SQLite forensic's notes
This is how you Secure O365 Teams
The past year, due to COVID-19, has forced many companies to work differently, increasing the distance between people and forcing them to look for collaboration solutions. Office 365 (O365) is certainly the simplest collaborative platform to switch to when you already have an Office package: It offers a tool for every need and allows you to create a geographically distributed office.
O365 security is pretty good. There were no known severe public vulnerabilities for a long time. However, given the large audience, Microsoft must find a balance between security and usability.
Microsoft Teams is a hub for teamwork, bringing together everything your team needs with the power of Microsoft 365 applications. Teams, like any hub, can have access to multiple components both internal to O365 and external, such as Dropbox. Given its fundamental purpose as a facilitator of communication between people, much has been done to simplify communication between company members and outside people. Also, as the system isn’t complex enough, there is a convergence between Skype for Business and Teams.
Although familiar by name, the technologies that make O365 work are very complex and often underestimated by small business administrators who care more about operation than security.
The attackers are well aware of this, who – unlike many administrators – have studied the functionality of O365 very well: Several indicators show us how O365 is a greedy target and how high the success rate of an attack is (for example Barracuda declares that 30% of attacks end with an account takeover).
The analysis of the attacks also shows that they are successful not thanks to technological flaws, but thanks to naive users or administrators.
Avoiding the use of online collaboration platforms could be an instinctive solution, but remember that “local” security has performed and continues to perform worse. In any case, administrators must approach these complex technologies with more conviction and study the hundreds of options available, enabling only what is strictly necessary for their company.
Here are some points to look out for to harden your Microsoft Teams security environment.
As mentioned, O365 and Teams are based on complex and interconnected technologies. We suggest studying the implications and reviewing the issues raised in the following areas.
The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files, and meetings. This can pose a security problem as it is difficult to control what information is exchanged in the channel with outside world.
Microsoft intentionally designed Teams with an open permissions model, to simplify the self-organized collaboration:
A Teams user can deliberately or accidentally share information with unauthorized recipients.
The capabilities of team channels can be extended by adding apps, which can take the form of custom tabs, bots, or connectors. An app lets users in a channel get content and updates directly from their favorite third-party services, such GitHub. However, these apps often request (or even require) users to allow them to access their data, which opens the door to improper transfer of company information to external third parties.
Teams has a very complex WebUI, but not all parameters are visible through it. Besides, it is complex to check and keep track of all the changes and the new settings through the WebUI.
We suggest using Powershell to list the settings, compare them with a reference policy, and list the new ones. For example:
PS> Connect-MicrosoftTeams -Credential $credential PS> $session = New-CsOnlineSession -Credential $credential PS> Import-PsSession $session -AllowClobber -DisableNameChecking PS> Get-CsTeamsClientConfiguration Identity : Global Allowe-mailIntoChannel : True RestrictedSenderList : AllowDropBox : True AllowBox : False AllowGoogleDrive : True AllowShareFile : False AllowEgnyte : False AllowOrganizationTab : True AllowSkypeBusinessInterop : True ContentPin : RequiredOutsideScheduleMeeting AllowResourceAccountSendMessage : False ResourceAccountContentAccess : NoAccess AllowGuestUser : False AllowScopedPeopleSearchandAccess : False AllowRoleBasedChatPermissions : False ...
To analyze the areas mentioned above, you need to check the following functions:
|CsTeamsClientConfiguration||The TeamsClientConfiguration allows IT admins to control the settings that can be accessed via Teams clients across their organization. This configuration includes settings like which third party cloud storage your organization allows, whether or not guest users can access the teams client, and how Surface Hub devices can interact with Skype for Business meetings.|
|CsTeamsChannelsPolicy||The CsTeamsChannelsPolicy allows you to manage features related to the Teams and Channels experience within the Teams application.|
|CsTeamsGuestCallingConfiguration||Specifies what options guest users have for calling within Teams.|
|CsTeamsGuestMeetingConfiguration||Designates what meeting features guests using Microsoft Teams will have available.|
|CsTeamsGuestMessagingConfiguration||TeamsGuestMessagingConfiguration determines the messaging settings for the guest users.|
|CsTeamsMeetingBroadcastPolicy||User-level policy for tenant admin to configure meeting broadcast behavior for the broadcast event organizer.|
|CsTeamsMeetingPolicy||Control the type of meetings that users can create or the features that they can access while in a meeting. It also helps determine how meetings deal with anonymous or external users.|
|CsTenantFederationConfiguration||Provides a way for administrators to return federation information for their Skype for Business Online tenants.|
|CsTenantPublicProvider||Determine which providers (if any) have been enabled for federation.|
Official documentation is available on the Microsoft website, under Skype for Business. Search for Set- to get the description of all parameters.
A policy is closely linked to the business model implemented by the company. For this reason, the values of the following parameters are suggestions that must be validated before an implementation.
We suggest, as general policy, aligning with the following values to minimize Teams functionality and mitigate the risks discussed. If you need some feature, check if possible to create an ad-hoc policy and assign them to a sub group.
These parameters are useful for mitigating some risks associated with Teams, but in any case, a great starting point are the Tools made available by O365 (even if not specific to the product): If you are new to O365, check the Admin Centers Security and Compliance or the Microsoft Security Score. Verify if the suggested alignments are right for you and follow the step-by-step instructions to implement them.
This will begin to take you to a higher level of safety and trust in the product. Later you can use more advanced tools to monitor the health of your infrastructure.
Microsoft invests heavily in the security of its products, especially the cloud ones. Nevertheless, to satisfy the majority of the public that uses its products, Microsoft must find a balance between usability and security. It is very likely that most of the possibilities offered by Teams are not required by your company; in this case it is useful to review all the settings and disable the unnecessary. Start implementing the alignments suggested by Microsoft tools.
In a second phase, using Powershell, monitor the configuration status with respect to a reference one and identify and assess new settings introduced in the latest versions, to configure the product in the best way for the needs of your company.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here