ICT Security Guide CCN-STIC 885A - Secure Setup Guide for Office 365 - CCN-CERT
CCN-STIC 885A
Secure Setup Guide for Office 365

Electronic seal on the original PDF: 2.5.4.13=Qualified Certificate: AAPP-SEP-M-SW-KPSC, ou=sello electrónico, serialNumber=S2800155J, o=CENTRO CRIPTOLOGICO NACIONAL, c=ES, 2020.02.13 16:30:46 +01'00'

National Cryptologic Centre, 2019
NIPO: 083-19-261-6
Date of Edition: December 2019

Plain Concepts has participated in the creation and modification of this document and its annexes.
Sidertia Solutions S.L. has participated in the revision of this guide.

LIMITATION OF RESPONSIBILITY

This document is provided in accordance with the terms compiled in it, expressly rejecting any type of implicit guarantee that might be related to it. In no case can the National Cryptologic Centre be considered liable for direct, indirect, accidental or extraordinary damage derived from using the information and software indicated, even when a warning is provided concerning this damage.

LEGAL NOTICE

The partial or total reproduction of this document by any means or procedure, including reprography and computer processing, and the distribution of copies thereof by means of public rental or loan, are strictly prohibited without the written authorization of the National Cryptologic Centre, under the sanctions established by law.
PROLOGUE

The massive use of information and telecommunications technologies (ICT), in all areas of society, has created a new space, cyberspace, where conflicts and aggressions occur, and where there are cyberthreats that threaten national security, the rule of law, economic prosperity, the welfare state and the normal functioning of society and public administrations.

Law 11/2002 of 6 May 2002, which regulates the National Intelligence Centre (CNI), entrusts the National Intelligence Centre with the exercise of functions related to information technology security in its article 4.e) and to the protection of classified information in its article 4.f), while at the same time conferring on its Secretary of State Director the responsibility for running the National Cryptologic Centre (CCN) in its article 9.2.f).

Based on the knowledge and experience of the CNI on threats and vulnerabilities in terms of emerging risks, the Centre carries out, through its National Cryptologic Centre, regulated by Royal Decree 421/2004, of 12 March, several activities directly related to ICT security, aimed at training expert staff, applying security policies and procedures, and using appropriate security technologies.

Royal Decree 3/2010, of 8 January, which regulates the National Security Framework in the area of Electronic Administration (ENS, hereinafter), referred to in the second paragraph of Article 156 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, establishes the security policy in the use of electronic media that allows an adequate protection of information.

Precisely, Royal Decree 3/2010 of 8 January, updated by Royal Decree 951/2015 of 23 October, sets the basic principles and minimum requirements as well as the protection measures to be implemented in the Administration's systems, and promotes the elaboration and dissemination of information and communication technology security guides (STIC) by the CCN to facilitate better compliance with such minimum requirements.

In short, the CCN-STIC series of documents is drawn up to fulfil the tasks of the National Cryptologic Centre and what is reflected in the National Security Framework, aware of the importance of establishing a reference framework in this area to support the Administration's staff in carrying out their difficult and sometimes thankless task of providing security to the ICT systems under their responsibility.

July 2019
Felix Sanz Roldan
Secretary of State Director of the National Cryptologic Centre
TABLE OF CONTENTS

1. OFFICE 365 (p. 6)
  1.1 DESCRIPTION OF THE USE OF THIS GUIDE (p. 6)
  1.2 SOLUTION DEFINITION (p. 6)
  1.3 PREREQUISITES FOR DEPLOYMENT USING POWERSHELL (p. 7)
2. OFFICE 365 DEPLOYMENT (p. 9)
  2.1 ADMINISTRATOR - INITIAL CONFIGURATION (p. 9)
  2.2 END USER - FIRST STEPS (p. 12)
3. OFFICE 365 CONFIGURATION (p. 14)
  3.1 OPERATIONAL FRAMEWORK (p. 14)
    3.1.1 ACCESS CONTROL (p. 14)
      3.1.1.1 IDENTIFICATION (p. 14)
      3.1.1.2 ACCESS REQUIREMENTS (p. 23)
      3.1.1.3 SEGREGATION OF FUNCTIONS AND TASKS (p. 23)
      3.1.1.4 ACCESS RIGHTS MANAGEMENT PROCESS (p. 27)
      3.1.1.5 AUTHENTICATION MECHANISMS (p. 27)
      3.1.1.6 LOCAL ACCESS (p. 31)
      3.1.1.7 REMOTE ACCESS (p. 31)
    3.1.2 EXPLOITATION (p. 31)
      3.1.2.1 PROTECTION AGAINST MALWARE (p. 31)
      3.1.2.2 ACTIVITY RECORD (p. 32)
      3.1.2.3 INCIDENT MANAGEMENT (p. 35)
      3.1.2.4 PROTECTION OF ACTIVITY RECORDS (p. 37)
  3.2 PROTECTION MEASURES (p. 38)
    3.2.1 PROTECTION OF COMMUNICATIONS (p. 38)
    3.2.2 SYSTEM MONITORING (p. 38)
    3.2.3 PROTECTION OF INFORMATION (p. 43)
      3.2.3.1 RATING OF INFORMATION (p. 43)
      3.2.3.2 ENCRYPTION (p. 69)
      3.2.3.3 CLEANING OF DOCUMENTS (p. 70)
      3.2.3.4 BACKUP COPIES (p. 70)
    3.2.4 PROTECTION OF SERVICES (p. 71)
      3.2.4.1 PROTECTION AGAINST DENIAL OF SERVICE (p. 71)
4. OTHER SECURITY CONCERNS (p. 71)
  4.1 SERVICES AND COMPLEMENTS (p. 71)
5. FEATURES AVAILABLE THROUGH LICENSING (p. 72)
6. GLOSSARY AND ABBREVIATIONS (p. 74)
7. SUMMARY TABLE OF SECURITY MEASURES (p. 76)
1. OFFICE 365

1.1 Description of the use of this guide

The purpose of this guide is to indicate the steps to follow to configure Office 365 in compliance with the requirements of the National Security Framework in its HIGH category.

This guide addresses the essential services common to all the services in the Office 365 software solution and should be consulted jointly with the specific guides for each service: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for Sharepoint Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange Online] and Teams [CCN-STIC-885D - Secure Configuration Guide for Microsoft Teams].

The scenario presented in the guides is "cloud only"; hybridization of the organization's on-premises systems with the cloud environment is not contemplated.

The following sources have been consulted for the preparation of this guide:
- Official Microsoft documentation.
- CCN-STIC-823 Cloud Services.
- CCN-STIC-884A - Secure Configuration Guide for Azure.
- ENS Royal Decree BOE-A-2010-1330.

1.2 Solution definition

Office 365 is a set of cloud-based applications and services hosted on Microsoft-owned servers and available from Internet-connected devices. Office 365 runs on Microsoft Azure.

It is a Microsoft solution that allows users to create, access and share Word, Excel, OneNote and PowerPoint documents from any device with Internet access. In addition, it provides tools for email, instant messaging, video conferencing, screen sharing, cloud storage, calendars, contacts, etc.
1.3 Prerequisites for deployment using PowerShell

Office 365 PowerShell allows the Office 365 settings to be managed from the command line. Connecting to Office 365 PowerShell is a simple process that involves installing the necessary software and connecting to the Office 365 organization.

There are two versions of the PowerShell module that can be used to connect to Office 365 and manage user accounts, groups, and licenses:
- Azure Active Directory PowerShell for Graph (its cmdlets have AzureAD in their name).
- Microsoft Azure Active Directory Module for Windows PowerShell (its cmdlets have Msol in their name).

On the date of this guide, the Azure Active Directory PowerShell for Graph module does not completely replace the functionality of the cmdlets of the Microsoft Azure Active Directory Module for Windows PowerShell for user, group, and license management. In many cases, both versions should be used. Both versions can be safely installed on the same computer.

It should be noted that there are two ways of executing the PowerShell commands described in this guide: Azure Cloud Shell, included in the Azure portal itself; and remote execution of PowerShell, installing the necessary modules on the administrator's client computer.

The security of a PowerShell remote communication connection is viewed from two perspectives:
- Initial authentication. By a user with the appropriate rights for the management of the service.
- Continuous encryption of communication. Once the initial authentication is completed, the PowerShell remote communication protocol encrypts all communication with a per-session AES256 symmetric key.

Pre-requisites

Use a 64-bit version of Windows. Compatibility with the 32-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell was discontinued in October 2014. It is also necessary to use version 5.1 or later of PowerShell.
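The prerequisites above can be checked before any module is installed. The following script is an added example, not code from the CCN-STIC 885A guide: it verifies the 64-bit process, the PowerShell 5.1 minimum, the presence of the AzureAD and MSOnline modules and whether the session is elevated, and then installs or updates (with -Force, as the guide recommends doing monthly) whatever is missing. The function names are this example's own; every cmdlet and .NET call used is standard Windows PowerShell.

```powershell
# Added example (not part of CCN-STIC 885A): checks the section 1.3 prerequisites and
# reports them as one object, so the result can be logged or piped to Format-List.
function Test-O365PowerShellPrerequisites {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $ver = $PSVersionTable.PSVersion
    $findings = [ordered]@{
        # The 32-bit MSOnline module was discontinued in October 2014; the process must be 64-bit.
        Is64BitProcess        = [Environment]::Is64BitProcess
        PowerShellVersion     = $ver.ToString()
        # The guide requires PowerShell 5.1 or later (major/minor compare avoids SemVer quirks).
        PowerShellVersionOk   = ($ver.Major -gt 5) -or ($ver.Major -eq 5 -and $ver.Minor -ge 1)
        AzureADModulePresent  = [bool](Get-Module -ListAvailable -Name AzureAD)
        MSOnlineModulePresent = [bool](Get-Module -ListAvailable -Name MSOnline)
        # Install-Module needs an elevated prompt when installing for all users.
        Elevated              = $elevated
        # PSGallery is untrusted by default, which is why Install-Module asks for confirmation.
        PSGalleryTrusted      = ((Get-PSRepository -Name PSGallery -ErrorAction SilentlyContinue).InstallationPolicy -eq 'Trusted')
    }
    $findings.Ready = $findings.Is64BitProcess -and $findings.PowerShellVersionOk -and
                      $findings.AzureADModulePresent -and $findings.MSOnlineModulePresent
    [pscustomobject]$findings
}

# Installs any module that is missing; with -Update, re-runs Install-Module -Force for both,
# which is the update procedure the guide gives in section 1.3.
function Install-O365PowerShellModules {
    [CmdletBinding()]
    param([switch]$Update)

    $status = Test-O365PowerShellPrerequisites
    if (-not $status.Is64BitProcess -or -not $status.PowerShellVersionOk) {
        throw "Unsupported host: 64-bit Windows PowerShell 5.1 or later is required."
    }
    if (-not $status.Elevated) {
        throw "Run this from an elevated (Run as administrator) Windows PowerShell prompt."
    }
    foreach ($name in 'AzureAD', 'MSOnline') {
        $present = [bool](Get-Module -ListAvailable -Name $name)
        if (-not $present -or $Update) {
            # -Force suppresses the untrusted-repository prompt and installs a newer version if one exists.
            Install-Module -Name $name -Force
        }
    }
    Test-O365PowerShellPrerequisites
}

# Usage (interactive):
#   Test-O365PowerShellPrerequisites | Format-List
#   Install-O365PowerShellModules -Update
#   Connect-AzureAD        # AzureAD module session (MFA prompt supported)
#   Connect-MsolService    # MSOnline module session (MFA prompt supported)
```

Running Test-O365PowerShellPrerequisites first and acting only on a Ready = False result keeps the monthly update step from silently running as a non-elevated user, where Install-Module would fall back to a per-user scope that other administrators on the same computer would not see.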
More information on platform prerequisites can be found at: https://docs.microsoft.com/es-es/office365/enterprise/powershell/connect-to-office-365-powershell.

Install Azure Active Directory PowerShell Module for Graph

1. Install the necessary software

These steps are necessary only once on the physical computer from which the Office 365 tenant is going to be administered, not every time it is connected.

1. Open a Windows PowerShell command prompt with elevated privileges (execute Windows PowerShell as administrator).
2. In the Windows PowerShell command window (as administrator), execute this command:

    Install-Module -Name AzureAD

If you are asked whether you want to install a module from an untrusted repository, type "Y" and press ENTER. This happens because, by default, the PowerShell Gallery is not configured as a trusted repository. Answer Yes or Yes to all.

To update to a new version of the module, execute the previous command with the Force parameter:

    Install-Module -Name AzureAD -Force

Note: Monthly updates are recommended.

2. Connect to Azure AD for the Office 365 subscription

To connect to Azure AD for the Office 365 subscription with an account name and password or with Multifactor Authentication (MFA), execute this command from a Windows PowerShell command prompt:

    Connect-AzureAD

Section [2.1. Administrator - Initial Setup] explains how to obtain the administration access credentials.

Install Microsoft Azure Active Directory Module for Windows PowerShell

Microsoft Azure Active Directory Module for Windows PowerShell commands have Msol in the name of their cmdlet.

1. Install the necessary software

These steps are necessary just once on the computer, not every time it is connected. However, it will probably be necessary to install the latest versions of the software periodically.

1. Install the 64-bit version of Microsoft Online Services Login Assistant: Microsoft Online Services Login Assistant for IT Professionals (RTW).
2. Install the Microsoft Azure Active Directory Module for Windows PowerShell following these steps:
   - Open a Windows PowerShell command prompt with elevated privileges (execute Windows PowerShell as administrator).
   - Execute the command:

    Install-Module MSOnline

   - Accept the installation of the NuGet provider.
   - Accept the installation of the module from PSGallery.

To update to a new version of the module, execute the previous command with the Force parameter:

    Install-Module MSOnline -Force

Note: Monthly updates are recommended.

2. Connect to Azure AD for the Office 365 subscription

To connect to Azure AD for the Office 365 subscription with an account name and password or with Multifactor Authentication (MFA), execute this command from a Windows PowerShell command prompt:

    Connect-MsolService

2. OFFICE 365 DEPLOYMENT

This guide refers to the security settings of Office 365. The specific information for each service is found in the following guides: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for Sharepoint Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange Online] and Teams [CCN-STIC-885D - Secure Configuration Guide for Microsoft Teams].

Office 365 is included in the SaaS (Software as a Service) service category. The CSP (Microsoft) is responsible for offering the software as a service to the client.

2.1 Administrator - initial configuration

1. Access the Office 365 portal with an administrator user.

The administrator user can access the Office 365 portal through the same URL as the end user: portal.office365.com. When the Office 365 subscription is created, Microsoft sends an email with the user name and a temporary password that must be changed at the first login.

In addition to the applications you have access to according to your license, there is an administration icon to access the Microsoft 365 Administration Center.
There is also a security icon to access the Office 365 Security & Compliance Center.

The first time you access the Office 365 portal as administrator, a message like the one in the figure below may appear. It is shown when product licenses have not yet been assigned to users in the organization.

2. Change the language to Spanish. It can be accessed from the Configuration icon on the top bar of the portal.
The assignment of licenses to users is done from the Microsoft 365 Administration Center.

3. Access the Microsoft 365 Administration Center. It can be accessed through the Admin icon in the Office 365 portal or through the URL: admin.microsoft.com.

If you do not have a professional domain name, a message may appear warning you to set one up to customize your email accounts. Press the "Go to installation" button:

3.1. Customize login and email. Customization with the organization's own domain is recommended.

3.2. Add new users. Licenses are assigned to the users specified in this step.
3.3. End of the installation process.

More detailed information on how to add users and licenses is provided in section [3.1.1 Access Control] of this guide.

2.2 End user - first steps

The end user can access the Office 365 portal through the URL: portal.office365.com. After entering their credentials, a panel is displayed with all the applications they have access to.

In some cases, if the user license has not been assigned correctly, the following warning message may appear:
From the Office 365 panel itself, the desktop version of the applications can be installed.

Note: For the security configuration of the desktop version of the Office applications, please refer to the most recent CCN-STIC guide (CCN-STIC-585 at the time of editing this guide).

Once the license has been assigned to the end user, and after logging into the Office 365 portal, a home page is displayed with the icons of all the applications that can be accessed, and some warning messages. It is advisable to set the language and the time zone. It is possible to install the desktop versions of the applications or to access them online by clicking on the corresponding icons.
3. OFFICE 365 CONFIGURATION

Next, the configuration of Office 365 is addressed, focusing on compliance with the requirements of the National Security Framework.

3.1 Operational Framework

3.1.1 Access Control

Access control includes all the preparatory and executive activities aimed at allowing or denying an entity, user or process access to a system resource for the performance of a specific action.

3.1.1.1 Identification

Office 365 uses Azure Active Directory (Azure AD), a cloud-based user identity and authentication service included with the Office 365 subscription, to manage Office 365 identities and authentication. For more information see [CCN-STIC-884A - Secure Configuration Guide for Azure].

3.1.1.1.1 Identity management models

This section addresses the different models and mechanisms for identity management in Office 365. We mainly focus on two: the cloud-only identity model (which is taken as the reference in this guide) and the hybrid identity model. The characteristics of both models are compared below.

Definition
- Cloud-only identity: the user account only exists in the Azure Active Directory (Azure AD) tenant of your Microsoft 365 subscription.
- Hybrid identity: the user account exists in AD DS and a copy is also available in the Azure AD tenant of your Microsoft 365 subscription. The user account in Azure AD can also include a hashed version of the user account password.

How Microsoft 365 authenticates user credentials
- Cloud-only identity: the Azure AD tenant of your Microsoft 365 subscription performs the authentication with the cloud identity account.
- Hybrid identity: the Azure AD tenant of your Microsoft 365 subscription manages the authentication process or redirects the user to another identity provider.

Ideal for
- Cloud-only identity: organizations that do not have and do not need a local AD DS.
- Hybrid identity: organizations that use AD DS or another identity provider.

Main benefit
- Cloud-only identity: easy to use. No additional servers or directory tools are required.
- Hybrid identity: users can use the same credentials when accessing local or cloud-based resources.

Cloud-only identity model

A cloud-only identity uses user accounts that only exist in Azure AD. Cloud identity is often used in small organizations that do not have local servers or do not use AD DS to manage local identities.

These are the basic components of the cloud-only identity. Local and remote (online) users use their Azure AD user accounts and passwords to access Office 365 cloud services. Azure AD authenticates user credentials based on the stored user accounts and passwords.

Administration

Since user accounts are stored only in Azure AD, cloud identities can be managed with tools like the Microsoft 365 Administration Center and Windows PowerShell with the Azure Active Directory PowerShell module for Graph.

Hybrid identity model

The hybrid identity uses accounts that originate from a local AD DS and have a copy in the Azure AD tenant of a Microsoft 365 subscription. However, most changes only flow one way. Changes you make to AD DS user accounts are synchronized with their copy in Azure AD. But changes made to cloud-based accounts in Azure AD, such as new user accounts, are not synchronized with AD DS.

Azure AD Connect provides ongoing account synchronization. It runs on a local server, checks for changes in AD DS and forwards those changes to Azure AD. Azure AD Connect allows filtering the accounts to be synchronized and choosing whether to synchronize a hashed version of the user passwords, known as password hash synchronization (PHS).

By implementing the hybrid identity, your local AD DS is the authoritative source for account information. This means that administration tasks are mainly performed in the local environment and are then synchronized with Azure AD.

These are the components of the hybrid identity.
The Azure AD tenant has a copy of the AD DS accounts. In this configuration, local and remote users who access Microsoft 365 cloud services are authenticated with Azure AD.

3.1.1.1.2 Identity management in the cloud-only model

With the cloud-only identity, all users, groups, and contacts are stored in the Azure Active Directory (Azure AD) tenant of the Office 365 subscription. Both user and group creation can be done from:
- Microsoft 365 Administration Center
- Office 365 PowerShell

Microsoft 365 Administration Center

It can be accessed through the Admin icon in the Office 365 portal or through the URL: admin.microsoft.com.

User creation

1. From the [Users\Active users] menu, click on the "Add a user" icon and fill in the form.
Note: More information on password management is given in section [3.1.1.5 Authentication mechanisms].

2. The license is assigned and the applications to which the user will have access are associated.

3. To verify that the user has been created correctly, check the list of "Active users".

Basic operations on users

From the [Users/Active users] menu, select the user and click on the "More options" icon.
Manage licenses

From the [Users\Active users] menu, the list of users with their assigned licenses is displayed. Select the appropriate user and click on the name. In the right panel, on the "Licenses and Applications" tab, configure the relevant options.

Assign user to group

From the [Users/Active users] menu, click on the user's "More options" icon.
Edit user

1. From the [Users/Active users] menu, click on the user's name.
2. To assign roles to the user, see section [3.1.1.3 Segregation of functions and tasks].

Delete user

From the [Users/Active users] menu, click on the user's "More options" icon.

The files you want to keep must be moved within the retention period set for OneDrive files. By default, the retention period is 30 days.
Create group

In the Groups section of the Microsoft 365 Administration Center, you can create and manage these types of groups:
- Office 365 groups are used for collaboration between users, both inside and outside the company.
- Distribution groups are used to send notifications to a group of people.
- Security groups are used to grant access to SharePoint resources.
- Mail-enabled security groups are used to grant access to SharePoint resources and to send email notifications to those users.
- Shared mailboxes are used when several people need to access the same mailbox, such as a company information or technical support email address. It is important to activate the "Shared Mailbox Audit" to allow traceability in these mailboxes, as described in the guide [CCN-STIC-885C - Secure Configuration Guide for Exchange Online].

1. Add group. From the [Groups] menu, press the "Add a Group" icon.

2. Fill in the group information.
Although the message next to the privacy option indicates that it cannot be changed after the group is created, changing it is already allowed in newer updates. The possible values are:
- Private: only members can see the group's content.
- Public: anyone can see the group's content.

Note: The use of the Private value is recommended to increase control over access to group information by users.

Manage group members

1. From the [Groups] menu, clicking on the group name displays the group panel with different tabs. Select the "Members" tab.
2. Then click on the link "View all members and manage them".

Delete group

From the [Groups] menu, click on the "More options" icon of the group.

Office 365 PowerShell

The Microsoft Azure Active Directory Module for Windows PowerShell is required to execute the following scripts.

Create an individual user account

    New-MsolUser -DisplayName <display name> -FirstName <first name> -LastName <last name> -UserPrincipalName <user principal name> -UsageLocation <two-letter country code> -LicenseAssignment <AccountSkuId> [-Password <password>]

Example:

    New-MsolUser -DisplayName "John Doe" -FirstName John -LastName Doe -UserPrincipalName johndoe@contoso.onmicrosoft.com -UsageLocation US

Create multiple user accounts

1. Create a comma-separated value (CSV) file containing the necessary user account information. For example:

    UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation,AccountSkuId
    ClaudeL@contoso.onmicrosoft.com,Claude,Loiselle,ClaudeLoiselle,US,contoso:ENTERPRISEPACK
    LynneB@contoso.onmicrosoft.com,Lynne,Baxter,Lynne Baxter,US,contoso:ENTERPRISEPACK
    ShawnM@contoso.onmicrosoft.com,Shawn,Melendez,Shawn Melendez,US,contoso:ENTERPRISEPACK

2. Execute from PowerShell:

    Import-Csv -Path <input CSV file path> | foreach { New-MsolUser -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation -LicenseAssignment $_.AccountSkuId } | Export-Csv -Path <output CSV file path>

If the CSV file includes a Password column, add -Password $_.Password to the New-MsolUser call; otherwise a temporary password is generated for each account and written to the output file.

3.1.1.2 Access requirements

The mechanisms for accessing resources are detailed in the specific guides for each service: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for Sharepoint Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange Online].

3.1.1.3 Segregation of functions and tasks

Management roles

The O365 subscription includes a set of administrator roles that can be assigned to users in your organization. Each administrator role maps to common business functions and gives users permissions to perform specific tasks in the administration centers.

Since administrators have access to sensitive data and files, Microsoft recommends following these guidelines to keep the organization's data more secure.

Recommendation: Have 2 to 4 global administrators.
Why is it important? Since only another global administrator can reset a global administrator's password, it is recommended to have at least two global administrators in your organization in case of an account lockout. But the global administrator has almost unlimited access to the organization's configuration and to most of its data, so it is also recommended not to have more than 4 global administrators, because that is a security threat.

Recommendation: Assign the least permissive role.
Why is it important? Assigning the least permissive role means giving administrators the minimum permissions necessary to do the job. For example, if you want someone to reset the employees' passwords, you should not assign the role of unlimited global administrator, but the role of password manager.

Recommendation: Require MFA for administrators.
Why is it important? It is good practice to require MFA at login for all users, but it is necessary at least for administrators. MFA makes users provide a second method of identification to verify that they are who they say they are.

Assigning administrator roles to a user

From the administration center, go to the user details and manage roles to assign a role to the user.
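Two of the three recommendations above (between 2 and 4 global administrators; MFA for administrators) can be verified from PowerShell rather than by reading the portal user by user. The script below is an added example, not code from the CCN-STIC 885A guide. It assumes the MSOnline module and an open Connect-MsolService session (section 1.3); the function names are this example's own, while the role names are the ones Get-MsolRole returns ("Company Administrator" is the global administrator role).

```powershell
# Added example (not part of CCN-STIC 885A): reports the per-user MFA state of every member
# of the listed administrator roles, flagging anyone whose MFA is not Enforced.
function Get-O365AdminMfaReport {
    [CmdletBinding()]
    param(
        [string[]]$RoleNames = @(
            'Company Administrator',        # global administrator
            'User Account Administrator',   # user administrator
            'Helpdesk Administrator',       # technical support department administrator
            'Billing Administrator'
        )
    )
    foreach ($roleName in $RoleNames) {
        $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
        if (-not $role) { Write-Warning "Role '$roleName' not found in this tenant"; continue }

        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
            # Groups and service principals holding a role are reported, but per-user MFA does not apply to them.
            if ($member.RoleMemberType -ne 'User') {
                [pscustomobject]@{ Role = $roleName; Member = $member.DisplayName; Type = $member.RoleMemberType; MfaState = 'n/a'; Compliant = $false }
                continue
            }
            $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
            # StrongAuthenticationRequirements holds the state set from the "Multifactor Authentication"
            # panel of section 3.1.1.5: empty means disabled, otherwise Enabled or Enforced.
            $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                $user.StrongAuthenticationRequirements[0].State
            } else { 'Disabled' }
            [pscustomobject]@{
                Role      = $roleName
                Member    = $user.UserPrincipalName
                Type      = 'User'
                MfaState  = $state
                Compliant = ($state -eq 'Enforced')
            }
        }
    }
}

# Counts user accounts holding the global administrator role and checks the 2..4 range.
function Test-O365GlobalAdminCount {
    [CmdletBinding()]
    param([int]$Minimum = 2, [int]$Maximum = 4)
    $role   = Get-MsolRole -RoleName 'Company Administrator'
    $admins = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All | Where-Object RoleMemberType -eq 'User')
    [pscustomobject]@{
        GlobalAdministrators   = $admins.Count
        WithinRecommendedRange = ($admins.Count -ge $Minimum -and $admins.Count -le $Maximum)
        Accounts               = $admins.EmailAddress
    }
}

# Usage:
#   Test-O365GlobalAdminCount
#   Get-O365AdminMfaReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Two caveats when reading the report: "Enabled" only means the user has been switched on for MFA and will be asked to register at next login, so treat anything other than "Enforced" as non-compliant; and MFA imposed through Azure AD Conditional Access (covered in CCN-STIC-884A) is not reflected in StrongAuthenticationRequirements, so a tenant that relies on Conditional Access needs that policy checked separately.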
Available roles in the Microsoft 365 Administration Center

The Microsoft 365 Administration Center allows managing more than 30 Azure AD roles. However, these roles are a subset of the roles available in the Azure portal. Usually, it is enough to assign the following roles in the organization:

Global Administrator
Assign the global administrator role to users who need global access to most management features and data in Microsoft Online Services. Providing too many users with global access is a security risk, and it is recommended to have 2-4 global administrators. Only global administrators are able to:
- Reset passwords for all users
- Add and manage domains
Note: The person who signed up for Microsoft Online Services automatically becomes a global administrator.

Billing Administrator
Assign the billing administrator role to users who need to do the following:
- Purchase licenses and subscriptions
- Upgrade subscriptions
- Pay for services
- Receive email notifications for invoices
- Manage service requests
- Monitor the service status

Administrator of the Technical Support Department
Assign the Administrator of the Technical Support Department role to users who need to do the following:
- Reset passwords
- Force users to log out
- Manage service requests
- Monitor service status
Note: The Technical Support Department administrator can only help non-administrator users and users who are assigned these roles: directory reader, guest, support administrator, message center reader, and report reader.

License Administrator
Assign the license administrator role to users who need to do the following:
- Manage licenses assigned to users
- Manage licenses assigned to groups using group-based licensing
- Edit the usage location for users
Note: This role does not allow purchasing or managing subscriptions, adding or managing groups, or editing user properties, except for the usage location.

Report Reader
Assign the report reader role to users who need to do the following:
- View usage data and activity reports
- Get access to the Power BI adoption content package
- View reports and login activity
- View data returned by the Microsoft Graph Reports API

User Administrator
Assign the user administrator role to users who need to do the following for all users:
- Add users and groups
- Assign licenses
- Manage most user properties
- Create and manage user views
- Update password expiration policies
- Manage service requests
- Monitor the service status
The user administrator can also perform the following actions for non-administrators and for users who are assigned the following roles: directory reader, guest, support administrator, message center reader, report reader:
- Manage user names
- Delete and restore users
- Reset passwords
- Force users to log out
- Update device keys (FIDO)

The Azure portal has more roles than those available in the Microsoft 365 Administration Center. From Azure AD it is possible to create custom roles; this requires Azure AD Premium P1 or P2.

3.1.1.4 Access rights management process

More information is available in the specific guides for each service: SharePoint Online [CCN-STIC-885B - Secure Configuration Guide for Sharepoint Online], Exchange Online [CCN-STIC-885C - Secure Configuration Guide for Exchange Online].

3.1.1.5 Authentication mechanisms

From the Microsoft 365 Administration Center, in the [Settings\Security and Privacy] menu, password policies can be set for all the users in the organization. From Office 365 only these parameters can be changed; their default values are:
- Days before the passwords expire: 90
- Days before notifying a user about the expiration: 14

For more advanced management, it is necessary to resort to Azure AD. Consult guide [CCN-STIC-884A - Secure Configuration Guide for Azure].
Enable Multifactor Authentication (MFA)
As described in section [3.1.1.3 Segregation of duties and tasks], it is important to enable MFA at least for users with an administration role. To that end:
1. Access the [Users/Active users] menu.
2. Press the "Multifactor Authentication" icon on the top bar.
3. A new administration panel opens.
4. Mark a user with the corresponding check box and enable or disable MFA in the right panel.
Note: It is also possible to perform a mass update by marking several users at once.

Office 365 PowerShell

Planning of authentication methods
Administrators can choose which authentication methods they want to make available to users. It is important to enable more than one authentication method so that users have an alternative available in case their primary method is not available. The following methods can be enabled by administrators:
- Notification through mobile application. A push notification is sent to the Microsoft Authenticator application on the mobile device. The user sees the notification and selects Approve to complete the check. Push notifications through a mobile application are the least intrusive option for users.
- Verification code from mobile application. A mobile application such as Microsoft Authenticator generates a new OATH verification code every 30 seconds. The user types the verification code in the login interface. The mobile application option can be used regardless of whether the phone has a mobile signal or data.
- Phone call. An automatic voice call is made to the user. The user answers the call and presses # on the phone keypad to approve the authentication. The phone call is a good alternative to the notification and verification code methods of a mobile application.
- Text message to the phone. A text message containing a verification code is sent to the user, who is then prompted to enter it in the login interface.
For more information on how to configure the different authentication methods, see the guide [CCN-STIC-884A - Secure Configuration Guide for Azure].

PowerShell
From PowerShell, three parameters related to user passwords can be consulted and/or modified:
- StrongPasswordRequired: whether a strong password is required (see the table below).
- PasswordNeverExpires: whether the password never expires.
- ForceChangePassword: whether the password must be changed at the next login.

User list with complexity and expiration information:
Get-MsolUser | ft -auto UserPrincipalName, StrongPasswordRequired, PasswordNeverExpires

Changing password parameters. The following command is recommended:
Set-MsolUser -UserPrincipalName "User Principal Name" -StrongPasswordRequired $true -PasswordNeverExpires $false

Note: It is not recommended to use the PasswordNeverExpires parameter in the organization's production environments.
As mentioned above, for advanced configuration of the password policy, the guide [CCN-STIC-884A - Secure Configuration Guide for Azure] should be used.
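The two commands above act on one user at a time. The following script is an added example (not code from the guide) that turns them into a tenant-wide check: it reports every member account whose password parameters deviate from the recommended setting (StrongPasswordRequired $true, PasswordNeverExpires $false) and, unless run with -ReportOnly, corrects only the parameters that are out of policy. It assumes the MSOnline module and an open Connect-MsolService session; the UPN in $Exceptions is a constructed placeholder for service accounts that are allowed to keep a non-expiring password.

```powershell
# Added example, not code from the guide: report the member accounts whose
# password parameters deviate from the recommended setting above
# (StrongPasswordRequired $true, PasswordNeverExpires $false) and, unless
# -ReportOnly is given, correct them with Set-MsolUser. Assumptions: MSOnline
# module and an open Connect-MsolService session; $Exceptions holds
# constructed placeholder UPNs of service accounts allowed to keep a
# non-expiring password.
param(
    [switch]$ReportOnly,
    [string[]]$Exceptions = @("svc-backup@example.onmicrosoft.com")
)

Import-Module MSOnline
Connect-MsolService

# Guests are excluded; their passwords belong to another tenant.
$users = @(Get-MsolUser -All | Where-Object { $_.UserType -eq "Member" })

$findings = @(foreach ($u in $users) {
    $weakAllowed  = -not $u.StrongPasswordRequired
    $neverExpires = $u.PasswordNeverExpires -and ($u.UserPrincipalName -notin $Exceptions)
    if ($weakAllowed -or $neverExpires) {
        [pscustomobject]@{
            UserPrincipalName  = $u.UserPrincipalName
            WeakAllowed        = $weakAllowed
            NeverExpires       = $neverExpires
            LastPasswordChange = $u.LastPasswordChangeTimestamp
        }
    }
})

$findings | Format-Table -AutoSize
Write-Host ("{0} of {1} member accounts need attention" -f $findings.Count, $users.Count)

if (-not $ReportOnly) {
    foreach ($f in $findings) {
        # Only the parameters actually out of policy are changed.
        $params = @{ UserPrincipalName = $f.UserPrincipalName }
        if ($f.WeakAllowed)  { $params.StrongPasswordRequired = $true }
        if ($f.NeverExpires) { $params.PasswordNeverExpires   = $false }
        Set-MsolUser @params
    }
}
```

Setting PasswordNeverExpires to $false does not force an immediate change; the account simply falls back under the tenant's expiration policy (90 days by default), so the LastPasswordChange column shows which accounts will be prompted soonest.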
The following is a breakdown of the password-related properties of Azure Active Directory user accounts, and the commands for modifying them:

Property | Requirement (UPN, User Principal Name)
- Allowed characters: capital letters A-Z; lower case a-z; numbers 0-9; special characters @ # $ % ^ & * - _ ! ? / ` ~ " ( ) ;
- Characters not allowed in passwords: Unicode characters; spaces.
- Restrictions on passwords: minimum of 8 characters and maximum of 16. For "strong password" only: use 3 of the following 4 groups: lower case, capital letters, numbers (0-9), symbols (shown above).
- Password expiration: default value 90 days. The value is configurable using the AAD PowerShell cmdlet Set-MsolPasswordPolicy.
- Notification of password expiration: default value 14 days (before the password expires). The value is configurable using the AAD PowerShell cmdlet Set-MsolPasswordPolicy.
- Password expiration (PasswordNeverExpires): default value false. The value can be set individually for user accounts using the cmdlet Set-MsolUser.
- Password history: the last password cannot be reused when the user updates the password.
- Resetting password history: the last password can be used again when the user has forgotten it.
- Account lockout: after 10 attempts with wrong passwords, the user is locked out for 1 minute. Subsequent unsuccessful attempts increase the lockout time.

3.1.1.6 Local access
It requires the establishment of two-factor authentication (MFA) and an appropriate credential management policy, which are described in section [3.1.1.5 Authentication mechanisms]. A record of successful and unsuccessful system access attempts is also required, as described in section [3.1.2.2 Activity Log] of this guide. Additionally, access to Office 365 can be controlled through conditional access policies or rules in ADFS, as described in the guide [CCN-STIC-884A - Secure Configuration Guide for Azure].

3.1.1.7 Remote Access
At this point it should be noted that Office 365 is a cloud solution accessible by the end user through the Internet. Data encryption is applied as described in section [3.2.3.2 Encryption].

3.1.2 Exploitation
Since Office 365 is software offered as a service (SaaS), it is always up to date. In other words, the service is permanently maintained by Microsoft, which is in charge of updates and patches, as well as of establishing the mechanisms for detection of and protection against threats, complying with the requirements of the National Security Framework in its HIGH category. This section explains the operation and features of the Office 365 Security and Compliance Center, which can be accessed from the Administration portal.

3.1.2.1 Protection against malware
If the organization has Office 365 Advanced Threat Protection (Office 365 ATP), it has a real-time detections browser, accessible from the Office 365 Security and Compliance Center.
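The table above states two things a practitioner will want to verify: that the tenant-level expiration policy (90 days validity, 14 days notification) has not drifted, and what the "strong password" rule actually accepts. The script below is an added example written for this page, not code from the guide. Test-StrongPassword is a helper defined here (not a cmdlet) that applies the table's rules locally to constructed sample values; the second part reads every verified domain's policy with Get-MsolPasswordPolicy, reports drift from the stated defaults and, unless -ReportOnly is given, restores them with Set-MsolPasswordPolicy. It assumes the MSOnline module and an open Connect-MsolService session.

```powershell
# Added example, not code from the guide. Part 1 checks candidate passwords
# against the rules in the table above (8-16 characters, only the listed
# characters, 3 of 4 groups for a strong password). Part 2 compares each
# verified domain's expiration policy with the guide's defaults (90/14 days).
# Assumptions: MSOnline module, open Connect-MsolService session.
param([switch]$ReportOnly)

function Test-StrongPassword {
    # Helper written for this example; it mirrors the documented rules, it is
    # not the service's own validator.
    param([Parameter(Mandatory)][string]$Password)

    $reasons = @()
    if ($Password.Length -lt 8 -or $Password.Length -gt 16) {
        $reasons += "length must be 8-16 characters"
    }
    # Allowed set: A-Z, a-z, 0-9 and the symbols listed in the table; spaces and
    # non-ASCII characters fall outside the class and are rejected.
    if ($Password -notmatch '^[A-Za-z0-9@#$%^&*\-_!?/`~"();]+$') {
        $reasons += "contains a character that is not allowed"
    }
    $groups = 0
    if ($Password -cmatch '[a-z]') { $groups++ }     # -cmatch: case-sensitive
    if ($Password -cmatch '[A-Z]') { $groups++ }
    if ($Password -match  '[0-9]') { $groups++ }
    if ($Password -match  '[@#$%^&*\-_!?/`~"();]') { $groups++ }
    if ($groups -lt 3) { $reasons += "needs 3 of the 4 character groups" }

    [pscustomobject]@{
        Password = $Password
        Strong   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join "; ")
    }
}

# Constructed sample values: strong, single group, too short, too long.
"Tr0ub4dor&3", "password", "Sh0rt!", "ThisPassphraseIsTooLong1!" |
    ForEach-Object { Test-StrongPassword $_ } | Format-Table -AutoSize

# Part 2: tenant-level expiration policy per verified domain.
Import-Module MSOnline
Connect-MsolService

$expected = @{ ValidityPeriod = 90; NotificationDays = 14 }   # defaults stated in the guide
foreach ($domain in Get-MsolDomain | Where-Object Status -eq "Verified") {
    $policy = Get-MsolPasswordPolicy -DomainName $domain.Name
    $drift  = ($policy.ValidityPeriod -ne $expected.ValidityPeriod) -or
              ($policy.NotificationDays -ne $expected.NotificationDays)
    [pscustomobject]@{
        Domain           = $domain.Name
        ValidityPeriod   = $policy.ValidityPeriod
        NotificationDays = $policy.NotificationDays
        Drift            = $drift
    } | Format-Table -AutoSize
    if ($drift -and -not $ReportOnly) {
        Set-MsolPasswordPolicy -DomainName $domain.Name `
            -ValidityPeriod $expected.ValidityPeriod -NotificationDays $expected.NotificationDays
    }
}
```

The local validator is useful when reviewing password generators or provisioning scripts before they hit the service; it rejects "Sh0rt!" and the 25-character passphrase on length, "password" on group count, and accepts "Tr0ub4dor&3".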
The [Threat Management Panel] panel displays the general status. A detailed report is available in the [Threat Management] browser, where the following actions can be taken:
- View malware detected by Office 365 security features.
- See data on phishing URLs and click verdicts.
- Start an automated investigation and response process from a view in the browser.
- Investigate malicious e-mail, etc.
More information is available in the guide [CCN-STIC-885C - Secure Configuration Guide for Exchange Online].

3.1.2.2 Activity record
Regarding the recording of user and administrator activity, the Office 365 audit log must be enabled. When audit log search is enabled in the Office 365 Security and Compliance Center, the user and administrator activity in the organization is recorded in the audit log and retained for 90 days.

Activate/Deactivate the Audit Log
The Audit Logs role in Exchange Online must be assigned to enable or disable audit log search in the Office 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the permissions page of the Exchange Management Center. Office 365 global administrators are members of the Organization Management role group in Exchange Online.
1. From the Office 365 Security and Compliance Center, menu [Search/Search for audit logs], click the "Enable Audit" button.
2. Press "Yes".
Note: It can take several hours from the time the audit log is activated until the data is available in searches.

Office 365 PowerShell
1. Connect to Exchange Online via PowerShell.
2. Execute the following PowerShell command to enable/disable the search of audit records in Office 365:
Enable audit:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Disable audit:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

Consult the audit log
It allows searching the audit log for what users and administrators in the organization are doing: e-mail-related activities, groups, documents, permissions, directory services, and more.
Note: At least 24 hours must pass before searching in the audit log.
The Activities drop-down shows all possible searches related to the audit log, sorted by topic.
Example of a query related to credentials:
Example of a query related to file access:
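The two query examples above (credentials, file access) are run from the Security and Compliance Center UI. The following script is an added example, not code from the guide, that does the same from the Exchange Online PowerShell session mentioned in the previous steps: it first confirms that unified audit log ingestion is enabled (enabling it with the Set-AdminAuditLogConfig command shown above if not), then runs both searches over the last 7 days with Search-UnifiedAuditLog and flattens the JSON AuditData field into the columns an analyst looks at first. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and the operation names as they appear in the audit log ("Reset user password.", "Change user password.", FileAccessed, FileDeleted); Search-AuditPaged is a helper defined here.

```powershell
# Added example, not code from the guide: ensure unified audit logging is on
# and run the guide's two search examples (credential changes in Azure AD,
# file access/deletion in SharePoint Online) over the last 7 days.
# Assumptions: ExchangeOnlineManagement module; account with the Audit Logs
# role; operation names as displayed in the audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Audit ingestion was off; new records take hours to become searchable."
}

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)

function Search-AuditPaged {
    # Helper for this example: fetches result sets larger than one page by
    # reusing one SessionId with ReturnLargeSet until a short page comes back.
    param([string]$RecordType, [string[]]$Operations)
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType $RecordType -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        $page
    } while ($page.Count -eq 5000)
}

# 1) Credential-related activity (the "query related to credentials")
$credential = @(Search-AuditPaged -RecordType AzureActiveDirectory `
                   -Operations "Reset user password.", "Change user password.")
# 2) File access and deletion (the "query related to file access")
$files = @(Search-AuditPaged -RecordType SharePointFileOperation `
              -Operations FileAccessed, FileDeleted)

# AuditData is a JSON string; expand the fields that matter for triage.
$rows = foreach ($r in ($credential + $files)) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        Actor     = $r.UserIds
        Target    = $d.ObjectId      # target UPN for Azure AD, file URL for SharePoint
        ClientIP  = $d.ClientIP
    }
}
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because records are retained for 90 days (section 3.1.2.4), a scheduled run of this kind exported to a SIEM is the practical way to keep credential and file-deletion history beyond that window.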
Office 365 Management Activity API
In addition to the Office 365 Security and Compliance Center, the Office 365 Management Activity API can be used to retrieve information about actions and events for users, administrators, systems and policies from the Office 365 and Azure AD activity logs. The Office 365 Management Activity API is a REST web service that can be used to develop solutions in any language and hosting environment that supports HTTPS and X.509 certificates. For more information, see the Microsoft documentation: docs.microsoft.com/es-es/office365/securitycompliance/office-365-management-activity-api

Activity reports in the Microsoft 365 Administration Center
Another way to get information on how users in the organization are using Office 365 services is the Microsoft 365 Administration Center, menu [Reports/Usage]. For example, it is possible to identify who is using a service very often, who is reaching quotas, or who may not need an Office 365 license at all. Reports can be obtained for the last 7, 30, 90 or 180 days. Clicking on each report widget drills down into the information provided, to a more detailed level.
Note: data is not available for all reporting periods instantly (usually within 48 hours).

3.1.2.3 Incident Management
See section [3.1.2.1 Protection against malware] for how to access the "Threat Management" reports. Other relevant reports related to incident management, accessible from the Office 365 Security and Compliance Center, are:
- Alert panel. Menu [Alerts/Panel]. https://protection.office.com/alertsdashboard
- Report panel. Menu [Reports\Panel]. https://protection.office.com/insightdashboard
- Reports for download. Menu [Reports\Reports for download]. https://protection.office.com/ReportsForDownload
- Search and investigation. Main panel widget. https://protection.office.com/searchandinvestigation/dashboard
- Mail flow panel. Menu [Mail Flow/Panel]. https://protection.office.com/mailflow/dashboard

3.1.2.4 Protection of activity records
Through the use of user roles, it is possible to restrict who can view the activity log information. The roles defined for this purpose are:
- Global Administrators.
- Exchange Administrators.
- SharePoint Administrators.
- Skype for Business Administrators.
- Report Reader.
When a user or administrator performs an audited activity, an audit record is generated and stored in the organization's Office 365 audit log. The amount of time an audit record is retained, and can therefore appear in searches, depends on the Office 365 subscription and specifically on the type of license assigned to the specific user.
- Office 365 E3: audit records are kept for 90 days. That means the audit log can be searched for activities performed in the last 90 days.
- Office 365 E5: audit records are also kept for 90 days.
Note: As of the publication date of this guide, Microsoft is working on extending the retention period to 1 year for users with an E5 or E3 license with the "Office 365 Advanced Compliance" add-on license.

3.2 Protection measures
3.2.1 Protection of communications
Regarding the protection of communications, the cryptographic protocols for TLS connections, which are automatically integrated into Office 365, are used. This applies when:
- Users work with files stored in OneDrive for Business or SharePoint Online.
- Users share files in online meetings and instant messaging conversations.
In fact, all Office 365 communications are encrypted: mail clients (POP, IMAP, SMTP-TLS), Outlook clients (MAPI-HTTPS), browsers (Web HTTPS), mobile devices (ActiveSync HTTPS), Teams and Skype (SIP-TLS). No additional configuration is required on the service side, but it is important to note that as of June 2020, TLS 1.0 and 1.1 support will be removed. This has direct implications for clients. See: https://docs.microsoft.com/en-us/office365/troubleshoot/security/prepare-tls-1.2-in-office-365.

3.2.2 System monitoring
It is possible to set alerts in Office 365 through the Office 365 Security and Compliance Center, [Alerts] menu. Activity alerts can be used to send e-mail notifications to system administrators when users perform specific activities in Office 365. Activity alerts are similar to event searches in the Office 365 audit log, except that an e-mail is sent when an event occurs for which an alert has been created.
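Section 3.2.1 above notes that the retirement of TLS 1.0/1.1 "has direct implications for clients" and points to Microsoft's preparation article. The script below is an added example for this page (not code from the guide or from Microsoft) that checks a Windows client for the settings that article describes: the .NET Framework values that make managed applications (Outlook add-ins, PowerShell modules) follow the OS TLS defaults, and the Schannel client setting for TLS 1.2, followed by a live handshake to the Outlook endpoint with only TLS 1.2 enabled for the process. Registry paths and value names are those the Microsoft guidance uses and are listed here as assumptions; Test-TlsReadiness and Test-Tls12Connection are helpers defined in the example. Run it in an elevated PowerShell on the client being checked.

```powershell
# Added example, not code from the guide: verify a Windows client is ready for
# the TLS 1.0/1.1 retirement described in section 3.2.1. The registry values
# are the ones Microsoft's TLS 1.2 preparation article for Office 365 lists
# (assumption); the helpers are written for this example.

function Test-TlsReadiness {
    $checks = @(
        # .NET Framework 4.x: use OS protocol defaults and strong crypto.
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Expected = 1; UnsetOk = $false }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Expected = 1; UnsetOk = $false }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Expected = 1; UnsetOk = $false }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Expected = 1; UnsetOk = $false }
        # Schannel TLS 1.2 client: absent keys mean OS default, which is enabled
        # on Windows 8/Server 2012 and later but must be set on Windows 7.
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Expected = 1; UnsetOk = $true }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Expected = 0; UnsetOk = $true }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting = "$($c.Path)\$($c.Name)"
            Actual  = if ($null -eq $actual) { "(not set)" } else { $actual }
            Ok      = if ($null -eq $actual) { $c.UnsetOk } else { $actual -eq $c.Expected }
        }
    }
}

function Test-Tls12Connection {
    # Live check: restrict this process to TLS 1.2 and open a connection to the
    # Outlook endpoint. Any HTTP response, even an error status, proves the
    # handshake succeeded; a WebException without a response means it failed.
    param([string]$HostName = "outlook.office365.com")
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        $null = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -TimeoutSec 15
        $true
    } catch [System.Net.WebException] {
        $null -ne $_.Exception.Response
    }
}

Test-TlsReadiness | Format-Table -AutoSize
"TLS 1.2 handshake to outlook.office365.com succeeded: $(Test-Tls12Connection)"
```

A client that passes the live check but fails the .NET rows will still break in applications that pin an older protocol through the framework, which is why both views are reported.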
How Alert Policies Work
The following is a quick introduction to how alert policies work and which alerts are triggered when the activity of a user or administrator meets the conditions of an alert policy.
1. An administrator creates, configures and activates an alert policy using the Alert Policies page in the Office 365 Security and Compliance Center. Alert policies can also be created with the New-ProtectionAlert cmdlet.
2. A user performs an activity that matches the conditions of an alert policy. In the case of malware attacks, infected e-mails sent to users in the organization trigger an alert.
3. Office 365 generates an alert that is displayed in the [Alerts/View Alerts] menu of the Office 365 Security and Compliance Center. In addition, if e-mail notifications are enabled for the alert policy, Office 365 sends a notification to a list of recipients. The alerts that an administrator or other user can see on the View Alerts page are determined by the roles assigned to that user.
4. An administrator manages alerts in the Office 365 Security and Compliance Center. Managing an alert means assigning it a status to help track and manage any investigation.

Creating an Alert Policy
Alert policies can be used to track the activities of administrators and users, malware threats or data loss incidents across the organization. After choosing the activity that requires alerting, the policy can be refined by adding conditions, deciding when the alert is triggered and who should be notified.
1. Access the [Alerts/Alert Policies] menu from the Office 365 Security and Compliance Center.
2. Mark the alerts to track from the list of predefined alerts. Predefined alerts can be turned on or off and some of their settings can be changed.
3. Click on a specific policy to access its properties. For example, the "Unusual volume of file deletion" policy is triggered when a user has deleted an unusual number of files.
Learn more about the default alerts in Microsoft's documentation: https://docs.microsoft.com/es-es/office365/securitycompliance/alert-policies
To create a custom alert policy, click on the "New Alert Policy" button in the [Alerts/Alert Policies] menu. As an example, a policy will be created for the suspicious deletion of Word files in a specific location (SharePoint site CCN-SPO-SITIO1).
1. Assign a name.
2. Create the alert settings:
- What do you want to send alerts about? Select an activity.
- Add conditions: for most activities, additional conditions that must be met to trigger the alert can be defined. Common conditions include references to IP addresses (so that an alert is triggered when the user performs the activity on a computer with a specific IP address or within a range of IP addresses), specific users, file names, site URLs or file extensions. In the example:
- How do you want the alert to be triggered?
3. Configure the recipients.

View Alert Policies
Custom policies, as well as all default policies, can be viewed in the Office 365 Security and Compliance Center from the [Alerts/Alert Policies] menu.

3.2.3 Protection of information
3.2.3.1 Classification of information
This section mainly deals with the mechanisms offered by Office 365 to classify information and implement certain policies. Specifically:
- Retention policies, which can be applied on the tenant, to determine what to do with the information after a certain period of time.
- DLP (Data Loss Prevention) policies, with which sensitive information can be identified, monitored and protected throughout Office 365.
- Sensitivity labels, which allow classifying, encrypting, marking and controlling access to documents and e-mails in Office 365.
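Returning to the custom alert policy walked through in the preceding subsection (deletion of Word files on the SharePoint site CCN-SPO-SITIO1): step 1 of "How Alert Policies Work" mentions that the same policy can be created with the New-ProtectionAlert cmdlet. The following is an added example for this page, not code from the guide, that creates that policy from a Security and Compliance Center PowerShell session and then reads it back, the equivalent of the [Alerts/Alert Policies] view. The tenant URL, the notification mailbox, the activation threshold and window, and the filterable property names used in -Filter (taken from the cmdlet's documented OPATH properties) are assumptions; the guide only names the site.

```powershell
# Added example, not code from the guide: the custom "Word file deletion on
# CCN-SPO-SITIO1" alert policy of the previous subsection, created with the
# New-ProtectionAlert cmdlet instead of the UI. Site URL, recipients,
# threshold, time window and the filter property names are assumptions.
# Requires a Security & Compliance Center session (Connect-IPPSSession from
# the ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$siteUrl    = "https://contoso.sharepoint.com/sites/CCN-SPO-SITIO1"   # assumed tenant URL
$recipients = @("soc@contoso.com")                                     # assumed mailbox

$params = @{
    Name                = "Word file deletion on CCN-SPO-SITIO1"
    Description         = "Deletion of .docx files on the SharePoint site CCN-SPO-SITIO1"
    Category            = "DataGovernance"
    ThreatType          = "Activity"
    # Activity to alert on (the "What do you want to send alerts about?" step)
    Operation           = "FileDeleted"
    # Conditions (the "Add conditions" step): site URL and file extension
    Filter              = "Activity.SiteUrl -like '$siteUrl*' -and Activity.SourceFileExtension -eq 'docx'"
    # Activation (the "How do you want the alert triggered?" step):
    # more than 5 matching deletions by one user within 60 minutes
    AggregationType     = "SimpleAggregation"
    Threshold           = 5
    TimeWindow          = 60
    Severity            = "High"
    # Recipients (step 3)
    NotifyUser          = $recipients
    NotificationEnabled = $true
}
New-ProtectionAlert @params

# Read it back, as the [Alerts/Alert Policies] view would show it.
Get-ProtectionAlert -Identity $params.Name |
    Format-List Name, Category, Operation, Filter, AggregationType, Threshold, TimeWindow, Severity, Disabled
```

A threshold-based activation is preferable to alerting on every single deletion for this kind of activity: legitimate clean-ups on a site generate a few deletions, while a bulk wipe or ransomware-style deletion crosses the threshold quickly.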
3.2.3.1.1 Retention policies
Defining retention labels
These labels are defined in the Office 365 Security and Compliance Center under the [Classification/Retention Labels] menu and are used to apply retention policies to Exchange e-mails and SharePoint and OneDrive documents. You can define the time that the e-mail or document must be retained, or the time after which it must be deleted. In addition, retention can be counted from the date of creation, the date of last modification, or the date the label was applied. A document can also be declared as a record to prevent it from being edited or deleted.
Labels can be applied automatically according to conditions set in the Office 365 Security and Compliance Center, and users can also apply them directly in Office applications, as well as in SharePoint or OneDrive. Retention labels are related to compliance and are applied to e-mails or documents in a specific location.
Example: in the commercial department, retention policies must be applied to various documents:
- Budgets: 5-year retention after the budget deadline.
- Contracts: 10-year retention after the end date of the contract.
- Product sheets: declared as records (never deleted).

Consulting and modifying retention labels
1. Access the [Classification/Retention Labels] menu.
2. Select a label.
3. Edit the label: in the right panel, press the "Edit label" button.
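The commercial-department example above can be reproduced from PowerShell instead of the [Classification/Retention Labels] menu. The following is an added example for this page, not code from the guide: it creates the three labels with New-ComplianceTag, declares the product sheets as records, and publishes the labels to a location with a retention policy and one rule per label, since an unpublished label is not offered to users. Because the "budget deadline" and "contract end date" are business events, this example counts retention from the date the label is applied (one of the three reference dates the text lists) rather than from an event; label names, the policy name and the site URL are assumptions. It requires a Security and Compliance Center session (Connect-IPPSSession from the ExchangeOnlineManagement module).

```powershell
# Added example, not code from the guide: the three retention labels of the
# commercial-department example, created and published with PowerShell.
# Retention is counted from the date the label is applied (TaggedAgeInDays);
# label names, policy name and site URL are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labels = @(
    # Budgets: keep 5 years after the label is applied, then delete
    @{ Name = "Commercial - Budget";        RetentionDuration = 5 * 365;     RetentionAction = "KeepAndDelete"; RetentionType = "TaggedAgeInDays" }
    # Contracts: keep 10 years after the label is applied, then delete
    @{ Name = "Commercial - Contract";      RetentionDuration = 10 * 365;    RetentionAction = "KeepAndDelete"; RetentionType = "TaggedAgeInDays" }
    # Product sheets: declared as a record, retained indefinitely, cannot be edited or deleted
    @{ Name = "Commercial - Product sheet"; RetentionDuration = "Unlimited"; RetentionAction = "Keep";          RetentionType = "TaggedAgeInDays"; IsRecordLabel = $true }
)

foreach ($l in $labels) {
    # Idempotent: only create labels that do not exist yet.
    if (-not (Get-ComplianceTag -Identity $l.Name -ErrorAction SilentlyContinue)) {
        New-ComplianceTag @l
    }
}

# Labels become available to users only once published to locations.
$policyName = "Commercial department labels"                        # assumed
$siteUrl    = "https://contoso.sharepoint.com/sites/commercial"     # assumed
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName -SharePointLocation $siteUrl -ExchangeLocation All
    foreach ($l in $labels) {
        New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $l.Name
    }
}

# Review, equivalent to steps 1-2 of "Consulting and modifying retention labels".
Get-ComplianceTag | Where-Object Name -like "Commercial - *" |
    Format-Table Name, RetentionDuration, RetentionAction, RetentionType, IsRecordLabel -AutoSize
```

If the business-event semantics of the example (deadline, contract end) must be preserved exactly, the RetentionType would instead be event-based, which additionally requires an event type and a triggering event to be defined in the Compliance Center; that setup is outside what this page covers.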