegation. While there are many legitimate uses of mailbox delegation, it also makes it much easier for an attacker to move laterally from one account to another to steal data.

Set outbound spam notifications

You should set your Exchange Online Outbound Spam notifications to copy and notify someone when a sender in your tenant has been blocked for sending excessive or spam emails. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails to other people.

Require mobile devices to use a password

You should require your users to use a password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. We found that your mobile device policy requiring a password is set to False.

Review sign-ins after multiple failures report weekly

You should review the Azure Security reports at least every week. These reports contain records of accounts that have successfully signed in after multiple risk events, such as unusual locations or IP addresses, which could be an indication that the account is compromised.

Do not use transport rule to external domains

You should set your Exchange Online mail transport rules to not forward mail to domains not registered in your tenancy. Attackers will often create these rules to exfiltrate data from your tenancy.

Enable Advanced Security Management Console

You should adopt the Office 365 Advanced Security Management Console. This console will allow you to set up policies to alert you about anomalous and suspicious activity.

Enable Data Loss Prevention policies

You should enable Data Loss Prevention (DLP) policies to help protect your data from accidental, or malicious exposure. DLP allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords, and will alert users and administrators that this data should not be exposed.

Do not allow simple passwords on mobile devices

You should require your users to use a complex password to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.

Do not allow external domain skype communications

You should not allow your users to communicate with Skype users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat in that those external users will now be able to interact with your users over Skype for Business. Attackers may be able to pretend to be someone your user knows, and then send malicious links or attachments, resulting in an account breach, or leaked information.

Review account provisioning activity report weekly

You should review your account provisioning activity report at least weekly. This report includes a history of attempts to provision accounts to external applications. If you don't usually use a third party provider to manage accounts, any entry on the list is likely illicit. But, if you do, this is a great way to monitor transaction volumes, and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate. If you review it, your score will go up 5 points.

Use audit data

You should consume your audit data either through the audit log search or through the Activity API to a third party security information system at least every week. This data enables a wide range of illicit activity detection and security breach scoping and investigation capabilities. Consuming and reviewing it regularly makes it less likely that an attacker will operate in your tenancy undetected for long periods of time. We found that the last time you reviewed this report was not within the suggested timeframe.

Require mobile devices to use alphanumeric password

You should require your users to use a complex password with at least two character sets (letters and numbers, for example) to unlock their mobile devices. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device.

Enable audit data recording

You should enable audit data recording for your Office 365 service to ensure that you have a record of every user and administrator's interaction with the service, including Azure AD, Exchange Online, and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should it ever occur.

Review role changes weekly

You should review user role group changes at least every week. There are several ways you can do this, including simply reviewing the list of users in different administrative role groups in the Office 365 Admin Portal, or by reviewing role administration activity in the last week from the Audit Log Search. You should do this because you should watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful things in your tenancy.

Tag documents in SharePoint

You should apply labels to documents in SharePoint Online. If you use document classification tags, you can author rules that leverage the label to implement specific retention/deletion policies using data loss protection (DLP) in the Security and Compliance Center. In the future there will be more DLP actions possible when labels are detected on documents.

Do not allow anonymous calendar sharing

You should not allow anonymous calendar sharing. This feature allows your users to share the full details of their calendars with external, unauthenticated users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.

Enable Advanced Threat Protection safe attachments policy

You should enable the Office 365 Advanced Threat Protection Safe Attachments feature. This will extend the malware protections in the service to include routing all messages and attachments that don't have a known virus/malware signature to a special hypervisor environment where a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent.

Disable accounts not used in last 30 days

You should disable any accounts that have not been used in the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed.

Review mailbox access by non-owners report bi-weekly

You should review the Mailbox Access by Non-Owners report at least every other week. This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time, and can help discover malicious insider activity sooner.

Enable Client Rules Forwarding Block

You should enable Client Rules Forwarding Blocks because the use of client-side forwarding (rules) to exfiltrate data to external recipients is becoming an increasingly used vector for data exfiltration by bad actors.

User alternate contact info is completed for all users

You should ensure that alternate contact information, such as an alternate email or cell phone number, is completed for all users. This will ensure that you can safely contact users to verify anomalous activity, and will ensure that if you have to enable multi-factor authentication for a user, they will be able to complete the registration.

Require mobile devices to block access and report policy violations

You should configure your mobile device management policies to block access to devices that violate your policy and to report those violations to an administrator. Users will be able to connect with non-compliant devices unless you block access, leading to vulnerable devices connecting to your data.

Do not use transport white lists

You should set your Exchange Online mail transport rules to not whitelist specific domains. Doing so bypasses regular malware and phish scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.

Review non-global administrators weekly

You should review non-global administrator role group assignments at least every week. While these roles are less powerful than a global admin, they do grant special privileges that can be used illicitly. If you see something unusual contact the user to confirm it is a legitimate need.

Enable Advanced Threat Protection safe links policy

You should enable the Office 365 Advanced Threat Protection Safe Links feature. This will extend the phishing protection in the service to include redirecting all email hyperlinks through a forwarding service which will block malicious ones even after it has been delivered to the end user.

Require mobile devices to manage email profile

You should configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to set up and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data.

SPO Sites have classification policies

You should set up and use SharePoint Online data classification policies on data stored in your SharePoint Online sites. This will help categorize your most important data so that you can effectively protect it from illicit access, and will help make it easier to investigate discovered breaches.

Enable MFA for all users

You should enable MFA for all of your user accounts because a breach of any of those accounts can lead to a breach of any data that user has access to.

Require mobile devices to use encryption

You should require your users to use encryption on their mobile devices. Unencrypted devices can be stolen and their data extracted by an attacker very easily.

Use non-global administrative roles

You should leverage non-global administrator roles to perform required administrative work with the least privileges necessary to complete the task. Using roles like Password Administrator or Exchange Online Administrator will reduce the number of high value, high impact global admin role holders you have, which will in turn reduce the likelihood of a breach of an account with global administrative privileges.

Do not allow calendar details sharing

You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.

IRM protections applied to documents

You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.

IRM protections applied to email

You should enable and use Information Rights Management protections on email and document data. This will help prevent accidental or malicious exposure of your data outside of your organizational boundaries. Attackers targeting specific, high value data assets will be prevented from opening them without a user credential in your tenancy.

Enable MFA for all global admins

You should enable MFA for all of your admin accounts because a breach of any of those accounts can lead to a breach of any of your data. We found that you had 2 admins out of 3 that did not have MFA enabled.

Enable mobile device management services

You should use a mobile device management service such as Office 365 Mobile Device Management or Microsoft Intune. Devices, especially mobile devices, are vulnerable to attacks such as malware that can lead to account and data breaches. We found that your enablement of mobile device management services is False.

Review malware detections report weekly

You should review the Malware Detections report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn't strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigations.

Enable Information Rights Management (IRM) services

You should enable IRM services so that your users can implement encryption and data leakage policies on specific documents and emails. This will make it more difficult for an attacker to steal valuable data.

Configure expiration time for external sharing links

You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared.

Do not expire passwords

You should designate less than five global tenant administrators because the more global admin users you have, the more likely it is that one of those accounts will be successfully breached by an external attacker.

Review mailbox forwarding rules weekly

You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users' email is not being exfiltrated.
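The weekly review above mentions a PowerShell script; this is one such script, added here as an example and not code from the automate-azure repo. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read mailbox and inbox-rule configuration; it treats any domain not in Get-AcceptedDomain as external and reports both mailbox-level forwarding and inbox rules that forward or redirect.

```powershell
# Added example: report mailbox forwarding and inbox rules that send mail
# to domains outside the tenant. Assumes the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains registered in the tenancy; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients come back as "Display Name [SMTP:user@domain]" or as
    # "smtp:user@domain"; extract the bare SMTP address first.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by the user in OWA or by an admin).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox forwarding)'
            Target  = $mbx.ForwardingSmtpAddress; Enabled = $true; Changed = $mbx.WhenChanged
        }
    }
    # Inbox rules with a forward, forward-as-attachment or redirect action.
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                    Target  = [string]$t; Enabled = $rule.Enabled; Changed = $rule.Identity
                }
            }
        }
    }
}

# Print for the weekly review and keep a dated CSV so week-over-week diffs are easy.
$findings | Sort-Object Mailbox, Rule | Format-Table -AutoSize
$findings | Export-Csv -Path ".\external-forwarding-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Rules whose target is a recognised partner mailbox still appear in the output; the point of the weekly review is to compare the list against the previous week's CSV and follow up on anything new.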

Review blocked devices report weekly

You should review your blocked devices report weekly. You should do this to look for devices and users that violated your mobile device management policies so you can determine if those violations were malicious or non-malicious.

Designate less than 5 global admins

You should designate less than five global tenant administrators because the more global admin users you have, the more likely it is that one of those accounts will be successfully breached by an external attacker.

Designate more than one global admin

You should designate more than one global tenant administrator because that one admin can perform malicious activity without the possibility of being discovered by another admin.

Enable mailbox auditing for all users

You should enable mailbox auditing for at least ninety percent of all users that have mailboxes in your tenancy. By default all non-owner access is audited, but you must enable auditing on the mailbox for owner access to also be audited. This will allow you to discover illicit access of Exchange Online activity if a user's account has been breached.
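To check the ninety percent threshold above and close the gap, the following is an added example (not the repo's own code) that assumes an existing Exchange Online PowerShell session. It counts user mailboxes with AuditEnabled set, then enables auditing, including the owner actions that are not audited by default, on the rest.

```powershell
# Added example: measure mailbox-audit coverage and enable it where missing.
# Assumes Connect-ExchangeOnline has already been run in this session.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$unaudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })

$total    = $mailboxes.Count
$covered  = $total - $unaudited.Count
$coverage = if ($total -gt 0) { [math]::Round(100 * $covered / $total, 1) } else { 0 }
Write-Host "Mailbox auditing enabled on $covered of $total user mailboxes ($coverage%)"
if ($coverage -lt 90) { Write-Warning "Below the 90% recommended coverage" }

foreach ($mbx in $unaudited) {
    # Non-owner access is audited by default; owner actions must be listed
    # explicitly. Keep 180 days of log so a breach investigation has history.
    Set-Mailbox -Identity $mbx.PrimarySmtpAddress -AuditEnabled $true `
        -AuditOwner @('Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'MailboxLogin') `
        -AuditLogAgeLimit 180
    Write-Host "Enabled auditing on $($mbx.PrimarySmtpAddress)"
}
```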
