O365 Security Overview

Office 365 is a popular cloud-based productivity suite that offers many benefits for businesses of all sizes. However, with great power comes great responsibility. As an O365 administrator, you need to ensure that your organization’s data and users are protected from cyber threats and unauthorized access. In this blog post, we will share the top 5 security settings in O365 that you should configure to enhance your security posture and reduce your risk exposure; they should help you get started on your path towards a more secure cloud.

1. Enable multi-factor authentication (MFA). MFA is a simple but effective way to prevent account compromise by requiring users to provide an additional factor of authentication besides their password, such as a code sent to their phone or email, or a biometric verification. MFA can stop attackers from accessing your O365 account even if they have your password. You can enable MFA for all users or specific groups in the Azure Active Directory portal.

2. Set up conditional access policies. Conditional access policies allow you to control who can access what resources in O365 based on certain conditions, such as location, device, app, or risk level. For example, you can block access to O365 from untrusted locations or devices, or require MFA for high-risk sign-ins. You can create and manage conditional access policies in the Azure Active Directory portal.

3. Configure data loss prevention (DLP) policies. DLP policies help you prevent sensitive data from leaving your organization or being shared with unauthorized parties. You can define what types of data are sensitive, such as credit card numbers, social security numbers, or health records, and what actions are allowed or blocked when such data is detected in O365 apps, such as Outlook, SharePoint, OneDrive, or Teams. You can create and manage DLP policies in the Microsoft 365 compliance center.

4. Enable audit logging and alerts. Audit logging and alerts help you monitor and respond to suspicious or malicious activities in your O365 environment. You can view and search audit logs for various events, such as user sign-ins, file downloads, mailbox access, password changes, or admin actions. You can also set up alerts to notify you when certain events occur, such as a user logging in from an unusual location or a file containing sensitive data being shared externally. You can access audit logs and alerts in the Microsoft 365 security center.

5. Review and update your security settings regularly. Security is not a one-time task but an ongoing process. You should review and update your security settings regularly to keep up with the changing threat landscape and best practices. You can use the Microsoft Secure Score tool to assess your current security posture and get recommendations on how to improve it. You can also use the Microsoft Security Roadmap to plan and prioritize your security initiatives. You can access both tools in the Microsoft 365 security center.

These are some of the most important security settings in O365 that you should configure to protect your organization’s data and users. By following these steps, you can enhance your security posture and reduce your risk exposure in the cloud.

Deciding on Microsoft Intune


Many companies are trying to figure out how to handle mobile device management at their business. Many will buy a product that performs some or all of the functions they need, or at least the functions they think they need. As their needs mature or as requirements change, they may need to move to a different product. I think the full-featured product that many companies need is Microsoft Endpoint Management, also known as Microsoft Intune. Intune is Microsoft’s answer to mobile-device management for Windows-centric companies, and it is very simple to use.

Intune will allow you to enroll all your Windows 10, macOS, iPadOS, and Android devices. Once a device is enrolled, it can be configured, applications can be installed, and devices can be wiped when they no longer need to be managed.

As you can imagine, effective configuration and application management across all business devices, including advanced security settings on multiple operating systems, using one powerful and easy-to-use interface will make support and training much easier, and your business will save money and time.

It is a popular and cost-effective cloud-based tool that gives all employees access to corporate applications on their assigned endpoint, along with conditional access to corporate data. It simplifies the deployment of those settings, applications, and access to sensitive data, so you can easily support hundreds or even thousands of employees with very little hands-on work by your technology team.

If your technology team buys and manually builds laptops as you hire new employees, you already know how difficult, time consuming, and manual that process can be, even if you have automated some of the steps. Need to deploy a new application to all employees? Simple: just send someone to every user so they can install the software from a network share or flash drive. Maybe you have automated some of these steps and deploy the new software via GPO? How long does it take for your remote workforce to finally make a VPN connection to the corporate network and receive the new software? How easy is it to determine who is still missing the new software package or has installation errors?

  • How easy would it be to implement 10-20 new security settings on all your users’ laptops overnight?
  • How easy will it be to remove software they aren’t supposed to have installed, even if you can detect it exists on their laptop?
  • Do you have an accurate and up-to-date asset inventory of user laptops and what software is actually installed?
  • Are you able to detect missing patches to the OS and all the installed software for every user?
  • Can you make sure users are even trying to install patches on their laptops?

Remote workers that never connect to the corporate network make this management process even more difficult.

Do you have a solution to this issue? I think Microsoft Intune may be the solution to your problem, and it may already be included in your O365 licensing.

Let’s talk about some of the reasons I like Microsoft Intune.


Using Microsoft Intune to Secure Windows 10

Microsoft Endpoint Management (Microsoft Intune) is a service available as part of the traditional O365 environment that allows a business to enroll and configure its Windows 10 devices (as well as macOS, iOS, and Android devices), centrally managing corporate devices while ensuring that they meet your basic compliance requirements.

The basic approach to cloud management of your Windows 10 devices is quite simple, but it can take a little work to get the pieces into place.

  1. Enroll new devices so that, once you take a new laptop out of the box, your users log directly into the device with their standard network login and the device is enrolled into Endpoint Management. This is how your devices will be managed and configured, and it will take a little bit of work to set up.
  2. Configure new devices so that your preferred settings are detected and applied during the initial enrollment. This can be a few settings or hundreds of specific settings, depending on how detailed you want your configuration to be, and the settings applied can be targeted by Azure AD group, so some devices can be configured differently than others.
  3. Require that specific settings be applied before a device is considered “compliant”. Compliance state shows you how secure a device is or isn’t, which lets you target specific devices for remediation.
  4. Download software directly onto the device, which can make software deployment almost effortless, software inventory easier, and may significantly reduce user complaints.
  5. Configure Windows Update to automatically update the Windows 10 endpoint, which will help avoid a missing patch from causing security headaches later.

Configuration Policy – Endpoint Security

Click on the Devices option, then select Configuration Policies, then select Create new policy. For the platform, select Windows 10 and later; for the profile, select Endpoint Protection. Set a name for your policy, such as “Windows Security Configuration”.

Microsoft Defender Smart Screen

  • SmartScreen for apps and files: Enable

Interactive Logon

  • Minutes of lock screen inactivity until screen saver initiates: 15
  • Require CTRL + ALT + DEL to log on: Enable

Local device security options

Accounts

  • Guest account: Block
  • Guest Account: Rename
  • Administrator Account: Rename

Network access and security

  • Anonymous access to Named Pipes and Shares: Block
  • Anonymous enumeration of SAM accounts: Block
  • Anonymous enumeration of SAM accounts and shares: Block
  • LAN Manager hash value stored on password change: Block
  • Insecure Guest logons: Block

User Account Control

  • Elevated prompt for app installations: Enabled
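As an added example (not code from the original post), the following PowerShell script audits a Windows 10 device for the Endpoint Protection settings listed above by reading the registry values that back each local Windows security policy. The registry paths are the standard policy locations for these settings; the mapping from the Intune setting names to those values is an assumption, and the 15-minute inactivity limit is compared in seconds.

```powershell
# Added example, not part of the original post. Assumes the Intune setting names
# map onto the standard Windows registry-backed policies used below; run elevated.
$checks = @(
    @{ Name='SmartScreen for apps and files';               Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                Value='EnableSmartScreen';        Expected=1 },
    @{ Name='Machine inactivity limit (15 min = 900 s)';    Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value='InactivityTimeoutSecs';    Expected=900 },
    @{ Name='Require CTRL+ALT+DEL (DisableCAD = 0)';        Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value='DisableCAD';               Expected=0 },
    @{ Name='Anonymous access to named pipes and shares';   Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value='RestrictNullSessAccess';   Expected=1 },
    @{ Name='Anonymous enumeration of SAM accounts';        Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Value='RestrictAnonymousSAM';     Expected=1 },
    @{ Name='Anonymous enumeration of SAM accounts/shares'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Value='RestrictAnonymous';        Expected=1 },
    @{ Name='LAN Manager hash not stored';                  Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Value='NoLMHash';                 Expected=1 },
    @{ Name='Insecure guest logons blocked';                Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';     Value='AllowInsecureGuestAuth';   Expected=0 },
    @{ Name='UAC elevated prompt for app installations';    Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value='EnableInstallerDetection'; Expected=1 }
)

function Test-EndpointSetting {
    param([hashtable]$Check)
    # A missing value means the policy was never applied, so it counts as non-compliant.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = $actual
        Compliant = ($null -ne $actual -and [int]$actual -eq $Check.Expected)
    }
}

$results = foreach ($c in $checks) { Test-EndpointSetting -Check $c }

# The account settings are read from the local SAM rather than the registry:
# RID 500 is the built-in Administrator and RID 501 the built-in Guest, whatever their names.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$results += [pscustomobject]@{ Setting='Administrator account renamed'; Expected='not Administrator'; Actual=$admin.Name;    Compliant=($admin.Name -ne 'Administrator') }
$results += [pscustomobject]@{ Setting='Guest account renamed';         Expected='not Guest';         Actual=$guest.Name;    Compliant=($guest.Name -ne 'Guest') }
$results += [pscustomobject]@{ Setting='Guest account disabled';        Expected=$false;              Actual=$guest.Enabled; Compliant=(-not $guest.Enabled) }

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
Write-Host "$failed of $($results.Count) settings are non-compliant"
```

Running it before and after the device picks up the profile gives a quick way to confirm the policy actually landed on the endpoint, independent of what the Intune portal reports.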

Compliance Policy

Click on the Devices option, then select Compliance Policies, then select Create new policy. For the platform, select Windows 10 and later. Set a name for your policy, such as “Windows Security Compliance”.

Device Health

  • Require Bitlocker: Require

System Security

  • Require a password to unlock mobile devices: Require
  • Password type: Device default
  • Minimum password length: 8

Device Security

  • Firewall: Required
  • Trusted Platform Module (TPM): Required
  • Antivirus: Required
  • Antimalware: Required

Defender

  • Microsoft Defender Antimalware: Required
  • Microsoft Defender Antimalware security intelligence up-to-date: Required
  • Real-time protection: Required
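As an added example (not code from the original post), this PowerShell function pre-checks the compliance conditions listed above on the local device using built-in cmdlets. The actual compliance verdict is computed by the Intune service; this only shows what that evaluation will find on the endpoint. The 7-day threshold for "security intelligence up-to-date" is an assumption, as is reading the minimum password length from `net accounts`.

```powershell
# Added example, not part of the original post: local pre-check of the compliance
# policy conditions using built-in cmdlets. Run in an elevated PowerShell session.
function Get-LocalComplianceReport {
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $fw  = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Minimum password length comes from the local account policy via 'net accounts'
    # (assumed parsing of its "Minimum password length:   N" line).
    $minLen = 0
    $line = net accounts 2>$null | Select-String 'Minimum password length'
    if ($line -and ("$line" -match '(\d+)\s*$')) { $minLen = [int]$Matches[1] }

    [ordered]@{
        'BitLocker protecting system drive'       = ($null -ne $bde -and "$($bde.ProtectionStatus)" -eq 'On')
        'Minimum password length >= 8'            = ($minLen -ge 8)
        'Firewall enabled on all profiles'        = ($null -ne $fw -and @($fw | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0)
        'TPM present and ready'                   = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        'Defender antimalware service running'    = ($null -ne $mp -and $mp.AMServiceEnabled)
        'Antivirus enabled'                       = ($null -ne $mp -and $mp.AntivirusEnabled)
        'Antispyware (antimalware) enabled'       = ($null -ne $mp -and $mp.AntispywareEnabled)
        'Security intelligence up to date (<7 d)' = ($null -ne $mp -and $mp.AntivirusSignatureAge -lt 7)   # 7 days is an assumed threshold
        'Real-time protection on'                 = ($null -ne $mp -and $mp.RealTimeProtectionEnabled)
    }
}

$report = Get-LocalComplianceReport
foreach ($k in $report.Keys) {
    $state = if ($report[$k]) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-42} {1}" -f $k, $state)
}
if ($report.Values -contains $false) {
    Write-Host 'Device would be marked NOT compliant by this policy'
} else {
    Write-Host 'Device meets all checked compliance conditions'
}
```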

Windows 10 Update rings

Click on the Devices option, then select Windows 10 update rings, then select Create profile, set a name for your policy, such as “Windows Update Configuration”.

  • Servicing channel: Semi-annual
  • Microsoft product updates: Allow
  • Windows drivers: Allow
  • Quality update deferral period (days): 3
  • Feature update deferral period (days): 3
  • Automatic update behavior: Auto install at maintenance time
  • Active hours start: 8 am
  • Active hours end: 8 pm
  • Restart checks: Allow
  • Option to pause Windows updates: Disable

You can also create other Configuration Profiles to enforce various policies that you may be using GPO policies to enforce today, like various network settings, Windows Defender Firewall settings, renaming the local administrator account, disabling the guest account, etc. You can also create Apps, which allows you to install various software directly to the enrolled device.

Once you start working with Endpoint Manager (Intune) you will see the enormous potential that cloud management brings to your environment.
