Lucid Security regularly performs Microsoft 365 (M365) security reviews. This article covers five default M365 settings that we recommend changing immediately, based on what we repeatedly find during those assessments. Microsoft 365 (formerly Office 365) is widely used by businesses of every size, and it ships with a number of security-related controls that are worth tweaking, enabling or disabling as soon as a tenant is stood up. This list should help you quickly decide what your organization needs to do to keep its M365 environment secure!
Password Policy and MFA
Enforcing multi-factor authentication (MFA) and a strong password policy will IMMEDIATELY reduce your overall attack surface. Azure smart lockout is getting smarter, but attackers still run trivial password spray attacks against M365, and a spray only needs to find one weak password with no MFA behind it. We recommend replacing the default M365 password requirements with the following:
- At least 12 characters
- Lowercase characters
- Uppercase characters
- Special characters
- Numbers
In addition, enforce MFA for all users. One caveat on the length requirement: the built-in Entra ID password policy for cloud-only accounts cannot be edited (its minimum length is fixed at 8 characters), so a 12-character minimum is enforced through the on-premises Active Directory password policy for synced accounts. For cloud-only accounts the available lever is the banned-password list: Microsoft Entra Password Protection lets you define a custom banned password list on top of Microsoft's global list, to stop users from choosing passwords built from, for example, your company name, local sports teams, or other commonly used weak terms. When a user sets or resets a password, it is checked against both lists and the request fails if it matches. The Center for Internet Security (CIS) has a great guide on password policy here.
Block Legacy Authentication
Blocking legacy authentication shuts off the authentication protocols that cannot support MFA (basic authentication as used by older Office clients, IMAP, POP, SMTP AUTH and Exchange ActiveSync), which attackers target precisely because a valid password alone gets them in. Generally no one is going to be running Microsoft Office 2013 (or older) or legitimately authenticating via IMAP, but check the sign-in logs for legacy client usage before enforcing the block, and exclude your emergency-access accounts from it. Microsoft has since disabled Basic authentication for most Exchange Online protocols (SMTP AUTH being the notable exception), but a tenant-wide block through Conditional Access is still the right control because it covers every application and every protocol. By disabling legacy authentication, organizations significantly reduce their attack surface and blunt credential stuffing, password spraying and brute-force attacks, since every sign-in must then use modern authentication and pass whatever MFA policy sits behind it.
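The following is an added example, not code from the original post, showing how the MFA requirement from the password section above and the legacy-authentication block are implemented together as Conditional Access policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the session has the listed scopes, and that `$BreakGlassGroupId` is a placeholder for the object ID of a group holding your emergency-access accounts. Both policies are created in report-only mode so you can review the sign-in log impact before switching them to enabled.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module;
# $BreakGlassGroupId is a placeholder, replace it with your break-glass group's object ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Before enforcing, list recent sign-ins that did not come from a browser or a modern
# desktop/mobile client. Whatever shows up here is what the block policy will break.
$legacy = Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending
$legacy | Select-Object Count, Name | Format-Table -AutoSize

# Policy 1: block legacy (non-modern) authentication for everyone except break-glass accounts.
# "exchangeActiveSync" and "other" are the two legacy client types in the Conditional Access schema.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for all users on all cloud apps, again excluding break-glass accounts.
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
```

Leave both policies in report-only mode for a few days, review the "Report-only" results in the sign-in logs, and only then flip `state` to `enabled`. The break-glass exclusion is not optional: a tenant where every account, including the emergency ones, is locked behind a misconfigured MFA policy is a very bad place to be.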
Prevent Users from Registering OAuth Applications
By default, any M365 user can register applications with Entra ID and can consent to OAuth applications on their own behalf. A registered application can access the mailbox, files and directory data of every user who grants consent, with the level of access determined by the permissions the application requests. Attackers exploit this in two ways: by compromising a corporate account and registering an application inside the tenant, which gives them persistent, password-independent access and a platform for internal phishing campaigns, and by tricking users into consenting to an externally registered application (the "illicit consent grant" attack). Either way, the attacker can escalate privileges within the tenant. Restrict application registration to administrators, restrict user consent (routing requests through the admin consent workflow instead), and review the consents that already exist. A Microsoft blog post here shares additional details about this threat.
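The following is an added example, not code from the original post or from Microsoft, that applies those three changes and audits existing consents using the Microsoft Graph PowerShell SDK. It assumes a Global Administrator session with the listed scopes, and `$ReviewerUserId` is a placeholder for the object ID of the administrator who should receive consent requests.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module;
# $ReviewerUserId is a placeholder, replace it with the reviewing admin's object ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Application.Read.All", "Directory.Read.All"

$ReviewerUserId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Current state: can ordinary users register apps, and which consent policy applies to them?
$authz = Get-MgPolicyAuthorizationPolicy
"Users may register apps: $($authz.DefaultUserRolePermissions.AllowedToCreateApps)"
"User consent policies:   $($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole -join ', ')"

# 1. Stop non-admin users from registering applications.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ allowedToCreateApps = $false }

# 2. Restrict user consent. Option A keeps self-service consent only for verified publishers
#    requesting low-impact permissions (Microsoft's built-in "low" policy); option B removes
#    user consent entirely so that every application needs admin consent.
Update-MgPolicyAuthorizationPolicy -PermissionGrantPolicyIdsAssignedToDefaultUserRole @(
    "ManagePermissionGrantsForSelf.microsoft-user-default-low"
)
# Update-MgPolicyAuthorizationPolicy -PermissionGrantPolicyIdsAssignedToDefaultUserRole @()   # option B

# 3. Turn on the admin consent request workflow so users who are now blocked can ask an
#    administrator instead of hunting for a workaround.
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled -RequestDurationInDays 30 `
    -Reviewers @(@{ query = "/users/$ReviewerUserId"; queryType = "MicrosoftGraph" })

# 4. Audit what users have already consented to. Per-user ("Principal") grants are the
#    ones to review for the illicit-consent pattern: look for unfamiliar publishers and
#    broad scopes such as Mail.Read, Mail.ReadWrite, Files.ReadWrite.All or offline_access.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App       = $sp.DisplayName
            Publisher = $sp.PublisherName
            Scope     = $_.Scope
            UserId    = $_.PrincipalId
        }
    } | Sort-Object Publisher, App | Format-Table -AutoSize
```

Step 4 is the one that finds an attack already in progress: a grant with `Mail.Read` and `offline_access` to an app from an unknown publisher is exactly what a successful consent-phishing campaign leaves behind, and it survives password resets until the grant itself is removed.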
SharePoint External Sharing
Within SharePoint and OneDrive, the organization-level "External Sharing" setting is "Anyone" by default. This means users can share files and folders with links that require no sign-in at all: whoever holds the link, including anyone it is forwarded to, can open the content. That is generally a bad idea, especially if sensitive information is stored in SharePoint or OneDrive. Consider lowering this setting to "New and existing guests" (or "Existing guests" / "Only people in your organization") according to your organization's needs, and set the default link type to people in your organization so that a user has to deliberately choose a broader audience. Site-level sharing can never be more permissive than the organization-level setting, so this one change caps every site in the tenant.
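As an added example (not code from the original post), the same change made with the SharePoint Online Management Shell. It assumes the Microsoft.Online.SharePoint.PowerShell module and uses `contoso` as a placeholder tenant name; `ExternalUserAndGuestSharing` is the cmdlet's name for the "Anyone" level and `ExternalUserSharingOnly` for "New and existing guests".

```powershell
# Added example (not from the original post). Assumes the Microsoft.Online.SharePoint.PowerShell
# module; "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current organization-level setting. "ExternalUserAndGuestSharing" is the "Anyone" level.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# Tighten the organization-wide level: allow sharing only with authenticated guests and make
# new sharing links default to people inside the organization. The anonymous-link settings are
# set as well so that, if the level is ever relaxed back to "Anyone", those links are at least
# read-only and expire after 30 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 30

# Sites cannot be more permissive than the tenant, so existing "Anyone" links stop working
# immediately. List the sites that were explicitly set to "Anyone" so their owners are told why.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability
```

If a business unit genuinely needs anonymous links for a single site, leave the tenant at the stricter level and raise only that site with `Set-SPOSite -SharingCapability`, which is only possible when the tenant level allows it; that is exactly why the tenant setting is the one to fix first.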
Consider Enabling Security Defaults
Enabling Security Defaults is an easy way to enforce the above, and other security settings, within your M365 tenant without building Conditional Access policies yourself. Security Defaults require every user to register for MFA and to use it when required, always require MFA for administrators, block legacy authentication protocols, and protect privileged activities such as access to the Azure portal and Microsoft Graph. The massive caveat is that Security Defaults and Conditional Access are mutually exclusive: as soon as you create a Conditional Access Policy, Security Defaults can no longer be enabled, and you cannot create a Conditional Access policy while they are on. If your organization does NOT need more granular policies (trusted locations, per-application rules, exemptions for service accounts), we recommend Security Defaults. Otherwise, manually configuring the above items (and others we will write about) will be necessary. Microsoft has documentation on Security Defaults here.
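As an added example (not from the original post), this is how to check for that conflict and turn Security Defaults on with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module and a session with the listed scopes; if the tenant already has Conditional Access policies, it reports them instead of attempting the enable call, which Entra ID would reject.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Security Defaults and Conditional Access are mutually exclusive: if any CA policy exists,
# enabling Security Defaults fails, so look before leaping.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy)
if ($caPolicies.Count -gt 0) {
    Write-Warning "Tenant has $($caPolicies.Count) Conditional Access policies; enforce MFA, the legacy-auth block and admin protection there instead."
    $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
}
else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
    # Read the setting back to confirm it took effect.
    (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}
```

A tenant where `IsEnabled` reads `False` and the Conditional Access list is empty has neither protection in place, and that is the combination we most often find during reviews.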
Lucid Security Can Help
Hopefully you are now armed with the information on the 5 default M365 settings to change immediately! For a more detailed security review of your M365 environment, Lucid Security is happy to help! Feel free to reach out and let us know how we can further secure your M365 environment by contacting us.