Hello, fellow cloud enthusiasts! If you’re working with Microsoft 365 and Azure, and you’re looking to ensure compliance with the Australian Signals Directorate (ASD) Essential 8 security controls, you’re in the right place. Let’s take a deep dive into configuring your environment to meet these guidelines.
Background: What’s ASD Essential 8?
For those unfamiliar, the ASD Essential 8 is a set of security practices aimed at making it more difficult for adversaries to compromise systems. These strategies are designed to help mitigate various cyber threats. Now, let’s break down how we can apply these strategies within Microsoft 365 and Azure.
1. Application Whitelisting
- Goal: Only allow approved applications to run, thus preventing malware and unapproved applications.
- Microsoft 365 & Azure Configuration:
- Microsoft Defender for Endpoint: Use attack surface reduction (ASR) rules to specify which apps can run and which to block.
- AppLocker or Windows Defender Application Control: Within Windows 10 devices, you can define rules based on file attributes derived from the digital signature, including publisher, product name, file name, and file version.
2. Patch Applications
- Goal: Patch applications to mitigate vulnerabilities.
- Microsoft 365 & Azure Configuration:
- Microsoft Endpoint Manager: Helps in managing updates for Microsoft and third-party applications.
- Azure Update Management: A service that can manage OS updates for your virtual machines.
3. Configure Microsoft Office Macro Settings
- Goal: Limit the execution of macros to only those that are trusted and necessary.
- Microsoft 365 Configuration:
- Office Cloud Policy Service: Enforce macro settings for Office apps. It’s essential to block macros from the internet and only allow vetted macros to run in trusted locations.
4. User Application Hardening
- Goal: Configure web browsers and PDF readers to block unneeded content and features, minimizing the attack surface.
- Microsoft 365 & Azure Configuration:
- Microsoft Endpoint Manager: Utilize to manage browser settings, ensuring features like Java and Flash are disabled, and only necessary plug-ins are active.
- Azure AD Conditional Access: Limit access to certain apps based on risk profiles.
5. Restrict Administrative Privileges
- Goal: Limit admin privileges to reduce the risk of adversaries gaining unfettered access.
- Microsoft 365 & Azure Configuration:
- Azure AD Privileged Identity Management (PIM): Provides just-in-time privileged access, requires approval to activate privileged roles, and provides notifications of role activations.
- Azure AD Conditional Access: Set policies to ensure that only secure devices, located in trusted networks, can access sensitive data.
6. Patch Operating Systems
- Goal: Regularly update operating systems.
- Microsoft 365 & Azure Configuration:
- Windows Update for Business: Manage Windows 10 updates, ensuring devices stay patched.
- Azure Update Management: For Azure VMs, manage updates and ensure the latest security patches are applied.
7. Multi-Factor Authentication
- Goal: Require multiple methods of authentication.
- Microsoft 365 & Azure Configuration:
- Azure AD Multi-Factor Authentication: Ensure users provide two or more verification methods before accessing resources.
- Conditional Access Policies: These can require MFA based on the user’s risk profile or when accessing specific apps or data.
8. Daily Backups
- Goal: Regularly backup data to allow for recovery in case of incidents.
- Microsoft 365 & Azure Configuration:
- Azure Backup: Provides simple and scalable solutions to backup your data.
- Microsoft 365 Compliance Center: Configure retention policies and ensure data across Exchange Online, SharePoint Online, and OneDrive for Business is backed up.
Nuances & Additional Considerations
- Unified Logging: Use Azure Monitor and Microsoft 365 compliance center to maintain logs. This aids in identifying abnormal activities and provides an audit trail.
- Security Defaults: For smaller organizations or those just starting with Azure, Microsoft provides security defaults. While this doesn’t cover everything in the Essential 8, it’s a good starting point.
- Continuous Training: While not part of the Essential 8, continuously training your users to recognize threats, especially phishing, is a must. Microsoft Defender for Office 365 can simulate phishing attacks for user training.
In conclusion, the ASD Essential 8 offers a robust framework for cybersecurity, and Microsoft 365, combined with Azure, provides a suite of tools to help you achieve compliance. However, remember that technology is just one piece of the puzzle; regular reviews, audits, and user training are equally vital.
Stay safe, and happy cloud engineering!
