Office 365 Teams Security - Securing the Central Communication Hub

Office 365 Teams Security

Securing the Central Communication Hub

Rocco Gagliardi
by Rocco Gagliardi
on January 14, 2021
time to read: 12 minutes

Keypoints

This is how you Secure O365 Teams

  • Office 365 and in particular Teams are becoming more and more central for many small and medium-sized companies
  • Although Microsoft makes huge investments in security, especially cloud products, to satisfy the general public it is forced to balance usability and security
  • It is likely that many functions are not necessary for your company, in this case it is useful to disable them
  • With Powershell it is possible to monitor the status of the Teams settings, with respect to a reference one, and assess the new parameters introduced with updates

When I started working in IT, the cutting edge was an IBM System/55 with OS/2 and Lotus Notes. Even though many applications needed a 3270 Terminal, the transition of the communication from the Mainframe to PC indicated the future hub of the enterprise: Email server. The limits of email have been reached quite quickly: To work in a team you need – often – something more immediate. Google proposed a solution with Waves in 2009, a sort of continuous dialogue, with no beginning or end. It ended almost immediately, after two years the service was closed, and our much-coveted – honestly quite empty – waves were closed.

The past year, due to COVID-19, has forced many companies to work differently, increasing the distance between people and forcing them to look for collaboration solutions. Office 365 (O365) is certainly the simplest collaborative platform to switch to when you already have an Office package: It offers a tool for every need and allows you to create a geographically distributed office.

O365 security is pretty good. There were no known severe public vulnerabilities for a long time. However, given the large audience, Microsoft must find a balance between security and usability.

Microsoft Teams is a hub for teamwork, bringing together everything your team needs with the power of Microsoft 365 applications. Teams, like any hub, can have access to multiple components both internal to O365 and external, such as Dropbox. Given its fundamental purpose as a facilitator of communication between people, much has been done to simplify communication between company members and outside people. Also, as the system isn’t complex enough, there is a convergence between Skype for Business and Teams.

Although familiar by name, the technologies that make O365 work are very complex and often underestimated by small business administrators who care more about operation than security.

The attackers are well aware of this, who – unlike many administrators – have studied the functionality of O365 very well: Several indicators show us how O365 is a greedy target and how high the success rate of an attack is (for example Barracuda declares that 30% of attacks end with an account takeover).

The analysis of the attacks also shows that they are successful not thanks to technological flaws, but thanks to naive users or administrators.

Avoiding the use of online collaboration platforms could be an instinctive solution, but remember that “local” security has performed and continues to perform worse. In any case, administrators must approach these complex technologies with more conviction and study the hundreds of options available, enabling only what is strictly necessary for their company.

Here are some points to look out for to harden your Microsoft Teams security environment.

Area to Review

As mentioned, O365 and Teams are based on complex and interconnected technologies. We suggest studying the implications and reviewing the issues raised in the following areas.

Guest Access

The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files, and meetings. This can pose a security problem as it is difficult to control what information is exchanged in the channel with outside world.

Permissions

Microsoft intentionally designed Teams with an open permissions model, to simplify the self-organized collaboration:

Data Sharing

A Teams user can deliberately or accidentally share information with unauthorized recipients.

App Management

The capabilities of team channels can be extended by adding apps, which can take the form of custom tabs, bots, or connectors. An app lets users in a channel get content and updates directly from their favorite third-party services, such GitHub. However, these apps often request (or even require) users to allow them to access their data, which opens the door to improper transfer of company information to external third parties.

Check Policy

Teams has a very complex WebUI, but not all parameters are visible through it. Besides, it is complex to check and keep track of all the changes and the new settings through the WebUI.

