When I started working in IT, the cutting edge was an IBM System/55 with OS/2 and Lotus Notes. Even though many applications needed a 3270 Terminal, the transition of the communication from the Mainframe to PC indicated the future hub of the enterprise: Email server. The limits of email have been reached quite quickly: To work in a team you need – often – something more immediate. Google proposed a solution with Waves in 2009, a sort of continuous dialogue, with no beginning or end. It ended almost immediately, after two years the service was closed, and our much-coveted – honestly quite empty – waves were closed.

The past year, due to COVID-19, has forced many companies to work differently, increasing the distance between people and forcing them to look for collaboration solutions. Office 365 (O365) is certainly the simplest collaborative platform to switch to when you already have an Office package: It offers a tool for every need and allows you to create a geographically distributed office.

O365 security is pretty good. There were no known severe public vulnerabilities for a long time. However, given the large audience, Microsoft must find a balance between security and usability.

Microsoft Teams is a hub for teamwork, bringing together everything your team needs with the power of Microsoft 365 applications. Teams, like any hub, can have access to multiple components both internal to O365 and external, such as Dropbox. Given its fundamental purpose as a facilitator of communication between people, much has been done to simplify communication between company members and outside people. Also, as the system isn’t complex enough, there is a convergence between Skype for Business and Teams.

Although familiar by name, the technologies that make O365 work are very complex and often underestimated by small business administrators who care more about operation than security.

The attackers are well aware of this, who – unlike many administrators – have studied the functionality of O365 very well: Several indicators show us how O365 is a greedy target and how high the success rate of an attack is (for example Barracuda declares that 30% of attacks end with an account takeover).

The analysis of the attacks also shows that they are successful not thanks to technological flaws, but thanks to naive users or administrators.

Avoiding the use of online collaboration platforms could be an instinctive solution, but remember that “local” security has performed and continues to perform worse. In any case, administrators must approach these complex technologies with more conviction and study the hundreds of options available, enabling only what is strictly necessary for their company.

Here are some points to look out for to harden your Microsoft Teams security environment.

Area to Review

As mentioned, O365 and Teams are based on complex and interconnected technologies. We suggest studying the implications and reviewing the issues raised in the following areas.

Guest Access

The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files, and meetings. This can pose a security problem as it is difficult to control what information is exchanged in the channel with outside world.

Permissions

Microsoft intentionally designed Teams with an open permissions model, to simplify the self-organized collaboration:

• Any user can create a team and invite other users to join it (team ownership)
• Every team member has full access to all data on the team’s public channels, including chat messages, meeting content and shared files
• Every team member can share files and create new channels
• A guest from outside can share files and even create new channels within the team
• Members are visible outside the organization

Data Sharing

A Teams user can deliberately or accidentally share information with unauthorized recipients.

App Management

The capabilities of team channels can be extended by adding apps, which can take the form of custom tabs, bots, or connectors. An app lets users in a channel get content and updates directly from their favorite third-party services, such GitHub. However, these apps often request (or even require) users to allow them to access their data, which opens the door to improper transfer of company information to external third parties.

Check Policy

Teams has a very complex WebUI, but not all parameters are visible through it. Besides, it is complex to check and keep track of all the changes and the new settings through the WebUI.

We suggest using Powershell to list the settings, compare them with a reference policy, and list the new ones. For example:

PS> Connect-MicrosoftTeams -Credential $credential
PS> $session = New-CsOnlineSession -Credential $credential
PS> Import-PsSession $session -AllowClobber -DisableNameChecking
PS> Get-CsTeamsClientConfiguration
Identity                         : Global
Allowe-mailIntoChannel             : True
RestrictedSenderList             :
AllowDropBox                     : True
AllowBox                         : False
AllowGoogleDrive                 : True
AllowShareFile                   : False
AllowEgnyte                      : False
AllowOrganizationTab             : True
AllowSkypeBusinessInterop        : True
ContentPin                       : RequiredOutsideScheduleMeeting
AllowResourceAccountSendMessage  : False
ResourceAccountContentAccess     : NoAccess
AllowGuestUser                   : False
AllowScopedPeopleSearchandAccess : False
AllowRoleBasedChatPermissions    : False
...

To analyze the areas mentioned above, you need to check the following functions:

Official documentation is available on the Microsoft website, under Skype for Business. Search for Set- to get the description of all parameters.

Policy

A policy is closely linked to the business model implemented by the company. For this reason, the values of the following parameters are suggestions that must be validated before an implementation.

We suggest, as general policy, aligning with the following values to minimize Teams functionality and mitigate the risks discussed. If you need some feature, check if possible to create an ad-hoc policy and assign them to a sub group.

The Microsoft Tools

These parameters are useful for mitigating some risks associated with Teams, but in any case, a great starting point are the Tools made available by O365 (even if not specific to the product): If you are new to O365, check the Admin Centers Security and Compliance or the Microsoft Security Score. Verify if the suggested alignments are right for you and follow the step-by-step instructions to implement them.

This will begin to take you to a higher level of safety and trust in the product. Later you can use more advanced tools to monitor the health of your infrastructure.

Summary

Microsoft invests heavily in the security of its products, especially the cloud ones. Nevertheless, to satisfy the majority of the public that uses its products, Microsoft must find a balance between usability and security. It is very likely that most of the possibilities offered by Teams are not required by your company; in this case it is useful to review all the settings and disable the unnecessary. Start implementing the alignments suggested by Microsoft tools.

In a second phase, using Powershell, monitor the configuration status with respect to a reference one and identify and assess new settings introduced in the latest versions, to configure the product in the best way for the needs of your company.

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• https://blog.barracuda.com/2019/05/02/threat-spotlight-account-takeover/
• https://docs.microsoft.com/en-us/MicrosoftTeams/teams-architecture-solutions-posters
• https://docs.microsoft.com/en-us/powershell/module/skype/?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamschannelspolicy?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsclientconfiguration?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsguestcallingconfiguration?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsguestmeetingconfiguration?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsguestmessagingconfiguration?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingbroadcastpolicy?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-cstenantfederationconfiguration?view=skype-ps
• https://docs.microsoft.com/en-us/powershell/module/skype/set-cstenantpublicprovider?view=skype-ps
• https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html