Microsoft 365 Security Standards

Security Phase 1- Overview

Let’s face it, gone are the days when installing antivirus was a sufficient cyber security strategy. New threats and vulnerabilities are discovered daily, end users can access company data from anywhere, and controlling where data flows is difficult without a proper understanding of where the data lives and how it is being protected. 

The Miller Group has set out to implement a comprehensive yet cost-effective security program that encompasses the various layers of protection every small to medium business needs to succeed in today’s competitive market. Our goal is to build trust through consultation, ensuring we have identified the controls needed while also educating you on your organization’s risks and future considerations. 

Our typical cyber security journey is accomplished through 3 phases of implementation, followed by ongoing maintenance and monitoring processes to ensure the controls remain sufficient in an ever-changing threat landscape. 

What Security Controls Are Being Implemented in Phase 1?

Identity Protection and MFA

  • Ensure best practices are being followed for “least privileged” access 
    • Restrict persistent browser sessions for administrator roles 
  • Configure standard Microsoft 365 Groups and assign users 
  • Enforce MFA for all users and administrators 
  • Block Legacy Authentication 
  • Set M365 Passwords to Not Expire 
  • Enable Self-Service Password Reset for end users 
  • Restrict Guest Access control to specified internal users 

Email Security

  • Email Authentication (outbound) 
    • Configure SPF, DKIM, DMARC
    • Disable SMTP 
  • Threat Protection (inbound) for email and files 
    • Link / Attachment Protection 
    • Anti-Spam, Anti-Phishing Protection 
    • Anti-Malware Scanning; Zero-Hour Auto Malware Purge 
    • Block IP Allow List 
    • Impersonation Protection 

File Storage, Sharing, and Collaboration

Teams / SharePoint / OneDrive

  • Prevent meeting participants from requesting control of your computer 
  • Block 3rd party file sharing and file storage 
  • Remove default Teams Meetings Settings
    • Block Anonymous users from starting a meeting 
    • Restrict automatic admittance to meetings 
    • Block contact to Skype Users 
    • Allow only the meeting organizer to record meetings
  • Remove "Anyone Links"
  • Configure guest access to expire and require reauthentication after 30 days 
  • Block custom scripts from running

Compliance and Information Protection

  • Initial Retention Policies 
  • External email sender warnings
  • Initial Data Loss Prevention (DLP) Policies
  • Initial Email Encryption / Sensitivity Labels 
  • External Microsoft 365 Backup
  • End User Security Training + Simulated Phishing Testing

Ongoing Maintenance Tasks

  • Monitor and review administrative privileges
  • Add / remove users
  • Ongoing user support of security controls implemented in Phase 1

Requirements

  • Dedicated point of contact to answer questions timely and authorized to make decisions on security direction for your organization
  • Already utilizing Microsoft 365 for email and Office apps
  • Purchase Business Premium licenses and assign them to the appropriate users
  • Moving completely to the cloud in the near future? Let's do that first, or in cooperation with Security Phase 1; this can be determined in the initial consultation.

Implementation Process

Day 1

Initial Consultation

Our account management team will walk through the various security controls, discuss options, answer questions, and work with you to define the scope of the project.

Technical Discovery & Planning

Our project team will dig through the various systems to determine the technical needs and build the project plan based on the defined scope.

Client Review & Approval

We will prepare a Statement of Work for you to review and approve that will cover the implementation plan and associated project fees.

Prepare Schedule & Educate End Users

We will provide you with an estimated project schedule and also provide emails to the end users that will let them know what changes to expect throughout the project.

Implementation & Support

In accordance with all steps completed prior, we will implement the project plan and dedicate support resources to quickly address any issues that may arise.

Closure & Documentation

We will confirm all steps have been completed to your and our satisfaction, update documentation for future support measures and prepare for future implementation of additional security controls.

How Will These Security Controls Affect End Users?

  • Register for Multi-Factor Authentication (MFA): on the scheduled day, each user will need to enroll and configure MFA on their mobile device and one other MFA method (SMS, secondary email, etc.). If they do not register in a timely manner, access to their applications could be blocked.
    • Be Aware of Fraudulent Login Attempts: if users are prompted for MFA when they are not actively logging in, they need to report it as fraud via the app so our team can investigate.
  • Clicking On Links: when a user clicks an external link from within Outlook, Teams, SharePoint, or OneDrive, the link will first send them to a “scanning” environment that checks the destination to ensure it is a safe place to go.
  • Self-Service Password Reset: End users will now be able to reset their own passwords for their Microsoft 365 account.
  • External Email Warning: emails received from external senders will have a header at the top letting the recipient know the message is from outside the organization and that they should be cautious when clicking links or opening attachments.
  • Encryption and Labeling Sensitive Information: All users with Business Premium licenses will be able to send encrypted emails by selecting the sensitivity label from within Outlook prior to clicking send.
  • Current Administrators: for anyone who currently holds an administrator role on their "daily user" account, we will remove the admin access from that account and provide a new, unlicensed account if the administrative privileges are deemed necessary.

Frequently Asked Questions - Security Phase 1

NO! Each user will need to reauthenticate on the desktop application only once after MFA is enforced. If a user tries to access their Microsoft 365 account from a web browser, they will be prompted for the second factor on EVERY login.

For qualifying license types (e.g. Basic or Standard), YES, you can upgrade those licenses to Business Premium at any time.

Our approach is that any user who currently has a Standard license will automatically be upgraded to Business Premium.

If a user has a lower-level license (e.g. Basic or email only), those users can keep their lower level of licensing and we would add individual security add-on licenses to achieve the security objectives.

No. MFA being implemented in Phase 1 is only covering your login to your Microsoft 365 environment which contains your emails and may contain your files if stored in Teams/SharePoint/OneDrive.

MFA on your computer logins will be completed in Security Phase 2 utilizing Windows Hello for Business (WHFB).

Absolutely! Part of Security Phase 3 is to circle back to the policies created in Phase 1 to see how they need to adapt / expand to cover more scenarios. The security solutions we are implementing are built in a way that they can remain relevant into the future through continual monitoring and consultation.

Client Success Stories

Critical Cybersecurity Project

The Miller Group Ranks 5/5 Stars For Critical Cybersecurity Project

The development and maintenance of Security Policies are an integral part of any business’ cybersecurity posture.

Reality Of Password Security

The Miller Group Enhanced This Firm’s Password Security

Maintaining strong and complex passwords may sound easy in theory, but most users opt for easy-to-remember passwords instead.

5 Star IT Services Manufacturing

5-Star Services For Manufacturing Firm’s Microsoft 365 Migration Project

As a result of this seamless Microsoft 365 Migration, this manufacturing firm now has its email access fully integrated into the existing tenant. This gives them easier communication and management across the enterprise.


Ready to Get Started?  We’re here ready to serve you and your staff.

Managing IT for small and medium sized businesses in St. Louis since 1985.