
Step 5. Set up mobile device management: top 10 actions to secure your environment

February 14th, 2019

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 5. Set up mobile device management, you'll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.

In Steps 1-4 of the series, we provided tips for securing identities with Azure Active Directory (Azure AD). In the next two posts (Step 5 and Step 6), we introduce you to ContosoCars to illustrate how you can deploy Microsoft Intune as part of your UEM strategy for securing company data on devices and applications.

ContosoCars is an automotive company with 1,000 employees that work in the corporate headquarters, and 4,000 that work in several branches across the U.S. Another 2,000 service centers are owned by franchises. To stay competitive, IT needs to support a fleet of cloud-connected devices for secure, remote access to Office 365 and SaaS apps and sensitive customer data. With their expanding business, franchise sales staff need access to ContosoCars customer data as well, but ContosoCars does not own those devices.

They have defined the following goals:

  • Deliver the best Windows 10 experience for all their corporate PCs.
  • Allow employees to use personal devices and mobile phones at work.
  • Protect the network from unknown or compromised users and devices.
  • Secure data on tablet devices shared by several shop floor workers that are often left in public areas of the shop.
  • Prevent employees from accessing and maintaining corporate data if they leave the company.

Plan your Intune deployment

Once ContosoCars defines their goals, they can begin to set up use-case scenarios to align their goals with user types and user groups (Figure 1). ContosoCars wants to provide corporate devices for their employees at headquarters and branches. They will not supply devices to their franchise sales staff, but they need to make sure staff-owned tablets can use Office 365 apps to securely access company data.

Figure 1. ContosoCars' defined Intune use-case scenarios and requirements (graph showing ContosoCars locations, device ownership, groups, platforms, and requirements, all part of their use-case management plan).

You can find more information on setting goals, use-case scenarios, and requirements in the Intune deployment planning, design, and implementation guide. The guide also includes recommendations for a design plan that integrates well with existing systems, a communication plan that takes into account the different channels your audience uses to receive information, a rollout plan, and a support plan.

Set up Mobile Device Management (MDM)

Once planning is complete, ContosoCars can move onto implementing their Intune plan. ContosoCars uses Azure AD to fully leverage Office 365 cloud services and get the benefits of identity-driven security (see Step 1. Identify users). Before employees can enroll their devices to be managed by Intune, IT admins will need to set MDM authority to Intune in the Azure portal.

In order to manage the devices, ContosoCars can add and deploy configuration policies to enable and disable settings and features such as software delivery, endpoint protection, identity protection, and email. ContosoCars can also use configuration policies to deploy Windows Defender Advanced Threat Protection (ATP), which provides instant detection and blocking of advanced threats. Once IT admins set up Intune, users can enroll devices by signing in with their work or school account to automatically receive the right configuration profiles for their device.

ContosoCars can configure devices to meet business requirements and enable security features, such as Windows Hello, which allows users to sign in to their computer using a combination of biometrics and a PIN.

Manage personal devices

Next on the rollout plan are the personal iPhones and Android phones used by the staff to keep up with work email and data. ContosoCars will manage these devices by requiring employees to enroll their devices with Intune before allowing access to work apps, company data, or email using enrollment requirements guidance. ContosoCars can set up configuration policies for these devices just as they did the Windows 10 PCs, and they can add additional security controls by setting up device compliance policies. Using Azure AD you can allow or block users in real-time if their compliance state changes. These policies ensure only known and healthy devices enter the network.

Some examples include:

  • Require users to set a password to access devices; password must be of certain complexity.
  • Require users to set a PIN to encrypt the device; PIN must be of certain complexity.
  • Deny access to jail-broken or rooted devices, as they may have unknown apps installed.
  • Require a minimum OS version to ensure security patch level is met.
  • Require the device to be at, or under, the acceptable device-risk level.

With Windows 10, conditional access policies are integrated with Windows Defender ATP. Microsoft works with leading mobile threat defense technology partners to provide comprehensive device-risk assessment on all platforms.
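As an added example (not Intune's own code), the following models the compliance checks listed above: each requirement is evaluated against a device's reported state, every violation is recorded, and the access gate allows only a device with no violations. The policy, device records and risk labels are constructed sample data.

```python
"""Device compliance evaluation modelled on the ContosoCars policy examples.

Added example, not Intune's own code: a compliance policy turns a device's
reported state into a list of violations, and the access gate then allows
only compliant devices. All policy and device values are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordering used for the "at or under the acceptable device-risk level" check.
RISK_ORDER = {"secured": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class CompliancePolicy:
    platform: str                       # compliance policies are per platform
    min_os_version: str                 # patch-level floor, e.g. "9.0"
    min_password_length: int
    require_password_complexity: bool   # letters plus digits or symbols
    require_encryption: bool            # the PIN/password must encrypt storage
    block_rooted: bool = True           # jailbroken/rooted devices are denied
    max_risk_level: str = "medium"      # level reported by mobile threat defense


@dataclass(frozen=True)
class DeviceState:
    device_id: str
    platform: str
    os_version: str
    password_length: int
    password_is_complex: bool
    encrypted: bool
    rooted_or_jailbroken: bool
    threat_risk_level: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.1' / '12.1.0' / '10.0.19041' into comparable tuples.

    Missing components count as 0 and non-numeric suffixes are dropped, so
    '12.1' == '12.1.0' and '9.0' < '10.0' (a string compare gets that wrong).
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def evaluate_compliance(policy: CompliancePolicy, device: DeviceState) -> List[str]:
    """Return every violated requirement; an empty list means compliant."""
    if device.platform != policy.platform:
        raise ValueError(f"policy for {policy.platform} does not apply to {device.platform}")
    violations = []
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        violations.append(f"OS {device.os_version} is below minimum {policy.min_os_version}")
    if device.password_length < policy.min_password_length:
        violations.append(f"password shorter than {policy.min_password_length} characters")
    if policy.require_password_complexity and not device.password_is_complex:
        violations.append("password does not meet complexity requirement")
    if policy.require_encryption and not device.encrypted:
        violations.append("device storage is not encrypted")
    if policy.block_rooted and device.rooted_or_jailbroken:
        violations.append("device is jailbroken or rooted")
    # An unknown risk label fails closed: it is treated as "high".
    if RISK_ORDER.get(device.threat_risk_level, 3) > RISK_ORDER[policy.max_risk_level]:
        violations.append(f"device risk {device.threat_risk_level} exceeds {policy.max_risk_level}")
    return violations


def access_decision(policy: CompliancePolicy, device: DeviceState) -> str:
    """The gate applied when compliance state changes: allow only healthy devices."""
    return "allow" if not evaluate_compliance(policy, device) else "block"


# Constructed sample policy and devices (hypothetical values).
ANDROID_POLICY = CompliancePolicy("android", "9.0", 6, True, True)
PHONE_OK = DeviceState("and-001", "android", "10.0", 8, True, True, False, "low")
PHONE_ROOTED = DeviceState("and-002", "android", "8.1.0", 4, False, True, True, "high")

if __name__ == "__main__":
    for dev in (PHONE_OK, PHONE_ROOTED):
        print(dev.device_id, access_decision(ANDROID_POLICY, dev),
              evaluate_compliance(ANDROID_POLICY, dev))
```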

Learn more

Check back in a few weeks for our next blog post, Step 6. Manage mobile apps, where we explore the use of Intune app protection policies to allow only approved applications to access work email and data. We will also learn how ContosoCars keeps sensitive customer data secure on shared franchise devices on the shop floor.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 5. Set up mobile device management: top 10 actions to secure your environment appeared first on Microsoft Secure.


Step 4. Set conditional access policies: top 10 actions to secure your environment

January 30th, 2019

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 4. Set conditional access policies, you'll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today's workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it's highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see "Sign-in risk" below).

We recommend that you apply policies that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it's in a country with limited security policies, if the wireless network is unsecured, or simply because it's not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they're off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on condition.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don't allow more modern forms of authentication, such as MFA. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply (Figure 3). This step will give you a better sense of how your policies will impact your users. You can also check which policies do not apply to a specific scenario.

One final precaution: be sure to set up an exception group for each conditional access policy, so you don't lock yourself out.

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.
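As an added example (not Azure AD's own engine), the following models the conditions and controls described in this post: each policy names the conditions under which it fires (user groups, sign-in risk, location, device platform and state, client app, cloud app) and the controls it imposes, every policy carries an exception group, and evaluating a sign-in against the whole set reports which policies apply and the combined controls, the way the What If tool does. The group names, app names, policies and sign-ins are constructed sample data.

```python
"""Conditional access evaluation modelled on the Step 4 conditions and controls.

Added example, not Azure AD's own engine. Policies, groups, apps and
sign-ins are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

LEGACY_CLIENTS = frozenset({"pop3", "imap4", "smtp"})  # cannot perform MFA
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    client_app: str         # "browser", "mobile", "desktop", or a legacy protocol
    sign_in_risk: str       # level assigned by Identity Protection
    on_trusted_ip: bool     # source IP is on the corporate safe list
    device_platform: str
    device_compliant: bool  # Intune compliance state; False for unmanaged devices


@dataclass(frozen=True)
class Policy:
    name: str
    controls: FrozenSet[str]   # "mfa", "block", "password_reset", "limited"
    include_groups: Optional[FrozenSet[str]] = None  # None means all users
    exclude_groups: FrozenSet[str] = frozenset()      # the exception group
    apps: Optional[FrozenSet[str]] = None            # None means all cloud apps
    client_apps: Optional[FrozenSet[str]] = None
    min_sign_in_risk: Optional[str] = None           # fire at this level or above
    untrusted_location_only: bool = False
    platforms: Optional[FrozenSet[str]] = None
    noncompliant_device_only: bool = False

    def applies(self, s: SignIn) -> bool:
        """True when every configured condition matches the sign-in."""
        if s.groups & self.exclude_groups:
            return False  # members of the exception group are never caught
        if self.include_groups is not None and not (s.groups & self.include_groups):
            return False
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.client_apps is not None and s.client_app not in self.client_apps:
            return False
        if (self.min_sign_in_risk is not None
                and RISK_ORDER.get(s.sign_in_risk, 3) < RISK_ORDER[self.min_sign_in_risk]):
            return False  # unknown risk labels fail closed (treated as high)
        if self.untrusted_location_only and s.on_trusted_ip:
            return False
        if self.platforms is not None and s.device_platform not in self.platforms:
            return False
        if self.noncompliant_device_only and s.device_compliant:
            return False
        return True


def what_if(policies: List[Policy], s: SignIn) -> Tuple[List[str], Set[str]]:
    """Which policies apply to this sign-in, and the union of their controls."""
    applied = [p for p in policies if p.applies(s)]
    controls: Set[str] = set()
    for p in applied:
        controls |= p.controls
    return [p.name for p in applied], controls


def outcome(controls: Set[str]) -> str:
    """Collapse the combined controls into one result; block overrides the rest."""
    if "block" in controls:
        return "block"
    return "grant: " + ", ".join(sorted(controls)) if controls else "grant"


# Constructed policy set; every policy excludes the "ca-exceptions" group.
EXC = frozenset({"ca-exceptions"})
POLICIES = [
    Policy("Block legacy authentication", frozenset({"block"}),
           client_apps=LEGACY_CLIENTS, exclude_groups=EXC),
    Policy("Require MFA at medium sign-in risk", frozenset({"mfa"}),
           min_sign_in_risk="medium", exclude_groups=EXC),
    Policy("Block high-risk sign-ins", frozenset({"block"}),
           min_sign_in_risk="high", exclude_groups=EXC),
    Policy("Require MFA off the corporate network", frozenset({"mfa"}),
           untrusted_location_only=True, exclude_groups=EXC),
    Policy("Block Workday from unmanaged devices", frozenset({"block"}),
           apps=frozenset({"workday"}), noncompliant_device_only=True, exclude_groups=EXC),
]

# Constructed sign-ins.
HR_OFFICE = SignIn("hr.user", frozenset({"hr"}), "workday", "browser", "none", True, "windows", True)
HR_IMAP = SignIn("hr.user", frozenset({"hr"}), "exchange", "imap4", "none", True, "windows", True)
ADMIN_IMAP = SignIn("breakglass", EXC, "exchange", "imap4", "none", True, "windows", True)
SALES_ROAMING = SignIn("sales.user", frozenset({"sales"}), "exchange", "mobile", "medium", False, "ios", True)
SALES_UNMANAGED = SignIn("sales.user", frozenset({"sales"}), "workday", "browser", "none", False, "android", False)

if __name__ == "__main__":
    for s in (HR_OFFICE, HR_IMAP, ADMIN_IMAP, SALES_ROAMING, SALES_UNMANAGED):
        names, controls = what_if(POLICIES, s)
        print(f"{s.user:>10} {s.app:>8} {s.client_app:>8} -> {outcome(controls)}  {names}")
```

Running the sample shows the legacy-client sign-in blocked, the same client allowed for the exception-group account, and the roaming medium-risk sign-in granted with MFA.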

Learn more

Check back in a few weeks for our next blog post, Step 5. Set up mobile device management, where we'll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 4. Set conditional access policies: top 10 actions to secure your environment appeared first on Microsoft Secure.


Step 3. Protect your identities: top 10 actions to secure your environment

January 16th, 2019

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 3. Protect your identities, you'll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that it's not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an "assume breach" mindset. Preventative measures are critical, but in an "assume breach" world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that will automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover a hacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once hackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised account, no matter its access level, is critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies to automate a response based on conditions you define. A sign-in risk policy is a conditional access policy that you can configure based on the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy that you can configure based on the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that forces all medium-risk sign-ins to use Multi-Factor Authentication (MFA). We also recommend that users with a high risk level be required to safely change their password after verifying their identity using MFA. In both instances, these policies will be enforced automatically without any intervention by an administrator. (We'll go into more detail about Azure AD conditional access policies in our next blog.)

Figure 2. Apply a policy that blocks or flags risky sign-ins.

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that a hacker will make it through your defenses. In those instances, you need to minimize the likelihood that a compromised account can operate with a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and allows you to establish rules and policies that govern those accounts. Once you've identified the users, you can remove users who don't need privileged access and move the remaining users' permissions from permanent to eligible (Figure 3). A user who is eligible for administrative access must request access every time they wish to perform a privileged task. We recommend that you enable MFA for all privileged roles, so you can verify their identity. We also recommend that you establish time limits for administrator access. Users should only have access long enough to complete the privileged task. These steps will make it much more difficult for a hacker to gain access to your most valuable data and resources.

Figure 3. Protect administrative roles by setting users to “Eligible.”

Learn more

Check back in a few weeks for our next blog post, Step 4. Set conditional access policies, where we'll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 3. Protect your identities: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: cybersecurity Tags:


Step 1. Identify users: top 10 actions to secure your environment

December 5th, 2018 No comments

This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. We'll provide advice on activities such as setting up identity management through Active Directory, malware protection, and more. In this post, we explain how to create a single common identity across on-premises and cloud with hybrid authentication.

Establishing a single, common identity for each user is the foundational step of your cybersecurity strategy. If you currently have an on-premises footprint, this means connecting your Azure Active Directory (Azure AD) to your on-premises resources. There are various requirements and circumstances that will influence the hybrid identity and authentication method that you choose, but whether you choose federation or cloud authentication, there are important security implications for each that you should consider. This blog walks you through our recommended security best practices for each hybrid identity method.

Set up password hash synchronization as your primary authentication method when possible

Azure AD Connect allows your users to access on-premises resources including Azure, Office 365, and Azure AD-integrated SaaS apps using one identity. It uses your on-premises Active Directory as the authority, so you can use your own password policy, and Azure AD Connect gives you visibility into the types of apps and identities that are accessing your company resources. If you choose Azure AD Connect, Microsoft recommends that you enable password hash synchronization (Figure 1) as your primary authentication method. Password hash synchronization synchronizes the password hash in your on-premises Active Directory to Azure AD. It authenticates in the cloud with no on-premises dependency, simplifying your deployment process. It also allows you to take advantage of Azure AD Identity Protection, which will alert you if any of the usernames and passwords in your organization have been sold on the dark web.

Figure 1. Password hash sync synchronizes the password hash in your on-premises Active Directory to Azure AD.

Enable password hash synchronization as a backup during on-premises outages

If your authentication requirements are not natively supported by password hash synchronization, another option available through Azure AD Connect is pass-through authentication (Figure 2). Pass-through authentication provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. Since pass-through authentication relies on your on-premises infrastructure, your users could lose access to both Active Directory-connected cloud resources and on-premises resources if your on-premises environment goes down. To limit user downtime and loss of productivity, we recommend that you configure password hash synchronization as a backup. This allows your users to sign in and access cloud resources during an on-premises outage. It also gives you access to advanced security features, like Azure AD Identity Protection.

Figure 2. Pass-through authentication provides a simple password validation for Azure AD authentication services.

Whether you implement password hash synchronization as your primary authentication method or as a backup during on-premises outages, you can use the Active Directory Federation Services (AD FS) to password hash sync deployment plan as a step-by-step guide to walk you through the implementation process.

Implement extranet lockout if you use AD FS

AD FS may be the right choice if your organization requires on-premises authentication or if you are already invested in federation services (Figure 3). Federation services authenticates users and connects to the cloud using an on-premises footprint that may require several servers. To ensure your users and data are as secure as possible, we recommend two additional steps.

First, enable password hash synchronization as a backup authentication method to get access to Azure AD Identity Protection and minimize interruptions if an outage should occur. Second, we recommend you implement extranet lockout. Extranet lockout protects against brute force attacks that target AD FS, while preventing users from being locked out of Active Directory. If you are using AD FS running on Windows Server 2016, set up extranet smart lockout. For AD FS running on Windows Server 2012 R2, you'll need to turn on extranet lockout protection.

Figure 3. Federation services authenticates users and connects to the cloud using an on-premises footprint.
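An added example, not from the post, of turning on extranet lockout with the AD FS PowerShell cmdlets. It assumes it runs on an AD FS server with the ADFS and ActiveDirectory modules, that the Windows Server 2016 farm has the 2018 AD FS update that introduced smart lockout, and that the threshold and window values are starting points to tune; the check against the domain lockout threshold is what keeps extranet lockout from also locking the Active Directory account.

```powershell
# Added example: AD FS extranet lockout with a guard against locking AD accounts.
# Run on an AD FS server; thresholds below are assumptions to adjust per environment.

# The extranet threshold must be lower than AD's own lockout threshold, otherwise
# password guessing through AD FS still locks the real Active Directory account.
$adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 means AD never locks out
$extranetThreshold = 10                                                # assumption
$observationWindow = New-TimeSpan -Minutes 30                          # assumption

if ($adThreshold -ne 0 -and $extranetThreshold -ge $adThreshold) {
    throw "Extranet threshold ($extranetThreshold) must be below the AD lockout threshold ($adThreshold)."
}

if ([System.Environment]::OSVersion.Version.Major -ge 10) {
    # Windows Server 2016 and later: extranet smart lockout. Start in log-only mode,
    # review the AD FS event log for familiar-location sign-ins, then enforce.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $extranetThreshold `
                       -ExtranetObservationWindow $observationWindow `
                       -ExtranetLockoutMode ADFSSmartLockoutLogOnly
    # After validation: Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
} else {
    # Windows Server 2012 R2: classic extranet lockout protection (no familiar-location logic).
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $extranetThreshold `
                       -ExtranetObservationWindow $observationWindow
}

# Mode changes take effect after the AD FS service restarts.
Restart-Service adfssrv

# Verify the effective settings on the farm.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
    ExtranetObservationWindow, ExtranetLockoutMode
```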

You can use the AD FS to pass-through authentication deployment plan as a step-by-step guide to walk you through the implementation process.

Learn more

Check back in a few weeks for our next blog post, Step 2. Manage authentication and safeguard access. In this post we'll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 1. Identify users: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: cybersecurity Tags: