Fixing Vulnerabilities in the DHS Office 365 Security Advisory

On May 13th, the US Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) released Analysis Report AR19-133A, “Microsoft Office 365 Security Observations”. This release identifies security issues found in Office 365 tenants deployed by third-party consultants.

To be clear these are not new vulnerabilities. These are frequent configuration issues that leave organizations exposed to cyber-attacks after an Office 365 migration. The configuration vulnerabilities they list are:

• Multifactor Authentication for admins not enabled as default
• Mailbox auditing disabled
• Password Sync Enabled
• Unified audit logging is disabled
• Authentication unsupported by legacy protocols

While these issues are not difficult to remediate, the DHS also explains that the larger part of the problem is that small and medium businesses do not normally have a dedicated security staff that would proactively know to implement Office 365 security best practices.

Remediating Issues in Analysis Report AR19-133A

Enabling MultiFactor Authentication for Admins

Seriously, MFA should be enabled for all employees. But at the very least all admin accounts MUST be protected by MFA. The technical requirements for enabling MFA in your tenant are minimal and can be turned on for the whole organization in a few minutes. Please don’t do this, unless you REALLY like distressed calls from half of your organization. It is also important to consider a break glass procedure should the MFA process fail due to a service outage, DDOS attack, or a natural disaster that impacts cell tower availability.

MFA is managed in the user settings of Office 365 admin center, and Microsoft’s official documentation on Multifactor Authentication covers everything you need to know.

Mailbox Auditing

Mailbox auditing was turned on by default in January 2019. Even tenants migrated prior to that should have had the setting changed, but it is important to make sure. Thankfully it is simple to verify. From Exchange online Powershell, run the command:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get-OrganizationConfig | Format-List auditdisabled

Get-OrganizationConfig | ft OAuth*

Most of the mailbox auditing commands are also managed with PowerShell. For a full rundown of commands and switches read Microsoft’s guidance on enabling mailbox auditing. However, even with mailbox auditing now on by default, for those audits to be useful, you still need to enable Unified Audit Logging.

Unified Audit Logging

Unified audit logging is also in the process of being turned on by default. Unified audit logging takes Mailbox logging one step further, by also allowing you to view user and admin activity in Sharepoint Online and OneDrive for Business. In order to turn on and manage Unified Audit Logging, you will need to use Office 365 PowerShell. Once enabled you can search the generated audit logs in Security and Compliance Center and via Azure Sentinel.

Blocking Legacy Authentication methods:

Another easy setting to remediate, but one with potentially harmful ramifications if not managed carefully with your end users. IMAP, POP3, and STMP all had their day in the sun, but none of them can use modern authentication methods, meaning they can be easily used by attackers to circumvent MFA  protection. Microsoft has a default baseline to disable legacy authentication that is accessed via the Azure Active Directory Admin Center. If you have any legacy apps still using the old protocols (or a CEO who insists the built-in iOS mail client is the only thing he’ll use, you can set conditional access policies on those accounts to defend them while disabling them for all other accounts. Microsoft’s documentation on the baseline goes into detail on this setup.

Password Sync

This one is ugly and is more likely to impact tenants where admin accounts were migrated by an internal team. AD Connect is used during the migration process and compares on-premises accounts to cloud accounts. If a match is found, the password is duplicated from the on-premises account and the account is flagged as being managed by the on-premises directory. The critical issue here is that if the on-premises account has been compromised, password sync provides a wide-open lane for lateral movement of the breach.

Thankfully, like many of these vulnerabilities, Microsoft has removed the ability to use password sync for many types of administrator accounts as of October 2018. Again, it is imperative to verify that your configuration is not leaving you open to attack. If you are looking for the best way to securely manage your hybrid deployments, you should be looking at the new functionality in Azure Active Directory Domain Services.

Securing Office 365

Completing these remediations will NOT secure your Office 365 tenant, and should be considered only part of a complete security strategy. If you need help or guidance to secure Office 365 we are here to help. We have over 15 Gold Competencies and are a four-time Microsoft Partner of the Year. We are one of only six Microsoft AOS-G partners, and our security clients range from state governments to finance, health and retail. To find out more, request a free quote:

The Full DHS Office 365 Security Advisory

(Read the original DHS Advisory here)

Summary

As the number of organizations migrating email services to Microsoft Office 365 (O365) and other cloud services increases, the use of third-party companies that move organizations to the cloud is also increasing. Organizations and their third-party partners need to be aware of the risks involved in transitioning to O365 and other cloud services. This Analysis Report provides information on these risks as well as on cloud services configuration vulnerabilities; this report also includes recommendations for mitigating these risks and vulnerabilities. Description Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have used third-party partners to migrate their email services to O365. The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts). In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities. Technical Details The following list contains examples of configuration vulnerabilities:

• Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrator accounts are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts.[1] There is a default Conditional Access policy available to customers, but the Global Administrator must explicitly enable this policy in order to enable MFA for these accounts. These accounts are exposed to internet access because they are based in the cloud. If not immediately secured, these cloud-based accounts could allow an attacker to maintain persistence as a customer migrates users to O365.
• Mailbox auditing disabled: O365 mailbox auditing logs actions that mailbox owners, delegates, and administrators perform. Microsoft did not enable auditing by default in O365 prior to January 2019. Customers who procured their O365 environment before 2019 had to explicitly enable mailbox auditing.[2] Additionally, the O365 environment does not currently enable the unified audit log by default. The unified audit log contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.[3] An administrator must enable the unified audit log in the Security and Compliance Center before queries can be run.
• Password sync enabled: Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to O365.[4] This technology provides the capability to create Azure AD identities from on-premises AD identities or to match previously created Azure AD identities with on-premises AD identities. The on-premises identities become the authoritative identities in the cloud. In order to match identities, the AD identity needs to match certain attributes. If matched, the Azure AD identity is flagged as on-premises managed. Therefore, it is possible to create an AD identity that matches an administrator in Azure AD and create an account on-premises with the same username. One of the authentication options for Azure AD is “Password Sync.” If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs. Note: Microsoft has disabled the capability to match certain administrator accounts as of October 2018. However, organizations may have performed administrator account matching prior to Microsoft disabling this function, thereby synching identities that may be have been compromised prior to migration. Additionally, regular user accounts are not protected by this capability being disabled
• Authentication unsupported by legacy protocols: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of protocols associated with Exchange Online authentication that do not support modern authentication methods with MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). Legacy protocols are used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will not be disabled. This leaves email accounts exposed to the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols. Using Azure AD Conditional Access policies can help reduce the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce the attack surface for organizations.[5]

Solution CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets through defending against attacks related to their O365 transition and securing their O365 service.[6] Specifically, CISA recommends that administrators implement the following mitigations and best practices:

• Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.
• Enable unified audit logging in the Security and Compliance Center.
• Enable mailbox auditing for each user.
• Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
• Disable legacy email protocols, if not required, or limit their use to specific users.