Exchange Online

This page lists security settings and configurations that are advisable to implement in your environment.
Each environment is different, but I believe the settings below are easy to set up and provide a way to reach a more mature security level.

  1. Enforce modern authentication
  2. Enable common attachment filter
  3. Restrict access from non-compliant devices
  4. Enable Malware Zero-hour Auto Purge
  5. Verify SPF records exists
  6. Verify DMARC records exists
  7. Verify DKIM records exists and it's enabled
  8. Disable calendar sharing with externals
  9. Client Rules Forwarding Block
  10. Mailbox Auditing

Enable modern authentication

Modern authentication makes it possible to log on using multi-factor authentication, smart cards or certificates. It is advisable to enforce modern authentication if possible: multi-factor authentication can be circumvented if basic authentication is still allowed. Should the need arise to allow basic authentication, you can also use conditional access to further protect the environment by only allowing some users from some locations to use basic authentication.

How will this impact my users?

Users will no longer be able to use older or third-party applications that only work with basic authentication, like Office 2010.


Using PowerShell

You will need to install the Exchange Online module to be able to use the cmdlets below. Run the cmdlets below to enable modern authentication for your Exchange Online environment.

Connect-EXOPSSession
Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

Using conditional access

You can use conditional access to block access when basic authentication is used, or to allow access only for specific basic authentication applications. Click here for the direct link.

Create a new policy and select a group which contains all or some of the users, preferably a dynamic group. Then select which application this policy applies to. In my case I select Exchange Online.

Then under Conditions you can select which client apps (authentication clients) can or cannot be used with this application. Under Access controls you can set the policy to block or allow access.


Enable common attachment filter

This policy blocks certain file types from being used in mails. You can add or remove file types if needed. It is disabled by default.

How will this impact my users?

Users will no longer be able to send certain file types as attachment.

Using the user interface

You can configure these settings in the Exchange admin portal by going to https://outlook.office365.com/ecp and then Protection -> malware filter.

Edit the default filter and enable the common attachment filter.

Using PowerShell

You will need to install the Exchange Online module to be able to use the cmdlets below. Run the cmdlets below to enable the common attachment types filter for your Exchange Online environment. You need to specify the correct identity if you have created a custom policy.

Connect-EXOPSSession
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true
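The built-in common attachment list can be extended with file types of your own. The script below is an added example, not code from the original post; it assumes an Exchange Online session is already connected with Connect-EXOPSSession, and the extra file types in $ExtraTypes are this example's own choice, to be adjusted to what your organization actually needs to block.

```powershell
# Added example, not from the original post. Assumes the Exchange Online
# module is loaded and a session is connected (Connect-EXOPSSession).
# The file types in $ExtraTypes are this example's own choice.

# Extensions to block on top of Microsoft's built-in common attachment list
# (values are given without a leading dot, as the policy stores them)
$ExtraTypes = @('iso', 'img', 'hta', 'lnk', 'vhd')

$policy = Get-MalwareFilterPolicy -Identity Default

# Merge the existing list with the extra types, without duplicates,
# so nothing Microsoft already blocks is dropped by accident
$merged = @($policy.FileTypes) + $ExtraTypes | Sort-Object -Unique

Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $merged

# Show the resulting list so the change can be reviewed
(Get-MalwareFilterPolicy -Identity Default).FileTypes
```

Merging instead of overwriting matters here: -FileTypes replaces the whole list, so passing only your own additions would silently remove the default entries.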

Restrict access from non-compliant devices

SharePoint and Exchange Online have the ability to restrict users on non-compliant devices. In Exchange this prevents users from downloading attachments directly to their local drives. You will need Azure Active Directory Premium and Intune licenses, as you also need to create a conditional access policy. This is especially helpful to prevent users from downloading documents onto devices that are not managed by the company.

How will this impact my users?

Users will no longer be able to download documents from everywhere, as doing so will require a compliant device. When using Intune you can set up your own rules to ensure that content is secured and managed.

Users have the following experience without the policy when downloading through Outlook Web Access.

Users have the following experience with the policy when downloading through Outlook Web Access.


Using PowerShell

You will need to use PowerShell to change the default Outlook Web App policy, and you will need the Exchange Online module to be able to use the cmdlets below. Run the cmdlets below to set the Outlook Web App policy to read-only attachment access for your Exchange Online environment. You need to specify the correct identity if you have created a custom policy. Note that this alone isn't enough: you will also need to create a conditional access policy.

Connect-EXOPSSession
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

Using conditional access

You can customize the SharePoint Online policy if one has already been created, or create a new one where you can exclude certain service accounts or allow this policy for company devices located on-premises. Click here for the direct link.

Make sure you add Exchange Online to this policy, select that this policy applies to the browser, and lastly use app enforced restrictions.

Enable Malware Zero-hour Auto Purge

Zero-hour Auto Purge (ZAP) protects your users by automatically taking your policy's action to quarantine messages in which malware is detected after delivery. It is enabled by default, but make sure it's still configured, as it is still a new feature at the time of writing. You can find more information here.

How will this impact my users?

Mails containing spam, phishing or malware will be automatically removed from users' mailboxes. This doesn't prevent users from clicking on the mail while it is still in the mailbox, but it helps for users who haven't read or acted on the mail yet.

Users will see the following without the policy enabled

and the following with the policy


Using the user interface

You can configure these settings in the Exchange admin portal by going to https://outlook.office365.com/ecp and then Protection -> malware filter.

Ensure the Malware Zero-hour Auto Purge is On, and we suggest you add a mail address for notifications.

Using PowerShell

You will need to install the Exchange Online module to be able to use the cmdlets below. Run the cmdlets below to enable Malware Zero-hour Auto Purge for your Exchange Online environment. You need to specify the correct identity if you have created a custom policy.

Connect-EXOPSSession
Set-MalwareFilterPolicy -Identity Default -ZapEnabled $true

Verify SPF records exists

A Sender Policy Framework (SPF) record should be created for each domain. An SPF record tells receiving mail systems such as Exchange Online which other servers are allowed to send mail for your domain. You can for example add an internal SMTP server's IP or FQDN so it can send through Exchange Online. SPF records help prevent spoofing. The default value you should add is v=spf1 include:spf.protection.outlook.com -all, to which you may add additional IPs or FQDNs. Note that you need to update the SPF record each time a third-party or internal IP or FQDN changes. Click here for more information.

How will this impact my users?

This setting has no impact on users, but applications won't be able to relay messages if the SPF record is not correct.


Using the user interface

You will need to add this record to each domain's DNS zone. The DNS zone can be edited at your domain provider's website. Add a TXT record with the value "v=spf1 include:spf.protection.outlook.com -all".

Using PowerShell

You can add DNS records programmatically for some providers, but most likely it will have to be added manually. The command below can be used to verify that the record exists.

Resolve-DnsName <Domain> -Type TXT

Verify DMARC records exists

A Domain-based Message Authentication, Reporting and Conformance (DMARC) record should be created for each mail domain. Below is a quote from Microsoft, which can be found here:

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.

How will this impact my users?

This setting has no impact on users.


Using the user interface

You will need to add this record to each domain's DNS zone. The DNS zone can be edited at your domain provider's website. Add a TXT record with the host name "_dmarc", which should translate to _dmarc.<Domain>.<Extension>, and add as content "v=DMARC1; p=none; pct=100; rua=mailto:<MailAddress>; ruf=mailto:<MailAddress>; fo=1".

Using PowerShell

You can add DNS records programmatically for some providers, but most likely it will have to be added manually. The command below can be used to verify that the record exists.

Resolve-DnsName _dmarc.<Domain>.<Extension> -Type TXT


Verify DKIM records exists and it's enabled

DomainKeys Identified Mail (DKIM) records should be created for each domain. DKIM together with SPF and DMARC will stop spoofers from trying to spoof the domain. It provides non-repudiation, as the receiver can verify that the sender is genuine.

How will this impact my users?

This setting has no impact on users.


Using the user interface

There are two things you need to do to enable DKIM.

  • DNS Records

You will need to add the records below to each domain's DNS zone. The DNS zone can be edited at your domain provider's website. Add the following CNAME records:

Host name: selector1._domainkey
Points to address or value: selector1-<DomainName>-<Extension>._domainkey.<TenantName>.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<DomainName>-<Extension>._domainkey.<TenantName>.onmicrosoft.com
TTL: 3600

  • Exchange Admin Portal

Go to Protection -> DKIM and click Enable after you have updated the DNS records.


Using PowerShell

You can enable DKIM with the PowerShell command below after you have created/updated the DNS records. Replace <Domain> with the domain you want to sign for.

Set-DkimSigningConfig -Identity <Domain> -Enabled $true
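The three "Verify ... records" sections above each check one record by hand. The function below is an added example, not code from the original post, that runs the SPF, DMARC and DKIM lookups for a list of domains in one go and flags the conditions a practitioner checks for: exactly one SPF record (two SPF records are invalid), the Exchange Online include, hard versus soft fail, the DMARC policy in force, and whether both DKIM selectors point at your tenant. It uses only Resolve-DnsName from the DnsClient module, so it runs without the Exchange Online module; the domain and tenant name in the call at the end are placeholders to replace.

```powershell
# Added example, not from the original post. Uses only Resolve-DnsName
# (DnsClient module), so no Exchange Online session is required.
# 'contoso.com' / 'contoso' at the bottom are placeholders to replace.

function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)] [string[]] $Domains,
        # The <TenantName> part of <TenantName>.onmicrosoft.com
        [Parameter(Mandatory)] [string]   $TenantName
    )
    foreach ($domain in $Domains) {
        $result = [ordered]@{ Domain = $domain }

        # SPF: TXT records at the domain apex that start with v=spf1.
        # Multi-string TXT records are joined back into one string.
        $txt    = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue
        $spfAll = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
        $spf    = $spfAll | Select-Object -First 1
        $result.SpfRecord   = $spf
        $result.SpfCount    = $spfAll.Count                 # must be exactly 1
        $result.SpfOk       = ($spfAll.Count -eq 1) -and ($spf -match 'include:spf\.protection\.outlook\.com')
        $result.SpfHardFail = [bool]($spf -match '\s-all$') # -all = hard fail, ~all = soft fail

        # DMARC: TXT record at _dmarc.<domain>
        $dmarcTxt = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue
        $dmarc    = $dmarcTxt | ForEach-Object { $_.Strings -join '' } |
                    Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
        $result.DmarcRecord = $dmarc
        $result.DmarcPolicy = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { $null }

        # DKIM: selector1/selector2._domainkey must be CNAMEs into the tenant
        $expectedSuffix = "._domainkey.$TenantName.onmicrosoft.com"
        foreach ($selector in 'selector1', 'selector2') {
            $cname = Resolve-DnsName -Name "$selector._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $result["${selector}Cname"] = $cname.NameHost
            $result["${selector}Ok"]    = [bool]$cname -and ($cname.NameHost -like "*$expectedSuffix")
        }

        [pscustomobject]$result
    }
}

# Placeholders: replace with your own domains and tenant name
Test-MailAuthRecords -Domains 'contoso.com' -TenantName 'contoso' | Format-List
```

A DMARC policy of p=none (the value the section above starts with) only reports; once the rua reports show that all legitimate senders pass SPF or DKIM, the same check is useful for confirming the move to quarantine or reject.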

Disable calendar sharing with externals

Attackers can retrieve a lot of information from calendars that are available outside the organization. Preventing calendar sharing limits attackers' ability to analyze your behavior or the kind of meetings your employees have.

How will this impact my users?

Users will not be able to share their calendar with external users. They can still share it with colleagues.


Using the user interface

You can change this setting using the default admin portal of Office 365 at https://admin.microsoft.com. Navigate to Settings -> Settings -> Calendar.

Make sure you deselect the checkbox to disable sharing with external users.

Using PowerShell

You can change this setting using PowerShell. The cmdlet below can be used to change this setting. You will need the Exchange Online PowerShell module for this. You may need to change the name of the identity if you created a custom policy.

Connect-EXOPSSession
Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $False


Client Rules Forwarding Block

You should create the Client Rules Forwarding Block transport rule to stop users from auto-forwarding emails to external domains. This prevents users from sending their mail straight on to other mail addresses, but it also stops attackers who have gained access to a mailbox from benefiting from an auto-forward rule they configure.

How will this impact my users?

Users can't auto-forward mail from their mailbox directly to, for example, their Live account.

Using the user interface

You can add this rule using the Exchange Admin portal at https://outlook.office.com/ecp/.

Go to Mail Flow Rules

Create a new rule where I already added one

Configure the rule to block mails from inside the organization to outside the organization.

Using PowerShell

You can add this rule using PowerShell. The cmdlet below can be used to add the rule. You will need the Exchange Online PowerShell module for this. You can customize the text.

Connect-EXOPSSession
$MessageText = "Custom text for the user"
New-TransportRule -Name "Client Rules To External Block" -Priority 1 -SentToScope NotInOrganization -FromScope InOrganization -MessageTypeMatches AutoForward -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText $MessageText
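The transport rule stops future auto-forwards but does not remove forwarding that is already in place, so it is worth knowing which mailboxes currently send mail outside the organization. The script below is an added example, not code from the original post; it assumes a connected Exchange Online session (Connect-EXOPSSession) and uses the tenant's accepted domains to decide what counts as external. It reports both mailbox-level forwarding (ForwardingSmtpAddress) and inbox rules that forward or redirect.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# session is connected (Connect-EXOPSSession). Read-only: it reports,
# it does not change any rule.

# Every domain the tenant accepts mail for counts as internal
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString() }

function Test-ExternalAddress {
    param([string] $Address)
    # Rule recipients look like: "Display Name" [SMTP:user@domain.com]
    # ForwardingSmtpAddress looks like: smtp:user@domain.com
    if ($Address -match '(?i)SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin or through Outlook settings)
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'ForwardingSmtpAddress'
            Target  = $mbx.ForwardingSmtpAddress
        }
    }
    # Inbox rules that forward, forward as attachment, or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($target in $targets) {
            if (Test-ExternalAddress $target) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = "InboxRule: $($rule.Name)"
                    Target  = $target
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Running Get-InboxRule per mailbox is slow in a large tenant; for a recurring check, export $findings to CSV and compare runs so that newly appearing external targets stand out.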

Mailbox Auditing

Mailbox auditing enables administrators to track logons and activities related to mailboxes using the audit log. Enabling mailbox auditing may be required by compliance policies, or you can enable it for forensics. Administrators aren't able to read the mail through the audit log, but the log does help them assist users when issues occur with a mailbox. This setting is enabled by default since January 2019, but it's advisable to verify that all mailboxes have auditing enabled.

How will this impact my users?

There is no user impact.


Using the user interface

There is no option to verify which mailboxes have auditing enabled via the Exchange admin portal; you will need to use PowerShell.

Using PowerShell

You will need the Exchange Online PowerShell module for this. Using the cmdlets below you can verify which mailboxes don't have auditing enabled.

Connect-EXOPSSession
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $False} | Format-Table Name, AuditEnabled

You can then enable auditing using the cmdlet below:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $False} | Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin,HardDelete,SoftDelete,Update,Move -AuditDelegate SendOnBehalf,MoveToDeletedItems,Move -AuditAdmin Copy,MessageBind
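Checking AuditEnabled alone can miss mailboxes that have auditing switched on but with a reduced set of audited actions. The script below is an added example, not code from the original post, that goes one step further: it compares each mailbox's owner, delegate and admin audit sets against the sets used in the cmdlet above and re-applies them only where something is missing. It assumes a connected Exchange Online session (Connect-EXOPSSession).

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# session is connected (Connect-EXOPSSession).

# The audit actions this check requires; taken from the Set-Mailbox line above
$required = @{
    AuditOwner    = 'MailboxLogin', 'HardDelete', 'SoftDelete', 'Update', 'Move'
    AuditDelegate = 'SendOnBehalf', 'MoveToDeletedItems', 'Move'
    AuditAdmin    = 'Copy', 'MessageBind'
}

function Get-MissingAuditActions {
    param([Parameter(Mandatory)] $Mailbox)
    $missing = @()
    if (-not $Mailbox.AuditEnabled) { $missing += 'AuditEnabled' }
    foreach ($set in $required.Keys) {
        # $Mailbox.AuditOwner etc. are multi-valued enum properties; compare as strings
        $have = @($Mailbox.$set | ForEach-Object { $_.ToString() })
        foreach ($action in $required[$set]) {
            if ($have -notcontains $action) { $missing += "$set/$action" }
        }
    }
    return $missing
}

# Report: one row per mailbox that lacks auditing or any required action
$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $missing = Get-MissingAuditActions -Mailbox $_
    if ($missing) {
        [pscustomobject]@{
            Mailbox      = $_.PrimarySmtpAddress
            AuditEnabled = $_.AuditEnabled
            Missing      = ($missing -join ', ')
        }
    }
}
$report | Format-Table -AutoSize

# Remediation: re-apply the full sets only to the mailboxes in the report
foreach ($row in $report) {
    Set-Mailbox -Identity $row.Mailbox -AuditEnabled $true `
        -AuditOwner $required.AuditOwner `
        -AuditDelegate $required.AuditDelegate `
        -AuditAdmin $required.AuditAdmin
}
```

Run the report part first on its own; the remediation loop replaces each audit set with the required list, so any extra actions an individual mailbox had beyond the required set would be dropped.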
