Best Practices and Recommendations


Architecture

Tools

Microsoft Cybersecurity Self-Assessment – The purpose of this self-assessment is to help you pinpoint your cybersecurity strengths and weaknesses, and to provide you with a complete Cybersecurity Health Check Report containing useful tips and recommendations. Your total possible Cybersecurity Health Check score is 100. Your score is calculated based on the answers you provide. Please allow 20 minutes to complete this assessment.

Videos and Recordings

Cyber Security Reference Strategies – Are you building cybersecurity strategies to protect an enterprise that includes cloud and mobile devices outside your network? Join us for a deep dive into Microsoft cybersecurity reference strategies, and get help from the experts, as you plan ways to manage the continuous flow of new threats and capabilities that modern enterprises face. Get an in-depth look at four main areas: Security Management Learnings and Principles, Identity and Access Management, Threat Protection, and Information Protection.
     Download Slide Deck

Microsoft Cyber Security Reference Architecture – Do you need help protecting an enterprise that spans cloud and mobile devices outside your network controls? Planning and implementing a security strategy to protect a hybrid of on-premises and cloud assets against advanced cybersecurity threats is one of the greatest challenges facing information security organizations today. Microsoft has built a set of strategies and integrated capabilities to help you solve these challenges and is continuing to invest in making this easier.
     Download Cyber Security Reference Architecture PowerPoint

Blogs

Cyber Security Reference Architecture – The Microsoft Cybersecurity Reference Architecture describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities. We recently updated this diagram and wanted to share a little bit about the changes and the document itself to help you better utilize it.
    Download Architecture

Building Zero Trust networks with Microsoft 365 – Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources.
The End of Corporate Network is coming – General Electric recently announced it may “disconnect” as many as 5,000 sites from its corporate network. Is the idea of a secure, corporate network for employees past its prime?
A decision tree for Azure Networking – Use the following diagram to get some guidance around networking with Azure.

Tips for getting started on your security deployment (3-part series) by Debbie Sere
     Intro
     Part 1 – Accelerate your security deployment with FastTrack for Microsoft 365
     Part 2 – Envisioning your security deployment
     Part 3 – Build a success plan
     Part 4 – Now that you have your plan, it's time to start deploying

How Microsoft 365 Security integrates with the broader security ecosystem – Part 1 – Discusses Microsoft's overall security strategy for connecting with the broader security community.
How Microsoft 365 Security integrates with the broader security ecosystem – Part 2 – Looks at how Microsoft services help secure the non-Microsoft services in an organization's IT environment.
How Microsoft 365 Security integrates with the broader security ecosystem – Part 3 – Highlights how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that customers are large and small and span different industry verticals across the globe.

Documentation & Whitepapers

Deploy M365 Enterprise Securely – This documentation set guides you through the deployment and the correct and required configuration of these products and their features.

Enterprise Mobility + Security: Survival Guide – This article introduces how Enterprise Mobility + Security fits into today's landscape, with its increasingly mix-and-match environment of devices, applications and platforms, and how to manage all of this cohesively and securely. It provides a detailed explanation of what EMS includes and the different versions, along with additional resources.

6 steps to a holistic security strategy with Microsoft 365 – This free e-book details how to create a holistic, comprehensive strategy proven out by real companies that have made security a cornerstone of their business.

Baselines

Windows Security Baselines – We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as the Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.

Security Compliance Toolkit (SCT) – Includes tools to help admins manage their security baselines.

CIS Microsoft Azure Foundations Benchmark v1.0.0 – Provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. The scope of this benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud.

STIGs – Security Technical Implementation Guides – The Security Technical Implementation Guides (STIGs) are the configuration standards for DoD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role in enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

Identity and Access Management Best Practices

Documentation

Five steps to securing your identity infrastructure – This document helps you reach a more secure posture using the capabilities of Azure Active Directory, with a five-step checklist to inoculate your organization against cyber-attacks.

Azure Identity Management and access control security best practices – In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with Azure AD and the experiences of customers like you.
Azure Security Documentation – Security is integrated into every aspect of Azure. Azure offers you unique security advantages derived from global security intelligence, sophisticated customer-facing controls, and a secure hardened infrastructure. This powerful combination helps protect your applications and data, support your compliance efforts, and provide cost-effective security for organizations of all sizes.
     White papers
     Technical overviews
     Best practices
Azure Security Services – Make sure to check this page on a regular basis to stay up-to-date on our security-related services and technologies.
Microsoft Services in Cybersecurity – Microsoft Services provides a comprehensive approach to security, identity and cybersecurity. Microsoft Services provides an array of Security and Identity services across strategy, planning, implementation, and ongoing support. These services can help Enterprise customers implement holistic security solutions that align with their strategic goals.

