06 Apr Better securing your Microsoft 365 – Access Security
With cyber attacks on the rise, this blog series has explored the potentially catastrophic consequences of a Microsoft 365 account being breached, how to secure it so that this does not happen, and a number of the security options available: the risks each one tackles and how to apply it.
In this, the last blog in the series, we look at further measures that keep your environment well defended against cyber criminals, starting with who can access what.
If access to files, folders, document libraries and email is not granted on a 'need to know' basis, every member of your team has full visibility of any document or data your organisation holds, whether or not it relates to their job role and responsibilities (and some of it may be sensitive and subject to protection under legislation).
More concerning still is what this offers a cyber criminal should an individual's account be breached: the attacker inherits that user's access, and if that access is unrestricted they gain the run of your entire digital environment, with the theft, alteration or destruction of data that follows.
Overcoming the risks
Controlling access is essential. Within Microsoft 365 this is achieved by structuring your files and folders and defining the rights needed to view and edit the data held in each location.
Typically, the simplest way to organise files is by department: finance, sales and marketing, for example. Permissions are then granted to the members of each department.
Depending on the grading system in your organisation (junior, senior, manager and so on) permissions can be broken down further, for example to prevent junior staff from accessing material intended only for managers.
Users are not restricted to a single department. A member of management, or someone whose role spans several functions, may be given multiple permissions; in Microsoft 365 these sets of permissions are assigned through groups rather than to individuals one by one.
Let’s take a closer look at Microsoft 365 groups.
What are Microsoft 365 groups
To give a set of users (a department in your organisation, say) access to a resource, and to manage those permissions as one unit rather than user by user, a group must exist within Microsoft 365.
Groups can be defined through the administration portal, or are created for you in the background when you create a new SharePoint site or a Team and set the members and permissions in the front end of those applications.
Several kinds of group exist within Microsoft 365, and the admin portal lists shared mailboxes alongside them:
- Distribution groups are commonly used as a group email list, such as sales@example.com, a single address that delivers to multiple users. They carry no access rights to files or sites.
- Security groups are used for granting permissions to specific resources, such as SharePoint sites and document libraries.
- Shared mailboxes are not strictly groups, but provide multiple users with parallel access to a single email mailbox.
- Microsoft 365 groups (formerly Office 365 groups) are used for collaboration between users, inside or outside of your organisation; every Team and every modern SharePoint team site is backed by one.
Creating and managing Microsoft 365 groups
Your active groups (of all the types outlined above) can be seen by visiting https://admin.microsoft.com/adminportal/home?#/groups and logging in with your administrator credentials.
This is the main hub. From here you can add new groups and define the users included in them, and you can see and manage groups that were created elsewhere in your Microsoft 365 environment, for example directly within SharePoint or Microsoft Teams.
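The same structure can be built and reviewed from the command line. The script below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to create one security group per department and add the listed members, then prints the membership of each group for review. The department names, the contoso.example user principal names and the Graph permission scopes are placeholder assumptions.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module and an account
# that can consent to Group.ReadWrite.All and User.Read.All. All names below are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Department -> members (constructed sample data; replace with your own org chart)
$departments = @{
    "Finance" = @("alice@contoso.example", "bob@contoso.example")
    "Sales"   = @("carol@contoso.example")
}

foreach ($dept in $departments.Keys) {
    # Mail nickname must be alphanumeric
    $nick = ($dept -replace '[^A-Za-z0-9]', '').ToLower()

    # Reuse an existing group with this name; otherwise create a plain security group
    $group = Get-MgGroup -Filter "displayName eq '$dept'" | Select-Object -First 1
    if (-not $group) {
        $group = New-MgGroup -DisplayName $dept -MailEnabled:$false -MailNickname $nick -SecurityEnabled
        Write-Host "Created security group '$dept' ($($group.Id))"
    }

    # Add each member only if not already present (idempotent, safe to re-run)
    foreach ($upn in $departments[$dept]) {
        $user = Get-MgUser -UserId $upn
        $already = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
        if (-not $already) {
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
            Write-Host "  added $upn"
        }
    }
}

# Review step: least privilege means each list should match who actually works in that department
foreach ($dept in $departments.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$dept'" | Select-Object -First 1
    Write-Host "$dept members:"
    Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
        Write-Host "  " $_.AdditionalProperties.userPrincipalName
    }
}
```

Once the groups exist, grant them access to the corresponding SharePoint site or library rather than adding individuals directly; a leaver or a mover is then handled by a single group membership change.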
Permissions for external sharing in Microsoft 365
A number of controls define whether, and how, data can be shared outside your organisation.
Microsoft 365 distinguishes two kinds of external collaboration, and they are switched on and off separately:
- External access (federation) applies to every user of another domain. It lets people in that domain find, chat with and call your users in Teams; it does not by itself give them access to your teams, sites or files.
- Guest access applies to an individual. The person is added to your directory as a guest and can then be given membership of specific teams and permissions on specific sites and files.
To control whether users are permitted to add external people as guests:
- Go to the Admin portal, https://admin.microsoft.com/AdminPortal/Home#/Settings/SecurityPrivacy
- Click 'Sharing'
- Tick or untick 'Let users add new guests to the organization'.
To control whether to permit external sharing from SharePoint
You may define this at organisation level or set it individually within a specific SharePoint site. The organisation-level setting is the ceiling: a site cannot be more permissive than the organisation, so where the two differ the more restrictive setting applies. Sites holding sensitive material should be set below the organisation default.
To control whether to permit external sharing from Teams
Guest access must be authorised separately for Microsoft Teams, in the Teams admin centre, even where guests are already permitted at the organisation level.
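The settings in the three sections above can be audited and changed in one pass from PowerShell. The script below is an added example, not code from the original post: it reads and tightens the tenant-wide SharePoint sharing level, locks down one site holding sensitive data, lists any site still permitting unauthenticated 'Anyone' links, and then sets the two separate Teams switches for guest access and external access. The tenant name contoso, the Finance site URL and partner.example are placeholder assumptions; the values chosen are one reasonable baseline, not the only correct one.

```powershell
# Added example (not from the original post). Requires the Microsoft.Online.SharePoint.PowerShell
# and MicrosoftTeams modules and a SharePoint / Teams administrator. Names are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MicrosoftTeams

# 1. Organisation-level SharePoint/OneDrive sharing ceiling. Possible values, most to least strict:
#    Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | ExternalUserAndGuestSharing
(Get-SPOTenant).SharingCapability
# Guests must sign in; no anonymous "Anyone" links anywhere in the tenant
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 2. A site with sensitive data: stricter than the tenant (the stricter of the two wins)
$financeSite = "https://contoso.sharepoint.com/sites/Finance"
Set-SPOSite -Identity $financeSite -SharingCapability Disabled
Get-SPOSite -Identity $financeSite | Select-Object Url, SharingCapability

# 3. Audit: any site still at the most permissive level should be reviewed
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability

# 4. Teams guest access (individuals added to your directory) is its own switch
Get-CsTeamsClientConfiguration | Select-Object AllowGuestUser
Set-CsTeamsClientConfiguration -AllowGuestUser $true     # $false if guests are not needed at all

# 5. Teams external access (federation): allow named partner domains rather than every domain
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList @("partner.example")
```

Re-run steps 1, 3 and 4 periodically: a site created later inherits the tenant default at creation time, and a well-meaning administrator can loosen a single site without anyone noticing.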
Prevent emails from being automatically forwarded outside Microsoft 365
You may wish to remove users' ability to set an inbox rule that automatically forwards email to external addresses. Doing so keeps control of your email content and prevents messages leaking outside your organisation; it also closes off a common follow-on action after an account breach, where the attacker quietly forwards a copy of the victim's mail to themselves.
For your tenancy this is controlled by the outbound spam filter policy in the Microsoft 365 Defender portal (Email & collaboration > Policies & rules > Threat policies > Anti-spam), where 'Automatic forwarding rules' should be set to Off.
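Before switching forwarding off it is worth finding out what is already forwarding, because an existing rule is evidence worth investigating. The script below is an added example, not code from the original post: with Exchange Online PowerShell it lists mailbox-level forwarding and inbox rules that forward or redirect to an address outside your accepted domains, then sets the default outbound spam policy so that automatic forwarding is blocked. It assumes the ExchangeOnlineManagement module and an Exchange administrator; the address parsing in Test-External is a helper written for this example.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Domains that count as "inside": every accepted domain of the tenant
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

# Helper (written for this example): is an address external?
# Handles plain "user@domain", "smtp:user@domain" and rule entries like '"Name" [SMTP:user@domain]'
function Test-External([string]$address) {
    if (-not $address) { return $false }
    $domain = (($address -split '@')[-1]).TrimEnd(']').ToLower()
    return -not ($internalDomains -contains $domain)
}

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { (Test-External $_.ForwardingSmtpAddress) -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect externally: the classic post-compromise persistence trick
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName | Where-Object {
        @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
            Where-Object { Test-External $_ }
    } | Select-Object @{n = 'Mailbox'; e = { $_.MailboxOwnerId }}, Name, Enabled, ForwardTo, RedirectTo
}

# 3. Block automatic forwarding for everyone via the default outbound spam filter policy
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object Name, AutoForwardingMode
```

Step 2 is slow on a large tenant because it queries every mailbox; run it as a scheduled audit rather than interactively. Any hit it returns that the mailbox owner did not create should be treated as a possible account compromise, not just a policy breach.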
Beyond the features that secure access to your Microsoft 365 environment, and the policies listed above that reduce the risk of data loss, a number of further defences exist to protect your data from cyber criminals.
Malware protection comes as standard in the Microsoft 365 ecosystem; its effectiveness can be increased by blocking the attachment file types most commonly used to deliver malware, regardless of whether a scan flags a particular file.
This can be implemented as follows:
- Visit https://protection.office.com/ and log in with your admin credentials (this is the older Security & Compliance Centre; the same policies are now found at https://security.microsoft.com under Email & collaboration > Policies & rules > Threat policies).
- In the left-hand navigation, beneath 'Threat Management', select 'Policy' > 'Anti-Malware'.
- Double-click the default policy to edit this organisation-wide policy.
- Select 'Settings'.
- Under 'Common Attachment Types Filter', select 'On', and review the list of extensions it will block.
Email encryption in Microsoft 365 ensures that only the intended recipient or recipients can read your email content. In addition to encryption you can define permissions that restrict what a recipient can do with the message, such as preventing it from being forwarded, printed or its content copied elsewhere.
To send a protected email:
- In Outlook for Windows, select the 'Options' tab, click 'Permission' and choose the restriction to apply (for example 'Do Not Forward').
Safe Links, part of Microsoft Defender for Office 365, helps protect users from clicking malicious links in emails and files. It provides time-of-click verification of web addresses in emails and Office documents, so a link that was harmless when the message was delivered but later points at a phishing page is still blocked. How the service behaves is defined in a Safe Links policy.
This can be implemented by:
- Visiting https://protection.office.com/ and logging in with your admin credentials (or https://security.microsoft.com, as above).
- In the left-hand navigation, beneath 'Threat Management', selecting 'Policy' > 'Safe Links'.
The defaults can be changed to suit your requirements; in particular, consider whether users should be allowed to click through to a page that has been flagged.
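The anti-malware step and the Safe Links step above are both Exchange Online policies and can be applied together from PowerShell, which also makes the configuration reviewable and repeatable. The script below is an added example, not code from the original post: it enables the common attachment types filter on the default anti-malware policy with an explicit extension list, then creates a Safe Links policy and a rule applying it to every recipient in your domain if one does not already exist. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence for Safe Links, and the placeholder domain contoso.example; the extension list is a starting point to adapt, not a Microsoft default.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module;
# Safe Links needs Defender for Office 365. The domain and extension list are placeholders.
Connect-ExchangeOnline

# 1. Anti-malware: reject attachments by extension regardless of what the scanner says about them.
#    Executables, script hosts, installers and disk images are the usual malware carriers.
$blockedTypes = @("exe","scr","js","jse","vbs","vbe","wsf","hta","bat","cmd","ps1","msi","iso","img","lnk")
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blockedTypes -FileTypeAction Reject
Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter, FileTypeAction, FileTypes

# 2. Safe Links: rewrite and check URLs at click time in email, Teams and Office; no click-through.
$policyName = "Safe Links - All users"
if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $policyName `
        -EnableSafeLinksForEmail $true `
        -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -EnableForInternalSenders $true `
        -TrackClicks $true `
        -AllowClickThrough $false
    # The rule decides who the policy applies to; here, everyone in the organisation's domain
    New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName -RecipientDomainIs "contoso.example"
}
Get-SafeLinksRule | Select-Object Name, SafeLinksPolicy, RecipientDomainIs, State
```

EnableForInternalSenders matters more than it looks: a breached colleague's mailbox is the most convincing phishing sender you will ever see, and without it internal mail is not checked. Keep TrackClicks on; the click reports are what tell you who to follow up with after a campaign.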
Your custom domain can be protected from being 'spoofed' (used as the sender address of mail you did not send) through Microsoft 365's anti-phishing protection. This relies on the email authentication standards SPF, DKIM and DMARC: SPF lists the servers allowed to send for your domain, DKIM signs outgoing mail so tampering and forgery can be detected, and DMARC tells receiving servers what to do when either check fails and where to send reports.
It is advised you seek the expertise of a Microsoft 365 consultant, such as Edge IT, to correctly configure these protocols, as the implementation can be quite complex, with a number of steps involved and the risk of legitimate mail being rejected if a record is wrong.
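Whoever does the configuration, you can check the result yourself. The script below is an added example, not code from the original post: it looks up a domain's SPF, DKIM and DMARC records with Resolve-DnsName, tests them against what Microsoft 365 expects, and (optionally) enables DKIM signing in Exchange Online. The domain contoso.example is a placeholder; the record values in the comments are the standard Microsoft 365 shapes with that placeholder substituted, and the Check helper is written for this example.

```powershell
# Added example (not from the original post). Resolve-DnsName is built into Windows PowerShell;
# the DKIM cmdlets at the end need the ExchangeOnlineManagement module. Domain is a placeholder.
$domain = "contoso.example"

# Records Microsoft 365 expects for a custom domain (placeholder values):
#   TXT   contoso.example                    v=spf1 include:spf.protection.outlook.com -all
#   CNAME selector1._domainkey.contoso.example  selector1-contoso-example._domainkey.contoso.onmicrosoft.com
#   CNAME selector2._domainkey.contoso.example  selector2-contoso-example._domainkey.contoso.onmicrosoft.com
#   TXT   _dmarc.contoso.example             v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.example

# Helper (written for this example): one line of output per check
function Check([bool]$ok, [string]$what) { "{0}  {1}" -f $(if ($ok) { "PASS" } else { "FAIL" }), $what }

# Each TXT record may be split into several strings; join them before inspecting
function Get-TxtRecords([string]$name) {
    Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
}

# SPF: exactly one v=spf1 record, including Microsoft's senders, ending in a hard fail
$spf = @(Get-TxtRecords $domain | Where-Object { $_ -like 'v=spf1*' })
Check ($spf.Count -eq 1) "SPF: exactly one record (found $($spf.Count))"
if ($spf.Count -eq 1) {
    Check ($spf[0] -match 'include:spf\.protection\.outlook\.com') "SPF: includes spf.protection.outlook.com"
    Check ($spf[0] -match '\s-all$') "SPF: ends with -all (not ~all or +all): $($spf[0])"
}

# DKIM: both selector CNAMEs must point at the tenant's onmicrosoft.com signing domain
foreach ($sel in "selector1", "selector2") {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'CNAME'
    Check ($cname -and $cname.NameHost -like '*._domainkey.*.onmicrosoft.com') "DKIM: $sel -> $($cname.NameHost)"
}

# DMARC: a policy that actually does something, plus an aggregate-report address
$dmarc = @(Get-TxtRecords "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' })
Check ($dmarc.Count -eq 1) "DMARC: record present"
if ($dmarc.Count -eq 1) {
    $tags = @{}
    foreach ($kv in ($dmarc[0] -split ';')) { $p = $kv.Trim() -split '=', 2; if ($p.Count -eq 2) { $tags[$p[0]] = $p[1] } }
    Check ($tags['p'] -in 'quarantine', 'reject') "DMARC: p=$($tags['p']) (none only monitors)"
    Check ([bool]$tags['rua']) "DMARC: aggregate reports go to $($tags['rua'])"
}

# Exchange Online side: publish the CNAMEs first, then switch signing on
# Connect-ExchangeOnline
# New-DkimSigningConfig -DomainName $domain -Enabled $true   # first time
# Set-DkimSigningConfig -Identity $domain -Enabled $true     # if the config already exists
# Get-DkimSigningConfig -Identity $domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
```

A sensible rollout is DMARC at p=none with reporting for a few weeks, so that every legitimate sender (marketing tools, scanners, helpdesk systems) is found and added to SPF or signed with DKIM, and only then moving to quarantine and finally reject. Going straight to reject is how organisations stop receiving their own invoices.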
Best security practices to apply
This blog series has presented a number of standard security options for you to consider implementing within your organisation. Not all of them will be necessary in every organisation; it depends on the way you work.
At Netcom, we recommend the following components as standard practice within any and every organisation:
- Enforce security defaults, and above all MFA for every one of your users.
- Structure your files and folders in an ordered way within SharePoint sites and libraries or Teams channels, and associate users and permissions with them appropriately, through groups.
- Educate your users about email phishing and ransomware, particularly how to spot suspicious files and links.
'Cloud-native authentication' – modern authentication in the cloud
One further consideration follows from the advice in this article: the way in which users authenticate to their cloud services. Microsoft 365 relies on the user directory of its sister cloud platform, Microsoft Azure. Every Microsoft 365 tenancy includes, at no extra cost, Azure Active Directory (now Microsoft Entra ID), from which usernames, passwords and sign-in security such as MFA are controlled.
A business with a more traditional on-premises setup will typically have its Active Directory delivered by a Windows Server, meaning that authentication runs locally rather than in the cloud. You may already have a hybrid environment, with services running both locally and in the cloud. If so, the best-practice advice from the NCSC is to move to cloud-based authentication rather than rely on the older local service for this function: the cloud directory is where the modern protections (MFA, Conditional Access, risk-based sign-in) live, and it integrates with other Single Sign-On (SSO) cloud services so that authentication is handled within one ecosystem.
Protecting you every step of the way – Netcom
Our team of experts offers effective, comprehensive cyber defences that protect your data. Everything we do is centred around reducing the risk your business faces, and we have a range of services to help mitigate risk and protect your business. We are one of a handful of IASME Certified Assessors in the region, which means we not only work to the highest security standards but can also deliver and award Cyber Essentials certification. If you need help with your cyber security, or simply have IT issues you need guidance with, please do not hesitate to get in touch.