Microsoft 365: Security Benchmarks for SEC Registered Firms

How to Use Benchmarks to Secure your Microsoft 365 Environment

As a registered firm with the Securities and Exchange Commission (SEC), it is important to have an adequate understanding of security benchmarks and how they can help ensure your IT infrastructure is deployed securely. This blog post will provide an overview of security benchmarks as they relate to Microsoft 365 and Office 365, explain why they are important, and discuss what I look for when auditing a firm’s Microsoft environment.

What Are Security Benchmarks?

Security benchmarks are standards that guide the configuration of a system or network in a way that minimizes risk. They are often published by vendors and by organizations such as the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS). These guidelines provide specific instructions on configuring systems and networks to maximize security. For example, one guideline may require disabling unnecessary ports on servers or devices connected to the network. Others may require strong passwords or limit access to certain areas of a website based on user roles.

How Can You Use Them?

There are several ways you can use security benchmarks when assessing your existing IT infrastructure. The first step is to review any existing policies or procedures you have in place regarding security configuration. Once you have identified any gaps, you should then research the relevant security benchmarks available from vendors or third-party organizations such as NIST or CIS. You should also consider conducting an audit of your current system configuration using automated scanning tools such as Nessus (that’s what we use for our clients), which can help identify potential areas of weakness in your network configuration. Finally, you should review your existing vulnerability scans to see if they identify areas that need remediation.

Example: The CIS Microsoft 365 Foundation Benchmark

Numerous registered firms rely on Microsoft products, and we specialize in providing benchmark examinations of our clients’ Microsoft environments. For example, here are some of the most critical security items I inspect when auditing my clients. These are copied from the CIS Microsoft 365 Foundation Benchmark.

Account/Authentication Policies

  • Ensure multifactor authentication is enabled for all users in all roles.
  • Ensure that between two and four global admins are designated.
  • Ensure self-service password reset is enabled.
  • Ensure modern authentication for Exchange Online is enabled.
  • Ensure modern authentication for SharePoint applications is required.
  • Ensure modern authentication for Skype for Business Online is enabled.
  • Ensure that Office 365 Passwords Are Set to Expire.

Application Permissions

  • Ensure third-party integrated applications are not allowed (User Settings > No App Registrations).
  • Ensure calendar details sharing with external users is disabled.
  • Ensure O365 ATP SafeLinks for Office Applications is Enabled.
  • Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled (blocks malicious files).

Data Management

  • Ensure the customer lockbox feature is enabled.
  • Ensure SharePoint Online data classification policies are set up and used.
  • Ensure external domains are not allowed in Skype or Teams.
  • Ensure DLP policies are enabled.
  • Ensure that external users cannot share files, folders, and sites they do not own.
  • Ensure external file sharing in Teams is enabled for only approved cloud storage services.

Email security/Exchange Online

  • Ensure the Common Attachment Types Filter is enabled.
  • Ensure Exchange Online Spam Policies are set correctly.
  • Ensure mail transport rules do not forward email to external domains.
  • Ensure mail transport rules do not whitelist specific domains.
  • Ensure the Client Rules Forwarding Block is enabled.
  • Ensure the Advanced Threat Protection Safe Links policy is enabled.
  • Ensure the Advanced Threat Protection Safe Attachments policy is enabled.
  • Ensure basic authentication for Exchange Online is disabled.
  • Ensure that an anti-phishing policy has been created.
  • Ensure that DKIM is enabled for all Exchange Online Domains.
  • Ensure that SPF records are published for all Exchange Domains.
  • Ensure DMARC Records for all Exchange Online domains are published.
  • Ensure notifications for internal users sending malware are enabled.
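The SPF, DKIM and DMARC items above are checked against public DNS. The script below is an added example (not part of the original post or the CIS benchmark) that evaluates a domain's records the way I would during a review: the DNS answers are constructed inline for a hypothetical tenant domain, example.com, so it runs offline; in practice they would come from a resolver.

```python
"""Evaluate SPF, DKIM and DMARC DNS records against the Exchange Online
expectations: SPF includes Microsoft's senders and ends with -all/~all,
both DKIM selector CNAMEs point into onmicrosoft.com, and DMARC has an
enforcing policy plus an aggregate-report address."""
import re

# Constructed DNS answers for a hypothetical tenant domain (selector2 is
# deliberately absent to show a failing DKIM check).
DNS = {
    ("example.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("selector1._domainkey.example.com", "CNAME"): ["selector1-example-com._domainkey.example.onmicrosoft.com"],
    ("selector2._domainkey.example.com", "CNAME"): [],
}

def lookup(name, rtype, dns=DNS):
    return dns.get((name, rtype), [])

def check_spf(domain, dns=DNS):
    """Exactly one SPF record, including Exchange Online's hosts, ending in -all or ~all."""
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().startswith("v=spf1")]
    if len(records) != 1:                      # zero or several SPF records both fail (RFC 7208)
        return False, f"{len(records)} SPF records found"
    terms = records[0].split()
    ok = "include:spf.protection.outlook.com" in terms and terms[-1] in ("-all", "~all")
    return ok, "ok" if ok else f"spf={records[0]!r}"

def check_dkim(domain, dns=DNS):
    """Exchange Online signs with selector1 and selector2; both CNAMEs must resolve into onmicrosoft.com."""
    missing = [s for s in ("selector1", "selector2")
               if not any(t.endswith(".onmicrosoft.com")
                          for t in lookup(f"{s}._domainkey.{domain}", "CNAME", dns))]
    return not missing, "ok" if not missing else f"missing selectors: {missing}"

def check_dmarc(domain, dns=DNS):
    """DMARC must be published with p=quarantine or p=reject and a mailto: rua address."""
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT", dns) if r.upper().startswith("V=DMARC1")]
    if not records:
        return False, "no DMARC record"
    tags = dict(re.findall(r"(\w+)=([^;]+)", records[0]))
    ok = tags.get("p") in ("quarantine", "reject") and tags.get("rua", "").startswith("mailto:")
    return ok, "ok" if ok else f"dmarc tags={tags}"

def audit_domain(domain, dns=DNS):
    """Return {control: (passed, detail)} for the three mail-authentication controls."""
    return {name: fn(domain, dns) for name, fn in (("spf", check_spf), ("dkim", check_dkim), ("dmarc", check_dmarc))}

if __name__ == "__main__":
    for control, (passed, detail) in audit_domain("example.com").items():
        print(f"{control:5} {'PASS' if passed else 'FAIL'}  {detail}")
```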

Auditing Policies

  • Ensure Microsoft 365 audit log search is Enabled.
  • Ensure mailbox auditing for all users is Enabled.
  • Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly.
  • Ensure the Application Usage report is reviewed at least weekly.
  • Ensure the self-service password reset activity report is reviewed at least weekly.
  • Ensure user role group changes are reviewed at least weekly.
  • Ensure mail forwarding rules are reviewed at least weekly.
  • Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly.
  • Ensure the Malware Detections report is reviewed at least weekly.
  • Ensure the Account Provisioning Activity report is reviewed at least weekly.
  • Ensure non-global administrator role group assignments are reviewed at least weekly.
  • Ensure the spoofed domains report is reviewed weekly.
  • Ensure Microsoft 365 Cloud App Security is Enabled.
  • Ensure the report of users who have had their email privileges restricted due to spamming is reviewed.
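Two of the weekly reviews above, mail forwarding rules and role group changes, come straight out of the unified audit log. The following is an added example (not part of the original post) showing how I would triage a week's export: the records are constructed in the shape of audit log search results (an Operation plus a Parameters or ModifiedProperties list), not taken from a real tenant, and the accepted domains are assumed.

```python
"""Flag inbox/mailbox forwarding to addresses outside the tenant and list
role membership additions from newline-delimited audit log records."""
import json

TENANT_DOMAINS = {"example.com", "example.onmicrosoft.com"}  # assumed accepted domains

# Constructed sample records: a benign rule, an external forward, an internal
# forward (should not be flagged) and one role assignment.
SAMPLE_LOG = """
{"CreationTime":"2024-05-06T08:01:00","UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Move newsletters"},{"Name":"MoveToFolder","Value":"News"}]}
{"CreationTime":"2024-05-06T09:15:00","UserId":"bob@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"ForwardTo","Value":"collector@mail-drop.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-06T10:20:00","UserId":"carol@example.com","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:carol@example.com"}]}
{"CreationTime":"2024-05-07T11:00:00","UserId":"admin@example.com","Operation":"Add member to role.","ObjectId":"dave@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Exchange Administrator"}]}
"""

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

def is_external(address, tenant_domains=TENANT_DOMAINS):
    """True when the address's domain is not one of the tenant's accepted domains."""
    addr = address.lower().removeprefix("smtp:").strip()
    return "@" in addr and addr.rsplit("@", 1)[1] not in tenant_domains

def review(log_text, tenant_domains=TENANT_DOMAINS):
    """Return (external_forwards, role_changes) found in the records."""
    forwards, roles = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        if rec["Operation"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            targets = [p["Value"] for p in rec.get("Parameters", []) if p["Name"] in FORWARD_PARAMS]
            ext = [t for t in targets if is_external(t, tenant_domains)]
            if ext:
                forwards.append((rec["UserId"], rec["Operation"], ext))
        elif rec["Operation"] == "Add member to role.":
            role = next((m["NewValue"] for m in rec.get("ModifiedProperties", [])
                         if m["Name"] == "Role.DisplayName"), "?")
            roles.append((rec["UserId"], rec["ObjectId"], role))
    return forwards, roles

if __name__ == "__main__":
    fwd, rl = review(SAMPLE_LOG)
    for user, op, targets in fwd:
        print(f"EXTERNAL FORWARD  {user} via {op} -> {targets}")
    for actor, member, role in rl:
        print(f"ROLE CHANGE       {actor} added {member} to {role}")
```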

Storage Policies

  • Ensure document sharing is being controlled by domains with whitelist or blacklist.
  • Ensure the expiration time for external sharing links is set.

Mobile Device Management

  • Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks.
  • Ensure that mobile device password reuse is prohibited.
  • Ensure that mobile devices are set to never expire passwords.
  • Ensure that users cannot connect from devices that are jailbroken or rooted.
  • Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise.
  • Ensure that settings are enabled to lock multiple devices after a period of inactivity to prevent unauthorized access.
  • Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data.
  • Ensure that mobile devices require complex passwords to prevent brute force attacks.
  • Ensure that devices connecting have AV and a local firewall enabled (Windows 10).
  • Ensure mobile device management policies are required for email profiles.
  • Ensure mobile devices require the use of a password.