ICT Security Guide CCN-STIC 885A - Secure Setup Guide for Office 365 - CCN-CERT
ICT Security Guide
CCN-STIC 885A

Secure Setup Guide for Office 365

DECEMBER 2019

Published by: National Cryptologic Centre, 2019
NIPO: 083-19-261-6

Date of edition: December 2019
Plain Concepts has participated in the creation and modification of this document and its annexes.
Sidertia Solutions S.L. has participated in the revision of this guide.

          LIMITATION OF RESPONSIBILITY
          This document is provided in accordance with the terms compiled in it, expressly rejecting any type of
          implicit guarantee that might be related to it. In no case can the National Cryptologic Centre be
          considered liable for direct, indirect, accidental or extraordinary damage derived from using information
          and software that are indicated even when a warning is provided concerning this damage.

          LEGAL NOTICE
          The partial or total reproduction of this document by any means or procedure, including reprography
          and computer processing, and the distribution of copies thereof by means of public rental or loan, are
          strictly prohibited without the written authorization of the National Cryptologic Center, under the
          sanctions established by law.


                                                 PROLOGUE
The massive use of information and telecommunications technologies (ICT) in all areas of society has created a new space, cyberspace, where conflicts and aggressions occur and where cyberthreats threaten national security, the rule of law, economic prosperity, the welfare state and the normal functioning of society and of public administrations.
                 Law 11/2002 of 6 May 2002, which regulates the National Intelligence Centre (CNI),
          entrusts the National Intelligence Centre with the exercise of functions related to information
          technology security in its article 4.e) and to the protection of classified information in its article
          4.f), while at the same time conferring on its Secretary of State Director the responsibility for
          running the National Cryptologic Centre (CCN) in its article 9.2.f).
                 Based on the knowledge and experience of the CNI on threats and vulnerabilities in
          terms of emerging risks, the Centre carries out, through its National Cryptologic Centre,
          regulated by Royal Decree 421/2004, of 12 March, several activities directly related to ICT
          security, aimed at training expert staff, applying security policies and procedures, and using
          appropriate security technologies.
                 Royal Decree 3/2010, of 8 January, which regulates the National Security Framework in
          the area of Electronic Administration (ENS, hereinafter), referred to in the second paragraph of
          Article 156 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, establishes
          the security policy in the use of electronic media that allows an adequate protection of
          information.
                 Precisely, Royal Decree 3/2010 of January 8, updated by Royal Decree 951/2015 of
          October 23, sets the basic principles and minimum requirements as well as the protection
          measures to be implemented in the Administration's systems, and promotes the elaboration
          and dissemination of information and communication technology security guides (STIC) by CCN
          to facilitate a better compliance with such minimum requirements.
                  In short, the CCN-STIC series of documents is drawn up to fulfil the tasks of the National
          Cryptologic Centre and what is reflected in the National Security Framework, aware of the
          importance of establishing a reference framework in this area to support the Administration's
          staff in carrying out their difficult and sometimes thankless task of providing security to the ICT
          systems under their responsibility.
                                                                                                     July 2019

                                                  Felix Sanz Roldan
                                                   Secretary of State
                                     Director of the National Cryptologic Centre


TABLE OF CONTENTS
1. OFFICE 365
  1.1 DESCRIPTION OF THE USE OF THIS GUIDE
  1.2 SOLUTION DEFINITION
  1.3 PREREQUISITES FOR DEPLOYMENT USING POWERSHELL
2. OFFICE 365 DEPLOYMENT
  2.1 ADMINISTRATOR - INITIAL CONFIGURATION
  2.2 END USER - FIRST STEPS
3. OFFICE 365 CONFIGURATION
  3.1 OPERATIONAL FRAMEWORK
    3.1.1 ACCESS CONTROL
      3.1.1.1 IDENTIFICATION
      3.1.1.2 ACCESS REQUIREMENTS
      3.1.1.3 SEGREGATION OF FUNCTIONS AND TASKS
      3.1.1.4 ACCESS RIGHTS MANAGEMENT PROCESS
      3.1.1.5 AUTHENTICATION MECHANISMS
      3.1.1.6 LOCAL ACCESS
      3.1.1.7 REMOTE ACCESS
    3.1.2 EXPLOITATION
      3.1.2.1 PROTECTION AGAINST MALWARE
      3.1.2.2 ACTIVITY RECORD
      3.1.2.3 INCIDENT MANAGEMENT
      3.1.2.4 PROTECTION OF ACTIVITY RECORDS
  3.2 PROTECTION MEASURES
    3.2.1 PROTECTION OF COMMUNICATIONS
    3.2.2 SYSTEM MONITORING
    3.2.3 PROTECTION OF INFORMATION
      3.2.3.1 RATING OF INFORMATION
      3.2.3.2 ENCRYPTION
      3.2.3.3 CLEANING OF DOCUMENTS
      3.2.3.4 BACKUP COPIES
    3.2.4 PROTECTION OF SERVICES
      3.2.4.1 PROTECTION AGAINST DENIAL OF SERVICE
4. OTHER SECURITY CONCERNS
  4.1 SERVICES AND COMPLEMENTS
5. FEATURES AVAILABLE THROUGH LICENSING
6. GLOSSARY AND ABBREVIATIONS
7. SUMMARY TABLE OF SECURITY MEASURES


          1. OFFICE 365

1.1 Description of the use of this guide

The purpose of this guide is to indicate the steps to follow to configure Office 365 in compliance with the requirements of the National Security Framework in its HIGH category.
This guide addresses the essential services common to all the services in the Office 365 software solution and should be read together with the specific guides for each service: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for SharePoint Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange Online] and Teams [CCN-STIC-885D - Secure Configuration Guide for Microsoft Teams].
The scenario presented in the guides is cloud-only; hybrid configurations combining the organization's on-premises systems with the cloud environment are not covered.
The following sources have been consulted for the preparation of this guide:
    -    Official Microsoft documentation.
    -    CCN-STIC-823 Cloud Services.
    -    CCN-STIC-884A - Secure Configuration Guide for Azure.
    -    ENS Royal Decree BOE-A-2010-1330.

1.2 Solution definition

Office 365 is a set of cloud-based applications and services hosted on Microsoft-owned servers and available from Internet-connected devices. Office 365 runs on Microsoft Azure.
It is a Microsoft solution that allows users to create, access and share Word, Excel, OneNote and PowerPoint documents from any device with Internet access. In addition, it provides tools for email, instant messaging, video conferencing, screen sharing, cloud storage, calendars, contacts, etc.


1.3 Prerequisites for deployment using PowerShell

Office 365 PowerShell allows the Office 365 settings to be managed from the command line. Connecting to Office 365 PowerShell is a simple process that involves installing the necessary software and connecting to the Office 365 organization.
There are two versions of the PowerShell module that can be used to connect to Office 365 and manage user accounts, groups and licenses:
    -    Azure Active Directory PowerShell for Graph (its cmdlets have AzureAD in their name).
    -    Microsoft Azure Active Directory Module for Windows PowerShell (its cmdlets have Msol in their name).
At the date of this guide, the Azure Active Directory PowerShell for Graph module does not completely replace the functionality of the Microsoft Azure Active Directory Module for Windows PowerShell cmdlets for user, group and license management. In many cases both versions will have to be used, and both can be safely installed on the same computer.
It should be noted that there are two ways of executing the PowerShell commands described in this guide: Azure Cloud Shell, included in the Azure portal itself; and remote execution of PowerShell, installing the necessary modules on the administrator's client computer. The security of a remote PowerShell session is viewed from two perspectives:
    -    Initial authentication, by a user with the appropriate rights for the management of the service.
    -    Continuous encryption of communication. Once the initial authentication is completed, the PowerShell remoting protocol (WS-Management) encrypts all communication with a per-session AES-256 symmetric key. Note that the Azure AD and MSOnline modules themselves call the service over HTTPS, so for those cmdlets the transport is protected by TLS regardless of where they are run.
Prerequisites
Use a 64-bit version of Windows. Compatibility with the 32-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell was discontinued in October 2014. Version 5.1 or later of PowerShell is also required. More information on platform prerequisites can be found at: https://docs.microsoft.com/es-es/office365/enterprise/powershell/connect-to-office-365-powershell
Install the Azure Active Directory PowerShell Module for Graph
1. Install the necessary software
These steps are only necessary once on the computer from which the Office 365 tenant is going to be administered, not every time a connection is made.
    1. Open a Windows PowerShell command prompt with elevated privileges (run Windows PowerShell as administrator).


    2. In the Windows PowerShell window (as administrator), execute this command:
                    #   Install-Module -Name AzureAD

         If you are asked whether you want to install a module from an untrusted repository, type "Y" and press ENTER. This happens because, by default, the PowerShell Gallery is not configured as a trusted repository. Answer "Yes" or "Yes to all".
To update to a new version of the module, execute the previous command with the Force parameter:
                    #   Install-Module -Name AzureAD -Force

         Note: monthly updates are recommended. Install-Module -Force installs the newest published version alongside any version already present; it does not remove the old one.

2. Connect to Azure AD for the Office 365 subscription
To connect to Azure AD for the Office 365 subscription with an account name and password, or with multifactor authentication (MFA), execute this command from a Windows PowerShell prompt:
                    #   Connect-AzureAD

Section [2.1 Administrator - initial configuration] explains how to obtain the administration access credentials.
Install the Microsoft Azure Active Directory Module for Windows PowerShell
The cmdlets of the Microsoft Azure Active Directory Module for Windows PowerShell have Msol in their name.
1. Install the necessary software
These steps are only necessary once on the computer, not every time a connection is made. However, it will probably be necessary to install the latest versions of the software periodically.
    1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals (RTW).
    2. Install the Microsoft Azure Active Directory Module for Windows PowerShell following these steps:


         -   Open a Windows PowerShell command prompt with elevated privileges (run Windows PowerShell as administrator).
         -   Execute the command:
                    #   Install-Module MSOnline

                    o Accept the installation of the NuGet provider.
                    o Accept the installation of the module from PSGallery.
To update to a new version of the module, execute the previous command with the Force parameter:
                    #   Install-Module MSOnline -Force

    Note: monthly updates are recommended.
2. Connect to Azure AD for the Office 365 subscription
To connect to Azure AD for the Office 365 subscription with an account name and password, or with multifactor authentication (MFA), execute this command from a Windows PowerShell prompt:
                    #   Connect-MsolService
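The following script, added here as an example and not part of the CCN-STIC guide, puts the steps of this section together: it checks the platform prerequisites (64-bit host, PowerShell 5.1 or later), installs or updates both modules, opens an MFA-capable interactive sign-in with each one, and then reports the tenant it is connected to, including whether directory synchronization is enabled, since the guide assumes the cloud-only scenario of section 1.1. The administrator account name is an assumption, and the function names are this example's own.

```powershell
#Requires -Version 5.1
# Added example, not part of the guide: prerequisite checks, module installation and
# connection to the Office 365 tenant with both modules (AzureAD and MSOnline).
# Run from a 64-bit Windows PowerShell prompt as an Azure AD administrator.

function Test-O365Prerequisites {
    # 64-bit host and PowerShell 5.1+ are the platform requirements stated in the guide.
    if (-not [Environment]::Is64BitProcess) {
        throw 'A 64-bit PowerShell host is required; 32-bit support for the MSOnline module ended in October 2014.'
    }
    if ($PSVersionTable.PSVersion -lt [Version]'5.1') {
        throw "PowerShell 5.1 or later is required (found $($PSVersionTable.PSVersion))."
    }
    if ($PSVersionTable.PSEdition -ne 'Desktop') {
        Write-Warning 'These modules target Windows PowerShell; PowerShell 7 may need its Windows PowerShell compatibility mode.'
    }
    # The PowerShell Gallery only accepts TLS 1.2 or later.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}

function Install-O365Modules {
    param([string[]] $Names = @('AzureAD', 'MSOnline'))
    foreach ($name in $Names) {
        if (Get-Module -ListAvailable -Name $name) {
            # Already installed: fetch the newest published version (the guide recommends monthly updates).
            Update-Module -Name $name -ErrorAction SilentlyContinue
        }
        else {
            # -Force answers the "untrusted repository" prompt the guide describes;
            # -Scope CurrentUser keeps the install in the user profile, so no elevated prompt is needed.
            Install-Module -Name $name -Repository PSGallery -Scope CurrentUser -Force
        }
        Import-Module -Name $name -ErrorAction Stop
    }
}

function Connect-O365Admin {
    param([Parameter(Mandatory)] [string] $AdminUpn)   # e.g. admin@contoso.onmicrosoft.com (assumed)

    # Both cmdlets open an interactive sign-in, so MFA is honoured and no password is stored in the script.
    Connect-AzureAD -AccountId $AdminUpn | Out-Null
    Connect-MsolService

    $tenant  = Get-AzureADTenantDetail
    $company = Get-MsolCompanyInformation
    [pscustomobject]@{
        Tenant               = $tenant.DisplayName
        TenantId             = $tenant.ObjectId
        InitialDomain        = ($tenant.VerifiedDomains | Where-Object Initial).Name
        DirectorySyncEnabled = [bool]$company.DirectorySynchronizationEnabled
        AzureADModule        = (Get-Module -Name AzureAD).Version.ToString()
        MSOnlineModule       = (Get-Module -Name MSOnline).Version.ToString()
    }
}

# Usage (interactive sign-in; the account is an assumption):
Test-O365Prerequisites
Install-O365Modules
$session = Connect-O365Admin -AdminUpn 'admin@contoso.onmicrosoft.com'
$session | Format-List
if ($session.DirectorySyncEnabled) {
    Write-Warning 'Directory synchronization is enabled: this tenant uses the hybrid model, not the cloud-only scenario of this guide.'
}
```

The script never takes a password as a parameter or stores one: both Connect cmdlets prompt through the Azure AD sign-in page, which is what makes MFA work for the administrator account. Running it from Azure Cloud Shell is also possible, in which case the prerequisite and installation functions are unnecessary because the modules are already provided there.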

2. OFFICE 365 DEPLOYMENT

This guide covers the security settings of Office 365 as a whole. The specific information for each service is found in the following guides: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for SharePoint Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange Online] and Teams [CCN-STIC-885D - Secure Configuration Guide for Microsoft Teams].
Office 365 belongs to the SaaS (Software as a Service) category. The CSP (Microsoft) is responsible for offering the software as a service to the customer.

2.1 Administrator - initial configuration

1. Access the Office 365 portal with an administrator user.
The administrator user accesses the Office 365 portal through the same URL as the end user: portal.office365.com.
When the Office 365 subscription is created, Microsoft sends an email with the user name and a temporary password that must be changed at the first login.

In addition to the applications available according to the license, the administrator sees an Admin icon, which opens the Microsoft 365 admin center.


There is also a Security icon, which opens the Office 365 Security & Compliance Center.

The first time the Office 365 portal is accessed as administrator, a message like the one in the figure below may appear. It is shown when product licenses have not yet been assigned to users in the organization.

2. Change the language to Spanish.
The setting is reached from the Settings icon on the top bar of the portal.


Licenses are assigned to users from the Microsoft 365 admin center.
3. Access the Microsoft 365 admin center.
It can be accessed through the Admin icon in the Office 365 portal or through the URL admin.microsoft.com.
If you do not have a professional domain name, a message may appear advising you to set one up to customize your email addresses.
Press the "Go to setup" button:

3.1.     Customize sign-in and email.
Using the organization's own domain is recommended.

3.2.     Add new users.
Licenses are assigned to the users specified in this step.


3.3.     End of the setup process.

More detailed information on how to add users and licenses is given in section [3.1.1 Access Control] of this guide.

2.2 End user - first steps

The end user accesses the Office 365 portal through the URL portal.office365.com. After entering the credentials, a panel is displayed with all the applications the user has access to.
In some cases, if the user license has not been assigned correctly, the following warning message may appear:


From the Office 365 panel itself, the desktop version of the applications can be installed.
Note: for the security configuration of the desktop version of the Office applications, refer to the most recent CCN-STIC guide (CCN-STIC-585 at the time of editing this guide).

Once the license has been assigned to the end user, and after logging into the Office 365 portal, a home page is displayed with the icons of all the applications that can be accessed, together with some warning messages.

It is advisable to set the language and the time zone.

The desktop versions of the applications can be installed, or the online versions accessed, by clicking on the corresponding icons.


          3. OFFICE 365 CONFIGURATION

Next, the configuration of Office 365 is addressed, focusing on compliance with the requirements of the National Security Framework.

          3.1 Operational Framework

          3.1.1 Access Control

Access control includes all the preparatory and executive activities aimed at allowing or denying an entity, user or process access to a system resource in order to perform a specific action.

3.1.1.1 Identification
Office 365 uses Azure Active Directory (Azure AD), a cloud-based identity and authentication service included with the Office 365 subscription, to manage Office 365 identities and authentication. For more information see [CCN-STIC-884A - Secure Configuration Guide for Azure].

3.1.1.1.1 Identity management models
This section addresses the different models and mechanisms for identity management in Office 365, focusing on two: the cloud-only identity model (taken as the reference in this guide) and the hybrid identity model.
Below is a comparison of the characteristics of both models.

Definition
    Cloud-only identity: the user account exists only in the Azure Active Directory (Azure AD) tenant of your Microsoft 365 subscription.
    Hybrid identity: the user account exists in AD DS and a copy is also available in the Azure AD tenant of your Microsoft 365 subscription. The Azure AD copy can also include a hashed version of the user account password.

How Microsoft 365 authenticates user credentials
    Cloud-only identity: the Azure AD tenant of your Microsoft 365 subscription performs the authentication with the cloud identity account.
    Hybrid identity: the Azure AD tenant of your Microsoft 365 subscription manages the authentication process or redirects the user to another identity provider.

Ideal for
    Cloud-only identity: organizations that do not have, and do not need, an on-premises AD DS.
    Hybrid identity: organizations that use AD DS or another identity provider.

Greatest benefit
    Cloud-only identity: easy to use; no additional servers or directory tools are required.
    Hybrid identity: users can use the same credentials when accessing on-premises or cloud-based resources.

Cloud-only identity model
A cloud-only identity uses user accounts that exist only in Azure AD. Cloud identity is typically used by small organizations that do not have on-premises servers or do not use AD DS to manage local identities.
These are the basic components of the cloud-only identity: local and remote (online) users use their Azure AD user accounts and passwords to access Office 365 cloud services, and Azure AD authenticates user credentials against the accounts and password hashes it stores.
         Administration
         Since user accounts are stored only in Azure AD, cloud identities can be managed with tools such as the Microsoft 365 admin center and Windows PowerShell with the Azure Active Directory PowerShell module for Graph.
Hybrid identity model
The hybrid identity uses accounts that originate in an on-premises AD DS and have a copy in the Azure AD tenant of a Microsoft 365 subscription. However, most changes flow only one way: changes made to AD DS user accounts are synchronized with their copy in Azure AD, but changes made to cloud-based accounts in Azure AD, such as new user accounts, are not synchronized back to AD DS.
Azure AD Connect provides ongoing account synchronization. It runs on an on-premises server, checks for changes in AD DS and forwards those changes to Azure AD. Azure AD Connect allows filtering which accounts are synchronized and whether a hashed version of the user passwords is synchronized as well, known as password hash synchronization (PHS).
With hybrid identity, the on-premises AD DS is the authoritative source for account information. This means that administration tasks are mainly performed in the on-premises environment and then synchronized to Azure AD.
These are the components of the hybrid identity.


          The tenant of Azure AD has a copy of the AD DS accounts. In this configuration, local
          and remote users who have access to Microsoft 365 cloud services are authenticated
          with Azure AD.
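As an added example (not code from the guide), the following function reports which of the two models a tenant is actually using, since the rest of this guide assumes cloud-only identities: it reads the tenant's directory synchronization flag and lists any user accounts that carry synchronization attributes. It assumes an existing Connect-AzureAD session with a role allowed to read users and the tenant; the function name is this example's own.

```powershell
# Added example, not part of the guide: report the identity model of the connected tenant.
# Requires a prior Connect-AzureAD with a role that can read users and tenant details.

function Get-IdentityModelReport {
    $tenant = Get-AzureADTenantDetail
    # -All $true is required; otherwise only the first page of users is returned.
    $users = Get-AzureADUser -All $true

    # Synchronized accounts carry DirSyncEnabled = $true and an ImmutableId (the AD DS source anchor).
    # An ImmutableId on an account that is not synced means it was pre-staged for, or left over from, sync.
    $synced = @($users | Where-Object { $_.DirSyncEnabled -eq $true })
    $staged = @($users | Where-Object { -not $_.DirSyncEnabled -and $_.ImmutableId })
    $cloud  = @($users | Where-Object { -not $_.DirSyncEnabled -and -not $_.ImmutableId })

    $lastSync = ($synced | Sort-Object LastDirSyncTime -Descending | Select-Object -First 1).LastDirSyncTime

    [pscustomobject]@{
        Tenant          = $tenant.DisplayName
        DirSyncEnabled  = [bool]$tenant.DirSyncEnabled
        Model           = if ($tenant.DirSyncEnabled) { 'Hybrid' } else { 'Cloud-only' }
        CloudOnlyUsers  = $cloud.Count
        SyncedUsers     = $synced.Count
        SyncedUserUpns  = @($synced.UserPrincipalName)
        LastDirSync     = $lastSync
        StagedForSync   = @($staged.UserPrincipalName)
    }
}

# Usage:
$report = Get-IdentityModelReport
$report | Format-List
if ($report.Model -ne 'Cloud-only' -or $report.SyncedUsers -gt 0) {
    Write-Warning "This tenant is not purely cloud-only: the on-premises AD DS is the authoritative source for $($report.SyncedUsers) account(s)."
}
```

The distinction matters for the rest of the guide: in a tenant where directory synchronization is enabled, the user, group and password operations described below must be performed in AD DS, because changes made in Azure AD to synchronized objects are overwritten or rejected.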

3.1.1.1.2 Identity management in the cloud-only model
With the cloud-only identity, all users, groups and contacts are stored in the Azure Active Directory (Azure AD) tenant of the Office 365 subscription.
Both users and groups can be created from:
    -    Microsoft 365 admin center
    -    Office 365 PowerShell
Microsoft 365 admin center
It can be accessed through the Admin icon in the Office 365 portal or through the URL admin.microsoft.com.
User creation
1. From the menu [Users\Active users] click on the "Add a user" icon and fill in the form.


Note: more information on password management is given in section [3.1.1.5 Authentication mechanisms].
2. Assign the license and the applications to which the user will have access.

3. To verify that the user has been created correctly, check the list of active users.

Basic operations on users
       From the [Users\Active users] menu, select the user and click on the "More options" icon.


          Manage licenses
          From the [Users\Active users] menu, the list of users with their assigned licenses is
          displayed. Select the appropriate user and click on the name. In the right panel, under
          the "Licenses and Applications" tab, configure the relevant options.

          Assign user to group
          From the [Users/Active users] menu, click on the user's "More options" icon.

          Edit user
          1. From the [Users/Active users] menu, click on the user's "name".

          2. To assign roles to the user, see section [3.1.1.3 Segregation of functions and tasks].
          Delete user
          From the [Users/Active users] menu, click on the user's "More options" icon.

          Move the files you want to keep within the retention period set for OneDrive files;
          by default, the retention period is 30 days.

          Create Group
          In the groups section of the Microsoft Administration Center 365, you can create and
          manage these types of groups:
                  - Office 365 groups are used for collaboration between users, both inside and
                    outside the company.
                  - Distribution groups are used to send notifications to a group of people.
                  - Security groups are used to grant access to SharePoint resources.
                  - Mail-enabled security groups are used to grant access to SharePoint resources
                    and send email notifications to those users.
                  - Shared mailboxes are used when several people need to access the same
                    mailbox, such as a company information or technical support email address.
                    It is important to activate the "Shared Mailbox Audit" to allow traceability in
                    these mailboxes, as described in the guide [CCN-STIC-885C - Secure
                    Configuration Guide for Exchange Online].

          1. Add group.
          From the [Groups] menu, press the "Add a Group" icon.

          2. Fill in group information.

              Although the message next to the privacy option says that it cannot be changed
              after the group is created, recent updates do allow it. The possible values are:
                      - Private: only members can see the group's content.
                      - Public: anyone can see the group's content.
              Note: The Private value is recommended, to increase control over which users can
              access group information.

          Manage group members
          1. From the [Groups] menu, clicking on the group name displays the group panel with
             different tabs. Select the "Members" tab.

          2. Then click on the link "View all members and manage them".

          Delete group
          From the [Groups] menu, click on the "More options" icon of the group.

          Office 365 PowerShell
          The Microsoft Azure Active Directory module for Windows PowerShell is required to
          execute the following scripts.
          Create an individual user account
                              #   New-MsolUser -DisplayName <DisplayName> -FirstName <FirstName> `
                                  -LastName <LastName> -UserPrincipalName <UserPrincipalName> `
                                  -UsageLocation <UsageLocation> -LicenseAssignment <AccountSkuId> `
                                  [-Password <Password>]

          Example:
                              #   New-MsolUser -DisplayName "John Doe" -FirstName John -LastName Doe `
                                  -UserPrincipalName johndoe@contoso.onmicrosoft.com -UsageLocation US

          Create multiple user accounts
          1. Create a comma-separated value (CSV) file containing the necessary user account
             information. For example:

                   UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation,AccountSkuId

                   ClaudeL@contoso.onmicrosoft.com,Claude,Loiselle,ClaudeLoiselle,US,contoso:ENTERPRISEPACK

                   LynneB@contoso.onmicrosoft.com,Lynne,Baxter,Lynne Baxter,US,contoso:ENTERPRISEPACK

                   ShawnM@contoso.onmicrosoft.com,Shawn,Melendez,Shawn Melendez,US,contoso:ENTERPRISEPACK

          2. Execute from PowerShell:

                              #   Import-Csv -Path <path to CSV file> | foreach {New-MsolUser `
                                  -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName `
                                  -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation `
                                  -LicenseAssignment $_.AccountSkuId [-Password $_.Password]} | Export-Csv `
                                  -Path <path to output CSV file>
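          The following script extends the Import-Csv pipeline above into a complete bulk-creation
          run. It is an added example, not part of the CCN-STIC guide or of Microsoft's
          documentation. It assumes the MSOnline module is installed and that Connect-MsolService
          has already been run; the file paths are placeholders and the sample rows reuse the
          contoso.onmicrosoft.com tenant from the guide's CSV. Unlike the one-liner, it checks the
          licence SKU against the tenant before creating anything, skips accounts that already
          exist, and gives each new account a one-time strong password that must be changed at the
          first login.

```powershell
# Added example, not from the CCN-STIC guide: bulk creation of cloud-only users
# with the MSOnline module. Assumes the module is installed and Connect-MsolService
# has been run. File paths and the contoso tenant values are placeholders.

$csvPath     = 'C:\Temp\new-users.csv'          # placeholder input path
$resultsPath = 'C:\Temp\new-users-result.csv'   # placeholder output path

# Constructed sample input, in the same column layout as the guide's CSV.
@'
UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation,AccountSkuId
ClaudeL@contoso.onmicrosoft.com,Claude,Loiselle,Claude Loiselle,US,contoso:ENTERPRISEPACK
LynneB@contoso.onmicrosoft.com,Lynne,Baxter,Lynne Baxter,US,contoso:ENTERPRISEPACK
'@ | Set-Content -Path $csvPath -Encoding UTF8

function New-InitialPassword {
    # 16 characters (the maximum in the guide's password table), at least one from each of
    # the four character groups, using only symbols from the guide's allowed list.
    $groups = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_?')
    $chars  = foreach ($g in $groups) { $g[(Get-Random -Maximum $g.Length)] }
    $all    = -join $groups
    $chars += 1..12 | ForEach-Object { $all[(Get-Random -Maximum $all.Length)] }
    -join ($chars | Sort-Object { Get-Random })   # shuffle so the group order is not predictable
}

# Licence SKUs that exist in this tenant: reject typos before any account is created.
$validSkus = (Get-MsolAccountSku).AccountSkuId
$users     = Import-Csv -Path $csvPath
foreach ($u in $users) {
    if (-not $u.UserPrincipalName -or -not $u.UsageLocation) {
        throw "Incomplete row for '$($u.DisplayName)': UserPrincipalName and UsageLocation are mandatory"
    }
    if ($validSkus -notcontains $u.AccountSkuId) {
        throw "Unknown AccountSkuId '$($u.AccountSkuId)' for $($u.UserPrincipalName)"
    }
}

$results = foreach ($u in $users) {
    # Idempotent: an existing account is reported, never re-created or overwritten.
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Status = 'Skipped (already exists)'; InitialPassword = '' }
        continue
    }
    $initialPassword = New-InitialPassword
    $created = New-MsolUser -DisplayName $u.DisplayName -FirstName $u.FirstName -LastName $u.LastName `
        -UserPrincipalName $u.UserPrincipalName -UsageLocation $u.UsageLocation `
        -LicenseAssignment $u.AccountSkuId -Password $initialPassword `
        -StrongPasswordRequired $true -ForceChangePassword $true   # one-time password, replaced at first login
    [pscustomobject]@{ UserPrincipalName = $created.UserPrincipalName; Status = 'Created'; InitialPassword = $initialPassword }
}

# The result file holds one-time passwords: hand them over out of band and delete the file afterwards.
$results | Export-Csv -Path $resultsPath -NoTypeInformation
$results | Format-Table -AutoSize
```

          The validation loop runs before the creation loop on purpose: a malformed row in the
          middle of the file should fail the whole batch rather than leave a half-provisioned set
          of accounts.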

          3.1.1.2 Access requirements
          The mechanisms for accessing resources are detailed in the specific guides for each
          service: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for SharePoint
          Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange
          Online].

          3.1.1.3 Segregation of functions and tasks

          Management Roles
          The O365 subscription includes a set of administrator roles that can be assigned to
          users in your organization. Each administrator role corresponds to a common business
          function and grants users the permissions to perform specific tasks in the
          administration centers.
          Since administrators have access to sensitive data and files, Microsoft recommends
          following these guidelines to keep the organization's data more secure.

          Recommendation: Have 2 to 4 global administrators
          Why is it important? Since only another global administrator can reset a global
          administrator's password, it is recommended to have at least two global administrators
          in your organization in case of an account lockout. But a global administrator has
          almost unlimited access to the organization's configuration and to most of its data,
          so it is also recommended not to have more than 4 global administrators, because
          every additional one is a security risk.

          Recommendation: Assign the least permissive role
          Why is it important? Assigning the least permissive role means giving administrators
          the minimum permissions necessary to do their job. For example, if you want someone
          to reset the employees' passwords, do not assign the unlimited global administrator
          role, but the password administrator role.

          Recommendation: Require MFA for administrators
          Why is it important? It is good practice to require MFA at login for all users, but it
          is necessary at least for administrators. MFA requires users to provide a second form
          of identification to verify that they are who they say they are.

          Assigning Administrator Roles to a User

          From the administration center, go to the user details and manage functions to assign
          a role to the user.

          Available roles in the Microsoft Administration Center 365
          The Microsoft 365 administration center allows you to manage more than 30 Azure AD
          roles. However, these roles are a subset of those available in the Azure portal.
          Usually, assigning the following roles is enough for the organization:

          Administrator role: Who should be assigned this role?

          Global Administrator
              Assign the global administrator role to users who need global access to most
              features and management data in Microsoft Online Services.
              Providing too many users with global access is a security risk; it is
              recommended to have 2-4 global administrators.
              Only global administrators are able to:
              - Reset passwords for all users
              - Add and manage domains

              Note: The person who signed up for Microsoft Online Services automatically
              becomes a global administrator.

          Billing Administrator
              Assign the billing administrator role to users who need to do the following:
              - Purchase licenses and subscriptions
              - Upgrade subscriptions
              - Pay for services
              - Receive email notifications for invoices
              - Manage service requests
              - Monitor the service status

          Administrator of the Technical Support Department
              Assign the Administrator of the Technical Support Department role to users who
              need to do the following:
              - Reset passwords
              - Force users to log out
              - Manage service requests
              - Monitor service status

              Note: The Support Department administrator can only help non-administrator
              users and users who are assigned these roles: directory reader, guest, support
              administrator, message center reader, and report reader.

          License Administrator
              Assign the license administrator role to users who need to do the following:
              - Manage licenses assigned to users
              - Manage licenses assigned to groups using group-based licensing
              - Edit the usage location for users

              Note: This role does not allow purchasing or managing subscriptions, adding or
              managing groups, or editing user properties, except for the usage location.

          Report Reader
              Assign the report reader role to users who need to do the following:
              - View usage data and activity reports
              - Get access to the Power BI adoption content package
              - View reports and login activity
              - View data returned by the Microsoft Graph Reports API

          User Administrator
              Assign the user administrator role to users who need to do the following for
              all users:
              - Add users and groups
              - Assign licenses
              - Manage most user properties
              - Create and manage user views
              - Update password expiration policies
              - Manage service requests
              - Monitor the service status

              The user administrator can also perform the following actions for
              non-administrators and users who are assigned the following roles: directory
              reader, guest, support administrator, message center reader, report reader:
              - Manage user names
              - Delete and restore users
              - Reset passwords
              - Force users to log out
              - Update device keys (FIDO)

          The Azure portal has more roles than those available in the Microsoft 365
          Administration Center.
          From Azure AD it is possible to create custom roles; this requires Azure AD Premium
          P1 or P2.

          3.1.1.4 Access rights management process
          More information is available in the specific guides for each service: SharePoint Online
          [CCN-STIC-885B - Secure Configuration Guide for SharePoint Online], Exchange Online
          [CCN-STIC-885C - Secure Configuration Guide for Exchange Online].

          3.1.1.5 Authentication mechanisms
          In the Microsoft Administration Center 365, from the [Settings\Security and Privacy]
          menu, password policies can be set for all the users in the organization.

          From Office 365 only these parameters can be changed; their default values are:
                  Days before the passwords expire                                   90
                  Days before notifying a user about the expiration                  14

          For more advanced management, it is necessary to resort to Azure AD. Consult guide
          [CCN-STIC-884A - Secure Configuration Guide for Azure].

          Enable Multifactor Authentication (MFA)
          As described in section [3.1.1.3 Segregation of functions and tasks], it is important to
          enable MFA at least for users with an administration role. To that end:
          1. Access the [Users/Active users] menu.

          2. Press the "Multifactor Authentication" icon on the top bar.

          3. A new administration panel opens:

          4. Mark a user with the corresponding check box and enable or disable MFA in the
             right panel.

              Note: It is also possible to perform a mass update by marking several users at once.
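          As an added example (not the guide's own procedure), the following MSOnline script
          checks the two recommendations from the table in section 3.1.1.3 for the global
          administrator role and then enables per-user MFA for any administrator who still has it
          disabled, which is the PowerShell equivalent of the "Multifactor Authentication" panel
          described above. It assumes Connect-MsolService has already been run; in the MSOnline
          module the global administrator role is named "Company Administrator".

```powershell
# Added example, not from the CCN-STIC guide: checks the guide's recommendations
# for privileged accounts (2-4 global administrators, MFA for every administrator)
# with the MSOnline module and enables per-user MFA where it is missing.
# Assumes Connect-MsolService has already been run.

# In MSOnline the global administrator role is called "Company Administrator".
$globalAdminRole = Get-MsolRole -RoleName 'Company Administrator'
$globalAdmins    = Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' }

# Recommendation 1: between 2 and 4 global administrators.
$count = @($globalAdmins).Count
if ($count -lt 2) {
    Write-Warning "Only $count global administrator(s): a lockout could not be recovered by a second administrator."
} elseif ($count -gt 4) {
    Write-Warning "$count global administrators: reduce to at most 4 to limit exposure."
} else {
    Write-Output "Global administrators: $count (within the recommended 2-4)."
}

# Recommendation 2: MFA for every administrator. Per-user MFA state is exposed in
# StrongAuthenticationRequirements: empty means disabled, otherwise State is Enabled or Enforced.
$report = foreach ($admin in $globalAdmins) {
    $user  = Get-MsolUser -ObjectId $admin.ObjectId
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        UserPrincipalName  = $user.UserPrincipalName
        MfaState           = $state
        LastPasswordChange = $user.LastPasswordChangeTimestamp
    }
}
$report | Format-Table -AutoSize

# Remediation: the PowerShell equivalent of enabling the user in the portal's
# "Multifactor Authentication" panel.
foreach ($entry in ($report | Where-Object { $_.MfaState -eq 'Disabled' })) {
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State        = 'Enabled'   # becomes Enforced once the user registers a method
    Set-MsolUser -UserPrincipalName $entry.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
    Write-Output "MFA enabled for $($entry.UserPrincipalName)"
}
```

          The report is printed before anything is changed, so the same script can be run
          read-only by removing the final loop; the LastPasswordChange column is included
          because a privileged account with MFA disabled and an old password deserves the
          earliest attention.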

          Office 365 PowerShell
          Planning of authentication methods
          Administrators can choose which authentication methods they want to make available
          to users. It is important to enable more than one authentication method so that users
          have an alternative available in case their primary method is not. The following
          methods are available for administrators to enable:
                  - Notification through mobile application.
                    A push notification is sent to the Microsoft Authenticator application on the
                    mobile device. The user sees the notification and selects Approve to complete
                    the check. Push notifications through a mobile application are the least
                    intrusive option for users.
                  - Verification code from mobile application.
                    A mobile application like Microsoft Authenticator generates a new OATH
                    verification code every 30 seconds. The user enters the verification code in the
                    login interface. The mobile application option can be used regardless of
                    whether the phone has a mobile signal or data connection.
                  - Phone call.
                    An automatic voice call is made to the user. The user answers the call and
                    presses # on the phone keypad to approve their authentication. The phone call
                    is a good alternative to verification codes or notifications from a mobile
                    application.
                  - Text message to the phone.
                    A text message containing a verification code is sent to the user; the user is
                    then prompted to enter the verification code in the login interface.
          For more information on how to configure the different authentication methods, see
          the [CCN-STIC-884A - Secure Configuration Guide for Azure] guide.
          PowerShell
          From PowerShell, three parameters related to user passwords can be queried and/or
          modified:
               - StrongPasswordRequired: whether a strong password is required (see the table
                 below).
               - PasswordNeverExpires: whether the password never expires.
               - ForceChangePassword: whether the password must be changed at the next login.

          User list with complexity and expiration information
                              #   Get-MsolUser | ft -auto UserPrincipalName, StrongPasswordRequired,
                                  PasswordNeverExpires

          Changing Password Parameters
          The following command is recommended:
                              #   Set-MsolUser -UserPrincipalName "User Principal Name"
                                  -StrongPasswordRequired $true
                                  -PasswordNeverExpires $false

          Note: It is not recommended to use the PasswordNeverExpires parameter in the company's
          production environments.
          As mentioned above, for advanced configuration of the password policy, the guide
          [CCN-STIC-884A - Secure Configuration Guide for Azure] should be used.

          The following is a breakdown of the features of Azure Active Directory user accounts,
          and the commands for modifying them:

          Property                           UPN (User Principal Name) requirement

          Allowed characters:
              Capital letters: A-Z
              Lower case: a-z
              Numbers: 0-9
              Special characters: @ # $ % ^ & * - _ ! ? / ` ~ " ( ) ;

          Characters not allowed in passwords:
              Unicode characters
              Spaces

          Restrictions on passwords:
              Minimum of 8 characters and maximum of 16.
              For "strong password" only: use 3 of the following 4 groups:
              Lower case
              Capital letters
              Numbers (0-9)
              Symbols (shown above)

          Password Expiration:
              Default value: 90 days.
              The value is configurable using the AAD PowerShell cmdlet Set-MsolPasswordPolicy.

          Notification of password expiration:
              Default value: 14 days (before the password expires).
              The value is configurable using the AAD PowerShell cmdlet Set-MsolPasswordPolicy.

          Password expiration (PasswordNeverExpires):
              Default value: false.
              The value can be set individually for user accounts using the cmdlet Set-MsolUser.

          Password History:
              The last password cannot be used when the user updates the password.

          Resetting Password History:
              The last password can be used again when the user has forgotten it.

          Account blocking:
              After 10 attempts with wrong passwords, the user is locked out for 1 minute.
              Subsequent unsuccessful attempts increase the blocking time.
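          The script below puts the PowerShell section and the table above together: it reads the
          tenant password policy (expiration and notification days) with Get-MsolPasswordPolicy,
          resets it to the guide's default values if it has drifted, and then finds and fixes user
          accounts that deviate from the recommended StrongPasswordRequired $true and
          PasswordNeverExpires $false. It is an added example, not the guide's own code; it assumes
          Connect-MsolService has been run, and the domain name and output path are placeholders.

```powershell
# Added example, not from the CCN-STIC guide: reviews the password settings the
# guide lists and applies its recommended values with the MSOnline module.
# Assumes Connect-MsolService has been run; the domain and path are placeholders.

$domain = 'contoso.onmicrosoft.com'   # placeholder tenant domain

# Tenant-level policy: ValidityPeriod is the expiration (guide default 90 days),
# NotificationDays the warning period (guide default 14 days).
$policy = Get-MsolPasswordPolicy -DomainName $domain
Write-Output ("Current policy: validity {0} days, notification {1} days" -f
    $policy.ValidityPeriod, $policy.NotificationDays)
if ($policy.ValidityPeriod -ne 90 -or $policy.NotificationDays -ne 14) {
    Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14
    Write-Output 'Policy reset to the default 90/14 days.'
}

# Per-user settings: the guide recommends StrongPasswordRequired $true and
# PasswordNeverExpires $false in production. List the deviations first.
$deviations = Get-MsolUser -All | Where-Object {
    -not $_.StrongPasswordRequired -or $_.PasswordNeverExpires
} | Select-Object UserPrincipalName, StrongPasswordRequired, PasswordNeverExpires, LastPasswordChangeTimestamp
$deviations | Format-Table -AutoSize

# Remediate, recording before/after values so the change can be traced later.
$changed = foreach ($u in $deviations) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongPasswordRequired $true -PasswordNeverExpires $false
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Before            = "Strong=$($u.StrongPasswordRequired) NeverExpires=$($u.PasswordNeverExpires)"
        After             = 'Strong=True NeverExpires=False'
        ChangedAt         = (Get-Date).ToString('s')
    }
}
$changed | Export-Csv -Path 'C:\Temp\password-remediation.csv' -NoTypeInformation   # placeholder path
```

          A user whose StrongPasswordRequired has never been set is also listed, because an unset
          value does not enforce complexity any more than an explicit false does.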

          3.1.1.6 Local access
          It requires the establishment of "two-factor authentication" (MFA) and an appropriate
          credential management policy, which are described in section [3.1.1.5 Authentication
          mechanisms]. A record of successful and unsuccessful system access attempts is also
          required, as described in section [3.1.2.2 Activity record] of this guide. Additionally,
          access to Office 365 can be controlled through conditional access policies or rules in
          ADFS, as described in the guide [CCN-STIC-884A - Secure Configuration Guide for Azure].

          3.1.1.7 Remote Access
          It should be noted that Office 365 is a cloud solution accessible by the end user
          through the Internet. Data encryption will be applied as described in section [3.2.3.2
          Encryption].

          3.1.2 Exploitation

          Since Office 365 is software offered as a service (SaaS), it is always up to date. In
          other words, the service is permanently maintained by Microsoft, which is responsible
          for updates and patches, as well as for establishing the mechanisms for threat
          detection and protection, in compliance with the requirements of the National Security
          Framework in its HIGH category.
          This section explains the operation and features of the Office 365 Security and
          Compliance Center, which can be accessed from the Administration portal.

          3.1.2.1 Protection against malware
          If your organization has Office 365 Advanced Threat Protection (Office 365 ATP), it will
          have a real-time discovery browser, accessible from the Office 365 Security and
          Compliance Center.

          The [Threat Management Panel] panel displays the general status:

          A detailed report is available in the [Threat Management] browser, where the following
          actions can be taken:
                  - View malware detected by Office 365 security features.
                  - See data on phishing URLs and click verdicts.
                  - Start an automated investigation and response process from a view in the
                    browser.
                  - Investigate malicious e-mail, etc.
          More information is available in the guide [CCN-STIC-885C - Secure Configuration
          Guide for Exchange Online].

          3.1.2.2 Activity record
          Regarding the recording of user and administrator activity, the activation of the Office
          365 Audit is required.
          When the audit log search is enabled in the Office 365 Security and Compliance Center,
          the user and administrator activity in the organization is recorded in the audit log and
          retained for 90 days.
          Activate/Deactivate Audit Log
          The Audit Logs role in Exchange Online must be assigned to enable or disable audit log
          searching in your Office 365 organization. By default, this role is assigned to the
          Compliance Management and Organization Management role groups on the
          permissions page in Exchange Management Center. Global Office 365 administrators
          are members of the organization management role group in Exchange Online.
          1. From the Office 365 Security and Compliance Center [Search/Search for Audit logs]
             menu, click the "Enable Audit" button.

          2. Press "Yes".
              Note: It can take several hours from the time the audit log is activated until the
              data is accessible in the search.

          Office 365 PowerShell
              1. Connect to Exchange Online via PowerShell.

              2. Execute the following PowerShell command to enable/disable the search for
                 audit records in Office 365:
                   Enable audit:
                              #   Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

                   Disable audit:
                              #   Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

          Consult audit log
          The audit log can be searched for what users and administrators in your organization
          are doing: email-related activities, groups, documents, permissions, directory
          services, and more.

          Note: At least 24 hours must pass before searching in the audit log.
          The Activities drop-down lists all possible searches related to the audit log, sorted
          by topic.

          Example of a query related to credentials:

          Example of a query related to file access:
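          The two portal queries illustrated above (credentials and file access) can be run from
          the same Exchange Online PowerShell session used to enable the audit log. The following
          is an added example, not the guide's own code: it first verifies with
          Get-AdminAuditLogConfig that unified audit log ingestion is really on, then uses
          Search-UnifiedAuditLog for sign-in events and for SharePoint/OneDrive file operations,
          and flattens the JSON in the AuditData column into a reviewable table. It assumes an
          Exchange Online session is already connected (step 1 above); the session identifier is
          an arbitrary label.

```powershell
# Added example, not from the CCN-STIC guide: verifies that unified audit log
# ingestion is on and runs the guide's two kinds of query (credential events and
# file access) from Exchange Online PowerShell. Assumes the session is connected.

# Confirm the setting rather than trusting an earlier Set-AdminAuditLogConfig call.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit log ingestion was off and has been enabled; records may take several hours to appear.'
}

$end   = Get-Date
$start = $end.AddDays(-7)

# Query 1 - credentials: sign-in successes and failures recorded by Azure AD.
# One call returns at most 5000 rows; repeating the call with the same SessionId
# and -SessionCommand ReturnLargeSet fetches the following pages.
$logons = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectoryStsLogon -Operations UserLoggedIn, UserLoginFailed `
    -ResultSize 5000 -SessionId 'ccn-logon-review' -SessionCommand ReturnLargeSet

# AuditData is a JSON document; keep only the fields worth reviewing.
$logonEvents = $logons | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
}

# Accounts with many failed sign-ins in the window: the first thing to look at
# when reviewing for password guessing against the tenant.
$logonEvents | Where-Object Operation -eq 'UserLoginFailed' |
    Group-Object User | Where-Object Count -ge 10 |
    Sort-Object Count -Descending | Select-Object Name, Count

# Query 2 - file access: SharePoint Online / OneDrive file operations.
$files = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations FileAccessed, FileDownloaded, FileDeleted `
    -ResultSize 5000
$files | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        File      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
} | Format-Table -AutoSize
```

          The ClientIP column is what ties a burst of failed logons or an unusual download to a
          location; the 90-day retention mentioned in this section means a review like this has to
          run at least that often, or the results have to be exported elsewhere.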

          Office 365 Management Activity API
          In addition to the Office 365 Security and Compliance Center, there is an Office 365
          Management Activity API to retrieve information about actions and events for users,
          administrators, systems, and policies from the Office 365 and Azure AD activity logs.
          The Office 365 Management Activity API is a REST Web service that can be used to
          develop solutions using any hosting language and environment that supports HTTPS
          and X.509 certificates. For more information, see the following Microsoft
          documentation:
          url: docs.microsoft.com/es-es/office365/securitycompliance/office-365-management-activity-api
          Activity reports in the Microsoft Administration Center 365
          Another way to get information on how users in the organization are using Office 365
          services is through the Microsoft 365 Administration Center, menu [Reports/Use]. For
          example, you can identify who is using a service very often, who is reaching quotas, or
          who may not need an Office 365 license at all.
          Reports can be obtained for the last 7, 30, 90 or 180 days. Clicking on a report widget
          drills down into the information it shows, to a more detailed level.
          Note: data is not available immediately for all the reporting periods (it usually
          appears within 48 hours).

          3.1.2.3 Incident Management
          See section [3.1.2.1 Protection against malware] for how to access "Threat
          Management" reports.
          Other relevant reports related to incident management, accessible from the Office
          365 Security and Compliance Center, are:
                  - Alert panel. Menu [Alerts/Panel].
                    https://protection.office.com/alertsdashboard
                  - Report panel. Menu [Reports\Panel].
                    https://protection.office.com/insightdashboard
                  - Reports for download. Menu [Reports\Reports for download].
                    https://protection.office.com/ReportsForDownload
                  - Search and inquiry. Main panel widget.
                    https://protection.office.com/searchandinvestigation/dashboard
                  - Mail flow panel. Menu [Mail Flow/Panel].
                    https://protection.office.com/mailflow/dashboard

          3.1.2.4 Protection of activity records
          User roles control who can view the activity log information. The roles defined for
          this purpose are:
              -    Global Administrators.
              -    Exchange Administrators.
              -    SharePoint Administrators.
              -    Skype for Business Administrators.
              -    Report reader.
          When a user or administrator performs an audited activity, an audit record is
          generated and stored in the organization's Office 365 audit log. How long an audit
          record is retained, and can therefore appear in searches, depends on the Office 365
          subscription and specifically on the type of license assigned to the user.

          Office 365 E3: Audit records are kept for 90 days. That means you can search the audit
          log for activities that have been performed in the last 90 days.
          Office 365 E5: Audit records are also kept for 90 days.
          Note: As of the publication date of this guide, Microsoft is working on extending the retention
          period to 1 year for users with an E5 or E3 license with the "Office 365 Advanced Compliance"
          add-on license.

          3.2       Protection measures

          3.2.1 Protection of communications

          Regarding the protection of communications, note that the TLS cryptographic
          protocols built into Office 365 are used automatically. This applies when:
                    Users work with files stored in OneDrive For Business or SharePoint Online.
                    Users share files in online meetings and instant messaging conversations.
          In fact, all Office 365 communications are encrypted: Mail Clients (POP, IMAP,
          SMTP-TLS), Outlook Clients (MAPI-HTTPS), Browsers (Web HTTPS), Mobile Devices
          (ActiveSync HTTPS), Teams and Skype (SIP-TLS). No additional configuration is
          required, but it is important to note that as of June 2020, TLS 1.0 and 1.1 support will
          be removed. This has direct implications for clients.
          See: https://docs.microsoft.com/en-us/office365/troubleshoot/security/prepare-tls-1.2-in-office-365.
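As an added example (not part of the CCN-STIC guide), the following read-only PowerShell check, run on a Windows client, reports whether that client is ready for the TLS 1.0/1.1 retirement: it reads the Schannel and .NET Framework registry settings covered in the Microsoft article referenced above and then performs a live handshake against outlook.office365.com to see which protocol version is actually negotiated. The FAIL/REVIEW wording and the Get-RegDword helper are this example's own.

```powershell
# Added example, not part of the CCN-STIC guide: read-only TLS 1.2 readiness check for a
# Windows client connecting to Office 365. Run from an elevated PowerShell prompt.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }   # key or value absent
    return [int]$p.$Name
}

function Test-Tls12ClientReadiness {
    param([string]$HostName = 'outlook.office365.com')   # Office 365 endpoint for the live test
    $findings = @()

    # Schannel: the TLS 1.2 client protocol must not be explicitly disabled.
    $sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if ((Get-RegDword $sch 'Enabled') -eq 0 -or (Get-RegDword $sch 'DisabledByDefault') -eq 1) {
        $findings += 'FAIL: Schannel has TLS 1.2 disabled for clients'
    }

    # .NET Framework 4.x applications (Outlook add-ins, PowerShell modules) on older framework
    # builds only negotiate TLS 1.2 by default when one of these two values is set to 1.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if ((Get-RegDword $hive 'SchUseStrongCrypto') -ne 1 -and
            (Get-RegDword $hive 'SystemDefaultTlsVersions') -ne 1) {
            $findings += "REVIEW: no SchUseStrongCrypto/SystemDefaultTlsVersions under $hive"
        }
    }

    # Live handshake: which protocol version does this host really negotiate with Office 365?
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)          # uses the OS/.NET default protocol set
        if ($ssl.SslProtocol -lt [System.Security.Authentication.SslProtocols]::Tls12) {
            $findings += "FAIL: negotiated $($ssl.SslProtocol) with $HostName"
        }
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $findings += "REVIEW: handshake with $HostName failed: $($_.Exception.Message)"
    }

    if ($findings.Count -eq 0) { return @('OK: TLS 1.2 ready') }
    return $findings
}

Test-Tls12ClientReadiness
```

A REVIEW finding on the .NET values is informational on recent framework builds, which default to the operating system's protocol set; a FAIL means the client will lose connectivity when TLS 1.0 and 1.1 are retired.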

          3.2.2 System monitoring

          It is possible to set alerts in Office 365 through the Office 365 Security and Compliance
          Center, [Alerts] menu.
          Activity alerts can be used to send email notifications to system administrators when
          users perform specific activities in Office 365. Activity alerts are similar to the events
          search in the Office 365 audit log, except that an email will be sent when an event
          occurs for which an alert has been created.
          How Alert Policies Work
          The following is a quick introduction on how alert policies work and what alerts are
          triggered when the activity of the user or the administrator meets the conditions of an
          alert policy.


          1. An administrator creates, configures, and activates an alert policy using the Alert
             Policies page in the Office 365 Security and Compliance Center. You can also create
             alert policies with the New-ProtectionAlert cmdlet.

          2. A user performs an activity that matches the conditions of an alert policy. In the
             case of malware attacks, infected emails sent to users in your organization trigger
             an alert.

          3. Office 365 generates an alert that is displayed in the [Alerts/View Alerts] menu of
             the Office 365 Security and Compliance Center. In addition, if e-mail notifications
             are enabled for the Alerts Policy, Office 365 sends a notification to a list of
             recipients. The alerts that an administrator or other users can see on the view
             alerts page are determined by the roles assigned to the user.

          4. An administrator manages alerts in the Office 365 Security and Compliance Center.
             Alert management is about assigning an alert status to help track and manage any
             investigations.

          Creating an Alert Policy
          Alert policies can be used to track the activities of administrators and users, malware
          threats or data loss incidents across the organization. After choosing the activity that
          requires alerting, the policy can be refined by adding conditions, deciding when to
          activate the alert and who should be notified.
          1. Access the [Alerts/Alerts Policies] menu from the Office 365 Security and
             Compliance Center.


          2. Mark the alerts that you want to track from the list of predefined alerts.
              Predefined alerts can be turned on or off and some of their settings can be
              changed.

          3. Click on a specific policy to access its properties.
             For example, the "Unusual volume of file deletion" policy is activated when a user has
             deleted an unusual number of files.
             Learn more about the default alerts in Microsoft's documentation:
             https://docs.microsoft.com/es-es/office365/securitycompliance/alert-policies


          To create a custom alert policy, click on the "New Alert Policy" button in the
          [Alerts/Alerts Policies] menu. As an example, a policy will be created for the suspicious
          deletion of Word files in a specific location (SharePoint site CCN-SPO-SITIO1).
          1. Assign a name.

          2. Create alert settings.
          What do you want to send alerts about?
          Select an activity:

          Add conditions:
          For most activities, you can define additional conditions that must be met to trigger an
          alert. Common conditions include references to IP addresses (so an alert is triggered
          when the user performs the activity on a computer with a specific IP address or within
          a range of IP addresses), specific users, file names, site URLs, or file extensions.

          In the example:

          How do you want the alert activated?


          3. Configure the recipients

          View Alert Policies
          Custom policies, as well as all default policies, can be viewed in the Office 365 Security
          and Compliance Center from the [Alerts/Alert Policy] menu.
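As an added example (not part of the CCN-STIC guide), the same custom policy for the deletion of Word files in the SharePoint site CCN-SPO-SITIO1 can be created from Security & Compliance PowerShell with the New-ProtectionAlert cmdlet mentioned earlier. The tenant name in the site URL, the administrator account and the notification mailbox are placeholders, and the Activity.* filter properties are assumed from the cmdlet's documented filterable audit fields.

```powershell
# Added example, not part of the CCN-STIC guide: the custom alert policy of the example above,
# created with New-ProtectionAlert instead of the Security and Compliance Center UI.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@TENANT.onmicrosoft.com'   # placeholder admin UPN

$alertName = 'CCN - Deletion of Word files in CCN-SPO-SITIO1'
$siteUrl   = 'https://TENANT.sharepoint.com/sites/CCN-SPO-SITIO1'       # placeholder tenant name
$notify    = 'soc@TENANT.example'                                       # placeholder recipients

# Conditions, written as OPATH over the cmdlet's filterable audit fields: only deletions inside
# the target site whose file extension is a Word format.
$filter = "Activity.SiteUrl -like '$siteUrl*' -and " +
          "(Activity.SourceFileExtension -eq 'docx' -or Activity.SourceFileExtension -eq 'doc')"

$policy = @{
    Name                = $alertName
    Category            = 'DataGovernance'
    ThreatType          = 'Activity'
    Operation           = 'FileDeleted'          # the audited activity to alert on
    Filter              = $filter
    AggregationType     = 'SimpleAggregation'    # fire when a volume threshold is exceeded...
    Threshold           = 20                     # ...20 matching deletions...
    TimeWindow          = 60                     # ...within 60 minutes
    Severity            = 'High'
    NotifyUser          = $notify                # "Configure the recipients" step
    NotificationEnabled = $true
    Description         = 'Bulk deletion of Word documents in CCN-SPO-SITIO1'
}

# Idempotent: create the policy only if one with this name does not already exist.
if (-not (Get-ProtectionAlert -Identity $alertName -ErrorAction SilentlyContinue)) {
    New-ProtectionAlert @policy
}

# Verify what was stored (the same properties the [Alerts/Alert Policy] page shows).
Get-ProtectionAlert -Identity $alertName |
    Format-List Name, Operation, Filter, AggregationType, Threshold, TimeWindow, NotifyUser, Disabled
```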

          3.2.3 Protection of information

          3.2.3.1 Classification of information
          This section mainly deals with the mechanisms offered by Office 365 to classify
          information and apply policies to it. Specifically:
                  Retention policies that can be applied on the tenant, to determine what to do
                   with the information after a certain period of time.
                  DLP (Data Loss Prevention) policies. With these policies, you can identify,
                   monitor and protect sensitive information throughout Office 365.
                  Sensitivity labels. They allow you to classify, encrypt, mark, and control access
                   to documents and emails in Office 365.


          3.2.3.1.1 Retention policies
          Defining Retention Labels
          These labels are defined in the Office 365 Security and Compliance Center under the
          [Classification/Retention Labels] menu and are used to apply retention policies to
          Exchange emails and SharePoint and OneDrive documents. You can define the time that the
          mail or document should be retained, or the time after which it should be deleted. In
          addition, retentions can be applied from the date of creation, last change, or from the
          date of application of the label.
          A document can also be declared as a Record to prevent it from being edited or
          deleted.
          Labels can be automatically applied according to conditions set in the Office 365
          Security and Compliance Center, and users can also apply these labels directly to Office
          applications, as well as to SharePoint or OneDrive.
          Retention labels are related to compliance and are applied to mail or documents in a
          specific location.
          Example: in the commercial department, it is necessary to apply retention policies to
          various documents:
              -    Budget: 5-year retention after the budget deadline.
              -    Contracts: 10-year retention after the end date of the contract.
              -    Product sheets: declared as a record (not deleted).
          Consulting and modifying retention labels
          1. Access the [Classification/Retention Labels] menu.
          2. Select a label.

          3. Edit label. In the right panel, press the "Edit label" button.
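As an added example (not part of the CCN-STIC guide), the three labels of the commercial department example can be defined, consulted and edited from Security & Compliance PowerShell, mirroring the [Classification/Retention Labels] steps above. The administrator account is a placeholder, and the budget deadline and contract end date are assumed to be modelled as retention event types, since both periods start at a business event rather than at creation.

```powershell
# Added example, not part of the CCN-STIC guide: retention labels for the commercial department
# example (Budget, Contracts, Product sheets), defined and then edited with PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@TENANT.onmicrosoft.com'   # placeholder admin UPN

# Event types for event-based retention (assumption: one per business event), created once.
foreach ($evt in 'Budget deadline', 'Contract end') {
    if (-not (Get-ComplianceRetentionEventType -Identity $evt -ErrorAction SilentlyContinue)) {
        New-ComplianceRetentionEventType -Name $evt | Out-Null
    }
}

# Budget: keep 5 years (1825 days) after the budget deadline, then delete.
New-ComplianceTag -Name 'Budget' -RetentionType EventAgeInDays -EventType 'Budget deadline' `
    -RetentionAction KeepAndDelete -RetentionDuration 1825 `
    -Comment 'Commercial dept: deleted 5 years after the budget deadline'

# Contracts: keep 10 years (3650 days) after the end date of the contract, then delete.
New-ComplianceTag -Name 'Contracts' -RetentionType EventAgeInDays -EventType 'Contract end' `
    -RetentionAction KeepAndDelete -RetentionDuration 3650 `
    -Comment 'Commercial dept: deleted 10 years after the contract ends'

# Product sheets: declared as a record and retained indefinitely, so it cannot be edited or deleted.
New-ComplianceTag -Name 'Product sheets' -RetentionAction Keep -RetentionDuration Unlimited `
    -IsRecordLabel $true -Comment 'Commercial dept: record, never deleted'

# Consult the labels (steps 1 and 2 above) ...
Get-ComplianceTag | Where-Object Name -in 'Budget', 'Contracts', 'Product sheets' |
    Format-Table Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel

# ... and modify one (step 3, "Edit label"). Illustrative change: extend Budget to 6 years.
Set-ComplianceTag -Identity 'Budget' -RetentionDuration 2190 `
    -Comment 'Commercial dept: deleted 6 years after the budget deadline'
```

Publishing the labels to users (a retention label policy) is a separate step done from the same menu; the labels above are only defined, not yet published.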
