Security Assessment
Overview
The goal of this assessment is to help Australian businesses understand and reduce the security risks to their
business. With over 30% of cyber incident breaches in Australia coming from compromised or stolen
credentials, and another 43% from phishing attacks, it is highly important to secure your Microsoft Office
365 tenant.
This assessment can be used to review your Microsoft Office 365 configuration for best practices and outline
any recommendations to improve your security posture. The recommendations in this assessment are based
on utilising Microsoft 365 Business as a minimum, however some recommendations will work for lower levels
of Microsoft licensing.
Microsoft Office 365 is an integral part of many Australian businesses, providing key business services such as
Azure Active Directory identity management, email, SharePoint and OneDrive file management,
Microsoft Teams collaboration software and device management.
Your Microsoft Office 365 applications and data can be accessed in many ways, whether you’re working in
the office, at your home office, on the road, or from your laptop, phone or tablet device. There are now many
ways to access sensitive business data, so it’s imperative to ensure the security of this data across your
organisation’s Microsoft Office 365 suite.
This document will help considerably to raise your organisation’s Office 365 security posture. It can be used
to check off the user, identity and authentication actions you need to take to bolster security across each of these
critical vulnerability points.
A1 Technologies specialises in helping businesses secure their Microsoft Office 365 environments. This
assessment template is based on our experience with our clients and ongoing improvements to our Managed
Services clients as part of our service. Through a continuous review and improvement schedule we regularly
add additional security improvements to our assessments. This version is offered here freely to allow
Australian Businesses the opportunity to improve their Security and reduce the risks to their businesses.
If, at any point, you need assistance with your security project to complete an assessment, implement
recommendations or discuss our Managed Services options, don’t hesitate to reach out; we would love to
hear from you.
What Is Covered
This assessment template will cover the following Microsoft Office 365 components:
Azure AD Assessment
- General identity access and device management settings.
Exchange
- Mail Flow assessment, mailbox and groups permissions, connectors, etc.
Teams
- Teams ownership, channel settings, sharing settings, etc.
Information Security
- Auditing, data loss prevention, information protection, etc.
Microsoft Secure Score
Your Microsoft Secure Score represents an overall scoring of security across five key Microsoft 365 areas:
identities, data, apps, devices, and infrastructure, each with its own associated score. The higher the score,
the more secure these are. It is a good check of overall system security health and by assessing each area
you can raise the individual and overall scores. Microsoft Secure Score also depends on your Microsoft
licensing: for example, if your business uses Microsoft Office 365 Business you will have fewer security
options available to you than with Microsoft 365 Business (which includes Advanced Security and
Device Management).
Out of the box, most Microsoft Office 365 environments have a Microsoft Secure Score of between 35 and 45.
This is a very low score; however, Microsoft provides the tools to greatly increase security. A score of 176 (like
the example below) provides a moderate level of security with low impact on staff workflows, however
it’s possible to do better.
This assessment template focuses heavily on protecting credentials to mitigate threats. The largest change
users will typically notice is the implementation of Multi-Factor Authentication (MFA), which requires users
to present a second level of authentication when accessing company data. You’ll be familiar with MFA from
everyday life, e.g. banks asking for a verification code sent over SMS or generated by Windows or
Google Authenticator.
Additionally, planning and tuning security settings over time will ensure your environment and your staff are
much safer from the risk of attacks. A1 Technologies recommends monthly reviews of logs and quarterly
planning to implement improvements.
Cheat Sheet: Recommended Improvements
A recommended list of actions to increase your Microsoft Secure Score can be seen in the table below.
Security Assessments
Azure AD
Microsoft Office 365 uses Azure Active Directory (Azure AD), Microsoft’s cloud-based identity and
authentication service, to manage identities and authentication for Microsoft Office 365. Getting your
identity infrastructure configured correctly is vital to managing Microsoft Office 365 user access and
permissions for your organisation.
Multi-Factor Authentication
Two-factor verification is more secure than just a password, because it relies on two forms of
authentication: something you know (your password), and something you have with you (e.g. a mobile
device). Two-factor verification can help to stop malicious hackers from pretending to be you. Even if they
have your password, they will also need access to your mobile to gain access to your account.
Multi-factor authentication refers to two or more authentications being necessary to gain access.
Global Admins:
Microsoft recommends that you have at least 2 global admins required at
any time to reset passwords and to protect against a rogue admin or
compromised account. We now also recommend that you have no more
than 4 global admins to reduce your organisation's collective risk.
MFA:
Enforce MFA for all users.
Modern Authentication:
App passwords are used by legacy applications. Enforce users to use modern
authentication clients and disable app passwords.
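The three checks above (2 to 4 global admins, MFA enforced for everyone, no app passwords) as an added example that is not part of the assessment or A1 Technologies’ tooling. It runs over a constructed user export; the `mfa` field uses the per-user MFA states Office 365 reports (Disabled, Enabled, Enforced), and a real run would replace `SAMPLE_USERS` with your tenant’s export.

```python
# Constructed export of tenant users: hypothetical data, not from the assessment.
# "mfa" uses the per-user MFA states Office 365 reports: Disabled, Enabled
# (registration pending, not yet required) and Enforced (required at sign-in).
# "app_passwords" is the number of legacy app passwords issued to the account.
SAMPLE_USERS = [
    {"upn": "alice@example.com.au", "global_admin": True,  "mfa": "Enforced", "app_passwords": 0},
    {"upn": "bob@example.com.au",   "global_admin": True,  "mfa": "Enabled",  "app_passwords": 1},
    {"upn": "carol@example.com.au", "global_admin": False, "mfa": "Disabled", "app_passwords": 0},
    {"upn": "dave@example.com.au",  "global_admin": False, "mfa": "Enforced", "app_passwords": 2},
]

MIN_GLOBAL_ADMINS, MAX_GLOBAL_ADMINS = 2, 4   # the assessment's recommended range

def assess_identity(users):
    """Return (severity, message) findings for the Azure AD MFA checks."""
    findings = []
    admins = [u for u in users if u["global_admin"]]
    if not MIN_GLOBAL_ADMINS <= len(admins) <= MAX_GLOBAL_ADMINS:
        findings.append(("critical", f"{len(admins)} global admins; keep between "
                                     f"{MIN_GLOBAL_ADMINS} and {MAX_GLOBAL_ADMINS}"))
    for u in users:
        # A gap on a global admin account is critical; on any other user it is important.
        sev = "critical" if u["global_admin"] else "important"
        if u["mfa"] != "Enforced":   # "Enabled" means registration is pending, not that MFA is required
            findings.append((sev, f"{u['upn']}: MFA state is {u['mfa']}, not Enforced"))
        if u["app_passwords"]:
            findings.append((sev, f"{u['upn']}: {u['app_passwords']} app password(s) issued; "
                                  "disable app passwords and move the client to modern authentication"))
    return findings

if __name__ == "__main__":
    for sev, msg in assess_identity(SAMPLE_USERS):
        print(f"[{sev}] {msg}")
```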
Self-Service Password Reset
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset
their passwords without needing to contact IT. Employees must register for, or be registered for,
self-service password reset before using the service. During registration, the employee chooses one or more
authentication methods enabled by their organisation.
It is strongly recommended that Global Administrators also set up this service for their own accounts.
Device Management
Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce
to be productive while keeping your corporate data protected. With Intune, you can:
- Manage the mobile devices your workforce uses to access company data, whether company
owned or BYO device.
- Manage the client apps your workforce uses.
- Protect your company information by helping to control the way your workforce accesses and
shares it.
- Ensure devices and apps are compliant with company security requirements.
Intune integrates closely with Azure Active Directory (Azure AD) for identity and access control and Azure
Information Protection for data protection. We recommend all organisations use Intune for enterprise
mobile security management.
Conditional Access
The modern security perimeter now extends beyond an organisation's network to include user and device
identity. Organisations can utilise these identity signals as part of their access control decisions.
Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and
enforce organisational policies. Conditional Access policies at their simplest are if-then statements: if a
user wants to access a resource, then they must complete an action.
Security Defaults:
Baseline Protection policies are a legacy experience which is being
deprecated. All baseline protection policies will be removed on
February 29th, 2020. If you are looking to enable security policy for
your organisation, we recommend enabling Security Defaults or
configuring Conditional Access policies.
Role Assignments
There are several default roles in Azure AD / Office 365. It is important to define what identities can
manage different aspects of your Office 365 environment.
Exchange Online
Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft
Exchange Server as a cloud-based service. It gives users access to email, calendar, contacts, and tasks from
PCs, the web, and mobile devices.
Mail Flow
(Table columns: Current State | Recommended State | Update Requirements)
- Ensure an SPF record is published for Office 365.
- Ensure DKIM is configured for all domains.
- Ensure DMARC is configured for all domains.
Spam Filter Policy:
Spam filter policy configured for all domains. Additionally, enable
Advanced Threat Protection (or a 3rd-party spam filter product).
Anonymous Connectors:
Configure a connector only if you need a device to relay anonymously.
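The SPF, DKIM and DMARC items above, turned into checks a reviewer can run, as an added example that is not the assessment’s or A1 Technologies’ code. It works over constructed resolver answers for a hypothetical domain (example.com.au, a tenant called contoso.onmicrosoft.com); a real run would fill `SAMPLE_DNS` from TXT and CNAME lookups for your domains.

```python
# Constructed resolver answers for a hypothetical domain (example data, not
# from the assessment), keyed by (record name, record type).
SAMPLE_DNS = {
    ("example.com.au", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("selector1._domainkey.example.com.au", "CNAME"):
        ["selector1-example-com-au._domainkey.contoso.onmicrosoft.com"],
    ("selector2._domainkey.example.com.au", "CNAME"): [],   # second selector never published
    ("_dmarc.example.com.au", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
}

def check_spf(dns, domain):
    """Exactly one SPF record that authorises Office 365 and fails everything else."""
    spf = [r for r in dns.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"{len(spf)} SPF records published (exactly one is required)"]
    terms, findings = spf[0].split(), []
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF does not include spf.protection.outlook.com")
    if terms[-1] not in ("-all", "~all"):   # +all, ?all or no all term does not reject unauthorised senders
        findings.append(f"SPF ends with '{terms[-1]}' rather than -all or ~all")
    return findings

def check_dkim(dns, domain):
    """Office 365 DKIM signing needs both selector CNAMEs so the key can be rotated."""
    findings = []
    for sel in ("selector1", "selector2"):
        targets = dns.get((f"{sel}._domainkey.{domain}", "CNAME"), [])
        if not targets:
            findings.append(f"{sel} DKIM CNAME is missing")
        elif not targets[0].lower().endswith(".onmicrosoft.com"):
            findings.append(f"{sel} DKIM CNAME does not point at the Office 365 tenant")
    return findings

def check_dmarc(dns, domain):
    """A DMARC record exists, enforces a policy and sends aggregate reports somewhere."""
    recs = [r for r in dns.get((f"_dmarc.{domain}", "TXT"), []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record published"]
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p={tags.get('p')} is monitor-only; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports are lost")
    return findings

def assess_mail_flow(dns, domain):
    """Run the three Mail Flow checks and return the findings per control."""
    return {"spf": check_spf(dns, domain), "dkim": check_dkim(dns, domain), "dmarc": check_dmarc(dns, domain)}
```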
Email Protection
To protect your email messages from malicious attacks, Office 365 uses Advanced Threat Protection.
Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps
protect your organisation against unknown malware and viruses by providing robust zero-day protection
and includes features to safeguard your organisation from harmful links in real-time. ATP has rich reporting
and URL trace capabilities that give administrators insight into the kind of attacks happening in your
organisation.
Impersonations & Phishing
While Microsoft works hard for ATP to catch impersonation and phishing
attempts, sometimes these emails can still land in organisational inboxes.
Invoking policies like only accepting emails from known domains, while
effective, can completely stifle workflow.
You can choose to use additional email filtering products by third party
services; however, the best line of defence is in-house security briefings
about current phishing attacks and what to look out for in emails.
SharePoint Online / OneDrive for Business
Microsoft SharePoint Online in Office 365 is a content, knowledge, and application management and
organisation platform. It empowers people to share and work together, to inform and engage others
across the company, to transform business processes, and to harness collective knowledge. In addition,
SharePoint provides capabilities for organisations to protect and manage their data and to build custom
solutions.
OneDrive is an online storage space in the cloud that's provided for individual licensed users in an
organisation. Use it to help protect work files and access them across multiple devices. OneDrive lets you
share files and collaborate on documents, and sync files to your computer.
Microsoft Teams
Microsoft Teams is a unified communications platform that combines persistent workplace chat, video
meetings, file storage (including collaboration on files), and application integration. The service integrates
with your organisation's Microsoft Office 365 subscription office productivity suite and features extensions
that can integrate with non-Microsoft products. Microsoft Teams is a competitor to services such as Slack
and is the evolution and upgrade path from Microsoft Skype for Business.
Alert Policies:
Alert policies enabled for detection of suspicious actions.
Establish Company Branding:
Allows admins and users to quickly identify what tenant they are
connecting into.
Essential 8
A1 Technologies also recommends complying with the Australian Cyber
Security Centre’s Essential 8 guidelines. These cover the 8 key areas below,
several of which reside outside of Microsoft Office 365.
1. Application Whitelisting
2. Microsoft Office 365 Macro Settings
3. Restrict Administrative Privileges
4. Multi-Factor Authentication
5. Patch Applications
6. User Application Hardening
7. Patch Operating Systems
8. Daily Backups
Key Findings & Recommendations
// use this section to outline key findings & recommendations for your
team, managers, or vendors. It should include critical, important, and
general recommendations.
Critical Items
To be addressed and remediated immediately.
1. Critical item
2. Critical item
Important Items
To be addressed and remediated immediately.
1. Important item
2. Important item
General Items
To be addressed and remediated immediately.
1. General item
2. General item
A1 Technologies is an Australian IT Consultancy and Managed Service Provider (MSP)
specialising in delivering robust, responsive, and secure IT and Technology solutions to
businesses Australia-wide.
If you need help deploying, managing, or optimising any part of your technology
infrastructure, feel free to reach out, we would love to hear from you.
“A1 has been very efficient and a great value-add to our business”
Trevor Bolland, CEO, Nuzest Life.
Get in Touch
Contact: Rob Rattray, Sales Director
P: 1300 287 910 | E: rob@a1t.com.au