365 Standards / Best Practices
- Check 2FA is enabled for all staff
- Correct licensing (no purchased licenses left unassigned, and no users on the wrong plan)
- If Azure AD Connect is used with Password Hash Sync, make sure users cannot change or reset their password in 365 unless the tenant has Azure AD Premium P1: password writeback to on-premises AD requires P1, so without it a cloud-side change leaves the two passwords out of sync
- 365 has email Filtering Inbound and Outbound
- DKIM, SPF and DMARC records are published (Vali for DMARC)
- 365 backup and continuity (Mimecast and Veeam)
- Technical contact is correct and notifications are set up for service outages
- Tenant data location is in the right global datacenter (geo)
- Check litigation hold (lists user mailboxes that do not have it): Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (LitigationHoldEnabled -eq $false)} | fl Name,LitigationHoldEnabled
- Check mailbox auditing (lists user mailboxes where it is off): Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (AuditEnabled -eq $false)} | fl Name,AuditEnabled
- Check auditing is enabled at the organization level (both should come back True): Get-AdminAuditLogConfig | fl AdminAuditLogEnabled,UnifiedAuditLogIngestionEnabled
- Search the unified audit log, for example for failed logins. Search-UnifiedAuditLog has no -Filter parameter; filter on -Operations instead (and raise -ResultSize from its default of 100, maximum 5000): Search-UnifiedAuditLog -StartDate 1/1/2018 -EndDate 8/8/2018 -Operations UserLoginFailed -ResultSize 5000 | Format-List UserIds,CreationDate
- Retention policy: Get-RetentionPolicy (make sure there is a tenant retention policy if the license allows one)
- Check that no mailbox is on retention hold (otherwise the retention policy, and so archiving, will not run for it): Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name,RetentionPolicy,RetentionHoldEnabled -Auto
- Deleted items retention (increase from the 14-day default to the 30-day maximum). RetainDeletedItemsFor is a TimeSpan, so compare its day count rather than the raw value: Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RetainDeletedItemsFor.Days -lt 30} | Format-Table Name,RetainDeletedItemsFor
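The mailbox checks above can be run as one pass instead of four separate queries. The script below is an added example, not code from the original post; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), and the output path and the 30-day threshold are assumptions you can change.

```powershell
# Added example (not from the original post): one pass over every user mailbox that
# reports all findings from the checks above: litigation hold, mailbox auditing,
# retention hold and deleted-item retention. Assumes Connect-ExchangeOnline was run.
$reportPath         = '.\mailbox-compliance.csv'   # assumed output location
$minDeletedItemDays = 30                           # Exchange Online maximum

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$findings = foreach ($mbx in $mailboxes) {
    # RetainDeletedItemsFor is a TimeSpan; comparing it to a bare integer compares ticks
    $deletedDays = $mbx.RetainDeletedItemsFor.Days

    [pscustomobject]@{
        Name            = $mbx.DisplayName
        UPN             = $mbx.UserPrincipalName
        LitigationHold  = $mbx.LitigationHoldEnabled
        AuditEnabled    = $mbx.AuditEnabled
        RetentionHold   = $mbx.RetentionHoldEnabled
        RetentionPolicy = $mbx.RetentionPolicy
        DeletedItemDays = $deletedDays
        # One semicolon-separated string so the CSV stays flat and Group-Object can bucket it
        Issues          = @(
            if (-not $mbx.LitigationHoldEnabled)        { 'NoLitigationHold' }
            if (-not $mbx.AuditEnabled)                 { 'AuditDisabled' }
            if ($mbx.RetentionHoldEnabled)              { 'RetentionHoldOn' }
            if ($deletedDays -lt $minDeletedItemDays)   { "DeletedItems<$minDeletedItemDays" }
        ) -join ';'
    }
}

# Summary to the console, full detail to CSV for the ticket or report
$withIssues = @($findings | Where-Object { $_.Issues })
"{0} of {1} user mailboxes have findings" -f $withIssues.Count, @($mailboxes).Count
$withIssues | Group-Object { $_.Issues } | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$findings | Export-Csv -Path $reportPath -NoTypeInformation
```

Mailboxes with no issues still land in the CSV (with an empty Issues column), so the file doubles as evidence that the check was run against the whole tenant, not just the failures.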
- Run Secure Score for the tenant: https://securescore.microsoft.com/ (and check service health: https://support.office.com/en-us/article/how-to-check-office-365-service-health-932ad3ad-533c-418a-b938-6e44e8bc33b0 )
- Check modern auth (OAuth) is enabled on Exchange Online (OAuth2ClientProfileEnabled should be True): Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
- Check and report on any email forwarders (mailbox-level forwarding and inbox rules) -> https://gcits.com/knowledge-base/find-external-forwarding-mailboxes-office-365-customer-tenants-powershell/
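Forwarding can be set in three places: the ForwardingSmtpAddress and ForwardingAddress properties of the mailbox (admin-level settings) and the user's own inbox rules (the usual persistence left behind after a phished account). The script below audits all three and flags targets outside the tenant's accepted domains. It is an added example, not the original post's code or the linked GCITS script; it assumes an existing Exchange Online session (Connect-ExchangeOnline), and the CSV path is an assumption.

```powershell
# Added example (not from the original post): audit every automatic path mail can take
# out of a mailbox and flag targets outside the tenant's accepted domains.
# Assumes Connect-ExchangeOnline was run.

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as '"Display Name" [SMTP:user@domain]'; mailbox forwarding as 'smtp:user@domain'
    if ($Address -match 'smtp:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return ($Address -like '*@*' -and $internalDomains -notcontains $domain)
}

function New-Finding([string]$Mailbox, [string]$Source, [string]$Target, [bool]$Enabled) {
    [pscustomobject]@{
        Mailbox  = $Mailbox
        Source   = $Source
        Target   = $Target
        Enabled  = $Enabled
        External = Test-ExternalAddress $Target
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # 1. Mailbox-level forwarding: needs admin rights to set, so an unexpected one also
    #    points at admin-level compromise, not just a phished user
    if ($mbx.ForwardingSmtpAddress) {
        New-Finding $mbx.UserPrincipalName 'ForwardingSmtpAddress' "$($mbx.ForwardingSmtpAddress)" $true
    }
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress points at a recipient object; a mail contact can still be external
        $rcpt = Get-Recipient -Identity "$($mbx.ForwardingAddress)" -ErrorAction SilentlyContinue
        New-Finding $mbx.UserPrincipalName 'ForwardingAddress' "$($rcpt.PrimarySmtpAddress)" $true
    }
    # 2. Inbox rules: forward, forward-as-attachment and redirect actions
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            New-Finding $mbx.UserPrincipalName "InboxRule:$($rule.Name)" "$t" $rule.Enabled
        }
    }
}

$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Where-Object External | Export-Csv -Path '.\external-forwarding.csv' -NoTypeInformation
```

Review the internal targets too: a rule that forwards to another internal mailbox is not data leaving the tenant, but a disabled rule or one forwarding to a shared mailbox nobody reads is still worth a question to the user. Get-InboxRule runs once per mailbox, so on a large tenant expect this to take a while.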
- Check for any Flows set up. You will need to create a flow in Microsoft Flow under the domain account to enumerate the tenant's flows and review them; disable any that forward email, or at least alert a domain admin.
- Check OAuth: audit the OAuth applications on the domain (the first step, user consent to apps, was not locked down) via https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview . This is as close as you can get to the Microsoft Cloud App Security portal without an M365 licence; revoke anything that should not be there. Check whether users are still allowed to consent to apps: Get-MsolCompanyInformation | Select DisplayName,UsersPermissionToUserConsentToAppEnabled
- Check the spam policy (Advanced Spam Filter settings; Microsoft's recommended EOP and ATP settings are at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide )
- Image links to remote sites = OFF
- Numeric IP addresses = ON
- URL redirect to other port = ON
- URL to .biz or .info websites = ON
- Empty messages = ON
- Javascript or VBScript in HTML = ON
- Frame or iFrame tags in HTML = ON
- Object tags in HTML = ON
- Embed tags in HTML = ON
- Form tags in HTML = ON
- Web bugs in HTML = ON
- Apply sensitive word list = ON
- SPF record hard fail = ON
- Conditional sender ID hard fail = ON
- NDR backscatter = ON
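The list above maps one-to-one onto parameters of Set-HostedContentFilterPolicy. The script below is an added example, not code from the original post: it compares the tenant's policy against the list, prints the drift, and applies only the settings that differ when run with -Apply. The -Apply switch and the policy name are assumptions; it assumes an Exchange Online session (Connect-ExchangeOnline).

```powershell
# Added example (not from the original post): drift check of the content filter policy
# against the checklist above, with optional enforcement. Assumes Connect-ExchangeOnline.
param(
    [string]$PolicyName = 'Default',   # the built-in policy; assumption for the example
    [switch]$Apply
)

# The checklist mapped to Set-HostedContentFilterPolicy parameters (values: Off, On, Test)
$desired = @{
    IncreaseScoreWithImageLinks          = 'Off'  # Image links to remote sites
    IncreaseScoreWithNumericIps          = 'On'   # Numeric IP addresses
    IncreaseScoreWithRedirectToOtherPort = 'On'   # URL redirect to other port
    IncreaseScoreWithBizOrInfoUrls       = 'On'   # URL to .biz or .info websites
    MarkAsSpamEmptyMessages              = 'On'
    MarkAsSpamJavaScriptInHtml           = 'On'
    MarkAsSpamFramesInHtml               = 'On'
    MarkAsSpamObjectTagsInHtml           = 'On'
    MarkAsSpamEmbedTagsInHtml            = 'On'
    MarkAsSpamFormTagsInHtml             = 'On'
    MarkAsSpamWebBugsInHtml              = 'On'
    MarkAsSpamSensitiveWordList          = 'On'
    MarkAsSpamSpfRecordHardFail          = 'On'
    MarkAsSpamFromAddressAuthFail        = 'On'   # Conditional sender ID hard fail
    MarkAsSpamNdrBackscatter             = 'On'
}

$policy = Get-HostedContentFilterPolicy -Identity $PolicyName

$drift = foreach ($name in ($desired.Keys | Sort-Object)) {
    $current = "$($policy.$name)"
    [pscustomobject]@{
        Setting = $name
        Current = $current
        Desired = $desired[$name]
        Ok      = ($current -eq $desired[$name])
    }
}

$drift | Format-Table -AutoSize
$bad = @($drift | Where-Object { -not $_.Ok })

if ($bad.Count -gt 0 -and $Apply) {
    # Splat only the settings that differ, so the change is minimal and easy to audit
    $changes = @{}
    foreach ($b in $bad) { $changes[$b.Setting] = $b.Desired }
    Set-HostedContentFilterPolicy -Identity $PolicyName @changes
    "Applied {0} change(s) to policy '{1}'" -f $changes.Count, $PolicyName
} elseif ($bad.Count -gt 0) {
    "{0} setting(s) differ from the standard; re-run with -Apply to enforce" -f $bad.Count
}
```

These ASF settings are aggressive: each one marks matching mail as spam outright, and the linked recommended-settings article lists them as Off in both its Standard and Strict profiles because of false positives. Setting a value to 'Test' instead of 'On' first (it is accepted by the same parameters) lets you see what each rule would catch in the message headers before it starts quarantining mail.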
- Check whether Basic authentication has been disabled in O365 (see the authentication policy steps below)
- Make sure a cloud-only administrator account with an onmicrosoft.com UPN is documented, and excluded from AD Connect sync, as a break-glass login in case anything goes wrong with the AD Connect sync
- Set litigation hold for all mailboxes (requires an Exchange Online Plan 2 licence, or Plan 1 plus Exchange Online Archiving, on each mailbox): Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach-Object {Set-Mailbox $_.Identity -LitigationHoldEnabled $true}
- Set mailbox auditing for all mailboxes: Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}
- Disable users being able to consent to (install) third-party apps and plugins: Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
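Turning user consent off stops new grants; it does not undo the ones already made, which is what the OAuth application audit above is for. The script below is an added example, not code from the original post: it lists every OAuth2 permission grant in the tenant with the consenting user, the app and its scopes, flags mail- and file-reading scopes, and can revoke the user-consented high-risk ones. It uses the AzureAD module (Connect-AzureAD); the -Revoke switch and the $HighRiskScopes list are assumptions for the example.

```powershell
# Added example (not from the original post): enumerate OAuth2 permission grants so
# unexpected ones (the "illicit consent grant" attack that user consent enables) can be
# reviewed and revoked. Uses the AzureAD module after Connect-AzureAD.
param(
    [switch]$Revoke,   # assumption for the example
    [string[]]$HighRiskScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send',          # assumed deny-list
                                  'MailboxSettings.ReadWrite', 'Files.ReadWrite.All',
                                  'Directory.AccessAsUser.All')
)

# Service principal lookups are slow; cache them by object id
$spCache = @{}
function Get-SpLabel([string]$ObjectId) {
    if (-not $spCache.ContainsKey($ObjectId)) {
        $sp = Get-AzureADServicePrincipal -ObjectId $ObjectId
        $spCache[$ObjectId] = "{0} (AppId {1}, publisher: {2})" -f $sp.DisplayName, $sp.AppId, $sp.PublisherName
    }
    $spCache[$ObjectId]
}

$grants = foreach ($g in Get-AzureADOAuth2PermissionGrant -All $true) {
    $scopes = @($g.Scope -split '\s+' | Where-Object { $_ })
    # ConsentType 'Principal' is one user's own consent; 'AllPrincipals' is admin consent
    $user = if ($g.ConsentType -eq 'Principal') {
        try { (Get-AzureADUser -ObjectId $g.PrincipalId).UserPrincipalName }
        catch { "<deleted user $($g.PrincipalId)>" }
    } else { '<admin consent, all users>' }

    [pscustomobject]@{
        GrantId  = $g.ObjectId
        App      = Get-SpLabel $g.ClientId
        Resource = Get-SpLabel $g.ResourceId
        User     = $user
        Scopes   = $scopes -join ' '
        HighRisk = [bool]($scopes | Where-Object { $HighRiskScopes -contains $_ })
    }
}

$grants | Sort-Object HighRisk -Descending | Format-Table User, App, Scopes, HighRisk -AutoSize -Wrap

if ($Revoke) {
    # Only user-consented high-risk grants are revoked; admin-consented ones need a deliberate decision
    foreach ($g in ($grants | Where-Object { $_.HighRisk -and $_.User -notlike '<admin*' })) {
        Remove-AzureADOAuth2PermissionGrant -ObjectId $g.GrantId
        "Revoked grant {0} ({1}) for {2}" -f $g.GrantId, $g.App, $g.User
    }
}
```

Run it without -Revoke first and read the table: a mail client the user chose is legitimate, while an app with an unfamiliar publisher holding Mail.Read for one user is the pattern to chase. The AzureAD module has since been deprecated in favour of Microsoft Graph PowerShell, where Get-MgOauth2PermissionGrant returns the same objects.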
- Disable Basic Auth. This needs to be tested in groups, not rolled out to all users at once:
# If the AuthenticationPolicy column is empty, no authentication policy is applied and Basic auth is allowed
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Where-Object {$_.AuthenticationPolicy -eq $null} | Select-Object UserPrincipalName,AuthenticationPolicy
# Create the new policy; a new policy blocks Basic auth for every protocol unless an -AllowBasicAuth* switch is given
New-AuthenticationPolicy -Name "Disable Basic Auth"
# Assign the new policy to all mailboxes (StsRefreshTokensValidFrom makes it take effect within about 30 minutes instead of up to 24 hours)
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Set-User -AuthenticationPolicy "Disable Basic Auth" -StsRefreshTokensValidFrom $([System.DateTime]::UtcNow)
# Set the default auth policy for the org, i.e. the policy applied to any mailbox without one assigned. An assigned policy takes precedence over the default.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Disable Basic Auth"
NOTES:
- App passwords will stop working.
- Accounts will need to be recreated in the iOS Mail app, and any application accounts using an app password must be moved to modern auth (to be safe).
- Microsoft has since retired Basic authentication in Exchange Online for all protocols except SMTP AUTH (October 2022), so on current tenants this is enforced by the service.
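The steps above assign the policy to every mailbox in one go; the note that it must be tested in groups is what the script below does. It is an added example, not code from the original post: it assigns the policy to the members of a pilot distribution group, gives service accounts that genuinely need SMTP a narrower policy instead of no policy at all, and reports how much of the tenant is still unprotected. It assumes an Exchange Online session (Connect-ExchangeOnline); the pilot group name and the SMTP-only policy name are assumptions.

```powershell
# Added example (not from the original post): phased rollout of the Basic auth block.
# Assumes Connect-ExchangeOnline was run; $PilotGroup and $smtpOnly are assumed names.
param(
    [string]$PolicyName = 'Disable Basic Auth',
    [string]$PilotGroup = 'BasicAuth-Pilot'
)

if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    # A new policy blocks Basic auth for every protocol unless an -AllowBasicAuth* switch is set
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# A scanner or application that can only do SMTP AUTH gets one protocol opened, not all of them
$smtpOnly = 'Allow Basic Auth SMTP only'
if (-not (Get-AuthenticationPolicy -Identity $smtpOnly -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $smtpOnly -AllowBasicAuthSmtp | Out-Null
}

$members = @(Get-DistributionGroupMember -Identity $PilotGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' })

foreach ($m in $members) {
    # StsRefreshTokensValidFrom makes the policy take effect within ~30 minutes instead of up to 24 hours
    Set-User -Identity "$($m.PrimarySmtpAddress)" -AuthenticationPolicy $PolicyName `
             -StsRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}
"Assigned '{0}' to {1} pilot mailbox(es)" -f $PolicyName, $members.Count

# Coverage report: a mailbox with no policy (and no org default) can still use Basic auth
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Group-Object { if ($_.AuthenticationPolicy) { "$($_.AuthenticationPolicy)" } else { '<none: Basic auth allowed>' } } |
    Select-Object Count, Name | Format-Table -AutoSize
```

Once the pilot group has run without complaints, widen the group (or assign the policy to everyone as in the steps above) and only then set it as the organization default with Set-OrganizationConfig -DefaultAuthenticationPolicy, so that new mailboxes never start out unprotected.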
Ref: Disabling Basic Authentication on Exchange Online: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
Tags: 365, 365 best practice, policys, standards