Feb 21 2018 07:38 AM
Feb 21 2018 07:38 AM
Noticed two things for Secure Score on SharePoint:
Title: Review list of external users you have invited to documents monthly
Description: You should review the list of external users that you have invited to sensitive documents on a weekly basis. Attackers that have compromised accounts with sharing privileges will be able to expose sensitive data to external users for long periods of time without regular review of who has access. We found that the last time you reviewed this report was on 2/13/2018.
The Title says to review monthly but the description says weekly.
The other question I have is for the SharePoint links:
Description: You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. We found that your external link expiration time is set to False. If you set an expiration time, your score will go up 2 points.
We have it set up not to share links outside of our tenant. We are not given the option to set an expiration. I have tried to set it to allow anonymous links and set the time and then set it back to the original setting thinking that it would see something is set, to no avail:
Can we get credit for the score if we are not sharing externally <smile> ?
Feb 21 2018 11:04 AM
Why do people care so much about the score? The main benefit from the Secure Score tool is getting used to following some of the best practices when it comes to security and compliance in Office 365. Whether the number goes up or down is surely not as important? :)
Feb 21 2018 12:01 PM
For the first comment, this control is deprecated and I can only find it in the control list spreadsheet where it is tagged so. Are you seeing this in the user interface?
For your second comment, the setting the control is looking for is in the screenshot below. I will talk with the team about giving points if you disable but I think the idea of the control is that anonymous links are ok to use but you should expire them.
Feb 21 2018 12:21 PM