SkyNorth

The Admins guide to securing your Office 365 data

Wed, 17 Oct 2018 02:05:06 Z

During my time at Microsoft and SkyNorth, one of the hottest cloud migration topics we have with clients, is around access and data security.

While most companies believe their on-premises data is secure, we’ve found it is usually at higher risk then data stored in a correctly configured Office 365 tenant. If you can properly answer the four primary concerns of the public cloud, O365 solutions will increase your security and flexibility.

How do we limit and control access?
How to ensure it’s the correct person?
How do we secure our data?
How do we secure our devices?

Out of the box, O365 cloud identities are accessible everywhere via internet, and secured with only username and password. This appears sketchy at best, until you start looking at all the built-in features that O365 & Azure Active Directory offer. When developing your O365 access policies you need to put together a plan that focuses on the 3 core areas.

The Who and Where
The What
The How

Please keep in mind, some of these technologies cross boundaries and can be used in conjunction with other features to maximize your cloud security strategy. If you haven't seen the Microsoft Identity and Device Access article. it is a must read (after you finish reading my blog post).

The Who and Where

Do you know who is accessing your cloud services, and where they are logging in from?

Option 1 - ADFS Server
- Pros
  - Many people already have this infrastructure in place from past SSO requirements
  - Uses Microsoft technologies
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Limited Options
  - This has became the 'outdated' way of providing a secured Single Sign-On solution
- Extras
  - Limiting Access to Office 365 Services Based on the Location of the Client
Option 2 - Conditional Access
- Pros
  - Extremely configurable and stackable rules
  - Tied to your cloud login
  - Available to all Azure Applications and internal apps that are published via Azure Application Proxy
- Cons
  - Requires Azure AD Premium Plan 1
- Extras
  - Limit logins based on the following policies
  - Allows you to limited login based on the following
    - Select Users
    - Trusted IP Range
    - Trusted Applications
    - Browser or Client Application
    - Device Platforms
    - Device Compliance (Requires Intune)
    - Login Risk (Requires Azure Active Directory Premium Plan 2)
    - Allows SharePointusers to only have READ access via Browser session, and others WRITE/EDIT via controlled Application

How do we ensure it’s the correct person?

Option 1 - Multi-Factor Authentication (MFA)
- Pros
  - Helps ensure the person is who they say they are
  - Easy to use and configure
  - Available for on-prem applications, rdp, and VPN via MFA Server
- Cons
  - Limited to call/text or mobile application
- Extras
  - A second form of user identification such as a phone call, email, or mobile app

Option 2 - ADFS Server 2016 – MFA First
- Pros
  - Skews attempts to brute-force login attempts
  - Validates the users device before the username/password
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
- Extras
  - ADFS 2016 allows you to prompt for device MFA first, ensuring no password is passed to the session until the first factor has been passed
Option 3 - Password-free Login
- Pros
  - Very secure
  - Easy to use
  - No passwords to remember
  - Corporate Credentials are not passed through the session
  - Only devices with an approved certificate/key will be allowed access
- Cons
  - Certificate Based requires infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Authenticator/Hardware Key have limited support at this time
- Extras
  - ADFS: Certificate Authentication with Azure AD & Office 365
- - Windows Hello for Business
  - Why a PIN is better than a password
  - Can Use Biometrics as a form of PC Authentication
    - Fingerprint
    - Facial recognition
  - Microsoft Authenticator App
    - Password-less phone sign-in with the Microsoft Authenticator app (public preview)

The What?

What data are people accessing and how do we secure it?

