Learn the advanced steps to configure users and policies in Microsoft 365 Business. Discover new security features, protect against cyber threats, safeguard sensitive information, and increase email malware protection.
Microsoft 365 Business Technical Fundamentals
Module 3: Configuring users and policies (advanced)

Microsoft 365 Business | Deployment overview steps
• Step 1: Configure users & policies
• Step 2: Deploy Office 365 Workloads & Clients
• Step 3: Deploy & manage Windows 10
• Step 4: Management & Troubleshooting

Deployment Step 1 | Configure users & policies - advanced

Key takeaways
New security features segmented by threats and safeguards: Cyber threats | Safeguard sensitive information
• Office 365 Advanced Threat Protection: Attachment scanning & ML detection to catch suspicious attachments; link scanning/checking to prevent users from clicking suspicious links
• Windows Exploit Guard Enforcement: Protecting devices from ransomware and malicious websites at device endpoints
• Data Loss Prevention: Deep content analysis to easily identify, monitor, and protect sensitive information from leaving the organization
• Azure Information Protection: Controls and manages how sensitive content is accessed
• Intune Availability: Protecting data across devices with E2E device and app management
• Exchange Online Archiving: 100GB archiving & preservation policies to recover data or remain compliant
• BitLocker Enforcement: Encrypt data on devices to protect data if a device is lost or stolen

Secure Microsoft 365 Business
• Set up Multi-factor authentication (MFA)
• Train the end users
• Use dedicated admin accounts for administering Microsoft 365 Business
• Increase email malware protection
• Protect against ransomware
• Block auto-forwarding externally
• Use Office Message Encryption
• Protect against phishing attacks
• Protect against malicious email attachments
• Protect against phishing attacks with ATP Safe Links
• Review Secure Score early and often

Secure Microsoft 365 Business | Multi-factor authentication (MFA)
What you need to know
• Require MFA for all admins
  • Administrators can use automation (e.g. PowerShell) with interactive logon prompt with MFA
  • Administrators can use automation (e.g. PowerShell) without interactive logon prompts with MFA & OAuth S2S authentication
• Users should use MFA
  • App passwords are available to allow users to continue to use clients that do not support MFA after their account is enabled
  • Office 365 Business Premium apps support MFA and do not require app passwords

Secure Microsoft 365 Business | Training
What you need to know
• Establishing a strong culture of security awareness
• Train users to identify spoof & phishing attacks
• Using strong passwords
• Protect devices
• Enable security features on devices
• Protect social media & personal email accounts
  • Most support MFA

Secure Microsoft 365 Business | Dedicated Admin Accounts
What you need to know
• Admin accounts are prime targets
• Use multi-factor authentication (MFA)
• Do not assign M365B license
• Close out all unrelated browser sessions and apps
• Always log out when done

Secure Microsoft 365 Business | Increase email malware protection
What you need to know
• M365B includes baseline protection against malware
• Increase protection in Security & Compliance Center
  • Evaluate email attachment types the customer needs to send and receive
  • Evaluate email attachment types Microsoft can block in the default policy
  • Evaluate email attachment types that may pose additional risk for the customer
  • Enable Common Attachment Filter
  • Add/remove file types per customer requirements

Secure Microsoft 365 Business | Protect against ransomware
What you need to know
• Microsoft 365 Business includes baseline protection against ransomware
• Increase protection by blocking potential ransomware in email
  • Evaluate email attachment types the customer needs to send and receive
  • Evaluate if customers need to receive Office documents that contain macros via email
  • Block file extensions that are commonly used for ransomware
  • Warn users before opening Office file attachments that include macros
• Additional layer of defense with Office 365 ATP
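
The attachment controls from the two slides above (Common Attachment Filter, blocking risky extensions, warning on macro files) can also be set from Exchange Online PowerShell. This is an added example, not part of the original deck; the rule names and the extension lists are constructed samples to be replaced with the types agreed with the customer.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in admin may edit anti-malware policies and mail flow rules.
Connect-ExchangeOnline

# --- Common Attachment Filter on the default anti-malware policy ---
# Constructed sample list; adjust per customer requirements.
$filterTypes = 'ace', 'ani', 'app', 'exe', 'jar', 'reg', 'scr', 'vbe', 'vbs'
Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true -FileTypes $filterTypes

# --- Mail flow rule: reject extensions commonly used to deliver ransomware ---
# Constructed sample list; adjust per customer requirements.
$blockRule = @{
    Name                            = 'Block high-risk attachment extensions'   # hypothetical name
    AttachmentExtensionMatchesWords = 'bat', 'cmd', 'com', 'hta', 'js', 'jse', 'lnk', 'pif', 'wsf', 'wsh'
    RejectMessageReasonText         = 'This attachment type is not allowed by policy.'
}
New-TransportRule @blockRule

# --- Mail flow rule: warn recipients about macro-enabled Office attachments ---
# These extensions are deliberately NOT in the block lists above, so the
# message is delivered with a notification instead of being rejected.
$warnRule = @{
    Name                            = 'Warn on macro-enabled Office attachments'   # hypothetical name
    AttachmentExtensionMatchesWords = 'docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam', 'ppsm', 'sldm'
    GenerateNotification            = 'This message has a macro-enabled Office attachment. Open it only if you were expecting it from this sender.'
}
New-TransportRule @warnRule

# --- Verify what is now in force ---
Get-MalwareFilterPolicy -Identity 'Default' |
    Format-List Name, EnableFileFilter, FileTypes
Get-TransportRule |
    Where-Object { $_.Name -in $blockRule.Name, $warnRule.Name } |
    Format-Table Name, State, Priority -AutoSize
```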

Secure Microsoft 365 Business | Block auto-forwarding externally
What you need to know
• Email forwarding is a common exfiltration technique used by bad actors
  • Can happen without the user’s awareness
• How you can prevent external auto-forwarding
  • Evaluate customer requirements for auto-forwarding email externally
  • If needed, determine which users require it
  • Block auto-forwarding by configuring a mail flow rule
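
One way to carry out the steps on this slide from Exchange Online PowerShell: inventory the forwarding that already exists, then create the mail flow rule. This is an added example, not part of the original deck; the rule name, rejection text and the commented-out exception address are hypothetical.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in admin may read mailboxes and create mail flow rules.
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin or by the user in Outlook on the web)
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward -AutoSize

# 2. Inbox rules that forward or redirect; these are the ones a user rarely notices
$ruleForwards = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$ruleForwards | Format-Table -AutoSize

# 3. Mail flow rule: reject auto-forwarded mail that leaves the organization
$blockForward = @{
    Name                    = 'Block external auto-forwarding'          # hypothetical name
    FromScope               = 'InOrganization'
    SentToScope             = 'NotInOrganization'
    MessageTypeMatches      = 'AutoForward'
    RejectMessageReasonText = 'Automatic forwarding to external addresses is disabled.'
    # ExceptIfFrom          = 'approved.user@contoso.example'           # hypothetical: users who require it
}
New-TransportRule @blockForward

# 4. Confirm the rule exists and is enabled
Get-TransportRule -Identity $blockForward.Name |
    Format-List Name, State, Mode, FromScope, SentToScope, MessageTypeMatches
```

Forwarding found in steps 1 and 2 that nobody can account for is worth reviewing with the mailbox owner before the rule goes live.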

Secure Microsoft 365 Business | Use Office Message Encryption
What you need to know
• Office Message Encryption (OME) is enabled by default in M365B
• Train users to use it
• Two default OME options
  • Do Not Forward
  • Encrypt
• M365B also includes AIP, and those labels/protection are also available
  • Confidential / All Employees
  • Highly Confidential / All Employees
• Recipient experience
  • Office 365 recipients see a restricted alert in the reading pane and open email normally
  • Gmail / Yahoo recipients see a link and must sign in to view
  • Other recipients must request a one-time passcode to view the message in a web browser

Secure Microsoft 365 Business | Protect against phishing attacks
What you need to know
• Microsoft 365 Business includes Office 365 ATP
  • Protect against impersonation-based phishing attacks
  • Protect against other phishing attacks such as credential theft
• Identify high value phish targets
  • CEO, CFO, and other senior leaders
  • Council members or board of directors
• Creating a policy to protect targets

Secure Microsoft 365 Business | Malicious attachment protection
What you need to know
• Attachments detonated in sandbox virtual machines
  • Behavior examined, malicious behaviors blocked
  • Office attachments and executables
  • Various versions of Windows and Office
• Will introduce latency while scanning
  • Option for dynamic delivery of email body while attachments are scanned
  • Ensure users are trained and expectations set
  • Scan times vary, ~60 seconds normal but can be longer
• Must be enabled via policy to work
• Protection extends to files in SharePoint, OneDrive, and Microsoft Teams

Secure Microsoft 365 Business | ATP Safe Links
What you need to know
• Bad actors hide malicious websites in links in email or other files
• Links are often benign initially, then changed on the back end after delivery
• Provides time-of-click verification of web addresses (URLs) in email messages and Office documents
• Very low latency (nearly instantaneous)
• Users will notice rewritten links
  • Train users to set expectations
  • Train users to understand the difference between ATP Safe Links and possible phish
• Create at least two policies
  • Evaluate if all users or specific users should get Safe Links protection
  • Policy to enable Safe Links in Office 365 and client applications
  • Policy to enable Safe Links in Email

Advanced Threat Protection (ATP) | View reports to see how ATP is working
If you are a Microsoft 365 Business global administrator, security administrator, or security reader, you can view reports for Office 365 Advanced Threat Protection (ATP) in the Security & Compliance Center. (Go to Reports > Dashboard.)
ATP reports include:
• Threat protection status report
• ATP Message Disposition report
• ATP File Types report
If there is no data in the report, double check that policies are set up correctly. Organizations must have ATP Safe Links policies and ATP Safe Attachments policies defined in order for ATP protection to be in place.

Advanced Threat Protection (ATP) | Summary
Key Points
Office 365 Advanced Threat Protection (ATP) is included with Microsoft 365 Business subscriptions. It helps to protect organizations from malicious attacks by:
• Scanning email attachments with ATP Safe Attachments
• Scanning web addresses (URLs) in email messages and Office documents with ATP Safe Links
• Identifying and blocking malicious files in online libraries with ATP for SharePoint, OneDrive, and Microsoft Teams
• Checking email messages for unauthorized spoofing with spoof intelligence
• Detecting when someone attempts to impersonate users and an organization's custom domains with ATP anti-phishing capabilities in Office 365

Advanced Threat Protection (ATP) | Summary
What you need to know
Protection through Office 365 ATP is determined by the policies that an organization's security team defines for Safe Links, Safe Attachments, and Anti-Phishing. Reports are available to show how ATP is working for the organization. Companies can also submit suspicious files to Microsoft for analysis.

Data Loss Prevention (DLP)
What is it?
Data loss prevention (DLP) policies help you prevent sensitive information such as credit card numbers, social security numbers, or health records from inadvertently leaking outside your organization.
What you need to know
A DLP policy contains a few basic things:
• Where to protect the content: locations such as Exchange Online, SharePoint Online, and OneDrive for Business sites.
• When and how to protect the content by enforcing rules comprised of:
  • Conditions the content must match before the rule is enforced. For example, look only for content containing Social Security numbers that's been shared with people outside your organization.
  • Actions that you want the rule to take automatically when content matching the conditions is found. For example, block access to the document and send both the user and compliance officer an email notification.
[Diagram: a data loss prevention policy consists of the locations to apply the policy and rules 1 to n, each with its own conditions and actions.]

Data Loss Prevention (DLP) | How to implement
Create a DLP Policy from a template
• Go to https://protection.office.com
• Sign into Office 365
• In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy
• Choose the DLP policy template that protects the types of sensitive information that you need and name the policy
Send email notifications and show policy tips for DLP policies
• Send an email notification when someone is working with content that conflicts with a DLP policy
• Display a policy tip for content that conflicts with the DLP policy
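
The policy structure described above (locations, then rules made of conditions and actions) maps directly onto Security & Compliance PowerShell. This is an added example, not part of the original deck, built from the slide's own scenario of Social Security numbers shared outside the organization; the policy and rule names and the compliance officer address are hypothetical, and starting in test mode is an assumption of this example.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in admin holds a compliance role that can manage DLP policies.
Connect-IPPSSession

$policyName = 'SSN shared externally'          # hypothetical name

# WHERE: the locations the policy protects.
# Assumption: start in test mode so matches are reported and tips are shown
# before anything is blocked for real.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# WHEN and HOW: one rule = conditions + actions.
$rule = @{
    Name   = 'Block externally shared SSN'     # hypothetical name
    Policy = $policyName

    # Conditions: content contains a U.S. SSN AND is shared outside the organization
    ContentContainsSensitiveInformation = @{ Name = 'U.S. Social Security Number (SSN)' }
    AccessScope                         = 'NotInOrganization'

    # Actions: block access, email the user and the compliance officer, show a policy tip
    BlockAccess               = $true
    NotifyUser                = 'LastModifier', 'compliance.officer@contoso.example'   # hypothetical address
    NotifyPolicyTipCustomText = 'This content appears to contain Social Security numbers and cannot be shared externally.'
}
New-DlpComplianceRule @rule

# Review what was created
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, NotifyUser

# After reviewing the DLP reports, switch the policy from test to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```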

Data Loss Prevention (DLP) | How to implement (cont.)
Create a DLP policy to protect documents with FCI or other properties
• Create a process to identify and classify sensitive information by using the classification properties in Windows Server File Classification Infrastructure (FCI).
View the reports for data loss prevention
• Use the DLP reports in the Office 365 Security & Compliance Center to verify that the policies are working as you intended and helping you to stay compliant.

Azure Information Protection (AIP)
What is it?
Azure Information Protection (AIP) is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails.
What you need to know
• AIP works by classifying data based on sensitivity. You configure policies to classify, label, and protect data based on its sensitivity.
• Classification and protection information follows the data, ensuring it remains protected regardless of where it’s stored or who it’s shared with.
• You can define who can access data and what they can do with it, such as allowing them to view and edit files, but not print or forward.
• AIP is turned on with a default set of labels in M365 Business.

Azure Information Protection (AIP) | Data Classification beyond the basics: how to start?
• IT: Required technology; technical capabilities and limitations
• Legal: What regulations apply to my organization? Translate the regulation into customer-specific requirements
• Business: Provides insight into business processes and needs. Does it fit, is it workable? Test & validate
[Diagram labels: Legal requirements, Business requirements, IT requirements, Taxonomy, Policies, Labels, Conditions, Sensitive Data Types]

Azure Information Protection (AIP) | How to implement
Verify Azure Information Protection is enabled
• Sign in to the Azure portal
• Select All services, and then, in the search box, type Azure Information Protection
• Click the star icon next to Azure Information Protection to mark it as a favorite
• Select Azure Information Protection
• Select Protection activation to ensure protection status is activated

Azure Information Protection (AIP) | How to implement (cont.)
View the Azure Information Protection policy
• In the Azure Portal, select classifications > Labels
• Notice the default labels created by the service
• Click on one of the labels to view available options
• Consider if you need to change default labels

Azure Information Protection (AIP) | How to implement (cont.)
View the Azure Information Protection policy
• In the Azure Portal, select classifications > Policies > Global
• Consider if you may need to change the default policy or create policies scoped to different sets of users

Azure Information Protection (AIP) | How to implement (cont.)
Install the Client manually
• Download AzInfoProtection.exe from the Microsoft download center
• Verify the installation by opening a new, blank Word document
Validate Classification, Labeling, and Protections
• Validate that you can change the default label
Run a Test Document

Azure Information Protection (AIP) | How to automate client installation with Intune
• Download the .msi version of the Azure Information Protection client from the Microsoft download center
• Ensure the update for Microsoft Office 2016 (KB3178666) is installed on devices not using up-to-date Office Click-to-Run installs
• Sign into the Azure Portal at https://portal.azure.com

Azure Information Protection (AIP) | How to automate client installation with Intune
Add App to Intune
• Client apps > Apps > Add
• App type: Line-of-business app
• App package file: AZInfoProtection_MSI_for_central_deployment.msi
• Description: Azure Information Protection client
• Publisher: Microsoft
• Category: Business, Productivity
• Command-line arguments: /quiet
• Wait for the app to upload and show ready in Intune