Idle timeout in Microsoft 365

With the new Idle Timeout feature, you can reduce the risk of unauthorized access through unattended browser sessions. The setting automatically signs out users who have been inactive for a configured period, so a session left open on a shared or unlocked machine cannot be picked up by someone else. You can enable it in 3 simple steps:
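The three admin-center steps are not reproduced on this page. As an added example (not from the original post), the related per-service setting for SharePoint Online and OneDrive, which can be managed from the SharePoint Online Management Shell; the tenant name `contoso` and the 45/60-minute thresholds are assumptions:

```powershell
# Added example, not from the original post. Configures the SharePoint Online /
# OneDrive browser idle sign-out with the SharePoint Online Management Shell
# (module Microsoft.Online.SharePoint.PowerShell).
# Assumptions: the tenant is "contoso" and the caller is a SharePoint administrator.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Show the current state before changing anything
Get-SPOBrowserIdleSignOut

# Warn after 45 minutes of inactivity and sign the user out after 60 minutes.
# Caveat: this only ends the browser session; it does not revoke tokens held by
# desktop or mobile apps, so pair it with Conditional Access session controls
# if those clients are in scope.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 45) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# Verify the values that are now in force
Get-SPOBrowserIdleSignOut | Format-List Enabled, WarnAfter, SignOutAfter
```

The warning interval must be shorter than the sign-out interval; the cmdlet rejects the call otherwise.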

What do you need to know about protecting documents in M365

Most of the time, when we talk about security in M365, we talk about how to encrypt files and how to grant permissions on them. But… did you know you can protect a document in SharePoint and OneDrive from being accidentally altered or overwritten? What I can say is that it is a very useful feature when AutoSave is enabled in Excel or Word files.

But… What key points do you need to know?

  1. You can only protect individual documents, not a complete document library.
  2. You cannot protect OneNote documents, neither in the desktop app, nor online, nor in that half-baked OneNote for Windows 10.
  3. In the desktop apps you can protect Word, Excel and PowerPoint documents against overwriting.
    (You can also use other ways of protection, but that is out of scope for now.)
  4. In the online apps you can only protect Word and Excel documents, not PowerPoint.
  5. You can protect Word and Excel files in both SharePoint and OneDrive.
  6. You can only share with “review-only” in Word, not in Excel, PowerPoint or OneNote (I hope that in the future this will change).
  7. You can only share with “review-only” when you share with “people you specify” or “people in your tenant with the link”.
  8. You can use “review-only” in Word in both SharePoint and OneDrive.
  9. When you share a document from SharePoint with an external person who has no access to the site, they receive a verification code by mail as soon as they try to open the document.
  10. How does a Word document open, and which options do you have, when you share it with or without protection, with or without “review-only”, and with people who hold various roles in your SharePoint site? See the table below. The first word is the option the document opens with.

How to avoid M365 Security Concerns

Using the M365 ecosystem lets us collaborate and share data without friction, but nowadays companies are concerned about security and about the holes those applications can open in an organization.

Even though we are ultimately responsible for protecting our sensitive data, there are native security capabilities that address Microsoft Office 365 security concerns. Moreover, there are third-party solutions that can help us ensure a strong security posture across the entire infrastructure.

So let’s list the common concerns I have gathered from my experience with M365:

  • Unauthorized or external file sharing: enabling users to collaborate with external users in applications like Teams and SharePoint also makes it easy to overshare, for example through anonymous links that anyone can open
  • Privilege abuse: a user with more permissions than they need. It is obvious, but excessive rights increase the risk of a data breach…
  • Global Admin account breach: this is game over. If someone gains access to that type of account they control the whole tenant, and it can be a disaster. If you have such accounts, apply MFA to those users
  • Disabled audit logs: auditing is not necessarily enabled in every tenant, so check it rather than assume it; for me it is very powerful to know which actions users are performing
  • Short log retention: by default Microsoft stores our logs for 90 days; if you need to keep those logs longer for later investigation, take that into account and export or archive them

So what can we do to overcome those concerns?

  • Enable MFA: it is a very powerful control and we have it for free, so… use it, it is great. If you have the license, combine it with Conditional Access
  • Use DLP and email encryption
  • Classify data: it helps to understand the value of the content in order to apply appropriate security controls. For example, apply labels that prevent documents from being shared with external users, or even disable that option
  • Minimize privileges: revoke excessive permissions and set expiration dates on sharing links
  • Use the Unified Audit Log: to gain visibility across the M365 environment
  • Use ATP, which can block malicious attachments in phishing emails and verify URLs in messages and documents
  • Use Cloud App Security: to discover shadow IT, control permissions in M365, application access, etc…

There is no magic to addressing concerns in M365, but the path is to gain visibility into the environment, investigate threats and, if it applies to your case, maintain regulatory compliance.
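As an added example (not from the original post), a script that checks several of the concerns from the list above with the countermeasures just listed: whether the Unified Audit Log is being ingested, who holds Global Administrator and which admins have no MFA registered, and an export of the last 90 days of sharing events so they survive the default retention window. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an account with the listed Graph permissions, and an existing `C:\Audit` folder; the event selection is one reasonable choice, not an exhaustive list.

```powershell
# Added example, not from the original post. Checks audit logging, Global Admin
# exposure and external sharing using Exchange Online and Microsoft Graph PowerShell.
# Assumptions: modules ExchangeOnlineManagement and Microsoft.Graph are installed,
# the caller can grant the scopes below, and C:\Audit exists.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All"

# 1. Is the Unified Audit Log actually being ingested? Do not assume the default.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Log ingestion is OFF - enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Who holds Global Administrator, and which admins have no MFA registered?
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }   # drop service principals and groups, which have no UPN
Write-Host "Global Administrators ($($gaMembers.Count)):"
$gaMembers | ForEach-Object { Write-Host "  $_" }

$noMfaAdmins = Get-MgReportAuthenticationMethodUserRegistrationDetail `
    -Filter "isAdmin eq true and isMfaRegistered eq false" -All
foreach ($u in $noMfaAdmins) {
    Write-Warning "Admin without MFA registered: $($u.UserPrincipalName)"
}

# 3. Pull the last 90 days (the default retention window) of sharing events and
#    archive them to CSV so they outlive that window. ReturnLargeSet pages 5000 at
#    a time under one session id until nothing more is returned.
$start     = (Get-Date).AddDays(-90)
$end       = Get-Date
$sessionId = "sharing-export-$(Get-Date -Format yyyyMMddHHmmss)"
$events    = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation `
        -Operations SharingSet,AnonymousLinkCreated,SecureLinkCreated,AddedToSecureLink `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $events += $page }
} while ($page)

# AuditData is a JSON blob; flatten the fields an investigator looks at first.
$rows = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        Operation  = $_.Operations
        Actor      = $d.UserId
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # Guest, Member, SecurityGroup, ...
        Object     = $d.ObjectId
        ClientIP   = $d.ClientIP
    }
}
$rows | Export-Csv -Path "C:\Audit\$sessionId.csv" -NoTypeInformation

# Anonymous links are the usual "unauthorized external sharing" finding: list them
$rows | Where-Object Operation -eq 'AnonymousLinkCreated' |
    Format-Table When, Actor, Object -AutoSize
```

Run the export on a schedule (at least once per retention window) and ship the CSV to your SIEM or an immutable store; the audit log search itself will not return events older than the retention period, so anything not exported in time is gone.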

Recommendations to secure your Office 365 tenant – Part 2

Last week I posted a short talk about security, so my idea is to continue it. Regarding security in business, we can acquire Microsoft 365 (M365), which is super cool in terms of security. It includes all the best of Office 365 but also features that are only available as add-ons for the Office package, plus, of course, Windows Defender and EMS.

Office message encryption

Encryption can easily make your corporate communication a lot safer. For me, this feature is cool. It makes it possible to:

  • send encrypted emails to anyone inside or outside your organization, to any email address, including Office 365, Microsoft accounts (like Hotmail or Outlook.com), etc…
  • receive encrypted messages and open them from any app on any device
  • prevent recipients from forwarding the email to others, when it is sent with the “Do Not Forward” option (the plain “Encrypt” option protects the content but still allows forwarding, so choose the option deliberately)
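As an added example (not from the original post), mail flow rules that apply Office Message Encryption automatically, so users do not have to remember to pick the option: outbound mail tagged `[SECURE]` in the subject gets “Do Not Forward”, and outbound mail carrying a credit card number gets plain “Encrypt”. The tag, the rule names and the classification are assumptions; it requires Exchange Online PowerShell.

```powershell
# Added example, not from the original post. Applies OME through transport rules.
# Assumptions: ExchangeOnlineManagement module, rule names and the "[SECURE]" tag.

Connect-ExchangeOnline

# OME depends on Azure RMS being enabled for the tenant; check before creating rules.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "Azure RMS is not enabled for this tenant; enable it before using OME."
}
# The template names used below must exist in the tenant; list what is available.
Get-RMSTemplate | Select-Object Name

# Rule 1: sender opts in with a subject tag -> Do Not Forward (no forward, print or copy)
New-TransportRule -Name "OME: Do Not Forward for [SECURE] mail" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[SECURE]" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 0

# Rule 2: content-based -> Encrypt only (recipient may still forward, content stays protected)
New-TransportRule -Name "OME: Encrypt mail with card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; minCount="1"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 1

# Confirm both rules are enabled and ordered as intended (lower priority value wins)
Get-TransportRule | Where-Object Name -like "OME:*" | Format-Table Name, State, Priority
```

Keep the “Do Not Forward” rule at the higher priority: if both match, only the first matching rule with a rights-protection action is applied, and the stricter template is the one you want to win.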

Anti-phishing protection (ATP)

M365 Business includes Office 365 Advanced Threat Protection (ATP), which uses specialized detection logic to unmask phishing attacks that try to penetrate the organization via corporate e-mail.

Such attacks are often impersonation-based. You can tune the protection by choosing among various policy options to better identify and prevent phishing and spoofing attempts, for example by protecting named users (executives) and your own domains against impersonation and by quarantining what is caught.

ATP safe attachments and safe links

The ATP Safe Attachments tool opens every attached file in a virtual environment (a sandbox) before releasing it to the user. The possible outcomes are:

  • a safe attachment is delivered right away after scanning;
  • an attachment containing malicious content is removed (or the whole message is blocked, depending on the policy action) and a warning message is displayed.

Safe Links complements this by rewriting the URLs in messages and Office documents and checking them at the moment the user clicks, not only at delivery time.
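As an added example (not from the original post), the three ATP policies discussed above (anti-phishing impersonation protection, Safe Attachments, Safe Links) created from Exchange Online PowerShell. The domain `contoso.com`, the protected executive and the policy names are assumptions; the parameters are the current Defender for Office 365 cmdlet names.

```powershell
# Added example, not from the original post: create the ATP policies described above.
# Assumptions: tenant domain contoso.com, CEO "Alice Doe <alice@contoso.com>",
# ATP / Defender for Office 365 licensing present, ExchangeOnlineManagement module.

Connect-ExchangeOnline

# --- Anti-phishing: impersonation protection for a named executive and our own domains
New-AntiPhishPolicy -Name "Exec impersonation" -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Alice Doe;alice@contoso.com" `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -PhishThresholdLevel 2                       # 1 = standard ... 4 = most aggressive
New-AntiPhishRule -Name "Exec impersonation" -AntiPhishPolicy "Exec impersonation" `
    -RecipientDomainIs contoso.com

# --- Safe Attachments: detonate in a sandbox; block the whole message if malicious
New-SafeAttachmentPolicy -Name "Block malicious attachments" -Enable $true `
    -Action Block -Redirect $false
New-SafeAttachmentRule -Name "Block malicious attachments" `
    -SafeAttachmentPolicy "Block malicious attachments" -RecipientDomainIs contoso.com

# --- Safe Links: rewrite and check URLs at click time, no user click-through
New-SafeLinksPolicy -Name "Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links" -SafeLinksPolicy "Safe Links" -RecipientDomainIs contoso.com

# --- Verify what is now in force
Get-AntiPhishPolicy      | Format-List Name, Enabled, TargetedUsersToProtect, PhishThresholdLevel
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action
Get-SafeLinksPolicy      | Format-List Name, EnableSafeLinksForEmail, AllowClickThrough
```

`-EnableForInternalSenders` matters: a compromised internal mailbox is a common phishing source, and without it Safe Links only rewrites URLs from external senders.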

Exchange Online Archiving

Organizations often need to keep their business correspondence for litigation, compliance or other purposes. Exchange Online Archiving covers the retention side of that task (it is not a backup in the classic sense, but it keeps mail available and recoverable).

  • an archive mailbox is created as a separate mailbox alongside the user’s primary mailbox
  • users can work with both their archive and their primary mailbox
  • deleted items or even a deleted mailbox can be recovered
  • you can set retention tags, which specify how long a message is kept and the action taken when the retention period expires
  • if no retention tag is applied to an item, the default retention tag of the retention policy applies to it
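As an added example (not from the original post), enabling an archive mailbox and building a retention policy whose default tags move items to the archive and later delete them, plus a personal tag users can apply to keep items. The user `alice@contoso.com`, the tag and policy names and the 2-year/7-year ages are assumptions; it requires Exchange Online PowerShell.

```powershell
# Added example, not from the original post: archive mailbox plus retention policy.
# Assumptions: ExchangeOnlineManagement module; the user is alice@contoso.com;
# the ages (730 and 2555 days) are illustrative, not a legal recommendation.

Connect-ExchangeOnline

# Create the archive mailbox (a separate mailbox, shown next to the primary one in Outlook)
Enable-Mailbox -Identity alice@contoso.com -Archive

# Default policy tags (-Type All) apply to any item that carries no explicit tag:
#   move to archive after 2 years, then delete (recoverable) after 7 years.
New-RetentionPolicyTag -Name "DPT-Archive-2y" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "DPT-Delete-7y" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery
# A personal tag users can apply themselves to exempt an item from deletion
New-RetentionPolicyTag -Name "Keep-Never-Delete" -Type Personal -RetentionEnabled $false

New-RetentionPolicy -Name "Corp-Retention" `
    -RetentionPolicyTagLinks "DPT-Archive-2y","DPT-Delete-7y","Keep-Never-Delete"

Set-Mailbox -Identity alice@contoso.com -RetentionPolicy "Corp-Retention"

# Ask the Managed Folder Assistant to process the mailbox now rather than on its own schedule
Start-ManagedFolderAssistant -Identity alice@contoso.com

# Verify
Get-Mailbox -Identity alice@contoso.com | Format-List ArchiveStatus, RetentionPolicy
Get-RetentionPolicyTag | Format-Table Name, Type, AgeLimitForRetention, RetentionAction
```

Note the difference between the two actions: `MoveToArchive` only changes where an item lives, while `DeleteAndAllowRecovery` removes it (recoverable from Deleted Items for the deleted-item retention period); a litigation hold on the mailbox overrides the deletion.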

Azure Information protection

It offers capabilities for detecting, classifying and labelling files. Once applied, a label marks a file as Confidential, General or any other classification of your choice, and can attach protection (encryption and usage rights) to it. AIP can classify and label your data:

  • at rest
  • in use
  • in motion

And wherever it may reside:

  • Microsoft’s Cloud
  • SaaS apps
  • non-Microsoft Clouds
  • your own data center, in on-premises file servers (the AIP scanner needs the AIP P2 license)
  • other platforms such as Apple/Mac
  • non-Microsoft file types (e.g. PDFs in Adobe Reader).

This is pretty cool. It means that your data stays protected no matter which service it ends up in, because the protection travels with the file: any application that understands the label (and the RMS protection behind it) enforces the usage rights the label implies, wherever the file resides.

Intune

Allows you to manage and control both Microsoft and non-Microsoft devices.

Data loss prevention

Data loss prevention (DLP) policies help you detect sensitive personal data stored in various locations, like SharePoint, OneDrive or Exchange, and prevent your users from inadvertently sharing it.
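As an added example (not from the original post), a DLP policy that detects credit card numbers in SharePoint, OneDrive and Exchange and blocks sharing them with people outside the organization. It starts in test mode with policy tips so users see the effect before anything is blocked; the policy and rule names are assumptions, and it requires the Security & Compliance PowerShell session.

```powershell
# Added example, not from the original post: DLP policy blocking external sharing
# of credit card numbers. Assumption: Security & Compliance PowerShell
# (Connect-IPPSSession from ExchangeOnlineManagement) is available.

Connect-IPPSSession

# Policy scope: all SharePoint sites, all OneDrive accounts, all mailboxes.
# TestWithNotifications shows policy tips and reports, but blocks nothing yet.
New-DlpCompliancePolicy -Name "PCI - block external" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: one or more card numbers + shared outside the org -> block, notify, report
New-DlpComplianceRule -Name "PCI - external share" -Policy "PCI - block external" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier,Owner `
    -NotifyPolicyTipCustomText "This file contains card numbers and cannot be shared externally." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title,DocumentAuthor,Detections

# After the test period, switch the policy to enforcement
Set-DlpCompliancePolicy -Identity "PCI - block external" -Mode Enable

Get-DlpComplianceRule -Policy "PCI - block external" | Format-List Name, AccessScope, BlockAccess
```

`-AccessScope NotInOrganization` is what turns this from "find card numbers" into "block external sharing": internal collaboration on the same file keeps working, only sharing links and sends to outside recipients are stopped.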

Windows Defender

Windows Defender in M365 protects the endpoints running Windows in your organization. Similar to O365 and Azure AD, Windows Defender has its own Advanced Threat Protection, and these three ATPs actually share signals with each other.

As you can see, M365 offers many advanced security features that can turn threat protection into something that meets your security requirements.

Till next time folks!