Secure Office 365 for Remote Access

We have seen a marked move to remote work in recent months.  While the times have been troubling and stressful in many ways, there has been a flip side.  Many of us have found newfound freedoms in how and where we work.  With these freedoms come risks.      

While we can access our email, files and other communications remotely, many have not stopped to ask; are we too open?  What level of remote access does each employee need and more crucially what do they not need?

In this article, we run through several remote access methods and procedures and show how to configure them as required per user and at an organisation level.  We suggest you do this for your organisation.

Method: PowerShell ticks all boxes

Many (but not all) configurations can be made through the various admin UIs.  However, even when available, documenting these can be tricky as UI appearance changes location and appearance.  Furthermore, you have to go to multiple locations to achieve the recommended results.  

As with many of our articles, we suggest making configurations in PowerShell.  PowerShell documentation is consistent and less prone to change, can be scripted (if you desire although not required), repeatable and very quick once you have the commands ready.  

Get remote users using Multi-factor authentication (MFA).

If you haven't yet drunk the cool-aid on MFA, then it is time to get with the program.  MFA considerably reduces the chances of an external mal-actor accessing your accounts for malicious purposes.  This is not to say that MFA solves all your security problems.  MFA can be bypassed in some instances.  We also hear of many cases of employees getting so used to accepting the MFA access request on their phones, that they had done so unconsciously when an attacker triggered it.  Insider threats, for which a legitimate user is themselves the mal-actor, account for about 50% of breaches.  Anyway, pontificating aside, you need to enable MFA.  This article shows you how through various means.

Access Methods to Consider

The methods of access that we need to consider are:

1. Outlook on the Web (through the browser)
2. Outlook for iOS and Android
3. Outlook Desktop Application on PCs or laptops
4. Other third-party mail clients
5. Legacy Authentication methods

Mange these using Get-CASMailbox, and Set-CASMailbox PowerShell commands.  Below we will show you how

Outlook on the Web (OWA)

Many of us who use Outlook on our desktops forget we can also access our mail through OWA.  While sometimes useful when we are without our laptop, many employees will never use this.  Never the less it exposes the most risk since it allows an attacker with our credentials to access our mail and control our mailbox, quickly, from anywhere.  

Ask yourself does my remote worker require this, given they already have Outlook desktop, and maybe Outlook on their mobile device.  The answer is more than often. No.  Mange it as follows.   First, you will need to connect to exchange online

‍

Get-CasMailbox "joe.bloggs@YouCompany.com" -OWAEnabled -OWAforDevicesEnabled

Set-CasMailbox -OWAEnabled &false -OWAforDevicesEnabled $false

‍

Outlook for iOS and Android

I couldn't keep up with the frequent demand of email responding without using Outlook on my personal Android device.  Like many organisations, we do not buy mobile devices for our employees so cannot reasonably enforce strict policies around them on personal devices, such as enforcing encryption or remote wiping in the case of its loss.  If we cannot even guarantee that employees enforce a pin/passcode to lock their device, then automatically how can we reasonably allow them to access company mail on them.  Doing so is analogous to letting our employees remove password protection from their company laptop.  Maybe even worse since mobile devices can be lost so easily.  The only sensible thing, therefore, is to block the access of company data on personal mobile devices without prior agreement and assurances.  

There are two things we can do here.  the first is disable the ActiveSync

protocol by default and place any requesting device to be placed in Quarantine until agreed by an admin

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -

AdminMailRecipients will@YouCompany.com,susan

@YouCompany.com

Here Will and Susan are the designated admins who will be notified to admit or deny any request

You may also want to review and update existing mailboxes for access.  You can do this again using the Get/Set-CasMailbox

Get-CasMailbox "joe.bloggs@YouCompany.com" -ActiveSyncEnabled

Set-CasMailbox "joe.bloggs@YouCompany.com" -ActiveSyncEnabled $false

‍

Outlook

Most orgs require all their users to have outlook access through their laptop and desktop.  This uses the MAPI protocol and will be on by default.  We list it here for completeness.  

Get-CasMailbox "joe.bloggs@YouCompany.com" -MAPIEnabled

Third-Party and Legacy Protocols

POP and IMAP are usually deemed legacy and have certain vulnerabilities which, unless you have a specific reason to expose them (For example if a user must use Windows Live Mail, Mozilla Thunderbird, or Lotus Notes), should be turned off.  

SMTP is another protocol with security vulnerabilities.  It is used for the sending of mail alongside POP3 and IMAP.  Again unless you know of a reason to use it should be turned off.  

Set-CasMailbox -PopEnabled $false -ImapEnable $false -SmtpClientAuthenticationDisable $true

Note the final parameter is DISABLE parameter and thus should be set to TRUE.  

Microsoft would also suggest that SMTP AUTH should be disabled for the entire organisation

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Finally, we need to set defaults for new users so that we don't have to repeat the process on new user creation.  We can do this as follows

Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

Disable Legacy Authentication

Basic/Legacy Authentication is where the username and password are sent with every request.  Sending the password each time is insecure, and unless you know of a good reason to use it should be turned off immediately.  Microsoft had intended to roll out a change whereby basic auth would be disabled by default however they have delayed this because of COVID

Disabling Basic Auth at this time requires the creation of an Authentication Policy

New-AuthenticationPolicy -Name "Block Basic Auth"

You can set the default policy for your organisation using

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

If your organisation has never applied explicit Authentication Policies to users accounts, then this default will take precedence.  Please note, however, that this will prevent the use of PowerShell without modern authentication. Putting it together: A Quick script for all users

Putting it together: A Quick script for all users

Some of the above commands are for single users only.  It might be useful to create a single script to apply to your entire organisation, especially if your organisation is straightforward and you have never before changed Authentication Policies.  You could then alter it as you need.  For example, I turn off OWA for all users which you may not want to do in your organisation.

‍

Get-Mailbox -ResultSize unlimited | Set-CASMailbox -OWAEnabled &false -OWAforDevicesEnabled $false -ActiveSyncEnabled

$false -PopEnabled $false -ImapEnable $false -SmtpClientAuthenticationDisable $true

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

New-AuthenticationPolicy -Name "Block Basic Auth"

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

‍

Octiga Office 365 Security Automation

The checks and methods outlined in this article can all be easily checked, updated and monitored using Octiga Office 365 Security Solution in just a few clicks.  What’s more it can alert you of changes as your business evolves and employees come and go. So you don’t have to worry.

We have created easy to use interfaces and wizards to guide you through these configurations and alert you of risky protocols.  

Furthermore, you can protect your business using our comprehensive security suite to easily apply resilient configurations, monitor for changes and suspicious activities, and finally remediate from breaches and other incidents. Schedule an appointment to know what it can do for your business now.