Securing Privileged Access to machines/services – Microsoft recommends you follow this roadmap to secure privileged access against determined adversaries. You may adjust this roadmap to accommodate your existing capabilities and the specific requirements of your organization.

Privileged Identity Management – Securing privileged access is a critical first step to establishing security assurances for business assets in a modern organization. The security of most or all business assets in an organization depends on the integrity of the privileged accounts that administer and manage IT systems. Cyber-attackers are targeting these accounts and other elements of privileged access to rapidly gain access to targeted data and systems using credential theft attacks like Pass-the-Hash and Pass-the-Ticket.

Local Administrator Password Solution (LAPS) – For occasions when login is required without domain credentials, password management can become complex. LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, it mitigates the risk of lateral escalation that results when customers have the same administrative local account and password combination on many computers.
    Download LAPS kit

Blogs

Defending against illicit consent grants by Brandon Koeller – Office 365 Security has been tracking an emergent threat to customer data in the Office 365 cloud over the last year. This blog post is intended to help IT administrators of Office 365 organizations detect, monitor, and remediate this threat. In its simplest form, the attack consists of an adversary creating an Azure registered application which requests access to customer data (contact information, email, documents, etc.), and then tricking an end user into granting that application consent to access their data, either through a phishing attack or by injecting illicit code into a trusted website. Once the illicit application has been granted consent, it functionally has account-level access to data without needing an actual account in the organization. Normal remediation steps like resetting passwords for breached accounts or requiring MFA on accounts are not effective, since these third-party applications are external to the organization and leverage an interaction model which presumes the caller is automation, not a human.
Software-as-a-Service Part 1 (Identity-as-a-Service) – Providing a prescription of steps to create and provide SaaS is an overwhelming endeavor, destined to sprawl and quickly become unwieldy. Yet companies need exactly this as they transition to the cloud. To answer this need, we identify some patterns and group them into related pillars. My intention in this series of posts is to showcase various applications demonstrating different aspects and patterns of Software-as-a-Service (SaaS) models.

White Papers & E-Books

Microsoft Azure Security Response in the Cloud – This white paper examines how Microsoft investigates, manages, and responds to security incidents within Azure. Other service impacting issues that are not security incidents are addressed by a separate response plan (or business continuity plan), and will not be discussed in this paper.
A crash course in security management: the keys to a better security posture – The way you manage your data and device security is a top priority in an evolving cyberthreat landscape. Protecting your organization and improving security management starts with three key requirements:
     Visibility that helps you understand the security state and risks across resources
     Built-in security controls to help you define consistent security policies
     Effective guidance to help elevate your security

Office 365 Best Practices and Recommendations

Documentation

Office 365 Security Roadmap (Video Link) – This article includes top recommendations from Microsoft's cybersecurity team for implementing security capabilities to protect your Office 365 environment. This article is adapted from a Microsoft Ignite session, "Secure Office 365 like a cybersecurity pro: Top priorities for the first 30 days, 90 days, and beyond." This session was developed and presented by Mark Simos and Matt Kemelhar, Enterprise Cybersecurity Architects.

Configure O365 for increased security – This topic walks you through the recommended configuration for tenant-wide settings that affect the security of your Office 365 environment. Your organization's needs might call for more or less security than this; use these recommendations as a starting point.

Microsoft Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations – If your organization is agile, you have a small IT team, and your threat profile is higher than average, this guidance is designed for you. This solution demonstrates how to quickly build an environment with essential cloud services that include secure controls from the start. This guidance includes prescriptive security recommendations for protecting data, identities, email, and access from mobile devices.

Protect against threats in O365 – With Office 365 Enterprise, you can help protect your organization against a variety of threats, including spoofing, malware, spam, phishing attempts, and unauthorized access to data. Use the resources on this page to learn about threat protection and actions you can take.

