Date posted: 29th September 2015
To ensure a successful migration to the cloud and Office 365, you have to get the settings and administrative functions right. Office 365's defaults are set up to suit the majority of companies, but they do not protect email against malware or the leakage of sensitive information. Beyond the security concerns, many of Office 365's productivity boosters are never realized if the default settings are kept.
Here are some tips from Netfast Cloud Managed Services on how to get your setup right:
Mail Flow Settings
When you first set up Office 365, you are prompted to configure your domains' DNS to work with Office 365. Microsoft provides the records for mail routing (MX), the CNAME records, and SPF (Sender Policy Framework). Failure to apply the correct settings here can mean a complete loss of mail flow or clients that cannot connect.
SPF needs special attention. This record type tells other mail systems whether email from your domain is coming from an authorized system, in an effort to combat phishing. Microsoft's default record is only sufficient if every single email you send originates directly from Office 365. This is rarely the case, however, because you probably use third-party tools such as NetSuite, Constant Contact or MailChimp to send sales or marketing communications on behalf of your domain. To ensure delivery to your intended recipients, be sure to include each of these third-party services in your SPF record.
Once you have full access to the Exchange admin center, you should verify that all of your domain names are listed and declared as authoritative under Mail Flow > Accepted Domains.
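The following PowerShell function is an added example and is not part of the original post or of any Microsoft tooling. It parses an SPF record offline, confirms that the Office 365 include (spf.protection.outlook.com) and every third-party sender you rely on are present, counts the DNS-lookup terms against the limit of 10 that receivers enforce (RFC 7208), and checks that the record ends with a meaningful all qualifier. The sample record and the two third-party include hosts are constructed placeholders; your mail vendors publish the exact host to use.

```powershell
# Added example, not from the original post: sanity-check an SPF TXT record against the
# senders you actually use. The record and the vendor include hosts below are constructed.
function Test-SpfRecord {
    param(
        [Parameter(Mandatory)] [string] $Record,      # the full v=spf1 TXT string
        [string[]] $RequiredIncludes = @()             # include hosts that must be present
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { $findings.Add('Record does not start with v=spf1') }

    # Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10,
    # and exceeding it makes receivers return permerror, i.e. the record stops working.
    $lookupTerms = @($terms | Where-Object { $_ -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=' })
    if ($lookupTerms.Count -gt 10) {
        $findings.Add("Too many DNS-lookup terms ($($lookupTerms.Count) > 10)")
    }

    # Every include host you rely on must be present (compared case-insensitively).
    $includes = @($terms | Where-Object { $_ -match '^[+\-~?]?include:' } |
                  ForEach-Object { ($_ -split ':', 2)[1].ToLowerInvariant() })
    foreach ($inc in $RequiredIncludes) {
        if ($includes -notcontains $inc.ToLowerInvariant()) {
            $findings.Add("Missing include:$inc - mail sent through it will fail SPF")
        }
    }

    # The last term decides what happens to unlisted senders; +all authorizes everyone.
    switch -Regex ($terms[-1]) {
        '^\+?all$'  { $findings.Add('Ends with +all, which authorizes every sender') }
        '^[-~]all$' { }   # -all (fail) or ~all (softfail) are the expected choices
        '^\?all$'   { $findings.Add('Ends with ?all (neutral), which gives receivers no guidance') }
        default     { $findings.Add('No all qualifier at the end of the record') }
    }

    [pscustomobject]@{
        LookupCount = $lookupTerms.Count
        Includes    = $includes
        Findings    = $findings.ToArray()
        Pass        = ($findings.Count -eq 0)
    }
}

# Constructed example: Office 365 plus one marketing platform in the record, while the
# organization also sends through a CRM whose include was forgotten.
$record = 'v=spf1 include:spf.protection.outlook.com include:spf.newsletter-vendor.example -all'
$result = Test-SpfRecord -Record $record -RequiredIncludes @(
    'spf.protection.outlook.com', 'spf.newsletter-vendor.example', '_spf.crm-vendor.example')
$result.Findings   # reports the missing CRM include

# Live check against public DNS (Resolve-DnsName ships with Windows 8 / Server 2012 and later):
# $live = Resolve-DnsName -Name 'example.com' -Type TXT |
#             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
# Test-SpfRecord -Record $live -RequiredIncludes 'spf.protection.outlook.com'
```

Run the check after every change to your sending infrastructure, not just at migration time: a new marketing tool that is never added to the record silently fails SPF at the recipients that enforce it.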
Secure Mail Flow
You or your clients and vendors may require TLS encryption for email exchanges. Financial and health care (HIPAA) providers will often be subject to government regulations that require this additional layer of protection. The default configuration provides opportunistic TLS encryption; in other words, Exchange Online will first try to connect to another mail system with TLS encryption and fall back to plain text if that doesn't work. This violates SOX and HIPAA compliance requirements for publicly traded or health care companies.
If you require enforced TLS encryption, you will need to create two connectors: one for sending mail and one for receiving mail. To do so, open the Exchange admin center and navigate to Mail Flow > Connectors. Creating the sending connector is very straightforward. Click on the + (plus) sign and select “Sending from Office 365 to a partner organization.” Give the new connector a name and type an optional description. Finally, you will enter your partner organization’s domain name(s) and save the connector.
The connector for receiving mail is slightly more complicated but still rather straightforward. You begin as before by clicking the + sign; this time you select the option for mail sent from your partner organization to Office 365. You will then be prompted to specify whether you want this connector to apply to specific domain names or to IP addresses. Choose whichever is appropriate for your scenario and enter the information on the next screen. Choose to reject any messages not sent using TLS encryption and optionally verify the TLS certificate. If you want to scope this domain to a specific IP range, you can do so here, then save the connector.
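The same two connectors, created from Exchange Online PowerShell rather than by clicking through the admin center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed (in 2015 the equivalent was a remote session via New-PSSession and Import-PSSession); the partner domain and the IP range are constructed placeholders. The accepted-domain check from the previous section is included because it is the first thing to verify before building connectors.

```powershell
# Added example, not from the original post: enforced-TLS partner connectors in both
# directions, plus the accepted-domain check. partner.example and 203.0.113.0/24 are placeholders.
Connect-ExchangeOnline   # prompts for credentials

$partnerDomains = @('partner.example')
$partnerIPs     = @('203.0.113.0/24')   # documentation range standing in for the partner's MTA addresses

# Every domain you own should be listed and Authoritative; anything else here needs fixing first.
Get-AcceptedDomain | Where-Object { $_.DomainType -ne 'Authoritative' } |
    Format-Table DomainName, DomainType

# Outbound: Office 365 -> partner. TlsSettings sets how strict the requirement is:
#   EncryptionOnly        - TLS is mandatory, any certificate accepted
#   CertificateValidation - certificate must be trusted and unexpired
#   DomainValidation      - trusted certificate whose subject matches -TlsDomain
$outbound = @{
    Name             = 'Enforce TLS to partner.example'
    ConnectorType    = 'Partner'
    RecipientDomains = $partnerDomains
    UseMXRecord      = $true
    TlsSettings      = 'CertificateValidation'
    Comment          = 'Mail to this partner must travel over TLS with a valid certificate'
}
New-OutboundConnector @outbound

# Inbound: partner -> Office 365. RequireTls rejects anything arriving in the clear, and
# RestrictDomainsToIPAddresses ties the sender domain to the partner's known IP range
# (the "scope to a specific IP range" step in the admin center). To verify the partner's
# certificate instead, set RestrictDomainsToCertificate and TlsSenderCertificateName.
$inbound = @{
    Name                         = 'Require TLS from partner.example'
    ConnectorType                = 'Partner'
    SenderDomains                = $partnerDomains
    SenderIPAddresses            = $partnerIPs
    RestrictDomainsToIPAddresses = $true
    RequireTls                   = $true
    Comment                      = 'Reject mail from this partner that is not sent over TLS'
}
New-InboundConnector @inbound

# Verify that both connectors are enabled and that the TLS requirement actually took.
Get-OutboundConnector | Select-Object Name, Enabled, TlsSettings, RecipientDomains
Get-InboundConnector  | Select-Object Name, Enabled, RequireTls, RestrictDomainsToIPAddresses, SenderDomains
```

With RequireTls set, a partner whose mail server loses its certificate or falls back to plain text will have its messages rejected rather than delivered unencrypted, which is the behaviour the compliance requirement asks for; agree on the setting with the partner before switching it on so that both sides expect the rejection.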
Now that all of your email and service settings are stored in the cloud, you must pay very close attention to your security settings. It takes only one lucky phishing attempt or social engineering call to give up the keys to the kingdom.
At a minimum, you should establish and use a separate account from your main mailbox as an administrator account and configure your other administrators in the same fashion. In addition, each administrator account should have an enforced minimum password length and expiration period (Service Settings > Passwords), and use multi-factor authentication (Users > Active Users > Set multi-factor authentication requirements > Set up), and only the minimum set of permissions required to do the job through Role Based Access Control settings (Exchange admin center > Permissions > Admin roles).
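The controls in that paragraph, expressed with the PowerShell modules of the period, as an added example that is not part of the original post. It uses the MSOnline module (Connect-MsolService; Microsoft Graph PowerShell is the current replacement) for the tenant-level password policy and per-user multi-factor authentication, and Exchange Online PowerShell for role assignment. The domain, user principal names and the 90-day expiry are constructed placeholders; the "Company Administrator" role name is what MSOnline calls the Global Administrator role.

```powershell
# Added example, not from the original post: dedicated admin identities with password expiry,
# MFA and a scoped Exchange role, followed by an audit of Global Admins lacking MFA.
# contoso.example and the UPNs are constructed placeholders.
Connect-MsolService
Connect-ExchangeOnline

$domain = 'contoso.example'
$admins = @('it-admin@contoso.example', 'helpdesk-admin@contoso.example')   # not anyone's daily mailbox

# Password expiry for the whole domain: rotate every 90 days, warn 14 days ahead.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# Per-user MFA. 'Enabled' asks the user to register at next sign-in; 'Enforced' additionally
# blocks legacy clients until registration is complete.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
foreach ($upn in $admins) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)
}

# Least privilege in Exchange: a helpdesk admin needs Recipient Management, not the
# Organization Management role group that grants every Exchange permission.
Add-RoleGroupMember -Identity 'Recipient Management' -Member 'helpdesk-admin@contoso.example'

# Audit: list every Global Administrator that has no MFA requirement configured.
function Get-GlobalAdminsWithoutMfa {
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        # Members can include service principals, which Get-MsolUser cannot resolve.
        $user = Get-MsolUser -ObjectId $_.ObjectId -ErrorAction SilentlyContinue
        if ($user) {
            $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
            if (-not $state) {
                [pscustomobject]@{ User = $user.UserPrincipalName; MfaState = 'None' }
            }
        }
    }
}
Get-GlobalAdminsWithoutMfa

# Who holds the top Exchange role? Keep this list short and made of admin-only accounts.
Get-RoleGroupMember -Identity 'Organization Management' | Select-Object Name, PrimarySmtpAddress
```

Schedule the audit function rather than running it once: a Global Administrator added later during a support incident is exactly the account that tends to skip MFA.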
The security of your mail is equally important. The built-in Exchange Online Protection offers basic forms of protection against spam and malware but doesn’t prevent address spoofing (phishing). You should spend some time evaluating third-party products or work with a trusted managed security provider to provide a solid email security foundation for your Office 365 environment.
Mobile device settings
Most of your users will probably want to use their own mobile devices to access company email. This benefits the user in that they will only need to carry one device (BYOD), and it benefits the company in that it doesn’t have to purchase and manage devices and contracts for its users. Those mobile devices, however, are now portable access points into your mail system or, if you use line-of-business applications or have a mobile VPN, your entire network.
Once you have completed MDM setup, click on “Manage device security policies and access rules.” Click on the + sign to create a new policy, providing it with a name and optional description. There are a number of options available to you here. You can enforce PIN locking (or more complex passwords), sign-in failure counts, inactivity locks, device encryption, and preventing “rooted” or “jailbroken” devices from connecting.
You should at least configure a six-digit PIN, wipe after 10 failed attempts, force data encryption, and block rooted or jailbroken devices. This should prevent the largest number of basic attacks against your devices without greatly inconveniencing your users.
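The MDM for Office 365 policy described above is built in the portal; the closest scriptable equivalent is an Exchange ActiveSync mailbox policy, which enforces the same PIN, wipe-after-failures and encryption requirements on any device that synchronizes mail. The following is an added example, not code from the original post, and it assumes the ExchangeOnlineManagement module. Rooted and jailbroken device detection is an MDM-only capability with no ActiveSync policy switch, so that part of the recommendation is not reproduced here; the policy name and the five-minute lock timeout are constructed choices.

```powershell
# Added example, not from the original post: an ActiveSync mailbox policy carrying the
# baseline from the text (six-digit PIN, wipe after 10 failures, encryption required).
Connect-ExchangeOnline

$baseline = @{
    Name                         = 'BYOD baseline'
    PasswordEnabled              = $true
    AllowSimplePassword          = $false      # refuses 1234 / 1111 style PINs
    MinPasswordLength            = 6
    MaxPasswordFailedAttempts    = 10          # device wipes itself after the 10th failure
    MaxInactivityTimeLock        = '00:05:00'  # lock after five idle minutes (constructed value)
    RequireDeviceEncryption      = $true
    AllowNonProvisionableDevices = $false      # devices that cannot enforce the policy are refused
    IsDefault                    = $true       # applies to every mailbox without an explicit policy
}
New-MobileDeviceMailboxPolicy @baseline

# Unknown devices are held for admin approval instead of syncing immediately.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'it-admin@contoso.example'   # constructed placeholder address

# Review: which devices are currently not in the Allowed state, and why.
Get-MobileDevice | Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason
```

Quarantine by default changes the failure mode from "any device with valid credentials gets the mailbox" to "an admin sees the device before it gets anything", which is the property you want once phished credentials are the realistic threat.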
Data and Disaster Recovery
It's important to note that Office 365 does not back up your email by default. Microsoft offers native data protection, which includes multiple passive copies (lagged copies) split between two data centers. That is a fantastic solution for providing availability of existing data, but it doesn't ensure point-in-time recovery of deleted data that has gone past the deleted item retention period. In addition, that retention period is 14 days by default and can be extended to 30 days (you read that correctly: 30 days) through a remote PowerShell connection. You should be aware that your data can be lost.
Knowing these limitations may mean you need to look to a third-party backup/recovery solution for Office 365 or a solid online archive solution. You want to know your data is safe and discoverable (for compliance and more). This is another area, like security, where you may need to look to the Office 365 partner ecosystem to find the solution that bolts on and can resolve these concerns.
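Raising the retention period to its 30-day ceiling and giving mail a discoverable home, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and, for the archive step, a licence that includes an archive mailbox; Set-MailboxPlan is used so that mailboxes created after the change inherit the new value rather than reverting to the 14-day default.

```powershell
# Added example, not from the original post: push deleted-item retention to the 30-day
# maximum, audit for mailboxes that did not take the change, and enable in-place archives.
Connect-ExchangeOnline

# Existing user mailboxes: 30 days is the largest value Exchange Online accepts here.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetainDeletedItemsFor 30

# Future mailboxes inherit their settings from the mailbox plan, so change the plan too.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30

# Audit: anything still below 30 days means the change did not apply.
function Get-MailboxesBelowRetention {
    param([int] $Days = 30)
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { [TimeSpan]::Parse($_.RetainDeletedItemsFor.ToString()) -lt [TimeSpan]::FromDays($Days) } |
        Select-Object UserPrincipalName, RetainDeletedItemsFor
}
Get-MailboxesBelowRetention

# Archive mailbox for long-term, searchable storage (assumes an archive-capable licence).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    Enable-Mailbox -Archive
```

Even at 30 days this is a recovery window, not a backup: an item purged from Recoverable Items after the period is gone, which is why the text points to a third-party backup or archive product for anything with a longer discovery or compliance horizon.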
As you put together your optimal Office 365 environment, remember that the above settings recommendations are merely the basics. Consider them the absolute must-have settings to get you up and running. If your organization has a Cloud Managed security operations center, you should consult with them about further improving your security.
But whatever you do, don’t settle for the default settings.