In today's cloud-focused IT, it's more important than ever to stay ahead of the bad guys when it comes to security. A good security posture is key to protecting company data, and to know that we actually have a good security posture we need tools to measure it.
The CIS Microsoft 365 Foundations Benchmark
The Center for Internet Security (CIS) is a nonprofit organization set out to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace”.
CIS provides free benchmarks in PDF format for many different platforms like Linux, Windows Desktop, Windows Server, VMware and now cloud providers.
They recently announced, in partnership with Microsoft, the CIS Microsoft 365 Foundations Benchmark, which helps you get the most important security settings in place in Microsoft 365. It provides guidance for establishing a secure configuration posture for Microsoft 365 regardless of the operating system your users run.
The benchmark is divided into seven sections with a total of around 60 recommendations.
You can find a list of all recommendations in the CIS Microsoft 365 Foundations Benchmark below.
Altitude 365 can help you perform this benchmark to understand how secure your Microsoft 365 tenant is and what you can do to improve. Feel free to contact me with questions about the benchmark or the Microsoft cloud in general.
The Benchmark Content
Account / Authentication
Recommendations related to setting the appropriate account and authentication policies.
- Ensure multifactor authentication is enabled for all users in administrative roles.
- Ensure multifactor authentication is enabled for all users in all roles.
- Ensure that between two and four global admins are designated.
- Ensure self-service password reset is enabled.
- Ensure modern authentication for Exchange Online is enabled.
- Ensure modern authentication for SharePoint applications is required.
- Ensure modern authentication for Skype for Business Online is enabled.
- Ensure that Office 365 Passwords Are Not Set to Expire.
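As an added example (not from the benchmark PDF or the blog author), here is a read-only check of three of the recommendations above: the Global Administrator count, MFA registration for admins and for all users, and the password expiry setting. It uses the Microsoft Graph PowerShell SDK, which is an assumption on my part; the benchmark itself documents portal steps. The registration-details report it reads requires an Azure AD Premium licence, and the account running it needs the scopes requested in the connect line.

```powershell
# Added example, not from the CIS benchmark PDF or the blog author: a read-only
# check of three Account / Authentication recommendations using the Microsoft
# Graph PowerShell SDK. Assumes the Microsoft.Graph modules are installed and
# that the signed-in account holds the scopes requested below.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# Global Administrator count: at least two (no single point of failure) and at
# most four (a small, reviewable blast radius).
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaCount = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Count
if ($gaCount -lt 2 -or $gaCount -gt 4) {
    $findings.Add("Global Administrators: $gaCount (benchmark expects between 2 and 4)")
}

# MFA registration state per user, from the authentication-methods report
# (requires Azure AD Premium).
$noMfa = @{}
foreach ($r in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
    if (-not $r.IsMfaRegistered) { $noMfa[$r.UserPrincipalName] = $true }
}

# Every member of every activated directory role must be MFA-registered.
# Role members can be users, groups or service principals; only users carry a UPN,
# so group-based assignments are not expanded here.
$adminUpns = foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $m.AdditionalProperties['userPrincipalName']
    }
}
$adminsNoMfa = @($adminUpns | Where-Object { $_ -and $noMfa.ContainsKey($_) } | Sort-Object -Unique)
foreach ($upn in $adminsNoMfa) { $findings.Add("Admin role member without MFA registered: $upn") }

# The stricter recommendation, MFA for all users, reported as a count.
if ($noMfa.Count -gt 0) {
    $findings.Add("Users without MFA registered: $($noMfa.Count) (of which $($adminsNoMfa.Count) hold admin roles)")
}

# Password expiry: 2147483647 days is the value Azure AD stores for "never expires".
# Federated domains may report no value at all and are skipped.
foreach ($d in Get-MgDomain | Where-Object { $_.IsVerified }) {
    if ($null -ne $d.PasswordValidityPeriodInDays -and $d.PasswordValidityPeriodInDays -ne 2147483647) {
        $findings.Add("Domain $($d.Id): passwords expire after $($d.PasswordValidityPeriodInDays) days")
    }
}

if ($findings.Count -eq 0) { 'All checked recommendations pass' } else { $findings }
```

The script only reads; remediation (adding a Global Administrator, enforcing MFA through Conditional Access, or `Update-MgDomain` with `-PasswordValidityPeriodInDays 2147483647`) is deliberately left to a reviewed change.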
Application Permissions
Recommendations related to the configuration of application permissions within Microsoft 365.
- Ensure third party integrated applications are not allowed (User Settings > No App Registrations).
- Ensure calendar details sharing with external users is disabled.
- Ensure O365 ATP SafeLinks for Office Applications is Enabled.
- Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled (blocks malicious files).
Data Management
Recommendations for setting data management policies.
- Ensure the customer lockbox feature is enabled.
- Ensure SharePoint Online data classification policies are set up and used.
- Ensure external domains are not allowed in Skype or Teams.
- Ensure DLP policies are enabled.
- Ensure that external users cannot share files, folders, and sites they do not own.
- Ensure external file sharing in Teams is enabled for only approved cloud storage services.
Email security/Exchange Online
Recommendations related to the configuration of Exchange Online and email security.
- Ensure the Common Attachment Types Filter is enabled.
- Ensure Exchange Online Spam Policies are set correctly.
- Ensure mail transport rules do not forward email to external domains.
- Ensure mail transport rules do not whitelist specific domains.
- Ensure the Client Rules Forwarding Block is enabled.
- Ensure the Advanced Threat Protection Safe Links policy is enabled.
- Ensure the Advanced Threat Protection Safe Attachments policy is enabled.
- Ensure basic authentication for Exchange Online is disabled.
- Ensure that an anti-phishing policy has been created.
- Ensure that DKIM is enabled for all Exchange Online Domains.
- Ensure that SPF records are published for all Exchange Domains.
- Ensure DMARC Records for all Exchange Online domains are published.
- Ensure notifications for internal users sending malware are enabled.
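As an added example (again not from the benchmark PDF or the blog author), the following script audits most of the Exchange Online recommendations above, plus the Exchange modern authentication item from the Account / Authentication section, with the ExchangeOnlineManagement module and DNS lookups. The choice of cmdlets and the thresholds (one SPF record ending in `-all`, DMARC stricter than `p=none`) are my assumptions; the benchmark only requires that the records are published. Safe Links and Safe Attachments cmdlets exist only in tenants licensed for ATP (Defender for Office 365), and `Resolve-DnsName` comes from the Windows DnsClient module.

```powershell
# Added example, not from the CIS benchmark PDF or the blog author: read-only
# checks for the Exchange Online email security recommendations using the
# ExchangeOnlineManagement module. Assumes an account with at least the
# View-Only Organization Management role and Resolve-DnsName (DnsClient module).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

function Get-TxtRecords([string]$Name) {
    # One string per TXT record; multi-string records are concatenated.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
}

# 1. Modern authentication on, and no authentication policy that still permits basic auth.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    $findings.Add('Modern authentication (OAuth2ClientProfileEnabled) is disabled')
}
$authPolicies = @(Get-AuthenticationPolicy)
if ($authPolicies.Count -eq 0) { $findings.Add('No authentication policy exists to block basic authentication') }
foreach ($p in $authPolicies) {
    $allowed = $p.PSObject.Properties | Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }
    if ($allowed) { $findings.Add("Authentication policy '$($p.Name)' still allows: $($allowed.Name -join ', ')") }
}

# 2. SPF, DKIM and DMARC for every custom accepted domain.
$domains = Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }
foreach ($d in $domains) {
    $name = $d.DomainName.ToString()
    $spf = @(Get-TxtRecords $name | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -ne 1)                { $findings.Add("${name}: expected exactly one SPF record, found $($spf.Count)") }
    elseif ($spf[0] -notmatch '\s-all$') { $findings.Add("${name}: SPF does not end with -all: $($spf[0])") }

    $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    if (-not $dkim -or -not $dkim.Enabled) { $findings.Add("${name}: DKIM signing is not enabled") }

    $dmarc = @(Get-TxtRecords "_dmarc.$name" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 0)           { $findings.Add("${name}: no DMARC record published") }
    elseif ($dmarc[0] -match 'p=none') { $findings.Add("${name}: DMARC policy is p=none (monitor only)") }
}

# 3. Transport rules: no delivery to external recipients, no sender-domain whitelisting (SCL -1).
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
foreach ($rule in Get-TransportRule) {
    # Recipient actions are assumed to render as SMTP addresses (true for REST-based cmdlets).
    $targets  = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) + @($rule.AddToRecipients) + @($rule.CopyTo) |
                Where-Object { $_ } | ForEach-Object { $_.ToString().ToLower() }
    $external = @($targets | Where-Object { ($_ -split '@')[-1] -notin $internal })
    if ($external.Count -gt 0) {
        $findings.Add("Transport rule '$($rule.Name)' delivers mail to external recipients: $($external -join ', ')")
    }
    if ($rule.SenderDomainIs -and $rule.SetSCL -eq -1) {
        $findings.Add("Transport rule '$($rule.Name)' bypasses spam filtering for: $($rule.SenderDomainIs -join ', ')")
    }
}

# 4. Client-side forwarding blocked at the tenant boundary.
if ((Get-RemoteDomain Default).AutoForwardEnabled) {
    $findings.Add("Remote domain 'Default' allows automatic forwarding to the internet")
}
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    if ($p.AutoForwardingMode -ne 'Off') {
        $findings.Add("Outbound spam policy '$($p.Name)': AutoForwardingMode is $($p.AutoForwardingMode)")
    }
}

# 5. Malware filter, Safe Links / Safe Attachments, anti-phishing.
foreach ($p in Get-MalwareFilterPolicy) {
    if (-not $p.EnableFileFilter) { $findings.Add("Malware policy '$($p.Name)': common attachment types filter is off") }
    if (-not $p.EnableInternalSenderAdminNotifications) { $findings.Add("Malware policy '$($p.Name)': no admin notification for internal senders of malware") }
}
if (-not (Get-SafeLinksRule -ErrorAction SilentlyContinue | Where-Object State -eq 'Enabled'))      { $findings.Add('No enabled Safe Links rule') }
if (-not (Get-SafeAttachmentRule -ErrorAction SilentlyContinue | Where-Object State -eq 'Enabled')) { $findings.Add('No enabled Safe Attachments rule') }
if (-not (Get-AntiPhishPolicy | Where-Object Enabled)) { $findings.Add('No enabled anti-phishing policy') }

if ($findings.Count -eq 0) { 'All checked recommendations pass' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

Two things worth knowing when reading the output: the DNS checks resolve from wherever you run the script, so a split-horizon resolver can hide a missing public record, and a transport rule that forwards to an external address is only a finding if that address is outside every accepted domain, which is why the comparison is done against the full accepted-domain list rather than the primary domain alone.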
Auditing
Recommendations for setting auditing policies on your Microsoft 365 tenant.
- Ensure Microsoft 365 audit log search is Enabled.
- Ensure mailbox auditing for all users is Enabled.
- Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly.
- Ensure the Application Usage report is reviewed at least weekly.
- Ensure the self-service password reset activity report is reviewed at least weekly.
- Ensure user role group changes are reviewed at least weekly.
- Ensure mail forwarding rules are reviewed at least weekly.
- Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly.
- Ensure the Malware Detections report is reviewed at least weekly.
- Ensure the Account Provisioning Activity report is reviewed at least weekly.
- Ensure non-global administrator role group assignments are reviewed at least weekly.
- Ensure the spoofed domains report is reviewed weekly.
- Ensure Microsoft 365 Cloud App Security is Enabled.
- Ensure the report of users who have had their email privileges restricted due to spamming is reviewed.
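Most of the items above are "review this report weekly", which is easier to sustain as a script than as a calendar reminder. The following added example (mine, not the benchmark's or the blog author's) checks that the audit log and mailbox auditing are on, and then pulls a week of the data behind four of the review items: mailbox forwarding, inbox forwarding rules, role membership changes and account provisioning. It assumes the ExchangeOnlineManagement module and an account allowed to search the unified audit log; the operation names passed to `Search-UnifiedAuditLog` are the ones Azure AD writes to the log, trailing period included.

```powershell
# Added example, not from the CIS benchmark PDF or the blog author: a weekly
# auditing review with the ExchangeOnlineManagement module. Read-only apart from
# the commented-out remediation line. Assumes an account that can read mailbox
# configuration and search the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()
$now   = Get-Date
$since = $now.AddDays(-7)   # the benchmark asks for at least a weekly review

# 1. Unified audit log ingestion and organization-level mailbox auditing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log search is off (fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true)')
}
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is disabled for the organization (fix: Set-OrganizationConfig -AuditDisabled $false)')
}

# 2. Per-mailbox auditing, which is what the benchmark item checks.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($m in ($mailboxes | Where-Object { -not $_.AuditEnabled })) {
    $findings.Add("Mailbox auditing off: $($m.UserPrincipalName)")
    # Remediation once reviewed: Set-Mailbox -Identity $m.Identity -AuditEnabled $true
}

# 3. Weekly review: mailbox-level forwarding and inbox rules that forward or redirect.
#    Both are how an attacker keeps reading a mailbox after the password is reset.
foreach ($m in $mailboxes) {
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        $findings.Add("Mailbox forwarding: $($m.UserPrincipalName) -> $($m.ForwardingSmtpAddress)$($m.ForwardingAddress)")
    }
    # One call per mailbox: slow on large tenants, but it is the authoritative view.
    $rules = Get-InboxRule -Mailbox $m.UserPrincipalName -ErrorAction SilentlyContinue |
             Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $to = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $findings.Add("Inbox rule '$($rule.Name)' in $($m.UserPrincipalName) forwards to: $($to -join ', ')")
    }
}

# 4. Weekly review: role membership changes and account provisioning from the unified audit log.
#    Search-UnifiedAuditLog returns at most 5000 results per call; page with -SessionCommand
#    ReturnLargeSet if a week of your tenant's activity exceeds that.
$ops    = 'Add member to role.', 'Add user.'
$events = Search-UnifiedAuditLog -StartDate $since -EndDate $now -RecordType AzureActiveDirectory `
              -Operations $ops -ResultSize 5000
foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    $findings.Add("$($e.CreationDate.ToString('u')) $($e.Operations) by $($data.UserId) on $($data.ObjectId)")
}

if ($findings.Count -eq 0) { 'Nothing to review this week' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

Run it weekly and keep the output: the forwarding and role-change lines are exactly the events you want a trail for when you later investigate a compromised account.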
Storage
Recommendations for securely configuring storage policies.
- Ensure document sharing is being controlled by domains with whitelist or blacklist.
- Ensure expiration time for external sharing links is set.
Mobile Device Management
Recommendations for managing devices connecting to Microsoft 365.
- Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks.
- Ensure that mobile device password reuse is prohibited.
- Ensure that mobile devices are set to never expire passwords.
- Ensure that users cannot connect from devices that are jail broken or rooted.
- Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise.
- Ensure that settings are enabled to lock mobile devices after a period of inactivity to prevent unauthorized access.
- Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data.
- Ensure that mobile devices require complex passwords to prevent brute force attacks.
- Ensure that devices connecting have AV and a local firewall enabled (Windows 10).
- Ensure mobile device management policies are required for email profiles.
- Ensure mobile devices require the use of a password.