ChrisOnSecurity

Microsoft 365 E3 security baseline

Posted on 19. January 2019, updated 28. January 2020

As a license bundle, Microsoft 365 E3 combines Office 365 E3, Enterprise Mobility + Security (EM+S) E3, and Windows 10 Enterprise E3. It’s the way to go if you want to add advanced security features to your O365 workloads and you also need a Windows 10 Enterprise license anyway.

If you want to get to know the additional capabilities of Microsoft 365 E5 visit my other post: Microsoft 365 E5 security baseline.

What you get (security related)

Office 365 E3

  • Anti-malware
  • Anti-spam
  • Basic alerting & auditing
  • Data Loss Prevention (DLP)

EMS E3

  • Azure AD Premium P1 (Multi-factor authentication, Conditional Access, Advanced security reporting, Azure AD Cloud App Discovery)
  • Microsoft Intune (MDM/EMM)
  • Azure Information Protection P1
  • Microsoft Advanced Threat Analytics
  • Windows Server CALs

Windows 10 Enterprise E3

  • Windows Defender Anti-Malware
  • Windows Defender Firewall
  • SmartScreen & Network Protection
  • Windows Defender Credential Guard
  • Windows Defender System Guard
  • Windows Defender Application Control
  • Windows AppLocker
  • Windows Defender Exploit Guard
  • Windows Defender Application Guard


Office 365 E3 security baseline

  • Configure anti-malware and anti-spam policies for basic mail protection. Implement SPF and DKIM to use authentication for your domains.
  • Enable Office 365 auditing
  • Enable Office 365 mailbox auditing
  • Check Office 365 Secure Score on a regular basis but do not rely exclusively on it! Some things are not covered and probably never will be.
  • Use SharePoint / OneDrive for Business Access Controls to limit potential data loss.
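The following script is an added example (not from the original post) that reports on the SPF, DKIM and auditing items of the Office 365 E3 baseline above for one accepted domain. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) and uses a placeholder domain name.

```powershell
# Added example, not part of the original post. Read-only report on the Office 365 E3
# mail and auditing baseline items. Requires Connect-ExchangeOnline beforehand.
param([string] $Domain = 'contoso.example')   # placeholder, replace with your accepted domain

$report = @()

# 1. SPF: join each TXT record's string parts, pick the v=spf1 record and
#    require a hard (-all) or soft (~all) fail at its end.
$txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue | Where-Object Type -eq 'TXT'
$spf = $txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
if (-not $spf)                    { $spfStatus = 'missing' }
elseif ($spf -match '(-|~)all$')  { $spfStatus = 'ok' }
else                              { $spfStatus = 'present, but no -all/~all' }
$report += [PSCustomObject]@{ Check = 'SPF'; Status = $spfStatus; Detail = "$spf" }

# 2. DKIM: signing enabled in Exchange Online and both selector CNAMEs published in DNS.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
$published = foreach ($s in 'selector1', 'selector2') {
    [bool](Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'CNAME')
}
if ($dkim.Enabled -and ($published -notcontains $false)) { $dkimStatus = 'ok' }
else { $dkimStatus = 'signing disabled or selector CNAME missing' }
$report += [PSCustomObject]@{
    Check  = 'DKIM'
    Status = $dkimStatus
    Detail = "Enabled=$($dkim.Enabled); selector1/selector2 CNAME published=$($published -join '/')"
}

# 3. Unified audit log ingestion and tenant-wide mailbox auditing.
$audit = Get-AdminAuditLogConfig
$org   = Get-OrganizationConfig
if ($audit.UnifiedAuditLogIngestionEnabled) { $ualStatus = 'ok' }
else { $ualStatus = 'disabled (enable with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true)' }
if ($org.AuditDisabled) { $mbxStatus = 'disabled tenant-wide (enable with Set-OrganizationConfig -AuditDisabled $false)' }
else { $mbxStatus = 'ok' }
$report += [PSCustomObject]@{ Check = 'Unified audit log'; Status = $ualStatus; Detail = '' }
$report += [PSCustomObject]@{ Check = 'Mailbox auditing';  Status = $mbxStatus; Detail = "AuditDisabled=$($org.AuditDisabled)" }

$report | Format-Table -AutoSize
```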

EMS E3 / Azure AD security baseline

  • Use dedicated administrative accounts for Office 365 and Azure AD. Make sure that on-premises admin accounts are NOT cloud enabled.
  • Implement Multi-factor Authentication for all administrative accounts
  • Hybrid join Windows 10 devices to use them as known devices
  • Use Device Writeback to implement Windows Hello for Business in hybrid mode
  • Implement Multi-factor Authentication for standard users. Build a sufficient strategy based on known devices and locations by leveraging Conditional Access. If users are forced to confirm prompts at every logon, they will most likely do so for sign-ins they did not perform.
  • Use Conditional Access to limit cloud usage. Use known locations, known devices, and approved client apps to make sure an attacker would also need other factors besides username and password to gain access
  • Get rid of legacy authentication
  • Block Exchange ActiveSync and switch to modern authentication mail clients
  • Regularly check Azure AD sign-in logs for failed authentications to get a feeling for how affected your tenant is by password spray attacks
  • Monitor Azure AD Connect Health status including ADFS failed sign-ins (if you use federation)
  • Monitor Azure AD app registrations
  • Use Cloud App Discovery (sub-function of Microsoft Cloud App Security) to discover cloud app usage.
  • Limit external access and guest users depending on your use cases
  • Use Intune to prevent data leakage on mobile devices by leveraging either Intune App Protection (app containers) or a fully-managed implementation for Android and iOS
  • Evaluate Azure Information Protection to protect corporate data. Start with a simple approach that allows users to get a feeling for how it works. Extend your deployment once you get an overview about the impact AIP has for users and how data is handled inside your organization.
  • Deploy Microsoft Advanced Threat Analytics to monitor your on-premises Active Directory for known attacks like Pass-the-Hash, Pass-the-Ticket, and many others.
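As an added example (not from the original post) for the sign-in log check above, the function below groups failed Azure AD sign-ins by source IP and flags IPs that failed against many distinct accounts within a short window, which is the typical shape of a password spray. The sample records, the thresholds and the domain are constructed assumptions.

```powershell
# Added example, not part of the original post.
function Find-PasswordSprayCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,  # objects with UserPrincipalName, IpAddress, ErrorCode, CreatedDateTime
        [int] $MinDistinctUsers = 10,                # assumed threshold: distinct accounts per source IP
        [int] $WindowMinutes    = 60                 # assumed sliding window length
    )
    # Azure AD error codes: 50126 = invalid username or password, 50053 = account locked
    $failureCodes = 50126, 50053
    $failed = $SignIns | Where-Object { $failureCodes -contains $_.ErrorCode }

    foreach ($group in ($failed | Group-Object IpAddress)) {
        $events = @($group.Group | Sort-Object CreatedDateTime)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start     = $events[$i].CreatedDateTime
            $end       = $start.AddMinutes($WindowMinutes)
            $inWindow  = @($events | Where-Object { $_.CreatedDateTime -ge $start -and $_.CreatedDateTime -le $end })
            $users     = @($inWindow.UserPrincipalName | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [PSCustomObject]@{
                    IpAddress     = $group.Name
                    WindowStart   = $start
                    DistinctUsers = $users.Count
                    Failures      = $inWindow.Count
                }
                break   # one finding per IP is enough for triage
            }
        }
    }
}

# Constructed sample: one IP tries 12 different accounts once each (spray pattern),
# another IP is a single user mistyping a password a few times and then succeeding.
$base   = Get-Date '2020-01-28T08:00:00Z'
$sample = @()
1..12 | ForEach-Object {
    $sample += [PSCustomObject]@{ UserPrincipalName = "user$_@contoso.example"; IpAddress = '203.0.113.7'; ErrorCode = 50126; CreatedDateTime = $base.AddMinutes($_) }
}
1..5 | ForEach-Object {
    $sample += [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; IpAddress = '198.51.100.9'; ErrorCode = 50126; CreatedDateTime = $base.AddMinutes($_) }
}
$sample += [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; IpAddress = '198.51.100.9'; ErrorCode = 0; CreatedDateTime = $base.AddMinutes(6) }

# Only 203.0.113.7 is reported; 198.51.100.9 fails against a single account.
Find-PasswordSprayCandidates -SignIns $sample | Format-Table
```

Against a real tenant, feed the function the output of Get-MgAuditLogSignIn (Microsoft.Graph.Reports module, e.g. with a createdDateTime filter and -All), mapping each record's Status.ErrorCode to the ErrorCode property the function expects.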

Windows 10 Enterprise E3 security baseline

Expand your existing Windows 10 settings to leverage enhanced security features:

  • Limit local administrative rights, users should work as standard users per default
  • Randomize the built-in Administrator account password, e.g. using LAPS (Local Administrator Password Solution)
  • Make sure all devices come with a Trusted Platform Module (TPM) version 2.0. Version 1.2 is fine for existing devices.
  • Install devices in UEFI mode with Secure Boot enabled
  • Activate virtualization capabilities
  • Protect UEFI settings from unwanted changes
  • Use BitLocker with a TPM for volume encryption. Protect from DMA attacks by either using a startup PIN or DMA protection which is now included in Windows 10.
  • Activate Credential Guard to protect the LSASS process. Start without UEFI lock for fallback, switch to UEFI lock once you get comfortable with manually resetting UEFI variables, which is needed to deactivate Credential Guard
  • Implement client isolation by leveraging the Windows Firewall. Clients almost never need to accept unsolicited connections from other clients
  • Activate User Account Control, SmartScreen, and Network Protection
  • Use Application Control (or AppLocker) and Exploit Guard at least in audit mode. Audit data can be evaluated in the cloud if you use Microsoft Defender ATP which is part of Windows 10 Enterprise E5. Keep in mind that some sub-features of Exploit Guard regarding monitoring are also exclusive to Microsoft Defender ATP.
  • Use Windows Hello for Business for passwordless sign-in (PIN or biometrics + TPM)
  • Deprecate legacy protocols like SMBv1 and LM/NTLM
  • Use all those Windows 10 security features to build Privileged Access Workstations (PAWs) for cloud and on-prem administration.
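The script below is an added example (not from the original post) that reads the state of several items from the Windows 10 list above on the local machine: TPM, Secure Boot, BitLocker, Credential Guard, SMBv1 and LM/NTLM settings, firewall default inbound action, and local admin membership. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 Enterprise; the result labels are my own.

```powershell
# Added example, not part of the original post. Read-only baseline check; run elevated.
$results = [ordered]@{}

# TPM presence and spec version (2.0 for new devices, 1.2 tolerated for existing ones)
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM present']      = [bool]$tpm
$results['TPM spec version'] = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }

# UEFI + Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS installations
try   { $results['Secure Boot enabled'] = Confirm-SecureBootUEFI }
catch { $results['Secure Boot enabled'] = 'not UEFI or not supported' }

# BitLocker on the OS volume; a TpmPin protector means a startup PIN is in use
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLocker protection'] = $bl.ProtectionStatus
$results['BitLocker protectors'] = ($bl.KeyProtector.KeyProtectorType -join ', ')

# Credential Guard: SecurityServicesRunning contains 1 when it is running;
# VirtualizationBasedSecurityStatus is 0 = off, 1 = enabled but not running, 2 = running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$results['VBS status']               = $dg.VirtualizationBasedSecurityStatus
$results['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)

# Legacy protocols: SMBv1 server side, and LM/NTLM via LmCompatibilityLevel (5 = NTLMv2 only)
$results['SMBv1 server enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$results['LmCompatibilityLevel'] = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }

# Firewall default inbound action per profile; Block is what client isolation builds on
Get-NetFirewallProfile | ForEach-Object {
    $results["Firewall $($_.Name) default inbound"] = $_.DefaultInboundAction
}

# Local Administrators membership, to spot users who still hold local admin rights
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$results['Local Administrators'] = ($admins.Name -join ', ')

[PSCustomObject]$results | Format-List
```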

Disclaimer: This overview was created to the best of my knowledge. It might be subject to change at any time, especially if Microsoft changes licensing. I do not guarantee that this is a comprehensive overview.

Thanks for reading!

Chris