A 2022 checklist for protecting Microsoft 365 users and data

Keep this in mind as we start the 2022 Windows software patching year: Patching is not enough to keep Microsoft 365 protected. Before you purchase third-party tools that claim to protect you from all threats, or before you begin that zero-trust project, stop for a moment to evaluate whether you are doing all you can with what you have to protect Microsoft 365 users and data. 

Protect against ransomware attacks

Operating system patching often isn’t enough to protect your firm from ransomware attacks. Even fully patched operating systems can be susceptible if attackers target users with phishing attacks. End user education can often be some of the best prevention if your technology protections fail to work or get bypassed by attackers.

Evaluate if your solutions include enough logging to determine if an attacker has been hiding in your network and how they gained access. Recent FireEye research shows the median dwell time for ransomware is 72.75 days. All other attacks have an average dwell time of 56 days. Ransomware attackers be in your network for a maximum of 547.49 days. I’ll bet that your logging doesn’t go back 547.49 days. I know mine doesn’t, but I can strive to log for 72.75 days. With that amount of logging it’s possible to go back into the archives to determine how the attackers gained access to your network.

Maximize the security tools in your Microsoft 365 license

Next, remind yourself that if you have Microsoft 365, you have the power to protect yourself with many of the tools included in the subscription suite. Ruairidh Campbell’s blog showcased scenarios where you can use Microsoft 365 to protect information. While the best solution would be to purchase a Microsoft E5 license for all Microsoft 365 users, it’s hard to justify an E5 license for everyone. You can blend licenses based on your needs. I often assign a 365 license of higher security resources to those users in my office who either perform riskier duties or who are more targeted by attackers.

Reduce risk from consultant access to cloud accounts

Campbell has a checklist of items to review to ensure that you are protecting yourself from attacks. He starts with the risk from consultants who have admin rights to your network. Your biggest issue may arise from consultants that want to have cloud service provider (CSP) administrative privileges to the tenant. He recommends that you don’t provide your consultant with CSP delegated admin privileges. Rather, he recommends that you purchase a full user account for the consultant as it allows you to have more granular password policies.

As Campbell points out, granular delegated admin privileges are on Microsoft’s roadmap. Alternatively, you can add the consultant as needed and remove the account once the project is done. Always ensure that any administrative account has multi-factor authentication (MFA) enabled. If you expect pushback from your users, an Azure P1 license allows you to whitelist static IP addresses so that those that log in from certain locations that you’ve vetted and trusted won’t need MFA prompts.

Seek alternatives to VPN

I’m of the opinion that we rely on VPN technologies too much and they are not the security protection some think they are. For enterprises, unpatched VPN software is often the entry point into the network. VPN software is often not Microsoft based and patching tools can miss updating it.

Like Campbell, I recommend moving away from VPN solutions and looking for alternative solutions. Consider using Azure AD application proxy if you need to remote into assets. If your network is such that you have older applications that can’t use Azure AD, consider Remote Desktop Gateway with Duo as an MFA workaround until you can move to more Azure AD based solutions. If you are still using nothing but on-premises servers and VPN for all your remote access, it’s time to review your options and solutions. Review your reliance on Group Policy and configuration management and review your ability to manage with Intune instead.

Review browser choices and plug-ins

Malicious websites are often a way that ransomware enters our network. Your choice of browser as well as add-ons often set the security for both consumers and enterprises. I recommend having multiple browsers on systems as often you will find that a web application will prefer one browser over another. In a business setting you would be wise to spend energies and research into locking down browsers or at least reviewing what plug-ins have been installed in the browser. Browser plug-ins are often how malicious actors gain toe holds into systems.

Check your access rules

Soon after my office moved to Microsoft 365 years ago, attackers from foreign countries started attempting to log into accounts. I immediately enabled conditional access and built a geographic blocking rule. These attacks went after more administrative email accounts such as postmaster, secretary or other generic aliases that may receive more spam email than normal.

If you have key employees that may receive more phishing attacks and are targeted, I recommend adding Microsoft Defender for Cloud Apps. It includes risk-based rules that will review and monitor for unusual behavior or illogical actions such as logging in from one country and then logging in from the IP address of another country within a time frame that would logically be impossible to occur.

Set up alerts for lateral movement

Lateral movement is often the first clue that attackers have set up shop inside your firm and are preparing to do damage. You can use Microsoft Defender for Identity to track such lateral movements. It can be used to monitor for pass-the-ticket, reconnaissance and credential theft. I have it set up to monitor and to send me a report daily if such activities are detected.

Bottom line if you have Microsoft 365, review your options. Mere patching is not enough, but you might already have what you need in Microsoft 365 to be more secure.