Office 365 user security practices are woeful, yet it's still 'Microsoft's fault' when an org is breached

The US Cybersecurity and Infrastructure Security Agency (CISA) has become the latest government body to plead with admins to implement security best practices on Microsoft's Office 365 platform. The UK's National Cyber Security Centre (NCSC) made a similar appeal in December 2018. The evidence, though, is that most users are …

  1. GnuTzu
    FAIL

    Security Polices Set by Microsoft

    I see it all the time. Vendors try to set your security policies. This will be no different; Microsoft will promise that they've got everything covered, and customers will become complacent about reviewing their risks. After all, you're paying someone else to manage things for you--so that you can ignore any responsibilities that you may have in selecting technologies that are sufficiently secure and able to protect your data assets according to the value of those assets and the potential cost of having them compromised.

    There's a reason that safes come with different ratings and the more secure ones are more expensive. Somebody needs to make sure that the cloud is not becoming an all-eggs-in-one, one-size-fits-all basket. Yes, I know there are those attending to this. But, how many customers are actually thinking this through? And, how many customers are simply going to make the wrong assumptions about this?

    1. TheVogon

      Re: Security Polices Set by Microsoft

      "Cost is another problem. Want Office 365 Advanced Threat Protection (ATP), for example? This service checks email attachments and links for malware, blocks malicious files in SharePoint online, and attempts to detect phishing attacks."

      Exchange Online Anti-Malware also does that for free. Office 365 ATP proactively screens for unknown and evolving threats in real time by “detonating” potential carriers (email attachments, embedded URLs, files linked to malicious websites, etc.) in a secure, sandbox environment.

      1. steviebuk Silver badge

        Re: Security Polices Set by Microsoft

        But also doesn't work that well. Not only that but it quarantines an email. Fine, it's not been released. Oh actually no it has? But fucking why? MS told me "Yes you've blacklisted that domain but you now need to set up a rule with what to do with that blacklist otherwise they just default to the junk folder in Outlook" WHAT!

        1. TheVogon

          Re: Security Polices Set by Microsoft

          That's well documented, by design and expected behaviour. Which is easy to change if needed. Not Microsoft's fault if you don't RTFM!

  2. Anonymous Coward

    The main issue is - MS lets ORG admins handle all security - instead of giving users access to enable MFA on their account at any time - no, unless an ORG admin enables it you are SoL.

    When your ORG admin doesn't understand that MFA is something that actually is very much needed... I'm just waiting for the explosion.

    1. Anonymous Coward

      MFA is not needed, and in some cases, adds nothing to security.

      Furthermore, it does not work for everyone.

      A better idea is further security invoked when exceptional circumstances are detected.

  3. Nick Ryan Silver badge

    In fact, even by flinging a document or two into OneDrive, Microsoft will reward you with 10 points.

    It's bollocks like this that devalues the entire scheme.

    Taking a potentially sensitive document out of corporate control and dropping it onto a largely uncontrolled file dump service where every user gets their own file dump area and often manages their own sharing... and duplication... and versioning... this is 10 points better for security? Is it possible to granularly restrict such data leak services? Nope, it's a case of "use this service and Microsoft will force and encourage the use of others that provide easy leak options" or "don't use this service at all". For example, we are (relatively) happy to use Teams as it's being forced as the replacement to Skype for Business. Are we happy to have this include effectively uncontrollable file dump areas where documents are stored on Microsoft's clouds? No, we are not.

    I may be permanently grumpy attempting to keep data secure... and to manage Office 365 (hybrid) to get the best out of it.

    1. Doctor Syntax Silver badge

      I suppose the theory is that the document is protected from ransomware. However something like ownCloud or NextCloud will let you do that and either use your own server or a service provider of your own choosing.

      1. yoganmahew

        And that the "lost laptop containing sensitive files" goes away.

        Not much use if OneDrive is seamlessly enabled on the lost laptop though...

        1. Doctor Syntax Silver badge

          "Not much use if OneDrive is seamlessly enabled on the lost laptop though"

          Convenience wins out over security every time.

      2. Daniel 18

        Spectre and friends? Sandbox escapes? Hypervisor escapes? Compromised hypervisor? Compromised physical server?

        If anyone else has ever run on the physical box, you can no longer trust it.

        Therefore, the safer cloud is private cloud.

        Public cloud is for encrypted tertiary backups, and public facing read everything web sites.

    2. Anonymous Coward

      "Taking a potentially sensitive document out of corporate control"

      You're already using Office365. Your data are already "out of corporate control" - i.e. email - if you mean they are outside the perimeter of the company. OneDrive for Business is somewhat more controlled than the consumer version (do you prefer your users share documents over their personal Dropbox?), but if you decided to use cloud services you can't complain much about that, after all.

    3. TheVogon

      "taking a potentially sensitive document out of corporate control "

      OneDrive is not out of corporate control. It can be fully locked down and you can apply DLP policies, backup policies, etc.

      "Is it possible to granularly restrict such data leak services"

      Yes. As even a basic knowledge of O365 would tell you.

      1. Anonymous Coward

        "OneDrive is not out of corporate control. It can be fully locked down and you can apply DLP policies, backup policies, etc."

        Seriously?

        Being able to set user application admin parameters on an application you do not install and monitor, running on a box you do not control, in a security domain you do not control does not mean you control it... it means you can request that various things happen.

        Being able to tell your waiter what you want to drink does not mean you control the restaurant, or what goes in the drink... or what will arrive - or not - at your table. Nor, for that matter, do you know where your credit card number goes after you hand them the card.

        1. TheVogon

          "Being able to set user application admin parameters on an application you do not install and monitor, running on a box you do not control, in a security domain you do not control does not mean you control it... it means you can request that various things happen."

          You do install OneDrive, you centrally control all policies, it is on operating systems that you control, and on client devices that you control. Otherwise it won't work - unless you want it to work in those circumstances. And even then you can still control BYOD systems via Intune policies, etc. that will be required as part of logging into OneDrive.

  4. Nate Amsden

    diligent admins

    Seems MS did their best to do away with those admins when they started pushing office 365/hosted exchange to begin with. Hard for anyone to complain now.

  5. Nick Ryan Silver badge
    Stop

    MFA

    I'd be more inclined to deploy MFA if it currently wasn't such a barely worth it mess. While the vendors are trying to push rubbish where non-secret things replace secret things such as passwords, they can just go away. A user's voice or face is a reasonable replacement for a user identifier however it is not a reasonable replacement for something that is secret such as a password and no amount of Hollywood bullshit will change this. True, retina scans are rather secure as they are harder to fake however they should still be considered only a user identifier, or a third attribute, not a replacement for a secret.

    If Microsoft's MFA was vaguely sensibly granular, and worked with cheap(ish) fobs or smart cards then it would be a help. But it's a totally disjointed mess particularly where authentication connections come across a spread of devices and services. Enforce MFA for external webmail/outlook proprietary/IMAP connectivity to mailboxes, particularly when in a different country? Hell yes. Enforce MFA for using a workstation within the corporate network? Not so much? Enforce MFA to allow a user's email application to connect to email on their mobile phone? Erm, this is getting awkward. Particularly when they may have a tablet and a laptop as well and use remote desktop.

    1. Anonymous Coward

      Re: MFA

      It's much worse than that. Microsoft's MFA is a total and complete mess. Around here, this is the situation:

      If you connect to the company intranet or to company email from a company workstation on the company network, no MFA needed. Basically, if you're already inside the perimeter you're assumed to be good to go. I'm sure that there are those who can see a problem with this.

      If you connect to the company intranet or to company email from a company laptop on the company network, same as above. Once again I'm sure that there are those who see a problem or two.

      If you connect to the company intranet or to company email from a company laptop but not on the company network, you need to run MFA. The MFA is connected to the Microsoft Authenticator app, available for iOS and Android but not, I think, for WinPhone, gee I wonder why. If you lose the device with the MS Authenticator app, you're outta luck until you can get IT security to reconfigure the system to allow for a new app. Please note that if you download MS Authenticator onto several devices, only _one_ can be used to authenticate, so if you have two phones or a phone and a tablet, no, you _can't_ authenticate with the other one if you lost the primary. You must reauthenticate every 24 hours.

      If you connect to the company intranet or to company email using a personal laptop on the company network, that laptop must be added to Active Directory and then functions as though it were a company laptop.

      You can't connect to the company intranet using a personal laptop which has not been blessed by IT. You can connect to company email. You need to use MFA, and you must reauthenticate every 24 hours.

      You can't connect to the company intranet using a tablet, company or personal. Connecting to the company network requires installing the MDM and being blessed by IT. On the network you don't need MFA and can connect to the company email at will. Away from the network you need to use MFA, again every 24 hours... except if the MS Authenticator is on the same device which you're trying to use to read email, in which case you NEVER HAVE TO USE MFA EVEN ONCE. Looks like a giant security hole to me.

      "Connecting to company email" means using OWA or a dedicated mail client such as MS Outlook, Thunderbird, or Apple Mail. Apparently Microsoft Mail need not apply. If you change the password on the mail system, all that happens on a tablet when using any client, OWA, Outlook, Tbird, Mail, anything else, is that you have to update the password there. You still never have to enter MFA if you're using a device which has the MS Authenticator installed. On a personal laptop, you must run the MFA as soon as you change the password, but then you're good for another 24 hours. On a company laptop, if you change the password while connected to the company network you're good. On a company workstation, you're good.

      If I wanted to screw with the company I'd use a personal laptop which was not blessed by the company or a tablet, again not blessed. Or I'd take a company laptop out, do things to it, then bring it back and connect to the network. Or just do things from a company workstation. Because IT security makes everyone change their passwords every 60 days and mandates 'complex' passwords, people write down passwords, so it is trivial to 'borrow' someone else's login creds and use a workstation other than your own.

      I'm waiting for the explosion.

      1. Sandtitz Silver badge
        Stop

        Re: MFA

        "If you connect to the company intranet or to company email from a company workstation on the company network, no MFA needed."

        That's true - IF you have defined your company network as a trusted network in Azure. By default there are no trusted sites. Your IT admins have decided to do this, probably for convenience.

        "If you connect to the company intranet or to company email using a personal laptop on the company network, that laptop must be added to Active Directory and then functions as though it were a company laptop."

        Not necessary to join AD.

        "You can't connect to the company intranet using a personal laptop which has not been blessed by IT. You can connect to company email. You need to use MFA, and you must reauthenticate every 24 hours."

        Complain to your IT if this bothers you.

        If you're using Outlook in your personal computer, the particular Outlook can be trusted with a secret key installed (copypaste) to the Outlook. No need to reauth. Fine if the laptop is encrypted or otherwise secured.

        "Because IT security makes everyone change their passwords every 60 days and mandates 'complex' passwords, people write down passwords,"

        You're complaining about Microsoft when in fact you should be complaining to your IT dept who have implemented the things you complained about in your message!

        1. Anonymous Coward

          Re: MFA

          As you underlined, a lot depends on the security requirements of your company, that often are on a collision course with acceptable costs.

          For example, MFA using SMS or apps: are SMS and company apps allowed only on company owned and controlled phones? If so you have to deploy phones to everybody needing MFA - and many companies don't want to give a company phone to each user needing to access a company network. On the other hand allowing them on non-company phones may be a security issue.

          Hardware tokens have costs as well, and may need to be replaced when they expire. Smartcards need smartcard readers, and you may find they are no longer supported as you change OS. Same for fingerprint readers. Face recog tech may work with a simple camera, but to be secure it needs specific hardware too. And in some situations cameras may not be allowed.

          MFA may look a simple solution, but it is not always.

          1. TheVogon

            Re: MFA

            "On the other hand allowing them on non-company phones may be a security issue."

            Why? MFA software can be on any mobile device. The underlying hardware source is not relevant.

    2. TheVogon

      Re: MFA

      "If Microsoft's MFA was vaguely sensibly granular, and worked with cheap(ish) fobs or smart cards then it would be a help."

      Microsoft MFA works as a free application on your mobile device. No need for $$ fobs and smartcards.

      "Enforce MFA for using a workstation within the corporate network? Not so much? "

      Yes it will - you authenticate against Azure AD and use single sign-on to on premises resources.

      "Enforce MFA to allow a user's email application to connect to email on their mobile phone? Erm, this is getting awkward"

      No it isn't - Microsoft MFA does that out of the box.

  6. Anonymous Coward

    Yet another bit of blackmail

    Fine set of services you have there, wouldn't it be a shame if someone hacked it because you didn't pay us extra for services that should be a default?

    I see Microsoft have stepped up their approach to blackmail fees out of their users, something that starts with their still non-compliance with Open Standards. ODF support? Yes, the trolls tell you that Microsoft's support for ODF is "the best" - reality begs to differ. MS Exchange and Outlook still do not speak carddav and caldav - etc etc. Adding security as another argument to squeeze more revenue out of their users doesn't surprise me, but what surprises me is that people believe this - Microsoft doesn't exactly have a great track record here.

    1. Reg Reader 1

      Re: Yet another bit of blackmail

      Wait until they have huge corporate uptake of this service. Lock in will increase and then you'll see prices increase.

      1. GnuTzu
        Unhappy

        Re: Yet another bit of blackmail -- Resistance to Upgrades is Futile

        Yes, and don't forget: they don't have to wait for users to buy an upgrade, as they do for regular software. A subscription means that upgrades are automatic and irrevocable.

        Imagine how the future of software reviews looks when they morph into cloud-service reviews--possibly after bad U.I. design has been forced on users and too late to resist. See: resistance is futile.

      2. Anonymous Coward

        Re: Yet another bit of blackmail

        Wait until they have huge corporate uptake of this service. Lock in will increase and then you'll see prices increase.

        Yeah, we saw that years ago with UK education - of course, us "uneducated" oinks could not possibly see a ruse, the academic high and mighty knew that it was Gates' generosity that drove him (I think that was when I joined Mensa just to piss off those idiots, but I digress).

        Of course, then the prices went up as we predicted, and the howls of protest were stymied by Gates buying himself a knighthood by returning a fraction of the loot to Cambridge to get his name on a building and so give hope to others that - if they kept their mouth shut - they'd get some dosh back too (which, of course, didn't happen).

        The way I see it, Bill Gates was knighted for robbing the education system of the little money it had to start with. This is merely a repeat of a tactic that just keeps working on the principle that there's one born destined for manglement every minute.

        1. Rich 11

          Re: Yet another bit of blackmail

          Yeah, we saw that years ago with UK education - of course, us "uneducated" oinks could not possibly see a ruse, the academic high and mighty knew that it was Gates' generosity that drove him

          Decisions like that were nothing to do with education level or high and mighty academics, as someone with an IQ which qualifies for Mensa membership should realise (at least assuming your intelligence is applicable to the real world rather than to little else but IQ tests).

          For one, academics themselves rarely get a say in the detail of what an IT department chooses to implement across the institution, at least when it comes to general services. For another, HE is always short of money and when IT budgets are slashed a department will often end up going with the cheapest replacement option which doesn't carry a greater risk than the system currently needing replacement. Add to that the beancounters' preference for projects which have a regular annual cost rather than a big up-front capital outlay, and everyone ends up just trying to make the best of a bad situation, knowing full well that it could have been worse than it actually is.

          1. Anonymous Coward

            Re: Yet another bit of blackmail

            "Add to that the beancounters' preference for projects which have a regular annual cost rather than a big up-front capital outlay"

            How odd.

            We can get capital funding for projects and equipment and installation, but can't get FTEs to support them when they are up and running.

    2. TheVogon

      Re: Yet another bit of blackmail

      "ODF support? Yes, the trolls tell you that Microsoft's support for ODF is "the best" - reality begs to differ. MS Exchange and Outlook still do not speak carddav and caldav"

      Those are not part of ODF.

      Why would Microsoft care when the native MAPI / ActiveSync solutions are way better and pretty much everyone uses Exchange. There are third party plugins if you need this.

  7. Dan 55 Silver badge
    WTF?

    "Even by flinging a document or two into OneDrive, Microsoft will reward you with 10 points"

    So are these points a reflection of account security or just using more Office 365 products which most people never touch?

  8. Crazy Operations Guy

    Microsoft will hand you a lot of rope, but won't discourage you from putting it around your neck.

    A big problem is that Microsoft lets you do some really insecure stuff without warning you that it's insecure, or just couches the warnings in really gentle language when it should be screaming at you and requiring confirmation.

    It also doesn't help that Microsoft is constantly touting how secure its products are without mentioning that they can -attain- that level of security if you do a bunch of procedures, rather than being secure right out of the box.

  9. sgrier23

    Microsoft and Security

    I am not an advocate of Mckysoft and its over-reaching arm in all things IT, but would it not be easy for MS to simply switch on these advanced security features on ALL accounts by default - that way everyone has the multifactor authentication and best practice of all things MS.

    If they did this by default then it would definitely be the users' fault if security was breached, as they would have to have reduced the security features on their MS Office365 service. But no, MS are on a scapegoat kick - kick their customers, those who spend their money buying MS software, operating systems and services. The average user will receive the kicking occasionally, but after a while they will get sick of it and move to another system and supplier.

  10. Doctor Syntax Silver badge

    Oh dear, my score seems to be zero. Not even a document on OneDrive.

  11. jake9000

    plan 0

    While we could definitely do better and I do review those recommendations, if Conditional Access could wander over to the AAD free tier I would be sooooo happy.

  12. Anonymous Coward

    "This global average is no doubt pulled down by millions of tiny accounts and will improve as seat count increases. For a seat count of six to 99 the average increases to a massive... 46."

    In the 5000 - 19000 bracket... it's a massive 91 !

  13. steviebuk Silver badge

    It doesn't help that...

    ...when turning on MFA it randomly picks users who it'll have different MFA settings to everyone else. Outlook 2016 or Outlook 365 as they call it is a Modern App yet when at home the FING thing keeps asking for the Application Password for my Outlook instance. MFA works fine when logging into the 365 admin console but the fact it's not working properly for my Outlook instance but works fine on others is annoying. And the mobile app is fine and just accepts the MFA code. We have one user who you can't turn it off for, despite us being full admins and the MS support don't know why either.

    It's good having it on but people don't turn it on as sometimes it can be a pain in the arse.

  14. Anonymous Coward

    apple

    Apple's MFA can be equally annoying when you don't have an iPhone and a betatest partition or drive. It always sends to the device that isn't booted up.

  15. LeahroyNake

    On site woes

    I'm still a firm believer in on site Exchange for control but am moving towards postfix dovecot very slowly. The reason for this is I have known on site for a very long time / Exchange 2000 migrated through 2003, 2010 and 2013.

    If you have carried out those migrations I'm guessing you are still having nightmares about them :0 If you haven't then just make sure you have pst exports of every mailbox just in case, put an email scanning appliance in front of Exchange and pray to whatever deity suits before you OK the dreaded Schema updates.

    Regarding security, disable ActiveSync and remote access for everyone unless they need it. The perimeter firewall is still a great defence as is an email scanning appliance as it massively reduces the load on Exchange and the one I use probably has better connection logging as well. For any connection issues Wireshark is great... try that with 365.

    Anyway, I am never using Office 36? I get to retire before they completely kill on site servers. I will (hopefully) go cloud when I expire.
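    The "disable ActiveSync and remote access for everyone unless they need it" step above, as an added example for on-premises Exchange Management Shell (this is not the commenter's own script); the distribution group name `RemoteMail-Allowed` is a hypothetical placeholder for whatever allow-list your organisation keeps.

```powershell
# Added example: deny ActiveSync/OWA/POP/IMAP to every mailbox except members of
# an allow-list group. Run in an Exchange Management Shell session with the
# Organization Management or Recipient Management role. Group name is hypothetical.
$allowGroup = 'RemoteMail-Allowed'

# Build a lookup of addresses that are permitted to use remote protocols.
$allowed = @{}
Get-DistributionGroupMember -Identity $allowGroup -ResultSize Unlimited |
    ForEach-Object { $allowed[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

# Walk each mailbox's Client Access settings and switch the remote protocols
# on or off depending on allow-list membership. Add -WhatIf to Set-CASMailbox
# on the first run to preview the changes without applying them.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $addr   = $_.PrimarySmtpAddress.ToString().ToLower()
    $permit = $allowed.ContainsKey($addr)
    Set-CASMailbox -Identity $_.Identity `
        -ActiveSyncEnabled $permit `
        -OWAEnabled        $permit `
        -PopEnabled        $permit `
        -ImapEnabled       $permit
}

# Audit afterwards: anything still reachable remotely must be on the allow-list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -or $_.OWAEnabled -or $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Name, PrimarySmtpAddress, ActiveSyncEnabled, OWAEnabled, PopEnabled, ImapEnabled
```

    Re-run the audit query periodically, since new mailboxes are created with these protocols enabled by default.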

  16. Anonymous Coward

    "...locked out of their account if they lose their phone".

    Small inconvenience?!?

    Yeah right. It is so long as it happens to other people who you probably regard as idiots for losing their phones.

    But it's not all about you.

  17. Anonymous Coward
    Trollface

    Good-byee!

    In my 4,000 user organisation, one Global Admin manages the Office 365 workloads of Exchange Online, SharePoint, Teams, OneDrive, Skype for Business, Yammer, Intune and Azure AD. Massive headcount savings on BOFHs

    1. Anonymous Coward

      Re: Good-byee!

      In my 4,000 user organisation, one Global Admin manages the Office 365 workloads of Exchange Online, SharePoint, Teams, OneDrive, Skype for Business, Yammer, Intune and Azure AD

      --------------------------------------------------------------------------------------------------------------------

      So nothing is secure, and up to date corporate expertise is either nil or thin, and probably eroding monthly.

      Nothing can go wrong

      1. TheVogon

        Re: Good-byee!

        "So nothing is secure, and up to date corporate expertise is either nil or thin, and probably eroding monthly."

        Who says nothing is secure? It's pretty easy to lock down O365. If one guy is managing the requirements of 4,000 users (quite possible if you automate leavers / joiners) then this would suggest that he is pretty well trained. And if he leaves tomorrow, because O365 is a completely standardised solution you could have a replacement contractor up and running in a day or two.

  18. Sir Loin Of Beef

    When Does Technology Become A Burden Instead of A Benefit?

    What is the point of using technology if we have to authenticate multiple times?

    This reminds me of the checkpoints the USA set up in WW2 when the Germans started infiltrating US camps with impostors. That got so absurd that a US General was detained for not knowing who Mickey Mouse was or some shit.

    Just ludicrous.

    1. James O'Shea

      Re: When Does Technology Become A Burden Instead of A Benefit?

      General Omar Bradley had a problem at a checkpoint when he said, correctly, that the capital of Illinois was Springfield, but the idiot in charge at the checkpoint thought that it was Chicago. It's not enough that _you_ know the answer, the guys asking have to know the answer, too.

      My fav scene in the (really bad, though the original isn't nearly as bad as the remake which managed to be worse in every possible way, including the alleged acting) movie _Red Dawn_ is where one American fighter pilot has been shot down and the local yokel 'resistance' terrorists grab him. One of the yokels asks what the capital of Texas is. The pilot answers correctly. The yokel is about to shoot him because she's convinced that it's Houston (it's not, it's Austin...) when one of the other yokels corrects her.

    2. TheVogon

      Re: When Does Technology Become A Burden Instead of A Benefit?

      Well on premises to Azure AD / O365 and Azure AD to on premises both fully support single sign-on so if you do have to authenticate multiple times, then ask your IT department why.
