Don't Leave Microsoft Security at the Defaults. Here Are 5 Settings You Need to Configure

Microsoft 365 is one of the most used business platforms throughout the world. It has the reliable productivity apps (Word, Excel, Outlook, PowerPoint) along with multiple cloud-based collaboration and communication tools.

Many companies that use the platform store most, if not all, their data in Microsoft 365, utilizing the file storage and sharing capabilities of OneDrive, SharePoint, and Microsoft Teams. But one area where they often leave vulnerabilities is in the security settings.

If you leave all the security configurations at default settings, you could be leaving your account open to a breach, ransomware infection, or insider attack.

Misconfiguration, which is not having proper security settings put in place, is cited by security professionals the #1 threat to cloud security.

Luckily, Microsoft has provided a lot of flexibility and safeguards in its platform. Users just need to know they’re there and which are some of the most critical settings to configure to give them the best protection.

Security Configurations to Set Up in Microsoft 365

Implement MFA for All Users

Seventy-seven percent of all cloud account breaches are due to compromised login credentials. One of the best protections you can put in place is to enable multi-factor authentication (MFA) for all your users.

According to Microsoft, MFA can block approximately 99.9% of all fraudulent sign-in attempts. This helps you prevent insider attacks, where a cyber attacker logs in as a legitimate user to bypass security.

Use a Single Dedicated Admin Account

Users with administrative privileges in Microsoft 365 pose a higher risk than users with lower-level credentials. If one of those accounts is breached, an attacker can turn off security features, add and remove users, and do other damaging things.

You can protect your administrator-level account by using a single Dedicated Global Administrator rather than granting admin access to individual user accounts.

You can set up a Dedicated Global Administrator account without having to secure another user license. Then, admins just log into that account for admin tasks, and log back out when finished and back into their own user account.

Increase Your Malware Defenses

Ransomware, viruses, and other types of malware pose significant cybersecurity threats to Dallas-Fort Worth businesses. These threats don’t only infect on-premises equipment, they can also infect cloud file storage platforms.

You can significantly increase your protection against malicious file attachments by turning on a filter in Microsoft 365 to block dangerous attachments and adding several file types known to be used for carrying malware.

To do this:

  • In the Security & Compliance Center, look for Threat Management in the left navigation pane
  • Choose Policy > Anti-Malware
  • Double-click to edit the default policy, then select Settings
  • Look for Common Attachment Types Filter and select On
  • Edit the file types adding the following: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
  • Select Save 

Prevent Auto-Forwards of Emails Outside Your Domain 

Auto-forwarding of a user’s mail to their own address is one of the tactics that cyber criminals use to gain access to sensitive company information. Unless a user specifically looks at their auto-forward settings, copies of their mail could be stolen for months without them knowing.

Auto-forwarding is something that a hacker can do if they gain access to a lower-privileged account.

You can stop this from happening by setting up a mail flow rule that prohibits this action.

To do this:

  • In the Exchange admin center, go the mail flow category
  • Select rules and then, “+” to Create a new rule
  • Select More options at the bottom
  • Apply the following rule settings:
    • If sender is internal AND recipient is external AND message type is Auto-forward
    • Block the message and add explanation
    • Add text, such as “Auto-forwarding outside the company is prohibited”
  • Save the rule

Set Up Alerts for Suspicious Activities

You can catch a malicious actor that’s breached your account quickly by setting up two important alerts that will let you know immediately if there is some strange behavior happening.

Alert one to set up is if there is an account login from outside your geographic area, such as one from Asia, when your business is in the U.S. only.

Alert two is if sent mail for a user reaches a certain designated threshold. For example, if a user sends over 150 emails in a short period of time, this could indicate that a hacker has breached the account and is sending out phishing emails on your company domain.

Get Help Improving You Microsoft 365 Security

We have certified Microsoft 365 experts that can help your business with the security settings you need as well as assist with ongoing administration to make your life easier.

Contact Cloudavize today for a free consultation to get started.