Office 365 is a flexible, cost-effective, and easy-to-use cloud productivity platform. Office 365 provides a suite of productivity services that you can use to manage your business. This paper is targeted at customers’ internal security, risk and compliance teams and their external auditors who may have a need to assess the use of Office 365.
This paper provides a checklist to support assessments of Office 365 based on the following domains:
- Office 365 Super Admins - Admin accounts come with elevated privileges, so they are valuable targets for hackers and cyber criminals. Every developer or user on your network with administrative privileges adds risk of account compromise.
- Office 365 Identity Access Management - Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure. As a key component of your security architecture, it can help verify your users' identities before granting them the right level of access to workplace systems and information.
- Office 365 Resources - Customers are responsible for maintaining the security of anything they install or store on their internal storage or connect to their tenant. Secure management of your resources means knowing what resources your organization is using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to your resources (change management).
- Office 365 Chat & Conferences - Make sure your users are not vulnerable to Meeting Bombing, Malicious Links In a Chat, and Stolen Meeting Links. Making sure your videoconferencing is set up securely can help prevent these attacks from being successful.
- Office 365 Email Security - Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with email systems.
- Office 365 Certificates - SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.
- Office 365 Incident Response - Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
Automate your Office 365 ISO / PCI compliance process and prevent misconfiguration.
1. Office 365 Super Admins
Admin accounts come with elevated privileges, so they are valuable targets for hackers and cyber criminals. Every developer or user on your network with administrative privileges adds risk of account compromise.
1.1. Admin Recovery
Title | Action | Overview | Services |
---|---|---|---|
Multiple Super Admins | Detects whether multiple super admin accounts are set | A business should have more than one super admin account, each managed by a separate person. If one account is lost or compromised, another super admin can perform critical tasks while the other account is recovered. | Office 365 Azure AD |
2. Office 365 Identity Access Management
Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure. As a key component of your security architecture, it can help verify your users' identities before granting them the right level of access to workplace systems and information.
2.1. Multi Factor Authentication
Title | Action | Overview | Services |
---|---|---|---|
MFA enforcement | Ensures MFA is enforced for all users | MFA helps protect a user account from unauthorized access should someone manage to obtain their password. | Office 365 IAM |
MFA disable detection | Detects users without MFA enrolled | MFA helps protect a user account from unauthorized access should someone manage to obtain their password. | Office 365 IAM |
2.2. Secrets Protection
Title | Action | Overview | Services |
---|---|---|---|
Password Expiration | Ensures the password policy enforces a password expiration. | A strong password policy enforces minimum length, expiration, reuse restrictions, and symbol usage. | Office 365 Org Settings |
2.3. Third Party Access
Title | Action | Overview | Services |
---|---|---|---|
Guest accounts in the organization tenant | Detects guest users in the organization tenant. | By granting guest access you are allowing your guests access to your team's files and other data shared through channels, which poses potential data security risks. | Office 365 IAM |
Guest user access is disabled | Ensures guest users cannot log in to the organization tenant. | By granting guest access you are allowing your guests access to your team's files and other data shared through channels, which poses potential data security risks. | Office 365 IAM |
2.4. Access Keys
Title | Action | Overview | Services |
---|---|---|---|
Access Keys Last Used | Detects access keys that have not been used for a period of time and that should be decommissioned. | Having numerous, unused access keys extends the attack surface. Access keys should be removed if they are no longer being used. | Office 365 IAM |
Access Keys Rotated | Detects access keys older than 180 days that should be rotated to reduce accidental exposure. | Access keys should be rotated frequently to avoid having them accidentally exposed. | Office 365 IAM |
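The identity checks in sections 1.1, 2.1, 2.3 and 2.4 can be run together as one read-only assessment. The script below is an added example, not code from this checklist or from any vendor tool; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module), an account that can consent to the listed read scopes, and it interprets "access keys" as app-registration client secrets, which is an assumption.

```powershell
# Added example, not code from the checklist: read-only Graph assessment for
# sections 1.1, 2.1, 2.3 and 2.4. Assumes the Microsoft.Graph module and the
# delegated read scopes below; nothing in the tenant is modified.
$scopes = @('Directory.Read.All', 'AuditLog.Read.All',
            'UserAuthenticationMethod.Read.All', 'Application.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1.1 Multiple Super Admins: at least two separately owned Global Administrators.
# The role object only exists once the role has been activated in the tenant.
$gaRole = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = @(if ($gaRole) { Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All })
if ($gaMembers.Count -lt 2) {
    $findings.Add("Only $($gaMembers.Count) Global Administrator(s); a second, separately held account is expected")
}

# 2.1 MFA disable detection: the registration report shows who has no MFA method.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
foreach ($u in $noMfa) { $findings.Add("No MFA method registered: $($u.UserPrincipalName)") }

# 2.3 Third Party Access: every guest object is listed for review.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property UserPrincipalName, CreatedDateTime
foreach ($g in $guests) { $findings.Add("Guest account: $($g.UserPrincipalName) (created $($g.CreatedDateTime))") }

# 2.4 Access Keys Rotated: interpreted here (assumption) as app-registration client
# secrets; anything issued more than 180 days ago is reported for rotation.
$cutoff = (Get-Date).AddDays(-180)
foreach ($app in Get-MgApplication -All -Property DisplayName, AppId, PasswordCredentials) {
    foreach ($secret in $app.PasswordCredentials) {
        if ($secret.StartDateTime -lt $cutoff) {
            $findings.Add("Secret on '$($app.DisplayName)' ($($app.AppId)) issued $($secret.StartDateTime.ToString('yyyy-MM-dd')), older than 180 days")
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The report covers registered MFA methods, not whether MFA is enforced at sign-in; enforcement is a Conditional Access or Security Defaults setting and is checked separately.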
3. Office 365 Resources
Customers are responsible for maintaining the security of anything they install or store on their internal storage or connect to their tenant. Secure management of your resources means knowing what resources your organization is using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to your resources (change management).
3.1. Limit calendar sharing
Title | Action | Overview | Services |
---|---|---|---|
Discover publicly accessible calendars | Detects if calendars are publicly accessible from the internet | Restrict external calendar sharing to free/busy information only. This reduces the risk of data leaks. | Office 365 Outlook |
Limit calendar sharing | Enforces that calendars are not publicly accessible from the internet | Restrict external calendar sharing to free/busy information only. This reduces the risk of data leaks. | Office 365 Outlook |
3.2. Limit file sharing
Title | Action | Overview | Services |
---|---|---|---|
Discover publicly accessible files | Ensures users cannot share files with external users | Confine file sharing within the boundary of your domains by turning sharing options off. This reduces data leak and data exfiltration risks. If sharing is required outside of a domain because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist. | Office 365 Sharepoint |
Limit file sharing with externals | Ensures files cannot be shared with users outside the organization | Confine file sharing within the boundary of your domains by turning sharing options off. This reduces data leak and data exfiltration risks. If sharing is required outside of a domain because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist. | Office 365 Sharepoint |
Limit file sharing publicly to everyone | Ensures files cannot be shared publicly with everyone | Confine file sharing within the boundary of your domains by turning sharing options off. This reduces data leak and data exfiltration risks. If sharing is required outside of a domain because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist. | Office 365 Sharepoint |
4. Office 365 Chat & Conferences
Make sure your users are not vulnerable to Meeting Bombing, Malicious Links In a Chat, and Stolen Meeting Links. Making sure your videoconferencing is set up securely can help prevent these attacks from being successful.
5. Office 365 Email Security
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with email systems.
5.1. Data Protection
Title | Action | Overview | Services |
---|---|---|---|
Disable automatic forwarding | Ensures automatic forwarding is disabled | Prevent users from automatically forwarding incoming mail to another address. This reduces the risk of data exfiltration through email forwarding, which is a common technique employed by attackers. | Office 365 Outlook |
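The sharing and forwarding controls in sections 3.1, 3.2 and 5.1 all live in Exchange Online and SharePoint Online settings, so one script can audit them. This is an added example, not code from this checklist or from any vendor tool; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, admin rights in both services, and a placeholder tenant name.

```powershell
# Added example, not code from the checklist: Exchange Online and SharePoint Online
# checks for sections 3.1, 3.2 and 5.1. Assumes the ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell modules and admin rights in both services.
$TenantName = 'TENANT-PLACEHOLDER'   # e.g. 'contoso' for contoso-admin.sharepoint.com
$findings = [System.Collections.Generic.List[string]]::new()
Connect-ExchangeOnline -ShowBanner:$false
# 3.1 Limit calendar sharing: policy entries read "<domain>:<level>"; only
# CalendarSharingFreeBusySimple (free/busy only) matches the checklist.
foreach ($policy in Get-SharingPolicy | Where-Object Enabled) {
    foreach ($entry in $policy.Domains) {
        $domain, $level = "$entry" -split ':', 2
        if ($level -ne 'CalendarSharingFreeBusySimple') {
            $findings.Add("Sharing policy '$($policy.Name)' grants $level to $domain")
        }
    }
}

# 5.1 Disable automatic forwarding: checked at the outbound spam policy, the
# remote-domain setting, and per mailbox (forwarding attributes and inbox rules).
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    if ($p.AutoForwardingMode -ne 'Off') {
        $findings.Add("Outbound spam policy '$($p.Name)' AutoForwardingMode is $($p.AutoForwardingMode)")
    }
}
foreach ($rd in Get-RemoteDomain | Where-Object AutoForwardEnabled) {
    $findings.Add("Remote domain '$($rd.DomainName)' has AutoForwardEnabled")
}
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add("Mailbox $($mbx.UserPrincipalName) forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)")
    }
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { $findings.Add("Inbox rule '$($_.Name)' on $($mbx.UserPrincipalName) forwards or redirects mail") }
}

# 3.2 Limit file sharing: tenant-wide SharePoint/OneDrive external sharing level.
# 'ExternalUserAndGuestSharing' also allows anonymous 'Anyone' links.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -ne 'Disabled') {
    $findings.Add("SharePoint SharingCapability is $($tenant.SharingCapability); external sharing is allowed")
}
# Remediation cmdlets for the findings above (apply deliberately, per finding):
#   Set-SharingPolicy -Identity 'Default Sharing Policy' -Domains 'Anonymous:CalendarSharingFreeBusySimple'
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#   Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
#   Set-SPOTenant -SharingCapability Disabled
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Enumerating inbox rules for every mailbox is slow on large tenants; the outbound spam policy set to Off blocks the rule-based forwarding path regardless, so check that first.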
6. Office 365 Certificates
SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.
7. Office 365 Incident Response
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
7.1. Security Notifications & Alerting
Title | Action | Overview | Services |
---|---|---|---|
Compliance Notification Mails | Ensures an email address is assigned to receive security event notifications | Enabling security alerts to be sent to admins ensures that detected vulnerabilities and security issues are sent to the subscription admins for quick remediation. | Office 365 Azure Security Center |
Compliance Notification Phones | Ensures a phone number is assigned to receive security event notifications | Enabling security alerts to be sent to admins ensures that detected vulnerabilities and security issues are sent to the subscription admins for quick remediation. | Office 365 Azure Security Center |