Getting started with Microsoft Defender for Office 365 - Security templates style!

Source credits: Microsoft

This one has been long coming and I am glad that I have finally been able to implement Defender for Office 365 in my tenant and write about it.

Implementing Defender for Office 365 may seem like a herculean task, and while it can involve many moving parts, organizations can actually set it up quickly using the preset security policies and build on them from there.

What are preset security policies?

Preset security policies are Microsoft's recommended starting point for any customer's security configuration. As with any change, it is important to understand the potential impact first. They provide a simplified way to apply all of the recommended anti-spam, anti-malware, and anti-phishing policies to users across your organization. As Microsoft adds new threat protection capabilities, the preset policies automatically stay up to date and keep enforcing the evolving recommended settings. More importantly, for organizations looking to reduce admin work, the preset security policy templates are a perfect way to achieve that.

At the time of writing, there are 2 preset templates to choose from:

Standard preset - This security policy incorporates Microsoft's general recommendations and best practices, and is recommended as the starting point for most organizations to apply to all recipients.

Strict preset - This security policy takes a more aggressive approach to keeping unwanted content out of mailboxes, with an emphasis on quarantining threats, including spam and bulk mail, and is recommended for highly targeted organizations/individuals.

What are the prerequisites?

- Permissions: Global Administrator or Security Administrator in Microsoft Entra ID.
- Licensing: Users must be licensed for Defender for Office 365 (Plan 1 or Plan 2).
- Email Authentication: It is highly recommended to configure SPF, DKIM, and DMARC DNS records for your custom domains for improved spoofing protection before enabling policies.
Note: If you are using only the default onmicrosoft.com domain, Microsoft automatically handles the basic SPF and DKIM setup for you, so you do not need to perform manual configuration for these two records. However, for comprehensive protection and control over how receiving email systems handle unauthenticated mail, you should still manually configure a DMARC record for the onmicrosoft.com domain, like I did for my own tenant.

Configuring the DMARC record

Let's start by configuring the DMARC record and then also validating it.

1. Sign in to the Microsoft 365 admin center and go to the Domains page.
2. In the left-hand navigation pane, select Show all, then expand Settings, and select Domains.


3. On the Domains page, select your *.onmicrosoft.com domain from the list.
4. Add a new DNS record.
5. On the domain details page that opens, select the DNS records tab, and then select + Add record.
6. Configure the DMARC TXT record. The policy tag (p=) is the value to pay attention to:

p=none: This policy monitors your email traffic and provides reports without taking any action on emails that fail authentication. This is the recommended starting point for monitoring.

p=quarantine: Emails failing authentication are moved to the recipient's spam/junk folder.

p=reject: Emails failing authentication are blocked entirely. This is the most secure option once you are confident all legitimate email sources are correctly authenticated.

7. Save the record.

Propagation of the DNS record across the internet can take 2-3 hours. Once it has propagated, the record can be validated for free with MXToolbox.
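Before pasting the value into the admin center, or after looking it up once it has propagated, a small checker catches the mistakes that would make receivers ignore the record. This is an added example, not code from the original post or from Microsoft; the sample records are constructed and the domain in them is a placeholder.

```python
"""Sanity-check a DMARC TXT value before pasting it into the admin center.
Added example, not Microsoft's or the post's code; sample records are constructed."""
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> tuple:
    """Return (errors, warnings); any error means receivers ignore the record."""
    errors, warnings = [], []
    tags = parse_dmarc(record)
    # v=DMARC1 must be the first tag, otherwise receivers treat it as not DMARC.
    if record.strip().split(";", 1)[0].replace(" ", "").lower() != "v=dmarc1":
        errors.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if not policy:
        errors.append("required tag p= is missing")
    elif policy not in VALID_POLICIES:
        errors.append(f"unknown policy p={policy}; use none, quarantine or reject")
    elif policy == "none":
        warnings.append("p=none only monitors; mail failing DMARC is still delivered")
    if tags.get("sp", "none").lower() not in VALID_POLICIES:
        errors.append(f"unknown subdomain policy sp={tags['sp']}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        errors.append(f"pct must be an integer 0-100, got {pct!r}")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        warnings.append(f"pct={pct}: only that share of failing mail gets p={policy}")
    # Without rua= no aggregate reports arrive, so a p=none rollout tells you nothing.
    if "rua" not in tags:
        warnings.append("no rua= tag: receivers will not send aggregate reports")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        errors.append("every rua= URI must use the mailto: scheme")
    return errors, warnings

if __name__ == "__main__":  # constructed samples; the domain is a placeholder
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@contoso.onmicrosoft.com",
                "p=reject; v=DMARC1", "v=DMARC1; p=quarantine; pct=50; rua=dmarc@x.test"):
        print(rec, "->", check_dmarc(rec))
```

The checker only validates the record text; it does not perform the DNS lookup, so pair it with the MXToolbox check for the published value.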


Enable and Configure Defender for Office 365 Standard Template

Now the good stuff.

1. Sign in to the Microsoft Defender portal.
2. In the left-hand navigation pane, expand Email & collaboration, then select Policies & rules > Threat policies. Under the Template policies section, select Preset Security Policies.


3. On the Preset security policies page, you will see options for Standard protection and Strict protection. Under Standard protection, slide the toggle switch to On. Note: The toggle for me was grayed out so I had to click on Manage protection settings.


4. On the Apply Exchange Online Protection page, select All recipients to apply the default email protections for all users in your organization (recommended). Alternatively, you can select specific recipients to manually select users, groups, or domains to be exempted from the policy.

5. Configure Defender for Office 365 Protection by selecting Previously selected recipients to use the same recipients from the previous step, or select specific recipients if needed.

6. Configure Impersonation Protection (optional but recommended). The standard template automatically includes some impersonation protection, but you can add specific high-value users or domains to be protected.
On the Add email addresses to flag when impersonated by attackers page, enter the email addresses of key personnel (up to 350 users) you want to protect and select Add.



7. On the Add domains to flag when impersonated by attackers page, add any specific domains you want to protect and select Add.
8. On the Add trusted email addresses and domains to not flag as impersonation page, add any senders or domains that should be excluded from impersonation checks (e.g., trusted third-party senders) and select Add. I didn't have any such requirements so I didn't add any.


9. Next, choose Turn on the policy when finished. If you prefer to enable it later, select the second option, Leave it turned off.


10. Review the policy settings before confirming.




11. Once the policy is created, the Standard protection toggle should show On.


Note: It may take up to 30 minutes for the new policy to take full effect across your organization. 

The policies configured via a template are not displayed as a single, combined policy entry in most lists. Instead, the template activates several individual, underlying threat policies (anti-malware, anti-spam, anti-phishing, Safe Links, and Safe Attachments) that are applied together at a specific priority.
These can be accessed directly under Threat policies.






Attack Simulation Training (Highly recommended)

A rule of thumb after creating any policy is to test it. Microsoft provides a powerful tool called Attack simulation training within the Microsoft Defender portal to test the security policies and also measure user awareness. Through Attack simulation training you can run realistic, benign attack scenarios (such as phishing, credential harvest, or malware attachments) in a controlled environment to identify vulnerable users, check whether your configured policies are effectively detecting and blocking these threats, and evaluate the automated controls triggered for vulnerable users and actions.

1. Sign in to the Microsoft Defender portal.
2. In the left-hand navigation pane, select Email & collaboration > Attack simulation training.
3. On the Overview tab, select Launch instant simulation which is the quickest way to create an attack simulation. Note: You can create your own simulation if you like.



4. Select specific users or groups to include in the simulation.


5. Review the settings and select Submit to launch the simulation.



A test phishing email will be sent to the targeted set of recipients.


When a user clicks the phishing link and provides credentials, the action is picked up and evaluated by the attack simulator.



The user in question will automatically receive an email containing a link for the training module.

 


Back in the Microsoft Defender portal, the activity is tracked and can be monitored.







Conclusion

Enabling preset policies can most certainly have a positive impact on your organization's security posture. It is relatively simple, customizable and can also be rolled back.

You can always disable the policies from the Preset security policies page once you have your custom policies sorted. However, please note that either of the two preset security policies will override any custom policies and Built-in protection.

