In December last year we published an advisory detailing how to protect Office 365 accounts against the kind of credential stealing attacks that we had been seeing.
We believe that anyone with an Office 365 account would benefit from acting on the security recommendations in this advisory. From small businesses through to large enterprises, implementing measures such as Multi-factor Authentication (MFA) should be a high priority.
This blog post gives you a little background on some of these recommendations and introduces important new security guidance published by Microsoft.
More cloudy by the day
Business adoption of cloud computing continues to grow rapidly. To put this in perspective – EuroStat noted that 42% of UK enterprises depended on cloud computing services in 2018, compared with 24% in 2014.
Regular readers will not be surprised to learn that cyber attackers are also following this trend, shifting their focus to the cloud. They’re also using tried and tested techniques, such as password guessing and phishing campaigns, to spearhead their attacks.
Rapid adoption across organisations of all sizes has made Office 365 a particularly juicy target. Our advisory and Microsoft’s own guidance aim to address the increased level of unwanted attention that this popularity is generating.
Use Multi-factor Authentication (MFA)
Before going on to look at Microsoft’s security advice, I want to make a plea for Multi-factor Authentication. You should be using some sort of MFA to access your cloud services.
Sometimes called 2-factor authentication, two-step authentication or 2FA, this is your account’s first line of defence, and it’s a good one. If you’re not already doing this, you should get onto it right away.
The single-use codes generated by authenticator apps can be a tough sell in larger organisations. However, as our MFA guidance explains, the same level of security can be achieved in other, more user-friendly, ways. Logging in from a trusted IP address or from a device that has been pre-registered in Azure AD are two examples.
Enterprises can use Conditional Access to enforce the use of MFA. Smaller organisations and individuals should manually check that each of their accounts has enabled a second factor.
New Office 365 guidance from Microsoft
Microsoft’s new security guidance provides up to date advice on how to implement Office 365 installations so that they meet the NCSC’s cloud security principles.
We recommend this advice to enterprises in both the public and private sectors, though it was conceived to explain how UK public sector bodies can configure and use Office 365 to meet the threat at OFFICIAL.
The guidance covers all Office 365 services. So, the measures it suggests will give you confidence that you are safely using newer, cloud-only features, and familiar staples such as SharePoint and Exchange.
There are two parts to Microsoft’s guidance:
- The first document is a response to the NCSC’s 14 cloud security principles. It also explains how certain configurations map to those security principles.
- The second document describes the recommended configurations for an Office 365 service, including step-by-step implementation instructions.
In the second document, Microsoft has divided the recommendations into three categories: good, better and best.
The NCSC recommends that enterprises should aim to implement all the recommendations in the good category and, ideally, those in the better category that are included in the Office 365 E3 licence.
Moving to cloud-native authentication
This new guidance includes one major change which some may find a little controversial.
We now recommend that hybrid environments – i.e. those that use Active Directory as well as Azure AD – should prefer native authentication against Azure AD rather than ADFS.
In Microsoft-speak this is ‘Seamless SSO with Password Hash Sync’, configured to use either per-user or Conditional Access MFA.
Password synchronisation with the cloud can feel like a scary thing to do, but we think that organisations using Azure AD as their primary authentication source will actually lower their risk compared with ADFS. This is because:
- It’s actually the hashes of your password hashes that are sent to Azure AD, and not the reusable NTLM hashes commonly discussed in “pass the hash” attacks. (Microsoft explains further in their Azure AD Connect documentation). This means that the credentials sent to Azure AD can’t be used to authenticate to any of your on-premises infrastructure that relies on Active Directory.
- We are already relying on Azure AD to make access control decisions regulating who can see which data, hosted in Office 365. So we already need to trust that it’s built and operated securely. Storing password hashes doesn’t change that security requirement.
- The availability of Office 365 will no longer be affected by any outages or downtime suffered by your on-premises ADFS or Active Directory infrastructure.
- The full set of Microsoft’s credential protection technologies only work on accounts that are fully synchronised with the cloud. Benefits include the service identifying users with passwords that are easily guessed, and flagging accounts whose reused passwords have been leaked through data breaches from other services.
- Extensions to Conditional Access that include an assessment of the health of a device will, in the future, probably only be available for users that are authenticating directly to Azure AD.
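To make the first point above concrete, here is an added Python illustration (not code from this post or from Microsoft’s tooling) that follows Microsoft’s public description of the Password Hash Sync derivation: the on-premises NT hash (MD4 over the UTF-16LE password) is expanded to 64 bytes via its hex string, combined with a 10-byte per-user salt and run through 1000 iterations of PBKDF2-HMAC-SHA256. The lowercase hex encoding and the sample credential are assumptions; the value that reaches Azure AD is a salted one-way derivative, so it is neither the NT hash nor something from which the NT hash can be recovered.

```python
import hashlib
import hmac
import os
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):  # three rounds of 16 steps; registers rotate after each step
            if i < 16:
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, add = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, add = h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + fn(b, c, d) + x[k] + add) & 0xFFFFFFFF, s), b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """The on-premises NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def phs_sync_value(nt: bytes, salt: bytes) -> bytes:
    """The 'hash of the hash' that Azure AD Connect sends: the NT hash expanded to 64 bytes
    via its hex string, then PBKDF2-HMAC-SHA256 with a 10-byte per-user salt, 1000 iterations."""
    assert len(salt) == 10
    expanded = nt.hex().encode("utf-16-le")  # 16 bytes -> 32 hex chars -> 64 bytes (lowercase assumed)
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, 1000, dklen=32)

def cloud_verify(password_attempt: str, salt: bytes, stored: bytes) -> bool:
    """Cloud-side login check: recompute from the attempt and compare in constant time."""
    return hmac.compare_digest(phs_sync_value(nt_hash(password_attempt), salt), stored)

if __name__ == "__main__":
    nt, salt = nt_hash("password"), os.urandom(10)  # constructed sample credential and salt
    synced = phs_sync_value(nt, salt)
    print("NT hash (what on-premises AD accepts):", nt.hex())
    print("Synced value (salted, one-way):        ", synced.hex())
    print("Cloud login check:", cloud_verify("password", salt, synced))
```

Because the salt differs per user, two accounts with the same password sync different values, and a wrong password attempt fails verification.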
The guidance goes into more detail about some of the relevant authentication options and associated services, including how to implement them.
Acting on the new guidance
We recommend that organisations already using Office 365 review their deployments against the NCSC advisory and the new guidance published by Microsoft, treating their recommendations as the minimum you should put in place.
Smaller organisations will find the mitigations in the advisory more relevant, while larger organisations and the public sector should also use the more detailed guidance.
If you aren’t already protecting against the risk of password guessing and leaked credentials using something like MFA or Conditional Access, it’s worth repeating – you should get started, right now!
Cloud products and the way we use them will continue to change and develop over the next few years. It’s therefore worth planning to periodically review the configuration of all the SaaS instances used by your organisation, including a check to see whether the vendor has updated their recommendations.
If you have any questions for us about the recommendations in the guidance, or have any comments, please use the Contact us form.
We’d also love to hear from other vendors whose services are popular with the UK public sector if you’re writing guidance about how you meet our 14 security principles and/or how you’d recommend configuring a service to meet the threat at OFFICIAL.