We suggest using Powershell to list the settings, compare them with a reference policy, and list the new ones. For example:

PS> Connect-MicrosoftTeams -Credential $credential
PS> $session = New-CsOnlineSession -Credential $credential
PS> Import-PsSession $session -AllowClobber -DisableNameChecking
PS> Get-CsTeamsClientConfiguration
Identity                         : Global
Allowe-mailIntoChannel             : True
RestrictedSenderList             :
AllowDropBox                     : True
AllowBox                         : False
AllowGoogleDrive                 : True
AllowShareFile                   : False
AllowEgnyte                      : False
AllowOrganizationTab             : True
AllowSkypeBusinessInterop        : True
ContentPin                       : RequiredOutsideScheduleMeeting
AllowResourceAccountSendMessage  : False
ResourceAccountContentAccess     : NoAccess
AllowGuestUser                   : False
AllowScopedPeopleSearchandAccess : False
AllowRoleBasedChatPermissions    : False
...

To analyze the areas mentioned above, you need to check the following functions:

Key Description
CsTeamsClientConfiguration The TeamsClientConfiguration allows IT admins to control the settings that can be accessed via Teams clients across their organization. This configuration includes settings like which third party cloud storage your organization allows, whether or not guest users can access the teams client, and how Surface Hub devices can interact with Skype for Business meetings.
CsTeamsChannelsPolicy The CsTeamsChannelsPolicy allows you to manage features related to the Teams and Channels experience within the Teams application.
CsTeamsGuestCallingConfiguration Specifies what options guest users have for calling within Teams.
CsTeamsGuestMeetingConfiguration Designates what meeting features guests using Microsoft Teams will have available.
CsTeamsGuestMessagingConfiguration TeamsGuestMessagingConfiguration determines the messaging settings for the guest users.
CsTeamsMeetingBroadcastPolicy User-level policy for tenant admin to configure meeting broadcast behavior for the broadcast event organizer.
CsTeamsMeetingPolicy Control the type of meetings that users can create or the features that they can access while in a meeting. It also helps determine how meetings deal with anonymous or external users.
CsTenantFederationConfiguration Provides a way for administrators to return federation information for their Skype for Business Online tenants.
CsTenantPublicProvider Determine which providers (if any) have been enabled for federation.

Official documentation is available on the Microsoft website, under Skype for Business. Search for Set- to get the description of all parameters.

Policy

A policy is closely linked to the business model implemented by the company. For this reason, the values of the following parameters are suggestions that must be validated before an implementation.

We suggest, as general policy, aligning with the following values to minimize Teams functionality and mitigate the risks discussed. If you need some feature, check if possible to create an ad-hoc policy and assign them to a sub group.