Option 1 - SharePoint Site Permissions
- Pros
  - Highly customizable at different SharePoint levels (Site/Web/Library/Item)
  - Have remained the same with all versions of SharePoint
- Cons
  - Can get complicated with breaking inheritance
  - Auditing/Ensuring users are correctly setting permissions
- Extras
  - Understanding permission levels in SharePoint
Option 2 - External Sharing Settings
- Pros
  - Allow or prevent external users from accessing your SPO data
- Cons
  - A misconfigured policy could mean bad news for your company
  - It's not meant for every type of business or scenario
- Extras
  - Manage external sharing for your SharePoint Online environment.
Option 3 - Tenant Restrictions
- Pros
  - Increased security
- Cons
  - Makes external collaboration difficult
- Extras
  - Use Tenant Restrictions to manage access to SaaS cloud applications
    - Prevent your users from accessing other data
    - This is handled via proxy server and HTTP Headers that identify and prevent external access
Option 4 - Azure Rights Management / Azure Information Protection
- Pros
  - Increased data security
  - Available to many data formats
  - Set up on the SPO library or global rules via Azure
  - Labeling Support for O365 Data Classification
- Cons
  - Multiple setup/config areas that do not span a broad spectrum of services
  - Typically requires an internet connection to pass ACL validation
- Extras
  - Protect SharePoint libraries to prevent read/write/edit/print/etc.
    - Enabled on the document library or list level.
  - Protect files with Azure Information Protection
    - Gives you the option to classify, encrypt, and secure your data at a local level
      - For use with O365 documents, as well as on-prem file storage
      - Uses Azure RMS to encrypt and secure access
Option 5 - Data Loss Prevention
- Pros
  - Easy to configure rules
  - Used for SharePoint/OneDrive/Exchange
- Cons
  - Other similar methods make it confusing to determine the best use
    - AIP / Transport Rules / Classification & Labels
- Extras
  - Overview of data loss prevention policies
    - Searches through your existing data to find matches that may need protection
- - - Create a DLP query to identify what sensitive information now exists in your site collections.
    - Create a DLP policy to monitor and automatically protect sensitive information in your site collections.

The How?

How are people accessing cloud services, and how do we secure it?

Option 1 - Azure AD Device Registration / Workplace Join
- Pros
  - Identifies what users and devices are using cloud services
  - Configure MFA for first-time registration
  - Allows easy SSO access to all of your apps
- Cons
  - There isn't much security you can place around the device without extras
  - MFA Conditional Access rules are met with registered devices so you will not receive a call/text
- Extras
  - Azure AD Device Registration
Option 2 - Azure AD Joined Device
- Pros
  - Same as Option 1
  - Azure AD Bitlocker Recovery
  - PIN Sign-In
  - Enterprise State Roaming Features
  - Automatic MDM Enrollment (With AAD Premium P1)
- Cons
  - On-premises domain access would typically require VPN client
  - There isn't much security you can place around the device without extras
Option 3 - O365 Mobile Device Management (MDM)
- Pros
  - Comes with O365 E3
- Cons
  - Limited control
- Extras
  - Provides Selective Wipe and removal of certain data
  - Set up O365 MDM
Option 4 - Microsoft Intune
- Pros
  - Highly configurable
  - Tied with your cloud identity and your device
  - Can manage Windows/iOS/Android Devices (limited MAC OSx Support)
- Cons
  - Requires Intune or EM+S subscription
- Extras
  - What is Intune?
  - Contains Mobile Application Management policies (MAM)
    - Prevent Cut/Copy/Paste
    - Prevent SaveAs
    - Require a PIN for specific Mobile Apps
    - *With or without device enrollment*
  - Selective or Full Wipes of the device
  - Manages device compliance settings
    - Encryption/Password Rules/Etc.
  - Manages device configuration settings
    - Blocks to cameras, screen shots, USB ports, and tons more
  - Conditional Access via Compliance Policy and Device Registration
    - Allow only ‘domain joined’ devices to access cloud data

I hope I've made an extremely complex topic a little easier for everyone to understand. Like I mentioned above, there isn't a single solution that you should decide on for all business & security scenarios. You may need to mix-and-match and you may also need to use features I didn't even mention here. If you find yourself in a confusing situation and need help finding the best approach please feel free to reach out to SkyNorth!

Need Help?

Be sure to contact SkyNorth Software today for an O365 Data Security Assessment or any of your data security needs!

What is our Data Security Assessment?

It’s a comprehensive technology and process review for how you handle data security within your organization.

How much does it cost?

It’s FREE! Out introductory package is completely free and includes a 1-hour finding call with self-help documentation. If you’d like to have a more comprehensive review or added support, you can look at our PREMIUM or PREMIUM – WITH SUPPORT options on our website.

