Microsoft has built the Microsoft 365 Government Cloud (GCC and GCC-High) to address the specific needs of government customers. Many of the infrastructure-level requirements (such as data sovereignty) of government customers are met by the platform. The National Institute of Standards and Technology (NIST) has provided guidance for the best practices on securing government information systems. Following this guidance and working closely with NIST, Microsoft provided a robust, secure platform and infrastructure that’s constantly monitored and protected from large-scale, widespread threats as well as targeted, focused attacks.
But just using a GCC or GCC-High tenant in Microsoft 365 doesn’t guarantee that an agency will meet the requirements they have for security processes and practices. In recent days, this has been highlighted by malicious attacks on Microsoft 365 tenants by adversaries. In at least one instance, it has been reported that an attacker was able to access an account in a Microsoft 365 GCC tenant that didn’t have multi-factor authentication enforced.
As a result, the US Cybersecurity and Infrastructure Security Agency (CISA) has produced an analysis and alert recommending specific configurations for Microsoft 365 GCC and GCC-H to ensure that adequate security controls are being used to keep these high-security services…well, highly secure. Additionally, Microsoft has provided a “top ten” security list for organizations to reference. As would be expected, many of the items on these three lists are the same.
Below, I have aggregated and explained the recommended actions from both CISA’s analysis and alert and Microsoft’s tips article. All the following controls are available and included in a Microsoft 365 E3/G3 tenant and should be enabled and configured as best practices:
1. Multi-Factor Authentication (MFA)
This is the best mitigation technique to use to protect against credential theft for Office 365 users. While it’s available for all customers, it’s not enabled by default. Enabling MFA is the single most impactful action an administrator can take to secure their tenant.
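As an added example (not from the article or from Microsoft’s guidance text), the following Microsoft Graph PowerShell creates a Conditional Access policy that requires MFA for every user, starting in report-only mode so the sign-in impact can be reviewed before enforcement. It assumes the Microsoft.Graph PowerShell SDK is installed, that the connecting account holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass group object id is a placeholder you replace with your own.

```powershell
# Added example, not part of the article: require MFA for all users via Conditional Access.
# Assumes the Microsoft.Graph PowerShell SDK. For GCC High / DoD tenants add
# -Environment USGov / USGovDoD to Connect-MgGraph; GCC (moderate) uses the default endpoint.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of an emergency-access ("break-glass") group excluded from the policy
# so that an MFA service outage cannot lock every administrator out at once.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    DisplayName = "CA001 - Require MFA for all users"
    # Report-only first: the sign-in log shows who would have been challenged, nobody is
    # affected yet. Change to "enabled" once the report-only results have been reviewed.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlassGroupId)
        }
        Applications = @{
            IncludeApplications = @("All")
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what was stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State

# Audit: any policy that is not fully enabled is not yet protecting anyone.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "enabled" } |
    Select-Object DisplayName, State
```

Conditional Access requires Azure AD Premium P1, which is part of E3/G3; a tenant without it can use Security Defaults, which also requires MFA for all users but without the report-only stage or exclusions shown here.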
2. Enable unified audit logging in the Security and Compliance Center
While available to all tenants, it is not enabled by default. Enabling unified auditing allows admins to determine the impact of any breach attempts easily and quickly.
3. Enable mailbox auditing for each user.
Mailbox activity can often be an early indication of an intrusion, as the attacker looks to spread their access within the system or to other targets.
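The following Exchange Online PowerShell is an added example (not the article’s own) covering items 2 and 3 together: it turns on unified audit log ingestion, makes sure mailbox auditing is not suppressed at the organization level, and then enables auditing per mailbox with a longer retention and the owner actions that tend to reveal an intrusion. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs and Organization Management roles.

```powershell
# Added example, not part of the article: enable unified audit logging and mailbox auditing.
# Assumes the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement

# GCC (moderate) uses the default endpoint; for GCC High use
# Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
Connect-ExchangeOnline

# 1. Unified audit log: not on by default, one switch turns ingestion on for the tenant.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: an org-level AuditDisabled = $true silently suppresses every
#    mailbox's audit records regardless of the per-mailbox setting, so check it first.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per mailbox: turn auditing on, keep 180 days of records instead of the 90-day default,
#    and make sure the owner actions that typically show up during a compromise (logins,
#    inbox rule changes, deletions) are logged. @{Add=...} appends to the existing action list.
$ownerActions = "MailboxLogin", "UpdateInboxRules", "SoftDelete", "HardDelete", "MoveToDeletedItems"

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        Set-Mailbox -Identity $_.UserPrincipalName `
            -AuditEnabled $true `
            -AuditLogAgeLimit 180 `
            -AuditOwner @{ Add = $ownerActions }
    }

# 4. Report: any mailbox still not audited is a gap to investigate.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit
```

The unified audit log only starts collecting from the moment it is enabled, so this is a control to switch on before an incident, not during one.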
4. Ensure Azure AD password sync is planned for and configured correctly prior to migrating users.
By maintaining a single password for a single username, the risk of human error and the available number of attack opportunities are reduced.
5. Disable legacy email protocols, if not required, or limit their use to specific users.
Legacy protocols are used for many services due to their simplicity and ubiquity. However, they are legacy because better, more secure protocols have replaced them. Disabling them greatly improves your security stance.
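As an added example (not from the article), this Exchange Online PowerShell disables POP3, IMAP4 and SMTP AUTH for existing mailboxes and for the plans new mailboxes are created from, while keeping a documented allow-list for the few mailboxes that genuinely need SMTP AUTH. It assumes the ExchangeOnlineManagement module and an Exchange administrator session; the allow-list address is constructed.

```powershell
# Added example, not part of the article: disable legacy mail protocols in Exchange Online,
# keeping a documented allow-list of mailboxes that still need SMTP AUTH.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Constructed allow-list: a multifunction scanner that can only submit mail with SMTP AUTH.
$smtpAuthExceptions = @("scanner-relay@agency.example")

# Tenant-wide defaults first, so mailboxes created later never get the protocols enabled.
Get-CASMailboxPlan -ResultSize Unlimited |
    Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# SMTP AUTH off for the organization; a per-mailbox value of $false below overrides this
# for the exceptions only.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Existing mailboxes: POP/IMAP off everywhere, SMTP AUTH off except for the allow-list.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $isException = $smtpAuthExceptions -contains $_.PrimarySmtpAddress.ToString().ToLower()
    Set-CASMailbox -Identity $_.Identity `
        -PopEnabled $false `
        -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled (-not $isException)
}

# Report anything still exposed, to reconcile against the documented exceptions.
# SmtpClientAuthenticationDisabled is $null when the mailbox inherits the org setting.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false) } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

Before running this, check the Azure AD sign-in logs (filtered on the legacy client app types) for accounts that still authenticate with these protocols, so that the allow-list is based on observed use rather than assumptions. A Conditional Access policy that blocks legacy authentication is the complementary control at the identity layer.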
6. Protect Global Admins from compromise and use the principle of “Least Privilege.”
Global Administrators should not be using an account with elevated privileges for their day-to-day work. Create a separate account with GA privileges for administrative use, while all other “business” is conducted on an account with regular user-level permissions.
GA privileged accounts should not be used for sending/receiving emails.
Use Application Profiles (token, not service account) – the app profile creates a token to authenticate into the tenant. After the GA has authorized the application, its credentials are not used to authenticate the application.
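An added example, not the article’s own, of a check for the practice described above: it lists the members of the Global Administrator role and flags any that also have an Exchange mailbox, since a privileged account with a mailbox is one that is being used for day-to-day mail. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an account that can read directory roles.

```powershell
# Added example, not part of the article: find Global Administrator accounts that have a mailbox.
# Assumes Microsoft.Graph (Directory.Read.All is enough to read role membership) and
# ExchangeOnlineManagement.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes "Directory.Read.All"
Connect-ExchangeOnline

# The role object exists once the role has been activated in the tenant (it always is
# when at least one Global Administrator exists).
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id

$report = foreach ($m in $members) {
    # Members come back as generic directory objects; user fields sit in AdditionalProperties.
    $upn = $m.AdditionalProperties["userPrincipalName"]
    if (-not $upn) { continue }   # skip service principals and groups

    # Not-found is the expected (good) outcome, so suppress the error rather than stop.
    $mailbox = Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Account    = $upn
        HasMailbox = [bool]$mailbox
        Finding    = if ($mailbox) { "GA account with a mailbox: move daily work to a separate standard account" } else { "OK" }
    }
}

$report | Sort-Object HasMailbox -Descending | Format-Table -AutoSize
```

The same report, sorted by member count, also surfaces a second common finding: more Global Administrators than the organization can justify.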
7. Enable Alerting capabilities.
Automation allows attackers to act faster than humans can react. Automated monitoring and alerting will notice attacks before you will.
8. Integrate with organizational SIEM solutions.
SIEM solutions aggregate and surface critical information to ensure threats or attacks are not “lost in the noise” or other warnings are overlooked.
9. End-user security awareness and compliance training
No matter how good your security policies, plans, and controls, a user that doesn’t practice good security can undo all your hard work and allow a breach.
Security awareness and compliance training is critical to keeping your tenant secure.
10. Over-permissioned end-users
End-users with higher than necessary permissions can create an opening into your tenant if their account is compromised.
Delegated administration, self-service options, and other third-party tools can improve your security practices by enforcing controls, providing services, and handling provisioning without granting users privileges in Microsoft 365, and by adding multi-step approval flows.
The next four items are enhancements to the security offerings in Microsoft 365 provided with the E3/G3 Premium subscriptions:
1. Malicious software scanning
Safe Attachments is a service offered within Microsoft 365 that automatically scans all attachments for the signature(s) of malicious software.
2. Turn off auto-forwarding
Microsoft 365 Premium licenses offer extra controls for forwarding e-mails, meaning that malicious software cannot spread throughout and from your agency.
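The following Exchange Online PowerShell is an added example (not from the article) that serves both this item and item 7 (automated alerting): it inventories existing forwarding, blocks automatic forwarding outside the tenant, and runs the unified audit log search that a scheduled alert or SIEM rule for newly created forwarding rules is built on. It assumes the ExchangeOnlineManagement module; the internal domain names are constructed.

```powershell
# Added example, not part of the article: inventory, block and detect mail auto-forwarding.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Constructed: the agency's own accepted domains; any other destination counts as external.
$internalDomains = @("agency.example", "mail.agency.example")

function Test-ExternalAddress([string]$Address) {
    if (-not $Address) { return $false }
    $clean  = $Address -replace '^smtp:', ''      # ForwardingSmtpAddress is stored as "smtp:user@domain"
    $domain = ($clean -split "@")[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

# 1. Inventory: mailbox-level forwarding pointed outside the organization.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { Test-ExternalAddress $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inventory: inbox rules that forward or redirect, the usual persistence mechanism left
#    behind after a mailbox compromise.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Block: turn off automatic forwarding to external recipients tenant-wide.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Detect: the unified audit log records every rule change. This search returns rule
#    operations from the last 7 days whose parameters touch forwarding; schedule it (or the
#    equivalent SIEM query) and alert on any result.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations "New-InboxRule", "Set-InboxRule", "Set-Mailbox" -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object {
        $paramNames = $_.Parameters | ForEach-Object { $_.Name }
        $paramNames -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress'
    } |
    Select-Object CreationTime, UserId, Operation, ClientIP
```

Step 4 depends on unified audit logging already being enabled (item 2 above); without it the search returns nothing, which is easy to mistake for a clean result.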
3. E-mail encryption by default
Forcing email encryption to be on by default means outside actors cannot read email in transit, and email that is forwarded will not be readable.
4. Phishing protection
The Safe Links service scans links in incoming emails to determine if they’re connected to known phishing operations, match signatures of known phishing attacks, or have a mismatch between the claimed sender and actual message routing information.
This reduces the likelihood of phishing emails ever appearing in users’ mailboxes.
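As an added example (not from the article), this Exchange Online PowerShell creates a Safe Attachments policy and a Safe Links policy with the settings described in items 1 and 4 and scopes both to the agency’s domain. It assumes Defender for Office 365 licensing (the “Premium” features the article refers to) and the ExchangeOnlineManagement module; the domain name is constructed, and the Safe Links switch `-EnableSafeLinksForEmail` is the parameter name in current module versions (older versions used `-IsEnabled`).

```powershell
# Added example, not part of the article: Safe Attachments and Safe Links policies.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = "agency.example"   # constructed

# Safe Attachments: detonate attachments in a sandbox and block the whole message when the
# attachment is judged malicious. (-Action DynamicDelivery would deliver the body first and
# the attachment after scanning, for mailboxes where delay matters more.)
New-SafeAttachmentPolicy -Name "Agency Safe Attachments" `
    -Enable $true `
    -Action Block

New-SafeAttachmentRule -Name "Agency Safe Attachments" `
    -SafeAttachmentPolicy "Agency Safe Attachments" `
    -RecipientDomainIs $domain

# Safe Links: rewrite URLs and check them at click time, scan links before delivery, cover
# internal senders too (a compromised internal mailbox is a common phishing source), and do
# not let users click through the warning page.
New-SafeLinksPolicy -Name "Agency Safe Links" `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name "Agency Safe Links" `
    -SafeLinksPolicy "Agency Safe Links" `
    -RecipientDomainIs $domain

# Verify: a policy with no enabled rule protects nobody.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeAttachmentRule   | Select-Object Name, State, RecipientDomainIs
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
Get-SafeLinksRule        | Select-Object Name, State, RecipientDomainIs
```

Scoping by `-RecipientDomainIs` means mailboxes in any domain added later are unprotected until the rule is updated; organizations with several accepted domains should list all of them in the rule.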
Depending on the network rules in use at your organization, it may be necessary to specify the endpoints your network associates with Microsoft 365 services. This can provide extra security by preventing man-in-the-middle attacks, DNS-poisoning attacks, and other hacks that attempt to fool applications and users into providing credential information to attackers using spoofed login sites.
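To specify those endpoints from Microsoft’s published list rather than from observation, the following PowerShell (an added example, not from the article) pulls the Microsoft 365 endpoint web service and reduces it to the required Exchange and Common entries. The client request id is generated locally; the instance name is an assumption you adjust for your cloud.

```powershell
# Added example, not part of the article: build a network allow-list from the published
# Microsoft 365 endpoint list. Instance names: Worldwide (also covers GCC moderate),
# USGovGCCHigh, USGovDoD.
$instance        = "Worldwide"
$clientRequestId = [guid]::NewGuid().Guid
$uri             = "https://endpoints.office.com/endpoints/$instance?clientrequestid=$clientRequestId"

$endpoints = Invoke-RestMethod -Uri $uri -Method Get

# Only "required" entries must be reachable; the Optimize and Allow categories are the ones
# that should bypass proxying and TLS inspection, the Default category may go through them.
$required = $endpoints | Where-Object { $_.required -eq $true }

$required |
    Where-Object { $_.serviceArea -in @("Exchange", "Common") } |
    ForEach-Object {
        [pscustomobject]@{
            Id       = $_.id
            Service  = $_.serviceArea
            Category = $_.category
            Urls     = ($_.urls -join ", ")
            IPs      = ($_.ips  -join ", ")
            TcpPorts = $_.tcpPorts
        }
    } | Format-Table -AutoSize -Wrap

# Change tracking: the version endpoint reports when the list last changed, so a scheduled
# job can re-pull and diff the allow-list only when the version moves.
Invoke-RestMethod -Uri "https://endpoints.office.com/version/$instance?clientrequestid=$clientRequestId"
```

Pinning the allow-list to these published names and ranges is what makes a spoofed login host stand out: a sign-in page that is not on the list should not be reachable from the agency network at all.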
One last point to mention: the current standards and guidance for many government information systems security will eventually be replaced by the Cybersecurity Maturity Model Certification (CMMC). The DoD has completed its review of CMMC, and changes will be recommended before the next version is released.