Misconfigurations for Office 365
Updated: Mar 11, 2022
Microsoft Office 365 offers many compelling benefits, from “work anywhere on anything” to automatic upgrades to subscription plans that fit everyone. 50,000 businesses still make the switch every month, even though Office 365 first launched 10 years ago.
Whether you made the switch years ago or just last month, the transition is loaded with decisions. Because you are migrating the core of your organization’s communications and file sharing, the migration needs to move quickly once started. The focus is to move fast and, once things are stable, leave them alone. This means there is a huge potential to overlook configuration issues that create serious security flaws.
Security Pursuit offers a low-cost O365 Assessment that relies on automated tools and manual inspections to identify these misconfigurations and security risks. Here are the top problems we find in almost every assessment.
Excessive Administrative Privileges
A hacker’s ideal goal is to gain administrator privileges, which gives intruders free rein over your network. For this reason, threat actors see administrative privileges as the golden egg and the best possible way to expand their access, whether that means spreading ransomware to several systems, hiding malware, or exfiltrating data.
In O365, it is common to grant excessive privileges to users who don’t need them. For example, members of the Domain Admins group inherit its privileges. Make a change, or forget to limit a particular user after their role changes, and you have room for problems.
Of course, we recommend MFA, especially for administrators. But you should still be mindful of excessive privileges.
Identifying excessive privileges requires regular assessments. The principle of least privilege provides a useful guideline: ensure users only get access to the resources that are strictly essential for their daily work.
Lax and Open Network Shares
Office 365 makes it easy to collaborate with team members and share information in the form of files or documents. However, this very ‘shareability’ can backfire when file-sharing is not securely configured. People store things in incorrect locations, create folders of similar names, then lose track of what folder is for what type of file, and so on. The worst-case scenario is when someone openly shares a file containing sensitive data without any limitations on who can access the file. These open sharing scenarios lead to data leaks or compliance breaches.
Complicating matters is that it can be hard to identify who exactly has access to particular resources because users share those resources on a group basis. Potential ways to address this issue include implementing role-based access for granular control over who can view particular shares, and regular assessments to review share privileges.
Neglecting Service Account Security
When trying to secure access to applications and resources, IT administrators understandably prioritize people rather than objects or services. This bias gets reinforced by the slew of online blog posts and articles outlining how users pose the biggest internal security threats to networks.
Many security risks and attacks stem from neglecting service accounts. These are non-human accounts used to run jobs, tasks or services on Windows. For example, a scanner that sends emails may have a service account.
The problem is that service accounts often have elevated privileges so they can access particular network resources. Managed Service Accounts (MSAs) can be problematic, too, if the service in question doesn’t support them. You’re then relegated to admins using personal accounts (gasp!) or to traditional service accounts. Changing passwords on these is a burden, so many people simply use simple passwords and/or never change them. Neglected service account security results in these accounts having weak passwords that are easy to crack.
The fix for this issue starts with using MSAs where possible and strong password policies for the rest. You can go further by using a third-party solution to automatically rotate service account passwords.
Weak and Reused Passwords
Poor password hygiene remains a common IT security loophole that hackers almost effortlessly exploit. Users create weak passwords and reuse the same passwords across different services and apps.
Because obtaining login names is trivial, adversaries today conduct password spraying attacks against Office 365 in which they try to log into many accounts using common passwords, such as “123456789”. These attacks don’t trigger account lockouts because they don’t rely on brute-forcing a single account. All it takes is one account with a weak password, and the threat actor has an entry point to your network.
Combating this threat relies on better security awareness training combined with relevant controls. You need to regularly remind employees about what a strong password looks like and mandate those constraints when choosing passwords for Office 365 accounts. Of course, multi-factor authentication provides a vital extra layer, but that doesn’t mean strong passwords are no longer required.
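Because spraying is wide rather than deep, it leaves a distinctive shape in sign-in logs: one source touching many accounts with only one or two attempts each. The detector below is an added example, not code from the post or from Security Pursuit; it runs over a constructed sign-in export in an assumed `timestamp,user,source_ip,result` layout (not a real Azure AD schema) and also lists any account that authenticated from a spraying source, the single weak password the post warns about.

```python
"""Password-spraying detector over constructed sign-in log lines.
Added example, not from the original post. Assumes one attempt per line:
timestamp,user,source_ip,result  (an assumed layout, not an Azure AD schema).
"""
from collections import defaultdict

# Constructed sample: 198.51.100.7 sprays one password across five accounts
# (one try each, so no per-account lockout), 203.0.113.9 brute-forces a single
# account, and bob logs in normally after one typo. The spray lands on dave.
SAMPLE_LOG = """\
2022-03-10T08:00:01Z,alice@example.com,198.51.100.7,Failure
2022-03-10T08:00:02Z,bob@example.com,198.51.100.7,Failure
2022-03-10T08:00:03Z,carol@example.com,198.51.100.7,Failure
2022-03-10T08:00:04Z,dave@example.com,198.51.100.7,Success
2022-03-10T08:00:05Z,erin@example.com,198.51.100.7,Failure
2022-03-10T08:05:00Z,alice@example.com,203.0.113.9,Failure
2022-03-10T08:05:01Z,alice@example.com,203.0.113.9,Failure
2022-03-10T08:05:02Z,alice@example.com,203.0.113.9,Failure
2022-03-10T09:00:00Z,bob@example.com,192.0.2.50,Failure
2022-03-10T09:00:10Z,bob@example.com,192.0.2.50,Success
"""

def parse_log(text):
    """Turn the CSV-style lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events

def detect_spraying(events, min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources that are wide but
    shallow: at least min_accounts distinct users, at most max_per_account
    tries each. Brute force (deep on one account) does not match."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_ip[e["ip"]][e["user"]] += 1
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account}

def successes_from_sprayers(events, sprayers):
    """Accounts that authenticated successfully from a spraying source; these
    are the weak-password footholds to reset and investigate first."""
    return sorted({e["user"] for e in events
                   if e["ip"] in sprayers and e["result"] == "Success"})
```

Tune `min_accounts` to your tenant size and lockout policy; the thresholds here are illustrative, not a recommendation.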
Legacy Software
Running legacy software represents a security risk because out-of-date or discontinued versions don’t have the latest security updates applied. The difficulty is that within a complex Office 365 environment, legacy software can go unnoticed. Critical line-of-business apps that actually make money or serve clients are the common culprit, particularly if they use add-ins that require older versions of software.
It’s an age-old problem that can stay hidden in an O365 environment. Threat actors check installed software versions using PowerShell and seek to exploit known security issues in older software. For this reason, it’s vital to maintain an asset inventory and to know exactly when your software becomes outdated.
Misconfigurations in O365 will continue to provide hackers with a way to gain a foothold in your network. It’s easy to overlook O365 when it’s running smoothly. It’s also operationally risky to poke at O365 configurations for fear of creating bigger problems. We get that. But don’t let these concerns cause you to avoid identifying and remediating risks in your O365 environment. It will catch up to you one day.