Connect O365 to MCAS (Cloud App Security) – Start monitoring using the default threat detection policies for O365 anomalous behaviors. (Takes around 7 days to baseline)

O365 ATP Attack Simulator – Test credential harvesting, internal phishing campaigns, brute force and password spray attacks. Run realistic attack scenarios in your organization. This can help you identify vulnerable users before a real attack impacts your bottom line.
     Office 365 Attack Simulator and Mitigating Common Attacks (Part 1)

Email Security

General

Video – Getting started with protecting your email – The following series of introductory videos will help you use Exchange Online Protection (EOP) to protect your mailboxes. These videos are applicable for EOP standalone customers who are protecting on-premises mailboxes such as Exchange Server 2013, and for Exchange Online customers whose cloud-hosted mailboxes by default are protected by EOP.
Protect against Threats in Office 365 – Describes the security features Microsoft provides for customers to secure their Office 365 environment.
How to securely add a sender/3rd party mail service/server to an allow list in Office 365 – Explains the right and wrong ways to set up Exchange Transport Rules (ETRs) so that you still block anything you don't know about.
NOT Using the Additional Spam Filtering option for SPF hard fail to block apparently internal email spoofing or 3rd party – Helps you configure some advanced Exchange Transport Rules (ETRs) to whitelist known servers, leveraging DMARC to check the authenticity of the message.
How to align with SPF and DMARC for your domains if you use a lot of 3rd parties to send email as you

SPF

How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing – This article describes how Office 365 uses the Sender Policy Framework (SPF) TXT record in DNS to ensure that destination email systems trust messages sent from your custom domain. This applies to outbound mail sent from Office 365. Messages sent from Office 365 to a recipient within Office 365 will always pass SPF.
Set up SPF in Office 365 to help prevent spoofing – This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) with your custom domain in Office 365. Using SPF helps to validate outbound email sent from your custom domain.
SPF Official Documentation – openspf.org – This page serves as an introduction and quick overview of SPF mechanism syntax.

DKIM

Use DKIM to validate outbound email sent from your custom domain in O365 – This article describes how you use DomainKeys Identified Mail (DKIM) with Office 365 to ensure that destination email systems trust messages sent from your custom domain.
Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain – This article describes how you use DomainKeys Identified Mail (DKIM) with Office 365 to ensure that destination email systems trust messages sent from your custom domain.

DMARC

Use DMARC to validate email in Office 365 – Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.
How Microsoft moved to a P=Quarantine DMARC Record? – Explains the steps Microsoft took to migrate to a P=Quarantine DMARC record in detail.
M3AAWG.org DMARC Training Series – Series of videos to help understand DMARC. Really useful for those that need more clarification.
Best Practices for implementing DMARC in O365
Best Practices for Exchange Online Protection Customers to align with DMARC
Dmarcian.com DMARC Deployment Checklist
A way to sort of approximate DMARC aggregate reports in O365 – Shows you how to extract this information and send it off to a DMARC reporting address via PowerShell.

Advanced/Troubleshooting

Troubleshooting the red (Suspicious) Safety Tip for fraud detection checks – This article helps you troubleshoot and investigate what the issue could be and why a particular mail is being flagged.

Spoof Intelligence

Spoof Intelligence – Allow or block a particular sender from sending spoofed email into your organization.

Anti-Spam and Anti-Malware

Anti-Spam and Anti-malware protection – If you’re an Office 365 customer whose mailboxes are hosted in Microsoft Exchange Online, your email messages are automatically protected against spam and malware.

Helpful/Related Instructions

Enable Audit logging and Search the audit log in O365 Security and Compliance Portal – Need to find out whether a user viewed a specific document or purged an item from their mailbox? If so, you can use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 organization.

Configuring Safe Attachments, Safe Links, and Anti-Phishing Policies – Helpful guide to configure various Office 365 ATP policies for your tenant.

Security Baselines

Azure

CIS Microsoft Azure Foundations Benchmark v1.0.0 – Provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. The scope of this benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud.

Windows

Windows Security Baselines – We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as the Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.

Security Compliance Toolkit (SCT) – Includes tools to help admins manage their security baselines.

CIS Microsoft Benchmarks – CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.

STIGs – Security Technical Implementation Guides – The Security Technical Implementation Guides (STIGs) are the configuration standards for DoD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role in enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

GCHQ Windows 10 Security Guidance – National Cyber Security Centre guidance, updated to cover the 1803 "April 2018 Update" of Windows 10 Enterprise. It builds on the previous Windows 10 ALPHA Mobile Device Management (MDM) guidance.

ACSC Windows 10 Hardening Guide – Australian Cyber Security Centre guidance. This document provides guidance on hardening workstations using Enterprise and Education editions of Microsoft Windows 10, version 1709. Some Group Policy settings used in this document may not be available or compatible with Professional, Home or S editions of Microsoft Windows 10, version 1709.