Microsoft 365 Configuration Reviews
November 21, 2023
Introduction
Configuration reviews are becoming increasingly important in the cybersecurity world, including Microsoft 365 config reviews. The landscape of bad actors is constantly changing, increasing in complexity and cleverness every day. Configuration reviews are an important step in defending against these bad actors, considering they review vulnerabilities, potential threats, and various other aspects that protect you.
There are a few different configuration reviews that are available, including firewall configurations, VPN configurations, and more. There has been a focus on Microsoft 365 configurations, however, since it is becoming widely used by many businesses. Microsoft has their own defenses for their platform, but default settings can still leave your systems vulnerable.
Using Microsoft 365
Microsoft 365 has become a cornerstone for many businesses across the world. It is an extremely useful suite of programs that consist of Microsoft Office programs like Word and Excel. There are other useful things as well, including email, Sharepoint and a collective place to put documents and important information. A whole organization can have one place to have all their information and data.
However, that is also a double-edge sword. Even though it’s extremely convenient to have everything in one place, a bad actor can do some major damage. Simple ransomware or an account takeover can cause irreparable damage. This is why configuration reviews are so important—it keeps everything up to date and makes sure there aren’t vulnerabilities.
Account Takeover
Because Microsoft 365 has so many things in one place, an account takeover can lead to heavy damage. Account takeover, or ATO, is when a bad actor gains access to a user’s account. If a username or password is obtained, an account takeover can be performed. These can be difficult to detect at times, too, especially if the bad actor remains quiet for a time.
These attacks can come in a quiet form or a noisy form. “Noisy” attacks are when a bad actor simply takes what they can get and lets the business know they have sensitive information. A “quiet” attack, however, is much more dangerous. The bad actor will retain access to the account and slowly siphon information in the background. This leads to even more information being taken and possibly more accounts being hacked.
Microsoft 365 Configuration Review
Since these config reviews are becoming more common, it is important to know exactly what goes on in a Microsoft 365 config review. There are multiple aspects, but the most crucial thing to remember is that Microsoft 365 is constantly changing. Microsoft wants to make sure their platform has the best ease of use for their customers. That’s understandable, since everyone enjoys things being easier.
However, because of the constant updates and changes to the platform, it can lead to dangerous situations. Even the smallest change can cause a vulnerability to pop up or a threat to get through. As such, it is important to get configuration reviews often. It is recommended to get one each quarter of the year, or at least twice a year.
Here are a few of the checks that happen in a Microsoft 365 configuration review:
Entra
This is the main check of any Microsoft 365 config review. Entra is Microsoft’s cloud-based identity and access management service. This includes all userbase, directory services, multifactor databases, and more. Bad actors will target this more than anything in order to get into accounts, since it has all the information on users and authentication. If a bad actor broke through, it could be the start of a very bad attack.
Exchange and Email
The email server is another important review check, considering emails can have sensitive information in them. If a bad actor gets into an email account, they can easily send off malicious emails to others, causing a chain of malware to release across the network. However, if an actor manages to get into an account quietly, they can sit and wait, continually picking up more sensitive information from users. Checks in Exchange and Outlook can prevent bad actors from getting in.
Defender and Endpoint
Microsoft Defender and Endpoint are Microsoft’s built-in antivirus and cybersecurity options. While they are good, these need to be checked as well. Whether there are unpatched vulnerabilities or new threats on the horizon, everything can have potential weaknesses. This is especially true as Microsoft continually updates their platforms.
Additional Defenses
While configuration reviews are important to any business, there are specific things that can be done to make config reviews easier. There are CIS, or Center of Internet Security, guidelines that specify special recommendations for network controls. These guidelines are okay at best, but they mix in different controls and situations to defend against. It’s always better to get a config review, but these recommendations can help.
Another thing that can be done is to check SPF records and administrative logs constantly. Even though a config review will check these, checking these records and logs can save a lot of headaches in the long run. Looking over these lists can tell you if something is amiss before a config review can, so it’s important to check them often. This includes Microsoft 365.
Conclusion
Microsoft 365 is becoming increasingly popular among businesses. Over the past 5 years, millions of companies have adopted the platform. It’s an easy platform to use and it is becoming increasingly useful. However, with Microsoft constantly updating this suite of programs, it is easy to cause vulnerabilities and other dangerous situations.
To circumvent this, Microsoft 365 configuration reviews are becoming more and more important. These reviews go over many things like Entra, Exchange, Sharepoint, and more. Config reviews should be done every quarter, or at least two times a year or after a large database update. Third parties will be able to assist businesses with these and some are required by the government, so be sure to remain compliant with configuration reviews.