greali.blogg.se

Office 2021 ratiborus






Being hackers at FalconForce, we are a bit paranoid by nature and by professional deformation. Every piece of IT we use (COTS or self-built), we aspire to make as secure and as hardened as possible. At FalconForce, we use Office 365 for “day-to-day” office work and obviously, we tried configuring it as securely as possible.

Out of the box, Office 365 security is fairly good. I’m not aware of any public (serious) vulnerabilities in the past on the platform. However, Microsoft also has to make the trade-off between security and usability. And although I’m overall fairly happy with (almost) all choices they made for the general public, it wasn’t secure enough for us.

So early January, when we started FalconForce, I set out to harden our Office 365 instance as much as we deemed fit. I was expecting to find plenty of documentation, but was a bit disappointed. Although there were a lot of “guides” on hardening Office 365, most barely scratched the surface. Also, the official Microsoft documentation was nice, but not as elaborate as I hoped for. So I’ve documented all the changes we made to a vanilla Office 365 instance. Most of the changes are not direct mitigations of any security issue, but are aimed at attack surface reduction.

Since the number of changes made is extensive, and some features require additional licenses, I’ll split this article into three parts:

  • Part 1 - Hardening a vanilla Office 365 (this blog).
  • Part 2 - Setting up monitoring on Office 365.
  • Part 3 - Even more improvements with paid features.

To keep things a bit readable, I’ve categorized the changes in the following buckets:

I’m assuming that you are fairly acquainted with the Admin environment of Office 365 and with Azure AD. Also, this is not a point-and-click guide. I’ve just highlighted my recommendations and I’m fully aware that not everything may be a workable trade-off in your organization. You need to perform your own risk analysis and make your own choices.

By the way, I know I’m exposing our Office 365 security settings for a large part and making the recon job for a potential attack way easier.