Intermittent Workflow failures – ‘The workflow failed to start due to an internal error’

Tue, 03 Oct 2017 14:15:16 Z

I just got through working a pretty nasty workflow issue that had nothing to go on with verbose ULS logging. Our issue was that even the most basic workflow’s were failing on a brand new custom list, with the first item created. After the first item was created the workflow would work fine for X amount of time. This issue was ugly, and intermittent, and it probably would have helped if I read this first - http://support.microsoft.com/kb/2001370

We found a way to reproduce the error with the following:

1.) Create a new list

2.) Create a new workflow with SharePoint Designer

a.) Step 1: Email user X

3.) Create a new list item

4.) Start the workflow

5.) Watch the failure

Note: Every other attempt after this work would fine (restarting the workflow)

Like I said – the ULS logs were clean, tracking the correlation ID we came up with nothing. Right when we took a break to review the final 3 sets of logs, my friend Wes had attempted a fix he used in the past with another workflow problem.

Disabling the OffWfCommon feature.

disable-spfeature -identity "OFFWfCommon" –url http://yoursitehere/sites/site

enable-spfeature –identify “OffWfCommon” –url http://yoursitehere/sites/site

After doing this the workflow consistently worked - but had me questions as to why, so I did some checking and I have found this to be a fix for other similar workflow issues such as a modified “Workflow Task” content type version that contains this error:

The requested workflow task content type was not found on the SPWeb

If you have a modified "Workflow Task" version greater then 0 and are seeing this same issue, the steps above may be relevant. I would always recommend testing this in a test environment fully before doing it. Here is some sample PowerShell code to help find versions that are not 0. Again, to be used in a test environment.

$site = get-spsite http://yoursitehere/sites/site
$site = $site.RootWeb
foreach ($sites in $site)
{
   foreach ($ctype in $site.ContentTypes)
{
       if ($ctype.name -eq "workflow Task" -and $ctype.version -gt "0")
           {

$ctype.Scope,$ctype.name,$ctype.version }
}

}

Please only use these steps if you are experience the exact scenarios listed above, and I hope this helps you!

ULSViewer Filters – Performance Filters

Tue, 03 Oct 2017 13:13:54 Z

By now everyone should know about ULSViewer that is available for download from MSDN, and you also should be familiar with the data filter that comes built into the tool. If you are not familiar with the ULSViewer you may be using some other log reader that is out there, but I would highly recommend getting use to ULSViewer as it is a powerful, user friendly, tool. This blog is about making your life easier to troubleshoot SharePoint issues using the ULS logs and ULSViewer filter.

One of the best things I have found with the ULSViewer is the ability to create, save, and reuse a filter. When you do this, you can bring it to any other ULSViewer and import the filter. Why is this handy? This is handy because you may have a common web application, or site that you are trying to troubleshoot and you know exactly what you are looking for but don't like entering in all of the filter fields over and over again.

The following filter is one that I have used many times in performance related issues. It has a the common stack of performance EventIDs and has saved me many times during troubleshooting performance problem.

Tag Description (EventID)

nask             SPRequestMemory leak
c8hq            ECM Object Cache Full Flush - too many changes
8gsc             WSS Template Cache Trim - memory usage exceeds target
avjr              WSS Template Cache Trim - low memory condition
fa43             slow query with duration
fa44             call stack for slow query
tzkv             query text (useful for slow queries and sql exceptions)
tzku             connection string (useful for slow queries and sql exceptions)
8pbe            Watson bucketing parameters
fa45             exception encountered during a sql query
btq8             exception encountered during a sql query
d0d6            exception encountered during a sql query
880i             exception encountered during a sql query

So how to do this?

1.) Open ULSViewer and load a ULS log - this gives you the ability to create a filter

Notice: The EventID are IDs inserted in the ULS directly from the SharePoint source. In most scenarios this will be a pretty unique ID, however some generic catch-all's will be used and may not be as helpful, but great to Bing!

2.) Open the Filter Tool with the icon directly below the Edit Menu (shown above)

3.) Start creating your filter!

Note: This will be the hardest part. Everything will be OK in the end, so start clicking and typing!

Notice: One thing to note here is the 'Save As', 'Save', and 'Load' button. This is obviously where you would save, or import your filter for reuse. Start using this TODAY!

Notice: Another very cool feature is the ability to Group your AND/OR logic so your filter works as expected. If you have a grouping set the bar will show on the left side of the filter.

4.) That's It! You now have created a very useful filter that will help you troubleshoot a lot of performance related problems.

On a final note, I really love when our customers are proactive in troubleshooting new features or applications in SharePoint. You could create a AND filter like I have done above to watch for specific sites and see how they are performing when using your new tool, and if they trigger any of the performance EventIDs above when you test them.

If anyone has a useful filter combination please post it in the comments below and explain how it helped you troubleshoot SharePoint!