Function Key Value
CsTeamsClientConfiguration Allowe-mailIntoChannel False
CsTeamsClientConfiguration AllowDropBox False
CsTeamsClientConfiguration AllowBox False
CsTeamsClientConfiguration AllowGoogleDrive False
CsTeamsClientConfiguration AllowShareFile False
CsTeamsClientConfiguration AllowEgnyte False
CsTeamsClientConfiguration AllowGuestUser False
CsTeamsClientConfiguration AllowResourceAccountSendMessage False
CsTeamsClientConfiguration AllowScopedPeopleSearchandAccess False
CsTenantFederationConfiguration AllowFederatedUsers False
CsTenantFederationConfiguration AllowPublicUsers False
CsTenantPublicProvider PublicProviderSet False
CsTenantPublicProvider AllowShareFile False
CsTeamsChannelsPolicy AllowOrgWideTeamCreation False
CsTeamsChannelsPolicy AllowPrivateTeamDiscovery False
CsTeamsChannelsPolicy AllowPrivateChannelCreation False
CsTeamsChannelsPolicy AllowSharedChannelCreation False
CsTeamsChannelsPolicy AllowChannelSharingToExternalUser False
CsTeamsChannelsPolicy AllowUserToParticipateInExternalSharedChannel False
CsTeamsGuestCallingConfiguration AllowPrivateCalling False
CsTeamsGuestMeetingConfiguration AllowIPVideo False
CsTeamsGuestMeetingConfiguration ScreenSharingMode False
CsTeamsGuestMeetingConfiguration LiveCaptionsEnabledType False
CsTeamsGuestMeetingConfiguration AllowTranscription False
CsTeamsGuestMessagingConfiguration AllowUserChat False
CsTeamsGuestMessagingConfiguration AllowGiphy False
CsTeamsGuestMessagingConfiguration AllowMemes False
CsTeamsGuestMessagingConfiguration AllowImmersiveReader False
CsTeamsGuestMessagingConfiguration AllowStickers False
CsTeamsMeetingBroadcastPolicy AllowBroadcastScheduling False
CsTeamsMeetingBroadcastPolicy AllowBroadcastTranscription False
CsTeamsMeetingBroadcastPolicy BroadcastAttendeeVisibilityMode InvitedUsersInCompany
CsTeamsMeetingBroadcastPolicy BroadcastRecordingMode True
CsTeamsMeetingPolicy LiveCaptionsEnabledType Disabled
CsTeamsMeetingPolicy DesignatedPresenterRoleMode OrganizerOnlyUserOverride
CsTeamsMeetingPolicy AllowEngagementReport Disabled
CsTeamsMeetingPolicy AllowAnonymousUsersToDialOut False
CsTeamsMeetingPolicy AllowAnonymousUsersToStartMeeting False
CsTeamsMeetingPolicy AllowPrivateMeetingScheduling False
CsTeamsMeetingPolicy AutoAdmittedUsers OrganizerOnly
CsTeamsMeetingPolicy AllowCloudRecording False
CsTeamsMeetingPolicy AllowRecordingStorageOutsideRegion False
CsTeamsMeetingPolicy AllowParticipantGiveRequestControl False
CsTeamsMeetingPolicy AllowExternalParticipantGiveRequestControl False
CsTeamsMeetingPolicy AllowPSTNUsersToBypassLobby False
CsTeamsMeetingPolicy AllowOrganizersToOverrideLobbySettings False
CsTeamsMeetingPolicy AllowUserToJoinExternalMeeting FederatedOnly
CsTeamsMeetingPolicy EnrollUserOverride Disabled
CsTeamsMeetingPolicy RoomAttributeUserOverride Off
CsTenantFederationConfiguration AllowFederatedUsers False
CsTenantFederationConfiguration AllowPublicUsers False
CsTenantFederationConfiguration TreatDiscoveredPartnersAsUnverified True
CsTenantFederationConfiguration SharedSipAddressSpace False
CsTenantPublicProvider PublicProviderSet False

The Microsoft Tools

These parameters are useful for mitigating some risks associated with Teams, but in any case, a great starting point are the Tools made available by O365 (even if not specific to the product): If you are new to O365, check the Admin Centers Security and Compliance or the Microsoft Security Score. Verify if the suggested alignments are right for you and follow the step-by-step instructions to implement them.

This will begin to take you to a higher level of safety and trust in the product. Later you can use more advanced tools to monitor the health of your infrastructure.

Summary

Microsoft invests heavily in the security of its products, especially the cloud ones. Nevertheless, to satisfy the majority of the public that uses its products, Microsoft must find a balance between usability and security. It is very likely that most of the possibilities offered by Teams are not required by your company; in this case it is useful to review all the settings and disable the unnecessary. Start implementing the alignments suggested by Microsoft tools.

In a second phase, using Powershell, monitor the configuration status with respect to a reference one and identify and assess new settings introduced in the latest versions, to configure the product in the best way for the needs of your company.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

You need support in such a project?

Our experts will get in contact with you!

×
Enhancing Data Understanding

Enhancing Data Understanding

Rocco Gagliardi

Transition to OpenSearch

Transition to OpenSearch

Rocco Gagliardi

Graylog v5

Graylog v5

Rocco Gagliardi

auditd

auditd

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here