Microsoft 365 Security Standards

Security Phase 2- Overview

Protecting devices that access company data is crucial for maintaining the security and integrity of an organization's information. Utilizing tools such as Microsoft Intune and Microsoft Defender for Endpoint can help ensure that devices are properly managed and protected against threats. Intune allows for the management of mobile devices and applications, while Microsoft Defender for Endpoint provides advanced threat protection and response capabilities. Together, these tools can help safeguard company data and prevent unauthorized access.

From an efficiency standpoint, Microsoft Intune can help automate device setup and management in several ways. Intune allows for centralized device management, which means that you can manage all of your organization's devices from a single, centralized location. This makes it easier to enforce policies and ensure compliance across all devices. Intune also supports Windows Autopilot, which simplifies the process of deploying new devices by allowing you to set a baseline setup for all new computers joined to Azure AD at first login. This means that new devices can be automatically configured with the necessary settings, applications, and policies, without the need for manual intervention.

 

YouTube video

What Security Controls Are Being Implemented in Phase 2?

Profile Migration + Enrollment

  • Confirm devices are meeting baseline requirements
  • Migrate profiles and join to Entra ID (AAD)
  • Intune Enrollment
  • Endpoint Encryption
  • Computer MFA (Windows Hello for Business)

Endpoint Security Controls

  • Endpoint Detection & Response
  • Automated Investigation & Response
  • Next Generation Antivirus
  • Default Firewall Policies
  • Web Content / DNS Filtering
  • Endpoint Monitoring & Alerting
  • Threat & Vulnerability Management

Device Access & Compliance Policies

  • Bring your own device definition (BYOD)
    • Block personal device access to company data
  • Implement company policy that determines what device (computers or mobile) requirements must be met to access company data and block access if requirements aren't met
  • App Protection Policies
  • Require MFA for device enrollment

App Deployment & Management

  • Automated App Deployment Profiles
  • User / Device Grouping
  • Windows Autopilot
  • Remotely Wipe / Reset Devices
  • Automate Policy Management
  • Remove data from lost or stolen devices

Requirements

  • Dedicated point of contact to answer questions timely and authorized to make decisions on security direction for your organization
  • Already utilizing Microsoft 365 for email and Office apps
  • Purchase Business Premium Licenses and assigning to appropriate users
  • Security Phase 1 has been completed
  • All devices are current and meeting baseline OS requirements

Implementation Process

Day 1

Initial Consultation

Our account management team will walk through the various security controls, discuss options, answer questions, and work with you to define the scope of the project.

Day 1

Day 1

Technical Discovery & Planning

Our project team will dig through the various systems to determine the technical needs and build the project plan based on the defined scope.

Day 1

Day 1

Client Review & Approval

We will prepare a Statement of Work for you to review and approve that will cover the implementation plan and associated project fees.

Day 1

Day 1

Prepare Schedule & Educate End Users

We will provide you with an estimated project schedule and also provide emails to the end users that will let them know what changes to expect throughout the project.

Day 1

Day 1

Implementation & Support

In accordance to all steps completed prior, we will implement the project plan and dedicate support resources to quickly address any issues that may arise.

Day 1

Day 1

Closure & Documentation

We will confirm all steps have been completed to your and our satisfaction, update documentation for future support measures and prepare for future implementation of additional security controls.

Day 1

How Will These Security Controls Affect End Users?

  • Enroll in Windows Hello for Business on computer: After user signs in, the enrollment process begins. The user will be prompted to set up biometrics (if available) by default but if they won't be using biometrics then it will prompt them to create a PIN.
  • Download app(s) on mobile devices: If the company policy will be requiring enrollment in Entra ID in order to access company data, the users will need to download the Company Portal app on their phones.
  • Native Mail App: After app protection polices are created, only authorized apps can be used on a mobile device to access company data. The common scenario is any user that is currently using the built-in Mail app on their phone will need to download the Outlook app and set up their email in there instead as the built-in app will no longer work.
  • Computer Access Requirements: If compliance policies are put in place, the following requirements need to be met in order to access company data from that computer:
    • - Computers will need to be Entra ID joined
    • - Microsoft Defender is installed and scans are clean
    • - Computer is encrypted, has a secure boot, and has code integrity
  • Mobile Device Access Requirements: If compliance policies are put in place, the following requirements need to be met in order to access company data from that mobile device:
    • - Mobile devices will need to be registered in Entra ID/Intune
    • - Microsoft Defender is installed
    • - Mobile device is not rooted or jailbroken
  • Web Filtering: Based upon what web filtering categories are blocked, end users may notice access to certain website may be blocked on any computer or mobile device that is enrolled in these policies

Frequently Asked Questions - Security Phase 2

Quick answer, we are only locking down the apps that access company data and not the phone itself.

Per Microsoft's documentation, by enrolling in Intune, we will ONLY be able to collect hardware inventory information (device name, model, OS, manufacturer, etc) and then put in security measures for the apps that contain company data.

Intune or any admin WILL NOT have access to calling logs, text messages, photos, personal email, contacts, passwords to personal accounts, or web browsing history.

Many employees and employers prefer to use their own mobile devices to access personal or work information rather than carrying around multiple devices for each purpose. The use of personal devices for work, while common, increases the risk that business information could end up in the wrong hands. The security solutions we would implement would toe the line for both efficiency (and privacy) for the individual but data protection for the company.

For Phase 2 (assuming Phase 1 is already completed), YES, all users will need to upgrade to Business Premium in order to enroll Intune and Defender for Business which are included. By doing additional add-ons it will actually cost more than purchasing the Business Premium as it bundles all of these licenses together and gives a price discount through the bundle.

Windows 10/11 Pro or Enterprise or you can upgrade a Home edition by purchasing a Pro license. Other considerations may require older computers that are no longer functioning as they should and may need to be replaced or retired prior to implementing these security controls.

Absolutely! Part of Security Phase 3 is to circle back to the policies created in Phase 1 and 2 to see how they need to adapt / expand to cover more scenarios. The security solutions are built in a way that they can remain relevant into the future through continual monitoring and consultation.

Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.

  1. A PIN is tied to a device. One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it is set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign into your account from anywhere. If you want to sign in on multiple devices, you have to set up Hello on each device.
  2. A PIN is local to the device. An online password is transmitted to the server for authentication. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server.
  3. A PIN is backed by hardware. The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.

Windows Autopilot is used to set up and pre-configure new devices. It simplifies the device lifecycle process for both the IT team but also the end users as it can apply universal company settings and approved applications for install on any device part of the network.

When a threat is detected, alerts are created in the system for a member of our team to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an Incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Defender for Business allows our support team to run deep antivirus scans, isolate devices, stop and quarantine a file, and add indicators to block or allow a file.

Client Success Stories

Critical Cybersecurity Project

The Miller Group Ranks 5/5 Stars For Critical Cybersecurity Project

The development and maintenance of Security Policies are an integral part of any business’ cybersecurity posture.

Read More
Reality Of Password Security

The Miller Group Enhanced This Firm’s Password Security

Maintaining strong and complex passwords may sound easy in theory, but most users opt for easy-to-remember passwords instead.

Read More
5 Star IT Services Manufacturing

5-Star Services For Manufacturing Firm’s Microsoft 365 Migration Project

As a result of this seamless Microsoft 365 Migration, this manufacturing firm now has its email access fully integrated into the existing tenant. This gives them easier communication and management across the enterprise.

Read More

Ready to Get Started?  We’re here ready to serve you and your staff.

Managing IT for small and medium sized businesses in St. Louis since 1985.