This guide summarizes recommendations for implementing critical cybersecurity controls defined by the Center for Internet Security (CIS) when using Microsoft 365 Business Premium.
Microsoft 365 Business Premium is a comprehensive suite of collaboration products and enterprise-grade security tools curated specifically for businesses with 1 to 300 employees. It includes Office productivity apps and services plus advanced security and device management capabilities to help defend businesses against cyberthreats, protect data, and secure devices. This guide will detail how to implement these advanced security capabilities while applying the CIS Controls framework.
The CIS Controls cybersecurity framework is a prioritized list of the top 20 controls (objectives) that any organization should meet in order to achieve basic cybersecurity hygiene. Meeting these controls can significantly reduce your risk of cybersecurity incidents.
The 20 CIS Controls are broken down into three categories: Basic (Controls 1-6), Foundational (Controls 7-16) and Organizational (Controls 17-20).
In addition to these categories, there is a series of sub-controls under each major control. Not every organization needs to implement every sub-control. To guide an organization's level of engagement and commitment to the cybersecurity program, the sub-controls are arranged into three Implementation Groups: IG1 is the baseline set that every organization should implement, and IG2 and IG3 add further sub-controls for organizations with more resources and a higher risk exposure.
To learn more about the CIS Controls, see the Center for Internet Security website.
Let's go through IG1 and a few IG2 sub-controls that you can deliver with your Microsoft 365 Business Premium deployment. You can also watch the accompanying video, in which Alex Fields, whose blog https://itpromentor.com has great tips on helping small and medium-sized businesses succeed with the Microsoft Cloud, and I talk through these sub-controls.
Implementation Group 1 sub-controls include:
1.4 Maintain a Detailed Asset Inventory: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process corporate information. This inventory shall include all assets, whether connected to the organization’s network or not.
1.6 Address Unauthorized Assets: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
The simplest way to maintain a detailed asset inventory of end-user computing devices is to enroll them in Intune. Enrollment is easy; however, the steps used to enroll devices vary depending on what type of device it is. These steps generally apply to devices the company owns or controls.
In addition to end-user computing devices, you will also need to keep an inventory of other devices such as firewalls, switches, wireless access points, and network printers. Microsoft 365 does not include an asset tracking capability for these; however, a manual inventory of these other devices with asset tagging is acceptable to meet the control for Implementation Group 1. You can also automate asset tracking of other devices to further reduce the risk of human error.
Once you have all of your devices enrolled, you should enable a Conditional Access policy that enforces access control by requiring devices to be marked as compliant. That means if a device wants access to corporate resources such as Email or Teams, it must be enrolled and marked compliant. This ensures that you have complete control of endpoints accessing company data, and that no endpoints escape your visibility and control. Follow the steps in Microsoft's documentation on device-based Conditional Access to apply these rules to your tenant.
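The compliant-device Conditional Access policy described above, written as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original article). It assumes you hold a role that can manage Conditional Access, creates the policy in report-only mode first so you can review its impact in the sign-in logs before enforcing it, and uses a placeholder ObjectId for the emergency-access account that should be excluded.

```powershell
# Added example: require an Intune-compliant device for all users and all cloud apps.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: ObjectId of your emergency-access ("break glass") account.
# Excluding it prevents a misconfigured policy from locking every admin out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CIS 1.4/1.6 - Require compliant device for all cloud apps"
    # Report-only: evaluated and logged, but not enforced, until you flip it to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # device must be enrolled and marked compliant
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: list every policy that grants access only to compliant devices, with its state,
# so you can confirm the policy exists and see when it has been switched to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "compliantDevice" } |
    Select-Object DisplayName, State
```

After reviewing the report-only results, change `state` to `"enabled"` (for example with `Update-MgIdentityConditionalAccessPolicy`) to enforce the policy.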
For Implementation Group 1, meeting the second control (Inventory and Control of Software Assets) means having an accurate picture of all the software that is installed and used in the organization, as well as understanding which packages are approved and which are not (the idea is that you should regularly remove or block unapproved packages).
2.1 Maintain Inventory of Authorized Software: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure Software Is Supported by Vendor: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.6 Address Unapproved Software: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Intune will give you visibility into the software packages that are installed on your endpoints. Therefore, if you have already completed the first control and onboarded devices into the Intune service, then you are already on your way toward meeting this control. To fully meet the spirit of this control, you will want a strategy to control the software installations. This will also help users stay productive by ensuring the software they need is available and up to date.
You can leverage Intune to push approved software application packages, and then use Autopilot deployment profiles to remove the local administrator rights (so that end users cannot install their own software). For more information on adding apps to Intune see Add apps to Microsoft Intune. For more information on setting up Autopilot deployment profiles see Configure Autopilot profiles.
Microsoft 365 Business Premium also includes a feature known as Cloud App Discovery. This tool allows an organization to identify “Shadow IT” apps (i.e. unmanaged apps) that are in use in the environment. Once evidence of Shadow IT has been uncovered, then the organization can decide whether they want to take steps to protect and manage those outside applications, or whether to block them instead. See this article to get started: Basic setup for Cloud App Security.
Microsoft 365 allows you to configure software updates for the operating system (Windows) as well as Microsoft Office products, but not third-party software. The first implementation group (IG1) covers both: automated operating system patch management (sub-control 3.4) and automated application patch management (sub-control 3.5).
For help configuring Windows updates, see the article Manage Windows 10 software updates in Intune.
Third-party software patches can be managed in Intune with third-party add-ons; however, this is beyond the scope of this guide.
It is important to note that Microsoft Defender ATP, an add-on product available via Cloud Solution Providers (CSPs), includes a feature known as Threat and Vulnerability Management that highlights active vulnerabilities on your endpoints (whether associated with first- or third-party software packages), along with Common Vulnerability Scoring System (CVSS) ratings and mitigation details. While not exactly in the spirit of the first implementation group, it does help to address other sub-controls that reference vulnerability scans on endpoints. See the article Threat and vulnerability management in MDATP for more information.
The spirit of the fourth control (Controlled Use of Administrative Privileges) is fairly simple: the idea is to contain or limit the use of administrative privileges as much as possible. In the context of Microsoft 365, this applies to two areas in particular: privileges in the cloud, and privileges on the endpoint.
4.2 Change Default Passwords: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure the Use of Dedicated Administrative Accounts: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
For traditional hardware assets such as servers, switches, wireless access points, and other network devices you should use strong, unique passwords. If you have on-premises Active Directory you can use RADIUS for authentication, authorization, and accounting. For more information see RADIUS Authentication, Authorization, and Accounting.
You should use dedicated accounts for administration that are not licensed for productivity software. For example, if my primary user account is AlexW@contoso.com I would not assign any administrative roles to that account, instead I would create AlexW-Admin@contoso.com for administrative activities and not assign a license. On the endpoints, this also means that users should not be local administrators on their computers. This can be accomplished using Autopilot profiles within Intune, which was discussed in CSC #2, above. For more information see Securing privileged access for hybrid and cloud deployments in Azure AD.
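A way to audit the dedicated-admin-account rule above, written as an added example with the Microsoft Graph PowerShell SDK (not code from the original article). It lists every user holding an activated directory role and flags those that also carry a license, since a licensed admin account is one that is probably also being used for email or browsing; role names and licenses come from your own tenant.

```powershell
# Added example: find accounts that hold admin roles AND productivity licenses,
# i.e. accounts that are not dedicated administrative accounts (CIS 4.3).
# Requires the Microsoft.Graph PowerShell SDK and a role that can read directory roles and users.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "Directory.Read.All"

# Map user ObjectId -> list of role names, over every role currently activated in the tenant.
$adminUsers = @{}
foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members can be users, groups or service principals; only users matter here.
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }
        if (-not $adminUsers.ContainsKey($member.Id)) { $adminUsers[$member.Id] = @() }
        $adminUsers[$member.Id] += $role.DisplayName
    }
}

# A dedicated admin account (e.g. AlexW-Admin@contoso.com) should have zero assigned licenses.
$findings = foreach ($id in $adminUsers.Keys) {
    $user = Get-MgUser -UserId $id -Property Id, UserPrincipalName, AssignedLicenses
    if ($user.AssignedLicenses.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Roles             = ($adminUsers[$id] -join '; ')
            LicenseCount      = $user.AssignedLicenses.Count
        }
    }
}

if ($findings) {
    Write-Host "Admin accounts that also hold licenses (review and move roles to dedicated accounts):"
    $findings | Sort-Object UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "No licensed accounts hold directory roles."
}
```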
Even though these steps cover the requirements of IG1, most organizations should consider incorporating one more sub-control from IG2, covering multi-factor authentication (MFA):
4.5 Use Multi-Factor Authentication for All Administrative Access: Use multi-factor authentication and encrypted channels for all administrative account access.
As part of IG1, the CIS Controls recommend documenting the security settings and baseline policies that you choose to implement (separately from the technical enforcement system):
5.1 Establish Secure Configurations: Maintain documented security configuration standards for all authorized operating systems and software.
When you apply baseline configurations, you need to be sure that your customer understands and accepts the impacts (and if they need to make exceptions to the policy for some business reason or another, you can document that as well).
If you are using Intune to configure security settings on your endpoints, then you will be meeting some of the controls in IG2, as well. For example:
5.4 Deploy System Configuration Management Tools: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
A quick and easy way to apply a security policy is to add a Windows 10 Device Configuration policy under Devices > Policies. This creates an Intune policy for you with just a few clicks. For comprehensive guidance on all of the settings available in Intune, refer to the article Apply features and settings on your devices using device profiles in Microsoft Intune.
For more advanced security configuration, check out Endpoint security > Security Baselines. These profiles are updated regularly by Microsoft according to their best practices. Note that some features may only be compatible with Windows 10 Enterprise and may not apply to Microsoft 365 Business Premium / Windows 10 Pro environments. For more information see Use security baselines to configure Windows 10 devices in Intune.
Many IT service providers will prefer to create their own custom Device configuration profiles and/or Endpoint security profiles. These have the same settings available, but enable smaller, more discrete policies that are easier to manage (you can exclude a system or user from a single policy rather than from an entire set of baseline settings in one giant policy). It is worth mentioning that applying some of these profiles will also help you to meet other, later controls from the Foundational category.
Audit logging is critical to being able to effectively detect and respond to cybersecurity incidents. Without logging enabled, there is very often no or extremely low visibility into potential threats and incidents.
6.2 Activate Audit Logging: Ensure that logging has been enabled on all systems and networking devices.
Plan to enable the Unified Audit Log for all of the cloud applications in Microsoft 365. For more details see the article Turn audit log search on or off. This also enables Alert policies in the Security & Compliance center, which will be important for detecting anomalous events.
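Checking and enabling the Unified Audit Log from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and that you hold a role permitted to change audit configuration; after enabling, it pulls a few recent Azure AD events to confirm that records are actually being ingested (ingestion can take some time to begin after the setting is turned on).

```powershell
# Added example: verify the Unified Audit Log is on (CIS 6.2), enable it if not,
# and confirm events are flowing. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified Audit Log ingestion is already enabled."
} else {
    Write-Host "Unified Audit Log ingestion is OFF - enabling now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Re-read the setting rather than trusting the local variable.
$enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Host "UnifiedAuditLogIngestionEnabled = $enabled"

# Sanity check: show the most recent Azure AD (identity) events from the last 24 hours.
# An empty result right after enabling is expected; an empty result days later is a finding.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
              -RecordType AzureActiveDirectory -ResultSize 10

if ($recent) {
    $recent | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
} else {
    Write-Host "No Azure AD audit records found in the last 24 hours."
}
```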
With regard to endpoint devices, the most interesting data becomes visible only with a subscription to Microsoft Defender ATP—which is an add-on product available from CSPs.
We hope this article helps make it easier to get started with the CIS Controls. These controls are a great starting point for implementing a well-known and highly respected cybersecurity framework, and they are compatible with other frameworks and programs. For more information on compliance with security and regulatory frameworks, be sure to check out Compliance Manager and Compliance Score. You can learn more by signing in to the Microsoft Service Trust Platform.