{"id":372,"date":"2020-07-07T22:31:23","date_gmt":"2020-07-07T22:31:23","guid":{"rendered":"http:\/\/certcent.io\/?p=372"},"modified":"2020-07-07T22:31:23","modified_gmt":"2020-07-07T22:31:23","slug":"hardening-office-365-security","status":"publish","type":"post","link":"https:\/\/certcent.io\/index.php\/2020\/07\/07\/hardening-office-365-security\/","title":{"rendered":"Hardening Office 365 security"},"content":{"rendered":"

A couple easy ways to harden Office 365 security:<\/strong><\/h3>\n

Here are a couple messy notes for client access rules. We are trying to limit access to e-mail accounts that are legacy, i.e., MFA printer devices or devices that send notifications, but do not support Modern Authentication. Most MFP printers, Canon, HP, Xerox printer built before 2017 probably do not support Modern Authentication. A key sign that it is modern authentication is it opens a browser window for user\/pass and not a Windows popup box.
\nCreate Priority Rule 1 to Allow Powershell Access:<\/p>\n

New-ClientAccessRule -Name AllowRemotePS -Action Allow -AnyOfProtocols RemotePowerShell -Priority 1<\/pre>\n
1) Identify clients that do not support Modern authentication. smtp.utility@mydomain.com
\n2) Specify field to input client to filter, e.g., deparment, custom, company and input ‘SMTP’
\n3) Create new client rule to only applies to that field:<\/p>\n
New-ClientAccessRule -Enabled $true -Action Block -UserRecipientFilter \"Department -eq 'SMTP'\" -ExceptAnyOFClientIPAddressesOrRanges @{Add='1.1.1.1','2.2.2.2'}<\/pre>\n
4) Test new rule with test-clientaccessrule
\nMore Powershell Exchange Fun!
\nHere are Office Modules\/Applications you should have loaded:
\n1) Connect-MsolService<\/strong>
\n2) Connect-ExchangeOnline
\n3) Connect-AzureAD
\n<\/strong>
\n1) Enable Modern Authentication (disable use of older more vulnerable protocols)
\n2) Enable Client Access Rules (limit access to apps based on location)
\n3) Configure AuthenticationPolicy (block older protocols)
\nConsider enable policy and rules using these commands:
\nGet-OrganizationConfig
\nRun the following command to enable modern authentication connections to Exchange Online by Outlook 2013 or later clients:<\/p>\n
Set-OrganizationConfig -OAuth2ClientProfileEnable $true<\/pre>\n
I am using the Microsoft.Exchange.Management.ExoPowershellModule Module on my test tenant.
\nAuthentication Policies and Client Access Rules:<\/p>\n
NAME\n    Set-AuthenticationPolicy<\/strong>\nSYNTAX\n    Set-AuthenticationPolicy [-Identity] <AuthPolicyIdParameter> [-AllowBasicAuthActiveSync] [-AllowBasicAuthAutodiscover] [-AllowBasicAuthImap] [-AllowBasicAuthMapi]\n    [-AllowBasicAuthOfflineAddressBook] [-AllowBasicAuthOutlookService] [-AllowBasicAuthPop] [-AllowBasicAuthPowershell] [-AllowBasicAuthReportingWebServices] [-AllowBasicAuthRpc]\n    [-AllowBasicAuthSmtp] [-AllowBasicAuthWebServices] [-DomainController <Fqdn>] [-ProxyToMailbox <MailboxIdParameter>] [-ProxyToServer <string>] [-WhatIf] [-Confirm] [-Name <string>]\n    [<CommonParameters>]\n<\/pre>\n
NAME\n    Set-ClientAccessRule<\/strong>\nSYNOPSIS\n    This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.\n    Use the Set-ClientAccessRule cmdlet to modify existing client access rules. Client access rules help you control access to your organization based on the properties of the connection.\n    For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax (https:\/\/technet.microsoft.com\/library\/bb123552.aspx).\n    -------------------------- Example 1 --------------------------\n    Set-ClientAccessRule \"Allow IMAP4\" -AnyOfClientIPAddressesOrRanges @{Add=\"172.17.17.27\/16\"}\n    This example adds the IP address range 172.17.17.27\/16 to the existing client access rule named Allow IMAP4 without affecting the existing IP address values.\n<\/pre>\n
When setting ClientAccessRules, this will apply to everybody in your tenant, so be careful.  The policy will take a while to apply too, so give it at least an hour before you give up.
\nClient Access Rules provide a solid way limited who can access e-mail, administrator portals, and remote Powershell.  These things are not enabled by default, so tighten your security up to be safe.
\nTips:
\nYou can use this parameter to filter:<\/p>\n
Get-ClientAccessRule<\/pre>\n
 (list current rules).
\n<\/strong><\/p>\n
Get-User -Filter \"Department -eq 'IT'\"<\/pre>\n
(filter by field Department)
\n<\/strong><\/p>\n
Set-User Username -Department IT<\/pre>\n
 (set the department for this user)<\/strong><\/p>\n
Set-ClientAccessRule -Identity ITPolicy -UserRecipientFilter \"Department -eq 'IT'\"<\/pre>\n
Set-ClientAccessRule -Identity ITPolicy -UserRecipientFilter \"Department -ne 'IT'\" -Action DenyAccess -AnyofProtocols \"RemotePowerShell\",\"ExchangeAdminCenter\" <\/strong><\/pre>\n
Configure rules based by IP addresses.  This is perfect for older mailboxes that need to send mail, but do not support Modern Authentication.  This is common with printers internally.
\n<\/p>\n
\n
Set-ClientAccessRule -ExceptAnyOfClientIPAddressesOrRanges @{Add=\"50.34.200.0\/24\"}<\/pre>\n<\/div>\n

\nHere are the types of access you can allow or deny:<\/p>\n
-AnyOfProtocols<\/strong>\n<\/pre>\n
\n
The AnyOfProtocols parameter specifies a condition for the client access rule that's based on the client's protocol.\nValid values for this parameter are:<\/pre>\n